01-20-2018 12:43 PM - edited 03-12-2019 04:56 AM
We have had split-tunnel VPN working for years, but at some point we
started to see an issue with home private networks that overlap with our
corporate private networks, which I thought was previously handled correctly
by our supernetting.
We ACL in our two /16 public nets and supernet our private net10 space
to a /8, which should normally be less preferred than anything more specific.
But when a user with a 10.0.0.0/24 connects, the AnyConnect clients are
either replacing or adding a route to 10.0.0.0/24 over the secure tunnel as
well as the 10.0.0.0/8 supernet, and it kills any local LAN access. This 10.0.0.0/24
does NOT show up in the AnyConnect client's route listing, but the route is being
added and removed in the client's routing table each time AnyConnect is run.
When AnyConnect is NOT running (macOS):
Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.1 UGSc 62 0 en0
10/24 link#5 UCS 1 0 en0
10.0.0.1 10:86:8c:39:9a:85 UHLWIir 10 6 en0 1193
10.0.0.232/32 link#5 UCS 1 0 en0
10.0.0.232 84:38:35:4e:6f:bc UHLWI 0 2 lo0
When AnyConnect is running:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.1 UGSc 64 0 en0
10/24 link#12 UCS 0 0 utun2
10 10.7.0.114 UGSc 0 0 utun2
10.0.0.1 10:86:8c:39:9a:85 UHLSr 7 4 en0
10.0.0.232/32 link#5 UCS 1 0 en0
10.0.0.232 84:38:35:4e:6f:bc UHLWI 0 2 lo0
10.7.0.114/32 127.0.0.1 UGSc 5 0 lo0
I verified the behavior on a Windows 7 client: it adds the 10/24 as secured, which overrides the existing 10/24 local LAN.
ASA ACL:
access-list split-tunnel standard permit 1.2.0.0 255.255.0.0
access-list split-tunnel standard permit 3.4.0.0 255.255.0.0
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
[...]
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
The AnyConnect client shows the two /16s and the /8, as well as two /32 DNS servers, as secured; the 0.0.0.0/0 is unsecured. Do we now have to specifically list the hundreds of private net10 subnets we use internally?
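To make the route-table symptom above concrete, here is an added example (not from the original post or from Cisco) that applies longest-prefix matching to the two macOS `netstat -rn` listings quoted in the post and checks the split-tunnel ACL for overlap with a local LAN. The route tables and ACL are copied from the post; the `parse_dest` abbreviation rules (trailing zero octets dropped, no mask meaning classful or host route) are an assumption about BSD `netstat` output, and the lookup addresses 10.0.0.50 and 10.20.30.40 are constructed.

```python
import ipaddress

# Route tables quoted in the post above (macOS `netstat -rn`), one route per line.
BEFORE = """\
default 10.0.0.1 UGSc 62 0 en0
10/24 link#5 UCS 1 0 en0
10.0.0.1 10:86:8c:39:9a:85 UHLWIir 10 6 en0 1193
10.0.0.232/32 link#5 UCS 1 0 en0
10.0.0.232 84:38:35:4e:6f:bc UHLWI 0 2 lo0
"""

AFTER = """\
default 10.0.0.1 UGSc 64 0 en0
10/24 link#12 UCS 0 0 utun2
10 10.7.0.114 UGSc 0 0 utun2
10.0.0.1 10:86:8c:39:9a:85 UHLSr 7 4 en0
10.0.0.232/32 link#5 UCS 1 0 en0
10.0.0.232 84:38:35:4e:6f:bc UHLWI 0 2 lo0
10.7.0.114/32 127.0.0.1 UGSc 5 0 lo0
"""

# The split-tunnel ACL from the post.
SPLIT_TUNNEL_ACL = """\
access-list split-tunnel standard permit 1.2.0.0 255.255.0.0
access-list split-tunnel standard permit 3.4.0.0 255.255.0.0
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
"""


def parse_dest(dest):
    """Expand an abbreviated BSD netstat destination into an ip_network.

    Assumed rules: 'default' is 0.0.0.0/0; trailing zero octets are dropped
    ('10/24' is 10.0.0.0/24); with no mask, a full address is a host route
    and a shortened one uses the classful length ('10' is 10.0.0.0/8).
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    if not plen:
        plen = 32 if len(octets) == 4 else 8 * len(octets)
    return ipaddress.ip_network(f"{padded}/{plen}", strict=False)


def parse_routes(text):
    """Keep destination, gateway and interface from each netstat line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        routes.append({"net": parse_dest(parts[0]), "gateway": parts[1], "netif": parts[5]})
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific matching route wins, as on the host."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        if addr in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def parse_acl(text):
    """Turn 'permit NET MASK' lines of a standard ACL into networks."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if "permit" in parts:
            i = parts.index("permit")
            nets.append(ipaddress.ip_network(f"{parts[i + 1]}/{parts[i + 2]}"))
    return nets


def lan_overlaps(acl_nets, local_lan):
    """Secured prefixes that cover (or are covered by) the client's local LAN."""
    local = ipaddress.ip_network(local_lan, strict=False)
    return [n for n in acl_nets if n.overlaps(local)]


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        routes = parse_routes(table)
        for host in ("10.0.0.50", "10.20.30.40"):  # constructed: a LAN printer, a corporate host
            r = lookup(routes, host)
            print(f"{label}: {host} -> {r['net']} via {r['netif']}")
    print("ACL entries overlapping 10.0.0.0/24:", lan_overlaps(parse_acl(SPLIT_TUNNEL_ACL), "10.0.0.0/24"))
```

Run stand-alone, the script shows that a LAN host such as 10.0.0.50 resolves to en0 before AnyConnect starts and to utun2 afterwards, because the injected 10/24 on utun2 is exactly as specific as the local interface route and replaces it; the /8 supernet alone would have left the /24 on en0 winning. The `lan_overlaps` check is the quick audit a practitioner can run against a client's LAN prefix and the split-tunnel list before opening a support case.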
01-20-2018 06:08 PM
Hi
There was a bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum90946/?referring_site=bugquickviewclick
Can you confirm which version of AnyConnect you have?
Did you do an upgrade lately?