Zscaler ZPA Performance & MTU — Why Private Apps Feel Slow

Sneha's ERP app "works" but lags on every click. The connector is healthy and idle. Latency is uniform — typing, clicking, page loads all carry the same ~150–200 ms penalty.

• The client landed on a far Public Service Edge (Bengaluru user brokered through an EU/US ZEN)
• Geo/sub-cloud or steering policy points users at a distant region
• Closer ZENs are unreachable (firewall/PAC), so the client fell back to a far one

First confirm which Service Edge was chosen — ZPA Admin > Diagnostics, and ZDX Cloud Path for the user. Then measure the path from the connector host.

mtr -rwzbc20 erp.tcs.local

HOST: conn01            Loss%  Snt   Avg  Best  Wrst
  1.|-- gw.mum.dc            0.0%   20   0.4   0.3   0.9
  2.|-- zen-fra.zscaler       0.0%   20 158.6 152.1 171.0   # Frankfurt ZEN!
  3.|-- erp.tcs.local         0.0%   20   1.1   0.9   2.3
# 158 ms enters at the Service Edge, not the app — geo problem

Steer users to a near ZEN: allowlist the closer Service-Edge ranges, correct the sub-cloud/geo policy, and confirm the right region. For a critical site, deploy a Private Service Edge near the users so brokering stays local. (Connector placement is SCN-02.)

ZDX Cloud Path shows a nearby ZEN; mtr RTT drops from ~160 ms to < 20 ms. Sneha reports the app feels instant again.

The ZEN is near and fine, but the app is still laggy. The connector that serves this app sits in a different region/DC than the app server, so the connector↔app leg carries the latency.

The App Connector is deployed far from the app (e.g. a Mumbai connector serving an app hosted in Singapore over a slow inter-DC link). ZPA can't make that leg shorter — only closer placement can.

The mtr spike is now on the last hop (connector → app), not at the ZEN.

mtr -rwzbc20 erp.tcs.local

HOST: conn-mum          Loss%  Snt   Avg  Best  Wrst
  1.|-- zen-mum.zscaler       0.0%   20   3.2   2.9   4.8   # ZEN is near ✓
  2.|-- inter-dc.link         0.0%   20  74.5  71.0  89.2   # slow WAN to SG
  3.|-- erp.sg.tcs.local      0.0%   20  76.1  73.4  91.0   # app in Singapore

Deploy an App Connector in the same region/DC as the app and map that connector group to the app's server group. Keep the connector-to-app hop short — that's the leg ZPA cannot accelerate.

A local connector now serves the app; mtr to the app drops to single-digit ms, and ZDX page-load times fall for users hitting that app.

A big Infosys campus has many users on one latency-sensitive app (voice/CAD/trading). Even the nearest Public Service Edge adds enough hairpin latency to annoy them — brokering happens out in the Zscaler cloud, not on-site.

Public Service Edges are shared and live in Zscaler data centres. For a dense site with strict latency needs, the round-trip to even a regional ZEN is the floor — and a Private Service Edge on-site removes that floor.

ZDX Cloud Path shows the bulk of latency sitting on the user→ZEN leg even after picking the closest public ZEN.

ping -c5 zen-mum.private.zscaler.com

5 packets transmitted, 5 received, 0% loss
rtt min/avg/max = 22.1/24.8/29.0 ms   # ~25 ms floor to the nearest public ZEN

Deploy a Private Service Edge inside the campus/DC and steer that site's users to it. Brokering now happens locally; the user→ZEN leg drops to LAN latency.

ZDX Cloud Path shows the site's users on the Private Service Edge; the user→ZEN leg falls from ~25 ms to ~1–2 ms, and the app feels native.

"Laggy app" tickets keep coming and the team keeps guessing. You need the evidence of which Service Edge a user actually used and where the latency lives — before you change anything.

Without ZPA Diagnostics + ZDX, "slow" is a feeling. The selected ZEN, the per-leg RTT, and the page-load breakdown are all visible in the portal — guessing wastes hours.

In the ZPA Admin Portal open Diagnostics for the user's session to see the selected Service Edge and connector. In ZDX → Cloud Path / Web Probes, read per-hop latency and page-load for that exact app. Then corroborate from the connector host.

mtr -rwzbc20 erp.tcs.local
ping -c4 erp.tcs.local

ZDX Cloud Path: user→ZEN 9ms · ZEN→conn 4ms · conn→app 2ms = 15ms ✓
mtr: no hop > 15 ms, 0% loss   # latency is healthy — look at MTU/capacity next

If a far ZEN or far connector shows up, fix per SCN-01/02/03. If latency is clean (like above), you've ruled out geo — move to Bucket 2 (MTU) or Bucket 3 (capacity). Naming the bucket is the fix here.

