Failed to obtain WebVPN cookie

Dustin Hartung dustin.hartung at gmail.com
Tue Jan 24 12:16:39 PST 2017


Thank you for the response and tip.  I tried as you said - running it
with --dump using a user agent and without as there appears to be
different requirements/rules depending on the device type- the results
are below:

________________________________________________________________________________
With a Mobile UserAgent:

dhrmbp1:~ dh$  openconnect --juniper --useragent  'JunosPulseiPhone
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X)
AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206
JunosPulse(Version-3.2.2.21349)iPhone' --csd-wrapper=tncc-wrapper.py
--dump vpn.mycompany.com/mycompany

WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://vpn.mycompany.com/mycompany
Attempting to connect to server 65.210.57.16:443
Connected to 65.210.57.16:443
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com
> GET /mycompany HTTP/1.1
> Host: vpn.mycompany.com
> User-Agent: JunosPulseiPhone Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206 JunosPulse(Version-3.2.2.21349)iPhone
> Connection: close
> NCP-Version: 3
>
Got HTTP response: HTTP/1.1 302 Found
Location: https://vpn.mycompany.com/dana-na/auth/url_default/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; expires=Thu,
31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/mycompany; path=/; secure
Connection: close
Content-Length: 0
HTTP body length:  (0)
GET https://vpn.mycompany.com/dana-na/auth/url_default/welcome.cgi
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com
> GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1
> Host: vpn.mycompany.com
> User-Agent: JunosPulseiPhone Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206 JunosPulse(Version-3.2.2.21349)iPhone
> Cookie: DSSIGNIN=url_default; DSSignInURL=/mycompany
> Connection: close
> NCP-Version: 3
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: DSCheckBrowser=; path=/; expires=Sat, 27-Jan-2007 19:57:58
GMT; secure
Set-Cookie: DSPREAUTH=592a86ac%3AxrGHWPieAgABAAAAocszTLLg%2B11ic1XMpqoG6PAPgy47Untj5pYv%2BijnNUxzb1APVPhG6a7kFQUp8kc6ULtZXpyBkTyalepHwrqe70hZNJGp2cKX0ahkf5oW%2BRyxaNbvENdzcxJdKu27Dtmub9CoqoFY1%2BBBpdScgLv8ZAAiYwRsQISaKGPEYOk4oSUDRoHwIFDrhn1p5dxA9QWUuN3oxdrGmSPTmr5HMhKJyOl%2BBVJO%2B2NaA7zofTpelJz1W5OsKRAMfIDqsqQeZtgMofagWm7tPEcdPdNxR%2FWvxQlyY7ITrCGwE0xrclPt0E4R2QdcBIOgmEiup2G6ii6rovUfX%2BqxG0aYx3Z9Z0U2WLfVBeUeMrxsegvybc1ebQoIDuLIclxxasKxyOtxZcVa;
path=/dana-na/; expires=Wed,  24-Jan-2018 14:57:58 GMT; secure
Set-Cookie: DSHCSTARTED=1; path=/dana-na/; secure
Date: Tue, 24 Jan 2017 19:57:58 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-store
Expires: -1
X-Frame-Options: SAMEORIGIN
HTTP body http 1.0 (-1)
SSL socket closed uncleanly
< <html><head>
< <meta http-equiv="Content-Language"/>
< <meta http-equiv="Content-Type" content="text/html"/>
< <meta name=robots content="none"/>
< <title>mycompany Secure Access Service - PleaseWait</title>
<
< <link href="/dana-na/css/ds_mobile_common_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.css"
type="text/css" rel="stylesheet"/>
< <link href="/dana-na/css/ds_mobile_safari_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.css"
type="text/css" rel="stylesheet"/>
< <meta name="viewport" content="width=device-width,
initial-scale=1.0, maximum-scale=1.0, user-scalable=no"/>
< <meta name="format-detection" content="telephone=no"/>
<
< <script type="text/javascript">function hideUrlBar() {
<     // Hides URL Bar on the iPhone
<     var minHeight = 0;
<
<     if (window.innerHeight) {
<         minHeight = window.innerHeight + 60;
<     }
<     document.body.style.minHeight = minHeight + 'px';
<     document.getElementById('main_div').style.minHeight = minHeight + 'px';
<
<     setTimeout(function()
<     {
<         window.scrollTo(0,1);
<     }, 100);
< }
<
< addEventListener("load", function() { setTimeout(hideUrlBar, 0); }, false);
< function textFieldGetFocus(field) {
<   document.getElementById(field).focus();
< }
< </script>
<
< </head>
<
<
< <script language="JavaScript">
< var userAgentTypeApple = "1";
< var userAgentTypeAndroid = "";
< function OnStart()
< {
<     if(userAgentTypeApple == "1") {
<         window.location = "IVEAction://startHC";
<         Browser.redirect("IVEAction://startHC");
<     }
<     else if(userAgentTypeAndroid == "1"){
<         HTMLOUT.showHTML("my APP");
<     }
<     else {
<         document.cookie = "DSCheckBrowser=" + escape('none') + ";
path=/;secure";
<         var href = window.location.href;
<         window.location = href;
<     }
< }
< </script>
<
< <body onload="OnStart();"><table
id="table_PleaseWait-mobile-webkit_1" border="0" cellpadding="10"
cellspacing="0">
<         <tr><td><small><b>Loading Components...</b></small></td></tr>
< </table>
<
< <table id="table_PleaseWait-mobile-webkit_2" cellpadding="2"
cellspacing="0" border="0" width="100%">
<     <tr>
<         <td> </td>
<         <td width="100%"><span><div id="hc">Host Checker</div></span></td>
<     </tr>
< </table></body>
<
< <input id="serverdetails_1" type="hidden" name="serverdetails"
value="interval=0;process_timeout=90;cert_md5=1f9ab4221d578a51b6c73b93c06149fe;hash_key=06f23f73c64c6df8a8a64ecbe431b75d166d46d1;logging=1;locale=en">
< </html>
<
Failed to obtain WebVPN cookie

