KB40419 - Internet sites are not reachable for VPN users while connected using Hotspot cellular service

Last Modified Date: 2/11/2017 12:46 AM
Synopsis
This article describes an issue where VPN users cannot reach Internet resources while connected through a Hotspot cellular service such as a Verizon MiFi device.
Problem or Goal
When an end user connects to the Internet through a Hotspot cellular service on a mobile device, such as a Verizon MiFi, and then starts a VPN connection, all traffic is routed into the VPN tunnel even though split tunneling is enabled on the user role.  The user can reach only internal corporate sites.

When VPN is disconnected, full Internet access is restored.
Cause
This issue can occur due to route overlap: the Hotspot assigns the endpoint's wireless adapter an IP address in the same network as one of the networks defined in the split tunneling policy, and the split tunneling policy contains no additional networks that allow access to Internet resources.

This issue can only affect VPN tunnel configurations with split tunneling enabled.  If split tunneling is disabled, the issue does not apply, since all traffic is sent through the VPN tunnel and reaches the Internet through the PCS gateway.

For example:
  • The Hotspot network assigns the wireless adapter on the PC the IP address 172.20.10.7, with a default gateway of 172.20.10.1.
  • The Split Tunneling policy on the PCS device defines the network 172.20.0.0/16.
  • The user attempts to access www.pulsesecure.net.
  • www.pulsesecure.net resolves to 54.152.92.240.
  • The Split Tunneling policy contains no network entry that allows traffic to 54.152.92.240.
  • The next hop for the PC's default route is 172.20.10.1, which falls inside the 172.20.0.0/16 network defined in the ST policy, so the traffic is sent into the tunnel instead of to the Hotspot gateway.
  • Because no resource in the ST policy allows traffic to 54.152.92.240, the request is dropped at the PCS device and the site cannot be reached.
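The overlap condition and the first fix from the Solution section, worked through in code. This is an added example, not code from the KB article or from the Pulse Secure product, and the product's own route handling may differ in detail; the addresses are the article's, and the hotspot's /28 prefix length is an assumption.

```python
"""Split-tunnel route-overlap check for the scenario in this article.

Added example; it is not code from the KB article or the Pulse Secure product,
and the product's own routing logic may differ in detail. Addresses follow the
article; the hotspot's /28 prefix length is an assumption."""
import ipaddress

# Constructed inputs from the article's example.
HOTSPOT_ADAPTER = "172.20.10.7/28"       # adapter IP and (assumed) subnet mask
HOTSPOT_GATEWAY = "172.20.10.1"          # hotspot default gateway
SPLIT_TUNNEL_POLICY = ["172.20.0.0/16"]  # networks defined on the PCS role
INTERNET_HOST = "54.152.92.240"          # www.pulsesecure.net in the article


def _nets(policy):
    return [ipaddress.ip_network(p, strict=False) for p in policy]


def overlapping_prefixes(policy, adapter, gateway):
    """Policy prefixes that contain the hotspot gateway or overlap the hotspot's
    local subnet. Any hit means traffic to the gateway is pulled into the tunnel."""
    local = ipaddress.ip_interface(adapter).network
    gw = ipaddress.ip_address(gateway)
    return [str(n) for n in _nets(policy) if gw in n or n.overlaps(local)]


def classify(policy, adapter, gateway, dest):
    """Where traffic to `dest` ends up under the article's rules:
    'tunneled' when a policy prefix covers dest (the PCS has a resource for it),
    'dropped' when dest is outside the policy but the hotspot gateway is captured
    by a tunnel route (the article's failure), otherwise 'direct'."""
    d = ipaddress.ip_address(dest)
    if any(d in n for n in _nets(policy)):
        return "tunneled"
    if overlapping_prefixes(policy, adapter, gateway):
        return "dropped"
    return "direct"


def narrowed_policy(policy, adapter):
    """The article's first fix: carve the hotspot subnet out of every policy
    prefix that contains it, so the gateway no longer matches a tunnel route."""
    local = ipaddress.ip_interface(adapter).network
    kept = []
    for n in _nets(policy):
        if local.subnet_of(n):
            kept.extend(n.address_exclude(local))  # split n around the hotspot subnet
        elif not n.overlaps(local):
            kept.append(n)                          # unrelated prefix, keep as is
        # a prefix lying entirely inside the hotspot subnet is dropped
    return [str(n) for n in sorted(kept)]


if __name__ == "__main__":
    print("overlap:", overlapping_prefixes(SPLIT_TUNNEL_POLICY, HOTSPOT_ADAPTER, HOTSPOT_GATEWAY))
    print("before :", classify(SPLIT_TUNNEL_POLICY, HOTSPOT_ADAPTER, HOTSPOT_GATEWAY, INTERNET_HOST))
    fixed = narrowed_policy(SPLIT_TUNNEL_POLICY, HOTSPOT_ADAPTER)
    print("after  :", classify(fixed, HOTSPOT_ADAPTER, HOTSPOT_GATEWAY, INTERNET_HOST), fixed)
```

Run with the article's values: the /16 is reported as overlapping, 54.152.92.240 is classified as dropped, and after carving 172.20.10.0/28 out of the /16 the same address goes direct while internal hosts such as 172.20.5.5 are still tunneled. In practice the narrowed list should be the actual corporate subnets rather than the mechanical remainder of the /16.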

 
Solution
To determine whether route overlap is the reason the Hotspot user cannot reach Internet sites while the VPN tunnel is up, have the user work through the following steps:
  1. Before launching the VPN connection, connect the endpoint to the Hotspot's wireless access point and confirm that an Internet site such as www.pulsesecure.net can be browsed.
  2. Launch the VPN connection.
  3. Open a command line window and trace the route to the same Internet site that worked in step 1 with the following command:
traceroute www.pulsesecure.net
(On Windows the equivalent command is tracert www.pulsesecure.net; route print on Windows or netstat -rn on macOS/Linux also shows the routes the VPN client added.)
  4. If the first hop in the trace is 10.200.200.200 (or whatever address is configured as the VPN Tunnel Server IP Address) rather than the Hotspot's default gateway IP (for example 172.20.10.1), the traffic is being routed through the VPN tunnel.
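A small parser for step 4, for cases where the check has to be scripted or run over output pasted in by a user. This is an added example and not part of the KB article; the tracert and traceroute outputs below are constructed samples, and the addresses are the article's examples.

```python
"""Read the first hop of traceroute/tracert output and say whether Internet-bound
traffic is entering the VPN tunnel (step 4 of the procedure above).

Added example, not from the KB article. The command outputs below are constructed
samples; the addresses are the article's examples."""
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed Windows tracert output: first hop is the VPN Tunnel Server IP.
TRACERT_WINDOWS = """\
Tracing route to www.pulsesecure.net [54.152.92.240]
over a maximum of 30 hops:

  1     2 ms     1 ms     1 ms  10.200.200.200
  2     *        *        *     Request timed out.
"""

# Constructed Linux/macOS 'traceroute -n' output: first hop is the hotspot gateway.
TRACEROUTE_UNIX = """\
traceroute to www.pulsesecure.net (54.152.92.240), 30 hops max, 60 byte packets
 1  172.20.10.1  3.412 ms  3.201 ms  3.105 ms
 2  * * *
"""

# Constructed output where hop 1 did not answer (probes filtered or dropped).
TRACEROUTE_TIMEOUT = """\
traceroute to www.pulsesecure.net (54.152.92.240), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
"""


def first_hop(output):
    """IPv4 address on the hop-1 line of traceroute or tracert output, or None
    when that hop timed out. Only the line that begins with hop number 1 is
    read, so the header line carrying the target's address is ignored."""
    for line in output.splitlines():
        if re.match(r"\s*1\s", line):
            m = IPV4.search(line)
            return m.group(1) if m else None
    return None


def path_taken(output, tunnel_server_ip, hotspot_gateway):
    """'tunnel' if the first hop is the VPN Tunnel Server IP, 'hotspot' if it is
    the hotspot's default gateway, 'unknown' otherwise (timeout or another hop)."""
    hop = first_hop(output)
    if hop == tunnel_server_ip:
        return "tunnel"
    if hop == hotspot_gateway:
        return "hotspot"
    return "unknown"


if __name__ == "__main__":
    for name, out in [("windows", TRACERT_WINDOWS), ("unix", TRACEROUTE_UNIX),
                      ("timeout", TRACEROUTE_TIMEOUT)]:
        print(name, first_hop(out), path_taken(out, "10.200.200.200", "172.20.10.1"))
```

A first hop that times out is reported as unknown rather than assumed to be either side; re-run the trace with the -n (traceroute) or -d (tracert) option so no name lookups are attempted, and compare against the Tunnel Server IP configured on the PCS, not only the 10.200.200.200 default.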

To resolve this issue, do one of the following:
  • Modify any network defined in the split tunneling policy that contains the gateway IP of the user's Hotspot so that it no longer overlaps the Hotspot's subnet, OR
  • Go to the VPN Tunneling options on the role and set the route precedence to "Endpoint Routes", so that routes already present on the endpoint take precedence over the tunnel routes, OR
  • Create a new role for Hotspot users that has split tunneling disabled, so that all traffic is tunneled over the VPN and reaches the Internet through the PCS gateway.
Created By: Karen Mayberry