I can no longer work from home over VPN ?

2018-05-30 13:54:17.125Z

I can no longer connect to our VPN server and work from home. Today the server suddenly asks me to run a 'Cisco Secure Desktop' trojan, and I've configured OpenConnect to do this (both via a GUI dialog, and the --csd-user command line option to openconnect), still I'm no longer able to get the VPN connection working.

The VPN connection log ends with these four lines repeated over and over again:

GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...

Do you have any idea about what's happening or how I can fix this?

Would you guess that the problem is a VPN server side configuration change? The 'Cisco Secure Desctop' script perhaps? The VPN server has never asked me to run the 'Cisco Secure Desktop' script before, when I was able to connect. — Or do you think my OS has upgraded OpenConnect to a somehow incompatible version?

"Refreshing .../sdesktop/wait.html", what's that, why? And +CSCOE+, sounds weird.

My OS: Linux Mint 17. OpenConnect version v5.02. Other people are able to connect to the VPN server — they use Mac or Windows, not Linux, though.

Here's the full OpenConnect log:

POST https://vpn.server.com/
Attempting to connect to server 111.222.333.444:443
Using client certificate 'My-Full-Name'
Adding supporting CA 'TC TrustCenter Class 2 L1 CA XI'
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.server.com/
Attempting to connect to server 111.222.333.444:443
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.server.com/+webvpn+/index.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
GET https://vpn.server.com/CACHE/sdesktop/install/binaries/sfinst
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
(... continues forever)

Edit With the -v (verbose) flag, openconnect keeps repeating these lines:

$ openconnect -v -c cert.pem --csd-user=kajmagnus vpn.example.com
...
GET https://vpn.example.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 06 Nov 2014 11:10:18 GMT
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...

Solved in post #5, click to view

Reply9 Likes

36 replies

There are 36 replies. Estimated reading time: 5 minutes

A
@achara
2018-05-30 13:59:41.356Z
Try wrapping the 'Cisco Secure Desktop' script in a shell script, via the --csd-wrapper option, like so:

#!/bin/bash -x exec 2>&1 > /dev/null CSD_BINARY="$1" shift $CSD_BINARY "$@"

You can read more here -- apparently there's something wrong about how OpenConnect calls the binary.
Reply 1 Disagree 1 Like
1. M @Magnus
  2018-05-30 14:46:32.579Z
  Thanks! This didn't have any effect though.
  Reply
T
In reply toMagnus⬆:
Thamas Davis @thamas
2018-05-30 14:07:44.134Z
You could try adding --no-xmlpost. It makes OpenConnect behave more like older versions, maybe some compatibility issue.
Reply 1 Like
1. M @Magnus
  2018-05-30 14:47:06.467Z
  This didn't help. Thanks anyway
  Reply 1 Disagree
  N Novica Jajcanin @Novica
  2019-02-02 10:18:41.177Z
  Nobody knkws this...
  
  Reply
  C @coolio312
  2021-07-15 15:20:08.104Z
  Interesting
  
  Reply
  C @coolio312
  2021-07-15 15:20:23.228Z
  How many levels
  
  Reply
  In reply toMagnus⬆:
  S sdfhsjdfh @sdfjsdfn
  2022-08-24 06:51:31.091Z
  kdjsngjksndgjkdsnnsdklfn
  
  Reply
2. In reply tothamas⬆:
  G Robe tus @Gdjwjd
  2020-05-02 20:47:07.598Z
  https://mobile.twitter.com/nicolasyanez/status/1256685891013279753
  Reply
  K @KajMagnus
  2020-06-16 06:32:59.832Z
  Twitter tweet embeds will work soon, in 1 or 2 weeks (mostly just code review left now).
  
  Reply
  K Khotso Mphale @KekkelApp
  2023-09-14 10:13:32.001Z
  Testing reply..Testing trply
  
  Reply
Y
In reply toMagnus⬆:
Ying Yue @ying
2018-05-30 14:15:06.387Z
Are you using the Cisco Secure Desktop trojan? You may need 32-bit libraries for it, if your OS is 64 bit. Here's how to add that: https://wiki.debian.org/FAQsFromDebianUser#Multiarch
Reply 1 Like
1. M @Magnus
  2018-05-30 14:47:28.615Z
  Apparently my OS already has that:
  
  $ dpkg --print-foreign-architectures i386
  Reply
A
In reply toMagnus⬆:
Arjana Mwanaj @arjana
2018-05-30 14:22:53.787Z2018-05-31 06:49:08.051Z
The VPN server no longer supports Linux. You can run Windows in a virtual machine, and login and work from home, in the VM. Here're our Windows installers: //nfs02/os/win11/iso/
Reply 7 LikesSolution
1. M @Magnus
  2018-05-30 14:49:18.170Z
  Thanks, this works. I've logged in via Windows in a VM and I'm working from home again now. But why isn't Linux supported any longer?
  Reply 1 Like
  A Arjana Mwanaj @arjana
  2018-05-30 14:51:55.876Z
  Company wide policy. Only Windows and Mac allowed in the future, someone has decided that the company cannot support other OSes for security reasons
  
  Reply
  Q Lafif Astahdziq @qutek
  2020-03-28 07:39:05.635Z
  tes
  
  Reply
  In reply toMagnus⬆:
  E Ismail Adegbenga @euler
  2020-11-19 21:08:12.559Z
  Hello Magnus
  
  Reply
2. In reply toarjana⬆:
  T Thimira Thenuwara @thimiramt
  2020-04-11 18:57:05.914Z
  test comment
  Reply
F
In reply toMagnus⬆:
@fatboyfoy
2020-12-06 22:50:47.512Z
View on YouTube
Reply
D
In reply toMagnus⬆:
ABC @darshana
2021-01-31 11:34:59.367Z
සිම්හල
Reply
P
In reply toMagnus⬆:
Papa Dam @papadam
2021-03-21 16:27:14.907Z
Ding dong, the witch is dead.
Reply
T2
In reply toMagnus⬆:
ttt @ttt
2021-03-28 19:24:24.862Z
Comment test :
Reply
1. T2 ttt @ttt
  2021-03-28 19:24:38.996Z
  reply on reply !
  Reply
J
In reply toMagnus⬆:
Juan Ma @juanmagr
2021-09-23 12:32:32.524Z
Test
Reply
E2
In reply toMagnus⬆:
@enjutomojamuto
2021-10-01 15:11:04.843Z
This is an example:
Reply
F
In reply toMagnus⬆:
五块三 @Five
2022-05-09 05:47:15.792Z
53
Reply
1. F 五块三 @Five
  2022-05-09 05:47:27.327Z
  22
  Reply
S
In reply toMagnus⬆:
sdfhsjdfh @sdfjsdfn
2022-08-23 03:24:50.033Z
.dfjglkdfjg
sflskdlf
Reply
N
In reply toMagnus⬆:
Nikhil Rayaprolu @nikhil684
2022-11-11 12:56:49.712Z
testing this
Reply
N
In reply toMagnus⬆:
Nikhil Rayaprolu @nikhil684
2022-11-11 12:57:16.908Z
again
Reply
T
In reply toMagnus⬆:
Tarcisio Naves @Tarcisio
2022-12-13 19:32:00.116Z
teste
Reply
D2
In reply toMagnus⬆:
Sem Spiri @doomstar
2023-05-31 10:00:41.512Z
I logged in with google, but had to refresh the page because it was showing me the error about unable to load editor. I didn't make a screenshot though
Reply
D2
In reply toMagnus⬆:
Sem Spiri @doomstar
2023-05-31 10:01:10.191Z
testing screenshot capability
Reply
1. D2 Sem Spiri @doomstar
  2023-05-31 10:01:34.132Z
  lol
  Reply
B
In reply toMagnus⬆:
testing @brendanc
2023-06-22 17:52:36.328Z
Reply
Progress
K @KajMagnuspinned this topic 2020-01-13 20:13:43.373Z.
K @KajMagnusunpinned this topic 2023-12-16 12:17:56.567Z.

Reply (discussion)Add progress note