Ping Troubleshooting on Cisco IOS

This topic is to discuss the following lesson:

Hello Rene ,

I have below doubt regarding ICMP error codes as below for type 3:

  • 0 - Destination network unreachable
  • 1 - Destination host unreachable
  • 6 - Destination network unknown
  • 7 - Destination host unknown

These all seem to be same. Can you please differentiate all code values and for which scenario each one is generated?

Thank You!!

Regards,
Sameer

Hi Sameer,

The RFC has a detailed explanation for these error codes. Sometimes these are hard to find but here’s a good example:

https://tools.ietf.org/html/rfc1812#page-81

0 = Network Unreachable - generated by a router if a forwarding path (route) to the destination network is not available;

1 = Host Unreachable - generated by a router if a forwarding path (route) to the destination host on a directly connected network is not available (does not respond to ARP);

6 = Destination Network Unknown - This code SHOULD NOT be generated since it would imply on the part of the router that the destination network does not exist (net unreachable code 0 SHOULD be used in place of code 6);

7 = Destination Host Unknown - generated only when a router can determine (from link layer advice) that the destination host does not exist;

I did some testing and on Cisco IOS, I only see Type 3 Code 1…nothing else. For example, you can test this with a simple setup. Something like this:

H1 - R1

On H1, configure R1 as a default gateway.

  • If you ping a destination that R1 doesn’t have a route for, I would expect a type 3 code 0 but in reality, I get a type 3 code 1 in return.
  • If you ping a destination that R1 has a directly connected network for but it doesn’t get an ARP reply, the RFC says that the router should return type 3 code 1 but in reality, it doesn’t return anything.

Even though these codes exist, it doesn’t mean that they are always implemented and implemented in the same way on all different vendor devices :slight_smile:

Hope this helps!

Rene

1 Like

Hi Rene ,

Thank you!! , I tested to get these codes but only seen “Type 3 Code 1” ,may be these are not implemented thank you for details hints .

Regards,
Sameer.

1 Like

can someone please explain detailed working of Ping and Traceroute

Hello Raunak

Take a look at these two lessons that describe these utilities in depth:


If you have any further questions, let us know!

Laz

Hi Team,
Would you please confirm while during ping to telnet or FTP server and that external machine is unreachable somehow .Is it reply back to sender by showing destination machine is unreachable like wise as through ICMP protocal the destination machine will reverted back to sender host about the unreachablity issue and I generally observed in real scenerio that message .Will it reflect any pop up to sender if the Receiver end is telnet or ftp server .
Please share your point of view with real application snapshot to find the difference.
Thanks
Shivam Chaudhary

Hello Shivam

If you use ping to attempt to see if a particular server (FTP, Telnet, or whatever else) is reachable, and you get “destination host unreachable” this is actually a response from a router along the path of the ping, and not from the destination host itself. For example, take a look at the same topology as that from the lesson:


Imagine that H1 is trying to ping 192.168.2.55. Note that this host does not exist in this topology. So what will happen?

  • H1 will send the ping to 192.168.2.55 to the default gateway which is R1
  • R1 will see that it has a routing table entry for the destination IP and will send it to R2, which is the next hop router
  • R2 sees that the destination address is on a subnet directly connected to Gi0/1 so it prepares to send it out.
  • It will send an ARP request for the MAC address of the host to which the 192.168.2.55 address belongs, but it will get no answer, because the host doesn’t exist.
  • R2 sends an ICMP response back to the original sender (H1) with a response code of “1” which is “host unreachable”
  • H1 receives the response and outputs the “host unreachable” statement.

You see here that the ICMP echo request is responded to, but not by the destination, but by a router along the path. You can also get the “destination host unreachable” response if the default gateway of H1 is not configured correctly.

The “request timed out” message will appear when no ICMP responses come from any host during an ICMP echo request.

Now on the Internet, you will find that many routers are configured not to respond to ICMP packets of any type, in order to conserve CPU and memory resources. For this reason, the most common response you’ll get when pinging on the Internet is “request timed out.” Even if a
router determines that the “destination host is unreachable” it won’t inform you in most cases.

I hope this has been helpful!

Laz

1 Like

Hi laz ,
I have a question when icmp response back with type code 3 ?
and if i m telnet or ssh the external machine and that was unreachable or unavailable , so what message they responed back to sender ?

Hello Shivam

If you have connected to another device remotely, using Telnet or SSH, and you initiate a ping from the Telnet/SSH command line to, say a web server on the Internet, then the ping that takes place is between the Telnet/SSH device and the web server. If you receive an echo reply with a Type of 3, then this means that some router between the Telnet/SSH device and the web server determines that the specific IP address does not exist, so it will send an ICMP echo reply with Type 3, stating that the device is unreachable.

Remember, that the ping in this case takes place from the point of view of the Telnet/SSH device, and not from your local PC.

I hope this has been helpful!

Laz

1 Like

Hi Laz ,
Suppose in above figure if somehow the destination network is not present in the routing table of R1 then what R1 behave ?
How can we relate that the destination unreachable message is with type 1 and 3 .I think both of type have different meaning .
Could u please share the snap for reference of both type code and ssh/ Telnet .
I think router don’t send back destination unreachable message in case of ssh / telnet the remote server (If static route not configured as above figure )
Rgds
Shivam Chahal

Hello Shivam

First of all, ICMP echo requests have type designations and code sub-designations. Type 3 means “Destination Unreachable”. This type has 16 code sub-designations from 0 to 15. When you refer to type 1 and 3 I believe you mean code 1 and 3 within the Destination Unreachable Type 3, correct?

