Question

Tmobile home internet and Zscaler

  • 26 March 2021
  • 6 replies
  • 126 views


Recently my company switched to Zscaler for VPN/Firewall services. They have had some internal issues; however, it appears Zscaler and T-Mobile internet aren’t agreeing. When on my home network my download speeds get reduced to .1-.3 Mbps, while other devices such as cell phones and personal computers see 20-40 Mbps. I was curious if anyone else has seen this issue. Otherwise I love the T-Mobile service in my area (rural); however, I need to have working internet to complete my job when at the house.


6 replies

Userlevel 7
Badge +13

T-Mobile usually throttles VPN traffic. For some reason, they haven't figured out a way to isolate the traffic from the modem separately from actual cellular data connections, which is why VPN traffic is throttled.

Userlevel 4
Badge +2

Deleted... stupid editor was stuck on bold and would not let me highlight/reset it

Userlevel 4
Badge +2

They don't exactly "throttle" VPNs... I can use some just fine and still break 40 Mbps (my throughput is typically 40-70, depending on varying factors).

It is more that you are sort of tunneling within a tunnel.

The TMO "tunnel" is already nerfing packet sizes and resulting in screwy routing and DNS issues, then your client-side VPN tunnel doubles down on that.

Try testing to a different site.  It can sometimes give very different results.  For example, my "home" location for speedtest.net is usually Charlotte, NC--that is just over a 2 hour drive from me in Florence, SC, and that area is usually very congested in general.  I can test 40 there, but turn right around and get 70 to Seattle, WA--on the opposite side of the country!  I have even broken 100 to Montreal while only pulling in 40-50 to more local sites.  The point is, there are inherent routing issues with their peering/routing in general that need to be addressed.

Your company's VPN may be setting MTU (or MSS) too high for the limit of TMO's tunnel. One of those being too large will cause packets to have to be split into smaller pieces to get through, the other can cause packets to get discarded. Alternatively, it could be setting it really low and not optimizing the throughput potential that is there. Either can impact throughput to varying degrees... it all depends on how often the exceptions occur.

Get in touch with your company's support chain to make them aware that the TMO service is typically defaulting to an MTU of 1420, MSS of 1380... they may be able to tweak settings to better optimize packet sizes to rule that issue out.
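
The MTU/MSS figures in the reply above can be measured rather than assumed. The following is an added example, not part of the original thread: it binary-searches the largest IPv4 packet that crosses the path with Don't Fragment set and derives the matching TCP MSS. It assumes the system `ping` (Windows or Linux iputils flags) and a target that answers ICMP echo; the host name `example.com` is a placeholder.

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options

def ping_df(host, payload):
    """Send one echo request with Don't Fragment set; True only on a real reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", "-w", "2000", host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", "2", host]
    res = subprocess.run(cmd, capture_output=True, text=True, errors="replace")
    # An echo reply line carries "ttl="; "needs to be fragmented" errors do not.
    return res.returncode == 0 and "ttl=" in res.stdout.lower()

def find_path_mtu(host, low=576, high=1500, probe=ping_df):
    """Largest IPv4 packet size in [low, high] that passes unfragmented.

    Returns None when even `low` gets no reply (host down or ICMP filtered),
    because the search result would be meaningless in that case.
    """
    if not probe(host, low - IP_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(host, mid - IP_ICMP_OVERHEAD):
            low = mid        # mid fits, look for something larger
        else:
            high = mid - 1   # mid is too big for some hop on the path
    return low

def tcp_mss(mtu):
    """MSS a TCP endpoint should advertise for the given path MTU."""
    return mtu - IP_TCP_OVERHEAD

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    mtu = find_path_mtu(target)
    if mtu is None:
        print("no ICMP reply; cannot measure the path MTU to", target)
    else:
        print(f"path MTU {mtu}, TCP MSS {tcp_mss(mtu)}")
```

Running it once with the VPN client disabled and once with it enabled shows how much headroom the second tunnel takes from the first.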

Badge

Thank you both. I will pass along the MTU MSS information. I should have stated that previously we used Global Protect as our VPN client and with that service the T-Mobile ISP worked without issue; however, this new Zscaler product has caused the issues, so it's product/method specific and not all VPNs.

Have the same issue. Even had a conference call with IT and Zscaler support but could not resolve it. Called T-Mobile and they said they are aware of the issue and they don’t know when it will be resolved. My IT person is telling me I should get a MiFi from Verizon because it works with that service.

 

Badge

Glad I’m not the only one, RagingBullz. I similarly had no luck working with the IT department. We spent a long time eliminating hardware etc., but the true test was when moving to an ATT hotspot: it worked, and back on the T-Mobile ISP it didn’t. For the short term they reverted me back to our previous security scheme, as the corporate policy is for employees to provide their own internet, but they don’t state which ISPs are OK or not, and I don’t have many options. Likewise, it has all worked fine with other VPN clients, until Zscaler.
