Running Ubuntu 12.10 X64 Connecting to a dual stack ASA running 9.1.1 Connecting from an IPv4 only network The IPv4 side of both clients works as expected, however the IPv6 side has some differences. The AnyConnect client provides an IPv6 /128 address and sets the default route for IPv6 traffic across the VPN OpenConnect provides an IPv6 /64 address and the default route is set to lo In the output below, I have done some basic "santizing" on user, host and domain names, IPv6 addresses and public IPv4 addresses Using the Cisco AnyConnect client 3.1.02026 user at V5-171:~$ netstat -6 -r Kernel IPv6 routing table Destination Next Hop Flag Met Ref Use If 2001:1:2:3::2/128 :: U 256 0 0 cscotun0 fe80::/64 :: U 256 0 0 cscotun0 ::/0 :: U 1 0 0 cscotun0 ::/0 :: !n -1 1 341 lo ::1/128 :: Un 0 1 83 lo 2001:1:2:3::2/128 :: Un 0 1 528 lo fe80::aed:b9ff:fef8:fc21/128 :: Un 0 1 0 lo ff00::/8 :: U 256 0 0 eth1 ff00::/8 :: U 256 0 0 cscotun0 ::/0 :: !n -1 1 341 lo Using OpenConnect 4.0.6-1ubuntu1 and NetworkManager OpenConnect 0.9.6.0-0ubuntu1 from the Ubuntu repo user at V5-171:~$ netstat -6 -r Kernel IPv6 routing table Destination Next Hop Flag Met Ref Use If 2001:1:2:3::/64 :: U 256 0 0 vpn0 fe80::/64 :: U 256 0 0 eth1 fe80::/64 :: U 256 0 0 vpn0 ::/0 :: !n -1 1 511 lo ::1/128 :: Un 0 1 84 lo 2001:1:2:3::2/128 :: Un 0 1 0 lo fe80::aed:b9ff:fef8:fc21/128 :: Un 0 1 0 lo ff00::/8 :: U 256 0 0 eth1 ff00::/8 :: U 256 0 0 vpn0 ::/0 :: !n -1 1 511 lo I then tried connecting in a shell sudo openconnect -vvv https://asa.domain.com Attempting to connect to 1.2.3.4:443 SSL negotiation with asa.domain.com Connected to HTTPS on asa.domain.com GET https://asa.domain.com/ Got HTTP response: HTTP/1.0 302 Object Moved Content-Type: text/html Content-Length: 0 Cache-Control: no-cache Pragma: no-cache Connection: Close Date: Sat, 02 Feb 2013 12:21:40 GMT Location: /+webvpn+/index.html Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure HTTP body length: (0) SSL negotiation with asa.domain.com Connected to HTTPS on asa.domain.com GET https://asa.domain.com/+webvpn+/index.html Got HTTP response: HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/xml Cache-Control: max-age=0 Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpnlogin=1; secure X-Transcend-Version: 1 HTTP body chunked (-2) Fixed options give Please enter your username and password. Username:user Password: POST https://asa.domain.com/+webvpn+/index.html Got HTTP response: HTTP/1.1 200 OK Transfer-Encoding: chunked Content-Type: text/xml Cache-Control: max-age=0 Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure Set-Cookie: webvpn=<elided>; path=/; secure Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:<deleted>:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fasa.domain.com.xml&fh:<deleted>; path=/; secure Set-Cookie: webvpnx= Set-Cookie: webvpnaac=1; path=/; secure X-Transcend-Version: 1 HTTP body chunked (-2) TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500 Got CONNECT response: HTTP/1.1 200 OK X-CSTP-Version: 1 X-CSTP-Address: 192.168.54.5 X-CSTP-Netmask: 255.255.255.0 X-CSTP-Address: 2001:1:2:3::1 X-CSTP-Netmask: 2001:1:2:3::1/64 X-CSTP-DNS: 192.168.53.42 X-CSTP-DNS: 10.201.253.41 X-CSTP-NBNS: 192.168.53.42 X-CSTP-NBNS: 10.201.253.41 X-CSTP-Lease-Duration: 1209600 X-CSTP-Session-Timeout: none X-CSTP-Idle-Timeout: 1800 X-CSTP-Disconnected-Timeout: 1800 X-CSTP-Default-Domain: domain.com X-CSTP-Split-Include: 192.168.53.0/255.255.255.0 X-CSTP-Split-Include: 10.201.253.0/255.255.255.0 X-CSTP-Split-DNS: domain.com X-CSTP-Keep: true X-CSTP-Tunnel-All-DNS: true X-CSTP-DPD: 30 X-CSTP-Keepalive: 20 X-CSTP-MSIE-Proxy-Lockdown: true X-CSTP-Smartcard-Removal-Disconnect: true X-DTLS-Session-ID: <deleted> X-DTLS-Port: 443 X-DTLS-Keepalive: 20 X-DTLS-DPD: 30 X-CSTP-MTU: 1415 X-DTLS-MTU: 1418 X-DTLS-CipherSuite: AES128-SHA X-CSTP-Routing-Filtering-Ignore: false X-CSTP-Quarantine: false X-CSTP-Disable-Always-On-VPN: false X-CSTP-TCP-Keepalive: true CSTP connected. DPD 30, Keepalive 20 ^C I know that I could set the default route manually, but wondered if I misconfigured something, or had hit a bug. I've gone back through the mailing list archives to July 2012, but couldn't see anything that might reference this. Cheers
