Network Bypass in Network tunnel from Umbrella SIG to ASA
04-29-2023 03:19 AM
Hi,
We have an existing Network Tunnel between the ASA and Umbrella SIG; the tunnel is up and we can see the requests going into the tunnel. The SIG policy works fine when the traffic is using the IPsec VPN tunnel, and the Umbrella documentation suggests using PBR, which is fine. (We are using Trusted Network Detection, so we cannot use SWG; instead we use PBR to push the VPN pool segment to the SIG DC after the remote-access VPN is connected.)
I have a situation in which I need to exempt MS Office and some specific URLs/FQDNs from the IPsec VPN, so I put a deny statement on line 1, as below:
access-list umbrella-acl line 1 extended deny ip any object-group block-list
access-list umbrella-acl line 2 extended permit ip object-group (VPN pool) any
route-map umbrella PBR permit 100
match ip address umbrella-acl
set ip next-hop ....
The above statements, when put under the route-map, only work for the deny statement; the next ACL line never gets evaluated. I tried using two different route-maps, but the deny is never hit.
Not sure if it is a bug or whether the documentation from the Umbrella engineering team is incorrect. Also, I note that the ASA prefers a standard ACL over an extended one, and it gives a warning when using an extended ACL that a destination of any will have no effect on the route-map.
Regards,
Sameer
Labels: Cloud Security
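As an added illustration (not from the post, and not Cisco's code), the following is a small model of how a PBR route-map is normally expected to evaluate its match ACL: a permit ACE selects the clause's next hop, while a deny ACE or no match means the clause does not apply and the packet falls back to the routing table. The VPN pool and block-list prefixes are constructed placeholders standing in for the post's object-groups, and the next hop is just a label; the intended effect of the post's ACL is that block-list destinations bypass the SIG tunnel while other VPN-pool traffic is policy-routed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-list entry: action plus source and destination prefixes."""
    action: str   # "permit" or "deny"
    src: list     # list of ip_network objects
    dst: list     # list of ip_network objects

    def matches(self, s, d):
        return any(s in n for n in self.src) and any(d in n for n in self.dst)


ANY = [ipaddress.ip_network("0.0.0.0/0")]
# Constructed sample prefixes (assumptions) for the post's object-groups.
VPN_POOL = [ipaddress.ip_network("10.200.0.0/16")]
BLOCK_LIST = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]

# Mirrors "access-list umbrella-acl": line 1 deny, line 2 permit.
UMBRELLA_ACL = [
    Ace("deny", ANY, BLOCK_LIST),   # exempt these destinations from the tunnel
    Ace("permit", VPN_POOL, ANY),   # everything else from the VPN pool
]

# route-map umbrella: (sequence, match ACL, next hop label). Hypothetical next hop.
ROUTE_MAP = [(100, UMBRELLA_ACL, "sig-tunnel-next-hop")]


def acl_lookup(acl, src, dst):
    """First-match ACL evaluation: 'permit', 'deny', or None (implicit deny)."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return None


def policy_route(route_map, src, dst):
    """Return the PBR next hop for a flow, or 'normal-routing' if no clause applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, acl, next_hop in route_map:
        if acl_lookup(acl, s, d) == "permit":
            return next_hop
        # deny or no match: this clause is skipped, continue with the next sequence
    return "normal-routing"
```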
