Split Tunnel Query

oliclarke7
Level 1

Hi All,

I'm a novice when it comes to split tunneling, so I believe this may be a pretty basic question, but I can't find any info online to validate my thought process.

It's quite a complex solution... but basically, after a new computer device is provisioned on the network, it briefly connects to the AnyConnect VPN and then reboots shortly after. A policy within the network prevents it from accessing the internet when it reboots. When the laptop has rebooted, it needs to download further components from a URL to make it compliant, which in turn will allow it to connect to the AnyConnect VPN. It currently can't, as all internet access is blocked.

A colleague believes that when it initially connects to the VPN, the laptop will pull the settings from the ASA to then allow it to connect to the URL where the components are contained, as it's been listed in the split-tunnel-exclude-domains config. I do not believe this is the case, as it would make logical sense that split tunneling will only work if you're connected to the VPN at that present moment, and will only split traffic when connected to the VPN. I believe an ISE policy would be more the way to tackle this.

Does that sound like a reasonable thought process? Again, not a wizard on split-tunneling so if I'm wrong then let me know.

Accepted Solution

BlakeBratu
Cisco Employee

I believe you're on the right track. Split-tunnel-exclude-domains will only take effect when you're connected to the VPN. If a network policy is preventing your devices from accessing the internet after a reboot (and you can't connect to AnyConnect until you reach the URL for compliance), then you'll need to make an exception for accessing the URL outside of the AnyConnect configuration.
