Remote connections to a Windows instance can fail for many reasons. This topic describes how to identify the cause of a connection failure and resolve the issue.
Use the self-service troubleshooting tool
The Alibaba Cloud self-service troubleshooting tool helps you quickly check security group configurations, the internal firewall of the instance, and the listener status of common application ports. The tool provides a detailed diagnostic report.
Click to open the self-service troubleshooting page and select the target region.
If the self-service troubleshooting tool cannot identify the issue, follow the steps below to troubleshoot the issue manually.
Manual troubleshooting
Check the status of the ECS instance, and then use Cloud Assistant to send commands to the Windows instance or log on to the instance using VNC.
Step 1: Check the ECS instance status
An ECS instance must be in the Running state to provide services.
Go to ECS console - Instances.
In the upper-left corner of the page, select a region and resource group.
Step 2: Connect to the ECS instance using VNC
If Cloud Assistant is unavailable or does not meet your requirements, you can use the Alibaba Cloud VNC tool to connect remotely. Follow these steps:
Go to ECS console - Instances.
In the upper-left corner of the page, select a region and resource group.
In the Remote connection dialog box, click Show Other Logon Methods, and then click Sign in now next to VNC.
Log on to the instance operating system.
In the upper-left corner of the page, click .
Enter the logon password for the instance and press Enter.
NoteThe default account for a Windows instance is Administrator.
Step 3: Send commands by using Cloud Assistant
You can use Cloud Assistant to send commands to a Windows instance. Follow these steps:
Go to ECS console - Instances.
In the upper-left corner of the page, select a region and resource group.
No specific error message
If a remote connection fails without returning an error message and the ECS instance is in the Running state, follow these steps to troubleshoot the issue:
Step 11: Check for incorrect Windows registry configurations
Step 12: Check whether the Windows RDP self-signed certificate has expired
Step 1: Test the remote connection by using Workbench
You can use Workbench provided by Alibaba Cloud to connect remotely. If the remote connection fails, Workbench returns a specific error message and a solution.
Go to ECS console - Instances.
In the upper-left corner of the page, select a region and resource group.
In the Connect dialog box, click Sign in now next to Workbench.
Workbench automatically fills in the basic information required to log on to the target instance. Confirm that the information is correct and enter the username and authentication credentials. Then, take one of the following actions based on the result:
If you still cannot log on, Workbench returns an error message and a solution. Follow the on-screen instructions to resolve the issue and then try to connect again. You can connect to the instance using VNC to resolve common issues that occur when you use Workbench.
If you can log on to the instance with Workbench but not from your local computer, the instance's remote connection port and service are working correctly. The issue is likely with your local client, which you must troubleshoot.
Step 2: Check for blackhole filtering notifications
Check for notifications indicating that blackhole filtering has been triggered for the instance. This feature blocks all internet access to the instance. For more information, see Alibaba Cloud blackhole policy.
Step 3: Check ports and security groups
Check whether any security group rules are blocking the connection. Follow these steps:
Go to ECS console - Instances.
In the upper-left corner of the page, select a region and resource group.
On the Instances page, click the ID of the target instance.
Click the Security Groups tab. In the Security Group List section, find the security group that you want to manage and click Manage Rules in the Actions column.
Select the direction for the security group rule.
On the Security Group Details tab, use one of the following methods to add a security group rule.
Method 1: Quickly add a security group rule
Select RDP Connection to a Windows Instance
Method 2: Manually add a security group rule
Action: Allow
Priority: 1 (A smaller value indicates a higher priority.)
Protocol Type: Custom TCP
: 0.0.0.0/0 (represents all IP addresses)
: Set this to the RDP port (default 3389).
Connect to the remote desktop using the
IP:portformat.In the Computer text box of the Remote Desktop Connection dialog box, enter the address in the
IP:portformat, such as192.168.0.1:4389, and click Connect.Run the following command to test if the port is working correctly.
telnet <IP> <Port>Note<IP> specifies the IP address of the Windows instance.
<Port> specifies the RDP port number of the Windows instance.
For example, when you run the
telnet 192.168.0.1 4389command, the output is normally similar to the following.Trying 192.168.0.1 ... Connected to 192.168.0.1 4389. Escape character is '^]'If the port test fails, see Check port availability when the ping command is successful but the port is unreachable for troubleshooting.
Step 4: Check the firewall configuration
You must have permissions to modify the instance firewall to perform this step. If the firewall is enabled, you may need to adjust its configuration policies. For more information, see Manage the Windows system firewall.
In the menu bar, choose .
Set View by to Small icons and click Windows Firewall.
In the Windows Firewall window, click Advanced settings.
Enable the firewall configuration.
In the Windows Firewall with Advanced Security, window, click Windows Firewall Properties.
Select On (recommended) and click Apply(A).
