Try 10 focused CompTIA Network+ N10-009 questions on Network Troubleshooting, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
Try CompTIA Network+ N10-009 on Web View full CompTIA Network+ N10-009 practice page
| Field | Detail |
|---|---|
| Exam route | CompTIA Network+ N10-009 |
| Topic area | Network Troubleshooting |
| Blueprint weight | 20% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Network Troubleshooting for CompTIA Network+ N10-009. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 20% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Network Troubleshooting
A branch office reports that access to a cloud-based CRM application is very slow. The network technician can successfully ping the CRM server, but round-trip times sometimes spike from 30ms to over 500ms. The technician now needs to identify which network hop along the path is introducing this delay. Which tool should the technician use first?
Options:
A. An IP configuration utility such as ipconfig or ip addr
B. A DNS lookup utility such as nslookup or dig
C. A traceroute/tracert utility
D. An ARP table inspection using the arp command
Best answer: C
Explanation: In this scenario, basic connectivity has already been confirmed because pings to the cloud-based CRM server succeed, though with intermittent high latency. The remaining task is to determine where along the network path the delay is introduced.
A traceroute-style utility is designed for exactly this purpose. It sends packets with gradually increasing Time To Live (TTL) values and listens for ICMP time-exceeded messages from each router that decrements the TTL to zero. This reveals each hop along the route and the round-trip time to that hop. By examining where latency suddenly increases, the technician can see whether the issue is inside the local network, at the ISP edge, or deeper in the internet path, and can then escalate or investigate accordingly.
Other tools like DNS lookup, IP configuration, or ARP inspection address different layers or types of problems and do not provide hop-by-hop latency information, so they are not the most appropriate choice here.
Topic: Network Troubleshooting
A network administrator recently migrated the corporate SSID Corp-Secure from WPA2-PSK to WPA2-Enterprise using 802.1X and a RADIUS server, as shown below:
SSID: Corp-Secure
Security mode: WPA2-Enterprise (802.1X)
EAP method: PEAP (MSCHAPv2)
RADIUS server: 10.10.50.5
After the change, many laptops can still see Corp-Secure but repeatedly prompt for the Wi-Fi password and fail to connect. On one affected laptop, the saved Corp-Secure profile is configured for WPA2-Personal with an old pre-shared key.
Which of the following actions/solutions will best address this issue or requirement? (Select TWO.)
Options:
A. Change the SSID name from Corp-Secure to Corp-Secure-8021X so devices treat it as a new network and prompt users to reconnect.
B. Manually delete and recreate the Corp-Secure network on affected laptops, selecting WPA2-Enterprise/802.1X with PEAP and logging in with the user’s directory credentials.
C. Reconfigure all access points so that Corp-Secure uses WPA2-PSK again with the old pre-shared key, restoring the previous security settings.
D. Push a new Wi-Fi profile via group policy or MDM that configures Corp-Secure for WPA2-Enterprise (PEAP) using user credentials instead of a pre-shared key.
E. Create a new open SSID without encryption and temporarily move affected users to it until they can be reconfigured.
Correct answers: B and D
Explanation: The key symptom is that clients can see the SSID but fail authentication and keep asking for a Wi‑Fi password. The access point is configured correctly for WPA2‑Enterprise with 802.1X (PEAP), but the inspected laptop still has the old profile using WPA2‑Personal (PSK) and a pre‑shared key. This security mismatch between client and AP prevents successful authentication.
To restore connectivity, you must update client configurations so that Corp-Secure is treated as an 802.1X/WPA2‑Enterprise network using user credentials, not as a PSK network.
Option review:
Corp-Secure for WPA2‑Enterprise (PEAP) using user credentials instead of a pre‑shared key.Corp-Secure network on affected laptops, selecting WPA2‑Enterprise/802.1X with PEAP and logging in with the user’s directory credentials.Corp-Secure uses WPA2‑PSK again with the old pre‑shared key, restoring the previous security settings.Corp-Secure to Corp-Secure-8021X so devices treat it as a new network and prompt users to reconnect.The two correct actions both fix the actual root cause: the client WLAN profiles are still configured for WPA2‑Personal with a pre‑shared key, while the APs now expect WPA2‑Enterprise with 802.1X authentication.
