Why the VPN keeps falling over and what ZTNA fixes
Why the VPN keeps falling over and what ZTNA fixes
Last updated: 8 July 2026
Why the VPN keeps falling over is rarely a mystery once you look past the dashboard. The real reason is usually a session ceiling well below the number printed on the concentrator’s spec sheet, because CPU and memory run out on encryption overhead long before the licensed limit is reached. The fix is not a bigger box. It is taking the concentrator out of the picture for the traffic that never needed it in the first place.
Why the VPN keeps falling over on a Monday morning
There was a whiteboard in the server room at a 240-person health insurance claims processor in Hyderabad, with four numbers written on it in four different pens. 380. 310. 250. 190. Nobody could say for certain who had written three of them, or when.
Kavya ran network and infrastructure for the company. Every Monday around 9:45 AM, the claims floor logged in at roughly the same time, sixty-odd people, a third of them working from home that day. Every Monday, a chunk of them sat at a spinning login screen while the rest of the floor wondered why the claims queue had gone quiet. The dashboard said the concentrator was healthy. The forty people staring at that spinning screen disagreed.
She had already tried the obvious things. Restarting the box mid-morning. Asking people to stagger their logins, which nobody did, because nobody staggers a login on purpose. Raising a ticket with the vendor, who asked for the CPU graph, which looked fine, because the graph measures the box, not the queue behind it.
What was actually maxing out
A VPN concentrator terminates every encrypted tunnel itself. Each session it holds costs CPU cycles for encryption and memory for session state. The number on the licence or the spec sheet describes a best-case load. The number where things actually start dropping is usually a fraction of that, and it is rarely written down anywhere. NIST’s Zero Trust Architecture guidance (SP 800-207) describes this the same way: a perimeter device that terminates every session is a bottleneck by design, not by accident.
That is also why the monitoring lied to Kavya every Monday. Health checks on a VPN concentrator usually track CPU load, memory, and uptime. None of those track how long it takes a new connection to establish, or whether the fortieth login of the morning ever completes. A box can report green while the actual experience, for the person trying to open a claim file, is a login screen that never resolves.
Why a bigger VPN box does not fix it
I did the easy thing first. On my first pass I speced a bigger concentrator, more SEP capacity, a proper licence bump. It would have worked, for a while. Then Kavya mentioned headcount was budgeted to grow another 20% this year, and that the claims floor had started allowing two work-from-home days instead of one, and that this was the monsoon season everyone in Hyderabad quietly plans their commute around anyway.
A bigger box buys you a few more months before the same Monday jhamela shows up again, at a slightly later hour. It is a capacity chase against headcount and a season that floods the roads twice a year. Every rupee spent on a bigger concentrator solves this month’s ceiling and hands next year’s ceiling to whoever is doing this job in twelve months, which was going to be Kavya again. This is the ordinary reality for a lot of Indian mid-size companies going into the second half of 2026: more remote days, tighter budgets, and the same decade-old concentrator sitting in the rack.
What ZTNA actually changes
A VPN puts a user on the network. Once connected, they can typically reach anything the network allows, and the network team enforces the boundaries after the fact with firewall rules and hope. ZTNA does not put anyone on the network at all. An identity-aware proxy sits in front of each application. A user requests access to one specific app, the request is checked against their identity and their device’s health, and only that one connection is allowed through. There is no concentrator in the middle holding open thousands of tunnels, because there is no tunnel to the network to begin with.
| Aspect | VPN | ZTNA |
|---|---|---|
| Access granted to | The whole network segment | One application at a time |
| Capacity ceiling | Fixed by the concentrator’s hardware | Elastic, handled in the cloud |
| Device check happens | Once, at login | On every request, continuously |
| If a password leaks | Attacker reaches whatever the network allows | Attacker reaches one app, and only if the device also passes the health check |
| Legacy on-prem systems with no modern login | Works, because it never checked | Needs a gateway in front of the app, or stays on VPN for now |
The concentrator disappearing is the part that matters for a Monday morning. Cato’s platform runs the access proxy in the cloud, so the ceiling moves with demand instead of sitting fixed inside a box in a Hyderabad server room.
