Make sure you are in the "Network Connect split tunneling policies" and not "Network Connect access policies". The potential actions should be "Allow access" and "Exclude access".
The "255.255.255.255" mask will be stripped off, since it is a host route, but you should not see the colon and asterisk after the address.
Thanks ken, I sure was on the wrong page.
I did have an ACCESS policy of icmp://*:*, tcp://*:* and udp://*:*, and while testing today I found that this was effectively enabling at least some sort of split tunneling even though split tunneling was disabled.
Is that by design? I thought the access policy was strictly the allowed access on the tunneled routes?
What is the SA version you're using? In SA 7.x versions, the split tunnel policy takes effect when split tunneling is enabled on the role.
Ok... if that is the case, then the User > Resource policies > VPN tunneling > Split tunneling networks policy will not be used. You need to enable split tunneling on the role.
I'm running into an issue with Split Tunneling as well. We have pretty much our entire 10.x.x.x network utilized in various test networks. We have a product range that uses 10.10.10.x and 10.10.20.x that we have worked around with a very likely overly complicated allow rule. The problem crops up when a contractor connected to our network and they used the network range 10.60.100.0/24. I changed our Test Allow rule to a Detailed rule, then denied that range for the contractor role, then allowed the networks for all roles. This isn't working though. Can anyone point out where I went wrong? Also, if I understand this, I can change the Test policy to use the resource 10.0.0.0/8 and let the detailed rule allow statement handle the mishmash of 10.x.x.x networks that should come across the tunnel.
SA4500 v7.2 r3
The role is set to use Junos Pulse
Split tunneling is allowed.
Route Precedence is set to Tunnel Route
Split Tunnel Resource Policy