
NetPath graph issue: Nodes are missing between a Cisco ASA firewall and the endpoint

Created by Anthony.Rinaldi_ret, last modified by Anthony.Rinaldi_ret on Dec 14, 2016


Updated December 14, 2016

Overview

Nodes are missing between a Cisco ASA firewall and the endpoint on a NetPath graph. The last internal hop could be the Cisco ASA firewall, or an internal router before the Cisco ASA firewall.

Two types of graphs indicate this issue:

  • Has timeout nodes (image: 1-one-hop.png)
  • No timeout nodes (image: 2-missing-asa.png)

Environment

  • NPM 12.0 and later

Resolution

Step 1: Check if the last visible intermediate hop is a Cisco ASA firewall or a router right before the Cisco ASA firewall

Is it a firewall?

Step 2: Check if the graph has timeout nodes

Compare your NetPath graph to the two images in the Overview section.

Does the graph have timeout nodes?

Step 3: Check if the Cisco ASA firewall is creating logs for NetPath probing packets

  1. Find the endpoint IP address and TCP port from the service that has the issue.
  2. Find the IP address of the NetPath agent that probes the service.
  3. Make sure the Cisco ASA deny rules have the log option enabled.
  4. Based on the ASA manual:
    1. For the outbound direction from agent to endpoint, find the firewall drop logs for TCP packets from the IP address of the NetPath agent and any source port, to the endpoint IP address and port of the service with the issue.
    2. For the inbound direction from endpoint to the agent, find the firewall drop logs for ICMP Type 11 packets from any IP address to the IP address of the NetPath agent.

Check logs from ASDM

Open the ASDM console > Monitoring > Logging > Log Buffer (or Real-Time) > View ... > Add filters.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

(image: 3-log-buffer.png)

Did you find the logs?

  • Yes: This is a potential firewall issue. Locate the drop rule from the log and consult with a firewall engineer to fix it. See this Cisco article for more information.
  • No: Check steps 3 to 7 in this article.
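As an added example (not part of the SolarWinds article or any Cisco documentation), the following Python script applies the same two filters to ASA syslog text exported from the device, which is useful when the log buffer is forwarded to a collector rather than viewed in ASDM. The log lines are constructed and modelled on the %ASA-4-106023 deny message format; the agent, endpoint and port values are assumptions.

```python
import re

# Constructed sample, modelled on the %ASA-4-106023 "Deny" format; not real device output.
SAMPLE_LOGS = """\
%ASA-4-106023: Deny tcp src inside:10.10.1.25/49211 dst outside:203.0.113.10/443 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.1.99/52000 dst outside:203.0.113.10/443 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:198.51.100.7 dst inside:10.10.1.25 (type 11, code 0) by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:198.51.100.8 dst inside:10.10.1.25 (type 3, code 3) by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.1.25/49300 dst outside:203.0.113.20/8080 by access-group "inside_access_in" [0x0, 0x0]
"""

# Outbound probe: TCP from the agent (any source port) to endpoint IP and service port.
TCP_RE = re.compile(
    r'Deny tcp src [^\s:]+:(?P<src>[\d.]+)/\d+ dst [^\s:]+:(?P<dst>[\d.]+)/(?P<port>\d+)'
    r' by access-group "(?P<acl>[^"]+)"')
# Inbound reply: ICMP from any hop back to the agent; only type 11 (TTL exceeded) matters.
ICMP_RE = re.compile(
    r'Deny icmp src [^\s:]+:(?P<src>[\d.]+) dst [^\s:]+:(?P<dst>[\d.]+)'
    r' \(type (?P<type>\d+), code \d+\) by access-group "(?P<acl>[^"]+)"')


def find_netpath_drops(log_text, agent_ip, endpoint_ip, service_port):
    """Return (outbound, inbound) lists of (log_line, acl_name) for the two probe directions."""
    outbound, inbound = [], []
    for line in log_text.splitlines():
        m = TCP_RE.search(line)
        if m and m["src"] == agent_ip and m["dst"] == endpoint_ip and int(m["port"]) == service_port:
            outbound.append((line, m["acl"]))
            continue
        m = ICMP_RE.search(line)
        if m and m["dst"] == agent_ip and int(m["type"]) == 11:
            inbound.append((line, m["acl"]))
    return outbound, inbound


def blocking_acls(outbound, inbound):
    """Names of the access groups whose deny rules dropped probe traffic (for the firewall engineer)."""
    return sorted({acl for _, acl in outbound + inbound})


if __name__ == "__main__":
    # Assumed values: NetPath agent 10.10.1.25 probing 203.0.113.10 on TCP 443.
    out, inb = find_netpath_drops(SAMPLE_LOGS, "10.10.1.25", "203.0.113.10", 443)
    print(f"outbound drops: {len(out)}, inbound ICMP type 11 drops: {len(inb)}")
    print("access groups involved:", blocking_acls(out, inb))
```

A drop in the outbound list means the probe never left; a drop in the inbound list means the TTL-exceeded replies that NetPath uses to discover hops are being filtered, which produces the missing-node graph shown above.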

Step 4: Check for duplicate endpoint IP addresses in a trace route

Run a trace route from the last internal router. Check the results of the trace route for duplicate endpoint IP addresses.

(image: 4-trace.png)

Did you find duplicate endpoint IP addresses in the trace route results?
