Connecting to work VPN

David Woodhouse dwmw2 at
Sat Nov 6 08:25:50 EDT 2010

On Fri, 2010-11-05 at 23:55 -0500, Keith Moyer wrote:
> Unfortunately, when I try to connect with openconnect, I end up getting
> "AnyConnect is not enabled on the VPN server" errors (XML shows that
> it's error 89) after entering password.  Doing a little research, I see
> that this may indicate a version mismatch between client and server (the
> AnyConnect client deployed for Windows is version 2.5). 
> Checking the csd logs, I don't see anything to indicate an error there
> (there are some "failed to initialize mozilla certificates" warnings at
> the end, though). I've also manually downloaded the CSD binary and run
> it directly, passing in the token, ticket, group, host, and debug=all
> and got similar results. 

Ew, CSD -- a nasty piece of snake oil.

So what happens is the normal VPN connection process is stalled, given a
pointer to the CSD trojan, and then just stuck in a retry (HTTP refresh)
loop. It's expected to download and run the trojan, which does whatever
it does and reports back -- and then the main authentication is allowed
to continue.

Precisely where are you seeing the error you quoted, and at what stage?

I assume that OpenConnect is managing to download the trojan and run it
-- is it the *trojan* which is getting/reporting this error?

I've mostly treated the CSD trojan as a black box and ignored it, but if
you look in the list archives from a year or so ago you'll see some
people were paying closer attention and trying to work out the
configuration format it used and how to calculate what the 'correct'
response would be and provide those without actually running it.

You may find that it's enlightening to test the Cisco client and see
what *it* does, and compare with the OpenConnect behaviour.

It could be that the 'tests' that the CSD trojan is running on your
system are just misconfigured, and don't work at all. If you look at the
configuration file it's using, you may be able to fake it with a simple
'Success' or 'OK' or 'Authorized' post (it varies) to the response URL.


More information about the openconnect-devel mailing list