By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given a scenario, troubleshoot connectivity issues. Objective: Given a scenario, troubleshoot common performance issues.
The bulk of this guide will cover troubleshooting connectivity issues. This description will include common networking configuration issues and the tools that are commonly used to troubleshoot these networking issues. Topics: - Network Security Group Misconfigurations - Common Networking Configuration Issues - Network Troubleshooting Tools - Resource Utilization - Application - Incorrectly Configured or Failed Load Balancing 1. _____ are designed to protect a VPC, whereas _____ are used to protect virtual machines within a VPC. 2. With _____ a network connection is established between two VPCs. 3. What are some of the components that make up QoS? 4. You can see the gateways that the packet passes through by executing the _____ command. Answers: 1. Security groups, network ACLs 2. Peering 3. Bandwidth, latency, and jitter 4. tracert or traceroute Network Security Group Misconfigurations Recall that a network security group is designed to provide protection to a network (VPC). These groups act like virtual firewalls for your cloud-based network. However, they aren’t designed to protect everything in the VPC, but rather just the virtual machine (VM) resources. To protect the entire VPC, you can create network ACLs (access control lists). Some additional differences are demonstrated below.
TABLE: Security Group versus NACL
Feature
Security Groups
NACLs
State
Stateful (incoming rules will be applied to outgoing rules automatically)
Stateless
Allow or deny
Only allow rules are permitted
Both allow and deny rules are permitted
Rule order
Does not apply
Rules are applied in the order that they appear in the rule list
Number of rule sets
Multiple security groups can be applied to a subnet
Only one NACL can be applied to a subnet
Access Control Lists (ACLs) A misconfigured network ACL can end up blocking or allowing access to the resources, which is not the intention. Keep in mind that the order of the rules is important, so not placing rules in the correct order can result in unexpected results. For example, suppose you want to allow all systems from the 192.168.100.0/24 network to be allowed to connect to the subnet, but you don’t want to allow machine 192.160.100.200 from that subnet to have any access. A rule set like the following would work to accomplish this goal (note that these are not actual rules, but verbal descriptions of the rules, and … represents “other rules that don’t apply in this example”): … Rule 27: Block 192.168.100.200 Rule 28: Allow 192.168.100.0/24 However, the following rule set would not block 192.168.100.200: Rule 27: Allow 192.168.100.0/24 Rule 28: Block 192.168.100.200 After a rule is applied to an inbound packet, none of the subsequent rules will be applied. Inheritance In some cases you may be able to inherit NACLs from other rule sets. If this is the case, understand fully what rules the inherited rule set provides. If it is true inheritance (sometimes it is just a copy of an existing rule set), understand that changes to the inherited rule set can impact your overall rule set. Typically, inherited rule sets are applied first, so this is another complication that you need to consider when using this feature. Common Networking Configuration Issues In any network environment, a large number of things can go wrong. In this section you’ll learn about some of the common networking configuration issues that you may encounter. Note that for any of the network categories found in this section, dozens of different issues can cause problems. It is important to note that this exam objective is about focusing on “common” networking issues that are based on “configuration,” not all of the networking issues that can arise from multiple categories of problems. Within your cloud network, you may encounter situations in which you want resources in one VPC to be able to communicate with resources in another VPC. This type of communication isn’t normally configured by default. If the resources have public IP addresses, they may be able to communicate, but this communication also might be blocked by security group rules or network ACL rules. The communication might also suffer lags because the network packets are routed toward the Internet first and then back into the security group, VPC, and then the destination resource. With peering (often called VPC peering or virtual network peering), a network connection is established between two VPCs. This connection allows resources to communicate between the two VPCs, much like if they were on the same network. In this way, resources can use the cloud network instead of the Internet for communications. In terms of troubleshooting, one common issue arises when one VPC becomes associated with the peering connection. Another issue to look for is if one of the VPCs is migrated to a different region, which will likely require establishing a new peering connection. Incorrect Subnet, IP Address, and IP Space Many of the cloud resources that are assigned an IP address make use of dynamic assignment via a DHCP server. This server is normally provided by the cloud provider (or, for on-premises solutions, managed by your organization). For some situations you may want to use static IP assignment in which you manually configure the IP address, subnet mask, and other network settings. This configuration is important to ensure