Bug ID 1084917: Excluded domain public route to excluded DNS-resolved IP addresses is not added

Last Modified: May 29, 2024

Affected Product(s):
APM-Clients APM(all modules)

Known Affected Versions:, 7.2.2,,, 7.2.3,, 7.2.4,,,,,,

Opened: Mar 03, 2022

Severity: 3-Major


Public routes to excluded domain scope resolved IP addresses (by DNS relay proxy) do not get added on transition from machine tunnel to EdgeClient or from Edge Client to machine tunnel.


Depending on the configuration, the traffic to the excluded DNS may end up inside the tunnel, and if it is not reachable via the tunnel, then there is no connectivity to these destinations. For example, this might occur in a split tunnel configuration that has an include scope as and some exclude address space like and has excluded DNS as site-not-reachable-via-tunnel.com, *.site-not-reachable-via-tunnel.com. If exclude routes are not added for IP addresses resolved for site-not-reachable-via-tunnel.com, traffic to site-not-reachable-via-tunnel.com will go inside the tunnel due to the routing table.


-- Split tunnel configuration. -- Excluded Domain scope. -- DNS relay proxy is running on the client. -- User connects to the machine tunnel, accesses excluded domain scope host-names (so that exclude routes to the resolved IP addresses get added the first time) -- User transitions to Edge Client and then connects to the VPN and accesses those same host-names.



Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips