Knowledge Base

All hops show 100% packet loss


When I try to trace to a destination with PingPlotter, and I get "Destination Address Unreachable" at hop #1. How do I correct this situation?


With the advent of internet security threats, many firewalls lock down all outgoing network traffic. This is especially true for software firewalls.

If you're seeing "Destination Address Unreachable" at hop 1, are unable to collect any network data, or receiving an error message in PingPlotter above the graph, you might have some kind of network firewall software installed on your computer. Some examples of this are Zone Alarm, Norton Internet Security, or some other product with the name "Security" or "Firewall" in the title. Microsoft also provides a built-in firewall with newer versions of Windows called "Internet Connection Firewall," and this can be configured to block ICMP as well.

It may also be that some other piece of software was installed that added a firewall to your system. If you're using a VPN to connect to your company, there are some VPN packages that will install a firewall, one notable example of this is the AT&T Network Client.

Many of these firewalls use "by application" network blocking. In this type of firewall, you need to flag specific applications that you want to give access to the internet. Since our tools are network monitoring tools, they do need access to the network. If you're using a firewall of this type (ZoneAlarm is one of the most popular), go into that application to allow PingPlotter to have network access.

If PingPlotter or MultiPing worked fine before you updated to a new version of PingPlotter or MultiPing, then it may be that your firewall software blocks access by program and version. ZoneAlarm is one firewall product that does this. Usually, you'll get prompted when you first run the new version, but in some cases, you may not (or you may be used to saying "no, don't allow access"). In this case, you'll need to go to your firewall software and explicitly allow access to the right version of PingPlotter - or tell your firewall software not to worry about the version number and just always allow access (in ZoneAlarm, this is the "Changes Frequently" option).

If you're using a generic "block certain kinds of network traffic" firewall, you'll need to configure that to allow ICMP echo requests, ICMP echo replies, ICMP TTL Expired and ICMP TTL Destination Unreachable to pass through your firewall. The options for doing this differ between brands of firewall software, but some firewall vendors address this in their online help or knowledgebases.

In some case, you may need to disable the network firewall to allow PingPlotter (and similar applications like "PING" and "TRACERT") to work. Often, you might start out by completely disabling the firewall for a short period of time to verify the firewall is the thing blocking PingPlotter. Once you determine this is the cuplrit, re-enable the firewall and search for settings that allow PingPlotter to work.

Here are a few specific solutions for firewalls that have been known to inhibit PingPlotter results:

  • If you have a Cisco ASA Firewall, you may need to add an inbound Allow ACL. You can find some background information on how to do this here.
  • If you have a FortiGate Firewall, you may need to create a simple "Permit ICMP Any" ACL. Consult your command manual for information on correct syntax.

Article Rating (29 Votes)

Rate this article

Article Info

Article Number: 27 | Last Updated: July 30, 2018

This article has been viewed 38519 times since May 8, 2004

Filed Under: Usage


There are no attachments for this article.