What is System Application Cache?
An application cache stores a resource so that later requests are served from the cache rather than fetched again over the network. Versa's system application cache maps the VRF, destination IP address, protocol and destination port of a flow to one or more applications. Versa's DPI engine identifies an application after inspecting the first few packets of a new session; the number of packets needed differs per application. For example, suppose all traffic from Source A is routed to Link 1 except Office 365 traffic, which must go to Link 2. While the first Office 365 session is flowing, the DPI engine inspects it, identifies Office 365, stops that traffic from continuing on Link 1, and creates an application cache entry for the destination so that later Office 365 sessions are recognized immediately.
For scenarios where the correct match is required on the very first packet, Versa identifies the application by looking up the packet's VRF, destination IP address and port in the application cache instead of waiting for DPI to finish.
Policy rules that apply to the traffic, such as Security policy, SD-WAN policy and PBF policy, are evaluated only after the application has been identified. Until then the disposition of the session is unknown, which is a problem for policies that decide a Local Breakout (LBO) for certain applications, for example an SD-WAN policy or a PBF policy: the packets sent before identification completes cannot be steered by the application-based rule.
How is the Application Cache Created?
The DPI engine detects all the applications associated with a session and creates an application cache entry for the session's destination, or updates the entry if one already exists. Entries are created only for applications that are referenced by an SD-WAN, PBF or Service Chaining policy rule; if no policy rule refers to an application, no cache entry is created for it.
Do the Entries in the Application Cache Expire?
Yes. An entry in the application cache times out if it has not been referenced for one hour. Each new session that matches an entry refreshes it, which keeps it from expiring. All application cache entries are purged when the Versa services restart.
Enabling PBF Application Cache
Follow these steps to enable Application Cache using Versa Director GUI:
- Select Administration > Appliance and click on the appliance in the dashboard to navigate to the appliance context.
- In Appliance context, select Configuration > Networking > Policy Based Forwarding > Application Detection.
- Click the Edit icon to modify the Application Detection configuration.
NOTE: Application cache is enabled by default in the Application Detection dashboard.
Enabling SD-WAN Application Cache
Follow these steps to enable Application Cache using Versa Director GUI:
- Select Administration > Appliance and click on the appliance in the dashboard to navigate to the appliance context.
- In the Appliance context, select Configuration > Services > SDWAN > Application Detection.
- Click the Edit icon to modify the Application Detection configuration.
NOTE: Application cache is enabled by default in the Application Detection dashboard.
Viewing Application Cache Entries
Run the show <org-service> application-cache 1 CLI command in debug mode to view the application cache entries, where <org-service> is the service whose cache you want to inspect (pbf in the example below).
Example:
vsm-vcsn0> show pbf application-cache 1
ID Vrf Dst-Addr    Proto Dst-Port Hits Age Application/URL Category
======================================================================
0  8   10.40.23.12 6     80       0    0   App http (211)
0  8   10.40.23.12 6     80       0    0   App cnn (1522)
1  8   10.40.23.6  6     80       0    1   App http (211)
1  8   10.40.23.6  6     80       0    1   App salesforce (1222)
In the example above:
- 10.40.23.12 is associated with the applications HTTP and CNN.
- 10.40.23.6 is associated with the applications HTTP and Salesforce.
- Each entry in the cache has a hit count that indicates how many times the entry has been looked up:
- 0 indicates that the entry is present but has not yet been referenced, and
- 1 or more indicates that the entry has been referenced that many times.
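As an added example (not Versa's code, and not a guarantee of the CLI's output format), the following Python parses show application-cache output of the shape above into entries keyed by (VRF, destination address, protocol, destination port) and answers the two questions an operator asks when troubleshooting: is a destination present in the cache at all, and has its entry been referenced yet. The sample text is constructed from the example output above; the regular expression assumes rows keep that column order, and the helper names are this example's own.

```python
import re

# Constructed sample, copied from the example output above (two destinations, two apps each).
SAMPLE_OUTPUT = """\
vsm-vcsn0> show pbf application-cache 1
ID Vrf Dst-Addr    Proto Dst-Port Hits Age Application/URL Category
======================================================================
0  8   10.40.23.12 6     80       0    0   App http (211)
0  8   10.40.23.12 6     80       0    0   App cnn (1522)
1  8   10.40.23.6  6     80       0    1   App http (211)
1  8   10.40.23.6  6     80       0    1   App salesforce (1222)
"""

# One data row: seven numeric columns, then "<type> <app-name> (<app-id>)". Assumes the
# column order shown above; the prompt, header and separator lines do not match and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<vrf>\d+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>\d+)\s+(?P<port>\d+)\s+(?P<hits>\d+)\s+(?P<age>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<app>\S+)\s+\((?P<appid>\d+)\)\s*$"
)


def parse_app_cache(text):
    """Group rows by (vrf, dst, proto, port); each key carries id, hits, age and its app list."""
    entries = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        key = (int(m["vrf"]), m["dst"], int(m["proto"]), int(m["port"]))
        entry = entries.setdefault(
            key, {"id": int(m["id"]), "hits": int(m["hits"]), "age": int(m["age"]), "apps": []}
        )
        entry["apps"].append((m["app"], int(m["appid"])))
    return entries


def apps_for(entries, key):
    """Application names cached for one destination tuple (empty if the tuple is absent)."""
    return [app for app, _ in entries[key]["apps"]] if key in entries else []


def check_destination(entries, dst_ip):
    """Troubleshooting helper: is dst_ip cached at all, and has the entry been used yet?

    Returns a list of (key, status); status is 'not-yet-referenced' for a hit count of 0
    (the entry was just created) or 'referenced' otherwise. An empty list means the address
    is absent, so the next session to it is classified by DPI rather than by the cache.
    """
    result = []
    for key, entry in entries.items():
        if key[1] == dst_ip:
            status = "not-yet-referenced" if entry["hits"] == 0 else "referenced"
            result.append((key, status))
    return result


if __name__ == "__main__":
    cache = parse_app_cache(SAMPLE_OUTPUT)
    for key in cache:
        print(key, apps_for(cache, key))
    print(check_destination(cache, "10.40.23.12"))
```

Paste the live output of the command into parse_app_cache and call check_destination with the address the failing session is going to; an empty result or a 'not-yet-referenced' status explains a first session that took the wrong path.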
Policy Rule Lookup
When several applications are associated with the same destination, the system performs the policy rule lookup with all the applications cached for that server and returns the first rule, in rule order, that matches any of them. Because the cache is keyed on the destination rather than on the content of the new session, that first-packet decision applies to every session to that destination, whichever of the cached applications it turns out to be.
Consider these rules in the above example:
- Rule 1—Match for application Salesforce.
- Rule 2—Match for application HTTP.
- Rule 3—Match for application CNN.
A Salesforce session (a session to 10.40.23.6:80) matches Rule 1.
A CNN session (a session to 10.40.23.12:80) matches Rule 2 and does not reach Rule 3, because the cached applications for 10.40.23.12 include HTTP and Rule 2 is evaluated first.
To have CNN traffic match Rule 3, place Rule 3 above Rule 2.
Troubleshooting Application Detection
Local Breakout (LBO) configured for some applications does not take effect even though the session is active over SD-WAN. How do I resolve this?
Check the following to resolve this issue:
- Ensure the policy is configured under the correct service (SD-WAN or PBF).
- Many SaaS applications are served from a large number of IP addresses, and it can take some time for all of them to make their way into the cache. Keep the following in mind:
- The first session to each new IP address misses the correct rule, because no cache entry exists yet. Therefore, check which IP address the session in question is destined to.
- Check whether that IP address is present in the application cache using the show command described above. If it is present, check the hit count: a hit count of 0 means the entry has just been created and has not yet been used for a lookup.
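The following Python model, added here as an illustration and not Versa's implementation, ties together the rule-lookup behaviour described under Policy Rule Lookup and the first-session miss described in this troubleshooting note. It assumes a cache keyed on the (VRF, destination IP, protocol, destination port) tuple shown by show application-cache, a one-hour idle timeout, a hit count that grows with every lookup, entries created only for applications that some rule references, and a default path (named "sdwan" here) for sessions that have no cache entry. The rule names and actions follow the page's example; the timestamps and the class and function names are constructed for this example.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 3600  # page: an entry times out after one hour without a reference


@dataclass
class CacheEntry:
    apps: set          # applications DPI associated with this destination
    hits: int = 0      # number of first-packet lookups that used the entry
    last_ref: float = 0.0


@dataclass
class Rule:
    name: str
    app: str
    action: str        # "lbo" (local breakout) or "sdwan" (stay on the overlay); assumed names


class AppCache:
    """Assumed model of the system application cache: key -> CacheEntry."""

    def __init__(self, referenced_apps):
        self.referenced = set(referenced_apps)  # apps named in some SD-WAN/PBF/service-chain rule
        self.entries = {}

    def learn(self, key, apps, now):
        """Called once DPI has named the apps of a session. Returns False if nothing is cached."""
        wanted = set(apps) & self.referenced   # entries exist only for policy-referenced apps
        if not wanted:
            return False
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = CacheEntry(apps=wanted, last_ref=now)
        else:
            entry.apps |= wanted
        return True

    def lookup(self, key, now):
        """First-packet lookup: returns the cached app set, or None on a miss/expired entry."""
        entry = self.entries.get(key)
        if entry is None:
            return None
        if now - entry.last_ref > IDLE_TIMEOUT:
            del self.entries[key]               # not referenced for an hour: expired
            return None
        entry.hits += 1                         # a matching session refreshes the entry
        entry.last_ref = now
        return entry.apps

    def restart(self):
        self.entries.clear()                    # entries are purged on service restart


def match_rule(rules, apps):
    """First rule in order whose application is among the candidates; order decides ties."""
    for rule in rules:
        if rule.app in apps:
            return rule
    return None


def first_packet_decision(cache, rules, key, now, default="sdwan"):
    """Path chosen for the first packet of a session, as (action, rule name or None)."""
    apps = cache.lookup(key, now)
    if apps is None:
        return default, None                    # cache miss: app unknown, default path
    rule = match_rule(rules, apps)
    return (rule.action, rule.name) if rule else (default, None)


def run_scenario():
    """Walk through the page's example; returns the decisions so they can be checked."""
    rules = [Rule("Rule 1", "salesforce", "lbo"),
             Rule("Rule 2", "http", "sdwan"),
             Rule("Rule 3", "cnn", "lbo")]
    cache = AppCache(referenced_apps={r.app for r in rules})
    cnn = (8, "10.40.23.12", 6, 80)
    sf = (8, "10.40.23.6", 6, 80)
    out = {}
    # First session to a new IP: nothing cached, so the first packet takes the default path.
    out["cnn_first"] = first_packet_decision(cache, rules, cnn, now=0)
    # DPI names the apps a few packets in; entries are created for future sessions.
    cache.learn(cnn, ["http", "cnn"], now=0)
    cache.learn(sf, ["http", "salesforce"], now=0)
    # Second session: cache hit; Rule 2 (http) sits above Rule 3 (cnn), so CNN gets Rule 2.
    out["cnn_second"] = first_packet_decision(cache, rules, cnn, now=10)
    out["cnn_hits"] = cache.entries[cnn].hits
    # Placing Rule 3 above Rule 2 makes CNN traffic break out locally.
    reordered = [rules[2], rules[0], rules[1]]
    out["cnn_reordered"] = first_packet_decision(cache, reordered, cnn, now=20)
    # Salesforce matches Rule 1 even though its server is also cached as http.
    out["sf"] = first_packet_decision(cache, rules, sf, now=30)
    # An hour of idleness expires the entry; the next session misses again.
    out["cnn_expired"] = first_packet_decision(cache, rules, cnn, now=20 + IDLE_TIMEOUT + 1)
    return out


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(step, decision)
```

The second CNN decision shows the consequence of keying the cache on the destination: once a server is cached with several applications, rule order rather than the session's content decides which rule fires on the first packet, so a broad rule (HTTP) placed above a specific one (CNN) silently takes precedence for every session to that server.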