ZCTA-IA Zscaler-Troubleshooting-CommonIssues StudentGuide 6.1 v1.0

ZCTA-IA_Zscaler-Troubleshooting- Monday, April 05, 2021
CommonIssues_StudentGuide_6.1_v1.0
Slide 1 - Troubleshooting ZIA
Slide notes
Welcome to this training module on some of the common issues seen when troubleshooting ZIA.
Page 1 of 33
Slide 2 - Navigating the eLearning Module
Slide notes
Here is a quick guide to navigating this module. There are various controls for playback including play and pause,
previous, and next slide.
You can also mute the audio or enable Closed Captioning which will cause a transcript of the module to be displayed on
the screen. Finally, you can click the X button at the top to exit.
Page 2 of 33
Slide 3 - Module Agenda
Slide notes
In this module, we will look at common issues with: Traffic forwarding, authentication; the setting and assignment of
policy; and with the reporting and analytics environment.
Page 3 of 33
Slide 4 - Common Issues – Traffic Forwarding
Slide notes
In the first section, we will look at some commonly reported issues with the forwarding of traffic to Zscaler.
Page 4 of 33
Slide 5 - Common Issues – Traffic Forwarding
Slide notes
For traffic forwarding, we will look at issues in two main areas: The inability to access Web pages in general; the inability
to access Web pages for Zscaler Client Connector users.
Page 5 of 33
Slide 6 - Unable to Access Web Pages/Sites – General
Slide notes
Firstly, we will talk about common issues where a user is unable to access Web pages or sites.
Symptom: The end user has no access to The Internet at all.
Problem: There are a number of misconfigurations that may cause this, e.g. the client machine has no valid IP
configuration, a Firewall or router device is down, or a tunnel to Zscaler is inactive.
Solution: Confirm the PC has a valid IP configuration, and that the egress router is active. Load the page at
ip.zscaler.com (if possible). Record output of that page and escalate if necessary.
Page 6 of 33
Slide 7 - Unable to Access Web Pages/Sites – General
Slide notes
Another common issue, is where users are able to access The Internet in general, but there are some sites that cannot be
reached, and a Zscaler block notification message is seen instead.
Symptom: The end user is unable to access an Internet site, and receives a block message.
Problem: These messages result from the user trying to browse to a site that is blocked by a policy configuration.
Solution: Identify the site the user is trying to browse to, and verify that it is not permitted. If the user insists that they
need access to this site, then you should escalate to someone with the ability and authority to update the Policy.
Page 7 of 33
Slide 8 - Unable to Access Web Pages/Sites –
Zscaler Client Connector
Slide notes
Next, we will look at common issues with Zscaler Client Connector users who are unable to access Web pages or sites.
Symptom: The end user has no access to The Internet, and the Zscaler Client Connector displays a ‘CAPTIVE PORTAL
FAILOPEN’ message.
Problem: The Zscaler Client Connector has detected that login through a captive portal is required before accessing The
Internet, but the user has yet to login at that portal. For example, they are connecting at a Hotspot that requires login, or
acceptance of an AUP before accessing The Internet.
Page 8 of 33
Solution: Have the user click ‘Retry’ within the Client Connector , then login through the captive portal within the Client
Connector timeout period (10 mins by default). If the error persists, then you probably need to escalate the issue.
Page 9 of 33
Slide 9 - Unable to Access Web Pages/Sites –
Zscaler Client Connector
Slide notes
The Zscaler Client Connector may on occasion indicate some other error message.
Symptom: The end user has no access to The Internet, and the Zscaler Client Connector indicates an error.
Problem: The Zscaler Client Connector is able to detect various error conditions and notify the end user. Some of these
error conditions may be temporary.
Page 10 of 33
Solution: Have the user click ‘Retry’ within the Client Connector, then check to see if the problem is still present. If the
error persists, then you probably need to escalate.
Page 11 of 33
Slide 10 - Error Codes – Zscaler Client Connector
Slide notes
For a complete list of Client Connector-related error codes, check out the URL listed here.
Page 12 of 33
Slide 11 - Common Issues – Authentication
Slide notes
In the next section, we will look at some commonly reported issues when users are authenticating to Zscaler.
Page 13 of 33
Slide 12 - Common Issues – Authentication
Slide notes
We will look at issues in three main areas: SAML authentication; LDAP authentication; and Kerberos authentication.
We will generally display a user-friendly error message on an authentication failure. The applicable correct error code is
also displayed, to allow you to look-up the precise problem.
You should note that, authentication issues for Internet Access can occur on the first-time connection of the end user to
The Internet through Zscaler, or if an administrator forces the user to re-authenticate.
This can occur regardless of how they are connecting, whether: from an office location through a tunnel; or from outside
the office using a PAC file, or the Zscaler Client Connector.
Page 14 of 33
Slide 13 - Error Messages – SAML
Slide notes
Firstly, we will look at some common issues with SAML authentication.
Symptom: The end user is unable to authenticate, and sees one of the error messages listed here.
Problem: These are ‘transient’ SAML errors, which should clear themselves after a few minutes.
Solution: Have the user retry authentication in a few minutes. If the error persists, then you should escalate.
Page 15 of 33
Slide notes
The next issue we will look at, involves problems with the end user’s account.
Problem: These errors indicate problems with the user’s account on the SAML Portal, either the user does not exist (and
auto-provisioning is disabled), or has not yet been activated.
Solution: Check the user’s details and status on the SAML Portal, and activate their account if necessary. If the error
persists, then you should escalate.
Page 16 of 33
Slide notes
The last SAML problem we will look at, involves the user name format that a user enters.
Symptom: The end user is unable to authenticate, and sees an A021 error.
Problem: The user is not inputting the login name in a valid format (as an email address).
Solution: Have the user retry using the correct email address format for their login name. If the error persists, then
escalate.
Page 17 of 33
Slide notes
For a complete list of SAML error codes and more information on common authentication issues, check out the URL
listed here.
Page 18 of 33
Slide 17 - Error Messages – LDAP
Slide notes
Next, we will look at some common issues with LDAP authentication.
Symptom: The end user is unable to authenticate, and sees a 101 error.
Problem: This error indicates that the password provided is incorrect.
Solution: Have the user retry authentication using the correct password. If necessary, reset the user’s password. If the
error persists, escalate.
Page 19 of 33
Slide notes
The next issue relates to account problems on the LDAP server.
Problem: These errors indicate that the user’s account cannot be found on the LDAP server.
Solution: Check the user’s details and status on the LDAP server. If necessary, create/re-create the user’s account. If the
error persists, escalate.
Page 20 of 33
Slide notes
The last LDAP issue we will look at, are some possible temporary conditions.
Problem: These errors are usually temporary, and should clear themselves after a few minutes.
Solution: Have the user retry authentication in a few minutes. If the error persists, escalate.
Page 21 of 33
Slide notes
For a complete list of LDAP/AD error codes and more information on common authentication issues, check out the URL
listed here.
Page 22 of 33
Slide 21 - Error Messages – Kerberos
Slide notes
Finally, we will look at a common issue with Kerberos authentication.
Symptom: The end user is unable to authenticate, and sees any of the errors listed.
Problem: These errors indicate that the user’s account cannot be found.
Solution: Check the user’s details and status on the authentication server. If necessary create/re-create the user’s
account. If the error persists, escalate.
Page 23 of 33
Slide 22 - Common Issues – Policy Settings and Assignment
Slide notes
In the next section, we will look at some commonly reported issues with the setting and assignment of Zscaler policies.
Page 24 of 33
Slide 23 - Common Issues – Policy Settings and Assignment
Slide notes
We will look at issues in three main areas: users blocked by policy; the incorrect assignment of policy; and the incorrect
assignment of a policy to Zscaler Client Connector users.
Page 25 of 33
Slide 24 - Blocked by Policy
Slide notes
Firstly, we will look at a common issue with users being blocked by policy (although we have seen this one already).
Symptom: The end user is unable to access the Internet, and receives a block message.
Problem: These messages result from the user trying to browse to a site that is blocked by a policy configuration.
Solution: Identify the site the user is trying to browse to, and verify that it is not permitted. If the user insists that they
need access to this site, then you should escalate to someone with the ability and authority to update the Policy.
Page 26 of 33
Slide 25 - Incorrect Policy Assignment
Slide notes
Next, we will look at a common issue with users being assigned the incorrect policy.
Symptom: Either, a user is blocked from sites that they are supposed to have access to, or, they are permitted to access
pages that should be blocked.
Problem: Either of these situations can occur if the user’s account has incorrect ‘Department’, or ‘Group’ assignments.
Solution: Check the user’s ‘Department’, and ‘Group’ memberships, correct them if necessary, and retry. If the error
persists, escalate.
Page 27 of 33
Slide 26 - Incorrect Zscaler Client Connector Policy Applied
Slide notes
Finally, we will look at a common issue with Zscaler Client Connector users being assigned the incorrect App Policy.
Symptom: An incorrect App Profile is applied to the Zscaler Client Connector on a device, so it receives the wrong
configuration settings, and/or the wrong Forwarding Profile settings.
Problem: This can occur if the user Group assignments are out of date on the Zscaler Client Connector Portal. Note that
the group assignments are updated periodically from the Zscaler Admin Portal.
Solution: In the Zscaler Client Connector portal, use the manual Sync Groups option on the Administration > Zscaler
App Support > ADVANCED CONFIGURATION page. If the error persists, escalate.
Page 28 of 33
Slide 27 - Common Issues – Reporting and Analytics
Slide notes
In the final section, we will look at some commonly reported issues with Zscaler reporting and analytics.
Page 29 of 33
Slide 28 - Common Issues – Reporting and Analytics
Slide notes
Here we will look at issues in two main areas: The inability to access a report; user data incorrectly missing from, or
appearing in a report.
Page 30 of 33
Slide 29 - Unable to Access a Report
Slide notes
Firstly, we will look at a common issue with admin or Helpdesk users being unable to access a report.
Symptom: You are unable to generate, or access a report, or perform analysis under the Analytics menu.
Problem: This may be due to you not having sufficient permissions on the Zscaler Admin Portal due to your ‘Admin
Rank’.
Solution: Request the appropriate ‘Admin Rank’ and permissions to allow you to perform the necessary reporting
actions.
Page 31 of 33
Slide 30 - User Incorrectly Missing From/Appearing In a Report
Slide notes
Finally, we will look at a common issue with user data incorrectly missing from, or appearing in a report.
Symptom: Either, a user appears in a report when they shouldn’t, or, they are missing from the report when they should
appear in it.
Problem: Either of these situations can occur if the user’s account has incorrect ‘Department’, or ‘Group’ assignments.
Solution: Check the user’s ‘Department’, and ‘Group’ memberships, correct if necessary, and regenerate the report. If
the error persists, escalate.
Page 32 of 33
Slide 31 - Thank you & Quiz
Slide notes
Thank you for following this training module on common issues when troubleshooting ZIA. We hope this module has
been useful to you and thank you for your time.
What follows is a short quiz to test your knowledge of the material presented during this module. You may retake the
quiz as many times as necessary in order to pass.
Page 33 of 33

