06-04-2025 10:13 AM
Pretty sure this isn't a unique case, but I can't seem to find a viable solution.
TL;DR - we replaced our old VPN solution with a Meraki MX67 and our Linux users cannot use AnyConnect due to constant reconnects.
Now the long version -
Some of our end users are unable to use the Cisco AnyConnect client for Linux due to it constantly reconnecting. This is most likely due to them using Docker containers on their workstations, and the constant starting and stopping of these containers is triggering the reconnects. Unfortunately I can't just tell them 'don't use Docker'. With our old VPN solution we used the OpenConnect client and it worked fine. However, we cannot use the OpenConnect client due to constantly receiving an HTTP 401 when trying to connect.
After testing various variations of trying to connect with OpenConnect, it has all resulted in an HTTP 401 error. If you're wondering why I am using OpenConnect when AnyConnect 'works': because a basic search yields 'best workaround is to use OpenConnect'. Plus our users like it, and it's simple with almost zero change in their connect workflow.
So here are the question(s):
* If you've run into this issue with OpenConnect, can you share what you have done to get past it?
* If you have found a way to get past this constant reconnecting when a network interface state changes, would you mind sharing what you've done?
Currently on the MX67 we are using RADIUS as the auth method, and that RADIUS server (FreeRADIUS) is using LDAP to validate credentials. I can share whatever is needed (and whatever I can) to get past this problem.
TIA
Sinh
06-16-2025 07:46 AM - edited 06-16-2025 07:46 AM
Unfortunately, OpenConnect does not work anymore with our Cisco VPN servers -- at least for me (also `--protocol=anyconnect --useragent=Anyconnect` doesn't help). Now, to use containers for development, I have to log out of the VPN, change the Docker proxy settings, do my work, reconnect, and change the proxy settings back. Extremely annoying.
06-16-2025 11:04 AM
Well, that's pretty not great to hear. Especially since everything points to 'use OpenConnect'.
06-17-2025 12:19 AM
First of all, the disconnection when doing Docker work seems to be a long-lasting bug of the AnyConnect client.
After searching the web and trying out some things for some time, I managed to get it to work with the OpenConnect client, though.
My observed problem was that after entering the TOTP token, I first got an HTTP 200 (OK), but then shortly afterwards an HTTP 404 (Not authorized) error. This can be seen in detail in the --verbose output of openconnect.
I needed to change 2 things:
1. I added a more specific user agent string. I got this from this website and used it as a wild guess, but it worked. As user agent I used "AnyConnect Windows 5.1.7.80". The version number I took from the AnyConnect client I downloaded from my company as the one to use.
2. I had to add the gnutls-priority option.
Eventually, the working command looked like this:
```shell
openconnect \
  --protocol=anyconnect \
  --useragent="AnyConnect Windows 5.1.7.80" \
  --background \
  --gnutls-priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+RSA:+AES-128-CBC:+SHA1 \
  --user "$USER" \
  "https://$ourGateWayServer/token"   # $ourGateWayServer: placeholder for your VPN gateway host
```
06-17-2025 01:57 AM
06-17-2025 04:10 AM
Hi sinh,
Sorry, sinh. I initially missed the 401, and that you use RADIUS is a completely different setting than mine. So my posts are really not correct in your thread. Sorry for this.
I hope you find a solution. Unfortunately, I have no clue about RADIUS.
vinjana