On Sun, Sep 25, 2016 at 11:31 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> You could add --dump-http-traffic and confirm that we're really trying,
> but DO NOT send the output of that to the list. Filter passwords and
> cookies out of it before you send it to me in private if you wish.
> Thanks.

With --dump-http-traffic and the latest from git, I can see OpenConnect sending the X-DTLS headers, but not receiving any in response. I'll ask about getting the official client on Monday.

The secondary ASA apparently did take over from the primary sometime Thursday night, but they should have been switched back after I noticed the VPN problems. I'm wondering now if that didn't end up working. In any case, all signs are certainly pointing to the server.

Thanks again,
Peter