Zcc updates resulting in broken ZIA or ZPA

Client Connector
,
#1

We’ve been testing rollout of ZApp 3.1.0.88 and .96 for Windows only (no Macs here) in a ZIA+ZPA environment, and across about 100 users, we’ve seen 3 that end up in an unusable state. Specifically, ZPA may give a Connection Error, or fail authentication. Maybe Retry will work, maybe Reboot, but more often it is Logout/Login that is required. For one user, we also tripped over the bug where the one-time logout password wouldn’t work, so we had to force remove them.

We’re using Azure AD for SAML auth. Are any other organizations encountering this? Are you also using Azure AD? I’m looking for commonalities, as I’m not sure there’s anything specific we can raise a ticket for.

#2

Hi, i had no Problem with 3.1.0.88, but upgrade to 3.1.0.103 had similar problems. e.G. Login to ZIA works, but ZPA had problems. Reboot of PC don’t solve the problem, only manual uninstalling and reinstalling the ZAPP works. Only tested on 2 PCs in the moment.

We also use AzureAD SAML authenticaton.
no further deep testing was done from my site in the moment, because i am on vaction now :slight_smile:

#3

We have about 100 machines deployed for testing and not seen any issues so far with upgrades from 2.1.2.71.

#4

We have the same issue with some clients (also using Azure AD SAML) and latest ZCC. Also on complete fresh out-of-the-box clients. We turned off all automatic user login detections in Mobile App Portal and requested affected users to logout with the OTP and then to relogin again. Until yet this solved the issues. But of course this is not a permanent solution…

BTW, happy new year to everyone! Stay healthy!

#5

I’m now at 1540 machines at the latest version (3.1.0.103), and I’ve had report of maybe 2 or 3 machines needing assistance. I say maybe because we have other reasons why I’d have to provide a logout password. Based on this, we’re not having a problem.

It’s odd that, when we’re doing it onesey/twosey it’s had such a bad error rate (~5%).

For clarity, we’re currently set up with auto-update to latest, and did “Group Based” rather than “Always Latest Version”. This setting could cause issues down the road, due to unexpected updates, but it’s what’s currently requested.

1 Like
#6

Hi,

I’ve tried to deploy over 5 machines the 3.1.0.103 from 2.1.2.113 (manual install), 2 had problems, asking to reenroll completely. I need to re-install the package after each hibernation at least for one of them;

#7

@bpetitfour I’ve never had that problem. Hibernation, sleep, log in/out of Windows - these should all be uneventful with Win10. Is it still a problem?

#8

@Tachyon, I 've found the issue, this was due to old ZCC forced by a SCCM deployment on some pilot machines . Since this deployment was stopped, no issue was raised during our tests and we will deploy the new one with confidence on all our devices.

Best,

B.

1 Like
#9

All, replying to my previous post, we had no issue during the deployment.

#10

We’ve seen a very small percentage of upgrades that required a re-install to fix. I’m talking less than 0.5%

#11

Of 30 testusers we have luckily only one user left where whether re-install of ZCC nor ReAuth nor “Restart service” nor “Repair app” solves the issue. Only manual logout/login to ZCC helps. It seems somehow ZCC is not able to “update” the user auth token by itself as the issue always arise in the morning when booting the client for the first time.

In the logs we see an error “BRK_MT_AUTH_SAML_FINGER_PRINT_FAIL” and suggested solution to logout/login solves the issue, but everyday? Noteworthy: the SAML-testurl works flawless and reponds with correct SAML-attributes.

ZScaler support is also working on that issue. I will post here as soon as we have a solution.

#12

Manuel,

Which IdP are you using? Have you tried turning off Sign SAML Request?

Regards,

-Todd-

PastedGraphic-2.tiff

#13

Hello Todd,

we are using AzureAD as IdP. And yes, Sign SAML Request is turned off.

I do not understand why the issue only affects this one particular user. The only thing we did not test yet is a manual deployment of ZCC by directly installing via MSI or EXE. Until yet we just uninstalled manually and let Azure Intune do the automatic installation again. Maybe something on this machine is weird…

BR
Manuel

#14

Manuel,

I’m sure you saw this but does the user have uppercase letters in his login?

Ask the user to logout of the Zscaler Client Connector and log in again. Make sure that the username portion of their email address is being entered using lowercase letters

image007.png

1 Like
#15

Hey Todd,

just double-checked with the user. No uppercase letters.

#16

Manuel,

I would look in the Zscaler logs at this point to see what is going on. That is going to be your best hope in my opinion.

Sorry I could be more help.

-Todd-

PastedGraphic-2.tiff

2 Likes
#17

Quick update as some other users are affected by this reauth-issues:

  1. Interesting fact 1: it happens only occassionally and NOT everyday. Probably the problem may not occur if the time between switching off and switching on again in the morning is too short.
  2. Interesting fact 2: ALL the affected machines are AMD based Lenovos with AMD Ryzen5 4500U

Maybe we are “just” facing a HW related issue. I will post here if we get any evidence on that.

#18

Bingo, ZCC Release 3.2.0.87:

  • Fixes an issue where the user had to log in to Client Connector after reboot, even though the user was previously logged in for special hardware scenarios.

https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2021

Zscaler Facebook  Linkdin  Zscaler Twitter  Zscaler Youtube  Zscaler Blogs
 

Copyright 2008-2020 Zscaler™, Inc.Zscaler™, SHIFT™, Direct-to-Cloud™, ZPA™, and The Cloud-First Architect™ are trademarks or registered trademarks of Zscaler, Inc.in the United States and/or other countries. All other trademarks are the property of their respective owners.