openconnect "either to is duplicate or uid is garbage"

asked 2017-06-04 16:05:05 -0600


```
$ uname -a
Linux asterix 4.10.15-200.fc25.x86_64 #1 SMP Mon May 8 18:46:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ openconnect --version
OpenConnect version v7.08
Using GnuTLS. Features present: TPM, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS
```

When establishing a VPN, I get the following error:

```
POST https://vpn.example.com/
SSL negotiation with vpn.example-1.example.com
Connected to HTTPS on vpn.example-1.example.com
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 13x.xxx.xxx.xxx, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Error: either "to" is duplicate, or "uid" is a garbage.
```

Any ideas why? Thanks a lot in advance!


1 Answer


answered 2017-06-07 07:41:01 -0600


I traced this to a problem in the /etc/vpnc/vpnc-script. This script is different from the default vpnc-script at [1]. It was probably obtained from a Cisco Anyconnect installation (which is what is used in my company). In any case, the problem was extra parameters being passed to the route(1) command. A diff of the changes is below, in case anyone is interested. (The patch will probably not be formatted appropriately, but all the same ...)

[1] http://www.infradead.org/openconnect/...

Cheers.

* vpnc-script 2017-06-06 12:50:21.724905288 -0500 --- vpnc-script.orig 2017-06-06 12:20:04.759953527 -0500


* 1,4 * ! #!/bin/sh # reason -- why this script was called, one of: pre-init connect disconnect #* VPNGATEWAY -- vpn gateway address (always present) #* TUNDEV -- tunnel device (always present) --- 1,4 ---- ! #!/bin/sh -x #* reason -- why this script was called, one of: pre-init connect disconnect #* VPNGATEWAY -- vpn gateway address (always present) #* TUNDEV -- tunnel device (always present)
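Review bot: this diff is reversed: the `*` side is the edited vpnc-script and the `---` side is vpnc-script.orig, so anyone applying it to a stock copy needs `patch -R` (or the file arguments swapped). The only change in this hunk is dropping `-x` from the shebang (`#!/bin/sh -x` on the .orig side), which switches off shell tracing to stderr; that is unrelated to the route fix and is better left out of the patch or at least mentioned, since it otherwise looks like part of the fix.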


* 115,123 ** # =========== route handling ====================================

if [ -n "$IPROUTE" ]; then

fix_ip_get_output () {

! sed 's/cache//;s/metric \?[0-9]+ [0-9]+//g;s/hoplimit [0-9]+//g;s/uid 0//g' }

set_vpngateway_route() {

--- 115,122 ---- # =========== route handling ====================================

if [ -n "$IPROUTE" ]; then fixipget_output () { ! sed 's/cache//;s/metric \?[0-9]+ [0-9]+//g;s/hoplimit [0-9]+//g' }

set_vpngateway_route() {
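Review bot: `s/uid 0//g` only matches the literal uid 0. `ip route get` prints the uid of the process that ran it, so if the script is ever run as another user the substitution silently does nothing and `ip route add` fails with the same "uid is a garbage" error. Match any uid, e.g. `s/ uid [0-9]\+//g`, and include the leading space so no double space is left in the argument list. Also note that in a basic-regex sed `[0-9]+` matches a literal `+` unless written `\+` (GNU) or `[0-9][0-9]*` (portable); if backslashes were lost to the forum's formatting, the line as shown will not work when copied.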
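The failure mode in the answer above, worked through as an added example in POSIX sh. This is my code, not vpnc-script's or OpenConnect's: the two `ip route get` outputs, the function names and the small `parse_route_add` imitation of how `ip route add` treats an unknown token are all constructed for illustration. It shows why the raw `ip route get` output breaks `ip route add` once iproute2 starts printing `uid`, and contrasts a denylist filter like the answer's sed with an allowlist filter that only keeps the attributes the add command needs.

```shell
#!/bin/sh
# Added example (not vpnc-script's own code): shows why `ip route add` rejects
# the raw output of `ip route get` on a 4.10-era kernel, and two ways a
# fix_ip_get_output filter can sanitise it. All sample outputs are constructed.

# Constructed `ip route get 13.1.2.3` output from an iproute2 that prints the
# calling uid (here uid 0; a non-root caller would see e.g. "uid 1000", so a
# filter that strips only "uid 0" would still break there).
SAMPLE_NEW='13.1.2.3 via 192.168.1.1 dev wlp3s0 src 192.168.1.23 uid 0
    cache'

# Constructed output from an older iproute2 without the uid attribute.
SAMPLE_OLD='13.1.2.3 via 192.168.1.1 dev eth0  src 192.168.1.23
    cache'

# Denylist filter in the spirit of the answer's sed, but stripping any uid
# value rather than only 0, with the leading space included so no stray
# double spaces are left behind. [0-9][0-9]* is used for sed portability.
fix_ip_get_output_denylist() {
    sed -e 's/ cache//' \
        -e 's/ metric [0-9][0-9]*//g' \
        -e 's/ hoplimit [0-9][0-9]*//g' \
        -e 's/ uid [0-9][0-9]*//g'
}

# Allowlist filter: keep the destination plus the via/dev/src/mtu pairs that
# `ip route add` needs. Any new attribute a future iproute2 prints is dropped
# instead of breaking the VPN.
fix_ip_get_output_allowlist() {
    set -- $(cat)            # word-split stdin into positional parameters
    out=$1; shift
    while [ $# -ge 2 ]; do
        case $1 in
            via|dev|src|mtu) out="$out $1 $2"; shift 2 ;;
            *) shift ;;
        esac
    done
    printf '%s\n' "$out"
}

# Minimal imitation of how `ip route add` reads its argument list
# (constructed for illustration, not iproute2's parser): a token that is not
# a known keyword is taken as the destination ("to"); a second such token
# produces the error text seen in the question.
parse_route_add() {
    to=''
    while [ $# -gt 0 ]; do
        case $1 in
            via|dev|src|mtu|metric|hoplimit|table|scope|proto)
                [ $# -ge 2 ] || { echo "Error: argument \"$1\" is wrong"; return 1; }
                shift 2 ;;
            *)
                if [ -n "$to" ]; then
                    echo "Error: either \"to\" is duplicate, or \"$1\" is a garbage."
                    return 1
                fi
                to=$1; shift ;;
        esac
    done
    echo "ok: route to $to"
}

# The vpnc-script pattern: ip route add $(ip route get GW | fix_ip_get_output)
# $1: filter function name (use `cat` for no filter); $2: sample output.
simulate() {
    parse_route_add $(printf '%s\n' "$2" | "$1")
}

# Demo with the constructed samples: unfiltered output fails, both filters pass.
for f in cat fix_ip_get_output_denylist fix_ip_get_output_allowlist; do
    printf '%-27s %s\n' "$f:" "$(simulate "$f" "$SAMPLE_NEW" || true)"
done
```

The allowlist form is the one I would keep: the denylist has to be extended every time iproute2 grows a new attribute (as happened here with `uid`), whereas the allowlist only ever passes through the handful of keywords that `ip route add` is meant to receive.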

Comments

The inline diff gets pretty mangled. Can you wrap it in triple-backticks to mark a code block? Thanks! For other readers, here is an attempt to demangle it: http://dpaste.com/3NA6C30

cm (2018-08-27 11:03:19 -0600)


Last updated: Jun 07 '17