Issue with Zscaler datacenter node when forwarding traffic via IPsec to ZIA

We are using IPsec to forward web traffic to the Chicago Zscaler (FedRAMP) datacenter. When connections appear to be slow, we use speedtest.zscaler.com to identify an issue with the connection. It appears there is a 250ms delay between 128.177.125.226 and 136.226.12.2. Both IPs belong to Zscaler infrastructure. Zscaler support does not see anything wrong with this delay, even though the delays between other hops do not exceed 4ms.
We are just wondering if other Zscaler customers experience the same issue?
Thanks,

Hello,

I don’t know if this will relate to you or not, but the network I manage also uses an IPsec tunnel to a Zscaler Chicago datacenter and, in a way, had an issue that may be similar to yours.
To sum it up the best I can, we had an issue where a lot of HTTPS traffic would not make it through correctly. For example, websites such as Autodesk.com and Adobe.com would not load correctly or would take forever to load the first few times; after multiple refreshes they would then load just fine and continue to load fine for a short while, until the same issue reoccurred and it was back to multiple refreshes/attempts.
This caused a huge issue with our Autodesk Cloud Licensing, let alone any time we needed to log in and do something with our accounts on one of those sites. Also, those websites are just a couple of examples of the several we had problems with or were aware of.
After working with Zscaler support over multiple months, it was found that the traffic did not like one of the specific Zscaler SMEs which the traffic would usually traverse. Zscaler support resolved this by creating a PAC file that told our traffic to only traverse one SME and not the SME we had problems with. I took the PAC file and added it to the Internet Options for all users via Group Policy. While I can’t say I was super thrilled with this resolution, it did the trick.

Hopefully this information can help you in some way.

Thank You,
Matt

Hi Matt, were you forwarding to the zsgov-chi1-2c1-sme.gateway.zscalergov.net node when you experienced the issue?
Thanks,

Sorry, no, I totally missed the government part. We use ZscalerTwo.
But after just going through my case notes again, I realize that the problem might not have been a specific SME, but instead that the traffic didn’t like bouncing through multiple SMEs. The PAC file was to tell our traffic to use a dedicated SME, whereas without it the traffic would traverse multiple SMEs.

Case notes below:


Hello Matt,

I hope you are doing well.

Please find the summary of our last call below:

  • On the call we checked that the websites (ctirx.com, adobe.com, autodesk.com) have issues while loading. After refreshing three times, the respective sites load.

  • Traffic forwarding method is IPsec.

  • All other websites load without any issue.

  • We also checked that with ZCC it was working fine, but then the issue was seen with ZCC also.

  • We tried to use a PAC explicitly where we direct the concerned traffic, but still no luck.

  • We tested by defining a dedicated SME and it started working.

  • Suggested to use the PAC file where we can define this traffic to go to the dedicated SME.
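For readers who want to see what the workaround from Matt's posts and the case notes above looks like in practice, here is an added example PAC file. It is not the file Zscaler support produced and not Zscaler's own code. It pins the affected sites to one dedicated node so their requests stop bouncing across several SMEs, and leaves everything else on its default path (DIRECT from the browser's point of view, i.e. carried by the IPsec tunnel). The node name is the gateway mentioned earlier in the thread, used here only as an illustration; the real value for a tenant comes from Zscaler support. Port 80, the domain list, and the helper functions are assumptions. It is written in ES3-style JavaScript because many PAC engines reject newer syntax, and it uses its own helpers instead of the built-in dnsDomainIs so it can also be loaded and tested in Node.

```javascript
// Added example PAC file, not from the thread or from Zscaler.
// Pins the problem sites to ONE dedicated Zscaler node and leaves everything
// else on the tunnel's default path.

// ASSUMPTION: dedicated node name taken from the thread as an illustration;
// the real one comes from Zscaler support. Port 80 is also an assumption.
var DEDICATED_SME = "PROXY zsgov-chi1-2c1-sme.gateway.zscalergov.net:80";

// Constructed list of the sites the thread reports as affected; extend as needed.
var PINNED_DOMAINS = ["adobe.com", "autodesk.com"];

// True when host equals domain or is a subdomain of it (www.adobe.com).
// Own helper rather than the built-in dnsDomainIs, so the file also runs in Node.
function hostInDomain(host, domain) {
  if (host === domain) { return true; }
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// RFC 1918 literal addresses must never be sent to the cloud proxy.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) { return false; }
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet names (no dots) and private addresses stay local.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) { return "DIRECT"; }
  for (var i = 0; i < PINNED_DOMAINS.length; i++) {
    if (hostInDomain(host, PINNED_DOMAINS[i])) {
      // Fail back to the tunnel if the pinned node is unreachable.
      return DEDICATED_SME + "; DIRECT";
    }
  }
  return "DIRECT"; // default: rides the IPsec tunnel to ZIA unchanged
}
```

The trailing "; DIRECT" on the pinned entry is the fallback a browser uses when the named node does not answer, which keeps those sites reachable during a node outage instead of hard-failing; drop it if policy requires that the sites only ever be reached through the dedicated node.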


Reduce the MTU below 1400 and it should resolve the issue. (Even 1399 will work.)
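The arithmetic behind the MTU suggestion above, as an added example that is not part of the thread. An inner IP packet sent through an ESP tunnel-mode IPsec link grows by the outer IPv4 header, an optional NAT-T UDP header, the ESP header, the cipher IV, padding plus the two trailer bytes, and the integrity check value; if the result exceeds the outer link's MTU the packet is fragmented or, with DF set, dropped, which produces exactly the kind of intermittent HTTPS failure described earlier. The header sizes are the standard ESP/IPv4 values; the three cipher profiles are assumptions chosen to resemble common tunnel settings, not values from the thread or from Zscaler. Kept in JavaScript to match the PAC example.

```javascript
// Added example, not from the thread: ESP tunnel-mode overhead and the largest
// inner MTU that avoids fragmentation on a 1500-byte outer link.

// Cipher profiles (ASSUMED, illustrative): { ivLen, blockLen, icvLen } in bytes.
var AES_CBC_SHA1   = { ivLen: 16, blockLen: 16, icvLen: 12 }; // AES-CBC + HMAC-SHA1-96
var AES_CBC_SHA256 = { ivLen: 16, blockLen: 16, icvLen: 16 }; // AES-CBC + HMAC-SHA256-128
var AES_GCM        = { ivLen: 8,  blockLen: 4,  icvLen: 16 }; // AES-GCM pads only to 4-byte alignment

// Bytes added to an inner packet of innerLen when it is ESP-encapsulated.
function espOverhead(innerLen, profile, natT) {
  var outerIp = 20;                 // outer IPv4 header (tunnel mode)
  var udp = natT ? 8 : 0;           // UDP/4500 encapsulation when NAT-T is in use
  var espHeader = 8;                // SPI + sequence number
  // Trailer: pad so that (inner + pad + 2) is a multiple of the block size;
  // the 2 extra bytes are the pad-length and next-header fields.
  var pad = (profile.blockLen - ((innerLen + 2) % profile.blockLen)) % profile.blockLen;
  return outerIp + udp + espHeader + profile.ivLen + pad + 2 + profile.icvLen;
}

// Size on the wire of the encapsulated packet.
function outerLength(innerLen, profile, natT) {
  return innerLen + espOverhead(innerLen, profile, natT);
}

// Largest inner packet that still fits the outer link MTU without fragmentation.
function maxInnerMtu(outerMtu, profile, natT) {
  var inner = outerMtu;
  while (inner > 0 && outerLength(inner, profile, natT) > outerMtu) { inner--; }
  return inner;
}

// Would an inner packet of innerLen be fragmented (or dropped when DF is set)?
function fragments(innerLen, outerMtu, profile, natT) {
  return outerLength(innerLen, profile, natT) > outerMtu;
}

// Example run: a default 1500-byte host MTU versus a conservative 1400 over a
// NAT-traversed AES-CBC/SHA-1 tunnel whose outer link is also 1500 bytes.
console.log("max inner MTU (CBC/SHA1, NAT-T):", maxInnerMtu(1500, AES_CBC_SHA1, true));      // 1422
console.log("1500-byte inner packet fragments:", fragments(1500, 1500, AES_CBC_SHA1, true));  // true
console.log("1400-byte inner packet fragments:", fragments(1400, 1500, AES_CBC_SHA1, true));  // false
```

With these profiles the ceiling lands between about 1420 and 1440 bytes, so 1400 leaves a margin for any extra encapsulation on the path. Lowering the interface MTU on the tunnel side is one lever; clamping TCP MSS on the same interface is the usual companion, because it fixes the TCP case without relying on Path MTU Discovery ICMP messages, which firewalls often drop.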