- Newest
- Most votes
- Most comments
i can access the instance with RDP from my windows laptop.
This is good, as it shows that the EC2 instance is in a public subnet, and you will have (at least) inbound port 3389 open in the security group associated with the instance.
within the instance, I can telnet to itself via 127.0.0.1:27000
This shows that something is listening on port 27000. Can the instance also connect by telnet to its own private IP address on port 27000 ?
If it can then, going one step back, is inbound port 27000 open in the security group associate with the instance, and once that's confirmed can your laptop telnet to the public IP address of the instance on port 27000 ?
But I cannot connect to the instance via telnet or ssh
What are you expecting here, are you expecting to be able to SSH to the licence manager port and start interacting with it?
An SSH connection needs an SSH server on the target host to connect onto, typically these aren't part of Windows which you instead administer over RDP on port 3389 (which you can already do).
Is there something more here, like are you trying to use an SSH tunnel and port forwarding, or something like that?
It seems you're experiencing an issue where, although you can successfully RDP into your Windows-based instance and ping it, you’re unable to connect via Telnet or SSH to access the lmgrd license manager service. Since you’ve already configured the necessary inbound and outbound rules in the Security Group, Network ACL, and Windows Firewall, let’s go over some additional troubleshooting steps to help resolve the issue.
1. Security Group Configuration
Ensure that the Security Group attached to your instance explicitly allows:
- Inbound TCP traffic on port 27000 (or whichever port your license manager is using) for Telnet.
- Inbound TCP traffic on port 22 for SSH (if you're using SSH for remote access).
Also, confirm that the source IP in the inbound rules matches the IP range of your laptop (either your public IP address or 0.0.0.0/0
for testing purposes).
2. Network ACLs (NACLs)
Verify that the NACLs for the subnet where the instance resides allow:
- Inbound and outbound TCP traffic on the required ports (27000 for Telnet and 22 for SSH). Ensure the ACLs are not inadvertently blocking traffic between your laptop and the instance.
3. Windows Firewall Configuration
Confirm that the Windows Defender Firewall (or any other firewall running on the instance) allows inbound traffic on ports 27000 and 22. Since you've already made changes to the firewall, double-check that the rules are applied to the right network profile (public, private, or domain) and are configured to allow both inbound and outbound traffic for these ports.
4. License Manager Configuration (lmgrd)
Ensure that the lmgrd service is correctly bound to either the public IP (EIP) or 0.0.0.0
(which would allow external connections) and not just to 127.0.0.1
. If the service is only bound to 127.0.0.1
, it will not accept external connections.
To verify this, run the following command on your instance:
netstat -an | findstr 27000
You should see that it's listening on 0.0.0.0:27000
or the instance’s private IP address.
5. SSH and Telnet Services
If you're using SSH, confirm that an SSH server (like OpenSSH) is installed and running on your Windows instance. Without this, SSH connections will fail. Similarly, for Telnet, ensure the Telnet server is installed and actively listening on the designated port.
6. Check Connectivity from Your Laptop
Make sure there are no firewalls or security settings on your laptop that are blocking outbound connections on ports 27000 or 22. You can also use tools like nmap or telnet from your laptop to check if the required ports are open:
telnet <instance_public_IP> 27000
or
ssh <instance_public_IP>
7. Enable Windows Firewall Logging
To further investigate, consider enabling Windows Firewall logging to check if any connection attempts on ports 27000 or 22 are being blocked. This can help diagnose if there are any hidden issues with the firewall.
You can enable logging by going to Advanced Security
settings in the Windows Firewall and setting up logging for dropped packets.
8. VPC Flow Logs
Another useful step is enabling VPC Flow Logs to monitor traffic between your laptop and the instance. This can reveal whether any traffic is being blocked at the VPC level and whether your connection attempts are reaching the instance.
9. Accessing via RDP
As a temporary workaround, since you can successfully connect via RDP, you can manage the license service from within the instance. However, this is not ideal for long-term external access.
If you are still having an issue, reach out to the IBM Documentation or Support - https://www.ibm.com/docs/en/common-licensing/9.0.0?topic=licensing-license-manager-daemon-lmgrd
Relevant content
- Accepted Answerasked a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated a year ago