TTechclick All lessons
Zscaler · ZCC · TroubleshootingInteractive · L1 / L2 / L3

Troubleshooting Zscaler Client Connector — 16 Real Scenarios, Fixed

"ZCC stuck on Authenticating." "Internet Security is Off." "Captive portal detected" — and the user can't work. This is the field guide: pick a symptom, see exactly where the enroll → auth → tunnel → forward chain breaks, then fix it with the real More-menu path and the expected output. No theory dumps. Just the playbook.

📅 30 May 2026 · ⏱ 12 min · 16 scenarios · 🏷 10-Q assessment + AI Tutor inline
🎯 By the end of this lesson, you'll be able to

⚡ Quick Answer

Troubleshoot Zscaler Client Connector the fast way — 16 real ZCC failure scenarios with symptom, cause, the exact More-menu diagnostic path, expected output, fix, and verify. Auth loops, Z-Tunnel, captive portal, posture, SSL and upgrades in 12 minutes.

⚡ Your XP
0%

Pick your symptom — jump straight to the fix

1

Enrollment & Auth

Stuck on Authenticating, login loop, SAML redirect, device-cert errors.

 2

Tunnel & Forwarding

Z-Tunnel won't come up, service not running, traffic not forwarding.

 3

Network Detection

Trusted-network wrong, captive-portal hell, AV/VPN conflicts, slow ZEN.

 4

SSL, Posture & Upgrades

Apps break on inspection, posture fails, stuck updates, fail-open vs closed.

The wrong belief that wastes your first hour

Most engineers open a ZCC ticket and immediately blame the Zscaler cloud. Wrong — and that reflex burns your first hour on the one thing least likely to be broken. The Zscaler cloud is a globally redundant platform. Your problem is almost always closer to the user: the device, the local Wi-Fi, the IdP, or one mis-set toggle in the forwarding profile.

The Zscaler Digital Transformation Administrator (ZDTA) blueprint teaches this as the first move: localize the fault. There are seven places a ZCC flow can die — end-user device, local network, corporate firewall, the IdP, the Zero Trust Exchange, between Zscaler and the internet, and the Zscaler service itself. Knowing the chain turns a 3-hour guessing game into a 10-minute walk.

👉 So far: don't blame the cloud first. ZCC failures localize to one of seven hops. Next: the one toolbar that solves 80% of tickets — the More menu.

Your two best friends: the More menu and connection status

Before any scenario, learn these two. They appear in every fix below.

More → Troubleshoot
tap to flip

The 3-dots menu (top-right of ZCC). Holds Start/Stop Packet Capture, Restart Service, Repair App, Update Policy. So what: 80% of fixes start here.

📦
More → Support → Export Logs
tap to flip

Bundles a ZIP into %ProgramData%\Zscaler\. So what: this is what Zscaler support asks for first — collect it before you restart anything.

🟢
Service Status
tap to flip

Per-service ON/OFF on the ZCC home tab: Internet Security (ZIA), Private Access (ZPA), Digital Experience (ZDX). So what: tells you which service is down, not just "ZCC is broken".

🔐
Authentication Status
tap to flip

Shows Authenticated vs Authenticating vs a login prompt. So what: distinguishes an IdP/SAML problem from a tunnel problem in one glance.

🧪 Lab it ZCC Troubleshooting Simulator →
Warm-up · 3 questions to prime you (no score)

Quick gut-check before we dive — you'll see the real answers as you read. 1. Z-Tunnel 2.0 prefers which transport? 2. Where does ZCC save its log ZIP? 3. If "Internet Security" shows OFF but the user has internet, is the user protected?

Hold those guesses. By the tunnel and lifecycle sections you'll know: (1) DTLS over UDP/443, (2) %ProgramData%\Zscaler\, (3) usually NO — OFF often means fail-open let them straight onto the internet, unprotected.

① Enrollment & Authentication failures

This is where new ZCC rollouts spend most of their pain. The agent installs fine, then can't prove who the user is. The tell is the Authentication Status — if it never reaches Authenticated, the tunnel will never come up, no matter what you do downstream.

Scenario context: Sneha, an L1 helpdesk engineer at Infosys, gets five tickets on Monday after a weekend ZCC push. Each is an auth variant. Here's how she clears them.
An architecture diagram showing the endpoint with ZSATunnel and ZSAService, the Z-Tunnel to the nearest ZEN Service Edge in the Zero Trust Exchange, the IdP for SAML authentication, and forks out to the internet for ZIA and to App Connectors for ZPA private apps. ZCC is the on-ramp: it authenticates the user, then tunnels traffic to the nearest ZEN Laptop (Sneha) ZSATunnel ZSAService IdP (Okta / Entra) SAML assertion ①auth ZEN / Service Edge Zero Trust Exchange 80·443·9400·9480·9443 ②Z-Tunnel (DTLS/443) Internet (ZIA) web / SaaS App Connector (ZPA) private apps ③forward
Figure 1 — Read it left to right: ZCC authenticates to the IdP (①), brings up the Z-Tunnel to the nearest ZEN (②), then forwards to the internet or private apps (③). A failure is always at one of these three joints.
Scenario 1 · Auth

ZCC stuck on "Authenticating…" — endless login / registering loop

Likely causes
  • Stale device token or corrupt local enrollment cache after an OS reimage or clone.
  • System clock skew > 5 minutes — SAML assertions fail signature validation.
  • An SSL-inspecting middlebox (school/hotel proxy, another security agent) breaking the auth TLS.
Diagnosis

On the ZCC home tab, the Authentication Status cycles Authenticating → Registering → back. Open More → Troubleshoot → Export Logs and grep the bundle for the auth handshake.

Windows — confirm clock skew first (the #1 silent cause)
w32tm /query /status
Expected output
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference)
Source: time.windows.com
Last Successful Sync Time: 11/05/2026 09:41:55
Phase Offset: 412.7s   <-- 6+ min skew = SAML will reject
Fix
  • Fix time: w32tm /resync /force (offset must be < ~5 min).
  • Clear the stale enrollment: More → Troubleshoot → Restart Service; if it persists, More → Logout then re-authenticate. Last resort: Repair App.
  • If a middlebox is in the path, allowlist the Zscaler auth domains so they bypass third-party inspection.
Verify

Authentication Status reads Authenticated and the username is correct. Service Status for Internet Security flips ON within ~10 seconds.

Pause & Predict

A user is cloned from a golden image and 40 laptops all show the SAME device in the portal, flapping Authenticating. What single property is shared that shouldn't be?

The device token / machine identity baked into the golden image. ZCC must enrol per-device. If the image was captured with ZCC already enrolled, every clone inherits the same identity and they fight over one registration. Fix: capture images with ZCC installed but not enrolled, or run a SYSPREP/cleanup step that clears the Zscaler device cache before sealing.
Scenario 2 · Auth

SAML / IdP redirect never completes — blank page or "page can't be displayed"

Likely causes
  • Embedded browser vs system browser mismatch — the IdP requires a modern browser ZCC's embedded view doesn't satisfy (common with Conditional Access / device-bound MFA).
  • The user's domain doesn't map to the right IdP (multi-IdP tenant).
  • IdP-side certificate expired — affects all users at once.
Diagnosis

If only some users fail, it's domain→IdP mapping. If everyone fails simultaneously at the same minute, it's an IdP cert/outage. In the ZCC Portal, use the IdP SAML attribute test link to confirm the assertion is returned and well-formed.

Test the IdP SSO URL reachability from the device
curl -I https://<your-org>.okta.com/app/zscaler/sso/saml
Expected output
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000
x-okta-request-id: Yc8a...   <-- reachable; if 5xx/timeout, IdP-side
Fix
  • Switch the ZCC app profile to browser-based authentication (system browser) so Conditional Access and passkeys work.
  • Multi-IdP: verify the user's UPN domain maps to the correct IdP, or pre-assign with the installer's --userDomain option.
  • Expired IdP cert → rotate it in the IdP and re-import metadata into the ZCC Portal.
Verify

The SAML round-trip lands back in ZCC as Authenticated; the SAML attribute test shows the expected NameID and group claims.

Scenario 3 · Auth

ZPA "Unable to validate device certificate" — Private Access won't authenticate

Likely causes
  • An intermediate device is doing SSL inspection on ZCC's own traffic, so the cert ZPA sees isn't the cert Zscaler issued.
  • Faulty / expired certificate on the IdP affecting all users.
  • Device posture profile expects a client cert with a non-exportable private key that's missing.
Diagnosis

Check Service Status → Private Access is OFF while Internet Security is ON — that split points at ZPA-specific cert/posture, not the whole stack. Export logs and look for the cert-validation line.

Confirm nothing is re-signing Zscaler's cert (should be the Zscaler chain)
openssl s_client -connect 10.20.30.40:443 -servername gateway.<cloud>.net </dev/null 2>/dev/null | openssl x509 -noout -issuer
Expected output
issuer=C=US, O=Zscaler Inc., CN=Zscaler Root CA
# If you instead see issuer=O=AcmeProxy or a corporate CA,
# a middlebox is inspecting ZCC traffic — that breaks ZPA cert validation.
Fix
  • Add ZCC processes and Zscaler domains to the inspection-bypass on any other security agent / proxy in the path.
  • Rotate the IdP cert if expired; re-push the device-posture profile so the client cert is re-issued.
Verify

Private Access Service Status flips ON; a known internal app (e.g. jira.corp.local) resolves and loads.

Quick check · Q1 of 10 · Analyze

Rahul at TCS sees ZCC flip Authenticating → Registering in a loop on exactly the 12 laptops that were imaged from one golden VM last night. Every other laptop is fine. What's the root cause?

Correct: b. "Only the cloned batch, everyone else fine" rules out the cloud (a) and the IdP cert (d — that hits everyone). Cloning a ZCC-enrolled image duplicates the device identity. Capture images with ZCC installed-but-not-enrolled, or clear the Zscaler device cache before sealing.

② Tunnel & Traffic-forwarding failures

Auth is green but the user still has no protected internet — or no internet at all. Now the fault is the Z-Tunnel or the forwarding profile. First, the mental model: watch a ZCC session start up and see exactly where it can stall.

▶ Watch a ZCC session start — and break

Press Play. Each stage lights up; the stage where most tickets die turns red.

① START ZSAService launches, ZSATunnel driver loads. Service Status: starting…
② ENROLL Device posts its identity; portal returns policy (App Profile + Forwarding Profile + PAC).
③ AUTH Redirect to IdP → SAML assertion → Authentication Status = Authenticated.
④ TUNNEL Z-Tunnel 2.0 tries DTLS over UDP/443 to the nearest ZEN; falls back to TLS over TCP/443.
⑤ FORWARD Forwarding Profile decides per-network: Tunnel / Tunnel-with-Local-Proxy / Enforce-PAC / None.
⑥ PROTECTED Traffic reaches ZEN. ip.zscaler.com confirms you're on-cloud.
Press Play to step through startup. Each Next advances one stage; the red stage is the most common failure point.

The four Forwarding-Profile actions — tap to learn each

Stage 5 above is the Forwarding Profile. It picks one of four actions per network. Get this wrong and the user is online but unprotected (Scenario 6).

🚇
Tunnel
tap to flip

Native Z-Tunnel interception — no system proxy needed. The production default with Z-Tunnel 2.0. So what: most reliable; survives apps that ignore proxy settings.

🔀
Tunnel + Local Proxy
tap to flip

Web traffic goes to a local listener via system proxy settings. So what: if the proxy/PAC isn't applied, apps bypass ZCC entirely — the classic "not protected" cause.

📄
Enforce PAC
tap to flip

Forces the device to use a PAC file for routing. So what: a stray DIRECT rule in the PAC sends a destination straight out, skipping Zscaler.

None
tap to flip

No traffic control — traffic goes direct. So what: legitimate on a trusted LAN; a disaster if it leaks to off-net, where users browse unprotected.

Scenario 4 · Tunnel

Z-Tunnel won't establish — Authenticated, but no protected traffic

Likely causes
  • A local firewall blocks UDP/443, so DTLS can't form and TLS fallback isn't enabled — tunnel dies.
  • The DTLS connection timeout is too aggressive on a high-latency link.
  • Egress firewall doesn't allow the ZEN ports (80, 443, 9400, 9480, 9443).
Diagnosis

Many guest/corporate firewalls permit TCP/443 but silently drop DTLS on UDP/443. Test it directly.

Is UDP/443 reachable to the ZEN? (PowerShell)
Test-NetConnection gateway.zscalertwo.net -Port 443
# TCP works but DTLS (UDP/443) may still be blocked — confirm with capture
Expected output
ComputerName     : gateway.zscalertwo.net
RemoteAddress    : 165.225.x.x
RemotePort       : 443
TcpTestSucceeded : True   <-- TCP ok; if tunnel still down, UDP/443 is the culprit
Fix
  • Open UDP/443 outbound on the local/egress firewall, OR enable TLS fallback in the forwarding profile (ZCC 3.4+/macOS 3.9+) so it drops to TCP/443 when DTLS fails.
  • Raise the DTLS Connection Timeout (5–60s) on flaky links.
  • Allowlist all ZEN ports (80/443/9400/9480/9443) on the corporate firewall.
Verify

Browse to https://ip.zscaler.com → it reports your ZEN node and "you are connected". Tunnel shows established in logs.

Quick check · Q2 of 10 · Analyze

On hotel Wi-Fi, Priya's ZCC is Authenticated but every site times out. Test-NetConnection gateway:443 returns TcpTestSucceeded: True. Z-Tunnel 2.0 is set to DTLS-only. Most likely cause?

Correct: a. TCP/443 succeeds, so it's not a cert (b — auth was green anyway) or a total block. DTLS-only + UDP/443 dropped = no tunnel. Enable TLS fallback so ZCC drops to TCP/443. If the action were None (d) traffic would go direct and work, not time out.
Scenario 5 · Tunnel

ZSAService / ZSATunnel not running — driver fault, ZCC tray greyed out

Likely causes
  • The ZSATunnel network driver (LWF) failed to load after a Windows update.
  • ZSAService crashed or was stopped by another endpoint tool.
  • Corrupt install after an interrupted upgrade.
Diagnosis

The Windows ZCC processes are ZSATray.exe (UI), ZSATrayManager.exe (SYSTEM service), ZSATunnel.exe and ZSAService.exe. On macOS: ZscalerTunnel, ZscalerService. Check they're alive.

Windows — is the service running?
sc query ZSAService
tasklist | findstr /i "ZSATunnel ZSAService ZSATrayManager"
Expected output
SERVICE_NAME: ZSAService
        STATE              : 4  RUNNING
ZSATunnel.exe                  7220 Services    0    44,128 K
ZSATrayManager.exe             6184 Services    0    51,402 K
# If STATE is STOPPED or ZSATunnel is absent, the driver/service failed.
Fix
  • First try More → Troubleshoot → Restart Service — reloads ZSAService and the tunnel driver without a reboot.
  • Driver still won't load → More → Troubleshoot → Repair App, then reboot.
  • Persistent crash → collect logs, uninstall (you may need the ZCC uninstall/disable password), reinstall the matched build.
Verify

sc query ZSAService shows RUNNING and ZSATunnel.exe is in the task list; the ZCC tray icon goes from grey to active.

Pause & Predict

A developer says "ZCC is on and Authenticated, but my git clone over SSH (port 22) fails while the browser works fine." Z-Tunnel 1.0 is in use. Why?

