Connection was refused from different location
We are trying to access the VPS server we created in Frankfurt through SSH.
We tried to access it from two locations, Japan and Turkmenistan (TKM). We could successfully access the server terminal from Japan, but not from TKM.
We tried configuring the firewall on the VPS server, adding a rule to accept the public IP address of the terminal in TKM. We also tried configuring the SSH config, adding AllowUsers with the username.
What could be the problem?
7 Replies
✓ Best Answer
You're right, my apologies! Unfortunately Turkmentelecom doesn't have a looking glass available on their website or anywhere else I could find.
"I wanted to try traceroute function from my VPS server to and from terminal in Turkmenistan."
Focusing on the host in Turkmenistan is the right idea. Since you know you can connect to your server in London from elsewhere (Japan), the issue likely resides with the host in Turkmenistan.
From Turkmenistan to VPS
In your screenshot, the Turkmen server is unable to connect to the host in London. I can see it is also unable to connect to another host, 195.133.199.33. Where are you connecting to this host? Can you connect to any other servers from the Turkmen terminal? What are its firewall settings? Can you run MTRs to and from where you are connecting to it?
From VPS to Turkmenistan
When I run a scan of the Turkmenistan server's ports using nmap, I can see that they are all filtered:
nmap -Pn --top 5 --reason 95.85.102.97
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-08 11:31 EST
Nmap scan report for 95.85.102.97
Host is up, received user-set.
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
22/tcp filtered ssh no-response
23/tcp filtered telnet no-response
80/tcp filtered http no-response
443/tcp filtered https no-response
Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds
Additionally, no connections to it can be made from anywhere around the globe.
To double check this I ran MTRs from test hosts in Newark and Mumbai. They were able to successfully connect to the Turkmentelecom network (217.174.235.118) but died before they made it to the destination:
From Newark to Turkmenistan
# mtr -rwbzc 10 95.85.102.97
Start: Wed Mar 8 11:35:24 2023
HOST: xxxxxlocalhost.linode.com Loss% Snt Last Avg Best Wrst StDev
1. AS??? 10.206.5.158 0.0% 10 3.5 0.8 0.3 3.5 0.9
2. AS??? 10.206.35.10 0.0% 10 0.5 0.9 0.5 3.3 0.8
3. AS??? 10.206.32.2 0.0% 10 11.4 3.0 1.1 11.4 3.2
4. AS63949 lo0-0.gw2.cjj1.us.linode.com (173.255.239.102) 0.0% 10 1.0 2.5 0.6 13.5 3.9
5. AS??? nyiix.nyk.cw.net (198.32.160.112) 0.0% 10 1.7 3.2 1.7 9.8 2.4
6. AS1273 ae34-xcr1.ltw.cw.net (195.2.8.45) 0.0% 10 69.9 70.6 69.9 75.3 1.6
7. AS1273 ae37-pcr1.fnt.cw.net (195.2.2.74) 0.0% 10 83.3 83.4 81.9 86.9 1.5
8. AS1273 217.161.78.174 0.0% 10 82.1 82.4 82.0 83.7 0.5
9. AS??? 10.50.10.202 0.0% 10 155.7 155.8 155.6 156.5 0.0
10. AS29049 85.132.90.254 0.0% 10 175.7 175.8 175.4 177.5 0.3
11. AS20661 217.174.235.47 0.0% 10 175.3 175.4 175.1 176.7 0.3
12. AS20661 217.174.235.118 0.0% 10 176.7 176.8 176.5 177.7 0.0
13. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
From Mumbai to Turkmenistan
# mtr -rwbzc 10 95.85.102.97
Start: Wed Mar 8 16:33:06 2023
HOST: xxxlocalhost.linode.com Loss% Snt Last Avg Best Wrst StDev
1. AS??? 10.214.0.163 0.0% 10 0.1 0.2 0.1 0.3 0.0
2. AS??? 10.214.35.10 0.0% 10 0.5 0.4 0.4 0.5 0.0
3. AS??? 10.214.32.2 0.0% 10 0.9 2.1 0.9 9.1 2.5
4. AS63949 lo0-0.gw1.mum1.in.linode.com (172.105.32.101) 0.0% 10 0.6 0.6 0.4 0.7 0.0
5. AS63949 ae0-100.gw2.mum1.in.linode.com (172.105.32.9) 0.0% 10 0.5 0.6 0.5 0.8 0.0
6. AS9498 nsg-static-109.233.71.182.airtel.in (182.71.233.109) 0.0% 10 0.6 0.9 0.6 2.6 0.6
7. AS9498 116.119.112.192 0.0% 10 102.6 103.5 96.7 117.0 7.7
8. AS??? ipv4.de-cix.fra.de.as20485.ttk.ru (80.81.194.117) 0.0% 10 184.8 186.7 181.9 190.5 2.9
9. AS20485 mskn18-Lo1-gw.transtelecom.net (217.150.55.218) 0.0% 10 226.9 233.8 225.4 253.5 9.3
10. AS20485 DELTA-gw.transtelecom.net (188.43.209.205) 0.0% 10 203.7 206.6 202.5 210.9 3.2
11. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
12. AS29049 85.132.90.254 0.0% 10 208.6 210.5 205.5 214.2 3.2
13. AS20661 217.174.235.47 0.0% 10 212.9 213.2 209.0 216.2 2.5
14. AS20661 217.174.235.118 0.0% 10 213.5 212.3 207.7 215.9 2.5
15. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
So, thinking about all of this, I still believe this is an internal configuration issue with the terminal in Turkmenistan. My suggestion would be to investigate the firewall settings of that host.
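The reading of the MTR reports in the answer above can be automated. The following Python sketch is an added example, not part of the original thread: it parses `mtr -rwbz` report lines, finds the last hop that answered, and flags loss that does not persist to later hops. The function names `parse_report` and `diagnose` are hypothetical; the sample lines are hops 10-15 of the Mumbai report.

```python
import re

# Hops 10-15 copied from the Mumbai report above (earlier hops omitted).
SAMPLE = """\
 10. AS20485 DELTA-gw.transtelecom.net (188.43.209.205) 0.0% 10 203.7 206.6 202.5 210.9 3.2
 11. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
 12. AS29049 85.132.90.254 0.0% 10 208.6 210.5 205.5 214.2 3.2
 13. AS20661 217.174.235.47 0.0% 10 212.9 213.2 209.0 216.2 2.5
 14. AS20661 217.174.235.118 0.0% 10 213.5 212.3 207.7 215.9 2.5
 15. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
"""

# hop number, AS, host (may be "name (ip)"), loss, sent, then five timings
HOP = re.compile(
    r"^\s*(\d+)\.\s+(AS\S+)\s+(.+?)\s+([\d.]+)%?\s+(\d+)(?:\s+[\d.]+){5}\s*$"
)

def parse_report(text):
    """Parse `mtr -rwbz` report lines into dicts; non-hop lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hops.append({"hop": int(m[1]), "asn": m[2],
                         "host": m[3], "loss": float(m[4])})
    return hops

def diagnose(hops):
    """Separate loss that persists to the end of the path from loss that does not."""
    # Loss at one hop followed by cleaner hops is that router rate-limiting
    # or ignoring ICMP, not a fault: traffic is still being forwarded.
    cosmetic = [h["hop"] for i, h in enumerate(hops[:-1])
                if h["loss"] > min(x["loss"] for x in hops[i + 1:])]
    responding = [h for h in hops if h["loss"] < 100.0]
    last = responding[-1] if responding else None
    return {
        "reached_destination": bool(hops) and hops[-1]["loss"] < 100.0,
        "last_responding": last,   # probes die at or just after this hop
        "cosmetic_loss_hops": cosmetic,
    }

if __name__ == "__main__":
    print(diagnose(parse_report(SAMPLE)))
```

On this sample the silent hop 11 is reported as cosmetic, while the path stops answering after hop 14 inside AS20661. A silent final hop only shows where probes stop being answered; the filtered nmap result is what ties it to the destination side.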
Hi @Novmir23 - I can't say for certain but there may be a problem on the route the connection is taking. I'd recommend using MTR to check the route.
https://www.linode.com/docs/networking/diagnostics/diagnosing-network-issues-with-mtr
Hello @mjones!
Thank you for your reply and the article! I have read it and done some inspection with MTR. Here are results:
- First, I created a new VPS server, this time in London. I requested an MTR report from my local terminal in Japan to the VPS server (window below), and vice versa (above window). Interestingly, even though it says packets are lost near my local Japan terminal, I could connect successfully to the VPS server from here. I am guessing ICMP requests were dropped due to a misconfigured router or something else.
VPS to Jap terminal, and vice versa
- Second, I tried to connect to the VPS server from TKM, but it was still unsuccessful, even with a different server location. The MTR report from the VPS to the terminal in TKM is below:
MTR report from TKM terminal (windows terminal) to VPS server is:
|------------------------------------------------------------------------------------------|
| WinMTR statistics |
| Host - % | Sent | Recv | Best | Avrg | Wrst | Last |
|------------------------------------------------|------|------|------|------|------|------|
| 1.1.168.192.in-addr.arpa - 0 | 53 | 53 | 0 | 0 | 0 | 0 |
| 98.235.174.217.in-addr.arpa - 0 | 53 | 53 | 33 | 41 | 149 | 34 |
| 100.235.174.217.in-addr.arpa - 0 | 53 | 53 | 33 | 42 | 148 | 36 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
| No response from host - 100 | 11 | 0 | 0 | 0 | 0 | 0 |
|________________________________________________|______|______|______|______|______|______|
WinMTR v0.92 GPL V2 by Appnor MSP - Fully Managed Hosting & Cloud Provider
I think it is a problem with the ISP maybe, or maybe I'm wrong. What do you think could be the problem?
It could be an issue with the ISP, however using the looking glass tool from their website, connections can be made from their network to the IP address 139.162.235.71.
traceroute 139.162.235.71 source 195.175.239.100
traceroute to 139.162.235.71 from 195.175.239.100, 30 hops max, 40 byte packets
1 212.156.120.53.34-acibadem-t3-1.34-acibadem-lg.statik.turktelekom.com.tr (212.156.120.53) 1.37 ms 0.633 ms 0.853 ms
2 34-acibadem-xrs-t2-2---34-acibadem-t3-5.statik.turktelekom.com.tr (81.212.217.124) 0.562 ms 0.552 ms 0.548 ms
3 34-ebgp-acibadem-sr12e-k---34-acibadem-xrs-t2-2.statik.turktelekom.com.tr (81.212.209.216) 0.586 ms 0.594 ms 0.583 ms
4 81.212.25.182.static.turktelekom.com.tr (81.212.25.182) 0.753 ms 0.750 ms
4 0.0.0.0 *
5 302-ams-col-2---34-ebgp-acibadem-sr12e-k.statik.turktelekom.com.tr (212.156.102.38) 55.7 ms 55.6 ms 55.7 ms
6 ae56.edge7.Amsterdam1.Level3.net (213.19.198.193) 57.5 ms 61.2 ms 57.2 ms
7 ae2.3215.edge7.London1.level3.net (4.69.166.6) 72.5 ms 70.9 ms 64.4 ms
8 195.50.112.34 (195.50.112.34) 57.0 ms 57.4 ms 57.4 ms
9 ae0.r02.lon01.ien.netarch.akamai.com (23.210.48.33) 65.1 ms 64.8 ms 65.2 ms
10 a23-210-48-17.deploy.static.akamaitechnologies.com (23.210.48.17) 64.2 ms 69.6 ms 64.9 ms
11 0.0.0.0 * * *
12 0.0.0.0 * * *
13 0.0.0.0 * * *
14 139-162-235-71.ip.linodeusercontent.com (139.162.235.71) 64.7 ms 65.0 ms 64.8 ms
This indicates that the issue may not be their network but may instead be the specific host you are attempting to connect from on their network.
Can you make other remote connections using that host? If not, then the issue is likely with the host itself.
Dear @tlambert,
Thank you for your response!
I am sorry, but you have checked the connection from Turkey's ISP. But the terminal that refuses connection to the VPS server is in Turkmenistan.
However, I wanted to try traceroute function from my VPS server to and from terminal in Turkmenistan. I have also checked whether the firewall rules are blocking network connections to that particular country. When I requested sudo ufw status verbose on the VPS server, the status was inactive, meaning the firewall was not enabled. But then, how am I able to connect to the VPS server from the Japanese terminal? Well, I enabled the firewall and wanted to see the configuration; it was on default rules.
Traceroute results:
- From Turkmenistan to VPS: https://imgur.com/y8NXiSu
- From VPS server to terminal in Turkmenistan are as follows:
traceroute to 95.85.102.97 (95.85.102.97), 30 hops max, 60 byte packets
1 10.207.5.214 (10.207.5.214) 0.256 ms 0.158 ms 0.133 ms
2 10.207.35.9 (10.207.35.9) 0.273 ms 0.257 ms 0.249 ms
3 10.207.32.1 (10.207.32.1) 0.229 ms 0.195 ms 0.164 ms
4 * lo0-0.gw1.lon1.gb.linode.com (109.74.207.101) 0.303 ms lo0-0.gw2.lon1.gb.linode.com (109.74.207.102) 0.569 ms
5 ae-0-100.gw1.lon1.gb.linode.com (109.74.207.8) 0.547 ms 0.353 ms ae21.r02.lon01.ien.netarch.akamai.com (23.210.48.16) 0.679 ms
6 ae21.r02.lon01.ien.netarch.akamai.com (23.210.48.16) 0.651 ms 0.732 ms 0.673 ms
7 ae2.3203.edge1.Stockholm1.level3.net (4.69.133.102) 28.657 ms * 28.436 ms
8 ae2.3203.edge1.Stockholm1.level3.net (4.69.133.102) 28.408 ms 194.88.84.250 (194.88.84.250) 60.134 ms ae2.3203.edge1.Stockholm1.level3.net (4.69.133.102) 28.352 ms
9 194.88.84.250 (194.88.84.250) 59.844 ms 59.956 ms 59.908 ms
10 10.50.10.106 (10.50.10.106) 92.548 ms 85.132.90.254 (85.132.90.254) 102.449 ms 102.731 ms
11 85.132.90.254 (85.132.90.254) 105.199 ms 217.174.235.47 (217.174.235.47) 102.850 ms 85.132.90.254 (85.132.90.254) 105.139 ms
12 217.174.235.47 (217.174.235.47) 105.317 ms 217.174.235.118 (217.174.235.118) 104.274 ms 104.216 ms
13 * * 217.174.235.118 (217.174.235.118) 101.746 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Best regards,
G. Novruz
Dear @tlambert,
Sorry for the late response! I was away!
Thank you for your thorough inspection of this issue!
Yes, it seems the problem is within Turkmenistan's ISP. I have tried to connect to different VPS server locations, such as Frankfurt, London, and Moscow, and also tried to investigate the problem from those nodes.
For now, I have shut down and deleted all VPS servers. We want to ask our local telecom and investigate in person.
Thank you very much for your help in understanding the issue!
Best regards,
G. Novruz
If you are interested, I found a new study about internet censorship in Turkmenistan.