
Anyconnect TND and Management Tunnel

Stuart Patton
Level 1

Hi,

 

I have configured a management tunnel by following the steps in below document:

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

 

The only change I have made is in the VPN profile, to configure TND by putting in both domains and DNS servers. We were finding that when users went into the office, the management tunnel would connect. I also have a "normal" VPN tunnel that we use when connecting to the network through SBL.

 

Today, I went to the site and had loads of problems. When I was troubleshooting this, I could see from a "route print" that all of my split tunnels for the management tunnel were inserted into the routing table. However, on the AnyConnect GUI, it shows "On a trusted network". In the management tunnel, the settings are trusted network = disconnect, untrusted network = connect.

 

So my questions are:

 

1) Does the TND for a management tunnel work as normal (bearing in mind this VPN establishes automatically and there are no always-on settings configured)?

 

2) In my "normal" VPN profile, should I add the same TND settings, ie my internal DNS domains and DNS servers?

 

Thanks,

Stuart

 

5 Replies

Hi @Stuart Patton 

To answer your question, the AnyConnect documentation says " For a consistent user experience, you must use identical TND settings in both user and management VPN tunnel profiles."

 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/configure_vpn.html#id_100260

Hi @Sheraz.Salim and @Rob Ingram 

 

I did read the note about applying TND to the other profiles, but I don't get why it's relevant.  If I deployed Anyconnect purely for a management-only tunnel and with no facility for "normal" remote access for my users, I wouldn't have a non-management tunnel to put the TND settings into.  As it's the management-only tunnel that's established, surely the TND settings relate to this tunnel?!?

 

In any case, I'll add the settings to my other profile and see what happens.

 

Regards,

Stuart

 

1) Does the TND for a management tunnel work as normal (bearing in mind this VPN establishes automatically and there are no always-on settings configured)?

- Yes. It disconnects whenever the user initiates a VPN tunnel, before or after user login.

 

 

2) In my "normal" VPN profile, should I add the same TND settings, ie my internal DNS domains and DNS servers?

- Yes. The DNS domains and DNS servers need to be the same as in the internal corporate network, because of the patch management (SCCM) connectivity needed in order to download the updates.

 

Please do not forget to rate.
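Since both the administrator guide quoted above and the answer to question 2 come down to "the TND settings in the user profile must match the management profile", here is a small check for that. This is an added example for this thread, not code from Cisco or from anyone posting here. It assumes the standard AnyConnect client profile XML layout (AutomaticVPNPolicy with its TND child elements TrustedDNSDomains, TrustedDNSServers, TrustedHttpsServers, TrustedNetworkPolicy, UntrustedNetworkPolicy); the domain names and DNS server addresses in the three sample profiles are constructed placeholders. The "before" user profile mirrors the original post, where TND had only been added to the management profile.

```python
"""Check that the TND block of an AnyConnect user VPN profile matches the
management VPN profile's, as the administrator guide requires.

Added example for this thread; not code from Cisco or from any poster.
Element names follow the AnyConnect client profile XML schema; the domain,
DNS server and policy values in the sample profiles are constructed.
"""
import xml.etree.ElementTree as ET

# TND elements the guide says must be identical across both profiles.
TND_ELEMENTS = (
    "TrustedDNSDomains",
    "TrustedDNSServers",
    "TrustedHttpsServers",
    "TrustedNetworkPolicy",
    "UntrustedNetworkPolicy",
)
# Elements whose value is a comma-separated list (order is not significant).
LIST_ELEMENTS = {"TrustedDNSDomains", "TrustedDNSServers", "TrustedHttpsServers"}

# Management tunnel profile as described in the original post: TND defined,
# trusted network = Disconnect, untrusted network = Connect. ServerList omitted.
MANAGEMENT_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.10.0.53,10.10.1.53</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""

# The "normal" user profile before the fix: no TND configured at all.
USER_PROFILE_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""

# The user profile after copying the same TND settings into it. The DNS
# servers are listed in a different order to show that order is ignored.
USER_PROFILE_AFTER = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.10.1.53, 10.10.0.53</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _local_name(tag):
    """Drop the namespace: "{http://...}TrustedDNSDomains" -> "TrustedDNSDomains"."""
    return tag.rsplit("}", 1)[-1]


def _normalize(name, text):
    """Trim whitespace; for list-valued elements also sort and drop empties."""
    text = (text or "").strip()
    if name in LIST_ELEMENTS:
        return tuple(sorted(p.strip() for p in text.split(",") if p.strip()))
    return text


def tnd_settings(profile_xml):
    """Return {element: normalised value} for every TND element in a profile."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    return {
        _local_name(el.tag): _normalize(_local_name(el.tag), el.text)
        for el in root.iter()
        if _local_name(el.tag) in TND_ELEMENTS
    }


def tnd_mismatches(mgmt_xml, user_xml):
    """Names of TND elements that differ (or are missing) between the profiles."""
    mgmt, user = tnd_settings(mgmt_xml), tnd_settings(user_xml)
    return [name for name in TND_ELEMENTS if mgmt.get(name) != user.get(name)]


if __name__ == "__main__":
    print("before:", tnd_mismatches(MANAGEMENT_PROFILE, USER_PROFILE_BEFORE))
    print("after: ", tnd_mismatches(MANAGEMENT_PROFILE, USER_PROFILE_AFTER))
```

Run it against the two profile XML files the ASA pushes to the client (or the copies under the AnyConnect profile directory on an endpoint) and an empty list means the trusted-network definition is the same in both; anything listed is an element the management profile has that the user profile lacks or defines differently.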

stsargen
Cisco Employee

The Management VPN tunnel is automatically initiated whenever a trusted network is NOT detected per USER profile settings, regardless of what the "action" is in the profile.

 

Not sure if this answers your question.

Hi @stsargen 

 

So in my hypothetical scenario above, you would never deploy a management-only tunnel without a regular tunnel?  And is that why the TND in the normal profile is needed?

 

Thanks,
Stuart