ocserv[4688]: worker: [client-ip:port] TLS handshake completed
ocserv[4688]: worker: [client-ip:port] User-agent: 'Cisco AnyConnect VPN Agent for Apple iPhone 3.0'
ocserv[4688]: worker: [client-ip:port] sending message 'auth cookie request' to main
ocserv[4622]: main: [client-ip:port] main received message 'auth cookie request' of 80 bytes
ocserv[4622]: main: [client-ip:port] sending msg sm: session open to sec-mod
ocserv[4623]: sec-mod: received request from pid 4622 and uid 0
ocserv[4623]: sec-mod: cmd [size=24] sm: session open
ocserv[4623]: sec-mod: session open/close but with non-existing sid!
ocserv[4623]: sec-mod: error processing data for 'sm: session open' command (-1)
ocserv[4622]: common.c:385: recvmsg returned zero
ocserv[4622]: main: [client-ip:port] main-misc.c:226: error receiving auth reply message
ocserv[4622]: main: [client-ip:port] could not open session
ocserv[4622]: main: [client-ip:port] failed authentication attempt for user ''
ocserv[4622]: main: [client-ip:port] sending message 'auth cookie reply' to worker
ocserv[4688]: worker: [client-ip:port] received auth reply message (value: 3)
ocserv[4688]: worker: [client-ip:port] error receiving cookie authentication reply
ocserv[4688]: worker: [client-ip:port] failed cookie authentication attempt

Is the auth cookie somehow affected by my client certificate? If I uncomment cert-user-oid and cert-group-oid, then I couldn't log in to ocserv at all, even when my cn/ou match the local user/group.

On Sun, Jan 25, 2015 at 9:05 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Sun, 2015-01-25 at 20:50 +0800, David Frank wrote:
>> Continuing the investigation from my previous thread, I managed to obtain a
>> decent capture of the client log.
>>
>> Basically the test flow:
>>
>> connect to ocserv, put my iPhone 6 to sleep, wake it from sleep after
>> 3 minutes, and observe that the reconnect attempt failed.
>>
>> My ocserv settings:
>>
>> auth = "certificate"
>> cookie-timeout = 600
>> cisco-client-compat = true
>>
>> AnyConnect general timeline:
> [...]
>> TL;DR: So ocserv returns 401 when AnyConnect sends it the auth cookie? I
>> think there is something wonky happening; even though I set it to last
>> for 10 minutes, and it does not require a certificate on reconnect, ocserv
>> still rejects AnyConnect reconnect attempts.
>
> What do you see on the ocserv side? Do you see the reason for not
> accepting the cookie?
>
> regards,
> Nikos
>
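The log above interleaves three ocserv processes (worker, main, sec-mod) and the reason for the rejection is only visible once the lines are correlated: the worker forwards the cookie, main asks sec-mod to open the session, sec-mod answers that it has no session with that id, and the worker finally reports the failed cookie authentication. The following triage script is an added example (not ocserv's own code) that parses the lines quoted in the post, ties the sec-mod lines back to the client via the main pid they reference, and reports which stages of that chain occurred per client. The line layout it assumes (`ocserv[<pid>]: <role>: [<client>] <message>`, with the syslog timestamp and host already stripped) and the stage names are my own choices, not ocserv terminology.

```python
"""Triage ocserv auth-cookie failures from worker/main/sec-mod log lines.

Added example, not part of ocserv. It groups the log lines of one reconnect
attempt and reports at which stage the cookie authentication failed.
"""
import re

# Sample input: the log lines quoted in the post above (syslog prefix stripped).
SAMPLE_LOG = """\
ocserv[4688]: worker: [client-ip:port] TLS handshake completed
ocserv[4688]: worker: [client-ip:port] User-agent: 'Cisco AnyConnect VPN Agent for Apple iPhone 3.0'
ocserv[4688]: worker: [client-ip:port] sending message 'auth cookie request' to main
ocserv[4622]: main: [client-ip:port] main received message 'auth cookie request' of 80 bytes
ocserv[4622]: main: [client-ip:port] sending msg sm: session open to sec-mod
ocserv[4623]: sec-mod: received request from pid 4622 and uid 0
ocserv[4623]: sec-mod: cmd [size=24] sm: session open
ocserv[4623]: sec-mod: session open/close but with non-existing sid!
ocserv[4623]: sec-mod: error processing data for 'sm: session open' command (-1)
ocserv[4622]: common.c:385: recvmsg returned zero
ocserv[4622]: main: [client-ip:port] main-misc.c:226: error receiving auth reply message
ocserv[4622]: main: [client-ip:port] could not open session
ocserv[4622]: main: [client-ip:port] failed authentication attempt for user ''
ocserv[4622]: main: [client-ip:port] sending message 'auth cookie reply' to worker
ocserv[4688]: worker: [client-ip:port] received auth reply message (value: 3)
ocserv[4688]: worker: [client-ip:port] error receiving cookie authentication reply
ocserv[4688]: worker: [client-ip:port] failed cookie authentication attempt
"""

# Assumed line layout: 'ocserv[<pid>]: [<role>: ][[<client>] ]<message>'.
# Role and client tag are optional (e.g. 'common.c:385: recvmsg returned zero').
LINE_RE = re.compile(
    r"^ocserv\[(?P<pid>\d+)\]: "
    r"(?:(?P<role>worker|main|sec-mod): )?"
    r"(?:\[(?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)

# Stages of the failure chain visible in the post, in the order they occur.
# Stage names are this example's own labels, not ocserv's.
CHAIN = (
    ("worker", "sending message 'auth cookie request' to main", "cookie_sent"),
    ("sec-mod", "non-existing sid", "sid_unknown"),
    ("main", "could not open session", "session_refused"),
    ("worker", "failed cookie authentication attempt", "cookie_auth_failed"),
)


def parse_log(text):
    """Parse matching lines into dicts with pid/role/client/msg; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage_cookie_failures(events):
    """Return {client_tag: finding} for every client seen in worker/main lines.

    sec-mod lines carry no client tag, so they are attributed to the client of
    the main pid named in the preceding 'received request from pid N' line.
    """
    findings = {}
    pid_to_client = {}
    for ev in events:
        if ev["client"]:
            pid_to_client[ev["pid"]] = ev["client"]
            findings.setdefault(
                ev["client"], {"user_agent": None, "reply_code": None, "stages": []}
            )

    current_secmod_client = None
    for ev in events:
        role, msg, client = ev["role"], ev["msg"], ev["client"]
        if role == "sec-mod":
            m = re.search(r"received request from pid (\d+)", msg)
            if m:
                current_secmod_client = pid_to_client.get(m.group(1))
            client = current_secmod_client
        if client is None:
            continue
        finding = findings[client]
        if msg.startswith("User-agent:"):
            finding["user_agent"] = msg.split(":", 1)[1].strip().strip("'")
        m = re.search(r"received auth reply message \(value: (\d+)\)", msg)
        if m:
            finding["reply_code"] = int(m.group(1))
        for stage_role, marker, name in CHAIN:
            if role == stage_role and marker in msg and name not in finding["stages"]:
                finding["stages"].append(name)

    for finding in findings.values():
        finding["sid_unknown"] = "sid_unknown" in finding["stages"]
        finding["cookie_auth_failed"] = "cookie_auth_failed" in finding["stages"]
    return findings


if __name__ == "__main__":
    for client, finding in triage_cookie_failures(parse_log(SAMPLE_LOG)).items():
        print(client, "->", " > ".join(finding["stages"]))
        print("  user-agent:", finding["user_agent"], "| reply code:", finding["reply_code"])
```

Run against the quoted log, the report for `client-ip:port` lists all four stages, so the reconnect did not fail at the TLS or cookie-transport level but at the point where sec-mod was asked to open a session for a sid it does not hold; that is the "reason on the ocserv side" Nikos asked for. The same parser can be pointed at a larger journal export to check whether every failed reconnect shows the `sid_unknown` stage or whether some fail earlier.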