Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5015
Views
5
Helpful
11
Replies

Anyconnect ISE Posturing with Split Tunnelling

Go to solution
chevymannie
Level 1
Level 1

‎11-03-2016 06:50 AM - edited ‎03-11-2019 12:12 AM

Has anyone been able to get Anyconnect ISE Posturing to work when split tunneling is enabled?  It works fine without it, but when I enable split tunneling the web page does not automatically popup like it does when it's disabled.  I've tried several things including a DNS record for enroll.cisco.com pointing to a dummy IP that goes across the tunnel, including the public IP for enroll.cisco.com in the split tunnel ACL, and using split dns to send the cisco.com domain across the tunnel.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
edwardwaithaka
Level 1
Level 1

‎02-23-2023 03:11 AM

The following has to be done to make enroll.cisco.com activate the posture when doing split tunneling.

1) Add the enroll.cisco.com public IP 72.163.1.80 to the split tunnel ACL

2) Configure NO-NAT for the IP 72.163.1.80 as it goes from outside (ravpn) to inside (lan)

3) Configure a route on the INSIDE leg e.g. route IF_INSIDE 72.163.1.80 255.255.255.255 <inside P2P next hop>

The above will "fool" AC client to send traffic towards the LAN but will instead get redirected and hence activate posture client. 

View solution in original post

11 Replies 11

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎11-03-2016 07:13 AM

Hi Chevy,

Yes, it should work with split tunneling.

The ISE posture module uses several methods to discover the Policy server:

  1.  Discovery Host
  2.  Enroll.cisco.com(add its ip to which it resolves in split tunnel acl)
  3.  Default gateway

These are generally done via HTTP/HTTPS and SWISS on 8905/8909.

I’d recommend setting the discovery host in the Posture profile you configured in ISE to the inside address of the ASA, and adding the IP for “enroll.cisco.com” to your split tunnel ACL and see if that fixes the issue.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Go to solution
chevymannie
Level 1
Level 1
In response to Kanwaljeet Singh

‎11-04-2016 07:23 AM

No luck there.  The Popup does not occur.  If I put the IP of an inside host in a browser it does redirect.  I've got the IP for enroll.cisco.com as part of my split tunnel ACL and I've tried setting my discovery host to an inside host as well, neither will work.  It only works correctly when all traffic is tunneled.

0 Helpful

Go to solution
James Walsh
Level 1
Level 1
In response to chevymannie

‎11-07-2016 09:01 AM

Any luck with this? I'm having the exact same issue. If "Tunnel All Networks" is selected everything works great. If I enable split tunneling I run into issue. Clients often can't find the policy server or they get marked compliant but the posture report never make is back to the PSN. I have added enroll.cisco.com to the split tunnel ACL and it doesn't seem to make a difference.

0 Helpful

Go to solution
chevymannie
Level 1
Level 1
In response to James Walsh

‎11-07-2016 09:03 AM

No luck yet.  I have a call with two TAC engineers today to see if we can come up with something.  I'll let you know how it goes.

Go to solution
James Walsh
Level 1
Level 1
In response to chevymannie

‎11-07-2016 09:19 AM

thanks!! i have a call with TAC in 45 minutes on this as well. I'll post what i find out!

Go to solution
Ralphy006
Level 1
Level 1
In response to James Walsh

‎06-13-2017 01:27 PM

I'm having a similar issue with MAC's

Currently, I have VPN posturing setup with my Anyconnect client, ISE posture client, and Compliance module pointing to ISE.

We are in a split-tunnel setup.

Upon initial connection, Posturing happens fine. My machine is marked as "compliant." When I disconnect, my posture module stays "compliant." When I reconnect, it does NOT try to re-evaluate my posture status. and ISE thinks it's in the unknown state.

If I go to an internal page, I get redirected to ISE. And when that happens, my posture module still doesn't re-evaluate.

If I change my VPN to tunnel-all, it works fine.

enroll.cisco.com's IP has been added to my split tunnel. I also have ALL DNS going through the tunnel.

Tunnel-all seems like it's a requirement for everything to work 100% properly.

0 Helpful

Go to solution
James Walsh
Level 1
Level 1
In response to chevymannie

‎11-08-2016 12:21 PM

any luck with TAC?

0 Helpful

Go to solution
chevymannie
Level 1
Level 1
In response to James Walsh

‎11-14-2016 06:41 AM

Sorry for the late response.  None at all.  The only way we can get it to work is when we tunnel all traffic.  They think it's a bug of some sort.  The engineer from the AAA team and the one from the ASA team that I have been working with are supposed to be trying to reproduce it in a lab environment and come up with a solution.

Any luck on your end?

Go to solution
anshsinh
Cisco Employee
Cisco Employee

‎06-16-2020 03:56 AM

Hi All ,

 

Please let me know if the Posture itself does not work or only the browser does not come up automatically ?

 

Because if Posture is working then it has to do with the captive Portal of windows machine .

 

When windows connect to network they send out probes to check if they have internet access (www.msftncsi.com) . Different OS have different probes .

 

While connecting to different network , you may have  the redirect ACL for all the traffic which also blocked access to the windows probe but on VPN since you are using split tunnelling windows is able to reach the internet and hence no captive portal is detected and hence no window pop up .

 

Here is a good read - 

 

https://docs.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals

 

 

0 Helpful

Go to solution
Irving gonzalez
Level 1
Level 1

‎10-03-2020 10:39 PM

I have the same issue with ISE 2.6 Patch 7, add ip 72.163.1.80 in my split tunnel, the same I do not get the URL Redirect, any help ?

 

Regards

0 Helpful

Go to solution
edwardwaithaka
Level 1
Level 1

‎02-23-2023 03:11 AM

The following has to be done to make enroll.cisco.com activate the posture when doing split tunneling.

1) Add the enroll.cisco.com public IP 72.163.1.80 to the split tunnel ACL

2) Configure NO-NAT for the IP 72.163.1.80 as it goes from outside (ravpn) to inside (lan)

3) Configure a route on the INSIDE leg e.g. route IF_INSIDE 72.163.1.80 255.255.255.255 <inside P2P next hop>

The above will "fool" AC client to send traffic towards the LAN but will instead get redirected and hence activate posture client. 

Customers Also Viewed These Support Documents