Performance issue with ZCC

Hello Everyone,

recently, users are claiming that they are having performance issue with teams and internet while on ZCC client If they turn off ZIA everything works fine. I also followed best practice from Zscaler best-practices-for-microsoft365-and-zscaler.pdf during the implementation. has anyone experience performance issue and what was solution?

We are only using ZCC forwarding pac file. We don’t have GRE/site to site tunnel setup.

Any particular region?

we changed the tunnel from DTLS to TLS which shows improvements.

Some ISP doesn’t support dtls , it’s good to leverage tls on those locations or set of users.

are there any plans to give ZCC users the option to manually switch in between DTLS and TLS (not talking about assigning them to a different profile here)?
ZCC is not exactly good at deciding whether to use DTLS or TLS … if DTLS somewhat works but is very slow it sticks to it.

1 Like

Do you have this option selected in the Forwarding Proffile?


You might also consider enabling the MTU discovery and setting a smaller MTU size.

yes fallback is active
But the problem is that it can happen that an ISP supports DTLS but throttles it (in parts of their networks in worst case).
Manually fiddling with MTU sizes is just a very hacky workaround; doesn’t scale at all.

In such scenarios ZCC will use DTLS and the users eventually complain for slow speed. The only option in such cases is then to move the user to a ‘TLS only’ profile - but if that improves the speed can only be tested/confirmed by the user.

If there would be an option in ZCC for users (which are set for a ZT2 profile) to freely switch in between DTLS and TLS the admins would no longer need to play profile ping-pong.

1 Like

I think with the upcoming ZCC release performance based selection of public service edge will be available. I don’t think this uses tests via TLS and/or DTLS which might be a good ER to add.

which reminds me to ask for an ER for ‘make pending ERs public’ :wink:

With that other interested customers could easily check if there already is an ER in the pipeline and then either ask their TAM to be added to it or to create a new one.



Even with V2.0 TLS we are seeing performance issue. when users are on ZIA they are only getting between 50% to 30% bandwidth speed reduction. When they are off ZIA they are getting close to 90% of speed they signed up with their ISP provider. How is that possible?

Zscaler Support doesn’t have any input on the issue except try to change MTU size and tunnel settings.

generally speaking:
When you access say with ZIA active that traffic likely takes a different path than what it takes without ZIA.
Could well be that your ISP has a less big pipe towards his next upstream for traffic which get sent towards the nearest ZS CENR than what it uses as upstream towards
Do some traceroutes with/without ZIA active; maybe with that ZS can investigate a bit more and ‘wakeup’ the involved ISPs.