Anyconnect 4 - ISE System Scan on WiFi

kev-matthews
Level 1

Hi folks,

We're currently in the process of rolling out Anyconnect 4 with NAM and ISE agents to handle our 802.1x requirements. As part of this we're also interoperating with Anyconnect VPN on 5585-x firewalls to take advantage of the CoA on this platform.

Everything seems to be working really well, which is great, except for one thing. We have two VPN profiles: one which tunnels all traffic and one which split-tunnels corporate ranges (all RFC 1918), allowing other stuff directly out to the internet.

When we use a LAN cable to connect to the VPN, they both work OK: the system scan triggers for both profiles and the laptop is marked as compliant. When we switch over to wireless and connect the VPN, only the profile that tunnels all traffic triggers the posture scan. The split-tunnel profile does not trigger the system scan and sits in "unknown" status. The module reports that "System scan is not required on current WiFi" even though the option to allow system scan on non-802.1x networks is enabled in the configuration XML.

The names of the PSNs are looked up internally and are in our RFC 1918 range, and if I open a web browser to our intranet the PSN is located by the HTTP redirect, which can't force the system scan to trigger, so the laptop remains stuck in the unknown state.

If I change the split tunnel to "tunnel all traffic", the PSN is located and the compliance works OK. So it's something to do specifically with the split tunnel while on WiFi not triggering the redirect.

Is there any place I should start to further my investigation (other than not using split-tunnel!) to resolve this? I would imagine that the client is attempting to call something to trigger a redirect but it's going outside the VPN tunnel, but Wireshark is drawing a blank.

Thanks in advance

Kev
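As an added example for readers following the thread (not code from the original post or from Cisco), the check below works through the poster's suspicion that a discovery probe is leaving the laptop outside the tunnel. It takes a split-include list (all RFC 1918, as described in the post) and a set of destinations the ISE posture module may probe, and reports which ones would ride the VPN and which would go out the physical adapter in the clear, which is where a Wireshark capture on the WiFi interface would have to look for them. The PSN, discovery-host and gateway addresses are constructed for illustration; enroll.cisco.com is a public Cisco host the posture module probes by default, but the address given for it here is invented. The optional `local_lan` argument models the effect of enabling "Allow Local LAN Access", which is assumed here to exclude the adapter's own subnet from the tunnel.

```python
import ipaddress

# Split-include ranges as described in the post: all RFC 1918 space.
# Constructed to match the description, not the poster's actual ASA group policy.
SPLIT_INCLUDE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Destinations the ISE posture module may probe during PSN discovery.
# Every address below is made up for illustration.
PROBES = {
    "psn1 (resolved from internal DNS)": "10.20.30.40",
    "discovery host from profile XML": "10.20.30.50",
    "default gateway on home WiFi": "192.168.1.1",
    "enroll.cisco.com (assumed address)": "203.0.113.10",
}


def tunneled(addr, include=SPLIT_INCLUDE, local_lan=None):
    """True if traffic to addr would be routed into the VPN.

    include:   split-include networks pushed by the ASA group policy.
    local_lan: the adapter's connected subnet when "Allow Local LAN Access"
               is on; assumed here to be excluded from the tunnel even when
               it overlaps a split-include range.
    """
    ip = ipaddress.ip_address(addr)
    if local_lan is not None and ip in ipaddress.ip_network(local_lan):
        return False
    return any(ip in net for net in include)


def classify(probes=PROBES, include=SPLIT_INCLUDE, local_lan=None):
    """Map each probe destination to 'tunnel' or 'clear'."""
    return {
        name: ("tunnel" if tunneled(ip, include, local_lan) else "clear")
        for name, ip in probes.items()
    }


def clear_text_probes(probes=PROBES, include=SPLIT_INCLUDE, local_lan=None):
    """Destinations whose probes bypass the VPN; capture these on the
    physical WiFi adapter rather than on the AnyConnect virtual adapter."""
    return sorted(
        name for name, verdict in classify(probes, include, local_lan).items()
        if verdict == "clear"
    )


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{verdict:6}  {name}")
    print("with local LAN access on 192.168.1.0/24:",
          classify(local_lan="192.168.1.0/24")["default gateway on home WiFi"])
```

Two things the output makes visible: with an RFC 1918 include list, the probe to a home router's gateway address is pulled into the tunnel rather than answered locally, and anything resolving to a public address (the enroll.cisco.com probe in this constructed set) never enters the tunnel at all, so a capture filtered on the VPN adapter will not show it.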
