GlobalProtect users cannot access excluded domains when split tunnel is configured

Created On 10/21/20 02:22 AM - Last Modified 01/06/25 19:59 PM


Symptom


  • GlobalProtect has been deployed with split tunnelling configured to exclude a list of domains.
  • The GlobalProtect logs show that the excluded domains are correctly excluded.
  • A few of the users cannot reach these excluded domains.
  • In the Google Chrome browser, the error displayed is "ERR_ADDRESS_INVALID".
  • When GlobalProtect is disabled, the users can access the excluded domains.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect (GP) App
  • Split-tunnel configured with domain exclusion


Cause


  • The client is located in an IPv6-native network.
  • The DNS server is in the IPv4 network.
  • The client is trying to reach the IPv4 DNS server over the IPv6 network.
  • To check, disconnect the GP App on the client and ping one excluded domain to see whether the IP address contacted is in IPv4 or IPv6 format.

    The computer is trying to connect to the IPv4 address from an IPv6 network.
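The check described above (ping an excluded domain and see which address family the client contacted) can be scripted so that the mismatch is flagged rather than read by eye. The following is an added example, not Palo Alto Networks code: it pulls the contacted address out of the first line of ping output, classifies it as IPv4 or IPv6 (the dotted-decimal versus colon-separated hexadecimal formats noted under Additional Information), and compares it with the address families the client actually has. The ping lines and the local address lists are constructed samples; in practice the local addresses would come from `ipconfig` or `ip addr` on the client.

```python
import ipaddress
import re

# Both Windows ("Pinging host [addr] ...") and Linux ("PING host (addr) ...")
# print the address actually contacted in brackets or parentheses on the
# first line of ping output; this captures any such candidate.
_ADDR_RE = re.compile(r"[\[(]([0-9A-Fa-f:.]+)[\])]")

FAMILY = {4: "IPv4", 6: "IPv6"}


def contacted_address(ping_first_line):
    """Return the address ping reported contacting, or None if none is present."""
    for match in _ADDR_RE.finditer(ping_first_line):
        try:
            return ipaddress.ip_address(match.group(1))
        except ValueError:
            # Skip non-address bracket contents such as the "(84)" in
            # Linux's "56(84) bytes of data".
            continue
    return None


def client_families(local_addresses):
    """Address families the client can route from; loopback and link-local
    addresses do not count as connectivity to a DNS server or domain."""
    families = set()
    for text in local_addresses:
        ip = ipaddress.ip_address(text)
        if ip.is_loopback or ip.is_link_local:
            continue
        families.add(FAMILY[ip.version])
    return families


def diagnose(ping_first_line, local_addresses):
    """Flag the article's failure mode: the excluded domain resolves to an
    address family the client has no connectivity for (e.g. IPv4 on an
    IPv6-only network)."""
    families = client_families(local_addresses)
    addr = contacted_address(ping_first_line)
    if addr is None:
        return {"address": None, "family": None,
                "client_families": families, "mismatch": False}
    family = FAMILY[addr.version]
    return {"address": str(addr), "family": family,
            "client_families": families, "mismatch": family not in families}


if __name__ == "__main__":
    # Constructed sample: an IPv6-only client whose excluded domain
    # resolved to an IPv4 address, exactly the case the article describes.
    sample_local = ["127.0.0.1", "::1", "fe80::1", "2001:db8:1::20"]
    sample_ping = "Pinging intranet.example.com [10.1.2.3] with 32 bytes of data:"
    print(diagnose(sample_ping, sample_local))
```

A result with `"mismatch": True` means the client has no interface in the family the excluded domain resolved to, which is the situation Split DNS corrects; a `"mismatch": False` result points the investigation elsewhere (for example, at the exclusion list itself).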




Resolution


  1. The resolution is to enable the Split DNS feature.
  2. When the Split DNS feature is enabled, the excluded domains / URLs are resolved using the public DNS server.

    With Split DNS, the computer can reach the excluded domains.


Additional Information


IPv4 format: 32 bits, represented by 4 decimal numbers separated by dots.
IPv6 format: 128 bits, represented by up to 8 hexadecimal numbers separated by colons.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBGBCA4&lang=en_US