How to Quickly Diagnose and Resolve Packet Loss in Alibaba Cloud Environments

Background

In the context of growing cloud adoption, high‑quality network communication is essential; packet loss can cause communication interruptions, data anomalies, health‑check failures, and service outages.

Case Study: Rapid Problem Scoping

A customer deploying an ACK cluster in a new region experienced health‑check failures because SYN packets from the SLB were not answered with ACKs. Using the Alibaba Cloud OS Console, the issue was quickly pinpointed and resolved, avoiding prolonged deployment downtime.

Diagnostic Steps with the OS Console

1. Capture traffic on the ECS eth0 interface with tcpdump to verify that the SLB health‑check IP sends SYN packets but the instance does not return ACKs.

2. Confirm that iptables rules are unchanged, ruling out firewall blocks.

3. Use the OS Console’s “Network Diagnosis → Packet Loss Diagnosis” to run a diagnostic on the instance and view the report.

The report showed no kernel‑level packet loss, eliminating that cause.

Beyond iptables and Kernel Loss

Further inspection revealed additional sched_cls hooks installed by a network component. Removing the component restored health‑check success.

Another Scenario: Port 1678 Unreachable

A different customer could not connect to port 1678 despite the service listening. After confirming iptables and security software were clean, the OS Console diagnosed a netfilter rule dropping traffic to that port. Deleting the nftable rule restored connectivity.

Summary of Recommended Procedure

Run the OS Console packet‑loss diagnostic and examine the report.

If no kernel loss is reported, check for extra security software or unexpected hooks.

Validate iptables/nftables rules.

If needed, use tools like funcgraph or BPF to trace packet paths.

Following these steps typically resolves most packet‑loss issues in cloud environments.