Network diagnostics for a dedicated server

Last update: May 10 2026

If you encounter network problems, perform a diagnostic.After diagnostics, some common problems can be solved by yourself.

If the problem cannot be solved, create a ticket.In the ticket, specify the description of the problem and attach the results of diagnostics.The method of diagnostics depends on the problem you encountered.

Network problems and diagnostic methods

No internet access	check the status of the network interfaces; check the routing settings; restart network services; check access from the OS in recovery and diagnostic mode
The server is unavailable on the network	scan the ports; check the filtering rules; check the routing settings; check the availability of the node in the network and measure the latency; check access from the OS in recovery and diagnostic mode
The server is unavailable from a specific external network	perform route tracing; check the routing settings; restart network services; scan the ports; dump network traffic
The server is unavailable via SSH, HTTP/HTTPS, VPN, RDP protocols, while the server responds to ICMP requests and checks via mtr, telnet utilities are performed successfully	diagnose the impact of the TSPU
Short-term loss of connection	perform route tracing; to dump the network traffic; check access from the OS in recovery and diagnostic mode
Low speed	perform route tracing; measure the baud rate
High network latency	check the availability of the node in the network and measure the latency; perform route tracing; check access from the OS in recovery and diagnostic mode
Packet loss	Perform route tracing

Perform route tracing

Perform route tracing if you encounter:

• with slow connection speeds;
• high network latency;
• by the loss of the connection;
• by packet loss during data transmission;
• inaccessibility of the server from a particular external network.

You need to trace in two directions - from the dedicated server to a point outside the Selectel infrastructure and back again.To do this, you need an external server - any server with a public IP address and Internet access that is outside the Selectel infrastructure.

We recommend performing tracing using the mtr utility (WinMTR for Windows).The utility allows you to trace the full path and time of the traffic and find out at what stage of the route delays or packet loss occur.

1. Perform a trace from the dedicated server to the front-end server.
2. Perform a trace from the external server to the dedicated server.

1. Perform a trace from the dedicated server to the front-end server

Linux

1. Connect to the server via SSH or via KVM console.

2. Install the mtr utility on a dedicated server.Read more on GitHub mtr.

3. Optional: prepare the dedicated server for tracing - shut down utilities and applications that may affect the trace result:

   • firewall rules in the OS;
   • application layer (L7, application layer) - web servers, mail servers, file servers, name servers, peer-to-peer network clients and servers, etc.

4. Perform a trace to the external server address:

   mtr -b <remote_ip_address>

   Specify <remote_ip_address> - The IP address of the external server.

5. Wait for the utility to perform a trace and display route and delay information.

6. Stop the trace:

   q

Windows

1. Connect to the server via RDP or via KVM console.

2. Install the WinMTR utility on a dedicated server.Read more on the winMTR website.

3. Optional: prepare the dedicated server for tracing - shut down utilities and applications that may affect the trace result:

   • firewall rules in the OS;
   • application layer (L7, application layer) - web servers, mail servers, file servers, name servers, peer-to-peer network clients and servers, etc.

4. Start WinMTR.

5. In the Host field, enter the IP address of the external server.

6. Press Start.

7. Wait for the utility to perform a trace and display route and delay information.

8. Stop the trace by pressing Stop.

macOS

1. Connect to the server via VNC or via KVM console.

2. Install the mtr utility on a dedicated server.Read more on GitHub mtr.

3. Optional: prepare the dedicated server for tracing - shut down utilities and applications that may affect the trace result:

   • firewall rules in the OS;
   • application layer (L7, application layer) - web servers, mail servers, file servers, name servers, peer-to-peer network clients and servers, etc.

4. Perform a trace to the external server address:

   mtr -b <remote_ip_address>

   Specify <remote_ip_address> - The IP address of the external server.

