Pretty sure I see the problem...

On Sun, Jun 3, 2018 at 1:30 PM, Stephen Davies <sdavies at sdc.com.au> wrote:
> Here is the debug output:
> [root@se5 ~]# openconnect -vvvv --config=/etc/openconnect.conf --useragent="Cisco AnyConnect VPN Agent for Windows 4.2.01035" remotehost
> POST https://remotehost/vendor

The "/vendor" value here must be the *same value* as the placeholder
you called 'ggggg' in the config file.

> Attempting to connect to server 1.2.3.4:443
> SSL negotiation with remotehost
> Connected to HTTPS on remotehost
> Got HTTP response: HTTP/1.1 404 Not Found
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Close
> Date: Sun, 03 Jun 2018 10:22:24 GMT
> X-Frame-Options: SAMEORIGIN
> HTTP body http 1.0 (-1)
> SSL socket closed uncleanly
> Unexpected 404 result from server
> GET https://remotehost/vendor
> Attempting to connect to server 1.2.3.4:443
> SSL negotiation with remotehost
> Connected to HTTPS on remotehost
> Got HTTP response: HTTP/1.0 302 Temporary moved
> Set-Cookie: tg=string; path=/; secure
> Content-Length: 0
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Close
> Date: Sun, 03 Jun 2018 10:22:24 GMT
> X-Frame-Options: SAMEORIGIN
> Location: /+webvpn+/index.html
> HTTP body length: (0)
> GET https://remotehost/+webvpn+/index.html
> SSL negotiation with remotehost
> Connected to HTTPS on remotehost
> Got HTTP response: HTTP/1.1 301 Moved Permanently
> X-Transcend-Version: 1
> Location: https://remotehost/+CSCOU+/anyconnect_unsupported_version.html
> Content-Type: text/html
> Content-Length: 0
> HTTP body length: (0)
> GET https://remotehost/+CSCOU+/anyconnect_unsupported_version.html
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/xml
> Transfer-Encoding: chunked
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Sun, 03 Jun 2018 10:22:24 GMT
> X-Frame-Options: SAMEORIGIN
> HTTP body chunked (-2)
> Please upgrade your AnyConnect Client
> Failed to obtain WebVPN cookie
>
> Here is the config file:
>
> [root@se5 ~]# cat /etc/openconnect.conf
> usergroup=gggg
> user=xxxx
> interface=tun0

You are using the "usergroup" setting. Remove it.

Usergroup doesn't do what you expect: it changes the URL that the
client submits a POST to... which leads to a 404 error... which leads
to the client retrying with GET... which is effectively the behavior
of very old clients... which leads to a redirect to a page for old
clients.

I think that probably you used to have an old Cisco server which
actually used the URL-as-usergroup mechanism, and it got replaced with
a newer one.

Assuming it works without --usergroup, and you get a prompt asking you
which realm/group to join... the option that you want to use to set
this automatically is --authgroup, NOT --usergroup.

    GROUP: [Employees|Contractors|Pandas|Leprechauns]: Leprechauns
    Please enter your username and password.
    Username: johnsmith
    Password: ********

    => openconnect --authgroup=Leprechauns --user=johnsmith

If I'm right about this... the manual for the --usergroup option
should be clarified to tell people that they probably want the
--authgroup option. :-D

Dan
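
Added example (not part of the original message and not openconnect's own code): a shell check that looks for the failure chain described in the reply above, a POST to the usergroup path answered with 404 followed by the redirect to the unsupported-version page. The hostname vpn.example.test, the group value "vendor", the sample files and the function names are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: spot the "usergroup sent as URL path" failure in openconnect -v output.

# diagnose_usergroup LOG CONF -> returns 0 and prints advice if the signature is present.
diagnose_usergroup() {
    log=$1; conf=$2
    # Config files use the long option names without the leading "--".
    group=$(sed -n 's/^[[:space:]]*usergroup[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$group" ]; then
        echo "no usergroup in $conf; this failure mode does not apply"
        return 1
    fi
    # Signature: POST to .../<usergroup> answered 404, then the GET fallback
    # ends at the anyconnect_unsupported_version page.
    if awk -v g="/$group" '
        $1 == "POST" && substr($2, length($2) - length(g) + 1) == g { post = 1; next }
        post && /^Got HTTP response:/ { if ($5 == "404") got404 = 1; post = 0; next }
        got404 && /anyconnect_unsupported_version/ { hit = 1 }
        END { exit (hit ? 0 : 1) }' "$log"
    then
        echo "usergroup=$group was sent as URL path /$group and the server answered 404"
        echo "fix: drop usergroup; pass the name from the GROUP: prompt as authgroup"
        return 0
    fi
    echo "usergroup=$group is set, but the log does not show the 404 fallback chain"
    return 1
}

# Constructed sample data (hostname and group value are placeholders).
write_samples() {
    dir=$1
    printf 'usergroup=vendor\nuser=xxxx\ninterface=tun0\n' > "$dir/bad.conf"
    printf 'authgroup=Leprechauns\nuser=johnsmith\n' > "$dir/good.conf"
    cat > "$dir/session.log" <<'EOF'
POST https://vpn.example.test/vendor
Got HTTP response: HTTP/1.1 404 Not Found
Unexpected 404 result from server
GET https://vpn.example.test/vendor
Got HTTP response: HTTP/1.0 302 Temporary moved
Location: /+webvpn+/index.html
GET https://vpn.example.test/+CSCOU+/anyconnect_unsupported_version.html
Failed to obtain WebVPN cookie
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"
diagnose_usergroup "$tmp/session.log" "$tmp/bad.conf"
```

To use it on a real session, save the output of openconnect -v to a file and pass that file together with the config file path.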