# java.net.ConnectException: Connection refused (Connection refused) at org.apache.kafka.clients.NetworkClient

- **ID:** `kafka/network-exception-connection-refused`
- **Domain:** kafka
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 95%

## Root Cause

Kafka client cannot establish a TCP connection to the broker because the broker port is not listening or a firewall is blocking the port.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kafka 3.0.0 | active | — | — |
| Kafka 3.1.0 | active | — | — |
| Kafka 3.2.0 | active | — | — |
| Kafka 3.5.0 | active | — | — |

## Workarounds

1. **Verify broker is listening on the correct port and address.
Command:
netstat -tlnp | grep 9092
# Should show LISTEN with Kafka process
# If not, check broker logs:
grep -i 'listener' /var/log/kafka/server.log
# Ensure listeners=PLAINTEXT://0.0.0.0:9092 in server.properties
# Restart broker:
kafka-server-stop.sh && kafka-server-start.sh -daemon config/server.properties** (95% success)
   ```
   Verify broker is listening on the correct port and address.
Command:
netstat -tlnp | grep 9092
# Should show LISTEN with Kafka process
# If not, check broker logs:
grep -i 'listener' /var/log/kafka/server.log
# Ensure listeners=PLAINTEXT://0.0.0.0:9092 in server.properties
# Restart broker:
kafka-server-stop.sh && kafka-server-start.sh -daemon config/server.properties
   ```
2. **Check firewall rules and allow inbound traffic on port 9092.
Command:
sudo ufw status | grep 9092
# If not allowed:
sudo ufw allow 9092/tcp
# For iptables:
iptables -A INPUT -p tcp --dport 9092 -j ACCEPT
# Test connectivity from client:
telnet broker-host 9092** (93% success)
   ```
   Check firewall rules and allow inbound traffic on port 9092.
Command:
sudo ufw status | grep 9092
# If not allowed:
sudo ufw allow 9092/tcp
# For iptables:
iptables -A INPUT -p tcp --dport 9092 -j ACCEPT
# Test connectivity from client:
telnet broker-host 9092
   ```

## Dead Ends

- **Change advertised.listeners to localhost** — If broker is on a different host, localhost prevents external connections; the issue is port, not hostname. (80% fail)
- **Increase request.timeout.ms in client config** — Timeout does not fix connection refusal; the TCP handshake fails immediately. (95% fail)
- **Disable SSL/TLS in broker config** — If broker expects SSL, disabling it causes auth errors; connection refusal is often port-based. (60% fail)