Why Can't My Windows ECS Access the Internet?

Symptom

Your attempt to access the Internet from your Windows ECS failed.

Fault Locating

The following fault causes are sequenced based on their occurrence probability.

If the fault persists after you have ruled out a cause, check other causes.

Checking the ECS Status

• Check whether the ECS is in the Running state on the management console.
• Check whether an ECS has an EIP bound.

  An ECS can access the Internet only if it has an EIP bound.

  For details, see Binding an EIP.

Checking Whether the ECS Is Overloaded

If the bandwidth and CPU usage of an ECS are too high, the network may be disconnected.

If you have created an alarm rule in Cloud Eye, the system automatically sends an alarm notification to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

To resolve this issue, perform the operations described in Why Is My Windows ECS Running Slowly?

Checking Whether the EIP Bandwidth Exceeded the Limit

An ECS with an EIP bound accesses the Internet using the bandwidth configured for the EIP.

If Internet access fails, check whether the EIP bandwidth exceeds the limit.

Checking Whether the ISP Network Is Functional

Check whether the fault occurs for a specific IP address. If so, the IP address may be blocked by the ISP.

Try another hotspot for access. If the access is successful, the fault may lie in the local carrier network. Contact the carrier to resolve this issue.

Checking the NIC Configuration

• Check whether the NIC and DNS configurations on the ECS are consistent with those displayed on the ECS management console.
  1. On the CLI of the ECS, run the ipconfig /all command to check whether the NIC and DNS configurations are correct, as shown in Figure 1.
     Figure 1 NIC and DNS configurations
     
  2. Log in to the management console. On the ECS list page, click the name of the target ECS.
  3. On the page providing details about the ECS, click the VPC name.
  4. On the VPC list page, click the number displayed in the Subnets column.
  5. On the subnet list page, click the name of the target subnet. The subnet details page is displayed .
• Open the cmd window, run the ncpa.cpl command to start Network and Sharing Center, and check whether the NIC is functional.
  Figure 2 NIC status
  

Checking Whether the Default Route Is Destined for the Default Gateway

Run the route print command to obtain the routing table of the ECS and check whether the default route of 0.0.0.0 is destined for the default gateway.

Figure 3 Default route settings

Checking Whether the Security Group Is Correctly Configured

Check whether the security group of the ECS is correctly configured. If an allowlist is configured for the outbound rules of the security group, the network traffic in the outbound direction is permitted.

Checking ACL Rules

By default, no ACL rules are configured for a VPC. If a network ACL is associated with a VPC, check the ACL rules.

1. Check whether the subnet of the ECS has been associated with a network ACL.

   If an ACL name is displayed, the network ACL has been associated with the ECS.

2. Click the ACL name to view its status.
3. Disassociate the network ACL from the subnet of the ECS.
   On the page providing details about the network ACL, choose Associated Subnets > Disassociate.

   

   The default network ACL rule denies all incoming and outgoing packets. If a network ACL is disabled, the default rule is still effective.

4. Try to access the Internet through the ECS again.

Checking Whether the EIP Is Blocked

IP address blocking indicates that all traffic is destined to a null route. If the EIP is blocked, the ECS cannot access the Internet.

Generally, blocked EIPs will be automatically unblocked after 24 hours if no subsequent attack occurs.

Checking the Firewall Configuration

Disable firewall rules for the ECS and check whether the Internet connection is restored.

If the connection is restored, check the firewall settings.

1. Log in to the Windows ECS.
2. Click the Windows icon in the lower left corner of the desktop and choose Control Panel > System and Security > Windows Firewall.
   Figure 4 Windows Firewall
   
3. Choose Check firewall status > Turn Windows Firewall on or off.

   View and set the firewall status.

   Figure 5 Turn off Windows Firewall
   

Checking Whether the Gateway Is Accessible

1. Run the ping command to check whether data can be exchanged between the ECS and the gateway.

   Use an IP address in a different network segment to ping the gateway to check network connections.

2. Run the ping command to obtain the IP address of the DNS server.

   Compare the time required for pinging the DNS server and the time for pinging a specific IP address, and determine whether the DNS server is running properly.

Checking the ECS Performance

Run the netstat command to check whether SYN-SENT, CLOSE_WAIT, or FIN_WAIT is found.

If any of them is found, port resources are used up. This issue is generally caused by a software bug. After the bug is fixed, restart the ECS.

Figure 6 Checking network connection

Checking Whether the Access Is Blocked by Antivirus Software

Disable or uninstall the third-party antivirus software on the ECS, and check whether the fault is rectified.

Checking the ECS Security Status

Check the ECS security status and determine whether the ECS is affected by viruses or Trojan horses.