Consider a VPN client such as Palo Alto GlobalProtect doing split tunneling with include access routes of 10.4.0.0/16, 10.5.0.0/16 and 10.6.0.0/16. The client's Windows route table looks like this, as expected:
    C:\Users\harold>route print

    IPv4 Route Table
    =======================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
             10.4.0.0      255.255.0.0         On-link       10.4.1.205       1
             10.5.0.0      255.255.0.0         On-link       10.4.1.205       1
             10.6.0.0      255.255.0.0         On-link       10.4.1.205       1
The user then connects to an AnyConnect VPN with a split-tunnel include of 10.0.0.0/8. Something rather funny happens!
    C:\Users\harold>route print

    IPv4 Route Table
    =======================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
             10.4.0.0      255.255.0.0         On-link       10.4.1.205       1
             10.4.0.0      255.255.0.0        10.8.2.1        10.8.2.27       2
             10.5.0.0      255.255.0.0         On-link       10.4.1.205       1
             10.5.0.0      255.255.0.0        10.8.2.1        10.8.2.27       2
             10.6.0.0      255.255.0.0         On-link       10.4.1.205       1
             10.6.0.0      255.255.0.0        10.8.2.1        10.8.2.27       2
AnyConnect has created duplicate routes…for prefixes that were never in its own include list. The 10.4.0.0/16, 10.5.0.0/16 and 10.6.0.0/16 entries belong to GlobalProtect; AnyConnect has simply copied each one with its own gateway (10.8.2.1) and interface (10.8.2.27). Windows breaks a tie between equally specific routes on metric, and since the copies carry the higher value (2 vs. 1) the on-link GlobalProtect routes keep winning and the AnyConnect copies are never used. So, no harm no foul, I guess?
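To make the tiebreak concrete, here is a small model of the Windows route selection (longest matching prefix first, lowest metric among equals) run over the rows from the second route print above. This is an added example, not code from the original post or from either VPN vendor; the 10.0.0.0/8 entry for the AnyConnect include is an assumption, since the post mentions the include but the excerpt does not show that row, and the interface-metric bump at the end is a hypothetical to show what the tie actually depends on.

```python
"""Model of how Windows picks among the routes shown above.

Added example, not from the original post.  The ROUTE_PRINT_ROWS are the
six rows from the second `route print`; ASSUMED_ANYCONNECT_INCLUDE is an
assumed 10.0.0.0/8 row for the AnyConnect split-tunnel include, which the
excerpt does not show.  Selection rule: longest matching prefix, then lowest
metric among equally specific routes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    gateway: str    # "On-link" or the next-hop address, as route print shows it
    interface: str  # local interface address, as route print shows it
    metric: int


def parse_route(line: str) -> Route:
    """Parse one 'Active Routes' row: destination netmask gateway interface metric."""
    dest, mask, gateway, interface, metric = line.split()
    # IPv4Network accepts dotted netmask notation, e.g. 10.4.0.0/255.255.0.0
    return Route(IPv4Network(f"{dest}/{mask}"), gateway, interface, int(metric))


# Rows transcribed from the route print output after AnyConnect connected.
ROUTE_PRINT_ROWS = """
10.4.0.0 255.255.0.0 On-link 10.4.1.205 1
10.4.0.0 255.255.0.0 10.8.2.1 10.8.2.27 2
10.5.0.0 255.255.0.0 On-link 10.4.1.205 1
10.5.0.0 255.255.0.0 10.8.2.1 10.8.2.27 2
10.6.0.0 255.255.0.0 On-link 10.4.1.205 1
10.6.0.0 255.255.0.0 10.8.2.1 10.8.2.27 2
""".strip().splitlines()

# Assumed row: AnyConnect's own 10.0.0.0/8 include, not visible in the excerpt.
ASSUMED_ANYCONNECT_INCLUDE = "10.0.0.0 255.0.0.0 10.8.2.1 10.8.2.27 2"

TABLE: List[Route] = [parse_route(r) for r in ROUTE_PRINT_ROWS + [ASSUMED_ANYCONNECT_INCLUDE]]


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match, then lowest metric: the tiebreak the post relies on."""
    addr = IPv4Address(destination)
    candidates = [r for r in table if addr in r.dest]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dest.prefixlen, r.metric))


def egress_interface(table: List[Route], destination: str) -> Optional[str]:
    """Which local interface the packet leaves on, or None if nothing matches."""
    route = select_route(table, destination)
    return route.interface if route else None


def with_interface_metric(table: List[Route], interface: str, delta: int) -> List[Route]:
    """Hypothetical: add `delta` to every route on `interface`, as a change to that
    adapter's interface metric would.  Shows how fragile the metric tiebreak is."""
    return [
        Route(r.dest, r.gateway, r.interface, r.metric + delta) if r.interface == interface else r
        for r in table
    ]


if __name__ == "__main__":
    for dst in ("10.4.1.50", "10.6.200.9", "10.9.0.1"):
        print(dst, "->", select_route(TABLE, dst))
    # Raise the GlobalProtect adapter's metric and the same destination flips tunnels.
    bumped = with_interface_metric(TABLE, "10.4.1.205", 5)
    print("10.4.1.50 after GP metric +5 ->", select_route(bumped, "10.4.1.50"))
```

With the table as shown, 10.4.1.50 and 10.6.200.9 still leave via the GlobalProtect adapter (10.4.1.205) because the on-link routes win on metric; only something outside the three /16s, like 10.9.0.1, falls through to the assumed AnyConnect /8. The last step is the caveat worth keeping in mind: the duplicates are inert only because of a one-point metric difference, so anything that raises the GlobalProtect adapter's interface metric silently moves that traffic into the AnyConnect tunnel. On a real host, `Find-NetRoute -RemoteIPAddress 10.4.1.50` in PowerShell shows which entry Windows actually picked.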
Different story on Mac though…hmmm