Linux Error: Connection timed out — Cause, Fix, and Troubleshooting Guide
How to fix the Linux 'Connection timed out' error (ETIMEDOUT): diagnose dropped packets, firewalls, security groups and routing with ss, curl, nc and ip route.
- #linux
- #troubleshooting
- #networking
Summary
Connection timed out is errno ETIMEDOUT (110): the client sent TCP SYNs and never got a reply, so the kernel gave up after retransmitting. Unlike Connection refused (an instant RST), a timeout means packets are being silently dropped somewhere — by a firewall, security group, missing route, or a host that is down. The tell-tale sign is the long delay before the error.
Common Symptoms
- The client hangs for many seconds (often ~15–130s) before failing, not instantly.
curl -vsits atTrying <ip>:<port>...and then times out.- Some ports/hosts work while this one hangs — pointing at a per-port firewall rule.
- Intermittent timeouts under load (overloaded backend, dropped SYNs, or asymmetric routing).
Most Likely Causes of the ‘Connection timed out’ Error
- Firewall / security group dropping (DROP) the packets — cloud security groups,
iptables -j DROP, or an on-path appliance. - The remote host is down or the service is hung — SYNs go unanswered.
- Routing problem / wrong route — packets leave but never reach the destination, or replies cannot return.
- Wrong IP or a NAT/loadbalancer black-holing traffic.
- Network congestion / packet loss causing SYN loss under load.
- Server backlog full — the listen queue is saturated and drops new SYNs.
Quick Triage
# Note the delay: a long hang = timeout (dropped), instant = refused
time curl -v --connect-timeout 5 http://<host>:<port>/
# Does the port respond within a bound?
nc -vz -w 5 <host> <port>
# Basic reachability of the host itself
ping -c3 <host>
Diagnostic Commands
# Time-bounded probes so you are not waiting on the default 2-min timeout
nc -vz -w 5 <host> <port>
curl -v --connect-timeout 5 http://<host>:<port>/
# Is the destination even routable, and via which interface/gateway?
ip route get <host-ip>
ip route
# ICMP reachability (may itself be filtered, but a useful signal)
ping -c3 <host>
# Resolve first — make sure you are timing out against the right IP
getent hosts <host>
# On the SERVER: is it listening and is the backlog overflowing?
ss -tulpn | grep ':<port>'
ss -s # summary incl. socket states
netstat -s | grep -i 'listen' # SYN/listen-queue drops (RHEL/older)
# Local firewall on client or server
sudo iptables -S | grep -iE 'drop|reject'
sudo nft list ruleset 2>/dev/null | grep -i drop
sudo firewall-cmd --list-all # RHEL/Rocky
sudo ufw status verbose # Ubuntu/Debian
# Trace the path to find where packets die
traceroute -T -p <port> <host> # TCP traceroute to the service port
mtr -rw <host>
If ip route get picks an unexpected interface/gateway, or traceroute dies at a hop, the drop is in the network path, not the service.
Fix / Remediation
-
Open the port in the firewall / security group. For cloud hosts, add an inbound rule for the port/source in the security group first — this is the most common cause. On the OS firewall:
sudo ufw allow from <src-cidr> to any port <port> proto tcp # Ubuntu/Debian sudo firewall-cmd --add-port=<port>/tcp --permanent && sudo firewall-cmd --reload # RHEL/Rocky -
Confirm the service is up on the server (a hung/dead service also times out if the firewall silently drops, or if it never accepts):
ssh <server> 'ss -tulpn | grep ":<port>"; systemctl status <service>' -
Fix routing if
ip route getshows the wrong path:ip route get <host-ip> sudo ip route add <net>/<mask> via <gateway> dev <iface> # add/repair a routeWarning: Editing routes or firewall rules on a remote host can cut off your own SSH session. Have console/out-of-band access ready, or use a scheduled
iptables-restore/timeout to auto-revert before applying risky changes. -
Increase server backlog if
ss -s/netstat -sshows SYN queue drops under load:sudo sysctl -w net.core.somaxconn=1024 sudo sysctl -w net.ipv4.tcp_max_syn_backlog=2048(and raise the app’s own
listen()backlog to match). -
Correct the target IP/hostname if you are timing out against a stale or wrong address.
Validation
nc -vz -w 5 <host> <port> # succeeds quickly
curl -sS -o /dev/null -w '%{http_code} %{time_connect}s\n' --connect-timeout 5 http://<host>:<port>/
traceroute -T -p <port> <host> # reaches the destination
Prevention
- Codify firewall/security-group rules (IaC) and review them so a port drop is caught in change control.
- Always set explicit
--connect-timeout/socket timeouts and retries in clients so a drop fails fast instead of hanging. - Monitor SYN-queue drops (
netstat -s) and connection latency; alert on risingtime_connect. - Use TCP health checks from monitoring to detect black-holed paths before users do.
Related Errors
- Connection refused
- No route to host
- Network is unreachable
- Destination host unreachable
- Temporary failure in name resolution
Final Notes
The long delay is the diagnostic: a timeout means packets are dropped silently, so look at firewalls, security groups, and routing rather than the service config. Bound your probes with -w/--connect-timeout, use TCP traceroute to find where packets die, and remember that a cloud security group is the single most common culprit.
Want faster Linux incident response? Use DevOps AI Toolkit to turn production errors into clear diagnostics, remediation steps, and reusable runbooks.
Download the Free 500-Prompt DevOps AI Toolkit
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.