a consistent IP address for servers. However, whenever you manually configure IP settings, you run the risk of errors. You may provide the wrong address, subnet, IP space, or other networking configuration information. This can result in connectivity issues. To troubleshoot such issues, verify the network settings and make sure they are correct for the network where the resource was placed. Try to connect to the system from outside the network using the tools described in the “Network Troubleshooting Tools” section later in this guide, including the ping, ipconfig/ifconfig/ip, and tracert/traceroutecommands. Routes A route is the way a resource communicates outside the local network. This communication is sent to a router (also called a gateway). An incorrectly configured route can result in not being able to send network packets outside the local network. Use the routecommand, which is described in the “Route” section later in this guide, to see how to display the routes and make changes to the routes. Default In some cases, a resource might be in a network that has different routers connected to the network. For example, one router may provide access to another network within your infrastructure, whereas another router may provide access to the Internet. In this scenario, you would configure the resource’s routing table to specifically send any network traffic destined for the internal network directly to a specific router. Then you would have a rule in the routing table that says, “Send all other network traffic (besides traffic on the local network that the resource is a part of) to the Internet router.” In this case, the Internet router is referred to as the default router. As with any routing issue, you should use the routecommand, which is described in the “Route” section later in this guide, to help you troubleshoot issues with the default router. Static In static routing an administrator sets specific routers or gateways to route network traffic. A static route doesn’t change after it has been set, unless the administrator manually changes the configuration. The potential problem with static routing is that it creates a single point of failure. If the specified router becomes unresponsive, traffic to that network no longer works. To resolve this issue, troubleshoot issues with that router, which can include mechanical problems or a configuration change. Additionally, you can consider switching to dynamic routing. Dynamic In dynamic routing routing paths can change automatically based on algorithms that indicate the best routing path to take. While more complex than static routing, dynamic routing tends to be more robust because lost connectivity to a router results in a new routing path being chosen. Dynamic routing is normally used in large network infrastructures and can be complex to implement and administer. When issues do arise, you should focus troubleshooting efforts on the routing protocol and use tools described in the “Ping” and “Tracert/Traceroute” sections in this guide. Firewall A firewall is used to either permit or block network traffic based on conditions like the source IP of the network packet or the destination port of the network packet, for example. For further details, see “Firewall Software” in “OS and Application Security Controls.” Incorrectly Administered Microsegmentation Microsegmentation is a security feature that allows administrators to logically divide resources into groups and apply a different set of security rules to each group. In terms of firewalls, microsegmentation is the process of creating zones. To troubleshoot, start by creating a network diagram that displays all of the resources in the network and which zone each resource belongs to. Verify that the zone rules are applied correctly for each resource that resides within that zone. To test connectivity though the firewall, use tools described in the “Ping” and “Tracert/Traceroute” sections in this guide. Network Address Translation (NAT) Network Address Translation is a configuration setting found on a router that converts the private IP addresses of a network packet into public IP addresses. The goal is to be able to send network packets from internal, private networks to the Internet without exposing the internal addresses. NAT was originally designed to overcome the lack of Internet-routable IP addresses that IPv4 provides, but it has other benefits. There are several different forms of NAT: - DNAT (Destination NAT): Used when you want to place servers behind a firewall and still provide access from an external network. - SNAT(Source NAT): Used when you have an internal network with statically assigned private IP addresses. Using SNAT, you can funnel access to the Internet via a single machine that has a live IP address (an address that is routable on the Internet). This system is configured with SNAT, which is used to map internal addresses with external communication. - MASQUERADE: Used when you have an internal network with dynamically (DHCP) assigned private IP addresses. Using MASQUERADE, you can funnel access to the Internet via a single machine that has a live IP address (an address that is routable on the Internet). This system is configured with MASQUERADE, which is used to map internal addresses to external communication.
Because most internal networks use DHCP to assign IP addresses, MASQUERADE is more common than SNAT. It is also easier to configure because SNAT requires you to create rules for each internal system.
