Troubleshoot Split Tunnel Domain & Applications and Exclude Video Traffic

Background

GlobalProtect with an on-premises firewall is used by employees to connect securely to their enterprise environment and access corporate applications. GlobalProtect supports the Split Tunnel Domain & Applications and Exclude Video Traffic features, which exclude bandwidth-heavy applications and domains from the tunnel to help enterprises maintain business continuity during large-scale Work From Home (WFH) scenarios, such as the COVID-19 pandemic or any other calamity.

Objective

The objective of this document is to provide enterprise administrators with troubleshooting tips and tricks for the Split Tunnel Domain & Applications and Exclude Video Traffic features, to help them during implementation and operational maintenance. For configuration guidance on these features, refer to Optimized Split Tunneling for GlobalProtect and GlobalProtect: Implement Split Tunnel Domain and Applications.

Verification and Troubleshooting

The following verification and troubleshooting steps were written with the configuration specified in GlobalProtect: Implement Split Tunnel Domain, Applications, Exclude Video Traffic Configuration in mind, and they apply to any such configuration.

Split Tunnel Domain & Application

To verify and troubleshoot the split tunnel domain and application features, use the following steps:

  1. First, verify whether the gateway configuration for ‘Split Tunnel Domain’ or ‘Split Application’ has been pushed correctly to the GlobalProtect app. This can be checked by collecting GlobalProtect logs. For steps on collecting GlobalProtect logs, refer to: How to Collect Logs From GlobalProtect Clients.

  2. Within the GlobalProtect logs bundle, review PanGPS.log and verify that, based on the gateway configuration, GlobalProtect receives:
    1. ‘Split Tunnel’ configuration:
      <exclude-split-tunneling-domain>
             <member>*.ringcentral.com</member>
      </exclude-split-tunneling-domain>

    2. ‘Split Application’ configuration:
      <exclude-split-tunneling-application>
             <member>%AppData%\Local\RingCentral\SoftPhoneApp\Softphone.exe</member>
             <member>%AppData%\Local\RingCentral\SoftPhoneApp\SoftPhoneMapiBridge.exe</member>
             <member>/Applications/RingCentral for Mac.app/Contents/MacOS/Softphone</member>
      </exclude-split-tunneling-application>

  3. Within the GlobalProtect logs bundle, also review gpsplit.log to see the split tunnel and application rules that were applied. In the logs below, the rules for ‘.ringcentral.com’ and the RingCentral application are directed to the physical interface (2PHY), and the subsequent line shows the binding to physical interface en0. Thus, traffic for the RingCentral application will be excluded from the VPN tunnel. Here, Rules 0 to 3 correspond to the IP address of the domain and the applications we configured on the gateway.
    gpsplit [0x52bc2520] :860 Rule   0: 1TCP v4 50.239.202.198 0 > 2PHY (83115)
    gpsplit [0x52bc2520] :860 Rule   1: 3APP %AppData%\Local\RingCentral\SoftPhoneApp\SoftPhoneMapiBridge.exe > 2PHY (0)
    gpsplit [0x52bc2520] :860 Rule   2: 3APP %AppData%\Local\RingCentral\SoftPhoneApp\Softphone.exe > 2PHY (0)
    gpsplit [0x52bc2520] :860 Rule   3: 3APP /Applications/RingCentral for Mac.app/Contents/MacOS/Softphone > 2PHY (0)
    gpsplit [0x5fd50a40] :933 0x59bc4620 binding to interface en0, index 3
    NOTE: If an FQDN resolves to multiple IP addresses, all the IP addresses will be added to the exclude rules.

  4. You can also check the connection table on the client machine and confirm that the specific application's connections go via the physical interface and not the tunnel interface. On macOS, use the ‘netstat -arn’ command; on Windows, use ‘netstat -anob’.

  5. You can also use the ‘whois’ lookup utility to find the public IP address associated with specific domains or ISPs.
    (Screenshot: whois lookup for IP address)

  6. For application visibility on Windows platforms, Microsoft Network Monitor can also be used. More information can be found in this article: Information about Network Monitor 3.

  7. To track traffic for a specific domain, enable Wireshark packet captures on the client machine on both the physical and the tunnel (gpd0) interface. This is the most reliable method of tracking traffic for specific domains. To find the IP address for a domain, resolve it using nslookup as shown below, then apply the resulting IP address as a filter in Wireshark.
    $ nslookup ringcentral.com
    Non-authoritative answer:
    Name: ringcentral.com
    Address: 216.146.46.11
    Name: ringcentral.com
    Address: 216.146.46.10

Exclude Video Traffic

To verify and troubleshoot the ‘Exclude video traffic from the tunnel (Windows and macOS only)’ feature, use the following steps:

  1. Verify whether the gateway configuration for ‘Exclude video traffic from the tunnel (Windows and macOS only)’ has been pushed correctly to the GlobalProtect app. This can be checked by collecting GlobalProtect logs. For steps on collecting GlobalProtect logs, refer to this knowledge article: How to Collect Logs From GlobalProtect Clients.

  2. Within the GlobalProtect logs bundle, review PanGPS.log and verify that the ‘Exclude video traffic from the tunnel (Windows and macOS only)’ configuration is received from the gateway, as shown below:
    <exclude-video-redirect>yes</exclude-video-redirect>
  3. The firewall sends a redirect message to GlobalProtect once it determines that a specific video application needs to be excluded from the VPN tunnel. In our example, we are excluding YouTube traffic. The firewall identifies the application as video based on the client's initial HTTP/HTTPS request, and it also matches the destination domain in the request against the configured one. Reviewing the PanGPS.log file within the GlobalProtect logs bundle confirms the video redirect message received by the GlobalProtect client from the gateway, as in the logs below:
    Split tunneling is enabled: 0 include app, 2 exclude app, 0 include domain, 3 exclude domain, video-redirect yes
    Debug(1732): SP set exclude ip 74.125.166.167, port 443 for video redirect
    Debug(1732): SP set exclude ip 173.194.167.166, port 443 for video redirect
    Debug(1732): SP set exclude ip 173.194.167.166, port 443 for video redirect

  4. On the firewall, you can filter sessions by a specific application using the command ‘show session all filter application <application-name>’. The example below filters on the ‘youtube-base’ application:
    (Screenshot: admin view of a PA-3260 running the show session all filter application command)

  5. Review the details of a specific session from the Step 4 output using the command ‘show session id <session id>’. Look for ‘tracker stage firewall: split tunnel’ in the session detail output; this confirms that the traffic is being excluded from the VPN tunnel.

  6. You can also verify in the browser that an HTTP 302 redirect response was received from the gateway for the excluded URL or video application. In Chrome, Firefox, or Internet Explorer, use the Web Developer/Developer Tools and the Network tab within them for this. The HTTP 302 redirect appears in the status or result column when the gateway sends a redirect message. The snapshot below is an example from the Firefox Web Developer tool, where a 302 redirect received from the gateway for video playback is shown in the status column.
    (Screenshot: Firefox Web Developer tool showing 302 results in the status column)
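As an added example that is not part of this article or of GlobalProtect itself, the following Python script automates the log checks from both procedures above (Split Tunnel Domain & Application steps 2 and 3, and Exclude Video Traffic steps 2 and 3): it extracts the split tunnel configuration from a PanGPS.log excerpt, checks that every configured exclude application has a gpsplit.log rule directing it to 2PHY, lists the addresses excluded by IP rules (one per address a domain resolves to), and collects the unique video-redirect exclude addresses. The log excerpts are constructed from the lines quoted above, with one application deliberately left without a rule; the line layout is assumed to match those quoted lines.

```python
import re

# Constructed excerpts modelled on the lines the article quotes; not real log files.
PANGPS_LOG = r"""
<exclude-split-tunneling-domain><member>*.ringcentral.com</member></exclude-split-tunneling-domain>
<exclude-split-tunneling-application>
       <member>%AppData%\Local\RingCentral\SoftPhoneApp\Softphone.exe</member>
       <member>/Applications/RingCentral for Mac.app/Contents/MacOS/Softphone</member>
</exclude-split-tunneling-application>
<exclude-video-redirect>yes</exclude-video-redirect>
Debug(1732): SP set exclude ip 74.125.166.167, port 443 for video redirect
Debug(1732): SP set exclude ip 173.194.167.166, port 443 for video redirect
Debug(1732): SP set exclude ip 173.194.167.166, port 443 for video redirect
"""
# The macOS application is deliberately left without a rule so the check below fires.
GPSPLIT_LOG = r"""
gpsplit [0x52bc2520] :860 Rule   0: 1TCP v4 50.239.202.198 0 > 2PHY (83115)
gpsplit [0x52bc2520] :860 Rule   1: 3APP %AppData%\Local\RingCentral\SoftPhoneApp\Softphone.exe > 2PHY (0)
gpsplit [0x5fd50a40] :933 0x59bc4620 binding to interface en0, index 3
"""
RULE_RE = re.compile(r"Rule\s+(\d+): (\S+) (.*?) > (\S+) \((\d+)\)")
VIDEO_RE = re.compile(r"SP set exclude ip (\S+), port (\d+) for video redirect")

def members(log, tag):
    # <member> values inside <tag>...</tag> of a PanGPS.log excerpt
    m = re.search(rf"<{tag}>(.*?)</{tag}>", log, re.S)
    return re.findall(r"<member>(.*?)</member>", m.group(1)) if m else []

def parse_config(log):
    # split-tunnel settings GlobalProtect reports it received from the gateway
    return {"domains": members(log, "exclude-split-tunneling-domain"),
            "apps": members(log, "exclude-split-tunneling-application"),
            "video_redirect": "<exclude-video-redirect>yes</exclude-video-redirect>" in log}

def parse_rules(log):
    # gpsplit.log rules as (index, kind, target, destination) tuples
    return [(int(i), k, t, d) for i, k, t, d, _ in RULE_RE.findall(log)]

def unbound_apps(config, rules):
    # configured exclude applications that have no 3APP rule sending them to 2PHY
    bound = {t for _, k, t, d in rules if k == "3APP" and d == "2PHY"}
    return [a for a in config["apps"] if a not in bound]

def excluded_ips(rules):
    # destination addresses excluded by address rules (one per IP a domain resolves to)
    return sorted(t.split()[1] for _, k, t, d in rules if k != "3APP" and d == "2PHY")

def video_redirect_ips(log):
    # unique (ip, port) pairs the gateway told the client to exclude for video
    return sorted(set(VIDEO_RE.findall(log)))
```

Run the functions against your own PanGPS.log and gpsplit.log contents; any application returned by unbound_apps is configured on the gateway but has no rule on the client, which is the mismatch steps 2 and 3 are meant to surface.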