Continuing the investigation from my previous thread, I managed to obtain a decent capture of the client log. Basically, the test flow: connect to ocserv, put my iPhone 6 to sleep, wake it from sleep after 3 minutes, and observe that the reconnect attempt failed.

My ocserv settings:

auth = "certificate"
cookie-timeout = 600
cisco-client-compat = true

AnyConnect general timeline:

[01-25-15 17:51:15:115] [VPN] <Information> - Connecting to [my-vpn-ip:port]
[01-25-15 17:51:15:874] [VPN] <Information> - Establishing VPN session
[01-25-15 17:51:17:946] [VPN] <Information> - Establishing VPN session
...
[01-25-15 17:51:19:687] [VPN] <Information> - Establishing VPN
[01-25-15 17:51:19:714] [VPN] <Information> - Connected to [my-vpn-ip:port]
[01-25-15 17:54:17:447] [VPN] <Information> - Reconnecting to [my-vpn-ip:port]
[01-25-15 17:54:17:454] [VPN] <Information> - Reconnecting to [my-vpn-ip:port]
[01-25-15 17:54:19:293] [VPN] <Information> - Disconnecting
[01-25-15 17:54:19:467] [VPN] <Error> - Secure gateway reject reconnect attempts, please re-authenticate with the server

AnyConnect debug log, on initial connection:

...
[01-25-15 17:51:15:860] AnyConnectAuthenticator: Function: connect File: /tmp/build/thehoff/DaVinci_MR120.418509679697/DaVinci_MR12/vpn/ApplePlugins/Api/ConnectIfc.cpp Line: 703 Auth Cookie acquired
[01-25-15 17:51:15:861] AnyConnectAuthenticator: Function: connect File: /tmp/build/thehoff/DaVinci_MR120.418509679697/DaVinci_MR12/vpn/ApplePlugins/Api/ConnectIfc.cpp Line: 711 Config Cookie acquired
...

AnyConnect debug log, during reconnect:

...
[01-25-15 17:54:18:042] AnyConnectDataAgent: A SSL connection has been established using cipher AES128-SHA
[01-25-15 17:54:18:043] AnyConnectDataAgent: Function: calculateTunnelMTU File: /tmp/build/thehoff/DaVinci_MR120.418509679697/DaVinci_MR12/vpn/ApplePlugins/Agent/CstpProtocol.cpp Line: 2551 The candidate MTU (4294967202) is the physical interface MTU.
[01-25-15 17:54:19:164] AnyConnectDataAgent: The HTTP response code from the secure gateway is 401, (null) HTTP/1.1 401 Unauthorized
...
[01-25-15 17:54:19:188] AnyConnectDataAgent: Termination reason code 28: HTTP response contained an HTTP error code.
...
[01-25-15 17:54:19:201] AnyConnectDataAgent: Reconnect reason code 6: Reconnecting due to the disruption of the VPN connection to the secure gateway. IGNORED: VPN is not yet connected or is terminating
...
[01-25-15 17:54:19:219] AnyConnectAuthenticator: Function: getStateMessage File: /tmp/build/thehoff/DaVinci_MR120.418509679697/DaVinci_MR12/vpn/ApplePlugins/Api/ClientIfcBase.cpp Line: 2194 Disconnect in progress.
[01-25-15 17:54:19:222] AnyConnectDataAgent: The Primary SSL connection to the secure gateway is being torn down.
...

TL;DR: So ocserv returns 401 when AnyConnect sends it the auth cookie? I think there is something wonky happening: even though I set the cookie to last for 10 minutes, and a certificate is not required on reconnect, ocserv still rejects the AnyConnect reconnect attempts.
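
Added example, not part of the original post: a small Python check that parses the AnyConnect timestamps shown above and reports how old the auth cookie was when the gateway answered 401, compared against cookie-timeout. It assumes the cookie lifetime is counted from the "Auth Cookie acquired" line (the most conservative reading); the function names are hypothetical and the sample lines are abridged from the log in the post.

```python
import re
from datetime import datetime

# Constructed sample: lines abridged from the AnyConnect log quoted in the post.
SAMPLE_LOG = """\
[01-25-15 17:51:15:860] AnyConnectAuthenticator: Function: connect ... Auth Cookie acquired
[01-25-15 17:51:19:714] [VPN] <Information> - Connected to [my-vpn-ip:port]
[01-25-15 17:54:17:447] [VPN] <Information> - Reconnecting to [my-vpn-ip:port]
[01-25-15 17:54:19:164] AnyConnectDataAgent: The HTTP response code from the secure gateway is 401, (null)
"""

# Timestamp layout in the log: [MM-DD-YY HH:MM:SS:mmm] followed by the message.
LINE_RE = re.compile(r"^\[(\d\d-\d\d-\d\d \d\d:\d\d:\d\d):(\d{3})\]\s+(.*)$")

def parse(log_text):
    """Yield (datetime, message) for each timestamped line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m-%d-%y %H:%M:%S")
            yield ts.replace(microsecond=int(m.group(2)) * 1000), m.group(3)

def cookie_rejections(log_text, cookie_timeout):
    """For every 401 from the gateway, report the cookie age in seconds
    (measured from the last 'Auth Cookie acquired' line, an assumption)
    and whether that age is still inside cookie_timeout."""
    acquired = None
    findings = []
    for ts, msg in parse(log_text):
        if "Auth Cookie acquired" in msg:
            acquired = ts
        elif "response code from the secure gateway is 401" in msg:
            # A 401 with no earlier cookie line cannot be judged: age stays None.
            age = (ts - acquired).total_seconds() if acquired else None
            findings.append({
                "rejected_at": ts,
                "cookie_age": age,
                "within_timeout": age is not None and age <= cookie_timeout,
            })
    return findings

if __name__ == "__main__":
    for f in cookie_rejections(SAMPLE_LOG, cookie_timeout=600):
        print(f"401 at {f['rejected_at']}: cookie age {f['cookie_age']}s, "
              f"within cookie-timeout: {f['within_timeout']}")
```

A 401 reported with `within_timeout` true means cookie age alone does not account for the rejection, so the server-side log for the same timestamp is the next thing to compare.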