Openconnect no-xmlpost

Peter Magnusson pet.magnusson at gmail.com
Tue Nov 4 02:15:54 PST 2014


Hi,

I've been trying to use OpenConnect to connect to our Cisco VPN server
for a couple of days and I'm having some trouble.

I'm using my smartcard for authentication and the VPN server requires
me to perform a hostscan before letting me in.

I'm trying this on RHEL7 with version:
OpenConnect version v6.00
Using GnuTLS. Features present: TPM, PKCS#11, RSA software token, HOTP
software token, TOTP software token, DTLS (using OpenSSL)

I've been using this guide http://blog.yunak.eu/2013/07/19/openconnect/
to get the hostscan (CSD) parts to work; the wrapper script is copied
from there. And this guide for the smartcard parts:
http://www.gooze.eu/forums/support/howto-connect-to-cisco-anyconnect-vpn-using-openconnect-and-pki-token

The command I'm running is this:
sudo openconnect -c 'pkcs11:<PKCS11-PATH>' --csd-user=MYUSER -v
--csd-wrapper=./script/ciscowrapper.sh https://vpn.smhi.se

This works: I get a prompt asking for my PIN code (for the smartcard)
and then it asks which group I belong to. When I've entered that
information I get connected. Then I disconnect and try again, and this
time it does not work (exact same command). Output is this; it loops
indefinitely:

PIN required for Instant EID IP8 (identification)
Enter PIN:
Using client certificate 'MYUSER'
Adding supporting CA 'MYCA'
SSL negotiation with vpn.xyz.com
Connected to HTTPS on vpn.xyz.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 04 Nov 2014 09:48:11 GMT
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
GET https://vpn.xyz.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.xyz.com
Connected to HTTPS on vpn.xyz.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 04 Nov 2014 09:48:12 GMT
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.xyz.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.xyz.com
Connected to HTTPS on vpn.xyz.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 04 Nov 2014 09:48:14 GMT
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.smhi.se/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.xyz.com
Connected to HTTPS on vpn.xyz.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close

This goes on forever until I press Ctrl+C, then it says:
Socket connect cancelled
Failed to reconnect to host vpn.smhi.se
Failed to open HTTPS connection to vpn.smhi.se
Failed to obtain WebVPN cookie

In the server logs it says "Certificate was succesfully validated"
over and over each time it loops through the parts above. Nothing more.

The interesting part is that if I wait for exactly 2 minutes and try
again, it will work again like it did the first time. So this seems
like a timeout of some sort.

However, if I try the openconnect command with --no-xmlpost it works
perfectly every time. The problem is that in the next step I would
like to use the OpenConnect NetworkManager plugin and this does not
seem to have support for the --no-xmlpost flag. Also the manual
(http://www.infradead.org/openconnect/manual.html) says to report if
the --no-xmlpost flag is needed.

Can anyone give me any suggestions as to why this is not working as
expected? Please let me know if I can provide any more information.


Best regards
Peter
