[EXT] Re: Unable to connect to GlobalProtect VPN

Anthony Becker abecker at sigcorp.com
Thu Aug 17 11:03:57 PDT 2023



Hi Daniel –

 Here is the openconnect version output:

 sshuser at oakvpn:~$ openconnect --version
OpenConnect version v8.20-1
Using GnuTLS 3.7.3. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

Neither “--clientos=Windows” nor “--usergroup=gateway:prelogin-cookie” worked for me – I received the same error messages as before. 

Anthony Becker
Senior Consultant
Strata Information Group 
M  248.563.6987  
O  619.296.0170


From: Daniel Lenski <dlenski at gmail.com>
Sent: Thursday, August 17, 2023 13:21
To: Anthony Becker <abecker at sigcorp.com>
Cc: openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
Subject: [EXT] Re: Unable to connect to GlobalProtect VPN 
 
On Mon, Aug 14, 2023 at 8:31 AM Anthony Becker <abecker at sigcorp.com> wrote:
>
>
> I am unable to connect to a GlobalProtect VPN.  I start with the command:
>
> eval $( ./.local/bin/gp-saml-gui grizzvpn.oakland.edu --allow-insecure-crypto )
>
> A web form requests my username and password and sends me a Duo push.  The login succeeds and gives me a cookie to use when connecting.  I then enter the command:
>
> echo $MYCOOKIE |  sudo openconnect --protocol=gp --user=$MYUSERNAME --os=linux-64 --usergroup=portal:prelogin-cookie --passwd-on-stdin grizzvpn.oakland.edu


Please show output of  `openconnect --version`.

>
> The login fails with:
>
> POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
> Attempting to connect to server 141.210.72.2:443
> Connected to 141.210.72.2:443
> SSL negotiation with grizzvpn.oakland.edu
> Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 6720
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=83c144c4-908c-4b32-889c-3c81d660f2f6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length:  (6720)
> Destination form field prelogin-cookie was specified; assuming SAML POST authentication is complete.
> Prelogin form _login: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
> Enter login credentials
> POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 11407
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length:  (11407)
> Portal set HIP report interval to 60 minutes).
> 1 gateway servers available:
>   OU_VPN_Gateway (grizzvpn.oakland.edu)
> Please select GlobalProtect gateway.
> GATEWAY: [OU_VPN_Gateway]:OU_VPN_Gateway
> POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
> Got HTTP response: HTTP/1.1 200 OK
> Date: Mon, 14 Aug 2023 14:33:26 GMT
> Content-Type: text/html; charset=UTF-8
> Content-Length: 69
> Connection: keep-alive
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length:  (69)
> Failed to parse server response
> Response was: <html>
>   <body>Error: Login fails (invalid session id)</body>
> </html>
> Failed to complete authentication
>
> Can you provide assistance, please?

I have never seen this exact error message, but it appears to be in
keeping with many other flavors of what I'd call "mindless state
propagation" … the GlobalProtect VPN servers expect the *client* to
propagate a very large number of random bits of state that the
*server* really should be keeping track of on its own (and some
interesting security holes result from the server not doing so 😬).

Things to try:

1. Pretend to be running on Windows, rather than Linux. (`gp-saml-gui
--clientos Windows` → `openconnect --os=win`).
2. Try bypassing the "portal" interface and going straight to the
"gateway" interface of the GP VPN server. (`openconnect
--usergroup=gateway:prelogin-cookie`)
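A small triage helper, added here and not part of this thread or of openconnect itself, that splits a transcript like the one quoted above into one stage per POST (portal prelogin, portal getconfig, gateway login) and reports which stage came back with the HTML error and whether that failing response echoed the SESSID issued by the previous stage. SAMPLE_LOG is a constructed, trimmed copy of the quoted output.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse
# Constructed sample: trimmed copy of the openconnect GlobalProtect transcript quoted above.
SAMPLE_LOG = """\
POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: SESSID=83c144c4-908c-4b32-889c-3c81d660f2f6; Path=/; HttpOnly; Secure
POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
Response was: <html>
  <body>Error: Login fails (invalid session id)</body>
</html>
"""

@dataclass
class Stage:
    endpoint: str          # path of the POST, query string dropped
    status: str = ""       # e.g. "200 OK" (GP answers 200 even when login fails)
    sessid: str = ""       # SESSID the server set in this response
    error: str = ""        # text of an HTML "Error: ..." body, if any

def parse_gp_transcript(text):
    """Split an openconnect GP transcript into one Stage per POST request."""
    stages = []
    for line in text.splitlines():
        if line.startswith("POST "):
            stages.append(Stage(endpoint=urlparse(line[5:]).path))
        elif not stages:
            continue  # chatter before the first POST belongs to no stage
        elif line.startswith("Got HTTP response: HTTP/1.1 "):
            stages[-1].status = line.split("HTTP/1.1 ", 1)[1]
        elif line.startswith("Set-Cookie: SESSID="):
            stages[-1].sessid = line[19:].split(";")[0]
        elif (m := re.search(r"Error: ([^<]+)", line)):
            stages[-1].error = m.group(1).strip()
    return stages

def diagnose(stages):
    """Name the failing stage and say whether it echoed the previous stage's SESSID."""
    for i, s in enumerate(stages):
        if s.error:
            prev = stages[i - 1].sessid if i else ""
            return {"failed_at": s.endpoint, "error": s.error,
                    "same_sessid_as_previous_stage": bool(prev) and prev == s.sessid}
    return {"failed_at": None, "error": "", "same_sessid_as_previous_stage": False}
```

Feed it the full transcript when comparing runs with `--usergroup=portal:...` against `--usergroup=gateway:...`: the stage that fails and the session id it carried are the two things that differ.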
