Chapter 10 Practical Troubleshooting
10.1 ping
What Is ping?
ping is the most fundamental command for verifying network connectivity with a target host. It uses ICMP (Internet Control Message Protocol) to check whether packets can reach the destination and whether a response is returned.
Basic Usage
# Specify an IP address
ping 192.168.20.10
# Specify a hostname
ping lis-server.hospital.local
How to Read the Output
ping 192.168.20.10
Reply from 192.168.20.10: bytes=32 time=1ms TTL=128 ← Response received (connectivity OK)
Reply from 192.168.20.10: bytes=32 time=1ms TTL=128
Reply from 192.168.20.10: bytes=32 time=1ms TTL=128
Reply from 192.168.20.10: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.20.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
When There Is No Response
ping 192.168.20.99
Request timed out. ← No response
Request timed out.
Request timed out.
Using ping with Smart Assist
| Target | Command | Purpose |
|---|---|---|
| LIS Server | ping 192.168.20.10 | Verify connectivity with the in-hospital LIS server |
| Default Gateway | ping 192.168.10.1 | Verify connectivity with the router |
| DNS Server | ping 192.168.1.53 | Verify connectivity with the DNS server |
| External Host | ping 8.8.8.8 | Verify internet connectivity |
Notes
- If ICMP is blocked by a firewall, HTTPS communication may still work even if ping fails
- A successful ping confirms "IP-level connectivity" only and does not guarantee application-layer communication
In the field, tons of people panic saying "ping isn't working!" But stay calm. Hospital firewalls often block ICMP. In particular, assume that pings to the internet will almost never go through.
Even if ping fails, HTTPS communication works fine in most cases. So for verifying external connectivity, use Test-NetConnection -Port 443 or curl -v instead of ping. The important skill is not getting stuck on "ping doesn't work" and moving on to the next step.
10.2 nslookup
What Is nslookup?
nslookup is a command for verifying DNS name resolution. It checks whether the conversion from an FQDN to an IP address is being performed correctly.
Basic Usage
# Look up the IP address of an FQDN
nslookup smartassist.example.com
How to Read the Output
nslookup smartassist.example.com
Server: 192.168.1.53 ← DNS server being queried
Address: 192.168.1.53#53
Non-authoritative answer:
Name: smartassist.example.com
Address: 52.194.10.20 ← Resolved IP address
When Name Resolution Fails
nslookup smartassist.example.com
Server: 192.168.1.53
Address: 192.168.1.53#53
** server can't find smartassist.example.com: NXDOMAIN ← Resolution failed
Querying a Specific DNS Server
# Specify a particular DNS server
nslookup smartassist.example.com 8.8.8.8
If resolution fails with the in-hospital DNS but succeeds with an external DNS (8.8.8.8), there is likely a problem with the in-hospital DNS configuration (forwarder settings, etc.).
Using nslookup with Smart Assist
| Check Item | Command | Assessment |
|---|---|---|
| Destination FQDN resolution | nslookup smartassist.example.com | If an IP is returned, DNS is working |
| In-hospital DNS operation check | nslookup smartassist.example.com <in-hospital_DNS_IP> | Can it be resolved by the in-hospital DNS? |
| External DNS verification | nslookup smartassist.example.com 8.8.8.8 | Isolate in-hospital DNS issues |
10.3 curl
What Is curl?
curl is a command-line tool for performing HTTP/HTTPS communication by specifying a URL. It can simulate actual HTTPS communication for connection testing.
Basic Usage
# HTTPS connection test
curl -v https://smartassist.example.com/health
# Connection test via proxy
curl -v --proxy http://proxy.hospital.local:8080 https://smartassist.example.com/health
How to Read the Output (Success Example)
curl -v https://smartassist.example.com/health
* Trying 52.194.10.20:443...
* Connected to smartassist.example.com (52.194.10.20) port 443 ← TCP connection successful
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 ← TLS successful
* Server certificate:
* subject: CN=smartassist.example.com ← Certificate verified
* issuer: C=US, O=Amazon, CN=Amazon RSA 2048 M01
* expire date: Mar 15 2026 GMT ← Expiration date
> GET /health HTTP/1.1
> Host: smartassist.example.com
>
< HTTP/1.1 200 OK ← 200 OK = Success
< Content-Type: application/json
<
{"status": "healthy"}
Failure Examples and Causes
| Error Message | Cause |
|---|---|
| Could not resolve host | DNS resolution failure |
| Connection timed out | FW block or network disconnection |
| Connection refused | Destination server is not listening on the port |
| SSL certificate problem | Certificate error (expired, invalid issuer, etc.) |
| 407 Proxy Authentication Required | Proxy authentication is required |
The foundation of troubleshooting is curl -v. If you remember just this one thing, you can isolate the majority of problems. Adding -v (verbose) shows you all of the following information:
- DNS resolution result: Trying 52.194.10.20:443...
- TCP connection: Connected to ...
- TLS handshake: SSL connection using TLSv1.2
- Certificate information: issuer: and expire date:
- HTTP status: HTTP/1.1 200 OK
When you receive a report saying "communication isn't working," first have them get the output of curl -v https://smartassist.example.com/health. This output alone tells you which layer the problem is occurring at.
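The layer isolation described above, as an added example that is not part of the original chapter: a Python function that reads saved curl -v output and reports the first failing layer, using the error strings from the failure table. The expected_issuers default and the sample transcripts are assumptions constructed for illustration.

```python
import re

# Progress markers curl -v prints, in the order a healthy request reaches them.
STAGES = [("dns", r"^\*\s+Trying "), ("tcp", r"^\* Connected to "),
          ("tls", r"^\* SSL connection using "), ("http", r"^< HTTP/")]
# Error strings and causes from the failure table, each mapped to a layer.
ERRORS = [("Could not resolve host", "dns", "DNS resolution failure"),
          ("Connection timed out", "tcp", "FW block or network disconnection"),
          ("Connection refused", "tcp", "destination is not listening on the port"),
          ("SSL certificate problem", "tls", "certificate error")]

def diagnose(transcript, expected_issuers=("Amazon", "Let's Encrypt")):
    """Return (layer, finding) for the first point of failure in curl -v output.

    expected_issuers is an assumption: substrings of the public CA names the
    real server certificate is expected to carry.
    """
    for text, layer, cause in ERRORS:
        if text in transcript:
            return layer, cause
    issuer = re.search(r"^\*\s+issuer: (.+)$", transcript, re.M)
    if issuer and not any(ca in issuer.group(1) for ca in expected_issuers):
        return "tls", "SSL inspection suspected, issuer: " + issuer.group(1).strip()
    # Through a proxy the CONNECT reply comes first, so judge the last status line.
    codes = re.findall(r"^< HTTP/\S+ (\d{3})", transcript, re.M)
    if codes and codes[-1] == "407":
        return "proxy", "proxy authentication is required"
    if codes:
        return ("ok", "HTTP 200") if codes[-1] == "200" else ("http", "HTTP " + codes[-1])
    reached = [name for name, rx in STAGES if re.search(rx, transcript, re.M)]
    return "unknown", "last stage reached: " + (reached[-1] if reached else "none")

# Constructed sample transcripts (not captured from a real system).
OK = """* Trying 52.194.10.20:443...
* Connected to smartassist.example.com (52.194.10.20) port 443
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
*  issuer: C=US, O=Amazon, CN=Amazon RSA 2048 M01
< HTTP/1.1 200 OK
"""
INSPECTED = OK.replace("C=US, O=Amazon, CN=Amazon RSA 2048 M01", "CN=Hospital Proxy CA")
PROXY_407 = ("* Connected to proxy.hospital.local port 8080\n"
             "< HTTP/1.1 407 Proxy Authentication Required\n")

if __name__ == "__main__":
    for name, sample in [("ok", OK), ("inspected", INSPECTED), ("407", PROXY_407)]:
        print(name, diagnose(sample))
```

An "unknown" result still names the last stage the transcript reached, which tells you where to continue checking by hand.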
10.4 Port Connectivity Verification
Why Is Port Connectivity Verification Necessary?
Even when ping succeeds, HTTPS communication may fail. This occurs when ICMP (ping) is allowed but TCP port 443 is blocked.
Verification Method with PowerShell (Windows)
# TCP port 443 connectivity check
Test-NetConnection -ComputerName smartassist.example.com -Port 443
How to Read the Output
ComputerName : smartassist.example.com
RemoteAddress : 52.194.10.20
RemotePort : 443
TcpTestSucceeded : True ← True = Port connectivity OK
ComputerName : smartassist.example.com
RemoteAddress : 52.194.10.20
RemotePort : 443
TcpTestSucceeded : False ← False = Port connectivity NG (failed)
Verification Method with telnet
# If telnet is installed
telnet smartassist.example.com 443
If the screen goes blank, the connection was successful. If "Could not open connection" is displayed, the connection failed.
10.5 DNS Failure Isolation
Symptoms of a DNS Failure
If communication from the Smart Assist PC to the cloud fails and nslookup cannot resolve the FQDN, suspect a DNS failure.
Isolation Flowchart
10.6 Proxy Failure Isolation
Symptoms of a Proxy Failure
- Connection timeout occurs with curl
- 407 Proxy Authentication Required is returned
- 403 Forbidden is returned
Isolation Flowchart
A surprisingly common oversight in proxy environment troubles is checking the proxy bypass list (exclusion list). If the Smart Assist destination is in the proxy bypass list, the system will try to connect directly even though proxy settings exist.
On Windows, check the following:
- netsh winhttp show proxy to display the system proxy settings and bypass list
- Check the value of the NO_PROXY environment variable
- Check the "Exceptions" field in the IE proxy settings dialog
The reverse pattern also occurs. If "communication should go through a proxy but it times out trying to connect directly," there is a good chance the HTTPS_PROXY environment variable is not set.
10.7 SSL Inspection Failures
Symptoms
- curl displays SSL certificate problem: unable to get local issuer certificate
- The Smart Assist client fails to connect with a "certificate error"
Verification Method
# Check certificate details with curl
curl -v https://smartassist.example.com/health 2>&1 | grep -i "issuer"
* Server certificate:
* issuer: CN=Hospital Proxy CA ← Not an AWS certificate, but the hospital's proxy CA
If the issuer is not a public CA such as AWS or Let's Encrypt but instead shows an internal hospital CA name, SSL inspection is being performed.
Resolution Steps
| Step | Action |
|---|---|
| 1 | Use curl's -v option to check the certificate issuer |
| 2 | If the issuer is the hospital's internal CA, SSL inspection is the cause |
| 3 | Request the hospital IT administrator to add Smart Assist's destination FQDN to the SSL inspection exclusion list |
| 4 | If exclusion is difficult, install the proxy CA certificate into the trusted root certificate store on the Smart Assist PC |
When you get a call saying "Smart Assist isn't connecting," checking in this order is the most efficient approach. Go through them top to bottom -- the first point of failure is the cause.
- IP address check: Use ipconfig to verify the IP address and gateway are correct
- Gateway connectivity: ping default gateway
- DNS resolution: nslookup smartassist.example.com
- Port connectivity: Test-NetConnection smartassist.example.com -Port 443
- HTTPS connection: curl -v https://smartassist.example.com/health
- Certificate check: Check the issuer and expire date in curl -v output
Write these 6 steps on a note and stick it next to your PC so you can smoothly give instructions even while on a phone call.
10.8 Certificate Expiration
Symptoms
- Smart Assist communication that was working normally suddenly fails
- curl displays SSL certificate has expired
Verification Method
# Check the certificate expiration date
curl -v https://smartassist.example.com 2>&1 | grep "expire"
* expire date: Jan 15 2025 GMT ← Expiration date is in the past
Detailed Verification with OpenSSL
# Display server certificate details
openssl s_client -connect smartassist.example.com:443 -servername smartassist.example.com < /dev/null 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 15 00:00:00 2024 GMT
notAfter=Jan 15 00:00:00 2025 GMT ← Expiration date
Resolution Steps
| Cause | Resolution |
|---|---|
| Smart Assist server certificate expired | Request the Smart Assist operations team to renew the certificate |
| SSL inspection CA certificate expired | Request the hospital IT administrator to renew it |
| Smart Assist PC clock is out of sync | Set the PC clock correctly (check NTP) |
Preventive Measures
- Build a system to regularly monitor certificate expiration dates
- Configure alerts to trigger 30 days before expiration
- Even when automatic renewal is configured, establish a process to verify that renewal succeeded
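One way to implement the 30-day expiration alert, as an added example that is not part of the original chapter: a Python check that parses the notBefore/notAfter lines from openssl x509 -noout -dates and classifies the certificate. It accepts both the `Jan 15 00:00:00 2025 GMT` layout and the variant with the year before the time; the function names, status labels and sample text are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Accepted layouts: time before year, and year before time.
FORMATS = ("%b %d %H:%M:%S %Y GMT", "%b %d %Y %H:%M:%S GMT")

def parse_dates(openssl_output):
    """Parse notBefore/notAfter lines into timezone-aware UTC datetimes."""
    dates = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in ("notBefore", "notAfter"):
            continue
        for fmt in FORMATS:
            try:
                parsed = datetime.strptime(value.strip(), fmt)
                dates[key] = parsed.replace(tzinfo=timezone.utc)
                break
            except ValueError:
                continue
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("notBefore/notAfter not found or not parseable")
    return dates

def check_validity(openssl_output, now=None, warn_days=30):
    """Return (status, days_left); status is ok, expiring, expired or not_yet_valid."""
    now = now or datetime.now(timezone.utc)
    d = parse_dates(openssl_output)
    days_left = (d["notAfter"] - now).days
    if now < d["notBefore"]:
        # A certificate "from the future" usually means the PC clock is behind.
        return "not_yet_valid", days_left
    if now >= d["notAfter"]:
        return "expired", days_left
    if d["notAfter"] - now <= timedelta(days=warn_days):
        return "expiring", days_left
    return "ok", days_left

# Constructed sample mirroring the dates used in this section.
SAMPLE = "notBefore=Jan 15 00:00:00 2024 GMT\nnotAfter=Jan 15 00:00:00 2025 GMT\n"

if __name__ == "__main__":
    print(check_validity(SAMPLE))
```

Run it on a schedule against the saved output of the openssl pipeline shown above; a not_yet_valid result points at the clock row of the resolution table rather than at the certificate.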
Comprehensive Troubleshooting Flowchart
In the next chapter, we will learn about the practical processes from Smart Assist deployment to production operation.