Forum Discussion

Andrii
Comet
2 months ago

Always on VPN and troubleshooting connectivity issues

Hi,

I wanted to check if anyone else has experienced issues with users enabled for Always On when their SDP client cannot connect. Occasionally we see clients that cannot connect, showing different errors, like username not recognized, cannot connect, etc. The problem is that our Zoho Assist remote management software is not available if the user laptop is not connected to the Internet, which it is not when using Always On. How do you guys provide support in this scenario? What we usually do is first disable the Always On policy for that user and then re-install the Cato client using either the local admin or the service desk user account. The problem is that we need to change the passwords for those accounts after giving them out to the user by phone.

Basically we just need Zoho Assist client traffic to bypass the Cato tunnel; we will be testing the split tunnel feature and adding Zoho IPs to the bypass.

Curious to hear your thoughts. Thanks!

  • Hi. Have you tried disabling IPv6 on the network adaptors used to connect to the internet (wired/wifi)?

    We find doing this solves many of our issues with remote VPN users.

    Also, it's worth having another review of the requirements list on the knowledgebase. Sounds basic, but there might be something there relevant. For us, we had to add some bypasses to our EDR solution to stop some connection problems with our Mac devices. And we have the odd Windows device using the Intel Killer NIC that we have had to sort out.

    Currently you cannot split-tunnel via domain name, although Cato recently brought in the ability to split-tunnel via a handful of built-in applications such as Teams or Zoom. Our organisation never had an issue accessing those over Cato, so that isn't useful for us.

    We have a long-standing RFE to allow split-tunneling via domain name, to solve the same problem you are having. We use always-on, and our remote access application for our end-user support team to access devices is Splashtop. Our support team cannot access a device when it is at the pre-login or Windows log-in state. This is because always-on + prelogin blocks all internet access apart from anything to the IdP (Entra in our case). The problem is, Splashtop use a CDN and so cannot publish a definitive list of their IPs, as this changes dynamically and often, as proved by our frequent nslookups. As such we cannot add their IPs into the split-tunnel list, but a domain object would work fine.
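The two checks the reply above describes, the IPv6 binding on the internet-facing adapters and the "frequent nslookups" that show a CDN-fronted vendor cannot be pinned to a stable IP list, can be scripted so that a service desk runs the same audit every time. The PowerShell below is an added example for this thread, not code from Cato or from any poster. It assumes Windows 10/11 with the built-in NetAdapter and DnsClient modules and an elevated session; the hostname in the usage line is a placeholder, not a real vendor endpoint.

```powershell
# Added example (not from the thread). Assumes Windows 10/11, the NetAdapter and
# DnsClient modules, and an elevated PowerShell session.

# 1. Report the IPv6 (ms_tcpip6) binding on every physical adapter that is up.
#    Nothing is changed unless -Disable is passed, and the change is previewed
#    with -WhatIf so the operator sees exactly which adapter would be touched.
#    -Physical excludes the VPN client's virtual adapter, which must keep its
#    bindings.
function Get-Ipv6BindingState {
    [CmdletBinding()]
    param([switch]$Disable)

    $adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
    foreach ($a in $adapters) {
        $b = Get-NetAdapterBinding -Name $a.Name -ComponentID 'ms_tcpip6'
        [pscustomobject]@{
            Adapter   = $a.Name
            Type      = $a.InterfaceDescription
            IPv6Bound = $b.Enabled
        }
        if ($Disable -and $b.Enabled) {
            # Preview only; remove -WhatIf once the adapter list has been reviewed.
            Disable-NetAdapterBinding -Name $a.Name -ComponentID 'ms_tcpip6' -WhatIf
        }
    }
}

# 2. Resolve a hostname repeatedly and count the distinct A records seen.
#    A service behind a CDN returns answers that churn over time, so a
#    split-tunnel bypass written as a fixed IP list will silently stop matching.
#    The number of distinct addresses collected over a short window is the
#    evidence to attach to an RFE for domain-based split tunnelling.
function Test-DnsChurn {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Samples = 10,
        [int]$IntervalSeconds = 30
    )
    $seen = @{}
    for ($i = 1; $i -le $Samples; $i++) {
        $answers = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        foreach ($r in $answers) {
            if (-not $seen.ContainsKey($r.IPAddress)) {
                # Record when each address was first returned.
                $seen[$r.IPAddress] = Get-Date
            }
        }
        if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
    }
    [pscustomobject]@{
        Name        = $Name
        Samples     = $Samples
        DistinctIPs = $seen.Count
        FirstSeen   = $seen
    }
}

# Usage (placeholder hostname; substitute the remote-support vendor's relay name):
# Get-Ipv6BindingState
# Get-Ipv6BindingState -Disable
# Test-DnsChurn -Name 'relay.example-remote-support.invalid' -Samples 20 -IntervalSeconds 60
```

Run the binding report before and after a client upgrade to confirm the adapter state has not been reset, and run the churn test against the support vendor's relay host from a machine outside the tunnel: if DistinctIPs keeps growing across samples, an IP-based bypass is not a viable control and the domain-based RFE is the right ask.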

    • Andrii
      Comet

      Hi Nath, yes, IPv6 is usually the first thing we check. With client version 5.12.9, routing to IPv6 is supposed to be fixed according to support. The particular issue we have is when we disable an employee for an extended LOA and they come back, the client will not connect. That user gets removed from Cato since it is disabled, and when they are added back something must be off between what was on their machine's Cato client and what is in the cloud; it will not connect, giving a username mismatch error.

      We are really looking forward to the feature for split tunnel via domain name. I will file an RFE from our end to push it forward.

      Thanks for your input!

      • PrakashRIndia
        Meteor

        We are also facing issues due to there being no split tunnelling via domain name, and we raised an RFE for the same on 3rd Dec 2024; the ticket is PM-11467 with the RFE name "Split Tunnel basis FQDN/Domain", but there is no platform to check the status of a raised RFE, nor is it showing in the product road map. Though in one of the videos released by Cato on Split Tunnel for specific applications, they did mention split tunnel by domain name.