Routing and Connectivity Issues with Mobile VPN with SSL

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

When a Mobile VPN with SSL tunnel successfully establishes, but the client cannot reach internal networks, the most common causes are routing conflicts or missing VPN‑pushed routes (the routes the Firebox provides to the VPN client). These issues occur when:

  • The local network of the client overlaps with Firebox‑defined VPN routes.
  • Route metrics prioritize the wrong interface.
  • The Firebox fails to send the expected routes to the client.

The Firebox manages all Mobile VPN with SSL routing behavior. Administrators can route all traffic, only trusted or optional networks, or selected subnets through the tunnel. Routing all traffic creates a full‑tunnel configuration, while routing specific networks creates a split‑tunnel configuration.

Most routing conflicts occur on the client device when its local network overlaps with VPN‑assigned subnets.

Symptoms

These symptoms show that the Mobile VPN with SSL tunnel is up, but routing prevents the client from reaching internal networks:

  • Mobile VPN with SSL shows as Connected in the client, but internal hosts do not respond.
  • Only some internal networks or subnets are reachable.
  • Traffic unexpectedly exits to the local network instead of the tunnel.
  • Applications fail to connect to internal sites or services.

Diagnostic Steps for Windows

Use these steps to identify whether routing conflicts on a Windows computer prevent traffic from using the Mobile VPN with SSL tunnel.

From a Windows computer, run these commands to view IPv4 and IPv6 routing entries:

route print
netstat -rn

From a Windows computer, you can also run this PowerShell command to view IPv4 and IPv6 routing entries:

Get-NetRoute

Compare the routing table to the expected VPN‑pushed routes and look for:

  • Local subnets that overlap VPN subnets.
  • More‑specific local routes with a longer subnet mask that override tunnel routes.
  • Incorrect metrics that prioritize local interfaces.
  • Static routes that take priority over VPN‑assigned routes.

Remove or update conflicting routes as necessary.
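As an added worked example (not part of this documentation), the following Python script parses a constructed `route print` excerpt and applies the checks above against the routes the Firebox is expected to push. The VPN adapter address (192.168.113.2), the pushed routes and the metrics are assumed sample values.

```python
import ipaddress
from collections import namedtuple

# One row of the Windows IPv4 route table: destination network, interface IP, metric.
Route = namedtuple("Route", "network interface metric")

def parse_route_print(text):
    """Parse the IPv4 'Active Routes' rows of 'route print' output (5 columns)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, _gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # header or separator row, not a route
        routes.append(Route(net, iface, int(metric)))
    return routes

def check_vpn_routes(routes, pushed, vpn_iface):
    """Return (finding, network) pairs for missing, more-specific and overlapping routes."""
    pushed = [ipaddress.IPv4Network(p) for p in pushed]
    on_vpn = {r.network: r for r in routes if r.interface == vpn_iface}
    findings = [("missing", p) for p in pushed if p not in on_vpn]
    for r in routes:
        if r.interface == vpn_iface:
            continue  # routes on the tunnel adapter cannot conflict with it
        for p in pushed:
            if r.network.prefixlen > p.prefixlen and r.network.overlaps(p):
                findings.append(("more-specific-local", r.network))  # longer mask wins
            elif r.network == p and (p not in on_vpn or r.metric <= on_vpn[p].metric):
                findings.append(("local-wins-overlap", r.network))  # same subnet, lower metric
    return findings

# Constructed excerpt: VPN adapter is 192.168.113.2; the home LAN 10.0.1.0/24 is also the trusted network.
SAMPLE = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.1.1       10.0.1.50     35
         10.0.1.0    255.255.255.0          On-link       10.0.1.50    291
         10.0.1.0    255.255.255.0    192.168.113.1   192.168.113.2    326
         10.0.2.0    255.255.255.0    192.168.113.1   192.168.113.2    326
       172.16.5.0    255.255.255.0         10.0.1.1       10.0.1.50     36
    192.168.113.0    255.255.255.0          On-link   192.168.113.2    326
"""
PUSHED = ["10.0.1.0/24", "10.0.2.0/24", "172.16.0.0/16"]  # constructed split-tunnel routes

def sample_findings():
    return check_vpn_routes(parse_route_print(SAMPLE), PUSHED, "192.168.113.2")
```

Each finding maps to one line of the checklist: a pushed route absent from the tunnel adapter, a local static route with a longer mask, or a local subnet that duplicates a VPN subnet with an equal or lower metric.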

Diagnostic Steps for macOS

Use these steps to identify whether routing conflicts on a macOS computer prevent Mobile VPN with SSL tunnel traffic from reaching internal systems.

From a macOS computer, run this command to view IPv4 and IPv6 routing information:

netstat -rn

Review the routing table and look for:

  • Local network overlaps.
  • More‑specific local routes with a longer subnet mask that bypass the tunnel.
  • Missing split‑tunnel routes.

Update or remove conflicting routes as necessary.

Possible Causes and Solutions

Possible Cause: Local LAN or Wi‑Fi subnet overlaps VPN‑pushed CIDRs.
Solution: Disconnect from the conflicting network or change addressing. Make sure VPN routes are more specific, when possible. For example, a /24 route takes precedence over a broader /16 route.

Possible Cause: Firebox does not push expected routes.
Solution: Verify the Mobile VPN with SSL route and policy configuration on the Firebox, then reconnect the client.
For a locally-managed Firebox, go to About Mobile VPN with SSL for more information.
For a cloud-managed Firebox, go to Configure Mobile VPN with SSL for a Cloud-Managed Firebox for more information.

Possible Cause: Incorrect metrics or split‑tunnel configuration.
Solution: Adjust route metrics, remove lower‑priority static routes, or update split‑tunnel entries.
For a locally-managed Firebox, go to Read the Firebox Route Tables for more information.
For a cloud-managed Firebox, go to Configure Firebox Routes for more information.

Related Log Messages

Because Mobile VPN with SSL routing problems usually occur on the Windows or macOS computer, the Firebox might not generate log messages for routing issues.

To diagnose routing issues on the computer, you can use:

  • Windows or macOS routing tables.
  • Packet captures (Wireshark, tcpdump).

Related Topics

About Mobile VPN with SSL

Troubleshoot Mobile VPN with SSL