GlobalProtect Version Compatibility Issue: Requires Version 6.1.4 or Higher #427

Open
khaerunsituncu opened this issue Sep 19, 2024 · 15 comments

Comments

@khaerunsituncu

Describe the bug
I encountered an issue where my application requires a version higher than 6.1.

Expected behavior
I am receiving a warning message indicating that I need to ensure a compatible GlobalProtect version (6.1.4 or above).

Logs

[2024-09-19T01:01:06Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2024-09-19T01:01:06Z WARN openconnect::ffi] openconnect_make_cstp_connection failed

Environment:

  • OS: Manjaro 24.0.7
  • Desktop Environment: GNOME
@yuezk
Owner

yuezk commented Sep 19, 2024

Looks like the VPN server checked the client version. Currently, the client uses 6.0.1-19 to simulate the GP client. But you can customize the version as follows:

  • For GUI, please try to set the Client Version to 6.3.0-33 to see if it helps.
  • For CLI, please pass the client version via the --user-agent 'PAN GlobalProtect/6.3.0-33' option to see if it helps.

@khaerunsituncu
Author

After I changed the client version I still got the same error. Is there still a way I can connect to GlobalProtect?

@yuezk
Owner

yuezk commented Sep 19, 2024

Can I have the full logs after changing the client version? So I can ensure we didn't miss anything.

@khaerunsituncu
Author

khaerunsituncu commented Sep 19, 2024

sudo -E gpclient connect --user-agent 'PAN GlobalProtect/6.3.0-33' --browser default xxxxxxxxxxxxxxx
[sudo] password for khaerun:
[2024-09-19T04:32:00Z INFO gpclient::cli] gpclient started: 2.3.7 (2024-08-16)
[2024-09-19T04:32:00Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:32:00Z INFO gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:32:02Z INFO gpauth::cli] gpauth started: 2.3.7 (2024-08-16)
[2024-09-19T04:32:02Z INFO gpapi::process::browser_authenticator] Launching the default browser...
[2024-09-19T04:32:02Z INFO gpauth::cli] Please continue the authentication process in the default browser
[2024-09-19T04:32:02Z INFO gpauth::cli] Listening authentication data on port 35793
[2024-09-19T04:32:02Z INFO gpauth::cli] If it hangs, please check the logs at /tmp/gpcallback.log for more information
[2024-09-19T04:33:07Z INFO gpauth::cli] Received the browser authentication data from the socket
[2024-09-19T04:33:07Z INFO gpapi::auth] Got CAS auth data from globalprotectcallback
[2024-09-19T04:33:07Z INFO gpauth::cli] Authentication completed
[2024-09-19T04:33:07Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:08Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways...
[2024-09-19T04:33:08Z INFO gpclient::connect] Connecting to the only available gateway: xxxxxxxxxxx (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[2024-09-19T04:33:08Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:09Z INFO openconnect::ffi] openconnect version: v9.12
[2024-09-19T04:33:09Z INFO openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:09Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script
[2024-09-19T04:33:09Z INFO openconnect::ffi] OS: linux
[2024-09-19T04:33:09Z INFO openconnect::ffi] CSD_USER: 1000
[2024-09-19T04:33:09Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-09-19T04:33:09Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-09-19T04:33:09Z INFO openconnect::ffi] MTU: 0
[2024-09-19T04:33:09Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2024-09-19T04:33:09Z INFO openconnect::ffi] NO_DTLS: 0
[2024-09-19T04:33:09Z INFO openconnect::ffi] POST https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2024-09-19T04:33:10Z INFO openconnect::ffi] Connected to xxxxxxxxxxxxxxxxxxxxxxxxx
[2024-09-19T04:33:10Z INFO openconnect::ffi] SSL negotiation with xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[2024-09-19T04:33:10Z INFO openconnect::ffi] Connected to HTTPS on xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx with ciphersuite (TLS1.2)-(xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[2024-09-19T04:33:11Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2024-09-19T04:33:11Z WARN openconnect::ffi] openconnect_make_cstp_connection failed

@yuezk
Owner

yuezk commented Sep 19, 2024

Thanks for the logs. The client version seems applied to all the places I can come up with. Did this client work before?

@khaerunsituncu
Author

On Windows it can connect, but on Manjaro this is the first time I've tried it.

@yuezk
Owner

yuezk commented Sep 19, 2024

It is the first time I encountered the "Please ensure the compatible GlobalProtect version is: 6.1.4 or above" error.

Can you run it with sudo gpclient connect <portal> --user-agent 'PAN GlobalProtect/6.3.0-33' --os Windows? This may not work, but we can give it a try.

@khaerunsituncu
Author

sudo gpclient connect *********** --user-agent 'PAN GlobalProtect/6.3.0-33' --os Windows
[sudo] password for khaerun:
[2024-09-19T14:39:16Z INFO gpclient::cli] gpclient started: 2.3.7 (2024-08-16)
[2024-09-19T14:39:16Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:39:16Z INFO gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:39:17Z INFO gpauth::cli] gpauth started: 2.3.7 (2024-08-16)
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect/6.3.0-33

** (gpauth:78330): WARNING : 22:39:17.525: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Load the SAML request as HTML...
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Loaded uri: about:blank
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:17Z INFO gpauth::auth_window] No headers found in response
[2024-09-19T14:39:17Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:17Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Raise window in 1 second(s)
[2024-09-19T14:39:17Z INFO gpauth::auth_window] Raise window cancelled
[2024-09-19T14:39:19Z INFO gpauth::auth_window] Loaded uri: https://l**********m/fc743075-93ed-4a5c-82c0-ca5eac914220/saml2?SAMLRequest=l**********%3D&RelayState=_**********7&SigAlg=h**********6&Signature=b**********%3D
[2024-09-19T14:39:19Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:19Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:19Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:19Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:19Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:19Z INFO gpauth::auth_window] Raise window in 1 second(s)
[2024-09-19T14:39:21Z INFO gpapi::utils::window] Window not raised: Failed to raise window: GlobalProtect Login
[2024-09-19T14:39:38Z INFO gpauth::auth_window] Loaded uri: https://i**********d/isam/sps/auth
[2024-09-19T14:39:38Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:38Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:38Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:38Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:38Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:48Z INFO gpauth::auth_window] Loaded uri: https://i**********d/mga/sps/authsvc?PolicyId=u**********1&Target=h**********h
[2024-09-19T14:39:48Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:48Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:48Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:48Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:48Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:52Z INFO gpauth::auth_window] Loaded uri: https://i**********d/mga/sps/authsvc?StateId=x**********Y&operation=v**********y
[2024-09-19T14:39:52Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:52Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:52Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:52Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:52Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:39:58Z INFO gpauth::auth_window] Loaded uri: https://i**********d/isam/sps/auth
[2024-09-19T14:39:58Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:39:58Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:39:58Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:39:58Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:39:58Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:40:00Z INFO gpauth::auth_window] Loaded uri: https://l**********m/login.srf
[2024-09-19T14:40:00Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:40:00Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:40:00Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:40:00Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:40:00Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Loaded uri: https://l**********m/kmsi
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Loaded uri: https://c**********m/sp/acs
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:40:03Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-09-19T14:40:03Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-09-19T14:40:04Z WARN gpauth::auth_window] Failed to load uri: https://s**********d/SAML20/SP/ACS with error: Load request cancelled
[2024-09-19T14:40:04Z INFO gpauth::auth_window] Loaded uri: https://s**********d/SAML20/SP/ACS
[2024-09-19T14:40:04Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-09-19T14:40:04Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-09-19T14:40:04Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-09-19T14:40:04Z INFO gpauth::auth_window] Found gpcallback from html...
[2024-09-19T14:40:04Z INFO gpapi::auth] Got CAS auth data from globalprotectcallback
[2024-09-19T14:40:04Z INFO gpauth::auth_window] Loaded uri: globalprotectcallback:cas-as=1&un**********w
[2024-09-19T14:40:04Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:40:05Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways...
[2024-09-19T14:40:05Z INFO gpclient::connect] Connecting to the only available gateway: ***************************
[2024-09-19T14:40:05Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:40:05Z INFO openconnect::ffi] openconnect version: v9.12
[2024-09-19T14:40:05Z INFO openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T14:40:05Z INFO openconnect::ffi] VPNC script: /etc/vpnc/vpnc-script
[2024-09-19T14:40:05Z INFO openconnect::ffi] OS: win
[2024-09-19T14:40:05Z INFO openconnect::ffi] CSD_USER: 1000
[2024-09-19T14:40:05Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-09-19T14:40:05Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-09-19T14:40:05Z INFO openconnect::ffi] MTU: 0
[2024-09-19T14:40:05Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2024-09-19T14:40:05Z INFO openconnect::ffi] NO_DTLS: 0
[2024-09-19T14:40:05Z INFO openconnect::ffi] POST ********************************
[2024-09-19T14:40:05Z INFO openconnect::ffi] Connected to *************
[2024-09-19T14:40:05Z INFO openconnect::ffi] SSL negotiation with **********************
[2024-09-19T14:40:05Z INFO openconnect::ffi] Connected to HTTPS on ****************************** with ciphersuite (TLS1.2)-(
******************************
[2024-09-19T14:40:05Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2024-09-19T14:40:05Z WARN openconnect::ffi] openconnect_make_cstp_connection failed

@yuezk
Owner

yuezk commented Sep 20, 2024

@khaerunsituncu I'm afraid I cannot provide enough help for this problem based on the error message. Since the official Windows client works, it is possible to make this client work as well. However, I need to inspect the network trace sent by the Windows client, but this is not feasible due to security concerns.

So, you may need to contact your IT admin to see if they have some configuration to limit the GlobalProtect client version.

@khaerunsituncu
Author

How to install a ca.pem certificate?

@yuezk
Owner

yuezk commented Sep 23, 2024

You can pass it via the --certificate <path to ca> parameter.

@khaerunsituncu
Author

khaerunsituncu commented Sep 23, 2024

Hi, I managed to connect to the Ubuntu virtual box. Is there a possibility that OpenConnect doesn't support GlobalProtect version 6.2 yet and needs to be updated?

Or openconnect can't simulate the GP version?

I'm too lazy to change the Manjaro distro to Ubuntu.

@yuezk
Owner

yuezk commented Sep 23, 2024

Perhaps. The GlobalProtect VPN server is a black box to us; it may not work if the server side has some modifications or configurations. Currently, my VPN portal does not have the problem. It’s hard to troubleshoot without analyzing the network traffic of the official client.

@SimonKienzler

I had the same issue and was able to fix it by updating openconnect to >=v9.10 (v9.12 in my case).

Did some research and I think the reason for this issue is a previously hard-coded GlobalProtect client version string in openconnect. In v9.10, openconnect/openconnect!333 was merged, which just takes the server version and "parrots" it back as the client version. Apparently this is not something that can be influenced with the --user-agent flag.

Unfortunately, there is no option to override the GlobalProtect client version manually (yet), so currently the only solution is using a recent enough openconnect version.

@giac

giac commented Dec 13, 2024

I have the same issue on Ubuntu 24.04, even if I use the option --user-agent 'PAN GlobalProtect/6.3.0-33'.
I was already using Openconnect 9.12, provided by Ubuntu. After reading the comment above, just in case, I tried installing the latest git version of Openconnect, but I still get the same error.
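
A triage helper for logs like the ones posted in this thread, as an added example (not code from gpclient or openconnect): it reads the openconnect::ffi lines, extracts the openconnect version, the advertised user agent and the minimum version the server states, and classifies the failure. The 9.10 threshold comes from the comment above about openconnect!333; the function names and verdict strings are assumptions made for illustration.

```python
import re

LINE = re.compile(r"^\[(\S+)\s+(\w+)\s+([\w:]+)\]\s+(.*)$")
FIXED_IN = (9, 10)  # threshold taken from the thread's comment on openconnect!333

# Constructed sample: a shortened copy of the gpclient output quoted in this thread.
SAMPLE_LOG = """\
[2024-09-19T04:32:00Z INFO gpclient::cli] gpclient started: 2.3.7 (2024-08-16)
[2024-09-19T04:33:09Z INFO openconnect::ffi] openconnect version: v9.12
[2024-09-19T04:33:09Z INFO openconnect::ffi] User agent: PAN GlobalProtect/6.3.0-33
[2024-09-19T04:33:09Z INFO openconnect::ffi] OS: linux
[2024-09-19T04:33:11Z WARN openconnect::ffi] Please ensure the compatible GlobalProtect version is: 6.1.4 or above. If you are using a compatible GlobalProtect version and receiving this message, please contact your IT Administrator.
[2024-09-19T04:33:11Z WARN openconnect::ffi] openconnect_make_cstp_connection failed
"""

def numbers(text):
    """First dotted version found in text as a tuple: 'v9.12' -> (9, 12)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group().split(".")) if m else None

def triage(log_text):
    """Summarise the openconnect::ffi lines and classify a version rejection."""
    info = {"openconnect": None, "user_agent": None, "os": None,
            "required": None, "rejected": False, "tunnel_failed": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) != "openconnect::ffi":
            continue  # skips sudo prompts, GTK warnings and other modules
        level, msg = m.group(2), m.group(4)
        if msg.startswith("openconnect version:"):
            info["openconnect"] = numbers(msg)
        elif msg.startswith("User agent:"):
            info["user_agent"] = numbers(msg)
        elif msg.startswith("OS:"):
            info["os"] = msg.split(":", 1)[1].strip()
        elif level == "WARN" and "compatible GlobalProtect version is:" in msg:
            info["rejected"] = True
            info["required"] = numbers(msg.split("version is:", 1)[1])
        elif level == "WARN" and "openconnect_make_cstp_connection failed" in msg:
            info["tunnel_failed"] = True
    ua, need = info["user_agent"], info["required"]
    info["ua_meets_minimum"] = bool(ua and need and ua >= need)
    if not info["rejected"]:
        info["verdict"] = "no-version-rejection"
    elif info["openconnect"] is None:
        info["verdict"] = "openconnect-version-unknown"
    elif info["openconnect"] < FIXED_IN:
        info["verdict"] = "upgrade-openconnect"
    else:
        info["verdict"] = "rejected-despite-recent-openconnect"
    return info

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the user agent already exceeds the stated minimum and openconnect is newer than 9.10, so the verdict is the case reported in the last comment, where neither the --user-agent option nor an openconnect upgrade cleared the rejection.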
