#1 2012-10-08 11:25:34

ijanos
Member
From: Budapest, Hungary
Registered: 2008-03-30
Posts: 443

Cannot connect to VPN through NetworkManager anymore.

I cannot connect to VPN through networkmanager anymore. Last time I used it, it worked perfectly, but I don't use it so often and last time was 2-3 months ago. So I don't know what went wrong, or which package upgrade broke it.

I switched to systemd a month ago, it may or may not be related.

I can still connect from the commandline using the vpn/vpn-disconnect tools.

All that happens is an alert window saying: "The VPN connection '......' failed because there were no valid VPN secrets." And here is the journal:

NetworkManager[355]: <info> Starting VPN service 'vpnc'...
NetworkManager[356]: <info> VPN service 'vpnc' started (org.freedesktop.NetworkManager.vpnc), PID 9214
kernel: tun: Universal TUN/TAP device driver, 1.6
kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
NetworkManager[356]: <info> VPN service 'vpnc' appeared; activating connections
NetworkManager[356]: <error> [1349687970.426748] [nm-vpn-connection.c:1405] get_secrets_cb(): Failed to request VPN secrets #3: (6) No agents were available for this request.
NetworkManager[356]: <info> Policy set 'MYSSIDOMITTED' (wifi0) as default for IPv4 routing and DNS.
NetworkManager[356]: <error> [1349687973.943758] [nm-vpn-connection.c:1405] get_secrets_cb(): Failed to request VPN secrets #3: (6) No agents were available for this request.
NetworkManager[356]: <info> Policy set 'MYSSIDOMITTED' (wifi0) as default for IPv4 routing and DNS.
NetworkManager[356]: <info> VPN service 'vpnc' disappeared

All necessary vpn packages for networkmanager are installed.

Google did not turn up any useful info other than a few year old threads saying "upgrade your networkmanager".

Offline

#2 2012-10-08 14:02:44

neunon
Member
From: Seattle, WA
Registered: 2011-01-25
Posts: 15
Website

Re: Cannot connect to VPN through NetworkManager anymore.

I'm experiencing the same issue:

Oct  8 06:59:45 croesus NetworkManager[294]: <info> Starting VPN service 'openconnect'...
Oct  8 06:59:45 croesus NetworkManager[294]: <info> VPN service 'openconnect' started (org.freedesktop.NetworkManager.openconnect), PID 4363
Oct  8 06:59:45 croesus NetworkManager[294]: <info> VPN service 'openconnect' appeared; activating connections
Oct  8 06:59:45 croesus NetworkManager[294]: <error> [1349704785.901516] [nm-vpn-connection.c:1405] get_secrets_cb(): Failed to request VPN secrets #3: (6) No agents were available for this request.
Oct  8 06:59:45 croesus NetworkManager[294]: <info> Policy set 'Ethernet' (eth0) as default for IPv4 routing and DNS.
Oct  8 06:59:51 croesus NetworkManager[294]: <info> VPN service 'openconnect' disappeared

Connecting with the 'openconnect' binary on the command-line works fine, however.

Offline

#3 2012-10-08 14:28:30

neunon
Member
From: Seattle, WA
Registered: 2011-01-25
Posts: 15
Website

Re: Cannot connect to VPN through NetworkManager anymore.

Hmm. I ssh'd in and killed gnome-shell and started it up again (so I could see messages by gnome-shell printed to stdout/stderr). Turns out I was getting a permissions problem:

Window manager warning: Log level 16: Device activation failed: (32) Not authorized to control networking.

So I created a file in /etc/polkit-1/localauthority/90-mandatory.d with these contents:

[allow-nm-self]
Identity=unix-user:neunon
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Once I rebooted (not sure how to trigger a policykit refresh), VPN via Gnome shell works again.

So now the question is why there's a permissions issue in the first place.

EDIT: Or maybe that's not the whole issue. With the above policykit file I can start the VPN via gnome-shell while gnome-shell is running in an SSH session, but *not* when I run gnome-shell normally.

EDIT redux: I killed gnome-session via gnome-terminal and then started it there, instead of via SSH. It complained about not being able to find nm-openconnect-service.name's auth-dialog binary (it was looking in /usr/lib/gnome-shell instead of /usr/lib/networkmanager). I symlinked it into the gnome-shell path (which feels like a terrible hack). Now the dialog shows up, but it completely breaks when it comes to trying to connect to the VPN. This is aggravating.

Last edited by neunon (2012-10-08 14:48:33)

Offline
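An added example, not part of the post above: a small audit of the old polkit `.pkla` key-file format used in that post, flagging entries that answer `yes` for `ResultAny` or `ResultInactive`, i.e. that authorize callers outside an active local session (such as a process started over SSH) without any prompt. The sample text is constructed; its second entry and the `network` group name are hypothetical.

```python
import configparser

# Constructed sample: the entry from the post plus a narrower, hypothetical one.
SAMPLE_PKLA = """\
[allow-nm-self]
Identity=unix-user:neunon
Action=org.freedesktop.NetworkManager.network-control
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[allow-nm-console-only]
Identity=unix-group:network
Action=org.freedesktop.NetworkManager.network-control
ResultAny=no
ResultInactive=no
ResultActive=yes
"""

# Result keys that cover callers who are not in an active local session
# (ResultAny applies to any caller, including one that came in over SSH).
NON_LOCAL_KEYS = ("ResultAny", "ResultInactive")


def audit_pkla(text):
    """Return findings for entries that authorize without an active local session."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        entry = parser[section]
        broad = [k for k in NON_LOCAL_KEYS if entry.get(k, "").strip() == "yes"]
        if not broad:
            continue
        findings.append({
            "entry": section,
            "identities": [i for i in entry.get("Identity", "").split(";") if i],
            "actions": [a for a in entry.get("Action", "").split(";") if a],
            "granted_without_prompt_for": broad,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_pkla(SAMPLE_PKLA):
        print(finding)
```

Only the first entry is reported; an entry that sets just `ResultActive=yes` limits the grant to the user sitting at the active local session.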

#4 2012-10-08 14:58:13

ijanos
Member
From: Budapest, Hungary
Registered: 2008-03-30
Posts: 443

Re: Cannot connect to VPN through NetworkManager anymore.

Interesting, but the permission issue could be misleading. You don't have to start gnome-shell from terminal to see the output. It is in ~/.xsession-errors and I don't get any messages from gnome-shell there if I try to connect.

Offline

#5 2012-10-08 15:08:39

neunon
Member
From: Seattle, WA
Registered: 2011-01-25
Posts: 15
Website

Re: Cannot connect to VPN through NetworkManager anymore.

.xsession-errors wasn't capturing any messages from gnome-shell, which is why I investigated such a bizarre route to getting more data.

Offline

#6 2012-10-08 15:13:24

ijanos
Member
From: Budapest, Hungary
Registered: 2008-03-30
Posts: 443

Re: Cannot connect to VPN through NetworkManager anymore.

neunon wrote:

.xsession-errors wasn't capturing any messages from gnome-shell, which is why I investigated such a bizarre route to getting more data.

Strange, I'm getting "Window manager warning"-s and various javascript error messages from gnome-shell in that file.

But still, what could be the reason behind this vpn issue? If it really is a polkit issue, how can we debug that?

Offline

#7 2012-10-08 15:18:25

neunon
Member
From: Seattle, WA
Registered: 2011-01-25
Posts: 15
Website

Re: Cannot connect to VPN through NetworkManager anymore.

I'm not sure. It's strange, because the whole Network Manager VPN process works perfectly if I start gnome-shell via SSH (along with my above polkit permissions change), but doesn't work at all when gnome-shell is started locally... I don't know why starting gnome-shell via SSH would change what paths it looks in for 'nm-openconnect-auth-dialog', or why the behavior of the dialog would be different when it does launch it.

Offline

#8 2012-10-08 15:49:07

neunon
Member
From: Seattle, WA
Registered: 2011-01-25
Posts: 15
Website

Re: Cannot connect to VPN through NetworkManager anymore.

Well, I managed to get the auth dialog to show up reliably by applying a couple patches from this Bugzilla: https://bugzilla.gnome.org/show_bug.cgi?id=679212

Still getting breakage in that it's not properly authenticating:

Attempting to connect to redacted:443
Using client certificate '/CN=redacted'
Client certificate expires soon at: Dec  5 02:57:05 2012 GMT
SSL negotiation with somesite.somedomain.com
Connected to HTTPS on somesite.somedomain.com
GET https://somesite.somedomain.com/
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with somesite.somedomain.com
Connected to HTTPS on somesite.somedomain.com
GET https://somesite.somedomain.com/+webvpn+/index.html
GET https://somesite.somedomain.com/CACHE/sdesktop/install/binaries/sfinst
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://somesite.somedomain.com/+CSCOE+/sdesktop/wait.html
Failed to read from SSL socket
Error fetching HTTPS response

This behavior is not what I'm getting from the command-line client, of course, so... still digging.

Offline

#9 2012-10-08 16:13:51

neunon
Member
From: Seattle, WA
Registered: 2011-01-25
Posts: 15
Website

Re: Cannot connect to VPN through NetworkManager anymore.

It was breaking on running the "CSD" binary ("Cisco Secure Desktop" a.k.a. "Cisco Trojan"). Something's weird about how openconnect invokes the binary, because I added a simple wrapper script for it (openconnect has the option to use one, I hadn't ever used it before):

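#!/bin/bash -x
# Wrapper for the CSD binary: the first argument is the path to the binary,
# the remaining arguments are passed through to it.
# Redirections apply left to right: stderr is pointed at the current stdout,
# then stdout is sent to /dev/null.
exec 2>&1 > /dev/null
CSD_BINARY="$1"
shift
"$CSD_BINARY" "$@"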

This seemingly meaningless shell script makes the CSD binary execute successfully and then the VPN can connect correctly. The thing breaks terribly if I just do 'exec $CSD_BINARY "$@"', and also breaks terribly without the 'exec 2>&1 >/dev/null'. I don't really understand why it works, but it does.

Unfortunately I'm not sure this helps your case with vpnc, since this solution is *extremely* Cisco-centric.

Offline

#10 2012-10-08 20:46:49

ijanos
Member
From: Budapest, Hungary
Registered: 2008-03-30
Posts: 443

Re: Cannot connect to VPN through NetworkManager anymore.

Well, at least I found out that it is a gnome-shell issue. I think I will wait for gnome 3.6 to hit the repos, and see what happens then.

I can use the command line vpnc until then.

Offline

#11 2012-10-24 19:40:54

wavded
Member
Registered: 2012-04-16
Posts: 8

Re: Cannot connect to VPN through NetworkManager anymore.

ijanos, unfortunately I am using 3.6 from testing and this exists (seems to have worked fine before that). I'll try the command line vpnc.

Offline

#12 2012-10-31 12:33:10

ijanos
Member
From: Budapest, Hungary
Registered: 2008-03-30
Posts: 443

Re: Cannot connect to VPN through NetworkManager anymore.

wavded wrote:

ijanos, unfortunately I am using 3.6 from testing and this exists (seems to have worked fine before that). I'll try the command line vpnc.

Indeed. I've also upgraded to gnome 3.6 and the problem still exists.

I am really annoyed by this regression, it worked flawlessly in the past, and I have no idea what causes it, or where I should report it. (Is it a gnome bug, a networkmanager bug or is something fishy with the vpn client?)

Offline

#13 2012-11-02 21:19:30

michaels
Member
Registered: 2012-10-17
Posts: 20

Re: Cannot connect to VPN through NetworkManager anymore.

I also had the issue of vpnc not working after upgrade to 3.6. Removing consolekit seems to have solved the problem, now it's working again for me (so far...).

Offline

#14 2012-11-02 21:24:06

ijanos
Member
From: Budapest, Hungary
Registered: 2008-03-30
Posts: 443

Re: Cannot connect to VPN through NetworkManager anymore.

michaels wrote:

I also had the issue of vpnc not working after upgrade to 3.6. Removing consolekit seems to have solved the problem, now it's working again for me (so far...).

I removed consolekit right after the upgrade... it has something to do with permissions but I cannot figure out what exactly.

Offline

#15 2012-11-14 18:36:41

dejavu
Member
Registered: 2008-05-26
Posts: 103

Re: Cannot connect to VPN through NetworkManager anymore.

Also doesn't work in my gnome-shell.
Have to use vpnc cli client for now...

Offline

#16 2012-11-21 14:24:09

masteinhauser
Member
Registered: 2012-11-21
Posts: 1

Re: Cannot connect to VPN through NetworkManager anymore.

I too am having the same issues as dejavu. I can only use vpnc from the cli client.

ConsoleKit is removed. This definitely broke when I upgraded to systemd as it was working previously on GNOME Shell 3.6 before the systemd upgrade.

Offline

#17 2012-12-02 12:53:18

heiko
Member
Registered: 2012-04-09
Posts: 9

Re: Cannot connect to VPN through NetworkManager anymore.

I've had the same problem but at least found a solution that works for me (with some drawbacks).

Nm-applet redirects the secrets request to GNOME Shell (when version >= 3.4 is detected), which apparently is not able to handle this without ConsoleKit.

The following patch prevents nm-applet from redirecting the request (as it is done for GNOME Shell version <3.4): fix-vpn-secret-request.patch
I also created a new pkgbuild with the above patch included: network-manager-applet.tar.xz (I didn't change pkgname or pkgver as I consider this being only for testing).

I don't think this is an appropriate final solution but it may help to identify the problem and works as a temporary fix. The drawbacks that I noticed so far are that the nm-applet shows a second icon when a VPN connection is established (this may be rather related to another problem I have with my icons and themes) and that there is no message in the notification area about the successful connection.

I've no idea if this is an Arch related or upstream problem, nor if the problem is in gnome-shell, network-manager-applet or anywhere else.

Please try and report if it works for you, too.

Last edited by heiko (2012-12-12 00:12:25)

Offline

#18 2012-12-12 00:12:48

heiko
Member
Registered: 2012-04-09
Posts: 9

Re: Cannot connect to VPN through NetworkManager anymore.

Easier solution that also works for me here. Make sure to exchange 'openconnect' with 'vpnc' when creating the symlink.

Offline

#19 2012-12-12 08:53:52

ijanos
Member
From: Budapest, Hungary
Registered: 2008-03-30
Posts: 443

Re: Cannot connect to VPN through NetworkManager anymore.

heiko wrote:

Easier solution that also works for me here. Make sure to exchange 'openconnect' with 'vpnc' when creating the symlink.

Wow, it works! Great, now where do we report the bug? Is it a packaging bug, and the symlink should be provided by the package or is it just an ugly workaround, I can't tell.

Offline
