Zscaler troubleshooting tools for connectivity and performance/slowness issues

Hello,

Here is a quick list of some Zscaler troubleshooting tools, primarily for ZIA:

  1. The first is the Zscaler Analyzer that everyone can download to test the load time and performance of a web page through the Zscaler cloud.

https://zmtr.zscaler.com/

  1. The second tool is a web tool, the site https://ip.zscaler.com/, where everyone can see which Zscaler gateway they are connected to. Be careful: ip.zscaler.com shouldn’t be excluded from the PAC file (a rule like *.zscaler.com “Direct” can make this happen). It also looks at the XFF header, so this should be enabled under Locations if GRE or IPsec is used and not the Zscaler connector app.

https://ip.zscaler.com/

  1. Another useful web tool is the Zscaler cloud performance tool, which measures whether there is an issue between the user and the ZIA edge. Again, don’t bypass it in the PAC file. The Zscaler Analyzer can be used after this tool to check the connection to the web page itself. For some reason the tool does not open with Mozilla for me, but with Chrome and Edge there is no issue.
  1. Zscaler ZDX is a paid feature that is really good for testing issues with cloud applications like Salesforce etc.
  1. The final web tool is Trust Zscaler, where you can check for known issues in parts of the Zscaler cloud and the ZIA edge gateways.
  1. Another nice web tool is Config Zscaler, just for basic info about future Zscaler data center locations etc.

https://config.zscaler.com/zscaler.net/cenr

  1. The Zscaler Client Connector logs and diagnostics can also be checked, as well as the Zscaler Insights logs from the admin portal for Policy action, SSL Inspected, SSL Policy Reason, Proxy Latency etc. If the Sandbox action is to scan an unknown file and then to let the user download it (not allow an scan first site), this can also cause latency, especially if there is an issue with the sandbox in that region, but the Trust Zscaler site should mention if there is a sandbox issue in the region.

https://help.zscaler.com/zia/documentation-knowledgebase/analytics/dashboards-reports-and-logs/logs

  1. For general ZIA troubleshooting, proxy PAC file troubleshooting, or Client Connector error codes (for Mozilla and Zscaler Client Connector there is a special article, "Configuring Firefox Integration for Zscaler Client Connector | Zscaler"):

https://help.zscaler.com/zia/troubleshooting

  1. For ZPA the logs are even more detailed, for example whether an AD user or AD group is blocked by the Access Policy, PolicyProcessingTime, CAProcessingTime etc. between the private application and the user:
  1. For investigating issues with Zscaler ZPA App Connectors, you can send session commands to the Zscaler connectors from the ZPA admin portal, or, if using ZPA Private Edge, commands such as ping can also be sent to it.
  1. Sometimes tools like Wireshark are still needed, for example when the Dropbox application is blocked by ZIA and you have to bypass all the domains that Google uses for Dropbox sync, while the Zscaler Insights logs do not show all the blocked traffic and even allowing SSL traffic that can’t be decrypted does not help (Solved: Syncing issue with Zscaler - Dropbox Community). Or use F12, Fiddler or HTTPWatch to capture web traffic from the client, for example to investigate SAML issues when the Zscaler connector is not used.

Also check the Zscaler Client Connector release notes for known bugs with your version or with ZPA. For some reason the ZIA release notes do not include known issue information.

The Zscaler TAC can do advanced Zscaler debugs on the Edge gateways if nothing helps.
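
The PAC file caveat from the ip.zscaler.com item above, as an added example that is not part of the original post: a Node.js check showing a blanket `*.zscaler.com` DIRECT rule bypassing ip.zscaler.com, next to a rule order that keeps it proxied. The proxy address, the function names and the `shExpMatch` shim are assumptions made for the example.

```javascript
// Minimal shim for the PAC helper shExpMatch (shell-style * and ? wildcards),
// so the PAC logic below can be evaluated outside a browser.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}

// Constructed placeholder gateway, not a real Zscaler address.
const PROXY = "PROXY proxy.example.invalid:80";

// Weak PAC: the blanket bypass also sends ip.zscaler.com DIRECT,
// so the page no longer sees the request arrive through the cloud.
function weakPac(url, host) {
  if (shExpMatch(host, "*.zscaler.com")) return "DIRECT";
  return PROXY;
}

// Corrected PAC: diagnostic hosts are matched first and always proxied.
const MUST_PROXY = ["ip.zscaler.com"];
function fixedPac(url, host) {
  if (MUST_PROXY.includes(host.toLowerCase())) return PROXY;
  if (shExpMatch(host, "*.zscaler.com")) return "DIRECT";
  return PROXY;
}

// Return the hosts whose first-choice PAC result is DIRECT.
function bypassedHosts(pac, hosts) {
  return hosts.filter((h) => {
    const first = pac("https://" + h + "/", h).split(";")[0].trim();
    return first.toUpperCase() === "DIRECT";
  });
}

console.log("weak PAC bypasses :", bypassedHosts(weakPac, MUST_PROXY));
console.log("fixed PAC bypasses:", bypassedHosts(fixedPac, MUST_PROXY));
```

Add any other diagnostic hostnames you rely on to `MUST_PROXY` and run the same check against your own PAC logic before rolling it out.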
