Ubuntu 16.04 openconnect cisco vpn failed to obtain webvpn cookie
Solution 1
I found my answer through this post:
https://gist.github.com/l0ki000/56845c00fd2a0e76d688
I did the following:
cd ~
mkdir .cisco
cd .cisco
wget https://gist.githubusercontent.com/l0ki000/56845c00fd2a0e76d688/raw/61fc41ac8aec53ae0f9f0dfbfa858c1740307de4/csd-wrapper.sh
chmod +x csd-wrapper.sh
Edit the file with the vpn server:
CSD_HOSTNAME=vpnserver.com
Run the file
./csd-wrapper.sh
Run openconnect:
sudo openconnect --csd-user=YOURLINUXUSERNAME --csd-wrapper=/home/YOURLINUXUSERNAME/.cisco/csd-wrapper.sh vpnserver.com
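The steps in Solution 1 download a script that openconnect then executes on every connection. As an added example (not part of the original answer or the gist), the function below installs the downloaded file only if it matches a SHA-256 you recorded after reading the script; install_csd_wrapper, sha256_of and the pinned value are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answer or the gist.
# Installs a downloaded CSD wrapper only if it matches a SHA-256 you pinned
# after reading the script. All names below are assumptions of this example.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# install_csd_wrapper SRC EXPECTED_SHA256 DEST
# Returns 0 on success, 1 on hash mismatch, 2 on bad arguments or I/O failure.
install_csd_wrapper() {
    src=$1; expected=$2; dest=$3
    [ -f "$src" ] && [ -n "$dest" ] || return 2

    # A truncated or mistyped pin must fail closed, not compare as a prefix.
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2

    # Hash the exact bytes that were downloaded before anything executes them.
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $src: sha256 $actual does not match the pinned value" >&2
        return 1
    fi

    # Keep the directory private: openconnect runs whatever sits at DEST.
    destdir=$(dirname "$dest")
    mkdir -p "$destdir" && chmod 700 "$destdir" || return 2

    # Write to a temp file and rename, so DEST is never a half-copied script.
    tmp=$(mktemp "$destdir/.csd.XXXXXX") || return 2
    cp "$src" "$tmp" && chmod 700 "$tmp" && mv -f "$tmp" "$dest" && return 0
    rm -f "$tmp"
    return 2
}

# Usage (the hash is a placeholder for the value you recorded yourself):
#   install_csd_wrapper ./csd-wrapper.sh "<PINNED_SHA256>" "$HOME/.cisco/csd-wrapper.sh"
```

Verify the file as downloaded, before the CSD_HOSTNAME edit, since editing changes the hash.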
Solution 2
I found that I needed to specify --os=win as well. This seemed to work around a 404 response that the server was generating when attempting to download sfinst.
GET https://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 404 Not Found (does not exist)
Information on the 404 for sfinst issue can be found on the openconnect-devel mailing list "Connecting with Linux when the CSD is available" post.
I had success with the following command which uses the os flag and the csd-wrapper flag together:
sudo openconnect \
--user <USERNAME> \
--cert-expire-warning=15 \
--certificate <CERTFILE> \
--os=win \
--csd-user=<USERNAME> \
--csd-wrapper=<PATHTO>/csd-wrapper.sh \
https://<VPNADDRESS e.g., vpn.company.com>
Solution 3
I had this error in Ubuntu 18.04.
I was able to connect to the server using the link below and the second answer.
Just use the -v flag:
sudo openconnect -v NAMESERVER.COM
sdstack
Updated on September 18, 2022
Comments
-
sdstack over 1 year
On Ubuntu 16.04 I am getting the following error:
$ openconnect -v vpn.com
POST https://vpn.com/
Attempting to connect to server 1.1.1.1:443
SSL negotiation with vpn.com
Connected to HTTPS on vpn.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Aug 2016 00:04:14 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Error: Server asked us to run CSD hostscan.
You need to provide a suitable --csd-wrapper argument.
Failed to obtain WebVPN cookie
I tried --no-xmlpost post and got an error as well.
Here is some background:
I had Ubuntu 14.04 and was connecting to the vpn server using openconnect. Then a week ago, it stopped working with this issue. My guess is that the vpn site upgraded its Cisco vpn server to require the CSD trojan. Anyhow, I decided to upgrade to 16.04 and still have the same problem.
-
totymedli about 6 years
For me, the solution was in this answer. I needed to use a different option for the command: --authgroup instead of --usergroup.
-
Leo over 4 years
For me, the issue was that I had a bad nameserver configuration in /etc/resolv.conf and DNS lookups were failing.
-
Randall over 5 years
Curious - why are you running openconnect with sudo? They support non-root operation. From that page: For security reasons, it is better if network-facing code can run without root privileges — and there are a few options which allow OpenConnect to run as an unprivileged user instead.
-
Mark about 4 years
Link to post appears to be broken (good reason to put all relevant content in the answer)--anyone have an updated link/script?
-
Val Blant almost 4 years
"--os=win" was the missing piece for me as well.
-
Randall over 3 years
@Mark - the openconnect Gitlab project has updated copies of csd-wrapper.sh and csd-post.sh in the trojans folder. You only specify one or the other as the argument to --csd-wrapper. csd-post.sh lets you explicitly craft the response sent back, while csd-wrapper.sh tries to run the Cisco host scanning binaries.
-
hajimuz over 3 years
Works for me. Thank you!