
Management Tunnel Anyconnect 4.7 problem

DAVIES604
Level 1

Trying to get the management tunnel feature working but it drops after certificate authentication because it complains there is an issue with the split tunnelling configuration, but I can't work out what's wrong with it. I've followed the Cisco docs, and created the ManagementTunnelAllAllowed attribute. I've enabled Client Bypass Protocol, but whatever I set the Split Policy to I get the event logs below:

Function: CCustomAttributes::checkCustomAttributes
File: Xml\CustomAttributes.cpp
Line: 205
Found custom attribute ManagementTunnelAllAllowed=true/true

Function: CCvcConfig::validateMgmtTunParameters
File: vpnconfig.cpp
Line: 3647
Only IPv4 split-include or bypass-all configuration is supported for management tunnel

Function: CCvcConfig::setConfig
File: vpnconfig.cpp
Line: 1736
Invoked Functions: CCvcConfig::validateMgmtTunParameters
Return Code: -33095617 (0xFE07003F)
Description: CVCCONFIG_ERROR_INVALID_MGMT_TUN_CONFIG

I seem to get the same error if I configure Tunnel All, or Tunnel Network List. If I disable Client Bypass Protocol it complains about IPv6 which I'm not using.

Anyone any ideas? I'm obviously missing something here.

2 Replies

DAVIES604
Level 1
Hoping someone will still pick this up. It seems if I configure the custom attribute and set policy to tunnel all I get the error above. If I configure split include and protocol bypass, I get the error about not supporting block-all IPv6. It’s as if it’s ignoring the custom attribute and the protocol bypass. It doesn’t seem to be behaving as the docs describe.
Does anyone have this working and can confirm whether these split tunnel error events appear anyway? Maybe it’s a red herring.
Thanks.

For anyone who happened to be struggling with this like me, I stumbled across another post in the community which has led me to get this working. Turns out, if on the client you have IPv6 on non-tunnel interfaces disabled, then the management tunnel doesn't seem to build, no matter what split configuration you use. When IPv6 is enabled on the client, whether I'm using it or not, I can get the tunnel to build using split-include policy and Client Bypass Protocol. However, the Cisco docs also state the tunnel should build when the custom tunnel all attribute is configured and policy is tunnel all, but I still can't get it to work in this configuration.
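
Added example, not part of the original thread and not Cisco tooling: a Python triage script for the event messages quoted in the first post. It pairs each CVCCONFIG_ERROR_INVALID_MGMT_TUN_CONFIG event with the message logged by the function named in its "Invoked Functions" field and converts the signed return code to hex. The text-export layout and the names `parse_events` and `rejections` are assumptions.

```python
import re

# Constructed sample: the three event messages from the first post as one text export (layout assumed).
SAMPLE = """\
Function: CCustomAttributes::checkCustomAttributes
File: Xml\\CustomAttributes.cpp
Line: 205
Found custom attribute ManagementTunnelAllAllowed=true/true
Function: CCvcConfig::validateMgmtTunParameters
File: vpnconfig.cpp
Line: 3647
Only IPv4 split-include or bypass-all configuration is supported for management tunnel
Function: CCvcConfig::setConfig
File: vpnconfig.cpp
Line: 1736
Invoked Functions: CCvcConfig::validateMgmtTunParameters
Return Code: -33095617 (0xFE07003F)
Description: CVCCONFIG_ERROR_INVALID_MGMT_TUN_CONFIG
"""

ERR = "CVCCONFIG_ERROR_INVALID_MGMT_TUN_CONFIG"
FIELD = re.compile(r"^(Function|File|Line|Invoked Functions|Return Code|Description):\s*(.*)$")

def parse_events(text):
    """Split the export into events; each event starts at a 'Function:' line."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FIELD.match(line)
        if m and m.group(1) == "Function":
            events.append({"Function": m.group(2), "Message": []})
        elif events and m:
            events[-1][m.group(1)] = m.group(2)
        elif events:
            events[-1]["Message"].append(line)  # free-text line of the event
    return events

def rejections(events):
    """Pair each management tunnel config error with the validator's reason and hex code."""
    out = []
    for i, e in enumerate(events):
        if e.get("Description") == ERR:
            code = int(e.get("Return Code", "0").split()[0]) & 0xFFFFFFFF  # signed 32-bit -> unsigned
            reason = next((" ".join(p["Message"]) for p in reversed(events[:i])
                           if p["Function"] == e.get("Invoked Functions")), None)
            out.append((e["Function"], f"0x{code:08X}", reason))
    return out

if __name__ == "__main__":
    print(rejections(parse_events(SAMPLE)))
```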