In the above figure, If H1 sends a ping to H2, but R1 does not have a route to that destination, then R1 will reply with a Type 3 Code 0 “Destination Network Unreachable” response.

Yes, these do have different meanings, but they are clearly stated in RFC 1812. Some notable codes for Type 3 responses are:

0 = Network Unreachable - generated by a router if a forwarding path
(route) to the destination network is not available;

1 = Host Unreachable - generated by a router if a forwarding path
(route) to the destination host on a directly connected network
is not available (does not respond to ARP);

2 = Protocol Unreachable - generated if the transport protocol
designated in a datagram is not supported in the transport layer
of the final destination;

3 = Port Unreachable - generated if the designated transport protocol
(e.g., UDP) is unable to demultiplex the datagram in the
transport layer of the final destination but has no protocol
mechanism to inform the sender;

I’m not sure how Telnet and SSH are involved in the procedure of ICMP echo request and replies. Can you clarify what you mean with this? Thank you!

I hope this has been helpful!

Laz

Hi,
I have a question i want to ping 10.156.X.X/29 from my Remote desktop but it’s not pinging. but the gateway 10.156.X.X is pinging from Remote desktop .what would be the problem.Do i need to configure access list. Please help me on this .
Note- Remote desktop ip is 172.26.X.X
Can i execute this command in my cisco router permit ip 172.26.X.X 0.0.0.7 10.156.X.X 255.255.255.248

Thanks

Hello Sai

There can be many reasons for which a ping fails. One is access lists. Another could be that the host you are pinging is configured not to respond to pings. If you can’t ping 10.159.X.X but you can ping the gateway of that subnet seems to indicate that either that host is indeed down, is misconfigured, or is simply configured not to respond to pings.

Before you check the network, check to see that the host is alive and that no firewall or other feature is preventing it from responding. Once you check that, then you should begin troubleshooting by pinging from various other locations, like from the 10.156.X.X gateway to the host.

Hopefully this will give you some more insight to continue your troubleshooting.

I hope this has been helpful!

Laz

For the ping codes 0 and 1 seem pretty straight forward but on a ccna practice test I see that for code 2 they say the answer is beyond scope of source address and for code 3: address unreachable and code 4: port unreachable Is this accurate as I have seen it explained differently in wikipedia on ping?

Hello Daniel

When in doubt it’s always best to go back to the RFC. Take a look at this post to see the definitions as stated by RFC 1812

I hope this has been helpful!

Laz

R1#ping 192.168.2.2 source 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
.....
Success rate is 0 percent (0/5)

This ping is failing but it does tell us a lot. We know that R1 is able to reach H2, we also know that H1 can reach external networks. There are two options left:

R2 doesn’t know how to reach the 192.168.1.0 network.
R2 is filtering traffic from network 192.168.1.0.

I guess there is a third option:
H2 doesn’t have a default gateway configured

Hello Giacomo

Yes, you are correct. However, that statement is contained within the first option that Rene states:

R2 doesn’t know how to reach the 192.168.1.0/24 network.

This means that the routing table of R2 doesn’t have any statements matching this network, including a default gateway.

But it is good and important that you pointed this out!

I hope this has been helpful!

Laz

Can these two computers ping each other? Or do they need to go through a layer 3 device? Please explain whatever your reasoning is.

Computer 1 (192.168.1.5/24) <---------> Computer 2 (192.168.1.15/27)

Hello Animesh

The short answer is yes, they can ping each other. The long answer will need some explaining.

First of all, if two hosts are on the same network segment/VLAN/layer 2 domain, they will be able to ping each other as long as their IP addresses are in the same subnet. So if computer 1 has an IP address of 192.168.1.5/24 and computer 2 had an address of 192.168.1.15/24, then no question, they can ping each other. Because they are in the same subnet, they do not require an intervening router to route traffic from one subnet to the other.

Now in your case, computer 2 has a different subnet mask of /27. How will that affect the ping? Well, when a host gets ready to send a packet to a particular IP address, it first checks to see if the destination IP of that packet is in its own subnet. Here’s the process:

  1. Computer 1 sees a destination IP of 192.168.1.15. It checks its own IP and subnet mask combination of 192.168.1.5/24 which gives a subnet range of 192.168.1.0 to 192.168.1.255. Is the destination in that range? Yes. So we don’t send the packet to the default gateway, but we send it directly to the destination IP address. We do an ARP lookup, determine the MAC of the destination host, and encapsulate and send it on its way.
  2. Computer 2 receives the packet and sees it is a ping echo request. It prepares a packet to send back to 192.168.1.5. It checks its own IP and subnet mask combination of 192.168.1.15/27 which gives a subnet range of 192.168.1.0 to 192.168.1.31. Since the destination is in that range, there is no need to send it to the default gateway, so it simply sends it directly to the destination, doing an ARP request to get the MAC address of the destination host, encapsulating, and sending it on its way.

Now, this worked, however, using a different subnet mask can introduce problems. What if Computer 2 had an address of 192.168.1.35/27? If that was the case, it would try to send an echo reply to 192.168.1.5. And when it checks its own IP and subnet mask combination, it will see that its own subnet has a range of IP addresses from 192.168.1.32 to 192.168.1.63. That means that 192.168.1.5 is outside of its own subnet, so it will send the packet to the default gateway configured in its IP parameters. This would result in a breakdown of communications. For this reason, all hosts on a particular network segment must have the same subnet mask for communication to work correctly.

I hope this has been helpful!

Laz