Pulse with ESP has problems with Kerberos Tickets

David Woodhouse dwmw2 at infradead.org
Fri May 20 05:45:31 PDT 2022


On Fri, 2022-05-20 at 12:38 +0000, Schütz Dominik wrote:
> Hi,
> 
> On some Ubuntu 20.04 clients with OpenConnect v9.01 and "--protocol=pulse" we have the problem that with ESP the Kerberos tickets are not correct. If you use the official Pulse UI for Ubuntu and ESP, the problems do not occur.
> 
> 
> We get the following messages on port 88:
> # tcpdump -i any -nn -q -e host xx.x.x.x
> ...
> 11:05:39.369009 Out xx.x.xxx.xxx.51144 > xx.x.x.xx.88: UDP, bad length 2007 > 1368

Hm, which end is that capture from? Can you capture at *both* ends? And
is that port 51144 on the client side, sending to the KDC on the VPN?

I suspect a fragmentation issue. Can you reproduce with large ping
packets, e.g. 'ping -s 2000'? Perhaps you can reproduce to a host on
the VPN where you *can* do a packet capture, if capturing on/near the
KDC is hard.
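
Added example, not part of the original message or of OpenConnect: a small filter that reads `tcpdump -q` text and, for each `bad length A > B` line like the one quoted above, reports how large the packet carrying the first B bytes must have been. It assumes IPv4 without options (20-byte header) and an 8-byte UDP header; the function name and the sample addresses are made up for the example.

```shell
#!/bin/sh
# Added example. tcpdump prints "UDP, bad length A > B" when the UDP header
# claims A payload bytes but only B are present in the captured packet,
# which is what the first fragment of a fragmented datagram looks like.
# Assumptions: IPv4 header without options (20 bytes), UDP header 8 bytes.
frag_report() {
    awk '
    /UDP, bad length [0-9]+ > [0-9]+/ {
        for (i = 1; i < NF; i++)
            if ($i == "bad" && $(i + 1) == "length") {
                claimed = $(i + 2)      # payload length from the UDP header
                present = $(i + 4)      # payload bytes actually in this packet
            }
        ip_payload = present + 8        # the UDP header travels in the first fragment
        ip_len = ip_payload + 20        # total IPv4 length of that packet
        # Every fragment except the last carries a multiple of 8 bytes.
        # If this one does not, suspect capture truncation (snaplen) instead.
        aligned = (ip_payload % 8 == 0) ? "yes" : "no"
        printf "udp_payload=%d in_packet=%d first_fragment_ip_len=%d aligned=%s\n",
               claimed, present, ip_len, aligned
    }'
}

# Constructed sample input (documentation addresses, not from the thread).
sample_capture() {
    cat <<'EOF'
11:05:39.100000 Out 192.0.2.10.51100 > 192.0.2.53.88: UDP, length 212
11:05:39.369009 Out 192.0.2.10.51144 > 192.0.2.53.88: UDP, bad length 2007 > 1368
11:05:39.400000 In  192.0.2.53.88 > 192.0.2.10.51100: UDP, length 1290
EOF
}

sample_capture | frag_report
```

For the quoted line this gives a 1396-byte first packet whose IP payload (1376 bytes) is a multiple of 8, which is what a first IP fragment looks like; a `ping -s 2000` is larger than that and would have to be split the same way.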

