11-06-2014 01:58 AM
We have set up Global Protect with split-tunnel for mobile clients (iPhone, Android). The goal is that ActiveSync is using the tunnel to reach internal servers, and all other traffic can go directly to the internet. GP is set up to distribute routes to two internal networks to the clients through the Access Route parameter in Gateway configuration.
One strange thing we observe is that FaceTime is sending traffic destined for some Apple servers over the VPN tunnel despite the fact that the routing table says otherwise. We can observe the FaceTime traffic in traffic monitor on the gateway.
Has anyone else observed this?
Another observation: Even when we specify Google DNS servers in the GP client settings, all DNS requests seem to go over the tunnel. It seems that GP always sends DNS requests over the VPN tunnel, regardless of the routing.
11-06-2014 06:12 AM
Hi Arnljot,
Split tunnelling is not supported with the built-in iOS IPsec VPN software. However, it's supported with the Global Protect client.
Please confirm which kind of VPN client you are using. Refer to the article below for more information.
Regards,
Hardik Shah
11-07-2014 12:08 AM
It's the Global Protect client for iOS.
11-07-2014 09:21 AM
Hi Arnljot,
With the Global Protect client, split tunnelling should work. Could you please share a snapshot of the access route in the Global Protect configuration?
Regards,
Hardik Shah
11-11-2014 04:20 AM
I don't have access to the device at the moment, but the Access Route is to one internal network only, like: 192.168.100.0/24
We see two specific oddities, where one might be by design:
- If primary and secondary DNS for GP clients is set to i.e. 8.8.8.8 and 4.4.4.4, DNS traffic is still sent over the tunnel
- We see FaceTime traffic from iPhone over the tunnel
11-11-2014 05:08 AM
Hi Arnljot,
In this case split tunneling should work. This appears to be a bug so far. But I don't have any configuration or logs to verify the same.
Regards,
Hardik Shah