Dynamic Split Tunneling in AnyConnect VPN


 

  • The dynamic split tunneling exclusions address scenarios where traffic for a certain service needs to be excluded from the VPN tunnel dynamically, at run time.
    • Use case: a public cloud service with a wide range of public IPs, such as O365, that needs to be excluded from the VPN connection dynamically at run time.
  • Depending on the split tunneling policy configured, the dynamic split tunneling exclusion is applied as follows:
    • Tunnel All Networks—All exclusions from the VPN tunnel are dynamic.
    • Exclude Specific Networks—Dynamic exclusions are added to the preconfigured static ones.
    • Include Specific Networks—Dynamic exclusions are only relevant if at least one IP address of the excluded host names overlaps with a split include network. Otherwise, the traffic is already excluded from the VPN tunnel, and no dynamic exclusion is performed.
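As an added illustration of the three policy cases above (example code, not Cisco's and not part of the original post), the following Python models which resolved addresses of an excluded host name actually need a run-time exclusion. The policy keywords are the ASA split-tunnel-policy values (tunnelall, excludespecified, tunnelspecified); the networks and addresses are constructed samples taken from documentation ranges.

```python
"""Added example (not Cisco's code): models which resolved addresses of a
dynamically excluded host name need a dynamic exclusion, given the ASA
split-tunnel policy.  Networks and addresses below are constructed samples."""
import ipaddress

# ASA split-tunnel-policy keywords, mapped to the cases described above
TUNNEL_ALL = "tunnelall"                # Tunnel All Networks
EXCLUDE_SPECIFIED = "excludespecified"  # Exclude Specific Networks
INCLUDE_SPECIFIED = "tunnelspecified"   # Include Specific Networks


def classify(policy, split_networks, resolved_ips):
    """Return {ip: how it bypasses the tunnel} for every resolved IP of an
    excluded host name.

    split_networks is the split-tunnel ACL content: the excluded networks
    under excludespecified, the included networks under tunnelspecified,
    and ignored under tunnelall.

    'dynamic'          a run-time exclusion is installed for this address
    'static'           the static split-exclude network already covers it
    'outside-include'  the split-include policy never tunnelled it, so no
                       dynamic exclusion is performed
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in split_networks]
    result = {}
    for raw in resolved_ips:
        ip = ipaddress.ip_address(raw)
        in_acl = any(ip in n for n in nets)
        if policy == TUNNEL_ALL:
            result[raw] = "dynamic"
        elif policy == EXCLUDE_SPECIFIED:
            result[raw] = "static" if in_acl else "dynamic"
        elif policy == INCLUDE_SPECIFIED:
            result[raw] = "dynamic" if in_acl else "outside-include"
        else:
            raise ValueError(f"unknown split-tunnel-policy {policy!r}")
    return result


def needs_dynamic_exclusion(policy, split_networks, resolved_ips):
    """True when at least one resolved address requires a run-time exclusion."""
    return "dynamic" in classify(policy, split_networks, resolved_ips).values()


if __name__ == "__main__":
    # constructed sample: an excluded host name resolving to two addresses
    ips = ["203.0.113.10", "198.51.100.7"]
    print(classify(TUNNEL_ALL, [], ips))
    print(classify(EXCLUDE_SPECIFIED, ["203.0.113.0/24"], ips))
    # tunnelspecified: only 10.0.0.0/8 is tunnelled, so a host resolving to
    # 10.1.2.3 needs the dynamic exclusion while 198.51.100.7 does not
    print(classify(INCLUDE_SPECIFIED, ["10.0.0.0/8"], ["10.1.2.3", "198.51.100.7"]))
```

The tunnelspecified case is the one worth checking before deploying: if none of the excluded service's addresses fall inside a split-include network, the custom attribute changes nothing, which can look like "it doesn't work" in a traceroute even though the traffic already bypasses the tunnel.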

 

  • Configuration steps

Step 1

Define the custom attribute type in the WebVPN context with the following command:

    anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains

Step 2

Define a custom attribute name for each cloud/web service that the client needs to reach outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. The attribute value contains the list of domain names to exclude from the VPN tunnel and must be in comma-separated-values (CSV) format, as in the following example:

    anyconnect-custom-data dynamic-split-exclude-domains webex_service_domains webex.com, webexconnect.com, tags.tiqcdn.com

Step 3

Attach the previously defined custom attribute to the relevant group policy with the following command, executed in the group-policy attributes context:

    anyconnect-custom dynamic-split-exclude-domains value webex_service_domains

Comments
ED PAQUETTE
Beginner

Hello Mohammed, I found these same instructions in one of Cisco's setup guides, but it does not seem to work. I set it up to not use the tunnel when going to webex.com, but my trace is the same as before (via the tunnel). Any thoughts?

nidamen
Cisco Employee

Hey Ed,

I am not sure why you are having an issue. There is a good chance of a configuration issue. If you have this as a production problem, please generate a DART file and work with TAC to ensure you have a successful deployment.

How can you tell from the AnyConnect client that this works?

balaji.bandi
VIP Expert
IsraelSchmidt
Beginner

@Mohammed al Baqari/mygroundbiz wrote:

  • The dynamic split tunneling exclusions address scenarios where traffic for a certain service needs to be excluded from the VPN tunnel dynamically, at run time.
    • Use case: a public cloud service with a wide range of public IPs, such as O365, that needs to be excluded from the VPN connection dynamically at run time.
  • Depending on the split tunneling policy configured, the dynamic split tunneling exclusion is applied as follows:
    • Tunnel All Networks—All exclusions from the VPN tunnel are dynamic.
    • Exclude Specific Networks—Dynamic exclusions are added to the preconfigured static ones.
    • Include Specific Networks—Dynamic exclusions are only relevant if at least one IP address of the excluded host names overlaps with a split include network. Otherwise, the traffic is already excluded from the VPN tunnel, and no dynamic exclusion is performed.

  • Configuration steps

Step 1

Define the custom attribute type in the WebVPN context with the following command:

    anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains

Step 2

Define a custom attribute name for each cloud/web service that the client needs to reach outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. The attribute value contains the list of domain names to exclude from the VPN tunnel and must be in comma-separated-values (CSV) format, as in the following example:

    anyconnect-custom-data dynamic-split-exclude-domains webex_service_domains webex.com, webexconnect.com, tags.tiqcdn.com

Step 3

Attach the previously defined custom attribute to the relevant group policy with the following command, executed in the group-policy attributes context:

    anyconnect-custom dynamic-split-exclude-domains value webex_service_domains

There is a good chance of a configuration issue. If you have this as a production problem, please generate a DART file and work with TAC to ensure you have a successful deployment.

cmarva
Enthusiast

We have been testing DST and that seems to work fine. A bunch of the Microsoft documents advise against DST, and to use traditional split tunneling. I guess my question is, can you do both on the same GP? If I am doing DST based on an AnyConnect attribute list, can I then add an ACL and enable split tunnel exclude, and have them both work? Or are they mutually exclusive?

Thank you, Chris

 

Nayan.Patel85
Beginner

@Mohammed al Baqari

I have implemented dynamic split exclude domains as per the Cisco documentation, and it is showing up under my Cisco AnyConnect settings as well:

Dynamic Tunnel Exclusion: microsoft.com

It works when I do a traceroute to either support.microsoft.com or download.microsoft.com. The traceroute goes out through my ISP.

But I am running into a problem when I use the browser. It always tries to go out through our company proxy, based on the logs we see. We use a PAC file for internet browsing.

Am I missing anything here?

DEENA VERAPPAN
Beginner

Can an existing DST be edited to include another site? I currently have a DST defined with sites youtube.com,netflix,com,spotify.com, and tried to add webex.com. I defined a GP for the DST to be applied to. When running a traceroute, the webex traffic continues to transit the VPN tunnel and does not route over the end user's ISP. The syntax in the ASA config shows up as youtube.com,netflix,com,spotify.comwebex.com. I've tried to create a 2nd instance of DST1 (DST2) with just webex.com, but that does get pushed out to the end user's AnyConnect configuration. I've also tried deleting DST1 and replacing it with a new config (DST2) that lists all the sites that need to be excluded: youtube.com,netflix,com,spotify.com,webex.com. I applied it to the GP, but it doesn't show up on the end user's dynamic tunnel exclusion list.

What am I doing wrong?

Isaac Smith
Beginner

Deena, I have that same problem. When trying to add another domain to the list, it is like the ASA just smashes it onto the end without including a space and comma, and then breaks the existing setup. You can't remove one that is in use, so creating a new fresh list seems to be the fix. I'd like to know how you are supposed to edit an existing exclusion list properly.

Isaac Smith
Beginner
As I've been typing this out I've been testing:
I think maybe I found the way around this. If you want to add another domain you have to do ,domain.com
So adding the comma before cisco.com seems to input it correctly:

    anyconnect-custom-data dynamic-split-exclude-domains **NAME OF EXCLUSION*** youtube.com
    anyconnect-custom-data dynamic-split-exclude-domains **NAME OF EXCLUSION*** ,cisco.com

ALTERNATIVELY - remove the dynamic-split-exclude-domains from the group-policy, remove the existing value, re-create with the new domain added, reapply to the group-policy:

    group-policy ***GP HERE*** attributes
     no anyconnect-custom-data dynamic-split-exclude-domains

    anyconnect-custom-data dynamic-split-exclude-domains **NAME OF EXCLUSION*** youtube.com,cisco.com
    group-policy ***GP HERE*** attributes
     anyconnect-custom dynamic-split-exclude-domains value **NAME OF EXCLUSION***
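The CSV value format from Step 2 of the original post and the broken values reported in the comments above (a comma typed where a dot belongs, and two names fused because a second command appended without a comma) can both be checked before the list is pushed to clients. The following Python is an added example, not Cisco's code and not from any commenter: it parses an anyconnect-custom-data dynamic-split-exclude-domains line, flags the entries that are detectably malformed, compares the list against the one the operator intended, and emits a rebuild sequence. The group policy name, attribute name and domain values are constructed samples, and the "no ..." lines are assumed from the usual ASA negation form and should be verified against the running config.

```python
"""Added example (not Cisco's code): validates an existing
'anyconnect-custom-data dynamic-split-exclude-domains' value and emits the
CLI to rebuild it cleanly.  The 'no ...' lines are an assumption about the
ASA negation form; names and domains are constructed samples."""
import re

COMMAND = "anyconnect-custom-data dynamic-split-exclude-domains"
LINE_RE = re.compile(r"^\s*" + re.escape(COMMAND) + r"\s+(\S+)\s+(.+?)\s*$")
# one DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_exclude_list(config_line):
    """Return (attribute_name, [domains]) from one config line.
    The value is CSV; spaces after commas, as in the Step 2 example, are tolerated."""
    m = LINE_RE.match(config_line)
    if not m:
        raise ValueError(f"not a {COMMAND} line: {config_line!r}")
    name, value = m.group(1), m.group(2)
    return name, [d.strip() for d in value.split(",")]


def check_domains(domains):
    """Problems visible from the value alone: empty entries (stray or doubled
    comma), single-label names such as the 'netflix,com' typo, and strings that
    are not DNS names.  Two names fused by a missing comma
    ('spotify.comwebex.com') are still a syntactically valid DNS name, so they
    are only caught by diff_against_intended()."""
    problems = []
    for d in domains:
        if d == "":
            problems.append("empty entry: stray or doubled comma")
        elif "." not in d:
            problems.append(f"{d!r} has no dot: a comma where a dot belongs?")
        elif not all(LABEL_RE.match(label) for label in d.split(".")):
            problems.append(f"{d!r} is not a valid DNS name")
    return problems


def diff_against_intended(domains, intended):
    """Return (missing, unexpected) relative to the list the operator meant to push."""
    missing = [d for d in intended if d not in domains]
    unexpected = [d for d in domains if d not in intended]
    return missing, unexpected


def rebuild_commands(group_policy, name, domains):
    """CLI to replace the list instead of appending to it: detach it from the
    group policy, delete the value, define it again, reattach it."""
    value = ",".join(domains)
    return [
        f"group-policy {group_policy} attributes",
        " no anyconnect-custom dynamic-split-exclude-domains",  # assumed 'no' form
        f"no {COMMAND} {name}",                                   # assumed 'no' form
        f"{COMMAND} {name} {value}",
        f"group-policy {group_policy} attributes",
        f" anyconnect-custom dynamic-split-exclude-domains value {name}",
    ]


if __name__ == "__main__":
    # constructed line mirroring the broken value described in the comments
    line = f"{COMMAND} DST1 youtube.com,netflix,com,spotify.comwebex.com"
    name, domains = parse_exclude_list(line)
    for p in check_domains(domains):
        print("problem:", p)
    intended = ["youtube.com", "netflix.com", "spotify.com", "webex.com"]
    missing, unexpected = diff_against_intended(domains, intended)
    print("missing:", missing, "unexpected:", unexpected)
    print("\n".join(rebuild_commands("GP-EXAMPLE", name, intended)))
```

Running check_domains on the value from the comments reports the two tokens produced by the "netflix,com" comma; the fused "spotify.comwebex.com" passes the syntax check and only shows up as an unexpected entry in the comparison with the intended list, which is why comparing against what you meant to configure matters more than validating syntax.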