Connection keeps resetting, error message GPST Dead Peer Detection detected dead peer!

[yjjl]

Used to work until recently, no known changes server-side
SAML authentication works, but no internet connectivity once connection has been made.
Connection information returns Default route 0.0.0.0 for tun interface
Output below

Error message "GPST Dead Peer Detection detected dead peer!" did not appear previously.

Command line output:

[2024-05-14T16:30:06Z INFO  gpclient::cli] gpclient started: 2.2.1 (2024-05-07)
[2024-05-14T16:30:06Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-05-14T16:30:07Z INFO  gpauth::cli] gpauth started: 2.2.1 (2024-05-07)
[2024-05-14T16:30:07Z INFO  gpauth::cli] Fixing OpenSSL environment
[2024-05-14T16:30:07Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect
[2024-05-14T16:30:07Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-05-14T16:30:07Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/2efd699a-1922-4e69-b601-108008d28a2e/saml2?SAMLRequest=n**********%3D&RelayState=L**********x
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:09Z INFO  gpauth::auth_window] Raise window in 1 second(s)

(process:74417): libsoup-WARNING **: 17:30:10.252: gssapi step failed: No credentials were supplied, or the credentials were unavailable or inaccessible: SPNEGO cannot find mechanisms to negotiate
[2024-05-14T16:30:11Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect Login
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/2efd699a-1922-4e69-b601-108008d28a2e/login
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:16Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/common/SAS/ProcessAuth
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:28Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/kmsi
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:41Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:42Z WARN  gpauth::auth_window] Failed to load uri: https://s**********k/SAML20/SP/ACS with error: Load request cancelled
[2024-05-14T16:30:42Z INFO  gpauth::auth_window] Loaded uri: https://s**********k/SAML20/SP/ACS
[2024-05-14T16:30:42Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:42Z INFO  gpauth::auth_window] Got auth data from headers
[2024-05-14T16:30:42Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-05-14T16:30:42Z INFO  gpclient::connect] Connecting to the only available gateway: Ext-Staff-VPN-Gateway (xxx-xxx.xx.xx)
[2024-05-14T16:30:42Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-05-14T16:30:42Z WARN  gpapi::gateway::login] GP response error: reason=<none>, status=512 <unknown status code>, body=<html>
      <head></head>
      <body>
      var respStatus = "Error";
      var respMsg = "Authentication failure: Invalid username or password";
      thisForm.inputStr.value = "";
    </body>
    </html>
[2024-05-14T16:30:42Z INFO  gpclient::connect] Gateway login failed: Gateway login error: <none>
[2024-05-14T16:30:42Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-05-14T16:30:42Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
[2024-05-14T16:30:43Z INFO  gpauth::cli] gpauth started: 2.2.1 (2024-05-07)
[2024-05-14T16:30:43Z INFO  gpauth::cli] Fixing OpenSSL environment
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/2efd699a-1922-4e69-b601-108008d28a2e/saml2?SAMLRequest=n**********A&RelayState=L**********x
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-05-14T16:30:43Z INFO  gpauth::auth_window] Raise window cancelled
[2024-05-14T16:30:44Z WARN  gpauth::auth_window] Failed to load uri: https://s**********k/SAML20/SP/ACS with error: Load request cancelled
[2024-05-14T16:30:44Z INFO  gpauth::auth_window] Loaded uri: https://s**********k/SAML20/SP/ACS
[2024-05-14T16:30:44Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:30:44Z INFO  gpauth::auth_window] Got auth data from headers
[2024-05-14T16:30:44Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-05-14T16:30:44Z INFO  openconnect::ffi] openconnect version: v8.20-1
[2024-05-14T16:30:44Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2024-05-14T16:30:44Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-05-14T16:30:44Z INFO  openconnect::ffi] OS: linux
[2024-05-14T16:30:44Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-05-14T16:30:44Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-05-14T16:30:44Z INFO  openconnect::ffi] MTU: 0
[2024-05-14T16:30:44Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/getconfig.esp
[2024-05-14T16:30:44Z INFO  openconnect::ffi] Connected to 134.219.248.132:443
[2024-05-14T16:30:44Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xx
[2024-05-14T16:30:44Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:30:44Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:30:44Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:30:44Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-05-14T16:30:44Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:30:44Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum d69d1e96d63e67de52ab9e2936ca3ff6.
        VPN connectivity may be disabled or limited without HIP report submission.
        You need to provide a --csd-wrapper argument with the HIP report submission script.
[2024-05-14T16:30:49Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:30:50Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 12
[2024-05-14T16:30:50Z INFO  gpclient::connect] Wrote PID 74383 to /var/run/gpclient.lock
[2024-05-14T16:31:12Z WARN  openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-14T16:31:12Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xxk/ssl-vpn/getconfig.esp
[2024-05-14T16:31:12Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xx
[2024-05-14T16:31:12Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:31:12Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:31:12Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:31:12Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:31:17Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:31:38Z WARN  openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-14T16:31:38Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/getconfig.esp
[2024-05-14T16:31:38Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xxk
[2024-05-14T16:31:38Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:31:38Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:31:38Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:31:38Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xxk/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:31:43Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:31:43Z WARN  openconnect::ffi] Read error on SSL session: Error in the pull function.
[2024-05-14T16:31:43Z WARN  openconnect::ffi] Packet receive error: Operation not permitted
[2024-05-14T16:31:43Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/getconfig.esp
[2024-05-14T16:31:43Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xx
[2024-05-14T16:31:43Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:31:43Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:31:43Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:31:43Z INFO  openconnect::ffi] POST https://xxx-xx.xx.xx/ssl-vpn/hipreportcheck.esp
vpndisconnect[2024-05-14T16:31:48Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.

