On 10/3/18 6:54 PM, David Woodhouse wrote:
> I don't see it trying the CSD wrapper at all there.
> Can you show the command line, and add '-vv' to it too? Perhaps also
> add a 'set -x' to the csd_wrapper script you're using, so we definitely
> see what it's doing too.

Hi David,

Thanks for the response and sorry if I wasn't clear. I had only posted the last half of the log, after the wrapper script (because I thought that part was successful and it was fairly long).

I re-ran it with -vv and 'set -x' and I'm now posting the full output (below) and command. Note that my wrapper script outputs a start/end message that starts with "===" so I can see clearly where it runs.

~ray

---------------------------------------------------------------------------------------

$ sudo openconnect \
        -vv \
        --user="$ADDOM/$USERNAME" \
        --certificate="$PIVCERT" \
        --pid-file="$PIDFILE" \
        --csd-user=$ME \
        --csd-wrapper="$CSDWRAPPER" \
        --dump-http-traffic \
        $HOSTDOMAIN/piv
[sudo] password for ray:
POST https://$HOSTDOMAIN/piv
Attempting to connect to server XXX.XXX.XX.X:443
Connected to XXX.XXX.XX.X:443
Using PKCS#11 certificate pkcs11:token=FIRSTNAME%20O%20LASTNAME;id=%00%02;type=cert
Trying PKCS#11 key URL pkcs11:token=FIRSTNAME%20O%20LASTNAME;id=%00%02;type=private
PIN required for FIRSTNAME M LASTNAME
Enter PIN:
Using PKCS#11 key pkcs11:token=FIRSTNAME%20O%20LASTNAME;id=%00%02;type=private
Using client certificate 'FIRSTNAME M LASTNAME'
Adding supporting CA '$MYORG'
Adding supporting CA 'Symantec SSP Intermediate CA - G4'
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> POST /piv HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 215
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>linux-64</device-id><group-access>https://$HOSTDOMAIN/piv</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 03 Oct 2018 23:44:23 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <client-cert-request></client-cert-request>
< </config-auth>
POST https://$HOSTDOMAIN/piv
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> POST /piv HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 215
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>linux-64</device-id><group-access>https://$HOSTDOMAIN/piv</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 03 Oct 2018 23:44:25 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>PIV</tunnel-group>
< <config-hash>1530112511655</config-hash>
< </opaque>
< <auth id="main">
< <authentication-complete></authentication-complete>
< </auth>
< <host-scan>
< <host-scan-ticket>260F964C1481B67F19F23B9E</host-scan-ticket>
< <host-scan-token>0EF135D975E118204E8B8B23</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
XML POST enabled
GET https://$HOSTDOMAIN/+CSCOE+/sdesktop/wait.html
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: sdesktop=0EF135D975E118204E8B8B23
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
>
+ echo '=== csd-wrapper.sh is running...'
=== csd-wrapper.sh is running...
+ CSD_HOSTNAME=$HOSTDOMAIN
+ host=https://$HOSTDOMAIN
+ token=0EF135D975E118204E8B8B23
+ echo '[token=0EF135D975E118204E8B8B23]'
[token=0EF135D975E118204E8B8B23]
+ echo '[sending...]'
[sending...]
+ run_curl --data-ascii @- 'https://$HOSTDOMAIN/+CSCOE+/sdesktop/scan.xml?reusebrowser=1'
+ /usr/bin/curl --insecure --user-agent 'Open AnyConnect VPN Agent v7.08' --header 'X-Transcend-Version: 1' --header 'X-Aggregate-Auth: 1' --header 'X-AnyConnect-Platform: linux-64' --cookie sdesktop=0EF135D975E118204E8B8B23 --data-ascii @- 'https://$HOSTDOMAIN/+CSCOE+/sdesktop/scan.xml?reusebrowser=1'
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 03 Oct 2018 23:44:25 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
HTTP body chunked (-2)
<
< <html>
< <head>
< <meta http-equiv="refresh" content="1">
< <title>Installation</title>
< <link href="/+CSCOU+/portal.css" rel="stylesheet" type="text/css">
< <link href="/+CSCOE+/logon_custom.css" rel="stylesheet" type="text/css">
< </head>
< <body style="background-color:#ffffff; overflow:auto;">
< <table style="width:100%;height: 100%" cellspacing=0 cellpadding=0>
< <tr>
< <td style="border-bottom:1px solid #aaaaaa" colspan=2>
< <table style="width:100%" border="0" cellpadding="0" cellspacing="0" class="cuesHeaderBg">
< <tr>
< <td colspan="2" class="cuesHeaderAccent"></td>
< </tr>
<    <tr>
<       <td class="install-title" style="height:40px; padding: 8px; font-size:larger;font-weight:bold">
<           <img src="/+CSCOU+/csco_logo.gif" align="absmiddle" alt="Logo"  title="Logo">
<           Secure Desktop
<       </td>
<    </tr>
< </tr>
< </table>
< </td>
< </tr>
<
< <td id=form_panel align=middle>
< <div id=keepout_margin>
< <table id=form_table cellspacing=0 cellpadding=0 border=0 width=300>
<
<     <tr>
<     <td colspan=2 id="logon" align="middle" valign="top">
<     <table id="form_title"  width=100% cellspacing=0  border="0">
<     <tr height=20>
<     <td id="form_title_text" colspan=2 align="middle" nowrap>
<         Secure Desktop
<     </td>
<     </tr>
<     </table>
<     </td>
< </tr>
< <tr><td colspan=2 align=middle>
< <table border=0>
< <tr>
< <td colspan=2><div style="margin-top:10;margin-bottom:10;">
< Processing, please wait...
< </div>
< </td>
< </tr>
< <tr><td><center><img src="/+CSCOU+/progress.gif" alt="Loading..."></center></tr></td>
< <tr>
< <td align=middle colspan=2 height=40>
< </td>
< </tr>
< </table>
< </div>
< </td>
< </table>
< </div>
< </td>
< </body>
< </html>
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
<?xml version="1.0" encoding="ISO-8859-1"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>
+ echo '[sent]'
[sent]
+ echo '=== csd-wrapper.sh is exiting'
=== csd-wrapper.sh is exiting
+ exit 0
GET https://$HOSTDOMAIN/+CSCOE+/sdesktop/wait.html
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: sdesktop=0EF135D975E118204E8B8B23
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 03 Oct 2018 23:44:28 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
Location: /
Set-Cookie: sdesktop=0EF135D975E118204E8B8B23; path=/; secure
HTTP body chunked (-2)
< <html>x</html>
POST https://$HOSTDOMAIN/piv
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> POST /piv HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: sdesktop=0EF135D975E118204E8B8B23
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 215
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>linux-64</device-id><group-access>https://$HOSTDOMAIN/piv</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 03 Oct 2018 23:44:30 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>PIV</tunnel-group>
< <config-hash>1530112511655</config-hash>
< </opaque>
< <auth id="main">
< <authentication-complete></authentication-complete>
< </auth>
< <host-scan>
< <host-scan-ticket>60AC20764B72C71146C5CB38</host-scan-ticket>
< <host-scan-token>65853B9B04C273AA7F365695</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
Failed to obtain WebVPN cookie