Hello Dan,

thank you very much for your reply! Hereby you receive a "clean and fresh" syslog (uncut) for better detection of the mentioned errors. Furthermore you get the data from the server:

X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800

I am wondering about the fact that NetworkManager does not cause any problems when reconnecting the VPN. This only seems to appear when using Connman?

Would there be an option to run a small cron job script to renew the cookie every few hours automatically? I guess no, because when running the OpenConnect command (to recreate the cookie) you have to enter your password and several other user prompts?

Do you need more logfiles to assess the current problem situation?

I am happy to hear from you! Thanks a lot for your help!

With best regards
David

On 08/23/2018 07:57 PM, Daniel Lenski wrote:
> On Thu, Aug 23, 2018 at 8:15 AM <scrap at mailbox.org> wrote:
>> Hello together,
>>
>> a few months ago I was asking for help on how to set up an
>> OpenConnect-based VPN connection with Cisco Secure Desktop in Connman.
>>
>> Thanks to your great advice a friend made it work yesterday! Hereby the
>> VPN connection is working perfectly, but just for a few hours.
>>
>> --------------------------------------------------------------------------
>>
>> Unfortunately we still have this small error that will be easy for you
>> guys to solve. The VPN connection is seriously working perfectly in the
>> beginning, but always a few hours later this error in /var/log/syslog
>> occurs when trying to reconnect:
>>
>> "openconnect[1810]: Server certificate verify failed: signer not found"
> I don't think this is the real, significant error message here. You
> should include more of the surrounding log messages from OpenConnect.
>
>> Hereby all approaches to reconnect the VPN fail. After creating a new
>> cookie by...
>>
>> $ sudo openconnect --csd-wrapper=/home/user/.cisco/csd-wrapper.sh
>> --authenticate --user <username> <hostname>
>>
>> ... and pasting this new cookie into /var/lib/connman-vpn/vpnname.config
>> (overwriting the old one) the connection will work perfectly for the next
>> few hours until it fails again.
>> Do you have any ideas about why this cookie has to be renewed every few
>> hours? Is there any option on how to avoid this behavior?
> Is your server limiting the cookie lifetime to a few hours? If so,
> there's nothing the client can do about it.
>
> If you run `openconnect -vvvv --dump`, you'll see that Cisco servers
> spit out a few headers like this upon initial connection:
>
> X-CSTP-Lease-Duration: 864000
> X-CSTP-Session-Timeout: none
> X-CSTP-Idle-Timeout: 3600
> X-CSTP-Disconnected-Timeout: 3600
>
> I don't understand the exact definitions of these, but they basically
> mean that?
> - if my session is idle for 1 hour (3600s), it gets disconnected.
> - If I remain disconnected for 1 hour (3600s), then my authorization
> cookie becomes invalid
> - No matter what, the authorization cookie/session expires after 10
> hours (864000s)
>
> Dan
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Syslog.md
Type: text/markdown
Size: 3103 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20180824/a7649c3b/attachment.md>
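
An added example, not part of either message and not OpenConnect code: a small Python parser for the `X-CSTP-*` timeout headers discussed in this thread, run over the values David reports for his server. The function names are hypothetical, and treating the shortest finite limit as the reconnect window is an assumption that follows Dan's reading of the headers, which he notes is not an exact definition.

```python
import re
from datetime import timedelta

# Constructed sample: the header values David reports for his server, in the
# "X-CSTP-Name: value" form Dan quotes from `openconnect -vvvv --dump`.
SAMPLE_DUMP = """\
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
"""

HEADER_RE = re.compile(
    r"X-CSTP-(Lease-Duration|Session-Timeout|Idle-Timeout|Disconnected-Timeout)"
    r":\s*(\S+)")


def parse_cstp_timeouts(text):
    """Return {header suffix: timedelta, or None when the server sends 'none'}."""
    out = {}
    for name, value in HEADER_RE.findall(text):
        if value.lower() == "none":
            out[name] = None
        elif value.isdigit():
            out[name] = timedelta(seconds=int(value))
        else:
            raise ValueError(f"unexpected value for X-CSTP-{name}: {value!r}")
    return out


def reconnect_window(timeouts):
    """Shortest finite limit (assumption, per Dan's reading): a cookie is not
    expected to survive a disconnection longer than this."""
    keys = ("Disconnected-Timeout", "Lease-Duration", "Session-Timeout")
    finite = [timeouts[k] for k in keys if timeouts.get(k) is not None]
    return min(finite) if finite else None


if __name__ == "__main__":
    parsed = parse_cstp_timeouts(SAMPLE_DUMP)
    for name, value in parsed.items():
        print(f"X-CSTP-{name}: {value if value is not None else 'no limit'}")
    print("reconnect must happen within:", reconnect_window(parsed))
```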