In the past I could connect to a certain Cisco VPN server. I've been away travelling for 7 weeks, and now I'm back home, but no longer able to connect to the VPN server. Today the server suddenly asks me to run a 'Cisco Secure Desktop' trojan, and I've configured OpenConnect to do this (both via a GUI dialog, and the --csd-user command line option to openconnect), still I'm no longer able to get the VPN connection working.
The VPN connection log ends with these four lines repeated over and over again:
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
Do you have any idea about what's happening or how I can fix this?
Would you guess that the problem is a VPN server side configuration change? The 'Cisco Secure Desktop' script perhaps? The VPN server has never asked me to run the 'Cisco Secure Desktop' script before, when I was able to connect. — Or do you think my OS has upgraded OpenConnect to a somehow incompatible version?
"Refreshing .../sdesktop/wait.html", what's that, why? And +CSCOE+, sounds weird.
My OS: Linux Mint 17. OpenConnect version v5.02. Other people are able to connect to the VPN server — they use Mac or Windows, not Linux, though.
Here's the full OpenConnect log:
POST https://vpn.server.com/
Attempting to connect to server 111.222.333.444:443
Using client certificate 'My-Full-Name'
Adding supporting CA 'TC TrustCenter Class 2 L1 CA XI'
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.server.com/
Attempting to connect to server 111.222.333.444:443
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.server.com/+webvpn+/index.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
GET https://vpn.server.com/CACHE/sdesktop/install/binaries/sfinst
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
(... continues forever)
I read here that I could wrap the 'Cisco Secure Desktop' script in a shell script, via the --csd-wrapper option; the suggested script looks like so:
#!/bin/bash -x
exec 2>&1 > /dev/null
CSD_BINARY="$1"
shift
$CSD_BINARY "$@"
This didn't have any effect though.
I've also tested the --no-xmlpost flag, as suggested here, no effect.
Someone suggested installing 32 bit support, but apparently my OS already has that:
$ dpkg --print-foreign-architectures
i386
Here is someone else who has encountered the same problem. It's a ServerFault question, but it was apparently deleted at ServerFault, off-topic over there I'd guess. There were no answers to the question.
Edit: With the -v (verbose) flag, openconnect keeps repeating these lines:
$ openconnect -v -c cert.pem --csd-user=kajmagnus vpn.example.com
...
GET https://vpn.example.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 06 Nov 2014 11:10:18 GMT
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
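
A diagnostic variant of the --csd-wrapper script quoted in the question, as an added example that is not part of the original post or of OpenConnect: it keeps the CSD binary's output and exit status in a private log instead of sending them to /dev/null, and records option names without their values. It assumes, as the quoted wrapper does, that the first argument is the CSD binary; `CSD_LOG` and `csd_run_logged` are names chosen for this example.

```shell
#!/bin/sh
# Added example: diagnostic wrapper for `openconnect --csd-wrapper=<this file>`.
# Assumption (taken from the wrapper quoted above): $1 is the CSD binary,
# the remaining arguments are passed through to it unchanged.
# CSD_LOG is a name chosen for this example, not an OpenConnect setting.
umask 077                                   # keep the log private to this user
CSD_LOG="${CSD_LOG:-${TMPDIR:-/tmp}/csd-wrapper.log}"

csd_run_logged() {
    csd_bin="$1"
    shift
    {
        echo "=== csd-wrapper $(date -u '+%Y-%m-%dT%H:%M:%SZ') ==="
        echo "binary: $csd_bin"
        # Arguments may carry session-specific values: log option names,
        # but only the length of each value.
        for arg in "$@"; do
            case "$arg" in
                -*) echo "option: $arg" ;;
                *)  echo "value: <${#arg} chars>" ;;
            esac
        done
    } >>"$CSD_LOG"

    if [ ! -f "$csd_bin" ]; then
        echo "error: binary not found" >>"$CSD_LOG"
        return 127
    fi
    if [ ! -x "$csd_bin" ]; then
        echo "error: binary not executable" >>"$CSD_LOG"
        return 126
    fi
    # Record the file type (e.g. 32-bit vs 64-bit ELF) when `file` is installed.
    if command -v file >/dev/null 2>&1; then
        file "$csd_bin" >>"$CSD_LOG" 2>&1 || true
    fi

    # Run the binary, keeping its stdout and stderr instead of discarding them.
    "$csd_bin" "$@" >>"$CSD_LOG" 2>&1
    rc=$?
    echo "exit status: $rc" >>"$CSD_LOG"
    return "$rc"
}

# Act as the wrapper only when openconnect passes arguments.
if [ "$#" -gt 0 ]; then
    csd_run_logged "$@"
    exit $?
fi
```

After a connection attempt, the log shows whether the binary was found, what kind of file it is, what it printed, and how it exited.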