Zscaler IPsec tunnel automation fails if domestic preference is enabled in Cloud security service profile



Article ID: 375783


Updated On:

Products

VMware VeloCloud SD-WAN with Premier Support

Issue/Introduction

++ The Edge receives an invalid peer IP address of 0.0.0.0 from the VCO when the "domestic preference" flag is selected for Zscaler IPsec tunnel automation, so the tunnel cannot be built.

++ Under VCO > Monitor > Network Services > CSS profile, the Zscaler peer IP is shown as 0.0.0.0.

Environment

All SD-WAN VECO software versions

Cause


Since the launch of the Domestic Preference feature, the endpoint lists that Zscaler returns for GRE and IPsec tunnels behave differently.

For GRE endpoints, when domestic preference is enabled, Zscaler returns the available in-country endpoints. If there are none or only one, it adds a nearby endpoint from outside the country, so the list always contains usable addresses.

For IPsec endpoints under the same setting, when there are none or only one in-country endpoint, the response instead contains 0.0.0.0 in place of each unavailable entry. The VCO passes this placeholder through to the Edge as the peer IP, which is why tunnel automation fails.
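The following Python example is added here to illustrate the check that the behaviour above calls for; it is not code from VMware SD-WAN or Zscaler. It validates a list of candidate peer endpoints before they would be handed to an Edge, rejecting the 0.0.0.0 placeholder (and any other non-routable address) and applying the GRE-style selection described above: prefer in-country peers, fall back to out-of-country peers when fewer than two are usable. The response layout (`ip` and `country` fields) and all sample addresses are constructed assumptions, not the real Zscaler API schema.

```python
"""
Validate Zscaler CSS peer endpoints before provisioning an IPsec tunnel.

Added illustration only. The entry layout ({"ip": ..., "country": ...}) and
the sample addresses are constructed for this example and do not reflect the
Zscaler or VMware SD-WAN Orchestrator APIs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    ip: str
    country: str


class NoUsablePeerError(ValueError):
    """Raised when a response contains no routable peer address at all."""


def is_usable_peer_ip(ip: str) -> bool:
    """Return True only for a globally routable address.

    0.0.0.0 (the placeholder seen in the IPsec response) is unspecified and
    not global, so it is rejected, as are malformed strings, private ranges,
    loopback and multicast, none of which can be an Internet-facing IPsec peer.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast


def placeholder_peers(entries):
    """Return the entries whose address is unusable (e.g. 0.0.0.0).

    Useful as a monitoring check: a non-empty result means the Orchestrator
    would push an invalid peer to the Edge.
    """
    return [e for e in entries if not is_usable_peer_ip(e["ip"])]


def select_peers(entries, home_country, want=2):
    """Pick up to `want` peers, mirroring the GRE behaviour from the article.

    In-country endpoints are preferred; if fewer than `want` of them are
    usable, out-of-country endpoints fill the remaining slots. Placeholder
    addresses are never returned, and an empty usable set is an error rather
    than a silent 0.0.0.0 peer.
    """
    usable = [Peer(e["ip"], e["country"]) for e in entries
              if is_usable_peer_ip(e["ip"])]
    domestic = [p for p in usable if p.country == home_country]
    foreign = [p for p in usable if p.country != home_country]
    chosen = (domestic + foreign)[:want]
    if not chosen:
        raise NoUsablePeerError("response contained no routable peer address")
    return chosen


# Constructed sample responses (not real Zscaler data). The IPsec list shows
# the failure mode from the article: one in-country peer plus a 0.0.0.0 filler.
IPSEC_RESPONSE_WITH_DOMESTIC_PREF = [
    {"ip": "45.12.34.56", "country": "CH"},
    {"ip": "0.0.0.0", "country": "CH"},
]
# The GRE list shows the healthy behaviour: a nearby out-of-country peer is
# added instead of a placeholder.
GRE_RESPONSE_WITH_DOMESTIC_PREF = [
    {"ip": "45.12.34.56", "country": "CH"},
    {"ip": "185.200.10.20", "country": "DE"},
]


if __name__ == "__main__":
    print("IPsec placeholders:", placeholder_peers(IPSEC_RESPONSE_WITH_DOMESTIC_PREF))
    print("IPsec usable peers:", select_peers(IPSEC_RESPONSE_WITH_DOMESTIC_PREF, "CH"))
    print("GRE usable peers:", select_peers(GRE_RESPONSE_WITH_DOMESTIC_PREF, "CH"))
```

Run against the IPsec sample, `placeholder_peers` flags the 0.0.0.0 entry and `select_peers` returns only the single usable in-country peer, which is the condition to alert on (fewer than two peers means no secondary tunnel); the GRE sample yields both peers.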


Resolution

As a workaround, disable the "domestic preference" flag in the CSS tunnel configuration for IPsec and save the changes. After saving, confirm under VCO > Monitor > Network Services > CSS profile that the Zscaler peer IP is no longer 0.0.0.0 and that the tunnel comes up.

For a permanent resolution, an enhancement request has been submitted to Engineering and is being tracked under #149289.