yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0

Reset Settings required for every new SAML login #120

Closed bagnaram closed 8 months ago

bagnaram commented 2 years ago

When I attempt to connect via OAuth, it will fail after authentication through the call-back, unless I reset the settings in GlobalProtect-openconnect. After resetting, and re-entering the server, it will work. This is more of an inconvenience.

crankycrank commented 2 years ago

Same issue. Arch Linux.

rmcd1024 commented 2 years ago

Same issue, Ubuntu 20.04.

yuezk commented 2 years ago

Thanks for your feedback. It's a known issue that is hard to reproduce on my side. I will keep it open and expect that I can fix it in the future.

Sorry for the inconvenience.

praetorzero commented 2 years ago

Is there any information that we can provide that would assist?

yuezk commented 2 years ago

@praetorzero You can run the gpclient command directly to view the logs. For this issue, send me the normal logs and the abnormal logs.

bagnaram commented 2 years ago

Failure logs

➜ ~ gpclient
propsReply "Method \"GetAll\" with signature \"s\" on interface \"org.freedesktop.DBus.Properties\" doesn't exist\n"
nmReply "Method \"GetDevices\" with signature \"\" on interface \"org.freedesktop.NetworkManager\" doesn't exist\n"
"Object path cannot be empty"
2022-03-10 11:19:36.048 INFO  [135230] [main@23] GlobalProtect started, version: 1.4.1
2022-03-10 11:19:36.506 INFO  [135230] [GPClient::populateGatewayMenu@141] Populating the Switch Gateway menu...
QObject::connect: No such signal QPlatformNativeInterface::systemTrayWindowChanged(QScreen*)
2022-03-10 11:19:43.921 INFO  [135230] [GPClient::populateGatewayMenu@141] Populating the Switch Gateway menu...
2022-03-10 11:19:43.973 INFO  [135230] [GPClient::doConnect@246] Start connecting...
2022-03-10 11:19:43.974 INFO  [135230] [GPClient::doConnect@262] Start gateway login using the previously saved gateway...
2022-03-10 11:19:43.974 INFO  [135230] [GPClient::gatewayLogin@357] Performing gateway login...
2022-03-10 11:19:43.980 INFO  [135230] [GatewayAuthenticator::authenticate@33] Start gateway authentication...
2022-03-10 11:19:43.983 INFO  [135230] [GatewayAuthenticator::login@46] Trying to login the gateway at https://canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com/ssl-vpn/login.esp with prot=https%3A&server=&jnlpReady=jnlpReady&computer=bagnaram-pc&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=&inputStr=
2022-03-10 11:19:46.423 ERROR [135230] [GatewayAuthenticator::onLoginFinished@58] Failed to login the gateway at https://canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com/ssl-vpn/login.esp, Error transferring https://canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com/ssl-vpn/login.esp - server replied: Custom error
2022-03-10 11:19:46.423 INFO  [135230] [GatewayAuthenticator::doAuth@86] Perform the gateway prelogin at https://canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2022-03-10 11:19:46.752 INFO  [135230] [GatewayAuthenticator::onPreloginFinished@103] Gateway prelogin succeeded.
2022-03-10 11:19:46.752 INFO  [135230] [PreloginResponse::parse@26] Start parsing the prelogin response...
2022-03-10 11:19:46.754 INFO  [135230] [GatewayAuthenticator::samlAuth@161] Trying to perform SAML login with saml-method POST

