7
votes

I can't SSH into my EC2 instances - I am getting a timeout error. I checked the security groups to ensure that SSH traffic is working. I checked the routing tables and ensured that they are connected to an internet gateway. I was able to SSH into the instances just an hour ago but no longer. I am connecting via PuTTY. I had the same timeout issue connecting before using ec2-user@domain which I solved by simply entering the IP address into the hostname field in PuTTY. At that point I was able to connect without a problem. I then created another EC2 instance and now I cannot connect to either instance. I have the .ppk file being correctly referenced in my PuTTY config. I tried connecting with a Mac and copying the .pem file there. Is there anything else I can check? Also, why could I not type ec2-user@domain into the connection field in PuTTY like the directions indicate? Is there something wrong with my AWS environment?

3
Are you whitelisting access to port 22 by IP address in your security group? If so, check if your local external IP address changed? - Mathew Tinsley
Connection time out during SSH is not an instance issue. It is generally related to the security group or domain name of your instance. FYI, the domain name changes if you restart your instance and don't have an Elastic IP. I would suggest checking the security group associated with your instance again and configuring SSH by selecting 'My IP' from the drop-down menu. Refer to this link for the default username for EC2 instances. - bot
I am allowing SSH connections from all IP addresses in the security group. I submitted a ticket with AWS because I saw other people had issues with reactivated accounts, which mine is. - Barodapride

3 Answers

17
votes

The best way to diagnose an SSH problem is to launch a new instance in the same subnet, using the same security group. If this works, then the problem is related to the original instance.

The fact that you are receiving a timeout error indicates that your SSH client has been unable to reach the instance. The instance is not rejecting the connection (eg due to a keypair), it is the fact that the instance cannot be reached.

Things to check:

  • Confirm that the Public IP address is still current (it can change if the instance is stopped and started)
  • Confirm that the instance is in a public subnet, which means a subnet that has a Route Table pointing to an Internet Gateway
  • Confirm that the security group is permitting inbound SSH traffic (port 22) from your IP address (or even 0.0.0.0/0 for testing purposes)
  • Keep NACLs at default settings unless you understand them deeply
  • Make sure the instance is a Linux instance (Windows does not have SSH enabled)
  • Try it from a different network (eg home, office, tethered via your phone) because some corporate networks block SSH connections

As another test, you might want to temporarily create another VPC. Use the VPC Wizard to create a VPC with just a single, public subnet. Launch an instance and confirm that you are able to SSH into the instance.
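The security-group check in the list above, together with the changed-IP question raised in the comments, as an added example that is not part of the original answer: it evaluates inbound rules in the JSON shape printed by `aws ec2 describe-security-groups` against a given source address. The group ID, the addresses and the function names are constructed for illustration, and only CIDR-based rules are evaluated.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ID is a placeholder; addresses come from documentation ranges.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

def rule_covers_port(perm, port):
    """True if the rule's protocol and port range include TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols; such rules carry no port range
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi

def matching_cidrs(group, source_ip, port=22):
    """Return the CIDRs in `group` that admit `source_ip` to TCP `port`.
    Rules that reference other security groups or prefix lists are ignored."""
    ip = ipaddress.ip_address(source_ip)
    hits = []
    for perm in group.get("IpPermissions", []):
        if not rule_covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == ip.version and ip in net:
                hits.append(cidr)
    return hits

def diagnose(group, source_ip, port=22):
    """Summarise whether `source_ip` can reach TCP `port` through `group`."""
    hits = matching_cidrs(group, source_ip, port)
    if not hits:
        return "blocked: no inbound rule admits %s to port %d" % (source_ip, port)
    if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in hits):
        return "allowed: open to every address"
    return "allowed: " + ", ".join(hits)

if __name__ == "__main__":
    print(diagnose(SAMPLE_GROUP, "203.0.113.10"))   # address the rule was written for
    print(diagnose(SAMPLE_GROUP, "198.51.100.77"))  # address after it changed
```

A "blocked" result for your current external address matches the timeout symptom: a security group drops unmatched traffic silently, so the client never receives a rejection.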

2
votes

This issue was an account issue. I had reactivated my old account but somehow it was still flagged as 'isolated' within AWS. I had access to the AWS console, but I couldn't SSH into anything. As a user, there is no way to see this yourself. I had to post on the AWS developer forums where an AWS developer was able to see that my account was 'isolated' and submitted a ticket on my behalf. I am now able to SSH into my EC2 instance with no problem.

-1
votes

If you've implemented the other solutions on this thread and they still don't solve your timeout problem, here's something that worked for me:

Simply edit your public Route Table (which should be associated with the subnet where your EC2 instance is). Add an Outbound Rule to allow all TCP traffic on ports 1024-65535.

I learned about this in an ACloudGuru AWS course (certified Solutions Architect, Associate level)--the basic idea is that when you initially connect to port 22, your session will be moved to an "ephemeral port" (between 1024-65535 on the instance itself) which is only used for the duration of your session. When your session is over, the port will become free again. This allows new incoming connections to the instance's port 22 to be translated into sessions. Essentially the purpose is to allow an instance to serve multiple incoming SSH connections concurrently.