Hi,

I've been trying to use OpenConnect to connect to our Cisco VPN server for a couple of days and I'm having some trouble. I'm using my smartcard for authentication, and the VPN server requires me to perform a hostscan before letting me in. I'm trying this on RHEL7 with version:

    OpenConnect version v6.00
    Using GnuTLS. Features present: TPM, PKCS#11, RSA software token, HOTP software token, TOTP software token, DTLS (using OpenSSL)

I've been using this guide http://blog.yunak.eu/2013/07/19/openconnect/ to get the hostscan (CSD) parts to work; the wrapper script is copied from there. And this guide for the smartcard parts: http://www.gooze.eu/forums/support/howto-connect-to-cisco-anyconnect-vpn-using-openconnect-and-pki-token .

The command I'm running is this:

    sudo openconnect -c 'pkcs11:<PKCS11-PATH>' --csd-user=MYUSER -v --csd-wrapper=./script/ciscowrapper.sh https://vpn.smhi.se

This works: I get a prompt asking for my PIN code (for the smartcard) and then it asks which group I belong to. When I've entered that information I get connected. Then I disconnect and try again, and this time it does not work (exact same command).

The output is this, and it loops indefinitely:

    PIN required for Instant EID IP8 (identification)
    Enter PIN:
    Using client certificate 'MYUSER'
    Adding supporting CA 'MYCA'
    SSL negotiation with vpn.xyz.com
    Connected to HTTPS on vpn.xyz.com
    Got HTTP response: HTTP/1.1 200 OK
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: Keep-Alive
    Date: Tue, 04 Nov 2014 09:48:11 GMT
    X-Aggregate-Auth: 1
    HTTP body chunked (-2)
    XML POST enabled
    GET https://vpn.xyz.com/+CSCOE+/sdesktop/wait.html
    SSL negotiation with vpn.xyz.com
    Connected to HTTPS on vpn.xyz.com
    Got HTTP response: HTTP/1.1 200 OK
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: Close
    Date: Tue, 04 Nov 2014 09:48:12 GMT
    HTTP body chunked (-2)
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://vpn.xyz.com/+CSCOE+/sdesktop/wait.html
    SSL negotiation with vpn.xyz.com
    Connected to HTTPS on vpn.xyz.com
    Got HTTP response: HTTP/1.1 200 OK
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: Close
    Date: Tue, 04 Nov 2014 09:48:14 GMT
    HTTP body chunked (-2)
    Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
    GET https://vpn.smhi.se/+CSCOE+/sdesktop/wait.html
    SSL negotiation with vpn.xyz.com
    Connected to HTTPS on vpn.xyz.com
    Got HTTP response: HTTP/1.1 200 OK
    Content-Type: text/html; charset=iso-8859-1
    Transfer-Encoding: chunked
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: Close

This goes on forever until I press Ctrl+C, then it says:

    Socket connect cancelled
    Failed to reconnect to host vpn.smhi.se
    Failed to open HTTPS connection to vpn.smhi.se
    Failed to obtain WebVPN cookie

In the server logs it says "Certificate was succesfully validated" over and over, each time it loops through the parts above. Nothing more.

The interesting part is that if I wait for exactly 2 minutes and try again, it will work again like it did the first time. So this seems like a timeout of some sort. However, if I try the openconnect command with --no-xmlpost it works perfectly every time.

The problem is that in the next step I would like to use the OpenConnect NetworkManager plugin, and this does not seem to have support for the --no-xmlpost flag. Also, the manual (http://www.infradead.org/openconnect/manual.html) says to report if the --no-xmlpost flag is needed.

Can anyone give me any suggestions as to why this is not working as expected? Please let me know if I can provide any more information.

Best regards
Peter