Recently my company switched to ZScaler for VPN/Firewall services. They have had some internal issues however it appears Zscaler and T-Mobile internet aren’t agreeing. When on my home network my download speeds get reduced to .1-.3 Mbps, while other devices such as cell phones and personal computers see 20-40 Mbps. I was curious if anyone else has seen this issue, otherwise I love the T mobile service in my area (rurual), however I need to have working internet to complete my job when at the house.
Userlevel 7
+15
T-Mobile usually throttles VPN traffic. For some reason, they haven't figure out a way to isolate the traffic from the modem separately from actual cellular data connections, which is why VPN traffic is throttled.
Deleted... stupid editor was stuck on bold and would not let me highlight/reset it
They don't exactly "throttle" VPN's... I can use some just fine and still break 40mbps (my throughput is typically 40-70, depending on varying factors).
it is more that you are sort of tunneling within a tunnel.
The TMO "tunnel" is already nerfing packet sizes and resulting in screwy routing and DNS issues, then your client side VPN tunnel doubles down on that.
Try testing to a different site. It can sometimes give very different results. For example, my "home" location for speedtest.net is usually Charlotte, NC--that is just over a 2 hour drive from me in Florence, SC, and that area is usually very congested in general. I can test 40 there, but turn right around and get 70 to Seattle, WA--on the opposite side of the country! I have even broken 100 to Montreal while only pulling in 40-50 to more local sites. The point is, there are inherent routing issues with their peering/routing in general that need to be addressed.
Your company's VPN may be setting MTU (or MSS) too high for the limit of TMO's tunnel. One of those being too large will cause packets to have to be split into smaller pieces to get through, the other can cause packets to get discarded. Alternatively, it could be setting it really low and not optimizing the throughput potential that is there. Either can impact throughput to varying degress... it all depends on how often the exceptions occur.
Get in touch with your company's support chain to make them aware that the TMO service is typically defaulting to an MTU of 1420, MSS of 1380... they may be able to tweak settings to better optimize packet sizes to rule that issue out.
Thank you both. I will pass along the MTU MSS information. I should have stated that previously we used Global Protect as our VPN client and with that service the Tmobile ISP worked without issue, however this new Zscaler product has caused the issues, so its product/method specific and not all VPN’s.
Have the same issue. Even had a conference call with IT and Zscaler support but could not resolve it. Called Tmobile and they said they are aware of the issue and they don’t know when it will be resolved. My IT person is telling me I should get mifi from Verizon because it works with that service.
Glad I’m not the only one RagingBullz.. I similarly had no luck working with IT department. We spent a long time eliminating hardware ect. but the true test was when moving to ATT hotspot, it worked and back to the T-Mobile ISP it didn’t. For the short term they reverted me back to out previous security scheme, as the corporate policy is for employees to provide their own internet, but they don’t state which ISP are ok or not, and I don’t have many options. Likewise, it has all worked fine with other VPN clients, until Zscaler.
I just started using the T-Mobile Home 5G Gateway a few days ago. Everything is great, except my work computer download/upload speed (I work from home). If we log my work computer out of Zscaler, speed is about 150 Mbps. But logged into Zscaler, the speed is about 3 Mbps. Not using Zscaler is not an option. Zscaler is a proxy. I’m also using Cisco AnyConnect VPN without issue. Did anyone find a solution or work-around specific to Zscaler?
Similar issues to report.
Internet speed tests reporting between 250-280 down and 45-55 up.
Using Zscalar speedtest Zscaler Speed Test about 25 down and 3 to 7 up.
T-Mobile PHL to zs3-was1-2a5-sme.gateway.zscalerthree.nete
I just started a new job with remote work 1-2 days a week, have a company HP, and the speeds are un-usable. Will pass this along and maybe they’re willing / able to adjust the packets.
I hate having problems, but its good to learn it’s not just me.
Hi Marc
There appears to be an issue with the mtu size in the zcalar policy.. I believe the mtu size was reduced for policies associated with users that have wireless internet service.
Since that change it has been working well for users in USA and Europe
Hi Marc
There appears to be an issue with the mtu size in the zcalar policy.. I believe the mtu size was reduced for policies associated with users that have wireless internet service.
Since that change it has been working well for users in USA and Europe
I’m sorry, I’m not very technical. I can see there’s a problem w/ MTU size (but I don’t know what that means). When you say “I believe the mtu size was reduced...” what does that mean, who reduced it? T-Mo? Because as of Monday this week, my work Win PC was literally un-usable on my TMHI connection (wired or wifi). As is the case with most corporate PC users, it’s locked down w/ only admin access to changing things like MTU, and as a typical PC user, I don’t have the skills to do it, even if I had admin access. I have requested our IT support to help, not heard back. *If there’s anything I can do to reach out to T-Mo tech support to get MY connection to work w/ this PC w/ z scaler, please let me know?*
The zcalar policy mtu size would need to be adjusted by those who managed the deployment. It is not something that is t-mobile would adjust or you on your pc. I was not involved with the policy deployment just worked with our security group as they figured out the best value. The default may be 1500 but since you are using wireless internet the value may need to be reduced by 28 bytes values until you are able to work.
The zcalar policy mtu size would need to be adjusted by those who managed the deployment. It is not something that is t-mobile would adjust or you on your pc. I
Got it, thanks for clarifying! I thought you were saying or implying T-Mo could do something on the tower end, obv they cant do anything to a local PC.
Reply
New badge winners
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.