Topic: Network Troubleshooting
A network engineer notices that traffic from subnet 10.10.10.0/24 to an application server in another site passes through Router R1, but return traffic from the server back to 10.10.10.0/24 leaves through a different router, R2. Stateful firewalls on each path are dropping these flows because the forward and return paths do not match. Which routing problem does this situation BEST describe?
Options:
A. Asymmetric routing
B. Route flapping
C. Incorrect default gateway on the client
D. Missing route
Best answer: A
Explanation: The scenario describes traffic from a subnet taking one router on the way to a remote server and a different router on the way back. Because stateful firewalls track connections by seeing both directions of the flow on the same path, they may drop packets if the return traffic uses a different device or interface.
This behavior is the definition of asymmetric routing: the forward and reverse paths of the same session are not symmetric. It is a routing design or configuration issue, often due to multiple exit points, overlapping routes, or inconsistent static or dynamic routing policies.
Other issues like missing routes, incorrect default gateways, or route flapping cause different symptoms: outright loss of connectivity, traffic that never leaves the subnet, or unstable paths that change over time. None of those precisely match the described, consistent mismatch of forward and reverse paths.
Topic: Network Troubleshooting
A small office has a flat LAN (single VLAN) with one router providing DHCP, NAT, and internet access through an ISP cable modem. A user cannot reach any websites. To avoid unnecessary reconfiguration, you run basic tests from the user’s PC:
ping 127.0.0.1 -> Reply
ping 10.0.0.25 -> Reply
ping 10.0.0.1 -> Reply
ping 8.8.8.8 -> Request timed out.
Which action is the most appropriate next step to address this issue?
Options:
A. Check the router’s WAN interface status and contact the ISP if the external link is down.
B. Reinstall the TCP/IP stack on the user’s PC to fix a local protocol issue.
C. Replace the Ethernet patch cable between the PC and the switch to fix a physical issue.
D. Change the PC’s default gateway to 8.8.8.8 so it can reach the internet directly.
Best answer: A
Explanation: The test sequence checks connectivity at increasing scopes: the local TCP/IP stack, the local NIC/IP, the local default gateway, and then an external host on the internet.
ping 127.0.0.1 succeeding shows the TCP/IP stack on the host is operating correctly.Therefore, the correct next step is to investigate the router’s external interface and, if it is down or cannot reach the ISP, escalate the issue to the ISP. This aligns with the goal of distinguishing local host problems from wider network or ISP issues, and avoids unnecessary changes to a working local configuration.
Topic: Network Troubleshooting
A network technician applies a planned firewall ACL change during a maintenance window. Immediately afterward, users report that a critical internal web application is unreachable. Monitoring confirms the firewall is the only device changed, and no other issues are reported. The maintenance window is still open, and a tested rollback procedure for this change is documented in the change ticket. To restore service as quickly as possible, what should the technician do next?
Options:
A. Create a temporary static route on the firewall to bypass the suspected blocked path
B. Open a priority support case with the firewall vendor and wait for guidance
C. Begin capturing traffic with a packet analyzer to identify which ports are being blocked
D. Use the documented rollback procedure to revert the firewall ACL to the previous configuration
Best answer: D
Explanation: In a structured troubleshooting and change-management process, when a new issue appears immediately after a specific change, the first priority for a critical service is to restore availability as quickly and safely as possible.
Because the firewall ACL change is the only identified difference and the outage began right after this change, the most logical conclusion is that the change caused the problem. The organization has a documented, tested rollback procedure and the maintenance window is still open, which means it is both allowed and expected to use that rollback if the change leads to an outage.
Rolling back to the last known good configuration quickly restores service and keeps you within the approved change plan. After service is restored, you can schedule a follow-up change or troubleshooting session to identify and implement the correct ACL. Escalation, deep analysis, or improvised workarounds are slower and riskier than simply reverting the change in this scenario.
Topic: Network Troubleshooting
A network technician is troubleshooting why users in the new remote office (subnet 10.20.30.0/24) can successfully ping an internal web server at 10.10.10.50 but cannot browse to https://10.10.10.50. The firewall ACL between the sites is shown below.
Firewall ACL (top to bottom):
| Rule | Source | Destination | Protocol | Port | Action |
|---|---|---|---|---|---|
| 1 | 10.10.0.0/16 | 10.10.10.50 | TCP | 443 | Allow |
| 2 | 10.0.0.0/8 | 10.10.10.50 | ICMP | N/A | Allow |
| 3 | Any | Any | Any | Any | Deny |
Which of the following actions will best address this issue or requirement? (Select TWO.)
