ICMP: Destination Unreachable

The Destination Unreachable message indicates that a frame was discarded because it could not reach its ultimate destination. This could be the result of a router in the communications path that discarded the frame or, perhaps, the ultimate destination host computer did not have the resources to process the frame. Also, it may have been the case that the program that was being contacted was not available. This would be the case if a user tried to Telnet to a file server that didn’t support Telnet, or tried to mount an NFS file volume on a host that didn’t support NFS. This is the Destination Unreachable message. When a Destination Unreachable message is sent, it indicates that the sender could not reach the specified destination. This provides a wonderful troubleshooting opportunity. The point of failure identifies itself by sending the ICMP Destination Unreachable message.

There are six different reasons why a Destination Unreachable message may be sent. Three of them are common and very significant, three are much less common and not as significant. The reasons are:

  1. Network Unreachable
  2. Host Unreachable
  3. Port Unreachable
  4. Protocol Unreachable
  5. Fragmentation Needed and ‘Don’t Fragment’ bit set
  6. Source Route failed

Let’s talk about the three significant ones first. These are:

  • Network Unreachable – Sent by any router.
  • Host Unreachable – Sent by the last router in the path to an existing network.
  • Port Unreachable – Sent by the destination host on destination network.


“Network Unreachable

When a router sends a Network Unreachable message, it is saying that it has no way to reach the network/subnetwork as specified in the destination IP address in a frame. The destination is the locator portion of the address as calculated by using the address mask parameter configured in the router. Consequently the Network Unreachable message could be the result of a misconfigured mask value in the router. It could be as silly as a user specifying a non-existent network in the command line for an application. If you try to Telnet to when there is no network then you will end up with a Network Unreachable message from the router that finally figures it out. Remember that the frame will be forwarded from Default Gateway to Default Gateway until it figures out that it can’t forward it anywhere else. This last router will send the Destination Unreachable – Network Unreachable message. If a link is down or an interface failed (bad port) the networks that would be reached across the link or through the port are now unreachable (assuming there is no other way to reach them via some alternate path).

Summary: Network Unreachable

  1. Is the specified destination address a valid network?
  2. Is the link up from the router sending the Network Unreachable message?
  3. Is the port in the router configured with the correct address mask value?


Host Unreachable

When a router sends a Host Unreachable message it is telling you that it believed itself to be the router that was directly connected to the network on which the host was configured. That is, a frame is passed from originator to router, to router, to router, finally ending up at the last router in the path – the one that has the destination network attached to one of its ports. This last router then broadcasts an ARP frame onto the network looking for the data link (DLC) address of the host. The host should answer the ARP and the router can then forward the frame. If, however, the router ARP’s and receives no answer then it sends a Destination Unreachable – Host Unreachable message back to the originator. The significance of this is that a Host Unreachable message implies that the intervening communications infrastructure is working properly. The frame has been forwarded all the way through the interconnected network and has arrived successfully at the last router in the path. This router was able to successfully transmit an ARP command onto the correct network cable. The ARP simply wasn’t answered. The entire communications path, including the final interface and final network segment (or ring) was working properly. The host simply wasn’t there.

A Host Unreachable message could be the result of a user simply typing the wrong IP address. It could be that the host was down or otherwise off-line. It could be that there were a high number of physical errors on the destination network (but this is unlikely since the last router is able to send ARP commands). In any event, the next step in troubleshooting is to move your protocol analyzer to the last network (the one on which the host is located) and see what’s happening there.

Summary: Host Unreachable

  1. You are assured that the intervening communications infrastructure is working properly.
  2. Is the specified destination address the correct address for the host?
  3. Is the host currently on-line and active?
  4. Are there any physical problems on the destination network.


Port Unreachable

Unlike the Network Unreachable and Host Unreachable messages which come from routers, the Port Unreachable message comes from a host. The primary implication for troubleshooting is that the frame was successfully routed across the communications infrastructure, the last router ARP’ed for the host, got the response, and sent the frame. Furthermore, the intended destination host was on-line and willing to accept the frame into its communications buffer. The frame was then processed by, say, TCP or, perhaps UDP, RIP, OSPF, or some other protocol. The protocol (TCP or UDP) tried to send the data up to the destination port number (TCP or UDP port) and the port process didn’t exist. The protocol handler then reports Destination Unreachable – Port Unreachable.

One of the most common Port Unreachable errors occurs when an SNMP (Simple Network Management Protocol) console is polling a number of devices on the network. The console has been configured with a list of IP addresses to poll for the acquisition of network management data. The assumption is that each of those managed devices has been configured with an SNMP agent program assigned to a particular port number. One standard SNMP port number is 161. If you see a Port 161 Unreachable then you could reasonably assume that a console was polling a device which didn’t have an SNMP agent configured into it.

If you try to setup a NetBIOS connection (port 513) with a server that doesn’t support NetBIOS (hence, no 513 processing entity) you get a Port Unreachable. Mounting a file volume to a server that doesn’t support NFS results in the same.

When troubleshooting a Port Unreachable error it is necessary to know what is supposed to be at the indicated (unreachable) port. This may be as simple as looking up RFC 1700 (the well known number list) or as complicated as interacting with a vendors development team to figure out the operation of some proprietary application program that is using special port numbers.

One odd error that might be associated with a Port Unreachable message is seen when an otherwise normally operating conversation is interrupted by a Port Unreachable message. When you inspect the conversation you observe that the unreachable port was working without a problem. Frames were going to and from the port number when, suddenly – Port Unreachable. This is indicative of an overload condition or process priority configuration problem in the reporting host. The process in question was swapped out of memory and was not able to swap back in quickly enough to avoid the unreachable indication.

The nice thing about a Port Unreachable message is that it confirms proper operation of the intervening communications infrastructure and the presence of the destination host processor.

Summary: Port Unreachable

  • The host and the communications infrastructure are working properly.
  • The ICMP Port Unreachable message originates from a host, not a router.
  • The indicated port process was either not running or was swapped out. SNMP (Port 161) is a common port to be missing.
  • Find out what the port is used for and why it wasn’t available.


The Other ICMP Destination Unreachable Causes

These messages are rare so seeing one of them is cause for concern. Other than the three most common (and most significant) ICMP Destination Unreachable messages there are:

  • Protocol Unreachable
  • Fragmentation Needed and “Don’t Fragment” bit set
  • Source Route failed

A Protocol Unreachable message is the same as a Port Unreachable message except this time the Layer 3 processing entity was unable to locate the specified protocol. For example, an OSPF (Open Shortest Path First) frame was sent to a RIP (Routing Information Protocol) based router. Since the router doesn’t have any Layer 4 OSPF processor, the entire protocol is unreachable. It is necessary to examine the frames to see what protocol was being used in the frame sent to the reporting device. That device, for good or bad, simply didn’t support that protocol.

Remember, a Port Unreachable message says that the process that is using a Port in the Layer 4 protocol is missing, but the protocol itself is working. A Protocol Unreachable message says that a Layer 4 protocol is missing in its entirety.

If a router says that Fragmentation is Needed and the Don’t Fragment bit is set it means that the originating station has set the Don’t Fragment bit in the IP Flag field for some reason known only to the software in that originating station. As the frame moved through the communications infrastructure, it arrived at a router that needed to fragment the frame (probably because the frame was moving from an architecture with a large maximum frame size to an architecture with a smaller maximum frame size) but, because the bit was set to say “No”, fragmentation was not allowed. The frame was discarded and the ICMP message was returned to the originator.