All members of the University of Cologne can use a VPN connection to access services outside the campus that are only available on the university network. Install a VPN client on your computer that connects you to the university network. For more information on tunnel types, see Configuration: Tunnel Types.
Be advised, our VPN service requires setting up multi-factor authentication in advance. At this point, we would like to point out once again that student and staff accounts are personal and that passing on the credentials ("account sharing") or providing this access to others constitutes a violation of our user regulations and will result in the account being blocked.
Please make sure your operating system is up-to-date before connecting to our network. Use of outdated operating systems is prohibited due to security concerns.
This quick guide explains how to use the VPN client on macOS and Windows. For detailed instructions on installation and use on other operating systems, click here.
Start the Cisco Secure Client.
If required, enter "vpngate.uni-koeln.de" as the server address [Fig. 1].
You will now be automatically redirected to a Shibboleth authentication via web browser. Log in there with your user name and password [Fig. 2].
Now authenticate yourself via Duo [Fig. 3].
If you have a hardware token, press the green button and enter the numerical code in the corresponding window.
If you are using the Duo Mobile app, open it and enter the four-digit numerical code on your smartphone (Duo Push).
Alternatively, you can also enter a six-digit numerical code displayed on your smartphone in Duo (Duo Mobile Passcode).
You will now be asked to log in with your personal device. If you use this device alone, you can confirm with "Yes, this is my own device" so that no further authentication is necessary within the next eight hours (depending on the browser settings) [Fig. 4].
Wait until the authentication is complete. You can then close the browser window [Fig. 5].
Is it still possible to use VPN with just a guest account?
Yes, guest accounts are still eligible to use our VPN service even though the login is processed by Shibboleth.
Error: "Potential CSRF attack detected" after authenticating with Shibboleth
Please delete the cookies and cache in your web browser and restart the browser. Then try to establish a VPN connection again.
Error: "Not registered in Duo"
In order to use our VPN service, it is mandatory to set up multi-factor authentication for all employee and guest accounts. Please have a look at our documentation and support pages on how to set up MFA for your account. Be advised that you will not be able to use our VPN service until you have set up MFA.
Error: "Windows Update required"
In order to use our VPN service, it is mandatory that you use an up-to-date operating system with current security updates. If you receive the message “Windows update required”, you must first update your operating system.
Be advised that operating systems such as Windows 8.1 and older have not received any security updates for many years, so they contain numerous security gaps and continuing to use them poses a security risk to our network and to yourself. You can find out which Windows version you are using in the Control Panel (or, for example, use the Windows key + R → enter “winver” → press Enter).
As a guide: Current Windows versions are Windows 10 (22H2) and Windows 11 (24H2).
Troubleshooting
Windows
“Potential CSRF attack detected” after logging into Shibboleth
If you receive this error message after logging into Shibboleth when establishing the VPN connection, please delete the corresponding website data and browser cache from your default web browser. Make sure that the browser is completely closed and then try again.
Error message before forwarding to Shibboleth: “Authentication failed due to a problem navigating to the single sign-on URL.”
You have not set a default browser. Select any browser in the app settings as your default browser to resolve the issue.
If the problem persists despite setting a default browser, please reset the default apps on your Windows computer. To do this, go to Windows Settings->Apps->Default Apps and scroll to the bottom of the list. Below this, you should have the option to reset the default apps. Perform this step, select a browser of your choice as the default app, and try to set up the VPN connection again. In our experience, restarting the computer is not necessary, but it does not hurt either.
If the problem persists, check whether Edge is installed in your apps and, if it is not, install the Edge browser. If necessary, reset the default apps again.
Message “VPN server internal error” or “Internal error for the VPN server.”
If you receive this error message after logging into Shibboleth when establishing the VPN connection, please delete the corresponding website data and browser cache from your default web browser. Make sure that the browser is completely closed and then try again.
macOS
Problems installing Cisco Secure Client when selecting the drive
Open Terminal (Spotlight search (magnifying glass in the upper right corner of the menu bar) → Terminal)
Enter the following command: sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn
You will then be asked for your local password (for administration on your Mac); for security reasons, the entry is invisible, so what you type is not displayed.
Restart the installation. If necessary, shut down your Mac and restart it.
“Potential CSRF attack detected” after logging into Shibboleth
If you receive this error message after logging into Shibboleth when establishing the VPN connection, please delete the corresponding website data and browser cache from your default web browser. Make sure that the browser is completely closed and then try again.
Deleting the browser cache in Safari:
1. Go to the “Safari” menu and click on the “Advanced” option under Settings.
2. In this menu, select “Show Develop menu in menu bar.”
3. Close the settings, click on the newly activated “Develop” menu in the menu bar, and select “Empty Cache”.
4. In the last step, quit Safari and restart the browser so that the change takes effect.
5. You can deactivate the Develop menu again in the settings by removing the check mark.
Cisco Secure Client message: “VPN Server internal error” or “Internal error for the VPN server”
If you receive this error message after logging into Shibboleth when establishing the VPN connection, please delete the corresponding website data and browser cache from your default web browser. Make sure that the browser is completely closed and then try again.
Deleting the browser cache in Safari:
1. Go to the “Safari” menu and click on the “Advanced” option under Settings.
2. In this menu, select “Show Develop menu in menu bar.”
3. Close the settings, click on the newly activated “Develop” menu in the menu bar, and select “Empty Cache”.
4. In the last step, quit Safari and restart the browser so that the change takes effect.
5. You can deactivate the Develop menu again in the settings by removing the check mark.
Linux
Cisco Secure Client doesn't start after successful installation
Some newer versions of Linux no longer provide the libxml2.so.2 dependency. It is also not available via the package manager. Instead, newer distributions only provide libxml2.so.16.
We are aware that this affects the following distributions: Ubuntu 25.10 (and newer), openSUSE Tumbleweed.
There is a workaround for this problem: make libxml2.so.16 available under the name libxml2.so.2 via a symbolic link, so that it is used in place of the missing libxml2.so.2 dependency. To do this, you must first find the storage location/path of libxml2.so.16 using the following command: sudo ldconfig -p | grep libxml2
The result should look like this: libxml2.so.16 (libc6,x86-64) => /PATH/libxml2.so.16
Then you can use the following command to create the symbolic link: sudo ln -s /PATH/libxml2.so.16 /PATH/libxml2.so.2
In this case, PATH should reflect the result from the first command.
Next, you need to install package dependencies for libxml2.
For Ubuntu 25.10: sudo apt install libxml2-dev libxml2-utils
For openSUSE Tumbleweed: sudo zypper install libxml2-tools libxml2-devel zypper-libxml2-tools zypper-libxml2-tools-plugin
Restart your PC to be on the safe side and ensure that the dependencies are recognized.
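The symbolic-link step above can be planned without touching the system first. The following is an added example, not part of the original instructions or of Cisco's software: it reads the output of ldconfig -p, skips non-x86-64 entries, and prints the ln command to run, or reports that libxml2.so.2 already resolves. The function names and the sample library paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for the libxml2 compatibility link.
# find_lib, plan_symlink and sample_cache are hypothetical helper names.

# Print the path of the x86-64 entry for soname $1 from `ldconfig -p`
# output read on stdin (nothing is printed if there is no such entry).
find_lib() {
    awk -v name="$1" '$1 == name && /x86-64/ { print $NF; exit }'
}

# Read `ldconfig -p` output on stdin and print what to do:
#   "present <path>"     libxml2.so.2 already resolves, no link needed
#   "ln -s <src> <dst>"  the link to create, next to libxml2.so.16
# Returns 1 if libxml2.so.16 is not installed either.
plan_symlink() {
    cache=$(cat)
    old=$(printf '%s\n' "$cache" | find_lib libxml2.so.2)
    if [ -n "$old" ]; then
        echo "present $old"
        return 0
    fi
    new=$(printf '%s\n' "$cache" | find_lib libxml2.so.16)
    if [ -z "$new" ]; then
        echo "missing libxml2.so.16" >&2
        return 1
    fi
    echo "ln -s $new $(dirname "$new")/libxml2.so.2"
}

# Constructed sample of `ldconfig -p` output (not captured from a real host).
sample_cache() {
    printf '\tlibxml2.so.16 (libc6) => /usr/lib/i386-linux-gnu/libxml2.so.16\n'
    printf '\tlibxml2.so.16 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libxml2.so.16\n'
    printf '\tlibxslt.so.1 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libxslt.so.1\n'
}

sample_cache | plan_symlink
# On a real system: ldconfig -p | plan_symlink
```

On a real system, pipe ldconfig -p into plan_symlink, review the printed command, and run it with sudo.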
“Potential CSRF attack detected” after logging into Shibboleth
If you receive this error message after logging into Shibboleth when establishing the VPN connection, please delete the corresponding website data and browser cache from your default web browser. Make sure that the browser is completely closed and then try again.
Message “VPN server internal error” or “Internal error for the VPN server.”
If you receive this error message after logging into Shibboleth when establishing the VPN connection, please delete the corresponding website data and browser cache from your default web browser. Make sure that the browser is completely closed and then try again.
Secure Client does not appear under Programs after installation
Update the package manager in the terminal using the command “sudo apt update && sudo apt upgrade” and restart the computer.
Input/Output Error Failed to execute default web browser
Depending on how browsers are installed, it may not be possible to configure them correctly as the default web browser. Check whether the browser has been installed as a Snap package and, if so, install it as a Debian package instead. You should now be able to change the default browser.
Android / chromeOS
“localhost:29786 Connection refused” is displayed in the browser
Disable desktop mode in your (default) web browser, close the browser, and try to reconnect.
If you are using the Chrome browser, please use an alternative (e.g., Firefox).
Contact
If you have any questions or problems, please contact the ITCC-Helpdesk.