Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4162
Views
6
Helpful
8
Replies

FQDN/Dynamic split tunneling for Anyconnect on FTD/FDM

CraigBeamish2945
Level 1
Level 1

‎01-03-2021 02:55 PM

I am trying to configure dynamic split tunneling for AnyConnect RAVPN on a FTD that is NOT using FMC, (locally managed)

every guide says to do flex config for "webvpn" however, that is a blacklisted CLI command so it won't let it do it.
I cannot for the life of me find a guide on how to get dynamic split tunneling on a FDM/FTD.
The configuration for anyconnect only has IPv4/IPv6 split tunnelling with no FQDN objects possible

 

Can someone who has done this, or someone in Cisco who actually knows please advise on this.

no, do not link me to the standard flex object/policy creation:

 
webvpn
anyconnect-custom-attr dynamic-split-exclude-domains description traffic for these domains will not be sent to the VPN headend
anyconnect-custom-data dynamic-split-exclude-domains excludeddomains {{urls}}

It does not work, i get "invalidFlexCliLineBlacklist - Blacklisted cli error: webvpn"

 

Thanks in advance

 

Craig

Labels:
0 Helpful
8 Replies 8

Francesco Molino
VIP Alumni
VIP Alumni

‎01-03-2021 06:22 PM

Hi, 

 

The flexconfig you’re showing is for FTD managed by FMC.

If you look at what commands are prohibited on FTD managed by FMC, you will see that webvpn isn’t part of it and that’s why it works.

On FTD, webvpn is a prohibited command and so I would say it won’t work and not supported. Never tested myself as I never had the requirement on a FDM.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

CraigBeamish2945
Level 1
Level 1
In response to Francesco Molino

‎01-03-2021 06:33 PM

Hi Francesco

I knew they were FMC lines but I was hoping there was a way to actually apply them at FDM level as I have no intent to run FMC for this deployment. The FMC is pushing the configuration down to the FTD so surely it has some level of capability to have it declared locally, why they wouldn't permit it is baffling and beyond logic.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to CraigBeamish2945

‎01-04-2021 04:29 AM

Not all FMC-supported options (including some Flexconfig commands) are supported when using local management (FDM). The reason is because FDM relies on the commands being supported via APIs developed and exposed on the device. FMC interacts with managed devices via a legacy sftunnel interface (non-API-based).

CraigBeamish2945
Level 1
Level 1
In response to Marvin Rhoads

‎01-10-2021 06:29 PM

sooo they want you to move to FTD from ASA but you can't get the dynamic split tunneling without running fmc. joyus. great way to encourage people to continue using their platforms

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to CraigBeamish2945

‎01-11-2021 07:47 PM - edited ‎01-11-2021 07:47 PM

I agree sometimes it's weird the way it goes.

However, buying FMC for 2 FTDs for example, is cheap and affordable (less than 1k list price).


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

PBB1452536
Level 1
Level 1

‎09-22-2022 06:54 AM

I ran into this same issue.  I am running an FTD version 7.2.0.1-12 using FDM.  I opened a TAC case as I was also getting the same "Black list CLI error:" message.  The issue is the syntax.  The "webvpn" command has been truncated to "w".  The "anyconnect-custom-data" has been truncated to "anyconnect-custom-d".  Don't ask me why.

In FlexConfig go to FlexConfig Objects and create a new object.  Name is something meaningful.  In the template use the following lines.  

w
anyconnect-custom-attr dynamic-split-exclude-domains description Traffic not on VPN tunnel
anyconnect-custom-d dynamic-split-exclude-domains excludeddomains facebook.com

For the Negate Template use the following:

w
no anyconnect-custom-attr dynamic-split-exclude-domains description Traffic not on VPN tunnel
no anyconnect-custom-d dynamic-split-exclude-domains excludeddomains facebook.com

After that you will need to create an object to add to the group policy.  Again, in FlexConfig, go to FlexConfig Objects and create a new object.  For the Template use:

group-policy DfltGrpPolicy attributes
anyconnect-custom dynamic-split-exclude-domains value excludeddomains

For the Negate Template use:

group-policy DfltGrpPolicy attributes
no anyconnect-custom dynamic-split-exclude-domains value excludeddomains

 

Disclaimer:  Cisco keeps changing what can and can't be done done with FlexConfig on the FTD running FDM.  While this may work in 7.2, it may or may not work in other versions.

 

 

Pavan Gundu
Cisco Employee
Cisco Employee
In response to PBB1452536

‎09-28-2023 05:22 AM

Tested in FTD 7.3.0 build 69, and it works in my lab.
Thank you @PBB1452536 

0 Helpful

DaveNoonan26775
Level 1
Level 1

‎03-03-2023 02:24 PM

Any thanks PBB1452536!  That FlexConfig worked on my 7.1 box so I can check one more off my list.

Customers Also Viewed These Support Documents