Bug 991653

Summary: Openconnect VPN cannot start in gnome3 f19
Product: [Fedora] Fedora Reporter: enrico <enrico.brambilla>
Component: NetworkManager-openconnectAssignee: David Woodhouse <dwmw2>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: danw, dcbw, dwmw2, enrico.brambilla, fedora
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openconnect-5.02-1.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-03 08:31:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description enrico 2013-08-03 10:18:55 UTC 
Description of problem:
OpenConnect VPN connection via NetworkManager fails with the following messages in /var/log/messages:

Aug  3 12:06:23 tweety NetworkManager[517]: <info> Starting VPN service 'openconnect'...
Aug  3 12:06:23 tweety NetworkManager[517]: <info> VPN service 'openconnect' started (org.freedesktop.NetworkManager.openconnect), PID 7895
Aug  3 12:06:23 tweety NetworkManager[517]: <info> VPN service 'openconnect' appeared; activating connections
Aug  3 12:06:36 tweety fprintd[7859]: ** Message: No devices in use, exit
Aug  3 12:06:37 tweety NetworkManager[517]: <info> VPN plugin state changed: starting (3)
Aug  3 12:06:37 tweety NetworkManager[517]: <info> VPN connection 'Mycompany Corp.' (Connect) reply received.
Aug  3 12:06:37 tweety NetworkManager[517]: <warn> /sys/devices/virtual/net/vpn0: couldn't determine device driver; ignoring...
Aug  3 12:06:37 tweety openconnect[7909]: Attempting to connect to server ipaddressremoved:443
Aug  3 12:06:38 tweety openconnect[7909]: SSL negotiation with myaccess.mycompanyvpn.com
Aug  3 12:06:38 tweety openconnect[7909]: Connected to HTTPS on myaccess.mycompanyvpn.com
Aug  3 12:06:39 tweety openconnect[7909]: Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Aug  3 12:06:39 tweety avahi-daemon[473]: Withdrawing workstation service for vpn0.
Aug  3 12:06:39 tweety NetworkManager[517]: <warn> VPN plugin failed: 0
Aug  3 12:06:39 tweety NetworkManager[517]: <info> VPN plugin state changed: stopped (6)
Aug  3 12:06:39 tweety NetworkManager[517]: <info> VPN plugin state change reason: 10
Aug  3 12:06:39 tweety NetworkManager[517]: <info> Policy set 'wargames' (wlp2s0) as default for IPv4 routing and DNS.
Aug  3 12:06:39 tweety NetworkManager[517]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Aug  3 12:06:44 tweety NetworkManager[517]: <info> VPN service 'openconnect' disappeared
Aug  3 12:07:06 tweety /etc/gdm/Xsession[7048]: (process:7913): GLib-CRITICAL **: g_slice_set_config: assertion `sys_page_size == 0' failed
Aug  3 12:07:11 tweety /etc/gdm/Xsession[7048]: Avviso del window manager: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x2e0007f (Mozilla Fi)
Aug  3 12:07:11 tweety /etc/gdm/Xsession[7048]: Avviso del window manager: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.

Works fine on command line as root.


Version-Release number of selected component (if applicable):
openconnect-5.01-1.fc19.x86_64
gnome-desktop3-3.8.2-2.fc19.x86_64
NetworkManager-openconnect-0.9.7.0-2.git20120918.fc19.x86_64

How reproducible:
Define a new Openconnect VPN and try to start it in the graphical interface.

