Reset Search



KB40385 - Layer 4 (L4) Per App VPN does not tunnel UDP based traffic on iOS devices.

« Go Back


Last Modified Date12/7/2016 9:16 PM
This article describes an issue where UDP based traffic (i.e. Kerberos traffic) is not sent through the L4 Per App VPN tunnel on iOS devices.
Problem or Goal
After an end user connects to the Pulse Connect Secure device using Pulse Mobile client, certain applications may fail to connect or work properly due to UDP based traffic is not sent through the Per App VPN tunnel.
This issue occurs due to a limitation to the Layer 4 Per App VPN tunnel on iOS devices.  Due to a limitation from Apple, only DNS and TCP based traffic will be sent through the L4 Per App VPN tunnel.
To resolve this issue, please change the MDM configuration to support Layer 3 (L3) Per App VPN.  

L3 Per App VPN does support sending and receiving UDP traffic over the Per App VPN tunnel.  To support L3 Per App VPN, the following requirement must be met: 
  • Endpoint is running iOS 9.0 and above
  • Endpoint has installed the latest Pulse Mobile for iOS client
  • Configure Pulse Workspace policy with Use L3 VPN set to true.
User-added image
Note:  MobileIron does support L3 Per App VPN.  For other MDM vendors, please check with the vendor if packet-tunnel is supported for ProviderType in the VPN profile.
Related Links
Attachment 1 
Created ByK. Kitajima



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255