Pulse secure "Unexpected IF-T/TLS packet when expecting configuration"

Daniel Lenski dlenski at gmail.com
Mon Oct 12 13:20:13 EDT 2020


On Sun, Oct 11, 2020 at 11:11 AM Aiden Foxx <aiden.foxx.mail at gmail.com> wrote:
>
> I can successfully authenticate to a pulse secure network, but after
> that openconnect errors out with:
>
> > 0000:  00 00 55 97 00 00 00 06  00 00 00 20 00 00 00 05  |..U........ ....|
> > 0010:  00 0a 4c 01 02 04 00 0c  fe 00 0a 4c 00 00 00 01  |..L........L....|
> Unexpected IF-T/TLS packet when expecting configuration.
> < 0000:  00 00 0a 4c 00 00 00 83  00 00 00 1a 00 00 01 fb  |...L............|
> < 0010:  65 70 45 76 74 3d 72 65  0a 00                    |epEvt=re..|
> Unexpected IF-T/TLS packet when expecting configuration.
> < 0010:  70 66 77 65 3d 30 20 65  70 45 76 74 3d 70 65 0a  |pfwe=0 epEvt=pe.|
> < 0020:  00                                                |.|
> Unexpected IF-T/TLS packet when expecting configuration.
> < 0000:  00 00 0a 4c 00 00 00 83  00 00 00 29 00 00 01 fd  |...L.......)....|
> < 0010:  68 74 3d 31 38 30 30 20  68 69 3d 39 30 30 20 65  |ht=1800 hi=900 e|
> < 0020:  70 45 76 74 3d 72 63 0a  00                       |pEvt=rc..|
> Unexpected IF-T/TLS packet when expecting configuration.
> < 0000:  00 00 0a 4c 00 00 00 83  00 00 00 1a 00 00 01 fe  |...L............|
> < 0010:  65 70 45 76 74 3d 63 69  0a 00                    |epEvt=ci..|
> Unexpected IF-T/TLS packet when expecting configuration.
> < 0000:  00 00 0a 4c 00 00 00 83  00 00 00 56 00 00 01 ff  |...L.......V....|
> < 0010:  64 70 3d 2f 64 61 6e 61  2d 63 61 63 68 65 64 2f  |dp=/dana-cached/|
> < 0020:  65 70 2f 45 50 41 67 65  6e 74 53 65 74 75 70 2e  |ep/EPAgentSetup.|
> < 0030:  65 78 65 2e 63 61 62 20  65 70 45 76 74 3d 69 76  |exe.cab epEvt=iv|
> < 0040:  20 70 76 3d 31 2e 30 2e  30 2e 31 20 76 72 3d 35  | pv=1.0.0.1 vr=5|
> < 0050:  31 31 31 33 0a 00                                 |1113..|
>
> I searched the filename of the last packet and found it was related to
> some Juniper host checking software, for ensuring certain software is
> installed. Is there any support for this in openconnect, or any way
> around the issue?

See https://gitlab.com/openconnect/openconnect/-/issues/120#note_334010594

The short summary is that OpenConnect doesn't yet support TNCC/Host
Checker in Pulse mode. However, many Pulse VPNs can connect using the
older Juniper NC protocol (it appears that your VPN administrator has
to explicitly disable it for this not to be the case). So try
connecting with `--protocol=nc` instead. If that works, great.

If not… help us understand the Pulse authentication protocol and TNCC
process better so that we can develop support for it :)

Dan
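
Added example (not part of the original message and not OpenConnect code): a small decoder for the hex dumps quoted above, which reassembles each packet and splits it into the 16-byte IF-T/TLS header and its text payload. The function names are hypothetical; the header layout (reserved byte plus 3-byte vendor ID, then type, length and sequence number) follows the TCG IF-T/TLS binding, and reading the payload as space-separated `key=value` text is an assumption drawn only from the packets visible in this thread.

```python
import re
import struct

# Constructed sample: two received packets copied from the debug output quoted above.
SAMPLE = """\
< 0000:  00 00 0a 4c 00 00 00 83  00 00 00 29 00 00 01 fd  |...L.......)....|
< 0010:  68 74 3d 31 38 30 30 20  68 69 3d 39 30 30 20 65  |ht=1800 hi=900 e|
< 0020:  70 45 76 74 3d 72 63 0a  00                       |pEvt=rc..|
Unexpected IF-T/TLS packet when expecting configuration.
< 0000:  00 00 0a 4c 00 00 00 83  00 00 00 1a 00 00 01 fe  |...L............|
< 0010:  65 70 45 76 74 3d 63 69  0a 00                    |epEvt=ci..|
"""

# Direction marker, 4-digit offset, hex bytes, then the ASCII column.
DUMP_LINE = re.compile(r"([<>]) ([0-9a-f]{4}):\s+((?:[0-9a-f]{2}\s+)+)\|")

def packets_from_dump(text):
    """Reassemble packets from dump lines (hypothetical helper)."""
    packets, buf = [], None
    for line in text.splitlines():
        m = DUMP_LINE.search(line)
        if not m:
            continue
        offset, chunk = int(m.group(2), 16), bytes.fromhex(m.group(3))
        if offset == 0:                      # offset 0000 starts a new packet
            buf = bytearray(chunk)
            packets.append(buf)
        elif buf is not None and offset == len(buf):
            buf.extend(chunk)
        else:                                # first line missing: not decodable
            buf = None
    return [bytes(p) for p in packets]

def decode(pkt):
    """Split one packet into header fields and payload attributes."""
    if len(pkt) < 16:
        raise ValueError("shorter than the 16-byte IF-T/TLS header")
    # 1 reserved byte + 3-byte vendor ID, then type, length, sequence (big-endian)
    vendor, mtype, length, seq = struct.unpack(">IIII", pkt[:16])
    if length != len(pkt):                   # length field counts the header too
        raise ValueError(f"length field {length} != {len(pkt)} bytes captured")
    # Assumption from the dump: payload is space-separated key=value text + "\n\0"
    body = pkt[16:].rstrip(b"\n\x00").decode("ascii", "replace")
    attrs = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
    return {"vendor": vendor & 0xFFFFFF, "type": mtype, "seq": seq, "attrs": attrs}

if __name__ == "__main__":
    for p in packets_from_dump(SAMPLE):
        print(decode(p))
```

The vendor value 0x0a4c in these packets equals 2636, Juniper's IANA enterprise number; dump fragments that begin at an offset other than 0000, like one in the quoted output, are skipped rather than guessed at.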