Citrix SD-WAN

Application Route

In a typical enterprise network, the branch offices access applications on the on-premises data center, the cloud data center, or the SaaS applications. The application routing feature allows you to steer applications through your network easily and cost-efficiently. For example, when a user at a branch site tries to access a SaaS application, the traffic can be routed so that the branch office reaches the SaaS application on the internet directly, without first going through the data center.

Citrix SD-WAN allows you to define the application routes for the following services:

  • Virtual Path: This service manages traffic across the Virtual Paths. A Virtual Path is a logical link between two WAN links. It comprises a collection of WAN Paths combined to provide high service-level communication between two SD-WAN nodes. The SD-WAN appliance measures the network on a per-path basis and adapts to changing application demand and WAN conditions. A Virtual Path can be static (always exists) or dynamic (exists only when traffic between two SD-WAN Appliances reaches a configured threshold).

  • Internet: This service manages traffic between an Enterprise site and sites on the public Internet. Internet traffic is not encapsulated. When congestion occurs, the SD-WAN actively manages bandwidth by rate-limiting Internet traffic relative to the Virtual Path and Intranet traffic.

  • Intranet: This service manages Enterprise Intranet traffic that has not been defined for transmission across a Virtual Path. Intranet traffic is not encapsulated. The SD-WAN manages bandwidth by rate-limiting this traffic relative to other service types during times of congestion. Under certain conditions, and if Intranet Fallback is configured on the Virtual Path, traffic that ordinarily travels through a Virtual Path can instead be treated as Intranet traffic.

  • Local: This service manages traffic local to the site that matches no other service. SD-WAN ignores traffic sourced and destined to a local route.

  • GRE Tunnel: This service manages IP traffic destined for a GRE tunnel, and matches the LAN GRE tunnel configured at the site. The GRE Tunnel feature enables you to configure SD-WAN appliances to terminate GRE tunnels on the LAN. For a route with service type GRE Tunnel, the gateway must reside in one of the tunnel subnets of the local GRE tunnel.

  • LAN IPsec Tunnel: This service manages IP traffic destined for a LAN IPsec tunnel, and matches the LAN IPsec tunnel configured at the site. The LAN IPsec Tunnel feature enables you to configure SD-WAN Appliances to terminate IPsec tunnels on the LAN or WAN side.

To perform service steering for applications, it is important to identify an application on the first packet itself. Initially, the packets flow through the IP route. Once the traffic is classified and the application is known, the corresponding application route is used. First packet classification is achieved by learning the IP subnets and ports associated with application objects. These are obtained from the historical classification results of the DPI classifier and from user-configured IP port match types.
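An added sketch of this first-packet logic, not Citrix code: a table of learned (subnet, port) entries maps a flow's first packet to an application object, and unmatched flows fall back to the IP route. The class and function names, the sample addresses and application names, and the longest-prefix tie-break are assumptions made for illustration.

```python
import ipaddress

# Illustrative model only; names and matching rules are assumptions, not SD-WAN internals.
class FirstPacketClassifier:
    def __init__(self, user_rules=()):
        # Each entry: (network, port or None for any port, application object)
        self.entries = []
        for cidr, port, app in user_rules:  # user-configured IP/port match types
            self.learn(cidr, port, app)

    def learn(self, cidr, port, app):
        entry = (ipaddress.ip_network(cidr, strict=False), port, app)
        if entry not in self.entries:
            self.entries.append(entry)

    def learn_from_dpi(self, dst_ip, dst_port, app):
        # Historical DPI result: lets the next flow to this destination match on packet one.
        self.learn(dst_ip, dst_port, app)

    def classify(self, dst_ip, dst_port):
        ip = ipaddress.ip_address(dst_ip)
        best_key, best_app = None, None
        for net, port, app in self.entries:
            if ip in net and port in (None, dst_port):
                # Assumed tie-break: longest prefix, then exact port over any port
                key = (net.prefixlen, port is not None)
                if best_key is None or key > best_key:
                    best_key, best_app = key, app
        return best_app

def steer(classifier, app_routes, dst_ip, dst_port, ip_route_service):
    """Return (service, reason) for the first packet of a new flow."""
    app = classifier.classify(dst_ip, dst_port)
    if app is not None and app in app_routes:
        return app_routes[app], "application route: " + app
    return ip_route_service, "IP route"

# Constructed sample data (documentation address ranges)
APP_ROUTES = {"saas-crm": "Internet", "saas-mail": "Internet"}
def demo():
    clf = FirstPacketClassifier([("198.51.100.0/24", 443, "saas-crm")])
    first = steer(clf, APP_ROUTES, "203.0.113.10", 443, "Virtual Path")
    clf.learn_from_dpi("203.0.113.10", 443, "saas-mail")  # DPI classified flow 1
    second = steer(clf, APP_ROUTES, "203.0.113.10", 443, "Virtual Path")
    return first, second

if __name__ == "__main__":
    print(demo())
```

In this model, every destination covered by a learned subnet and port takes that application's route, so the learned table decides which flows leave through the Internet service rather than the IP route.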

To view statistics data for the application routes:

  1. In the SD-WAN GUI, navigate to Monitoring > Statistics.

  2. From the Show drop-down list, select Application Routes.


You can view the following statistics:

  • Application Object: Name of the application object.
  • Gateway IP Address: The gateway IP address used by application objects with GRE Tunnel service type.
  • Service: The service type mapped to the application object.
  • Firewall Zone: The firewall zone that this route falls in.
  • Reachable: The status of the application route.
  • Site: Name of the site.
  • Type: Indicates if the route is static or dynamic.
  • Cost: The priority of the route.
  • Hit Count: The number of times the application route is used to steer the traffic.
  • Eligible: Indicates whether the application route is eligible to send the traffic.
  • Eligibility Type: The type of route eligibility condition applied to this route. The eligibility type can be Path, Gateway, or Tunnel.
  • Eligibility Value: The value specified for the route eligibility condition.

Note

In the current release, applications that are defined in an application object using the application family match type cannot be steered.

Troubleshooting

After creating the application route, you can confirm that the application is correctly routed to the intended service using the Monitoring section.

To view if the application is correctly routed to the intended service, navigate to the following pages:

  • Monitoring > Statistics > Application Routes
  • Monitoring > Flows
  • Monitoring > Firewall

If there is any unexpected routing behavior, collect the STS diagnostics bundle while the issue is being observed, and share it with the Citrix Support team.

The STS bundle can be created and downloaded using Configuration > System Maintenance > Diagnostics > Diagnostic Information.
