Thanks for the reply! This is very interesting, we have not been seeing any issues with Split Tunneling. Could you attach a screen shot of the routing table for split tunneling from AnyConnect? To do that, while connected to the lab VPN, select the 'gear' logo at the bottom left side. Then Select the route deails. It should look something like the attached screenshot!
Hi Jacob - I'm attaching the screenshot. Thanks for taking a look. Upon further inspection, I realized that I do have connectivity to the IP addresses in my local network, it's just that the hostname resolution stops working (which effectively makes several applications that depend on hostname to stop functioning)
Best - Dave
Ahhhh, I see. Sounds like a DNS configuration issue. When connected to VPN, the ASA headend will typically hand out the DNS address from your lab. While this will still allow access to the outside world, all local hostname lookups would be lost. Check your IP configuration, make sure your internal DNS server is set as primary on the local NIC and VPN adapter. This should ensure all hostname lookups go to your internal server first, and if they're not found there go to ours (configured as secondary).
Please let me know if this helps out!
Thanks very much for writing back! I understand your suggestion, and it makes sense, I'm just struggling on how to make the modifications. I'm on a MAC and am running the Cisco AnyConnect application (Version 4.0.00061). The AnyConnect client runs as a standalone app and doesn't appear at all in my list of Network adapters/option types. Therefore I'm at a loss as to how to configure the AnyConnect's DNS server (which I don't see at all in any of the settings on AnyConnect) as a secondary option.
I looked at my colleague's MAC and can see that the virtual adapter was not showing up there. Could you try running the 'ifconfig' command at the terminal? This should give us a better understanding of what's going on at the backend! Make sure you're connected to the VPN before you run this command.
Sure thing! Here's the output of ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::62f8:1dff:feb7:2e36%en0 prefixlen 64 scopeid 0x4
inet 10.70.101.129 netmask 0xfffffc00 broadcast 10.70.103.255
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
media: autoselect <full-duplex>
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
media: autoselect <full-duplex>
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
awdl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1452
inet6 fe80::30e1:58ff:fe93:acae%awdl0 prefixlen 64 scopeid 0x8
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 5 priority 0 path cost 0
member: en2 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 6 priority 0 path cost 0
media: <unknown type>
en3: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::ae87:a3ff:fe14:43fc%en3 prefixlen 64 scopeid 0xb
inet 10.70.23.12 netmask 0xffffff00 broadcast 10.70.23.255
media: autoselect (1000baseT <full-duplex,flow-control>)
utun0: flags=80d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1399
inet 192.168.213.30 --> 192.168.213.30 netmask 0xffffff00
inet6 fe80::62f8:1dff:feb7:2e36%utun0 prefixlen 64 scopeid 0xa
inet6 fe80::cc6e:4412:5b5b:2ada%utun0 prefixlen 128 scopeid 0xa
I'm having the same issues on my macbook.. The session comes up and then disconnects. I get this message.
"The client's MTU configuration sent from the secure gateway is too small. A value of at least 1280 is required in order to tunnel IPv6 traffic. Please contact your network administrator."
Could you let me know what VPN/lab you are trying to connect to? When connected could you open on AnyConnect, click on the "gear," the go take a screenshot of "route details" and post it as a reply?
The Sandbox FAQ indicates that Split tunnelling is enabled on the VPN so only traffic destined for the lab will transverse the tunnel. All other traffic, including internet and LAN, will remain local.
I'm not experiencing this in my Sandbox, I lose access to my local LAN resources when I connect.
BTW, my AnyConnect client is configured to allow local LAN access when using VPN.
Perhaps this is just coincidental, but before the maintenance window last month, I was not experiencing this issue when using a sandbox.
Thanks in advance for any guidance.