GlobalProtect-openconnect
ip:port recognized as domain
Logs
[2024-08-02T02:58:37Z INFO gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Gateway: 1.2.3.4:9000)
> Password: ********
[2024-08-02T02:58:38Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-08-02T02:58:38Z INFO openconnect::ffi] openconnect version: v9.12
[2024-08-02T02:58:38Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2024-08-02T02:58:38Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script
[2024-08-02T02:58:38Z INFO openconnect::ffi] OS: linux
[2024-08-02T02:58:38Z INFO openconnect::ffi] CSD_USER: 1000
[2024-08-02T02:58:38Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-08-02T02:58:38Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-08-02T02:58:38Z INFO openconnect::ffi] MTU: 0
[2024-08-02T02:58:38Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2024-08-02T02:58:38Z INFO openconnect::ffi] POST https://1.2.3.4:9000/ssl-vpn/getconfig.esp
[2024-08-02T02:58:38Z WARN openconnect::ffi] getaddrinfo failed for host '1.2.3.4:9000': Name or service not known
[2024-08-02T02:58:38Z WARN openconnect::ffi] Failed to open HTTPS connection to 1.2.3.4:9000
[2024-08-02T02:58:38Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
Environment:
- OS: Archlinux
- Desktop Environment: cli
Seems like the error is reported from the underlying OpenConnect library. It doesn't provide a way to set the host and the port separately.
How many gateways do you have and do they all use the non-standard (i.e. 443) ports?
Only one; it is provided by our company, and I can't change it.
Hi @Asutorufa, if your portal doesn't use SSO for authentication, you can try to connect your portal with openconnect to see if it works.
sudo openconnect --protocol=gp <portal>
I just want to chime in and say I have the same problem. Connecting with openconnect directly works fine with the port added at the end.
@dislabled, would you mind posting the command you used with OpenConnect?
Sure, I'll include gpclient also:
gpclient -v connect login.vpnsite.com:8443
[2025-07-06T08:18:27Z INFO gpclient::cli] gpclient started: 2.4.4 (2025-07-05)
[2025-07-06T08:18:27Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-07-06T08:18:27Z DEBUG reqwest::connect] starting new connection: https://login.vpnsite.com:8443/
[2025-07-06T08:18:27Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=login.vpnsite.com
[2025-07-06T08:18:27Z DEBUG hyper_util::client::legacy::connect::http] connecting to 1.2.3.4:8443
[2025-07-06T08:18:27Z DEBUG hyper_util::client::legacy::connect::http] connected to 1.2.3.4:8443
[2025-07-06T08:18:27Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", login.vpnsite.com:8443)
Enter login credentials (Portal: login.vpnsite.com:8443)
> Username: disl
> Password: ********
[2025-07-06T08:18:48Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect
[2025-07-06T08:18:48Z DEBUG reqwest::connect] starting new connection: https://login.vpnsite.com:8443/
[2025-07-06T08:18:48Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=login.vpnsite.com
[2025-07-06T08:18:48Z DEBUG hyper_util::client::legacy::connect::http] connecting to 1.2.3.4:8443
[2025-07-06T08:18:48Z DEBUG hyper_util::client::legacy::connect::http] connected to 1.2.3.4:8443
[2025-07-06T08:18:48Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", login.vpnsite.com:8443)
[2025-07-06T08:18:48Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways...
[2025-07-06T08:18:48Z INFO gpclient::connect] Connecting to the only available gateway: gp_gateway (login.vpnsite.com:8443)
[2025-07-06T08:18:48Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect
[2025-07-06T08:18:48Z DEBUG reqwest::connect] starting new connection: https://login.vpnsite.com:8443/
[2025-07-06T08:18:48Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=login.vpnsite.com
[2025-07-06T08:18:48Z DEBUG hyper_util::client::legacy::connect::http] connecting to 1.2.3.4:8443
[2025-07-06T08:18:48Z DEBUG hyper_util::client::legacy::connect::http] connected to 1.2.3.4:8443
[2025-07-06T08:18:48Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", login.vpnsite.com:8443)
[2025-07-06T08:18:48Z INFO openconnect::ffi] openconnect version: v9.12
[2025-07-06T08:18:48Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2025-07-06T08:18:48Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script
[2025-07-06T08:18:48Z INFO openconnect::ffi] OS: linux
[2025-07-06T08:18:48Z INFO openconnect::ffi] CSD_USER: 1000
[2025-07-06T08:18:48Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2025-07-06T08:18:48Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2025-07-06T08:18:48Z INFO openconnect::ffi] MTU: 0
[2025-07-06T08:18:48Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2025-07-06T08:18:48Z INFO openconnect::ffi] NO_DTLS: 0
[2025-07-06T08:18:48Z INFO openconnect::ffi] POST https://login.vpnsite.com:8443/ssl-vpn/getconfig.esp
[2025-07-06T08:18:48Z WARN openconnect::ffi] getaddrinfo failed for host 'login.vpnsite.com:8443': Name or service not known
[2025-07-06T08:18:48Z WARN openconnect::ffi] Failed to open HTTPS connection to login.vpnsite.com:8443
[2025-07-06T08:18:48Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
sudo openconnect -v --protocol=gp login.vpnsite.com:8443
[sudo] password for disl:
POST https://login.vpnsite.com:8443/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 1.2.3.4:8443
Connected to 1.2.3.4:8443
SSL negotiation with login.vpnsite.com
Connected to HTTPS on login.vpnsite.com with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Sun, 06 Jul 2025 08:24:29 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 569
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (569)
Enter login credentials
Username: disl
Password:
POST https://login.vpnsite.com:8443/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Sun, 06 Jul 2025 08:24:52 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 10033
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (10033)
Portal reports GlobalProtect version 6.3.3-633; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
gp_gateway (login.vpnsite.com:8443)
Please select GlobalProtect gateway.
GATEWAY: [gp_gateway]:gp_gateway
POST https://login.vpnsite.com:8443/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Sun, 06 Jul 2025 08:24:52 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1071
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (1071)
GlobalProtect login returned authentication-source=gp-authentication-profile
GlobalProtect login returned password-expiration-days=0
GlobalProtect login returned portal-userauthcookie=******************************************************************************************************************************************************************************************************************************************************************************************************************************************************==
GlobalProtect login returned portal-prelogonuserauthcookie=empty
GlobalProtect login returned usually-equals-4=4
POST https://login.vpnsite.com:8443/ssl-vpn/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Sun, 06 Jul 2025 08:24:52 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 2305
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (2305)
Tunnel timeout (rekey interval) is 180 minutes.
Unknown GlobalProtect config tag <lifetime-notify-prior>: 1800
Unknown GlobalProtect config tag <lifetime-notify-message>: Your GlobalProtect session will expire in 30 minutes. Please save your work before your session expires.
Unknown GlobalProtect config tag <inactivity-notify-prior>: 1800
Unknown GlobalProtect config tag <inactivity-notify-message>: Your GlobalProtect session will time out in 30 minutes. Please save your work before your session times out.
Unknown GlobalProtect config tag <admin-logout-notify-message>: Your administrator has logged you out.
Unknown GlobalProtect config tag <user_expires>: 1754382292
Idle timeout is 180 minutes.
Unknown GlobalProtect config tag <panos-version>: 11.1.6-h6
TCP_INFO rcv mss 1460, snd mss 1460, adv mss 1460, pmtu 1500
No MTU received. Calculated 1422 for ESP tunnel
POST https://login.vpnsite.com:8443/ssl-vpn/hipreportcheck.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Sun, 06 Jul 2025 08:24:52 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 127
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
HTTP body length: (127)
Gateway says HIP report submission is needed.
WARNING: Server asked us to submit HIP report with md5sum ********************************.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Send ESP probes
UDP SO_SNDBUF: 91008
Send ESP probes
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.
Configured as 10.10.10.15, with SSL disconnected and ESP established
Session authentication will expire at Tue Aug 5 10:24:51 2025
Detected virtual address range 0x1000-0x7ffffffff000
Using vhost-net for tun acceleration, ring size 32
@dislabled Thanks for the logs, I have found the root cause.
@dislabled you can download the CI build from here and see if it works for you. https://github.com/yuezk/GlobalProtect-openconnect/actions/runs/16147714367
@yuezk ! I can confirm that it works using both the cli and the gui! Thank you very much!
Thanks, will release it soon.
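The WARN line `getaddrinfo failed for host '1.2.3.4:9000'` in the logs above shows the combined host:port string reaching the resolver as a host name. The following is an added example, not code from this project or from OpenConnect, that reproduces that failure offline and shows the host and port being separated first; `resolve_numeric`, `split_server` and the default port 443 are assumptions made for the illustration.

```c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Numeric-only lookup (AI_NUMERICHOST) so it runs offline; 0 = resolved. */
static int resolve_numeric(const char *host, const char *port)
{
    struct addrinfo hints = {0}, *res = NULL;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    int rc = getaddrinfo(host, port, &hints, &res);
    if (rc == 0) freeaddrinfo(res);
    return rc;
}

/* Hypothetical helper: split "host", "host:port" or "[v6]:port" into parts.
 * Returns 0 on success, -1 on malformed input or a too-small buffer. */
static int split_server(const char *s, const char *defport,
                        char *host, size_t hlen, char *port, size_t plen)
{
    const char *hs = s, *he = s + strlen(s), *p = defport, *c;
    if (*s == '[') {                         /* bracketed IPv6 literal */
        hs = s + 1;
        he = strchr(hs, ']');
        if (!he || (he[1] != '\0' && he[1] != ':')) return -1;
        if (he[1] == ':') p = he + 2;
    } else if ((c = strchr(s, ':')) && !strchr(c + 1, ':')) {
        he = c;                              /* exactly one colon: host:port */
        p = c + 1;
    }                                        /* 2+ colons: bare IPv6, no port */
    char *end;
    long n = strtol(p, &end, 10);
    size_t hl = (size_t)(he - hs);
    if (*p < '0' || *p > '9' || *end != '\0' || n < 1 || n > 65535 ||
        hl == 0 || hl >= hlen || strlen(p) >= plen)
        return -1;                           /* bad port or empty/oversized host */
    snprintf(host, hlen, "%.*s", (int)hl, hs);
    snprintf(port, plen, "%s", p);
    return 0;
}

int main(void)   /* "1.2.3.4:9000" is the constructed value from the log */
{
    char h[256], p[6];
    printf("unsplit rc=%d\n", resolve_numeric("1.2.3.4:9000", NULL));
    if (split_server("1.2.3.4:9000", "443", h, sizeof h, p, sizeof p) == 0)
        printf("split %s port %s rc=%d\n", h, p, resolve_numeric(h, p));
    return 0;
}
```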