ESP Connection Refused Question

Daniel Lenski dlenski at gmail.com
Tue Jul 30 15:34:31 PDT 2024


On Tue, Jul 30, 2024 at 11:47 AM Benjamin Cardon <bj.cardon at gmail.com> wrote:
>
> Hi, my company has a GlobalProtect VPN and I've been successfully
> using it using GPopen and openconnect for years.


What is GPopen?

> A few months ago, they changed something in our network or VPN that is causing the VPN to fail to connect via ESP when I'm in our office, though it works perfectly fine outside the office network. I have tried to figure out what exactly is preventing ESP from starting up and the only thing I can really see in the logs that is different between in the office versus out of the office is this log
>
> Jul 30 11:06:33 xps15 plasmashell[3116179]: 2024-07-30 11:06:33.467
> INFO  [3116179] [GPClient::onVPNLogAvailable at 518] ESP receive error:
> Connection refused
>
> My question is, what does this log line imply and where is the connection being refused from?

Find and provide additional context, and then we'll both have a better
idea of what's going on.

As Karl Pinc wrote, run the OpenConnect command-line client with `-vvv
--dump-http-traffic` and share the logs from that, particularly log
messages about ESP configuration.

> Is it just UDP packets to the gateway address? Prior to this, it does do a handshake using Okta to sign in which works just fine so it's transferring the ESP packets explicitly that seems to be the problem. To me, this suggests a network configuration/firewall issue but I need more info to tell our networking team what to investigate.

It is *likely* that some kind of middlebox is preventing UDP packets
from getting through in the non-working network environment, but there
are other possibilities as well.
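
Added example, not part of the original message and not OpenConnect's code: on Linux, a connected UDP socket reports "Connection refused" (ECONNREFUSED) when an ICMP port-unreachable error comes back for a datagram it sent, while a silently dropped datagram only times out. The sketch below reproduces both outcomes on loopback; the helper names and ports are constructed for illustration, and the thread does not establish that this is what happens on the poster's office network.

```python
import socket


def closed_udp_port(host="127.0.0.1"):
    """Bind to an ephemeral UDP port and release it, so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_udp(host, port, payload=b"\x00" * 16, timeout=1.0):
    """Send one datagram from a connected UDP socket and classify the outcome.

    "refused": an ICMP port-unreachable came back (ECONNREFUSED on recv/send)
    "reply":   the peer answered with data
    "silent":  nothing came back before the timeout (dropped or ignored)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors are reported to it
        try:
            s.send(payload)
            s.recv(2048)
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "silent"


def demo():
    """Return (result for a closed port, result for a listener that never replies)."""
    refused = probe_udp("127.0.0.1", closed_udp_port())
    # A bound socket that never answers stands in for a path that drops packets.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        silent = probe_udp("127.0.0.1", listener.getsockname()[1], timeout=0.5)
    return refused, silent


if __name__ == "__main__":
    print(demo())
```

A "refused" result means some device on the path actively answered with an ICMP error, which a packet capture filtered on ICMP can attribute to a source address; "silent" means the datagram was dropped or ignored without any reply.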


