Ubuntu 16.04 openconnect cisco vpn failed to obtain webvpn cookie

networking vpn cisco openconnect

43,426

Solution 1

I found my answer through this post:
https://gist.github.com/l0ki000/56845c00fd2a0e76d688

I did the following:

cd ~  
mkdir .cisco  
cd .cisco  
wget https://gist.githubusercontent.com/l0ki000/56845c00fd2a0e76d688/raw/61fc41ac8aec53ae0f9f0dfbfa858c1740307de4/csd-wrapper.sh  
chmod +x csd-wrapper.sh

Edit the file with the vpn server:

CSD_HOSTNAME=vpnserver.com

Run the file

./csd-wrapper.sh

Run openconnect:

sudo openconnect --csd-user=YOURLINUXUSERNAME --csd-wrapper=/home/YOURLINUXUSERNAME/.cisco/csd-wrapper.sh vpnserver.com

Solution 2

I found that I needed to specify --os=win as well. This seemed to work around a 404 response that the server was generating when attempting to download sfinst.

GET https://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 404 Not Found (does not exist)

Information on the 404 for sfinst issue can be found on the openconnect-devel mailing list "Connecting with Linux when the CSD is available" post.

I had success with the following command which uses the os flag and the csd-wrapper flag together:

sudo openconnect \
    --user <USERNAME> \
    --cert-expire-warning=15 \
    --certificate <CERTFILE> \
    --os=win \
    --csd-user=<USERNAME> \
    --csd-wrapper=<PATHTO>/csd-wrapper.sh \
    https://<VPNADDRESS e.g., vpn.company.com>

Solution 3

I had this Error in Ubuntu 18.04
I was able to connect to the server using the link below and the second answer.

just use the -v flag

sudo openconnect -v NAMESERVER.COM

43,426

sdstack

Updated on September 18, 2022

Comments

sdstack over 1 year
On Ubuntu 16.04 I am getting the following error:
```
$ openconnect -v vpn.com
POST https://vpn.com/
Attempting to connect to server 1.1.1.1:443
SSL negotiation with vpn.com
Connected to HTTPS on vpn.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Aug 2016 00:04:14 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Error: Server asked us to run CSD hostscan.
You need to provide a suitable --csd-wrapper argument.
Failed to obtain WebVPN cookie
```
I tried --no-xmlpost post and got error as well.

Here is some background:
I had Ubuntu 14.04 and was connecting to vpn server using openconnect. Then a week ago, it stopped working with this issue. My guess is that the vpn site upgraded its Cisco vpn server to required to CSD trojan. Anyhow, I decided to upgrade to 16.04 and still have the same problem.
- totymedli about 6 years
  
  For me, the solution was in this answer. I needed to use a different option for the command: --authgroup instead of --usergroup.
- Leo over 4 years
  
  For me, the issue was that I had a bad nameserver configuration in /etc/resolv.conf and DNS lookups were failing.
Randall over 5 years

Curious - why are your running openconnect with sudo? They support non-root operation. From that page: For security reasons, it is better if network-facing code can run without root privileges — and there are a few options which allow OpenConnect to run as an unprivileged user instead.
Mark about 4 years

Link to post appears to be broken (good reason to put all relevant content in the answer)--anyone have an updated link/script?
Val Blant almost 4 years

"--os=win" was the missing piece for me as well.
Randall over 3 years

@Mark - the openconnect Gitlab project has updated copies of csd-wrapper.sh and csd-post.sh in the trojans folder. You only specify one or the other as the argument to --csd-wrapper. csd-post.sh lets you explicitly craft the response sent back, while csd-wrapper.sh tries to run the Cisco host scanning binaries.
hajimuz over 3 years

works for me. Thank you!