20.67. kb-00066: DRP Endpoint ‘connect: connection refused’ or ‘i/o timeout’ errors

20.67.1. Knowledge Base Article: kb-00066

20.67.2. Description

This document describes some possible reasons for the following errors when trying to use drpcli to connect to a DRP Endpoint. Possible errors discussed in this document:

  • Error: Error creating Session: CLIENT_ERROR: Get "https://127.0.0.1:8092/api/v3/users/rocketskates/token": dial tcp 127.0.0.1:8092: connect: connection refused
  • Error: Error creating Session: CLIENT_ERROR: Get "https://127.0.0.1:8092/api/v3/users/rocketskates/token": dial tcp 127.0.0.1:8092: i/o timeout

These errors are almost always the result of an intervening firewall/ACL that is blocking connections to the DRP Endpoint API port. The “Additional Information” section shows examples of iptables commands that induce each of these errors, as follows:

  • i/o timeout is caused by use of the DROP directive
  • connect: connection refused is caused by use of the REJECT directive

20.67.3. Solution

Adjust any intervening Firewalls/routers/switch ACLs to not block the API and other important ports as described in the Server Documentation Ports section.

For iptables on a host, verify that no rules with DROP or REJECT (among other possibilities) are blocking traffic.
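One way to run that check is shown below. This is an added example, not part of the KB article or the DRP project; the function names `port_in_spec`, `drp_port_blockers` and `sample_rules` are hypothetical, and it assumes the rules are supplied in `iptables -S INPUT` text format.

```sh
# Added example: reads `iptables -S INPUT` text on stdin and lists rules that
# DROP or REJECT a TCP port, with the drpcli error the KB ties to each target.
# Other matchers (-s, -i, "!") are not evaluated: output is a candidate list.
# port_in_spec PORT SPEC: true if SPEC (8092, 8000:8100 or 80,8092) covers PORT.
port_in_spec() (
    IFS=,
    for item in $2; do
        case $item in
            *:*) [ "$1" -ge "${item%%:*}" ] && [ "$1" -le "${item##*:}" ] && exit 0 ;;
            *)   [ "$1" = "$item" ] && exit 0 ;;
        esac
    done
    exit 1
)

drp_port_blockers() (   # usage: iptables -S INPUT | drp_port_blockers 8092
    set -f              # keep rule text from glob-expanding in `set --`
    want=$1
    while read -r line; do
        set -- $line
        if [ "$1 $2 $3" = "-P INPUT DROP" ]; then
            echo "policy DROP => i/o timeout unless a rule accepts tcp/$want"
            continue
        fi
        chain= proto= spec= target=
        while [ $# -gt 1 ]; do      # each token is tried as a flag, next as value
            case $1 in
                -A) chain=$2 ;;
                -p) proto=$2 ;;
                --dport|--dports) spec=$2 ;;
                -j) target=$2 ;;
            esac
            shift
        done
        [ "$chain" = INPUT ] && [ "$proto" = tcp ] || continue
        port_in_spec "$want" "$spec" || continue
        case $target in
            REJECT) echo "REJECT => connect: connection refused :: $line" ;;
            DROP)   echo "DROP => i/o timeout :: $line" ;;
        esac
    done
)
sample_rules() {        # constructed sample, not captured from a real host
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 8092 -j REJECT --reject-with icmp-port-unreachable' \
        '-A INPUT -p tcp -m tcp --dport 8000:8100 -j DROP' \
        '-A INPUT -p udp -m udp --dport 8092 -j DROP'
}
sample_rules | drp_port_blockers 8092
```

On a real host, feed it `iptables -S INPUT` instead of the sample; rules in other chains or tables are outside what this example inspects.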

20.67.4. Additional Information

Additional resources and information related to this Knowledge Base article.

Here is an example flow showing the above error conditions, using iptables on the host running the DRP Endpoint service to block the API port.

Example deployment: start with an Ubuntu 20.04.3 system (without any host-based firewalls), then install DRP itself with:

curl -s get.rebar.digital/tip | bash -s -- install --universal

This should succeed in a couple of minutes. Check the service with:

systemctl status dr-provision

If you did a “developer” or “isolated” install, you may need to verify the service is running with:

ps -ef | grep -v grep | grep dr-provision

Once the service is running, drpcli should be able to connect and validate with the command drpcli info status. If the default admin username/password was changed at install time, adjust the drpcli client to use the correct authentication details. For example:

drpcli -U admin -P password -E https://127.0.0.1:8092 info status

Note that the -E endpoint specified above is the default URL that the CLI will attempt to hit. drpcli can be run from any remote system, assuming it has network/security/ACL/firewall access to the API port on the system (8092 by default; see Ports for more details). If alternate ports were specified during the install, adjust the tests and statements below accordingly.

To replicate the error conditions defined above, use iptables with the following directives:

  • i/o timeout is caused by use of the DROP directive
  • connect: connection refused is caused by use of the REJECT directive

First, show that the service is up and running with no intervening firewall:

root@mach-01:~# drpcli info status
{
  "API": {
    "Alive": true,
    "Enabled": true,
    ... snip ...
}

Now, inject the REJECT directive, and test again:

root@mach-01:~# iptables -A INPUT -p tcp --destination-port 8092 -j REJECT

Checking our info status CLI call again will result in the connection refused error condition:

root@mach-01:~# drpcli info status
Error: Error creating Session: CLIENT_ERROR: Get "https://127.0.0.1:8092/api/v3/users/rocketskates/token":
dial tcp 127.0.0.1:8092: connect: connection refused

Reset the firewall rules, then test for the i/o timeout error.

Note

Do not flush the tables like this on a system with configured rulesets. This test assumes you are using a development system without any “production” (or otherwise important) iptables rulesets.

Flush the tables:

root@mach-01# iptables -F

Now, set the rule to DROP the traffic to generate the i/o timeout condition:

root@mach-01:~# iptables -A INPUT -p tcp --destination-port 8092 -j DROP

Now our info status command will fail accordingly:

root@mach-01:~# drpcli info status
Error: Error creating Session: CLIENT_ERROR: Get "https://127.0.0.1:8092/api/v3/users/rocketskates/token":
dial tcp 127.0.0.1:8092: i/o timeout

To remove the firewall ruleset, flush the rules again:

root@mach-01# iptables -F

20.67.4.1. See Also

20.67.4.2. Versions

all

20.67.4.3. Keywords

i/o timeout, connection refused, failed connection, unable to reach drp endpoint

20.67.4.4. Revision Information

KB Article     :  kb-00066
initial release:  Fri Sep 24 18:36:41 PDT 2021
updated release:  Fri Sep 24 18:36:41 PDT 2021