MTU mismatch with 7.08 and "Unknown DTLS packet"

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sat Jan 6 00:51:45 PST 2018


On Fri, 2018-01-05 at 11:31 -0500, Chaskiel Grundman wrote:
> It turns out I was mistaken. The gateway does *not* split the packet
> into 2 DTLS packets. It sends one large DTLS packet and openconnect
> reads the first 1290 bytes of plaintext as one packet and the rest as
> another.
> 
> I do not use official anyconnect clients myself except on windows,
> which I have gotten a capture from. The ciphersuites are identical.
> The captures include the dtls handshake, and the largest data packet
> sent during setup. The linux capture also includes the packets
> corresponding to a >1290 byte ping (I used 1391 instead of 1291, so
> there's extra stuff coming back from the gateway corresponding to the
> IP fragmentation, but that does not obscure the fact that the gateway
> sends a packet with a 1344 byte DTLS payload, but the max that
> openconnect sends is 1328)

The openconnect client is quite strict with the data received by the
peer. It expects that the peer will have the same view on its
calculated MTU. Could you try this (untested) patch on the client? Does it
improve the situation?

regards,
Nikos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-the-server-to-exceed-the-calculate-MTU-size-by.patch
Type: text/x-patch
Size: 3126 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20180106/ce6ddedd/attachment.bin>
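To make the mismatch described in the thread concrete, here is a small added model (not openconnect code, not the attached patch) of what happens when a datagram receiver sizes its read buffer to its own calculated plaintext MTU (1290 bytes, from the report) while the gateway sends a larger payload (1344 bytes). The receive semantics modelled are the usual ones for datagram sockets: a read delivers at most the buffer size and the excess does not arrive as part of that read. The check that follows compares the IPv4 total-length field of the decrypted packet with the number of bytes actually delivered, which turns a silent mis-parse into a detectable "short" or "trailing" condition. The IPv4 datagram is constructed inline; the slack value is an assumption, not a figure from the thread.

```python
"""Model of an MTU mismatch between a tunnel client and its gateway.

Added illustration, not code from openconnect or from the patch mentioned
in the mail. CALCULATED_MTU and SERVER_PAYLOAD are the figures reported in
the thread; everything else is constructed for the demonstration.
"""
import struct

CALCULATED_MTU = 1290   # plaintext MTU the client calculated (from the thread)
SERVER_PAYLOAD = 1344   # DTLS payload size the gateway actually sent (from the thread)


def build_ipv4_datagram(payload_len: int) -> bytes:
    """Constructed sample: a minimal IPv4/UDP header followed by a zero
    payload, so the IP total-length field equals 20 + payload_len."""
    total_len = 20 + payload_len
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0,               # DSCP/ECN
        total_len,       # total length: header + payload
        0, 0,            # identification, flags/fragment offset
        64,              # TTL
        17,              # protocol: UDP
        0,               # header checksum (left zero in this model)
        bytes([10, 0, 0, 1]),
        bytes([10, 0, 0, 2]),
    )
    return header + bytes(payload_len)


def recv_into(buf_size: int, datagram: bytes):
    """Model datagram recv() semantics: at most buf_size bytes are delivered
    in one read. Returns (delivered_bytes, truncated_flag)."""
    return datagram[:buf_size], len(datagram) > buf_size


def check_ipv4_length(data: bytes):
    """Compare the IPv4 total-length field with the bytes actually received.

    Returns (declared_total_length, status) where status is:
      'ok'       declared length matches what was received,
      'short'    declared length exceeds what was received (truncation, or
                 the buffer was smaller than the peer's packet),
      'trailing' bytes remain after the declared IP packet (a second packet
                 was glued onto this read).
    """
    if len(data) < 20:
        return None, "short"
    total_len = struct.unpack("!H", data[2:4])[0]
    if total_len > len(data):
        return total_len, "short"
    if total_len < len(data):
        return total_len, "trailing"
    return total_len, "ok"


def receive(buf_size: int, datagram: bytes) -> dict:
    """Read one datagram into a buffer of buf_size bytes and validate it."""
    data, truncated = recv_into(buf_size, datagram)
    declared, status = check_ipv4_length(data)
    return {"received": len(data), "truncated": truncated,
            "declared": declared, "status": status}


def receive_with_slack(mtu: int, slack: int, datagram: bytes) -> dict:
    """Same read, but the buffer tolerates a peer that exceeds the calculated
    MTU by up to `slack` bytes (slack is an assumed value for illustration)."""
    return receive(mtu + slack, datagram)


if __name__ == "__main__":
    pkt = build_ipv4_datagram(SERVER_PAYLOAD - 20)   # 1344-byte IP packet
    print("strict buffer:", receive(CALCULATED_MTU, pkt))
    print("with slack:   ", receive_with_slack(CALCULATED_MTU, 64, pkt))
```

With the strict buffer the read delivers 1290 bytes while the IP header declares 1344, so the length check reports "short" instead of the client quietly treating the remainder as a separate packet; with a buffer that allows the peer some headroom over the calculated MTU, the same packet is delivered whole.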

