iw4p / OpenConnect-Cisco-AnyConnect-VPN-Server-OneKey-ocserv

[Script and Docker 🐳] OpenConnect (Cisco AnyConnect) VPN Server (OCServ) script one key easy configurator and installer

Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Cookie is not acceptable #34

Closed qaiwiz closed 1 year ago

qaiwiz commented 1 year ago

I am running Docker on my VPS with Ubuntu 18.04.6 LTS. I test with the "openconnect -v $myhostIP" command on my Mac (the behavior is the same on my Android phone), but for some reason, after asking for user and pass, it returns this error. Here is the tail of the connection log (I have redacted THE_KEY):

    Got HTTP response: HTTP/1.1 200 OK
    Connection: Keep-Alive
    Content-Type: text/xml
    Content-Length: 189
    X-Transcend-Version: 1
    Set-Cookie: webvpncontext=ALV+Xl8mSC6ClMtGD7e0Ed9eBYpUet6upEB3XhLLjoM=; Secure
    Set-Cookie: webvpn=; Secure
    Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
    Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:THE_KEY.; path=/; Secure
    HTTP body length: (189)
    Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Cookie is not acceptable
    Creating SSL connection failed
    Cookie was rejected by server; exiting.

I am not sure if it is related to ipv6, but shouldn't ipv6 be disabled in sysctl?
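
An added example (not part of the original thread or the project's code): a small Python helper that redacts every `Set-Cookie` value in an `openconnect -v` log before the log is shared, and reports whether the failure happened at authentication or at the CONNECT step. The sample log is constructed in the shape of the output quoted above, and the `Got CONNECT response` success form is an assumption.

```python
import re

# Constructed sample shaped like the `openconnect -v` tail quoted above;
# the cookie values are placeholders, not real session data.
SAMPLE = """\
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml
Set-Cookie: webvpncontext=AAAAexampleAAAA=; Secure
Set-Cookie: webvpn=; Secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:EXAMPLEHASH; path=/; Secure
Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Cookie is not acceptable
Cookie was rejected by server; exiting.
"""

COOKIE_RE = re.compile(r"^(Set-Cookie:\s*)([^=;\s]+)=([^;]*)(.*)$")
# "Got CONNECT response: ..." (success form) is assumed, not shown on the page.
STATUS_RE = re.compile(
    r"^Got (?:inappropriate HTTP )?(CONNECT|HTTP) response: HTTP/\d\.\d (\d{3})\s*(.*)$")


def redact(log):
    """Replace every non-empty Set-Cookie value with a length-only marker."""
    out = []
    for line in log.splitlines():
        m = COOKIE_RE.match(line)
        if m and m.group(3):
            line = f"{m.group(1)}{m.group(2)}=<redacted:{len(m.group(3))} chars>{m.group(4)}"
        out.append(line)
    return "\n".join(out)


def summarize(log):
    """Return (auth_status, (connect_status, reason), names of cookies issued)."""
    auth, connect, cookies = None, None, []
    for line in log.splitlines():
        s = STATUS_RE.match(line)
        if s and s.group(1) == "CONNECT":
            connect = (int(s.group(2)), s.group(3))
        elif s:
            auth = int(s.group(2))
        c = COOKIE_RE.match(line)
        if c and c.group(3) and c.group(2) not in cookies:
            cookies.append(c.group(2))
    return auth, connect, cookies


if __name__ == "__main__":
    print(redact(SAMPLE))
    print(summarize(SAMPLE))
```

A 200 on the authentication response followed by a 401 on CONNECT means the credentials were accepted and the server then refused the session cookie it had just issued.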

iw4p commented 1 year ago

Are you using ipv6? Accessing the server from a single ipv4 is enough. Also try testing other versions of the client apps, as they said in this issue.

https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/63


mohamad6663661 commented 1 year ago

Sir, can ipv6 also be set up on the server? It gets blocked less, right?

iw4p commented 1 year ago

Sir, can ipv6 also be set up on the server? It gets blocked less, right?

I think it's possible, but I have never done this before.

qaiwiz commented 1 year ago

Are you using ipv6? Accessing the server from a single ipv4 is enough. Also try to test another versions of client apps as they said in this issue. https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/63

Not really. I am testing with "openconnect -v --disable-ipv6 --no-dtls $myhostip" on my Mac to ensure that I am not using ipv6; it returns the same error message after asking for user and pass. I should mention that I am connecting to this server using stunnel with no problem, but openconnect fails to connect.

qaiwiz commented 1 year ago

I am wondering: 1) What is the expected HTTP connect response? Is there any desired, specific acceptable pattern or criteria (e.g., expected format)? 2) How can I retrieve what is delivered as the "HTTP CONNECT response"? Thanks.

iw4p commented 1 year ago

I am wondering:

  1. What is the expected HTTP connect response? Is there any desired, specific acceptable pattern or criteria (e.g., expected format)?
  2. How can I retrieve what is delivered as the "HTTP CONNECT response"? Thanks.

As far as I know, it is not open source, so you can only check logs through the client application or maybe somewhere on your server. Have you checked the client logs while trying to connect to the server?

qaiwiz commented 1 year ago

Mmm, the logs return the same message while trying to connect using my phone, for example. I am just wondering, is it me that is having this problem?

iw4p commented 1 year ago

Try different ISPs, or ask your friends to test and send you their logs.

ehsanamiri9214 commented 1 year ago

Same here.

Server: Ubuntu 22.04.1 LTS. Clients: OpenConnect and AnyConnect on Android, iOS, Windows, Ubuntu Desktop and MacOS.

Tested on multiple ISPs.

It used to work weeks ago. Any idea?

iw4p commented 1 year ago

Same here.

Server: Ubuntu 22.04.1 LTS. Clients: OpenConnect and AnyConnect on Android, iOS, Windows, Ubuntu Desktop and MacOS.

Tested on multiple ISPs.

It used to work weeks ago. Any idea?

Not really, it's based on the gov infrastructure. Check out the other issues, i.e. here.

ehsanamiri9214 commented 1 year ago

I see. Yet found this repo, which works. I'm not a network expert, so don't know the difference.

Also there is a note here, which says:

Syntax Error

If you see the following error when trying to establish VPN connection, it’s probably because there’s a syntax error in your ocserv config file. Check the journal (sudo journalctl -eu ocserv) to find out.

Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Cookie is not acceptable.

iw4p commented 1 year ago

Thank you. It's strange that it was working fine a few weeks ago, and now it does not work because of a syntax error. BTW Thanks for your report.

qaiwiz commented 1 year ago

Since it is closed, does it mean any error is resolved, or nothing can be done? Thanks.

iw4p commented 1 year ago

Since it is closed, does it mean any error is resolved, or nothing can be done? Thanks.

Honestly nothing can be done, because it depends on ISP and server providers.