We’ve got a handful of users that fly with United Airlines and leverage their in-flight Wi-Fi. When Zscaler is turned on they get a “Connection Error” warning message in the ZCC and cannot connect to the Wi-Fi. This error means the ZIA public service edge cannot be reached. We turn ZIA services off and Wi-Fi works just fine.
This is a tough one to troubleshoot. Has anyone ran into this issue before / if so, did you determine a fix?
Yes, we are configured to fail-open for 10 minutes to allow the user to accept the captive portal. We have the same configurations as you’ve listed for all fail-open options.
We have users complaining of the same issue, and I experienced it myself last week on American Airlines. The issue isn’t with captive portal detection— we are able to connect to the wifi. The problem is that Zscaler zpa/Zia suffer constant disconnects and reconnects making it unusable. Internet connectivity is available when this happens, so it’s not that the plane is dropping the connection. Latency is high of course, like it always is on a plane, however either they are filtering/breaking something or the latency causes Zscaler to disconnect. Maybe if the relevant fligh wifi urls were bypassed in PAC?
Are you using ZTunnel1 or ZTunnel2?
ZT2 seems to be quite a bit more sensitive when it comes to latency and such.
ZCC version can also make quite difference here aka ‘the newer the less issues’ (and optional settings which can be activated in the profile to mitigate certain problems).
Ztunnel 1 tunnel with local proxy. Version 4.0.80 client. Been testing 4.1 but for some reason it appears to break UDP related domain authentication traffic.
We are using ZT2 with 3.9x
Difficult to troubleshoot you say? Gather up some laptops and book a row of first class tix to Hawaii. That should give you enough time to debug the issue. You should plan for about a week to document the results when you land as well. We look forward to your report, please include photos. 
I don’t have any first-hand experience with this issue but do recall seeing a captive portal issue fix in the release notes for ZCC 4.0 which is now GA. May be worth a try.
This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.
