David Woodhouse <dwmw2 <at> infradead.org> writes:

> On Sun, 2015-12-20 at 04:25 +0000, Dan Lenski wrote:
> >
> > Does one of these indicate how long the cookie will remain valid? My guess:
> >
> > - CSTP-Session-Timeout indicates the time after which the session
> >   will end no matter what (3 days here)
> > - CSTP-Idle-Timeout indicates the time after which the session will
> >   end, with no traffic (30 minutes here)
> > - CSTP-Disconnected-Timeout indicates the time after which the cookie will
> >   become invalid, after disconnection (30 minutes here)
>
> Those seem about right.
>
> > However, my testing appears to show that the server starts to reject the
> > cookie (openconnect -C COOKIE) much sooner than any of these timeouts would
> > indicate, a few minutes.
>
> Note that the session will also be terminated immediately if the client
> signs off. If you terminate openconnect with SIGINT it'll close the
> session. If you terminate it with SIGHUP or SIGTERM, it won't. (See the
> man page).
>

Thanks, .

It appears that one of the VPNs I'm using does not want the cookie to be
reused across multiple sessions. When I connect like this, it works fine:

  $ echo -n password | openconnect gateway.com -u USER --passwd-on-stdin

I can even send SIGUSR2 and get OC to pause/reconnect:

  $ kill -USR2 $pid
  ...
  Caller paused the connection
  User requested reconnect
  Attempt new DTLS connection
  SSL negotiation with gateway.com
  Connected to HTTPS on gateway.com
  > CONNECT /CSCOSSLC/tunnel HTTP/1.1
  ...

However, if I use one process to get the webvpn cookie, and another process
to feed the cookie to the gateway, it is rejected, even if the cookie is
used IMMEDIATELY:

  $ echo -n password \
    | openconnect gateway.com -u USER --passwd-on-stdin --cookie-only \
    | openconnect gateway.com --cookie-on-stdin --dump-http-traffic

Is there some other piece of "state" which is preserved within each
openconnect process, which changes when I try to use the cookie from another
process?

Dan