Anyconnect cscan failure on Fedora 32

ek01 · May 19, 2020, 2:03am

I’ve been fighting with Fedora 32 for some time, trying to get Cisco Anyconnect client working. It was working on Fedora 31, and I have it working on CentOS 8, but for some reason Fedora 32 on new install will not work for me.

My work uses secondary authentication after user/pass, but I can’t get past the initial login. The initial scan when choosing a vpn end point is failing during posture assessment and update. When that fails, it goes to login, I enter user/pass and nothing else happens.

I did find what appears to be an issue with cscan failing, but no idea how/why and would really appreciate some assistance in troubleshooting. What I pulled from journalctl for cscan follows, but basically it fails for some reason and tries to generate a core dump but can’t (not sure why not).

If there is anything else I can provide or questions I can answer, I’ll do my best. I’m really at a loss at this point and this is the one show stopper for me using Fedora.


May 18 18:49:09 fedora-blue.olympus cscan[3304]: Function: init Thread Id: 0x1009DDC0 File: /tmp/build/thehoff/Negasonic_MR10.25933462906/Negasonic_MR1/posture/asa/cscan/main.c Line: 1237 Level: all :: hello
May 18 18:49:09 fedora-blue.olympus cscan[3304]: Function: init Thread Id: 0x1009DDC0 File: /tmp/build/thehoff/Negasonic_MR10.25933462906/Negasonic_MR1/posture/asa/cscan/main.c Line: 1238 Level: all :: cscan version 4.8.01090
May 18 18:49:11 fedora-blue.olympus cscan[3304]: Function: parse_config Thread Id: 0x1009DDC0 File: /tmp/build/thehoff/Negasonic_MR10.25933462906/Negasonic_MR1/posture/asa/cscan/cfg.c Line: 83 Level: all :: Logging level directive (error) received from headend
May 18 18:49:11 fedora-blue.olympus cscan[3304]: Function: parse_config Thread Id: 0x1009DDC0 File: /tmp/build/thehoff/Negasonic_MR10.25933462906/Negasonic_MR1/posture/asa/cscan/cfg.c Line: 98 Level: all :: Logging level set to (error)
May 18 18:49:12 fedora-blue.olympus audit[3304]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3304 comm="cscan" exe="/home/~user~/.cisco/hostscan/bin/cscan" sig=6 res=1
May 18 18:49:12 fedora-blue.olympus systemd-coredump[3310]: **Resource limits disable core dumping for process 3304 (cscan).**
May 18 18:49:12 fedora-blue.olympus systemd-coredump[3310]: Process 3304 (cscan) of user 1000 dumped core.

Should be able to generate a dump given these limits, right?

$ ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 63415
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 63415
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

Thanks in advance for any assistance

ankursinha · May 19, 2020, 9:08am

Welcome to the community @ek01! Please take a minute to go through the informative posts in the #start-here if you’ve not had a chance yet. They include information on how the forum works and so on.

ek01:

May 18 18:49:12 fedora-blue.olympus audit[3304]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3304 comm="cscan" exe="/home/~user~/.cisco/hostscan/bin/cscan" sig=6 res=1

Is selinux enabled? Perhaps try with sudo setenforce 0 just to be sure that it isn’t an selinux issue?

Work here also uses Anyconnect. I got it working with network manager by using the csd-post.sh script provided by openconnect. Maybe that’s worth a try too?

The path to the csd-post.sh script is: /usr/libexec/openconnect/csd-post.sh. I don’t think the OS needs to be set there, but I just threw it in anyway

(This doesn’t require one to be root or anything at all)

ek01 · May 19, 2020, 1:34pm

Thanks for the reply. I tried disabling the firewall as well as selinux as a test previously with no success. I had not tried Network manager, but I was able to get connected with that. I’m removing anyconnect now.

I hadn’t thought to try that because of the token and just assuming I had to use Cisco. I would have hit a wall with the script reference either way, so much appreciation for that.

The only other question I have is why I wasn’t seeing the core dump files for cscan? I don’t know if you can answer that, or if that’s a question for a different thread but I would like to understand that bit as well.

Thanks for the quick reply and solution.

ek

system · June 16, 2020, 1:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.