When you perform a ping or nslookup for the FQDN, does this return a carrier-grade NAT IP?
I would suggest looking at the client connector ZSAtunnel logs and a packet capture. Here are some example logs of the DNS lookup and the request for the tunnel.
DBG getTunnelRequestTypeJson: Request url: https://app.company.com host: app.company.com protocol: 6 port: 443
DBG getTunnelRequestTypeJson: System Proxy from pac is null!
DBG DNS: MSG=Request from=100.64.0.1:58308 Family=IPv4 Size=39, Qcount=1
INF DNS: QRY=A(1), Name=app.company.com
INF DNS: Send local A response for ZPN domain: app.company.com → 100.64.1.1
DBG DNS: MSG=Request from=100.64.0.1:58297 Family=IPv4 Size=39, Qcount=1
INF DNS: Domain: app.company.com is never bypass domain.
DBG DNS: ZPN Domain=app.company.com State=zpn valid (257) TTL: 180
INF DNS: Send local empty AAAA/HTTPS response for ZPN domain: app.company.com
INF getTunnelRequestTypeJson: Sending ZPA response for tcp host: app.company.com ip: 100.64.1.1
Additionally, depending on the application, occasionally the initial communication to the application may occur using the FQDN, and within the application the server instructs the client to connect to a server based on an IP address. An example of when this may happen might be an ICA file which references an IP address rather than an FQDN.
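As an added example that is not part of the original post and not Zscaler's own code: a small Python script that automates the two checks the reply describes. It classifies a resolved address as carrier-grade NAT (100.64.0.0/10, the range the client connector hands out for ZPA domains), pulls the synthesized A-record answers out of ZSATunnel DNS log lines in the format quoted above, and scans an ICA file for `Address=` entries that point at a literal IP rather than an FQDN. The ICA fragment and its addresses are constructed for illustration; the `host[:port]` layout of `Address=` values is an assumption. The log-line format comes from the post itself.

```python
"""Checks for the ZPA / CGNAT troubleshooting steps described in the reply above.

Added example, not from the original post or from Zscaler. The log-line format is
taken from the lines quoted in the post; the ICA snippet below is constructed.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List

# Carrier-grade NAT range (RFC 6598); the client connector answers ZPA-domain
# lookups with addresses from this range.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Matches the synthesized A-record line seen in the post's ZSATunnel log.
_ZPN_A = re.compile(
    r"Send local A response for ZPN domain:\s*(?P<host>\S+)\s*(?:→|->)\s*(?P<ip>\S+)"
)
# Matches 'Address=' entries in an ICA file; assumed value layout is 'host[:port]'.
_ICA_ADDR = re.compile(r"^\s*Address\s*=\s*(?P<target>[^\s;]+)", re.IGNORECASE | re.MULTILINE)


def is_cgnat(addr: str) -> bool:
    """True if addr falls in 100.64.0.0/10, i.e. was synthesized by the client connector."""
    try:
        return ipaddress.ip_address(addr) in CGNAT
    except ValueError:
        return False


def check_fqdn(fqdn: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """Resolve fqdn and report whether the answer is a ZPA synthetic (CGNAT) address.

    The resolver is injectable so the check can run offline against a canned answer.
    """
    ip = resolve(fqdn)
    return {"fqdn": fqdn, "ip": ip, "zpa_intercepted": is_cgnat(ip)}


def parse_zcc_dns_log(lines: List[str]) -> Dict[str, str]:
    """Extract host -> synthetic IP pairs from ZSATunnel DNS log lines."""
    answers: Dict[str, str] = {}
    for line in lines:
        m = _ZPN_A.search(line)
        if m:
            answers[m.group("host")] = m.group("ip")
    return answers


def ica_raw_ip_targets(ica_text: str) -> List[str]:
    """Return Address= targets in an ICA file that are literal IPs rather than FQDNs.

    A literal IP never passes through the client connector's DNS interception, so the
    connection is not steered to ZPA unless the IP itself is defined in an app segment.
    """
    raw: List[str] = []
    for m in _ICA_ADDR.finditer(ica_text):
        target = m.group("target")
        # Strip a single ':port' suffix; an IPv6 literal with several colons is left whole.
        host = target.rsplit(":", 1)[0] if target.count(":") == 1 else target
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # FQDN: DNS interception handles it
        raw.append(host)
    return raw


# Log lines quoted from the post above (not constructed).
SAMPLE_LOG = [
    "INF DNS: QRY=A(1), Name=app.company.com",
    "INF DNS: Send local A response for ZPN domain: app.company.com → 100.64.1.1",
    "INF DNS: Send local empty AAAA/HTTPS response for ZPN domain: app.company.com",
]

# Constructed ICA fragment (hypothetical addresses) showing the case the post describes:
# the launch goes to the FQDN, but the session target is a raw IP.
SAMPLE_ICA = """\
[ApplicationServers]
Desktop=

[Desktop]
Address=10.20.30.40:1494
HTTPBrowserAddress=app.company.com:443
"""

if __name__ == "__main__":
    print("synthesized answers:", parse_zcc_dns_log(SAMPLE_LOG))
    print("raw IP targets in ICA:", ica_raw_ip_targets(SAMPLE_ICA))
    print("offline check:", check_fqdn("app.company.com", resolve=lambda _h: "100.64.1.1"))
```

Run it with the default resolver on a machine with the client connector active to see whether the FQDN actually comes back as a 100.64.x.x address; if the ICA scan reports raw IPs, those are the targets that need their own app-segment entry.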