AnyConnect Routing Issue?

andrews_steven
Level 1

Hi all,

 

Working through AnyConnect configuration and coming across two issues. A remote test PC cannot connect with error:

 

"The VPN connection was started by a remote desktop user whose remote console has been disconnected. It is presumed the VPN routing configuration is responsible for the remote console disconnect. The VPN connection has been disconnected to allow the remote console to connect again. A remote desktop user must wait 90 seconds after VPN establishment before disconnecting the remote console to avoid this condition."

 

I cannot see how this is a routing issue, any help would be appreciated.

 

Attached is sanitized config.

 

Note I can connect from the inside interface with no issues.

 

Thank you,

Steven

2 Accepted Solutions

JP Miranda Z
Cisco Employee

Hi andrews_steven,

Try configuring split tunnel and making sure the IP address of the machine you are using to do RDP is not going through the tunnel. If you don't want to use split tunnel you can use exclude specified and only exclude the IP address of the source machine where you are initiating the RDP session to the machine where you are connecting with AnyConnect.

split tunnel guide:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

exclude specified:
access-list <name> standard permit <anyconnectpool>
group-policy Vandyke attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value <name>

A bit more clear example:

Machine A --> opens RDP and connects to Machine B

Machine B --> connects to AnyConnect

If AnyConnect is using exclude specified and the IP of Machine A is not excluded in the ACL you will get the error.

Depending on the number of clients that will play the role of Machine A, using exclude specified is not scalable; in that case I would recommend using split tunnel and only allowing the traffic that you want to send over the tunnel, with the rest using the local NIC.

Hope this info helps!!

Rate if helps you!!

-JP-


Hi JP,

 

Thank you for your help. So config looks like:

 

access-list <name> standard permit <InternalNetwork>
group-policy <AnyConnectGPName> attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value <ACLName>

 

Thank you for pointing me in the right direction.

 

-Steven

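As an added example (not from the thread, and not Cisco code), a small Python checker that models the three split-tunnel-policy modes discussed in JP's and Steven's replies and reports whether traffic back to the RDP source host would be pulled into the tunnel, which is the condition behind the "remote console has been disconnected" error. The ACL lines, pool and addresses are constructed placeholders; the model covers only standard ACL permit entries in host and network/mask form.

```python
import ipaddress

def parse_standard_acl(lines):
    """Collect the networks selected by 'permit' entries of an ASA standard ACL.
    Handles 'permit host A.B.C.D' and 'permit NETWORK NETMASK'; other lines are ignored
    (simplification: 'any' and deny entries are not modelled)."""
    nets = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[2] != "standard":
            continue
        if parts[3] != "permit":
            continue
        if parts[4] == "host":
            nets.append(ipaddress.ip_network(parts[5] + "/32"))
        else:  # network followed by dotted netmask, as in the thread's config
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets

def is_tunneled(dst_ip, policy, acl_nets):
    """Would traffic to dst_ip enter the VPN tunnel under this split-tunnel-policy?"""
    dst = ipaddress.ip_address(dst_ip)
    matched = any(dst in net for net in acl_nets)
    if policy == "tunnelall":          # everything goes through the tunnel
        return True
    if policy == "tunnelspecified":    # only ACL networks go through the tunnel
        return matched
    if policy == "excludespecified":   # everything except ACL networks goes through
        return not matched
    raise ValueError(f"unknown split-tunnel-policy: {policy}")

def rdp_console_at_risk(rdp_source_ip, policy, acl_lines):
    """True when return traffic to the RDP source would be tunneled, i.e. the
    remote console session would drop once the VPN comes up."""
    return is_tunneled(rdp_source_ip, policy, parse_standard_acl(acl_lines))

# Constructed sample values (placeholders, not from the thread's sanitized config).
RDP_SOURCE = "192.168.1.50"                 # Machine A, the RDP client
TUNNEL_SPECIFIED_ACL = ["access-list SPLIT standard permit 10.10.0.0 255.255.0.0"]
EXCLUDE_ACL = ["access-list NOTUN standard permit host 192.168.1.50"]

if __name__ == "__main__":
    for label, policy, acl in [("tunnelall", "tunnelall", []),
                               ("tunnelspecified", "tunnelspecified", TUNNEL_SPECIFIED_ACL),
                               ("excludespecified", "excludespecified", EXCLUDE_ACL)]:
        risk = rdp_console_at_risk(RDP_SOURCE, policy, acl)
        print(f"{label:17s} -> RDP console {'WILL drop' if risk else 'survives'}")
```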

6 Replies


Hi JP,

 

Yeah, this seems to be the issue. I tested a connection this morning from a PC that I was not remoting to. This showed that AnyConnect works but is not sending traffic out the local WAN as I expected.

 

I will go through the process of setting up split tunnel and confirm the fix.

 

Thank you,

Steven


Hello GP,

 

I have the same issue; we have a tunnel-all policy for our clients and I am facing this issue with one client.

Could you please provide explanation why this is happening?

In the AnyConnect client profile I selected "Allow Remote Users".

Is there any other workaround, because I don't want to change the policy just for one person?

AnyConnect version: 4.6.00362

Please advise

hichemm07
Level 1

I have the "AllowRemoteUsers" feature enabled on the VPN profile but I'm still receiving the same error message.