Steps to Reproduce:
1. define a simple openconnect connection via network manager applet
2. specify a vpn gateway
3. save it
4. tail -100f /var/log/messages in a shell as root
5. try to connect
6. see the above messages

Actual results:
VPN connection cannot start

Expected results:
VPN connection starts

Additional info:
Worked perfectly in f18.
Comment 1 sgs 2013-12-18 08:51:26 UTC 
We have the exact same problem, although another openconnect VPN works fine:

This happens with the failing one:

Dec 18 09:45:58 golem NetworkManager[924]: <info> VPN plugin state changed: starting (3)
Dec 18 09:45:58 golem NetworkManager[924]: <info> VPN connection 'TU-Berlin' (Connect) reply received.
Dec 18 09:45:58 golem NetworkManager[924]: <warn> /sys/devices/virtual/net/vpn0: couldn't determine device driver; ignoring...
Dec 18 09:45:58 golem openconnect[1375]: Attempting to connect to server 130.149.5.50:443
Dec 18 09:45:58 golem openconnect[1375]: SSL negotiation with vpn.tu-berlin.de
Dec 18 09:45:58 golem openconnect[1375]: Connected to HTTPS on vpn.tu-berlin.de
Dec 18 09:45:58 golem openconnect[1375]: Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Dec 18 09:45:58 golem avahi-daemon[792]: Withdrawing workstation service for vpn0.
Dec 18 09:45:59 golem NetworkManager[924]: <warn> VPN plugin failed: 0
Dec 18 09:45:59 golem NetworkManager[924]: <info> VPN plugin state changed: stopped (6)
Dec 18 09:45:59 golem NetworkManager[924]: <info> VPN plugin state change reason: 10
Dec 18 09:45:59 golem NetworkManager[924]: <info> Policy set 'Auto Fuchsbau25' (wlp3s0) as default for IPv4 routing and DNS.
Dec 18 09:45:59 golem NetworkManager[924]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Dec 18 09:45:59 golem nm-applet[1629]: (nm-applet:1629): nm-applet-WARNING **: Failed to show notification: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Notifications was not provided by any .service files
Dec 18 09:45:59 golem NetworkManager[924]:    keyfile: updating /etc/NetworkManager/system-connections/TU-Berlin
Dec 18 09:46:04 golem NetworkManager[924]: <info> VPN service 'openconnect' disappeared

Manual connection works:

λ ~/ sudo openconnect vpn.tu-berlin.de 
POST https://vpn.tu-berlin.de/
Attempting to connect to server 130.149.5.50:443
SSL negotiation with vpn.tu-berlin.de
Connected to HTTPS on vpn.tu-berlin.de
Got HTTP response: HTTP/1.0 302 Temporary moved
POST https://asa-03.vpn.tu-berlin.de/
Attempting to connect to server 130.149.5.53:443
SSL negotiation with asa-03.vpn.tu-berlin.de
Connected to HTTPS on asa-03.vpn.tu-berlin.de
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.tu-berlin.de/
SSL negotiation with vpn.tu-berlin.de
Connected to HTTPS on vpn.tu-berlin.de
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.tu-berlin.de/+webvpn+/index.html
SSL negotiation with vpn.tu-berlin.de
Connected to HTTPS on vpn.tu-berlin.de
Please enter your username and password.
Username:<USER>
Password:<PASSWORD>
POST https://vpn.tu-berlin.de/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as <IP>, using SSL
Established DTLS connection (using GnuTLS)

This one also works from NetworkManager, it obviously uses a different protocol (XML POST):

λ ~/ sudo openconnect vpn.fu-berlin.de 
POST https://vpn.fu-berlin.de/
Attempting to connect to server 160.45.252.2:443
SSL negotiation with vpn.fu-berlin.de
Connected to HTTPS on vpn.fu-berlin.de
XML POST enabled
Please enter your username and password.
Username:<USER>
Password:<PASSWORD>
POST https://vpn.fu-berlin.de/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as <IP>, using SSL
Established DTLS connection (using GnuTLS)
Comment 2 Fedora Update System 2014-01-02 00:32:25 UTC 
openconnect-5.02-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/openconnect-5.02-1.fc19
Comment 3 Fedora Update System 2014-01-02 00:32:26 UTC 
openconnect-5.02-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/openconnect-5.02-1.fc20
Comment 4 Fedora Update System 2014-01-03 08:31:02 UTC 
openconnect-5.02-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-01-03 08:35:10 UTC 
openconnect-5.02-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.