GlobalProtect IOS split tunnel routing incorrect traffic

Andy123B — Tue, 09 Feb 2021 18:02:41 GMT

PanOS 9.1.4, GP client 5.2.7-6.

We have a split tunnel configuration with only 2 internal /32 addresses added to the access route include list. We regularly see traffic from GP clients destined for Internet IP addresses hit the Palo over the client tunnel. This is from several IOS clients - we don't have any other client O/S'es to test with. Is there any reason destinations not included in the include list would sometimes route over the tunnel?

PANGps.log shows the correct routes being installed on the client. The incorrect packets don't seem to coincide with any issues in the client log like a reconnection. We have a fairly basic configuration. Connection method - On Demand, "No direct access to local network" option not ticked.

Researching the destination addresses and ports seem to indicate these are related to messaging clients and some are to apple's range on 17.x.x.x. I have also specifically added 17.0.0.0/8 to the Exclude access rule but still receive traffic destined there. Is it possible that some apps don't use the routing table on IOS and sometimes use the tunnel interface?

Thanks

Andy

Re: GlobalProtect IOS split tunnel routing incorrect traffic

S.Cantwell — Wed, 17 Feb 2021 13:54:16 GMT

yes, I have seen vendor's IP stacks on their devices not follow the standards.

There is very little we can do to prevent this and I share your frustrations.

topic Re: GlobalProtect IOS split tunnel routing incorrect traffic in General Topics

GlobalProtect IOS split tunnel routing incorrect traffic

Re: GlobalProtect IOS split tunnel routing incorrect traffic