I have two ASA5505's in failover and set up the the IPSEC client group policy for non-inherited browser proxy settings. I have a manual IP address and the typical port 8080 configured.

What is not working are Windows and Macbook laptop clients. iPads and iPhones accept the policy even though the built-in Cisco IPSEC client does not have a proxy setting on the ipad/iphone.

On a Mac, under Network Preferences, I can set the proxy manually for that VPN profile under any of the "Locations" and it will use the proxy settings. But, if I leave everything blank, even on a Windows 7 PC (Internet Options, Connections, LAN Settings), neither platform seem to accept or maybe it should be "receive" those settings.

I turned up the packet capture on the ASA and saw the ipad/iphone pointing all their browser traffic to the proxy:8080. But the Mac and PC (multiple hardware tested) are sending their packets to the actual host IP. So, the result is that the ASA sees a packet from the "outside" interface that is trying to go to the "outside" interface instead of the inside interface. In effect, it is trying to do a hairpin. I don't want to configure hairpin, I would rather solve this issue.

I know there are some other work arounds that I could do but I really need to figure out why the group policy for an IPSEC client vpn connection is not working.

Any thoughts? Did I miss something?