Split VPN - traffic defaults through tunnel.
IP addresses / FDQN policy set to deny so specific traffic does not travel via tunnel (AWS/Office)
Client: Version 9.1.15 (15819) desktops Windows 10/11
We have two server instances running this config without issue.
We create two new server instances with the config copied.
When connecting to the new servers - random issues with traffic which match the deny/exclusion policy.
I can see in the PulseClient.log that DNS matches are made and then
an EXCLUDE route is made for the related IP address.
The route table shows the route is correct and traffic should go direct.
Using tracert to the endpoint shows traffic going direct
The web browser AND/OR curl can't connect to endpoint - https for all !!
wireshark capture shows no TCP connection attempts on both the local and tunnel interfaces !
the problem is not consistent - works once then later it doesn't
Comparing the logs from working instance to the new instance seem relative similar.
Why would connections fail (timeout) ?
the new instance is configured similar to working instance,
everything in the split is configured as a deny (ip addresses and FQDN)
we can see in the local pulse logs that it is execuded as an EXCLUDE ROUTE
and it adds a related route through local interface - not throught the tunnel.
the behavior on the new instance - TCP connections do not complete.
We can not see the TCP (HTTPS) request start in the wireshark capture.
It appears it is being blocked by local stack or sometype ofrouting issue.
But ICMP will go out the route as expected to same destination IP.