QoS Policy Criteria Not Matching For App-id unknown-udp, unknown-tcp and incomplete.

Created On 11/02/23 03:41 AM - Last Modified 07/16/24 03:14 AM


Symptom


  • In the Network tab, under "QoS Statistics" and "QoS Rules", some entries are listed with a blank (empty) QoS rule name.
  • When filtering sessions by qos-class 4, sessions with the app-id "unknown-udp", "unknown-tcp" or "incomplete" are listed.
> show session all filter ingress-interface ethernet1/x qos-class 4
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
4xxx         unknown-udp    ACTIVE  FLOW       10.x.x.x[5XXX]/Test/17  (10.x.x.x[5XXX])
vsys1                                          10.x.x.x[5xxx]/Test  (10.x.x.x[5xxx])
6xxxx        unknown-tcp    ACTIVE  FLOW       172.x.x.x[6XXX]/Test/6  (172.x.x.x[6XXX])
vsys1                                          10.x.x.x[2xxx]/Test  (10.x.x.x[2xxx])
  • In the session details, the application is shown as "insufficient-data" or "insufficient", and the session QoS rule is "N/A", capped to class 4.
> show session id 6xxx
------(Output Omitted)------
        vsys                                 : vsys1
        application                          : unknown-tcp  (insufficient) 
        rule                                 : Test
        ........
        ingress interface                    : ethernet1/x
        egress interface                     : ae1.xx
        session QoS rule                     : N/A (class 4) 
        end-reason                           : unknown



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • QoS Settings


Cause


  • As per the PAN-OS packet flow, the app-id must be identified before a QoS class is assigned.
  • When traffic on the firewall is "unknown", the App-ID engine does not yet have enough data to identify the application.
  • In these cases the app-id is assigned as "unknown-udp", "unknown-tcp" or "incomplete".
  • By default all such unidentified traffic is mapped to class 4, and no QoS policy rule is matched for class 4.
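As an added example (not part of this article and not Palo Alto Networks code), the following Python parser reads the two-line "show session all" layout shown in the Symptom section and counts how many sessions carry an unidentified app-id, i.e. the sessions that will report "N/A (class 4)" as their QoS rule. The session records embedded in it are constructed placeholders, not output captured from a firewall.

```python
import re
from collections import Counter

# App-IDs PAN-OS assigns when the App-ID engine lacks enough data; by default
# such sessions land in QoS class 4 and no QoS policy rule is matched for them.
UNIDENTIFIED_APPS = {"unknown-udp", "unknown-tcp", "incomplete"}

# Constructed sample in the layout of "show session all" from this article
# (placeholder IDs, addresses and ports, not captured from a real firewall).
SAMPLE_OUTPUT = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
--------------------------------------------------------------------------------
4001         unknown-udp    ACTIVE  FLOW       10.0.0.5[5001]/Test/17  (10.0.0.5[5001])
vsys1                                          10.0.0.9[5353]/Test  (10.0.0.9[5353])
60002        unknown-tcp    ACTIVE  FLOW       172.16.1.5[6002]/Test/6  (172.16.1.5[6002])
vsys1                                          10.0.0.20[2222]/Test  (10.0.0.20[2222])
60003        ssl            ACTIVE  FLOW       172.16.1.6[6003]/Test/6  (172.16.1.6[6003])
vsys1                                          10.0.0.21[443]/Test  (10.0.0.21[443])
"""

# First line of a record: ID, Application, State, Type, optional Flag, then source.
_FIRST = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+(?:(?P<flag>[A-Za-z]+)\s+)?"
    r"(?P<src>\S+)\[(?P<sport>\d+)\]/(?P<szone>[^/]+)/(?P<proto>\d+)"
)
# Second line of a record: vsys name, then destination.
_SECOND = re.compile(r"^(?P<vsys>vsys\d+)\s+(?P<dst>\S+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)")

def parse_sessions(text):
    """Pair each ID line with the vsys line that follows it; rulers and headers are skipped."""
    sessions, pending = [], None
    for line in text.splitlines():
        m = _FIRST.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = _SECOND.match(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            sessions.append(pending)
            pending = None
    return sessions

def summarize(text):
    """Count sessions whose app-id is still unidentified (expect 'N/A (class 4)' for these)."""
    sessions = parse_sessions(text)
    unidentified = [s for s in sessions if s["app"] in UNIDENTIFIED_APPS]
    by_app = dict(Counter(s["app"] for s in unidentified))
    return {"total": len(sessions), "unidentified": len(unidentified), "by_app": by_app}
```

Run it against a saved copy of the real CLI output to see what share of class 4 traffic is there only because App-ID could not finish, rather than because a QoS rule placed it there.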


Resolution


This behavior is as designed.
