What Does the "Connection Timed Out" Error Mean
When attempting to connect to a remote server via OpenSSH, you see the message: ssh: connect to host <IP> port 22: Connection timed out. This is not an authentication or key-related error. The system is reporting that the TCP packets sent (SYN) did not receive a response (SYN-ACK) within the allotted time. The client simply gives up waiting and forcibly terminates the connection. This error occurs at the very earliest stage of establishing a TCP session, before any SSH key exchange begins.
Common Causes
- The server is powered off, rebooting, or the
sshdservice has hung. - Incoming connections to port 22 are blocked by the server's firewall (UFW, firewalld, iptables) or a cloud security group.
- A local firewall or antivirus on your machine is blocking outbound traffic on port 22.
- An incorrect IP address or domain name pointing to a different, unreachable host.
- Routing issues with your ISP or a malfunctioning NAT gateway.
- Overly strict timeout settings in the default SSH client configuration.
Resolution Steps
Step 1: Verify Host Availability and Network Connectivity
Start with basic diagnostics. Ensure the server is physically reachable on the network.
# Check basic connectivity (ICMP may be disabled on the server)
ping -c 4 192.168.1.100
If ping fails, verify the IP address in your cloud provider's control panel or with your hosting provider. Next, check specifically if port 22 is open:
# Use netcat for a quick TCP port check
nc -zv 192.168.1.100 22
A successful output will read: Connection to 192.168.1.100 22 port [tcp/ssh] succeeded!. If the command hangs or immediately returns Connection timed out, proceed to the next steps.
Step 2: Configure Firewall Rules
Most often, the port is blocked at the server level. Configure the rules according to your OS. For Ubuntu/Debian (UFW):
sudo ufw allow 22/tcp
sudo ufw reload
sudo ufw status
For RHEL/CentOS/AlmaLinux (firewalld):
sudo firewall-cmd --permanent --add-port=22/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
💡 Tip: If you are using cloud platforms (AWS, Google Cloud, Azure, Hetzner), check the Security Group or Network ACL settings in the web console. OS-level firewall rules will not take effect if an external filtering layer blocks the traffic first.
Step 3: Increase Timeouts in the SSH Client Configuration
Sometimes the network is slow due to high latency, and the default OpenSSH timeout is too short. You can increase the wait time globally or for a specific host. Open the client configuration file:
nano ~/.ssh/config
Add the following lines:
Host *
ConnectTimeout 30
ServerAliveInterval 15
ServerAliveCountMax 4
ConnectTimeout sets the time to wait for a TCP connection to be established, in seconds. ServerAliveInterval and ServerAliveCountMax help keep the session alive over unstable connections. Save the file (Ctrl+O), exit the editor, and reconnect.
Step 4: Check Routing and DNS Resolution
If you are connecting via a domain name, ensure it resolves to the correct IP:
dig +short example.com
If multiple addresses are returned or the IP is incorrect, flush your local DNS cache or use the direct IP in your ssh command. To analyze packet loss along the route to the server, use the mtr utility:
mtr -n -c 50 192.168.1.100
A high packet loss percentage (Loss%) on intermediate hops indicates an ISP issue. In this case, try connecting via mobile internet (tethering) or contact your hosting provider's support with the trace results.
Prevention
To prevent recurring issues, always configure automatic session keep-alive using the ServerAliveInterval and ServerAliveCountMax parameters. Regularly check the sshd service status with systemctl status sshd. For critical servers, set up backup access methods: a provider emergency console (VNC/IPMI), a WireGuard tunnel, or an alternative SSH port (e.g., 2222), which is scanned less frequently by bots and less likely to be caught by default ISP blocks. Document firewall changes in a centralized infrastructure repository (Ansible, Terraform) to quickly roll back incorrect rules.