We recommend that you enable the firewall on the Domain Profile, Private Profile, and Public Profile tabs.
In the Windows Firewall with Advanced Security window, click Inbound Rules. In the pane on the right, scroll down to the bottom, right-click Remote Desktop - User Mode(TCP-In), and select Enable Rule.
Step 5: Check Remote Desktop Services
Check whether Remote Desktop Services is enabled on the Windows server.
This step uses Windows Server 2012 as an example. The steps may vary based on your operating system version.
Right-click the Start menu and click System.
In the System window, click Remote settings.
In the Remote Desktop section, select Allow remote connections to this computer (L), and click OK.
Start the Remote Desktop Services service.
In the Start menu, choose Administrative Tools > Component Services > Services (Local). In the pane on the right, find the Remote Desktop Services service and check its status. If the service is not running, start it.
Load the drivers and services that Remote Desktop Services depends on.
Key services that Remote Desktop Services depends on are sometimes disabled by mistake, causing connection failures. To resolve this, perform the following check.
Right-click the Start menu, click Run, enter
msconfig, and click OK.In the System Configuration dialog box, click the General tab, select Normal startup(N), and click OK.
Step 6: Check remote terminal service
The remote desktop of a Windows instance may be unreachable because of an incorrect remote terminal service configuration.
This example uses Windows Server 2008. The operations for other Windows Server versions are similar.
Issue 1: Corrupted self-signed certificate
If the local client runs a version of Windows later than Windows 7, it attempts to establish a Transport Layer Security (TLS) connection with the ECS instance. If the self-signed certificate that is used for the TLS connection on the ECS instance is corrupted, the remote connection fails.
Choose Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
In the Connections section, right-click RDP-Tcp and then click Properties.
In the RDP-Tcp Properties window, set Security Layer to RDP Security Layer and click OK.
In the Actions section, click Disable Connection and then click Enable Connection.
Issue 2: RDP connection disabled
A query with the netstat command shows that the port is not listening as expected.
After you log on to a Windows instance using VNC, you may find that the Remote Desktop Protocol (RDP) connection is disabled. In this case, you can re-enable the RDP-Tcp connection. For more information, see Issue 1: Corrupted self-signed certificate.
Issue 3: Terminal server role configuration
When you use Remote Desktop to access a Windows instance, the error message "If you are not a member of the Remote Desktop Users group or other groups that have these permissions, or if the Remote Desktop Users group does not have these permissions, you must be manually granted these permissions" may appear.
This issue occurs if a Terminal Server is installed on the server without a valid license. To resolve this issue, use one of the following solutions:
If the issue is caused by the terminal server role, log on to the server, right-click Computer, and choose Roles > Remove Role Services.
Step 7: Check the network
If you cannot remotely connect to a Windows instance, first check whether the network is working correctly.
Test the connection from other network environments, such as different network segments or from different carriers, to determine if the issue is with your local network or the server.
If the issue is with your local network or carrier, contact your local IT staff or the carrier to resolve it.
If the network adapter or its driver is not working correctly, ensure the network adapter is enabled and update its driver. Follow these steps:
Use the
pingcommand on your local client to test the network connectivity to the instance.If a network issue occurs, see Use a packet capture tool to capture network packets for troubleshooting.
If ping packets are lost or the ping command fails, see Use MTR to analyze network paths for troubleshooting.
If intermittent packet loss occurs and the network of your ECS instance is unstable, see Link interruption to resolve the issue.
If you receive a General failure error when you run the ping command from your instance to test the connectivity to the client, see The "General failure" error is reported when I ping a public IP address from a Windows instance to resolve the issue.
Step 8: Check CPU, bandwidth, and memory
A remote connection to a Windows instance may fail due to high CPU load, insufficient bandwidth, or insufficient memory.
Select the appropriate operation based on the CPU load.
If the CPU load is not high, continue to the next check.
If the CPU load is high, resolve the issue by using the methods in this step.
If you suspect high CPU load, log on to the instance from the terminal on the Instance Details page and check whether Windows Update is running in the background. A high CPU load is expected if Windows Update is running. Wait for the update to complete.
If applications on the instance cause high disk I/O, frequent network requests, or compute-intensive workloads, a high CPU load is expected. In this case, you can upgrade the instance type to resolve resource bottlenecks.
NoteFor more information about how to resolve high CPU loads, see Troubleshoot high CPU utilization on Windows instances.
If the CPU usage remains abnormally high after you rule out the preceding causes, the instance may be infected with malware. For example, cryptomining malware maliciously consumes CPU resources, which may cause the instance to lag, respond slowly, or even become unreachable. For more information about how to troubleshoot and handle this issue, see Scan for and handle cryptomining programs. If the instance is infected with ransomware, system files are encrypted and locked, which may also cause logon failures. For more information, see Protect your servers from ransomware.
