Hi,
we're currently deploying a VPN profile customized for a customer, but we are facing some issues there.
The customer wants to have the following behavior:
1) Seamless automatic VPN-connection at startup (always-on profile with machine-cert auth)
2) Users should be able to manually disconnect (e.g. to access a local resource)
3) When finished and connecting again, the connection should again happen without interaction (machine-cert)
Parts 1 and 3 work absolutely fine. The behavior and flow are incredible, miles ahead of any other competitor that I know of.
Our only problems occur with the part where the user can manually disconnect.
This was achieved with the option "Allow VPN Disconnect" in the profile - but:
A) In the AC client the info "VPN Connection Required" is shown, and after a certain amount of time, the connection is re-established automatically. So if a user is using e.g. a local RDP connection, AC re-establishes by itself and since it is a full tunnel, the RDP connection is dropped. So the user needs to disconnect AC manually again and reconnect to RDP - over and over again every 2-3 minutes.
Is there any way either to tweak some timer (e.g. to at least an hour) or to completely disable the auto-reconnect, without having any impact on the initial connection at startup, which is desired and should happen immediately?
B) After disconnecting manually, there is an issue with the internet connection.
- Cisco AC NW Adapter is disabled (good)
- ipconfig shows the correct local Wi-Fi settings (good)
- nslookup is working properly (to the home router IP - good)
- Routing table looks fine (except for an explicit host route to the public IP of the VPN gateway)
- Windows shows the little yellow triangle with the exclamation mark - no internet connection
- nslookup cisco.com works / ping cisco.com doesn't work (Ping request could not find host cisco.com. Please check the name and try again.)
- ping to the GW (192.168.0.1) results in a "General failure."
The only two solutions that resolve this connection issue are either to reconnect the VPN (works properly) or to kill AnyConnect and then disable/enable the Wi-Fi adapter.
For me this is really strange behavior.
DNS works with nslookup, but pinging that same hostname ends in a DNS error.
DNS lookup to the router works, but pinging the router doesn't.
Nothing on the internet is reachable, but re-establishing the VPN-connection to the GW via internet works.
Do you guys have any idea if this issue can be resolved?
Thanks in advance!