
NetPath graph issue: Missing firewall node

Created by Anthony.Rinaldi, last modified by Magdalena.Markova on Jun 05, 2017


Updated December 8, 2016

Overview

The NetPath graph seems to be missing a firewall.

The expected firewall node is missing from all NetPath graphs, or it is replaced by the next device after the firewall.

Environment

  • NPM 12.0 and later

Resolution

Step 1: Capture the outbound NetPath TCP probing packet at the inside interface of the firewall

  1. Find the IP address and TCP port of the service that has the issue.
  2. Find the IP address of the NetPath agent that probes the service.
  3. Locate the inside interface where the NetPath probing traffic is expected to enter the firewall.
  4. Refer to the firewall manual, and execute the command to capture TCP packets on the inside interface with matching criteria: from the IP address of the NetPath agent and any source port, to the IP address and port of the service with the issue.

Examples for packet capture commands:

Were the packets captured?

  • Yes: Go to Step 2.
  • No: The NetPath probing traffic did not reach the firewall. Missing this node is expected.

Step 2: Capture the inbound NetPath ICMP Type 11 packets at the inside interface of the firewall

  1. Find the IP address of the NetPath agent that probes the service.
  2. Locate the inside interface where the inbound ICMP packets are expected to exit the firewall.
  3. Refer to the firewall manual, and execute the command to capture ICMP Type 11 packets on the inside interface with matching criteria: from any IP address to the IP address of the NetPath agent.

Were the packets captured?

  • Yes: The firewall is configured to not respond to NetPath probing. To configure the firewall to respond, see your firewall documentation to enable a response to TTL-expired TCP packets.
    • For Cisco ASA, see this article on how to decrement the TTL field in the packet header and allow inbound ICMP packets.
    • For SonicWall, go to Advanced Firewall Settings. Select the "Decrement IP TTL for forwarded traffic" option, and clear the "Never generate ICMP Time-Exceeded packets" option. See this article for more information.
  • No: Submit a ticket to technical support.
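
The Step 1 and Step 2 checks can also be applied offline to packets exported from the inside-interface capture. The following Python is an added example, not SolarWinds code: it parses raw IPv4 packets and returns which branch of the procedure applies. The addresses, port, sample packets and outcome labels are constructed for illustration.

```python
import socket
import struct

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]

def diagnose(packets, agent_ip, service_ip, service_port):
    """Apply the Step 1 / Step 2 decision to packets seen on the inside interface."""
    probe_seen = False
    responders = set()  # sources of ICMP Type 11 (time exceeded) sent to the agent
    for pkt in packets:
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto == 6 and src == agent_ip and dst == service_ip and len(payload) >= 4:
            if struct.unpack("!H", payload[2:4])[0] == service_port:
                probe_seen = True  # Step 1: outbound TCP probe reached the firewall
        elif proto == 1 and dst == agent_ip and payload[:1] == b"\x0b":
            responders.add(src)    # Step 2: inbound ICMP Type 11 toward the agent
    if not probe_seen:
        return "probe-not-at-firewall", responders    # Step 1 answer: No
    if responders:
        return "firewall-not-responding", responders  # Step 2 answer: Yes
    return "open-support-ticket", responders          # Step 2 answer: No

def ipv4(src, dst, proto, ttl, payload):
    """Build a minimal IPv4 packet (checksum left at 0; constructed test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample capture; documentation-range addresses, not values from the article.
AGENT, SERVICE, PORT = "192.0.2.10", "198.51.100.20", 443
tcp_probe = ipv4(AGENT, SERVICE, 6, 3,
                 struct.pack("!HHIIHHHH", 50000, PORT, 1, 0, 0x5002, 1024, 0, 0))
icmp_ttl = ipv4("203.0.113.1", AGENT, 1, 62, struct.pack("!BBHI", 11, 0, 0, 0))

if __name__ == "__main__":
    print(diagnose([tcp_probe, icmp_ttl], AGENT, SERVICE, PORT))
```

The returned set lists every device that sent a time-exceeded reply toward the agent, which makes it easy to confirm that the firewall's own address is not among them.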

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

 

Last modified
00:50, 5 Jun 2017
