Solved

VPN and NPA Not Happy Together

  • 23 November 2023
  • 4 replies
  • 24 views

Badge +7

Hi Everyone,

 

Have an issue where remote NS clients have the following environment and in this order:

1. IPv4 and IPv6 addresses assigned (eg. from home wifi or mobile hotspot)

- The IPv6 address assigned (global internet address starts with 2001:xxx)

2. NPA Tunnel is established

3. Connect to corporate VPN service

4. Clients are then unable to access applications via the VPN

 

NPA applications continue to operate successfully but the NS client service appears to interfere with the VPN tunnel.

 

Stop the NS client service and there is no issue with the VPN.

 

Disable IPv6 and the VPN and NPA work successfully, this is not recommended by Microsoft so not really a desirable option.

 

Have tried to configure clients to 'Prefer IPv4 over IPv6' this was looking promising but not producing reliable results. Issue still appears to randomly occur, still testing this.

 

Anyone else experience this issue?

icon

Best answer by Curious 5 December 2023, 02:27

View original

4 replies

Badge +4

We have been experiencing this issue as well. We would just disable ipv6 on the workstations that it occurred on, but like you said it's not recommended by Microsoft so it's not desirable. 

Badge +7

Hi @csowell 

 

Which VPN solution are you using?

 

Ours is F5 which has been solid for many years now. Issue has recently occurred with the use of NPA. Our NPA published apps are ok. It appears the Netskope client is not playing nicely with the use of the F5 VPN... but only when I published AD/Domain Services as per the Netskope KB.

 

Disabling IPv6 resolves the issue but I don't want to disable this for hundreds of users.

 

Thank you

Badge +7

Issue has now been resolved.

 

On the F5 VPN configuration

Enforce DNS search order : enable
DNS Default Domain Suffix : remove all items

 

Can now publish the AD Domain Services via NPA as per the NS KB. 

Badge +4

We are using Global Protect, after talking with our Netskope SE he was saying to make a steering exception. Fortunately we haven't had any more issues with it, at least none reported to me anyways. 

 

https://docs.netskope.com/en/netskope-help/netskope-client/netskope-client-interoperability/vpn-applications/palo-alto-globalprotect/

Reply