Demo Forum

I can no longer work from home over VPN?

By @Magnus, 2018-05-30 13:54:17.125Z

I can no longer connect to our VPN server and work from home. Today the server suddenly asks me to run a 'Cisco Secure Desktop' trojan, and I've configured OpenConnect to do this (both via a GUI dialog, and the --csd-user command line option to openconnect), still I'm no longer able to get the VPN connection working.

The VPN connection log ends with these four lines repeated over and over again:

GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...

Do you have any idea about what's happening or how I can fix this?

Would you guess that the problem is a VPN server side configuration change? The 'Cisco Secure Desktop' script perhaps? The VPN server has never asked me to run the 'Cisco Secure Desktop' script before, when I was able to connect. — Or do you think my OS has upgraded OpenConnect to a somehow incompatible version?

"Refreshing .../sdesktop/wait.html", what's that, why? And +CSCOE+, sounds weird.

My OS: Linux Mint 17. OpenConnect version v5.02. Other people are able to connect to the VPN server — they use Mac or Windows, not Linux, though.

Here's the full OpenConnect log:

POST https://vpn.server.com/
Attempting to connect to server 111.222.333.444:443
Using client certificate 'My-Full-Name'
Adding supporting CA 'TC TrustCenter Class 2 L1 CA XI'
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.server.com/
Attempting to connect to server 111.222.333.444:443
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn.server.com/+webvpn+/index.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
GET https://vpn.server.com/CACHE/sdesktop/install/binaries/sfinst
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.server.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.server.com
Connected to HTTPS on vpn.server.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
(... continues forever)

Edit: With the -v (verbose) flag, openconnect keeps repeating these lines:

$ openconnect -v -c cert.pem --csd-user=kajmagnus vpn.example.com
...
GET https://vpn.example.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Thu, 06 Nov 2014 11:10:18 GMT
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
  1. Arjana Mwanaj @arjana, 2018-05-30 14:22:53.787Z, 2018-05-31 06:49:08.051Z

    The VPN server no longer supports Linux. You can run Windows in a virtual machine, and log in and work from home, in the VM. Here're our Windows installers: //nfs02/os/win11/iso/

    4 Likes, Solution
    1. @Magnus, 2018-05-30 14:49:18.170Z

      Thanks, this works. I've logged in via Windows in a VM and I'm working from home again now. But why isn't Linux supported any longer?

      1. Arjana Mwanaj @arjana, 2018-05-30 14:51:55.876Z

        Company-wide policy. Only Windows and Mac allowed in the future; someone has decided that the company cannot support other OSes for security reasons.

    2. In reply to Magnus:
      @achara, 2018-05-30 13:59:41.356Z

      Try wrapping the 'Cisco Secure Desktop' script in a shell script, via the --csd-wrapper option, like so:

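      #!/bin/bash -x
      # Send stderr (including the -x trace) to the original stdout, then discard stdout.
      exec 2>&1 > /dev/null
      # The first argument is the CSD binary; the rest are its arguments.
      CSD_BINARY="$1"
      shift
      "$CSD_BINARY" "$@"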
      

      You can read more here -- apparently there's something wrong about how OpenConnect calls the binary.

      1. @Magnus, 2018-05-30 14:46:32.579Z

        Thanks! This didn't have any effect though.

      2. In reply to Magnus:
        Thamas Davis @thamas, 2018-05-30 14:07:44.134Z

        You could try adding --no-xmlpost. It makes OpenConnect behave more like older versions, maybe some compatibility issue.

        1. @Magnus, 2018-05-30 14:47:06.467Z

          This didn't help. Thanks anyway.

        2. In reply to Magnus:
          Ying Yue @ying, 2018-05-30 14:15:06.387Z

          Are you using the Cisco Secure Desktop trojan? You may need 32-bit libraries for it, if your OS is 64 bit. Here's how to add that: https://wiki.debian.org/FAQsFromDebianUser#Multiarch

          1. @Magnus, 2018-05-30 14:47:28.615Z

            Apparently my OS already has that:

            $ dpkg --print-foreign-architectures
            i386
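
A diagnostic variant of the --csd-wrapper script suggested in this thread, added here as an example (not code from any poster or from the OpenConnect project): instead of discarding output, it records the downloaded program's hash, leading bytes, output and exit status, so the log shows whether the server-supplied CSD program actually ran and how it exited. It assumes, as the posted wrapper does, that `$1` is the CSD binary; `CSD_LOG` and `run_csd_logged` are hypothetical names.

```shell
#!/bin/sh
# Added diagnostic example; pass this file to openconnect via --csd-wrapper.
# Assumption (from the wrapper posted in the thread): $1 is the downloaded
# CSD binary and the remaining arguments are meant for it.

# Hypothetical log location; override by exporting CSD_LOG.
CSD_LOG="${CSD_LOG:-$HOME/csd-wrapper.log}"

run_csd_logged() {
    csd_binary="$1"
    shift

    # Create the log privately: the arguments may carry session values.
    ( umask 077; : >>"$CSD_LOG" )

    {
        echo "== $(date -u +%Y-%m-%dT%H:%M:%SZ) CSD run"
        echo "binary: $csd_binary"
        # Hash of what the server asked us to execute, for later comparison.
        echo "sha256: $(sha256sum "$csd_binary" | cut -d' ' -f1)"
        # First 4 bytes: 7f454c46 is an ELF binary, 2321.... is a #! script.
        echo "magic:  $(od -An -tx1 -N4 "$csd_binary" | tr -d ' \n')"
        echo "args:   $*"
    } >>"$CSD_LOG"

    # Run the program, keeping its stdout and stderr instead of dropping them.
    "$csd_binary" "$@" >>"$CSD_LOG" 2>&1 && status=0 || status=$?

    # 126/127 mean the program could not be executed or found at all
    # (for example a missing loader for a 32-bit binary).
    echo "exit:   $status" >>"$CSD_LOG"
    return "$status"
}

# When invoked by openconnect there are arguments; run the CSD program.
if [ "$#" -gt 0 ]; then
    run_csd_logged "$@"
fi
```

The log file holds whatever arguments the server handed to the CSD program, so delete it once the problem is diagnosed.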