We’ve had constant complaints about the speed people are getting through our older Cisco Meraki VPN and have been trialing zScaler for replacing it. We went through with an engineer and configured policy to allow all for now so we can get an idea of what is blocked and what will and won’t work. One thing I’ve noticed is that the speed of zScaler ZPA is about half of what the old Cisco VPN is. Our workload is mainly Windows file shares (SMB) and we use the Cisco VPN to connect directly to an office for remote workers. If, say, an office is Denver, CO, the user connects to a Colorado POP and can get to the office via an App Connector I deployed there, no issue. The speed when trialing a worker’s workflow takes twice as long though. I’ve measured with various tools. What gives? Is this just the technology? I was under the impression that it should be somewhat faster because of the lower overhead of the encryption. Advice?
Are you using Quick ACK on the app connectors? If you are local then I would be putting PSE’s in the datacenter to be close to them for the SMB traffic.
Cade said:
Are you using Quick ACK on the app connectors? If you are local then I would be putting PSE’s in the datacenter to be close to them for the SMB traffic.
I don’t know what quick ACK is or have seen that option.
I thought about setting up a PSE in each office, but we have many offices in the same geographical region and remote workers all across the US. Each office has its own specific server that each remote worker would need to connect to. As I understand it, you can’t really tell zScaler to point a specific person to a PSE. It only uses it according to some zScaler proximity or via an override telling it distance from the PSE to use, which won’t work for a worker on the East coast that needs to connect to a file server in California.
@Milo
Always do two minimum. It’s easy to do and can be done on not super expensive hardware.
@Milo
I wouldn’t do it at every office I would be looking at them where your SMB shares are primarily. Which is probably a few datacenters. Also you pin AC’s in particular to certain segments which I see quite a bit. In your example I wouldn’t want someone on the east coast connecting to say an east coast AC that is going to the west coast destination which I have seen customers do.
You can sorta force PSE traffic by using trusted networks for example.
@Cade
Each office has shares that need to be accessed by a particular group. We use Nasuni, which is a caching appliance and it exports file shares for that office.
Milo said:
@Cade
Each office has shares that need to be accessed by a particular group. We use Nasuni, which is a caching appliance and it exports file shares for that office.
Interesting, how many offices roughly are you talking? Are some of them connected via a WAN or close enough proximity? I mean you could go hog wild and put PSE’s everywhere but meh, not sold on that if I could say put them closest to a largish number of offices that may have a private link. I am thinking something like
We have four offices in NYC each with metro ethernet, drop a PSE there in one of them vs having each of the four offices have an AC that reaches out to a NY ZPA cloud.
@Cade
We have 32 offices all connected via SD-WAN with 100-1Gb symmetrical connections. None are closer than about 100 miles to each other.
Milo said:
@Cade
We have 32 offices all connected via SD-WAN with 100-1Gb symmetrical connections. None are closer than about 100 miles to each other.
Any of them not in prime ZPA cloud territory? Like rural KS or something wild? The 1gb link may not be “good enough” depending on user count and such.
Ideally I always want to get away from like your traditional SMB shares and move towards more holistic cloud storage but if that isn’t feasible I start looking at proximity vs bandwidth. Like my backbone as a cloud doesn’t matter if you are in Hawaii and you have to go to San Jose or something to get to an SMB share.
So if I can strategically place PSE’s and AC’s where the majority of that stuff may live it makes it much more like for like. SMB historically is a chatty Kathy of a protocol and there are tons of posts around how slow it is even on traditional VPNs. Like do your Merakis today connect to every site with a VPN concentrator or how are those distributed?
Also what version of ZCC? We have made enhancements to file transfers I think in 4.5 but I would need to go grab release notes.
@Cade
I’ve tested with users in Denver connected to a Denver POP to our Denver office. Same issue. We have about 500TB of project files that we have to keep on-prem for the foreseeable future, so can’t move it to the cloud. On ZCC 4.5.0.337.
@Milo
Yeah that is where I would say maybe put a PSE and test it just to see if it indeed gets better. I mean at least we will have some proof one way or another.
Cade said:
@Milo
Yeah that is where I would say maybe put a PSE and test it just to see if it indeed gets better. I mean at least we will have some proof one way or another.
I did try a PSE already and it gets better, but not great. I go from transferring at about 150Mbps to about 200Mbps on average.
Cade said:
Are you using Quick ACK on the app connectors? If you are local then I would be putting PSE’s in the datacenter to be close to them for the SMB traffic.
>I would be putting PSE’s in the datacenter to be close to them for the SMB traffic.
This is your answer
@Tavi
Sure, but how do I get the clients to connect to that PSE exclusively? I don’t think there is a way. The client shows the IP jumps around between different PSE and Public POPs.
Milo said:
@Tavi
Sure, but how do I get the clients to connect to that PSE exclusively? I don’t think there is a way. The client shows the IP jumps around between different PSE and Public POPs.
You attach PSE to Policies, sorta, so if you have people not on x trusted network accessing x server use x pse. If user IS on x trusted network, bypass x pse and go the local route. If user is on trusted network but server is not on trusted network, direct to x pse in servers network.
You get the picture. Not quite how it is done but pretty close for a quick explanation. We love Zscaler except for the issue we are having with a specific program that has yet to get resolved; for some reason it is taking 5 minutes to open or switch a location over Zscaler even with a PSE, but if on site it takes seconds.
Milo said:
@Tavi
Sure, but how do I get the clients to connect to that PSE exclusively? I don’t think there is a way. The client shows the IP jumps around between different PSE and Public POPs.
I think you can use a DNS load balancer which could resolve the PSE domain to the desired ip address based on the clients geo location. So all clients use the same PSE FQDN but the resolution differs based on the clients location.
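As an added illustration of the two ideas above (Tavi’s trusted-network policy for steering to a PSE, and the geo-based resolution of a single PSE FQDN), not Zscaler’s own policy engine or any real deployment; all network prefixes, site names and PSE addresses are constructed:

```python
import ipaddress

# Constructed data: trusted office networks and the PSE serving each one.
# None of these prefixes, names or addresses come from a real environment.
TRUSTED_NETWORKS = {
    "denver": ipaddress.ip_network("10.10.0.0/16"),
    "nyc":    ipaddress.ip_network("10.20.0.0/16"),
}
PSE_ADDRESS = {"denver": "10.10.0.5", "nyc": "10.20.0.5"}
PSE_FQDN = "pse.example.internal"   # hypothetical single name all clients use


def site_of(ip: str):
    """Return the trusted-network name that contains ip, or None if off-net."""
    addr = ipaddress.ip_address(ip)
    for name, net in TRUSTED_NETWORKS.items():
        if addr in net:
            return name
    return None


def select_path(client_ip: str, server_ip: str) -> str:
    """Model of the steering logic described in the thread.

    - client and server on the same trusted network -> 'direct' (bypass PSE)
    - server on some trusted network                -> PSE in the server's network
    - server on no trusted network                  -> fall back to a public POP
    """
    client_site, server_site = site_of(client_ip), site_of(server_ip)
    if server_site is None:
        return "public-pop"
    if client_site == server_site:
        return "direct"
    return f"pse:{server_site}"


def resolve_pse(fqdn: str, client_ip: str, server_ip: str):
    """Geo/policy-aware answer for the shared PSE FQDN, as a DNS load balancer
    might give it: the PSE address for the chosen path, or None when the
    policy says the client should not use a PSE at all."""
    if fqdn != PSE_FQDN:
        return None
    path = select_path(client_ip, server_ip)
    if not path.startswith("pse:"):
        return None
    return PSE_ADDRESS[path.split(":", 1)[1]]
```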
We just did an identical implementation!
We turned off our Client VPN in Meraki and transitioned to Zscaler, however we have had 0 speed issues; I’m actually posting this connected to ZPA right now.
Just performed a speed test (ISP connection is about 200/200 but there’s definitely load on my local network currently so I would expect to get about 150 up and down currently).
Speedtest.net is reporting 153 down, and 184 up.
Ran an iperf test from my machine to a Linux VM back at HQ, and I’m getting 147 down and 172 up.
New York is my Geo area fwiw
@Sutton
Yeah, for a single file, it runs OK, but the problem is that our workload includes many files for a project, all which get loaded at once. One example is AutoCAD. On a 1Gb up/down connection I’m seeing about 150Mbps. Not great. This is in the Denver metro area.
@Milo
See, that’s where I find things interesting: we have a remote graphics designer who is working with some large Adobe and CAD files and she has no issues with accessing files, or them opening timely.
She actually had stated she is getting better performance now, and the kicker she is located in Canada, and our file servers are at the HQ here in NY.
Could it be a performance issue of the connectors themselves? Did they get sized appropriately with the right quantity?
Our engineer had us deploy 6 app connectors in our environment to handle our load and bandwidth.
@Sutton
You deployed 6 in one location? I have 7 deployed, but in 7 different offices. The “engineer” didn’t say anything about deploying multiple in an office. We have users in Denver accessing a Denver office and still get horrible speeds.