GlobalProtect VPN blocks/discards packets to broadcast


L0 Member

Hi all!

We have a strange behaviour here with GlobalProtect and I hope someone here has a solution.

We use GlobalProtect for Windows (version 6.2.8) as the VPN client for our remote workers, in combination with a PA-460 running PAN-OS 11.1.6-h, with an IPsec full tunnel with Pre-Logon.
Now we have a client application that sends UDP packets through the local link address 127.0.0.1 to the broadcast address 255.255.255.255 on port 28882, where another local application/service is listening (listener running on 127.0.0.1:28882) for input to do something. Please just don't ask why this application is built this way, but it is what it is.
Without VPN this works very well; with other VPN clients like Cisco Secure Client this also works without any problems.
And now here comes the problem: these packets seem to completely disappear when the VPN tunnel is established with GlobalProtect. Even with tools like Wireshark these packets don't show up on any interface, and on the firewall side these packets also don't show up in the logs.

We now have a workaround: excluding the local application that's sending the packets from the VPN tunnel (split tunnel exclusion for the application in the VPN gateway config). Most of the time this works as expected, but from time to time it suddenly stops working. Then the only thing that works is to clear the local GlobalProtect config files (.dat files) from local appdata and the GlobalProtect folder and restart the PanGPS service.
I also tried to split-exclude traffic to 255.255.255.255 from the VPN, but it's not possible to set this.

Is there any setting in the GlobalProtect app or on the firewall side to not block/discard these packets to 255.255.255.255?

Any help would be appreciated.

Thank you.

1 REPLY

Cyber Elite

@CEhrl,

I think your best course of action here is to pursue why the application split-tunneling isn't working consistently. You'll likely have an easier time chasing that with TAC than you will trying to get GlobalProtect agent/adapter behavior modified since that would be seen as a feature request. 

  • 471 Views
  • 1 replies
  • 0 Likes
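
A reproduction probe for the symptom described in the question, added here as an example; it is not part of the thread and not Palo Alto Networks code. It sends one tagged UDP datagram from 127.0.0.1 to 255.255.255.255:28882 and checks whether a listener on 127.0.0.1:28882 receives it, with a unicast loopback send as the control. The function name `probe` and its status strings are this example's own, and it assumes the application's real listener is stopped so the port is free.

```python
import socket
import time
import uuid

PORT = 28882  # UDP port named in the post


def probe(dest, port=PORT, local="127.0.0.1", timeout=1.0):
    """Send one tagged datagram from `local` to dest:port and report whether
    a listener bound to local:port receives it.

    Returns "delivered", "lost", "bind-error: ..." or "send-error: ...".
    """
    token = uuid.uuid4().hex.encode()  # unique payload so stray traffic is ignored
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        try:
            rx.bind((local, port))
            tx.bind((local, 0))  # force the loopback source address
        except OSError as exc:
            return f"bind-error: {exc}"
        port = rx.getsockname()[1]  # resolves port=0 to the assigned port
        tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        try:
            tx.sendto(token, (dest, port))
        except OSError as exc:
            return f"send-error: {exc}"
        deadline = time.monotonic() + timeout
        while (remaining := deadline - time.monotonic()) > 0:
            rx.settimeout(remaining)
            try:
                data, _ = rx.recvfrom(2048)
            except socket.timeout:
                break
            if data == token:
                return "delivered"
        return "lost"


if __name__ == "__main__":
    # Control first: if unicast loopback fails, the broadcast result means nothing.
    for label, dest in (("unicast control", "127.0.0.1"),
                        ("limited broadcast", "255.255.255.255")):
        print(f"{time.strftime('%H:%M:%S')} {label:18} {dest:16} {probe(dest)}")
```

Run it on the affected Windows client with the tunnel down, with the tunnel up, and again when the split-tunnel exclusion stops working; the timestamped lines give a reproducible case to attach to a TAC ticket.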