Cisco ASA 5555-X Adaptive Security Appliance - No Payload Encryption
© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 14 of 16
Both the split-tunnel policy and the VPN filter are configured per group policy, so the VPN administrator can apply
different policies to different VPN groups.
Split-Exclude Policy
Some organizations may not find it practical to enumerate every subnet that a split-include policy would require.
Instead, they can use a split-exclude policy to keep known traffic off the VPN tunnel. For example, an
organization concerned about bandwidth could add the destination subnets for Netflix, Hulu, YouTube, and others
to its split-exclude list (Figure 8).
Figure 8. Split-Exclude Policy
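The following example models the split-tunnel decision the two sections above describe: a per-group policy in tunnel-all, split-include, or split-exclude mode decides whether a destination goes through the tunnel, and a per-group VPN filter (a first-match access list with an implicit deny at the end) is then applied only to tunneled traffic. It is an added illustration written for this page, not Cisco code and not how the ASA implements the feature internally; the group names, the RFC 5737 documentation prefixes standing in for the streaming services named in the text, and the filter rules are all constructed.

```python
"""Split-tunnel and VPN-filter decision model (added example, not Cisco code).

Three split-tunnel modes are modelled:
  tunnelall - every destination uses the tunnel
  include   - only destinations in the listed subnets use the tunnel
  exclude   - every destination except the listed subnets uses the tunnel
Tunneled traffic is then checked against the group's VPN filter; traffic that
bypasses the tunnel is never seen by the filter (simplifying assumption).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FilterRule:
    action: str                 # "permit" or "deny"
    destination: str            # CIDR prefix the rule matches
    port: Optional[int] = None  # None matches any destination port


@dataclass
class GroupPolicy:
    split_mode: str                              # "tunnelall" | "include" | "exclude"
    split_networks: List[str] = field(default_factory=list)
    vpn_filter: List[FilterRule] = field(default_factory=list)

    def __post_init__(self):
        if self.split_mode not in ("tunnelall", "include", "exclude"):
            raise ValueError(f"unknown split-tunnel mode: {self.split_mode}")
        # strict=False tolerates host bits in a prefix such as 10.1.2.3/8
        self._nets = [ipaddress.ip_network(n, strict=False) for n in self.split_networks]

    def is_tunneled(self, destination: str) -> bool:
        dst = ipaddress.ip_address(destination)
        listed = any(dst in net for net in self._nets)
        if self.split_mode == "tunnelall":
            return True
        if self.split_mode == "include":
            return listed
        return not listed  # exclude: listed subnets bypass the tunnel

    def filter_action(self, destination: str, port: int) -> str:
        """First matching rule wins; no match falls through to the implicit deny."""
        dst = ipaddress.ip_address(destination)
        for rule in self.vpn_filter:
            if dst in ipaddress.ip_network(rule.destination, strict=False) and \
                    (rule.port is None or rule.port == port):
                return rule.action
        return "deny"


# Constructed per-group policies; 198.51.100.0/24 and 203.0.113.0/24 stand in
# for the streaming-service subnets an administrator would put on the exclude list.
GROUP_POLICIES = {
    "Employees": GroupPolicy(
        "exclude", ["198.51.100.0/24", "203.0.113.0/24"],
        vpn_filter=[FilterRule("permit", "10.0.0.0/8", 443),
                    FilterRule("deny", "10.0.0.0/8", 23),
                    FilterRule("permit", "10.0.0.0/8")]),
    "Contractors": GroupPolicy(
        "include", ["10.10.0.0/16"],
        vpn_filter=[FilterRule("permit", "10.10.5.0/24", 443)]),
    "Admins": GroupPolicy("tunnelall"),
}


def decide(group: str, destination: str, port: int) -> str:
    """Return 'direct', 'tunnel-permit', or 'tunnel-deny' for one flow."""
    policy = GROUP_POLICIES[group]
    if not policy.is_tunneled(destination):
        return "direct"
    # tunnel-all groups with no filter configured are not restricted
    if not policy.vpn_filter:
        return "tunnel-permit"
    return "tunnel-" + policy.filter_action(destination, port)


if __name__ == "__main__":
    flows = [("Employees", "198.51.100.7", 443), ("Employees", "10.1.2.3", 23),
             ("Employees", "10.1.2.3", 443), ("Contractors", "10.10.5.9", 443),
             ("Contractors", "10.10.7.9", 443), ("Contractors", "192.0.2.10", 443),
             ("Admins", "198.51.100.7", 443)]
    for group, dst, port in flows:
        print(f"{group:11s} {dst:15s} :{port:<4d} -> {decide(group, dst, port)}")
```

Running the block prints one line per constructed flow; note how the same destination (198.51.100.7) bypasses the tunnel for the Employees group but is tunneled for Admins, because the policy, not the destination, decides.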
Troubleshooting Common Errors
Certificate Authentication Failures
Ensure that
1. The certificate is still valid and the CA server has not revoked the certificate.
2. The correct VPN connection profile is used for authentication.
3. The Key Usage of the certificate is set to TLS Web Client Authentication.
SCEP Enrollment Failures
Ensure that
1. The CA server is configured to automatically grant the certificate.
2. The clock skew between the ASA and the CA server is less than 30 seconds.
3. The CA server enrollment URL is reachable over the VPN tunnel.