GnuTLS error (at worker-vpn.c:1573): Error in the pull function.

onehalf3544 onehalf3544 at gmail.com
Wed Oct 22 04:19:42 PDT 2025


Hi!

openconnect client (for Android v1.12) gets disconnected ~every 30 minutes:

server log (ocserv 1.3.0-2 amd64 from debian 13)
===
Oct 22 11:43:58 server_fqdn ocserv[122365]: TLS[<3>]: ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:568
Oct 22 11:43:58 server_fqdn ocserv[122365]: TLS[<3>]: ASSERT: ../../lib/record.c[recv_headers]:1169
Oct 22 11:43:58 server_fqdn ocserv[122365]: TLS[<3>]: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1292
Oct 22 11:43:58 server_fqdn ocserv[122365]: TLS[<3>]: ASSERT: ../../lib/record.c[gnutls_record_recv_packet]:1875
Oct 22 11:43:58 server_fqdn ocserv[122365]: worker[username]: user_ip GnuTLS error (at worker-vpn.c:1573): Error in the pull function.
Oct 22 11:43:58 server_fqdn ocserv[122362]: sec-mod: received request from pid 122365 and uid 104
Oct 22 11:43:58 server_fqdn ocserv[122365]: worker[username]: user_ip sending message 'sm: worker cli stats' to secmod
Oct 22 11:43:58 server_fqdn ocserv[122362]: sec-mod: cmd [size=100] sm: worker cli stats
Oct 22 11:43:58 server_fqdn ocserv[122365]: worker[username]: user_ip sent periodic stats (in: 185292, out: 395975) to sec-mod
Oct 22 11:43:58 server_fqdn systemd-networkd[1250]: vpns0: Link DOWN
Oct 22 11:43:58 server_fqdn ocserv[122354]: main[username]:user_ip:4125 worker terminated
Oct 22 11:43:58 server_fqdn ocserv[122354]: main[username]:user_ip:4125 sending msg sm: session close to sec-mod
Oct 22 11:43:58 server_fqdn systemd-networkd[1250]: vpns0: Lost carrier
Oct 22 11:43:58 server_fqdn ocserv[122362]: sec-mod: received request sm: session close
Oct 22 11:43:58 server_fqdn ocserv[122362]: sec-mod: cmd [size=43] sm: session close
Oct 22 11:43:58 server_fqdn ocserv[122362]: sec-mod: temporarily closing session for username (session: jLtp2B)
Oct 22 11:43:58 server_fqdn ocserv[122354]: main[username]:user_ip:4125 user disconnected (reason: unspecified error, rx: 185292, tx: 395975)
===

client does not notice this for quite a long time (10 minutes - is
there a way to shorten this somehow, btw?) and finally gets:
===
2025-10-22 11:54:16 LIB: Read error on SSL session: Error in the pull function.
2025-10-22 11:54:16 LIB: SSL negotiation with server_fqdn
2025-10-22 11:54:16 LIB: Connected to HTTPS on server_fqdn with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-256-GCM)
2025-10-22 11:54:16 LIB: Got inappropriate HTTP CONNECT response: HTTP/1.1 405 Method Not Allowed
===

This probably happens only with UDP/DTLS enabled (need to double-check that).

Seems like (https://gitlab.com/gnutls/gnutls/-/blob/master/lib/record.c?ref_type=heads#L1875 ,
https://gitlab.com/gnutls/gnutls/-/blob/master/lib/buffers.c?ref_type=heads#L568 )
gnutls_read() returns a negative value (but why is there no assertion
param in the log?!), but why that happens... deeper investigation is
needed.

Any tips on debugging this would be welcome (this is, let's say, a
test/non-production server, so I could build a server with any debug).

Thanks.


