Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2804
Views
25
Helpful
4
Replies

AnyConnect VPN client fails on Fedora 28

gitman
Level 1
Level 1

‎05-24-2018 07:18 PM - edited ‎03-20-2019 10:10 PM

On Fedora 28, which ships with GCC 8.1.1 / libstdc++ 8.1.1, the hostscan (cscan) utility that AnyConnect runs in the background after you attempt to connect encounters an error and segfaults, preventing the completion of the scan (which is what AnyConnect refers to as "CSD verification", or "posture assessment", or "pre-login verification"). This causes AnyConnect to just sit and wait without end after you enter your credentials.

 

Here is the error that is displayed when running the CLI client:

/builddir/build/BUILD/gcc-8.1.1-20180502/obj-x86_64-redhat-linux/x86_64-redhat-linux/libstdc++-v3/include/bits/basic_string.h:3965: std::basic_string<_CharT, _Traits, _Alloc>::reference std::basic_string<_CharT, _Traits, _Alloc>::operator[](std::basic_string<_CharT, _Traits, _Alloc>::size_type) [with _CharT = char; _Traits = std::char_traits<char>; _Alloc = std::allocator<char>; std::basic_string<_CharT, _Traits, _Alloc>::reference = char&; std::basic_string<_CharT, _Traits, _Alloc>::size_type = long unsigned int]: Assertion '__pos <= size()' failed.

 

Referencing https://bugzilla.redhat.com/show_bug.cgi?id=1515858 and https://fedoraproject.org/wiki/Changes/HardeningFlags28, it seems the use of'-Wp,-D_GLIBCXX_ASSERTIONS' in the compiler flags is why this is happening now in Fedora 28.

 

The important thing to note is that this does expose a real bug in cscanbecause, as stated in the Redhat bugzilla ticket, the new compiler flags "will enable additional security hardening which performs range checking for operator[] in std::vector, std::string, and std::array." Based on the error output from cscan, it seems to be accessing an illegal string position.

 

I'm experiencing this on AnyConnect versions 4.3, 4.5, and 4.6 starting with Fedora 28. Fedora 27 and earlier is not affected. Please also consider that this change to Fedora will eventually make its way to Redhat Enterprise Linux (RHEL).

 

Update: If I copy the /lib64/libstdc++.so.6.0.24 from Fedora 27 and place it into ~/.cisco/hostscan/lib/libstdc++.so.6, then I am able to work around this issue.

4 people had this problem
Labels:
4 Replies 4

MathieuBlanvillain2693
Level 1
Level 1

‎07-14-2019 11:05 PM

Hi,

I've the same problem. Any chance you can share the lib64/libstdc++.so.6.0.24 from Fedora 27 ?

Thanks

Mathieu

gitman
Level 1
Level 1

‎07-15-2019 08:11 AM

Download the appropriate RPM for your architecture from https://koji.fedoraproject.org/koji/buildinfo?buildID=1105342 and open it in file-roller

MathieuBlanvillain2693
Level 1
Level 1
In response to gitman

‎07-15-2019 01:29 PM

Thanks a lot gitman
0 Helpful

MathieuBlanvillain2693
Level 1
Level 1
In response to MathieuBlanvillain2693

‎07-16-2019 06:43 AM

Hi all,

 

just to let you know that, thanks to @gitman, I've fixed my problem.

 

The complete steps are : 

 

removing completely Anyconnect client by using posture/dart/vpn _uninstall.sh.

then, rebooting.

Then re installing the client

try to launch one time.

copy the .so as said by @gitman into the hostscan directory

rebooting

and then,, it works ... only in batch mode. GUI is still stuck when trying to connect.

 

Thanks a lot @gitman  

Customers Also Viewed These Support Documents