Reset Search



KB43688 - Pulse users are unable to access resources for up to 15 minutes after VPN tunnel is connected

« Go Back


Last Modified Date3/31/2018 12:39 AM
This article provides a possible cause and solution for an issue where resources are not available via VPN tunneling for up to 15 minutes after the tunnel is up.  
Problem or Goal
  • Pulse users connect to the PCS device and start a VPN tunnel.  
  • Users are unable to access any protected resources for up to 15 minutes, at which time all resources are available.  
  • Issue occurs even though a virtual IP is assigned to the virtual adapter, the routes configured on the PCS device are correct, and the ACL allows access to resources that are not accessible.  
  • When monitoring the switch while the issue is occurring, and users are unable to access resources, it is noticed that the routing table is not immediately updated with the ARP response for the internal VPN IP range.
When monitoring the switch, the ARP table does not update immediately with the VPN IP for the user; after this is updated to point to the PCS internal port, access is successful
This issue can occur under the following conditions:
  • VPN tunneling access is configured on an A/A cluster and VPN Tunneling IP Address filters have not been created.
  • The PCS device is on a different subnet than the Virtual Tunneling IP pool and a route has not been added to the edge switches to route traffic properly.
To resolve this issue:
  • For an A/A cluster configure VPN Tunneling IP filters for each node that are unique to that node.  This would apply for 2 or more A/A cluster nodes that all use the same virtual IP address range.  To do this go to System > Network > VPN Tunneling > IP filter and configure filters on each node that are unique to that node.
  • For IP Pools that are not on the same subnet as the internal interface of the PCS device, it is necessary to create manual routes on edge routers that route the VPN tunneling pool to the internal port of the PCS device.  
If there is no route on the network that points virtual IP pool to the appropriate appliance or appliance interface, it is possible that ARP will eventually learn the routes and populate them, but until this occurs, VPN tunneling users will not have access to resources because a route is missing.
Related Links
Attachment 1 
Created ByNick Christen



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255