DevTools listening on ws://127.0.0.1:12315/devtools/browser/7441ffe1-0d68-444e-9047-1dd7e40961a7
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2022-03-10 11:19:47.248 INFO  [135230] [SAMLLoginWindow::onResponseReceived@64] Response received from data:<REDACTED>
2022-03-10 11:19:48.727 INFO  [135230] [SAMLLoginWindow::onResponseReceived@64] Response received from https://example.okta.com/app/panw_globalprotect/exkmuocq9ijzAysk60x7/sso/saml
2022-03-10 11:19:49.904 INFO  [135230] [SAMLLoginWindow::onLoadFinished@98] Load finished https://example.okta.com/app/panw_globalprotect/exkmuocq9ijzAysk60x7/sso/saml
2022-03-10 11:19:50.171 INFO  [135230] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
2022-03-10 11:19:56.720 INFO  [135230] [SAMLLoginWindow::onResponseReceived@64] Response received from https://example.okta.com/auth/services/devicefingerprint
2022-03-10 11:20:19.917 INFO  [135230] [SAMLLoginWindow::onResponseReceived@64] Response received from https://example.okta.com/login/sessionCookieRedirect
2022-03-10 11:20:20.448 INFO  [135230] [SAMLLoginWindow::onResponseReceived@64] Response received from https://omni.example-it.com/SAML20/SP/ACS
2022-03-10 11:20:20.472 INFO  [135230] [SAMLLoginWindow::onLoadFinished@98] Load finished https://omni.example-it.com/SAML20/SP/ACS

<this is where I get the failed authentication window in the SAML web popup>

^CCaught signal: Interrupt
Release of profile requested but WebEnginePage still not deleted. Expect troubles !

And here is a successful connect after reset:

➜ ~ gpclient    
propsReply "Method \"GetAll\" with signature \"s\" on interface \"org.freedesktop.DBus.Properties\" doesn't exist\n"
nmReply "Method \"GetDevices\" with signature \"\" on interface \"org.freedesktop.NetworkManager\" doesn't exist\n"
"Object path cannot be empty"
2022-03-10 11:27:24.936 INFO  [136420] [main@23] GlobalProtect started, version: 1.4.1
2022-03-10 11:27:25.054 INFO  [136420] [GPClient::populateGatewayMenu@141] Populating the Switch Gateway menu...
QObject::connect: No such signal QPlatformNativeInterface::systemTrayWindowChanged(QScreen*)
2022-03-10 11:27:32.793 INFO  [136420] [GPClient::doConnect@246] Start connecting...
2022-03-10 11:27:32.794 INFO  [136420] [GPClient::doConnect@267] Start portal login...
2022-03-10 11:27:32.802 INFO  [136420] [PortalAuthenticator::authenticate@33] Preform portal prelogin at https://omni.example-it.com/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2022-03-10 11:27:32.817 INFO  [136420] [GPClient::populateGatewayMenu@141] Populating the Switch Gateway menu...
2022-03-10 11:27:33.992 INFO  [136420] [PortalAuthenticator::onPreloginFinished@50] Portal prelogin succeeded.
2022-03-10 11:27:33.992 INFO  [136420] [PreloginResponse::parse@26] Start parsing the prelogin response...
2022-03-10 11:27:33.993 INFO  [136420] [PortalAuthenticator::onPreloginFinished@54] Finished parsing the prelogin response. The region field is: US
2022-03-10 11:27:33.993 INFO  [136420] [PortalAuthenticator::samlAuth@121] Trying to perform SAML login with saml-method POST

