I want to troubleshoot "Connection timed out" errors when I use Elastic Load Balancing (ELB).
Resolution
Verify that your load balancer scheme is internet facing
If the client is trying to connect over the internet, then verify that the ELB scheme is internet facing.
Check that a listener is configured for the load balancer port
To check the configuration of the listeners for your load balancer port that the client connects to, see the following documentation:
Check that the security groups for your target instances allow traffic
Application Load Balancers and Classic Load Balancers
Check the settings of the security group that's attached to the load balancer. Confirm that traffic is allowed in both directions for the listener and health check ports. For more information, see Security groups for your Application Load Balancer and Configure security groups for your Classic Load Balancer.
Network Load Balancers
To register Amazon Elastic Compute Cloud (EC2) instances as targets, the instance security groups must allow traffic on both the listener and health check ports.
If you register targets by IP address, then be sure that the security group for the targets allows traffic from the Network Load Balancer nodes.
If you use client IP preservation, then confirm that the target security group allows traffic from the client IP addresses.
Verify that the network ACL allows the required traffic
Verify that the network access control list (network ACL) that's associated with the subnets that contain the load balancer nodes allows access to the following:
- The port that's accessed
- Specific client IP addresses in the inbound rules
Network ACLs are stateless, so you must allow access in both inbound and outbound rules. Check that all the ephemeral ports are allowed in your outbound rules. If you allow only some ephemeral ports, then you might have intermittent connection issues. For more information, see Network ACLs for the instances for your Classic Load Balancer.
Confirm that route tables are configured correctly
For internet-facing load balancers, confirm that the route tables that are associated with the subnets that contain the load balancer nodes have a route to an internet gateway.
For internal load balancers that are reached over a private connection, multiple route tables might be associated with different subnets, so connectivity issues can occur on individual nodes. Check the route tables that are associated with all nodes. If connectivity fails for a node, then verify that the route table that's associated with the load balancer node's subnet is configured correctly. Add routes as required.
To test connectivity to each node, run one of the following commands:
nc -v ELB-IP-Address Port
telnet ELB-IP-Address Port
Note: Replace ELB-IP-Address with the IP address of the load balancer node and Port with your listener port.
Verify that the client isn't connecting to a terminated Application Load Balancer or Classic Load Balancer node
To verify that the client's IP addresses are included on the list of current published IP addresses in the ELB DNS, run the following command:
$ dig +short example.com
35.154.42.229
13.126.64.179
Note: Replace example.com with your domain name.
Confirm that a client-side firewall doesn't block traffic
If the previous resolutions don't resolve your connectivity issues, then a client-side firewall might be blocking traffic.
If you use Amazon Virtual Private Cloud (Amazon VPC) Flow Logs for IP address traffic, then check the logs of the load balancer node interfaces. Confirm that the load balancer node receives the SYN from the client IP address. Then, confirm that the load balancer node returns a SYN-ACK to the client IP address. If the load balancer node doesn't return a SYN-ACK, then there might be an issue with that node. For an example of how to read flow logs, see TCP flag sequence.
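One way to apply that flow-log check to exported records, added here as an example that is not part of this article: it assumes a custom flow-log format that includes the tcp-flags field (the field names, ENI IDs and records below are constructed) and reports, per load balancer node interface, whether the client's SYN arrived and a SYN-ACK went back.

```python
from collections import defaultdict

# Custom VPC flow-log format assumed for this example (fields are chosen when
# the flow log is created; this is not the default format):
FIELDS = ["interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "tcp_flags", "action"]
SYN, ACK = 2, 16          # tcp-flags bitmask values used by VPC Flow Logs
SYN_ACK = SYN | ACK       # 18

# Constructed sample records: two load balancer node ENIs, one client, port 443.
# eni-0aaa completes the handshake; eni-0bbb receives SYNs but never answers.
SAMPLE_LOG = """\
eni-0aaa 203.0.113.10 10.0.1.20 51515 443 6 2 ACCEPT
eni-0aaa 10.0.1.20 203.0.113.10 443 51515 6 18 ACCEPT
eni-0bbb 203.0.113.10 10.0.2.20 51516 443 6 2 ACCEPT
eni-0bbb 203.0.113.10 10.0.2.20 51516 443 6 2 ACCEPT
"""

def parse(log_text):
    """Yield one dict per non-empty flow-log line, keyed by FIELDS."""
    for line in log_text.splitlines():
        if line.strip():
            yield dict(zip(FIELDS, line.split()))

def handshake_status(log_text, client_ip, lb_port, node_enis):
    """Classify each load balancer node ENI for one client and listener port:
    'ok'         - SYN from the client seen and SYN-ACK returned to it
    'no-syn-ack' - SYN received but no SYN-ACK returned (suspect that node)
    'no-syn'     - no SYN from the client reached this node at all"""
    seen = defaultdict(lambda: {"syn": False, "synack": False})
    for rec in parse(log_text):
        if rec["protocol"] != "6":      # TCP only
            continue
        flags = int(rec["tcp_flags"])   # OR of flags over the aggregation interval
        eni = rec["interface_id"]
        if rec["srcaddr"] == client_ip and rec["dstport"] == str(lb_port) \
                and flags & SYN:
            seen[eni]["syn"] = True
        elif rec["dstaddr"] == client_ip and rec["srcport"] == str(lb_port) \
                and (flags & SYN_ACK) == SYN_ACK:
            seen[eni]["synack"] = True
    result = {}
    for eni in node_enis:
        s = seen[eni]
        result[eni] = ("ok" if s["syn"] and s["synack"]
                       else "no-syn-ack" if s["syn"] else "no-syn")
    return result

if __name__ == "__main__":
    nodes = ["eni-0aaa", "eni-0bbb", "eni-0ccc"]
    for eni, state in handshake_status(SAMPLE_LOG, "203.0.113.10", 443, nodes).items():
        print(eni, state)
```

A node reported as no-syn-ack is the one to investigate; a node reported as no-syn points back at the network ACL, security group or route table checks above rather than at the node itself.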
Take a packet capture on the machine that's running the client. To get network traffic for analysis, use the tcpdump utility. For more information about tcpdump, see Documentation on the tcpdump website. If the connection fails, then update your firewall rules to allow the required traffic.
Related information
Troubleshoot your Application Load Balancers
Troubleshoot your Classic Load Balancer
Custom network ACLs