
Qcheck and Firewalls




If you have a firewall filtering traffic on your network, you may have to take certain steps to enable Qcheck to run tests between endpoints. Firewalls located in either of the following two locations can prevent Qcheck tests from completing:

Many types of firewalls will not allow Qcheck tests to run without additional configuration. Even the test setup information Qcheck sends from the Console to Endpoint 1 may be blocked, causing the entire test to fail. If the test fails, Qcheck returns an error message 2 minutes after the start of the test.

However, because Qcheck uses fixed port numbers to communicate with the endpoints, it's easy to configure your firewall to allow Qcheck data flows. Keep a record of the test setup you entered when a Qcheck test failed to complete. Qcheck uses different ports for tests that use different protocols. In addition, different ports are used for data that instructs Endpoint 1 which type of test to perform and how to perform it, for data that actually flows between the endpoint computers to test their connection, and for data informing the Console what results the test returned.

When deciding which ports to open, keep in mind that test setup, streaming test results and collecting CPU utilization always require a connection-oriented protocol.

Relevant Ports for Firewall Testing

The table below describes the data flows that may be affected and the corresponding port numbers used by Qcheck that you may need to configure at your firewall:

| Qcheck Data Flow | Port Number Used |
|---|---|
| Qcheck to Endpoint 1, test setup (TCP) | 10115 |
| Qcheck to Endpoint 1, test setup (SPX) | 10117 |
| Endpoint 1 to Endpoint 2, test data (all protocols) | 10113 |
| Endpoint 2 to Endpoint 1, streaming test results (TCP), CPU utilization | 10115 |
| Endpoint 2 to Endpoint 1, streaming test results (SPX), CPU utilization | 10117 |
| Endpoint 1 to Qcheck, test results (TCP, SPX) | 10114 |

When a firewall is not configured to allow the Qcheck test data to pass, you will typically see one of the following error messages, depending on where in the test the connection failed:

Be sure to press the Help for this message button at the bottom of an error message dialog to find out more about why the test failed to complete normally.

See the chapter entitled "Troubleshooting" for more information about Qcheck messages.

Traceroute tests and Firewalls

Traceroute depends on ICMP echo requests and replies. In order to run traceroute tests across a firewall, ICMP echo requests and replies must be allowed through the firewall. If your firewall is configured not to let ICMP echo requests into your network and Endpoint 1 is outside the firewall, Qcheck traceroute tests will fail, because Endpoint 1 can't send an ICMP echo request through the firewall.

However, configuring the firewall as follows allows ICMP echo replies (rather than requests) into your network and lets you run Qcheck traceroute tests by choosing as Endpoint 1 a computer inside the firewall. Use the following steps:

  1. Enable ICMP echo requests to pass from inside the firewall to outside the firewall.
  2. Enable ICMP echo replies to pass from outside the firewall to inside the firewall.

Opening ICMP echo requests from outside the firewall to the network inside the firewall jeopardizes network security, because it lets any application using the ICMP protocol enter your network behind the firewall.

Qcheck and Firewalls: Known Limitations

Tests run with firewalls performing network address translation (NAT) will fail if the Console is on the secure side of a firewall and a test runs between Endpoint 1 on the unsecure side and Endpoint 2 on the secure side. The test times out after two minutes from the start of the test. With the same configuration, however, and NAT disabled, tests will complete normally. We've noticed this behavior when attempting to run tests for throughput or response time with TCP or UDP.
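
The port table, the ICMP steps and the NAT limitation above can be combined into a small planning aid that lists only the openings a given layout needs. This is an added example, not part of the Qcheck documentation; the function name, the zone names "inside" and "outside", and the reading of each port as the flow's destination port are assumptions.

```python
# Added example: plan firewall openings for a Qcheck test from the page's port table.
# Assumptions: zone names "inside"/"outside"; each port is the flow's destination port.
FLOWS = [  # (source, destination, purpose, port by setup protocol)
    ("console", "endpoint1", "test setup", {"TCP": 10115, "SPX": 10117}),
    ("endpoint1", "endpoint2", "test data", {"TCP": 10113, "SPX": 10113}),
    ("endpoint2", "endpoint1", "streaming results, CPU utilization",
     {"TCP": 10115, "SPX": 10117}),
    ("endpoint1", "console", "test results", {"TCP": 10114, "SPX": 10114}),
]


def required_openings(zones, setup_proto="TCP", data_proto="TCP",
                      traceroute=False, nat=False):
    """Return (rules, warnings); a rule is (from_zone, to_zone, protocol, port, purpose)."""
    if setup_proto not in ("TCP", "SPX"):
        raise ValueError("setup and results need a connection-oriented protocol")
    rules, warnings = [], []
    for src, dst, purpose, ports in FLOWS:
        if zones[src] == zones[dst]:
            continue  # both hosts on the same side: the firewall never sees this flow
        proto = data_proto if purpose == "test data" else setup_proto
        rules.append((zones[src], zones[dst], proto, ports[setup_proto], purpose))
    e1, e2 = zones["endpoint1"], zones["endpoint2"]
    if traceroute and e1 != e2:
        # Requests travel from Endpoint 1 towards Endpoint 2, replies come back.
        rules.append((e1, e2, "ICMP", "echo-request", "traceroute"))
        rules.append((e2, e1, "ICMP", "echo-reply", "traceroute"))
        if e1 == "outside":
            warnings.append("inbound ICMP echo requests required; "
                            "choose an Endpoint 1 inside the firewall instead")
    if nat and (zones["console"], e1, e2) == ("inside", "outside", "inside"):
        warnings.append("known limitation: with NAT this layout times out "
                        "after two minutes")
    return rules, warnings


if __name__ == "__main__":
    # Constructed layout: Console and Endpoint 1 inside, Endpoint 2 outside.
    layout = {"console": "inside", "endpoint1": "inside", "endpoint2": "outside"}
    rules, warnings = required_openings(layout, data_proto="UDP", traceroute=True)
    for rule in rules:
        print("allow %s -> %s  %s %s  (%s)" % rule)
    for w in warnings:
        print("WARNING:", w)
```

Flows between hosts on the same side of the firewall are left out, so the result is the smallest set of rules to add for that layout.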
