
NetPath graph issue: Intermittent endpoint is unreachable

Created by Anthony.Rinaldi_ret, last modified by Anthony.Rinaldi_ret on Jan 04, 2017


Updated December 8, 2016

Overview

The NetPath graph does not seem to be accurate.

Occasionally an endpoint is unreachable. This mostly affects HTTPS and other protocols that require SSL or TLS. Possible causes are NetPath not completing the SSL/TLS handshake, and a firewall interfering with NetPath probing.

Environment

  • NPM 12.0 and later

Resolution

Step 1: Test TCP connectivity

  1. Download and extract PSTools.zip from Microsoft.
  2. Identify the IP address from the endpoint with the issue.
  3. Run psping from the command prompt to test end-to-end latency and packet loss to the NetPath service.

    psping -t endpoint_ip_address:endpoint_port

  4. After receiving 20 results, press Ctrl+C to stop.
  5. Look at the packet loss in the results. Check whether the output reads "Access is Denied" or whether the packet loss is less than 5%.

Did the TCP connectivity test succeed?

  • Yes: Go to Step 2.
  • No: This confirms a connectivity problem. Further investigation is needed, starting from the device just before the red dotted line.

Step 2: Test the HTTP port on the endpoint

  1. Identify the IP address from the endpoint with the issue.
  2. Add a new NetPath service using port 80 and that IP address.
  3. Wait two or more probing intervals to get the NetPath probing results.
  4. Check if the issue with intermittent endpoint connectivity exists here as well.

Does the connectivity issue exist on the HTTP port of the endpoint?

Step 3: Check if the firewall is creating logs for NetPath probing packets

  1. Find the endpoint IP address and TCP port from the service that has the issue.
  2. Find the IP address of the NetPath agent that probes the service.
  3. Locate the firewall that the NetPath probing traffic traverses. The firewall may or may not display in the NetPath graph.
  4. Make sure the log is enabled for Drop rules, including Default and Implicit Drop rules.
  5. Based on the firewall manual:
    1. For the outbound direction from agent to endpoint, find the firewall drop logs for TCP packets from the IP address of the NetPath agent and any source port, to the endpoint IP address and port of the service with the issue.
    2. For the inbound direction from endpoint to agent, find the firewall drop logs for ICMP Type 11 packets from any IP address to the IP address of the NetPath agent.
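The two log searches in step 5, as an added example that is not from the SolarWinds article: it applies the same criteria to constructed drop-log lines in a generic key=value layout (assumed field names, not any vendor's real log format) and separates outbound TCP probe drops from inbound ICMP Type 11 (Time Exceeded) drops.

```python
import re

# Constructed sample drop logs in an assumed key=value layout; the field
# names (action, proto, src, spt, dst, dpt, icmp_type) are not any vendor's.
SAMPLE_LOGS = """\
action=drop proto=tcp src=10.1.1.5 spt=51234 dst=203.0.113.10 dpt=443
action=allow proto=tcp src=10.1.1.5 spt=51235 dst=203.0.113.10 dpt=443
action=drop proto=icmp src=198.51.100.7 dst=10.1.1.5 icmp_type=11 icmp_code=0
action=drop proto=icmp src=198.51.100.8 dst=10.1.1.9 icmp_type=11 icmp_code=0
action=drop proto=tcp src=10.1.1.5 spt=51236 dst=203.0.113.10 dpt=80
action=drop proto=icmp src=198.51.100.9 dst=10.1.1.5 icmp_type=3 icmp_code=3
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(rec, agent_ip, endpoint_ip, endpoint_port):
    """Return 'outbound', 'inbound' or None according to the Step 3 criteria."""
    if rec.get("action") != "drop":
        return None
    proto = rec.get("proto")
    # Outbound: TCP from the agent, any source port, to the service's IP:port.
    if (proto == "tcp" and rec.get("src") == agent_ip
            and rec.get("dst") == endpoint_ip
            and rec.get("dpt") == str(endpoint_port)):
        return "outbound"
    # Inbound: ICMP Type 11 (Time Exceeded) from any hop back to the agent.
    if (proto == "icmp" and rec.get("icmp_type") == "11"
            and rec.get("dst") == agent_ip):
        return "inbound"
    return None


def find_netpath_drops(log_text, agent_ip, endpoint_ip, endpoint_port):
    """Group dropped NetPath probing packets by direction."""
    hits = {"outbound": [], "inbound": []}
    for line in log_text.splitlines():
        kind = classify(parse_line(line), agent_ip, endpoint_ip, endpoint_port)
        if kind:
            hits[kind].append(line)
    return hits


if __name__ == "__main__":
    result = find_netpath_drops(SAMPLE_LOGS, "10.1.1.5", "203.0.113.10", 443)
    for kind, lines in result.items():
        print(f"{kind}: {len(lines)} dropped packet(s)")
        for entry in lines:
            print("   ", entry)
```

A drop in the outbound set points at the rule blocking the probe itself; a drop in the inbound set means the firewall is discarding the TTL-exceeded replies NetPath needs to draw hops, which shows up as missing or intermittent nodes on the graph.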

Check firewall logs

Open Check Point SmartView Tracker > All Records > Add filters.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

[Figure 1-checkpoint.png: Check Point SmartView Tracker log filters]

The log option must be enabled for rules that can allow or deny NetPath probing traffic.

Open Web Console > Monitor > Logs > Traffic.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

[Figure 2-palo-alto.gif: Palo Alto traffic log filters]

Open Web Console > Log > View.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

[Figure 3-sonicwall.png: SonicWall log view filters]

Open ASDM console > Monitoring > Logging > Log Buffer (or Real-Time) > View ... > Add filters.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

[Figure 4-asa.png: Cisco ASA ASDM log buffer filters]

Did you find the logs?