NAT rules are often implemented on a router that acts as a firewall. The rules of the firewall perform the modification of the source and destination IP addresses in the metadata of the network packets. As a result, when you’re troubleshooting issues with NAT, the configuration of the firewall that performs the NAT function should be the first place you look. For details about VPNs, see “Virtual Private Networks (VPNs)” in “Cloud Networking Solutions.” Load Balancers and DNS Records For more details, see the “Load Balancers” and “Domain Name Service (DNS)” sections here. VLAN/VxLAN/GENEVE and Proxy For more information, see “Virtual LAN (VLAN)/Virtual Extensible LAN (VxLAN)/Generic Network Virtualization Encapsulation (GENEVE)” and “Proxy Servers” in “Secure a Network in a Cloud Environment.” Maximum Transmission Unit (MTU) When packets are sent on the network, there needs to be an agreement between the different nodes on the network as to the maximum size of the packet. As a result, an attribute called the maximum transmission unit, or MTU, is normally assigned to the network. The MTU tells the system that when it puts together network packets they should not exceed the size indicated by this value. On most modern systems, this value is automatically assigned when the network interface (network interface card, or NIC) first connects to the network. A query is sent to the node attached to the local node to determine what the maximum packet size should be. This value can also be configured manually, but the risk with that is the value might not be the same as other nodes on the network. The standard MTU size is 1500 bytes, but this value can be adjusted to provide better network performance. For troubleshooting, ensure that all nodes in the network are using the same MTU. Quality of Service (QoS) Quality of service is a term that is applied to networks to ensure that the overall performance of a network is within an acceptable range. QoS is closely related to other terms, including bandwidth, latency, and jitter. See “Network” in “Optimize Cloud Environments” for more details on these terms. Time Synchronization Issues For more details on time synchronization issues, see the “Network Time Protocol (NTP)” section here. Network Troubleshooting Tools In this section you’ll explore a collection of troubleshooting tools that you can use to determine the cause of networking issues. The examples provided are executed on a Linux-based system. In most cases these tools will also function on Windows or MacOS. ping The pingcommand is used to verify that a remote host can respond to a network connection: [root@OCS ~]# ping -c 4 google.com PING google.com (172.217.5.206) 56(84) bytes of data. 64 bytes from lax28s10-in-f14.1e100.net (172.217.5.206): icmp_seq=1 ttl=55 time=49.0 ms 64 bytes from lax28s10-in-f206.1e100.net (172.217.5.206): icmp_seq=2 ttl=55 time=30.2 ms icmp_seq=3 ttl=55 time=30.0 ms icmp_seq=4 ttl=55 time=29.5 ms --- google.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3008ms rtt min/avg/max/mdev = 29.595/34.726/49.027/8.261 tracert/traceroute When you send a network packet to a remote system, especially across the Internet, it often needs to go through several gateways before it reaches its destination. You can see the gateways that the packet passes through by executing the traceroutecommand: # traceroute onecoursesource.com traceroute to onecoursesource.com (38.89.136.109), 30 hops max, 60 byte packets - 1 10.0.2.2 (10.0.2.2) 0.606 ms 1.132 ms 1.087 ms - 2 b001649-3.jfk01.atlas.cogentco.com (38.104.71.201) 0.738 ms 0.918 ms 0.838 ms - 3 154.24.42.205 (154.24.42.205) 0.952 ms 0.790 ms 0.906 ms - 4 be2629.ccr41.jfk02.atlas.cogentco.com (154.54.27.66) 1.699 ms 1.643 ms 1.347 ms - 5 be2148.ccr41.dca01.atlas.cogentco.com (154.54.31.117) 8.053 ms 7.719 ms 7.639 ms - 6 be2113.ccr42.atl01.atlas.cogentco.com (154.54.24.222) 18.276 ms 18.418 ms 18.407 ms - 7 be2687.ccr21.iah01.atlas.cogentco.com (154.54.28.70) 32.861 ms 32.917 ms 32.719 ms - 8 be2291.ccr21.sat01.atlas.cogentco.com (154.54.2.190) 38.087 ms 38.025 ms 38.076 ms - 9 be2301.ccr21.elp01.atlas.cogentco.com (154.54.5.174) 48.811 ms 48.952 ms 49.151 ms 10 be2254.ccr21.phx02.atlas.cogentco.com (154.54.7.33) 57.332 ms 57.281 ms 56.896 ms 11 te2-1.mag02.phx02.atlas.cogentco.com (154.54.1.230) 56.666 ms 65.279 ms 56.520 ms 12 154.24.18.26 (154.24.18.26) 57.924 ms 58.058 ms 58.032 ms 13 38.122.88.218 (38.122.88.218) 79.306 ms 57.740 ms 57.491 ms 14 onecoursesource.com (38.89.136.109) 58.112 57.884 ms 58.299 ms
