Dan
Though I agree with what you said (about openconnect just swallowing the poorly 
configured ip routes and squawking about it), and the patch is done - I’ve 
already sorted out the split routes at the Palo Alto end.  And of course all my 
routes are there now.

I would note that if this second unexpected value is new to you, I am running 
PanOS 9.1.2.  These 9.1 and later releases added a lot of UserID features 
(which I use heavily for my GP clients).  I love the granularity of the access 
control.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information

I do not use IPv6.  Lemme take a look at that and see if I’m up to tinkering 
with it.
With the ever increasing number of people working from home, I’ve spent a lot 
more time in recent days focusing on granting more and more access.

Thank You again for setting me straight.

- grant

On Apr 23, 2020, at 12:51, Daniel Lenski <[email protected]> wrote:

Glad that helped. Although it is a bad idea to include non-canonical IPv4 route 
specifications, because we don't know what all other platforms and routing 
utilities will do with them, it would be better for OpenConnect to notice 
these, fix them when it receives them, and warn the user loudly. I've created a 
patch to do that: https://gitlab.com/openconnect/openconnect/-/merge_requests/97

> I would like to pay it forward.
> If you’d like to troubleshoot those unexpected argument values, I want to 
> help.

Thanks. Unfortunately, the unknown argument values you have aren't very 
interesting (not your fault of course 😂)…

> GlobalProtect login returned unexpected argument value arg[19]=4
> GlobalProtect login returned unexpected argument value arg[20]=unknown

The first we've seen many times. Still don't have any clue what it means 
(possibly it means “default to using IPv4”, but that's sheer speculation). This 
is the first time I've seen the second one, but it also doesn't mean much.

Really, the only feature of GP itself that we don't understand is how IPv6 
connectivity is set up. It sounds like you have some administrative access to 
configure your VPN. If you're feeling ambitious, try setting up some IPv6 
routes and help us figure out how IPv6 address information is configured, over 
at https://gitlab.com/openconnect/openconnect/issues/79

Dan
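
The check described in the message above (notice a non-canonical IPv4 route, fix it, warn loudly), as an added example that is not part of the thread and not OpenConnect's code from the linked merge request. It assumes routes arrive in CIDR form and that "non-canonical" means address bits set beyond the prefix length; `canonicalize_route` and the sample routes are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not OpenConnect's implementation.
 * Parses "a.b.c.d/len" (CIDR form is an assumption), clears any address
 * bits beyond the prefix, and writes the canonical route to out.
 * Returns 0 if already canonical, 1 if it was fixed, -1 if unparseable. */
int canonicalize_route(const char *route, char *out, size_t outlen)
{
    char addr[INET_ADDRSTRLEN];
    unsigned len;
    char trailing;
    struct in_addr in;

    /* Exactly two fields must match: address and prefix, nothing after. */
    if (sscanf(route, "%15[0-9.]/%u%c", addr, &len, &trailing) != 2 || len > 32)
        return -1;
    if (inet_pton(AF_INET, addr, &in) != 1)
        return -1;

    /* Netmask in network byte order; /0 is special-cased to avoid a 32-bit shift. */
    uint32_t mask = len ? htonl(0xffffffffu << (32 - len)) : 0;
    uint32_t net = in.s_addr & mask;
    int fixed = (net != in.s_addr);

    in.s_addr = net;
    if (!inet_ntop(AF_INET, &in, addr, sizeof(addr)))
        return -1;
    snprintf(out, outlen, "%s/%u", addr, len);
    if (fixed)
        fprintf(stderr, "WARNING: non-canonical route %s, using %s\n", route, out);
    return fixed;
}

int main(void)
{
    /* Constructed sample routes, not taken from the thread. */
    const char *samples[] = { "192.168.10.0/24", "192.168.10.37/24", "10.1.2.3/8", "bogus" };
    char out[32];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = canonicalize_route(samples[i], out, sizeof(out));
        printf("%-18s -> %s\n", samples[i], rc < 0 ? "(rejected)" : out);
    }
    return 0;
}
```
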


