AnyConnect - Windows won't connect but our MAC's will

Solved
TroyV
Here to help

AnyConnect - Windows won't connect but our MAC's will

We have a setup with AnyConnect and split tunneling so I know that there is some service getting blocked, but can't seem to find which one. This is coming from China so we have an SDN provider that creates us a tunnel so our users can use Google and their services amongst other programs. We have this working for all of our MAC computers and have recently been introducing Windows into the environment but I am unable to get the Windows computer to connect while using split tunneling. If I send all traffic through the tunnel then it works, but if I split it with our current allow list, it won't work. 

 

I ran a Wireshark capture but it isn't telling me much or I am not seeing something that is there. Has someone come across this issue and had to whitelist/allow certain services through the tunnel in order for their Windows devices to be able to connect.

 

*Whitelist/allow - Both Client Routing & Dynamic Client Routing are active.

1 Accepted Solution
TroyV
Here to help

We ended up finding out the issue. The problem was caused by Chinese Characters in the Log-in Banner. When we removed some special characters the issue went away and users where now able to log into AnyConnect on their Windows devices.

 

Thank you to those that responded. We did test DNS but that didn't resolve the issue, somewhat shocking, because it normally is DNS. I also didn't feel comfortable posting certain logs as they would show critical information. I could have blurred information but knowing my luck it would have been information necessary to troubleshoot. Thanks again everyone!

View solution in original post

3 Replies 3
KarstenI
Kind of a big deal
Kind of a big deal

Can you post your Split-Tunneling list?

Perhaps there is a mistake in the syntax (like wrong mask for the network) that could show this error.

PhilipDAth
Kind of a big deal
Kind of a big deal

Here is my guess - in split tunnel mode you are sending your DNS locally (in China), and the DNS lookup is getting blocked.

 

Make sure you send the DNS query down the VPN as well.

TroyV
Here to help

We ended up finding out the issue. The problem was caused by Chinese Characters in the Log-in Banner. When we removed some special characters the issue went away and users where now able to log into AnyConnect on their Windows devices.

 

Thank you to those that responded. We did test DNS but that didn't resolve the issue, somewhat shocking, because it normally is DNS. I also didn't feel comfortable posting certain logs as they would show critical information. I could have blurred information but knowing my luck it would have been information necessary to troubleshoot. Thanks again everyone!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels