Updated on 2023-09-28 GMT+08:00

Why Does My Linux ECS Fail to Access the Internet?

Symptom

Your attempt to access the Internet from your Linux ECS failed.

Fault Locating

The following possible causes are listed in order of how likely they are to occur.

If the fault persists after you have ruled out a cause, check the other causes.

Table 1 Possible causes and solutions

  • Possible cause: The ECS is frozen or stopped, or has no EIP bound.
    Solution: Check whether the ECS is in the Running state and has an EIP bound. For details, see Checking the ECS Status.

  • Possible cause: The ECS is overloaded.
    Solution: Check whether the bandwidth and vCPU usage of the ECS are too high. For details, see Checking Whether the ECS Is Overloaded.

  • Possible cause: The EIP bandwidth exceeds the bandwidth limit.
    Solution: Increase the bandwidth and try again. For details, see Checking Whether the EIP Bandwidth Exceeded the Limit.

  • Possible cause: The DNS configuration is incorrect.
    Solution: Change the DNS server to a private one. For details, see Checking the DNS Configuration.

  • Possible cause: A specific resolution has been configured in the hosts file.
    Solution: Check whether the mappings in the hosts configuration file are correct. For details, see Checking the hosts Configuration File.

  • Possible cause: Both Network and NetworkManager are enabled.
    Solution: Use only one of the two tools to prevent incompatibility issues. For details, see Checking Whether Both Network and NetworkManager Have Been Enabled.

  • Possible cause: The security group is incorrectly configured.
    Solution: Check whether the security group allows the network traffic in the outbound direction. For details, see Checking Whether the Security Group Is Correctly Configured.

  • Possible cause: A network ACL has been associated with the ECS.
    Solution: Disassociate the network ACL from the ECS and try again. For details, see Checking ACL Rules.

  • Possible cause: The website you want to visit is outside the Chinese mainland.
    Solution: Optimize the website link configurations and try again. For details, see Checking Whether the Website to Be Visited Is Outside the Chinese Mainland. If the fault persists, use an HECS purchased in a region outside the Chinese mainland to access the website.

  • Possible cause: The EIP is blocked.
    Solution: If the EIP is blocked, the ECS cannot access the Internet. For details, see Checking Whether the EIP Is Blocked.

  • Possible cause: The private IP address is lost.
    Solution: Check whether the dhclient process is running. If it is not running, the private IP address may be lost. For details, see Checking Whether a Private IP Address Can Be Obtained.

  • Possible cause: NICs are incorrectly configured.
    Solution: Check whether the NIC and DNS configurations are correct. For details, see Checking the NIC Configuration.

  • Possible cause: A firewall is enabled on the ECS.
    Solution: Disable the firewall and try again. For details, see Checking the Firewall Configuration.

Checking the ECS Status

  • Check whether the ECS is in the Running state on the management console.
  • Check whether an EIP has been bound to the ECS.

    An ECS can access the Internet only if it has an EIP bound.

    For details about how to bind an EIP to the ECS, see Binding an EIP.

Checking Whether the ECS Is Overloaded

If the bandwidth and CPU usage of an ECS are too high, the network may be disconnected.

If you have created an alarm rule using Cloud Eye, the system automatically sends an alarm notification to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

To resolve this issue, perform the operations described in Why Is My Linux ECS Running Slowly?

Checking Whether the EIP Bandwidth Exceeded the Limit

An ECS with an EIP bound accesses the Internet through the bandwidth of that EIP.

If Internet access fails, check whether the EIP bandwidth exceeds the configured bandwidth size. For details, see How Do I Know If My EIP Bandwidth Limit Has Been Exceeded?

If the bandwidth exceeds the limit, increase the bandwidth. For details, see Changing an EIP Bandwidth.

Checking the DNS Configuration

Private DNS servers resolve domain names for the ECSs created using a public image by default. The private DNS servers do not affect the domain name resolution for the ECSs to access the Internet. Additionally, you can use the private DNS servers to directly access the internal addresses of other cloud services, such as OBS. Compared with the access through the Internet, this access mode features high performance and low latency.

Run the following command to view the DNS configuration:

cat /etc/resolv.conf

If the command output shown in Figure 1 is displayed, the domain name is resolved using the private DNS server.

Figure 1 DNS configuration

If the domain name of the ECS is resolved using a non-private DNS server and you want to switch to a private DNS server, change the DNS server to a private one.

For details, see How Can I Configure the NTP and DNS Servers for an ECS?

Checking the hosts Configuration File

If the DNS configuration is correct but the ECS still cannot access the Internet, check whether the mapping information in the hosts configuration file is correct. If any mapping is incorrect, comment it out.

For Linux, run the following command to view the hosts configuration:

vim /etc/hosts

If there is an incorrect domain name mapping, comment it out and save the hosts file.
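The DNS and hosts checks above can be done without opening either file in an editor. The following read-only script is an added example, not part of the original page; the function names are illustrative, and the file paths default to /etc/resolv.conf and /etc/hosts.

```shell
#!/bin/sh
# Added example: read-only audit of the name-resolution inputs.
# Function names are illustrative; nothing here modifies the system.

# Print each active nameserver from a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Print active (uncommented) hosts entries that map the given name,
# one per line as "line_number ip". Matching is case-insensitive.
hosts_overrides() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            sub(/#.*/, "")   # drop comments, including commented-out lines
            for (i = 2; i <= NF; i++)
                if (tolower($i) == want) { print NR, $1; break }
        }' "${2:-/etc/hosts}"
}

# Report whether a name is pinned in the hosts file. Such an entry is
# normally consulted before DNS, so a stale mapping breaks access.
check_name() {
    hits=$(hosts_overrides "$1" "${2:-/etc/hosts}")
    if [ -n "$hits" ]; then
        echo "PINNED $1 -> $hits"
    else
        echo "OK $1 has no hosts entry"
    fi
}

# Stand-alone use: sh check_resolution.sh example.com other.example
if [ "$#" -gt 0 ]; then
    echo "nameservers: $(list_nameservers | tr '\n' ' ')"
    for name in "$@"; do check_name "$name"; done
fi
```

A PINNED result gives the line number to review in /etc/hosts; an entry that nobody on the team added is also worth investigating as a possible unauthorized change.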

Checking Whether Both Network and NetworkManager Have Been Enabled

Network and NetworkManager are two network management tools, and only one of them should be enabled at a time. If both of them are enabled, they conflict with each other.

Take CentOS 7 as an example. NetworkManager is recommended for CentOS 7.

  1. Check the Network or NetworkManager running status.

    systemctl status network

    systemctl status NetworkManager

  2. Run the following commands to disable Network:

    systemctl stop network

    systemctl disable network

  3. Run the following commands to enable NetworkManager:

    systemctl start NetworkManager

    systemctl enable NetworkManager

Checking Whether the Security Group Is Correctly Configured

Check whether the security group of the ECS is correctly configured. Network traffic in the outbound direction is permitted if it matches an allow rule (allowlist entry) in the outbound rules of the security group.

As shown in Figure 2, all network traffic in the outbound direction is permitted.

For instructions about how to permit a protocol or port, see Configuring Security Group Rules.

Figure 2 Permitting all network traffic in the outbound direction

Checking ACL Rules

By default, no ACL rules are configured for a VPC. If a network ACL is associated with a VPC, check the ACL rules.

  1. Check whether the subnet of the ECS has been associated with a network ACL.

    If an ACL name is displayed, the network ACL has been associated with the ECS.

    Figure 3 Network ACL
  2. Click the ACL name to view its status.
    Figure 4 Enabled network ACL
  3. Disassociate the network ACL from the subnet of the ECS.
    On the page providing details about the network ACL, choose Associated Subnets > Disassociate.
    Figure 5 Disassociating a network ACL

    The default network ACL rule denies all incoming and outgoing packets. If a network ACL is disabled, the default rule is still effective.

  4. Try to access the Internet through the ECS again.

Checking Whether the Website to Be Visited Is Outside the Chinese Mainland

Websites outside the Chinese mainland may not be accessible or respond slowly when you access them through an ECS. This is caused by the slow access of a DNS server outside the Chinese mainland.

If you intend to access websites outside the Chinese mainland, select a region according to the website when purchasing an ECS.

To speed up the access to a website outside the Chinese mainland, see Why Accessing a Website Outside the Chinese Mainland Is Slow on an ECS?

Checking Whether the EIP Is Blocked

IP address blocking means that all traffic to the blocked IP address is sent to a null route. If the EIP is blocked, the ECS cannot access the Internet.

Generally, blocked EIPs will be automatically unblocked after 24 hours if no subsequent attack occurs.

It is recommended that you use Advanced Anti-DDoS (AAD) to prevent attacks.

Checking Whether a Private IP Address Can Be Obtained

Private IP addresses may be lost if the dhclient process is not running, or if the target NIC is not managed by NetworkManager because NetworkManager is not enabled to start automatically. Perform the following operations to locate the fault:

Consider an ECS running CentOS 7 as an example.

  1. Run the following command to check whether dhclient is running:

    # ps -ef |grep dhclient |grep -v grep

  2. If dhclient is not detected, run the following command to check whether NetworkManager is running:

    # systemctl status NetworkManager

    • If NetworkManager is in Active: inactive (dead) state, NetworkManager is not enabled. Run the following command to check whether NetworkManager is automatically started upon system startup:

      # systemctl is-enabled NetworkManager

      If the command output is disabled, run the following command to enable NetworkManager automatic startup:

      # systemctl enable NetworkManager && systemctl start NetworkManager

    • If NetworkManager is in Active: active (running) state, run the following command to check whether the target NIC is managed by NetworkManager:

      # nmcli device status

      If the NIC is in unmanaged state, run the following command to enable it to be managed by NetworkManager:

      # nmcli device set eth0 managed yes

  3. Run the following command to restart NetworkManager:

    # systemctl restart NetworkManager

  4. Run the following command to check whether the private IP address can be allocated:

    # ip add
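The decision steps above can be collected into one read-only script that prints the next command to run instead of running it. This is an added example, not part of the original page; the function names and the `--run` switch are illustrative, and it reads `nmcli` in terse mode (`-t -f DEVICE,TYPE,STATE`) so the output can be parsed reliably.

```shell
#!/bin/sh
# Added example: read-only walk through the dhclient / NetworkManager checks.
# Function names are illustrative; the script only prints the next command.

# Read `nmcli -t -f DEVICE,TYPE,STATE device status` on stdin and print
# the Ethernet devices that NetworkManager does not manage.
unmanaged_nics() {
    awk -F: '$2 == "ethernet" && $3 == "unmanaged" { print $1 }'
}

# Map the observed state to the step the procedure prescribes.
# $1 dhclient running (yes/no)    $2 NetworkManager active (yes/no)
# $3 `systemctl is-enabled` text  $4 space-separated unmanaged NICs
next_step() {
    if [ "$1" = yes ]; then
        echo "dhclient is running; check the address with: ip add"
    elif [ "$2" != yes ] && [ "$3" != enabled ]; then
        echo "systemctl enable NetworkManager && systemctl start NetworkManager"
    elif [ "$2" != yes ]; then
        # Assumption: the page does not cover "enabled but stopped".
        echo "systemctl start NetworkManager"
    elif [ -n "$4" ]; then
        for nic in $4; do echo "nmcli device set $nic managed yes"; done
        echo "systemctl restart NetworkManager"
    else
        echo "systemctl restart NetworkManager"
    fi
}

# Collect the live state and print the recommendation (needs systemd and nmcli).
diagnose() {
    dh=no; pgrep -x dhclient >/dev/null 2>&1 && dh=yes
    nm=no; systemctl is-active --quiet NetworkManager 2>/dev/null && nm=yes
    en=$(systemctl is-enabled NetworkManager 2>/dev/null || true)
    nics=$(nmcli -t -f DEVICE,TYPE,STATE device status 2>/dev/null | unmanaged_nics | tr '\n' ' ')
    next_step "$dh" "$nm" "$en" "$nics"
}

# Run only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then diagnose; fi
```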

Checking the NIC Configuration

  1. Run the following command to open the /etc/sysconfig/network-scripts/ifcfg-eth0 file:

    vi /etc/sysconfig/network-scripts/ifcfg-eth0

  2. Modify the following configuration in this file.

    Consider an ECS running CentOS 7 as an example.

    DEVICE="eth0"
    BOOTPROTO="dhcp"
    ONBOOT="yes"
    TYPE="Ethernet"
    PERSISTENT_DHCLIENT="yes"
  3. Run the following command to restart the network:

    service network restart

Checking the Firewall Configuration

Consider an ECS running CentOS 7 as an example. For more details, see How Do I Disable a Linux ECS Firewall and Add a Port Exception on a Linux ECS Firewall?

Run the following command to check whether the firewall is enabled:

firewall-cmd --state

The command output is as follows:

[root@ecs-centos7 ~]# firewall-cmd --state 
running

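Run the following command to disable the firewall. The command stops the firewalld service for the current session only; it does not change whether the service starts at boot: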

systemctl stop firewalld.service

Enabling a firewall and configuring a security group protect your ECSs. If you disable a firewall, exercise caution when you enable ports in the security group.