Note that on some systems, like Microsoft Windows, the traceroutecommand is called tracert. flushdns DNS entries are often cached for a period of time. This can cause problems if the DNS records change. To remove the cached DNS entries in Microsoft Windows, execute the ipconfig /flushdnscommand. ipconfig/ifconfig/ip The ifconfigcommand displays basic IP network settings for devices: [root@localhost ~]# ifconfig enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.26 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::a00:27ff:feb0:dddc prefixlen 64 scopeid 0x20<link> ether 08:00:27:b0:dd:dc txqueuelen 1000 (Ethernet) RX packets 103224 bytes 17406939 (16.6 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 16408 bytes 3008229 (2.8 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 0 (Local Loopback) RX packets 4891 bytes 257583 (251.5 KiB) TX packets 4891 bytes 257583 (251.5 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 Table below describes important options for the ifconfigcommand. TABLE: Common ifconfig Options
Option
Description
-a
Displays all interfaces, even interfaces that are currently down
-s
Displays output like the netstat -i command
-v
Turns on verbose mode
The ifconfigcommand can also be used to manually define network settings for a specific device. For example: ifconfig enp0s3 192.168.1.26 netmask 255.255.255.0 broadcast 192.168.1.255
These changes are temporary and will survive only until the next time the system is booted. Permanent changes are made within your system’s configuration files, which vary from one distribution to another. Note that on some systems, like Microsoft Windows, the ifconfigcommand is called ipconfig. The newer ipcommand is designed to replace a collection of commands related to network interfaces. Table below describes some of the more important options. TABLE: Important ip Options
Object
Refers to
addr
IPv4 or IPv6 address
link
Network device
route
Routing table entry
TABLE: Important ip Commands
Command
add
Adds an object
delete
Deletes an object
show (or list)
Displays information about an object
The following example displays network information for devices, much like the ifconfigcommand: [root@OCS ~]# ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever - inet6 ::1/128 scope host 2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 - link/ether 08:00:27:b0:dd:dc brd ff:ff:ff:ff:ff:ff - inet 192.168.1.26/24 brd 192.168.1.255 scope global dynamic enp0s3 valid_lft 2384sec preferred_lft 2384sec inet 192.168.1.24/16 brd 192.168.255.255 scope global enp0s3 inet6 fe80::a00:27ff:feb0:dddc/64 scope link valid_lft forever preferred_lft forever nslookup/dig The nslookupcommand is designed to perform simple queries on DNS servers: [root@OCS ~]# nslookup google.com Server:8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name:google.com Address: 216.58.219.238
Although this command has often been referred to as obsolete or deprecated, it is still often used on modern distributions. The nslookupcommand is normally run without any options. The digcommand is useful for performing DNS queries on specific DNS servers. The format of the command is demonstrated here: [root@OCS ~]# dig google.com ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56840 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;google.com.INA ;; ANSWER SECTION: google.com. 268INA216.58.217.206 ;; Query time: 36 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Sun Mar 05 17:01:08 PST 2017 ;; MSG SIZE rcvd: 55
To query a specific DNS server rather than the default DNS servers for your host, use the following syntax: dig @server host_to_lookup. Table 25.5 describes common options for the digcommand.
TABLE: Common dig Options
-f file
Uses the content of file to perform multiple lookups; the file should contain one hostname per line.
-4
Performs only IPv4 queries.
-6
Performs only IPv6 queries.
-x address
Performs a reverse lookup (returns the hostname when provided an IP address).
netstat/ss The netstatcommand is useful for displaying a variety of network information. It is a key utility when troubleshooting network issues. Table 25.6 describes common options for the netstatcommand.
