If you don’t use IPv6 on your corporate network, but users have IPv6 through their ISPs, what are the best ways to handle this when using AnyConnect VPN?
We currently use split-tunnel AnyConnect set to drop all IPv6 traffic. This works fine for most clients, but for some it breaks their connectivity to Outlook Exchange email and sometimes web browsing in general.
We now plan to switch from split tunnel to full tunnel. Will users with IPv6 connectivity established have the same issues with a full-tunnel VPN connection? I assume so, because where is the IPv6 traffic that was enabled before the VPN was established going to go after launching the VPN if we don’t have IPv6 available through the tunnel?
We have been telling the users to just disable IPv6 on their computers, but sometimes it’s needed in Windows for things not related to VPN, and it is not a supported configuration from Microsoft.
What are the best solutions for handling IPv6 connectivity through AnyConnect VPN?
If you want to enable full tunnel, you'll have to enable IPv6 on your ASA/FTD (including IPv6 on outside, an IPv6 pool, IPv6 routing and ACLs). This way, all user traffic (both IPv4 and IPv6) will get tunneled back to your gateway and routed towards the Internet from there. If you have another FW controlling your traffic, then your IPv4 and IPv6 routing needs to step in and route traffic to that FW as next hop. If you want to forward traffic from the VPN FW, then you'll need to configure U-turn on this FW.
While using split tunnel, you can configure the one that I mentioned earlier:
group-policy TestGP attributes
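As an added illustration (this is not the answer author's configuration, and the only name taken from the thread is the group policy `TestGP`), the two approaches described in the answer look roughly like this on an ASA. Every IPv6 prefix uses the 2001:db8::/32 documentation range, and the interface, pool, ACL and next-hop names are placeholders to be replaced with your own. The first part is the full-tunnel option, where the ASA itself gets IPv6 on outside, an IPv6 pool, a default IPv6 route toward the upstream firewall, and U-turn enabled so client traffic can leave the same interface it arrived on; the second part is the split-tunnel alternative, where the ASA hands out no IPv6 address at all and `client-bypass-protocol` lets the client send its IPv6 traffic out its local interface instead of dropping it, which is the behaviour that was breaking Exchange and web access for users with native IPv6.

```text
! ===== Option 1: full tunnel with IPv6 carried through the ASA =====
! Outside interface gets a global IPv6 address (documentation prefix, placeholder)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ipv6 address 2001:db8:0:1::2/64
 ipv6 enable
!
! Default IPv6 route toward the next-hop firewall that controls Internet traffic
ipv6 route outside ::/0 2001:db8:0:1::1
!
! "U-turn": allow traffic to enter and leave via the same (outside) interface,
! which VPN client traffic must do when it is routed back out to the Internet
same-security-traffic permit intra-interface
!
! Address pools handed to AnyConnect clients (pool names and prefix are constructed)
ip local pool VPN4_POOL 192.0.2.10-192.0.2.200 mask 255.255.255.0
ipv6 local pool VPN6_POOL 2001:db8:0:ac::/64 200
!
group-policy TestGP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN4_POOL
 ipv6-address-pools value VPN6_POOL
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
!
! ===== Option 2: split tunnel, ASA has no IPv6, client keeps local IPv6 =====
! No ipv6-address-pools is assigned, so the client receives only an IPv4 address.
! client-bypass-protocol enable tells AnyConnect to pass the protocol it was NOT
! given an address for (here IPv6) directly to the local adapter rather than
! black-holing it, so native-IPv6 users keep Exchange/web reachability.
group-policy TestGP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN4_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 client-bypass-protocol enable
```

With option 2 the IPv6 traffic never touches the corporate side, so it is subject only to whatever the user's local network enforces; with option 1 it is inspected by the same firewall policy as the IPv4 traffic, at the cost of having to operate IPv6 on the VPN gateway and the downstream firewall.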