Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Kafka By James Joyner IV · · 9 min read

Kafka Error Guide: 'Connection to node -1 could not be established' Bootstrap Failure

Fix Kafka 'Connection to node -1 could not be established. Broker may not be available' — diagnose dead brokers, wrong bootstrap.servers, and listener binds.

  • #kafka
  • #troubleshooting
  • #errors
  • #network

Exact Error Message

This error appears repeatedly in a Kafka producer or consumer log when the client cannot reach any of the brokers listed in bootstrap.servers:

[2026-06-29 14:02:11,883] WARN [Producer clientId=producer-1] Connection to node -1 (localhost/127.0.0.1:9092) could not be established. Broker may not be available. (org.apache.kafka.clients.NetworkClient)
[2026-06-29 14:02:11,884] WARN [Producer clientId=producer-1] Bootstrap broker localhost:9092 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient)
[2026-06-29 14:02:12,991] WARN [Producer clientId=producer-1] Connection to node -1 (localhost/127.0.0.1:9092) could not be established. Broker may not be available. (org.apache.kafka.clients.NetworkClient)

A closely related variant logs the same root cause as Error connecting to node:

[2026-06-29 14:02:13,114] WARN [AdminClient clientId=adminclient-1] Error connecting to node kafka-0.kafka.svc:9092 (id: -1 rack: null)
java.net.UnknownHostException: kafka-0.kafka.svc

What the Error Means

Node -1 is not a real broker. It is the synthetic ID the Kafka client assigns to the bootstrap connection — the very first TCP connection the client opens to an address in bootstrap.servers before it has fetched cluster metadata. Until that bootstrap connection succeeds and returns the broker list, every broker is “node -1.”

So this message means the client never completed its first handshake. It opened (or tried to open) a socket to the bootstrap address and the connection failed at the transport layer: refused, unresolved, or dropped. Because metadata never loaded, the client has no real broker IDs to talk to, and it loops on the same -1 address with exponential backoff. This is a pre-metadata, pre-authentication failure — credentials, topics, and ACLs are irrelevant here.

This is distinct from Node 1 disconnected, which happens after metadata is loaded and a real broker drops the connection.

Common Causes

  • No broker is running on the bootstrap address. The server is down, crashed, or never started, so 9092 is closed and the socket is refused.
  • bootstrap.servers points at the wrong host or port. A leftover localhost:9092 in a containerized or remote client is the classic case — the client talks to itself.
  • DNS does not resolve the bootstrap hostname (UnknownHostException), common with Kubernetes service names from outside the cluster.
  • The listener is bound to the wrong interface. The broker listens on 127.0.0.1 only, so remote clients cannot reach it even though it is up.
  • advertised.listeners is misconfigured. The bootstrap connection succeeds, but the advertised address the broker returns is unreachable, so the next connection to node -1 (now using the advertised name) fails.
  • A firewall, security group, or NetworkPolicy blocks 9092 between client and broker.

How to Reproduce the Error

Point a client at an address where nothing is listening. With a stopped broker and the default config:

kafka-console-producer.sh --bootstrap-server localhost:9092 --topic test

The producer will loop with Connection to node -1 (localhost/127.0.0.1:9092) could not be established. You can reproduce the DNS variant by pointing at an unresolvable name:

kafka-broker-api-versions.sh --bootstrap-server kafka-does-not-exist:9092

This yields Error connecting to node ... UnknownHostException.

Diagnostic Commands

All commands below are read-only.

Confirm what bootstrap.servers actually resolves to:

getent hosts kafka-0.kafka.svc

Check whether anything is listening on the broker host’s Kafka port:

sudo ss -ltnp | grep -E ':9092|:9093'

Test raw TCP reachability from the client host (instant refusal vs hang tells refused vs dropped):

nc -z -v -w 5 kafka-broker-1 9092

Ask the cluster for its API versions — the cleanest end-to-end bootstrap test:

kafka-broker-api-versions.sh --bootstrap-server kafka-broker-1:9092

Inspect the broker’s actual and advertised listeners in its logs:

sudo journalctl -u kafka --no-pager | grep -E 'advertised.listeners|Awaiting socket connections'

Step-by-Step Resolution

1. Verify the broker is actually up. On the broker host, check the service and the listening socket:

sudo systemctl status kafka --no-pager | head -5
sudo ss -ltnp | grep ':9092'

If nothing is listening, start the broker and re-check. If the service is up but the socket is missing, the listener failed to bind — check the broker log for bind errors.

2. Confirm the client target. Print the effective bootstrap.servers your application uses. A localhost:9092 baked into a container or CI job is the most common single cause. Set it to the reachable broker address.

3. Resolve DNS from the client. Run getent hosts <bootstrap-host>. If it fails, fix DNS, /etc/hosts, or use a resolvable name. From outside Kubernetes, internal service names will not resolve — use the external/NodePort/LoadBalancer address instead.

4. Test the path. nc -z -v -w 5 <host> 9092. An instant “Connection refused” means no listener or a REJECT firewall. A hang to timeout means a DROP firewall or routing black hole. Open 9092 from the client subnet if blocked.

5. Validate advertised listeners. If the bootstrap connects but the client immediately loops on node -1 again using a different hostname, the broker is advertising an unreachable address. The advertised name must be resolvable and routable from every client.

6. Re-test with the CLI: kafka-broker-api-versions.sh --bootstrap-server <host>:9092. Once this prints versions, your producer/consumer will connect too.

Prevention and Best Practices

  • List multiple brokers in bootstrap.servers so a single dead node does not break bootstrap.
  • Make advertised.listeners an explicit, externally resolvable name — never leave it implicitly bound to localhost in a multi-host or container deployment.
  • Use a stable DNS name or VIP for clients rather than hardcoded IPs.
  • Add a synthetic check that runs kafka-broker-api-versions.sh from a client-network host and alerts on failure, catching bootstrap breakage before applications do.
  • In Kubernetes, ensure clients use the in-cluster service name and external clients use a dedicated external listener; do not mix them.
  • For fast triage of a bootstrap page, the free incident assistant can turn this client log plus broker status into a likely cause.
  • Node 1 disconnected — a real broker dropping after metadata loaded, not a bootstrap failure. See the dedicated node-disconnected guide.
  • Connection to node -1 ... disconnected — bootstrap broker dropped mid-handshake, often a plaintext-to-SSL mismatch.
  • SocketTimeoutException / Connection timed out — the TCP connect itself times out (firewall DROP), a slower variant of this same bootstrap failure.
  • UnknownHostException — the DNS-resolution flavor of this error.

Frequently Asked Questions

Why does it say node -1 and not the broker name? Because the client has not loaded metadata yet. Node -1 is the placeholder for the bootstrap connection. Once metadata loads, the client uses real numeric broker IDs.

My broker is clearly running — why still node -1? The broker can be up while unreachable: bound to loopback, advertising an unresolvable address, or blocked by a firewall. Test the path with nc -z and check advertised listeners.

Is this an authentication problem? No. This failure occurs before any handshake or authentication. SASL/SSL errors look different and appear only after a TCP connection succeeds.

Why does my container say localhost/127.0.0.1:9092? The client defaulted to localhost:9092 and there is no broker inside the container. Set bootstrap.servers to the actual broker service address.

Does adding more bootstrap brokers help? Yes — if even one listed broker is reachable, bootstrap succeeds and the client learns the rest of the cluster from metadata.

Free download · 368-page PDF

Download the Free 500-Prompt DevOps AI Toolkit

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.