GlobalProtect-openconnect icon indicating copy to clipboard operation
GlobalProtect-openconnect copied to clipboard
verified publisher icon yuezk

GlobalProtect Version Compatibility Issue: Requires Version 6.1.4 or Higher

Open khaerunsituncu opened this issue 1 year ago • 19 comments

Describe the bug I encountered an issue where my application requires a version higher than 6.1

Expected behavior I am receiving a warning message indicating that I need to ensure a compatible GlobalProtect version (6.1.4 or above).

Logs

[2024-09-19T01:01:06Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator. [2024-09-19T01:01:06Z WARN openconnect::ffi] openconnect_make_cstp_connection failed

Environment:

  • OS: Manjaro 24.0.7
  • Desktop Environment: GNOME

khaerunsituncu avatar Sep 19 '24 01:09 khaerunsituncu

Looks like the VPN server checked the client version. Currently, the client uses 6.0.1-19 to simulate the GP client. But you can customize the version by following:

  • For GUI, please try to set the Client Version to 6.3.0-33 to see if it helps. image
  • For CLI, please pass the client version via the --user-agent 'PAN GlobalProtect/6.3.0-33' to see if it helps.

yuezk avatar Sep 19 '24 01:09 yuezk

After I changed the client version I still got the same error, is there still a way I can connect to global protect ?

khaerunsituncu avatar Sep 19 '24 02:09 khaerunsituncu

Can I have the full logs after changing the client version? So I can ensure we didn't miss anything.

yuezk avatar Sep 19 '24 03:09 yuezk

sudo -E gpclient connect --user-agent 'PAN GlobalProtect/6.3.0-33' --browser default xxxxxxxxxxxxxxx  ✔ [sudo] password for khaerun: [2024-09-19T04:32:00Z INFO gpclient::cli] gpclient started: 2.3.7 (2024-08-16) [2024-09-19T04:32:00Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T04:32:00Z INFO gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T04:32:02Z INFO gpauth::cli] gpauth started: 2.3.7 (2024-08-16) [2024-09-19T04:32:02Z INFO gpapi::process::browser_authenticator] Launching the default browser... [2024-09-19T04:32:02Z INFO gpauth::cli] Please continue the authentication process in the default browser [2024-09-19T04:32:02Z INFO gpauth::cli] Listening authentication data on port 35793 [2024-09-19T04:32:02Z INFO gpauth::cli] If it hangs, please check the logs at /tmp/gpcallback.log for more information [2024-09-19T04:33:07Z INFO gpauth::cli] Received the browser authentication data from the socket [2024-09-19T04:33:07Z INFO gpapi::auth] Got CAS auth data from globalprotectcallback [2024-09-19T04:33:07Z INFO gpauth::cli] Authentication completed [2024-09-19T04:33:07Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T04:33:08Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways... [2024-09-19T04:33:08Z INFO gpclient::connect] Connecting to the only available gateway: xxxxxxxxxxx (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) [2024-09-19T04:33:08Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T04:33:09Z INFO openconnect::ffi] openconnect version: v9.12 [2024-09-19T04:33:09Z INFO openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T04:33:09Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script [2024-09-19T04:33:09Z INFO openconnect::ffi] OS: linux [2024-09-19T04:33:09Z INFO openconnect::ffi] CSD_USER: 1000 [2024-09-19T04:33:09Z INFO openconnect::ffi] CSD_WRAPPER: (null) [2024-09-19T04:33:09Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300 [2024-09-19T04:33:09Z INFO openconnect::ffi] MTU: 0 [2024-09-19T04:33:09Z INFO openconnect::ffi] DISABLE_IPV6: 0 [2024-09-19T04:33:09Z INFO openconnect::ffi] NO_DTLS: 0 [2024-09-19T04:33:09Z INFO openconnect::ffi] POST https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [2024-09-19T04:33:10Z INFO openconnect::ffi] Connected to xxxxxxxxxxxxxxxxxxxxxxxxx [2024-09-19T04:33:10Z INFO openconnect::ffi] SSL negotiation with xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [2024-09-19T04:33:10Z INFO openconnect::ffi] Connected to HTTPS on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx with ciphersuite (TLS1.2)-(xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) [2024-09-19T04:33:11Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator. [2024-09-19T04:33:11Z WARN openconnect::ffi] openconnect_make_cstp_connection failed

khaerunsituncu avatar Sep 19 '24 04:09 khaerunsituncu

Thanks for the logs. The client version seems applied to all the places I can come up with. Did this client work before?

yuezk avatar Sep 19 '24 13:09 yuezk

On Windows it can connect but on Manjaro this is the first time I've tried it

khaerunsituncu avatar Sep 19 '24 13:09 khaerunsituncu

It is the first time I encountered the Please ensure the compatible GlobalProtect version is: 6.1.4 or above error.

