Bug 1258103 - Unable to connect to a Cisco Anyconnect(openconnect) network using a Gnome network-manager-applet
Unable to connect to a Cisco Anyconnect(openconnect) network using a Gnome ne...
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: openconnect (Show other bugs)
24
x86_64 Linux
unspecified Severity low
: ---
: ---
Assigned To: David Woodhouse
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-29 01:43 EDT by Henrique Doiche
Modified: 2017-08-08 08:11 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-08 08:11:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Henrique Doiche 2015-08-29 01:43:24 EDT
Description of problem:

Unable to connect to a Cisco AnyConnect VPN using NetworkManager Applet


Version-Release number of selected component (if applicable):

Fedora 22 Mate 

network-manager-applet-1.0.2-1.fc22.x86_64
openconnect-7.06-1.fc22.x86_64
NetworkManager-openconnect-1.0.2-1.fc22.x86_64


How reproducible:


Steps to Reproduce:
1. Create a new Cisco AnyConnect Compatible VPN (openconnect) in Gnome NetworkManager Applet
2. Set gateway in the new AnyConnect Compatible VPN 
3. Set Allow Cisco Secure Desktop
4. Add and define CSD Wrapper Script
5. Add .pem certificates to UserCertificate and User private key Certificate Authentication   

Actual results:

Running journalctl -u NetworkManager.service

It is possible to see:
Aug 29 01:17:20 Punzer NetworkManager[1041]: <error> [1440821840.833142] [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb(): (523e2bc9-566c-46e7-9c95-0700f85eb12e/VPN - SAS) fi
Aug 29 01:17:57 Punzer NetworkManager[1041]: <error> [1440821877.781828] [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb(): (523e2bc9-566c-46e7-9c95-0700f85eb12e/IVPN - SAS) fi
Aug 29 01:19:58 Punzer NetworkManager[1041]: <error> [1440821998.224235] [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb(): (523e2bc9-566c-46e7-9c95-0700f85eb12e/VPN - SAS) fi
Aug 29 01:22:16 Punzer NetworkManager[1041]: <error> [1440822136.875336] [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb(): (523e2bc9-566c-46e7-9c95-0700f85eb12e/VPN - SAS) fi
Aug 29 01:28:03 Punzer NetworkManager[1041]: <error> [1440822483.876389] [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb(): (523e2bc9-566c-46e7-9c95-0700f85eb12e/VPN - SAS) fi


Also the network-manager-applet VPN logs shows:

POST https://sasvpn.xxx.com/
Attempting to connect to server xx.33.xx.50:443
Using certificate file /home/rick/VPN/USER-CERTIFICATE.pem
Using private key file /home/rick/VPN/PRIVATE-KEY.pem
Using client certificate 'Rick'
SSL negotiation with sasvpn.xxx.com
Connected to HTTPS on sasvpn.xxx.com
Got HTTP response: HTTP/1.0 302 Temporary moved
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 28 Aug 2015 22:42:11 GMT
X-Frame-Options: SAMEORIGIN
Location: https://sasvpn03.xxx.com/
HTTP body length:  (0)
POST https://xx.33.xx.50:443/
Attempting to connect to server xx.33.xx.53:443
SSL negotiation with sasvpn03.xxx.com
Connected to HTTPS on sasvpn03.xxx.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 28 Aug 2015 22:42:13 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
POST https://sasvpn03.xxx.com/
SSL negotiation with sasvpn03.xxx.com
Connected to HTTPS on sasvpn03.xxx.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 28 Aug 2015 22:42:13 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
GET https://sasvpn03.xxx.com/+CSCOE+/sdesktop/wait.html
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 28 Aug 2015 22:42:14 GMT
X-Frame-Options: SAMEORIGIN
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://sasvpn03.xxx.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with sasvpn03.xxx.com
Connected to HTTPS on sasvpn03.xxx.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 28 Aug 2015 22:42:15 GMT
X-Frame-Options: SAMEORIGIN
Location: /
Set-Cookie: sdesktop=000AE4C219EEED0D799A6BA4; path=/; secure
HTTP body chunked (-2)
POST https://sasvpn03.xxx.com/
SSL negotiation with sasvpn03.xxx.com
Connected to HTTPS onsasvpn03.xxx.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 28 Aug 2015 22:42:16 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)




