Reset Search
 

 

Article

KB16725 - What is the maximum number of split tunnel networks per tunnel?

« Go Back

Information

 
Last Modified Date11/14/2016 9:27 PM
Synopsis
This article provides information about the maximum number of split tunnel routes per tunnel.
Problem or Goal
Cause
Solution
The current limitation for each tunnel is 256 Split Tunneling routes. If there is more than 256 split tunnel routes assigned to a tunnel, Network Connect and Pulse Secure Desktop client will fail to connect until the split tunnel routes are reduced.  


Prior to 8.1R7 and below:


The following assertion will appear in the event logs:

dsagentd(3724) vc0  0  assert.cc:482 - * assertion in IkeMessage.cpp:476, 
void ifttls::IkeTrafficSelectorPayload::addTrafficSelector(uint8_t, uint32_t, uint32_t), 
assert (m_numSelectors < 255), 19 frames

The impact of the assertion is minimal.  After the assertion is created, the dsagentd process will no longer be able to handle tunnel creation request or IP address assignments for tunnels until a new dsagentd process is created.  The new process should be created within 1 to 2 seconds.


After 8.1R7 and above:

The assertion no longer occurs and the following message will appear in the event log:
 
Failed to set Split-Tunneling networks for user XXXXX. There can only be up to a maximum 
of 256 split-tunneling routes applied per VPN tunnel.
The impact of this message is limited to the specific user who exceeds the 256 split tunnel routes.  Until the split tunnel routes are reduced, the following end user will continue to fail and produce the following message in the event logs.
 

How to reduce the number of split tunnel routes?

The total number of split tunnel routes are calculated by the total number of split tunnel routes for each assigned user role.  For example, user A is assigned may be assigned to multiple roles.  
  • ROLE A (15 split tunnel routes)
  • ROLE B (20 split tunnel routes)
  • ROLE C (10 split tunnel routes)
If user A is assigned to all 3 roles, the total split tunnel routes would be 45 split tunnel routes.  If user A is assigned to ROLE A and ROLE B, then the total split tunnel routes would be 35 split tunnel routes. The administrator should evaluate all user roles the problematic end user is assigned to and consolidate individual split tunnel routes and ports by ranges or eliminate duplicate or unnecessary routes.  

For example:

192.168.1.2, 192.168.1.3, 192.168.1.4 can be converted to 192.168.1.2-192.168.1.4

 

Note: There is no limitation on the total number of split tunnel networks/policies that can be configured on the PCS device.

Related Links
Attachment 1 
Created ByData Deployment

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255