Cookie auth rejected by ocserv on reconnect

David Frank bitinn at gmail.com
Sun Jan 25 05:52:41 PST 2015


ocserv[4688]: worker: [client-ip:port] TLS handshake completed
ocserv[4688]: worker: [client-ip:port] User-agent: 'Cisco AnyConnect VPN Agent for Apple iPhone 3.0'
ocserv[4688]: worker: [client-ip:port] sending message 'auth cookie request' to main
ocserv[4622]: main: [client-ip:port] main received message 'auth cookie request' of 80 bytes
ocserv[4622]: main: [client-ip:port] sending msg sm: session open to sec-mod
ocserv[4623]: sec-mod: received request from pid 4622 and uid 0
ocserv[4623]: sec-mod: cmd [size=24] sm: session open
ocserv[4623]: sec-mod: session open/close but with non-existing sid!
ocserv[4623]: sec-mod: error processing data for 'sm: session open' command (-1)
ocserv[4622]: common.c:385: recvmsg returned zero
ocserv[4622]: main: [client-ip:port] main-misc.c:226: error receiving auth reply message
ocserv[4622]: main: [client-ip:port] could not open session
ocserv[4622]: main: [client-ip:port] failed authentication attempt for user ''
ocserv[4622]: main: [client-ip:port] sending message 'auth cookie reply' to worker
ocserv[4688]: worker: [client-ip:port] received auth reply message (value: 3)
ocserv[4688]: worker: [client-ip:port] error receiving cookie authentication reply
ocserv[4688]: worker: [client-ip:port] failed cookie authentication attempt

Is the auth cookie somehow affected by my client certificate?

If I uncomment cert-user-oid and cert-group-oid, then I couldn't log in
to ocserv at all, even when my CN/OU match the local user/group.



On Sun, Jan 25, 2015 at 9:05 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Sun, 2015-01-25 at 20:50 +0800, David Frank wrote:
>> Continuing the investigation from my previous thread, I managed to obtain a
>> decent capture of the client log.
>>
>>
>> Basically test flow:
>>
>> connect to ocserv, put my iphone 6 to sleep, wake it from sleep after
>> 3 minutes, and observe reconnect attempt failed.
>>
>>
>> My ocserv settings:
>>
>> auth = "certificate"
>> cookie-timeout = 600
>> cisco-client-compat = true
>>
>>
>> AnyConnect general timeline:
> [...]
>> TL;DR: So ocserv returns 401 when AnyConnect sends it the auth cookie? I
>> think there is something wonky happening: even though I set it to last
>> for 10 minutes and not require a certificate on reconnect, ocserv
>> still rejects AnyConnect reconnect attempts.
>
> What do you see on the ocserv side? Do you see the reason of not
> accepting the cookie?
>
> regards,
> Nikos
>
>
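Added example, not code from this post or from the ocserv project: a small Python log correlator that follows the cookie-auth round trip shown in the log excerpt above across the worker, main and sec-mod processes and reports the first sec-mod error, so that the root cause ("session open/close but with non-existing sid!") is surfaced next to the final "failed cookie authentication attempt" instead of having to be read out of the interleaved lines by hand. The sample log is the excerpt from the post with the mail-wrapped lines re-joined; the message substrings it matches on are taken from those lines only and are assumed to be stable across ocserv versions, which would need checking before using this against another deployment.

```python
import re

# Constructed sample: the ocserv log excerpt from the post, wrapped lines re-joined.
SAMPLE_LOG = """\
ocserv[4688]: worker: [client-ip:port] TLS handshake completed
ocserv[4688]: worker: [client-ip:port] User-agent: 'Cisco AnyConnect VPN Agent for Apple iPhone 3.0'
ocserv[4688]: worker: [client-ip:port] sending message 'auth cookie request' to main
ocserv[4622]: main: [client-ip:port] main received message 'auth cookie request' of 80 bytes
ocserv[4622]: main: [client-ip:port] sending msg sm: session open to sec-mod
ocserv[4623]: sec-mod: received request from pid 4622 and uid 0
ocserv[4623]: sec-mod: cmd [size=24] sm: session open
ocserv[4623]: sec-mod: session open/close but with non-existing sid!
ocserv[4623]: sec-mod: error processing data for 'sm: session open' command (-1)
ocserv[4622]: common.c:385: recvmsg returned zero
ocserv[4622]: main: [client-ip:port] main-misc.c:226: error receiving auth reply message
ocserv[4622]: main: [client-ip:port] could not open session
ocserv[4622]: main: [client-ip:port] failed authentication attempt for user ''
ocserv[4622]: main: [client-ip:port] sending message 'auth cookie reply' to worker
ocserv[4688]: worker: [client-ip:port] received auth reply message (value: 3)
ocserv[4688]: worker: [client-ip:port] error receiving cookie authentication reply
ocserv[4688]: worker: [client-ip:port] failed cookie authentication attempt
"""

# "ocserv[<pid>]: <proc>: <msg>"; the proc tag is optional because lines such as
# "common.c:385: recvmsg returned zero" carry only the pid.
LINE_RE = re.compile(
    r"^ocserv\[(?P<pid>\d+)\]: (?:(?P<proc>worker|main|sec-mod): )?(?P<msg>.*)$"
)

# The hops of one cookie-auth round trip, in the order they appear in the log.
# Substrings are assumed from the posted lines, not from ocserv documentation.
HOPS = (
    ("worker", "sending message 'auth cookie request' to main"),
    ("main", "main received message 'auth cookie request'"),
    ("main", "sending msg sm: session open to sec-mod"),
    ("sec-mod", "cmd [size="),
    ("main", "sending message 'auth cookie reply' to worker"),
    ("worker", "received auth reply message"),
)


def parse(log):
    """Split an ocserv syslog excerpt into {pid, proc, msg} records.

    Lines without a process tag inherit the process already seen for that pid,
    so the bare 'common.c' line is attributed to main (pid 4622) here.
    """
    pid_to_proc = {}
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, proc, msg = m.group("pid"), m.group("proc"), m.group("msg")
        if proc:
            pid_to_proc[pid] = proc
        else:
            proc = pid_to_proc.get(pid)
        records.append({"pid": pid, "proc": proc, "msg": msg})
    return records


def trace_cookie_auth(log):
    """Follow one cookie-auth attempt worker -> main -> sec-mod -> main -> worker.

    Returns which hops were seen, the first error sec-mod raised (the root cause),
    the reply value handed back to the worker, the user name, and whether the
    worker finally logged a failed cookie authentication attempt.
    """
    result = {"pids": {}, "hops_seen": [], "sec_mod_errors": [],
              "root_cause": None, "reply_value": None, "user": None,
              "auth_failed": False}
    hop_idx = 0
    for r in parse(log):
        if r["proc"]:
            result["pids"].setdefault(r["proc"], r["pid"])
        if hop_idx < len(HOPS):
            proc, needle = HOPS[hop_idx]
            if r["proc"] == proc and needle in r["msg"]:
                result["hops_seen"].append(needle)
                hop_idx += 1
        if r["proc"] == "sec-mod" and ("error" in r["msg"] or "non-existing" in r["msg"]):
            result["sec_mod_errors"].append(r["msg"])
        m = re.search(r"received auth reply message \(value: (\d+)\)", r["msg"])
        if m:
            result["reply_value"] = int(m.group(1))
        m = re.search(r"failed authentication attempt for user '([^']*)'", r["msg"])
        if m:
            result["user"] = m.group(1)
        if "failed cookie authentication attempt" in r["msg"]:
            result["auth_failed"] = True
    if result["sec_mod_errors"]:
        result["root_cause"] = result["sec_mod_errors"][0]
    return result


if __name__ == "__main__":
    summary = trace_cookie_auth(SAMPLE_LOG)
    print("processes:", summary["pids"])
    print("hops seen: %d of %d" % (len(summary["hops_seen"]), len(HOPS)))
    print("sec-mod root cause:", summary["root_cause"])
    print("reply value to worker:", summary["reply_value"], "user:", repr(summary["user"]))
    print("cookie auth failed:", summary["auth_failed"])
```

Run against the sample it reports all six hops, the sec-mod root cause, reply value 3, an empty user name and a failed attempt; the useful part when reading a real journal is that the empty user and the sec-mod "non-existing sid" message are tied to the same round trip rather than to whichever other client happened to be logging at the time.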



More information about the openconnect-devel mailing list