CRITICAL

How to Fix Linux EHOSTUNREACH: No Route to Host

Quick Fix Summary

TL;DR

Check routing tables and firewall rules, then verify the destination host is reachable via ICMP.

EHOSTUNREACH indicates the kernel cannot find a valid route to the destination host. This is a network-layer failure where packets cannot be forwarded to their intended target.

Diagnosis & Causes

  • Missing or incorrect default gateway.
  • Firewall blocking ICMP or all traffic to the host.
  • Destination host is powered off or disconnected.
  • Incorrect subnet mask or routing table entry.
  • Network interface is down or misconfigured.

    • Recovery Steps

    1

    Step 1: Verify Basic Network Connectivity

    First, confirm the destination host is online and reachable from another system. This isolates the problem to your host.

    bash 
    ping -c 4 <destination_ip>
telnet <destination_ip> <port>
    2

    Step 2: Check Local Routing Table

    The kernel uses the routing table to decide where to send packets. Verify a route exists for the destination network or host.

    bash 
    ip route show
ip route get <destination_ip>
netstat -rn
    3

    Step 3: Inspect Interface and ARP State

    Ensure the local network interface is UP and has the correct IP. Check if the ARP table has an entry for the next-hop gateway or host.

    bash 
    ip addr show <interface>
ip link show <interface>
arp -an | grep <gateway_ip>
    4

    Step 4: Diagnose with Traceroute

    Traceroute shows the path packets take and where they fail. This identifies the exact hop where the 'No route to host' occurs.

    bash 
    traceroute -n <destination_ip>
tracepath <destination_ip>
mtr --report <destination_ip>
    5

    Step 5: Audit Firewall and Security Groups

    Local firewall (iptables/nftables) or cloud security groups can block all traffic, including ICMP, causing EHOSTUNREACH.

    bash 
    sudo iptables -L -n -v
sudo nft list ruleset
# For AWS/GCP/Azure: Check Security Group/NSG/Firewall rules
    6

    Step 6: Check Kernel Parameters and ICMP

    Some networks or security policies filter ICMP 'Destination Unreachable' messages. Verify the kernel can send/receive them.

    bash 
    sysctl net.ipv4.icmp_echo_ignore_all
sysctl net.ipv4.conf.all.accept_redirects
# Ensure ICMP is not blocked upstream
    7

    Step 7: Add a Temporary Static Route (If Needed)

    If the route is missing, add it manually. This is a temporary fix; identify why the route wasn't learned automatically.

    bash 
    sudo ip route add <destination_network> via <gateway_ip> dev <interface>

    Architect's Pro Tip

    "In cloud environments (AWS, GCP), EHOSTUNREACH often points to a Security Group or VPC Route Table issue, not the local OS. Always check the cloud console first."

    Frequently Asked Questions

    What's the difference between EHOSTUNREACH and ENETUNREACH?

    EHOSTUNREACH means there's no route to a specific *host*. ENETUNREACH means there's no route to the entire destination *network*, often indicating a missing default gateway.

    Can a firewall cause EHOSTUNREACH?

    Yes. If a firewall on the source host, destination host, or an intermediate router is configured to drop *all* packets (including ICMP), it can manifest as EHOSTUNREACH.

    Why do I get EHOSTUNREACH even though the host is pingable?

    This indicates an asymmetric routing or policy-based routing issue. The return path for the ping (ICMP Echo Reply) may differ from the path your application's traffic is trying to use.

    Related Linux Guides

    502 Bad Gateway

    How to Fix 502 Bad Gateway in Nginx/Apache on Ubuntu 24.04
    502 Bad Gateway

    How to Fix 502 Bad Gateway in NGINX on Ubuntu 24.04 LTS
    ImagePullBackOff

    Kubernetes Troubleshooting Guide: Diagnosing ImagePullBackOff on Linux Nodes