02-16-2011 05:46 AM
We have users on an isolated network that connect to our main office using VPN client 5.0.07.0290. Main office is currently running ASA 8.2(2)17. They also have a multicast source on their local LAN (vbrick video streamer).
When we configure their group policy to use a split-tunnel-policy with "tunnelspecified" and associated with an ACL that enumerates the networks at our home office, they can access the main office resources just fine, and also connect to the multicast stream on their local LAN.
However, when we change this around and use split-tunnel-policy with excludespecified to enumerate the local subnet they are permitted to access (everything else is tunneled in this scenario), multicast breaks.
What I noted with Wireshark is that when using excludespecified some IGMP traffic tries to go down the tunnel adapter (incorrect behavior), and some is going out the Ethernet adapter to the local LAN (correct behavior).
We have to use excludespecified because we only permit split tunnel from a very specific subnet.
02-16-2011 11:13 AM
What multicast IPs did you include in your excludespecified ACL? What IGMP version are you running?
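The question above turns on how each split-tunnel policy classifies a destination that is not in the ACL. The following is an added example, not part of the thread and not Cisco code: it models only the policy semantics (tunnelspecified tunnels what is listed, excludespecified tunnels everything except what is listed), not the VPN client's actual multicast handling. All subnets, the group address and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MAIN_OFFICE_NETS = ["10.10.0.0/16", "172.16.50.0/24"]  # ACL used with tunnelspecified
LOCAL_LAN_NETS = ["192.168.1.0/24"]                    # ACL used with excludespecified

DESTINATIONS = {
    "main office server": "10.10.4.20",
    "local LAN host": "192.168.1.50",
    "IGMPv2 leave (all-routers)": "224.0.0.2",
    "IGMPv3 membership report": "224.0.0.22",
    "video stream group": "239.1.1.10",
}


def path_for(dest, policy, acl_nets):
    """Return 'tunnel' or 'local' for dest under the given split-tunnel policy."""
    addr = ipaddress.ip_address(dest)
    listed = any(addr in ipaddress.ip_network(net) for net in acl_nets)
    if policy == "tunnelspecified":
        # Only listed networks are tunneled; everything else stays local.
        return "tunnel" if listed else "local"
    if policy == "excludespecified":
        # Only listed networks stay local; everything else is tunneled.
        return "local" if listed else "tunnel"
    raise ValueError("unknown split-tunnel policy: %s" % policy)


def classify_all(policy, acl_nets):
    """Classify every sample destination under one policy/ACL pair."""
    return {name: path_for(ip, policy, acl_nets)
            for name, ip in DESTINATIONS.items()}


if __name__ == "__main__":
    for policy, acl in (("tunnelspecified", MAIN_OFFICE_NETS),
                        ("excludespecified", LOCAL_LAN_NETS)):
        print(policy, acl)
        for name, path in classify_all(policy, acl).items():
            print("  %-28s -> %s" % (name, path))
```

With only the local unicast subnet in the excludespecified ACL, the multicast group and IGMP destination addresses are unlisted and fall on the tunneled side of the policy, whereas under tunnelspecified the same unlisted addresses stay on the local LAN.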
08-03-2011 07:48 AM
The Cisco VPN client has just been announced as end of life so it is unlikely this will be fixed in the traditional IPSec VPN client:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps2308/end_of_life_c51-680819.html
But there are two enhancement requests to get this functionality with AnyConnect. One for the tunnelspecified scenario and one for the excludespecified scenario:
CSCtj79104 Multicast traffic should be allowed in the clear with split-tunneling (this is fixed in 003.000(1047) and 002.005(3046) and higher)
CSCtr85730: ENH: Multicast traffic should be allowed in the clear with split-exclude (this has not been resolved yet, please contact your Account Team if you are hitting this)