Skip to content
DevOps AI ToolKit
Newsletter
All guides
AI for Linux Admins By James Joyner IV · · 10 min read

Linux Error: No route to host — Cause, Fix, and Troubleshooting Guide

How to fix the Linux 'No route to host' error (EHOSTUNREACH): diagnose missing routes, firewall REJECTs, ARP failures and down interfaces with ip route and ss.

  • #linux
  • #troubleshooting
  • #networking
  • #routing

Summary

No route to host is errno EHOSTUNREACH (113): the kernel determined it cannot deliver a packet to the destination host and failed immediately. It differs from Network is unreachable (no route to the whole subnet) and from Connection timed out (packets sent but dropped silently). EHOSTUNREACH is usually local and fast — a missing route, a firewall REJECT with an ICMP host-unreachable, a down interface, or an ARP failure on the local segment.

Common Symptoms

  • The error appears almost instantly (not after a long timeout).
  • One host is unreachable while others on the same or different subnets work.
  • Follows an interface, IP, VLAN, or routing change.
  • ping <host> returns Destination Host Unreachable from your own host or the gateway.

Most Likely Causes of the ‘No route to host’ Error

  1. Firewall REJECT with icmp-host-unreachable — an iptables/nftables/firewalld rule actively rejects the traffic (very common; looks like a routing issue but is a firewall).
  2. Missing or wrong route — no route to the destination host and no usable default gateway.
  3. Interface down or misconfigured — the egress NIC is down or has the wrong IP/mask.
  4. ARP failure on the local subnet — the target IP does not answer ARP (host down, wrong VLAN, or wrong subnet mask).
  5. Gateway down or unreachable — the next hop itself is offline.
  6. Wrong subnet mask making an on-link host look off-link (or vice versa).

Quick Triage

# Instant failure = EHOSTUNREACH (local), long hang = timeout (dropped)
time curl -v --connect-timeout 5 http://<host>:<port>/

# What route (if any) does the kernel choose for this destination?
ip route get <host-ip>

# Is the egress interface up?
ip -br addr

Diagnostic Commands

# The single most useful command: which route/iface/source the kernel picks
ip route get <host-ip>

# Full routing table and default gateway
ip route
ip route show default

# Interface/link state and addresses
ip -br addr
ip -br link

# ICMP probe — 'Destination Host Unreachable' confirms EHOSTUNREACH
ping -c3 <host-ip>

# ARP: is the on-link host/gateway resolving to a MAC?
ip neigh show
ip neigh show <gateway-ip>          # FAILED/INCOMPLETE = ARP problem

# Firewall REJECT rules that emit host-unreachable
sudo iptables -S | grep -iE 'reject|host-unreach'
sudo nft list ruleset 2>/dev/null | grep -i reject
sudo firewall-cmd --list-all         # RHEL/Rocky
sudo ufw status verbose              # Ubuntu/Debian

# Confirm it is not a service/port issue (those need routing to work first)
nc -vz -w 5 <host> <port>

# DNS is not the cause here, but verify you target the right IP
getent hosts <host>

ip route get <host-ip> is the fastest triage: it prints the chosen route, interface, and source IP, or an error if no route exists.

Fix / Remediation

  1. Remove/fix the offending firewall REJECT rule (often the real cause):

    sudo iptables -S | grep -i reject          # find the rule
    # RHEL/Rocky firewalld:
    sudo firewall-cmd --add-port=<port>/tcp --permanent && sudo firewall-cmd --reload
    # Ubuntu ufw:
    sudo ufw allow to <host-ip> port <port> proto tcp
  2. Add or repair the route / default gateway:

    ip route get <host-ip>
    sudo ip route add <net>/<mask> via <gateway> dev <iface>
    sudo ip route add default via <gateway> dev <iface>     # if no default route

    Make it persistent — Netplan on Ubuntu (/etc/netplan/*.yaml), or NetworkManager on RHEL/Rocky:

    sudo nmcli con mod "<CONN>" +ipv4.routes "<net>/<mask> <gateway>"
    sudo nmcli con up "<CONN>"

    Warning: Changing routes or the default gateway on a remote host can drop your SSH connection instantly. Keep console access, or apply the change with an auto-reverting timer, before touching routing.

  3. Bring the interface up / fix its addressing if ip -br link shows it DOWN:

    sudo ip link set <iface> up
    sudo ip addr add <ip>/<mask> dev <iface>     # if the mask/IP was wrong
  4. Fix ARP/L2 issues — if ip neigh shows FAILED for an on-link host, verify VLAN, subnet mask, and that the target is actually up; flush a stale entry:

    sudo ip neigh flush dev <iface>
    ping -c3 <host-ip>
  5. Correct the subnet mask if an on-link host is being routed via the gateway (or vice versa).

Validation

ip route get <host-ip>                        # returns a route, no error
ping -c3 <host-ip>                             # replies, no 'Host Unreachable'
nc -vz -w 5 <host> <port>                      # port now reachable

Prevention

  • Manage routes and gateways declaratively (Netplan / NetworkManager / IaC) so ad hoc ip route changes do not drift or vanish on reboot.
  • Audit firewall REJECT rules — prefer explicit, documented rules and avoid blanket reject-with icmp-host-unreachable.
  • Monitor interface link state and default-route presence; alert when a NIC goes DOWN or the default route disappears.
  • Validate subnet masks and VLAN assignments in provisioning to prevent on-link/off-link mismatches.

Final Notes

No route to host fails fast and is almost always local: a missing route, a down interface, an ARP failure, or — most deceptively — a firewall REJECT dressed up as a routing error. Start with ip route get, check ip neigh and interface state, then rule out firewall REJECTs before blaming the network.

Want faster Linux incident response? Use DevOps AI Toolkit to turn production errors into clear diagnostics, remediation steps, and reusable runbooks.

Free download · 368-page PDF

Download the Free 500-Prompt DevOps AI Toolkit

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.