DevTools listening on ws://127.0.0.1:12315/devtools/browser/f2d2a42e-cb51-4f4c-af77-171211c37c13
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2022-03-10 11:27:34.358 INFO  [136420] [SAMLLoginWindow::onResponseReceived@64] Response received from data:text/<REDACTED>
2022-03-10 11:27:34.396 INFO  [136420] [GPClient::populateGatewayMenu@141] Populating the Switch Gateway menu...
2022-03-10 11:27:35.596 INFO  [136420] [SAMLLoginWindow::onResponseReceived@64] Response received from https://example.okta.com/app/panw_globalprotect/exkmuocq9ijzAysk60x7/sso/saml
2022-03-10 11:27:36.050 INFO  [136420] [SAMLLoginWindow::onLoadFinished@98] Load finished https://example.okta.com/app/panw_globalprotect/exkmuocq9ijzAysk60x7/sso/saml
2022-03-10 11:27:36.075 INFO  [136420] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
2022-03-10 11:27:41.501 INFO  [136420] [SAMLLoginWindow::onResponseReceived@64] Response received from https://example.okta.com/auth/services/devicefingerprint
2022-03-10 11:27:53.858 INFO  [136420] [SAMLLoginWindow::onResponseReceived@64] Response received from https://example.okta.com/login/sessionCookieRedirect
2022-03-10 11:27:54.918 INFO  [136420] [SAMLLoginWindow::onResponseReceived@64] Response received from https://omni.example-it.com/SAML20/SP/ACS
2022-03-10 11:27:54.918 INFO  [136420] [SAMLLoginWindow::onResponseReceived@67] Got username from SAML response headers matt.bagnara@example.com
2022-03-10 11:27:54.918 INFO  [136420] [SAMLLoginWindow::onResponseReceived@72] Got prelogin-cookie from SAML response headers HPRx6M043z2gfPa7HCbJkjW7P762Bru3pdTO6H+yfkSvR956AdCtygQJj+RPRS0I
2022-03-10 11:27:54.918 INFO  [136420] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: matt.bagnara@example.com, preloginCookie: HPRx6M043z2gfPa7HCbJkjW7P762Bru3pdTO6H+yfkSvR956AdCtygQJj+RPRS0I, userAuthCookie: 
2022-03-10 11:27:54.918 INFO  [136420] [PortalAuthenticator::onSAMLLoginSuccess@135] SAML login succeeded, got the prelogin-cookie HPRx6M043z2gfPa7HCbJkjW7P762Bru3pdTO6H+yfkSvR956AdCtygQJj+RPRS0I
2022-03-10 11:27:54.922 INFO  [136420] [PortalAuthenticator::fetchConfig@161] Fetching the portal config from https://omni.example-it.com/global-protect/getconfig.esp for user: matt.bagnara@example.com
2022-03-10 11:27:54.938 INFO  [136420] [SAMLLoginWindow::onLoadFinished@98] Load finished https://omni.example-it.com/SAML20/SP/ACS
2022-03-10 11:27:55.288 INFO  [136420] [PortalAuthenticator::onFetchConfigFinished@187] Fetch the portal config succeeded.
2022-03-10 11:27:55.288 INFO  [136420] [PortalConfigResponse::parse@20] Start parsing the portal configuration...
2022-03-10 11:27:55.289 INFO  [136420] [PortalConfigResponse::parseGateways@64] Start parsing the gateways from portal configuration...
2022-03-10 11:27:55.289 INFO  [136420] [PortalConfigResponse::parsePriorityRules@96] Start parsing the priority rules...
2022-03-10 11:27:55.289 INFO  [136420] [PortalConfigResponse::parsePriorityRules@114] Finished parsing the priority rules.
2022-03-10 11:27:55.289 INFO  [136420] [PortalConfigResponse::parseGatewayName@121] Start parsing the gateway name...
2022-03-10 11:27:55.289 INFO  [136420] [PortalConfigResponse::parseGatewayName@126] Finished parsing the gateway name
2022-03-10 11:27:55.292 INFO  [136420] [PortalConfigResponse::parseGateways@89] Finished parsing the gateways.
2022-03-10 11:27:55.295 INFO  [136420] [PortalConfigResponse::parse@32] Start reading portal-userauthcookie
2022-03-10 11:27:55.295 INFO  [136420] [PortalConfigResponse::parse@35] Start reading portal-prelogonuserauthcookie
2022-03-10 11:27:55.295 INFO  [136420] [PortalConfigResponse::parse@42] Finished parsing portal configuration.
2022-03-10 11:27:55.295 INFO  [136420] [GPClient::onPortalSuccess@298] Portal authentication succeeded.