Options:
A. Add a firewall rule allowing 10.20.30.0/24 to reach 10.10.10.50 over TCP port 443 and place it above the deny-all rule.
B. Add a rule allowing Any source to reach 10.10.10.50 on TCP port 443.
C. Disable the firewall temporarily and rely on host-based firewalls on the clients and server.
D. Move the deny-any rule to the top of the ACL so it is evaluated first.
E. Modify the existing HTTPS rule to use 10.0.0.0/8 as the source network instead of 10.10.0.0/16.
Correct answers: A and E
Explanation: The exhibit shows a firewall ACL evaluated from top to bottom. Users on 10.20.30.0/24 can ping the web server at 10.10.10.50, which means ICMP is allowed by the rule that permits 10.0.0.0/8 to 10.10.10.50 for ICMP. However, HTTPS (TCP 443) is only allowed from 10.10.0.0/16. Because the new remote office subnet (10.20.30.0/24) is not part of 10.10.0.0/16, its HTTPS traffic is not matched by the existing HTTPS rule and therefore hits the final deny-any rule.
To fix this, the technician must add or adjust an allow rule so that HTTPS from the remote office subnet (or from all internal 10.x networks) is explicitly permitted on TCP 443, while still keeping the firewall policy reasonably restrictive. Both adding a targeted rule for 10.20.30.0/24 or broadening the existing 10.10.0.0/16 source to 10.0.0.0/8 accomplish this, whereas the other options either break connectivity or create unnecessary security risk.
Topic: Network Troubleshooting
Which symptom most strongly suggests that a DHCP scope has run out of available IPv4 addresses on a subnet?
Options:
A. Some switches show high CPU utilization during spanning tree recalculations.
B. Clients receive an incorrect default gateway address from the DHCP server.
C. New DHCP-enabled clients obtain 169.254.x.x addresses instead of an address from the expected subnet.
D. DHCP clients obtain valid IP addresses, but DNS queries for internet hosts fail.
Best answer: C
Explanation: A DHCP scope contains a finite pool of IP addresses that the DHCP server can lease to clients. When the scope is exhausted—meaning all addresses are in use—new DHCP clients that send a DHCPDISCOVER may not receive a DHCPOFFER.
On many client operating systems, if a host is configured to use DHCP but does not receive a lease after trying, it assigns itself an Automatic Private IP Addressing (APIPA) address in the 169.254.0.0/16 range. Seeing multiple clients with 169.254.x.x addresses on a network where DHCP is expected is a strong indicator that the DHCP server is not handing out addresses, often because the scope is out of free addresses or the server is unreachable.
Other symptoms like incorrect default gateways or DNS failures point to misconfigured DHCP options or DNS problems, not specifically to an empty IP pool.
Topic: Network Troubleshooting
A network technician is troubleshooting a user’s desk where an IP phone and a PC share a single wall jack connected to switch interface Gi0/10. After the phone and PC are connected, the user loses network connectivity. The technician runs the following command:
Switch# show port-security interface gi0/10
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Max MAC Addresses : 1
Total MAC Addresses : 1
Security Violation Count : 3
Which of the following actions should you AVOID while resolving this issue? (Select TWO.)
Options:
A. Clear sticky or learned MAC addresses on interface Gi0/10, then re-enable the port and reconnect the phone and PC
B. Disable port security on all access ports to prevent them from going into an err-disabled state
C. Convert interface Gi0/10 to an 802.1Q trunk port allowing all VLANs so the phone and PC can connect without further port-security violations
D. Change the violation mode on interface Gi0/10 from shutdown to restrict, then monitor for further violations
E. Increase the maximum allowed MAC addresses to 2 on interface Gi0/10 and then re-enable the port
Correct answers: B and C
Explanation: The CLI output shows that port security is enabled on interface Gi0/10, and the port is in a secure-shutdown state with a violation mode of shutdown and Max MAC Addresses: 1. When both an IP phone and a PC are connected to the same access port, more than one MAC address appears on that port, causing a port-security violation and shutting the port down.
The correct troubleshooting approach is to adjust the configuration of this specific interface so that it can legitimately support both devices while preserving port security. This usually means allowing more than one MAC address on the port or clearing incorrect MAC entries, not weakening security across the entire switch or turning the port into a trunk to an end user.
