Day 5 ZPA Bootcamp Slides - New Hire Version
©2021 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. SECURING YOUR DIGITAL TRANSFORMATION
Troubleshooting 101
Module 5 Objectives
By the end of the module, you will be able to identify the most common issues related to ZPA connectivity.
Objectives
● Isolate the main issues related to each specific situation
● Apply best practices to avoid misconfiguration issues
Using ZPA Diagnostics
What you can do on your side first, before asking the customer for data
Identifying the ZPA Domain and App Segment
What you can do on your side first, before asking the customer for data
• Identify whether the domain is a ZPA domain:
• In the ZCC ZSATunnel.log file, search for the domain name of the application and look for these types of messages:
• “DBG DNS: Domain=your.domain.com is ZPN!” – this message shows that ZCC sees the domain as a ZPA domain
• “ZPN: Control Message Response Data: {"zpn_client_app:” – this message also shows the domain, the transport protocol (TCP/UDP) and the configured ports that are part of the application segment
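The two ZSATunnel.log messages above can be pulled out of a log export automatically instead of by eye. The script below is an added example and is not Zscaler tooling: it searches a constructed sample of log lines for the “is ZPN!” message to build the list of ZPA domains, and parses the control-message line for the domain, transport protocol and ports of the application segment. The JSON keys under "zpn_client_app" (domain, protocol, ports) are an assumption made for the example, as is the sample log itself; a control message truncated by the logger is kept and flagged rather than silently dropped, since that is a common shape in real exports.

```python
import json
import re

# Constructed sample of ZSATunnel.log lines (not a real capture). Line 1 and
# line 3 follow the two message shapes named on the slide; line 4 is a control
# message that was cut short by the logger; the other line must be ignored.
SAMPLE_LOG = """\
2021-06-01 10:15:02 DBG DNS: Domain=intranet.example.com is ZPN!
2021-06-01 10:15:02 INF Tunnel state: connected
2021-06-01 10:15:03 ZPN: Control Message Response Data: {"zpn_client_app": {"domain": "intranet.example.com", "protocol": "TCP", "ports": [443, 8443]}}
2021-06-01 10:15:04 ZPN: Control Message Response Data: {"zpn_client_app": {"domain": "files.example.com", "proto
"""

# Message 1 on the slide: ZCC classified the domain as a ZPA ("ZPN") domain.
ZPN_DOMAIN_RE = re.compile(r"DBG DNS: Domain=(?P<domain>\S+) is ZPN!")
# Message 2 on the slide: the control message carrying the app segment data.
CONTROL_MARKER = "ZPN: Control Message Response Data: "


def zpa_domains(log_text):
    """Return the sorted set of domains ZCC reported as ZPA domains."""
    return sorted({m.group("domain") for m in ZPN_DOMAIN_RE.finditer(log_text)})


def is_zpa_domain(log_text, domain):
    """True if the application domain appears in an 'is ZPN!' message."""
    return domain.lower() in {d.lower() for d in zpa_domains(log_text)}


def app_segments(log_text):
    """Extract domain / transport protocol / ports from control messages.

    The JSON layout under "zpn_client_app" (keys domain, protocol, ports) is
    an assumption for this example; adjust the key names to the real payload.
    Truncated lines are returned with parsed=False instead of being dropped.
    """
    segments = []
    for line in log_text.splitlines():
        idx = line.find(CONTROL_MARKER)
        if idx < 0:
            continue
        payload = line[idx + len(CONTROL_MARKER):]
        if '"zpn_client_app' not in payload:
            continue  # some other control message; not an app segment
        try:
            data = json.loads(payload)
        except json.JSONDecodeError:
            segments.append({"parsed": False, "raw": payload})
            continue
        app = data.get("zpn_client_app", {}) if isinstance(data, dict) else {}
        segments.append({
            "parsed": True,
            "domain": app.get("domain"),
            "protocol": app.get("protocol"),
            "ports": app.get("ports", []),
        })
    return segments


if __name__ == "__main__":
    print("ZPA domains:", zpa_domains(SAMPLE_LOG))
    for seg in app_segments(SAMPLE_LOG):
        print(seg)
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; a domain that is missing from zpa_domains() but is expected to be a ZPA application is the first thing to check against the application segment configuration.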
Auth / SAML Issue
What you can do on your side first, before asking the customer for data
SCIM Issues
What you can do on your side first, before asking the customer for data
SCIM failures
Common Issues
Case 1 : “Connection Error”
Problem: Zscaler Client Connector shows “Connection Error”
Cause:
A connection error appears in Zscaler Client Connector when there is a connectivity issue from the user's machine to the Zscaler ZPA Cloud.
Solution:
Step 1: Identify the Nearest Broker
1.) To find the nearest data center node (broker), ZPA performs a DNS resolution of any.broker.prod.zpath.net, and the DNS response contains the nearest broker's IP address. The following steps identify the broker IP address:
Clear the Zscaler App logs and gather a fresh set of logs, with packet captures enabled on the App, making sure that the connection error event is captured.
Look for the ZSATunnel log.
Search for any.broker.prod.zpath.net.
2.) Ensure that access to the Zscaler broker IPs is not restricted by any corporate firewall. Zscaler strongly recommends that Zscaler Client Connector has unrestricted outbound access to the Internet on port 443, to ensure access to all Zscaler brokers as the infrastructure evolves and expands.
3.) In some cases the DNS resolution of any.broker.prod.zpath.net fails, which also produces the Connection Error in ZPA. Please ensure that the DNS resolver is functioning properly.
Case 2 : “SE: Policy Not Configured For Access”
Problem: Unable to access the application; the ZPA Diagnostic logs show the error “SE: Policy not configured for access”
Cause:
There could be multiple reasons why ZPA could not find an access policy for the application. Some of the reasons are below:
a.) No access policy created for the user.
b.) Access policy is defined based on SAML and SCIM attributes.
c.) Access policy is defined on the basis of a posture profile.
d.) Access policy is defined based on the trusted network criteria.
e.) Access policy is defined based on the client type.
Solution:
1.) Verify the above policies by navigating to ZPA Portal > Administration > Access Policy
Case 3 : “CA: Application Not Reachable”
Problem: Unable to access the application; the ZPA Diagnostic logs show the error “CA: Application not reachable”
Cause:
This means that none of the App Connectors configured for the application can resolve the server or reach the server.
Solution:
1.) Log in to the ZPA App Connector and run the commands below to determine whether it is a DNS or a network problem:
a.) Ping the destination server to check connectivity and DNS resolution. For example: ping <destination server ip or domain>
b.) Telnet to the specified port number to check whether the TCP socket is open. For example: telnet <destination server> <port>
c.) Run tracepath to identify the network path, in order to troubleshoot the transit network. For example: tracepath <destination server>
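Case 1 (client to broker) and Case 3 (App Connector to application server) are the same two-stage question: does the name resolve, and does a TCP socket to the returned addresses open on the expected port? The script below is an added example, not Zscaler tooling. It separates those stages the way the ping/telnet/tracepath sequence above does and names the next step for whichever stage fails. The resolver and connect functions are injectable so the classification can be checked offline with constructed results; by default it performs live lookups and connections. broker_check() covers Case 1 using the discovery name from the slide on port 443; connector_check() covers Case 3 for an application server and port you supply. The example server addresses used in the usage are constructed.

```python
import socket
import subprocess
import sys

BROKER_DISCOVERY_NAME = "any.broker.prod.zpath.net"  # discovery name from the slide


def resolve_all(host):
    """Live resolver: every IPv4 address the resolver returns for host."""
    return socket.gethostbyname_ex(host)[2]


def tcp_open(ip, port, timeout=3.0):
    """Live check: can a TCP socket to ip:port be opened (what telnet shows)?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host, port, resolve=resolve_all, connect=tcp_open):
    """Classify the path to host:port as a DNS failure, a TCP failure, or OK.

    resolve(host) -> list of IPs (empty list or OSError = DNS failure);
    connect(ip, port) -> bool. Both are injectable for offline use.
    """
    try:
        addrs = list(resolve(host))
        err = "no addresses returned"
    except OSError as exc:
        addrs, err = [], str(exc)
    result = {"host": host, "port": port, "addresses": addrs,
              "reachable": [], "unreachable": []}
    if not addrs:
        result["stage"] = "dns"
        result["next_step"] = (f"DNS resolution of {host} failed ({err}); "
                               "check the DNS resolver before anything else")
        return result
    result["reachable"] = [ip for ip in addrs if connect(ip, port)]
    result["unreachable"] = [ip for ip in addrs if ip not in result["reachable"]]
    if not result["reachable"]:
        result["stage"] = "tcp"
        result["next_step"] = (f"no address accepted TCP/{port}; check firewall/"
                               f"egress rules and run: tracepath {host}")
    else:
        result["stage"] = "ok"
        result["next_step"] = f"none: DNS and TCP/{port} reachability are OK"
    return result


def broker_check(resolve=resolve_all, connect=tcp_open):
    """Case 1: from the user's machine, is the nearest broker resolvable and reachable on 443?"""
    return diagnose(BROKER_DISCOVERY_NAME, 443, resolve, connect)


def connector_check(server, port, resolve=resolve_all, connect=tcp_open):
    """Case 3: from the App Connector, can the application server be resolved and reached?"""
    return diagnose(server, port, resolve, connect)


def tracepath_output(host):
    """Case 3 step c: run tracepath on the connector and return its output (needs the binary)."""
    proc = subprocess.run(["tracepath", host], capture_output=True, text=True, check=False)
    return proc.stdout or proc.stderr


if __name__ == "__main__":
    # Usage: python check.py            -> Case 1 broker check
    #        python check.py host port  -> Case 3 connector-side check
    if len(sys.argv) == 3:
        result = connector_check(sys.argv[1], int(sys.argv[2]))
    else:
        result = broker_check()
    print(result["stage"], "->", result["next_step"])
    if result["stage"] == "tcp":
        print(tracepath_output(result["host"]))
```

A "dns" result on the connector points at the connector's resolver configuration rather than at the customer's firewall; a "tcp" result with some addresses reachable and others not is worth reporting as such, because it usually means only part of the broker or server address range is allowed through.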
Case 4 : “SE: Timeout Policy Blocked Access”
Problem: Unable to access the application; the ZPA Diagnostic logs show the error “SE: Timeout policy blocked access”
Cause:
This means the timeout policy has triggered, requiring the Z-App user to re-authenticate to the application.
Solution:
1.) Ask the user to re-authenticate to ZPA in ZCC. If the user should not have been prompted for re-authentication, review the timeout policy under ZPA Portal > Administration > Timeout Policy
Case 5 : “SE: Application Policy Blocked Access”
Problem: Unable to access the application; the ZPA Diagnostic logs show the error “SE: Application policy blocked access”
Cause:
This means that access has been denied by an access policy, which may be the result of multiple overlapping policies.
Solution:
1.) Review the access policy configuration. The name of the access policy can be found in the same Diagnostic log under Access Policy Name.
Troubleshooting Tools Overview
Key tools for you to troubleshoot issues with customers
• CloudView
• Cloudy/Grafana (ZPA-Triage Team has access)
• Looking Glass for MTRs (from )
• Wireshark Tips using filters
• Fiddler Tips (Application Issues)
Lab Exercises
Lab Exercise #1
Create a setup
Thank you