Global Protect and split-tunnel, strange behavior from Facetime

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect and split-tunnel, strange behavior from Facetime

L1 Bithead

We have set up Global Protect with split-tunnel for mobile clients (iPhone, Android).  The goal is that ActiveSync is using the tunnel to reach internal servers, and all other traffic can go directly to the internet.  GP is set up to distribute routes to two internal networks to the clients through the Access Route parameter in Gateway configuration

One strange thing we observe, is that Facetime is sending traffic destined for some Apple servers over the VPN tunnel despite the fact that the routing table says otherwise.  We can observe the Facetime traffic in traffic monitor on the gateway.

Has anyone else observed this?

An other observation:  Even when we specify Google DNS servers in the GP client settings, all DNS requests seem to go over the tunnel.  It seems thatl GP always send DNS requests over the VPN tunnel, regardless of the routing.

5 REPLIES 5

L6 Presenter

Hi ArnliJot,

Split tunnelling is not supported with built-in IOS IPsec VPN software. However its supported with Global Protect client.

Please confirm which kind of VPN client are you using? Refer bellow article for more information.

Re: Split tunneling on iOS

Regards,

Hardik Shah

Its the Global Protect client for IOS

Hi Amljot,

With Global Protect Client split tunnelling should work. Could you please share snapshot for access route of Global Protect Configuration.

Regards,

Hardik Shah

I don't have access to the device for the moment, but the Access route is to one internal network only, like:  192.168.100.0/24

We see two specific oddities, where one might be by design:

-If primary and secondary DNS for GP clients is set to i.e. 8.8.8.8 and 4.4.4.4, DNS traffic is still sent over the tunnel

-We see Facetime traffic from iPhone over the tunnel

Hi Arnljot,

In this case split tunneling should work. This appears to be a bug so far. But I dont have any configuration or logs to verify the same.

Regards,

Hardik Shah

  • 3232 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!