On Thu, Mar 26, 2020 at 5:52 PM John Clonts <john@xxxxxxxxxx> wrote:
> < <csd token="6D98F33B40B9C5CA494D1D35" ticket="3A9674966B3F57B15EDDBA58" />
> < <csd stuburl="/CACHE/sdesktop/install/binaries/inst.exe"
> preloginurl="/CACHE/sdesktop/install/binaries/cache.jar"
> preloginname="CSDPreLogin"
> starturl="/CACHE/sdesktop/install/result.htm"
> waiturl="/+CSCOE+/sdesktop/wait.html" /><csdMac
> stuburl="/CACHE/sdesktop/install/binaries/sfinst"
> starturl="/CACHE/sdesktop/install/result.htm"
> waiturl="/+CSCOE+/sdesktop/wait.html" /><csdLinux
> stuburl="/CACHE/sdesktop/install/binaries/sfinst"
> starturl="/CACHE/sdesktop/install/result.htm"
> waiturl="/+CSCOE+/sdesktop/wait.html" />
> ,,,
> GET https://vpn.mycompany.com/CACHE/sdesktop/install/binaries/sfinst
> > GET /CACHE/sdesktop/install/binaries/sfinst HTTP/1.1
> > Host: vpn.mycompany.com
> > User-Agent: Open AnyConnect VPN Agent v7.08-3ubuntu0.18.04.1
> > Cookie: webvpnlogin=1
> > Accept: */*
> > Accept-Encoding: identity
> > X-Transcend-Version: 1
> > X-Support-HTTP-Auth: true
> >
> Got HTTP response: HTTP/1.1 404 Not Found
> ,,,
> < File not found
> Unexpected 404 result from server
> Failed to obtain WebVPN cookie
> john@mint:~$

Thanks, this is perfect. It's clear from the log exactly what's going on, and it turns out to be an easy fix.

== What's wrong ==

Your Cisco VPN admins have misconfigured the server by requiring CSD/HostScan on all platforms, but failing to test that it actually works with all platforms. They probably only tested with Mac, Windows, and Android, and didn't consider Linux clients.

The CSD "stub" script specified for Linux clients doesn't actually exist. OpenConnect tries to download it, assuming that it has to be able to run this stub in order to complete the HostScan… and fails because it doesn't exist.

This is why `--os=android` or `--os=win` work: the stubs for those operating systems *do* exist, so OpenConnect doesn't fail.

== Why the server misconfiguration doesn't actually matter ==

The `csd-post.sh` script doesn't even try to use the scripts/binaries sent by the server *at all*, so OpenConnect should be able to ignore it.

== Fix ==

I whipped up a quick patch to address this (https://gitlab.com/openconnect/openconnect/-/merge_requests/77) and took the liberty of testing it on your server using the IP address from your log. Long story short, it works fine with `csd-post.sh`, despite the server's lack of a correct configuration for Linux clients.

If you can compile OpenConnect from source, you should be able to test this patched version just as I did. If you then install the resulting OpenConnect binaries system-wide, NetworkManager should work fine with it.

Otherwise, it'll be a matter of waiting until we can roll some version of this into an official release…

-Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
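A small checker for the misconfiguration diagnosed above, added here as an illustration; it is not part of the thread and not OpenConnect's code. It pulls the `stuburl` of every `<csd*>` element out of the server's XML login response (the sample below is constructed from the elements in John's log) and requests each one with the same cookie and User-Agent the log shows, so a VPN admin can see at a glance which platforms' CSD stubs the server actually serves. The element-to-platform mapping and the `fetch` hook are assumptions of this example, not OpenConnect's own selection logic.

```python
"""Check which CSD/HostScan stub files an AnyConnect server actually serves.

Added example for this thread; not OpenConnect code. Parses the <csd*>
elements from the server's XML login response and fetches each stuburl,
reporting the HTTP status so missing stubs (the "Unexpected 404" above)
show up per platform before a client trips over them.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample, reproducing the <csd*> elements from the log above.
SAMPLE_CSD_XML = """\
<config-auth>
  <csd token="6D98F33B40B9C5CA494D1D35" ticket="3A9674966B3F57B15EDDBA58" />
  <csd stuburl="/CACHE/sdesktop/install/binaries/inst.exe"
       preloginurl="/CACHE/sdesktop/install/binaries/cache.jar"
       preloginname="CSDPreLogin"
       starturl="/CACHE/sdesktop/install/result.htm"
       waiturl="/+CSCOE+/sdesktop/wait.html" />
  <csdMac stuburl="/CACHE/sdesktop/install/binaries/sfinst"
       starturl="/CACHE/sdesktop/install/result.htm"
       waiturl="/+CSCOE+/sdesktop/wait.html" />
  <csdLinux stuburl="/CACHE/sdesktop/install/binaries/sfinst"
       starturl="/CACHE/sdesktop/install/result.htm"
       waiturl="/+CSCOE+/sdesktop/wait.html" />
</config-auth>
"""

# Assumed mapping from element name to the client platform it serves. This
# follows the element names only; it is not OpenConnect's own --os logic.
PLATFORM_FOR_ELEMENT = {"csd": "win", "csdMac": "mac-intel", "csdLinux": "linux"}


def stub_urls(csd_xml):
    """Return {element_name: stuburl} for every <csd*> element that has a stuburl.

    The bare <csd token=... ticket=.../> element carries no stub and is skipped.
    """
    root = ET.fromstring(csd_xml)
    urls = {}
    for node in root.iter():
        if node.tag.startswith("csd") and "stuburl" in node.attrib:
            urls[node.tag] = node.attrib["stuburl"]
    return urls


def http_status(url):
    """GET a stub URL with the cookie and User-Agent from the log; return the HTTP status.

    A 4xx/5xx raises HTTPError in urllib, so the code is taken from the exception.
    """
    req = urllib.request.Request(url, headers={
        "User-Agent": "Open AnyConnect VPN Agent v7.08-3ubuntu0.18.04.1",
        "Cookie": "webvpnlogin=1",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_stubs(base_url, csd_xml, fetch=http_status):
    """Return {element_name: (platform, full_url, status)} for each advertised stub.

    `fetch` is injectable so the check can be run offline against a fake server.
    """
    results = {}
    for element, path in stub_urls(csd_xml).items():
        url = base_url.rstrip("/") + path
        results[element] = (PLATFORM_FOR_ELEMENT.get(element, "?"), url, fetch(url))
    return results


def missing_stubs(results):
    """Sorted element names whose stub the server does not serve (any non-200 status)."""
    return sorted(e for e, (_, _, status) in results.items() if status != 200)


if __name__ == "__main__":
    import sys
    # Usage: python3 csd_stub_check.py https://vpn.example.com  (hostname is an assumption)
    base = sys.argv[1] if len(sys.argv) > 1 else "https://vpn.mycompany.com"
    found = check_stubs(base, SAMPLE_CSD_XML)
    for element, (platform, url, status) in found.items():
        print(f"{element:9} {platform:10} {status}  {url}")
    print("missing stubs:", missing_stubs(found))
```

To use it against a real gateway, replace `SAMPLE_CSD_XML` with the `<csd*>` elements from your own `openconnect -vvv` output; if the gateway uses a private CA, urllib will refuse the TLS connection unless that CA is in the system trust store, which is the correct default rather than something to disable here.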