Hi. Have you tried disabling IPv6 on the network adaptors used to connect to the internet (wired/wifi)?
We find doing this solves many of our issues with remote VPN users.
Also, it's worth having another review of the requirements list on the knowledgebase. Sounds basic, but there might be something there relevant. For us, we had to add some bypasses to our EDR solution to stop some connection problems with our Mac devices. And we've the odd Windows device useing the Intel Killer NIC we have had to sort out.
Currently you cannot split-tunnel via domain name, although Cato recently brought in the ability to split-tunnel via a handful of built-in applications such as Teams or Zoom. Our organisation never had an issue accessing those over Cato so that isn't useful for us.
We have a long-standing RFE to allow split-tunneling via domain name, to solve the same problem you are having. We use always-on and our remote access application for our end-user support team to access devices is Splashtop. Our support team cannot access a device when it is at the prelogin, or Windows log-in state. This is because always-on + prelogin blocks all internet access apart from anything to the iDP (Entra in our case). Problem is, Splashtop use a CDN and so cannot publish a definitive list of their IPs as this dynamically changes often, as proved by our frequent nslookups. As such we cannot add their IPs into the split-tunnel list but a domain object would work fine.
Hi Nath, yes, IPv6 is usually first thing we check. With the 5.12.9 client version routing to IPv6 supposed to be fixed according to support. The particular issue we have is when we disable employee for extended LOA and they come back, the client will not connect. That user gets removed from Cato since its disabled and when they are added back something must be off between what was on their machine cato client and what is in the cloud, it will not connect giving error username mismatch.
We are really looking forward to the feature for split tunnel via domain name. I will file RFE from our end to push it forward.
Thanks for your input!
We are also facing issue due to no splitting of tunnel via domain name and we raised RFE for the same on 3rd Dec 2024 and the ticket is PM-11467 with RFE name as "Split Tunnel basis FQDN/Domain" but since there is no platform to check status of raised RFE nor showing in the product road map as well. Though in one of the video released by Cato on Split Tunnel for specific applications, they have said regarding split tunnel basis domain name.
