OpenConnect GUI connection succeeds but no network access
Summary
After connecting to the server, the GUI reports that the connection is established successfully, and the VPN Info tab reports the assigned IP/Prefix, but cannot access the network. No IP is assigned to the TUN device, it remains on the 169.254.0.0/16 subnet. Cisco Anyconnect works fine.
Version of the software & operating system
Version: 1.6.2-dirty (64-bit)
OS: Windows 11 Pro 24H2 (build 26100.3194)
Steps to reproduce
Just connecting to the server gives the error every time.
Actual results
OpenConnect GUI reports VPN connected with IP/Prefix but no IP Assigned to the TUN interface, so no network access
Expected results
VPN IP/Prefix should be assigned to the TUN interface.
Relevant logs and/or screenshots
Logs (masked a few IPs):
2025-02-16 12:24:18 | 338c | POST https://x.x.x.x/
2025-02-16 12:24:18 | 338c | Attempting to connect to server x.x.x.x:443
2025-02-16 12:24:18 | 338c | Connected to x.x.x.x:443
2025-02-16 12:24:18 | 338c | There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
2025-02-16 12:24:18 | 338c | There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
2025-02-16 12:24:18 | 338c | There was a non-CA certificate in the trusted list: C=US,ST=California,L=Irvine,O=Blizzard Entertainment,OU=Battle.net,CN=Blizzard Battle.net Local Cert.
2025-02-16 12:24:18 | 338c | There was a non-CA certificate in the trusted list: CN=Root Agency.
2025-02-16 12:24:18 | 338c | SSL negotiation with x.x.x.x
2025-02-16 12:24:18 | 338c | Server certificate verify failed: signer not found
2025-02-16 12:24:18 | 338c | Connected to HTTPS on x.x.x.x with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
2025-02-16 12:24:18 | 338c | Got HTTP response: HTTP/1.1 200 OK
2025-02-16 12:24:18 | 338c | Content-Type: text/xml; charset=utf-8
2025-02-16 12:24:18 | 338c | Transfer-Encoding: chunked
2025-02-16 12:24:18 | 338c | Cache-Control: no-store
2025-02-16 12:24:18 | 338c | Pragma: no-cache
2025-02-16 12:24:18 | 338c | Connection: Keep-Alive
2025-02-16 12:24:18 | 338c | Date: Sun, 16 Feb 2025 06:53:58 GMT
2025-02-16 12:24:18 | 338c | X-Frame-Options: SAMEORIGIN
2025-02-16 12:24:18 | 338c | Strict-Transport-Security: max-age=31536000; includeSubDomains
2025-02-16 12:24:18 | 338c | X-Content-Type-Options: nosniff
2025-02-16 12:24:18 | 338c | X-XSS-Protection: 1
2025-02-16 12:24:18 | 338c | Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
2025-02-16 12:24:18 | 338c | X-Aggregate-Auth: 1
2025-02-16 12:24:18 | 338c | HTTP body chunked (-2)
2025-02-16 12:24:18 | 338c | XML POST enabled
2025-02-16 12:24:18 | 338c | POST https://x.x.x.x/
2025-02-16 12:24:18 | 338c | Got HTTP response: HTTP/1.1 200 OK
2025-02-16 12:24:18 | 338c | Content-Type: text/xml; charset=utf-8
2025-02-16 12:24:18 | 338c | Transfer-Encoding: chunked
2025-02-16 12:24:18 | 338c | Cache-Control: no-store
2025-02-16 12:24:18 | 338c | Pragma: no-cache
2025-02-16 12:24:18 | 338c | Connection: Keep-Alive
2025-02-16 12:24:18 | 338c | Date: Sun, 16 Feb 2025 06:53:58 GMT
2025-02-16 12:24:18 | 338c | X-Frame-Options: SAMEORIGIN
2025-02-16 12:24:18 | 338c | Strict-Transport-Security: max-age=31536000; includeSubDomains
2025-02-16 12:24:18 | 338c | X-Content-Type-Options: nosniff
2025-02-16 12:24:18 | 338c | X-XSS-Protection: 1
2025-02-16 12:24:18 | 338c | Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
2025-02-16 12:24:18 | 338c | X-Aggregate-Auth: 1
