cancel
Showing results for 
Search instead for 
Did you mean: 

Connection Errors from Fedora-26 workstation

Highlighted
New Contributor

Connection Errors from Fedora-26 workstation

Hi

I'm having connection problems trying to connect to my employers vpn. I can successfully connect from my windows workstation, but I've been unable to get the linux workstation to work.

I've installed ps-pulse-linux-5.3r2.0-b853-centos-rhel-installer.rpm which my employer recently downloaded and the install seemingly went well.

I am running Fedora-26.

I am able to get the GUI to come up and connect to the vpn. I get through the login page to the host checker page and then nothing happens after that - the app appear hung.

Below are logs that I've collected. Specifics to the vpn end-point are masked for security reasons.

The two logs seem to tell a different tale. The sdtout log calls out a json parsing error while the pulsesvc.log complains about a bad certificate.

How can I troubleshoot this further?

Thanks

Phil

=============================
stdout when I run pulseUi from terminal
=============================

open(/home/phil/.pulse_secure/pulse/pulsesvc.log) failed: Permission denied
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.

(pulseUi:25493): Gtk-WARNING **: Unable to locate theme engine in module_path: "adwaita",

(pulseUi:25493): Gtk-WARNING **: Unable to locate theme engine in module_path: "adwaita",
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
20170913142804.349164 pulsesvc[p25493.t25493] pulseui.info /usr/lib/libproxy.so.1 loaded
(pulseProxy.cpp:160)
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.
20170913142804.358072 pulsesvc[p25493.t25493] pulseui.info proxy is direct://

(pulseProxy.cpp:185)
20170913142804.358123 pulsesvc[p25493.t25493] pulseui.info Protocol :direct Credential : (pulseProxy.cpp:58)
20170913142804.358131 pulsesvc[p25493.t25493] pulseui.info Proxy used is NULL (pulseUi.cpp:717)
20170913142804.358138 pulsesvc[p25493.t25493] pulseui.info Proxy Host is NULL (pulseUi.cpp:718)
20170913142804.358144 pulsesvc[p25493.t25493] pulseui.info Proxy Port is 0 (pulseUi.cpp:719)
20170913142804.358151 pulsesvc[p25493.t25493] pulseui.info Proxy UserName is NULL (pulseUi.cpp:720)
20170913142804.358157 pulsesvc[p25493.t25493] pulseui.info Proxy Password is NULL (pulseUi.cpp:721)
20170913142804.358163 pulsesvc[p25493.t25493] pulseui.error Proxy is not used/set (pulseUi.cpp:751)
20170913142804.358171 pulsesvc[p25493.t25493] pulseui.info Proxy object is delete (pulseProxy.cpp:26)

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed

(pulseUi:25493): libsoup-CRITICAL **: soup_cookie_jar_get_cookies: assertion 'SOUP_IS_COOKIE_JAR (jar)' failed
20170913142815.261089 pulsesvc[p25493.t25493] pulseui.info Updating Preferred certificate:i for connection (pulseCertAuth.cpp:103)
20170913142815.288862 pulsesvc[p25493.t25493] pulseui.info /usr/lib/libproxy.so.1 loaded
(pulseProxy.cpp:160)
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.
20170913142815.298299 pulsesvc[p25493.t25493] pulseui.info proxy is direct://

