Product | Zscaler Private Access |
Version | 1.0 (Still in progress) |
Date | 16/02/2024 |
Author | Bong Si How |
Confidentiality | Public |
Revision History
Version | Effective Date | Prepared/Amended By | Summary of Changes | Approved By |
1.0 | 16/02/2024 | Bong Si How | | |
1. Introduction
This guide describes how to troubleshoot a user who is unable to SSH to an external server through Zscaler Private Access (ZPA).
2. Before You Begin
2.1. Preparation Checklist
- Check whether the issue is related to Zscaler at all.
- Gather the network information, such as whether the user is on a hotspot or on the LAN.
- Check whether only one user or multiple users are affected.
2.2. Safety and Precautions
- Back up the configuration, such as the original policy configuration, to prevent confusion later.
- If pilot-testing policies, always roll back if the test is unsuccessful.
3. Step-by-Step Troubleshooting Guides
- First, if the application has been included in a ZPA Application Segment, temporarily remove it from the segment to see if the connection works. This step confirms that the traffic works when it goes through ZIA instead.
- Second, if ZIA works and ZPA does not, check whether the required port numbers have been included in that application segment. If not, add the particular port number and try again.
- If the above still does not work, replicate the error and check either the ZIA web-insight/firewall-insight logs or the ZPA diagnostic logs to see whether the traffic actually hit an error; if it did, refer to the Zscaler help portal for the error code.
- If the diagnostic logs / web-insight / firewall-insight logs show the traffic is allowed but the user still cannot connect, it could mean that the target server dropped the user's request.
- The cause could be a regional block. For example, some government websites only allow local users, and an IP from another region is blocked; in this case the application can be assigned to the SIPA application segment or to the Bypass ZPA segment.
- The cause could be a WAF or anti-abuse service in front of the server (for example CloudFront or Cloudflare) that blocks clients making excessive connections to the server. In this case the application can likewise be assigned to the Bypass ZPA application segment.
- Note: if the server is managed by the user, ask the user to whitelist the Zscaler IP ranges on the server.
What could have been done better:
- The SSH application could have been kept inside the ZPA application segment without a bypass, because in a case where the user's VPC firewall is actually blocking Zscaler IPs, the problem is related neither to the application segment nor to regional IP blocking.
4. Tools used to troubleshoot:
- PuTTY
  - For testing SSH: if the user's SSH server is publicly reachable, the test can be run from our own environment; if it is private, ask the user to test the SSH connection with PuTTY. In both scenarios the test must be done with Zscaler turned on and from the same data center (for example SIN4).
- Telnet
  - A command such as "telnet 192.168.x.x 22" can be used, where:
    - 192.168.x.x represents the target SSH server
    - 22 is the port number.
- Zscaler admin portal
  - ZIA: if the application has been bypassed from ZPA, the traffic falls into ZIA, so check the related insight logs (firewall-insight or web-insight).
  - ZPA: check App Connector health and the diagnostic log for error codes.
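The telnet step in section 4 only proves that the TCP port answers. The added example below (not part of this guide, constructed for it) goes one step further: it connects to the SSH port and then waits for the server's SSH banner, so "port open but the server or a WAF drops the session" can be told apart from "connection refused" or "no answer at all", which is the distinction the log checks in section 3 turn on. The local fake server, its banner string and the helper names are assumptions made for offline testing.

```python
import socket
import threading

# probe_ssh() does what "telnet <host> 22" does (TCP connect) and then also
# waits for the SSH banner, so the result can be matched against ZIA/ZPA logs.
#   "banner"  - connect ok and the server answered with an "SSH-" banner
#   "silent"  - connect ok but no banner (closed/reset/quiet): a WAF or
#               middlebox accepted the socket, or the server dropped us
#   "refused" - port closed / nothing listening
#   "timeout" - no TCP answer at all (filtered, regional block, wrong segment)
def probe_ssh(host, port=22, timeout=5.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(255)
            except (socket.timeout, ConnectionResetError):
                return "silent", ""
            banner = data.decode("ascii", "replace").strip()
            return ("banner" if banner.startswith("SSH-") else "silent"), banner
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError as exc:
        return "error", str(exc)


def fake_ssh_server(banner=b"SSH-2.0-OpenSSH_9.6 (constructed)\r\n"):
    # Constructed local listener for offline testing; returns its port.
    # banner=None accepts the connection and closes it without a word,
    # which is what a dropping middlebox looks like from the client side.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    # Bind and release a port so that connecting to it is refused (constructed).
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run it from the same data center and with Zscaler on, exactly as the PuTTY test above requires, and compare the outcome with what the ZIA firewall-insight or ZPA diagnostic log reports for that connection.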