recently, users are claiming that they are having performance issue with teams and internet while on ZCC client If they turn off ZIA everything works fine. I also followed best practice from Zscaler best-practices-for-microsoft365-and-zscaler.pdf during the implementation. has anyone experience performance issue and what was solution?
We are only using ZCC forwarding pac file. We don’t have GRE/site to site tunnel setup.
are there any plans to give ZCC users the option to manually switch in between DTLS and TLS (not talking about assigning them to a different profile here)?
ZCC is not exactly good at deciding whether to use DTLS or TLS … if DTLS somewhat works but is very slow it sticks to it.
yes fallback is active
But the problem is that it can happen that an ISP supports DTLS but throttles it (in parts of their networks in worst case).
Manually fiddling with MTU sizes is just a very hacky workaround; doesn’t scale at all.
In such scenarios ZCC will use DTLS and the users eventually complain for slow speed. The only option in such cases is then to move the user to a ‘TLS only’ profile - but if that improves the speed can only be tested/confirmed by the user.
If there would be an option in ZCC for users (which are set for a ZT2 profile) to freely switch in between DTLS and TLS the admins would no longer need to play profile ping-pong.
Even with V2.0 TLS we are seeing performance issue. when users are on ZIA they are only getting between 50% to 30% bandwidth speed reduction. When they are off ZIA they are getting close to 90% of speed they signed up with their ISP provider. How is that possible?
Zscaler Support doesn’t have any input on the issue except try to change MTU size and tunnel settings.
When you access say disney.com with ZIA active that traffic likely takes a different path than what it takes without ZIA.
Could well be that your ISP has a less big pipe towards his next upstream for traffic which get sent towards the nearest ZS CENR than what it uses as upstream towards disney.com.
Do some traceroutes with/without ZIA active; maybe with that ZS can investigate a bit more and ‘wakeup’ the involved ISPs.