________________________________________________________________________________
With No UserAgent:

openconnect --juniper --dump --csd-wrapper=tncc-wrapper.py
vpn.mycompany.com/mycompany
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://vpn.mycompany.com/mycompany
Attempting to connect to server 65.210.57.16:443
Connected to 65.210.57.16:443
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com
> GET /mycompany HTTP/1.1
> Host: vpn.mycompany.com
> User-Agent: Open AnyConnect VPN Agent v7.08
> Connection: close
> NCP-Version: 3
>
Got HTTP response: HTTP/1.1 302 Found
Location: https://vpn.mycompany.com/dana-na/auth/url_default/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; expires=Thu,
31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/mycompany; path=/; secure
Connection: close
Content-Length: 0
HTTP body length:  (0)
GET https://vpn.mycompany.com/dana-na/auth/url_default/welcome.cgi
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com
> GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1
> Host: vpn.mycompany.com
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: DSSIGNIN=url_default; DSSignInURL=/mycompany
> Connection: close
> NCP-Version: 3
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: DSHCSTARTED=1; path=/dana-na/; secure
Date: Tue, 24 Jan 2017 20:05:18 GMT
Connection: close
Pragma: no-cache
Cache-Control: no-store
Expires: -1
X-Frame-Options: SAMEORIGIN
HTTP body http 1.0 (-1)
SSL socket closed uncleanly
<
< <html>
< <head>
< <meta http-equiv="Content-Language">
< <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
< <title>mycompany Secure Access Service - PleaseWait</title>
< <script src="/dana-na/css/ds_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.js"></script>
< <meta name="robots" content="none">
< <script>
<         WriteCSS();
< </script>
< <noscript>
< <link rel="stylesheet"
href="/dana-na/css/ds_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.css"></link>
< </noscript>
< <script src="/dana-na/js/checkbrowser_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.js"></script>
< <script src="/dana-na/js/clientSetup_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.js"></script><script
src="/dana-na/js/intermediate_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.js"></script>
< <script>
<
< var error_message = '';
< var start_status = 1;
< var check_browser = new CheckBrowser();
< var g_delivery = '';
< var g_checkbCookieSet = false;
< var g_HCLoading = 'Host Checker';
< var g_isUAC = '0';
<
< function initBulb (component)
< {
< document.getElementById(component + 'bulb').style.color = "#808080";
< }
<
< function setSucceeded(component)
< {
<     document.getElementById(component + 'bulb').style.color = "#03CA08";
<     setStatus(1);
< }
<
< function setFailed(component)
< {
<     document.getElementById(component + 'bulb').style.color = "#990000";
<     setStatus(0);
< }
<
< function setStarted(component)
< {
< document.getElementById(component).style.fontWeight = "bold";
< }
<
< function setFinished(component)
< {
< document.getElementById(component).style.fontWeight = "normal";
< }
< function gowelcome()
< {
<     if (g_delivery != '') {
<         setCheckBrowserCookie ();
<     }
< if (getStatus()) {
< document.getElementById('endstatus').innerHTML = 'Components loaded
successfully';
<         var url = window.location;
<         if (dsIsVista() || dsIsWinXP()) {
<             try {
<                 var SetupCtrl;
<                 if (document.deliveryType == 'java') {
<                     var doc = getIFrameDocument("controlframe");
<                     if (typeof(doc) == "undefined") {
<                         return false;
<                     }
<                     SetupCtrl = doc.getElementById("NeoterisSetup");
<                 }
<                 else if (document.deliveryType == 'activex') {
<                     SetupCtrl = document.getElementById("NeoterisSetup");
<                 }
<                 if (SetupCtrl != "undefined") {
<                     var data = SetupCtrl.retrieveData("HCDATA");
