GlobalProtect failed logout

Daniel Lenski dlenski at gmail.com
Sat Sep 5 13:59:20 EDT 2020


Sorry, I was mistaken about these changes being unreleased. They are
in v8.09 and v8.10, so upgrading to the latest released version should
indeed fix this issue:

$ git tag --contains 494e81eac1d8465cdbe072115a68b002281c0efe
v8.09
v8.10

Thanks,
Dan

On Sat, Sep 5, 2020 at 10:40 AM Daniel Lenski <dlenski at gmail.com> wrote:
>
> > I use the official version from the repository (version 8.05-1) on
> > Pop_OS! 20.04.
> > How can I fix this?
>
> Given that your GlobalProtect VPN uses a "domain" parameter of
> "(empty_domain)", I believe this issue has already been fixed in my MR
> of https://gitlab.com/openconnect/openconnect/-/merge_requests/93.
>
> This is not yet in a released version of OpenConnect, but you can fix
> by building from source.
>
> Since it is a bug with security implications (session logout never
> succeeds), perhaps we should encourage distributions to include the
> patch even before it is released.
>
> -Dan
>
>
> On Sat, Sep 5, 2020 at 2:34 AM Zoïs Moitier <zmoitier at ucmerced.edu> wrote:
> >
> > Hello,
> >
> > I use the command `sudo openconnect --protocol=gp
> > --csd-wrapper=/usr/libexec/openconnect/hipreport.sh vpn.ucmerced.edu` to
> > connect. It works perfectly, and then when I press Ctrl+C to stop the VPN,
> > it says that the logout failed, but after that the VPN does stop on my
> > side. Here is what I get on the command line:
> >
> > ```bash
> >
> > ^CPOST https://vpn.ucmerced.edu/ssl-vpn/logout.esp
> > SSL negotiation with vpn.ucmerced.edu
> > Connected to HTTPS on vpn.ucmerced.edu
> > Invalid user name
> > Logout failed.
> > RTNETLINK answers: No such process
> > RTNETLINK answers: No such process
> > User cancelled (SIGINT/SIGTERM); exiting.
> >
> > ```
> >
> > After discussing with the IT department, it seems that I am never logged
> > out on the VPN side.
> >
> > If I add the options `--script "sh -x
> > /usr/share/vpnc-sripts/vpnc-script"` and `-vvv --dump`, after the Ctrl+C
> > I think that the interesting parts are
> >
> > ```bash
> >
> > < <?xml version="1.0" encoding="UTF-8" ?>
> > <
> > <     <response status="error">
> > <         <portal>UCM_VPN-N</portal>
> > <         <domain>%28empty_domain%29</domain>
> > <         <user>my_user_name</user>
> > <         <computer>pop-os</computer>
> > <         <error>Invalid user name</error>
> > <     </response>
> > Invalid user name
> > Logout failed.
> >
> > ```
> >
> > and
> >
> > ```bash
> >
> > + /sbin/ip route replace default via 192.168.0.1 dev wlp0s20f3 via
> > 192.168.0.1 dev wlp0s20f3
> > Error: argument "via" is wrong: use nexthop syntax to specify multiple via
> >
> > ```
> >
> > I use the official version from the repository (version 8.05-1) on
> > Pop_OS! 20.04.
> >
> >
> > How can I fix this?
> >
> > Zoïs



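As an added example (not part of the thread and not OpenConnect's own code): a small Python check that reads `-vvv --dump` output like the one quoted in the report, extracts the logout response, and flags a failed logout, the case where the session stays open on the VPN side. The sample text is constructed from the lines in the report, and the function name `parse_logout_response` is hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample: the logout response from the report above, as printed by
# `openconnect -vvv --dump` (received lines carry a "<" prefix).
SAMPLE_DUMP = """\
< <?xml version="1.0" encoding="UTF-8" ?>
<
<     <response status="error">
<         <portal>UCM_VPN-N</portal>
<         <domain>%28empty_domain%29</domain>
<         <user>my_user_name</user>
<         <computer>pop-os</computer>
<         <error>Invalid user name</error>
<     </response>
Invalid user name
Logout failed.
"""

def parse_logout_response(dump_text):
    """Return a dict describing the dumped logout response, or None if absent."""
    # Keep only received lines and drop the "<" marker plus one following space.
    received = [line[2:] if line.startswith("< ") else line[1:]
                for line in dump_text.splitlines() if line.startswith("<")]
    # Skip anything (e.g. HTTP headers) that precedes the XML declaration.
    starts = [i for i, line in enumerate(received) if line.startswith("<?xml")]
    if not starts:
        return None
    root = ET.fromstring("\n".join(received[starts[0]:]).encode("utf-8"))
    fields = {child.tag: (child.text or "") for child in root}
    return {
        "failed": root.get("status") == "error",
        "status": root.get("status"),
        "error": fields.get("error"),
        "domain": unquote(fields.get("domain", "")),  # percent-decoded for display
        "user": fields.get("user"),
    }

if __name__ == "__main__":
    result = parse_logout_response(SAMPLE_DUMP)
    if result and result["failed"]:
        print(f"logout rejected, session may still be active: {result['error']!r} "
              f"(user={result['user']}, domain={result['domain']})")
```
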