[2024-05-14T16:31:48Z INFO  gpclient::cli] gpclient started: 2.2.1 (2024-05-07)
[2024-05-14T16:31:48Z INFO  gpclient::disconnect] Found process 74383, killing...
[2024-05-14T16:31:48Z INFO  gpclient::connect] Received the interrupt signal, disconnecting...
[2024-05-14T16:31:48Z INFO  openconnect::ffi] Stopping VPN connection: 12
[2024-05-14T16:31:48Z INFO  openconnect::ffi] POST https:/xxx-xx.xx.xxk/ssl-vpn/logout.esp
jonas@azazello:~$ [2024-05-14T16:31:48Z INFO  openconnect::ffi] SSL negotiation with xxx-xx.xx.xx
[2024-05-14T16:31:48Z INFO  openconnect::ffi] Connected to HTTPS on xxx-xx.xx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:31:48Z INFO  openconnect::ffi] Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
[2024-05-14T16:31:49Z INFO  openconnect::ffi] openconnect_mainloop returned -4, exiting
[2024-05-14T16:31:49Z INFO  gpclient::connect] Removing PID file

Logs
GUI log: (same issues)

[2024-05-14T16:49:57Z INFO  gpservice::cli] gpservice started: 2.2.1 (2024-05-07)
[2024-05-14T16:49:57Z INFO  gpservice::ws_server] WS server listening on port: 34079
[2024-05-14T16:49:57Z INFO  gpapi::process::gui_launcher] Version check passed: 2.2.1
[2024-05-14T16:49:57Z INFO  gpapi::process::gui_launcher] Launching gpgui
[2024-05-14T16:49:57Z INFO  gpgui::cli] gpgui started: 2.2.1 (2024-05-07)
[2024-05-14T16:49:57Z INFO  gpgui::app] Setting the custom openssl conf path
[2024-05-14T16:49:57Z INFO  gpgui::config::private_data] Loaded config key from keyring
[2024-05-14T16:49:57Z INFO  gpgui::app::app_initializer] App initialized
[2024-05-14T16:49:57Z INFO  gpgui::ws_connector] Connecting to WS server
[2024-05-14T16:49:57Z INFO  gpgui::ws_connector] Received ping
[2024-05-14T16:49:57Z INFO  gpgui::ws_connector] Connected to WS server
[2024-05-14T16:49:57Z INFO  gpservice::handlers] New client connected
[2024-05-14T16:49:57Z INFO  gpservice::ws_server] Sending current VPN state to new client
[2024-05-14T16:49:57Z INFO  gpgui::handlers::subscription] Sending the init event to client: main
[2024-05-14T16:49:57Z INFO  gpgui::handlers::subscription] Sent the init event to client: main
[2024-05-14T16:49:58Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect
[2024-05-14T16:50:13Z INFO  gpgui::handlers::subscription] Sending the init event to client: settings
[2024-05-14T16:50:13Z INFO  gpgui::handlers::subscription] Sent the init event to client: settings
[2024-05-14T16:50:13Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect Settings
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Connecting to the portal: s**********k...
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Trying to connect the gateway directly...
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Try login the gateway with prelogin...
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Gateway prelogin, gateway: s**********k...
[2024-05-14T16:50:52Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Authenticating gateway...
[2024-05-14T16:50:52Z INFO  gpgui::portal_connector] Launching SAML authentication...
[2024-05-14T16:50:52Z INFO  gpauth::cli] gpauth started: 2.2.1 (2024-05-07)
[2024-05-14T16:50:52Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-05-14T16:50:52Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-05-14T16:50:52Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/2efd699a-1922-4e69-b601-108008d28a2e/saml2?SAMLRequest=n**********B&RelayState=6**********x
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Raise window cancelled
