Looking to set up split tunnel on Meraki network to bypass SASE Zscaler firewall for specific VLAN

uttonw
Conversationalist

We are deploying a new VoIP system through our network. We are using Ribbon SBC 100. We also have recently deployed a new SASE firewall on the network, Zscaler. The problem is when we turn on the Zscaler tunnel on the specific network, the SBC drops the connection. With Zscaler enabled, the "SIP/2.0 200 OK" isn't being returned to the SBC when it sends out the OPTIONS packets. The way Zscaler works is it sends outbound traffic to Zscaler to be inspected and then returns, but with a different IP. The SBC does not recognize this traffic and therefore drops it.
The solution we were looking into is to bypass the Zscaler tunnel completely and set up a split tunnel. We are not sure how to do this though. We are using Meraki MX-100 for smaller sites and an MX-250 for larger sites. We have a GRE Cisco 891F we have to test as well.
Any help would be appreciated!

Will Utton
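The failure described in the post, as an added example that is not part of the thread or of any Ribbon or Zscaler code: the SBC sends OPTIONS to a trunk peer and will only accept a "SIP/2.0 200 OK" that comes back from the peer address it sent to. When the VoIP VLAN's traffic goes out through the cloud proxy, the reply arrives from the proxy's egress IP instead, so a strict SBC discards it. The script models that source-IP check over a constructed SIP response and shows how an egress policy that sends a VLAN direct (the split-tunnel bypass) restores the keepalive. All IP addresses, VLAN numbers and the SIP message are constructed sample data.

```python
import re

# Constructed sample addresses (not from the thread).
SBC_IP = "192.0.2.10"            # SBC sitting in the VoIP VLAN
SIP_PEER_IP = "198.51.100.20"    # trunk peer the SBC sends OPTIONS to
PROXY_EGRESS_IP = "203.0.113.5"  # cloud-proxy egress address seen on replies

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


def parse_sip_status(raw: str):
    """Return (code, reason) from the status line of a SIP response, or None
    when the first line is not a response status line (e.g. it is a request)."""
    first = raw.split("\r\n", 1)[0].strip()
    m = STATUS_LINE.match(first)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def sbc_accepts(expected_peer: str, reply_src: str, raw_reply: str,
                strict_source: bool = True) -> str:
    """Model a strict SBC's handling of an OPTIONS reply.

    With strict_source=True (the behaviour the post describes) a reply is only
    accepted when it arrives from the configured peer; anything else is dropped
    before the SIP payload is even looked at. strict_source=False shows the
    alternative of trusting replies from other addresses, which also weakens the
    peer-identity check, so the VLAN bypass is the safer fix.
    """
    if strict_source and reply_src != expected_peer:
        return "dropped:source-mismatch"
    parsed = parse_sip_status(raw_reply)
    if parsed is None:
        return "dropped:not-a-response"
    code, _reason = parsed
    if not 200 <= code < 300:
        return "dropped:not-2xx"
    return "accepted"


def egress_path(vlan: int, bypass_vlans: set) -> str:
    """Egress policy: VLANs in the bypass set go direct, everything else is
    forwarded through the SASE tunnel (hypothetical policy model)."""
    return "direct" if vlan in bypass_vlans else "sase"


# Constructed reply the peer sends to the SBC's OPTIONS keepalive.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    f"Via: SIP/2.0/UDP {SBC_IP}:5060;branch=z9hG4bK-keepalive-1\r\n"
    "Content-Length: 0\r\n\r\n"
)


def simulate_keepalive(voip_vlan: int, bypass_vlans: set):
    """Return (path, verdict) for one OPTIONS/200 OK exchange under a policy.
    Through the proxy the reply's source becomes the proxy egress address."""
    path = egress_path(voip_vlan, bypass_vlans)
    reply_src = SIP_PEER_IP if path == "direct" else PROXY_EGRESS_IP
    return path, sbc_accepts(SIP_PEER_IP, reply_src, SAMPLE_200_OK)


if __name__ == "__main__":
    voip_vlan = 30  # constructed VLAN number
    print("no bypass :", simulate_keepalive(voip_vlan, set()))
    print("VLAN 30 bypassed:", simulate_keepalive(voip_vlan, {voip_vlan}))
```

Running it prints the dropped verdict for the tunneled path and "accepted" once the VoIP VLAN is in the bypass set, which is the outcome the thread ends on. The same source-versus-peer comparison is a useful thing to log on the SBC side when diagnosing a trunk that goes down right after a proxy or NAT change.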
GreenMan
Meraki Employee
uttonw
Conversationalist

Sorry, I get a "Page not found" error message.

[attached screenshot: 2023-03-02_11-57-01.png]

Will Utton
uttonw
Conversationalist

Thank you, I found this article: ZIA & Application Layer Gateway Enabled Applications
How do we bypass Zscaler by changing the configuration on the firewall or router when configuring your GRE or IPSec tunnel?

Will Utton
Crocker
Building a reputation

Are your Zscaler tunnels stood up between your MXs and the Zscaler datacenters? Or does the internet/Zscaler-bound traffic traverse a Meraki AutoVPN tunnel back to a head-end somewhere?

uttonw
Conversationalist

I think it's the first one, we are using an IPsec tunnel, though we are looking into switching to GRE if needed.

[attached screenshot: 2023-03-03_8-20-00.png]

Will Utton

MX does not support GRE. IPsec is indeed the protocol to use.

uttonw
Conversationalist

We have a Cisco 800 series we are looking to add to our setup if GRE is required.

Will Utton
uttonw
Conversationalist

We have resolved this issue by bypassing the VoIP VLAN from the Zscaler tunnel altogether.

Will Utton