Split tunneling problem with AnyConnect

Unanswered Question
Nov 12th, 2009


We've got a problem with split tunneling and AnyConnect clients. Basically, our policy for remote access users is as follows: local LAN traffic should be allowed directly (e.g. local printing), everything else should go through the tunnel. This works fine with the Cisco IPsec VPN Client.

Contrary to that, it doesn't work when using AnyConnect clients. I can't use the exclude parameter, so my only chance would be to define an ACE that tunnels traffic for specific networks.

Our problem now is that we can't tell the ASA to tunnel traffic only for network A or B. The ASA should tunnel the entire traffic EXCEPT local LAN access. Is it possible to tell the ASA this policy for AnyConnect connections like we did in the IPsec group policy?

Our IPsec group policy settings:

 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access

access-list Local_LAN_Access standard permit host

The documentation says that we cannot use this "excludespecified" parameter for SSL connections, only for IPsec connections.

Any suggestions are appreciated!



Todd Pula Thu, 11/12/2009 - 14:33

The above configuration should work for AnyConnect. The only caveat with AnyConnect is that starting with 2.3 and later, local LAN access is disabled by default. You can enable it manually by clicking on the "preferences" button next to the "connect to" box or via XML profile. Once enabled and connected, you should see two route panels on the route details tab, one for non-secured and one for secured routes. Please verify that you have tested the above. If you are still having issues, I can try mocking it up in my lab.
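The XML-profile route mentioned in the reply, as an added example that is not part of this thread: a minimal AnyConnect client profile with LocalLanAccess switched on (it defaults to off from 2.3 onward), which is what allows the excludespecified policy and the Local_LAN_Access list on the ASA to take effect. The HostName and HostAddress values are placeholders, not a real head end.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile; assumed values are marked as placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Default since AnyConnect 2.3 is effectively false: all traffic,
         including the local subnet, is forced into the tunnel and the
         excludespecified list on the ASA is ignored by the client. -->
    <!-- Set to true so the ASA's split-tunnel-policy excludespecified and
         split-tunnel-network-list Local_LAN_Access are honoured. -->
    <!-- UserControllable="true" exposes the checkbox in the client's
         Preferences; set it to "false" to pin the value centrally so users
         cannot widen local-LAN exposure on their own. -->
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder head-end entry -->
      <HostName>vpn.example.test</HostName>
      <HostAddress>vpn.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

After connecting, the Route Details tab of the client should list the local subnet under the non-secured routes and everything else under the secured routes; if the non-secured panel is empty, the profile has not been applied to the group policy the user lands in.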

