Global Protect messes up my DNS route table on MacOS



L3 Networker

Hello!  Quick question.

I just configured GlobalProtect. When I first configured it, I was sending all traffic through the tunnel, which wasn't working well. So afterward I set it to allow split tunneling. But here's the problem:

The first computer (macOS), which I enrolled in GP when I was forcing all traffic through the tunnel, now will not connect to the internet when connected to GP, although it does connect to GP assets fine. Another macOS computer that I enrolled after I turned on split tunneling works to access the internet perfectly as well as GP assets.

Turns out this is a DNS issue on the first computer. The routing table on the troublesome computer reveals I have duplicate DNS entries in the routing table: two that are pointing to the IP I receive after connecting to the GP gateway (these have priority as they appear first in the list), and two more that are pointing where they should. When I manually update my routing table to remove the DNS entries pointing to the IP I receive after connecting to the GP gateway, all my troubles vanish: I can access the GP assets as well as my local network.

However, restarting the computer and reconnecting to GP restores the routing table to the incorrect state. When I disconnect from GP, the rogue DNS entries disappear and my routing table behaves normally, allowing normal internet access. When I reconnect to GP, my DNS routing table entries are messed up again. I have deleted the GP app and re-installed it, but the incorrect routing table entries are still there. I have flushed my routing table completely, but upon connecting to GP, the rogue DNS entries in the routing table mysteriously appear.

As I said above, I enrolled a second computer in GP and it connects normally and doesn't have the rogue DNS entries.  It's just the first computer that is messed up now, the one I enrolled when I was still forcing all traffic to use the GP tunnel.

Any idea what I can do to fix the problem?

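What the post describes is a routing-table check: list the routes with `netstat -rn`, find the DNS server addresses that appear twice, and remove the copies that point at the address handed out from the GlobalProtect pool. The script below is an added example, not the poster's commands and not Palo Alto Networks code. It runs the same analysis over a constructed `netstat -rn` sample embedded in the script; the DNS servers 8.8.8.8 and 8.8.4.4, the LAN gateway 192.168.1.1, the tunnel address 10.0.0.1 and the interface names are assumptions chosen to match the post. It only prints the `route` delete commands (assumed macOS route(8) syntax) for manual review rather than executing anything.

```shell
#!/bin/sh
# Added example, not from the original thread. Analyses a CONSTRUCTED sample of
# `netstat -rn` output shaped like the post: two host routes for each DNS server,
# one via the assumed GlobalProtect tunnel address (10.0.0.1, on utun4) and one
# via the assumed LAN gateway (192.168.1.1, on en0). Nothing touches the system.

SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
8.8.8.8            10.0.0.1           UGHS         utun4
8.8.8.8            192.168.1.1        UGHS           en0
8.8.4.4            10.0.0.1           UGHS         utun4
8.8.4.4            192.168.1.1        UGHS           en0
127                127.0.0.1          UCS            lo0
192.168.1          link#6             UCS            en0'

TUNNEL_GW="10.0.0.1"   # assumed: the address received from the GP IP pool

# find_dup_routes TABLE
# Prints "destination gateway netif" for every host route (flag H) whose
# destination appears more than once, keeping the table's own order so the
# first-listed copy, the one the kernel will use, comes out first.
find_dup_routes() {
    printf '%s\n' "$1" | awk '
        $3 ~ /H/ { n[$1]++; rows[NR] = $1 " " $2 " " $4 }
        END {
            for (i = 1; i <= NR; i++)
                if (i in rows) {
                    split(rows[i], f, " ")
                    if (n[f[1]] > 1) print rows[i]
                }
        }'
}

# cleanup_cmds TABLE TUNNEL_GW
# For each duplicate host route that points at the tunnel address, prints the
# macOS route(8) command that would remove just that copy. Naming the gateway
# leaves the LAN copy in place. Output only; run with sudo after reviewing it.
cleanup_cmds() {
    find_dup_routes "$1" | awk -v gw="$2" \
        '$2 == gw { print "sudo route -n delete -host " $1 " " $2 }'
}

# first_match TABLE DESTINATION
# Shows which gateway the table lists first for a destination, i.e. which of
# the duplicate entries currently wins.
first_match() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Stand-alone run: report the duplicates, who wins, and the proposed cleanup.
echo "Duplicate host routes (table order):"
find_dup_routes "$SAMPLE_NETSTAT"
echo "8.8.8.8 currently resolves via: $(first_match "$SAMPLE_NETSTAT" 8.8.8.8)"
echo "Proposed cleanup:"
cleanup_cmds "$SAMPLE_NETSTAT" "$TUNNEL_GW"
```

To use it against a real machine, replace `SAMPLE_NETSTAT` with `"$(netstat -rn)"` and set `TUNNEL_GW` to the address GlobalProtect assigned. A caveat the poster's follow-up illustrates: a routing table that looks the same on a working and a non-working Mac means the routes alone are not the cause, so also compare the resolver order with `scutil --dns` before deleting anything.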
2 Replies

L3 Networker

Here are photos showing the problem. The first is netstat output showing DNS routing when not connected to GP; everything works as expected.

The second photo shows what happens to DNS when I connect to GP. 10.0.0.1 is the IP I was given from the IP pool after I connected to GP. DNS obviously doesn't work.


[Screenshots: Screen Shot 2021-05-19 at 11.22.03 AM.png, Screen Shot 2021-05-19 at 11.21.47 AM.png]

L3 Networker

Well, it looks like I may be wrong about my above conclusion! The netstat output of the working computer is exactly the same as the output of the non-working computer pictured above! The only other difference between the computers is that the working computer is running macOS 10.14.6, and the non-working one is running macOS 11.2.3.

If anyone has any pointers, I'd be glad to hear.
