Setup:
Split VPN - traffic defaults through tunnel.
IP addresses / FQDN policy set to deny so specific traffic does not travel via the tunnel (AWS/Office)
Client: Version 9.1.15 (15819) desktops Windows 10/11
We have two server instances running this config without issue.
We create two new server instances with the config copied.
When connecting to the new servers - random issues with traffic that matches the deny/exclusion policy.
I can see in the PulseClient.log that DNS matches are made and then an EXCLUDE route is made for the related IP address.
The route table shows the route is correct and traffic should go direct.
Using tracert to the endpoint shows traffic going direct,
but
the web browser and/or curl can't connect to the endpoint - https for all!!
Wireshark capture shows no TCP connection attempts on either the local or the tunnel interface!
The problem is not consistent - it works once, then later it doesn't.
Comparing the logs from the working instance to the new instance, they seem relatively similar.
Why would connections fail (timeout)?
The new instance is configured similarly to the working instance;
everything in the split is configured as a deny (IP addresses and FQDN).
We can see in the local Pulse logs that it is executed as an EXCLUDE ROUTE
and it adds a related route through the local interface - not through the tunnel.
The behavior on the new instance: TCP connections do not complete.
We cannot see the TCP (HTTPS) request start in the Wireshark capture.
It appears it is being blocked by the local stack or some type of routing issue.
But ICMP will go out the route as expected to the same destination IP.
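An added diagnostic for the situation described above (example code, not from the original post or from Pulse Secure): for each excluded FQDN it resolves the name, asks the Windows stack which route and interface it would actually use, checks whether a /32 host route (the EXCLUDE route) exists, and compares ICMP against TCP/443 reachability, so output from a working client and a failing client can be compared row by row. The hostnames in `$ExcludedHosts` are placeholders for your own exclusion list.

```powershell
# Added diagnostic (not from the original post). Replace the placeholder names
# below with the FQDNs from your own split-tunnel exclusion policy.
$ExcludedHosts = @('excluded-host-1.example.com', 'excluded-host-2.example.com')
$Port = 443

foreach ($name in $ExcludedHosts) {
    # Resolve the same name the client matched; the EXCLUDE route is added per resolved IP
    $ips = (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress
    if (-not $ips) { Write-Warning "$name did not resolve"; continue }

    foreach ($ip in $ips) {
        # Ask the stack which route it would really pick for this destination
        # (Find-NetRoute returns an address object and a route object; keep the route)
        $route   = Find-NetRoute -RemoteIPAddress $ip | Where-Object { $_.DestinationPrefix }
        $adapter = Get-NetAdapter -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue

        # Does a host route for exactly this IP exist (what the EXCLUDE should have created)?
        $hostRoute = Get-NetRoute -DestinationPrefix "$ip/32" -ErrorAction SilentlyContinue

        # ICMP versus TCP reachability, mirroring the symptom in the post
        $icmp = Test-Connection -ComputerName $ip -Count 1 -Quiet
        $tcp  = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue

        [pscustomobject]@{
            Name        = $name
            IP          = $ip
            ChosenRoute = $route.DestinationPrefix
            ViaIf       = $adapter.Name
            HostRoute   = [bool]$hostRoute
            SourceAddr  = $tcp.SourceAddress.IPAddress
            TcpIf       = $tcp.InterfaceAlias
            IcmpOK      = $icmp
            TcpOK       = $tcp.TcpTestSucceeded
        }
    }
}
```

A row where HostRoute is true and ViaIf is the physical adapter, yet TcpOK is false while IcmpOK is true, confirms the route table is not the problem; if TcpIf or SourceAddr differ from ViaIf, the stack's connection setup is disagreeing with the route lookup, which is where to focus the comparison between the two server instances.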