AnyConnect Split Tunneling issue with STUN traffic

Sylvain_Che
Level 1

Hi guys,


I'm experiencing a curious behaviour with AnyConnect split-tunneling.

In my setup, split-tunneling (split-exclude) is working perfectly fine for all FQDNs and subnets defined in the split ACL except for 2 subnets linked to Google Hangouts/Meet.

Reverse routes are correctly pushed to the Windows 10 computer, but traffic still goes through the VPN. On our front-end firewall we see that traffic as the 'STUN' application.

By filtering this type of traffic on our front-end firewall, we see the first packets being denied in the logs and then traffic is correctly split-tunneled at home as expected (Google Meet switches to port 443 because STUN is now blocked). 


I looked at some readings to know more about STUN protocol but to my understanding, any traffic defined in the split-exclude ACL should exit at the user's home internet connection whatever the port used.


Does someone know what is causing this behaviour?


Thanks,

Sylvain.

Accepted Solution

Sylvain_Che
Level 1

Finally sorted out the thing.

Google Meet is in fact using WebRTC. WebRTC determines the best path to use on its own and overrides the routing table of the computer.

Some browser extensions are available to modify the behaviour of WebRTC.


Sylvain.
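As an added example (not part of the original thread), here is a small Python check a network team could run over flows captured on the AnyConnect tunnel interface: it recognises STUN by its RFC 5389 header and flags any flow bound for a split-exclude subnet that nevertheless traversed the VPN, which is the symptom described above. The subnets, ports and packet bytes are constructed sample values, not the poster's real ranges.

```python
import ipaddress
import struct

# RFC 5389 STUN header: 2-byte type (top two bits zero), 2-byte attribute
# length (multiple of 4), 4-byte magic cookie, 12-byte transaction ID.
STUN_MAGIC_COOKIE = 0x2112A442
STUN_HEADER_LEN = 20


def is_stun(payload: bytes) -> bool:
    """Return True if the UDP payload starts with a well-formed STUN header."""
    if len(payload) < STUN_HEADER_LEN:
        return False
    msg_type, attr_len, cookie = struct.unpack("!HHI", payload[:8])
    return (
        (msg_type & 0xC000) == 0
        and cookie == STUN_MAGIC_COOKIE
        and attr_len % 4 == 0
        and len(payload) >= STUN_HEADER_LEN + attr_len
    )


def find_split_exclude_leaks(flows, exclude_nets):
    """Flows seen on the tunnel whose destination lies in a split-exclude
    subnet should not be there; return them, marking which ones are STUN."""
    leaks = []
    for flow in flows:
        dst = ipaddress.ip_address(flow["dst"])
        if any(dst in net for net in exclude_nets):
            leaks.append({**flow, "stun": is_stun(flow["payload"])})
    return leaks


# Constructed split-exclude subnets (documentation ranges, not real ones).
SPLIT_EXCLUDE = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample flows as if captured on the tunnel interface.
STUN_BINDING_REQUEST = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + bytes(range(12))
TLS_CLIENT_HELLO_START = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(20)
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dport": 3478, "payload": STUN_BINDING_REQUEST},
    {"dst": "198.51.100.7", "dport": 443, "payload": TLS_CLIENT_HELLO_START},
    {"dst": "192.0.2.50", "dport": 443, "payload": TLS_CLIENT_HELLO_START},
]

if __name__ == "__main__":
    for leak in find_split_exclude_leaks(SAMPLE_FLOWS, SPLIT_EXCLUDE):
        print(f"leak -> {leak['dst']}:{leak['dport']} stun={leak['stun']}")
```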