Z-Tunnel 1.0 only tunnels web ports (80/443). SSH on TCP/22 isn't carried, so it leaks direct and the corporate firewall may drop it. Z-Tunnel 2.0 tunnels all ports and protocols. Fix: move the forwarding profile to Z-Tunnel 2.0 — this is exactly why 2.0 is the production default.
Scenario 6 · Forwarding

Traffic not forwarding to Zscaler — user has internet, but it's not protected

Likely causes
  • Forwarding Profile action for the current network is set to None (often the on-trusted-network setting bleeding to off-net).
  • Tunnel with Local Proxy chosen but the system proxy / PAC isn't applied, so apps ignore the local listener.
  • A PAC file DIRECT rule is sending the destination straight out.
Diagnosis

ip.zscaler.com says "you are not using Zscaler". In Tunnel with Local Proxy mode, ZCC forwards web traffic to a local listener via system proxy settings; if those aren't set, traffic bypasses. Confirm the profile and the PAC.

Where is my traffic actually going? (Windows)
curl -s https://ip.zscaler.com/getZpaServerInfo 2>/dev/null & echo --- & netsh winhttp show proxy
Expected output
Current WinHTTP proxy settings:
    Proxy Server(s) :  127.0.0.1:9000   <-- ZCC local listener = forwarding active
    Bypass List     :  <-loopback>
# If "Direct access (no proxy server)" in TWLP mode, proxy wasn't applied.
Fix
  • Set the off-trusted-network Forwarding Profile action to Tunnel (Z-Tunnel 2.0) so it works without relying on system proxy.
  • Staying on Tunnel-with-Local-Proxy → enable "Redirect Web Traffic to Zscaler Client Connector Listening Proxy" under Z-Tunnel 2.0 Transport Settings so web requests hit the local listener.
  • Audit the PAC for a DIRECT rule matching the destination.
Verify

ip.zscaler.com reports your ZEN; the Web Insights log in the ZIA portal shows the user's requests arriving.

Scenario 7 · Forwarding

Teams / Zoom calls drop or stutter only on ZCC — MTU / fragmentation

Likely causes
  • Tunnel encapsulation overhead pushes packets over the path MTU; large frames fragment or get dropped.
  • UCaaS (Teams/Zoom) not bypassed, so latency-sensitive media rides the tunnel.
Diagnosis

Calls fail specifically when ZCC is ON; turning ZCC off "fixes" it (a classic MTU tell). Find the largest unfragmented packet to the ZEN.

Find the path MTU (don't-fragment ping)
ping -f -l 1472 gateway.zscalertwo.net
Expected output
Packet needs to be fragmented but DF set.   <-- 1472 too big
# Step down (1452, 1422...) until replies succeed; that + 28 = path MTU.
Reply from 165.225.x.x: bytes=1422 time=24ms TTL=54   <-- works
Fix
  • Configure recommended UCaaS bypasses so Teams/Zoom media goes direct (Zscaler publishes the bypass list).
  • If media must stay tunnelled, lower the tunnel MTU to the discovered path MTU.
Verify

A 10-minute Teams call holds with ZCC ON; the UCaaS app shows direct media, no tunnel hop.

🧪 Lab it Reproduce tunnel + forwarding faults →

③ Network detection & environment failures

Now the trickiest class: ZCC works perfectly in the office, breaks on the road — or the reverse. The agent is making a where am I? decision, and getting it wrong. Use this decision tree as your first 30-second triage.

A decision tree: start at the symptom, branch on whether Authentication Status is Authenticated, then whether the tunnel is up, then whether traffic is forwarded, ending in the likely root cause for each branch. "ZCC not working" Authentication = Authenticated? NO Clock skew · IdP/SAML ·stale device token YES Z-Tunnel established? NO UDP/443 blocked · no TLSfallback · service stopped YES Traffic reaching ZEN? NO Forwarding=None · trusted-netwrong · captive portal · PAC YES Look at policy: SSL inspect,posture, URL/app rules
Figure 2 — Walk it top-down: each NO sends you to a specific root-cause cluster. If everything is YES, the problem is policy (SSL inspection / posture / rules), not the agent — jump to section ④.
Scenario 8 · Detection

Trusted-network detected wrong — on-network treated as off (or vice-versa)

Likely causes
  • Trusted Network Criteria rely on a dynamic property (Hostname/IP resolution) that fails during a network transition, so ZCC mis-classifies the network.
  • VPN or split-DNS makes a remote network resolve the internal DNS suffix, so off-net looks on-net.
Diagnosis

Zscaler recommends static criteria — DNS Server and DNS Search Domains — over dynamic hostname resolution, precisely because a failed resolve makes ZCC apply the wrong forwarding action. Check what the device actually resolves.

What DNS suffix + server does the device see right now?
ipconfig /all | findstr /i "Search Suffix DNS Servers"
Expected output
   Connection-specific DNS Suffix  . : corp.infosys.local
   DNS Servers . . . . . . . . . . . : 172.16.10.10
                                       172.16.10.11
# On-net should match Trusted Network Criteria; off-net must NOT.
Fix
  • Rebuild Trusted Network Criteria on static properties (DNS Server IPs + DNS Search Domains) instead of hostname/IP resolution.
  • If a VPN leaks the internal suffix off-net, scope criteria with multiple conditions (ALL logic) so a single leaked attribute can't flip the verdict.
Verify

ZCC shows On Trusted Network only at the office and Off Trusted Network elsewhere; the matching forwarding action applies each time.

Quick check · Q3 of 10 · Apply

Aditya's laptop randomly flips between On/Off Trusted Network at his desk, applying the wrong forwarding action. The criteria use a Hostname that must resolve to 172.16.10.50. What's the most robust fix?