5. Wait for the utility to perform a trace and display route and delay information.

6. Stop the trace:

   q

2. Perform a trace from the external server to the dedicated server

1. On the external server, install the utility depending on the OS you are using:

   • for Linux is mtr, more details on GitHub mtr;
   • for Windows - WinMTR.

2. Optional: prepare the front-end server for tracing - shut down utilities and applications that may affect the trace result:

   • firewall rules in the OS;
   • application layer (L7, application layer) - web servers, mail servers, file servers, name servers, peer-to-peer network clients and servers, etc.

3. Perform a trace to the address of the dedicated server.The IP address of the dedicated server can be viewed in the control panel: from the top menu, click Products → Dedicated Servers → Servers → Server → Server page → Operating System tab → IP field .

Measure the baud rate

If you are having problems with slow data transfer speeds, measure your connection speed.

Measure the data transfer rate in two directions - from a dedicated server to a point outside the Selectel infrastructure and back.To do this, you will need an external server - any server with a public IP address and Internet access that is outside the Selectel infrastructure.

We recommend using the iperf3 utility to measure speed.

1. Prepare the dedicated server for speed measurement.
2. Measure the data transfer rate.

1. Prepare a dedicated server for speed measurement

1. Boot the server in recovery and diagnostic mode To exclude the influence of OS processes on the diagnostic results.

2. Connect to the server via SSH or via KVM console.

3. Install the iperf3 utility on a dedicated server, see the iPerf documentation for details.

4. Run the iperf3 utility.The utility should run until the baud rate measurement is complete.

   iperf3 -s

2. Measure the baud rate

1. On the external server, open the CLI.

2. Install the iperf3 utility on the external server, see the iPerf documentation for details.

3. Measure the speed from the external server to the dedicated server.The command will perform the measurement in 20 threads to maximize the link load.

   iperf3 -c <ip_address> -P20 -t60 -i10

   Specify <ip_address> - public IP address of the dedicated server.You can view it in the control panel: in the top menu, click Products → Dedicated Servers → Servers → Server page → Server page → Operating System tab → IP field .

4. Perform the measurement in the opposite direction - add the -R key to the command:

   iperf3 -c <ip_address> -P20 -t60 -i10 -R

   Specify <ip_address> - public IP address of the dedicated server.You can view it in the control panel: in the top menu, click Products → Dedicated Servers → Servers → Server page → Server page → Operating System tab → IP field .

Check the status of the network interfaces

Check the status of the network interfaces if the server does not have Internet access.

Linux

1. Connect to the server via SSH or via KVM console.

2. Check the status of the network interfaces:

   ip a

   The response will show information about the network interfaces. For example:

   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host 
         valid_lft forever preferred_lft forever
   
   2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
       link/ether 1c:1b:0d:12:34:56 brd ff:ff:ff:ff:ff:ff
       inet 192.168.1.100/24 brd 192.168.1.255 scope global dynamic enp0s1
         valid_lft 604675sec preferred_lft 604675sec
       inet6 fe80::1234:abcd:5678:9ef0/64 scope link 
         valid_lft forever preferred_lft forever
   
   3: enp0s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
       link/ether 1c:1b:0d:65:43:21 brd ff:ff:ff:ff:ff:ff
       inet 203.0.113.10/24 brd 203.0.113.255 scope global dynamic enp0s2
         valid_lft 604675sec preferred_lft 604675sec
       inet6 fe80::abcd:1234:5678:9ef0/64 scope link 
         valid_lft forever preferred_lft forever

   Here:

   • enp0s1 - the name of the network interface on the local port;
   • enp0s2 - the name of the network interface on the Internet port;
   • UP - status of the network interface.

3. If the network interface is in DOWN status. enable it.For more information. in the IP Command Set documentation iproute2 instructions is a utility package that includes the ip utility.

   ip link set dev <eth_name> up

   Specify <eth_name> is the name of the network interface you obtained in step 2.