2022-03-10 11:27:55.295 INFO  [136420] [gpclient::helper::filterPreferredGateway@35] 19 gateway(s) avaiable, filter the gateways with rule: US
2022-03-10 11:27:55.295 INFO  [136420] [gpclient::helper::filterPreferredGateway@41] Find a preferred gateway: Canada East
2022-03-10 11:27:55.295 INFO  [136420] [GPClient::setAllGateways@437] Updating all the gateways...
2022-03-10 11:27:55.295 INFO  [136420] [GPClient::populateGatewayMenu@141] Populating the Switch Gateway menu...
2022-03-10 11:27:55.302 INFO  [136420] [GPClient::setCurrentGateway@457] Updating the current gateway to Canada East
2022-03-10 11:27:55.302 INFO  [136420] [GPClient::populateGatewayMenu@141] Populating the Switch Gateway menu...
2022-03-10 11:27:55.310 INFO  [136420] [GPClient::gatewayLogin@357] Performing gateway login...
2022-03-10 11:27:55.320 INFO  [136420] [GatewayAuthenticator::authenticate@33] Start gateway authentication...
2022-03-10 11:27:55.320 INFO  [136420] [GatewayAuthenticator::login@46] Trying to login the gateway at https://canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com/ssl-vpn/login.esp with prot=https%3A&server=&jnlpReady=jnlpReady&computer=bagnaram-pc&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=matt.bagnara%40example.com&passwd=&portal-userauthcookie=jg4RdTtkjgVLJr4iesir1kD3q0PjjbTki1ggQZ5YYORxvQ%2Brp2ZDfnsdB9SsE7D9SiTplfp%2FcXbtn6iD2O7twKfmXrcek%2Fq4i23ZEz%2BYdpyt%2BIedChb0zqz1JghOmzPJSC8ylXaTmIFtfCDP2D%2FhUM4DdWLrtK5wD5PoZbKYfbHi38F4kwrWg5ubnIckGz8zFYXcI9mueLAye%2Fb4iQKOoRpOg9EdxAdg0OucWPN%2BHrmxV8dl0ZPgQljBcsytO4q4nHp7E%2F65JIrnvAVvP8asDNI0qdhQIXX34M26hKoChpviDmXexoJf2vbXE4VVCVVYn5d96zGCCfEJEe6HLliC8w%3D%3D&inputStr=
2022-03-10 11:27:56.046 INFO  [136420] [gpclient::helper::parseGatewayResponse@51] Start parsing the gateway response...
2022-03-10 11:27:56.046 INFO  [136420] [gpclient::helper::parseGatewayResponse@52] The gateway response is: <?xml version="1.0" encoding="utf-8"?><jnlp><application-desc><argument>(null)</argument><argument>8836c84f5b458327e01e7e2245de0a42</argument><argument>a747278cd6e1f65b1ff09e24724ecdd40a56f0a3</argument><argument>GlobalProtect_External_Gateway-N</argument><argument>matt.bagnara@example.com</argument><argument>Okta</argument><argument>vsys1</argument><argument>%28empty_domain%29</argument><argument>(null)</argument><argument></argument><argument></argument><argument></argument><argument>tunnel</argument><argument>-1</argument><argument>4100</argument><argument></argument><argument>jg4RdTtkjgVLJr4iesir1kD3q0PjjbTki1ggQZ5YYORxvQ+rp2ZDfnsdB9SsE7D9SiTplfp/cXbtn6iD2O7twKfmXrcek/q4i23ZEz+Ydpyt+IedChb0zqz1JghOmzPJSC8ylXaTmIFtfCDP2D/hUM4DdWLrtK5wD5PoZbKYfbHi38F4kwrWg5ubnIckGz8zFYXcI9mueLAye/b4iQKOoRpOg9EdxAdg0OucWPN+HrmxV8dl0ZPgQljBcsytO4q4nHp7E/65JIrnvAVvP8asDNI0qdhQIXX34M26hKoChpviDmXexoJf2vbXE4VVCVVYn5d96zGCCfEJEe6HLliC8w==</argument><argument>yCrEWBoBJ1fEj4e3Ta4T7YkVsDGqcx54+2lTKWxE2ujvXmaVoTVKazhYDg7fB4O4nqgArAR5/zYWludB+duELJGIh/Om7p7L7W2TXsBs31I7ymMLtts46Mf5NA3mfb2fDza7yQxSPDBYuEUn+X3IVAazH39QEwHlA2qci4fxZGPqjnJmT/XTCAx1aQxU7DjqSN0AmXw4G8roeAUNtPLq++RhEKQL5IynlJExyORiMat0ZerqSU8ugvroJy2V0Da5/381QhTrItLjp3r3d3yq22I8Zgj7Ke75X22EZB/h4A+TSof16in9bnOWQs6tAtMsS0OSbJVo0wsSiB8YRWldpg==</argument><argument></argument><argument>4</argument><argument>unknown</argument><argument></argument></application-desc></jnlp>
2022-03-10 11:27:56.046 INFO  [136420] [GPClient::onGatewaySuccess@374] Gateway login succeeded, got the cookie authcookie=8836c84f5b458327e01e7e2245de0a42&portal=GlobalProtect_External_Gateway-N&user=matt.bagnara%40example.com&domain=%2528empty_domain%2529&preferred-ip=&computer=bagnaram-pc
2022-03-10 11:27:56.072 INFO  [136420] [GPClient::onVPNLogAvailable@499] Output of `openconnect --version`
: OpenConnect version v8.20
Using GnuTLS 3.7.3. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script

