[Solved] AnyConnect dynamic split exclusions were not set

Marco Serato
Level 1

Hello

I am trying to implement dynamic split exclusion based on domain.

There are a lot of tutorials that are almost the same.

I configured a custom attribute that contains a list with URLs.

Everything seems to be fine.

But the dynamic list is not applied to anyconnect (Dynamic Tunnel Exclusion remains none).

Is there an important step needed so that Cisco AnyConnect applies these exclusions?

Thanks for the help.

Greetings

1 Accepted Solution

Please use the attribute-name "dynamic-split-exclude-domains" instead of "Dynamic-Exclusions".

13 Replies

For me it just worked out of the box. Some things to check:

  • recent AnyConnect version
  • usage of FQDNs in the list, not URLs
  • Applied the setting to the right user-group (the right group-policy)
  • having the right building blocks chained together

Marco Serato
Level 1

I have now performed the steps several times. But the exceptions are not set in Cisco AnyConnect.

ASA: 9.6 (ASA version 9.0 is required)

AnyConnect: 4.10.xxx (should also fit)

Are there no other global or AnyConnect settings that need to be done? Is there any way to check whether the ASA returns the exceptions?

If it is done several times and each time it doesn't work, then it's likely that you did the same thing wrong every time. But without seeing what you have configured, it is impossible to tell.

Marco Serato
Level 1

Here are the necessary commands.

webvpn
 anyconnect-custom-attr Dynamic-Exclusions description Dynamic Exclusions
 anyconnect-custom-data Dynamic-Exclusions CISCO cisco.com

webvpn
group-policy Grouppolicytest internal
group-policy Grouppolicytest attributes
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
 split-tunnel-all-dns disable
 anyconnect-custom Dynamic-Exclusions value CISCO

Please use the attribute-name "dynamic-split-exclude-domains" instead of "Dynamic-Exclusions".
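The two things this thread turns on, the attribute type name from the accepted answer and the earlier checklist item "FQDNs in the list, not URLs", can be checked mechanically before pushing the config. The following is an added example written for this page, not Cisco's code or anything posted in the thread; POSTED_CONFIG is reconstructed from the configuration above, and the assumption that a list value holds domains separated by commas or spaces is mine.

```python
import re

# Custom-attribute type AnyConnect expects for dynamic split exclusion (the accepted
# answer); any other type name is ignored by the client. List names are free-form.
REQUIRED_ATTR_TYPE = "dynamic-split-exclude-domains"

# Conservative FQDN check: dot-separated labels only, so no scheme, path or port.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def lint_asa_dynamic_split(config: str) -> list[str]:
    """Return findings for an ASA webvpn/group-policy snippet: wrong attribute type,
    list entries that are URLs rather than FQDNs, and references to undefined lists."""
    attr_types, data_lists, referenced = set(), {}, []
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "anyconnect-custom-attr" and len(parts) >= 2:
            attr_types.add(parts[1])
        elif parts[0] == "anyconnect-custom-data" and len(parts) >= 4:
            # Assumed: the value holds one or more domains separated by commas/spaces.
            values = [v for v in re.split(r"[,\s]+", " ".join(parts[3:])) if v]
            data_lists.setdefault((parts[1], parts[2]), []).extend(values)
        elif parts[0] == "anyconnect-custom" and len(parts) >= 4 and parts[2] == "value":
            referenced.append((parts[1], parts[3]))

    findings = []
    for attr_type in sorted(attr_types):
        if attr_type != REQUIRED_ATTR_TYPE:
            findings.append(f"attribute type '{attr_type}' is not applied by AnyConnect; "
                            f"use '{REQUIRED_ATTR_TYPE}'")
    for (_, name), values in data_lists.items():
        for value in values:
            if not FQDN_RE.match(value):
                findings.append(f"list '{name}': '{value}' is not a bare FQDN (URLs are not matched)")
    for attr_type, name in referenced:
        if (attr_type, name) not in data_lists:
            findings.append(f"group-policy references undefined list '{name}' of type '{attr_type}'")
    return findings


# Constructed snippets: the thread's original configuration and the corrected one.
POSTED_CONFIG = """\
webvpn
 anyconnect-custom-attr Dynamic-Exclusions description Dynamic Exclusions
 anyconnect-custom-data Dynamic-Exclusions CISCO cisco.com
group-policy Grouppolicytest attributes
 anyconnect-custom Dynamic-Exclusions value CISCO
"""
FIXED_CONFIG = POSTED_CONFIG.replace("Dynamic-Exclusions", REQUIRED_ATTR_TYPE)
```

Running the lint over POSTED_CONFIG reports only the attribute-type finding, and over FIXED_CONFIG reports nothing, which matches how the thread resolved.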

Marco Serato
Level 1

Thanks.

Now it looks better.
The exclusion is now set in the AnyConnect.
But for the routes, everything is routed to the VPN tunnel (only 0.0.0.0/0).
What could that be now?

Because everything that is not an exclusion is configured to go through the tunnel:

 split-tunnel-policy tunnelall

Marco Serato
Level 1

Thank you.

Now the domains are dynamically added as an exception.
cisco.com is reachable, but extremely slow, so sometimes the connection drops.

This is probably not normal?
Without VPN, the cisco.com website loads very quickly.

No, it shouldn't be slower than before.

I would first look at the Route Details in the AnyConnect client to see if you get entries for all the excluded destinations. And add some test destinations that are under your control to see if they behave similarly.

Marco Serato
Level 1

Thank you very much.
Now everything works.
I had uninstalled AnyConnect and downloaded the latest version.

Is the name dynamic-split-exclude-domains some kind of trigger for the dynamic split tunnel? And can only this name be used for this?
Is it possible to assign different lists this way?

Yes, the AnyConnect client needs to know which feature has to be activated. But the lists can have any name you want.

Many thanks.