#1 2024-05-05 14:04:16

AlgoJerViA

Problem connecting to anyconnect vpn using openconnect.

I have a virtual machine running Ubuntu that connects to a Cisco AnyConnect network using the openconnect plugin in NetworkManager. I would like to achieve the same in a non-graphical setup using an Arch machine instead. However, when I attempt to connect to the VPN using openconnect directly, I do not receive any response from the VPN network. Everything is just timing out. I have also confirmed that the same issue occurs when I try to use openconnect directly on the Ubuntu machine. The routing table is identical when connecting with nm and after using openconnect.

Here is the output (I have masked some irrelevant information) when running openconnect on Arch:

[andreas@host ~]$ sudo openconnect --user username --server https://host/+webvpn+/index.html --verbose
POST https://host/+webvpn+/index.html
Attempting to connect to server 124.32.225.34:443
Connected to 124.32.225.34:443
SSL negotiation with host
Connected to HTTPS on host with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 400 Bad Request
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Connection: close
X-Transcend-Version: 1
HTTP body http 1.0 (-1)
TLS/DTLS socket closed uncleanly
Unexpected 400 result from server
GET https://host/+webvpn+/index.html
Attempting to connect to server 124.32.225.34:443
Connected to 124.32.225.34:443
SSL negotiation with host
Connected to HTTPS on host with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Password:
POST https://host/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: CSRFtoken=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: samlPreauthSessionHash=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Token=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Error=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:AD814894617AA0F9559C05BAAB3FCFFF875572BB&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fhost.xml&fh:FF197C01385C4485165F4BCF3E9B47B656E93E5E; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: 10.22.22.22
X-CSTP-Netmask: 255.255.254.0
X-CSTP-Hostname: host-de.host.intra
X-CSTP-DNS: 10.66.60.20
X-CSTP-DNS: 10.66.60.21
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Session-Timeout-Alert-Interval: 60
X-CSTP-Session-Timeout-Remaining: none
X-CSTP-Idle-Timeout: 28800
X-CSTP-Disconnected-Timeout: 28800
X-CSTP-Default-Domain: host.intra
X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
X-CSTP-Split-Include: 172.16.0.0/255.240.0.0
X-CSTP-Split-Include: 192.168.0.0/255.255.0.0
X-CSTP-Split-Include: 34.177.237.160/255.255.255.240
X-CSTP-Split-Include: 34.177.225.208/255.255.255.248
X-CSTP-Split-Include: 34.177.225.215/255.255.255.255
X-CSTP-Split-Include: 34.177.225.217/255.255.255.255
X-CSTP-Split-Include: 34.177.225.218/255.255.255.255
X-CSTP-Split-Include: 34.177.225.219/255.255.255.255
X-CSTP-Split-Include: 34.177.225.220/255.255.255.252
X-CSTP-Split-DNS: host.intra
X-CSTP-Split-DNS: host.de
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 329D9A06890A30FFD1821A25019FF4B36E131471CBFBD34DB9813F3BD34FC8AA
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1367
X-DTLS-MTU: 1390
X-DTLS12-CipherSuite: ECDHE-RSA-AES256-GCM-SHA384
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
UDP SO_SNDBUF: 88960
DTLS initialised. DPD 30, Keepalive 20
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Initiating MTU detection (min=576, max=1390)
No change in MTU after detection (was 1390)
Configured as 10.22.22.29, with SSL connected and DTLS connected
Session authentication will expire at Sun May 19 15:42:59 2024

Detected virtual address range 0x1000-0x7ffffffff000
Using vhost-net for tun acceleration, ring size 32
Got DTLS DPD response
Got DTLS DPD response
Send CSTP Keepalive
Send CSTP DPD
Send DTLS DPD
Send CSTP DPD
Send DTLS DPD
Send CSTP DPD
Send DTLS DPD
DTLS Dead Peer Detection detected dead peer!
UDP SO_SNDBUF: 88960
CSTP Dead Peer Detection detected dead peer!
Failed to reconnect to host host: Connection timed out
sleep 10s, remaining timeout 300s
Failed to reconnect to host host: Connection timed out
sleep 20s, remaining timeout 290s
Failed to reconnect to host host: Connection timed out
sleep 30s, remaining timeout 270s
Failed to reconnect to host host: Connection timed out
sleep 40s, remaining timeout 240s

//AlgoJerViA

#2 2024-05-08 19:20:12

MS-DTYP

Re: Problem connecting to anyconnect vpn using openconnect.

It doesn't look too difficult to troubleshoot from your side. Just compare Wireshark dumps and openconnect configuration.

It's definitely possible to connect to your VPN server via openconnect from the CLI, if you can do it from NetworkManager. Openconnect's log looks good to me. Try the --no-dtls option, maybe it will start functioning.

Last edited by MS-DTYP (2024-05-08 19:21:55)

#3 2024-05-13 05:59:19

AlgoJerViA

Re: Problem connecting to anyconnect vpn using openconnect.

Hi,
The --no-dtls option does not solve the problem.
I'm having trouble capturing the TLS secrets when using Network Manager.
I have added SSLKEYLOGFILE="/home/andreas/sslkeys.log" as a global environment variable and get all the keys when using openconnect directly but when using Network Manager, for some reason, the last TLS stream remains encrypted.