Correct: b. The flip is caused by intermittent hostname resolution — a dynamic property. Zscaler explicitly recommends static criteria (DNS Server, DNS Search Domains) because a failed resolve makes ZCC mis-detect the network. Reinstalling (a) doesn't change the criteria; (c) and (d) break protection.
Scenario 9 · Detection

"Captive Portal Detected" — stuck on hotel / airport Wi-Fi ("captive-portal hell")

Likely causes
  • ZCC tries to tunnel before the user signs in to the Wi-Fi splash page, so the portal never loads — and ZCC stays in captive-portal detention even after the portal is gone.
  • Older ZCC builds kept showing the portal even when detection was disabled (a long-standing bug across 3.6–4.2).
Diagnosis

The user sees a persistent "Captive Portal Detected" state. Pasting the splash URL into a browser works — proof ZCC is intercepting the portal it should be letting through.

Confirm a captive portal is actually present
curl -sI http://www.gstatic.com/generate_204
Expected output
HTTP/1.1 302 Found
Location: https://hotel-wifi.example.com/login   <-- redirect = captive portal
# A clean network returns: HTTP/1.1 204 No Content (no redirect)
Fix
  • Train users to complete Wi-Fi sign-in before ZCC fully enrolls/connects; tap the ZCC captive-portal prompt to open the splash page.
  • Tune captive portal detection in the app profile (hostname/IP it probes) so it correctly releases once the portal clears.
  • Upgrade to a build with the captive-portal fixes (4.2.0.198+); the toggle to disable detection actually works there.
Verify

After Wi-Fi sign-in, ZCC leaves the captive-portal state on its own and the tunnel comes up; generate_204 returns 204.

Scenario 10 · Coexistence

Partner AV / firewall / VPN conflict — ZCC and another agent fight over the stack

Likely causes
  • A third-party VPN or EDR also installs a network filter driver; two filters mangle the same packets.
  • Another agent SSL-inspects ZCC's traffic, breaking auth/tunnel.
  • Endpoint firewall blocks ZSATunnel from opening its listener.
Diagnosis

ZCC works after a clean boot, then degrades when the VPN/EDR starts. Capture both adapters with More → Troubleshoot → Start Packet Capture and look for double-encapsulation or resets.

List network filter drivers (Windows) — who else is in the stack?
netsh winsock show catalog | findstr /i "Zscaler VPN Layered"
Expected output
Winsock Catalog Provider Entry
  Description       : Zscaler LSP
  Description       : AcmeVPN Layered Service Provider   <-- 2nd filter = conflict risk
# Two layered providers competing on the same flows = packet mangling.
Fix
  • Follow Zscaler's VPN-interoperability best practice: order the agents, or set the third-party VPN to split-tunnel so it doesn't grab Zscaler's traffic.
  • Add ZCC processes to the AV/EDR allowlist and exclude Zscaler domains from any other SSL inspection.
Verify

ZCC stays connected with the other agent running; the capture shows clean single-encapsulated tunnel traffic.

Scenario 11 · Performance

Everything slow — ZCC connected to a far-away ZEN data center

Likely causes
  • ZCC latched onto a distant ZEN (e.g. a Mumbai user pinned to a Singapore node) after travel or a DNS quirk.
  • ISP routing the user to a sub-optimal Zscaler region.
Diagnosis

ip.zscaler.com shows the connected ZEN city. If it's far from the user, latency is the problem, not bandwidth.

Which ZEN am I on, and how far?
curl -s https://ip.zscaler.com | findstr /i "Zscaler City"
Expected output
Your request is arriving at this server from the IP address 165.225.x.x
You are connected to Zscaler. ZEN: SINGAPORE   <-- a Lucknow user should be on a closer node
RTT to ZEN: 78 ms   <-- high for a domestic user
Fix
  • More → Troubleshoot → Restart Service forces re-selection of the nearest ZEN.
  • If it keeps picking a far node, raise a Zscaler support case to check sub-cloud / geo steering for that egress IP.
Verify

ip.zscaler.com now shows a nearby ZEN; ZDX (Digital Experience) page-load scores recover.

④ SSL inspection, device posture & lifecycle

Read as:

L1 view: do the safe, reversible steps — restart service, check time, escalate with logs. The deeper fixes below are tagged for L2/L3.

When auth, tunnel and forwarding are all green but specific apps misbehave, the agent is fine — your policy is the problem. This is the aha-moment of ZCC support: a perfectly healthy ZCC will still "break" apps if SSL inspection or posture is wrong. Stop poking the client; read the policy.

Scenario 12 · SSL

Teams / banking app breaks under SSL inspection — cert-pinning conflict

Likely causes
  • The app uses certificate pinning; Zscaler re-signs the TLS, the app sees a "wrong" cert and refuses.
  • The Zscaler intermediate CA isn't trusted on the device.
Diagnosis

Browser sites work but the pinned app (Teams desktop, a banking app) fails with a TLS/cert error. The ZIA SSL Inspection log shows the flow being decrypted.

What cert does the app's endpoint present right now?
openssl s_client -connect teams.microsoft.com:443 </dev/null 2>/dev/null | openssl x509 -noout -issuer
Expected output
issuer=O=Zscaler Inc., CN=Zscaler Intermediate CA   <-- being inspected
# A pinned app wants Microsoft's own issuer; the Zscaler issuer trips the pin and the app dies.
Fix
  • Add the app's domains to the SSL Inspection bypass (Do Not Inspect) so the original cert reaches the app. Keep the bypass tight — bypassing also blinds IPS/File-Type/DLP for that flow.
  • Ensure the Zscaler intermediate CA is deployed to the device trust store for everything you do inspect.
Verify

The app connects; openssl ... -issuer on the bypassed domain shows the app's own CA, not Zscaler's.

