ESP Connection Refused Question

Benjamin Cardon bj.cardon at gmail.com
Tue Jul 30 16:04:14 PDT 2024


Sorry Daniel for the lack of info. GPopen is just my fork of an old
version of GlobalProtect-openconnect before it became payware.

When I'm in the office again tomorrow I'll collect more info and scrub
it to share here.

Thanks!
Ben

On Tue, Jul 30, 2024 at 4:35 PM Daniel Lenski <dlenski at gmail.com> wrote:
>
> On Tue, Jul 30, 2024 at 11:47 AM Benjamin Cardon <bj.cardon at gmail.com> wrote:
> >
> > Hi, my company has a GlobalProtect VPN and I've been successfully
> > using it using GPopen and openconnect for years.
>
>
> What is GPopen?
>
> > A few months ago, they changed something in our network or VPN that is causing the VPN to fail to connect via ESP when I'm in our office, though it works perfectly fine outside the office network. I have tried to figure out what exactly is preventing ESP from starting up and the only thing I can really see in the logs that is different between in the office versus out of the office is this log
> >
> > Jul 30 11:06:33 xps15 plasmashell[3116179]: 2024-07-30 11:06:33.467
> > INFO  [3116179] [GPClient::onVPNLogAvailable at 518] ESP receive error:
> > Connection refused
> >
> > My question is, what does this log line imply and where is the connection being refused from?
>
> Find and provide additional context, and then we'll both have a better
> idea of what's going on.
>
> As Karl Pinc wrote, run the OpenConnect command-line client with `-vvv
> --dump-http-traffic` and share the logs from that, particularly log
> messages about ESP configuration.
>
> > Is it just UDP packets to the gateway address? Prior to this, it does do a handshake using Okta to sign in which works just fine so it's transferring the ESP packets explicitly that seems to be the problem. To me, this suggests a network configuration/firewall issue but I need more info to tell our networking team what to investigate.
>
> It is *likely* that some kind of middlebox is preventing UDP packets
> from getting through in the non-working network environment, but there
> are other possibilities as well.
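The quoted log line reports "Connection refused" on an ESP *receive*, which is UDP. On Linux, a connected UDP socket only ever gets ECONNREFUSED when an ICMP port-unreachable for that peer was delivered to it, which is a different symptom from a filter that silently drops the datagrams (a receive timeout). The following is an added example, not code from the thread or from OpenConnect, that shows both outcomes on loopback; the probe payload and the echo responder are constructed stand-ins, and the behaviour described assumes a Linux host.

```python
import socket
import threading

def free_udp_port() -> int:
    """Ask the kernel for an unused UDP port, then release it so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def probe_udp(host: str, port: int, timeout: float = 2.0) -> str:
    """Send one datagram over a *connected* UDP socket and classify the next receive.

    "refused": an ICMP port-unreachable came back; Linux surfaces it as ECONNREFUSED
    "timeout": nothing came back (dropped by a filter, or the peer stayed silent)
    "data":    a reply datagram arrived
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on a UDP socket makes the kernel report ICMP errors for this
        # peer on the socket itself; an unconnected socket would never see them.
        s.connect((host, port))
        s.send(b"probe")  # constructed probe payload
        try:
            s.recv(1500)
            return "data"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"

def start_echo_responder() -> tuple[int, threading.Thread]:
    """Constructed stand-in for a peer that does answer: echoes one datagram, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # bound before the thread starts, so no probe is lost
    port = srv.getsockname()[1]

    def serve() -> None:
        with srv:
            srv.settimeout(5.0)
            try:
                data, peer = srv.recvfrom(1500)
                srv.sendto(data, peer)
            except socket.timeout:
                pass

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t

if __name__ == "__main__":
    print("closed port     ->", probe_udp("127.0.0.1", free_udp_port()))
    port, _ = start_echo_responder()
    print("answering port  ->", probe_udp("127.0.0.1", port))
```

Run against the gateway's ESP port from inside and outside the office, a "refused" result means something on the path actively answered with ICMP unreachable, while "timeout" points at silent filtering; either way the `-vvv --dump-http-traffic` log asked for above is still what pins down the negotiated ESP parameters.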


