GlobalProtect IOS split tunnel routing incorrect traffic

cancel
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect IOS split tunnel routing incorrect traffic

L0 Member

PanOS 9.1.4, GP client 5.2.7-6. 

We have a split tunnel configuration with only 2 internal /32 addresses added to the access route include list. We regularly see traffic from GP clients destined for Internet IP addresses hit the Palo over the client tunnel. This is from several IOS clients - we don't have any other client O/S'es to test with. Is there any reason destinations not included in the include list would sometimes route over the tunnel?

 

PANGps.log shows the correct routes being installed on the client. The incorrect packets don't seem to coincide with any issues in the client log like a reconnection.  We have a fairly basic configuration. Connection method - On Demand, "No direct access to local network" option not ticked. 

 

Researching the destination addresses and ports seem to indicate these are related to messaging clients and some are to apple's range on 17.x.x.x. I have also specifically added 17.0.0.0/8 to the  Exclude access rule but still receive traffic destined there.  Is it possible that some apps don't use the routing table on IOS and sometimes use the tunnel interface?

 

Thanks

Andy

1 REPLY 1

Cyber Elite
Cyber Elite

yes, I have seen vendor's IP stacks on their devices not follow the standards.

 

There is very little we can do to prevent this and I share your frustrations.

Help the community: Like helpful comments and mark solutions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!