Hi @tony.f,
I am confused by requirement when you said "My goal is to disable VPN Tunneling, so that traffic be sent by default over the Pulse VPN Tunnel, while also having access to internet for Web browsing, etc." I believe you'd like to get split tunnel access which will allows you to access selected intranet resources and internet resources like web browsing, which can be done by disabling the split tunnel under Users roles >> role name >> VPN tunneling >> Split Tunneling >> disable. Is that what you did on the user role 2 settings?
In either way, connecting to Pulse VPN should not disconnect the Wi-Fi connection. When you say the Wi-Fi got disconnected, you mean the Wi-Fi icon changes to a "red x mark" or does it says "No internet access" with a yellow excalamation icon on it.
Ok, when you see the Wi-Fi disconnects... what happens to the VPN connection? Is it getting disconnected too?
Thanks,
Ray.
Hi @tony.f,
It could be ACL configuration done on the VPN server which might block the Microsoft's Network Connection Status Indicator (NCSI) messages.
If any network change is detected, Windows will use the Network Connection Status Indicator (NCSI) technology to:
- Check the connectivity to an Intranet
- Check the connectivity to the Internet
NCSI determines connectivity using the following process:
- The adapter will send a DNS query for www.msftconnecttest.com*.
- If successful, an http GET request is sent for www.msftconnecttest.com/connecttest.txt.
- If the client receives an HTTP 200 OK response, NCSI sends a standard DNS query for an A record of dns.msftncsi.com and subsequently a standard DNS query is sent for an AAAA record of dns.msftncsi.com.
If the DNS request in step 1 fails, or the HTTP response is anything other than HTTP 200 OK in step 2, then the LAN adapter and/or the Pulse virtual adapter will display a status of "No Internet access".
Since the tunnel mode is full tunnel (split tunnel disabled), please check the VPN tunneling ACL of the user role 2 on the VPN server and make sure you allow the traffic to "www.msftconnecttest.com."
If you want to access all internet resources through the pulse VPN tunnel, please use *:* (wildcard allow) entry on the VPN tunneling policies to resolve the issue.
Let me know how it goes.
Thanks,
Ray.
Hi Tony,
@tony.f wrote:Hello Ray,
I tried allowing access to all resources (*:*) for all roles but the full tunnel VPN is still disconnecting my wifi connection... With no internet access, the VPN is down and of course the www.msftconnecttest.com/connecttest.txt test fails.
Tony
Ok. Allowing all *:* on the VPN ACL should made it work. Hmm...
# What is the windows version? -- open cmd > type winver > let me know the four digit version.
# what is the pulse client version? -- open pulse client > help > about > version (x.x.x) (y) > tell me both x and y values.
When you say "With no internet access, the VPN is down and of course the www.msftconnecttest.com/connecttest.txt test fails." so you are not able access "www.msftconnecttest.com/connecttest.txt" through web browser after connecting to the VPN???
Thanks,
Ray.
Hmm Ok. What is the first hop IP address that you see, when you do a traceroute to 8.8.8.8?
Is it 10.200.200.200 and what about the next hops? Are they timing out?
