Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Anyconnect ISE Posturing with Split Tunnelling

Has anyone been able to get Anyconnect ISE Posturing to work when split tunneling is enabled?  It works fine without it, but when I enable split tunneling the web page does not automatically popup like it does when it's disabled.  I've tried several things including a DNS record for pointing to a dummy IP that goes across the tunnel, including the public IP for in the split tunnel ACL, and using split dns to send the domain across the tunnel.

Kanwaljeet Singh
Cisco Employee

Hi Chevy,

Yes, it should work with split tunneling.

The ISE posture module uses several methods to discover the Policy server:

  1.  Discovery Host
  2. its ip to which it resolves in split tunnel acl)
  3.  Default gateway

These are generally done via HTTP/HTTPS and SWISS on 8905/8909.

I’d recommend setting the discovery host in the Posture profile you configured in ISE to the inside address of the ASA, and adding the IP for “” to your split tunnel ACL and see if that fixes the issue.



Note: Please mark answers if they are helpful.

No luck there.  The Popup does not occur.  If I put the IP of an inside host in a browser it does redirect.  I've got the IP for as part of my split tunnel ACL and I've tried setting my discovery host to an inside host as well, neither will work.  It only works correctly when all traffic is tunneled.

Any luck with this? I'm having the exact same issue. If "Tunnel All Networks" is selected everything works great. If I enable split tunneling I run into issue. Clients often can't find the policy server or they get marked compliant but the posture report never make is back to the PSN. I have added to the split tunnel ACL and it doesn't seem to make a difference.

No luck yet.  I have a call with two TAC engineers today to see if we can come up with something.  I'll let you know how it goes.

thanks!! i have a call with TAC in 45 minutes on this as well. I'll post what i find out!

I'm having a similar issue with MAC's

Currently, I have VPN posturing setup with my Anyconnect client, ISE posture client, and Compliance module pointing to ISE.

We are in a split-tunnel setup.

Upon initial connection, Posturing happens fine. My machine is marked as "compliant." When I disconnect, my posture module stays "compliant." When I reconnect, it does NOT try to re-evaluate my posture status. and ISE thinks it's in the unknown state.

If I go to an internal page, I get redirected to ISE. And when that happens, my posture module still doesn't re-evaluate.

If I change my VPN to tunnel-all, it works fine.'s IP has been added to my split tunnel. I also have ALL DNS going through the tunnel.

Tunnel-all seems like it's a requirement for everything to work 100% properly.

any luck with TAC?

Sorry for the late response.  None at all.  The only way we can get it to work is when we tunnel all traffic.  They think it's a bug of some sort.  The engineer from the AAA team and the one from the ASA team that I have been working with are supposed to be trying to reproduce it in a lab environment and come up with a solution.

Any luck on your end?

Cisco Employee

Hi All ,


Please let me know if the Posture itself does not work or only the browser does not come up automatically ?


Because if Posture is working then it has to do with the captive Portal of windows machine .


When windows connect to network they send out probes to check if they have internet access ( . Different OS have different probes .


While connecting to different network , you may have  the redirect ACL for all the traffic which also blocked access to the windows probe but on VPN since you are using split tunnelling windows is able to reach the internet and hence no captive portal is detected and hence no window pop up .


Here is a good read -



Irving gonzalez

I have the same issue with ISE 2.6 Patch 7, add ip in my split tunnel, the same I do not get the URL Redirect, any help ?



Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube