Forum Discussion
Hi. Have you tried disabling IPv6 on the network adaptors used to connect to the internet (wired/wifi)?
We find doing this solves many of our issues with remote VPN users.
Also, it's worth having another review of the requirements list on the knowledgebase. Sounds basic, but there might be something there relevant. For us, we had to add some bypasses to our EDR solution to stop some connection problems with our Mac devices. And we've the odd Windows device using the Intel Killer NIC that we have had to sort out.
Currently you cannot split-tunnel via domain name, although Cato recently brought in the ability to split-tunnel via a handful of built-in applications such as Teams or Zoom. Our organisation never had an issue accessing those over Cato so that isn't useful for us.
We have a long-standing RFE to allow split-tunneling via domain name, to solve the same problem you are having. We use always-on and our remote access application for our end-user support team to access devices is Splashtop. Our support team cannot access a device when it is at the prelogin, or Windows log-in state. This is because always-on + prelogin blocks all internet access apart from anything to the IdP (Entra in our case). Problem is, Splashtop use a CDN and so cannot publish a definitive list of their IPs as this dynamically changes often, as proved by our frequent nslookups. As such we cannot add their IPs into the split-tunnel list but a domain object would work fine.