How do I troubleshoot ELB "Connection timed out" errors?


I want to troubleshoot "Connection timed out" errors when I use Elastic Load Balancing (ELB).

Resolution

Verify that your load balancer scheme is internet facing

If the client is trying to connect over the internet, then verify that the ELB scheme is internet facing.

Check that a listener is configured for the load balancer port

To check that a listener is configured on the load balancer port that the client connects to, see the following documentation:

Check that the security groups for your target instances allow traffic

Application Load Balancers and Classic Load Balancers

Check the settings of the security group that's attached to the load balancer. Confirm that traffic is allowed in both directions for the listener and health check ports. For more information, see Security groups for your Application Load Balancer and Configure security groups for your Classic Load Balancer.

Network Load Balancers

To register Amazon Elastic Compute Cloud (EC2) instances as targets, the instance security groups must allow traffic on both the listener and health check ports.

If you register targets by IP address, then be sure that the security group for the targets allows traffic from the Network Load Balancer nodes.

If you use client IP preservation, then confirm that the target security group allows traffic from the client IP addresses.

Verify that the network ACL allows the required traffic

Verify that the network access control list (network ACL) that's associated with the subnets that contain the load balancer nodes allows access to the following:

  • The port that's accessed
  • Specific client IP addresses in the inbound rules

Network ACLs are stateless, so you must allow access in both inbound and outbound rules. Check that all the ephemeral ports are allowed in your outbound rules. If you allow only some ephemeral ports, then you might have intermittent connection issues. For more information, see Network ACLs for the instances for your Classic Load Balancer.
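The difference between the stateful security group checks in the previous section and the stateless network ACL checks in this one is easy to get wrong, so the following added example (not part of this AWS article) evaluates a sample client connection against both. The rule records are constructed sample data shaped loosely after what `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` return; they are not a real account's configuration, and the function names are this example's own. The sample network ACL deliberately allows only part of the ephemeral port range outbound, which is the partial-range mistake that produces intermittent timeouts.

```python
"""Offline evaluation of a client TCP connection against a security group
(stateful) and a network ACL (stateless).

Added example, not from the AWS article. The rule records are constructed
sample data; the function names are this example's own.
"""
import functools
import ipaddress

# Constructed security group inbound rules: TCP 443 from anywhere,
# TCP 80 only from one office range.
SAMPLE_SG_INBOUND = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
    {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidrs": ["198.51.100.0/24"]},
]

# Constructed network ACL. Protocol "6" is TCP, "-1" is all traffic.
# The outbound rule covers only 32768-65535, so clients whose OS or NAT
# picks a lower source port never get their SYN-ACK back.
SAMPLE_NACL = [
    {"rule_number": 100, "egress": False, "protocol": "6", "from_port": 443,
     "to_port": 443, "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule_number": 100, "egress": True, "protocol": "6", "from_port": 32768,
     "to_port": 65535, "cidr": "0.0.0.0/0", "action": "allow"},
]


@functools.lru_cache(maxsize=None)
def _in_net(ip, cidr):
    """Cached CIDR membership test (called once per port when scanning ranges)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _matches(ip, cidr, port, from_port, to_port):
    """Does ip fall in cidr and port in [from_port, to_port]?"""
    return _in_net(ip, cidr) and from_port <= port <= to_port


def sg_allows(inbound_rules, client_ip, port):
    """Security groups are stateful: when an inbound rule matches the client's
    SYN, the reply packets are allowed out automatically, so only the inbound
    direction needs to be checked."""
    for rule in inbound_rules:
        if rule["protocol"] not in ("tcp", "-1"):
            continue
        if any(_matches(client_ip, cidr, port, rule["from_port"], rule["to_port"])
               for cidr in rule["cidrs"]):
            return True
    return False


def nacl_decision(entries, egress, remote_ip, port):
    """The first matching entry in ascending rule-number order decides;
    with no match the implicit '*' rule denies."""
    candidates = sorted((e for e in entries if e["egress"] == egress),
                        key=lambda e: e["rule_number"])
    for e in candidates:
        if e["protocol"] not in ("6", "-1"):
            continue
        if _matches(remote_ip, e["cidr"], port, e["from_port"], e["to_port"]):
            return e["action"]
    return "deny"


def nacl_allows_connection(entries, client_ip, client_port, lb_port):
    """Network ACLs are stateless: the inbound SYN to lb_port AND the outbound
    SYN-ACK back to the client's ephemeral source port must both be allowed."""
    return (nacl_decision(entries, False, client_ip, lb_port) == "allow"
            and nacl_decision(entries, True, client_ip, client_port) == "allow")


def blocked_ephemeral_ports(entries, client_ip, low=1024, high=65535):
    """Count client source ports in [low, high] whose return traffic the
    outbound rules would drop. Anything above zero means some clients time out."""
    return sum(1 for p in range(low, high + 1)
               if nacl_decision(entries, True, client_ip, p) != "allow")


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed client address
    print("SG allows 443:", sg_allows(SAMPLE_SG_INBOUND, client, 443))
    print("NACL, client source port 50000:",
          nacl_allows_connection(SAMPLE_NACL, client, 50000, 443))
    print("NACL, client source port 20000:",
          nacl_allows_connection(SAMPLE_NACL, client, 20000, 443))
    print("Ephemeral ports with no return path:",
          blocked_ephemeral_ports(SAMPLE_NACL, client))
```

Run it as-is to see the 443 connection pass the security group and the network ACL for one source port but fail for another; widening the outbound entry to 1024-65535 brings the blocked count to zero. To check a real account, replace the sample records with the rule sets from the CLI output.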

Confirm that route tables are configured correctly

For internet-facing load balancers, confirm that the route tables that are associated with the load balancer node subnets have a route to an internet gateway.

For internal load balancers that are reached over a private connection, different subnets might have different route tables associated with them, so connectivity can fail on individual nodes. Check the route tables that are associated with the subnets of all nodes. If connectivity fails for a node, then verify that the route table that's associated with that node's subnet is configured correctly. Add routes as required.

To test node connectivity, run the following command:

nc -v <ELB IP Address> <Port>
telnet <ELB IP Address> <Port>

Note: Replace ELB IP Address with your ELB IP address and Port with your port.

Verify that the client isn't connecting to a terminated Application Load Balancer or Classic Load Balancer node

To verify that the IP addresses the client connects to are among the IP addresses currently published in the load balancer's DNS record, run the following command:

$ dig +short example.com
35.154.42.229
13.126.64.179

Note: Replace example.com with your domain name.
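The node connectivity test and the DNS check above can be combined into one script. The following is an added example, not from this AWS article: `resolve_lb()` does a live DNS lookup (the equivalent of `dig +short`), `stale_targets()` compares the addresses a client is using against what DNS currently publishes, and `tcp_probe()` does what `nc -v` does and names the failure mode. The IP lists under `__main__` are constructed sample values, and the function names are this example's own.

```python
"""Check whether the addresses a client is using are still published for the
load balancer, then probe each current node on the listener port.

Added example, not from the AWS article. Sample IP lists are constructed;
function names are this example's own.
"""
import socket


def resolve_lb(dns_name):
    """Current IPv4 addresses published for the load balancer's DNS name
    (live lookup, equivalent to `dig +short <dns_name>`)."""
    infos = socket.getaddrinfo(dns_name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def stale_targets(client_ips, published_ips):
    """Addresses the client still sends to that are no longer in DNS.
    A client that cached an old DNS answer, or was given a node IP directly,
    keeps connecting to a retired node and sees timeouts."""
    return sorted(set(client_ips) - set(published_ips))


def tcp_probe(ip, port, timeout=3.0):
    """Like `nc -v ip port`: returns 'open', 'refused', 'timeout' or 'unreachable'.
    'timeout' points at the path (network ACL, route table, firewall);
    'refused' means the node answered but nothing listens on that port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def probe_published_nodes(dns_name, port, timeout=3.0):
    """Resolve the name and probe every published node; returns {ip: result}."""
    return {ip: tcp_probe(ip, port, timeout) for ip in resolve_lb(dns_name)}


if __name__ == "__main__":
    # Constructed sample: addresses seen in the client's connection table
    # versus what DNS currently publishes for the load balancer.
    client_side = ["35.154.42.229", "198.51.100.7"]
    published = ["35.154.42.229", "13.126.64.179"]
    print("stale:", stale_targets(client_side, published))
    # Live check (needs network): substitute your load balancer DNS name.
    # print(probe_published_nodes("<your-lb-dns-name>", 443))
```

In practice, take the client-side list from the client's connection table (for example `ss -tn` or `netstat -an` on the client host) and the published list from `resolve_lb()` run at the same time; a non-empty `stale_targets()` result explains a timeout without any further network debugging.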

Confirm that a client-side firewall doesn't block traffic

If the previous resolutions don't resolve your connectivity issues, then a client-side firewall might be blocking traffic.

If you use Amazon Virtual Private Cloud (Amazon VPC) Flow Logs for IP address traffic, then check the logs of the load balancer node interfaces. Confirm that the load balancer node receives the SYN from the client IP address. Then, confirm that the load balancer node returns SYN, ACK to the client IP address. If the load balancer node doesn't return SYN, ACK, then there might be an issue with that node. For an example of how to read flow logs, see TCP flag sequence.
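The following added example (not from this AWS article) reads flow log records for a load balancer node interface and classifies the handshake with a given client the way the paragraph above describes. It assumes a custom flow log format that includes the tcp-flags field (available from flow log record version 3) in the field order listed in the docstring; the records, the ENI id, the addresses and the function names are all constructed for this example. Because flow logs aggregate packets over an interval, tcp-flags is a bitwise OR of the flags seen, so the code tests bits rather than comparing whole values.

```python
"""Classify a TCP handshake from VPC flow log records of a load balancer
node interface.

Added example, not from the AWS article. Assumed custom record format:
  version interface-id srcaddr dstaddr srcport dstport protocol tcp-flags action
All records, the ENI id and the addresses are constructed sample data.
"""

FIELDS = ["version", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "tcp-flags", "action"]

SYN = 0x02
ACK = 0x10

# Constructed records for one load balancer node ENI (10.0.1.25:443):
#   203.0.113.10 : SYN in, SYN-ACK out, FIN         -> healthy handshake
#   198.51.100.7 : SYN accepted twice, never answered -> node or target side
#   192.0.2.99   : SYN rejected                       -> security group or network ACL
SAMPLE_FLOW_LOG = """\
3 eni-0123456789abcdef0 203.0.113.10 10.0.1.25 51234 443 6 2 ACCEPT
3 eni-0123456789abcdef0 10.0.1.25 203.0.113.10 443 51234 6 18 ACCEPT
3 eni-0123456789abcdef0 203.0.113.10 10.0.1.25 51234 443 6 1 ACCEPT
3 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 40000 443 6 2 ACCEPT
3 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 40000 443 6 2 ACCEPT
3 eni-0123456789abcdef0 192.0.2.99 10.0.1.25 40001 443 6 2 REJECT
"""


def parse_flow_log(text):
    """Split space-separated records into dicts; numeric fields become ints.
    Lines with the wrong field count (NODATA/SKIPDATA, truncation) are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("version", "srcport", "dstport", "protocol", "tcp-flags"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def handshake_status(records, client_ip, node_ip, port):
    """Return 'ok', 'no-syn-ack', 'rejected' or 'no-syn' for the handshake
    between client_ip and node_ip:port, using the SYN/ACK bits of tcp-flags."""
    syn_accepted = syn_rejected = synack_returned = False
    for r in records:
        if r["protocol"] != 6:  # TCP only
            continue
        inbound = (r["srcaddr"] == client_ip and r["dstaddr"] == node_ip
                   and r["dstport"] == port)
        outbound = (r["srcaddr"] == node_ip and r["dstaddr"] == client_ip
                    and r["srcport"] == port)
        flags = r["tcp-flags"]
        if inbound and flags & SYN:
            if r["action"] == "ACCEPT":
                syn_accepted = True
            else:
                syn_rejected = True
        if outbound and (flags & (SYN | ACK)) == (SYN | ACK):
            synack_returned = True
    if syn_accepted and synack_returned:
        return "ok"           # node answered; look further along the path
    if syn_accepted:
        return "no-syn-ack"   # SYN arrived but the node did not reply
    if syn_rejected:
        return "rejected"     # dropped by security group or network ACL
    return "no-syn"           # never reached this ENI: client firewall or routing


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for client in ("203.0.113.10", "198.51.100.7", "192.0.2.99", "203.0.113.200"):
        print(client, handshake_status(recs, client, "10.0.1.25", 443))
```

A "no-syn" result for a client that reports timeouts is the case the next paragraph addresses: the SYN never reached the node interface, so the block is on the client side or in routing, and a packet capture on the client is the next step.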

Take a packet capture on the machine that's running the client. To get network traffic for analysis, use the tcpdump utility. For more information about tcpdump, see Documentation on the tcpdump website. If the connection fails, then update your firewall rules to allow the required traffic.

Related information

Troubleshoot your Application Load Balancers

Troubleshoot your Classic Load Balancer

Custom network ACLs

AWS OFFICIAL. Updated 17 days ago.