OpenConnect suddenly cannot connect to VPN server: refreshes wait.html forever

Kaj Magnus Lindberg kajmagnus79 at gmail.com
Wed Nov 5 22:38:40 PST 2014


Hi,

(I posted this question at SuperUser.com [1] yesterday, but no reply
thus far, so I thought I should ask the mailing list; it seems to be
the official help channel.)

In the past I could connect to a certain Cisco VPN server. I've been
away travelling for 7 weeks, and now I'm back home, but no longer able
to connect to the VPN server. Now the server suddenly asks me to run a
'Cisco Secure Desktop' trojan, and I've configured OpenConnect to do
this (both via a GUI dialog, and the `--csd-user` command line option
to `openconnect`), still I'm no longer able to get the VPN connection
working.

The VPN connection log ends with these four lines repeated over and over again:
```
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
```

Do you have any idea about what's happening or how I can fix this?

Would you guess that the problem is a VPN server side configuration
change? The 'Cisco Secure Desktop' script perhaps? The VPN server has
never asked me to run the 'Cisco Secure Desktop' script before, when I
was able to connect. — Or do you think my OS has upgraded OpenConnect
to a somehow incompatible version?

Other people are able to connect to the VPN server — they use Mac or
Windows, not Linux, though.
My OS: Linux Mint 17. OpenConnect version v5.02.

Things I've tested:

1. I read at:  https://bbs.archlinux.org/viewtopic.php?pid=1172567#p1172567
that I could wrap the 'Cisco Secure Desktop' script in a shell script,
via the `--csd-wrapper` option; the suggested script looks like below,
but running it had no effect.
```
#!/bin/bash -x
exec 2>&1 > /dev/null
CSD_BINARY="$1"
shift
$CSD_BINARY "$@"
```

2. I read at:
http://lists.infradead.org/pipermail/openconnect-devel/2013-July/001119.html
that the `--no-xmlpost` flag might help; it didn't have any effect though.

3. I read at:  http://lists.infradead.org/pipermail/openconnect-devel/2013-July/001117.html
that the 'Cisco Secure Desktop' script might need 32-bit support, but
apparently my OS already has that:
```
$ dpkg --print-foreign-architectures
i386
```

Someone else has encountered the same problem:
http://nerdanswer.com/answer.php?q=327709
(It's a ServerFault question, but it was apparently deleted at
ServerFault, off-topic over there I'd guess. There were no answers to
the question.)

Here's the full OpenConnect log:
```
POST https://vpn.server.com/
Attempting to connect to server 111.222.333.444:443
Using client certificate 'My-Full-Name'
Adding supporting CA 'TC TrustCenter Class 2 L1 CA XI'
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.server.com/
Attempting to connect to server 111.222.333.444:443
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.server.com/+webvpn+/index.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
GET https://vpn.server.com/CACHE/sdesktop/install/binaries/sfinst
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
(... continues forever)
```

Thanks for your time and any help,
Best regards,
KajMagnus

[1]: http://superuser.com/questions/836157/openconnect-cannot-connect-to-vpn-server-refreshes-wait-html-forever


