https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551975#M189 <P>check this article and sub chapters. these destinations should be exempted from VPN:<BR /><A href="https://securitydocs.cisco.com/docs/csa/olh/118928.dita" rel="noopener" target="_blank">Network Requirements for Secure Access</A></P> Mon, 11 May 2026 06:38:32 GMT cludwigd 2026-05-11T06:38:32Z https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5549076#M174 <P>Hello everyone,<BR />We are currently conducting an Always On Test in Secure Access.
When the PC is turned on, all internet connectivity is blocked, and after enforcing SSL VPN, the internet becomes available once the VPN is connected.<BR />In the VPN profile settings, we have verified that through auto VPN-related configurations, internet access is allowed on trusted networks, and blocked on untrusted networks.<BR />However, when attempting to initiate VPN on an untrusted network, there is no internet connectivity, so DUO cannot perform SSO authentication. It seems like DUO SSO needs to be treated as an exception. Which setting should be configured for this?<BR />Also, what is the purpose of the machine tunnel feature?<BR />We would appreciate your expert advice.</P> Wed, 29 Apr 2026 13:40:21 GMT https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5549076#M174 msbang 2026-04-29T13:40:21Z https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551711#M186 <P>Hello.</P><P>You can enable DUO SSO by registering the FQDN required for DUO SSO access in the “Accessible hosts with VPN disconnected” option of the VPN Profile.</P><P>For more information on “Accessible hosts with VPN disconnected,” please refer to the following link:<BR /><A href="https://securitydocs.cisco.com/docs/csa/olh/121141.dita" target="_blank">https://securitydocs.cisco.com/docs/csa/olh/121141.dita</A></P><P>For information on machine tunnels, please refer to the following link.<BR /><A href="https://www.cisco.com/c/en/us/support/docs/security/secure-access/223193-configure-machine-tunnel-on-cisco.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/secure-access/223193-configure-machine-tunnel-on-cisco.html</A></P><P>&nbsp;</P> Sat, 09 May 2026 01:50:43 GMT https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551711#M186 nop-tk 2026-05-09T01:50:43Z https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551718#M187 <P>Good infomartion for&nbsp;<SPAN>DUO SSO by registering</SPAN></P> Sat, 09 May 2026 04:13:26 GMT https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551718#M187 iqbalfadjarudin93 2026-05-09T04:13:26Z https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551923#M188 <P class=""><SPAN>Even after adding exceptions for Duo SSO, APIs, and related services, it still seems unable to retrieve the SSO authentication properly during testing.</SPAN></P><P class=""><SPAN>Do you happen to know which specific domains, services, or traffic should be exempted so that SSL VPN can be enforced while the device is still offline from general internet access, but able to complete Duo SSO authentication successfully?</SPAN></P><P><SPAN>We would really appreciate your guidance and support on this.</SPAN></P> Mon, 11 May 2026 03:59:22 GMT https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551923#M188 msbang 2026-05-11T03:59:22Z https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551975#M189 <P>check this article and sub chapters. these destinations should be exempted from VPN:<BR /><A href="https://securitydocs.cisco.com/docs/csa/olh/118928.dita" rel="noopener" target="_blank">Network Requirements for Secure Access</A></P> Mon, 11 May 2026 06:38:32 GMT https://community.cisco.com/t5/secure-access-discussions/secure-access-always-on/m-p/5551975#M189 cludwigd 2026-05-11T06:38:32Z