help with upgraded Cisco AnyConnect VPN

Hi,

I've been using OC successfully for months to connect to my organization's VPN.
However, they recently upgraded to a newer appliance (both Cisco AnyConnect) and
I'm having difficulty getting OC to work on the new one. I'm hoping someone may
be able to help me figure this out.

I'm running on a fully up-to-date Manjaro system and connecting with a PIV card
(there has been no other change except the VPN itself since this was last
working). (Please LMK if any other details are helpful.)

The new VPN requires CSD (the old one did not). I've tried two different
third-party 'wrapper' implementations with partial success on one and (I think)
full success on the other.

The first one attempts an "honest" CSD by downloading the trojan and running it.
The wrapper seems to work but the 'cscan' program fails with the error
"drbg_instantiate failed" on stdout. It also logs an error: "Opswat returned
error: -23 ... Failed to create OPSWAT plugin, error 1". I wasn't able to find
any help with this error so I tried a different wrapper.

The second wrapper implements a "phony" hostscan response. This seems to work.
I get the following response (as per curl, after POSTing the phony response):

<?xml version="1.0" encoding="ISO-8859-1"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>

I assume that means CSD verification was successful. (Please tell me if it is
not.)

However, after this I still ultimately get a "Failed to obtain WebVPN cookie"
error. I do not see anything in the output suggesting an error that I can try
to run down; hence, this inquiry. The (sanitized) OC output that follows the
CSD verification is pasted below. I'm happy to post the entire OC output log if
this is useful.

I would greatly appreciate any help with this. I guess I'm mostly hoping that
someone familiar with the response formats can glean something from mine that
might lead to a solution. (Unfortunately, my organization is not very helpful;
although they don't block Linux clients they also won't help with them, so I'm
on my own with this and my access is now completely cut off.)

Thanks!

~ray

-------------------------------------------------------------------
GET https://$HOSTDOMAIN/+CSCOE+/sdesktop/wait.html
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
 > GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
 > Host: $HOSTDOMAIN
 > User-Agent: Open AnyConnect VPN Agent v7.08
 > Cookie: sdesktop=7BB2F2B628647A515AED4378
 > Accept: */*
 > Accept-Encoding: identity
 > X-Transcend-Version: 1
 > X-Aggregate-Auth: 1
 > X-AnyConnect-Platform: linux-64
 > X-Support-HTTP-Auth: true
 >
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 03 Oct 2018 19:53:26 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
Location: /
Set-Cookie: sdesktop=7BB2F2B628647A515AED4378; path=/; secure
HTTP body chunked (-2)
< <html>x</html>
POST https://$HOSTDOMAIN/piv
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
 > POST /piv HTTP/1.1
 > Host: $HOSTDOMAIN
 > User-Agent: Open AnyConnect VPN Agent v7.08
 > Cookie: sdesktop=7BB2F2B628647A515AED4378
 > Accept: */*
 > Accept-Encoding: identity
 > X-Transcend-Version: 1
 > X-Aggregate-Auth: 1
 > X-AnyConnect-Platform: linux-64
 > X-Support-HTTP-Auth: true
 > X-Pad: 00000000000000000000000000000000000000000
 > Content-Type: application/x-www-form-urlencoded
 > Content-Length: 215
 >
 > <?xml version="1.0" encoding="UTF-8"?>
 > <config-auth client="vpn" type="init"><version \
who="vpn">v7.08</version><device-id>linux-64</device-id> \
<group-access>https://$HOSTDOMAIN/piv</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 03 Oct 2018 19:53:28 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>PIV</tunnel-group>
< <config-hash>1530112511655</config-hash>
< </opaque>
< <auth id="main">
< <authentication-complete></authentication-complete>
< </auth>
< <host-scan>
< <host-scan-ticket>0C04BFF94F81F6C079004043</host-scan-ticket>
< <host-scan-token>2EF981F2731310FD606A9954</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
Failed to obtain WebVPN cookie
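As an added example (not part of the post or of OpenConnect), the two XML replies quoted above can be parsed to show what the client is left with: the aggregate-auth reply carries `authentication-complete` but no `session-token`, while still carrying a `host-scan` block. That a completed auth needs a `session-token` before the client can set a WebVPN cookie is an assumption about the client's expectations, not something the post states.

```python
"""Diagnose the AnyConnect aggregate-auth exchange quoted in the post.
Added example, not from the post or OpenConnect. XML copied from the post;
the session-token rule in diagnose() is an assumption about the client."""
import xml.etree.ElementTree as ET

# Reply to the hostscan POST, as reported by curl in the post.
HOSTSCAN_REPLY = ('<?xml version="1.0" encoding="ISO-8859-1"?>'
                  '<hostscan><status>TOKEN_SUCCESS</status></hostscan>')

# Aggregate-auth reply that preceded "Failed to obtain WebVPN cookie".
CONFIG_AUTH_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg"><tunnel-group>PIV</tunnel-group>
<config-hash>1530112511655</config-hash></opaque>
<auth id="main"><authentication-complete></authentication-complete></auth>
<host-scan><host-scan-ticket>0C04BFF94F81F6C079004043</host-scan-ticket>
<host-scan-token>2EF981F2731310FD606A9954</host-scan-token>
<host-scan-base-uri>/CACHE</host-scan-base-uri>
<host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
</host-scan></config-auth>"""

def hostscan_status(xml_text):
    """Return the <status> text of a hostscan reply ('TOKEN_SUCCESS' here)."""
    return ET.fromstring(xml_text.encode()).findtext('status')

def parse_config_auth(xml_text):
    """Extract the fields the client acts on from a <config-auth> reply."""
    root = ET.fromstring(xml_text.encode())
    scan = root.find('host-scan')
    return {
        'type': root.get('type'),
        'tunnel_group': root.findtext('opaque/tunnel-group'),
        'auth_complete': root.find('auth/authentication-complete') is not None,
        'session_token': root.findtext('session-token'),  # None in the post
        # Map each <host-scan> child (ticket, token, URIs) to its text.
        'host_scan': None if scan is None else {c.tag: c.text for c in scan},
    }

def diagnose(cfg, scan_status):
    """Explain what the parsed reply implies for the next client step."""
    if cfg['auth_complete'] and cfg['session_token']:
        return 'ok: session-token present, WebVPN cookie can be set'
    if cfg['host_scan'] and scan_status != 'TOKEN_SUCCESS':
        return 'hostscan not accepted: status %s' % scan_status
    if cfg['host_scan']:
        return ('hostscan reported TOKEN_SUCCESS but the server still sent a '
                'host-scan block and no session-token; no cookie possible')
    return 'unexpected reply: no host-scan and no session-token'
```

Running `diagnose(parse_config_auth(CONFIG_AUTH_REPLY), hostscan_status(HOSTSCAN_REPLY))` on the quoted replies lands on the third branch, which is the state the log above ends in.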
