GlobalProtect Client connection flaps continuously.

• The GP client establishes connection correctly and disconnects within the first minute.
• This process repeats indefinitely:
• The  following messages are seen in the PANGPS.log

Dump (1623): Received an IP packet with a non-tunnel source IP 10.10.x.x >> IP address assigned by the GP gateway.
Dump (1857):  the packet received from virtual interface is discarded
Dump (1623):  Received an IP packet with a non-tunnel source IP 10.10.x.x
Dump (1857):  the packet received from virtual interface is discarded

• Palo Alto Firewalls
• Supported PAN-OS
• GlobalProtect (GP) Gateway
• GlobalProtect (GP) App

• Gateway's IP address in added in the "include" route list of the Split Tunnel configuration. 
• The keepalives to the gateway need to be routed through the physical interface.
• In this case, the client is sending the packets through the GP virtual interface, but with a source IP address of the physical link, hence the firewall will drop those packets.

GUI: Network > GlobalProtect > Gateways > [gateway-config] > Agent > [agent-config] > Client Settings > [client-setting-config] > Split Tunnel

1. Under the "Access Route" of Split Tunnel, Remove the gateway IP from "Include" list.
2. Commit the configuration.

GUI: Network > GlobalProtect > Gateways > [gateway-config] > Agent > [agent-config] > Client Settings > [client-setting-config] > Split Tunnel