2025-02-16 12:24:18 | 338c | HTTP body chunked (-2)
2025-02-16 12:24:18 | 338c | XML POST enabled
2025-02-16 12:24:18 | 338c | Select form: group_list
2025-02-16 12:24:18 | 338c | Text form: username
2025-02-16 12:24:18 | 338c | Password form: password
2025-02-16 12:24:24 | 338c | POST https://x.x.x.x./
2025-02-16 12:24:24 | 338c | Got HTTP response: HTTP/1.1 200 OK
2025-02-16 12:24:24 | 338c | Content-Type: text/xml; charset=utf-8
2025-02-16 12:24:24 | 338c | Transfer-Encoding: chunked
2025-02-16 12:24:24 | 338c | Cache-Control: no-store
2025-02-16 12:24:24 | 338c | Pragma: no-cache
2025-02-16 12:24:24 | 338c | Connection: Keep-Alive
2025-02-16 12:24:24 | 338c | Date: Sun, 16 Feb 2025 06:54:04 GMT
2025-02-16 12:24:24 | 338c | X-Frame-Options: SAMEORIGIN
2025-02-16 12:24:24 | 338c | Strict-Transport-Security: max-age=31536000; includeSubDomains
2025-02-16 12:24:24 | 338c | X-Content-Type-Options: nosniff
2025-02-16 12:24:24 | 338c | X-XSS-Protection: 1
2025-02-16 12:24:24 | 338c | Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
2025-02-16 12:24:24 | 338c | X-Aggregate-Auth: 1
2025-02-16 12:24:24 | 338c | HTTP body chunked (-2)
2025-02-16 12:24:24 | 338c | Enter the otp
2025-02-16 12:24:24 | 338c | Password form: answer
2025-02-16 12:24:35 | 338c | POST https://x.x.x.x/
2025-02-16 12:24:35 | 338c | Got HTTP response: HTTP/1.1 200 OK
2025-02-16 12:24:35 | 338c | Content-Type: text/xml; charset=utf-8
2025-02-16 12:24:35 | 338c | Transfer-Encoding: chunked
2025-02-16 12:24:35 | 338c | Cache-Control: no-store
2025-02-16 12:24:35 | 338c | Pragma: no-cache
2025-02-16 12:24:35 | 338c | Connection: Keep-Alive
2025-02-16 12:24:35 | 338c | Date: Sun, 16 Feb 2025 06:54:15 GMT
2025-02-16 12:24:35 | 338c | X-Frame-Options: SAMEORIGIN
2025-02-16 12:24:35 | 338c | Strict-Transport-Security: max-age=31536000; includeSubDomains
2025-02-16 12:24:35 | 338c | X-Content-Type-Options: nosniff
2025-02-16 12:24:35 | 338c | X-XSS-Protection: 1
2025-02-16 12:24:35 | 338c | Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
2025-02-16 12:24:35 | 338c | X-Aggregate-Auth: 1
2025-02-16 12:24:35 | 338c | HTTP body chunked (-2)
2025-02-16 12:24:35 | 338c | TCP_MAXSEG 1360
2025-02-16 12:24:35 | 338c | Got CONNECT response: HTTP/1.1 200 OK
2025-02-16 12:24:35 | 338c | X-CSTP-Version: 1
2025-02-16 12:24:35 | 338c | X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
2025-02-16 12:24:35 | 338c | X-CSTP-Address: 10.64.220.15
2025-02-16 12:24:35 | 338c | X-CSTP-Netmask: 255.255.255.0
2025-02-16 12:24:35 | 338c | X-CSTP-Address-IP6: 2405:200:1413::304/120
2025-02-16 12:24:35 | 338c | X-CSTP-Hostname: v6Firepower
2025-02-16 12:24:35 | 338c | X-CSTP-DNS: 172.16.56.142
2025-02-16 12:24:35 | 338c | X-CSTP-Lease-Duration: 1209600
2025-02-16 12:24:35 | 338c | X-CSTP-Session-Timeout: none
2025-02-16 12:24:35 | 338c | X-CSTP-Session-Timeout-Alert-Interval: 60
2025-02-16 12:24:35 | 338c | X-CSTP-Session-Timeout-Remaining: none
2025-02-16 12:24:35 | 338c | X-CSTP-Idle-Timeout: 1800
2025-02-16 12:24:35 | 338c | X-CSTP-Disconnected-Timeout: 1800
2025-02-16 12:24:35 | 338c | X-CSTP-Split-Include: */255.255.255.0
2025-02-16 12:24:35 | 338c | X-CSTP-Split-Include: */255.255.0.0
2025-02-16 12:24:35 | 338c | X-CSTP-Split-Include: */255.255.255.0
2025-02-16 12:24:35 | 338c | X-CSTP-Split-Include: */255.255.255.255
2025-02-16 12:24:35 | 338c | X-CSTP-Keep: false
2025-02-16 12:24:35 | 338c | X-CSTP-Tunnel-All-DNS: true
