VMware VeloCloud SD-WAN Application Classification - How it works, and how to troubleshoot flows from the same application taking different paths.
Article ID: 344871

Updated On: 05-07-2025

Products

VMware VeloCloud SD-WAN

Issue/Introduction

In this KB article we will share insights into the internal workings of the application classification process, its limitations, and potential workarounds.


Symptoms:
A business policy that uses a specific application as its match criterion may not apply its configured action to every flow of that application: for some flows the rule is bypassed and a different business policy is selected instead.

The same application at other times is observed to adhere to the configured business policy.

For example: a customer configures a business policy rule for APP_TIKTOK(3497) to use Internet backhaul.

Most flows of APP_TIKTOK(3497) match the correct policy rule, but the customer finds that some flows are being steered via Direct to Cloud.

CLI output is accessible only to partners who manage the Orchestrator, Gateway, and Edges themselves. Customers using VMware-hosted services do not have CLI access, but they can still view this output under Remote Diagnostics > List Active Flows. Partner users who are allowed to download the diagnostic bundle can find the same output in the file "optvcbindebugpy--limitflow_dump_limit--timeout30--flow_dumpallallall.out.txt" under the COMMANDS/ directory. More information is available in the "Roles and Privileges" documentation.

Environment

VMware VeloCloud SD-WAN supported versions

Cause

If users encounter any of the symptoms described above, the cause may be that the ip_port_cache holds no entry matching the destination IP and/or port of the flow. Alternatively, there may be no matching entry in the ip_port_db or the static proto_port_db. In such cases DPI is expected to kick in to identify the application.

Deep Packet Inspection (DPI):

The application classification process is handled by our DPI engine, known for its accuracy in identifying flows. Typically, DPI requires multiple packets to accurately classify flows. A sufficient number of packets containing the application's signature are needed for correct classification, after which the results are inserted into the ip_port_cache.

For instance, a standard TCP 443 flow undergoes three stages of classification based on the received packets (initial SYN/SYN-ACK/ACK messages during the TCP handshake). Ultimately, web traffic flows are classified as APP_SSL or more specific applications like APP_FACEBOOK, APP_LINKEDIN, and so forth.

  1. Stage 1: App-id: 205, App-name: APP_TCP
  2. Stage 2: App-id: 199, App-name: APP_SSL, App-class: VPN and tunnel
  3. Stage 3: App-id: 1448, App-name: APP_OFFICE365, App-class: Business Collaboration

Because DPI needs to inspect several packets before it can identify an application, the example application above (APP_TIKTOK(3497), a TCP 443 flow) behaves as follows under the current design: the first packet of the initial flow is classified as APP_TCP, so that first flow follows the business policy that matches APP_TCP. In this case that was the default rule "Default-Internet-Other", whose configured action is to send the traffic out directly.

Even when later stages change the classification, the Edge only updates the flow's matching app ID; the route policy and link steering already chosen for that first flow remain unchanged. Subsequent and new flows are expected to adhere to the configured business rule.

Resolution

This is expected behavior per design.

Workaround:

  1. Minimize differences in Route/Link Steering policies between the final classified application and the first packet (APP_TCP or APP_UDP).
  2. Configure IP addresses for business policy matching. Utilize Address Groups (Object Groups) or IP subnets defined in the application map to match the destination IP address of the application.
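The following is an added illustration, not VeloCloud code: a small model of the classification order described in the Cause section (ip_port_cache lookup first, DPI stage by stage otherwise), with link steering locked on the first packet. The app IDs and names are those quoted in this article; the packet counts, destination address, policy names other than "Default-Internet-Other", and the "subnet" match used to model workaround 2 are constructed assumptions.

```python
from dataclasses import dataclass, field

# App ids/names from the KB; DPI_STAGES models which result is known after packet i.
APP_TCP, APP_SSL, APP_TIKTOK = (205, "APP_TCP"), (199, "APP_SSL"), (3497, "APP_TIKTOK")
DPI_STAGES = {0: APP_TCP, 1: APP_SSL, 2: APP_TIKTOK}  # constructed stage progression
FINAL_STAGE = max(DPI_STAGES)

# Business policies are evaluated top-down. A "subnet" key models workaround 2
# (matching on the destination IP instead of on the application).
DEFAULT_POLICIES = [
    {"name": "TikTok-Backhaul", "app": "APP_TIKTOK", "action": "internet-backhaul"},
    {"name": "Default-Internet-Other", "app": None, "action": "direct-to-cloud"},
]


@dataclass
class Edge:
    ip_port_cache: dict = field(default_factory=dict)  # (dst_ip, dst_port) -> app
    policies: list = field(default_factory=lambda: list(DEFAULT_POLICIES))

    def select_policy(self, app, dst_ip):
        for p in self.policies:
            if "subnet" in p and dst_ip.startswith(p["subnet"]):
                return p
            if p["app"] is None or p["app"] == app[1]:
                return p

    def run_flow(self, dst_ip, dst_port, packets):
        """Return (policy used for link steering, final app name) for one flow."""
        key = (dst_ip, dst_port)
        cached = self.ip_port_cache.get(key)
        app = cached or DPI_STAGES[0]             # cache hit, else stage 1 (APP_TCP)
        policy = self.select_policy(app, dst_ip)  # steering is decided on packet 1
        if cached is None:
            for i in range(1, packets):
                app = DPI_STAGES.get(i, app)      # the flow's app id keeps updating
            if packets > FINAL_STAGE:             # DPI completed: populate the cache
                self.ip_port_cache[key] = app
        return policy["name"], app[1]


if __name__ == "__main__":
    edge = Edge()
    print(edge.run_flow("203.0.113.10", 443, packets=5))  # first flow: default rule
    print(edge.run_flow("203.0.113.10", 443, packets=5))  # cache hit: intended rule
```

A flow too short for DPI to finish never populates the cache, which is why very short-lived flows to a fresh destination keep landing on the default rule in this model.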



Additional Information

If a customer observes the symptoms mentioned above and encounters difficulties in narrowing down the issues, they can initiate a support ticket with VMware for troubleshooting assistance. Please refer to this article for guidance on filing a support ticket: https://kb.vmware.com/s/article/2006985

Impact/Risks:
Only the initial flow may fail to follow the intended route policy. Applications such as "Microsoft Office 365" or "Microsoft Teams", which use a random IP address from a vast address pool, can be affected more often because new destinations keep appearing.