TDN - VPN not disconnecting on trusted network [Mgmt Tunnel]

guacamoley
Level 1

Hi all, 

I have a management tunnel set up with AnyConnect on an FTD. The MGMT tunnel is functioning as intended - I can authenticate to the device prior to logging in using the device cert. The issue is that it isn't disconnecting after the user logs into Windows. I do NOT want users to be on the mgmt tunnel profile after they log in. In the profile, I have Trusted Network = Disconnect, and Untrusted Network = Do Nothing. I have verified that they receive the correct DNS servers listed in the profile that should be triggering the trusted network following VPN authentication. I do not have AutoConnect on Start enabled.

On that note - I'm not really understanding how that works with regard to the management tunnel. Won't the user be considered on a trusted network once they connect to the management tunnel? Shouldn't it immediately disconnect even prior to the Windows login? In any event, any knowledge would be appreciated here.


gajownik
Cisco Employee

The primary goal of the Management Tunnel is to allow manageability of a specific device via extremely limited access to the corporate infrastructure when a user has not established a VPN Tunnel. It means it will always be up if the user is not connected via VPN or is not connected to the trusted (corporate) network if TND is enabled.

Trusted Network Detection performs the check on the "physical" interface (WiFi/Ethernet) that provides access to the LAN/Internet, not the VPN tunnel. Otherwise the VPN tunnel would end up in a reconnection loop.

What is not working for me is the transition from mgmt tunnel -> user tunnel following Windows login. The other interesting part is that the management tunnel doesn't automatically work when I'm at the login screen - I have to click the two monitors icon in the bottom right and then it works.
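The point gajownik makes about TND only looking at physical adapters is easy to see in a small model. The following is an added example, not Cisco code and not part of this thread: it models TND as "is any candidate adapter's DNS server or suffix in the trusted list", applies the TrustedNetworkPolicy / UntrustedNetworkPolicy values to a tunnel state, and runs a few evaluation cycles from a home network. The adapter names, DNS addresses and the `corp.example` suffix are constructed values, and the policy semantics are simplified to what the thread describes (Disconnect when trusted, Connect or DoNothing when untrusted).

```python
"""Toy model of Trusted Network Detection (TND) adapter selection.

Added example (not Cisco's implementation). It models the rule that TND
evaluates the physical adapters (Wi-Fi/Ethernet) and ignores the VPN
virtual adapter, and shows why counting the tunnel adapter would produce
a connect/disconnect loop. All adapter and DNS values are constructed.
"""
from dataclasses import dataclass, field

# Constructed profile values, standing in for the TrustedDNSServers /
# TrustedDNSDomains entries an AnyConnect profile would carry.
TRUSTED_DNS_SERVERS = {"10.0.0.53", "10.0.0.54"}
TRUSTED_DNS_DOMAINS = {"corp.example"}


@dataclass
class Adapter:
    name: str
    physical: bool                      # True for Wi-Fi/Ethernet, False for the VPN virtual adapter
    dns_servers: set = field(default_factory=set)
    dns_suffix: str = ""


def adapter_is_trusted(a):
    """An adapter looks 'trusted' when its DNS servers or suffix match the profile."""
    return bool(a.dns_servers & TRUSTED_DNS_SERVERS) or a.dns_suffix in TRUSTED_DNS_DOMAINS


def network_is_trusted(adapters, physical_only=True):
    """TND verdict over the candidate adapters.

    physical_only=True is the behaviour described in the reply (the VPN
    adapter is ignored); physical_only=False counts the tunnel adapter too.
    """
    candidates = [a for a in adapters if a.physical or not physical_only]
    return any(adapter_is_trusted(a) for a in candidates)


def next_action(tunnel_up, trusted, trusted_policy="Disconnect", untrusted_policy="Connect"):
    """Apply TrustedNetworkPolicy / UntrustedNetworkPolicy to the current state."""
    if trusted:
        return "disconnect" if (tunnel_up and trusted_policy == "Disconnect") else "none"
    if untrusted_policy == "Connect" and not tunnel_up:
        return "connect"
    return "none"


def simulate(physical_only, steps=6, **policies):
    """Run TND evaluation cycles from a home network (no trusted DNS on Wi-Fi).

    Returns the list of actions taken per cycle. While the tunnel is up, the
    VPN virtual adapter (which hands out corporate DNS) is present too.
    """
    wifi = Adapter("Wi-Fi", physical=True, dns_servers={"192.168.1.1"}, dns_suffix="home.lan")
    vpn = Adapter("Cisco AnyConnect VPN", physical=False,
                  dns_servers={"10.0.0.53"}, dns_suffix="corp.example")
    tunnel_up = False
    actions = []
    for _ in range(steps):
        adapters = [wifi, vpn] if tunnel_up else [wifi]
        trusted = network_is_trusted(adapters, physical_only)
        act = next_action(tunnel_up, trusted, **policies)
        actions.append(act)
        if act == "connect":
            tunnel_up = True
        elif act == "disconnect":
            tunnel_up = False
    return actions


if __name__ == "__main__":
    print("physical adapters only :", simulate(physical_only=True))
    print("tunnel adapter counted :", simulate(physical_only=False))
```

With only physical adapters evaluated the tunnel connects once and then stays up, because the home Wi-Fi never looks trusted. If the tunnel's own adapter were counted, every cycle would flip between trusted (disconnect) and untrusted (connect), which is the reconnection loop the reply refers to. In this model an untrusted policy of DoNothing never initiates a connection by itself; whether that matches a given deployment's intent is a separate question from the TND interface rule.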