bjdgyc / anylink

AnyLink is an enterprise-grade remote-work SSL VPN server that supports many users online at the same time. It is built on the OpenConnect protocol, borrows design ideas from ocserv, and is fully compatible with the AnyConnect client.
GNU Affero General Public License v3.0

cisco anyconnect connection error #4

Closed changchunhua2017 closed 3 years ago

changchunhua2017 commented 3 years ago

Environment: desktop OS: Windows 10; VPN client: Cisco AnyConnect version v4.9.04043

For comparison, the same client logs in normally to another VPN server, OpenConnect server (ocserv 1.1.1).

Client error: after entering the PIN + OTP code in Cisco AnyConnect, the banner pops up normally, but the next step fails.

(screenshot: 企业微信截图_16104172326780)

Server log output:

2021/01/12 10:04:48 main.go:26: [Info] Server pid:  2027
2021/01/12 10:04:48 server.go:47: [Info] listen server :443
2021/01/12 10:04:48 server.go:58: [Info] Listen admin :8800
2021/01/12 10:05:30 link_tunnel.go:69: [Debug] 192.168.214.10 02:00:ac:1a:05:0e demo
2021/01/12 10:05:30 link_cstp.go:54: [Debug] DISCONNECT 192.168.214.10
2021/01/12 10:05:30 closeOnce: 192.168.214.10
bjdgyc commented 3 years ago

I tested locally with anyconnect-win-4.9.05042.msi and it works normally. Please provide the user group configuration.

changchunhua2017 commented 3 years ago

> I tested locally with anyconnect-win-4.9.05042.msi and it works normally. Please provide the user group configuration.

User group info:

(screenshot: 企业微信截图_16104172326780)

Echo21bash commented 3 years ago

> Environment: desktop OS: Windows 10; VPN client: Cisco AnyConnect version v4.9.04043
>
> For comparison, the same client logs in normally to another VPN server, OpenConnect server (ocserv 1.1.1).
>
> Client error: after entering the PIN + OTP code in Cisco AnyConnect, the banner pops up normally, but the next step fails.
>
> (screenshot: 企业微信截图_16104172326780)
>
> Server log output:
>
> 2021/01/12 10:04:48 main.go:26: [Info] Server pid:  2027
> 2021/01/12 10:04:48 server.go:47: [Info] listen server :443
> 2021/01/12 10:04:48 server.go:58: [Info] Listen admin :8800
> 2021/01/12 10:05:30 link_tunnel.go:69: [Debug] 192.168.214.10 02:00:ac:1a:05:0e demo
> 2021/01/12 10:05:30 link_cstp.go:54: [Debug] DISCONNECT 192.168.214.10
> 2021/01/12 10:05:30 closeOnce: 192.168.214.10

Are you using a self-signed certificate?

bq1122 commented 3 years ago

I get the same error. I'm using a self-signed certificate. Is it caused by the self-signed certificate?

changchunhua2017 commented 3 years ago

> I get the same error. I'm using a self-signed certificate. Is it caused by the self-signed certificate?

I'm using a Let's Encrypt wildcard public certificate (like *.example.com) that I obtained just yesterday, not a self-signed one.

Echo21bash commented 3 years ago

> I get the same error. I'm using a self-signed certificate. Is it caused by the self-signed certificate?

I use a self-signed certificate and had to import the p12 certificate into the browser; it works normally after that. I'm not sure what the exact cause of this error is.

bjdgyc commented 3 years ago

(image) Delete this entry; an incorrect CIDR can also cause connection problems. I've also added CIDR validation and debug output of the response data; I'll update shortly.

changchunhua2017 commented 3 years ago

Removed the exclude-route entries; the problem persists.

Server log:
2021/01/12 15:16:14 link_tunnel.go:69: [Debug] 192.168.214.10 02:00:ac:1a:05:0e demo
2021/01/12 15:16:14 link_cstp.go:54: [Debug] DISCONNECT 192.168.214.10
2021/01/12 15:16:14 closeOnce: 192.168.214.10
2021/01/12 15:16:14 link_tun.go:104: [Error] tun Read err 0 read tun: file already closed

AnyConnect client connection log:

     15:22:20    Contacting sslvpn.xxx.org.
     15:22:39    User credentials entered.
     15:24:21    User credentials entered.
     15:24:21    Please respond to banner.
     15:24:22    User accepted banner.
     15:24:22    Establishing VPN session...
     15:24:22    The AnyConnect Downloader is performing update checks...
     15:24:22    Checking for profile updates...
     15:24:22    Checking for customization updates...
     15:24:23    Establishing VPN - Initiating connection...
     15:24:23    Establishing VPN session...
     15:24:23    Connection attempt has failed.
     15:24:23    VPN session ended.
bq1122 commented 3 years ago

Is there a QQ group?

bq1122 commented 3 years ago

Got a certificate from Let's Encrypt and installed it. After entering the PIN + OTP code: (screenshot)

Echo21bash commented 3 years ago

> Got a certificate from Let's Encrypt and installed it. After entering the PIN + OTP code: (screenshot)

This error is the same as the one I got with my self-signed certificate; I fixed it by adding the p12 certificate file to the browser.

bjdgyc commented 3 years ago

> Removed the exclude-route entries; the problem persists.
>
> Server log:
> 2021/01/12 15:16:14 link_tunnel.go:69: [Debug] 192.168.214.10 02:00:ac:1a:05:0e demo
> 2021/01/12 15:16:14 link_cstp.go:54: [Debug] DISCONNECT 192.168.214.10
> 2021/01/12 15:16:14 closeOnce: 192.168.214.10
> 2021/01/12 15:16:14 link_tun.go:104: [Error] tun Read err 0 read tun: file already closed
>
> AnyConnect client connection log:
>
> 15:22:20    Contacting sslvpn.xxx.org.
> 15:22:39    User credentials entered.
> 15:24:21    User credentials entered.
> 15:24:21    Please respond to banner.
> 15:24:22    User accepted banner.
> 15:24:22    Establishing VPN session...
> 15:24:22    The AnyConnect Downloader is performing update checks...
> 15:24:22    Checking for profile updates...
> 15:24:22    Checking for customization updates...
> 15:24:23    Establishing VPN - Initiating connection...
> 15:24:23    Establishing VPN session...
> 15:24:23    Connection attempt has failed.
> 15:24:23    VPN session ended.

Download the latest version and paste the debug output.

bjdgyc commented 3 years ago

> Is there a QQ group?

Not set up yet.

bjdgyc commented 3 years ago

> Got a certificate from Let's Encrypt and installed it. After entering the PIN + OTP code: (screenshot)

Try a newer client version: https://gitee.com/bjdgyc/anylink-soft

changchunhua2017 commented 3 years ago

> Got a certificate from Let's Encrypt and installed it. After entering the PIN + OTP code: (screenshot)

> Try a newer client version: https://gitee.com/bjdgyc/anylink-soft

@hebaodanroot Yes, you need to test with the latest AnyConnect version.

changchunhua2017 commented 3 years ago

Debug output from the latest version @bjdgyc

X-Cstp-Keep: true
X-Cstp-Keepalive: 20
X-Cstp-Lease-Duration: 1209600
X-Cstp-License: accept
X-Cstp-Msie-Proxy-Lockdown: true
X-Cstp-Mtu: 1399
X-Cstp-Netmask: 255.255.255.0
X-Cstp-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-Cstp-Quarantine: false
X-Cstp-Rekey-Method: new-tunnel
X-Cstp-Rekey-Time: 172800
X-Cstp-Routing-Filtering-Ignore: false
X-Cstp-Session-Timeout: none
X-Cstp-Session-Timeout-Alert-Interval: 60
X-Cstp-Session-Timeout-Remaining: none
X-Cstp-Smartcard-Removal-Disconnect: true
X-Cstp-Split-Exclude: 0.0.0.0/255.255.255.255
X-Cstp-Split-Include:
X-Cstp-Tcp-Keepalive: false
X-Cstp-Tunnel-All-Dns: false
X-Cstp-Version: 1
X-Dtls-Keepalive: 20
X-Dtls-Mtu: 1399
X-Dtls-Port: 4433
X-Dtls-Rekey-Time: 5400
X-Dtls-Session-Id: e8de40505476305c05c84f60df1d7efe4ca513ca1a993bae5e77b3dfa162f2bc
X-Dtls12-Ciphersuite: ECDHE-ECDSA-AES128-GCM-SHA256

2021/01/13 09:34:30 link_cstp.go:54: [Debug] DISCONNECT 192.168.214.10
2021/01/13 09:34:30 closeOnce: 192.168.214.10
bjdgyc commented 3 years ago

X-Cstp-Split-Include: this value must not be empty
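Two header-side failure modes are named in this thread: a malformed CIDR in the route list (bjdgyc's comment about the exclude routes above) and an empty X-Cstp-Split-Include value (this comment). The Go program below is an added example, not AnyLink's own code, showing how a server can validate routes before they become CSTP headers and how to lint a pasted header dump for the same problems. It assumes AnyConnect's "network/dotted-netmask" route syntax as seen in the debug output on this page, and it makes one design assumption the thread does not state: when there are no include routes, it omits the X-Cstp-Split-Include header entirely (full tunnel) instead of sending it with an empty value. The two header dumps embedded in the block are constructed from the excerpts posted above. The thread does not record which of these, if any, caused the remaining failure, so the checker only reports what it can prove from the header text.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// toCstpRoute converts a CIDR route ("192.168.18.0/24") into the
// "network/dotted-netmask" form AnyConnect expects in X-Cstp-Split-Include
// and X-Cstp-Split-Exclude ("192.168.18.0/255.255.255.0"). Malformed
// entries, IPv6 entries and entries with host bits set are rejected
// before they ever reach a header line.
func toCstpRoute(cidr string) (string, error) {
	ip, ipnet, err := net.ParseCIDR(strings.TrimSpace(cidr))
	if err != nil {
		return "", fmt.Errorf("invalid CIDR %q: %w", cidr, err)
	}
	ip4 := ip.To4()
	if ip4 == nil || len(ipnet.Mask) != net.IPv4len {
		return "", fmt.Errorf("route %q: only IPv4 routes are handled here", cidr)
	}
	if !ip4.Equal(ipnet.IP) {
		return "", fmt.Errorf("route %q: host bits set, network is %s", cidr, ipnet)
	}
	return ipnet.IP.String() + "/" + net.IP(ipnet.Mask).String(), nil
}

// BuildSplitHeaders renders one header line per route, include routes first.
// With no include routes the X-Cstp-Split-Include header is omitted (assumed
// here to mean full tunnel) rather than emitted with an empty value.
func BuildSplitHeaders(include, exclude []string) ([]string, error) {
	groups := []struct {
		name   string
		routes []string
	}{
		{"X-Cstp-Split-Include", include},
		{"X-Cstp-Split-Exclude", exclude},
	}
	var lines []string
	for _, g := range groups {
		for _, r := range g.routes {
			v, err := toCstpRoute(r)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", g.name, err)
			}
			lines = append(lines, g.name+": "+v)
		}
	}
	return lines, nil
}

// checkCstpRoute validates one "a.b.c.d/m.m.m.m" header value: IPv4 on both
// sides, a contiguous netmask, and an address with no host bits set.
func checkCstpRoute(v string) error {
	addrStr, maskStr, ok := strings.Cut(v, "/")
	if !ok {
		return fmt.Errorf("%q is not in network/netmask form", v)
	}
	addr := net.ParseIP(addrStr).To4()
	mask := net.ParseIP(maskStr).To4()
	if addr == nil || mask == nil {
		return fmt.Errorf("%q has a non-IPv4 address or netmask", v)
	}
	// Size() returns (0, 0) for a non-canonical (non-contiguous) mask.
	ones, bits := net.IPMask(mask).Size()
	if bits == 0 {
		return fmt.Errorf("%q has a non-contiguous netmask", v)
	}
	if !addr.Mask(net.IPMask(mask)).Equal(addr) {
		return fmt.Errorf("%q has host bits set (/%d)", v, ones)
	}
	return nil
}

// LintSplitHeaders scans a CSTP response header dump, such as the server
// debug output pasted in this thread, and reports Split-Include/Split-Exclude
// lines that are empty or carry an invalid route. Other lines are ignored.
func LintSplitHeaders(dump string) []string {
	var findings []string
	for _, raw := range strings.Split(dump, "\n") {
		name, value, ok := strings.Cut(strings.TrimSpace(raw), ":")
		if !ok {
			continue
		}
		name = strings.TrimSpace(name)
		if name != "X-Cstp-Split-Include" && name != "X-Cstp-Split-Exclude" {
			continue
		}
		value = strings.TrimSpace(value)
		if value == "" {
			findings = append(findings, name+": empty value")
			continue
		}
		if err := checkCstpRoute(value); err != nil {
			findings = append(findings, fmt.Sprintf("%s: %v", name, err))
		}
	}
	return findings
}

// Constructed excerpts modelled on the debug output pasted above: brokenDump
// has the empty Split-Include, fixedDump has the filled-in routes.
const brokenDump = `X-Cstp-Netmask: 255.255.255.0
X-Cstp-Split-Exclude: 0.0.0.0/255.255.255.255
X-Cstp-Split-Include:
X-Cstp-Tcp-Keepalive: false
`

const fixedDump = `X-Cstp-Split-Exclude: 0.0.0.0/255.255.255.255
X-Cstp-Split-Exclude: 192.168.11.0/255.255.255.0
X-Cstp-Split-Include: 192.168.18.0/255.255.255.0
`

func main() {
	for _, f := range LintSplitHeaders(brokenDump) {
		fmt.Println("finding:", f)
	}
	lines, err := BuildSplitHeaders([]string{"192.168.18.0/24"}, []string{"192.168.11.0/24"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

Run it against a header dump copied from the server's debug log to get a yes/no answer on the two checks before digging into certificates or client versions; the lint deliberately accepts the 0.0.0.0/255.255.255.255 exclude seen above because it is syntactically a valid /32.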

changchunhua2017 commented 3 years ago

> X-Cstp-Split-Include: this value must not be empty

After filling it in, the problem persists in testing.

2021/01/13 13:47:27 link_tunnel.go:70: [Debug] 192.168.214.10 02:00:ac:1a:05:0e demo
2021/01/13 13:47:27 link_tunnel.go:138: [Debug] Server: AnyLink 0.0.8
X-Cstp-Address: 192.168.214.10
X-Cstp-Client-Bypass-Protocol: false
X-Cstp-Disable-Always-On-Vpn: false
X-Cstp-Disconnected-Timeout: 18000
X-Cstp-Dns: 114.114.114.114
X-Cstp-Dns: 8.8.8.8
X-Cstp-Dpd: 30
X-Cstp-Hostname: anylink
X-Cstp-Idle-Timeout: 18000
X-Cstp-Keep: true
X-Cstp-Keepalive: 20
X-Cstp-Lease-Duration: 1209600
X-Cstp-License: accept
X-Cstp-Msie-Proxy-Lockdown: true
X-Cstp-Mtu: 1399
X-Cstp-Netmask: 255.255.255.0
X-Cstp-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-Cstp-Quarantine: false
X-Cstp-Rekey-Method: new-tunnel
X-Cstp-Rekey-Time: 172800
X-Cstp-Routing-Filtering-Ignore: false
X-Cstp-Session-Timeout: none
X-Cstp-Session-Timeout-Alert-Interval: 60
X-Cstp-Session-Timeout-Remaining: none
X-Cstp-Smartcard-Removal-Disconnect: true
X-Cstp-Split-Exclude: 0.0.0.0/255.255.255.255
X-Cstp-Split-Exclude: 192.168.11.0/255.255.255.0
X-Cstp-Split-Include: 192.168.18.0/255.255.255.0
X-Cstp-Tcp-Keepalive: false
X-Cstp-Tunnel-All-Dns: false
X-Cstp-Version: 1
X-Dtls-Keepalive: 20
X-Dtls-Mtu: 1399
X-Dtls-Port: 4433
X-Dtls-Rekey-Time: 5400
X-Dtls-Session-Id: bf23df96a52499dcc73fc3e3afe52b9d29d2d0094bcbabefb0bf9a2db05d0105
X-Dtls12-Ciphersuite: ECDHE-ECDSA-AES128-GCM-SHA256

2021/01/13 13:47:27 link_cstp.go:54: [Debug] DISCONNECT 192.168.214.10
2021/01/13 13:47:27 closeOnce: 192.168.214.10
2021/01/13 13:47:27 link_tun.go:104: [Error] tun Read err 0 read tun: file already closed
bjdgyc commented 3 years ago

I've temporarily set up a QQ group; join it and we can discuss there: 567510628