How to Fix Linux Error ECONNREFUSED (111): Connection Refused

Quick Fix Summary

TL;DR

Verify the target service is running and listening on the correct port using `ss -tlnp` or `netstat -tlnp`.

The ECONNREFUSED error (errno 111) indicates a TCP connection attempt was actively rejected by the host at the specified IP address and port. This means the remote host's TCP stack received the SYN packet but responded with a RST (reset) packet instead of a SYN-ACK.

Diagnosis & Causes

  • Target service is not running.
  • Service is bound to the wrong IP/interface.
  • Firewall (iptables/nftables) is rejecting connections to the port (a rule that silently drops them causes a timeout instead).
  • Application crashed or is stuck in a failed state.
  • Port conflict with another service.

Recovery Steps

    Step 1: Verify Service Status and Port Binding

    First, confirm the service you're trying to connect to is actually running and listening on the expected port and interface.

    ```bash
    # Check if the service process is running
    sudo systemctl status <service_name>
    # OR for non-systemd
    sudo service <service_name> status
    # Check what's listening on the target port (e.g., 5432 for PostgreSQL)
    sudo ss -tlnp | grep :5432
    sudo netstat -tlnp | grep :5432
    ```

    Step 2: Test Basic Network Connectivity

    Rule out fundamental network issues. Use `telnet` or `nc` to test the TCP handshake from the client machine.

    ```bash
    # Test connection to port (replace with your IP and port)
    telnet 192.168.1.100 5432
    # Using netcat (more scriptable)
    nc -zv 192.168.1.100 5432
    # Check local loopback if connecting to localhost
    telnet 127.0.0.1 5432
    ```

    Step 3: Inspect and Configure Host Firewall

    The local firewall on the *target* host is a common culprit. Check iptables or firewalld rules.

    ```bash
    # For iptables: List rules for the specific port
    sudo iptables -L -n --line-numbers | grep 5432
    # For firewalld: Check if port is open
    sudo firewall-cmd --list-all --zone=public | grep ports
    # Add a rule to allow the port (firewalld example).
    # Note: --add-port admits every source address that the zone applies to.
    sudo firewall-cmd --permanent --add-port=5432/tcp
    sudo firewall-cmd --reload
    ```

    Step 4: Check Service Configuration for Binding

    The service may be configured to listen only on `localhost` (127.0.0.1) instead of all interfaces (`0.0.0.0`).

    ```bash
    # Example: Check PostgreSQL listen_addresses
    sudo grep listen_addresses /etc/postgresql/*/main/postgresql.conf
    # Example: Check SSH daemon bind address
    sudo grep ListenAddress /etc/ssh/sshd_config
    # Common fix: change 'listen_addresses' to '*' or '0.0.0.0' in the config, then restart.
    # Listing only the interface address that clients use keeps the service off other networks.
    ```

    Step 5: Investigate Application-Level Rejection

    Some applications (e.g., Redis, MySQL) can reject connections based on client IP, even if the port is open.

    ```bash
    # Example: Check MySQL user grants and bind address
    sudo grep bind-address /etc/mysql/mysql.conf.d/mysqld.cnf
    # Connect locally and inspect grants
    mysql -u root -p -e "SELECT host, user FROM mysql.user;"
    # Example: Check Redis protected mode and bind
    sudo grep -E "^(bind|protected-mode)" /etc/redis/redis.conf
    ```

    Step 6: Advanced Diagnostics with tcpdump

    If the issue persists, capture packets on the target host to see the exact SYN/RST exchange.

    ```bash
    # On the TARGET host, capture traffic on the relevant port
    sudo tcpdump -i any -nn 'tcp port 5432 and (tcp[tcpflags] & (tcp-syn|tcp-rst) != 0)'
    # A simpler capture to see all traffic on the port
    sudo tcpdump -i any -nn 'port 5432' -w capture.pcap
    ```

    Architect's Pro Tip

    "When `ss`/`netstat` shows `LISTEN` on `127.0.0.1:port` but not on `0.0.0.0:port`, remote connections will fail. Always verify the listening interface."
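
Step 1, Step 4 and the tip above all come down to reading the Local Address column of `ss -tlnp`. The following added example (not part of the original guide) parses that output and reports, per port, which clients would be refused because of the bind address; the sample output, its addresses and PIDs, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       244         127.0.0.1:5432       0.0.0.0:*      users:(("postgres",pid=812,fd=5))
LISTEN  0       244             [::1]:5432          [::]:*      users:(("postgres",pid=812,fd=6))
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*      users:(("sshd",pid=701,fd=3))
LISTEN  0       4096    127.0.0.53%lo:53         0.0.0.0:*      users:(("systemd-resolve",pid=600,fd=14))
LISTEN  0       511                 *:80               *:*      users:(("nginx",pid=900,fd=6))
LISTEN  0       511     192.168.1.100:6379       0.0.0.0:*      users:(("redis-server",pid=950,fd=6))
"""

def bind_scope(addr):
    """Classify one listening address as 'all', 'loopback' or 'specific'."""
    addr = addr.split("%", 1)[0].strip("[]")   # drop %iface suffix and IPv6 brackets
    if addr == "*":
        return "all"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                      # 0.0.0.0 or ::
        return "all"
    return "loopback" if ip.is_loopback else "specific"

def listeners(ss_output, port):
    """Return [(address, scope)] for every LISTEN socket on `port`."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                           # header or non-listening socket
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port):
            found.append((addr, bind_scope(addr)))
    return found

def diagnose(ss_output, port):
    """Say which clients get ECONNREFUSED on `port` because of the bind address."""
    scopes = {scope for _, scope in listeners(ss_output, port)}
    if not scopes:
        return "not listening: every client is refused"
    if scopes == {"loopback"}:
        return "loopback only: remote clients are refused"
    if "all" in scopes:
        return "all interfaces: the bind address is not the cause"
    return "specific address: connections to other local addresses are refused"

if __name__ == "__main__":
    for p in (5432, 22, 53, 80, 6379, 3306):
        print(p, diagnose(SAMPLE_SS, p))
```

On a live host, pass the text of `ss -tln` to `diagnose()` in place of `SAMPLE_SS`.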

    Frequently Asked Questions

    What's the difference between ECONNREFUSED and a timeout?

    A timeout means your SYN packet got no response (firewall drop, network blackhole). ECONNREFUSED means you got an immediate RST response, proving the host is reachable but the port is closed.

    I can telnet to the port locally but not remotely. Why?

    This classic symptom points to the service binding only to `localhost` (127.0.0.1) or a host-based firewall (iptables/firewalld) blocking the remote IP. Check the service's bind configuration and firewall rules.

    Can SELinux cause ECONNREFUSED?

    Yes. If SELinux is in enforcing mode, it can block a service from binding to a non-standard port. Check SELinux alerts with `sudo ausearch -m avc -ts recent` and consider the appropriate boolean or port label.