TABLE: Common netstat Options
-t or --tcp
Displays TCP information
-u or --udp
Displays UDP information
-r or --route
Displays the routing table
-v or --verbose
Turns on verbose mode; displays additional information
-i or --interfaces
Displays information based on a specific interface
-a or --all
Applies to all
-s or --statistics
Displays statistics for the output
For example, the following command will display all active TCP connections: [root@OCS ~]# netstat -ta Active Internet connections (servers and established) Proto Recv-Q Send-QLocal AddressForeign Address State tcp 0 0 192.168.122.1:domain0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:ssh0.0.0.0:* LISTEN tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN tcp 0 0 localhost:smtp0.0.0.0:* LISTEN tcp60 0 [::]:ssh[::]:* LISTEN tcp60 0 localhost:ipp [::]:* LISTEN tcp60 0 localhost:smtp[::]:* LISTEN The sscommand is used to display socket information. Without any options, it lists all open sockets. For example: [root@OCS ~]# ss | wc -l 160 [root@OCS ~]# ss | head Netid StateRecv-Q Send-Q Local Address:PortPeer Address:Port u_str ESTAB00 /var/run/dovecot/anvil 23454966* 23454965 u_str ESTAB00 /var/run/dovecot/anvil 23887673* 23887672 u_str ESTAB00 /run/systemd/journal/stdout 13569 * 13568 u_str ESTAB00 * 13893* 13894 u_str ESTAB00 * 13854* 13855 u_str ESTAB00 * 13850* 13849 u_str ESTAB00 * 68924* 68925 u_str ESTAB00 * 17996* 17997 u_str ESTAB00/var/run/dovecot/config 9163531 * 9163871
TABLE: Common ss Options
-lt
Lists open TCP sockets
-lu
Lists open UDP sockets
-lp
Lists the process ID that owns each socket
-n
Doesn’t resolve IP addresses to hostnames or port numbers to port names
Displays all information
Displays a summary
route The routecommand can be used to display a routing table: [root@OCS ~]# route Kernel IP routing table Destination GatewayGenmask Flags Metric Ref Use Iface default192.168.1.1 0.0.0.0 UG 10000enp0s3 192.168.0.0 0.0.0.0255.255.0.0U 10000enp0s3 192.168.1.0 0.0.0.0255.255.255.0 U10000enp0s3 This information can also be displayed with the ipcommand: [root@OCS ~]# ip route show default via 192.168.1.1 dev enp0s3 proto static metric 100 192.168.0.0/16 dev enp0s3 proto kernel scope link src 192.168.1.24 metric 100 192.168.1.0/24 dev enp0s3 proto kernel scope link src 192.168.1.26 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 The routecommand can also be used to modify the default router: route add default gw 192.168.1.10 To add a new router, execute the following command: route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.100 This command will send all network packets destined for the 192.168.3.0/24 network to the 192.168.3.100 router. These changes are temporary and will survive only until the next time the system is booted. Permanent changes are made within your system’s configuration files, which vary from one distribution to another. arp The arpcommand is used to view the Address Resolution Protocol (ARP) table or make changes to it. This table is used on a local network to keep track of which IP addresses are associated with Media Access Control (MAC) addresses, because within a local network, MAC addresses are used to communicate between network devices. Note that MAC addresses are often referred to as hardware addresses. When executed with no arguments, the arpcommand displays the ARP table: # arp Address HWtype HWaddress Flags MaskIface 192.168.1.11ether30:3a:64:44:a5:02Ceth0 In the event that a remote system has its network card replaced (or if a virtual network device has been assigned a new MAC address), you might need to delete an entry from the ARP table. You can accomplish this by using the -doption to the arpcommand: # arp -i eth0 -d 192.169.1.11
After the address is removed from the ARP table, there should be no need to add the new address manually. The next time the local system uses this IP address, it will send a broadcast request on the appropriate network to determine the new MAC address. curl The curlcommand allows for noninteractive data transfer from a large number of protocols, including - FTPS - SCP - SFTP - SMB - SMBS - TFTP In the following example, data from the http://onecoursesource.com URL is downloaded to the local system: # curl http://onecoursesource.com <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.onecoursesource.com/">here</a>.</p> </body></html> Packet Capture When you’re troubleshooting network issues or performing network security audits, it can be helpful to view the network traffic, including traffic that isn’t related to the local machine. The tcpdumpcommand is a packet capture utility, and it enables you to view local network traffic. By default, the tcpdumpcommand displays all network traffic to standard output until you terminate the command. Running this command could result in a dizzying amount of data flying by on your screen. You can limit the output to a specific number of network packets by using the -coptions: # tcpdump -c 5 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 11:32:59.630873 IP localhost.43066 > 192.168.1.1.domain: 16227+ A? onecoursesource.com. (37) 11:32:59.631272 IP localhost.59247 > 192.168.1.1.domain: 2117+ PTR? 1.1.168.192.in-addr.arpa. (42) 11:32:59.631387 IP localhost.43066 > 192.168.1.1.domain: 19647+ AAAA? 11:32:59.647932 IP 192.168.1.1.domain > localhost.59247: 2117 NXDomain* 0/1/0 (97) 11:32:59.717499 IP 192.168.1.1.domain > localhost.43066: 16227 1/0/0 A 38.89.136.109 (53) 5 packets captured 5 packets received by filter 0 packets dropped by kernel Packet Analyzer Wireshark is an amazing network capture and analyzer tool that provides both graphical user interface (GUI) and text-based user interface (TUI) tools. To start the GUI tool, execute the wiresharkcommand. The output should be similar to the figure below: The wiresharkCommand
