HireHireInterview Quizzes › Support Engineer

Support Engineer Interview Questions

Think you're ready? These are the questions that actually decide Support Engineer interviews. Warm up on Easy — then face the Hard round, where 95% of candidates crumble. 30 questions across 3 levels, instant score, completely free.

30Questions
3Difficulty levels
95%Fail the hard round
FreeInstant score
Easy
Warm-up · 10 Qs
Medium
Practical · 10 Qs
Hard
Brutal · 10 Qs
⚡ Take the Support Engineer quiz — get your score →

The Support Engineer interview questions

Below are the real questions, grouped by difficulty. Expand any one to reveal the correct answer and why — or take the timed quiz for a score you can share. Can you clear the Hard round?

Easy round 10 questions

A user reports their web application returns a '404 Not Found' error. What does this HTTP status code specifically indicate?
  • A. The server understood the request but refuses to authorize it
  • B. The requested resource could not be found on the server ✓
  • C. The server encountered an internal error
  • D. The request was redirected to another location
Correct answer: B. HTTP 404 means the server could not find the requested resource at the given URL.
In an ITSM/ticketing context, what does SLA stand for?
  • A. System Level Access
  • B. Service Level Agreement ✓
  • C. Standard Logging Application
  • D. Support Ledger Assignment
Correct answer: B. SLA stands for Service Level Agreement, defining the agreed response and resolution targets between provider and customer.
A customer cannot reach your web server, but they can reach other websites. Which command would best help you check whether the server's hostname resolves to an IP address?
  • A. chmod
  • B. nslookup ✓
  • C. top
  • D. grep
Correct answer: B. nslookup queries DNS to check whether a hostname resolves to an IP address.
Which of the following is the correct escalation practice when a support ticket exceeds your ability or authority to resolve?
  • A. Close the ticket and ask the customer to reopen it later
  • B. Escalate to the appropriate higher-tier team with full context and history ✓
  • C. Delete the ticket to avoid SLA breach
  • D. Keep retrying silently without informing anyone
Correct answer: B. Proper escalation routes the ticket to a higher tier along with complete context so it can be resolved efficiently.
A Linux application won't start and you suspect it's failing to bind to a port already in use. Which command helps you identify which process is listening on a given port?
  • A. netstat -tulpn ✓
  • B. df -h
  • C. cat /etc/passwd
  • D. uptime
Correct answer: A. netstat -tulpn lists listening TCP/UDP ports along with the owning process, revealing port conflicts.
In SQL, which statement would you run to retrieve all rows from a 'users' table where the status column equals 'active'?
  • A. SELECT * FROM users WHERE status = 'active'; ✓
  • B. UPDATE users SET status = 'active';
  • C. DELETE FROM users WHERE status = 'active';
  • D. INSERT INTO users VALUES ('active');
Correct answer: A. SELECT with a WHERE clause filters and returns only rows matching the specified condition.
A user gets 'Connection timed out' when accessing an API, while a '403 Forbidden' would mean something different. What does a connection timeout most likely indicate?
  • A. The credentials supplied were incorrect
  • B. The server could not be reached within the allotted time, often due to network or firewall issues ✓
  • C. The requested data was successfully returned
  • D. The URL was permanently moved
Correct answer: B. A connection timeout means the client got no response in time, typically from network, firewall, or server-down issues.
Which HTTP status code range indicates a server-side error?
  • A. 2xx
  • B. 3xx
  • C. 4xx
  • D. 5xx ✓
Correct answer: D. 5xx status codes (e.g., 500, 502, 503) indicate errors originating on the server side.
When troubleshooting a reported issue, which of the following is the best first step before proposing a fix?
  • A. Restart the production server immediately
  • B. Reproduce the issue and gather logs/details to understand root cause ✓
  • C. Tell the customer it is working on your end
  • D. Escalate to engineering without any investigation
Correct answer: B. Reproducing the issue and gathering evidence isolates the root cause before any fix is applied.
In a Linux system, which command would you use to view the last 50 lines of a log file and continue watching it live as new entries are written?
  • A. tail -f -n 50 logfile ✓
  • B. head -50 logfile
  • C. rm logfile
  • D. wc -l logfile
Correct answer: A. tail -f -n 50 shows the last 50 lines and then streams new lines as they are appended in real time.

