STUN Traffic Being Routed Through GlobalProtect Tunnel Even Though Split Tunneling Is Configured

Created On 09/20/21 21:44 PM - Last Modified 10/12/25 23:58 PM


Symptom


  • GlobalProtect has split tunneling configured for the STUN application over port 2478.
  • The application is excluded from the GlobalProtect tunnel, but its traffic is still seen over the tunnel.
  • Access-route-based split tunneling is configured as well, and some STUN traffic is still observed over the GlobalProtect tunnel.


Environment


  • Domain-based split tunnel
  • GlobalProtect
  • Access-route-based split tunnel


Cause


  • When a videoconference is being established, the STUN client sends its discovery probe out of every network adapter on the host rather than out of the single adapter selected by the routing table. Because GlobalProtect is the user's main network connection, STUN bypasses routing (in this case the split-tunnel access routes) and some of its traffic is sent across the tunnel.

 



Resolution


  1. This is expected behavior for STUN traffic. See the Google patent document explaining STUN's adapter discovery feature.
  2. GlobalProtect split tunnel does not support this protocol. STUN uses UDP, and STUN servers typically listen for UDP requests on port 3478; the Windows split tunnel does not support UDP, which is the reason the domain exclusion does not work for this traffic. See https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application
  3. Even with access-route-based split tunneling, the STUN protocol may still send some traffic over the GlobalProtect tunnel.
  4. For route-based split tunneling, as long as the GP client installs the route, GP works as expected.
  5. GP does not enforce that an application follow the Windows routing table.
  6. An application can still bind specifically to a particular NIC and bypass the routing table.
  7. An administrator may need to work with the VoIP (voice over internet protocol) vendor to understand why their application uses all the interfaces and does not follow the Windows routing table.
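To make the cause concrete, the following Python model (added here as an illustration; it is not Palo Alto Networks code, and the adapter names, addresses and routes are constructed) contrasts the egress adapter that a split-tunnel routing table selects for a STUN server with what happens when an application binds a socket to every adapter, as STUN's adapter discovery does:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed routing table for a split-tunnel client: only the corporate
# range is sent into the GlobalProtect tunnel, everything else stays local.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Wi-Fi"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "GlobalProtect"),
]

# Constructed adapter table: adapter name -> its IPv4 address.
ADAPTERS = {"Wi-Fi": "192.168.1.20", "GlobalProtect": "10.200.0.5"}


def egress_by_route(dst, routes=ROUTES):
    """Longest-prefix match: the adapter the routing table selects for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).interface


def egress_when_bound_everywhere(dst, adapters=ADAPTERS):
    """STUN-style adapter discovery: the client binds one UDP socket per
    adapter address and probes dst from each, so the routing table is never
    consulted and every adapter, the tunnel included, carries a probe."""
    return {name: f"{ip} -> {dst}:3478/udp" for name, ip in adapters.items()}


def stun_reaches_tunnel(dst, routes=ROUTES, adapters=ADAPTERS):
    """Does STUN traffic to dst enter the tunnel under each behaviour?"""
    bound = egress_when_bound_everywhere(dst, adapters)
    return {
        "routing_table_only": egress_by_route(dst, routes) == "GlobalProtect",
        "bind_every_adapter": "GlobalProtect" in bound,
    }


if __name__ == "__main__":
    # 203.0.113.10 is a constructed public STUN server address (TEST-NET-3).
    print(stun_reaches_tunnel("203.0.113.10"))
```

The routing-table path keeps the public STUN server on the physical adapter, which is what the access routes promise; the bind-every-adapter path is the behaviour the article describes, where the tunnel adapter carries a probe regardless of the routes.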

 



Additional Information


Configure a Split Tunnel Based on the Access Route

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LpxCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail