I'm seeing a "Got inappropriate HTTP CONNECT response: HTTP/1.1 302 Found" message when using the --juniper option in 7.06. I *think* the Juniper version is Version: 8.0R8.1.

Output from my wrapper script looks like this:

WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
Authentication info:
host xxx.xxx.x.xx
fingerprint sha1:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cookie DSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; DSFirst=1439422295; DSLast=1439422295
OpenConnect version v7.06
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS
Attempting to connect to server xxx.xxx.x.xx:443
SSL negotiation with alias.example.com
No match for altname 'vpn.example.com'
No match for altname 'alias.example-europe.com'
Matched DNS altname 'alias.example.com'
Connected to HTTPS on alias.example.com
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: alias.example.com
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
> Cookie: webvpn=DSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; DSFirst=1439422295; DSLast=1439422295
> X-CSTP-Version: 1
> X-CSTP-Hostname: XXXXXXX
> X-CSTP-Accept-Encoding: lzs
> X-CSTP-MTU: 1406
> X-CSTP-Address-Type: IPv4
> X-DTLS-Master-Secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
> X-DTLS-Accept-Encoding: lzs
>
Got inappropriate HTTP CONNECT response: HTTP/1.1 302 Found
Creating SSL connection failed

Relevant wrapper script bits:

# Do pre-auth stuff to fetch cookie, etc.
eval `
    echo "$JNC_PASS" | openconnect "https://$JNC_HOST/$JNC_PATH" \
        --juniper \
        --disable-ipv6 \
        --quiet \
        --os="linux-64" \
        --useragent="$_ua_string" \
        --passwd-on-stdin \
        --authenticate \
        --cafile="./config/GlobalSignOrganizationValidationCA-SHA256-G2.ca" \
        --user="$JNC_USER"`;

cat <<EOF
Authentication info:
host $HOST
fingerprint $FINGERPRINT
cookie $COOKIE
EOF

# Now attempt the actual connection.
echo "$COOKIE" | sudo openconnect "$JNC_HOST" \
    --dump-http-traffic \
    --disable-ipv6 \
    --os="linux-64" \
    --useragent="$_ua_string" \
    --cookie-on-stdin \
    --cafile="./config/GlobalSignOrganizationValidationCA-SHA256-G2.ca" \
    --servercert="$FINGERPRINT" \
    --no-cert-check --background --pid-file=$VPN_PID_FILE \
    >> $VPN_LOG_FILE 2>&1;

I was able to finally convince the IT department to disable host checking for our particular LDAP group, so that's not in play here. Our LDAP group also uses a non-default URL path (it's url_31 for us). In the browser, I have confirmed that the host checker applet doesn't run. There is, however, an attempt in the browser to install some sort of Java-based application access tool, and I definitely have the DSID cookie at that point.

Looking at cstp.c:291 (HEAD), it seems like the host is trying to do another redirect (probably via JavaScript knowing Juniper) and OpenConnect isn't following it somehow.

I've tried every option and variant on args I can think of, but I'm kinda stuck at the moment. Any ideas?

(Thanks very much for all your hard work on OpenConnect btw...it really is a great piece of software.)
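
Added example, not part of the original post and not OpenConnect's own code: a small check to run over a --dump-http-traffic log like the one above. It reports whether the requests on the wire are the CSTP ones (the CONNECT /CSCOSSLC/tunnel line and X-CSTP-* headers shown in the log), so the protocol actually spoken can be compared with the options passed to each openconnect invocation, and it masks the session cookie and DTLS master secret before the log is shared. The function names and the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample log is constructed.

SAMPLE_LOG='Connected to HTTPS on alias.example.com
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: alias.example.com
> Cookie: webvpn=DSID=0123456789abcdef; DSFirst=1; DSLast=1
> X-CSTP-Version: 1
> X-DTLS-Master-Secret: AABBCCDD
Got inappropriate HTTP CONNECT response: HTTP/1.1 302 Found'

# Print "anyconnect" when the log contains the CSTP tunnel request or any
# X-CSTP-* request header, otherwise "unknown". $1 = log text.
wire_protocol() {
    if printf '%s\n' "$1" | grep -Eq '^> (CONNECT /CSCOSSLC/tunnel |X-CSTP-)'; then
        echo anyconnect
    else
        echo unknown
    fi
}

# Return 0 when a session that was meant to use --juniper shows CSTP requests.
juniper_mismatch() {
    [ "$(wire_protocol "$1")" = anyconnect ]
}

# Mask values that grant access to the session: the whole Cookie header and
# the DTLS master secret. Everything else is passed through unchanged.
redact_log() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^(> Cookie: ).*/\1[REDACTED]/' \
        -e 's/^(> X-DTLS-Master-Secret: ).*/\1[REDACTED]/'
}

if juniper_mismatch "$SAMPLE_LOG"; then
    echo "log shows CSTP requests: compare the protocol options of both openconnect invocations"
fi
redact_log "$SAMPLE_LOG"
```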