# “Can’t Reach the App” Troubleshooting Guide

**Dashboards: `kibana-8.14.x-flow-codex.ndjson`**

All filtering is done with the built-in dropdown controls. Selecting an item adds a **blue filter pill** that persists as you move between dashboards.

***

### 0  Set the Scene

1. **Analytics → Dashboard** in Kibana.
2. **Time‑picker** → set to the period when users reported the failure (e.g. **“Last 30 minutes”**).

The workflow follows the menu bar visible at the top of each dashboard:

`Overview | Top‑N | Core Services | Threats | Flows | Graph | Geo IP | AS Traffic | Exporters | Traffic Details | Flow Records`

***

### 1  Top‑N → **Top Applications**  *(Do any flows exist?)*

Menu path: **Top‑N ▸ ElastiFlow (flow): Top Applications**

| Step | What to do                                                                                                                            | Why                                                                                               |
| ---- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| 1    | Open **Top Applications**.                                                                                                            | —                                                                                                 |
| 2    | In the control **“Exporter, Locality, Application – input list”** start typing the application name or port, tick it, then **Apply**. | Adds a blue filter pill that scopes every subsequent dashboard.                                   |
| 3    | Inspect the stacked‑area charts **Throughput / Applications (bits/s)**.                                                               | **Flat line = no flows exported → jump to § 4 (network path).** Traffic visible? Continue to § 2. |

***

### 2  Flow Records → **Flow Records (src/dst)**  *(Did flow volume dive?)*

Menu path: **Flow Records ▸ ElastiFlow (flow): Flow Records (src/dst)**

| Look at                                 | Why it matters                                                       |
| --------------------------------------- | -------------------------------------------------------------------- |
| **Flow Records/s (src/dst)** line chart | A sudden drop or spike pins the exact time flows stopped or started. |
| **Flow Record Count (src/dst)** metric  | Quick numerical cross‑check that should match the chart.             |

If flows fall to zero here, the exporter never saw the sessions – a network or firewall device is blocking. Proceed to § 4.

***

### 3  Flows → **Flows (src/dst)**  *(Are replies returning? Are sessions established?)*

Menu path: **Flows ▸ ElastiFlow (flow): Flows (src/dst)**

| Step | What to do                                                                                                                                                                                                     | Diagnostic meaning                                                                                                                                                                                                                      |
| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1    | Open **Flows (src/dst)**.                                                                                                                                                                                      | —                                                                                                                                                                                                                                       |
| 2    | *Optional*: In **“Destination IP input list”** choose the **server IP**, then **Apply**. Otherwise, the already applied app name filter will suffice. Clone the tab here. Now, set Source IP to the server IP. | Narrows the Sankey to the affected host(s).                                                                                                                                                                                             |
| 3    | Examine the **Sankey “Flows (src/dst)”**.                                                                                                                                                                      | **If you see traffic going to and from the server in both directions** (src→dst & dst→src) ⇒ replies arrive ⇒ handshake OK ⇒ likely **application tier**. **One‑way only** ⇒ replies missing ⇒ **network return‑path** problem. |
| 4    | Use the embedded **“Session Established”** dropdown → select **No** → **Apply**.                                                                                                                               | Filters to half‑open TCP attempts. • A surge when the incident began ⇒ SYNs sent but SYN‑ACKs not returned ⇒ **network issue**. • No surge ⇒ handshake completes; see § 4 A for deeper app clues. |

Leave the **Session Established** filter set to **No** or **Yes** as you pivot to other dashboards; the blue filter pill persists.

***

### 4  Locate the Culprit

#### 4 A   If clues point to the **Application**

1. Menu **Traffic Details ▸ ElastiFlow (flow): Traffic Details (attributes)**
2. (Optional) narrow further with **VLAN / DSCP / TCP Flags / TCP Options – input list**.
3. Inspect **TCP Flags – donut**:
   * **RST / RST,ACK spike** → listener closed, app crashed, or overloaded.
   * **Normal flags but throughput collapsed** → app still running but stalled (DB wait, thread pool saturation, etc.).\
     Hand off to the application owner with the timestamp and the affected client list (see tables at the foot of the **Top Applications** dashboard).

#### 4 B   If clues point to the **Network**

1. Stay on **Flows (src/dst)** and scroll: *Sources* / *Destinations* donuts show where traffic last appeared.
2. Use **Geo IP ▸ Geo Location (src/dst)** for cross‑WAN issues—the map pins the last visible ASN/country.
3. Check **Exporters ▸ Flow Exporters (traffic)** to confirm an exporter isn’t throttling flows.\
   Escalate to NetOps with the exporter name, last‑seen interface, and the exact minute flows ceased.

***

### 5  90‑Second Drill (Cheat‑Sheet)

| Dashboard                                                          | Action                                                  | Answers                                                       |
| ------------------------------------------------------------------ | ------------------------------------------------------- | ------------------------------------------------------------- |
| **Top Applications**                                               | Filter via *Exporter / Locality / Application* list     | “Are **any** flows reaching the exporter?”                    |
| **Flow Records (src/dst)**                                         | Watch **Flow Records/s**                                | “Did overall flow volume drop?”                               |
| **Flows (src/dst)**                                                | • Sankey edges • **Session Established = No / Yes**     | “Are replies missing?” “Handshake or post‑handshake failure?” |
| **Traffic Details (attributes)** *or* **Geo Location / Exporters** | Drill‑down                                              | Pinpoints app crash vs. network segment                       |
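
The decision sequence of §§ 1–4, written out as a Python function. This is an added example, not part of the ElastiFlow documentation or dashboards; the record keys, the sample addresses and the surge/spike thresholds are assumptions chosen for illustration, since the guide leaves those judgments to the analyst reading the charts.

```python
# Added example: the guide's sections 1-4 as a decision function.
# Record keys and thresholds are hypothetical, not ElastiFlow's schema or defaults.

def triage(flows, server_ip, incident_start, surge_factor=3.0, rst_share=0.3):
    """flows: app-filtered dicts with ts, src, dst, established (bool), flags (set)."""
    rows = [f for f in flows if server_ip in (f["src"], f["dst"])]
    before = [f for f in rows if f["ts"] < incident_start]
    during = [f for f in rows if f["ts"] >= incident_start]

    # Sections 1-2: flat line / record count at zero -> exporter never saw the sessions.
    if not during:
        return "network: no flows exported (4 B)"

    # Section 3 step 3: the Sankey must show both directions.
    to_srv = any(f["dst"] == server_ip for f in during)
    from_srv = any(f["src"] == server_ip for f in during)
    if to_srv != from_srv:
        return "network: one-way traffic, return path (4 B)"

    # Section 3 step 4: Session Established = No, compared with the pre-incident share.
    def half_open(rs):
        return sum(not f["established"] for f in rs) / len(rs) if rs else 0.0
    if half_open(during) >= surge_factor * max(half_open(before), 0.05):
        return "network: half-open surge (4 B)"

    # Section 4 A: RST / RST,ACK spike versus normal flags.
    if sum("RST" in f["flags"] for f in during) / len(during) >= rst_share:
        return "application: RST spike (4 A)"
    return "application: normal flags, compare throughput (4 A)"


def sample(ts, client_to_server, established=True, flags=("SYN", "ACK")):
    """Constructed flow record between a client and the server 10.0.0.10."""
    src, dst = ("192.0.2.7", "10.0.0.10") if client_to_server else ("10.0.0.10", "192.0.2.7")
    return {"ts": ts, "src": src, "dst": dst, "established": established, "flags": set(flags)}


if __name__ == "__main__":
    # Constructed scenarios: healthy baseline before t=100, incident from t=100 onward.
    healthy = [sample(t, d) for t in range(0, 100, 10) for d in (True, False)]
    one_way = healthy + [sample(t, True, False, ("SYN",)) for t in range(100, 150, 10)]
    resets = healthy + [sample(t, d, True, ("RST", "ACK"))
                        for t in range(100, 150, 10) for d in (True, False)]
    for name, data in (("silent", healthy), ("one-way", one_way), ("resets", resets)):
        print(name, "->", triage(data, "10.0.0.10", 100))
```

The order of the checks mirrors the order of the dashboards: a later test is only meaningful once the earlier ones have passed, which is why a one-way result is returned before the half-open share is even computed.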


