VPN Exclude List not working

Unanswered Question
Aug 11th, 2010
User Badges:

I am configuring an SSL and IPSec VPN where I would like to tunnel all traffic except for traffic going to

For the group policy I set the policy to "Exclude Network List Below", and then specified a network list which has a permit statement (I have also tried making this deny).

At that point I connect to the VPN and it shows that it is "Mode: All Traffic".   When I go to the route detail tab it shows a for Secured Routes, but nothing under the Non-Secured Routes.

I've tried configuring it again from scratch, and making sure the Connection Profiles are using the correct group policy.   I verified this buy changing it to split tunnel, and at that point when I connect it sets the correct network under "Secured Routes".

Any suggestions?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mulatif Wed, 08/11/2010 - 11:57
User Badges:
  • Cisco Employee,

Hi ,

For IPSec VPN Client the below will work

group-policy X

split-tunnel-policy excludespecified

split-tunnel-network-list value Y

For AnyConnect Clients, In addition to above you will need to enable "Enable Local LAN Access" in the AnyConnect Profile.

You can also make this parameter User-Configurable in the profile but in any case, the XML profile needs to be configured and Pushed to the Client.



Lucas Phelps Thu, 10/17/2013 - 11:04
User Badges:

If you are using the Cisco AnyConnect client rather than the older VPN Client, you must turn on this checkbox before split-tunneling exclusions will work:

1) Open Cisco ASDM

2) Click Remote Access VPN section

3) In left-hand pane choose Network (Client) Access > AnyConnect Client Profile

4) Edit the profile and place a checkmark in the box next to Local LAN Access

5) Click OK and then disconnect/reconnect to VPN and check the AnyConnect details window for 'Route Details'.  You should see your excluded networks in the 'Non-Secured Routes' section of the AnyConnect client.


This Discussion