04-02-2025 10:58 PM
We're looking at some interesting issues around app shift between our Prisma Access tunnel and local/DC breakout. Session starts as SSL, gets pushed over the PA tunnel, gets reidentified as an app that is set to breakout locally and the ION duly changes path and breaks the session. Most apps/devices tolerate this fine, but some refuse to reattempt a new connection and thus are broken from the user perspective.
We're looking at a few things, Path Affinity is one. The doco is pretty clear on how None and Strict work when configured in an App Override or Custom App, but looking at the predefined apps, many of them are set to Weak. But I can't find any explanation of what this default behaviour is, so can't really compare it to Strong. A full site search only gives a short summary from the API doco:
path_affinitystringrequired
This parameter defines the path affinity characteristics to consider during flow decision making. Allowed values: "none" "weak" "strict". If path affinity is none or weak and a better path is available, flows will be moved to a new path. If path affinity is strict, all application flows will continue on the same path.
Better than nothing, but also doesn't help much. Has anyone seen better doco, or done the experimenting to work out how Weak actually works compared to None?
(we have a TAC case open but it's a bit slow, this might be faster. Also aware the App Affinity might not be related to our issue if the Path Policy is higher precedence, but it's still a good knowledge gap to fill)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
