# Cisco AnyConnect VPN fails on AMD64

## sl70

I used to be able to run this VPN client but when my old 32-bit system died and I upgraded to AMD64, I can't connect any more. The client is only 32-bit, but according to Cisco, it should be usable in biarch systems. Here's what the docs say:

 *Quote:*   

> glibc users must have glibc 2.3.2 installed. For example, libc.so.6 or higher.
> 
> •libstdc++ users must have libstdc++ version 3.3.2 (libstdc++.so.5) or higher, but below version 4.
> 
> •Firefox: required 1.0 or later (with libnss3.so installed in /usr/local/lib, /usr/local/firefox/lib, or /usr/lib).
> ...

 

As far as I can tell, I have all these libs. At least, ldd doesn't tell me anything is missing:

```
ldd vpn

        linux-gate.so.1 =>  (0xf7729000)                                

        libxml2.so.2 => /usr/lib32/libxml2.so.2 (0xf75cf000)

        libz.so.1 => /lib32/libz.so.1 (0xf75bb000)

        libcrypto.so.0.9.8 => /opt/cisco/vpn/lib/libcrypto.so.0.9.8 (0xf74cc000)

        libssl.so.0.9.8 => /opt/cisco/vpn/lib/libssl.so.0.9.8 (0xf749e000)

        libpthread.so.0 => /lib32/libpthread.so.0 (0xf7484000)

        libm.so.6 => /lib32/libm.so.6 (0xf745e000)

        libc.so.6 => /lib32/libc.so.6 (0xf7316000)

        libdl.so.2 => /lib32/libdl.so.2 (0xf7312000)

        /lib/ld-linux.so.2 (0xf772a000)

```

But when I try and connect I get this:

```
 notice: Please respond to Server Certificate Acceptance Request.

VPN> 

Warning: The following Certificate received from the Server could not be verified:

accept? [y/n]: y

  >> warning: Unable to process response from cvpn.uchicago.edu.

  >> notice: Please respond to Server Certificate Acceptance Request.

VPN> 

Warning: The following Certificate received from the Server could not be verified:

accept? [y/n]: 

```

Simultaneously, this shows up in the logs:

```
Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - Certificates/NSSCertUtils.cpp:378 (fe210005) getProfilePath

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - Certificates/NSSCertStore.cpp:57 (fe210005) CNSSCertUtils::InitNSS

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - Certificates/CollectiveCertStore.cpp:795 (fe210005) CNSSCertStore::CNSSCertStore

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: warning - Certificates/CollectiveCertStore.cpp:217 (fe210005) CCollectiveCertStore::addNSSStore

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - Certificates/CollectiveCertStore.cpp:65 (fe21000e) CCollectiveCertStore::OpenStores

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - Certificates/VPNCertStore.cpp:86 (fe21000e) CCapiCertStore::CCapiCertStore

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - Certificates/CertHelper.cpp:50 (fe21000e) CCertStoreFactory::AcquireStore

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - CTransportCurlStatic.cpp:785 (fe21000e) CCertHelper

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - CTransportCurlStatic.cpp:1335 (fe010020) curl_easy_perform problem with the SSL CA cert (path? access rights?)

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - ConnectIfc.cpp:362 (fe010020) ConnectIfc::connect Send request to peer failed

Feb 19 20:26:46 musume vpn: [p:14726  pp:13163]: error - ConnectMgr.cpp:869 (fe010020) ConnectIfc::connect

```

Anyone know the trick to getting this to connect?

P.S. I tried openconnect, but it was not satisfactory. It would connect, but it threw all kinds of errors and when I tried to write to a cifs mounted remote directory, the whole machine froze up.

----------

## HeissFuss

There are some 32 bit libs you'll need, some from the emul package and some straight from a 32-bit firefox install package.

First off, you'll need at least app-emulation/emul-linux-x86-baselibs installed.

This link shows how to get it working on Ubuntu.  The concept on Gentoo should be similar.

----------

## sl70

I did all that but the sticking point seems to be a 32-bit version of nss-mdns. I installed that but the libs are 64-bit versions:

```
 file /usr/lib64/libnss_mdns.so.2

/usr/lib64/libnss_mdns.so.2: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped

```

I don't know how to get around this. Can I just take the 32-bit versions from my laptop and stick them in /usr/lib32?

----------

## sl70

Well, I tried copying all the libnss_mdns files from my 32-bit laptop to my problematic 64-bit desktop, but I'm still getting the same errors. Sigh.

----------

## dwmw2

 *sl70 wrote:*   

> P.S. I tried openconnect, but it was not satisfactory. It would connect, but it threw all kinds of errors and when I tried to write to a cifs mounted remote directory, the whole machine froze up.

 

I'd be very interested in the errors you saw with openconnect. I strongly suspect that the CIFS problem wasn't related to the fact that you were using openconnect -- if connectivity was working and you could connect to hosts on the VPN, there's not a lot that it could do wrong. Unless perhaps your network is broken and firewalls ICMP, in which case reducing the MTU (with the --mtu option) may help.

Feel free to mail me (or the openconnect-devel list) if you want more assistance.

----------

## sl70

I think I may have been mistaken about the problem with cifs mount problems. I may have been having these problems because I tried running the Cisco AnyConnect client in the interim, so there may have been some kind of contention for devices or some such. After I rebooted, I did not have those problems again.

I'll write to the list if anything comes up again.

----------

