AnyConnect blocks ssh connections

JBBIntel
Level 1

I am using the MobaXterm terminal emulator on a Windows machine, to connect to various HPC clusters. I also have a corporate VPN using AnyConnect. When the VPN is connected, I can access my company's machines, but SSH connections to external machines time out. If I disconnect the VPN, I can connect to the external machine. Using the -vv flag on the ssh command, I can see that when the VPN is disconnected, the SSH connection completes immediately. With the VPN connected, the URL resolves to the same IP address and port (22), but the connection times out.

7 Replies

Hello,

which Windows (10/11) and which AnyConnect client version are you running?

Windows 10 Enterprise, Cisco AnyConnect Secure Mobility Client 4.10.05085

MrButton
Level 1

In the split tunnel of the interesting traffic, do you have the trusted network listed in AnyConnect? If you open AnyConnect while connected, click on the gear icon, then click Route Details: do you see your subnetwork listed?

I have no idea what your first question means. Route Details displays a lot of IP/port entries. I am not sure what you mean by "your subnetwork". If you mean, the IP/port of the remote machine I am trying to contact, no, it's not in the list.

Hello,

as far as I recall, and I could be off here, the older versions of AnyConnect had an option to enable split tunneling (which allows you to maintain unencrypted access to the Internet, and that is most likely the cause of your issue), but on the newer ones, this can only be set in the group policy on the server (e.g. ASA side), for security reasons.

Not sure if that is an option, but the native Windows 10 VPN client lets you configure split tunneling. How to set this up is described in the link below:

https://windowsreport.com/vpn-split-tunneling-windows-10/

Thanks, that sounds like it would be a solution, if I had control of this machine. Unfortunately, it belongs to my employer, and is pretty tightly locked down. I will need to see what tech support says about the issue, but it sounds as if "split tunneling" is what I need.

Hello,

do the 'external' machines you want to reach belong to that same company? Judging from what you say about your employer's security policy, you would probably need to make the business case as to why you need to access these external devices...
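The Route Details check suggested above, and the full-tunnel vs. split-tunnel distinction discussed in the thread, can be worked through mechanically: a destination is sent into the VPN if its longest matching route points at the VPN adapter, and a 0.0.0.0/0 route on the VPN adapter means every external host (including the HPC clusters) is tunneled and subject to the corporate egress policy, which matches the symptom of SSH timing out only while connected. This is an added example, not code from the original thread or from Cisco; the route tables and addresses are constructed and the interface labels "VPN" and "LAN" are assumptions.

```python
import ipaddress

# Constructed sample route tables in the spirit of AnyConnect's "Route Details"
# (destination prefix, interface). Not real data.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "VPN"),        # default route captured by the tunnel
    ("10.0.0.0/8", "VPN"),       # corporate networks
    ("192.168.1.0/24", "LAN"),   # local subnet, excluded from the tunnel
    ("203.0.113.10/32", "LAN"),  # the VPN headend itself is never tunneled
]
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "LAN"),        # default route stays on the physical NIC
    ("10.0.0.0/8", "VPN"),       # only corporate prefixes go through the VPN
    ("192.168.1.0/24", "LAN"),
]


def parse_routes(routes):
    """Turn (prefix, interface) strings into (ip_network, interface) pairs."""
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]


def interface_for(dest, routes):
    """Longest-prefix match: the interface that would carry traffic to dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, iface in routes:
        # 'in' is False across IPv4/IPv6 versions, so mixed tables are safe
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_full_tunnel(routes):
    """True when the default route (prefix length 0) points at the VPN adapter."""
    return any(net.prefixlen == 0 and iface == "VPN" for net, iface in routes)


def tunneled_destinations(dests, route_table):
    """Map each destination to whether it would be sent into the VPN."""
    routes = parse_routes(route_table)
    return {d: interface_for(d, routes) == "VPN" for d in dests}


if __name__ == "__main__":
    hpc = "192.0.2.50"  # constructed address standing in for an external HPC login node
    for name, table in (("full", FULL_TUNNEL_ROUTES), ("split", SPLIT_TUNNEL_ROUTES)):
        print(name, is_full_tunnel(parse_routes(table)), tunneled_destinations([hpc, "10.1.2.3"], table))
```

With the full-tunnel table the external host is tunneled, so whether SSH to it succeeds is decided by the corporate egress policy rather than by the local network; with the split-tunnel table only 10.0.0.0/8 is tunneled and the external host leaves via the LAN directly.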