Expected results:

If I run openconnect from command line it connects successfully!


openconnect -v -c /home/rick/VPN/USER-CERTIFICATE.pem -k /home/rick/VPN/PRIVATE-KEY.pem --no-xmlpost --disable-ipv6 -i vpn0 sasvpn.xxx.com --csd-wrapper=/usr/share/ohsd.py


GET https://sasvpn.xxx.com/
Attempting to connect to server xx.33.xx.50:443
Using certificate file /home/rick/VPN/USER-CERTIFICATE.pem
Using private key file /home/rick/VPN/PRIVATE-KEY.pem
Using client certificate 'Rick'
SSL negotiation with sasvpn.xxx.com
Connected to HTTPS on sasvpn.xxx.com
Got HTTP response: HTTP/1.0 302 Temporary moved
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 28 Aug 2015 22:42:48 GMT
X-Frame-Options: SAMEORIGIN
Location: https://sasvpn03.xxx.com/
HTTP body length:  (0)
GET https://sasvpn03.xxx.com/
Attempting to connect to server xx.33.xx.53:443
SSL negotiation with sasvpn03.xxx.com
Connected to HTTPS on sasvpn03.xxx.com/
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0SASCert; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 28 Aug 2015 22:42:49 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://sasvpn03.xxx.com//+webvpn+/index.html
SSL negotiation with sasvpn03.xxx.com/
Connected to HTTPS on sasvpn03.xxx.com/
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
GET https://sasvpn03.xxx.com//CACHE/sdesktop/install/binaries/sfinst
SSL negotiation with sasvpn03.xxx.com/
Connected to HTTPS on sasvpn03.xxx.com/
Got HTTP response: HTTP/1.1 200 OK
Content-Length: 916
Cache-Control: max-age=0
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body length:  (916)
GET https://sasvpn03.xxx.com//+CSCOE+/sdesktop/wait.html
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 28 Aug 2015 22:42:52 GMT
X-Frame-Options: SAMEORIGIN
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
Open Honor System Desktop: gateway ACCEPTED our response
GET https://sasvpn03.xxx.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with sasvpn03.xxx.com
Connected to HTTPS on sasvpn03.xxx.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 28 Aug 2015 22:42:54 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: sdesktop=0FDA5721507051992EE7A000; path=/; secure
HTTP body chunked (-2)
GET https://sasvpn03.xxx.com/+webvpn+/index.html
SSL negotiation with sasvpn03.xxx.com
Connected to HTTPS on sasvpn03.xxx.com
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: tg=1SASCert; expires=Sat, 29 Aug 2015 06:42:55 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&ch:75139F7A585E9C&sh:BDD409C67A65434036C1&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2Fxxx.xml&fh:E2B89A7C6; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: 9.9.227.9
X-CSTP-Netmask: 255.255.240.0
X-CSTP-DNS: 9.9.9.9
X-CSTP-DNS: 9.9.9.10
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 1800
X-CSTP-Disconnected-Timeout: 1800
X-CSTP-Default-Domain: xxx.com
X-CSTP-Split-Include: 200.200.200.255/255.255.255.255
X-CSTP-Split-DNS: xxx.com
X-CSTP-Split-DNS: xyz.com
X-CSTP-Split-DNS: xww.com
X-CSTP-Split-DNS: wxz.com
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 63AC7D4F
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES256-SHA
X-DTLS-Content-Encoding: lzs
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-DAP-User-Message: 
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(DHE-RSA-1024)-(AES-256-CBC)-(SHA256)
DTLS option X-DTLS-Session-ID : 63AC7D4F
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS option X-DTLS-Content-Encoding : lzs
DTLS initialised. DPD 30, Keepalive 20
Connected tun0 as 9.9.X.51, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).



Additional info:

What I could notice is that from command line openconnect starts with a GET parameter and from network-manager-applet it starts with a POST parameter.

Log from openconnect using command line: 

GET https://sasvpn.xxx.com/
Attempting to connect to server xx.33.xx.50:443


log from Openconnect using  NetworkManager Applet: 

POST https://sasvpn.xxx.com/
Attempting to connect to server xx.33.xx.50:443


Thank you in advanced,
Comment 1 Henrique Doiche 2015-08-29 09:15:27 EDT
I'm also adding "/etc/NetworkManager/system-connections/SAS " NetworkManager config file.


