How do I troubleshoot ConnectionReset errors when I upload or download objects from Amazon S3?

When I upload or download objects in my Amazon Simple Storage Service (Amazon S3) bucket, I get one of the following errors: ConnectionResetError, Connection Aborted, or Connection reset by peer.

Resolution

You get connection reset errors when your application can't establish a connection to Amazon S3 endpoints. This can happen when connections are closed or become inactive while S3 resources are accessed. The cause can be in the application or client layer, the network path, or any intermediary resource. To find the root cause, identify which component causes the error.

Test connectivity

To test connectivity, run the following commands to check whether your machine can open a connection to S3 on port 80 (HTTP) and port 443 (HTTPS).

$ telnet mybucket.s3.REGION-CODE.amazonaws.com 80  
$ telnet mybucket.s3.REGION-CODE.amazonaws.com 443

Bypass SSL validation

Include the --no-verify-ssl parameter in your AWS CLI request to bypass SSL validation. With this parameter, the SSL certificates aren't validated, but the request still travels over port 443. If the request succeeds only when the parameter is present, then the issue is related to SSL validation. Use the parameter only to isolate such issues.

Analyze network traffic

Take a packet capture to analyze the network traffic between your machine and Amazon S3. Analyze the packet capture to determine whether the client or the server sends the RST flag.

  • If your network sends the RST flag, then note the IP address and the stage of the connection at which the RST flag is sent. The stages include DNS lookup, TCP handshake, SSL handshake, and data transfer.
  • If your network sends the RST flag during an SSL handshake, then make sure that your machine trusts the certificate that's returned by Amazon.

Debug connection

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent version of the AWS CLI.

Run the AWS CLI cp command from the machine where you got the error to try to connect to the Amazon S3 bucket. Include the --debug flag in the command (the flag works the same way with sync):

aws s3 cp SOURCE_FILE_PATH/SOURCE_FILE_NAME DESTINATION --debug

Analyze the request headers, request method, and response. If the issue is intermittent and a few requests are successful, then check whether there are differences between a successful and an unsuccessful request.

Check the output of the command to verify whether a proxy in the network environment causes the error. For errors that occur because of an HTTP proxy, the output indicates a proxy error or proxy connection failure. If an SSL proxy caused the error, then you see one of the connection reset errors when the client tries to establish the SSL handshake.

Check HTTP Keep-Alive

Turn on HTTP Keep-Alive on your machine so that your machine keeps a single TCP connection open for multiple HTTP requests and responses. Run the following command to check if HTTP Keep-Alive is turned on:

curl -Iv s3.amazonaws.com 2>&1 | grep -i 'connection #0'

When HTTP Keep-Alive is turned on, the output shows the following string:

Connection #0 to host s3.amazonaws.com left intact

Check intermediary resources

Intermediary resources, such as a NAT gateway, firewall, or load balancer, might close the connection prematurely when these resources experience high utilization. They might also close the connection prematurely and mark it dead when no data is sent over the connection for a period of time.

AWS OFFICIAL
Updated a year ago