Domain 7: Troubleshoot OCI Networking and Connectivity Issues (10%)
Domain 7 of the 1Z0-1124-25 Oracle Cloud Infrastructure 2025 Networking Professional exam covers diagnostic tools, logging infrastructure, and systematic troubleshooting of connectivity failures across VPN, FastConnect, routing, and security configurations. At 10% of the exam, this domain accounts for approximately 5 questions out of 50 (90 minutes, 68% passing score). Questions in this domain test your ability to select the correct diagnostic tool for a given scenario and interpret its output.
1. Network Command Center Tools
OCI provides three primary diagnostic tools under the Network Command Center, each serving a distinct purpose. Knowing which tool to use and when is a core exam skill.
Network Path Analyzer (NPA)
Network Path Analyzer performs configuration-based analysis to determine whether traffic can reach a destination. It does not send actual packets. Instead, it uses Batfish (an open-source network configuration analysis library) to examine routing tables, security lists, NSGs, and Zero Trust Packet Routing (ZPR) policies.
What NPA analyzes: route tables, security lists, NSGs, ZPR policies, VCNs, subnets, gateways (IGW, NAT, SGW, DRG, LPG), RPCs, load balancers, and NLBs.
| Attribute | Detail |
|---|---|
| Connectivity scenarios | OCI-to-OCI, OCI-to-on-premises, on-premises-to-OCI, internet-to-OCI, OCI-to-internet |
| Source types | IP address, compute VNIC, LBaaS, NLB |
| Destination types | IP address, compute VNIC, LBaaS, NLB, PSA endpoints (destination only) |
| Protocol support | Any IP protocol in current security list; configurable destination/source port and ICMP options |
| Bi-directional | Enabled by default for TCP/UDP; disabled for other protocols |
| IPv6 | Not supported |
| Test persistence | Ad-hoc or saved for reuse |
| Work request retention | 12 hours |
Result states:
| State | Meaning |
|---|---|
| Reachable | Path exists and all security rules permit traffic |
| Not Reachable / No Route | Routing or security configuration blocks the path |
| Indeterminate | NPA cannot determine reachability (see limitations below) |
Indeterminate scenarios and workaround: When an intermediate device transforms traffic (SNAT, routing appliance), NPA cannot trace through it. The standard workaround is to split the test into two segments:
| Intermediate Entity | NPA Result | Workaround |
|---|---|---|
| Network Virtual Appliance (NVA) | Indeterminate | Source-to-NVA + NVA-to-Destination |
| NLB with SNAT (non-transparent) | No Route | Source-to-NLB + NLB-to-Destination |
| NLB transparent mode | Indeterminate | Source-to-NLB + NLB-to-Destination |
| LBaaS | No Route | Source-to-LB + LB-to-Destination |
| Firewall as a Service | Indeterminate | Source-to-FWaaS + FWaaS-to-Destination |
| Cross-region (RPC) | Indeterminate | Separate test per region |
| Cross-tenancy (LPG/RPC) | Indeterminate | Separate test per tenancy |
| DRG v1 | Indeterminate | Upgrade to DRG v2 |
Exam trap: NPA requires service-level IAM policies (principal type vnpa-service) to read virtual-network-family, instances, load-balancers, NSGs, and ZPR resources. Without these policies, analysis results are incomplete. NPA also fails in tenancies with more than 100 compartments unless a support request is raised. (Path Analyzer)
Exam trap: NPA analyzes configuration only. It cannot detect runtime issues like packet loss, latency, or bandwidth exhaustion. If the configuration looks correct but traffic still fails, NPA will report "Reachable" even though the problem exists at a different layer.
Network Visualizer
Network Visualizer generates visual topology diagrams at three levels of granularity:
| Level | Shows | Key Details |
|---|---|---|
| Regional | All VCNs, DRGs, CPEs, gateways, FastConnect, VPN connections | Cross-region RPC connections visible |
| VCN | Subnets, VLANs, gateways within a single VCN | Routing mode and Security mode toggle |
| Subnet | Compute instances, LBs, NLBs, mount targets, OKE clusters | Security list and NSG associations visible |
Export: Generates a ZIP containing a high-resolution PNG and a PDF with route table details and resource data. Useful for audits and change tracking.
IAM requirement: Requires READ all-resources in tenancy. Network Visualizer does not belong to virtual-network-family and has no more granular permission model. (Network Visualizer)
Display limits: Regional view enforces limits per resource type (25 VCNs, 5 DRGs, 10 CPEs, etc.). If limits are exceeded, a partial topology displays with an error message. Limit increases can be requested.
Exam trap: Network Visualizer is read-only visualization. It does not diagnose reachability. Candidates confuse it with Path Analyzer. Use Visualizer to understand topology; use Path Analyzer to test connectivity.
VCN Flow Logs
VCN Flow Logs capture actual network traffic metadata at the VNIC level. Unlike NPA (configuration analysis), flow logs show what traffic actually happened.
Enablement levels:
| Level | Scope |
|---|---|
| VCN | All existing and future VNICs in all subnets |
| Subnet | All existing and future VNICs in that subnet |
| VNIC | Specific VNICs |
| Resource | Targeted instances or network load balancers |
Capture filters: 1-10 rules per filter, evaluated sequentially (first match wins). Configurable sampling rate as a percentage of flows.
Log record schema (Flow Log Details):
| Field | Description |
|---|---|
| data.action | ACCEPT or REJECT |
| data.protocol / data.protocolName | IANA protocol number and name |
| data.sourceAddress / data.destinationAddress | IPv4 or IPv6 |
| data.sourcePort / data.destinationPort | IANA port numbers |
| data.packets / data.bytesOut | Volume within capture window |
| data.startTime / data.endTime | Unix epoch seconds |
| data.status | OK, NODATA, or SKIPDATA |
| oracle.vnicocid | VNIC OCID |
Capture window: Each record covers a 60-second interval. A single TCP connection generates two records (one per direction: ingress and egress).
Traffic exclusions: VCN DNS, DHCP, block storage (169.254.0.0/16 link-local), and ARP are not logged.
Exam trap: Flow logs record the private IP address, not the public IP, even for traffic using public IPs. The oracle.vnicocid identifies the VNIC but does not indicate which service (LB, DB, etc.) manages it.
Exam trap: SKIPDATA status means some traffic was dropped from logging due to system capacity, not that the traffic itself was dropped. NODATA means no traffic occurred during that capture window.
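The following is an added example (not from the exam guide or Oracle) showing how a practitioner would triage exported flow log records using the schema above: pull REJECT entries as evidence that a rule blocks traffic, pair the two per-direction records of one connection, and separate SKIPDATA (a logging capacity gap) from NODATA (an idle window). The records are constructed for the example in the nested "data"/"oracle" shape the schema describes; the VNIC OCID is a placeholder.

```python
import json

# Constructed sample records in the VCN Flow Log record shape described above
# (fields nested under "data" and "oracle"). These are not real OCI logs; the
# VNIC OCID is a placeholder.
_VNIC = "ocid1.vnic.oc1..example-backend"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"data": {"action": "REJECT", "protocol": 6, "protocolName": "TCP",
              "sourceAddress": "10.0.1.15", "destinationAddress": "10.0.2.20",
              "sourcePort": 51234, "destinationPort": 22, "packets": 4,
              "bytesOut": 240, "startTime": 1700000000, "endTime": 1700000060,
              "status": "OK"}, "oracle": {"vnicocid": _VNIC}},
    {"data": {"action": "ACCEPT", "protocol": 6, "protocolName": "TCP",
              "sourceAddress": "10.0.1.15", "destinationAddress": "10.0.2.20",
              "sourcePort": 51240, "destinationPort": 443, "packets": 12,
              "bytesOut": 3400, "startTime": 1700000000, "endTime": 1700000060,
              "status": "OK"}, "oracle": {"vnicocid": _VNIC}},
    # Return direction of the same connection: a second record, as the text notes.
    {"data": {"action": "ACCEPT", "protocol": 6, "protocolName": "TCP",
              "sourceAddress": "10.0.2.20", "destinationAddress": "10.0.1.15",
              "sourcePort": 443, "destinationPort": 51240, "packets": 10,
              "bytesOut": 9100, "startTime": 1700000000, "endTime": 1700000060,
              "status": "OK"}, "oracle": {"vnicocid": _VNIC}},
    {"data": {"action": "ACCEPT", "protocol": 6, "protocolName": "TCP",
              "sourceAddress": "10.0.1.15", "destinationAddress": "10.0.2.20",
              "sourcePort": 0, "destinationPort": 0, "packets": 0, "bytesOut": 0,
              "startTime": 1700000060, "endTime": 1700000120,
              "status": "SKIPDATA"}, "oracle": {"vnicocid": _VNIC}},
    {"data": {"action": "ACCEPT", "protocol": 6, "protocolName": "TCP",
              "sourceAddress": "10.0.1.15", "destinationAddress": "10.0.2.20",
              "sourcePort": 0, "destinationPort": 0, "packets": 0, "bytesOut": 0,
              "startTime": 1700000120, "endTime": 1700000180,
              "status": "NODATA"}, "oracle": {"vnicocid": _VNIC}},
])


def parse_flow_log(text):
    """Parse newline-delimited JSON flow log records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reject_evidence(records, dest_port):
    """Return (source, destination, vnic) for REJECT records to dest_port.

    This is the runtime 'proof' that a security list or NSG rule is blocking
    traffic, which a configuration-only tool such as Path Analyzer cannot give.
    """
    hits = []
    for r in records:
        d = r["data"]
        if d.get("status") != "OK":
            continue  # SKIPDATA / NODATA windows carry no usable flow data
        if d["action"] == "REJECT" and d["destinationPort"] == dest_port:
            hits.append((d["sourceAddress"], d["destinationAddress"],
                         r["oracle"]["vnicocid"]))
    return hits


def pair_directions(records):
    """Group the two per-direction records of one connection.

    Key: protocol plus the unordered pair of (ip, port) endpoints.
    Value: bytes sent by each endpoint, so both directions are visible together.
    """
    flows = {}
    for r in records:
        d = r["data"]
        if d.get("status") != "OK" or d["action"] != "ACCEPT":
            continue
        a = (d["sourceAddress"], d["sourcePort"])
        b = (d["destinationAddress"], d["destinationPort"])
        key = (d["protocol"],) + tuple(sorted([a, b]))
        flows.setdefault(key, {})
        flows[key][a] = flows[key].get(a, 0) + d["bytesOut"]
    return flows


def window_status_summary(records):
    """Count capture windows per status.

    SKIPDATA means logging skipped flows for capacity reasons (the traffic was
    not necessarily dropped); NODATA means no traffic in that 60-second window.
    """
    counts = {"OK": 0, "NODATA": 0, "SKIPDATA": 0}
    for r in records:
        status = r["data"]["status"]
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("REJECTs to port 22:", reject_evidence(recs, 22))
    for key, per_direction in pair_directions(recs).items():
        print("flow", key, "bytes by sender:", per_direction)
    print("window status:", window_status_summary(recs))
```

Running the block against an actual export only requires replacing `SAMPLE_LOG` with the file contents; the functions deliberately skip non-OK windows so that a SKIPDATA record is never mistaken for a zero-byte connection.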
Selecting the Right Tool
| Scenario | Tool |
|---|---|
| "Can instance A reach instance B?" (configuration check) | Network Path Analyzer |
| "What does our VCN topology look like?" | Network Visualizer |
| "What traffic actually hit this VNIC in the last hour?" | VCN Flow Logs |
| "Is this security list rule blocking traffic?" (proof) | VCN Flow Logs (look for REJECT entries) |
| "Is this security list rule blocking traffic?" (config check) | Network Path Analyzer |
| "Where does traffic route through this DRG?" | Network Visualizer (topology) then Path Analyzer (path) |
| "Which NLB backend is receiving traffic?" | VCN Flow Logs on backend VNICs |
| "Document current network for audit" | Network Visualizer (export ZIP) |
| "What is inside the packet payload?" | VTAP (full packet capture) |
| "Deep protocol analysis or IDS/IPS feed" | VTAP to NLB → capture appliance |
2. OCI Logging Service
The OCI Logging service is the backbone for all log storage and analysis. VCN Flow Logs are a specific type of service log managed through Logging.
Log Types
| Type | Source | Writeable | Key Characteristics |
|---|---|---|---|
| Audit logs | OCI Audit service | No (read-only) | All API calls to public endpoints (Console, CLI, SDK, API). Fixed 365-day retention (tenancy-level, not configurable). |
| Service logs | OCI native services | Enable/disable per resource | Predefined categories per service. VCN Flow Logs, LB access logs, Object Storage events, API Gateway logs, etc. |
| Custom logs | Applications, other clouds, on-premises | Yes (PutLogs API or Unified Monitoring Agent) | Fluentd-based agent for ingestion. |
Log Organization
Logs are stored in log groups (logical containers within a compartment). Each log has a unique OCID. Log groups can be moved between compartments; logs move with them.
Service log retention: 30-day increments up to 180 days maximum. (Creating a Log)
Audit log retention: Fixed at 365 days (tenancy-level, applies to all regions, non-configurable). (Audit Log Retention Period)
Log Archival and Integration
For retention beyond the service limits, use Service Connector Hub to route logs to:
- Object Storage (long-term archival)
- Streaming (real-time processing)
- Logging Analytics (advanced search, correlation, ML-based anomaly detection)
- Databases (structured storage)
Exam trap: The Logging service itself has a 180-day maximum retention for service logs. If a question asks about long-term log retention, the answer involves Service Connector Hub archiving to Object Storage, not increasing the Logging service retention.
3. VPN Tunnel Troubleshooting
Site-to-Site VPN troubleshooting follows a layered approach. The exam tests your ability to diagnose from IKE logs and tunnel states.
Tunnel Down: Common Causes
| Symptom (Log Message Pattern) | Root Cause | Fix |
|---|---|---|
| 60 second timeout...No response to our first IKEv2 message | IKE version mismatch (v1 vs v2) | Align IKE version on both sides |
| AUTHENTICATION_FAILED / computed hash does not match | Pre-shared key mismatch | Verify PSK on both ends |
| NO_PROPOSAL_CHOSEN | Phase 1 or Phase 2 encryption/DH group mismatch | Match algorithms and DH groups |
| TS_UNACCEPTABLE / No IKEv2 connection found with compatible Traffic Selectors | Subnet/proxy ID mismatch | Align proxy IDs (use 0.0.0.0/0 for simplicity) |
| Peer ID mismatched on first found connection | CPE IKE identifier mismatch | Update remote IKE ID in Oracle Console to match CPE |
| ignoring...NO_PROPOSAL_CHOSEN (Phase 2 context) | PFS group mismatch | Align PFS settings |
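As an added example (not part of the exam guide and not Oracle tooling), the following classifier walks IKE log lines in order and maps each message pattern from the table to its root cause and fix. The point it demonstrates is the ambiguous message: NO_PROPOSAL_CHOSEN means an algorithm/DH mismatch during Phase 1 but a PFS mismatch in Phase 2 context, so the rule order and the tracked state decide the diagnosis. The log lines are constructed to resemble the table's patterns; the "IKE_SA ... established" marker used to detect that Phase 1 completed is an assumption for this example, not a documented Oracle log format.

```python
import re
from collections import Counter

# Ordered (pattern, root cause, fix) rules taken from the symptom table above.
# Order matters: the Phase 2 form of NO_PROPOSAL_CHOSEN ("ignoring...") must be
# tested before the generic form, and first match wins.
IKE_RULES = [
    (r"No response to our first IKEv2 message",
     "IKE version mismatch (v1 vs v2)", "Align IKE version on both sides"),
    (r"AUTHENTICATION_FAILED|computed hash does not match",
     "Pre-shared key mismatch", "Verify PSK on both ends"),
    (r"ignoring.*NO_PROPOSAL_CHOSEN",
     "PFS group mismatch (Phase 2)", "Align PFS settings"),
    (r"NO_PROPOSAL_CHOSEN",
     "Phase 1 or Phase 2 encryption/DH group mismatch",
     "Match algorithms and DH groups"),
    (r"TS_UNACCEPTABLE|compatible Traffic Selectors",
     "Subnet/proxy ID mismatch", "Align proxy IDs (0.0.0.0/0 is the simplest)"),
    (r"Peer ID mismatched",
     "CPE IKE identifier mismatch",
     "Update the remote IKE ID in the Oracle Console to match the CPE"),
]

# Assumption for this example: a line like this marks Phase 1 completion.
PHASE1_UP_PATTERN = r"IKE_SA .* established"

# Constructed log lines shaped like the table's message patterns (not real output).
SAMPLE_IKE_LOG = [
    "2025-01-10T10:00:01Z ike: initiating IKE_SA to 203.0.113.10",
    "2025-01-10T10:00:02Z ike: AUTHENTICATION_FAILED: computed hash does not match",
    "2025-01-10T10:02:00Z ike: IKE_SA tunnel-1[1] established between 198.51.100.5 and 203.0.113.10",
    "2025-01-10T10:02:01Z ike: ignoring received NO_PROPOSAL_CHOSEN notify for CHILD_SA",
    "2025-01-10T10:02:31Z ike: ignoring received NO_PROPOSAL_CHOSEN notify for CHILD_SA",
    "2025-01-10T10:03:01Z ike: received NO_PROPOSAL_CHOSEN notify",
    "2025-01-10T10:05:00Z ike: received TS_UNACCEPTABLE notify",
]


def triage_ike_log(lines):
    """Return one finding per matching line, in log order.

    A bare NO_PROPOSAL_CHOSEN seen after Phase 1 is established is reported as
    a Phase 2 (PFS) mismatch; before that it is reported as the Phase 1 cause.
    """
    phase1_up = False
    findings = []
    for line in lines:
        if re.search(PHASE1_UP_PATTERN, line):
            phase1_up = True
            continue
        for pattern, cause, fix in IKE_RULES:
            if re.search(pattern, line):
                if pattern == r"NO_PROPOSAL_CHOSEN" and phase1_up:
                    cause, fix = "PFS group mismatch (Phase 2)", "Align PFS settings"
                findings.append({"line": line, "cause": cause, "fix": fix})
                break  # first matching rule wins
    return findings


def summarize_causes(findings):
    """Collapse repeated messages (flapping tunnels repeat them) into counts."""
    return dict(Counter(f["cause"] for f in findings))


if __name__ == "__main__":
    results = triage_ike_log(SAMPLE_IKE_LOG)
    for f in results:
        print(f["cause"], "->", f["fix"])
    print(summarize_causes(results))
```

Because the rules are tried in order, adding a new pattern means placing the more specific message above the generic one; the summary is what you would compare against the CPE side before changing any proposal.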
Tunnel Up, No Traffic
- Verify Phase 2 (IPSec) parameters match
- Check VCN security lists: default list does not allow ICMP ping (type 8/0)
- Check on-premises firewalls allow UDP 500, UDP 4500, IP protocol 50, and TCP 179 (BGP)
- Asymmetric routing: Oracle uses asymmetric routing across redundant tunnels. Configure CPE firewalls to accept traffic from any active tunnel, not just the one that sent outbound traffic.
BGP Session Issues
| State | Cause | Resolution |
|---|---|---|
| BGP DOWN | IPSec tunnel down | Fix tunnel first |
| BGP DOWN | TCP 179 blocked by firewall | Open TCP 179 bidirectionally |
| BGP DOWN | Wrong ASN configured | Oracle commercial ASN: 31898 (Serbia Central: 14544) |
| BGP DOWN | MD5 authentication enabled | MD5 is not supported on OCI VPN; disable on CPE |
| BGP FLAPPING | IPSec tunnel instability | Stabilize tunnel (ensure interesting traffic, fix MTU) |
| BGP FLAPPING | Exceeding prefix limit | Do not advertise more than 2000 prefixes |
| BGP UP, no traffic | Routes not propagated correctly | Verify CPE receives and uses OCI routes, and advertises on-premises routes |
Exam trap: Oracle's BGP ASN for commercial cloud is 31898. This is a frequently tested fact. The exception is Serbia Central (Jovanovac) at ASN 14544.
Exam trap: Oracle does not support MD5 authentication for BGP over Site-to-Site VPN. If a question describes a BGP session that will not establish and mentions MD5, the answer is to disable MD5.
Tunnel Flapping
Primary causes: no interesting traffic (idle tunnels tear down), multiple IPSec connections with overlapping default routes causing asymmetric splits, and MTU/fragmentation issues. Resolution: configure keepalive traffic (Cisco ASA: IP SLA monitor; Palo Alto: path monitoring), and use specific routes for the primary path with a default route for backup. (VPN Troubleshooting)
4. FastConnect Troubleshooting
FastConnect troubleshooting follows a layer-by-layer approach from physical through application.
Layer-by-Layer Checklist
| Layer | Check |
|---|---|
| L1 Physical | Port allocation and UP status, correct optics/transceiver, Tx/Rx fiber (try flipping strands), end-to-end signal path |
| L2 Data-Link | BGP peering IP under correct VLAN, ARP table has Oracle router MAC, LAG and LACP both configured and enabled |
| L3/L4 Network | Correct BGP peering IP, correct ASNs (Oracle: 31898), MD5 password if enabled, prefix limits (public: 200, private: 2000), TCP 179 not blocked |
Prefix Limits
| Virtual Circuit Type | Maximum Prefixes |
|---|---|
| Public | 200 |
| Private | 2,000 |
Exceeding these limits causes BGP establishment failure.
Virtual Circuit States
A virtual circuit in PROVISIONED state with BGP DOWN typically means the CPE has not been configured or is misconfigured. Required CPE configuration: BGP peering addresses, local ASN and Oracle ASN, MD5 string (if applicable), and maximum prefix setting.
Exam trap: FastConnect requires both LAG and LACP to be configured and enabled. Missing LACP configuration is a common L2 troubleshooting scenario.
Exam trap: When both IPSec VPN and FastConnect carry identical routes, traffic may only flow over one connection. Configure more-specific routes for the preferred path and less-specific (default) for backup.
5. VTAP (Virtual Test Access Point)
VTAP provides full packet capture for deep traffic analysis. While VCN Flow Logs capture metadata (source, destination, ports, action), VTAP captures actual packet payloads -- essential for protocol-level debugging, intrusion detection, and performance analysis.
VTAP Architecture
| Component | Purpose |
|---|---|
| VTAP | Capture point attached to a source VNIC, subnet, or NLB |
| Capture Filter | Rules defining which traffic to capture (protocol, source/destination CIDR, port) |
| Target | Destination for mirrored traffic: NLB, VNIC on a network appliance, or another subnet |
VTAP Specifications
| Parameter | Limit |
|---|---|
| VTAPs per VNIC | 1 |
| VTAPs per subnet | 1 |
| Capture filter rules | 10 per filter |
| Encapsulation | VxLAN (adds ~50 bytes overhead) |
| Target types | Network Load Balancer, VNIC, subnet |
| Source types | VNIC, subnet, NLB |
| Cross-VCN capture | Not supported (source and target must be in same VCN) |
When to Use VTAP vs. Flow Logs
| Need | Tool |
|---|---|
| "Was traffic allowed or blocked?" | VCN Flow Logs |
| "What was in the packet payload?" | VTAP |
| "Is this SQL injection in the HTTP request?" | VTAP |
| "How many bytes transferred between A and B?" | VCN Flow Logs |
| "What is the TLS handshake doing?" | VTAP |
| "Which IPs are communicating on port 443?" | VCN Flow Logs |
Exam traps:
- VTAP mirrors traffic using VxLAN encapsulation, which adds overhead. The target must support the increased packet size.
- VTAP source and target must be in the same VCN. Cross-VCN capture is not supported.
- Only one VTAP per source (VNIC or subnet). You cannot attach multiple VTAPs to the same source.
- VTAP captures are real-time only -- there is no built-in storage. You must run a capture tool (tcpdump, Wireshark, or an IDS/IPS appliance) on the target to record packets.
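To make the VxLAN overhead concrete, here is an added example (not from the exam guide or Oracle) that builds a VxLAN-encapsulated frame shaped like what a VTAP target receives, then decapsulates it to recover the mirrored packet's inner addresses and ports and to measure the encapsulation overhead (outer Ethernet 14 + IPv4 20 + UDP 8 + VxLAN 8 = 50 bytes). The frame, addresses and VNI are constructed; the check at the end is the arithmetic behind the "target must support the increased packet size" trap.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789            # IANA-assigned VxLAN port
VXLAN_OVERHEAD = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VxLAN header


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header without options; checksum left zero (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_sample_vtap_frame(vni=1000):
    """Constructed VxLAN frame: an inner TCP/443 packet between two VCN hosts,
    mirrored to a capture target. All addresses and the VNI are made up."""
    inner_tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner_ip = ipv4_header("10.0.1.15", "10.0.2.20", 6, len(inner_tcp))
    inner_eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    inner = inner_eth + inner_ip + inner_tcp
    # VxLAN header: flags (I bit set), 3 reserved bytes, 24-bit VNI, 1 reserved byte
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    outer_ip = ipv4_header("10.0.1.5", "10.0.3.7", 17, len(udp) + len(vxlan) + len(inner))
    outer_eth = b"\x02\x00\x00\x00\x00\x0b" + b"\x02\x00\x00\x00\x00\x0a" + b"\x08\x00"
    return outer_eth + outer_ip + udp + vxlan + inner


def decap_vtap_frame(frame):
    """Strip outer Ethernet/IPv4/UDP/VxLAN and return inner L3/L4 facts plus the
    number of encapsulation bytes that were added in front of the mirrored frame."""
    if len(frame) < VXLAN_OVERHEAD + 14 + 20:
        raise ValueError("frame too short to hold a VxLAN-encapsulated IPv4 packet")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + ihl
    _, dport, _, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VxLAN")
    vx_off = udp_off + 8
    if not frame[vx_off] & 0x08:
        raise ValueError("VxLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    inner = frame[vx_off + 8:]
    # Inner frame starts with its own Ethernet header, then IPv4.
    ip = 14
    in_ihl = (inner[ip] & 0x0F) * 4
    proto = inner[ip + 9]
    result = {
        "vni": vni,
        "overhead_bytes": vx_off + 8,
        "inner_src": socket.inet_ntoa(inner[ip + 12:ip + 16]),
        "inner_dst": socket.inet_ntoa(inner[ip + 16:ip + 20]),
        "inner_proto": proto,
    }
    if proto in (6, 17):  # TCP or UDP: ports sit at the start of the L4 header
        l4 = ip + in_ihl
        result["inner_sport"], result["inner_dport"] = struct.unpack("!HH", inner[l4:l4 + 4])
    return result


def fits_target_mtu(inner_ip_packet_len, target_mtu=1500):
    """True if a mirrored IP packet of this size still fits the target's MTU
    after VxLAN encapsulation; a full-size 1500-byte packet does not."""
    return inner_ip_packet_len + VXLAN_OVERHEAD <= target_mtu


if __name__ == "__main__":
    frame = build_sample_vtap_frame(vni=1000)
    print(decap_vtap_frame(frame))
    print("1500-byte packet fits 1500 MTU target:", fits_target_mtu(1500))
```

On a real capture appliance the same decapsulation is what tcpdump or Wireshark does when it recognises UDP/4789, so a tool that does not understand VxLAN will show only the outer mirror endpoints rather than the VCN hosts you are debugging.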
6. Common Networking Issues Quick Reference
| Issue | Diagnostic Approach |
|---|---|
| Blocked traffic | Check security lists AND NSGs (both apply). Use Path Analyzer for config check, Flow Logs for evidence (REJECT entries). |
| Asymmetric routing | Expected behavior with redundant tunnels/circuits. Configure stateless firewall rules or ensure stateful inspection handles both paths. |
| Black-holed traffic | Route table points to a non-existent or down target. Check route table entries against actual gateway/appliance status. |
| LB health check failures | Verify security list allows health check traffic on the configured port. Check NSG rules on backend instances. Confirm backend application is listening. |
| DNS resolution failures | Verify VCN DNS resolver configuration. Check if custom DNS is configured in DHCP options. Ensure DNS traffic (UDP/TCP 53) is allowed in security rules. |
| Cross-tenancy connectivity | Path Analyzer returns Indeterminate for cross-tenancy. Test each side independently. Verify DRG attachment and route table policies in both tenancies. |
7. Tool Selection Matrix
| What You Need | Primary Tool | Secondary Tool |
|---|---|---|
| Verify config allows traffic | Network Path Analyzer | - |
| Prove traffic was allowed/blocked | VCN Flow Logs | Audit Logs (for API calls) |
| Visualize topology | Network Visualizer | - |
| Debug VPN tunnel state | VPN Service Logs + IPSec log messages | Path Analyzer (routing config) |
| Debug FastConnect BGP | FastConnect Service Logs + CPE BGP logs | Path Analyzer (routing config) |
| Long-term traffic analysis | Flow Logs via Service Connector Hub to Logging Analytics | Object Storage archive |
| Audit who changed a route table | Audit Logs | - |
| Deep packet inspection | VTAP | - |
| Real-time alerting on network events | OCI Events + Notifications | Service Connector Hub |