
#1 2023-10-02 15:37:05

joanmanel
Member
Registered: 2012-11-06
Posts: 234

Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

Hi,

I have been using openconnect (with NetworkManager) for a while to connect to a VPN (a company's), and it has always worked fine. The last time I tried was around a month ago, and it was fine. Today I went to connect and it returned an "Unexpected 404 result from server" error.

See the log here:

POST https://vpn.uk/ (I changed the address to share the message here)
Attempting to connect to server 11111 (IP, added by myself, not in log)
Connected to 11111 (IP, added by myself, not in log)
SSL negotiation with vpn.uk
Connected to HTTPS on vpn.uk with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 404 Not Found
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Mon, 02 Oct 2023 15:31:23 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
HTTP body http 1.0 (-1)
TLS/DTLS socket closed uncleanly
Unexpected 404 result from server
GET https://vpn.uk/
Attempting to connect to server 11111
Connected to 11111
SSL negotiation with vpn.uk
Connected to HTTPS on vpn.uk with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Mon, 02 Oct 2023 15:31:24 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://vpn.uk/+webvpn+/index.html
SSL negotiation with vpn.uk
Connected to HTTPS on vpn.uk with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)

Because the error is a 404, I thought it would be a problem from their VPN server.

But then I downloaded, installed and tried Cisco Anyconnect (the official one), and it works fine.

So I can only imagine this might be some config error in openconnect. But honestly I have no idea. With NetworkManager-openconnect I can connect to some other VPNs, but not this one.


#2 2023-10-03 03:32:03

DKEBeck
Member
Registered: 2022-08-15
Posts: 13

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

Oddly, I have also somewhat recently experienced the same thing.  About a month-ish ago, I noticed that same error message when connecting via openconnect through the network manager applet in XFCE.  However, the error message only appears for about two seconds before the connection attempt resumes and is successful.  I have my VPN credentials saved, so I don't have to do anything to get past the error message.  It appears, and then it goes away and the connection attempt resumes.

Note that as outlined in the following thread, I'm running an older version of networkmanager-openconnect than the most recent:
https://bbs.archlinux.org/viewtopic.php … 8#p2122568


#3 2023-10-03 04:08:02

dakota
Member
Registered: 2016-05-20
Posts: 282

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

joanmanel wrote:

Because the error is a 404, I thought it would be a problem from their VPN server.

I'm not convinced that's the problem. Is that the complete log?

It looks like it:

  • connects, can't find the resource (404), and then disconnects

  • connects again, looks for a different resource and is told that it moved (302), and then disconnects

  • connects again, finds what it's looking for (200), and then the log ends

You might compare the connection log with the log from AnyConnect. Does it show the same pattern?

Cheers,

Edit - why do all the cookies expire in 1970?

Last edited by dakota (2023-10-03 04:08:38)


"Before Enlightenment chop wood, carry water. After Enlightenment chop wood, carry water." -- Zen proverb

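The three-step pattern dakota lists above (404, then 302, then 200 with a burst of Set-Cookie headers) is easier to see when the verbose openconnect log is reduced to one line per request. The script below is an added example written for this page, not code from the thread or from the openconnect project; it reads the request/response trail that openconnect prints when run verbosely (`-v`) on stdin and prints, per request, the method and URL, the status code, any redirect target, and which cookies the server set or deleted. The embedded sample log is a constructed, shortened copy of the lines joanmanel posted; the hostname `vpn.uk` is the placeholder from the post. On the 1970 question: a Set-Cookie with an empty value and an expiry in the past is how a server tells the client to delete that cookie, so those lines are the gateway clearing any stale session cookies before login, not a clock problem.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the request/response trail
# that openconnect prints when run verbosely, one line per HTTP request,
# so the 404 -> 302 -> 200 sequence and the cookie churn stand out.
# Reads the log on stdin.
summarize_openconnect_log() {
    awk '
    function flush() {
        if (req != "") {
            line = req " -> " (status == "" ? "(no response)" : status)
            if (loc != "")     line = line " redirect=" loc
            if (cleared != "") line = line " cleared=[" cleared "]"
            if (set != "")     line = line " set=[" set "]"
            if (unclean)       line = line " (socket closed uncleanly)"
            print line
        }
        req = ""; status = ""; loc = ""; cleared = ""; set = ""; unclean = 0
    }
    # A new request line starts a new record
    /^(GET|POST) / { flush(); req = $1 " " $2; next }
    # "Got HTTP response: HTTP/1.1 404 Not Found" -> field 5 is the status code
    /^Got HTTP response: / { status = $5; next }
    /^Location: / { loc = $2; next }
    /^Set-Cookie: / {
        split($2, kv, "=")        # field 2 is "name=value;" (value may be empty)
        name = kv[1]
        # An empty value with an expiry in the past is the server deleting the cookie
        if ($0 ~ /expires=Thu, 01 Jan 1970/) {
            cleared = (cleared == "" ? name : cleared "," name)
        } else {
            set = (set == "" ? name : set "," name)
        }
        next
    }
    /socket closed uncleanly/ { unclean = 1 }
    END { flush() }
    '
}

# Constructed sample: a trimmed copy of the log from the first post.
sample_log() {
    cat <<'EOF'
POST https://vpn.uk/
Connected to 11111
Got HTTP response: HTTP/1.1 404 Not Found
Cache-Control: no-store
TLS/DTLS socket closed uncleanly
Unexpected 404 result from server
GET https://vpn.uk/
Got HTTP response: HTTP/1.0 302 Object Moved
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
GET https://vpn.uk/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
EOF
}

# Demo on the constructed sample; for a real run, pipe in the output of
# `openconnect -v ... 2>&1` (or the NetworkManager log) instead.
sample_log | summarize_openconnect_log
```

Run against the sample this prints three lines: the POST to `/` answered 404 with the socket closed uncleanly, the GET to `/` redirected to `/+webvpn+/index.html` while clearing `tg`, and the GET to `/+webvpn+/index.html` answered 200 while clearing `webvpn`, `webvpn_as` and `webvpnc` and setting `webvpnlogin`. Running the same filter over a capture from a client that does succeed is the comparison dakota suggests: the interesting difference is whichever request gets a different status, not the cookie expiries.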

#4 2023-10-03 09:37:38

joanmanel
Member
Registered: 2012-11-06
Posts: 234

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

When I try to connect the first time, it shows the 404 error (this error is displayed in the NetworkManager window). Interestingly, the username and password appear empty. So I put in my login details and it tries to log in, but now the error says "Please enter your username and password".

The log looks like this after the second connection attempt, with my user details entered:

POST https://vpn.uk/
Attempting to connect to server 1111
Connected to 1111
SSL negotiation with vpn.uk
Connected to HTTPS on vpn.uk with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 404 Not Found
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 03 Oct 2023 09:30:50 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
HTTP body http 1.0 (-1)
TLS/DTLS socket closed uncleanly
Unexpected 404 result from server
GET https://vpn.uk/
Attempting to connect to server 1111
Connected to 1111
SSL negotiation with vpn.uk
Connected to HTTPS on vpn.uk with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 03 Oct 2023 09:30:50 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://vpn.uk/+webvpn+/index.html
SSL negotiation with vpn.uk
Connected to HTTPS on vpn.uk with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
POST https://vpn.uk/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
POST https://vpn.uk/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
POST https://vpn.uk/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
POST https://vpn.uk/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)

I don't know where the logs from Cisco AnyConnect are. There is some stuff in /opt/cisco/anyconnect but they don't seem to be logs.


#5 2023-10-03 09:44:08

joanmanel
Member
Registered: 2012-11-06
Posts: 234

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

DKEBeck wrote:

Oddly, I have also somewhat recently experienced the same thing.  About a month-ish ago, I noticed that same error message when connecting via openconnect through the network manager applet in XFCE.  However, the error message only appears for about two seconds before the connection attempt resumes and is successful.  I have my VPN credentials saved, so I don't have to do anything to get past the error message.  It appears, and then it goes away and the connection attempt resumes.

Note that as outlined in the following thread, I'm running an older version of networkmanager-openconnect than the most recent:
https://bbs.archlinux.org/viewtopic.php … 8#p2122568

Trying, as per your post,

nmcli con up id VPNNAME --ask

it asks for my username and password. I type in the correct details, but it asks again:

Please enter your username and password.
Username:myusername
Password:
POST https://vpn.uk/+webvpn+/index.html
Please enter your username and password.
Username:myusername
Password:
POST https://vpn.uk/+webvpn+/index.html
Please enter your username and password.


#6 2023-10-03 12:07:07

seth
Member
Registered: 2012-09-03
Posts: 52,096

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect


#7 2023-10-03 15:37:14

joanmanel
Member
Registered: 2012-11-06
Posts: 234

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

When trying this on the command line it seems to work, but when it opens the browser to do two-way auth, it fails.

For example

[juanma@housepc ~]$ sudo openconnect vpn.uk --config=.config/openconnect/config --useragent=AnyConnect
POST https://vpn.uk/
Connected to 11111
SSL negotiation with vpn.uk
Connected to HTTPS on vpn.uk with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
XML POST enabled
Please complete the authentication process in the browser window.
[2826:2826:1003/163418.427020:ERROR:zygote_host_impl_linux.cc(100)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.

If I do it as a normal user, it does open the browser and I can log in, but then it fails:

[juanma@housepc ~]$ openconnect vpn.uk --config=.config/openconnect/config --useragent=AnyConnect
POST https://vpn.uk/
Connected to 1111
SSL negotiation with vpn.uk
Connected to HTTPS on vpn.uk with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
XML POST enabled
Please complete the authentication process in the browser window.
POST https://vpn.uk/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Configured as 130.209.151.214, with SSL connected and DTLS connected
Session authentication will expire at Tue Oct 17 16:35:36 2023

mkdir: cannot create directory ‘/var/run/vpnc’: Permission denied
Failed to bind local tun device (TUNSETIFF): Operation not permitted
To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
Set up tun device failed
Send BYE packet: Set up tun device failed
Unrecoverable I/O error; exiting.

This problem is unrelated to the current one. It happened previously, but it was solved when I made the connection through NetworkManager. But in NetworkManager I don't know how to add --useragent=AnyConnect.


#8 2023-10-03 17:51:37

seth
Member
Registered: 2012-09-03
Posts: 52,096

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

You could probably spoof the UA in your browser (might require some extension).
https://github.com/openwrt/packages/issues/21135 suggests to alter /lib/netifd/proto/openconnect.sh - would that cover NM for you?


#9 2023-10-05 09:50:08

joanmanel
Member
Registered: 2012-11-06
Posts: 234

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

seth wrote:

You could probably spoof the UA in your browser (might require some extension)
https://github.com/openwrt/packages/issues/21135 suggests to alter /lib/netifd/proto/openconnect.sh - would that cover NM for you?

That folder doesn't exist for me. I tried to find the openconnect.sh file but have no idea where it could be.


#10 2023-10-05 12:27:37

seth
Member
Registered: 2012-09-03
Posts: 52,096

Re: Cannot connect to VPN with openconnect, but I can with Cisco AnyConnect

Try to shadow /usr/bin/openconnect w/ a script in /usr/local/bin/openconnect:

#!/bin/sh
exec /usr/bin/openconnect --useragent=AnyConnect "$@"

If whatever™ executes /usr/bin/openconnect w/ an absolute path you'd have to move that to /usr/bin/openconnect.bin and place the script (w/ adjusted exec) in its place.

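The wrapper seth suggests only helps if whatever starts the VPN finds `openconnect` through PATH, which the thread does not establish for NetworkManager. The script below is an added example written for this page (not seth's script, not anything from openconnect or NetworkManager) that builds the same wrapper in a scratch directory and then checks both things a practitioner would want to know before installing it for real: what a bare `openconnect` resolves to once the wrapper directory is first in PATH, and exactly which arguments the real binary receives. The real `/usr/bin/openconnect` is stood in for by a stub that prints its argv, so this runs without openconnect installed; the scratch `bin` and `realbin` directories are placeholders for `/usr/local/bin` and `/usr/bin`. The last case shows seth's caveat: a caller using the absolute path bypasses the wrapper entirely.

```shell
#!/bin/sh
# Added example (not from the thread): build the PATH-shadowing wrapper in a
# scratch directory and check what actually gets executed. The real
# /usr/bin/openconnect is replaced by a stub that prints its arguments, so
# this runs without openconnect installed; swap in the real paths to deploy.

# make_stub FILE: a stand-in for the real binary that prints each argument
# it receives on its own line.
make_stub() {
    cat > "$1" <<'EOF'
#!/bin/sh
printf '%s\n' "$@"
EOF
    chmod 0755 "$1"
}

# install_ua_wrapper DIR REAL: put an openconnect wrapper in DIR that runs
# REAL with --useragent=AnyConnect prepended to whatever it was given.
install_ua_wrapper() {
    cat > "$1/openconnect" <<EOF
#!/bin/sh
exec "$2" --useragent=AnyConnect "\$@"
EOF
    chmod 0755 "$1/openconnect"
}

# which_openconnect DIR: what a bare `openconnect` resolves to with DIR
# placed first in PATH (the check to run before trusting the wrapper).
which_openconnect() {
    ( PATH="$1:$PATH"; command -v openconnect )
}

# via_path DIR ARGS...: argv the real binary sees when invoked by name.
via_path() {
    dir="$1"; shift
    ( PATH="$dir:$PATH"; openconnect "$@" )
}

# via_absolute REAL ARGS...: argv seen when the caller uses the absolute
# path, which bypasses the wrapper entirely.
via_absolute() {
    real="$1"; shift
    "$real" "$@"
}

demo() {
    tmp="$(mktemp -d)"
    mkdir "$tmp/bin" "$tmp/realbin"
    make_stub "$tmp/realbin/openconnect"
    install_ua_wrapper "$tmp/bin" "$tmp/realbin/openconnect"
    printf '%s\n' "resolves to: $(which_openconnect "$tmp/bin")"
    printf '%s\n' "--- argv via PATH lookup:"
    via_path "$tmp/bin" vpn.uk --config=/etc/openconnect/config
    printf '%s\n' "--- argv via absolute path (wrapper bypassed):"
    via_absolute "$tmp/realbin/openconnect" vpn.uk --config=/etc/openconnect/config
    rm -rf "$tmp"
}

demo
```

With the PATH lookup the stub prints `--useragent=AnyConnect` first and then the caller's own arguments; with the absolute path it prints only the caller's arguments. Before deploying, confirm that whatever launches openconnect on your system does so by name: anything that executes the binary by absolute path, or that links the openconnect library instead of executing the binary at all, never sees the wrapper, and in that case the rename-to-`openconnect.bin` variant seth mentions (or a real configuration option) is the only route.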
