Why is the users' traffic not going to the nearest ZEN?

At times, users may experience slower than expected performance because their traffic is not being routed to the nearest ZEN (Zscaler Enforcement Node). Zscaler determines the closest available ZEN based on the geolocation information associated with the IP address that sent the request to resolve the Zscaler gateway name (for example, zscaler.net) or the IP address from which the PAC file was downloaded. Following are some reasons and tips on how you can edit your PAC file to resolve this issue.

  • The PAC file uses "gateway.<zscaler_cloud>" to define the ZEN (for example, gateway.zscaler.net:80), and the DNS server is not in the same geographic region as your Internet gateway location. This is not recommended because the resolution of this domain name is based on the DNS server used. When the DNS server receives a request to resolve the host name, it returns the IP address of the ZEN in the Zscaler data center that it is closest to, which may not be the closest ZEN to the user. You can determine the IP address of the DNS server that resolved the Zscaler gateway name by resolving the following hostname: whoami.akamai.net
    To resolve this issue, edit the PAC file and use ${GATEWAY}:80 for the primary proxy and ${SECONDARY_GATEWAY}:80 for the secondary proxy. 
  • The PAC file specifies the IP address of a Zscaler data center. This is not recommended either, as this might cause problems when the user is a road warrior and is far from the ZEN. Please edit the PAC file and use ${GATEWAY}:80 for the primary ZEN and ${SECONDARY_GATEWAY}:80 for the secondary ZEN.  
  • The PAC file uses ${GATEWAY}:80 for the primary ZEN and ${SECONDARY_GATEWAY}:80 for the secondary ZEN. This is the preferred method because the service uses the GeoIP coordinates of the source IP address to determine the nearest ZEN. Zscaler uses MaxMind databases to associate the longitude/latitude coordinates with the source IP address. If the GeoIP coordinates are incorrect in the database, the user's traffic might be forwarded to a farther node. If this occurs, please open a support ticket so that Zscaler Support can override the GeoIP coordinates accordingly.