Zscaler Troubleshooting

This guide will help in troubleshooting Zscaler cases.

Case 1: Website not working :-

-Check whether the website works at your end on your own machine/mobile. Use https://geopeeker.com/ to check whether the website works from different geographic locations.
a. If the website works at your end and not at the customer's end, this would mean Zscaler is the cause of the problem. Check the category of the website before doing any SSL/Auth bypass, since a few categories are already added to the Auth/SSL bypass and adding the website explicitly would not make any difference.

b. Take a header trace from the F12 Developer Tools in the browser to look for any redirection. If you see other domains, check the category of those domains and try adding the redirected domain to the SSL/Auth bypass.

c. If the website still does not work, check whether it is working from any other customer site. If it is working at another location, then it is probable that the Zscaler public IP of the affected location is blocked at the web server end. In such cases, redirect the website to another node in the PAC file, or ask the user to work with the webmaster to unblock the Zscaler IP.

d. If the issue is with all locations/sites, ask the user to get Wireshark installed on their machine. Collect Wireshark captures and a header trace with Zscaler and without Zscaler. Look at the captures, and if you are unable to find anything, raise a case with Zscaler and provide all details. Include the below while raising the case:

1. Output of ip.zscaler.com
2. Web Insights logs for the user and the affected website
3. Wireshark captures and header trace with and without Zscaler

e. If the website is internal to the customer environment, it won't work via Zscaler since there would be no DNS resolution. In such cases the website needs to be bypassed in the PAC file or sent to a Private ZEN in the PAC file.

Case 2: Issue with Application while using Zscaler APP

-To determine whether Zscaler is the cause, turn off the Zscaler App on the user's machine and check application access. If it works, then Zscaler is the problem.

a. Ask the user whether they are aware of any URLs bound to the application. If they provide them, check the category of the website before doing any SSL/Auth bypass, since a few categories are already added to the Auth/SSL bypass and adding the website explicitly would not make any difference.

b. If the URLs are not known, ask the user to get Wireshark installed on their machine. Take a Wireshark capture with and without Zscaler. Look at the captures for the URL domains. Try adding them to the Auth/SSL bypass if their domains are not already added.

Case 3: Website has Source IP restriction

-Some websites are not accessible via the open internet and need IP whitelisting at their end. In such scenarios, if the website is not working at our end, ask the user whether they are aware of any IP restriction at the webmaster's end.

a. If there is an IP restriction, then such websites need to be bypassed in the PAC file and the user needs to get their public IP whitelisted at the web server end, or get Zscaler's public subnet bypassed if bypass of the website is not allowed.
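
The PAC decisions described in Case 1 (c and e) and Case 3, as an added example that is not Zscaler's default PAC file or code from this guide. The proxy addresses and hostnames are constructed placeholders, and the matching is exact-or-subdomain so that one bypass entry does not also exempt look-alike domains from inspection.

```javascript
// Added example. Proxy addresses and hostnames are constructed placeholders,
// not real Zscaler nodes; replace them with your tenant's values.
var PRIMARY_NODE = "PROXY primary-node.example.net:80";
var ALTERNATE_NODE = "PROXY alternate-node.example.net:80";

// Case 1e and Case 3: internal sites and sites that whitelist the company's
// own public IP must not go through the cloud proxy.
var DIRECT_HOSTS = ["intranet.corp.example", "partner-portal.example.org"];
// Case 1c: the web server blocks the primary node's public IP.
var ALTERNATE_NODE_HOSTS = ["vendor-app.example.com"];

// True for a listed name or a subdomain of it. A bare suffix comparison
// would also match "evil-partner-portal.example.org" and send it out
// uninspected, so the match is anchored on a label boundary.
// Written without newer JavaScript helpers because some PAC engines are old.
function hostIn(host, list) {
  host = host.toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < list.length; i++) {
    var tail = "." + list[i];
    if (host === list[i]) return true;
    if (host.length > tail.length &&
        host.substring(host.length - tail.length) === tail) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Assumption: single-label names are internal and have no public DNS.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (hostIn(host, DIRECT_HOSTS)) return "DIRECT";
  if (hostIn(host, ALTERNATE_NODE_HOSTS)) return ALTERNATE_NODE;
  return PRIMARY_NODE; // everything else is inspected at the nearest node
}
```

Every DIRECT entry is traffic that skips Zscaler inspection and logging, so keep the list to exact hosts and review it when the case is closed.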

Case 4: Website uses Non-Standard Port :-

-A few websites, e.g. https://icil-rams.ddns.net:89, work on a non-standard port, i.e. port 89 over HTTPS. The Zscaler App does not support traffic on non-standard ports and will send the traffic direct.

-For the above case, you can use the Forwarding PAC file to redirect traffic to Zscaler directly and not via the App, by using the below syntax, which is available in all Forwarding PAC files.

Case 5: Slowness issue with Zscaler :-

Slowness issues can be divided into two parts :-

1. Slowness with a particular application/website:-

-If the slowness is with a particular application/website, first isolate whether the issue is caused by Zscaler or not.
-The easiest way to do this is by turning off the Zscaler App if users are using ZAPP, or by removing the proxy PAC. Traffic on ports 80/443 should be allowed on their network for this to work.
-If the website works fine without any slowness, check whether Zscaler is doing SSL inspection for the category or URL. If yes, bypass SSL inspection and try access again.
-If the above step did not resolve the issue, download the ZMTR tool from https://zmtr.zscaler.com/
-Use the ZMTR tool to trace to the destination web server to find out the latency to the website. In some cases the latency through Zscaler will be high because of the geographical distance of the website from the Zscaler node. In such cases, if Zscaler is unable to help, traffic can either be redirected to another Zscaler node/PZEN of the company or be completely bypassed from Zscaler via PAC.

2. Slowness with all internet traffic:-

-In some cases the whole site starts facing internet slowness. In such cases the first step is to check the health of the internet circuit and its utilisation. If both are normal, follow the below steps for Zscaler.
-Go to https://trust.zscaler.com and select the domain on which the company is registered, such as Zscaler.net or ZscalerOne.net

-Click on the Cloud Status tab and scroll down to see the status of each cloud node.

-In the example above, the Johannesburg node is all green, which means the status of this node is good and Zscaler has not reported any incident on it.
-We can also go to the Incidents tab to check whether any incident related to the node is ongoing, as in the example given below for the NYC III datacenter.

-In cases like the above, if the node is impacted and Zscaler is investigating the issue, the best possible workaround is to divert the traffic to the nearest secondary datacenter via PAC file, GRE or IPsec tunnel, as per the deployment.

Steps to collect logs to send to Zscaler TAC for slowness investigation:-

1. Take a screenshot of ip.zscaler.com
2. On the ip.zscaler.com page, click on Connection Quality and then click on Start Test. Download and save the results.
3. Go to https://zmtr.zscaler.com/, download the ZMTR tool, perform the test as described on the website and save the results.
4. Take Wireshark captures from the machine while browsing a few websites.
5. Zip all outputs/logs and upload them to the Zscaler case.

26 thoughts on “Zscaler Troubleshooting”

  1. A corporate iPhone device is having “Authentication error” in the service status of Zscaler app. We checked there is only one VPN profile in the device, and everything looks fine from the MDM Console end.
    Do you guys have anything else to check please let me know. Thank you!!!

  2. Where does Zscaler store log files on a “client” side computer? That would be a help to internal IT support in determining what connectivity issues might be present. We commonly see (46k empl) employees calling in to support, stating that they can't connect to their HOME wireless, but can connect to their work wireless when they are onsite; most work remotely. I've used this cmd but it does tell me what the “triggers” might be: netsh wlan show wlanreport, in trying to rule out a Zscaler block or config issue.

    1. It can depend on multiple config issues. If you are using tunnel 2.0 and sending all ports and protocols to Zscaler including RFC 1918, this could block communication to the home wireless. You can try excluding the DHCP ports in the destination exclusions.

  3. Excellent Article.
    I am facing an issue: a user is accessing an Egyptian government website and it is throwing the error ‘The requested URL was rejected. Please consult with your administrator’.
    I have checked Web Insights but all logs are Allowed; URL class is Government, web surfing.
    Anyone faced any similar issue?

    I have asked user to whitelist zen edge gateway ips at remote end

    1. You are on the right path; however, the government agency might not allow the Zscaler IP address. In this case you can use the Source IP Anchoring feature of Zscaler and whitelist your organisation's IP address.

  4. Hello All
    Observing a slowness issue with one of the applications over one of the Zscaler nodes; however, when that application is checked with another Zscaler node we see better performance. What is the cause and how to fix it?

  5. A newly imaged computer has been deployed to a user (can't log in to the machine) and confirmed connected to the home network, but Zscaler is not connected (Off and Refresh is all the user can do).

    Is Zscaler supposed to connect automatically to the server even if the user is not logged in to the machine yet?

    1. If you are using the Zscaler app, and I am assuming you are speaking of machine tunnels, it should get connected, provided your administrator has configured appropriate rules on the Zscaler Portal.

    2. I am having the same issue after upgrading to 3.7.1.54. Newly imaged machines are not connecting to Zscaler to register and thus download the policy. I have a ticket in with them. I am able to show traceroute and Wireshark traffic to Zscaler. We split tunnel via ASA and traffic is not going that route, so it's nothing on the internal network.

  6. *All* I need to know? Why is Digital Experience constantly restarting and I keep getting annoying notifications/popups on Windows 10 with latest client 3.7.1.44? Can’t clear ZDX cache or disable the darn thing. This even happened on my 3.5x client and has apparently followed me to 3.7. Melp!

    1. I am afraid I do not know the answer to this yet. However, I notice that 3.7.1.44 is not the official GA version on the Zscaler portal. Where did you get it from and what is the feedback from Zscaler?

    2. Hello! Had a similar issue. In my case, Wireshark was the culprit. Uninstalled it and the issue with ZDX went away. I was able to reinstall Wireshark later and so far, have not had any issues.

  7. Really appreciate the work on this, it's very useful.

    My question: how do the LWF and adapter work when we have Zscaler installed? Any document on that?

    ZCC listens on port 9000. What if any other application is using the same port, will it conflict and how can we fix the issue?

      1. If you have an application that listens on the same port as ZCC then you would have difficulty in connecting to the application. This is simply because if the ZCC is started earlier it will use the port.

        The default port on ZCC can be changed from 9000 to any other port which is not active in your environment. The settings are in the mobile portal and you would need to make sure that the users log out and log back in to use the new port.

  8. I’m not able to see website error like 503, 302, 403 and others in the Wireshark.

    Could you please help me on it.

    1. Noman, you could use the below Wireshark queries to start with.

      http.request.method == "CONNECT"

      http.response.code

      tcp.flags.reset

      tcp contains ""

      ip.addr==x.x.x.x && ip.addr==x.x.x.x

      tcp contains

      tcp.analysis.retransmission (to find slowness)

      ssl.handshake.extensions_server_name

      frame contains " "

    1. Hey Krishna, I will add those articles shortly. Meanwhile you can browse to help.zscaler.com as a start, as it has articles explaining these concepts.

  9. Hello!

    Let me add one:
    When you get a non-working website, absolutely no traces in the FW or Proxy logs and error message:
    “Hmm… Your internet access is blocked. Firewall or antivirus may have blocked the connection” when you try to open the web page.

    Then it is the goddamn Windows firewall.
    Ping, check system32\LogFiles\Firewall\pfirewall.log, Ctrl+F for the IP

    1. Yes Erkki. Thanks for the feedback. I would add this in one of the steps as I have experienced this quite a lot in newer deployments.

  10. Fantastic beat ! I would like to apprentice while you amend your website, how could
    i subscribe for a blog website? The account aided me a acceptable deal.
    I had been a little bit acquainted of this your broadcast offered bright clear
    concept
