When using OpenConnect to connect to a Cisco AnyConnect VPN, specifying the group name via the command line (-g flag) sometimes fails with an "Invalid host entry" error, while interactive authentication works fine. Here's the behavior comparison:
# Working interactive authentication
openconnect -v -u username vpn-gw1.example.com
# Failing command-line group specification
openconnect -v -g GROUPNAME -u username vpn-gw1.example.com
The issue typically occurs because of:
- URL encoding requirements for special characters in group names
- Different authentication flows between interactive and non-interactive modes
- Server-side validation of the group parameter format
Solution 1: URL Encoding the Group Name
Try encoding special characters in your group name:
# For group "CLUSTER-DLCE"
openconnect -v -g CLUSTER%2dDLCE -u username vpn-gw1.example.com
Solution 2: Using the Full Authentication URL
Some VPN servers require the full authentication path:
openconnect -v -g "https://vpn-gw1.example.com/CLUSTER-DLCE" -u username vpn-gw1.example.com
Solution 3: Combining with --authenticate
For complex setups, try the authentication step separately:
# First authenticate only: --authenticate prints COOKIE, HOST and FINGERPRINT as shell variable assignments
eval "$(openconnect --authenticate -g CLUSTER-DLCE -u username vpn-gw1.example.com)"
# Then connect with the cookie, pinning the server certificate reported by the first step
[ -n "$COOKIE" ] && echo "$COOKIE" | openconnect --cookie-on-stdin --servercert "$FINGERPRINT" "$HOST"
When all else fails, you can automate the interactive process:
#!/bin/bash
expect <
For deeper investigation, use these techniques:
# Increase verbosity
openconnect -vvvv -g GROUPNAME -u username vpn-gw1.example.com
# Check the raw server response (-k disables certificate verification, so use it only while debugging)
curl -v -k -d "group_list=GROUPNAME" https://vpn-gw1.example.com
When working with OpenConnect (the open-source alternative to Cisco AnyConnect), many users encounter authentication failures when specifying VPN groups via the -g parameter. The error message "Invalid host entry" appears misleading since the identical group name works during interactive authentication.
Cisco AnyConnect servers typically handle group authentication through XML POST requests. The server expects specific formatting for group names that differs between interactive and command-line input methods.
- Interactive mode succeeds:
openconnect -v -u user vpn.example.com
- Command-line group fails:
openconnect -v -g GROUPNAME -u user vpn.example.com
- The error occurs after password entry, suggesting an authentication sequence issue
Here are three working approaches to specify VPN groups:
Method 1: URL Encoding
openconnect -v -g "GROUP%7CSUBGROUP" -u user vpn.example.com
Method 2: Pipe Character Escaping
openconnect -v -g "GROUP\\|SUBGROUP" -u user vpn.example.com
Method 3: Configuration File
# ~/.openconnect (load it with: openconnect --config ~/.openconnect vpn.example.com)
user=your_username
authgroup=GROUP|SUBGROUP
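As an added example (not code from the original article), here is a small POSIX shell helper that percent-encodes every non-alphanumeric ASCII byte of a group name, producing the %7C and %2D forms used in Solution 1 and Method 1 above, so group names containing |, -, / or spaces can be passed to -g without hand-encoding. The encode_group function name and the sample group names are constructed for this example; the final openconnect line is left as a comment because running it would open a real VPN session.

```shell
#!/bin/sh
# Added example: percent-encode an AnyConnect group name for the -g flag.
# Every byte that is not an ASCII letter or digit is replaced by %XX, so
# "GROUP|SUBGROUP" becomes "GROUP%7CSUBGROUP" and "CLUSTER-DLCE" becomes
# "CLUSTER%2DDLCE". ASCII input only; the sample names below are constructed.
encode_group() {
    input=$1
    out=""
    while [ -n "$input" ]; do
        rest=${input#?}              # everything after the first character
        ch=${input%"$rest"}          # the first character itself
        case "$ch" in
            [A-Za-z0-9]) out="$out$ch" ;;
            *) out="$out$(printf '%%%02X' "'$ch")" ;;  # byte value of $ch as %XX
        esac
        input=$rest
    done
    printf '%s\n' "$out"
}

# Constructed sample group names, including the two forms the article uses
for group in 'CLUSTER-DLCE' 'GROUP|SUBGROUP' 'Remote Access/Staff'; do
    printf '%-20s -> %s\n' "$group" "$(encode_group "$group")"
done

# Real invocation (commented out here because it would open a VPN session):
# openconnect -v -g "$(encode_group 'GROUP|SUBGROUP')" -u user vpn.example.com
```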
For deeper investigation:
openconnect --dump-http-traffic -vvv -g "GROUPNAME" -u user vpn.example.com
Check for these key details in the output:
- XML POST request formatting
- Server response headers
- Authentication redirections
For complex authentication flows:
#!/usr/bin/expect -f
# The password is stored in plaintext in this script, so keep the file readable only by its owner.
# If sudo prompts for its own password first, the GROUP expectation times out; run it with a cached
# sudo session or as root.
spawn sudo openconnect -v -u user vpn.example.com
expect "GROUP:"
send "GROUPNAME\r"
expect "Password:"
send "your_password\r"
# Hand the session back to the terminal so the tunnel stays up and can be stopped with Ctrl-C
interact
Some Cisco ASA configurations require:
- URL-encoded forward slashes
- Specific XML namespace declarations
- Strict content-type headers