not properly disconnected sessions with openconnect

Horváth Szabolcs hszhsz at gmail.com
Tue Sep 15 14:45:31 EDT 2009


Hello!

We've recently installed a new Cisco ASA and Linux guys including me
use OpenConnect v2.01.

We have one issue: it looks like when we disconnect with OpenConnect
by pressing ctrl-c, the ASA doesn't close those connections, therefore
we cannot reconnect.

Logs/symptoms:

1. Using OpenConnect

1.1. When I open a connection with OpenConnect, a vpn-sessiondb entry shows up:

Username     : hsz                    Index        : 1632
Assigned IP  : 10.32.123.5            Public IP    : 84.0.29.222
Protocol     : Clientless SSL-Tunnel
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 102158335              Bytes Rx     : 20227661
Group Policy : COMPANY1               Tunnel Group : TG-COMPANY1
Login Time   : 19:36:43 MET-DST Tue Sep 15 2009
Duration     : 0h:13m:44s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

This is normal; the same happens when I connect with AnyConnect.

1.2. When I disconnect with OpenConnect, vpn-sessiondb looks like the following:

Username     : hsz                    Index        : 1632
Public IP    : 84.0.29.222
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 99321601               Bytes Rx     : 19746584
Group Policy : COMPANY1               Tunnel Group : TG-COMPANY1
Login Time   : 19:36:43 MET-DST Tue Sep 15 2009
Duration     : 0h:14m:12s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

When I use AnyConnect and I disconnect, there is no vpn-session record
associated with the user.
I think the problem starts here: OpenConnect doesn't cleanly close the
connection. One "Clientless" entry is stuck on the ASA.

1.3. After that I reconnect with OpenConnect, vpn-sessiondb looks like
the following:

Username     : hsz                    Index        : 1632
Public IP    : 84.0.29.222
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 99321914               Bytes Rx     : 19746923
Group Policy : COMPANY1               Tunnel Group : TG-COMPANY1
Login Time   : 19:36:43 MET-DST Tue Sep 15 2009
Duration     : 0h:14m:44s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : hsz                    Index        : 1633
Assigned IP  : 10.32.123.5            Public IP    : 84.0.29.222
Protocol     : Clientless SSL-Tunnel
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 99323307               Bytes Rx     : 19746923
Group Policy : COMPANY1               Tunnel Group : TG-COMPANY1
Login Time   : 19:51:23 MET-DST Tue Sep 15 2009
Duration     : 0h:00m:04s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Two entries for one user. There is no traffic through the VPN -
specifically, if I ping a host inside the VPN,
the packet gets through to the destination device, the ping reply comes
back - but the ASA can't handle it: there is more than one entry for
the user.

In addition, when I manually disconnect the stuck session
(vpn-sessiondb logoff index 1632) the newly built OpenConnect session
(index 1633) starts working immediately.

2. Logs

Relevant ASA logs when I disconnect with AnyConnect:

Sep 15 20:00:19 %ASA-5-722012: Group <COMPANY1> User <hsz> IP
<84.0.29.222> SVC Message: 16/NOTICE: The user has requested to
disconnect the connection..
Sep 15 20:00:19 %ASA-5-722037: Group <COMPANY1> User <hsz> IP
<84.0.29.222> SVC closing connection: User Requested.
Sep 15 20:00:19 %ASA-7-609002: Teardown local-host outside:10.32.123.5
duration 0:00:18
Sep 15 20:00:19 %ASA-6-716002: Group <COMPANY1> User <hsz> IP
<84.0.29.222> WebVPN session terminated: User Requested.
Sep 15 20:00:19 %ASA-4-113019: Group = TG-COMPANY1, Username = hsz, IP
= 84.0.29.222, Session disconnected. Session Type: SSL, Duration:
0h:00m:20s, Bytes xmt:
 99324826, Bytes rcv: 19753888, Reason: User Requested
Sep 15 20:00:19 %ASA-6-737014: IPAA: Freeing AAA address 10.32.123.5
Sep 15 20:00:19 %ASA-6-302014: Teardown TCP connection 260869 for
outside:84.0.29.222/41521 to identity:ASA-IP/443 duration 0:00:18
bytes 3130 TCP FINs
Sep 15 20:00:19 %ASA-6-722023: Group <COMPANY1> User <hsz> IP
<84.0.29.222> TCP SVC connection terminated with compression
Sep 15 20:00:19 %ASA-7-722029: Group <COMPANY1> User <hsz> IP
<84.0.29.222> SVC Session Termination: Conns: 1, DPD Conns: 0, Comp
resets: 0, Dcmp resets: 0.
Sep 15 20:00:19 %ASA-7-722030: Group <COMPANY1> User <hsz> IP
<84.0.29.222> SVC Session Termination: In: 0 (+61) bytes, 0 (+1)
packets, 0 drops.
Sep 15 20:00:19 %ASA-7-722031: Group <COMPANY1> User <hsz> IP
<84.0.29.222> SVC Session Termination: Out: 1393 (+23) bytes, 1 (+1)
packets, 0 drops.
Sep 15 20:00:19 %ASA-6-725007: SSL session with client
outside:84.0.29.222/41521 terminated.
Sep 15 20:00:24 %ASA-6-302014: Teardown TCP connection 260867 for
outside:84.0.29.222/41516 to identity:ASA-IP/443 duration 0:00:24
bytes 305 TCP Reset-O
Sep 15 20:00:24 %ASA-6-725007: SSL session with client
outside:84.0.29.222/41516 terminated.
Sep 15 20:00:24 %ASA-6-302014: Teardown TCP connection 260866 for
outside:84.0.29.222/41515 to identity:ASA-IP/443 duration 0:00:24
bytes 268 TCP Reset-O
Sep 15 20:00:24 %ASA-7-609002: Teardown local-host outside:84.0.29.222
duration 0:00:24
Sep 15 20:00:24 %ASA-6-725007: SSL session with client
outside:84.0.29.222/41515 terminated.

Relevant ASA logs when I disconnect with OpenConnect (much shorter):

Sep 15 20:03:47 %ASA-3-722009: Group <COMPANY1> User <hsz> IP
<84.0.29.222> SVC Message: 3/CRITICAL: lient received SIGINT.
Sep 15 20:03:47 %ASA-5-722037: Group <COMPANY1> User <hsz> IP
<84.0.29.222> SVC closing connection: Transport closing.
Sep 15 20:03:47 %ASA-6-302014: Teardown TCP connection 260873 for
outside:84.0.29.222/41831 to identity:ASA-IP/443 duration 0:00:19
bytes 5607 TCP Reset-O
Sep 15 20:03:47 %ASA-7-609002: Teardown local-host outside:84.0.29.222
duration 0:00:19
Sep 15 20:03:47 %ASA-6-722023: Group <COMPANY1> User <hsz> IP
<84.0.29.222> TCP SVC connection terminated with compression
Sep 15 20:03:47 %ASA-6-725007: SSL session with client
outside:84.0.29.222/41831 terminated.

I clearly see two differences: when disconnecting with OpenConnect, the
ASA doesn't close this "WebVPN" thing, and there is no "Freeing AAA
address" line.


What is the suggested way to close VPN connections with openconnect -
should ctrl+c work?
Why doesn't openconnect close that "WebVPN", like anyconnect does?

If you need more information or logs, please let me know. I'm using
Debian GNU/Linux 5.0.

regards,
Szabolcs
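The two checks described in the post (a user who holds a second, IP-less "Clientless" entry after a reconnect, and a disconnect whose syslog lacks the "WebVPN session terminated" and "Freeing AAA address" messages) can be turned into a small script an ASA operator runs over `show vpn-sessiondb` output and the syslog. This is an added example, not code from the original post or from the OpenConnect project; the session-database text below is a constructed, shortened copy of the post's output, the syslog lines are copied from the post's OpenConnect disconnect log, and treating message IDs 716002 and 737014 as the markers of a complete logoff is an assumption drawn from the post's AnyConnect log.

```python
"""Spot stale ASA WebVPN sessions and incomplete disconnects.

Added example, not code from the original post or the OpenConnect project.
SESSIONDB_SAMPLE is a constructed, shortened copy of the post's
`show vpn-sessiondb` output; OPENCONNECT_DISCONNECT_LOG copies the post's
OpenConnect disconnect syslog.  CLEAN_DISCONNECT_IDS is an assumption taken
from the post's AnyConnect teardown.
"""
import re
from collections import defaultdict

SESSIONDB_SAMPLE = """\
Username     : hsz                    Index        : 1632
Public IP    : 84.0.29.222
Protocol     : Clientless
License      : SSL VPN
Login Time   : 19:36:43 MET-DST Tue Sep 15 2009
Duration     : 0h:14m:44s

Username     : hsz                    Index        : 1633
Assigned IP  : 10.32.123.5            Public IP    : 84.0.29.222
Protocol     : Clientless SSL-Tunnel
License      : SSL VPN
Login Time   : 19:51:23 MET-DST Tue Sep 15 2009
Duration     : 0h:00m:04s
"""

OPENCONNECT_DISCONNECT_LOG = [
    "Sep 15 20:03:47 %ASA-3-722009: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC Message: 3/CRITICAL: lient received SIGINT.",
    "Sep 15 20:03:47 %ASA-5-722037: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC closing connection: Transport closing.",
    "Sep 15 20:03:47 %ASA-6-302014: Teardown TCP connection 260873 for outside:84.0.29.222/41831 to identity:ASA-IP/443 duration 0:00:19 bytes 5607 TCP Reset-O",
    "Sep 15 20:03:47 %ASA-6-722023: Group <COMPANY1> User <hsz> IP <84.0.29.222> TCP SVC connection terminated with compression",
    "Sep 15 20:03:47 %ASA-6-725007: SSL session with client outside:84.0.29.222/41831 terminated.",
]

# 716002 = "WebVPN session terminated", 737014 = "IPAA: Freeing AAA address".
# Assumption: a complete logoff emits both (the post's AnyConnect log does).
CLEAN_DISCONNECT_IDS = ("716002", "737014")


def parse_sessiondb(text):
    """Parse `show vpn-sessiondb` text into one dict per session block."""
    sessions, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a session block
            if current:
                sessions.append(current)
                current = {}
            continue
        # A line carries one or two "Label : value" columns; the second
        # column is preceded by a run of 2+ spaces and then its label.
        for chunk in re.split(r"\s{2,}(?=[A-Za-z][A-Za-z ]*?\s*:)", line):
            label, _, value = chunk.partition(":")   # values may contain ':'
            current[label.strip()] = value.strip()
    if current:
        sessions.append(current)
    return sessions


def stale_sessions(sessions):
    """Return (user, stale_index, live_index) for every entry of a user that
    holds no Assigned IP while the same user also owns a tunnel that does.
    A user who deliberately keeps a browser (clientless) session open next
    to a tunnel is flagged too, so check Login Time before logging off."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.get("Username")].append(s)
    findings = []
    for user, entries in by_user.items():
        live = [s for s in entries if s.get("Assigned IP")]
        dead = [s for s in entries if not s.get("Assigned IP")]
        if live and dead:
            for s in dead:
                findings.append((user, int(s["Index"]), int(live[-1]["Index"])))
    return findings


def logoff_commands(findings):
    """ASA commands that clear the stale entries (what the post did by hand)."""
    return ["vpn-sessiondb logoff index %d" % idx for _, idx, _ in findings]


def disconnect_gaps(syslog_lines, user, assigned_ip):
    """Return the CLEAN_DISCONNECT_IDS never logged for this user's teardown.
    716002 names the user; 737014 names only the freed address."""
    seen = set()
    for line in syslog_lines:
        m = re.search(r"%ASA-\d-(\d{6}):", line)
        if not m:
            continue
        msg_id = m.group(1)
        if msg_id == "737014" and assigned_ip in line:
            seen.add(msg_id)
        elif "User <%s>" % user in line or "Username = %s" % user in line:
            seen.add(msg_id)
    return [i for i in CLEAN_DISCONNECT_IDS if i not in seen]


if __name__ == "__main__":
    found = stale_sessions(parse_sessiondb(SESSIONDB_SAMPLE))
    for user, stale, live in found:
        print("%s: index %d is stale, blocking tunnel %d" % (user, stale, live))
    print("\n".join(logoff_commands(found)))
    print("missing on disconnect:", disconnect_gaps(OPENCONNECT_DISCONNECT_LOG, "hsz", "10.32.123.5"))
```

On the post's data the script reports index 1632 as stale against tunnel 1633, emits `vpn-sessiondb logoff index 1632`, and lists 716002 and 737014 as the messages missing from the OpenConnect teardown; feed it the AnyConnect disconnect lines instead and the missing list is empty.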
