Problems with OpenConnect v8.20
Schütz Dominik
Dominik.Schuetz at esolutions.de
Thu Apr 7 06:37:43 PDT 2022
Dear Support,
We have a strange issue with the output of OpenConnect on Ubuntu 22.04 (Beta) with OpenConnect v8.20 compared to Ubuntu 20.04 with OpenConnect v8.05 or Ubuntu 22.04 (Beta) with OpenConnect v8.10. See text below.
What is the reason for this "debug/long" output and will it be removed with the final Ubuntu 22.04 release?
### The "vpnc-script" is the latest from https://gitlab.com/openconnect/vpnc-scripts/raw/master/vpnc-script
## On Ubuntu 20.04 with OpenConnect v8.05
dominik at host1:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.4 LTS"
dominik at host1:~$
dominik at host1:~$ dpkg -l | grep openconnect
ii libopenconnect5:amd64 8.05-1 amd64 open client for Cisco AnyConnect, Pulse, GlobalProtect VPN - shared library
ii openconnect 8.05-1 amd64 open client for Cisco AnyConnect, Pulse, GlobalProtect VPN
dominik at host1:~$
# --protocol=nc, because --protocol=pulse does not work on this version for us
dominik at host1:~$ sudo openconnect --script=/root/vpnc-script --protocol=nc https://vpn-gateway/linux
GET https://vpn-gateway/linux
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with vpn-gateway
Connected to HTTPS on vpn-gateway
Got HTTP response: HTTP/1.1 302 Found
GET https://vpn-gateway/dana-na/auth/url_xxx/welcome.cgi
SSL negotiation with vpn-gateway
Connected to HTTPS on vpn-gateway
frmLogin
username:dominik at domain
password:
POST https://vpn-gateway/dana-na/auth/url_xxx/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
GET https://vpn-gateway/dana-na/auth/url_xxx/welcome.cgi?p=user%2Dconfirm
POST https://vpn-gateway/dana-na/auth/url_xxx/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
GET https://vpn-gateway/dana/home/index.cgi
Set up UDP failed; using SSL instead
Connected as xxx.xxx.xxx.xxx, using SSL, with ESP disabled
## On Ubuntu 22.04 (Beta) with OpenConnect v8.20
dominik at host2:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu Jammy Jellyfish (development branch)"
dominik at host2:~$
dominik at host2:~$ dpkg -l | grep openconnect
ii libopenconnect5:amd64 8.20-1 amd64 open client for various network vendors SSL VPNs - shared library
ii openconnect 8.20-1 amd64 open client for various network vendors SSL VPNs
dominik at host2:~$
# --protocol=nc
dominik at host2:~$ sudo openconnect --script=/root/vpnc-script --protocol=nc https://vpn-gateway/linux
GET https://vpn-gateway/linux
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with vpn-gateway
Connected to HTTPS on vpn-gateway with ciphersuite (TLS1.2)-(RSA)-(AES-128-GCM)
Got HTTP response: HTTP/1.1 302 Found
Location: /dana-na/auth/url_xxx/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_xxx; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/linux; path=/; secure
Connection: close
Content-Length: 0
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body length: (0)
GET https://vpn-gateway/dana-na/auth/url_xxx/welcome.cgi
SSL negotiation with vpn-gateway
Connected to HTTPS on vpn-gateway with ciphersuite (TLS1.2)-(RSA)-(AES-128-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Thu, 07 Apr 2022 08:42:51 GMT
x-frame-options: SAMEORIGIN
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
frmLogin
username:dominik at domain
password:
POST https://vpn-gateway/dana-na/auth/url_xxx/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
Set-Cookie: DSASSERTREF=x; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSID=<elided>; path=/; secure
