Traffic intercepted by the Symantec agents does not successfully reach Cloud SWG when the Cisco AnyConnect VPN is enabled.
WSS Agent, SEP/SES Web and Cloud Access, Symantec Enterprise Agent (with the Web Gateway capability)
macOS
Cisco AnyConnect VPN
Default routes do not work as expected in “Split exclude” mode due to a macOS routing issue between modern Network Extensions (like the Symantec agents) and legacy VPNs like AnyConnect, which do not use macOS Network Extensions.
The workaround is to use the “Split include” split tunnel mode for Cisco AnyConnect.
More information
There are two split tunnel modes for AnyConnect: “Split include” and “Split exclude”.
Apple acknowledges the issue but has stated that they will not resolve it because they only support modern applications that utilize their Network Extension APIs. Therefore, the only permanent solution is for Cisco to modernize AnyConnect to use the supported Apple Network Extension APIs.