Secure Client - AnyConnect VPN on Windows routing problem

Dan C
Level 1

Cisco Secure Client - AnyConnect VPN version 5.0.03076 installed on Windows 10 connecting to a Meraki MX85. The normal connection from the client to the Meraki works fine. We have an OpenVPN connection for the internal network that has to be made after the initial connection. This OpenVPN connection publishes routes back to the AnyConnect client, and the client ignores those routes and cannot connect to the network that OpenVPN is routing to. We used to do this with the Meraki IPSec VPN and it worked fine. When we do it with the IPSec VPN instead of AnyConnect, we can see the routes from OpenVPN in the Windows routing table. When we use AnyConnect, those routes are not there. I tried manually adding the route as a static route on Windows, but AnyConnect is ignoring it. Is there a way to get AnyConnect to accept additional routes? I didn't see anything in the profile editor that would help.


To get AnyConnect to accept additional routes, you need to configure the Split Tunneling feature, which allows the VPN client to direct certain traffic through the VPN tunnel while other traffic is sent directly to the local network. This allows the VPN client to access resources on both the VPN network and the local network simultaneously.

Here is an example of how to configure Split Tunneling for AnyConnect on Cisco ASA:

1. Enable WebVPN on the outside interface:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# enable outside


2. Configure an access list to define the traffic that should be sent through the VPN tunnel:

ciscoasa(config)# access-list splittunnel_acl standard permit (network)


3. Create a group policy and specify the Split Tunneling policy:

ciscoasa(config)# group-policy (policy_name) internal
ciscoasa(config)# group-policy (policy_name) attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value splittunnel_acl


4. Configure the tunnel group to use the group policy:

ciscoasa(config)# tunnel-group (tunnel_group_name) type remote-access
ciscoasa(config)# tunnel-group (tunnel_group_name) general-attributes
ciscoasa(config-tunnel-general)# default-group-policy (policy_name)


5. Apply the tunnel group to the SSL VPN connection profile:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable


6. Verify the configuration:

ciscoasa# show running-config webvpn


By specifying the appropriate network in the access list and configuring the split tunneling policy, you can control which routes are sent through the VPN tunnel. This allows the VPN client to accept additional routes while still accessing local resources.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

Thanks for the suggestion, but it will not work for me because I explicitly don't want split tunneling (I want to prevent access to local resources) and I don't have an ASA device (it's a Meraki MX firewall). I need to send all traffic over the VPN connection. It's a route that is being published within the target network by a second-level VPN. The AnyConnect client ignores it, whereas it was not previously ignored by the IPSec VPN that Meraki also supports.
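A PowerShell diagnostic for the symptom in the original question (a route published by the second-level VPN that is absent from the Windows table while the Secure Client tunnel is up), added here as an example and not code from either post or from Cisco. It assumes the Secure Client virtual adapter's description contains "AnyConnect" and that $TargetHost is an IPv4 host inside the OpenVPN-routed network.

```powershell
# Added diagnostic (not from the thread): show which interface Windows will
# actually use to reach a host on the subnet the second-level VPN advertises,
# and whether that path is a specific route or just the tunnel's default route.
# Assumptions: the adapter description contains "AnyConnect"; $TargetHost is an
# IPv4 address inside the OpenVPN-routed network.
param(
    [Parameter(Mandatory)] [string] $TargetHost,
    [string] $VpnAdapterPattern = '*AnyConnect*'   # assumption; adjust to your adapter
)

# Locate the active Secure Client virtual adapter (only present while connected).
$vpn = Get-NetAdapter | Where-Object {
    $_.InterfaceDescription -like $VpnAdapterPattern -and $_.Status -eq 'Up'
}
if (-not $vpn) {
    Write-Warning "No active adapter matching '$VpnAdapterPattern'. Is the VPN connected?"
}

# Find-NetRoute returns the source address Windows would bind plus the winning
# route object; keep only the route (it is the one with a DestinationPrefix).
$selected = Find-NetRoute -RemoteIPAddress $TargetHost |
    Where-Object { $_.DestinationPrefix }
$viaIf = Get-NetAdapter -InterfaceIndex $selected.InterfaceIndex -ErrorAction SilentlyContinue

"Target        : $TargetHost"
"Winning route : {0} via {1} metric {2}" -f $selected.DestinationPrefix, $selected.NextHop, $selected.RouteMetric
"Interface     : {0} ({1})" -f $selected.InterfaceIndex, $viaIf.InterfaceDescription

if ($selected.DestinationPrefix -eq '0.0.0.0/0') {
    # No specific entry survived: the published (or manually added) route is gone
    # and the host is reached only through whatever owns the default route.
    "Result        : no specific route for $TargetHost; it falls back to the default route."
}
if ($vpn -and ($selected.InterfaceIndex -in $vpn.ifIndex)) {
    "Result        : traffic to $TargetHost is sent into the Secure Client tunnel."
} else {
    "Result        : traffic to $TargetHost leaves via a different interface than the Secure Client adapter."
}

# List every table entry for that prefix across all interfaces, so a static route
# that was added but then overridden or deleted is visible next to the active one.
Get-NetRoute -ErrorAction SilentlyContinue |
    Where-Object { $_.DestinationPrefix -eq $selected.DestinationPrefix } |
    Select-Object DestinationPrefix, NextHop, InterfaceIndex, RouteMetric, Protocol, Store |
    Format-Table -AutoSize
```

Run it once before and once after the OpenVPN session is established (and again after adding a static route) to see which entries the client removes.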