Configure the Versa SASE Client To Select the Best Gateway
For supported software information, see Supported Software Information, below.
The Versa SASE client can connect to multiple secure access gateways. The client can connect to a specific gateway or it can determine the best available Versa cloud gateway. To have the client determine the best gateway, you configure one or more groups of gateways, each identified by an FQDN, from which the best gateway is selected.
When a user selects a gateway group for the Versa SASE client to connect to, the client selects the best gateway based on the following criteria:
- Distance of the Versa SASE client from the gateway. The default distance is less than 1000 kilometers (625 miles).
- CPU load of the gateway is less than a threshold value. The default threshold is 75 percent.
- Memory load of the gateway is less than a threshold value. The default threshold is 75 percent.
When a Versa SASE client makes a connection request to a best gateway group, one of the gateways in the group, called the landing gateway, performs the best-gateway calculations and returns a maximum of four gateways to the Versa SASE client. For example, if a best-gateway group consists of eight gateways and five match the distance, CPU, and memory load criteria, the landing gateway rates these five gateways based on the matching criteria, assigns each a value between 1 and 100, and then shares the four gateways with the highest value with the Versa SASE client. (The best-gateway calculation ignores the gateways that do not match the selection criteria.) The Versa SASE client then pings these gateways and connects to the gateway that has the lowest round-trip time (RTT) value.
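The selection flow described above, as an added Python sketch that is not Versa code. The thresholds are the defaults stated on this page; the rating formula in `rate()` is an assumption (the page says only that each matching gateway is assigned a value between 1 and 100), and the gateway names and measurements are constructed sample data.

```python
from dataclasses import dataclass

# Defaults stated on this page.
MAX_DISTANCE_KM, MAX_CPU_PCT, MAX_MEM_PCT, MAX_RETURNED = 1000, 75, 75, 4

@dataclass(frozen=True)
class Gateway:
    fqdn: str
    distance_km: float   # distance from the client
    cpu_pct: float
    mem_pct: float
    rtt_ms: float        # measured later by the client's ping

def eligible(gw):
    """All three criteria must be under their thresholds."""
    return (gw.distance_km < MAX_DISTANCE_KM
            and gw.cpu_pct < MAX_CPU_PCT
            and gw.mem_pct < MAX_MEM_PCT)

def rate(gw):
    """ASSUMED formula: average headroom under each threshold, scaled to 1..100."""
    headroom = ((1 - gw.distance_km / MAX_DISTANCE_KM)
                + (1 - gw.cpu_pct / MAX_CPU_PCT)
                + (1 - gw.mem_pct / MAX_MEM_PCT)) / 3
    return max(1, min(100, round(headroom * 100)))

def landing_gateway_shortlist(group):
    """Landing gateway: drop non-matching gateways, return the top-rated four."""
    return sorted(filter(eligible, group), key=rate, reverse=True)[:MAX_RETURNED]

def client_choice(shortlist):
    """Client: connect to the shortlisted gateway with the lowest RTT."""
    return min(shortlist, key=lambda gw: gw.rtt_ms, default=None)

# Constructed sample group: eight gateways, five of which match the criteria.
GROUP = [
    Gateway("gw-a.example.test", 100, 30, 30, 22.0),
    Gateway("gw-b.example.test", 400, 15, 45, 9.0),
    Gateway("gw-c.example.test", 700, 60, 60, 30.0),
    Gateway("gw-d.example.test", 250, 45, 30, 14.0),
    Gateway("gw-e.example.test", 900, 70, 72, 5.0),   # matches, but rated fifth
    Gateway("gw-f.example.test", 1500, 10, 10, 3.0),  # too far
    Gateway("gw-g.example.test", 200, 80, 20, 4.0),   # CPU over threshold
    Gateway("gw-h.example.test", 300, 20, 90, 6.0),   # memory over threshold
]

if __name__ == "__main__":
    shortlist = landing_gateway_shortlist(GROUP)
    for gw in shortlist:
        print(gw.fqdn, rate(gw), gw.rtt_ms)
    print("connect to:", client_choice(shortlist).fqdn)
```

In this sample the client connects to gw-b even though four other gateways have a lower RTT: three fail a threshold and one is rated fifth, so none of them reaches the client's ping stage.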
To configure the Versa SASE client to select the best gateway, you do the following:
- Enable Versa BGP TLV site information.
- Configure FQDNs for gateways.
- Configure FQDNs for gateway groups.
- Associate gateway servers with the server group.
- Configure a gateway profile to set the best gateway.
Enable Versa BGP TLV Site Information
On the provider's virtual router, you enable the BGP Versa private type-length-value (TLV) site information. Doing this distributes the gateway and group FQDNs to all the other gateways so that each gateway can learn which gateways are part of a group.
Note that in a multitenant deployment (that is, a deployment with a provider plus additional tenants), you enable the Versa Private TLV configuration in the multiprotocol BGP (MP-BGP) instance associated with the provider organization (provider control VR), not in the tenants' control VRs.
To enable Versa BGP TLV site information:
- In Director view:
- Select the Configuration tab in the top menu bar.
- Select Templates > Device Templates in the horizontal menu bar.
- Select an organization in the left menu bar.
- Select a post-staging template in the main pane. The view changes to Appliance view.
- Select the Configuration tab in the top menu bar.
- Select Networking > Virtual Routers in the left menu bar.
- Click the + Add icon. The Configure Virtual Router popup window displays.
- Select the BGP tab in the left menu bar. The Edit BGP Instance window displays.
- Select the Versa Private TLV tab.
- Click Announce Local to enable gateways or hub-controller nodes (HCN) to support best-gateway selection. If all SASE gateways (HCN, hub, or spoke) are in a full-mesh topology, enabling Announce Local is sufficient for gateways and HCNs to handle SASE client requests.
- Click Announce Remote only if your gateways and HCNs are not in a full-mesh topology. If there are SASE gateways in spoke topology behind HCNs, you must enable Announce Remote on HCNs so that the spokes can handle SASE client requests.

- For information about configuring other BGP parameters, see Configure BGP.
- Click OK.
Configure FQDNs for Gateways
- In Director view:
- Select the Configuration tab in the top menu bar.
- Select Devices > Devices in the horizontal menu bar.
- Select an organization in the left navigation panel.
- Select a tenant or Controller node in the main pane. The view changes to Appliance view.
- Select the Configuration tab in the top menu bar.
- Select Others > Organization > Limits in the left menu bar. The main pane displays the organizations associated with the Controller node.
- Click an organization name. The Edit Organization Limit popup window displays.
- Add the gateway FQDN (here, sase.pkversa.local). Note that the gateway FQDN must be unique for each gateway, and you can add only one gateway FQDN for an organization.
- Add the gateway group FQDN (here, us-eu.pkversa.local). Note that you must use the same FQDN when you create a server group in Configure FQDNs for Gateway Groups, below. To place gateways into the same group, use the same FQDN for all gateways. For more information, see Configure Organization Limits.

- Click OK.
Configure FQDNs for Gateway Groups
- In Director view:
- Select the Configuration tab in the top menu bar.
- Select Templates > Device Templates in the horizontal menu bar.
- Select an organization in the left menu bar.
- Select a template in the main pane. The view changes to Appliance view.
- Select the Configuration tab in the top menu bar.
- Select Services > Secure Access > Portal > Gateway Groups in the left menu bar. (In Releases 21.2.3 and earlier, gateway groups are called server groups.)
- Click the + Add icon. The Add Gateway Groups popup window displays.

- Enter a name for the gateway group (here, US-Europe).
- Enter the group FQDN that you specified in Step 6 of Configure FQDNs for Gateways, above (here, us-eu.pkversa.local).
- Click OK.
Associate Gateways with the Gateway Group
To associate gateways with the gateway group:
- In Director view:
- Select the Configuration tab in the top menu bar.
- Select Templates > Device Templates in the horizontal menu bar.
- Select an organization in the left menu bar.
- Select a template in the main pane. The view changes to Appliance view.
- Select the Configuration tab in the top menu bar.
- Select Services > Secure Access > Portal > Gateway in the left menu bar.
- Click the Add icon. The Add Gateways popup window displays.
- Enter a name for the gateway (here, SASE-GW).
- Click FQDN and then enter the host server address as a fully qualified domain name. Note that the FQDN you configured in Step 5 of Configure FQDNs for Gateways, above, is added here (here, sase-pkversa.local). The FQDN must be unique for all gateways.
- Enter the IPsec profile identifier of the secure access server profile. You must use the same ID for all gateways in a gateway group.
- In the Server Groups field, select the server group that you added in Configure FQDNs for Gateway Groups, above, (here, US-Europe) to associate with the server, and then click the Add icon. A gateway can be added to multiple groups, and multiple gateways can be part of the same group.
- Click OK.
- Repeat Steps 1 through 4 to associate other gateway servers with the group. Ensure that the gateway server certificate works with both the gateway FQDN and the group FQDN. For compatibility, it is recommended that you use wildcard certificates, such as *.versa-test.net.
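One way to check the certificate requirement above before rollout, as an added Python example that is not part of the Versa documentation. It assumes the certificate is available as a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; the certificates below are constructed, and the two FQDNs are the sample names used on this page.

```python
def _match(pattern, host):
    """Wildcard match where '*' may only be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # '*' never spans more than one label
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label, such as '*.local'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def dns_sans(cert):
    """DNS subjectAltName entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def uncovered(cert, fqdns):
    """Return the FQDNs that no DNS SAN in the certificate covers."""
    sans = dns_sans(cert)
    return [f for f in fqdns if not any(_match(s, f) for s in sans)]

# Sample FQDNs used on this page.
GATEWAY_FQDN = "sase.pkversa.local"
GROUP_FQDN = "us-eu.pkversa.local"

# Constructed certificates (only the field this check reads).
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.pkversa.local"),)}
GATEWAY_ONLY_CERT = {"subjectAltName": (("DNS", "sase.pkversa.local"),)}

if __name__ == "__main__":
    names = [GATEWAY_FQDN, GROUP_FQDN]
    print("wildcard cert misses:", uncovered(WILDCARD_CERT, names))
    print("gateway-only cert misses:", uncovered(GATEWAY_ONLY_CERT, names))
    # A wildcard covers one label only, so a deeper (constructed) name fails.
    print("deeper name:", uncovered(WILDCARD_CERT, ["gw1.emea.pkversa.local"]))
```

A certificate issued only for the gateway FQDN fails this check for the group FQDN, which is the name the client uses when the user selects the gateway group.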
Configure a Gateway Profile To Set the Best Gateway
To configure a gateway profile that sets a VPN connection to be the best gateway among the available gateways:
- In Director view:
- Select the Configuration tab in the top menu bar.
- Select Templates > Device Templates in the horizontal menu bar.
- Select an organization in the left menu bar.
- Select a template in the main pane. The view changes to Appliance view.
- Select the Configuration tab in the top menu bar.
- Select Services > Secure Access > Portal > Gateway Profiles in the left menu bar.
- Click the + Add icon. The Add Profiles popup window displays.
- Select the Client Controls tab.

- Click Best Gateway.
- For information about configuring the other fields, see Configure a Secure Access Gateway.
- Click OK.
Supported Software Information
Releases 21.2.1 and later support all content described in this article.
