ZPA DNS Timeouts? in China

Looking for some feedback if anyone’s dealt with similar issues.

We are positioning connectors in China region for our sites in the region and we are seeing intermittent issues with what I’m guessing is DNS timeouts when accessing applications.

We can perform an nslookup and see a response with 100.64.x.x so it appears the tunnel is there, but we will randomly see “Invalid DNS Domain” errors. We are able to resolve all apps and have a group of connectors globally. Based on the error, I’m assuming that we are hitting the 3 second timeout for a DNS response.

We have connectors in China and utilizing DNS servers that reside in China.

Garrett, can you please open a support case, so that engineering can review the logs and provide assistance.

Yes we saw the same issue. After Zscaler update to keep brokers within mainland China it fixed it for us.

We are seeing this issue again inside mainland China brokers. My connectors are not having an issue resolving the domains but I am seeing this in the diagnostics logs:

INTERNAL STATUS CODE
INVALID_DOMAIN

We’ve seen a downtick of these events. But they still persist. We’ve seen a larger number ZEN timeouts now and some issues getting to the IDP page now.

My issue in China was similar and is now resolved. My issue was due to the connector getting resolution from a local DNS server that had a forwarder configured in the US over MPLS.

This caused the resolution of [co2br.prod.zpath.net] to be a Zscaler broker in Ohio instead of a broker within China. We learned early on that we cannot use a broker outside of China, as that causes all kinds of issues going through the Great Firewall of China.

You can check the broker/ZEN the connector uses under Administration/Connector by looking under each connector.

Also note the resolution is done only during the restart of the service. Once the resolution is done and the connection is established, the connector keeps this connection as a persistent TCP connection to interact with ZPA cloud.

What I have done for now is configured my China connectors with only one local DNS server that points to Root Hints.

Hopefully this lesson learned will help others with the same issue.
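An added diagnostic to illustrate the two symptoms in this thread (it is not from the thread, from Zscaler, or from any of the posters): it times a lookup against the assumed 3 second DNS timeout, checks whether an app answer is a ZPA synthetic 100.64.x.x address, and compares the broker FQDN answer from the connector's resolver with an in-country reference resolver to catch the forwarder-to-US case. The resolver callables and the sample addresses in the test are constructed placeholders.

```python
import ipaddress
import socket
import time
from typing import Callable

# Values taken from the thread: ZPA app answers come from the CGNAT range
# 100.64.0.0/10, the poster assumes a 3 second DNS response timeout, and
# co2br.prod.zpath.net is the broker FQDN whose resolution went to the US.
ZPA_SYNTHETIC = ipaddress.ip_network("100.64.0.0/10")
DNS_TIMEOUT_S = 3.0
BROKER_FQDN = "co2br.prod.zpath.net"

Resolver = Callable[[str], list]


def system_resolver(name: str) -> list:
    """Resolve via the host's configured DNS, i.e. what the connector would use."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def timed_lookup(name: str, resolver: Resolver = system_resolver,
                 clock: Callable[[], float] = time.monotonic) -> dict:
    """One lookup: answers, elapsed seconds, timeout breach, and whether every
    answer is a ZPA synthetic address (the 'tunnel is there' sign from the thread)."""
    start = clock()
    try:
        addrs, error = list(resolver(name)), None
    except OSError as exc:  # NXDOMAIN / SERVFAIL / timeout surface as OSError
        addrs, error = [], str(exc)
    elapsed = clock() - start
    return {
        "name": name,
        "addresses": addrs,
        "seconds": round(elapsed, 3),
        "error": error,
        "over_timeout": elapsed > DNS_TIMEOUT_S,
        "zpa_synthetic": bool(addrs) and all(
            ipaddress.ip_address(a) in ZPA_SYNTHETIC for a in addrs),
    }


def broker_divergence(local: Resolver, reference: Resolver,
                      name: str = BROKER_FQDN) -> dict:
    """Compare the broker answer from the connector's resolver with an in-country
    reference resolver; disjoint answer sets are the forwarder symptom above."""
    a, b = set(local(name)), set(reference(name))
    return {"name": name, "local": sorted(a), "reference": sorted(b),
            "diverges": bool(a) and bool(b) and a.isdisjoint(b)}
```

Run `timed_lookup` for a few app FQDNs and `broker_divergence(system_resolver, <in-country resolver>)` on the connector itself; because the connector only resolves the broker at service restart, a divergence found here only takes effect after the next restart.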


We’ve definitely discovered this as well unfortunately, so that’s a good call out. Ours were going to a Singapore ZEN. We’ve had to make some changes for that as well due to a similar setup you’re referencing.

Correlated some of my issues today to a bad circuit. Unfortunately APAC region has some different workarounds than we need to consider in other regions.
