On Fri, Aug 31, 2018 at 6:05 AM, Christopher Mattern <syscjm at gwu.edu> wrote:
> I ran a session with --dump-http-traffic. Here are the lines of output
> with CSTP:
>>
>> X-CSTP-Version: 1
>> X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
>> X-CSTP-Address: 128.164.108.32
>> X-CSTP-Netmask: 255.255.255.192
>> X-CSTP-Hostname: ASAFB1.gwu.edu
>> X-CSTP-DNS: 128.164.141.231
>> X-CSTP-DNS: 161.253.152.241
>> X-CSTP-Lease-Duration: 43200
>> X-CSTP-Session-Timeout: 43200
>> X-CSTP-Idle-Timeout: 3600
>> X-CSTP-Disconnected-Timeout: 3600
>> X-CSTP-Default-Domain: ead.gwu.edu
>> X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
>> X-CSTP-Keep: true
>> X-CSTP-Tunnel-All-DNS: false
>> X-CSTP-DPD: 30
>> X-CSTP-Keepalive: 20
>> X-CSTP-MSIE-Proxy: none
>> X-CSTP-MSIE-Proxy-Lockdown: true
>> X-CSTP-Smartcard-Removal-Disconnect: true
>> X-CSTP-MTU: 1406
>> X-CSTP-Routing-Filtering-Ignore: false
>> X-CSTP-Quarantine: false
>> X-CSTP-Disable-Always-On-VPN: false
>> X-CSTP-Client-Bypass-Protocol: false
>> X-CSTP-TCP-Keepalive: true
>> X-CSTP-Post-Auth-XML: <elided>
>> CSTP connected. DPD 30, Keepalive 20
>> CSTP Ciphersuite: (TLS1.0)-(DHE-RSA-1024)-(AES-128-CBC)-(SHA1)
>> Send CSTP DPD
>

This line is surprising. It is a very strange split-exclude routing
instruction, probably due to a misconfiguration of the Cisco ASA:

>> X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255

Because of that unexpected line, the vpnc-script will end up running a
syntactically invalid routing command at
http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script#l322

Try running with:

    openconnect --script "unset CISCO_SPLIT_EXC; /usr/share/vpnc-scripts/vpnc-script"

> Thanks for your help. Sorry I forgot to put what Ubuntu release; it's
> 18.04.1 LTS.
>
> A run with sh -x on the vpnc-script shows it seems to be hanging when it
> tries to run "/sbin/resolvconf -a tun0".

That's odd, and seems related to
https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1752411

If the script still hangs, just open another terminal window and try
`ping 128.164.141.231` (one of the DNS servers behind your VPN). Does
that work?

-Dan
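
An added example, not part of the message above and not code from openconnect or vpnc-script: a small shell check that reads --dump-http-traffic output and classifies each X-CSTP-Split-Exclude value, so an entry like the one discussed above stands out before the routing script runs. The function names, the "suspect" rule (a non-default route on 0.0.0.0) and the second and third sample values are assumptions made for this illustration.

```shell
# mask_to_len MASK: print the prefix length of a dotted netmask; fail if the
# mask is malformed or its one-bits are not contiguous.
mask_to_len() {
    len=0; partial=0
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0) bits=0 ;; *) return 1 ;;
        esac
        # After the first octet that is not 255, only 0 octets may follow.
        if [ "$partial" -eq 1 ] && [ "$bits" -ne 0 ]; then return 1; fi
        [ "$bits" -eq 8 ] || partial=1
        len=$((len + bits))
    done
    echo "$len"
}

# classify_split_exclude ADDR/MASK: print "ok ADDR/LEN", "invalid-mask" or
# "suspect" (a non-default route on 0.0.0.0, as in the log quoted above).
classify_split_exclude() {
    case $1 in */*) ;; *) echo "invalid-mask"; return 0 ;; esac
    addr=${1%%/*}; mask=${1#*/}
    if ! plen=$(mask_to_len "$mask"); then echo "invalid-mask"; return 0; fi
    [ "$addr" = "0.0.0.0" ] && [ "$plen" -gt 0 ] && { echo "suspect"; return 0; }
    echo "ok $addr/$plen"
}

# scan_cstp_log: read openconnect output on stdin, report each split-exclude.
scan_cstp_log() {
    tr -d '\r' | while IFS= read -r line; do
        case $line in
            *"X-CSTP-Split-Exclude: "*)
                val=${line##*X-CSTP-Split-Exclude: }
                echo "$val -> $(classify_split_exclude "$val")" ;;
        esac
    done
}

# Constructed sample: first value is from the log above, the others are made up.
sample_log() {
    printf '%s\n' 'X-CSTP-MTU: 1406' \
        'X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255' \
        'X-CSTP-Split-Exclude: 192.0.2.0/255.255.255.0' \
        'X-CSTP-Split-Exclude: 198.51.100.0/255.0.255.0'
}
sample_log | scan_cstp_log
```

Against a real session, pipe the saved openconnect output into scan_cstp_log instead of sample_log.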