Split tunnel VPN doesn't seem to work (SecuExtender and USG Flex Firewall)

Rimfire

The customer has Cloud Authentication Setup using default settings (Remote access VPN)) available for the USG FLEX 200 FW. Some 20 SecuExtender licenses. They do use MFA (Google Authenticator).

The split tunnel doesn't work imo. What ever I do to the SecuExtender Client the laptop will always result having the public IP of the USG FLEX 200 Firewall, not the local Internets public IP (what is my ip test via browser). All Win 10 laptops, no Win7/Win11 at all.

Further more, the tunnel doesn't stay up! Very problematic and the client is going away if we can't fix this.

Any ideas?

Rimfire

The ZyXEL's Second Level Support provided a new conf file for the SecuExtender Client and now the split tunnel function is working.

CHS

Remote access VPN is "Client to Site" VPN tunnel.
The VPn tunnel will offer VPN IP address after client after building VPN tunnel.
So VPN client traffic will fully transmit to VPN gateway. It is doesn't support split tunnel.

If you would like to split Internet and VPN traffic, you can consider create "Non-Nebila VPN peers" in Site to Site VPN tunnel.

Rimfire

"..create Non-Nebila VPN peers" in Site to Site VPN tunnel." What does this mean in practice? Can you plese provide additional details?

Further more. Do you have better answer to my question regarding keeping VPN tunnel open. ZyXEL first level support suggested to ping GW's LAN address through VPN tunnel but the customer reports it doesn't help. 

Rimfire

The ZyXEL's Second Level Support provided a new conf file for the SecuExtender Client and now the split tunnel function is working.