TCP Sessions get disconnected at 6, 9 hours

Larry Ploetz lploetz at gmail.com
Wed Feb 21 16:58:28 PST 2024


After 6 hours I don't see any request for a HIP report in openconnect's 
stdout or stderr.

On 2024-02-21 13:29, Larry Ploetz wrote:
> Thanks for the reply Daniel.
>
> On 2024-02-20 00:25, Daniel Lenski wrote:
>>> On Wed, Jan 31, 2024 at 4:16 PM Larry Ploetz <lploetz at gmail.com> wrote:
>>> I've noticed that all my ssh sessions, regardless of when they start
>>> relative to the start of openconnect, get disconnected after openconnect
>>> has been up 6 hours, and 9 hours (about - ± 5 minutes). I assume that
>>> would happen with other long lasting TCP sessions (I've tried with socat
>>> a few times and that seems to be the case).
>> Do you have some reason to think that this has anything to do with
>> OpenConnect per se, as opposed to being a limitation of the servers
>> you're connecting to… or perhaps of some other middlebox on the
>> network?
> All network connections through openconnect disconnect 6 and 9 hours 
> after openconnect is started, regardless of when those network 
> connections began relative to openconnect starting. The PAN VPN box is 
> the only middlebox, and I suspect it a lot, but I haven't heard of 
> anyone here who is using Global Protect having this issue.
>>> I'm using openconnect with GlobalProtect, which has a 12 hour time out.
>> Other than your ssh sessions getting disconnected after 6/9 hours,
>> does the VPN connection continue working normally after that? That is,
>> can you continue opening *new* TCP connections over it?
> Yes, starting new connections works fine after the 6 hour 
> disconnection. It seems like there might be a minute or two while UDP 
> connections to the DNSs don't work, at the 6 and 9 hour marks.
>>> Here's my command:
>>>
>>>      openconnect --csd-wrapper openconnect/trojans/hipreport.sh --protocol=gp --script=/etc/vpnc/vpnc-script --dump-http-traffic --timestamp -vvv --user=larryp --syslog --passwd-on-stdin https://<ELIDED>.com < <ELIDED> > outfile 2> errfile & echo $! > pidfiled
>> Does it connect over TLS, or over ESP? Are there any messages about a
>> requirement to periodically resubmit the HIP report?
>
> I assume TLS, but then I see this line in stderr
>
>    [2024-02-21 12:24:57] No MTU received. Calculated 1326 for ESP tunnel
>
> I don't see any messages about HIP reports other than the ones in 
> stdout at startup of openconnect, but I may have to check again after 
> 18:24 today. I do vaguely recall something about HIP reports - I think 
> that's why I added --csd-wrapper.
>
> Thanks again!
> - Larry
>
>

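One way to check whether the events recorded in `errfile` line up with the 6 and 9 hour marks discussed above, as an added example that is not from the thread or from the openconnect project. It assumes the `[YYYY-MM-DD HH:MM:SS]` prefix that `--timestamp` produces (as in the quoted "No MTU received" line) and treats the first timestamped line as the start of the openconnect run; the sample log is constructed.

```python
"""Correlate openconnect --timestamp log lines with the 6h/9h disconnect marks."""
import re
from datetime import datetime, timedelta

# Prefix printed by openconnect --timestamp, e.g. "[2024-02-21 12:24:57] ..."
_TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")

# Elapsed-time marks reported in the thread, and the observed jitter (about ± 5 min).
MARKS_HOURS = (6, 9)
WINDOW = timedelta(minutes=5)


def parse_log(lines):
    """Return (timestamp, message) tuples for lines carrying a --timestamp prefix."""
    events = []
    for line in lines:
        m = _TS_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def near_marks(events, start=None):
    """Return (elapsed, mark_hours, message) for events whose elapsed time since
    `start` (default: the first timestamped event) is within WINDOW of a mark."""
    if not events:
        return []
    start = start or events[0][0]
    hits = []
    for ts, msg in events:
        elapsed = ts - start
        for h in MARKS_HOURS:
            if abs(elapsed - timedelta(hours=h)) <= WINDOW:
                hits.append((elapsed, h, msg))
    return hits


# Constructed sample resembling `errfile`; only the first line is real
# openconnect output (quoted in the thread), the rest are invented placeholders.
SAMPLE_ERRFILE = """\
[2024-02-21 12:24:57] No MTU received. Calculated 1326 for ESP tunnel
[2024-02-21 12:25:01] (constructed) tunnel established
[2024-02-21 18:22:40] (constructed) example event near the 6h mark
[2024-02-21 21:27:10] (constructed) example event near the 9h mark
[2024-02-21 23:00:00] (constructed) unrelated event
""".splitlines()

if __name__ == "__main__":
    for elapsed, h, msg in near_marks(parse_log(SAMPLE_ERRFILE)):
        print(f"+{elapsed} (~{h}h): {msg}")
```

Run it as `python3 check_marks.py < /dev/null` after replacing `SAMPLE_ERRFILE` with the lines of the real `errfile`; lines without the timestamp prefix are ignored.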