[2024-05-14T16:50:53Z WARN  gpauth::auth_window] Failed to load uri: https://s**********k/SAML20/SP/ACS with error: Load request cancelled
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Loaded uri: https://s**********k/SAML20/SP/ACS
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-14T16:50:53Z INFO  gpauth::auth_window] Got auth data from headers
[2024-05-14T16:50:53Z INFO  gpgui::portal_connector] Performing gateway login, gateway: s**********k...
[2024-05-14T16:50:53Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-05-14T16:50:53Z INFO  gpgui::portal_connector] Gateway login succeeded, gateway: s**********k
[2024-05-14T16:50:53Z INFO  gpgui::portal_connector] Connecting to the gateway...
[2024-05-14T16:50:53Z INFO  openconnect::ffi] openconnect version: v8.20-1
[2024-05-14T16:50:53Z INFO  openconnect::ffi] User agent: PAN GlobalProtect/6.0.1-19 (Linux Ubuntu 22.04.4 LTS)
[2024-05-14T16:50:53Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-05-14T16:50:53Z INFO  openconnect::ffi] OS: linux
[2024-05-14T16:50:53Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-05-14T16:50:53Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-05-14T16:50:53Z INFO  openconnect::ffi] MTU: 0
[2024-05-14T16:50:53Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/getconfig.esp
[2024-05-14T16:50:53Z INFO  openconnect::ffi] Connected to [**********]:443
[2024-05-14T16:50:53Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-05-14T16:50:53Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:50:53Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:50:53Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:50:53Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-05-14T16:50:53Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:50:53Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum d69d1e96d63e67de52ab9e2936ca3ff6.
[2024-05-14T16:50:58Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:50:59Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 14
[2024-05-14T16:50:59Z INFO  gpgui::portal_connector] Connected to the gateway: s**********k
[2024-05-14T16:51:19Z WARN  openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-14T16:51:19Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/getconfig.esp
[2024-05-14T16:51:19Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-05-14T16:51:19Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:51:19Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:51:19Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:51:19Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:51:24Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:51:24Z WARN  openconnect::ffi] Read error on SSL session: Error in the pull function.
[2024-05-14T16:51:24Z WARN  openconnect::ffi] Packet receive error: Operation not permitted
[2024-05-14T16:51:24Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/getconfig.esp
[2024-05-14T16:51:24Z INFO  openconnect::ffi] SSL negotiation with [**********]
[2024-05-14T16:51:24Z INFO  openconnect::ffi] Connected to HTTPS on [**********] with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-14T16:51:24Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-14T16:51:24Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-14T16:51:24Z INFO  openconnect::ffi] POST https://[**********]/ssl-vpn/hipreportcheck.esp
[2024-05-14T16:51:29Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-14T16:51:31Z INFO  gpgui::handlers::subscription] Sending the init event to client: settings
[2024-05-14T16:51:31Z INFO  gpgui::handlers::subscription] Sent the init event to client: settings

