This issue can occur because of a route overlap: the Hotspot assigns the wireless adapter on the endpoint an IP address that is on the same network as a network defined in the split tunneling policy, and the Split Tunneling policy specifies no additional networks that allow access to Internet resources.
This issue can only affect VPN tunnel configurations with split tunneling enabled. If split tunneling is disabled, this issue does not apply, because all traffic is sent through the VPN tunnel.
Example scenario:
- The Hotspot network assigns the wireless adapter on the PC an IP address of 172.20.10.7, and the default gateway for the route is 172.20.10.1.
- The Split Tunneling policy on the PCS device has a network defined as 172.20.0.0/16.
- The user attempts to access www.pulsesecure.net.
- www.pulsesecure.net resolves to 18.104.22.168.
- The Split Tunneling policy does not include a network entry allowing traffic to 22.214.171.124.
- Since the first hop from the PC's default network is 172.20.10.1, this traffic gets tunneled because it matches the network defined in the ST policy of 172.20.0.0/16.
- Since there is no resource defined in the ST policy allowing traffic to 126.96.36.199, the request gets dropped at the PCS device and the site cannot be reached.
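The scenario above can be checked ahead of time by comparing the adapter's address and default gateway against the split tunneling networks. The following Python sketch is an added example, not Pulse Secure code: the function names, the result labels, the destination 203.0.113.10 and the 192.168.43.x hotspot are constructed for illustration, and the classification models only the behaviour described above.

```python
import ipaddress

def overlapping_networks(local_ip, gateway, split_tunnel_networks):
    """Return the split-tunnel networks that contain the adapter IP or its gateway."""
    hosts = [ipaddress.ip_address(local_ip), ipaddress.ip_address(gateway)]
    hits = []
    for cidr in split_tunnel_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(h in net for h in hosts):
            hits.append(str(net))
    return hits

def classify(destination, local_ip, gateway, split_tunnel_networks):
    """Model of the outcome described above (an assumption, not the client's real logic).

    tunneled-allowed: destination is itself covered by the split-tunnel policy
    tunneled-dropped: destination is not covered, but the local first hop overlaps
                      a policy network, so traffic enters the tunnel and is dropped
    direct:           no overlap, traffic leaves through the local gateway
    """
    dest = ipaddress.ip_address(destination)
    nets = [ipaddress.ip_network(c, strict=False) for c in split_tunnel_networks]
    if any(dest in n for n in nets):
        return "tunneled-allowed"
    if overlapping_networks(local_ip, gateway, split_tunnel_networks):
        return "tunneled-dropped"
    return "direct"

if __name__ == "__main__":
    policy = ["172.20.0.0/16"]            # split-tunnel network from the scenario
    internet_dest = "203.0.113.10"        # constructed Internet address (documentation range)
    # Hotspot values from the scenario: overlap with the policy network
    print(overlapping_networks("172.20.10.7", "172.20.10.1", policy))
    print(classify(internet_dest, "172.20.10.7", "172.20.10.1", policy))
    # Constructed non-overlapping hotspot: Internet traffic stays local
    print(classify(internet_dest, "192.168.43.25", "192.168.43.1", policy))
```

A non-empty result from `overlapping_networks` means the hotspot addressing collides with the policy and the endpoint is exposed to the failure described above.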