Diagnosing error "SSL read error: The TLS connection was non-properly terminated"

Kevin Cernekee cernekee at gmail.com
Thu Apr 17 16:18:42 PDT 2014


On Thu, Apr 17, 2014 at 2:29 PM, John Hendy <jw.hendy at gmail.com> wrote:
> I finally got openconnect to work with my company's Cisco VPN system
> via some various help from the web and a co-worker on setting up a
> csd-wrapper. However, I'm getting constant disconnection/reconnection
> behaviors. Here's the output from my recent session:
> - http://pastebin.com/wyHTzjwR
>
> That error is generated every few seconds. One internal site seems to
> go on operating reasonably fine (though very slow), while my company
> mail client (browser-based) won't send any emails and requests
> frequent re-authentication.
>
> Here's the ~/.cisco/csd-wrapper.sh script used:

I would not expect the CSD wrapper to interfere with a connection that
has already been established.  It should be a one-shot deal,
pre-logon.

Can you confirm that cstub isn't running in the background while the
connection is up?

> Is this the case of a simple openconnect argument I'm not using/need
> to specify or something else? Consider me completely ignorant with
> respect to network/tunneling/etc., but I'm happy to collect any other
> information suggested and post back. This is what seemed obvious to
> start with, and I couldn't find any hits for the exact error I'm
> getting. In fact, searching Google for the exact phrase "SSL read
> error: The TLS connection was non-properly terminated" only gets me
> the pastebin I just posted.
>
> Is this an error message specific to my company, or should these
> messages be standard across all of them?

The error corresponds to GNUTLS_E_PREMATURE_TERMINATION.

I think this means that we were expecting to read a TLS record, but
the connection was unexpectedly closed.  You could check this with
tcpdump/wireshark and see if there is a TCP RST originating from the
other side.

What versions of openconnect and GnuTLS are you running?  Have you
tried upgrading?
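
One way to carry out the tcpdump check suggested above, as an added example that is not part of the original message: the script scans a capture for TCP RST segments and reports whether each one came from the VPN gateway. It assumes a classic pcap file with Ethernet/IPv4 framing (what `tcpdump -w` writes); the function names, addresses and sample capture are constructed for illustration.

```python
import socket
import struct

def tcp_resets(pcap, gateway_ip):
    """Return (ts, src, dst, from_gateway) for each TCP RST in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    hits, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14-byte Ethernet header; ethertype 0x0800 = IPv4; IP protocol 6 = TCP
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip IP header (IHL words)
        if len(tcp) < 14 or not tcp[13] & 0x04:  # 0x04 = RST flag
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        hits.append((ts_sec + ts_usec / 1e6, src, dst, src == gateway_ip))
    return hits

def _frame(src, dst, sport, dport, flags):
    """Constructed sample frame: Ethernet + IPv4 + TCP, checksums left zero."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return eth + ip + tcp

def sample_capture():
    """Constructed capture: a client ACK, then a RST sent by the gateway."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, args in [(100, ("192.0.2.10", "198.51.100.1", 40000, 443, 0x10)),
                     (103, ("198.51.100.1", "192.0.2.10", 443, 40000, 0x04))]:
        f = _frame(*args)
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ts, src, dst, from_gw in tcp_resets(sample_capture(), "198.51.100.1"):
        print(f"{ts:.3f} RST {src} -> {dst} ({'gateway' if from_gw else 'local side'})")
```

A RST attributed to the gateway shortly before each "SSL read error" line points at the server or a middlebox closing the session; a RST from the local side points at the client host instead.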


