Determining webvpn cookie lifetime?
Dan Lenski
dlenski at gmail.com
Sat Dec 19 20:25:43 PST 2015
Hi,
I'm writing a script which will periodically connect to several different
AnyConnect VPNs, and I'm finding that the webvpn cookies for some of them
become invalid much sooner than others... so I'm trying to figure out
intelligently how often they have to be used to remain valid.
Is it possible for OpenConnect to determine the lifetime during which the
webvpn cookie obtained in the authentication process will remain valid?
- Using the --dump-http-traffic and --cookieonly flags doesn't seem to
provide any information about the lifetime of the webvpn cookie.
- After the VPN is actually set up with CONNECT, the --dump-http-traffic
headers appear to show some lifetime-related settings, e.g.:
    Got CONNECT response: HTTP/1.1 200 OK
    ...
    X-CSTP-Lease-Duration: 259200
    X-CSTP-Session-Timeout: 259200
    X-CSTP-Idle-Timeout: 1800
    X-CSTP-Disconnected-Timeout: 1800
    X-CSTP-Keep: true
    X-CSTP-DPD: 30
    X-CSTP-Keepalive: 20
    X-DTLS-Keepalive: 20
    X-DTLS-DPD: 30
    X-CSTP-TCP-Keepalive: true
    ...
    CSTP connected. DPD 30, Keepalive 20
Does one of these indicate how long the cookie will remain valid? My guess:
- CSTP-Session-Timeout indicates the time after which the session
will end no matter what (3 days here)
- CSTP-Idle-Timeout indicates the time after which the session will
end, with no traffic (30 minutes here)
- CSTP-Disconnected-Timeout indicates the time after which the cookie will
become invalid, after disconnection (30 minutes here)
However, my testing appears to show that the server starts to reject the
cookie (openconnect -C COOKIE) much sooner than any of these timeouts would
indicate, a few minutes.
Thanks,
Dan
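
Added example, not part of the original post and not OpenConnect code: a small parser that pulls the timeout headers out of the CONNECT response dump quoted above and converts them to durations. The function names are hypothetical, and treating the smallest advertised timeout as an upper bound on cookie reuse is an assumption; the post itself reports cookies being rejected sooner than that.

```python
import re

# Constructed sample: the CONNECT response excerpt quoted in the post.
SAMPLE_DUMP = """\
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Lease-Duration: 259200
X-CSTP-Session-Timeout: 259200
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Keep: true
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
"""

# Assumption: a dumped line may carry a leading "<" or ">" direction marker.
HEADER_RE = re.compile(r"^\s*(?:[<>]\s*)?(X-(?:CSTP|DTLS)-[\w-]+):\s*(\S+)\s*$")
TIMEOUT_HEADERS = ("x-cstp-lease-duration", "x-cstp-session-timeout",
                   "x-cstp-idle-timeout", "x-cstp-disconnected-timeout")

def parse_cstp_headers(dump):
    """Map lower-cased X-CSTP-*/X-DTLS-* header names to their raw values."""
    found = (HEADER_RE.match(line) for line in dump.splitlines())
    return {m.group(1).lower(): m.group(2) for m in found if m}

def timeouts_seconds(headers):
    """Timeout headers as ints; missing or non-numeric values are skipped."""
    return {name: int(headers[name]) for name in TIMEOUT_HEADERS
            if headers.get(name, "").isdecimal()}

def reuse_upper_bound(headers):
    """Smallest advertised timeout in seconds, or None. An upper bound only."""
    values = timeouts_seconds(headers).values()
    return min(values) if values else None

def human(seconds):
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        n, seconds = divmod(seconds, size)
        if n:
            parts.append(f"{n}{unit}")
    return " ".join(parts) or "0s"

if __name__ == "__main__":
    print({k: human(v) for k, v in timeouts_seconds(parse_cstp_headers(SAMPLE_DUMP)).items()})
```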