12-03-2021 03:54 AM - edited 12-09-2021 01:26 PM
Hello
I am trying to implement dynamic split exclusion based on domain.
There are a lot of tutorials that are almost the same.
I configured a custom attribute that contains a list with URLs.
Everything seems to be fine.
But the dynamic list is not applied to AnyConnect (Dynamic Tunnel Exclusion remains none).
Is there an important step so that Cisco AnyConnect applies these exclusions?
Thanks for help.
Greetings
12-03-2021 04:08 AM
Check the document below for verification:
12-03-2021 04:10 AM
For me it just worked out of the box. Some things to check:
12-06-2021 12:00 AM
I have now performed the steps several times. But the exceptions are not set in Cisco AnyConnect.
ASA: 9.6 (ASA version 9.0 is required)
AnyConnect: 4.10.xxx (should also fit)
Do no other global or AnyConnect settings need to be done? Is there any way to check if the ASA returns the exceptions?
12-06-2021 12:12 AM
If it is done several times and each time it doesn't work, then it's likely that you did the same thing wrong every time. But without seeing what you have configured, it is impossible to tell.
12-06-2021 02:02 AM
Here are the necessary commands.
webvpn
 anyconnect-custom-attr Dynamic-Exclusions description Dynamic Exclusions
anyconnect-custom-data Dynamic-Exclusions CISCO cisco.com
webvpn
group-policy Grouppolicytest internal
group-policy Grouppolicytest attributes
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
 split-tunnel-all-dns disable
 anyconnect-custom Dynamic-Exclusions value CISCO
12-06-2021 02:40 AM
Please use the attribute-name "dynamic-split-exclude-domains" instead of "Dynamic-Exclusions".
12-06-2021 03:41 AM
Thanks.
Now it looks better.
The exclusion is now set in the AnyConnect.
But for the routes, everything is routed to the VPN tunnel (only 0.0.0.0/0).
What could that be now?
12-06-2021 03:47 AM
Because everything that is not an exclusion is configured to go through the tunnel:
split-tunnel-policy tunnelall
12-06-2021 07:32 AM
Thank you.
Now the domains are dynamically added as an exception.
cisco.com is callable, but extremely slow, so sometimes the connection drops.
This is probably not normal?
Without VPN the website cisco.com goes up very quickly.
12-06-2021 07:50 AM
No, it shouldn't be slower than before.
I would first look at the Route Details in the AnyConnect client to see if you get entries for all the excluded destinations. And add some test destinations that are under your control to see if they behave similarly.
12-09-2021 12:53 PM
Thank you very much.
Now everything works.
I had uninstalled AnyConnect and downloaded the latest version.
Is the name dynamic-split-exclude-domains some kind of trigger for the dynamic split tunnel? And can only this name be used for this?
Is it possible to use different lists that can be assigned this way?
12-09-2021 01:10 PM
Yes, the AnyConnect client needs to know which feature has to be activated. But the lists can have any name you want.
12-09-2021 01:27 PM
Many thanks.