https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49590#M36545 <HTML><HEAD></HEAD><BODY><P>I don't have access to the device for the moment, but the Access route is to one internal network only, like:&nbsp; 192.168.100.0/24</P><P>We see two specific oddities, where one might be by design:</P><P>-If primary and secondary DNS for GP clients is set to i.e. 8.8.8.8 and 4.4.4.4, DNS traffic is still sent over the tunnel</P><P>-We see Facetime traffic from iPhone over the tunnel</P></BODY></HTML> Tue, 11 Nov 2014 12:20:36 GMT arnljot 2014-11-11T12:20:36Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49586#M36541 <HTML><HEAD></HEAD><BODY><P>We have set up Global Protect with split-tunnel for mobile clients (iPhone, Android).&nbsp; The goal is that ActiveSync is using the tunnel to reach internal servers, and all other traffic can go directly to the internet.&nbsp; GP is set up to distribute routes to two internal networks to the clients through the Access Route parameter in Gateway configuration</P><P></P><P>One strange thing we observe, is that Facetime is sending traffic destined for some Apple servers over the VPN tunnel despite the fact that the routing table says otherwise.&nbsp; We can observe the Facetime traffic in traffic monitor on the gateway.</P><P>Has anyone else observed this?</P><P></P><P>An other observation:&nbsp; Even when we specify Google DNS servers in the GP client settings, all DNS requests seem to go over the tunnel.&nbsp; It seems thatl GP always send DNS requests over the VPN tunnel, regardless of the routing.</P></BODY></HTML> Thu, 06 Nov 2014 09:58:08 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49586#M36541 arnljot 2014-11-06T09:58:08Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49587#M36542 <HTML><HEAD></HEAD><BODY><P>Hi ArnliJot,</P><P></P><P>Split tunnelling is not supported with built-in IOS IPsec VPN software. However its supported with Global Protect client. </P><P></P><P>Please confirm which kind of VPN client are you using? Refer bellow article for more information.</P><P><A href="https://live.paloaltonetworks.com/message/41951">Re: Split tunneling on iOS</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Thu, 06 Nov 2014 14:12:34 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49587#M36542 hshah 2014-11-06T14:12:34Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49588#M36543 <HTML><HEAD></HEAD><BODY><P>Its the Global Protect client for IOS</P></BODY></HTML> Fri, 07 Nov 2014 08:08:29 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49588#M36543 arnljot 2014-11-07T08:08:29Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49589#M36544 <HTML><HEAD></HEAD><BODY><P>Hi Amljot,</P><P></P><P>With Global Protect Client split tunnelling should work. Could you please share snapshot for access route of Global Protect Configuration.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 07 Nov 2014 17:21:48 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49589#M36544 hshah 2014-11-07T17:21:48Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49590#M36545 <HTML><HEAD></HEAD><BODY><P>I don't have access to the device for the moment, but the Access route is to one internal network only, like:&nbsp; 192.168.100.0/24</P><P>We see two specific oddities, where one might be by design:</P><P>-If primary and secondary DNS for GP clients is set to i.e. 8.8.8.8 and 4.4.4.4, DNS traffic is still sent over the tunnel</P><P>-We see Facetime traffic from iPhone over the tunnel</P></BODY></HTML> Tue, 11 Nov 2014 12:20:36 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49590#M36545 arnljot 2014-11-11T12:20:36Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49591#M36546 <HTML><HEAD></HEAD><BODY><P>Hi Arnljot,</P><P></P><P>In this case split tunneling should work. This appears to be a bug so far. But I dont have any configuration or logs to verify the same.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 11 Nov 2014 13:08:37 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-and-split-tunnel-strange-behavior-from-facetime/m-p/49591#M36546 hshah 2014-11-11T13:08:37Z