topic Re: Bandwidth issues with Zscaler clients behind FTD1120 in Network Security

Bandwidth issues with Zscaler clients behind FTD1120

Michael Bartholomæussen — Wed, 11 Feb 2026 12:06:50 GMT

Hi All,

I'm having a bit of a oddity with our Zscaler clients and download speed from our local office.

Clients have Zscaler Client Connector enabled with ZPA and ZIA. Download from public sites are seeing horrible download speeds, when they sit behind our firewall. The DIA is 1Gig for the users.

Client download speeds vary from 1-5MB/s behind the firewall, and bypassing the firewall (a client gets an IP in the public range), download speed are a steady 20 - 25MB/s.

Clients on our local network are running tunnel v1, meaning that they'll use TCP for transport. They see the network as trusted due to DNS reachability.
If they are connected to our guest VLAN, they move to tunnel v2 as they are not able to reach their defined DNS record. (Similar to secure client) For v2 client, transport is DTLS, so UDP

v1 or v2 clients on the internal network experience the same download performance.

I've tried to configure fastpath for the internal clients and in the logs in the FMC, I see that traffic to Zscaler is Fastpath!

I would have guessed that the firewall could have discarded UDP traffic (it shouldn't) due to some hidden-secret setting, but with the TCP traffic, it's not the case. A capture on the firewall, between the client and zscaler, shows a steady TCP stream with minor TCP flags - at least not in a magnitude that would slice download speeds down by 4-5.

The firewall config is a pair of FTD1120 in HA, managed by FMC

Any thoughts or ideas....?

Re: Bandwidth issues with Zscaler clients behind FTD1120

Kasun Bandara — Wed, 11 Feb 2026 13:12:55 GMT

@Michael Bartholomæussen hi, are you getting same speed issue for zscaler tunnel v1 and v2 when it behind the FW?

Re: Bandwidth issues with Zscaler clients behind FTD1120

Michael Bartholomæussen — Thu, 12 Feb 2026 09:12:10 GMT

@Kasun Bandara Yes, the speed is almost 1:1.

I did a test on our Lab firewalls, a pair of 1010 with our ISP. Here I don't see the issue.

Re: Bandwidth issues with Zscaler clients behind FTD1120

Kasun Bandara — Thu, 12 Feb 2026 09:29:01 GMT

@Michael Bartholomæussen hi, is there any OS version or rule difference between your LAB test and Production network? if you try to match with the same or latest OS in firewall in production.

additionally, check the route path from your locations to zscaler. If your policy set to select auto Zscaler DC, depends your public IP you may redirect to different DC. which may give different results based on the routing path.

Re: Bandwidth issues with Zscaler clients behind FTD1120

Michael Bartholomæussen — Thu, 12 Feb 2026 09:34:51 GMT

Both in our Lab and Prod we connect to the same ZS DC, CPH02, route paths are the same. There are differences in rules, but it very generic ACEs as they were lifted from an ASA on the FTD a couple of years ago. No IDS/IPS on the prod firewall for egress traffic.

OS versions are the same.

I'm beginning to suspect packet defrag on the firewall or maybe the client. To my knowledge ZCC does PMTUD, but perhaps it's not working as expected?

Re: Bandwidth issues with Zscaler clients behind FTD1120

Michael Bartholomæussen — Tue, 17 Feb 2026 07:18:43 GMT

With the latest testing on the firewall, I've configured our ISP used for backup traffic as an additional outside zone. With PBR via the secondary ISP, I've tested ZS from a single client. The download speed via the secondary ISP is performing just as well as in our lab and test firewall. To test throughput via the secondary ISP, a new NAT and ACE was configured, together with the routing and PBR.

With this it leads me to believe that some programming in hardware have gone wrong.

For a client on the "bad" ISP, i did a trace (system support trace), and captured the logon to ZS and a download. No errors in the trace. It does identify traffic as Office, Teams, Azure Auth, Microsoft, Zscaler, for the same src - dst. We're not using application inspection on ingress/egress public traffic, so i don't think this matters.

Re: Bandwidth issues with Zscaler clients behind FTD1120

balaji.bandi — Tue, 17 Feb 2026 08:20:05 GMT

Looks for me - Path MTU (Maximum Transmission Unit) Discovery (PMTUD) failure or fragmentation issues on the Cisco FTD

, as far as I know - Zscaler Client Connector (ZCC) wraps traffic in its own tunnel (Tunnel v1 uses HTTP CONNECT/TCP, Tunnel v2 uses DTLS/UDP), it adds overhead.

try adjusting the MTU to a lower value, such as 1370 or 1400 (default is often 1500)

Try TLS, only see if that helps here.

Even though the fast path enables you to make changes for ICMP

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/advanced-access-prefilter.html

also refer zscaler path optimisation :

https://help.zscaler.com/zia/determining-the-optimal-mtu-for-gre-or-ipsec-tunnels

if possible bypass the firewall and test is this speed are ok ?

Re: Bandwidth issues with Zscaler clients behind FTD1120

mgrzesia — Tue, 17 Feb 2026 08:34:09 GMT

Hi @Michael Bartholomæussen
If you suspect the FW drops the packets, capture the packets before and after the FW.

Choose a file to download, not to big, not to small.
Check what is the Zscaler IP.
Capture the traffic between the PC and the ZS - on FTD inside and primary ISP (here FTD outside IP -> ZS IP).
Switch PBR.
Capture the traffic between the PC and the ZS - on FTD inside and backup ISP(here FTD outside backup IP -> ZS IP).

If there is a difference in throughput, there must be a difference seen in the captures.
You need sync the inside to outside captures, to make sure you are looking at the same TCP flow. You can use timestamps to find the relevant tcp source ports. You can also find the source ports numbers from the commands taken during the transfer:

show conn long detail address <PC IP> address <ZS IP>
show xlate local <PC IP>

- Filter the captures for the relevant TCP ports.
- Compare inside and outside captures for number of packets. The number of captured packets should be the same.
- Compare the TCP handshake for primary and backup - MSS advertised, round trip time.
- Compare the TCP statistics in Wireshark - throughput, TCP receive window size.

Cisco FW TAC can help you with the analysis of the TCP packets flow through the FW - from a through the box TCP flow perspective.
If you are not able to find anything from the FW perspective, then ask ZS support for help with tshooting from client perspective.

I don't like troubleshooting throughput, but I hope it helps!