Recommended version to fix all the Split Tunneling Problems
Upgrade Pulse Desktop Client to version 9.1R8.2 or above to fix all known Split Tunneling Problems.
Known Bugs and the Cause
Why does Pulse Desktop Client (Windows/MAC) not honor the configured Split-Tunneling policies (Allow or Deny)?
Below are the causes we have observed across multiple customers who reported this issue.
Note: To resolve the issue, upgrade to the latest Pulse Desktop Client 9.1R8.2 and above.
- If the DNS responses are not compressed, the Pulse Client will not be able to handle them appropriately. This impacts split tunnel traffic whether it is allowed or denied. To verify this, take a packet capture from the Virtual Adapter and look for the compression label C0. This is fixed in Pulse Desktop Client 9.1R7 and above.
Note: To resolve the issue, upgrade to the latest Pulse Desktop Client 9.1R8.2 and above.
- If the DNS responses arrive over TCP instead of UDP, split tunneling breaks. This impacts split tunnel traffic whether it is allowed or denied. Currently there is no fix; it is a work in progress. To verify whether TCP or UDP is used, take a packet capture from the Virtual Adapter.
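As an added illustration (not part of the original KB article), the following Python checks a DNS response taken from a Virtual Adapter capture for the two conditions described above: whether it uses name compression (the C0 label) and whether it arrived over TCP rather than UDP. The sample messages are constructed for the example, not real captures.

```python
import struct

def _skip_name(msg, off):
    """Walk one DNS name. Returns (offset past the name, True if it ends in a
    compression pointer, i.e. a label whose top two bits are set: the C0 label)."""
    while True:
        length = msg[off]
        if length == 0:                       # root label terminates the name
            return off + 1, False
        if length & 0xC0 == 0xC0:             # 2-byte pointer into the message
            return off + 2, True
        off += 1 + length

def dns_uses_compression(msg):
    """Parse a raw DNS message and report whether any record name uses compression."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, found = 12, False
    for _ in range(qd):
        off, c = _skip_name(msg, off)
        found, off = found or c, off + 4      # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off, c = _skip_name(msg, off)
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        found, off = found or c, off + 10 + rdlength   # TYPE, CLASS, TTL, RDLENGTH, RDATA
    return found

def split_tunnel_dns_issues(transport, payload):
    """Return the conditions from this article that a captured DNS response
    triggers: 'tcp-transport' and/or 'uncompressed-response'."""
    issues = []
    if transport == "tcp":
        issues.append("tcp-transport")
        payload = payload[2:]                 # DNS over TCP carries a 2-byte length prefix
    if not dns_uses_compression(payload):
        issues.append("uncompressed-response")
    return issues

# Constructed sample (not a real capture): response for example.com, one A record.
HEADER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id, flags, qd=1, an=1
QNAME = b"\x07example\x03com\x00"
QUESTION = QNAME + b"\x00\x01\x00\x01"                          # A, IN
RR_TAIL = b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"  # A IN TTL 3600, 93.184.216.34
COMPRESSED = HEADER + QUESTION + b"\xc0\x0c" + RR_TAIL   # answer name = pointer to offset 12
UNCOMPRESSED = HEADER + QUESTION + QNAME + RR_TAIL        # answer name spelled out in full
TCP_FRAMED = struct.pack("!H", len(COMPRESSED)) + COMPRESSED

if __name__ == "__main__":
    for transport, msg in (("udp", COMPRESSED), ("udp", UNCOMPRESSED), ("tcp", TCP_FRAMED)):
        print(transport, split_tunnel_dns_issues(transport, msg))
```

A response flagged with either condition on a client below the versions named above is a candidate explanation for split tunnel policies not being honored.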
FAQs on Resource Access Issues on IP/FQDN Based Split Tunneling
1. What is the recommendation on using IP subnets or FQDN for Split Tunneling networks for Zoom / Office365 / Azure / WebEx?
The best practice is to use FQDN split tunneling. Upgrade to Pulse Desktop Client 9.1R8 and above.
For more information, refer to the section "Why does Pulse Desktop Client (Windows/MAC) not honor the configured Split-Tunneling policies (Allow or Deny)?"
2. How to determine which split tunneling implementation is ideal (IP or FQDN Based)?
From an administrator's perspective, you can opt for either IP-based or FQDN-based split tunneling. Whichever you choose, the resources are easy to manage from within the admin console and easy to troubleshoot.
3. Is it recommended to use both IP & FQDN-based tunneling as combined?
Yes, you can use both IP-based and FQDN-based split tunneling together. This is a supported use case.
4. When you allow the same resources in both IP and FQDN policies, which one takes preference?
FQDN ACLs will receive the highest preference.
5. What happens when the Domain name resolves to multiple IP Addresses?
If the FQDN is resolved to multiple IPs (DNS response contains multiple IPs), the Pulse Connect Secure server will add all those IPs into the ACL with the appropriate rules configured in the FQDN policy.
6. What happens when slowness is identified through the Split Tunnel?
Ensure the tunnel profile DNS configured on the Pulse Connect Secure resolves the resource IP addresses to the closest location.
7. What is the maximum limit for IP-based split tunneling?
With 9.1R14 and 9.1R15, the limit is 512. See KB16725 - What is the maximum number of split tunnel networks per tunnel?
8. What is the maximum limit for FQDN-based split tunneling?
With 9.1R14 and 9.1R15, the limit is 512.
9. What is the maximum route limit that can be supported when IP & FQDN based Split-tunneling are configured?
IPv4 supports a maximum of 512 routes per tunnel; if this exceeds 512, the tunnel breaks.
IPv6 supports a maximum of 512 routes per tunnel; if this exceeds 512, the tunnel breaks.
FQDN supports a maximum of 512 routes per tunnel; if this exceeds 512, the tunnel breaks.
A total of 512 * 3 routes can be supported when using both IP & FQDN split tunneling.
10. If we use FQDN domains for Zoom, Office365 (many domains) & Azure (for cloud CMS) in Pulse VPN Split Tunnel configuration; are there any limits on URL / routes?
Currently, there are no limits until the ACL reaches 60,000.
Note: This is applicable only for the 'Allow' policy and not the 'Deny' policy.
If you set an FQDN split tunnel 'Deny' policy, the Pulse Connect Secure sends this information to the Pulse Desktop Client as an exclude URL. Once a DNS response matches this FQDN, the Pulse Desktop Client knows which adapter (Physical Adapter or Virtual Adapter) the traffic must go through.
11. The Pulse Connect Secure (PCS) does not add an ACL when a split tunneling (either IP or FQDN) Deny rule is configured. Why does this happen?
For split tunneling Deny rules, no ACL is added on the PCS. This is because the Pulse Connect Secure has already sent this information to the Pulse client as an exclude URL; based on the DNS response matching the list, the client sends the traffic to the appropriate interface.
For IP-based Deny rules, the Pulse Desktop Client modifies the routing table during tunnel creation so that the routes point to the appropriate interface.
12. Is it possible to check in real-time the total ACL count in our VPN gateways?
No, it is not possible in real time. The maximum number of allowed ACLs is 60,000.
13. Does the Pulse Desktop Client support TCP-based requests and responses?
Yes, from version 9.1R12.
Limitations