Installing and using the Cisco AnyConnect client with Debian and Ubuntu for UCI VPN

by Jeff Stern. [last updated April 27, 2017]

(Note: There is also an alternative method of installing UCI VPN support without using the Cisco client, but using the built-in Debian/Ubuntu openconnect and openvpn drivers, should you find the below method does not work for you, or if you prefer to use open-source non-proprietary software.)


OIT has a good general VPN-Linux page with instructions on setting up the Cisco AnyConnect VPN client software for Linux, but I got tripped up in a couple of places and thought I'd pass on some heads-ups for other Debian and Ubuntu users.

I originally wrote this "How-To" for Ubuntu v10, and have updated it through v17.04. It should work for most or all Debian-derived distributions including Ubuntu and its derivatives.

Please do write me to let me know how it went for you, and/or with any suggestions. I'd love to hear that it helped someone and/or any improvements that could be added.

Thanks to several for the help getting here.


To get the Cisco VPN client working for an Ubuntu system, you'll need to install at least the Cisco AnyConnect client (Section 1). This gives you the core VPN functionality -- a shell vpn command to connect to / disconnect from the UCI VPN. KDE users (like myself) will have to use this method and stop here.

If you run a Gnome-based desktop, you can also optionally add the Linux NetworkManager OpenConnect GUI icon to connect and disconnect from the UCI VPN using your mouse. (Section 2)

Section 1: Installing and Using Core VPN Functionality (Cisco AnyConnect client)


  1. First, make sure you have the necessary Debian/Ubuntu support packages installed:
    $ sudo apt-get update
    $ sudo apt-get install lib32z1 lib32ncurses5
  2. Go to the Download site.
  3. Log in with your UCINetID if it asks.
  4. In the "Free-form query" field to the right, just type in "vpn" and hit Enter
  5. If, in the "UCI only information" section, you see a "Please login..." link, then click on it and log in again using your UCINetID.
  6. You should now see a list of VPN clients to choose from. Click on Linux 32-bit AnyConnect or Linux 64-bit AnyConnect, depending on your system, and click Download my choice. Most people are on 64-bit machines now. If you are unsure, just run:
    $ uname -a
    Linux sporkula 3.19.0-31-lowlatency #36-Ubuntu SMP PREEMPT Wed Oct 7 15:44:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
    As you can see from the above example, I am on a 64-bit Intel (x86_64) based processor. If you see a '386' somewhere, then you are on a 32-bit machine.
  7. Save the anyconnect-predeploy-linux-64-3.1.11004-k9.tar.gz (or some similarly-named) file to your computer. The following instructions assume you stored it in your Downloads directory under your home dir.
  8. Now, open a terminal and..
    $ cd ~/Downloads
    $ tar zxvf anyconnect-predeploy-linux-64-3.1.11004-k9.tar.gz
    $ cd anyconnect-3.1.11004/vpn
    $ sudo ./
  9. Accept the terms and let it finish.
    Do you accept the terms in the license agreement? [y/n] y
    You have accepted the license agreement.
    Please wait while Cisco AnyConnect Secure Mobility Client is being installed...
    Starting Cisco AnyConnect Secure Mobility Client Agent...
  10. If you get the following message at the end instead:
    Failed to start vpnagentd.service: Unit vpnagentd.service failed to load: No such file or directory.
    it most likely means you did not install the two Ubuntu packages up in step 1, above.
  11. Now reload systemd, scanning for new or changed units:
    $ sudo systemctl daemon-reload
  12. The vpn client should now have been installed on your system and the vpnagentd process started. You can verify this by looking at the active processes:
    $ ps auxw | grep vpnagentd | grep -v grep
       root      3049  0.0  0.2 165960  8356 ?        Sl   09:07   0:04 /opt/cisco/anyconnect/bin/vpnagentd
  13. During the installation, the vpnagentd daemon should also have been set up to start each time your system is booted. To verify (the pattern is quoted so the shell passes it to find unexpanded):
    $ find /etc/rc?.d -type l -name '*vpnagentd*'
    $ ls -l /etc/rc?.d/*vpn*
       lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc2.d/K25vpnagentd -> /etc/init.d/vpnagentd*
       lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc2.d/S85vpnagentd -> /etc/init.d/vpnagentd*
       lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc3.d/K25vpnagentd -> /etc/init.d/vpnagentd*
       lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc3.d/S85vpnagentd -> /etc/init.d/vpnagentd*
       lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc4.d/K25vpnagentd -> /etc/init.d/vpnagentd*
       lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc4.d/S85vpnagentd -> /etc/init.d/vpnagentd*
       lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc5.d/K25vpnagentd -> /etc/init.d/vpnagentd*
       lrwxrwxrwx 1 root root 21 Jun  5 09:07 /etc/rc5.d/S85vpnagentd -> /etc/init.d/vpnagentd*
  14. Make an alias to point to the vpn command, so that you only have to type, "vpn" to start it. Insert the following line into either your ~/.bashrc or ~/.bash_aliases file:
    alias vpn='/opt/cisco/anyconnect/bin/vpn'
    and you can do the same for their windowed version:
    alias vpnui='/opt/cisco/anyconnect/bin/vpnui'
  15. Now sign out and back in so that the alias takes effect.

Connecting (via command-line)

  1. To start the client from a command-line prompt in a terminal window, using the alias you made above:
    $ vpn
  2. At the VPN> prompt, type connect and press Enter. You will now see:
    VPN> connect
       >> Please enter your UCInetID and password.
       0) Default-WebVPN
       1) Merage
       2) MerageFull
       3) UCI
       4) UCIFull
    If you do not see this, but get a connect error instead, please see NOTE 1 - Connect Error below.
  3. Ignore the message about entering your UCInetID and password, for now.
  4. Choose one of the choices by number and press return -- usually UCI or UCIFull. (See the differences in the Tunnels below.) For instance, for UCI, press 3 and hit Enter.
  5. Enter your UCInetID and password in the Username and Password boxes and press return.
  6. At the accept? [y/n]: prompt, type y and press Enter. You may get several notices the first time about the downloader performing update checks. At the end you should see a >> state: Connected message and a new VPN> prompt. You are now connected.
  7. Either leave the VPN> prompt open or if you want your terminal back just type quit at the VPN> prompt (the connection will remain active).

NOTE 1 - Connect-error

In most cases I have seen, a connection is made. I have, however, seen the below error before only once. It was when the person was installing on a netbook (running Gnome) which was on campus and using the campus wifi system (though I don't know if those factors were the cause). It didn't matter if they answered y or n, they continued to get the error and be denied connection.


VPN> connect
  >> contacting host ( for login information...
  >> notice: Contacting
VPN> AnyConnect cannot verify the VPN server:
    - Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted VPN servers unless the
reason for the error condition is known.

Connect Anyway? [y/n]: 

Update 2015-12-6: "Robert" wrote me with a solution to this:

Thank you, Robert!

To disconnect

  1. At the VPN> prompt, type disconnect and hit Enter.

To exit

  1. At the VPN> prompt, type quit and hit return.

De-installation / Removal

  1. Run
    $ sudo /opt/cisco/anyconnect/bin/

Section 2: Installing and Using NetworkManager Icon (GUI)

Having installed the core VPN functionality (in Section 1 above), you
can actually stop there if you prefer, and from now on, just connect
and disconnect using your terminal per the above instructions.

If, however, you're using a Gnome-based desktop environment, you
also have the option of connecting and disconnecting to the VPN via
the NetworkManager icon.  Instructions for adding that functionality
are below. (If you do install the NetworkManager icon functionality,
you can still use the command-line method, too.)
  1. Install core VPN functionality (above)
  2. Install Ubuntu Network Manager plugins

    in a terminal, type:

    sudo apt-get install network-manager-openconnect
    (or install via Synaptic)

  3. Configure a NetworkManager VPN profile for UCI

    1. find the "Network Manager" icon in your System Tray on your desktop.

      [Screenshots: Ubuntu 10.04 with Gnome desktop; Xubuntu 13.04 with Xfce desktop]
    2. click on that Network manager icon, and choose VPN Connections->Configure VPN(1)
    3. click Add
    4. choose Cisco AnyConnect Compatible VPN (openconnect) and click Create
    5. Connection name: anything you want, e.g., UCI.
    6. Gateway:
    7. User name: leave blank.
    8. hit Apply and then Close (or just Save)
  4. Connect/Disconnect

    (From now on, all you should have to do is this section any time you want to connect.)


    1. click on the Network Manager icon in your system tray and choose VPN Connections->UCI (or whatever you named your connection).
    2. click on the "plug" icon to the right of the

    3. choose your Group. This corresponds to the VPN Connection Tunnels documented on UCI's VPN-for-Linux page. For better speed when making non-UCI connections, I usually just choose the UCI "split tunnel" group (the name would probably communicate more if it were called UCI-only).
    4. fill in Username and Password with your UCINETID credentials
    5. click Login

    now all your connections to UCI (web, ssh, ftp, etc.) will be through the VPN until you disconnect.


    1. when you're done using the UCI VPN, just left-click on the Network Manager icon in your system tray and choose VPN Connections->Disconnect VPN.
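
To confirm which kind of tunnel a connection actually gave you (the UCI "split tunnel" group versus a group that sends everything through the VPN, with either the command-line or the NetworkManager method above), the following added example, which is not part of the original how-to, classifies the output of ip -4 route show. The function name, the interface-name prefixes (cscotun, tun, vpn) and the sample routing tables are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify the VPN tunnel mode from `ip -4 route show` output.
# Reads the routing table on stdin; arguments are tunnel interface-name
# prefixes (assumed here: cscotun for the Cisco client, tun/vpn for openconnect).
classify_tunnel() {
    awk -v prefixes="$*" '
        BEGIN { n = split(prefixes, pfx, " ") }
        function is_tunnel(dev,   k) {
            for (k = 1; k <= n; k++)
                if (index(dev, pfx[k]) == 1) return 1
            return 0
        }
        {
            dev = ""; metric = 0
            for (i = 1; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev == "") next
            tun = is_tunnel(dev)
            if (tun) routes++
            # The lowest-metric default route decides where "everything else" goes.
            if ($1 == "default" && (best == "" || metric < bestm)) {
                best = tun ? "tunnel" : "physical"; bestm = metric
            }
            # A 0.0.0.0/1 + 128.0.0.0/1 pair overrides any default route.
            if (tun && $1 == "0.0.0.0/1")   lo = 1
            if (tun && $1 == "128.0.0.0/1") hi = 1
        }
        END {
            if (!routes)                             print "no-tunnel"
            else if ((lo && hi) || best == "tunnel") print "full"
            else                                     print "split"
        }'
}

# Constructed sample tables (documentation address ranges, not real campus networks).
SPLIT_SAMPLE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
198.51.100.0/24 dev cscotun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'
FULL_SAMPLE='default dev cscotun0 scope link
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'

echo "split sample -> $(printf '%s\n' "$SPLIT_SAMPLE" | classify_tunnel cscotun tun vpn)"
echo "full sample  -> $(printf '%s\n' "$FULL_SAMPLE" | classify_tunnel cscotun tun vpn)"
# On a live system: ip -4 route show | classify_tunnel cscotun tun vpn
```

The check reads only the main routing table, so policy-routing rules (ip rule) are not taken into account. A "split" result means non-campus traffic leaves through your ordinary network interface, unprotected by the VPN.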

Additional Hints, Tips, and Handling of Errors and Problems Contributed by Users

Several people have written in to me with some additional tips and solutions which I'll add here:

Contact / Feedback

Please email me to let me know how this process went for you, and/or with any suggestions for improvement on this page itself. Thanks.


Thanks to:

  1. Mike Iglesias and Sylvia Bass at UCI's OIT for putting up the link to here from their VPN-Linux page.
  2. a page at Georgia Tech (now defunct), from which Section 2 was originally adapted.
  3. Joe Remenak for clear, concise feedback on some additional steps (1 and 11) necessary now for the newer 64-bit Ubuntus.
  4. Tom Distler, for the Tux/Cisco image at the top of this page, which I mooched from his page, How to connect Linux to a Cisco VPN using a PCF file.


(1) or from the main desktop menu, click System->Preferences->Network Connections and select the VPN tab. OR from the main desktop menu, click Settings Manager->Hardware->Network Connections. One of these (or something like them) should get you in the ballpark. (Don't you just love the Linux desktop zoo???)

Last Updated Oct 22 2015