<                     if (data && data.indexOf("AED={") != -1) {
<                         // AED getting initialised
<                         var aedParams = aedParseProgressString (data);
<                         var aedInitComplete = 0;
<                         if (aedParams.statusInitialization ==
gAedProgress.SUCCESS
||aedParams.statusInitialization==gAedProgress.FAIL) {
<                             if (aedParseParam(data, 'HSStatus:')) {
<                                 aedInitComplete = 1;
<                             }
<                         }
<                         if (!aedInitComplete) {
<                             if (url.toString().indexOf('?') == -1) {
<                                 url += "?type=inter";
<                             }
<                             else {
<                                 url += "&type=inter";
<                             }
<                         }
<                     }
<                 }
<             }
<             catch (e) {
<             }
<         }
<         window.location = url;
< }
< else  {
< document.getElementById('endstatus').innerHTML = error_message;
<    setTimeout("window.location = window.location;", 5000);
<     }
< }
<
< function setCCSucceeded()
< {
< setSucceeded('cc');
< }
< function setHCSucceeded()
< {
< setSucceeded('hc');
< }
<
< function getComponent(component)
< {
<     return document.getElementById(component + 'bulb');
< }
<
< function failComponents()
< {
<     if (getComponent('hc')) setFailed('hc');
<     if (getComponent('cc')) setFailed('cc');
<     if (getComponent('ep')) setFailed('ep');
< }
<
< function setStatus(s)
< {
<     start_status = s;
< }
< function getStatus()
< {
<     return start_status;
< }
< function setErrorMessage(aMsg)
< {
<     error_message = aMsg;
< }
<
< function loadIframe(iframeName, url) {
<    var doc = getIFrameDocument(iframeName);
<    if (typeof(doc) == "undefined") {
<     return false;
<    }
<    doc.location.href = url;
<    return true;
< }
<
< function getIFrameDocument(iframeName) {
<     var fr;
<     var frWindow;
<     var frDocument;
<     if ( window.frames && window.frames[iframeName] ) {
<         frWindow = window.frames[iframeName];
<     }else if (document.getElementById(iframeName) ) {
<         frWindow = document.getElementById(iframeName).contentWindow;
<     }else {
<         return ;
<     }
<
<     fr = document.getElementById(iframeName);
<     if (frWindow && frWindow.document)
<         frDocument = frWindow.document;
<     else if (fr && fr.contentDocument)
<         frDocument = fr.contentDocument;
<
<     return frDocument;
< }
<
< function checkb() {
<     g_delivery = 'none';    g_delivery = 'none';
<     if (dsIsActiveXEnabled()){
<         g_delivery = 'activex';
<     }else if (dsIsJavaEnabled()) {
<         g_delivery = 'java';
<     }    document.deliveryType = g_delivery;
<     return g_delivery;
< }
<
< // Redirect to CGI to download the Setup Client .exe
< function redirectToSetupCGI() {
<     var href = window.location.href;
<     var redirectURL = "/dana-na/setup/download.cgi?r=" + escape(href);
<     if (dsIsMac()) {
<         redirectURL = redirectURL + "&platform=Macintosh";
<     }
<     window.location = redirectURL;
< }
<
< function loadControlFrame()
< {
<     try {
<         loadIframe ('controlframe', window.location);
<     } catch (e) {
<         failComponents();
<         setTimeout("gowelcome();", 0);
<     }
< }
<
< function setCheckBrowserCookie () {
<     if (g_checkbCookieSet == false) {
<         document.cookie = "DSCheckBrowser=" + escape(g_delivery) +
"; path=/;secure";
<         g_checkbCookieSet = true;
<     }
< }
<
< function submitBrowserInfo() {
<     setCheckBrowserCookie ();
<     if (g_delivery == 'none') {
<         setErrorMessage ('Your browser does not support either
ActiveX controls or Java applets. Please contact your
administrator.');
<         failComponents ();
<         gowelcome();
<     } else {
<         loadControlFrame();
