We have a situation where our users are working from a corporate office in Malaysia.
Whenever they are connected to that corporate Wi-Fi, ZCC throws a “Captive Portal Detected” error & after some time users lose Internet access.
We also verified that there is no authentication required on that Wi-Fi network once they are connected. We have also added the DNS servers' IPs in our Forwarding Profile to make ZCC understand that it's a trusted network & to go DISABLED.
Even though the ZCC status is showing as Trusted Network, the Captive Portal error is still being thrown.
Note: gateway.zscaler.net & pac.zscaler.net are not reachable from that corporate Wi-Fi network. We are unable to ping both from that corporate Wi-Fi network.
We would require some suggestions on this issue.
gateway.zscaler.net is one of the domains which is used to identify if there is connectivity. If the connection does not return the correct HTTP response code then the Captive Portal failsafe will trigger.
Do you have a custom PAC file in place at all?
Does DNS resolve those domains internally?
You may also take a look at this: Captive Web Portal issues - #23 by Niokolay_Dimitrov. Also, as you own the Wi-Fi, since it is a corporate portal, you can try using a CA-signed trusted certificate for the captive portal that the workstations trust. It is also good to see whether the VPN agents have the same issue; for example, Cisco Wi-Fi had some issues with a captive portal and a self-signed cert, if I am not wrong, so it could be an issue with the devices that generate the captive portal.
Thanks for your reply.
Yes, we do have a custom PAC file, and yes, we are able to resolve (nslookup) gateway.zscaler.net & pac.zscaler.net from that corporate Wi-Fi network.
But as per my forwarding policy, I have added the DNS servers of that Wi-Fi network as TRUSTED CRITERIA & action for ZIA as NONE.
Hence Zscaler should go DISABLED, identifying it as a trusted network. It's working as expected & we are able to see the status in ZCC as Trusted Network as well.
But the Captive Portal error is still being thrown.
It sounds like you have two options here:
- raise a support ticket to validate if this is expected behaviour. I suspect it currently is expected and may require an enhancement request to change this behaviour so that Captive Portal checks are not performed when the Forward Profile is set to “NONE”.
Are you a ZPA customer?
No we are not a ZPA Customer.
But traffic is permitted on both gateway.zscaler.net & pac.zscaler.net. I am able to resolve both & able to do telnet on 443.
Which version of ZCC are you running?
When you run “curl http://gateway.zscaler.net/generate_204”, what response are you getting when using the same Wi-Fi?
And just out of curiosity, are you a Tunnel 1.0 or 2.0 customer?
We are using version 126.96.36.199
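
The probe suggested above with curl can be scripted so that the result is classified rather than read by eye. This is an added example, not part of the original thread and not Zscaler's own code; it assumes that an empty HTTP 204 is the "correct" response (inferred from the `generate_204` path), and the function names are hypothetical.

```python
import urllib.request
import urllib.error

PROBE_URL = "http://gateway.zscaler.net/generate_204"  # URL quoted in the thread


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 30x to the caller instead of following it


def classify(status, location=None, body_len=0):
    """Map one probe result to a diagnosis (assumption: empty 204 is expected)."""
    if status is None:
        return "unreachable: no HTTP response (blocked, DNS failure or timeout)"
    if status == 204 and body_len == 0:
        return "clear: expected 204 received"
    if status in (301, 302, 303, 307, 308):
        return f"intercepted: redirected to {location}"
    return f"intercepted: unexpected HTTP {status} with {body_len} byte body"


def probe(url=PROBE_URL, timeout=5):
    """Send the plain-HTTP probe once, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"), len(resp.read()))
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return classify(err.code, err.headers.get("Location"), len(err.read()))
    except (urllib.error.URLError, OSError):
        return classify(None)


if __name__ == "__main__":
    print(probe())
```

Run it on the affected Wi-Fi and on a network where ZCC behaves normally; a redirect or a 200 with a body on the office network points to a device on the path answering in place of the gateway.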