GlobalProtect failed logout

Daniel Lenski dlenski at gmail.com
Sat Sep 5 13:40:00 EDT 2020


> I use the official version from the repository (version 8.05-1) on
> Pop_OS! 20.04.
> How can I fix this?

Given that your GlobalProtect VPN uses a "domain" parameter of
"(empty_domain)", I believe this issue has already been fixed in my MR
of https://gitlab.com/openconnect/openconnect/-/merge_requests/93.

This is not yet in a released version of OpenConnect, but you can fix
it by building from source.

Since it is a bug with security implications (session logout never
succeeds), perhaps we should encourage distributions to include the
patch even before it is released.

-Dan


On Sat, Sep 5, 2020 at 2:34 AM Zoïs Moitier <zmoitier at ucmerced.edu> wrote:
>
> Hello,
>
> I use the command `sudo openconnect --protocol=gp
> --csd-wrapper=/usr/libexec/openconnect/hipreport.sh vpn.ucmerced.edu` to
> connect. It works perfectly, and then when I press Ctrl+C to stop the VPN,
> it says that the logout failed, but after that the VPN does stop on my side.
> Here is what I get in the command line:
>
> ```bash
>
> ^CPOST https://vpn.ucmerced.edu/ssl-vpn/logout.esp
> SSL negotiation with vpn.ucmerced.edu
> Connected to HTTPS on vpn.ucmerced.edu
> Invalid user name
> Logout failed.
> RTNETLINK answers: No such process
> RTNETLINK answers: No such process
> User cancelled (SIGINT/SIGTERM); exiting.
>
> ```
>
> After discussing with the IT department, it seems that I am never logged
> out on the VPN side.
>
> If I add the options `--script "sh -x
> /usr/share/vpnc-scripts/vpnc-script"` and `-vvv --dump`, after the Ctrl+C
> I think that the interesting parts are
>
> ```bash
>
> < <?xml version="1.0" encoding="UTF-8" ?>
> <
> <     <response status="error">
> <         <portal>UCM_VPN-N</portal>
> <         <domain>%28empty_domain%29</domain>
> <         <user>my_user_name</user>
> <         <computer>pop-os</computer>
> <         <error>Invalid user name</error>
> <     </response>
> Invalid user name
> Logout failed.
>
> ```
>
> and
>
> ```bash
>
> + /sbin/ip route replace default via 192.168.0.1 dev wlp0s20f3 via
> 192.168.0.1 dev wlp0s20f3
> Error: argument "via" is wrong: use nexthop syntax to specify multiple via
>
> ```
>
> I use the official version from the repository (version 8.05-1) on
> Pop_OS! 20.04.
>
>
> How can I fix this?
>
> Zoïs