Global Protect is blocking my internet


Help! I recently relocated to another state for a few months. My company laptop requires Global Protect VPN. It's always worked fine on any network I've used as well as my wifi hotspot or tethered to my phone. But with the new Nextlink service, I can log into Global Protect and use all company resources normally. Teams, Outlook etc. all work great. But I have zero access to the web or any web-based apps that I need to do my job.

Another clue is that my firestick works great with the Nextlink service unless I turn on that VPN. 

I've worked with Nextlink for 2 weeks to solve this and I was assigned a static IP address. It made no difference at all. I've studied MTU rates etc. but haven't found anything to work. I REALLY need this to be corrected, but none of the tech folks seem to know how to fix it. Any ideas at all would help.

PS I've done all the tests, bypassed the router, used a cord instead of wireless etc.

 

1 accepted solution

Accepted Solutions

Hi @Fenderbender 

Looking at the provided information it seems your company is applying "full-tunnel" mode for your GlobalProtect connection. This means that when GlobalProtect is connected, all of your traffic is forwarded over the tunnel, that includes traffic to internal resources as well as any traffic to public internet.

 

- From picture T-shooting1 you can see that your PC has two default routes (0.0.0.0); the first one is pointing to your local internet provider. The second one is assigned by GlobalProtect and pointing to the tunnel. On the far right you see a column called "metric"; this is similar to priority (lower is better). Metric is used to choose which route to use when similar routes are pointing in different directions. In your case the default route pointing to the GP tunnel is preferable, which means all access to public internet is routed over the tunnel.

- From pictures T-shooting3 and 4 we can see that DNS for public sites is actually working (my first assumption was wrong). I am not sure which DNS you are using - "server" from pic 3 is different from your local internal network (based on the gateway from pic 1), but it probably doesn't matter at this point since we know DNS is working.

 

Mainly because of the routing table of your PC it looks like your internet access is routed over the tunnel and sent to your company firewall. It is better to contact the IT in your company so they can check the logs, there could be a ton of reasons and if we don't know the firewall configuration it will be shooting in the dark.

 


3 REPLIES 3

Hi @Fenderbender ,

When you said GlobalProtect connects and you can reach internal resources, but no internet, this should mean two things:

- Your company is applying split-tunnel (route only internal/specific networks over the GlobalProtect tunnel, while anything else is routed locally). You should be able to confirm this by opening a command prompt (or PowerShell) and running the command "route print". The most important information in this output is where the route for 0.0.0.0 points (is it your local gateway IP, are there two routes for 0.0.0.0).

- Your internet is indeed actually working - because if it weren't, GlobalProtect wouldn't be able to connect and stay connected.

 

If my guess for the split tunnel is correct I would start with potential DNS issues.

While you are connected to GlobalProtect check the following with command prompt (powershell):

- ping 8.8.8.8 - do you see replies?

- ping google.com - do you see replies?

- nslookup google.com - do you see a resolved IP? What server IP do you see in the reply?

- route print - where does 0.0.0.0 point? are there two entries?

 

If you could provide some screenshots/output it will be useful, but I would suggest you hide some part of the actual IP addresses, especially the addresses related to the GP VPN.
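The `route print` check from this reply, combined with the lowest-metric rule described in the accepted solution, as an added example that is not part of any post in this thread. The route table lines are constructed sample data, and `tunnel_ip` is a hypothetical parameter: the address of the VPN adapter, which you would read from `ipconfig`.

```python
import re

# Constructed sample rows in the layout of the "IPv4 Route Table" section of
# Windows `route print`. All addresses are made up; 10.20.30.40 stands in for
# the VPN adapter and 192.168.1.1 for the home router.
HEADER = "Network Destination        Netmask          Gateway       Interface  Metric\n"
LOCAL = "          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     35\n"
TUNNEL = "          0.0.0.0          0.0.0.0          On-link      10.20.30.40      1\n"
INNER = "         10.0.0.0        255.0.0.0          On-link      10.20.30.40      1\n"
SAMPLE_FULL = HEADER + LOCAL + TUNNEL + INNER   # default route via the tunnel wins
SAMPLE_SPLIT = HEADER + LOCAL + INNER           # only internal networks via the tunnel

IP = r"(\d+(?:\.\d+){3})"
# destination, netmask, gateway (an IP or "On-link"), interface IP, metric
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\S+)\s+{IP}\s+(\d+)\s*$")


def default_routes(route_print_text):
    """Return [(gateway, interface_ip, metric)] for every 0.0.0.0/0 route."""
    routes = []
    for line in route_print_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            routes.append((m.group(3), m.group(4), int(m.group(5))))
    return routes


def tunnel_mode(route_print_text, tunnel_ip):
    """Classify where internet-bound traffic goes while the VPN is connected.

    tunnel_ip is a hypothetical parameter: the VPN adapter's address taken
    from ipconfig. This function does not detect the adapter itself.
    """
    routes = default_routes(route_print_text)
    if not routes:
        return "no-default-route"
    # Lower metric is preferred, so the lowest-metric default route carries
    # everything not matched by a more specific route.
    winner = min(routes, key=lambda r: r[2])
    return "full-tunnel" if winner[1] == tunnel_ip else "split-tunnel"


if __name__ == "__main__":
    for name, text in (("full", SAMPLE_FULL), ("split", SAMPLE_SPLIT)):
        print(name, default_routes(text), tunnel_mode(text, "10.20.30.40"))
```

A "full-tunnel" result means web traffic is leaving through the company firewall, so the place to look next is that firewall's logs rather than the local ISP.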

Thank you for the reply! I appreciate any help you can provide.

Here are the screenshots you mentioned with personal info blocked.

 
