Submit a ticketCall us

Webinar: Web Help Desk for HR, Facilities and Accounting Departments
This webinar will focus on use cases for HR, Facilities and Accounting.

Having a unified ticketing and asset management system for all the departments in your company can provide end-users with a seamless experience and make things easier for your IT team. Yet, with different business tasks and objectives, many departments don’t fully understand the capabilities of Web Help Desk and how the software can be customized for effective use in their departments.
Register Now.

Home > Success Center > Network Performance Monitor (NPM) > NetPath graph issue: All timeout nodes between probe and endpoint

NetPath graph issue: All timeout nodes between probe and endpoint

Created by Anthony.Rinaldi_ret, last modified by Anthony.Rinaldi_ret on Jan 04, 2017

Views: 319 Votes: 0 Revisions: 10

Updated December 8, 2016

Overview

The NetPath graph seems to be missing many nodes.

NetPath only captures timeout nodes between the NetPath probe and the endpoint.

Environment

  • NPM 12.0 and later

Resolution

Step 1: Check if the next node to the NetPath probe computer is a firewall

Is it a firewall?

Step 2: Check if the firewall is creating logs for NetPath probing packets

  1. Find the endpoint IP address and TCP port from the service that has the issue.
  2. Find the IP address of the NetPath agent that probes the service.
  3. Locate the firewall that the NetPath probing traffic traverses. The firewall may or may not display in the NetPath graph.
  4. Make sure the log is enabled for Drop rules, including Default and Implicit Drop rules.
  5. Based on the firewall manual:
    1. For the outbound direction from agent to endpoint, find the firewall drop logs for TCP packets from the IP address of the NetPath agent and any source port, to the endpoint IP address and port of the service with the issue.
    2. For the inbound direction from endpoint to agent, find the firewall drop logs for ICMP Type 11 packets from any IP address to the IP address of the NetPath agent.

Check firewall logs

Open Check Point SmartView Tracker > All Records > Add filters.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

1-checkpoint.png

The log option must be enabled for rules that can allow or deny NetPath probing traffic.

Open Web Console > Monitor > Logs > Traffic.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

2-palo-alto.gif

Open Web Console > Log > View.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

3-sonicwall.png

Open ASDM console > Monitoring > Logging > Log Buffer (or Real-Time) > View ... > Add filters.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

4-asa.png

Did you find the logs?

  • Yes: This is a potential firewall issue. Locate the drop rule from the log, and consult with a firewall engineer to fix it.
  • No: Go to Step 3.

Step 3: Check if the IP ID masking rule is enabled for a Check Point firewall

  1. Open the Check Point SmartDashboard.
  2. Navigate to IPS > Protections.
  3. Search for IP ID Masking.
  4. Check if the rule is Active.

Is the IP ID masking rule enabled?

  • Yes: Add the IP address of the NetPath probe to the exception: Edit IP ID Masking > Network Exceptions > New > Add NetPath Probe to Source Network Condition.
  • No: Go to Step 4.
  • I don't have a Check Point firewall: Go to Step 4.

Step 4: Check if the NetPath probe is running on AWS

Is the NetPath probe running on Amazon Web Services (AWS), Google Compute Engine (GCE), or other Linux-based virtualization?

Step 5: Check the security policy

Does the security allow ICMP packets?

  • Yes: Follow this workaround for each AWS probe:
    1. Open C:\ProgramData\Solarwinds\Orion\NetPath\NetPathAgent.cfg with a text editor as an administrator.
    2. Save a copy of original NetPathAgent.cfg file as a backup.
    3. Stop the SolarWinds Job Engine 2 service.
    4. Change the following settings in the NetPathAgent.cfg file:
      "EnableAdvancedBpf": false,
      "TracerouteTimeout": 500,
    5. Save the file.
    6. Start the SolarWinds Job Engine 2 service.
  • No: See the Cloud Environment section of NetPath requirements.

Step 6: Capture NetPath probing packets on the NetPath probe computer

For NPM 12.0

  1. Download and install Wireshark.
  2. Find the IP address port from the service that has issue.
  3. Find the IP address of the NetPath probe that probes the service.
  4. Select the interface for your NetPath outgoing traffic.
  5. Apply the icmp Capture Filter.

    5-wireshark-1.png

  6. Apply the following display filter:

    icmp.type == 11 and ip.dst == endpoint_ip

    Replace endpoint_ip with your IP address.

    6-wireshark-2.PNG

For NPM 12.0.1 and later

  1. Open the NetPath Service page with ?debug appended to the end of the URL.
  2. Edit the path you want to troubleshoot.
  3. Select Enable logging, and click Save.
  4. Wait for two probing intervals for the selected path.
  5. Check the pcap file in the polling engine (not the Agent computer) where the selected path is collected from.

    7-netpath-debug.png

Were the packets captured?

  • Yes: Follow this workaround for each AWS probe:
    1. Open C:\ProgramData\Solarwinds\Orion\NetPath\NetPathAgent.cfg with a text editor as an administrator.
    2. Save a copy of original NetPathAgent.cfg file as a backup.
    3. Stop the SolarWinds Job Engine 2 service.
    4. Change the following settings in the NetPathAgent.cfg file:
      "EnableAdvancedBpf": false,
      "TracerouteTimeout": 500,
    5. Save the file.
    6. Start the SolarWinds Job Engine 2 service.
  • No: Submit a ticket to technical support.
Last modified
16:41, 4 Jan 2017

Tags

Classifications

Public