Thursday, April 9, 2020

Another Cisco AnyConnect Split Tunnel Question...(DNS Exclude)

I'm having an odd issue on one of my ASA clusters, or more likely a lack of experience/knowledge.

I tunnel all 0.0.0.0/0 traffic via the ASA. Any traffic destined for O365/SfB/Teams etc. I include in a DNS split-exclude configuration.

I also use proxy-pac files and whitelist domains to send traffic direct/local if I do not want the domain to use the internal proxies.

If connected to ASA cluster one (DC1), which currently has no DNS-exclude split tunnel configuration added, and is only using proxy pac config, it works. I can traceroute to a domain name (i.e. login.live.com) and I can see the next hop is my local router.

If connected to ASA cluster two (DC2), which has DNS-exclude split tunnel config, it does not work. I can see traffic hitting our proxy and traceroute fails.

Please note, we do not add any proxy config to the AnyConnect profiles/group policies, we just use the browser pac file to direct https to the internal proxies, unless excluded/whitelisted.

I just added DNS-Exclude split tunnel configuration to the DC1 cluster and it still works. This is the DC that was previously working without this configuration and is still working with the configuration. In short, both DCs now have the split exclude config, but only one works. I'm clearly missing something, but not sure where to look or explore.

I can't specifically understand why the traffic isn't hitting my local hop when on the DC2 AnyConnect...bit miffed.
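For reference, this is what a tunnel-all group policy with AnyConnect dynamic split exclude (the "DNS split-exclude" the post refers to) looks like on the ASA. It is an added example, not the author's actual configuration: the group-policy name, the custom-data list name and the domain list are assumed, and the two domains are constructed sample entries.

```cisco
! Declare the custom attribute type once, under webvpn
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Domains bypassing the tunnel

! Named list of domains to exclude (comma-separated, no spaces).
! List name "o365-direct" and the domains are assumed sample values.
anyconnect-custom-data dynamic-split-exclude-domains o365-direct login.live.com,outlook.office365.com

! Group policy name "GP_TUNNELALL" is assumed.
! Dynamic split exclude only has an effect when the policy is tunnel-all,
! which is the 0.0.0.0/0 setup described in the post.
group-policy GP_TUNNELALL attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value o365-direct
```

When comparing two clusters, check with `show running-config group-policy` and `show running-config anyconnect-custom-data` that the list is attached to the group policy the user actually lands in on each ASA, and that the excluded domains match the domains the PAC file returns DIRECT for; a domain that only appears in one of the two lists will still take the tunnel or still hit the proxy.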