Medium round 10 questions

A customer reports your web app is 'down,' but your monitoring shows all servers healthy and other users are unaffected. What is the most effective first troubleshooting step?
  • A. Immediately restart the production application servers
  • B. Ask the customer for specifics: exact error, URL, browser, and when it started, ideally with a screenshot ✓
  • C. Tell the customer it's working fine on your end and close the ticket
  • D. Escalate directly to the senior backend engineering team
Correct answer: B. When symptoms aren't reproducible system-wide, gathering concrete reproduction details from the reporter is the fastest path to isolating whether it's environmental, user-specific, or a real bug.
You need to check whether a web server is returning the correct HTTP status and headers for a given URL from the command line. Which command is most appropriate?
  • A. ping example.com/api/health
  • B. curl -I https://example.com/api/health ✓
  • C. traceroute example.com
  • D. netstat -an | grep 443
Correct answer: B. curl -I sends a HEAD request and prints the response status line and headers, which is exactly what you need to inspect an endpoint's HTTP response.
A user gets a '403 Forbidden' error on a page that other users can access normally. Which cause is most consistent with this symptom?
  • A. The server is completely down and unreachable
  • B. The user's account lacks the permission or role required for that resource ✓
  • C. There is a DNS resolution failure for the domain
  • D. The database has run out of disk space
Correct answer: B. A 403 means the server understood the request but refuses to authorize it, which for a single affected user typically points to missing permissions rather than an outage or infrastructure failure.
While tailing application logs to diagnose an intermittent error, which command lets you watch new log lines appear in real time and filter for the word 'ERROR'?
  • A. cat app.log | grep ERROR
  • B. grep ERROR app.log | wc -l
  • C. tail -f app.log | grep ERROR ✓
  • D. head -n 100 app.log | grep ERROR
Correct answer: C. tail -f streams new lines as they are written, and piping to grep ERROR filters that live stream to only matching lines.
A customer says their API requests started failing with '401 Unauthorized' this morning, though nothing changed on their side. What is the most likely explanation to check first?
  • A. The API endpoint URL was permanently deleted
  • B. Their API key or access token expired or was rotated/revoked ✓
  • C. The customer's monitor has a rendering glitch
  • D. Their local machine ran out of RAM
Correct answer: B. A 401 indicates missing or invalid authentication credentials, and an expired or rotated token is the most common reason previously working requests suddenly fail with 401.
You suspect a slow page load is caused by one specific backend call. Which browser tool gives you the clearest per-request timing breakdown?
  • A. The browser's Console tab
  • B. The browser's Network tab (DevTools) ✓
  • C. The browser's bookmarks manager
  • D. The operating system's task manager
Correct answer: B. The Network tab in DevTools lists each request with its status, size, and timing waterfall, letting you pinpoint which call is slow.
A customer reports data they entered 'disappeared,' but you can see the record exists in the database with correct values. What is the most likely front-end explanation to investigate?
  • A. The database dropped the table and recreated it
  • B. The user is viewing a stale cached page or is logged into a different account/environment ✓
  • C. The server's CPU is overheating
  • D. The record was encrypted and cannot be shown
Correct answer: B. When the backend clearly has the data but the user can't see it, caching, session/account mismatch, or wrong environment are the usual causes to check first.
When writing a public reply to a frustrated customer whose issue you've confirmed is a real bug now scheduled for a fix, which response is best?
  • A. 'This isn't really a bug, you're just using it wrong.'
  • B. Acknowledge the impact, confirm it's a known bug, give a realistic ETA or workaround, and offer to follow up ✓
  • C. Promise it will be fixed within the hour to calm them down
  • D. Copy and paste a generic canned apology with no specifics
Correct answer: B. Good support acknowledges the customer's experience, sets honest expectations, and provides a concrete path forward, which builds trust without overpromising.
A SQL query a customer relies on is returning zero rows unexpectedly. You want to verify their data exists without risking any changes. Which query is safest to run first?
  • A. DELETE FROM orders WHERE customer_id = 42
  • B. UPDATE orders SET status = 'active' WHERE customer_id = 42
  • C. SELECT COUNT(*) FROM orders WHERE customer_id = 42 ✓
  • D. TRUNCATE TABLE orders
Correct answer: C. A SELECT COUNT(*) is read-only and safely confirms whether matching rows exist, whereas DELETE, UPDATE, and TRUNCATE all modify or destroy data.
A customer's requests are intermittently failing and you see '429 Too Many Requests' in their logs. What does this indicate?
  • A. The server crashed and needs a reboot
  • B. They are hitting a rate limit and should throttle or batch their requests ✓
  • C. Their SSL certificate is invalid
  • D. The request body was malformed
Correct answer: B. HTTP 429 signals the client has sent too many requests in a given window, so the fix is to respect the rate limit by slowing down or spacing out requests.

Hard round 10 questions

A service intermittently returns HTTP 502 from an Nginx reverse proxy sitting in front of an upstream Node.js app. `ss -s` on the proxy shows a growing number of sockets in TIME_WAIT, and `dmesg` is clean. The 502s correlate with traffic spikes. Which cause is most consistent with this evidence?
  • A. The upstream is closing keep-alive connections faster than Nginx expects, so Nginx sends requests on a half-closed connection and gets RST/EOF before a response ✓
  • B. The TLS certificate on the upstream has expired, causing handshake failures under load
  • C. The Linux conntrack table is full, silently dropping new connections to the upstream
  • D. DNS resolution for the upstream hostname is timing out during spikes
Correct answer: A. 502 Bad Gateway with EOF/RST on reused keep-alive sockets is the classic upstream-closed-idle-connection race, aggravated at high request rates.
You run `dig +trace example.com A` and it resolves correctly, but `dig example.com A @10.0.0.53` (your internal resolver) returns SERVFAIL. `dig example.com A @10.0.0.53 +cd` (checking disabled) succeeds. What is the most likely root cause?
  • A. The authoritative nameserver is rate-limiting the internal resolver
  • B. DNSSEC validation is failing on the internal resolver, likely due to a broken chain of trust or a clock skew problem ✓
  • C. The internal resolver has an empty root hints file
  • D. The A record TTL expired and the zone was not re-signed
Correct answer: B. SERVFAIL that disappears with +cd (checking disabled) is the signature of a DNSSEC validation failure on the validating resolver.
A Java service under load throws no OutOfMemoryError but latency P99 climbs from 40ms to 3s. The GC log shows frequent lines like `[Full GC (Ergonomics) ... 7800M->7750M(8000M), 5.2 secs]` recurring every few seconds. What does this pattern indicate?
  • A. Normal young-generation churn that can be ignored
  • B. A native memory leak outside the Java heap
  • C. The heap is nearly exhausted and the collector is in a GC-thrashing / 'GC overhead' state, reclaiming almost nothing per Full GC ✓
  • D. Metaspace is undersized and should be increased
Correct answer: C. Repeated multi-second Full GCs that free only ~50M of an 8G heap mean the live set nearly fills the heap, so the JVM thrashes reclaiming almost nothing.
A pod is repeatedly restarted. `kubectl describe pod` shows `Last State: Terminated, Reason: OOMKilled, Exit Code: 137`, and the container's `resources.limits.memory` is 512Mi. The app is a JVM with no `-Xmx` set. What is the most precise explanation?
  • A. Kubernetes killed the pod because a liveness probe failed
  • B. The JVM defaulted its max heap to a fraction of the 512Mi limit but total process memory (heap + metaspace + threads + native) exceeded 512Mi, so the kernel cgroup OOM-killed it ✓
  • C. The node ran out of memory and evicted the pod
  • D. Exit code 137 means the app called System.exit(137) on a fatal error
Correct answer: B. 137 = 128+9 (SIGKILL); the cgroup memory limit was breached because JVM total footprint (not just heap) exceeded 512Mi even with container-aware heap sizing.
Given this Postgres plan fragment for a slow query: `Seq Scan on orders (cost=0.00..48210.00 rows=1 width=8) Filter: (customer_id = 4821) Rows Removed by Filter: 2399999`. An index on `orders(customer_id)` already exists. Why might the planner still choose a sequential scan here?
  • A. Sequential scans are always faster than index scans in Postgres
  • B. Stale statistics cause the planner to mis-estimate selectivity, or the index is unusable (e.g., customer_id column type differs from the literal, disabling the index) ✓
  • C. The index is on the wrong table and cannot be used
  • D. Postgres never uses an index when the filter removes more than a million rows
Correct answer: B. The estimate `rows=1` vs 2.4M removed signals a bad estimate (stale ANALYZE) or a type mismatch preventing index use; correct estimates would favor the index for a single-row result.