You can state, with ZDX evidence, which ZEN and connector served the session and where each millisecond went — and route the ticket to the right bucket instead of guessing.

Rahul's small requests and ping succeed, but a large file copy, an SMB share, or RDP redraw hangs and never completes. No errors in the app — it just stalls.

The path MTU is lower than the sender assumes. The TLS-wrapped microtunnel (and any overlay/VPN/cloud underlay on the connector's path) leaves less room than 1500 B, so full-size DF packets are dropped silently at the narrow hop.

Probe the path MTU from the connector host: send a Don't-Fragment packet and shrink the size until it passes. The payload size + 28 (IP+ICMP headers) = the MTU you're testing.

ping -M do -s 1472 10.30.10.20   # 1472 + 28 = 1500
ping -M do -s 1372 10.30.10.20   # 1372 + 28 = 1400
tracepath 10.30.10.20

ping -s 1472: ping: local error: message too long, mtu=1400
ping -s 1372: 1380 bytes from 10.30.10.20: icmp_seq=1 ttl=63 time=1.9 ms
tracepath:   2:  10.30.0.1      0.6ms pmtu 1400   # this hop lowered the MTU

Size traffic to the real path MTU: clamp MSS on the connector's gateway (e.g. --set-mss 1360 for a 1400 MTU path) or lower the connector NIC MTU. MSS clamping is preferred — it fixes TCP without breaking PMTUD for everything else.

# on the connector's L3 gateway / host firewall:
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
  -j TCPMSS --clamp-mss-to-pmtu
# or pin it explicitly:  -j TCPMSS --set-mss 1360

ping -M do -s 1372 10.30.10.20 succeeds, the 2 GB copy completes at full rate, and RDP stops freezing on redraw.

An app segment is noticeably slower than its neighbours on the same connector, and connectors serving it run hotter and report less health-check headroom — even though latency to the ZEN is fine.

Double Encryption is enabled on that segment. It adds a second TLS layer — more CPU per packet, ~40 B more MTU tax, and it roughly halves the connector's health-check headroom. Unless a compliance mandate requires it, it's pure overhead.

Check the segment's Double Encryption setting in the portal, and watch per-packet CPU on the connector while the slow segment is in use.

top -b -n1 | grep zpa-connector
ss -tn state established | wc -l   # active sessions on this connector

2041 zscaler  ... zpa-connector  61.0 %CPU   # high for the session count
# Portal: App Segment "Build-Farm" → Double Encryption = ENABLED

In Application Segments, disable Double Encryption for that segment unless a specific policy requires the second TLS layer. The microtunnel is already TLS-encrypted end to end — the second layer is redundant for most apps.

Per-packet CPU drops, the segment's throughput rises, usable MTU recovers ~40 B, and the connector's health-check headroom roughly doubles back.

The connector runs in a cloud VPC or behind an IPsec/SD-WAN overlay. Some apps are flawless; one app that pushes big frames intermittently hangs — and only for users whose path crosses the overlay.

The overlay/underlay (GENEVE/VXLAN/IPsec) lowers the effective MTU on that leg. PMTUD relies on ICMP "fragmentation needed" coming back — but many clouds/firewalls drop that ICMP, so the sender never learns and keeps black-holing.

tracepath names the hop that drops the MTU; confirm the ICMP "needed" message isn't being filtered.

tracepath 10.30.10.20
ping -M do -s 1422 10.30.10.20   # test the suspected overlay MTU (1450)

 1:  10.30.0.1        0.5ms
 2:  vpc-overlay-gw   0.9ms pmtu 1450   # overlay drops MTU to 1450
ping -s 1422: ... 0% packet loss   # 1450 passes; 1500 was black-holed

Clamp MSS to the overlay MTU (e.g. --set-mss 1410 for a 1450 path), and allow ICMP type 3 code 4 ("fragmentation needed") through the firewalls so PMTUD can work for the rest. Lowering the connector NIC MTU to the overlay value is the blunt fallback.

ping -M do passes at the overlay MTU, the intermittent hang disappears for overlay-path users, and big frames complete.

You lowered MTU / clamped MSS and "it seems fine now" — but you can't prove the black-hole is gone, and it sometimes comes back after a network change.

"Seems fine" isn't a test. The only deterministic proof is a Don't-Fragment ping at the corrected size succeeding, plus a real large transfer completing — not a casual click that happens to use small packets.

