cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14621
Views
0
Helpful
16
Replies

1)Connection timed out / Failed to obtain WebVPN cookie-Using openconnect 2)Anyconnect Linux is where???

worldwide1
Level 1
Level 1

~$ sudo openconnect --version
OpenConnect version v8.05-1
Using GnuTLS. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
:~$ sudo openconnect -v devnetsandbox-usw1-reservation.cisco.com:20149
POST https://devnetsandbox-usw1-reservation.cisco.com:20149/
Attempting to connect to server 131.226.217.48:20149
Failed to connect to 131.226.217.48:20149: Connection timed out
Failed to connect to host devnetsandbox-usw1-reservation.cisco.com
Failed to open HTTPS connection to devnetsandbox-usw1-reservation.cisco.com
Failed to obtain WebVPN cookie

Openconnect didn't work using the GUI either

 

Where's (see pic) Anyconnect for Linux - if necessary?

1 Accepted Solution

Accepted Solutions

16 Replies 16

worldwide1
Level 1
Level 1

 

Failed to establish PC/SC context: Service not available.
POST https://devnetsandbox-usw1-reservation.cisco.com:20131/
Attempting to connect to server 131.226.217.48:20131
Socket connect canceled
Failed to connect to 131.226.217.48:20131: Interrupted system call
Failed to connect to host devnetsandbox-usw1-reservation.cisco.com
Failed to open HTTPS connection to devnetsandbox-usw1-reservation.cisco.com
POST https://devnetsandbox-usw1-reservation.cisco.com:20131/
Attempting to connect to server 131.226.217.48:20131

It's not me...dig works

 

~$ sudo openconnect -v devnetsandbox-usw1-reservation.cisco.com:20131

POST https://devnetsandbox-usw1-reservation.cisco.com:20131/
Attempting to connect to server 131.226.217.48:20131
Failed to connect to 131.226.217.48:20131: Connection timed out
Failed to connect to host devnetsandbox-usw1-reservation.cisco.com
Failed to open HTTPS connection to devnetsandbox-usw1-reservation.cisco.com
Failed to obtain WebVPN cookie

~$ dig 131.226.217.48

; <<>> DiG 9.16.1-Ubuntu <<>> 131.226.217.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3641
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;131.226.217.48. IN A

;; Query time: 2772 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Feb 14 07:05:10 PST 2021
;; MSG SIZE rcvd: 43

The attached screenshots include the anyconnect version, firewall settings (all off) and the anyconnect adapter displaying the "unplugged".

The other anyconnect adapter status is disabled and you have to enable it and that results in the unplugged status.

Again this is a windows 10 vm on a Linux host and the the vm assumes the state of the host and the adapter is bridged. (see pic)

 

I hope this helps but I'd rather have an Openconnect solution because, again, this a 127GB anyconnect solution that wont do.

All of the above still applies but THIS time I am on the win10 vm.

As of this morning,16 Feb 2021, I've deleted the win10vm. Spun up a ubuntu 16 vm, install openconnect but it failed, after ctl+c, with "Failed to obtain WebVPN cookie" too.

Please try

 

sudo openconnect devnetsandbox-usw1-reservation.cisco.com:20149 -v --no-dtls -u {username}

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Same outcome ...and to be sure I tried {worldwide1} ...also tried with --os=linux-64 w/ same outcomes

I got to see the encrypted traffic in Wireshark

 

$ sudo openconnect devnetsandbox-usw1-reservation.cisco.com:20170 -v --no-dtls -u worldwide1
POST https://devnetsandbox-usw1-reservation.cisco.com:20170/
Attempting to connect to server 131.226.217.48:20170
Failed to connect to 131.226.217.48:20170: Connection timed out
Failed to connect to host devnetsandbox-usw1-reservation.cisco.com
Failed to open HTTPS connection to devnetsandbox-usw1-reservation.cisco.com
Failed to obtain WebVPN cookie

 

sudo openconnect devnetsandbox-usw1-reservation.cisco.com:20111 -v -l --no-dtls --dump-http-traffic -u worldwide1

 

 

~$ sudo openconnect devnetsandbox-usw1-reservation.cisco.com:20111 -v -l --no-dtls --dump-http-traffic -u worldwide1
 
Failed to obtain WebVPN cookie
~$ dig devnetsandbox-usw1-reservation.cisco.com

; <<>> DiG 9.16.1-Ubuntu <<>> devnetsandbox-usw1-reservation.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25899
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;devnetsandbox-usw1-reservation.cisco.com. IN A

;; ANSWER SECTION:
devnetsandbox-usw1-reservation.cisco.com. 538 IN A 131.226.217.48

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Feb 17 13:02:45 PST 2021
;; MSG SIZE rcvd: 85

wizbang@ubuntu:~$ ping devnetsandbox-usw1-reservation.cisco.com
PING devnetsandbox-usw1-reservation.cisco.com (131.226.217.48) 56(84) bytes of data.
^C
--- devnetsandbox-usw1-reservation.cisco.com ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 15352ms

~$

 

 

====== from syslog ..the -l (el) ===========

Feb 17 13:10:16 ubuntu openconnect[2537]: POST https://devnetsandbox-usw1-reservation.cisco.com:20111/
Feb 17 13:10:16 ubuntu openconnect[2537]: Attempting to connect to server 131.226.217.48:20111
Feb 17 13:12:27 ubuntu openconnect[2537]: Failed to connect to 131.226.217.48:20111: Connection timed out
Feb 17 13:12:27 ubuntu openconnect[2537]: Failed to connect to host devnetsandbox-usw1-reservation.cisco.com
Feb 17 13:12:27 ubuntu openconnect[2537]: Failed to open HTTPS connection to devnetsandbox-usw1-reservation.cisco.com

@worldwide1 sandbox does not allow URL/Endpoints to return ICMP/ping. This is within the security posture of the sandbox design. I tested your active session and this connects with success.