(pulseProxy.cpp:185)
20170913142815.298330 pulsesvc[p25493.t25493] pulseui.info Protocol :direct Credential : (pulseProxy.cpp:58)
20170913142815.298338 pulsesvc[p25493.t25493] pulseui.info Proxy used is NULL (pulseUi.cpp:717)
20170913142815.298345 pulsesvc[p25493.t25493] pulseui.info Proxy Host is NULL (pulseUi.cpp:718)
20170913142815.298351 pulsesvc[p25493.t25493] pulseui.info Proxy Port is 0 (pulseUi.cpp:719)
20170913142815.298357 pulsesvc[p25493.t25493] pulseui.info Proxy UserName is NULL (pulseUi.cpp:720)
20170913142815.298363 pulsesvc[p25493.t25493] pulseui.info Proxy Password is NULL (pulseUi.cpp:721)
20170913142815.298369 pulsesvc[p25493.t25493] pulseui.error Proxy is not used/set (pulseUi.cpp:751)
20170913142815.298375 pulsesvc[p25493.t25493] pulseui.info Proxy object is delete (pulseProxy.cpp:26)
20170913142815.300471 pulsesvc[p25493.t25493] pulseui.info About to start VPN connection: , baseUrl: https://vpn..com (pulseUi.cpp:408)
20170913142840.296708 pulsesvc[p25493.t25493] pulseui.info Succesfully Launched host checker process (pulseUi.cpp:917)
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.
20170913142840.439337 pulsesvc[p25493.t25493] pulseui.info Succesfully read the return cookie from host checker process (pulseUi.cpp:921)
20170913142840.439488 pulsesvc[p25493.t25493] pulseui.info Succesfully read the compliance status from host checker process (pulseUi.cpp:929)
20170913142840.440557 pulsesvc[p25493.t25493] pulseui.info Post-Auth Host checking completed (pulseUi.cpp:1007)
20170913142840.607628 pulsesvc[p25493.t25493] pulseui.error Unable to load Json Parser, message: SyntaxError: Unexpected token '
Tags (1)
6 REPLIES 6
New Contributor

Re: Connection Errors from Fedora-26 workstation

I must have exceed a line count. Here's the tail end of that log

20170913142840.608354 pulsesvc[p25493.t25493] pulseui.error Unable to load Json Parser, message: ReferenceError: Can't find variable: WriteCSS (pulseUi.cpp:265)

===============
and the pulsesvc.log
===============

20170913142840.317978 pulsesvc[p25511.t25511] dsncuiapi.para DsNcUiApi:Smiley Very HappysNcUiApi (dsncuiapi.cpp:75)
20170913142840.319056 pulsesvc[p25511.t25511] pulseui.info /usr/lib/libproxy.so.1 loaded
(pulseProxy.cpp:160)
20170913142840.338784 pulsesvc[p25511.t25511] pulseui.info proxy is direct://