[connection]
id=SAS
uuid=523e2bc9-566c-46e7-9c95-0700f85eb12e
type=vpn
autoconnect=false
permissions=
secondaries=

[vpn]
enable_csd_trojan=yes
xmlconfig-flags=0
pem_passphrase_fsid=no
gwcert-flags=2
gateway-flags=2
autoconnect-flags=0
lasthost-flags=0
userkey=/home/rick/VPN/PRIVATE-KEY.pem
usercert=/home/rick/VPN/USER-CERTIFICATE.pem
stoken_source=disabled
certsigs-flags=0
cookie-flags=2
csd_wrapper=/usr/share/ohsd.py
gateway=sasvpn.xxx.com
authtype=cert
service-type=org.freedesktop.NetworkManager.openconnect

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
ip6-privacy=0
method=ignore
Comment 2 Fedora Admin XMLRPC Client 2015-10-14 10:50:16 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Henrique Doiche 2015-12-30 21:08:19 EST
Hi Guys, any news regarding the implementation of --no-xmlpost on Fedora network-manager-applet?

Thank you
Comment 4 Henrique Doiche 2015-12-31 06:52:03 EST
It looks like that this issue has been corrected for Ubuntu already:
https://bugs.launchpad.net/ubuntu/+source/openconnect/+bug/1229195

Unfortunately I could not alien libopenconnect2 to Fedora 22.

Anyway, do we have any news regarding the implementation of --no-xmlpost on Fedora network-manager-applet?


Thank you in advanced,
Comment 5 Lubomir Rintel 2016-04-18 05:26:55 EDT
(In reply to Henrique Doiche from comment #0)
> Running journalctl -u NetworkManager.service
> 
> It is possible to see:
> Aug 29 01:17:20 Punzer NetworkManager[1041]: <error> [1440821840.833142]
> [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb():
> (523e2bc9-566c-46e7-9c95-0700f85eb12e/VPN - SAS) fi
> Aug 29 01:17:57 Punzer NetworkManager[1041]: <error> [1440821877.781828]
> [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb():
> (523e2bc9-566c-46e7-9c95-0700f85eb12e/IVPN - SAS) fi
> Aug 29 01:19:58 Punzer NetworkManager[1041]: <error> [1440821998.224235]
> [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb():
> (523e2bc9-566c-46e7-9c95-0700f85eb12e/VPN - SAS) fi
> Aug 29 01:22:16 Punzer NetworkManager[1041]: <error> [1440822136.875336]
> [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb():
> (523e2bc9-566c-46e7-9c95-0700f85eb12e/VPN - SAS) fi
> Aug 29 01:28:03 Punzer NetworkManager[1041]: <error> [1440822483.876389]
> [vpn-manager/nm-vpn-connection.c:1840] plugin_need_secrets_cb():
> (523e2bc9-566c-46e7-9c95-0700f85eb12e/VPN - SAS) fi

^^^ That is, "final secrets request failed to provide sufficient secrets"

> If I run openconnect from command line it connects successfully!
> 
> 
> openconnect -v -c /home/rick/VPN/USER-CERTIFICATE.pem -k
> /home/rick/VPN/PRIVATE-KEY.pem --no-xmlpost --disable-ipv6 -i vpn0
> sasvpn.xxx.com --csd-wrapper=/usr/share/ohsd.py

You shouldn't need to use --no-xmlpost. Does the connection from command line work without the option?
Comment 6 Fedora End Of Life 2016-07-19 16:13:22 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 7 Henrique Doiche 2016-10-13 20:55:09 EDT
Hi Lubomir Rintel, thank you for your time.

This bugs still exists on Fedora 24.

Actually answering your question:

"You shouldn't need to use --no-xmlpost. Does the connection from command line work without the option?"

No it does not work without the --no-xmlpost.

Please let me know if you need any info from my environment.

Thank you in advanced,
Comment 8 David Woodhouse 2017-06-14 03:41:17 EDT
Please can I see the contents of the 200 response you get to the POST, when you use the command line without --no-xmlpost but with --dump-http-traffic.

You can send it by private email if you prefer.
Comment 9 Fedora End Of Life 2017-07-25 15:12:49 EDT
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 10 Fedora End Of Life 2017-08-08 08:11:05 EDT
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.