GlobalProtect-openconnect
Error during connection
The login page on web doesn't appear
Logs
sudo gpclient -vv --ignore-tls-errors --fix-openssl connect www.xxx.it -u angelo.it
[2025-04-10T17:41:46Z INFO gpclient::cli] gpclient started: 2.4.4 (2025-02-09)
[2025-04-10T17:41:46Z INFO gpapi::utils::openssl] Using 'UnsafeLegacyServerConnect' option
[2025-04-10T17:41:46Z INFO gpclient::cli] TLS errors will be ignored
[2025-04-10T17:41:46Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-04-10T17:41:46Z TRACE hyper_util::client::legacy::pool] checkout waiting for idle connection: ("https", ztna-esterni.a2a.it)
[2025-04-10T17:41:46Z DEBUG reqwest::connect] starting new connection: https://www.xxx.it/
[2025-04-10T17:41:46Z TRACE hyper_util::client::legacy::connect::http] Http::connect; scheme=Some("https"), host=Some("www.xxx.it"), port=None
[2025-04-10T17:41:46Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=www.xxx.it
[2025-04-10T17:41:46Z TRACE tracing::span::active] -> resolve;
[2025-04-10T17:41:47Z TRACE tracing::span::active] <- resolve;
[2025-04-10T17:41:47Z TRACE tracing::span] -- resolve;
[2025-04-10T17:41:47Z DEBUG hyper_util::client::legacy::connect::http] connecting to 140.209.999.999:443
[2025-04-10T17:41:47Z DEBUG hyper_util::client::legacy::connect::http] connected to 140.209.999.999:443
[2025-04-10T17:41:47Z TRACE hyper_util::client::legacy::client] http1 handshake complete, spawning background dispatcher task
[2025-04-10T17:41:47Z TRACE hyper_util::client::legacy::pool] checkout dropped for ("https", www.xxx.it)
[2025-04-10T17:41:47Z TRACE hyper_util::client::legacy::pool] put; add idle connection for ("https", www.xxx.it)
[2025-04-10T17:41:47Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", www.xxx.it)
[2025-04-10T17:41:47Z TRACE hyper_util::client::legacy::pool] pool closed, canceling idle interval
[2025-04-10T17:41:47Z TRACE uzers::base] Running getpwuid_r for user #1000
[2025-04-10T17:41:47Z TRACE uzers::base] Loading user with uid 1000
[2025-04-10T17:41:47Z INFO gpauth::cli] gpauth started: 2.4.4 (2025-02-09)
[2025-04-10T17:41:47Z INFO gpauth::cli] TLS errors will be ignored
[2025-04-10T17:41:47Z INFO gpauth::cli] Fixing OpenSSL environment
[2025-04-10T17:41:47Z INFO gpapi::utils::openssl] Using 'UnsafeLegacyServerConnect' option
[2025-04-10T17:41:47Z INFO auth::webview::webview_auth] Setting up auth window...
[2025-04-10T17:41:47Z INFO auth::webview::webview_auth] Loading auth request as URL: https://l**********m/aec650de-3432-485f-a3e8-9ac6e6709696/saml2?whr=a**********t&SAMLRequest=j**********%3D&RelayState=s**********x&SigAlg=h**********6&Signature=j**********%3D
[2025-04-10T17:41:47Z INFO auth::webview::webview_auth] Auth window setup completed
(process:236136): GLib-Net-WARNING **: 19:41:47.461: Could not start proxy autoconfiguration helper:
Failed to execute child process ?dbus-launch? (No such file or directory)
Proxy autoconfiguration will not work
(process:236136): GLib-GIO-WARNING **: 19:41:47.461: Invalid proxy URI 'use-proxy:': Invalid URI ?use-proxy:?
(process:236136): GLib-GIO-WARNING **: 19:41:47.502: Invalid proxy URI 'use-proxy:': Invalid URI ?use-proxy:?
[2025-04-10T17:41:47Z WARN auth::webview::platform_impl] Failed to load uri: https://l**********m/aec650de-3432-485f-a3e8-9ac6e6709696/saml2?whr=a**********t&SAMLRequest=j**********%3D&RelayState=s**********x&SigAlg=h**********6&Signature=j**********%3D with error: Unspecified proxy lookup failure
[2025-04-10T17:41:47Z INFO auth::webview::webview_auth] No auth data found in Headers, it may not be the /SAML20/SP/ACS endpoint
[2025-04-10T17:41:47Z INFO auth::webview::auth_messenger] Displaying the window in 2 second(s)...
[2025-04-10T17:41:49Z INFO auth::webview::webview_auth] Raising auth window...
[2025-04-10T17:41:50Z INFO gpapi::utils::window::unix] Window not raised: Failed to raise window: GlobalProtect Login
Environment:
- OS: Ubuntu 22.04
- Desktop Environment: GNOME
- Output of `angelo 5535 0.0 0.0 469096 13764 ? SLsl Apr09 0:04 /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
Hope this helps, Cheers, Angelo
using the command line, as suggested in the main page,
sudo -E gpclient connect --browser default
After the login in the web browser, I can choose or the web server by the customer, but finally I get the error below
[2025-04-13T10:56:18Z WARN openconnect::ffi] Assign private IP address failed
[2025-04-13T10:56:18Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
What are the logs with the -vv parameter using the default browser?
Hi, huge log: I'm masquerading the real IPs and the domain involved.
sudo -E gpclient connect --browser default xxx.yyy.it -vv -u [email protected]
[sudo] password for angelo:
[2025-04-14T13:57:10Z INFO gpclient::cli] gpclient started: 2.4.4 (2025-02-09)
[2025-04-14T13:57:10Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-04-14T13:57:10Z TRACE hyper_util::client::legacy::pool] checkout waiting for idle connection: ("https", xxx.yyy.it)
[2025-04-14T13:57:10Z DEBUG reqwest::connect] starting new connection: https://xxx.yyy.it/
[2025-04-14T13:57:10Z TRACE hyper_util::client::legacy::connect::http] Http::connect; scheme=Some("https"), host=Some("xxx.yyy.it"), port=None
[2025-04-14T13:57:10Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=xxx.yyy.it
[2025-04-14T13:57:10Z TRACE tracing::span::active] -> resolve;
[2025-04-14T13:57:11Z TRACE tracing::span::active] <- resolve;
[2025-04-14T13:57:11Z TRACE tracing::span] -- resolve;
[2025-04-14T13:57:11Z DEBUG hyper_util::client::legacy::connect::http] connecting to 111.222.333.444:443
[2025-04-14T13:57:11Z DEBUG hyper_util::client::legacy::connect::http] connected to 111.222.333.444:443
[2025-04-14T13:57:11Z TRACE hyper_util::client::legacy::client] http1 handshake complete, spawning background dispatcher task
[2025-04-14T13:57:11Z TRACE hyper_util::client::legacy::pool] checkout dropped for ("https", xxx.yyy.it)
[2025-04-14T13:57:11Z TRACE hyper_util::client::legacy::pool] put; add idle connection for ("https", xxx.yyy.it)
[2025-04-14T13:57:11Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", xxx.yyy.it)
[2025-04-14T13:57:11Z TRACE hyper_util::client::legacy::pool] pool closed, canceling idle interval
[2025-04-14T13:57:11Z TRACE uzers::base] Running getpwuid_r for user #1000
[2025-04-14T13:57:11Z TRACE uzers::base] Loading user with uid 1000
[2025-04-14T13:57:11Z INFO gpauth::cli] gpauth started: 2.4.4 (2025-02-09)
[2025-04-14T13:57:11Z DEBUG tiny_http] Server listening on 127.0.0.1:35803
[2025-04-14T13:57:11Z INFO auth::browser::browser_auth] Launching the default browser...
[2025-04-14T13:57:11Z INFO auth::browser::auth_server] auth server started at: http://127.0.0.1:35803/17f85fa9-de4c-408c-b595-291a9ca84b6f
[2025-04-14T13:57:11Z DEBUG tiny_http] Running accept thread
[2025-04-14T13:57:11Z TRACE webbrowser::os] found xdg browser: "firefox_firefox.desktop"
[2025-04-14T13:57:11Z TRACE webbrowser::os] checking for xdg config at "/home/angelo/.local/share/applications/firefox_firefox.desktop"
[2025-04-14T13:57:11Z TRACE webbrowser::os] checking for xdg config at "/usr/share/gnome-xorg/applications/firefox_firefox.desktop"
[2025-04-14T13:57:11Z TRACE webbrowser::os] checking for xdg config at "/usr/share/gnome/applications/firefox_firefox.desktop"
[2025-04-14T13:57:11Z TRACE webbrowser::os] checking for xdg config at "/home/angelo/.local/share/flatpak/exports/share/applications/firefox_firefox.desktop"
[2025-04-14T13:57:11Z TRACE webbrowser::os] checking for xdg config at "/var/lib/flatpak/exports/share/applications/firefox_firefox.desktop"
[2025-04-14T13:57:11Z TRACE webbrowser::os] checking for xdg config at "/usr/local/share/applications/firefox_firefox.desktop"
[2025-04-14T13:57:11Z TRACE webbrowser::os] checking for xdg config at "/usr/share/applications/firefox_firefox.desktop"
[2025-04-14T13:57:11Z TRACE webbrowser::os] checking for xdg config at "/var/lib/snapd/desktop/applications/firefox_firefox.desktop"
[2025-04-14T13:57:11Z DEBUG webbrowser::common] background spawn: "/usr/bin/env" "BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/firefox_firefox.desktop" "/snap/bin/firefox" "http://127.0.0.1:35803/17f85fa9-de4c-408c-b595-291a9ca84b6f"
[2025-04-14T13:57:11Z INFO auth::browser::browser_auth] Please continue the authentication process in the default browser
[2025-04-14T13:57:11Z INFO auth::browser::browser_auth] Listening authentication data on port 42635
[2025-04-14T13:57:11Z INFO auth::browser::browser_auth] If it hangs, please check the logs at `/tmp/gpcallback.log` for more information
[2025-04-14T13:57:12Z INFO auth::browser::auth_server] received request, method: GET, url: /17f85fa9-de4c-408c-b595-291a9ca84b6f
[2025-04-14T13:57:12Z INFO auth::browser::auth_server] stop the auth server
[2025-04-14T13:57:12Z DEBUG tiny_http] Terminating accept thread
[2025-04-14T13:57:55Z INFO auth::browser::browser_auth] Received the browser authentication data from the socket
[2025-04-14T13:57:55Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect
[2025-04-14T13:57:55Z TRACE hyper_util::client::legacy::pool] checkout waiting for idle connection: ("https", xxx.yyy.it)
[2025-04-14T13:57:55Z DEBUG reqwest::connect] starting new connection: https://xxx.yyy.it/
[2025-04-14T13:57:55Z TRACE hyper_util::client::legacy::connect::http] Http::connect; scheme=Some("https"), host=Some("xxx.yyy.it"), port=None
[2025-04-14T13:57:55Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=xxx.yyy.it
[2025-04-14T13:57:55Z TRACE tracing::span::active] -> resolve;
[2025-04-14T13:57:55Z TRACE tracing::span::active] <- resolve;
[2025-04-14T13:57:55Z TRACE tracing::span] -- resolve;
[2025-04-14T13:57:55Z DEBUG hyper_util::client::legacy::connect::http] connecting to 111.222.333.444:443
[2025-04-14T13:57:55Z DEBUG hyper_util::client::legacy::connect::http] connected to 111.222.333.444:443
[2025-04-14T13:57:55Z TRACE hyper_util::client::legacy::client] http1 handshake complete, spawning background dispatcher task
[2025-04-14T13:57:55Z TRACE hyper_util::client::legacy::pool] checkout dropped for ("https", xxx.yyy.it)
[2025-04-14T13:57:56Z TRACE hyper_util::client::legacy::pool] put; add idle connection for ("https", xxx.yyy.it)
[2025-04-14T13:57:56Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", xxx.yyy.it)
[2025-04-14T13:57:56Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways...
? Which gateway do you want to connect to? [2025-04-14T13:57:56Z TRACE hyper_util::client::legacy::pool] pool closed, canceling idle interval
> Italy (reserved.gpcloudservice.com) [2025-04-14T13:57:56Z TRACE mio::poll] registering event source with poller: token=Token(0), interests=READABLEom)
[↑↓ to move, enter to select, type to filter] [2025-04-14T13:57:56Z TRACE mio::poll] registering event source with poller: token=Token(1), interests=READABLE
> Which gateway do you want to connect to? Italy (reserved.gpcloudservice.com)
[2025-04-14T13:58:07Z INFO gpclient::connect] Connecting to the selected gateway: Italy (reserved.gpcloudservice.com)
[2025-04-14T13:58:07Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect
[2025-04-14T13:58:07Z TRACE hyper_util::client::legacy::pool] checkout waiting for idle connection: ("https", reserved.gpcloudservice.com)
[2025-04-14T13:58:07Z DEBUG reqwest::connect] starting new connection: https://reserved.gpcloudservice.com/
[2025-04-14T13:58:07Z TRACE hyper_util::client::legacy::connect::http] Http::connect; scheme=Some("https"), host=Some("reserved.gpcloudservice.com"), port=None
[2025-04-14T13:58:07Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=reserved.gpcloudservice.com
[2025-04-14T13:58:07Z TRACE tracing::span::active] -> resolve;
[2025-04-14T13:58:07Z TRACE tracing::span::active] <- resolve;
[2025-04-14T13:58:07Z TRACE tracing::span] -- resolve;
[2025-04-14T13:58:07Z DEBUG hyper_util::client::legacy::connect::http] connecting to 222.333.444.111214:443
[2025-04-14T13:58:07Z DEBUG hyper_util::client::legacy::connect::http] connected to 222.333.444.111214:443
[2025-04-14T13:58:07Z TRACE hyper_util::client::legacy::client] http1 handshake complete, spawning background dispatcher task
[2025-04-14T13:58:07Z TRACE hyper_util::client::legacy::pool] checkout dropped for ("https", reserved.gpcloudservice.com)
[2025-04-14T13:58:07Z TRACE hyper_util::client::legacy::pool] put; add idle connection for ("https", reserved.gpcloudservice.com)
[2025-04-14T13:58:07Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", reserved.gpcloudservice.com)
[2025-04-14T13:58:07Z TRACE uzers::base] Running getpwuid_r for user #1000
[2025-04-14T13:58:07Z TRACE uzers::base] Loading user with uid 1000
[2025-04-14T13:58:07Z TRACE hyper_util::client::legacy::pool] pool closed, canceling idle interval
[2025-04-14T13:58:07Z INFO openconnect::ffi] openconnect version: v9.12-1build5
[2025-04-14T13:58:07Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2025-04-14T13:58:07Z INFO openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2025-04-14T13:58:07Z INFO openconnect::ffi] OS: linux
[2025-04-14T13:58:07Z INFO openconnect::ffi] CSD_USER: 1000
[2025-04-14T13:58:07Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2025-04-14T13:58:07Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2025-04-14T13:58:07Z INFO openconnect::ffi] MTU: 0
[2025-04-14T13:58:07Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2025-04-14T13:58:07Z INFO openconnect::ffi] NO_DTLS: 0
[2025-04-14T13:58:07Z INFO openconnect::ffi] POST https://reserved.gpcloudservice.com/ssl-vpn/getconfig.esp
[2025-04-14T13:58:07Z DEBUG openconnect::ffi] Attempting to connect to server 222.333.444.111214:443
[2025-04-14T13:58:07Z INFO openconnect::ffi] Connected to 222.333.444.111214:443
[2025-04-14T13:58:07Z INFO openconnect::ffi] SSL negotiation with reserved.gpcloudservice.com
[2025-04-14T13:58:07Z INFO openconnect::ffi] Connected to HTTPS on reserved.gpcloudservice.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] Got HTTP response: HTTP/1.1 200 OK
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] Date: Mon, 14 Apr 2025 13:58:08 GMT
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] Content-Type: application/xml; charset=UTF-8
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] Content-Length: 259
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] Connection: keep-alive
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] X-Frame-Options: DENY
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] Strict-Transport-Security: max-age=31536000;
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] X-XSS-Protection: 1; mode=block
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] X-Content-Type-Options: nosniff
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
[2025-04-14T13:58:08Z DEBUG openconnect::ffi] HTTP body length: (259)
[2025-04-14T13:58:08Z WARN openconnect::ffi] Assign private IP address failed
[2025-04-14T13:58:08Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
Try adding the --os Windows --hip parameters to see if it works for you.
No luck at all: I can reach the MFA page of Microsoft Authenticator and I can be authenticated.
[...]
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] Got HTTP response: HTTP/1.1 200 OK
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] Date: Mon, 14 Apr 2025 15:45:27 GMT
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] Content-Type: application/xml; charset=UTF-8
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] Content-Length: 259
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] Connection: keep-alive
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] X-Frame-Options: DENY
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] Strict-Transport-Security: max-age=31536000;
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] X-XSS-Protection: 1; mode=block
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] X-Content-Type-Options: nosniff
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';
[2025-04-14T15:45:28Z DEBUG openconnect::ffi] HTTP body length: (259)
[2025-04-14T15:45:28Z WARN openconnect::ffi] Assign private IP address failed
[2025-04-14T15:45:28Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
Using the GUI I can log into the VPN
It looks like your VPN server updated its settings. If the GUI works for you, the CLI should also work.
I cannot figure it out.. not it works !
[2025-05-29T09:38:12Z INFO openconnect::ffi] SSL negotiation with 11.22.33.44
[2025-05-29T09:38:12Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2025-05-29T09:38:12Z INFO openconnect::ffi] Accepting the server certificate though signer not found
[2025-05-29T09:38:12Z INFO openconnect::ffi] Connected to HTTPS on 11.22.33.44 with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2025-05-29T09:38:12Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2025-05-29T09:38:12Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2025-05-29T09:38:12Z WARN openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2025-05-29T09:38:12Z INFO openconnect::ffi] POST https://11.22.33.44/ssl-vpn/hipreportcheck.esp
[2025-05-29T09:38:12Z INFO openconnect::ffi] ESP session established with server
[2025-05-29T09:38:12Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2025-05-29T09:38:12Z INFO openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2025-05-29T09:38:12Z INFO openconnect::vpn] Connected to VPN, pipe_fd: 15
[2025-05-29T09:38:12Z INFO gpclient::connect] Wrote PID 1183711 to /var/run/gpclient.lock
[2025-05-29T09:38:12Z WARN openconnect::ffi] ESP receive error: Message too long
[2025-05-29T09:38:13Z INFO openconnect::ffi] ESP session established with server
[2025-05-29T09:38:13Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
@teicors, Do you mean that the GUI works, but the CLI version still does not work?
I'm using the client in two different environments: the first is with the MFA with the code displayed on the web page and the second is always with MFA, but without the confirmation on the web page, only with the confirmation on the phone. The second works: I get on the mobile the request to access and after the confirmation I can access the resources "behind", but with the ack with the web page, I put the right value from the MFA app using the value displayed and after I see on the Linux client the request to choose to continue the login or the web page or the GlobalProtect app. Choosing the first or the second choice, the access process stops.
Can you help me?
Hi @teicors, please try to run `xdg-mime default gpgui.desktop x-scheme-handler/globalprotectcallback` to see if it helps.
I did it, but no luck at all
The web callback doesn't let me choose between the options now
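An added example, not part of the thread or of the GlobalProtect-openconnect project: a small triage script for `gpclient -vv` output in the format posted above. It pulls out the WARN/ERROR entries and the messages showing that TLS verification was relaxed, and it copes with entries run together on one line. The sample log is constructed from message texts seen in this thread, with placeholder timestamps.

```python
import re
from collections import Counter

# One entry looks like: [2025-04-14T13:58:08Z WARN openconnect::ffi] message
# An entry ends at the next "[<timestamp>" on the same line or at end of line,
# so logs pasted as a single long line are still split correctly.
ENTRY = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)[ \t]+"
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR)[ \t]+"
    r"(?P<module>[\w:]+)\][ \t]*"
    r"(?P<msg>.*?)(?=[ \t]*\[\d{4}-\d{2}-\d{2}T|[ \t]*$)",
    re.M,
)

# Message fragments, all taken from the logs in this thread, that show
# certificate or TLS checks were relaxed for the session.
TLS_RELAXED = (
    "TLS errors will be ignored",
    "UnsafeLegacyServerConnect",
    "Server certificate verify failed",
    "Accepting the server certificate though",
)


def parse(text):
    """Return every log entry as a dict; non-log lines (GLib warnings,
    interactive prompts) are skipped."""
    return [m.groupdict() for m in ENTRY.finditer(text)]


def triage(text):
    """Summarise a log: level counts, failures, and relaxed-TLS notices."""
    entries = parse(text)
    return {
        "levels": Counter(e["level"] for e in entries),
        "failures": [e for e in entries if e["level"] in ("WARN", "ERROR")],
        "tls_relaxed": [
            e for e in entries if any(s in e["msg"] for s in TLS_RELAXED)
        ],
    }


# Constructed sample: message texts from the thread, placeholder timestamps.
SAMPLE = """\
[2025-01-01T10:00:00Z INFO gpclient::cli] gpclient started: 2.4.4 (2025-02-09)
[2025-01-01T10:00:00Z INFO gpclient::cli] TLS errors will be ignored
[2025-01-01T10:00:00Z INFO gpapi::utils::openssl] Using 'UnsafeLegacyServerConnect' option
(process:1): GLib-GIO-WARNING **: 10:00:01.000: Invalid proxy URI 'use-proxy:'
[2025-01-01T10:00:02Z DEBUG openconnect::ffi] Got HTTP response: HTTP/1.1 200 OK [2025-01-01T10:00:02Z WARN openconnect::ffi] Assign private IP address failed [2025-01-01T10:00:02Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("levels:", dict(report["levels"]))
    for e in report["failures"]:
        print("FAIL ", e["ts"], e["module"], "-", e["msg"])
    for e in report["tls_relaxed"]:
        print("TLS  ", e["ts"], e["module"], "-", e["msg"])
```
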