dead connection after "Error in the pull function"

Daniel Lenski dlenski at gmail.com
Wed Aug 10 11:36:46 PDT 2022


On Wed, Aug 10, 2022 at 1:21 AM Bernd Schubert
<bernd.schubert at fastmail.fm> wrote:
> I had found this thread
>
> https://askubuntu.com/questions/1273285/vpn-openconnect-pulse-disconnects-itself-in-ubuntu-20
>
> and according to the discussion the issue is supposed to be resolved
> with 8.20.

No.

I think you are referring to my comment
(https://askubuntu.com/a/1368954) on that discussion. As my comment
indicates, the issue that was fixed in v8.20 is…

(a) Only applicable to connecting with --protocol=nc, NOT RELEVANT to
connecting with --protocol=pulse. Pulse servers typically support both
protocols.

(b) A different kind of error. The error YOU are encountering is an
error in the SSL/TLS channel of the VPN; the error described in that
discussion is an error in the ESP channel.

> Any idea what is going on

My theory is that, because we have no known keepalive mechanism for
the Pulse TLS channel, it eventually gets disconnected due to some
TCP/TLS socket timeout.

> … or how to debug it?

(1) Add --timestamp so that you can see if there's a reproducible
timing of the problem. For example, does it always occur exactly 10
minutes after you initially connect?

(2) You describe this problem as a "dead connection", but it appears
from your log that OpenConnect is successfully detecting the loss of
connectivity on the SSL channel and reconnecting. Does the VPN
continue working after reconnecting?

```
Send ESP probes for DPD
Send ESP probes for DPD
Send ESP probes for DPD
Read error on SSL session: Error in the pull function.     <-- error here
SSL negotiation with <server>
Connected to HTTPS on <server> with ciphersuite (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)
Got HTTP response: HTTP/1.1 101 Switching Protocols
…
<continues to reconnect and refetch the configuration>
```

Dan
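
Added example, not part of the original message and not OpenConnect code: a small script for debugging step (1) that measures how long each TLS session lived before the "Read error on SSL session" line, to show whether the drop happens at a fixed interval. It assumes --timestamp prefixes each log line with "[YYYY-MM-DD HH:MM:SS] "; the sample log, the hostname vpn.example.com and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed --timestamp prefix: "[YYYY-MM-DD HH:MM:SS] message"
TS_LINE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")
CONNECTED = "Connected to HTTPS on"        # message text as quoted in the log above
READ_ERROR = "Read error on SSL session"   # message text as quoted in the log above

# Constructed sample log (not real output)
SAMPLE_LOG = """\
[2022-08-10 09:00:00] Connected to HTTPS on vpn.example.com with ciphersuite (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)
[2022-08-10 09:00:01] Got HTTP response: HTTP/1.1 101 Switching Protocols
[2022-08-10 09:05:00] Send ESP probes for DPD
[2022-08-10 09:10:01] Read error on SSL session: Error in the pull function.
[2022-08-10 09:10:02] SSL negotiation with vpn.example.com
[2022-08-10 09:10:03] Connected to HTTPS on vpn.example.com with ciphersuite (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)
[2022-08-10 09:15:03] Send ESP probes for DPD
[2022-08-10 09:20:05] Read error on SSL session: Error in the pull function.
"""

def session_lifetimes(log_text):
    """Seconds from each TLS connect to the next read error on that session."""
    lifetimes, connected_at = [], None
    for line in log_text.splitlines():
        m = TS_LINE.match(line)
        if not m:
            continue  # untimestamped or wrapped continuation line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith(CONNECTED):
            connected_at = ts
        elif msg.startswith(READ_ERROR) and connected_at is not None:
            lifetimes.append((ts - connected_at).total_seconds())
            connected_at = None  # wait for the reconnect before timing again
    return lifetimes

def looks_like_fixed_timeout(lifetimes, tolerance_s=5.0):
    """True if two or more sessions died after nearly the same lifetime."""
    return len(lifetimes) >= 2 and max(lifetimes) - min(lifetimes) <= tolerance_s

if __name__ == "__main__":
    lt = session_lifetimes(SAMPLE_LOG)
    print("session lifetimes (s):", lt)
    print("consistent interval:", looks_like_fixed_timeout(lt))
```

A consistent lifetime across sessions points at a timer (an idle timeout somewhere on the path); widely varying lifetimes point elsewhere.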


>
>
> Thanks,
> Bernd


