NetPath graph issue: Missing firewall node

Created by Anthony.Rinaldi_ret, last modified by Magdalena.Markova on Jun 05, 2017

Updated December 8, 2016

Overview

The NetPath graph seems to be missing a firewall.

The expected firewall node is missing from all NetPath graphs, or the device that follows the firewall appears in its place.

Environment

  • NPM 12.0 and later

Resolution

Step 1: Capture the outbound NetPath TCP probing packet at the inside interface of the firewall

  1. Find the IP address and TCP port of the service that has the issue.
  2. Find the IP address of the NetPath agent that probes the service.
  3. Locate the inside interface where the NetPath probing traffic is expected to enter the firewall.
  4. Refer to the firewall manual, and execute the command to capture TCP packets on the inside interface with matching criteria: from the IP address of the NetPath agent and any source port, to the IP address and port of the service with the issue.

Examples for packet capture commands:

Were the packets captured?

  • Yes: Go to Step 2.
  • No: The NetPath probing traffic did not reach the firewall. Missing this node is expected.

Step 2: Capture the inbound NetPath ICMP Type 11 packets at the inside interface of the firewall

  1. Find the IP address of the NetPath agent that probes the service.
  2. Locate the inside interface where the inbound ICMP packets are expected to exit the firewall.
  3. Refer to the firewall manual, and execute the command to capture ICMP Type 11 packets on the inside interface with matching criteria: from any IP address to the IP address of the NetPath agent.

Were the packets captured?

  • Yes: The firewall is configured to not respond to NetPath probing. To configure the firewall to respond, see your firewall documentation to enable a response to TTL-expired TCP packets.
    • For Cisco ASA, see this article on how to decrement the TTL field in the packet header and allow inbound ICMP packets.
    • For SonicWall, go to Advanced Firewall Settings. Select the "Decrement IP TTL for forwarded traffic" option, and clear the "Never generate ICMP Time-Exceeded packets" option. See this article for more information.
  • No: Submit a ticket to technical support.
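The Step 1 and Step 2 matching criteria and the resulting decision can also be applied offline to packets exported from the inside-interface capture. The following is an added example, not SolarWinds code: it assumes raw IPv4 packets with no link-layer header, and the addresses, port, and function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample addresses (documentation ranges), not values from the article.
AGENT, SERVICE, PORT, HOP = "192.0.2.10", "198.51.100.20", 443, "203.0.113.1"

def ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp_syn(dport, sport=40000):
    """20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)

def classify(pkt, agent, service, port):
    """Return 'probe' (Step 1 match), 'ttl-exceeded' (Step 2 match) or None."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0      # header length, honours IP options
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    l4 = pkt[ihl:]
    # Step 1: TCP from the agent (any source port) to the service IP and port.
    if pkt[9] == 6 and len(l4) >= 4 and (src, dst) == (agent, service):
        return "probe" if struct.unpack("!H", l4[2:4])[0] == port else None
    # Step 2: ICMP Type 11 (Time Exceeded) from any address to the agent.
    if pkt[9] == 1 and l4[:1] == b"\x0b" and dst == agent:
        return "ttl-exceeded"
    return None

def diagnose(packets, agent=AGENT, service=SERVICE, port=PORT):
    """Apply the Step 1 / Step 2 decision to packets seen on the inside interface."""
    seen = {classify(p, agent, service, port) for p in packets}
    if "probe" not in seen:
        return "probe traffic did not reach the firewall"
    if "ttl-exceeded" in seen:
        return "firewall is not responding to TTL-expired probes"
    return "submit a ticket"

# Constructed capture: one low-TTL probe and one Time Exceeded reply from a later hop.
PROBE = ipv4(AGENT, SERVICE, 6, tcp_syn(PORT), ttl=3)
REPLY = ipv4(HOP, AGENT, 1, struct.pack("!BBHI", 11, 0, 0, 0) + PROBE[:28])

if __name__ == "__main__":
    print(diagnose([PROBE, REPLY]))
```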
