Slow access DFS via ZPA


My customer have ZIA and ZPA, they reported high delay accessing file on their DFS via ZPA. We took wireshark and it shows " KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ". Is this Kerberos error related to having ZIA proxy thus making Domain Controllers having DNS resolution issues? Appreciate good advise here.


I’d need to see the full PCAP, however what I’d question at the outset is why it’s accessing something on an adjacent subnet (i.e. client is, server is Is this actually going through ZPA?
you should look at the TGS REQ and RESP to see what the principal is. Does this match the DFS host?
Happy to take a look - DM me on Slack.

Hi @mryan ,
Thanks big time.


I can only assume that this is a pcap from their connector.

zulfadli, when looking at latency, what is making you target the kerberos messages specifically?

Have you looked at response measurements between packets? I am not able to tell based upon your filter as it provides only a portion of the picture.

ZPA also offers metrics for application setup time within diagnostics. You have more in depth information in LSS logs if you ingest these. ServerConnectionSetupTime and ConnectorZenSetupTime. These are recorded in microseconds so make sure to adjust accordingly.