Path is not reachable Request not valid codes

VPC Reachability Analyzer explanation codes

If a destination is not reachable, Reachability Analyzer provides one or more explanation codes to help you diagnose and address network misconfiguration.

Contents

Path is not reachable
Request not valid codes

Path is not reachable

If you receive one of these explanation codes, the path analysis determined that the path is not reachable.

BAD_STATE: This component is not in a functional state.
BAD_STATE_ATTACHMENT: The attachment between these components is not in a functional state.
BAD_STATE_ROUTE: This route is not in a functional state.
BAD_STATE_VPN: This VPN connection is not in a functional state.
CANNOT_ROUTE: This route can't transmit traffic because its destination CIDR or prefix list does not match the destination address of the packet.
COMPONENT_FILTER_RESTRICTION: The source, destination, or intermediate components specified for the path prevent some components from being used.
ELB_ACL_RESTRICTION: Classic Load Balancers apply network ACLs to outbound traffic, even if it's destined for a target in the same subnet as the load balancer.
ELB_INSTALLED_AZ_RESTRICTION: This load balancer can send traffic only to targets in Availability Zones that are enabled for the load balancer.
ELB_LISTENER_PORT_RESTRICTION: This Classic Load Balancer listener allows only inbound traffic destined for the specified port, and outbound traffic with the specified destination port.
ELB_LISTENERS_MISMATCH: This Classic Load Balancer does not have a listener that accepts the traffic.
ELB_NOT_CROSSZONE: This load balancer can't send traffic to some targets because cross-zone load balancing is disabled.
ELBV2_LISTENER_HAS_NO_TG: This listener is associated with target groups that have no targets.
ELBV2_LISTENER_PORT_RESTRICTION: This listener does not accept traffic unless it has the specified destination port.
ELBV2_LISTENER_REQUIRES_TG_ACCEPT: This listener does not have a target group that accepts the traffic.
ELBV2_LISTENERS_MISMATCH: This load balancer does not have a listener that accepts the traffic.
ELBV2_SOURCE_ADDRESS_PRESERVATION: If source address preservation is enabled, the outgoing source address is unaltered while traversing the Network Load Balancer.
ENI_ADDRESS_RESTRICTION: This network interface does not allow inbound or outbound traffic unless the source or destination address matches its private IP address.
ENI_SG_RULES_MISMATCH: This security group has no inbound or outbound rules that apply.
ENI_SOURCE_DEST_CHECK_RESTRICTION: Network interfaces with source/destination check enabled reject inbound traffic if the destination address does not match one of its private IP addresses, and reject outbound traffic if the source address does not match one of their private IP addresses.
GATEWAY_REJECTS_SPOOFED_TRAFFIC: Gateways reject traffic from network interfaces if the source IP address is not a public IP address associated with the network interface.
GATEWAY_REQUIRES_ENI_WITH_PUBLIC_IP: The gateway drops traffic unless the network interface has a private IP address with an associated public IP address.
HIGHER_PRIORITY_ROUTE: This route table contains a route to the destination that cannot be used because there is a higher priority route with the same destination CIDR.
IGW_DESTINATION_ADDRESS_IN_VPC_CIDRS: Internet gateways accept traffic only if the destination address is within the VPC CIDR block.
IGW_DESTINATION_ADDRESS_NOT_IN_RFC1918_EGRESS: Internet gateways reject outbound traffic with destination addresses in the private IP address range (see RFC1918).
IGW_NAT_REFLECTION: Internet gateways do not model NAT reflection. Without NAT reflection, traffic originating in a VPC and destined for the public IP address of an instance in the same VPC cannot be redirected back to the VPC.
IGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS: Internet gateways reject inbound traffic with a destination address that is not the public IP address of a network interface in the VPC.
IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS: Traffic cannot reach the internet through the internet gateway if the source address is not paired with a public IP address.
IGW_SOURCE_ADDRESS_NOT_IN_RFC1918_INGRESS: Internet gateways reject inbound traffic with source addresses in the private IP address range (see RFC1918).
INGRESS_RTB_NO_PUBLIC_IP: A middlebox appliance can't receive traffic from the internet through an ingress route table if it does not have a public IP address.
INGRESS_RTB_NO_ROUTE_TO_GATEWAY: Bidirectional traffic between the gateway and the middlebox appliance requires a route to the gateway in the route table for the subnet of the middlebox appliance.
INGRESS_RTB_TRAFFIC_REDIRECTION: Subnets whose traffic is redirected to a middlebox appliance can't use a direct route to the internet gateway even when the subnet route table provides one.
MORE_SPECIFIC_ROUTE: The specified route can't be used to transmit traffic because there is a more specific route that matches.
NGW_DEST_ADDRESS_PRESERVATION: NAT gateways do not alter destination addresses.
NGW_REQUIRES_SOURCE_IN_VPC: NAT gateways can only transmit traffic that originates from network interfaces within the same VPC. NAT gateways cannot transmit traffic that originates from peering connections, VPN connections, or AWS Direct Connect.
NGW_SOURCE_ADDRESS_REASSIGN: NAT gateways transform the source's addresses in outbound traffic to match its private IP address.
NO_ROUTE_TO_DESTINATION: The route table does not have an applicable route to the destination resource.
PATH_THROUGH_TGW_UNSUPPORTED: Reachability Analyzer does not support transit gateways as intermediate components, only as a source or destination. Use Route Analyzer instead.
PCX_REQUIRES_ADDRESS_IN_VPC_CIDR: Traffic can traverse this peering connection only if the destination or source address is within the CIDR block of the destination VPC.
PROTOCOL_RESTRICTION: This component only accepts traffic with specific protocols.
REMAP_EPHEMERAL_PORT: Outbound traffic from a NAT gateway or load balancer has the source port remapped to an ephemeral port in the range [1024–65535].
RTB_ACL_ROUTE_RESTRICTION: Packets using routes to network interfaces (or to components with attached network interfaces) must be allowed by the ACL of the network interface subnet.
RTB_ACL_SUBNET_RESTRICTION: This network ACL does not allow traffic, so traffic cannot ingress from the route table to a destination subnet.
SG_HAS_NO_RULES: This security group has no inbound or outbound rules.
SUBNET_ACL_RESTRICTION: Inbound or outbound traffic for a subnet must be admitted by the network ACL for the subnet.
TARGET_ADDRESS_RESTRICTION: This target group can only emit packets that are destined for the target address.
TARGET_PORT_RESTRICTION: This target group can only route traffic that's destined for the target port.
TGW_ATTACH_VPC_AZ_RESTRICTION: Traffic from a VPC attachment in the default mode cannot be forwarded to the network interface in this Availability Zone because it comes from an Availability Zone where the attachment has a different network interface. Traffic from a VPC attachment in appliance mode cannot be forwarded to the network interface in this Availability Zone because on the forward path it used a different Availability Zone.
TGW_BAD_STATE_VPN: This VPN connections is in a non-functional state.
TGW_RESPONSE_PATH_UNSUPPORTED: Analyzing response traffic through a transit gateway is not supported. Change the protocol from TCP to UDP.
TGW_ROUTE_AZ_RESTRICTION: This transit gateway is not registered in the Availability Zone where the traffic originates.
TGW_RTB_BAD_STATE_ROUTE: This transit gateway route table has a route to the destination that is in a bad state.
TGW_RTB_CANNOT_ROUTE: This transit gateway route table has a route to the intended destination, but the route does not match the package destination address.
TGW_RTB_HIGHER_PRIORITY_ROUTE: This transit gateway route table contains a route to the intended destination that cannot be used because there is a higher-priority route with the same destination CIDR.
TGW_RTB_MORE_SPECIFIC_ROUTE: This transit gateway route table has a route to the destination, but there is a more specific route.
TGW_RTB_NO_ROUTE_TO_TGW_ATTACHMENT: This transit gateway route table has no route to this transit gateway attachment.
TGW_RTB_ROUTES_ARE_UNKNOWN: The routes of this transit gateway route table are not known. This might be due to an internal error or because the transit gateway route table does not belong to the account running the analysis.
UNKNOWN_PEERED_SGS: One of the VPCs in the VPC peering connection is unknown. This is typically because the VPC is in a different account. Access controls referencing security groups are treated as inaccessible and deny traffic crossing this peering connection.
VGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS: Virtual private gateways can't accept inbound traffic if the destination address is not the private IP address of a component in the VPC.
VPC_LOCAL_ROUTE_CIDR_RESTRICTION: Local routes apply only to packets with a destination address within the VPC CIDR block.
VPCE_GATEWAY_EGRESS_SOURCE_ADDRESS_RESTRICTION: VPC gateway endpoints emit only traffic with source addresses within the CIDRs of their corresponding prefix lists.
VPCE_GATEWAY_PROTOCOL_RESTRICTION: VPC gateway endpoints accept only TCP or ICMP ECHO traffic, and emit only TCP or ICMP ECHO reply traffic.

Request not valid codes

If you receive one of these explanation codes, the specified request is not valid and no path is possible.

DISCONNECTED_VPCS: The source and destination are in separate VPCs with no peering connection.
NO_PATH: There is no path from the source to the destination.
NO_SOURCE_OR_DESTINATION: The source or destination resource does not exist.
UNASSOCIATED_COMPONENT: The component is not associated with any VPC in your account.
UNSUPPORTED_COMPONENT: This component is not supported by Reachability Analyzer.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Getting started using the CLI

Identity and access management