OpenConnect problems after updating to debian bookworm

Martin Staudigel mastaudig at googlemail.com
Sat Jul 8 02:11:47 PDT 2023


Hello,

I recently updated my (Debian) OS, which included an update from
openvpn/oldstable,now 2.5.1-3 amd64 [installed] to
openvpn/stable,now 2.6.3-1 amd64 [installed,automatic]

I became aware that my VPN connection, using the protocol Cisco AnyConnect
or OpenConnect via NetworkManager, does not work anymore. When connecting
with openvpn on the CLI using the --no-xmlpost parameter, the connection could
be established.

Using 2.6.3-1 without the parameter results in the following connection log:

[code]
$>sudo openconnect -v --protocol=anyconnect [SERVER]/[PATH]

POST https://[SERVER]/[PATH]
Attempting to connect to server [IP]:443
Connected to [IP]:443
SSL negotiation with [SERVER]
Connected to HTTPS on [SERVER] with ciphersuite 
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 02 Jul 2023 17:15:20 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 
'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
[/code]

This is where the credentials have to be entered.
After doing this, the result is something like this:

[code]
POST https://[SERVER]/
Got HTTP response: HTTP/1.1 404 Not Found
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Sun, 02 Jul 2023 17:15:54 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 
'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body http 1.0 (-1)
TLS/DTLS socket closed uncleanly
Unexpected 404 result from server
Failed to complete authentication
[/code]

Using the --no-xmlpost option, the connection log looks like this:

[code]
$>sudo openconnect -v --protocol=anyconnect --no-xmlpost [SERVER]/[PATH]

POST https://[SERVER]/[PATH]
Attempting to connect to server [IP]:443
Connected to [IP]:443
SSL negotiation with [SERVER]
Connected to HTTPS on [SERVER] with ciphersuite 
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0VEdfTUlLX09UUA==; path=/; secure
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Sun, 02 Jul 2023 17:56:38 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 
'unsafe-eval' data: blob:; frame-ancestors 'self'
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://[SERVER]/[PATH]
Attempting to connect to server [IP]:443
Connected to [IP]:443
SSL negotiation with [SERVER]
Connected to HTTPS on [SERVER] with ciphersuite 
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0VEdfTUlLX09UUA==; path=/; secure
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Sun, 02 Jul 2023 17:56:38 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 
'unsafe-eval' data: blob:; frame-ancestors 'self'
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://[SERVER]/+webvpn+/index.html
SSL negotiation with [SERVER]
Connected to HTTPS on [SERVER] with ciphersuite 
(TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 
'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; 
secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
[/code]

...authentication follows.

[code]
POST https://[Server]/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 
'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; 
secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; 
secure
Set-Cookie: samlPreauthSessionHash=; expires=Thu, 01 Jan 1970 22:00:00 
GMT; path=/; secure
Set-Cookie: acSamlv2Token=; expires=Thu, 01 Jan 1970 22:00:00 GMT; 
path=/; secure
Set-Cookie: acSamlv2Error=; expires=Thu, 01 Jan 1970 22:00:00 GMT; 
path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=[Content removed]
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: [some IPv4]
X-CSTP-Netmask: 255.255.252.0
X-CSTP-Address-IP6: [some IPv6]
X-CSTP-Hostname: [Server]
X-CSTP-DNS: [some IPv4]
X-CSTP-DNS: [some IPv4]
X-CSTP-Lease-Duration: 72000
X-CSTP-Session-Timeout: 72000
X-CSTP-Session-Timeout-Alert-Interval: 60
X-CSTP-Session-Timeout-Remaining: 72000
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: [Domain]
X-CSTP-Split-Include: [some IPv4]/255.255.0.0
X-CSTP-Split-Include: [some IPv4]/255.240.0.0
X-CSTP-Split-Include-IP6: [some IPv6]/48
X-CSTP-Split-Include-IP6: [some IPv6]/48
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
[/code]

As I read in the manpage of OpenConnect: "If you find that you need
to use this option, then you have found a bug in OpenConnect.
Please see https://www.infradead.org/openconnect/mail.html and
report this to the developers."

So here is my report. Hopefully I gave you all the information that you 
need. If not, I'm happy to provide some more logs or debug output, I 
just have to know exactly what.

Thanks for your efforts and the good work. Regards,

Martin
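To make the difference between the two exchanges in the logs above concrete, here is an added example that is not part of Martin's report and not OpenConnect's or Cisco's code: a Python mock gateway scripted only from the status codes, Location and Set-Cookie headers visible in the logs, plus a client that runs the XML-POST flow twice (once keeping the group path for the credential POST, once posting to "/" as the 2.6.3 log shows) and the legacy redirect flow used with --no-xmlpost. The group path /example-group, the XML bodies and the form fields are assumptions; the mock does not check credentials and does not model the CONNECT/CSTP stage.

```python
import http.client
import http.server
import threading

# Stand-in for the redacted [PATH] (the tunnel-group URL); an assumption of this mock.
GROUP_PATH = "/example-group"
LEGACY_LOGIN = "/+webvpn+/index.html"  # Location target seen in the --no-xmlpost log


class MockAnyConnectGateway(http.server.BaseHTTPRequestHandler):
    """Toy gateway scripted from the status codes, Location and Set-Cookie headers
    in the post. It validates nothing and is not Cisco's implementation."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):
        pass  # keep the mock quiet

    def _reply(self, status, headers=(), body=b""):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == GROUP_PATH and body.startswith(b"<?xml"):
            # Aggregate-auth endpoint: answers the XML init with X-Aggregate-Auth: 1
            self._reply(200, [("Content-Type", "text/xml; charset=utf-8"),
                              ("X-Aggregate-Auth", "1")],
                        b'<config-auth client="vpn" type="auth-request"/>')
        elif self.path == LEGACY_LOGIN:
            # Legacy form login: the successful POST hands out the webvpn session cookie
            self._reply(200, [("Set-Cookie", "webvpn=<elided>; path=/; secure")], b"<ok/>")
        else:
            # The failure in the post: a credential POST that arrives at "/" gets 404
            self._reply(404)

    def do_GET(self):
        if self.path == GROUP_PATH:
            # Non-XML client: redirected to the legacy login page, tg cookie set
            self._reply(302, [("Location", LEGACY_LOGIN),
                              ("Set-Cookie", "tg=0VEdfTUlLX09UUA==; path=/; secure")])
        elif self.path == LEGACY_LOGIN:
            self._reply(200, [("Content-Type", "text/xml; charset=utf-8"),
                              ("Set-Cookie", "webvpnlogin=1; secure")], b"<form/>")
        else:
            self._reply(404)


def start_gateway():
    """Start the mock on an ephemeral loopback port and return the server object."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MockAnyConnectGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def xmlpost_login(port, keep_path):
    """XML-POST flow. keep_path=True sends the credential POST to the group path;
    keep_path=False sends it to "/" as the 2.6.3 log shows.
    Returns (aggregate_auth_advertised, first_status, second_status)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    xml_hdr = {"Content-Type": "text/xml"}
    conn.request("POST", GROUP_PATH, headers=xml_hdr,
                 body=b'<?xml version="1.0"?><config-auth client="vpn" type="init"/>')
    first = conn.getresponse()
    first.read()
    advertised = first.getheader("X-Aggregate-Auth") == "1"
    conn.request("POST", GROUP_PATH if keep_path else "/", headers=xml_hdr,
                 body=b'<?xml version="1.0"?><config-auth client="vpn" type="auth-reply"/>')
    second = conn.getresponse()
    second.read()
    conn.close()
    return advertised, first.status, second.status


def legacy_login(port):
    """--no-xmlpost style flow: GET the group URL, follow the 302, POST the form.
    Returns (final_status, redirect_target, cookie_names_set_on_login)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("GET", GROUP_PATH)
    resp = conn.getresponse()
    resp.read()
    target = resp.getheader("Location") if resp.status == 302 else GROUP_PATH
    conn.request("GET", target)
    conn.getresponse().read()
    conn.request("POST", target, body=b"username=u&password=p",  # constructed form fields
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    cookies = [v.split("=", 1)[0] for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return resp.status, target, cookies


if __name__ == "__main__":
    gw = start_gateway()
    p = gw.server_address[1]
    print("xmlpost, path kept:   ", xmlpost_login(p, True))
    print("xmlpost, path dropped:", xmlpost_login(p, False))
    print("legacy redirect flow: ", legacy_login(p))
    gw.shutdown()
```

Running the module prints the three results. The thing to watch is that both XML-POST runs get the same 200 with X-Aggregate-Auth: 1 on the first request; the only difference between the run that ends in 200 and the one that ends in 404 is the path of the second POST, which is exactly what the two POST lines in the 2.6.3 log above differ in.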
