On Thu, Apr 17, 2014 at 6:46 PM, John Hendy <jw.hendy at gmail.com> wrote:
> $ sudo pacman -Q | grep curl
> curl 7.36.0-1
>
> I can't connect with that script -- my credentials get denied and
> there's a message to contact my company IT Help Desk. If I recall
> correctly, I used to get that message when trying with the anyconnect
> client if I hadn't started the /etc/rc.d/hostscan service.

Hmm, OK, I'm probably missing some data from the request.

>> Could you post the result from connecting with "openconnect -v" so we
>> can see if the gateway has DTLS disabled?
>
> Here's the verbose output using the csd-wrapper.sh I posted earlier:
> - http://pastebin.com/5ZcNpUuj

If DTLS is enabled on the gateway you should see some X-DTLS fields,
like this:

    Got CONNECT response: HTTP/1.1 200 OK
    X-CSTP-Version: 1
    X-CSTP-Address: 192.168.6.14
    X-CSTP-Netmask: 255.255.255.0
    X-CSTP-Address: 2001:db8::2
    X-CSTP-Netmask: 2001:db8::2/32
    X-CSTP-Lease-Duration: 1209600
    X-CSTP-Session-Timeout: none
    X-CSTP-Idle-Timeout: 36000
    X-CSTP-Disconnected-Timeout: 36000
    X-CSTP-Keep: true
    X-CSTP-Tunnel-All-DNS: false
    X-CSTP-Rekey-Time: 240
    X-CSTP-Rekey-Method: new-tunnel
    X-CSTP-DPD: 30
    X-CSTP-Keepalive: 20
    X-CSTP-MSIE-Proxy-Lockdown: true
    X-CSTP-Smartcard-Removal-Disconnect: true
    X-DTLS-Session-ID: 88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
    X-DTLS-Port: 443
    X-DTLS-Keepalive: 20
    X-DTLS-DPD: 30
    X-DTLS-Rekey-Time: 240
    X-CSTP-MTU: 1406
    X-DTLS-CipherSuite: AES128-SHA
    X-CSTP-Routing-Filtering-Ignore: false
    X-CSTP-Quarantine: false
    X-CSTP-Disable-Always-On-VPN: false
    X-CSTP-TCP-Keepalive: true
    X-CSTP-Post-Auth-XML: <elided>
    CSTP connected. DPD 30, Keepalive 20
    DTLS option X-DTLS-Session-ID : 88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
    DTLS option X-DTLS-Port : 443
    DTLS option X-DTLS-Keepalive : 20
    DTLS option X-DTLS-DPD : 30
    DTLS option X-DTLS-Rekey-Time : 240
    DTLS option X-DTLS-CipherSuite : AES128-SHA
    DTLS initialised. DPD 30, Keepalive 20
    Connected (script) as 192.168.6.14 + 2001:db8::2/32, using SSL
    No work to do; sleeping for 20000 ms...
    No work to do; sleeping for 20000 ms...
    Established DTLS connection (using OpenSSL). Ciphersuite AES128-SHA.

If you can get in touch with your ASA admin, they can re-enable DTLS
(i.e. disable no-tls mode) with these commands:

    config term
    webvpn
    enable outside

That is the first thing I would try if experiencing performance or
stability problems on a poor connection.
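
The check described in the message above, as an added example that is not part of the original mail or of openconnect: a small Python parser for saved "openconnect -v" output that reports whether the gateway sent X-DTLS fields and whether the DTLS connection was actually established. The helper name dtls_status and both sample logs are constructed for illustration.

```python
import re

# Constructed sample logs, modelled on the "openconnect -v" output quoted above.
SAMPLE_DTLS = """\
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-DPD: 30
X-DTLS-Session-ID: 00112233445566778899AABBCCDDEEFF
X-DTLS-Port: 443
X-DTLS-CipherSuite: AES128-SHA
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Port : 443
Established DTLS connection (using OpenSSL). Ciphersuite AES128-SHA.
"""
SAMPLE_TLS_ONLY = """\
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-DPD: 30
CSTP connected. DPD 30, Keepalive 20
"""

# Header lines from the CONNECT response; "DTLS option ..." echo lines do not match.
HEADER = re.compile(r"^(X-(?:CSTP|DTLS)-[A-Za-z0-9-]+)\s*:\s*(.*)$")

def dtls_status(log_text):
    """Hypothetical helper: summarise DTLS state from openconnect -v output."""
    headers, established = {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            # Keep the first value seen; X-CSTP-Address can repeat (IPv4 + IPv6).
            headers.setdefault(match.group(1), match.group(2).strip())
        elif line.startswith("Established DTLS connection"):
            established = True
    offered = any(name.startswith("X-DTLS-") for name in headers)
    if not offered:
        state = "not offered"        # no X-DTLS fields: gateway did not offer DTLS
    elif established:
        state = "established"
    else:
        state = "offered, not established"  # fields present, no DTLS handshake logged
    return {"state": state,
            "port": headers.get("X-DTLS-Port"),
            "ciphersuite": headers.get("X-DTLS-CipherSuite")}

if __name__ == "__main__":
    for name, log in (("dtls", SAMPLE_DTLS), ("tls-only", SAMPLE_TLS_ONLY)):
        print(name, dtls_status(log))
```

A result of "offered, not established" means the X-DTLS fields were present but the captured log contains no "Established DTLS connection" line, so the session was still running over the TLS (CSTP) channel at that point.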