How to diagnose and troubleshoot CLB instance issues-Server Load Balancer(SLB)-阿里云帮助中心

Use the instance diagnostics module to check a Classic Load Balancer (CLB) instance for issues across seven categories: instance health, instance capacity, certificates, security policies, billing, listeners, and idle status. When an exception is detected, the module reports the cause and a recommended solution.

Prerequisites

Before you begin, ensure that you have:

A CLB instance in the CLB console

The first time you run a diagnosis, the system automatically creates the service-linked role AliyunServiceRoleForNis. For more information, see service-linked roles.

Run a diagnosis

Go to CLB console - Instances.
Start a diagnosis using either method:
- In the Instance Diagnostics column, click Start Diagnostics.
- Click the instance ID to open the details page, then choose More > Instance Diagnostics in the upper-right corner.
In the Instance Diagnostics panel, view the diagnostic status and results.
In the Diagnostic Items area, select Show All Diagnostic Items to display all supported diagnostic items.

Supported diagnostic items

Category	Diagnostic items
Health Check Diagnostics	Health Check Configurations: Checks whether health checks are configured for CLB listeners. Health Check Errors: Checks whether health checks of CLB listeners are abnormal.
Idle Instance Diagnostics	No Listener Configured: Checks whether listeners are empty. Backend Server Not Found: Checks whether backend servers are empty.
Quota Limit Diagnostics	Packets Dropped Due to Bandwidth Throttling: Checks whether the CLB instance has experienced packet loss caused by bandwidth throttling within the last 15 minutes. In some scenarios, packet loss can occur even when traffic does not reach the bandwidth peak. For details and solutions, see Failure to reach maximum bandwidth. Maximum Connections: Checks whether dropped connections occur or whether concurrent connections exceed 85% of the limit within the last 15 minutes. Maximum Number of New Connections: Checks whether dropped connections occur or whether new connections exceed 85% of the limit within the last 15 minutes. Maximum QPS: Checks whether dropped queries occur or whether queries exceed 85% of the limit within the last 15 minutes.
Certificate Diagnostics	No Certificate Configured for HTTPS Listener: Checks whether certificates are configured for HTTPS listeners. HTTPS Listener Certificate Expiration Check: Checks whether certificates expire in less than 60 days.
Security Policy Diagnostics	Access Control: If the instance has an ACL allowlist or blocklist configured, some traffic may be blocked. Anti-DDoS Origin Basic Status: Checks whether EIP-related network behavior is affected by DDoS protection. Interception by Cloud Firewall: Checks whether EIP-related network behavior is blocked by Cloud Firewall. Penalty for Security Control: Checks whether EIP-related network behavior is penalized by Yundun security control. Suspension for Security Reasons: Checks whether the instance is locked by risk control.
Cost Diagnostics	Alerts for Overdue Payments: Checks whether the instance has overdue payments. Alerts for Expiration: Checks whether the instance is in the 15-day pre-expiration warning state.
Listener Diagnostics	Access Errors: Uses the CLB log service to inspect log entries marked with abnormal HTTP status codes, helping you trace and diagnose the specific causes of access exceptions. Listener Throttling Check: Checks whether bandwidth throttling has occurred on listeners. Connection Failures Check: Checks whether the number of failed connections on listeners is too high. For details, see Sudden surge in CLB failed connections. Listener Status Check: Checks whether listeners on the instance are in the stopped state.

Manage diagnostic records

The Instance Diagnostics page supports the following actions on diagnostic records.

Action	Steps
View a diagnostic report	Find the instance and click View Report in the Actions column. The report opens in the Diagnostic Details panel.
Re-run a diagnosis	Click Re-diagnose in the Actions column.
Delete diagnostic records	Click Delete in the Actions column, then click OK to confirm. This deletes all diagnostic records for the instance.

Limitations

The instance diagnostics module checks instance status within the 15 minutes preceding the current time only. It cannot diagnose historical status outside this window.

For example: if a CLB instance goes down at 09:00:00 and recovers at 09:30:00, and you run a diagnosis at 10:00:00, the module checks the 09:45:00–10:00:00 window only. It cannot identify the exception that occurred between 09:00:00 and 09:30:00.

The further diagnostics feature, which identifies the root cause of health check exceptions, supports backend servers running CentOS, Ubuntu, and Alibaba Cloud Linux only. Windows and other operating systems are not supported.

FAQ

Why does the diagnostic result show an abnormal health check status?

The instance diagnostics module checks health check configurations on all listeners of a CLB instance. If health checks are not configured, or if a backend server fails its health checks, the health check status is reported as abnormal.

To identify the root cause, use the further diagnostics feature. It can detect issues such as backend services not running on listener ports and network filtering rules (for example, iptables) blocking traffic in the backend server OS.

What's next

For common CLB issues and solutions, see FAQs about CLB instances.
Application Load Balancer (ALB) and Network Load Balancer (NLB) also support instance diagnostics. See Diagnose ALB instances for ALB, and Diagnose an NLB instance for NLB.