SDP Client Fails to Connect to Remote WAN Resources

Issue

The SDP Client is unable to connect to remote WAN resources via Cato, such as network drives. Connection attempts either time out or fail to reach the destination (e.g., ping fails).

Root Cause

This issue is typically caused by overlapping subnets between the SDP Client's local (home) network and the remote site hosting the WAN resources. Most home routers use default IP ranges like 192.168.0.0/24, 192.168.1.0/24, or 10.0.0.0/24. If the remote network is configured with the same range, the client may misroute traffic locally instead of through the Cato tunnel, resulting in failed connections.

Troubleshooting

  1. Compare the client’s local subnet with the subnet of the remote resources. If they overlap, the issue is likely related to routing conflicts.
  2. For Windows Clients (v5.3 and higher), use the LAN Access feature to block access to the local LAN. This forces all traffic, including LAN-routed traffic, through the secure Cato tunnel, avoiding conflicts with local resources.
  3. SDP Clients on other operating systems, such as macOS and Linux, do not support the LAN Access block feature. Instead, configure a Split Tunnel policy in CMA to explicitly direct traffic through the tunnel:
    • Define the necessary remote subnet(s) as IP Ranges in CMA (e.g., name the range Home-LAN).
    • Add a second IP Range as a default route (0.0.0.0/0) to ensure all traffic can be tunneled.
    • Apply these IP Ranges under the “Exceptions” section of a Split Tunnel policy that is set to “Route all traffic Out-of-Tunnel”. Specify the applicable OS platforms in the policy.
    • In some cases, you may need to define /32 IP ranges for individual remote hosts if only specific systems are affected.
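
The comparison in step 1 can be scripted. The following is an added example, not Cato code: the function names and sample addresses are constructed for illustration, and it only reports overlaps without changing any routing or CMA setting.

```python
import ipaddress

# Default home-router ranges named in the article.
COMMON_HOME_RANGES = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def _nets(cidrs):
    # strict=False accepts an interface address such as 192.168.1.23/24.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_overlaps(local_subnets, remote_subnets):
    """Return (local, remote) network pairs that share at least one address."""
    return [(str(l), str(r))
            for l in _nets(local_subnets)
            for r in _nets(remote_subnets)
            if l.overlaps(r)]


def shadowed_hosts(local_subnets, remote_hosts):
    """Remote hosts inside a local subnet, as single-host IP Range candidates."""
    local = _nets(local_subnets)
    return [f"{a}/{a.max_prefixlen}"
            for a in map(ipaddress.ip_address, remote_hosts)
            if any(a in n for n in local)]


def common_range_collisions(remote_subnets):
    """Remote subnets that collide with a default home-router range."""
    common = _nets(COMMON_HOME_RANGES)
    return [str(r) for r in _nets(remote_subnets)
            if any(r.overlaps(c) for c in common)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    local = ["192.168.1.23/24"]
    remote = ["192.168.1.0/24", "10.20.0.0/16", "192.168.0.0/16"]
    hosts = ["192.168.1.10", "10.20.5.5", "192.168.7.9"]
    for l, r in find_overlaps(local, remote):
        print(f"overlap: local {l} <-> remote {r}")
    print("/32 candidates:", shadowed_hosts(local, hosts))
    print("collides with home defaults:", common_range_collisions(remote))
```

Feed it the client's interface address and the remote site subnets; any host returned by `shadowed_hosts` is one the client would treat as on its local LAN.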

Best Practice Recommendations

  • If possible, configure the corporate or branch office network to use less common IP ranges, minimizing the risk of conflicts with home LANs.
  • Alternatively, instruct users to change their home router’s DHCP settings to assign a less typical IP range.

By identifying and resolving subnet overlap issues, you can significantly improve the reliability and consistency of remote WAN access via the SDP Client. For additional help with internal resource access issues, see Access to Internal Resources Troubleshooting.

3 comments

  • Comment author
    Nathan

    Can this be updated now the LAN Blocking feature is available?  I have had users at a Hotel WiFi where their Local IP overlaps with our internal WAN address space.  Enabling LAN Blocking for the user resolved the issue.

  • Comment author
    Dermot - Community Manager

    Hello Nathan!

    Thank you for highlighting this!  I will contact our documentation team and ask them to update the article appropriately.

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager)

  • Comment author
    Dermot - Community Manager

    Hello Nathan!

    The article has been updated to reflect the fact that the "LAN Blocking" feature is now available.  Thank you again for highlighting this for us.

    Kind Regards,

    Dermot Doran (Cato Networks Community Manager)