On Mon, Jun 4, 2018 at 3:17 AM, Stephen Davies <sdavies at sdc.com.au> wrote:
> Sorry, still no joy.
>
> The actual value in the config file was vendor.

Just to be 100% certain here. You *did* try running openconnect
without `--userconfig=version`, right? What was the result?

> Here is the AnyConnect client XML file they provide for Windows users with
> just the host names changed. Is there anything in here that I should be
> using?
>
> <?xml version="1.0" encoding="UTF-8"?>
> <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/
> AnyConnectProfile.xsd">
> <ClientInitialization>
> <UseStartBeforeLogon
> UserControllable="true">true</UseStartBeforeLogon>
> <AutomaticCertSelection
> UserControllable="false">true</AutomaticCertSelection>
> <ShowPreConnectMessage>false</ShowPreConnectMessage>
> <CertificateStore>All</CertificateStore>
> <CertificateStoreOverride>false</CertificateStoreOverride>
> <ProxySettings>Native</ProxySettings>
> <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
> <AuthenticationTimeout>12</AuthenticationTimeout>
> <AutoConnectOnStart
> UserControllable="true">false</AutoConnectOnStart>
> <MinimizeOnConnect
> UserControllable="false">true</MinimizeOnConnect>
> <LocalLanAccess
> UserControllable="false">false</LocalLanAccess>
> <ClearSmartcardPin
> UserControllable="false">true</ClearSmartcardPin>
> <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
> <AutoReconnect UserControllable="false">true
> <AutoReconnectBehavior
> UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
> </AutoReconnect>
> <AutoUpdate UserControllable="false">true</AutoUpdate>
> <RSASecurIDIntegration
> UserControllable="false">Automatic</RSASecurIDIntegration>
> <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
> <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
> <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
> <PPPExclusion UserControllable="false">Automatic
> <PPPExclusionServerIP
> UserControllable="false"></PPPExclusionServerIP>
> </PPPExclusion>
> <EnableScripting
> UserControllable="false">false</EnableScripting>
> <EnableAutomaticServerSelection
> UserControllable="false">false
> <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
> <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
> </EnableAutomaticServerSelection>
> <RetainVpnOnLogoff>false
> </RetainVpnOnLogoff>
> </ClientInitialization>
> <ServerList>
> <HostEntry>
> <HostName>Vendor VPN</HostName>
> <HostAddress>remotehost</HostAddress>
> <UserGroup>vendor</UserGroup>
> <BackupServerList>
> <HostAddress>backuphost</HostAddress>
> </BackupServerList>
> </HostEntry>
> </ServerList>
> </AnyConnectProfile>
>

I remain convinced that there's something wrong with the
`--usergroup=vendor` setting here. From your original log, a POST to
https://remotehost/vendor leads to a 404 error, and a GET leads to a
redirect for old clients which don't support POST. This should not
happen.

    POST https://remotehost/vendor
    Attempting to connect to server 1.2.3.4:443
    SSL negotiation with remotehost
    Connected to HTTPS on remotehost
    Got HTTP response: HTTP/1.1 404 Not Found [<- !!!!!]
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: Close
    Date: Sun, 03 Jun 2018 10:22:24 GMT
    X-Frame-Options: SAMEORIGIN
    HTTP body http 1.0 (-1)
    SSL socket closed uncleanly
    Unexpected 404 result from server
    GET https://remotehost/vendor
    Attempting to connect to server 1.2.3.4:443
    SSL negotiation with remotehost
    Connected to HTTPS on remotehost
    Got HTTP response: HTTP/1.0 302 Temporary moved
    Set-Cookie: tg=string; path=/; secure

-Dan
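
Added example, not part of the original message and not openconnect code: a namespace-tolerant reader for the ServerList of an AnyConnect profile like the one quoted above, so the host address, user group and backup hosts can be compared with what is passed to openconnect. The function names and the derived `url` field are assumptions made for illustration; the URL shape follows the log's request to https://remotehost/vendor.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the ServerList part of the profile quoted in the message.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Vendor VPN</HostName>
      <HostAddress>remotehost</HostAddress>
      <UserGroup>vendor</UserGroup>
      <BackupServerList>
        <HostAddress>backuphost</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag):
    # ElementTree reports tags as '{namespace}Name'; keep only 'Name'.
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    # Text of the first direct child called `name`, or None if absent or empty.
    found = _children(elem, name)
    return ((found[0].text or "").strip() or None) if found else None

def host_entries(profile_xml):
    """Return one dict per <HostEntry> that has a <HostAddress>."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    entries = []
    for entry in (e for e in root.iter() if _local(e.tag) == "HostEntry"):
        address, group = _text(entry, "HostAddress"), _text(entry, "UserGroup")
        if address is None:
            continue
        backups = [(b.text or "").strip()
                   for lst in _children(entry, "BackupServerList")
                   for b in _children(lst, "HostAddress")]
        # Assumption: the group becomes the URL path, matching the log's
        # "POST https://remotehost/vendor" for --usergroup=vendor.
        url = "https://" + address + ("/" + group if group else "/")
        entries.append({"name": _text(entry, "HostName"), "address": address,
                        "user_group": group, "backups": backups, "url": url})
    return entries

if __name__ == "__main__":
    for e in host_entries(SAMPLE_PROFILE):
        print(e)
```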