ZTunnel 2.0 DTLS and Vodafone Cable

Hello all,

Just solved one issue which haunted us last week: we had 3 (home office) users having trouble connecting to ZPA and SharePoint Online, sometimes Outlook just disconnected, and there was various unspecific laggy performance when ZCC was in place. No issues with their private PCs. Since we found no salvation in configuring all possible profile settings, we switched back to ZTunnel 1.0, which immediately solved the issue. But as we do not want to use ZTunnel 1.0 anymore, I found no peace ;)

Via some extra work and asking users about their providers, we found that all these users had one thing in common in their home offices: a Vodafone Cable Broadband Internet Access (via coax).

As one of the differences between ZTunnel 1.0 and 2.0 is usage of TCP vs UDP (by default DTLS), we forced these users via fwd-profile settings to use TLS. Although this is a fallback option for DTLS, it seems it never fell back to TLS automatically, maybe because it worked for initialization of ZCC. After the new policy was applied to the clients, everything instantly worked. No issues anymore.

The only caveat seems to be that the users do not get their full bandwidth when ZCC is up and running. At least ip.zscaler.com’s connection quality test results are always reporting around 80/40 Mbit down/up, in spite of the users claiming they have a 1000 Mbit connection. One of the users has a 250 Mbit connection and gets the same results. And yes, they are using different ZENs. And yes, there are obviously no “UDP”-specific configuration switches on the home routers.

Maybe that's a Vodafone Germany specific issue, but in case you also happen to have to support your home office users with their private internet infrastructure, this is possibly something to keep in mind.

BR
Manuel

1 Like

Hi Manuel,
Thanks for sharing. We have seen such issues as well. At times, the same provider in some regions throttles/deprioritizes DTLS packets, while in other regions it works well.

Btw, the best way to test the speed is by using a file download website (with and without Zscaler).
One of the tools which can be used is Azure Speed Test.

You can select a 100 MB file from a region the user is close to, and check what the download speed is without Zscaler, and what the speed is with TLS+ZCC. If there is a considerable difference, then it's something we need to check via a Zscaler Support case.

-Prajith

2 Likes

Hello Prajith,

Thanks for your reply. Do you also know of any issues with Dual-Stack Lite internet connections? These are quite popular here. Are there any recommendations on how to configure zTunnel-2.0 for that kind of connection?

Thanks and BR
Manuel