Openconnect cannot connect

David Woodhouse dwmw2 at infradead.org
Tue Jul 2 07:31:35 EDT 2013


On Tue, 2013-07-02 at 13:20 +0200, Thomas Richter wrote:
> Dear openconnect members,
> 
> how can it happen that from some access points, openconnect does not
> get any type of connection at all? This happened yesterday at the Vienna
> airport, with the attached connection log. At that point, openconnect
> just got stuck, no further log output, but no tunnel either.
> 
> The cisco anyconnect client was successful under the very same 
> situation, so I wonder what was going on there? The vpn endpoint was 
> reachable.

Looks like a typical broken firewall on the server side.

You request a page, over a link which has an MTU lower than the normal
1500 bytes. Perhaps the location you were connecting from was through a
tunnel or a PPPoE link or something?

Server tries to send a 1500-byte packet to you. Some intermediate
router realises it won't fit into the tunnel/PPPoE/whatever and sends
back an ICMP "needs fragmentation" error. The server is *supposed* to
see that, and resend the data in smaller packets. If a broken firewall
eats the ICMP, the server never notices and just keeps sending the same
too-big packets over and over again.

If you reduce the MTU on your *local* Ethernet, does that make things
work? It'll set the MSS in the TCP negotiation lower, so the server
won't send packets which are as large. 

Not entirely sure what the Cisco client would be doing differently. If
you could capture its connection with tcpdump, and the openconnect one,
we could compare. Perhaps it's lowering its MSS somehow; is there a
sockopt that will do that?

But really, the right fix is to round up all the sysadmins who like to
block ICMP, and break their fingers.

-- 
dwmw2
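As an added illustration, not part of this thread and not OpenConnect's own code, the following Python script covers the two practical points in the reply above: it scans a constructed, simplified tcpdump-style capture for the path-MTU black-hole signature (the peer retransmitting the same full-MSS segment unchanged while the transfer never advances), and it shows the socket option the reply asks about, TCP_MAXSEG, which on Linux lowers the MSS a socket advertises when it is set before connect(). The capture lines, addresses and MSS values are constructed, and the helper names are mine.

```python
import re
import socket
from collections import Counter

# Header overhead with no TCP options: IPv4 (20) + TCP (20), IPv6 (40) + TCP (20).
IPV4_TCP_OVERHEAD = 40
IPV6_TCP_OVERHEAD = 60

# Constructed, simplified tcpdump-style capture (not a real trace): the client's
# 511-byte request is acknowledged, then the server sends the same full-size
# 1460-byte segment four times and nothing ever moves past it.
CAPTURE = """\
13:20:01.000000 IP 192.0.2.5.51234 > 203.0.113.10.443: Flags [S], seq 0, win 64240, options [mss 1460,sackOK], length 0
13:20:01.050000 IP 203.0.113.10.443 > 192.0.2.5.51234: Flags [S.], seq 0, ack 1, win 65535, options [mss 1460], length 0
13:20:01.050100 IP 192.0.2.5.51234 > 203.0.113.10.443: Flags [.], ack 1, win 64240, length 0
13:20:01.051000 IP 192.0.2.5.51234 > 203.0.113.10.443: Flags [P.], seq 1:512, ack 1, win 64240, length 511
13:20:01.100000 IP 203.0.113.10.443 > 192.0.2.5.51234: Flags [.], ack 512, win 65535, length 0
13:20:01.101000 IP 203.0.113.10.443 > 192.0.2.5.51234: Flags [.], seq 1:1461, ack 512, win 65535, length 1460
13:20:01.400000 IP 203.0.113.10.443 > 192.0.2.5.51234: Flags [.], seq 1:1461, ack 512, win 65535, length 1460
13:20:02.000000 IP 203.0.113.10.443 > 192.0.2.5.51234: Flags [.], seq 1:1461, ack 512, win 65535, length 1460
13:20:03.200000 IP 203.0.113.10.443 > 192.0.2.5.51234: Flags [.], seq 1:1461, ack 512, win 65535, length 1460
"""

# MSS each endpoint announced in its SYN / SYN-ACK.
SYN_MSS_RE = re.compile(r"^\S+ IP (?P<src>\S+) > \S+: Flags \[S\.?\].*options \[mss (?P<mss>\d+)")
# Data and ACK segments; "seq a:b" is present only when the segment carries payload.
DATA_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\],"
    r"(?: seq (?P<seq>\d+):\d+,)? ack \d+,.* length (?P<len>\d+)$"
)


def mss_for_path_mtu(path_mtu, ipv6=False):
    """Largest TCP payload that fits in one packet on a path with this MTU."""
    overhead = IPV6_TCP_OVERHEAD if ipv6 else IPV4_TCP_OVERHEAD
    if path_mtu <= overhead:
        raise ValueError("path MTU leaves no room for a TCP payload")
    return path_mtu - overhead


def analyse_capture(text, default_mss=1460, min_repeats=3):
    """Return the advertised MSS per endpoint and every full-size data segment
    that was retransmitted unchanged at least min_repeats times."""
    advertised = {}
    for line in text.splitlines():
        m = SYN_MSS_RE.match(line)
        if m:
            advertised[m["src"]] = int(m["mss"])
    repeats = Counter()
    for line in text.splitlines():
        m = DATA_RE.match(line)
        if not m or m["seq"] is None:
            continue
        length = int(m["len"])
        # A sender sizes its segments by the MSS its peer advertised, so a segment
        # counts as full size when it reaches the MSS announced by the destination.
        if length < advertised.get(m["dst"], default_mss):
            continue
        repeats[(m["src"], m["dst"], int(m["seq"]), length)] += 1
    stuck = [
        {"src": src, "dst": dst, "seq": seq, "length": length, "repeats": n}
        for (src, dst, seq, length), n in repeats.items()
        if n >= min_repeats
    ]
    return {"advertised_mss": advertised, "stuck_segments": stuck}


def clamp_mss(sock, mss):
    """Lower the MSS this socket will advertise (Linux TCP_MAXSEG; must be set
    before connect()). Returns the value the kernel reports back."""
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG, mss)
    return sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG)


if __name__ == "__main__":
    result = analyse_capture(CAPTURE)
    print("advertised MSS:", result["advertised_mss"])
    for seg in result["stuck_segments"]:
        print(f"{seg['src']} -> {seg['dst']}: {seg['length']}-byte segment at seq "
              f"{seg['seq']} sent {seg['repeats']} times with no progress (PMTU black hole?)")
    for mtu in (1492, 1400):  # e.g. PPPoE, a typical tunnel
        print(f"path MTU {mtu}: clamp MSS to {mss_for_path_mtu(mtu)}")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("socket now advertises MSS", clamp_mss(s, mss_for_path_mtu(1400)))
```

The detector keys on the combination the reply describes: the segment that keeps being retransmitted is the largest the peer is allowed to send, while the smaller request in the other direction was acknowledged normally. Ordinary loss retransmits segments of any size and makes progress afterwards. Lowering the local interface MTU has the same effect as `clamp_mss` without touching the application, which is why the reply suggests it as the first check.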