03-20-2023 12:07 PM
Hi All,
I'm a novice when it comes to split tunneling, so I believe this may be a pretty basic question, but I can't find any info online to validate my thought process.
It's quite a complex solution, but basically, after a new computer device is provisioned on the network, it briefly connects to the AnyConnect VPN and then reboots shortly after. A policy within the network prevents it from accessing the internet when it reboots. When the laptop has rebooted, it needs to download further components from a URL to make it compliant, which in turn will allow it to connect to the AnyConnect VPN. It currently can't, as all internet access is blocked.
A colleague believes that when it initially connects to the VPN, the laptop will pull the settings from the ASA to then allow it to connect to the URL where the components are contained, as it's been listed in the split-tunnel-exclude-domains config. I do not believe this is the case, as it would make logical sense that split tunneling will only work if you're connected to the VPN at that present moment, and will only split traffic when connected to the VPN. I believe an ISE policy would be more the way to tackle this.
Does that sound like a reasonable thought process? Again, not a wizard on split-tunneling so if I'm wrong then let me know.
03-20-2023 08:34 PM - edited 03-20-2023 08:38 PM
I believe you're on the right track. Split-tunnel-exclude-domains will only take effect when you're connected to the VPN. If a network policy is preventing your devices from accessing the internet after a reboot (and you can't connect to AnyConnect until you reach the URL for compliance), then you'll need to make an exception for accessing the URL outside of the AnyConnect configuration.
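To make the accepted answer concrete, here is an added example (not configuration from the original thread or from either poster) of where a split-tunnel-exclude-domains setting actually lives on the ASA. The group-policy name, the custom-data name and the domain names are placeholders. Every line of it sits in a group policy that the ASA hands to the client when the tunnel is established, which is why it cannot influence what the laptop can reach after a reboot with no tunnel up.

```cisco
! Added example, not the original poster's configuration. Names and domains are placeholders.
! 1. Declare the dynamic split-exclude custom attribute type (once, under webvpn).
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Domains that bypass the tunnel

! 2. Bind the comma-separated domain list to a named value (no spaces after the commas).
anyconnect-custom-data dynamic-split-exclude-domains BypassList compliance.example.com,updates.example.com

! 3. Apply the value inside the group policy the device lands in; the client only
!    learns this when it connects and only honours it while the session is up.
group-policy GP-Corp-Users attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value BypassList
```

A quick check that matches the answer: while connected, the AnyConnect Statistics window (Route Details) lists these names under Dynamic Tunnel Exclusions; after a disconnect or reboot that list is gone along with the rest of the downloaded group policy, so the compliance download has to be permitted by the network-side policy (the ISE route the original poster mentions) rather than by anything on the ASA.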