Users are accessing applications via the connector closest to them geographically rather than the connector closest to the application

We have applications hosted in different data centers across the world.

Without specifically adding the hostname of the application to an application segment, then tying that to a server group and connector group located closest to the application, the user will use a connector that is closest to their location.


User in US accesses application in Germany.

User will use US connector to get to application in Germany.

The RTT between connector and app is over 100ms.

We have to manually set that hostname/IP within the app segment group and force it to use the connector in Germany in order to get the user connected to a connector with less than 1 ms RTT.


1 Like

Whenever a user tries to access some application (in your example, the application is in Germany and the user is sitting in the US), the user will first be tied to the nearest ZPA ZEN (near his location in the US), not the Connector. Then the ZPA ZEN will send the request to all connectors and choose the best Connector, the one which has the best RTT. This is how the best Connector is chosen. If by any chance the connector is completely tied up with all processes and is not free to accept new connectors, it will be passed to the next best connector.

1 Like

This has not been our experience so far. In our environment, when a user tries to access an application, the ZEN is always choosing the connector closest to its geographical location, no matter the RTT of the connector to the application. We have multiple connectors that have much better RTT (they are in the same location as the application), yet users are still sent to a connector in the US. The only way around this is to create application segments and add each application by hostname/IP, then tie that to a segment group and server group so those apps are only accessible to the connectors that they are closest to.

1 Like

So if we just create an Application segment * and add all connector groups, all users will just be connected to the closest location and they access the app over our SD-WAN, since we are full mesh SD-WAN globally for the most part and all locations are interconnected.

1 Like

Is the ZPA ZEN taking into account latency between the ZPA ZEN and Connector as well?

So ZPA ZEN US to connector in US to app in Germany is less latency than ZPA ZEN US to connector in Germany to app in Germany.

We have the same experience but our internal network is faster than the Internet connection so traffic is preferring to route across our internal network. We are manually managing traffic flows using Application Segments and forcing them to specific Connector Groups.


Hey Gordon,

Thank you for the reply, we did exactly the same thing in our environment because we were seeing performance issues. We currently use the application segments to force them to connector groups as well since it seems to be better performance when going to the connector closest to the application.

1 Like