Intermittent connectivity issues with domain split tunnel traffic
Created On 07/29/21 14:03 PM - Last Modified 11/01/24 02:27 AM
Symptom
- Intermittent connectivity issues caused by traffic not following the rules in the domain split-tunneling configuration.
- The PanGPS dump logs below show that "www.youtube.com" matched an include domain rule, so its IP address '216.58.212.238' was added to the list of IP addresses bound to the GlobalProtect virtual interface. (Note: The time to live for this IP entry is 60 seconds, which is taken from the DNS response.)
P1824-T26147 Jul 23 08:12:48:324208 Dump ( 91): Received DNS request for www.youtube.com with type 1
P1824-T26147 Jul 23 08:12:48:324214 Dump (1259): Domain name www.youtube.com matches include wildcard domain
P1824-T26147 Jul 23 08:12:48:324218 Dump (1355): Insert CNAME youtube-ui.l.google.com(Ex).
P1824-T26147 Jul 23 08:12:48:324224 Dump ( 504): SP added an include ip 216.58.212.238, port 0, ttl 60 for domain www.youtube.com, original ttl=60, infinite ttl=no
- The PanNExt.log entries below show that a new traffic flow to 216.58.212.238 was initiated about 68 seconds after the entry was added, by which time the 60-second TTL of the split-tunnel IP rule had expired, so the new flow was bound to the physical interface instead of the GlobalProtect virtual interface.
P2575-T287 Jul 23 08:13:56:962874 Dump (2544): (0x7fcf9c40d510)handle new flow 216.58.212.238:443.
P2575-T287 Jul 23 08:13:56:962985 Dump ( 223): (flow-0x7fcf9c40d510)(0x7fcf9c40fa40) Flow initialize NetCli (TCP)-SP Domain, via Phy interface, remote 216.58.212.238:443
P2575-T287 Jul 23 08:13:56:963049 Dump ( 230): (0x7fcf9c40fa40) remote network address 216.58.212.238:443
P2575-T287 Jul 23 08:13:56:963074 Dump (1225): check sp policy, remote addr 216.58.212.238:443
P2575-T287 Jul 23 08:13:56:963100 Dump (1758): find sp ipp rule 4 match 216.58.212.238 bind_if Virtual
P2575-T287 Jul 23 08:13:56:963105 Dump (1770): The sp ipp rule is expired.
P2575-T287 Jul 23 08:13:56:963350 Dump ( 369): (0x7fcf9c40fa40) openWithLocalEndpoint success.
P2575-T287 Jul 23 08:13:57:45084 Dump ( 479): (0x7fcf9c40fa40) connected to remote.
P2575-T287 Jul 23 08:13:57:45109 Dump ( 623): (0x7fcf9c40fa40) create sock wr source.
P2575-T287 Jul 23 08:13:57:45116 Dump ( 883): (0x7fcf9c40fa40) call receive_from_flow
P2575-T13103 Jul 23 08:13:57:45151 Dump ( 887): (0x7fcf9c40fa40) tcp flow read 517 bytes
P2575-T287 Jul 23 08:13:57:45158 Dump ( 571): (0x7fcf9c40fa40) local address 192.168.20.222:51935 <<<<==== Physical interface
Note: In this scenario the configuration also had some subnets under the split-tunnel include routes, so only those subnets are sent through the tunnel. Once the domain rule for '216.58.212.238' had expired, the address no longer matched any include entry and was bound to the physical interface by the default route, which points to the physical adapter.
Environment
- GlobalProtect agent
- macOS and Windows
Resolution
GlobalProtect 5.1.5 and later support configuring an infinite DNS TTL for domain split tunneling. To enable it, add port '1' to any FQDN in the domain split-tunneling list under Network > GlobalProtect > Gateways > Agent > Client Settings > Split tunnel > Domain and Application. With this configuration the PanGPS log shows the entry added with ttl 0 and infinite ttl=yes, so it is never removed when the DNS TTL lapses:
SP added an exclude ip 216.58.212.238, port 0, ttl 0 for domain www.youtube.com, original ttl=60, infinite ttl=yes
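To make the TTL behaviour described in the Symptom and Resolution sections checkable from the logs, the following is an added example (not part of this article or of the GlobalProtect agent) that correlates PanGPS "SP added ... ip" entries with PanNExt "handle new flow" entries and reports, for each new flow, whether the domain rule had already expired when the flow started. The log lines embedded in it are constructed in the dump format shown above; the www.google.com entry, the 142.250.74.46 and 93.184.216.34 addresses and the sub-second timestamps are invented to cover the infinite-TTL and no-rule cases.

```python
import re
from datetime import datetime
# Constructed sample lines in the PanGPS / PanNExt dump format shown in this article;
# the www.google.com entry and the third flow are invented to cover the other outcomes.
PANGPS_LINES = [
    "P1824-T26147 Jul 23 08:12:48:324224 Dump ( 504): SP added an include ip 216.58.212.238, port 0, ttl 60 for domain www.youtube.com, original ttl=60, infinite ttl=no",
    "P1824-T26147 Jul 23 08:12:49:100000 Dump ( 504): SP added an include ip 142.250.74.46, port 0, ttl 0 for domain www.google.com, original ttl=300, infinite ttl=yes",
]
PANNEXT_LINES = [
    "P2575-T287 Jul 23 08:13:56:962874 Dump (2544): (0x7fcf9c40d510)handle new flow 216.58.212.238:443.",
    "P2575-T287 Jul 23 08:13:56:963105 Dump (1770): The sp ipp rule is expired.",
    "P2575-T287 Jul 23 08:14:10:000000 Dump (2544): (0x7fcf9c40d520)handle new flow 142.250.74.46:443.",
    "P2575-T287 Jul 23 08:14:11:000000 Dump (2544): (0x7fcf9c40d530)handle new flow 93.184.216.34:443.",
]

LINE_RE = re.compile(r"^P\d+-T\d+ (\w{3} \d+ \d\d:\d\d:\d\d):\d+ Dump \(\s*\d+\): (.*)$")
SP_ADD_RE = re.compile(r"SP added an (?:include|exclude) ip (\S+), port \d+, ttl (\d+) for domain (\S+), .*infinite ttl=(yes|no)")
FLOW_RE = re.compile(r"handle new flow (\S+):\d+\.")

def parse_line(line):
    """Return (timestamp, message) for a dump line, or None; sub-second digits are dropped."""
    m = LINE_RE.match(line)
    return (datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)) if m else None

def load_entries(pangps_lines):
    """Map each IP bound to the virtual interface to its domain, insert time and TTL (None = infinite)."""
    entries = {}
    for parsed in filter(None, map(parse_line, pangps_lines)):
        m = SP_ADD_RE.search(parsed[1])
        if m:
            ttl = None if m.group(4) == "yes" else int(m.group(2))
            entries[m.group(1)] = {"domain": m.group(3), "added_at": parsed[0], "ttl": ttl}
    return entries

def check_flows(pangps_lines, pannext_lines):
    """Report (ip, status, seconds_overdue) per new flow; status is expired / ok / ok-infinite / no-entry."""
    entries, findings = load_entries(pangps_lines), []
    for parsed in filter(None, map(parse_line, pannext_lines)):
        m = FLOW_RE.search(parsed[1])
        if not m:
            continue
        ip, entry = m.group(1), entries.get(m.group(1))
        if entry is None:                 # no domain rule: the flow follows the routing table / default route
            findings.append((ip, "no-entry", 0))
        elif entry["ttl"] is None:        # port-1 configuration: the entry never expires
            findings.append((ip, "ok-infinite", 0))
        else:
            overdue = (parsed[0] - entry["added_at"]).total_seconds() - entry["ttl"]
            findings.append((ip, "expired" if overdue > 0 else "ok", int(overdue)))
    return findings
```

Running check_flows over real PanGPS.log and PanNExt.log captured during an incident shows how long after the DNS TTL lapsed each misrouted flow started, which distinguishes this TTL issue from an ordinary routing or include-list mistake.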