2022-03-10 11:27:56.073 INFO  [136420] [GPClient::onVPNLogAvailable@499] Start process with arugments: --protocol=gp -u matt.bagnara@example.com --cookie-on-stdin canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com
2022-03-10 11:27:56.078 INFO  [136420] [GPClient::onVPNLogAvailable@499] Openconnect started successfully, PID=136575
2022-03-10 11:27:56.084 INFO  [136420] [GPClient::onVPNLogAvailable@499] POST https://canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com/ssl-vpn/getconfig.esp

2022-03-10 11:27:56.139 INFO  [136420] [GPClient::onVPNLogAvailable@499] Attempting to connect to server 34.99.87.79:443

2022-03-10 11:27:56.236 INFO  [136420] [GPClient::onVPNLogAvailable@499] Connected to 34.99.87.79:443

2022-03-10 11:27:56.283 INFO  [136420] [GPClient::onVPNLogAvailable@499] SSL negotiation with canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com

2022-03-10 11:27:56.526 INFO  [136420] [GPClient::onVPNLogAvailable@499] Connected to HTTPS on canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)

2022-03-10 11:27:56.647 INFO  [136420] [GPClient::onVPNLogAvailable@499] Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 10 Mar 2022 17:27:57 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 7644
Connection: keep-alive
ETag: "23d6081f90a"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY

2022-03-10 11:27:56.647 INFO  [136420] [GPClient::onVPNLogAvailable@499] Set-Cookie: PHPSESSID=c53c1231c444063c00ef023d7a82d27f; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (7644)

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] Tunnel timeout (rekey interval) is 180 minutes.

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] Idle timeout is 180 minutes.

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] Unknown GlobalProtect config tag <exclude-split-tunneling-domain>: 

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] Unknown GlobalProtect config tag <exclude-video-redirect>: yes

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] TCP_INFO rcv mss 1360, snd mss 1340, adv mss 1460, pmtu 1500

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] Using base_mtu of 1500

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] After removing UDP/IPv4 headers, MTU of 1472

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] After removing protocol specific overhead (36 unpadded, 2 padded, 16 blocksize), MTU of 1422

2022-03-10 11:27:56.654 INFO  [136420] [GPClient::onVPNLogAvailable@499] No MTU received. Calculated 1422 for ESP tunnel

