Unable to get WebVPN Cookie after sfinst failed to download

Adam Brenner adam at aeb.io
Fri Mar 25 21:02:10 PDT 2016


Howdy,

I have been using OpenConnect version 7.06 on Linux and after a few
months of working, I noticed that it stopped. I suspect the crazy tin 
foil hat security folks at my company blocked access which is extremely 
sad. I am hoping someone can offer some insights on how to get this to 
work, if at all.

I use the following command line to connect:

   $ sudo openconnect vpn.company.tld --csf-user=adam --no-xmlpost \
     --csd-user=adam --no-xmlpost \
     --csd-wrapper=/home/adam/.cisco/csd-wrapper.sh

What I get in response is that I am unable to download the Linux binary 
from the server (using --dump-http-traffic we see):

  GET https://vpn.company.tld/CACHE/sdesktop/install/binaries/sfinst
  > GET /CACHE/sdesktop/install/binaries/sfinst HTTP/1.1
  > Host: vpn.company.tld
  > User-Agent: Open AnyConnect VPN Agent v7.06
  > Cookie: webvpnlogin=1
  > Accept: */*
  > Accept-Encoding: identity
  > X-Transcend-Version: 1
  > X-Support-HTTP-Auth: true
  >
  Got HTTP response: HTTP/1.1 404 Not Found (does not exist)
  X-Transcend-Version: 1
  HTTP body http 1.0 (-1)
  Cannot receive HTTP 1.0 body without closing connection
  Failed to obtain WebVPN cookie


Confirming with CURL and WGET, the binary does _not_ exist. Alright, so
the crazy tin foil hat security folks removed the binary. Faking the OS
with --os=win we get:

   GET https://vpn.company.tld/CACHE/sdesktop/install/binaries/inst.exe
   > GET /CACHE/sdesktop/install/binaries/inst.exe HTTP/1.1
   > Host: vpn.company.tld
   > User-Agent: Open AnyConnect VPN Agent v7.06
   > Cookie: webvpnlogin=1
   > Accept: */*
   > Accept-Encoding: identity
   > X-Transcend-Version: 1
   > X-Support-HTTP-Auth: true
   >
   Got HTTP response: HTTP/1.1 200 OK
   Content-Length: 173968
   Content-Type: application/octet-stream
   Cache-Control: max-age=0
   X-Frame-Options: SAMEORIGIN
   X-Transcend-Version: 1
   HTTP body length:  (173968)
   Failed to obtain WebVPN cookie

With --os=win we are able to get past the download of the binary but
are unable to get the webvpn cookie. Trying --os=android leads to the famous
"Refreshing +CSCOE+/sdesktop/wait.html after 1 second..." screen which
never loads.

Using the --dump-http-traffic with --os=android and copying, what 
appears to be a cookie,

   GET https://vpn.company.tld/+CSCOE+/sdesktop/wait.html
   > Cookie: webvpnlogin=1; sdesktop=4712CB7D0B02ADD4004BD727

into the last command with --cookie-on-stdin did not work. Gave me a 401 
unauthorized.


Any ideas on how I am able to connect back to work? As a workaround I
have a VM of Windows on my Linux laptop which I hatefully use.

thanks,
/adam

-- 
Adam Brenner <adam at aeb.io>


