ZTNA integrated with Cloud SWG for segment-based applications.
Users report problems running the WSS Agent on macOS and Windows.
Users had been accessing segment applications without issues for a long time when one of the main applications started failing.
Not all users accessing the same application from the same network saw the issue.
The HAR file confirms that the failing application's main page loads, but users never get the expected login page. The page requires SSO with an on-premises SAML Identity Provider, and that SSO exchange appears to fail, as shown below:
ZTNA.
Cloud SWG.
WSS Agent.
New IDP server IP addresses were added without notifying all the teams that depend on this information.
Traffic destined for these new IP addresses was not sent into the ZTNA service but upstream to the Cloud SWG service, where it failed.
Add the new IP addresses to the segment application's list of IP addresses.
PCAPs generated with Symdiag (viewable with the Symdiag reader) showed that the outbound TCP SYN requests sent into the WSS Agent tunnel never received a response.
The destination IP addresses of these failing connection requests resolved to the IDP server hostname.
Looking at the PCAPs, the IP reserved flag was not set, meaning the request would never be forwarded to the ZTNA service.
The markIpAddresses list, generated from the segment application's IP addresses, contained no matching entry for these destinations, so the reserved flag was not set. Only when this reserved flag is set does Cloud SWG forward the request into ZTNA.
"markIpAddresses": [
"10.212.126.19/32",
"10.212.126.151/32",
"10.212.126.23/32",
"10.212.126.79/32",
"10.212.126.91/32",
"10.212.126.166/32"
]
As soon as we added the new IP addresses to the ZTNA application, all traffic for the IDP IP addresses was correctly forwarded.
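The check that would have caught this early, as an added example that is not part of the original article or the Symantec product: take the segment's markIpAddresses list (the /32 entries shown above) and the destination IPs of the unanswered SYNs from the PCAP, and report which destinations fall outside every mark network and will therefore go upstream to Cloud SWG instead of into ZTNA. The routing model (reserved flag set only on a mark match, ZTNA forwarding only when flagged) is the behaviour the article describes; the unanswered-SYN destination list and the 10.212.126.200/.201 "new IDP" addresses are constructed sample data.

```python
import ipaddress
import json

# markIpAddresses as shown on this page (the ZTNA segment application's /32 list).
MARK_IP_JSON = """{
  "markIpAddresses": [
    "10.212.126.19/32",
    "10.212.126.151/32",
    "10.212.126.23/32",
    "10.212.126.79/32",
    "10.212.126.91/32",
    "10.212.126.166/32"
  ]
}"""

# Constructed sample: destination IPs of outbound SYNs seen in the WSS Agent
# tunnel that never got a response (what a Symdiag PCAP review would yield).
# 10.212.126.200/.201 are stand-ins for the newly added IDP server addresses.
UNANSWERED_SYN_DESTINATIONS = [
    "10.212.126.19",
    "10.212.126.200",
    "10.212.126.201",
    "10.212.126.91",
]


def load_mark_networks(raw_json):
    """Parse markIpAddresses into network objects; a malformed entry raises."""
    data = json.loads(raw_json)
    return [ipaddress.ip_network(entry, strict=True) for entry in data["markIpAddresses"]]


def routed_to_ztna(dst_ip, networks):
    """Page's model: the reserved flag is set only when the destination matches a
    mark network, and only flagged traffic is forwarded from Cloud SWG into ZTNA."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in networks)


def find_uncovered_destinations(destinations, raw_json=MARK_IP_JSON):
    """Return the destinations that bypass ZTNA and go upstream to Cloud SWG."""
    networks = load_mark_networks(raw_json)
    return [dst for dst in destinations if not routed_to_ztna(dst, networks)]


if __name__ == "__main__":
    for dst in find_uncovered_destinations(UNANSWERED_SYN_DESTINATIONS):
        print(f"{dst}: not in markIpAddresses, add it to the segment application IP list")
```

Feed it the real markIpAddresses and the failing destinations from the PCAP; every address it prints is one the ZTNA segment application does not yet cover.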