What's Actually Happening

Clients cannot connect to NATS server. Applications fail to publish or subscribe to messages, connection attempts timeout or are refused.

The Error You'll See

Connection refused:

```bash nats pub test.subject message

nats: error: connection refused: nats://localhost:4222 ```

Connection timeout:

bash
nats: error: connection timeout after 2s

Client error:

go
nats: connection failed: dial tcp 127.0.0.1:4222: connection refused

Server logs:

```bash tail -f /var/log/nats/nats.log

[ERR] Failed to accept connection: accept tcp [::]:4222: too many open files ```

Why This Happens

  1. 1.NATS server down - Server process not running
  2. 2.Wrong address - Incorrect server URL
  3. 3.Port blocked - Firewall blocking 4222
  4. 4.TLS mismatch - Client TLS config wrong
  5. 5.Auth failure - Credentials missing or invalid
  6. 6.Server overloaded - Too many connections
  7. 7.Network issue - Network connectivity problem

Step 1: Check NATS Server Status

```bash systemctl status nats-server

ps aux | grep nats-server

ss -tlnp | grep 4222 netstat -tlnp | grep 4222

systemctl start nats-server

journalctl -u nats-server -f

nats-server --version

# Check NATS configuration: cat /etc/nats/nats-server.conf ```

Step 2: Test NATS Connection

```bash # Test with nats CLI: nats server info -s nats://localhost:4222

# Test publish: nats pub test.subject test-message -s nats://localhost:4222

# Test subscribe: nats sub test.subject -s nats://localhost:4222

# Test connection: nats bench test.subject --pub --msgs 10 -s nats://localhost:4222

# Check server response: curl -s http://localhost:8222/varz | jq

# Monitoring endpoint: curl -s http://localhost:8222/connz | jq

# Routez endpoint: curl -s http://localhost:8222/routez | jq ```

Step 3: Check Network Connectivity

```bash # Test port connectivity: nc -zv localhost 4222

# Test with telnet: telnet localhost 4222

# Test from remote: nc -zv nats-server 4222

# Check DNS resolution: nslookup nats-server

# Ping test: ping -c 3 nats-server

# Check routing: traceroute nats-server

# Test with timeout: timeout 5 bash -c cat < /dev/null > /dev/tcp/nats-server/4222 ```

Step 4: Check NATS Server Configuration

```bash # View NATS config: cat /etc/nats/nats-server.conf

# Basic config: server_name: nats-server listen: 0.0.0.0:4222 http_port: 8222

# Check listen address: grep listen /etc/nats/nats-server.conf

# If listen is 127.0.0.1, only localhost connections

# For remote connections: listen: 0.0.0.0:4222

# Check port config: grep port /etc/nats/nats-server.conf

# Restart NATS: systemctl restart nats-server ```

Step 5: Check Firewall Rules

```bash # Check iptables: iptables -L -n | grep 4222

# Allow NATS: iptables -I INPUT -p tcp --dport 4222 -j ACCEPT

# Firewalld: firewall-cmd --add-port=4222/tcp --permanent firewall-cmd --reload

# UFW: ufw allow 4222/tcp

# Check cloud security groups: # AWS: Security group inbound 4222 # Azure: NSG inbound 4222 # GCP: Firewall rule allow 4222

# Test from client: nc -zv nats-server 4222 ```

Step 6: Check TLS Configuration

```bash # NATS TLS config: cat /etc/nats/nats-server.conf | grep -A 10 tls

# TLS config example: tls: { cert_file: /etc/nats/cert.pem key_file: /etc/nats/key.pem ca_file: /etc/nats/ca.pem }

# Check certificates exist: ls /etc/nats/*.pem

# Verify certificate: openssl x509 -in /etc/nats/cert.pem -text -noout

# Check certificate expiration: openssl x509 -in /etc/nats/cert.pem -noout -dates

# Client TLS config: # nats://localhost:4222 for non-TLS # tls://localhost:4222 for TLS

# Test TLS connection: nats server info -s tls://localhost:4222

# If TLS error, check client cert config ```

Step 7: Check Authentication Configuration

```bash # NATS auth config: cat /etc/nats/nats-server.conf | grep -A 20 authorization

# Auth config example: authorization: { users: [ {user: admin, password: secret} {user: client, password: clientpass} ] }

# Client auth: nats pub test.subject msg -s nats://user:pass@localhost:4222

# Or with token: nats pub test.subject msg -s nats://token@localhost:4222

# Token config: authorization: { token: mytoken }

# Check auth logs: journalctl -u nats-server | grep -i auth

# If auth error, check credentials match server config ```

Step 8: Check Connection Limits

```bash # NATS connection limits:

# Check max connections: grep max_connections /etc/nats/nats-server.conf

# Default: unlimited # Set limit: max_connections: 1000

# Check current connections: curl -s http://localhost:8222/connz | jq .connections | length

# Check connection details: curl -s http://localhost:8222/connz | jq .connections[]

# Check file descriptor limit: ulimit -n

# NATS needs FDs for connections # Increase if needed: ulimit -n 65535

# In systemd service: cat /etc/systemd/system/nats-server.service | grep LimitNOFILE

# Set limit: LimitNOFILE=65535

# Reload systemd: systemctl daemon-reload systemctl restart nats-server ```

Step 9: Check NATS Cluster

```bash # If NATS in cluster mode:

# Check cluster config: cat /etc/nats/nats-server.conf | grep -A 10 cluster

# Cluster config example: cluster: { name: nats-cluster routes: [ nats-route://server1:4222 nats-route://server2:4222 ] }

# Check cluster routes: curl -s http://localhost:8222/routez | jq

# Check cluster connectivity: nc -zv server1 4222 nc -zv server2 4222

# Check route status: curl -s http://localhost:8222/routez | jq .routes[].did_connect

# If route not connected, check route URLs ```

Step 10: Monitor NATS Server

```bash # NATS monitoring:

# Server info: curl -s http://localhost:8222/varz | jq

# Connection info: curl -s http://localhost:8222/connz | jq

# Subscription info: curl -s http://localhost:8222/subsz | jq

# Monitor metrics: watch -n 5 curl -s http://localhost:8222/varz | jq '{connections: .connections, msgs: .msgs, bytes: .bytes}'

# NATS server logs: journalctl -u nats-server -f

# Look for errors: grep -i error /var/log/nats/nats.log | tail -20

# Prometheus exporter: # Use nats-prometheus-exporter ```

NATS Connection Checklist

CheckCommandExpected
Server runningsystemctl statusActive
Port listeningss -tlnp4222
Connection testnats server infoConnected
Networknc -zvPort open
Firewalliptables -L4222 allowed
TLS/Authconfig checkCorrect config

Verify the Fix

```bash # 1. Check server running systemctl status nats-server // Active: active (running)

# 2. Test connection nats server info -s nats://localhost:4222 // Server info returned

# 3. Test publish nats pub test.subject msg -s nats://localhost:4222 // Published message

# 4. Test subscribe nats sub test.subject -s nats://localhost:4222 // Received message

# 5. Check connections curl -s http://localhost:8222/connz | jq .connections | length // Connections present

# 6. Check logs journalctl -u nats-server --since "5 min ago" | grep -i error // No errors ```

  • [Fix NATS Server Not Starting](/articles/fix-nats-server-not-starting)
  • [Fix Kafka Broker Not Starting](/articles/fix-kafka-broker-not-starting)
  • [Fix RabbitMQ Connection Failed](/articles/fix-rabbitmq-connection-failed)