This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

traffic not following the route

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

traffic not following the route

JoergSchuetter
L4 Transporter

‎03-05-2021 06:27 AM

Hello

 

We have set split tunnel for our Win10 clients, GP is version 5.1.6 and 5.2.5. PAN-OS is 9.1.7.

- default route to firewall

- bypass tunnel for some network ranges (e.g. MS-Teams)

- bypass tunnel for some URLs (e.g. MS-Teams)

- enable DNS-Split

 

For a small fractions of the users I see the MS-Teams traffic sent back to the firewall (expected was it is bypassing the tunnel).

The routing table on the client looks correct. Based on the routes the traffic should never be sent via the tunnel.

We tried to remedy a potential issue with the network interface with "netsh int ip reset" as administrator, same result.

 

Any idea what could cause such a strange behavior?

0 Likes Likes
4 REPLIES 4

Pawel_G
L1 Bithead

‎03-05-2021 08:57 AM

Hello,

 

I would recommend to you to take logs from the Global Protect Client at the time when user is trying to connect to Teams.

I would also collect logs from FW from user IP to see what is destination of Teams Server that user is trying to connect. Microsoft is adding IP ranges all the time for different servers around the world. How many Agents Portals, Gateways did you create?

 

 

0 Likes Likes

JoergSchuetter
L4 Transporter
In response to Pawel_G

‎03-06-2021 11:21 AM

Hello @Pawel_G 

Unfortunately there is nothing in the logs which raises my attention.

The traffic seen on the firewal is sent to an IP address which is covered by split tunnel.

0 Likes Likes

Pawel_G
L1 Bithead
In response to JoergSchuetter

‎03-07-2021 08:59 PM

Hello Joerg,

 

I would also check your User ID Agent for logs. Sometimes when User ID loose connection to Agent, GP will not pickup Group that you specify.

Also I would  collect packet captures.

 

 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite

‎03-07-2021 10:43 PM

@Pawel_G group mapping is not controlled through the User-ID agent, so losing connection can't impact group mapping

@JoergSchuetter have you tried reinstalling+upgrading to 5.1.8 the GP agent on one of the affected devices? I've seen something similar both with a bug in the GP agent, and an install that somehow failed to properly bind the gp virtual interface

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 2739 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks