Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Overlapping local/remote network issues with Pulse

SOLVED
Go to solution
em_platinum_
Contributor
‎01-29-2014 10:00:AM
‎01-29-2014 10:00:AM

Overlapping local/remote network issues with Pulse

Ran into an issue today where a user could not access a tunnelled network that he was able to access yesterday.  No changes were made on the tunnel side.  User is running Pulse 5.0 on Windows 7 connecting to Secure Access Service 8.0R1.0

 

User's home network of 192.168.1.0/24 with the home WiFi Router at 192.168.1.1

Overlapping Remote network is 192.168.0.0/23

Other Remote network is 10.10.0.0/16, 10.100.0.0/16 and 172.16.10.0/24

Split tunneling is enabled and route precedence is set to "Endpoint route". 

Secure Access Service Internal IP is 10.10.1.11 and VPN Tunneling Server IP is 10.10.1.12

Users assigned IP from Secure Access Service is 10.10.201.7

 

The user can access all of the "other" remote networks listed above, but they can't access remote network I have listed as "overlapping"

 

When the user tries to ping IP's in the 192.168.0.0/23 subnet (ex: 192.168.1.11 and 192.168.1.6) the user gets no response, and traceroutes get no response either.

 

The user said this was working fine yesterday, but today, no luck. No changes were made ont he Secure Access Service side.

 

Here is the users current route table. I don't have a table from yesterday to look at.

 

IPv4 Route Table =========================================================================== Active Routes: Network Destination        Netmask          Gateway       Interface  Metric           0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5     25         10.10.0.0      255.255.0.0         On-link       10.10.201.7      1       10.10.201.7  255.255.255.255         On-link       10.10.201.7    256     10.10.255.255  255.255.255.255         On-link       10.10.201.7    256        10.100.0.0      255.255.0.0         On-link       10.10.201.7      1    10.100.255.255  255.255.255.255         On-link       10.10.201.7    256         127.0.0.0        255.0.0.0         On-link         127.0.0.1    306         127.0.0.1  255.255.255.255         On-link         127.0.0.1    306   127.255.255.255  255.255.255.255         On-link         127.0.0.1    306       172.16.10.0    255.255.255.0         On-link       10.10.201.7      1     172.16.10.255  255.255.255.255         On-link       10.10.201.7    256     192.65.XXX.XX  255.255.255.255      192.168.1.1      192.168.1.5     25       192.168.0.0    255.255.254.0         On-link       10.10.201.7      1       192.168.1.0    255.255.255.0         On-link       192.168.1.5    281       192.168.1.5  255.255.255.255         On-link       192.168.1.5    281     192.168.1.255  255.255.255.255         On-link       192.168.1.5    281     192.168.1.255  255.255.255.255         On-link       10.10.201.7    256         224.0.0.0        240.0.0.0         On-link         127.0.0.1    306         224.0.0.0        240.0.0.0         On-link       192.168.1.5    281         224.0.0.0        240.0.0.0         On-link       10.10.201.7    256   255.255.255.255  255.255.255.255         On-link         127.0.0.1    306   255.255.255.255  255.255.255.255         On-link       192.168.1.5    281   255.255.255.255  255.255.255.255         On-link       10.10.201.7    256 ===========================================================================

 

 

 

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
spuluka
Super Contributor
‎01-29-2014 03:13:PM
‎01-29-2014 03:13:PM

Re: Overlapping local/remote network issues with Pulse

On your user role try setting the route precedence:

 

Role -- VPN tunneling Tab

Route Precedence-- select the tunnel option

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home

View solution in original post

0 Kudos
3 REPLIES 3
spuluka
Super Contributor
‎03-30-2009 05:12:PM
‎03-30-2009 05:12:PM

Re: Overlapping local/remote network issues with Pulse

You have correctly identified the trade off involved.  the computer can only accept one side as authoritative for the address space, so you get either local subnet or the remote subnet.

If you know the users and computers, you can sometimes overcome the printing issue by installing /32 routes on the windows machine.  As long as the users printer address is not the same as the servers they need to access.

I've created batch files they could run install the printer address as a /32 so that it is more specific than the /24 subnet and still work locally while the rest of the traffic is routed out the tunnel.





Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV JNCIS-SSL
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
0 Kudos
em_platinum_
Contributor
‎12-31-2013 04:32:PM
‎12-31-2013 04:32:PM

Re: Overlapping local/remote network issues with Pulse


@spuluka wrote:

On your user role try setting the route precedence:

Role -- VPN tunneling Tab

Route Precedence-- select the tunnel option




I'm idealyl looking for users in this situation to be able to access their local subnets as well as subnets across the VPN when any overlap occurs.  This would allow them to do something such as print to their local printer or access local files while also accessing remote resources.  Is that even possible?

There are two options: "Tunnel" and "Tunnel with local subnet access"

With split-tunneling enabled, the Admin Guide indicates that the difference in the route precedence s in regard to directly connected endpoint routes, as follows:



Endpoint - Does not go through tunnel 

Tunnel - Routes are modified to go through the tunnel only if they overlap with the split-tunneling subnets. Otherwise the routes do not go through the tunnel.

Tunnel with local subnet access - Does not go through tunnel.

If I understand this correctly, I wold need to use "Tunnel" for the user to be able to access the subnet across the tunnel, but this would end up causing the user to lose local subnet acess, would it not?  

if I used "Tunnel with local subnet access", then it's no different than the "Endpoint" route precedence currently defined, and the user would have local subnet access but not remote subnet access for the overlap.


0 Kudos
spuluka
Super Contributor
‎01-29-2014 03:13:PM
‎01-29-2014 03:13:PM

Re: Overlapping local/remote network issues with Pulse

On your user role try setting the route precedence:

 

Role -- VPN tunneling Tab

Route Precedence-- select the tunnel option

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.