OpenConnect VPN connection always fails after a few hours of successful usage

On Thu, Aug 23, 2018 at 8:15 AM <scrap at mailbox.org> wrote:
>
> Hello together,
>
> a few months ago I was asking for help on how to set up a
> OpenConnect-based VPN-connection with Cisco Secure Desktop in Connman.
>
> Thanks to your great advice a friend made it work yesterday! Hereby the
> VPN connection is working perfectly, but just for a few hours.
>
> --------------------------------------------------------------------------
>
> Unfortunately we still have this small error what will be easy for you
> guys to solve. The VPN connection is seriously working perfect in the
> beginning, but always a few hours later this error in /var/log/syslog
> occurs when trying to reconnect:
>
> "openconnect[1810]: Server certificate verify failed: signer not found"

I don't think this is the real, significant error message here. You
should include more of the surrounding log messages from OpenConnect.

> Hereby all approaches to reconnect the VPN fail. After creating a new
> cookie by...
>
> $ sudo openconnect --csd-wrapper=/home/user/.cisco/csd-wrapper.sh
> --authenticate --user <username> <hostname>
>
> ... and pasting this new cookie into /var/lib/connman-vpn/vpnname.config
> (overwriting the old one) the connection will work perfect for the next
> few hours until it fails again.

> Do you have any ideas about why this cookie has to be renewed every few
> hours? Is there any option on how to avoid this behavior?

Is your server limiting the cookie lifetime to a few hours? If so,
there's nothing the client can do about it.

If you run `openconnect -vvvv --dump`, you'll see that Cisco servers
spit out a few headers like this upon initial connection:

X-CSTP-Lease-Duration: 864000
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 3600
X-CSTP-Disconnected-Timeout: 3600

I don't understand the exact definitions of these, but they basically
mean that:
- if my session is idle for 1 hour (3600s), it gets disconnected.
- If I remain disconnected for 1 hour (3600s), then my authorization
cookie becomes invalid
- No matter what, the authorization cookie/session expires after 10
hours (864000s)

Dan
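
Added example, not part of the original message: a small Python parser that pulls the X-CSTP timer headers out of saved `openconnect -vvvv --dump` output and renders each value in readable units, so they can be compared against the time at which reconnects start failing. The sample log is constructed from the header values quoted above; the `< ` line prefix, the MTU line and all function names are assumptions.

```python
import re

# Timer headers: any X-CSTP-* header whose name ends in Timeout or Duration.
# search() tolerates whatever prefix the log puts in front of the header.
TIMER_RE = re.compile(r"(X-CSTP-[A-Za-z-]*(?:Timeout|Duration)):\s*(\S+)")

# Constructed sample: header values as quoted in the message above; the "< "
# prefix and the MTU line are assumptions added to show filtering.
SAMPLE_LOG = """\
< X-CSTP-Lease-Duration: 864000
< X-CSTP-Session-Timeout: none
< X-CSTP-Idle-Timeout: 3600
< X-CSTP-Disconnected-Timeout: 3600
< X-CSTP-MTU: 1406
"""

def parse_cstp_timers(log_text):
    """Map each timer header to seconds (int), or None if sent as 'none'."""
    timers = {}
    for line in log_text.splitlines():
        match = TIMER_RE.search(line)
        if not match:
            continue
        name, raw = match.groups()
        if raw.lower() == "none":
            timers[name] = None
        elif raw.isdigit():
            timers[name] = int(raw)
    return timers

def human(seconds):
    """Render seconds as e.g. '1h' or '10d'; None stays 'none'."""
    if seconds is None:
        return "none"
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{unit}")
    return " ".join(parts) or "0s"

def shortest_timer(timers):
    """Return (header, seconds) for the smallest numeric timer, or None."""
    finite = [(k, v) for k, v in timers.items() if v is not None]
    return min(finite, key=lambda kv: kv[1]) if finite else None

if __name__ == "__main__":
    for header, value in parse_cstp_timers(SAMPLE_LOG).items():
        print(f"{header:30} {human(value)}")
```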