Z-App -8 Network Error when users log in on Windows 10

Hello, has anyone experienced the networking error -8 when the app runs on certain versions of Windows 10 Enterprise? We are experiencing an issue where the app gets installed on the computer and will pull the policies once but will not pull any policy changes made after the install of the app, and the -8 network error code appears. I’ve created a ticket with Zscaler, but none of the techs have given anything that resolves the error on multiple computers. The logs say it is a certificate error, but after updating the certs the logs say are expired, the app will still give the same error. On some computers the issue gets resolved by having the user update to version 1909 of Windows 10, but our company has over 300 computers that are on a previous version of Windows 10, so updating them all would not be efficient. Does anyone have any suggestions on what to try? Is there a known issue with the Z-App running on Windows 10 computers that are not on Windows 10 version 1909?

What error are the app logs showing after you upgrade the certificates? I’ve typically seen the -8 error be more network related and be some sort of inability to reach gateway.zscalertwo.net etc.

It gives a certificate error for “Entrust.net Secure Server Certification Authority”. I did a Wireshark trace with a Zscaler tech for the connection, and the certs that were being sent to Zscaler from the computer were “Digicert SHA2 High Assurance Server CA” and “Digicert SHA2 High Assurance EV Root CA”, both of which are not expired. The “Entrust.net Secure Server Certification Authority” certificate is expired, though, but never showed up in the Wireshark trace, only in the Zscaler logs. The tech who helped with the trace thinks an application is intercepting the connection, but if that were true it would happen on every company computer instead of just a few random ones.

Do you have IPv6 enabled, and if so, can you try with that disabled?

IPv6 is enabled. We disabled it a few weeks ago and the computer still couldn’t make the connection.

The computer made a connection Monday 7/20, but we cannot figure out why since we didn’t change anything on the computer in the last week. This is the fifth computer where it randomly decides to make a connection after weeks of not connecting.

Hmmm…have you tried disabling the Windows firewall? And you have sent the logs to Zscaler support?

Hi Chris,

We were having the issue with ZApp or Zscaler Client Connector running on Windows 10 in one of our customer environments. We worked with Microsoft support, and the issue was observed when the user was connected to multiple network interfaces like VPN, Wi-Fi, wired, etc. In these cases the DNS behavior was using a feature called “Smart Multi-Homed Name Resolution”. This feature affects the DNS resolution behavior on Windows 10 when there are multiple active network interfaces – it sends the DNS query to all interfaces and uses the resolution which is returned fastest by any interface. Because of this behavior, if any interface returns NX-Domain then the resolution will fail.
The Microsoft engineer advised us to try the below commands (with elevated privileges in PowerShell) on one of the affected users for testing:

Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name DisableSmartNameResolution -Value 1 -Type DWord

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name DisableParallelAandAAAA -Value 1 -Type DWord

We had to create the DWord manually in the registry for the first command, which was not working as the DWord didn’t exist.

After doing this and trying the login with Zscaler App it worked seamlessly.

The above resolution is only applicable if the user is having issues because of DNS resolution to your Zscaler cloud domains and the user was trying to connect/login with VPN or multiple LAN interfaces active.

Do let us know if this helps.
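The two settings from the post above, written as an added PowerShell example that is not part of the original post and does not come from Zscaler or Microsoft: it creates the registry key when it is missing (the case where the first command did not work), writes each DWORD, and reports the value before and after. The function name `Set-DnsClientDword` and the `$Settings` table are hypothetical names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Applies the two DNS client values
# named in the post, creating a missing key first so the write cannot fail.
# Set-DnsClientDword and $Settings are hypothetical names.

$Settings = @(
    @{
        Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
        Name = 'DisableSmartNameResolution'
    },
    @{
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
        Name = 'DisableParallelAandAAAA'
    }
)

function Set-DnsClientDword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [int]$Value = 1
    )

    # Set-ItemProperty errors out when the key itself is absent,
    # so create the key (and any missing parents) before writing.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Record the current value; $null means the DWORD did not exist yet.
    $before = (Get-ItemProperty -LiteralPath $Path -Name $Name `
                   -ErrorAction SilentlyContinue).$Name

    # -Force creates the DWORD or overwrites an existing one.
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null

    $after = (Get-ItemProperty -LiteralPath $Path -Name $Name).$Name
    [pscustomobject]@{ Path = $Path; Name = $Name; Before = $before; After = $after }
}

# Apply both settings and show what changed on this machine.
$results = foreach ($s in $Settings) { Set-DnsClientDword @s }
$results | Format-List
```

Keeping the `Before` column from the output makes it possible to restore the earlier state on a test machine if the change does not help.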

I’ve been sending logs to support for this issue for 2 months. We have disabled the firewall and nothing changed. It also looks like it is only affecting users on Windows 7 or Windows 10 version 1809. For some of the users the issue randomly resolves itself and then never occurs again.

The issue in the logs is from a certificate error, but the app logs and Wireshark are showing different certificates being checked. We have updated both certificates and neither has resolved the problem.

Hi, Chris - what version of ZApp?

zapp version

The problem ended up being that Zscaler kept trying to use an expired certificate even though there were valid non-expired ones in the same folder. Once the expired ones were removed the app started functioning normally. You’d think the app would be smart enough to grab the unexpired certificate that it installs during the install process, but I guess that’s not the case.