Can you run it with sudo gpclient connect <portal> --user-agent 'PAN GlobalProtect/6.3.0-33' --os Windows. This may not work, but we can give it a try.

yuezk avatar Sep 19 '24 14:09 yuezk

sudo gpclient connect *********** --user-agent 'PAN GlobalProtect/6.3.0-33' --os Windows [sudo] password for khaerun: [2024-09-19T14:39:16Z INFO gpclient::cli] gpclient started: 2.3.7 (2024-08-16) [2024-09-19T14:39:16Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T14:39:16Z INFO gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T14:39:17Z INFO gpauth::cli] gpauth started: 2.3.7 (2024-08-16) [2024-09-19T14:39:17Z INFO gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.3.0-33

** (gpauth:78330): WARNING : 22:39:17.525: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing. [2024-09-19T14:39:17Z INFO gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15 [2024-09-19T14:39:17Z INFO gpauth::auth_window] Load the SAML request as HTML... [2024-09-19T14:39:17Z INFO gpauth::auth_window] Loaded uri: about:blank [2024-09-19T14:39:17Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:39:17Z INFO gpauth::auth_window] No headers found in response [2024-09-19T14:39:17Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:39:17Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:39:17Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:39:17Z INFO gpauth::auth_window] Raise window in 1 second(s) [2024-09-19T14:39:17Z INFO gpauth::auth_window] Raise window cancelled [2024-09-19T14:39:19Z INFO gpauth::auth_window] Loaded uri: https://lm/fc743075-93ed-4a5c-82c0-ca5eac914220/saml2?SAMLRequest=l%3D&RelayState=_7&SigAlg=h6&Signature=b********%3D [2024-09-19T14:39:19Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:39:19Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:39:19Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:39:19Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:39:19Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:39:19Z INFO gpauth::auth_window] Raise window in 1 second(s) [2024-09-19T14:39:21Z INFO gpapi::utils::window] Window not raised: Failed to raise window: GlobalProtect Login [2024-09-19T14:39:38Z INFO gpauth::auth_window] Loaded uri: https://id/isam/sps/auth [2024-09-19T14:39:38Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:39:38Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:39:38Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:39:38Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:39:38Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:39:48Z INFO gpauth::auth_window] Loaded uri: https://id/mga/sps/authsvc?PolicyId=u1&Target=hh [2024-09-19T14:39:48Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:39:48Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:39:48Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:39:48Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:39:48Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:39:52Z INFO gpauth::auth_window] Loaded uri: https://id/mga/sps/authsvc?StateId=xY&operation=vy [2024-09-19T14:39:52Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:39:52Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:39:52Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:39:52Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:39:52Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:39:58Z INFO gpauth::auth_window] Loaded uri: https://id/isam/sps/auth [2024-09-19T14:39:58Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:39:58Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:39:58Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:39:58Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:39:58Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:40:00Z INFO gpauth::auth_window] Loaded uri: https://lm/login.srf [2024-09-19T14:40:00Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:40:00Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:40:00Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:40:00Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:40:00Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:40:03Z INFO gpauth::auth_window] Loaded uri: https://lm/kmsi [2024-09-19T14:40:03Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:40:03Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:40:03Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:40:03Z INFO gpauth::auth_window] Loaded uri: https://cm/sp/acs [2024-09-19T14:40:03Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:40:03Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:40:03Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found [2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint [2024-09-19T14:40:04Z WARN gpauth::auth_window] Failed to load uri: https://sd/SAML20/SP/ACS with error: Load request cancelled [2024-09-19T14:40:04Z INFO gpauth::auth_window] Loaded uri: https://sd/SAML20/SP/ACS [2024-09-19T14:40:04Z INFO gpauth::auth_window] Trying to read auth data from response headers... [2024-09-19T14:40:04Z INFO gpauth::auth_window] No saml-auth-status header found [2024-09-19T14:40:04Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body... [2024-09-19T14:40:04Z INFO gpauth::auth_window] Found gpcallback from html... [2024-09-19T14:40:04Z INFO gpapi::auth] Got CAS auth data from globalprotectcallback [2024-09-19T14:40:04Z INFO gpauth::auth_window] Loaded uri: globalprotectcallback:cas-as=1&unw [2024-09-19T14:40:04Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T14:40:05Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways... [2024-09-19T14:40:05Z INFO gpclient::connect] Connecting to the only available gateway: *************************** [2024-09-19T14:40:05Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T14:40:05Z INFO openconnect::ffi] openconnect version: v9.12 [2024-09-19T14:40:05Z INFO openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33 [2024-09-19T14:40:05Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script [2024-09-19T14:40:05Z INFO openconnect::ffi] OS: win [2024-09-19T14:40:05Z INFO openconnect::ffi] CSD_USER: 1000 [2024-09-19T14:40:05Z INFO openconnect::ffi] CSD_WRAPPER: (null) [2024-09-19T14:40:05Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300 [2024-09-19T14:40:05Z INFO openconnect::ffi] MTU: 0 [2024-09-19T14:40:05Z INFO openconnect::ffi] DISABLE_IPV6: 0 [2024-09-19T14:40:05Z INFO openconnect::ffi] NO_DTLS: 0 [2024-09-19T14:40:05Z INFO openconnect::ffi] POST ******************************** [2024-09-19T14:40:05Z INFO openconnect::ffi] Connected to ************* [2024-09-19T14:40:05Z INFO openconnect::ffi] SSL negotiation with ********************** [2024-09-19T14:40:05Z INFO openconnect::ffi] Connected to HTTPS on ****************************** with ciphersuite (TLS1.2)-(******************************** [2024-09-19T14:40:05Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator. [2024-09-19T14:40:05Z WARN openconnect::ffi] openconnect_make_cstp_connection failed

