@Kramos @Ethan-TP 

So a little update... I am on to support with this, they as you suggested, wanted a wireshark capture, which, i am unable to do with my wife's laptop as it is against her companies IT rules (for the moment anyway) - but I have forwarded on a capture from my computer at home.....

it seems that there are other things at play here, not limited to Zscaler for eg!

https://community.tp-link.com/en/home/forum/topic/848156?sortDir=ASC&page=1

this thread started off talking about apple log ins and I was also having the same issues as described in this thread. I also had issues with my Nvidia Shield not loading apple screen savers... Apple mail (particularly on iOS) not loading and getting mail etc...

I have purchased a second ER8411 (at expense that could have done without), which came loaded with firmware v.1.2.3 and it worked flawlessly - Zscaler was back up and running as it should... all my apple services worked instantly with no timeouts etc.. which to me points straight to the firmware - anything after v.1.2.3 breaks these things (and likely more.

I am no networking expert and so my knowledge is limited, so we'l see what support come back with. I will keep both my ER8411s as I don't feel confident enough to apply a firemware update without having the safety of one that works, we can't afford downtime on our network as we are both working fro home, but it seems bonkers to have to buy 2 routers to ensure that if we upgrade, we have a failsafe.

  @gskips @Ethan-TP 

gskips wrote

@Kramos @Ethan-TP 

 

So a little update... I am on to support with this, they as you suggested, wanted a wireshark capture, which, i am unable to do with my wife's laptop as it is against her companies IT rules (for the moment anyway) - but I have forwarded on a capture from my computer at home.....

 

it seems that there are other things at play here, not limited to Zscaler for eg!

 

https://community.tp-link.com/en/home/forum/topic/848156?sortDir=ASC&page=1

 

this thread started off talking about apple log ins and I was also having the same issues as described in this thread. I also had issues with my Nvidia Shield not loading apple screen savers... Apple mail (particularly on iOS) not loading and getting mail etc...

 

I have purchased a second ER8411 (at expense that could have done without), which came loaded with firmware v.1.2.3 and it worked flawlessly - Zscaler was back up and running as it should... all my apple services worked instantly with no timeouts etc.. which to me points straight to the firmware - anything after v.1.2.3 breaks these things (and likely more.

 

I am no networking expert and so my knowledge is limited, so we'l see what support come back with. I will keep both my ER8411s as I don't feel confident enough to apply a firemware update without having the safety of one that works, we can't afford downtime on our network as we are both working fro home, but it seems bonkers to have to buy 2 routers to ensure that if we upgrade, we have a failsafe.

I had a session of about two hours and a half with Enginerring team member Limz, a couple of things were tweak on my gateway 707 and my speed went from 3Mbps to around 150Mbps still a little low from the usual speeds i used to get, but it got me out of the bad performance issues, i provided them with around a gig of data from wireshark, with multiple test scenarios, in fact there is an issue with the Firmware, probably something was added to remediate vulnerabilities and maybe some firewall rules or nat changes were made that are causing the issues.  They are currently working on analyzing further the issue, lets see what happens and if they came with a solution. 

    @gskips @Ethan-TP 

Hello guys,

I’m back from an extended vacation, and during that time I worked closely with technical support to investigate the issue in more depth. As part of the troubleshooting process, a custom firmware build was provided for my ER707‑M2 to help isolate the problem. Although the firmware did not resolve the behavior, we were able to confirm that the root cause is related to the Shortcut Forwarding Engine (SFE).
SFE is an acceleration mechanism used in various router platforms (such as DD‑WRT and OpenWrt) to enhance NAT throughput, particularly on high‑speed connections. When SFE is disabled—following the CLI steps provided by technical support—my Zscaler bandwidth limitations are fully resolved. However, disabling SFE also results in a significant performance drop on my gigabit connection, with overall throughput reduced by roughly 70%, since the CPU must process all packets without the benefit of hardware acceleration.
For now, I’m toggling SFE on and off as needed until a permanent fix is released by TP‑Link engineering. It may be worth revisiting the behavior seen in firmware version 1.2.3, which handled this scenario without issues.

  @Kramos 

Heya,

Wow, this is interesting and you've clearly been really helpful to get to this stage, thanks for helpink us all out. I'm really limited to availble downtime to do a lot of testing as our connection is critcal most of the time, however, i am in touch with engineering who are looking into it also. Where I'm using an ER8411, it sees that this is likely a similar, if not the same, potential cause that you've been experiencing.

Along with ZScaler, did you ever have issues logging in to Apple accounts etc? I was hardly ever able to sucessfully log into my Apple account while on firmware v.1.3.5, and similarly on my nvidia sheild, when using a screensaver that connected to Apple to get thier drone shots, it wasn't able to connect and never managed to display them... but drop down to v1.2.3 on my ER8411 and everything is back working as it was... Zscaler, Apple, etc all working brilliantly.

I have ended up getting a 2nd ER8411 for redundancy, as we can't afford to be down for very long (I'm remote film editing, so need a stable, fast connection), however if new firmware comes out that hoefully fixes the issues, then trying it out shouldn't be too much of a problem... swapping out the box with v1.2.3 from the one with v1.3.5 wasn't too painful, so hopefully switcing out again will also be strightforward as they are the same models. (fingers crossed, ha!)

Thanks for your update, if i hear anything I'll also let you know, however, seems you are further along than i am... I have sent them this thread incase it's helpful.

Cheers

  @gskips 

Hello,

I haven’t experienced issues with any services other than my work Zscaler instance, though I am aware that others have encountered problems with different services. Since you performed a rollback, you should be fine. Support advised me not to roll back due to several vulnerability fixes included in the update, but enabling or disabling SFE is straightforward if needed, following the instructions in the guide.

To proceed, open PuTTY and connect to your device using the Gateway IP along with your username and password. Once connected, enter the following commands:

enable
sfe off

You should receive a confirmation message with the command results. This process will not interrupt your internet connection. Afterward, you can run a Zscaler performance test at:

http://speedtest.zscaler.com/perf

Let me know how it goes.