2

I have been trying to log in to my newly created Ubuntu oneiric AMI at EC2 but it always fails saying connection timed out. I have tried it using AWS Management console as well as command line tools. I have searched enough on Google and Server Fault/Stack Overflow and applied the suggestions to change the security group entries but could not find any success.

My AMI id is ami-0275f832 (AMI: ubuntu/images-testing/ebs/ubuntu-oneiric-daily-amd64-server-20120212)

I am able to ping the instance and have opened the proper ssh 22 port in security group. I have also tried to change my region and availability zones to no avail.

Here are the security group entries for default group

| Protocol | Port | Source |
|----------|------|--------|
| ICMP | ALL | 0.0.0.0/0 |
| TCP | 22 (SSH) | 0.0.0.0/0 |

Here is the output of nmap

```
nmap -PN ec2-x-x-x-x.us-west-2.compute.amazonaws.com -p 22

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-17 16:24 IST
Nmap scan report for ec2-x-x-x-x.us-west-2.compute.amazonaws.com (x.x.x.x)
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 2.48 seconds
```

I am not sure why it shows port 22 as filtered even after I have explicitly opened it via security group.

Thanks

Charles
ahsan_cse2004
  • in the security group - apply the changes to port 22 and SAVE after that. Can you post your ssh string with which you try to login? – hovanessyan Feb 17 '12 at 12:29
  • Thanks @hovanessyan I am doing it as follows. **ssh -v -i XYZ.pem ubuntu@ec2-x-x-x-x.us-west-2.compute.amazonaws.com** I am doing it from an ubuntu 11.10 machine which is able to connect to other machines via ssh – ahsan_cse2004 Feb 17 '12 at 15:12
  • you run ssh in verbose mode - any interesting messages there? – hovanessyan Feb 17 '12 at 15:30
  • Thanks @hovanessyan. This is the output of running ssh in verbose mode. However I have already mentioned that it is not even responding to telnet at 22 port. `OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to ec2-50-112-17-39.us-west-2.compute.amazonaws.com [50.112.17.39] port 22. debug1: connect to address 50.112.17.39 port 22: Connection timed out` – ahsan_cse2004 Feb 18 '12 at 06:20
  • It seems to me that you have not actually enabled port 22 successfully. Can you describe the process, post screenshots etc.? How do you manage your image - via AWS Management console or via command line? Have you tried to restart the image? Also check out this link http://cloud-computing.learningtree.com/2010/09/24/understanding-amazon-ec2-security-groups-and-firewalls/ – hovanessyan Feb 18 '12 at 11:55
  • Hi @hovanessyan, Thanks for taking the time. I followed all the instructions given on amazon [AWS Management Console tutorial](http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/Welcome.html?r=645). Apart from this I have also tried the [command line tutorial](https://help.ubuntu.com/community/EC2StartersGuide). Both say that the port is opened successfully. I have many times restarted the images. I also understood the points made in your link and followed them to make sure the port is actually opened. – ahsan_cse2004 Feb 20 '12 at 05:32
  • I just noticed something - you have changed regions? Have you generated a new ssh-key after that (I am not 100% sure if you have to)? Before you re-generate a new ssh-key, try to add 'ICMP ALL' to your security policy and see what happens. – hovanessyan Feb 20 '12 at 09:25
  • You are right, I changed the region because I was not able to get it working in previous regions. I have, however, already generated the new key as you suggested. I added ICMP ALL and I am able to ping the new instance but still unable to access it via ssh. What are the ways I can get to know if my firewall is blocking outbound 22 port, and if yes, how can I circumvent that? – ahsan_cse2004 Feb 21 '12 at 07:00
  • if you're able to ssh to other machines from your workstation, workstation is OK. The only security options for an AMI are in the AWS Management Console... The last resort would be to try a different image. – hovanessyan Feb 21 '12 at 09:14
  • Guys, thanks. However, it turned out to be an issue with our own firewall... Our admin did something and it started responding... Maybe an issue with AWS as suggested by @Tyler, or an issue with the firewall... – ahsan_cse2004 Feb 23 '12 at 10:55
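
Added example, not part of the original thread: nmap reports `filtered` when its probe gets no usable answer, which is what any dropping packet filter on the path produces, whether that is the EC2 security group or a firewall on the client's own network. The sketch below classifies one TCP connect attempt the same way; the function name, state labels and timeout are assumptions made for this illustration.

```python
import errno
import socket


def classify_tcp_port(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed', 'filtered' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: a service is listening
    except (socket.timeout, TimeoutError):
        return "filtered"         # no reply to the SYN: dropped somewhere on the path
    except ConnectionRefusedError:
        return "closed"           # RST received: host reached, nothing listening
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # routing problem or an ICMP unreachable reply
        raise


# What each state says about where to look next (hints written for this example).
NEXT_STEP = {
    "open": "network path is fine; look at keys, user name and sshd logs",
    "closed": "filters pass the traffic; check that sshd runs on the instance",
    "filtered": "a filter drops the SYN; check the security group AND local egress rules",
    "unreachable": "check routing and the instance's public address",
}


if __name__ == "__main__":
    # Constructed demo against the loopback interface only.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    state = classify_tcp_port("127.0.0.1", port)
    print(port, state, "->", NEXT_STEP[state])
    srv.close()
```

A `filtered` result for port 22 together with working ping, as in this question, only shows that ICMP passes and TCP 22 does not; it does not say which device is dropping the packets.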

2 Answers

1

I ran into issues the other day with RDS, I added an IP to the security group, but it was stuck in pending mode. Long story short I checked http://status.aws.amazon.com/ here and noticed a service interruption causing delays. When it was resolved so was my issue.

I see service interruption bulletins for your area too for that timeframe. Try removing and re-adding the ssh port in your security group again and see if it works this time around.

Tyler
0

When editing a security group, there are 2 buttons: "add rule" and "apply rule changes". There might be a simple usability issue where it is easy to press "apply rule changes" once, then add another rule and skip the final "apply rule changes".

The JavaScript-based web UI does not remind the user that changes will be discarded if one starts editing another rule or picks another view.

(I just ran into this problem myself and noticed that the new security group I created and assigned to an instance of the EBS AMI was incomplete. The security group had some, but not all of the rules I defined.)
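
Added example, not part of the original answer: one way to confirm which rules were actually saved is to read them back from the API instead of the console form. The code below evaluates JSON shaped like the output of `aws ec2 describe-security-groups`; the sample data, function names and the caller address 203.0.113.10 are constructed for this illustration.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output,
# mirroring the two rules listed in the question.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupName": "default", "IpPermissions": [
  {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
""")


def _covers(rule, port, protocol):
    """True if an ingress rule applies to protocol/port ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == protocol
            and rule["FromPort"] <= port <= rule["ToPort"])


def ingress_allows(groups, source_ip, port, protocol="tcp"):
    """Names of groups whose applied rules admit source_ip to protocol/port."""
    src = ipaddress.ip_address(source_ip)
    return [g["GroupName"] for g in groups["SecurityGroups"]
            if any(_covers(rule, port, protocol)
                   and any(src in ipaddress.ip_network(r["CidrIp"])
                           for r in rule.get("IpRanges", []))
                   for rule in g.get("IpPermissions", []))]


def world_open(groups, port, protocol="tcp"):
    """(group, cidr) pairs that expose protocol/port to every IPv4 address."""
    return [(g["GroupName"], r["CidrIp"])
            for g in groups["SecurityGroups"]
            for rule in g.get("IpPermissions", []) if _covers(rule, port, protocol)
            for r in rule.get("IpRanges", [])
            if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0]


if __name__ == "__main__":
    print(ingress_allows(SAMPLE, "203.0.113.10", 22))  # caller's public IP (constructed)
    print(world_open(SAMPLE, 22))
```

An empty result from `ingress_allows` for the group attached to the instance means the SSH rule was never applied; once access works, `world_open` lists the 0.0.0.0/0 entries that can be narrowed to the administrator's own address range.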