khaerunsituncu avatar Sep 19 '24 14:09 khaerunsituncu

@khaerunsituncu I'm afraid I cannot provide enough help for this problem based on the error message. Since the official Windows client works, it is possible to make this client work as well. However, I need to inspect the network trace sent by the Windows client, but this is not feasible due to security concerns.

So, you may need to contact your IT admin to see if they have some configuration to limit the GlobalProtect client version.

yuezk avatar Sep 20 '24 01:09 yuezk

how to install a ca.pem certificate?

khaerunsituncu avatar Sep 23 '24 13:09 khaerunsituncu

You can pass it via the --certificate <path to ca> parameter.

yuezk avatar Sep 23 '24 13:09 yuezk

image Hi, I managed to connect to the Ubuntu virtual box, is there a possibility that OpenConnect doesn't support Global Protect version 6.2 yet? and needs to be updated

or openconnet can't simulate the GP version

I'm too lazy to change the Manjaro distro to Ubuntu

khaerunsituncu avatar Sep 23 '24 14:09 khaerunsituncu

Perhaps. GlobalProtect VPN server is a black box to us, it may not work if the server side has some modifications or configurations. Currently, my VPN portal does not have the problem. It’s hard to troubleshoot without analyzing the network traffic of the official client.

yuezk avatar Sep 23 '24 14:09 yuezk

I had the same issue and was able to fix it by updating openconnect to >=v9.10 (v9.12 in my case).

Did some research and I think the reason for this issue is a previously hard-coded GlobalProtect client version string in openconnect. In v9.10, openconnect/openconnect!333 was merged, which just takes the the server version and "parrots" it back as the client version. Apparently this is not something that can be influenced with the --user-agent flag.

Unfortunately, there is no option to override the GlobalProtect client version manually (yet), so currently the only solution is using a recent enough openconnect version.

SimonKienzler avatar Dec 10 '24 11:12 SimonKienzler

I have the same issue on Ubuntu 24.04, even if I use the option --user-agent 'PAN GlobalProtect/6.3.0-33'. I was already using Openconnect 9.12, provided by Ubuntu. After reading the comment above just in case I tried installing the latest git version of Openconnect, but I still get the same error.

giac avatar Dec 13 '24 21:12 giac

I've managed to make it work. In short I did the following:

  1. I upgraded the GlobalProtect client version hardcoded here in Openconnect and compiled Openconnect. (Intructions are available on the Openconnect website or here for Ubuntu, by @yuezk)
  2. I ran sudo -E gpclient connect ********.com making sure it uses my modified version of Openconnect and it worked.

Explanation

As @SimonKienzler mentioned, Openconnect reads the server version and "parrots" it back as the client version. However, I inferred from this commit message that this happens only if Openconnect is used to connect to a portal. If you use openconnect to connect directly to the gateway it will use the hardcoded GlobalProtect client version hardcoded here. As far as I understand gpclient handles the Gateway selection and uses Openconnect to connect directly to the Gateway, which is uses the hardcoded client version. I also tried using gp-saml-gui and used openconnect to connect to the portal, but that didn't work for me, I got fgets (stdin): Inappropriate ioctl for device

giac avatar Dec 27 '24 21:12 giac

I have the same issue. My openconnect version is already 9.12. Am I doing something wrong ? 🤔

