On 08/31/2018 01:35 PM, Daniel Lenski wrote:
> On Fri, Aug 31, 2018 at 6:05 AM, Christopher Mattern <syscjm at gwu.edu> wrote:
>> I ran a session with --dump-http-traffic. Here are the lines of output
>> with CSTP:
>>>
>>> X-CSTP-Version: 1
>>> X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
>>> X-CSTP-Address: 128.164.108.32
>>> X-CSTP-Netmask: 255.255.255.192
>>> X-CSTP-Hostname: ASAFB1.gwu.edu
>>> X-CSTP-DNS: 128.164.141.231
>>> X-CSTP-DNS: 161.253.152.241
>>> X-CSTP-Lease-Duration: 43200
>>> X-CSTP-Session-Timeout: 43200
>>> X-CSTP-Idle-Timeout: 3600
>>> X-CSTP-Disconnected-Timeout: 3600
>>> X-CSTP-Default-Domain: ead.gwu.edu
>>> X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
>>> X-CSTP-Keep: true
>>> X-CSTP-Tunnel-All-DNS: false
>>> X-CSTP-DPD: 30
>>> X-CSTP-Keepalive: 20
>>> X-CSTP-MSIE-Proxy: none
>>> X-CSTP-MSIE-Proxy-Lockdown: true
>>> X-CSTP-Smartcard-Removal-Disconnect: true
>>> X-CSTP-MTU: 1406
>>> X-CSTP-Routing-Filtering-Ignore: false
>>> X-CSTP-Quarantine: false
>>> X-CSTP-Disable-Always-On-VPN: false
>>> X-CSTP-Client-Bypass-Protocol: false
>>> X-CSTP-TCP-Keepalive: true
>>> X-CSTP-Post-Auth-XML: <elided>
>>> CSTP connected. DPD 30, Keepalive 20
>>> CSTP Ciphersuite: (TLS1.0)-(DHE-RSA-1024)-(AES-128-CBC)-(SHA1)
>>> Send CSTP DPD
>>
>
> This line is surprising. It is a very strange split-exclude routing
> instruction, probably due to a misconfiguration of the Cisco ASA:
>
>>> X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
>
> Because of that unexpected line, the vpnc-script will end up running a
> syntactically invalid routing command at
> http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob/HEAD:/vpnc-script#l322
>
> Try running with:
>
> openconnect --script "unset CISCO_SPLIT_EXC;
> /usr/share/vpnc-scripts/vpnc-script"

Alas, that didn't help.

>
>> Thanks for your help. Sorry I forgot to put what Ubuntu release; it's
>> 18.04.1 LTS.
>>
>> A run with sh -x on the vpnc-script shows it seems to be hanging when it
>> tries to run "/sbin/resolvconf -a tun0".
>
> That's odd, and seems related to
> https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1752411
>
> If the script still hangs, just open another terminal window and try
> `ping 128.164.141.231` (one of the DNS servers behind your VPN). Does
> that work?

Nope.

> syscjm at ibis:~$ ping 128.164.141.231
> PING 128.164.141.231 (128.164.141.231) 56(84) bytes of data.
> ^C
> --- 128.164.141.231 ping statistics ---
> 24 packets transmitted, 0 received, 100% packet loss, time 23393ms
>
> syscjm at ibis:~$

Also, while the openconnect is attempting to run, a new entry gets added to my route table:

> syscjm at ibis:~$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         0.0.0.0         0.0.0.0         U     0      0        0 tun0
> ^C
> syscjm at ibis:~$

and then the route command hangs. It'll finish running if I kill the openconnect, though:

> syscjm at ibis:~$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         0.0.0.0         0.0.0.0         U     0      0        0 tun0
> default         161.253.143.254 0.0.0.0         UG    100    0        0 eth0
> default         161.253.143.254 0.0.0.0         UG    100    0        0 eth0
> 128.164.108.0   0.0.0.0         255.255.255.192 U     0      0        0 tun0
> gwvpnadmin.info 161.253.143.254 255.255.255.255 UGH   0      0        0 eth0
> 161.253.143.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0
> link-local      0.0.0.0         255.255.0.0     U     1000   0        0 eth0
> 172.16.136.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
> 192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
> syscjm at ibis:~$

Running route after the openconnect is killed looks like this:

> syscjm at ibis:~$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         _gateway        0.0.0.0         UG    100    0        0 eth0
> default         _gateway        0.0.0.0         UG    100    0        0 eth0
> 161.253.143.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0
> link-local      0.0.0.0         255.255.0.0     U     1000   0        0 eth0
> 172.16.136.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
> 192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
> syscjm at ibis:~$

Also, other clients are using this VPN server without problems. It just seems to be openconnect that's failing.

-- 
Christopher Mattern
Unix Engineer, George Washington University
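A defensive check for the split-route headers discussed in the thread, added here as an example; it is not code from the thread, from openconnect or from vpnc-scripts. It parses the X-CSTP-* response headers, converts each Split-Include/Exclude netmask to a prefix length, and classifies entries that would produce an unusable route before anything is handed to a routing command. The sample header block is constructed for the example: it reuses the `0.0.0.0/255.255.255.255` line quoted above and adds made-up lines to exercise the other checks. The rule that marks a /32 route to 0.0.0.0 as suspicious is the example's own heuristic, derived from Daniel's diagnosis, not a documented CSTP rule.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Split-Exclude line quoted in the thread, plus a few
# lines made up here to exercise the other checks (not from the original log).
SAMPLE_HEADERS = """\
X-CSTP-Version: 1
X-CSTP-Address: 128.164.108.32
X-CSTP-Netmask: 255.255.255.192
X-CSTP-DNS: 128.164.141.231
X-CSTP-DNS: 161.253.152.241
X-CSTP-Split-Exclude: 0.0.0.0/255.255.255.255
X-CSTP-Split-Include: 10.20.0.0/255.255.0.0
X-CSTP-Split-Exclude: 192.168.1.5/255.255.255.0
X-CSTP-Split-Exclude: 10.0.0.0/255.0.255.0
X-CSTP-Split-Exclude: 172.16.0.0
X-CSTP-MTU: 1406
"""

SPLIT_HEADERS = ("X-CSTP-Split-Include", "X-CSTP-Split-Exclude")


def parse_cstp_headers(text: str) -> Dict[str, List[str]]:
    """Header name -> list of values; repeated headers (DNS, Split-*) keep their order."""
    headers: Dict[str, List[str]] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # skip blank lines and anything that is not a header
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers


def netmask_to_prefixlen(mask: str) -> Optional[int]:
    """Dotted netmask -> prefix length, or None if it is not a contiguous mask."""
    try:
        mask_int = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return None
    ones = bin(mask_int).count("1")
    # A real netmask is `ones` one-bits followed only by zero-bits; this also
    # rejects hostmasks such as 0.0.0.255, which ipaddress would accept.
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    return ones if mask_int == contiguous else None


def check_split_route(entry: str) -> Tuple[str, str]:
    """Classify one Split-Include/Exclude value as ok, suspicious or bad.

    Returns (status, detail). The 0.0.0.0/32 rule is this example's heuristic
    for the thread's observation: a host route to the unspecified address is
    not a usable exclusion and points at a gateway misconfiguration.
    """
    network, sep, mask = entry.partition("/")
    if not sep:
        return ("bad", "missing netmask")
    prefixlen = netmask_to_prefixlen(mask)
    if prefixlen is None:
        return ("bad", f"non-contiguous netmask {mask}")
    try:
        addr = ipaddress.IPv4Address(network)
    except ipaddress.AddressValueError:
        return ("bad", f"invalid network address {network}")
    net = ipaddress.IPv4Network((network, prefixlen), strict=False)
    if addr != net.network_address:
        return ("bad", f"{network} has host bits set for /{prefixlen}")
    if net.network_address == ipaddress.IPv4Address("0.0.0.0") and prefixlen == 32:
        return ("suspicious", "host route to 0.0.0.0; probably a gateway misconfiguration")
    return ("ok", str(net))


def audit_split_routes(text: str) -> List[Tuple[str, str, str, str]]:
    """Run check_split_route over every Split-Include/Exclude header value."""
    headers = parse_cstp_headers(text)
    results: List[Tuple[str, str, str, str]] = []
    for name in SPLIT_HEADERS:
        for value in headers.get(name, []):
            status, detail = check_split_route(value)
            results.append((name, value, status, detail))
    return results


if __name__ == "__main__":
    for name, value, status, detail in audit_split_routes(SAMPLE_HEADERS):
        print(f"{status:10s} {name}: {value}  ({detail})")
```

Run against the sample, the include route comes back `ok` as `10.20.0.0/16`, the line from the thread comes back `suspicious`, and the three constructed malformed lines come back `bad` with the reason. A script that consumes CISCO_SPLIT_EXC the way vpnc-script does could apply the same check and skip or log an entry instead of passing it to the routing command.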