ocserv:could not determine the owner of received UDP packet

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Apr 18 23:34:03 PDT 2014


On Sat, 2014-04-19 at 10:04 +0800, Niclau Liu wrote:
> >That's interesting. Could it be that the client changed its DTLS source
> >port number? You can currently see that using wireshark, or you could
> >try ocserv from the repository which now prints that information.
> Yes, the source port has changed. Wireshark log in attachment. Is it because of the NAT?

I was thinking of very esoteric things, and indeed you found the answer
and it is pretty simple. Indeed it is the NAT, and you need to keep DPD
under that timeout value to keep the UDP session open.

> >I'm afraid that there is something not nice there. The server shouldn't
> >have disassociated the UDP session from that process, not unless the
> >client changed its port, or it's some issue of the linux kernel (the udp
> >fd passing we do to the appropriate process is pretty undocumented).
> But openvpn in udp mode works fine.

As far as I remember, openvpn follows a quite different design. I believe
everything is handled in a single process unless it is run from inetd or
so; but I may be wrong on the latest versions.

> One more issue: what is "web authentication required" in the AnyConnect 3.1 client?

No idea about that. Most probably you'll need to enable more debugging
on the server to see what it requests.

regards,
Nikos
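As an added example (not ocserv's or OpenConnect's own code) of the diagnosis in the thread above: the script below scans a constructed, Wireshark-style UDP packet summary for a client whose DTLS source port changes, and brackets the NAT's UDP mapping timeout from the idle gaps, which is the value the DPD interval must stay under. The `Packet` fields, the client address and the timings are all constructed for the example.

```python
from collections import namedtuple

# One row of a Wireshark-style UDP summary (fields chosen for this example).
Packet = namedtuple("Packet", "ts src_ip src_port dst_port")

# Constructed trace: a client behind NAT sends DTLS to ocserv on UDP 443 every
# 20 s, then goes idle for 140 s. The NAT drops the mapping and the next packet
# leaves with a new source port, which is what the server saw in the thread.
SAMPLE = [
    Packet(0.0,   "203.0.113.7", 54001, 443),
    Packet(20.0,  "203.0.113.7", 54001, 443),
    Packet(40.0,  "203.0.113.7", 54001, 443),
    Packet(180.0, "203.0.113.7", 54007, 443),  # rebind after 140 s idle
    Packet(200.0, "203.0.113.7", 54007, 443),
]


def find_rebinds(packets):
    """Return (ts, old_port, new_port, idle_gap) for every source-port change
    of the same client IP toward the same server port."""
    last = {}  # (src_ip, dst_port) -> (ts, src_port) of the previous packet
    rebinds = []
    for p in sorted(packets, key=lambda q: q.ts):
        key = (p.src_ip, p.dst_port)
        if key in last and last[key][1] != p.src_port:
            rebinds.append((p.ts, last[key][1], p.src_port, p.ts - last[key][0]))
        last[key] = (p.ts, p.src_port)
    return rebinds


def nat_timeout_bounds(packets):
    """Bracket the NAT's UDP mapping timeout: an idle gap the mapping survived
    (same port afterwards) is a lower bound, a gap followed by a rebind is an
    upper bound. Returns (lower, upper); either is None if unobserved."""
    survived, expired = [], []
    last = {}
    for p in sorted(packets, key=lambda q: q.ts):
        key = (p.src_ip, p.dst_port)
        if key in last:
            gap = p.ts - last[key][0]
            (expired if last[key][1] != p.src_port else survived).append(gap)
        last[key] = (p.ts, p.src_port)
    return (max(survived) if survived else None,
            min(expired) if expired else None)


if __name__ == "__main__":
    for ts, old, new, gap in find_rebinds(SAMPLE):
        print(f"t={ts:.0f}s: source port {old} -> {new} after {gap:.0f}s idle")
    lower, upper = nat_timeout_bounds(SAMPLE)
    print(f"NAT UDP timeout is between {lower:.0f}s and {upper:.0f}s; "
          f"keep the DPD interval below {lower:.0f}s")
```

Only the gaps the mapping actually survived are proven safe, so the DPD interval should be chosen from the lower bound, not from the gap that triggered the rebind.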

More information about the openconnect-devel mailing list