Hello Dan,
thank you very much for your reply!
Hereby you receive a "clean and fresh" syslog (uncut) for better
detection of the mentioned errors. Furthermore you get the data from the
server:
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
I am wondering about the fact that NetworkManager does not cause any
problems when reconnecting the VPN. This only seems to appear when using
Connman?
Would there be an option to run a small cron job script to renew the
cookie every few hours automatically? I guess no, because when running the
OpenConnect command (to recreate the cookie) you have to enter your
password and answer several other user prompts?
Do you need more logfiles to assess the current problem situation?
I am happy to hear from you!
Thanks a lot for your help!
With best regards
David
On 08/23/2018 07:57 PM, Daniel Lenski wrote:
> On Thu, Aug 23, 2018 at 8:15 AM <[email protected]> wrote:
>> Hello together,
>>
>> a few months ago I was asking for help on how to set up an
>> OpenConnect-based VPN connection with Cisco Secure Desktop in Connman.
>>
>> Thanks to your great advice a friend made it work yesterday! Hereby the
>> VPN connection is working perfectly, but just for a few hours.
>>
>> --------------------------------------------------------------------------
>>
>> Unfortunately we still have this small error, which will be easy for you
>> guys to solve. The VPN connection is seriously working perfectly in the
>> beginning, but always a few hours later this error in /var/log/syslog
>> occurs when trying to reconnect:
>>
>> "openconnect[1810]: Server certificate verify failed: signer not found"
> I don't think this is the real, significant error message here. You
> should include more of the surrounding log messages from OpenConnect.
>
>> Hereby all approaches to reconnect the VPN fail. After creating a new
>> cookie by...
>>
>> $ sudo openconnect --csd-wrapper=/home/user/.cisco/csd-wrapper.sh
>> --authenticate --user <username> <hostname>
>>
>> ... and pasting this new cookie into /var/lib/connman-vpn/vpnname.config
>> (overwriting the old one) the connection will work perfect for the next
>> few hours until it fails again.
>> Do you have any ideas about why this cookie has to be renewed every few
>> hours? Is there any option on how to avoid this behavior?
> Is your server limiting the cookie lifetime to a few hours? If so,
> there's nothing the client can do about it.
>
> If you run `openconnect -vvvv --dump`, you'll see that Cisco servers
> spit out a few headers like this upon initial connection:
>
> X-CSTP-Lease-Duration: 864000
> X-CSTP-Session-Timeout: none
> X-CSTP-Idle-Timeout: 3600
> X-CSTP-Disconnected-Timeout: 3600
>
> I don't understand the exact definitions of these, but they basically
> mean that…
> - if my session is idle for 1 hour (3600s), it gets disconnected.
> - If I remain disconnected for 1 hour (3600s), then my authorization
> cookie becomes invalid
> - No matter what, the authorization cookie/session expires after 10
> hours (864000s)
>
> Dan
>
Aug 24 00:14:51 <hostname> connmand[444]: lo {newlink} index 1 address 00:00:00:00:00:00 mtu 65536
Aug 24 00:14:51 <hostname> connmand[444]: lo {newlink} index 1 operstate 0 <UNKNOWN>
Aug 24 00:14:51 <hostname> connmand[444]: wlo1 {RX} 2144 packets 324319 bytes
Aug 24 00:14:51 <hostname> connmand[444]: wlo1 {TX} 700 packets 95990 bytes
Aug 24 00:14:51 <hostname> connmand[444]: wlo1 {newlink} index 2 address A0:88:B4:CE:37:88 mtu 1500
Aug 24 00:14:51 <hostname> connmand[444]: wlo1 {newlink} index 2 operstate 6 <UP>
Aug 24 00:14:51 <hostname> connmand[444]: enp0s25 {RX} 654630 packets 933506052 bytes
Aug 24 00:14:51 <hostname> connmand[444]: enp0s25 {TX} 347735 packets 55598367 bytes
Aug 24 00:14:51 <hostname> connmand[444]: enp0s25 {newlink} index 3 address 44:1E:A1:CE:F6:DD mtu 1500
Aug 24 00:14:51 <hostname> connmand[444]: enp0s25 {newlink} index 3 operstate 6 <UP>
Aug 24 00:14:51 <hostname> connmand[444]: virbr0 {RX} 331806 packets 46180772 bytes
Aug 24 00:14:51 <hostname> connmand[444]: virbr0 {TX} 629481 packets 906730137 bytes
Aug 24 00:14:51 <hostname> connmand[444]: virbr0 {newlink} index 4 address 52:54:00:E0:EE:D9 mtu 1500
Aug 24 00:14:51 <hostname> connmand[444]: virbr0 {newlink} index 4 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connmand[444]: virbr0-nic {newlink} index 5 address 52:54:00:E0:EE:D9 mtu 1500
Aug 24 00:14:51 <hostname> connmand[444]: virbr0-nic {newlink} index 5 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connmand[444]: ipconfig state 2 ipconfig method 1
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {create} index 23 type 65534 <NONE>
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {update} flags 4240 <DOWN>
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {newlink} index 23 address 00:00:00:00:00:00 mtu 1500
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {newlink} index 23 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {create} index 23 type 65534 <NONE>
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {update} flags 4240 <DOWN>
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {newlink} index 23 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connmand[444]: ipconfig state 2 ipconfig method 1
Aug 24 00:14:51 <hostname> openconnect[4476]: Connected to <VPN server IP>:443
Aug 24 00:14:51 <hostname> openconnect[4476]: SSL negotiation with <VPN server IP>
Aug 24 00:14:51 <hostname> openconnect[4476]: Server certificate verify failed: signer not found
Aug 24 00:14:51 <hostname> openconnect[4476]: Connected to HTTPS on <VPN server IP>
Aug 24 00:14:51 <hostname> openconnect[4476]: Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {dellink} index 23 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connmand[444]: (null) {remove} index 23
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {dellink} index 23 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {remove} index 23
Aug 24 00:14:51 <hostname> connmand[444]: ipconfig state 7 ipconfig method 1
Aug 24 00:14:51 <hostname> connmand[444]: ipconfig state 6 ipconfig method 1
_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
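An added example to go with the thread above; it is not code from either poster or from the OpenConnect project. It does two things a reader of this exchange would want to check: it parses the X-CSTP headers David pasted and applies Dan's reading of them (which Dan himself calls uncertain, so the expiry model here is an assumption, not Cisco's documented semantics) to decide whether a cookie should still be accepted at a given time; and it triages the openconnect lines from the syslog excerpt to show which message actually ended the reconnect attempt. The log lines, host name, IP address and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the headers David's server returned
# (lease 1209600 s = 14 days, idle 1800 s, disconnected 1800 s).
CSTP_HEADERS = """\
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
"""

# Constructed sample input modelled on the openconnect lines in the syslog
# excerpt; "host" and 192.0.2.10 are placeholders.
SYSLOG = """\
Aug 24 00:14:51 host connmand[444]: vpn0 {create} index 23 type 65534 <NONE>
Aug 24 00:14:51 host openconnect[4476]: Connected to 192.0.2.10:443
Aug 24 00:14:51 host openconnect[4476]: SSL negotiation with 192.0.2.10
Aug 24 00:14:51 host openconnect[4476]: Server certificate verify failed: signer not found
Aug 24 00:14:51 host openconnect[4476]: Connected to HTTPS on 192.0.2.10
Aug 24 00:14:51 host openconnect[4476]: Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Aug 24 00:14:51 host connmand[444]: vpn0 {dellink} index 23 operstate 2 <DOWN>
"""


def parse_cstp_headers(text):
    """Return {header name: seconds as int, or None when the value is 'none'}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(X-CSTP-[A-Za-z-]+):\s*(\S+)$", line.strip())
        if m:
            name, value = m.groups()
            out[name] = None if value.lower() == "none" else int(value)
    return out


def cookie_status(headers, issued_at, last_traffic_at, now):
    """Assumed model of the header semantics, following Dan's reading:
    - idle longer than X-CSTP-Idle-Timeout disconnects the session;
    - staying disconnected longer than X-CSTP-Disconnected-Timeout kills the cookie;
    - X-CSTP-Lease-Duration bounds the cookie's life regardless.
    """
    lease = headers.get("X-CSTP-Lease-Duration")
    idle = headers.get("X-CSTP-Idle-Timeout")
    disc = headers.get("X-CSTP-Disconnected-Timeout")
    if lease is not None and now - issued_at >= timedelta(seconds=lease):
        return "expired: lease duration exceeded"
    if idle is not None and now - last_traffic_at >= timedelta(seconds=idle):
        disconnected_at = last_traffic_at + timedelta(seconds=idle)
        if disc is not None and now - disconnected_at >= timedelta(seconds=disc):
            return "expired: disconnected longer than X-CSTP-Disconnected-Timeout"
        return "disconnected by idle timeout; cookie still usable for reconnect"
    return "valid"


def triage_openconnect(syslog_text):
    """Pick out openconnect lines and decide which one ended the attempt.

    Returns (fatal_reason or None, list of warnings). A certificate warning
    that is followed by 'Connected to HTTPS' did not stop the connection,
    so it is reported as a warning rather than the cause.
    """
    oc_lines = [l for l in syslog_text.splitlines() if "openconnect[" in l]
    connected_https = any("Connected to HTTPS" in l for l in oc_lines)
    warnings, fatal = [], None
    for line in oc_lines:
        msg = line.split("]: ", 1)[1]
        if "certificate verify failed" in msg:
            if connected_https:
                warnings.append("certificate not verified against a trusted "
                                "signer, but the TLS session proceeded")
            else:
                fatal = "TLS certificate verification stopped the connection"
        elif "401 Unauthorized" in msg:
            fatal = ("server answered 401 Unauthorized: the authentication "
                     "cookie was rejected (expired or invalid)")
    return fatal, warnings


if __name__ == "__main__":
    hdrs = parse_cstp_headers(CSTP_HEADERS)
    t0 = datetime(2018, 8, 23, 22, 0, 0)  # constructed cookie issue time
    for minutes in (20, 45, 120):
        print(minutes, "min without traffic:",
              cookie_status(hdrs, t0, t0, t0 + timedelta(minutes=minutes)))
    fatal, warns = triage_openconnect(SYSLOG)
    print("fatal:", fatal)
    for w in warns:
        print("warning:", w)
```

With David's values the model predicts a cookie that survives a short idle gap but dies once the machine has been silent for an hour (30 minutes to idle-disconnect plus 30 minutes of disconnected timeout), while the 14-day lease is nowhere near being hit; the triage classifies the 401 as the fatal event and the "signer not found" line as a warning, matching Dan's point that the certificate message is not the significant error here.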