OpenConnect (Cisco AnyConnect protocol) only connects from the CLI when using --no-xmlpost
I'm trying to connect to my workplace, which uses Cisco AnyConnect with two-factor authentication. From Windows, using Cisco AnyConnect, this works without issues. From Arch Linux, using OpenConnect, I can't connect via Network Manager, but only via the CLI, using the --no-xmlpost flag.
- From Network Manager I get "Login failed" (although I'm sure that I have the right credentials)
- From the CLI I get the following:
```
[root@myuser system-connections]# openconnect -v --protocol=anyconnect my.vpn.domain
POST https://my.vpn.domain/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.vpn.domain
Connected to HTTPS on my.vpn.domain with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 18 Jul 2022 21:11:22 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
Username:myuser
Password:
Password:
POST https://my.vpn.domain/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 18 Jul 2022 21:11:37 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Login failed.
Please enter your username and password.
Username:^Cfgets (stdin): Interrupted system call
```
- From the CLI, if I add the --no-xmlpost option, then it works:
```
[root@myuser system-connections]# openconnect -v --protocol=anyconnect --no-xmlpost my.vpn.domain
GET https://my.vpn.domain/
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.vpn.domain
Connected to HTTPS on my.vpn.domain with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Mon, 18 Jul 2022 21:15:03 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://my.vpn.domain/+webvpn+/index.html
SSL negotiation with my.vpn.domain
Connected to HTTPS on my.vpn.domain with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Username:myuser
Password:
Password:
POST https://my.vpn.domain/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: CSRFtoken=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: samlPreauthSessionHash=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Token=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Error=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:412C009D567FD8509DA2DEFD6F9B56F9C0AA42CF&m:iseposture&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
Set-Cookie: webvpnx=
Set-Cookie: webvpnaac=1; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1448, snd mss 1448, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: 10.64.94.57
X-CSTP-Netmask: 255.255.248.0
X-CSTP-Hostname: FWV-FP2130-DEFRA01-02.mycompany.com
X-CSTP-DNS: 10.64.0.101
X-CSTP-DNS: 10.38.0.111
X-CSTP-Lease-Duration: 172800
X-CSTP-Session-Timeout: 172800
X-CSTP-Session-Timeout-Alert-Interval: 60
X-CSTP-Session-Timeout-Remaining: 172800
X-CSTP-Idle-Timeout: 3600
X-CSTP-Disconnected-Timeout: 3600
X-CSTP-Default-Domain: mycompany.com
X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
X-CSTP-Split-Include: 5.6.7.8/255.255.255.255
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 30
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 6B7A2FC3143C5924B07A3E5612517B376AC7D67A5972A6E503EBAF050E1E580F
X-DTLS-Port: 443
X-DTLS-Keepalive: 30
X-DTLS-DPD: 30
X-CSTP-MTU: 1300
X-DTLS-MTU: 1300
X-DTLS12-CipherSuite: ECDHE-RSA-AES256-GCM-SHA384
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
CSTP connected. DPD 30, Keepalive 30
UDP SO_SNDBUF: 26000
DTLS initialised. DPD 30, Keepalive 30
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Initiating MTU detection (min=576, max=1300)
No change in MTU after detection (was 1300)
Configured as 10.64.94.57, with SSL connected and DTLS connected
Session authentication will expire at Wed Jul 20 23:15:22 2022
Not using vhost-net due to low queue length 10
Send CSTP DPD
Got CSTP DPD response
```
When looking in the openconnect man page, it says:
--no-xmlpost
Do not attempt to post an XML authentication/configuration request to the server; use the old style GET method which was used by older clients and servers instead.
This option is a temporary safety net, to work around potential compatibility issues with the code which falls back to the old method automatically. It causes OpenConnect to behave more like older versions (4.08 and below) did. **If you find that you need to use this option, then you have found a bug in OpenConnect**. Please see https://www.infradead.org/openconnect/mail.html and report this to the developers.
Could you please help me troubleshoot this behavior?
Thanks in advance.
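When comparing runs like the two above, it helps to reduce each `openconnect -v` log to three things: which authentication flow the client used (XML POST versus the legacy GET to /+webvpn+/), whether it ended in "Login failed." or "CSTP connected", and what configuration the gateway pushed in the X-CSTP-* headers (split-include routes, DNS servers, timeouts). The following parser is an added example, not part of the original post or of OpenConnect itself; the sample logs are constructed excerpts modelled on the output above.

```python
import re

# Constructed excerpts modelled on the two `openconnect -v` runs above (not real captures).
SAMPLE_XMLPOST = """POST https://my.vpn.domain/
XML POST enabled
Please enter your username and password.
Login failed.
"""
SAMPLE_LEGACY = """GET https://my.vpn.domain/
Location: /+webvpn+/index.html
POST https://my.vpn.domain/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: 10.64.94.57
X-CSTP-DNS: 10.64.0.101
X-CSTP-DNS: 10.38.0.111
X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
X-CSTP-Split-Include: 5.6.7.8/255.255.255.255
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Session-Timeout: 172800
CSTP connected. DPD 30, Keepalive 30
"""

# Headers the gateway may send more than once; every value is kept for these.
MULTI = {"DNS", "Split-Include", "Split-Exclude"}

def summarize(log: str) -> dict:
    """Classify the auth flow and outcome, and collect the pushed X-CSTP config."""
    lines = log.splitlines()
    first = next((l for l in lines if l.startswith(("GET ", "POST "))), "")
    # The client opens with POST when XML POST is used and with GET under --no-xmlpost.
    flow = "xmlpost" if first.startswith("POST ") else "legacy-get" if first else "unknown"
    if any(l.startswith("CSTP connected") for l in lines):
        outcome = "connected"
    elif any(l.startswith("Login failed") for l in lines):
        outcome = "login_failed"
    else:
        outcome = "unknown"
    cstp: dict = {}
    for l in lines:
        m = re.match(r"X-CSTP-([\w-]+):\s*(.*)", l)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key in MULTI:
            cstp.setdefault(key, []).append(val)
        else:
            cstp[key] = val
    return {"flow": flow, "outcome": outcome, "cstp": cstp}

def full_tunnel(summary: dict) -> bool:
    """True for a connected session with no split-include routes (all traffic via VPN)."""
    return summary["outcome"] == "connected" and "Split-Include" not in summary["cstp"]

if __name__ == "__main__":
    for name, log in (("xmlpost", SAMPLE_XMLPOST), ("legacy", SAMPLE_LEGACY)):
        print(name, summarize(log))
```

Run it on the saved output of both invocations to see at a glance which flow reached the CONNECT stage and what routes and DNS servers the gateway pushed.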