10-15-2020 08:03 AM
Hi guys,
I'm experiencing a curious behaviour with AnyConnect split-tunneling.
In my setup, split-tunneling (split-exclude) is working perfectly fine for all FQDNs and subnets defined in the split ACL except for 2 subnets linked to Google Hangouts/Meet.
Reverse routes are correctly pushed on the Windows 10 computer but traffic still goes through the VPN. In our front-end firewall we see that traffic as 'STUN' application.
By filtering this type of traffic on our front-end firewall, we see the first packets being denied in the logs and then traffic is correctly split-tunneled at home as expected (Google Meet switches to port 443 because STUN is now blocked).
I looked at some readings to know more about STUN protocol but to my understanding, any traffic defined in the split-exclude ACL should exit at the user's home internet connection whatever the port used.
Does someone know what is causing this behaviour?
Thanks,
Sylvain.
11-09-2020 07:19 AM
Finally sorted out the thing.
Google Meet is in fact using WebRTC. WebRTC determines the best path to use on its own and overrides the routing table of the computer.
Some browser extensions are available to modify the behaviour of WebRTC.
Sylvain.
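To see why the routing table is not the deciding factor, it helps to look at the ICE candidates WebRTC gathers: it binds a socket on every local interface, including the VPN adapter, and connectivity checks pick whichever pair works. The following is an added example, not from this thread or from Cisco, that parses ICE candidate lines (the syntax shown in chrome://webrtc-internals) and flags those whose local base is the VPN adapter address; all addresses are constructed sample values.

```javascript
// Parse WebRTC ICE candidate lines and report which local interface each one
// would source traffic from. Candidate syntax follows RFC 8445 / SDP "a=candidate".
const ICE_RE = /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)(?: raddr (\S+) rport (\d+))?/i;

function parseCandidate(line) {
  const m = ICE_RE.exec(line.trim());
  if (!m) return null; // not a candidate line
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(),
    relatedAddress: m[8] || null, // local base for srflx/prflx/relay
    relatedPort: m[9] ? Number(m[9]) : null,
  };
}

// A host candidate sources from its own address; reflexive/relay candidates
// source from the local socket given by raddr (falls back to address if absent).
function localBase(c) {
  return c.type === 'host' ? c.address : (c.relatedAddress || c.address);
}

function classifyCandidates(lines, vpnAdapterAddress) {
  return lines.map(parseCandidate).filter(Boolean).map(c => ({
    ...c,
    base: localBase(c),
    viaVpnAdapter: localBase(c) === vpnAdapterAddress,
  }));
}

// Constructed sample: home LAN address 192.168.1.20, AnyConnect adapter 10.50.0.7.
// Meet gathers host and server-reflexive candidates on both interfaces.
const SAMPLE_CANDIDATES = [
  'a=candidate:1 1 udp 2122260223 192.168.1.20 51000 typ host',
  'a=candidate:2 1 udp 2122194687 10.50.0.7 51001 typ host',
  'a=candidate:3 1 udp 1686052607 203.0.113.9 51000 typ srflx raddr 192.168.1.20 rport 51000',
  'a=candidate:4 1 udp 1686052351 198.51.100.4 51001 typ srflx raddr 10.50.0.7 rport 51001',
];
const VPN_ADAPTER = '10.50.0.7'; // constructed value

// Candidates that would carry media through the tunnel despite the split-exclude ACL.
function vpnSourcedCandidates(lines = SAMPLE_CANDIDATES, vpn = VPN_ADAPTER) {
  return classifyCandidates(lines, vpn).filter(c => c.viaVpnAdapter);
}
```

Feeding the candidate list from a real session into vpnSourcedCandidates shows whether the browser is offering the tunnel address at all, which is the condition under which the ACL is bypassed.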