
ZSCALER AND CISCO SD-WAN

DEPLOYMENT GUIDE

DECEMBER 2021, VERSION 5.1 BUSINESS DEVELOPMENT GUIDE


ZSCALER AND CISCO SD-WAN DEPLOYMENT GUIDE

Contents
Terms and Acronyms 8

About This Document 9


Zscaler Overview 9
Cisco Overview 9
Audience 9
Hardware Used 9
Software Revisions 10
Request for Comments 10
About the Guide 10
Zscaler and Cisco Introduction 11
ZIA Overview 11
ZPA Overview 11
Zscaler Resources 11
Cisco SD-WAN 12
Cisco Resources 12
Define 13
Cisco SD-WAN Design Overview 13
Feature Background and History 13
Support through Cisco SD-WAN 20.3 and Cisco IOS XE SD-WAN 17.3 release versions (Manual Active/Standby Tunnels and L7 Health Checking) 13
Cisco SD-WAN 20.4 and Cisco IOS XE SD-WAN 17.4 release versions (Active/Active ECMP Tunnels and Traffic Steering through Centralized Data Policy) 14
Cisco SD-WAN 20.5 and Cisco IOS XE SD-WAN 17.5 release versions (Zscaler Automatic IPSec Tunnel Provisioning) 14
Cisco SD-WAN 20.6 and Cisco IOS XE SD-WAN 17.6 release versions (L7 Health Checks for IPSec Auto Tunnels for Cisco IOS XE SD-WAN routers) 14

©2022 Zscaler, Inc. All rights reserved. 1


Design 15
GRE and IPSec Tunnels 15
Tunnel Liveliness 15
GRE Keepalives and DPD 15
Layer 7 Health Checks 16
Zscaler Active/Standby Tunnel Combinations 16
One Active/Standby Tunnel Pair 16
Multiple Active/Active Tunnels with Equal-Cost Multi-Path 17
Multiple Active/Standby Tunnel Pairs 18
Active/Active Tunnels with Weighted Load Balancing 18

User Traffic Redirection 19


SIG Service 19
New SIG Workflow 20

Automatic IPSec Tunnels 22


Advanced Settings for Zscaler Auto Tunnels 24
Layer 7 Health Check for Auto Tunnels 25
General Configuration Steps 25
Configuration Prerequisites 26

Design Considerations 26
Basic 26
ZIA Admin Portal 26
ECMP Tunnels 26
Auto Tunnels 27
L7 Health Checks 27
GRE Keepalives 27
Cisco IOS XE SD-WAN 27
Cisco vEdge 27
Additional Features 27


Deploy 28
Deploy: ZIA for API Access 28
Procedure 1: Log Into ZIA 29
Procedure 2: Find Zscaler Organization Domain and Partner Base URI 29
Procedure 3: Add and Verify SD-WAN Partner Key 31
Procedure 4: Add a Partner Administrator Role 34
Procedure 5: Create a Partner Administrator 36
Procedure 6: Activate Pending Changes 39

Deploy: Cisco WAN Edge Prerequisites 40


Procedure 1: Log into Cisco vManage Console 40
Procedure 2: Ensure Prerequisites are Met 40
Procedure 3: Create a SIG Credentials Feature Template 41

Deploy: Cisco WAN Edge Auto IPSec Tunnels (One Active/Standby Pair, Hybrid Transport) 44
Procedure 1: Create a SIG Template 45
Procedure 2: Add the Tunnel Configuration to the Device Template 48
Procedure 3: Add Service Route 50
Procedure 4: Verify Tunnel Operation 51
Procedure 5: Customize L7 Health Tracker (optional) 52
Procedure 6: Enable Advanced Zscaler Features (optional) 54
Procedure 7: (Optional) Customize Zscaler Tunnel Destination (Primary and Secondary Data Centers) 57

Deploy: Cisco WAN Edge Auto IPSec Tunnels (Active/Active Tunnels, Hybrid Transport) 60
Procedure 1: Create two loopback interfaces, one for each active tunnel (Cisco IOS XE SD-WAN only) 61
Procedure 2: Create a local policy-based routing policy (Cisco IOS XE SD-WAN only) 62
Procedure 3: Create a new SIG feature template with 2 active tunnels (Cisco IOS XE SD-WAN only) 64
Procedure 4: Modify Device Template 65


Procedure 5: Add Centralized Data Policy instead of Service Route 67


Procedure 6: Assign Tunnel Weights (optional) 72

Operate 73
Verify Cisco SD-WAN Tunnel Operation from the Cisco vManage Console 73
Verify Cisco SD-WAN Event Logs from the Cisco vManage Console 74
Verify Zscaler Tunnel Status in ZIA Admin 75
Verify Zscaler Tunnel Event Logs in ZIA Admin 76
Tunnel Logging 76

View API Calls in Zscaler ZIA (Audit Logs) 76


Verify Zscaler ZIA Service Configuration 78
Verify Zscaler Tunnel Operation Using Cisco IOS XE SD-WAN CLI 78
Verify Zscaler Tunnel Operation using Cisco vEdge CLI 82
Appendix A: Cisco Branch Base Feature Templates and Configuration Values Used 87
Feature Templates 87
AAA feature template (Cisco IOS XE SD-WAN) 87
AAA feature template (Cisco vEdge) 87
NTP Feature Template 88
Branch VPN0 Feature Template 88
Branch Internet Interface Feature Template (Cisco IOS XE SD-WAN) 88
Branch Internet Interface Feature Template (Cisco vEdge) 89
Branch MPLS Interface Feature Template 89
Branch VPN512 Interface Feature Template 89
Branch VPN 1 Feature Template 90
Branch VPN1 Interface Feature Template 90

Device Templates 90
Single WAN Edge Router Sites (Cisco IOS XE SD-WAN) 90
Single WAN Edge Router Sites (Cisco vEdge) 91

Device Variable Values 91


Appendix B: Tunnel Configuration Summary (Feature and Device Templates) 93


Prerequisites 93
Cisco VPN Interface Ethernet Feature Template 93
Cisco VPN Feature Template 93
Cisco VPN Feature Template 93
SIG Credential Information from ZIA 94
Cisco SIG Credentials Feature Template 94

Example 1: Active/Standby Tunnels 95


Cisco Secure Internet Gateway (SIG) Feature Template 95
Device Template 95

Example 2: Active/Active Tunnels (Cisco IOS XE SD-WAN Only) 96


Cisco VPN Interface Ethernet Feature Template 96
Cisco VPN Interface Ethernet Feature Template 96
Cisco CLI Add-On Feature Template 97
Cisco Secure Internet Gateway (SIG) Feature Template 97
Device Template 98

Traffic Redirection 98
Service Route 98
Branch VPN1 Feature Template 98
Centralized Policy 98

Miscellaneous 99
Customize Health Tracker 99
Enable Advanced Zscaler Features 99
Customize Zscaler Tunnel Destinations (Primary and Secondary DCs) 99
Assign Tunnel Weights (Use with Active/Active Tunnels) 100

Appendix C: Cisco IOS XE SD-WAN CLI Configuration 101


Base Connectivity 101
Prerequisites 105


Common Tunnel Components 105


SIG Credentials 105
IKEv2 and IPSec Configuration 105
Zscaler Location Settings 107
L7 Health Check Configuration 107

Use Case Example 1: Active/Standby Tunnels 108


IPSec Tunnels Defined 108
Zscaler Tunnel Options 109
Service SIG Interface Pairs HA Pair Configuration 109

Use Case Example 2: Active/Active Tunnels 109


Tunnel Source Loopbacks Defined 109
Local Policy Route (for ISAKMP control traffic) 109
IPSec Tunnels Defined 110
Zscaler Tunnel Options 111
Service SIG Interface Pairs HA Pair Configuration 111

Traffic Redirection 111


Service SIG Route 111
Service SIG Data Policy (apply to Cisco vSmart) 111

Miscellaneous 114
Customize Health Tracker 114
Enable Advanced Zscaler Features 114
Customize Zscaler Tunnel Destinations (Primary and Secondary DCs) 114
Assign Tunnel Weights (Use with Active/Active Tunnels) 114

Appendix D: Cisco vEdge CLI Configuration 115


Base Connectivity 115
Prerequisites 117
Use Case Example 1: Active/Standby Tunnels 118
IPSec Tunnels Defined 118
Service SIG Interface Pairs HA Pair Configuration 120
SIG Credentials 120

Traffic Redirection 120


Service SIG Route 120
Service SIG Data Policy (apply to Cisco vSmart) 120

Miscellaneous 123
Customize Health Tracker 123
Enable Advanced Zscaler Features 123
Customize Zscaler Tunnel Destinations (Primary and Secondary DCs) 123

Appendix E: Requesting Zscaler Support 124


Save Company ID 125
Enter Support Section 126
Appendix F: Document Revision Control 127


Terms and Acronyms


The following table defines acronyms used in this deployment guide. When applicable, a Request for Comments (RFC) is included in the Definition column for your reference.

Acronym Definition
Cisco vBond Cisco SD-WAN Orchestrator, which facilitates the initial bring-up authentication and authorization of the network elements.
Cisco vEdge Cisco SD-WAN a Cisco vEdge Cloud router.
Cisco vManage console Cisco SD-WAN centralized network management system that provides an interface and REST APIs to monitor, configure, and maintain all Cisco SD-WAN devices in the overlay network.
Cisco vSmart Cisco SD-WAN centralized controller for control and data policies.
DIA Dedicated Internet Access
DLP Data Loss Prevention
DPD Dead Peer Detection (RFC 3706)
DTLS Datagram Transport Layer Security (RFC 6347)
ECMP Equal-cost Multi-path
ESP Encapsulating Security Payload
GRE Generic Routing Encapsulation (RFC 2890)
IKE Internet Key Exchange (RFC 2409)
INET Internet Networking
IPS Intrusion Prevention System
IPSec Internet Protocol Security (RFC 2411)
ISAKMP Internet Security Association and Key Management Protocol
NAT-T Network Address Translation Traversal
NMS Network Management System
NTP Network Time Protocol
OAM Operation, Administration, and Management
OMP Overlay Management Protocol (Cisco SD-WAN)
PAT Port Address Translation
PBR Policy-based Routing
PFS Perfect Forward Secrecy
SIG Secure Internet Gateway
SSL Secure Sockets Layer (RFC 6101)
TLS Transport Layer Security (RFC 5246)
URI Uniform Resource Identifier
VDI Virtual Desktop Infrastructure
VRF Virtual Routing and Forwarding
WAN Edge Cisco SD-WAN router solution
XFF X-Forwarded-For (RFC 7239)
ZIA Zscaler Internet Access (Zscaler)
ZPA Zscaler Private Access (Zscaler)


About This Document

Zscaler Overview
Zscaler (NASDAQ: ZS) enables the world’s leading organizations to securely transform their networks and applications for a mobile and cloud-first world. Its flagship Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create fast, secure connections between users and applications, regardless of device, location, or network. Zscaler delivers its services 100% in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional appliances or hybrid solutions can’t match. Used in more than 185 countries, Zscaler operates a massive, global cloud security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. To learn more, see Zscaler’s website or follow Zscaler on Twitter @zscaler.

Cisco Overview
Cisco (NASDAQ: CSCO) helps seize the opportunities of tomorrow by proving that amazing things can happen when you
connect the unconnected. An integral part of our DNA is creating long-lasting customer partnerships, working together to
identify our customers’ needs and provide solutions that fuel their success.

Cisco has preserved this keen focus on solving business challenges since its founding in 1984. Len Bosack and wife Sandy
Lerner, both working for Stanford University, wanted to email each other from their respective offices, but technological
shortcomings did not allow such communication. A technology had to be invented to deal with disparate local area
protocols, and as a result of solving their challenge, the multiprotocol router was born.

Audience
This document is designed for network engineers and network architects interested in configuring and integrating ZIA
access with Cisco WAN edge routers. It assumes the reader has a basic comprehension of IP networking and is familiar
with Cisco SD-WAN concepts and configurations. For more information, see:

• Zscaler Resources
• Cisco Resources
• Appendix E: Requesting Zscaler Support

Hardware Used
To create this document, Cisco WAN edge router solutions were tested in various use cases. They include a C8300-1N1S-6T, ISR4331, ISR1100-4G (Cisco Viptela), and Cisco vEdge 100b.


Software Revisions
The following products and software versions are included as part of validation in this deployment guide. This validated
set is not inclusive of all possibilities.

Product/Part Number Software Version


Zscaler ZIA 6.1
Cisco vManage console 20.6.1
Cisco ISR4331 17.6.1a
Cisco C8300-1N1S-6T 17.6.1a
Cisco ISR1100-4G (Cisco Viptela) 20.6.1
Cisco vEdge 100b 20.6.1
Cisco 5.1 December 2021 (Updated formatting and edited for style)

Request for Comments


• For prospects and customers: Zscaler values reader opinions and experiences. Contact partner-doc-support@zscaler.com to offer feedback or corrections for this guide.
• For Zscaler employees: Contact [email protected] to reach the team that validated and authored the integrations in this document.

About the Guide


This document provides technical and configuration guidance for integrating ZIA and Cisco SD-WAN, successfully using
the capabilities provided by Cisco vManage console version 20.6, Cisco vEdge version 20.6, and Cisco IOS XE SD-WAN
Edge version 17.6. It includes examples to show how to provision a new service to integrate ZIA and Cisco SD-WAN IPSec
tunnels. For Cisco SD-WAN, configurations that use feature templates through Cisco vManage console and Command
Line Interface (CLI) are both shown. The following Cisco SD-WAN and ZIA use cases are discussed within this document.

• Single WAN Edge deployments
• Active/standby and active/active tunnels
• Automatic provisioning of IPSec tunnels
• Use of service route or centralized policy for traffic redirection

The Zscaler portion of this document was authored by Zscaler and the Cisco SD-WAN portion of this document was
authored by Cisco. Both companies partnered to review and validate the information in this guide.

This document contains four major sections:

• The Define section gives background on the Zscaler and Cisco SD-WAN solution.
• The Design section discusses the solution components, design aspects, and any prerequisites.
• The Deploy section provides information about various configurations and best practices.
• The Operate section shows how to manage different aspects of the solution.


Zscaler and Cisco Introduction


Below are overviews of the Zscaler and Cisco applications described in this section.

ZIA Overview
ZIA is a secure internet and web gateway delivered as a service from the cloud. Think of ZIA as a secure internet on-ramp: just make Zscaler your next hop to the internet via one of the following methods:

• Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
• Forwarding traffic via our lightweight Zscaler Client Connector or PAC file (for mobile employees).

No matter where users connect (a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea), they get identical protection. ZIA sits between your users and the internet and inspects every transaction inline across multiple security techniques (even within SSL).

You get full protection from web and internet threats. The Zscaler cloud platform supports Cloud Firewall, IPS,
Sandboxing, DLP, and Browser Isolation, allowing you to start with the services you need now and activate others as your
needs grow.

ZPA Overview
ZPA is a cloud service that provides secure remote access to internal applications running on cloud or data center using
a Zero Trust framework. With ZPA, applications are never exposed to the internet, making them completely invisible
to unauthorized users. The service enables the applications to connect to users via inside-out connectivity rather than
extending the network to them.

ZPA provides a simple, secure, and effective way to access internal applications. Access is based on policies created by
the IT administrator within the ZPA Admin Portal and hosted within the Zscaler cloud. On each user device, software
called Zscaler Client Connector is installed. Zscaler Client Connector ensures the user’s device posture and extends a
secure microtunnel out to the Zscaler cloud when a user attempts to access an internal application.

Zscaler Resources
The following table contains links to Zscaler resources based on general topic areas.

Name and Link Description
ZIA Help Portal Help articles for ZIA.
ZPA Help Portal Help articles for ZPA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help Zscaler determine your security needs.
ZIA Test Page Information on your Zscaler Cloud.


Zscaler cloud IP data center IP Information ZIA IP and VPN host name information by data center. The following lists data centers by cloud:

https://config.zscaler.com/zscaler.net/cenr/
https://config.zscaler.com/zscalerbeta.net/cenr/
https://config.zscaler.com/zscalerone.net/cenr/
https://config.zscaler.com/zscalertwo.net/cenr/
https://config.zscaler.com/zscalerthree.net/cenr/
https://config.zscaler.com/zscloud.net/cenr
https://config.zscaler.com/zscalergov.net/cenr
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.

Cisco SD-WAN
Cisco SD-WAN powered by Cisco Viptela and Cisco IOS XE is a highly secure, cloud-scale architecture that is open,
programmable, and scalable. Through the Cisco vManage console, you can quickly establish an SD-WAN overlay fabric.
Use it to connect data centers, branches, campuses, and colocation facilities to improve network speed, security, and
efficiency.

This document assumes you have the Cisco SD-WAN controllers already built and operational, either through the Cisco
cloud service or on-premises. Zscaler recommends that you use Cisco vManage console to configure and manage the
WAN edge routers.

Make sure that the WAN edge devices are already connected to the controllers in the SD-WAN overlay, and a basic device
template configuration from Cisco vManage console has been deployed on them. See Appendix A: Cisco Branch Base
Feature Templates and Configuration Values Used for base device and feature template configurations and Appendix
B: Tunnel Configuration Summary (Feature and Device Templates) for a summary of feature templates required to
configure the Zscaler tunnel use cases. Appendix C: Cisco IOS XE SD-WAN CLI Configuration and Appendix D: Cisco
vEdge CLI Configuration reflect CLI-equivalent configurations for Cisco IOS XE SD-WAN and Cisco vEdge, respectively.

This document requires administrator login credentials to Cisco vManage console and SSH administrator login credentials
to the WAN Edge routers.

Cisco Resources
The following table contains links to Cisco support resources.

Name and Link Description
Cisco SD-WAN Design Guide An overview of the Cisco SD-WAN solution.
Cisco SD-WAN End-to-End Deployment Guide Additional information on deploying a Cisco SD-WAN network from end to end.
Cisco EN Validated Design and Deployment Guides Simple, modular, use-case based design and deployment guidance to provide you with validated designs and best practices.
Cisco SD-WAN Communities Resource pages and discussion boards.
Cisco SD-WAN Additional Cisco SD-WAN resources.


Define
The following sections explain Cisco SD-WAN concepts.

Cisco SD-WAN Design Overview


Enterprises can take advantage of secure local internet breakout by using Cisco SD-WAN combined with Zscaler. Using
Cisco SD-WAN, the network administrator can decide what traffic to forward to Zscaler, using either GRE or IPSec tunnels.

The following example topology shows a Cisco SD-WAN network with two transports (MPLS and internet) and the SD-WAN controllers reachable through the internet cloud. Two branch sites are shown with a data center site. SD-WAN fabric (IPSec) tunnels are built between the WAN Edge routers at each site for corporate traffic. A separate pair of GRE or IPSec tunnels is built from each branch router to the ZIA Public Service Edge for access to internet and SaaS applications. If the local internet transport fails, traffic can traverse the SD-WAN overlay over the MPLS transport to the data center and access the internet from there.

Figure 1. Example SD-WAN and ZIA network

Feature Background and History


The following sections discuss specifics for different versions of the Cisco SD-WAN software releases.

Support through Cisco SD-WAN 20.3 and Cisco IOS XE SD-WAN 17.3 release versions (Manual Active/Standby Tunnels and L7 Health Checking)
Early support for Zscaler tunnels included GRE or IPSec tunnels that can be configured manually through Interface VPN templates in Cisco vManage console, either in the transport VPN (IPSec or GRE) or service VPN (IPSec). A single active/standby tunnel pair is supported per WAN edge router, along with L7 health check probes running between the WAN Edge router and the respective Zscaler Private Service Edge and Zscaler Public Service Edge. The active tunnel is typically connected to a primary node while the standby tunnel is connected to a secondary node.


Cisco SD-WAN 20.4 and Cisco IOS XE SD-WAN 17.4 release versions (Active/Active ECMP Tunnels and Traffic Steering through Centralized Data Policy)
In 20.4/17.4, a new Cisco vManage console Secure Internet Gateway (SIG) feature template is introduced in which you can configure up to four active/backup tunnel pairs to get the benefit of equal-cost multipath (ECMP) load balancing and allow more traffic bandwidth to be redirected to Zscaler. As needed, assign weights to the tunnels so that more traffic traverses one tunnel than another. Traffic redirection into the tunnels is accomplished through a new SIG service route, which reduces the administrative overhead of configuring static routes that require site-specific next-hop IP addresses. You can also configure traffic redirection to Zscaler through centralized data policy, giving additional flexibility and granularity to choose specific application traffic.

Cisco SD-WAN 20.5 and Cisco IOS XE SD-WAN 17.5 release versions (Zscaler Automatic IPSec Tunnel Provisioning)
In 20.5/17.5, there were several updates to the SIG feature template, including accommodations for automatic discovery and tunnel provisioning to the closest Zscaler data centers based on geolocation. Layer 7 (L7) health checking is automated and supported for Cisco vEdge WAN Edge routers as well.

Cisco SD-WAN 20.6 and Cisco IOS XE SD-WAN 17.6 release versions (L7 Health Checks for IPSec Auto Tunnels for Cisco IOS XE SD-WAN routers)
In 20.6/17.6, up to four pairs of active/standby IPSec tunnels are supported with automatic provisioning. L7 automated health checking is introduced as an in-product feature for Zscaler IPSec auto tunnels for Cisco IOS XE SD-WAN routers. Official support for Cisco IOS XE SD-WAN L7 health checking for automatic IPSec Zscaler tunnels is in version 20.6.2/17.6.2.


Design
The following sections describe the architecture behind Cisco SD-WAN deployments.

GRE and IPSec Tunnels


Zscaler supports both Generic Routing Encapsulation (GRE) and Internet Protocol Security (IPSec) tunnels from edge devices to transport internet traffic that first traverses the ZIA Public Service Edge.

GRE is neither TCP nor UDP. It has its own IP protocol number (47). Because GRE has no source or destination ports, GRE packets can’t be translated by Port Address Translation (PAT) devices. The source IP address of a GRE packet can, however, be translated with static or dynamic NAT, which maps a single IP address to a single publicly routable IP address; this works because no ports need to be mapped.

An IPSec packet uses Encapsulating Security Payload (ESP), also a protocol without ports and therefore unusable by PAT devices. IPSec traffic can instead use NAT traversal (NAT-T). If both ends of the IPSec connection support NAT-T, NAT-Discovery packets are exchanged during the ISAKMP exchange. If NAT is detected, ISAKMP packets move from UDP port 500 to UDP port 4500, and ESP data packets are encapsulated inside UDP packets with source and destination ports of 4500. The packet can now be translated by a PAT device.

An active GRE or IPSec tunnel is defined by a unique 4-tuple: source IP address (on its source interface), source port, destination IP address, and destination port. Multiple tunnels can reference the same source IP address, but each tunnel must then have a unique source port, or a unique destination IP address and destination port, for the tunnel to be up and operational.

Zscaler GRE tunnels support higher throughput than IPSec tunnels in the Zscaler cloud. Contact your Zscaler representative for more information on bandwidth support, which can vary depending on the Zscaler cloud and the ZIA Public Service Edge you are connecting to.

Tunnel Liveliness
GRE Keepalives and DPD
GRE Keepalives for GRE tunnels and Dead Peer Detection (DPD) for IPSec tunnels are traditional methods for a local router to determine whether the remote router at the end of a tunnel is reachable and able to forward traffic. Zscaler best practice advises that you send GRE Keepalives and DPD packets no more than once every ten (10) seconds.

Tech Tip

If the router sits behind a NAT device, GRE keepalives are not passed. In that case, Zscaler recommends that you disable GRE keepalives by setting the interval and retries to zero (0). GRE data packets can’t be translated by PAT devices, but can be translated through a NAT device: a NAT device maps one IP address to one publicly routable IP address because port mapping isn’t required.

Cisco IOS XE SD-WAN routers do not support GRE keepalives through feature templates; only Cisco vEdge routers do. For Cisco IOS XE SD-WAN routers, you can configure GRE keepalives through the CLI or CLI add-on feature templates.

Cisco vEdge routers currently support only periodic DPD. On-demand DPD is currently the default for Cisco IOS XE SD-WAN routers.


Layer 7 Health Checks


GRE Keepalives and DPD can validate whether the network path is up between the tunnel source and destination, but
the mechanisms cannot verify whether a particular service or application is up and operational beyond the tunnel and
ZIA Public Service Edge.

An L7 health check monitors latency and reachability based on HTTP request and response probes to a URL that is
reachable through the Zscaler tunnels, and allows you to fail over to an alternate tunnel when reachability fails or latency
degrades beyond an acceptable threshold.

To check the health of the application stack of the ZIA Public Service Edge, Zscaler recommends not performing L7 health checks against commonly visited websites. Instead, use the following non-public URL for the tracker; it is reachable only through a Zscaler tunnel: http://gateway.<Zscaler Cloud Name>.net/vpntest.

Zscaler Active/Standby Tunnel Combinations


The following shows examples of different active/standby tunnel combinations to ZIA over dual internet and hybrid deployments (MPLS and internet). The deployed tunnels are either GRE or IPSec, and cannot be a combination of both. A route or policy directs traffic out the active tunnels to Zscaler. Standby tunnels are fully up and operational. However, traffic isn’t forwarded over a standby tunnel until its corresponding active tunnel pair partner is marked down or exceeds the latency threshold of the L7 health checks.

One Active/Standby Tunnel Pair


The following diagram shows an example of one active and one standby tunnel deployment at sites with single and dual internet circuits. In hybrid deployments, an MPLS path might offer a backhauled path to the internet via an internet gateway at a data center or regional hub site. In either deployment, if the ZIA Public Service Edge or active tunnel becomes unreachable or exceeds the latency threshold (with L7 health checks enabled), then the standby tunnel is activated. In the hybrid deployment, if the internet networking (INET) transport goes down, or if both tunnels over the INET transport exceed the latency thresholds (with L7 health checks enabled), then traffic can still take the default route over the SD-WAN overlay over the MPLS transport to the data center. Traffic can access the internet, either through an on-premises security stack or via a separate SIG tunnel originating from the data center hub router.

Figure 2. Active/Standby tunnel deployment on dual INET and hybrid transports


Multiple Active/Active Tunnels with Equal-Cost Multi-Path


Increased cloud traffic and bandwidth limits on Zscaler tunnels require support for multiple active tunnels.

The following diagram shows an example of an active/active tunnel deployment at sites with single and dual internet
circuits. In either deployment, if an active tunnel becomes unreachable or exceeds the latency threshold (with L7 health
checks enabled), then traffic is rehashed to one of the remaining tunnels. In the hybrid deployment, if the INET transport
goes down, or if all tunnels over the INET transport exceed the latency thresholds (with L7 health checks enabled),
then traffic can still take the default route over the SD-WAN overlay over the MPLS transport to the data center. Traffic
can access the internet through an on-premises security stack or via a separate Secure Internet Gateway (SIG) tunnel
originating from the data center hub router. In either deployment, if the ZIA Public Service Edge becomes unreachable,
traffic can fall back to the data center over the SD-WAN overlay.

Figure 3. Multiple Active/Active tunnels on dual INET and hybrid transports

Tech Tip

Equal-cost Multi-path (ECMP) and Active/Active Tunnels: With ECMP, traffic is routed to an interface based on a hash of the IP flow 4-tuple (source IP address, destination IP address, source port, and destination port). Because the choice is hash-based, the traffic distribution might not be exactly equal across the tunnels. With enough variability in IP addressing and ports in the network traffic, however, the distribution gets closer to equal across the ECMP interfaces.


Multiple Active/Standby Tunnel Pairs


The following diagram shows an example of a multiple active/standby tunnel pair deployment at sites with single and
dual internet circuits. In either deployment, if an active tunnel becomes unreachable or exceeds the latency threshold
(with L7 health checks enabled), then its corresponding standby tunnel is activated. In the hybrid deployment, if the
INET transport goes down or if all tunnels over the INET transport exceed the latency thresholds (with L7 health checks
enabled), then traffic can still take the default route over the SD-WAN overlay over the MPLS transport to the data center.
Traffic can access the internet through an on-premises security stack or via a separate SIG tunnel originating from the data
center hub router. In either deployment, if the ZIA Public Service Edge becomes unreachable, traffic can fall back to the
data center over the SD-WAN overlay.

Figure 4. Multiple Active/Standby tunnel pairs

Active/Active Tunnels with Weighted Load Balancing


The following diagram shows an example of an active/active tunnel deployment spread across two transports: an internet
transport and an always-on LTE transport. Available bandwidth might differ between the transports so weights can be
assigned to each tunnel and different traffic bandwidth amounts traverse each transport. In this example, weights are
configured for each tunnel so that 80% of the traffic traverses the internet transport while 20% of the traffic traverses
the LTE. If an active tunnel becomes unreachable or exceeds the latency threshold (with L7 health checks enabled), then
traffic is rehashed to one of the remaining tunnels.

Figure 5. Active/Active weighted tunnel deployment on INET and LTE transports


User Traffic Redirection


After the GRE or IPSec tunnels are configured and activated, there are two ways to direct user traffic to the tunnel:

• With a static route to rely on destination-based routing (typically a default route where all internet-bound traffic is
sent). 20.4/17.4 code version introduces a new type of route for Zscaler or other third-party tunnels called a Service
Route, which has a next hop that points to the SIG service.
• With a centralized data policy that allows you to customize the traffic sent to the Zscaler service. 20.4/17.4 supports
centralized policy for both Cisco vEdge and Cisco IOS XE SD-WAN devices where you can rely on prefix-lists and
applications lists to direct desired traffic to the SIG service.

Tech Tip

If both service routes and centralized policy are configured to direct user traffic, centralized policy takes precedence.
You might still want to configure both a SIG service route and centralized policy in dual-edge branches with Layer 3
routing: the SIG service route is redistributed into a routing protocol at the local site, and if the SIG tunnels become
unreachable on an edge router, the route is withdrawn so traffic is directed to the opposite edge with active SIG tunnels.
After traffic reaches the edge router with active SIG tunnels, centralized policy (or the service route) directs it to the
SIG tunnel.

SIG Service
Starting in 20.4/17.4, Zscaler tunnels can make use of the SIG service construct that was introduced in Cisco vManage
console for integration with Cisco Umbrella SIG. The SIG service keeps track of the state and next hop of the tunnels,
in addition to redirecting traffic into the tunnels from the service VPN. Traffic redirection at the branch is implemented
locally through service routing (defined in the service VPN feature templates) or as a centralized data policy action.

Figure 6. SIG service logical representation


New SIG Workflow


The following table provides information about the different releases and implementations.

Tech Tip

Only one SIG template is allowed per device template.

Release: 20.3/17.3 and earlier
Active/Standby Tunnel Pair: Yes
Unified SIG Workflow: No
Comments: Only one active/standby tunnel pair is supported for Zscaler. The implementation includes:
• (Optional) Modify the system template to create an L7 health check tracker.
• Configure two VPN Interface GRE or IPSec feature templates (one primary, one secondary) and optionally reference the L7 health check tracker created in the system template.
• Add the VPN Interface GRE or IPSec templates to the transport VPN or service VPN in a device template, depending on whether transport-side or service-side tunnels are desired.
• Add an IPSec or GRE route in the service VPN for transport-side tunnels, or add IPv4 routes in the service VPN pointing to the tunnel next hops for service-side tunnels.

Release: 20.4/17.4 and later
Active/Standby Tunnel Pair: No
Unified SIG Workflow: Yes
Comments: A new Unified SIG workflow is introduced with a SIG feature template, which greatly simplifies the SIG tunnel configuration process regardless of the tunnel type (Umbrella, Zscaler, other third-party IPSec or GRE tunnels).
• Only one SIG template is allowed per device template.
• The 20.4/17.4 release offers only two tunnel types, Umbrella and Third Party.
• The SIG template is needed to configure multiple tunnels and is attached to the device template under the transport VPN.
• There is no longer a separate concept of transport-side and service-side tunnels.
• Cisco IOS XE SD-WAN introduces a configuration that allows multiple service VPNs to use the tunnel created with the SIG template (tunnel VRF multiplexing).

Release: 20.5/17.5 and 20.6/17.6
Comments:
• The 20.5/17.5 and 20.6/17.6 releases offer three tunnel types: Umbrella, Zscaler, and Generic.
• Zscaler recommends that you use automatic tunnels if available.
• To configure automatic IPSec Zscaler tunnels, use the Zscaler option.
• To configure manual tunnels (IPSec or GRE), use the Generic option.

Release: vManage 20.6
Active/Standby Tunnel Pair: No
Unified SIG Workflow: Yes
Comments: In vManage version 20.6, the SIG template is divided into several sections:
• Tracker: Allows you to configure custom L7 health check tracker information.
• Configuration: Allows you to select your SIG provider and tunnel type (Umbrella, Zscaler, or Generic third party) and allows you to specify different tunnel characteristics such as tunnel name, tracker name, tunnel source, and whether the tunnel is attached to a primary or secondary data center (which is specified or discovered at a later time). It also includes advanced options, like IP MTU and IPSec tunnel settings.
• High Availability: Allows you to choose up to four active tunnels or four active/standby tunnel pairs by choosing the tunnels defined in the Configuration section under the Active or Backup column. You can also modify traffic ratios for the tunnels.
• Advanced Settings (if applicable): Allows you to define Zscaler primary or secondary data centers if desired and advanced Zscaler settings such as X-Forwarded-For (XFF) Forwarding, Enable IPS Control, etc.

Tech Tip

The 20.4/17.4 release offers only two tunnel types, Umbrella and Third Party. The 20.5/17.5 and 20.6/17.6 releases offer
three tunnel types: Umbrella, Zscaler, and Generic. To configure automatic IPSec Zscaler tunnels, choose the Zscaler
option. Configure Zscaler manual tunnels (IPSec or GRE) using the Generic option. Zscaler recommends that you use
automatic tunnels if available.


Automatic IPSec Tunnels


Release: 20.5/17.5
• Automatic Zscaler IPSec tunnels are supported in 20.5/17.5. The feature provides a level of automation in configuring IPSec tunnels, such as automatic tunnel destination discovery, location registration in ZIA, and automatic configuration of authentication parameters.
• An active/standby tunnel pair is supported.

Release: 20.6/17.6
• Up to four active/standby tunnel pairs are supported.
• For Cisco IOS XE SD-WAN, L7 health checks are automatically configured. The feature gives you secure and simplified management and allows you to deploy Zscaler IPSec tunnels across many branches.

After automatic tunnels (through the SIG feature template) and the SIG credentials feature template are added to the
device template and are pushed to the WAN edge device, the following API steps occur from the WAN edge router to
provision the tunnels.

1. An authenticated session request is made to the ZIA by sending an API key, username, password, and time stamp.
The requestor receives a cookie from Zscaler, which is then used in subsequent calls as part of the authenticated
session.
2. VPN credentials are added for each tunnel. Each tunnel has a unique name, FQDN, and pre-shared security key that
is generated by the WAN edge device and then shared to the Zscaler cloud. Zscaler returns a tunnel ID associated
with each tunnel. For future edits and modifications, the WAN device refers to the tunnel ID.
3. Next, the VPN credential associated with the tunnel is added to a location before it is usable by Zscaler policy. If it is
the first tunnel for a WAN edge device, create a location with a unique location name and add it to ZIA via an HTTP
POST. The tunnel VPN credentials are added to the location.
4. A final API call activates the configuration changes made in ZIA.
5. Primary and secondary data centers are retrieved from ZIA.

Another sequence of API calls happens when a tunnel is deleted. API HTTP responses are received and the last response
code is recorded for troubleshooting purposes. After the API calls complete, you get a non-zero location ID and non-zero
tunnel IDs. Whether the tunnel comes up and becomes active depends on the Internet Key Exchange (IKE) negotiation. See
the Operate section for more information on troubleshooting.
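The five-step provisioning sequence above, as an added example (not Cisco or Zscaler code): a Python client runs the steps against an offline stand-in for the ZIA Provisioning API, reusing the session cookie, recording the last HTTP response code, and stopping with zero IDs when a step fails. The endpoint paths and the API key obfuscation follow the public ZIA API; the FakeZia class, its IDs and its data-center list are constructed, and the location is always created as if this were the router's first tunnel.

```python
import secrets
import time
from typing import Any, Dict, List, Optional, Tuple


def obfuscate_api_key(api_key: str, now_ms: int) -> str:
    """Zscaler's published scheme for authenticatedSession: the last six digits of
    the millisecond timestamp, then those digits halved, index the 12-char key."""
    n = str(now_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)
    return "".join(api_key[int(c)] for c in n) + "".join(api_key[int(c) + 2] for c in r)


class FakeZia:
    """Offline stand-in for the ZIA Provisioning API. Paths mirror the public API;
    IDs, cookies and responses are constructed."""

    def __init__(self, api_key: str, username: str, password: str) -> None:
        self._expected = (api_key, username, password)
        self._cookie: Optional[str] = None
        self._next_id = 1000
        self.vpn_credentials: Dict[int, dict] = {}
        self.locations: Dict[int, dict] = {}
        self.activated = False

    def request(self, method: str, path: str, body: Optional[dict] = None,
                cookie: Optional[str] = None) -> Tuple[int, Dict[str, str], Any]:
        """Return (status, headers, json) the way an HTTP client would."""
        api_key, user, pw = self._expected
        if (method, path) == ("POST", "/authenticatedSession"):
            want = obfuscate_api_key(api_key, int(body["timestamp"]))
            if (body["username"], body["password"], body["apiKey"]) != (user, pw, want):
                return 401, {}, {"message": "AUTHENTICATION_FAILED"}
            self._cookie = "JSESSIONID=" + secrets.token_hex(8)
            return 200, {"Set-Cookie": self._cookie}, {"authType": "ADMIN_LOGIN"}
        if cookie is None or cookie != self._cookie:
            return 401, {}, {"message": "SESSION_NOT_VALID"}
        if (method, path) == ("POST", "/vpnCredentials"):
            if any(c["fqdn"] == body["fqdn"] for c in self.vpn_credentials.values()):
                return 409, {}, {"message": "DUPLICATE_ITEM"}  # tunnel FQDNs must be unique
            self._next_id += 1
            self.vpn_credentials[self._next_id] = dict(body, id=self._next_id)
            return 200, {}, self.vpn_credentials[self._next_id]
        if (method, path) == ("POST", "/locations"):
            self._next_id += 1
            self.locations[self._next_id] = dict(body, id=self._next_id)
            return 200, {}, self.locations[self._next_id]
        if (method, path) == ("POST", "/status/activate"):
            self.activated = True
            return 200, {}, {"status": "ACTIVE"}
        if (method, path) == ("GET", "/vips"):
            return 200, {}, [{"dataCenter": "DC-A (constructed)", "vpnIps": ["203.0.113.10"]},
                             {"dataCenter": "DC-B (constructed)", "vpnIps": ["203.0.113.20"]}]
        return 404, {}, {"message": "NOT_FOUND"}


def provision_tunnels(zia: FakeZia, api_key: str, username: str, password: str,
                      location_name: str, tunnel_fqdns: List[str]) -> dict:
    """The WAN edge's five API steps. 'last_code' is what the router records for
    troubleshooting; zero IDs mean the flow stopped before that step."""
    result: dict = {"last_code": 0, "location_id": 0, "tunnel_ids": [], "data_centers": []}
    # Step 1: authenticated session from API key, username, password and timestamp.
    now_ms = int(time.time() * 1000)
    code, hdrs, _ = zia.request("POST", "/authenticatedSession", {
        "apiKey": obfuscate_api_key(api_key, now_ms), "username": username,
        "password": password, "timestamp": str(now_ms)})
    result["last_code"] = code
    if code != 200:
        return result
    cookie = hdrs["Set-Cookie"]  # reused by every later call in the session
    # Step 2: one VPN credential per tunnel; the PSK is generated on the router.
    for fqdn in tunnel_fqdns:
        psk = secrets.token_urlsafe(24)
        code, _, body = zia.request("POST", "/vpnCredentials",
                                    {"type": "UFQDN", "fqdn": fqdn, "preSharedKey": psk}, cookie)
        result["last_code"] = code
        if code != 200:
            return result
        result["tunnel_ids"].append(body["id"])  # the router refers to this ID from now on
    # Step 3: a location for this router that owns the VPN credentials.
    code, _, body = zia.request("POST", "/locations", {
        "name": location_name,
        "vpnCredentials": [{"id": i} for i in result["tunnel_ids"]]}, cookie)
    result["last_code"] = code
    if code != 200:
        return result
    result["location_id"] = body["id"]
    # Step 4: activate the pending ZIA configuration.
    code, _, _ = zia.request("POST", "/status/activate", None, cookie)
    result["last_code"] = code
    if code != 200:
        return result
    # Step 5: retrieve the primary and secondary data centers.
    code, _, vips = zia.request("GET", "/vips", None, cookie)
    result["last_code"] = code
    if code == 200:
        result["data_centers"] = [v["dataCenter"] for v in vips[:2]]
    return result
```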


Figure 7. Zscaler APIs needed for IPSec Auto Tunnels


Advanced Settings for Zscaler Auto Tunnels


In 20.6, you can enable the following Zscaler advanced features from the Cisco vManage console SIG feature template:

• Primary Data Center and Secondary Data Center: By default, the primary and secondary data centers are
automatically selected. Alternatively, manually choose the data centers. If a Global variable is selected, you can
choose from a drop-down list of data centers. This list of data centers is static at the time of this writing and the
information might not be completely current. If you choose device-specific input, an FQDN is required for the
variable. For the latest list of data centers, go to https://config.zscaler.com (then choose the cloud name from the
drop-down).
• Authentication Required: If enabled, the Surrogate IP feature can be enabled with its corresponding parameters.
• XFF Forwarding
• Enable Firewall
• Enable IPS Control
• Enable Caution
• Enable AUP and additional AUP parameters
For additional information on these advanced location features, see Configuring Locations.

Figure 8. SIG feature template Advanced Settings


Layer 7 Health Check for Auto Tunnels


Release: 20.5
• Layer 7 (L7) health checks are available for vEdge routers using Zscaler auto-tunnels.

Release: 20.6/17.6
• L7 health checks are enabled by default on all auto-tunnels provisioned with the SIG templates (Umbrella and Zscaler).
• For Cisco IOS XE SD-WAN routers, the L7 health check is considered an in-product feature.

The L7 health check is implemented as an HTTP request. It measures round-trip latency and compares it to the configured
threshold. Customize the tracker if you want to change the default parameters or use a different service URL. The default
settings are:

• Interval: 30 seconds
• Multiplier: 2
• Threshold: 1000 msec
• Service URL for Zscaler tunnel type: http://gateway.<Zscaler Cloud Name>.net/vpntest
For Cisco IOS XE SD-WAN, a Loopback 65530 interface in VRF 65530 is created and used to source the L7 health check
probes through each active and backup tunnel. You must configure a tracker source IP address, which is a private RFC 1918
address that should not overlap with other interfaces.

For Cisco vEdge, a loopback 65530 in VPN 65530 is created by default, sourced from 192.168.0.2/32. There is no need to
configure a tracker source IP address for Cisco vEdge.

For any tunnel that fails to receive a response within the interval and retransmit timers, or that exceeds the latency
threshold, the tunnel tracker status is marked down and the VPN routes pointing to this tunnel are marked standby.
Crypto IKE stays up for the tunnel, but the routes are withdrawn. When the tracker status goes up (probes become
reachable again or latency improves to under the threshold), the tunnel becomes active again and the VPN routes are
re-added.
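A small model of the tracker behaviour just described, added here and not taken from Cisco's implementation: each probe result either resets or increments a failure count; after the multiplier's worth of consecutive failures (timeout or RTT over the threshold) the tracker goes down and withdraws the VPN routes while leaving IKE up, and a good probe restores it. The multiplier semantics and single-probe recovery are assumptions, as is the standby promotion logic.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class L7Tracker:
    """Tracker state for one SIG tunnel with the guide's default parameters.
    Assumption: the multiplier is the number of consecutive failed probes (no reply
    within the interval, or RTT above the threshold) before the tracker goes down,
    and a single good probe brings it back up."""
    tunnel: str
    interval_s: int = 30
    multiplier: int = 2
    threshold_ms: int = 1000
    service_url: str = "http://gateway.<Zscaler Cloud Name>.net/vpntest"
    state: str = "up"
    consecutive_failures: int = 0
    routes_installed: bool = True   # VPN routes pointing at this tunnel
    ike_up: bool = True             # crypto IKE is never touched by the tracker
    events: List[str] = field(default_factory=list)

    def probe(self, rtt_ms: Optional[float]) -> str:
        """Feed one probe result; None means no HTTP response within the interval."""
        if rtt_ms is not None and rtt_ms <= self.threshold_ms:
            self.consecutive_failures = 0
            if self.state == "down":
                self.state, self.routes_installed = "up", True
                self.events.append(f"{self.tunnel}: tracker up, VPN routes re-added")
        else:
            self.consecutive_failures += 1
            if self.state == "up" and self.consecutive_failures >= self.multiplier:
                self.state, self.routes_installed = "down", False
                why = "no response" if rtt_ms is None else f"rtt {rtt_ms:.0f} ms > {self.threshold_ms} ms"
                self.events.append(f"{self.tunnel}: tracker down ({why}), VPN routes withdrawn")
        return self.state


def run_probes(tracker: L7Tracker, samples: List[Optional[float]]) -> L7Tracker:
    """Drive a constructed sequence of probe RTTs (ms) through a tracker."""
    for rtt in samples:
        tracker.probe(rtt)
    return tracker


def forwarding_tunnels(pairs: List[Tuple[L7Tracker, L7Tracker]]) -> List[str]:
    """For each active/standby pair, the tunnel whose routes are installed: the active
    while its tracker is up, otherwise the standby (a promotion that can disrupt
    existing sessions, as the guide notes)."""
    chosen: List[str] = []
    for active, standby in pairs:
        if active.routes_installed:
            chosen.append(active.tunnel)
        elif standby.routes_installed:
            chosen.append(standby.tunnel)
    return chosen
```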

General Configuration Steps


In 20.6/17.6, multiple automatic (IPSec) Zscaler tunnels are implemented by:

• Creating a SIG credentials feature template for API access to Zscaler.
• Creating a SIG feature template to define the tracker information, tunnel types, parameters, advanced settings, and
high availability information.
• Adding the SIG template and SIG Credentials feature template to the transport VPN (VPN 0) in a device template.
• Adding a SIG service route in the service VPN or adding centralized data policy to redirect user traffic to the SIG
service.


Configuration Prerequisites
For Zscaler automatic tunnels to succeed, observe the following prerequisites:

• Configure ZIA Admin Portal with a partner key, username, and password (which belongs to the partner admin role).
• Enable NAT on the internet-facing interface on the WAN Edge router. In Cisco IOS XE SD-WAN, there is a loopback
65528 in VRF 65528 by default with an IP address of 192.168.1.1 that is used as the source interface for API calls. A NAT
Dedicated Internet Access (DIA) route is used to direct API traffic into the underlay.
• Create a DNS server configuration in the transport VPN (VPN 0). Resolve the Zscaler base URI from the WAN Edge
router for API calls, along with the Layer 7 health check URI. The Zscaler base URI is
zsapi.<Zscaler Cloud Name>.net/api/v1 where values for <Zscaler Cloud Name> are zscaler, zscalerbeta, zscalerone,
zscalertwo, zscalerthree, etc. The automated Layer 7 health check URL is http://gateway.<Zscaler Cloud Name>.net/vpntest.
• Configure Network Time Protocol (NTP) to ensure that the WAN edge router clock is accurate (for Zscaler API calls).
This isn’t required but is highly recommended.

Design Considerations
Review the following considerations:

Basic
• NAT is required on the outgoing tunnel WAN interface.
• DNS server configuration is required in VPN 0 to resolve Zscaler API and L7 health check URLs.
• NTP configuration is highly recommended so clocks are synced to ensure successful API calls.
• Do not change Site ID or System IP Address of a WAN edge router when you have a SIG feature template attached.
Remove the SIG feature template to remove the tunnels, make the Site ID and/or System IP address change, then re-
attach the SIG feature template.

ZIA Admin Portal


Use only one organization name under the ZIA Admin Portal at Administration > Settings > Company Profile >
Organization > Domains.

ECMP Tunnels
• Several applications are known to fork off multiple sessions for a single user session (O365, Google Services,
Facebook, etc.). If you have two active SIG tunnels that are pinned to two different Zscaler data centers, ECMP can pin
flows from a single user to separate tunnels. The cloud application can see different client IP addresses for the same
session, because NAT is applied to their source IP addresses from two different data centers. This can cause resets
from the server. You must use the same SIG data center for any active/active tunnels. Zscaler does not support active/
active tunnels across ZIA data centers.
• When configuring multiple active/active tunnels, each tunnel must have a unique source IP/source port/destination
IP/destination port. All active tunnels are destined to the same data center IP address and each tunnel has the same
source port and destination port 500 or 4500 (NAT-T), so, the source IP address for the tunnels cannot be the same.
Use loopback interfaces defined in VPN 0 to source multiple active tunnels from. These addresses can be private
because NAT is turned on at the internet interface.
• Multiple active/active tunnel support for Cisco vEdge is not qualified nor supported at this time.


Auto Tunnels
• Several advanced security features can be enabled on Zscaler through APIs from the Cisco vManage console. Zscaler
recommends that you leave all features off (the default), deploy the feature template, bring the tunnels up, and then go
back to edit the SIG template and enable the desired features/services. Some features might not have the proper licenses
or permissions to be enabled, so you can get a failed API response and a location might not get created if you are trying
to create tunnels at the same time. Enabling them separately from configuring tunnels for the first time simplifies
troubleshooting.
• In Cisco vManage console version 20.5, values greater than 255 for Idle-time-to-dissociation and Refresh-time (part
of the Authentication/Surrogate IP feature and Surrogate IP for Known Browsers feature) cannot be configured in the
SIG template UI. The workaround on Cisco IOS XE SD-WAN Edge routers is to use a CLI add-on template. For more
information on Zscaler advanced features and their CLI commands, see the Zscaler commands in the Cisco IOS XE SD-WAN
Qualified Command Reference.

L7 Health Checks
• In the 20.5 Cisco vManage console version, L7 health checks are supported only for Cisco vEdge routers. Health
checks are not supported for Cisco IOS XE SD-WAN edge routers until the 20.6 Cisco vManage console version.
• Starting in 20.5/17.5, GRE or IPSec tunnels can be configured manually using the generic SIG tunnel option in the SIG
feature template. L7 health checking is not supported for the generic SIG tunnel option.
• L7 health checks are sent out on all SIG tunnels across all high availability configs. L7 health checks can promote a
standby tunnel to an active tunnel, potentially impacting existing sessions.
• Do not use custom L7 health check trackers destined to commonly visited websites, because it might cause the cloud
security provider's IP address space to be blocked. Use http://gateway.<Zscaler Cloud Name>.net/vpntest as the
service URL. Use only http:// in the service URL to Zscaler. https:// is not valid, even though the Cisco vManage
console might accept it.

GRE Keepalives
GRE Keepalives are disabled by default in Cisco IOS XE SD-WAN devices. To configure GRE keepalives, configure a CLI
add-on feature template. The command is keepalive [[seconds] retries] under the tunnel interface configuration.

Cisco IOS XE SD-WAN


On a Cisco IOS XE SD-WAN router with multiple internet interfaces accessing Zscaler tunnels or multiple active tunnels
sourced by loopbacks on a router with more than one transport of any type, you might encounter an issue where ISAKMP
traffic fails to take the correct interface outbound, which can prevent IPSec tunnel formation. To work around this, use
a CLI add-on policy to use a local policy-based routing (PBR) policy to force ISAKMP traffic to use the proper physical
interface (see the Deploy section for multiple active/active tunnels).

Cisco vEdge
Multiple active/active tunnel support for Cisco vEdge is not qualified nor supported at this time.

Additional Features
Cloud onRamp for SaaS can be used over Zscaler tunnels starting in 20.6/17.6.


Deploy
The following basic steps are needed to configure auto tunnels successfully:

• Deploy: ZIA for API Access. This allows Cisco vManage console to send API calls to ZIA to provision IPSec tunnels and
Zscaler locations.
• Deploy: Cisco WAN Edge Prerequisites.
   • Verify NAT, DNS, and clock/NTP settings.
   • Create a SIG credentials feature template. This uses information obtained from ZIA that you configured while setting
   up ZIA for API access.
• Deploy an IPSec Auto Tunnel use case. You can choose different use cases. Active/Standby tunnels and Active/
Active tunnels using hybrid or dual-internet transports and configured with a SIG route or centralized policy are a few
examples. For each use case, the following is needed:
   • Create a SIG feature template: This allows you to define multiple tunnels of certain types (Umbrella, Zscaler, or
   generic), and allows you to define specific characteristics about each tunnel. Then, you can define which tunnels
   are active and which are backup.

Tech Tip

Note that after a tunnel type is selected in the SIG feature template, you can only configure additional tunnels of
that same type in that specific feature template. With Umbrella or Zscaler tunnels using the SIG template, only IPSec
tunnels are currently supported. With generic tunnels, IPSec or GRE tunnels are supported, but a mix of both is not
supported in the same feature template.

   • Add the SIG and SIG credentials feature templates to the device template of the device you want to configure with
   IPSec auto tunnels.
   • Add a route or modify centralized policy for traffic redirection to the Zscaler tunnels.

Tech Tip

Before moving forward, ensure that the WAN Edge router has a device template deployed from Cisco vManage console
with, at minimum, basic connectivity to the internet. For details on a base template example, see Appendix A: Cisco
Branch Base Feature Templates and Configuration Values Used.

Deploy: ZIA for API Access


In this section, the Zscaler side is configured for API access. Starting in Cisco vManage console 20.5, a SIG credentials
template is required as part of the device template when attaching SIG templates that contain Zscaler tunnels. This SIG
credentials template needs information from the ZIA Admin Portal in order for API calls to Zscaler to succeed. The
following sections gather the information needed for the SIG credentials feature template on Cisco vManage console.

Note that login IDs and passwords in the following screens might be obscured for security reasons.


Procedure 1: Log Into ZIA


1. Log into Zscaler using your administrator account. The login URL is https://admin.<Zscaler Cloud Name>.net,
where <Zscaler Cloud Name> is the Zscaler cloud you have admin rights to (zscalerbeta, zscalerone, zscalertwo,
zscalerthree, etc.).

Figure 9. Login to ZIA

2. If you are unable to log in using your admin account, contact Zscaler Support.

Procedure 2: Find Zscaler Organization Domain and Partner Base URI


You need the Zscaler Organization Domain and Partner Base URI for the Cisco vManage console SIG credentials feature
template.

1. Go to Administration > Settings > Company Profile. On the Organization tab, note the value in the Domains field
(ciscotest.net in this example).

Figure 10. Company profile


Tech Tip

The Domains value in this section is used in the Organization field in the Cisco vManage console SIG credentials feature
template.

Cisco vManage console SIG Credentials Parameter | ZIA Admin Portal Location | Zscaler Parameter | Zscaler Value
Organization | Administration > Settings > Company Profile > Organization | Domains | ciscotest.net (example)

2. Go to Administration > Authentication > API Key Management. On the API Key tab at the top of the page, copy the
base URL for your API (zsapi.zscalerthree.net/api/v1 in this example).

Figure 11. API key management

Tech Tip

The base URL value in this section is used in the Partner Base URI field in the Cisco vManage console SIG credentials
feature template.


Cisco vManage console SIG Credentials Parameter | ZIA Admin Portal Location | Zscaler Parameter | Zscaler Value
Organization | Administration > Settings > Company Profile > Organization | Domains | ciscotest.net (example)
Partner Base URI | Administration > Authentication > API Key Management > API Key | Base URL for your API | zsapi.zscalerthree.net/api/v1 (example)

Procedure 3: Add and Verify SD-WAN Partner Key


To enable ZIA for API access, the first step is to create an SD-WAN "partner key". The partner key is an API key used as
one form of authentication. The second form of authentication is a partner admin username and password, which is
explained later in this deployment guide. This admin credential set is used for API calls only; it doesn't work for logging
in to the ZIA Admin Portal.

1. Navigate to Administration > Settings > Cloud Configuration > Partner Integrations.

Figure 12. Partner integrations


2. At the Partner Integrations section of the ZIA Admin Portal, select SD-WAN. If a key already exists with a Partner
Name Cisco Viptela, then skip to Step 6. Only one key can exist per partner name. Take care when deleting and
modifying the partner key because API calls to Zscaler fail if other Cisco vManage console instances are using the
current key.
3. Click Add Partner Key.

Figure 13. Add partner key

4. Under the Name drop-down menu, select the SD-WAN vendor for which you want to create a partner key. After selecting
Cisco Viptela, click Generate. The previous screen is displayed.

Figure 14. Generate partner key


5. See the partner key you created (Cisco Viptela in this case) in the Partner Integrations window. A red circle with a
number above the Activation icon on the bottom left-hand navigation is also displayed. Although you have created
a partner key, the configuration change is pending. Only after activation does this configuration become active.

Figure 15. Partner key complete

6. Be sure to copy the Key value, as it is required in a later step when configuring the SIG credentials feature template
in the Cisco vManage console Network Management System (NMS).

Tech Tip

The Cisco Viptela partner key value in this section is used in the Partner API Key field in the Cisco vManage console SIG
credentials feature template.

Cisco vManage console SIG Credentials Parameter | ZIA Admin Portal Location | Zscaler Parameter | Zscaler Value
Organization | Administration > Settings > Company Profile > Organization | Domains | ciscotest.net (example)
Partner Base URI | Administration > Authentication > API Key Management > API Key | Base URL for your API | zsapi.zscalerthree.net/api/v1 (example)
Partner API Key | Administration > Settings > Cloud Configuration > Partner Integrations > SD-WAN | Partner Name (Cisco Viptela) Key | ABCdef123GHI (example)


Procedure 4: Add a Partner Administrator Role


You must create a partner administrator role so it can be assigned to the administrator user that is used to authenticate
against the Zscaler ZIA Provisioning API. By creating a partner administrator role, you can define the permissions and
access to grant to a third-party partner, such as an SD-WAN partner.

1. Navigate to Administration > Authentication > Role Management.

Figure 16. Role management

2. If a partner administrator role has already been created with full access, use this role, or create a separate one. A
partner administrator role is listed as Type Partner Admin, including a Policy keyword listed under the Full Access
column. If you use a role already created, note the Name, and go to Procedure 5: Create a Partner Administrator to
create a partner administrator login ID and password.
3. To create a new partner administrator role, click Add Partner Administrator Role.

Figure 17. Add partner administrator


4. Enter the name of the partner administrator role you want to create.
5. Change the Access Control to Full. Full Access Control allows partner admins to view and edit VPN credentials and
locations that the Cisco vManage console NMS is managing via the ZIA Provisioning API. This is necessary for the
Cisco vManage console NMS to be able to create new VPN credentials and locations in ZIA for branches.
6. Click Save to return to the previous screen.

Figure 18. Partner administrator role


Procedure 5: Create a Partner Administrator


The last step required is to create a partner administrator.

1. Navigate to Administration > Administration Controls > Administrator Management.

Figure 19. Administrator management

2. On the Administrator Management window, select Add Partner Administrator.

Figure 20. Add partner administrator


3. On the Add Partner Administrator ID window, fill in the required fields:


a. Login ID: Enter the login ID, where @domain is automatically filled in.
b. Email: Enter an address in email format, which can be identical to the login ID, but cannot already exist in the
current cloud. (It cannot be referenced anywhere.)
c. Name: Enter the name or label associated with the login ID. (It cannot be referenced anywhere.)
d. Partner Role: Select the role created in Procedure 4: Add a Partner Administrator Role.

Note

Save the Login ID@Domain value and Password settings, as you need to enter them in the Cisco vManage console NMS
when configuring the SIG credentials template.

4. Click Save.

Figure 21. Save partner admin

Tech Tip

The Login ID @ domain value in this section is used in the Username field and the password value in this section is used
in the Password field in the Cisco vManage console SIG credentials feature template.


Cisco vManage console SIG Credentials Parameter | ZIA Admin Portal Location | Zscaler Parameter | Zscaler Value
Organization | Administration > Settings > Company Profile > Organization | Domains | ciscotest.net (example)
Partner Base URI | Administration > Authentication > API Key Management > API Key | Base URL for your API | zsapi.zscalerthree.net/api/v1 (example)
Username | Administration > Administration Controls > Administrator Management > Administrators | Partner Admin Login ID | [email protected] (example)
Password | Administration > Administration Controls > Administrator Management > Administrators | Partner Admin Password | (hidden)
Partner API Key | Administration > Settings > Cloud Configuration > Partner Integrations > SD-WAN | Partner Name (Cisco Viptela) Key | ABCdef123GHI (example)


Procedure 6: Activate Pending Changes


Note that the new configurations are not enabled until activation occurs.

Click Activation on the left-hand navigation, and then click Activate to enable the pending configuration changes.

Figure 22. Activate changes

After activating pending changes, “Activation Completed!” appears.

Figure 23. Activation completed


Deploy: Cisco WAN Edge Prerequisites


In this section, the prerequisites are checked and deployed.

Procedure 1: Log into Cisco vManage Console


1. Open a web browser and enter the URL for your vManage instance (https://<vManage IP address>:8443). For best
results, use a Google Chrome or Mozilla Firefox browser.
2. Enter the admin username and password.

Procedure 2: Ensure Prerequisites are Met


1. Verify that NAT is enabled on the internet interface that is used to reach Zscaler.

This is needed for the API calls the router makes to the ZIA Public Service Edge, because a NAT DIA route is used to direct
the API traffic out of the underlay. Enable NAT in each internet-interface feature template deployed where Zscaler
tunnels are built. The relevant feature template settings are:

Modifications to Feature Template: BR_VPN0_INET

Section | Parameter | Type   | Variable/Value
NAT     | NAT       | Global | On
NAT     | NAT Type  | Global | Interface

2. Verify that a primary and/or secondary DNS server is defined in the VPN 0 feature template. API calls are made to
the base URI zsapi.<Zscaler Cloud Name>.net/api/v1 or admin.<Zscaler Cloud Name>.net/api/v1, where <Zscaler Cloud Name>
is zscaler, zscalerbeta, zscalerone, zscalertwo, zscalerthree, and so on. The automated L7 health check URL,
http://gateway.<Zscaler Cloud Name>.net/vpntest, also needs DNS resolution.

The relevant feature template settings are as follows (the values can be global or device-specific):

Modifications to Feature Template: BR_VPN0

Section | Parameter                    | Type   | Variable/Value
DNS     | Primary DNS Address (IPv4)   | Global | 208.67.222.222
DNS     | Secondary DNS Address (IPv4) | Global | 208.67.220.220


3. Verify that Network Time Protocol (NTP) is enabled, the router is synchronized, and the clock is correct. An
authentication session with Zscaler can fail because the router's clock is wrong. Configuring NTP and confirming that the
router is in sync with the NTP server is one way to prevent these authentication failures.

WAN_EdgeE#show clock
01:49:13.091 UTC Fri Sep 3 2021

WAN_EdgeE#show ntp association

  address         ref clock       st   when   poll  reach   delay   offset    disp
*~64.100.100.1    127.127.1.1      5    157   1024    377   3.000   -3.500   2.050
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

NTP is configured in a separate feature template and added to the device template in the Basic Information section.
In the example topology, the source interface is the internet interface in VPN 0, because the NTP server is on the
internet.

Feature Template Name: NTP

Section | Parameter           | Type            | Variable/Value
Server  | Hostname/IP address | Global          | time.google.com
Server  | Source Interface    | Device Specific | ntp_server_source_int

Procedure 3: Create a SIG Credentials Feature Template


1. In the top left corner of Cisco vManage console, click the three horizontal lines to pull down the menu.
2. Select the Configuration > Templates > Feature button at the top of the page.

Figure 24. Configure template

3. Click Add Template.


4. Select devices on the left-hand side of the window that potentially can use this template. To select all Cisco IOS XE
SD-WAN devices that can support SIG templates, you can select all platforms except for ISR 1100 (Cisco Viptela),
Cisco vEdge devices, CG platforms, and the IR8340 in this release.
5. Select Cisco SIG Credentials.

Figure 25. Cisco SIG credentials

6. Enter the Template Name (xeSig_Credentials) and Description (Cisco IOS XE SIG Credentials Template).
7. Select the Zscaler radio button as the SIG provider.
8. Fill in the Organization, Partner Base URI, Username, Password, and Partner API Key. These parameters were
obtained from the Zscaler configuration section:
Cisco vManage console SIG Credentials Parameter | ZIA Admin Portal Location | Zscaler Parameter | Zscaler Value
Organization     | Administration > Settings > Company Profile > Organization                           | Domains                          | ciscotest.net (example)
Partner Base URI | Administration > Authentication > API Key Management > API Key                       | Base URL for your API            | zsapi.zscalerthree.net/api/v1 (example)
Username         | Administration > Administration Controls > Administrator Management > Administrators | Partner Admin Login ID           | [email protected] (example)
Password         | Administration > Administration Controls > Administrator Management > Administrators | Partner Admin Password           | (hidden)
Partner API Key  | Administration > Settings > Cloud Configuration > Partner Integrations > SD-WAN      | Partner Name (Cisco Viptela) Key | ABCdef123GHI (example)


Figure 26. Zscaler settings

9. Click Save.
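To show what these five credentials are actually used for, and why the NTP prerequisite in Procedure 2 matters, the following is an added Python example (not from this guide, and not Cisco's or Zscaler's code). It builds the ZIA API login request (POST to /authenticatedSession under the Partner Base URI) that the WAN Edge router issues with the SIG credentials. The key obfuscation routine is the one Zscaler documents for its cloud service API; the Organization value is not part of the login itself. The Partner API Key and cloud name are the guide's example values; the partner admin login ID and password are placeholders. The request is built, not sent.

```python
"""Added example: build the ZIA API login that a WAN Edge router performs with
the SIG credentials.  Not the guide's, Cisco's or Zscaler's code."""
import json
import time

# The guide's example values where it has them; the login ID and password are
# placeholders constructed for this example.
CLOUD = "zscalerthree"
PARTNER_API_KEY = "ABCdef123GHI"
PARTNER_ADMIN_LOGIN = "partner-admin@ciscotest.net"   # placeholder
PARTNER_ADMIN_PASSWORD = "replace-me"                 # placeholder


def obfuscate_api_key(api_key, now_ms):
    """Zscaler's published timestamp-based API key obfuscation.

    The last six digits of the millisecond timestamp select characters out of
    the 12-character key, so the value sent on the wire is tied to the
    timestamp sent alongside it; the API recomputes it from that timestamp.
    """
    if len(api_key) < 12:
        raise ValueError("Zscaler API keys are 12 characters")
    n = str(now_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)        # second selector: n halved, zero-padded
    obfuscated = "".join(api_key[int(d)] for d in n)          # indexes 0..9
    obfuscated += "".join(api_key[int(d) + 2] for d in r)     # indexes 2..11
    return obfuscated


def build_login_request(cloud, username, password, api_key, now_ms=None):
    """Return (url, body) for POST /authenticatedSession on the Partner Base URI.

    The body carries the raw timestamp next to the obfuscated key.  A router
    whose clock is wrong sends a timestamp the API can reject, which is the
    authentication failure the NTP prerequisite guards against.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    url = f"https://zsapi.{cloud}.net/api/v1/authenticatedSession"
    body = {
        "username": username,            # partner admin Login ID@Domain
        "password": password,            # partner admin password
        "apiKey": obfuscate_api_key(api_key, now_ms),
        "timestamp": now_ms,
    }
    return url, body


if __name__ == "__main__":
    url, body = build_login_request(CLOUD, PARTNER_ADMIN_LOGIN,
                                    PARTNER_ADMIN_PASSWORD, PARTNER_API_KEY)
    print("POST", url)
    print(json.dumps(body, indent=2))
```

The partner admin password and the Partner API Key travel in the request body together, which is why the Tech Tip above treats both as secrets to be stored only in the SIG credentials template.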


Deploy: Cisco WAN Edge Auto IPSec Tunnels (One Active/Standby Pair, Hybrid
Transport)
In this section, you configure one active/standby auto tunnel pair on the internet transport: one tunnel to the primary
Zscaler data center and one to the secondary Zscaler data center. Traffic is forwarded on the active tunnel to the primary
data center until that tunnel is declared down (through L7 health checking and/or Dead Peer Detection). Once it is down,
the standby tunnel to the secondary data center becomes active. When the tunnel to the primary data center recovers, it
becomes active again and the tunnel to the secondary data center returns to standby.

The following deployment use case contains the following features:

• One active/standby IPSec auto tunnel pair on a single internet transport. The active tunnel connects to a primary
Zscaler data center and the standby tunnel connects to a secondary Zscaler data center.
• SIG service route for redirecting traffic to Zscaler tunnels
• Customized L7 Health Tracker (optional)
• Advanced Zscaler features (optional)
• Customized Zscaler tunnel destinations (optional)

Figure 27. Cisco WAN Edge Auto IPSec tunnels


Procedure 1: Create a SIG Template


1. On the Configuration > Templates > Feature page, select devices and under VPN, select Cisco Secure Internet
Gateway (SIG).

Figure 28. Cisco secure internet gateway (SIG)

2. Enter the Template Name (xeSig_Zscaler) and Description (Cisco IOS XE Sig Zscaler Template).
3. (Cisco IOS XE SD-WAN ONLY) A source IP address for the L7 health tracker is required. This field is a private, unique
IPv4 address with a /32 prefix. Under the Tracker section, next to Source IP Address, choose Device Specific from
the drop-down. The variable for this parameter is labeled zscaler_trackersrcip. This field is required for Cisco IOS XE
SD-WAN routers: you can turn off health checks under the tunnel configuration advanced settings (not recommended), but
you must still configure a global value or device-specific variable for the Tracker Source IP Address.

Figure 29. Add SIG template

Note that by default, Cisco vEdge routers use source IP address 192.168.0.2 in VRF 65530 for the L7 health tracker.


A tracker does not need to be explicitly configured for Cisco IOS XE SD-WAN routers because it is created automatically.
By default, L7 health checks are enabled on each tunnel with the tracker's default properties.

If you need to change any tracker parameters, configure a custom tracker. A customized tracker configuration is shown in
Procedure 5: Customize L7 Health Tracker (optional).

1. Under the Configuration section, select the Zscaler radio button as the SIG provider.
2. Click Add Tunnel. The tunnel type is IPSec, because this use case configures only IPSec auto tunnels.
3. Interface Name cannot be set as a variable, so use the Global parameter type. If you select a variable, you cannot
finish the template, because the High Availability section, where you specify which tunnels are active and which are
backup, must refer to the tunnel by name. The Interface Name is ipsec followed by a number from 1 to 255 (in this
example, ipsec101 for the first tunnel).
4. Next to Description, choose Global parameter and type an optional Description (e.g., Primary DC Tunnel 1).
5. Next to Tunnel Source Interface, select Device Specific and create a variable for this parameter (e.g., pri_
tunnel1_src_int).
6. Next to Data Center, select which data center at which this tunnel terminates. Each data center location (primary or
secondary) is selected automatically when the configuration is deployed, or manually assigned (described later in
this guide).

Figure 30. Add tunnel


7. Leave the parameters under Advanced Options at their defaults. Under Advanced Options, the following default options
are set:

Section                  | Parameter                      | Type    | Variable/Value
Advanced Options>General | Shutdown                       | Default | No
                         | Track this interface for SIG   | Default | On
                         | IP MTU                         | Default | 1400
                         | DPD Interval                   | Default | 10
                         | DPD Retries                    | Default | 3
Advanced Options>IKE     | IKE Rekey Interval (seconds)   | Default | 14400
                         | IKE Cipher Suite               | Default | AES 256 CBC SHA1
                         | IKE Diffie-Hellman Group       | Default | 2 1024-bit modulus
Advanced Options>IPSec   | IPSec Rekey Interval (seconds) | Default | 3600
                         | IPSec Replay Window            | Default | 512
                         | IPSec Cipher Suite             | Default | Null SHA1
                         | Perfect Forward Secrecy        | Default | None

Note that the default IPSec cipher suite, Null SHA1, is ESP with null encryption: the tunnel payload is integrity-protected
with HMAC-SHA1 but is not encrypted, and the default IKE Diffie-Hellman group 2 uses a 1024-bit modulus. Check these
defaults against your confidentiality requirements before relying on the tunnel alone to protect traffic on its way to
Zscaler.

8. Click Add.
9. In this use case, one additional tunnel is created (the standby tunnel to the secondary data center).
Click Add Tunnel and configure it as follows:

Section       | Parameter               | Type            | Variable/Value
Configuration | SIG Provider            | Radio Button    | Zscaler
              | Interface Name (1..255) | Global          | ipsec201
              | Description             | Global          | Secondary DC Tunnel 1
              | Tunnel Source Interface | Device Specific | sec_tunnel1_src_int
              | Data-Center             | Radio Button    | Secondary


10. Click Add.


11. Repeat steps 1-10 to define any additional tunnels.
12. When you are finished adding tunnels, configure which interface is active and which is backup. Under High
Availability, next to Pair-1 under the Active column, select ipsec101 from the drop-down menu, and under the Backup
column, select ipsec201 (the standby tunnel to the secondary data center created in step 9).

Figure 31. High availability

13. In Advanced Settings, you can choose the primary and secondary data centers (the default is automatic). You also
can turn on several Zscaler features for the tunnel through the APIs. They include: Authentication Required, XFF
Forwarding, Enable Firewall, Enable IPS Control, Enable Caution, and Enable AUP. For more information on these
options, see the Configuring Locations help section.

Tech Tip

Do not turn on Zscaler options under Advanced Settings when bringing up tunnels for the first time. Leave them off until
the tunnels are up, then go back and change the feature template to turn on the desired features. Some features require
particular subscriptions or licenses on Zscaler, and enabling them before the tunnels have come up for the first time
makes troubleshooting harder.

14. Under Advanced Settings, keep the defaults and click Save at the bottom of the screen to save the feature
template.

Procedure 2: Add the Tunnel Configuration to the Device Template


1. In Cisco vManage console, go to Configuration > Templates > Device, where the Device tab is selected by default.
To the right of the device template you want to modify, click … and select Edit from the drop-down menu.

Figure 32. Cisco vManage console template


2. Under the Transport & Management VPN section, select Cisco Secure Internet Gateway on the right-hand side. The
Cisco Secure Internet Gateway field is inserted into the Transport & Management VPN section. In the drop-down
box, select the SIG feature template recently created (xeSig_Zscaler).

Figure 33. Cisco SIG

3. Before saving the device template, attach the SIG credentials template. Under Additional Templates, next to Cisco
SIG Credentials *, select the SIG Credentials template created earlier (xeSig_Credentials).

Figure 34. Cisco SIG credentials

4. Click Update.
5. To the right of the device configuration being updated, click … and select Edit Device Template from the drop-down
list.

Figure 35. Edit device template


6. Fill in the missing variable values and click Update.

Figure 36. Cisco SIG update

7. Deploy template changes: click Next, then Configure Devices. The configuration changes are pushed and Cisco
vManage console returns success.

Figure 37. Cisco vManage console SIG success

Procedure 3: Add Service Route


The last step is to redirect traffic. In this section, a SIG service route (default route) is installed into the service VPN to
direct service-side internet traffic to Zscaler. You can configure this in all service VPN templates to redirect traffic. The
SIG service route is not an optional setting, but if a SIG tunnel is not up and operational on the router, the route is not
installed. You can either modify the service VPN template currently in use or create a separate service VPN template for
routers that use the SIG service route. In this example, the current service VPN feature template is modified.

1. On the Cisco vManage console page, select the Configuration > Templates > Feature tab and find the branch
service VPN feature template to modify (e.g., xeBR_VPN1).
2. To the right of the feature template, click … and select Edit from the drop-down list.

Figure 38. Cisco vManage console feature


3. Click the Service Route.


4. Click the New Service Route button.
5. Next to Prefix, type 0.0.0.0/0. The Service defaults to SIG. Click Add to add the service route to the configuration,
then click Update to save the xeBR_VPN1 feature template.

Figure 39. New service route

6. Click Next, then Configure Devices. Confirm changes on multiple devices if needed and click OK. The status of the
configuration change returns with Success.

Procedure 4: Verify Tunnel Operation


1. In the Cisco vManage console under Monitor > Network, click the WAN Edge router that you want to verify the
tunnel operation on.
2. Select Applications > Interface > Real Time at the top right of the chart. You can also click the interface you are
interested in on the right-hand side of the chart.

Figure 40. WAN edge tunnel interface


3. If the interface you are interested in is missing from the graph, scroll down past the chart to see the entire list of
interfaces. Click the checkbox on the left for the interface you want to display on the chart. You can also view the
state and statistics of the various interfaces on the device from this list.

Figure 41. Interface state and statistics

See the Operate section of this guide for additional monitoring and troubleshooting information.

Procedure 5: Customize L7 Health Tracker (optional)


In this section, the L7 health tracker is customized.

1. In the Cisco vManage console, go to Configuration > Templates > Feature tab. To the right of the SIG template that
was created in the earlier section (xeSig_Zscaler), click … and select Edit from the drop-down menu.
2. In the Tracker (Beta) section, click the New Tracker button. Next to Name, select Global for the parameter and enter
the name for the tracker (zscaler_L7_health_check). This label is referenced by each tunnel that uses the tracker.
3. For Interval, the default is 60 seconds and the minimum allowed is 20 seconds. Change the parameter to Global and
type 20. For the API URL of endpoint, type http://gateway.<Zscaler Cloud Name>.net/vpntest for the specific Zscaler
cloud you belong to.

Figure 42. New tracker

4. Click Add.


5. Now, before finishing the update to the feature template, reference the new L7 health tracker by the tunnels already
created. Under Configuration next to each tunnel, click the Edit icon.

Figure 43. Add tunnel

6. Next to Tracker, choose the Global parameter, then in the drop-down menu, select the L7 health check you created,
zscaler_L7_health_check. Click Save Changes.

Figure 44. Update tunnel

7. Repeat steps 5 and 6 with each tunnel.


8. Click Update to save changes to the SIG feature template. Click Next, then Configure Devices. You might need to
confirm configuration changes on multiple devices. Select the checkbox and click OK. The configuration changes are
pushed out to the attached WAN Edge routers. The status returns Success.

WAN_EdgeE#show endpoint-tracker

Interface        Record Name             Status   RTT in msecs   Probe ID   Next Hop
Tunnel100101     zscaler_l7_health_chec  Up       11             7          None
Tunnel100201     zscaler_l7_health_chec  Up       12             8          None
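Checking this output by eye on one router is fine; across a fleet you want the check scripted. The following is an added Python example (not from this guide, and not Cisco's code) that parses show endpoint-tracker output and reports any SIG tunnel whose L7 health check is missing, Down, or slower than a threshold. The sample output is constructed, modelled on the display above (Tunnel100101 and Tunnel100201 are the IOS XE interfaces behind ipsec101 and ipsec201), with one tracker deliberately Down. Note that IOS XE truncates the Record Name column, so the tracker name is matched by prefix.

```python
"""Added example: parse 'show endpoint-tracker' and report SIG tunnels whose
L7 health check is not Up.  Not the guide's or Cisco's code."""
import re

# Constructed sample modelled on the output shown above, with one tracker
# deliberately Down so the check has something to report.
SAMPLE_OUTPUT = """\
Interface                Record Name             Status  RTT in msecs  Probe ID  Next Hop
Tunnel100101             zscaler_l7_health_chec  Up      11            7         None
Tunnel100201             zscaler_l7_health_chec  Down    0             8         None
"""

ROW_RE = re.compile(
    r"^(?P<interface>Tunnel\d+)\s+(?P<record>\S+)\s+(?P<status>Up|Down)\s+"
    r"(?P<rtt>\d+|-)\s+(?P<probe>\d+)\s+(?P<next_hop>\S+)\s*$"
)


def parse_endpoint_tracker(text):
    """Return one dict per tracker row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "interface": m["interface"],
            "record": m["record"],                 # truncated by IOS XE column width
            "up": m["status"] == "Up",
            "rtt_ms": None if m["rtt"] == "-" else int(m["rtt"]),
            "probe_id": int(m["probe"]),
            "next_hop": m["next_hop"],
        })
    return rows


def sig_tunnel_health(text, expected_tunnels,
                      tracker_name="zscaler_L7_health_check", max_rtt_ms=None):
    """List problems for the tunnels the SIG template is supposed to have.

    A tunnel with no tracker row never had the tracker attached (or the tunnel
    was never created); a Down tracker is what triggers failover to the
    standby tunnel described in this section.
    """
    rows = {r["interface"]: r for r in parse_endpoint_tracker(text)}
    problems = []
    for name in expected_tunnels:
        row = rows.get(name)
        if row is None:
            problems.append(f"{name}: no endpoint tracker row (tunnel or tracker missing)")
        elif not tracker_name.lower().startswith(row["record"].lower()):
            problems.append(f"{name}: unexpected tracker {row['record']!r}")
        elif not row["up"]:
            problems.append(f"{name}: L7 health check Down")
        elif (max_rtt_ms is not None and row["rtt_ms"] is not None
              and row["rtt_ms"] > max_rtt_ms):
            problems.append(f"{name}: RTT {row['rtt_ms']} ms exceeds {max_rtt_ms} ms")
    return problems


if __name__ == "__main__":
    report = sig_tunnel_health(SAMPLE_OUTPUT, ["Tunnel100101", "Tunnel100201"])
    for line in report or ["all SIG tunnels Up"]:
        print(line)
```

Feed it the output of the same command collected over SSH or from vManage's real-time interface view, with the list of tunnels each router is expected to have from its SIG template.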

Procedure 6: Enable Advanced Zscaler Features (optional)


1. In the ZIA Admin Portal, you can view the gateway options enabled for a location by navigating to Administration
> Resources > Location Management and editing the location in which you are interested. You modify gateway
options via APIs from the Cisco vManage console.

Figure 45. Edit location

2. To change the settings, modify the SIG template feature template in the Cisco vManage console. Go to
Configuration > Templates > Feature. Find the name of the SIG template you want to modify (xeSig_Zscaler). Click …
to the far right of the template and select Edit from the drop-down menu.
3. Under Advanced Settings, select Global parameter and click On next to the settings you want to enable. In this
example, Enable Caution is enabled.
4. Click Update.

Note
This enables the same Zscaler advanced settings for every device the template is attached to. If you need different
settings for different devices, a separate SIG feature template is required.


Figure 46. Enable caution


5. Click Next, then Configure Devices. Confirm configuration on multiple devices if needed. Configuration changes are
pushed to the devices and Success is returned.

Figure 47. Enable caution

6. View the location gateway options in the ZIA Admin Portal for changes.


Procedure 7: (Optional) Customize Zscaler Tunnel Destination (Primary and Secondary Data
Centers)
To change the tunnel destination settings to choose your own primary and secondary Zscaler data center locations,
modify the SIG template feature template.

1. Go to Configuration > Templates > Feature. Find the name of the SIG template you want to modify (xeSig_Zscaler).
Click … to the far right of the template and select Edit from the drop-down menu.
2. Under Advanced settings, next to Primary Data-Center, select the Device Specific parameter and use the variable
vpn_zlsprimarydc. Next to Secondary Data-Center, select Device Specific and use the variable
vpn_zlssecondarydc.

Figure 48. SIG template edit

3. Click Update to save the feature template settings.

Tech Tip

If you select a global parameter, you get a drop-down box with available Zscaler data centers to choose from. Select a
data center that is part of your assigned Zscaler cloud. In this version of code, the list is static and might not be up
to date. Use a device-specific parameter if you need to specify a data center that is not in the list, or if you need
different data centers for different devices attached to the same feature template. To get the most up-to-date list of
Zscaler data centers, check https://config.zscaler.com/<Zscaler Cloud Name>.net/cenr.
In this example, the list for Zscaler cloud Three is located at https://config.zscaler.com/zscalerthree.net/cenr.

4. At the top of the page, select a device template to fill in data center values. To the right of the device, click … and
select Edit Device Template from the drop-down menu.

Figure 49. Edit device template


5. Fill in the values for the Primary and Secondary Data-Centers. Use VPN Host names. Note that auto is an acceptable
value for those locations where the tunnels are automatically discovered for you. This example uses the data center
locations Atlanta II (e.g., atl2-vpn.zscalerthree.net) for Primary and Dallas I (e.g., dfw1-vpn.zscalerthree.net) for
Secondary.
6. Click Update.

Figure 50. Update device template

7. Update variable values on other devices attached to device templates using the feature template you just modified.
8. Click Next, then Configure Devices. Confirm configuration changes on multiple devices if needed. Cisco vManage
console pushes the configuration changes and indicates Success.


9. Open a client browser at the site and navigate to http://ip.zscaler.com. Validate that the data center shown is the
primary data center you configured (in this example, San Francisco IV).

Figure 51. Zscaler IP config


Deploy: Cisco WAN Edge Auto IPSec Tunnels (Active/Active Tunnels, Hybrid
Transport)
In this section, two active auto IPSec tunnels are configured, both to the same Zscaler data center. Traffic is forwarded
on both tunnels to the primary data center until one tunnel is declared down (through L7 health checking and/or Dead Peer
Detection). While it is down, traffic is hashed to the remaining tunnel. When the downed tunnel recovers, it becomes
active again and traffic can be hashed to it once more.

This deployment use case contains the following features:

• One active/active IPSec auto tunnel pair on a single internet transport. Both tunnels connect to the same primary
Zscaler data center. This is supported on Cisco IOS XE SD-WAN devices only.
• Centralized data policy for redirecting traffic to Zscaler tunnels.
• Weighted tunnels.

Figure 52. Cisco WAN Edge auto IPSec tunnels

Tech Tip

This use case illustrates how to configure multiple active/active tunnels. You can add more active tunnels (up to four)
or add standby tunnels for any active tunnel. Because traffic is hashed across the active tunnels, keep all active tunnels
pointing to the same Zscaler data center. If you implement standby tunnels, point them at the same Zscaler data center as
the active tunnels, so that a subset of standby tunnels becoming active does not produce equal-cost paths where traffic
hashes to different Zscaler data centers.


To accommodate both tunnels to one Zscaler destination, two loopback interfaces are needed for source IP addresses
since each tunnel needs a unique source IP/source port/destination IP/destination port pair. If you configure standby
tunnels to the same Zscaler data center destination, each of them needs a unique source IP address as well.

Procedure 1: Create two loopback interfaces, one for each active tunnel (Cisco IOS XE SD-WAN
only)
1. In the Cisco vManage console, navigate to Configuration > Templates > Feature tab. Click Add Template, select your
devices, and under VPN, select Cisco VPN Interface Ethernet.
2. Enter a Template Name and Description. Under basic configuration next to Shutdown, choose Global parameter
and click No. Next to Interface Name, enter Loopback1, and next to IPv4 Address/prefix-length, choose Global
parameter and type the address (10.10.10.1/32 in this example).

Figure 53. Loopback interface

3. Click Save.


4. Copy the previous template and make modifications or create new interface Ethernet feature templates by
repeating steps 1 through 3 to create two total loopback addresses with the following characteristics:

Template Type: Feature Template > Cisco VPN Interface Ethernet

Feature Template Name | Section             | Parameter                  | Type         | Variable/Value
Loopback1             | Basic Configuration | Shutdown                   | Global       | No
                      |                     | Interface Name             | Global       | Loopback1
                      |                     | IPv4                       | Radio Button | Static
                      |                     | IPv4 Address/prefix-length | Global       | 10.10.10.1/32
Loopback2             | Basic Configuration | Shutdown                   | Global       | No
                      |                     | Interface Name             | Global       | Loopback2
                      |                     | IPv4                       | Radio Button | Static
                      |                     | IPv4 Address/prefix-length | Global       | 10.10.10.2/32

Procedure 2: Create a local policy-based routing policy (Cisco IOS XE SD-WAN only)
1. Create a CLI add-on template that defines a local policy-based routing policy. This ensures that router-generated
control traffic (IKE) sourced from the loopback addresses is sent to the correct next hop on the internet transport.
2. Go to Configuration > Templates > Feature tab and click Add Template. Select the devices the feature template can
apply to. Under Other Templates, click Cli Add-On Template.

Figure 54. Other templates


3. Type a Template Name (CLI-Template-Sig-Local-Policy) and Description (CLI Add-on Template Sig Local Policy).
4. Add the following CLI:

ip access-list extended SIG
 10 permit ip host 10.10.10.1 any
 20 permit ip host 10.10.10.2 any
!
route-map Tunnel-Control permit 10
 match ip address SIG
 set ip next-hop 64.100.215.1
!
ip local policy route-map Tunnel-Control

5. Highlight 64.100.215.1 as the next-hop and click (x) Create Variable.

Figure 55. CLI configuration

6. In the pop-up window, enter a variable name (Loopback-Tun-Src-Next-Hop-IP). This CLI template can apply to
several WAN Edge routers. Click Create Variable.

Figure 56. Create variable name

7. Click Save.


Procedure 3: Create a new SIG feature template with two active tunnels (Cisco IOS XE SD-WAN only)
The active tunnels reference loopback interfaces as sources.

1. In the Cisco vManage console, navigate to Configuration > Templates and click Feature. Click Add Template and select
the devices the feature template can apply to. Under VPN, select the Cisco Secure Internet Gateway (SIG) template.
Add the Template Name (xeSig_Zscaler_2_Loopback_Source) and Description (SIG Zscaler 2 Tunnels
with Loopback Source).
2. Under Tracker (BETA), select Device Specific and use the variable vpn_trackersrcip.
3. Under Configuration, click the Zscaler radio button, then click Add Tunnel.
4. Next to Interface Name, name the tunnel (ipsec101).
5. Fill out the Description (Tunnel 1 to Primary DC).
6. Next to Tunnel Source Interface, ensure it is a Global value, then type Loopback1.
7. Next to Data-Center, ensure Primary is selected.
8. When a loopback interface is entered for the tunnel source, you must fill out a field called Tunnel Route-via
Interface, specifying what physical interface data traffic is routed out. Next to Tunnel Route-via Interface, select
Device Specific and indicate the variable, pri_tunnel1_route_via.
9. Click Add.

Figure 57. Add tunnel

10. Finish configuring the tunnel interfaces by repeating steps 1 through 9 to configure two tunnels in total with the
following characteristics. All active tunnels point to the primary data center.

Section       | Parameter                  | Type            | Variable/Value
Configuration | Interface Name             | Global          | ipsec101
              | Description                | Global          | Tunnel 1 to Primary DC
              | Tunnel Source Interface    | Global          | Loopback1
              | Data-Center                | Radio Button    | Primary
              | Tunnel Route-via Interface | Device Specific | pri_tunnel1_route_via
Configuration | Interface Name             | Global          | ipsec201
              | Description                | Global          | Tunnel 2 to Primary DC
              | Tunnel Source Interface    | Global          | Loopback2
              | Data-Center                | Radio Button    | Primary
              | Tunnel Route-via Interface | Device Specific | (required for a loopback source; see step 8)


11. Under High Availability, add one additional tunnel pair and assign ipsec101 under the Active column for Pair-1 and
ipsec201 under the Active column for Pair-2.

Figure 58. High availability

12. Click Save to save the new SIG feature template.

Procedure 4: Modify Device Template


Add the SIG feature template to the device template. This step assumes there is no previously defined SIG feature
template configuration. If a template configuration is already defined, Zscaler recommends you delete it from the device
template and push the configuration changes to the router before adding the new tunnel configuration.

1. Go to Configuration > Templates. Under the Device tab, next to the device template you want to modify, click … on
the right-hand side, and select Edit from the drop-down menu.
2. Under Transport & Management VPN, click Cisco Secure Internet Gateway on the right-side under Additional
Cisco VPN 0 Templates.
3. Choose the new SIG template created in the last procedure (xeSig_Zscaler_2_Loopback_Source).
4. Click Cisco VPN Interface Ethernet on the right-hand side two times under Additional Cisco VPN 0 Templates and
then select xeLoopback1 for one, and xeLoopback2 for the other.

Figure 59. Transport & Management VPN

5. Under Additional Templates, choose the CLI Add-On Template and the SIG Credentials feature template created
earlier.


6. Click Update.

Figure 60. Additional templates

7. Next to the device you need to define values for, click … and select Edit Device Template.
8. Fill in values for the variables created in the feature template.
9. Click Update.

Figure 61. Update device template

Figure 62. Update device template


10. Click Next, then Configure Devices. After the configuration changes are pushed to the WAN edge, the status shows
up as Success.
11. Verify tunnel operation.

Procedure 5: Add Centralized Data Policy instead of Service Route


This section assumes a centralized policy already exists in the network and is activated on the Cisco vSmart controllers. An
example data policy is constructed which directs:

• Company destination traffic to take the SD-WAN overlay tunnels.
• DNS requests to use the DIA (if the internet transport fails, traffic is routed over the overlay).
• Box application traffic to use the DIA (if the internet transport fails, traffic is routed over the overlay).
• The remaining traffic over the SIG tunnels.

1. Go to Configuration > Policies > Custom Options > Lists (under Centralized Policy).

Figure 63. Cisco vManage console custom options

2. Select Data Prefix on the left-hand pane and create a Prefix List called Overlay that contains the 10.0.0.0/8 prefix
and any other site prefix/summary advertised into the SD-WAN overlay.

Figure 64. Define lists


3. Select Application on the left-hand pane and create a New Application List called Box.

Figure 65. Application list name

4. Ensure the WAN edge router to which you are applying the policy is defined in a site list and there is a VPN list that
contains the VPN to which you want to apply the policy. If not, create the site list.

Figure 66. VPN policy

5. The service VPN for Zscaler traffic is VPN1. Create the VPN list if needed.

Figure 67. New VPN list

6. To edit or create a new traffic policy for a WAN edge router, go to Custom Options and under Centralized Policy,
select Traffic Policy.

Figure 68. Configuration policies

7. Click the Traffic Data tab at the top of the page.

Figure 69. Traffic data

8. If there is already a data policy attached to the WAN edge router site to which you want to add a SIG data policy,
choose to edit the existing policy, or create a new data policy and import it into the master policy already attached
to the Cisco vSmart controllers. In this example, a new data policy is created and imported into a master policy
already attached to the Cisco vSmart controllers.
9. Click Add Policy and select Create New from the drop-down menu.

Figure 70. Add policy

10. Name the Data Policy (Sig_Data) and give it a Description (Data Policy for Sig Data).

11. Click Sequence Type and select Custom.

Figure 71. Sequence type

12. Click Sequence Rule. Select Match Conditions and Actions, then click Save Match and Actions. Repeat as needed
to complete the policy.

Figure 72. Sequence rule

In this example, the following policy is configured:

Sequence Rule   Match Parameter                       Match Value   Action/s
1               Destination Data Prefix               Overlay       Accept
2               DNS                                   Request       Accept / NAT VPN with Fallback
3               Application/Application Family List   Box           Accept / NAT VPN with Fallback
4               <empty>                               -             Accept / Secure Internet Gateway

13. (Optional) Change Default Action from Drop to Accept for your policy if necessary.

Tech Tip

In the 20.6.1/17.6.1 releases, the Secure Internet Gateway data policy action has no fallback: if all SIG tunnels on the
router go down, the data policy still forwards the matching traffic to the SIG service and that traffic is blackholed. To
avoid this, give that traffic a plain Accept action in the data policy and steer it into the SIG tunnels with a SIG service
route instead. Service routes do support fallback: when the SIG tunnels fail, the SIG service route is withdrawn and the
traffic follows the routes in the SD-WAN overlay.

14. Click Save Data Policy.


15. Now this new data policy can be imported into the master policy already attached to the Cisco vSmart controllers. In
the Cisco vManage console, go to Configuration > Policies. Ensure Centralized Policy is selected. Choose to Edit the
master policy (Central_Policy) that is currently activated.

Figure 73. Edit policy

16. Click Traffic Rules at the top of the page so the new data policy is imported into the master policy. Click the Traffic
Data tab. Click Add Policy and choose Import Existing from the drop-down menu.

Figure 74. Traffic data policy

17. In the pop-up window, select the policy name created and click Import.

18. After the policy is imported, apply it to a site list and VPN list. Click Policy Application at the top of the page. Click
the Traffic Data tab. Under Sig_Data, click New Site List and VPN List.
19. Ensure radio button From Service is chosen so data policy is applied to traffic coming from the service VPN. Select
Site list (Zscaler-DataPolicy-Sites) and VPN List (VPN1). Click Add, then Save Policy Changes.

Figure 75. Policy application

20. A pop-up window appears to push the update policy to the Cisco vSmarts. Click Activate.
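The policy built in steps 1 through 20, as it would read in the CLI that vManage renders and pushes to the Cisco vSmart controllers (the Preview option for the activated master policy). This rendering is an added illustration, not text taken from this guide: vManage writes it for you, and the policy name prefix, the sequence numbers (vManage numbers custom sequences 1, 11, 21, ...), the application name inside the Box list and the site ID 215 (WAN_EdgeE in Appendix A) are assumptions. It makes the Tech Tip concrete: sequences 11 and 21 carry nat fallback, so DNS and Box traffic returns to the overlay if the internet transport fails, while the sig action in sequence 31 has no fallback in 20.6.1/17.6.1 and blackholes traffic once all SIG tunnels are down.

```text
policy
 data-policy _VPN1_Sig_Data
  vpn-list VPN1
   sequence 1
    match
     destination-data-prefix-list Overlay
    !
    action accept
    !
   !
   sequence 11
    match
     dns request
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
   sequence 21
    match
     app-list Box
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
   sequence 31
    action accept
     sig
    !
   !
   default-action accept
  !
 !
 lists
  data-prefix-list Overlay
   ip-prefix 10.0.0.0/8
  !
  app-list Box
   app box
  !
  site-list Zscaler-DataPolicy-Sites
   site-id 215
  !
  vpn-list VPN1
   vpn 1
  !
 !
!
apply-policy
 site-list Zscaler-DataPolicy-Sites
  data-policy _VPN1_Sig_Data from-service
 !
!
```

Read it against Procedure 5: rows 1 to 4 of the sequence table are sequences 1, 11, 21 and 31; the From Service radio button in step 19 is the from-service keyword under apply-policy; and the optional change of the Default Action in step 13 is the default-action accept line. Anything not matched by sequences 1 to 21 (including traffic to prefixes you forgot to add to the Overlay list) reaches sequence 31 and is sent to Zscaler, so keep the Overlay list complete.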

Procedure 6: Assign Tunnel Weights (optional)


In this section, different tunnel weights are assigned to the active tunnels.

1. In the Cisco vManage console, go to Configuration > Templates > Feature tab. To the right of the SIG template that
was created in the earlier section (xeSig_Zcaler_2_Loopback_Source), click … and select Edit from the drop-down
menu.
2. Under the High Availability section, configure the Active Weight column for each active tunnel.

Section                    Parameter       Type     Variable/Value
High Availability/Pair-1   Active          Global   ipsec101
                           Active Weight   Global   80
High Availability/Pair-2   Active          Global   ipsec201
                           Active Weight   Global   20

3. Click Update to save changes to the SIG feature template.


4. Click Next, then Configure Devices. You might need to confirm configuration changes on multiple devices. Select
the checkbox and click OK. The configuration changes are pushed out to the attached WAN Edge routers.

Operate
The following shows different ways to monitor the Zscaler IPSec tunnels.

Verify Cisco SD-WAN Tunnel Operation from the Cisco vManage Console
1. In the Cisco vManage console under Monitor > Network, click the WAN Edge router on which you want to verify the
tunnel operation.
2. Select Applications > Interface > Real Time at the top right of the chart. You can also click the interface you are
interested in on the right-hand side of the chart.

Figure 76. Interface real time

3. If the interface you are interested in is missing from the graph, scroll down past the chart to see the entire list of
interfaces. Select the checkbox on the left for the interface you want to display on the chart. You can also view the
state and statistics of the various interfaces on the device from this list.

Figure 77. Interface details

Verify Cisco SD-WAN Event Logs from the Cisco vManage Console
1. In the Cisco vManage console, navigate to Monitor > Events.
2. In the top right-hand corner, you can select the timeframe over which to see the events. The default is over the last
three hours.
3. In the search bar, type something to narrow down your search. In this example, you see all the WAN_EdgeB device
events in the last hour.

Figure 78. Select resource group

Events are generated when a location is created, VPN credentials are associated with the tunnel, and when the tunnel
state comes up.

Verify Zscaler Tunnel Status in ZIA Admin

To check the state of the tunnels from your sites to ZIA, use Tunnel Insights: it charts the traffic volume sent and
received over each tunnel from your SD-WAN appliances, from which the current state of the tunnels can be read.

In the ZIA Admin Portal, navigate to Analytics > Insights > Tunnel Insights.

Figure 79. Tunnel insights

In the Insights screen, you can visualize and filter data in various ways. You can select how to categorize all tunnel traffic
to graph from the drop-down menu under Tunnel Insights (by Overall Traffic, Location, Location Group, Location Type,
Tunnel Destination IP, Tunnel Source IP, Tunnel Type, or by VPN Credential). You can also configure the Timeframe,
ChartType, and Metrics you want to view. Additionally, you can filter the data shown in the chart even further by clicking
the Add Filter drop-down menu and selecting various filter types and values.

Figure 80. Tunnel insights

For further information, see ZIA Tunnel Insights.

Verify Zscaler Tunnel Event Logs in ZIA Admin


Tunnel Logging
To assist in troubleshooting, you can also view the state of all tunnels for your tenant from the ZIA Admin Portal.
Click Logs. From this screen, you can then filter and change the timeframe for the tunnels and sites you would like to
investigate.

Figure 81. Insights log

For more information, see ZIA Tunnels Insights Logs: Columns.

View API Calls in Zscaler ZIA (Audit Logs)

The Audit Logs in ZIA record every configuration change made to the tenant, including changes made through the API, so
they can be used to see the API calls the SD-WAN integration has made and whether each one succeeded.

1. Navigate to Administration > Authentication > Audit Logs.

Figure 82. Audit logs

2. In the Audit Logs window, you can filter out all changes to only view the API calls by selecting API under the
Interface drop-down menu.
A list of all the API interactions is displayed, where the Result column shows whether the call was successful or failed.

Figure 83. Audit logs

Click the icon to the right of the Result column to view the API data that the call created or updated.

Figure 84. Configuration changes

Verify Zscaler ZIA Service Configuration

From a host PC at the site, browse to https://ip.zscaler.com to validate that its traffic is transiting ZIA. If it is not,
the page looks like this:

Figure 85. ZIA transit traffic fail

If you are transiting ZIA, you see the following:

Figure 86. ZIA transit traffic success

Verify Zscaler Tunnel Operation Using Cisco IOS XE SD-WAN CLI

SSH to the WAN edge router, either directly or through the Cisco vManage console (Tools > SSH Terminal), and run the
following commands to verify the Zscaler tunnel operation. The states build on each other: the router's Zscaler API calls
(location and VPN credential provisioning) must complete successfully before IKEv2 can negotiate the IKE SA and the child
IPsec SA, and only once the tunnel is up do the L7 health checks start running through it. When a tunnel does not come up,
check the commands in that order.

• show ip interface brief: Shows interface state, including the SIG tunnel interfaces (Tunnel100101 and Tunnel100201 here).
• show sdwan secure-internet-gateway zscaler tunnels: Shows each ZIA tunnel, its provisioning state machine, and the last
  API request with its HTTP response code (200 means the last call succeeded).
• show crypto ikev2 session: Shows the IKEv2 security associations with the negotiated algorithms (encryption, PRF,
  integrity, DH group, authentication method) and the child SA traffic selectors and SPIs.
• show crypto ipsec sa: Shows IPsec encryption/decryption counters. The output covers every IPsec SA on the router,
  including the SD-WAN overlay SAs (the Tunnel0 excerpt below is one), so look for the entries under the SIG tunnel
  interfaces.
• show ip route vrf <service vpn>: Shows the routing table of the service VPN, including the default route that points at
  the SIG tunnel.
• show interface <tunnel>: Shows tunnel state, source, destination and traffic statistics.
• show endpoint-tracker: Shows the L7 health tracker status and RTT for each SIG tunnel.
• show endpoint-tracker records: Shows the tracker definition (probe URL, threshold, multiplier and interval).
• show ip sla statistics: Shows the underlying IP SLA HTTP probe results (DNS, TCP connect and HTTP transaction RTT,
  success and failure counts).

WAN_EdgeE#sh ip interface brief
Interface              IP-Address       OK? Method Status                Protocol
GigabitEthernet0/0/0   64.100.215.2     YES other  up                    up
GigabitEthernet0/0/1   10.215.10.1      YES other  up                    up
GigabitEthernet0/0/2   192.168.215.2    YES other  up                    up
Service-Engine0/4/0    unassigned       YES unset  up                    up
GigabitEthernet0       192.168.255.135  YES other  up                    up
Sdwan-system-intf      10.255.255.215   YES unset  up                    up
Loopback65528          192.168.1.1      YES other  up                    up
Loopback65530          10.11.11.1       YES other  up                    up
NVI0                   unassigned       YES unset  up                    up
Tunnel0                64.100.215.2     YES TFTP   up                    up
Tunnel2                192.168.215.2    YES TFTP   up                    up
Tunnel100101           64.100.215.2     YES TFTP   up                    up
Tunnel100201           64.100.215.2     YES TFTP   up                    up

WAN_EdgeE#show sdwan secure-internet-gateway zscaler tunnels
----------------------------------------------------------------------------------------------------------------------------------------
Tunnel100101  site215sys10x255x255x215ifTunnel100101  30556720  <removed>  add-vpn-credential-info  30558350  location-init-state  get-data-centers  200
Tunnel100201  site215sys10x255x255x215ifTunnel100201  30556721  <removed>  add-vpn-credential-info  30558350  location-init-state  get-data-centers  200

WAN_EdgeE#show crypto ikev2 session
 IPv4 Crypto IKEv2 Session

Session-id:6, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         64.102.254.147/500    104.129.206.161/500   none/none            READY
      Encr:AES-CBC, keysize:256, PRF:SHA256, Hash:SHA256, DH Grp:14, Auth sign:PSK, Auth verify:PSK
      Life/Active Time: 86400/949 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x99AD50D4/0x3F86E386

Session-id:5, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         64.102.254.147/500    165.225.8.35/500      none/none            READY
      Encr:AES-CBC, keysize:256, PRF:SHA256, Hash:SHA256, DH Grp:14, Auth sign:PSK, Auth verify:PSK
      Life/Active Time: 86400/949 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x75ABF7D3/0x25E5276B

WAN_EdgeE#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-vesen-head-0, local addr 64.102.254.147

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (64.102.254.147/255.255.255.255/0/12387)
   remote ident (addr/mask/prot/port): (64.102.254.146/255.255.255.255/0/12426)
   current_peer 64.102.254.146 port 12426
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32144, #pkts encrypt: 32144, #pkts digest: 32144
    #pkts decaps: 32144, #pkts decrypt: 32144, #pkts verify: 32144

WAN_EdgeE#show ip route vrf 1

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 [2/65535], Tunnel100101
      10.0.0.0/8 is variably subnetted, 26 subnets, 3 masks
m     10.4.0.0/30 [251/0] via 10.255.255.202, 2d03h, Sdwan-system-intf
                  [251/0] via 10.255.255.201, 2d03h, Sdwan-system-intf
m     10.4.0.4/30 [251/0] via 10.255.255.202, 2d03h, Sdwan-system-intf
                  [251/0] via 10.255.255.201, 2d03h, Sdwan-system-intf
m     10.4.0.8/30 [251/0] via 10.255.255.202, 2d03h, Sdwan-system-intf
                  [251/0] via 10.255.255.201, 2d03h, Sdwan-system-intf

WAN_EdgeE#sh interface Tunnel100101
Tunnel100101 is up, line protocol is up
  Hardware is Tunnel
  Description: Primary DC Tunnel 1
  Interface is unnumbered. Using address of GigabitEthernet0/0/0 (64.100.215.2)
  MTU 9950 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 51/255, rxload 5/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 64.100.215.2 (GigabitEthernet0/0/0), destination 165.225.48.10

WAN_EdgeE#show endpoint-tracker
Interface      Record Name           Status   RTT in msecs   Probe ID   Next Hop
Tunnel100101   #SIGL7#AUTO#TRACKER   Up       10             5          None
Tunnel100201   #SIGL7#AUTO#TRACKER   Up       11             6          None

WAN_EdgeE#show endpoint-tracker records
Record Name           Endpoint                               EndPoint Type   Threshold(ms)   Multiplier   Interval(s)   Tracker-Type
#SIGL7#AUTO#TRACKER   http://gateway.zscalerthree.net/vpn    API_URL         1000            2            30            interface

WAN_EdgeE#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 11
        Latest RTT: 32 milliseconds
Latest operation start time: 03:02:28 UTC Wed Nov 24 2021
Latest operation return code: OK
Latest DNS RTT: 10 ms
Latest TCP Connection RTT: 11 ms
Latest HTTP Transaction RTT: 11 ms
Number of successes: 69
Number of failures: 1
Operation time to live: Forever

IPSLA operation id: 12
        Latest RTT: 37 milliseconds
Latest operation start time: 03:02:28 UTC Wed Nov 24 2021
Latest operation return code: OK
Latest DNS RTT: 11 ms
Latest TCP Connection RTT: 15 ms
Latest HTTP Transaction RTT: 11 ms
Number of successes: 69
Number of failures: 1
Operation time to live: Forever

Verify Zscaler Tunnel Operation Using Cisco vEdge CLI

SSH to the WAN Edge router, either directly or through the Cisco vManage console (Tools > SSH Terminal), and run the
following commands to verify the Zscaler tunnel operation. As on Cisco IOS XE SD-WAN, the Zscaler API calls must complete
successfully before IKEv2 and IPsec can establish the tunnel, and the L7 health checks start only once the tunnel is up.

• show interface | tab | in ipsec: Shows the state of the ipsec tunnel interfaces.
• show secure-internet-gateway zscaler tunnels: Shows each ZIA tunnel, its provisioning state machine, and the last API
  request with its HTTP response code.
• show ipsec ike sessions: Shows the IKEv2 sessions with the negotiated cipher suite and DH group.
• show tunnel statistics ipsec: Shows IPsec encryption/decryption counters. The table lists every IPsec tunnel, including
  the SD-WAN overlay tunnels; the Zscaler tunnels are the rows whose destination matches the dest-ip in show ipsec ike
  sessions (UDP port 4500).
• show ip route vpn <service vpn>: Shows routing information for the service VPN.
• show ip fib vpn <service vpn>: Shows the forwarding (next hop) information for the service VPN.
• show ip nat filter (or show ip nat filter | tab): Shows the active NAT translations, including the one carrying the
  IKE/IPsec traffic to Zscaler.
• show interface statistics: Shows traffic statistics for each interface.
• show support tracker interface monitors: Shows L7 health tracker information for each tunnel.

WAN_EdgeB# show interface | tab | in ipsec
0  ipsec101  ipv4  -  Up  Up  Up  vlan  service  1400  00:00:00:00:00:01  1000  full  1316  0:05:32:03  4002  2524
0  ipsec201  ipv4  -  Up  Up  Up  vlan  service  1400  00:00:00:00:00:01  1000  full  1316  0:05:32:03  4009  2512

WAN_EdgeB# show secure-internet-gateway zscaler tunnels
zscaler tunnels ipsec101
 tunnel-name        site212sys10x255x255x212ifipsec101
 tunnel-id          33685023
 fqdn               (REMOVED)
 tunnel-fsm-state   add-vpn-credential-info
 location-id        33685046
 location-fsm-state location-init-state
 last-http-req      get-data-centers
 http-resp-code     200
zscaler tunnels ipsec201
 tunnel-name        site212sys10x255x255x212ifipsec201
 tunnel-id          33685030
 fqdn               (REMOVED)
 tunnel-fsm-state   add-vpn-credential-info
 location-id        33685046
 location-fsm-state location-init-state
 last-http-req      get-data-centers
 http-resp-code     200

WAN_EdgeB# show ipsec ike sessions
ipsec ike sessions 0 ipsec101
 version        2
 source-ip      64.100.212.2
 source-port    4500
 dest-ip        104.129.206.161
 dest-port      4500
 initiator-spi  11e994148c8c114c
 responder-spi  ba604f6bfa667181
 cipher-suite   aes256-cbc-sha1
 dh-group       "2 (MODP-1024)"
 state          IKE_UP_IPSEC_UP
 uptime         0:02:17:35
 tunnel-uptime  1:01:16:19
ipsec ike sessions 0 ipsec201
 version        2
 source-ip      64.100.212.2
 source-port    4500
 dest-ip        165.225.34.44
 dest-port      4500
 initiator-spi  0a977da74a8ca235
 responder-spi  dc36839e3b9138e4
 cipher-suite   aes256-cbc-sha1
 dh-group       "2 (MODP-1024)"
 state          IKE_UP_IPSEC_UP
 uptime         0:02:15:45
 tunnel-uptime  1:01:16:19

WAN_EdgeB# show tunnel statistics ipsec
TUNNEL                                   SOURCE  DEST   IPSEC DECRYPT  IPSEC RX   IPSEC RX  IPSEC ENCRYPT  IPSEC TX   IPSEC TX
PROTOCOL  SOURCE IP     DEST IP          PORT    PORT   INBOUND        AUTH FAIL  FAIL      OUTBOUND       AUTH FAIL  FAIL
----------------------------------------------------------------------------------------------------------------------------
ipsec     64.100.212.2  64.100.1.23      12346   10424  370572         1          0         370570         0          8
ipsec     64.100.212.2  64.100.1.24      12346   65008  370594         1          0         370593         0          7
ipsec     64.100.212.2  104.129.206.161  4500    4500   15168          0          0         18970          0          0
ipsec     64.100.212.2  165.225.34.44    4500    4500   15176          0          0         18977          0          0

WAN_EdgeB# show ip route vpn 1
                                  PROTOCOL  NEXTHOP   NEXTHOP  NEXTHOP
VPN  PREFIX     PROTOCOL   SUB TYPE  IF NAME   ADDR     VPN      TLOC IP         COLOR  ENCAP  STATUS
-----------------------------------------------------------------------------------------------------
1    0.0.0.0/0  std-ipsec  -         ipsec101  -        0        -               -      -      F,S
1    0.0.0.0/0  omp        -         -         -        -        10.255.255.201  mpls   ipsec  -

WAN_EdgeB# show ip fib vpn 1
                  NEXTHOP  NEXTHOP        NEXTHOP  NEXTHOP  SA
VPN  PREFIX       IF NAME  ADDR           LABEL    VPN      INDEX  TLOC IP         COLOR
----------------------------------------------------------------------------------------
1    0.0.0.0/0    ipsec    165.225.48.10  -        -        34     -               -
1    10.4.0.0/30  ipsec    10.4.1.2       1003     -        7      10.255.255.201  mpls
1    10.4.0.0/30  ipsec    64.100.1.23    1003     -        28     10.255.255.201  biz-internet

WAN_EdgeB# show ip nat filter (or show ip nat filter | tab)
ip nat filter nat-vpn 0 nat-ifname ge0/0 vpn 0 protocol udp 64.100.212.2 64.102.254.147
 public-source-address 64.100.212.2
 public-dest-address   64.102.254.147
 public-source-port    12346
 public-dest-port      12367
 filter-state          established
 idle-timeout          0:00:00:59
 outbound-packets      3296
 outbound-octets       519226
 inbound-packets       3294
 inbound-octets        593424
ip nat filter nat-vpn 0 nat-ifname ge0/2 vpn 0 protocol udp 10.10.10.1 104.129.206.161
 public-source-address 192.168.212.2
 public-dest-address   104.129.206.161
 public-source-port    4500
 public-dest-port      4500
 filter-state          established
 idle-timeout          0:00:00:52
 outbound-packets      15105
 outbound-octets       1851428
 inbound-packets       15077
 inbound-octets        1846978

WAN_EdgeB# show interface statistics
                AF     RX       RX        RX      RX     TX       TX        TX      TX     RX   RX    TX   TX
VPN  INTERFACE  TYPE   PACKETS  OCTETS    ERRORS  DROPS  PACKETS  OCTETS    ERRORS  DROPS  PPS  Kbps  PPS  Kbps
---------------------------------------------------------------------------------------------------------------
0    ge0/0      ipv4   423562   70604112  0       213    437205   74796702  0       0      17   22    17   23
0    ipsec101   ipv4   4333     536138    0       0      2731     340154    0       0      0    0     0    0
0    ipsec201   ipv4   4336     536532    0       0      2717     337982    0       0      0    0     0    0

WAN_EdgeB# show support tracker interface monitors
Interface: ipsec101/#SIGL7#AUTO#TRA#ZIA
  Monitor: 65530/http://gateway.zscalerthree.net/vpntest/80 via ipsec101
  Monitor state     : UP (flapped 0 times)
  Ref count         : 1
  Monitor type      : httping
  Probe / DNS SIP   : 192.168.0.2 / ::
  Nameserver IP     : 208.67.222.222
  Src Port Base     : 49172
  Num of probes     : 1
  Max Re-transmit   : 2
  First Probe       : 0 secs
  Probe interval    : 30 secs
  Probe timeout     : 1000 msecs
  DNS TTL           : 96 secs
  DNS query/ok/fail : 611/611/0
  Peer: 165.225.48.11 (UP - flapped 0 times, nretries 0)
    Total requests  : 0    Total responses : 0
    Total Tx errors : 0    Total Rx errors : 0
    Total Tx skipped: 0    Total Rx ignored: 0
    Total timeout   : 0    Connect errors  : 0
    RTT min/avg/max : 0.00/0.00/0.00 ms
    Conn min/avg/max: 0.00/0.00/0.00 ms

Interface: ipsec201/#SIGL7#AUTO#TRA#ZIA
  Monitor: 65530/http://gateway.zscalerthree.net/vpntest/80 via ipsec201
  Monitor state     : UP (flapped 0 times)
  Ref count         : 1
  Monitor type      : httping
  Probe / DNS SIP   : 192.168.0.2 / ::
  Nameserver IP     : 208.67.222.222
  Src Port Base     : 49173
  Num of probes     : 1
  Max Re-transmit   : 2
  First Probe       : 0 secs
  Probe interval    : 30 secs
  Probe timeout     : 1000 msecs
  DNS TTL           : 96 secs
  DNS query/ok/fail : 611/611/0
  Peer: 165.225.48.11 (UP - flapped 0 times, nretries 0)
    Total requests  : 0    Total responses : 0
    Total Tx errors : 0    Total Rx errors : 0
    Total Tx skipped: 0    Total Rx ignored: 0
    Total timeout   : 0    Connect errors  : 0
    RTT min/avg/max : 0.00/0.00/0.00 ms
    Conn min/avg/max: 0.00/0.00/0.00 ms
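The two verification sections above list the commands but leave reading their output to the operator. The following Python script is an added example, not code from this guide or from Cisco or Zscaler tooling. It parses captured output of four of those commands (show sdwan secure-internet-gateway zscaler tunnels, show crypto ikev2 session and show endpoint-tracker on Cisco IOS XE SD-WAN; show ipsec ike sessions on Cisco vEdge) and reports tunnels whose Zscaler API provisioning did not return 200, IKE sessions that are not up, L7 trackers that are not Up, and IKE proposals negotiated with a Diffie-Hellman group below 14 or a SHA-1/MD5 integrity algorithm. The sample strings are constructed from the outputs printed in this section with wrapped lines re-joined; the column layout the regular expressions assume is the one shown in those excerpts, so adjust them if your release prints differently. Run against the samples it returns no findings for WAN_EdgeE (the IOS XE sessions negotiated AES-256, SHA-256 and DH group 14) and flags both WAN_EdgeB tunnels, whose vEdge sessions show aes256-cbc-sha1 with dh-group 2 (MODP-1024); if you see that in production, review the IKE settings in the SIG feature template against the parameters Zscaler currently supports.

```python
import re

# Constructed sample output, modelled on the figures in this guide (addresses and IDs
# copied from the guide, wrapped lines re-joined). Replace with your own captures.
XE_SIG_TUNNELS = """\
Tunnel100101 site215sys10x255x255x215ifTunnel100101 30556720 <removed> add-vpn-credential-info 30558350 location-init-state get-data-centers 200
Tunnel100201 site215sys10x255x255x215ifTunnel100201 30556721 <removed> add-vpn-credential-info 30558350 location-init-state get-data-centers 200
"""
XE_IKEV2 = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         64.102.254.147/500    104.129.206.161/500   none/none            READY
      Encr:AES-CBC, keysize:256, PRF:SHA256, Hash:SHA256, DH Grp:14, Auth sign:PSK, Auth verify:PSK
1         64.102.254.147/500    165.225.8.35/500      none/none            READY
      Encr:AES-CBC, keysize:256, PRF:SHA256, Hash:SHA256, DH Grp:14, Auth sign:PSK, Auth verify:PSK
"""
XE_TRACKER = """\
Interface      Record Name           Status   RTT in msecs   Probe ID   Next Hop
Tunnel100101   #SIGL7#AUTO#TRACKER   Up       10             5          None
Tunnel100201   #SIGL7#AUTO#TRACKER   Up       11             6          None
"""
VEDGE_IKE = """\
ipsec ike sessions 0 ipsec101
 dest-ip      104.129.206.161
 cipher-suite aes256-cbc-sha1
 dh-group     "2 (MODP-1024)"
 state        IKE_UP_IPSEC_UP
ipsec ike sessions 0 ipsec201
 dest-ip      165.225.34.44
 cipher-suite aes256-cbc-sha1
 dh-group     "2 (MODP-1024)"
 state        IKE_UP_IPSEC_UP
"""

WEAK_DH = {"1", "2", "5"}      # MODP-768/1024/1536; group 14 (2048-bit) is the floor today
WEAK_HASH = {"SHA1", "MD5"}


def parse_xe_sig_tunnels(text):
    """'show sdwan secure-internet-gateway zscaler tunnels': one dict per tunnel row."""
    keys = ("interface", "name", "tunnel_id", "fqdn", "tunnel_fsm",
            "location_id", "location_fsm", "last_req", "http_code")
    return [dict(zip(keys, ln.split())) for ln in text.splitlines() if ln.startswith("Tunnel")]


def parse_xe_ikev2(text):
    """'show crypto ikev2 session': IKE SA rows joined with their algorithm line."""
    sessions, cur = [], None
    for ln in text.splitlines():
        if m := re.match(r"\s*\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\S+)\s*$", ln):
            cur = {"local": m.group(1), "remote": m.group(2), "status": m.group(3)}
            sessions.append(cur)
        elif (m := re.search(r"Encr:(\S+), keysize:(\d+), PRF:\S+, Hash:(\S+), DH Grp:(\d+)", ln)) and cur:
            cur.update(encr=m.group(1), keysize=int(m.group(2)), hash=m.group(3), dh=m.group(4))
    return sessions


def parse_xe_tracker(text):
    """'show endpoint-tracker': interface -> (status, rtt_ms)."""
    rows = (re.match(r"(Tunnel\d+)\s+\S+\s+(Up|Down)\s+(\d+)", ln) for ln in text.splitlines())
    return {m.group(1): (m.group(2), int(m.group(3))) for m in rows if m}


def parse_vedge_ike(text):
    """'show ipsec ike sessions' (vEdge): one dict of key/value fields per ipsec interface."""
    sessions, cur = [], None
    for ln in text.splitlines():
        if m := re.match(r"ipsec ike sessions \d+ (\S+)", ln):
            cur = {"interface": m.group(1)}
            sessions.append(cur)
        elif cur is not None and ln.strip():
            key, _, val = ln.strip().partition(" ")
            cur[key] = val.strip().strip('"')
    return sessions


def audit(xe_tunnels, xe_ike, xe_tracker, vedge_ike):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for t in xe_tunnels:  # provisioning must finish (HTTP 200) before IKE can start
        if t["http_code"] != "200":
            findings.append(f"{t['interface']}: Zscaler API call {t['last_req']} returned {t['http_code']}")
    for s in xe_ike:
        if s["status"] != "READY":
            findings.append(f"IKEv2 to {s['remote']} is {s['status']}")
        if s.get("dh") in WEAK_DH or s.get("hash") in WEAK_HASH:
            findings.append(f"IKEv2 to {s['remote']}: weak proposal (DH group {s.get('dh')}, {s.get('hash')})")
    for ifname, (status, _rtt) in xe_tracker.items():
        if status != "Up":
            findings.append(f"{ifname}: L7 health tracker is {status}")
    for s in vedge_ike:
        if s.get("state") != "IKE_UP_IPSEC_UP":
            findings.append(f"{s['interface']}: IKE state {s.get('state')}")
        group, suite = s.get("dh-group", "?").split()[0], s.get("cipher-suite", "?")
        if group in WEAK_DH or suite.endswith(("-sha1", "-md5")):
            findings.append(f"{s['interface']}: weak proposal (dh-group {group}, cipher-suite {suite})")
    return findings


def run():
    return audit(parse_xe_sig_tunnels(XE_SIG_TUNNELS), parse_xe_ikev2(XE_IKEV2),
                 parse_xe_tracker(XE_TRACKER), parse_vedge_ike(VEDGE_IKE))


if __name__ == "__main__":
    print("\n".join(run()) or "all checks passed")
```

To use it against a live router, paste the output of each command into the matching constant (or read it from files) and run the script; a non-empty report is worth an alert from the same place that collects the vManage events described earlier in this section.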

Appendix A: Cisco Branch Base Feature Templates and Configuration Values Used
This appendix shows the branch non-default base device and feature template configurations used and referenced in
this guide. Zscaler tunnel configurations in the main body of this paper are built on top of these configurations. For step-
by-step instructions on configuring device and feature templates, see the Cisco End-to-End Deployment Guide.

Feature Templates
These branch base feature templates can be applied to either Cisco vEdge or Cisco IOS XE SD-WAN routers, but each template
must be defined for one device family, not both: from Cisco vManage version 20.1, a feature template cannot be shared
between Cisco vEdge and Cisco IOS XE SD-WAN devices, so each family needs its own set. In the names below, a leading v or
vEdge_ marks a template for Cisco vEdge devices, and a leading xe or xeEdge_ marks one for Cisco IOS XE SD-WAN devices.

When creating feature templates for Cisco vEdge routers, if you want to cover the most models possible when selecting
devices, select all ISR 1100 models with Cisco Viptela, and all Cisco vEdge devices (all Cisco vEdge 100 types, Cisco vEdge
1000, Cisco vEdge 2000, Cisco vEdge 5000, and Cisco vEdge Cloud).

When creating feature templates for Cisco IOS XE SD-WAN routers, if you want to cover the most models possible when
selecting devices, select all models except the ISR 1100 models with Cisco Viptela, all Cisco vEdge devices, CG (Cellular
Gateway) devices, Cisco vManage console, and Cisco vSmart devices. When creating SIG feature templates, you must also
exclude the IR8340 from the device model list.

AAA feature template (Cisco IOS XE SD-WAN)


Template: Basic Information/Cisco AAA
Template Name: xeAAA
Description: AAA Template for WAN Edge Routers

Section   Parameter         Type     Variable/Value
Local     Username          Global   netadmin
          Password          Global   (hidden)
          Privilege Level   Global   15

AAA feature template (Cisco vEdge)


Template: Basic Information/AAA
Template Name: vAAA
Description: AAA Template for WAN Edge Routers

Section          Parameter     Type     Variable/Value
Local/New User   Name          Global   netadmin
                 Password      Global   (hidden)
                 User Groups   Global   netadmin

NTP Feature Template


Template: Basic Information/Cisco NTP
Template Name: xeNTP
Description: NTP Template for WAN Edge Routers

Section   Parameter             Type              Variable/Value
Server    Hostname/IP address   Global            time.google.com
          Source Interface      Device Specific   ntp_server_source_int

Branch VPN0 Feature Template


Template: VPN/VPN
Template Name: BR_VPN0
Description: VPN 0 Template for WAN Edge Branch Routers

Section               Parameter               Type              Variable/Value
Basic Configuration   VPN                     Global            0
                      Name                    Global            Transport VPN
                      Enhance ECMP Keying     Global            On
DNS                   Primary DNS Address     Global            208.67.222.222
                      Secondary DNS Address   Global            208.67.220.220
                      Hostname                Global            vbond.cisco.net
                      List of IP Addresses    Global            64.100.100.113
IPv4 Route            Prefix                  Global            0.0.0.0/0
                      Gateway                 Radio Button      Next Hop
                      Next Hop                Device Specific   vpn0_next_hop_ip_addr_inet
                      Next Hop                Device Specific   vpn0_next_hop_ip_addr_mpls

Branch Internet Interface Feature Template (Cisco IOS XE SD-WAN)


Template: VPN/VPN Interface Ethernet
Template Name: xeBR_VPN0_INET
Description: VPN 0 INET Interface Template for WAN Edge Branch Routers

Section                  Parameter          Type              Variable/Value
Basic Configuration      Shutdown           Device Specific   vpn0_inet_shutdown
                         Interface Name     Device Specific   vpn0_inet_int_name
                         Description        Global            INET Interface
IPv4 Configuration       IPv4 Address       Radio Button      Static
                         IPv4 Address       Device Specific   vpn0_inet_ipv4_addr
Tunnel                   Tunnel Interface   Global            On
                         Color              Global            biz-internet
Tunnel > Allow Service   NTP                Global            On
NAT                      NAT                Global            On
                         NAT Type           Global            Interface

Branch Internet Interface Feature Template (Cisco vEdge)


Template: VPN/VPN Interface Ethernet
Template Name: vBR_VPN0_INET
Description: VPN 0 INET Interface Template for WAN Edge Branch Routers

Section                  Parameter          Type              Variable/Value
Basic Configuration      Shutdown           Device Specific   vpn0_inet_shutdown
                         Interface Name     Device Specific   vpn0_inet_int_name
                         Description        Global            INET Interface
IPv4 Configuration       IPv4 Address       Radio Button      Static
                         IPv4 Address       Device Specific   vpn0_inet_ipv4_addr
Tunnel                   Tunnel Interface   Global            On
                         Color              Global            biz-internet
Tunnel > Allow Service   NTP                Global            On
NAT                      NAT                Global            On

Branch MPLS Interface Feature Template


Template: VPN/VPN Interface Ethernet
Template Name: BR_VPN0_MPLS
Description: VPN 0 MPLS Interface Template for WAN Edge Branch Routers

Section                  Parameter          Type              Variable/Value
Basic Configuration      Shutdown           Device Specific   vpn0_mpls_shutdown
                         Interface Name     Device Specific   vpn0_mpls_int_name
                         Description        Global            MPLS Interface
IPv4 Configuration       IPv4 Address       Radio Button      Static
                         IPv4 Address       Device Specific   vpn0_mpls_ipv4_addr
Tunnel                   Tunnel Interface   Global            On
                         Color              Global            mpls
                         Restrict           Global            On
Tunnel > Allow Service   NTP                Global            On

Branch VPN512 Interface Feature Template


Template: VPN/VPN Interface Ethernet
Template Name: VPN512_MGT_INT
Description: VPN 512 Management Interface Template for WAN Edge Routers

Section               Parameter        Type              Variable/Value
Basic Configuration   Shutdown         Global            No
                      Interface Name   Device Specific   vpn512_int_name
                      Description      Global            MGT Interface
IPv4 Configuration    IPv4 Address     Radio Button      Static
                      IPv4 Address     Device Specific   vpn512_int_ipv4_addr

Branch VPN 1 Feature Template


Template: VPN/VPN
Template Name: BR_VPN1
Description: VPN 1 Template for the WAN Edge Branch Routers

Section               Parameter   Type     Variable/Value
Basic Configuration   VPN         Global   1
                      Name        Global   LAN

Branch VPN1 Interface Feature Template


Template: VPN/VPN Interface Ethernet
Template Name: BR_VPN1_LAN_INT1
Description: VPN 1 LAN Interface Template for WAN Edge Branch Routers

Section               Parameter        Type              Variable/Value
Basic Configuration   Shutdown         Device Specific   vpn1_int1_shutdown
                      Interface Name   Device Specific   vpn1_int1_name
                      Description      Device Specific   vpn1_int1_description
IPv4 Configuration    IPv4 Address     Radio Button      Static
                      IPv4 Address     Device Specific   vpn1_int1_ipv4_addr

Device Templates
The following device templates are used in this guide. The table indicates what non-default feature template is used.

Single WAN Edge Router Sites (Cisco IOS XE SD-WAN)


Device Model: ISR4331 [E], C8300-1N1S-6T [G]
Template Name: xeEdge_Remote_[E,G]
Description: WAN Edge router remote site [E,G]

Template Type       Template Subtype      Template Name
Basic Information   Cisco NTP             xeNTP
                    Cisco AAA             xeAAA
VPN 0               Cisco VPN             xeBR_VPN0
                    Cisco VPN Interface   xeBR_VPN0_INET
                    Cisco VPN Interface   xeBR_VPN0_MPLS
VPN 512             Cisco VPN Interface   xeVPN512_MGT_INT
VPN 1               Cisco VPN             xeBR_VPN1
                    Cisco VPN Interface   xeBR_VPN1_LAN_INT1

Single WAN Edge Router Sites (Cisco vEdge)


Device Model: Cisco vEdge-100b [A], ISR1100-4G [B]
Template Name: vEdge_Remote_[A,B]
Description: WAN Edge router remote site [A,B]

Template Type       Template Subtype   Template Name
Basic Information   NTP                vNTP
                    AAA                vAAA
VPN 0               VPN                vBR_VPN0
                    VPN Interface      vBR_VPN0_INET
                    VPN Interface      vBR_VPN0_MPLS
VPN 512             VPN Interface      vVPN512_MGT_INT
VPN 1               VPN                vBR_VPN1
                    VPN Interface      vBR_VPN1_LAN_INT1

Device Variable Values

The device-specific variable values used for the four branch routers. Sites A and B are Cisco vEdge devices; sites E and
G are Cisco IOS XE SD-WAN devices. The LAN interface of WAN_EdgeE is GigabitEthernet0/0/1, as the show ip interface brief
output in the Operate section confirms (10.215.10.1 is on GigabitEthernet0/0/1, while GigabitEthernet0/0/0 is the INET
interface).

Variable                                   WAN_EdgeA (vEdge)    WAN_EdgeB (vEdge)    WAN_EdgeE (IOS XE)     WAN_EdgeG (IOS XE)
Hostname                                   WAN_EdgeA            WAN_EdgeB            WAN_EdgeE              WAN_EdgeG
System IP                                  10.255.255.211       10.255.255.212       10.255.255.215         10.255.255.217
Site ID                                    211                  212                  215                    217
Interface Name (vpn1_int1_name)            ge0/0                ge0/3                GigabitEthernet0/0/1   GigabitEthernet0/0/0
Description (vpn1_int1_description)        LAN Interface        LAN Interface        LAN Interface          LAN Interface
IPv4 Address (vpn1_int1_ipv4_addr)         10.211.10.1/24       10.212.10.1/24       10.215.10.1/24         10.217.10.1/24
Shutdown (vpn1_int1_shutdown)              False                False                False                  False
Interface Name (vpn512_int_name)           ge0/1                ge0/1                GigabitEthernet0       GigabitEthernet0
IPv4 Address (vpn512_int_ipv4_addr)        192.168.255.153/23   192.168.255.181/23   192.168.255.135/23     192.168.255.93/23
Address (vpn0_next_hop_ip_addr_inet)       64.102.254.151       64.100.212.1         64.102.254.151         64.100.217.1
Address (vpn0_next_hop_ip_addr_mpls)       192.168.211.1        192.168.212.1        192.168.215.1          192.168.217.1
Interface Name (vpn0_mpls_int_name)        ge0/2                ge0/2                GigabitEthernet0/0/2   GigabitEthernet0/0/2
IPv4 Address (vpn0_mpls_ipv4_addr)         192.168.211.2/30     192.168.212.2/30     192.168.215.2/30       192.168.217.2/30
Shutdown (vpn0_mpls_shutdown)              False                False                False                  False
Interface Name (vpn0_inet_int_name)        ge0/4                ge0/0                GigabitEthernet0/0/0   GigabitEthernet0/0/0
IPv4 Address (vpn0_inet_ipv4_addr)         64.102.254.146/28    64.100.212.2/28      64.102.254.147/28      64.100.217.2/28
Shutdown (vpn0_inet_shutdown)              False                False                False                  False
Source Interface (ntp_server_source_int)   ge0/4                ge0/0                GigabitEthernet0/0/0   GigabitEthernet0/0/0

Appendix B: Tunnel Configuration Summary (Feature and Device Templates)
For Cisco tunnel configuration, observe the following prerequisites.

Prerequisites
• Verify that NAT is enabled on the internet interface that is used to access Zscaler.
• Verify that a primary and secondary DNS server is defined in the VPN 0 feature template.
• Verify NTP is enabled, synced, and the clock is correct.

Cisco VPN Interface Ethernet Feature Template


Template: VPN/VPN Interface Ethernet
Template Name: xeBR_VPN0_INET
Description: VPN0 INET Interface Template for WAN Edge Branch Routers

Section Parameter Type Variable/Value


NAT NAT Global On
NAT Type Global Interface

Cisco VPN Feature Template


Template: VPN/Cisco VPN
Template Name: xeBR_VPN0
Description: VPN0 Template for WAN Edge Branch Routers

Section Parameter Type Variable/Value


DNS Primary DNS Address (IPv4) Global 208.67.222.222
Secondary DNS Address (IPv4) Global 208.67.220.220

Cisco NTP Feature Template


Template: Basic Information/Cisco NTP
Template Name: xeNTP
Description: NTP Template for WAN Edge Branch Routers

Section Parameter Type Variable/Value


Server Hostname/IP address Global time.google.com
Source Interface Device Specific ntp_server_source_int


SIG Credential Information from ZIA

Collect the following values from the ZIA Admin Portal; they are entered in the Cisco SIG Credentials feature template below.

Organization: ciscotest.net (example)
  ZIA: Administration > Company Profile > Organization, field Domains
Partner Base URI: zsapi.zscalerthree.net/api/v1 (example)
  ZIA: Administration > Authentication > API Key Management > API Key, field Base URL for your API
Username: [email protected] (example)
  ZIA: Administration > Administration Controls > Administrator Management > Administrators, field Partner Admin Login ID
Password: (hidden)
  ZIA: Administration > Administration Controls > Administrator Management > Administrators, field Partner Admin Password
Partner API Key: ABCdef123GHI (example)
  ZIA: Administration > Settings > Cloud Configuration > Partner Integrations > SD-WAN, field Partner Name (Cisco Viptela) Key

Cisco SIG Credentials Feature Template


Template: Other Templates/Cisco SIG Credentials
Template Name: xeSig_Credentials
Description: Cisco IOS XE Sig Credentials Template

Section Parameter Type Variable/Value


Basic Details SIG Provider Radio Button Zscaler
Organization Global ciscotest.net (example)
Partner Base URI Global zsapi.zscalerthree.net/api/v1 (example)
Username Global [email protected] (example)
Password Global (hidden)
Partner API Key Global ABCdef123GHI (example)


Example 1: Active/Standby Tunnels


• Create a Cisco Secure Internet Gateway (SIG) feature template.
• Add SIG credential feature template and Cisco SIG feature template to the device template.

Cisco Secure Internet Gateway (SIG) Feature Template


Template: VPN/Cisco Secure Internet Gateway (SIG)
Template Name: xeSig_Zscaler
Description: Cisco IOS XE Sig Zscaler Template

Section Parameter Type Variable/Value


Tracker (Beta) Source IP Address Device Specific vpn_trackersrcip
Configuration SIG Provider Radio Button Zscaler
Tunnel Name (ipsec101) Interface Name Global ipsec101
Description Global Primary DC Tunnel 1
Tunnel Source Interface Device Specific pri_tunnel1_src_int
Data-Center Radio Button Primary
Tunnel Name (ipsec201) Interface Name Global ipsec201
Description Global Secondary DC Tunnel 1
Tunnel Source Interface Device Specific sec_tunnel1_src_int
Data-Center Radio Button Secondary
High Availability/Pair-1 Active Global ipsec101
Backup Global ipsec201

Device Template
Template Type Template Subtype Template Name
Basic Information Cisco NTP xeNTP
Cisco AAA xeAAA
VPN 0 Cisco VPN xeBR_VPN0
Cisco Secure Internet Gateway xeSig_Zscaler
Cisco VPN Interface xeBR_VPN0_INET
Cisco VPN Interface xeBR_VPN0_MPLS
VPN 512 Cisco VPN Interface xeVPN512_MGT_INT
VPN 1 Cisco VPN1 xeBR_VPN1
Cisco VPN Interface xeBR_VPN1_LAN_INT1
Additional Templates Cisco SIG Credentials* xeSig_Credentials

Example 2: Active/Active Tunnels (Cisco IOS XE SD-WAN Only)


• Create loopback interfaces to use as tunnel sources.
• Create a local policy-based routing policy with a CLI add-on template.
• Create a Cisco SIG feature template.
• Add loopback interface feature templates, CLI add-on template, SIG credential feature template, and Cisco SIG
feature template to the device template.

Cisco VPN Interface Ethernet Feature Template


Template: VPN/Cisco VPN Interface Ethernet
Template Name: xeLoopback1
Description: Loopback 1 Tunnel Source

Section Parameter Type Variable/Value


Basic Configuration Shutdown Global No
Interface Name Global Loopback1
IPv4 Radio Button Static
IPv4 Address/prefix-length Global 10.10.10.1/32

Cisco VPN Interface Ethernet Feature Template


Template: VPN/Cisco VPN Interface Ethernet
Template Name: xeLoopback2
Description: Loopback 2 Tunnel Source

Section Parameter Type Variable/Value


Basic Configuration Shutdown Global No
Interface Name Global Loopback2
IPv4 Radio Button Static
IPv4 Address/prefix-length Global 10.10.10.2/32


Cisco CLI Add-On Feature Template


Template: Other Templates/CLI Add-On Template
Template Name: CLI-Template-Sig-Local-Policy
Description: CLI Add-On Template Sig Local Policy

ip access-list extended SIG


10 permit ip host 10.10.10.1 any
20 permit ip host 10.10.10.2 any
!
route-map Tunnel-Control permit 10
match ip address SIG
set ip next-hop {{Loopback-Tun-Src-Next-Hop-IP}}
!
ip local policy route-map Tunnel-Control

Cisco Secure Internet Gateway (SIG) Feature Template


Template: VPN/Cisco Secure Internet Gateway (SIG)
Template Name: xeSig_Zscaler_2_Loopback_Source
Description: Cisco IOS XE Sig Zscaler with 2 Active Active Tunnels Template

Section Parameter Type Variable/Value


Configuration Interface Name Global ipsec101
Description Global Tunnel 1 to Primary DC
Tunnel Source Interface Global Loopback1
Data-Center Radio Button Primary
Tunnel Route-via Interface Device Specific pri_tunnel1_route_via
Configuration Interface Name Global ipsec201
Description Global Tunnel 2 to Primary DC
Tunnel Source Interface Global Loopback2
Data-Center Radio Button Primary
Tunnel Route-via Interface Device Specific pri_tunnel2_route_via
High Availability/Pair-1 Active Global ipsec101
Backup Global None
High Availability/Pair-2 Active Global ipsec201
Backup Global None


Device Template
Template Type Template Subtype Template Name
Basic Information Cisco NTP xeNTP
Cisco AAA xeAAA
VPN 0 Cisco VPN xeBR_VPN0
Cisco Secure Internet Gateway xeSig_Zscaler_2_Loopback_Source
Cisco VPN Interface xeBR_VPN0_INET
Cisco VPN Interface xeBR_VPN0_MPLS
Cisco VPN Interface xeLoopback1
Cisco VPN Interface xeLoopback2
VPN 512 Cisco VPN Interface xeVPN512_MGT_INT
VPN 1 Cisco VPN1 xeBR_VPN1
Cisco VPN Interface xeBR_VPN1_LAN_INT1
Additional Templates CLI Add-On Template CLI-Template-Sig-Local-Policy
Cisco SIG Credentials* xeSig_Credentials

Traffic Redirection
Service Route
Branch VPN1 Feature Template
Template: VPN/Cisco VPN
Template Name: xeBR_VPN1
Description: VPN 1 Template for WAN Edge Branch Routers

Section Parameter Type Variable/Value


Service Route Prefix Global 0.0.0.0/0
Service Default SIG

Centralized Policy
Configuration > Policies > Custom Options > Centralized Policy > Lists

List Type Name Entries


Data Prefix Overlay 10.0.0.0/8
Application Box Application/Box
Site Zscaler-DataPolicy-Sites 212,214,215
VPN VPN1 1


Configuration > Policies > Custom Options > Centralized Policy > Traffic Policy > Traffic Data

Sequence Type: Custom

Sequence   Match Parameter                        Match Value   Action/s
1          Destination Data Prefix                Overlay       Accept
2          DNS Request                                          Accept / NAT VPN with Fallback
3          Application/Application Family List    Box           Accept / NAT VPN with Fallback
4          <empty>                                              Accept / Secure Internet Gateway

Go to Configuration > Policies > Centralized Policy and edit the master policy that is currently activated on the Cisco vSmart controllers.

Under Traffic Rules > Traffic Data, import the newly created data policy.

Under Policy Application > Traffic Data, select the From Service radio button and add Site List Zscaler-DataPolicy-Sites and VPN List VPN1. From Service applies the policy to traffic entering the WAN Edge from the service (LAN) side, which is the direction in which internet-bound traffic has to be steered to the SIG tunnel.

Miscellaneous
In the following section, the Cisco Secure Internet Gateway (SIG) feature template is modified.

Customize Health Tracker

The tracker is defined in the Tracker (Beta) section of the SIG feature template and attached to each tunnel. The values used in this guide are the ones shown in the CLI equivalent in Appendix C: tracker name zscaler_l7_health_check, endpoint API URL http://gateway.zscalerthree.net/vpntest, probe interval 20 seconds, applied to tunnels ipsec101 and ipsec201.

Enable Advanced Zscaler Features


Section Parameter Type Variable/Value
Advanced Settings Enable Caution Global On

Customize Zscaler Tunnel Destinations (Primary and Secondary DCs)


Section Parameter Type Variable/Value
Advanced Settings Primary Data-Center Device Specific vpn_zlsprimarydc
Secondary Data-Center Device Specific vpn_zlssecondarydc


Assign Tunnel Weights (Use with Active/Active Tunnels)


Section Parameter Type Variable/Value
High Availability/Pair-1 Active Global ipsec101
Active Weight Global 80
Backup Global None
High Availability/Pair-2 Active Global ipsec201
Active Weight Global 20
Backup Global None


Appendix C: Cisco IOS XE SD-WAN CLI Configuration


This section shows the CLI configuration that interoperates with Zscaler; it is equivalent to the feature and device templates shown earlier. The recommended way to configure Cisco SD-WAN devices is still through feature and device templates in the Cisco vManage console; use the CLI form to verify what a template pushes or to compare against a running configuration.

To complete the CLI configuration, configure:

• Base connectivity
• Prerequisites
• Common tunnel components
• Use case example 1 or 2 (active/standby or active/active tunnel definitions)
• Traffic redirection (service SIG route, service SIG data policy, or both)
• Miscellaneous (optional features)

Base Connectivity
The following is a basic connectivity configuration for the Cisco IOS XE SD-WAN router. It includes one other transport
(MPLS), which is not essential to the connectivity to Zscaler (except for internet access across the SD-WAN overlay to
the data center in case the local internet fails). Some default configurations have been removed. These configurations
correspond to feature and device templates shown in Appendix B: Tunnel Configuration Summary (Feature and Device
Templates).

system
system-ip 10.255.255.215
site-id 215
organization-name "ENB-Solutions - 216151"
vbond vbond.cisco.net port 12346
!
hostname WAN_EdgeE
vrf definition 1
description LAN
rd 1:1
address-family ipv4
route-target export 1:1
route-target import 1:1
exit-address-family
!
address-family ipv6
exit-address-family
!
!
ip host vbond.cisco.net 64.100.100.113


ip name-server 208.67.220.220 208.67.222.222


ip route 0.0.0.0 0.0.0.0 64.102.254.151
ip route 0.0.0.0 0.0.0.0 192.168.215.1
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/0 overload
!
interface GigabitEthernet0
description MGT Interface
no shutdown
vrf forwarding Mgmt-intf
ip address 192.168.255.135 255.255.254.0
exit
interface GigabitEthernet0/0/0
description INET Interface
no shutdown
ip address 64.102.254.147 255.255.255.240
exit
interface GigabitEthernet0/0/1
description LAN Interface
no shutdown
vrf forwarding 1
ip address 10.215.10.1 255.255.255.0
exit
interface GigabitEthernet0/0/2
description MPLS Interface
no shutdown
ip address 192.168.215.2 255.255.255.252
exit
interface Tunnel0
no shutdown
ip unnumbered GigabitEthernet0/0/0
no ip redirects
ipv6 unnumbered GigabitEthernet0/0/0
no ipv6 redirects
tunnel source GigabitEthernet0/0/0
tunnel mode sdwan
exit
interface Tunnel2


no shutdown
ip unnumbered GigabitEthernet0/0/2
no ip redirects
ipv6 unnumbered GigabitEthernet0/0/2
no ipv6 redirects
tunnel source GigabitEthernet0/0/2
tunnel mode sdwan
exit
!
ntp server time.google.com source GigabitEthernet0/0/0 version 4
ntp source GigabitEthernet0/0/0
!
sdwan
interface GigabitEthernet0/0/0
tunnel-interface
encapsulation ipsec weight 1
color biz-internet
no allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
no allow-service snmp
no allow-service bfd
exit
exit
interface GigabitEthernet0/0/2
tunnel-interface
encapsulation ipsec weight 1
color mpls restrict
no allow-service all
no allow-service bgp


allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
no allow-service snmp
no allow-service bfd
exit
exit


Prerequisites
The base configuration already covers NTP (an accurate clock) and DNS name servers. The remaining prerequisite is NAT on the internet transport interface that the tunnels are sourced from:

interface GigabitEthernet0/0/0
ip nat outside

Common Tunnel Components


The following are common tunnel components between the two use cases.

SIG Credentials
The partner key and the partner administrator password are stored in the device configuration and grant API access to the ZIA tenant; they are shown redacted here and must be handled as secrets.
secure-internet-gateway
zscaler organization ciscotest.net
zscaler partner-base-uri zsapi.zscalerthree.net/api/v1
zscaler partner-key ABCdef123GHI
zscaler username [email protected]
zscaler password (REMOVED)

IKEv2 and IPSec Configuration
The transform sets below use esp-null esp-sha-hmac: the IPSec SAs authenticate the tunneled packets but do not encrypt them, so the tunnel provides integrity and origin authentication only, and confidentiality depends on the traffic itself (for example TLS). The IKEv2 proposal also still offers sha1 integrity and aes-cbc-128 alongside the stronger options; the combination actually used is whatever the Zscaler side selects during negotiation.


crypto ikev2 policy policy1-global
proposal p1-global
!
crypto ikev2 profile if-ipsec101-ikev2-profile
no config-exchange request
dpd 10 3 on-demand
dynamic
lifetime 86400
!
crypto ikev2 profile if-ipsec201-ikev2-profile
no config-exchange request
dpd 10 3 on-demand
dynamic
lifetime 86400
!
crypto ikev2 proposal p1-global
encryption aes-cbc-128 aes-cbc-256
group 14 15 16
integrity sha1 sha256 sha384 sha512
!
crypto ipsec transform-set if-ipsec101-ikev2-transform esp-null esp-sha-hmac
mode tunnel


!
crypto ipsec transform-set if-ipsec201-ikev2-transform esp-null esp-sha-hmac
mode tunnel
!
crypto ipsec profile if-ipsec101-ipsec-profile
set ikev2-profile if-ipsec101-ikev2-profile
set transform-set if-ipsec101-ikev2-transform
set security-association lifetime kilobytes disable
set security-association lifetime seconds 3600
set security-association replay window-size 512
!
crypto ipsec profile if-ipsec201-ipsec-profile
set ikev2-profile if-ipsec201-ikev2-profile
set transform-set if-ipsec201-ikev2-transform
set security-association lifetime kilobytes disable
set security-association lifetime seconds 3600
set security-association replay window-size 512
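The following is an added example, not part of this guide and not Cisco or Zscaler code: a small Python pre-flight audit that parses an IOS XE SD-WAN configuration in the form shown in this appendix and checks the prerequisites listed above (NAT on the interface the SIG tunnels egress through, DNS name servers, an NTP server), then flags the crypto parameters a reviewer should accept consciously (esp-null transform sets, sha1 integrity, DH groups below 14). The embedded configuration is a constructed sample condensed from this appendix; the message texts and the rule that a loopback-sourced tunnel is checked against its `tunnel route-via` interface rather than the loopback are this example's own choices.

```python
"""Pre-flight audit for an IOS XE SD-WAN config used with Zscaler SIG tunnels.
Added example; not taken from the guide or from Cisco/Zscaler."""
from dataclasses import dataclass, field

# Constructed sample, condensed from the configuration in this appendix.
SAMPLE_CONFIG = """\
ip name-server 208.67.220.220 208.67.222.222
ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet0/0/0 overload
interface GigabitEthernet0/0/0
 description INET Interface
 ip address 64.102.254.147 255.255.255.240
 ip nat outside
exit
interface GigabitEthernet0/0/2
 description MPLS Interface
 ip address 192.168.215.2 255.255.255.252
exit
interface Loopback1
 ip address 10.10.10.1 255.255.255.255
exit
ntp server time.google.com source GigabitEthernet0/0/0 version 4
crypto ikev2 proposal p1-global
 encryption aes-cbc-128 aes-cbc-256
 group 14 15 16
 integrity sha1 sha256 sha384 sha512
!
crypto ipsec transform-set if-ipsec101-ikev2-transform esp-null esp-sha-hmac
 mode tunnel
!
interface Tunnel100101
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile if-ipsec101-ipsec-profile
exit
interface Tunnel100201
 tunnel source Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile if-ipsec201-ipsec-profile
 tunnel route-via GigabitEthernet0/0/0 mandatory
exit
"""


def parse_blocks(config):
    """Group IOS-style text into (top-level line, [indented child lines])."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() in ("!", "exit"):
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


@dataclass
class AuditResult:
    errors: list = field(default_factory=list)    # prerequisites not met
    warnings: list = field(default_factory=list)  # crypto choices to accept consciously


def egress_interface(children):
    """Interface the tunnel's IKE/ESP packets leave on: the 'tunnel route-via'
    interface when present (loopback-sourced active/active tunnels), otherwise
    the 'tunnel source' interface. Assumption of this example."""
    via = next((c.split()[2] for c in children if c.startswith("tunnel route-via ")), None)
    src = next((c.split()[2] for c in children if c.startswith("tunnel source ")), None)
    return via or src


def audit(config):
    blocks = parse_blocks(config)
    res = AuditResult()
    interfaces = {h.split()[1]: kids for h, kids in blocks if h.startswith("interface ")}

    # Prerequisite 1: NAT enabled on the interface the SIG tunnels egress through.
    for name, kids in interfaces.items():
        if not any(k.startswith("tunnel protection ipsec") for k in kids):
            continue
        egress = egress_interface(kids)
        if egress is None:
            res.errors.append(f"{name}: no tunnel source configured")
        elif "ip nat outside" not in interfaces.get(egress, []):
            res.errors.append(f"{name}: egress interface {egress} lacks 'ip nat outside'")

    # Prerequisites 2 and 3: DNS name servers and an NTP server.
    if not any(h.startswith("ip name-server ") for h, _ in blocks):
        res.errors.append("no 'ip name-server' configured")
    if not any(h.startswith("ntp server ") for h, _ in blocks):
        res.errors.append("no 'ntp server' configured")

    # Crypto review: null ESP, sha1 integrity, DH groups below 14.
    for h, kids in blocks:
        words = h.split()
        if h.startswith("crypto ipsec transform-set ") and "esp-null" in words:
            res.warnings.append(f"{words[3]}: esp-null authenticates but does not encrypt")
        if h.startswith("crypto ikev2 proposal "):
            for k in kids:
                kw = k.split()
                if kw[0] == "integrity" and "sha1" in kw:
                    res.warnings.append(f"{words[3]}: offers sha1 integrity")
                if kw[0] == "group" and any(int(g) < 14 for g in kw[1:]):
                    res.warnings.append(f"{words[3]}: offers a DH group below 14")
    return res


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for e in result.errors:
        print("ERROR  ", e)
    for w in result.warnings:
        print("WARNING", w)
```

Run against the sample, the audit reports no errors and two warnings (the esp-null transform set and the sha1 option in the IKEv2 proposal); remove `ip nat outside` from GigabitEthernet0/0/0 and both tunnels are reported, including the loopback-sourced one, because the check follows `tunnel route-via`.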


Zscaler Location Settings


sdwan
service sig vrf global
zscaler-location-settings
auth-required false
xff-forward-enabled false
surrogate ip false
surrogate idle-time 0
surrogate display-time-unit MINUTE
surrogate ip-enforced-for-known-browsers false
surrogate refresh-time 0
surrogate refresh-time-unit MINUTE
ofw-enabled false
ips-control false
aup disabled
aup block-internet-until-accepted true
aup force-ssl-inspection false
aup timeout 0
caution-enabled false

L7 Health Check Configuration


vrf definition 65530
address-family ipv4
exit-address-family
!
interface Loopback65530
no shutdown
vrf forwarding 65530
ip address 10.11.11.1 255.255.255.255
exit
ip sdwan route vrf 65528 10.0.0.1/32 service sig


Use Case Example 1: Active/Standby Tunnels


IPSec Tunnels Defined
interface Tunnel100101
description Primary DC Tunnel 1
no shutdown
ip unnumbered GigabitEthernet0/0/0
no ip clear-dont-fragment
ip mtu 1400
tunnel source GigabitEthernet0/0/0
tunnel destination dynamic
tunnel mode ipsec ipv4
tunnel protection ipsec profile if-ipsec101-ipsec-profile
tunnel vrf multiplexing
exit
interface Tunnel100201
description Secondary DC Tunnel 1
no shutdown
ip unnumbered GigabitEthernet0/0/0
no ip clear-dont-fragment
ip mtu 1400
tunnel source GigabitEthernet0/0/0
tunnel destination dynamic
tunnel mode ipsec ipv4
tunnel protection ipsec profile if-ipsec201-ipsec-profile
tunnel vrf multiplexing
exit


Zscaler Tunnel Options


sdwan
interface Tunnel100101
tunnel-options tunnel-set secure-internet-gateway-zscaler tunnel-dc-preference primary-dc source-interface GigabitEthernet0/0/0
exit
interface Tunnel100201
tunnel-options tunnel-set secure-internet-gateway-zscaler tunnel-dc-preference secondary-dc source-interface GigabitEthernet0/0/0
exit

Service SIG Interface Pairs HA Pair Configuration


sdwan
service sig vrf global
ha-pairs
interface-pair Tunnel100101 active-interface-weight 1 Tunnel100201 backup-interface-weight 1

Use Case Example 2: Active/Active Tunnels


Tunnel Source Loopbacks Defined
interface Loopback1
ip address 10.10.10.1 255.255.255.255
!
interface Loopback2
ip address 10.10.10.2 255.255.255.255

Local Policy Route (for IKE control traffic sourced from the loopbacks)

ip access-list extended SIG
10 permit ip host 10.10.10.1 any
20 permit ip host 10.10.10.2 any
route-map Tunnel-Control permit 10
match ip address SIG
set ip next-hop 64.102.254.151
ip local policy route-map Tunnel-Control


IPSec Tunnels Defined


interface Tunnel100101
description Tunnel 1 to Primary DC
no shutdown
ip unnumbered Loopback1
no ip clear-dont-fragment
ip mtu 1400
tunnel source Loopback1
tunnel destination dynamic
tunnel mode ipsec ipv4
tunnel protection ipsec profile if-ipsec101-ipsec-profile
tunnel vrf multiplexing
tunnel route-via GigabitEthernet0/0/0 mandatory
exit
interface Tunnel100201
description Tunnel 2 to Primary DC
no shutdown
ip unnumbered Loopback2
no ip clear-dont-fragment
ip mtu 1400
tunnel source Loopback2
tunnel destination dynamic
tunnel mode ipsec ipv4
tunnel protection ipsec profile if-ipsec201-ipsec-profile
tunnel vrf multiplexing
tunnel route-via GigabitEthernet0/0/0 mandatory


Zscaler Tunnel Options


sdwan
interface Tunnel100101
tunnel-options tunnel-set secure-internet-gateway-zscaler tunnel-dc-preference primary-dc source-interface Loopback1
exit
interface Tunnel100201
tunnel-options tunnel-set secure-internet-gateway-zscaler tunnel-dc-preference primary-dc source-interface Loopback2
exit

Service SIG Interface Pairs HA Pair Configuration


sdwan
service sig vrf global
ha-pairs
interface-pair Tunnel100101 active-interface-weight 1 None backup-interface-weight 1
interface-pair Tunnel100201 active-interface-weight 1 None backup-interface-weight 1

Traffic Redirection
Service SIG Route
ip sdwan route vrf 1 0.0.0.0/0 service sig

Service SIG Data Policy (apply to Cisco vSmart)


viptela-policy:policy
data-policy _VPN1_Sig_Data
vpn-list VPN1
sequence 1
match
destination-data-prefix-list Overlay
!
action accept
!
!
sequence 11
match
dns request
source-ip 0.0.0.0/0
!
action accept
nat use-vpn 0


nat fallback
!
!
sequence 21
match
app-list Box
source-ip 0.0.0.0/0
!
action accept
nat use-vpn 0
nat fallback
!
!
sequence 31
match
destination-data-prefix-list Default
!
action accept
sig
!
!
default-action drop
!
lists
app-list Box
app box
app box_net
!
data-prefix-list Default
ip-prefix 0.0.0.0/0
!
data-prefix-list Overlay
ip-prefix 10.0.0.0/8
!
site-list Zscaler-DataPolicy-Sites
site-id 214
site-id 215
!


vpn-list VPN1
vpn 1
!
!
!
apply-policy
site-list Zscaler-DataPolicy-Sites
data-policy _VPN1_Sig_Data from-service
!
!
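As an added example (not part of the guide and not Cisco code), the following Python model evaluates a flow against the _VPN1_Sig_Data sequences above, which are the CLI form of the vManage traffic-data table in Appendix B. It uses the same first-match semantics: sequence 1 keeps overlay destinations on the overlay, sequences 11 and 21 send DNS and Box traffic to DIA through the NAT-enabled VPN 0 interface and fall back to normal overlay routing when no NAT interface is up, sequence 31 sends everything else to the SIG tunnel, and unmatched traffic hits the default drop. The flows, the application names and the `dia_up` flag are constructed for the example; the decision strings are the example's own labels, not vSmart output.

```python
"""First-match model of the _VPN1_Sig_Data data policy. Added example;
not taken from the guide or from Cisco."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Lists from the policy.
OVERLAY = [ip_network("10.0.0.0/8")]   # data-prefix-list Overlay
BOX_APPS = {"box", "box_net"}           # app-list Box


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str = ""   # application name as classified by the edge (constructed)


def in_overlay(flow):
    return any(ip_address(flow.dst) in net for net in OVERLAY)


def is_dns_request(flow):
    return flow.dport == 53


# (sequence, match predicate, configured action), in configured order.
POLICY = [
    ("sequence 1",  in_overlay,                  "accept"),
    ("sequence 11", is_dns_request,              "nat use-vpn 0 / nat fallback"),
    ("sequence 21", lambda f: f.app in BOX_APPS, "nat use-vpn 0 / nat fallback"),
    ("sequence 31", lambda f: True,              "sig"),   # destination 0.0.0.0/0
]
DEFAULT_ACTION = "drop"


def evaluate(flow, policy=POLICY, dia_up=True):
    """First matching sequence wins. Returns (sequence, forwarding decision)."""
    for seq, match, action in policy:
        if not match(flow):
            continue
        if action.startswith("nat use-vpn 0"):
            # DIA through the NAT-enabled VPN 0 interface; 'nat fallback' lets the
            # flow follow normal routing (the overlay) when that interface is down.
            return seq, "dia via VPN 0 NAT" if dia_up else "overlay routing (nat fallback)"
        if action == "sig":
            return seq, "Zscaler SIG tunnel"
        return seq, "overlay (accept)"
    return "default-action", DEFAULT_ACTION


# Constructed flows from a branch LAN host (10.215.10.0/24 in this guide).
SAMPLE_FLOWS = [
    Flow("10.215.10.20", "10.211.10.5", 53),               # DNS to an overlay DNS server
    Flow("10.215.10.20", "208.67.222.222", 53),            # DNS to an internet resolver
    Flow("10.215.10.20", "203.0.113.10", 443, app="box"),  # Box (documentation address)
    Flow("10.215.10.20", "198.51.100.7", 443),             # any other internet destination
]


def decisions(flows=SAMPLE_FLOWS, dia_up=True):
    return [evaluate(f, dia_up=dia_up) for f in flows]


if __name__ == "__main__":
    for flow, (seq, decision) in zip(SAMPLE_FLOWS, decisions()):
        print(f"{flow.dst:>16}:{flow.dport:<4} {flow.app or '-':8} -> {seq:12} {decision}")
```

Two points the model makes visible: a DNS query to an overlay DNS server matches sequence 1 before sequence 11, so it stays on the overlay rather than being NATed out locally, and if the catch-all sequence 31 is omitted, internet-bound traffic is not steered to Zscaler but dropped by the policy's default action.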


Miscellaneous
Customize Health Tracker
endpoint-tracker zscaler_l7_health_check
endpoint-api-url http://gateway.zscalerthree.net/vpntest
tracker-type interface
interval 20

interface Tunnel100101
endpoint-tracker zscaler_l7_health_check
exit
interface Tunnel100201
endpoint-tracker zscaler_l7_health_check
exit

Enable Advanced Zscaler Features


sdwan
service sig vrf global
zscaler-location-settings
caution-enabled true

Customize Zscaler Tunnel Destinations (Primary and Secondary DCs)


sdwan
service sig vrf global
zscaler-location-settings
data centers primary-data-center atl2-vpn.zscalerthree.net
data centers secondary-data-center dfw1-vpn.zscalerthree.net

Assign Tunnel Weights (Use with Active/Active Tunnels)


sdwan
service sig vrf global
ha-pairs
interface-pair Tunnel100101 active-interface-weight 80 None backup-interface-weight 1
interface-pair Tunnel100201 active-interface-weight 20 None backup-interface-weight 1


Appendix D: Cisco vEdge CLI Configuration


This section shows the CLI configuration that interoperates with Zscaler; it is equivalent to the feature and device templates shown earlier. The recommended way to configure Cisco SD-WAN devices is still through feature and device templates in the Cisco vManage console; use the CLI form to verify what a template pushes or to compare against a running configuration.

To complete the CLI configuration, configure:

• Base connectivity
• Prerequisites
• Use case example 1 (active/standby tunnel definitions)
• Traffic redirection (service SIG route, service SIG data policy, or both)
• Miscellaneous (optional features)

Base Connectivity
The following is a basic connectivity configuration for the Cisco vEdge router. It includes one other transport (MPLS), which
is not essential to the connectivity to Zscaler (except for internet access across the SD-WAN overlay to the data center in
case the local internet fails). Some default configurations have been removed. These configurations correspond to feature
and device templates shown in Appendix B: Tunnel Configuration Summary (Feature and Device Templates).

system
host-name WAN_EdgeB
system-ip 10.255.255.212
site-id 212
organization-name "ENB-Solutions - 216151"
vbond vbond.cisco.net
!
ntp
server time.google.com
source-interface ge0/0
exit
!
!
vpn 0
name "Transport VPN"
dns 208.67.220.220 secondary
dns 208.67.222.222 primary
ecmp-hash-key layer4
host vbond.cisco.net ip 64.100.100.113
interface ge0/0
ip address 64.100.212.2/28
nat


!
tunnel-interface
encapsulation ipsec
color biz-internet
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/2
ip address 192.168.212.2/30
tunnel-interface
encapsulation ipsec
color mpls restrict
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
ip route 0.0.0.0/0 64.100.212.1
ip route 0.0.0.0/0 192.168.212.1
!


vpn 1
name LAN
interface ge0/3
ip address 10.212.10.1/24
no shutdown
!
!
vpn 512
name "Management VPN"
interface ge0/1
ip address 192.168.255.181/23
no shutdown
!
!

Prerequisites
The base configuration already covers NTP (an accurate clock) and DNS name servers. The remaining prerequisite is NAT on the internet transport interface that the tunnels are sourced from:

vpn 0
interface ge0/0
nat


Use Case Example 1: Active/Standby Tunnels


IPSec Tunnels Defined
The IKE and IPSec parameters below (IKEv2, DH group 2, aes256-cbc-sha1, and the null-sha1 ESP cipher suite with no PFS) are the values used for the Zscaler auto-tunnels in this guide. null-sha1 authenticates but does not encrypt the tunnel payload, so the tunnel provides integrity and origin authentication only; confidentiality depends on the traffic itself.

vpn 0
interface ipsec101
description “Primary DC Tunnel 1”
ip unnumbered
tunnel-source-interface ge0/0
tunnel-destination dynamic
tunnel-set secure-internet-gateway-zscaler
tunnel-dc-preference primary-dc
ike
version 2
rekey 14400
cipher-suite aes256-cbc-sha1
group 2
authentication-type
pre-shared-key-dynamic
!
!
ipsec
rekey 3600
replay-window 512
cipher-suite null-sha1
perfect-forward-secrecy none
!
mtu 1400
no shutdown
!
interface ipsec201
description “Secondary DC Tunnel 1”
ip unnumbered
tunnel-source-interface ge0/0
tunnel-destination dynamic
tunnel-set secure-internet-gateway-zscaler
tunnel-dc-preference secondary-dc
ike
version 2
rekey 14400


cipher-suite aes256-cbc-sha1
group 2
authentication-type
pre-shared-key-dynamic
!
!
ipsec
rekey 3600
replay-window 512
cipher-suite null-sha1
perfect-forward-secrecy none
!
mtu 1400
no shutdown
!


Service SIG Interface Pairs HA Pair Configuration


vpn 0
name "Transport VPN"
dns 208.67.220.220 secondary
dns 208.67.222.222 primary
ecmp-hash-key layer4
host vbond.cisco.net ip 64.100.100.113
service sig
ha-pairs interface-pair ipsec101 active-interface-weight 1 ipsec201 backup-interface-weight 1
exit
exit

SIG Credentials
secure-internet-gateway
zscaler organization ciscotest.net
zscaler partner-base-uri zsapi.zscalerthree.net/api/v1
zscaler partner-key ABCdef123GHI
zscaler username [email protected]
zscaler password <hidden>

Traffic Redirection
Service SIG Route
vpn 1
ip service-route 0.0.0.0/0 vpn 0 service sig

Service SIG Data Policy (apply to Cisco vSmart)


viptela-policy:policy
data-policy _VPN1_Sig_Data
vpn-list VPN1
sequence 1
match
destination-data-prefix-list Overlay
!
action accept
!
!
sequence 11
match


dns request
source-ip 0.0.0.0/0
!
action accept
nat use-vpn 0
nat fallback
!
!
sequence 21
match
app-list Box
source-ip 0.0.0.0/0
!
action accept
nat use-vpn 0
nat fallback
!
!
sequence 31
match
source-ip 0.0.0.0/0
!
action accept
sig
!
!
default-action drop
!
lists
app-list Box
app box
app box_net
!
data-prefix-list Overlay
ip-prefix 10.0.0.0/8
!
site-list Zscaler-DataPolicy-Sites
site-id 212


site-id 214
site-id 215
!
vpn-list VPN1
vpn 1
!
!
!
apply-policy
site-list Zscaler-DataPolicy-Sites
data-policy _VPN1_Sig_Data from-service
!
!


Miscellaneous
Customize Health Tracker
vpn 0
tracker SIG zscaler_l7_health_check
endpoint-api-url http://gateway.zscalerthree.net/vpntest
interval 20
interface ipsec101
tracker zscaler_l7_health_check
interface ipsec201
tracker zscaler_l7_health_check

Enable Advanced Zscaler Features


vpn 0
service sig
zscaler-location-settings caution-enabled true

Customize Zscaler Tunnel Destinations (Primary and Secondary DCs)


vpn 0
service sig
zscaler-location-settings data centers primary-data-center atl2-vpn.zscalerthree.net
zscaler-location-settings data centers secondary-data-center dfw1-vpn.zscalerthree.net


Appendix E: Requesting Zscaler Support


You might need Zscaler Support for provisioning certain services, or to help troubleshoot configuration and service issues.
Zscaler Support is available 24/7/365.

To contact Zscaler Support, select Administration > Settings > Company Profile.

Figure 87. Collecting details to open support case with Zscaler TAC


Save Company ID
Copy the Company ID.

Figure 88. Company ID


Enter Support Section


Now that you have your company ID, you can open a support ticket. Navigate to Dashboard > Support > Submit a
Ticket.

Figure 89. Submit a Ticket


Appendix F: Document Revision Control


Revision   Date             Change Log
1.0        August 2017      Initial document by Zscaler and Cisco Viptela.
1.1        August 2017      Updated Viptela references to Cisco SD-WAN.
1.2        September 2017   Minor edits.
1.3        September 2018   Updated ZIA screen captures to ZIA 5.6 and added IPSec section and other supporting edits.
2.0        March 2019       Added GRE and IPSec template creation.
3.0        January 2020     Cisco SD-WAN: Updated for 19.2.099 and 19.3.0 Cisco vManage console code, added Cisco IOS XE SD-WAN router information, added design information, added L7 health checking, and tested the ISR1100-4G running Cisco vEdge code.
3.1        February 2020    Incorporated review feedback.
4.0        September 2020   Cisco SD-WAN: Updated for 20.3.4 Cisco vManage console and Cisco vEdge code and 17.3.4a Cisco IOS XE SD-WAN Edge code (manual GRE and IPSec tunnels). Updated ZIA screen captures for ZIA 6.1 and added instructions for GRE tunnel provisioning through ZIA.
5.0        November 2021    Cisco SD-WAN: Updated for 20.6 Cisco vManage console and Cisco vEdge code and 17.6 Cisco IOS XE SD-WAN Edge code, added new information on Cisco vManage console SIG templates, auto tunnels (active/standby and active/active tunnels), SIG service routes, and data policy.
5.1        December 2021    Updated formatting and edited for style.
