I'm on Gentoo with OpenConnect 7.08 and GnuTLS 3.5.13.
When I connect to my company's VPN, it prompts me to enter my username and
password as well as an access token, which I receive via SMS. After
connecting, I'm able to access internal resources, but only for a limited
time. Usually the connection drops after a random amount of time, but there's
nothing in the output from openconnect that indicates so. I'm just unable to
access the internal resources anymore, so I have to reconnect. Sending a
SIGUSR2 signal to the process doesn't fix the issue, either. I have to kill
the process and enter my credentials again, which uses up another access
token.
I've asked the infrastructure team for support on this issue, but they don't
support Linux systems or anything other than Cisco AnyConnect, which works
fine but only on Mac or Windows systems.
I've tried enabling verbose output but haven't noticed anything useful. I've
also tried using the "--force-dpd" option with values from 2-10 but the result
is the same.
Here's a sample of the output from openconnect:
POST https://vpn.mycompany.com/
Attempting to connect to server 111.222.333.444:443
Connected to 111.222.333.444:443
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 25 Jul 2017 18:20:15 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://vpn.mycompany.com/
Attempting to connect to server 111.222.333.444:443
Connected to 111.222.333.444:443
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 25 Jul 2017 18:20:15 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://vpn.mycompany.com/+webvpn+/index.html
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Username:Password:
Password:
POST https://vpn.mycompany.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:ABCDEFGHIJLKMNOPQRSTUVWXYZ1234567890&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Freconnect.xml&fh:ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.2.229.236
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 10.24.50.10
X-CSTP-DNS: 10.2.110.10
X-CSTP-NBNS: 10.1.110.10
X-CSTP-NBNS: 10.2.110.10
X-CSTP-Lease-Duration: 86400
X-CSTP-Session-Timeout: 86400
X-CSTP-Idle-Timeout: 7200
X-CSTP-Disconnected-Timeout: 7200
X-CSTP-Default-Domain: mycompany.ad
X-CSTP-Split-Include: 10.4.1.0/255.255.255.0
X-CSTP-Split-Include: 10.5.0.0/255.255.0.0
X-CSTP-Split-Include: 10.6.0.0/255.255.0.0
X-CSTP-Split-Include: 10.7.1.0/255.255.255.0
X-CSTP-Split-Include: ...
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: DES-CBC3-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1)
DTLS option X-DTLS-Session-ID : ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : DES-CBC3-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected as 10.2.229.236, using SSL
No work to do; sleeping for 1000 ms...
No work to do; sleeping for 1000 ms...
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(3DES-CBC)-(SHA1).
Initiating IPv4 MTU detection (min=703, max=1406)
Sending MTU DPD probe (1406 bytes, min=703, max=1406)
Received MTU DPD probe (1407 bytes of 1406)
No change in MTU after detection (was 1406)
No work to do; sleeping for 1000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
Received DTLS packet 0x00 of 124 bytes
Send CSTP Keepalive
Send CSTP DPD
Got CSTP DPD response
Send DTLS Keepalive
Send DTLS DPD
Got DTLS DPD response
...
Send BYE packet: Aborted by caller
User canceled (SIGINT); exiting;
Lines 111-119 are repeated (in various order) until I kill the program because
I lost connectivity.
