PA500 split tunnelling DNS question



Have a PA 500 set up for split tunnelling - so clients access internet locally and all other traffic is passed over VPN tunnel to our office.

I have DHCP set up on PA box so clients get primary DNS server (local ISP one) and secondary DNS (office one).

I have set up a rule from trust to untrust to allow application DNS and service DNS, however I am getting errors saying failed to resolve domain name.

So I SSH to the box and cannot ping host, nor can I ping host by IP.

Any ideas please?






If you cannot ping by IP as well, it is unlikely to be a DNS problem. Would you check the traffic log to see if any traffic has been denied?


I am seeing traffic denied from untrust to untrust per my last global deny rule, application not applicable.

Doesn't seem to be any other deny.



Hi Sue,

Try to do this:

1. go to to check the public IP you are using before you connect to the SSLVPN.

2. Start the VPN connection and check if there is any denied traffic from your public IP address.

3. Most likely you will see that traffic from your public IP address, from untrust to untrust on port 443, is being denied. In that case you should add SSL as the app and app. default as the port no.

4. Remember to add the NAT policy for your client.

Thanks for your reply... but the traffic over the VPN tunnel into the company's network is working OK.

The issue is just with internet access and DNS, it seems...


Hi Sue,

So would you run ipconfig to see if the DNS setting is well populated? Also check the "route print" output to see if the routing to the SSLVPN gateway just covers the corporate network subnet, and run a traceroute to check which is the next hop for traffic to
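The "route print" check suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that parses Windows `route print -4` output and flags routes that break a split-tunnel layout. The sample output, the VPN interface address `10.1.200.7` and the corporate subnet `10.1.0.0/16` are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of Windows `route print -4` output (not from the thread).
SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
         10.1.0.0      255.255.0.0          On-link      10.1.200.7      1
       172.16.0.0      255.240.0.0          On-link      10.1.200.7      1
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
        224.0.0.0        240.0.0.0          On-link      10.1.200.7    257
===========================================================================
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# destination, netmask, gateway (IP or "On-link"), interface, metric
ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+({IP})\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each route row."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes

def audit_split_tunnel(text, vpn_iface, corporate):
    """List deviations from 'only corporate subnets go into the tunnel'."""
    corp = [ipaddress.ip_network(c) for c in corporate]
    routes = parse_routes(text)
    findings = []
    for net, _gw, iface, _metric in routes:
        # Skip other interfaces and the per-interface multicast/host routes.
        if iface != vpn_iface or net.is_multicast or net.prefixlen == 32:
            continue
        if net.prefixlen == 0:
            findings.append("default route uses the VPN interface (full tunnel)")
        elif not any(net.subnet_of(c) for c in corp):
            findings.append(f"{net} is routed into the tunnel but is not corporate")
    if not any(n.prefixlen == 0 and i != vpn_iface for n, _g, i, _m in routes):
        findings.append("no default route via the local gateway")
    return findings

if __name__ == "__main__":
    for finding in audit_split_tunnel(SAMPLE, "10.1.200.7", ["10.1.0.0/16"]):
        print(finding)
```

An empty result means the default route stays on the local gateway and only the listed corporate subnets are sent into the tunnel.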

Just to let you know this is resolved.

The issue was that the default route was set to go via an interface rather than IP address - once I changed it to IP, all web browsing and DNS worked fine.

Just for info.

Thanks for replies.


Hi Sue,

Good to know that :)
