KB40419 - Internet sites are not reachable for VPN users while connected using Hotspot cellular service

Last Modified Date: 2/11/2017 12:46 AM
This article describes an issue where VPN users are not able to reach Internet resources when connected using a Hotspot cellular service such as a Verizon MiFi device.
Problem or Goal
When an end user connects to the Internet using a Hotspot cellular service on a mobile device (such as a Verizon MiFi) and then establishes a VPN connection, all traffic is routed into the VPN tunnel even though split tunneling is enabled on the user role.  The user is only able to reach internal corporate sites.

When VPN is disconnected, full Internet access is restored.
This issue can occur due to a route overlap: the Hotspot assigns the wireless adapter on the endpoint an IP address that is on the same network as a network defined in the split tunneling policy, and the Split Tunneling policy contains no additional network entry that allows access to Internet resources.

This issue can only affect VPN tunnel configurations with split tunneling enabled.  If split tunneling is disabled, this issue would not apply since all traffic would be sent through the VPN tunnel.

For example:
  • The Hotspot network assigns the wireless adapter on the PC an IP Address of and the default gateway for the route is
  • The Split Tunneling policy on the PCS device has a network defined as
  • The user attempts to access
  • resolves to
  • The Split Tunneling policy does not include a network entry allowing traffic to
  • Since the first hop from the PC's default network is this traffic gets tunneled because it matches the network defined in the ST policy of
  • Since there is no resource defined in the ST policy allowing traffic to the request gets dropped at the PCS device and the site cannot be reached.

To determine if route overlap is the reason the Hotspot user is unable to access Internet sites over the VPN tunnel, review the following steps:
  1. Before launching the VPN connection, have the user connect the endpoint using the Hotspot WAP and confirm that the user can browse to an Internet site such as
  2. Have the user launch the VPN connection.
  3. Have the user open a command line window and run a traceroute to the same Internet site that was confirmed to work in step 1 with the following command:
  4. If the first hop in the traceroute is (or the IP address configured as the VPN Tunnel Server IP Address) and not the hotspot's default gateway IP (i.e. then the traffic is being routed through the VPN tunnel.

To resolve this issue, use one of the following options:
  • Modify all networks defined in the split tunneling policy that would match the gateway IP of the user's Hotspot OR
  • Go to the VPN Tunneling options on the role and set the route precedence to "Endpoint Routes" OR
  • Create a new role for Hotspot users that has split tunneling disabled and allow all traffic to be tunneled over the VPN and out to the Internet through the PCS gateway.
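The following script is an added example, not part of this KB article or of the Pulse Connect Secure product, that models the route overlap described in the cause section and the first resolution option (narrowing the split tunneling networks). All addresses, the policy networks and the destination host are constructed sample values, and the decision rules in diagnose() are a simplified model of the behaviour the article describes, not the client's actual routing code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (not from the KB article): the hotspot hands the
# laptop an address inside a /16 that the split tunneling policy also claims.
HOTSPOT_ADAPTER = "192.168.1.10/24"      # adapter address and mask from the hotspot
HOTSPOT_GATEWAY_IP = "192.168.1.1"       # hotspot's default gateway (first hop)
SPLIT_TUNNEL_POLICY = ["10.0.0.0/8", "192.168.0.0/16"]   # networks sent into the tunnel
INTERNET_HOST_IP = "203.0.113.10"        # what the public site resolves to (TEST-NET-3)


def matching_networks(address, policy):
    """Return the policy networks (as strings) that contain the given address."""
    ip = ipaddress.ip_address(address)
    return [n for n in policy if ip in ipaddress.ip_network(n, strict=False)]


@dataclass
class Diagnosis:
    gateway_overlap: list    # policy networks that swallow the hotspot gateway
    destination_in_policy: list
    tunneled: bool           # does the traffic enter the VPN tunnel?
    reachable: bool          # does the site actually get answered?


def diagnose(gateway_ip, policy, destination):
    """Simplified model of the article's reasoning: if the hotspot gateway sits
    inside a split tunneling network, the default route's first hop is captured
    by the tunnel; the PCS gateway then only forwards destinations the policy
    lists and drops everything else."""
    overlap = matching_networks(gateway_ip, policy)
    dest_match = matching_networks(destination, policy)
    tunneled = bool(dest_match) or bool(overlap)
    reachable = bool(dest_match) if tunneled else True
    return Diagnosis(overlap, dest_match, tunneled, reachable)


def carve_out(policy, local_subnet):
    """Resolution option 1: remove the hotspot's subnet from every policy network
    that overlaps it, leaving the rest of the policy untouched."""
    local = ipaddress.ip_network(local_subnet, strict=False)
    result = []
    for n in (ipaddress.ip_network(p, strict=False) for p in policy):
        if n.subnet_of(local):
            continue                      # entirely inside the hotspot subnet: drop
        if local.subnet_of(n):
            result.extend(n.address_exclude(local))   # keep the remainder of n
        else:
            result.append(n)
    return [str(n) for n in sorted(result)]


def main():
    before = diagnose(HOTSPOT_GATEWAY_IP, SPLIT_TUNNEL_POLICY, INTERNET_HOST_IP)
    print("overlapping policy networks:", before.gateway_overlap)
    print("tunneled:", before.tunneled, "reachable:", before.reachable)

    hotspot_subnet = str(ipaddress.ip_interface(HOTSPOT_ADAPTER).network)
    fixed = carve_out(SPLIT_TUNNEL_POLICY, hotspot_subnet)
    after = diagnose(HOTSPOT_GATEWAY_IP, fixed, INTERNET_HOST_IP)
    print("policy without", hotspot_subnet + ":", fixed)
    print("tunneled:", after.tunneled, "reachable:", after.reachable)


if __name__ == "__main__":
    main()
```

Running it shows the public host being captured and dropped while 192.168.0.0/16 is in the policy, and reachable again once the hotspot's /24 has been carved out; internal destinations such as 10.x addresses stay tunneled in both cases. The carve-out produces several smaller prefixes, which is why the article's alternative of switching route precedence to "Endpoint Routes" is often the simpler fix.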
