02-09-2021 10:02 AM
PanOS 9.1.4, GP client 5.2.7-6.
We have a split tunnel configuration with only 2 internal /32 addresses added to the access route include list. We regularly see traffic from GP clients destined for Internet IP addresses hit the Palo over the client tunnel. This is from several IOS clients - we don't have any other client O/S'es to test with. Is there any reason destinations not included in the include list would sometimes route over the tunnel?
PANGps.log shows the correct routes being installed on the client. The incorrect packets don't seem to coincide with any issues in the client log like a reconnection. We have a fairly basic configuration. Connection method - On Demand, "No direct access to local network" option not ticked.
Researching the destination addresses and ports seem to indicate these are related to messaging clients and some are to apple's range on 17.x.x.x. I have also specifically added 17.0.0.0/8 to the Exclude access rule but still receive traffic destined there. Is it possible that some apps don't use the routing table on IOS and sometimes use the tunnel interface?
Thanks
Andy
02-17-2021 05:54 AM
yes, I have seen vendor's IP stacks on their devices not follow the standards.
There is very little we can do to prevent this and I share your frustrations.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
