ZDX behind GRE - how does it know the path?


Not sure if this is the right forum, but there’s no dedicated one for ZDX. So, I’d like to confirm a few things. We’re trying to troubleshoot an MS Teams issue and we use ZDX as our primary source of QoUE score. However, we aren’t sure the data it gives is valid.

Our offices have Silver-Peak (Aruba) SD-WAN appliances which have GRE tunnels configured pointing to Zscaler PSENs. We also use Tunnel 2.0 on-prem. So, traffic from the user is encapsulated twice (ZCC, then GRE). However, what ZDX shows is a traceroute from the SD-WAN appliance (its WAN interface) all the way to the PSEN.

My question is: how does it know what the path looks like in the underlay if there’s no way traffic can bypass GRE? I accept the fact that ZDX can bypass Tunnel 2.0, but GRE is transparent for it. Yet, it shows us the hop-by-hop path in the underlay. I just don’t understand where this data comes from and how to treat it. Anyone from Zscaler, please?

Just in case others wonder, I have the following response from Zscaler TAM:

After I had a discussion internally I came to know that we perform a reverse MTR from the ZEN to the public IP of the customer’s gateway. The public IP is retrieved by the ZCC using our location API endpoint. This is implied by the direction of the arrows in the trace.

We’ve raised an ER to improve visibility of this from a customer’s perspective to avoid confusion, as it’s not obvious from the UI. Hope this helps.


