VPN seems to connect but fails to get a response from the peer

I have been using OpenConnect successfully for some time in an Ubuntu
Linux chroot on a chromebook, as this is the only way to authenticate
using a SmartCard into my office's Cisco VPN network on ChromeOS.
Starting in September, when I attempt to connect to the VPN, the
connection seems to work but I am no longer able to access anything on
the network. Unfortunately, I cannot ascertain whether the problem is
on my end, or on my office's end, because I had recently re-installed
my chroot. Most of my colleagues run Windows with AnyConnect, and are
not now experiencing issues with connectivity, though there were some
problems with the building WiFi and VPN around the same time. There
are a few Mac users who use OpenConnect, and they report a similar
issue to mine on the latest version of MacOS, but OpenConnect works on
earlier versions of MacOS.

Output from openconnect --version:

OpenConnect version v7.08-3ubuntu0.18.04.1
Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP
software token, TOTP software token, Yubikey OATH, System keys, DTLS

An example of the OpenConnect command I am attempting, with my
SmartCard cert URL info removed:

sudo openconnect -v -u adam.allgood \
    --cafile='/home/avrammeir/Downloads/UserNSSDB 6cd262f44f10e19bc2ba48_DOD EMAIL CA-51 - U.S.pem' \
    -c '<REMOVED>' \
    cpvpn.ncep.noaa.gov/cac/ > openconnect-log.txt

The output I see on the command line is:

PIN required for <REMOVED>
Enter PIN:
CSTP Dead Peer Detection detected dead peer!
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out

And in the file openconnect-log.txt, I see:

POST https://cpvpn.ncep.noaa.gov/cac/
Attempting to connect to server 140.90.73.186:443
Connected to 140.90.73.186:443
Using PKCS#11 certificate <REMOVED>
Using PKCS#11 key <REMOVED>
Using client certificate '<REMOVED>'
Adding supporting CA 'DOD EMAIL CA-51'
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0QW55Y29ubmVjdC1DQUM=; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 23 Oct 2019 18:08:36 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://cpvpn.ncep.noaa.gov/cac/
Attempting to connect to server 140.90.73.186:443
Connected to 140.90.73.186:443
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0QW55Y29ubmVjdC1DQUM=; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 23 Oct 2019 18:08:38 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://cpvpn.ncep.noaa.gov/+webvpn+/index.html
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; preload;
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: samlPreauthSessionHash=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Token=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Error=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: tg=1QW55Y29ubmVjdC1DQUM=; expires=Thu, 24 Oct 2019 06:08:40 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&ch:085BA44D4EA3D7B8341016BEB24D434431A6CD47&sh:9B065194EB3622CB9E80466DA9C36CC5792D6AF7&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: 192.168.56.214
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Hostname: NCOFW2.ncep.noaa.gov
X-CSTP-DNS: 10.90.110.51
X-CSTP-DNS: 10.90.110.52
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Session-Timeout-Alert-Interval: 60
X-CSTP-Session-Timeout-Remaining: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: ncepad.noaa.gov
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: false
X-DTLS-Session-ID: A56FC73238401DFFA653FD0EBC8F18B9499152172A98777C4E0E68116B42C624
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1395
X-DTLS-MTU: 1406
X-DTLS-CipherSuite: DHE-RSA-AES256-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(DHE-RSA-1024)-(AES-256-CBC)-(SHA1)
DTLS option X-DTLS-Session-ID : A56FC73238401DFFA653FD0EBC8F18B9499152172A98777C4E0E68116B42C624
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1406
DTLS option X-DTLS-CipherSuite : DHE-RSA-AES256-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected as 192.168.56.214, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).
Initiating IPv4 MTU detection (min=703, max=1406)
No change in MTU after detection (was 1406)
Send CSTP Keepalive
Send CSTP DPD
Send CSTP DPD
Got DTLS DPD request
Send CSTP DPD
sleep 10s, remaining timeout 300s
sleep 20s, remaining timeout 290s
sleep 30s, remaining timeout 270s
sleep 40s, remaining timeout 240s
sleep 50s, remaining timeout 200s
sleep 60s, remaining timeout 150s
sleep 70s, remaining timeout 90s
sleep 80s, remaining timeout 20s

One piece of weirdness that may be helpful to report as well: when I
try this on xenial (the previous LTS Ubuntu) instead of bionic, I get
a "DTLS handshake failed - resource temporarily unavailable" error. Here
the DTLS connection seems to be made, but then... nothing.

Thank you so much for maintaining this software!
Adam

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
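An added example, not from the post or the OpenConnect project: a small Python triage script for an `openconnect -v` log of the shape quoted above. It extracts the negotiated X-CSTP/X-DTLS parameters and tallies dead-peer-detection probes against replies, so that "our probes go unanswered while the peer's own DPD requests still arrive" (one-way traffic) can be told apart from a tunnel that never came up. The sample log is constructed, and the "Got ... DPD response" strings are assumed from OpenConnect's verbose output for a session whose peer does answer; they do not occur in the post.

```python
import re
# Constructed excerpt shaped like the `openconnect -v` log quoted in the post
SAMPLE_LOG = """\
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MTU: 1395
X-DTLS-MTU: 1406
Send CSTP DPD
Send CSTP DPD
Got DTLS DPD request
Send CSTP DPD
CSTP Dead Peer Detection detected dead peer!
"""
HEADER_RE = re.compile(r"^X-(CSTP|DTLS)-([\w-]+):\s*(.*)$")
# DPD log lines. The "response" lines never appear in the post; they are
# assumed from OpenConnect's verbose output when the peer does answer.
DPD_EVENTS = {
    "Send CSTP DPD": "cstp_sent",
    "Got CSTP DPD response": "cstp_resp",
    "Send DTLS DPD": "dtls_sent",
    "Got DTLS DPD response": "dtls_resp",
    "Got DTLS DPD request": "inbound_dtls",
}

def parse_tunnel_params(log):
    """Collect the X-CSTP-*/X-DTLS-* values the gateway negotiated."""
    params = {}
    for line in log.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            params[f"{m.group(1)}-{m.group(2)}"] = m.group(3).strip()
    return params

def diagnose_dpd(log):
    """Tally DPD probes against replies; unanswered probes while the peer's
    own probes still arrive means one-way traffic, not a bad handshake."""
    counts = dict.fromkeys(DPD_EVENTS.values(), 0)
    dead = False
    for line in log.splitlines():
        line = line.strip()
        if line in DPD_EVENTS:
            counts[DPD_EVENTS[line]] += 1
        elif line.endswith("Dead Peer Detection detected dead peer!"):
            dead = True
    unanswered = counts["cstp_sent"] > 0 and counts["cstp_resp"] == 0
    verdict = ("healthy" if not dead else
               "one-way: CSTP DPD probes unanswered, peer DTLS probes arrive"
               if unanswered and counts["inbound_dtls"] else
               "dead peer, no inbound DPD traffic seen")
    return {**counts, "dead_peer": dead, "verdict": verdict}
```

Run it against the real log with `diagnose_dpd(open("openconnect-log.txt").read())`; the verdict is only a hint about where to look (client-to-gateway path versus gateway-to-client), not a root cause.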
