What is the difference between ERR_CONNECTION_TIMED_OUT and ERR_CONNECTION_REFUSED?

Timed out (Chromium net error -118) means your SYN packet got no answer at all, so the browser waits out its retries before failing. Refused (-102) means the host actively replied with a TCP RST: it is reachable, but nothing is listening on that port, or a REJECT firewall rule sent the reset.

It works on my phone but not my laptop. Where is the problem?

Almost always local to the laptop's network path: a VPN, corporate proxy, host firewall, or a stale DNS entry. A clean second network, such as phone tethering, is the fastest way to split a client-side problem from a server-side one.

Why does the page hang for so long before the error appears?

A dropped SYN produces no immediate signal, so the kernel retransmits with exponential backoff. On Linux defaults (tcp_syn_retries=6) that is about 127 seconds before it gives up, which is the hang you are watching.

Views: 20

ERR_CONNECTION_TIMED_OUT Fix Guide

ERR_CONNECTION_TIMED_OUT means packets are silently dropped. Fix it in 3 checks: port reachability, network route, origin health. Free instant check, no sign-up.

Check your domain for this issue now

Free, no sign-up. Runs the exact check this guide describes and shows what to fix.

Problem

A page sits on a blank tab for a long time and then fails with ERR_CONNECTION_TIMED_OUT (or “This site can’t be reached”). The browser opened a TCP connection, sent a SYN, and never heard back. The long wait before the error is the diagnostic signal: a silent drop, not an active rejection.

Symptoms

The tab hangs for one to two minutes, then shows ERR_CONNECTION_TIMED_OUT.
The same URL loads fine from a different network or device.
ping may or may not respond, but the specific port never completes a handshake.
The error is not ERR_CONNECTION_REFUSED (immediate) or ERR_NAME_NOT_RESOLVED (DNS never resolved).

Top 3 Causes

A firewall or security group silently drops the SYN - A DROP rule or a closed cloud security group discards the packet with no reply, so the client retransmits and eventually times out. A REJECT rule would return a reset and produce “refused” instead.
DNS resolves to a dead or stale IP - After a server move, an old A/AAAA record still points at an address that is no longer routed or no longer answers, so the SYN goes to a number nobody picks up.
The host or network path is the fault, not the port policy - The server is down, its SYN backlog is full under load, or an MTU/routing blackhole on one path eats the handshake packets.

Diagnose with DechoNet

Port Check to test the target port (usually 443) from outside your network. A timeout there mirrors what the browser sees and points at a drop rule or unreachable host; an open result means the path works and the problem is higher up the stack.
DNS Lookup to confirm the A/AAAA record points at the current live IP and not an address left over from a previous host.
HTTP Check to see whether the request completes from an external vantage point, separating “only my network” from “everyone”.

If the port comes back closed (refused) rather than timing out, switch to the open port 443 closed checklist. If the name never resolves at all, use the DNS_PROBE_FINISHED_NXDOMAIN fix.

Resolution Checklist

Reproduce from a second network (phone tethering) to rule out a local VPN, proxy, or host firewall on your side.
Confirm the A/AAAA record resolves to the current server IP, not an address from a previous deployment.
Test the target port from outside; a timeout (not “refused”) points at a DROP rule, a closed security group, or an unreachable host.
Review cloud firewall and security group inbound rules for that port and source range.
If only some users are affected, suspect a routing or MTU blackhole on one path rather than a single server fault.
Re-run Port Check and HTTP Check after each change to confirm the handshake completes.

When to Escalate

Escalate to the hosting or cloud provider if the port times out from multiple external networks while the instance looks healthy internally - that points at a platform firewall or routing layer you may not control.
Escalate to network or infrastructure owners when the timeout is intermittent or path-dependent (MTU, asymmetric routing), since it will not be visible from a single host.