Startup entered FATAL state, too many start retries too quickly

[grebois]

Hi @jamgocoop I'm getting the following output when trying to connect;

2017-09-27 08:28:24,157 CRIT Supervisor running as root (no user in config file)
2017-09-27 08:28:24,159 INFO supervisord started with pid 1
2017-09-27 08:28:25,165 INFO spawned: 'startup' with pid 9
2017-09-27 08:28:25,377 INFO exited: startup (exit status 1; not expected)
2017-09-27 08:28:26,381 INFO gave up: startup entered FATAL state, too many start retries too quickly

The connection values look ok, any way to make the output verbose?

[jamgocoop]

Hi @grebois to make the connect procces verbose you can add a -v to the OPENCONNECT_OPTIONS environment variable. Ex.:

-e "OPENCONNECT_OPTIONS=--servercert pin-sha256:XXX -v"

[grebois]

@jamgocoop didn't work, same output as before

[jamgocoop]

@grebois Can you send me the "docker run" command you're using (without the credentials obviously)?

[andrius]

I have the same issue. Everything works within docker from command line.

Issue:

2018-02-24 10:04:44,857 CRIT Supervisor running as root (no user in config file)
2018-02-24 10:04:44,863 INFO supervisord started with pid 1
2018-02-24 10:04:45,867 INFO spawned: 'startup' with pid 8
2018-02-24 10:04:46,052 INFO exited: startup (exit status 1; not expected)
2018-02-24 10:04:47,056 INFO gave up: startup entered FATAL state, too many start retries too quickly

docker run command:

docker run -ti --rm --name pulsevpn \
  -e "VPN_URL=https://MY_CORPORATE_DOMAIN/dana-na/auth/url_default/welcome.cgi" \
  -e "VPN_USER=MY_USERNAME" \
  -e "VPN_PASSWORD=MY_PASSWORD" \
  -e "OPENCONNECT_OPTIONS=-v --servercert FINGERPRINT" \
  --privileged=true \
  jamgocoop/pulsesecure-vpn

If I add sh option to the docker-run and type within docker container following:

openconnect -q --cookieonly $OPENCONNECT_OPTIONS --disable-ipv6 --protocol=nc --os=linux \
  $VPN_URL -u $VPN_USER --passwd-on-stdin | \
openconnect $OPENCONNECT_OPTIONS -b --disable-ipv6 --protocol=nc --os=linux \
  $VPN_URL --cookie-on-stdin

Then everything works interactively (and I do receive SMS with 2FA), it gets connected properly. For some reason I still have enter username but then all right:

Server certificate verify failed: signer not found
Connected to HTTPS on MY_CORPORATE_DOMAIN
frmLogin
username:MY_USERNAME
password:MY_PASSWORD

Connected to HTTPS on MY_CORPORATE_DOMAIN
frmDefender
password:MY_SMS_2FA_PASSWORD
POST https://MY_CORPORATE_DOMAIN/dana-na/auth/url_default/login.cgi
SSL negotiation with MY_CORPORATE_DOMAIN

and after I get connected, everything is fine, I can access network servers:

Connected as 10.156.152.118, using SSL
Continuing in background; pid 8
/ # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0
10.156.152.118  0.0.0.0         255.255.255.255 UH        0 0          0 tun0
XXX.XXX.XXX.XXX 172.17.0.1      255.255.255.255 UGH       0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0

/ # ping 10.0.129.12
PING 10.0.129.12 (10.0.129.12): 56 data bytes
64 bytes from 10.0.129.12: seq=0 ttl=54 time=61.314 ms

[jamgocoop]

Hi andrius.

A few days ago I committed a fix in startup.sh. There was a hardcoded user name that I pushed by mistake. I don't know if this is the origin of the error, but can you confirm if you have the latest version of the code? I see that your issue log is from 2018-02-24 but I don't know if you had the last version.

Thanks.

[andrius]

Hello, that was the latest version from docker hub

…

Sent from my iPhone

On 25 Feb 2018, at 13:50, Jamgo ***@***.***> wrote: Hi andrius. A few days ago I committed the fix in startup.sh. There was a hardcoded user name that I pushed by mistake. I don't know if this is the origin of the error, but can you confirm if you have the latest version of the code? I see that your issue log is from 2018-02-24 but I don't know if you had the last version. Thanks. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[jamgocoop]

Ok.

I noticed that the docker image build had failed when I committed the fix ten days ago. I forced a build five hours ago and now the image was built correctly. Can you do a docker pull jamgocoop/pulsesecure-vpn and try again with a new container?

[andrius]

The same error. I've made my repository and get everything working but I have to enter username, password and OTP password interactively https://github.com/andrius/openconnect-docker