Heads Up :
The post you are writing will appear in a public forum. Please ensure all content is appropriate for public consumption. Review the employee guidelines for the community here.
You could use routing with metrics to accomplish that. You could, for instance, use BGP with local preferences to have routes over both fabrics with the preferred method having the higher local.
We are using Zscaler as well. We route to primary and backup GRE tunnels, then use a bypass filter for our services that need to bypass Zscaler and come from a static source address. So the basic statement on the vEdges is:ip gre-route 0.0.0.0/0 vpn ...
From the tools page of the MX, can you ping the MS? I would also look through the logs of the MX and see if you can see anything in the logs. You can filter by types or filter by the MAC address of the MS switch port.
