How to troubleshoot SD-WAN degraded application performance

Created On 01/18/23 21:21 PM - Last Modified 08/23/23 21:00 PM


Objective


Troubleshooting SD-WAN degraded application performance

Environment


  • SD-WAN
  • Application Performance


Procedure


  1. Identify which application is impacted and which SD-WAN link health metric is degrading its performance, either from your detection tool or from Panorama > SD-WAN > Monitoring by following the first six steps listed in Troubleshoot App Performance. The view in Step 5 shows how many Bytes were Impacted versus the Total Bytes.
  2. Verify that the application traffic matches the correct SD-WAN Policy Rule; you can see this in the Panorama UI SD-WAN monitoring once you drill down to the impacted application. If it does not match, check the configuration of your SD-WAN Policy Rules under Panorama > Device Groups > POLICIES > SD-WAN.
  3. Consult your internet service provider (ISP) to determine if there are impacts to your network outside of your control that they can resolve.
  4. Check whether you need to adjust the Jitter, Latency and Packet Loss thresholds configured in the Path Quality Profile attached to that SD-WAN policy rule.
    1. If those thresholds are too strict, the result is unnecessary link failover. Test whether the user experience of that application is impacted with more relaxed thresholds; if it is not, consider increasing the threshold values.
    2. As a reference, you can use the pre-defined Path Quality Profiles under Panorama > Device Groups > OBJECTS > SD-WAN Link Management > Path Quality Profile, which are based on the application sub-category. To find out which sub-category your application belongs to, use Applipedia.
  5. Check which Traffic Distribution Profile is used in the SD-WAN Policy Rule and check its configuration under Panorama > Device Groups > OBJECTS > SD-WAN Link Management > Traffic Distribution Profile.
    1. If the traffic distribution is Top Down Priority, then verify that the link tags listed are in the correct order.
    2. Consider adding additional links to the traffic distribution profile. By adding additional links for app traffic to failover to, you help ensure that the app traffic and user experience are not impacted by links with degraded health.
    3. If the link(s) in the traffic distribution profile are down, troubleshoot those links and bring them back up to a healthy state.
  6. If possible, configure QoS on the hub, the branch FW and any other device in the path of the traffic in order to prioritize this application's traffic over other applications along its way. Starting with PAN-OS 10.2.1 and SD-WAN plugin 3.0.1, the Copy ToS Header feature was introduced to enable network devices to read the ToS field of the original packet prior to tunnel encapsulation.
  7. If you have access to the CLI, use the following additional troubleshooting steps:
    1. If possible, trigger a new session of the impacted application. This helps guide the troubleshooting effort, because you can then determine a session id using:
      show session all filter application <name of the application>
    2. Using the session id, filter the SD-WAN events on that FW using:
      show sdwan event | match <session id>
    3. Using the session id, filter the SD-WAN session path selection to check which SD-WAN policy rule this session matched, which egress interface it used, and what Latency, Jitter and Packet Loss were calculated at that time:
      show sdwan session path-select session-id <session id>
    4. To check the configured SD-WAN rules from the CLI:
      show sdwan rule
      This helps in quickly checking the configured Path Quality Profile for a particular SD-WAN rule, where L, M and H represent low, medium and high sensitivity.
    5. To check the SD-WAN connection status:
      show sdwan connection all
    6. Debug logs: sdwan.log on Panorama, ms.log and sdwand.log on FW.
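
The threshold check in step 4, as an added example (not Palo Alto Networks code): a what-if comparison that runs a strict and a relaxed Path Quality Profile over the same link measurements and shows which violations only the strict profile produces. The measurements, both sets of threshold values, and the rule that a sample violates a profile when any one metric exceeds its threshold are assumptions made for illustration, not PAN-OS's path-selection logic.

```python
"""What-if comparison of two Path Quality Profile threshold sets.

Simplified model (assumption): a sample violates a profile when any
metric exceeds its threshold. This is not PAN-OS's actual algorithm.
"""
from collections import namedtuple

# Latency and jitter in ms, packet loss in percent; all values constructed.
Profile = namedtuple("Profile", "name latency_ms jitter_ms loss_pct")
STRICT = Profile("strict", 100, 10, 1.0)
RELAXED = Profile("relaxed", 150, 30, 2.0)

# Constructed per-interval measurements: (latency ms, jitter ms, loss %)
SAMPLES = [
    (42, 3, 0.0), (55, 8, 0.2), (110, 12, 0.5), (95, 25, 1.5),
    (60, 5, 0.0), (180, 40, 3.0), (70, 9, 0.1), (105, 11, 0.4),
]

def violations(profile, samples):
    """Return [(sample index, [metrics over threshold])] for bad samples."""
    out = []
    for i, (lat, jit, loss) in enumerate(samples):
        checks = (("latency", lat, profile.latency_ms),
                  ("jitter", jit, profile.jitter_ms),
                  ("loss", loss, profile.loss_pct))
        over = [name for name, value, limit in checks if value > limit]
        if over:
            out.append((i, over))
    return out

def transitions(profile, samples):
    """Count healthy-to-violating transitions (potential failover triggers)."""
    bad = {i for i, _ in violations(profile, samples)}
    return sum(1 for i in bad if i - 1 not in bad)

def strict_only(strict, relaxed, samples):
    """Violations the relaxed profile would not raise: the samples to
    review against user experience before relaxing the thresholds."""
    relaxed_bad = {i for i, _ in violations(relaxed, samples)}
    return [(i, over) for i, over in violations(strict, samples)
            if i not in relaxed_bad]

if __name__ == "__main__":
    for p in (STRICT, RELAXED):
        print(p.name, "triggers:", transitions(p, SAMPLES),
              violations(p, SAMPLES))
    print("strict-only:", strict_only(STRICT, RELAXED, SAMPLES))
```
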
 


     


    Additional Information


    • Every SD-WAN policy should have a "Catch All" rule that will deal with any applications that do not match a rule in the SD-WAN policy.
    • Without the "Catch All" rule, traffic is distributed in a round-robin fashion to the SD-WAN interface that matched the route lookup.
    • In some cases the impacted application is configured to match a general SD-WAN rule. In that case, consider adding a specific SD-WAN rule as a top rule for this application, so that you can specify the Path Quality Profile and Traffic Distribution Profile that can help improve its performance.
    • Make sure that Panorama has the latest SD-WAN plugin compatible with the Panorama software version so you can take advantage of all the features introduced.