To view network traffic, you need to start a capture. Click Capture+ Start. You can also limit what is captured by setting filters and options (click Capture+ Options). To use the TUI-based form of Wireshark, execute the tsharkcommand as the root user: # tshark Capturing on 'enp0s3' 1 0.00000000010.0.2.15 → 68.105.28.11 DNS 81 Standard query 0xeec4 A google.com OPT 2 0.00103127910.0.2.15 → 68.105.28.11 DNS 81 Standard query 0x3469 AAAAgoogle.com OPT 3 0.017196416 68.105.28.11 → 10.0.2.15DNS 109 Standard query response 0x3469 AAAA google.com AAAA 2607:f8b0:4007:800::200e OPT 4 0.017265061 68.105.28.11 → 10.0.2.15DNS 97 Standard query response 0xeec4 A google.com A 172.217.14.110 OPT 5 0.01848238810.0.2.15 → 172.217.14.110 ICMP 98 Echo (ping) request id=0x122c, seq=1/256, ttl=64 6 0.036907577 172.217.14.110 → 10.0.2.15ICMP 98 Echo (ping) replyid=0x122c, seq=1/256, ttl=251 (request in 5) 7 1.02105281110.0.2.15 → 172.217.14.110 ICMP 98 Echo (ping) request id=0x122c, seq=2/512, ttl=64 8 1.039492225 172.217.14.110 → 10.0.2.15ICMP 98 Echo (ping) replyid=0x122c, seq=2/512, ttl=251 (request in 7) OpenSSL Client Secure communication over SSL is an important component of cloud-based networking. To troubleshoot SSL issues, you may need to make use of the openssl clientutility. For example, to test an SSL connection, you can execute the following command: openssl s_client -connect <hostname>:<port>
Replace <hostname> with the SSL server’s hostname and <port> with the network port that the server is listening on. Resource Utilization As previously mentioned, you’ll notice several redundancies in the CompTIA Cloud+ objectives. This section is a good example because many of these topics were covered in previous guides: - CPU, GPU, and Memory: “Compute Sizing for Deployment” - Storage and I/O: “Storage in Cloud Environments” - Capacity: “Operation of a Cloud Environment” - Network Bandwidth and Latency: “Optimize Cloud Environments” - Replication: “Disaster Recovery Tasks” - Scaling: “High Availability and Scaling in Cloud Environments”
Application configuration consists of providing resources to the application so that the application is able to perform its tasks. In this section you’ll learn about two troubleshooting categories of application configuration: memory management and service overload. Memory Management Like all compute operations, applications need memory to store information. When you deploy an application in a cloud environment, you also assign a specific amount of memory to the application. This requirement might not meet the needs of the application, however. Because most cloud environments provide tools to monitor memory usage for an application, the way you troubleshoot this sort of problem is to view the metrics for memory utilization. You can also set warnings when memory utilization reaches a specific value to receive advance warning of potential problems. Adding more memory for the application might seem like an easy solution, but remember that memory, like most cloud resources, comes at a cost. You might also want to consider optimizing the application so that it doesn’t require much memory. This task might be something that you can do in a configuration file for the application, but also might require working with the developers who maintain the application. Service Overload An application service overload can be the result of the application using more CPU or vCPU resources than it has been allocated. As with memory resources, most cloud environments allow you to monitor vCPU utilization. Troubleshooting this issue is similar to troubleshooting a lack of memory: determine whether the application can be modified to use less vCPU resources or allocate more vCPU resources. Incorrectly Configured or Failed Load Balancing To learn more about incorrectly configured or failed load balancing, see the “Load Balancers” here. Quiz: 1. In which of the following cloud components is the order of the rules unimportant? A.Network ACL C.Security group D.The order of the rules is important in all of these components. 2. Which type of NAT is used when you want to place servers behind a firewall and still provide access from an external network? A.DNAT B.SNAT C.MASQUERADE D.FWALL 3. The standard MTU size is _____ bytes. A.700 B.2100 C.1400 D.1500 4. Which of the following can be used to display basic IP network settings for devices? (Choose all that apply.) A.ipconfig B.ifconfig C.if D.ip Answers: 1. Security group 2. DNAT 3. 1500 4. ipconfig, ifconfig, and ip
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.