cannot access my windows-based instance from my laptop via telnet/ssh

0

I am hosting a license in the windows-based instance. It's a lmgrd managed license service. I have enabled the inbound/outbound rules for security group and ACL. and also enabled inbound/outbound rules in the instance firewall within windows.

I can ping the instance via its EIP public IP address. But I cannot connect to the instance via telnet or ssh. within the instance, I can telnet to itself via 127.0.0.1:27000.

In addition, i can access the instance with RDP from my windows laptop.

Fei
asked 24 days ago41 views
2 Answers
1

i can access the instance with RDP from my windows laptop.

This is good, as it shows that the EC2 instance is in a public subnet, and you will have (at least) inbound port 3389 open in the security group associated with the instance.

within the instance, I can telnet to itself via 127.0.0.1:27000

This shows that something is listening on port 27000. Can the instance also connect by telnet to its own private IP address on port 27000 ?

If it can then, going one step back, is inbound port 27000 open in the security group associate with the instance, and once that's confirmed can your laptop telnet to the public IP address of the instance on port 27000 ?

But I cannot connect to the instance via telnet or ssh

What are you expecting here, are you expecting to be able to SSH to the licence manager port and start interacting with it?

An SSH connection needs an SSH server on the target host to connect onto, typically these aren't part of Windows which you instead administer over RDP on port 3389 (which you can already do).

Is there something more here, like are you trying to use an SSH tunnel and port forwarding, or something like that?

profile picture
EXPERT
Steve_M
answered 24 days ago
profile picture
EXPERT
reviewed 24 days ago
profile pictureAWS
EXPERT
reviewed 24 days ago
0

It seems you're experiencing an issue where, although you can successfully RDP into your Windows-based instance and ping it, you’re unable to connect via Telnet or SSH to access the lmgrd license manager service. Since you’ve already configured the necessary inbound and outbound rules in the Security Group, Network ACL, and Windows Firewall, let’s go over some additional troubleshooting steps to help resolve the issue.

1. Security Group Configuration

Ensure that the Security Group attached to your instance explicitly allows:

  • Inbound TCP traffic on port 27000 (or whichever port your license manager is using) for Telnet.
  • Inbound TCP traffic on port 22 for SSH (if you're using SSH for remote access).

Also, confirm that the source IP in the inbound rules matches the IP range of your laptop (either your public IP address or 0.0.0.0/0 for testing purposes).

2. Network ACLs (NACLs)

Verify that the NACLs for the subnet where the instance resides allow:

  • Inbound and outbound TCP traffic on the required ports (27000 for Telnet and 22 for SSH). Ensure the ACLs are not inadvertently blocking traffic between your laptop and the instance.

3. Windows Firewall Configuration

Confirm that the Windows Defender Firewall (or any other firewall running on the instance) allows inbound traffic on ports 27000 and 22. Since you've already made changes to the firewall, double-check that the rules are applied to the right network profile (public, private, or domain) and are configured to allow both inbound and outbound traffic for these ports.

4. License Manager Configuration (lmgrd)

Ensure that the lmgrd service is correctly bound to either the public IP (EIP) or 0.0.0.0 (which would allow external connections) and not just to 127.0.0.1. If the service is only bound to 127.0.0.1, it will not accept external connections.

To verify this, run the following command on your instance:

netstat -an | findstr 27000

You should see that it's listening on 0.0.0.0:27000 or the instance’s private IP address.

5. SSH and Telnet Services

If you're using SSH, confirm that an SSH server (like OpenSSH) is installed and running on your Windows instance. Without this, SSH connections will fail. Similarly, for Telnet, ensure the Telnet server is installed and actively listening on the designated port.

6. Check Connectivity from Your Laptop

Make sure there are no firewalls or security settings on your laptop that are blocking outbound connections on ports 27000 or 22. You can also use tools like nmap or telnet from your laptop to check if the required ports are open:

telnet <instance_public_IP> 27000

or

ssh <instance_public_IP>

7. Enable Windows Firewall Logging

To further investigate, consider enabling Windows Firewall logging to check if any connection attempts on ports 27000 or 22 are being blocked. This can help diagnose if there are any hidden issues with the firewall.

You can enable logging by going to Advanced Security settings in the Windows Firewall and setting up logging for dropped packets.

8. VPC Flow Logs

Another useful step is enabling VPC Flow Logs to monitor traffic between your laptop and the instance. This can reveal whether any traffic is being blocked at the VPC level and whether your connection attempts are reaching the instance.

9. Accessing via RDP

As a temporary workaround, since you can successfully connect via RDP, you can manage the license service from within the instance. However, this is not ideal for long-term external access.

If you are still having an issue, reach out to the IBM Documentation or Support - https://www.ibm.com/docs/en/common-licensing/9.0.0?topic=licensing-license-manager-daemon-lmgrd

profile picture
answered 24 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions