Juniper connection failure, HTTP/1.1 302 Found

Nate Mow natemow at gmail.com
Wed Aug 12 17:06:39 PDT 2015


I'm seeing a "Got inappropriate HTTP CONNECT response: HTTP/1.1 302 
Found" message when using the --juniper option in 7.06. I *think* the 
Juniper version is Version: 8.0R8.1.

Output from my wrapper script looks like this:

   WARNING: Juniper Network Connect support is experimental.
   It will probably be superseded by Junos Pulse support.

   Authentication info:

   host         xxx.xxx.x.xx
   fingerprint  sha1:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   cookie       DSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; DSFirst=1439422295; DSLast=1439422295

   OpenConnect version v7.06
   Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS
   Attempting to connect to server xxx.xxx.x.xx:443
   SSL negotiation with alias.example.com
   No match for altname 'vpn.example.com'
   No match for altname 'alias.example-europe.com'
   Matched DNS altname 'alias.example.com'
   Connected to HTTPS on alias.example.com
   > CONNECT /CSCOSSLC/tunnel HTTP/1.1
   > Host: alias.example.com
   > User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
   > Cookie: webvpn=DSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; DSFirst=1439422295; DSLast=1439422295
   > X-CSTP-Version: 1
   > X-CSTP-Hostname: XXXXXXX
   > X-CSTP-Accept-Encoding: lzs
   > X-CSTP-MTU: 1406
   > X-CSTP-Address-Type: IPv4
   > X-DTLS-Master-Secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   > X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
   > X-DTLS-Accept-Encoding: lzs
   >
   Got inappropriate HTTP CONNECT response: HTTP/1.1 302 Found
   Creating SSL connection failed

Relevant wrapper script bits:

   # Do pre-auth stuff to fetch cookie, etc.
   # --authenticate prints COOKIE, HOST and FINGERPRINT as shell assignments,
   # which the eval imports into this shell.
   eval `
   echo "$JNC_PASS" | openconnect "https://$JNC_HOST/$JNC_PATH" \
     --juniper \
     --disable-ipv6 \
     --quiet \
     --os="linux-64" \
     --useragent="$_ua_string" \
     --passwd-on-stdin \
     --authenticate \
     --cafile="./config/GlobalSignOrganizationValidationCA-SHA256-G2.ca" \
     --user="$JNC_USER"`;

   cat <<EOF

   Authentication info:

   host         $HOST
   fingerprint  $FINGERPRINT
   cookie       $COOKIE

   EOF

   # Now attempt the actual connection, feeding the cookie from the step above.
   echo "$COOKIE" | sudo openconnect "$JNC_HOST" \
     --dump-http-traffic \
     --disable-ipv6 \
     --os="linux-64" \
     --useragent="$_ua_string" \
     --cookie-on-stdin \
     --cafile="./config/GlobalSignOrganizationValidationCA-SHA256-G2.ca" \
     --servercert="$FINGERPRINT" \
     --no-cert-check --background --pid-file=$VPN_PID_FILE \
       >> $VPN_LOG_FILE 2>&1;


I was able to finally convince the IT department to disable host 
checking for our particular LDAP group, so that's not in play here. Our 
LDAP group also uses a non-default URL path (it's url_31 for us). In the 
browser, I have confirmed that the host checker applet doesn't run. 
There is, however, an attempt in the browser to install some sort of 
Java-based application access tool, and I definitely have the DSID cookie 
at that point.

Looking at cstp.c:291 (HEAD), it seems like the host is trying to do 
another redirect (probably via JavaScript knowing Juniper) and 
OpenConnect isn't following it somehow. I've tried every option and 
variant on args I can think of, but I'm kinda stuck at the moment. Any 
ideas?

(Thanks very much for all your hard work on OpenConnect btw...it really 
is a great piece of software.)
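The dump quoted above shows the tunnel step sending "CONNECT /CSCOSSLC/tunnel" with X-CSTP-* headers, which is OpenConnect's AnyConnect-protocol tunnel setup, while the first invocation in the script ran with --juniper and the second did not. The following is an added example, not part of the post and not OpenConnect code: a small parser for --dump-http-traffic style output that extracts the CONNECT request, its headers and the returned status, classifies the protocol from the request, and explains a redirect answer in those terms. The sample transcript is constructed to mirror the masked lines in the post; the function names and the wording of the diagnosis are this example's own.

```python
"""Explain a failed OpenConnect tunnel CONNECT from a --dump-http-traffic log.

Added example, not part of the mailing-list post or of OpenConnect itself.
"""
import re

# Constructed sample modelled on the dump in the post (values masked as there).
SAMPLE_DUMP = """\
Connected to HTTPS on alias.example.com
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: alias.example.com
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
> Cookie: webvpn=DSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; DSFirst=1439422295; DSLast=1439422295
> X-CSTP-Version: 1
> X-CSTP-Hostname: XXXXXXX
> X-CSTP-MTU: 1406
>
Got inappropriate HTTP CONNECT response: HTTP/1.1 302 Found
Creating SSL connection failed
"""

# OpenConnect prefixes request lines with "> " and response lines with "< ".
STATUS_RE = re.compile(r"HTTP/1\.[01] (\d{3})")


def parse_dump(text):
    """Return the first request line, its headers, and the first HTTP status
    seen in a non-request line (a "< " response or the error message)."""
    request = None
    headers = {}
    status = None
    for line in text.splitlines():
        if line.startswith(">"):
            body = line[1:].strip()
            if not body:
                continue  # the bare ">" that ends the header block
            if request is None and " HTTP/" in body:
                request = body
            elif ":" in body:
                key, value = body.split(":", 1)
                headers[key.strip()] = value.strip()
            continue
        match = STATUS_RE.search(line)
        if match and status is None:
            status = int(match.group(1))
    return {"request": request, "headers": headers, "status": status}


def request_path(parsed):
    """Path component of the request line, or '' if none was captured."""
    if not parsed["request"]:
        return ""
    parts = parsed["request"].split()
    return parts[1] if len(parts) > 1 else ""


def detect_protocol(parsed):
    """'anyconnect' when the request is the CSTP tunnel setup, else 'unknown'.
    Only the AnyConnect signature is encoded here; other protocols are not guessed."""
    if request_path(parsed) == "/CSCOSSLC/tunnel":
        return "anyconnect"
    if any(name.startswith("X-CSTP-") for name in parsed["headers"]):
        return "anyconnect"
    return "unknown"


def diagnose(parsed):
    """One-line explanation of the CONNECT outcome."""
    status = parsed["status"]
    if status is None:
        return "no HTTP status found in dump"
    if status == 200:
        return "CONNECT accepted"
    if detect_protocol(parsed) == "anyconnect" and status in (301, 302, 303, 307, 308):
        return ("server answered the AnyConnect CSTP CONNECT with a redirect (%d): "
                "the endpoint did not treat this as a CSTP tunnel request or did not "
                "accept the session cookie; check that the tunnel invocation uses the "
                "same protocol option (--juniper) as the --authenticate step" % status)
    return "CONNECT failed with status %d" % status


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print("request :", parsed["request"])
    print("protocol:", detect_protocol(parsed))
    print("status  :", parsed["status"])
    print("verdict :", diagnose(parsed))
```

Feed it a real dump with `python3 explain_connect.py < vpn.log` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; the masked values in the sample are placeholders, not real cookies or hostnames.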





More information about the openconnect-devel mailing list