Discover the essential guidelines for effectively troubleshooting the Cloudi-Fi captive portal solution when integrated into a Zscaler environment.
Overview
This guide provides steps to resolve common issues and ensure a seamless integration experience. Let's get started!
Instructions
Scenario 1 - Revoke authorization of a device
You may need to revoke the authorization of a device to display the portal again. Visit Delete a guest session in the Cloudi-Fi captive portal with Zscaler back-office for instructions on how to do this.
Scenario 2 - Unable to associate with the SSID or limited connectivity
If users experience difficulties associating with the SSID or encounter limited connectivity, they should first verify their private IP:
- If the IP appears as 168.254.X.X or if there is no private IP, it indicates a potential problem with the DHCP server
- In such cases, it is essential to check the DHCP Server and Layer2 connectivity within the LAN
Scenario 3 - Captive portal doesn’t show up
To address connectivity issues effectively, follow these steps:
- Disable cellular connectivity on your phone to prioritize WiFi
- Confirm if http://ip.zscaler.com/ displays "Zscaler protects you." If not, check local routing and the VPN tunnel.
- Request the user to access http://3wi.fi or http://neverssl.com for portal redirection.
- If you encounter two different websites instead of the portal, you might already be authenticated. Use " Scenario 1 - Revoke authorization of a device" to resolve this.
- If unable to revoke authorization, note your private IP and check Zscaler logs (Filter by "Client IP" in Zscaler UI Analytics Web Insight Logs).
- From the Zscaler admin console, check whether the private IP has already been assigned to a user token. If this is the case, it indicates that an IP address that was previously allowed has been reassigned to another user.
- Ensure the DHCP scope has enough IPs for all guests, with a lease time equal to or higher than the Cloudi-Fi session lifetime (the Portal's session lifetime, depending on the portal).
Scenario 4 - Unable to browse the internet
This issue can have various causes, from local network problems to Internet peering or DNS resolution issues. To troubleshoot:
- Disable cellular connectivity on your phone to prioritize WiFi
- Access http://ip.zscaler.com/
- If these pages don't display, it might indicate DHCP or DNS server problems. For further assistance, refer to the section Information to Provide to Cloudi-Fi Support. If your DHCP and DNS are fine, follow the steps of the section and reach out to Cloudi-Fi support
- If these pages load correctly, the issue could be authentication/authorization-related. In such cases, visit http://3wi.fi or http://neverssl.com. If not authenticated, you'll be redirected to the captive portal, which will grant Internet access upon successful login.
Scenario 5 - Error during the authentication process
Developer tools are utilized to gain insights into web requests made in the browser. To activate them in popular browsers like Firefox, Chrome, IE, and Edge, click on F12, go to the Network tab, and check "Persist logs" and "Disable cache."
To capture the data:
- Connect your PC to the SSID; the portal should appear automatically
- If not, it may indicate an issue with redirection
- Open a new tab, activate developer tools (F12), and visit http://3wi.fi
- You should be redirected to the captive portal, where you can log in as usual
- After troubleshooting or facing an error, export the logs from the developer tools
Provide these logs to Cloudi-Fi support for analysis. In some cases, more advanced debug logs might be necessary, requiring a Wireshark capture to retrieve all network packets, not just web requests.
Scenario 6 - The portal displayed is not the correct portal
When the user's location cannot be recognized, we display the default portal of the company account. To verify which location is detected, use the following methods:
- Cloudi-Fi Visit Menu:
If the user is authenticated on the portal:
- Go to Cloudi-Fi interface. Visits
- Search for the user's name, phone number, or email address (depending on the portal)
- The location will be displayed, and "Default" indicates an unrecognized location
- Default Location:
If a user is assigned to the "Default" location, they will see the default company portal( configured in Cloudi-Fi interface Settings Global Settings).
This behavior may occur if you have excluded Cloudi-Fi's public IP from your VPN and the public IP seen by Cloudi-Fi is not assigned to any location. To address this:
- Go to Cloudi-Fi interface Visits, search for the user, and note the "Source IP”
- Verify in Cloudi-Fi interface Location if this IP is assigned to a location
You can now route the Cloudi-Fi public IP in the Zscaler VPN. This eases the VPN configuration and avoids this kind of error. Before proceeding, contact Cloudi-Fi support to ensure your account is ready for this change.
Scenario 7 - Web surfing is slow
To provide more details on your configuration, please share information about any existing tunnels, such as GRE/IPsec, including the source and destination IP addresses of the tunnel.
If possible, submit a ticket directly to Zscaler support, and provide the output of the performed tests. Specify your Zscaler Company ID, which can be found in the Zscaler interface under Administration > Company Profile > Company ID.
To help diagnose the slowness issue, we request a screenshot from the ip.zscaler.com website when the problem occurs.
For a thorough assessment of Zscaler's impact on your network performance, follow these steps:
- Download a 100 MB file from https://www.azurespeed.com/Azure/Download, selecting a source suitable for your location.
- During the download process, capture packets using Wireshark. Save the file after completion and attach it to this case. For valid testing, perform the download twice – once with Zscaler enabled and once with Zscaler disabled (outside your tunnel). We require two files to compare performance.
- For accurate testing, both tests should be performed from the same network (either corporate or guest network). Do not conduct one test from the corporate network and another from the guest network.
- Additionally, run an MTR test from your location to the Zscaler Data Center. Ensure a minimum of 300 packets and conduct the test outside the Zscaler tunnel. This helps review your connection path.
You can also contact Cloudi-Fi support for any doubts.
Information to provide to Cloudi-Fi support
If you're experiencing issues with the captive portal not showing up and being unable to browse the Internet, we recommend capturing a Wireshark trace before contacting Cloudi-Fi support.
To gather this troubleshooting information, follow these steps:
- Download Wireshark from https://www.wireshark.org/#download.
- Install Wireshark on your Mac, Linux, or Windows computer.
- Launch Wireshark and start capturing on your computer's WiFi interface.
- Connect to the Guest's SSID.
- Attempt to access http://3wi.fi/ and http://neverssl.com/.
- Stop the Wireshark capture, save it in PCAP format, and send it to Cloudi-Fi support along with the location name.
- You can submit this information through https://admin.cloudi-fi.net/ with the botnet.
Additionally, please provide more details about your configuration to assist us in resolving the issue effectively.