This repository has been archived by the owner on Feb 1, 2024. It is now read-only.

Reconnect fails due to missing re-authentication #265

Open
rawIce opened this issue Mar 6, 2019 · 6 comments

Comments


rawIce commented Mar 6, 2019

Describe the bug
When an established VPN connection gets interrupted, OpenConnect tries to reconnect to the previous connection.

Once the remote host becomes available again, the re-connection attempt is unsuccessful with an HTTP/1.1 404 Unauthorized response from the remote server, because the client does not seem to properly authenticate itself.

If I manually click the "connect" button afterwards, the VPN connection is established successfully again without the need of entering credentials manually.

2019-03-06 15:32:39 | 1078 | Connected to some.host.de
2019-03-06 15:23:11 | 11cc | Failed to reconnect to host some.host.de: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2019-03-06 15:23:11 | 11cc | sleep 60s, remaining timeout 750s
2019-03-06 15:24:32 | 11cc | Failed to reconnect to host some.host.de: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2019-03-06 15:24:32 | 11cc | sleep 70s, remaining timeout 690s
2019-03-06 15:25:42 | 11cc | SSL negotiation with some.host.de
2019-03-06 15:25:42 | 11cc | Connected to HTTPS on some.host.de
2019-03-06 15:25:42 | 11cc | Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
2019-03-06 15:25:42 | 11cc | Cookie is no longer valid, ending session
2019-03-06 15:25:42 | 11cc | Reconnect failed
2019-03-06 15:25:42 | 11cc | <<-- [EXEC] route print
...
2019-03-06 15:25:42 | 2058 | Disconnected

To Reproduce
Steps to reproduce the behavior:

  1. Connect to a user and password protected VPN server
  2. Interrupt the connection to the remote host or shut it down
  3. OpenConnect tries to reconnect
  4. Connection attempt is not successful and OpenConnect immediately fully disconnects
  5. Manually push the connect button to reconnect to the server successfully

Expected behavior
OpenConnect is supposed to reauthenticate with user and password the way it does if I manually click on connect.

Desktop (please complete the following information):

  • OS: Windows Server 2012 R2
  • Version: 1.5.3
Member

horar commented Mar 6, 2019

Thanks for the report. Could you please try it with the bundled console client (in an admin terminal), just to identify the source of the problem (GUI or library)? Thanks.

Author

rawIce commented Mar 7, 2019

Thanks for your response. I just tested inside the command prompt; the result looks similar.

Route configuration done.
...
DTLS Dead Peer Detection detected dead peer!
SSL read error: Error in the pull function.; reconnecting.
...
Failed to reconnect to host some.host.de: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
sleep 60s, remaining timeout 750s
Failed to reconnect to host some.host.de: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
sleep 70s, remaining timeout 690s
SSL negotiation with some.host.de
Connected to HTTPS on some.host.de
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Cookie is no longer valid, ending session
Reconnect failed
...
Cookie was rejected on reconnection; exiting.

Member

horar commented Mar 7, 2019

Looks like an openconnect library issue. Could you please try the last openconnect-gui snapshot (2019.01.18) from here:
https://github.com/openconnect/openconnect-gui/blob/develop/docs/snapshots.md

If it does not help, then please raise an issue in the openconnect library project:
https://gitlab.com/openconnect/openconnect/issues

Author

rawIce commented Mar 8, 2019

With that build I am able to pipe the password into the command line (probably due to a fix in version 8.00, another issue I have not mentioned so far), but the issue I have reported here regarding reconnection stays the same.

Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Send CSTP DPD
SSL read error: Error in the pull function.; reconnecting.
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
...
Failed to reconnect to host some.host.de: A connection attempt failed beca
use the connected party did not properly respond after a period of time, or esta
blished connection failed because connected host has failed to respond.
sleep 70s, remaining timeout 690s
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
.
SSL negotiation with some.host.de
Connected to HTTPS on some.host.de
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Cookie is no longer valid, ending session
Reconnect failed
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
.
Cookie was rejected on reconnection; exiting.

Member

horar commented Mar 16, 2019

Thanks for the update; please report/discuss this with the openconnect maintainer. The issue looks to be outside of the GUI (this project is only a small GUI on top of the mentioned library/tool).

Author

rawIce commented Mar 18, 2019

Hi horar,
I got feedback on GitLab and they basically say everything is working as expected.

This is expected behaviour. OpenConnect creates one VPN connection, and lasts for as long as that VPN session does. When the session expires — which seems to have happened in this case, because the login cookie stopped working — you need to log in again with the original username/password/OTP/certificate/etc.
To do that, you initiate a new connection with OpenConnect.
I think what you're really asking for is a feature request for openconnect-gui which would automatically connect and authenticate, having saved the password somewhere?
https://gitlab.com/openconnect/openconnect/issues/29

So could we add that simple change in behavior as a feature request? I think that might help a lot of users. Thanks a lot in advance!
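
Added example, not part of the thread or of either project's code: a Python classifier over the log lines quoted above that separates a transient network failure (retrying with the existing cookie can still succeed) from a rejected session cookie (only a fresh login helps). The sample log is constructed in the format shown in the issue; `vpn.example.test`, `classify` and the `Verdict` fields are assumptions of this example.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample in the "time | thread | message" format quoted in the issue;
# host name, times and the shortened error text are placeholders.
SAMPLE_LOG = """\
2019-03-06 15:23:11 | 11cc | Failed to reconnect to host vpn.example.test: timed out
2019-03-06 15:23:11 | 11cc | sleep 60s, remaining timeout 750s
2019-03-06 15:24:32 | 11cc | Failed to reconnect to host vpn.example.test: timed out
2019-03-06 15:24:32 | 11cc | sleep 70s, remaining timeout 690s
2019-03-06 15:25:42 | 11cc | Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
2019-03-06 15:25:42 | 11cc | Cookie is no longer valid, ending session
2019-03-06 15:25:42 | 11cc | Reconnect failed
"""

class Verdict(NamedTuple):
    cause: str                      # "cookie-rejected", "network-unreachable" or "none"
    network_failures: int           # failed reconnect attempts seen in the log
    http_status: Optional[int]      # status of the CONNECT response, if one was logged
    outage_seconds: Optional[int]   # first failed reconnect -> cookie rejection

PREFIX = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \| \w+ \| (.*)$")
STATUS = re.compile(r"HTTP CONNECT response: HTTP/\d\.\d (\d{3})")

def classify(log_text: str) -> Verdict:
    failures, status, first_fail, rejected_at, rejected = 0, None, None, None, False
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        # Console output has no "time | thread |" prefix, so fall back to the bare line.
        stamp = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S") if m else None
        msg = m[2] if m else line.strip()
        if msg.startswith("Failed to reconnect to host"):
            failures, first_fail = failures + 1, first_fail or stamp
        elif (s := STATUS.search(msg)):
            status = int(s[1])
        elif msg.startswith(("Cookie is no longer valid", "Cookie was rejected")):
            rejected, rejected_at = True, rejected_at or stamp
    both = first_fail and rejected_at
    outage = int((rejected_at - first_fail).total_seconds()) if both else None
    if rejected:
        cause = "cookie-rejected"       # retrying with this cookie cannot succeed; log in again
    elif failures:
        cause = "network-unreachable"   # transient; the existing cookie may still be accepted
    else:
        cause = "none"
    return Verdict(cause, failures, status, outage)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

The `outage_seconds` value is the figure to compare against the gateway's session timeout when deciding whether a stored-credential re-login, as requested above, is needed at all.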
