Solved.
It was DNS. It’s always DNS.
After reviewing the policy traffic logs, I could see DNS requests coming from iOS devices over the tunnel, which were destined for their own local DNS (typically home router). Not sure why this behaviour was not present for other OSes. Changed the DNS settings in SSL VPN to specify the upstream ISP DNS servers, and all is right with the world.
Original:
I have a full tunnel SSL VPN set up for a customer. They use it purely for remote access to their development (access to customer sites via S2S VPN, testing apps where the testing endpoints are whitelistd to their office IP only, etc).
Authentication is done via SAML to Google Workspace. Likely doesn’t pertain to the issue, but good to know in context.
All devices work just fine over this VPN. Except iOS. I have read that there is an iOS limitation on VPNs with DNS search domains, but that does seem to pertain here, as this is affecting things that use FQDN (even just trying to navigate to google.com, for example). DNS is provided by the upstream ISP, so nothing internal.
When iOS devices connect, they have no internet at all. Other devices connected at the same time are fine.
I don’t have access to the Gate (or an iOS device) right now to gather details, but will do in the next few days. What are some things I can check? Am I better off just setting up an IPSEC tunnel, or will I run into the same issue?