Running FreeBSD 11, ocserv 0.11.7 cannot seemingly establish the DTLS channel with a Cisco AnyConnect 4.4 client for Windows. Communication between the server and the client is free and open. Looks like there is a problem with procedures in main.c around 868. ocserv runs with default config (only tiny changes, e.g. ip/port). Gathered with --debug=7.

Problematic log pieces below. Full log at: https://paste.ee/r/B4E1U

May 7 19:29:17 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 main received worker's message 'tun mtu change' of 3 bytes
May 7 19:29:17 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 setting tun0 MTU to 1353
May 7 19:29:20 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)
May 7 19:29:20 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 main.c:868: bind UDP to 10.0.1.31:443: Address already in use
May 7 19:29:20 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 sending (socket) message 10 to worker
May 7 19:29:20 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 passed UDP socket from 10.0.1.50:49360
May 7 19:29:20 test0 ocserv[27666]: sec-mod: received request from a processes with uid 903
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 sending message 'sm: worker cli stats' to secmod
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 sent periodic stats (in: 0, out: 0) to sec-mod
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 worker received message udp fd of 103 bytes
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 received new UDP fd and connected to peer
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 setting up DTLS-0.9 connection
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 Initializing MTU discovery; initial MTU: 1447
May 7 19:29:20 test0 ocserv[27666]: sec-mod: cmd [size=63] sm: worker cli stats
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 received 84 byte(s) (TLS)
May 7 19:29:20 test0 ocserv[27677]: worker[one]: 10.0.1.50 writing 76 byte(s) to TUN
May 7 19:29:21 test0 ocserv[27677]: worker[one]: 10.0.1.50 sending 76 byte(s)
May 7 19:29:21 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)
May 7 19:29:21 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 received UDP connection too soon from 10.0.1.50:49360
May 7 19:29:23 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)
May 7 19:29:23 test0 ocserv[27665]: main[one]: 10.0.1.50:49260 received UDP connection too soon from 10.0.1.50:49360
May 7 19:29:27 test0 ocserv[27665]: main: new DTLS session from 10.0.1.50:49360 (record v1.0, hello v1.0)

At the same time there clearly is a UDP connection established between the server and the client:

USER     COMMAND  PID    FD  PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
_ocserv  ocserv   27677  1   udp4   10.0.1.31:55738  10.0.1.50:49360
_ocserv  ocserv   27677  11  tcp4   10.0.1.31:443    10.0.1.50:49260
root     ocserv   27665  4   tcp4   10.0.1.31:443    *:*
root     ocserv   27665  5   udp4   10.0.1.31:443    *:*

But occtl shows no dtls set (which is correct re problems in the log):

id     user  group    ip         vpn-ip      device  since  dtls-cipher  status
27677  one   default  10.0.1.50  10.250.3.3  tun0    42s    (no-dtls)    connected

Thanks for any help to get this fixed. The VPN works well using TCP only, but I'd like to use its full potential and have DTLS along with that. I realize not many people use (Free)BSD, so if you need me to run any extra tests/debugs, let me know. Won't be a problem.

--
Tomasz
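The following is an added example, not ocserv's code and not anything from the report above. It reproduces, on a loopback pair with kernel-chosen ports standing in for 10.0.1.31:443, the socket-level failure the log records at main.c:868 ("bind UDP ... Address already in use"): a server that keeps one listening UDP socket and wants a second, per-client socket bound to the same local address (so that the worker's replies leave from the listener's port) must set SO_REUSEADDR/SO_REUSEPORT on both sockets before bind(), and once that second socket is connect()ed to the peer, the kernel's exact four-tuple match delivers the peer's datagrams to it rather than to the listener. Whether ocserv's hand-off follows exactly this pattern is an assumption; the function names, addresses and the "client hello" payload are constructed for the demo, and the delivery behaviour assumed is that of Linux and FreeBSD.

```c
/* Added example (not ocserv's code): why a per-client UDP socket bound to the
 * listener's own addr:port needs the reuse options, and what the connected
 * socket then receives.  Assumes Linux/FreeBSD semantics; all values constructed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to *addr (port 0 = kernel-chosen); the address actually
 * bound is written back to *addr.  Returns the fd, or -errno. */
static int open_udp(struct sockaddr_in *addr, int reuse)
{
    int one = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t len = sizeof *addr;
    if (fd < 0)
        return -errno;
    if ((reuse && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
#ifdef SO_REUSEPORT
        || (reuse && setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof one) < 0)
#endif
        || bind(fd, (struct sockaddr *)addr, len) < 0
        || getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* The hand-off step: a second socket on the listener's address, connected to
 * the peer.  Returns the fd, or -errno (-EADDRINUSE without reuse options). */
static int open_peer_socket(const struct sockaddr_in *listener,
                            const struct sockaddr_in *peer, int reuse)
{
    struct sockaddr_in local = *listener;   /* same addr:port as the listener */
    int fd = open_udp(&local, reuse);
    if (fd >= 0 && connect(fd, (const struct sockaddr *)peer, sizeof *peer) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* Listener + client + per-client socket, then one client datagram.
 * Returns: -errno if the per-client bind fails (the log's situation);
 * 1 if the connected socket receives the datagram; 0 if the listener gets it
 * instead (the "received UDP connection too soon" case); -ETIMEDOUT if nothing
 * arrives within a second. */
int dtls_handoff_demo(int reuse)
{
    struct sockaddr_in listener = { .sin_family = AF_INET,
                                    .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct sockaddr_in client = listener;   /* constructed client endpoint */
    int lfd = open_udp(&listener, reuse), cfd = open_udp(&client, 0), wfd = -1, rc;
    const char hello[] = "constructed-client-hello";
    fd_set rd;
    struct timeval tv = { 1, 0 };

    if (lfd < 0 || cfd < 0) {
        rc = lfd < 0 ? lfd : cfd;
        goto out;
    }
    wfd = open_peer_socket(&listener, &client, reuse);
    if (wfd < 0) {
        rc = wfd;
        goto out;
    }
    /* The client's first DTLS record is addressed to the listener's port. */
    if (sendto(cfd, hello, sizeof hello, 0, (struct sockaddr *)&listener,
               sizeof listener) < 0) {
        rc = -errno;
        goto out;
    }
    FD_ZERO(&rd);
    FD_SET(lfd, &rd);
    FD_SET(wfd, &rd);
    rc = select((lfd > wfd ? lfd : wfd) + 1, &rd, NULL, NULL, &tv);
    rc = rc <= 0 ? -ETIMEDOUT : (FD_ISSET(wfd, &rd) ? 1 : 0);
out:
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    if (wfd >= 0) close(wfd);
    return rc;
}

int main(void)
{
    int r0 = dtls_handoff_demo(0), r1 = dtls_handoff_demo(1);
    printf("without reuse options: %s\n", r0 < 0 ? strerror(-r0) : "bound");
    printf("with reuse options:    %s\n",
           r1 == 1 ? "connected socket received the datagram"
         : r1 == 0 ? "listener received the datagram" : strerror(-r1));
    return 0;
}
```

The two outcomes map onto the report: without the reuse options the per-client bind fails with EADDRINUSE, which is what the sockstat output is consistent with (the worker's UDP socket sits on 10.0.1.31:55738 rather than :443), and client datagrams addressed to :443 keep arriving at the listener in the main process, which is where the repeated "new DTLS session" / "received UDP connection too soon" lines come from. With both sockets carrying SO_REUSEADDR and SO_REUSEPORT the second bind succeeds and, because it is connected, the kernel prefers it for that peer's traffic. On FreeBSD SO_REUSEPORT is the long-standing option for this (SO_REUSEPORT_LB is the separate load-balancing variant), so a useful check on the FreeBSD side is whether the listening socket at main.c:868 and the per-client socket are both created with it before bind().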