MTU mismatch with 7.08 and "Unknown DTLS packet"

Chaskiel Grundman cgrundman at gmail.com
Wed Jan 3 15:09:47 PST 2018


I am running:
OpenConnect version v7.08
Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP
software token, TOTP software token, Yubikey OATH, System keys, DTLS

on Ubuntu artful. I'm not sure when this started, but openconnect is
detecting and using a lower MTU than the VPN gateway and this causes
problems for large UDP and ICMP packets. At login, it logs this:

Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 60, Keepalive 120
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1300 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1299 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1298 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1297 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1296 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1295 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1294 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1293 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1292 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1291 -5)
Detected MTU of 1290 bytes (was 1300)

This seems to be the result of gnutls deciding that the DTLS max
message size is 1290.
Remote applications doing Path MTU detection (or TCP using MSS
options) use an MTU of 1300 and an MSS of 1260.

On this connection, the VPN gateway seems to chop up a 1291-1300 byte
packet into 2 DTLS messages. One is processed normally, and one
generates an error:
Unknown DTLS packet type 7e, len 10
or
Failed to write incoming packet: Invalid argument

Based on tests with ping's -p switch, the "packet type" is just a byte
of tunneled packet data.

The official client seems to work with this gateway, using an MTU of
1300 on the tunnel interface.
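The following is an added model of the failure described above; it is not OpenConnect or GnuTLS code and it was not posted by the author. It assumes the AnyConnect DTLS framing OpenConnect uses (a one-byte packet type, 0x00 for data, in front of the tunneled IP packet), that the gateway cuts an IP packet larger than the client's detected MTU at that MTU and sends the remainder as a second record with no type byte of its own, and that the client hands data packets to a tun device which rejects anything not starting with an IP version nibble with EINVAL. The packet builder, the addresses and the constants are constructed for the example. Running it with a 1300-byte ping whose payload is `-p 7e` reproduces the "Unknown DTLS packet type 7e, len 10" line; the same packet with an all-zero payload gives the "Invalid argument" variant, which is one reading of why both messages appear.

```python
"""Model of the DTLS framing mismatch described in the post.

Added example, not OpenConnect or GnuTLS code.  Assumptions: the
AnyConnect DTLS framing is a one-byte packet-type header followed by
the tunneled IP packet; the gateway cuts an IP packet larger than the
client's detected MTU at that MTU and sends the tail as a second,
unframed DTLS record; the client writes data packets to a tun device
that rejects anything whose first nibble is not an IP version.
"""
import struct

# Packet-type values as used by the AnyConnect DTLS framing (assumed).
AC_PKT_DATA = 0x00
AC_PKT_DPD_OUT = 0x03
AC_PKT_DPD_RESP = 0x04
AC_PKT_KEEPALIVE = 0x07
KNOWN = {AC_PKT_DATA: "data", AC_PKT_DPD_OUT: "dpd-req",
         AC_PKT_DPD_RESP: "dpd-resp", AC_PKT_KEEPALIVE: "keepalive"}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum for the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(total_len: int, pattern: int) -> bytes:
    """Constructed IPv4 ICMP echo request of exactly total_len bytes whose
    payload is filled with `pattern`, as `ping -p XX -s (total_len - 28)`
    produces (20-byte IP header + 8-byte ICMP header).  Addresses are
    made up for the example."""
    payload = bytes([pattern]) * (total_len - 28)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 1, 0,
                      bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + icmp


def gateway_send(ip_packet: bytes, client_mtu: int) -> list:
    """Gateway model (assumption drawn from the post): frame the packet as
    a data record; if it exceeds the client's detected MTU, cut it there
    and send the tail as a second record with no type byte of its own."""
    framed = bytes([AC_PKT_DATA]) + ip_packet
    if len(ip_packet) <= client_mtu:
        return [framed]
    return [framed[:client_mtu + 1], framed[client_mtu + 1:]]


def tun_accepts(pkt: bytes) -> bool:
    """Model of a tun write: the kernel picks the protocol from the IP
    version nibble and returns EINVAL for anything else."""
    return len(pkt) > 0 and (pkt[0] >> 4) in (4, 6)


def client_receive(record: bytes):
    """Client dispatch model: the first byte of each DTLS record payload is
    taken as the packet type, whatever it actually is."""
    ptype = record[0]
    if ptype == AC_PKT_DATA:
        pkt = record[1:]
        if not tun_accepts(pkt):
            return ("tun-error", "Failed to write incoming packet: Invalid argument")
        return ("data", len(pkt))
    if ptype in KNOWN:
        return (KNOWN[ptype], len(record))
    return ("unknown", "Unknown DTLS packet type %02x, len %d" % (ptype, len(record)))


def simulate(total_len: int, pattern: int, client_mtu: int = 1290) -> list:
    """Push one ping packet of total_len bytes through the gateway model and
    return what the client makes of each DTLS record it receives."""
    pkt = build_icmp_echo(total_len, pattern)
    return [client_receive(rec) for rec in gateway_send(pkt, client_mtu)]


if __name__ == "__main__":
    for size in (1290, 1291, 1300):
        for pat in (0x7E, 0x00):
            print(size, "%02x" % pat, simulate(size, pat))
```

To check the boundary against a real gateway, an IPv4 ICMP echo of total length N corresponds to `ping -M do -s $((N-28)) -p 7e <host>`; sizes 1291 through 1300 are the ones that straddle the two MTUs. Note that the first record of a split packet is accepted by the tun device even though its IP header claims 1300 bytes and only 1290 arrive, so the IP stack discards it as truncated afterwards, which is how the reported problems with large UDP and ICMP packets arise under this model.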
