Internet Speed is Very Slow when ZCC Connected in Home Network

  • We are using Tunnel Ver 1.0
  • With ZCC connected, speed drops from 100 Mbps to 1 Mbps
  • System restarted without Zscaler: no issue
  • System restarted with Zscaler works fine for 10-15 min, then speed goes to 1 Mbps
  • Tried to identify using ZDX but nothing happened
  • Tried with the help of Zscaler TAC, no resolution till now
  • System IPv6 disabled

If anyone has any idea, please share; we will try to do that.
Regards
Hriday

Hi Hriday, please work with your Zscaler account team. They can escalate within support to help find a resolution.

-kb

Thanks kb, yes, working for the last 2-3 months, but no proper resolution.
User complaining every day. If anyone has the same scenario and resolution on their tenant, that would be helpful.
We have premium support with Zscaler.

Hi Hriday,

If you turn off ZCC IA when the speed drops down to 1 Mbps - does that resolve the issue?

BR
Manuel

Hi Manuel,
Thanks for your reply.
Even if we disabled ZIA, the scenario does not change during the same session, once we restart and ZIA is disabled it works perfectly.

Hi Hriday,

Apologies for the back to basics questions:

  1. Home user tried a LAN cable rather than Wi-Fi ? (to avoid wifi mesh complications etc)
  2. Tethered to mobile phone and tested ? (Removes complications of router AV security or ISP inspection module)
  3. Tunnel Driver Type - Route or Packet driver based ? (sounds route based)
  4. OS version ?
  5. ZCC version ?

G

I see the same issue. I have tried multiple versions of Tunnel 1.0 and Tunnel 2.0, TLS/DTLS modifying MTU but my bandwidth drops significantly when ZIA is on. If I turn it off I get better speeds. I know I won’t get my full bandwidth but it’s definitely something noticeable.

I have tried wired directly to the ISP Router/Modem with pretty much the same results. I’m going back through and rebuilding everything, making sure I didn’t mess up a configuration, and will check back in if I come across something.

I am also facing the same issue, no resolution from TAC on low speed issue.
We are using V2.0 DTLS. Some users are getting 0.1 Mbps speed when they are on DTLS…
However we have moved some users on V2.0 TLS they are getting actual speed.
Might be some ISPs are blocking DTLS from their end.
This is my observation, don’t know whether I am right or wrong.

I have heard that same thing about ISPs not liking the udp/443 for dtls. I’ll give a shot again and do some more testing.

Any ideas why an ISP would be throttling DTLS?

Thanks for your query. Please find the reply; I hope you have a solution.

Hi Hriday,

  1. Okay so wifi only, do you see constant flips between 2.4 to 5G for any of these home users ?
  2. Silly one, latest supported Wi-Fi drivers for win 10 ?
  3. Packet filter, strange that a system restart is required before you see better performance. ZCC service restart doesn't give you the same result ?
  4. What are you using for system management SCCM, Intune etc ? (thinking about the 15 minutes of good performance before it degrades the TLS tunnel)
  5. ZCC x64 - Nice ! All AV bypasses or process Whitelisting done along with windows Firewall exceptions ?
  6. Does any of your home users have a fast ZCC experience ?

Sorry for all the tedious questions
G

Working with Sr. TAC Engineering and will post any updates I get.

Ok. I may have a fix. Our issue is very similar to what is going on here.

*** The problem ***
ZCC | ZTunnel 2.0 = Internet performance is terrible
ZCC | ZTunnel 1.0 = Internet performance is what is expected
ZCC off = Performance is what is expected

*** The solution ***
NOTE! This only works in ZTunnel 2.0 mode using client version 3.8.x

1.) Logon to Zscaler admin
2.) Go to client connector portal
3.) Go to Administration > Forwarding Profile
4.) Edit the forwarding profile being used
5.) Under each network type in the profile (Trusted, VPN, Off Trusted Network), click on the link for “Z-tunnel 2.0 Transport Settings”
6.) In there you will see a switch called “Redirect Web Traffic to ZCC Listening Proxy”. TURN THIS ON!
7.) Do that on each network type, then save changes
8.) After a few moments, update the policy on the ZCC and give it a try.

We have been working on this issue for the past 2 weeks with support and finally got it escalated to tier 3. The T3 engineer had me enable this new feature and KABOOM!!!

Now, I have only been testing this for the past few hours, but so far this looks like it is doing the trick.

Also, when testing bandwidth, etc… be sure not to use speed test sites like speedtest.net, google speedtest, etc… as most of them are not proxy aware or simply do not like testing via a proxy server period. Instead, use the link below for testing with the ZCC on.

http://127.0.0.1:9000/?ztest?q=@your root domain name

Why does using “Redirect Web Traffic to ZCC Listening Proxy” fix the problem?

Same as Gordon, what does “Redirect Web Traffic to ZCC Listening Proxy” do?

Documentation just says:

  • Redirect Web Traffic to ZCC Listen Proxy: Enable this option to redirect all 80/443 traffic to the Zscaler Client Connector listening proxy.

But I don’t understand the need for enabling this option when using tunnel 2.0

Maybe this topic can assist there?

@G-Man8 , @Gabriel_Sicouret can maybe shed a bit more light on the topic.

From what I was able to gather, when you enable this feature, it will then send all web traffic through tunnel1.0 (TLS). It will leave anything that is not web traffic, i.e. (applications), through tunnel2.0 (DTLS). By doing this, you avoid any DTLS throttling.

I don’t know enough about this, but there were some concerns with SIPA functionality by enabling this. @Shakti_Kumar1 might be able to expand on this a bit more.

With that being said… I do not think this would help the original ask, due to the fact that the original question mentioned they are currently using Tunnel 1.0.

@hriday.dhali7 - are you able to update or provide any further updates? Thanks!

Curiously asking, currently on version 3.6. And this option is already enabled since day 1.
Does it do anything for versions lower than 3.8? Any idea?

This option is available for versions 3.8+, so nothing to do for lower versions.

Thanks to @Ben_Garrison for the answer, reading @Gabriel_Sicouret’s post seems to avoid the need to use a forwarding profile to bypass web domains. It’s clear now :)

Out of interest - anyone else getting slow download performance Tunnel 2.0 / DTLS?
Don’t recall earlier in the year being that degraded - but perhaps related to more enhanced features noted above/client updates? Still on 3.7.2.18 client version.