Environment:

• OS: Ubuntu 22.04
• Desktop Environment: MATE
• Output of ps aux | grep 'gnome-keyring\|kwalletd5' | grep -v grep: [Required for secure store error]
  xx 1663 0.0 0.0 243840 7576 ? Sl 16:16 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
  xx 5423 0.0 0.0 243696 8960 ? Sl 16:23 0:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets

[yuezk]

Looks related to https://gitlab.com/openconnect/openconnect/-/issues/701

Can you try it with submitting HIP? sudo gpclient connect --hip <portal>

[yjjl]

Tried, HIP error message goes away but connectivity problem persists.

[martindorey]

For me today, with my organization's UK gateway, --disable-ipv6 seemed me to be the key, but currently that only seems to be supported with the version 1.x GlobalProtect-openconnect.

[yuezk]

For me today, with my organization's UK gateway, --disable-ipv6 seemed me to be the key, but currently that only seems to be supported with the version 1.x GlobalProtect-openconnect.

That's very helpful. I'm adding --disable-ipv6 option in 2.x

[martindorey]

That addition, in today's https://github.com/yuezk/GlobalProtect-openconnect/releases/tag/v2.3.0, got me in for the first time with the 2.x code.

[yuezk]

@martindorey so the --disable-ipv6 works for you?

@yjjl can you try 2.3.0 with the --disable-ipv6 option?

[martindorey]

To the particular gateway I was using above, in somewhere between five and ten trials, I've got in with ssh every time with --disable-ipv6 --hip and never with just --hip, always falling foul of Dead Peer Detection. I might guess there are other causes for that problem, but I'm confident that you've solved mine - thanks!

[yjjl]

Hi,
Tried that with the 2.3.0 version but the error remains. There's no connectivity, DNS fails and the error message is the same:

2024-05-21T09:53:46Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-21T09:53:46Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-21T09:53:46Z INFO openconnect::ffi] POST https://xxx.xx.uk/ssl-vpn/hipreportcheck.esp
[2024-05-21T09:53:51Z WARN openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
[2024-05-21T09:54:12Z WARN openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-21T09:54:12Z INFO openconnect::ffi] POST https://xxx.xx.uk/ssl-vpn/getconfig.esp
[2024-05-21T09:54:12Z INFO openconnect::ffi] SSL negotiation with xxx.xx.uk
[2024-05-21T09:54:12Z INFO openconnect::ffi] Connected to HTTPS on xxx.xx.uk with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)

tried both of
sudo gpclient --fix-openssl connect --disable-ipv6 --hip
sudo gpclient connect --disable-ipv6 --hip

Any ideas what could be the issue here?

[yjjl]

I should add that error message reappears whenever I try to make a new connection (e.g. open a web page).

[yuezk]

@yjjl can you try with the openconnect command?

• openconnect --protocol=gp --disable-ipv6 <portal>
• openconnect --protocol=gp <portal>

[yjjl]

Authentication doesn't work that way, get the following error message:
POST https://xxx.xx.uk/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server xxx:443
Connected to xxx:443
SSL negotiation with xxx.xxx.uk
Connected to HTTPS on xxx.xxx.uk with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Wed, 22 May 2024 10:54:49 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1560
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=ddd2b01c-3c47-40a4-9c68-e590dfaccffe; Path=/; SameSite=Lax; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1560)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/XXXXXXX
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse server response
Response was:

