Zscaler Across Site to Site VPN

Good morning,
I thought I read about this somewhere but cant find it. We are utilizing Zapp and ZPA to allow users to access internal Resources. Some of our resources are in other datacenters, and this traffic goes across a site to site vpn. We are short on connectors atm , otherwise we would simply place a connector in the datacenter.
Resources in this remote datacenter will disconnect or cause a reconnect frequently across zscaler. We are trying to figure out a way to stop this. Has anyone ran into this?

Once again the flow is like this : User on laptop with ZPA > ZEN > Connector in Datacenter 1 > Across VPN to Datacenter 2 > Resource > Usually RDP or other protocols where you notice a reconnect.

Hi @Odysseus, a few questions:

  • Is there anything on the S2S VPN circuit that’s Stateful?
  • What are the SA lifetimes, can the underlying apps tolerate a SA reset?
  • Can this be repeated for a specific app, consistently? If so, it would be handy to have a PCAP on the connecter and/or the destination App (Support can help debit)

Generally, ZPA itself if very fault tolerant when it comes to connection handling, so my initial suspicion is it’s something in the path between the connecter and the app that’s causing a reset. Of course, evidence will help :slight_smile:

I think you’ve already identified the ideal solution, that’s to put connectors in the DC alongside the apps and drop the S2S VPN from the data path. Hopefully you get the space freed up to permit such a topology.