Windows

1. Connect to the server via RDP or via KVM console.

2. Run Powershell as administrator.

3. Check the status of the network interfaces:

   Get-NetAdapter

   The response will show information about the network interfaces. For example:

   Name          InterfaceDescription            ifIndex Status       MacAddress             LinkSpeed
   ----          --------------------            ------- ------       ----------             ---------
   Ethernet      Intel(R) Ethernet Connection         12 Up           00-1A-2B-3C-4D-5E       1 Gbps

   Here:

   • Ethernet - name of the network interface on the Internet port;
   • Up - status of the network interface.

4. If the network interface is in Disabled status, enable it:

   Enable-NetAdapter -Name "<eth_name>" -Confirm:$false

   Specify <eth_name> is the name of the network interface that you obtained in step 3.

macOS

1. Connect to the server via VNC or via KVM console.

2. Check the status of the network interfaces:

   ifconfig

   The response will show information about the network interfaces. For example:

   lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
       inet 127.0.0.1 netmask 0xff000000
       inet6 ::1 prefixlen 128 
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
       nd6 options=201<PERFORMNUD,DAD>
       
   en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       ether a4:5e:60:12:34:56 
       inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
       inet6 fe80::a65e:60ff:fe12:3456%en0 prefixlen 64 secured scopeid 0x4 
       inet6 2001:db8::1234:abcd prefixlen 64 autoconf secured
       nd6 options=201<PERFORMNUD,DAD>
       media: autoselect
       status: active

   Here:

   • en0 - The name of the network interface on the Internet port;
   • UP and active are the status of the network interface, interface en0 is up and running.

3. If the network interface is inactive, enable it:

   sudo ifconfig <eth_name> up

   Specify <eth_name> is the name of the network interface you obtained in step 2.

Check the routing settings

Check the routing settings if:

• there is no internet access on the server;
• the server is unavailable on the network;
• server is unavailable from a specific external network.

Linux

1. Connect to the server via SSH or via KVM console.

2. Check the routing settings:

   ip r

   A table of routes will appear in the response. For example:

   default via 203.0.113.1 dev enp0s2 proto dhcp metric 100
   203.0.113.0/24 dev enp0s2 proto kernel scope link src 203.0.113.10 metric 100
   192.168.1.0/24 dev enp0s1 proto kernel scope link src 192.168.1.100 metric 100

   Here:

   • default via 203.0.113.1 dev enp0s2 - default route, traffic to the Internet goes through the gateway 203.0.113.1 on the interface enp0s2;

   • 203.0.113.0/24 dev enp0s2 - route to public subnet 203.0.113.0/24 traffic to this subnet goes on the interface enp0s2;

   • 192.168.1.0/24 dev enp0s1 - route to private subnet 192.168.1.0/24, traffic to this subnet goes through the interface enp0s1.

Windows

1. Connect to the server via RDP or via KVM console.

2. Run Powershell as administrator.

3. Check the routing settings:

   Get-NetRoute | Select-Object DestinationPrefix, NextHop, RouteMetric, @{Name="Interface";Expression={(Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex).InterfaceAlias}}

   A table of routes will appear in the response. For example:

   DestinationPrefix NextHop       RouteMetric Interface
   ----------------- -------       ----------- ---------
   0.0.0.0/0         203.0.113.1   25          Ethernet
   203.0.113.0/24    0.0.0.0       25          Ethernet
   192.168.1.0/24    0.0.0.0       10          Internal

   Here:

   • 0.0.0.0/0 with NextHop 203.0.113.1 - default route, traffic to the Internet goes through the gateway 203.0.113.1 on the interface Ethernet;

   • 203.0.113.0/24 with NextHop 0.0.0.0 - route to public subnet 203.0.113.0/24 traffic to this subnet goes through the interface Ethernet;

   • 192.168.1.0/24 with NextHop 0.0.0.0 - route to private subnet 192.168.1.0/24, traffic to this subnet goes through the interface Internal.

