SA540 Appliance question - IPSEC VPN - Split Tunnel

Unanswered Question
Feb 25th, 2013

SA540 configuring VPN (IPsec): the customer would like to be connected to the VPN and be able to access the Internet simultaneously. I removed the existing policies, then under Dynamic IP Range selected split tunnel, applied, and then recreated the policies. When the remote user attempted a connection it timed out and never reached a login prompt. I reversed the process and put the setting back to full tunnel and it picks right back up. In the config guide the only place where split tunnel is mentioned is under the SSL VPN section, so I am wondering if this config is supported under IPsec VPN?
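The question hinges on the difference between a full tunnel (all client traffic, including Internet traffic, goes through the SA540) and a split tunnel (only the corporate prefixes go through the VPN, the default route stays on the local uplink). The router side cannot be scripted from what is on this page, but the client side can be checked. The example below is added here and is not from the original thread or from Cisco; it parses Linux `ip route` output (the two route tables are constructed samples, the `tun0` interface name and the corporate prefix `10.10.10.0/24` are assumptions) and reports whether the client is in full-tunnel or split-tunnel mode and whether every corporate prefix is actually routed over the tunnel, which is the check to run when a user reports "connected, but no response from the host".

```python
import ipaddress

# Constructed sample: full tunnel, the default route points into the VPN interface.
FULL_TUNNEL_ROUTES = """\
default via 10.10.10.1 dev tun0
10.10.10.0/24 dev tun0 proto kernel scope link src 10.10.10.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed sample: split tunnel, default route stays on the LAN uplink and
# only the corporate prefixes go through tun0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0
10.10.10.0/24 dev tun0 proto kernel scope link src 10.10.10.5
172.16.0.0/16 via 10.10.10.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""


def parse_routes(text):
    """Parse `ip route` lines into (network, device) pairs.

    Only the destination prefix and the `dev` field are needed for the
    classification; everything else on the line is ignored.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def classify_tunnel(text, vpn_dev="tun0", corporate_nets=("10.10.10.0/24",)):
    """Classify the client's routing state as 'full', 'split' or 'none'.

    vpn_dev and corporate_nets are assumed values for the example; on a real
    client they come from the VPN adapter name and the networks the SA540 is
    expected to publish to the client.

    Returns a dict with the mode and the list of corporate prefixes that are
    NOT reachable over the VPN interface (the reason a host "never answers").
    """
    routes = parse_routes(text)
    default_dev = next((dev for net, dev in routes if net.prefixlen == 0), None)
    vpn_nets = [net for net, dev in routes if dev == vpn_dev]

    if default_dev == vpn_dev:
        mode = "full"       # everything, Internet included, rides the tunnel
    elif vpn_nets:
        mode = "split"      # tunnel carries only specific prefixes
    else:
        mode = "none"       # no route uses the VPN interface at all

    missing = []
    for prefix in corporate_nets:
        wanted = ipaddress.ip_network(prefix)
        if not any(wanted.subnet_of(net) for net in vpn_nets):
            missing.append(str(wanted))

    return {"mode": mode, "missing": missing}


if __name__ == "__main__":
    for label, table in (("full", FULL_TUNNEL_ROUTES), ("split", SPLIT_TUNNEL_ROUTES)):
        print(label, classify_tunnel(table, corporate_nets=("10.10.10.0/24", "172.16.5.0/24")))
```

In a split-tunnel setup the `missing` list is what matters: if the SA540 did not push a prefix, or the client never received the Phase 2 selectors, the corporate host is unreachable even though the tunnel shows as connected. Note the trade-off the question is asking for: with a split tunnel the client is simultaneously on the Internet and on the corporate network, so host firewalling on the client carries more weight than under a full tunnel.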

Tom Watts Mon, 02/25/2013 - 16:07

Hi Jeff, the IPsec VPN is very similar to the SSL VPN. In that sense, you are correct: you have to delete the existing VPN policy, then modify the Dynamic IP Range section, then rebuild the policy. To the best of my recollection this is the only requirement needed for it to work.

I am assuming you're using the Cisco VPN Client (5.x). Here is a link to the SA500 VPN resources

Please mark answered for helpful posts

jeff.heyen Mon, 02/25/2013 - 16:10


Thanks, I was thinking so, as I read that tip on one of the forums, but it didn't work. I did just that: deleted the IKE and VPN policy, switched the IP Range to split tunnel, and recreated the policies. The user then got no response from the host. Yes, we are using the 5.0 client as well.


Tom Watts Mon, 02/25/2013 - 16:18

Jeff, please delete both policies again, modify to split tunnel, rebuild, then reboot the router.

Please mark answered for helpful posts

jeff.heyen Mon, 02/25/2013 - 16:25

Will do the next time I get on it, though we rebooted the router as well following our last attempt, with no joy.

Time to leave the office...

Tom Watts Mon, 02/25/2013 - 16:30

Here's some food for thought

My experience with these boxes is with the 2.1.71 software and earlier. The latest firmware supported is the firmware. If you're not using the or the you may consider doing this as well. Just remember, if you're using the firmware, you need to factory default reset the box and manually reconfigure.

Please mark answered for helpful posts

jeff.heyen Mon, 02/25/2013 - 17:46


The very first thing I did was upgrade the firmware and reset to factory specs. I will review your links and possibly hit the 'reset' button one more time for good measure.



jeff.heyen Mon, 02/25/2013 - 18:57


Reviewed your links...

#1: the only difference in the steps I took is not recreating the user each time first. Otherwise the config and process look identical. However, in my case I can connect over a full tunnel config, but not a split tunnel... strange.

#2: I used this one already to find the tunnel selection under the IP range... saw this before I got on here.

#3: Similar to #1, but it doesn't look like there was any resolution... I'll try everything from the ground up one more time, but am thinking I may have to call support.

Unless you or someone else has any other ideas; there is not too much you can do wrong on this setup, though...

Tom Watts Tue, 02/26/2013 - 04:23

Hi Jeff, that's pretty much my only point as well. There is not much to this at all. I have not used the firmware; that's the only difference between you and anyone else I've talked to.

If you're having some problems, it may not be a bad idea to try to revert to and see if that makes a difference. I think it would be a fair statement that if the works perfectly well on the same config, then the is either not working correctly or perhaps a new configuration has been introduced that I am not aware of.

Please mark answered for helpful posts