> You should use --dump to show the complete chain of HTTPS request and
> response headers.

Thanks for this. It seems openconnect is indeed issuing the three DTLS lines, but nothing seems to be coming in response. I wonder how the anyconnect client is able to create a DTLS connection in this case.

HTTP body length: (130)
< <?xml version="1.0" encoding="UTF-8"?><auth id="success"><title>SSL VPN Service</title><message>Success</message><success/></auth>
TCP_INFO rcv mss 536, snd mss 536, adv mss 1460, pmtu 1500
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: company.com
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: webvpn=00 at 1303835295@33337 at 3715556236@3831327201 at MainVPNContext
> X-CSTP-Version: 1
> X-CSTP-Hostname: punch
> X-CSTP-Accept-Encoding: oc-lz4,lzs
> X-CSTP-Base-MTU: 1500
> X-CSTP-MTU: 1406
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
> X-DTLS-Master-Secret: D514BF73ED72D3DCA808FD72766E6006A25B90CA9164E23F10DFB52DF84D9A00476E5E9999965699D8F926E12DBD5091
> X-DTLS-CipherSuite: PSK-NEGOTIATE:OC-DTLS1_2-AES256-GCM:OC2-DTLS1_2-CHACHA20-POLY1305:DHE-RSA-AES256-SHA:OC-DTLS1_2-AES128-GCM:DHE-RSA-AES128-SHA:DES-CBC3-SHA:AES256-SHA:AES128-SHA
> X-DTLS-Accept-Encoding: oc-lz4,lzs
>
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.200.200.184
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Keep: true
X-CSTP-DNS: 10.200.200.11
X-CSTP-Lease-Duration: 43200
X-CSTP-MTU: 1406
X-CSTP-Default-Domain: company.com
X-CSTP-Split-Include: 10.200.200.0/255.255.255.0
X-CSTP-Split-Include: 10.200.0.0/255.255.0.0
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 300
X-CSTP-Disconnected-Timeout: 2100
X-CSTP-Idle-Timeout: 2100
X-CSTP-Session-Timeout: 0
X-CSTP-Keepalive: 30
CSTP connected. DPD 300, Keepalive 30
CSTP Ciphersuite: (TLS1.0)-(RSA)-(AES-256-CBC)-(SHA1)
Set up DTLS failed; using SSL instead
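
Added example, not part of the original message and not openconnect code: a small Python helper that reads a --dump log of the CONNECT exchange, lists which X-DTLS-* headers the client offered and which the server returned, and replaces the Cookie and X-DTLS-Master-Secret values so the log can be shared. It assumes the layout seen in the dump above (request headers prefixed with "> ", response headers after "Got CONNECT response:"); the function name `analyse` and the sample data are constructed for illustration.

```python
import re

# Header values that authenticate or key the session; redacted before sharing.
SENSITIVE = ("cookie", "x-dtls-master-secret")

# Constructed sample shaped like the dump above; not real session data.
SAMPLE = """\
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: vpn.example.com
> Cookie: webvpn=CONSTRUCTED-COOKIE
> X-DTLS-Master-Secret: 00112233
> X-DTLS-CipherSuite: PSK-NEGOTIATE:AES256-SHA
> X-DTLS-Accept-Encoding: oc-lz4,lzs
>
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-MTU: 1406
CSTP connected. DPD 300, Keepalive 30
"""

# "Name: value", optionally prefixed with "> " for lines the client sent.
HEADER = re.compile(r"^(> )?([A-Za-z0-9-]+): (.*)$")

def analyse(dump):
    """Return (redacted_text, offered, returned) for one CONNECT exchange."""
    out, offered, returned = [], [], []
    in_response = False
    for line in dump.splitlines():
        if line.startswith("Got CONNECT response:"):
            in_response = True
        m = HEADER.match(line)
        if m:
            prefix, name = m.group(1) or "", m.group(2)
            if name.lower() in SENSITIVE:
                line = f"{prefix}{name}: [REDACTED]"
            if name.lower().startswith("x-dtls-"):
                if prefix:
                    offered.append(name)      # sent by the client
                elif in_response:
                    returned.append(name)     # sent back by the server
        out.append(line)
    return "\n".join(out), offered, returned

if __name__ == "__main__":
    text, offered, returned = analyse(SAMPLE)
    print(text)
    print("offered :", offered)
    print("returned:", returned or "none (server sent no DTLS parameters)")
```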