Success

false


Enter login credentials
Username
Password
1
yes

xxx.xx
0
REDIRECT
600
0
aHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tLzJlZmQ2OTlhLTE5MjItNGU2OS1iNjAxLTEwODAwOGQyOGEyZS9zYW1sMj9TQU1MUmVxdWVzdD1uVkxQYjRJd0ZQNVhTTyUyRlFVaEdoRVJLbWg1bTRqQWpiWVplbGxxTE5Tc3ZhNHVaJTJGUDlRdGN4Y1BPNzY4TDklMkJ2OSUyQmFXZHJJbnhlRDJhc1BmQjI2ZDk5bEpaY2w1a1lIQktLS3BGWllvMm5GTEhDTlY4YkFtT0VDa045cHBwaVh3Q211NWNVS3JoVloyNkxpcHVEa0l4cDgyNnd6c25lc3RnZEE2MnJiJTJCb1ZlQjBVY3E5MXBLJTJGVUdQQVdYQjhFYWlhQUpQekJqQnFvVEZvZ0xlY25RakZEM3glMkZySkl2Uk1xNkFRejJ1cldhU1dGNGdIVEhjUzhiZUkwcFg2WVl1eEhQRTc5Yll4Q1AwUUpRa21ERTRvNVBNWEN3RnN0TSUyRkE2YlNqalNZdFFOR3ZTYmR5eUZpY3psRTVhenFJa3hlRUlzM2JnS3pVNlZ5NERHT0hJUjFNZjR6cEVaQnFSS0gwQlh2bmR3cDFRalZDNzI1VnRMeUJMN3V1NjlNdkhxZ2JlTXpmMkhIRUVnSHglMkJja2pPd3VicUZMZHA2VSUyRiUyRklQOUgyM040cFpsZnByOCUyRmtYOEImUmVsYXlTdGF0ZT1KbVFGQUg0OUttWmtaR1F5WWpBeFl5MHpZelEzTFRRd1lUUXRPV00yT0MxbE5Ua3daR1poWTJObVptVXc=
noGB

Failed to complete authentication

I've tried to complete the SAML authentication by opening the link and then running openconnect but the same issue reappears.

[ChatDeBlofeld]

Same issue here, we don't use any SSO so I can provide the requested logs (no difference with/without --disable-ipv6 though):

sudo openconnect --protocol=gp --csd-wrapper=/usr/libexec/openconnect/hipreport.sh --disable-ipv6 xxx.xx

POST https://xxx.xx/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to xxx:443
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
Email address: [email protected]
Password: 
POST https://xxx.xx/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.1.4-711; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  GW-EXTERNAL-ON-DEMAND (xxx.xx)
Please select GlobalProtect gateway.
GATEWAY: [GW-EXTERNAL-ON-DEMAND]:GW-EXTERNAL-ON-DEMAND
POST https://xxx.xx/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=AUT-SEQ-GP
GlobalProtect login returned password-expiration-days=0
GlobalProtect login returned portal-userauthcookie=oJJl7db8EL/vfWlScCf5jPVOkM3qYcI5hR+xMlKQz9Qee9NJyiyOclkDwckaph/91Vkuu0M+8oJ0bfIb7qPTvyBpyen/P1Pm0as7MB570+VN3f0B6QWjDOB1Nvh4mqAZNHso3dH9B5StX1u4BemF0baj/G5zqe7gWDZ3MMIjHSPl5qQZ43ujyNrkBi2/lNARkVBEF5v0UWVWP/1KhlxxQVDqdI/0A0P1uAuLlHgm0pR3/KD0AbsSVmwHHf6fcDYX3E0ySpVW0g3EJD1lzsqmNNCxtvioKbG/1gm+3Pwmhct6mWzcADC10L9TE+jbYu9VbtnJzMMUrz+O4wX/9uiqTEoB4pKoMWININELioiJwJkV5CbjN5ZtEgCpGY/x/xi7SYGtHHH4vkYiCn0JwANyKF2kUP5UWTQ9CF/twtKO1AjofenQ69MetnNGHUT4rDY2iwqMdDVFpy2LRmIGCkqd2QlLRSUCOmDaWC/s5V3RZVsPEHWYuMG8ht71g+Bg65TyxU9t5XhA+83T/HkWINSW838oroMI54sVMkQdX6qyQ4XP1kcMTXE/s31qq0uZGP5N0J+juyEUsPiZRqRz81MT8JfzF0/wLnf3XvjS2m0+XJqp+YNkCEBAW/TTpUYtE5ZuO01rXWzWBVep3PMfI9wHX0IfgPDN/DSNP6QsPEhhJY8=
GlobalProtect login returned portal-prelogonuserauthcookie=empty
GlobalProtect login returned usually-equals-4=4
POST https://xxx.xx/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
Trying to run HIP Trojan script '/usr/libexec/openconnect/hipreport.sh'.
HIP script '/usr/libexec/openconnect/hipreport.sh' completed successfully (report is 2311 bytes).
POST https://xxx.xx/ssl-vpn/hipreport.esp
HIP report submitted successfully.
Set up UDP failed; using SSL instead
Configured as 10.193.24.182, with SSL connected and ESP disabled
Session authentication will expire at Thu May 23 17:29:38 2024

