Hairpin for full tunnel VPN

Chris Campbell
Level 1

I have VPDN set up on a router with IOS 15 also running overloaded NAT (PAT). The tunnel is L2TP/PPTP.

VPN is currently split tunnel and working. I need to enable full tunnel. When I changed the tunnel on the client side to route everything through the VPN, it doesn't route to the Internet (but devices inside the organization work).

What might I still need to do to implement this?


6 Replies

Richard Burts
Hall of Fame

The title of this post suggests that hair pinning is involved in the issue. For Remote Access VPN on ASA hair pinning would be something to address. But for Remote Access VPN on IOS router hair pinning should not be an issue. If it is not working I would suggest that you post the router configuration.

HTH

Rick

Richard, thank you. I may be using the term incorrectly. I thought it referred to a hairpin turn that occurred at the router (or ASA), but you're implying that it's specific to the ASA devices and OS. I assume I need to make changes to access lists to make this work. I'll sanitize the configuration and post it.

Is this article still relevant? Do I just need to run VPN traffic through a loopback interface?

https://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html#diag

You said "I may be using the term incorrectly." The term hairpin is correctly used for both ASA and IOS router where a packet arrives on an (outside) interface and then is forwarded out the same interface. My point is that the default logic on ASA does not allow this to happen (you must specifically allow this in the configuration) but that is not true on IOS routers (which will forward the packet without any configuration changes).

The article that you reference was written for the (very) old Cisco IPsec VPN client and not for the AnyConnect client. So I am inclined to say that it is not relevant. The point that it addresses is the need to translate addresses for the vpn client which you should be able to do without needing a loopback interface.

HTH

Rick

Thanks for clearing that up. I'm not using AnyConnect; I'm using the Microsoft VPN client that's built into Windows as the client and the connection is L2TP/IPsec and PPP.

Sorry that I was confused about your environment. When I look back at your original post it is fairly clear that this is not AnyConnect. When I was thinking about vpn client and full tunnel vs split tunnel I made an assumption which was faulty. My apologies.

And perhaps I put a bit too much emphasis on the term hairpinning, especially in the comparison of ASA to IOS router. Clearly what you are doing with the vpn client and changing from split tunnel to full tunnel is accurately described as hair pinning. If the full tunnel is not working we need to look at possibly several things. So I have a few questions:

- does your router config use a crypto map (similar to the one in the link that you mentioned)?

- if it does use a crypto map what is in the access list used in the crypto map?

- do you have a way to verify whether packets from the client going to Internet are getting to your router?

- does the vpn client use an IP address assigned by your router for the vpn session?

- if traffic is getting to your router but not going to the Internet there are several possibilities for what is going on. My first guess is that it may be an issue about address translation for the vpn traffic going to the Internet. What can you tell us about the configuration of address translation on your router?

HTH

Rick
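As an added illustration that is not part of this thread (it is neither Chris's configuration nor something Rick posted), the following shows the address-translation point Rick's last question raises, and the hairpin path he describes earlier (client traffic enters the WAN interface inside the tunnel and must leave the same interface translated). It is written for an IOS router that terminates L2TP/IPsec PPP sessions on a Virtual-Template and does PAT on the WAN interface; every interface name, ACL name, pool and address below is an assumption constructed for the example.

```cisco
! Assumed topology (constructed for this example, not taken from the thread):
!   LAN             192.168.10.0/24 on GigabitEthernet0/0  (ip nat inside)
!   WAN             GigabitEthernet0/1                      (ip nat outside, PAT)
!   VPN client pool 10.99.0.0/24 handed out from "ip local pool VPNPOOL"
!
ip local pool VPNPOOL 10.99.0.2 10.99.0.254
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
!
! --- Typical split-tunnel era configuration: only the LAN is translated ---
! Full-tunnel clients source 10.99.0.x, which this ACL never matches, so their
! Internet-bound packets leave Gi0/1 untranslated (private source address) and
! no reply ever comes back. Traffic to LAN hosts still works because it needs
! no translation, which is exactly the symptom in the original post.
ip access-list extended NAT-INSIDE
 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! --- Full-tunnel: two changes ---
! 1. The VPN pool must be covered by the translation ACL.
! 2. The interface the PPP sessions land on (the Virtual-Template, and so every
!    Virtual-Access cloned from it) must be an NAT inside interface; classic
!    IOS NAT only translates packets that enter an "ip nat inside" interface.
ip access-list extended NAT-INSIDE
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 10.99.0.0 0.0.0.255 any
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 peer default ip address pool VPNPOOL
! existing ppp authentication / vpdn-group settings stay as they are
```

To confirm the change took effect, `show ip nat statistics` lists the inside and outside interfaces (a connected client's Virtual-Access interface should appear under the inside list), `show access-lists NAT-INSIDE` shows the hit counter on the 10.99.0.0 entry increasing while a full-tunnel client browses, and `show ip nat translations` should then contain entries whose inside local address is a pool address. If the counters never move, the packets are not reaching the router at all, which is Rick's third question rather than a translation problem.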