Linux Networking Errors — The Diagnostic Ladder
When the network breaks, the error message rarely tells you which layer. Connection refused could be a firewall, a daemon not listening, or a routing issue. The way to diagnose efficiently is to walk the OSI layers in order: link → address → route → firewall → DNS → application. This article covers the ten errors you’ll see most often and the diagnostic sequence for each.
#021 Connection refused (ECONNREFUSED)
Description: Client tried to connect to a TCP port and the server actively rejected with RST.
Root cause: No process is listening on that port (or it’s a different IP family).
Solution: ss -tlnp on the server — is the service actually listening? Bound to 127.0.0.1 instead of 0.0.0.0? journalctl -u SERVICE for crashes.
#022 No route to host (EHOSTUNREACH)
Description: Kernel has no routing table entry for the destination.
Solution: ip route get DEST shows what would be used; ip route for the table; default gateway present? Routing-protocol issue if BGP/OSPF involved.
#023 Connection timed out (ETIMEDOUT)
Description: Packets sent, no response within timeout. Different from refused — a refused connection got an answer (RST).
Root cause: Firewall silently dropping, peer down, or asymmetric routing.
Solution: tcpdump -i any port 443 — do packets leave? Do replies come back? iptables -L -nv for local firewall counters; check upstream firewalls.
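As an added example (not part of the original article), a small shell function that applies the refused-versus-timed-out distinction above, with the DNS isolation step from #024 done first: it resolves the name with getent, attempts the TCP connect through bash's /dev/tcp under a timeout, and maps the outcome to one word. The function name, the one-word labels and the .invalid host in the usage line are my choices; it assumes bash, getent and coreutils timeout are installed.

```shell
# probe_tcp HOST PORT [TIMEOUT_SECONDS]
# Prints exactly one of: dns-failed, listening, refused, timed-out, unreachable, error: ...
# Uses bash's /dev/tcp so no netcat is needed; timeout(1) bounds the kernel's SYN retries.
probe_tcp() {
    host=$1; port=$2; limit=${3:-3}

    # Step 1: isolate DNS from connectivity. getent consults the nsswitch order
    # (/etc/hosts first, then DNS); a numeric address passes without any query.
    if ! getent ahosts "$host" >/dev/null 2>&1; then
        echo dns-failed
        return 0
    fi

    # Step 2: attempt the connect. bash writes the errno text on stderr;
    # timeout(1) exits 124 if the kernel is still retransmitting SYNs when time runs out.
    # Host and port are passed as arguments, never interpolated into the command string.
    rc=0
    err=$(timeout "$limit" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>&1) || rc=$?

    case $rc in
        0)   echo listening ;;   # three-way handshake completed
        124) echo timed-out ;;   # SYN sent, nothing came back (drop, peer down, asymmetric route)
        *)
            case $err in
                *refused*)                  echo refused ;;       # RST came back: nothing listening
                *unreachable*|*"No route"*) echo unreachable ;;   # ENETUNREACH / EHOSTUNREACH
                *)                          echo "error: $err" ;;
            esac ;;
    esac
}

# Usage (constructed targets):
#   probe_tcp 127.0.0.1 22
#   probe_tcp nonexistent-host.invalid 443 5
```

A result of "timed-out" is the cue to move to tcpdump on both ends and the firewall counters; "refused" means the packets are arriving and the problem is on the server side (ss -tlnp, bind address, crashed daemon).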
#024 Name or service not known (NXDOMAIN / EAI_NONAME)
Description: DNS resolution failed.
Solution: dig +short hostname — isolate DNS from network; cat /etc/resolv.conf; systemd-resolve --status; getent hosts consults nsswitch order; check /etc/hosts for stale entries.
#025 SSL/TLS certificate verify failed
Description: Client refused the server’s certificate.
Common cause: Expired cert, wrong hostname (CN mismatch), self-signed CA not trusted, system clock wildly off.
Solution: openssl s_client -connect host:443 -showcerts; check expiry: openssl x509 -enddate -noout; update-ca-certificates; check date if recent VM clone.
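As an added example (not from the original article), two shell functions around the openssl commands above: one turns the expiry check into a ready/expiring/expired verdict using openssl x509 -checkend, the other prints the subject and validity window so a hostname mismatch or a clock problem is visible at a glance. Function names and the warning window are mine; the host name in the comment is a constructed placeholder; it assumes an openssl binary is installed.

```shell
# cert_expiry_check CERT_PEM [WARN_DAYS]
# Prints one of: invalid, expired, expiring, ok. Returns 0 only for "ok".
# -checkend N answers: will the certificate still be valid N seconds from now?
cert_expiry_check() {
    cert=$1; warn_days=${2:-30}
    # Not a parseable X.509 certificate at all (wrong file, truncated download).
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo invalid; return 1; }
    # Not valid right now: already past notAfter (or the local clock is wrong, cf. cloned VMs).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo expired; return 1; }
    # Valid now but not at now + WARN_DAYS: renew before clients start failing verification.
    openssl x509 -in "$cert" -noout -checkend $(( warn_days * 86400 )) >/dev/null || { echo expiring; return 1; }
    echo ok
}

# cert_summary CERT_PEM: subject plus notBefore/notAfter, for spotting CN mismatches
# and clock skew (notBefore in the future means the client clock is behind).
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
}

# Fetch a live server's leaf certificate into a file for the checks above
# (host.example is a constructed placeholder):
#   openssl s_client -connect host.example:443 -servername host.example </dev/null 2>/dev/null \
#     | openssl x509 -out /tmp/leaf.pem
#   cert_expiry_check /tmp/leaf.pem 14 && cert_summary /tmp/leaf.pem
```

Note that -checkend only looks at notAfter; a certificate that fails verification because the client clock is behind notBefore shows up in cert_summary, not in the verdict.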
#026 Network is unreachable (ENETUNREACH)
Description: The local routing table has no entry covering the destination network (no usable interface or default gateway).
Solution: ip a — interface up with an address? ip link set DEV up; check VLAN tags; verify default gateway with ip route.
#027 Address already in use (EADDRINUSE)
Description: Service can’t bind to a port because another process owns it.
Solution: ss -tlnp 'sport = :PORT' identifies the holder; kill or reconfigure; for fast restart use SO_REUSEADDR.
#028 Too many TIME_WAIT sockets
Description: Server runs out of ephemeral ports under high reconnection load.
Solution: ss -s shows the TIME_WAIT count; tune net.ipv4.ip_local_port_range and net.ipv4.tcp_tw_reuse; better: use connection pooling client-side.
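As an added example (not from the original article), shell functions that turn the ss -s count and the ip_local_port_range sysctl into a single "how close to port exhaustion" number. The sample ss -s and sysctl output embedded below is constructed, not captured from a real host; the function names and the 50%/80% thresholds are my choices.

```shell
# Constructed sample of `ss -s` output (not captured from a real host).
SAMPLE_SS_S='Total: 2310
TCP:   2250 (estab 120, closed 2000, orphaned 3, timewait 1980)

Transport Total     IP        IPv6
RAW       0         0         0
UDP       7         5         2
TCP       250       240       10
INET      257       245       12
FRAG      0         0         0'

# Constructed sample of `sysctl net.ipv4.ip_local_port_range` output.
SAMPLE_PORT_RANGE='net.ipv4.ip_local_port_range = 32768 60999'

# timewait_count: read `ss -s` text on stdin, print the TIME_WAIT socket count.
timewait_count() {
    sed -n 's/.*timewait \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# port_range_size: read the sysctl line on stdin, print how many ephemeral ports exist.
port_range_size() {
    awk '/ip_local_port_range/ { print $NF - $(NF-1) + 1 }'
}

# timewait_pressure SS_TEXT RANGE_TEXT: TIME_WAIT sockets as a whole percentage of the ephemeral range.
timewait_pressure() {
    tw=$(printf '%s\n' "$1" | timewait_count)
    size=$(printf '%s\n' "$2" | port_range_size)
    echo $(( ${tw:-0} * 100 / ${size:-1} ))
}

# timewait_verdict SS_TEXT RANGE_TEXT: ok / warn / critical (thresholds are mine, not the article's).
timewait_verdict() {
    pct=$(timewait_pressure "$1" "$2")
    if [ "$pct" -ge 80 ]; then echo critical
    elif [ "$pct" -ge 50 ]; then echo warn
    else echo ok
    fi
}

# Live use on a real host:
#   timewait_verdict "$(ss -s)" "$(sysctl net.ipv4.ip_local_port_range)"
```

The percentage is a rough pressure indicator rather than an exact limit: a source port in TIME_WAIT blocks reuse only for the same four-tuple, so a client talking to many destinations exhausts ports later than the number suggests, while a client hammering one destination exhausts them exactly as it suggests.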
#029 ARP resolution failed
Description: L2 next-hop unreachable; kernel cannot map next-hop IP to MAC.
Solution: ip neigh shows ARP cache; flush stale: ip neigh flush all; check VLAN/switch port config.
#030 ssh: Permission denied (publickey)
Description: SSH key auth rejected.
Solution: ssh -vvv user@host for verbose trace; check ~/.ssh/authorized_keys on server (mode 600, dir 700); confirm key matches: ssh-keygen -lf ~/.ssh/id_rsa.pub; check sshd logs.
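As an added example (not from the original article), a shell function that automates the permission part of the checklist above. The article's 700/600 is the tight setting; what sshd with StrictModes (the default) actually rejects is a .ssh directory or authorized_keys that is group- or world-writable, or not owned by the login user, so that is the condition tested. The function name and the message wording are mine; it assumes GNU or busybox stat with -c.

```shell
# check_ssh_perms DIR: DIR is the .ssh directory of the account being logged into.
# Prints one line per item sshd's StrictModes would refuse, or "ok". Returns 1 if anything was flagged.
check_ssh_perms() {
    dir=$1
    me=$(id -u)
    bad=0
    for path in "$dir" "$dir/authorized_keys"; do
        [ -e "$path" ] || { echo "missing: $path"; bad=1; continue; }
        mode=$(stat -c %a "$path")    # e.g. 755 or 600
        owner=$(stat -c %u "$path")
        # Treat the mode string as octal and test the group (020) and other (002) write bits,
        # which is the check sshd applies; 755/644 pass, 775/666 fail.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "writable by group/other: $path (mode $mode)"
            bad=1
        fi
        if [ "$owner" != "$me" ]; then
            echo "not owned by uid $me: $path (uid $owner)"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

# Usage, run as the target user on the server:
#   check_ssh_perms "$HOME/.ssh" || echo "fix with: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys"
```

sshd applies the same ownership and write-bit test to the home directory itself, so if this reports ok and ssh -vvv still ends in "Permission denied (publickey)", check $HOME next, then the sshd log for the exact file it complained about.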
Conclusion
Five habits:
- Always isolate DNS from connectivity: ping IP works but ping hostname doesn’t = DNS, not network.
- Use tcpdump -i any port X as your truth source — it doesn’t lie.
- Walk the OSI stack: link → addr → route → firewall → DNS → app.
- Refused vs timed out: refused = port not listening, timed out = packet dropped (firewall or peer down).
- Keep ss -s in your toolkit for quick socket-state summary.