Juniper connection failure - is it the host checker?

cartley at comcast.net
Sat Oct 3 08:10:47 PDT 2015


Hello, I've been successfully using openconnect-7.06 to connect to my company's Juniper VPN from Ubuntu 14.04, until recently. I want to know what to try next, but the error messages are unclear to me. It was working with two-factor authentication (the first password prompt below is an OTP). That hasn't changed. But I wonder if it is now requiring the host checker.

I've attached the log below. What should I try next? The tncc-wrapper.py and tncc-preload.so? So far I haven't been able to build the tncc-preload.so. But before I try again, it would be good to know that I'm actually on the right track.

  -craig

myuser at maple:~$ sudo ~/openconnect-7.06/openconnect \
> --juniper \
> --no-cert-check \
> --user=user1234 \
> --script=~myuser/vpnc/vpnc-script.myuser \
> https://connect.evilcorp.com/nonwindowstfa
[sudo] password for myuser:
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://connect.evilcorp.com/nonwindowstfa
Attempting to connect to server 123.234.56.78:443
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
Got HTTP response: HTTP/1.1 302 Found
GET https://connect.evilcorp.com/dana-na/auth/url_14/welcome.cgi
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
frmLogin
password:862452
POST https://connect.evilcorp.com/dana-na/auth/url_14/login.cgi
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
Got HTTP response: HTTP/1.1 302 Moved
GET https://connect.evilcorp.com/dana-na/auth/url_14/welcome.cgi?p=more-cred&id=state_1184c27a0a482c7c8a9ec3a1c88cd1c9
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
frmLogin
password#2:
POST https://connect.evilcorp.com/dana-na/auth/url_14/login.cgi
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
Got HTTP response: HTTP/1.1 302 Moved
GET https://connect.evilcorp.com/dana-na/auth/remediate.cgi?step=rolecheck&stateId=state_9984c27a0a482c7c8a9ec3a1c88cd1c9&realmId=15&rolesremaining=0&realmsremaining=1
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
Got HTTP response: HTTP/1.1 302 Moved
GET https://connect.evilcorp.com/dana-na/auth/login.cgi?key=state_9984c27a0a482c7c8a9ec3a1c88cd1c9&RoleSkipRemediate=1
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
Got HTTP response: HTTP/1.1 302 Moved
GET https://connect.evilcorp.com/dana-na/auth/url_14/welcome.cgi?p=no-roles
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
Got HTTP response: HTTP/1.1 302 Moved
GET https://connect.evilcorp.com/dana-na/auth/remediate.cgi?step=installfail&signinId=url_14&realmsremaining=0&p=no-roles
SSL negotiation with connect.evilcorp.com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on connect.evilcorp.com
Unknown form ID 'frm'
Dumping unknown HTML form:
<form id="frm_142" name="frm" action="remediate.cgi">

    <input id="action_31" type="hidden" name="action" value="">

    <input id="signinId_2" type="hidden" name="signinId" value="url_14">
    <input id="realmId_10" type="hidden" name="realmId" value="">
    <input id="executedStep_2" type="hidden" name="executedStep" value="installfail">
    <input id="stateId_8" type="hidden" name="stateId" value="">
    <input id="p_16" type="hidden" name="p" value="no-roles">

    <input id="showContinue_2" type="hidden" name="showContinue" value="0">
    <input id="showRemedOption_2" type="hidden" name="showRemedOption" value="0">

    <input id="hostcheckTS_2" type="hidden" name="hostcheckTS" value="">
    <input id="totalseconds_2" type="hidden" name="totalseconds" value="">

    <input id="executedAction_2" type="hidden" name="executedAction" value="">
</form>Failed to obtain WebVPN cookie



More information about the openconnect-devel mailing list