Libxml2 in previous version (November) needed here for Cisco AnyConnect client

How do I downgrade libxml2 back to 2.11.5-1?

Manjaro stable 23.1.0 with Cisco AnyConnect Secure Mobility Client 4.10.06079.
The named version of AnyConnect is the only version I got from the remote network administrators.

Since about two weeks ago it is no longer possible to establish a VPN connection to the remote network; “Connection attempt is everything” is what the user gets back from AnyConnect.
The VPN worked very well until approx. the middle of week no. 48.

Dec 07 01:12:43 machi acvpnagent[995]: Function: determineAcidexMacAddrMapForTlv File: ../../vpn/Agent/MainThread.cpp Line: 6694 [ACIDEX] Determined public interface MAC address 08-00-33-xx-xx-xx (interface IPv4 address: 10.0.xx.xx)
Dec 07 01:12:43 machi acvpnui[14342]: Function: getUserName File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 2843 PasswordEntry username is root
Dec 07 01:12:43 machi acvpnui[14342]: Function: PeerCertVerifyCB File: ../../vpn/Api/CTransportCurlStatic.cpp Line: 1114 Return success from VerifyServerCertificate
Dec 07 01:12:43 machi acvpnui[14342]: Function: errorCB File: ../../vpn/Common/Xml/CVCSaxParser.cpp Line: 119 xml errorCB: Document is empty
Dec 07 01:12:43 machi acvpnui[14342]: Function: startParser File: ../../vpn/Common/Xml/CVCSaxParser.cpp Line: 206 Invoked Function: xmlParseDocument Return Code: -1 (0xFFFFFFFF) Description: MTUADJUSTMENTCACHE_ERROR_UNKNOWN
Dec 07 01:12:43 machi acvpnui[14342]: Function: processXML File: ../../vpn/Api/xml/AggAuth.cpp Line: 71 Invoked Function: XmlParser::parseXml Return Code: -33554423 (0xFE000009) Description: Unable to process response from Gateway.
Dec 07 01:12:43 machi acvpnui[14342]: Function: processResponseStringFromSG File: ../../vpn/Api/ConnectMgr.cpp Line: 11894 Invoked Function: AggrAuth::processXML Return Code: -27590645 (0xFE5B000B) Description: AGGAUTH_ERROR_FAILED_TO_PARSE_XML
Dec 07 01:12:43 machi acvpnui[14342]: Message type warning sent to the user: Connection attempt has failed.

The log above leads me to the following discussion: archlinux, Cisco secure client fails to connect
<I am not eligible to place a link to this post, sorry>, archlinux user forum thread id 290520, where guys found out that the libxml2 switch from 2.11.5-1 to 2.12.0-1 caused such worsening.

We can see in our Manjaro update history:

[2023-12-01T15:25:37+0100] [ALPM] upgraded lib32-libxml2 (2.12.0-1.0 → 2.12.1-1)
[2023-12-01T15:25:36+0100] [ALPM] upgraded libxml2 (2.12.0-1.0 → 2.12.1-1)
[2023-11-28T11:46:32+0100] [ALPM] upgraded lib32-libxml2 (2.11.5-1 → 2.12.0-1.0)
[2023-11-28T11:46:30+0100] [ALPM] upgraded libxml2 (2.11.5-1 → 2.12.0-1.0)

manjaro-downgrade
I have no idea whether you really should or not. But that's the package/utility.

Yes, libxml2 selective downgrade may result in other new issues.

Sorry, I should have included the wiki link…

Thanks.
The manjaro-downgrade manual refers to the downgrade manual, where some details regarding usage can be found too.

The libxml2 version upgrade in archlinux leads further to a short chain of bug tickets.

https://bugs.archlinux.org/task/80297

https://gitlab.gnome.org/GNOME/libxml2/-/commit/a2b5c90a442295d2b75ae60af854b3c4a43aa0ff
https://gitlab.gnome.org/GNOME/libxml2/-/issues/626#note_561

How soon can the GNOME fix be present in Manjaro 23.1.0?
In this particular case the VPN connection is not working.

manjaro-downgrade is downgrade patched to use Manjaro Archive sources instead of Arch Linux Archive.

There is no Manjaro version number.

But there are Branches - Stable, Testing and Unstable. (and ISO releases)

Packages come as quickly as it gets to Arch and then through our branches…

https://archlinux.org/packages/?sort=&q=libxml2

https://packages.manjaro.org/?query=libxml2

About branches:

archlinux fixed this bug in libxml2 version 2.12.1-1, which has been in Manjaro stable since no later than Dec. 1st, on our installation machine too.

However, it doesn’t resolve the problem. Since approx. the middle of week 48 libxml2 fails at this point.

libxml2 maintainers team is ready to analyse, closed source app however involved: Cisco Secure Client fails with "errorCB: Document is empty" since 2.12.0 (#644) · Issues · GNOME / libxml2 · GitLab

Arch Linux doesn’t accept bug report directly from Manjaro user: Cisco Secure Client 5.0.05040 fails to connect (#1) · Issues · Arch Linux / Packaging / Packages / libxml2 · GitLab
[SOLVED] Cisco Secure Client 5.0.05040 fails to connect / Pacman & Package Upgrade Issues / Arch Linux Forums

Cisco doesn’t present engagement/interest: AC SMC stopped suddenly to work - Cisco Community

Users suffer. Manjaro can report the bug to Arch Linux; it has a better chance of being listened to. How to continue with this?

Drop stuff from Cisco, it was always ■■■■■■ and it will be. For AnyConnect, there are way better VPN technologies available.
Since Arch and Manjaro usually don’t fix upstream problems, there is nothing you or Manjaro can do. There is no point in creating bug reports with Arch. It will not be fixed there. The only entity that should do anything is Cisco, but Cisco doesn’t care, so stop buying and using their systems.

If users connecting to their organisation's remote network are instructed by the IT team of that same organisation to use Cisco AnyConnect and only this, what are the chances that a VPN client from another vendor works equally well?

Your view is biased, biased not at a single point but at a number of points.
I wonder how you get the idea that in this particular case I am in a position to decide which VPN solution to use. I wonder how you get the idea that I made the purchase of the VPN solution. I wonder how you get the idea that I want Manjaro to fix an upstream problem. I wonder how you get the idea that it is my function to care for the VPN server and client sides. These are not what I have reported.

You won’t understand that my position is the standpoint of an organization network's remote user, where on the other side the following act: remote network administration, the provider of the VPN solution used, the vendor of the operating system used and all its dependencies.

I am not in a position to know whether a switch to another solution will happen or, if it does, what the new solution will be. I am only instructed to use the Cisco VPN client; otherwise, in case of problems, the remote network IT provides no support.

One day it will for sure be possible for me to get rid of Cisco VPN. In the same period of time I won’t need to use Manjaro any more - I will be happy when that day comes.

I agree that using downgrade is a bad idea, since the rest of your packages provided by manjaro are being built against libxml2-2.12.

You can provide the lower version of libxml2 to cisco anyconnect/secureclient only like this -

  • get a copy of 2.11.5 from your pacman cache: /var/cache/pacman/pkg
  • extract the relevant tar file
  • copy the old libxml2 version to vpn dir - e.g. cp usr/lib/libxml2.so.2.11.5 /opt/cisco/secureclient/lib/libxml2.so.2

You also have to update the systemd unit for vpnagentd like this (I’d have expected it to just work but it did not for me):

Environment=LD_LIBRARY_PATH=/opt/cisco/secureclient/bin
EnvironmentFile=/etc/environment

Unfortunately you can’t just drop it into the existing location /opt/cisco/secureclient/lib because it does some kind of code integrity check on all the files in that directory.

Re: the other discussion in the thread. I’m a freelancer and have quit this client. I am actively excited to rm -rf /opt/cisco in the new year.
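
The workaround from the post above, written as a script (an added example, not part of the original post and not Cisco or Manjaro tooling). The library directory default and the vpnagentd unit name are taken from the post; the drop-in path, the drop-in file name and the function names are assumptions. It goes slightly beyond the post by refusing a library directory that group or others can write to, because a root service will load code from it.

```shell
#!/bin/sh
# Added example: give only the VPN agent a private libxml2 2.11.5 and leave
# the system-wide libxml2 untouched.
# Assumptions: LIB_DIR default and the unit name come from the post; the
# drop-in location and all helper names below are hypothetical.

LIB_DIR=${LIB_DIR:-/opt/cisco/secureclient/bin}
DROPIN_DIR=${DROPIN_DIR:-/etc/systemd/system/vpnagentd.service.d}

# A root daemon resolves libraries from this directory, so reject it when the
# group-write or other-write bit is set (characters 6 and 9 of the mode string).
dir_is_safe() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# Copy the extracted old library under the soname the client loads.
stage_lib() {   # stage_lib <extracted libxml2.so.2.11.5> <library dir>
    [ -f "$1" ] || { echo "missing library: $1" >&2; return 1; }
    dir_is_safe "$2" || { echo "unsafe library dir: $2" >&2; return 1; }
    install -m 0644 "$1" "$2/libxml2.so.2"
}

# Write a drop-in instead of editing the vendor unit, so deleting one file
# reverts the workaround once a fixed libxml2 reaches the branch in use.
write_dropin() {   # write_dropin <drop-in dir> <library dir>
    mkdir -p "$1" || return 1
    printf '[Service]\nEnvironment=LD_LIBRARY_PATH=%s\n' "$2" \
        > "$1/libxml2-pin.conf"
}

# Run as root after extracting the cached package, for example:
#   bsdtar -xf <cached libxml2 2.11.5 package> usr/lib/libxml2.so.2.11.5
#   sh pin-libxml2.sh apply usr/lib/libxml2.so.2.11.5
if [ "${1:-}" = "apply" ]; then
    stage_lib "$2" "$LIB_DIR" && write_dropin "$DROPIN_DIR" "$LIB_DIR" &&
        systemctl daemon-reload && systemctl restart vpnagentd
fi
```

The pinned copy sits outside pacman and receives no further updates, so remove it and the drop-in once a fixed libxml2 reaches your branch.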

Thanks for the hint. The instructions seem to be the same as what I found in the archlinux forum.

$ ls -alh /var/cache/pacman/pkg/libxml2*
-rw-r--r-- 1 root root 1,1M 23. Nov 08:42 /var/cache/pacman/pkg/libxml2-2.12.0-1.0-x86_64.pkg.tar.zst
-rw-r--r-- 1 root root  329 23. Nov 08:42 /var/cache/pacman/pkg/libxml2-2.12.0-1.0-x86_64.pkg.tar.zst.sig
-rw-r--r-- 1 root root 844K 24. Nov 20:24 /var/cache/pacman/pkg/libxml2-2.12.1-1-x86_64.pkg.tar.zst
-rw-r--r-- 1 root root  119 24. Nov 20:24 /var/cache/pacman/pkg/libxml2-2.12.1-1-x86_64.pkg.tar.zst.sig
-rw-r--r-- 1 root root 844K  6. Dez 17:24 /var/cache/pacman/pkg/libxml2-2.12.2-1-x86_64.pkg.tar.zst
-rw-r--r-- 1 root root  119  6. Dez 17:24 /var/cache/pacman/pkg/libxml2-2.12.2-1-x86_64.pkg.tar.zst.sig

The period of time in which I observed the worsening (working to not working) correlates with the log points of this Manjaro showing a short series of libxml2 updates from 2.11.last to 2.12.first, subsequently to 2.12.2.

Am I dependent on what the remote network IT says in this particular case, or not? Do I need to adhere to it, or not? If not, I need a solution which the vendor will support in case of problems.
I don’t dare to ask the remote network administration to change the VPN solution, as I know they will laugh if I come to them with such a request - I am one among thousands of their users.

Signals are received that libxml2 version 2.12.4-1 fixes the problem with the Cisco AnyConnect client.
It seems to have been released in the middle of the previous week by the GNOME project.
However, in Manjaro it somehow got stuck - up to now it has reached no further than Unstable.
What is the reason?
All previous 2.12.x versions progressed pretty well and quickly to Stable. 2.12.4 doesn’t.
I need it to have AnyConnect working.

libxml2 version 2.12.4 is in the unstable branch. If you need it asap, switch to this branch. Don’t forget to update all packages after the switch.

If you don’t care about system stability you can try to manually download and install the new libxml2 version. This is not a supported way and may result in a completely unusable system. But if you are lucky this can be a very fast way. Just make sure you have a working backup and can roll back fast.

Unfortunately Manjaro here is used to accomplish tasks. We need it to be stable and reliable - for user to be productive.
In case of troubles this Manjaro needs vendor’s support, hence modifications conducted are minimal, if any.
All prior 2.12 subversions needed a short time to run through all branches and reach stable.
Why is 2.12.4 different?

I see right now it reached Testing.
What are the chances that it needs less time to make the step to the final branch than it needed for the last branch transition?

Huh? As said a million times already, it will be when it will be.

I have no idea about when a stable snap is needed - it relies on the feedback from users on testing branch.

Cisco AnyConnect is - as I recall - not in the repo, thus it must be a custom build.

Like with anything else from AUR it requires arch package level - sometimes attainable at stable, sometimes not.

Take responsibility

If you have the resources for it - create your own environment and take responsibility for your systems

First

  • you can run your own inhouse mirror
  • point all your office workstations to that mirror

Second

  • deploy a custom mirror for hosting the packages you need from AUR

Add it before [core] to override any package of the same name in official repo
Add it to end to make it an additional repo

None of this is supported by the Manjaro Linux Community but I am fairly certain you can make some kind of agreement with the corporate part of Manjaro Imprint.

Or you may contact me for private consulting.

In my feeling, dropping the usage of Manjaro will cost less effort.

The broken lib version was grabbed from the upstream distribution in a rapid manner.
To grab the fixed one takes ten times longer or more; there must be a good rationale behind it.

I have been using Manjaro Linux since late 2016 and I have had no downtime that was not caused by my lack of knowledge.

I have been more productive on Manjaro Linux than I have ever been with Windows systems.

You should do whatever you are most comfortable with.

These sentences make no sense to me.

If I understand you correctly - you are implying that the file you require for a custom package should be available in the Manjaro Linux repo?

Custom packaging is always the user’s responsibility - that goes for Arch Linux and Manjaro Linux - and any other Arch Linux based distribution out there.

You are most likely best served using a distribution less rolling - or if you really need that AnyConnect package - the easiest method is to switch the system to unstable branch and be done with it.

That would take far less resources and make for zero downtime.

sudo pacman-mirrors -aS unstable && sudo pacman -Syu

Then rebuild the custom package(s)

And it is far easier to maintain a local mirror than you think.

If you do not have the knowledge yourself or the manpower to do so - I have offered my assistance which of course - as you appear to be running a business - is assistance that comes with a fee.
