[V18 SD WAN] Application routing does not work

Hello,

I am currently testing the SD WAN functionalities, and one of the most interesting things for me does not work in our LAB...

Let's imagine I have two WAN links, one production and one backup, configured in the WAN link manager as active/backup.

I don't want Streaming Application to be routed by the backup link, so I created this SDWAN policy

(heavy traffic includes the category Streaming Application)

=> when the production link ADSL is disconnected, I have access to youtube (for example) through the backup link.

Youtube Video is correctly identified in the application list, and should not be routed through the backup link... but it does!

Any ideas?

  • In reply to Keyur:

    hello

    Thanks for the links, but this does not help me to solve this issue. I followed the video to build my SD route policy, which is the exact thing I want to do!

    but this does not work, streaming is routed regardless of the policy through the backup link.

  • In reply to guillaume bottollier:

    Same thing is happening to me. I followed the information in the video, but all traffic is still going to a single WAN interface.

    My goal:

    • all streaming to go to a specific WAN link (DSL)
    • all other traffic to the main WAN link (LTE)

    Based on the System Graphs, XG is simply not routing the streaming traffic to the other interface.

  • In reply to Arie:

    Hi,

    looking at your rules you have them in the wrong order, but it is very difficult to tell because you have masked the internal IP addresses.

    Ian

  • In reply to rfcat_vk:

    Both rules use the same subnet, as I'm trying to target only applications. In other words, different applications from the same addresses.

    Since the web sites that drive streaming traffic generally use HTTPS (e.g. YouTube) I figured I'd put the rule for streaming traffic first.

  • In reply to Arie:

    Hi,

    with that rule order nothing will get to the second rule, so as it is the https and http will go out the any rule.

    Ian

  • In reply to Arie:

    Some more information.

    I have created a rule for ICMP so it's easier to test. A tracert to google.com responds exactly the way I would expect the rule to work; when I set the gateway to DSL (Verizon) it follows that route and when I set it to LTE it uses Sprint. The results are very consistent:

    6 64 ms 50 ms 50 ms sl-crs1-dc-.sprintlink.net 
    7 76 ms 41 ms 38 ms sl-mst30-ash-be14.sprintlink.net

    4 40 ms 35 ms 38 ms g101-0-0-2.rcmdva-lcr-22.verizon-gni.net

    In other words, the routing engine functions properly. However, targeting applications fails.

    I have not yet tried separating other types of traffic.

  • In reply to rfcat_vk:

    with that rule order nothing will get to the second rule, so as it is the https and http will go out the any rule.

    What I have now is:

    1. Rule 1 - criterion is Application (Streaming). WAN interface: DSL
    2. Rule 2 - HTTP and HTTPS. WAN interface: LTE

    I assumed that the application/streaming rule would take precedence since it's the first rule.

    Are you saying that rule 2 (HTTP/HTTPS) takes precedence even though the first rule specifies the application?

    If this is the case, how would I configure the rules so Streaming is routed to a specific interface?

  • In reply to Arie:

    Hi,

    what I am saying is the rule order takes precedence, not the rule number. You had "any" service in the higher placed rule which would allow http/s out.

    Also I assume you have a linked NAT rule for each firewall rule?

    Ian

  • In reply to rfcat_vk:

    what I am saying is the rule order takes precedence, not the rule number. You had "any" service in the higher placed rule which would allow http/s out.

    Also I assume you have a linked NAT rule for each firewall rule?

    OK - I understand where you're coming from now. However, the first rule "Force streaming to DSL", while having the criterion "any service", does have the Application Object set to "Streaming Media".

    That's why I figured this rule would fire on streaming media.

    As far as the NAT config, I'd have to take a look. I haven't looked at it since I upgraded from v17.

  • In reply to Arie:

    Hi Arie,

    this is a comment and I cannot remember where I got it from. "The application function in a firewall rule is primarily designed as DENY and is not very good at ALLOW."

    I would suggest you change your destination to some streaming sites and add the ports they use to improve your testing.

    Ian

  • In reply to rfcat_vk:

    this is a comment and I cannot remember where I got it from. "The application function in a firewall rule is primarily designed as DENY and is not very good at ALLOW."

    I would suggest you change your destination to some streaming sites and add the ports they use to improve your testing.

    Hi Ian,

    Okay - I remember reading something like that also, but since Sophos has instructions specifically for the scenario in question (routing streaming media) I figured this would be fully supported. Judging by the questions people are posting about it I wonder if it is all working as intended, though.

    By the way, here's the official Sophos video I am referring to: https://vimeo.com/390800287.

    As far as adding the ports for streaming, I doubt that would work since the initial client request for the video would be over 443.

    I have, however, added a category "Search Engines" in the application section. No luck so far, though. It's possible that I need to wait for the TTL to expire (3600 seconds). Aside from rebooting the XG I don't know of a way to clear the tables. Anything in the CLI?

  • In reply to Arie:

    Hi Arie,

    I had some issues with that video, it does not really apply to the v18 GA SR2 eg there is no troubleshooting tab.

    I would suggest you try changing your destination to a specific site.

    I have one of my streaming radio station applications point at the station server, it also uses a specific port.

    If you have a rule allowing https (443) to allow initial connection/setup and then a rule with the actual application streaming port and redirect that using SD-WAN.

    Ian

    Late breaking thought - something you said in an earlier post about migration, have you deleted all of your SD-WAN migration policies?

  • In reply to rfcat_vk:

    hi

    After doing some debugging with Sophos support, it's clear that this SDWAN routing by application feature is crap... by design.

    When you are going to the youtube website, XG will consider the traffic to be port 443 for the sdwan routing policy, and not the youtube video application.

    this feature is useless, unless there is a real improvement in the way it has been implemented.

  • In reply to rfcat_vk:

    Hi Ian,

    I had some issues with that video, it does not really apply to the v18 GA SR2 eg there is no troubleshooting tab.

    I had noticed the discrepancy also, but given that Sophos went through the trouble of specifically linking this video from the admin interface you'd think the information would be reliable.

    I would suggest you try changing your destination to a specific site.

    That may be the only way to get this to work.

    I have one of my streaming radio station applications point at the station server, it also uses a specific port.

    Does it use a specific port even for the client request? I.e. not 80/443?

    If you have a rule allowing https (443) to allow initial connection/setup and then a rule with the actual application streaming port and redirect that using SD-WAN.

    Would that work? I'd imagine that the behavior would be unpredictable at best if 'regular' (443/80) traffic goes out on a different egress IP-address than you want the response (i.e. streaming) to come in on. The server is going to send the response to whichever public address made the request. 

    Late breaking thought - something you said in an earlier post about migration, have you deleted all of your SD-WAN migration policies?

    I've started looking at that a bit more. After migration I cleaned up a bunch of stuff, but it looks like I never got around to cleaning up NAT. There might be more migration-stuff lurking in other places.

    I did, however, clone my FW-rule and create a new NAT (MASQ) policy for it to replace the migrated policy. Unfortunately, no luck so far.

    Troubleshooting is cumbersome, though, since there doesn't seem to be a way to clear the persistence other than rebooting the XG.
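The two points the thread settles on, that SD-WAN rules are evaluated top-down with the first match winning, and that the routing decision for a YouTube session is taken on the initial port-443 connection before the application has been identified, can be shown with a small constructed model. This is an added example, not Sophos XG code and not posted by anyone in the thread; the Rule and Flow classes, the rule names, the 10.0.0.25 and 203.0.113.10 addresses, and the assumption that the route is chosen at the first packet are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of ordered, first-match SD-WAN routing rules.
# It is not Sophos XG code; it only reproduces the behaviour the thread reports.

Service = Tuple[str, int]  # (protocol, destination port)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    application: Optional[str] = None  # None until DPI has classified the flow


@dataclass(frozen=True)
class Rule:
    name: str
    gateway: str
    services: FrozenSet[Service] = frozenset()  # empty = "any service"
    destinations: FrozenSet[str] = frozenset()  # empty = any destination
    application: Optional[str] = None           # None = any application

    def matches(self, flow: Flow) -> bool:
        # Every configured criterion must hold; unset criteria match anything.
        if self.services and (flow.proto, flow.dst_port) not in self.services:
            return False
        if self.destinations and flow.dst not in self.destinations:
            return False
        if self.application is not None and flow.application != self.application:
            return False
        return True


def select_gateway(rules: List[Rule], flow: Flow,
                   default: str = "default-route") -> Tuple[str, str]:
    """Top-down first match: the first rule whose criteria all hold decides the gateway."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.gateway
    return "(no rule)", default


HTTP_S: FrozenSet[Service] = frozenset({("tcp", 80), ("tcp", 443)})
LAN_CLIENT = "10.0.0.25"        # constructed internal address
STREAM_SERVER = "203.0.113.10"  # constructed address standing in for a streaming server

# The ordering Arie describes: application rule first, generic web rule second.
STREAMING_FIRST = [
    Rule("Force streaming to DSL", "DSL", application="Streaming Media"),
    Rule("Web to LTE", "LTE", services=HTTP_S),
]

# The ordering Ian warns about: an "any service" rule with no other criterion on top.
ANY_FIRST = [
    Rule("Any to DSL", "DSL"),
    Rule("Web to LTE", "LTE", services=HTTP_S),
]

# Ian's suggested workaround: match a specific destination instead of an application.
DESTINATION_BASED = [
    Rule("Streaming server to DSL", "DSL", destinations=frozenset({STREAM_SERVER})),
    Rule("Web to LTE", "LTE", services=HTTP_S),
]

# Arie's ICMP test rule: a plain service criterion.
ICMP_TEST = [Rule("ICMP to DSL", "DSL", services=frozenset({("icmp", 0)}))]


def route_first_packet(rules: List[Rule]) -> Tuple[str, str]:
    """Decision at the TCP handshake: only the 5-tuple is known, the application is not."""
    syn = Flow(LAN_CLIENT, STREAM_SERVER, "tcp", 443, application=None)
    return select_gateway(rules, syn)


def route_after_classification(rules: List[Rule]) -> Tuple[str, str]:
    """The same flow once DPI has labelled it, if the decision were taken only then."""
    classified = Flow(LAN_CLIENT, STREAM_SERVER, "tcp", 443, application="Streaming Media")
    return select_gateway(rules, classified)


def route_icmp(rules: List[Rule]) -> Tuple[str, str]:
    """Arie's tracert test: ICMP matched on service alone works as expected."""
    ping = Flow(LAN_CLIENT, STREAM_SERVER, "icmp", 0)
    return select_gateway(rules, ping)


if __name__ == "__main__":
    print("streaming-first, at SYN:   ", route_first_packet(STREAMING_FIRST))
    print("streaming-first, after DPI:", route_after_classification(STREAMING_FIRST))
    print("any-first, at SYN:         ", route_first_packet(ANY_FIRST))
    print("destination-based, at SYN: ", route_first_packet(DESTINATION_BASED))
    print("ICMP test rule:            ", route_icmp(ICMP_TEST))
```

With the streaming rule on top, the SYN to port 443 carries no application label yet, so the first rule fails its application criterion and the flow falls through to the web rule and leaves via LTE; the same flow would hit the streaming rule if the decision were taken after classification, which is the gap guillaume's support case points at. Putting an unconstrained "any" rule on top sends everything through it, which is Ian's ordering point, while a destination or service criterion is known at the first packet and therefore matches reliably, which is why the ICMP test and the specific-destination workaround behave as expected.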