Re: Anyconnect VPN shows tunnel type shows Split Excuded

nematosama · ‎05-30-2024

Dears Community

I have configured SSL-VPN on a Cisco Router with access-list to allow specific traffic, but when I connect I see the Tunnel mode Split Exclude [see the status image attached], I can access the hosts allowed through the VPN, but I can not access the internet. the print route of my PC shows the default route with the lowest cost is the VPN route, not the local network interface,

crypto ssl authorization policy ssl-auth-policy
rekey time 1110
client profile ssl-isr
mtu 1000
module gina
keepalive 500
dpd-interval client 1000
netmask 255.255.255.0
include-local-lan
pool SSLVPN_POOL
dns 8.8.8.8
banner SSL-VPN
route set access-list SSL-VPN-AccessList
timeout disconnect 10000
crypto ssl policy ssl-policy
ssl proposal ssl-proposal
pki trustpoint LOCAL-CA sign
ip address local Our-Puplic-IP port 443
crypto ssl profile ssl-profile
match policy ssl-policy
aaa authentication user-pass list default
aaa authorization user user-pass list default ssl-auth-policy
aaa accounting user-pass list sslvpn
authentication remote user-pass
virtual-template 2

ip access-list extended SSL-VPN-AccessList
10 permit ip host x.x.x.x any
20 permit ip host y.y.y.y any

crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.6.04056-webdeploy-k9.pkg sequence 1

crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml

Also, I noticed that the Anyconnect missed up the secure and non-secure network, I tried to uninstall the program and install another version but the same problem exists.

Kind Regards

tvotna · ‎05-30-2024

This looks like a bug. Please provide:

show crypto ssl authorization policy

tvotna · ‎05-30-2024

Also, try to remove "include-local-lan" and re-test. It is possible that IOS reverts to split-exclude because of this option configured.

nematosama · ‎05-30-2024

#show crypto ssl authorization poli

SSL Auth Policy: ssl-auth-policy
V6 Parameter:
Address Pool: none
Prefix: none
Route ACL : none
DNS : none
V4 Parameter:
Address Pool: SSLVPN_POOL
Netmask: 255.255.255.0
Route ACL : SSL-VPN-AccessList
DNS :
8.8.8.8
WINS : none
Banner : SSL-VPN
Home Page : none
Idle timeout : 1800
Disconnect Timeout : 10000
Session Timeout : 43200
Keepalive Interval : 500
Client DPD Interval : 1000
Gateway DPD Interval : 300
Rekey
Interval: 1110
Method : New Tunnel
Split DNS: none
Default domain : none
Proxy Settings
Server: none
Option: NULL
Exception(s): none
Anyconnect Profile Name : ssl-isr
Module : Gina
MAX MTU : 1000
Smart Card
Removal Disconnect : NO
Include Local LAN : YES
Disable Always On : NO

it sounds like it doesn't set the access-list as route!

tvotna · ‎05-30-2024

Nope, it does:

Route ACL : SSL-VPN-AccessList

but it doesn't say anything about the split mode: whether it's split-include or split-exclude. Try to remove "include-local-lan" from the configuration and test again. If it doesn't help, you'd need TAC help, because behavior is definitely wrong.

MHM Cisco World · ‎05-30-2024

Police-group

Did config it ?

MHM

nematosama · ‎06-01-2024

Hi MHM,

no there is no configuration related to policy-group.

MHM Cisco World · ‎06-04-2024

return to link I shared before and config policy-group under it config prefix you need

MHM