Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

Windows 7+
Tunnel-all configuration (and split-tunneling with tunnel-all DNS enabled)
Pre AnyConnect 4.2:
Only DNS requests to DNS servers configured under the group-policy (tunnel DNS servers)
are allowed. The AnyConnect driver responds to all other requests with a 'no such name'
response. As a result, DNS resolution can only be performed using the tunnel DNS servers.
AnyConnect 4.2+:
DNS requests to any DNS servers are allowed, as long as they originate from the VPN
adapter and are sent across the tunnel. All other requests are answered with a 'no such name'
response, and DNS resolution can only be performed via the VPN tunnel.
Prior to 
 fix, AC restricts the target DNS servers, however with the fix for 
, it restricts which network adapters can initiate DNS requests.
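The two tunnel-all policies above differ in what the driver inspects: before 4.2 the destination DNS server, from 4.2 the originating adapter and path. The following model is an added example written for this page, not Cisco code; the adapter labels, server addresses and the `DnsQuery` structure are constructed assumptions, and the decision functions only encode the rules as the text states them.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed tunnel DNS servers, as they would appear under the group-policy.
TUNNEL_DNS_SERVERS = ("10.10.0.53", "10.10.1.53")
VPN_ADAPTER = "vpn"  # assumed label for the AnyConnect virtual adapter


@dataclass(frozen=True)
class DnsQuery:
    src_adapter: str   # adapter the query originates from ("vpn", "wifi", ...)
    dst_server: str    # destination DNS server address
    via_tunnel: bool   # whether the packet is sent across the VPN tunnel


def pre_42_allows(query, tunnel_dns_servers=TUNNEL_DNS_SERVERS):
    """Pre-4.2 tunnel-all: only queries addressed to a tunnel DNS server pass."""
    allowed = {ip_address(s) for s in tunnel_dns_servers}
    return ip_address(query.dst_server) in allowed


def post_42_allows(query, vpn_adapter=VPN_ADAPTER):
    """4.2+ tunnel-all: any server is fine, but the query must originate from the
    VPN adapter and travel across the tunnel."""
    return query.src_adapter == vpn_adapter and query.via_tunnel


def driver_response(query, version, tunnel_dns_servers=TUNNEL_DNS_SERVERS):
    """Return 'forward' if the driver lets the query through, otherwise the
    'no such name' answer the text describes. version is a (major, minor) tuple."""
    if version < (4, 2):
        allowed = pre_42_allows(query, tunnel_dns_servers)
    else:
        allowed = post_42_allows(query)
    return "forward" if allowed else "no such name"


def compare_versions(query):
    """Side-by-side decision for one query under both policies."""
    return {
        "pre-4.2": driver_response(query, (4, 1)),
        "4.2+": driver_response(query, (4, 2)),
    }


if __name__ == "__main__":
    # Constructed sample queries covering the cases that differ between versions.
    samples = [
        DnsQuery("vpn", "10.10.0.53", True),   # tunnel DNS over the tunnel
        DnsQuery("vpn", "8.8.8.8", True),      # public DNS, but via the VPN adapter
        DnsQuery("wifi", "10.10.0.53", False), # tunnel DNS, but from the physical adapter
        DnsQuery("wifi", "8.8.8.8", False),    # public DNS from the physical adapter
    ]
    for q in samples:
        print(q, compare_versions(q))
```

The second and third samples are the interesting ones: a query to a public resolver is blocked pre-4.2 but allowed in 4.2+ because it is bound to the VPN adapter, while a query to the tunnel DNS server from the physical adapter is allowed pre-4.2 (the server is an approved target) but refused in 4.2+ (wrong adapter), which is exactly the shift from target-based to adapter-based restriction the paragraph describes.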
Split-include configuration (tunnel-all DNS disabled and no split-DNS)
AnyConnect driver does not interfere with the native DNS resolver. Therefore, DNS resolution is
performed based on the order of network adapters, and AnyConnect is always the preferred
adapter when VPN is connected. So a DNS query will be first sent via the tunnel and if it does not
get resolved, the resolver will attempt to resolve it via the public interface. The split-include
access-list will have to include the subnet covering the Tunnel DNS server(s). Starting with
AnyConnect 4.2, host routes for the Tunnel DNS server(s) are automatically added as split-include
networks (secure routes) by the AnyConnect client, and therefore the split-include access-list no
longer requires explicit addition of the tunnel DNS server subnet.
Split-exclude configuration (tunnel-all DNS disabled and no split-DNS)
AnyConnect driver does not interfere with the native DNS resolver. Therefore, DNS resolution is
performed based on the order of network adapters, and AnyConnect is always the preferred
adapter when VPN is connected. So a DNS query will be first sent via the tunnel and if it does not
get resolved, the resolver will attempt to resolve it via the public interface. The split-exclude
access-list should not include the subnet covering the Tunnel DNS server(s). Starting with
AnyConnect 4.2, host routes for the Tunnel DNS server(s) are automatically added as split-include
networks (secure routes) by the AnyConnect client, and therefore that will
prevent misconfiguration in the split-exclude access-list.
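Both the split-include and split-exclude sections turn on one question: after the access-list and, from 4.2, the automatically added host routes are applied, is the tunnel DNS server reachable through the tunnel? The following audit script is an added example for this page, not Cisco code. It models the client's routing decision as longest-prefix match over a table of secure and non-secure entries; the addresses, access-lists and the tie-breaking rule (a secure host route wins over an equally specific exclude) are constructed assumptions.

```python
from ipaddress import ip_address, ip_network


def build_route_table(mode, acl, tunnel_dns_servers, version):
    """Model the effective routing policy as (network, secure) entries.

    mode: "split-include" or "split-exclude"
    acl:  the split access-list networks, as strings
    version: AnyConnect version as a (major, minor) tuple
    """
    if mode == "split-include":
        # Default: everything goes to the public interface; ACL entries are secured.
        table = [(ip_network("0.0.0.0/0"), False)]
        table += [(ip_network(n), True) for n in acl]
    elif mode == "split-exclude":
        # Default: everything is tunnelled; ACL entries bypass the tunnel.
        table = [(ip_network("0.0.0.0/0"), True)]
        table += [(ip_network(n), False) for n in acl]
    else:
        raise ValueError(f"unknown split mode: {mode}")
    if version >= (4, 2):
        # 4.2+: host routes for the tunnel DNS servers are added as secure routes.
        table += [(ip_network(f"{ip_address(s)}/32"), True) for s in tunnel_dns_servers]
    return table


def routed_securely(address, table):
    """Longest-prefix match; on equal prefix length a secure entry wins (assumption)."""
    ip = ip_address(address)
    matches = [(net, secure) for net, secure in table if ip in net]
    _, secure = max(matches, key=lambda entry: (entry[0].prefixlen, entry[1]))
    return secure


def audit_tunnel_dns(mode, acl, tunnel_dns_servers, version):
    """Map each tunnel DNS server to True if it is reachable via the tunnel."""
    table = build_route_table(mode, acl, tunnel_dns_servers, version)
    return {server: routed_securely(server, table) for server in tunnel_dns_servers}


if __name__ == "__main__":
    # Constructed group-policy: two tunnel DNS servers, one outside the split-include ACL.
    dns = ["10.1.1.5", "192.168.50.10"]
    for version in [(4, 1), (4, 2)]:
        print(version, "split-include", audit_tunnel_dns("split-include", ["10.0.0.0/8"], dns, version))
        # Constructed split-exclude ACL that mistakenly covers the second DNS server.
        print(version, "split-exclude", audit_tunnel_dns("split-exclude", ["192.168.0.0/16"], dns, version))
```

Run against a pre-4.2 version, the audit flags `192.168.50.10` as unreachable through the tunnel in both configurations (not covered by the split-include list, and covered by the split-exclude list); from 4.2 the automatically added `/32` secure routes mask both mistakes, which is the behaviour the two sections describe.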
Split-DNS (tunnel-all DNS disabled, split-include configured)
Pre AnyConnect 4.2