Split tunnel configuration from DART diagnostics

ziqex
Level 4

Hello,

I've lost my ASAv latest configuration. I wanted to find the split tunnel exclusions which were used. I have a recent DART diagnostics file. Does DART diagnostics contain the list of split tunnel addresses?

Thank you.

Regards,

Daniel 

Accepted Solutions

@ziqex, under the "General Information" folder, locate the route_result file. It has the "route print" output from the client; from there you can determine the split tunnel routes. These routes have an interface that is from the RAVPN pool.

You will not find the ASA dynamic-split-exclude-domains list configuration, as the output is from the client device, not the ASA, but you will be able to determine what routes were in the list.

Example:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 2.2.2.254 2.2.2.200 271
1.1.1.5 255.255.255.255 2.2.2.254 2.2.2.200 16
2.2.2.0 255.255.255.0 On-link 2.2.2.200 271
2.2.2.200 255.255.255.255 On-link 2.2.2.200 271
2.2.2.255 255.255.255.255 On-link 2.2.2.200 271
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.10.0 255.255.255.0 192.168.14.2 192.168.14.1 2
192.168.10.5 255.255.255.255 192.168.14.2 192.168.14.1 2
192.168.11.0 255.255.255.255 192.168.14.2 192.168.14.1 2

The bottom three routes in bold are the split tunnel routes.
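
One way to pull those routes out of a route_result file automatically, added here as an example and not part of the original post: it keeps the rows whose interface address falls inside the RAVPN pool and drops the adapter's own local entries. The pool 192.168.14.0/24, the two constructed rows at the end of the sample, and the function names are assumptions.

```python
import ipaddress

# Route rows from the example above; the last two rows are constructed
# adapter-local entries of the kind a VPN adapter also carries in "route print".
ROUTE_RESULT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 2.2.2.254 2.2.2.200 271
1.1.1.5 255.255.255.255 2.2.2.254 2.2.2.200 16
2.2.2.0 255.255.255.0 On-link 2.2.2.200 271
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
192.168.10.0 255.255.255.0 192.168.14.2 192.168.14.1 2
192.168.10.5 255.255.255.255 192.168.14.2 192.168.14.1 2
192.168.11.0 255.255.255.255 192.168.14.2 192.168.14.1 2
192.168.14.0 255.255.255.0 On-link 192.168.14.1 257
224.0.0.0 240.0.0.0 On-link 192.168.14.1 257
"""

def parse_routes(text):
    """Yield (destination network, interface address) per IPv4 route row."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # banners, separators, persistent-route rows
        dest, mask, _gateway, iface, metric = cols
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            iface_ip = ipaddress.IPv4Address(iface)
            int(metric)
        except ValueError:
            continue  # not an IPv4 route row
        yield net, iface_ip

def split_tunnel_routes(text, vpn_pool):
    """Return destinations routed via an interface inside vpn_pool."""
    pool = ipaddress.IPv4Network(vpn_pool)
    routes = []
    for net, iface_ip in parse_routes(text):
        if iface_ip not in pool:
            continue  # leaves via a non-VPN adapter
        # Drop the adapter's own subnet, multicast and limited broadcast.
        if net.subnet_of(pool) or net.is_multicast or str(net) == "255.255.255.255/32":
            continue
        routes.append(net)
    return routes

if __name__ == "__main__":
    # 192.168.14.0/24 is an assumed RAVPN pool matching the sample interface.
    for net in split_tunnel_routes(ROUTE_RESULT, "192.168.14.0/24"):
        print(net)
```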


Mike.Cifelli
VIP Alumni

AFAIK you should be able to find this information inside the DART bundle.  I would look specifically under General Information and/or Cisco AnyConnect Secure Mobility Client folders. 

I've looked through those folders but cannot find any file which contains domains from dynamic-split-exclude-domains list.

Thanks,

Daniel

ziqex
Level 4

I was looking for the dynamic tunnel exclusions rather than IPs.

That's a shame that DART diagnostics does not include dynamic tunnel exclusions.

Thanks,

Daniel