Dear All,
I am finding difficulties in defining Network Connect split tunneling networks. Kindly tell me the correct way to define split tunneling routes.
What do I need to define in system->network->network connect->network connect server IP address?
And do I need to define an additional route anywhere else?
I have this kind of scenario:
SA ---(DMZ)--FW----{internal network}
Waiting for your response.
Thanks
I have set that up. You need to have a base server IP; all your NC network lies behind it. The internal network should know this base server IP and must know that the NC network is behind this IP address. This means the router or firewall attached to this IP should have a route for the NC IP pool pointing towards the base server IP.
regards,
Do not change the system->network->network connect->network connect server IP address. This is the IP address your internal network returns the NC clients' traffic to. This is not the place for split tunneling. You define the split tunnel network under
Users->Resource Policies->Network Connect Split Tunneling Policies
By default it has an IP address of 10.200.200.200; should I keep it the same and unchanged?
And in
Users->Resource Policies->Network Connect Split Tunneling Policies
I defined the network as 10.16.2.2/32. That's it?
What else do I need to do?
I too am curious as to why the 10.200.200.200? It would be helpful to understand the reasoning behind this.
We run an internal management address of 192.168.88.xxx; could we not change the 10. to our 192?
Daver109
Well, 10.200.200.200 is just a sample IP address; the recommendation is to not change it once it has been properly set up. So if 10.200.200.200 is there, you can change it according to your internal network and make sure that your whole network knows that your Network Connect IP space is behind this IP address.
And Fahad, that should be it. You will probably have to define ACLs to make sure users are allowed to access that subnet, but other than the split-tunneled networks you have defined, everything else will go out to the user's default gateway and not the tunnel gateway.
Dear mrKool,
Thanks for your reply.
Please kindly elaborate a little more. You mean that I need to add a route on my internal network devices like
ip route <subnet of pool for NC> via <gateway = 10.200.200.200>
I mean, this is how they will know that my NC user is behind 10.200.200.200, right?
Kindly help me out with the exact configuration for defining split tunneling networks, as I am having difficulties with it.
Guide me towards a better guide book as well, or describe a test scenario here.
Thanks a lot.
Based on his information I just gave it an IP address from our internal 192.168.x.x and everything continued to work.
Hope that helps.
So, you are saying that a route on the internal network should lead packets towards the NC client IP range through the NC Base Server IP address. If that is the case, how is this possible on a 3 node active/active cluster where the nodes are in 3 separate data centers and the NC Base Server IP address is common to all 3 cluster nodes?
@nfawcett wrote:
So, you are saying that a route on the internal network should lead packets towards the NC client IP range through the NC Base Server IP address. If that is the case, how is this possible on a 3 node active/active cluster where the nodes are in 3 separate data centers and the NC Base Server IP address is common to all 3 cluster nodes?
The route on the internal network needs to point to the internal port of the node that is hosting that IP range.
Each device will need to have its own unique range that it will assign.
The base server IP needs to not be routable on the network.
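The routing advice in the last reply (one NC pool per cluster node, internal routes pointing at each node's internal port, base server IP not routable internally) is easy to get wrong on paper, so here is an added sanity-check script that is not part of this thread or of the Juniper product. All subnets, node names and addresses below are constructed sample values; the "ip route ... via ..." output follows the notation used earlier in the thread.

```python
import ipaddress

# Constructed sample values; node names, pools and addresses are assumptions.
INTERNAL_NETS = ["192.168.88.0/24", "10.16.2.0/24"]   # routable internal subnets
BASE_SERVER_IP = "10.200.200.200"                    # NC base server IP (from the thread)
SPLIT_TUNNEL_NETS = ["10.16.2.2/32"]                 # networks that must go through the tunnel
NODES = {                                            # node -> (NC IP pool, node internal port)
    "sa-dc1": ("172.16.10.0/24", "192.168.88.11"),
    "sa-dc2": ("172.16.11.0/24", "192.168.88.12"),
    "sa-dc3": ("172.16.12.0/24", "192.168.88.13"),
}


def check_plan(internal_nets, base_server_ip, nodes, split_nets):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    base = ipaddress.ip_address(base_server_ip)
    pools = {name: ipaddress.ip_network(pool) for name, (pool, _) in nodes.items()}
    # 1. The base server IP must not sit inside a routable internal subnet.
    for net in internal:
        if base in net:
            problems.append(f"base server IP {base} is routable inside {net}")
    # 2. Each node needs its own NC pool; pools must not overlap each other...
    names = sorted(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools[a].overlaps(pools[b]):
                problems.append(f"pools of {a} and {b} overlap")
    # ... nor collide with an existing internal subnet.
    for name, pool in pools.items():
        for net in internal:
            if pool.overlaps(net):
                problems.append(f"pool of {name} overlaps internal subnet {net}")
    # 3. Every split-tunnel network must actually live on the internal side,
    #    otherwise clients send that traffic into the tunnel with nowhere to go.
    for s in split_nets:
        sn = ipaddress.ip_network(s)
        if not any(sn.subnet_of(net) for net in internal):
            problems.append(f"split-tunnel network {sn} is not inside any internal subnet")
    return problems


def static_routes(nodes):
    """Routes the internal routers need: one per NC pool, next hop = that node's internal port."""
    return [f"ip route {ipaddress.ip_network(pool)} via {next_hop}"
            for pool, next_hop in (nodes[n] for n in sorted(nodes))]
```

Run `check_plan(INTERNAL_NETS, BASE_SERVER_IP, NODES, SPLIT_TUNNEL_NETS)` before touching the routers; an empty list means the three conditions from the thread hold, and `static_routes(NODES)` then lists the per-pool routes to add.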