Monitoring, Log Triage, and Route or Service Troubleshooting Lab
Key Takeaways
- Separate monitoring evidence, log evidence, path evidence, and service evidence to triage PBQs faster.
- Interface counters, syslog, SNMP, flow data, and packet captures each answer a different question.
- Routing issues surface as missing routes, wrong gateways, ACL blocks, or asymmetric paths.
- Service failures require checking name resolution, port reachability, process health, certificates, and dependencies in order.
- A clear escalation note states scope, symptoms, timestamps, tests performed, findings, and the next action.
Monitoring and Troubleshooting Lab
Many N10-009 performance-based questions hand you a small set of logs, counters, route tables, or command outputs. Your job is to decide what changed, where the failure begins, and which fix matches the evidence. CompTIA's published troubleshooting methodology (identify the problem, establish a theory, test the theory, plan and implement, verify, document) frames the correct answer - PBQs often reward following that order rather than jumping to a fix.
Scenario
Users in VLAN 10 report the intranet is unavailable. Users in VLAN 30 reach the same intranet server. Internet access still works for VLAN 10.
| Evidence | Result |
|---|---|
| User IP | 172.20.10.55/24 |
| User gateway | 172.20.10.1 |
| Intranet server | 172.20.30.25 |
| Ping gateway | Success |
| Ping intranet server | Fails |
| DNS lookup of intranet name | 172.20.30.25 (correct) |
| TCP 443 test to intranet | Timeout |
| Firewall log | Deny 172.20.10.55 to 172.20.30.25 TCP 443, rule 90 |
DNS resolves correctly, the local gateway responds, and the destination IP is known. The firewall deny log is the strongest clue. The next action is to review the rule set and move or add an approved user-to-intranet HTTPS allow rule above the deny.
Evidence Types
| Tool or source | Best for | Example clue |
|---|---|---|
| Syslog | Device events and severity | Interface down, denied traffic, auth failure |
| SNMP | Health and performance polling | Interface utilization, errors, CPU, memory |
| NetFlow / flow data | Who talked to whom and how much | Top talkers, unusual destination ports |
| Packet capture | Packet-level proof | TCP SYN retransmits, TLS alert, ARP behavior |
| Interface counters | Link quality and errors | CRC errors, drops, duplex mismatch |
| Route table | Path selection | Missing default route, wrong next hop |
| DNS tools | Name resolution | Wrong record, no response, split-DNS issue |
Syslog uses severity levels 0 (emergency) through 7 (debug); a level-3 (error) link-down message outranks a level-6 informational message when triaging. SNMP polls device health, while NetFlow records conversations - use SNMP for "is the link saturated" and NetFlow for "who is saturating it."
Route Triage
| Symptom | Likely issue | Useful commands |
|---|---|---|
| Reach local gateway, not remote network | Route, ACL, firewall, or upstream | ping, traceroute, route table |
| Traceroute stops at the firewall | Policy block or missing route past it | firewall logs, route table |
| One direction works, return fails | Asymmetric routing, missing return route | route tables on both sides |
| Only one subnet affected | VLAN interface, ACL, route advertisement, DHCP | interface status, ACL, DHCP lease |
Service Triage
Work bottom-up through the stack so you do not chase the wrong layer.
| Layer | Question | Test |
|---|---|---|
| DNS | Does the name resolve to the expected IP? | nslookup or dig |
| Network path | Can the client reach the destination network? | ping or traceroute where allowed |
| Transport | Is the expected port reachable? | tcping, nc, Test-NetConnection, capture |
| Application | Is the service process healthy? | service status, HTTP response, logs |
| Security | Is a firewall, ACL, certificate, or auth control blocking it? | firewall logs, TLS details, auth logs |
Do not stop at "ping fails" when ICMP is blocked by policy. For web services, a TCP 443 test plus firewall logs is far more useful than ping, because many networks drop ICMP while permitting HTTPS.
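The bottom-up walk in the table above, applied to the VLAN 10 scenario, as an added Python example (not from the exam objectives or any vendor tool); the Evidence fields, the triage function and the sample evidence values are assumptions constructed for illustration, and the ICMP caveat is handled by letting a successful port test outrank a failed ping:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Evidence:
    """Results gathered in the order the service triage table lists them."""
    expected_ip: str
    dns_result: Optional[str]        # IP the name resolved to, None if no answer
    gateway_ping: bool
    server_ping: bool
    icmp_blocked: bool               # policy is known to drop ICMP on this path
    tcp_port_open: bool              # e.g. TCP 443 connect succeeded
    http_status: Optional[int]       # None if no HTTP response was obtained
    firewall_deny: Optional[str]     # matching deny log line, if any

def triage(ev: Evidence) -> Tuple[str, str, str]:
    """Return (layer, finding, next action) for the first layer with proof of failure."""
    if ev.dns_result is None:
        return ("DNS", "name does not resolve", "check DNS server reachability and the record")
    if ev.dns_result != ev.expected_ip:
        return ("DNS", f"resolves to {ev.dns_result}, expected {ev.expected_ip}",
                "fix the record or the split-DNS view")
    if not ev.gateway_ping:
        return ("Network path", "local gateway unreachable",
                "check client IP/mask/VLAN and the gateway SVI")
    if ev.tcp_port_open:
        # Port reachable: path and transport are proven, whatever ping said
        if ev.http_status is None or ev.http_status >= 500:
            return ("Application", f"port open but HTTP status {ev.http_status}",
                    "check service process, application logs, certificate")
        return ("None", "all layers pass", "re-confirm scope and timestamps with the user")
    if ev.firewall_deny:
        return ("Security", f"explicit firewall deny: {ev.firewall_deny}",
                "review the rule; place an approved allow above the deny, verify, document")
    if not ev.server_ping and not ev.icmp_blocked:
        return ("Network path", "server IP unreachable and ICMP is permitted",
                "traceroute; check routes and ACLs in both directions")
    # Port closed/timeout, no deny logged, ping inconclusive: suspect transport/listener
    return ("Transport", "port times out; ping inconclusive because ICMP is blocked",
            "capture at the server edge; confirm the listener and any host firewall")

# Constructed evidence reproducing the VLAN 10 scenario from this page
SCENARIO = Evidence("172.20.30.25", "172.20.30.25", True, False, False, False, None,
                    "Deny 172.20.10.55 to 172.20.30.25 TCP 443, rule 90")
```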
Example Log Triage
| Log line | Interpretation |
|---|---|
| %LINK-3-UPDOWN: Gi1/0/24 changed state to down | Physical or data-link event on a switchport |
| Deny TCP 172.20.10.55:51512 to 172.20.30.25:443 | Firewall policy blocked a web session |
| DHCPDISCOVER from client, no DHCPOFFER observed | DHCP server, relay, VLAN, or trunk issue |
| OSPF neighbor down, dead timer expired | Routing adjacency failure |
| High CRC errors on Gi1/0/12 | Cable, transceiver, interference, or duplex |
A duplex mismatch (one side full, the other half) produces late collisions and CRC errors that look like a bad cable - check both interface speed/duplex settings before swapping hardware.
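A small parser that extracts the facility, severity and mnemonic from Cisco-style syslog prefixes and the 5-tuple from firewall deny lines, then orders them by the 0-7 severity scale described under Evidence Types; this is an added example, not device output or a vendor tool. The sample lines are constructed from the table above, and assigning severity 4 (warning) to deny lines that carry no numeric level is an assumption made here for ranking.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the log triage table (not captured from a real device)
SAMPLE_LOGS = [
    "%LINK-3-UPDOWN: Gi1/0/24 changed state to down",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started",
    "Deny TCP 172.20.10.55:51512 to 172.20.30.25:443, rule 90",
    "%OSPF-5-ADJCHG: Process 1, Nbr 172.20.0.2 on Vlan30 from FULL to DOWN, dead timer expired",
]

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}

# Cisco-style %FACILITY-SEVERITY-MNEMONIC: message
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)")
# Firewall deny with protocol, source/destination sockets and optional rule number
DENY_RE = re.compile(
    r"Deny (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:, rule (?P<rule>\d+))?")

def parse_line(line: str) -> Dict:
    """Classify one log line and pull out the fields a triage note needs."""
    m = SYSLOG_RE.match(line)
    if m:
        sev = int(m.group("sev"))
        return {"kind": "syslog", "severity": sev, "level": SEVERITY_NAMES[sev],
                "facility": m.group("facility"), "mnemonic": m.group("mnemonic"),
                "msg": m.group("msg")}
    m = DENY_RE.search(line)
    if m:
        # Deny lines have no numeric level; rank them as warning (assumption)
        return {"kind": "firewall_deny", "severity": 4, "level": "warning", **m.groupdict()}
    return {"kind": "unknown", "severity": 7, "level": "debug", "msg": line}

def triage(lines: List[str]) -> List[Dict]:
    """Parse every line and return them most urgent first (lowest severity number)."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e["severity"])

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGS):
        print(entry["severity"], entry["level"], entry["kind"],
              entry.get("mnemonic") or f"{entry.get('src')} -> {entry.get('dst')}:{entry.get('dport')}")
```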
Escalation Note Template
When a PBQ asks you to document the issue, keep it concise and actionable:
- Scope: VLAN 10 users cannot reach intranet HTTPS; VLAN 30 users can.
- Time: Reports began after the 09:15 firewall change.
- Tests: Gateway ping succeeds; DNS resolves; TCP 443 times out.
- Evidence: Firewall denies VLAN 10 to 172.20.30.25 TCP 443 on rule 90.
- Next action: Review rule 90; place an approved HTTPS allow rule above the deny, then verify and document.
Common PBQ Traps
- Replacing cabling when logs show an explicit firewall deny.
- Treating DNS as broken after the name resolved correctly.
- Assuming ping failure means the server is down when ICMP is blocked.
- Ignoring return routes and asymmetric routing.
- Watching only average bandwidth and missing interface errors or drops.
- Escalating without timestamps, affected scope, or supporting evidence.
A client resolves a server name correctly, reaches its gateway, but TCP 443 to the server times out and firewall logs show a deny. What is the most likely cause?
An interface shows high CRC errors and late collisions, but the cable tests fine. What should you check before replacing hardware?
Which evidence source is best for identifying CRC errors and drops on a physical switch interface?
Which details belong in a useful network escalation note? Select three.