Network+ N10-009 — Advanced Module

OSI Troubleshooting Deep Dive

Systematic diagnosis at every layer — from Physical to Application

Advanced 19 Slides N10-009 Obj 5.1 N10-009 Obj 5.2 – 5.5
Troubleshooting Approach

The Bottom-Up Methodology

Why you always start at Layer 1

  • Start at Layer 1, work up — the majority of network issues trace back to physical problems: bad cables, wrong connectors, duplex mismatches.
  • CompTIA methodology: Identify the problem → Establish a theory → Test the theory → Establish an action plan → Implement the solution → Verify functionality → Document findings.
  • Bottom-up is the most common approach on the exam. When a question gives you symptoms and asks where to start, think Layer 1 unless the scenario explicitly rules it out.

Systematic layer progression — each layer depends on the one below it:

L1 Physical
L2 Data Link
L3 Network
L4 Transport
L5 Session
L6 Presentation
L7 Application
Exam Tip: If a question asks which troubleshooting approach starts at the cable and works toward the user, the answer is bottom-up. If it starts at the application and works down, that is top-down. CompTIA favors bottom-up as the default.

Layer 1 — Physical
L1

Physical Layer — What Breaks

Cable, connectors, power, and the environment

Cable Faults

  • Damaged or kinked cable causing intermittent signal loss
  • Wrong cable type — crossover vs. straight-through (less common with auto-MDIX, still tested)
  • Distance violation — Cat5e/Cat6 max is 100 m; fiber limits vary by standard
  • Wrong connector — RJ-45 vs. RJ-11, LC vs. SC fiber mismatch

Signaling & Electrical

  • Duplex / speed mismatch — one side auto, one side manual hard-set = late collisions and performance degradation
  • EMI / crosstalk — unshielded cable near power lines, fluorescent lighting, motors
  • Attenuation — signal too weak at destination, usually distance-related
  • PoE issues — budget exceeded or wrong standard (802.3af 15.4 W vs. 802.3at 30 W)

Physical Layer Indicators on a Switch

  • Link light solid green — link established, correct speed and duplex
  • Link light amber / orange — STP blocking state, port security violation, or err-disabled
  • No link light — no electrical or optical connection; cable, port, or NIC failure
  • Flashing green — normal traffic (varies by vendor)

Physical Layer — How to Find It

Switch# show interfaces FastEthernet 0/1
  FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet
  Full-duplex, 100Mb/s
  Input errors: 847,  CRC: 203,  frame: 12,  overrun: 0
  Output errors: 0,  collisions: 1402,  late collisions: 891

  ^-- CRC errors  = cable or connector problem
  ^-- Late collisions = duplex mismatch (one end full, one end half)
  ^-- Input errors in general = Layer 1 physical problem

Key Indicators

  • CRC errors — corrupted frames at receive; suspect cable, connector, or interference
  • Late collisions — collision after 512 bits; almost always duplex mismatch
  • Runts / giants — frames too small or too large; cable noise or misconfigured MTU
  • Input errors — general catch-all for received frame corruption

Tools

  • Cable tester — verifies continuity and pinout on copper
  • OTDR — optical time-domain reflectometer for fiber fault location
  • Tone generator / probe — traces cable runs through walls
  • Multimeter — tests voltage, continuity; not for data cabling but for power circuits
Exam Tip: Late collisions = duplex mismatch. CRC errors = cable or connector problem. These two are the most frequently tested Layer 1 indicators on Network+.
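
Added example (not part of the original module): a Python script that reads the interface counters in the simplified "name: value" layout shown above and maps each non-zero indicator to the cause this slide gives for it. The function names, the CAUSES table and the "any non-zero value" rule are assumptions made for illustration.

```python
import re

# Constructed sample in the simplified "name: value" layout used on this page;
# a real switch formats these counters differently.
SAMPLE = """\
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet
  Full-duplex, 100Mb/s
  Input errors: 847,  CRC: 203,  frame: 12,  overrun: 0
  Output errors: 0,  collisions: 1402,  late collisions: 891
"""

# One "counter name: integer" pair; several can sit on the same line.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")

# Counter -> suspected cause, taken from the indicators listed on this slide.
# Order matters: the most specific indicator is reported first.
CAUSES = {
    "late collisions": "duplex mismatch (one end full, one end half)",
    "crc": "cable, connector or interference",
    "input errors": "general Layer 1 receive problem",
}


def parse_counters(text):
    """Return {lower-cased counter name: value} for every pair in the output."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip().lower()] = int(value)
    return counters


def layer1_findings(text):
    """Return (counter, value, suspected cause) for every non-zero indicator.

    Assumption: any non-zero value is worth reporting.
    """
    counters = parse_counters(text)
    findings = []
    for name, cause in CAUSES.items():
        value = counters.get(name, 0)
        if value > 0:
            findings.append((name, value, cause))
    return findings


if __name__ == "__main__":
    for name, value, cause in layer1_findings(SAMPLE):
        print(f"{name:<16} {value:>6}  -> suspect {cause}")
```

Interface counters are cumulative, so a second reading taken a few minutes later shows whether a count is still rising or is left over from an old fault.
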
Layer 2 — Data Link
L2

Data Link Layer — What Breaks

VLANs, STP, MAC tables, and ARP

VLAN Issues

  • VLAN mismatch — access port assigned to wrong VLAN; host cannot reach correct segment
  • Trunk not allowing VLAN — VLAN pruned or not added to allowed list on trunk port
  • Native VLAN mismatch — trunk ports configured with different native VLANs; untagged traffic placed on wrong VLAN

STP Issues

  • Wrong root bridge — unintended switch elected root due to default priority
  • Port stuck in blocking — STP detects a loop; port never transitions to forwarding
  • Network loop (no STP) — broadcast storm; CPU and bandwidth spike to 100%

MAC / ARP Issues

  • MAC flooding — CAM table overflow; switch falls back to hub mode (unicast flooding)
  • ARP poisoning — attacker responds to ARP requests with own MAC; MITM attack
  • Stale ARP cache — old mapping causes traffic sent to wrong or removed host

Port Security / Err-Disabled

  • Port security violation — unauthorized MAC address detected; port err-disabled
  • BPDU guard triggered — STP BPDU received on PortFast port; port err-disabled
  • Recovery — requires manual shutdown then no shutdown unless auto-recovery is configured

Data Link Layer — How to Find It

show vlan brief | show spanning-tree | show mac address-table
Switch# show vlan brief
VLAN  Name              Status    Ports
1     default           active    Fa0/1, Fa0/2
10    Sales             active    Fa0/3, Fa0/4
20    Engineering       active    Fa0/5
^-- Fa0/6 not listed -- unassigned port; host gets no VLAN access

Switch# show spanning-tree vlan 10
Root ID    Priority  24586
           Address   aabb.cc00.0100
           This bridge is the root

Port   Role  Sts  Cost  Prio  Type
Fa0/1  Desg  FWD  19    128   P2p
Fa0/3  Desg  BLK  19    128   P2p   <-- Port stuck in Blocking

Switch# show mac address-table interface Fa0/24
  VLAN  MAC Address       Type     Ports
  10    aa:bb:cc:00:01    DYNAMIC  Fa0/24
  10    aa:bb:cc:00:02    DYNAMIC  Fa0/24
  ... (8000+ entries -- MAC flood attack; CAM table exhausted)
Exam Tip: STP port states: Blocking → Listening → Learning → Forwarding. A port stuck in Blocking means STP detected a potential loop on that segment. An err-disabled port shows as a separate state and requires manual intervention to recover.
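
Added example (not part of the original module): a Python script that counts dynamically learned MAC addresses per port from `show mac address-table` style output and flags access ports holding far more entries than a single host would produce, which is the CAM-exhaustion pattern shown above. The sample table is constructed, and the threshold of 8 and the trunk port name `Gi0/1` are assumptions.

```python
from collections import defaultdict


def build_sample():
    """Constructed MAC table: two normal access ports, one static entry,
    an uplink trunk and one access port with 200 learned addresses."""
    lines = ["VLAN  MAC Address       Type     Ports"]
    lines.append("10    aabb.cc00.0001    DYNAMIC  Fa0/3")
    lines.append("10    aabb.cc00.0002    DYNAMIC  Fa0/4")
    lines.append("1     aabb.cc00.00ff    STATIC   CPU")
    for i in range(40):    # a trunk legitimately carries many hosts
        lines.append(f"20    0200.0001.{i:04x}    DYNAMIC  Gi0/1")
    for i in range(200):   # far too many addresses for one access port
        lines.append(f"10    0200.0000.{i:04x}    DYNAMIC  Fa0/24")
    return "\n".join(lines)


def dynamic_macs_per_port(table_text):
    """Return {port: number of distinct dynamically learned (vlan, mac) pairs}."""
    ports = defaultdict(set)
    for line in table_text.splitlines():
        fields = line.split()
        # Data rows have exactly four fields and start with a VLAN number;
        # headers, separators and free-text lines are skipped.
        if len(fields) != 4 or not fields[0].isdigit():
            continue
        vlan, mac, entry_type, port = fields
        if entry_type.upper() == "DYNAMIC":
            ports[port].add((vlan, mac.lower()))
    return {port: len(entries) for port, entries in ports.items()}


def suspect_ports(table_text, trunk_ports=(), max_per_access_port=8):
    """Return access ports whose learned-MAC count exceeds the threshold.

    Assumption: trunk/uplink ports are known and passed in, because a high
    count there is normal.
    """
    counts = dynamic_macs_per_port(table_text)
    return sorted(
        port for port, n in counts.items()
        if port not in trunk_ports and n > max_per_access_port
    )


if __name__ == "__main__":
    table = build_sample()
    print(dynamic_macs_per_port(table))
    print("investigate:", suspect_ports(table, trunk_ports=("Gi0/1",)))
```

A port flagged this way is a candidate for port security with a MAC address limit, which turns the flood into the port security violation described on the previous slide.
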
Layer 3 — Network
L3

Network Layer — What Breaks

IP addressing, routing, ACLs, and DHCP

IP Configuration Errors

  • Wrong subnet mask — workstation uses /16 instead of /24; ARP requests flood network as host treats everything as local
  • Missing or wrong default gateway — host can reach local subnet but cannot communicate with remote networks
  • Duplicate IP addresses — both hosts experience connectivity problems; OS displays IP conflict notification
  • DHCP scope exhaustion — no addresses available; client gets APIPA (169.254.x.x) address

Routing & ACL Problems

  • Missing route — no path to destination network in routing table; traffic silently dropped
  • ACL blocking traffic — permit/deny rules evaluated top-down; implicit deny all at end blocks unlisted traffic
  • ACL applied wrong direction — inbound vs. outbound on wrong interface causes unexpected behavior
  • TTL exceeded — routing loop or too many hops; ICMP Time Exceeded returned to sender
Exam Tip: A host with a 169.254.x.x address failed to receive a DHCP response and self-assigned an APIPA address. This is a Layer 3 symptom, but the cause may be a DHCP server issue (also Layer 7) or a Layer 2 problem preventing the DHCP broadcast from reaching the server.

Network Layer — How to Find It

ipconfig | show ip route | show access-lists
C:\> ipconfig /all
  IPv4 Address:    10.10.20.147
  Subnet Mask:     255.255.0.0        <-- Wrong! Should be 255.255.255.0 (/24)
  Default Gateway: 10.10.20.1

Router# show ip route
  C   192.168.1.0/24 is directly connected, Gig0/0
  S   10.0.0.0/8 [1/0] via 192.168.1.1
  -- No route to 172.16.0.0/16 network; traffic to that range is dropped

Router# show access-lists
  10 permit tcp any any eq 80      (14892 matches)
  20 deny   ip  any any              (8847 matches)
  ^-- Implicit or explicit deny is blocking all non-HTTP traffic

Key Tools

  • ping — verifies basic IP reachability; ICMP Echo Request / Reply
  • traceroute / tracert — shows each hop; reveals where traffic stops or deviates
  • ipconfig / ifconfig / ip addr — shows IP, mask, gateway; look for APIPA or wrong mask
  • arp -a — shows ARP cache; confirms MAC resolution for local gateway
Exam Tip: If ping reaches the gateway but fails beyond it, check routing. If ping fails to the gateway, check IP configuration and ARP. If traceroute shows the same hop repeating, there is a routing loop.
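
Added example (not part of the original module): a Python script that reproduces the three Layer 3 decisions shown above, using the addresses, routing table and ACL from this slide. It shows the host's on-link or gateway choice under the wrong and the correct mask, the router's longest-prefix route lookup, and first-match ACL evaluation with the implicit deny. All function names are assumptions, and the ACL model covers only protocol and destination port.

```python
import ipaddress


def host_next_hop(host_ip, mask, dest):
    """A host ARPs directly for anything inside its own subnet and sends
    everything else to the default gateway."""
    network = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    return "on-link" if ipaddress.ip_address(dest) in network else "gateway"


# Routing table from the slide: (prefix, how the router forwards).
ROUTES = [
    ("192.168.1.0/24", "directly connected, Gig0/0"),
    ("10.0.0.0/8", "via 192.168.1.1"),
]


def route_lookup(routes, dest):
    """Longest-prefix match; None means no route, so the packet is dropped."""
    address = ipaddress.ip_address(dest)
    matches = []
    for prefix, forward in routes:
        network = ipaddress.ip_network(prefix)
        if address in network:
            matches.append((network.prefixlen, forward))
    if not matches:
        return None
    return max(matches)[1]


# ACL from the slide: (sequence, action, protocol, destination port or None).
ACL = [
    (10, "permit", "tcp", 80),
    (20, "deny", "ip", None),
]


def acl_decision(acl, proto, dport):
    """Evaluate top-down; the first matching entry wins.
    Returns (action, sequence); sequence None means the implicit deny."""
    for seq, action, acl_proto, acl_port in acl:
        proto_ok = acl_proto in ("ip", proto)   # "ip" matches any protocol
        port_ok = acl_port is None or acl_port == dport
        if proto_ok and port_ok:
            return action, seq
    return "deny", None


if __name__ == "__main__":
    # Same host, same remote destination, wrong mask versus correct mask.
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(mask, "->", host_next_hop("10.10.20.147", mask, "10.10.99.5"))
    print("172.16.5.9 ->", route_lookup(ROUTES, "172.16.5.9"))
    print("tcp/443 ->", acl_decision(ACL, "tcp", 443))
```

With the /16 mask the host ARPs for 10.10.99.5 on the local segment and never hands the packet to 10.10.20.1, which is why the remote host looks unreachable even though the gateway is configured correctly.
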
Layer 4 — Transport
L4

Transport Layer — What Breaks

TCP/UDP ports, firewalls, NAT, and connection state

Port & Service Issues

  • Port blocked by firewall — service is running and listening, but stateful firewall drops SYN packets before they arrive
  • Connection refused — port is reachable but nothing is listening; service is not started
  • Port exhaustion — ephemeral port range (1024–65535) fully consumed by high concurrent connection count

TCP Session Issues

  • TCP retransmissions — SYN sent, no SYN-ACK received; congestion, packet loss, or firewall filtering
  • Window size problems — receiver advertises zero window; sender stalls (flow control operating correctly but causing delay)
  • NAT / PAT misconfiguration — inside/outside interface reversed, or NAT pool exhausted; outbound traffic drops

UDP Considerations

  • No error recovery — UDP has no retransmission; packet loss equals data loss; any recovery is left to the application, or does not happen at all
  • UDP services affected: DNS (port 53), DHCP (67/68), SNMP (161/162), TFTP (69), streaming media, VoIP (RTP)
  • Firewall state tracking — stateful firewalls may not properly track UDP sessions; asymmetric routing can cause drops

Transport Layer — How to Find It

netstat | ss | telnet port test
C:\> netstat -an | findstr :443
  TCP  0.0.0.0:443        0.0.0.0:0           LISTENING
  TCP  10.0.1.50:49201    93.184.216.34:443    ESTABLISHED
  TCP  10.0.1.50:49202    93.184.216.34:443    TIME_WAIT

$ ss -tlnp
State   Recv-Q  Send-Q  Local Address:Port   Process
LISTEN  0       128     0.0.0.0:22           sshd
LISTEN  0       128     0.0.0.0:80           nginx
                                             <-- Port 443 NOT in the list; HTTPS not listening

Quick port reachability test (no dedicated tool needed):
$ telnet 10.0.5.20 443
Connected to 10.0.5.20     <-- Port is open and accepting connections
$ telnet 10.0.5.20 8443
telnet: connect to address 10.0.5.20: Connection refused  <-- RST received

Connection State Meanings

  • LISTENING — service is bound and ready to accept connections
  • ESTABLISHED — active connection in progress
  • TIME_WAIT — connection closed, waiting for delayed packets; normal state
  • SYN_SENT — client sent SYN, no response yet; possible firewall block
Exam Tip: Connection refused = port closed, RST received (service not running). Connection timeout = port filtered (firewall silently dropping). Service running but still failing = look higher at L5–L7.
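
Added example (not part of the original module): a Python version of the telnet port test that classifies a single TCP connection attempt as open, refused or filtered, following the distinction in the exam tip above. The function names, the result labels and the 2-second timeout are assumptions. The built-in demonstration uses only the loopback interface.

```python
import socket


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "refused"     # RST received: host reachable, nothing listening
    except socket.timeout:
        return "filtered"    # no reply at all: likely dropped by a firewall
    except OSError as exc:
        # For example "No route to host": the fault is below Layer 4.
        return f"unreachable ({exc.strerror})"
    finally:
        sock.close()


# What each result points to, using the wording of the slides above.
NEXT_STEP = {
    "open": "port reachable; if the application still fails, look at L5-L7",
    "refused": "service not started or bound to another port; check netstat/ss",
    "filtered": "check firewall rules and NAT mapping between client and server",
}


def loopback_demo():
    """Probe a local listener, then the same port after it has closed.

    Runs entirely on 127.0.0.1; the operating system picks a free port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    for result in loopback_demo():
        print(f"{result:<10} {NEXT_STEP.get(result, 'check L3 reachability first')}")
```
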
Layer 5 — Session
L5

Session Layer — What Breaks

Authentication, TLS sessions, and VPN tunnels

TLS / SSL Session Failures

  • Certificate expired — TLS handshake fails at certificate validation step; browser shows security warning
  • Session timeout too short — server terminates idle sessions prematurely; file transfers or long uploads fail mid-transfer
  • Session ticket mismatch — session resumption fails after server restart or key rotation; full renegotiation required

Authentication Session Issues

  • RADIUS / TACACS+ unreachable — authentication server down; users cannot log in to network devices or VPN
  • Wrong shared secret — RADIUS authentication rejected silently; logs show "Access-Reject" on server side
  • Session hijacking — unexpected RST packets or sequence number anomalies; attacker injecting into established session

VPN Tunnel Drops

  • IKE Phase 1 failure — ISAKMP SA not established; mismatched encryption, hash, or DH group
  • IKE Phase 2 failure — IPsec SA not established; mismatched transform sets or lifetime
  • Dead Peer Detection (DPD) — tunnel drops due to keepalive timeout on idle connection

NetBIOS / SMB Issues

  • File share disconnects — Windows disconnects idle SMB sessions; mapped drives appear disconnected
  • NetBIOS name resolution — WINS server unavailable; name resolution falls back to broadcast (limited to local subnet)

Session Layer — How to Find It

openssl s_client | mail server log | show crypto isakmp sa
$ openssl s_client -connect server:443
  Verify return code: 10 (certificate has expired)
  SSL handshake has read 0 bytes and written 0 bytes

  Session-ID: 3A7F...
  Session Timeout: 20 (seconds)  <-- Very short; uploads >20s will fail

Mar 27 08:22:38 mail01 postfix/smtpd:
  TLS session renegotiation requested
  SSL_accept error: session ticket expired
  lost connection after DATA (23 seconds)

  ^-- Session timed out during message delivery (DATA phase)

Router# show crypto isakmp sa
  dst              src              state         conn-id slot
  192.168.1.254    10.0.0.1         MM_NO_STATE   1001    0
  ^-- IKE Phase 1 failed; Main Mode did not complete

Key Tools

  • openssl s_client — tests TLS handshake, shows certificate chain and session details
  • show crypto isakmp sa — Cisco IKE/ISAKMP session state
  • Event Viewer / syslog — authentication failures, TLS errors, session terminations
Exam Tip: Session layer issues present as "it connects then drops" or "it works for small transfers but fails for large ones." Initial connection succeeds but the session cannot be maintained — think L5 before L7.

Layer 6 — Presentation
L6

Presentation Layer — What Breaks

Encoding, encryption format, and data representation

Encoding & Compression

  • Encoding mismatch — server sends gzip-compressed response; client does not advertise gzip support; decompression fails
  • Character encoding conflict — server returns UTF-8; client interprets as Latin-1 or ASCII; special characters rendered as garbage
  • Compression failure — corrupted compressed stream; partial downloads or mid-transfer corruption

Certificate & Encryption Format

  • Certificate chain incomplete — intermediate CA certificate missing from server response; client cannot build trust chain to root CA
  • Cipher suite mismatch — client and server share no common cipher; TLS handshake fails with "handshake failure" alert
  • Data format incompatibility — application expects JSON; integration partner sends XML; parsing error at receiver

Why Layer 6 Is Rarely Isolated

  • Modern protocols blend L5 and L6 functions — TLS handles both session establishment and encryption (format). Symptoms often appear as L5 or L7 problems.
  • Garbled or visually correct but unreadable data arriving at the application is the clearest sign of a Presentation layer problem.
  • Certificate chain issues are the most frequently tested L6 scenario on Network+.

Presentation Layer — How to Find It

curl -v | openssl verify
$ curl -v https://intranet.local/image.png
> Accept-Encoding: identity
< Content-Encoding: gzip
< HTTP/1.1 415 Unsupported Media Type

curl: (61) Error while processing content unencoding: false
^-- Client declared identity encoding; server sent gzip; decode failed

$ openssl verify -CAfile chain.pem server.crt
  error 20 at 0 depth lookup: unable to get local issuer certificate
  ^-- Intermediate CA certificate is missing from the chain file

Re-test after adding intermediate cert to chain.pem:
$ openssl verify -CAfile chain-complete.pem server.crt
  server.crt: OK

Key Tools

  • curl -v — shows full request and response headers; reveals Content-Encoding, Content-Type, Accept headers
  • openssl verify — validates certificate chain; identifies missing intermediate certificates
  • Browser DevTools → Network tab — shows response encoding, MIME type, content headers
  • file command (Linux) — identifies actual encoding of a downloaded file regardless of declared type
Exam Tip: Layer 6 is the least-tested layer on Network+, but encoding and certificate chain issues do appear. If data arrives but looks wrong — garbled text, corrupted images, unexpected errors — think Presentation layer before blaming the application.
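
Added example (not part of the original module): a Python script that compares what the response headers declare with what the body bytes actually are, covering the two encoding faults described above (a gzip body under a different declared Content-Encoding, and UTF-8 text declared as Latin-1). The function names and message strings are assumptions, and the sample bodies are constructed inline.

```python
import gzip

GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of every gzip stream


def content_encoding_mismatch(declared, body):
    """Compare the Content-Encoding header with the body's magic bytes.
    Returns None when they agree, otherwise a description of the mismatch."""
    actual = "gzip" if body[:2] == GZIP_MAGIC else "identity"
    declared = (declared or "identity").strip().lower()
    if declared == actual:
        return None
    return f"declared {declared}, body looks like {actual}"


def charset_mismatch(declared, body):
    """Flag text whose bytes disagree with the declared character set."""
    declared = declared.strip().lower()
    try:
        body.decode("utf-8")
        valid_utf8 = True
    except UnicodeDecodeError:
        valid_utf8 = False
    has_high_bytes = any(byte >= 0x80 for byte in body)
    if declared in ("utf-8", "utf8"):
        return None if valid_utf8 else "declared utf-8, body is not valid UTF-8"
    # Latin-1 decodes any byte sequence without error, so the only clue is
    # that the bytes also form valid multi-byte UTF-8.
    if valid_utf8 and has_high_bytes:
        return f"declared {declared}, body is valid multi-byte UTF-8"
    return None


def render_as(body, charset):
    """Show what a client would display if it trusted the declared charset."""
    return body.decode(charset, errors="replace")


if __name__ == "__main__":
    # Constructed bodies standing in for two server responses.
    compressed = gzip.compress(b"<html>intranet</html>")
    text = "résumé".encode("utf-8")

    print(content_encoding_mismatch("identity", compressed))
    print(charset_mismatch("ISO-8859-1", text))
    print("client shows:", render_as(text, "latin-1"))
```
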
Layer 7 — Application
L7

Application Layer — What Breaks

DNS, HTTP errors, service config, DHCP, and email authentication

DNS Issues

  • Missing or wrong record — A, AAAA, CNAME, or MX record absent or pointing to wrong IP
  • DNS server unreachable — queries time out; all name resolution fails; users report "site not found" even though IP access works
  • Negative cache poisoning — incorrect NXDOMAIN response cached; correct record added but cached failure persists

HTTP Errors

  • 403 Forbidden — server received request but authorization or filesystem permissions deny it
  • 404 Not Found — resource does not exist at requested path; deployment issue or wrong URL
  • 500 Internal Server Error — application-side failure; check service logs
  • 502 Bad Gateway — proxy or load balancer cannot reach upstream application server

Email Authentication

  • SPF failure — sending IP not listed in domain's SPF record; mail rejected or flagged as spam
  • DKIM failure — signature validation fails; message modified in transit or wrong private key used
  • DMARC failure — both SPF and DKIM fail; policy (p=reject or p=quarantine) applied to message

Service Configuration

  • Service not started — daemon not running; port not open; appears as L4 problem
  • Wrong config file — service running but misconfigured; errors in application log
  • Rogue DHCP server — unauthorized server assigning wrong gateway or DNS; users get incorrect configuration

Application Layer — How to Find It

nslookup | curl -I | dig MX | nginx error.log
C:\> nslookup app.company.local
  *** can't find app.company.local: Non-existent domain

C:\> nslookup 10.0.5.88
  Name: app-legacy.company.local   <-- Reverse works; forward A record is missing or renamed

$ curl -I https://intranet.local/admin
  HTTP/1.1 403 Forbidden
  Server: nginx/1.24

$ tail /var/log/nginx/error.log
  [error] directory index of "/var/www/admin/" is forbidden
  ^-- nginx has autoindex off; no index.html present; access denied

$ dig company.com MX
  company.com.  MX  10 mail.company.com.
$ dig mail.company.com A
  NXDOMAIN  <-- MX record exists but the A record for mail.company.com is missing

Key Tools

  • nslookup — queries DNS; tests both forward (name to IP) and reverse (IP to name) lookups
  • dig — detailed DNS query output; shows TTL, record type, authoritative vs. cached; preferred on Linux/macOS
  • curl / wget — tests HTTP/HTTPS; reveals response codes, headers, redirect chains
  • systemctl status / journalctl -u — service status and application logs on systemd-based Linux
Exam Tip: If all lower layers check out (ping works, port is open, session establishes), the problem is in the application itself. Check DNS first — it is the most common Layer 7 culprit and the most frequently tested on N10-009.

Decision Framework

The Troubleshooting Flowchart

A systematic bottom-up decision tree — work through every question before moving up

  • Can you see link lights?
      NO → [L1 Physical] Check cables, connectors, PoE budget, NIC
      YES → next question
  • Can you see MAC addresses in the ARP / CAM table?
      NO → [L2 Data Link] Check VLAN assignment, STP state, trunk config, err-disabled ports
      YES → next question
  • Can you ping the default gateway?
      NO → [L3 Network] Check IP address, subnet mask, gateway config, ARP resolution
      YES → next question
  • Can you ping the remote destination host?
      NO → [L3 Network] Check routing table, ACLs, firewall rules, NAT
      YES → next question
  • Can you connect to the service port (telnet host port)?
      NO → [L4 Transport] Check firewall port rules, service status (netstat -an), NAT mapping
      YES → next question
  • Does the session stay established over time?
      NO → [L5 Session] Check session timeout, certificate expiry, VPN IKE phase, auth server
      YES → next question
  • Is the data arriving readable and correctly formatted?
      NO → [L6 Presentation] Check encoding, compression, certificate chain, cipher suite
      YES → next question
  • Does the application behave correctly end-to-end?
      NO → [L7 Application] Check DNS records, HTTP error codes, service config, app logs
      YES → Not a network problem — escalate to application / server team

Exam Reference

Key Exam Points

Layer-by-layer quick reference for N10-009

Layer | First Thing to Check | Key Command(s) | Common Exam Scenario
L1 Physical | Link lights and cable condition | show interfaces | Late collisions = duplex mismatch; CRC errors = cable fault
L2 Data Link | VLAN assignment on the port | show vlan brief | Host unreachable on same switch = wrong VLAN or STP blocking
L3 Network | IP address, subnet mask, and gateway | ping + traceroute | Can reach local but not remote = wrong mask or missing route
L4 Transport | Port reachability from the client | netstat -an + telnet | Service runs but unreachable = firewall blocking the port
L5 Session | Certificate validity and session timeout | openssl s_client | Connects then drops = VPN IKE failure or expired certificate
L6 Presentation | Content-Encoding and certificate chain | curl -v | Data arrives but is garbled = encoding or cipher mismatch
L7 Application | DNS resolution for the target name | nslookup + service logs | All lower layers pass but app fails = missing DNS record or misconfigured service

Exam Tip: When a Network+ scenario question lists multiple symptoms, map each symptom to a layer using this table. The layer that explains the most symptoms is where you start. Bottom-up eliminates lower layers before you invest time in upper-layer diagnosis.

Module Complete

Summary & What You Learned

Core Takeaways

  • You now have a systematic approach to troubleshoot at every OSI layer, from Physical up to Application.
  • Start at the bottom. The majority of real-world and exam network problems are physical: cables, connectors, duplex mismatches, PoE issues.
  • The troubleshooting flowchart is your roadmap — follow it in order, do not skip layers or assume the problem is at the top.
  • Each layer has a small set of definitive commands that confirm or rule it out in under 60 seconds.

Layer Signatures to Remember

  • Late collisions = duplex mismatch (L1)
  • Port in wrong VLAN = no same-network access (L2)
  • 169.254.x.x address = DHCP failure, APIPA fallback (L3)
  • Connection timeout = firewall dropping packets (L4)
  • Connects then drops = session or VPN issue (L5)
  • Garbled data = encoding mismatch (L6)
  • All layers pass, app fails = DNS or service config (L7)

Objectives Covered

This module maps directly to the following CompTIA Network+ N10-009 exam objectives:

  • 5.1 Troubleshooting Methodology
  • 5.2 Cabling & Physical Plant
  • 5.3 Network Services
  • 5.4 Performance Issues
  • 5.5 Tools & Commands