macOS

1. Connect to the server via VNC or via KVM console.

2. Check the routing settings:

   netstat -rn

   A table of routes will appear in the response. For example:

   Internet:
   Destination        Gateway            Flags        Refs      Use   Netif Expire
   default            203.0.113.1        UGSc           10        0     en0
   127                127.0.0.1          UCS             0        0     lo0
   203.0.113.0/24     link#4             UCS             2        0     en0

   Here:

   • default 203.0.113.1 - default route, traffic to the Internet goes through the gateway 203.0.113.1 on the interface en0;

   • 203.0.113.0/24 link#4 - route to public subnet 203.0.113.0/24, traffic to this subnet goes through the interface en0.

Dump network traffic

If the server is inaccessible from a particular external network or you observe momentary connection losses, collect a dump of network traffic.

Network traffic dump is the process of recording and storing network traffic that passes through a network or device.A dump contains information about network protocols, packets transmitted, their contents, data sources and recipients.

Linux

1. Connect to the server via SSH or via KVM console.

2. Install tcpdump, which is a utility for capturing and analyzing network traffic.See the tcpdump documentation for more information.

   apt update
   apt install -y tcpdump

3. Look for the name of the network interface for which you want to write a dump, for this purpose print the list of network interfaces:

   ip a

   The response will show information about the network interfaces. For example:

   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host 
         valid_lft forever preferred_lft forever
   
   2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
       link/ether 1c:1b:0d:12:34:56 brd ff:ff:ff:ff:ff:ff
       inet 192.168.1.100/24 brd 192.168.1.255 scope global dynamic enp0s31f6
         valid_lft 604675sec preferred_lft 604675sec
       inet6 fe80::1234:abcd:5678:9ef0/64 scope link 
         valid_lft forever preferred_lft forever
   
   3: enp0s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
       link/ether 1c:1b:0d:65:43:21 brd ff:ff:ff:ff:ff:ff
       inet 203.0.113.10/24 brd 203.0.113.255 scope global dynamic enp0s2
         valid_lft 604675sec preferred_lft 604675sec
       inet6 fe80::abcd:1234:5678:9ef0/64 scope link 
         valid_lft forever preferred_lft forever

   Here enp0s2 is the name of the network interface on the Internet port.

4. Run tcpdump:

   sudo tcpdump -i <eth_name> -w <file_name>

   Specify:

   • <eth_name> - the name of the network interface you got in step 3;
   • <file_name> - the name of the file to which you want to write the network traffic capture, e.g. dump.pcap.

5. Wait until the right amount of data has been collected.

6. Stop the recording by pressing Ctrl + C.

Windows

1. Connect to the server via RDP or via KVM console.

2. Install Wireshark, which is a utility for capturing and analyzing network traffic, see the Wireshark documentation for details.

3. Run Wireshark with administrator privileges.

4. To start recording network traffic capture, click on the desired network interface.

5. Wait until the right amount of data has been collected.

6. Stop the recording.

7. Save the record to a file.

macOS

1. Connect to the server via VNC or via KVM console.

2. Install tcpdump, which is a utility for capturing and analyzing network traffic.See the tcpdump documentation for more information.

3. Look for the name of the network interface for which you want to write a dump, for this purpose print the list of network interfaces:

   networksetup -listnetworkserviceorder

   The response will show information about the network interfaces. For example:

   An asterisk (*) denotes that a network service is disabled.
   
   (1) Ethernet (Hardware Port: Ethernet, Device: en0)

   Here en0 is the name of the network interface on the Internet port.

4. Run tcpdump:

   sudo tcpdump -i <eth_name> -w <file_name>

   Specify:

   • <eth_name> - the name of the network interface you got in step 3;
   • <file_name> - the name of the file to which you want to write the network traffic capture, e.g. dump.pcap.

5. Wait until the right amount of data has been collected.

6. Stop the recording by pressing Ctrl + C.

Restart network services

Restart network services if on a server:

• no internet access;
• or the server is inaccessible from a specific external network.

