OpenConnect VPN connection always fails after a few hours of successful usage

> Aug 24 00:14:51 <hostname> openconnect[4476]: Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized

Here's the "real" error, which shows that, yes indeed, the cookie
being used to reconnect is no longer authorized.

> X-CSTP-Lease-Duration: 1209600
> X-CSTP-Session-Timeout: none
> X-CSTP-Idle-Timeout: 1800
> X-CSTP-Disconnected-Timeout: 1800

Are you actually *using* the VPN continuously, and it just cuts off
suddenly with no warning? Or is it going idle, and then you notice
that it's disconnected when you go and try to use it again later?

If it's going idle, then there's not much you can do to keep it alive
other than send real traffic to it. Some VPNs will stay alive if you
just ping a server occasionally (e.g. `ping -i 300 [VPN host]`),
others seem to detect and ignore this kind of repetitive traffic.

> I am wondering about the fact that NetworkManager does not cause any
> problems when reconnecting the VPN. This only seems to appear when using
> Connman?

What do you mean by this? NetworkManager can reconnect *using the same
cookie* after a period where Connman cannot?

Dan

On Thu, Aug 23, 2018 at 4:10 PM,  <scrap at mailbox.org> wrote:
> Hello Dan,
>
> thank you very much for your reply!
>
> Hereby you receive a "clean and fresh" syslog (uncut) for better
> detection of the mentioned errors. Furthermore you get the data from the
> server:
>
> X-CSTP-Lease-Duration: 1209600
> X-CSTP-Session-Timeout: none
> X-CSTP-Idle-Timeout: 1800
> X-CSTP-Disconnected-Timeout: 1800
>
> I am wondering about the fact that NetworkManager does not cause any
> problems when reconnecting the VPN. This only seems to appear when using
> Connman?
>
> Would there be an option to run a small cron job script to renew the
> cookie every few hours automatically? I guess no, because when running the
> OpenConnect command (to recreate the cookie) you have to enter your
> password and several other user prompts?
>
> Do you need more logfiles to assess the current problem situation?
>
> I am happy to hear from you!
>
> Thanks a lot for your help!
>
> With best regards
> David
>
>
>
> On 08/23/2018 07:57 PM, Daniel Lenski wrote:
>> On Thu, Aug 23, 2018 at 8:15 AM <scrap at mailbox.org> wrote:
>>> Hello together,
>>>
>>> a few months ago I was asking for help on how to set up an
>>> OpenConnect-based VPN connection with Cisco Secure Desktop in Connman.
>>>
>>> Thanks to your great advice a friend made it work yesterday! Hereby the
>>> VPN connection is working perfectly, but just for a few hours.
>>>
>>> --------------------------------------------------------------------------
>>>
>>> Unfortunately we still have this small error which will be easy for you
>>> guys to solve. The VPN connection is seriously working perfectly in the
>>> beginning, but always a few hours later this error in /var/log/syslog
>>> occurs when trying to reconnect:
>>>
>>> "openconnect[1810]: Server certificate verify failed: signer not found"
>> I don't think this is the real, significant error message here. You
>> should include more of the surrounding log messages from OpenConnect.
>>
>>> Hereby all approaches to reconnect the VPN fail. After creating a new
>>> cookie by...
>>>
>>> $ sudo openconnect --csd-wrapper=/home/user/.cisco/csd-wrapper.sh
>>> --authenticate --user <username> <hostname>
>>>
>>> ... and pasting this new cookie into /var/lib/connman-vpn/vpnname.config
>>> (overwriting the old one) the connection will work perfectly for the next
>>> few hours until it fails again.
>>> Do you have any ideas about why this cookie has to be renewed every few
>>> hours? Is there any option on how to avoid this behavior?
>> Is your server limiting the cookie lifetime to a few hours? If so,
>> there's nothing the client can do about it.
>>
>> If you run `openconnect -vvvv --dump`, you'll see that Cisco servers
>> spit out a few headers like this upon initial connection:
>>
>> X-CSTP-Lease-Duration: 864000
>> X-CSTP-Session-Timeout: none
>> X-CSTP-Idle-Timeout: 3600
>> X-CSTP-Disconnected-Timeout: 3600
>>
>> I don't understand the exact definitions of these, but they basically
>> mean that:
>> - if my session is idle for 1 hour (3600s), it gets disconnected.
>> - If I remain disconnected for 1 hour (3600s), then my authorization
>> cookie becomes invalid
>> - No matter what, the authorization cookie/session expires after 10
>> hours (864000s)
>>
>> Dan
>>
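As an added illustration (not part of this thread, of Connman, or of OpenConnect itself): a small Python script that parses the X-CSTP-* headers quoted above, predicts from Dan's reading of them whether a saved cookie will still be accepted on reconnect, and picks the 401 line out of a syslog excerpt as the decisive error. The header semantics are an assumption taken from the thread, not from vendor documentation, and the sample headers and log lines are constructed from the values quoted here.

```python
import re

# Constructed sample: the X-CSTP header block a Cisco server returns on connect
# (seen with `openconnect -vvvv --dump`), using the values quoted in this thread.
SAMPLE_HEADERS = """\
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
"""

# Constructed syslog excerpt modelled on the lines quoted in the thread.
SAMPLE_SYSLOG = [
    "Aug 24 00:14:50 host openconnect[4476]: Server certificate verify failed: signer not found",
    "Aug 24 00:14:51 host openconnect[4476]: Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized",
]

HEADER_RE = re.compile(r"^X-CSTP-([A-Za-z-]+):\s*(\S+)\s*$", re.M)

def parse_cstp(text):
    """Map X-CSTP-* header names to seconds (None where the value is 'none')."""
    return {name: (None if value.lower() == "none" else int(value))
            for name, value in HEADER_RE.findall(text)}

def cookie_reusable(hdrs, since_auth, quiet_for):
    """Predict whether a saved cookie can still reconnect; returns (ok, reason).
    since_auth: seconds since `openconnect --authenticate` issued the cookie.
    quiet_for:  seconds since the last real traffic crossed the tunnel.
    Semantics follow Dan's reading in the thread (an assumption, not vendor docs):
    idle for Idle-Timeout -> tunnel dropped; dropped for Disconnected-Timeout
    -> cookie invalid; Lease-Duration caps the cookie's life regardless."""
    lease = hdrs.get("Lease-Duration")
    if lease is not None and since_auth >= lease:
        return False, f"lease ({lease}s) exhausted: must re-authenticate"
    idle, disc = hdrs.get("Idle-Timeout"), hdrs.get("Disconnected-Timeout")
    if idle is not None and disc is not None and quiet_for >= idle + disc:
        return False, f"silent {quiet_for}s >= {idle}+{disc}s: server will 401 this cookie"
    if idle is not None and quiet_for >= idle:
        return True, f"tunnel dropped after {idle}s idle, cookie still valid: reconnect now"
    return True, "tunnel up and cookie valid"

def real_error(lines):
    """Return the diagnosis for an openconnect syslog excerpt, or None. A 401 on
    the HTTP CONNECT means the server rejected the cookie, whatever was logged
    before it (the 'signer not found' line is not the decisive error)."""
    for line in lines:
        if "HTTP CONNECT response" in line and " 401 " in line:
            return "cookie rejected (401): re-authenticate and replace the saved cookie"
    return None
```

Under these assumed semantics, the values in this thread mean one hour of silence (1800 s idle plus 1800 s disconnected) is enough for the next reconnect to get a 401, so a keepalive sent more often than the idle timeout, like the `ping -i 300` suggested above, is what keeps the cookie usable.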