So it is now 2022, has there been a resolution to this issue or is Zscaler just ignoring it and tell customers to use a work around? As we are having the exact same issue.
Probably you have all configured a fail-open for couple of minutes Configuring Fail-Open Settings for Zscaler Client Connector | Zscaler and you still have the issues.
As I have seen similar issue with VPN agents in that case it was the operational system and the web browsers issue not the vpn agent or zscaler app as for Windows and mac you may need to bypass the web url that the operational systems use for a captive portal that has self-signed SSL certificate as this seems why the issue is seen. Try bypassing in the PAC file or as domains for tunnel 2.0 the URLs
You can check:
Also for mozilla to allow self-signed certificates to not be blocked see:
Also if the captive portal is redirecting to external URL as for payment for using the Internet like on some airports then there is no solution than just stopping the Zscaler agent app or I have seen some issues with Cisco Wi-Fi where the Wi-Fi options need to be changed but when you don’t control the network good luck with telling the coffe shop to change this.
As a final thing test with different web browsers as with some it may work or not.