
Connection keeps resetting, error message GPST Dead Peer Detection detected dead peer! #364

Open
yjjl opened this issue May 14, 2024 · 14 comments

Comments

@yjjl

yjjl commented May 14, 2024

Used to work until recently, no known changes server-side.
SAML authentication works, but no internet connectivity once the connection has been made.
Connection information returns Default route 0.0.0.0 for the tun interface.
Output below.

Error message "GPST Dead Peer Detection detected dead peer!" did not appear previously.

Command line output:

[2024-05-14T16:30:06Z INFO  gpclient::cli] gpclient started: 2.2.1 (2024-05-07)
[2024-05-14T16:30:06Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-05-14T16:30:07Z INFO  gpauth::cli] gpauth started: 2.2.1 (2024-05-07)
[2024-05-14T16:30:07Z INFO  gpauth::cli] Fixing OpenSSL environment
[2024-05-14T16:30:07Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect
[2024-05-14T16:30:07Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-05-14T16:30:07Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/2efd699a-1922-4e69-b601-108008d28a2e/saml2?SAMLRequest=n**********%3D&RelayState=L**********x
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] Raise window in 1 second(s)

(process:74417): libsoup-WARNING **: 17:30:10.252: gssapi step failed: No credentials were supplied, or the credentials were unavailable or inaccessible: SPNEGO cannot find mechanisms to negotiate
[2024-05-14T16:30:11Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect Login
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/2efd699a-1922-4e69-b601-108008d28a2e/login
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/common/SAS/ProcessAuth
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/kmsi
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:42Z WARN  gpauth::auth_window] Failed to load uri: https://s**********k/SAML20/SP/ACS with error: Load request cancelled
[2024-05-14T16:30:42Z INFO  gpauth::auth_window] Loaded uri: https://s**********k/SAML20/SP/ACS
[2024-05-14T16:30:42Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:42Z INFO  gpauth::auth_window] Got auth data from headers
[2024-05-14T16:30:42Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-05-14T16:30:42Z INFO  gpclient::connect] Connecting to the only available gateway: Ext-Staff-VPN-Gateway (xxx-xxx.xx.xx)
[2024-05-14T16:30:42Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-05-14T16:30:42Z WARN  gpapi::gateway::login] GP response error: reason=<none>, status=512 <unknown status code>, body=<html>
      <head></head>
      <body>
      var respStatus = "Error";
      var respMsg = "Authentication failure: Invalid username or password";
      thisForm.inputStr.value = "";
    </body>
    </html>
[2024-05-14T16:30:42Z INFO  gpclient::connect] Gateway login failed: Gateway login error: <none>
[2024-05-14T16:30:42Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-05-14T16:30:42Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
[2024-05-14T16:30:43Z INFO  gpauth::cli] gpauth started: 2.2.1 (2024-05-07)
[2024-05-14T16:30:43Z INFO  gpauth::cli] Fixing OpenSSL environment
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/2efd699a-1922-4e69-b601-108008d28a2e/saml2?SAMLRequest=n**********A&RelayState=L**********x
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Raise window cancelled
[2024-05-14T16:30:44Z WARN  gpauth::auth_window] Failed to load uri: https://s**********k/SAML20/SP/ACS with error: Load request cancelled
[2024-05-14T16:30:44Z INFO  gpauth::auth_window] Loaded uri: https://s**********k/SAML20/SP/ACS
[2024-05-14T16:30:44Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:44Z INFO  gpauth::auth_window] Got auth data from headers
[2024-05-14T16:30:44Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-05-14T16:30:44Z INFO  openconnect::ffi] openconnect version: v8.20-1
[2024-05-14T16:30:44Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2024-05-14T16:30:44Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-05-14T16:30:44Z INFO  openconnect::ffi] OS: linux
[2024-05-14T16:30:44Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-05-14T16:30:44Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-05-14T16:30:44Z INFO  openconnect::ffi] MTU: 0
[2024-05-14T16:30:44Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/getconfig.esp
[2024-05-14T16:30:44Z INFO  openconnect::ffi] Connected to 134.219.248.132:443
[2024-05-14T16:30:44Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xx
[2024-05-14T16:30:44Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:30:44Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:30:44Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:30:44Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-05-14T16:30:44Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:30:44Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum d69d1e96d63e67de52ab9e2936ca3ff6.
        VPN connectivity may be disabled or limited without HIP report submission.
        You need to provide a --csd-wrapper argument with the HIP report submission script.
[2024-05-14T16:30:49Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:30:50Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 12
[2024-05-14T16:30:50Z INFO  gpclient::connect] Wrote PID 74383 to /var/run/gpclient.lock
[2024-05-14T16:31:12Z WARN  openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-14T16:31:12Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xxk/ssl-vpn/getconfig.esp
[2024-05-14T16:31:12Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xx
[2024-05-14T16:31:12Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:31:12Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:31:12Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:31:12Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:31:17Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:31:38Z WARN  openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-14T16:31:38Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/getconfig.esp
[2024-05-14T16:31:38Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xxk
[2024-05-14T16:31:38Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:31:38Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:31:38Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:31:38Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xxk/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:31:43Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:31:43Z WARN  openconnect::ffi] Read error on SSL session: Error in the pull function.
[2024-05-14T16:31:43Z WARN  openconnect::ffi] Packet receive error: Operation not permitted
[2024-05-14T16:31:43Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/getconfig.esp
[2024-05-14T16:31:43Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xx
[2024-05-14T16:31:43Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:31:43Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:31:43Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:31:43Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/hipreportcheck.esp
vpndisconnect[2024-05-14T16:31:48Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.

[2024-05-14T16:31:48Z INFO  gpclient::cli] gpclient started: 2.2.1 (2024-05-07)
[2024-05-14T16:31:48Z INFO  gpclient::disconnect] Found process 74383, killing...
[2024-05-14T16:31:48Z INFO  gpclient::connect] Received the interrupt signal, disconnecting...
[2024-05-14T16:31:48Z INFO  openconnect::ffi] Stopping VPN connection: 12
[2024-05-14T16:31:48Z INFO  openconnect::ffi] POST https:/xxx-xx.xx.xxk/ssl-vpn/logout.esp
jonas@azazello:~$ [2024-05-14T16:31:48Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xx
[2024-05-14T16:31:48Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:31:48Z INFO  openconnect::ffi] Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
[2024-05-14T16:31:49Z INFO  openconnect::ffi] openconnect_mainloop returned -4, exiting
[2024-05-14T16:31:49Z INFO  gpclient::connect] Removing PID file

Logs
GUI log: (same issues)

[2024-05-14T16:49:57Z INFO  gpservice::cli] gpservice started: 2.2.1 (2024-05-07)
[2024-05-14T16:49:57Z INFO  gpservice::ws_server] WS server listening on port: 34079
[2024-05-14T16:49:57Z INFO  gpapi::process::gui_launcher] Version check passed: 2.2.1
[2024-05-14T16:49:57Z INFO  gpapi::process::gui_launcher] Launching gpgui
[2024-05-14T16:49:57Z INFO  gpgui::cli] gpgui started: 2.2.1 (2024-05-07)
[2024-05-14T16:49:57Z INFO  gpgui::app] Setting the custom openssl conf path
[2024-05-14T16:49:57Z INFO  gpgui::config::private_data] Loaded config key from keyring
[2024-05-14T16:49:57Z INFO  gpgui::app::app_initializer] App initialized
[2024-05-14T16:49:57Z INFO  gpgui::ws_connector] Connecting to WS server
[2024-05-14T16:49:57Z INFO  gpgui::ws_connector] Received ping
[2024-05-14T16:49:57Z INFO  gpgui::ws_connector] Connected to WS server
[2024-05-14T16:49:57Z INFO  gpservice::handlers] New client connected
[2024-05-14T16:49:57Z INFO  gpservice::ws_server] Sending current VPN state to new client
[2024-05-14T16:49:57Z INFO  gpgui::handlers::subscription] Sending the init event to client: main
[2024-05-14T16:49:57Z INFO  gpgui::handlers::subscription] Sent the init event to client: main
[2024-05-14T16:49:58Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect
[2024-05-14T16:50:13Z INFO  gpgui::handlers::subscription] Sending the init event to client: settings
[2024-05-14T16:50:13Z INFO  gpgui::handlers::subscription] Sent the init event to client: settings
[2024-05-14T16:50:13Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect Settings
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Connecting to the portal: s**********k...
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Try login the gateway with prelogin...
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: s**********k...
[2024-05-14T16:50:52Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Authenticating gateway...
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-05-14T16:50:52Z INFO  gpauth::cli] gpauth started: 2.2.1 (2024-05-07)
[2024-05-14T16:50:52Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-05-14T16:50:52Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-05-14T16:50:52Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/2efd699a-1922-4e69-b601-108008d28a2e/saml2?SAMLRequest=n**********B&RelayState=6**********x
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Raise window cancelled
[2024-05-14T16:50:53Z WARN  gpauth::auth_window] Failed to load uri: https://s**********k/SAML20/SP/ACS with error: Load request cancelled
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Loaded uri: https://s**********k/SAML20/SP/ACS
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Got auth data from headers
[2024-05-14T16:50:53Z INFO  gpgui::portal_connector] Performing gateway login, gateway: s**********k...
[2024-05-14T16:50:53Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-05-14T16:50:53Z INFO  gpgui::portal_connector] Gateway login succeeded, gateway: s**********k
[2024-05-14T16:50:53Z INFO  gpgui::portal_connector] Connecting to the gateway...
[2024-05-14T16:50:53Z INFO  openconnect::ffi] openconnect version: v8.20-1
[2024-05-14T16:50:53Z INFO  openconnect::ffi] User agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-05-14T16:50:53Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-05-14T16:50:53Z INFO  openconnect::ffi] OS: linux
[2024-05-14T16:50:53Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-05-14T16:50:53Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-05-14T16:50:53Z INFO  openconnect::ffi] MTU: 0
[2024-05-14T16:50:53Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/getconfig.esp
[2024-05-14T16:50:53Z INFO  openconnect::ffi] Connected to [**********]:443
[2024-05-14T16:50:53Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-05-14T16:50:53Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:50:53Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:50:53Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:50:53Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-05-14T16:50:53Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:50:53Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum d69d1e96d63e67de52ab9e2936ca3ff6.
[2024-05-14T16:50:58Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:50:59Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 14
[2024-05-14T16:50:59Z INFO  gpgui::portal_connector] Connected to the gateway: s**********k
[2024-05-14T16:51:19Z WARN  openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-14T16:51:19Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/getconfig.esp
[2024-05-14T16:51:19Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-05-14T16:51:19Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:51:19Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:51:19Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:51:19Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:51:24Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:51:24Z WARN  openconnect::ffi] Read error on SSL session: Error in the pull function.
[2024-05-14T16:51:24Z WARN  openconnect::ffi] Packet receive error: Operation not permitted
[2024-05-14T16:51:24Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/getconfig.esp
[2024-05-14T16:51:24Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-05-14T16:51:24Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:51:24Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:51:24Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:51:24Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:51:29Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:51:31Z INFO  gpgui::handlers::subscription] Sending the init event to client: settings
[2024-05-14T16:51:31Z INFO  gpgui::handlers::subscription] Sent the init event to client: settings

Environment:

  • OS: Ubuntu 22.04
  • Desktop Environment: MATE
  • Output of ps aux | grep 'gnome-keyring\|kwalletd5' | grep -v grep: [Required for secure store error]
    xx 1663 0.0 0.0 243840 7576 ? Sl 16:16 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
    xx 5423 0.0 0.0 243696 8960 ? Sl 16:23 0:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
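The log above shows a recurring shape: the tunnel comes up, ESP fails and falls back to HTTPS, the server asks for a HIP report, and then "GPST Dead Peer Detection detected dead peer!" fires every twenty seconds or so and the client re-runs getconfig.esp. As an added example (not code from this issue or from the GlobalProtect-openconnect project), the script below pulls those symptoms out of a log so the reconnect loop can be confirmed from the file rather than by eye. It reads both formats that appear in this thread, gpclient's `[<timestamp> <LEVEL> <target>] <message>` lines and openconnect's plain CLI output, and goes a little beyond the log above by also recognising the "Set up UDP failed" and "HIP report submitted successfully" lines from later comments. The substrings it matches are taken from the logs in this thread; the sample log is constructed and abridged, and the md5sum in it is a placeholder.

```python
"""Triage a gpclient / openconnect GlobalProtect log for the dead-peer reconnect loop.

Added example, not part of the GlobalProtect-openconnect project. It handles
gpclient lines ("[<ts> <LEVEL> <target>] <msg>") and plain openconnect CLI output.
"""
import re
from datetime import datetime

# gpclient line shape, e.g. "[2024-05-14T16:31:12Z WARN  openconnect::ffi] GPST Dead Peer ..."
GPCLIENT_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<level>\w+)\s+(?P<target>\S+)\]\s*(?P<msg>.*)$"
)

# Substrings taken from the messages visible in this thread's logs.
PATTERNS = {
    "dead_peer": "GPST Dead Peer Detection detected dead peer!",
    "esp_fallback": "Failed to connect ESP tunnel; using HTTPS instead.",
    "udp_fallback": "Set up UDP failed; using SSL instead",
    "no_mtu": "No MTU received.",
    "hip_required": "Server asked us to submit HIP report",
    "hip_submitted": "HIP report submitted successfully.",
    "ssl_read_error": "Read error on SSL session",
    "connected": "Connected to VPN",   # gpclient wording
    "configured": "Configured as ",    # openconnect CLI wording
}


def parse_line(line):
    """Return (timestamp or None, message) for one log line of either format."""
    m = GPCLIENT_RE.match(line.strip())
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["msg"]
    return None, line.strip()


def classify(msg):
    """Map a message to one of the PATTERNS keys, or None if it is not a symptom."""
    for name, needle in PATTERNS.items():
        if needle in msg:
            return name
    return None


def triage(lines):
    """Count symptoms, derive findings and attach the next steps this issue suggests."""
    counts = {name: 0 for name in PATTERNS}
    connected_at = first_dead_peer = None
    for line in lines:
        ts, msg = parse_line(line)
        kind = classify(msg)
        if kind is None:
            continue
        counts[kind] += 1
        if kind in ("connected", "configured") and connected_at is None:
            connected_at = ts
        if kind == "dead_peer" and first_dead_peer is None:
            first_dead_peer = ts

    findings = []
    if counts["dead_peer"] >= 2:
        # Repeated DPD failures right after (re)connecting: the tunnel comes up
        # but no traffic flows, which is the pattern reported in this thread.
        findings.append("dpd_reconnect_loop")
    if counts["esp_fallback"] or counts["udp_fallback"]:
        findings.append("esp_udp_blocked_tls_only")
    if counts["hip_required"] and not counts["hip_submitted"]:
        findings.append("hip_report_missing")

    seconds_to_first_dead_peer = None
    if connected_at is not None and first_dead_peer is not None:
        seconds_to_first_dead_peer = int((first_dead_peer - connected_at).total_seconds())

    # Hints only, taken from the suggestions made in this issue; not a diagnosis.
    hints = {
        "hip_report_missing": "submit the HIP report (gpclient connect --hip, or openconnect --csd-wrapper=hipreport.sh)",
        "dpd_reconnect_loop": "retry with --disable-ipv6 (cleared one reporter's loop, not another's) and compare plain openconnect --protocol=gp",
        "esp_udp_blocked_tls_only": "the ESP (UDP) tunnel did not come up, so all traffic is on the TLS fallback",
    }
    return {
        "counts": counts,
        "findings": findings,
        "seconds_to_first_dead_peer": seconds_to_first_dead_peer,
        "hints": [hints[f] for f in findings],
    }


# Constructed sample, abridged from the log shapes in this issue (md5sum is a placeholder).
SAMPLE_LOG = """\
[2024-05-14T16:30:44Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-05-14T16:30:44Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum <placeholder>.
[2024-05-14T16:30:49Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:30:50Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 12
[2024-05-14T16:31:12Z WARN  openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-14T16:31:17Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:31:38Z WARN  openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-14T16:31:43Z WARN  openconnect::ffi] Read error on SSL session: Error in the pull function.
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG.splitlines()), indent=2))
```

Run it against a saved gpclient or openconnect log (`triage(open("gp.log").readlines())`); on the sample it reports two dead-peer events 22 seconds after connecting, the ESP fallback, and a HIP report that was requested but never submitted. The same parser works on the openconnect CLI transcripts later in this thread, where lines carry no timestamp and the time-to-first-dead-peer is therefore left as None.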
@yuezk
Owner

yuezk commented May 15, 2024

Looks related to https://gitlab.com/openconnect/openconnect/-/issues/701

Can you try it with submitting HIP? sudo gpclient connect --hip <portal>

@yjjl
Author

yjjl commented May 16, 2024

Tried, HIP error message goes away but connectivity problem persists.

@martindorey

For me today, with my organization's UK gateway, --disable-ipv6 seemed to me to be the key, but currently that only seems to be supported with the version 1.x GlobalProtect-openconnect.

@yuezk
Owner

yuezk commented May 19, 2024

For me today, with my organization's UK gateway, --disable-ipv6 seemed to me to be the key, but currently that only seems to be supported with the version 1.x GlobalProtect-openconnect.

That's very helpful. I'm adding --disable-ipv6 option in 2.x

@martindorey

That addition, in today's https://github.com/yuezk/GlobalProtect-openconnect/releases/tag/v2.3.0, got me in for the first time with the 2.x code.

@yuezk
Owner

yuezk commented May 20, 2024

@martindorey so the --disable-ipv6 works for you?

@yjjl can you try 2.3.0 with the --disable-ipv6 option?

@martindorey

To the particular gateway I was using above, in somewhere between five and ten trials, I've got in with SSH every time with --disable-ipv6 --hip and never with just --hip, always falling foul of Dead Peer Detection. I might guess there are other causes for that problem, but I'm confident that you've solved mine - thanks!

@yjjl
Author

yjjl commented May 21, 2024

Hi,
Tried that with the 2.3.0 version but the error remains. There's no connectivity, DNS fails and the error message is the same:

2024-05-21T09:53:46Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-21T09:53:46Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-21T09:53:46Z INFO openconnect::ffi] POST https://xxx.xx.uk/ssl-vpn/hipreportcheck.esp
[2024-05-21T09:53:51Z WARN openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-21T09:54:12Z WARN openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-21T09:54:12Z INFO openconnect::ffi] POST https://xxx.xx.uk/ssl-vpn/getconfig.esp
[2024-05-21T09:54:12Z INFO openconnect::ffi] SSL negotiation with xxx.xx.uk
[2024-05-21T09:54:12Z INFO openconnect::ffi] Connected to HTTPS on xxx.xx.uk with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)

Tried both of:
sudo gpclient --fix-openssl connect --disable-ipv6 --hip
sudo gpclient connect --disable-ipv6 --hip

Any ideas what could be the issue here?

@yjjl
Author

yjjl commented May 21, 2024

I should add that the error message reappears whenever I try to make a new connection (e.g. open a web page).

@yuezk
Owner

yuezk commented May 21, 2024

@yjjl can you try with the openconnect command?

  • openconnect --protocol=gp --disable-ipv6 <portal>
  • openconnect --protocol=gp <portal>

@yjjl
Author

yjjl commented May 22, 2024

Authentication doesn't work that way; I get the following error message:
POST https://xxx.xx.uk/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server xxx:443
Connected to xxx:443
SSL negotiation with xxx.xxx.uk
Connected to HTTPS on xxx.xxx.uk with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 22 May 2024 10:54:49 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1560
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=ddd2b01c-3c47-40a4-9c68-e590dfaccffe; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1560)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/XXXXXXX
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse server response
Response was:

Success

false


Enter login credentials
Username
Password
1
yes

xxx.xx
0
REDIRECT
600
0
aHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tLzJlZmQ2OTlhLTE5MjItNGU2OS1iNjAxLTEwODAwOGQyOGEyZS9zYW1sMj9TQU1MUmVxdWVzdD1uVkxQYjRJd0ZQNVhTTyUyRlFVaEdoRVJLbWg1bTRqQWpiWVplbGxxTE5Tc3ZhNHVaJTJGUDlRdGN4Y1BPNzY4TDklMkJ2OSUyQmFXZHJJbnhlRDJhc1BmQjI2ZDk5bEpaY2w1a1lIQktLS3BGWllvMm5GTEhDTlY4YkFtT0VDa045cHBwaVh3Q211NWNVS3JoVloyNkxpcHVEa0l4cDgyNnd6c25lc3RnZEE2MnJiJTJCb1ZlQjBVY3E5MXBLJTJGVUdQQVdYQjhFYWlhQUpQekJqQnFvVEZvZ0xlY25RakZEM3glMkZySkl2Uk1xNkFRejJ1cldhU1dGNGdIVEhjUzhiZUkwcFg2WVl1eEhQRTc5Yll4Q1AwUUpRa21ERTRvNVBNWEN3RnN0TSUyRkE2YlNqalNZdFFOR3ZTYmR5eUZpY3psRTVhenFJa3hlRUlzM2JnS3pVNlZ5NERHT0hJUjFNZjR6cEVaQnFSS0gwQlh2bmR3cDFRalZDNzI1VnRMeUJMN3V1NjlNdkhxZ2JlTXpmMkhIRUVnSHglMkJja2pPd3VicUZMZHA2VSUyRiUyRklQOUgyM040cFpsZnByOCUyRmtYOEImUmVsYXlTdGF0ZT1KbVFGQUg0OUttWmtaR1F5WWpBeFl5MHpZelEzTFRRd1lUUXRPV00yT0MxbE5Ua3daR1poWTJObVptVXc=
noGB

Failed to complete authentication

I've tried to complete the SAML authentication by opening the link and then running openconnect but the same issue reappears.

@ChatDeBlofeld

Same issue here; we don't use any SSO, so I can provide the requested logs (no difference with or without --disable-ipv6, though):

sudo openconnect --protocol=gp --csd-wrapper=/usr/libexec/openconnect/hipreport.sh --disable-ipv6 xxx.xx

POST https://xxx.xx/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to xxx:443
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
Email address: [email protected]
Password: 
POST https://xxx.xx/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.1.4-711; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  GW-EXTERNAL-ON-DEMAND (xxx.xx)
Please select GlobalProtect gateway.
GATEWAY: [GW-EXTERNAL-ON-DEMAND]:GW-EXTERNAL-ON-DEMAND
POST https://xxx.xx/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=AUT-SEQ-GP
GlobalProtect login returned password-expiration-days=0
GlobalProtect login returned portal-userauthcookie=oJJl7db8EL/vfWlScCf5jPVOkM3qYcI5hR+xMlKQz9Qee9NJyiyOclkDwckaph/91Vkuu0M+8oJ0bfIb7qPTvyBpyen/P1Pm0as7MB570+VN3f0B6QWjDOB1Nvh4mqAZNHso3dH9B5StX1u4BemF0baj/G5zqe7gWDZ3MMIjHSPl5qQZ43ujyNrkBi2/lNARkVBEF5v0UWVWP/1KhlxxQVDqdI/0A0P1uAuLlHgm0pR3/KD0AbsSVmwHHf6fcDYX3E0ySpVW0g3EJD1lzsqmNNCxtvioKbG/1gm+3Pwmhct6mWzcADC10L9TE+jbYu9VbtnJzMMUrz+O4wX/9uiqTEoB4pKoMWININELioiJwJkV5CbjN5ZtEgCpGY/x/xi7SYGtHHH4vkYiCn0JwANyKF2kUP5UWTQ9CF/twtKO1AjofenQ69MetnNGHUT4rDY2iwqMdDVFpy2LRmIGCkqd2QlLRSUCOmDaWC/s5V3RZVsPEHWYuMG8ht71g+Bg65TyxU9t5XhA+83T/HkWINSW838oroMI54sVMkQdX6qyQ4XP1kcMTXE/s31qq0uZGP5N0J+juyEUsPiZRqRz81MT8JfzF0/wLnf3XvjS2m0+XJqp+YNkCEBAW/TTpUYtE5ZuO01rXWzWBVep3PMfI9wHX0IfgPDN/DSNP6QsPEhhJY8=
GlobalProtect login returned portal-prelogonuserauthcookie=empty
GlobalProtect login returned usually-equals-4=4
POST https://xxx.xx/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
Trying to run HIP Trojan script '/usr/libexec/openconnect/hipreport.sh'.
HIP script '/usr/libexec/openconnect/hipreport.sh' completed successfully (report is 2311 bytes).
POST https://xxx.xx/ssl-vpn/hipreport.esp
HIP report submitted successfully.
Set up UDP failed; using SSL instead
Configured as 10.193.24.182, with SSL connected and ESP disabled
Session authentication will expire at Thu May 23 17:29:38 2024

Using vhost-net for tun acceleration, ring size 32
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
^CPOST https://xxx.xx/ssl-vpn/logout.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting.
sudo openconnect --protocol=gp --csd-wrapper=/usr/libexec/openconnect/hipreport.sh xxx.xx 

POST https://xxx.xx/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to xxx:443
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
Email address: [email protected]
Password: 
POST https://xxx.xx/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.1.4-711; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  GW-EXTERNAL-ON-DEMAND (xxx.xx)
Please select GlobalProtect gateway.
GATEWAY: [GW-EXTERNAL-ON-DEMAND]:GW-EXTERNAL-ON-DEMAND
POST https://xxx.xx/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=AUT-SEQ-GP
GlobalProtect login returned password-expiration-days=0
GlobalProtect login returned portal-userauthcookie=mKNcuqseBlw6oUTus8XzPUVQbXwyis8NgbDmVy/yaIF/y9sRzM1+73LMOr8WDWZIa4scDteSpT6aibUy0ZFkwcMRTD+2yB1r/hd51LHfZsiRnqWPYLKvGslxIHx/IYAVPwCNKqqaEdfGzPNvVYs60Qai6fJzayRu58iOwZxwG8cus+fWOyqAU/PCaaJmh4Zx/WGOhKOxyjH4HlinovtFp2TJKtuYNW2iwabrk2njvQCqrfyT/UHcfMinjr5pnMb3dmGvaWOqBig732ok4tNzo0M3eLSX1W5fliEf2Fqt5jOUIXITVqOxZB3OLF1lQbWlsr6T/26uWAKiV8N+hlsjR88B58cKkVEuhjI13OoTNlw9xt9YAc+klVMiFsGjlB4VG3lVKevvZkuFpOo6xeEVWNAa01MM0hx4H94/a2OKqfDoqS27F9U57ftDqzwE4k1EtLZciOkT3tM583MVc8plUgveJaCauzjvtHIf9hzG+zA/So43FwJwE/fV0nPsm9G9Y6rCR9q/zcL56PnlBNsXJ8NwM9UwW0ZjfXzVuuHkxUGqpcMIqkLBNGI9CTuzgLLevy3Ae5nHAW65skxEPJhcjKOx4WQI6dTT7HKXsa9S7okmWc0ExF3J1kU8su9uAdQQlJ1I4zxlBtEQRjdEbL0Z7HA9FlFmpk25FRZXXL8EL/k=
GlobalProtect login returned portal-prelogonuserauthcookie=empty
GlobalProtect login returned usually-equals-4=4
POST https://xxx.xx/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
Trying to run HIP Trojan script '/usr/libexec/openconnect/hipreport.sh'.
HIP script '/usr/libexec/openconnect/hipreport.sh' completed successfully (report is 2311 bytes).
POST https://xxx.xx/ssl-vpn/hipreport.esp
HIP report submitted successfully.
Set up UDP failed; using SSL instead
Configured as 10.193.24.194, with SSL connected and ESP disabled
Session authentication will expire at Thu May 23 17:51:25 2024

Using vhost-net for tun acceleration, ring size 32
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
^CPOST https://xxx.xx/ssl-vpn/logout.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting.

For completeness' sake, logs without --csd-wrapper set:

sudo openconnect --protocol=gp  xxx.xx

POST https://xxx.xx/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to xxx:443
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
Email address: [email protected]
Password: 
POST https://xxx.xx/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.1.4-711; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  GW-EXTERNAL-ON-DEMAND (xxx.xx)
Please select GlobalProtect gateway.
GATEWAY: [GW-EXTERNAL-ON-DEMAND]:GW-EXTERNAL-ON-DEMAND
POST https://xxx.xx/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=AUT-SEQ-GP
GlobalProtect login returned password-expiration-days=0
GlobalProtect login returned portal-userauthcookie=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
GlobalProtect login returned portal-prelogonuserauthcookie=empty
GlobalProtect login returned usually-equals-4=4
POST https://xxx.xx/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
WARNING: Server asked us to submit HIP report with md5sum 451e92e3c4065219a121a8c3a8224cfa.
    VPN connectivity may be disabled or limited without HIP report submission.
    You need to provide a --csd-wrapper argument with the HIP report submission script.
Set up UDP failed; using SSL instead
Configured as 10.193.24.195, with SSL connected and ESP disabled
Session authentication will expire at Thu May 23 17:55:42 2024

Using vhost-net for tun acceleration, ring size 32
Read error on SSL session: Erreur de la fonction « pull ».
Packet receive error: Opération non permise
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
^CPOST https://xxx.xx/ssl-vpn/logout.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting.
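The two runs above (with and without the HIP wrapper) differ in only a few lines, so a practitioner triaging this would want them reduced to the facts worth comparing: tunnel type, HIP report status, and DPD reconnect activity after the tunnel came up. The following is an added example, not code from this issue or from openconnect; the embedded log lines are constructed abbreviations of the output shown above, with host, cookie and md5sum values elided.

```python
"""Triage helper for openconnect --protocol=gp logs (added example, not
part of this issue or of openconnect): reduce a session log to tunnel
type, HIP report status and post-setup DPD reconnect cycles."""
import re

# Constructed samples abbreviated from the two runs in the issue (with and
# without --csd-wrapper); host, cookie and md5sum values are elided.
LOG_WITH_HIP = """\
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
HIP report submitted successfully.
Configured as 10.193.24.194, with SSL connected and ESP disabled
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
"""
LOG_WITHOUT_HIP = """\
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
WARNING: Server asked us to submit HIP report with md5sum <elided>.
Configured as 10.193.24.195, with SSL connected and ESP disabled
Read error on SSL session: <elided>
POST https://xxx.xx/ssl-vpn/getconfig.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
"""
DPD = "GPST Dead Peer Detection detected dead peer!"
HIP_OK = "HIP report submitted successfully."
HIP_ASK = "Server asked us to submit HIP report"


def summarise(log: str) -> dict:
    """Extract tunnel parameters and activity after the tunnel came up."""
    cfg = re.search(r"Configured as \S+, with (\w+) connected and ESP (\w+)", log)
    mtu = re.search(r"Calculated (\d+) for SSL tunnel", log)
    # Lines after "Configured as ..." are the established session; each
    # getconfig.esp POST there is openconnect re-establishing the tunnel.
    after = log[cfg.end():] if cfg else ""
    return {
        "tunnel": cfg.group(1) if cfg else None,  # "SSL": no ESP keys received
        "esp": cfg.group(2) if cfg else None,
        "mtu": int(mtu.group(1)) if mtu else None,
        "hip_submitted": HIP_OK in log,
        "hip_missing": HIP_ASK in log and HIP_OK not in log,
        "dpd_events": after.count(DPD),
        "reconnects": len(re.findall(r"^POST \S+/getconfig\.esp$", after, re.M)),
        "ssl_read_errors": after.count("Read error on SSL session"),
    }


def differing_fields(a: dict, b: dict) -> list:
    """Fields that differ between two runs, for side-by-side comparison."""
    return sorted(k for k in a if a[k] != b[k])
```

Running `differing_fields(summarise(LOG_WITH_HIP), summarise(LOG_WITHOUT_HIP))` shows that both runs negotiate a TLS-only tunnel with the same calculated MTU and reconnect the same number of times; only the HIP status, DPD count and SSL read errors differ.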

@dcarrillo

Hi, I have the same problem as @yjjl. I'm using SAML authentication via Okta. Tested the same things, same outcome.

In my case, once the connection has been made, there is almost no traffic, but somehow a few (very few) packets are able to reach the target and back (i.e., during a continuous ping). Tried to play with the MTU, no success.

@yjjl
Author

yjjl commented May 30, 2024

Update: today I managed to get it to run without having made any changes (other than the --disable-ipv6 flag). The connection is extremely intermittent and frequently disconnects completely, but at least it works some of the time, unlike before, although not reliably enough to be usable. I suspect there have been changes server-side, but our central IT staff are not very transparent about any changes.
