Sporadic "no route to host" over ssh

When connecting to my M1 mac mini over ssh, certain programs are often unable to reach network destinations in the corporate LAN, although they can usually reach external addresses like www.apple.com. For example, a java program attempting to download from teamcity.dev.corp.com:8111 often fails like:

java.net.NoRouteToHostException: No route to host

Running the exact same command from the Apple Terminal program works like normal, simply connecting over ethernet on en0 to a TeamCity server inside the same building.

Basic diagnostics from the ssh session do not show anything unusual:

> traceroute teamcity.dev.corp.com
traceroute to teamcity.dev.corp.com (10.21.4.1), 64 hops max, 40 byte packets
 1  teamcity.dev.corp.com (10.21.4.1)  1.702 ms  0.409 ms  0.336 ms

> route -n get teamcity.dev.corp.com
   route to: 10.21.4.1
destination: 10.21.4.1
  interface: en0
      flags: <UP,HOST,DONE,LLINFO,WASCLONED,IFSCOPE,IFREF>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500      1194 

> uname -a
Darwin mac 25.1.0 Darwin Kernel Version 25.1.0: Mon Oct 20 19:32:47 PDT 2025; root:xnu-12377.41.6~2/RELEASE_ARM64_T8103 arm64

Similar problems occur in docker commands to a remote daemon ("no route to host" or "connection refused"):

docker -H tcp://<ip>:<port> ...

Most other programs are never affected by this problem. Are there other diagnostic steps that might reveal the cause?

Are the problematic networks considered to be local, per the definition in TN3179 Understanding local network privacy?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

(deleted)

It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits.

Regarding this:

it doesn't seem to be an issue with DenyMulticast

I don’t think multicast is a factor here, either for good or for ill. iOS has additional restrictions around multicast, but those do not apply on macOS.

this command always works for any user

When run how? From Terminal? If so, that’s not the evidence that you think it is. Quoting TN3179:

macOS automatically allows local network access by:

  • Any daemon started by launchd
  • Any program running as root
  • Command-line tools run from Terminal or over SSH, including any child processes they spawn

Based on the info you’ve provided so far, it really does sound you’re bumping into local network privacy issues. This is complicated by the fact that Unix-y programs tend to do things that confuse local network privacy, for example:

  • Common Unix-y techniques, like calling daemon (see the daemon man page), can break responsible code inference.
  • Such programs are often unsigned, or ad hoc signed.

What I recommend in cases like this is to run a diagnostic test using Xcode. That is:

  1. Create a tiny test app, starting with the macOS > App template.
  2. Make sure that app is signed with an Apple-issued code-signing identity. That is, in Xcode’s Signing & Capabilities editor, enable “Automatically manage signing”, select your team in the Team popup, and then select Development from the Signing Certificate popup.
  3. Add a button that makes an outgoing network connection to the target host and port.
  4. Run that app and click the button.

I suspect that:

  • The first time you run this, it’ll display the local network alert.
  • Assuming you agree to allow local network access, subsequent runs will connect without user intervention.

If so, this provides two useful factoids:

  • It confirms that this is actually a local network privacy issue.
  • And that local network privacy is working in general.

From there, we can look at why things are failing with the programs you actually care about.

OTOH, if this test doesn’t behave in the way I expect, that significantly undermines my local network privacy theory |-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
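The following is an added example of the test app described in the four steps above; it is not Quinn’s or Apple’s code. It assumes the Xcode macOS > App template with SwiftUI, and uses the host and port from the original post as the target (change those to whatever you are testing). The button opens one TCP connection with Network.framework and prints the errno-level reason when it does not connect, so a "No route to host" (EHOSTUNREACH) from the app can be compared directly with the NoRouteToHostException seen over ssh.

```swift
import SwiftUI
import Network
import Foundation

/// Makes one outgoing TCP connection and publishes a human-readable result.
/// Added example for the diagnostic app described in the thread; not Apple's code.
final class LocalNetworkProbe: ObservableObject {
    @Published var result = "not run yet"
    private var connection: NWConnection?

    func connect(host: String, port: UInt16) {
        guard let nwPort = NWEndpoint.Port(rawValue: port) else {
            result = "invalid port \(port)"
            return
        }
        // Cancel any previous attempt so each click is a fresh connection.
        connection?.cancel()
        let conn = NWConnection(host: NWEndpoint.Host(host), port: nwPort, using: .tcp)
        conn.stateUpdateHandler = { [weak self] state in
            guard let self else { return }
            switch state {
            case .ready:
                self.result = "connected to \(host):\(port)"
                conn.cancel()
            case .waiting(let error):
                // Network.framework parks an unreachable destination in .waiting
                // rather than .failed; this is where "No route to host" shows up.
                self.result = "waiting: " + Self.describe(error)
            case .failed(let error):
                self.result = "failed: " + Self.describe(error)
            default:
                break   // .setup, .preparing, .cancelled need no report
            }
        }
        connection = conn
        conn.start(queue: .main)   // handler runs on main, so @Published updates are safe
    }

    /// Map the NWError to the errno-level explanation a practitioner wants to see.
    static func describe(_ error: NWError) -> String {
        switch error {
        case .posix(let code) where code == .EHOSTUNREACH:
            // The symptom from the original post. If local network privacy is the
            // cause, the first run of a properly signed app should show the alert instead.
            return "EHOSTUNREACH (No route to host)"
        case .posix(let code) where code == .ECONNREFUSED:
            return "ECONNREFUSED: host reachable, nothing listening on that port"
        case .posix(let code):
            return "POSIX \(code.rawValue): \(String(cString: strerror(code.rawValue)))"
        case .dns(let code):
            return "DNS error \(code)"
        case .tls(let status):
            return "TLS error \(status)"
        @unknown default:
            return "unexpected error: \(error)"
        }
    }
}

struct ContentView: View {
    @StateObject private var probe = LocalNetworkProbe()
    // Target taken from the thread (assumption: the host/port you actually want to test).
    private let host = "teamcity.dev.corp.com"
    private let port: UInt16 = 8111

    var body: some View {
        VStack(alignment: .leading, spacing: 12) {
            Button("Connect to \(host):\(port)") {
                probe.connect(host: host, port: port)
            }
            Text(probe.result)
                .font(.system(.body, design: .monospaced))
                .textSelection(.enabled)
        }
        .padding()
        .frame(minWidth: 520)
    }
}

@main
struct LocalNetworkProbeApp: App {
    var body: some Scene {
        WindowGroup { ContentView() }
    }
}
```

Two checks before reading the result: the macOS App template enables App Sandbox, so the target also needs the Outgoing Connections (Client) capability (com.apple.security.network.client) or the connection fails for an unrelated reason; and, per the TN3179 list quoted above, launch the app from Xcode or the Finder rather than from a Terminal or ssh session, since a command-line launch would be allowed automatically and prove nothing.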
