AnyConnect with split tunnel and "tunnel everything" configured - how to add static route on the client end

kyrreliaaen
Level 1

Hello all

 

We are running ASA with AnyConnect and have encountered a requirement I've previously not considered. Some users need to establish a _second_ VPN connection to an endpoint within the campus network, and are finding that the static routes this client tries to add to the PC routing table (for the purpose of sending _some_ traffic across the second VPN tunnel which is in turn transported through the AC tunnel (do not ask..)) are being removed by AnyConnect (or so it seems).

 

Does anyone know what configuration elements cause such behaviour? I'll do my own research but I'm stuck as to where to begin :) I have a hunch that using the split-tunnel policy "tunnel all networks" is involved but this is just a guess on my part.

 

Any pointers would be appreciated.


Rahul Govindan
VIP Alumni

This is a security feature if I recall correctly. Full tunnel usually installs a default route into your routing table pointing all traffic to the Virtual adapter. The idea is that you do not want users circumventing the routing table (thus bypassing the firewall and other security policies) when connected via VPN. This is the same when you try to manually add a route into the routing table. I don't know if there is any easy way to bypass this feature. 

 




 

This sounds about right - thanks for confirming my suspicions.

 

I'll create another policy and switch the split-tunnel settings around to see what I can learn. Worst case we'll have to create a special set of configuration for these users to allow the two VPNs to coexist.

 

Thanks for your help :)
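The two split-tunnel settings the thread turns on, written out as an added ASA configuration example (not from the thread, Cisco's documentation, or the original poster's deployment); the group-policy, ACL, tunnel-group names and the campus prefixes are assumed values, and the second policy is the kind of "special set of configuration" the poster mentions trying.

```cisco
! Added example, not from the thread. Policy, ACL, tunnel-group names and
! prefixes are assumed values; replace them with your own.
!
! Policy 1: full tunnel ("tunnel all networks"). The client installs a default
! route through the AnyConnect virtual adapter and keeps the routing table under
! its control, which is the behaviour the accepted answer describes.
group-policy GP_FULL_TUNNEL internal
group-policy GP_FULL_TUNNEL attributes
 split-tunnel-policy tunnelall
!
! Policy 2: split tunnel. Only the networks in the ACL are routed through
! AnyConnect; other destinations keep the routes the client already has.
! Keep the ACL as narrow as possible, because anything outside it is no longer
! subject to the firewall policies applied to the VPN path.
access-list SPLIT_CAMPUS standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_CAMPUS standard permit 192.168.50.0 255.255.255.0
group-policy GP_SPLIT_CAMPUS internal
group-policy GP_SPLIT_CAMPUS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_CAMPUS
!
! Attach the split policy only to the connection profile used by the affected
! users, so every other user stays on the full-tunnel policy.
tunnel-group TG_DUAL_VPN_USERS general-attributes
 default-group-policy GP_SPLIT_CAMPUS
```

After changing the policy, compare the client's routing table before and after the AnyConnect connection comes up (for example `route print` on Windows) to confirm which destinations are still reachable outside the tunnel.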