Cookie auth rejected by ocserv on reconnect

David Frank bitinn at gmail.com
Sun Jan 25 04:50:24 PST 2015 

Continue investigation from my previous thread, I manage to obtain a
decent capture of client log.


Basically test flow:

connect to ocserv, put my iphone 6 to sleep, wake it from sleep after
3 minutes, and observe reconnect attempt failed.


My ocserv settings:

auth = "certificate"
cookie-timeout = 600
cisco-client-compat = true


AnyConnect general timeline:

[01-25-15 17:51:15:115] [VPN] <Information> - Connecting to [my-vpn-ip:port]
[01-25-15 17:51:15:874] [VPN] <Information> - Establishing VPN session
[01-25-15 17:51:17:946] [VPN] <Information> - Establishing VPN session
...
[01-25-15 17:51:19:687] [VPN] <Information> - Establishing VPN
[01-25-15 17:51:19:714] [VPN] <Information> - Connected to [my-vpn-ip:port]
[01-25-15 17:54:17:447] [VPN] <Information> - Reconnecting to [my-vpn-ip:port]
[01-25-15 17:54:17:454] [VPN] <Information> - Reconnecting to [my-vpn-ip:port]
[01-25-15 17:54:19:293] [VPN] <Information> - Disconnecting
[01-25-15 17:54:19:467] [VPN] <Error> - Secure gateway reject
reconnect attempts, please re-authenticate with the server


AnyConnect debug log, on initial connection:

...
[01-25-15 17:51:15:860] AnyConnectAuthenticator: Function: connect
File: /tmp/build/thehoff/DaVinci_MR120.418509679697/DaVinci_MR12/vpn/ApplePlugins/Api/ConnectIfc.cpp
Line: 703 Auth Cookie acquired
[01-25-15 17:51:15:861] AnyConnectAuthenticator: Function: connect
File: /tmp/build/thehoff/DaVinci_MR120.418509679697/DaVinci_MR12/vpn/ApplePlugins/Api/ConnectIfc.cpp
Line: 711 Config Cookie acquired
...


AnyConnect debug log, during reconnect:

...
[01-25-15 17:54:18:042] AnyConnectDataAgent: A SSL connection has been
established using cipher AES128-SHA
[01-25-15 17:54:18:043] AnyConnectDataAgent: Function:
calculateTunnelMTU File:
/tmp/build/thehoff/DaVinci_MR120.418509679697/DaVinci_MR12/vpn/ApplePlugins/Agent/CstpProtocol.cpp
Line: 2551 The candidate MTU (4294967202) is the physical interface
MTU.
[01-25-15 17:54:19:164] AnyConnectDataAgent: The HTTP response code
from the secure gateway is 401, (null)  HTTP/1.1 401 Unauthorized
...
[01-25-15 17:54:19:188] AnyConnectDataAgent: Termination reason code
28: HTTP response contained an HTTP error code.
...
[01-25-15 17:54:19:201] AnyConnectDataAgent: Reconnect reason code 6:
Reconnecting due to the disruption of the VPN connection to the secure
gateway. IGNORED: VPN is not yet connected or is terminating
...
[01-25-15 17:54:19:219] AnyConnectAuthenticator: Function:
getStateMessage File:
/tmp/build/thehoff/DaVinci_MR120.418509679697/DaVinci_MR12/vpn/ApplePlugins/Api/ClientIfcBase.cpp
Line: 2194 Disconnect in progress.
[01-25-15 17:54:19:222] AnyConnectDataAgent: The Primary SSL
connection to the secure gateway is being torn down.
...


TL;DR: So ocserv return 401 when AnyConnect send it the auth cookie? I
think there is something wonky happening, even though I set it to last
for 10minutes, and does not require certificate on reconnect, ocserv
still rejects AnyConnect reconnect attempts.

More information about the openconnect-devel mailing list