Add pre-flight SSH connectivity check before update-users

users.yml

@@ -24,7 +24,7 @@
 
         - name: Build list of installed servers
           set_fact:
             server_list: "{{ server_list | default([]) + [ {'server': config.server, 'IP_subject_alt_name': config.IP_subject_alt_name} ] }}"
           loop: "{{ _configs_list.files }}"
           loop_control:
             label: "{{ item.path }}"
@@ -51,6 +51,32 @@
           include_vars:
             file: configs/{{ algo_server }}/.config.yml
 
+        - name: Test SSH connectivity to server
+          wait_for:
+            host: "{{ algo_server }}"
+            port: "{{ ansible_ssh_port | default(ssh_port) | int }}"
+            timeout: 10
+          register: ssh_check
+          ignore_errors: true
+          when: algo_server != 'localhost'
+
+        - name: Fail with helpful message if server unreachable
+          fail:
+            msg: |
+              Cannot connect to {{ algo_server }} on port {{ ansible_ssh_port | default(ssh_port) }}.
+
+              Possible causes:
+              - Server is not running (check your cloud provider console)
+              - IP address changed (common after EC2 restart without Elastic IP)
+              - Firewall/security group blocking port {{ ansible_ssh_port | default(ssh_port) }}
+
+              To diagnose:
+                nc -zv {{ algo_server }} {{ ansible_ssh_port | default(ssh_port) }}
+                ssh -vvv -p {{ ansible_ssh_port | default(ssh_port) }} -i configs/algo.pem {{ server_user | default('algo') }}@{{ algo_server }}
+          when:
+            - algo_server != 'localhost'
+            - ssh_check is failed
+
         - when: ipsec_enabled
           block:
             - name: CA password prompt