🔧 How to Troubleshoot Zscaler Client Connector (ZCC) Logs

Audience: IT support staff and engineers

Purpose: Help you quickly locate and resolve application or connectivity issues using ZCC logs and basic diagnostic tools.

🧰 Step 1: Orientation Before You Dive In

Before jumping into logs:

  • Make sure support staff understands PAC files (used for web traffic routing) and how they work with ZCC.

  • Know the basics of Z-Tunnel 1.0 vs 2.0, even if you don’t manage tunnels directly.

  • Understand that PCAPs (packet captures) can be aligned with ZCC logs by timestamp, even without deep packet inspection skills.


📂 Step 2: Open and Search ZCC Logs Like a Pro

Unzip the logs and open the most recent ZSATunnel.log file.

Use a good text reader: Notepad++ is great, but for even easier navigation, try cmtrace.exe (from Microsoft Endpoint Configuration Manager). It’s a lightweight, high-speed log viewer that highlights errors automatically.

🔍 Search for keywords:

  • Exception

  • Fail

  • Error

  • Down

  • Crashed

  • Invalid

  • Compromised

  • Detected

➡️ Pro Tip: Look 5–10 lines above and below any match; the cause often sits nearby.


🌐 ZIA-Specific Log Checks

When troubleshooting Zscaler Internet Access (ZIA):

  • Search for FindProxyForURL to see how URLs are routed.

  • Check PAC Parse Host and PAC Parse Action for logic issues in the PAC file.


🔒 ZPA-Specific Log Checks

When working with Zscaler Private Access (ZPA) logs, these terms are gold:

Keyword                  | Why it Matters
-------------------------|---------------------------------------------------------------
QRY=SRV(33)              | DNS lookups for Active Directory; check against PCAP for match
mtunnel                  | Core ZPA tunnel status
NXDOMAIN                 | DNS failure (non-existent domain)
ERR Connection to ZPN    | Tunnel routing failure
100.64.0.6               | Sign of firewall or AV interference with SYN packets
Connection Reset by Peer | Session closed by remote system
ZPA Session Status Codes | Always worth reviewing for policy or network mismatches
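
The keyword search from Step 2 and the ZIA/ZPA keyword lists above can be run in one pass. This is an added example, not part of the original article or any Zscaler tooling: the function names are hypothetical and the sample lines are constructed, not real ZCC output. "ZPA Session Status Codes" is left out because the page gives no literal string for it.

```python
import re
import sys

# Keywords from this page, grouped by section; matched as literal, case-insensitive substrings.
KEYWORDS = {
    "general": ["Exception", "Fail", "Error", "Down", "Crashed",
                "Invalid", "Compromised", "Detected"],
    "zia": ["FindProxyForURL", "PAC Parse Host", "PAC Parse Action"],
    "zpa": ["QRY=SRV(33)", "mtunnel", "NXDOMAIN", "ERR Connection to ZPN",
            "100.64.0.6", "Connection Reset by Peer"],
}
PATTERNS = {g: re.compile("|".join(map(re.escape, w)), re.I) for g, w in KEYWORDS.items()}

# Constructed sample lines, not real ZCC output (the real line layout differs).
SAMPLE = ["10:00:01 start", "10:00:02 QRY=SRV(33) _ldap._tcp.example.test", "10:00:03 NXDOMAIN",
          "10:00:04 idle", "10:00:05 idle", "10:00:06 idle", "10:00:07 Connection reset by peer"]

def find_hits(lines):
    """Return {line_no: ["group:match", ...]} for every keyword occurrence."""
    hits = {}
    for no, line in enumerate(lines, start=1):
        tags = [f"{g}:{m.group(0)}" for g, p in PATTERNS.items() for m in p.finditer(line)]
        if tags:
            hits[no] = tags
    return hits

def context_windows(hit_lines, total, radius=10):
    """Merge the +/- radius ranges around hits into non-overlapping spans."""
    spans = []
    for no in sorted(hit_lines):
        start, end = max(1, no - radius), min(total, no + radius)
        if spans and start <= spans[-1][1] + 1:
            spans[-1] = (spans[-1][0], max(spans[-1][1], end))
        else:
            spans.append((start, end))
    return spans

def report(lines, radius=10):
    """Build the report: each merged span, with matching lines tagged."""
    hits, out = find_hits(lines), []
    for start, end in context_windows(hits, len(lines), radius):
        out.append(f"--- lines {start}-{end} ---")
        for no in range(start, end + 1):
            tags = "  <-- " + ", ".join(hits[no]) if no in hits else ""
            out.append(f"{no:6d} {lines[no - 1]}{tags}")
    return out

if __name__ == "__main__":  # optional argument: path to an unzipped ZSATunnel.log
    src = open(sys.argv[1], errors="replace").read().splitlines() if sys.argv[1:] else SAMPLE
    print("\n".join(report(src)))
```

Matching is by substring, as in a text editor search, so "Down" also tags lines containing "download"; read the tagged line in its context before treating it as a fault.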

🖥️ Ronnie Meekers, a longtime Zscaler partner, recommends:

Run netstat -an 1 | find /I "SYN" on Windows or similar commands on macOS to find apps using hardcoded IPs. These often bypass ZPA, especially in legacy VPN environments.


🧠 Helpful Community Tips

📚 Original Article: Learning How to Troubleshoot ZCC – Zscaler Community


📤 Sharing Logs with Support

  1. Open ZCC > click the gear icon.

  2. Select “About” > “Collect Logs.”

  3. Save the ZIP file and email it to your SecureDynamics engineer or support contact.


We are Zscaler Delivery Services Authorized, providing the best deployment experience possible.
Thanks for choosing SecureDynamics, Zscaler's most trusted and comprehensive partner.