AnyConnect cscan failure on Fedora 32

I’ve been fighting with Fedora 32 for some time, trying to get the Cisco AnyConnect client working. It was working on Fedora 31, and I have it working on CentOS 8, but for some reason Fedora 32 on a new install will not work for me.

My work uses secondary authentication after user/pass, but I can’t get past the initial login. The initial scan when choosing a VPN endpoint is failing during posture assessment and update. When that fails, it goes to login, I enter user/pass and nothing else happens.

I did find what appears to be an issue with cscan failing, but no idea how/why and would really appreciate some assistance in troubleshooting. What I pulled from journalctl for cscan follows, but basically it fails for some reason and tries to generate a core dump but can’t (not sure why not).

If there is anything else I can provide or questions I can answer, I’ll do my best. I’m really at a loss at this point and this is the one show stopper for me using Fedora.


```
May 18 18:49:09 fedora-blue.olympus cscan[3304]: Function: init Thread Id: 0x1009DDC0 File: /tmp/build/thehoff/Negasonic_MR10.25933462906/Negasonic_MR1/posture/asa/cscan/main.c Line: 1237 Level: all :: hello
May 18 18:49:09 fedora-blue.olympus cscan[3304]: Function: init Thread Id: 0x1009DDC0 File: /tmp/build/thehoff/Negasonic_MR10.25933462906/Negasonic_MR1/posture/asa/cscan/main.c Line: 1238 Level: all :: cscan version 4.8.01090
May 18 18:49:11 fedora-blue.olympus cscan[3304]: Function: parse_config Thread Id: 0x1009DDC0 File: /tmp/build/thehoff/Negasonic_MR10.25933462906/Negasonic_MR1/posture/asa/cscan/cfg.c Line: 83 Level: all :: Logging level directive (error) received from headend
May 18 18:49:11 fedora-blue.olympus cscan[3304]: Function: parse_config Thread Id: 0x1009DDC0 File: /tmp/build/thehoff/Negasonic_MR10.25933462906/Negasonic_MR1/posture/asa/cscan/cfg.c Line: 98 Level: all :: Logging level set to (error)
May 18 18:49:12 fedora-blue.olympus audit[3304]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3304 comm="cscan" exe="/home/~user~/.cisco/hostscan/bin/cscan" sig=6 res=1
May 18 18:49:12 fedora-blue.olympus systemd-coredump[3310]: **Resource limits disable core dumping for process 3304 (cscan).**
May 18 18:49:12 fedora-blue.olympus systemd-coredump[3310]: Process 3304 (cscan) of user 1000 dumped core.
```

Should be able to generate a dump given these limits, right?

```
$ ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 63415
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 63415
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
```

Thanks in advance for any assistance

1 Like

Welcome to the community @ek01! Please take a minute to go through the informative posts in the #start-here if you’ve not had a chance yet. They include information on how the forum works and so on.

Is SELinux enabled? Perhaps try with sudo setenforce 0 just to be sure that it isn’t an SELinux issue?

Work here also uses AnyConnect. I got it working with NetworkManager by using the csd-post.sh script provided by openconnect. Maybe that’s worth a try too?

The path to the csd-post.sh script is: /usr/libexec/openconnect/csd-post.sh. I don’t think the OS needs to be set there, but I just threw it in anyway :laughing:

(This doesn’t require one to be root or anything at all)

2 Likes

Thanks for the reply. I tried disabling the firewall as well as SELinux as a test previously with no success. I had not tried NetworkManager, but I was able to get connected with that. I’m removing AnyConnect now.

I hadn’t thought to try that because of the token and just assuming I had to use Cisco. I would have hit a wall with the script reference either way, so much appreciation for that.

The only other question I have is why I wasn’t seeing the core dump files for cscan? I don’t know if you can answer that, or if that’s a question for a different thread but I would like to understand that bit as well.

Thanks for the quick reply and solution.

ek

1 Like
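
A triage helper for journal excerpts like the one in the first post, added here as an example (not code from any poster, Cisco or openconnect). It pairs each audit ANOM_ABEND record with the systemd-coredump messages for the same PID, so the crashing binary, signal, SELinux type and the "Resource limits disable core dumping" condition are reported together; the sample lines, function name and field names are constructed for illustration.

```python
import re
import signal

# Constructed sample modelled on the journal excerpt in the first post
# (hostname and home directory are placeholders).
SAMPLE = '''\
May 18 18:49:09 host cscan[3304]: cscan version 4.8.01090
May 18 18:49:12 host audit[3304]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3304 comm="cscan" exe="/home/user/.cisco/hostscan/bin/cscan" sig=6 res=1
May 18 18:49:12 host systemd-coredump[3310]: Resource limits disable core dumping for process 3304 (cscan).
May 18 18:49:12 host systemd-coredump[3310]: Process 3304 (cscan) of user 1000 dumped core.
'''

ABEND = re.compile(r'audit\[\d+\]: ANOM_ABEND .*?subj=(\S+) pid=(\d+) '
                   r'comm="([^"]*)" exe="([^"]*)" sig=(\d+)')
# \** tolerates the bold markers pasted around the message in the post.
NO_CORE = re.compile(r'systemd-coredump\[\d+\]: \**Resource limits disable '
                     r'core dumping for process (\d+) ')
LOGGED = re.compile(r'systemd-coredump\[\d+\]: Process (\d+) \(.*?\) of user '
                    r'\d+ dumped core')


def triage(lines):
    """Return {pid: record} built from audit and systemd-coredump lines."""
    crashes = {}
    for line in lines:
        if m := ABEND.search(line):
            subj, pid, comm, exe, sig = m.groups()
            parts = subj.split(":")
            crashes.setdefault(int(pid), {}).update({
                "comm": comm,
                "exe": exe,
                "signal": int(sig),
                # Third colon-separated field of subj= is the SELinux type.
                "selinux_type": parts[2] if len(parts) > 2 else None,
            })
        elif m := NO_CORE.search(line):
            crashes.setdefault(int(m.group(1)), {})["rlimit_blocked_core"] = True
        elif m := LOGGED.search(line):
            crashes.setdefault(int(m.group(1)), {})["coredump_logged"] = True
    return crashes


if __name__ == "__main__":
    for pid, c in triage(SAMPLE.splitlines()).items():
        name = signal.Signals(c["signal"]).name
        print(f'pid {pid} {c["comm"]} ({c["exe"]}) killed by {name}, '
              f'type={c["selinux_type"]}, core blocked by rlimit: '
              f'{c.get("rlimit_blocked_core", False)}')
```
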
