Possible reasons for timeout when trying to access EC2 instance

Question

I cannot SSH into my instance - Operation timed out. What could be the reasons why, and what can I do to resolve it? Rebooting normally takes a long time to take effect, and might just makes things worst

UPDATE: It is not about permissions - i can log in normally just fine. I suspect it might be because of memory issues

You should try serverfault.com as this isn't really a programming question. — rwilliams, May 11 '10 at 19:33
Does the problem persist if you launch another instance? (It might also help to know more about your setup.) I updated my answer. — Jonik, May 12 '10 at 06:01
ping the DNS first . If fails then configure your inbound/outbound rules in the launch wizard . configure ALL traffic and ALL protocol and just save with default options . Ping again with your local system and then should work . — Maiden, Sep 16 '19 at 11:40
Just reboot the ec2 instance from aws console & try once reconnecting. It solved my problem. — Vikram Sapate, Jun 20 '21 at 19:21

score 113 · Answer 1 · answered Feb 21 '13 at 14:24

113

I had the same problem, and the solution ended up being adding my local machine's IP to the list of inbound rules in the active security group. In the inbound dialog below, enter 22 in the port range, your local IP/32 in the source field, and leave 'custom tcp rule' in the dropdown.

enter image description here

answered Feb 21 '13 at 14:24

ted.strauss

4,119
4
34
57

7

After you press the 'add rule' button, you also need to hit 'apply rule change' for it to take effect. Don't forget this. It messed me up a few times. – ted.strauss Apr 11 '13 at 16:05
Perfect answer! I'm no more scared of being hacked :D – softvar Dec 12 '15 at 13:34
2

this worked for me, thanks!! For some reason.. my ip address changed, and all of a sudden I couldn't ssh in to my ec2 instance. I just added a rule, and instead of putting a "custom" ip address, I just selected 'my IP' and wala... I was able to ssh in! – rikkitikkitumbo Oct 17 '16 at 07:32
Good answer! I found [this troubleshooting from AWS](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-linux-ssh-troubleshooting/) very useful as well, and it contains the point suggested here above. – J0ANMM Oct 31 '16 at 09:05
Yes you will have to change the Inbound rules to allow SSH connection. – Mahtab Alam Aug 02 '17 at 09:16
I don't know reason why but my public ip address has changed. – Long Nguyen Aug 30 '19 at 08:55
1

Hello, my public i still does not work, i am only able to ssh when i add an inbound rule with "0.0.0.0" (anywhere) in the source field. How can i make just my machine's public ip able to reach my EC2 instance over ssh? – Jude Ukana Nov 02 '21 at 07:38
Why isnt this explained on AWS? – Lorenzo Covarrubias Mar 07 '23 at 18:15

Jonik · Accepted Answer · 2010-05-12T06:00:08.243

76

Did you set an appropriate security group for the instance? I.e. one that allows access from your network to port 22 on the instance. (By default all traffic is disallowed.)

Update: Ok, not a security group issue. But does the problem persist if you launch up another instance from the same AMI and try to access that? Maybe this particular EC2 instance just randomly failed somehow – it is only matter of time that something like that happens. (Recommended reading: Architecting for the Cloud: Best Practices (PDF), a paper by Jinesh Varia who is a web services evangelist at Amazon. See especially the section titled "Design for failure and nothing will fail".)

edited May 12 '10 at 06:00

answered May 11 '10 at 19:55

Jonik

80,077
70
264
372

Here's the same thing on EC2 FAQ: http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1145#08 (Besides `ec2-authorize`, you can use Elasticfox Firefox extension to easily configure the groups.) – Jonik May 11 '10 at 20:03
2

My goodness... opening the SSH port in the group is so basic, I can't believe its not in here: http://alestic.com/2009/08/ec2-connectivity. Thanks for pointing it out. – mtyson Dec 05 '14 at 23:01
1

oh, I completly forgot about the security group! Thanks! – Antonio Beno Aug 01 '17 at 03:09

score 41 · Answer 3 · answered Mar 19 '15 at 17:44

41

Destroy and create anew

I had one availability zone where I could connect and another where I could not. After a few hours I got so frustrated that I deleted everything in that availability zone.

Building everything back I had to make sure to create EVERYTHING. This included:

Create VPC
- CIDR: 10.0.0.0/24
Create Internet Gateway
Attach Internet Gateway to VPC
Create Routing Table
Add Route to Routing Table
- Destination: 0.0.0.0/0
- Target: <Internet Gateway from earlier>
Create Subnet
- CIDR: 10.0.0.0/24
- Routing Table: <Routing Table from earlier

It took me a LOT of fumbling to get all of this. I've ordered the steps in the way I think might be most efficient, but you may have to adjust them to get one item available for the next.

Suggestion

I'm not suggesting that you go thermo nuclear as I did. I'm offering all this information so that you can check these associations to ensure yours are appropriate.

answered Mar 19 '15 at 17:44

Bruno Bronosky

66,273
12
162
149

8

this really helped me out! I had a case where my routing table wasn't pointed to an internet gateway and that was the only issue. – EdgeCaseBerg May 20 '15 at 16:40
1

Honestly, I document these things on SO and in github/gists because I know I will kick myself when I need to do it again in 2 months. It is my hope that it helps others too. But ultimately, I'm just a selfish disaster. Thanks for taking the time to comment, @EdgeCaseBerg. – Bruno Bronosky May 21 '15 at 17:50
3

Thanks a TON @BrunoBronosky . Exactly, if that "Internet gateway" thingy is so must, then why default AWS documentation do not mention that? :( – Anand Jul 17 '15 at 03:52
1

@BrunoBronosky thanks! This is exactly what was preventing me from connecting to the instance. I'll save these steps for my future me. – saiyancoder Oct 01 '15 at 04:19
Thanks mate. EC2 Launch Instance wizard does create the Route Table, Security Group, and Subnet. But, creating Internet Gateway, attaching it with the VPC, and adding Route to this Internet Gateway in the Route Table is a mandatory step that needs to be taken by the user. – Tapas Bose Jan 07 '23 at 06:50

score 35 · Answer 4 · answered Oct 23 '15 at 03:39

35

This answer is for the silly folks (like me). Your EC2's public DNS might (will) change when it's restarted. If you don't realize this and attempt to SSH into your old public DNS, the connection will stall and time out. This may lead you to assume something is wrong with your EC2 or security group or... Nope, just SSH into the new DNS. And update your ~/.ssh/config file if you have to!

answered Oct 23 '15 at 03:39

dslosky

867
8
18

2

An hour troubleshooting my timeout issues and this was the solution. Thanks :) – Eric D. Brown D.Sc. Aug 16 '16 at 03:52
3

Thanks a lot @dslosky you saved my life. :) – A_01 Aug 30 '17 at 08:39
1

You probably saved me a week and possible self-harm. Thank you! – guero64 Oct 29 '21 at 01:03

score 19 · Answer 5 · edited Jul 15 '23 at 19:18

To connect use ssh like so:

ssh -i keyname.pem username@xxx.xx.xxx.xx

Where keyname.pem is the name of your private key, username is the correct username for your os distribution, and xxx.xx.xxx.xx is the public ip address.

When it times out or fails, check the following:

Security Group

Make sure to have an inbound rule for tcp port 22 and either all ips or your ip. You can find the security group through the ec2 menu, in the instance options.

Routing Table

For a new subnet in a vpc, you need to change to a routing table that points 0.0.0.0/0 to internet gateway target. When you create the subnet in your vpc, by default it assigns the default routing table, which probably does not accept incoming traffic from the internet. You can edit the routing table options in the vpc menu and then subnets.

Elastic IP

For an instance in a vpc, you need to assign a public elastic ip address, and associate it with the instance. The private ip address can't be accessed from the outside. You can get an elastic ip in the ec2 menu (not instance menu).

Username

Make sure you're using the correct username. It should be one of ec2-user or root or ubuntu. Try them all if necessary.

Private Key

Make sure you're using the correct private key (the one you download or choose when launching the instance). Seems obvious, but copy paste got me twice.

UFW (Ubuntu Firewall)

The default firewall may have been enabled before disconnecting, causing additional issues from the instance side, not necessarily from the server settings. Check this answer for quick disabling of ufw

Thanks for this, I always forget to add the 0.0.0.0/0 to internet gateway target when I create a new VPC — Chathushka, Jul 24 '17 at 08:18

score 8 · Answer 6 · edited Sep 13 '12 at 10:19

8

Have you looked at the console output from the instance ? You can do this via the AWS console (Instances -> Right-click on the instance -> Get System Log). I've had occasions where the network services on an EC2 instance failed to start correctly, resulting in timed out SSH connections; restarting the instance usually fixed things.

edited Sep 13 '12 at 10:19

Jonik

80,077
70
264
372

answered May 12 '10 at 21:24

gareth_bowles

20,760
5
52
82

vijay · Answer 7 · 2016-11-10T11:00:42.830

8

AFTER 2 HOURS I FOUND THIS

Note That ssh ip 120.138.105.251/32

IS NOT aws instance IP ADDRESS
It Is not your local ip 127.0.0.1
It Is not your local ip localhost

BUT BUT BUT

Its Your public ip address of your personal Computer from which you trying to access aws instance

Go to https://www.whatismyip.com/ whatever ip address put in ssh

IF YOU WANT TO FULLY OPEN SSH TO ALL IP ADDRESS

THIS IS HOW FULLY ACCESSIBLE ENTRIES LOOK - BASIC RECOMEENDED

THIS IS WHAT I AM USING IN PRODUCTION

edited Nov 10 '16 at 11:00

answered Nov 08 '16 at 11:14

vijay

10,276
11
64
79

Thank you! In my case, my public IP changed but in the EC2 security group, my old IP was registered, so updating that got it working! – dev1ce Apr 13 '23 at 06:06

score 3 · Answer 8 · answered Feb 04 '20 at 03:35

3

Allow ssh and port 22 from ufw, then enable it and check with status command

sudo ufw allow ssh
sudo ufw allow 22
sudo ufw enable
sudo ufw status

answered Feb 04 '20 at 03:35

Jagannath Swarnkar

339
1
3
9

pradosh nair · Answer 9 · 2015-01-08T01:52:14.993

2

The following are possible issues:

The most likely one is that the Security Group is not configured properly to provide SSH access on port 22 to your i.p. Change in security setting does not require a restart of server for it to be effective but need to wait a few minutes for it to be applicable.
The local firewall configuration does not allow SSH access to the server. ( you can try a different internet connection, your phone/dongle to try it)
The server is not started properly ( then the access checks will fail even on the amazon console), in which case you would need to stop and start the server.

edited Jan 08 '15 at 01:52

answered Jan 08 '15 at 01:46

pradosh nair

913
1
16
28

In my case, it was a firewall issue on the network I do work on. Using a VPN to circumnavigate it worked. – MDave Oct 20 '19 at 21:08

score 2 · Answer 10 · answered Nov 02 '21 at 11:15

If you still have this problem today and non of the other solutions have been helpful, what worked for me was; go to security groups, select a security group or create one, then click to add new inbound rule, click the source drop down and select "from anywhere" this will set 0.0.0.0/0 as the source ip.

You should be fine now.

Ensure you already have the private key file on your machine.

you can watch this video if you need more clarity.

https://www.youtube.com/watch?v=8UqtMcX_kg0

score 1 · Answer 11 · answered Dec 14 '16 at 02:02

Check out this help page on AWS docs:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectionTimeout You will probably find your solution there. for me this part did the fix:

[EC2-VPC] Check the route table for the subnet. You need a route that sends all traffic destined outside the VPC to the Internet gateway for the VPC.

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

In the navigation pane, choose Internet Gateways. Verify that there is an Internet gateway attached to your VPC. Otherwise, choose Create Internet Gateway and follow the directions to create an Internet gateway, select the Internet gateway, and then choose Attach to VPC and follow the directions to attach it to your VPC.

In the navigation pane, choose Subnets, and then select your subnet.

On the Route Table tab, verify that there is a route with 0.0.0.0/0 as the destination and the Internet gateway for your VPC as the target. Otherwise, choose the ID of the route table (rtb-xxxxxxxx) to navigate to the Routes tab for the route table, choose Edit, Add another route, enter 0.0.0.0/0 in Destination, select your Internet gateway from Target, and then choose Save.

