SplitTunnel with Cisco AnyConnect

How per-app routing works alongside AnyConnect on macOS

SplitTunnel Team·7 min read·Updated January 2026

Key Takeaways

  • SplitTunnel works alongside AnyConnect in VPN-only mode without modifying its configuration

  • Not compatible when Cisco Secure Client deploys a SASE system extension via MDM

  • Apps routed through VPN get the same AnyConnect protection as before

Cisco AnyConnect has been replaced by Cisco Secure Client in many enterprise deployments. Cisco Secure Client can operate in two modes: VPN-only (compatible with SplitTunnel) and SASE mode with a system extension deployed via MDM (not compatible). If your organization uses Cisco Secure Client with a managed system extension, SplitTunnel will display a red error banner indicating the conflict. See the compatibility section below to check which mode you're using.

How SplitTunnel Works with AnyConnect

Cisco AnyConnect creates a VPN tunnel between your Mac and your corporate network. SplitTunnel operates at a different layer of the macOS networking stack, managing which applications send traffic through that tunnel and which connect directly over your physical interface.

The two work independently. AnyConnect manages the tunnel itself — encryption, authentication, and the secure connection to your corporate network. SplitTunnel manages per-app routing decisions at the OS level.

What Per-App Routing Means

Traditional VPN routing works at the network level — all traffic to certain IP ranges goes through the tunnel. Per-app routing works at the application level — you choose which apps use VPN and which connect directly.

  • Apps routed through VPN get full AnyConnect tunnel protection

  • Apps routed direct connect over your physical network interface

  • AnyConnect stays connected and unmodified throughout

  • Routing rules persist across VPN reconnections

How It Works

SplitTunnel runs as an approved macOS system extension, giving it the ability to manage per-app routing without modifying your VPN connection.

  • Runs as a macOS system extension (not a kernel extension)

  • Requires explicit user permission to install

  • Manages routing decisions per application

  • Does not inspect, log, or modify packet contents

SplitTunnel never modifies your AnyConnect configuration, certificates, or connection settings. It operates separately from your VPN client.

Setting Up SplitTunnel with AnyConnect

  1. Install SplitTunnel and grant the system permission when prompted

  2. Connect to AnyConnect as you normally would

  3. Open SplitTunnel from the menu bar and set routing rules for your apps

  4. Apps route according to your rules — VPN or direct

Example Configuration

Route Through VPN

  • Slack

  • Microsoft Teams

  • Work email client

  • Browsers used for internal tools

  • Corporate applications

Route Direct

  • Spotify, Apple Music

  • Netflix, YouTube

  • Personal browser

  • FaceTime, personal video calls

Verifying the Setup

  1. Confirm AnyConnect shows Connected in its status

  2. Open SplitTunnel and check app routing status

  3. Test a work app — should reach internal resources normally

  4. Test a direct app — should reflect your physical connection speed

  5. Confirm AnyConnect remains connected throughout

VPN-Only vs SASE Mode

Cisco Secure Client (formerly AnyConnect) can operate in two distinct modes. SplitTunnel is only compatible with VPN-only mode.

VPN-Only Mode (Compatible)

In VPN-only mode, AnyConnect creates a standard VPN tunnel interface. SplitTunnel works alongside it the same way it works with any VPN client.

SASE Mode with System Extension (Not Compatible)

In newer enterprise deployments, Cisco Secure Client installs a macOS system extension via MDM to inspect and control all network traffic. Because this extension is deployed by your IT department through a managed profile, it takes priority over SplitTunnel — making the two incompatible.

How to Check Which Mode You're Using

  1. Open System Settings → General → Login Items & Extensions

  2. Look for "Network Extensions" or "System Extensions"

  3. If you see a Cisco Secure Client system extension listed and enabled, your organization is using SASE mode — SplitTunnel will not be able to route traffic

  4. If no Cisco system extension is listed, you're using VPN-only mode and SplitTunnel will work normally

If SplitTunnel detects an active Cisco Secure Client system extension, it will display a red error banner in the app indicating the conflict. This is a hard limitation of macOS — MDM-deployed extensions always take priority over user-installed ones.
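
The same check can be run from Terminal. The script below is an added example, not SplitTunnel's or Cisco's own code: it applies the rule from the steps above to `systemextensionsctl list` output. The row layout it parses is an assumption, and the sample listings with their team and bundle IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: applies the page's rule to `systemextensionsctl list` output.
# Assumption: extension rows are tab-separated (enabled, active, teamID,
# bundleID (version), name, [state]) under "--- <category>" header lines.

# Reads a listing on stdin; prints "<category>\t<bundle>\t<name>" for each
# Cisco extension whose state is "[activated enabled]".
cisco_extensions() {
    awk -F '\t' '
        /^--- / { category = substr($0, 5); next }
        NF >= 6 && tolower($0) ~ /cisco/ && /\[activated enabled\]/ {
            print category "\t" $4 "\t" $5
        }'
}

# Prints "sase" if an enabled Cisco extension is listed, else "vpn-only".
cisco_mode() {
    if [ -n "$(cisco_extensions)" ]; then echo sase; else echo vpn-only; fi
}

# Constructed sample listings; team IDs and bundle IDs are placeholders.
sample_header() {
    printf '%s\n' '2 extension(s)' \
        '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
}
sample_sase() {
    sample_header
    printf '*\t*\tTEAMID0001\tcom.example.cisco.ext (1.0/1)\tCisco Secure Client Example\t[activated enabled]\n'
    printf '*\t*\tTEAMID0002\tcom.example.splittunnel.ext (2.0/2)\tSplitTunnel Example\t[activated enabled]\n'
}
sample_vpn_only() {
    sample_header
    printf '\t\tTEAMID0001\tcom.example.cisco.ext (1.0/1)\tCisco Secure Client Example\t[terminated waiting to uninstall on reboot]\n'
    printf '*\t*\tTEAMID0002\tcom.example.splittunnel.ext (2.0/2)\tSplitTunnel Example\t[activated enabled]\n'
}

# On a Mac, classify the live listing; elsewhere, run the constructed sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | cisco_mode
else
    sample_sase | cisco_mode
fi
```

A Cisco extension that is listed but not in the `[activated enabled]` state is treated as absent, matching the "listed and enabled" wording of step 3.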

Compatibility Notes

  • Tested with Cisco AnyConnect 4.x and 5.x on macOS in VPN-only mode

  • Works with both user-initiated and always-on AnyConnect configurations

  • Routing rules persist across AnyConnect reconnections

  • Compatible with AnyConnect's DNS and proxy settings

  • Not compatible with Cisco Secure Client when a SASE system extension is deployed via MDM

Troubleshooting

Internal resources unreachable

Verify the app is set to route through VPN in SplitTunnel. Check that AnyConnect still shows a connected status.

Direct apps still slow

Confirm the app is set to direct in SplitTunnel. Some apps use helper processes — you may need to add those as well.

AnyConnect reconnects frequently

This is normal for some AnyConnect configurations. SplitTunnel handles reconnections automatically — your routing rules persist.
