Cannot log in, returns HTTP 401 #22

Open
ly0 opened this issue Oct 17, 2017 · 8 comments

@ly0

ly0 commented Oct 17, 2017

Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Cookie is not acceptable
Creating SSL connection failed

@TommyLau
Owner

What kind of client are you using?

@lacek

lacek commented Jan 15, 2018

I got the same error on both clients:

@TommyLau
Owner

Can you try the AnyConnect client instead of OpenConnect?

In the config file, it was set to be compliant with Cisco AnyConnect.

@lacek

lacek commented Jan 15, 2018

I tried Windows AnyConnect Client 3.1.13015 and failed with different errors:

  • when group All[全局代理 All Proxy] is chosen and the user and password are entered, nothing happened and Message History showed:

    [2018/1/15 下午 11:32:10] Contacting 192.168.1.101:8443.
    [2018/1/15 下午 11:32:11] Please enter your username.
    [2018/1/15 下午 11:32:13] Please enter your username.
    [2018/1/15 下午 11:32:14] User credentials entered.
    [2018/1/15 下午 11:32:14] Please enter your password.
    [2018/1/15 下午 11:32:15] User credentials entered.
    [2018/1/15 下午 11:32:16] Please enter your password.
    [2018/1/15 下午 11:32:16] User credentials prompt cancelled.
    
  • when group Route[仅海外代理 Exclude CN] is chosen and the user and password are entered, the first alert prompted:

    The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.

    Then the second alert prompted:

    AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

    And Message History showed:

    [2018/1/15 下午 11:34:03] Contacting 192.168.1.101:8443.
    [2018/1/15 下午 11:34:04] Please enter your username.
    [2018/1/15 下午 11:34:07] User credentials entered.
    [2018/1/15 下午 11:34:07] Please enter your password.
    [2018/1/15 下午 11:34:09] User credentials entered.
    [2018/1/15 下午 11:34:09] Establishing VPN session...
    [2018/1/15 下午 11:34:09] Checking for profile updates...
    [2018/1/15 下午 11:34:09] Checking for product updates...
    [2018/1/15 下午 11:34:12] Checking for customization updates...
    [2018/1/15 下午 11:34:12] Performing any required updates...
    [2018/1/15 下午 11:34:12] Establishing VPN session...
    [2018/1/15 下午 11:34:12] Establishing VPN - Initiating connection...
    [2018/1/15 下午 11:36:52] Connection attempt has failed.
    [2018/1/15 下午 11:37:36] VPN session ended.
    

Update:

Changing the starting command to ocserv -c /etc/ocserv/ocserv.conf -f -d1, I got the debug log from docker container:

ocserv[1]: main[test]: 172.17.0.1:37895 new user session
ocserv[1]: main: tun.c:552: Can't open /dev/net/tun: No such device
ocserv[1]: main[test]: 172.17.0.1:37895 failed authentication attempt for user 'test'
ocserv[71]: worker: 172.17.0.1 failed cookie authentication attempt
ocserv[22]: sec-mod: temporarily closing session for test (session: JlG+Lh)
ocserv[1]: main[test]: 172.17.0.1:37895 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[72]: worker:  could not disable system calls, kernel might not support seccomp
ocserv[1]: main: 172.17.0.1:37896 user disconnected (reason: unspecified, rx: 0, tx: 0)

This is probably a problem with my kernel.


Update 2:

My suspicion above should be valid. Changed to use docker daemon on a Mac, successfully launched with the same docker run command.

@ly0 You should try launching your container with the debug flag and check the log messages to see if there's any hint, e.g.:

docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d tommylau/ocserv ocserv -c /etc/ocserv/ocserv.conf -f -d1
# try connect to trigger error
docker logs ocserv
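
The triage described in the comment above, as an added example that is not part of the original thread: it tags the host-side failures in an ocserv `-d1` log so that an authentication failure logged after a tun open error is not mistaken for bad credentials. The function names and tags are hypothetical, and the sample input is constructed from the log lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage `docker logs ocserv` output
# captured with -d1 for the host-side failures seen in the log above.

# Constructed sample input: the debug lines quoted in the comment above.
sample_log() {
cat <<'EOF'
ocserv[1]: main[test]: 172.17.0.1:37895 new user session
ocserv[1]: main: tun.c:552: Can't open /dev/net/tun: No such device
ocserv[1]: main[test]: 172.17.0.1:37895 failed authentication attempt for user 'test'
ocserv[71]: worker: 172.17.0.1 failed cookie authentication attempt
ocserv[22]: sec-mod: temporarily closing session for test (session: JlG+Lh)
ocserv[1]: main[test]: 172.17.0.1:37895 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[72]: worker:  could not disable system calls, kernel might not support seccomp
ocserv[1]: main: 172.17.0.1:37896 user disconnected (reason: unspecified, rx: 0, tx: 0)
EOF
}

# Read ocserv log lines on stdin and print one tagged finding per relevant line.
# An authentication failure logged after a tun open error is tagged separately,
# so it is not mistaken for a bad password or cookie.
triage_ocserv_log() {
    awk '
    /open \/dev\/net\/tun/ {
        tun = 1; print "TUN_UNAVAILABLE: " $0; next
    }
    /kernel might not support seccomp/ {
        print "SECCOMP_UNAVAILABLE: " $0; next   # worker syscall filter not applied
    }
    /failed (cookie )?authentication attempt/ {
        tag = (tun ? "AUTH_FAILED_AFTER_TUN_ERROR" : "AUTH_FAILED")
        print tag ": " $0
    }'
}

# Host/container preflight: the device must be a character device that can be
# opened, the same open() that failed in the log. Path defaults to /dev/net/tun.
tun_openable() {
    dev=${1:-/dev/net/tun}
    [ -c "$dev" ] && ( : <>"$dev" ) 2>/dev/null
}

sample_log | triage_ocserv_log
tun_openable || echo "preflight: /dev/net/tun cannot be opened here"
```

Against a live container, pipe `docker logs ocserv 2>&1` into `triage_ocserv_log` instead of the sample.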

@TommyLau
Owner

tun is needed as far as I know to use ocserv, I'm using Ubuntu as the host.

And, as far as I last knew, AnyConnect can only connect to port 443 (SSL) rather than any other port.

@lacek Can the AnyConnect client on Mac connect to the server on a port other than 443 now?

@Un1Gfn

Un1Gfn commented Mar 4, 2020

@ly0
Do u have other devices connected to the server at the same time?
Disconnect them and try again.
There might be problems w/ multiple clients.

@swanduron

Hello Tommy, I have also run into this problem. My VPN client is Cisco AnyConnect 4.9, and I list the operation steps below:

  1. docker run
  2. connect to the server, for example, use group [All projects]
  3. if I use the correct username/password, the server will reject the connection request with "Connection attempt has failed"
  4. Following point 3, if I use the wrong username/password, the server will notify me that the username or password is incorrect
  5. Switch the group to [Exclude CN], the correct username/password will work fine
  6. Switch back to [Proxy All], the connection also works smoothly

From my view, ocserv can identify the user information from ocpasswd file. Due to the fewer log messages in docker, I can't identify more information about this case. Do you have any idea?

@TommyLau
Owner

@swanduron You can mount the config file to your host, so that you can modify the config file to output more useful information.

And you could also remove group settings as a test.

Personally, I prefer using the "Certificate" method rather than the username/password method.
