
Zscaler Troubleshooting ZPA and ZIA

Case 1: Website not working


- Check whether the website works at your end on your machine or mobile. Use https://geopeeker.com/ to check whether the website works from different geographic locations.

a. If the website works at your end but not at the customer's end, this would mean Zscaler is the cause of the problem. Check the category of the website before doing any SSL/Auth bypass, since a few categories are already added in Auth/SSL bypass and adding the website explicitly would not make any difference.


b. Take a header trace from the F12 Developer Tools in the browser to look for any redirection. If you see other domains, check the category of those domains and try adding the redirected domain in SSL/Auth bypass.


c. If the website still does not work, check whether it is working from any other customer site. If it is working at another location, then it is probable that the Zscaler public IP of the affected location is blocked at the web server end. In such cases redirect the website to another node in the PAC file, or ask the user to work with the webmaster to unblock the Zscaler IP.


d. If the issue is with all locations/sites, ask the user to install Wireshark on their machine. Collect Wireshark captures and header traces with Zscaler and without Zscaler. Look at the captures, and if you are unable to find anything, raise a case with Zscaler and provide all details. Include the following when raising the case:


1. Output of ip.zscaler.com

2. Web Insights logs for the user and the affected website

3. Wireshark captures and header traces with and without Zscaler


e. If the website is internal to the customer environment, it won't work via Zscaler since there would be no DNS resolution. In such cases the website needs to be bypassed in the PAC file or sent to a Private ZEN in the PAC file.
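
For step b, the Developer Tools Network tab can export the header trace as a HAR file. The following is an added example, not from the original post: it lists every host other than the site's own, marking redirect targets and failed requests, so that each one can be category-checked. The sample HAR and its hostnames are constructed, and treating status 0 as a request that did not complete is an assumption.

```javascript
// Constructed sample: a trimmed HAR export (HAR 1.2 field names) for a site behind a login redirect.
var SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://portal.example.com/" },
    response: { status: 302, redirectURL: "https://login.example-idp.net/auth?next=%2F" } },
  { request: { url: "https://login.example-idp.net/auth?next=%2F" },
    response: { status: 302, redirectURL: "/session" } },
  { request: { url: "https://login.example-idp.net/session" },
    response: { status: 0, redirectURL: "" } },   // assumed: 0 = request did not complete
  { request: { url: "https://cdn.example-static.org/app.js" },
    response: { status: 200, redirectURL: "" } },
  { request: { url: "https://portal.example.com/home" },
    response: { status: 200, redirectURL: "" } }
] } };

// Summarise every host other than the site's own: whether a redirect pointed
// at it, how many requests went to it, and how many of those failed.
function domainsToCheck(har, siteUrl) {
  var siteHost = new URL(siteUrl).hostname;
  var seen = {};
  function note(host) {
    if (!seen[host]) seen[host] = { host: host, redirectTarget: false, requests: 0, failed: 0 };
    return seen[host];
  }
  har.log.entries.forEach(function (e) {
    var rec = note(new URL(e.request.url).hostname);
    rec.requests += 1;
    var status = e.response.status;
    if (status === 0 || status >= 400) rec.failed += 1;
    if (status >= 300 && status < 400 && e.response.redirectURL) {
      // The redirect URL may be relative, so resolve it against the request URL.
      note(new URL(e.response.redirectURL, e.request.url).hostname).redirectTarget = true;
    }
  });
  return Object.keys(seen).sort()
    .filter(function (h) { return h !== siteHost; })
    .map(function (h) { return seen[h]; });
}

console.log(domainsToCheck(SAMPLE_HAR, "https://portal.example.com/"));
```

Comparing the output for a trace taken with Zscaler against one taken without it shows which additional domain fails only behind the proxy.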



Case 2: Issue with Application while using Zscaler APP


- To determine whether Zscaler is the cause, turn off the Zscaler App on the user's machine and check application access. If it is working, then Zscaler is the problem.


a. Ask the user whether they are aware of any URLs bound to the application. If they provide them, check the category of each website before doing any SSL/Auth bypass, since a few categories are already added in Auth/SSL bypass and adding the website explicitly would not make any difference.


b. If the URLs are not known, ask the user to install Wireshark on their machine. Take Wireshark captures with and without Zscaler. Look at the captures for the URL domains. Try adding them in Auth/SSL bypass if those domains are not already added.


Case 3: Website has Source IP restriction


- Some websites are not accessible over the open internet and need IP whitelisting at their end. In such scenarios, if the website is not working at our end, ask the user whether they are aware of any IP restriction at the webmaster's end.


a. If there is an IP restriction, then such websites need to be bypassed in the PAC file and the user needs to get their public IP whitelisted at the web server end, or get Zscaler's public subnet bypassed if bypass of the website is not allowed.


Case 4: Website uses Non-Standard Port


- A few websites, e.g. https://icil-rams.ddns.net:89, work on a non-standard port, i.e. port 89 over HTTPS. The Zscaler App does not support traffic on non-standard ports and will send the traffic direct.


- For the above case, use a forwarding PAC file to redirect traffic to Zscaler directly, and not via the App, by using the syntax below, which is available in all forwarding PAC files.
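
The following is an added example, not the syntax from the original post and not Zscaler's own PAC template: one forwarding PAC function that combines the PAC decisions from Case 1 (c and e), Case 3 and Case 4. Every hostname, domain list and proxy address in it is a constructed placeholder.

```javascript
// Added example: every hostname, domain and proxy address is a constructed placeholder.
var PRIMARY_NODE = "PROXY primary-node.example.net:80";     // nearest Zscaler node
var ALTERNATE_NODE = "PROXY alternate-node.example.net:80"; // another node or private ZEN

var INTERNAL_DOMAINS = ["corp.example"];      // Case 1e: no public DNS resolution
var IP_RESTRICTED = ["partner.example.org"];  // Case 3: site whitelists the customer's own public IP
var NODE_BLOCKED = ["shop.example.com"];      // Case 1c: web server blocks the primary node's IP

// True when host equals a listed domain or is a subdomain of it.
function hostMatches(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    var d = domains[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

// Port from the URL, falling back to the scheme default when none is given.
function portOf(url) {
  var m = /^([a-z][a-z0-9+.-]*):\/\/(?:[^\/@]*@)?(?:\[[^\]]*\]|[^\/:?#]*)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  if (m[2]) return parseInt(m[2], 10);
  return m[1].toLowerCase() === "https" ? 443 : 80;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Case 1e: single-label and internal names cannot be resolved by the cloud proxy.
  if (host.indexOf(".") === -1 || hostMatches(host, INTERNAL_DOMAINS)) return "DIRECT";
  // Case 3: the site must see the customer's whitelisted egress IP.
  if (hostMatches(host, IP_RESTRICTED)) return "DIRECT";
  // Case 1c: try the alternate node first, keep the primary as fallback.
  if (hostMatches(host, NODE_BLOCKED)) return ALTERNATE_NODE + "; " + PRIMARY_NODE;
  // Case 4: non-standard ports (e.g. :89) are proxied too, with no DIRECT fallback.
  var port = portOf(url);
  if (port !== 80 && port !== 443) return PRIMARY_NODE;
  return PRIMARY_NODE + "; " + ALTERNATE_NODE;
}
```

Each DIRECT entry leaves that traffic uninspected, so keep the bypass lists to exact domains and review them when a restriction is lifted.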



Case 5: Slowness issue with Zscaler


Slowness issues can be divided into two parts:


1. Slowness with a particular application/website:


- If slowness is with a particular application/website, first isolate whether the issue is caused by Zscaler or not.

- The easiest way to do this is to turn off the Zscaler App if users are using ZAPP, or to remove the proxy PAC. Traffic on ports 80/443 should be allowed on their network for this to work.

- If the website works fine without any slowness, check whether Zscaler is doing SSL inspection for the category or URL. If yes, bypass SSL inspection and try access again.

- If the above step did not resolve the issue, download the ZMTR tool from https://zmtr.zscaler.com/

- Use the ZMTR tool to trace to the destination web server and find out the latency to the website. In some cases latency through Zscaler will be high because of the geographical distance of the website from the Zscaler node. In such cases, if Zscaler is unable to help, traffic can either be redirected to another Zscaler node/PZEN of the company or be completely bypassed from Zscaler via PAC.


2. Slowness with all internet traffic:


- In some cases the whole site starts facing internet slowness. In such cases the first step is to check the health and the utilisation of the internet circuit. If both are normal, follow the steps below for Zscaler.

- Go to https://trust.zscaler.com and select the domain on which the company is registered, such as Zscaler.net or ZscalerOne.net








- Click on the Cloud Status tab and scroll down to see the status of each cloud node.




In the example above, the Johannesburg node is all green, which would mean the status of this node is good and Zscaler has not reported any incident on it.
- We can also go to the Incidents tab to check whether any incident related to the node is ongoing, as in the example given below for the NYC III datacenter.



In cases like the above, if the node is impacted and Zscaler is investigating the issue, the best possible workaround is to divert the traffic to the nearest secondary datacenter via PAC file, GRE or IPsec tunnel, as per the deployment.

Steps to collect logs to send to Zscaler TAC for slowness investigation:

1. Take a screenshot of ip.zscaler.com
2. On the ip.zscaler.com page, click on Connection Quality and then click on Start Test. Download and save the results.
3. Go to https://zmtr.zscaler.com/, download the ZMTR tool, perform the test as described on the website and save the results.
4. Take Wireshark captures from the machine while browsing a few websites.
5. Zip all outputs/logs and upload them to the Zscaler case.









