
Unhandled exception in "show openconnect-server sessions"
Open, Normal, Public, BUG

Description

In certain circumstances the command

show openconnect-server sessions

fails with the following:

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/openconnect.py", line 70, in <module>
    res = vyos.opmode.run(sys.modules[__name__])
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/opmode.py", line 263, in run
    res = func(**args)
          ^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/openconnect.py", line 65, in show_sessions
    return _get_formatted_sessions(openconnect_data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/openconnect.py", line 45, in _get_formatted_sessions
    ses("Device"), ses["Username"], ses("IPv4"), ses["Remote IP"],
    ^^^^^^^^^^^^^
TypeError: 'dict' object is not callable

This behavior is easy to reproduce: just open the https URL of the openconnect server in a browser, let the browser render the page, and then run the op-mode command above on your VyOS router.

The reason is that these incorrect HTTP sessions do not contain the variables expected in lines 45-46 of /usr/libexec/vyos/op_mode/openconnect.py, namely Device, IPv4 and some others. We discovered this during a DDoS attack on our frontend: a lot of HTTP sessions were opened by bots, which is when we observed this op-mode command behavior. Even without bots this issue can easily happen, because the frontend URL is open to any HTTP request, not only to legitimate openconnect clients. This way, any external actor can effectively disable an internal VyOS reporting function.

I would recommend changing lines 45-46 of /usr/libexec/vyos/op_mode/openconnect.py from:

ses("Device"), ses["Username"], ses("IPv4"), ses["Remote IP"],
ses("_RX"), ses("_TX"), ses["State"], ses["_Connected at"]

to:

ses.get("Device","-"), ses["Username"], ses.get("IPv4","-"), ses["Remote IP"],
ses.get("_RX","-"), ses.get("_TX","-"), ses["State"], ses["_Connected at"]

to solve this problem.

A similar, though not identical, problem is mentioned in T4596.
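As an added example (not the VyOS op-mode script's own code), the following Python shows the failing pattern beside the tolerant one, run over constructed session records modelled on what occtl reports: one established VPN session and one HTTP connection that never authenticated. Which keys ocserv omits for a pre-auth connection, the column order, the "pre-auth" state string and the "-" placeholder are assumptions made for this illustration, not project behavior.

```python
#!/usr/bin/env python3
"""Added example, not the VyOS op-mode script itself: build the table rows for
"show openconnect-server sessions" without letting one incomplete record
abort the whole command.

SAMPLE_SESSIONS is constructed to resemble the per-session dicts that
`occtl --json show users` returns.  Which keys ocserv omits for a connection
that has not finished authenticating is an assumption drawn from the bug
report (Device, IPv4, _RX, _TX missing); the "pre-auth" State string, the
column order and the "-" placeholder are likewise choices made here."""
from typing import Any, Dict, List

# Column order used by the rows below (assumed, for illustration only).
COLUMNS = ["Device", "Username", "IPv4", "Remote IP",
           "_RX", "_TX", "State", "_Connected at"]
PLACEHOLDER = "-"

# Constructed sample data: one fully established VPN session, one HTTP
# connection from a browser or bot that never authenticated.
SAMPLE_SESSIONS: List[Dict[str, Any]] = [
    {"ID": 1, "Username": "alice", "Device": "vpns0", "IPv4": "192.0.2.10",
     "Remote IP": "198.51.100.7", "_RX": "1.2 MB", "_TX": "4.5 MB",
     "State": "connected", "_Connected at": "2024-07-14 10:00"},
    {"ID": 2, "Username": "(none)", "Remote IP": "203.0.113.42",
     "State": "pre-auth", "_Connected at": "2024-07-14 10:05"},
]


def rows_strict(sessions: List[Dict[str, Any]]) -> List[List[Any]]:
    """The failing pattern: index every key directly, so a record that lacks
    any column raises and the whole op-mode command prints a traceback."""
    return [[ses[col] for col in COLUMNS] for ses in sessions]


def rows_tolerant(sessions: List[Dict[str, Any]]) -> List[List[Any]]:
    """The hardened pattern: dict.get with a placeholder for every column, so
    an unauthenticated connection still appears as a row (with its State
    visible) instead of disabling the report for all sessions."""
    return [[ses.get(col, PLACEHOLDER) for col in COLUMNS] for ses in sessions]


def strict_fails(sessions: List[Dict[str, Any]]) -> bool:
    """True if the strict formatter cannot render this session list."""
    try:
        rows_strict(sessions)
    except KeyError:
        return True
    return False


def count_pre_auth(sessions: List[Dict[str, Any]]) -> int:
    """Companion check: how many records are still in the pre-auth stage.
    A large number here is itself a signal worth alerting on (bots hitting
    the frontend URL without ever authenticating)."""
    return sum(1 for ses in sessions if ses.get("State") == "pre-auth")


if __name__ == "__main__":
    if strict_fails(SAMPLE_SESSIONS):
        print("strict formatter aborted on a record with missing keys")
    for row in rows_tolerant(SAMPLE_SESSIONS):
        print("  ".join(str(cell) for cell in row))
    print(f"{count_pre_auth(SAMPLE_SESSIONS)} session(s) still in pre-auth")
```

Run stand-alone, the script prints the unauthenticated connection as a row of "-" placeholders with its State column intact rather than a traceback; the pre-auth count is a cheap way to spot the kind of bot traffic described in the report before it shows up as a broken op-mode command.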

Details

Difficulty level
Unknown (require assessment)
Version
1.4.0
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

The pre-auth stage of the negotiation does not populate the Device, IPv4, _TX, and _RX values yet; that's why the command fails: the raw array doesn't contain these variables yet.

dmbaturin renamed this task from ocserv op mode needs improvement to Unhandled exception in "show openconnect-server sessions". Jul 15 2024, 6:31 AM
dmbaturin triaged this task as Normal priority.
dmbaturin added projects: VyOS 1.5 Circinus, Restricted Project.
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.