 

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Could also be worth looking to see if the ports are block somewhere. The port range will be anywhere from TCP 20100 through TCP 20354. You can check this using TCP traceroute for example (use your VPN headend and port details provided in the email you recieved)

 

STUACLAR-M-R6EU:~ stuaclar$ sudo tcptraceroute devnetsandbox-emea-gwy.cisco.com 20203
Selected device en0, address 192.168.1.101, port 63826 for outgoing packets
Tracing the path to devnetsandbox-emea-gwy.cisco.com (173.38.221.89) on TCP port 20203, 30 hops max
 1  192.168.1.254  1.831 ms  1.113 ms  1.559 ms
 2  * * *
 3  * * *
 4  31.55.187.180  13.037 ms  12.095 ms  11.195 ms
 5  core1-hu0-16-0-6.southbank.ukcore.bt.net (213.121.192.88)  10.672 ms  9.822 ms  9.682 ms
 6  peer7-et-3-1-6.telehouse.ukcore.bt.net (109.159.252.234)  10.450 ms  10.304 ms  10.335 ms
 7  166-49-214-194.gia.bt.net (166.49.214.194)  10.783 ms  9.963 ms  12.102 ms
 8  166-49-214-191.gia.bt.net (166.49.214.191)  38.028 ms  31.357 ms  29.346 ms
 9  xe-1-1-1.cr1-ams9.ip4.gtt.net (89.149.181.205)  20.741 ms  20.691 ms  22.442 ms
10  134.222.93.54  23.656 ms  20.596 ms  22.114 ms
11  128.107.10.9  23.190 ms  21.363 ms  21.631 ms
12  aer01-mda1-dmzbb-gw2-be91.cisco.com (173.38.246.82)  21.595 ms  21.520 ms  20.654 ms
13  aer01-mda2-dmznet-gw2-ten2-1.cisco.com (173.38.208.38)  20.263 ms  21.228 ms  20.618 ms
14  aer01-mda2-dmzvaas-gw2-gig0-2.cisco.com (173.38.208.230)  25.564 ms  23.230 ms  30.669 ms
15  173.38.209.138  70.558 ms  56.920 ms *
16  173.38.221.90  59.116 ms  59.697 ms  57.287 ms
17  devnetsandbox-emea-gwy.cisco.com (173.38.221.89) [open]  56.273 ms  73.167 ms  60.886 ms

https://articles.assembla.com/en/articles/1589335-how-to-use-tcp-traceroute

 

Hope this helps.

 

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

On both the host and the vm.  Both are xubuntu.

~$ sudo ufw status
Status: inactive
~$

 

============

 

$ sudo traceroute -T devnetsandbox-usw1-reservation.cisco.com 20208
traceroute to devnetsandbox-usw1-reservation.cisco.com (131.226.217.48), 30 hops max, 60 byte packets
1 * * *
2 142.254.183.173 (142.254.183.173) 15.175 ms 15.634 ms 15.544 ms
3 agg60.vnnzca2402h.socal.rr.com (76.167.27.77) 16.194 ms 16.094 ms 15.982 ms
4 72.129.14.86 (72.129.14.86) 19.735 ms 19.598 ms 14.825 ms
5 agg29.tustcaft01r.socal.rr.com (72.129.13.2) 16.300 ms 19.236 ms 19.118 ms
6 bu-ether16.tustca4200w-bcr00.tbone.rr.com (66.109.6.64) 18.999 ms ae-5-0.cr0.chi10.tbone.rr.com (66.109.6.202) 33.039 ms 209-18-43-72.dfw10.tbone.rr.com (209.18.43.72) 17.918 ms
7 * * *
8 * * *
9 CYXTERA-COM.ear2.SanJose1.Level3.net (4.16.45.254) 27.849 ms 27.652 ms 27.501 ms
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
:~$

 

=======with -p 20208 ====

$ sudo traceroute -T -p 20208 devnetsandbox-usw1-reservation.cisco.com
traceroute to devnetsandbox-usw1-reservation.cisco.com (131.226.217.48), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
:~$

============

~$ sudo tcptraceroute devnetsandbox-usw1-reservation.cisco.com 20208
Running:
traceroute -T -O info -p 20208 devnetsandbox-usw1-reservation.cisco.com
traceroute to devnetsandbox-usw1-reservation.cisco.com (131.226.217.48), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
~$

@worldwide1  so in the use example one, traffic being dropped at CYXTERA-COM.ear2.SanJose1.Level3.net (4.16.45.254) and the other traceroute, it is not leaving the local network, no route etc... I think this explains why you are getting the 'no internet message' here.

 

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Reading this (see pic) due to your help.

 

Thank you very much.

I've also no problems spinning up that win10vm to chase down the "disconnected" cable feature?

Let me know.