Hi,

Background:
I'm currently having a problem with the AnyConnect client on PC/Mac, though it works well on iOS devices.

Symptoms:

1. On Windows, after the first successful session, AnyConnect will no longer work and keeps saying that the network requires web authentication.
2. On Mac, same problem as it was on Windows, but:
   2.1 I can try once with an arbitrary address that doesn't have AnyConnect service, like fjdsaklfsdjk
   2.2 After AnyConnect server failed to connect to that non-existent server
   2.3 reconnect to the original good server
   2.4 connection will then be established without further errors
3. I have assigned a /48 IPv6 pool in the ocserv; that /48 came from my ISP, and works on other machines
   3.1 After a successful connection was established, the clients have obtained a valid IPv6 address
   3.2 in the details, "Secured connect" is ::/0, which means everything IPv6 was routed to the ocserv by default, but
   3.3 clients cannot connect to any v6 sites, nor can they do ping6.

The first two symptoms can be related to the certificate problem; however, after I imported the server CA to the trusted list, the problem persists.

I'll attach my profile and .conf; hopefully someone would kindly help me through this interesting yet very difficult problem.

Warm Regards,
Quan Zhou

Attachment 1 <profile.xml>:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <AutoUpdate>true</AutoUpdate>
        <BypassDownloader>true</BypassDownloader>
        <UseStartBeforeLogon>false</UseStartBeforeLogon>
        <StrictCertificateTrust>false</StrictCertificateTrust>
        <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
        <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
        <CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
        <CertificateMatch>
            <KeyUsage>
                <MatchKey>Digital_Signature</MatchKey>
            </KeyUsage>
            <ExtendedKeyUsage>
                <ExtendedMatchKey>ServerAuth</ExtendedMatchKey>
            </ExtendedKeyUsage>
        </CertificateMatch>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>hostname.example.org</HostName>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

Attachment 2 <ocserv.conf>:

auth = "plain[/etc/ocserv/ocpasswd]"
max-clients = 16
max-same-clients = 5
tcp-port = 8443
udp-port = 443
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
use-utmp = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
device = vpns
ipv4-network = 10.88.0.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
# Original IPv6 address replaced with the address from rfc3849
ipv6-network = 2001:DB8::
ipv6-prefix = 64
ipv6-dns = 2001:DB8::2
ipv6-dns = 2001:DB8::2
output-buffer = 10
route-add-cmd = "ip route add %R dev %D"
route-del-cmd = "ip route delete %R dev %D"
user-profile = /etc/ocserv/profile.xml
cisco-client-compat = true
custom-header = "X-DTLS-MTU: 1360"
custom-header = "X-CSTP-MTU: 1360"
custom-header = "X-CSTP-Split-Exclude: 192.168.0.0/255.255.0.0"