Set-Cookie: DSDID=44e22973d2ccd237; path=/; secure; HttpOnly
Set-Cookie: DSFirstAccess=1649320980; path=/; secure
Set-Cookie: DSSIGNIN=url_xxx; path=/; secure
Date: Thu, 07 Apr 2022 08:43:00 GMT
location: /dana/home/index.cgi
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Content-Length: 0
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body length: (0)
GET https://vpn-gateway/dana/home/index.cgi
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: DSLastAccess=1649320980; path=/; Secure
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
Got HTTP response: HTTP/1.1 200 OK
Content-type: application/octet-stream
Pragma: no-cache
NCP-Version: 3
Set-Cookie: DSLastAccess=1649320980; path=/; Secure
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
> 0000: 15 00 00 04 00 00 00 08 00 65 73 6f 31 35 38 35 |.........host2|
> 0010: 30 bb 01 00 00 00 00 |0......|
Read 3 bytes of SSL record
< 0000: 01 00 00 |...|
Read 1986 bytes of SSL record
Got KMP message 301 of length 2322
Read additional 358 bytes of KMP 301 message
Got KMP message 301 of size 2322
Unknown TLV group 3 attr 1 len 1: 01
Unknown TLV group 3 attr 2 len 1: 00
Received split include route 0.0.0.0/0.0.0.0
Received split exclude route xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
Received split exclude route xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
Received split exclude route xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
Received split exclude route xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
Received MTU 1400 from server
Received DNS server xxx.xxx.xxx.xxx
Received DNS server xxx.xxx.xxx.xxx
Received DNS search domain
Unknown TLV group 2 attr 3 len 4: 01 00 00 00
Received internal IP address xxx.xxx.xxx.xxx
Received netmask 255.255.255.255
Received internal gateway address xxx.xxx.xxx.xxx
oNCP negotiation request outgoing:
> 0000: 24 00 00 00 00 00 00 00 01 2f 01 00 00 00 01 00 |$......../......|
> 0010: 00 00 00 00 00 10 00 06 00 00 00 0a 00 02 00 00 |................|
> 0020: 00 04 00 00 05 78 |.....x|
Set up UDP failed; using SSL instead
Configured as xxx.xxx.xxx.xxx, with SSL connected and ESP disabled
# --protocol=pulse -> also a long output
dominik at host2:~$ sudo openconnect --script=/root/vpnc-script --protocol=pulse https://vpn-gateway/linux
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with vpn-gateway
Connected to HTTPS on vpn-gateway with ciphersuite (TLS1.2)-(RSA)-(AES-128-GCM)
Got HTTP response: HTTP/1.1 101 Switching Protocols
Content-type: application/octet-stream
Pragma: no-cache
Upgrade: IF-T/TLS 1.0
Connection: Upgrade
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
> 0000: 00 00 55 97 00 00 00 01 00 00 00 14 00 00 00 00 |..U.............|
> 0010: 00 01 02 02 |....|
IF-T/TLS version from server: 2
AVP 0x583/0xd49: 00 00 00 04
AVP 0x583/0xd4a: 00 00 00 01
AVP 0x583/0xd56: '220253a5-0a3f-49fc-985e-35c455e0ce68'
AVP 79: 01 00 00 0d fe 00 0a 4c 00 00 00 02 01
Pulse password auth request, code 0x01
Enter user credentials:
Username:dominik at domain
Password:
AVP 0x583/0xd53: 'd55670db1882bfc58496fbdb9a3000ff'
AVP 0x583/0xd8b: '2557842474d35665'
AVP 0x583/0xd5c: 00 00 a8 c0
AVP 0x583/0xd54: 'xxx.xxx.xxx.xxx/linux'
AVP 0x583/0xd55: '28de4cd8d1c633f954683b869f032405'
AVP 0x583/0xd6b: 00 00 00 10
AVP 0x583/0xd75: 00 00 00 00
AVP 0x583/0xd57: 00 00 00 00
> 0000: 00 00 55 97 00 00 00 06 00 00 00 20 00 00 00 05 |..U........ ....|
> 0010: 00 0a 4c 01 02 04 00 0c fe 00 0a 4c 00 00 00 01 |..L........L....|
Unexpected IF-T/TLS packet when expecting configuration.
