ZTunnel 2.0, DTLS/TLS, MTU

Hello community,

I hope someone can shed some light on this. We are still (sic!) in the process of switching all our users to ZTunnel 2.0.

We run/ran into multiple issues for our homeoffice users. This ranges from non-Zscaler related internet provider issues to DTLS/TLS issues and MTU/fragmentation issues (and a whole bunch more private network issues ;-)).

In the Zscaler Mobile Portal we read next to MTU in fwd profile-section:
[screenshot: help text next to the MTU field in the forwarding-profile section]

Now, what should we set here when we have X homeoffice-users with - in worst case - Y different internet uplinks and therefore Z different MTU-settings?

  1. We could do a survey and ask users to do some PINGs to evaluate their personal-homeoffice-best-MTU and create and assign kind of “user-based”-profiles. Ehm. No. We won’t do that.
  2. We could in general set a “lowest possible MTU” to avoid fragmentation (lowest value would be 576 for IPv4 and 1280 for IPv6 based connections…) but increasing overhead and maybe causing other performance (?) issues. Maybe 1280 for IPv4 and IPv6 would do it…
  3. We force TLS and ignore advantages of DTLS

To ease things we went initially for 3) and are doing 2) now for some test users.

Would PMTUD for ZCC be a solution?
Any other best practices/solutions/ideas?
Did we miss something?

BR
Manuel
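To make options 1) and 2) and the PMTUD question concrete, here is an added example (my own code, not Zscaler's and not from this thread) that does two things: it finds the largest unfragmented packet size a path carries with a PMTUD-style binary search over a probe function, and it subtracts the outer-header cost of a DTLS-over-UDP or TLS-over-TCP tunnel to estimate how much inner MTU remains. The header sizes are protocol constants; the DTLS/TLS record overhead assumes an AES-GCM style AEAD suite (explicit nonce plus tag), and the optional live probe assumes Linux iputils `ping` with `-M do`. The simulated probe is constructed so the block runs offline.

```python
"""Added example: PMTUD-style probing and tunnel-overhead arithmetic.

Not code from the thread or from Zscaler. Header sizes are protocol
constants; the AEAD overhead and the Linux ping invocation are assumptions.
"""
import shutil
import subprocess
from typing import Callable, Optional

# Fixed header sizes (bytes).
IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
TCP_HDR = 20
ICMP_HDR = 8
DTLS_RECORD_HDR = 13   # DTLS 1.2 record header
TLS_RECORD_HDR = 5     # TLS 1.2 record header
# Assumption: AES-GCM style AEAD -> 8-byte explicit nonce + 16-byte tag.
AEAD_OVERHEAD = 8 + 16


def tunnel_inner_mtu(path_mtu: int, transport: str = "dtls", ipv6: bool = False) -> int:
    """Bytes left for the inner (tunnelled) packet once the outer headers,
    the record header and the AEAD expansion are taken off the path MTU."""
    outer_ip = IPV6_HDR if ipv6 else IPV4_HDR
    if transport == "dtls":
        overhead = outer_ip + UDP_HDR + DTLS_RECORD_HDR + AEAD_OVERHEAD
    elif transport == "tls":
        overhead = outer_ip + TCP_HDR + TLS_RECORD_HDR + AEAD_OVERHEAD
    else:
        raise ValueError(f"unknown transport {transport!r}")
    return path_mtu - overhead


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Largest total packet size in [lo, hi] for which probe(size) succeeds.

    probe(size) must return True when an unfragmentable (DF-bit) packet of
    that total IP size reaches the target. Assumes the path is monotone:
    if size N fails, every size above N fails too. Returns None when even
    the minimum fails (no usable answer in range).
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, search upward
        else:
            hi = mid - 1      # mid too big, search downward
    return lo


def make_simulated_probe(actual_path_mtu: int) -> Callable[[int], bool]:
    """Constructed offline stand-in for a real probe: a link that silently
    drops anything larger than actual_path_mtu (e.g. 1492 behind PPPoE)."""
    return lambda size: size <= actual_path_mtu


def make_ping_probe(host: str) -> Callable[[int], bool]:
    """Live IPv4 probe using Linux iputils ping with DF set (assumption:
    iputils syntax). total size = IPv4 header + ICMP header + payload."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping not found")

    def probe(total_size: int) -> bool:
        payload = total_size - IPV4_HDR - ICMP_HDR
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host],
            capture_output=True,
        )
        return result.returncode == 0

    return probe


def recommend_inner_mtu(path_mtus: list, transport: str = "dtls", margin: int = 0) -> int:
    """Inner MTU that fits the worst measured path in a fleet, minus an
    optional safety margin for encapsulations the probe could not see."""
    return tunnel_inner_mtu(min(path_mtus), transport) - margin


if __name__ == "__main__":
    # Constructed fleet: plain Ethernet, PPPoE, and a 1400-byte mobile uplink.
    measured = [find_path_mtu(make_simulated_probe(m)) for m in (1500, 1492, 1400)]
    print("path MTUs:", measured)
    print("inner MTU (DTLS, worst path):", recommend_inner_mtu(measured, "dtls"))
```

Run with a real target via `find_path_mtu(make_ping_probe("<gateway or test host>"))` from a Linux client; the simulated probes above show that a 1500-byte path leaves 1435 bytes of inner MTU under DTLS, a PPPoE (1492) path 1427, and a 1400-byte path 1335. A fleet-wide value such as the 1370 mentioned later in this thread is therefore comfortable for Ethernet and PPPoE uplinks, and the binary search needs only about ten probes per client to discover a worse path.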

Hi Manuel,

We also had to configure this MTU setting manually for Z-Tunnel 2.0 to successfully roll out across many countries in all regions of the globe for thousands of end users. We have settled on 1370. It has worked well for more than 8 months now.

/Jesper


For the sake of completeness, or in case anyone else runs into similar issues:

Setting the MTU to 1370 as Jesper suggested solved these unspecific and not precisely localizable issues. At least logins to various MS products now work nearly flawlessly; page load and performance in general noticeably improved.

Hi Manuel,

What are your settings for Z-Tunnel 2.0 now?
You are using Z-Tunnel 2.0+TLS with MTU size of 1370, right?

BR
Lutz

Hi Lutz,

right now we use the following settings (a result of uncounted trial-and-error tests, tickets and the community here), which work quite reliably so far:

fwd-profile:

  • Packet filter based driver
  • Tunnel with Tunnel 2.0
  • Primary Transport DTLS
  • DTLS /TLS Timeouts on default
  • MTU 1370
  • Fallback to TLS allowed
  • dedicated fwd.pac-file configured (quite simple one)

app-profile

  • Enabled “Disable Loopback Restriction”
  • Enabled “Override WPAD”
  • dedicated app.pac-file configured (basically a stripped down default profile)

Initially we forced TLS, which somehow eased things, but reducing the MTU to 1370 for all Tunnel 2.0 users obviously made this unnecessary.

BR
Manuel