Run the DF ping at the size your clamp/MTU allows, then drive real bulk traffic and watch it finish.

ping -M do -s 1400 10.30.10.20   # NOTE: tests 1428 MTU; use a size ≤ path MTU − 28
ping -M do -s 1372 10.30.10.20   # 1400-MTU path: this must pass
# then drive real bulk traffic:
scp bigfile.iso user@10.30.10.20:/tmp/

ping -s 1372: 5 packets transmitted, 5 received, 0% packet loss
bigfile.iso  100%  2048MB  112.4MB/s   00:18   # completes at line rate

If the DF ping at the corrected size still fails, your clamp/MTU is still too high for the real path — lower it to the value tracepath reported and re-test. Bake the clamp into config so a network change can't silently undo it.

ping -M do -s 1372 10.30.10.20 succeeds with 0% loss and a multi-GB transfer completes at line rate — your proof the black-hole is gone.

Aditya's apps are perfect all day and crawl at ~6 PM. Sessions stall or new connections fail to open during the busy window, then recover on their own when load drops.

The connector host is at its limit during peak: CPU pinned, or the kernel conntrack table is full so new flows are dropped. Minimum spec is 2 vCPU / 4 GB RAM — a single under-provisioned connector for a busy site browns out at peak.

Capture load and socket/conntrack state during the slow window, not after.

top -b -n1 | head -8
ss -s
cat /proc/sys/net/netfilter/nf_conntrack_count /proc/sys/net/netfilter/nf_conntrack_max

%Cpu(s): 95.8 us  load average: 8.1, 7.6, 6.9
Total: 64210 (estab 61880)            # ~62k sockets
261888 / 262144                       # conntrack 99.9% full — new flows dropped

Add connectors to the Connector Group (the cloud load-balances across healthy members) and/or right-size the VM up. As a stopgap, raise nf_conntrack_max, but the real fix is more capacity, not a bigger table.

Per-connector peak CPU stays below ~70%, conntrack sits well under max, and the 6 PM brownout disappears — load now spreads across the group.

A site grew, user count doubled, but the Connector Group still has one (or one busy) member. Peak performance degraded gradually as adoption climbed — no single event to point at.

The Connector Group is undersized for the offered load. ZPA load-balances across healthy members of the same group — with one member, there's nothing to balance, so peak load lands entirely on it.

Check the group's member count and per-member utilisation in the portal; corroborate with host load. One hot member next to idle headroom elsewhere is the tell.

uptime
ss -tn state established | wc -l   # active sessions this member carries

conn-mum01: load average 7.9   sessions 58921   # the only member
# Portal: Connector Group "Mumbai-DC" → 1 connector, util 92%

Add one or more App Connectors to the same Connector Group (deploy in pairs minimum). The cloud immediately starts spreading new sessions across all healthy members — capacity scales horizontally.

The portal shows ≥ 2 members sharing the load, per-member sessions and CPU roughly halve, and peak-hour performance recovers.

A connector group is healthy and not CPU-bound, yet some apps intermittently look slow or "unhealthy." It started after someone added a broad *.tcs.local segment with a wide port range.

Each App Connector continuously health-checks the destinations it serves, and there's a practical per-connector ceiling (~6,000 concurrent checks). A wildcard FQDN × wide port-range segment explodes the destination count and blows past it — starving real traffic of health-check slots.

Audit the segments mapped to the group: count distinct FQDNs × ports. Wildcards over big subnets with 1-65535 ranges are the usual culprit.

# Portal: Application Segments → for this connector group
# count = (resolved FQDNs) × (ports in range)
sudo journalctl -u zpa-connector | grep -i -E "health|probe|limit"

Segment "ALL-DC": *.tcs.local : 1-65535
zpa-connector[2510]: health-check targets 8120 > soft limit 6000
zpa-connector[2510]: deferring probes — capacity exceeded

Narrow the segments: replace the wildcard with specific FQDNs/subnets and the wide range with the actual ports the apps use. Split one mega-segment into several scoped ones across more connectors. The health-check count falls back under the ceiling.

The log no longer reports exceeding the health-check limit, intermittent "unhealthy" flips stop, and probes run on time again.

Even off-peak the connector sits at high baseline CPU, and adding members only delays the brownout. The host itself is simply too small for the sustained throughput this site needs.

The VM is at or below the minimum (2 vCPU / 4 GB). High-throughput sites (lots of bulk transfer, many concurrent sessions) need more vCPU/RAM per connector — horizontal scaling helps, but undersized hosts cap each member's ceiling.

Look at the steady-state (not just peak) baseline and the throughput per vCPU.

nproc; free -m
sar -u 1 5    # steady-state CPU over a quiet window

2            # only 2 vCPU
Mem: total 3902 used 3100
Average:  %user 68.4  %idle 27.1   # 68% busy even at idle hours

Resize the connector VM up (e.g. 2→4 vCPU, 4→8 GB) per the sizing guidance for the throughput, and keep ≥ 2 members per group. Right-size + scale out together — neither alone is enough for a heavy site.

Steady-state CPU drops to a comfortable baseline (< 50%), peak headroom returns, and the brownout doesn't recur as adoption keeps growing.

