We are deploying a new VoIP system through our network. We are using Ribbon SBC 100. We also have recently deployed a new SASE firewall on the network, Zscaler. The problem is when we turn on the Zscaler tunnel on the specific network, the SBC drops the connection. With Zscaler enabled, the “SIP/2.0 200 OK” isn’t being returned to the SBC when it sends out the OPTIONS packets. The way Zscaler works is it sends outbound traffic to Zscaler to be inspected and then returns, but with a different IP. The SBC does not recognize this traffic and therefore drops it.
The solution we were looking into is to bypass the Zscaler tunnel completely and set up a split tunnel. We are not sure how to do this though. We are using Meraki MX-100 for smaller sites and an MX-250 for larger sites. We have a GRE Cisco 891F we have to test as well.
Any help would be appreciated!
Did you find this KB article? https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)
Sorry, I get a "Page not found" error message.
Thank you, I found this article: ZIA & Application Layer Gateway Enabled Applications
How do we bypass Zscaler by changing the configuration on the firewall or router when configuring your GRE or IPSec tunnel?
Are your Zscaler tunnels stood up between your MXs and the Zscaler datacenters? Or does the internet/Zscaler-bound traffic traverse a Meraki AutoVPN tunnel back to a head-end somewhere?
I think it's the first one, we are using an IPSec tunnel, though we are looking into switching to GRE if needed.
MX does not support GRE - IPsec is indeed the protocol to use.
We have a Cisco 800 series we are looking to add to our setup if GRE is required.
We have resolved this issue by bypassing the VoIP VLAN from the Zscaler tunnel altogether.