(pulseProxy.cpp:185)
20170913142840.338906 pulsesvc[p25511.t25511] pulseui.info Protocol :direct Credential : (pulseProxy.cpp:58)
20170913142840.338981 pulsesvc[p25511.t25511] dsclient.para DSClient::authenticate(): userSmiley SadNULL), password:..., cert:81c50c1, realmSmiley SadNULL) (dsclient.cpp:306)
20170913142840.343798 pulsesvc[p25511.t25511] DSInet.info IVE host vpn..com resolved to , port 443 (dsinet.cpp:329)
20170913142840.365015 pulsesvc[p25511.t25511] dsssl.warn ssl_init : Failed to load CA certificates (DSSSLSock.cpp:1515)
20170913142840.365053 pulsesvc[p25511.t25511] http_connection.para Starting a timed connect with SSL session 0x897c4f0, proxy (null):0, and timeout 30 (http_connection.cpp:236)
20170913142840.365066 pulsesvc[p25511.t25511] http_connection.para Entering state_start_connection (http_connection.cpp:351)
20170913142840.365076 pulsesvc[p25511.t25511] http_connection.para Remote Address: ip=, port=443, familiy=2 (http_connection.cpp:799)
20170913142840.365085 pulsesvc[p25511.t25511] http_connection.para Remote Server=vpn..com (http_connection.cpp:801)
20170913142840.365093 pulsesvc[p25511.t25511] http_connection.para Local Address: ip=0.0.0.0, port=0, familiy=2 (http_connection.cpp:806)
20170913142840.365101 pulsesvc[p25511.t25511] http_connection.para Proxy Address: ip=(null), port=0, familiy=0 (http_connection.cpp:811)
20170913142840.404735 pulsesvc[p25511.t25511] http_connection.para Entering state_continue_connection (http_connection.cpp:368)
20170913142840.404827 pulsesvc[p25511.t25511] http_connection.para Entering state_ssl_connect (http_connection.cpp:538)
20170913142840.435150 pulsesvc[p25511.t25511] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)
20170913142840.435394 pulsesvc[p25511.t25511] dsssl.info log_cert_info : Subject : OU = Domain Control Validated, OU = COMODO SSL, CN = vpn..com (DSSSLSock.cpp:1555)
20170913142840.435610 pulsesvc[p25511.t25511] dsssl.error SSL_connect failed. Error 1 (DSSSLSock.cpp:1834)
20170913142840.435650 pulsesvc[p25511.t25511] http_connection.para Returning DSHTTP_ERROR from state_ssl_connect (http_connection.cpp:553)
20170913142840.435673 pulsesvc[p25511.t25511] http_connection.para do_connect error: state 5, err 5 (http_connection.cpp:341)
20170913142840.435785 pulsesvc[p25511.t25511] DSInet.error failed to connect to (vpn..com) error 1 (dsinet.cpp:412)
20170913142840.435834 pulsesvc[p25511.t25511] dsclient.error unable to open URL: (https://vpn..com) with error -7 (dsclient.cpp:321)
20170913142840.435859 pulsesvc[p25511.t25511] pulsesvc.error Failed to authenticate with IVE.HC Failed (pulsesvc.cpp:956)
20170913142840.435901 pulsesvc[p25511.t25511] pulseui.info Proxy object is delete (pulseProxy.cpp:26)
Contributor

Re: Connection Errors from Fedora-26 workstation

May be the device certificate is not added to the trusted certificates list in the client. Could you try with the solution here: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40200

Specific steps for yum based systems:

1. Install the ca-certificates package.
yum install ca-certificates

2. Enable the dynamic CA configuration feature.
update-ca-trust force-enable

3. Add it as a new file to /etc/pki/ca-trust/source/anchors/
cp foo.crt /etc/pki/ca-trust/source/anchors/

4. Update the CA store.
update-ca-trust extract
Contributor

Re: Connection Errors from Fedora-26 workstation

Since your device certificate is signed by a CA, you will have to add the CA to the trusted certificates list in /usr/share/pki/ ... folder
Pulser

Re: Connection Errors from Fedora-26 workstation

The DNS is not resolving the hostname to an IP address so it doesn't know what to connect to:

DSInet.info IVE host vpn..com resolved to , port 443 (dsinet.cpp:329)
Remote Address: ip=, port=443, familiy=2


Try adding a hosts file entry for vpn.com and see if that makes it to the connecting stage.
New Contributor

Re: Connection Errors from Fedora-26 workstation

Thanks for the replies.

re: csuchindra

I followed your suggestions as per the KB article. The behaviors is the same and I'm not seeing a difference in the error log.

I can see that the crt I downloaded is now in /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt, the comment being the name of the downloaded crt.

Again, I masked host id info.

20170919085800.125662 pulsesvc[p3574.t3574] dsncuiapi.para DsNcUiApi:Smiley Very HappysNcUiApi (dsncuiapi.cpp:75)
20170919085800.127019 pulsesvc[p3574.t3574] pulseui.info /usr/lib/libproxy.so.1 loaded
(pulseProxy.cpp:160)
20170919085800.143506 pulsesvc[p3574.t3574] pulseui.info proxy is direct://

