
On Ubuntu 16.04 I am getting the following error:

$ openconnect -v vpn.com
POST https://vpn.com/
Attempting to connect to server 1.1.1.1:443
SSL negotiation with vpn.com
Connected to HTTPS on vpn.com
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Aug 2016 00:04:14 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Error: Server asked us to run CSD hostscan.
You need to provide a suitable --csd-wrapper argument.
Failed to obtain WebVPN cookie

I tried `--no-xmlpost` and got an error as well.

Here is some background:
I had Ubuntu 14.04 and was connecting to the VPN server using openconnect. Then, a week ago, it stopped working with this issue. My guess is that the VPN site upgraded its Cisco VPN server to require the CSD trojan. Anyhow, I decided to upgrade to 16.04 and still have the same problem.

abu_bua
sdstack
  • For me, the solution was [in this answer](https://serverfault.com/a/783791/257331). I needed to use a different option for the command: `--authgroup` instead of `--usergroup`. – totymedli Feb 09 '18 at 14:18
  • For me, the issue was that I had a bad nameserver configuration in `/etc/resolv.conf` and DNS lookups were failing. – Leo Sep 09 '19 at 20:20

3 Answers


I found my answer through this post:
https://gist.github.com/l0ki000/56845c00fd2a0e76d688

I did the following:

cd ~  
mkdir .cisco  
cd .cisco  
wget https://gist.githubusercontent.com/l0ki000/56845c00fd2a0e76d688/raw/61fc41ac8aec53ae0f9f0dfbfa858c1740307de4/csd-wrapper.sh  
chmod +x csd-wrapper.sh  

Edit the file with the vpn server:

CSD_HOSTNAME=vpnserver.com  

Run the file

./csd-wrapper.sh  

Run openconnect:

sudo openconnect --csd-user=YOURLINUXUSERNAME --csd-wrapper=/home/YOURLINUXUSERNAME/.cisco/csd-wrapper.sh vpnserver.com  
Maura
sdstack
    Curious - why are your running openconnect with `sudo`? They support [non-root operation](http://www.infradead.org/openconnect/nonroot.html). From that page: _For security reasons, it is better if network-facing code can run without root privileges — and there are a few options which allow OpenConnect to run as an unprivileged user instead._ – Randall Aug 23 '18 at 20:53
  • Link to post appears to be broken (good reason to put all relevant content in the answer)--anyone have an updated link/script? – Mark Feb 19 '20 at 15:39
  • 1
    @Mark - the openconnect Gitlab project has updated copies of csd-wrapper.sh and csd-post.sh [in the trojans folder](https://gitlab.com/openconnect/openconnect/-/tree/master/trojans). You only specify one or the other as the argument to `--csd-wrapper`. `csd-post.sh` lets you explicitly craft the response sent back, while `csd-wrapper.sh` tries to run the Cisco host scanning binaries. – Randall Jul 28 '20 at 20:55
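As an added example (not code from the answer above, from the linked gist, or from openconnect's own csd-wrapper.sh or csd-post.sh): a wrapper like csd-wrapper.sh downloads hostscan binaries and executes them as the `--csd-user`, so the guard a practitioner wants in front of that download is a check that the file is only ever fetched over HTTPS from the VPN server the client is authenticating to. The script below assumes the invocation convention openconnect uses for the wrapper, `-ticket <t> -stub <n> -group <g> -certhash <h> -url <u> -langselen` with `CSD_HOSTNAME` exported, and that values may arrive wrapped in literal double quotes (which the project's wrapper strips); both are assumptions of this example, not facts stated on the page. The hostname, ticket and group values at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the answer above or from openconnect's own csd-wrapper.sh.
# Parses the arguments a --csd-wrapper receives, then refuses to download
# hostscan binaries from anywhere except https://$CSD_HOSTNAME.
#
# Assumed invocation (not stated on the page):
#   wrapper -ticket <t> -stub <n> -group <g> -certhash <h> -url <u> -langselen
# Assumed: each value may be wrapped in literal double quotes, so strip them.

# Fill CSD_TICKET, CSD_STUB, CSD_GROUP, CSD_CERTHASH and CSD_URL from "$@".
# Returns 1 if an option that takes a value has none.
parse_csd_args() {
    CSD_TICKET=""; CSD_STUB=""; CSD_GROUP=""; CSD_CERTHASH=""; CSD_URL=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -ticket|-stub|-group|-certhash|-url)
                [ $# -ge 2 ] || return 1
                opt=$1
                shift
                val=$(printf '%s' "$1" | tr -d '"')   # drop literal quotes
                case "$opt" in
                    -ticket)   CSD_TICKET=$val ;;
                    -stub)     CSD_STUB=$val ;;
                    -group)    CSD_GROUP=$val ;;
                    -certhash) CSD_CERTHASH=$val ;;
                    -url)      CSD_URL=$val ;;
                esac
                ;;
            -langselen) ;;   # bare flag, takes no value
        esac
        shift
    done
    return 0
}

# Print the host of a URL: scheme, port and path removed, lower-cased.
# Anything unusual (userinfo, an empty host) simply fails the exact match below.
url_host() {
    h=${1#*://}
    h=${h%%/*}
    h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Succeed only for an https URL whose host is exactly CSD_HOSTNAME.
check_csd_url() {
    [ -n "$CSD_HOSTNAME" ] || return 1
    case "$1" in
        https://*) ;;
        *) return 1 ;;
    esac
    [ "$(url_host "$1")" = "$(printf '%s' "$CSD_HOSTNAME" | tr 'A-Z' 'a-z')" ]
}

# Download a hostscan file only after the URL check passes; curl is pinned to
# https for the request and for any redirect. Needs network, so not run here.
fetch_if_trusted() {
    url=$1; dest=$2
    check_csd_url "$url" || {
        echo "refusing to fetch $url: not https://$CSD_HOSTNAME" >&2
        return 1
    }
    curl --fail --silent --show-error --proto '=https' --proto-redir '=https' \
        -o "$dest" "$url"
}

# Constructed demonstration values (the path is the sfinst path quoted on this page).
CSD_HOSTNAME=vpnserver.com
parse_csd_args -ticket '"ABC123"' -stub '"0"' -group '"Employees"' \
    -certhash '"0123456789ABCDEF"' \
    -url '"https://vpnserver.com/CACHE/sdesktop/install/binaries/sfinst"' -langselen
echo "ticket=$CSD_TICKET group=$CSD_GROUP url=$CSD_URL"
if check_csd_url "$CSD_URL"; then echo "accepted: $CSD_URL"; else echo "rejected: $CSD_URL"; fi
OTHER="https://evil.example/CACHE/sdesktop/install/binaries/sfinst"
if check_csd_url "$OTHER"; then echo "accepted: $OTHER"; else echo "rejected: $OTHER"; fi
```

The check is deliberately an exact host match rather than a suffix or regex match, so a URL with userinfo, a different port notation or a look-alike host is rejected rather than reasoned about. Whatever the wrapper then executes still runs with the privileges of the `--csd-user`, which is the reason to keep that user separate from the account that owns your data, and to run openconnect itself without `sudo` where possible, as the comment above notes.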

I found that I needed to specify --os=win as well. This seemed to work around a 404 response that the server was generating when attempting to download sfinst.

GET https://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 404 Not Found (does not exist)

Information on the 404 for sfinst issue can be found on the openconnect-devel mailing list "Connecting with Linux when the CSD is available" post.

I had success with the following command which uses the os flag and the csd-wrapper flag together:

sudo openconnect \
    --user <USERNAME> \
    --cert-expire-warning=15 \
    --certificate <CERTFILE> \
    --os=win \
    --csd-user=<USERNAME> \
    --csd-wrapper=<PATHTO>/csd-wrapper.sh \
    https://<VPNADDRESS e.g., vpn.company.com>
D.A.

I had this error on Ubuntu 18.04. I was able to connect to the server using the link below and the second answer.

Just use the -v flag:

sudo openconnect -v NAMESERVER.COM
abu_bua
hoseinmont