Dear Community,
In short; I cannot access my neo4j server remotely.
I am trying to setup a remote neo4j server (enterprise version 5.22.0).
-
I installed it on an Ubuntu 22.4 VM.
-
In the neo4j.conf file I stated:
server.default_listen_address=0.0.0.0
server.bolt.enabled=true
server.bolt.tls_level=disabled
server.bolt.listen_address=:7687
server.bolt.advertised_address=:7687
server.http.enabled=true
server.http.listen_address=:7474
server.http.advertised_address=:7474
(In my understanding that should enable unencrypted requests to the dbms.)
3. I started the server. It runs and I can access it locally from cypher-shell
- When I try to remotely access from my home computer with
cypher-shell -a 'bolt://(IPaddressofneo4jserver):7687' -u neo4
I will be asked for a password, then I get:
"Unable to connect to (IPaddressofneo4jserver):7687, ensure the database is running and that there is a working network connection to it."
with
cypher-shell -a 'neo4j://(IPaddressofneo4jserver):7687' -u neo4
I get:
"Connection refused"
I have no idea, how to fix it or where to look after a solution. I realized though that netstat on the db server outputs
tcp6 0 0 127.0.0.1:7687 :::* LISTEN
tcp6 0 0 127.0.0.1:7688 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 127.0.0.1:7474 :::* LISTEN
Apparently neo4j sets by default an IPv6 connection as requirement and I wonder whether this would be a problem and if so, how to modify this then.
I would be grateful to any hint even to further reading, but ideally, how to debug this.
Thanks a lot in advance,
Alex
@alexander_diab
with the neo4j.conf settings you describe I am not able to replicate the issue.
Further with said settings my netstat output is different than yours
netstat -a | grep -i listen | grep 7687
tcp6 0 0 [::]:7687 [::]:* LISTEN
is there a reference to 127.0.0.1 in your conf/neo4j.conf?
Hi Dan,
Thanks a lot for coming back to me. When I execute netstat only with -a (instead of -an) flag, I get the same
output, I get something similar:
tcp6 0 0 localhost:7688 [::]:* LISTEN
but the local address still points to localhost, which is the same as 127.0.0.1, which yours does not.
I forgot to mention another network setting in my conf file:
server.default_advertised_address="myneo4jserveraddress"
Here I tried both the domain name and the ipv4 address. Could that be the reason?
But again, reading the conf description, I understand that I am supposed to set this value.
Is there perhaps a log, which I could analyze to identify the cause for refused connection?
Thanks again,
Alex
The advertised address should not impact what IP/port the server actually listens on. Is there any chance that you have multiple default_listen_address lines in the config? You could also try setting the server.bolt.listen_address to a specific IP:port to see if that helps.
Hi John,
Indeed, I found another entry at the very bottom
server.default_listen_address=0.0.0.0=true
I commented it out and restarted. No change.
I have set
server.default_listen_address="ipaddress"
to the ip address of the machine from which I want to connect
No change in netstat output and no success either.
But I do understand that I need to get rid of the locahost address on the server machine? Perhaps I find a way to change this on OS level and overwrite what neo4j has set. I need to investigate there. Still, if there is any tool, which can do some surveillance, that would help a lot.
Cheers, gentlemen,
Alex
DId you try server.bolt.listen_address=yourIP:7687
Also, found out something new today:
This will help you catch those "I put the option in there twice" issues.
Hi Dan, John,
Thanks a lot for your input. It helped a lot to chase down the problem.
Just to let you know. The problem has been, that the environment variable for NEO4J_CONF was never set. That is why no change on the file has ever had an effect. I found this by invoking >neo4j help
which lists the commands but also the environment variables to be set. Unfortunately launching and connecting to the server the default configs work just fine and there is no warning that the environment vars are not complete.
Nonetheless, thanks again,
alex