The actions to avoid are those that significantly reduce security or violate standard design practices, such as disabling port security everywhere or converting a user port into a trunk that carries all VLANs. Focused, per-port adjustments are considered best practice in this scenario.
Topic: Network Troubleshooting
A technician is troubleshooting why internal users cannot resolve external websites while still being able to resolve internal hostnames. The technician runs the following commands from a user’s workstation:
nslookup www.example.com
Server: 192.168.10.10
Address: 192.168.10.10#53
** server can't find www.example.com: NXDOMAIN
nslookup www.example.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.example.com
Address: 203.0.113.50
All workstations receive 192.168.10.10 as their DNS server via DHCP, and the company wants to keep using this internal DNS server for logging and internal name resolution, not point clients directly to public DNS. Based on this information, which action is the MOST appropriate next step?
Options:
A. Reconfigure the firewall to allow outbound HTTPS from client workstations to the internet
B. Flush the DNS cache on the user’s workstation and retry the lookup
C. Update DHCP so clients use public DNS servers instead of 192.168.10.10
D. Configure correct DNS forwarders on the 192.168.10.10 server to use public resolvers for external lookups
Best answer: D
Explanation: The nslookup output is the key evidence. When the workstation queries its normal DNS server at 192.168.10.10, the response is NXDOMAIN for www.example.com, indicating that this internal DNS server is not able to resolve the external name. However, when the query is sent directly to the public resolver 8.8.8.8, a valid non-authoritative answer is returned.
This comparison shows that internet connectivity is fine and that public DNS resolution works. The issue is specific to how the internal DNS server handles external queries. In a typical small/medium enterprise, an internal DNS server is authoritative for internal zones and either uses forwarders (such as public DNS servers) or root hints to recursively resolve external names. If external lookups fail on this internal server but succeed on public resolvers, the internal server’s forwarders or recursion settings are likely misconfigured.
Because the company explicitly wants to continue using the internal DNS server for internal records and logging, the correct approach is to fix that server so it can again resolve external domains, rather than bypassing it from the clients. That means configuring proper forwarders or otherwise correcting its external resolution settings.
Topic: Network Troubleshooting
You are troubleshooting poor Wi‑Fi performance reported in a conference room. On the WLAN controller, you review the following client statistics for devices connected to the same SSID on the same AP:
| Client | RSSI (dBm) | SNR (dB) | Retry % |
|---|---|---|---|
| A | -82 | 12 | 35 |
| B | -60 | 28 | 3 |
| C | -65 | 30 | 4 |
Client A is the device with the performance complaint.
Which of the following actions should you AVOID while attempting to resolve this issue? (Select TWO.)
Options:
A. Add an additional AP closer to the conference room or adjust AP placement to improve signal quality for Client A.
B. Force all SSIDs in the area to use the same 2.4GHz channel to “boost” coverage for Client A.
C. Check for neighboring Wi‑Fi networks on the same channel and adjust channel assignments to reduce interference.
D. Increase the transmit power on all nearby APs to the maximum level without performing a site survey.
E. Investigate physical obstructions around the conference room and consider repositioning the AP or Client A’s device.
Correct answers: B and D
Explanation: The WLAN controller statistics show that Client A has an RSSI of -82dBm, an SNR of 12dB, and a retry rate of 35%. These values indicate a weak and noisy signal with many retransmissions, which explains the poor performance report. In contrast, Clients B and C show stronger RSSI, higher SNR, and low retry percentages, so the problem is localized to Client A’s RF conditions.
To improve performance, you typically want to increase usable signal quality for the affected client while minimizing interference. Good actions include adjusting AP/client placement, adding coverage where needed, and optimizing channel assignments to reduce interference. Poor actions are those that increase interference or ignore proper RF design, such as cranking transmit power to maximum or forcing many APs onto the same channel.
The actions that should be avoided are the ones that worsen co-channel interference and do not address the underlying low SNR and high retries for Client A. The other options are standard, recommended troubleshooting steps aligned with best practices for wireless performance tuning.
Use the CompTIA Network+ N10-009 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try CompTIA Network+ N10-009 on Web View CompTIA Network+ N10-009 Practice Test
Read the CompTIA Network+ N10-009 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.