On 04/06/18 15:44, Daniel Lenski wrote:
> On Mon, Jun 4, 2018 at 3:17 AM, Stephen Davies <sdavies at sdc.com.au> wrote:
>> Sorry, still no joy.
>>
>> The actual value in the config file was vendor.
> Just to be 100% certain here.
> You *did* try running openconnect without `--userconfig=version`, right?
> What was the result?
>
>> Here is the AnyConnect client XML file they provide for windows users with
>> just the host names changed. Is there anything in here that I should be
>> using?
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/
>> AnyConnectProfile.xsd">
>> <ClientInitialization>
>> <UseStartBeforeLogon
>> UserControllable="true">true</UseStartBeforeLogon>
>> <AutomaticCertSelection
>> UserControllable="false">true</AutomaticCertSelection>
>> <ShowPreConnectMessage>false</ShowPreConnectMessage>
>> <CertificateStore>All</CertificateStore>
>> <CertificateStoreOverride>false</CertificateStoreOverride>
>> <ProxySettings>Native</ProxySettings>
>> <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
>> <AuthenticationTimeout>12</AuthenticationTimeout>
>> <AutoConnectOnStart
>> UserControllable="true">false</AutoConnectOnStart>
>> <MinimizeOnConnect
>> UserControllable="false">true</MinimizeOnConnect>
>> <LocalLanAccess
>> UserControllable="false">false</LocalLanAccess>
>> <ClearSmartcardPin
>> UserControllable="false">true</ClearSmartcardPin>
>> <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
>> <AutoReconnect UserControllable="false">true
>> <AutoReconnectBehavior
>> UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
>> </AutoReconnect>
>> <AutoUpdate UserControllable="false">true</AutoUpdate>
>> <RSASecurIDIntegration
>> UserControllable="false">Automatic</RSASecurIDIntegration>
>> <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
>> <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
>> <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
>> <PPPExclusion UserControllable="false">Automatic
>> <PPPExclusionServerIP
>> UserControllable="false"></PPPExclusionServerIP>
>> </PPPExclusion>
>> <EnableScripting
>> UserControllable="false">false</EnableScripting>
>> <EnableAutomaticServerSelection
>> UserControllable="false">false
>> <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
>> <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
>> </EnableAutomaticServerSelection>
>> <RetainVpnOnLogoff>false
>> </RetainVpnOnLogoff>
>> </ClientInitialization>
>> <ServerList>
>> <HostEntry>
>> <HostName>Vendor VPN</HostName>
>> <HostAddress>remotehost</HostAddress>
>> <UserGroup>vendor</UserGroup>
>> <BackupServerList>
>> <HostAddress>backuphost</HostAddress>
>> </BackupServerList>
>> </HostEntry>
>> </ServerList>
>> </AnyConnectProfile>
>>
> I remain convinced that there's something wrong with the
> `--usergroup=vendor` setting here. From your original log, a POST to
> https://remotehost/vendor leads to a 404 error, and a GET leads to a
> redirect for old clients which don't support POST. This should not
> happen.
>
> POST https://remotehost/vendor
> Attempting to connect to server 1.2.3.4:443
> SSL negotiation with remotehost
> Connected to HTTPS on remotehost
> Got HTTP response: HTTP/1.1 404 Not Found [<- !!!!!]
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Close
> Date: Sun, 03 Jun 2018 10:22:24 GMT
> X-Frame-Options: SAMEORIGIN
> HTTP body http 1.0 (-1)
> SSL socket closed uncleanly
> Unexpected 404 result from server
> GET https://remotehost/vendor
> Attempting to connect to server 1.2.3.4:443
> SSL negotiation with remotehost
> Connected to HTTPS on remotehost
> Got HTTP response: HTTP/1.0 302 Temporary moved
> Set-Cookie: tg=string; path=/; secure
>
> -Dan

After deleting the usergroup entry from the config file, I get pretty
much the same result (with or without the useragent bit):

[root at se5 ~]# openconnect --config=/etc/openconnect.conf remotehost
POST https://remotehost/
Attempting to connect to server 1.2.3.4:443
SSL negotiation with remotehost
Connected to HTTPS on remotehost
Got HTTP response: HTTP/1.1 404 Not Found
Unexpected 404 result from server
GET https://remotehost/
Attempting to connect to server 1.2.3.4:443
SSL negotiation with remotehost
Connected to HTTPS on remotehost
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://remotehost/+webvpn+/index.html
SSL negotiation with remotehost
Connected to HTTPS on ultimovpn.abc.net.au
Got HTTP response: HTTP/1.1 301 Moved Permanently
GET https://remotehost/+CSCOU+/anyconnect_unsupported_version.html
Please upgrade your AnyConnect Client
Failed to obtain WebVPN cookie

As illustrated by the old log that I sent earlier, the usergroup=vendor
used to work.

Cheers,
Stephen