VPN help
Help for connecting to the University VPN
VPN login changes
From 14 May 2024, your SSO (single sign-on) login details will be requested through your default web browser when connecting to the VPN. If you have recently logged into another SSO-protected service in your browser, the login step may be skipped.
Some online resources can only be accessed by devices connected to the University's network or VPN.
Most services do not require you to use a VPN, but commonly restricted services are:
- HR Self-Service
- Restricted University web pages (like the IT Services Online Shop)
- Certain Bodleian Library resources (Oxford Libraries Information Platform)
- Departmental network drives
You may not be able to use the VPN service if:
- Your University card has expired
- You do not connect to the VPN using your single sign-on (SSO) details
- A specified VPN application is not being used or not up to date
- A specified VPN application is not available for your device or cannot be installed
- The use of a VPN is blocked by your internet service provider
The VPN service was updated in April 2023 to use your single sign-on (SSO) password. You must now provide your Oxford username in the format abcd1234@ox.ac.uk and your SSO password when connecting.
We are not aware of a way for the AnyConnect VPN application to remember your username or password.
To replace the password used for the VPN you must update your SSO password.
For issues due to the default web browser being used to provide the username, password and MFA details, the VPN application's internal web browser can be used instead by providing the server name as vpn.ox.ac.uk/cisco-browser when logging in.
Most VPN applications are not compatible with the University VPN service as they do not support multi-factor authentication (MFA).
Cisco AnyConnect and Cisco Secure Client are currently the only supported VPN applications; any others could stop working without notice.
The Cisco AnyConnect socket filter is installed along with the VPN on macOS devices and has a role in monitoring, routing and filtering network traffic on the VPN connections.
The socket filter runs all the time, but does not do anything when the VPN is not connected. If required, it can be removed if you delete the application "Cisco AnyConnect Socket Filter.app" then reboot.
| Operating system | Version check |
|---|---|
| Windows | Open Cisco Secure Client / AnyConnect, select , then check the version number is the same or higher than on our VPN download page |
| macOS | Open Cisco Secure Client / AnyConnect, check that the version number listed in the bottom-right of its window matches our VPN download page |
| Linux | Open Cisco Secure Client / AnyConnect, select , then check the version number is the same or higher than on our VPN download page |
| iOS | Check your device's app store to update Cisco Secure Client / AnyConnect |
| Android | Check your device's app store to update Cisco Secure Client / AnyConnect |
If you encounter issues connecting to printers and other devices on your local network whilst using the VPN:
- In Cisco Secure Client / AnyConnect, select the cog icon
- Select the Preferences tab
- Ensure Allow local (LAN) access when using VPN (if configured) is ticked
By default your network traffic is sent through the VPN while connected, with the following exceptions:
- High volume Microsoft traffic, such as Teams, to allow the service to have greater capacity.
- Local network traffic, so you can connect to devices such as printers and home assistants.
If you are concerned about the security of your network, you should instead connect to vpn.ox.ac.uk/tunnel-all to make all network traffic go through the VPN tunnel. You will still be able to connect to printers and other devices on your local network.
The VPN application requires an SSL tunnel and optionally a DTLS tunnel.
- SSL: TCP port 443
- DTLS: UDP port 443
The VPN application contacts the servers in the IP range 192.76.7.64/27.
The VPN application is given an IP address from the private IP range 10.1.32.0/20 or 10.10.64.0/18.
The private addresses are mapped by dynamic PAT to a public IP address in the IP range 129.67.116.0/22.
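For administrators of a network that filters outbound traffic, the following added example (not part of the original page or any University tooling) evaluates a first-match egress rule list against the ports and server range listed above and reports which tunnel would be blocked. The rule tuple format, the sample rules and the function names are assumptions made for illustration.

```python
import ipaddress

# Values stated on this page
VPN_SERVERS = ipaddress.ip_network("192.76.7.64/27")
REQUIRED = {"SSL": ("tcp", 443), "DTLS": ("udp", 443)}

# Constructed sample policy: first match wins, implicit default deny.
# Fields: (action, protocol, destination network, destination port or None)
SAMPLE_RULES = [
    ("deny",  "udp", "0.0.0.0/0", 443),       # constructed: blanket UDP 443 block
    ("allow", "tcp", "0.0.0.0/0", 443),
    ("allow", "udp", "192.76.7.64/27", 443),  # never reached: shadowed by rule 1
]

def decide(rules, proto, dst, port):
    """Return the action of the first rule matching the flow, else 'deny'."""
    for action, r_proto, r_net, r_port in rules:
        if r_proto not in (proto, "any"):
            continue
        if r_port is not None and r_port != port:
            continue
        if dst in ipaddress.ip_network(r_net):
            return action
    return "deny"

def blocked_servers(rules):
    """Map each tunnel to the server addresses the policy does not allow."""
    result = {}
    for name, (proto, port) in REQUIRED.items():
        result[name] = [str(ip) for ip in VPN_SERVERS
                        if decide(rules, proto, ip, port) != "allow"]
    return result

def summarise(rules):
    """One-line verdict: SSL is required, DTLS is optional (per this page)."""
    blocked = blocked_servers(rules)
    if blocked["SSL"]:
        return "VPN blocked: TCP 443 denied to %d server address(es)" % len(blocked["SSL"])
    if blocked["DTLS"]:
        return "SSL tunnel permitted; optional DTLS tunnel (UDP 443) denied"
    return "SSL and DTLS tunnels both permitted"

if __name__ == "__main__":
    print(summarise(SAMPLE_RULES))
```

The sample policy shows a common ordering mistake: the specific UDP allow rule sits below a broader deny, so it never takes effect.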
Before you start...
Minimise or close open windows so you can clearly see messages and instructions displayed during installation.
Essentials
On macOS 13 (Ventura) and above, after installing or upgrading the Cisco Secure Client, connecting to VPN displays "Connect capability is unavailable because the VPN service is unavailable." You may also see a warning message in the Connect box saying: "No connection to VPN service. Reattach failed" where normally it would show "Ready to connect". This applies to new installations, manual updates, and forced updates to the Cisco Secure Client - AnyConnect VPN Service.
If you are an Administrator of the Mac, go into System Settings > General > Login Items, and make sure the switch against Cisco Secure Client - AnyConnect VPN Service shows as enabled. You can toggle this off and on (for luck) if it is already enabled.
Deep dive
Starting with macOS 13 (Ventura), Apple made changes that include giving users who have administrative access to their macOS devices more visibility of, and control over, tasks running in the background. Previously, it wasn't possible to view and manage background tasks from the GUI. From Ventura, you can view and change them in System Settings > General > Login Items, in the Allow in Background section.
When recent versions of the Cisco Secure Client are installed on devices running macOS 13 (Ventura) and above (including upgrade scenarios), you may be prompted to allow the VPN Service to run in the background. The prompt includes a link to the System Settings and an image to show the setting change you need to make. If you either ignore the prompt or cannot make the change (e.g. because you don't have permission), you won't be able to connect to the VPN.
When the Cisco Secure Client v5 installs or upgrades, you may see one or both of the following prompts:
- allow the socket filter kernel extension
- allow the VPN Service to run in the background
Both require you to make changes in System Settings; the prompts include links.
If you do not allow the socket filter kernel extension, it may continue to show warnings, but the VPN should still work. However, if you don't allow the VPN Service to run in the background, the VPN will not be able to connect.
For University macOS devices managed centrally and where you do not have administrative access, your local IT may need to fix this for you.
Older macOS versions (12 and below) have no way in the GUI to view and manage background tasks, and you may only see the kernel extension prompt.
Further information regarding the Cisco VPN client is available to University IT Support Staff (ITSS), with specific articles on:
- Split Tunnelling Profiles and Local LAN Access
- Customising the Cisco VPN Client
- Automatic updates with the Cisco VPN Client
- AnyConnect Socket Filter on macOS
- Configuring the Cisco VPN Client Installer for macOS
Cisco also provide release notes and a troubleshooting guide for the Cisco Secure Client.
Get support
If you cannot find the solution you need here then we have other ways to get IT support.