Symptoms:
After an event that may cause a service restart or a reboot (such as an upgrade or configuration change) a Zscaler tunnel configured with FQDN may go down.
DNS queries are successful
DNS cache contains no entries for the zscaler service

SD-WAN by VeloCloud

Issue is caused by Defect ID:  60073

Defect ID: 60073 is fixed by upgrading the SD-WAN Edge to any of the following releases:
4.2.2 release R422-20210923-GA or later
4.3.1 release R431-20211208-GA or later
4.5.0 release R450-20210922-GA or later
 

For information on how to upgrade please check the following article: VMware SD-WAN Software Upgrade FAQs

Workaround:
To recover the tunnel perform a ping to the zscaler peer FDQN (examples: chi1-2-vpn.zscaler.net or dfw1-2-vpn.zscaler.net ). This will create a DNS entry and restore the tunnel.

1. Click on Diagnostics
2. Under "Remote Diagnostics", select the affected edge
3. Scroll down to Ping Test
4. Select the appropriate segment and interface
5. Enter the FQDN in the Destination field
6. Click "Run"