TCP Sessions get disconnected at 6, 9 hours

Daniel Lenski dlenski at gmail.com
Sat Feb 24 16:01:11 PST 2024


First off, what is your `openconnect --version`?

On Wed, Feb 21, 2024 at 11:24 AM Larry Ploetz <lploetz at gmail.com> wrote:
> On 2024-02-20 00:25, Daniel Lenski wrote:
> > Do you have some reason to think that this has anything to do with
> > OpenConnect per se, as opposed to being a limitation of the servers
> > you're connecting to… or perhaps of some other middlebox on the
> > network?
>
> All network connections through openconnect disconnect 6 and 9 hours after openconnect is started, regardless of when those network connections began relative to openconnect starting.

It looks like you're collecting very detailed logs from OpenConnect
already (`--dump-http-traffic -vvv --timestamp`). What do those logs
show around the 6- and 9-hour marks? Anything that's unusual? Anything
*other than* the usual sent-a-packet/received-a-packet traffic?

> The PAN VPN box is the only middlebox, and I suspect it a lot, but I haven't heard of anyone here who is using Global Protect having this issue.

Are the users of the official PAN GP clients keeping SSH sessions open
for 6+ hours like you are?

> > Other than your ssh sessions getting disconnected after 6/9 hours,
> > does the VPN connection continue working normally after that? That is,
> > can you continue opening *new* TCP connections over it?
>
> Yes, starting new connections works fine after the 6 hour disconnection. It seems like there might be a minute or two while UDP connections to the DNSs don't work, at the 6 and 9 hour marks.

Okay, so there's nothing specific to SSH, or even TCP, here. Both TCP
and UDP connections stop working around the 6/9 hour marks.


