OpenConnect 8.20 breaks connection attempt (invalid IP4 config received: no valid IP address/prefix)
After upgrading to OpenConnect 8.20, I can no longer connect to my work VPN via NetworkManager.
I get the error message 'invalid IP4 config received: no valid IP address/prefix'.
Connecting from the command line still works, so I think it's a NetworkManager issue where it fails to detect the IP I was given.
As seen from the log below, I've been given an IP address (172.a.b.c).
Reverting to 8.10 lets me connect as normal.
The difference seems to be these strings when comparing 8.20 to 8.10 output: on 8.20: 'Configured as 172.a.b.c, with SSL connected and ESP disabled' vs. this on 8.10: 'Connected as 172.a.b.c, using SSL, with ESP disabled'
Note that the HIP WARNING is present on both versions.
I was originally using Arch Linux's package (1.2.7dev+65+gca4187c5-1), but I tried pulling master and building it (1.2.7dev+101+gaff50e94-1), but it did not solve the issue.
NetworkManager journald log with 8.20:
Mar 03 12:21:26 host NetworkManager[2768]: POST https://x.x.x.x/ssl-vpn/getconfig.esp
Mar 03 12:21:26 host NetworkManager[2768]: Attempting to connect to server x.x.x.x:443
Mar 03 12:21:26 host NetworkManager[2768]: Connected to x.x.x.x:443
Mar 03 12:21:26 host NetworkManager[2768]: SSL negotiation with x.x.x.x
Mar 03 12:21:26 host NetworkManager[2768]: Server certificate verify failed: signer not found
Mar 03 12:21:26 host NetworkManager[2768]: Connected to HTTPS on x.x.x.x with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Mar 03 12:21:26 host NetworkManager[2768]: Got HTTP response: HTTP/1.1 200 OK
Mar 03 12:21:26 host NetworkManager[2768]: Date: Thu, 03 Mar 2022 11:21:26 GMT
Mar 03 12:21:26 host NetworkManager[2768]: Content-Type: application/xml; charset=UTF-8
Mar 03 12:21:26 host NetworkManager[2768]: Content-Length: 1146
Mar 03 12:21:26 host NetworkManager[2768]: Connection: keep-alive
Mar 03 12:21:26 host NetworkManager[2768]: Pragma: no-cache
Mar 03 12:21:26 host NetworkManager[2768]: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Mar 03 12:21:26 host NetworkManager[2768]: Expires: Thu, 19 Nov 1981 08:52:00 GMT
Mar 03 12:21:26 host NetworkManager[2768]: X-FRAME-OPTIONS: DENY
Mar 03 12:21:26 host NetworkManager[2768]: Set-Cookie: PHPSESSID=xxxxxx; secure; HttpOnly
Mar 03 12:21:26 host NetworkManager[2768]: Strict-Transport-Security: max-age=31536000;
Mar 03 12:21:26 host NetworkManager[2768]: X-XSS-Protection: 1; mode=block
Mar 03 12:21:26 host NetworkManager[2768]: X-Content-Type-Options: nosniff
Mar 03 12:21:26 host NetworkManager[2768]: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
Mar 03 12:21:26 host NetworkManager[2768]: HTTP body length: (1146)
Mar 03 12:21:26 host NetworkManager[2768]: Tunnel timeout (rekey interval) is 840 minutes.
Mar 03 12:21:26 host NetworkManager[2768]: Idle timeout is 840 minutes.
