
NetPath graph issue: Missing Internet nodes, where connection stops at internal node

Created by Anthony.Rinaldi, last modified by Anthony.Rinaldi on Jan 04, 2017


Updated December 8, 2016

Overview

The NetPath graph seems to be missing Internet nodes.

NetPath traces consistently end at internal intermediate nodes. The issue affects external endpoints only, and it affects all web traffic, such as HTTP, HTTPS, well-known ports, and alternative ports. Normal application traffic can reach the endpoint without issue.

Environment

  • NPM 12.0 and later

Resolution

Step 1: Check if the web proxy is enabled

  1. Open an RDP session to the NetPath probe computer.
  2. Run inetcpl.cpl from the Windows Start Menu.
  3. Click Connections > LAN settings.
  4. Check the following settings:
    • Automatically detect settings
    • Use automatic configuration script
    • Use a proxy server for your LAN

Is the web proxy enabled?

Step 2: Check the NetPath graph for the same endpoint but non-web traffic

  1. Create a new service for the same endpoint on the same NetPath probe, but with the following settings:
    • Five-minute interval
    • A well-known non-web port, such as 25 or 53 (It is OK if those ports are not open on the endpoint)
  2. Wait 5 to 10 minutes, and then check the graph.
  3. Check whether the graph contains external nodes, or whether it has the same problem without any external nodes.

Does the issue go away for non-web traffic?

  • Yes: Known limitation. NetPath version 1 does not support a local web proxy. To work around this:
    1. Deploy the NetPath probe on another VM with the local proxy disabled.
    2. Check the firewall to make sure the web traffic is allowed from the NetPath probe to external endpoints.
  • No: Submit a ticket to technical support.

Step 3: Check if the firewall is creating logs for NetPath probing packets

  1. Find the endpoint IP address and TCP port from the service that has the issue.
  2. Find the IP address of the NetPath agent that probes the service.
  3. Locate the firewall that the NetPath probing traffic traverses. The firewall may or may not display in the NetPath graph.
  4. Make sure the log is enabled for Drop rules, including Default and Implicit Drop rules.
  5. Based on the firewall manual:
    1. For the outbound direction from agent to endpoint, find the firewall drop logs for TCP packets from the IP address of the NetPath agent and any source port, to the endpoint IP address and port of the service with the issue.
    2. For the inbound direction from endpoint to agent, find the firewall drop logs for ICMP Type 11 packets from any IP address to the IP address of the NetPath agent.
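
The two Step 3 filters applied to an exported drop log, as an added example that is not part of the original article or of NetPath itself. The key=value log format, the field names, the rule names, and the IP addresses are constructed assumptions; map them to whatever your firewall exports.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample drop logs in a made-up key=value format (assumption).
SAMPLE_LOG = """\
action=drop proto=tcp src=10.1.1.50 sport=51514 dst=203.0.113.10 dport=443 rule=implicit-drop
action=drop proto=icmp src=198.51.100.7 dst=10.1.1.50 icmp_type=11 rule=default-drop
action=drop proto=icmp src=198.51.100.9 dst=10.1.1.50 icmp_type=8 rule=default-drop
action=drop proto=tcp src=10.1.1.77 sport=40000 dst=203.0.113.10 dport=443 rule=implicit-drop
action=accept proto=tcp src=10.1.1.50 sport=51515 dst=203.0.113.10 dport=443 rule=web-out
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the line's key=value fields, or None if it has no action field."""
    rec = dict(FIELD_RE.findall(line))
    return rec if "action" in rec else None

def classify(rec, agent_ip, endpoint_ip, endpoint_port):
    """Return which Step 3 filter a drop record matches, else None."""
    if rec.get("action") != "drop":
        return None
    try:
        src = ipaddress.ip_address(rec.get("src", ""))
        dst = ipaddress.ip_address(rec.get("dst", ""))
    except ValueError:
        return None  # unparseable address: not a usable record
    agent = ipaddress.ip_address(agent_ip)
    # Outbound: TCP from the agent (any source port) to endpoint IP and port.
    if (rec.get("proto") == "tcp" and src == agent
            and dst == ipaddress.ip_address(endpoint_ip)
            and rec.get("dport") == str(endpoint_port)):
        return "outbound_tcp_probe"
    # Inbound: ICMP Type 11 (Time Exceeded) from any address to the agent.
    if rec.get("proto") == "icmp" and rec.get("icmp_type") == "11" and dst == agent:
        return "inbound_icmp_type11"
    return None

def find_probe_drops(log_text, agent_ip, endpoint_ip, endpoint_port):
    """Count dropped NetPath probe packets per (direction, firewall rule)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec, agent_ip, endpoint_ip, endpoint_port) if rec else None
        if kind:
            hits[(kind, rec.get("rule", "unknown"))] += 1
    return dict(hits)
```

Calling `find_probe_drops(SAMPLE_LOG, "10.1.1.50", "203.0.113.10", 443)` groups the matching drops by direction and rule name, which points at the rule to review for each direction.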

Check firewall logs

Open Check Point SmartView Tracker > All Records > Add filters.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

[Screenshot: 1-checkpoint.png]

The log option must be enabled for rules that can allow or deny NetPath probing traffic.

Palo Alto: Open Web Console > Monitor > Logs > Traffic.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

[Screenshot: 2-palo-alto.gif]

SonicWall: Open Web Console > Log > View.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

[Screenshot: 3-sonicwall.png]

Cisco ASA: Open ASDM console > Monitoring > Logging > Log Buffer (or Real-Time) > View ... > Add filters.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

[Screenshot: 4-asa.png]

Did you find the logs?

Last modified
16:21, 4 Jan 2017
