Forward Traffic from ZIA (ZCC) to Cisco AnyConnect Client

Hello Everyone,

We are currently implementing ZIA company wide. One issue we are having is trying to off load traffic from ZIA to Cisco AnyConnect Client for certain domains. In the PAC File I have configured following settings

/* Redirect traffic to vpn
   if (shExpMatch(host, “gs1us.XXX”) || shExpMatch(host, “*.gs1us.XXX”)) ||
      (shExpMatch(host, “windows.XXX”) || shExpMatch(host, “*.windows.XXX”))
    return "50.236.XXX.XXX"; < vpn gateway ip address

We could see that traffic for domain .gs1us.org is routing the the vpn ip address but windows.net is still going over Zscaler ip address vs cisco AnyConnect client.

Please see below continuation of this post

C:\Windows\system32>tracert

Tracing route to xx.xxxxxxxx.xxxxxxxxxxxxxx.database.windows.net [23.96.XXX.XXX]
over a maximum of 30 hops:

1 * * * Request timed out.
2 968 ms 21 ms 20 ms 136.226.48.197
3 21 ms 21 ms 111 ms 136.226.48.3
4 351 ms 313 ms 326 ms 165.225.254.30
5 ^C
C:\Windows\system32>tracert XXX.XXXX.gs1us.XXX

Tracing route to 44285ph.impervadns.net [45.60.240.208]
over a maximum of 30 hops:

1 * * * Request timed out.
2 15 ms 11 ms 9 ms 50.236.XXX.XXX
3 14 ms 8 ms 8 ms 50.236.XXX.XXX
4 15 ms 11 ms 13 ms 162.151.210.125

C:\Windows\system32>

Can you tell me what I might be doing wrong?

Were you able to solve this by chance? @DTheMan

Hi Ben,

@Ben_Garrison I resolved the redirect traffic to VPN for gs1us.xxx websites by creating Application PAC File and Forward PAC File for tunnel 2.0

As for the Azure SQL for now I just bypassed the Azure SQL Server name in the Zscaler Client App Profile. I was told by Support Engineer I am working with that I should be able to do PAC file bypass. Waiting for the engineer to test and confirm.

1 Like

That’s great. I am going to mark this as solved with your instructions. If you would like to provide more in-depth detail that would be huge!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.