<     }
< }
<
< function startOnLoad()
< {
<  var c = checkb();
<  if ((c == 'none') && (dsIsVista() || dsIsWinXP() || dsIsMac())) {
<      failComponents ();
<      setTimeout("redirectToSetupCGI();", 7000);
<      return;
<  }
<     setTimeout ("submitBrowserInfo();", 2000);}
< </script>
<
<
<
< <script>
< <!--
< if (window.top != self) {
< top.location = location;
< }
< //--></script>
< </head>
<
< <body bgcolor="#FFFFFF" color="#000000" link="#3366CC"
vlink="#CC6699" alink="#3366CC" leftmargin="0" topmargin="0"
rightmargin="0" marginwidth="0" marginheight="0"
onload="startOnLoad()" >
<
<
< <table id="table_PleaseWait_1" border="0" width="100%"
cellspacing="0" cellpadding="3">
<         <tr>
<             <td bgcolor="E3E3E3"><img border="0"
src="/dana-na/auth/welcome.cgi?p=logo" alt="Logo"></td>
<        <td bgcolor="E3E3E3" align="right"> </td>
<
<         </tr>
< </table>
< <table id="table_PleaseWait_2" cellpadding="0" cellspacing="0"
border="0" width="100%">
<         <tr>
<                 <td bgcolor="#000000" colspan="2"><img border="0"
src="/dana-na/imgs/space.gif" width="1" height="1"></td>
<         </tr>
< </table>
< <blockquote>
<         <table id="table_PleaseWait_3" border="0" cellpadding="2"
cellspacing="0">
< <tr><td nowrap ><font face="verdana,sans-serif" size="3"><b>Loading
Components...</b></font></td></tr>
< <tr><td nowrap ><font face="verdana,sans-serif" size="2">Please
wait. This may take several minutes.</font></td></tr>
<         </table>
<
< <table id="table_PleaseWait_4" cellpadding="4" cellspacing="0"
border="0" width="100%"> <tr>
< <td><img src="/dana-na/imgs/space.gif" width="30" height="1"></td>
< <td><span style="font-weight:bold; color:#808080; font-size:135%;"
id="hcbulb">•</span></td>
< <td width="100%"><span><div id="hc">Host Checker</div></span></td>
< </tr> <tr>
< <td> </td>
< <td> </td>
< <tr>
<         <table id="table_PleaseWait_5" border="0" cellpadding="2"
cellspacing="0">
< <tr><td nowrap ><font face="verdana,sans-serif" size="2">
<         <div id="continue">If an error prevents a component from
loading properly, you can <a href="javascript:void(0)"
onclick="javascript:gowelcome();return false;">click here</a> to
continue. Not all functionality may be available.
</div></font></td></tr>
<         </table>
< </tr>
< <tr>
< <td><img src="/dana-na/imgs/space.gif" width="30" height="1"></td>
< </tr>
< <tr>
< <td><img src="/dana-na/imgs/space.gif" width="30" height="1"></td>
< </tr>
<         <table id="table_PleaseWait_6" border="0" cellpadding="2"
cellspacing="0">
< <tr><td nowrap ><font face="verdana,sans-serif" size="2"><div
id="endstatus"></div></font></td></tr>
<         </table>
< </table>
< </blockquote>
< <OBJECT classid="clsid:F27237D7-93C8-44C2-AC6E-D6057B9A918F"
<  id=NeoterisSetup
codebase="\dana-cached\sc\JuniperSetupClient.cab#version=2,1,1,1"
< width=0 height=0 >
< </object><p align="left"><iframe id="controlframe"
name="controlframe" src="/dana-na/html/blank.html" width="2"
height="2" frameborder="0" scrolling="NO"></iframe></p>
<
< </body>
<
< </html>
No DSPREAUTH cookie; not attempting TNCC
Failed to obtain WebVPN cookie
Dustin L Hartung


On Tue, Jan 24, 2017 at 1:12 PM, Daniel Lenski <dlenski at gmail.com> wrote:
> On Tue, Jan 24, 2017 at 9:28 AM, Dustin Hartung
> <dustin.hartung at gmail.com> wrote:
>> I am trying to use openconnect on my Mac to connect to a Junos vpn.
>> Below is my command and the response i am getting. I am not sure
>> where to go from here.  I downloaded generic tncc-wrapper.py from
>> Github.  Does it need to be modified?
>
> Are you sure that TNCC is the problem here?
>
> You should run with --dump to show all the HTTP traffic that
> openconnect is sending and receiving. OC is probably getting hung up
> on an authentication form that it doesn't understand. OC's Juniper
> auth support is necessarily incomplete, because Juniper authentication
> consists of totally free-form web pages.
>
> Logging should make this clear.
>
> Dan



More information about the openconnect-devel mailing list