ZCC Frequent disconnects in the office

Hey everyone,

we currently have issues with the Zscaler Client Connector at our company sites where the ZCC at apparently random times reconnects to the Zscaler Infrastructure. This results in an interruption of network connectivity for e.g. Microsoft Teams and Azure Virtual Desktop. Also, the “Time connected” field in the ZCC resets to the time of the reconnect.

We are using Tunnel 2.0 DTLS via the Packet Filter Based Driver Type. The traffic is routed via our firewall into the VPN tunnel to Zscaler. The problem only occurs in this constellation on the company network. When we are working from home, the problem does not occur.

Has anyone already met such an issue?

I have already opened a ticket with the Zscaler support but as of now without any success.

Hi Raphael, please also reach out to your ZS sales team. There could be many reasons for the behavior. We should be giving you every bit of assistance possible.

Hi Keith, thanks for the response. We already did that. I guess I will just stay in touch with the support.

Raphael - In case you haven’t heard back from support yet, the most common cause of this issue is that you are using Tunnel 2.0 on the client and the tunnel 2.0 protocol to Zscaler. Running ZCC behind a tunnel to ZS is valid, but can often cause problems with performance and disconnects for long-lived connections because of the conflict between the DTLS tunnels in this case, especially on long-lived connections over ports other than 80/443.

Changing the client to tunnel 1.0 while on the local network via the forwarding policy (configured in the mobile portal admin under “forwarding profiles”) will likely do the trick. Since this is set based on the trusted network criteria (DNS Search domain, DNS Server, Host IP Address) your client should revert to tunnel 2.0 once you’ve left the network.

Hi,

we have discussed the same with our customer. We also thought about bypassing the Tunnel 2.0 traffic (Zscaler Datacenter IPs) from the IPSec/VPN tunnel and using the “Global ZEN IP addresses” to route certain (non-ZCC) traffic in the IPSec/VPN tunnel.
Best regards
Andreas

Check your packet size as well.

Thanks everyone for the answers. We tested excepting all ZCC client traffic from the VPN tunnel for a few weeks now and this seems to have solved the issue.

Hey,

I just wanted to share that we also used a configuration with Tunnel 2.0 that got routed via GRE tunnels in our headquarters. A few weeks/months ago we had some users, in some local networks in our headquarters, that sometimes got disconnected. We have searched through all kinds of logs and tried to find a logical explanation, but failed terribly and it seemed like it got worse and worse.

We also talked to Support, our Zscaler contacts and even started a ZDX POC to evaluate this issue.
While going through the ZDX deployment and the first logs, he saw the Tunnel 2.0 Configuration via GRE and mentioned that this could be a problem.

As @mharris30 described, we have changed our configuration to tunnel 1.0 in our headquarters. Traffic that isn’t forwarded via 1.0 Tunnel will be routed directly through the GRE tunnels to Zscaler.

Now the app reconnects much less often and the quality of the service overall increased.
But I would really love to understand how this very inconsistent behaviour of the app in some cases came to be and why it wasn’t a problem the months before. But I guess I will just have to make my peace with it.

Kind regards,

Simon