Linux

1. Connect to the server via SSH or via KVM console.

2. Restart the network services:

   systemctl restart networking

Windows

1. Connect to the server via RDP or via KVM console.

2. Run PowerShell as an administrator.

3. Look up the name of the network interface on which you want to restart network services, to do this, bring up the list of network interfaces:

   Get-NetAdapter

   A list of network interfaces will appear in the response. For example:

   Name          InterfaceDescription            ifIndex Status       MacAddress             LinkSpeed
   ----          --------------------            ------- ------       ----------             ---------
   Ethernet      Intel(R) Ethernet Connection         12 Up           00-1A-2B-3C-4D-5E       1 Gbps

   Here Ethernet is the name of the network interface on the Internet port.

4. Restart the network services:

   Disable-NetAdapter -Name <eth_name>
   Enable-NetAdapter -Name <eth_name>

   Specify <eth_name> is the name of the network interface that you obtained in step 3.

macOS

1. Connect to the server via VNC or via KVM console.

2. Look up the name of the network interface on which you want to restart network services, to do this, bring up the list of network interfaces:

   networksetup -listnetworkserviceorder

   A list of network interfaces will appear in the response. For example:

   An asterisk (*) denotes that a network service is disabled.
   
   (1) Ethernet (Hardware Port: Ethernet, Device: en0)

   Here en0 is the name of the network interface on the Internet port.

3. Restart the network services:

   sudo networksetup -setnetworkserviceenabled <eth_name> off
   sudo networksetup -setnetworkserviceenabled <eth_name> on

   Specify <eth_name> is the name of the network interface you obtained in step 2.

Check filtering rules

If the server is inaccessible over the network, check the firewall filtering rules in the server OS.

Linux

1. Connect to the server via SSH or via KVM console.

2. Look at the list of firewall rules:

   iptables -L -n -v

   A list of rules will appear in the response. For example:

   Chain INPUT (policy DROP 1234 packets, 98765 bytes)
   pkts bytes target     prot opt in     out     source               destination
   2045  187K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   1087  159K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0      ctstate RELATED,ESTABLISHED
    120  8400 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0      tcp dpt:22
      0     0 DROP       all  --  *      *       192.168.1.100        0.0.0.0/0
   
   Chain FORWARD (policy DROP 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
   
   Chain OUTPUT (policy ACCEPT 3456 packets, 456789 bytes)
   pkts bytes target     prot opt in     out     source               destination

   Here:

   • Chain - A list of rules for packets of a particular direction:

     • INPUT - for incoming packets;
     • FORWARD - for redirected packets;
     • OUTPUT - for outgoing packets;

   • policy - the action of the rule, such as ACCEPT or DROP.

Windows

1. Connect to the server via RDP or via KVM console.

2. Run PowerShell with administrator privileges.

3. Look at the list of firewall rules:

   Get-NetFirewallRule | Format-Table Name, Enabled, Action, DisplayName

   A list of rules will appear in the response. For example:

   DisplayName : File and Printer Sharing (SMB-In)
   Name        : FPS-SMB-In-TCP
   Enabled     : True
   Direction   : Inbound
   Action      : Allow
   
   DisplayName : Remote Desktop - User Mode (TCP-In)
   Name        : RDP-TCP-In
   Enabled     : True
   Direction   : Inbound
   Action      : Allow
   
   DisplayName : Core Networking - DNS (UDP-Out)
   Name        : CoreNet-DNS-Out
   Enabled     : True
   Direction   : Outbound
   Action      : Allow
   
   DisplayName : Windows Remote Management (HTTP-In)
   Name        : WINRM-HTTP-In
   Enabled     : False
   Direction   : Inbound
   Action      : Allow
   
   DisplayName : Block Internet Access (Test Rule)
   Name        : Block-Internet-Test
   Enabled     : True
   Direction   : Outbound
   Action      : Block

