This error indicates the SSH client cannot establish a network path to the remote host. It typically means the target server is unreachable due to network connectivity issues, firewall blocks, routing problems, or the host being offline.
The "No route to host" error occurs when the operating system's network stack cannot find a valid route to reach the destination IP address. Unlike "Connection refused" (which means the host is reachable but rejected the connection), "No route to host" means the networking layer cannot even reach the target machine. This can happen at various points in the network path: your local machine, intermediate routers, firewalls, or network configuration issues.
First, confirm if the target host is reachable at the network level:
ping -c 4 hostname.example.com
# or ping the IP directly
ping -c 4 192.168.1.100If ping fails with "No route to host" or "Destination unreachable", the problem is at the network layer, not SSH-specific. If ping succeeds, the issue may be SSH-specific (see next steps). If the hostname doesn't resolve, try the IP address directly.
Verify that the hostname resolves to the correct IP address:
nslookup hostname.example.com
# or
dig hostname.example.com
# or
getent hosts hostname.example.comIf the hostname doesn't resolve or resolves to an unexpected IP, update your DNS settings or /etc/hosts:
# Add entry to /etc/hosts if DNS isn't working
echo "192.168.1.100 hostname.example.com" | sudo tee -a /etc/hostsTry SSH again with the corrected hostname or by using the IP address directly.
On your local machine, verify that outbound traffic to port 22 is not blocked:
# Check UFW status (Ubuntu/Debian)
sudo ufw status
sudo ufw allow out 22/tcp
# Check iptables (generic Linux)
sudo iptables -L -n | grep 22
sudo iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
# Check macOS firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstateIf you see blocking rules, adjust them to allow SSH traffic (port 22) to your target host.
Check if your network interface is configured and has proper routing:
# View all network interfaces
ip addr
# or
ifconfig
# Check routing table
ip route
# or
route -n
# Verify default gateway is set
ip route | grep defaultIf you see "UNKNOWN" state or no default route, your network interface may not be properly configured. Restart networking:
# Ubuntu/Debian
sudo systemctl restart networking
# or
sudo systemctl restart systemd-networkd
# RHEL/CentOS
sudo systemctl restart networkConfirm the target server is actually powered on and accessible:
# Ping the target
ping -c 4 192.168.1.100
# Try telnet to port 22 (if available)
telnet 192.168.1.100 22
# Try netcat
nc -zv 192.168.1.100 22If all connectivity tests fail, the host may be offline. Check with the host administrator or try connecting later. If it's a cloud instance (AWS, GCP, Azure), verify it's running in the console.
If you have access to the target server or its firewall settings, verify SSH port 22 is open:
# On the target server, check if SSH daemon is listening
sudo netstat -tlnp | grep 22
# or
sudo ss -tlnp | grep 22
# Allow SSH through firewall
sudo ufw allow 22/tcp
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
# Restart SSH service if needed
sudo systemctl restart sshdEnsure SSH is enabled and firewall allows incoming port 22 traffic.
If basic connectivity works but SSH still fails, use verbose mode to see where it breaks:
ssh -vvv [email protected]The output will show exactly which stage fails. Look for lines showing:
- "Trying [IP]" - where it's attempting to connect
- "Connected to [IP]" - if it gets past routing
- "Authentications that can continue: publickey, password" - if it reaches SSH protocol stage
If it hangs at "Trying" stage, routing is the problem. If it connects but fails authentication, move to the authentication troubleshooting steps.
If the target host is on a private network, you may need VPN access:
# Check if VPN is active
ip route | grep -i vpn
# or check VPN status (depends on VPN client)
ifconfig | grep -i vpn
# Verify local network routes
ip route showIf the target is on a private network (10.x.x.x, 172.16.x.x, 192.168.x.x), you likely need:
- VPN connection
- Bastion/jump host
- SSH tunnel through an intermediate server
Connect to the VPN first, then attempt SSH again.
Advanced troubleshooting:
Routing via traceroute: If you suspect routing problems, use traceroute hostname to see where the connection fails. This shows each hop to the destination and can reveal where the path breaks.
IPv6 vs IPv4: Some systems have both IPv4 and IPv6 configured. If hostname resolves to IPv6 but your network doesn't support it, SSH will fail. Try ssh -4 user@hostname to force IPv4 only.
Cloud Security Groups: AWS, GCP, and Azure have security group/firewall layers separate from the OS firewall. Check:
- AWS EC2: Security Group inbound rules must allow port 22
- Azure NSG: Inbound rule for SSH must allow source IP or range
- GCP: Firewall rule must allow ingress on TCP 22
Kubernetes/Containers: If connecting to Kubernetes pods or containers, you may need to use kubectl port-forward instead of direct SSH.
SSH through Jump Host: If direct connection isn't possible, use SSH jump hosts:
Debug at kernel level: For very stubborn issues, enable kernel-level packet capture:
sudo tcpdump -i any -n 'tcp port 22'This shows if packets are even reaching your interface.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH