Re: GlobalProtect connection loss

On 2020-04-13 at 22:21, Daniel Lenski wrote:

> On Mon, Apr 13, 2020 at 6:33 PM The Wanderer <wanderer@xxxxxxxxxxx>
> wrote:
> 
>> Would a repeating ping over the VPN tunnel (one every 30 seconds,
>> more a keepalive than anything else) be enough to qualify as
>> traffic for this purpose, or would I need to keep something else
>> (e.g. the RDP session) going?
> 
> I don't really know what is used to detect an idle connection. Ping 
> may or may not be enough. ¯\_(ツ)_/¯

It seems to have worked in this case. The session died at about twenty
minutes past midnight; the final timestamp in the file is three hours,
24 seconds after the first one. The resulting file was a round 999K, and
just over a million lines.

It actually looks like the rekey went through successfully, but
something odd happened afterwards. I suspect that the key information
here is going to be in the last dozen or so lines.

There's what looks like the beginning of a client-initiated logout
attempt (although I certainly did not initiate any such logout; I was
asleep at the time), followed by a received result which includes
"Invalid user name", and then EOF - which I interpret to be the program
exiting.

The credentials reported in that received result (which, appropriately,
don't include a password) appear to match those used to authenticate
before. My past experience indicates that when this type of
disconnection happens, reconnecting immediately (as in, within seconds)
with the exact same credentials works fine.

In hindsight I realize there was one thing I could have done differently
on this session invocation to be more sure I didn't miss any stderr,
etc., messages - but I didn't do it, so I'm not entirely positive
there's nothing missing. I hope all the important stuff is there.

>> I hope it's OK if I process the resulting file to strip out
>> identifying information - organization names, not IP addresses et
>> cetera; I'm not entirely sure what is and isn't OK to let out,
>> here, but I know we're told not to share the GlobalProtect portal
>> address and I can see that in the logs already.
> 
> Yep, you should see plenty of examples of how to obfuscate such
> things in the list archives. If you're unsure, you can send the logs
> to "just one random guy on the Internet" (me) instead of "a whole
> bunch of us."

I've looked at the recent archives, but I've only found one log
presented at all and it wasn't at all clear what about it had been
changed for obfuscatory purposes.

Rather than dig through an unknown amount of archives looking for enough
examples to be able to determine what's good practice, I've just gone
through (a copy of) the log and replaced not just the obvious things
(recognizable names, passwords, the external IP address of the VPN
portal) but anything that looked like it even might be a unique ID, down
to in one case something that was reported as being an MD5 hash; the
only apparent hex strings I left unchanged were the "ETag:" entries in
what look like the HTTP traffic.

This is probably far more anonymization than is really necessary, not to
mention far more manual effort, but I'm reasonably confident that it's
sufficient.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
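
An added example, not part of the original message or of the VPN client: one way to script the scrubbing described above so that every secret maps to a stable placeholder and the log stays correlatable. Field, element and phrase names are taken from the log on this page; `sanitize`, the sample lines and values, and the `0x` hex formatting of keys and SPIs are assumptions.

```python
import re

# Field names, XML elements and log phrases as they appear in the log on this
# page. The sample values further down are constructed for this example.
FORM_KEYS = ("PHPSESSID", "passwd", "user", "authcookie", "md5",
             "computer", "server", "portal", "domain")
XML_TAGS = ("user", "user-email", "portal", "portal-name",
            "portal-userauthcookie", "portal-prelogonuserauthcookie",
            "scep-cert-auth-cookie", "gw-address", "c2s-spi", "s2c-spi", "val")

PATTERNS = (
    re.compile(r"(?<![\w-])(%s)=([^&;\s]+)" % "|".join(FORM_KEYS)),
    re.compile(r"<(%s)>([^<]+)</\1>" % "|".join(XML_TAGS)),
    # Assumption: ESP keys and SPIs are printed as 0x-prefixed hex.
    re.compile(r"\b(key|SPI) (0x[0-9a-fA-F]+)"),
)
MIN_GLOBAL = 4  # shorter learned values are only replaced next to their field


def sanitize(lines, known=None):
    """Return (scrubbed_lines, mapping). `known` maps literals the caller
    already knows are sensitive (portal host, public IP) to placeholders."""
    known = dict(known or {})
    mapping = dict(known)
    counters = {}

    def alias(kind, value):
        # Same original value -> same placeholder, so requests and responses
        # that carry the same cookie or SPI can still be matched up.
        if value not in mapping:
            counters[kind] = counters.get(kind, 0) + 1
            name = kind.upper().replace("-", "_")
            mapping[value] = "%s_%d" % (name, counters[kind])
        return mapping[value]

    def swap(m):
        # Replace only the captured value; keep the field name around it.
        text, off = m.group(0), m.start(0)
        return (text[:m.start(2) - off] + alias(m.group(1), m.group(2))
                + text[m.end(2) - off:])

    # Pass 1: contextual replacement, which also learns every secret value.
    stage = []
    for line in lines:
        for rx in PATTERNS:
            line = rx.sub(swap, line)
        stage.append(line)

    # Pass 2: replace learned values wherever else they occur, e.g. as a
    # positional <argument> that appears before the field that names it.
    # Over-redaction is the safe failure direction here.
    literals = sorted((v for v in mapping
                       if v in known or len(v) >= MIN_GLOBAL),
                      key=len, reverse=True)
    if not literals:
        return stage, mapping
    everywhere = re.compile(r"(?<![\w-])(?:%s)(?![\w-])"
                            % "|".join(map(re.escape, literals)))
    return [everywhere.sub(lambda m: mapping[m.group(0)], l)
            for l in stage], mapping


# Constructed sample input, shaped like the log on this page.
KNOWN = {"vpn.corp.example": "PORTAL_HOST", "203.0.113.7": "PORTAL_IPV4"}
SAMPLE = """\
[2020-01-01 00:00:00] Connected to 203.0.113.7:443
[2020-01-01 00:00:00] > Host: vpn.corp.example
[2020-01-01 00:00:00] > Cookie: PHPSESSID=0a1b2c3d4e5f60718293a4b5
[2020-01-01 00:00:00] > ok=Login&server=vpn.corp.example&computer=laptop7&user=jdoe&passwd=hunter2!
[2020-01-01 00:00:01] < <jnlp><application-desc><argument>(null)</argument><argument>f00dfeedcafe0123456789abcdef0000</argument><argument>jdoe</argument></application-desc></jnlp>
[2020-01-01 00:00:01] > authcookie=f00dfeedcafe0123456789abcdef0000&user=jdoe&computer=laptop7
[2020-01-01 00:00:01] < <c2s-spi>0x1a2b3c4d</c2s-spi>
[2020-01-01 00:00:01] < <val>00112233445566778899aabbccddeeff</val>
[2020-01-01 00:00:01] Parameters for outgoing ESP: SPI 0x1a2b3c4d
[2020-01-01 00:00:01] ESP encryption type AES-128-CBC (RFC3602) key 0x00112233445566778899aabbccddeeff
""".splitlines()

if __name__ == "__main__":
    print("\n".join(sanitize(SAMPLE, KNOWN)[0]))
```

The returned mapping reverses every placeholder, so it stays on the machine that produced the log.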
[2020-04-13 21:20:19] POST https://foo.bar.baz/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
[2020-04-13 21:20:19] Attempting to connect to server VPN_PORTAL_IPV4:443
[2020-04-13 21:20:19] Connected to VPN_PORTAL_IPV4:443
[2020-04-13 21:20:20] SSL negotiation with foo.bar.baz
[2020-04-13 21:20:20] Connected to HTTPS on foo.bar.baz with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
[2020-04-13 21:20:20] > POST /global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
[2020-04-13 21:20:20] > Host: foo.bar.baz
[2020-04-13 21:20:20] > User-Agent: PAN GlobalProtect
[2020-04-13 21:20:20] > 
[2020-04-13 21:20:20] Got HTTP response: HTTP/1.1 200 OK
[2020-04-13 21:20:20] Date: Tue, 14 Apr 2020 01:20:20 GMT
[2020-04-13 21:20:20] Content-Type: application/xml; charset=UTF-8
[2020-04-13 21:20:20] Content-Length: 401
[2020-04-13 21:20:20] Connection: keep-alive
[2020-04-13 21:20:20] ETag: "d7a5da11d19"
[2020-04-13 21:20:20] Pragma: no-cache
[2020-04-13 21:20:20] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2020-04-13 21:20:20] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[2020-04-13 21:20:20] X-FRAME-OPTIONS: DENY
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Strict-Transport-Security: max-age=31536000;
[2020-04-13 21:20:20] X-XSS-Protection: 1; mode=block;
[2020-04-13 21:20:20] X-Content-Type-Options: nosniff
[2020-04-13 21:20:20] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
[2020-04-13 21:20:20] HTTP body length:  (401)
[2020-04-13 21:20:20] < <?xml version="1.0" encoding="UTF-8" ?>
[2020-04-13 21:20:20] < <prelogin-response>
[2020-04-13 21:20:20] < <status>Success</status>
[2020-04-13 21:20:20] < <ccusername></ccusername>
[2020-04-13 21:20:20] < <autosubmit>false</autosubmit>
[2020-04-13 21:20:20] < <msg></msg>
[2020-04-13 21:20:20] < <newmsg></newmsg>
[2020-04-13 21:20:20] < <authentication-message>Enter login credentials</authentication-message>
[2020-04-13 21:20:20] < <username-label>Username</username-label>
[2020-04-13 21:20:20] < <password-label>Password</password-label>
[2020-04-13 21:20:20] < <panos-version>1</panos-version><region>US</region>
[2020-04-13 21:20:20] < </prelogin-response>
[2020-04-13 21:20:20] Login form: "Username: " user(TEXT)=(null), "Password: " passwd(PASSWORD)
[2020-04-13 21:20:20] POST https://foo.bar.baz/global-protect/getconfig.esp
[2020-04-13 21:20:20] > POST /global-protect/getconfig.esp HTTP/1.1
[2020-04-13 21:20:20] > Host: foo.bar.baz
[2020-04-13 21:20:20] > User-Agent: PAN GlobalProtect
[2020-04-13 21:20:20] > Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE
[2020-04-13 21:20:20] > X-Pad: 000000000000000000000000000000000000000000000000000000000000
[2020-04-13 21:20:20] > Content-Type: application/x-www-form-urlencoded
[2020-04-13 21:20:20] > Content-Length: 196
[2020-04-13 21:20:20] > 
[2020-04-13 21:20:20] > jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&ipv6-support=yes&clientos=Linux&os-version=linux-64&server=foo.bar.baz&computer=origin&user=foobar_user&passwd=foobar_user_passwd
[2020-04-13 21:20:20] Got HTTP response: HTTP/1.1 200 OK
[2020-04-13 21:20:20] Date: Tue, 14 Apr 2020 01:20:20 GMT
[2020-04-13 21:20:20] Content-Type: application/xml; charset=UTF-8
[2020-04-13 21:20:20] Content-Length: 7057
[2020-04-13 21:20:20] Connection: keep-alive
[2020-04-13 21:20:20] ETag: "7875da11d19"
[2020-04-13 21:20:20] Pragma: no-cache
[2020-04-13 21:20:20] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2020-04-13 21:20:20] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[2020-04-13 21:20:20] X-FRAME-OPTIONS: DENY
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Strict-Transport-Security: max-age=31536000;
[2020-04-13 21:20:20] X-XSS-Protection: 1; mode=block;
[2020-04-13 21:20:20] X-Content-Type-Options: nosniff
[2020-04-13 21:20:20] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
[2020-04-13 21:20:20] HTTP body length:  (7057)
[2020-04-13 21:20:20] < <?xml version="1.0" encoding="UTF-8" ?>
[2020-04-13 21:20:20] < <policy>
[2020-04-13 21:20:20] < 	<portal-name>FOOBAR-GP-Portal</portal-name>
[2020-04-13 21:20:20] < 	<portal-config-version>4100</portal-config-version>
[2020-04-13 21:20:20] < 	<version>5.0.4-16                                                        </version>
[2020-04-13 21:20:20] < 	<client-role>global-protect-full</client-role>
[2020-04-13 21:20:20] < 	<agent-user-override-key>****</agent-user-override-key>
[2020-04-13 21:20:20] < 	<connect-method>user-logon</connect-method>
[2020-04-13 21:20:20] < 	<on-demand>no</on-demand>
[2020-04-13 21:20:20] < 	<refresh-config>yes</refresh-config>
[2020-04-13 21:20:20] < 	<refresh-config-interval>24</refresh-config-interval>
[2020-04-13 21:20:20] < 	<authentication-modifier>
[2020-04-13 21:20:20] < 		<none/>
[2020-04-13 21:20:20] < 	</authentication-modifier>
[2020-04-13 21:20:20] < 	<authentication-override>
[2020-04-13 21:20:20] < 		<accept-cookie>no</accept-cookie>
[2020-04-13 21:20:20] < 		<generate-cookie>no</generate-cookie>
[2020-04-13 21:20:20] < 		<cookie-encrypt-decrypt-cert></cookie-encrypt-decrypt-cert>
[2020-04-13 21:20:20] < 	</authentication-override>
[2020-04-13 21:20:20] < 	<use-sso>yes</use-sso>
[2020-04-13 21:20:20] < 	<internal-host-detection>
[2020-04-13 21:20:20] < 		<ip-address>10.20.0.82</ip-address>
[2020-04-13 21:20:20] < 		<host>infoins1.bar.baz</host>
[2020-04-13 21:20:20] < 	</internal-host-detection>
[2020-04-13 21:20:20] < 	<gateways>
[2020-04-13 21:20:20] < 		<cutoff-time>5</cutoff-time>
[2020-04-13 21:20:20] < 		<external>
[2020-04-13 21:20:20] < 			<list>
[2020-04-13 21:20:20] < 				<entry name="foo.bar.baz">
[2020-04-13 21:20:20] < 					<priority-rule>
[2020-04-13 21:20:20] < 						<entry name="Any">
[2020-04-13 21:20:20] < 							<priority>1</priority>
[2020-04-13 21:20:20] < 						</entry>
[2020-04-13 21:20:20] < 					</priority-rule>
[2020-04-13 21:20:20] < 					<priority>1</priority>
[2020-04-13 21:20:20] < 					<description>foo.bar.baz</description>
[2020-04-13 21:20:20] < 				</entry>
[2020-04-13 21:20:20] < 			</list>
[2020-04-13 21:20:20] < 		</external>
[2020-04-13 21:20:20] < 	</gateways>
[2020-04-13 21:20:20] < 	<gateways-v6>
[2020-04-13 21:20:20] < 		<cutoff-time>5</cutoff-time>
[2020-04-13 21:20:20] < 		<external>
[2020-04-13 21:20:20] < 			<list>
[2020-04-13 21:20:20] < 				<entry name="foo.bar.baz">
[2020-04-13 21:20:20] < 					<fqdn>foo.bar.baz</fqdn>
[2020-04-13 21:20:20] < 					<priority-rule>
[2020-04-13 21:20:20] < 						<entry name="Any">
[2020-04-13 21:20:20] < 							<priority>1</priority>
[2020-04-13 21:20:20] < 						</entry>
[2020-04-13 21:20:20] < 					</priority-rule>
[2020-04-13 21:20:20] < 					<priority>1</priority>
[2020-04-13 21:20:20] < 				</entry>
[2020-04-13 21:20:20] < 			</list>
[2020-04-13 21:20:20] < 		</external>
[2020-04-13 21:20:20] < 	</gateways-v6>
[2020-04-13 21:20:20] < 	<agent-ui>
[2020-04-13 21:20:20] < 		<can-save-password>yes</can-save-password>
[2020-04-13 21:20:20] < 		<passcode></passcode>
[2020-04-13 21:20:20] < 		<agent-user-override-timeout>0</agent-user-override-timeout>
[2020-04-13 21:20:20] < 		<max-agent-user-overrides>0</max-agent-user-overrides>
[2020-04-13 21:20:20] < 		<help-page></help-page>
[2020-04-13 21:20:20] < 		<help-page-2></help-page-2>
[2020-04-13 21:20:20] < 		<welcome-page>
[2020-04-13 21:20:20] < 			<display>no</display>
[2020-04-13 21:20:20] < 			<page></page>
[2020-04-13 21:20:20] < 		</welcome-page>
[2020-04-13 21:20:20] < <agent-user-override>disabled</agent-user-override>
[2020-04-13 21:20:20] < <enable-advanced-view>yes</enable-advanced-view>
[2020-04-13 21:20:20] < <enable-do-not-display-this-welcome-page-again>yes</enable-do-not-display-this-welcome-page-again>
[2020-04-13 21:20:20] < <can-change-portal>yes</can-change-portal>
[2020-04-13 21:20:20] < <show-agent-icon>yes</show-agent-icon>
[2020-04-13 21:20:20] < <password-expiry-message></password-expiry-message>
[2020-04-13 21:20:20] < <init-panel>no</init-panel>
[2020-04-13 21:20:20] < 
[2020-04-13 21:20:20] < 	</agent-ui>
[2020-04-13 21:20:20] < 	<hip-collection>
[2020-04-13 21:20:20] < 		<hip-report-interval>3600</hip-report-interval>
[2020-04-13 21:20:20] < 		<max-wait-time>20</max-wait-time>
[2020-04-13 21:20:20] < 		<collect-hip-data>yes</collect-hip-data>
[2020-04-13 21:20:20] < 		<default>
[2020-04-13 21:20:20] < 			<category>
[2020-04-13 21:20:20] < 				<member>antivirus</member>
[2020-04-13 21:20:20] < 				<member>anti-spyware</member>
[2020-04-13 21:20:20] < 				<member>host-info</member>
[2020-04-13 21:20:20] < 				<member>data-loss-prevention</member>
[2020-04-13 21:20:20] < 				<member>patch-management</member>
[2020-04-13 21:20:20] < 				<member>firewall</member>
[2020-04-13 21:20:20] < 				<member>anti-malware</member>
[2020-04-13 21:20:20] < 				<member>disk-backup</member>
[2020-04-13 21:20:20] < 				<member>disk-encryption</member>
[2020-04-13 21:20:20] < 			</category>
[2020-04-13 21:20:20] < 		</default>
[2020-04-13 21:20:20] < 	</hip-collection>
[2020-04-13 21:20:20] < 	<agent-config>
[2020-04-13 21:20:20] < 	<save-user-credentials>1</save-user-credentials>
[2020-04-13 21:20:20] < 	<portal-2fa>no</portal-2fa>
[2020-04-13 21:20:20] < 	<internal-gateway-2fa>no</internal-gateway-2fa>
[2020-04-13 21:20:20] < 	<auto-discovery-external-gateway-2fa>no</auto-discovery-external-gateway-2fa>
[2020-04-13 21:20:20] < 	<manual-only-gateway-2fa>no</manual-only-gateway-2fa>
[2020-04-13 21:20:20] < <uninstall>allowed</uninstall>
[2020-04-13 21:20:20] < <client-upgrade>prompt</client-upgrade>
[2020-04-13 21:20:20] < <enable-signout>yes</enable-signout>
[2020-04-13 21:20:20] < <use-sso-macos>no</use-sso-macos>
[2020-04-13 21:20:20] < <logout-remove-sso>yes</logout-remove-sso>
[2020-04-13 21:20:20] < <krb-auth-fail-fallback>yes</krb-auth-fail-fallback>
[2020-04-13 21:20:20] < <retry-tunnel>30</retry-tunnel>
[2020-04-13 21:20:20] < <retry-timeout>5</retry-timeout>
[2020-04-13 21:20:20] < <enforce-globalprotect>no</enforce-globalprotect>
[2020-04-13 21:20:20] < <enforcer-exception-list/>
[2020-04-13 21:20:20] < <captive-portal-exception-timeout>0</captive-portal-exception-timeout>
[2020-04-13 21:20:20] < <captive-portal-login-url></captive-portal-login-url>
[2020-04-13 21:20:20] < <traffic-blocking-notification-delay>15</traffic-blocking-notification-delay>
[2020-04-13 21:20:20] < <display-traffic-blocking-notification-msg>yes</display-traffic-blocking-notification-msg>
[2020-04-13 21:20:20] < <traffic-blocking-notification-msg>&lt;div style=&quot;font-family:'Helvetica Neue';&quot;&gt;&lt;h1 style=&quot;color:red;text-align:center; margin: 0; font-size: 30px;&quot;&gt;Notice&lt;/h1&gt;&lt;p style=&quot;margin: 0;font-size: 15px; line-height: 1.2em;&quot;&gt;To access the network, you must first connect to GlobalProtect.&lt;/p&gt;&lt;/div&gt;</traffic-blocking-notification-msg>
[2020-04-13 21:20:20] < <allow-traffic-blocking-notification-dismissal>yes</allow-traffic-blocking-notification-dismissal>
[2020-04-13 21:20:20] < <display-captive-portal-detection-msg>no</display-captive-portal-detection-msg>
[2020-04-13 21:20:20] < <captive-portal-detection-msg>&lt;div style=&quot;font-family:'Helvetica Neue';&quot;&gt;&lt;h1 style=&quot;color:red;text-align:center; margin: 0; font-size: 30px;&quot;&gt;Captive Portal Detected&lt;/h1&gt;&lt;p style=&quot;margin: 0; font-size: 15px; line-height: 1.2em;&quot;&gt;GlobalProtect has temporarily permitted network access for you to connect to the Internet. Follow instructions from your internet provider.&lt;/p&gt;&lt;p style=&quot;margin: 0; font-size: 15px; line-height: 1.2em;&quot;&gt;If you let the connection time out, open GlobalProtect and click Connect to try again.&lt;/p&gt;&lt;/div&gt;</captive-portal-detection-msg>
[2020-04-13 21:20:20] < <captive-portal-notification-delay>5</captive-portal-notification-delay>
[2020-04-13 21:20:20] < <certificate-store-lookup>user-and-machine</certificate-store-lookup>
[2020-04-13 21:20:20] < <scep-certificate-renewal-period>7</scep-certificate-renewal-period>
[2020-04-13 21:20:20] < <ext-key-usage-oid-for-client-cert></ext-key-usage-oid-for-client-cert>
[2020-04-13 21:20:20] < <retain-connection-smartcard-removal>yes</retain-connection-smartcard-removal>
[2020-04-13 21:20:20] < <rediscover-network>yes</rediscover-network>
[2020-04-13 21:20:20] < <resubmit-host-info>yes</resubmit-host-info>
[2020-04-13 21:20:20] < <can-continue-if-portal-cert-invalid>yes</can-continue-if-portal-cert-invalid>
[2020-04-13 21:20:20] < <user-switch-tunnel-rename-timeout>0</user-switch-tunnel-rename-timeout>
[2020-04-13 21:20:20] < <pre-logon-tunnel-rename-timeout>-1</pre-logon-tunnel-rename-timeout>
[2020-04-13 21:20:20] < <preserve-tunnel-upon-user-logoff-timeout>0</preserve-tunnel-upon-user-logoff-timeout>
[2020-04-13 21:20:20] < <ipsec-failover-ssl>0</ipsec-failover-ssl>
[2020-04-13 21:20:20] < <ssl-only-selection>0</ssl-only-selection>
[2020-04-13 21:20:20] < <max-internal-gateway-connection-attempts>0</max-internal-gateway-connection-attempts>
[2020-04-13 21:20:20] < <portal-timeout>5</portal-timeout>
[2020-04-13 21:20:20] < <connect-timeout>5</connect-timeout>
[2020-04-13 21:20:20] < <receive-timeout>30</receive-timeout>
[2020-04-13 21:20:20] < <enforce-dns>yes</enforce-dns>
[2020-04-13 21:20:20] < <append-local-search-domain>no</append-local-search-domain>
[2020-04-13 21:20:20] < <flush-dns>no</flush-dns>
[2020-04-13 21:20:20] < <proxy-multiple-autodetect>no</proxy-multiple-autodetect>
[2020-04-13 21:20:20] < <use-proxy>yes</use-proxy>
[2020-04-13 21:20:20] < <wsc-autodetect>yes</wsc-autodetect>
[2020-04-13 21:20:20] < <mfa-enabled>no</mfa-enabled>
[2020-04-13 21:20:20] < <mfa-listening-port>4501</mfa-listening-port>
[2020-04-13 21:20:20] < <mfa-trusted-host-list/>
[2020-04-13 21:20:20] < <mfa-notification-msg>You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at</mfa-notification-msg>
[2020-04-13 21:20:20] < <mfa-prompt-suppress-time>0</mfa-prompt-suppress-time>
[2020-04-13 21:20:20] < <ipv6-preferred>yes</ipv6-preferred>
[2020-04-13 21:20:20] < <change-password-message></change-password-message>
[2020-04-13 21:20:20] < <show-system-tray-notifications>no</show-system-tray-notifications>
[2020-04-13 21:20:20] < 
[2020-04-13 21:20:20] < 	</agent-config>
[2020-04-13 21:20:20] < <user-email>foobar_user@xxxxxxx</user-email>
[2020-04-13 21:20:20] < <portal-userauthcookie>empty</portal-userauthcookie>
[2020-04-13 21:20:20] < <portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
[2020-04-13 21:20:20] < <scep-cert-auth-cookie>SCEP_CERT_AUTH_COOKIE</scep-cert-auth-cookie>
[2020-04-13 21:20:20] < </policy>
[2020-04-13 21:20:20] Ignoring portal's HIP report interval (60 minutes), because no HIP report script provided.
[2020-04-13 21:20:20] 1 gateway servers available:
[2020-04-13 21:20:20]   foo.bar.baz (foo.bar.baz)
[2020-04-13 21:20:20] POST https://foo.bar.baz/ssl-vpn/login.esp
[2020-04-13 21:20:20] > POST /ssl-vpn/login.esp HTTP/1.1
[2020-04-13 21:20:20] > Host: foo.bar.baz
[2020-04-13 21:20:20] > User-Agent: PAN GlobalProtect
[2020-04-13 21:20:20] > Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE
[2020-04-13 21:20:20] > X-Pad: 000000000000000000000000000000000000000000000000000000000000
[2020-04-13 21:20:20] > Content-Type: application/x-www-form-urlencoded
[2020-04-13 21:20:20] > Content-Length: 196
[2020-04-13 21:20:20] > 
[2020-04-13 21:20:20] > jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&ipv6-support=yes&clientos=Linux&os-version=linux-64&server=foo.bar.baz&computer=origin&user=foobar_user&passwd=foobar_user_passwd
[2020-04-13 21:20:20] Got HTTP response: HTTP/1.1 200 OK
[2020-04-13 21:20:20] Date: Tue, 14 Apr 2020 01:20:20 GMT
[2020-04-13 21:20:20] Content-Type: application/xml; charset=UTF-8
[2020-04-13 21:20:20] Content-Length: 652
[2020-04-13 21:20:20] Connection: keep-alive
[2020-04-13 21:20:20] ETag: "23605da11d19"
[2020-04-13 21:20:20] Pragma: no-cache
[2020-04-13 21:20:20] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2020-04-13 21:20:20] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[2020-04-13 21:20:20] X-FRAME-OPTIONS: DENY
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Set-Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE; secure; HttpOnly
[2020-04-13 21:20:20] Strict-Transport-Security: max-age=31536000;
[2020-04-13 21:20:20] X-XSS-Protection: 1; mode=block;
[2020-04-13 21:20:20] X-Content-Type-Options: nosniff
[2020-04-13 21:20:20] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
[2020-04-13 21:20:20] HTTP body length:  (652)
[2020-04-13 21:20:20] < <?xml version="1.0" encoding="utf-8"?><jnlp><application-desc><argument>(null)</argument><argument>AUTHCOOKIE</argument><argument>AUTHCOOKIE_ARG2</argument><argument>FOOBAR-GP-Gate-N</argument><argument>foobar_user</argument><argument>FOOBAR-GP-Auth</argument><argument>vsys1</argument><argument>bar.baz</argument><argument>(null)</argument><argument></argument><argument></argument><argument></argument><argument>tunnel</argument><argument>-1</argument><argument>4100</argument><argument></argument><argument></argument><argument></argument><argument></argument><argument>4</argument></application-desc></jnlp>
[2020-04-13 21:20:20] GlobalProtect login returned authentication-source=FOOBAR-GP-Auth
[2020-04-13 21:20:20] POST https://foo.bar.baz/ssl-vpn/getconfig.esp
[2020-04-13 21:20:20] > POST /ssl-vpn/getconfig.esp HTTP/1.1
[2020-04-13 21:20:20] > Host: foo.bar.baz
[2020-04-13 21:20:20] > User-Agent: PAN GlobalProtect
[2020-04-13 21:20:20] > Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE
[2020-04-13 21:20:20] > X-Pad: 00000000000000000000000000000000000000000000000000000
[2020-04-13 21:20:20] > Content-Type: application/x-www-form-urlencoded
[2020-04-13 21:20:20] > Content-Length: 267
[2020-04-13 21:20:20] > 
[2020-04-13 21:20:20] > client-type=1&protocol-version=p1&app-version=4.0.5-8&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2cmd5%2csha256&enc-algo=aes-128-cbc%2caes-256-cbc&authcookie=AUTHCOOKIE&portal=FOOBAR-GP-Gate-N&user=foobar_user&domain=bar.baz&computer=origin
[2020-04-13 21:20:20] Got HTTP response: HTTP/1.1 200 OK
[2020-04-13 21:20:20] Date: Tue, 14 Apr 2020 01:20:20 GMT
[2020-04-13 21:20:20] Content-Type: application/xml; charset=UTF-8
[2020-04-13 21:20:20] Content-Length: 1673
[2020-04-13 21:20:20] Connection: keep-alive
[2020-04-13 21:20:20] ETag: "1f35da11d19"
[2020-04-13 21:20:20] Pragma: no-cache
[2020-04-13 21:20:20] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2020-04-13 21:20:20] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[2020-04-13 21:20:20] X-FRAME-OPTIONS: DENY
[2020-04-13 21:20:20] Strict-Transport-Security: max-age=31536000;
[2020-04-13 21:20:20] X-XSS-Protection: 1; mode=block;
[2020-04-13 21:20:20] X-Content-Type-Options: nosniff
[2020-04-13 21:20:20] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
[2020-04-13 21:20:20] HTTP body length:  (1673)
[2020-04-13 21:20:20] < 
[2020-04-13 21:20:20] < 	<response status="success">
[2020-04-13 21:20:20] < 		<need-tunnel>yes</need-tunnel>
[2020-04-13 21:20:20] < 		<ssl-tunnel-url>/ssl-tunnel-connect.sslvpn</ssl-tunnel-url>
[2020-04-13 21:20:20] < 		<portal>FOOBAR-GP-Gate-N</portal>
[2020-04-13 21:20:20] < 		<user>foobar_user</user>
[2020-04-13 21:20:20] < 		<lifetime>2592000</lifetime>
[2020-04-13 21:20:20] < 		<timeout>10800</timeout>
[2020-04-13 21:20:20] < 		<disconnect-on-idle>10800</disconnect-on-idle>
[2020-04-13 21:20:20] < 		<bw-c2s>1000</bw-c2s>
[2020-04-13 21:20:20] < 		<bw-s2c>1000</bw-s2c>
[2020-04-13 21:20:20] < 		<gw-address>VPN_PORTAL_IPV4</gw-address>
[2020-04-13 21:20:20] < 		<ip-address>10.9.6.2</ip-address>
[2020-04-13 21:20:20] < 		<netmask>255.255.255.255</netmask>
[2020-04-13 21:20:20] < 		<ip-address-preferred>yes</ip-address-preferred>
[2020-04-13 21:20:20] < 		<dns>
[2020-04-13 21:20:20] < 			<member>10.20.0.82</member>
[2020-04-13 21:20:20] < 			<member>10.20.0.13</member>
[2020-04-13 21:20:20] < 		</dns> 
[2020-04-13 21:20:20] < 		<wins>
[2020-04-13 21:20:20] < 		</wins> 
[2020-04-13 21:20:20] < 		<dns-suffix>
[2020-04-13 21:20:20] < 			<member>bar.baz</member>
[2020-04-13 21:20:20] < 			<member>ad.bar.baz</member>
[2020-04-13 21:20:20] < 		</dns-suffix> 
[2020-04-13 21:20:20] < 		<default-gateway>10.9.6.2</default-gateway>
[2020-04-13 21:20:20] < 		<mtu>0</mtu>
[2020-04-13 21:20:20] < 		<no-direct-access-to-local-network>no</no-direct-access-to-local-network>
[2020-04-13 21:20:20] < 		<access-routes>
[2020-04-13 21:20:20] < 			<member>0.0.0.0/0</member>
[2020-04-13 21:20:20] < 			<member>10.20.0.82/32</member>
[2020-04-13 21:20:20] < 			<member>10.20.0.13/32</member>
[2020-04-13 21:20:20] < 		</access-routes> 
[2020-04-13 21:20:20] < 		<exclude-access-routes>
[2020-04-13 21:20:20] < 		</exclude-access-routes> 
[2020-04-13 21:20:20] < 		<ipsec>
[2020-04-13 21:20:20] < 			<udp-port>4501</udp-port>
[2020-04-13 21:20:20] < 			<ipsec-mode>esp-tunnel</ipsec-mode>
[2020-04-13 21:20:20] < 			<enc-algo>aes-128-cbc</enc-algo>
[2020-04-13 21:20:20] < 			<hmac-algo>sha1</hmac-algo>
[2020-04-13 21:20:20] < 			<c2s-spi>ESP_OUTGOINGSPI</c2s-spi>
[2020-04-13 21:20:20] < 			<s2c-spi>ESP_INCOMINGSPI</s2c-spi>
[2020-04-13 21:20:20] < 			<akey-s2c>
[2020-04-13 21:20:20] < 				<bits>160</bits>
[2020-04-13 21:20:20] < 				<val>AKEY_S2C_160</val>
[2020-04-13 21:20:20] < 			</akey-s2c> 
[2020-04-13 21:20:20] < 			<ekey-s2c>
[2020-04-13 21:20:20] < 				<bits>128</bits>
[2020-04-13 21:20:20] < 				<val>EKEY_S2C_128</val>
[2020-04-13 21:20:20] < 			</ekey-s2c> 
[2020-04-13 21:20:20] < 			<akey-c2s>
[2020-04-13 21:20:20] < 				<bits>160</bits>
[2020-04-13 21:20:20] < 				<val>AKEY_C2S_160</val>
[2020-04-13 21:20:20] < 			</akey-c2s> 
[2020-04-13 21:20:20] < 			<ekey-c2s>
[2020-04-13 21:20:20] < 				<bits>128</bits>
[2020-04-13 21:20:20] < 				<val>EKEY_C2S_128</val>
[2020-04-13 21:20:20] < 			</ekey-c2s> 
[2020-04-13 21:20:20] < 		</ipsec> 
[2020-04-13 21:20:20] < 	</response>
[2020-04-13 21:20:20] Session will expire after 43200 minutes.
[2020-04-13 21:20:20] Tunnel timeout (rekey interval) is 180 minutes.
[2020-04-13 21:20:20] Idle timeout is 180 minutes.
[2020-04-13 21:20:20] TCP_INFO rcv mss 1460, snd mss 1460, adv mss 1460, pmtu 1500
[2020-04-13 21:20:20] POST https://foo.bar.baz/ssl-vpn/hipreportcheck.esp
[2020-04-13 21:20:20] > POST /ssl-vpn/hipreportcheck.esp HTTP/1.1
[2020-04-13 21:20:20] > Host: foo.bar.baz
[2020-04-13 21:20:20] > User-Agent: PAN GlobalProtect
[2020-04-13 21:20:20] > Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE
[2020-04-13 21:20:20] > X-Pad: 0000000000000000000000000000000000000000000000000000000
[2020-04-13 21:20:20] > Content-Type: application/x-www-form-urlencoded
[2020-04-13 21:20:20] > Content-Length: 201
[2020-04-13 21:20:20] > 
[2020-04-13 21:20:20] > client-role=global-protect-full&authcookie=AUTHCOOKIE&portal=FOOBAR-GP-Gate-N&user=foobar_user&domain=bar.baz&computer=origin&client-ip=10.9.6.2&md5=UNKNOWN_MD5
[2020-04-13 21:20:20] Got HTTP response: HTTP/1.1 200 OK
[2020-04-13 21:20:20] Date: Tue, 14 Apr 2020 01:20:20 GMT
[2020-04-13 21:20:20] Content-Type: application/xml; charset=UTF-8
[2020-04-13 21:20:20] Content-Length: 87
[2020-04-13 21:20:20] Connection: keep-alive
[2020-04-13 21:20:20] ETag: "6a65da11d19"
[2020-04-13 21:20:20] X-Content-Type-Options: nosniff
[2020-04-13 21:20:20] Pragma: no-cache
[2020-04-13 21:20:20] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2020-04-13 21:20:20] Content-Security-Policy: default-src 'self'
[2020-04-13 21:20:20] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[2020-04-13 21:20:20] X-FRAME-OPTIONS: DENY
[2020-04-13 21:20:20] Strict-Transport-Security: max-age=31536000;
[2020-04-13 21:20:20] X-XSS-Protection: 1; mode=block;
[2020-04-13 21:20:20] X-Content-Type-Options: nosniff
[2020-04-13 21:20:20] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
[2020-04-13 21:20:20] HTTP body length:  (87)
[2020-04-13 21:20:20] < 
[2020-04-13 21:20:20] < 	<response status="success">
[2020-04-13 21:20:20] < 		<hip-report-needed>no</hip-report-needed>
[2020-04-13 21:20:20] < 	</response>
[2020-04-13 21:20:20] Gateway says no HIP report submission is needed.
[2020-04-13 21:20:20] Parameters for incoming ESP: SPI ESP_INCOMINGSPI
[2020-04-13 21:20:20] ESP encryption type AES-128-CBC (RFC3602) key ESP_AES128CBC_INCOMING
[2020-04-13 21:20:20] ESP authentication type HMAC-SHA-1-96 (RFC2404) key ESP_HMACSHA196_INCOMING
[2020-04-13 21:20:20] Parameters for outgoing ESP: SPI ESP_OUTGOINGSPI
[2020-04-13 21:20:20] ESP encryption type AES-128-CBC (RFC3602) key ESP_AES128CBC_OUTGOING
[2020-04-13 21:20:20] ESP authentication type HMAC-SHA-1-96 (RFC2404) key ESP_HMACSHA196_OUTGOING
[2020-04-13 21:20:20] Send ESP probes
[2020-04-13 21:20:20] Connected as 10.9.6.2, using SSL, with ESP in progress
[2020-04-13 21:20:20] Received ESP packet of 84 bytes
[2020-04-13 21:20:20] Accepting later-than-expected ESP packet with seq 1 (expected 0)
[2020-04-13 21:20:20] ESP session established with server
[2020-04-13 21:20:20] Received ESP packet of 84 bytes
[2020-04-13 21:20:20] Accepting expected ESP packet with seq 2
[2020-04-13 21:20:20] Received ESP packet of 84 bytes
[2020-04-13 21:20:20] Accepting expected ESP packet with seq 3
[2020-04-13 21:20:20] ESP tunnel connected; exiting HTTPS mainloop.
[2020-04-13 21:20:20] Sent ESP packet of 100 bytes
[2020-04-13 21:20:20] No work to do; sleeping for 10000 ms...
[2020-04-13 21:20:24] Sent ESP packet of 100 bytes
[2020-04-13 21:20:24] No work to do; sleeping for 6000 ms...
[2020-04-13 21:20:30] Send ESP probes for DPD
[2020-04-13 21:20:30] No work to do; sleeping for 5000 ms...
[2020-04-13 21:20:30] Received ESP packet of 84 bytes
[2020-04-13 21:20:30] Accepting expected ESP packet with seq 4
[2020-04-13 21:20:30] No work to do; sleeping for 10000 ms...
[2020-04-13 21:20:33] Sent ESP packet of 100 bytes
[2020-04-13 21:20:33] No work to do; sleeping for 7000 ms...
[2020-04-13 21:20:40] Send ESP probes for DPD
[2020-04-13 21:20:40] No work to do; sleeping for 5000 ms...
[2020-04-13 21:20:40] Received ESP packet of 84 bytes
[2020-04-13 21:20:40] Accepting expected ESP packet with seq 5
[2020-04-13 21:20:40] No work to do; sleeping for 10000 ms...
[2020-04-13 21:20:50] Send ESP probes for DPD
[2020-04-13 21:20:50] No work to do; sleeping for 5000 ms...
[2020-04-13 21:20:50] Received ESP packet of 84 bytes
[2020-04-13 21:20:50] Accepting expected ESP packet with seq 6
[2020-04-13 21:20:50] No work to do; sleeping for 10000 ms...
[2020-04-13 21:20:52] Sent ESP packet of 100 bytes
[2020-04-13 21:20:52] No work to do; sleeping for 8000 ms...
[2020-04-13 21:21:00] Send ESP probes for DPD
[2020-04-13 21:21:00] No work to do; sleeping for 5000 ms...
[2020-04-13 21:21:00] Received ESP packet of 84 bytes
[2020-04-13 21:21:00] Accepting expected ESP packet with seq 7
[2020-04-13 21:21:00] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:10] Send ESP probes for DPD
[2020-04-13 21:21:10] No work to do; sleeping for 5000 ms...
[2020-04-13 21:21:10] Received ESP packet of 84 bytes
[2020-04-13 21:21:10] Accepting expected ESP packet with seq 8
[2020-04-13 21:21:10] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:20] Send ESP probes for DPD
[2020-04-13 21:21:20] No work to do; sleeping for 5000 ms...
[2020-04-13 21:21:20] Received ESP packet of 84 bytes
[2020-04-13 21:21:20] Accepting expected ESP packet with seq 9
[2020-04-13 21:21:20] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:29] Sent ESP packet of 100 bytes
[2020-04-13 21:21:29] No work to do; sleeping for 1000 ms...
[2020-04-13 21:21:30] Send ESP probes for DPD
[2020-04-13 21:21:30] No work to do; sleeping for 5000 ms...
[2020-04-13 21:21:30] Received ESP packet of 84 bytes
[2020-04-13 21:21:30] Accepting expected ESP packet with seq 10
[2020-04-13 21:21:30] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:40] Send ESP probes for DPD
[2020-04-13 21:21:40] No work to do; sleeping for 5000 ms...
[2020-04-13 21:21:40] Received ESP packet of 84 bytes
[2020-04-13 21:21:40] Accepting expected ESP packet with seq 11
[2020-04-13 21:21:40] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:40] Sent ESP packet of 100 bytes
[2020-04-13 21:21:40] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:40] Received ESP packet of 116 bytes
[2020-04-13 21:21:40] Accepting expected ESP packet with seq 12
[2020-04-13 21:21:40] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:40] Sent ESP packet of 100 bytes
[2020-04-13 21:21:40] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:40] Received ESP packet of 164 bytes
[2020-04-13 21:21:40] Accepting expected ESP packet with seq 13
[2020-04-13 21:21:40] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:40] Sent ESP packet of 100 bytes
[2020-04-13 21:21:40] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:40] Received ESP packet of 164 bytes
[2020-04-13 21:21:40] Accepting expected ESP packet with seq 14
[2020-04-13 21:21:40] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:44] Sent ESP packet of 116 bytes
[2020-04-13 21:21:44] No work to do; sleeping for 6000 ms...
[2020-04-13 21:21:44] Received ESP packet of 132 bytes
[2020-04-13 21:21:44] Accepting expected ESP packet with seq 15
[2020-04-13 21:21:44] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:44] Sent ESP packet of 116 bytes
[2020-04-13 21:21:44] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:44] Received ESP packet of 164 bytes
[2020-04-13 21:21:44] Accepting expected ESP packet with seq 16
[2020-04-13 21:21:44] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:44] Sent ESP packet of 116 bytes
[2020-04-13 21:21:44] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:44] Received ESP packet of 164 bytes
[2020-04-13 21:21:44] Accepting expected ESP packet with seq 17
[2020-04-13 21:21:44] No work to do; sleeping for 10000 ms...
[2020-04-13 21:21:54] Send ESP probes for DPD
[2020-04-13 21:21:54] No work to do; sleeping for 5000 ms...
[2020-04-13 21:21:54] Received ESP packet of 84 bytes
[2020-04-13 21:21:54] Accepting expected ESP packet with seq 18
[2020-04-13 21:21:54] No work to do; sleeping for 10000 ms...


[2020-04-14 00:19:03] Received ESP packet of 84 bytes
[2020-04-14 00:19:03] Accepting expected ESP packet with seq 4005
[2020-04-14 00:19:03] No work to do; sleeping for 10000 ms...
[2020-04-14 00:19:13] Send ESP probes for DPD
[2020-04-14 00:19:13] No work to do; sleeping for 5000 ms...
[2020-04-14 00:19:13] Received ESP packet of 84 bytes
[2020-04-14 00:19:13] Accepting expected ESP packet with seq 4006
[2020-04-14 00:19:13] No work to do; sleeping for 7000 ms...
[2020-04-14 00:19:20] GlobalProtect rekey due
[2020-04-14 00:19:20] POST https://foo.bar.baz/ssl-vpn/getconfig.esp
[2020-04-14 00:19:20] SSL negotiation with foo.bar.baz
[2020-04-14 00:19:20] Connected to HTTPS on foo.bar.baz with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
[2020-04-14 00:19:20] > POST /ssl-vpn/getconfig.esp HTTP/1.1
[2020-04-14 00:19:20] > Host: foo.bar.baz
[2020-04-14 00:19:20] > User-Agent: PAN GlobalProtect
[2020-04-14 00:19:20] > Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE
[2020-04-14 00:19:20] > X-Pad: 000000000000000
[2020-04-14 00:19:20] > Content-Type: application/x-www-form-urlencoded
[2020-04-14 00:19:20] > Content-Length: 305
[2020-04-14 00:19:20] > 
[2020-04-14 00:19:20] > client-type=1&protocol-version=p1&app-version=4.0.5-8&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2cmd5%2csha256&enc-algo=aes-128-cbc%2caes-256-cbc&preferred-ip=10.9.6.2&preferred-ipv6=&authcookie=AUTHCOOKIE&portal=FOOBAR-GP-Gate-N&user=foobar_user&domain=bar.baz&computer=origin
[2020-04-14 00:19:20] Got HTTP response: HTTP/1.1 200 OK
[2020-04-14 00:19:20] Date: Tue, 14 Apr 2020 04:19:23 GMT
[2020-04-14 00:19:20] Content-Type: application/xml; charset=UTF-8
[2020-04-14 00:19:20] Content-Length: 1673
[2020-04-14 00:19:20] Connection: keep-alive
[2020-04-14 00:19:20] ETag: "1f35da11d19"
[2020-04-14 00:19:20] Pragma: no-cache
[2020-04-14 00:19:20] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2020-04-14 00:19:20] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[2020-04-14 00:19:20] X-FRAME-OPTIONS: DENY
[2020-04-14 00:19:20] Strict-Transport-Security: max-age=31536000;
[2020-04-14 00:19:20] X-XSS-Protection: 1; mode=block;
[2020-04-14 00:19:20] X-Content-Type-Options: nosniff
[2020-04-14 00:19:20] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
[2020-04-14 00:19:20] HTTP body length:  (1673)
[2020-04-14 00:19:20] < 
[2020-04-14 00:19:20] < 	<response status="success">
[2020-04-14 00:19:20] < 		<need-tunnel>yes</need-tunnel>
[2020-04-14 00:19:20] < 		<ssl-tunnel-url>/ssl-tunnel-connect.sslvpn</ssl-tunnel-url>
[2020-04-14 00:19:20] < 		<portal>FOOBAR-GP-Gate-N</portal>
[2020-04-14 00:19:20] < 		<user>foobar_user</user>
[2020-04-14 00:19:20] < 		<lifetime>2581257</lifetime>
[2020-04-14 00:19:20] < 		<timeout>10800</timeout>
[2020-04-14 00:19:20] < 		<disconnect-on-idle>10800</disconnect-on-idle>
[2020-04-14 00:19:20] < 		<bw-c2s>1000</bw-c2s>
[2020-04-14 00:19:20] < 		<bw-s2c>1000</bw-s2c>
[2020-04-14 00:19:20] < 		<gw-address>VPN_PORTAL_IPV4</gw-address>
[2020-04-14 00:19:20] < 		<ip-address>10.9.6.2</ip-address>
[2020-04-14 00:19:20] < 		<netmask>255.255.255.255</netmask>
[2020-04-14 00:19:20] < 		<ip-address-preferred>yes</ip-address-preferred>
[2020-04-14 00:19:20] < 		<dns>
[2020-04-14 00:19:20] < 			<member>10.20.0.82</member>
[2020-04-14 00:19:20] < 			<member>10.20.0.13</member>
[2020-04-14 00:19:20] < 		</dns> 
[2020-04-14 00:19:20] < 		<wins>
[2020-04-14 00:19:20] < 		</wins> 
[2020-04-14 00:19:20] < 		<dns-suffix>
[2020-04-14 00:19:20] < 			<member>bar.baz</member>
[2020-04-14 00:19:20] < 			<member>ad.bar.baz</member>
[2020-04-14 00:19:20] < 		</dns-suffix> 
[2020-04-14 00:19:20] < 		<default-gateway>10.9.6.2</default-gateway>
[2020-04-14 00:19:20] < 		<mtu>0</mtu>
[2020-04-14 00:19:20] < 		<no-direct-access-to-local-network>no</no-direct-access-to-local-network>
[2020-04-14 00:19:20] < 		<access-routes>
[2020-04-14 00:19:20] < 			<member>0.0.0.0/0</member>
[2020-04-14 00:19:20] < 			<member>10.20.0.82/32</member>
[2020-04-14 00:19:20] < 			<member>10.20.0.13/32</member>
[2020-04-14 00:19:20] < 		</access-routes> 
[2020-04-14 00:19:20] < 		<exclude-access-routes>
[2020-04-14 00:19:20] < 		</exclude-access-routes> 
[2020-04-14 00:19:20] < 		<ipsec>
[2020-04-14 00:19:20] < 			<udp-port>4501</udp-port>
[2020-04-14 00:19:20] < 			<ipsec-mode>esp-tunnel</ipsec-mode>
[2020-04-14 00:19:20] < 			<enc-algo>aes-128-cbc</enc-algo>
[2020-04-14 00:19:20] < 			<hmac-algo>sha1</hmac-algo>
[2020-04-14 00:19:20] < 			<c2s-spi>ESP_OUTGOINGSPI_REKEY</c2s-spi>
[2020-04-14 00:19:20] < 			<s2c-spi>ESP_INCOMINGSPI_REKEY</s2c-spi>
[2020-04-14 00:19:20] < 			<akey-s2c>
[2020-04-14 00:19:20] < 				<bits>160</bits>
[2020-04-14 00:19:20] < 				<val>AKEYS2C_REKEY</val>
[2020-04-14 00:19:20] < 			</akey-s2c> 
[2020-04-14 00:19:20] < 			<ekey-s2c>
[2020-04-14 00:19:20] < 				<bits>128</bits>
[2020-04-14 00:19:20] < 				<val>EKEYS2C_REKEY</val>
[2020-04-14 00:19:20] < 			</ekey-s2c> 
[2020-04-14 00:19:20] < 			<akey-c2s>
[2020-04-14 00:19:20] < 				<bits>160</bits>
[2020-04-14 00:19:20] < 				<val>AKEYC2S_REKEY</val>
[2020-04-14 00:19:20] < 			</akey-c2s> 
[2020-04-14 00:19:20] < 			<ekey-c2s>
[2020-04-14 00:19:20] < 				<bits>128</bits>
[2020-04-14 00:19:20] < 				<val>EKEYC2S_REKEY</val>
[2020-04-14 00:19:20] < 			</ekey-c2s> 
[2020-04-14 00:19:20] < 		</ipsec> 
[2020-04-14 00:19:20] < 	</response>
[2020-04-14 00:19:20] Session will expire after 43020 minutes.
[2020-04-14 00:19:20] Tunnel timeout (rekey interval) is 180 minutes.
[2020-04-14 00:19:20] Idle timeout is 180 minutes.
[2020-04-14 00:19:20] TCP_INFO rcv mss 1460, snd mss 1460, adv mss 1460, pmtu 1500
[2020-04-14 00:19:20] Parameters for incoming ESP: SPI ESP_INCOMINGSPI_REKEY
[2020-04-14 00:19:20] ESP encryption type AES-128-CBC (RFC3602) key ESP_AES128CBC_INCOMING_REKEY
[2020-04-14 00:19:20] ESP authentication type HMAC-SHA-1-96 (RFC2404) key ESP_HMACSHA196_INCOMING_REKEY
[2020-04-14 00:19:20] Parameters for outgoing ESP: SPI ESP_OUTGOINGSPI_REKEY
[2020-04-14 00:19:20] ESP encryption type AES-128-CBC (RFC3602) key ESP_AES128CBC_OUTGOING_REKEY
[2020-04-14 00:19:20] ESP authentication type HMAC-SHA-1-96 (RFC2404) key ESP_HMACSHA196_OUTGOING_REKEY
[2020-04-14 00:19:20] Send ESP probes
[2020-04-14 00:19:20] No work to do; sleeping for 5000 ms...
[2020-04-14 00:19:20] Received ESP packet of 84 bytes
[2020-04-14 00:19:20] Accepting later-than-expected ESP packet with seq 1 (expected 0)
[2020-04-14 00:19:20] ESP session established with server
[2020-04-14 00:19:20] Received ESP packet of 84 bytes
[2020-04-14 00:19:20] Accepting expected ESP packet with seq 2
[2020-04-14 00:19:20] Received ESP packet of 84 bytes
[2020-04-14 00:19:20] Accepting expected ESP packet with seq 3
[2020-04-14 00:19:20] ESP tunnel connected; exiting HTTPS mainloop.
[2020-04-14 00:19:20] No work to do; sleeping for 10000 ms...
[2020-04-14 00:19:23] Sent ESP packet of 132 bytes
[2020-04-14 00:19:23] No work to do; sleeping for 7000 ms...
[2020-04-14 00:19:23] Received ESP packet of 132 bytes
[2020-04-14 00:19:23] Accepting expected ESP packet with seq 4
[2020-04-14 00:19:23] No work to do; sleeping for 10000 ms...
[2020-04-14 00:19:33] Send ESP probes for DPD
[2020-04-14 00:19:33] No work to do; sleeping for 5000 ms...
[2020-04-14 00:19:33] Received ESP packet of 84 bytes
[2020-04-14 00:19:33] Accepting expected ESP packet with seq 5
[2020-04-14 00:19:33] No work to do; sleeping for 10000 ms...
[2020-04-14 00:19:43] Send ESP probes for DPD
[2020-04-14 00:19:43] No work to do; sleeping for 5000 ms...
[2020-04-14 00:19:43] Received ESP packet of 84 bytes
[2020-04-14 00:19:43] Accepting expected ESP packet with seq 6
[2020-04-14 00:19:43] No work to do; sleeping for 10000 ms...
[2020-04-14 00:19:53] Send ESP probes for DPD
[2020-04-14 00:19:53] Sent ESP packet of 132 bytes
[2020-04-14 00:19:53] No work to do; sleeping for 5000 ms...
[2020-04-14 00:19:53] Received ESP packet of 84 bytes
[2020-04-14 00:19:53] Accepting expected ESP packet with seq 7
[2020-04-14 00:19:53] No work to do; sleeping for 10000 ms...
[2020-04-14 00:19:53] Received ESP packet of 132 bytes
[2020-04-14 00:19:53] Accepting expected ESP packet with seq 8
[2020-04-14 00:19:53] No work to do; sleeping for 10000 ms...
[2020-04-14 00:20:03] Send ESP probes for DPD
[2020-04-14 00:20:03] No work to do; sleeping for 5000 ms...
[2020-04-14 00:20:03] Received ESP packet of 84 bytes
[2020-04-14 00:20:03] Accepting expected ESP packet with seq 9
[2020-04-14 00:20:03] No work to do; sleeping for 10000 ms...
[2020-04-14 00:20:13] Send ESP probes for DPD
[2020-04-14 00:20:13] No work to do; sleeping for 5000 ms...
[2020-04-14 00:20:13] Received ESP packet of 84 bytes
[2020-04-14 00:20:13] Accepting expected ESP packet with seq 10
[2020-04-14 00:20:13] No work to do; sleeping for 10000 ms...
[2020-04-14 00:20:23] Send ESP probes for DPD
[2020-04-14 00:20:23] Sent ESP packet of 132 bytes
[2020-04-14 00:20:23] No work to do; sleeping for 5000 ms...
[2020-04-14 00:20:28] Send ESP probes for DPD
[2020-04-14 00:20:28] No work to do; sleeping for 5000 ms...
[2020-04-14 00:20:33] Send ESP probes for DPD
[2020-04-14 00:20:33] No work to do; sleeping for 5000 ms...
[2020-04-14 00:20:38] No work to do; sleeping for 5000 ms...
[2020-04-14 00:20:43] Connecting to HTTPS tunnel endpoint ...
[2020-04-14 00:20:43] SSL negotiation with foo.bar.baz
[2020-04-14 00:20:43] Connected to HTTPS on foo.bar.baz with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
[2020-04-14 00:20:43] > GET /ssl-tunnel-connect.sslvpn?authcookie=AUTHCOOKIE&user=foobar_user HTTP/1.1
[2020-04-14 00:20:43] > 
[2020-04-14 00:20:44] POST https://foo.bar.baz/ssl-vpn/logout.esp
[2020-04-14 00:20:44] SSL negotiation with foo.bar.baz
[2020-04-14 00:20:44] Connected to HTTPS on foo.bar.baz with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
[2020-04-14 00:20:44] > POST /ssl-vpn/logout.esp HTTP/1.1
[2020-04-14 00:20:44] > Host: foo.bar.baz
[2020-04-14 00:20:44] > User-Agent: PAN GlobalProtect
[2020-04-14 00:20:44] > Cookie: PHPSESSID=PHP_SESSION_ID_COOKIE
[2020-04-14 00:20:44] > X-Pad: 000000000000000
[2020-04-14 00:20:44] > Content-Type: application/x-www-form-urlencoded
[2020-04-14 00:20:44] > Content-Length: 113
[2020-04-14 00:20:44] > 
[2020-04-14 00:20:44] > authcookie=AUTHCOOKIE&portal=FOOBAR-GP-Gate-N&user=foobar_user&domain=bar.baz&computer=origin
[2020-04-14 00:20:44] Got HTTP response: HTTP/1.1 200 OK
[2020-04-14 00:20:44] Date: Tue, 14 Apr 2020 04:20:47 GMT
[2020-04-14 00:20:44] Content-Type: application/xml; charset=UTF-8
[2020-04-14 00:20:44] Content-Length: 235
[2020-04-14 00:20:44] Connection: keep-alive
[2020-04-14 00:20:44] ETag: "69f5da11d19"
[2020-04-14 00:20:44] Pragma: no-cache
[2020-04-14 00:20:44] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2020-04-14 00:20:44] Expires: Thu, 19 Nov 1981 08:52:00 GMT
[2020-04-14 00:20:44] X-FRAME-OPTIONS: DENY
[2020-04-14 00:20:44] Strict-Transport-Security: max-age=31536000;
[2020-04-14 00:20:44] X-XSS-Protection: 1; mode=block;
[2020-04-14 00:20:44] X-Content-Type-Options: nosniff
[2020-04-14 00:20:44] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
[2020-04-14 00:20:44] HTTP body length:  (235)
[2020-04-14 00:20:44] < <?xml version="1.0" encoding="UTF-8" ?>
[2020-04-14 00:20:44] < 
[2020-04-14 00:20:44] < 	<response status="error">
[2020-04-14 00:20:44] < 		<portal>FOOBAR-GP-Gate-N</portal>
[2020-04-14 00:20:44] < 		<domain>bar.baz</domain>
[2020-04-14 00:20:44] < 		<user>foobar_user</user>
[2020-04-14 00:20:44] < 		<computer>origin</computer>
[2020-04-14 00:20:44] < 		<error>Invalid user name</error>
[2020-04-14 00:20:44] < 	</response>

Attachment: signature.asc
Description: OpenPGP digital signature
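A triage pass over logs like the one in this message, added here as an example; it is not part of the original post or of openconnect. It pulls out the rekey time, the last ESP packet received, the probes sent without a reply, the fallback to the HTTPS tunnel and the logout error. The function name `triage` and the summary keys are assumptions; the matched strings are those in the log above.

```python
import re
from datetime import datetime

LINE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] (.*)$")
ERROR = re.compile(r"<error>(.*?)</error>")

# Abridged excerpt of the log in the message above (most lines omitted).
SAMPLE = """\
[2020-04-14 00:19:20] GlobalProtect rekey due
[2020-04-14 00:19:20] Send ESP probes
[2020-04-14 00:19:20] Received ESP packet of 84 bytes
[2020-04-14 00:20:13] Send ESP probes for DPD
[2020-04-14 00:20:13] Received ESP packet of 84 bytes
[2020-04-14 00:20:23] Send ESP probes for DPD
[2020-04-14 00:20:28] Send ESP probes for DPD
[2020-04-14 00:20:33] Send ESP probes for DPD
[2020-04-14 00:20:43] Connecting to HTTPS tunnel endpoint ...
[2020-04-14 00:20:44] POST https://foo.bar.baz/ssl-vpn/logout.esp
[2020-04-14 00:20:44] <   <error>Invalid user name</error>
"""

def triage(log_text):
    """Summarise the rekey -> ESP silence -> HTTPS fallback -> logout sequence."""
    s = {"rekey_at": None, "last_esp_rx": None, "unanswered_probes": 0,
         "fallback_at": None, "logout_at": None, "error": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and anything that is not a timestamped entry
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg == "GlobalProtect rekey due":
            s["rekey_at"] = ts
        elif msg.startswith("Send ESP probes"):
            s["unanswered_probes"] += 1      # counted until the next ESP packet arrives
        elif msg.startswith("Received ESP packet"):
            s["last_esp_rx"], s["unanswered_probes"] = ts, 0
        elif msg.startswith("Connecting to HTTPS tunnel endpoint"):
            s["fallback_at"] = ts
        elif msg.startswith("POST ") and msg.endswith("/ssl-vpn/logout.esp"):
            s["logout_at"] = ts
        elif (e := ERROR.search(msg)):
            s["error"] = e.group(1)
    if s["fallback_at"] and s["last_esp_rx"]:
        # How long the ESP channel was silent before the client fell back to HTTPS.
        s["esp_silent_s"] = (s["fallback_at"] - s["last_esp_rx"]).total_seconds()
    if s["rekey_at"] and s["last_esp_rx"]:
        # How long ESP kept working on the new keys after the rekey.
        s["esp_ok_after_rekey_s"] = (s["last_esp_rx"] - s["rekey_at"]).total_seconds()
    return s

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full log file, the same function reports the figures for whichever rekey came last, since `rekey_at` is overwritten on each "GlobalProtect rekey due" line.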

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
