Protocol F5/BigIP How to debug handshake
LeJacq, Jean Pierre
jeanpierre.lejacq at quoininc.com
Fri Oct 14 07:48:26 PDT 2022
I'm trying to use OpenConnect with the relatively new F5 protocol support.
I'm running into problems with the initial handshake and looking for some
advice on how to debug.
My environment is the following. I have confirmed that I can connect using the
Windows 11 F5 client.
OS: Debian Buster (stable)
Version: OpenConnect version v9.01-1~bpo11+1.
The problem seems to be that instead of establishing the connection, I'm
immediately redirected to a logout page saying this is an unsupported browser.
Using an explicit Windows 11 user agent string does not eliminate the warning
about a non-supported browser.
I'm thinking I need to provide another cookie but don't see how to determine
which one might be required.
Here's the command line I'm using.
$ sudo openconnect -vvvv --dump --dump-http-traffic --protocol='f5' 'remotemobile.example.com'
GET https://remotemobile.example.com/
Attempting to connect to server 216.165.125.164:443
Connected to 216.165.125.164:443
SSL negotiation with remotemobile.example.com
Connected to HTTPS on remotemobile.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-128-GCM)
> GET / HTTP/1.1
> Host: remotemobile.example.com
> User-Agent: Open AnyConnect VPN Agent v9.01-1~bpo11+1
>
Got HTTP response: HTTP/1.0 302 Found
Server: BigIP
Connection: Close
Content-Length: 0
Location: /my.policy
Set-Cookie: LastMRH_Session=efd55fd2;path=/
Set-Cookie: MRHSession=<elided>;path=/
Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Cache-Control: no-cache, must-revalidate, max-age=0
HTTP body length: (0)
GET https://remotemobile.example.com/my.policy
SSL negotiation with remotemobile.example.com
Connected to HTTPS on remotemobile.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-128-GCM)
> GET /my.policy HTTP/1.1
> Host: remotemobile.example.com
> User-Agent: Open AnyConnect VPN Agent v9.01-1~bpo11+1
> Cookie: LastMRH_Session=efd55fd2; MRHSession=664eeb92605090ed1026f7d3efd55fd2; MRHSHint=deleted
>
Got HTTP response: HTTP/1.0 302 Found
Server: BigIP
Connection: Close
Set-Cookie: F5_ST=1z1z1z1665754014z-1;path=/
Set-Cookie: LastMRH_Session=efd55fd2;path=/
Set-Cookie: MRHSession=<elided>;path=/
Content-Length: 0
Location: /vdesk/hangup.php3
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Cache-Control: no-cache, must-revalidate, max-age=0
HTTP body length: (0)
GET https://remotemobile.example.com/vdesk/hangup.php3
SSL negotiation with remotemobile.example.com
Connected to HTTPS on remotemobile.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-128-GCM)
> GET /vdesk/hangup.php3 HTTP/1.1
> Host: remotemobile.example.com
> User-Agent: Open AnyConnect VPN Agent v9.01-1~bpo11+1
> Cookie: LastMRH_Session=efd55fd2; MRHSession=e8db856820671decea73c8ccefd55fd2; MRHSHint=deleted; F5_ST=1z1z1z1665754014z-1
>
Got HTTP response: HTTP/1.1 200 OK
Server: BigIP
Content-Type: text/html; charset=utf-8
Accept-Ranges: bytes
Connection: Keep-Alive
Date: Fri, 14 Oct 2022 13:26:54 GMT
Age: 672
Content-Length: 3303
X-Frame-Options: DENY
Set-Cookie: MRHSession=<elided>;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
Set-Cookie: F5_ST=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
Set-Cookie: MRHSHint=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
Set-Cookie: F5_HT_shrinked=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
Set-Cookie: F5_fullWT=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
Set-Cookie: MRHSequence=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Cache-Control: no-cache, must-revalidate, max-age=0
HTTP body length: (3303)
< <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
< <head>
< <link rel="canonical" href="/internal-login" />
< <title>atExample Logout</title>
< </head>
<
< <body onload="OnLoad();" class="html front not-logged-in no-sidebars page-node page-node- page-node-1 node-type-page" >
< <div id="main">
< <div id="content" class="column" role="main">
< <h1>Unsupported Browser.</h1>
<
< <div id="LoginContainer">
< <p>
< <h3>Advanced Access is not supported on this browser.</h3>
<
< Login using Basic by <a href="/">clicking here</a>. Otherwise, please use a
<a href="http://atnyulmc.org/help-documentation/quick-view-os-browser-support-matrix">supported browser</a>. For Advanced Access browser setup instructions
<a href="http://atnyulmc.org/help-documentation/remote-vpn-documentation">click here</a>.
< </p>
< </div>
< </div>
< </div>
< </body>
< </html>
<
GET https://remotemobile.example.com/vdesk/vpn/index.php3?outform=xml&cl
> GET /vdesk/vpn/index.php3?outform=xml&client_version=2.0 HTTP/1.1
> Host: remotemobile.example.com
> User-Agent: Open AnyConnect VPN Agent v9.01-1~bpo11+1
> Cookie: LastMRH_Session=efd55fd2; MRHSession=deleted; MRHSHint=deleted; F5_Sshrinked=deleted; F5_fullWT=deleted; MRHSequence=deleted
>
Got HTTP response: HTTP/1.0 302 Found
Server: BigIP
Connection: Close
Content-Length: 0
Location: /my.policy
Set-Cookie: LastMRH_Session=4503443b;path=/
Set-Cookie: MRHSession=<elided>;path=/
Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Cache-Control: no-cache, must-revalidate, max-age=0
HTTP body length: (0)
Creating SSL connection failed
Unknown error; exiting.
--
JP
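Added example for this thread (not OpenConnect code, and not part of the message above). When a BIG-IP APM chain ends on /vdesk/hangup.php3 it is useful to see, per request, which cookies the server set, which it expired, and what the client actually sent next. The trace above shows the hangup page expiring MRHSession, F5_ST and others with an Expires date of 1970, and the following request to /vdesk/vpn/index.php3 carrying the literal value MRHSession=deleted. The script below parses a transcript in the shape of `openconnect -vvvv --dump-http-traffic` output, keeps an RFC 6265-style jar (an Expires in the past removes the cookie), and reports the redirect chain plus every cookie the client sent that the jar no longer held. The embedded transcript is constructed from the one in the post with session values shortened and the HTML body omitted; the parsing of the dump format is an assumption based on the lines visible above.

```python
"""Walk an OpenConnect --dump-http-traffic transcript of an F5 / BIG-IP APM
handshake: list the redirect chain, keep an RFC 6265-style cookie jar from the
server's Set-Cookie headers, and flag any cookie the client sent that the jar
had already expired. Added example for this thread, not OpenConnect code."""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed transcript modelled on the dump in the post (session values
# shortened, hangup.php3 body omitted).
SAMPLE = """\
> GET / HTTP/1.1
>
Got HTTP response: HTTP/1.0 302 Found
Location: /my.policy
Set-Cookie: LastMRH_Session=efd55fd2;path=/
Set-Cookie: MRHSession=aaaa;path=/
Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
> GET /my.policy HTTP/1.1
> Cookie: LastMRH_Session=efd55fd2; MRHSession=aaaa; MRHSHint=deleted
>
Got HTTP response: HTTP/1.0 302 Found
Set-Cookie: F5_ST=1z1z1z1665754014z-1;path=/
Location: /vdesk/hangup.php3
> GET /vdesk/hangup.php3 HTTP/1.1
> Cookie: LastMRH_Session=efd55fd2; MRHSession=aaaa; MRHSHint=deleted; F5_ST=1z1z1z1665754014z-1
>
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
Set-Cookie: F5_ST=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/
> GET /vdesk/vpn/index.php3?outform=xml&client_version=2.0 HTTP/1.1
> Cookie: LastMRH_Session=efd55fd2; MRHSession=deleted; MRHSHint=deleted
>
Got HTTP response: HTTP/1.0 302 Found
Location: /my.policy
"""

REQ_LINE = re.compile(r"^> (GET|POST) (\S+) HTTP/1\.[01]$")
RESP_LINE = re.compile(r"^Got HTTP response: HTTP/1\.[01] (\d{3})")


def parse_transcript(text):
    """Split the dump into exchanges: path requested, cookies the client
    sent, response status, Location and the raw Set-Cookie headers."""
    exchanges, cur = [], None
    for line in text.splitlines():
        req, resp = REQ_LINE.match(line), RESP_LINE.match(line)
        if req:
            cur = {"path": req.group(2), "sent": {}, "status": None,
                   "location": None, "set_cookie": []}
            exchanges.append(cur)
        elif cur is None:
            continue
        elif line.startswith("> Cookie: "):
            for pair in line[len("> Cookie: "):].split(";"):
                name, sep, value = pair.strip().partition("=")
                if sep:
                    cur["sent"][name] = value
        elif resp:
            cur["status"] = int(resp.group(1))
        elif line.startswith("Location: "):
            cur["location"] = line[len("Location: "):].strip()
        elif line.startswith("Set-Cookie: "):
            cur["set_cookie"].append(line[len("Set-Cookie: "):].strip())
    return exchanges


def apply_set_cookie(jar, header, now=None):
    """Store one Set-Cookie header in jar. Per RFC 6265 an Expires attribute
    in the past removes the cookie; BIG-IP clears MRHSession and friends with
    Expires=1970 and the placeholder value "deleted" on the hangup page."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "expires":
            expires = parsedate_to_datetime(val.strip())
            if expires.tzinfo is None:  # treat a bare date as UTC
                expires = expires.replace(tzinfo=timezone.utc)
    if expires is not None and expires <= now:
        jar.pop(name, None)
    else:
        jar[name] = value


def analyse(text, now=None):
    """Return the redirect chain, whether it reached /vdesk/hangup.php3, the
    cookies the client sent that the jar had dropped or never held (index,
    name, value), and the final jar contents."""
    now = now or datetime.now(timezone.utc)
    jar, chain, stale, hangup = {}, [], [], False
    for i, ex in enumerate(parse_transcript(text)):
        for name, value in ex["sent"].items():
            if jar.get(name) != value:
                stale.append((i, name, value))
        chain.append((ex["path"], ex["status"], ex["location"]))
        if ex["path"].split("?")[0] == "/vdesk/hangup.php3":
            hangup = True
        for header in ex["set_cookie"]:
            apply_set_cookie(jar, header, now)
    return {"chain": chain, "hangup": hangup, "stale": stale, "jar": jar}


if __name__ == "__main__":
    report = analyse(SAMPLE)
    for i, (path, status, loc) in enumerate(report["chain"]):
        print(f"{i}: {path} -> {status}" + (f" -> {loc}" if loc else ""))
    print("reached hangup page:", report["hangup"])
    for i, name, value in report["stale"]:
        print(f"request {i} sent {name}={value!r}; jar no longer held it")
```

Run it against a real dump by replacing SAMPLE with the saved output of the command in the post. The "stale" list is the part worth reading: a cookie that a conforming jar would have dropped but that the client still sends (here MRHSHint=deleted, then MRHSession=deleted after the hangup page) marks the point at which the client and the APM server disagree about session state.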