(i think) yes, correct...

group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel

How do I determine which group policy this Anyconnect VPN is mapped to?

@jmaxwellUSAF and is that the group-policy that has been assigned to the session? show vpn-sessiondb detail anyconnect will tell you the applied group-policy for that user.

As you've reconfigured the default group-policy that will only be applied if you have not explictly referenced that group-policy under the tunnel-group.

Ideally you'd use a standard ACL, as mentioned before the destination object is ignored.

(always obfuscated)

ASA-5525# show vpn-sessiondb detail anyconnect

Group Policy : HAWAII_VPN Tunnel Group : Enterprise-Employee

@jmaxwellUSAF and what is the configuration of the HAWAII_VPN group-policy, is it configured for split tunnel aswell or ?

Check the "Route Details" tab in AnyConnect, is the route in the "Secured routes"?

My enterprise does not allow me to use the ASDM.

Below is pruned from "sh run"...

group-policy Hawaii_VPN internal
group-policy Hawaii_VPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
client-bypass-protocol enable

@jmaxwellUSAF Check the "Route Details" tab in AnyConnect, is the route or any other routes define in the split_tunnel ACL in the "Secured routes"?

"Check the "Route Details" tab in AnyConnect"

My enterprise does not allow me to use the ASDM.

Below is pruned from "sh run"...

group-policy Hawaii_VPN internal
group-policy Hawaii_VPN attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel
client-bypass-protocol enable

@jmaxwellUSAF AnyConnect is the VPN client, I am not referring to ASDM. I want to know if when the user is logged onto the VPN, whether the AnyConnect client has received the split tunnel routes.

Example:

Yes, the route is verified visible in the vpn client gui.

@jmaxwellUSAF so the is this traffic routed back to the ASA then?

Do you have the relevant configuration to allow access - a NAT exemption rule from RAVPN users to object 1.1.1.1

Or is this an internet resource tunneled back to the ASA? If so configure - same-security-traffic permit intra-interface and a NAT rule to allow RAVPN users to access the internet.

object network RAVPN
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

Anyconnect VPN workers need to access VENDOR1 site at 1.1.1.1.

I think above code you mention is already installed. (I understand the reason for that code, I don't understand exactly if my specific code needs specific adjustments to the above familiar code.)

Ther exist many exemptions like this in the Split tunnel. Clearly i'm configuring this wrong for 1.1.1.1. I tried to reverse-engineer old code, but I'm failing.

What is my next troubleshoot step to fix this?