icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Troubleshooting Users' Traffic not Going to the Nearest ZIA Public Service Edge

At times, users may experience slower than expected performance because their traffic is not being routed to the nearest ZIA Public Service Edge. Zscaler determines the closest available ZIA Public Service Edge based on the geolocation information associated with the IP address that sent the request to resolve the Zscaler gateway name (for example, zscaler.net) or the IP address from which the PAC file was downloaded. You can edit your PAC file to resolve this issue.

The following are some potential causes and solutions:

  • The PAC file uses gateway.<zscaler_cloud> to define the ZIA Public Service Edge (for example, gateway.zscaler.net:80), and the DNS server is not in the same geographic region as your Internet gateway location. This is not recommended because the resolution of this domain name is based on the DNS server used. When the DNS server receives a request to resolve the hostname, it returns the IP address of the ZIA Public Service Edge in the Zscaler data center that it is closest to, which may not be the closest ZIA Public Service Edge to the user. You can determine the IP address of the DNS server that resolved the Zscaler gateway name by resolving the following hostname: whoami.akamai.net
    To resolve this issue, edit the PAC file and use ${GATEWAY}:80 for the primary proxy and ${SECONDARY_GATEWAY}:80 for the secondary proxy.
  • The PAC file specifies the IP address of a Zscaler data center. This is not recommended, as this might cause problems when the user is remote and is far from the ZIA Public Service Edge. Edit the PAC file and use ${GATEWAY}:80 for the primary ZIA Public Service Edge and ${SECONDARY_GATEWAY}:80 for the secondary ZIA Public Service Edge.
  • The PAC file uses ${GATEWAY}:80 for the primary ZIA Public Service Edge and ${SECONDARY_GATEWAY}:80 for the secondary ZIA Public Service Edge. This is the preferred method because the service uses the GeoIP coordinates of the source IP address to determine the nearest ZIA Public Service Edge. Zscaler uses MaxMind databases to associate the longitude/latitude coordinates with the source IP address. If the GeoIP coordinates are incorrect in the database, the user's traffic might be forwarded to a farther node. If this occurs, please open a support ticket so that Zscaler Support can override the GeoIP coordinates accordingly.
Related Articles
Choosing Traffic Forwarding MethodsBest Practices for Traffic ForwardingHandling DNS Resolution for Various Traffic Forwarding MethodsUnderstanding Zscaler Authoritative DNS ServersAbout SubcloudsUnderstanding SubcloudsEditing a SubcloudAbout Data Center Exclusion Based on Traffic Forwarding MethodExcluding a Data Center Based on Traffic Forwarding MethodAbout Static IPSelf-Provisioning of Static IP AddressesImporting Static IP Address from a CSV FileUnderstanding Multi-Cluster Load SharingUnderstanding Proxy ModeDetermining Optimal MTU for GRE or IPSec TunnelsImplementing Zscaler in No-Default Route EnvironmentsVerifying a User's Traffic is Being Forwarded to the Zscaler ServiceAlternative Options to Caching Web TrafficTroubleshooting Users' Traffic not Going to the Nearest ZIA Public Service EdgeConfiguring Disaster RecoveryZscaler Traffic Bypasses