Available for support for F5 + MFA

Antonio Petrelli antonio.petrelli at gmail.com
Wed Aug 4 10:56:57 PDT 2021


On Wed, 4 Aug 2021 at 19:40 Antonio Petrelli
<antonio.petrelli at gmail.com> wrote:

> OMG IT WORKED! It seems that the error before happens sometimes, but
> it happens anyway sometimes because something is wrong server side.
> Wait a bit, ignore the previous email, in the next one I will post another log.

I have good news and bad news.
The good news is that I managed to make it work.
The bad news is that it works only if I connect via original f5vpn,
disconnect, then launch openconnect.
Probably the culprit is the access token.
What to do now?

So here's the log, I hope I edited all the needed things :-D

Thanks
Antonio

---------------------

GET https://<corporate-vpn-host-name>/vdesk/vpn/index.php3?outform=xml&client_version=2.0
Attempting to connect to server 77.241.209.42:443
Connected to 77.241.209.42:443
SSL negotiation with <corporate-vpn-host-name>
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on <corporate-vpn-host-name> with ciphersuite
TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /vdesk/vpn/index.php3?outform=xml&client_version=2.0 HTTP/1.1
> Host: <corporate-vpn-host-name>
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> Cookie: MRHSession=<mrhsession-cookie>
>
Got HTTP response: HTTP/1.1 200 OK
Server: BigIP
Content-Type: text/xml; charset=utf-8
Accept-Ranges: bytes
Connection: close
Date: Wed, 04 Aug 2021 17:40:13 GMT
Age:     173
Content-Length:        334
X-Frame-Options: DENY
Cache-Control: no-store
HTTP body length:  (334)
EPOLL_CTL_DEL: File o directory non esistente
< <?xml version="1.0" encoding="utf-8"?>
< <favorites type="VPN" limited="YES">
< <favorite id="/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA">
< <caption>SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA</caption>
< <name>/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA</name>
< <params>resourcename=/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA</params>
< </favorite>
< </favorites>
Got profile parameters
'resourcename=/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA'
GET https://<corporate-vpn-host-name>/vdesk/vpn/connect.php3?resourcename=/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA&outform=xml&client_version=2.0
SSL negotiation with <corporate-vpn-host-name>
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on <corporate-vpn-host-name> with ciphersuite
TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /vdesk/vpn/connect.php3?resourcename=/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA&outform=xml&client_version=2.0 HTTP/1.1
> Host: <corporate-vpn-host-name>
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> Cookie: MRHSession=<mrhsession-cookie>
>
Got HTTP response: HTTP/1.1 200 OK
Server: BigIP
Content-Type: text/html; charset=ISO-8859-1
Accept-Ranges: bytes
Connection: close
Date: Wed, 04 Aug 2021 17:40:13 GMT
Age:    5409
Content-Length:       5728
X-Frame-Options: DENY
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Cache-Control: no-store
HTTP body length:  (5728)
EPOLL_CTL_DEL: File o directory non esistente
< <?xml version="1.0" encoding="UTF-8" ?><favorite>
< <object ID="ur_Host"
CLASSID="CLSID:CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7"
CODEBASE="https://<corporate-vpn-host-name>/vdesk/terminal/urxshost.cab#version=7213,2021,527,649"
WIDTH="320" HEIGHT="240">
<     <ur_UI_URL>https://<corporate-vpn-host-name>/vdesk/webtop/index.html?S=<mrhsession-cookie></ur_UI_URL>
<     <ur_CLSID_URHOST>CLSID:E0FF21FA-B857-45C5-8621-F120A0C17FF2</ur_CLSID_URHOST>
<     <ur_CODEBASE_URHOST>https://<corporate-vpn-host-name>/public/download/urxhost.cab#version=7213,2021,527,649</ur_CODEBASE_URHOST>
<     <ur_CLSID_PROXY>CLSID:6C275925-A1ED-4DD2-9CEE-9823F5FDAA10</ur_CLSID_PROXY>
<     <ur_CODEBASE_PROXY>https://<corporate-vpn-host-name>/public/download/f5tunsrv.cab#version=7213,2021,527,649</ur_CODEBASE_PROXY>
<     <ur_CLSID>CLSID:2BCDB465-81F9-41CB-832C-8037A4064446</ur_CLSID>
<     <ur_CODEBASE>https://<corporate-vpn-host-name>/public/download/urxvpn.cab#version=7213,2021,527,649</ur_CODEBASE>
<     <ur_CLSID_PROXY_9X_NEW>CLSID:6C275925-A1ED-4DD2-9CEE-9823F5FDAA10</ur_CLSID_PROXY_9X_NEW>
<     <ur_CODEBASE_PROXY_9X_NEW>https://<corporate-vpn-host-name>/public/download/f5tunsrv.cab#version=7213,2021,527,649</ur_CODEBASE_PROXY_9X_NEW>
<     <ur_CODEBASE_PortRedirector>https://<corporate-vpn-host-name>/public/download/f5fltsrv.cab#version=7213,2021,527,649</ur_CODEBASE_PortRedirector>
<     <ur_CLSID_PortRedirector>service:F5FltSrv</ur_CLSID_PortRedirector>
<     <resources>https://<corporate-vpn-host-name>/public/download/utunres.cab#2003,6,4,1</resources>
<     <Session_ID><mrhsession-cookie></Session_ID>
<     <ur_SIDHASH><mrhsession-cookie></ur_SIDHASH>
<     <ur_Z>/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA</ur_Z>
<     <ur_name>/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA</ur_name>
<     <host0>127.0.0.1</host0>
<     <port0>44444</port0>
<     <ur_type>VPN</ur_type>
<     <ur_connect>auto</ur_connect>
<     <tunnel_host0><corporate-vpn-host-name></tunnel_host0>
<     <tunnel_port0>443</tunnel_port0>
<     <tunnel_protocol0>https</tunnel_protocol0>
<     <idle_session_timeout>900</idle_session_timeout>
<     <firepassserver0>/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA</firepassserver0>
<     <IPV4_0>1</IPV4_0>
<     <IPV6_0>0</IPV6_0>
<     <tunnel_dtls>1</tunnel_dtls>
<     <tunnel_port_dtls>4433</tunnel_port_dtls>
<     <DNS0><elided></DNS0>
<     <DNS6_0></DNS6_0>
<     <WINS0></WINS0>
<     <DNSSuffix0><elided></DNSSuffix0>
<     <DNSRegisterConnection0>1</DNSRegisterConnection0>
<     <DNSUseDNSSuffixForRegistration0>1</DNSUseDNSSuffixForRegistration0>
<     <SplitTunneling0>1</SplitTunneling0>
<     <LAN0><routing-info-elided> </LAN0>
<     <LAN6_0></LAN6_0>
<     <ExcludeSubnets0> </ExcludeSubnets0>
<     <ExcludeSubnets6_0> </ExcludeSubnets6_0>
<     <DNS_SPLIT0><elided></DNS_SPLIT0>
<     <ExcludeDomainNames0></ExcludeDomainNames0>
<     <AllowLocalSubnetAccess0>1</AllowLocalSubnetAccess0>
<     <AllowLocalDNSServersAccess0>0</AllowLocalDNSServersAccess0>
<     <AllowLocalDHCPAccess0>1</AllowLocalDHCPAccess0>
<
<
<     <ur_DoNotWarnUser>no</ur_DoNotWarnUser>
<     <AppLaunch00>"reconnect_to_domain" </AppLaunch00>
<
<     <ClientForMicrosoftNetworks0>1</ClientForMicrosoftNetworks0>
<     <FileAndPrinterSharingForMicrosoftNetworks0>1</FileAndPrinterSharingForMicrosoftNetworks0>
<     <EnforceDNSOrder0>ON</EnforceDNSOrder0>
<
<
<
<     <ur_disableClientCerts>no</ur_disableClientCerts>
<
<     <DontReportPolicy0>TRUE</DontReportPolicy0>
<     <ProcessTimeout0>-1</ProcessTimeout0>
<     <hdlc_framing>no</hdlc_framing>
<     <AutoReconnectIfDropped0>yes</AutoReconnectIfDropped0>
<     <tcp_reconnect_timeout0>900000</tcp_reconnect_timeout0>
<     <tcp_reconnect_delay0>200</tcp_reconnect_delay0>
<     <TrafficControl0></TrafficControl0>
<     <ur_PowerManagement>0</ur_PowerManagement>
<     <DisplayedBandwidth0>100000000</DisplayedBandwidth0>
<
<     <display_connect_msg0>NO</display_connect_msg0>
<     <ur_NetworkTunnelEnabled>yes</ur_NetworkTunnelEnabled>
<     <ur_OptimizedAppsEnabled>no</ur_OptimizedAppsEnabled>
<     <minimize_after_connect0>YES</minimize_after_connect0>
<     <ur_CtrlChannelEnabled>1</ur_CtrlChannelEnabled>
<     <ur_ISessionEnabled>1</ur_ISessionEnabled>
<     <display_connect_msg_txt0></display_connect_msg_txt0>
<     <display_connect_fallback_msg_txt0></display_connect_fallback_msg_txt0>
<     <display_routing_changes_txt0></display_routing_changes_txt0>
<     <display_process_check_txt0></display_process_check_txt0>
<     <display_registry_check_txt0></display_registry_check_txt0>
<     <display_config_error_txt0></display_config_error_txt0>
<     <display_os_patch_check_txt0></display_os_patch_check_txt0>
<     <display_ie_patch_check_txt0></display_ie_patch_check_txt0>
<     <display_pf_check_txt0></display_pf_check_txt0>
<
< </object>
< </favorite>
<
Idle timeout is 15 minutes
Got DNS server <elided>
Got search domain italy.itroot.adnet
Got SplitTunneling0 value of 1
Got split include route <elided>
...
DTLS is enabled on port 4433
Got ipv4 1 ipv6 0 hdlc 0 ur_Z
'/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA'
UDP SO_SNDBUF: 30000
DTLS handshake failed: 1
139969204090688:error:141E70BF:SSL
routines:tls_construct_client_hello:no protocols
available:../ssl/statem/statem_clnt.c:1112:
Set up UDP failed; using SSL instead
Delaying tunnel with reason: PPP negotiation
SSL negotiation with <corporate-vpn-host-name>
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on <corporate-vpn-host-name> with ciphersuite
TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /myvpn?sess=<mrhsession-cookie>&hdlc_framing=no&ipv4=yes&ipv6=no&Z=/Common/SSL_VPN_Portal_Import-<CORPORATE-ELIDED>_NA&hostname=YW50b25pby1ONTNTVg== HTTP/1.1
> Host: <corporate-vpn-host-name>
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
>
Got HTTP response: HTTP/1.0 200 OK
Content-length: 0
X-VPN-client-IP: <elided>
Got Legacy IP address <elided>
X-VPN-server-IP: 1.1.1.1
TCP_INFO rcv mss 1436, snd mss 1448, adv mss 1448, pmtu 1500
Using base_mtu of 1500
After removing TCP/IPv4 headers, MTU of 1448
After removing protocol specific overhead (10 unpadded, 0 padded, 1
blocksize), MTU of 1438
Requesting calculated MTU of 1438
Sending our LCP/id 1 config request to server
PPP state transition from DEAD to ESTABLISH on TLS channel
Current PPP state: ESTABLISH (encap F5):
    in: asyncmap=0x00000000, lcp_opts=0, lcp_magic=0x00000000,
ipv4=0.0.0.0, ipv6=none
   out: asyncmap=0x00000000, lcp_opts=930, lcp_magic=0x732ed1fa,
ipv4=<elided>, ipv6=none, solicit_peerns=0, got_peerns=0
< 0000:  f5 00 00 1c ff 03 c0 21  01 01 00 18 01 04 05 77  |.......!.......w|
< 0010:  02 06 00 00 00 00 05 06  b9 ff cf 14 07 02 08 02  |................|
Received LCP/id 1 Configure-Request from server
Received MRU 1399 from server. Nak-offering larger MRU of 1438 (our MTU)
Received asyncmap of 0x00000000 from server
Received magic number of 0xb9ffcf14 from server
Received protocol field compression from server
Received address and control field compression from server
Nak LCP/id 1 config from server
Sending PPP LCP Configure-Request packet over TLS (id 1, 26 bytes total)
> 0000:  f5 00 00 16 ff 03 c0 21  01 01 00 12 01 04 05 9e  |.......!........|
> 0010:  05 06 73 2e d1 fa 07 02  08 02                    |..s.......|
Sending PPP LCP Configure-Nak packet over TLS (id 1, 16 bytes total)
> 0000:  f5 00 00 0c ff 03 c0 21  03 01 00 08 01 04 05 9e  |.......!........|
Delaying tunnel with reason: DTLS connection pending
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: PPP negotiation
< 0000:  f5 00 00 16 ff 03 c0 21  02 01 00 12 01 04 05 9e  |.......!........|
< 0010:  05 06 73 2e d1 fa 07 02  08 02                    |..s.......|
Received LCP/id 1 Configure-Ack from server
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: PPP negotiation
< 0000:  f5 00 00 1c ff 03 c0 21  01 02 00 18 01 04 05 9e  |.......!........|
< 0010:  02 06 00 00 00 00 05 06  b9 ff cf 14 07 02 08 02  |................|
Received LCP/id 2 Configure-Request from server
Received MRU 1438 from server. Setting our MTU to match.
Received asyncmap of 0x00000000 from server
Received magic number of 0xb9ffcf14 from server
Received protocol field compression from server
Received address and control field compression from server
Ack LCP/id 2 config from server
Sending our IPCP/id 1 config request to server
PPP state transition from ESTABLISH to OPENED on TLS channel
Current PPP state: OPENED (encap F5):
    in: asyncmap=0x00000000, lcp_opts=384, lcp_magic=0xb9ffcf14,
ipv4=0.0.0.0, ipv6=none
   out: asyncmap=0x00000000, lcp_opts=418, lcp_magic=0x732ed1fa,
ipv4=<elided>, ipv6=none, solicit_peerns=0, got_peerns=0
Sending PPP LCP Configure-Ack packet over TLS (id 2, 32 bytes total)
> 0000:  f5 00 00 1c ff 03 c0 21  02 02 00 18 01 04 05 9e  |.......!........|
> 0010:  02 06 00 00 00 00 05 06  b9 ff cf 14 07 02 08 02  |................|
Sending PPP IPCP Configure-Request packet over TLS (id 1, 16 bytes total)
> 0000:  f5 00 00 0c 80 21 01 01  00 0a 03 06 a1 1b 3d e4  |.....!........=.|
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: PPP negotiation
< 0000:  f5 00 00 0c ff 03 c0 21  09 00 00 08 b9 ff cf 14  |.......!........|
Received LCP/id 0 Echo-Request from server
< 0000:  f5 00 00 0c 80 21 01 01  00 0a 03 06 01 01 01 01  |.....!..........|
Received IPCP/id 1 Configure-Request from server
Received peer IPv4 address 1.1.1.1 from server
Ack IPCP/id 1 config from server
< 0000:  f5 00 00 10 80 57 01 01  00 0e 01 0a 58 92 fc 2f  |.....W......X../|
< 0010:  4f f5 00 8d                                       |O...|
Sending Protocol-Reject for IP6CP. Payload:
> 0000:  01 01 00 0e 01 0a 58 92  fc 2f 4f f5 00 8d        |......X../O...|
< 0000:  f5 00 00 0c 80 21 02 01  00 0a 03 06 a1 1b 3d e4  |.....!........=.|
Received IPCP/id 1 Configure-Ack from server
PPP state transition from OPENED to NETWORK on TLS channel
Current PPP state: NETWORK (encap F5):
    in: asyncmap=0x00000000, lcp_opts=384, lcp_magic=0xb9ffcf14,
ipv4=1.1.1.1, ipv6=none
   out: asyncmap=0x00000000, lcp_opts=418, lcp_magic=0x732ed1fa,
ipv4=<elided>, ipv6=none, solicit_peerns=0, got_peerns=0
Sending PPP LCP Echo-Reply packet over TLS (id 0, 16 bytes total)
> 0000:  f5 00 00 0c ff 03 c0 21  0a 00 00 08 73 2e d1 fa  |.......!....s...|
Sending PPP IPCP Configure-Ack packet over TLS (id 1, 16 bytes total)
> 0000:  f5 00 00 0c 80 21 02 01  00 0a 03 06 01 01 01 01  |.....!..........|
Sending PPP LCP Protocol-Reject packet over TLS (id 2, 28 bytes total)
> 0000:  f5 00 00 18 ff 03 c0 21  08 02 00 14 80 57 01 01  |.......!.....W..|
> 0010:  00 0e 01 0a 58 92 fc 2f  4f f5 00 8d              |....X../O...|
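The hex dumps in the trace above are F5-framed PPP control packets. As an added example (not openconnect's own code and not part of Antonio's message), here is a small Python decoder that turns those dump lines back into the LCP/IPCP fields openconnect reports beside them: the server's MRU of 1399, its magic number 0xb9ffcf14, the peer IPv4 address 1.1.1.1 and the Protocol-Reject for IP6CP. The sample dumps are copied from the trace; the control-packet layout follows RFC 1661/1332/5072, while the 4-byte `f5 00 <len>` framing is an assumption derived from the dump itself rather than from an F5 specification.

```python
"""Decoder for the F5-framed PPP control packets (LCP/IPCP/IP6CP) that appear
as hex dumps in the openconnect trace above. Added example, not openconnect
code; the framing layout is inferred from the dump, not from an F5 document."""
import re
import struct

PPP_PROTOCOLS = {0xC021: "LCP", 0x8021: "IPCP", 0x8057: "IP6CP"}
CP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
            4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
            7: "Code-Reject", 8: "Protocol-Reject", 9: "Echo-Request",
            10: "Echo-Reply"}
# Option types per control protocol (RFC 1661, RFC 1332, RFC 5072).
OPTION_NAMES = {
    "LCP": {1: "MRU", 2: "ACCM", 5: "Magic-Number", 7: "PFC", 8: "ACFC"},
    "IPCP": {3: "IP-Address"},
    "IP6CP": {1: "Interface-Identifier"},
}
FIXED_OPTION_LEN = {"MRU": 2, "ACCM": 4, "Magic-Number": 4, "IP-Address": 4}

# One dump line: direction marker, offset, hex bytes, then the ASCII gutter.
HEX_LINE = re.compile(r"^[<>]\s+[0-9a-f]{4}:\s+([0-9a-f ]+?)\s*\|")

# Constructed samples: dump lines copied verbatim from the trace in this email.
SAMPLE_LCP_REQ = """\
< 0000:  f5 00 00 1c ff 03 c0 21  01 01 00 18 01 04 05 77  |.......!.......w|
< 0010:  02 06 00 00 00 00 05 06  b9 ff cf 14 07 02 08 02  |................|
"""
SAMPLE_IPCP_REQ = """\
< 0000:  f5 00 00 0c 80 21 01 01  00 0a 03 06 01 01 01 01  |.....!..........|
"""
SAMPLE_PROTO_REJ = """\
> 0000:  f5 00 00 18 ff 03 c0 21  08 02 00 14 80 57 01 01  |.......!.....W..|
> 0010:  00 0e 01 0a 58 92 fc 2f  4f f5 00 8d              |....X../O...|
"""


def parse_hexdump(text):
    """Reassemble the raw bytes of one frame from consecutive dump lines."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def _decode_option(proto_name, opt_type, value):
    name = OPTION_NAMES.get(proto_name, {}).get(opt_type, "type-%d" % opt_type)
    want = FIXED_OPTION_LEN.get(name)
    if want is not None and len(value) != want:
        raise ValueError("option %s has length %d, expected %d" % (name, len(value), want))
    if name == "MRU":
        return name, struct.unpack(">H", value)[0]
    if name in ("ACCM", "Magic-Number"):
        return name, struct.unpack(">I", value)[0]
    if name == "IP-Address":
        return name, ".".join(str(b) for b in value)
    if name in ("PFC", "ACFC"):
        return name, True               # boolean options carry no value
    return name, value.hex()


def parse_f5_ppp_frame(frame):
    """Parse one frame: 0xf5 0x00 + big-endian payload length (assumed from the
    dump), an optional HDLC address/control pair 0xff 0x03 (absent once ACFC is
    in effect, except on LCP, which is always sent uncompressed), the 2-byte PPP
    protocol, then the control packet header (code, id, length) and its body."""
    if len(frame) < 4 or frame[:2] != b"\xf5\x00":
        raise ValueError("not an F5-framed packet")
    length = struct.unpack(">H", frame[2:4])[0]
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated frame: header says %d bytes, got %d" % (length, len(payload)))
    off = 2 if payload[:2] == b"\xff\x03" else 0
    proto = struct.unpack(">H", payload[off:off + 2])[0]
    proto_name = PPP_PROTOCOLS.get(proto, "0x%04x" % proto)
    code, ident, plen = struct.unpack(">BBH", payload[off + 2:off + 6])
    body = payload[off + 6:off + 2 + plen]
    if len(body) != plen - 4:
        raise ValueError("control packet length field does not match frame")
    result = {"protocol": proto_name, "code": CP_CODES.get(code, code),
              "id": ident, "hdlc_header": off == 2}
    if code in (1, 2, 3, 4):            # Configure-*: a list of TLV options
        opts, i = {}, 0
        while i + 2 <= len(body):
            t, l = body[i], body[i + 1]
            if l < 2 or i + l > len(body):
                raise ValueError("malformed option at offset %d" % i)
            name, val = _decode_option(proto_name, t, body[i + 2:i + l])
            opts[name] = val
            i += l
        result["options"] = opts
    elif code in (9, 10):               # Echo: 4-byte magic number + data
        result["magic"] = struct.unpack(">I", body[:4])[0]
    elif code == 8:                     # Protocol-Reject: rejected protocol + packet
        rejected = struct.unpack(">H", body[:2])[0]
        result["rejected_protocol"] = PPP_PROTOCOLS.get(rejected, "0x%04x" % rejected)
    return result


if __name__ == "__main__":
    for dump in (SAMPLE_LCP_REQ, SAMPLE_IPCP_REQ, SAMPLE_PROTO_REJ):
        print(parse_f5_ppp_frame(parse_hexdump(dump)))
```

The decoder validates both length fields (F5 header and control-packet header) against the bytes actually present, so a truncated or mis-framed dump is reported rather than silently misread; that is the check worth having when comparing a failing trace against a working one like this.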