Versa Networks

Configure SASE Client to Select the Best Gateway Using Concerto

For supported software information, see the Supported Software Information section at the end of this article.

You can use the best gateway feature in Concerto to configure the Versa Secure Access Service Edge (SASE) client to select the optimal gateway in the network before communicating with a remote Versa SASE client. This article explains the best gateway selection process with an example use case.

Gateway Selection

The SASE client can connect to a specific gateway, or it can determine the best available Versa cloud gateway (VCG). To have the SASE client select the best gateway, you must configure one or more groups of gateways, based on fully qualified domain name (FQDN), to use for selecting the best gateway.

When a SASE client makes a connection request to a gateway group, one of the gateways in the group, called the landing gateway, performs the best-gateway calculation based on the following criteria:

  • Distance of the SASE client from the gateway. The default optimal distance is less than 1000 kilometers (625 miles).
  • CPU load of the gateway is less than a threshold value. The default optimal threshold is below 75 percent.
  • Memory load of the gateway is less than a threshold value. The default optimal threshold is below 75 percent.

The landing gateway then returns a maximum of four gateways to the SASE client. The best-gateway calculation ignores the gateways that do not match the selection criteria.

To speed up tunnel setup, gateway selection occurs only if the connecting gateway group handling the request is not among the client's candidate gateways. If reachable, the tunnel reconnects to the last used gateway; otherwise, the SASE client selects a new one.

For example, if a gateway group consists of eight gateways, and five match the distance, CPU, and memory load criteria, the landing gateway rates these five gateways based on the matching criteria and assigns each a value between 1 and 100. This value is known as the weightage value. The landing gateway then shares the four gateways with the highest weightage values with the SASE client. The SASE client then pings these gateways and connects to the gateway based on the matched criteria.

If the landing gateway does not find an optimal gateway using the best-gateway calculation, it sends the SASE client a prioritized list of all available gateways, ranked by assigned values. In this scenario, for gateways running Versa Operating System™ (VOS™) releases 22.1.1 and later, the SASE client connects with the most favorable non-optimal gateway based on RTT.
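The selection flow described above, sketched in Python as an added example (not Versa code): the thresholds and the four-gateway limit are the defaults from this article, while the gateway names, load figures, weightage values, and RTTs are constructed, and weightage is taken as an input because the article does not give its formula. Choosing the lowest-RTT reachable candidate on the client side is an assumption for the optimal case; the article states RTT-based selection only for the fallback list.

```python
from dataclasses import dataclass

# Defaults stated in the article; field names and sample data are constructed.
MAX_DISTANCE_KM = 1000
MAX_CPU_PCT = MAX_MEM_PCT = 75
MAX_RETURNED = 4

@dataclass(frozen=True)
class Gateway:
    fqdn: str
    distance_km: float   # distance from the SASE client
    cpu_pct: float
    mem_pct: float
    weightage: int       # 1-100, assigned by the landing gateway (formula not given)

def is_optimal(gw):
    return (gw.distance_km < MAX_DISTANCE_KM
            and gw.cpu_pct < MAX_CPU_PCT
            and gw.mem_pct < MAX_MEM_PCT)

def landing_gateway_select(group):
    """Return (candidates, optimal_found) as the landing gateway would."""
    ranked = sorted(group, key=lambda g: g.weightage, reverse=True)
    optimal = [g for g in ranked if is_optimal(g)]
    if optimal:
        return optimal[:MAX_RETURNED], True
    # No gateway meets the criteria: send the full prioritized list.
    return ranked, False

def client_pick(candidates, rtt_ms):
    """Pick the reachable candidate with the lowest RTT; None if none reply."""
    reachable = [g for g in candidates if rtt_ms.get(g.fqdn) is not None]
    return min(reachable, key=lambda g: rtt_ms[g.fqdn], default=None)

# Constructed sample: eight gateways, five meet all three criteria.
GROUP = [
    Gateway("gw1.example.net", 120, 40, 50, 92),
    Gateway("gw2.example.net", 300, 55, 60, 85),
    Gateway("gw3.example.net", 640, 20, 30, 78),
    Gateway("gw4.example.net", 800, 70, 74, 61),
    Gateway("gw5.example.net", 950, 10, 10, 55),
    Gateway("gw6.example.net", 200, 90, 40, 88),   # CPU over threshold
    Gateway("gw7.example.net", 400, 30, 80, 80),   # memory over threshold
    Gateway("gw8.example.net", 4200, 15, 20, 70),  # too far
]
RTT_MS = {"gw1.example.net": 31.0, "gw2.example.net": 18.5,
          "gw3.example.net": None, "gw4.example.net": 44.2}  # None = no reply
CANDIDATES, OPTIMAL_FOUND = landing_gateway_select(GROUP)
print([g.fqdn for g in CANDIDATES], client_pick(CANDIDATES, RTT_MS).fqdn)
```

Note that gw6 carries the second-highest weightage but is excluded because its CPU load exceeds the threshold, and gw5 is optimal but falls outside the four-gateway limit.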

 

Use Case

This use case describes how to configure the best gateway feature in Concerto based on the network shown below, and explains its behavior after the configuration is applied.

[Figure: best-gateway.png]

In this use case, the VersaSSE tenant has two SASE gateways enabled with the SSE service, and one group FQDN:

  • VCG, SSE-GW1 with gateway FQDN sse-gw.versa.com
  • VCG, SSE-GW2 with gateway FQDN sse-gw2.versa.com
  • The group FQDN, default.versa.com, resolves to gateway SSE-GW1

When the SASE client connects to the group FQDN, SSE-GW1 acts as the initial landing gateway. It calculates the best available gateways and sends them to the SASE client. A gateway is considered optimal if its distance from the client is less than 1000 km. If multiple optimal gateways are available, the landing gateway performs further calculations and sends a maximum of four of the best gateways to the SASE client. The optimal gateway criteria are based on an assigned value ranking, with higher values being preferred.

The SASE client then pings the WAN links of each gateway and chooses the best gateway. Once the selection is made, the SASE client connects using the FQDN that is specific to the best gateway or the RTT based on the closest gateway found.

Configuration 

To configure the best gateway on Concerto:

  1. Go to Tenants, and then click the Edit icon for a tenant displayed in the list.
  2. In the Edit Tenant screen, click step 2, Security Service Edge.
  3. Click Select Region to assign your gateways. In the example below, for the VersaSSE tenant, gateways SSE-GW1 and SSE-GW2 are selected from the Default region.

    [Figure: edit-tenant-region.png]
  4. Click Next.
  5. Go to Configure > Security Client Access > Policy Rules. The Client-based Access Rules screen displays all configured secure client-based access rules. 
    Note: If you do not have any client-based access policy rules configured, you are prompted to configure a rule. For more information on configuring rules, see Configure SASE Secure Client-Based Access Rules.
  6. Click the Rule Name row to select the rule you want to edit. 
  7. Select the Gateway Groups and Gateways for this rule. In the example below, the Gateway Group is india, and the gateways in the VersaSSE-Enterprise VPN are SSE-GW1 and SSE-GW2.

    [Figure: edit-client-based-access-rule.png]
  8. Click Skip to Review to review and submit the configuration.

After publishing this rule, the best gateway selection is enabled by default and requires no additional configuration in Concerto. 

After logging in to the SASE client, you see the best gateway listed on the login window.

[Figure: BestG-verify.png]

Supported Software Information

Releases 12.1.2 and later support all content described in this article.
Releases 7.8.12 and later of the Versa SASE client support all content described in this article.
