I hope someone can shed some light on this. We are still (sic!) in the process of switching all our users to ZTunnel 2.0.
We run/ran into multiple issues for our homeoffice users. This ranges from non-Zscaler related internet provider issues to DTLS/TLS issues and MTU/fragmentation issues (and a whole bunch more private network issues ;-)).
In the Zscaler Mobile Portal we read next to MTU in fwd profile-section:
Now, what should we set here when we have X homeoffice-users with - in worst case - Y different internet uplinks and therefore Z different MTU-settings?
1) We could do a survey and ask users to do some PINGs to evaluate their personal-homeoffice-best-MTU and create and assign kind of “user-based”-profiles. Ehm. No. We won’t do that.
2) We could in general set a “lowest possible MTU” to avoid fragmentation (lowest value would be 576 for IPv4 and 1280 for IPv6 based connections…) but increasing overhead and maybe causing other performance (?) issues. Maybe 1280 for IPv4 and IPv6 would do it…
3) We force TLS and ignore advantages of DTLS
To ease things, we initially went for 3) and are doing 2) now for some test users.
Would PMTUD for ZCC be a solution?
Any other best practices/solutions/ideas?
Did we miss something?