cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5890
Views
5
Helpful
11
Replies

Anyconnect ISE Posturing with Split Tunnelling

chevymannie
Level 1
Level 1

Has anyone been able to get Anyconnect ISE Posturing to work when split tunneling is enabled?  It works fine without it, but when I enable split tunneling the web page does not automatically popup like it does when it's disabled.  I've tried several things including a DNS record for enroll.cisco.com pointing to a dummy IP that goes across the tunnel, including the public IP for enroll.cisco.com in the split tunnel ACL, and using split dns to send the cisco.com domain across the tunnel.

1 Accepted Solution

Accepted Solutions

edwardwaithaka
Level 1
Level 1

The following has to be done to make enroll.cisco.com activate the posture when doing split tunneling.

1) Add the enroll.cisco.com public IP 72.163.1.80 to the split tunnel ACL

2) Configure NO-NAT for the IP 72.163.1.80 as it goes from outside (ravpn) to inside (lan)

3) Configure a route on the INSIDE leg e.g. route IF_INSIDE 72.163.1.80 255.255.255.255 <inside P2P next hop>

The above will "fool" AC client to send traffic towards the LAN but will instead get redirected and hence activate posture client. 

View solution in original post

11 Replies 11

Kanwaljeet Singh
Cisco Employee
Cisco Employee

Hi Chevy,

Yes, it should work with split tunneling.

The ISE posture module uses several methods to discover the Policy server:

  1.  Discovery Host
  2.  Enroll.cisco.com(add its ip to which it resolves in split tunnel acl)
  3.  Default gateway

These are generally done via HTTP/HTTPS and SWISS on 8905/8909.

I’d recommend setting the discovery host in the Posture profile you configured in ISE to the inside address of the ASA, and adding the IP for “enroll.cisco.com” to your split tunnel ACL and see if that fixes the issue.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

No luck there.  The Popup does not occur.  If I put the IP of an inside host in a browser it does redirect.  I've got the IP for enroll.cisco.com as part of my split tunnel ACL and I've tried setting my discovery host to an inside host as well, neither will work.  It only works correctly when all traffic is tunneled.

Any luck with this? I'm having the exact same issue. If "Tunnel All Networks" is selected everything works great. If I enable split tunneling I run into issue. Clients often can't find the policy server or they get marked compliant but the posture report never make is back to the PSN. I have added enroll.cisco.com to the split tunnel ACL and it doesn't seem to make a difference.

No luck yet.  I have a call with two TAC engineers today to see if we can come up with something.  I'll let you know how it goes.

thanks!! i have a call with TAC in 45 minutes on this as well. I'll post what i find out!

I'm having a similar issue with MAC's

Currently, I have VPN posturing setup with my Anyconnect client, ISE posture client, and Compliance module pointing to ISE.

We are in a split-tunnel setup.

Upon initial connection, Posturing happens fine. My machine is marked as "compliant." When I disconnect, my posture module stays "compliant." When I reconnect, it does NOT try to re-evaluate my posture status. and ISE thinks it's in the unknown state.

If I go to an internal page, I get redirected to ISE. And when that happens, my posture module still doesn't re-evaluate.

If I change my VPN to tunnel-all, it works fine.

enroll.cisco.com's IP has been added to my split tunnel. I also have ALL DNS going through the tunnel.

Tunnel-all seems like it's a requirement for everything to work 100% properly.

any luck with TAC?

Sorry for the late response.  None at all.  The only way we can get it to work is when we tunnel all traffic.  They think it's a bug of some sort.  The engineer from the AAA team and the one from the ASA team that I have been working with are supposed to be trying to reproduce it in a lab environment and come up with a solution.

Any luck on your end?

anshsinh
Cisco Employee
Cisco Employee

Hi All ,

 

Please let me know if the Posture itself does not work or only the browser does not come up automatically ?

 

Because if Posture is working then it has to do with the captive Portal of windows machine .

 

When windows connect to network they send out probes to check if they have internet access (www.msftncsi.com) . Different OS have different probes .

 

While connecting to different network , you may have  the redirect ACL for all the traffic which also blocked access to the windows probe but on VPN since you are using split tunnelling windows is able to reach the internet and hence no captive portal is detected and hence no window pop up .

 

Here is a good read - 

 

https://docs.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals

 

 

Irving gonzalez
Level 1
Level 1

I have the same issue with ISE 2.6 Patch 7, add ip 72.163.1.80 in my split tunnel, the same I do not get the URL Redirect, any help ?

 

Regards

edwardwaithaka
Level 1
Level 1

The following has to be done to make enroll.cisco.com activate the posture when doing split tunneling.

1) Add the enroll.cisco.com public IP 72.163.1.80 to the split tunnel ACL

2) Configure NO-NAT for the IP 72.163.1.80 as it goes from outside (ravpn) to inside (lan)

3) Configure a route on the INSIDE leg e.g. route IF_INSIDE 72.163.1.80 255.255.255.255 <inside P2P next hop>

The above will "fool" AC client to send traffic towards the LAN but will instead get redirected and hence activate posture client.