2025-02-16 12:24:35 | 338c | X-CSTP-DPD: 30
2025-02-16 12:24:35 | 338c | X-CSTP-Keepalive: 20
2025-02-16 12:24:35 | 338c | X-CSTP-Banner: **************
A%22025-02-16 12:24:35 | 338c | X-CSTP-MSIE-Proxy-Lockdown: true
2025-02-16 12:24:35 | 338c | X-CSTP-Smartcard-Removal-Disconnect: true
2025-02-16 12:24:35 | 338c | X-DTLS-Session-ID: 2CA4B48149DA86AC4ECF7306ED0DCEEC9AAF659A9C6D81C05D8AAA050A54DCBE
2025-02-16 12:24:35 | 338c | X-DTLS-Port: 443
2025-02-16 12:24:35 | 338c | X-DTLS-Keepalive: 20
2025-02-16 12:24:35 | 338c | X-DTLS-DPD: 30
2025-02-16 12:24:35 | 338c | X-CSTP-MTU: 1280
2025-02-16 12:24:35 | 338c | X-DTLS-MTU: 1280
2025-02-16 12:24:35 | 338c | X-DTLS12-CipherSuite: ECDHE-RSA-AES256-GCM-SHA384
2025-02-16 12:24:35 | 338c | X-CSTP-Routing-Filtering-Ignore: false
2025-02-16 12:24:35 | 338c | X-CSTP-Quarantine: false
2025-02-16 12:24:35 | 338c | X-CSTP-Disable-Always-On-VPN: false
2025-02-16 12:24:35 | 338c | X-CSTP-Client-Bypass-Protocol: false
2025-02-16 12:24:35 | 338c | X-CSTP-TCP-Keepalive: true
2025-02-16 12:24:35 | 338c | X-CSTP-Post-Auth-XML: <elided>
2025-02-16 12:24:35 | 338c | CSTP connected. DPD 30, Keepalive 20
2025-02-16 12:24:35 | 338c | UDP SO_SNDBUF: 40960
2025-02-16 12:24:35 | 338c | DTLS initialised. DPD 30, Keepalive 20
2025-02-16 12:24:35 | 338c | Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
2025-02-16 12:24:35 | 338c | Initiating MTU detection (min=576, max=1280)
2025-02-16 12:24:35 | 338c | No change in MTU after detection (was 1280)
2025-02-16 12:24:35 | 338c | Using generated interface name x.x.x.x_13e1cdca
2025-02-16 12:24:35 | 338c | Script 'C:/Program Files/OpenConnect-GUI\vpnc-script.js' returned error 1
2025-02-16 12:24:35 | 338c | Failed to spawn script 'C:/Program Files/OpenConnect-GUI\vpnc-script.js' for pre-init: The operation completed successfully.
2025-02-16 12:24:35 | 338c | Ignoring non-matching interface "Ethernet 2"
2025-02-16 12:24:35 | 338c | 0: Using existing driver 0.14
2025-02-16 12:24:35 | 338c | 0: Creating adapter
2025-02-16 12:24:36 | 338c | Ignoring non-matching interface "Ethernet 2"
2025-02-16 12:24:36 | 338c | Loaded Wintun v0.14
2025-02-16 12:24:36 | 338c | Using Wintun device 'x.x.x.x_13e1cdca', index 48
2025-02-16 12:24:36 | 338c | WARNING: Support for Wintun is experimental and may be unstable. If you
encounter problems, install the TAP-Windows driver instead. See
https://www.infradead.org/openconnect/building.html
2025-02-16 12:24:36 | 338c | Script 'C:/Program Files/OpenConnect-GUI\vpnc-script.js' returned error 1
2025-02-16 12:24:36 | 338c | Failed to spawn script 'C:/Program Files/OpenConnect-GUI\vpnc-script.js' for connect: The operation completed successfully.
2025-02-16 12:24:36 | 338c | Could not open C:\Users\swaru\AppData\Local\Temp\vpnc.log: The system cannot find the file specified.
2025-02-16 12:24:55 | 338c | Send CSTP Keepalive
2025-02-16 12:25:05 | 338c | Send DTLS DPD
2025-02-16 12:25:05 | 338c | Send CSTP DPD
2025-02-16 12:25:05 | 338c | Got DTLS DPD response
2025-02-16 12:25:05 | 338c | Got CSTP DPD responseipconfig
Unknown adapter x.x.x.x_13e1cdca:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::aad1:6d8a:6810:6c29%48
Autoconfiguration IPv4 Address. . : 169.254.6.67
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :Possible fixes
From the logs, it looks like the Script C:/Program Files/OpenConnect-GUI\vpnc-script.js is not getting executed. Maybe that fixes the issue.
Edited by Swarup Sengupta