Mar 03 12:21:26 host NetworkManager[2768]: Unknown GlobalProtect config tag <exclude-video-redirect>: yes
Mar 03 12:21:26 host NetworkManager[2768]: Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
Mar 03 12:21:26 host NetworkManager[2768]: TCP_INFO rcv mss 1460, snd mss 1460, adv mss 1460, pmtu 1500
Mar 03 12:21:26 host NetworkManager[2768]: Using base_mtu of 1500
Mar 03 12:21:26 host NetworkManager[2768]: After removing TCP/IPv4 headers, MTU of 1460
Mar 03 12:21:26 host NetworkManager[2768]: After removing protocol specific overhead (5 unpadded, 0 padded, 1 blocksize), MTU of 1455
Mar 03 12:21:26 host NetworkManager[2768]: No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
Mar 03 12:21:26 host NetworkManager[2768]: POST https://x.x.x.x/ssl-vpn/hipreportcheck.esp
Mar 03 12:21:26 host NetworkManager[2768]: Got HTTP response: HTTP/1.1 200 OK
Mar 03 12:21:26 host NetworkManager[2768]: Date: Thu, 03 Mar 2022 11:21:26 GMT
Mar 03 12:21:26 host NetworkManager[2768]: Content-Type: application/xml; charset=UTF-8
Mar 03 12:21:26 host NetworkManager[2768]: Content-Length: 137
Mar 03 12:21:26 host NetworkManager[2768]: Connection: keep-alive
Mar 03 12:21:26 host NetworkManager[2768]: X-Content-Type-Options: nosniff
Mar 03 12:21:26 host NetworkManager[2768]: Pragma: no-cache
Mar 03 12:21:26 host NetworkManager[2768]: Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Mar 03 12:21:26 host NetworkManager[2768]: Content-Security-Policy: default-src 'self'
Mar 03 12:21:26 host NetworkManager[2768]: Expires: Thu, 19 Nov 1981 08:52:00 GMT
Mar 03 12:21:26 host NetworkManager[2768]: X-FRAME-OPTIONS: DENY
Mar 03 12:21:26 host NetworkManager[2768]: Strict-Transport-Security: max-age=31536000;
Mar 03 12:21:26 host NetworkManager[2768]: X-XSS-Protection: 1; mode=block
Mar 03 12:21:26 host NetworkManager[2768]: X-Content-Type-Options: nosniff
Mar 03 12:21:26 host NetworkManager[2768]: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
Mar 03 12:21:26 host NetworkManager[2768]: HTTP body length: (137)
Mar 03 12:21:26 host NetworkManager[2768]: Gateway says HIP report submission is needed.
Mar 03 12:21:26 host NetworkManager[2768]: WARNING: Server asked us to submit HIP report with md5sum 6f42412344a9c393b43e3046cb510d35.
Mar 03 12:21:26 host NetworkManager[2768]: VPN connectivity may be disabled or limited without HIP report submission.
Mar 03 12:21:26 host NetworkManager[2768]: You need to provide a --csd-wrapper argument with the HIP report submission script.
Mar 03 12:21:26 host NetworkManager[2768]: Connecting to HTTPS tunnel endpoint ...
Mar 03 12:21:26 host NetworkManager[2768]: Set up UDP failed; using SSL instead
Mar 03 12:21:26 host NetworkManager[2768]: Configured as 172.a.b.c, with SSL connected and ESP disabled
Mar 03 12:21:26 host NetworkManager[2768]: Session authentication will expire at Fri Mar 4 12:21:26 2022
Mar 03 12:21:26 host openconnect[2768]: SIOCSIFMTU: Operation not permitted
Mar 03 12:21:26 host NetworkManager[704]: <warn> [1646306486.5755] vpn[0x555ef8b36120,040f8208-cd33-45b7-8f5a-8805f67317d1,"VPN",if:3,dev:2:(vpn0)]: invalid IP4 config received: no valid IP address/prefix
Mar 03 12:21:26 host NetworkManager[704]: <warn> [1646306486.5755] vpn[0x555ef8b36120,040f8208-cd33-45b7-8f5a-8805f67317d1,"VPN",if:3,dev:2:(vpn0)]: did not receive valid IP config information
Mar 03 12:21:26 host openconnect[2768]: POST https://x.x.x.x/ssl-vpn/logout.esp
Mar 03 12:21:26 host openconnect[2768]: SSL negotiation with x.x.x.x
Mar 03 12:21:26 host openconnect[2768]: Server certificate verify failed: signer not found
Mar 03 12:21:26 host openconnect[2768]: Connected to HTTPS on x.x.x.x with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Mar 03 12:21:26 host openconnect[2768]: Logout successful.
Mar 03 12:21:26 host openconnect[2768]: User cancelled (SIGINT/SIGTERM); exiting.