(pulseProxy.cpp:185)
20170919085800.143576 pulsesvc[p3574.t3574] pulseui.info Protocol :direct Credential : (pulseProxy.cpp:58)
20170919085800.143604 pulsesvc[p3574.t3574] dsclient.para DSClient::authenticate(): userSmiley SadNULL), password:..., cert:81c50c1, realmSmiley SadNULL) (dsclient.cpp:306)
20170919085800.145792 pulsesvc[p3574.t3574] DSInet.info IVE host vpn.DOMAIN.com resolved to 63.0.1.2, port 443 (dsinet.cpp:329)
20170919085800.160536 pulsesvc[p3574.t3574] dsssl.warn ssl_init : Failed to load CA certificates (DSSSLSock.cpp:1515)
20170919085800.160570 pulsesvc[p3574.t3574] http_connection.para Starting a timed connect with SSL session 0xa0014c0, proxy (null):0, and timeout 30 (http_connection.cpp:236)
20170919085800.160586 pulsesvc[p3574.t3574] http_connection.para Entering state_start_connection (http_connection.cpp:351)
20170919085800.160599 pulsesvc[p3574.t3574] http_connection.para Remote Address: ip=63.0.1.2, port=443, familiy=2 (http_connection.cpp:799)
20170919085800.160610 pulsesvc[p3574.t3574] http_connection.para Remote Server=vpn.DOMAIN.com (http_connection.cpp:801)
20170919085800.160621 pulsesvc[p3574.t3574] http_connection.para Local Address: ip=0.0.0.0, port=0, familiy=2 (http_connection.cpp:806)
20170919085800.160632 pulsesvc[p3574.t3574] http_connection.para Proxy Address: ip=(null), port=0, familiy=0 (http_connection.cpp:811)
20170919085800.198357 pulsesvc[p3574.t3574] http_connection.para Entering state_continue_connection (http_connection.cpp:368)
20170919085800.198494 pulsesvc[p3574.t3574] http_connection.para Entering state_ssl_connect (http_connection.cpp:538)
20170919085800.232797 pulsesvc[p3574.t3574] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)
20170919085800.232987 pulsesvc[p3574.t3574] dsssl.info log_cert_info : Subject : OU = Domain Control Validated, OU = COMODO SSL, CN = vpn.DOMAIN.com (DSSSLSock.cpp:1555)
20170919085800.233323 pulsesvc[p3574.t3574] dsssl.error SSL_connect failed. Error 1 (DSSSLSock.cpp:1834)
20170919085800.233404 pulsesvc[p3574.t3574] http_connection.para Returning DSHTTP_ERROR from state_ssl_connect (http_connection.cpp:553)
20170919085800.233451 pulsesvc[p3574.t3574] http_connection.para do_connect error: state 5, err 5 (http_connection.cpp:341)
20170919085800.233630 pulsesvc[p3574.t3574] DSInet.error failed to connect to (vpn.DOMAIN.com) error 1 (dsinet.cpp:412)
20170919085800.233725 pulsesvc[p3574.t3574] dsclient.error unable to open URL: (https://vpn.DOMAIN.com) with error -7 (dsclient.cpp:321)
20170919085800.233777 pulsesvc[p3574.t3574] pulsesvc.error Failed to authenticate with IVE.HC Failed (pulsesvc.cpp:956)
20170919085800.233857 pulsesvc[p3574.t3574] pulseui.info Proxy object is delete (pulseProxy.cpp:26)
Contributor

Re: Connection Errors from Fedora-26 workstation

Hi phlp,

Could you try the following:

. Place the certificate in /usr/share/pki/ca-trust-source/anchors
. Place the CA certificate (if any), and intermediate CA certificate (if any) in the same folder (/usr/share/pki/ca-trust-source/anchors)
. Run the following commands:

update-ca-trust enable
update-ca-trust extract
. If there is an intermediate CA certificate, then it should be added to System -> Certificates -> Device Certificates -> Intermediate CAs (Note: "Intermediate CAs" is not a button, but a link. You might have to do a ctrl-f to find it on the page)
. Then try connecting using Pulse Secure Client
. Check System -> Log/Monitoring -> User Access -> Log. That would give more details as to why it has failed. Sometimes it is possible that the hashing algorithm is not supported. It might also be that the certificate strength is 4096 bits (which is not supported)