
Error: Connection reset by peer while connecting to ElastiCache using stunnel method

I am using an ElastiCache single-node shard, Redis 4.0 or later version.

I enabled In-Transit Encryption and gave a Redis auth token.

I created one bastion host with stunnel using this link:

https://aws.amazon.com/premiumsupport/knowledge-center/elasticache-connect-redis-node/

I am able to connect to the ElastiCache Redis node in the following way:

    redis-cli -h hostname -p 6379 -a mypassword

and I can do telnet also. But when I ping (expected response "PONG") in redis-cli after connecting, it gives

"Error: Connection reset by peer"

I checked the security groups on both sides. Any idea? The bastion host is an Ubuntu 16.04 machine.

Shree Prakash asked Sep 29 '18 18:09


3 Answers

As I mentioned in the question, I was running the command like this:

    redis-cli -h hostname -p 6379 -a mypassword

The correct way to connect to an ElastiCache cluster through stunnel is to use "localhost" as the host address, like this:

    redis-cli -h localhost -p 6379 -a mypassword

Here is the explanation for using the localhost address:

When you create a tunnel between your bastion server and the ElastiCache host through stunnel, the program starts a service that listens on a local TCP port (6379), encapsulates the communication using the SSL protocol, and transfers the data between the local server and the remote host.

You need to start stunnel, check that the service is listening on the localhost address (127.0.0.1), and connect using "localhost" as the destination address:

  1. Start stunnel. (Make sure you have installed stunnel using this link https://aws.amazon.com/premiumsupport/knowledge-center/elasticache-connect-redis-node/)

    $ sudo stunnel /etc/stunnel/redis-cli.conf

  2. Use the netstat command to confirm that the tunnels have started:

    $ netstat -tulnp | grep -i stunnel

  3. You can now use the redis-cli to connect to the encrypted Redis node using the local endpoint of the tunnel:

    $ redis-cli -h localhost -p 6379 -a MySecretPassword
    localhost:6379> set foo "bar"
    OK
    localhost:6379> get foo
    "bar"

Shree Prakash answered Oct 07 '22 03:10


Most probably the ElastiCache Redis instance is using Encryption in-transit and Encryption at-rest, and by design, the Redis CLI is not compatible with the encryption.

You need to set up stunnel to connect to the Redis cluster:

https://datanextsolutions.com/blog/how-to-fix-redis-cli-error-connection-reset-by-peer/

Manoj Bhagwat answered Oct 07 '22 04:10


"Error: Connection reset by peer" indicates that Redis is killing your connection without sending any response.

One possible cause is that you are trying to connect to the Redis node without using SSL, as your connection will get rejected by the Redis server without a response [1]. Make sure you are connecting through the correct port in your tunnel proxy. If you are connecting directly from the bastion host, you should be using localhost.

Another option is that you have incorrectly configured your stunnel to not include a version of SSL that is supported by Redis. You should double check the config file is exactly the same as the one provided in the support doc.

If that doesn't solve your problem, you can try to build the cli included in AWS open source contribution [2]. You'll need to check out the repository, follow the instructions in the readme, and then do make BUILD_SSL=yes make redis-cli.

[1] https://github.com/madolson/redis/blob/unstable/src/ssl.c#L464
[2] https://github.com/madolson/redis/blob/unstable/SSL_README.md

reconditeRose answered Oct 07 '22 02:10
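As an added example (not part of any answer above, and not AWS or Redis project code), this Python check does directly what stunnel does on behalf of redis-cli: it wraps the TCP connection in TLS, then sends AUTH and PING, and reports whether the node answered, rejected the token, or dropped the connection. The function names are made up for this example, and the endpoint and token in the `__main__` block are placeholders.

```python
import socket
import ssl


def encode_command(*args):
    """Encode a Redis command as a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def auth_and_ping(sock, token):
    """Send AUTH then PING on a connected socket; return the PING reply text."""
    reply = ""
    with sock.makefile("rb") as reader:
        for cmd in (("AUTH", token), ("PING",)):
            sock.sendall(encode_command(*cmd))
            line = reader.readline()
            if not line:  # peer closed the connection instead of answering
                raise ConnectionError("closed without a reply to " + cmd[0])
            reply = line.rstrip(b"\r\n").decode()
            if reply.startswith("-"):  # RESP error, e.g. a rejected token
                raise PermissionError(cmd[0] + " failed: " + reply[1:])
    return reply.lstrip("+")


def check_node(host, port, token, use_tls=True, timeout=5):
    """Connect to host:port, optionally over TLS, and describe the outcome."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            ctx = ssl.create_default_context()  # verifies chain and hostname
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            return "ok: " + auth_and_ping(sock, token)
    except ssl.SSLError as exc:
        return "TLS handshake failed: %s" % exc
    except PermissionError as exc:
        return "rejected: %s" % exc
    except ConnectionError as exc:
        return "dropped (plaintext sent to a TLS-only port?): %s" % exc
    except OSError as exc:
        return "network error: %s" % exc


if __name__ == "__main__":
    # Placeholder endpoint and token (assumptions); substitute your own.
    print(check_node("master.example.cache.amazonaws.com", 6379, "MyAuthToken"))
```

Calling `check_node` with `use_tls=False` against the node's own endpoint sends plaintext the way the redis-cli command in the question did, while pointing it at the stunnel listener on 127.0.0.1 with `use_tls=False` exercises the tunnel path.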