TCP Sessions get disconnected at 6, 9 hours

Larry Ploetz lploetz at gmail.com
Sun Feb 25 09:03:44 PST 2024


Sorry, I should have included more information. And thanks for looking 
at this!

On 2024-02-24 18:01, Daniel Lenski wrote:
> First off, what is your `openconnect --version`?

    # openconnect --version
    OpenConnect version v9.12-106-ga79bba7d
    Using GnuTLS 3.7.10. Features present: PKCS#11, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
    Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
    Default vpnc-script (override with --script): ~/etc/vpnc/vpnc-script

Also the 9 hour disconnect is very iffy. The 6 hour disconnect is very 
constant and predictable, and within seconds of 6 hours.

I'll try with

    # openconnect --version
    OpenConnect version v9.12-122-g65853781
    Using GnuTLS 3.8.3. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
    Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
    Default vpnc-script (override with --script): ~/etc/vpnc/vpnc-script

soon. Also

    # uname -a
    Darwin <name>.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:31:00 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T6020 arm64 arm Darwin


> It looks like you're collecting very detailed logs from OpenConnect
> already (`--dump-http-traffic -vvv --timestamp`). What do those logs
> show around the 6- and 9-hour marks? Anything that's unusual? Anything
> *other than* the usual sent-a-packet/received-a-packet traffic?


I've looked at that and not seen anything unusual, but let me examine 
more, right at the 6 hour mark. I /think/ the last messages are only the 
“add host/add net” messages - I'm not seeing packet traffic in the 
stderr log file.


> Are the users of the official PAN GP clients keeping SSH sessions open
> for 6+ hours like you are?


Yes, I believe so. I'll verify.


> Okay, so there's nothing specific to SSH, or even TCP, here. Both TCP
> and UDP connections stop working around the 6/9 hour marks.


Yes, that seems to be the case (with the 9 hour mark being suspect as to 
whether it's consistent).

I'll get back with more information.

·Larry



