Troubleshoot IP Layer Enforcement Enablement for Roaming Client

Available Languages

Download Options

  • PDF     (11.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (81.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (65.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 23, 2025
Document ID:225278

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Introduction

This document describes how to troubleshoot IP Layer Enforcement enablement for the roaming client.

Overview

You can use this guide to troubleshoot issues with enabling IP Layer Enforcement in the roaming client. IP Layer Enforcement enables independently from the roaming client mode. Enabling or disabling this feature depends on policy synchronization and specific parameters returned from the sync server.

Expected Functionality

The roaming client enables IP Layer Enforcement regardless of the current client mode. This process is triggered by a policy sync.

  • When the roaming client syncs, it sends the bundle ID to the sync server (Hydra).
  • The Hydra server checks the policy associated with the bundle ID.
  • The sync response includesipFilteringEnabled(1 for true, 0 for false) andiplKillSwitch(1 for true, 0 for false).
  • TheiplKillSwitchvalue indicates if the feature is unavailable or limited.
    • This applies to all AnyConnect roaming clients unless the AnyConnect IP Layer Enforcement feature flag is enabled.
    • Without this flag, the feature does not activate even if the policy enables it.

Enable and Disable Triggers

The roaming client establishes an IP Layer Enforcement VPN tunnel if all conditions are met:

  • ipFilteringEnabledis 1 (true)
  • iplKillSwitchis 0 (false)

The roaming client does not enable IP Layer Enforcement if any of these are true:

  • ipFilteringEnabledis 0 (false)
  • iplKillSwitchis 1 (true)

Troubleshoot Common Issues

  • If the client does not enable IP Layer Enforcement, but the final policy shows it as enabled, check that the kill switch is not on.
  • There can be a 30-minute delay before activation.
    • The policy bundle might not be sent during the initial sync if it is not available.
    • IP Layer Enforcement enables after the next sync, which occurs about 25 minutes later.

Revision History

Revision Publish Date Comments
1.0
23-Oct-2025
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • TAC

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products