SSH port forwarding fails when the client cannot bind to a local or remote port. This typically happens when the port is already in use, you lack permissions, or there are conflicting SSH configurations.
This error occurs when SSH attempts to establish port forwarding (either local or remote) but cannot create a listening socket on the specified port. SSH reports 'channel_setup_fwd_listener: cannot listen to port' when it tries to set up the forwarding tunnel but the kernel refuses the bind operation. This is a configuration or system state issue, not a network connectivity problem.
First, verify if another process is holding the port:
lsof -i :8080
# or
netstat -tulpn | grep 8080
Replace 8080 with your actual port number. If another process is using it, either stop that process or choose a different port for your SSH forwarding.
Ensure you're using a port number higher than 1024. Ports below 1024 require root privileges:
# Wrong (if not root):
ssh -L 80:localhost:8080 [email protected]
# Correct:
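ssh -L 8080:localhost:8080 [email protected]
If you need to forward privileged ports, either run SSH with sudo or use setcap to grant capabilities to your SSH client. Both options widen privilege: a capability set on the ssh binary applies to every local user who runs it, so prefer a high local port where you can.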
If you recently disconnected an SSH session, it may still hold the port. Kill hanging SSH processes:
pkill -f 'ssh.*-L.*8080'
# or forcefully
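pkill -9 ssh
Wait a few seconds for the port to be fully released before reconnecting. The second form matches every process whose name contains ssh (other sessions and tunnels, ssh-agent, and sshd if run as root), so try the narrower first form before using it.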
Check ~/.ssh/config for conflicting LocalForward or RemoteForward directives:
cat ~/.ssh/config
If you have duplicate forwarding rules for the same port, remove or comment out the conflicting ones:
Host myhost
    # Remove duplicate LocalForward lines
    LocalForward 8080 localhost:8080
If the above steps don't work, switch to a different port in the ephemeral range (40000-60000):
ssh -L 54321:destination.com:8080 [email protected]
This is often the quickest workaround while investigating the root cause.
If you're on a system with SELinux enabled, it might be blocking the port binding:
semanage port -l | grep ssh
For firewall rules, check:
sudo iptables -L -n
# or on systems with firewalld:
sudo firewall-cmd --list-ports
Add your port to SELinux or firewall if needed.
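The first checks above (privileged port, existing listener, duplicate forwarding rules) combined into one pre-flight script. This is an added example, not part of the original page: the function names, the sample config and the sample socket table are constructed, and listening_on assumes the Linux /proc/net/tcp format (IPv4 only).

```sh
#!/bin/sh
# Added example: pre-flight checks before requesting a forward on a port.

# "privileged" for ports below 1024 (binding needs root), else "unprivileged".
port_class() {
  if [ "$1" -lt 1024 ]; then echo privileged; else echo unprivileged; fi
}

# Succeeds if a socket is in LISTEN state (st == 0A) on port $1.
# $2 is a table in /proc/net/tcp format (assumption: Linux, IPv4 only).
listening_on() {
  awk -v want="$(printf '%04X' "$1")" '
    $4 == "0A" { n = split($2, a, ":"); if (a[n] == want) found = 1 }
    END { exit !found }' "${2:-/proc/net/tcp}"
}

# Print listen ports named by more than one LocalForward (or more than one
# RemoteForward) line as "kind PORT: host host". Include/Match are not followed.
dup_forwards() {
  awk '
    BEGIN { host = "(global)" }
    { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, accept key=value
    tolower($1) == "host" { host = $2; next }
    tolower($1) ~ /^(local|remote)forward$/ {
      n = split($2, a, ":"); key = tolower($1) " " a[n]   # [bind_address:]port
      count[key]++; hosts[key] = hosts[key] " " host
    }
    END { for (k in count) if (count[k] > 1) print k ":" hosts[k] }' "$1" | sort
}

# Constructed sample inputs (not taken from a real machine).
cfg=$(mktemp); tbl=$(mktemp); trap 'rm -f "$cfg" "$tbl"' EXIT
cat > "$cfg" <<'EOF'
Host myhost
    LocalForward 8080 localhost:8080
    LocalForward 127.0.0.1:8080 localhost:9090
Host db
    localforward=5432 db.internal:5432
    RemoteForward 8080 localhost:80
# LocalForward 5432 localhost:5432
EOF
cat > "$tbl" <<'EOF'
  sl  local_address rem_address   st
   0: 0100007F:1F90 00000000:0000 0A
   1: 0100007F:D431 0100007F:1F90 01
EOF
echo "port 80 is $(port_class 80)"
listening_on 8080 "$tbl" && echo "8080 already has a listener"
dup_forwards "$cfg"
```

On a real system, call listening_on with only the port to read the live /proc/net/tcp, and pass ~/.ssh/config to dup_forwards.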
For RemoteForward (reverse tunnels), ensure GatewayPorts yes is set in the remote SSH server's /etc/ssh/sshd_config if you want the port accessible from outside localhost. Otherwise, remote listeners only bind to 127.0.0.1.
Additionally, some systems experience issues with connections lingering in the TCP TIME_WAIT state; you can temporarily set sudo sysctl -w net.ipv4.tcp_tw_reuse=1 to allow port reuse, but this is a system-level change that affects every TCP connection on the host.
For IPv6 issues, force IPv4 with the -4 flag: ssh -4 -L 8080:...
If port forwarding mysteriously fails after months of working correctly, it's often due to stale SSH connections from a service restart or a kernel issue; rebooting the system sometimes resolves the problem when nothing else does.