AnyConnect Split Tunnel for Office 365 and MS Online Services connectivity issues

PiotrM
Level 1

Hello,

 

I have a very annoying problem with the VPN Split Tunneling. I've configured exclusions for MS Online Services (and youtube.com :)) and everything looks good except that very often we observe a problem with Outlook Connectivity - mostly sending emails. It can take several minutes to send an email. When I'm trying to speed up sending a message I'm very often receiving an error that Outlook could not contact the server. A similar situation is when I'm trying to do an administrative task via PowerShell in Exchange Online. Sometimes I can't connect to Exchange Online Services, then I'm disconnecting or reconnecting the VPN connection and then it works.

 

I've upgraded AnyConnect Client to the newest version (4.8.03036) thinking there is a bug but it didn't help. I was just pinging outlook.office365.com and I noticed strange behavior - just look at the screenshot below:

ping_o365.png

 

I don't notice such behavior when I'm not using VPN and I didn't notice that when the VPN was configured to tunnel the entire traffic.

 

Did you notice similar behavior? Do you have any idea what can be a root of the issues? Below you can find some screenshots from my ASDM and AnyConnect client.

 

Thank you in advance for any support.

Piotr.

 

ASA configuration:

asa_anyconnect_attributesNames.png

 

asa_anyconnect_ip_exclusions.png

 

AnyConnect applied settings:

 

asa_anyconnect_dynamic_domains_excl.png

asa_anyconnect_routes.png

3 Replies

PiotrM
Level 1

OK, I "solved" the problem myself. It looks like Cisco AnyConnect adds IP addresses dynamically to the exclusions, but when it decides the IP address is not used anymore it removes it and then a routing problem occurs. I removed Office 365 domains from dynamic exclusions for now.

Does anyone know if there is a possibility to enable this feature (dynamic-split-exclude-domains) while keeping the dynamically added IP addresses on the list until the end of the VPN session?

Thanks,

Piotr.
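An added example, not part of any poster's message and not Cisco code: a Python check of which resolved addresses for an excluded hostname fall outside the static split-exclude networks, and so would bypass the tunnel only through a dynamically added exclusion. The networks, hostname and DNS observations are constructed sample values from documentation ranges; in practice they would come from the static exclude ACL and from logged lookups.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real Office 365 or ASA values).
STATIC_EXCLUDES = ["198.51.100.0/24", "203.0.113.0/25"]
# Constructed DNS observations: (seconds since VPN connect, hostname, resolved address).
OBSERVATIONS = [
    (0,   "mail.example.test", "198.51.100.10"),
    (60,  "mail.example.test", "203.0.113.200"),
    (120, "mail.example.test", "192.0.2.44"),
    (180, "mail.example.test", "203.0.113.200"),
    (240, "mail.example.test", "198.51.100.77"),
]


def parse_networks(cidrs):
    """Parse CIDR strings; strict mode rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def uncovered_addresses(static_cidrs, observations):
    """Return {hostname: {address: [timestamps]}} for answers outside every static exclude.

    These are the addresses whose bypass of the tunnel would depend on a
    dynamically added exclusion rather than on the static split-exclude list.
    """
    networks = parse_networks(static_cidrs)
    report = {}
    for ts, host, addr in observations:
        ip = ipaddress.ip_address(addr)
        # Compare only within the same IP family; a v4 list says nothing about v6.
        covered = any(ip.version == n.version and ip in n for n in networks)
        if not covered:
            report.setdefault(host, {}).setdefault(addr, []).append(ts)
    return report


def coverage_ratio(static_cidrs, observations):
    """Fraction of observed answers that the static list already covers."""
    if not observations:
        return 1.0
    uncovered = uncovered_addresses(static_cidrs, observations)
    missed = sum(len(seen) for addrs in uncovered.values() for seen in addrs.values())
    return 1 - missed / len(observations)


if __name__ == "__main__":
    for host, addrs in uncovered_addresses(STATIC_EXCLUDES, OBSERVATIONS).items():
        for addr, seen in sorted(addrs.items()):
            print(f"{host}: {addr} not in static excludes (seen at t={seen})")
    print(f"static coverage: {coverage_ratio(STATIC_EXCLUDES, OBSERVATIONS):.0%}")
```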

Jerome S
Level 1

I have the same problem with AnyConnect 4.8, static split exclude ACL and dynamic split exclude.

I found this bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu10868/

This bug is fixed in release 4.9.

 

crescentwire
Level 1

We also are experiencing this same issue, but on AnyConnect 4.9.x. I have an open TAC case investigating. I'll update findings and a fix here if we find one. Nice to know we're not the only ones at least.
