
Printing issues to local network when AnyConnect VPN in use

s-daly
Level 1

I have a situation where I have a user connecting to the corporate office from her home network using a Win7 laptop and AnyConnect VPN 3.1.01065. She has an IP HP printer on her local network. When she is connected via VPN, she cannot print to her printer, Win saying the printer is off-line. That said, we are allowing access to the remote local network with a "split-exclude" configuration on the ASA:

access-list LocalLANAccess standard permit host 0.0.0.0
!
group-policy DfltGrpPolicy attributes
 ...
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LocalLANAccess

"Allow local (LAN) access when using VPN" in the AC preference tab is checked. And also, she can ping the local printer when connected via VPN. However, the printer appears off-line, from the laptop perspective, when the VPN is on, and will go back "on-line" when the VPN is disconnected.

Anyone have any thoughts on how to correct this?

12 Replies

ju_mobile
Level 1

Hi,

Some printers require additional ports to 515 and 9100 to show availability. The configuration that I've experienced is a need for UDP/161 SNMP poll. Please check your ACLs for the split tunnel and ensure it has SNMP included.

Best Regards

Ju

Sent from Cisco Technical Support iPad App

If you're using start before login profiles, make sure the local LAN box is checked. So I had these configured already. But the start before login script needed to be edited to allow local LAN access.

access-list local-lan-access standard permit host 0.0.0.0

 split-tunnel-policy excludespecified
 split-tunnel-network-list value local-lan-access

Muhammed Safwan
Level 1

It's a known issue and documented in Cisco. Please see the solution below.

Unable to Print or Browse by Name

When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. There are two options available in order to work around this situation:

  • Browse or print by IP address.
    • In order to browse, instead of using the syntax \\sharename, use the syntax \\x.x.x.x where x.x.x.x is the IP address of the host computer.
    • In order to print, change the properties for the network printer to use an IP address instead of a name. For example, instead of the syntax \\sharename\printername, use \\x.x.x.x\printername, where x.x.x.x is an IP address.
  • Create or modify the VPN Client LMHOSTS file. An LMHOSTS file on a Windows PC allows you to create static mappings between hostnames and IP addresses. For example, an LMHOSTS file might look like this:

192.168.0.3 SERVER1
192.168.0.4 SERVER2
192.168.0.5 SERVER3

In Windows XP Professional Edition, the LMHOSTS file is located in %SystemRoot%\System32\Drivers\Etc. Refer to your Microsoft documentation or Microsoft KB Article 314108 for more information.

With Regards,

Safwan

Don't forget to rate helpful posts.

Safwan,

Thanks for the reply. I'll check this out and see if this will provide a workaround for this specific user, however, this may potentially be an inadequate workaround, as I have several hundred laptops and remote users running the AC client, and I don't see us modifying all these laptops to implement this workaround for each individual remote access network. I just don't have the manpower for this.

First, I'd like to know why this breaks local IP services by name? Is this cited as a bug? If so, is there a fix for it? Or a workaround that I can apply globally to all AC clients (e.g. modifications to the client profile) so this issue does not occur again?

Thanks,

Sean

Well, if you want a workaround to apply for all VPN Clients then you need to go for split-tunnel-policy tunnelspecified instead of split-tunnel-policy excludespecified. Suppose your corporate network is 10.0.1.0/24 and you want to give access to this subnet for VPN users. Then the configuration will be as follows.

access-list CorporateLAN standard permit 10.0.1.0 255.255.255.0
!
group-policy DfltGrpPolicy attributes
 ...
 vpn-tunnel-protocol ssl-client
 no split-tunnel-policy excludespecified
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CorporateLAN

This will solve the problem globally.

With Regards,

Safwan

Unfortunately, my company's security policy dictates that I can't do split tunneling, with the only exception being allowing local LAN access on the remote LAN subnet for the remote user. Anyway, that split-exclude config is a little trick I learned from TAC that allows local LAN access only. From an IP connectivity standpoint, this appears to work, hence I'm able to ping the local printer when connected to the VPN, so I don't think the split tunnel config is the issue here.

Hi s-daly,

Thank you!

The trick with "access-list LocalLANAccess standard permit host 0.0.0.0" is excellent! Worked for me to get the individual LANs allowed. Together with "allow local lan access" from the AnyConnect client preferences page 1, it automatically installs the client's LAN as a "non-secured route".

J


Have you confirmed that the user is printing by name and not IP? This would potentially promote that the user has been able to define that they are using WINS/DNS and/or that they have some understanding of the required workgroup. Even when the laptop is not on VPN it would spend the registered domain name to any form of name resolution.

To verify if this is an SNMP issue, I would recommend asking the user to try a telnet to the printer IP address on 9100. This would of course require telnet to be enabled in Windows 7. If the connection is proven, update the ACL.

Best Regards

Ju
Sent from Cisco Technical Support iPad App
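
The checks suggested in this thread (a TCP connection to the printer on 515/9100 and the UDP/161 SNMP poll), as an added Python example that is not from any poster or from Cisco. The `public` community string, the sysDescr.0 probe OID and the address in the usage line are assumptions; run it once with the VPN connected and once disconnected and compare the results.

```python
import socket

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes (same check as telnet)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def snmp_get_request(community=b"public", request_id=1):
    """BER-encoded SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = bytes([0x06, 0x08, 0x2B, 6, 1, 2, 1, 1, 1, 0])
    varbind = b"\x30" + bytes([len(oid) + 2]) + oid + b"\x05\x00"
    varbinds = b"\x30" + bytes([len(varbind)]) + varbind
    # request-id, error-status = 0, error-index = 0, then the varbind list
    body = b"\x02\x01" + bytes([request_id]) + b"\x02\x01\x00" * 2 + varbinds
    pdu = b"\xa0" + bytes([len(body)]) + body
    msg = b"\x02\x01\x00\x04" + bytes([len(community)]) + community + pdu
    return b"\x30" + bytes([len(msg)]) + msg

def snmp_answers(host, port=161, timeout=2.0):
    """True if a GetResponse (tag 0xA2) comes back; loose check, no full decode."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(snmp_get_request(), (host, port))
            data, _ = s.recvfrom(4096)
        except OSError:  # timeout, or ICMP port-unreachable reported by the OS
            return False
    return data[:1] == b"\x30" and b"\xa2" in data

def diagnose(host, tcp_ports=(515, 9100), snmp_port=161, timeout=2.0):
    """Return (per-port TCP results, SNMP result, verdict string)."""
    tcp = {p: tcp_open(host, p, timeout) for p in tcp_ports}
    snmp = snmp_answers(host, snmp_port, timeout)
    if not any(tcp.values()):
        verdict = "no print port reachable"
    elif snmp:
        verdict = "print port and SNMP both reachable"
    else:
        verdict = "print port reachable, SNMP status poll unanswered"
    return tcp, snmp, verdict

if __name__ == "__main__":
    # Constructed placeholder address; substitute the printer's LAN IP.
    print(diagnose("192.168.1.50"))
```
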

http://m.techrepublic.com/forum/questions/101-273248/disabling-snmp-on-printer-causes-printer-to-go-offline

http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/windows-7-pro-computer-cannot-print-to-networked/c8ce8a1f-b077-4a0d-a7e2-f19415d00f0a?auth=1

Worth a quick read... and/or alternatively, can you post your split-tunnel ACL?

Best Regards

Ju

Sent from Cisco Technical Support iPad App

Ju,

Please re-read my initial post, as it specifies the ACL there. I'm allowing all ports on the remote local subnet.

Doh,

Sorry... Should have paid a little more attention on that one. I would also add: how does NLA identify her home network and what policy does it apply whilst both in and out of VPN?
To qualify what Safu has highlighted, can you at least ask the user for further information from their printer and ask them to include route print, or alternatively could you get them to run DART?

Sent from Cisco Technical Support iPad App

VernonX
Level 1

Some modern printers can support two or more connections at once (e.g. Samsung C3010dw): e.g., Ethernet and USB. If the printer is close enough to the local computer, you can create two logical printers (one for the network connection and one for the USB connection) for the printer. The USB printer can be used while the VPN connection is active (or not), but remain available (via the Ethernet connection) to other computers on the local network.

In theory, though I have not tested, the IOGEAR GUWH104KIT can be used for the USB connection if distance is an issue or you can add additional GUWH104 receivers if you need to connect via USB to multiple computers.
