KB44602 - IP & FQDN Based Split Tunneling - FAQ's on Resource Access Issues


Last Modified Date: 10/14/2020 9:24 PM
Synopsis

IP & FQDN Based Split Tunneling Best Practices to Avoid Resource Access Issues

This article summarizes the FAQs related to IP & FQDN Based Split Tunneling to avoid resource access issues.

IP Based Tunneling: IP based tunneling provides granular access to IP and FQDN based resources.
FQDN Based Tunneling: FQDN based tunneling provides granular access to FQDN based host and cloud applications.

 
Problem or Goal
The goal is to implement split tunneling without breaking access to resources, whether they are reached through the tunnel or outside it.
Solution

Recommended version to fix all the Split Tunneling Problems

Upgrade Pulse Desktop Client to version 9.1R8.2 or above to fix all known Split Tunneling Problems.


Known Bugs and the Cause

Why does Pulse Desktop Client (Windows/MAC) not honor the configured Split-Tunneling policies (Allow or Deny)?
Below are the causes we have observed with multiple customers who reported this issue.
Note: To resolve the issue, upgrade to the latest Pulse Desktop Client 9.1R8.2 and above
  • If the DNS responses are not compressed, the Pulse Client cannot handle them correctly. This impacts the split tunnel traffic whether the policy is Allow or Deny. To verify this, take a packet capture from the Virtual Adapter and look for the compression label C0 (the 0xC0 pointer byte that begins a compressed name) in the DNS responses. This is fixed in Pulse Desktop Client 9.1R7 and above.
Note: To resolve the issue, upgrade to the latest Pulse Desktop Client 9.1R8.2 and above
  • If DNS responses arrive over TCP instead of UDP, split tunneling breaks. This impacts the split tunnel traffic whether the policy is Allow or Deny. Currently there is no fix and it is a work in progress. To verify whether DNS is using TCP or UDP, take a packet capture from the Virtual Adapter.
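As an added example (not from this KB or from Pulse Secure), the following Python parses a raw DNS response and reports whether any record owner name uses the C0 (0xC0) compression pointer the check above looks for; the two responses are constructed inline following the RFC 1035 wire format, one compressed and one not, and the A record addresses are collected at the same time.

```python
import struct

# Constructed sample DNS responses (not captured from a real Pulse client):
# one question for example.com, one A record answer.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QD=1, AN=1
QNAME = b"\x07example\x03com\x00"
QUESTION = QNAME + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
RR_TAIL = struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
# Owner name is a 0xC0 pointer to offset 12, where the question's QNAME starts
COMPRESSED_RESPONSE = HEADER + QUESTION + b"\xc0\x0c" + RR_TAIL
# Owner name spelled out in full: no 0xC0 label anywhere in the message
UNCOMPRESSED_RESPONSE = HEADER + QUESTION + QNAME + RR_TAIL

def _walk_name(msg, offset):
    """Advance past a DNS name; return (pointer_used, offset after the name)."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:      # top two bits set: 2-byte compression pointer
            return True, offset + 2    # a pointer always terminates the name
        offset += 1
        if length == 0:                # root label ends an uncompressed name
            return False, offset
        offset += length

def dns_response_summary(msg):
    """Count resource records whose owner name is compressed and collect A records."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _walk_name(msg, offset)
        offset += 4                                    # skip QTYPE + QCLASS
    summary = {"records": 0, "compressed": 0, "a_records": []}
    for _ in range(ancount + nscount + arcount):
        pointer_used, offset = _walk_name(msg, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        rdata = msg[offset + 10:offset + 10 + rdlength]
        offset += 10 + rdlength
        summary["records"] += 1
        summary["compressed"] += int(pointer_used)
        if rtype == 1 and rdlength == 4:               # A record: dotted IPv4
            summary["a_records"].append(".".join(str(b) for b in rdata))
    return summary

if __name__ == "__main__":
    for label, msg in (("compressed", COMPRESSED_RESPONSE),
                       ("uncompressed", UNCOMPRESSED_RESPONSE)):
        print(label, dns_response_summary(msg))
```

A response whose summary shows `compressed` equal to 0 is the uncompressed case the article describes; the same parser can be pointed at the UDP payload of a DNS reply exported from the virtual adapter capture.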



FAQs on Resource Access Issues on IP/FQDN Based Split Tunneling 

1. What is the recommendation on using IP subnets or FQDN for Split Tunnel networks for Zoom / Office365 / Azure / Webex?
The best practice would be to go for FQDN split tunneling. Upgrade to Pulse Desktop Client 9.1R8 and above.
For more information, refer to the section "Why does Pulse Desktop Client (Windows/MAC) not honor the configured Split-Tunneling policies (Allow or Deny)?" above.

2. How to determine which split tunneling implementation is ideal (IP or FQDN Based)?
From an administrator perspective, you can opt for either IP based or FQDN based. Whichever option you choose, the resources remain easy to manage from the admin console and easy to troubleshoot.

3. Is it recommended to use IP and FQDN based tunneling in combination?
Yes, you can use both options in combination (IP and FQDN). This is a supported use case.

4. When you allow the same resources in both IP and FQDN policies, which one takes preference?
FQDN ACLs will receive the highest preference.

5. What happens when the domain name resolves to multiple IP addresses?
If the FQDN resolves to multiple IPs (the DNS response contains multiple IPs), the Pulse Connect Secure server adds all of those IPs to the ACL with the rules configured in the FQDN policy.

6. What should be checked when slowness is observed through the split tunnel?
Ensure the tunnel profile DNS is configured in Pulse Connect Secure so that resource names resolve to the IP addresses of the closest location.

7. What is the maximum number of IP based split tunnel networks?
Currently the limit is 256. See KB16725 - What is the maximum number of split tunnel networks per tunnel?


8. If we use FQDN domains for Zoom, Office365 (many domains) and Azure (for cloud CMS) in the Pulse VPN split tunnel configuration, are there any limits on URLs / routes?
Currently there is no limit until the ACL count reaches 60,000.

Note: This is applicable only for 'Allow' policy and not 'Deny' policy.

If you set an FQDN split tunnel 'Deny' policy, the Pulse Connect Secure sends this information to the Pulse Desktop Client as an exclude URL. Once a DNS response matches this FQDN, the Pulse Desktop Client knows whether that traffic must go through the physical adapter or the virtual adapter.


9. No ACL is added on the Pulse Connect Secure (PCS) when a split tunneling (IP or FQDN) Deny rule is configured. Why does this happen?
For split tunneling Deny rules, no ACL is added on the PCS. This is because the Pulse Connect Secure has already sent this information to the Pulse client as an exclude URL; once a DNS response matches the list, the client sends the traffic to the appropriate interface.

For IP based rules, the Pulse Desktop Client modifies the route table during tunnel creation so that the routes point to the appropriate interface.

 

10. Is it possible to check the total ACL count on our VPN gateways in real time?
No, it is not possible in real time. The maximum allowed ACL count is 60,000.
 

Limitations

  • TCP DNS not supported
  • Secure DNS not supported
Created By: Sudhakar Damodaran