Symptoms

Public routes to excluded domain scope resolved IP addresses (by DNS relay proxy) do not get added on the second subsequent connection, if user connects to VPN and accesses excluded domain scope host-names (so that exclude routes get added the first time), disconnects and then connects very quickly again and then accesses those same host-names.

Impact

Depending on the configuration, the traffic to the excluded DNS may end up inside the tunnel, and if it is not reachable via tunnel, then there is no connectivity to these destinations. For example, this might occur in a split tunnel configuration that has include scope as 0.0.0.0/0 and some exclude address space like 8.8.8.8/32 and has excluded DNS as site-not-reachable-via-tunnel.com, *.site-not-reachable-via-tunnel.com. If exclude routes are not added for IP addresses resolved for site-not-reachable-via-tunnel.com, traffic to site-not-reachable-via-tunnel.com will go inside the tunnel due to the routing table.

Conditions

- Split tunnel configuration. - Excluded Domain scope. - DNS relay proxy is running on the client. - User connects to VPN the first time, accesses excluded domain scope host-names (so that exclude routes to the resolved IP addresses get added the first time), user disconnects and then connects to VPN again very quickly and accesses those same host-names.

Workaround

- Wait 30 seconds to 1 minute before establishing subsequent VPN connections after disconnecting. (Sometimes it takes a full minute or more for the dialer to unload.) - After Disconnect, exit Edge Client from the system tray and start it again to establish the connection.

Fix Information

The DNS Relay Proxy component now correctly handles quick connect/disconnect operations when using the Windows Edge Client.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips