

NetPath graph issue: Nodes are missing between a Cisco ASA firewall and the endpoint

Created by Anthony.Rinaldi_ret, last modified by Anthony.Rinaldi_ret on Dec 14, 2016


Overview

On a NetPath graph, nodes are missing between a Cisco ASA firewall and the endpoint. The last visible internal hop may be the Cisco ASA firewall itself, or an internal router immediately in front of it.

Two types of graphs indicate this issue:

Has timeout nodes

1-one-hop.png

No timeout nodes

2-missing-asa.png

Environment

  • NPM 12.0 and later

Resolution

Step 1: Check if the last visible intermediate hop is a Cisco ASA firewall or a router right before the Cisco ASA firewall

Is the last visible hop a Cisco ASA firewall, or a router directly in front of one?

Step 2: Check if the graph has timeout nodes

Compare your NetPath graph to the two images in the Overview section.

Does the graph have timeout nodes?

Step 3: Check if the Cisco ASA firewall is creating logs for NetPath probing packets

  1. Find the endpoint IP address and TCP port of the service that has the issue.
  2. Find the IP address of the NetPath agent that probes the service.
  3. Make sure that logging is enabled on the Cisco ASA deny rules (the log option on the access control entries), so that dropped packets generate syslog messages.
  4. Following the ASA logging documentation, look for drop logs in both directions:
    1. Outbound, from agent to endpoint: firewall drop logs for TCP packets from the NetPath agent IP address (any source port) to the endpoint IP address and the port of the service with the issue.
    2. Inbound, from the path back to the agent: firewall drop logs for ICMP Type 11 (Time Exceeded) packets to the NetPath agent IP address. These are the replies intermediate hops send when a probe's TTL expires, so they can come from any IP address; filter on the destination only.

Check logs from ASDM

Open the ASDM console > Monitoring > Logging > Log Buffer (or Real-Time) > View ... > Add filters.

For outbound NetPath probing packets, add the filter for:

  • Service: TCP service specified in NetPath Services
  • Source: NetPath probe
  • Destination: Endpoint

For inbound NetPath probing packets, add the filter for:

  • ICMP Type 11
  • Destination: NetPath probe

3-log-buffer.png

Did you find the logs?

  • Yes: This is a potential firewall issue. Locate the drop rule (the access group named in the log) and consult with a firewall engineer to fix it. See this Cisco article for more information.
  • No: Check steps 3-7 in this article.
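The ASDM filter above works for a handful of entries; when the log buffer is large or exported to a syslog collector, the same check is easier to repeat in code. The following is an added example for this article, not SolarWinds or Cisco code. It filters ASA syslog lines for the two probe flows described in step 3: dropped TCP from the agent to the endpoint IP and service port, and dropped ICMP Type 11 to the agent. The message patterns are modeled on ASA syslog IDs 106023 (ACL deny) and 106100 (ACE with the log keyword); the agent address, endpoint address and port, interface names and ACL names are hypothetical, and the sample log lines are constructed, so adjust the regular expressions to the exact format your ASA version emits.

```python
"""Filter Cisco ASA syslog for dropped NetPath probe traffic.

Added example for this article; it is not SolarWinds or Cisco code.
Message formats are modeled on ASA syslog IDs 106023 (ACL deny) and
106100 (ACE with the "log" keyword); adjust the patterns to what your
ASA version actually emits. All addresses, interfaces and ACL names are
hypothetical and the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# %ASA-4-106023: Deny tcp src inside:A/p dst outside:B/q by access-group "ACL" ...
# %ASA-4-106023: Deny icmp src outside:A dst inside:B (type 11, code 0) by access-group "ACL" ...
RE_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?"
    r" dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
    r' by access-group "(?P<acl>[^"]+)"'
)
# %ASA-6-106100: access-list ACL denied tcp inside/A(p) -> outside/B(q) hit-cnt N ...
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


@dataclass
class Drop:
    msg_id: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    icmp_type: Optional[int]
    acl: str
    raw: str


def parse_line(line: str) -> Optional[Drop]:
    """Return a Drop for an ACL deny line, or None for anything else."""
    m = RE_106023.search(line)
    if m:
        return Drop("106023", m["proto"].lower(), m["src"], m["dst"],
                    int(m["sport"]) if m["sport"] else None,
                    int(m["dport"]) if m["dport"] else None,
                    int(m["itype"]) if m["itype"] else None,
                    m["acl"], line)
    m = RE_106100.search(line)
    if m and m["action"] == "denied":
        proto = m["proto"].lower()
        a, b = int(m["sport"]), int(m["dport"])
        # Assumption: for ICMP entries of 106100 the parenthesised numbers carry
        # the ICMP type (source side) and code (destination side). Verify on your ASA.
        if proto == "icmp":
            return Drop("106100", proto, m["src"], m["dst"], None, None, a, m["acl"], line)
        return Drop("106100", proto, m["src"], m["dst"], a, b, None, m["acl"], line)
    return None


def find_netpath_drops(lines: Iterable[str], agent_ip: str,
                       endpoint_ip: str, endpoint_port: int) -> Dict[str, List[Drop]]:
    """Split deny lines into the two flows NetPath depends on.

    outbound: TCP from the agent (any source port) to endpoint_ip:endpoint_port
    inbound:  ICMP type 11 (Time Exceeded) from any hop back to the agent
    """
    result: Dict[str, List[Drop]] = {"outbound": [], "inbound": []}
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        if (d.proto == "tcp" and d.src == agent_ip
                and d.dst == endpoint_ip and d.dport == endpoint_port):
            result["outbound"].append(d)
        elif d.proto == "icmp" and d.icmp_type == 11 and d.dst == agent_ip:
            result["inbound"].append(d)
    return result


def blocking_acls(result: Dict[str, List[Drop]]) -> Dict[str, List[str]]:
    """Access-group names to hand to the firewall engineer, per direction."""
    return {k: sorted({d.acl for d in v}) for k, v in result.items()}


# Constructed sample: hypothetical agent 10.10.20.15 probing 198.51.100.44:443.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src inside:10.10.20.15/51234 dst outside:198.51.100.44/443 by access-group "inside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:203.0.113.9 dst inside:10.10.20.15 (type 11, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-6-106100: access-list inside_access_in denied tcp inside/10.10.20.15(51235) -> outside/198.51.100.44(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]',
    '%ASA-6-106100: access-list outside_access_in denied icmp outside/203.0.113.9(11) -> inside/10.10.20.15(0) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]',
    # noise that must not match: another host, an ICMP echo request, a permitted flow
    '%ASA-4-106023: Deny tcp src inside:10.10.20.99/40000 dst outside:198.51.100.44/443 by access-group "inside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:203.0.113.9 dst inside:10.10.20.15 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.10.20.15(51236) -> outside/198.51.100.44(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]',
]

if __name__ == "__main__":
    hits = find_netpath_drops(SAMPLE_LOGS, "10.10.20.15", "198.51.100.44", 443)
    for direction, drops in hits.items():
        print(f"{direction}: {len(drops)} drop(s)")
        for d in drops:
            print("  ", d.raw)
    print("blocking ACLs:", blocking_acls(hits))
```

Run it against a saved log buffer (one message per line) with the real agent IP and the endpoint IP and port from the NetPath service definition. A non-empty outbound list means the ASA is dropping the probes themselves; a non-empty inbound list means the hop replies are being dropped on the way back, which produces the timeout-node variant of the graph. In both cases the access group name in blocking_acls is the rule to take to the firewall engineer.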

Step 4: Check for duplicate endpoint IP addresses in a traceroute

Run a traceroute to the endpoint from the last internal router (the last visible hop before the Cisco ASA firewall). Check whether the endpoint IP address appears at more than one hop in the results.

4-trace.png

Did you find duplicate endpoint IP addresses in the traceroute results?
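Reading the duplicate out of a long traceroute by eye is error-prone, so here is an added example (not SolarWinds code) that parses the text printed by traceroute on Linux/macOS or tracert on Windows and reports the hops at which the endpoint IP address appears, the hops that timed out (the timeout nodes from step 2), and the last responding hop before the endpoint (the candidate last internal hop from step 1). The sample output is constructed and the addresses are hypothetical; the parser assumes each hop line begins with the hop number and that the first IPv4 address on the line is the responder, which holds for both tools.

```python
"""Check traceroute output for the endpoint appearing at more than one hop.

Added example for this article, not SolarWinds code. It reads the text that
traceroute (Linux/macOS) or tracert (Windows) prints, so it can be run on
output copied from the last internal router or from the agent host. The
sample output is constructed and the addresses are hypothetical.
"""
import re
from typing import Dict, Optional

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(output: str) -> Dict[int, Optional[str]]:
    """Map hop number -> first IPv4 address on that hop line, None on '* * *'.

    Header lines ("traceroute to ...", "Tracing route to ...") do not start
    with a hop number and are skipped. Both tools print the responder address
    on the hop line, so the first IPv4 found there is taken as the responder;
    RTT values such as "0.412 ms" never match the four-octet pattern.
    """
    hops: Dict[int, Optional[str]] = {}
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IPV4_RE.search(m["rest"])
        hops[int(m["hop"])] = ip.group(1) if ip else None
    return hops


def analyse_trace(output: str, endpoint_ip: str) -> dict:
    """Summarise a trace the way steps 1, 2 and 4 of the article ask for."""
    hops = parse_hops(output)
    endpoint_hops = sorted(h for h, ip in hops.items() if ip == endpoint_ip)
    timeout_hops = sorted(h for h, ip in hops.items() if ip is None)
    first_endpoint = endpoint_hops[0] if endpoint_hops else None
    # Last hop before the endpoint that actually answered: the candidate
    # "last internal hop" (ASA or the router in front of it).
    last_internal = max(
        (h for h, ip in hops.items()
         if ip is not None and ip != endpoint_ip
         and (first_endpoint is None or h < first_endpoint)),
        default=None,
    )
    return {
        "endpoint_hops": endpoint_hops,
        "duplicate_endpoint": len(endpoint_hops) > 1,
        "timeout_hops": timeout_hops,
        "last_internal_hop": last_internal,
    }


# Constructed sample: the endpoint 198.51.100.44 answers at hops 4 and 5,
# and hop 3 (where the ASA would sit) never replies.
SAMPLE_TRACE = """\
traceroute to 198.51.100.44 (198.51.100.44), 30 hops max, 60 byte packets
 1  10.10.20.1 (10.10.20.1)  0.412 ms  0.389 ms  0.377 ms
 2  10.10.0.2 (10.10.0.2)  1.201 ms  1.187 ms  1.164 ms
 3  * * *
 4  198.51.100.44 (198.51.100.44)  8.102 ms  8.077 ms  8.051 ms
 5  198.51.100.44 (198.51.100.44)  8.310 ms  8.298 ms  8.255 ms
"""

if __name__ == "__main__":
    print(analyse_trace(SAMPLE_TRACE, "198.51.100.44"))
```

Paste the real traceroute output into a file and call analyse_trace on its contents with the endpoint IP from the NetPath service. A duplicate_endpoint of True is the condition step 4 asks about; the timeout_hops list tells you which of the two graph variants from the Overview you are looking at.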