2022-03-10 11:27:56.655 INFO  [136420] [GPClient::onVPNLogAvailable@499] POST https://canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com/ssl-vpn/hipreportcheck.esp

2022-03-10 11:27:56.805 INFO  [136420] [GPClient::onVPNLogAvailable@499] Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 10 Mar 2022 17:27:57 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 107
Connection: keep-alive

2022-03-10 11:27:56.806 INFO  [136420] [GPClient::onVPNLogAvailable@499] ETag: "72b6081f90a"
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Security-Policy: default-src 'self'
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff

2022-03-10 11:27:56.806 INFO  [136420] [GPClient::onVPNLogAvailable@499] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (107)

2022-03-10 11:27:56.806 INFO  [136420] [GPClient::onVPNLogAvailable@499] Gateway says HIP report submission is needed.

2022-03-10 11:27:56.806 INFO  [136420] [GPClient::onVPNLogAvailable@499] Parameters for incoming ESP: SPI 0xb07c2034
ESP encryption type AES-128-CBC (RFC3602) key 0xec6260164b2ed4acfde773e286fa4e7d
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0x8a94b1251a12476c2d98fef078d0397c952a277d
Parameters for outgoing ESP: SPI 0x30273cc7
ESP encryption type AES-128-CBC (RFC3602) key 0x5d1446a55f3deb3dd45179e582d581a9
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0xe90cf065efbc5752acfcb4588c9841fc0c6d8902
Send ESP probes

2022-03-10 11:27:56.806 INFO  [136420] [GPClient::onVPNLogAvailable@499] WARNING: Server asked us to submit HIP report with md5sum 5b55ed883eb38656bb0cb3991302abb3.
    VPN connectivity may be disabled or limited without HIP report submission.
    You need to provide a --csd-wrapper argument with the HIP report submission script.

2022-03-10 11:27:56.807 INFO  [136420] [GPClient::onVPNLogAvailable@499] UDP SO_SNDBUF: 28440

2022-03-10 11:27:56.920 INFO  [136420] [GPClient::onVPNLogAvailable@499] ESP session established with server

2022-03-10 11:27:56.920 INFO  [136420] [GPClient::onVPNLogAvailable@499] ESP tunnel connected; exiting HTTPS mainloop.

2022-03-10 11:27:57.920 INFO  [136420] [GPClient::onVPNLogAvailable@499] Configured as 172.18.16.155, with SSL disconnected and ESP established
Session authentication will expire at Sat Apr  9 12:27:55 2022

2022-03-10 11:28:08.430 INFO  [136420] [GPClient::onVPNLogAvailable@499] POST https://canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com/ssl-vpn/logout.esp

2022-03-10 11:28:08.430 INFO  [136420] [GPClient::onVPNLogAvailable@499] Failed to open tun device: No such device
Set up tun device failed

2022-03-10 11:28:08.632 INFO  [136420] [GPClient::onVPNLogAvailable@499] SSL negotiation with canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com

2022-03-10 11:28:09.173 INFO  [136420] [GPClient::onVPNLogAvailable@499] Connected to HTTPS on canada-east-examplet.gp5y555jys2.gw.gpcloudservice.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)

2022-03-10 11:28:09.408 INFO  [136420] [GPClient::onVPNLogAvailable@499] Unrecoverable I/O error; exiting.

2022-03-10 11:28:09.408 INFO  [136420] [GPClient::onVPNLogAvailable@499] Invalid user name
Logout failed.

