I noticed earlier, one (of many) of our EC2 instances doesn't respond to ping requests. Everything else runs fine, SSH, HTTP, FTP, Database all working perfectly, but ping fails.


This instance is based on an image we use for about 40 nodes on EC2, and I don't remember ever having this issue before. I noticed because our main 'is it up' check for each server in NAGIOS uses Ping so I noticed it.

Functionally, it's not a problem (just started another instance and that one worked fine), but for my education (and just because I was interested), why won't ping work when other services will?

Sam-Rudges-MacBook-Pro:~ sam$ curl -i http://50.19.x.x/
HTTP/1.1 302 Found
Date: Tue, 14 Jun 2011 16:38:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 0
Location: /dash
Server: TornadoServer/1.2.1

Sam-Rudges-MacBook-Pro:~ sam$ ping 50.19.x.x
PING 50.19.x.x (50.19.x.x): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
^C
--- 50.19.x.x ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss

(Blanked out the IP addresses, but they're the same)

Didix
  • Any iptables rules that would deny it? – faker Jun 14 '11 at 16:45
  • @faker IP tables is off in favor of EC2 security groups =) Turned out it was a firewall issue, just not sure why it only happened on this instance. –  Jun 14 '11 at 16:48

1 Answer

From: http://aws.amazon.com/articles/1145?_encoding=UTF8&jiveRedirect=1#18

Why can't I ping my instance?

Ping uses ICMP ECHO, which by default is blocked by your firewall. You'll need to grant ICMP access to your instances by updating the firewall restrictions that are tied to your security group.

ec2-authorize default -P icmp -t -1:-1 -s 0.0.0.0/0
Kyle Smith
  • Thanks, weird it hasn't/isn't being blocked on any of the other instances. –  Jun 14 '11 at 16:47
  • That is odd, did this work for you? Are you deploying to a new zone (I forget what EC2 calls them)? – Kyle Smith Jun 14 '11 at 16:49
  • Yes, worked fine. No, deploying to the exact same zone with the same image (it was done automatically by CloudWatch). All our servers are monitored with Nagios which uses 'PING' as the default host check (why I noticed it failing). I might put a line in to AWS support see what happened. Post; I'll accept the answer as soon as SF lets me =) –  Jun 14 '11 at 16:52
  • I'd be interested to hear what AWS has to say about it, you should post it here. – Kyle Smith Jun 14 '11 at 16:55
  • Kyle, can you please also add the command to restore this setting back to the aws default? I want to ping my node, but then I want to lock it back in. – Spundun Jan 27 '14 at 22:05
  • I'm not sure you want Nagios to constantly modify your security group. Why don't you define a security group that allows your monitoring networks to always have ping access? (The setting of -s above defines a source network) – Kyle Smith Jan 28 '14 at 21:56
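
An added example, not part of the original question or answers: a small audit that reads a security group's ingress rules and reports whether a monitoring host can ping the instance and whether ICMP echo is open to 0.0.0.0/0, which helps spot the one group that differs from the rest. The rule dictionaries follow the shape of the EC2 API's `IpPermissions` list; the group names, the monitoring address and the function names are constructed for illustration.

```python
import ipaddress

ECHO_REQUEST = 8  # ICMP type that ping sends

def icmp_echo_sources(ip_permissions):
    """CIDRs that these ingress rules allow to send ICMP echo requests."""
    sources = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "all traffic" rule
            allowed = True
        elif proto == "icmp":
            # For ICMP rules FromPort holds the type and ToPort the code; -1 = any.
            allowed = (perm.get("FromPort", -1) in (-1, ECHO_REQUEST)
                       and perm.get("ToPort", -1) in (-1, 0))
        else:
            allowed = False
        if allowed:
            # Assumption: only IPv4 CIDR sources; group-to-group rules are ignored.
            sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
    return sources

def ping_verdict(ip_permissions, monitor_ip):
    """Can monitor_ip ping, and is echo open to the whole Internet?"""
    nets = [ipaddress.ip_network(c) for c in icmp_echo_sources(ip_permissions)]
    addr = ipaddress.ip_address(monitor_ip)
    return {"monitor_can_ping": any(addr in n for n in nets),
            "world_open": any(n.prefixlen == 0 for n in nets)}

# Constructed sample data (documentation address range, hypothetical group names).
MONITOR = "203.0.113.10"
GROUPS = {
    "no-icmp": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "icmp-world": [{"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "icmp-monitor": [{"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
                      "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}],
}

if __name__ == "__main__":
    for name, rules in GROUPS.items():
        print(name, ping_verdict(rules, MONITOR))
```

The `icmp-world` group corresponds to the rule the `ec2-authorize` command above creates; `icmp-monitor` is the narrower source-restricted form suggested in the last comment.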