AnyConnect and local LAN

Stefan Strand · ‎05-26-2015

Hi,

We have several users that cannot connect to their "local ethernet network" when AnyConnect is installed.

Background:

- Users with Windows 7

- AnyConnect version 3.1.08009

- Authentication using certificates

- Always on policy - with the possibility for some users to disconnect

When the users connect at home (and have connection to the Internet) AnyConnect starts as it should and everything works.

But, when the same users (service engineers) needs to access a PLC using a small switch and "no connection to Internet" they run into problems.

The configure a local IP address (192.168.100.x), and then reboot the PC.

Now, when they try to ping they get a "general failure" error message.

After disabling the NIC, and then re-enabling it, they can ping for a few seconds - and then "general failure" again.

We have seen exactly the same behaviour on PC's in several different locations around the world.

All suggestions on how to solve it are appreciated.

Andres Villarroel · ‎05-26-2015

Hello Stefan Strand,

Have you tried the following link configuration?

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.htm l

Stefan Strand · ‎05-26-2015

I have seen that, and I think that works, but that is not really our problem.

The problem is that when "always on vpn" is in place, even if we in the Dynamic Access Policy allows some users to disconnect, when those users are on a LAN where there is no Internet connection, they cannot access local resources on that LAN.

Andres Villarroel · ‎05-26-2015

Hello Stefan Strand,

I think that this is what you are looking for.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html#pgfId-1205170

Configuring those policies will allow LAN access when there is not Internet connection while Always On is configured.