Hello again Dan, sorry for the delayed response.

On Thu, Oct 24, 2019 at 2:46 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
>
> Interesting. Even in your more verbose log, it appears that
> OpenConnect is totally and entirely failing to receive any response
> over the DTLS channel… except for the MTU DPD probe at the beginning.
>
> This is why I suggest upgrading to a more recent version in which
> David Woodhouse has made the DTLS MTU detection much more robust and…
>

I updated to:

OpenConnect version v8.05
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse

Unfortunately I appear to be having the same problems.

>
> … and also I'm quite surprised that --no-dtls does not make a
> difference. This option makes OpenConnect communicate entirely over
> the HTTPS/TLS channel which is already used for authentication, and
> not try to open a DTLS channel at all.
>
> You're *sure* it makes no difference? No ability to receive any
> packets from the VPN server over the TLS channel? No additional clues in
> the log with `--no-dtls -vvv --dump`?
>

Here is the log from v8.05 using --no-dtls:

POST https://cpvpn.ncep.noaa.gov/cac/
Attempting to connect to server 140.90.73.186:443
Connected to 140.90.73.186:443
Using PKCS#11 certificate <DELETED>
Trying PKCS#11 key URL <DELETED>
Using PKCS#11 key <DELETED>
Using client certificate '<DELETED>
Got no issuer from PKCS#11
Adding supporting CA 'DOD EMAIL CA-51'
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
> POST /cac/ HTTP/1.1
> Host: cpvpn.ncep.noaa.gov
> User-Agent: Open AnyConnect VPN Agent v8.05
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 218
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v8.05</version><device-id>linux-64</device-id><group-access>https://cpvpn.ncep.noaa.gov/cac/</group-access></config-auth>
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=<DELETED>=; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 01 Nov 2019 20:38:10 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://cpvpn.ncep.noaa.gov/cac/
Attempting to connect to server 140.90.73.186:443
Connected to 140.90.73.186:443
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
> GET /cac/ HTTP/1.1
> Host: cpvpn.ncep.noaa.gov
> User-Agent: Open AnyConnect VPN Agent v8.05
> Cookie: tg=<DELETED>=
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=<DELETED>=; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 01 Nov 2019 20:38:12 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://cpvpn.ncep.noaa.gov/+webvpn+/index.html
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
> GET /+webvpn+/index.html HTTP/1.1
> Host: cpvpn.ncep.noaa.gov
> User-Agent: Open AnyConnect VPN Agent v8.05
> Cookie: tg=<DELETED>=
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; preload;
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: samlPreauthSessionHash=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Token=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Error=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: tg=<DELETED>=; expires=Sat, 02 Nov 2019 08:38:14 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&ch:<DELETED>:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="success">
< <title>SSL VPN Service</title>
< <message>Success</message>
< <success/>
< </auth>
<
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: cpvpn.ncep.noaa.gov
> User-Agent: Open AnyConnect VPN Agent v8.05
> Cookie: webvpn=<DELETED>
> X-CSTP-Version: 1
> X-CSTP-Hostname: localhost
> X-CSTP-Accept-Encoding: lzs
> X-CSTP-Base-MTU: 1500
> X-CSTP-MTU: 1390
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
>
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: 192.168.56.204
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Hostname: NCOFW2.ncep.noaa.gov
X-CSTP-DNS: 10.90.110.51
X-CSTP-DNS: 10.90.110.52
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Session-Timeout-Alert-Interval: 60
X-CSTP-Session-Timeout-Remaining: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: ncepad.noaa.gov
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: false
X-CSTP-MTU: 1383
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(DHE-RSA-1024)-(AES-256-CBC)-(SHA256)
Connected as 192.168.56.204, using SSL, with DTLS disabled
Sending uncompressed data packet of 76 bytes
Sending uncompressed data packet of 60 bytes
Sending uncompressed data packet of 201 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 76 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 201 bytes
... <skipping a lot of this> ...
Sending uncompressed data packet of 52 bytes
No work to do; sleeping for 4000 ms...
Sending uncompressed data packet of 52 bytes
No work to do; sleeping for 4000 ms...
Sending uncompressed data packet of 84 bytes
No work to do; sleeping for 4000 ms...
Sending uncompressed data packet of 87 bytes
No work to do; sleeping for 3000 ms...
Sending uncompressed data packet of 52 bytes
No work to do; sleeping for 3000 ms...
Sending uncompressed data packet of 52 bytes
No work to do; sleeping for 3000 ms...
Sending uncompressed data packet of 60 bytes
Sending uncompressed data packet of 60 bytes
No work to do; sleeping for 3000 ms...
Sending uncompressed data packet of 84 bytes
No work to do; sleeping for 3000 ms...
Sending uncompressed data packet of 60 bytes
No work to do; sleeping for 2000 ms...
Sending uncompressed data packet of 60 bytes
Sending uncompressed data packet of 60 bytes
No work to do; sleeping for 2000 ms...
Sending uncompressed data packet of 84 bytes
No work to do; sleeping for 2000 ms...
Sending uncompressed data packet of 64 bytes
No work to do; sleeping for 1000 ms...
No work to do; sleeping for 1000 ms...
No work to do; sleeping for 1000 ms...
No work to do; sleeping for 1000 ms...
sleep 10s, remaining timeout 300s
sleep 20s, remaining timeout 290s
User cancelled (SIGINT/SIGTERM); exiting.

On the command line, I saw:

avrammeir@localhost:~$ sudo openconnect -vvv --dump --no-dtls -u adam.allgood --cafile='/home/avrammeir/Downloads/UserNSSDB 6cd262f44f10e19bc2ba48_DOD EMAIL CA-51 - U.S.pem' -c '<DELETED>' cpvpn.ncep.noaa.gov/cac/ > no-dtls.txt
PIN required for <DELETED>
Enter PIN:
CSTP Dead Peer Detection detected dead peer!
unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date
Script '/usr/share/vpnc-scripts/vpnc-script' returned error 1
Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date
Script '/usr/share/vpnc-scripts/vpnc-script' returned error 1
^CSocket connect canceled

Is there any information in this that can suggest why I'm receiving no response after connecting? I would assume it's something wrong with the way my office has configured the VPN, but AnyConnect on Windows has no problems.

Thanks again!
Adam

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
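As an added diagnostic example (not part of this thread or of OpenConnect itself), the following Python tallies the per-direction data-packet lines in an OpenConnect `-vvv --dump` log and reports the one-way pattern Dan describes: packets sent, nothing received, then DPD tearing the session down. The `Sending ... data packet` line form is taken from the log above; the `Received ...` form is assumed to mirror it, and the sample log is a constructed excerpt.

```python
import re
from collections import Counter

# Constructed excerpt shaped like the "--no-dtls -vvv --dump" log in the message above.
SAMPLE_LOG = """\
Connected as 192.168.56.204, using SSL, with DTLS disabled
Sending uncompressed data packet of 76 bytes
Sending uncompressed data packet of 60 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 201 bytes
CSTP Dead Peer Detection detected dead peer!
unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date
Script '/usr/share/vpnc-scripts/vpnc-script' returned error 1
"""

# "Sending ..." is the exact line form in the log; the "Received ..." form is assumed to mirror it.
PKT_RE = re.compile(r"^(Sending|Received) (?:un)?compressed data packet of (\d+) bytes")

def summarise(log_text):
    """Count tunnel packets and bytes per direction and collect markers that explain the outcome."""
    counts = Counter()
    markers = set()
    for line in log_text.splitlines():
        m = PKT_RE.match(line)
        if m:
            direction = "tx" if m.group(1) == "Sending" else "rx"
            counts[direction + "_packets"] += 1
            counts[direction + "_bytes"] += int(m.group(2))
        elif "Dead Peer Detection detected dead peer" in line:
            markers.add("dpd")
        elif "unknown reason 'attempt-reconnect'" in line:
            markers.add("old-vpnc-script")
        elif line.startswith("Connected as ") and "DTLS disabled" in line:
            markers.add("tls-only")
    return dict(counts), markers

def diagnose(log_text):
    """Return the findings a reviewer would draw from the tallies, most important first."""
    counts, markers = summarise(log_text)
    findings = []
    if counts.get("tx_packets", 0) and not counts.get("rx_packets", 0):
        where = "TLS-only (CSTP)" if "tls-only" in markers else "tunnel"
        findings.append(f"one-way {where}: {counts['tx_packets']} packets sent, none received")
    if "dpd" in markers:
        findings.append("DPD timed out: the peer never answered keepalive/DPD probes")
    if "old-vpnc-script" in markers:
        findings.append("vpnc-script lacks the 'attempt-reconnect' reason; update it")
    return findings
```

Feed it a saved `no-dtls.txt` via `diagnose(open(path).read())`; an empty result means traffic was seen in both directions and none of the markers appeared.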