Meraki

Community

Looking to setup split tunnel on Meraki network to bypass Sase Zscaler firewall for specific Vlan

uttonw
Conversationalist
‎Mar 2 2023 8:40 AM
‎Mar 2 2023 8:40 AM

Looking to setup split tunnel on Meraki network to bypass Sase Zscaler firewall for specific Vlan

We are deploying a new VoIP system through our network. We are using Ribbon SBC 100. We also have recently deployed a new Sase Firewall on the network, Zscaler. The problem is when we turn on the Zscaler tunnel on the specific network, the SBC drops the connection. With Zscaler enabled, the “SIP/2.0 200 OK” isn’t being returned to the SBC when it sends out the OPTIONS packets. The way Zscaler works is it sends outbound traffic to Zscaler to be inspected and then returns, but with a different IP. The SBC does not recognize this traffic and therefore drops it.

 

The solution we were looking into is to bypass the Zscaler tunnel completely and set up a split tunnel. We are not sure how to do this though. We are using Meraki MX-100 for smaller sites and an MX-250 for larger sites. We have a GRE Cisco 891F we have to test as well.

 

Any help would be appreciated!

Will Utton
Labels:
0 Kudos
9 Replies 9
GreenMan
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Mar 2 2023 8:54 AM
‎Mar 2 2023 8:54 AM

Did you find this KB article?    https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)

0 Kudos
In response to GreenMan
uttonw
Conversationalist
‎Mar 2 2023 8:57 AM
‎Mar 2 2023 8:57 AM

Sorry, I get a "Page not found" error message.


2023-03-02_11-57-01.png 

Will Utton
0 Kudos
In response to uttonw
GreenMan
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Mar 2 2023 9:16 AM
‎Mar 2 2023 9:16 AM

Sorry - try this:    https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2... 

0 Kudos
In response to GreenMan
uttonw
Conversationalist
‎Mar 2 2023 10:26 AM
‎Mar 2 2023 10:26 AM

Thank you, I found this article: ZIA & Application Layer Gateway Enabled Applications

 

How do we bypass Zscaler by changing the configuration on the firewall or router when configuring your GRE or IPSec tunnel?

Will Utton
0 Kudos
In response to uttonw
Crocker
A model citizen
‎Mar 2 2023 11:07 AM
‎Mar 2 2023 11:07 AM

Are your zScaler tunnels stood up between your MX's and the zScaler datacenters? Or does the internet/zScaler-bound traffic traverse a Meraki AutoVPN tunnel back to a head-end somewhere?

0 Kudos
In response to Crocker
uttonw
Conversationalist
‎Mar 3 2023 5:23 AM
‎Mar 3 2023 5:23 AM

I think its the first one, we are using an IPSec tunnel, though we are looking into switching to GRE if needed.

2023-03-03_8-20-00.png

Will Utton
0 Kudos
In response to uttonw
GreenMan
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Mar 3 2023 5:49 AM
‎Mar 3 2023 5:49 AM

MX does not support GRE - IPsec is indeed the protocol to use

0 Kudos
In response to GreenMan
uttonw
Conversationalist
‎Mar 3 2023 5:54 AM
‎Mar 3 2023 5:54 AM

We have a Cisco 800 series we are looking to add to our set up if GRE is required.

Will Utton
0 Kudos
uttonw
Conversationalist
‎Mar 20 2023 10:54 AM
‎Mar 20 2023 10:54 AM

We have resolved this issue by bypassing the VoIP VLan from the Zscaler tunnel altogether. 

Will Utton
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.