Ansible 'Connection failed' Error: Fix SSH & WinRM Issues (Guide)
By Luca Berton · Published 2024-01-01 · Category: troubleshooting
Fix Ansible connection failed errors. Troubleshoot SSH timeouts, authentication failures, WinRM issues, and unreachable hosts with step-by-step solutions.

Today we're going to talk about Ansible troubleshooting and specifically about connection failed errors.
I'm Luca Berton and welcome to today's episode of the Ansible Pilot.
The root cause of this type of problem lies directly in the networking. So jump to the ssh command line and troubleshoot it like an SSH connection error.
In the following example, the Operation timed out error was caused by a virtual machine that doesn't have its network card enabled.
Links
• Network Debug and Troubleshooting Guide
See also: Ansible 'Failed to Connect via SSH localhost:22': Fix Guide
Demo
The best way to talk about Ansible troubleshooting is to jump into a live Playbook and show you, in practice, the connection failed error and how to solve it!
Error
Ansible relies on an SSH connection to the target machine. Let's try manually:
$ ssh username@hostname
Failed to connect to the host via ssh: ssh: connect to host hostname port 22: Operation timed out
You need to verify the network connection between the source and the target machine.
Fix
Once the network connection is fixed, you can successfully connect to the target machine.
$ ssh username@hostname
username@hostname:~$
Conclusion
Now you know better how to troubleshoot the most common Ansible error about connection failure.
See also: Ansible SSH with Passwords: Fix sshpass & Authentication (Guide)
Common Connection Errors and Fixes
Error 1: Operation timed out
fatal: [server]: UNREACHABLE! => {"msg": "Failed to connect to the host via ssh: ssh: connect to host 192.168.1.100 port 22: Operation timed out"}
Causes:
• Target machine is powered off or unreachable
• Firewall blocking port 22
• Wrong IP address in inventory
• Network routing issue
Fix checklist:
# 1. Can you reach the host at all?
ping 192.168.1.100
# 2. Is SSH port open?
nc -zv 192.168.1.100 22
# 3. Can you SSH manually?
ssh user@192.168.1.100
# 4. Check firewall on target (if you have console access)
sudo firewall-cmd --list-ports # RHEL/CentOS
sudo ufw status # Ubuntu/Debian
Error 2: Permission denied (publickey,password)
fatal: [server]: UNREACHABLE! => {"msg": "Failed to connect to the host via ssh: user@192.168.1.100: Permission denied (publickey,password)."}
Causes:
• Wrong username
• SSH key not copied to target
• SSH key passphrase not provided
• PasswordAuthentication no in sshd_config
Fix:
# Copy your SSH key to the target
ssh-copy-id user@192.168.1.100
# Or specify the key in inventory
# inventory.yml
all:
  hosts:
    server:
      ansible_host: 192.168.1.100
      ansible_user: devops
      ansible_ssh_private_key_file: ~/.ssh/id_rsa
Error 3: Host key verification failed
fatal: [server]: UNREACHABLE! => {"msg": "Failed to connect to the host via ssh: Host key verification failed."}
Fix (choose one):
# Option 1: Accept the host key manually
ssh user@192.168.1.100 # type 'yes' when prompted
# Option 2: Disable host key checking (development only!)
export ANSIBLE_HOST_KEY_CHECKING=False
# Option 3: Set in ansible.cfg (development only!)
[defaults]
host_key_checking = False
⚠️ Warning: Disabling host key checking in production is a security risk. Use ssh-keyscan to populate known_hosts instead.
Error 4: Connection refused
fatal: [server]: UNREACHABLE! => {"msg": "Failed to connect to the host via ssh: ssh: connect to host 192.168.1.100 port 22: Connection refused"}
Causes:
• SSH daemon (sshd) not running on target
• SSH listening on a different port
Fix:
# On the target machine, check sshd status
sudo systemctl status sshd
# Start if not running
sudo systemctl start sshd
sudo systemctl enable sshd
# If using a non-standard port, specify in inventory
all:
  hosts:
    server:
      ansible_host: 192.168.1.100
      ansible_port: 2222
Debugging Connection Issues
Increase verbosity
# Add -vvvv for maximum debug output
ansible-playbook -i inventory playbook.yml -vvvv
Test with ansible ping module
ansible all -i inventory -m ping
Check Ansible configuration
# Show all active configuration
ansible-config dump --changed-only
# Show which config file is being used
ansible --version
See also: Failed to Connect via SSH in Ansible: Full Troubleshooting Guide
ansible.cfg Connection Settings
[defaults]
remote_user = devops
timeout = 30
host_key_checking = True
[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
pipelining = True
retries = 3
FAQ
How do I connect to Windows hosts?
Windows doesn't use SSH by default. Use WinRM:
all:
  hosts:
    windows_server:
      ansible_host: 192.168.1.200
      ansible_connection: winrm
      ansible_winrm_transport: ntlm
      ansible_user: Administrator
      ansible_password: "{{ vault_win_password }}"
How do I use a jump host / bastion?
# ansible.cfg
[ssh_connection]
ssh_args = -o ProxyJump=bastion_user@bastion_host
How do I increase the connection timeout?
# Command line
ansible-playbook -i inventory playbook.yml --timeout=60
# Or in ansible.cfg
[defaults]
timeout = 60
Quick Diagnosis
# Test SSH manually
ssh -vvv deploy@192.168.1.10
# Test with Ansible
ansible web1 -m ping -vvvv
# Check host is reachable
ansible web1 -m wait_for_connection -a "timeout=10"
Common Causes & Fixes
SSH Authentication Failed
# Check these inventory settings
web1:
  ansible_host: 192.168.1.10
  ansible_user: deploy
  ansible_ssh_private_key_file: ~/.ssh/deploy_key
  ansible_port: 22
# Fix key permissions
chmod 600 ~/.ssh/deploy_key
chmod 700 ~/.ssh/
# Test key
ssh -i ~/.ssh/deploy_key deploy@192.168.1.10
Host Key Verification Failed
# ansible.cfg (for lab/dev only)
[defaults]
host_key_checking = false
# Or via ssh_args (applies to every host; lab/dev only)
[ssh_connection]
ssh_args = -o StrictHostKeyChecking=no
# Better: accept host key once
- known_hosts:
    name: "{{ ansible_host }}"
    key: "{{ lookup('pipe', 'ssh-keyscan ' + ansible_host) }}"
  delegate_to: localhost
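ssh-keyscan, recommended in the Error 3 warning and used in the known_hosts task above, records whatever key the network returns, so the scan is only trustworthy once its fingerprints are compared with values read from the hosts directly. The following added example (not from the original article) does that comparison offline; the function names, the pin table and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(key_b64):
    """Key type named inside the blob (a length-prefixed string at its start)."""
    blob = base64.b64decode(key_b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii", "replace")


def verify_keyscan(scan_output, pins):
    """Split ssh-keyscan output into known_hosts-safe lines and (host, reason) rejects."""
    # pins maps host -> set of fingerprints obtained out-of-band (assumed input)
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank or comment line
        try:
            host, key_type, key_b64 = parts  # ValueError unless three fields
            if blob_key_type(key_b64) != key_type:
                rejected.append((host, "key type mismatch"))
            elif fingerprint(key_b64) not in pins.get(host, set()):
                rejected.append((host, "fingerprint not pinned"))
            else:
                accepted.append(line.strip())
        except (ValueError, struct.error):
            rejected.append((parts[0], "malformed line or key"))
    return accepted, rejected


def sample_blob(seed):
    """Constructed ed25519-shaped blob for the demo, not a real host key."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()


GOOD, OTHER = sample_blob(1), sample_blob(2)
PINS = {h: {fingerprint(GOOD)} for h in ("192.168.1.100", "192.168.1.10")}
SCAN = f"192.168.1.100 ssh-ed25519 {GOOD}\n192.168.1.10 ssh-ed25519 {OTHER}\n"
```

Calling verify_keyscan(SCAN, PINS) accepts the first host and rejects the second, whose scanned key does not match its pin. Only accepted lines should be appended to known_hosts.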
Connection Timeout
# Increase timeout
web1:
  ansible_host: 192.168.1.10
  ansible_ssh_timeout: 30
  ansible_timeout: 60
# ansible.cfg
[defaults]
timeout = 30
[ssh_connection]
ssh_args = -o ConnectTimeout=30
Python Not Found
web1:
  ansible_python_interpreter: /usr/bin/python3
  # Or auto-detect
  # ansible_python_interpreter: auto_silent
Wrong Port
web1:
  ansible_port: 2222 # Non-standard SSH port
WinRM Connection Issues
# Windows host setup
win1:
  ansible_host: 192.168.1.20
  ansible_connection: winrm
  ansible_winrm_transport: ntlm
  ansible_user: Administrator
  ansible_password: "{{ vault_win_password }}"
  ansible_port: 5986
  # ignore skips TLS certificate validation on the HTTPS listener
  ansible_winrm_server_cert_validation: ignore
# On Windows host - enable WinRM
Enable-PSRemoting -Force
# AllowUnencrypted permits WinRM traffic without encryption; Basic enables Basic authentication
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
Network/Firewall Issues
# Test port connectivity
nc -zv 192.168.1.10 22
telnet 192.168.1.10 22
# Check from Ansible host
ansible web1 -m ping -vvvv 2>&1 | grep -i "connect"
SSH Connection Reuse
# ansible.cfg - speed up connections
[ssh_connection]
pipelining = true
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
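Several ansible.cfg settings on this page are marked lab/dev only, and ssh_config(5) advises keeping ControlPath in a directory that other users cannot write to, which /tmp is not. The following added example (not from the original article) audits a config file for those settings; the function names, finding texts and sample config are constructed for illustration.

```python
import configparser
import shlex

FALSEY = {"false", "no", "off", "0"}                # Ansible boolean "off" spellings
SSH_OFF = {"no", "off"}                             # ssh values that disable the check
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable locations

# Constructed sample: the lab-only settings shown on this page, combined.
SAMPLE_CFG = """
[defaults]
host_key_checking = false

[ssh_connection]
pipelining = true
ssh_args = -o StrictHostKeyChecking=no -o ControlMaster=auto -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
"""


def ssh_options(ssh_args):
    """Collect ssh -o options ('-o K=V' or '-oK=V') as {lower-cased key: value}."""
    opts, tokens = {}, shlex.split(ssh_args)
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            tok = "-o" + tokens[i + 1]
        if tok.startswith("-o") and "=" in tok:
            key, _, value = tok[2:].partition("=")
            opts[key.lower()] = value
    return opts


def audit(cfg_text):
    """Return findings for connection settings that weaken SSH trust."""
    # interpolation=None: '%h' in ControlPath would otherwise raise in configparser
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    if cfg.get("defaults", "host_key_checking", fallback="true").lower() in FALSEY:
        findings.append("host_key_checking is disabled")
    opts = ssh_options(cfg.get("ssh_connection", "ssh_args", fallback=""))
    if opts.get("stricthostkeychecking", "").lower() in SSH_OFF:
        findings.append("ssh_args sets StrictHostKeyChecking=no")
    if opts.get("controlpath", "").startswith(SHARED_DIRS):
        findings.append("ControlPath is in a world-writable directory")
    return findings
```

Run audit() on the file reported by ansible --version before a playbook leaves the lab; an empty list means none of these three settings is present.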
Debugging Checklist
| Check | Command |
|-------|---------|
| Host reachable | ping 192.168.1.10 |
| SSH port open | nc -zv host 22 |
| SSH works manually | ssh -vvv user@host |
| Key permissions | ls -la ~/.ssh/ |
| Python on remote | ssh user@host python3 --version |
| Ansible verbose | ansible host -m ping -vvvv |
| DNS resolution | nslookup hostname |
FAQ
"Permission denied (publickey)" but key is correct?
Check: key permissions (600), SSH agent running, correct user, key added to authorized_keys on remote.
"Connection timed out" intermittently?
Could be network issues, firewall rules, or SSH MaxStartups limit on the server. Increase ansible_ssh_timeout and check server SSH config.
How do I connect through a bastion/jump host?
[ssh_connection]
ssh_args = -o ProxyJump=bastion-user@bastion-host