topic Re: Anyconnect + ASA split tunneling limitation [information request] in Network Security

Anyconnect + ASA split tunneling limitation [information request]

Amen — Fri, 24 Jun 2022 13:59:52 GMT

We have the following devices for our company VPNs:

* Concentrator: Cisco Adaptive Security Appliance Software Version
9.8(4)40,
* Client: Cisco Anyconnect version 4.9.00086

We have already implemented split tunneling with a couple of subnets that
go through the tunnel and a default route 0/0 that goes to the internet
directly.

We wanted to know if there’s a limitation regarding the number of subnets
that we can configure on the split tunneling policy to go through the VPN.
Nowadays we have only 5 routes but we’ll have to configure about 150
subnets (or more).

We have not found any official documentation regarding this information.

Is there any limitation? If yes, could you please tell us what’s the limit? or if there are any documents in the cisco Portal?

Thanks

Re: Anyconnect + ASA split tunneling limitation [information request]

balaji.bandi — Fri, 24 Jun 2022 14:03:58 GMT

i do not see any Limitation as per i know.

but look at the thread :

https://community.cisco.com/t5/vpn/asa-anyconnect-restrictions-for-split-tunneling-network-list/td-p/2328881

Re: Anyconnect + ASA split tunneling limitation [information request]

Amen — Fri, 24 Jun 2022 14:20:26 GMT

Thanks, but I see it's quite old,(( ASA 5520 firmware version 9.1.1 with setting up SSL VPN Anyconnect(Anyconnect client version 2.5.605)))) but mine are ASA 9.8(4)40, and Anyconnect 4.9.+.

there must be a change now. do you have some links or formal resources?

Re: Anyconnect + ASA split tunneling limitation [information request]

balaji.bandi — Fri, 24 Jun 2022 14:29:39 GMT

Not that i can direct you, i use latest 9.14.X we have many ACL(like 100+) not see that issue, that is the reason posted that URL for reference.

Re: Anyconnect + ASA split tunneling limitation [information request]

Amen — Fri, 24 Jun 2022 14:45:46 GMT

Thanks for your reply. Did you mean 100 routes/subnets/lines maybe? The question is not how many tunnels we can configure but how many lines in the ACL (routes or subnets to be sent to the VPN connection) can be supported by the client + firewall. I suppose the limitation will come from the client, not the concentrator.

Re: Anyconnect + ASA split tunneling limitation [information request]

Rob Ingram — Fri, 24 Jun 2022 15:22:47 GMT

@Amen I've seen no documentation on the limits or recommendations of the number of split-tunnel routes. Can you not summarise the network routes, that would be more efficient than defining 100s of routes in the split tunnel ACL.

Re: Anyconnect + ASA split tunneling limitation [information request]

Amen — Wed, 13 Jul 2022 09:18:50 GMT

there are no limitations,

Subnets or prefixes are represented as objects. You can have over 500 objects created