Has anyone been able to get Anyconnect ISE Posturing to work when split tunneling is enabled? It works fine without it, but when I enable split tunneling the web page does not automatically popup like it does when it's disabled. I've tried several things including a DNS record for enroll.cisco.com pointing to a dummy IP that goes across the tunnel, including the public IP for enroll.cisco.com in the split tunnel ACL, and using split dns to send the cisco.com domain across the tunnel.
Yes, it should work with split tunneling.
The ISE posture module uses several methods to discover the Policy server:
1. Discovery Host
2. Enroll.cisco.com (add its
3. Default gateway
These are generally done via HTTP/HTTPS and SWISS on 8905/8909.
I’d recommend setting the discovery host in the Posture profile you configured in ISE to the inside address of the ASA, and adding the IP for “enroll.cisco.com” to your split tunnel ACL and see if that fixes the issue.
Note: Please mark answers if they are helpful.
No luck there. The popup does not occur. If I put the IP of an inside host in a browser it does redirect. I've got the IP for enroll.cisco.com as part of my split tunnel ACL and I've tried setting my discovery host to an inside host as well; neither works. It only works correctly when all traffic is tunneled.
Any luck with this? I'm having the exact same issue. If "Tunnel All Networks" is selected everything works great. If I enable split tunneling I run into issues. Clients often can't find the policy server, or they get marked compliant but the posture report never makes it back to the PSN. I have added enroll.cisco.com to the split tunnel ACL and it doesn't seem to make a difference.
I'm having a similar issue with Macs.
Currently, I have VPN posturing setup with my Anyconnect client, ISE posture client, and Compliance module pointing to ISE.
We are in a split-tunnel setup.
Upon initial connection, posturing happens fine. My machine is marked as "compliant." When I disconnect, my posture module stays "compliant." When I reconnect, it does NOT try to re-evaluate my posture status, and ISE thinks it's in the unknown state.
If I go to an internal page, I get redirected to ISE. And when that happens, my posture module still doesn't re-evaluate.
If I change my VPN to tunnel-all, it works fine.
enroll.cisco.com's IP has been added to my split tunnel. I also have ALL DNS going through the tunnel.
Tunnel-all seems like it's a requirement for everything to work 100% properly.
Sorry for the late response. None at all. The only way we can get it to work is when we tunnel all traffic. They think it's a bug of some sort. The engineer from the AAA team and the one from the ASA team that I have been working with are supposed to be trying to reproduce it in a lab environment and come up with a solution.
Any luck on your end?
Hi All,
Please let me know if the posture itself does not work, or only the browser does not come up automatically?
Because if posture is working, then it has to do with the captive portal of the Windows machine.
When Windows connects to a network it sends out probes to check whether it has internet access (www.msftncsi.com). Different OSes have different probes.
While connecting to a different network, you may have the redirect ACL for all the traffic, which also blocks access to the Windows probe; but on VPN, since you are using split tunnelling, Windows is able to reach the internet, hence no captive portal is detected and hence no window pops up.
Here is a good read -
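The two explanations in this thread (the posture module's discovery targets must be reachable through the tunnel, and the OS only raises a captive-portal popup when its connectivity probe is intercepted) can be checked against a split-tunnel ACL before touching the ASA. The following is an added example, not code from the thread or from Cisco: it parses an ASA-style standard ACL of the kind used as an AnyConnect split-tunnel network list and reports which endpoints would be routed through the tunnel. All networks and IP addresses in it are constructed placeholders (TEST-NET ranges and RFC 1918 space), not real resolutions of enroll.cisco.com or www.msftncsi.com; resolve the real ones in your own environment.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: an ASA standard ACL used as the AnyConnect split-tunnel
# network list. These networks are made up for the example.
SAMPLE_SPLIT_ACL = """\
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
"""

# Same ACL with a host entry for the (placeholder) enroll.cisco.com address,
# mirroring what several posters in the thread tried.
SAMPLE_SPLIT_ACL_WITH_ENROLL = SAMPLE_SPLIT_ACL + (
    "access-list SPLIT_TUNNEL standard permit host 203.0.113.10\n"
)

# Constructed endpoints the posture module or the OS tries to reach.
# The addresses are placeholders chosen for illustration only.
SAMPLE_TARGETS = {
    "discovery host (ASA inside)": "10.1.1.1",
    "enroll.cisco.com": "203.0.113.10",
    "ISE PSN (8905/8909)": "10.1.2.20",
    "www.msftncsi.com (Windows NCSI probe)": "198.51.100.5",
}


def parse_split_acl(acl_text: str) -> List[ipaddress.IPv4Network]:
    """Parse 'access-list NAME standard permit NET MASK' and
    'access-list NAME standard permit host ADDR' lines into networks."""
    networks = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        if parts[2] != "standard" or parts[3] != "permit":
            continue
        if parts[4] == "host" and len(parts) == 6:
            networks.append(ipaddress.IPv4Network(f"{parts[5]}/32"))
        elif len(parts) == 6:
            # ipaddress accepts a dotted netmask after the slash.
            networks.append(
                ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}", strict=False)
            )
    return networks


def goes_through_tunnel(ip: str, networks: List[ipaddress.IPv4Network]) -> bool:
    """True if the destination matches any split-tunnel network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)


def posture_discovery_report(acl_text: str, targets: Dict[str, str]) -> Dict[str, bool]:
    """Map each named endpoint to whether it would be sent through the tunnel."""
    nets = parse_split_acl(acl_text)
    return {name: goes_through_tunnel(ip, nets) for name, ip in targets.items()}


def captive_portal_popup_expected(acl_text: str, probe_ip: str) -> bool:
    """The OS raises its captive-portal popup only when its probe is intercepted
    (e.g. by the redirect ACL). With split tunneling, a probe that bypasses the
    tunnel reaches the Internet directly, so no popup is expected."""
    return goes_through_tunnel(probe_ip, parse_split_acl(acl_text))


if __name__ == "__main__":
    for label, acl in (("base ACL", SAMPLE_SPLIT_ACL),
                       ("ACL + enroll host", SAMPLE_SPLIT_ACL_WITH_ENROLL)):
        print(f"== {label} ==")
        for name, tunneled in posture_discovery_report(acl, SAMPLE_TARGETS).items():
            print(f"  {name:40s} tunneled={tunneled}")
        print("  popup expected:",
              captive_portal_popup_expected(acl, SAMPLE_TARGETS["www.msftncsi.com (Windows NCSI probe)"]))
```

With the base ACL the discovery host and PSN are tunneled but enroll.cisco.com is not; adding the host entry fixes that one target, yet the NCSI probe still bypasses the tunnel, so the report shows why the popup does not reappear even after the ACL change the posters describe.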