ZCTA-IA Zscaler-Troubleshooting-CommonIssues StudentGuide 6.1 v1.0

Uploaded by

Copyright:

Available Formats

ZCTA-IA Zscaler-Troubleshooting-CommonIssues StudentGuide 6.1 v1.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ZCTA-IA Zscaler-Troubleshooting-CommonIssues StudentGuide 6.1 v1.0

Uploaded by

Copyright:

Available Formats

ZCTA-IA_Zscaler-Troubleshooting- Monday, April 05, 2021

Slide 1 - Troubleshooting ZIA

Slide 2 - Navigating the eLearning Module

Slide 3 - Module Agenda

Slide 4 - Common Issues – Traffic Forwarding

Slide 5 - Common Issues – Traffic Forwarding

Slide 6 - Unable to Access Web Pages/Sites – General

Symptom: The end user has no access to The Internet at all.

Slide 7 - Unable to Access Web Pages/Sites – General

Slide 8 - Unable to Access Web Pages/Sites –

Zscaler Client Connector

Slide 9 - Unable to Access Web Pages/Sites –

Zscaler Client Connector

Slide 10 - Error Codes – Zscaler Client Connector

Slide 11 - Common Issues – Authentication

Slide 12 - Common Issues – Authentication

Slide 13 - Error Messages – SAML

Firstly, we will look at some common issues with SAML authentication.

Slide 14 - Error Messages – SAML

Slide 15 - Error Messages – SAML

Slide 16 - Error Messages – SAML

Slide 17 - Error Messages – LDAP

Next, we will look at some common issues with LDAP authentication.

Problem: This error indicates that the password provided is incorrect.

Slide 18 - Error Messages – LDAP

The next issue relates to account problems on the LDAP server.

Slide 19 - Error Messages – LDAP

Slide 20 - Error Messages – LDAP

Slide 21 - Error Messages – Kerberos

Finally, we will look at a common issue with Kerberos authentication.

Slide 22 - Common Issues – Policy Settings and Assignment

Slide 23 - Common Issues – Policy Settings and Assignment

Slide 24 - Blocked by Policy

Slide 25 - Incorrect Policy Assignment

Slide 26 - Incorrect Zscaler Client Connector Policy Applied

Slide 27 - Common Issues – Reporting and Analytics

Slide 28 - Common Issues – Reporting and Analytics

Slide 29 - Unable to Access a Report

Slide 30 - User Incorrectly Missing From/Appearing In a Report

Slide 31 - Thank you & Quiz

You might also like