ZPA Authentication issue in China

Random users in China reports authentication issues in China. Upon verification we noticed authentication request to ZPA fails.

Further analysis in packet capture, shows that DNS response to samlp.private.zscaler.com resolves to Ip which are hosted in AWS Korea.

Zscaler TAC says China’s Great firewall is often behind this issue and its out of their control.

Knowing these challenges in China, does Zscaler come up with any preventive measures that prevails the Service, like in-housing the supporting services (auth servers) in china?

Note: Due to Corona Outbreak, more of our end users tend to use remote access capabilities and we couldn’t commit a 100% available service.

Ganesh Krishnan

Hi Ganesh,

You are not alone here. We too still having many problems in China. Any more news or updates or improvements from from Zscaler are welcomed here. I am looking forward for it.

Best Regards,

Hi Ganesh,

In early March, an enhancement was made so that User auth requests are no longer proxied through China brokers, and instead go directly over the internet. Several customers have confirmed that this change has eliminated delays and issues observed during authentication into ZPA.

1 Like

We are still facing similar issues with authentication to ZPA for our China users and so could you please clarify what enhancement was made and how we can benefit from that to avoid such issues during authentication?

Sajitha, originally user authentication requests were sent to ZPA authentication microservice through ZPA DCs in China. We were observing that these requests experienced traffic degradation, thus affecting the user experience. So these requests are now sent directly to ZPA auth service over the internet, instead of sending through ZPA DC.

I recommend opening a Support case, so that we can review the issue and provide assistance.