The part everyone gets nervous about
Nobody should switch off the VPN on a Friday and switch on ZTNA on a Monday. The claims processor had one system, the core adjudication platform, that was eleven years old and had never heard of a modern identity protocol. It was not going anywhere quickly. That system stayed behind the VPN. Everything else, the CRM, the document store, the HR portal, the remote desktop sessions the claims team used from home, moved to ZTNA over about eight weeks, one application group at a time.
That is also the boring, useful part for anyone thinking about DPDP. Claims data is health data, which sits squarely inside sensitive personal data under the Act. ZTNA’s per-application, per-request logging gives an auditor an actual trail of who touched what and when, instead of a VPN log that only shows who was on the network at what time and has to be trusted for everything after that. It is the same trail CERT-In expects an organisation to produce quickly after any reportable incident. A regulator asking “prove you controlled access to this file” gets a much better answer from ZTNA logs than from VPN logs.
Three Mondays later
The whiteboard in the server room got wiped. One number is written on it now, and it is not a session count. It is the date of the next quarterly access review, because that is the kind of thing a network team gets to worry about once the concentrator stops falling over every Monday.
Kavya still comes in early on Mondays. Old habit, she said, arre, some things take longer to unlearn than the actual problem took to fix. The claims floor logs in the same way it always did. Nobody notices anymore, which is the actual goal of any network change that works.
Key takeaways
- If your VPN fails at a predictable time of day or week, the concentrator is hitting a session ceiling, not experiencing a random fault.
- Check the experience, not the box. A green dashboard and a stuck login screen can both be true at the same time.
- A bigger concentrator buys months, not years, against growing headcount and more work-from-home days.
- ZTNA replaces network-level access with per-application, continuously verified access, which removes the concentrator as a single point of failure.
- Keep the VPN for the one legacy system that cannot speak modern identity yet. Migrate everything else in phases, not overnight.
Talk to us about your VPN’s real session ceiling
Frequently asked questions
Is ZTNA just a fancier VPN?
No. A VPN puts a device on the network and trusts it from then on. ZTNA never puts the device on the network. It checks identity and device health on every single request to every application, separately.
Do we have to remove the VPN completely on day one?
No, and most companies should not try. A phased move, starting with remote access and SaaS applications and leaving one or two legacy on-prem systems behind the VPN for now, is the realistic path for most Indian mid-size companies.
Does ZTNA slow things down the way our VPN does during peak hours?
The opposite is more common. Because there is no single concentrator holding every session, the capacity scales with demand instead of hitting a fixed hardware ceiling at the exact hour everyone logs in.
What does moving to ZTNA typically cost per user in India?
It depends on how many applications you are protecting and whether you are consolidating SD-WAN and ZTNA onto one platform or buying them separately. A single-vendor SASE platform like Cato usually costs less than running a VPN concentrator, a separate ZTNA point product, and the licensing and controller stack that comes with a do-it-yourself build.
How long does a realistic ZTNA migration take for a 200 to 300 person company?
Six to twelve weeks for the applications that move first, remote access and SaaS being the fastest. Legacy on-prem systems that need a gateway in front of them, or that stay on VPN by design, can take longer and should not be rushed to hit an arbitrary date.
Get my free quote for a network access review
We have run this same conversation with a dozen Indian companies now: the VPN failing on a schedule, the dashboard staying green, the fix nobody wanted to hear was “not a bigger box.” Cato Networks SASE in India is the platform we use to run SD-WAN, ZTNA, and one policy engine off a single console instead of three separate boxes with three separate support contracts.
Related reading: a Bengaluru SaaS company’s Cato-versus-Fortinet bake-off, what SASE actually means for an Indian business buyer, and when to switch from MPLS to SD-WAN, and when not to.
Book a discovery call before your next Monday
Free network access review, no card and no contract. We have done this for 200+ Indian businesses. Reach us on WhatsApp at +91 91375 93228 during 10 to 7 IST if you would rather just ask a question first.
P.S. Naveen here. I still think about that whiteboard with four different session counts on it. Every Monday-morning VPN outage I have looked into since has the same shape: a box with a real ceiling nobody wrote down, and a dashboard that never once told the truth about it. Count your real ceiling, not your box’s spec sheet. Then design around removing the box, not resizing it.

