Showing results for 
Search instead for 
Did you mean: 

split-tunnel-policy and multicast: tunnelspecified vs. excludespecified

We have users on an isolated network that connect to our main office using VPN client Main office is currently running ASA 8.2(2)17. They also have a multicast source on their local LAN (vbrick video streamer).

When we configure their group policy to use a split-tunnel-policy with "tunnelspecified" and associated with an ACL that enumerates the networks at our home office, they can access the main office resources just fine, and also connect to the multicast stream on their local LAN.

However, when we change this around and use split-tunnel-policy with excludespecified to enumerate the local subnet they are permitted to access (everything else is tunneled in this scenario) multicast breaks.

What I noted with Wireshark is that when using excludespecified some IGMP traffic tries to go down the tunnel adapter (incorrect behavior), and some is going out the ethernet adapter to the local LAN (correct behavior).

We have to use excludespecified because we only permit split tunnel from a very specific subnet.

Rising star

What multicast IPs did you include in your  excludespecified ACL? What IGMP version you are running?

Cisco Employee

The Cisco VPN client has just been announced as end of life so it is unlikely this will be fixed in the traditional IPSec VPN client:

But there are two enhancement requests to get this functionality with AnyConnect. One for the tunnelspecified scenario and one for the excludespecified scenario:

     CSCtj79104    Multicast traffic should be allowed in the clear with split-tunneling (this is fixed in 003.000(1047) and 002.005(3046) and higher)  
     CSCtr85730: ENH: Multicast traffic should be allowed in the clear with split-exclude (this has not been resolved yet, please contact your Account Team if you are hitting this)