OpenConnect does not work with Cisco ASAs that are context-based
OpenConnect stopped working at some point with context-based Cisco ASAs. Below is the evidence:
user@jumphost:~$ sudo openconnect --protocol=anyconnect https://vpnhostname.com
POST https://vpnhostname.com/
Connected to x.x.x.x:443
SSL negotiation with vpnhostname.com
Connected to HTTPS on vpnhostname.com
Got HTTP response: HTTP/1.1 404 Not Found
Unexpected 404 result from server
GET https://vpnhostname.com/
Connected to x.x.x.x:443
SSL negotiation with vpnhostname.com
Connected to HTTPS on vpnhostname.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpnhostname.com/+webvpn+/index.html
SSL negotiation with vpnhostname.com
Connected to HTTPS on vpnhostname.com
Got HTTP response: HTTP/1.1 301 Moved Permanently
GET https://vpnhostname.com/+CSCOU+/anyconnect_unsupported_version.html
Please upgrade your AnyConnect Client
Failed to obtain WebVPN cookie
Note: During testing with a context-based Cisco ASA, I encountered the following false errors:
Error 1: "Please upgrade your AnyConnect Client" - the client is upgraded and has the same version as the ASA in the subsequent example.
Error 2: "Failed to obtain WebVPN cookie" - I'm unsure about this error.
I have several working scripts that use the following options; these are some of the options from my scripts, which I have tested on both context and non-context ASAs. Trying these options on a context-based ASA makes no difference: I get the same errors.
--os=win
--protocol=anyconnect
--servercert pin-sha256:xxxxxxxxxx=
--user user
--authgroup groupname
It seems the command-line OpenConnect client struggles with the web directory of context-based Cisco ASAs, which lacks the directory structure to perform a GET for `GET https://vpnhostname/+CSCOU+/`. I believe that during the GET process it should simply accept whatever the server provides instead of requiring an exact GET string, because context-based Cisco ASAs don't have the same directory structure to navigate to the VPN groups.
For comparison, here's an example of a working non-context-based Cisco ASA:
user@jumphost:~$ sudo openconnect https://workingvpnhostname.com
POST https://workingvpnhostname.com/
Connected to x.x.x.x:443
SSL negotiation with workingvpnhostname.com
Connected to HTTPS on workingvpnhostname.com
XML POST enabled
Please enter your username and password.
GROUP: [GROUP1|GROUP2]:
If you can assist, it would be greatly appreciated. These commands used to work just 1-2 years ago. Now all my scripts for testing and using VPN with OpenConnect are outdated, as most of my VPN systems operate on context-based Cisco ASAs.
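The two exchanges shown in the post, as an added example that is not part of the original post or of the OpenConnect project: a small POSIX shell wrapper that keeps the full OpenConnect log, prints the request/response chain so the hop where the ASA diverges (the 302 to `/+webvpn+/index.html`, then the 301 to `/+CSCOU+/anyconnect_unsupported_version.html`) is visible, and classifies the outcome so a test script can tell that redirect apart from an ordinary "Failed to obtain WebVPN cookie". The function names are hypothetical, and the two logs embedded below are constructed from the output quoted in the post; the `run_openconnect_check` wrapper needs a real ASA and is defined but not invoked.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenConnect.
# Function names are hypothetical; the logs below are constructed from the post.

# classify_openconnect_log: read an OpenConnect log on stdin and print one of
#   unsupported_version  server redirected to anyconnect_unsupported_version.html
#   no_cookie            "Failed to obtain WebVPN cookie" without that redirect
#   auth_prompt          the server reached the group/credential prompt (working)
#   unknown              none of the above
classify_openconnect_log() {
    oc_log=$(cat)
    if printf '%s\n' "$oc_log" | grep -q 'anyconnect_unsupported_version.html'; then
        echo unsupported_version
    elif printf '%s\n' "$oc_log" | grep -q 'Failed to obtain WebVPN cookie'; then
        echo no_cookie
    elif printf '%s\n' "$oc_log" | grep -qE '^GROUP: \[|^Please enter your username'; then
        echo auth_prompt
    else
        echo unknown
    fi
}

# redirect_chain: print the request/response sequence from an OpenConnect log
# as "METHOD path -> status; ..." so the hop where the ASA diverges is visible.
# A request that is not followed by a response line is shown as "-> ?".
redirect_chain() {
    awk '
        /^(GET|POST) https?:\/\// {
            url = $2
            sub(/^https?:\/\/[^\/]+/, "", url)   # keep only the path
            req = $1 " " url
            next
        }
        /^Got HTTP response:/ {
            if (req != "") {
                printf "%s%s -> %s", sep, req, $5   # $5 is the status code
                sep = "; "
                req = ""
            }
        }
        END {
            if (req != "") printf "%s%s -> ?", sep, req
            print ""
        }'
}

# run_openconnect_check: run OpenConnect with the options listed in the post,
# keep the log, print the chain and classification, and return 0 only when the
# authentication prompt is reached. OpenConnect still prompts for the password.
# Hypothetical wrapper; it needs a real ASA, so it is not invoked below.
# Usage: run_openconnect_check HOST 'pin-sha256:...=' USER AUTHGROUP
run_openconnect_check() {
    oc_logfile=$(mktemp)
    sudo openconnect --protocol=anyconnect --os=win \
        --servercert "$2" --user "$3" --authgroup "$4" \
        "https://$1" 2>&1 | tee "$oc_logfile"
    oc_result=$(classify_openconnect_log < "$oc_logfile")
    echo "result: $oc_result"
    redirect_chain < "$oc_logfile"
    rm -f "$oc_logfile"
    [ "$oc_result" = auth_prompt ]
}

# Constructed from the failing (context-based ASA) output quoted in the post.
FAILING_LOG='POST https://vpnhostname.com/
Connected to x.x.x.x:443
SSL negotiation with vpnhostname.com
Connected to HTTPS on vpnhostname.com
Got HTTP response: HTTP/1.1 404 Not Found
Unexpected 404 result from server
GET https://vpnhostname.com/
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpnhostname.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 301 Moved Permanently
GET https://vpnhostname.com/+CSCOU+/anyconnect_unsupported_version.html
Please upgrade your AnyConnect Client
Failed to obtain WebVPN cookie'

# Constructed from the working (non-context ASA) output quoted in the post.
WORKING_LOG='POST https://workingvpnhostname.com/
Connected to x.x.x.x:443
XML POST enabled
Please enter your username and password.
GROUP: [GROUP1|GROUP2]:'

printf '%s\n' "$FAILING_LOG" | classify_openconnect_log   # unsupported_version
printf '%s\n' "$FAILING_LOG" | redirect_chain
printf '%s\n' "$WORKING_LOG" | classify_openconnect_log   # auth_prompt
```

For the failing log the chain prints `POST / -> 404; GET / -> 302; GET /+webvpn+/index.html -> 301; GET /+CSCOU+/anyconnect_unsupported_version.html -> ?`, which is the point where the context-based ASA hands the client an "upgrade" page instead of the group prompt; the working log classifies as `auth_prompt` because it reaches the `GROUP:` line.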