Split and Full Tunnel in GlobalProtect Causes Users to Connect Through SSL on Loopback
Resolution
Issue
Under Network > GlobalProtect > Portals there are two GlobalProtect gateways: Gateway1 (GW1), terminated on physical interface ethernet1/1 with IP 88.88.88.88, and Gateway2 (GW2), terminated on a loopback interface with IP 1.1.1.1. Under the Client Configuration tab, GW1 is used for the split-tunnel client configuration and GW2 for the full-tunnel client configuration, as shown below:
In User Information for GW2, notice that users connecting to the gateway terminated on the loopback interface always connect through SSL, whereas users connecting to GW1 can connect through IPSec.
Cause
This is expected behavior. The GlobalProtect client first makes an SSL VPN connection, either to 88.88.88.88 on port 443 for the split tunnel (GW1) or to 88.88.88.88 on port 444, which is NATed to 1.1.1.1 port 443, for the full tunnel (GW2), depending on which GlobalProtect client configuration the user logging in matches. Once that SSL connection succeeds, GlobalProtect then attempts to bring up an IPSec tunnel on UDP port 4501. The address and port used for this IPSec attempt are the same for both configurations: 88.88.88.88 on port 4501 for both split and full tunnel.
This IPSec request can be received either by the split-tunnel gateway on physical interface ethernet1/1, or by the full-tunnel gateway on the loopback interface if 88.88.88.88:4501 is NATed to 1.1.1.1:4501. It cannot be received by both: a single destination address and port can only be delivered to one gateway. In this setup the physical interface receives it, so GW1 users get IPSec while GW2 users on the loopback gateway fall back to SSL.
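The NAT behaviour described above, written out as an added illustrative PAN-OS `set` configuration fragment. This is not from the original article; the service object and rule names, the `untrust` zone name, and the `#` annotation lines (which are not PAN-OS CLI syntax and would have to be stripped before pasting) are assumptions for illustration only.

```text
# Service objects (names assumed)
set service tcp-444 protocol tcp port 444
set service udp-4501 protocol udp port 4501

# SSL for the full-tunnel gateway: clients connect to 88.88.88.88:444 and
# the firewall translates the destination to the loopback gateway at 1.1.1.1:443.
set rulebase nat rules GP-GW2-SSL from untrust to untrust source any destination 88.88.88.88 service tcp-444 destination-translation translated-address 1.1.1.1 translated-port 443

# The IPSec request (88.88.88.88 UDP 4501) can be handed to only ONE gateway.
# With no NAT rule for UDP 4501 it reaches GW1 on ethernet1/1, so split-tunnel
# users get IPSec and full-tunnel users on the loopback fall back to SSL.
# Adding the rule below would instead deliver UDP 4501 to GW2 on the loopback,
# and GW1 users would then be the ones falling back to SSL. Both is not possible.
# set rulebase nat rules GP-GW2-IPSEC from untrust to untrust source any destination 88.88.88.88 service udp-4501 destination-translation translated-address 1.1.1.1 translated-port 4501
```

Whichever way the 4501 rule is set, the loopback interface must be assigned to a zone and a security policy must allow the client traffic from the external zone to that zone, or the NATed connections will be dropped before they reach GW2.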
For more information on using GlobalProtect with one gateway for both split and full tunnel, see the following document: Using Global Protect with One Gateway and Both Split - Full Tunnel
owner: csharma