Cannot connect to non-standard HTTPS port #23
Comments
|
Possibly related: https://serverfault.com/questions/771645/openconnect-cannot-connect-to-anyconnect-vpn-group-using-g I wonder if the <group-access> field has the wrong value if a port number is specified. If possible, try experimenting with v7.04 of the command-line openconnect client on Linux or OSX, as that will be easier than repeatedly modifying the library and rebuilding for Android. |
|
Hi Kevin, Given that the debugs on the ASA are lacking, I set up a MitM proxy to be able to see the traffic sent by OpenConnect on Android and I think the problem is this: OpenConnect v7.08 running on Linux sends a POST request with: Host: vpn.example.com:4443 and <group-access>https://vpn.example.com:4443/GROUPNAME</group-access> in the body of the POST. OpenConnect running on Android sends: Host: vpn.example.com (i.e. no port), and: <group-access>https://vpn.example.com/GROUPNAME</group-access> (Again, no port.) There is only one HTTP request made by OpenConnect, and it's immediately rejected by the ASA with that "Invalid host entry. Please re-enter" response. Is OpenConnect for Android based on OpenConnect v7.04? If so, is it too difficult to make OpenConnect for Android use OpenConnect v7.08 as it seems to be working fine on that version? I can try to identify a commit that (possibly) fixed this behavior, if that helps. Cheers! |
Some additional work will be needed to use libopenconnect 7.08 on Android. It is on my TODO list but it isn't currently a high priority. It would be helpful to understand whether this issue is something that is fixed by upgrading from 7.04 to 7.08, or if it is something specific to Android on 7.04. |
|
I am pretty sure this issue will be fixed with an upgrade to a more recent OpenConnect version... For the "<group-access>" XML node, the non-standard port is appended to the URI in auth.c:xmlpost_initial_req(): This part of the code was re-worked because it's different in v7.04: (No non-standard port is appended.) Same thing for the "Host:" HTTP header: In v7.08's cstp.c:start_cstp_connection() the code is: (i.e. non-standard port appended to the host.) but in v7.04's cstp.c:start_cstp_connection() the code is simply: |
|
The master branch is now based on v7.08 + additional fixes. Can you retest? Here's a debug APK, if needed: https://storage.googleapis.com/cernekee-travis/ics-openconnect/OpenConnect-debug.apk |
|
Hi Kevin,
My apologies for the late reply.
I've tested the .apk you linked to below and everything worked great.
Thanks a lot for spending the time to make OpenConnect for Android work
work with the latest OpenConnect.
Cheers,
Eloy Paris.-
…On Sun, Feb 04, 2018 at 03:53:05AM +0000, Kevin Cernekee wrote:
The master branch is now based on v7.08 + additional fixes. Can you retest?
Here's a debug APK, if needed:
https://storage.googleapis.com/cernekee-travis/ics-openconnect/OpenConnect-debug.apk
--
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub:
#23 (comment)
|
|
Closed per #23 (comment) |
My Cisco ASA is configured to terminate SSL VPN connection on port 4443. Android OpenConnect (latest version from the Google Play store) is not able to connect. The full OpenConnect log is in the screenshot mentioned below but the ASA is apparently returning the message "Invalid host entry. Please re-enter".
OpenConnect 7.08 running on Linux is able to connect with no issues.
On the ASA side, with lots of debugs enabled, I see this for a bad connection:
(And that's it; I only have the OpenConnect log on the phone as additional information.)
A good connection from Linux running OpenConnect 7.08 shows this:
Any idea about what could be wrong? Perhaps the wrong Host: header is being passed? It should be "Host: vpn.xxxxx.com:4443", right?
Thanks in advance for any insight.
The text was updated successfully, but these errors were encountered: