Package: openconnect
Version: 7.06-2+b2
Severity: important

Dear Maintainer,

A couple of weeks back, my openconnect VPN connection started to freeze frequently. I'm not sure what changed at the time. The connection comes back after a while and I noticed from the logs that it is restored after a "DTLS Dead Peer Detection detected dead peer!" message. So I found the --force-dpd option and the situation is bearable, if I set the value to 2 or 3.

What might be the problem? Is it a bug or a configuration issue? On client or server?

openconnect.log is output of an example openconnect connection using -v option.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openconnect depends on:
ii  libc6            2.23-5
ii  libgnutls30      3.5.3-3
ii  libopenconnect5  7.06-2+b2
ii  libproxy1v5      0.4.11-5
ii  libxml2          2.9.4+dfsg1-1+b1
ii  vpnc-scripts     0.1~git20150318-1

openconnect recommends no packages.

openconnect suggests no packages.

*** /home/matti/openconnect.log
$ echo pass|sudo /usr/sbin/openconnect -v --force-dpd=3 --usergroup=$USERGROUP --user=$USERNAME --passwd-on-stdin $SERVERNAME
POST https://$SERVERNAME/restricted
Attempting to connect to server $SERVER_IP:443
SSL negotiation with $SERVERNAME
Connected to HTTPS on $SERVERNAME
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Aug 2016 09:21:27 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
POST https://$SERVERNAME/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Aug 2016 09:21:27 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004-2016 Cisco Systems, Inc.
X-CSTP-Address: $ADDRESS
X-CSTP-Netmask: 255.255.255.255
X-CSTP-Hostname: $HOSTNAME
X-CSTP-DNS: $DNS1
X-CSTP-DNS: $DNS2
X-CSTP-NBNS: $NBNS1
X-CSTP-NBNS: $NBNS2
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 5400
X-CSTP-Disconnected-Timeout: 5400
X-CSTP-Default-Domain: $DOMAIN
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-PAC-URL: $PAC_URL
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 80FD648BC40104FC32F5E5F012A93F86471611402E235C99BD294AF4A26300E1
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 3600
X-CSTP-MTU: 1200
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 3, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
DTLS option X-DTLS-Session-ID : 80FD648BC40104FC32F5E5F012A93F86471611402E235C99BD294AF4A26300E1
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 3600
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 3, Keepalive 20
Connected tun0 as $IP, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send CSTP DPD
Got DTLS DPD response
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send DTLS DPD
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
DTLS Dead Peer Detection detected dead peer!
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send CSTP DPD
Got CSTP DPD response
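
Added example (not part of the original report, and not openconnect code): a small parser for `openconnect -v` output that tracks DPD probes separately for the CSTP and DTLS channels, so a log like the one above can be checked for which channel stops answering before a dead-peer event. The function name, the result keys and the sample log are constructed for illustration; the sample mirrors the tail of the log above.

```python
import re

# Constructed excerpt that mirrors the tail of the log in the report above.
SAMPLE_LOG = """\
X-DTLS-DPD: 30
DTLS initialised. DPD 3, Keepalive 20
Send DTLS DPD
Got DTLS DPD response
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send DTLS DPD
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
DTLS Dead Peer Detection detected dead peer!
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
"""

def analyse_dpd(log_text):
    """Summarise per-channel DPD behaviour from `openconnect -v` output."""
    out = {"server_dtls_dpd": None,  # interval offered in X-DTLS-DPD
           "client_dtls_dpd": None,  # interval in use (e.g. via --force-dpd)
           "dead_peer_events": [],   # unanswered DTLS probes before each event
           "dtls_sessions": 0,       # "Established DTLS connection" lines seen
           "cstp_unanswered": 0}     # CSTP probes outstanding at end of log
    pending = {"CSTP": 0, "DTLS": 0}
    for line in map(str.strip, log_text.splitlines()):
        if m := re.fullmatch(r"X-DTLS-DPD: (\d+)", line):
            out["server_dtls_dpd"] = int(m.group(1))
        elif m := re.match(r"DTLS initialised\. DPD (\d+)", line):
            out["client_dtls_dpd"] = int(m.group(1))
        elif m := re.fullmatch(r"Send (CSTP|DTLS) DPD", line):
            pending[m.group(1)] += 1
        elif m := re.fullmatch(r"Got (CSTP|DTLS) DPD response", line):
            pending[m.group(1)] = 0  # simplification: any reply clears the count
        elif line == "DTLS Dead Peer Detection detected dead peer!":
            out["dead_peer_events"].append(pending["DTLS"])
            pending["DTLS"] = 0
        elif line.startswith("Established DTLS connection"):
            out["dtls_sessions"] += 1
    out["cstp_unanswered"] = pending["CSTP"]
    return out

if __name__ == "__main__":
    print(analyse_dpd(SAMPLE_LOG))
```

On the sample, the CSTP probes are all answered while four DTLS probes go unanswered before the dead-peer message, which matches the pattern at the end of the log above.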

