KB ID 0001239 Dtd 19/09/16
Here I’m dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location.
You can confirm whether split-tunnelling is working by connecting with your VPN client and looking at the routing information it has been given.
Before proceeding are you sure Split-Tunnelling has ever been setup and configured? See the following article.
For Split Tunnelling to work you need:
- An Access Control List, allowing the networks/IP’s that are protected by your ASA, that you need to access over the VPN.
- A Group-policy that references the access-list above.
- A Tunnel Group that references the Group-policy above.
The lines get a bit blurred if you are in the ASDM; in there the terminology is access control list, group policy, and connection profile (a connection profile is the ASDM name for a tunnel group).
Troubleshoot Split Tunnel From CLI
Connect and authenticate an AnyConnect client. Then on the firewall run the following command.
Petes-ASA# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : petelong               Index        : 4
Assigned IP  : 172.16.1.1             Public IP    : 192.168.100.77
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 14128                  Bytes Rx     : 12305
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT-PROFILE
Login Time   : 12:49:31 GMT/BST Mon Sep 19 2016
Duration     : 0h:01m:03s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a86e010000400057dfd0cb
Security Grp : none

Petes-ASA#
From the output above, we know the name of the Group Policy and the Tunnel Group. The fact that we can see BOTH is an indication that the tunnel group is set up correctly, but it does no harm to check.
Petes-ASA# show run tunnel-group ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
Petes-ASA#
Then check that the group-policy has split tunnelling enabled and references the correct access control list.
Petes-ASA# show run group-policy GroupPolicy_ANYCONNECT-PROFILE
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 wins-server none
 dns-server value 188.8.131.52 184.108.40.206
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value testbench type user
Petes-ASA#
Finally, take the ACL name (SPLIT-TUNNEL) and make sure the networks it permits are the ones behind the ASA that you need to reach over the VPN.
Petes-ASA# show run access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
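The three checks above follow one chain: tunnel-group, then the group-policy it hands out, then the ACL that group-policy names. The following script walks that chain over saved "show run" output and reports where it breaks. It is an added example, not part of the original article or any Cisco tooling; the sample config is constructed from the outputs shown above, and the function names (parse_sections, check_split_tunnel) are my own.

```python
import re
# Constructed sample: the three "show run" outputs from this article as one string.
SAMPLE_CONFIG = """
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
"""
def parse_sections(config):
    """Indented attribute lines keyed by their parent (tunnel-group|group-policy, NAME)."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):  # attribute line: belongs to the current parent
            if current is not None:
                sections[current].append(line.strip())
            continue
        words = line.split()
        current = (words[0], words[1]) if words[0] in ("tunnel-group", "group-policy") else None
        if current is not None:
            sections.setdefault(current, [])
    return sections
def _value(lines, prefix):
    # Text after "prefix " on the first matching attribute line, or None if absent.
    return next((l[len(prefix) + 1:].strip() for l in lines if l.startswith(prefix + " ")), None)
def check_split_tunnel(config, tunnel_group):
    """Follow tunnel-group -> group-policy -> ACL and list anything that breaks the chain."""
    sections = parse_sections(config)
    gp_name = _value(sections.get(("tunnel-group", tunnel_group), []), "default-group-policy")
    result = {"group_policy": gp_name, "acl": None, "networks": [], "problems": []}
    gp = sections.get(("group-policy", gp_name))
    if gp is None:
        result["problems"].append(f"tunnel-group {tunnel_group}: group-policy {gp_name!r} not found")
        return result
    # tunnelall, or no line at all (inherited default), is the "no internet while connected" case.
    policy = _value(gp, "split-tunnel-policy")
    if policy != "tunnelspecified":
        result["problems"].append(f"split-tunnel-policy is {policy!r}, expected tunnelspecified")
    acl = result["acl"] = _value(gp, "split-tunnel-network-list value")
    if acl:
        result["networks"] = re.findall(rf"^access-list {re.escape(acl)} standard permit (\S+) (\S+)$", config, re.M)
    if not result["networks"]:
        result["problems"].append(f"access-list {acl!r} has no standard permit entries")
    return result
```

Run it against the pasted output of the three show commands; an empty "problems" list with the expected networks listed means the configuration side is intact and the fault is elsewhere (client, DNS, or the far-end routing).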
Troubleshoot Split Tunnel From ASDM
As above, connect a remote AnyConnect client, then go to Monitoring > VPN > VPN Statistics > Sessions > AnyConnect Client > Select your connected client > Details.
Note: The info we actually want is shown on this screen, but let's look at the session anyway.
Now you can see the Group Policy and Connection Profile that have been applied to this user.
Configuration > Remote Access VPN > AnyConnect Connection Profiles > Select the one shown above > Edit.
Check the Group-Policy is correct. (Note: you can manage it directly from here, but I will take the long way round.)
Configuration > Remote Access VPN > Network (Client Access) > Group Policies > Select the one shown above > Edit.
Advanced > Split Tunneling > Ensure 'Policy' is unticked and set to 'Tunnel Network List Below' > Ensure 'Network List' is unticked and set to the name of your split tunnel ACL > Manage.
Make sure the network(s) or IP addresses behind your ASA, that you want to access over the VPN, are listed.