Check for insufficient public bandwidth.
A remote connection may fail due to insufficient public bandwidth. Follow these steps to troubleshoot the issue.
Go to ECS console - Instances.
In the upper-left corner of the page, select a region and resource group.
On the Instances page, click the instance ID. On the Instance Details tab, view the Public Bandwidth in the Configuration Information section.
If the public bandwidth is 0 Mbit/s, the instance was created without public bandwidth. You can resolve this issue by upgrading the public bandwidth.
Check for insufficient memory.
After you remotely connect to a Windows instance, the desktop may not display correctly and the connection may close without an error message. Insufficient server memory can cause this issue. Follow these steps to check the memory usage.
Go to Start > Administrative Tools > Event Viewer and check for warning logs that indicate insufficient memory resources. For more information, see Troubleshoot insufficient virtual memory on Windows Server 2003/2008 ECS instances.
Step 9: Check system security policies
Check whether any security policies on the Windows server are blocking remote desktop connections. Follow these steps.
Choose Start > Control Panel > Administrative Tools and double-click Local Security Policy.
In the Local Security Policy window, click IP Security Policies on Local Computer. The next step depends on whether a relevant security policy already exists.
If a relevant security policy exists, delete or edit it.
To delete the security policy, right-click the policy and select Delete(D). In the dialog box that appears, click Yes.
Double-click the IP security policy to open it, reconfigure it to allow remote desktop connections, and then try to connect again by using Remote Desktop.
If no relevant security policies exist, proceed to Step 10 to continue troubleshooting.
Step 10: Check the antivirus software
Remote connection failures may be caused by third-party antivirus software settings. Use the following methods to resolve this issue. This section provides two case studies of how SafeDog configuration can cause remote access to fail.
If antivirus software is running in the background, connect to the instance using VNC to upgrade the antivirus software to the latest version or uninstall it. For more information about how to log on to an instance using VNC, see Connect to an instance by using VNC.
Use a commercial version of antivirus software, or use the free Microsoft Safety Scanner to scan for and remove viruses in safe mode. For more information about Security Scanner, see Microsoft Safety Scanner.
Case 1: Interception by the SafeDog blacklist
If you experience the following issues after you install SafeDog, check its security settings and interception rules.
The local client cannot remotely connect to the Windows instance, but clients in other regions can.
The server IP address cannot be pinged, and a route trace using the
tracertcommand fails to reach the server.The local public IP address is not blocked by Security Center.
Open Server Security Guard, select Network Firewall, and click the
icon to the right of Super Blacklist/Whitelist. If the public IP address of the ECS instance is in the Super Blacklist, delete the blacklist rule and add the public IP address to the Super Whitelist.
If the traffic scrubbing threshold is set too low in Security Center, the public IP address of the instance may be blocked. We recommend that you increase the traffic scrubbing threshold to prevent the public IP address of the instance from being blocked. For more information, see Anti-DDoS Origin Basic.
Case 2: SafeDog software error
After you log in to a Windows instance by using VNC, Safedog displays an error message in the bottom-right corner of the system desktop, such as Network driver error (Driver service not started). Please download the latest version, overwrite the installation, and restart.
This issue can be caused by a SafeDog software error. To restore network connectivity, uninstall SafeDog and restart the ECS instance.
Step 11: Check Windows registry configurations
Incorrect configurations in the Windows registry may block RDP connections. Follow these steps to fix the issue.
In the Run dialog box, enter regedit and click OK to open the Registry Editor.
In Registry Editor, modify the following parameter values.
In
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, modify the value of thefEnableWinStationparameter to 1.Change the value of the
fDenyTSConnectionsparameter inHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Serverto 0.
Step 12: Check for expired RDP self-signed certificates
An expired RDP self-signed certificate may cause remote logon failures. Follow these steps to fix the issue.
Run Windows PowerShell as an administrator.
In the Windows PowerShell window, run the following command to check whether the current certificate has expired.
Get-Item 'Cert:\LocalMachine\Remote Desktop\*' | Select-Object NotAfterIf the certificate has expired, run the following command to delete the self-signed certificate and restart the TermService service.
Remove-Item -Path 'Cert:\LocalMachine\Remote Desktop\*' -Force -ErrorAction SilentlyContinue Restart-Service TermService -ForceWhen the TermService service restarts, the system automatically generates a new self-signed certificate.
Run the following command to confirm that the new self-signed certificate's timestamp has been updated.
Get-Item 'Cert:\LocalMachine\Remote Desktop\*' | Select-Object NotAfterNoteThe default validity period of an RDP self-signed certificate is six months.
Specific error messages
A protocol error occurs when you remotely connect to a Windows ECS instance
Authorization-related issues:
Connection count-related issues:
> Remote Connection > Send Command.
icon and select Open Network and Sharing Center.