Cisco AnyConnect - only first connection successful if gateway URL contains a slash
My company VPN uses Cisco AnyConnect. The gateway URL is something like my.company.com/employee.
When configuring such a VPN connection from NetworkManager, I am only able to connect the first time.
If I disconnect and try connecting again, I get an error ("Certificate Validation Failure"), because the wrong gateway was targeted this time around.
This is clearly visible from the logs:
https://bugsfiles.kde.org/attachment.cgi?id=160429 https://bugsfiles.kde.org/attachment.cgi?id=160428 -> here you can see that the POST URL is missing the /employee suffix. In the logs of the first connection, it is there, which is crucial to make it work.
I tried to do some investigation on my own, and I have noticed that upon first connection, the openconnect XML config is written (B64 encoded) to:
/etc/NetworkManager/system-connections/.nmconnection
I suspect that on connection attempts past the first one, NM is decoding the openconnect XML config, and taking the gateway URL from AnyConnectProfile/ServerList/HostEntry/HostAddress, and basically running:
openconnect -x
instead of taking the server URL from the .nmconnection file (under [vpn].gateway).
Indeed, if I decode the B64 and put it in a file and run openconnect -x config.xml, it fails with the exact same error shown in those screenshots.
Instead, if I run openconnect -x config.xml <server-from-nmconnect-[tui].gateway>, it works.
I think it's either that, or the [tui].gateway value is read, but for some reason anything that comes after a slash is removed after the first connection.
I can provide the exact gateway URL in private. It requires authentication (not needed to reproduce), but it's still my work VPN and would rather not share it in public.
Thanks
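A small diagnostic for the mismatch described in the report, added here as an example (it is not part of the report, of NetworkManager or of openconnect): it parses a .nmconnection keyfile, base64-decodes the AnyConnect profile XML the openconnect plugin stores in it, and compares the profile's ServerList/HostEntry/HostAddress values against the path component of [vpn].gateway. The keyfile key holding the profile is assumed to be `xmlconfig`, and the gateway, hostname and profile below are constructed sample data, not taken from the reporter's logs.

```python
"""Check whether the AnyConnect profile stored in a .nmconnection keyfile
lost the path component of [vpn].gateway (added example; assumes the
openconnect plugin stores the base64 profile under the [vpn] key 'xmlconfig')."""
import base64
import configparser
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample profile: the HostAddress carries only the host, not the
# "/employee" path that the gateway below has.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Company VPN</HostName>
      <HostAddress>vpn.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample keyfile in NetworkManager's INI-style layout.
SAMPLE_NMCONNECTION = """[connection]
id=company-vpn
type=vpn

[vpn]
gateway=vpn.example.test/employee
service-type=org.freedesktop.NetworkManager.openconnect
xmlconfig={xml}

[ipv4]
method=auto
""".format(xml=base64.b64encode(SAMPLE_PROFILE).decode())


def split_gateway(gateway):
    """Return (host, path) for a gateway string; the scheme is optional."""
    if "://" not in gateway:
        gateway = "https://" + gateway
    parts = urlsplit(gateway)
    return parts.hostname, parts.path.rstrip("/")


def host_addresses(profile_xml):
    """All HostAddress values in the profile, ignoring the XML namespace."""
    root = ET.fromstring(profile_xml)
    return [
        el.text.strip()
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "HostAddress" and el.text
    ]


def check_nmconnection(text, xml_key="xmlconfig"):
    """Compare [vpn].gateway with the HostAddress entries of the stored profile.

    Returns the gateway host/path, the profile's addresses, and the subset of
    addresses that would target the wrong endpoint if used without the path."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    gateway = cp["vpn"]["gateway"]
    host, path = split_gateway(gateway)
    result = {"gateway": gateway, "host": host, "path": path,
              "profile_hosts": [], "path_dropped": []}
    if xml_key not in cp["vpn"]:
        return result  # no profile stored yet, e.g. before the first connection
    profile = base64.b64decode(cp["vpn"][xml_key])
    result["profile_hosts"] = host_addresses(profile)
    for addr in result["profile_hosts"]:
        a_host, a_path = split_gateway(addr)
        if a_host == host and path and a_path != path:
            result["path_dropped"].append(addr)
    return result


if __name__ == "__main__":
    r = check_nmconnection(SAMPLE_NMCONNECTION)
    for addr in r["path_dropped"]:
        print(f"HostAddress {addr!r} lacks path {r['path']!r} of gateway {r['gateway']!r}")
```

To run it against a real connection, read /etc/NetworkManager/system-connections/<name>.nmconnection (root-only) and pass its contents to check_nmconnection; a non-empty path_dropped list means the stored profile alone would send the POST to the bare host, which matches the failure the report describes.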