Configuring SSL-VPN / OneConnect server on secondary Firewall IP address

Last modified on 8 Apr, 2021. Revision 5
Configuring a new SSL-VPN / OneConnect server to listen on a secondary IP address, the importance of routing the IP address on the core interface.
Up to date for
cOS Core 13.00.09 and up
Supported since
cOS Core 13.00.09
Not valid for
cOS Core 13.00.08 and older
Status OK
Peter Nilsson


Adding additional IP addresses to an interface in the Firewall is described in the following KB:

It is recommended to use the “core” route method. And one of the reason for that recommendation is that non-core routed IP addresses that is to be used by the Firewall for a server function such as SSL-VPN, OneConnect, IPsec, WebUI, SSH etc. may not function properly unless the IP address is core routed.

In versions before 13.00.09 it was possible to configure and use the SSL-VPN server on a non-core routed IP address. But changes in 13.00.09 now aligns the SSL-VPN server with other server types which cause any existing configured SSL-VPN servers to stop working unless the IP address for the server is core routed.


The solution to the problem is to follow the above mentioned KB article and instead of using “ARP publish”, create and use a core route + ProxyARP to publish the additional IP address on the Firewall. Doing this change on existing Firewall configurations may require updates to any IP Policy (or rule) that is specifically configured towards a non-core interface used towards the additional IP address. An example on needed changes to IP polices/rules:


Allow Wan all-nets Wan IP_Wan_2 Service=HTTP SetDest=


Allow Wan all-nets Core IP_Wan_2 Service=HTTP SetDest=

Related articles

Brian Smart Search (Beta)
15 Jan, 2024 dictionary troubleshoot core stream incontrol incenter oneconnect cloudservice
Configure Clavister OneConnect using deep links
13 Jun, 2022 oneconnect macos ios windows android
Configure Clavister OneConnect for macOS, iOS and iPadOS towards NetWall
28 Apr, 2023 openconnect oneconnect macos ios iphone
Configuring public certificates in NetWall firewalls
18 Mar, 2024 core certificate oneconnect ipsec vpn
Configure the Android OpenConnect client towards Clavister NetWall
23 Aug, 2022 sslvpn openconnect oneconnect android core
Configure Clavister OneConnect for Windows towards Clavister NetWall
29 Oct, 2021 sslvpn openconnect oneconnect windows
Lets Encrypt - error 9814 - chain had an expired certs
13 Oct, 2021 oneconnect macos openconnect ios
Certificate update in InControl global domain on certificate that is used on firewall(s)
18 Mar, 2024 core incontrol certificate oneconnect ipsec vpn
Configure Linux OpenConnect towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect linux core
OneConnect VPN certificate not trusted
18 Mar, 2024 onetouch sslvpn oneconnect troubleshoot certificate
Install OneConnect without Microsoft store
25 Feb, 2022 oneconnect windows howto
Howto - Userbased rules
27 Feb, 2024 oneconnect userbased core
Changing the certificate used by the OneConnect client/server
28 Nov, 2022 core configuration oneconnect
Clavister OneConnect server using cOS Core as CA Server
11 May, 2023 oneconnect certificate howto
Background apps premission
4 Jun, 2024 oneconnect windows
Configure the OpenConnect-GUI client towards Clavister NetWall
23 Aug, 2022 sslvpn openconnect oneconnect macos windows linux core