   Here Action is the action of the rule, such as Allow or Block.For more information, see the Windows firewall instructions in the Microsoft documentation.

macOS

1. Connect to the server via VNC or via KVM console.

2. Look at the list of firewall rules:

   sudo pfctl -sr

   A list of rules will appear in the response. For example:

   scrub in all fragment reassemble 
   block return all 
   pass out proto tcp from any to any port = ssh flags S/SA keep state 
   pass out proto tcp from any to any port = http flags S/SA keep state 
   pass out proto tcp from any to any port = https flags S/SA keep state 
   pass out proto udp from any to any port = domain keep state 
   pass out proto udp from any to any port = ntp keep state 
   pass out inet proto icmp all keep state 
   pass in proto tcp from any to any port = ssh flags S/SA keep state 
   pass in proto tcp from any to any port = http flags S/SA keep state 
   pass in proto tcp from any to any port = https flags S/SA keep state 

   Here block and pass are the action of the rule, see the Packet filtering instructions in the OpenBSD documentation for more information.

Scan the ports

If the server is unreachable over the network or unreachable from a specific external network, scan the ports.Ports can be scanned using the nmap utility.

Linux

1. Connect to the server via SSH or via KVM console.

2. Install nmap, more details in the Linux Distributions article of the nmap documentation.

3. Scan the ports:

   nmap -p <port> <ip_address>

   Specify:

   • optional: <port> - ports in commas, such as 22,80,443, or a range of ports, such as 20-30;
   • <ip_address> - The IP address of the dedicated server.The IP address of the dedicated server can be viewed in the control panel under Servers and equipment → Servers → server card → field IP address.

Windows

1. Connect to the server via RDP or via KVM console.

2. Install nmap, more details in the Windows documentation article nmap.

3. Run PowerShell as an administrator.

4. Scan the ports:

   nmap -p <port> <ip_address>

   Specify:

   • optional: <port> - ports in commas, such as 22,80,443, or a range of ports, such as 20-30;
   • <ip_address> - The IP address of the dedicated server.The IP address of the dedicated server can be viewed in the control panel under Servers and equipment → Servers → server card → field IP address.

macOS

1. Connect to the server via VNC or via KVM console.

2. Install nmap, more details in the Apple Mac OS X documentation article nmap.

3. Scan the ports:

   nmap -p <port> <ip_address>

   Specify:

   • optional: <port> - ports in commas, such as 22,80,443, or a range of ports, such as 20-30;
   • <ip_address> - The IP address of the dedicated server.The IP address of the dedicated server can be viewed in the control panel under Servers and equipment → Servers → server card → field IP address.

Check node availability on the network and measure latency

If the server is unavailable over the network, experiencing high network latency or packet loss, check the availability of the server and measure the latency using the ping utility.The ping utility is part of the standard networking toolkit and is pre-installed in most operating systems.

The check can be performed up to the public or private IP address of the server, or a domain name that is bound to the server's IP address.

You will need a second server from which you will perform the check.If the check will be to a private IP address, the servers must be connected over a private network.

1. Open the CLI on the server from which you will perform the check.

2. Perform the test:

   ping <ip_address>

   Specify <ip_address> - IP address or domain name of the server.The IP address of the dedicated server can be viewed in the control panel: in the top menu, click Products → Dedicated Servers → Servers → Server page → Server page → Operating System tab → IP field .

Check access from the OS in recovery and diagnostic mode

So that OS settings do not affect server operation and diagnostics:

1. Boot the server in recovery and diagnostic mode.

2. Connect to the server via SSH or via KVM console:

   • If the server responds and you can connect, there is a software problem on the server. Reboot the server to restart the network services.If the problem is software, returning to the previous OS boot pattern will fix the problem;
   • if the server in recovery and diagnostic mode is unavailable, create a ticket describing the problem.