< 0000: 00 00 0a 4c 00 00 00 96 00 00 00 34 00 00 01 fb |...L.......4....|
< 0010: 32 32 30 32 35 33 61 35 2d 30 61 33 66 2d 34 39 |220253a5-0a3f-49|
< 0020: 66 63 2d 39 38 35 65 2d 33 35 63 34 35 35 65 30 |fc-985e-35c455e0|
< 0030: 63 65 36 38 |ce68|
Unknown attr 0x4025 len 1: 01
Received split include route 0.0.0.0/0.0.0.0
Received split exclude route xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
Received split exclude route xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
Received split exclude route xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
Received split exclude route xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
Unknown attr 0x4000 len 1: 01
Unknown attr 0x4001 len 1: 00
Unknown attr 0x401f len 1: 00
Unknown attr 0x4020 len 1: 01
Unknown attr 0x4021 len 1: 01
Received MTU 1400 from server
Received DNS server xxx.xxx.xxx.xxx
Received DNS server xxx.xxx.xxx.xxx
Received DNS search domain
Unknown attr 0x4007 len 4: 00 00 00 01
Unknown attr 0x4019 len 1: 01
ESP only: 0
Unknown attr 0x4024 len 1: 01
ESP to SSL fallback: 15 seconds
Unknown attr 0x400f len 2: 00 00
ESP encryption: 0x0005 (AES-256)
ESP HMAC: 0x0003 (SHA256)
ESP key lifetime: 3600 seconds
ESP key lifetime: 0 bytes
ESP replay protection: 1
Unknown attr 0x4015 len 4: 00 00 00 00
ESP port: 4500
ESP to SSL fallback: 15 seconds
Unknown attr 0x4018 len 4: 00 00 00 3c
Received internal Legacy IP address xxx.xxx.xxx.xxx
Received netmask 255.255.255.255
Received internal gateway address xxx.xxx.xxx.xxx
Unknown attr 0x400c len 1: 00
Unknown attr 0x400d len 1: 00
Unknown attr 0x400e len 1: 00
Unknown attr 0x401b len 1: 00
Unknown attr 0x401c len 1: 00
Unknown attr 0x13 len 1: 00
Unknown attr 0x14 len 1: 00
64 bytes of ESP secrets
ESP SPI (outbound): 24e17219
> 0000: 00 00 0a 4c 00 00 00 05 00 00 00 18 00 00 00 07 |...L............|
> 0010: 6e 63 6d 6f 3d 31 0a 00 |ncmo=1..|
Parameters for incoming ESP: SPI 0x0ff26159
ESP encryption type AES-256-CBC (RFC3602) key 0x8b85eef7811915cc72bf7ed0f293d98d078c01930f429de0b2fd8db914ccb41a
ESP authentication type HMAC-SHA-256-128 (RFC4868) key 0x53dae08e970181ed890784b826e5285f9b5a5f63f67bd5a415ae14d500abda97
Parameters for outgoing ESP: SPI 0x24e17219
ESP encryption type AES-256-CBC (RFC3602) key 0xb88c5dae35ee88f56f96277def461af1c4a414abeeb4c3c14f3a95ba1623ff0a
ESP authentication type HMAC-SHA-256-128 (RFC4868) key 0x057d906b0ec35808c63cb4bcbd885baa84bb68b70ae06a8e9d3834f071146916
Send ESP probes
UDP SO_SNDBUF: 28000
Configured as xxx.xxx.xxx.xxx, with SSL connected and ESP in progress
Session authentication will expire at Thu Apr 7 22:43:50 2022
ESP session established with server
## On Ubuntu 22.04 (Beta) with downgrade to OpenConnect v8.10 (from Ubuntu 21.10)
dominik at host2:~$ dpkg -l | grep openconnect
ii libopenconnect5:amd64 8.10-2build1 amd64 open client for Cisco AnyConnect, Pulse, GlobalProtect VPN - shared library
ii openconnect 8.10-2build1 amd64 open client for Cisco AnyConnect, Pulse, GlobalProtect VPN
dominik at host2:~$
# --protocol=nc, because --protocol=pulse does not work on this version for us
dominik at host2:~$ sudo openconnect --script=/root/vpnc-script --protocol=nc https://vpn-gateway/linux
GET https://vpn-gateway/linux
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with vpn-gateway
Connected to HTTPS on vpn-gateway with ciphersuite (TLS1.2)-(RSA)-(AES-128-GCM)
Got HTTP response: HTTP/1.1 302 Found
GET https://vpn-gateway/dana-na/auth/url_xxx/welcome.cgi
SSL negotiation with vpn-gateway
Connected to HTTPS on vpn-gateway with ciphersuite (TLS1.2)-(RSA)-(AES-128-GCM)
frmLogin
username:dominik at domain
password:
POST https://vpn-gateway/dana-na/auth/url_xxx/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
GET https://vpn-gateway/dana/home/index.cgi
Set up UDP failed; using SSL instead
Connected as xxx.xxx.xxx.xxx, using SSL, with ESP disabled
Many thanks in advance.
Mit freundlichen Grüßen / Kind regards
Dominik Schütz
Junior IT-Administrator
eso-IT-Infra
e.solutions GmbH
Despag-Straße 4a, 85055 Ingolstadt,
Phone +49845833321287
Dominik.Schuetz at esolutions.de
Please, find my mail encryption keys at: https://secmail.esolutions.de
Registered Office:
e.solutions GmbH
Despag-Straße 4a, 85055 Ingolstadt, Germany
Managing Directors Uwe Reder, Rainer Lange
Register Court Ingolstadt HRB 5221