Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

VPN Exclude List not working

I am configuring an SSL and IPSec VPN where I would like to tunnel all traffic except for traffic going to

For the group policy I set the policy to "Exclude Network List Below", and then specified a network list which has a permit statement (I have also tried making this deny).

At that point I connect to the VPN and it shows that it is "Mode: All Traffic".   When I go to the route detail tab it shows a for Secured Routes, but nothing under the Non-Secured Routes.

I've tried configuring it again from scratch, and making sure the Connection Profiles are using the correct group policy.   I verified this buy changing it to split tunnel, and at that point when I connect it sets the correct network under "Secured Routes".

Any suggestions?

Cisco Employee

Re: VPN Exclude List not working

Hi ,

For IPSec VPN Client the below will work

group-policy X

split-tunnel-policy excludespecified

split-tunnel-network-list value Y

For AnyConnect Clients, In addition to above you will need to enable "Enable Local LAN Access" in the AnyConnect Profile.

You can also make this parameter User-Configurable in the profile but in any case, the XML profile needs to be configured and Pushed to the Client.



New Member

Re: VPN Exclude List not working

If you are using the Cisco AnyConnect client rather than the older VPN Client, you must turn on this checkbox before split-tunneling exclusions will work:

1) Open Cisco ASDM

2) Click Remote Access VPN section

3) In left-hand pane choose Network (Client) Access > AnyConnect Client Profile

4) Edit the profile and place a checkmark in the box next to Local LAN Access

5) Click OK and then disconnect/reconnect to VPN and check the AnyConnect details window for 'Route Details'.  You should see your excluded networks in the 'Non-Secured Routes' section of the AnyConnect client.

CreatePlease to create content