Scenario 13 · Posture

Device posture failing — access denied even though ZCC is connected

Likely causes
  • A posture check no longer matches: disk-encryption off, AV (CrowdStrike/Defender/SentinelOne) not running, OS below the required version, or a missing client cert / registry / file artifact.
  • CrowdStrike ZTA score below the configured threshold.
Diagnosis

ZPA access to a posture-gated app is blocked while non-gated apps work. The ZCC/ZPA log names the specific failed posture profile.

Check the artifacts posture usually validates (Windows)
manage-bde -status C: | findstr /i "Conversion Protection"
sc query CSFalconService
Expected output
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On       <-- disk-encryption posture PASS
SERVICE_NAME: CSFalconService
        STATE              : 4  RUNNING        <-- AV posture PASS
Fix
  • Remediate the failed artifact (enable BitLocker, start the AV service, patch the OS).
  • If the posture profile is over-strict, adjust the criteria or the ZTA threshold in the portal and re-evaluate.
Verify

The posture-gated app loads; ZPA Diagnostics shows the posture profile as Satisfied.

Pause & Predict

Auth, tunnel, forwarding all green. ip.zscaler.com confirms on-cloud. But the in-house HR app at hr.corp.local throws a cert error only on managed laptops. Where do you look — client or policy?

Policy — not the client. A fully healthy ZCC still resigns TLS if SSL Inspection covers that domain. The in-house app's cert (or pinning) clashes with the Zscaler-resigned cert. Add hr.corp.local to SSL Inspection bypass, or deploy the Zscaler intermediate CA to those laptops. Restarting ZCC would waste your time here.
Scenario 14 · Lifecycle

ZCC upgrade / auto-update stuck or failing

Likely causes
  • The ZSAUpdater can't reach the update host, or an antivirus is quarantining the new build.
  • The app-profile update rule (gradual rollout) hasn't reached this device yet — it isn't actually stuck.
  • Insufficient privileges / a previous partial install left a lock.
Diagnosis

ZCC checks for software updates roughly every 2 hours. Confirm whether the device is even targeted before assuming failure; then check updater reachability.

Force a policy refresh, then confirm version
"C:\Program Files (x86)\Zscaler\Zscaler\ZSATray.exe" --updatePolicy
# then read the running version
reg query "HKLM\SOFTWARE\WOW6432Node\Zscaler Inc.\Zscaler" /v ProductVersion
Expected output
ProductVersion    REG_SZ    4.2.0.198
# Compare against the target build in the ZCC Portal's update rule.
Fix
  • More → Troubleshoot → Update Policy to pull the latest update rule immediately.
  • Allowlist the Zscaler update host on the firewall/AV; exclude ZCC install paths from quarantine.
  • Stuck partial upgrade → Repair App, or uninstall (with disable password) and install the target build.
Verify

ProductVersion matches the portal's target build; the tray reports the new version with no pending-update banner.

Scenario 15 · Lifecycle

"Internet Security is Off" — and the user is browsing happily (fail-open trap)

Likely causes
  • ZCC couldn't reach a ZEN, so fail-open let traffic go direct — the user is online but unprotected.
  • A user with the disable password turned the service off, or strict enforcement isn't configured.
Diagnosis

This is the dangerous one — it looks healthy. Internet works, so no one raises a ticket, but Web Insights shows zero traffic for that user. Fail-open trades security for uptime; fail-close would have blocked internet instead.

Are they actually protected? (the only test that matters)
curl -s https://ip.zscaler.com | findstr /i "not using"
Expected output
The request is NOT going through the Zscaler service.
# Confirmed: fail-open let them out direct. "Internet works" != "protected".
Fix
  • Fix the underlying tunnel/reachability problem (sections ② / ③) so ZCC reconnects and Internet Security flips back ON.
  • Review Fail-Open settings: for high-security tenants prefer fail-close (or a short fail-open timeout). Remove the user-facing disable password unless support genuinely needs it; enforce strict-enforcement so users can't simply switch protection off.
Verify

ip.zscaler.com reports "you are connected to Zscaler"; Web Insights shows the user's requests flowing again.

Scenario 16 · Toolbox

Nothing obvious — you need to escalate: export logs + packet capture the right way

When to use

You've localized the hop but the root cause isn't visible from the UI — or Zscaler support asks for a log bundle. Do it in the right order so the capture actually contains the failure.

Procedure (order matters)
  • 1. More → Clear Logs — start fresh so the bundle isn't 90% noise.
  • 2. More → Troubleshoot → Start Packet Capture.
  • 3. Reproduce the issue.
  • 4. More → Troubleshoot → Stop Packet Capture.
  • 5. More → Support → Export Logs → save the ZIP.
CLI alternative + where the files land (Windows)
"C:\Program Files (x86)\Zscaler\Zscaler\ZscalerSupportTool.exe" /log
dir "%ProgramData%\Zscaler\"
Expected output
Directory of C:\ProgramData\Zscaler
log-48172\
CaptureAdapters_20260530T1144.pcap
CaptureLWF_20260530T1144.pcap
ZSALogs_20260530.zip      <-- attach this to the support case
# macOS path: /Library/Application Support/com.zscaler.Zscaler
Verify

The ZIP and both .pcap files exist with a timestamp inside your repro window. Packet capture must be enabled for the device in the ZCC Portal first.

