Losing connection with Unknown DTLS packet

Daniel Lenski dlenski at gmail.com
Mon Nov 28 11:59:33 PST 2016


On Mon, Nov 28, 2016 at 10:47 AM, Stuart Luppescu <slu at ccsr.uchicago.edu> wrote:
> On Sat, 2016-11-26 at 12:23 -0500, Daniel Lenski wrote:
>> Can you run as openconnect -vvvvv to show maximal verbosity of
>> debugging output? Does the more verbose output give additional
>> information about what's going wrong?
>
> I tried this and got a 56MB file with 1325033 lines. I grep'ed for
> error but nothing came up. I don't know what to search for in that big
> file. However, at the console I got these messages:

Search for the original errors in the more verbose output ("Unknown
DTLS packet").

Does the more verbose output show additional pertinent information
*around* these errors?

>
> CSTP Dead Peer Detection detected dead peer!
> Failed to reconnect to host cvpn.uchicago.edu: No route to host
> DTLS got write error: Error in the push function.. Falling back to SSL
> DTLS handshake failed: Resource temporarily unavailable, try again.
> CSTP Dead Peer Detection detected dead peer!
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Failed to reconnect to host cvpn.uchicago.edu: Connection timed out
> Reconnect failed
> RTNETLINK answers: No such process
> Unknown error; exiting.

These errors are indicating that OC can't connect to the HTTPS side of
the VPN (port 443). What does the log show *before* these errors?

Your previous errors suggest a different problem, something specific
to the DTLS tunnel, not the HTTPS tunnel.

If you run with `openconnect --no-dtls` do you get a stable connection?

This prevents OC from using the better-performing DTLS tunnel, and
forces it to only use the HTTPS tunnel, which is usually "less
broken."

-Dan
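One way to do the search Dan asks for, as an added example that is not part of this thread: a small Python script that streams the large `-vvvvv` log once, keeps a few lines of context around every DTLS or CSTP/HTTPS error quoted above, and reports which tunnel failed first. The matched message fragments are the ones quoted in the thread; the sample log lines are constructed.

```python
"""Context windows around DTLS / CSTP errors in an openconnect -vvvvv log.

Added example, not from the original thread. The log is read as a stream, so
a 56MB / 1.3M-line file costs only the ring buffer of `before` lines.
"""
import re
from collections import deque

# Message fragments quoted in the thread, grouped by the tunnel they concern.
PATTERNS = {
    "DTLS": re.compile(r"Unknown DTLS packet|DTLS (got write error|handshake failed)"),
    "CSTP": re.compile(r"CSTP Dead Peer Detection|Failed to reconnect to host|Reconnect failed"),
}


def error_windows(lines, before=3, after=2):
    """Return one window per matching line: line number, tunnel, and up to
    `before` preceding plus `after` following lines, so the reader sees what
    happened *around* the error rather than just the error itself."""
    history = deque(maxlen=before)      # ring buffer of recent lines
    windows, pending = [], []           # pending: windows still gathering trailing lines
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        for w in pending:
            w["context"].append(line)
        pending = [w for w in pending if len(w["context"]) < w["want"]]
        for tunnel, rx in PATTERNS.items():
            if rx.search(line):
                w = {"line_no": n, "tunnel": tunnel,
                     "context": list(history) + [line],
                     "want": len(history) + 1 + after}
                windows.append(w)
                pending.append(w)
                break
        history.append(line)
    return windows


def first_failing_tunnel(windows):
    """Tunnel named by the earliest error, or None if the log has none."""
    return windows[0]["tunnel"] if windows else None


# Constructed sample: a DTLS failure, then the CSTP-side reconnect failures.
SAMPLE_LOG = """\
Connected as 10.0.0.2, using SSL
Established DTLS connection (using GnuTLS)
Received DTLS packet 0x00 of 1400 bytes
Unknown DTLS packet type 2f, len 40
Unknown DTLS packet type 2f, len 40
DTLS got write error: Error in the push function.. Falling back to SSL
CSTP Dead Peer Detection detected dead peer!
Failed to reconnect to host cvpn.uchicago.edu: No route to host
Reconnect failed
""".splitlines(keepends=True)
```

Run it on the real file with `error_windows(open("oc.log", errors="replace"))` and print each window; the first window's tunnel tells you whether the DTLS side or the HTTPS side broke first.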
