Has anyone successfully run Cisco AnyConnect VPN with Fedora 34? Installation of 4.8.02045 (which works on Fedora 33) seems to go okay, but ends with:
Job for vpnagentd.service failed because the control process exited with error code.
Doing a “journalctl -xeu vpnagentd.service” yields:
vpnagentd.service: Failed to locate executable /opt/cisco/anyconnect/bin/load_tun.sh: Permission denied
vpnagentd.service: Control process exited, code=exited, status=203/EXEC
vpnagentd.service: Failed with result 'exit-code'.
Failed to start Cisco AnyConnect Secure Mobility Client Agent.
However, the file /opt/cisco/anyconnect/bin/load_tun.sh exists, and seems to have the right permissions…if you run it as root, it creates the tunnel. However, even with the tunnel in place you still get 203/EXEC errors when trying to start the vpnagentd.service.
When you start the client from the command line (/opt/cisco/anyconnect/bin/vpnui), the following message appears in the console:
Gtk-Message: 16:32:32.727: Failed to load module "pk-gtk-module"
I wasn’t expecting anything with the vpnagentd.service down, but the GUI fails to draw properly at all and eventually quits after this. So there seem to be multiple issues.
I also tried 4.9.06037, and versions going back to 4.5, all with the same result. Any help would be appreciated!
aureport -a -ts recent
# date time comm subj syscall class permission obj result event
<no events of interest were found>
Thanks for the link. I did generate a TE rule for that, which got me farther down the process…with a whole bunch of other errors, but the service is running, and the UI comes up as expected - I am successfully able to connect via VPN!
I can’t believe I didn’t think of SELinux - it’s odd that the permissions didn’t get set right in the first place though. I didn’t see any SELinux failures when the installer was running, but the SELinux policy in place for /opt/cisco/ is definitely not the same as it was in Fedora 33 and 32.
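Added example, not part of the original posts: the thread traces "Permission denied" / 203/EXEC on a file with correct Unix permissions to SELinux, and this helper condenses AVC denial records for one file name into permission, source type, target type and class, the fields a TE rule is written from. The audit records and the type name example_opt_t are constructed for illustration; on a live system the input would come from `ausearch -m avc -ts recent`.

```shell
#!/bin/sh
# Added example. The audit records below are constructed; "example_opt_t" is a
# placeholder type, not the label Fedora 34 actually assigns under /opt/cisco.
# On a live system, feed avc_summary from `ausearch -m avc -ts recent` (as root).
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1620000001.100:501): avc:  denied  { execute } for  pid=2101 comm="(load_tun.sh)" name="load_tun.sh" dev="dm-0" ino=1001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:example_opt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620000009.300:507): avc:  denied  { execute } for  pid=2188 comm="(load_tun.sh)" name="load_tun.sh" dev="dm-0" ino=1001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:example_opt_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620000011.000:510): avc:  denied  { read open } for  pid=2200 comm="vpnagentd" name="other.conf" dev="dm-0" ino=1002 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:example_opt_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1620000012.000:511): pid=1 uid=0 msg='unit=vpnagentd comm="systemd" res=failed'
EOF
}

# avc_summary NAME: read audit records on stdin and print one line per distinct
# denial on NAME: "<perms> <source type> <target type> <class> <count>".
avc_summary() {
  awk -v want="$1" '
    /avc: +denied/ {
      name = st = tt = cls = ""
      # The denied permissions sit between "{ " and " }".
      b = index($0, "{ "); e = index($0, " }")
      if (b == 0 || e <= b) next
      perms = substr($0, b + 2, e - b - 2); gsub(/ /, ",", perms)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
        if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); st = c[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tt = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (name != want) next
      key = perms " " st " " tt " " cls
      if (!(key in count)) order[++n] = key   # keep first-seen order
      count[key]++
    }
    END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }
  '
}

# Stand-alone run over the constructed records.
sample_audit | avc_summary load_tun.sh
```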
I have had multiple issues trying to run Cisco AnyConnect software. As a replacement, I use the default GNOME settings (Settings>Network>Add VPN) to add a VPN using the VPN multi-protocol, which is compatible with this kind of VPN. I think this is easier, more reliable and better integrated into the GNOME environment.
You will see many options there, but you only need to fill in the gateway and you can leave everything else empty.
I was happily using GNOME’s VPN, which I believe is NetworkManager-OpenConnect, until we switched to requiring MFA on our VPN, and it turns out that GNOME is unable to handle this, at least with our setup. I miss being able to single-click the VPN on and off again whenever I wanted, instead of the ordeal it is to run Cisco AnyConnect! I’ve found Cisco to be much less reliable in general, so I would urge people to try the built-in VPN first before resorting to AnyConnect.