ZPA - Licenser Server Traffic issue


(Venkat) #1

Hi,

We have a one-of-a-kind issue while accessing a licensing application through ZPA from Zscaler App. This licensing application resides on a Windows server in our datacenter and uses ports 27000 and 27001 as the server and daemon listening ports. This application works fine on our corporate network and other VPN services (Crosslink/AnyConnect); the only issue is when we are using Zscaler App. Strangely, in the ZPA admin portal diagnostics it shows the communication tunnel is being established but no in and out bytes (it just shows 0 KB) are being transferred. We have tried the following troubleshooting steps but none resolved the issue. The firewall on our network allows complete access.

  1. We have changed the listening ports to 1700 & 1701; the behavior is the same, no data transfer
  2. We have disabled windows firewall on server end and client PC
  3. We have changed MTU size on laptop to 1300
  4. We have created FLEX_LM variable to allow the timeout value of license server to 100sec
  5. We have bypassed ZIA
  6. We have allowed all TCP ports (1-65535) for this application segment
  7. We have allowed the IP address and domain name under the app segment
  8. We have allowed all our existing connectors under one group for this app segment

License App name: Petrel Studio
Listening ports: 27000 & 27001

We have been troubleshooting the issue with Zscaler support for the past month and tried all the above ways with no resolution. Seeking some help here or thoughts.

Thanks guys


(Kunal) #2

Hey Venkat,

Thanks for reaching out. Sorry for the trouble you are experiencing with ZPA. I understand it can be frustrating when troubleshooting an issue with limited success. In reviewing the Support case and the associated information, it seems we need additional information specific to the functioning of Petrel Studio to troubleshoot the issue further. I am reviewing the issue with the relevant internal teams and will send you an email with next steps.

Kunal Shah,
Product Manager


(Venkat) #3

Kunal,

I am still trying to get significant updates on our case. The process of scheduling the time with end users, extracting logs, uploading them to the case, the support team sending it to engineering and engineering getting back with updates/additional logs is consuming a lot of time. It's been over a month now with this case; I have been sending different log files but I didn't get the exact root cause or fix for the issue. And pressure is mounting up internally, with the application communicating over the corporate network and other VPN alternatives but not on Zscaler. Is there anything else that we can do to receive a faster response/resolution, as this issue is already heated up?


(Todd) #4

Venkata,

Perhaps support could help with a tcpdump from the connector? It would certainly show you any issues, or server-to-client traffic that may be breaking. I would highly recommend also taking a simultaneous Wireshark capture on the client, which could show you things that may need to be defined. The problem could be anywhere in the packet flow, from DNS, an undefined domain, or an IP query instead of an FQDN.

Regards,

-Todd Harcourt-


(Kunal) #5

Hey Venkat,

Thanks for sharing the FlexLM documentation with Zscaler support. This is the crucial piece of information that has helped to narrow down the issue. Based on our analysis, the Petrel-Studio App Segment is configured to only allow TCP/UDP ports 1521/27000/27001/27002, and does not allow port **59489**. According to the FlexLM document, the license server needs to explicitly specify the port for the vendor daemon, otherwise it is automatically selected by FlexLM at run time! From the provided packet captures, we see that the FlexLM server is returning the vendor port back as hex 0xe861 == decimal 59489. Since this port is not present in the Petrel-Studio App Segment configuration, the client is not able to communicate on this port. Also, it is possible that if the Flex server was restarted, it may return a vendor port other than 59489.

Recommended Actions:

  1. Please update the FlexLM Vendor config to use a fixed port number (preferable)
  2. Alternatively, you can use a wildcard and allow all port numbers in the Petrel-Studio App Segment.

Zscaler Support has updated your case in Zendesk with additional details and instructions. Please review and let us know via Zendesk, once you are able to update the configuration and verify the results.

Kunal Shah
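
The root cause described in this post (an unpinned vendor daemon port that the segment does not allow) can be checked mechanically. The script below is an added example and is not code from the thread, from Zscaler or from FlexLM; the license file contents, the vendor daemon name `vendord`, the hostid and the app-segment port list are constructed for illustration. It assumes the standard FlexLM license-file syntax, where the `SERVER` line carries the lmgrd port as its last field and a `VENDOR`/`DAEMON` line may carry an optional `port=NNNN` field.

```python
"""Check a FlexLM license file against a ZPA app-segment port list.

Added example (constructed). It parses the SERVER and VENDOR/DAEMON lines,
works out which port the client will be told to use for the vendor daemon
(pinned in the license file, or whatever lmgrd returned in the handshake),
and reports any port the app segment would block.
"""
import re

# Constructed license files. 'vendord' and the hostid are placeholders.
LICENSE_FILE_UNPINNED = """\
SERVER lic-server01 001122334455 27000
VENDOR vendord
USE_SERVER
"""

LICENSE_FILE_PINNED = """\
SERVER lic-server01 001122334455 27000
VENDOR vendord port=27001
USE_SERVER
"""

# Ports allowed in the app segment, mirroring the list in the post above.
APP_SEGMENT_PORTS = {1521, 27000, 27001, 27002}

# Vendor port observed in the packet capture, as a hex string (0xe861).
OBSERVED_VENDOR_PORT_HEX = "e861"


def parse_license_ports(text):
    """Return (server_port, vendor_port) from a FlexLM license file.

    vendor_port is None when the VENDOR/DAEMON line does not pin a port,
    which is exactly the condition that lets lmgrd pick one at run time.
    """
    server_port = None
    vendor_port = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].upper()
        if keyword == "SERVER" and len(fields) >= 4:
            server_port = int(fields[3])
        elif keyword in ("VENDOR", "DAEMON"):
            # Optional fields after the daemon name: path, options=..., port=...
            # A bare number or 'port=NNNN' (case-insensitive) pins the port.
            for field in fields[2:]:
                match = re.match(r"(?i)^(?:port=)?(\d+)$", field)
                if match:
                    vendor_port = int(match.group(1))
                    break
    return server_port, vendor_port


def negotiated_vendor_port(pinned_port, observed_hex):
    """Port the client will connect to for the vendor daemon.

    If the license file pins a port, that is what lmgrd advertises;
    otherwise the client uses the run-time port seen in the handshake.
    """
    if pinned_port is not None:
        return pinned_port
    return int(observed_hex, 16)


def ports_blocked_by_segment(license_text, observed_hex, allowed=APP_SEGMENT_PORTS):
    """Return the set of ports the client needs that the segment does not allow."""
    server_port, vendor_port = parse_license_ports(license_text)
    needed = {server_port, negotiated_vendor_port(vendor_port, observed_hex)}
    return needed - set(allowed)


if __name__ == "__main__":
    for label, text in (("unpinned", LICENSE_FILE_UNPINNED),
                        ("pinned", LICENSE_FILE_PINNED)):
        blocked = ports_blocked_by_segment(text, OBSERVED_VENDOR_PORT_HEX)
        print(f"{label:9s} vendor port -> blocked by segment: {sorted(blocked) or 'none'}")
```

Running it shows the unpinned file leaves the client needing port 59489, which the segment does not allow, while the pinned file keeps every required port inside the segment's list. The same check can be rerun after a license-server restart to confirm the advertised port did not change.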


(Venkat) #6

Hi Kunal,

FlexLM already has defined ports for the server and vendor daemon.
Server port - 27000
Vendor daemon - 27001

And we have already allowed a wildcard by including all ports (1-65535) and tested the application as well earlier with a negative result.

And we changed back to the selected ports after this action item.


(Kunal) #7

Hi Venkata,

What was the result after you made the change on the FlexLM server to explicitly specify the Port for Vendor? Did this configuration change in FlexLM allow access to the server over ZPA? Can you share details of the testing?

Kunal


(Venkat) #8

Kunal,

We have made the suggested changes in the license config file by fixing the vendor daemon port to 27001 and the test was successful. Users have tested from multiple public networks and they can access licenses over the Zscaler network. This is a breakthrough for us.

Thank you very much for the support!!!


(Venkat) #9

Also,

I would like to take the time to appreciate the efforts of the engineers involved with us throughout the issue. They were really helpful.


(Kunal) #10

Venkata, glad to hear that your testing was successful! I appreciate your patience and willingness to work through the issue with Zscaler. Please do not hesitate to send me a note if you have additional questions.

Good luck!

Kunal Shah

Product Manager