I'm building out a new AnyConnect VPN on an ASA5525X and have encountered a problem. The NAT exemption from inside,any for the VPN subnet to the management subnet is forcing the traffic through the inside interface versus the management interface, despite having route-lookup at the end of the NAT statement. All of our network devices have their OOB management on this subnet. I mean, I could create a new subnet specifically for ASA management, and route the normal management subnet through the inside interface, but dammit, I want to make this work. Packet-tracer and captures on the inside interface confirm that this is occurring. I'm running ASA v9.4. Same-security-traffic, both intra and inter, is enabled. I'm going to try configuring a way around this with PBR tomorrow, since 9.4 supports it, but...PBR. Eh. I've had a TAC going for the last 2 days about this, but they have not been very helpful at all. Any ideas on why this would be happening?
I know, ASAs are not routers, and I hate using them as such, since there are special cases (such as this) where they do not follow normal routing logic, but this is where we have the VPN licenses.
EDIT: Forgot to add, it's not doing a management-only drop on the interface on packet-tracer. It's determining the egress interface to be inside based upon the NAT statement, not the routing table.
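To make the described behaviour concrete, here is an added illustration (not the original poster's configuration) of the kind of NAT exemption being discussed and the commands used to check which interface the ASA picks as egress. All addresses, object names and interface names are assumptions; the point is that `packet-tracer` shows the egress interface chosen in the NAT phase, so you can see whether it came from the NAT rule or from the routing table.

```cisco
! --- Assumed topology (not from the original post) ---
! VPN client pool:        10.10.10.0/24 (terminates on "outside")
! OOB management subnet:  10.20.20.0/24 (reachable via "management")
! Internal networks:      10.0.0.0/8    (behind "inside")

object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
object network MGMT-NET
 subnet 10.20.20.0 255.255.255.0

! Identity NAT ("NAT exemption") of the shape described in the post:
! real interface "inside", mapped interface "any", with route-lookup
! appended so the ASA is supposed to consult the routing table for egress.
nat (inside,any) source static MGMT-NET MGMT-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! A static route that says the management subnet lives off "management".
route management 10.20.20.0 255.255.255.0 10.20.20.1 1

! --- Checks ---
! Simulate a VPN client (10.10.10.5) opening SSH to a device on the
! management subnet. Look at the "NAT" phase in the output and compare the
! egress interface it reports with the one in the ROUTE-LOOKUP phase.
packet-tracer input outside tcp 10.10.10.5 40000 10.20.20.10 22 detailed

! Confirm the rule being hit and its hit counts.
show nat detail

! Confirm the routing table really prefers "management" for that subnet.
show route 10.20.20.10

! Capture on "inside" to confirm the traffic is actually leaving there
! rather than on "management".
capture CAP-INSIDE interface inside match ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
capture CAP-MGMT interface management match ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
show capture CAP-INSIDE
show capture CAP-MGMT
```

If the `packet-tracer` NAT phase names `inside` as the egress interface while `show route` points at `management`, that reproduces the symptom in the post: the interface pair in the NAT rule, not the routing table, decided where the packet goes. Whether `route-lookup` is honoured for a given rule shape on a given 9.4 build is exactly the question the post raises, so treat the commands above as the way to demonstrate it to TAC rather than as a fix.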
Posted 9 years ago to r/networking: reddit.com/r/networking/...