Problem with openconnect and NAT for HTTP requests

David Woodhouse dwmw2 at
Thu Jan 12 04:53:00 EST 2012

On Thu, 2012-01-12 at 09:36 +0000, Mark Round wrote:
> I then log into another system and route traffic to the remote VPN
> through my Ubuntu openconnect system. This appears to work fine for
> ICMP, SSH, MySQL and so on - but for some reason, I cannot seem to
> NAT HTTP traffic. On the Ubuntu gateway itself, HTTP access works as
> expected - no problems.

Can't read tcpdump now; baby shouting. First suspect would be MTU
issues. Make 100% sure all ICMP is working and not blocked. Your NAT
client can ping the HTTP server you're testing with? If not, fix that
first. You may sometimes have to shoot some incompetent IT muppets who
are addicted to security-by-voodoo to fix that.

Try clamping the MSS, or temporarily set the local Ethernet MTU, on the
NAT client, to the same as on the VPN.
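As an added example (not part of David's reply or of the openconnect project), the following POSIX shell script turns the suggestions above into concrete commands: the ICMP/PMTUD pre-check from the NAT client, the MSS clamp on the Ubuntu gateway (either derived from the path MTU or pinned to the VPN MTU), and the temporary LAN-side MTU change. The interface names tun0 and eth0, the fallback VPN MTU of 1406 and the server address 192.0.2.10 are assumed placeholders; the script only prints the commands unless run with the argument `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and optionally apply) the
# MSS-clamp, MTU-probe and MTU-change commands for an openconnect NAT gateway.
# Assumptions (placeholders, not from the thread): the openconnect tunnel is
# "tun0", the LAN side is "eth0", the VPN MTU is read from sysfs when possible.

# TCP MSS that fits in an IPv4 MTU: MTU minus 20 bytes IP header and 20 bytes TCP header.
tcp_mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# MTU of an interface from sysfs; prints 0 when the interface is absent so the
# script can still be used in print-only mode on another host.
iface_mtu() {
    if [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    else
        echo 0
    fi
}

# iptables rule clamping MSS on forwarded SYNs leaving through the VPN interface.
#   mss_clamp_rule pmtu  IFACE      - kernel derives MSS from the route's path MTU
#   mss_clamp_rule fixed IFACE MTU  - pin MSS to the value derived from MTU
mss_clamp_rule() {
    mode="$1"; iface="$2"; mtu="${3:-0}"
    base="iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS"
    case "$mode" in
        pmtu)  echo "$base --clamp-mss-to-pmtu" ;;
        fixed) echo "$base --set-mss $(tcp_mss_for_mtu "$mtu")" ;;
        *)     echo "mss_clamp_rule: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# The alternative suggested in the thread: temporarily lower the LAN-side MTU
# to the VPN MTU so no forwarded packet ever needs fragmenting.
lan_mtu_cmd() {
    echo "ip link set dev $1 mtu $2"
}

# Pre-check from the thread: the NAT client must reach the server with ICMP.
# A ping with DF set (iputils syntax) whose payload exactly fills the VPN MTU
# should succeed; one byte more should yield "Frag needed", and silence instead
# points at blocked ICMP (payload = MTU - 20 IP - 8 ICMP).
df_ping_cmd() {
    echo "ping -c 3 -M do -s $(( $2 - 28 )) $1"
}

main() {
    vpn_if="${VPN_IF:-tun0}"; lan_if="${LAN_IF:-eth0}"
    mtu=$(iface_mtu "$vpn_if")
    if [ "$mtu" -eq 0 ]; then
        echo "# $vpn_if not found; using an assumed VPN MTU of 1406" >&2
        mtu=1406
    fi
    echo "# 1. On the NAT client, confirm ICMP/PMTUD works towards the HTTP server:"
    df_ping_cmd "${HTTP_SERVER:-192.0.2.10}" "$mtu"
    echo "# 2. On the gateway, clamp MSS for forwarded TCP (preferred):"
    mss_clamp_rule pmtu "$vpn_if"
    echo "#    or pin it to the VPN MTU:"
    mss_clamp_rule fixed "$vpn_if" "$mtu"
    echo "# 3. Or, as a temporary test, lower the LAN MTU to the VPN MTU:"
    lan_mtu_cmd "$lan_if" "$mtu"
    if [ "${1:-}" = "apply" ]; then
        # Apply only the PMTU-based clamp; needs root on the gateway.
        eval "$(mss_clamp_rule pmtu "$vpn_if")"
    fi
}

main "$@"
```

The PMTU-based clamp is the safer default because the kernel recomputes the MSS if the VPN MTU changes between sessions; the fixed variant is useful when the tunnel's route has no usable PMTU. The DF ping is worth running from the NAT client before touching the gateway, since a clamp cannot help if ICMP is dropped somewhere on the path.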

