GlobalProtect Split-Tunnel - Some Clients get Invalid Address Errors to Excluded Domains

We've published GlobalProtect 5.0.5

I added some Exclude Domains and Applications to our Gateway's Split-Tunnel configuration over the weekend. Afterwards, about 5-10% of our VPN clients cannot access these domains at all while on VPN. The domains work fine when disconnected. We've had reports of problems with Mac and Windows, but all of my testing has been on Windows.

I've found this simple test detects the problem.  The test works with any domain in the exclude domains list.  In this case, I've added "*.zoom.us" to the list.

Open PowerShell and run the command:

$tc = New-Object System.Net.Sockets.TcpClient("www.zoom.us",80)

On computers that are ok, that command will have no output. On computers with the problem, the output is like:

New-Object : Exception calling ".ctor" with "2" argument(s): "The requested address is not valid in its context 3.235.72.190:80"

Any application that tries to access these domains fails with similar errors. For example, some browsers show ERR_ADDRESS_INVALID.

I'm wondering if anybody else has encountered something like this.
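
The test described in the post, extended as an added example (not part of the original post and not vendor code): it runs the same TcpClient connect against each resolved IPv4 address of a list of hosts and reports whether the failure is Winsock error 10049 (AddressNotAvailable, the "requested address is not valid in its context" message), together with the source address and interface Windows selects for that destination. The host list and the function name `Test-ExcludedHost` are assumptions; substitute hosts that match your own Exclude Domains entries.

```powershell
# Added example. Assumption: $hosts holds names covered by the gateway's
# Exclude Domains list (only www.zoom.us comes from the post).
$hosts = @('www.zoom.us')

function Test-ExcludedHost {
    param([string]$HostName, [int]$Port = 80)

    try   { $addresses = [System.Net.Dns]::GetHostAddresses($HostName) }
    catch { Write-Warning "DNS lookup failed for ${HostName}: $($_.Exception.Message)"; return }

    foreach ($ip in $addresses) {
        if ($ip.AddressFamily -ne 'InterNetwork') { continue }   # IPv4 only

        # Source address and interface the routing table selects for this destination.
        $src = Find-NetRoute -RemoteIPAddress $ip.IPAddressToString |
               Where-Object { $_.IPAddress } | Select-Object -First 1

        $client = New-Object System.Net.Sockets.TcpClient
        $result = 'OK'
        try {
            $client.Connect($ip, $Port)   # blocking connect, same call path as the post's test
        }
        catch {
            # PowerShell wraps the SocketException; walk down to it.
            $ex = $_.Exception
            while ($ex -and $ex -isnot [System.Net.Sockets.SocketException]) {
                $ex = $ex.InnerException
            }
            $result = if ($ex) { "$($ex.SocketErrorCode)" } else { $_.Exception.Message }
        }
        finally { $client.Close() }

        [pscustomobject]@{
            Host         = $HostName
            RemoteIP     = $ip.IPAddressToString
            SourceIP     = $src.IPAddress
            Interface    = $src.InterfaceAlias
            Result       = $result
            # True when the failure is the one reported in the post (Winsock 10049).
            InvalidAddr  = ($result -eq 'AddressNotAvailable')
        }
    }
}

$hosts | ForEach-Object { Test-ExcludedHost -HostName $_ } | Format-Table -AutoSize
```

Running this on an affected and an unaffected client and comparing the SourceIP and Interface columns shows whether the two machines pick different local interfaces for the excluded destination.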