🧪 Lab it Practice log export + capture →
Quick check · Q4 of 10 · Evaluate

A 6,000-seat BFSI tenant debates Fail-Open vs Fail-Close for ZCC. Compliance demands no unprotected internet; the business wants no hard outages. What's the defensible call?

Correct: b. "No unprotected internet" rules out fail-open (a) and self-serve disable (c) — both let users onto the internet without inspection. Fail-close with a short fail-open timeout + strict enforcement satisfies compliance while a small grace window prevents transient blips from becoming outages. Disabling SSL inspection (d) guts the security model.

One-glance cheat-sheet — symptom → first action

Pin this. When a ticket lands, match the symptom and do the first action before anything else.

Six tiles mapping a common ZCC symptom to the first diagnostic action: stuck authenticating to check clock and restart service; tunnel down to test UDP 443 and enable TLS fallback; not protected to check ip.zscaler.com and forwarding profile; captive portal to sign in to Wi-Fi first; app breaks to bypass SSL inspection; internet security off to verify with ip.zscaler.com. ZCC field cheat-sheet — symptom → first move Stuck "Authenticating" → w32tm /resync /force → More ▸ Restart Service → Logout / re-auth Tunnel won't come up → test UDP/443 to ZEN → enable TLS fallback → allow 80/443/9400/9480/9443 Online but not protected → check ip.zscaler.com → Forwarding ≠ None → verify PAC / proxy set Captive portal stuck → sign in to Wi-Fi FIRST → tap portal prompt → upgrade to 4.2.0.198+ One app breaks → check cert issuer → SSL Inspection bypass → deploy Zscaler CA "Internet Security Off" → ip.zscaler.com (real test) → fix tunnel reachability → review fail-open policy Always start here: More ▸ Troubleshoot (Restart Service · Repair App · Update Policy · Packet Capture) Logs ▸ %ProgramData%\Zscaler\ · macOS ▸ /Library/Application Support/com.zscaler.Zscaler Truth test for "am I protected?" = https://ip.zscaler.com
Figure 3 — Six top symptoms, the first action for each, and the two constants: the More menu and ip.zscaler.com. Print this for the helpdesk wall.
A left-to-right sequence: install and enroll, authenticate via IdP, build Z-Tunnel, apply forwarding profile, reach ZEN. Below each step a red marker lists the failure that happens at that step. The five steps — and what kills each one 1. Enroll 2. Authenticate 3. Z-Tunnel 4. Forward 5. ZEN ✓ Fails: cloned devicetoken, stalecache, nopolicy pulled Fails: clock skewSAML / IdP certembedded vssystem browser Fails: UDP/443 blockedno TLS fallbackZSAService /driver stopped Fails: action = Nonetrusted-net wrongcaptive portalPAC DIRECT
Figure 4 — The same five steps as the visualizer, now with each step's failure list underneath. Find your step, read its failures, and you've shortlisted the cause.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this ZCC lesson. No login, no waiting.

Pre-curated from Zscaler Help docs + community Q&A + the ZDTA blueprint. For live prod issues, paste your ip.zscaler.com output + log bundle into chat.techclick.in.

📝 Wrap-up assessment — six more

You answered 4 inline. Six left. 70% (7 of 10) marks this lesson complete on your profile. Answer all, then tap Submit all answers.

Q5 · Remember

Z-Tunnel 2.0's preferred (primary) transport is:

Correct: a. Z-Tunnel 2.0 prefers DTLS (TLS over UDP) on port 443 for low latency, falling back to TLS over TCP/443 when UDP is blocked. That fallback is exactly why DTLS-only configs break on firewalls that drop UDP/443.
Q6 · Apply

A user reports ZCC "stuck on Authenticating". Before escalating, which single check most often resolves it on the spot?

Correct: c. Clock skew is the most common silent cause of auth loops — SAML signatures fail when the device time drifts. Check and resync first. Reinstalling (a) or disabling the firewall (d) are over-corrections; bandwidth (b) is unrelated to auth.
Q7 · Apply

You need to send Zscaler support a useful capture of an intermittent issue. What's the correct order?

Correct: b. Clear logs first so the bundle isn't noise, start the capture, reproduce, stop, then export. Exporting before reproducing (a) misses the event; a screenshot (c) lacks the packet/log detail; rebooting (d) destroys the very state you need.
Q8 · Analyze

Auth, tunnel and forwarding are all green; ip.zscaler.com confirms on-cloud. Only the Teams desktop app fails with a certificate error. Root cause?

Correct: d. When the agent is fully healthy but one pinned app throws a cert error, it's policy: SSL inspection resigned the cert and cert-pinning rejected it. Add the domain to SSL Inspection bypass. The tunnel (a), posture (b) and trusted-network (c) are all green here.
Q9 · Analyze

A user's ZCC home tab shows "Internet Security: Off" but they're browsing the internet normally and raised no ticket. What is most likely true?

Correct: c. "Off" + working internet is the fail-open trap — ZCC lost the cloud and let traffic out direct to preserve uptime. They are unprotected even though nothing looks broken; ip.zscaler.com will say "not going through Zscaler". (a) is the dangerous misread; (b) contradicts "Off"; (d) would block internet, not allow it.
Q10 · Evaluate

A team plans a ZCC golden image to deploy 500 laptops, and wants to "pre-enrol" ZCC in the image so users skip first-run auth. Is this sound?

Correct: d. ZCC enrolment must be per-device. A pre-enrolled golden image clones one identity, and the clones collide in a registration loop. Install ZCC in the image but enrol on first boot (or clear the Zscaler device cache pre-seal). A shared token (b) is the same mistake; disabling 2.0 (c) is unrelated and harmful.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10). Re-read the section that tripped you up and tap "Try again".
🧠 In your own words (the step that locks it in)

In 2 lines: a user says "ZCC is on but I have no internet, and it's NOT a captive portal." What are the first two things you check, and why?

Model answer: (1) ip.zscaler.com — is traffic even going through Zscaler, or did fail-open let it out direct? (2) The Forwarding Profile action for this network — is it accidentally None, or is Tunnel-with-Local-Proxy not applying the system proxy? Auth being green means the problem is downstream of authentication: tunnel or forwarding.
📣 Teach a friend (you understand it when you can explain it)

Tap to generate a one-liner you can paste to a colleague — then tweak it in your own voice.

Paste this: "ZCC troubleshooting in one line: don't blame the cloud — localize the fault. Check Authentication Status, then is the Z-Tunnel up (DTLS UDP/443, with TLS fallback), then is traffic actually forwarded (ip.zscaler.com). The More menu (Restart Service / Repair App / Packet Capture) fixes most of it."
📩 Quiz me again later (spaced recall)

Memory fades in 48 hours unless you revisit. Opt in and we'll email you 3 micro-questions on this lesson at Day 1, Day 7 and Day 30.

Done. You're on the spaced-recall list for this lesson. Watch your inbox — 3 quick questions, no spam.

📚 Sources

  1. Zscaler Help — Troubleshooting Zscaler Client Connector & Connection Status Errors. help.zscaler.com
  2. Zscaler Help — Zscaler Client Connector Traffic Forwarding Troubleshooting Runbook. help.zscaler.com
  3. Zscaler Help — About Z-Tunnel 1.0 & Z-Tunnel 2.0 + Best Practices for Deploying Z-Tunnel 2.0 (DTLS UDP/443, TLS fallback). help.zscaler.com
  4. Zscaler Help — Configuring Trusted Networks & Configuring Forwarding Profiles (static vs dynamic criteria). help.zscaler.com
  5. Zscaler Help — ZPA / Private Access Authentication Errors & Configuring Fail-Open Settings. help.zscaler.com
  6. Zscaler Help — Enabling Packet Capture & Zscaler Client Connector Processes to Allowlist (ZSATunnel / ZSAService / ZSATrayManager; macOS ZscalerTunnel). help.zscaler.com
  7. Zscaler Community (Zenith) — "ZCC in Authentication/Registering constant loop", "Captive Web Portal issues", "Long-Standing Captive Portal Issue", "ZTunnel 2.0, DTLS/TLS, MTU". community.zscaler.com
  8. Zscaler — ZDTA (Digital Transformation Administrator) Exam Blueprint (Basic Connectivity 20%, Platform Services 15%; localize-the-fault method, ZCC packet-capture path). zscaler.com
  9. SecureDynamics / SMU IT KB — Exporting Logs from Zscaler Client Connector with Packet Captures (More → Support → Export Logs; %ProgramData%\Zscaler; CaptureAdapters/CaptureLWF .pcap). securedynamics.net
  10. Nexthink Docs — Zscaler troubleshooting usage guide (Get Zscaler status / Start Zscaler remote actions; ZSAService). docs.nexthink.com

📖 Glossary

ZCC (Zscaler Client Connector)
The endpoint agent that authenticates the user and forwards their traffic into the Zscaler Zero Trust Exchange.
ZEN / Service Edge
The Zscaler enforcement node the tunnel connects to. Accepts traffic on 80, 443, 9400, 9480 and 9443.
Z-Tunnel 1.0 vs 2.0
1.0 tunnels only web ports (80/443) over TLS. 2.0 tunnels all ports/protocols, preferring DTLS over UDP/443 with TLS fallback.
DTLS
Datagram TLS — TLS over UDP. Lower latency than TCP-based TLS; Z-Tunnel 2.0's primary transport.
Forwarding Profile
The per-network rule that decides how ZCC sends traffic: Tunnel, Tunnel-with-Local-Proxy, Enforce-PAC, or None.
Trusted Network
A network ZCC recognises as your corporate LAN (via DNS server, search domains, etc.), so it can apply on-net behaviour.
SAML / IdP
The identity handshake. The IdP (Okta, Entra ID…) returns a signed SAML assertion that ZCC uses to authenticate the user.
Fail-open / Fail-close
What ZCC does when it can't reach a ZEN: fail-open lets traffic out direct (online but unprotected); fail-close blocks internet (protected but offline).
Device Posture
Checks (disk encryption, AV running, OS version, client cert) a device must pass before ZPA grants access.
ZSATunnel / ZSAService
Core Windows ZCC processes — the tunnel driver and the main service. macOS equivalents: ZscalerTunnel, ZscalerService.

What's next?

Now you can fix the client. Next, go up the stack: how the ZIA policy pipeline decides allow/deny once traffic reaches the ZEN — Cloud Firewall, DNS Control, File Type and IPS, in order.

Next · ZIA Security Controls Deep-Dive → Practice on exam.techclick.in

— Techclick Team