We have recently implemented OpenVPN for our users so that they can be routed through the US when a requirement for that pops up. The problem is that while testing the VPN we witnessed that the policies implemented through ZIA stop working whenever the VPN is connected. How do we resolve this? We want the traffic to be routed from the US and want the policies to work as well.
Do you have SIPA enabled? Otherwise, you need to “split-tunnel” that traffic out from Client Connector and then make sure the VPN has routes to pick up that traffic that Client Connector is leaving on the table.
Also, don’t be our company. Use the destination excluded routes for naked IP traffic and FQDNs, use the app PAC for wildcard pattern matching, and leave the forwarding profile PAC alone as much as possible.
Oh, and if you’re running a VPN client at the same time, make sure it isn’t intercepting DNS requests for zpath.net. That will mess with your tunnel connectivity something fierce.
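To make the split-tunnel advice above concrete, here is an added example of an app PAC in the style that comment describes: customer hosts reached over their VPNs are returned DIRECT so the VPN's routes pick them up, the Client Connector's own control-plane domains are never intercepted, and everything else goes to the Zscaler gateway. This is illustration code, not from the original post or from Zscaler; the gateway address, the customer hostnames and the 10.20.x range are constructed placeholders, and shExpMatch/dnsDomainIs are defined locally only so the file also runs under Node (a PAC engine supplies its own).

```javascript
// Added example of a split-tunnel "app PAC". Hostnames, proxy address and port
// are constructed placeholders; replace them with your own values.

const ZSCALER_GATEWAY = "PROXY gateway.zscaler.example:80"; // placeholder gateway

// Wildcard patterns for customer environments that are only reachable over their VPN.
// These go DIRECT so the VPN client, not Client Connector, carries the traffic.
const VPN_DIRECT_PATTERNS = [
  "*.corp.customer-one.example", // placeholder customer domain
  "intranet.customer-two.example", // placeholder customer host
  "10.20.*", // placeholder private range reached via the VPN
];

// Minimal shell-style glob, matching the PAC built-in: '*' matches any run,
// '?' matches one character, comparison is case-insensitive.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}

// Suffix match on the host name, matching the PAC built-in of the same name.
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

function FindProxyForURL(url, host) {
  // Never intercept Client Connector's own control-plane traffic; a VPN or PAC
  // that swallows zpath.net breaks the Zscaler tunnel itself.
  if (dnsDomainIs(host, ".zpath.net") || dnsDomainIs(host, ".zscaler.net")) {
    return "DIRECT";
  }
  // Customer VPN destinations leave Client Connector and ride the VPN routes.
  for (const pattern of VPN_DIRECT_PATTERNS) {
    if (shExpMatch(host, pattern)) {
      return "DIRECT";
    }
  }
  // Everything else is inspected by ZIA, so the policies keep applying.
  return ZSCALER_GATEWAY;
}
```

Note that the DIRECT entries only take traffic away from Client Connector; as the comment says, the VPN still has to have routes for those destinations, which is why naked IP ranges are usually better handled by the destination-exclusion list than by the PAC.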
What happens to the traffic when it gets to the US? Are you tunneling it? You should be able to see in the ZIA logs which policies the traffic is hitting (if any), and why they wouldn’t hit your other policies.
Likely you don’t have policies for this type of traffic.
When you say routed through the US, do you just mean your Company US locations or just US for egress?
If the first, I suggest using SIPA.
If latter, you can use subclouds in ZIA to route through specific data centers.
What forwarding method are you using? Tunnel 2.0 with routed mode?
Zscaler stops tunneling the traffic through it once the VPN is enabled. I have checked the logs and no traffic is being logged after the VPN is enabled.
When you say routed through the US, do you just mean your Company US locations or just US for egress?
Our environment is a little complex, so the issue is that we are a service provider located out of Pakistan and we provide tech services to clients in the US mostly. Many of our clients provide their own VPNs and we have to use them to access their environment. We are using SIPA for URLs that have only whitelisted our company’s public IP.
If the traffic isn’t getting to ZIA then it could be something in your ZCC config is stopping it, or it’s going to your on-prem equipment and not being forwarded out via tunnel. You’ll need to look through your ZCC logs to determine where that traffic is going, and what’s happening to it, and/or try some basic troubleshooting to see what happens to the traffic. Have you tried a PCAP yet?