Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

Kevin Cernekee cernekee at gmail.com
Sun Jan 12 02:22:09 EST 2014


On Sat, Jan 11, 2014 at 10:52 PM, Thomas Glanzmann <thomas at glanzmann.de> wrote:
>> > User-Agent: AnyConnect Windows 3.0.07059
>
>> If ocserv requires XML POST submissions, I would suggest tweaking the
>> ocserv XML output so that it more closely resembles the structure of
>> the document shown above.  However, requiring XML POST does break
>> compatibility with AnyConnect <=v2.5.
>
> we can use the User-Agent header to distinguish, sending the legacy
> challenge for the old clients and the XML for the newer anyconnect
> clients.

It should be possible to tell from the very first client transmission,
as the new data format is distinctive.

Also, I believe AnyConnect <=2.5 is guaranteed not to send the
X-Aggregate-Auth: or X-AnyConnect-Platform: headers.

FWIW, the ASA uses the latter header to match up its installed
AnyConnect *.img files to the client.  If the server's copy of the
web-deploy image for that platform (linux, linux-64, win, ...) is
<=2.5, it will force legacy mode, even if the client software is
>=3.0.  Likewise, if the server does not recognize the
X-AnyConnect-Platform: value because it has no installed web-deploy
package for that client, it will also force legacy mode.

But there is no reason to put all of that convoluted logic in ocserv...

> However my assumption is that the problem is not the
> format being used, but the fact that newer AnyConnect versions use
> multiple TCP connections instead of one. One for the username and one
> for the password which is killing the state machine in
> src/worker-auth.c.

I agree that this looks like a likely culprit for the problem you
reported.  I played around with "openconnect --no-http-keepalive" and
also saw problems using ocserv with plain authentication.
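As an added illustration (constructed here, not ocserv code or anything posted in this thread) of the detection heuristics discussed above: a server can classify the client from its first request by treating the presence of X-Aggregate-Auth: or X-AnyConnect-Platform:, or an XML body, as a new-style client, and only fall back to the User-Agent version when those signals are absent. The sample requests, paths, header values and the assumption that the new-style body begins with an XML declaration are all constructed.

```python
"""Classify an AnyConnect client's first HTTPS request as 'legacy' or 'xml'.

Heuristics taken from the thread (constructed example, not ocserv code):
  * AnyConnect <=2.5 never sends X-Aggregate-Auth: or X-AnyConnect-Platform:
  * newer clients POST an XML (aggregate-auth) document, assumed here to
    start with an XML declaration
  * the User-Agent version is only a fallback, since it is client-supplied
"""
import re


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def anyconnect_version(user_agent: str):
    """Return (major, minor) from e.g. 'AnyConnect Windows 3.0.07059', else None."""
    m = re.search(r"AnyConnect \S+ (\d+)\.(\d+)", user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def auth_mode(raw: bytes) -> str:
    """'xml' for aggregate-auth (3.x) clients, 'legacy' for <=2.5 style clients."""
    _, headers, body = parse_request(raw)
    # Strongest signal: headers the old clients are said never to send.
    if "x-aggregate-auth" in headers or "x-anyconnect-platform" in headers:
        return "xml"
    # Next: the new data format is distinctive (assumed: XML declaration).
    if body.lstrip().startswith(b"<?xml"):
        return "xml"
    # Last resort: client-reported version, which can be absent or spoofed.
    ver = anyconnect_version(headers.get("user-agent", ""))
    return "xml" if ver is not None and ver >= (3, 0) else "legacy"


# Constructed sample requests (paths, hosts and values are made up).
LEGACY_REQ = (b"POST /webvpn.html HTTP/1.1\r\nHost: vpn.example.com\r\n"
              b"User-Agent: AnyConnect Windows 2.5.2014\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"username=alice&password=REDACTED")
NEW_REQ = (b"POST / HTTP/1.1\r\nHost: vpn.example.com\r\n"
           b"User-Agent: AnyConnect Windows 3.0.07059\r\n"
           b"X-Aggregate-Auth: 1\r\nX-AnyConnect-Platform: win\r\n\r\n"
           b"<?xml version=\"1.0\" encoding=\"UTF-8\"?><config-auth/>")
```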



More information about the openconnect-devel mailing list