But I suggest you check out all the options the link above covers , you may find there the one or more issues that you got.

score 1 · Answer 12 · answered Jan 15 '17 at 00:47

1

My issue - I had port 22 open for "My IP" and changed the internet connection and IP address change caused. So had to change it back.

answered Jan 15 '17 at 00:47

smDev

11
2

score 1 · Answer 13 · answered Jan 29 '18 at 18:15

1

Building off @ted.strauss's answer, you can select SSH and MyIP from the drop down menu instead of navigating to a third party site.

answered Jan 29 '18 at 18:15

Adam J. Gramling

45
5

score 1 · Answer 14 · answered Oct 25 '18 at 13:08

1

Just reboot the Ec2 Instance once you applied Rules

answered Oct 25 '18 at 13:08

Shaz

419
3
11

score 1 · Answer 15 · answered Jul 04 '19 at 07:27

I was working on the instance and it was fine, the very next day when I tried to SSH into my instance it said - Connection timeout.

I tried to go through this post but nothing worked. So I did -

On the Edit inbound rules from source column choose MY IP and it will automatically populate your Public IP address in CIDR format (XXX.XXX.XXX.XX/32).

I tried with the @ted.strauss answer by giving local IP but it did not help in my case. So I choose MY IP and it worked.

Hope this helps someone!

score 1 · Answer 16 · answered Sep 16 '19 at 11:41

1

ping the DNS first . If fails then configure your inbound/outbound rules in the launch wizard . configure ALL traffic and ALL protocol and just save with default options . Ping again with your local system and then should work

answered Sep 16 '19 at 11:41

Maiden

207
3
4

score 1 · Answer 17 · answered May 16 '21 at 03:22

1

There could be multiple reasons for connection getting timed-out during ssh. One of the cases where i have seen this is when your route and subnet does not have associations.

answered May 16 '21 at 03:22

Thalaivar

23,282
5
60
71

score 1 · Answer 18 · answered Jun 20 '21 at 19:15

1

In my case, Instance was reachable but suddenly it became unreachable.

I just rebooted the instance from aws console & it solved my problem.

answered Jun 20 '21 at 19:15

Vikram Sapate

1,087
1
11
16

Same here. Struggled for an hour and then it was that simple. – Franco Oct 20 '22 at 12:05

score 0 · Answer 19 · answered Jan 31 '13 at 14:40

One more possibility. AWS security groups are setup to work only with specific incoming ip addresses. If your security group is setup in this way you (or the account holder) will need to add your ip address to the security group. Todo this open your AWS dashboard, select security groups, select a security group and click on the inbound tab. Then add your ip as appropriate.

Yahya · Answer 20 · 2014-08-29T09:16:21.790

0

I had the same problem, and the solution was allowing access from anywhere to the list of inbound rules in the active security group. In the inbound dialog, enter 22 in the port range, anywhere in the source field, and select 'ssh' in the dropdown.

P.S : This might not be the recommended solution as it means this instance can be ssh'ed from any machine, but I could not get it to work with my local IP.

edited Aug 29 '14 at 09:16

answered Aug 29 '14 at 06:49

Yahya

520
2
10
26

score 0 · Answer 21 · answered Jan 30 '16 at 09:07

0

I had similar problem, when I was using public Wifi, which didn't have password. Switching the internet connection to a secure connection did solve the problem.

answered Jan 30 '16 at 09:07

Bharath Ram

929
7
11

score 0 · Answer 22 · answered Jun 12 '16 at 14:56

If SSH access doesn't work for your EC2 instance, you need to check:

Security Group for your instance is allowing Inbound SSH access (check: view rules).

If you're using VPC instance (you've VPC ID and Subnet ID attached to your instance), check:

In VPC Dashboard, find used Subnet ID which is attached to your VPC.
Check its attached Route table which should have 0.0.0.0/0 as Destination and your Internet Gateway as Target.

On Linux, you may also check route info in System Log in Networking of the instance, e.g.:

++++++++++++++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++++++++++++++
+--------+------+------------------------------+---------------+-------+-------------------+
| Device |  Up  |           Address            |      Mask     | Scope |     Hw-Address    |
+--------+------+------------------------------+---------------+-------+-------------------+
|   lo   | True |          127.0.0.1           |   255.0.0.0   |   .   |         .         |
|  eth0  | True |         172.30.2.226         | 255.255.255.0 |   .   | 0a:70:f3:2f:82:23 |
+--------+------+------------------------------+---------------+-------+-------------------+
++++++++++++++++++++++++++++Route IPv4 info+++++++++++++++++++++++++++++
+-------+-------------+------------+---------------+-----------+-------+
| Route | Destination |  Gateway   |    Genmask    | Interface | Flags |
+-------+-------------+------------+---------------+-----------+-------+
|   0   |   0.0.0.0   | 172.30.2.1 |    0.0.0.0    |    eth0   |   UG  |
|   1   |   10.0.3.0  |  0.0.0.0   | 255.255.255.0 |   lxcbr0  |   U   |
|   2   |  172.30.2.0 |  0.0.0.0   | 255.255.255.0 |    eth0   |   U   |
+-------+-------------+------------+---------------+-----------+-------+

where UG flags showing you your internet gateway.

