Help Center > > FAQs> Network Configurations> Website or Application Access Failures> How Do I Troubleshoot an Unresponsive Website Hosted on My ECS?

How Do I Troubleshoot an Unresponsive Website Hosted on My ECS?

Updated at: Jun 29, 2021 GMT+08:00

Symptom

Websites running on an ECS might become unreachable for multiple reasons. Check whether the configurations of network, port, firewall, or security group of the ECS are correct.

Fault Locating

If an error is displayed when you access a website, identify possible causes based on the error message.

Identify possible causes based on error code description in Returned Values for General Requests.

Possible causes are listed here in order of their probability.

If the fault persists after you have ruled out one cause, move on to the next one.

Figure 1 Fault locating
Table 1 Possible causes and solutions

Possible Cause

Solution

Port communication

Check whether the web port used by the target website is properly listened to on the ECS. For details, see Checking Port Communication.

Security group rules

Check whether the access to the port is allowed in the security group of the ECS. For details, see Checking Security Group Rules.

Firewall configuration

Disable the firewall and try again. For details, see Checking the Firewall Configuration.

Routing configuration

Check whether the gateway configurations in the ECS route table are correct. For details, see Checking the Routing Configuration.

Local network

Check whether you can use another hotspot or network to access the website. For details, see Checking the Local Network.

vCPU usage

Identify and optimize the processes leading to high vCPU usage. For details, see Checking the vCPU Usage.

Checking Port Communication

Ensure that service processes and ports are in LISTEN state. Table 2 lists the common TCP statuses.

  • Linux

    Run the netstat -antp command to check whether the port used by the target website is in LISTEN state.

    For example, run netstat -ntulp |grep 80.
    Figure 2 Checking port listening status
  • Windows

    Perform the following operations to check port communication:

    1. Run cmd.exe.
    2. Run the netstat -ano | findstr "PID" command to obtain the PID used by the process.
      For example, run netstat -ano | findstr "80".
      Figure 3 Checking port listening status
      • If the port is in LISTENING state, go to Checking Security Group Rules.
      • If the port is not in LISTENING state, check whether the web service process has been started and correctly configured.
Table 2 Common TCP statuses

TCP Status

Description

Application Scenario

LISTEN

Listens for network connection requests from a remote TCP port.

The TCP server is running properly.

ESTABLISHED

Indicates that a connection has been set up.

A TCP connection is properly set up.

TIME-WAIT

Waits until the remote TCP server receives the acknowledgement after sending a disconnection request.

The TCP connection is disconnected, and this state is cleared in 1 minute.

CLOSE-WAIT

Waits for a disconnection request sent by a local user.

An application program fault leads to an open socket. This state is displayed after the network is disconnected, indicating that a process is in an infinite loop or waiting for certain requirements to be met. To resolve this issue, restart the affected process.

FIN-WAIT-2

Waits for the network disconnection request from a remote TCP server.

The network has been disconnected and requires 12 minutes to automatically recover.

SYN-SENT

Waits for the matched network connection request after a network connection request is sent.

The TCP connection request failed, which is generally caused by the delayed handling of high CPU usage on the server or by a DDoS attack.

FIN-WAIT-1

Waits for the remote TCP disconnection request, or the acknowledgement for previous disconnection request.

If the network has been disconnected, this state may not automatically recover after 15 minutes. If the port has been used for a long period of time, restart the OS to resolve this issue.

Checking Security Group Rules

If the port used by the target website is denied in the security group, add a rule to the security group to allow the access of the port.
  1. Log in to the management console.
  2. Under Computing, click Elastic Cloud Server.
  3. In the ECS list, click the name of the ECS with security group rules to be modified.
  4. Click the Security Groups tab and view security group rules.
  5. Click Modify Security Group Rule.
  6. Configure the rule to allow the access of the port used by the website.

Checking the Firewall Configuration

  • Linux
    The following uses port 80 and CentOS 6.8 as an example.
    1. Run the iptables -nvL --line-number command to obtain firewall policies.
    2. Run the following commands to allow access to port 80:

      iptables -A INPUT -p tcp --dport 80 -j ACCEPT

      iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

    3. Run the service iptables save command to save the added rules.
    4. Run the service iptables restart command to restart iptables.
    5. Run the iptables -nvL --line-number command to check whether the added rules have taken effect.
    6. Disable the firewall and try again.
  • Windows
    1. Log in to the Windows ECS.
    2. Click the Windows icon in the lower left corner of the desktop and choose Control Panel > Windows Firewall.

    3. Click Turn Windows Firewall on or off.

      View and set the firewall status.

    1. Disable the firewall and try again.

Checking the Routing Configuration

  • Linux
    1. Run the route command to check the routing policy. Ensure that the default route of 0.0.0.0 is destined for the gateway and that the IP address and the gateway are in the same network segment, as shown in the first and third lines in the following figure.

    2. Run the ifconfig or ip addr command to obtain the ECS IP address.
      Figure 4 ifconfig command output
      Figure 5 ip addr command output
    3. Run the route -n command to obtain the gateway in the routing table.
      Figure 6 route -n command output
  • Windows
    1. Run cmd.exe.
    2. Run the ipconfig command to obtain the ECS IP address.
      Figure 7 ipconfig command output
    3. Run the route print command to obtain the gateway in the routing table.
      Figure 8 route print command output

Checking the Local Network

Try another hotspot or network for access.

If the access is successful, the fault may occur in the local carrier network. In such a case, rectify the local network fault and try again.

Checking the vCPU Usage

If the bandwidth or vCPU usage of an ECS is too high, website access failures may occur. If you have created an alarm rule using Cloud Eye, the system automatically sends an alarm to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

  1. Identify the processes leading to high bandwidth or vCPU usage.
    • Windows

      Windows offers multiple tools to locate faults, including Task Manager, Performance Monitor, Resource Monitor, Process Explorer, Xperf (supported by versions later than Windows Server 2008), and full memory dump analysis.

    • Linux

      Run the tcp command to check the OS running status.

  1. Check whether the processes are malicious and handle the issue accordingly.
    • If the processes are not malicious, optimize their programs or modify ECS specifications.
    • If the processes are malicious, stop these processes manually or use a third-party tool to stop them automatically.

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel