Problems with client in Ubuntu Linux.

On 08/31/2018 01:35 PM, Daniel Lenski wrote:
> On Fri, Aug 31, 2018 at 6:05 AM, Christopher Mattern <syscjm at gwu.edu> wrote:
>> I ran a session with --dump-http-traffic.  Here are the lines of output
>> with CSTP:
>>>
>>> X-CSTP-Version: 1
>>> X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
>>> X-CSTP-Address: 128.164.108.32
>>> X-CSTP-Netmask: 255.255.255.192
>>> X-CSTP-Hostname: ASAFB1.gwu.edu
>>> X-CSTP-DNS: 128.164.141.231
>>> X-CSTP-DNS: 161.253.152.241
>>> X-CSTP-Lease-Duration: 43200
>>> X-CSTP-Session-Timeout: 43200
>>> X-CSTP-Idle-Timeout: 3600
>>> X-CSTP-Disconnected-Timeout: 3600
>>> X-CSTP-Default-Domain: ead.gwu.edu
>>> X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
>>> X-CSTP-Keep: true
>>> X-CSTP-Tunnel-All-DNS: false
>>> X-CSTP-DPD: 30
>>> X-CSTP-Keepalive: 20
>>> X-CSTP-MSIE-Proxy: none
>>> X-CSTP-MSIE-Proxy-Lockdown: true
>>> X-CSTP-Smartcard-Removal-Disconnect: true
>>> X-CSTP-MTU: 1406
>>> X-CSTP-Routing-Filtering-Ignore: false
>>> X-CSTP-Quarantine: false
>>> X-CSTP-Disable-Always-On-VPN: false
>>> X-CSTP-Client-Bypass-Protocol: false
>>> X-CSTP-TCP-Keepalive: true
>>> X-CSTP-Post-Auth-XML: <elided>
>>> CSTP connected. DPD 30, Keepalive 20
>>> CSTP Ciphersuite: (TLS1.0)-(DHE-RSA-1024)-(AES-128-CBC)-(SHA1)
>>> Send CSTP DPD
>>
> 
> This line is surprising. It is a very strange split-exclude routing
> instruction, probably due to a misconfiguration of the Cisco ASA:
> 
>>> X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
> 
> Because of that unexpected line, the vpnc-script will end up running a
> syntactically invalid routing command at
> http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script#l322
> 
> Try running with:
> 
>       openconnect --script "unset CISCO_SPLIT_EXC;
> /usr/share/vpnc-scripts/vpnc-script"

Alas, that didn't help.

> 
>> Thanks for your help.  Sorry I forgot to put what Ubuntu release; it's
>> 18.04.1 LTS.
>>
>> A run with sh -x on the vpnc-script shows it seems to be hanging when it
>> tries to run "/sbin/resolvconf -a tun0".
> 
> That's odd, and seems related to
> https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1752411
> 
> If the script still hangs, just open another terminal window and try
> `ping 128.164.141.231` (one of the DNS servers behind your VPN). Does
> that work?

Nope.

> syscjm at ibis:~$ ping 128.164.141.231
> PING 128.164.141.231 (128.164.141.231) 56(84) bytes of data.
> ^C
> --- 128.164.141.231 ping statistics ---
> 24 packets transmitted, 0 received, 100% packet loss, time 23393ms
> 
> syscjm at ibis:~$ 

Also, while openconnect is attempting to run, a new entry gets
added to my route table:

> syscjm at ibis:~$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         0.0.0.0         0.0.0.0         U     0      0        0 tun0
> ^C
> syscjm at ibis:~$

and then the route command hangs.

It'll finish running if I kill the openconnect, though:

> syscjm at ibis:~$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         0.0.0.0         0.0.0.0         U     0      0        0 tun0
> default         161.253.143.254 0.0.0.0         UG    100    0        0 eth0
> default         161.253.143.254 0.0.0.0         UG    100    0        0 eth0
> 128.164.108.0   0.0.0.0         255.255.255.192 U     0      0        0 tun0
> gwvpnadmin.info 161.253.143.254 255.255.255.255 UGH   0      0        0 eth0
> 161.253.143.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0
> link-local      0.0.0.0         255.255.0.0     U     1000   0        0 eth0
> 172.16.136.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
> 192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
> syscjm at ibis:~$ 


Running route after the openconnect is killed looks like this:

> syscjm at ibis:~$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         _gateway        0.0.0.0         UG    100    0        0 eth0
> default         _gateway        0.0.0.0         UG    100    0        0 eth0
> 161.253.143.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0
> link-local      0.0.0.0         255.255.0.0     U     1000   0        0 eth0
> 172.16.136.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
> 192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
> syscjm at ibis:~$

Also, other clients are using this VPN server without problems.  It just
seems to be openconnect that's failing.

-- 
Christopher Mattern
Unix Engineer, George Washington University
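An added example, not code from this thread or from the vpnc-scripts project, showing the check a script could make on the X-CSTP-Split-Exclude entries before they become route commands. openconnect hands these entries to vpnc-script as CISCO_SPLIT_EXC_<n>_ADDR / _MASK environment variables (counted by CISCO_SPLIT_EXC, which is why the suggested workaround unsets it); the functions here instead read the dumped header lines directly so they can run offline. The function names, the "ip route add ... via ... dev ..." output form, the diagnostics, and the second exclude entry 192.0.2.0/255.255.255.0 are all constructed for the demo; the first exclude line and the 161.253.143.254 gateway are taken from the output above.

```shell
#!/bin/sh
# Added example (not vpnc-script's own code): validate ASA split-exclude
# entries before turning them into route commands.  The real route logic
# lives in vpnc-script and reads the CISCO_SPLIT_EXC_<n>_ADDR/_MASK
# variables openconnect exports; this version parses dumped headers.

# mask_to_prefix DOTTED_NETMASK
# Prints the prefix length (0-32) of a contiguous netmask; returns 1 for
# anything that is not four octets 0-255 or has a hole in the mask.
mask_to_prefix() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    _n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    _p=0
    while [ "$_p" -lt 32 ] && [ $(( (_n >> (31 - _p)) & 1 )) -eq 1 ]; do
        _p=$((_p + 1))
    done
    # the bits after the leading run of ones must all be zero
    [ $(( _n & ((1 << (32 - _p)) - 1) )) -eq 0 ] || return 1
    echo "$_p"
}

# split_exclude_routes LOCAL_GATEWAY LOCAL_DEV
# Reads dumped CSTP headers on stdin and prints one "ip route add" line per
# usable X-CSTP-Split-Exclude entry (excluded networks stay on the local
# gateway, not the tunnel).  Entries that cannot form a valid route are
# reported on stderr and dropped instead of being handed to ip(8).
split_exclude_routes() {
    _gw=$1; _dev=$2
    while IFS= read -r _line; do
        _line=${_line%"$(printf '\r')"}   # tolerate CRLF from the HTTP dump
        case $_line in
            "X-CSTP-Split-Exclude: "*) _val=${_line#X-CSTP-Split-Exclude: } ;;
            *) continue ;;
        esac
        case $_val in
            */*) ;;
            *) echo "skip: no netmask in '$_val'" >&2; continue ;;
        esac
        _addr=${_val%/*}; _mask=${_val#*/}
        if ! _plen=$(mask_to_prefix "$_mask"); then
            echo "skip: bad netmask in '$_val'" >&2; continue
        fi
        if [ "$_addr" = "0.0.0.0" ] && [ "$_plen" -eq 32 ]; then
            # the ASA line from the thread: a /32 host route to 0.0.0.0,
            # which cannot be turned into a sensible routing command
            echo "skip: host route to 0.0.0.0 is meaningless: '$_val'" >&2
            continue
        fi
        echo "ip route add $_addr/$_plen via $_gw dev $_dev"
    done
}

# Constructed sample input: the exclude line from the thread plus one
# well-formed entry (192.0.2.0/24 is made up for the demo); the gateway is
# the eth0 gateway shown in the route table above.
printf '%s\n' \
    'X-CSTP-Address: 128.164.108.32' \
    'X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255' \
    'X-CSTP-Split-Exclude: 192.0.2.0/255.255.255.0' \
    'X-CSTP-MTU: 1406' \
| split_exclude_routes 161.253.143.254 eth0
```

Run it as "sh example.sh": the 0.0.0.0/255.255.255.255 entry is reported on stderr and dropped, and only the well-formed exclude produces a route line. Dropping the bad entry is the scripted equivalent of the "unset CISCO_SPLIT_EXC" workaround, except that it keeps any excludes the ASA sends that are actually valid.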