Protocol F5/BigIP How to debug handshake

Info Skymem info at skymem.com
Sun Oct 16 15:12:34 PDT 2022


Hi,
thank you for your information.

On our website you can find email addresses of companies and people.
https://www.skymem.info

In short, it’s like Google for emails.

Best regards,
Robert,
Skymem team

On Fri, Oct 14, 2022 at 4:49 PM LeJacq, Jean Pierre
<jeanpierre.lejacq at quoininc.com> wrote:
>
> I'm trying to use OpenConnect with the relatively new F5 protocol support.
>
> I'm running into problems with the initial handshake and looking for some
> advice on how to debug.
>
> My environment is the following. I have confirmed that I can connect using the
> Windows 11 F5 client.
>
>     OS: Debian Buster (stable)
>     Version: OpenConnect version v9.01-1~bpo11+1.
>
> The problem seems to be that instead of establishing the connection, I'm
> immediately redirected to a logout page saying this is an unsupported browser.
> Using an explicit Windows 11 user agent string does not eliminate the warning
> about a non-supported browser.
>
> I'm thinking I need to provide another cookie but don't see how to determine
> which one might be required.
>
> Here's the command line I'm using.
> $ sudo openconnect -vvvv --dump --dump-http-traffic --protocol='f5' 'remotemobile.example.com'
>
> GET https://remotemobile.example.com/
> Attempting to connect to server 216.165.125.164:443
> Connected to 216.165.125.164:443
> SSL negotiation with remotemobile.example.com
> Connected to HTTPS on remotemobile.example.com with ciphersuite (TLS1.2)-
> (ECDHE-SECP256R1)-(RSA-SHA256)-(AES-128-GCM)
> > GET / HTTP/1.1
> > Host: remotemobile.example.com
> > User-Agent: Open AnyConnect VPN Agent v9.01-1~bpo11+1
> >
> Got HTTP response: HTTP/1.0 302 Found
> Server: BigIP
> Connection: Close
> Content-Length: 0
> Location: /my.policy
> Set-Cookie: LastMRH_Session=efd55fd2;path=/
> Set-Cookie: MRHSession=<elided>;path=/
> Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff
> Cache-Control: no-cache, must-revalidate, max-age=0
> HTTP body length:  (0)
> GET https://remotemobile.example.com/my.policy
> SSL negotiation with remotemobile.example.com
> Connected to HTTPS on remotemobile.example.com with ciphersuite (TLS1.2)-
> (ECDHE-SECP256R1)-(RSA-SHA256)-(AES-128-GCM)
> > GET /my.policy HTTP/1.1
> > Host: remotemobile.example.com
> > User-Agent: Open AnyConnect VPN Agent v9.01-1~bpo11+1
> > Cookie: LastMRH_Session=efd55fd2;
> MRHSession=664eeb92605090ed1026f7d3efd55fd2; MRHSHint=deleted
> >
> Got HTTP response: HTTP/1.0 302 Found
> Server: BigIP
> Connection: Close
> Set-Cookie: F5_ST=1z1z1z1665754014z-1;path=/
> Set-Cookie: LastMRH_Session=efd55fd2;path=/
> Set-Cookie: MRHSession=<elided>;path=/
> Content-Length: 0
> Location: /vdesk/hangup.php3
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff
> Cache-Control: no-cache, must-revalidate, max-age=0
> HTTP body length:  (0)
> GET https://remotemobile.example.com/vdesk/hangup.php3
> SSL negotiation with remotemobile.example.com
> Connected to HTTPS on remotemobile.example.com with ciphersuite (TLS1.2)-
> (ECDHE-SECP256R1)-(RSA-SHA256)-(AES-128-GCM)
> > GET /vdesk/hangup.php3 HTTP/1.1
> > Host: remotemobile.example.com
> > User-Agent: Open AnyConnect VPN Agent v9.01-1~bpo11+1
> > Cookie: LastMRH_Session=efd55fd2;
> MRHSession=e8db856820671decea73c8ccefd55fd2; MRHSHint=deleted;
> F5_ST=1z1z1z1665754014z-1
> >
> Got HTTP response: HTTP/1.1 200 OK
> Server: BigIP
> Content-Type: text/html; charset=utf-8
> Accept-Ranges: bytes
> Connection: Keep-Alive
> Date: Fri, 14 Oct 2022 13:26:54 GMT
> Age:     672
> Content-Length:       3303
> X-Frame-Options: DENY
> Set-Cookie: MRHSession=<elided>;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
> Set-Cookie: F5_ST=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
> Set-Cookie: MRHSHint=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
> Set-Cookie: F5_HT_shrinked=deleted;expires=Thu, 01-Jan-1970 00:00:01
> GMT;path=/
> Set-Cookie: F5_fullWT=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
> Set-Cookie: MRHSequence=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
> Pragma: no-cache
> Cache-Control: no-cache, must-revalidate
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff
> Cache-Control: no-cache, must-revalidate, max-age=0
> HTTP body length:  (3303)
> < <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://
> www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> < <head>
> <     <link rel="canonical" href="/internal-login" />
> <     <title>atExample Logout</title>
> < </head>
> <
> < <body onload="OnLoad();" class="html front not-logged-in no-sidebars page-
> node page-node- page-node-1 node-type-page" >
> < <div id="main">
> <       <div id="content" class="column" role="main">
> <               <h1>Unsupported Browser.</h1>
> <
> <               <div id="LoginContainer">
> <                       <p>
> <                               <h3>Advanced Access is not supported on this
> browser.</h3>
> <
> < Login using Basic by <a href="/">clicking here</a>. Otherwise, please use a
> <a href="http://atnyulmc.org/help-documentation/quick-view-os-browser-support-matrix">supported browser</a>. For Advanced Access browser setup instructions
> <a href="http://atnyulmc.org/help-documentation/remote-vpn-documentation">click here</a>.
> <                       </p>
> <               </div>
> <       </div>
> < </div>
> <   </body>
> < </html>
> <
> GET https://remotemobile.example.com/vdesk/vpn/index.php3?outform=xml&cl
> > GET /vdesk/vpn/index.php3?outform=xml&client_version=2.0 HTTP/1.1
> > Host: remotemobile.example.com
> > User-Agent: Open AnyConnect VPN Agent v9.01-1~bpo11+1
> > Cookie: LastMRH_Session=efd55fd2; MRHSession=deleted; MRHSHint=deleted;
> F5_Sshrinked=deleted; F5_fullWT=deleted; MRHSequence=deleted
> >
> Got HTTP response: HTTP/1.0 302 Found
> Server: BigIP
> Connection: Close
> Content-Length: 0
> Location: /my.policy
> Set-Cookie: LastMRH_Session=4503443b;path=/
> Set-Cookie: MRHSession=<elided>;path=/
> Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff
> Cache-Control: no-cache, must-revalidate, max-age=0
> HTTP body length:  (0)
> Creating SSL connection failed
> Unknown error; exiting.
>
> --
> JP
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
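
An added example, not part of the original thread and not OpenConnect code: a small parser for `--dump-http-traffic` output in the format quoted above. It reduces each exchange to path, status, redirect target and cookie names, then lists cookies the client sent back after the server had expired them (as happens with `MRHSHint` in the quoted log). The function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample in the format of the quoted log (MRHSession is a placeholder).
SAMPLE = """\
> GET / HTTP/1.1
Got HTTP response: HTTP/1.0 302 Found
Location: /my.policy
Set-Cookie: LastMRH_Session=efd55fd2;path=/
Set-Cookie: MRHSession=PLACEHOLDER;path=/
Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
> GET /my.policy HTTP/1.1
> Cookie: LastMRH_Session=efd55fd2; MRHSession=PLACEHOLDER; MRHSHint=deleted
Got HTTP response: HTTP/1.0 302 Found
Set-Cookie: F5_ST=1z1z1z1665754014z-1;path=/
Location: /vdesk/hangup.php3
"""

def summarize(log):
    """One dict per HTTP exchange: path, status, redirect target, cookie names."""
    exchanges, cur = [], None
    for line in log.splitlines():
        m = re.match(r"> (GET|POST) (\S+) HTTP/", line)
        if m:
            cur = {"path": m.group(2), "status": None, "location": None,
                   "sent": [], "set": [], "expired": []}
            exchanges.append(cur)
        elif cur is None:
            continue  # TLS/connect chatter before the first request
        elif line.startswith("> Cookie:"):
            pairs = line.split(":", 1)[1].split(";")
            cur["sent"] = [p.split("=")[0].strip() for p in pairs if "=" in p]
        elif line.startswith("Got HTTP response:"):
            cur["status"] = int(line.split()[4])
        elif line.startswith("Location:"):
            cur["location"] = line.split(":", 1)[1].strip()
        elif line.startswith("Set-Cookie:"):
            name = line.split(":", 1)[1].split("=", 1)[0].strip()
            # An expiry at the Unix epoch is the server deleting the cookie.
            cur["expired" if "01-Jan-1970" in line else "set"].append(name)
    return exchanges

def resent_after_expiry(exchanges):
    """(path, cookie) pairs where the client sent a cookie the server had expired."""
    gone, hits = set(), []
    for ex in exchanges:
        hits += [(ex["path"], n) for n in ex["sent"] if n in gone]
        gone = (gone | set(ex["expired"])) - set(ex["set"])
    return hits

print(resent_after_expiry(summarize(SAMPLE)))
```

To use it on a real capture, save the openconnect output to a file and pass its contents to `summarize()`; header lines that a mail client has wrapped need to be rejoined first.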


