App Connector (on-premises) to Azure DC subnet not getting connected: RDP/LDAP protocols fail

Recently my company deployed a new domain controller in a new subnet distribution range. It was deployed on Azure, and our on-prem App Connectors stopped responding to the new subnets. RDP fails. Sometimes it works and sometimes (mostly) not. The traffic uses the On-prem -> IPS path to reach the Azure DC. All the checks related to routing and FW rules are verified and everything is allowed. From the App Connector, telnet is possible and there are no problems with connectivity and pings. Any solution or alternate fix for the RDP setup?

Have you created the correct applications and application segments in the Zscaler ZPA portal for the new IP addresses or FQDNs of the applications? If you are using FQDNs, maybe try the IP address range instead for the new AWS-based apps, as App Connectors use DNS to discover applications and also enumerate each of the IP addresses that an application DNS name resolves to as a separately tracked and load-balanced server. During dynamic application discovery, DNS is used as the initial reachability check from each App Connector in an App Connector group. It is possible for App Connectors to function in partitioned environments where only a subset of App Connectors are able to resolve a given DNS name, without additional configuration. App Connectors must also be able to resolve external DNS names, such as those of the ZPA cloud infrastructure.

You can also log in to the App Connectors and do a pcap capture while trying to connect to the new applications.

Also, telnet working does not mean that a next-generation firewall will not block traffic based on application rather than port, so double-check your next-generation firewalls with pcap logs and so on. If you see that the traffic reaches the App Connectors and then the firewalls, you may need to check the AWS flow logs to see whether the traffic arrives there. Also check the site-to-site VPN config to see whether it puts the App Connector traffic into the tunnel.

You mentioned something about LDAP and this is a nice article:

As a final option, just install App Connectors in AWS, as it is always better to have them as close as possible to the servers, and this will help with traffic path optimization.
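A small diagnostic in the spirit of the DNS-discovery point above, added here as an example and not code from the thread or from Zscaler: it resolves an application FQDN, checks every returned address on the RDP and LDAP ports (the way an App Connector tracks each resolved IP as its own server), and reports whether reachability is complete, partial or absent. The function names and the FQDN are assumptions; the resolver and TCP check are injectable so the logic can also run against constructed data.

```python
"""Added example, not from the original thread. Enumerates every address an
application FQDN resolves to and probes each one on the application ports.
A 'partial' result (some servers reachable, some not) is the situation in
which a per-IP load balancer would make connections succeed only sometimes."""
import socket
from typing import Callable, Dict, List

APP_PORTS = {"rdp": 3389, "ldap": 389}  # standard ports for the protocols discussed


def resolve_all(fqdn: str) -> List[str]:
    """Return every IPv4 address the name resolves to, deduplicated, in DNS order."""
    seen, addrs = set(), []
    for info in socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM):
        ip = info[4][0]
        if ip not in seen:
            seen.add(ip)
            addrs.append(ip)
    return addrs


def tcp_reachable(ip: str, port: int, timeout: float = 2.0) -> bool:
    """TCP handshake only: like telnet, success does not prove an app-aware
    firewall will pass the actual RDP/LDAP session."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_app(fqdn: str, ports: Dict[str, int] = APP_PORTS,
              resolve: Callable[[str], List[str]] = resolve_all,
              connect: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, Dict[str, bool]]:
    """Map each resolved IP to {protocol: reachable}."""
    return {ip: {name: connect(ip, port) for name, port in ports.items()}
            for ip in resolve(fqdn)}


def summarize(results: Dict[str, Dict[str, bool]]) -> str:
    """'unresolved', 'ok', 'partial' (intermittent failures likely) or 'down'."""
    if not results:
        return "unresolved"
    flags = [ok for per_port in results.values() for ok in per_port.values()]
    if all(flags):
        return "ok"
    return "partial" if any(flags) else "down"


if __name__ == "__main__":
    # Constructed data (hypothetical DC name and addresses) so this runs offline.
    fake_dns = lambda name: ["10.1.0.4", "10.1.0.5"]
    fake_net = lambda ip, port: not (ip == "10.1.0.5" and port == 3389)
    res = check_app("dc01.corp.example", resolve=fake_dns, connect=fake_net)
    print(res, summarize(res))  # → 'partial': RDP to 10.1.0.5 fails
```

Run it unmodified to see the constructed case; replace the two stubs with the defaults to probe a real name from the App Connector host.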