Zscaler Deployment and Troubleshooting
i Troubleshooting Guide
ZIA/ZPA: Authentication 1
Zscaler Client Connector Authentication - Troubleshoot Client Connector Authentication Error 1
Scenario/ Expected Result: User is prompted to Authenticate. 1
Problem: Authentication error is returned. Restarting the service and trying to reauthenticate fails. 1
Check Client Connector Authentication Error Log Entry 1
ZIA/ZPA: Authentication 2
Zscaler Client Connector Authentication - Troubleshoot User Credential Inconsistency Error (42000) 2
Scenario/ Expected Result: User fills in valid authentication credentials and expects to be enrolled into Zscaler. 2
Problem: [42000] error message is displayed: Inconsistency in user credentials is detected. 2
Diagnose Credential Usage Change 2
Test Client Connector Re-enroll 2
ZIA: Authentication 3
Zscaler Client Connector Authentication - Troubleshoot Authentication Internal Error 3
Scenario/ Expected Result: User attempts to authenticate with Client Connector using valid credentials. 3
Problem: Authentication fails and displays a message saying "An internal error occurred". 3
Diagnose Incorrect User Auth Domain Issue 3
Prepare Zscaler Tenant Auth Domain Provisioning Request 3
ZIA: Authentication 4
Zscaler Client Connector Authentication - Troubleshoot Authentication Server Connection Error 4
Scenario/ Expected Result: User fills in valid authentication credentials and expects to be enrolled into Zscaler. 4
Problem: Secure Connection Failed message is displayed 4
Adjust Auth Server URL SSL Exemption 4
Verify Authentication Server Exemptions 5
Adjust Auth Server URL PAC File Direct Entry 5
ZIA: Authentication 6
Zscaler Client Connector Authentication - Troubleshoot No Authentication Policy Enforcement Error 6
Scenario/ Expected Result: User browses to a website from a location where Enforce Authentication is enabled. Logs should show them as the user on the transaction. 6
Problem: Authentication is not being enforced. Transaction logs show a generic looking username for an unauthenticated user. 6
Check SSL Inspection For Authentication Required Destination 6
Check IP Surrogate Setting 6
ZIA: Traffic Forwarding 14
Troubleshoot Internet Traffic Forwarding - Troubleshoot ZIA Network Infrastructure Issues 15
Scenario/ Expected Result: Traffic is being forwarded to a Zscaler Public Service Edge 15
Problem: Traffic is blocked by an intermediate device or some other failure. 15
Troubleshoot ZIA Network Outage 15
Troubleshoot Zscaler Public Service Edge Issue 15
ZIA: Policy 15
Troubleshoot Internet Application Access - Check Inspection Policy Bypass/ Failure 16
Scenario/ Expected Result: Access to a specific URL is expected to be controlled by a policy that defines what the user may or may not access. 16
Problem: A user is either allowed to access a website they should not be able to access, or they are restricted from accessing a site they should be able to access. 16
Check CDN URLs in HTTP Header Trace 16
Check SSL Inspection Bypass 16
Check URL Inspection Bypass 16
Check Cloud App Inspection Bypass 17
Check SSL Bypass List 17
Check SSL Wildcard Domains Bypass 17
Check Inspection Bypass List 17
ZIA: Policy 17
Troubleshoot Internet Application Access - Troubleshoot Website Loading Issue 18
Scenario/ Expected Result: User should be able to connect to a website according to the policies in place. 18
Problem: Website is unreachable through Zscaler. 18
Check Network Access Control List (ACL) Blocks 18
Check Destination Webmaster Denylist 18
Analyze Internet Access Issue HTTP Headers File Capture 19
Analyze Internet Access Issue Packet Capture 19
ZPA: Authentication 19
Zscaler Client Connector Authentication - Check ZPA Authentication 20
Scenario/ Expected Result: SAML attributes for enrolled users are received in ZPA and available as criteria of use in policies. 20
Problem: SAML attributes are not received or have incorrect details. 20
Check ZPA Enablement on Mobile Portal 20
Verify User SAML Setup 20
ZPA: Policy 22
Troubleshoot Private Application Access - Diagnose Private Application Access Error 23
Scenario/ Expected Result: User is granted access to a private application. 23
Problem: User is unable to access the application, and ZPA diagnostics indicate that a policy is not configured. 23
Diagnose SE: Policy Not Configured For Access Error 23
ZPA: Policy 23
Troubleshoot Private Application Access - Check Private Application Reachability 24
Scenario/ Expected Result: User is granted access to a private application. 24
Problem: Unable to access application and ZPA diagnostic logs show error “SE: Policy not configured for access” 24
Verify Application Domain Seen By Client Connector is ZPA Domain 24
Check App Segment Configuration 24
ZIA/ZPA: Authentication
Zscaler Client Connector Authentication - Troubleshoot Client Connector Authentication Error
Scenario/ Expected Result: User is prompted to Authenticate.
Problem: Authentication error is returned. Restarting the service and trying to reauthenticate fails.
Tips for avoiding this issue: Educate users that this error can occur when something changes the device fingerprint, and that the check is part of the security design. Logging out and re-enrolling re-validates the changed device fingerprint that prompted the error.
ZIA/ZPA: Authentication
Zscaler Client Connector Authentication - Troubleshoot User Credential Inconsistency Error (42000)
Scenario/ Expected Result: User fills in valid authentication credentials and expects to be enrolled into Zscaler.
Tips for avoiding this issue: Ensure that all of the needed user domains are provisioned on the Zscaler tenant.
Troubleshooting Activity: Test Client Connector Re-enroll
Tools: User logs out with the Log Out button on the Client Connector.
Analysis/Cause: Since authentication is a sequence of multiple steps, be sure to start from a fully logged-out device when troubleshooting. Carefully check the credentials entered at each step of the enrollment to make sure they are for an authorized user on a valid domain.
ZIA: Authentication
Zscaler Client Connector Authentication - Troubleshoot Authentication Internal Error
Scenario/ Expected Result: User attempts to authenticate with Client Connector using valid credentials.
Problem: Authentication fails and displays a message saying "An internal error occurred".
Tips for avoiding this issue: Verify that the domains provisioned on the ZIA tenant cover all of the domains of the credentials that the users have been instructed to use to enroll into Zscaler services.
Columns used in the tables below: Troubleshooting Activity/Symptom; Tools; Sample Output; Analysis/Cause.

Troubleshooting Activity: Diagnose Incorrect User Auth Domain Issue
Tools: Check the provisioned domain on the ZIA tenant: https://admin.<cloud_name>.net/#administration/company-profile
Analysis/Cause: Some possible scenarios:
● some users in the organization may be on a different domain that has not yet been provisioned; or
● this user is confused about which credentials to use.

Troubleshooting Activity: Prepare Zscaler Tenant Auth Domain Provisioning Request
Tools: Zscaler Help - Submit a ticket: https://help.zscaler.com/submit-ticket (Case Type: Provisioning)
Analysis/Cause: Opening a Provisioning support case with the Zscaler Global Support team is the most direct method to get a needed domain provisioned.
ZIA: Authentication
Zscaler Client Connector Authentication - Troubleshoot Authentication Server Connection Error
Scenario/ Expected Result: User fills in valid authentication credentials and expects to be enrolled into Zscaler.
Tips for avoiding this issue: Ensure that all authentication traffic goes direct to the Identity Provider destination URL. This should not be an issue for users who are off the trusted network and will have traffic forwarded with the Client Connector, but check for any other forwarding that may send the authentication traffic to Zscaler (e.g. PAC file or GRE/IPSec tunnel) instead of directly to the IdP. Make sure that the authentication traffic is not being intercepted for inspection by Zscaler.
Troubleshooting Activity: Verify Authentication Server Exemptions
Tools: https://admin.zscloud.net/#administration/advanced-network-settings
Analysis/Cause: Authentication traffic exemptions are needed to prevent authentication loops. In this example, with no exempted URL Categories, URLs, or Applications, it is very likely that authentication will be interfered with and fail.

Troubleshooting Activity: Adjust Auth Server URL PAC File Direct Entry
Tools: https://admin.<cloud>.net/#administration/hosted-pac
Analysis/Cause: In this example Okta is being used as the IdP. Rules in the PAC file are directing all web traffic to Zscaler, so this bypass is needed for the Okta IdP hosts.
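The PAC bypass described in the row above, as an added example that is not Zscaler's hosted PAC and not code from this guide: a FindProxyForURL that returns DIRECT for the IdP hosts before the catch-all proxy rule. The IdP domains, the gateway host names, and the dnsDomainIs/isPlainHostName shims (the real ones are supplied by the PAC runtime) are assumptions for this illustration; port 9400 and the private-IP exclusion follow the PAC fragments shown elsewhere in this guide.

```javascript
// Added example (not Zscaler's hosted PAC): send the IdP's authentication
// traffic DIRECT before the catch-all proxy rule so enrollment is not looped
// back through Zscaler. Host names below are placeholders (assumptions).

// PAC runtimes (browsers, Client Connector) provide these helpers natively;
// the shims exist only so this file can be executed under Node.js.
function dnsDomainIs(host, domain) {
  return host === domain.replace(/^\./, "") || host.endsWith(domain);
}
function isPlainHostName(host) {
  return !host.includes(".");
}

// Assumption: Okta tenant domains. Replace with the customer's real IdP hosts
// taken from the IdP's documentation.
const IDP_DIRECT_DOMAINS = [".okta.com", ".oktapreview.com", ".oktacdn.com"];

// Zscaler substitutes ${GATEWAY} / ${SECONDARY_GATEWAY} in its hosted PAC;
// plain strings are used here so the function runs stand-alone.
const GATEWAY = "gateway.example-cloud.net";
const SECONDARY_GATEWAY = "secondary.example-cloud.net";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Plain names and private / link-local destinations stay off the proxy.
  const privateIP = /^(0|10|127|192\.168|172\.1[6-9]|172\.2[0-9]|172\.3[0-1]|169\.254)\./;
  if (isPlainHostName(host) || privateIP.test(host)) return "DIRECT";

  // IdP bypass. This must sit above the catch-all so it is evaluated first.
  for (const domain of IDP_DIRECT_DOMAINS) {
    if (dnsDomainIs(host, domain)) return "DIRECT";
  }

  // Everything else: primary service edge, then secondary, then DIRECT.
  return `PROXY ${GATEWAY}:9400; PROXY ${SECONDARY_GATEWAY}:9400; DIRECT`;
}
```

Order matters: if the IdP rule were placed after the PROXY return it would never be reached, which is exactly the loop the exemption is meant to prevent.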
ZIA: Authentication
Zscaler Client Connector Authentication - Troubleshoot No Authentication Policy Enforcement Error
Scenario/ Expected Result: User browses to a website from a location where Enforce Authentication is enabled. Logs should show them as the user on the transaction.
Problem: Authentication is not being enforced. Transaction logs show a generic looking username for an unauthenticated user.
Tips for avoiding this issue: Ensure that ZIA is configured to require authentication for all traffic. Get all users to use Client Connector (users must authenticate before forwarding traffic). Also ensure that an SSL inspection policy is in place that covers the URL.
ZIA: Traffic Forwarding
Zscaler Client Connector Traffic Forwarding - Troubleshoot Client Connector Endpoint Firewall/ Antivirus Error
Scenario/ Expected Result: Service Status ON in Zscaler Client Connector Connectivity
Zscaler sends TCP and UDP probes from the default NIC to IP addresses 100.64.0.6 and 100.64.0.8 on port 80 to check for firewall (FW) or antivirus (AV) blocks. If a probe fails, Client Connector concludes that a FW/AV application on the host machine is interrupting it and reports an Endpoint FW/AV error in Client Connector.
ZIA: Traffic Forwarding
Zscaler Client Connector Traffic Forwarding - Diagnose Client Connector Connection Failure
Scenario/ Expected Result: Zscaler Client Connector processes permitted to run on the user's device.
Problem: Endpoint protection solutions or other permission controls prevent Zscaler Client Connector from running.
ZIA: Traffic Forwarding
Zscaler Client Connector Traffic Forwarding - Troubleshoot Client Connector Captive Portal Detection Issue
Scenario/ Expected Result: User connects their device to a new network and enrolls the device into Zscaler.
Problem: Device is connected to a network where users are redirected to a captive portal to manage their connection. Client Connector Connectivity Status displays a Captive Portal Detected error. They may be on a public Wi-Fi point, or
Tips for avoiding this issue: Rollout plans should include steps for user awareness of captive portals on public Wi-Fi and the need to get connected before enrolling Client Connector into ZIA.
Troubleshooting Activity: Check Captive Portal HTTP Response Code
Tools: Search for the keyword "detectCaptive" in the ZSATunnel log files.
Sample Output:
DBG ZCPM detectCaptive: Response Status 204 Length: 0
DBG ZCPM detectCaptive: Captive not detected.
INF ZCPM Captive portal not detected.
Analysis/Cause: Client Connector reaches out to http://gateway.zscloud.net/generate_204 and expects an HTTP response status of 204. A response status of 302 indicates that a captive portal connection was detected instead.

Troubleshooting Activity: Check reachability of Captive Portal Detection URL
Tools: curl http://gateway.<zscloud>.net/generate_204 (in Windows PowerShell, curl is an alias for Invoke-WebRequest, which is why the output below is shown as object properties)
Sample Output:
PS C:\WINDOWS\system32> curl http://gateway.zscalertwo.net/generate_204

StatusCode : 204
StatusDescription : No Content
Content : {}
RawContent : HTTP/1.1 204 No Content
Connection: close
Content-Length: 0
Date: Mon Feb 14 21:33:37 2022 GMT
Analysis/Cause: A 204 response status code indicates that the captive portal detection URL is reachable.

Troubleshooting Activity: Check reachability to download default PAC file
Tools: curl http://pac.<zscloud>.net/proxy.pac
Sample Output:
PS C:\WINDOWS\system32> curl http://pac.zscalertwo.net/proxy.pac

StatusCode : 200
StatusDescription : OK
Content : {10, 9, 102, 117...}
RawContent : HTTP/1.1 200 OK
Connection: close
Content-Type: application/x-ns-proxy-autoconfig
function FindProxyForURL(url, host) {
var privateIP =
/^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3...
Headers : {[Connection, close], [Content-Type,
application/x-ns-proxy-autoconfig]}
RawContentLength : 2611
Analysis/Cause: A 200 response status code indicates that the default PAC file download URL is reachable.
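To show the classification the captive portal row above describes in working form, here is an added example (not Client Connector code and not from this guide) that turns a probe response into a verdict: 204 with an empty body means no captive portal, a 3xx means one intercepted the probe. The response samples are constructed, the portal URL is a placeholder, and the live probe helper assumes Node 18 or later for the global fetch.

```javascript
// Added example (not Zscaler code): classify a captive-portal probe the way
// the guide describes Client Connector doing it. A probe of
// http://gateway.<cloud>.net/generate_204 should return 204 with an empty
// body; a redirect means a captive portal answered instead.

// Pure classifier so it can be run on captured responses offline.
function classifyCaptiveProbe({ status, bodyLength, location }) {
  if (status === 204 && bodyLength === 0) return "not_detected";
  if (status >= 300 && status < 400) {
    // The redirect target is worth logging: it is the portal's login page.
    return location ? `captive_portal:${location}` : "captive_portal";
  }
  // A 200 with content usually means the portal answered in-line instead of
  // redirecting; anything else is an unexpected path (filtering, outage).
  return status === 200 ? "captive_portal_inline" : `unexpected:${status}`;
}

// Live probe for Node 18+ (global fetch). redirect:"manual" is essential:
// following the 302 would land on the portal page with a 200 and hide the signal.
async function probeCaptivePortal(url) {
  const res = await fetch(url, { redirect: "manual" });
  const body = await res.arrayBuffer();
  return classifyCaptiveProbe({
    status: res.status,
    bodyLength: body.byteLength,
    location: res.headers.get("location") || undefined,
  });
}

// Constructed sample responses (not captured from a real network).
const PROBE_SAMPLES = {
  clean: { status: 204, bodyLength: 0 },
  hotelWifi: { status: 302, bodyLength: 0, location: "http://portal.example.net/login" },
  inline: { status: 200, bodyLength: 1843 },
};

function captiveDemo() {
  return Object.fromEntries(
    Object.entries(PROBE_SAMPLES).map(([name, r]) => [name, classifyCaptiveProbe(r)])
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(captiveDemo());
  // Uncomment to probe for real; the cloud name is a placeholder.
  // probeCaptivePortal("http://gateway.<cloud>.net/generate_204").then(console.log);
}
```

When reproducing the check with a browser or a tool that follows redirects by default, the 302 is hidden behind the portal's 200 page; the raw status from the first hop is the signal to look for.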
ZIA: Traffic Forwarding
Zscaler Client Connector Traffic Forwarding - Troubleshoot Client Connector Network Error
Scenario/ Expected Result: User authenticates and device is enrolled in Zscaler.
Problem: Zscaler Client Connector is unable to connect to the Zscaler cloud. Connectivity issues between the user's device and the Zscaler mobile server mobile.<cloudname>.net.
Troubleshooting Activity: Check outbound connectivity to mobile.<cloudname>.net:443
Tools: Test-NetConnection -ComputerName mobile.<cloudname>.net -Port 443 (PowerShell)
Sample Output:
PS C:\> Test-NetConnection -ComputerName mobile.zscalertwo.net -Port 443

ComputerName : mobile.zscalertwo.net
RemoteAddress : 104.129.202.233
RemotePort : 443
InterfaceAlias : Ethernet0
SourceAddress : 192.168.15.180
TcpTestSucceeded : True
Analysis/Cause: Run from the user's device, this example shows that the needed access to the Zscaler cloud (Zscalertwo in this case) is available on port 443.

Troubleshooting Activity: Check Host Name Resolution for mobile.<cloudname>.net
Tools: nslookup mobile.<cloudname>.net (Command Prompt or PowerShell)
Sample Output:
PS C:\WINDOWS\system32> nslookup mobile.zscalertwo.net
…
Non-authoritative answer:
Name: mobile.zscalertwo.net
Addresses: 104.129.202.233
104.129.202.231
Analysis/Cause: Run from the user's device, this example shows that the mobile server host name is being properly resolved.

Troubleshooting Activity: Diagnose Host Not Found DNS Failure
Tools: Examine log file C:\ProgramData\Zscaler\ZSATray_<date>.log for ERROR entries.
Sample Log Entry: Retry failed.
#NORMAL #ERROR : Error checking updates: {"error":-8,"errorMessage":"Host not found. mobile.zscalertwo.net","response":"","success":"false"}
Analysis/Cause: Log file shows DNS resolution of mobile.<cloudname>.net is failing.

Troubleshooting Activity: Diagnose Connection Reset by Peer Failure
Tools: Examine log file C:\ProgramData\Zscaler\ZSATray_<date>.log for ERROR entries.
Sample Log Entry: Retry failed.
#NORMAL #ERROR : Error checking updates: {"error":-8,"errorMessage":"Connection reset by peer.","response":"1.4.3.1","success":"false"}
Analysis/Cause: Log file shows that connectivity between the user's device and the Mobile Server has been intercepted.

Troubleshooting Activity: Check connectivity to Zscaler cloud
Tools: Find service discovery and login hosts for each cloud at: https://config.zscaler.com/zscaler.net/zscaler-app
Analysis/Cause: Cloud selected in this example is zscalertwo.net. Hosts that must be reachable are:
mobile.zscalertwo.net
login.zscalertwo.net

Troubleshooting Activity: Diagnose No Route To Host Failure
Tools: Examine log file C:\ProgramData\Zscaler\ZSATray_<date>.log for ERROR entries.
Sample Log Entry: Retry failed.
#NORMAL #ERROR : Error checking updates: {"error":-8,"errorMessage":"Net Exception. No route to host","response":"","success":"false"}
Analysis/Cause: Log file shows Zscaler couldn't find a route to mobile.<cloudname>.net in the routing table.

Troubleshooting Activity: Diagnose Network is Unreachable Failure
Tools: Examine log file C:\ProgramData\Zscaler\ZSATray_<date>.log for ERROR entries.
Sample Log Entry: Retry failed.
#NORMAL #INFO : Keep Alive Response: {"error":-8,"errorMessage":"Net Exception. Network is unreachable","success":"false"}
Analysis/Cause: Log file shows that Zscaler Client Connector is unable to reach mobile.<cloudname>.net.

Troubleshooting Activity: Diagnose Certificate Validation Error
Tools: Examine log file C:\ProgramData\Zscaler\ZSATray_<date>.log for ERROR entries.
Sample Log Entry:
#NORMAL #INFO : Keep Alive Response: {"error":-8,"errorMessage":"Net Exception. Network is unreachable","success":"false"}
Analysis/Cause: Traffic to mobile.<cloudname>.net should not be intercepted. This error may be caused by an intermediate device performing SSL decryption.
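An added example, not Zscaler code and not from this guide, that applies the diagnoses in the table above to ZSATray log lines automatically: it extracts the JSON payload from each line and maps the errorMessage to a cause, so a support engineer can summarise a whole log instead of searching it by hand. The log lines below are constructed to follow the formats shown in the table; the timestamps are placeholders.

```javascript
// Added example (not Zscaler code): map ZSATray errorMessage values to the
// causes described in this section. Sample lines are constructed.

const CAUSES = [
  { test: /host not found/i,           cause: "dns",         hint: "DNS resolution of the mobile server host name is failing" },
  { test: /connection reset by peer/i, cause: "reset",       hint: "connection to the Mobile Server is being intercepted or reset" },
  { test: /no route to host/i,         cause: "no_route",    hint: "no route to the mobile server in the routing table" },
  { test: /network is unreachable/i,   cause: "unreachable", hint: "device cannot reach the Zscaler cloud at all" },
];

// Extract the first JSON object embedded in a log line, if any.
function extractPayload(line) {
  const start = line.indexOf("{");
  const end = line.lastIndexOf("}");
  if (start < 0 || end <= start) return null;
  try {
    return JSON.parse(line.slice(start, end + 1));
  } catch {
    return null;
  }
}

// Returns {cause, hint, host} for a failing line, or null when the line carries
// no failure payload (success:"true", or no JSON at all).
function diagnoseLine(line) {
  const payload = extractPayload(line);
  if (!payload || payload.success !== "false") return null;
  const msg = payload.errorMessage || "";
  const match = CAUSES.find((c) => c.test.test(msg));
  // Host name, when the message carries one (the "Host not found." case).
  const hostMatch = msg.match(/\b([a-z0-9-]+\.)+[a-z]{2,}\b/i);
  return {
    cause: match ? match.cause : "unknown",
    hint: match ? match.hint : `unclassified errorMessage: ${msg}`,
    host: hostMatch ? hostMatch[0] : null,
  };
}

// Summarise a whole log: occurrences of each cause and the line it first appears on.
function diagnoseLog(text) {
  const summary = {};
  text.split(/\r?\n/).forEach((line, i) => {
    const d = diagnoseLine(line);
    if (!d) return;
    summary[d.cause] ??= { count: 0, firstLine: i + 1, hint: d.hint, host: d.host };
    summary[d.cause].count += 1;
  });
  return summary;
}

// Constructed sample log following the formats in the table (not a real capture).
const SAMPLE_LOG = [
  '2022-02-14 21:33:37 #NORMAL #INFO : Keep Alive Response: {"error":0,"errorMessage":"","success":"true"}',
  '2022-02-14 21:34:02 #NORMAL #ERROR : Error checking updates: {"error":-8,"errorMessage":"Host not found. mobile.zscalertwo.net","response":"","success":"false"}',
  '2022-02-14 21:34:09 #NORMAL #ERROR : Error checking updates: {"error":-8,"errorMessage":"Connection reset by peer.","response":"1.4.3.1","success":"false"}',
  '2022-02-14 21:34:15 #NORMAL #ERROR : Error checking updates: {"error":-8,"errorMessage":"Net Exception. No route to host","response":"","success":"false"}',
  '2022-02-14 21:34:20 #NORMAL #INFO : Keep Alive Response: {"error":-8,"errorMessage":"Net Exception. Network is unreachable","success":"false"}',
  '2022-02-14 21:34:25 #NORMAL #ERROR : Error checking updates: {"error":-8,"errorMessage":"Host not found. mobile.zscalertwo.net","response":"","success":"false"}',
].join("\n");
```

Running diagnoseLog(SAMPLE_LOG) groups the six lines into four causes; the "dns" entry also carries the host name so it can be compared directly against the nslookup result from the row above.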
ZIA: Traffic Forwarding
Zscaler Client Connector Traffic Forwarding - Troubleshoot Client Connector Driver Error
Scenario/ Expected Result: Zscaler User sees “Driver error” on Zscaler Client Connector, repair option does not help.
Problem: The Driver Error occurs when the driver files are corrupted. Uninstalling and reinstalling Zscaler Client Connector without rebooting the machine after the uninstallation may result in a Driver Error on Zscaler Client Connector.
Troubleshooting Activity: Re-install Client Connector MSI package
Tools: Reinstall Zscaler Client Connector and force the driver re-installation using the command line option REINSTALLDRIVER=1. See the help.zscaler.com topic "Customizing Zscaler Client Connector with Install Options for EXE".
ZIA: Traffic Forwarding
Troubleshoot Internet Traffic Forwarding - Check ZIA Public Service Edge Routing
Scenario/ Expected Result: Internet traffic should be routed to the closest Zscaler data center.
Problem: Traffic is routed to a node that is geographically distant from the user's location. User asks "Why do I get sent to LAX1 when I'm in Atlanta?".
Tips for avoiding this issue: Recognize that traffic routing can be very dynamic and is potentially influenced by many factors. Stay aware of outages or issues that are prompting temporary changes to keep services working. Be able to quantify whether the routing has any measurable impact on the user's experience. Check the user's DNS settings as well, since users may configure something like 8.8.8.8, which is based in California and could incorrectly influence traffic routing.
Troubleshooting Activity: Check Zscaler Data Center Health
Tools: https://trust.zscaler.com/cloud-status
Analysis/Cause: This example was for a two hour period in a Montreal DC. If users noticed issues it might have already failed over to the secondary, so by the time they checked they might have seen their traffic going to a distant data center. They might conclude (incorrectly) that this was the cause of any issues they were seeing. History from the Trust site helps to fill in the context for what they may have experienced.

Troubleshooting Activity: Check Service Edge Connection Timeout
Tools: https://admin.<cloud>.net/#administration/hosted-pac
Sample Output: return "PROXY ${GATEWAY}:9490; PROXY ${SECONDARY_GATEWAY}:9400; DIRECT";
Analysis/Cause: In this example there is a typo in the primary gateway port (9490 instead of 9400). This would cause a poor user experience while the connection times out and then fails over to the secondary.

Troubleshooting Activity: Check Service Edge Subcloud
Tools: https://help.zscaler.com/zia/what-subcloud and https://admin.<cloud>.net/#administration/hosted-pac
Sample Output: ${GATEWAY.Europe.zscaler.net} and ${SECONDARY.GATEWAY.Europe.zscaler.net}
Analysis/Cause: In this example users are restricted by the PAC file to Service Edges in a specific set of nodes in a subcloud called Europe. If the subcloud does not include nodes close to the user's location it may cause issues.
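An added example, not Zscaler tooling and not from this guide, for catching the port typo described in the Check Service Edge Connection Timeout row before the PAC is published: a small linter that parses every string the PAC returns and flags PROXY entries with an unexpected port or no DIRECT fallback. The allowed-port set and the DIRECT-fallback expectation are assumptions taken from the PAC fragment shown in the table; a deployment that deliberately fails closed would drop the second check.

```javascript
// Added example (not Zscaler tooling): static check of a PAC file's return
// strings. Catches "PROXY host:9490" when 9400 is the only expected port.

// Assumption: 9400 is the only gateway port in use for this tenant.
const ALLOWED_PORTS = new Set([9400]);

// Parse one PAC return value such as 'PROXY a:9400; PROXY b:9400; DIRECT'
// into [{kind, host, port}, ...].
function parseProxyDirective(value) {
  return value
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((entry) => {
      const [kind, target] = entry.split(/\s+/, 2);
      if (!target) return { kind, host: null, port: null };  // e.g. DIRECT
      const idx = target.lastIndexOf(":");
      return {
        kind,
        host: idx >= 0 ? target.slice(0, idx) : target,
        port: idx >= 0 ? Number(target.slice(idx + 1)) : null,
      };
    });
}

// Find every `return "…"` in the PAC text and report findings with line numbers.
function lintPac(pacText) {
  const findings = [];
  const re = /return\s+"([^"]*)"/g;
  let m;
  while ((m = re.exec(pacText)) !== null) {
    const lineNo = pacText.slice(0, m.index).split("\n").length;
    const entries = parseProxyDirective(m[1]);
    for (const e of entries) {
      if (e.kind === "PROXY" && !ALLOWED_PORTS.has(e.port)) {
        findings.push({ line: lineNo, problem: `unexpected port ${e.port} on ${e.host}` });
      }
    }
    // The guide's PAC ends each proxy chain with DIRECT; a fail-closed design
    // would omit it on purpose, so treat this check as policy-dependent.
    const hasProxy = entries.some((e) => e.kind === "PROXY");
    const hasDirect = entries.some((e) => e.kind === "DIRECT");
    if (hasProxy && !hasDirect) {
      findings.push({ line: lineNo, problem: "no DIRECT fallback after PROXY entries" });
    }
  }
  return findings;
}

// Constructed PAC fragment reproducing the typo from the table. The ${GATEWAY}
// macros are left as literal text, exactly as they appear in a hosted PAC.
const SAMPLE_PAC = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY \${GATEWAY}:9490; PROXY \${SECONDARY_GATEWAY}:9400; DIRECT";
}`;
```

lintPac(SAMPLE_PAC) reports the 9490 on line 3; the same text with the port corrected produces no findings, which is the state the hosted PAC should be in before it is saved.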
ZIA: Traffic Forwarding
Troubleshoot Internet Traffic Forwarding - Troubleshoot ZIA Network Infrastructure Issues
Scenario/ Expected Result: Traffic is being forwarded to a Zscaler Public Service Edge
Tips for avoiding this issue: Review and be familiar with the resources available on trust.zscaler.com and config.zscaler.com that provide updates and status of all Zscaler infrastructure.
Troubleshooting Activity: Troubleshoot Zscaler Public Service Edge Issue
Tools: https://config.zscaler.com/<cloud>/cenr and https://config.zscaler.com/<cloud>/zia-sedge
Analysis/Cause: Public IPs and all of the access needed for communications with service edges are listed on these pages.
ZIA: Policy
Troubleshoot Internet Application Access - Check Inspection Policy Bypass/ Failure
Scenario/ Expected Result: Access to a specific URL is expected to be controlled by a policy that defines what the user may or may not access.
Problem: A user is either allowed to access a website they should not be able to access, or they are restricted from accessing a site they should be able to access.
Tips for avoiding this issue: Configure the SSL inspection policies to inspect as much of the traffic as possible, since any traffic that bypasses SSL inspection could also be missed by other types of rules that need context about the user or the transaction that is encrypted. Keep policies as simple and as specific as possible, and try to minimize the use of bypasses and exceptions. Always check the Web Insights log entry for a transaction to get insight into all of the factors that may be affecting access.
Troubleshooting Activity: Check SSL Inspection Bypass
Tools: https://admin.<cloud>.net/#policy/web/ssl-inspection
Analysis/Cause: Any traffic hitting this rule will not be SSL inspected. Ensure that there are other rules higher in the list that ensure inspection is done for all traffic that should not be explicitly excluded from inspection.

Troubleshooting Activity: Check URL Inspection Bypass
Tools: https://admin.<cloud>.net/#administration/url-categories
Analysis/Cause: Traffic for any safemarch.com URL would match this URL category. Typically this might be done to include the category in a URL Filtering Allowlist type rule that permits traffic to these destinations. All traffic to safemarch.com would match this URL category and any corresponding URL Filtering rule using the category in its criteria. Always check for custom URL categories and the URLs and wildcards defined in them, to be aware of traffic that may be included in a rule that bypasses the required policy.

Troubleshooting Activity: Check Cloud App Inspection Bypass
Tools: https://admin.<cloud>.net/#policy/web/url-and-cloud-app-control (Advanced Policy Settings tab)
Analysis/Cause: Policy exceptions configured here for Office 365, Skype, and UCaaS such as Zoom will bypass all inspections. If there was a more granular Cloud App Control Policy rule in place to block something specific like OneDrive for a group of users, this exception would override that rule and OneDrive access would be allowed.

Troubleshooting Activity: Check SSL Bypass List
Tools: https://admin.<cloud>.net/#policy/web/ssl-inspection
Analysis/Cause: This SSL inspection rule would bypass inspection for any URLs in the User-Defined URL categories. Be sure to check what is in the user-defined categories to know what will be bypassed.

Troubleshooting Activity: Check SSL Wildcard Domains Bypass
Tools: https://help.zscaler.com/zia/url-format-guidelines
Sample Output: .safemarch.com
Analysis/Cause: This would match almost anything in safemarch.com. For example:
● atlanta.safemarch.com
● serv1.atlanta.safemarch.com/webinars
● app.safemarch.com:10443
A leading period (".") functions as a wildcard to the left of the named URL. Note that the asterisk ("*") character is not used as a wildcard.

Troubleshooting Activity: Check Inspection Bypass List
Tools: Policy > Malware Protection and Policy > Advanced Threat Protection (Security Exceptions tabs)
Sample Output: .shopify.com
Analysis/Cause: .shopify.com could have been added to a category that is being used in an inspection bypass to work around an access issue for a page on the shopify.com domain. Unfortunately this also matches something like cdn.shopify.com, which could be the content distribution network serving content for many other sites that use the Shopify platform to deliver their web apps.
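An added example, not Zscaler code and not from this guide, implementing the matching rule described in the two rows above (a leading period is a wildcard to the left of the name; an asterisk is literal) so that the reach of an entry such as .safemarch.com or .shopify.com can be checked against real URLs before it goes into a bypass. One assumption is made: a leading-dot entry is treated as also matching the bare domain itself. Entries without a leading dot are treated as an exact host with an optional path prefix, which is also an assumption about the list syntax.

```javascript
// Added example (not Zscaler code): evaluate URL-list entries the way this
// section describes them, to see what a bypass entry would really cover.

// Host and path of a list-style URL (scheme optional, port and path allowed).
function parseTarget(value) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value) ? value : `http://${value}`;
  try {
    const u = new URL(withScheme);
    return { host: u.hostname.toLowerCase(), path: u.pathname };
  } catch {
    return null;
  }
}

// Does one list entry match a URL?
function entryMatches(entry, url) {
  const target = parseTarget(url);
  if (!target) return false;
  const e = entry.trim().toLowerCase();
  if (e.includes("*")) return false;  // "*" is a literal here, never a wildcard
  if (e.startsWith(".")) {
    // Leading period: the domain and anything to the left of it (assumption:
    // the bare domain is included).
    const domain = e.slice(1);
    return target.host === domain || target.host.endsWith("." + domain);
  }
  // Plain entry: exact host; any path in the entry is a prefix of the URL path.
  const listed = parseTarget(e);
  if (!listed) return false;
  return target.host === listed.host && target.path.startsWith(listed.path);
}

// The question to ask when a bypass fires unexpectedly: which entries matched?
function matchingEntries(category, url) {
  return category.filter((entry) => entryMatches(entry, url));
}

// Constructed categories mirroring the guide's examples.
const USER_DEFINED_CATEGORIES = {
  safemarch_allow: [".safemarch.com"],
  inspection_bypass: [".shopify.com", "shopify.com/help"],
  literal_star: ["*.safemarch.com"],
};
```

Checking a CDN URL against the inspection_bypass category shows the over-reach the row above warns about: .shopify.com matches cdn.shopify.com, so every site served from that CDN would inherit the bypass.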
ZIA: Policy
Troubleshoot Internet Application Access - Troubleshoot Website Loading Issue
Scenario/ Expected Result: User should be able to connect to a website according to the policies in place.
Tips for avoiding this issue: Check for overlaps between firewall and URL and Cloud App rules for conflicting blocks. Best practices of keeping the rule sets small and as specific as possible will help to avoid hidden conflicts.
Troubleshooting Activity: Check Destination Webmaster Denylist
Tools: https://ip.zscaler.com/
Analysis/Cause: Content is being proxied by Zscaler via 165.225.210.177. Check with the host or with public checking sites that access is not being denied based on traffic originating from that IP.

Troubleshooting Activity: Analyze Internet Access Issue HTTP Headers File Capture
Tools: In Chrome: View > Developer > Developer Tools - Network
Analysis/Cause: There is a lot of useful information in the Network view that is helpful for tracking down web access issues. In this example HTTP 307 - Temporary Redirect and 403 - Forbidden responses indicate that access controls are being applied.

Troubleshooting Activity: Analyze Internet Access Issue Packet Capture
Tools: In Wireshark: Statistics > HTTP > Requests
Analysis/Cause: Wireshark has some tools in the Statistics and Analysis menus that can help to isolate transactions of interest and see related details. In this example the HTTP Requests summary shows the hosts that are being requested and related details for each host.
ZPA: Authentication
Zscaler Client Connector Authentication - Check ZPA Authentication
Scenario/ Expected Result: SAML attributes for enrolled users are received in ZPA and available as criteria of use in policies.
Tips for avoiding this issue: Test the receipt of SAML attributes when initially configuring the Identity Provider relationship with ZPA.
Troubleshooting Activity: Verify User SAML Setup
Tools: Access this link from the user's device while enrolled into ZPA. Substitute the real value for CUSTOMERDOMAIN:
https://samlsp.private.zscaler.com/auth/v2/login?domain=CUSTOMERDOMAIN.TLD&ssotype=test
For Admin users authenticated via SAML the link is different:
https://adminsamlsp.private.zscaler.com/auth/v2/login?domain=CUSTOMERDOMAIN&ssotype=test
Sample Output:
https://samlsp.private.zscaler.com/auth/v2/login?domain=training.safemarch.com&ssotype=test
{"nameid":"[email protected]","orgId":null,"idpEntityID":null,"idpId":null,"saml_attributes":{"http://schemas.microsoft.com/identity/claims/tenantid":"5a934f03-f005-4f48-95b5-f304bf2353ef","http://schemas.microsoft.com/identity/claims/objectidentifier":"21b63e09-cadd-46b5-bf35-b7085bae9962","http://schemas.microsoft.com/identity/claims/displayname":"Katsu Kay","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net/5a934f03-f005-4f48-95b5-f304bf2353ef/","http://schemas.microsoft.com/claims/authnmethodsreferences":"http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"Katsu","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Kay","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"[email protected]","Department":"Building & Grounds"},"samlassertion":null}
Analysis/Cause: This response shows details returned for the user shown ([email protected]) on the training.safemarch.com domain. It shows:
givenname: Katsu
surname: Kay
name: [email protected]
Department: Buildings & Grounds
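An added example, not Zscaler code and not from this guide, that parses the ssotype=test response shown above, strips the claim-schema prefixes from the attribute names, and reports which attributes an access rule relies on were not received. The response is reconstructed from the page's sample with a placeholder user address; the list of required attributes is an assumption about what the policies in this scenario use.

```javascript
// Added example (not Zscaler code): verify that the SAML attributes ZPA
// policies depend on were actually received, using the samlsp test response.

// Short name = last path segment of a claim URI
// ("…/claims/givenname" -> "givenname"); plain names pass through unchanged.
function shortName(attr) {
  return attr.includes("/") ? attr.slice(attr.lastIndexOf("/") + 1) : attr;
}

function parseSamlTest(jsonText) {
  const data = JSON.parse(jsonText);
  const attributes = {};
  for (const [key, value] of Object.entries(data.saml_attributes || {})) {
    attributes[shortName(key)] = value;
  }
  return { nameid: data.nameid, attributes };
}

// Compare what the IdP sent with what the ZPA access rules expect.
// An attribute that is present but empty is treated as missing.
function checkRequiredAttributes(parsed, required) {
  const missing = required.filter(
    (name) => !(name in parsed.attributes) || parsed.attributes[name] === ""
  );
  return { ok: missing.length === 0, missing };
}

// Reconstructed from the guide's sample; the user address is a placeholder.
const SAMPLE_RESPONSE = JSON.stringify({
  nameid: "user@training.safemarch.com",
  orgId: null,
  idpEntityID: null,
  idpId: null,
  saml_attributes: {
    "http://schemas.microsoft.com/identity/claims/tenantid": "5a934f03-f005-4f48-95b5-f304bf2353ef",
    "http://schemas.microsoft.com/identity/claims/displayname": "Katsu Kay",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Katsu",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Kay",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "user@training.safemarch.com",
    "Department": "Building & Grounds",
  },
  samlassertion: null,
});

function samlDemo() {
  const parsed = parseSamlTest(SAMPLE_RESPONSE);
  // Assumption: the access rules in this scenario key on these three attributes.
  return checkRequiredAttributes(parsed, ["name", "Department", "memberOf"]);
}
```

In the sample, memberOf is reported missing: the IdP never sent it, so any access rule that keys on group membership would fail for this user even though authentication itself succeeded, which is the situation the Problem line of this section describes.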
ZPA: Traffic Forwarding
Troubleshoot Private Application Traffic Forwarding - Troubleshoot ZPA Application Traffic Failure
Scenario/ Expected Result: Access policies are configured for a user to be able to access a private application.
Problem: User is unable to access a private application. ZPA Diagnostics Data shows status code such as CA: Application not reachable .
Tips for avoiding this issue: App connector VM should be installed on the same network segment as the application server and be set to use the DNS server that will resolve the application host names.
ZPA: Traffic Forwarding
Troubleshoot Private Application Traffic Forwarding - Troubleshoot App Connector
Scenario/ Expected Result: App Connector starts and is enrolled for use within ZPA.
Problem: zpa-connector status shows an enrollment error. Messages such as "cannot decrypt data" indicate issues with the provisioning key.
Tips for avoiding this issue: Check zpa-connector status after initial provisioning. Issues with incorrect or corrupted keys will usually result from errors in copying the provisioning key.
ZPA: Policy
Troubleshoot Private Application Access - Diagnose Private Application Access Error
Scenario/ Expected Result: User is granted access to a private application.
Problem: User is unable to access the application, and ZPA diagnostics indicate that a policy is not configured.
Tips for avoiding this issue: Check the configured access policies to be aware of what has been configured as criteria. Check that users and devices will meet any criteria related to device posture, trusted networks, or SCIM attributes configured in the access rules.
ZPA: Policy
Troubleshoot Private Application Access - Check Private Application Reachability
Scenario/ Expected Result: User is granted access to a private application.
Problem: Unable to access application and ZPA diagnostic logs show error “SE: Policy not configured for access”
Tips for avoiding this issue: Ensure that testing exercises all of the access rules to all of the configured apps. Check Client Connector logs and diagnostic results to see what criteria are checked and the results for each test.
Troubleshooting Activity: Check App Segment Configuration
Tools: ZPA Admin Portal > Administration > Application Segments > DNS Search Domains
Analysis/Cause: In this example DNS Search Domains are not configured and the Client Connector is not set to validate the domain. If these were configured there would be entries in the Client Connector logs for the results of any validation.
ZIA: User Experience
Troubleshoot Zscaler User Experience
Scenario/ Expected Result: Applications should be usable through Zscaler without any noticeable extra delays or rendering issues.
Tips for avoiding this issue: Be aware of any need to optimize MTU settings to avoid packet fragmentation that may result from tunnel overheads. For example see: Determining Optimal MTU for GRE or IPSec Tunnels.
Sample Output:
$ ping 165.225.210.25
PING 165.225.210.25 (165.225.210.25): 56 data bytes
64 bytes from 165.225.210.25: icmp_seq=0 ttl=64 time=25.134 ms

Troubleshooting Activity: Capture Web Page Load Time Records
Tools: Browser Developer Tools. Chrome for example: Customize > More Tools > Developer Tools. Export results to an HTTP Archive (HAR) file for a record and follow-up investigation.
Analysis/Cause: The Network tab shows all of the objects loaded for a page along with timing details. See for example: https://help.zscaler.com/zia/capturing-http-headers-google-chrome. HTTP archive files are the records that will need to be submitted from a test showing user experience issues.

Troubleshooting Activity: Check Packet Retransmission Rates / Fragmentation
Tools: Packet Capture from Client Connector: More > Start Packet Capture
Analysis/Cause: Packet capture files get stored with the Client Connector log files, for example in C:\ProgramData\Zscaler
ZIA: Logging & Reporting
Troubleshoot Zscaler Log Streaming Issue
Scenario/ Expected Result: Log streams feeds are received at the destination such as a SIEM
Problem: Log entries are missing at the SIEM. They may not be arriving at all or are missing for a period of time.
Tips for avoiding this issue: Check server host names, IP addresses and ports provided by the SIEM team. Ensure that the NSS server is placed in the network where it is able to reach the SIEM server and that there are no intermediate firewalls or proxies that will interfere.
Troubleshooting Activity: Check NSS SIEM reachability
Tools: telnet <SIEM Host> <port>
Analysis/Cause: Tested from the NSS server. The host (10.0.0.3) is reachable, but does not have anything listening on port 514 that may be connected to. We would want to check with the SIEM administrator for the correct port to configure for the log streaming.