When analyzing network paths, traceroute remains the go-to diagnostic tool. However, encountering "!Z" or "!X" responses often leaves engineers scratching their heads. These codes represent specific ICMP message types that reveal crucial information about network behavior.
Here's what these codes actually signify:
!X - Communication Administratively Prohibited (Type 3, Code 13) !Z - Communication Prohibited by Filtering (Type 3, Code 10)
Consider this traceroute snippet showing firewall interference:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets 1 192.168.1.1 1.234 ms 1.123 ms 0.987 ms 2 10.20.30.1 5.678 ms 5.432 ms 5.210 ms 3 203.0.113.45 10.111 ms !X 10.098 ms !X 4 198.51.100.67 15.765 ms !Z 16.543 ms !Z
These responses typically originate from:
- ACL (Access Control List) violations on routers
- Stateful firewall policies dropping packets
- Misconfigured security groups in cloud environments
When facing persistent !Z/!X responses, combine traceroute with tcpdump:
# On Linux systems: sudo tcpdump -i eth0 'icmp[0] == 3 and (icmp[1] == 10 or icmp[1] == 13)' -vv
AWS Security Group example that could cause !Z responses:
{
"SecurityGroupRule": {
"IpProtocol": "icmp",
"FromPort": -1,
"ToPort": -1,
"CidrIp": "192.0.2.0/24",
"RuleAction": "deny"
}
}
Python script to test connectivity through problematic hops:
import socket
from scapy.all import *
def test_hop(destination, ttl):
pkt = IP(dst=destination, ttl=ttl)/ICMP()
reply = sr1(pkt, timeout=2, verbose=0)
if reply:
if reply.type == 3:
if reply.code == 10:
return "!Z - Filtered"
elif reply.code == 13:
return "!X - Admin prohib"
return reply.src
return "Timeout"
# Test first 10 hops to 8.8.8.8
for i in range(1, 11):
result = test_hop("8.8.8.8", i)
print(f"Hop {i}: {result}")
For Cisco devices showing !X responses, check ACLs with:
show access-list | include deny show ip interface | include policy
Potential fix for ACL issues:
access-list 101 permit icmp any any administratively-prohibited access-list 101 permit icmp any any port-unreachable
When analyzing traceroute outputs, you might encounter cryptic codes like !Z or !X that indicate communication issues with intermediate routers. These are ICMP response codes that reveal specific network conditions.
The !Z code (ICMP Type 3 Code 10) means the router is explicitly blocking your traceroute packets due to firewall rules or ACLs. This commonly occurs in:
- Enterprise networks with strict security policies
- Cloud providers protecting their infrastructure
- ISPs filtering ICMP traffic
# Example traceroute output with !Z
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
1 192.168.1.1 1.234ms 1.456ms 1.678ms
2 10.10.10.1 2.345ms 2.567ms 2.789ms
3 203.0.113.45 3.456ms !Z !Z !Z
The !X code (ICMP Type 3 Code 13) indicates packets are being filtered by security devices, often silently dropped by:
- Stateful firewalls
- IPS/IDS systems
- Rate-limiting configurations
When you encounter these codes while debugging network issues:
# Try alternative traceroute methods:
# TCP-based traceroute (useful for web servers)
sudo traceroute -T -p 80 example.com
# UDP-based traceroute (traditional method)
traceroute -U example.com
# ICMP-based traceroute (Linux default)
traceroute -I example.com
For persistent issues, consider these approaches:
- Test from different network locations (VPN, cloud instances)
- Verify if the target service is actually reachable via curl/wget
- Check firewall rules on intermediate hops (if accessible)
# Verify end-to-end connectivity despite !Z/!X
curl -v https://example.com
wget http://example.com
telnet example.com 80
In many cases, !Z/!X responses are normal when:
- The final destination is reachable
- Only certain middle hops are filtered
- Your application works despite traceroute anomalies
Remember that modern networks often filter ICMP for security reasons, and these codes don't necessarily indicate a real connectivity problem.