2022-03-10 11:28:09.411 INFO  [136420] [GPClient::onVPNLogAvailable@499] Openconnect process exited with code 1 and exit status NormalExit
^CCaught signal: Interrupt
Release of profile requested but WebEnginePage still not deleted. Expect troubles !

yuezk commented 2 years ago

Hi guys, I made some improvements to the authentication workflow in 1.4.8. If you are still with me, please give it a try to see if the problem is still there. Thanks.

rmcd1024 commented 2 years ago

It doesn't seem to be an issue any more. For me I believe it went away a few releases ago. Thank you for this software and the follow up!

crankycrank commented 2 years ago

I tried installing globalprotect-openconnect-git from the AUR on Arch Linux; the problem is present. The problem itself is a tiny inconvenience. It looks like it depends on the VPN setup your organization uses. If I were to help with it, what should I PM you? Start globalprotect-openconnect from terminal and capture the output? Run it with strace?

yuezk commented 2 years ago

You can run gpclient from the terminal and post the logs here, but I'm afraid it won't be of much help.

praetorzero commented 2 years ago

I think it's an improvement. I tested connecting/disconnecting multiple times in a row and didn't get an error. However, if there is a while in between the initial connect and disconnect/reconnect, I get an error "Unsupported request. The application you have accessed is not registered for use with this service." I'm pretty sure that's with our 2FA/Duo landing page. For example, I connected at 0800 this morning. 45 minutes later, I attempted to change servers. I received this message. The only way to clear it now is to reset the client.

Is the client performing any caching for authentication? Can you have that cache expire and clear itself after a short interval? That way, I wouldn't have to reset the client on a daily basis. This is a minor annoyance that I can live with. You've done great work on the client and I'm thrilled you're still updating it. Thanks!

Gowiem commented 1 year ago

I'm running into this issue with a SAML login that is behind Okta SSO. I need to reset every time. Has anyone discovered a workaround? @yuezk is this something you're still actively working on at all or do you expect it to be largely fixed? I'm wondering what I can do to improve this workflow as it is a major pain (though the client itself is great!).

yuezk commented 1 year ago

@Gowiem I'm rewriting this client using Tauri (the current progress is roughly 80%) on the refactor branch. It is supposed to be fixed in the new client.

Since I cannot reproduce this issue, I would appreciate it if you could help me verify whether it is reproducible on the new client. You can follow the instructions on the README of that branch.

Gowiem commented 1 year ago

@yuezk tried working off your refactor branch, but quickly hit the following:

error: failed to run custom build command for `gpcommon v0.1.0 (/home/user/Workspace/GlobalProtect-openconnect/gpcommon)`

Caused by:
  process didn't exit successfully: `/home/user/Workspace/GlobalProtect-openconnect/target/debug/build/gpcommon-6b7a80cd347b49f1/build-script-build` (exit status: 1)
  --- stdout
  cargo:rustc-link-lib=openconnect
  cargo:rerun-if-changed=src/vpn/vpn.c
  cargo:rerun-if-changed=src/vpn/vpn.h
  TARGET = Some("x86_64-unknown-linux-gnu")
  OPT_LEVEL = Some("0")
  HOST = Some("x86_64-unknown-linux-gnu")
  cargo:rerun-if-env-changed=CC_x86_64-unknown-linux-gnu
  CC_x86_64-unknown-linux-gnu = None
  cargo:rerun-if-env-changed=CC_x86_64_unknown_linux_gnu
  CC_x86_64_unknown_linux_gnu = None
  cargo:rerun-if-env-changed=HOST_CC
  HOST_CC = None
  cargo:rerun-if-env-changed=CC
  CC = None
  cargo:rerun-if-env-changed=CFLAGS_x86_64-unknown-linux-gnu
  CFLAGS_x86_64-unknown-linux-gnu = None
  cargo:rerun-if-env-changed=CFLAGS_x86_64_unknown_linux_gnu
  CFLAGS_x86_64_unknown_linux_gnu = None
  cargo:rerun-if-env-changed=HOST_CFLAGS
  HOST_CFLAGS = None
  cargo:rerun-if-env-changed=CFLAGS
  CFLAGS = None
  cargo:rerun-if-env-changed=CRATE_CC_NO_DEFAULTS
  CRATE_CC_NO_DEFAULTS = None
  DEBUG = Some("true")
  CARGO_CFG_TARGET_FEATURE = Some("fxsr,sse,sse2")
  running: "cc" "-O0" "-ffunction-sections" "-fdata-sections" "-fPIC" "-gdwarf-4" "-fno-omit-frame-pointer" "-m64" "-I" "src/vpn" "-Wall" "-Wextra" "-o" "/home/user/Workspace/GlobalProtect-openconnect/target/debug/build/gpcommon-669710cdc92b757c/out/src/vpn/vpn.o" "-c" "src/vpn/vpn.c"
  cargo:warning=src/vpn/vpn.c:6:10: fatal error: openconnect.h: No such file or directory
  cargo:warning=    6 | #include <openconnect.h>
  cargo:warning=      |          ^~~~~~~~~~~~~~~
  cargo:warning=compilation terminated.
  exit status: 1

