Diagnosing error "SSL read error: The TLS connection was non-properly terminated"

John Hendy jw.hendy at gmail.com
Thu Apr 17 20:21:49 PDT 2014


On Thu, Apr 17, 2014 at 9:08 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Thu, Apr 17, 2014 at 6:46 PM, John Hendy <jw.hendy at gmail.com> wrote:
>> $ sudo pacman -Q | grep curl
>> curl 7.36.0-1
>>
>> I can't connect with that script -- my credentials get denied and
>> there's a message to contact my company IT Help Desk. If I recall
>> correctly, I used to get that message when trying with the anyconnect
>> client if I hadn't started the /etc/rc.d/hostscan service.
>
> Hmm, OK, I'm probably missing some data from the request.
>
>>> Could you post the result from connecting with "openconnect -v" so we
>>> can see if the gateway has DTLS disabled?
>>
>> Here's the verbose output using the csd-wrapper.sh I posted earlier:
>> - http://pastebin.com/5ZcNpUuj
>
> If DTLS is enabled on the gateway you should see some X-DTLS fields, like this:
>
> Got CONNECT response: HTTP/1.1 200 OK
> X-CSTP-Version: 1
> X-CSTP-Address: 192.168.6.14
> X-CSTP-Netmask: 255.255.255.0
> X-CSTP-Address: 2001:db8::2
> X-CSTP-Netmask: 2001:db8::2/32
> X-CSTP-Lease-Duration: 1209600
> X-CSTP-Session-Timeout: none
> X-CSTP-Idle-Timeout: 36000
> X-CSTP-Disconnected-Timeout: 36000
> X-CSTP-Keep: true
> X-CSTP-Tunnel-All-DNS: false
> X-CSTP-Rekey-Time: 240
> X-CSTP-Rekey-Method: new-tunnel
> X-CSTP-DPD: 30
> X-CSTP-Keepalive: 20
> X-CSTP-MSIE-Proxy-Lockdown: true
> X-CSTP-Smartcard-Removal-Disconnect: true
> X-DTLS-Session-ID:
> 88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
> X-DTLS-Port: 443
> X-DTLS-Keepalive: 20
> X-DTLS-DPD: 30
> X-DTLS-Rekey-Time: 240
> X-CSTP-MTU: 1406
> X-DTLS-CipherSuite: AES128-SHA
> X-CSTP-Routing-Filtering-Ignore: false
> X-CSTP-Quarantine: false
> X-CSTP-Disable-Always-On-VPN: false
> X-CSTP-TCP-Keepalive: true
> X-CSTP-Post-Auth-XML: <elided>
> CSTP connected. DPD 30, Keepalive 20
> DTLS option X-DTLS-Session-ID :
> 88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
> DTLS option X-DTLS-Port : 443
> DTLS option X-DTLS-Keepalive : 20
> DTLS option X-DTLS-DPD : 30
> DTLS option X-DTLS-Rekey-Time : 240
> DTLS option X-DTLS-CipherSuite : AES128-SHA
> DTLS initialised. DPD 30, Keepalive 20
> Connected (script) as 192.168.6.14 + 2001:db8::2/32, using SSL
> No work to do; sleeping for 20000 ms...
> No work to do; sleeping for 20000 ms...
> Established DTLS connection (using OpenSSL). Ciphersuite AES128-SHA.
>
>
> If you can get in touch with your ASA admin, they can re-enable DTLS
> (i.e. disable no-tls mode) with these commands:
>
> config term
> webvpn
> enable outside
>
> That is the first thing I would try if experiencing performance or
> stability problems on a poor connection.

Hmmm. I can try. This is an 80k employee, worldwide company, and I've
experienced approximately no response for other requests...

I'll start with an IT contact I have to test the waters :)

Thanks for the suggestion.
John
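Kevin's rule of thumb above (X-DTLS-* fields in the CONNECT response mean the gateway offers DTLS; "Established DTLS connection" means it actually came up) as a small log-triage script. This is an added example, not code from the thread or from openconnect; the two sample logs are constructed and the session ID is a made-up placeholder.

```python
import re

# Constructed samples modelled on the "openconnect -v" output quoted above.
# The X-DTLS-Session-ID value is wrapped onto its own line, as the mail
# client did in the thread; the ID itself is a placeholder.
WITH_DTLS = """Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: 192.168.6.14
X-DTLS-Session-ID:
0123456789ABCDEF0123456789ABCDEF
X-DTLS-Port: 443
X-DTLS-CipherSuite: AES128-SHA
CSTP connected. DPD 30, Keepalive 20
Connected (script) as 192.168.6.14, using SSL
Established DTLS connection (using OpenSSL). Ciphersuite AES128-SHA.
"""
WITHOUT_DTLS = """Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Address: 192.168.6.14
CSTP connected. DPD 30, Keepalive 20
Connected (script) as 192.168.6.14, using SSL
"""

HEADER_RE = re.compile(r"^(X-(?:CSTP|DTLS)-[A-Za-z0-9-]+):\s*(.*)$")

def parse_connect_headers(log_text):
    """Collect X-CSTP-*/X-DTLS-* headers; an empty value takes the next
    non-header, colon-free line as a wrapped continuation."""
    lines = [l.strip() for l in log_text.splitlines()]
    headers, i = {}, 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m:
            name, value = m.group(1), m.group(2).strip()
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if not value and nxt and ":" not in nxt:
                value, i = nxt, i + 1
            headers[name] = value
        i += 1
    return headers

def diagnose_dtls(log_text):
    """Was DTLS offered by the gateway, did it come up, or is this TLS only?"""
    headers = parse_connect_headers(log_text)
    offered = bool(headers.get("X-DTLS-Session-ID")) and "X-DTLS-Port" in headers
    established = any(l.startswith("Established DTLS connection")
                      for l in log_text.splitlines())
    if established:
        return "dtls-established"
    if offered:
        return "dtls-offered-not-established"  # UDP path to X-DTLS-Port blocked?
    return "no-dtls-offered"  # no X-DTLS-* fields at all: gateway is TLS only
```

Run it over the CONNECT response block of your own `openconnect -v` output; "no-dtls-offered" is the case Kevin suggests taking to the ASA admin.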



More information about the openconnect-devel mailing list