Using vhost-net for tun acceleration, ring size 32
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
^CPOST https://xxx.xx/ssl-vpn/logout.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting.

sudo openconnect --protocol=gp --csd-wrapper=/usr/libexec/openconnect/hipreport.sh xxx.xx 

POST https://xxx.xx/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to xxx:443
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
Email address: [email protected]
Password: 
POST https://xxx.xx/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.1.4-711; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  GW-EXTERNAL-ON-DEMAND (xxx.xx)
Please select GlobalProtect gateway.
GATEWAY: [GW-EXTERNAL-ON-DEMAND]:GW-EXTERNAL-ON-DEMAND
POST https://xxx.xx/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=AUT-SEQ-GP
GlobalProtect login returned password-expiration-days=0
GlobalProtect login returned portal-userauthcookie=mKNcuqseBlw6oUTus8XzPUVQbXwyis8NgbDmVy/yaIF/y9sRzM1+73LMOr8WDWZIa4scDteSpT6aibUy0ZFkwcMRTD+2yB1r/hd51LHfZsiRnqWPYLKvGslxIHx/IYAVPwCNKqqaEdfGzPNvVYs60Qai6fJzayRu58iOwZxwG8cus+fWOyqAU/PCaaJmh4Zx/WGOhKOxyjH4HlinovtFp2TJKtuYNW2iwabrk2njvQCqrfyT/UHcfMinjr5pnMb3dmGvaWOqBig732ok4tNzo0M3eLSX1W5fliEf2Fqt5jOUIXITVqOxZB3OLF1lQbWlsr6T/26uWAKiV8N+hlsjR88B58cKkVEuhjI13OoTNlw9xt9YAc+klVMiFsGjlB4VG3lVKevvZkuFpOo6xeEVWNAa01MM0hx4H94/a2OKqfDoqS27F9U57ftDqzwE4k1EtLZciOkT3tM583MVc8plUgveJaCauzjvtHIf9hzG+zA/So43FwJwE/fV0nPsm9G9Y6rCR9q/zcL56PnlBNsXJ8NwM9UwW0ZjfXzVuuHkxUGqpcMIqkLBNGI9CTuzgLLevy3Ae5nHAW65skxEPJhcjKOx4WQI6dTT7HKXsa9S7okmWc0ExF3J1kU8su9uAdQQlJ1I4zxlBtEQRjdEbL0Z7HA9FlFmpk25FRZXXL8EL/k=
GlobalProtect login returned portal-prelogonuserauthcookie=empty
GlobalProtect login returned usually-equals-4=4
POST https://xxx.xx/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
Trying to run HIP Trojan script '/usr/libexec/openconnect/hipreport.sh'.
HIP script '/usr/libexec/openconnect/hipreport.sh' completed successfully (report is 2311 bytes).
POST https://xxx.xx/ssl-vpn/hipreport.esp
HIP report submitted successfully.
Set up UDP failed; using SSL instead
Configured as 10.193.24.194, with SSL connected and ESP disabled
Session authentication will expire at Thu May 23 17:51:25 2024

Using vhost-net for tun acceleration, ring size 32
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
^CPOST https://xxx.xx/ssl-vpn/logout.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting.

