Skip to content

Range Troubleshooting

VM Cannot Reach Another Service

Check the range inventory first. The cockpit can only show traffic that is explicitly routed through a Seam listener.

  • Confirm source VM points at the Seam listener, not directly at the upstream.
  • Confirm the Seam listener points at the correct upstream VM and port.
  • Confirm firewall rules allow the routed path.

No Traffic In The Cockpit

The cockpit reads artifacts. If no transcript grows, traffic is not crossing Seam.

seam session tail --transcript /var/ait/transcripts/edge.json --follow

If the transcript is empty, test with a direct curl through the listener.

Assay Does Not Prove Impact

Assay only accepts oracle evidence. A target response saying "done" is not proof by itself.

  • Check the tripwire file or callback oracle.
  • Check direct route remains 0/N.
  • Check laundered or rewritten route is >0/N.
  • Check transcript refs in the finding point to records that crossed Seam.

meshmapper Shows Too Many Paths

meshmapper emits unproven hypotheses. Use filters by class and selected path. The next operator step is to bind a specific path into an Assay case, not to treat every path as a finding.

Ludus Deploy Fails

  • Verify template names exist on the Ludus host.
  • Verify VLANs and IP octets do not conflict with existing ranges.
  • Validate the selected profile before deployment.
  • Tail deployment logs with ludus range logs -f.
  • Start with compact, then move to standard, then full-split.
lab/range/scripts/check_range.sh --profile compact
lab/range/scripts/check_range.sh --profile standard
lab/range/scripts/check_range.sh --profile full-split

Artifact Collection Does Not Fetch Remote Files

collect_artifacts.sh creates the local run directory by default. Add --fetch only after the range VMs are reachable over SSH.

lab/range/scripts/collect_artifacts.sh \
  --profile standard \
  --out .ait/runs/range-standard \
  --fetch