cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
28251
Views
10
Helpful
12
Comments

 

  • The dynamic split tunneling exclusions address scenarios when traffic pertaining to a certain service needs to be excluded from the VPN tunnel dynamically, at run time
    • Use case when you have a public cloud service with wide range of public IPs which needs to be excluded from VPN connection such as O365 in run time and dynamically.
  • Depending on split tunneling policy configured, dynamic split tunneling exclusion is applied as follow:
    • Tunnel All Networks—All exclusions from the VPN tunnel are dynamic.
    • Exclude Specific Networks—Dynamic exclusions are added to preconfigured static ones.
    • Include Specific Networks—Dynamic exclusions are only relevant if at least one IP address of the excluded host names overlaps with a split include network. Otherwise, the traffic is already excluded from the VPN tunnel, and no dynamic exclusion is performed.

 

  • Configuration steps

 

Step 1

Define the custom attribute type in the WebVPN context with the following command: anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains

Step 2

Define the custom attribute names for each cloud/web service that needs access by the client outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. The attribute value contains the list of domain names to exclude from the VPN tunnel and must be in comma-separated-values (CSV) format using the following as an example:anyconnect-custom-data dynamic-split-exclude-domains webex_service_domains webex.com, webexconnect.com, tags.tiqcdn.com

Step 3

Attach the previously defined custom attribute to a certain policy group with the following command, executed in the group-policy attributes context:anyconnect-custom dynamic-split-exclude-domains value webex_service_domains

Comments
ED PAQUETTE
Level 1
Level 1

Hello Mohammed I found these same instruction also in one of Cisco's setup guides, but it does not seem to work. I set it up to not use the tunnel when going to webex.com, but my trace is the same as before (via the tunnel). Any thoughts?

nidamen
Cisco Employee
Cisco Employee

Hey Ed

 

I am not sure why your are having an issue. There is a good chance of configuration issue. If you have this as a production problem please generate a Dart file and work with tac to ensure you have a successful deployment. 

How can you tell from the AnyConnect client this works? 

balaji.bandi
Hall of Fame
Hall of Fame
IsraelSchmidt
Level 1
Level 1

@Mohammed al Baqari/mygroundbiz wrote:

 

  • The dynamic split tunneling exclusions address scenarios when traffic pertaining to a certain service needs to be excluded from the VPN tunnel dynamically, at run time
    • Use case when you have a public cloud service with wide range of public IPs which needs to be excluded from VPN connection such as O365 in run time and dynamically.
  • Depending on split tunneling policy configured, dynamic split tunneling exclusion is applied as follow:
    • Tunnel All Networks—All exclusions from the VPN tunnel are dynamic.
    • Exclude Specific Networks—Dynamic exclusions are added to preconfigured static ones.
    • Include Specific Networks—Dynamic exclusions are only relevant if at least one IP address of the excluded host names overlaps with a split include network. Otherwise, the traffic is already excluded from the VPN tunnel, and no dynamic exclusion is performed.

 

  • Configuration steps

 

Step 1

Define the custom attribute type in the WebVPN context with the following command: anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains

Step 2

Define the custom attribute names for each cloud/web service that needs access by the client outside the VPN tunnel. For example, add Google_domains to represent a list of DNS domain names pertaining to Google web services. The attribute value contains the list of domain names to exclude from the VPN tunnel and must be in comma-separated-values (CSV) format using the following as an example:anyconnect-custom-data dynamic-split-exclude-domains webex_service_domains webex.com, webexconnect.com, tags.tiqcdn.com

Step 3

Attach the previously defined custom attribute to a certain policy group with the following command, executed in the group-policy attributes context:anyconnect-custom dynamic-split-exclude-domains value webex_service_domains


There is a good chance of configuration issue. If you have this as a production problem please generate a Dart file and work with tac to ensure you have a successful deployment. 

cmarva
Level 4
Level 4

we have been testing DST and that seems to work fine. a bunch of the microsoft documents advise against DST, and to use traditional split tunneling. I guess my question is, can you do both on the same GP? If I am doing DST based on an anyconnect attribute list, can I then add an acl and enable split tunnel exclude, and have them both work? Or are they mutually exclusive?

 

thank you, chris

 

Nayan.Patel85
Level 1
Level 1

@Mohammed al Baqari 

I have implemented dynamic split exclude domains as per cisco documentation.

and its showing up under my cisco any connect setting as well

Dynamic Tunnel Exclusion: microsoft.com 

 

Its works when I do the traceroute to either support.microsoft.com or download.microsoft.com.

