On Thu, Apr 17, 2014 at 9:08 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Thu, Apr 17, 2014 at 6:46 PM, John Hendy <jw.hendy at gmail.com> wrote:
>> $ sudo pacman -Q | grep curl
>> curl 7.36.0-1
>>
>> I can't connect with that script -- my credentials get denied and
>> there's a message to contact my company IT Help Desk. If I recall
>> correctly, I used to get that message when trying with the anyconnect
>> client if I hadn't started the /etc/rc.d/hostscan service.
>
> Hmm, OK, I'm probably missing some data from the request.
>
>>> Could you post the result from connecting with "openconnect -v" so we
>>> can see if the gateway has DTLS disabled?
>>
>> Here's the verbose output using the csd-wrapper.sh I posted earlier:
>> - http://pastebin.com/5ZcNpUuj
>
> If DTLS is enabled on the gateway you should see some X-DTLS fields, like this:
>
> Got CONNECT response: HTTP/1.1 200 OK
> X-CSTP-Version: 1
> X-CSTP-Address: 192.168.6.14
> X-CSTP-Netmask: 255.255.255.0
> X-CSTP-Address: 2001:db8::2
> X-CSTP-Netmask: 2001:db8::2/32
> X-CSTP-Lease-Duration: 1209600
> X-CSTP-Session-Timeout: none
> X-CSTP-Idle-Timeout: 36000
> X-CSTP-Disconnected-Timeout: 36000
> X-CSTP-Keep: true
> X-CSTP-Tunnel-All-DNS: false
> X-CSTP-Rekey-Time: 240
> X-CSTP-Rekey-Method: new-tunnel
> X-CSTP-DPD: 30
> X-CSTP-Keepalive: 20
> X-CSTP-MSIE-Proxy-Lockdown: true
> X-CSTP-Smartcard-Removal-Disconnect: true
> X-DTLS-Session-ID:
> 88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
> X-DTLS-Port: 443
> X-DTLS-Keepalive: 20
> X-DTLS-DPD: 30
> X-DTLS-Rekey-Time: 240
> X-CSTP-MTU: 1406
> X-DTLS-CipherSuite: AES128-SHA
> X-CSTP-Routing-Filtering-Ignore: false
> X-CSTP-Quarantine: false
> X-CSTP-Disable-Always-On-VPN: false
> X-CSTP-TCP-Keepalive: true
> X-CSTP-Post-Auth-XML: <elided>
> CSTP connected. DPD 30, Keepalive 20
> DTLS option X-DTLS-Session-ID :
> 88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
> DTLS option X-DTLS-Port : 443
> DTLS option X-DTLS-Keepalive : 20
> DTLS option X-DTLS-DPD : 30
> DTLS option X-DTLS-Rekey-Time : 240
> DTLS option X-DTLS-CipherSuite : AES128-SHA
> DTLS initialised. DPD 30, Keepalive 20
> Connected (script) as 192.168.6.14 + 2001:db8::2/32, using SSL
> No work to do; sleeping for 20000 ms...
> No work to do; sleeping for 20000 ms...
> Established DTLS connection (using OpenSSL). Ciphersuite AES128-SHA.
>
>
> If you can get in touch with your ASA admin, they can re-enable DTLS
> (i.e. disable no-tls mode) with these commands:
>
> config term
> webvpn
> enable outside
>
> That is the first thing I would try if experiencing performance or
> stability problems on a poor connection.

Hmmm. I can try. This is an 80k employee, world wide company, and I've
experienced approximately no response for other requests... I'll start
with an IT contact I have to test the waters :) Thanks for the suggestion.

John
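As an added example (not part of this thread and not openconnect's own code), a small Python check that applies Kevin's test to an `openconnect -v` transcript: it reads the X-CSTP-/X-DTLS- headers of the CONNECT response and reports whether the gateway offered DTLS and whether the DTLS tunnel was actually established. Both transcripts are constructed samples modelled on the output quoted above.

```python
import re

# Constructed sample, modelled on the CONNECT response Kevin quoted above.
WITH_DTLS = """\
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: 192.168.6.14
X-DTLS-Session-ID: 88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
X-DTLS-Port: 443
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
CSTP connected. DPD 30, Keepalive 20
Established DTLS connection (using OpenSSL). Ciphersuite AES128-SHA.
"""
# Constructed sample of a gateway with DTLS turned off: no X-DTLS-* fields at all.
WITHOUT_DTLS = """\
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: 192.168.6.14
X-CSTP-MTU: 1406
CSTP connected. DPD 30, Keepalive 20
"""
HEADER_RE = re.compile(r"^(X-(?:CSTP|DTLS)-[\w-]+):\s*(.*)$")

def parse_connect_headers(transcript):
    """Collect X-CSTP-*/X-DTLS-* headers after 'Got CONNECT response'; stop at the
    first non-header line so the later 'DTLS option ...' echoes are not re-read."""
    headers, started = {}, False
    for line in transcript.splitlines():
        if not started:
            started = line.startswith("Got CONNECT response:")
            continue
        m = HEADER_RE.match(line)
        if not m:
            break
        headers[m.group(1)] = m.group(2).strip()
    return headers

def dtls_status(transcript):
    """Did the gateway offer DTLS, and did the UDP tunnel actually come up?"""
    h = parse_connect_headers(transcript)
    dtls = {k: v for k, v in h.items() if k.startswith("X-DTLS-")}
    return {
        "dtls_offered": bool(dtls),  # gateway advertised X-DTLS-* fields
        "dtls_port": int(dtls["X-DTLS-Port"]) if "X-DTLS-Port" in dtls else None,
        "ciphersuite": dtls.get("X-DTLS-CipherSuite"),
        "mtu": int(h["X-CSTP-MTU"]) if "X-CSTP-MTU" in h else None,
        # Offered is not working: only this log line proves the UDP path came up.
        "dtls_established": "Established DTLS connection" in transcript,
    }
```

If `dtls_offered` is False the fix is on the ASA side, as Kevin says; if it is True but `dtls_established` stays False, UDP to the DTLS port is being blocked somewhere on the path and the session is running over the TCP/TLS tunnel only.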