I know this is somewhat old now, but I wanted to add how I ended up finally fixing this. Originally what I did was create a batch script that was executed when a user logged into the VPN. This batch script would connect to a Windows share on our internal network, copy down a PowerShell script along with the related support files to the users local machine. The batch would then execute the PowerShell script that was downloaded. This worked fine initially and got the desired result. We recently replaced the NAS device this share was hosted on which for whatever reason resulted in certain clients being unable to access the share and thus download the PowerShell script for execution. Some clients have differing AV clients which might block files from being downloaded. Just became too unreliable. I searched for a different way and finally came up with the fix which as it turns out so much less complicated than the way I was originally trying to do this. I ended up configuring the ASA device to use two different scripts for Windows clients when they log in. First I configured one script for use on the ASA, and then configured a second script for use on the ASA for VPN Onconnect execution. So what happens here is that when an AnyConnect client connects to the VPN, the ASA actually automatically downloads two different scripts to the clients local hard drive. One script is just a batch script that just has code in it to execute the second script, which is my PowerShell code. Since the ASA is configured to use two scripts, each one gets downloaded to the local client. No more having to connect to a share to copy the files, potentially exposing passwords or perhaps not being able to download the files needed at all from the share. Whats more, is that the scripts get downloaded anytime they are changed. If you make a change to the scripts, you just re-upload them to the ASA, re-configured the VPN configuration to use them, and your changes get re-downloaded to the client upon connecting to the VPN. Then its just a matter of having the batch script call the PowerShell script in the path it gets downloaded to by the ASA.    I had originally tried this method, and the ASA would download both scripts, but I could never get the PowerShell one to execute. It seemed as though the ASA was confused about which script to execute when there were two of them, or that it was executing the PowerShell script first which would never work because its PowerShell. I tried this again tonight and finally got it to work. The key was uploading the PowerShell code to the ASA first, and then adding the batch script second. Seemed to order the two scripts in such a way as to allow the batch to run first which then will run the PowerShell code. I may have also had the path incorrect when I originally tried this. I forgot that the PowerShell file that gets downloaded has a prefix added to the filename of "Onconnect_". So UserRDP.ps1 becomes "Onconnect_UserRDP.ps1" when its added to the VPN configuration. Its possible it would not work because I was not calling the correct filename with the pre-pended filename in the batch file. Not sure. Anyway its working now.   For anyone else wanting to do this, try the following:   1. Create your PowerShell script 2. Create your batch file. The batch file should just have the following in it:    echo off powershell.exe -ExecutionPolicy Bypass -File "%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script\Onconnect_<PowerShellScriptName>.ps1"   3. Upload both scripts to the ASA flash filesystem 4. Add a new onconnect script for Windows clients to your VPN configuration. Choose the PS script you created in step one. Ignore the warning about the script not being executable and continue importing the script. 5. Add a second Onconnect script to the ASA VPN configuration. This time choose the batch file that you created in step two.   That's it. The ASA should download both scripts locally, and execute the batch script first to then call the locally downloaded PowerShell script. Just wanted to finish this out in case any one else tries to do something similar. HTH. ... View more

I got this to work following this thread:   https://supportforums.cisco.com/t5/vpn/anyconnect-disables-native-ipv6-when-connected/td-p/1748824   The last post from Fabian L did the trick. This issue for me was that Split-DNS was working, but using IPv6 for doing lookups for IPv6 hosts outside the tunnel. Anyconnect was simply dropping those packets instead of splitting them out because IPv6 was not enabled in the Anyconnect client. I added IPv6 split tunneling using a bogus IPv6 IP block. This allows the Anyconnect connection to know what IPv6 traffic to split out so that the client can make normal local IPv6 DNS queries and thus allow IPv6 connectivity for IPv6 split tunnel clients. Keeps the Anyconnect client from just dropping all IPv6 traffic which would be needed for clients using native IPv6 with their ISPs. Here are the relevant config additions for reference:   group-policy colo-anyconnect-ras attributes ipv6-split-tunnel-policy tunnelspecified split-tunnel-network-list value colo-ras-split-tunnel split-dns value domain.com split-tunnel-all-dns disable address-pools value colo-ras ipv6-address-pools value colo-ras-ipv6 ipv6 local pool colo-ras-ipv6 <ipv6 Address Block Goes Here>/80 100 access-list colo-ras-split-tunnel extended permit ip <IPv6 Address Block/80   So this has the effect of allowing IPv6 traffic to selectively traverse the Anyconnect tunnel based on the access list  colo-ras-split-tunnel . Now I don't need IPv6 traffic over the tunnel at all, but since I am specifying what should go over it, this has the side affect of telling Anyconnect what traffic should NOT go over it. Anyconnect then splits the traffic out for IPv6 lookups to the Internet for the Anyconnect clients which use native IPv6. Anyway its all figured out. Hope this helps someone else with the same issue. ... View more