Troubleshooting ZIA Student Guide
Welcome to Troubleshooting ZIA! In hybrid work environments, users look for a satisfying digital experience, which includes fast, secure
connectivity and seamless collaboration. However, ensuring a smooth experience has challenges and requires effective troubleshooting
skills.
This module will help you identify the root cause of issues and troubleshoot them effectively.
COURSE OVERVIEW
Introduction
Learning Objectives
Troubleshooting—Overview
Key Takeaways
URL CLASSIFICATION
Key Takeaways
Key Takeaways
ZIA ISSUES
Key Takeaways
SUMMARY
Recap
Lesson 1 of 16
Introduction
In this module, you will learn to solve issues related to URL classification,
understand the use of localizing and isolating ZIA issues, and familiarize
yourself with troubleshooting tools.
Lesson 2 of 16
Learning Objectives
2 Examine URL classification and rectify issues by reclassifying the URLs
Lesson 3 of 16
Troubleshooting—Overview
Let’s start by understanding the steps involved in the process of troubleshooting various issues that you may face.
This set of steps can help you narrow down the cause of an issue and enable a speedy response by identifying the root cause of the issue.
While troubleshooting is an important skill, documenting the resolution to the issue is equally important, as it enables the creation of an internal
knowledge base system.
With an internet access connection through Zscaler, an issue can occur in any of the following areas:
The end user’s device
Local network (either the user’s home network/corporate LAN or coffee shop, etc.)
Between the end user’s Corporate Firewall and the Zscaler Cloud
Between the end user and the identity provider (authentication issues)
Between Zscaler and the internet (i.e., the third-party website or service)
In the diagram, the primary and secondary tunnels are indicated by the colors green and red,
respectively.
Is there some form of misconfiguration of either the network connections or a Zscaler policy?
2 Figure out how to test the theory (refer to internal documentation or your knowledge base).
3 Test the theory:
If the theory proves correct, step out of the process and document the solution.
If the theory is proved incorrect, go back to the first step and work through the other possible causes of
the issue.
The troubleshooting process is a cycle.
If your hypothesis does not seem to fit the data you are seeing:
2 Check with the end user and ask more follow-up questions about the issue.
3 Reiterate through the resolution steps after localizing and isolating the problem.
Finally, if you run out of options, escalate the ticket to the next support tier or to Zscaler, providing as much information as possible.
Performed tests
Test results
Lesson 4 of 16
Any ticket raised with Zscaler will require the following information:
Issue Subject: Provide a summary of the problem with the main symptom and scope. This is a free-text field; it should be as
concise as possible but give a complete indication of the nature of the problem.
Description: Provide a detailed description of the problem. This is a free-text field that allows you to fully explain what the nature
of the problem is, what its symptoms are, where and when the problem occurs, what process you suspect is at fault, and what
steps you have taken to identify the problem or what corrective actions you have taken with no success.
Ticket Type: Select from the available types: “Problem,” “Question,” “Categorization,” or “Provisioning.”
Ticket Priority: Select from the available priorities: “Urgent,” “High,” “Medium,” or “Low.”
Zscaler Cloud –
Which Zscaler Cloud(s) are experiencing the issue?
Issue Scope –
What is the scope (intermittent or always; all or some data centers; all or some sites; all or some users; all or some end-user
website destinations) of the issue?
Trigger Event –
What seems to have triggered this event?
Work-Around –
Is there a work-around? Has it been applied?
Upload a File –
Are there proxy text screenshots, Zscaler Analyzer outputs, or server/firewall/router or Zscaler Client logs?
To illustrate this better, the video below will show these ways.
Lesson 5 of 16
Key Takeaways
1 The stages involved in the troubleshooting process are localizing, isolating, and troubleshooting the
problem based on your hypothesis.
2 A certain amount of information is needed to raise a Zscaler Support Ticket and begin the
troubleshooting process; the more information you can provide, the quicker the case will be resolved.
3 There are three ways to raise a ticket: through a phone call, help.zscaler.com, and the ZIA Admin Portal
(preferred).
Lesson 6 of 16
ZIA organizes URLs in a hierarchy of categories for granular filtering and policy creation. There are six predefined
classes, each divided into predefined super-categories and categories.
Select each tab below to learn about the six predefined classes and their super-categories:
Bandwidth Loss –
The super categories in “Bandwidth Loss” are:
Entertainment/Recreation
News and Media
User-Defined
Business Use –
The super categories in “Business Use” are:
Business and Economy
Education
Information Technology
Internet Communication
Job/Employment Search
Microsoft Office 365 (applicable only for SSL Inspection Policy)
General Surfing –
The super categories in “General Surfing” are:
Government and Politics
Miscellaneous
Travel
Vehicles
Legal Liability –
The super categories in “Legal Liability” are:
Adult Material
Drugs
Gambling
Illegal or Questionable
Militancy/Hate Extremism
Tasteless
Violence
Weapons/Bombs
Productivity Loss –
The super categories in “Productivity Loss” are:
Games
Health
Religion
Shopping and Auctions
Social and Family Issues
Society and Lifestyle
Special Interests/Social Organizations
Sports
Privacy Risk –
The super category in “Privacy Risk” is Security.
Custom Categories
Besides the predefined categories, you can create custom categories based on your organization’s requirements. Using
URLs, keywords, and IP ranges, you can block specific websites, a specific range of IP addresses for websites, and
websites based on any words that may appear in a URL, respectively.
You can visit the Zscaler Help portal documentation for current limits of custom URLs, custom categories, keywords,
and custom IP ranges while creating Custom URL Categories.
See the help portal article here for the current limits: https://help.zscaler.com/zia/about-url-categories.
Lesson 7 of 16
Sometimes, there could be a situation where a website is misclassified, and you need to recategorize it.
To illustrate this better, the video below will show a scenario where you will have to recategorize a misclassified
website.
Knowledge Check
Which of the following predefined classes do the Education, Internet Communication, and Job/Employment Search super-categories belong to?
Bandwidth Loss
Business Use
General Surfing
Legal Liability
Lesson 8 of 16
Key Takeaways
1 The URLs are classified into six predefined classes for granular filtering and policy creation.
2 Misclassified websites can be recategorized by following one of the three ways of reclassifying the
URLs.
Lesson 9 of 16
Now that you know about recategorizing and resolving URL issues, let’s look at some commonly used network troubleshooting tools.
Select each tab below to learn the use of standard troubleshooting tools:
IP Address Utility –
The ipconfig (Windows), ifconfig (Mac), or ip addr (Linux) utility allows you to review the interface configuration of the network
adapters installed on a Windows, a Mac, or a Linux PC, respectively. Use the /all option (Windows) or -a (Mac) for full details.
Verify that the device has a valid IP configuration, a valid gateway set, and a valid DNS server configuration.
Ping –
The ping utility is available at the command line on both Windows and Mac OS X machines and can be used to evaluate the
extent of a network outage. You can ping local addresses to confirm the device has connectivity, then ping the gateway IP address
to verify that the gateway is functioning.
Also, ping by FQDN to verify DNS resolution is working, and if not, ping by IP address, for example, to the 8.8.8.8 address of the
Google public DNS service. Check the round-trip time of the pings to determine the end-to-end latency on the connection.
Traceroute –
The traceroute (Mac) or the tracert (Windows) utility shows the path of the traffic from a source to a destination and the round-
trip time taken for each hop. Using this tool, you can identify problems in the route as well as trace the route to internet
destinations to validate end-to-end connectivity path with round-trip time.
nslookup –
The nslookup command-line tool helps you obtain domain name or IP address mapping for any specific DNS record. You can also
use this utility to forward resolve an FQDN to an IP address or reverse resolve a public IP address to the matching FQDN.
WinMTR –
The WinMTR utility combines the functions of the ‘ping’ and ‘traceroute’ commands in a third-party GUI-based application for
Windows. It also allows exporting data to a file that could subsequently be uploaded to a support ticket if necessary.
Protocol Analyzer –
A Protocol Analyzer is a tool for monitoring and analyzing data traffic over a communication channel. You can use Wireshark, a
widely used protocol analyzer, to capture packets on the wire as transactions take place. The packet captures can be saved to a file
for analyzing the protocol flows or uploaded to a support ticket.
Lesson 10 of 16
While the standard troubleshooting tools deal with common network issues, you need separate tools for ZIA-specific issues.
Select each tab below to learn about the ZIA-specific troubleshooting tools:
Proxy Test –
You can check the Proxy Test page (https://ip.zscaler.com) to see the status of the user’s connection, along with key data about it.
You can view the output on the Proxy Test page.
ZIA Analyzer –
The ZIA Network Analyzer analyzes the path between your location and the ZIA Public Service Edge you are connected through or
the time your browser takes to load a web page. The results can be saved to a file and uploaded to a support ticket. You can
download this tool from the Help Portal Tools page or the Proxy Test page.
Lesson 11 of 16
Finally, let’s look at the troubleshooting tools available on the More tab of Client Connector.
These tools can be enabled on the Client Connector portal under Policy > Mobile > Zscaler Client Connector
Configuration > Zscaler Client Connector Portal. Besides clearing log files, you can set different log modes to specify
the type of information stored in the various logs. For example, as shown in the image below, the Debug mode logs
all Client Connector activities that could assist ZIA Support with troubleshooting issues.
In normal cases, Info or Warning log modes are used. Debug mode is used only for detailed logging to support
troubleshooting.
It is recommended to collect log files manually by using the Export Logs function, as shown in the image below. The
log files are then exported as a zip file, which can be attached to a support ticket.
Listed in the table below are the log file names and the type of information each file contains:
Knowledge Check
Which of the following troubleshooting tools is used to capture packets on the wire as transactions take place?
Traceroute
WinMTR
HTTP Header Trace
Protocol Analyzer
Lesson 12 of 16
Key Takeaways
1 Using standard troubleshooting tools helps isolate the cause of connectivity issues.
2 Using ZIA-specific troubleshooting tools helps isolate the cause of ZIA-related issues.
Lesson 13 of 16
By now, you are familiar with the different standard and ZIA-specific troubleshooting tools. So, let’s turn your
attention to resolving connectivity issues.
When an end user device fails to connect with the ZIA cloud, you must first localize the issue by identifying its root
cause and capturing the maximum data from the affected end user.
Let’s look at two scenarios where you will have to localize the connectivity issues between the users and ZIA.
Scenario One
You are assigned an incident ticket from the local IT team at your organization. As per the ticket, the users at the
location cannot access the internet and this location is connected to ZIA through a functional GRE tunnel.
In this scenario, you can begin troubleshooting the issue by following the steps listed below:
1 Ask one of the users at this location to show you any end user message (EUN) they see while
accessing the internet:
If there is an EUN, then the issue is more likely due to policy misconfiguration on Zscaler. You need
to fix the policy issue.
If there is no EUN and you see only the normal “No internet” message in the browser, then you
need to look further to isolate the issue.
2 Access Zscaler connectivity tool (http://ip.zscaler.com) to determine what the issue might be from
a user device on the location:
If you are not able to reach Zscaler connectivity tool, then the issue could be at your local network.
Check DNS or Firewall rule or routing on the local network and resolve the issue.
If you could reach Zscaler connectivity tool, verify Zscaler Cloud, virtual IP, and your Gateway IP
address.
3 You can check the performance from the client to the Zscaler data center (the client is connected to)
using the Zscaler Speed Test site (http://speedtest.zscaler.com/):
You can use the Zscaler Speed Test tool to verify Datacenter info, HTTP Ping, HTTP Jitter,
Download Bandwidth, Upload Bandwidth, Cloud Path, etc.
You can share the information gathered on the Zscaler Speed Test tool with Zscaler support or with
your peers in the organization for advanced troubleshooting.
4 There could be issues with DNS if you are using an internal DNS or a third-party public DNS service:
To test DNS resolution, you can either use the nslookup command on the user device or ping to a
public FQDN, which will resolve the IP address and send an ICMP request.
You can ping to the DNS Server IP and validate RTT to check if there is any latency. You can also try
traceroute/tracert utility to check the path to the DNS IP and any delay in the path.
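The ping ladder from the Ping tool description and step 4 above, scripted for macOS/Linux as an added example (not part of the Zscaler guide). The target addresses you pass in and the verdict labels (`local-network`, `beyond-gateway`, `dns-suspect`) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: ping ladder (gateway -> public IP -> FQDN) for macOS/Linux.
# Target addresses and verdict labels are assumptions, not from the guide.

# Read `ping` output on stdin (Linux iputils or macOS layout) and print
# "loss=<percent> avg_ms=<average RTT>". No summary line counts as 100% loss.
ping_summary() {
    awk '
        /packet loss/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /%$/) { loss = $i; sub(/%/, "", loss) }
        }
        /min\/avg\/max/ {
            split($0, halves, "= ")      # "... = min/avg/max/dev ms"
            split(halves[2], rtt, "/")
            avg = rtt[2]
        }
        END {
            if (loss == "") loss = "100"
            if (avg == "") avg = "-"
            printf "loss=%s avg_ms=%s\n", loss, avg
        }'
}

# One probe: four echo requests, summarised. Redefine to replay saved output.
probe() {
    ping -c 4 "$1" 2>&1 | ping_summary
}

# Succeeds when at least one reply came back from the target.
reachable() {
    case "$(probe "$1")" in
        "loss=100 "*|"loss=100.0 "*) return 1 ;;
        *) return 0 ;;
    esac
}

# localize <gateway-ip> <public-ip> <fqdn>: name the first rung that fails.
localize() {
    if ! reachable "$1"; then echo "local-network"; return; fi
    if ! reachable "$2"; then echo "beyond-gateway"; return; fi
    # IP works but the name does not: suspect DNS, confirm with nslookup.
    if ! reachable "$3"; then echo "dns-suspect"; return; fi
    echo "ok"
}

# Constructed sample in Linux iputils layout, not captured from a real network.
SAMPLE='4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 11.204/12.881/14.102/1.071 ms'
printf '%s\n' "$SAMPLE" | ping_summary

# Live run is opt-in: LIVE=1 sh ladder.sh <gateway-ip> 8.8.8.8 <fqdn>
if [ "${LIVE:-0}" = 1 ]; then localize "$1" "$2" "$3"; fi
```

The `loss=` and `avg_ms=` figures from each rung are the kind of performed-test output that can be pasted into a support ticket alongside the traceroute results.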
Scenario Two
Take another scenario. A few employees from a certain location reported slow internet connection and difficulty
accessing websites.
Here, to localize the issue, you must verify the connections between the users and the ZIA cloud.
Select each tab below to learn about the information that you will need when troubleshooting latency issues:
Using Zscaler tools, you can capture the dynamic data in real time when the problem is occurring.
Select each tab below to learn how Zscaler tools are used to capture the real-time data:
Z-Speed Output –
Navigate to the Connection Quality test page (from ip.zscaler.com) and run the test against the ZIA Public Service Edge that the
user connects to.
Real-time performance data can also be captured by third-party tools to assist in troubleshooting latency issues.
Select each tab below to learn more about the usage of third-party tools to capture the real-time performance:
MTR/WinMTR Output –
Use the native MTR utility on Macs or install WinMTR on Windows; then, test to the destination in question both with and
without Zscaler.
cSpeed Output –
Install the cSpeed plug-in for Chrome, connect to the destination in question, and record the results both with and without Zscaler.
The connectivity issues do not end with the users and can occur between ZIA and destinations on the internet. They
can happen even due to an outage at a destination. Other issues are related to authentication, ZIA service policies,
and settings configuration.
The following data is required by Zscaler when raising a latency related ticket:
Output from ip.zscaler.com
Performance data from Zscaler Speed Test site
Host name/IP of destination
Zscaler Client Connector packet captures and logs
Lesson 14 of 16
After localizing a connectivity issue, your next step is to isolate it and find the failing logical process.
First, let’s discuss the predominant issue faced by the users—network connectivity. This issue is best solved by
spotting the root cause.
Select each tab below to learn about the root causes of not having internet access:
You need to verify that the DNS query is correctly resolved to the required hosts.
For a user device with explicit proxy settings (a PAC file is applied to it), the following need to be resolved:
The server on which the PAC file is stored
The ZIA Public Service Edge
For the transparent proxy scenario, where the user connects through a tunnel at a fixed location, the host in
the URL that the client is attempting to access must be resolvable.
“Firewall blocking access to the location” and “Firewall blocking the client from outbound connections” are
policies related to the firewall configuration.
In such scenarios, the customer’s firewall may be either:
Blocking access to the location the user is trying to access (either a URL or the ZIA Public Service Edge)
Blocking the client from all outbound connections
The next user issue arises when traffic from the user does not reach the ZIA Public Service Edge. The ZIA proxy test
page may state: “The request received from you did not have an XFF header, so you are quite likely not going through
the Zscaler proxy service.”
There are four main methods for sending traffic from the user devices to the ZIA Public Service Edge—GRE tunnels,
IPSec VPN, PAC file or proxy settings, and Zscaler Client Connector. The common issues with these methods have at
least five potential main root causes.
Select each tab below to take a detailed look at these root causes:
Another common scenario where you need to isolate the issue is when a user cannot authenticate.
Select each tab below to look at the root causes for a user failing to authenticate:
At times, a user is prompted for their credentials, and yet the authentication is unsuccessful. This is most
likely due to cookies. If the user agent has cookies disabled, you will not be able to complete the
authentication process.
The following are other less likely causes:
SAML is not configured correctly. Configuring SAML entails several steps and complexities.
The Lightweight Directory Access Protocol (LDAP)/AD server cannot be reached.
The ZIA Public Service Edge has temporarily lost connectivity to the Central Authority.
The user may type an incorrect (or nonexistent) username, the password may be inaccurate or might have
expired, or the account may be disabled.
Which of the following is a root cause of a user experiencing the No Internet Access issue when connected via GRE tunnel at an
office location?
SAML failure
Lesson 15 of 16
Key Takeaways
1 Localizing ZIA issues is essential to identify the actual cause of an issue and fix it effectively by
capturing the maximum data.
2 An issue can be isolated by identifying the failed logic behind the process and addressing issues in
network connectivity, infrastructure entities, and misconfiguration.
Lesson 16 of 16
Recap
In Summary
This module has introduced you to the root cause of issues and troubleshooting tools.
You now have a better understanding of how to solve issues related to URL classification. You also explored the use of localizing and isolating ZIA
issues.
2 Examine URL classification and rectify issues by reclassifying the URLs
Thank You!