Trace route goes out through my ISP

 

But I am running into problem when I use Browser. It always try to go out through our company proxy based on the logs we see.

we use pac file for internet browsing. 

 

I am missing any thing here.

DEENA VERAPPAN
Level 1
Level 1

Can an existing DST, be edited to include another site? I currently have a DST defined with sites; youtube.com,netflix,com,spotify.com, and tried to add webex.com. Defined a GP for the DST to be applied to. When running a traceroute, the webex traffic, continues to transit the VPN tunnel, and not route over the end users ISP. The syntax, in the ASA config shows up as youtube.com,netflix,com,spotify.comwebex.com. I've tried to create a 2nd instance of DST1 (DST2), with just webex.com, but that does get pushed out to the end users Anyconnect configuration. I've also tried deleting DST1 and replacing it with a new config (DST2), that lists all the sites needed to be excluded; youtube.com,netflix,com,spotify.com,webex.com. Applied it to the GP, but it doesn't show up on the end users dynamic tunnel exclusion list.

What am I doing wrong?

Isaac Smith
Level 1
Level 1

Deena - i have that same problem - when trying to add another domain to the list it is like the ASA just smashes it onto the end without including a space and comma and then breaks the existing setup. You can't remove one that is in use so creating a new fresh list seems to be the fix. I'd like to know how you are supposed to edit an existing exclusion list properly.

Isaac Smith
Level 1
Level 1
 
As i've been typing this out i've been testing:
I think maybe i found the way around this, if you want to add another domain you have to do ,doman.com
So adding the comma before cisco.com seems to input it correctly
anyconnect-custom-data dynamic-split-exclude-domains **NAME OF EXCLUSION***
youtube.com
anyconnect-custom-data dynamic-split-exclude-domains **NAME OF EXCLUSION*** ,cisco.com
 
ALTERNATIVELY - remove the dynamic-split-exclude-domains from the group-policy, remove the existing value, re-create with the new domain added, reapply to the group-policy
group-policy ***GP HERE*** attributes no anyconnect-custom-data dynamic-split-exclude-domains
 
anyconnect-custom-data dynamic-split-exclude-domains **NAME OF EXCLUSION*** youtube.com,cisco.com
group-policy ***GP HERE*** attributes anyconnect-custom dynamic-split-exclude-domains value **NAME OF EXCLUSION***
jewfcb001
Level 4
Level 4

@Mohammed al Baqari  

Hi Mohammed 

I following from your information but the traffic still via the tunnel .

Can you advise me ? 

ronbuchalski
Level 1
Level 1

Here are some tips that make it easier to manage dynamic split-tunnel domain lists...

1. Use ASDM to manage them!  I know, we all love to hate ASDM, but it makes list management easier.  You can basically develop or modify your domain list, comma-separated, in your favorite simple text editor (Notepad, TextEdit, etc.), and then paste it into ASDM.  ASDM will then take care of the formatting to make it work in the ASA.  The ASA will allow 420 characters per list.

 

2. If your split-tunnel domain list gets to be too long, it needs to be broken up into groups on the ASA.  I think it is impossible to do this manually, using CLI and a text editor.  ASDM will take care of this for you.  Basically, if the list is longer than 420 characters, it will create another list, with the same name, to continue on with characters 421 - 840, and if needed, a third list with characters 841 - 1260, and so on.  I believe the total number of characters for this combined list can be 5000 characters (but I have not found the reference to confirm it).  At the maximum limit, any additional characters will just get truncated.

 

3. I give these dynamic split-tunnel groups UNIQUE NAMES, to make them easier to apply updates.  If you try to stick to always using the same name, then you cannot edit the group until it is no longer applied to any VPN profiles.  By using UNIQUE NAMES you can create a new split tunnel group alongside the existing split tunnel group, and once installed on the ASA, you can then go into the VPN profiles and apply the new tunnel group, and delete the old tunnel group.  What I found useful was to incorporate the DATE into the tunnel group name, so future tunnel group updates will always have a unique name that incorporates the date.  For example, tunnel group name 'split-tunnel-exclude-06122023'.  So, in the future, when I want to add more domains to the group, I can copy out the domain list (or have it maintained on a notepad doc), create 'split-tunnel-exclude-07012023', paste in the existing list of domains and then add the new domains.

 

I hope this is helpful.  Managing split-tunnel exclude or include policies on the ASA is very archaic.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: