155

This is a Canonical Question about Connection Refused

We see a lot of questions to the effect

When I try to connect to a system I get a message

Connection refused

Why is this ?

HBruijn
  • 77,029
  • 24
  • 135
  • 201
user9517
  • 115,471
  • 20
  • 215
  • 297
  • 2
    We get this a lot in Apache Hadoop, where it is often caused by configuration errors in the client: which host to talk to, what their DNS or /etc/host tables are set up to, or a mismatch between the ports used by a service and that the clients thinks it should use. Accordingly, we have [a dedicated wiki entry](http://serverfault.com/questions/725262/what-causes-the-connection-refused-message) on the topic. Many of the problems are likely elsewhere, albeit (hopefuily) on a smaller scale. Debugging connection problems in a 1000 node cluster is not fun. – stevel Jan 03 '17 at 12:28
  • 1
    Your dedicated wiki entry link points to this question ;) – user9517 Jan 03 '17 at 12:46
  • 1
    good catch. Here is the official link: https://wiki.apache.org/hadoop/ConnectionRefused. I'll add a cross reference back from there to here for that full loop though. – stevel Jan 06 '17 at 14:19
  • @SteveLoughran Cool article - one comment - the link back says Stack Overflow and we're Server Fault ;) – user9517 Jan 06 '17 at 14:27
  • done. FWIW, that wiki link is added to ConnectionRefused exceptions passed up in the Hadoop stack, along with the extra info (hosts, ports) needed to work out what is going wrong. We still get lots of bug reports from people who see the stack trace and don't follow the link to the wiki – stevel Jan 06 '17 at 14:39
  • People who need to never ready anything! – user9517 Jan 06 '17 at 14:41
  • In some cases, the connection can also be refused due to a lack of memory. Try raising your memory limit and see if that hepls. – Pikamander2 Jun 03 '20 at 08:05
  • @Pikamander2Would you care to expand on this a little. Which memory limit on what system ? Are you sure that the lack of memory wasn't just causing a process not to run so the real issue was nothing was listening ? – user9517 Jun 04 '20 at 05:34
  • 1
    3 main reasons: 1- Server is unable to receive the connection (performance related) 2- Firewall 3- Nothing is listening on the port. I would give this another answer but there's better coverage here: https://stackoverflow.com/a/2333446/1748266 – MER May 13 '21 at 17:10

2 Answers2

165

Note: This message is a symptom of the problem you are trying to solve. Understanding the cause of the message will ultimately lead you to solving your problem.

The message 'Connection Refused' has two main causes:

  1. Nothing is listening on the IP:Port you are trying to connect to.
  2. The port is blocked by a firewall.

No process is listening.

This is by far the most common reason for the message. First ensure that you are trying to connect to the correct system. If you are then to determine if this is the problem, on the remote system run netstat or ss1 e.g. if you are expecting a process to be listening on port 22222

sudo netstat -tnlp | grep :22222

or 

ss -tnlp | grep :22222

For OSX a suitable command is

sudo netstat -tnlp tcp | grep '\.80 '

If nothing is listening then the above will produce no output. If you see some output then confirm that it's what you expect then see the firewall section below.

If you don't have access to the remote system and want to confirm the problem before reporting it to the relevant administrators you can use tcpdump (wireshark or similar).

When a connection is attempted to an IP:port where nothing is listening, the response from the remote system to the initial SYN packet is a packet with the flags RST,ACK set. This closes the connection and causes the Connection Refused message e.g.

$ sudo tcpdump -n host 192.0.2.1 and port 22222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp14s0, link-type EN10MB (Ethernet), capture size 262144 bytes

12:31:27.013976 IP 192.0.2.2.34390 > 192.0.2.1.22222: Flags [S], seq 1207858804, win 29200, options [mss 1460,sackOK,TS val 15306344 ecr 0,nop,wscale 7], length 0

12:31:27.020162 IP 192.0.2.1.22222 > 192.0.2.2.34390: Flags [R.], seq 0, ack 1207858805, win 0, length 0

Note that tcpdump uses a . to represent the ACK flag.

Port is blocked by a firewall

If the port is blocked by a firewall and the firewall has been configured to respond with icmp-port-unreachable this will also cause a connection refused message. Again you can see this with tcpdump (or similar)

$ sudo tcpdump -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on enp14s0, link-type EN10MB (Ethernet), capture size 262144 bytes 13:03:24.149897 IP 192.0.2.1 > 192.0.2.2: ICMP 192.0.2.1 tcp port 22222 unreachable, length 68

Note that this also tells us where the blocking firewall is.

So now you know what's causing the Connection refused message you should take appropriate action e.g. contact the firewall administrator or investigate the reason for the process not listening.

1 Other tools are likely available.

HBruijn
  • 77,029
  • 24
  • 135
  • 201
user9517
  • 115,471
  • 20
  • 215
  • 297
  • 5
    ELI5 version: it means the connection request got to the other computer, and the other computer had no clue what you were talking about. – user253751 Sep 29 '15 at 01:56
  • "No process is listening." The major reason ..! – Samitha Chathuranga Dec 11 '17 at 13:11
  • In my case, something was listening… but on a different node that the one I was attempting to connect to. Oops. – ijoseph Sep 07 '18 at 21:05
  • 1
    @ijoseph So nothing was listening then. – user9517 Sep 30 '18 at 12:21
  • Ok, so ufw is definitely allowing connections on port 80 and nginx is definity listening on port 80. So why am I see connection refused in the nginx error log? – Mark Micallef Jul 02 '20 at 11:10
  • If the message is in the nginx error log then the problem lies elsewhere. Most likely wherever nginx is trying to connect to upstream. – user9517 Jul 02 '20 at 19:47
  • 1
    Trying to reach a .dev or .local virtual host you've defined in your hosts file? Your problem may be Chrome. At some point they began forcefully upgrading those tlds to https. Try changing to something else like .localhost and your pain may go away! – MrChrisRodriguez Jul 21 '20 at 03:37
  • @MrChrisRodriguez this just means nothing is litening on the https (443) port - that's nothing to do with chrome and everything to do with not listening on IP:Port. – user9517 Dec 08 '20 at 12:17
  • 1
    @user9517 actually, it's both. When you're developing locally you'd expect that when you type in an insecure URL you'd hit port 80, but Chrome is silently forcing HTTPS on several TLDs (like .dev and .local) so even if you *intend* to hit port 80, you're actually hitting 443 which you likely do not have open, and it's not obvious on visual inspection what the issue is. I ended up here when trying to diagnose the problem, so posted this for posterity. – MrChrisRodriguez Mar 05 '21 at 21:05
  • Would we get the same error (Connection refused) if the server was out of connections? Say it has a pipeline that can accept up to 100 non-answered connection and you're client 101. What error does that 101th client receive? – Alexis Wilke Feb 08 '22 at 23:26
9

For me on Debian 6 squeeze it was as simple as checking the SSH service:

sudo service ssh status

And finding nothing existed (with the message ssh: unrecognized service) just installing the service:

sudo apt-get install openssh-server

This also works if you're not getting an SFTP connection, as SFTP is a subset of SSH (whereas FTPS is a subset of FTP).

SharpC
  • 243
  • 2
  • 4