AnyConnect Routing Issue?

andrews_steven
Level 1

Hi all,

 

Working through AnyConnect configuration and coming across two issues. A remote test PC cannot connect with error:

 

"The VPN connection was started by a remote desktop user whose remote console has been disconnected. It is presumed the VPN routing configuration is responsible for the remote console disconnect. The VPN connection has been disconnected to allow the remote console to connect again. A remote desktop user must wait 90 seconds after VPN establishment before disconnecting the remote console to avoid this condition."

 

I cannot see how this is a routing issue, any help would be appreciated.

 

Attached is sanitized config.

 

Note I can connect from the inside interface with no issues.

 

Thank you,

Steven

2 Accepted Solutions


JP Miranda Z
Cisco Employee
Hi andrews_steven,

Try configuring split tunnel and making sure the IP address of the AnyConnect pool is not going through the tunnel. If you don't want to use split tunnel, you can use exclude specified and only exclude the IP address of the AnyConnect pool.

split tunnel guide:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

exclude specified:
access-list <name> standard permit <anyconnectpool>
group-policy Vandyke attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value <name>


Hope this info helps!!

Rate if helps you!!

-JP-


Hi JP,

 

Thank you for your help. So config looks like:

 

access-list <name> standard permit <InternalNetwork>
group-policy <AnyConnectGPName> attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value <ACLName>

 

Thank you for pointing me in the right direction.

 

-Steven
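
An added example, not part of the original thread and not Cisco code: a small Python check that reads the split-tunnel commands discussed above out of ASA-style config text and reports, per group-policy, whether traffic to a given address would be sent into the tunnel. The sample config, its policy and ACL names, and all addresses are constructed; treating a group-policy with no split-tunnel-policy line as tunnelall reflects the ASA default.

```python
import ipaddress

# Constructed sample config: policy names, ACL names and addresses are hypothetical.
SAMPLE_CONFIG = """\
access-list SPLIT_INTERNAL standard permit 10.20.0.0 255.255.0.0
access-list SPLIT_EXCLUDE standard permit host 198.51.100.25
group-policy GP_FULL attributes
 vpn-tunnel-protocol ssl-client
group-policy GP_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INTERNAL
group-policy GP_EXCLUDE attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_EXCLUDE
"""

def parse_config(text):
    """Return (acls, policies) parsed from ASA-style config text."""
    acls, policies, current = {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) == 6 and words[0] == "access-list" and words[2:4] == ["standard", "permit"]:
            # "host A.B.C.D" is a /32; otherwise the form is "<network> <mask>".
            cidr = f"{words[5]}/32" if words[4] == "host" else f"{words[4]}/{words[5]}"
            acls.setdefault(words[1], []).append(ipaddress.ip_network(cidr))
        if not line.startswith(" "):
            # Only a top-level "group-policy <name> attributes" line opens a block.
            is_gp = len(words) == 3 and words[0] == "group-policy" and words[2] == "attributes"
            # With no split-tunnel-policy line, the ASA default (tunnelall) applies.
            current = policies.setdefault(words[1], {"mode": "tunnelall", "acl": None}) if is_gp else None
        elif current is not None and len(words) == 2 and words[0] == "split-tunnel-policy":
            current["mode"] = words[1]
        elif current is not None and len(words) == 3 and words[:2] == ["split-tunnel-network-list", "value"]:
            current["acl"] = words[2]
    return acls, policies

def is_tunneled(dest, policy, acls):
    """True if the client sends traffic for dest into the VPN tunnel."""
    ip = ipaddress.ip_address(dest)
    listed = any(ip in net for net in acls.get(policy["acl"], []))
    # tunnelspecified: only listed; excludespecified: all but listed; tunnelall: all
    return {"tunnelspecified": listed, "excludespecified": not listed}.get(policy["mode"], True)

def audit(text, dest):
    """Map each group-policy name to whether dest would be tunneled."""
    acls, policies = parse_config(text)
    return {name: is_tunneled(dest, p, acls) for name, p in policies.items()}
```

Calling `audit(SAMPLE_CONFIG, "198.51.100.25")` shows which group-policies would pull traffic for that address into the tunnel; only the policy left at the default does.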


6 Replies

Hi JP,

 

Yea this seems to be the issue. I tested a connection this morning from a PC that I was not remoting to. This showed that AnyConnect works but is not sending traffic out the local WAN as I expected.

 

I will go through the process of setting up split tunnel and confirm the fix.

 

Thank you,

Steven

Hello GP,

 

I have the same issue, we have a tunnel all policy for our clients and I am facing this issue with one client.

Could you please provide an explanation of why this is happening?

In the AnyConnect client profile I selected "Allow Remote Users".

Is there any other workaround, because I don't want to change the policy just for one person.

AnyConnect version: 4.6.00362

Please advise

hichemm07
Level 1
Level 1

I have the "AllowRemoteUsers" feature enabled on the VPN profile but I'm still receiving the same error message.