During a tcpdump on a client that reports 'connection hangs', you see: client sends SYN, server replies SYN-ACK, client sends ACK, client sends a data segment, then the client retransmits that same data segment repeatedly with no ACK from the server, and finally an RST. The handshake completed fine. What is the most likely fault?
  • A. A firewall or middlebox is dropping established-connection data packets but allowed the handshake, or there is asymmetric routing so the server's ACKs never reach the client ✓
  • B. The server's DNS record points to the wrong IP
  • C. TLS negotiation failed because of a cipher mismatch
  • D. The client's TCP window size is set to zero
Correct answer: A. A completed handshake followed by unacknowledged data retransmits points to a stateful device/asymmetric path dropping data-carrying packets or return ACKs, not a name or TLS issue.
A curl to an HTTPS endpoint fails with `SSL certificate problem: unable to get local issuer certificate`, but the same URL loads fine in a browser on the same machine. What is the most accurate explanation?
  • A. The server certificate has expired
  • B. The server is not sending the intermediate CA certificate(s) in the chain; the browser fills the gap via cached/AIA-fetched intermediates, but curl's trust store only has the root and cannot build the chain ✓
  • C. The hostname does not match the certificate's SAN
  • D. curl does not support TLS 1.3 while the browser does
Correct answer: B. Browsers cache or fetch missing intermediates via AIA, masking a server that omits the intermediate cert; curl builds strictly from the presented chain plus roots, so it fails to find the issuer.
An L7 load balancer uses round-robin across 4 backends. One backend has a subtle bug that makes ~25% of requests return HTTP 500. Health checks (GET /healthz returning 200) pass. Users complain of sporadic errors. Which change best mitigates while you fix the root cause?
  • A. Switch the algorithm to least-connections
  • B. Enable sticky sessions so affected users stay on one backend
  • C. Make health checks deeper/outlier-detection based (eject a backend that returns a high rate of 5xx on real traffic), not just a static /healthz probe ✓
  • D. Increase the health check interval
Correct answer: C. A shallow /healthz masks a partially-failing backend; passive health checks / outlier detection on real 5xx rates will eject the bad instance from rotation.
A Kafka consumer group's lag is steadily growing on one partition while other partitions of the same topic stay near zero. Throughput of producers is uniform across keys. What is the most likely cause?
  • A. The broker holding that partition's leader is down
  • B. A single 'hot key' (or skewed partitioning) routes disproportionate messages to that partition, and/or one consumer instance handling it is slow/blocked on a poison message ✓
  • C. The consumer group's offset was reset to earliest
  • D. Replication factor is too low for that partition
Correct answer: B. Lag isolated to one partition while producer load is uniform points to key skew concentrating messages there or a single slow/stuck consumer for that partition.
You need to find, in a 20GB access log, the top 5 client IPs by request count only for requests that returned 503, where the IP is field 1 and status is field 9 (space-delimited). Which pipeline is correct and memory-efficient?
  • A. awk '$9==503{print $1}' access.log | sort | uniq -c | sort -rn | head -5 ✓
  • B. grep 503 access.log | awk '{print $1}' | head -5
  • C. awk '{print $1, $9}' access.log | grep 503 | wc -l
  • D. sort access.log | awk '$9=503{print $1}' | uniq | head -5
Correct answer: A. Only option A filters on the exact status field, counts per IP via sort|uniq -c, and orders descending; grep 503 would also match bytes/latency fields and `$9=503` is an assignment, not a comparison.

Prep for another role

Questions are original, written and independently verified for HireHire's role interview quizzes. They reflect the kind of knowledge Support Engineer interviews test, not any specific company's questions. HireHire maps live tech & IT jobs across India, updated regularly. Last updated: July 2026.