Connection refused. Connection reset by peer. Connection timed out. They all mean "I couldn't talk to the server," and they're easy to lump together as a single category of "the network is broken." But each one is telling you something specific and different about where in the connection process things went wrong — and reading them correctly can take you from an hour of blind guessing to a fix in minutes.
This guide decodes the three most common connection errors: what each actually means at the network level, what typically causes it, and how to monitor for them so you catch the failure before your users report it.
A 10-Second Refresher: How a Connection Starts
Almost everything on the web runs over TCP, and every TCP connection begins with a three-step handshake:
- The client sends a SYN ("I'd like to connect").
- The server replies with SYN-ACK ("sure, let's connect").
- The client sends ACK ("great, connected").
Each connection error maps to a different failure point in (or around) this handshake. That's the key to telling them apart — the error name is really a clue about which step broke.
Connection Refused
What it means: the client reached the host, but nothing was listening on that port. The server actively rejected the connection — it sent back a TCP RST (reset) in response to the SYN, saying "there's nobody home on this port."
The important word is active: the machine is up and reachable, the network path works, but no process accepted the connection. This is a fast error — it comes back almost immediately, because the rejection is deliberate, not a timeout.
Common causes:
- The service crashed or isn't running (most common).
- The service is running but bound to the wrong port or interface (e.g.
localhostonly, not0.0.0.0). - You're connecting to the wrong port number.
- The service is still starting up and hasn't begun listening yet.
The mental model: you knocked on the right door and someone shouted "go away" — the building exists, the door exists, but the room is empty. Because it's fast and explicit, "connection refused" is usually the easiest of the three to diagnose: check whether the process is running and listening on the expected port.
Connection Timed Out
What it means: the client sent its SYN and heard nothing back at all. No acceptance, no rejection — just silence, until the client gives up after a timeout (often tens of seconds). The packets vanished into the void.
This is the slow, frustrating one, precisely because nothing responds. Unlike "refused," there's no active rejection to learn from — the absence of any reply is the signal.
Common causes:
- A firewall or security group is silently dropping packets (dropping, not rejecting — a rejecting firewall would give "refused").
- The host is down or unreachable — wrong IP, bad route, or a network partition.
- Severe packet loss or a broken network path swallowing the SYN.
- The server is so overloaded it can't even accept new connections.
The mental model: you knocked and waited, and waited, and nobody ever came — you can't even tell if anyone's inside. Because the cause is "silence," diagnosing it means working the path: is the host up, is a firewall dropping traffic, is there loss along the route? A traceroute or ping helps localize where the silence begins.
Connection Reset
What it means: there was a connection (or a half-open one), and it was abruptly terminated — the peer sent a TCP RST mid-conversation instead of a graceful close. The connection didn't time out and wasn't politely shut down; it was yanked away.
Reset is distinct from refused in timing: refused happens at the handshake (nothing was ever listening), while reset typically happens after a connection was established or while data was in flight.
Common causes:
- The server process crashed or was killed mid-request.
- A load balancer, proxy, or firewall closed an idle connection that the client then tried to reuse (a classic with connection pools and keep-alive).
- The server hit a limit (max connections, memory) and forcibly dropped connections.
- A protocol mismatch — e.g. sending plain HTTP to an HTTPS port, or a TLS negotiation failure.
- An intermediary deliberately reset the connection (some firewalls RST traffic they block).
The mental model: you were mid-conversation and the other person hung up on you. Resets often point to something stateful failing — a crash, a pool serving a stale connection, or a resource limit being hit under load.
Telling Them Apart at a Glance
| Error | Where it fails | Speed | Usual cause |
|---|---|---|---|
| Refused | Handshake — nothing listening | Fast (active RST) | Service down / wrong port |
| Timed out | Handshake — no reply at all | Slow (waits, then gives up) | Firewall drop / host unreachable |
| Reset | After connect / mid-stream | Varies | Crash, stale pooled connection, limit hit |
The quickest triage heuristic: fast and explicit → refused (check the process and port); slow and silent → timed out (check the path and firewall); mid-conversation hang-up → reset (check for crashes, stale connections, and limits).
How to Monitor for Connection Errors
These errors are exactly what good uptime monitoring is designed to catch — and the type of error makes your alerts far more actionable:
- Check from outside your network. A service that works from inside but gives "timed out" from the public internet is almost always a firewall or routing problem — and you'll only see it with outside-in checks.
- Distinguish the error type in alerts. "Connection refused" (service down) and "connection timed out" (network/firewall) demand different responders and different runbooks. An alert that names the error saves precious minutes.
- Watch for resets under load. Intermittent resets that climb with traffic point to a connection-pool or resource-limit problem, not a hard outage.
- Monitor from multiple regions. A connection error from one location but not others localizes the fault to a network segment rather than your server.
- Alert on sustained failures, not single blips, to avoid alert fatigue — the occasional reset on a flaky network is normal.
How Webalert Helps
Webalert continuously opens real connections to your services from multiple locations — so connection errors surface as clear, typed alerts instead of mystery user complaints:
- Outside-in checks that experience "refused," "reset," and "timed out" the way your users do, from outside your own firewall.
- Multi-region perspective to separate "the service is down" from "one network path is broken."
- Clear failure detail so you know whether you're chasing a dead process, a dropping firewall, or a flapping connection — before you start digging.
- Sustained-failure alerting that tells you about real problems without paging on every transient blip.
The difference between "the site is down" and "the site is refusing connections on port 443 from three regions" is the difference between an hour of guessing and a targeted fix.
Summary
Connection errors aren't interchangeable — each names a different failure point. Refused means the host is reachable but nothing is listening (fast, active rejection — check the process and port). Timed out means total silence, with no reply to the handshake (slow — check for dropping firewalls and unreachable hosts). Reset means an existing connection was abruptly torn down (check for crashes, stale pooled connections, and resource limits).
Learn to read the timing and the failure point — fast-and-explicit, slow-and-silent, or mid-conversation — and these errors stop being a generic "network problem" and start pointing straight at the cause. Monitor for them from outside your network, distinguish the types in your alerts, and you'll turn a class of confusing failures into some of the most actionable signals you have.