11-03-2016 06:50 AM - edited 03-11-2019 12:12 AM
Has anyone been able to get Anyconnect ISE Posturing to work when split tunneling is enabled? It works fine without it, but when I enable split tunneling the web page does not automatically pop up like it does when it's disabled. I've tried several things, including a DNS record for enroll.cisco.com pointing to a dummy IP that goes across the tunnel, including the public IP for enroll.cisco.com in the split tunnel ACL, and using split DNS to send the cisco.com domain across the tunnel.
02-23-2023 03:11 AM
The following has to be done to make enroll.cisco.com activate the posture when doing split tunneling.
1) Add the enroll.cisco.com public IP 72.163.1.80 to the split tunnel ACL
2) Configure NO-NAT for the IP 72.163.1.80 as it goes from outside (ravpn) to inside (lan)
3) Configure a route on the INSIDE leg e.g. route IF_INSIDE 72.163.1.80 255.255.255.255 <inside P2P next hop>
The above will "fool" the AC client into sending traffic towards the LAN, where it will instead get redirected and hence activate the posture client.
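The three steps above written out as ASA CLI configuration, as an added example rather than the poster's own config. Only the enroll.cisco.com address 72.163.1.80 comes from the thread; the interface names (outside/inside), the VPN pool 10.200.0.0/24, the internal network 10.0.0.0/8, the inside next hop 10.1.1.2 and every object, ACL and group-policy name are assumptions.

```cisco
! Added example with assumed names and addresses; only 72.163.1.80 is from the thread.

! Step 1: split-tunnel ACL. Keep the internal networks and add a host entry
! for the enroll.cisco.com public IP so the client sends that probe into the tunnel.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit host 72.163.1.80

group-policy GP_RAVPN_POSTURE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Step 2: NAT exemption (identity twice NAT) for VPN-pool traffic to 72.163.1.80
! as it passes from the outside (RAVPN) interface to inside, so the probe is not
! translated before the ISE redirect ACL sees it.
object network OBJ_VPN_POOL
 subnet 10.200.0.0 255.255.255.0
object network OBJ_ENROLL_CISCO
 host 72.163.1.80
nat (outside,inside) source static OBJ_VPN_POOL OBJ_VPN_POOL destination static OBJ_ENROLL_CISCO OBJ_ENROLL_CISCO no-proxy-arp route-lookup

! Step 3: host route on the inside leg (next hop assumed) so the ASA forwards
! the probe toward the LAN instead of out to the internet.
route inside 72.163.1.80 255.255.255.255 10.1.1.2 1
```

The manual NAT rule lives in section 1 of the NAT table, so it is evaluated before any dynamic PAT for the VPN pool; verify with `packet-tracer input outside tcp <pool-client-ip> 1025 72.163.1.80 80` that the flow matches this rule and egresses on inside rather than outside.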
11-03-2016 07:13 AM
Hi Chevy,
Yes, it should work with split tunneling.
The ISE posture module uses several methods to discover the Policy server:
1. Discovery Host
2. Enroll.cisco.com(add its
3. Default gateway
These are generally done via HTTP/HTTPS and SWISS on 8905/8909.
I’d recommend setting the discovery host in the Posture profile you configured in ISE to the inside address of the ASA, and adding the IP for “enroll.cisco.com” to your split tunnel ACL and see if that fixes the issue.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
11-04-2016 07:23 AM
No luck there. The Popup does not occur. If I put the IP of an inside host in a browser it does redirect. I've got the IP for enroll.cisco.com as part of my split tunnel ACL and I've tried setting my discovery host to an inside host as well, neither will work. It only works correctly when all traffic is tunneled.
11-07-2016 09:01 AM
Any luck with this? I'm having the exact same issue. If "Tunnel All Networks" is selected everything works great. If I enable split tunneling I run into issues. Clients often can't find the policy server, or they get marked compliant but the posture report never makes it back to the PSN. I have added enroll.cisco.com to the split tunnel ACL and it doesn't seem to make a difference.
11-07-2016 09:03 AM
No luck yet. I have a call with two TAC engineers today to see if we can come up with something. I'll let you know how it goes.
11-07-2016 09:19 AM
Thanks!! I have a call with TAC in 45 minutes on this as well. I'll post what I find out!
06-13-2017 01:27 PM
I'm having a similar issue with Macs.
Currently, I have VPN posturing setup with my Anyconnect client, ISE posture client, and Compliance module pointing to ISE.
We are in a split-tunnel setup.
Upon initial connection, Posturing happens fine. My machine is marked as "compliant." When I disconnect, my posture module stays "compliant." When I reconnect, it does NOT try to re-evaluate my posture status, and ISE thinks it's in the unknown state.
If I go to an internal page, I get redirected to ISE. And when that happens, my posture module still doesn't re-evaluate.
If I change my VPN to tunnel-all, it works fine.
enroll.cisco.com's IP has been added to my split tunnel. I also have ALL DNS going through the tunnel.
Tunnel-all seems like it's a requirement for everything to work 100% properly.
11-08-2016 12:21 PM
any luck with TAC?
11-14-2016 06:41 AM
Sorry for the late response. None at all. The only way we can get it to work is when we tunnel all traffic. They think it's a bug of some sort. The engineer from the AAA team and the one from the ASA team that I have been working with are supposed to be trying to reproduce it in a lab environment and come up with a solution.
Any luck on your end?
06-16-2020 03:56 AM
Hi All,
Please let me know whether the Posture itself does not work, or only the browser does not come up automatically.
Because if Posture is working, then it has to do with the captive portal of the Windows machine.
When Windows connects to a network it sends out probes to check whether it has internet access (www.msftncsi.com). Different OSes have different probes.
When connecting to a different network, you may have a redirect ACL for all the traffic, which also blocked access to the Windows probe; but on VPN, since you are using split tunnelling, Windows is able to reach the internet, so no captive portal is detected and no window pops up.
Here is a good read -
https://docs.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals
10-03-2020 10:39 PM
I have the same issue with ISE 2.6 Patch 7. I added IP 72.163.1.80 to my split tunnel, and I still do not get the URL redirect. Any help?
Regards