Weird local route change with split tunneling

SOLVED

Occasional Contributor

Hi guys,

We're facing a weird issue. Scenario: VPN tunneling enabled, split tunneling enabled, Route Precedence set as Tunnel routes, Route Monitor disabled.

My testing profile's Resource policies for VPN tunneling: access control set to allow any (*.*), connection profile DNS set to 'Search the device's DNS servers first, then client', split-tunneling networks: 10.10.10.0/24.

When I connect from Pulse Client on my laptop, I get the IP e.g. 10.50.50.50. Running route print, I see that a new entry has been injected, a route to 10.10.10.0/24 via interface 10.50.50.50, which is totally fine.

Then I ping a host of the remote network, e.g. 10.10.10.10, and get a reply. If I run nslookup for that host, e.g. mail.contoso.local, I get the right IP, 10.10.10.10. But if I then ping the FQDN mail.contoso.local, it won't get a reply, and when I check the laptop routing table again, I see that the route to that specific IP has been changed: now there is an entry for 10.10.10.10 that drives the traffic to my laptop's physical WiFi interface IP, instead of keeping the tunnel one.

Any idea?

Thanks

5 REPLIES

Moderator

Re: Weird local route change with split tunneling

You should be having FQDN based split tunneling enabled, and *.contoso.local / mail.contoso.local is not added to allow access, hence it's being considered as an implicit deny, which creates a specific route for the resource and points it to the physical interface.

Please remove any FQDN policy and keep only the IPv4 split tunneling routes, and that should do the trick.

PCS Expert
Pulse Connect Secure Certified Expert
Occasional Contributor

Re: Weird local route change with split tunneling

Hi Ray,

In the Split-tunnelling policy, I have only the network 10.10.10.0/24 (under the IPv4 Resources column, with the action 'Allow'), and also a couple of FQDNs, none of them related at all to contoso.local.

Thanks

Moderator (Accepted Solution)

Re: Weird local route change with split tunneling

@trasgu Yes, that's it. None of the FQDNs are related to the contoso.local domain, hence it is considered as EXCLUDE ACCESS and Pulse Client adds a route for all *.contoso.local resources to use the physical interface for traversing out.

In a nutshell, FQDN based split tunneling should be used when you're having cloud applications whose IP addresses are not static and you would like that traffic to be tunneled through VPN; otherwise, please go with the static IP/Subnet based ST policies.

PCS Expert
Pulse Connect Secure Certified Expert
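As an added example that is not from the thread or from Pulse Secure: a Python check that parses the IPv4 section of Windows `route print` and flags exactly the symptom described above, a more-specific route inside a split-tunnel prefix that exits via a non-tunnel interface. The sample table and the 192.168.1.x Wi-Fi addresses are constructed; 10.10.10.0/24, 10.10.10.10 and 10.50.50.50 are the values from the original post.

```python
"""Flag split-tunnel 'route leaks' in a Windows routing table (added example)."""
import ipaddress
import re

# Constructed sample: the 'IPv4 Route Table' section of `route print`, cut down
# to the lines that matter for the thread. 192.168.1.x is an assumed Wi-Fi LAN;
# the /32 host route for 10.10.10.10 is the entry Pulse Client injected.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1   192.168.1.23     35
      10.10.10.0    255.255.255.0         On-link    10.50.50.50      6
     10.10.10.10  255.255.255.255    192.168.1.1   192.168.1.23     36
     10.50.50.50  255.255.255.255         On-link    10.50.50.50    261
     192.168.1.0    255.255.255.0         On-link   192.168.1.23    291
===========================================================================
"""

# One `route print` row: destination, netmask, gateway (IP or 'On-link'),
# interface IP, metric. Header and separator lines do not match.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return a list of (network, gateway, interface_ip, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes


def find_leaks(routes, tunnel_ip, split_prefixes):
    """Routes that sit inside a tunnelled prefix, are more specific than it,
    and do not use the VPN adapter address as their interface."""
    tunnel_nets = [ipaddress.ip_network(p) for p in split_prefixes]
    return [
        (str(net), gw, iface)
        for net, gw, iface, _ in routes
        for tnet in tunnel_nets
        if net.subnet_of(tnet) and net.prefixlen > tnet.prefixlen and iface != tunnel_ip
    ]


if __name__ == "__main__":
    for leak in find_leaks(parse_routes(SAMPLE_ROUTE_PRINT), "10.50.50.50", ["10.10.10.0/24"]):
        print("LEAK: %s via %s on interface %s" % leak)
```

On a real machine, feed it the output of `route print -4` and the VPN adapter address; an empty result means no tunnelled destination has been pulled onto the physical interface.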

Occasional Contributor

Re: Weird local route change with split tunneling

Hi Ray,

Much better now, thanks a lot. However, when I connect to our Skype for Business through the Pulse, it gets disconnected/reconnected around every 5-7 minutes when it reauthenticates, I don't know why. I guess this is not easy to troubleshoot; any idea welcomed.

Thanks!

Moderator

Re: Weird local route change with split tunneling

Thank you for the confirmation with regards to the ST issue :)

Oh! That's weird. So you're saying that Skype for Business is getting disconn/reconn frequently after you reauthenticate to the VPN server, or to the Skype server? Is it stable when connected to VPN, and do you want the Skype traffic to be tunneled through VPN because it will not work without VPN?

PCS Expert
Pulse Connect Secure Certified Expert