
I have a client EC2 instance and a server EC2 instance, both residing in the same EC2 subnet. The subnet routing table is configured so that this is a “local” route.

When I run EC2 networking insights for a TCP path from the client instance to the server instance at port 22, it finds a path successfully. To me, that suggests that security groups and ACLs are configured in a way that permits this traffic.

When I run telnet <server-ip> 22 from the client, I get “No route to host.” In strace, I see that connect(2) is failing with errno=EHOSTUNREACH.

To me, that kinda suggests security groups / ACLs / issues with intermediate routing? But when I run telnet from the server to the client with random ports, which I know nothing’s listening on, I get the expected “Connection refused.”

Especially weird is that I can see the communication fine in the VPC flow log. The action is “ACCEPT”, and the log-status is “OK.” So that kinda suggests that security groups / ACLs are fine?

When I run route(8) from the client instance, I see that the gateway for the server instance is 0.0.0.0, which suggests it’s just available on the local broadcast domain. So it doesn’t seem like there are any intermediate routers.

Does anyone have any idea of what’s going on here, or what I could do to debug further? Ideally, I'd have other ways of getting on the instance, or at least accessing its logs.

It kinda seems like the server instance might be rejecting the traffic at the level of IP, without getting to TCP? But that seems strange, because the server’s IP layer shouldn’t even know about the TCP port.

I believe that sshd is running on the server instance, so if I can resolve this networking issue, then presumably I can access my instance.

1 Answer


Apparently firewalld was started on the server instance here. So no response from server to TCP SYN.
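The errno that connect(2) returns already narrows down which layer blocked the SYN, which is what separates a host firewall from a security group in the question above. The probe below is an added example, not code from the poster or the answerer; it encodes the assumptions that EC2 security groups and NACLs drop silently (timeout), that a host firewall such as firewalld in its default zone rejects with an ICMP prohibited message (EHOSTUNREACH), and that a closed port on a reachable host answers with RST (ECONNREFUSED).

```python
import errno
import socket

# Constructed mapping from the errno symbol connect(2) returns (as strace prints
# it) to the layer that most likely produced it. These are assumptions stated in
# the lead-in, not facts taken from the thread.
DIAGNOSIS = {
    "ECONNREFUSED": "host reachable, port closed (RST received): nothing listening, not a filter",
    "EHOSTUNREACH": "ICMP prohibited or no ARP/neighbor reply: host firewall REJECT "
                    "(e.g. firewalld) or an L2 problem; security groups do not send this",
    "ETIMEDOUT": "SYN silently dropped: security group, NACL, or a DROP rule on the host",
    "ENETUNREACH": "no route on the client side: check the client's routing table",
}


def classify(err_name):
    """Map an errno symbol such as 'EHOSTUNREACH' to a one-line diagnosis."""
    return DIAGNOSIS.get(err_name, "unclassified errno %s" % err_name)


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and return (errno symbol or 'OK', diagnosis)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return ("OK", "TCP handshake completed")
    except socket.timeout:
        # Silent drop: no RST, no ICMP, so only the timer fires.
        return ("ETIMEDOUT", classify("ETIMEDOUT"))
    except OSError as e:
        name = errno.errorcode.get(e.errno, str(e.errno))
        return (name, classify(name))
    finally:
        s.close()


def free_port():
    """Return a loopback port with no listener, to demonstrate ECONNREFUSED locally."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else free_port()
    print(host, port, *probe(host, port))
```

Run it from the client as `python3 probe.py <server-ip> 22`; an EHOSTUNREACH result while the VPC flow log shows ACCEPT points at the instance's own firewall, so the next check is `firewall-cmd --list-all` on the server.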
