The ‘qos change’ condition violates when qos has been altered in either the outbound or inbound direction.
For the outbound direction, AppNeta Performance Manager (APM) uses icmp port-unreachable messages to monitor for when that happens. Small udp packets are sent to a random high port at the target, which is most likely unused. This is done to elicit a port-unreachable (PU) icmp message. The PU packet contains in its payload the ip header of the denied udp packet. By comparing the qos marking in that header to the qos marking we sent, we know whether qos was altered en route: if the qos found in the payload was altered or cleared, the condition violates; if it matches what we sent, we then check the inbound direction.
In order to know whether qos was altered from target to source we compare the icmp echo and response pairs used for continuous monitoring. Generally, the target will use the same qos value as arriving packets, or it will zero the qos. If the echo-response qos is zero we have no way of determining whether the target cleared it, or it was cleared en route. So, the condition is not violated. If the echo-response qos is non-zero and different from the echo-request, we know from the PU check that the outbound direction is fine, so most likely the qos change happened inbound, and the condition is violated.
For dual-ended paths, the qos detection in the inbound direction is different since dual-ended paths use udp not icmp. The source and target appliance are both configured to use the user-specified qos value, so the source appliance simply has to inspect incoming udp packets to determine whether the qos was altered en route.
Quality of service changes are detected only if the path settings include qos markings and an alert profile with qos condition is applied. Quality of service changes are also only detected by the source appliance, so if qos is added and then stripped by your ISP, which is upstream, changes to those markings won’t be detected by the appliance.
The PU check normally occurs every 5 minutes. This means that if a qos change violation occurs, it takes this long to clear.