Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

Thomas Glanzmann thomas at glanzmann.de
Sun Jan 12 04:14:24 EST 2014


Hello Nikos,

> It makes sense. I've now set up a cookie to save the username across
> connections and restart authentication when present. Can you confirm it
> solves the issue (or at least that there is some process)?

when I try to connect now I get the following error message:

The service provider in your current location is restricting access to
the Internet. You need to log on with the service provider before you
can establish a VPN session. You can try this by visting any website
with your browser.

Of course I'm at home and have full internet access. Also the client
periodically retries every 3 seconds or so.

(infra) [~/work/ocserv] /local/ocserv-bisect/sbin/ocserv -f -d -c /local/ocserv/etc/config --http-debug
listening (TCP) on 78.47.70.72:443...
listening (UDP) on 78.47.70.72:443...
ocserv[1999]: sec-mod initialized (socket: /var/run/ocserv-socket.1998)
ocserv[1998]: [main] initialized ocserv 0.3.0pre0
ocserv[2000]: 212.114.206.182:49228 accepted connection
ocserv[1999]: sec-mod received request from pid 2000 and uid 65534
ocserv[2000]: 212.114.206.182:49228 sending message 6 to main
ocserv[2000]: 212.114.206.182:49228 TLS handshake completed
ocserv[1998]: 212.114.206.182:49228 main received message 6 of 258 bytes
ocserv[2000]: 212.114.206.182:49228 HTTP: User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.05152
ocserv[2000]: 212.114.206.182:49228 HTTP: Host: 78.47.70.72
ocserv[2000]: 212.114.206.182:49228 HTTP: Content-Length: 0
ocserv[2000]: 212.114.206.182:49228 HTTP: Connection: Close
ocserv[2000]: 212.114.206.182:49228 HTTP: User-Agent: AnyConnect Agent 3.1.05152
ocserv[2000]: 212.114.206.182:49228 HTTP: X-Transcend-Version: 1
ocserv[2000]: 212.114.206.182:49228 HTTP GET /
ocserv[1998]: 212.114.206.182:49228 handle_commands:378: command socket closed
< RETRY here
ocserv[2002]: 212.114.206.182:49229 accepted connection
ocserv[1999]: sec-mod received request from pid 2002 and uid 65534
ocserv[2002]: 212.114.206.182:49229 sending message 6 to main
ocserv[2002]: 212.114.206.182:49229 TLS handshake completed
ocserv[1998]: 212.114.206.182:49229 main received message 6 of 258 bytes
ocserv[2002]: 212.114.206.182:49229 HTTP: User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.05152
ocserv[2002]: 212.114.206.182:49229 HTTP: Host: 78.47.70.72
ocserv[2002]: 212.114.206.182:49229 HTTP: Content-Length: 0
ocserv[2002]: 212.114.206.182:49229 HTTP: Connection: Close
ocserv[2002]: 212.114.206.182:49229 HTTP: User-Agent: AnyConnect Agent 3.1.05152
ocserv[2002]: 212.114.206.182:49229 HTTP: X-Transcend-Version: 1
ocserv[2002]: 212.114.206.182:49229 HTTP GET /
ocserv[1998]: 212.114.206.182:49229 handle_commands:378: command socket closed
< RETRY here
ocserv[2004]: 212.114.206.182:49230 accepted connection
ocserv[1999]: sec-mod received request from pid 2004 and uid 65534
ocserv[2004]: 212.114.206.182:49230 sending message 6 to main
ocserv[2004]: 212.114.206.182:49230 TLS handshake completed
ocserv[1998]: 212.114.206.182:49230 main received message 6 of 258 bytes
ocserv[2004]: 212.114.206.182:49230 HTTP: User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.05152
ocserv[2004]: 212.114.206.182:49230 HTTP: Host: 78.47.70.72
ocserv[2004]: 212.114.206.182:49230 HTTP: Content-Length: 0
ocserv[2004]: 212.114.206.182:49230 HTTP: Connection: Close
ocserv[2004]: 212.114.206.182:49230 HTTP: User-Agent: AnyConnect Agent 3.1.05152
ocserv[2004]: 212.114.206.182:49230 HTTP: X-Transcend-Version: 1
ocserv[2004]: 212.114.206.182:49230 HTTP GET /
ocserv[1998]: 212.114.206.182:49230 handle_commands:378: command socket closed

I tapped in the SSL using socat and saw the following:

GET / HTTP/1.0
User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.05152
Host: 78.47.70.72
Content-Length: 0
Connection: Close
User-Agent: AnyConnect Agent 3.1.05152
X-Transcend-Version: 1

HTTP/1.0 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 209
X-Transcend-Version: 1

<?xml version="1.0" encoding="UTF-8"?>
<auth id="main">
<message>Please enter your username</message>
<form method="post" action="/auth">
<input type="text" name="username" label="Username:" />
</form></auth>

If you need access to the anyconnect client for Windows or to a Windows 7
virtual machine with 'anyconnect' installed on it, raise the word and I'll
immediately provide one for you.

If you do not have Windows, you can install rdesktop or freerdp and connect to
one of my VMs. The only thing you have to make sure is that you don't push a
default route, otherwise you knock yourself out.

Cheers,
        Thomas
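
Added example, not part of the original message and not ocserv code: a triage helper that groups ocserv debug lines by client ip:port and reports client IPs with repeated sessions that complete TLS, send only "GET /" and are then closed, the pattern visible in the log above. The sample input is constructed; the "HTTP POST /auth" log line for the made-up client 192.0.2.10 is an assumed format modelled on the "HTTP GET /" lines.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^ocserv\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$")
REQ_RE = re.compile(r"^HTTP (GET|POST) (\S+)$")

def parse_sessions(log):
    """Group per-connection lines by client ip:port, in order of first appearance."""
    sessions = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # sec-mod lines and markers such as "< RETRY here"
        key = (m["ip"], int(m["port"]))
        s = sessions.setdefault(key, {"ip": m["ip"], "port": int(m["port"]),
                                      "tls": False, "requests": [], "closed": False})
        msg = m["msg"]
        if msg == "TLS handshake completed":
            s["tls"] = True
        elif req := REQ_RE.match(msg):
            s["requests"].append((req[1], req[2]))
        elif msg.endswith("command socket closed"):
            s["closed"] = True
    return list(sessions.values())

def retry_loops(sessions, min_repeats=3):
    """Map client IP -> longest run of sessions that closed after a lone GET /."""
    run, longest = defaultdict(int), defaultdict(int)
    for s in sessions:
        stalled = s["tls"] and s["closed"] and s["requests"] == [("GET", "/")]
        run[s["ip"]] = run[s["ip"]] + 1 if stalled else 0
        longest[s["ip"]] = max(longest[s["ip"]], run[s["ip"]])
    return {ip: n for ip, n in longest.items() if n >= min_repeats}

def _lines(pid, peer, requests):
    # Builds one session in the line format shown in the message above.
    body = "".join(f"ocserv[{pid}]: {peer} HTTP {r}\n" for r in requests)
    return (f"ocserv[{pid}]: {peer} accepted connection\n"
            f"ocserv[{pid}]: {peer} TLS handshake completed\n" + body +
            f"ocserv[1998]: {peer} handle_commands:378: command socket closed\n")

# Constructed sample: three sessions abridged from the log above, plus one
# made-up client (192.0.2.10) whose "HTTP POST /auth" line is an assumed format.
SAMPLE_LOG = "".join(_lines(2000 + 2 * i, f"212.114.206.182:{49228 + i}", ["GET /"])
                     + "< RETRY here\n" for i in range(3))
SAMPLE_LOG += _lines(2010, "192.0.2.10:50000", ["GET /", "POST /auth"])

if __name__ == "__main__":
    print(retry_loops(parse_sessions(SAMPLE_LOG)))
```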


