Route to DHCP server is added to Windows' Routing Table after AnyConnect connection

Alex Ferenstein
Level 1

I have provisioned a Tunnel-Group (without "dhcp-server" attribute) with Group-Policy that specifies split-tunneling.

All works as expected, except that after AnyConnect connection is successful, Windows' "route print" shows an additional host route to the original DHCP server (seen in Windows' "ipconfig /all"). This route's gateway is that original (non-VPN) address.

Our issue is that our DHCP server is within the split-tunnel address range and we wish all traffic to it to go via VPN; however, because the route's gateway is the original (non-VPN) address, it will not do so.

My question: (a) is this documented, and (b) who inserts this route - Windows or AnyConnect?

The following is from "Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.1", but it refers to tunneling all traffic, not split-tunneling.

Implicit DHCP filter applied when Tunnel All Networks Configured
To allow local DHCP traffic to flow in the clear when Tunnel All Networks is configured, AnyConnect adds a specific route to the local DHCP server when the AnyConnect client connects. To prevent data leakage on this route, AnyConnect also applies an implicit filter on the LAN adapter of the host machine, blocking all traffic for that route except DHCP traffic.

R's, Alex
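The behaviour described in the post can be checked from the "route print" output itself: a /32 host route wins longest-prefix matching over the split-tunnel network route, so traffic to the DHCP server leaves through the physical adapter even though the address lies inside the split-tunnel range. The following is an added example, not part of the original post or of Cisco's software; it parses a constructed Windows route table, applies longest-prefix matching the way Windows does, and reports whether the DHCP server's effective route bypasses the VPN adapter. The addresses, the split-tunnel network and the VPN adapter address are assumptions chosen for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str                      # "On-link" or a next-hop IPv4 address
    interface: ipaddress.IPv4Address  # address of the adapter the route uses
    metric: int


@dataclass(frozen=True)
class DhcpRouteCheck:
    in_split_tunnel: bool      # DHCP server lies inside a split-tunnel network
    route: Optional[Route]     # route Windows will actually use for it
    bypasses_vpn: bool         # True when that route does not use the VPN adapter


# Constructed "route print" IPv4 section (assumption): a physical adapter on
# 192.168.1.50, an AnyConnect adapter on 10.255.0.2 carrying the split-tunnel
# network 10.0.0.0/8, and the host route AnyConnect added for the DHCP server.
SAMPLE_ROUTE_PRINT = """
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0       10.255.0.1      10.255.0.2      2
       10.20.30.5  255.255.255.255      192.168.1.1    192.168.1.50     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
===========================================================================
"""

# One route line: destination, netmask, gateway (address or "On-link"),
# interface address, metric. Header and separator lines do not match.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> List[Route]:
    """Parse the IPv4 'Active Routes' lines of Windows 'route print' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append(Route(
            network=ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            gateway=gateway,
            interface=ipaddress.IPv4Address(iface),
            metric=int(metric),
        ))
    return routes


def effective_route(routes: Sequence[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match; lowest metric breaks ties, as Windows does."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def check_dhcp_route(routes: Sequence[Route], dhcp_server: str,
                     split_networks: Sequence[str],
                     vpn_interface: str) -> DhcpRouteCheck:
    """Report whether traffic to the DHCP server will skip the VPN adapter.

    dhcp_server and vpn_interface are the values shown by 'ipconfig /all';
    split_networks are the split-tunnel networks pushed by the group policy.
    """
    addr = ipaddress.IPv4Address(dhcp_server)
    nets = [ipaddress.IPv4Network(n) for n in split_networks]
    in_split = any(addr in n for n in nets)
    route = effective_route(routes, dhcp_server)
    bypasses = bool(in_split and route is not None
                    and route.interface != ipaddress.IPv4Address(vpn_interface))
    return DhcpRouteCheck(in_split_tunnel=in_split, route=route,
                          bypasses_vpn=bypasses)


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    result = check_dhcp_route(table, "10.20.30.5", ["10.0.0.0/8"], "10.255.0.2")
    print(f"effective route: {result.route.network} via {result.route.gateway} "
          f"on {result.route.interface}; bypasses VPN: {result.bypasses_vpn}")
```

Run against a real machine by pasting the IPv4 section of "route print" into SAMPLE_ROUTE_PRINT and substituting the DHCP server and AnyConnect adapter addresses from "ipconfig /all". The check flags only the host route itself; another address in the same split-tunnel range (10.20.30.6 in the sample) still resolves to the 10.0.0.0/8 route on the VPN adapter, which is exactly the asymmetry the post describes.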
