Jump to content
Welcome to our new Citrix community!

Secure Access Client Version - Reverse Split Tunneling Application not working

Recommended Posts



after an update from the gateway plugin/ secure access client version to i'm experiencing a weird issue with application we defined as split tunneled,

with our reverse split tunneled gateway.

Our VPXs are currently on the build 13.0 85.19.


For example we split tunnel webex.com via IP or DNS.

After the update the client does a name resolution for webex.com to

Which is wrong and i don't know where he learns this DNS.


But what i can see is that my client exits its local net interface when i tries to access this ip adress and not via the vpn interface.

So it split tunnels the access to the wrong ip address and therefore can't access these split tunneled website/ apps.


Other Split tunnel Apps have different IP resolutions and also don't work.


Link to comment
Share on other sites

  • 3 weeks later...

Interesting John as we are having a very similar issue.


We recently upgraded our VPX instances from 13.0 71.44 to 13.0 85.19 at the beginning of July.


Last week we started to rollout the Secure Access client version to our test users after a number of weeks of the VPX upgrading being stable. Prior to this our users were using version of the client and reporting no issues.


We have around 3800 users and 170 users in our test audience. What we have found so far is that wireless connections are no longer as stable as they had been previously on the the older client with customers reporting more frequent tunnel drops.


But also which more closely sits with your issue customers with the have DNS resolution issues for domains that are hosted on the LAN. We also have split tunnel enabled but not reverse and have DNS configured as Remote. 


What is really strange is that on a device that is effected we can resolve some hosts in a specific domain but not others, yet when resolving the same domain via nslookup the IP addresses are returned.


This looks to be an issue with how the DNS query is passed off to the VPN service, I've opened a support call this morning but waiting on someone being assigned. I was just wondering if you still have the issue or have managed to work around it? 


I've been able to reproduce the issue when I'm at home on my ISP connection but not when I tether via my mobile phone so this has me off down the IPv6 rabbit hole as I know my ISP has that enabled and there is a few articles about this but one of them is from 2016...

Link to comment
Share on other sites

  • 8 months later...

Hey guys, not sure if you resolved this but enabling the WFP driver in the plugin should sort it. 


WFP driver now enables support for FQDN based REVERSE split tunneling. It is not supported with the DNE driver. 



Link to comment
Share on other sites

Upgrading to resolved this issue for us but keeping with the DNE driver.


The Citrix engineer I spoke to at the time advised stopping away from WFP? What's your take as I was considering it for performance gains it may provide but was put off by the engineer. 

Link to comment
Share on other sites

  • 1 month later...

So the conversation was more along the lines of me asking about would it be advantageous moving to WFP due to some of the performance gains it can introduce.


To which he replied if your not having any issues with DNE, he'd advise not changing. WFP wasn't the default yet for a reason. But didn't elaborate .


I have to admit since upgrading our estate to our AlwaysOn VPN has been the most stable since we implemented it back in 2019.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...