  --- stderr

  error occurred: Command "cc" "-O0" "-ffunction-sections" "-fdata-sections" "-fPIC" "-gdwarf-4" "-fno-omit-frame-pointer" "-m64" "-I" "src/vpn" "-Wall" "-Wextra" "-o" "/home/user/Workspace/GlobalProtect-openconnect/target/debug/build/gpcommon-669710cdc92b757c/out/src/vpn/vpn.o" "-c" "src/vpn/vpn.c" with args "cc" did not execute successfully (status code exit status: 1).

warning: build failed, waiting for other jobs to finish...

Is there a specific registry I need to install openconnect-devel? I have the openconnect package, but when trying to install openconnect-devel on Ubuntu I haven't been able to find good info. Let me know.

yuezk commented 1 year ago

@Gowiem try installing the libopenconnect-dev package.

Gowiem commented 1 year ago

@yuezk that got me unblocked on that, but then pnpm install failed:

 gpgui (branch:refactor) » pnpm install                                                                                                                                                                                                      

Lockfile is up to date, resolution step is skipped
Packages: +120
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Packages are hard linked from the content-addressable store to the virtual store.
  Content-addressable store is at: /home/user/.local/share/pnpm/store/v3
  Virtual store is at:             node_modules/.pnpm
Downloading registry.npmjs.org/@tauri-apps/cli-linux-x64-gnu/1.3.1: 7.89 MB/7.89 MB, done
Downloading registry.npmjs.org/@tauri-apps/cli-linux-x64-musl/1.3.1: 7.88 MB/7.88 MB, done
Downloading registry.npmjs.org/@swc/core-linux-x64-gnu/1.3.36: 14.90 MB/14.90 MB, done
Downloading registry.npmjs.org/@swc/core-linux-x64-musl/1.3.36: 14.74 MB/14.74 MB, done
Progress: resolved 120, reused 0, downloaded 120, added 120, done
Downloading registry.npmjs.org/typescript/4.9.5: 11.62 MB/11.62 MB, done
node_modules/.pnpm/@swc+core@1.3.36/node_modules/@swc/core: Running postinstall script...
 ELIFECYCLE  Command failed.
 gpgui (branch:refactor) » pnpm tauri dev                                                                                                                                                                                                     
 ERR_PNPM_RECURSIVE_EXEC_FIRST_FAIL  Command "tauri" not found
 gpgui (branch:refactor) » pnpm install                                                                                                                                                                                                       
Lockfile is up to date, resolution step is skipped
Packages: +120
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Progress: resolved 120, reused 120, downloaded 0, added 0, done
node_modules/.pnpm/@swc+core@1.3.36/node_modules/@swc/core: Running postinstall script...
 ELIFECYCLE  Command failed.
node_modules/.pnpm/esbuild@0.16.17/node_modules/esbuild: Running postinstall script...

Trying to help you debug early on, but if this is too early then I can just wait. If this is helpful, then I'm happy to keep hitting road blocks. Let me know your thoughts. Thanks!

yuezk commented 1 year ago

Thanks, @Gowiem, I will make the refactor branch more stable to test.

yuezk commented 8 months ago

This should no longer be a problem in the 2.x release, closing.