Tmobile home internet and Zscaler

Have the same issue.  Even had a conference call with IT and Zscaler support but could not resolve it.  Called Tmobile and they said they are aware of the issue and they don't know when it will be resolved.  My IT person is telling me I should get mifi from Verizon because it works with that service.

Thank you both.  I will pass along the MTU MSS information.  I should have stated that previously we used Global Protect as our VPN client and with that service the Tmobile ISP worked without issue, however this new Zscaler product has caused the issues, so its product/method specific and not all VPN's.

Glad I'm not the only one RagingBullz.. I similarly had no luck working with IT department.  We spent a long time eliminating hardware ect. but the true test was when moving to ATT hotspot, it worked and back to the T-Mobile ISP it didn't.  For the short term they reverted me back to out previous security scheme, as the corporate policy is for employees to provide their own internet, but they don't state which ISP are ok or not, and I don't have many options.  Likewise, it has all worked fine with other VPN clients, until Zscaler.

T-Mobile usually throttles VPN traffic.  For some reason, they haven't figure out a way to isolate the traffic from the modem separately from actual cellular data connections, which is why VPN traffic is throttled. 

Deleted... stupid editor was stuck on bold and would not let me highlight/reset it

They don't exactly "throttle" VPN's... I can use some just fine and still break 40mbps (my throughput is typically 40-70, depending on varying factors).

it is more that you are sort of tunneling within a tunnel.

The TMO "tunnel" is already nerfing packet sizes and resulting in screwy routing and DNS issues, then your client side VPN tunnel doubles down on that.

Try testing to a different site.  It can sometimes give very different results.  For example, my "home" location for speedtest.net is usually Charlotte, NC--that is just over a 2 hour drive from me in Florence, SC, and that area is usually very congested in general.  I can test 40 there, but turn right around and get 70 to Seattle, WA--on the opposite side of the country!  I have even broken 100 to Montreal while only pulling in 40-50 to more local sites.  The point is, there are inherent routing issues with their peering/routing in general that need to be addressed.

Your company's VPN may be setting MTU (or MSS) too high for the limit of TMO's tunnel.  One of those being too large will cause packets to have to be split into smaller pieces to get through, the other can cause packets to get discarded.  Alternatively, it could be setting it really low and not optimizing the throughput potential that is there. Either can impact throughput to varying degress...  it all depends on how often the exceptions occur.

Get in touch with your company's support chain to make them aware that the TMO service is typically defaulting to an MTU of 1420, MSS of 1380... they may be able to tweak settings to better optimize packet sizes to rule that issue out.

I just started using the T-Mobile Home 5G Gateway a few days ago.  Everything is great, except my work computer download/upload speed (I work from home).  If we log my work computer out of Zscaler, speed is about 150 Mbps.  But logged into Zscaler, the speed is about 3 Mbps.  Not using Zscaler is not an option.  Zscaler is a proxy.  I'm also using Cisco AnyConnect VPN without issue.  Did anyone find a solution or work-around specific to Zscaler?

Similar issues to report.
Internet speed tests reporting between 250-280 down and 45-55 up.

Using Zscalar speedtest Zscaler Speed Test about 25 down and 3 to 7 up.

T-Mobile PHL to zs3-was1-2a5-sme.gateway.zscalerthree.nete

I just started a new job with remote work 1-2 days a week, have a company HP, and the speeds are un-usable. Will pass this along and maybe they're willing / able to adjust the packets.

I hate having problems, but its good to learn it’s not just me.

Hola Marc

There appears to be an issue with the mtu size in the zcalar policy..  I believe the mtu size was reduced for policies associated with users that have wireless internet service.  

Since that change it has been working well for users in USA and Europe