Worse performance than Cisco Meraki VPN

We’ve had constant complaints about the speed people are getting through our older Cisco Meraki VPN and have been trialing zScaler for replacing it. We went through with an engineer and configured policy to allow all for now so we can get an idea of what is blocked and what will work and won’t. One thing I’ve noticed is that the speed of zScaler ZPA is about half of what the old Cisco VPN is. Our workload is mainly Windows file shares (SMB) and we use the Cisco VPN to connect directly to an office for remote workers. If, say, an office is Denver, CO, the user connects to a Colorado POP and can get to the office via an App Connector I deployed there, no issue. The speed when trialing a worker’s workflow takes twice as long though. I’ve measured with various tools. What gives? Is this just the technology? I was under the impression that it should be somewhat faster because of the lower overhead of the encryption. Advice?

Are you using Quick ACK on the app connectors? If you are local then I would be putting PSEs in the datacenter to be close to them for the SMB traffic.

We just did an identical implementation!
We turned off our Client VPN in Meraki and transitioned to Zscaler, however we have had 0 speed issues. I’m actually posting this connected to ZPA right now.

Just performed a speed test (ISP connection is about 200/200 but there’s definitely load on my local network currently so I would expect to get about 150 up and down currently).

Speedtest.net is reporting 153 down, and 184 up

Ran an iperf test from my machine to a Linux VM back at HQ, and I’m getting 147 down and 172 up.

New York is my Geo area fwiw

Pay attention to AppConnector placement relative to apps, turn on TCP ack.

Look in the dashboard and make sure you are running out of memory/cpu.

Remember AppC supports about 500mb of bandwidth a box. Scale out horizontally; they are small VMs.

Don’t listen to deploying PSEs. Those are only needed if you care about on-prem segmentation or DR

Are you speaking about download speeds or some type of bandwidth speed test?

Also remember that ZPA and ZIA are both proxies and act much differently than a VPN and also had to go through the cloud. Also, set the expectation that each individual connection will not see line rate and that normal speed tests are windowed through a proxy by nature. I tell folks 150Mbps and 25ms latency is an awesome connection and anything better is gravy and not expected.

My company recently trialed Checkpoint SASE and performance was really good. Comes with a full mesh network so you won’t have issues with bouncing around IPs.

I don’t know what quick ACK is or have seen that option.

I thought about setting up a PSE in each office, but we have many offices in the same geographical region and remote workers all across the US. Each office has its own specific server that each remote worker would need to connect to. As I understand it, you can’t really tell zScaler to point a specific person to a PSE. It only uses it according to some zScaler proximity or via an override telling it distance from the PSE to use, which won’t work for a worker on the East coast that needs to connect to a file server in California.

I would be putting PSEs in the datacenter to be close to them for the SMB traffic.

This is your answer

Yeah, for a single file, it runs OK, but the problem is that our workload includes many files for a project, all which get loaded at once. One example is AutoCAD. On a 1Gb up/down connection I’m seeing about 150Mbps. Not great. This is in the Denver metro area.
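The single-file-versus-many-files contrast above, and the earlier point that a proxied path adds latency that per-connection speed tests do not fully show, can be put in a small model. The following is an added example written for this thread, not anything from the original posts or from Zscaler; every number in it (RTTs, throughputs, file counts, SMB round trips per file) is a constructed assumption. It splits the time to open a project into a bandwidth term (bytes over the link) and a latency term (per-file SMB request/response exchanges times RTT), which is what makes a project of many small files far more sensitive to an extra hop than one large file:

```python
"""Latency-vs-bandwidth model for opening a multi-file SMB project.

Added example for this discussion; not code from the thread or from any
vendor. All values below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """A client-to-file-server path (e.g. direct VPN vs. proxied ZTNA)."""
    name: str
    rtt_ms: float   # assumed client <-> server round trip on this path
    mbps: float     # assumed effective per-connection throughput


@dataclass(frozen=True)
class Workload:
    """A 'project open': N files, each needing SMB exchanges before data flows."""
    name: str
    files: int
    bytes_per_file: int
    round_trips_per_file: int   # assumed open/query-info/read/close exchanges


def transfer_seconds(w: Workload, p: Path) -> float:
    """Bandwidth-bound part: total bits divided by per-connection throughput."""
    bits = w.files * w.bytes_per_file * 8
    return bits / (p.mbps * 1e6)


def handshake_seconds(w: Workload, p: Path) -> float:
    """Latency-bound part: every SMB round trip costs one RTT, per file."""
    return w.files * w.round_trips_per_file * p.rtt_ms / 1000.0


def open_seconds(w: Workload, p: Path) -> float:
    """Simplified serial model: handshakes plus data transfer."""
    return transfer_seconds(w, p) + handshake_seconds(w, p)


def slowdown(w: Workload, baseline: Path, candidate: Path) -> float:
    """How many times longer the candidate path takes than the baseline."""
    return open_seconds(w, candidate) / open_seconds(w, baseline)


def latency_share(w: Workload, p: Path) -> float:
    """Fraction of the open time spent waiting on round trips, not bytes."""
    return handshake_seconds(w, p) / open_seconds(w, p)


# Constructed paths: same per-connection throughput, different RTT, so any
# difference comes purely from the extra latency of the proxied hop.
VPN = Path("direct VPN (assumed)", rtt_ms=25.0, mbps=150.0)
ZTNA = Path("proxied ZTNA (assumed)", rtt_ms=60.0, mbps=150.0)

# Constructed workloads: the same 500 MB delivered as one file or as 2000
# small files (xrefs, blocks, fonts) that a CAD project pulls in at once.
SINGLE = Workload("one 500 MB file", files=1, bytes_per_file=500_000_000,
                  round_trips_per_file=10)
PROJECT = Workload("2000 x 250 KB files", files=2000, bytes_per_file=250_000,
                   round_trips_per_file=10)


def report() -> dict:
    """Return open times and slowdown factors for both workloads."""
    out = {}
    for w in (SINGLE, PROJECT):
        out[w.name] = {
            VPN.name: round(open_seconds(w, VPN), 1),
            ZTNA.name: round(open_seconds(w, ZTNA), 1),
            "slowdown": round(slowdown(w, VPN, ZTNA), 2),
            "latency share on ZTNA": round(latency_share(w, ZTNA), 2),
        }
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

With these assumed numbers the single large file opens in about the same time on both paths (the extra RTT is paid only ten times), while the 2000-file project takes more than twice as long on the higher-latency path even though the measured throughput is identical. That is the shape of result to look for when comparing a bulk speed test against timing a real project open: if throughput matches but the many-file open does not, the difference is in round-trip latency (path length, proxy hops, App Connector placement relative to the server), not in bandwidth.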

App Connector is in the same place as the SMB server. TCP Ack is on. VMs are not running out of mem/cpu. Bandwidth is under 500Mbps, I’m not even getting 150Mbps.

Yeah, bandwidth. I’ve tried all types of speed tests and timing file opening. One example application is AutoCAD. It takes about 7 minutes to open a file on the Cisco VPN and about 12 minutes to open the same file using zScaler. Really weird.

Quick ACK didn’t seem to make a difference when I enabled it on the application connector group. Times are still the same.

I tested at work on a 1Gb up/down and got maybe 100Mbps up/down. That’s terrible speed, especially when considering most home users have about 150Mb connection and get about 10Mbps down.

We tried that as well, but were looking for more features than what they could provide. The trial was just OK, nothing too amazing. Netfoundry would have been our second choice if we were looking for just ZTNA. They were by far the fastest implementation.

Always do two minimum. It’s easy to do and can be done on not super expensive hardware.

I wouldn’t do it at every office. I would be looking at them where your SMB shares are primarily, which is probably a few datacenters. Also you pin ACs in particular to certain segments, which I see quite a bit. In your example I wouldn’t want someone on the east coast connecting to, say, an east coast AC that is going to the west coast destination, which I have seen customers do.

You can sorta force PSE traffic by using trusted networks, for example.

Sure, but how do I get the clients to connect to that PSE exclusively? I don’t think there is a way. The client shows the IP jumps around between different PSEs and Public POPs.

See, that’s where I find things interesting: we have a remote graphics designer who is working with some large Adobe and CAD files and she has no issues with accessing files, or them opening timely.

She actually had stated she is getting better performance now, and the kicker is she is located in Canada, and our file servers are at the HQ here in NY.

Could it be a performance issue of the connectors themselves? Did they get sized appropriately with the right quantity?

Our engineer had us deploy 6 app connectors in our environment to handle our load and bandwidth.

This is possible. I’d open a ticket and be prepared to work with support. If this is a PoC, you have great evidence as to not buy the product. If you are invested, I’d show this as the product being unusable.