MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.

The VPN client was unable to successfully verify the IP forwarding table modification.  A VPN connection will not be established.
I started running into issue utilizing Cisco AnyConnect on my Mac basically complaining about not able to overwrite IP forwarding tables.  This was on 4.6.x.  Since my VPN endpoints were not providing me w/ an updated client and w/ no access to Cisco Anyconnect downloads, my only option was to try openconnect.  It was totally worth it, here is why and how to set it up.


Installing OpenConnect:
  • Launch MacOS Terminal
  • brew install openconnect
Getting VPN IP's/DNS Endpoints from AnyConnect:
The information is typically located in your profile xml files located here:

In the xml file, you are looking for "<HostAddress></HostAddress>" entry.  These are your VPN endpoints that you would need to pass to openconnect.

Using OpenConnect:
For the sake of simplicity right now, you would now just type in your MacOS Terminal:

  • openconnect
Depending upon the VPN setup, you would be prompted for a multitude of things, but this behavior should be no different from the Cisco AnyConnect client minus the GUI aspect.  There is an openconnect-gui version too if you REALLY want a GUI.  I personally prefer the cli version since there are some interesting fancy things, that are obvious to me, that I can do.

Optional/Alternative OpenConnect:

  • brew cask install openconnect-gui

Some extra interesting things you can do w/ openconnect is integrate it w/ you RSA token using a tool called stoken.  To install, use brew once again.

  • brew install stoken
Stoken integrates nicely w/ Openconnect.  If a token is detected by openconnect via stoken, it will simply prompt you for your PIN and username.  To import your RSA token, it must be software based, specific instructions on how to do so is here:

OpenConnect sudo bypass
OpenConnect requires elevated privileges to run.  You can bypass this requirement by augmenting your sudoers configuration.  To do this safely, recommend you use visudo to create your customizations.  I created two config files.  One for an alias and one granting my account the ability to run that alias w/o a password.

  • sudo visudo /etc/sudoers.d/openconnect
    • Cmnd_Alias OPENCONNECT = /usr/local/bin/openconnect
      • Above assumes you installed via brew.  Path would be different if it was installed by other means.
  • sudo visudo /etc/sudoers.d/sudouser
    • yourusername   ALL=(ALL:ALL) NOPASSWD: OPENCONNECT
Once you save and write these files, you will be able to call openconnect w/o being prompted for password elevation.  You can do these same steps for any command you want to run elevated automatically and just append to your sudouser file the additional alias.


This is a niche tool, but is useful if you happen to connect to different VPNs or sshuttle connections throughout the day.

  • brew install vpn-slice
With vpn-slice, you can do things like redirect specific URL calls through your VPN while keeping all your other traffic over things like sshuttle or plain internet.  The one downside is that you still have to be somewhat specific in your calls.  Like you couldn't just do a base domain name.  This is how it looks w/ openconnect:
  • openconnect https://yourvpnserverEndpoint -s 'vpn-slice my.intranet.local another.intranet.local'
More examples for vpn-slice can be found here:


Popular posts from this blog

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

NSX-T: Release associated invalid node ID from certificate