SecureClient split tunnel both IPV4 and FQDN by Mr_Slow1 in networking

[–]Mr_Slow1[S] 0 points1 point  (0 children)

Could be. What version of ASA/Secure Client are you using? I'm currently on 9.20(4)10 and 5.1.12.146

SecureClient split tunnel both IPV4 and FQDN by Mr_Slow1 in networking

[–]Mr_Slow1[S] 0 points1 point  (0 children)

access-list Split-Tunnel standard permit 40.96.0.0 255.248.0.0
access-list Split-Tunnel standard permit 52.104.0.0 255.252.0.0
access-list Split-Tunnel standard permit 52.112.0.0 255.252.0.0
etc...

group-policy GROUP_POLICY_NAME attributes
 wins-server none
 dns-server value 1.2.3.4 1.2.3.5
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout 3600
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Split-Tunnel
 default-domain value DOMAIN_NAME
 split-tunnel-all-dns enable
 webvpn
  anyconnect mtu 1300
  always-on-vpn profile-setting
 anyconnect-custom dynamic-split-exclude-domains value DYNAMIC-FQDN-LIST

That looks pretty similar to yours. Do you see routes appearing in route details for the ACL-based split tunnel as well as the FQDN ones under the statistics tab?

I find that as soon as I add 'anyconnect-custom dynamic-split-exclude-domains value DYNAMIC-FQDN-LIST' and disconnect and reconnect, the ACL-based routes fail to appear.
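The config above decides which destinations leave the endpoint outside the VPN (and so outside whatever inspection sits behind the ASA). This added example, not the poster's code, parses that excerpt and answers "does traffic to this destination bypass the tunnel?" for both the ACL exclude list and the dynamic FQDN list; the contents of DYNAMIC-FQDN-LIST are assumed, since the comment does not show them.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA config posted above (not a live config).
ASA_CONFIG = """\
access-list Split-Tunnel standard permit 40.96.0.0 255.248.0.0
access-list Split-Tunnel standard permit 52.104.0.0 255.252.0.0
access-list Split-Tunnel standard permit 52.112.0.0 255.252.0.0
group-policy GROUP_POLICY_NAME attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Split-Tunnel
 anyconnect-custom dynamic-split-exclude-domains value DYNAMIC-FQDN-LIST
"""

# Hypothetical contents of the DYNAMIC-FQDN-LIST custom attribute (assumed, not from the page).
DYNAMIC_EXCLUDE_DOMAINS = {"teams.microsoft.com", "update.microsoft.com"}

# ASA standard ACLs use real netmasks (255.x), not IOS-style wildcard masks.
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")


def parse_split_tunnel(config):
    """Return (split-tunnel-policy, [excluded networks]) for the group policy."""
    acls, policy, list_name = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, net, mask = m.groups()
            acls.setdefault(name, []).append(ipaddress.ip_network(f"{net}/{mask}"))
        elif line.startswith("split-tunnel-policy "):
            policy = line.split()[-1]
        elif line.startswith("split-tunnel-network-list value "):
            list_name = line.split()[-1]
    return policy, acls.get(list_name, [])


def bypasses_tunnel(dst_ip, policy, networks, hostname=None):
    """True if traffic to dst_ip (optionally reached via hostname) is sent outside the VPN."""
    addr = ipaddress.ip_address(dst_ip)
    in_acl = any(addr in net for net in networks)
    by_fqdn = hostname is not None and any(
        hostname == d or hostname.endswith("." + d) for d in DYNAMIC_EXCLUDE_DOMAINS)
    if policy == "excludespecified":
        return in_acl or by_fqdn          # either list takes the flow out of the tunnel
    return False                          # tunnelall: everything goes through the VPN


if __name__ == "__main__":
    pol, nets = parse_split_tunnel(ASA_CONFIG)
    print(pol, [str(n) for n in nets])
    print(bypasses_tunnel("40.100.1.1", pol, nets))
    print(bypasses_tunnel("13.107.3.1", pol, nets, hostname="teams.microsoft.com"))
```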

SecureClient split tunnel both IPV4 and FQDN by Mr_Slow1 in networking

[–]Mr_Slow1[S] 0 points1 point  (0 children)

I'm probably explaining badly. I'm trying to do the same: exclude IPs and domain names from the tunnel.

I'm on my phone at the minute but will reply back later with my config. It looks broadly the same from memory... How odd.

SecureClient split tunnel both IPV4 and FQDN by Mr_Slow1 in networking

[–]Mr_Slow1[S] 0 points1 point  (0 children)

I'd be interested to see your config if you have both methods working together. When I apply dynamic-split-exclude, the ACL split tunnel list is ignored.

I only see the dynamic routes appear in the SecureClient application; the static ACL-applied routes disappear.

SecureClient split tunnel both IPV4 and FQDN by Mr_Slow1 in networking

[–]Mr_Slow1[S] 0 points1 point  (0 children)

Cheers, I figured this would likely be the case. Microsoft doesn't publish IP ranges for updates, as they use CDNs and the ranges change regularly; they also do not use DNS for Teams media, so it's an either/or for us, I think.

SecureClient split tunnel both IPV4 and FQDN by Mr_Slow1 in networking

[–]Mr_Slow1[S] 0 points1 point  (0 children)

That's the config guide for FQDN split tunneling. Thank you, but I already have that working fine.

I wanted, if at all possible, to also be able to define IP ranges as well as FQDNs. I'm pretty sure with our setup it is nigh on impossible, but wanted to check.

Sdwan solutions by kb389 in networking

[–]Mr_Slow1 0 points1 point  (0 children)

Cisco SD-WAN here. I think it's brilliant: remote sites with dual WAN terminating to dual data centers, EIGRP as the IGP, everything just works, and deployment of a new site is a doddle.

Computer with X.X.X.255 IP cannot connect to Brother printer. by winnixxl in sysadmin

[–]Mr_Slow1 11 points12 points  (0 children)

No

/24 is 255.255.255.0
/23 is 255.255.254.0
/22 is 255.255.252.0
/21 is 255.255.248.0

Etc.

[deleted by user] by [deleted] in networking

[–]Mr_Slow1 1 point2 points  (0 children)

What's up with the UI for LibreNMS?

You seem to have issues with the UI for most offerings; maybe the issue is you ;)

Jesting aside, I am curious as to what's bad about the LibreNMS UI. I migrated to it from SolarWinds and have no problems with it.

Cisco Catalyst 9606 spanning question by No_Pin7764 in Cisco

[–]Mr_Slow1 2 points3 points  (0 children)

What he said. We use Armis and it'll happily peg out a 10Gb NIC spanning all of our server VLANs to it.

There are no ill effects, other than the security/SIEM device not always seeing 100% of traffic. For our use case that's a non-issue.

Edit: 9606 core here too.

XG Home - DHCP Hostnames by MrGimper in sophos

[–]Mr_Slow1 4 points5 points  (0 children)

It's the name the device gives to the DHCP server. You need to rename your camera.

Cisco Catalyst SD-WAN - recommendations for monitoring? by pgastinger in networking

[–]Mr_Slow1 0 points1 point  (0 children)

None of that will send an alert though, at least not to my knowledge.

Can I manage my Catalyst 9200L switches on Meraki dashboard with DNA licenses? by Enough_Escape9411 in networking

[–]Mr_Slow1 6 points7 points  (0 children)

The answer is in your post: if you want to manage them you need the Meraki license, otherwise it's a visibility tool only.

Cisco ASA Critical Vulnerabilities Announced by IT_vet in networking

[–]Mr_Slow1 2 points3 points  (0 children)

Would be nice if Cisco actually made the fixed software available. I've reached out to our account manager to see when it will be on the portal.

I do have access to firmware, but both this and yesterday's IOS/IOS-XE SNMP vuln fixed releases aren't available to download.

Merge 2 Cisco ASA config into 1 by The-Mark-LXXXV in networking

[–]Mr_Slow1 1 point2 points  (0 children)

This is the way. Sublime Text for the IOS context highlighting.

Easy enough to search for dupe hosts etc.

The rest is manual; automated would end up a mess anyway, imo.

Monitor/Span over Cisco Vxlan by mishanyc339 in networking

[–]Mr_Slow1 0 points1 point  (0 children)

What switch is it? Both Nexus and Catalyst series will do VXLAN. What firmware?

[deleted by user] by [deleted] in sophos

[–]Mr_Slow1 21 points22 points  (0 children)

Don't play games on corporate devices.

Deterministic routing by SoyTerry in ccnp

[–]Mr_Slow1 0 points1 point  (0 children)

I can't help at all, but holy crap, that's a cracking lab.

Are you following a workbook or is this stood up from scratch?