Linux Error: Destination Host Unreachable — Cause, Fix, and Troubleshooting Guide
How to fix the Linux 'Destination Host Unreachable' ping error: diagnose ARP failures, wrong gateways, subnet mask mistakes, and firewall drops on the same LAN.
- #linux
- #troubleshooting
- #networking
Summary
Destination Host Unreachable is an ICMP message (type 3, code 1) that ping prints when a router — or your own host — cannot deliver the packet to the final target on the local link. Most often it means an ARP resolution failure: the host has a route to the destination’s subnet but gets no MAC address for the next hop. Crucially, the reply usually comes From a specific IP, and that address tells you which device gave up.
Common Symptoms
pingprintsFrom 192.168.1.1 icmp_seq=1 Destination Host Unreachable.- Some hosts on the LAN respond, others report unreachable.
- A newly added host is unreachable until its ARP entry populates.
ip neighshows the target inFAILEDorINCOMPLETEstate.
Most Likely Causes of the ‘Destination Host Unreachable’ Error
The common production causes of the Destination Host Unreachable error:
- ARP resolution failed — the target IP has no live host answering ARP (host down, wrong IP, or unplugged), so the last-hop router/host cannot build the frame.
- Wrong subnet mask — the host thinks the target is on-link when it is not (or vice versa), so it ARPs on the wrong segment.
- Gateway can’t reach the target’s segment — the
Fromaddress is your gateway, which itself has no route/ARP to the destination. - Firewall/switch port security dropping ARP — the target replies but the reply is filtered.
- Duplicate or stale ARP entry — a cached MAC points at a device that has since moved or gone away.
Quick Triage
# Ping and note the 'From' address in the reply
ping -c3 192.168.1.50
# Who does the kernel think the next hop is?
ip route get 192.168.1.50
# Is there a valid ARP/neighbor entry for the target?
ip neigh show 192.168.1.50
If the From address is your own default gateway, the router could not reach the target’s segment. If it is your own host’s IP, your box could not ARP the target on-link.
Diagnostic Commands
# Routing decision + source interface for the target
ip route get 192.168.1.50
# Neighbor (ARP) table — look for FAILED / INCOMPLETE
ip neigh show
ip neigh show dev eth0
# Interface addresses and subnet mask (prefix length)
ip -br addr
# Force a fresh ARP by deleting the stale entry, then ping
sudo ip neigh del 192.168.1.50 dev eth0
ping -c2 192.168.1.50
ip neigh show 192.168.1.50
# Confirm link/carrier is actually up
ethtool eth0 | grep -E 'Link detected'
ip neigh show in state FAILED next to the target IP is the smoking gun: the host is asking “who has this IP?” and getting no answer.
Fix / Remediation
-
Confirm the target host is actually up and using the expected IP:
ip route get 192.168.1.50 ping -c2 -b 192.168.1.255 # broadcast ping the subnet (if permitted) -
Fix an incorrect subnet mask so on-link/off-link decisions are right. Temporary:
sudo ip addr flush dev eth0 sudo ip addr add 192.168.1.10/24 dev eth0Persist on Ubuntu/Debian via netplan (
addresses: [192.168.1.10/24]) thensudo netplan apply; on RHEL/Rocky viasudo nmcli con mod eth0 ipv4.addresses 192.168.1.10/24 && sudo nmcli con up eth0. -
Clear a stale ARP entry pointing at a moved/removed device:
sudo ip neigh flush dev eth0 -
Fix the gateway’s routing if the
Fromaddress was the router — the target’s segment needs a route on that router. -
Check firewall/switch port security on both the target and any intermediate device for ARP or ICMP drops:
sudo nft list ruleset 2>/dev/null | grep -i drop sudo iptables -L -n -v | grep -i drop
Warning:
ip addr flush dev eth0on a remote host drops all addresses on that NIC and will disconnect your SSH session. Run it only from console/IPMI or wrap add/flush in a single scripted command with a rollback timer.
Validation
ip neigh show 192.168.1.50 # should show state REACHABLE with a MAC
ping -c3 192.168.1.50 # clean replies, no 'Destination Host Unreachable'
A REACHABLE neighbor entry with a real MAC address plus clean ping replies confirms the fix.
Prevention
- Standardize subnet masks across the LAN in your netplan/NetworkManager config to avoid on-link miscalculations.
- Use DHCP reservations or IPAM so IPs are unique and hosts answer ARP on the expected address.
- Monitor for
FAILEDneighbor entries on gateways and critical hosts. - Keep switch port-security and MAC-filtering rules documented so they are not mistaken for network faults.
Related Errors
Final Notes
Destination Host Unreachable almost always means ARP could not resolve the target’s MAC on the local link. Read the From address in the ping reply to learn who gave up — your own host (an on-link ARP failure) or the gateway (a downstream routing problem) — then check ip neigh for a FAILED entry. Fix the mask, clear stale ARP, or bring the target host back, and the ICMP unreachable stops.
Want faster Linux incident response? Use DevOps AI Toolkit to turn production errors into clear diagnostics, remediation steps, and reusable runbooks.
Download the Free 500-Prompt DevOps AI Toolkit
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.