Can't log in to MySQL on another droplet

Posted June 1, 2017 4.6k views

Hi there,
I have two droplets (vlife-portal & vlife-data) with the same configuration.
vlife-portal has SSL.

In mysql.user on both, I have set up root@'private IP' and granted the related privileges.

I followed the tutorial in the community to set up master & slave MySQL, and I tried to make vlife-portal the master and the other the slave. But after I started the slave, I found that I can't connect to vlife-portal.

Then I tested from vlife-portal in my terminal: I can connect to vlife-data's MySQL directly.
However, when I am on vlife-data, I can't connect to vlife-portal.

iptables / firewalls are not enabled.
There is no bind-address in my.cnf. I tried setting bind-address, and it still did not work.

Error msg:
ERROR 2003 (HY000): Can't connect to MySQL server on 'private IP' (110)

Could you please give me a hand with this?

5 answers

Hi @cetetek
Can you run sudo lsof -iTCP -sTCP:LISTEN -P on the data server?

  • In addition to that, can you also paste the output of both sudo iptables -L -n and sudo iptables-save? These will print any firewall rules that you have enabled.

    • [root@vlife-portal ~]# iptables -L -n
      Chain INPUT (policy ACCEPT)
      target prot opt source destination

      ACCEPT all --

      ACCEPT tcp -- tcp dpt:22
      ACCEPT tcp -- tcp dpt:80
      DROP tcp -- tcp dpt:3306
      ACCEPT icmp -- icmptype 8

      Chain FORWARD (policy ACCEPT)
      target prot opt source destination

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination

      [root@vlife-portal ~]# iptables-save

      Generated by iptables-save v1.4.21 on Fri Jun 2 23:50:48 2017

      :INPUT ACCEPT [79935:4658370]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [43636440:35733086523]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 3306 -j DROP
      -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

      Completed on Fri Jun 2 23:50:48 2017

  • Command not found
    But I use netstat -nlp |grep LISTEN

    [root@vlife-portal ~]# netstat -nlp |grep LISTEN
    tcp 0 0* LISTEN 2203/redis-server 1
    tcp 0 0* LISTEN 4399/nginx: worker

    tcp 0 0* LISTEN 2499/sshd

    tcp 0 0* LISTEN 4399/nginx: worker

    tcp 0 0* LISTEN 1627/php-fpm: maste
    tcp 0 0* LISTEN 5056/mysqld

    tcp6 0 0 :::22 :::* LISTEN 2499/sshd

    unix 2 [ ACC ] STREAM LISTENING 2961566 5056/mysqld /tmp/mysql.sock
    unix 2 [ ACC ] STREAM LISTENING 11943 1/systemd /var/run/dbus/system_bus_socket
    unix 2 [ ACC ] STREAM LISTENING 1451 1/systemd /run/systemd/journal/stdout
    unix 2 [ ACC ] STREAM LISTENING 8630 1/systemd /run/systemd/private
    unix 2 [ ACC ] SEQPACKET LISTENING 8694 1/systemd /run/udev/control


If you’re unable to connect on the private IP, it’s most likely due to MySQL not being bound to it. You may need to explicitly bind to it using:

bind-address = PRIVATE_IP

Where PRIVATE_IP is the private network IP for your Droplet. Once you bind MySQL to a private IP, you need to create a new user that uses the connecting server's private IP.

For example, let's say that the MySQL server's private IP is and the connecting server's IP is

You’d set:

bind-address =

and then create a new user using the connecting server's private IP:

grant all on dbname.* to 'dbuser'@'' identified by 'dbpassword';

You’d sub out dbname, dbuser, and dbpassword with your own values.

  • I would try this later, but I think this may not be the problem. Because I can link from A to B directly, and B has not set the bind-address.
    Thanks all the same!

Hi @cetetek

Okay, so you actually have a firewall rule that specifically blocks MySQL:

DROP tcp -- tcp dpt:3306

And I don’t see MySQL listening on the port, but only on a socket, so maybe you have the skip-networking defined somewhere in the configuration.
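
An added example, not part of any post in this thread: a small first-match evaluator for the INPUT chain pasted above, showing why a new TCP connection to port 3306 is dropped and how a source-restricted ACCEPT placed ahead of the DROP changes the verdict for one host only. The 10.0.0.x addresses, the `eth1` interface name, and the function names are assumptions; negated matches (`!`) and user-defined chains are not handled.

```python
import ipaddress
import shlex

# Constructed sample: the INPUT rules from the iptables-save output above.
# Counters are zeroed; the 10.0.0.x addresses used below are placeholders.
RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
"""

def verdict(rules, src, dport, iface="eth1", state="NEW"):
    """Return (verdict, matching rule) for a TCP packet; the first match wins."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        if line.startswith(":INPUT"):
            policy = line.split()[1]          # chain default policy
        if not line.startswith("-A INPUT"):
            continue
        tok = shlex.split(line)
        opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                if tok[i].startswith("-")}
        src_ok = ipaddress.ip_address(src) in ipaddress.ip_network(
            opts.get("-s", "0.0.0.0/0"))
        lo, _, hi = opts.get("--dport", "0:65535").partition(":")
        if (opts.get("-i", iface) != iface or opts.get("-p", "tcp") != "tcp"
                or not int(lo) <= dport <= int(hi or lo) or not src_ok
                or state not in opts.get("--state", state).split(",")):
            continue                          # rule does not match this packet
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"], line
    return policy, "chain policy"

def allow_before_drop(rules, src, dport):
    """Insert an ACCEPT for one source address ahead of the DROP for dport."""
    out = []
    for line in rules.splitlines():
        if f"--dport {dport} -j DROP" in line:
            out.append(f"-A INPUT -s {src}/32 -p tcp -m tcp --dport {dport} -j ACCEPT")
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    replica = "10.0.0.2"                      # placeholder private IP
    print(verdict(RULES, replica, 3306))      # DROP: packets vanish, client times out
    fixed = allow_before_drop(RULES, replica, 3306)
    print(verdict(fixed, replica, 3306))      # ACCEPT for the replica only
    print(verdict(fixed, "10.0.0.99", 3306))  # still DROP for everyone else
```

A DROP verdict discards the SYN silently, which is consistent with the timeout error code (110) in the question rather than a refused connection.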