
What Can I Do If My Linux ECS Cannot Access the Internet?

Updated at: Jun 29, 2021 GMT+08:00

Symptom

If your Linux ECS cannot access the Internet, follow the operations provided in this section to troubleshoot the issue.

Fault Locating

The following fault causes are sequenced based on their occurrence probability.

If the fault persists after you have ruled out a cause, check other causes.

Figure 1 Fault locating
Table 1 Possible causes and solutions

| Possible Cause | Solution |
| --- | --- |
| The ECS is frozen or stopped, or has no EIP bound. | Check whether the ECS is in the Running state and has an EIP bound. For details, see Checking the ECS Status. |
| The ECS is overloaded. | Check whether the bandwidth and vCPU usage of the ECS are too high. For details, see Checking Whether the ECS Is Overloaded. |
| The EIP bandwidth exceeds the bandwidth limit. | Increase the bandwidth and try again. For details, see Checking Whether the EIP Bandwidth Exceeded the Limit. |
| The DNS configuration is incorrect. | Change the DNS server to a private one. For details, see Checking the DNS Configuration. |
| Specified resolution has been configured in the hosts file. | Check whether the mappings in the hosts configuration file are correct. For details, see Checking the hosts Configuration File. |
| Both Network and NetworkManager are enabled. | Use either of the two tools to prevent incompatibility issues. For details, see Checking Whether Both Network and NetworkManager Have Been Enabled. |
| The security group is incorrectly configured. | Check whether the security group allows the network traffic in the outbound direction. For details, see Checking Whether the Security Group Is Correctly Configured. |
| A network ACL has been associated with the ECS. | Disassociate the network ACL from the ECS and try again. For details, see Checking ACL Rules. |
| The website you want to visit is outside the Chinese Mainland. | Optimize the website link configurations and try again. For details, see Checking Whether the Website to Be Visited Is Outside the Chinese Mainland. (Applicable to access to websites outside the Chinese mainland) |
| The EIP is blocked. | If the EIP is blocked, the ECS cannot access the Internet. For details, see Checking Whether the EIP Is Blocked. |
| The private IP address is lost. | Check whether the dhclient process is running. If it is not running, the private IP address may be lost. For details, see Checking Whether a Private IP Address Can Be Obtained. |
| NICs are incorrectly configured. | Check whether the NIC and DNS configurations are correct. For details, see Checking the NIC Configuration. |
| Firewall is enabled on the ECS. | Disable the firewall and try again. For details, see Checking the Firewall Configuration. |

Checking the ECS Status

  • Check whether the ECS is in the Running state on the management console.
  • Check whether an EIP has been bound to the ECS.

    An ECS can access the Internet only after it has an EIP bound. Therefore, check whether the target ECS has an EIP bound.

    For details about how to bind an EIP to the ECS, see Assigning an EIP and Binding It to an ECS.

Checking Whether the ECS Is Overloaded

If the bandwidth and CPU usage of an ECS are too high, the network may be disconnected.

If you have created an alarm rule using Cloud Eye, the system automatically sends an alarm to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

To handle this issue, perform the operations described in Why Is My Linux ECS Running Slowly?.

Checking Whether the EIP Bandwidth Exceeded the Limit

An ECS with an EIP bound accesses the Internet using the bandwidth specified by the EIP.

If Internet access fails, check whether the EIP bandwidth exceeds the bandwidth limit.

For details, see How Do I Check Whether the Bandwidth Exceeds the Limit?

For instructions about how to increase the bandwidth, see Changing an EIP Bandwidth.

Checking the DNS Configuration

Private DNS servers resolve domain names for the ECSs created using a public image by default. The private DNS servers do not affect the domain name resolution for the ECSs to access the Internet. Additionally, you can use the private DNS servers to directly access the internal addresses of other cloud services, such as OBS. Compared with the access through the Internet, this access mode features high performance and low latency.

Run the following command to view the DNS configuration:

cat /etc/resolv.conf

If the command output shown in Figure 2 is displayed, the domain name is resolved using the private DNS server.

Figure 2 DNS configuration

If the domain name of the ECS is resolved using a non-private DNS server and you want to switch to a private DNS server, change the DNS server to a private one.

For details, see How Can I Configure the NTP and DNS Servers for an ECS?

Checking the hosts Configuration File

If the DNS configuration is correct but the ECS still cannot access the Internet, check whether the mappings in the hosts configuration file are correct. If any mapping is incorrect, comment it out.

For Linux, run the following command to view the hosts configuration:

vim /etc/hosts

If there is an incorrect domain name mapping, comment it out and save the hosts file.
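
A scripted form of this check, as an added example that is not part of the original documentation: it lists the active hosts entries that map one domain name and comments them out, keeping a backup. The function names, the .bak suffix, and the sample file contents are assumptions; the demo runs on a constructed temporary file, not on /etc/hosts.

```shell
#!/bin/sh
# Added example: find and comment out active hosts-file entries for one name.

# Print "LINE IP" for each uncommented entry in FILE ($1) that maps NAME ($2).
hosts_overrides() {
    awk -v name="$2" '
        { sub(/#.*/, "") }              # drop comments; awk re-splits the fields
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print NR, $1; break }
        }' "$1"
}

# Comment out those entries in place; the original is kept as FILE.bak.
comment_out_host() {
    cp -p "$1" "$1.bak" || return 1
    awk -v name="$2" '
        {
            active = $0; sub(/#.*/, "", active)
            n = split(active, f, " "); hit = 0
            for (i = 2; i <= n; i++)
                if (tolower(f[i]) == tolower(name)) hit = 1
            print (hit ? ("# " $0) : $0)
        }' "$1.bak" > "$1"
}

# Demo on a constructed file (documentation-range addresses only).
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
127.0.0.1      localhost
# 203.0.113.10 example.com
198.51.100.7   example.com www.example.com   # stale test entry
192.0.2.5      other.example
EOF
hosts_overrides "$demo_hosts" example.com     # active mapping on line 3
comment_out_host "$demo_hosts" example.com
cat "$demo_hosts"                             # line 3 is now commented out
rm -f "$demo_hosts" "$demo_hosts.bak"
```

To apply it to the real file, run the functions as root with /etc/hosts as the first argument and review /etc/hosts.bak afterwards.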

Checking Whether Both Network and NetworkManager Have Been Enabled

Network and NetworkManager are two network management tools, and only one of them can be enabled at a time. If both are enabled, they conflict with each other.

Take CentOS 7 as an example. NetworkManager is recommended for CentOS 7.

  1. Check the Network or NetworkManager running status.

    systemctl status network

    systemctl status NetworkManager

  2. Run the following commands to disable Network:

    systemctl stop network

    systemctl disable network

  3. Run the following commands to enable NetworkManager:

    systemctl start NetworkManager

    systemctl enable NetworkManager

Checking Whether the Security Group Is Correctly Configured

Check whether the security group of the ECS is correctly configured. If an allowlist is configured for the outbound rules of the security group, the network traffic in the outbound direction is permitted.

As shown in Figure 3, all network traffic in the outbound direction is permitted.

For instructions about how to permit a protocol or port, see Configuring Security Group Rules.

Figure 3 Permitting all network traffic in the outbound direction

Checking ACL Rules

By default, no ACL rules are configured for a VPC. If a network ACL is associated with a VPC, check the ACL rules.

  1. Check whether the subnet of the ECS has been associated with a network ACL.

    If an ACL name is displayed, the network ACL has been associated with the ECS.

    Figure 4 Network ACL
  2. Click the ACL name to view its status.
    Figure 5 Enabled network ACL
  3. Disassociate the network ACL from the subnet of the ECS.
    On the page providing details about the network ACL, choose Associated Subnets > Disassociate.
    Figure 6 Disassociating a Network ACL

    The default network ACL rule denies all incoming and outgoing packets. After the network ACL is disabled, the default rule still takes effect.

  4. Try to access the Internet again.

Checking Whether the Website to Be Visited Is Outside the Chinese Mainland

Websites outside the Chinese mainland may be inaccessible or respond slowly when visited from an ECS. This is caused by the slow access of a DNS server outside the Chinese Mainland.

If you are required to access websites outside the Chinese Mainland, purchase an ECS in a region outside the Chinese Mainland. To do so, select the target region when purchasing the ECS.

To speed up the access to a website outside the Chinese Mainland, see Troubleshooting Slow Access of a Website Outside the Chinese Mainland over an ECS.

Checking Whether the EIP Is Blocked

IP address blocking indicates that all traffic is designated to a null route. If the EIP is blocked, the ECS cannot access the Internet.

Generally, blocked EIPs will be automatically unblocked 24 hours later if no attack occurs.

It is recommended that you use Advanced Anti-DDoS to prevent attacks.

Checking Whether a Private IP Address Can Be Obtained

Private IP addresses may be lost if the dhclient process is not running or the target NIC is not managed by NetworkManager because NetworkManager automatic startup is not enabled. Perform the following operations to locate the fault:

Take an ECS running CentOS 7 as an example.

  1. Run the following command to check whether dhclient is running:

    # ps -ef |grep dhclient |grep -v grep

  2. If dhclient is not detected, run the following command to check whether NetworkManager is running:

    # systemctl status NetworkManager

    • If NetworkManager is in Active: inactive (dead) state, NetworkManager is not enabled. Run the following command to check whether NetworkManager is automatically started upon system startup:

      # systemctl is-enabled NetworkManager

      If the command output is disabled, run the following command to enable NetworkManager automatic startup:

      # systemctl enable NetworkManager && systemctl start NetworkManager

    • If NetworkManager is in Active: active (running) state, run the following command to check whether the target NIC is managed by NetworkManager:

      # nmcli device status

      If the NIC is in unmanaged state, run the following command to enable it to be managed by NetworkManager:

      # nmcli device set eth0 managed yes

  3. Run the following command to restart NetworkManager:

    # systemctl restart NetworkManager

  4. Run the following command to check whether the private IP address can be allocated:

    # ip add

Checking the NIC Configuration

  1. Run the following command to open the /etc/sysconfig/network-scripts/ifcfg-eth0 file:

    vi /etc/sysconfig/network-scripts/ifcfg-eth0

  2. Modify the following configuration in this file.

    Take an ECS running CentOS 7 as an example.

    DEVICE="eth0"
    BOOTPROTO="dhcp"
    ONBOOT="yes"
    TYPE="Ethernet"
    PERSISTENT_DHCLIENT="yes"
  3. Run the following command to restart the network:

    service network restart

Checking the Firewall Configuration

Check whether the firewall is enabled, taking CentOS 7 as an example.

For more details, see Configuring a Firewall.

firewall-cmd --state

The command output is as follows:

[root@ecs-centos7 ~]# firewall-cmd --state 
running

Run the following command to disable the firewall:

systemctl stop firewalld.service

Enabling a firewall and configuring a security group protect your ECSs. If you disable a firewall, exercise caution when you enable ports in the security group.
