LAN access with Cisco AnyConnect Secure Mobility Client v. 3.0.4235
Solution 1:
I found a solution to my problem. I simply used OpenConnect instead of Cisco's own client.
OpenConnect (http://www.infradead.org/openconnect/) is an open source client for Cisco's AnyConnect SSL VPN,build around GnuTLS and OpenSSL. It runs on BSD, Linux, Mac and Windows.
For me it solved the problem on both Linux (Ubuntu 14, using the package network-manager-openconnect) and Windows (Win7 64bit, using http://www.infradead.org/openconnect/gui.html / https://github.com/openconnect/openconnect-gui/wiki).
Below are routes before and after VPN connection with OpenConnect. Contrast those to the AnyConnect case, where the 172.16.0.0 routes were removed.
I now enjoy access to the VPN resources, and my local LAN (in paticular my network attached sampling device on 172.16.97.2).
Routes before OpenConnect connection:
===========================================================================
Interface List
20...00 ff 08 2c e8 75 ......TAP-Windows Adapter V9
15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.191.244.1 10.191.244.11 261
10.191.244.0 255.255.255.0 On-link 10.191.244.11 261
10.191.244.11 255.255.255.255 On-link 10.191.244.11 261
10.191.244.255 255.255.255.255 On-link 10.191.244.11 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.0.0 255.255.0.0 On-link 172.16.97.1 261
172.16.97.1 255.255.255.255 On-link 172.16.97.1 261
172.16.255.255 255.255.255.255 On-link 172.16.97.1 261
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.191.244.11 261
224.0.0.0 240.0.0.0 On-link 172.16.97.1 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.191.244.11 261
255.255.255.255 255.255.255.255 On-link 172.16.97.1 261
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.220.1 1
0.0.0.0 0.0.0.0 10.191.244.1 Default
===========================================================================
Routes after openconnect conneciton:
===========================================================================
Interface List
20...00 ff 08 2c e8 75 ......TAP-Windows Adapter V9
15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.191.244.1 10.191.244.11 261
0.0.0.0 0.0.0.0 192.168.220.1 192.168.221.140 2
10.191.244.0 255.255.255.0 On-link 10.191.244.11 261
10.191.244.11 255.255.255.255 On-link 10.191.244.11 261
10.191.244.255 255.255.255.255 On-link 10.191.244.11 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.0.0 255.255.0.0 On-link 172.16.97.1 261
172.16.97.1 255.255.255.255 On-link 172.16.97.1 261
172.16.255.255 255.255.255.255 On-link 172.16.97.1 261
192.168.220.0 255.255.254.0 On-link 192.168.221.140 257
192.168.221.140 255.255.255.255 On-link 192.168.221.140 257
192.168.221.255 255.255.255.255 On-link 192.168.221.140 257
193.28.147.7 255.255.255.255 10.191.244.1 10.191.244.11 6
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.191.244.11 261
224.0.0.0 240.0.0.0 On-link 172.16.97.1 261
224.0.0.0 240.0.0.0 On-link 192.168.221.140 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.191.244.11 261
255.255.255.255 255.255.255.255 On-link 172.16.97.1 261
255.255.255.255 255.255.255.255 On-link 192.168.221.140 257
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.191.244.1 Default
0.0.0.0 0.0.0.0 192.168.220.1 1
===========================================================================
Solution 2:
You VPN administrator can enable/disable split tunneling from the VPN concentrator end. Even if you do mess with the gateways on your local machine, while connected to the VPN, I believe the Cisco client does whatever the policy tells it to do from the endpoint in your office.
Ask the VPN admin about it...I'm sure he/she will be happy to give you an earful about why it's set up the way it is. :)