Here is the full log:

tolga@kanarya:~> gpclient connect XXX.gpcloudservice.com --browser default --user-agent 'PAN GlobalProtect/6.3.0-33' --os Windows
[2025-07-21T08:53:32Z INFO  gpclient::cli] gpclient started: 2.4.5 (2025-07-16)
[2025-07-21T08:53:32Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33
[2025-07-21T08:53:32Z INFO  gpauth::cli] gpauth started: 2.4.5 (2025-07-16)
[2025-07-21T08:53:32Z INFO  auth::browser::browser_auth] Launching the default browser...
[2025-07-21T08:53:32Z INFO  auth::browser::auth_server] auth server started at: http://127.0.0.1:43459/6897c86c-47f5-4442-a996-5f21bc41511f
[2025-07-21T08:53:32Z INFO  auth::browser::browser_auth] Please continue the authentication process in the default browser
[2025-07-21T08:53:32Z INFO  auth::browser::browser_auth] Listening authentication data on port 37711
[2025-07-21T08:53:32Z INFO  auth::browser::browser_auth] If it hangs, please check the logs at `/tmp/gpcallback.log` for more information
[2025-07-21T08:53:33Z INFO  auth::browser::auth_server] received request, method: GET, url: /6897c86c-47f5-4442-a996-5f21bc41511f
[2025-07-21T08:53:33Z INFO  auth::browser::auth_server] stop the auth server
[2025-07-21T08:53:38Z INFO  auth::browser::browser_auth] Received the browser authentication data from the socket
[2025-07-21T08:53:38Z INFO  gpapi::auth] Got CAS auth data from globalprotectcallback
[2025-07-21T08:53:38Z INFO  gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect/6.3.0-33
[2025-07-21T08:53:39Z INFO  gpapi::gateway::parse_gateways] Try to parse the external gateways...
> Which gateway do you want to connect to? Australia Southeast (XXX-XXX.XXX.gw.gpcloudservice.com)
[2025-07-21T08:53:40Z INFO  gpclient::connect] Connecting to the selected gateway: Australia Southeast (XXX-XXX.XXX.gw.gpcloudservice.com)
[2025-07-21T08:53:40Z INFO  gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect/6.3.0-33
[2025-07-21T08:53:41Z INFO  openconnect::ffi] openconnect version: v9.12
[2025-07-21T08:53:41Z INFO  openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33
[2025-07-21T08:53:41Z INFO  openconnect::ffi] VPNC script: /etc/openconnect/vpnc-script
[2025-07-21T08:53:41Z INFO  openconnect::ffi] OS: win
[2025-07-21T08:53:41Z INFO  openconnect::ffi] CSD_USER: 1000
[2025-07-21T08:53:41Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2025-07-21T08:53:41Z INFO  openconnect::ffi] RECONNECT_TIMEOUT: 300
[2025-07-21T08:53:41Z INFO  openconnect::ffi] MTU: 0
[2025-07-21T08:53:41Z INFO  openconnect::ffi] DISABLE_IPV6: 0
[2025-07-21T08:53:41Z INFO  openconnect::ffi] NO_DTLS: 0
[2025-07-21T08:53:41Z INFO  openconnect::ffi] DPD_INTERVAL: 0
[2025-07-21T08:53:41Z INFO  openconnect::ffi] POST https://XXX-XXX.XXX.gw.gpcloudservice.com/ssl-vpn/getconfig.esp
[2025-07-21T08:53:41Z INFO  openconnect::ffi] Connected to 140.209.221.173:443
[2025-07-21T08:53:41Z INFO  openconnect::ffi] SSL negotiation with XXX-XXX.XXX.gw.gpcloudservice.com
[2025-07-21T08:53:42Z INFO  openconnect::ffi] Connected to HTTPS on XXX-XXX.XXX.gw.gpcloudservice.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2025-07-21T08:53:42Z WARN  openconnect::ffi]  Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2025-07-21T08:53:42Z WARN  openconnect::ffi] openconnect_make_cstp_connection failed

tolgacanatan avatar Jul 21 '25 08:07 tolgacanatan

I have the same issue. My openconnect version is already 9.12. Am I doing something wrong ? 🤔

Until https://gitlab.com/openconnect/openconnect/-/merge_requests/586 is merged, the only solution I’m aware of is to apply the change manually and build it yourself. Unfortunately, there hasn’t been much activity on OpenConnect in recent months, so it’s unclear when (or if) the merge will happen.

giac avatar Jul 21 '25 16:07 giac

Until https://gitlab.com/openconnect/openconnect/-/merge_requests/586 is merged, ...

It has been merged.

tolgacanatan avatar Jul 28 '25 05:07 tolgacanatan

The new v2.5.0 seems to fix this issue by linking against the current openconnect git master which contains the fix and MR 586

aceArt-GmbH avatar Dec 16 '25 14:12 aceArt-GmbH

Yes, that's why we statically linked openconnect.

yuezk avatar Dec 16 '25 14:12 yuezk