Big Sur EAP - Compatibility with Zscaler client

Hello, I have reported this in the past on a different thread but, given the small number of occurrences, I decided to wait to see if subsequent releases would address the situation.

Since upgrading to Big Sur, one of the key applications at our end, Zscaler Client Connector, has stopped working on some Big Sur devices, and on others it takes quite a bit of time to establish a connection. I have isolated the issue to the Web Network Extension, which seems to either fight for resources or conflict with Zscaler ZPA (the Private Access component). As soon as I remove Sophos everything works fine, and once I install Sophos back and do not install/allow the Web Network Extension, things are back to normal - no issues reported by Zscaler.

With the release of 10.0.3, one of the devices that was running fine has started to exhibit the same behaviour. It failed to connect to ZPA and then became unusable until Zscaler was completely turned off. I have read a considerable amount of detail and it looks like this Web Network Extension is causing a significant number of issues with other applications like other VPN providers, OneDrive, Google Drive etc.

It is very frustrating to see that instead of going in the right direction we seem to be going backwards, and I would like to know how you intend to address this situation.

For us, Zscaler is critical and I have around 100 devices that should be updated to Big Sur in the near future, with Sophos being the only thing preventing this from happening. I would appreciate it if someone from Sophos could find some time to help, as raising support tickets doesn't get you anywhere given the product is still on EAP.

Another annoying issue, noticed since updating to Sophos EAP, is related to the OneDrive Finder Extensions, which seem to conflict with Sophos Extensions: the Office Extensions that help you identify if the file is local or in the cloud are no longer visible. If you disable the Sophos Extensions and then enable them again this seems to work, but they disappear again at the next restart.

Thank you.

  • Hi Nicholas,

    I'm genuinely sorry to hear about your issues, I understand how frustrating this can be - we have struggled with some compatibility issues with VPN clients ourselves. We are aware of an API issue in the OS that caused compatibility problems with other network extensions, but from our testing and other users' feedback we believed they were fixed in Big Sur 11.2.

    We would love to investigate your issue more, could you please provide us with an SDU from an affected machine?

    You can upload this as follows:

    • Go into Central, find the device, and click on the generate SDU button
    • Once the SDU is uploaded, post the file name here so we can extract it and take a look

    Thank you, and sorry for the inconvenience.
  • Hi David,

    Thank you for the prompt response. I had to exit Zscaler to be able to access the internet and trigger the SDU.

    This is the SDU: edbe1689-3e69-f423-6865-32865592a6a9_2021-02-11-22-52-40.zip

    The problem is that Zscaler fails to fully start and goes through repetitive connect/disconnect cycles, which makes accessing the internet nearly impossible.

    If you have a look at the device crash reports you can see loads of issues with Zscaler, almost every other minute and in the end the Sophos network extension crashed my device...

  • Hi David, Can you please let me know if you were able to get what you wanted out of the provided SDU? The challenge that we have here is that we need to either stop Zscaler or remove Sophos to get a device connected to the internet and to get the SDU. Is there a way to generate one from the device itself when the issues occur? Maybe we can build a more complete picture using this approach?

    Another important aspect that I have seen on the devices running Big Sur is the need to do SMC resets, as their passwords to make changes to the system were no longer working... To make changes to Privacy and Security settings you have to "unlock" the config mode and the passwords were not recognised/accepted. To fix this I had to advise my colleagues to do SMC resets and in some instances even to reset the passwords....

    The interesting part is that these were reported shortly after Sophos was installed...

  • Hi Nicholas,

    The SDU can be run locally, while Internet access is unavailable, using the following instructions:

    1. From the Sophos GUI, click About (lower right)
    2. Click Run Diagnostic Tool
    3. Click "Launch SDU..."

    Once an SDU is generated, you can private message me with your SDU and I'll have it analyzed.

    Also, are you using Zscaler Client Connector 1.5 (or later)? If so would you mind following the instructions provided here: Enabling Packet Capture for Zscaler Client Connector to collect the packet capture for us to analyze?

    Thank you for the ongoing feedback and I'm very sorry to hear about the continued issues. I assure you, we're working hard to understand what's going on and to come up with a fix.

    Regards,

    Eric

  • Thank you Eric. I was able to find and generate a local SDU. Unfortunately, I have not heard back any encouraging news on the issue reported here. My devices have not updated yet to 10.0.4 but from other people's comments it does not seem this has added any changes to the issues when it comes to clashes with other VPNs ...

  • Hi Eric, I can run a diagnostic locally and am happy to do this when required.

    Regarding Zscaler, we are using version 2.2.4 on our Mac devices. The issue was reported on most devices that have been updated to Big Sur once the system extensions were installed and activated.

    Currently, we have to run with the custom policy that blocks the culprit extension from loading, as advised by your colleagues.

    As mentioned to David and Richard, I am happy to demonstrate the issues on a remote session, as this is a big problem for us: both solutions should run without impacting each other. I'll prepare a packet capture as advised and I can share this with you.

    Hope this helps,

    Nicholas

  • Hi Nicholas,

    Thank you for the feedback. We would like to take you up on the offer of a remote session to diagnose the problem. I'll DM and coordinate with you on that effort.

    Regards,
    Eric

  • Was there any resolution to this? We're having the exact same issue. Happy to also provide logs and/or remote sessions.

  • Hi Arjun, so far I do not have a resolution for this. I am using a dedicated policy to block this extension from the Big Sur devices as it is rendering them unusable. I am waiting to confirm a remote session to demo the issues on one of my devices as I do not believe the team at Sophos have access to Zscaler....