Hostscan Is Waiting For The Next Scan Macos Version
Here is a quick summary of what I've sent previously:
My company doesn't officially support Linux when connecting to a Cisco
Anywhere VPN. I'm told if I can get it to work, it is fine, but they are
not going to support me. So, what I've done is I referenced this thread
between David and Fromzy:
(switch to http)
hxxp://openconnect-devel.infradead.narkive.com/HaRKFi2f/csd-use-and-impossible-to-connect-linux
The problem I was having is openconnect would fail to continue if the CSD
could not be downloaded. This is what the log showed:
GET hxxps://vpn.company.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 404 Not Found (does not exist)
X-Transcend-Version: 1
HTTP body http 1.0 (-1)
Cannot receive HTTP 1.0 body without closing connection
Failed to obtain WebVPN cookie
I originally directly modified the code to skip the download but later found
out that I could simply use 'os=android' on the command line. Once I got
past that I ended up using sslsplit and capturing a windows session
connecting. I then basically ran Curl in the wrapper script using these
post values:
run_curl --data-ascii @- \
"https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml?reusebrowser=1" <<-END
endpoint.policy.location='Default';
endpoint.enforce='success';
endpoint.fw['MSWindowsFW']={};
endpoint.fw['MSWindowsFW'].exists='true';
endpoint.fw['MSWindowsFW'].enabled='ok';
endpoint.as['MicrosoftAS']={};
endpoint.as['MicrosoftAS'].exists='true';
endpoint.as['MicrosoftAS'].activescan='ok';
endpoint.av['MicrosoftAV']={};
endpoint.av['MicrosoftAV'].exists='true';
endpoint.av['MicrosoftAV'].activescan='ok';
END
I got two other co-workers hooked up this way as well and we are all
successfully able to connect now. I'm having my co-workers use the
'--os-android' flag, but I question if this isn't going to lead to other
issues in the future. All I want to do is continue if the CSD failed to
download or skip it altogether.
What I'd like to eventually do is put together a tutorial for other Linux
users who are stuck. I spent a long time getting this to work and I think
others might find it useful.
My next goal is to get this to work with network-manager but I'm still stuck
on how to correctly update the version of openconnect it uses and how to
pass in optional commandline arguments.
For now do you think it would make sense to add in a new commandline
argument? Maybe something like '--csd-skip-download'? I'm fine continuing
to use '--os=android', but it seems a bit odd.
I can reply to this thread sometime in the future once I complete my
tutorial.
Thanks
--Andy
Hostscan Is Waiting For The Next Scan Fix
7:06:43 PM Hostscan is waiting for the next scan
7:07:44 PM Hostscan is performing system scan
7:07:44 PM Hostscan is performing software scan
7:07:51 PM Hostscan state idle
7:07:52 PM Hostscan is waiting for the next scan
7:08:52 PM Hostscan is performing system scan
7:08:53 PM Hostscan is performing software scan
7:08:59 PM Hostscan state

The hostscan bypass was originally coded and tested against a Windows machine running AnyConnect. I do not personally have the resources to troubleshoot issues on MacOS. However, @cjbirk did a bit of troubleshooting and successfully generated a CSD file using the bypass on MacOS.

Thank you, thank you thank you thank you tha. This is such an obscure reason for failure, I would have -never- figured it out! The real problem here is that the fact that the hostscan is failing isn't being shown to the user.

Now all you do is wait. You don’t need to authenticate in order for the hostscan to take place. Once the endpoint information is sent across the wire, hostscan-bypass has enough information to generate the CSD file. You need to make hostscan-bypass.sh executable before OpenConnect can use it.

I use Cisco AnyConnect to connect to a client's VPN. Lately, it started hanging with the status message 'Hostscan is waiting for the next scan'. The logs show a loop that lasts a little over 10 minutes where it scans and starts over until it finally gives up.
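
The scan loop described above can be spotted from the client's status lines alone, which helps when the failure is never shown to the user. The following is an added example, not part of the original posts or of any tool they mention; the function names, the `min_cycles` threshold and the rule that any message outside the three loop states counts as progress are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample modelled on the status lines quoted above.
SAMPLE_LOG = """\
7:06:43 PM Hostscan is waiting for the next scan
7:07:44 PM Hostscan is performing system scan
7:07:44 PM Hostscan is performing software scan
7:07:51 PM Hostscan state idle
7:07:52 PM Hostscan is waiting for the next scan
7:08:52 PM Hostscan is performing system scan
7:08:53 PM Hostscan is performing software scan
7:08:59 PM Hostscan state idle
7:09:00 PM Hostscan is waiting for the next scan
"""

WAITING = "Hostscan is waiting for the next scan"
# Assumption: these prefixes are the only messages that belong to the loop.
LOOP_PREFIXES = ("Hostscan is waiting", "Hostscan is performing", "Hostscan state idle")

def parse(log):
    """Yield (time, message) for each 'H:MM:SS AM/PM message' line."""
    for line in log.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%I:%M:%S %p")
        except ValueError:
            continue  # not a timestamped status line
        yield ts, parts[2].strip()

def scan_cycles(log):
    """Return the duration of every waiting -> scan -> waiting cycle."""
    starts = [ts for ts, msg in parse(log) if msg == WAITING]
    cycles = []
    for begin, end in zip(starts, starts[1:]):
        delta = end - begin
        if delta < timedelta(0):  # log crossed midnight
            delta += timedelta(days=1)
        cycles.append(delta)
    return cycles

def is_looping(log, min_cycles=2):
    """True if the scan restarted min_cycles times and nothing else was logged."""
    progressed = any(not m.startswith(LOOP_PREFIXES) for _, m in parse(log))
    return len(scan_cycles(log)) >= min_cycles and not progressed

if __name__ == "__main__":
    print([int(c.total_seconds()) for c in scan_cycles(SAMPLE_LOG)], is_looping(SAMPLE_LOG))
```

Run against a full client log, a long list of near-identical cycle durations with no other message in between is the signature of the hang.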