AnyConnect CSD debugging
Mah, Matthew Yew Mun
Matthew_Mah at hms.harvard.edu
Tue Jul 25 22:17:08 PDT 2023
Hello,
I am using OpenSUSE tumbleweed with openconnect 9.12-1.2 through the KDE network manager to connect to a Cisco AnyConnect VPN using two-factor authentication with Duo. This was working until the VPN server side recently changed to require running the CSD trojans, and I have been unsuccessful at reconfiguring the VPN client. As requested in the documentation, I am seeking help debugging this issue.
This is the message that I read as requiring the CSD trojan:
Error: Server asked us to run CSD hostscan.
You need to provide a suitable --csd-wrapper argument.
I tried to configure the network manager setting "Allow Cisco Secure Desktop trojan" and setting the csd-post.sh modified to include "set -x" on line 2 as the CSD wrapper.
I tried this both with and without the User Agent string "AnyConnect".
Below is the slightly anonymized contents of the debug log, with the csd-post.sh script.
Thanks for any help you can provide.
POST https://vpn.example.org/
Attempting to connect to server a.b.c.d:443
Connected to a.b.c.d:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 25 Jul 2023 22:36:23 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' https://api-1234.duosecurity.com/ 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Trying to run CSD Trojan script '/home/username/csd-post.sh'.
CSD script '/home/username/csd-post.sh' completed successfully.
GET https://vpn.example.org/+CSCOE+/sdesktop/wait.html
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 25 Jul 2023 22:36:24 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' https://api-1234.duosecurity.com/ 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.example.org/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 25 Jul 2023 22:36:26 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' https://api-1234.duosecurity.com/ 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.example.org/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.example.org
More information about the openconnect-devel
mailing list