For more details, check: Troubleshooting Connecting to Your Instance at Amazon docs.

Innocent Anigbo · Answer 23 · 2017-05-14T11:02:08.557

To enable ssh access from the Internet for instances in a VPC subnet do the following:

Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control (at VPC Level) and security group rules (at ec2 level) allow the relevant traffic to flow to and from your instance. Ensure your network Public IP address is enabled for both. By default, Network AcL allow all inbound and outbound traffic except explicitly configured otherwise

score 0 · Answer 24 · answered Nov 24 '17 at 15:36

0

For me it was the apache server hosted on a t2.micro linux EC2 instance, not the EC2 instance itself.

I fixed it by doing:

sudo su

service httpd restart

answered Nov 24 '17 at 15:36

Gus

6,545
4
36
39

Majali · Answer 25 · 2019-04-19T10:48:00.393

0

I had the same problem and I solved it by adding a rule to the security Groups

Inbound SSH 0.0.0.0/0

Or you can add your IP address only

edited Apr 19 '19 at 10:48

answered Apr 19 '19 at 10:26

Majali

480
7
11

score 0 · Answer 26 · answered Jul 02 '19 at 03:26

0

For me, it was that I had deleted everything from the boot volume. And couldn't connect to the instance anymore.

answered Jul 02 '19 at 03:26

t_sologub

855
2
15
26

score 0 · Answer 27 · answered Oct 17 '19 at 21:55

0

If you've just created a new instance and can't connect to it, I was able to solve the issue by terminating that one and creating a new one. Of course this will only work if it's a new instance and you haven't done any more work on it.

answered Oct 17 '19 at 21:55

José Del Valle

691
1
13
27

score 0 · Answer 28 · answered Dec 15 '21 at 11:09

0

The solution with me was different than all the above solutions. I forgot the my VPN on. When I turned it off the problem is solved.

answered Dec 15 '21 at 11:09

Amr

433
5
12

score 0 · Answer 29 · answered Jul 20 '22 at 17:37

0

If you're trying to connect from another EC2 instance, you have to make sure to only use the PRIVATE IPv4 addresses to reference them or the connections will not work.

answered Jul 20 '22 at 17:37

Akaisteph7

5,034
2
20
43

Himavan · Answer 30 · 2022-08-27T18:44:33.860

This will be one of the reason. when you enable ufw and reboot your instance. First you have to add 22/tcp before enabling ufw. Following is the command

$ ufw allow 22/tcp

If you already made the mistake. Then follow the following guide

Start a recovery instance.
Stop the blocked instance (DON'T TERMINATE)
Detach the blocked instance volume.
Attach Blocked volume to the recovery instance.
Log to the recovery instance(Newly Launched) via ssh/putty
Type sudo lsblk to display attached volumes
Verify the name of the Blocked volume. Generally start with /dev/xvdf.
Mount blocked volume.

$ sudo mount /dev/xvdf1 /mnt
$ cd /mnt/etc/ufw

Open ufw configuration file

$ sudo vi ufw.conf

Enable insert mode by pressing i in vi editor
Update ENABLED=yes to ENABLED=no

ClickESC and type :wq to update the file.

Verify the file contents. where update to ENABLED=yes -> ENABLED=no

$ sudo cat ufw.conf

Remove the mounted blocked volume from recovery instance

$ cd ~
$ sudo umount /mnt

Now detach blocked install volume from recovery instance and re-attach it to the original instance as /dev/sda1.

Finally, Start the blocked instance. Here's you will able to access your instance. If you enable ufw again don't forget to allow 22/tcp.

sudo ufw allow ssh //this one are to be added
sudo ufw allow 22 // this one
sudo ufw enable
sudo ufw status