KB43802 - Tunnel disconnects intermittently with Location Awareness enabled with FQDN split tunneling or Device Only DNS

Last Modified Date: 4/26/2020 12:10 AM
Synopsis
This article describes an issue with the Pulse Desktop Client where the tunnel disconnects intermittently when Location Awareness is configured and either FQDN split tunneling or Device Only DNS is enabled under VPN Connection Profiles.
Problem or Goal
When location awareness rules are configured, the following logic applies:
  1. When the policy evaluates to True, the Pulse Desktop client takes action to connect or disconnect the connection.
  2. When the policy evaluates to False, the Pulse Desktop client takes NO action.
  3. Any network change causes the location awareness rules to be re-evaluated, whether the Pulse client's tunnel is currently connected or disconnected.
For example:
  • If the location awareness rule is configured as a resolvable name with "NOT pulsesecure.net", where the name resolves only to an internal IP address, then the following logic applies:
    • If the DNS name is not resolvable, or resolves to a public IP address, the client automatically connects or disconnects the tunnel.
    • If the DNS name resolves to the internal IP address, the client is left in its current state, regardless of whether it is connected to a tunnel or not.
Cause
This issue occurs when a location awareness rule is configured and the policy evaluates to TRUE. This can occur under multiple conditions:
  1. Action is set to Resolve Address and Interface is set to Any (this configuration is not recommended).
  2. Action is set to DNS Server with internal DNS names (this configuration is not recommended with FQDN split tunneling or Device Only DNS).

In case 2, FQDN split tunneling or Device Only DNS modifies the DNS settings of both the physical and the virtual adapter to the tunnel DNS servers. When this occurs and the policy is evaluated again, the policy evaluates to TRUE and the tunnel is disconnected.

The following example log shows the location awareness rules being re-evaluated and the tunnel being disconnected as a result of the policy evaluation:
ConnectionManager p4324 t45C4 ConnectionManagerService.cpp:1565 - 'LocationManager' network settled down, so handle network events

ConnectionManager p4324 t45C4 PolicyEvaluator.cpp:60 - 'ConnectionManager' PolicyEvaluator::evaluate policy
[ NOT dns-server(physical, 10.10.10.2)] auto kEvalResultFalse connect 0 disconnect 1 transition 1

ConnectionManager p4324 t45C4 ConnectionEntry.cpp:617 - 'ConnectionManager' disconnecting ive:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXX, 
reason: policy evaluation
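
When checking a client log for this symptom, it helps to pull out every disconnect whose reason is "policy evaluation" together with the rule, result and connect/disconnect flags of the evaluation that preceded it. The parser below is an added troubleshooting example written for this article, not Pulse Secure code; the record formats are taken from the excerpt above, and the sample log is constructed to mirror it, including the wrapped lines.

```python
"""Extract tunnel disconnects caused by location-awareness policy evaluation from
Pulse Desktop Client ConnectionManager log lines. Added for this article as a
troubleshooting aid, not Pulse Secure code. Record formats follow the excerpt
above; SAMPLE_LOG is constructed to mirror it, including wrapped lines."""
import re

# Constructed sample in the same layout as the article's excerpt (wrapped records).
SAMPLE_LOG = """\
ConnectionManager p4324 t45C4 ConnectionManagerService.cpp:1565 - 'LocationManager' network settled down, so handle network events

ConnectionManager p4324 t45C4 PolicyEvaluator.cpp:60 - 'ConnectionManager' PolicyEvaluator::evaluate policy
[ NOT dns-server(physical, 10.10.10.2)] auto kEvalResultFalse connect 0 disconnect 1 transition 1

ConnectionManager p4324 t45C4 ConnectionEntry.cpp:617 - 'ConnectionManager' disconnecting ive:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXX,
reason: policy evaluation
"""

# "evaluate policy [ <rule>] <mode> kEvalResult<X> connect N disconnect N transition N"
EVAL_RE = re.compile(
    r"PolicyEvaluator::evaluate policy\s*\[\s*(?P<rule>[^\]]*?)\s*\]\s*"
    r"(?P<mode>\w+)\s+(?P<result>kEvalResult\w+)\s+"
    r"connect (?P<connect>\d+) disconnect (?P<disconnect>\d+) transition (?P<transition>\d+)"
)
# "disconnecting <connection>, reason: <reason>"
DISCONNECT_RE = re.compile(r"disconnecting (?P<connection>\S+?),\s*reason:\s*(?P<reason>.+?)\s*$")


def join_wrapped(lines, prefix="ConnectionManager"):
    """Rebuild one record per log entry: a non-empty line that does not start with
    the component name continues the previous record (as in the wrapped excerpt)."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith(prefix) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def find_policy_disconnects(log_text):
    """Pair each 'disconnecting ... reason: policy evaluation' record with the
    policy evaluation that preceded it; return one dict per incident."""
    incidents = []
    last_eval = None
    for record in join_wrapped(log_text.splitlines()):
        m = EVAL_RE.search(record)
        if m:
            last_eval = m.groupdict()
            for key in ("connect", "disconnect", "transition"):
                last_eval[key] = int(last_eval[key])
            continue
        d = DISCONNECT_RE.search(record)
        if d and d.group("reason") == "policy evaluation":
            incidents.append({**(last_eval or {}),
                              "connection": d.group("connection"),
                              "reason": d.group("reason")})
            last_eval = None   # an evaluation explains at most one disconnect
    return incidents


def summarize(log_text):
    """One human-readable line per incident, e.g. for a support ticket."""
    return [
        f"{i.get('rule', '?')} -> {i.get('result', '?')} "
        f"(disconnect={i.get('disconnect', '?')}) on {i['connection']}"
        for i in find_policy_disconnects(log_text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it against a client log file (`find_policy_disconnects(open(path).read())`); a non-empty result whose rule is a DNS Server rule, on a client with FQDN split tunneling or Device Only DNS enabled, is the configuration this article describes.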
Solution

Pulse Secure recommends configuring location awareness as follows:

  • Configure the Location Awareness rule for the Physical interface with the rule action set to Resolve Address.
  • Create a Resolve Address rule for an internal DNS name that resolves only to an internal IP address.
  • Set the location awareness requirement to Custom and express it as a NOT rule.

Instructions:

  1. Log in to the admin console.
  2. Navigate to Users > Pulse Secure Client.
  3. Select the corresponding connection set.
  4. Under Connections, select the corresponding connection.
  5. Under Location awareness rules, click New.
  6. Under Name, enter a friendly name.
  7. From the Action drop-down menu, select Resolve address.
  8. In the DNS name field, enter the internal DNS name.
  9. In the IP field, enter the internal IP address associated with the DNS name.
  10. Under Interface, leave the selection as Physical.
  11. Click Save Changes.
  12. Under Require, select the Custom radio button.
  13. In the Custom field, enter NOT <rulename> (for example, NOT PulseSecure).
  14. Click Save Changes.
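
The following model ties the evaluation logic from the Problem or Goal section to the rule the steps above configure (Resolve Address on the Physical interface, Custom requirement NOT <rulename>). It is an added illustration written for this article, not Pulse Secure client code. It assumes the semantics the article states: TRUE makes the client transition (connect if disconnected, disconnect if connected), FALSE leaves the tunnel as it is, and the policy is re-evaluated on every network change. The rule name, internal DNS name, addresses and resolver answers are constructed, the Custom evaluator supports only NOT and a single rule name, and `with_tunnel_dns` is a hypothetical stand-in for FQDN split tunneling or Device Only DNS rewriting the physical adapter's DNS servers.

```python
"""Model of the location-awareness evaluation described in this article. Added
illustration, not Pulse Secure client code. Semantics as stated in the article:
TRUE -> connect or disconnect (a transition), FALSE -> no action, re-evaluated
on every network change. All names, addresses and resolver answers are constructed."""

# Hypothetical rule as configured in the steps above (Action = Resolve Address,
# Interface = Physical, internal name and the internal address it maps to).
RULE_NAME = "PulseSecure"
INTERNAL_NAME = "intranet.example.corp"
INTERNAL_IP = "10.20.30.40"
CUSTOM_REQUIREMENT = "NOT PulseSecure"

# Constructed resolver views: what the physical adapter's DNS answers for the
# internal name from different locations (missing key = the name does not resolve).
OFFICE_VIEW = {INTERNAL_NAME: INTERNAL_IP}
HOME_VIEW = {}                                        # NXDOMAIN from the home resolver
PUBLIC_ANSWER_VIEW = {INTERNAL_NAME: "203.0.113.7"}   # name answered with a public address


def resolve_address_rule(dns_view, name, expected_ip):
    """Resolve Address rule on the physical interface: TRUE only when the name
    resolves to the configured internal address (not resolvable or a different,
    e.g. public, answer is FALSE)."""
    return dns_view.get(name) == expected_ip


RULES = {RULE_NAME: lambda view: resolve_address_rule(view, INTERNAL_NAME, INTERNAL_IP)}


def evaluate_requirement(expression, dns_view, rules=RULES):
    """Evaluate the Custom requirement string. The article uses 'NOT <rulename>',
    so only NOT prefixes and a single rule name are modelled here (assumption)."""
    tokens = expression.split()
    negate = False
    while tokens and tokens[0].upper() == "NOT":
        negate = not negate
        tokens.pop(0)
    if len(tokens) != 1 or tokens[0] not in rules:
        raise ValueError(f"unsupported requirement: {expression!r}")
    result = rules[tokens[0]](dns_view)
    return (not result) if negate else result


def decide(expression, dns_view, connected):
    """Action after a network change: TRUE -> connect or disconnect (transition),
    FALSE -> leave the tunnel in its current state."""
    if not evaluate_requirement(expression, dns_view):
        return "no action"
    return "disconnect" if connected else "connect"


def with_tunnel_dns(dns_view):
    """Hypothetical stand-in for FQDN split tunneling / Device Only DNS: the tunnel's
    DNS servers are pushed onto the physical adapter, so the internal name resolves
    through the tunnel regardless of where the device physically is."""
    merged = dict(dns_view)
    merged[INTERNAL_NAME] = INTERNAL_IP
    return merged


def walk_through():
    """Scenario: connect from home, then re-evaluate once the tunnel has rewritten
    the adapter's DNS, then evaluate in the office. Returns (label, action) pairs."""
    steps = []
    steps.append(("home, tunnel down", decide(CUSTOM_REQUIREMENT, HOME_VIEW, connected=False)))
    steps.append(("home, tunnel up, tunnel DNS on adapter",
                  decide(CUSTOM_REQUIREMENT, with_tunnel_dns(HOME_VIEW), connected=True)))
    steps.append(("office, tunnel down", decide(CUSTOM_REQUIREMENT, OFFICE_VIEW, connected=False)))
    return steps


if __name__ == "__main__":
    for label, action in walk_through():
        print(f"{label:42s} -> {action}")
```

With the recommended rule the re-evaluation after the tunnel is up yields FALSE (the internal name now resolves to the internal address), so the client takes no action and the tunnel stays up; the same `decide` function returns "disconnect" for any configuration whose rule still evaluates TRUE while connected, which is the behaviour the Cause section describes.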
Created By: Lokesh T K