split tunnel Local LAN supernet issue

85MikeTPI
Level 1

We have had split-tunnel VPN working for years, but at some point we started to see an issue with home private networks that overlap with our corporate private networks, which I thought was previously handled correctly by our supernetting.

We ACL in our two /16 public nets and supernet our private net10 space to a /8, which should normally be less preferred than anything more specific. But when a user with a 10.0.0.0/24 connects, the AnyConnect clients are either replacing or adding a route to 10.0.0.0/24 over the secure tunnel as well as the 10.0.0.0/8 supernet, and it kills any local LAN access. This 10.0.0.0/24 does NOT show up in the AnyConnect client routes listing, but the route is being added and removed in the client's routing table each time AnyConnect is run.

When AnyConnect is NOT running (macOS):
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           62        0     en0
10/24              link#5             UCS             1        0     en0
10.0.0.1           10:86:8c:39:9a:85  UHLWIir        10        6     en0   1193
10.0.0.232/32      link#5             UCS             1        0     en0
10.0.0.232         84:38:35:4e:6f:bc  UHLWI           0        2     lo0

When AnyConnect is running:

Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           64        0     en0
10/24              link#12            UCS             0        0   utun2
10                 10.7.0.114         UGSc            0        0   utun2
10.0.0.1           10:86:8c:39:9a:85  UHLSr           7        4     en0
10.0.0.232/32      link#5             UCS             1        0     en0
10.0.0.232         84:38:35:4e:6f:bc  UHLWI           0        2     lo0
10.7.0.114/32      127.0.0.1          UGSc            5        0     lo0

I verified the behavior on a Windows 7 client, and it adds the 10/24 as secured, which overrides the existing 10/24 local LAN.

ASA ACL:

access-list split-tunnel standard permit 1.2.0.0 255.255.0.0
access-list split-tunnel standard permit 3.4.0.0 255.255.0.0
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0

[...]

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

The AnyConnect client shows the two /16s and the /8, as well as two /32 DNS servers, as secured; the 0.0.0.0/0 is unsecured. Do we now have to specifically list the hundreds of private net10 subnets we use internally?
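As an added example (not part of the original post, and not AnyConnect or ASA code): the Python script below parses macOS `netstat -rn` style routing tables, using the two tables quoted above plus a third constructed table (EXPECTED) that holds only the /8 supernet over the tunnel with the home /24 left on en0. It resolves a destination the way the kernel does (longest prefix match) and flags any tunnel route that overlaps the home LAN and is at least as specific as it. The function names, the sample hosts 10.0.0.50 and 10.7.1.1, and the EXPECTED table are assumptions of this example. It shows that the /8 supernet on its own cannot shadow the home /24, and that the /24 installed over utun2 is what captures local LAN traffic.

```python
import ipaddress
from dataclasses import dataclass

# Routing tables in macOS `netstat -rn` format. WITHOUT_VPN and WITH_VPN are copied
# from the post above; EXPECTED is a constructed table showing the state the poster
# expects: only the /8 supernet over the tunnel, the home /24 still on en0.
WITHOUT_VPN = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           62        0     en0
10/24              link#5             UCS             1        0     en0
10.0.0.1           10:86:8c:39:9a:85  UHLWIir        10        6     en0   1193
10.0.0.232/32      link#5             UCS             1        0     en0
10.0.0.232         84:38:35:4e:6f:bc  UHLWI           0        2     lo0
"""
WITH_VPN = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           64        0     en0
10/24              link#12            UCS             0        0   utun2
10                 10.7.0.114         UGSc            0        0   utun2
10.0.0.1           10:86:8c:39:9a:85  UHLSr           7        4     en0
10.0.0.232/32      link#5             UCS             1        0     en0
10.0.0.232         84:38:35:4e:6f:bc  UHLWI           0        2     lo0
10.7.0.114/32      127.0.0.1          UGSc            5        0     lo0
"""
EXPECTED = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           64        0     en0
10/24              link#5             UCS             1        0     en0
10                 10.7.0.114         UGSc            0        0   utun2
10.0.0.232/32      link#5             UCS             1        0     en0
10.7.0.114/32      127.0.0.1          UGSc            5        0     lo0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def expand_destination(dest):
    """Expand the abbreviated BSD Destination column: 'default' -> 0.0.0.0/0,
    '10/24' -> 10.0.0.0/24, bare '10' -> 10.0.0.0/8 (short form is classful),
    full '10.0.0.1' -> 10.0.0.1/32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = str(8 * len(octets)) if len(octets) < 4 else "32"
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_routes(table):
    """Parse the rows after the header; skip L-flagged entries, which are
    link-layer (ARP) neighbour cache entries rather than forwarding routes."""
    routes = []
    for line in table.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or "L" in fields[2]:
            continue
        routes.append(Route(expand_destination(fields[0]), fields[1], fields[2], fields[5]))
    return routes


def longest_prefix_match(routes, ip):
    """Kernel-style lookup: the most specific route containing ip wins."""
    target = ipaddress.ip_address(ip)
    hits = [r for r in routes if target in r.network]
    return max(hits, key=lambda r: r.network.prefixlen, default=None)


def egress_interface(table, ip):
    route = longest_prefix_match(parse_routes(table), ip)
    return route.netif if route else None


def shadowing_tunnel_routes(routes, lan_prefix, tunnel_iface_prefix="utun"):
    """Tunnel routes that overlap the home LAN and are at least as specific as it.
    A less specific supernet (the /8 from the ACL) loses to the home /24 and is
    harmless; an equal-or-more-specific tunnel route steals local LAN traffic."""
    lan = ipaddress.ip_network(lan_prefix)
    return [r for r in routes
            if r.netif.startswith(tunnel_iface_prefix)
            and r.network.overlaps(lan)
            and r.network.prefixlen >= lan.prefixlen]


if __name__ == "__main__":
    for name, table in (("no VPN", WITHOUT_VPN), ("VPN up", WITH_VPN), ("expected", EXPECTED)):
        # 10.0.0.50 is a constructed home-LAN host, 10.7.1.1 a constructed corporate host
        shadow = [str(r.network) for r in shadowing_tunnel_routes(parse_routes(table), "10.0.0.0/24")]
        print(f"{name}: 10.0.0.50 -> {egress_interface(table, '10.0.0.50')}, "
              f"10.7.1.1 -> {egress_interface(table, '10.7.1.1')}, shadowing: {shadow}")
```

To run this against a live host, feed the output of `netstat -rn -f inet` to parse_routes and the home LAN prefix to shadowing_tunnel_routes; an empty result means the local LAN route still wins longest-prefix match, while a non-empty result lists the tunnel routes that are taking local traffic.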

 

Accepted Solution

Francesco Molino
VIP Alumni

Hi

There was a bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum90946/?referring_site=bugquickviewclick

Can you confirm which version of AnyConnect you have?

Did you do any upgrade lately?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
