Networking-Forums.com

Professional Discussions => Security => Topic started by: Dieselboy on February 23, 2023, 09:15:22 PM

Title: AnyConnect - can we have "allow local LAN access" with a tunnel-all config?
Post by: Dieselboy on February 23, 2023, 09:15:22 PM
Scenario:
Cisco AnyConnect 4.10
Windows client
Tunnel-all networks, with a split-exclude ACL to avoid encrypting traffic destined for MS Teams, Webex Teams, Microsoft 365, etc.

The experience seen is that accessing stuff on the local LAN while connected to the VPN does not work; it cannot connect. For example, a printer. I used Wireshark and loaded up two instances of it, one on the AnyConnect adapter and the other on the local Wi-Fi. When trying to access something on the local LAN, the VPN adapter sees the request, meaning the traffic is routed and encrypted through the VPN tunnel.

I had the inclination to check the local Windows route table while connected to the VPN, and it clearly shows two interesting routes while connected that are the same subnet as the local Wi-Fi. These two routes each point to the local on-link network, i.e. the local Wi-Fi network, as well as the same route but over the VPN tunnel. The metrics on these routes show the VPN tunnel always preferred, i.e. the on-link network has a metric of 311 and the same network but relating to the VPN has a metric of 2. So unless this is a red herring, this tells me that local LAN traffic always gets sent over the tunnel.

I found a similar cisco forum thread, same issue: https://community.cisco.com/t5/vpn/issue-with-split-tunnel-and-local-lan-access-via-anyconnect-vpn/td-p/3754771

Back in the day I played around with this and I was sure that it used to work as desired, where the local LAN is available even when using tunnel-all. However, generally I've not used tunnel-all VPN for performance reasons, for a long time now.
Title: Re: AnyConnect - can we have "allow local LAN access" with a tunnel-all config?
Post by: Dieselboy on February 23, 2023, 10:04:43 PM
I've done some more "research" since my post and found this post, which suggests that the problem is indeed caused by tunnel-all: https://www.petenetlive.com/KB/Article/0001689

The "fix" there basically says to add 0.0.0.0/32 to the excluded networks while keeping tunnel-all, I assume.


EDIT::

So after adding the additional network as a host route, 0.0.0.0 (I tried to add 0.0.0.0/32 to the FMC object, as this is FTD, but it refused 0.0.0.0/32, so I just added a host of 0.0.0.0 instead), then saving and pushing the policy to the FTD pair, NOW I can ping local LAN devices.

Though:
1. this host route does not show up in the AnyConnect "secured routes", so it's not possible to see any change there
2. this host route does not show up in the Windows route table

Also, the Windows route table is different now. The problem I mentioned at the beginning of this post is gone. Now there are not two identical routes with bad metrics, but only one route, and it points to the local on-link network. The metric is still high, but it is not relevant now as there is only one route. There is no duplicate network for the same local subnet anymore.

The tunnel-all functionality has not changed either. My public IP is still that of the corp office.

So the solution is to exclude host 0.0.0.0 using a tunnel-all exclude ACL  :D
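The route-table symptom described in the first post (the local subnet listed twice, on-link at metric 311 and via the VPN adapter at metric 2) and the cleaned-up table described after the 0.0.0.0 exclusion was pushed can both be checked mechanically. The script below is an added example, not code from the thread, Cisco or the linked articles: it parses the IPv4 "Active Routes" section of Windows `route print` output and reports every subnet that has an on-link route on the LAN adapter but whose lowest-metric (and therefore winning) route sits on a different interface. The two route tables, the 192.168.1.0/24 LAN, the 192.168.1.50 client address and the 10.99.0.17 AnyConnect adapter address are all constructed for the example; paste your own `route print` output in their place.

```python
"""Detect a local-LAN subnet whose on-link route is shadowed by a VPN route.

Parses the IPv4 "Active Routes" section of Windows `route print` output.
Windows forwards on the lowest-metric route for a given destination/netmask,
so a local subnet that also appears on the VPN adapter with a smaller metric
is effectively tunnelled. The two tables below are CONSTRUCTED to mirror the
thread's before/after observations; they are not captured output.
"""
import re
from dataclasses import dataclass

# dest  mask  gateway  interface  metric  (gateway is "On-link" or an IP)
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed: LAN 192.168.1.0/24 on 192.168.1.50, tunnel-all AnyConnect
# adapter 10.99.0.17, local subnet duplicated at metric 2 via the VPN.
BEFORE_FIX = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50    311
          0.0.0.0          0.0.0.0       10.99.0.17      10.99.0.17      2
       10.99.0.17  255.255.255.255          On-link      10.99.0.17    257
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    311
      192.168.1.0    255.255.255.0       10.99.0.17      10.99.0.17      2
     192.168.1.50  255.255.255.255          On-link    192.168.1.50    311
===========================================================================
"""

# Constructed: same client after host 0.0.0.0 was added to the exclude ACL;
# the default route still prefers the tunnel, but the LAN subnet is listed once.
AFTER_FIX = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50    311
          0.0.0.0          0.0.0.0       10.99.0.17      10.99.0.17      2
       10.99.0.17  255.255.255.255          On-link      10.99.0.17    257
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    311
     192.168.1.50  255.255.255.255          On-link    192.168.1.50    311
===========================================================================
"""


@dataclass(frozen=True)
class Route:
    dest: str
    mask: str
    gateway: str
    interface: str  # address of the adapter the route is bound to
    metric: int


def parse_routes(text):
    """Return every route line of a `route print` dump as a Route."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(dest, mask, gw, iface, int(metric)))
    return routes


def preferred_routes(routes):
    """Map (dest, mask) -> the lowest-metric Route, i.e. the one Windows uses."""
    best = {}
    for r in routes:
        key = (r.dest, r.mask)
        if key not in best or r.metric < best[key].metric:
            best[key] = r
    return best


def shadowed_local_routes(text, lan_ip):
    """Return (dest, mask, winning_iface, winning_metric, lan_metric) for each
    subnet that is on-link on lan_ip but whose preferred route is elsewhere."""
    routes = parse_routes(text)
    best = preferred_routes(routes)
    findings = []
    for r in routes:
        if r.interface != lan_ip or r.gateway != "On-link":
            continue
        winner = best[(r.dest, r.mask)]
        if winner.interface != lan_ip:
            findings.append((r.dest, r.mask, winner.interface, winner.metric, r.metric))
    return findings


if __name__ == "__main__":
    for label, table in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        hits = shadowed_local_routes(table, "192.168.1.50")
        print(f"{label}: {hits or 'no local subnet is shadowed'}")
```

On a real client, run `route print -4` and pass the output and the LAN adapter's own address; a non-empty result is the "two routes, VPN wins" condition from the first post, and an empty one matches the state reported after the exclusion was pushed. The default route still winning via the VPN adapter is expected under tunnel-all and is deliberately not flagged, since only on-link LAN routes are compared.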
Title: Re: AnyConnect - can we have "allow local LAN access" with a tunnel-all config?
Post by: deanwebb on February 24, 2023, 07:53:11 AM
Could also go with a CASB/SASE solution! :smug:
Title: Re: AnyConnect - can we have "allow local LAN access" with a tunnel-all config?
Post by: Dieselboy on February 26, 2023, 08:16:07 PM
I can't even get OneDrive access!  :XD:
Title: Re: AnyConnect - can we have "allow local LAN access" with a tunnel-all config?
Post by: deanwebb on February 27, 2023, 12:16:27 PM
Quote from: Dieselboy on February 26, 2023, 08:16:07 PM
I can't even get OneDrive access!  :XD:

Ouchie!

:fail2: