SDP Client Can't Connect to Remote WAN Resources

Issue

The SDP Client can't connect to remote WAN resources via Cato, such as a network drive. Connections time out, or the client fails to ping these remote resources.

Answer

This problem is commonly caused by overlapping subnets between the SDP client's home network and the site hosting the remote resources. Many home wireless routers use default IP ranges like 192.168.0.0/24, 192.168.1.0/24, or 10.0.0.0/24, which can conflict with remote sites using the same IP ranges. As a result, the SDP Client may struggle to route traffic correctly, causing timeouts and connection failures.

Troubleshooting steps:

  1. Compare the local subnet of the client with the subnet of the remote resources to see if there's an overlap.
  2. For Windows Clients (v5.3 and higher) that support the LAN Access feature, you can resolve the overlap issue by blocking LAN Access. This will prevent traffic from going to the local subnet and ensure it is routed through the tunnel.
  3. SDP Clients in other OSs, such as macOS and Linux, do not support LAN Access blocking. Instead, you can force LAN traffic through the tunnel by defining specific subnets in a Split Tunnel policy, as explained in Centralized Management of Remote Traffic Routing. Here’s how:
    • Explicitly define the required subnet for remote resources as IP Ranges in CMA.
    • Include the IP Ranges under the "Include specific IPs" section of a Split Tunnel policy and define the desired OS platform.
    • To ensure all traffic goes through the tunnel, add a default route (0.0.0.0/0) along with the necessary LAN subnet.
    • In some cases, you may need to define /32 subnets for specific hosts on the client’s LAN network to direct traffic accurately.
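
The overlap check from step 1 and the /32 host entries from step 3, as an added Python example that is not Cato's code. All addresses are constructed samples, and `chosen_route` is a generic longest-prefix-match model of an OS routing table, an assumption used for illustration rather than documented SDP Client behaviour.

```python
import ipaddress

# Constructed sample values: swap in the client's real LAN and the site's ranges.
HOME_LAN = "192.168.1.0/24"
REMOTE_RANGES = ["192.168.1.0/24", "10.20.0.0/16"]
REMOTE_HOSTS = ["192.168.1.50", "10.20.4.10"]


def find_overlaps(local_lan, remote_ranges):
    """Return the remote ranges that overlap the client's local subnet."""
    local = ipaddress.ip_network(local_lan, strict=False)
    return [r for r in remote_ranges
            if ipaddress.ip_network(r, strict=False).overlaps(local)]


def host_routes_needed(local_lan, remote_hosts):
    """Return /32 entries for remote hosts whose address falls inside the local LAN."""
    local = ipaddress.ip_network(local_lan, strict=False)
    return [f"{h}/32" for h in remote_hosts if ipaddress.ip_address(h) in local]


def chosen_route(dest, routes):
    """Generic longest-prefix match: return the (prefix, next_hop) that wins for dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p, strict=False), hop) for p, hop in routes
               if addr in ipaddress.ip_network(p, strict=False)]
    if not matches:
        return None  # no route covers this destination
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), hop


if __name__ == "__main__":
    print("Overlapping remote ranges:", find_overlaps(HOME_LAN, REMOTE_RANGES))
    entries = host_routes_needed(HOME_LAN, REMOTE_HOSTS)
    print("Host entries to include:", entries)
    # The connected /24 is more specific than 0.0.0.0/0, so it wins until a /32 is added.
    table = [(HOME_LAN, "local LAN"), ("0.0.0.0/0", "tunnel")]
    print("Before /32:", chosen_route("192.168.1.50", table))
    table += [(e, "tunnel") for e in entries]
    print("After /32: ", chosen_route("192.168.1.50", table))
```

The "before" and "after" lines show why a default route by itself can leave an overlapping host unreachable while a /32 entry for that host does not.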

Best Practice Recommendations:

  • If possible, reconfigure the corporate network's IP range to avoid overlaps with common home LAN ranges.
  • Alternatively, the user can change the DHCP settings on their home router to use a less common IP range.

Following these steps will help resolve connectivity issues related to overlapping subnets, ensuring a more stable connection to remote resources. For other issues related to accessing internal resources at Cato, see Access to Internal Resources Troubleshooting.

3 comments

  • Comment author
    Nathan

    Can this be updated now the LAN Blocking feature is available?  I have had users at a Hotel WiFi where their Local IP overlaps with our internal WAN address space.  Enabling LAN Blocking for the user resolved the issue.

  • Comment author
    Dermot - Community Manager

    Hello Nathan!

    Thank you for highlighting this!  I will contact our documentation team and ask them to update the article appropriately.

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager)

  • Comment author
    Dermot - Community Manager

    Hello Nathan!

    The article has been updated to reflect the fact that the "LAN Blocking" feature is now available.  Thank you again for highlighting this for us.

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager)