The first time a user opens an app it takes several seconds; subsequent connections are instant. The app itself is fast once it's up — only the opening lag is the complaint.

The connector resolves app FQDNs itself, so a slow internal resolver (overloaded, or a primary that times out before the cache falls to a secondary) adds seconds to every cold session. Once the answer is cached, it's fast.

Time the resolution from the connector host and read dig's Query time.

dig @10.10.0.53 erp.tcs.local
dig @10.10.0.53 erp.tcs.local | grep "Query time"

;; Query time: 2412 msec       # 2.4 s — explains the cold-connect lag
;; SERVER: 10.10.0.53#53(10.10.0.53)
# a healthy resolver answers in < 20 ms

Point the connector at a fast, reachable internal resolver; add a healthy secondary so a slow primary doesn't have to time out first. Fix the resolver's own load if it's overwhelmed. Keep the app zone resolvable locally to the connector.

dig Query time drops to < 20 ms, and the first-connect lag disappears — opening the app is now as fast as re-opening it.

DNS is fast, geo is near, MTU is clean — but new sessions still take a beat to "warm up." Long-lived sessions feel fine; anything that opens a fresh connection pays a small but consistent setup tax.

TLS handshake/renegotiation cost on the microtunnel and/or the app's own TLS. If the app forces frequent renegotiation, or the connector is doing extra crypto (e.g. Double Encryption, SCN-06), every new flow carries the handshake latency.

Time the TLS handshake to the app from the connector and compare connect time vs total time.

curl -sk -o /dev/null -w 'connect:%{time_connect} tls:%{time_appconnect}\n' \
  https://erp.tcs.local:8443/

connect:0.004 tls:1.180     # TCP is 4 ms; the TLS handshake costs 1.18 s
# a healthy handshake is well under 200 ms

Remove unnecessary crypto load — disable Double Encryption if not required (SCN-06) — and address app-side TLS (avoid forced renegotiation, enable session resumption). Right-size the connector if crypto is CPU-bound.

time_appconnect falls to < 200 ms, and users stop noticing the per-session warm-up — fresh connections feel as quick as warm ones.

An app is slow for one region of users and you can't tell which leg owns the delay — the user's last mile, the ZEN, the connector, or the app. Per-host tools only see their slice of the path.

No single command on the connector sees the user→ZEN leg, and nothing on the client sees the connector→app leg. Without an end-to-end view you keep fixing the wrong leg. ZDX Cloud Path is the one tool that spans the whole journey.

In ZDX → Cloud Path for the affected app, read per-hop latency and page-load for the real user; the ZDX Score and stage breakdown name the slow leg. Corroborate the connector→app leg from the host.

mtr -rwzbc20 erp.tcs.local
curl -sk -o /dev/null -w 'dns:%{time_namelookup} ttfb:%{time_starttransfer}\n' \
  https://erp.tcs.local:8443/

ZDX Cloud Path: user→ZEN 96ms ⚠ · ZEN→conn 5ms · conn→app 2ms
# 96 ms on the user's last mile, NOT ZPA — it's the user's home/ISP link

Fix the leg ZDX names — and only that leg. User→ZEN high = geo/last-mile (SCN-01..04); ZEN→connector or connector→app high = placement/MTU/capacity (Buckets 1–3); first-hit spikes = DNS/TLS (SCN-13/14). ZDX turns guessing into routing.

After the targeted fix, the ZDX Score recovers and the previously-red leg in Cloud Path drops to normal — proven end-to-end, not just "feels better."

An internal app is inconsistently slow or routes oddly — sometimes via ZPA, sometimes via ZIA or the public internet. The same FQDN behaves differently depending on the user's PAC/forwarding state.

The FQDN is claimed by both a ZPA Application Segment and a ZIA forwarding/PAC rule — a split-DNS / wrong-lane overlap. Traffic that should ride the private ZPA path leaks to ZIA, adding internet-path latency and unpredictability.

Confirm which lane the FQDN resolves/forwards into from a client, and check for the same domain in both ZPA segments and ZIA PAC/forwarding.

dig +short erp.tcs.local         # public answer? then it's leaking to the internet
# Check: ZPA App Segments AND ZIA PAC/forwarding both list erp.tcs.local

203.0.113.40      # a PUBLIC IP — should resolve to the private 10.30.9.40
# overlap: ZPA segment + ZIA PAC both claim erp.tcs.local

Make the FQDN owned by exactly one lane: keep the internal app in the ZPA Application Segment and remove it from ZIA forwarding/PAC (or vice-versa). One FQDN, one path — no ambiguity.

The FQDN consistently resolves to the private IP and routes via ZPA for all users; ZDX shows a stable path, and the intermittent slowness/odd routing stops.