Followup: OpenConnect unusably slow

David Woodhouse dwmw2 at
Wed Jun 19 12:14:14 EDT 2013

On Wed, 2013-06-19 at 17:23 +0200, Thomas Richter wrote:
> If this is of any help: This is a DSL line by the German Telekom, which 
> is up to my knowledge PPPoe between my router and their system. But what 
> the MTU is, or whether MTU actually applies to this technology I do not 
> know.

Your MTU is likely to be 1492. There's 8 bytes of overhead for the PPP
part of PPPoE, which we subtract from the normal Ethernet MTU of 1500.

I note that then you are missing the incoming DTLS packets, you are
*actually* receiving one fragment out of the pair. This is often a
symptom of a poor network connection or driver. What's "special" about
fragmented packets (if they're fragmented locally) is that they are sent
in *quick* succession, really closely together. And often the second one
is lost.

However, in your case in the problematic period I'm looking at
(07:36:52) you are receiving the *second* fragment out of each packet
(offset 744 onwards), not the first. Which is really weird. That's
almost as if some firewall kicked in and started rejecting the start of
those packets (which contains the UDP port number etc.) but still had to
allow the fragments because it didn't know whether it could drop them.
Or something weird like that.

Can you get a packet capture from the public-facing side of your home
network, on the outbound interface of your DSL router? Or as far
"upstream" as you can, preferably on the outside of your NAT?

It would be interesting to get a packet capture from a router at the VPN
server end if you can, too. We'd check that they really are *sending*
the offending packets, and whether they're receiving any ICMP responses.

> > It's entirely possible that some complete retard would respond to this
> > breakage by deciding to fragment *all* outbound packets to a maximum of
> > 750 bytes, instead of fixing the broken firewall.
> >
> > It isn't necessarily related to your local network at all. It *might*
> > have been doing that before, on your working system. It probably was.
> Anyhow, I kept playing a bit, and set the MTU to 700 manually in a test 
> script. Result is that network connectivity becomes normal. So indeed, 
> packet segmentation *is* the source of the evil.

How precise is that? Does 700 work and 701 fail with missing packets?
I'd have thought it would be higher.

> However, why did this work before, 

I don't know. Can you make one of your machines fail again by
downgrading (perhaps just openconnect and openssl) to what you had
before? Even if you just install the old openconnect and relevant
libraries in a chroot? It would be very interesting to compare.

> and - probably more important - how I  can make it work with the network manager?

Simple answer:
 mv /usr/sbin/openconnect /usr/sbin/openconnect.real
 cat >> /usr/sbin/openconnect <<EOF
 exec $0.real --mtu=700 "$@"
 chmod +x /usr/sbin/openconnect

Ideally, we should add an option to the NetworkManager config properly,
for this and --no-dtls. And/or maybe just an arbitrary 'passthrough' of
manually-entered options to add to the openconnect command line.

> Neither do I. Did openconnect possibly adjust the MTU dynamically in 
> earlier releases?

No. ISTR your "upgraded" machines are still on the pathetically ancient
3.20 release; I dread to think what you were using before that. Perhaps
it was *so* old that it didn't do DTLS at all?

Newer versions will attempt to do some slightly more complex MTU
negotiation with the server (if the server is new enough to support
that), but it's all a bit hit-and-miss. The Cisco scheme for doing this
is very unreliable, and made even more so because we're not sure we
fully understand it. I'd certainly suggest trying 5.01 and seeing what
happens with it.

When you're on the university network and things are working, do you
*still* see these weirdly fragmented packets?

Alternatively, if you're at home and you do something else to trigger
incoming UDP packets from elsewhere, are *they* weirdly fragmented and
sometimes missing?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list