GlobalProtect Split-Tunnel - Some Clients get Invalid Address Errors to Excluded Domains

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect Split-Tunnel - Some Clients get Invalid Address Errors to Excluded Domains

We've published GlobalProtect 5.0.5

 

I added some Exclude Domains and Applications to our Gateway's Split-Tunnel configuration over the weekend.  Afterwards, about 5-10% of our VPN clients can not access these domains at all while on VPN.  The domains work fine when disconnected.  We've had reports of problems with Mac and Windows, but all of my testing has been on Windows.

 

I've found this simple test detects the problem.  The test works with any domain in the exclude domains list.  In this case, I've added "*.zoom.us" to the list.

Open powershell and run the command

$tc = New-Object System.Net.Sockets.TcpClient("www.zoom.us",80)

On computers that are ok, that command will have no output. On computers with the problem, the output is like

New-Object : Exception calling ".ctor" with "2" argument(s): "The requested address is not valid in its context 3.235.72.190:80"

Any application that tries to access these domains fails with similar errors.  For example, some browsers show ERR_ADDRESS_INVALID

 

I'm wondering if anybody else has encountered something like this.

3 REPLIES 3

L6 Presenter

Has someone also tested the Split DNS to exclude also the  DNS traffic for the affected domains if this helps as maybe as written in the article for zoom split tunnel palo alto does not know the full ip list of the zoom domains and also the exclusion could be just if zoom is installed in the corect folder ?

 

Split DNS:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBJ5CAO&lang=en_US%E2%80%A...

 

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-rele...

 

 

Zoom split tunnel:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UkECAU&lang=en_US%E2%80%A...

L6 Presenter

Also atleast for zoom there is a new article that uses the enchanced spllit tunnel by app process and domain (https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel...) as some fqdn like zoom have too many dinamic ip addresses that change and this could be the issue as maybe sometimes some traffic is send over the tunnel other is not. I am thinking of this as the F5 BIG-IP APM module that is also for VPN and other things has article " K91493443: Network Access - Microsoft Teams application not honoring split tunneling exclusion address space " and their solution is to block the traffic that is going to the zoom servers if it is sourced by the a VPN ip address. In other words the zoom and other applications addresses change too often and even the DNS FQDN resolution may return a different list to the clients or the Palo Alto firewall if split DNS is not enabled, so maybe this is why I think testing with excluding the application processes and split dns for zoom and other applications with many dynamic ip addresses as the best option if this is the issue.

 

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UkECAU&lang=en_US%E2%80%A...

 

 

Has anyone followed this article and enabled split DNS and still having the issue with zoom?

L0 Member

This is still happening even on 5.2.12-26 and in our case on an INCLUDED domain.

 

it seems that whatever the GPS service is doing to hook the kernel for intercepting tcp/udp socket attempts gets into a bad state for certain IPs on some unknown condition... and once they are in that state only a restart of the service to clear the table in memory will fix it.

  • 6920 Views
  • 3 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!