QoS markings on packets are used to prioritize traffic. For priority traffic, if these markings are altered by a device in the network, a poor user experience can occur. APM can generate an alert if it detects that QoS markings are altered by a network device. An alert will be generated only if the following are true:
- the network path is configured with the QoS Settings field set to something other than “None”. It should be set to the QoS markings your application data uses so that the network treats AppNeta test packets the same as it does application packets.
- an alert profile with the QoS change condition configured is applied to the network path
- a QoS change is detected by the source monitoring point
For single-ended paths, QoS changes are detected using both ICMP and UDP messages as follows:
- An ICMP echo request is sent from the source monitoring point to the target.
- An ICMP echo response is returned and the QoS markings on the response are evaluated:
- If they are the same as what was sent (the typical response) - all is good and no alert is generated.
- If they are different than what was sent and are non-zero - a change took place somewhere on the path and an alert is generated
- If they are zero (i.e. cleared) - then, because some targets clear QoS markings in ICMP echo replies (and we do not want to generate an alert if the target clears the markings), we need the results of a UDP test. In this test, small UDP packets are sent to a random high port (most likely unused) at the target. The expectation is that the target will reply with an ICMP “Port Unreachable” message containing the header of the denied packet in its payload. The QoS markings in that header are then compared to the QoS markings that were sent to determine if they were altered on the outbound (source to target) path.
- If the markings are different - a change took place somewhere on the outbound path and an alert is generated.
- If the markings are the same - we know that the markings were not altered on the outbound path so either the target or a device on the return path cleared the markings in the original ICMP echo response. Because we can’t distinguish between the two, the result is indeterminate and no alert is generated.
Note: Because the “Port Unreachable” check normally occurs every five minutes, if a QoS change violation occurs, it takes at least five minutes to clear.
For dual-ended paths, QoS changes are detected using only UDP messages. The source and target monitoring points are both configured to use the user-specified QoS value. So, if the target detects a QoS change in a packet it is sent, it informs the source and the source generates an alert. If the source detects a QoS change in incoming packets it also generates an alert.