0

I have several (virtual) machines with CentOS 7 in the same subnet with several instances of my app running on each of them. I need to test how the apps can reach each other by UDP.

I'm trying to access one machine from another one by traceroute. So I check on host1:

# traceroute host2 -U -p 3001

traceroute to host2 (<ip>), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

It looks like UDP packets are filtered. But then I try netcat (on host 1 again):

# nc -u host2 3001
qwerty1
qwerty2
qwerty3

And it works somehow! How can it be?

By the way, traceroute by TCP reaches the destination in one hop as it should be in one subnet:

# traceroute host2 -T -p 3001
traceroute to host2 (<ip>), 30 hops max, 60 byte packets
 1  host2 (<ip>)  0.663 ms  0.707 ms *

The question is: does UDP work or not after all? Or is there a reliable way to test it? The app doesn't work correctly unfortunately and I want to be sure whether it is or it's not the fault of the underlying infrastructure.

Mike Siomkin

1 Answer

0

The output from netcat just shows that the packets can be sent to this target and that no error comes back. This will also happen if there is a firewall in between which simply discards all UDP packets. And this kind of firewall would also produce the output you see with traceroute: if packets get discarded then they cannot fail later with ICMP TTL exceeded.

Steffen Ullrich
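A way to test UDP that does not depend on the absence of errors, as an added example that is not part of the original question or answer: an echo listener on the receiving host plus a probe that only reports success when its own payload comes back. The function names `start_echo_server` and `probe` are made up for this sketch, and the loopback addresses in the demo are constructed.

```python
import socket
import threading
import uuid

def start_echo_server(host="127.0.0.1", port=0):
    """Run on the receiving host: echo every datagram back to its sender."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, port))

    def loop():
        while True:
            data, peer = srv.recvfrom(2048)
            srv.sendto(data, peer)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]  # actual port (useful when port=0)

def probe(host, port, timeout=1.0):
    """Send one datagram and classify what comes back.

    "reply"   - the echo came back: UDP works in both directions
    "refused" - ICMP port unreachable: host reachable, nothing listening
    "timeout" - nothing came back: dropped on the way, or no answer sent
    """
    token = uuid.uuid4().hex.encode()  # unique payload, stale replies ignored
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors reach us
        try:
            s.send(token)
            while True:
                if s.recv(2048) == token:
                    return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"

if __name__ == "__main__":
    # Constructed loopback demo. Between real hosts: run
    # start_echo_server("0.0.0.0", 3001) on host2 and keep it alive,
    # then call probe("host2", 3001) on host1.
    port = start_echo_server()
    print("echo listener:", probe("127.0.0.1", port))
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))  # bound but never answers, like a silent drop
    print("silent peer:  ", probe("127.0.0.1", silent.getsockname()[1], 0.5))
```

A "timeout" result is what plain `nc -u` cannot show: the send succeeds locally either way, so only a returned payload proves the path.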