For completeness sake, logs without --csd-wrapper set:

sudo openconnect --protocol=gp  xxx.xx

POST https://xxx.xx/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to xxx:443
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
Email address: [email protected]
Password: 
POST https://xxx.xx/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.1.4-711; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  GW-EXTERNAL-ON-DEMAND (xxx.xx)
Please select GlobalProtect gateway.
GATEWAY: [GW-EXTERNAL-ON-DEMAND]:GW-EXTERNAL-ON-DEMAND
POST https://xxx.xx/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=AUT-SEQ-GP
GlobalProtect login returned password-expiration-days=0
GlobalProtect login returned portal-userauthcookie=kd7c180bU5lTCBuIORTh2u64ArZvcMXKLrOFu41yhieMncxP6TjKZJqgu7+Uul1RWON3/kFeg2jW8QODu4wY6v451LKPxf/V+JjBz2hq+6p7xOPDQ6Y3RyClVuMuwlyp8FzyBy5q08YdPaCqSAdOI//qKv1eP1T22M3FyzrZ9AEB7IG/FlbKpF3yTsbGIcK3NuyWfjzN5WGd5xN7LfkCYVz/r+oMq4ofy+5Nv+Dhxnp1OK7lqaecZr4lXCoHau9pfRVs0QepopKQ3wsK2kTeJTZCxWeuSuh6ulJru+b2AeSfgu33+Vr6aecNQz+QkmHjqC/LGAyCLYMGP7aj6vF6LXGDSj6CImdJSLLWiOKd2VzGIIjBLC6zBeSOqbKJog77bXL18PoCn9hv6DKb1w5wuWBdVQM26LPplkz7FrvWO/D4EvDfpa0LE4ZLG8YKCnSgMqgwQye4vGlJz9YMBfmdekteKNmhkDg/QZJQvlCeTK/XqzL80PBw5t11ZcDSRIaIBiok3Wc1IKH0qD0E90PNRjSIAnd75YB3q5OBPhZebBoUBi3U031ofybTbUu67wsnRS297iTOVYd50XBYmNH79t+yO+8lHicYbrrzVIszeu0SBbmeJz7YV4t48GKcG86tkHRUcNYAeqh6DAaMXZRZIQv3HyOUjomBkDVQFmEznxk=
GlobalProtect login returned portal-prelogonuserauthcookie=empty
GlobalProtect login returned usually-equals-4=4
POST https://xxx.xx/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
WARNING: Server asked us to submit HIP report with md5sum 451e92e3c4065219a121a8c3a8224cfa.
    VPN connectivity may be disabled or limited without HIP report submission.
    You need to provide a --csd-wrapper argument with the HIP report submission script.
Set up UDP failed; using SSL instead
Configured as 10.193.24.195, with SSL connected and ESP disabled
Session authentication will expire at Thu May 23 17:55:42 2024

Using vhost-net for tun acceleration, ring size 32
Read error on SSL session: Erreur de la fonction « pull ».
Packet receive error: Opération non permise
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
GPST Dead Peer Detection detected dead peer!
POST https://xxx.xx/ssl-vpn/getconfig.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://xxx.xx/ssl-vpn/hipreportcheck.esp
^CPOST https://xxx.xx/ssl-vpn/logout.esp
Négociation SSL avec xxx.xx
Connected to HTTPS on xxx.xx with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting.

[dcarrillo]

Hi, I have the same problem as @yjjl I'm using SAML authentication via Okta. Tested the same things, same outcome.

In my case, once the connection has been made, there is almost no traffic, but somehow a few (very few) packets are able to reach the target and back (i.e., during a continuous ping). Tried to play with the MTU, no success.

[yjjl]

Update - today I managed to get it to run without having made any changes (other than the --disable-ipv6 flag). The connection is extremely intermittent and frequently disconnects completely, but at least works some of the time unlike before although not reliably enough to be useable. I suspect there have been changes server-side but our central IT staff are not very transparent about any changes.

[huang-jy]

I commented on here the other day but looks like my comment was either deleted or didn't actually save.

I've actually hit this same problem on the 2.3.1 client.

I used

sudo gpclient connect {portal} --csd-wrapper /usr/libexec/openconnect/hipreport.sh --disable-ipv6 --os Linux --clean

to connect.

I get the same as reported above -- timeouts and repeated Dead Peer messages. This is the case on Linux Mint, Fedora and Manjaro.

Now our IT guys have an older version on a backup VPN connection endpoint, so I used the same thing but pointed to that. (10.x.x on the broken endpoint, 9.x.x on the backup one -- not sure if that's of any use, though as a response to @yjjl, maybe that's something similar to what happened in your case)

[huang-jy]

I was able to do some comparisons between a failed and working portal:

On the working portal, it has the following when it connects:

POST https://{portal}/ssl-vpn/logout.esp
SSL negotiation with {portal}
Connected to HTTPS on {portal} with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)

On the broken one, it has the following when it connects:

POST https://{portal}/ssl-vpn/getconfig.esp
SSL negotiation with {portal}
Connected to HTTPS on {portal} with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)

I noticed the difference in ciphersuite between the two -- could this be perhaps causing the problems? e.g. maybe openconnect or openssl can't handle the ECDHE-SECP256R1 and/or RSA-SHA256?

[yuezk]

Hi @huang-jy thanks for your investigation.

But I'm afraid the cipher suite might not be the root cause of this problem. Because the HTTPS error could occur if it doesn't support the cipher suite. I think we should dive into the logic of OpenConnect to understand when will it throw this error. Related in https://gitlab.com/openconnect/openconnect/-/issues/701

[huang-jy]

@yuezk thanks very much, I was already aware of that issue (indeed my research into this issue did send me there) -- I'm already keeping an eye on it.

[yjjl]

FWIW, the GlobalProtect client suffers from the same issues and our IT staff seem unable to understand why. May be due to the version of Linux used? I'm on Ubuntu MATE 22.04 so nothing exotic.

[yjjl]

Any updates on this? The behaviour has changed slightly - I now get intermittent connections which work as normal, but most of the time any connections fail (time out).

[yuezk]

@yjjl there is no progress on our side. This might related to the server-side configuration or the VPN portal in your case.

[lizhuohua]

I encountered the same issue. Below is my comment on https://gitlab.com/openconnect/openconnect/-/issues/701, which I have copied here for reference.

I encountered the same issue. After connecting to GlobalProtect VPN using openconnect, there is no network connection, and it keeps reconnecting with the error message: GPST Dead Peer Detection detected dead peer. Sometimes, after a few reconnections, a stable network can be established, but most of the time, there is no network. (During reconnection, there may be a few seconds of available network connection.)

I tested two devices in the same network environment: one Linux (Fedora 41) and one MacBook Pro (macOS 14.7). Using the same openconnect (v9.12) command to connect to the same VPN portal, everything works fine on macOS, but on Linux, I encounter the issues described above. I also tested the official GlobalProtect client. On Linux, there is a similar problem: no network and constant reconnecting, with the log showing the error: Too many outstanding keepalive and no response from GP gateway, disconnect tunnel. However, the official client on macOS works perfectly.

I tried the following on Linux: changing the MTU, enabling/disabling IPv6, submitting/not submitting hipreport, and modifying the --os option to impersonate macOS, but none of these had any effect. However, on macOS, everything seems to work fine regardless of the settings for the above parameters.

I suspect that the issue lies with the Linux system itself rather than the VPN server, especially since everything works fine on macOS. However, I don’t know where the problem might be, and sometimes a stable network connection can indeed be achieved on Linux (after several reconnections), which makes debugging very difficult.

[madduci]

same issue for me on Ubuntu 24.04 and SAML login with Microsoft. Interestingly, also the official Linux GlobalProtect client stopped working on my system.

[lizhuohua]

It is likely a server-side bug. This discussion might be relevant: https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-connection-issues-in-pan-os-10-2-7-h3/td-p/571507

I reached out to my organization's Tech Support, and they acknowledged the existence of this bug. However, they declined to upgrade the server-side software, as most users do not use Linux...