
Network connect split tunnelling problem

Occasional Contributor

Network connect split tunnelling problem


I have an SA 2000 for users to connect via Network Connect. I would like to use the split tunnelling feature but it doesn't work.

I'll try to use "Allow access to local subnet" but I have to add a manual route to access local network outside the tunnel.

Can you help me??

My SA version is 5.3R3



Re: Network connect split tunneling problem

The Network Connect 'allow access to the local subnet' is client side. Its local network would change for each location where Network Connect was launched. The routing should only add routes off the Internal Interface and its subnets. The only routes I've ever needed to add are ones for the subnet local to the Internal Interface on the SA.

I'm using 6.1R2 currently.


Re: Network connect split tunneling problem

Agreed with DougR above.

Check your Network Connect Split Tunneling Policies and Network Connect Connection Profiles.

You should not need to add any routes on the IVE. The IVE will route based on the NC Pool and the split-tunnel networks you have defined.

Message Edited by alan on 04-23-2008 11:34 AM
Occasional Contributor

Re: Network connect split tunneling problem


When I use the option "Allow access to local subnet" I see on my client that all the routing is directed to the Network Connect adapter.

If I manually add a static route on the client for the local subnet, all works fine.

I have checked the resources policy but it is ok.

Many thanks


New Contributor

Re: Network connect split tunnelling problem

One thing to keep in mind is that split tunnelling has a specific purpose. It is used to route certain traffic to your internal network, and force all other traffic out the user's remote ISP.

In your split tunnelling policies, you will want to add the IP addresses (or a network range) of what you want to access on the internal network with Network Connect, like: will force all 172.18 traffic through the IVE and to the internal network. It also works the same if you put in single IP addresses (one per line). Anything OUTSIDE the split tunnelling will be routed through their local ISP, bypassing the IVE entirely.

Also keep in mind that these will need to be specified in your Network Connect Access Control list with an allow policy (default policy is set to allow *:*).

Another thing I've seen happen is if you have the Network Connect DHCP network server IP address conflicting with an address on your network, this causes issues with ST - by default it's set at, and can be changed under the system > network > network connect setting.

Please give this a try and see if this helps to resolve your issue.
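
Added example, not part of any post in this thread: a small Python check that applies longest-prefix routing to a client route table and reports where it disagrees with the intended split (split-tunnel networks through the Network Connect adapter, local subnet and internet traffic outside it). The route tables, interface names `nc`/`lan`, the `/16` mask on 172.18, the 192.168.1.0/24 local subnet and the probe address are all constructed assumptions.

```python
import ipaddress

# Constructed client routing tables: (destination, interface, metric).
# "nc" stands for the Network Connect adapter, "lan" for the physical NIC.
ALL_VIA_TUNNEL = [
    ("0.0.0.0/0", "lan", 25),
    ("0.0.0.0/0", "nc", 1),          # default route captured by the tunnel
    ("192.168.1.0/24", "lan", 25),
    ("192.168.1.0/24", "nc", 1),     # local subnet captured as well
    ("172.18.0.0/16", "nc", 1),
]
SPLIT_OK = [
    ("0.0.0.0/0", "lan", 25),
    ("192.168.1.0/24", "lan", 25),
    ("172.18.0.0/16", "nc", 1),
]

def egress_interface(routes, dest):
    """Longest-prefix match; equal prefixes are decided by the lowest metric."""
    ip = ipaddress.ip_address(dest)
    best = None
    for net, iface, metric in routes:
        n = ipaddress.ip_network(net)
        if ip in n:
            key = (n.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None

def probe(net):
    """A representative address inside a network (the address itself for a /32)."""
    n = ipaddress.ip_network(net)
    return str(n[1] if n.num_addresses > 1 else n[0])

def audit_split_tunnel(routes, split_networks, local_subnet,
                       tunnel_if="nc", internet_probe="198.51.100.10"):
    """Return findings where the table disagrees with the intended split."""
    findings = []
    for net in split_networks:
        if egress_interface(routes, probe(net)) != tunnel_if:
            findings.append(f"{net} bypasses the tunnel")
    if egress_interface(routes, probe(local_subnet)) == tunnel_if:
        findings.append(f"local subnet {local_subnet} is routed into the tunnel")
    if egress_interface(routes, internet_probe) == tunnel_if:
        findings.append("internet traffic is routed into the tunnel")
    return findings

if __name__ == "__main__":
    for name, table in (("ALL_VIA_TUNNEL", ALL_VIA_TUNNEL), ("SPLIT_OK", SPLIT_OK)):
        print(name, audit_split_tunnel(table, ["172.18.0.0/16"], "192.168.1.0/24"))
```

To use it against a real client, fill the table from the client's own route listing taken while Network Connect is connected.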