01-03-2021 02:55 PM
I am trying to configure dynamic split tunneling for AnyConnect RAVPN on an FTD that is NOT using FMC (locally managed).
Every guide says to use FlexConfig for "webvpn"; however, that is a blacklisted CLI command, so it won't let me do it.
I cannot for the life of me find a guide on how to get dynamic split tunneling on FDM/FTD.
The AnyConnect configuration only has IPv4/IPv6 split tunnelling, with no FQDN objects possible.
Can someone who has done this, or someone in Cisco who actually knows, please advise on this.
No, do not link me to the standard flex object/policy creation:
webvpn
anyconnect-custom-attr dynamic-split-exclude-domains description traffic for these domains will not be sent to the VPN headend
anyconnect-custom-data dynamic-split-exclude-domains excludeddomains {{urls}}
It does not work; I get "invalidFlexCliLineBlacklist - Blacklisted cli error: webvpn".
Thanks in advance
Craig
01-03-2021 06:22 PM
Hi,
The FlexConfig you're showing is for FTD managed by FMC.
If you look at what commands are prohibited on FTD managed by FMC, you will see that webvpn isn't part of it, and that's why it works.
On FTD, webvpn is a prohibited command, so I would say it won't work and isn't supported. Never tested it myself, as I never had the requirement on an FDM.
01-03-2021 06:33 PM
Hi Francesco,
I knew they were FMC lines, but I was hoping there was a way to actually apply them at the FDM level, as I have no intent to run FMC for this deployment. The FMC is pushing the configuration down to the FTD, so surely it has some level of capability to have it declared locally. Why they wouldn't permit it is baffling and beyond logic.
01-04-2021 04:29 AM
Not all FMC-supported options (including some FlexConfig commands) are supported when using local management (FDM). The reason is that FDM relies on the commands being supported via APIs developed and exposed on the device. FMC interacts with managed devices via a legacy sftunnel interface (non-API-based).
01-10-2021 06:29 PM
So they want you to move to FTD from ASA, but you can't get dynamic split tunneling without running FMC. Joyous. Great way to encourage people to continue using their platforms.
01-11-2021 07:47 PM - edited 01-11-2021 07:47 PM
I agree, sometimes it's weird the way it goes.
However, buying FMC for 2 FTDs, for example, is cheap and affordable (less than 1k list price).
09-22-2022 06:54 AM
I ran into this same issue. I am running FTD version 7.2.0.1-12 using FDM. I opened a TAC case, as I was also getting the same "Black list CLI error:" message. The issue is the syntax. The "webvpn" command has been truncated to "w". The "anyconnect-custom-data" command has been truncated to "anyconnect-custom-d". Don't ask me why.
In FlexConfig, go to FlexConfig Objects and create a new object. Name it something meaningful. In the Template, use the following lines:
w
anyconnect-custom-attr dynamic-split-exclude-domains description Traffic not on VPN tunnel
anyconnect-custom-d dynamic-split-exclude-domains excludeddomains facebook.com
For the Negate Template use the following:
w
no anyconnect-custom-attr dynamic-split-exclude-domains description Traffic not on VPN tunnel
no anyconnect-custom-d dynamic-split-exclude-domains excludeddomains facebook.com
After that, you will need to create an object to add to the group policy. Again, in FlexConfig, go to FlexConfig Objects and create a new object. For the Template, use:
group-policy DfltGrpPolicy attributes
anyconnect-custom dynamic-split-exclude-domains value excludeddomains
For the Negate Template use:
group-policy DfltGrpPolicy attributes
no anyconnect-custom dynamic-split-exclude-domains value excludeddomains
Disclaimer: Cisco keeps changing what can and can't be done with FlexConfig on FTD running FDM. While this may work in 7.2, it may or may not work in other versions.
09-28-2023 05:22 AM
Tested in FTD 7.3.0 build 69, and it works in my lab.
Thank you, @PBB1452536
03-03-2023 02:24 PM
Many thanks, PBB1452536! That FlexConfig worked on my 7.1 box, so I can check one more off my list.