Problems maintaining openconnect VPN ... looks like MTU issue

James Bottomley James.Bottomley at HansenPartnership.com
Tue May 7 19:55:51 EDT 2013


I can establish an openconnect session just fine, but clicking on
certain internal websites or uploading files causes it to die.  The
message in the logs when it dies is:

2013-05-07T16:05:44.412857-07:00 dabdike openconnect[31278]: Attempting to connect to 199.115.105.249:443
2013-05-07T16:05:44.426232-07:00 dabdike openconnect[31278]: SSL negotiation with wavpn.sw.ru
2013-05-07T16:05:44.468655-07:00 dabdike openconnect[31278]: Connected to HTTPS on wavpn.sw.ru
2013-05-07T16:05:44.484071-07:00 dabdike openconnect[31278]: Got CONNECT response: HTTP/1.1 200 OK
2013-05-07T16:05:44.486165-07:00 dabdike openconnect[31278]: CSTP connected. DPD 30, Keepalive 20
2013-05-07T16:05:44.534758-07:00 dabdike openconnect[31278]: Connected vpn0 as 10.10.65.251, using SSL
2013-05-07T16:05:53.035643-07:00 dabdike openconnect[31278]: DTLS handshake failed: 2
2013-05-07T16:06:20.168218-07:00 dabdike openconnect[31278]: SSL wrote too few bytes! Asked for 654, sent 0
2013-05-07T16:06:20.171367-07:00 dabdike openconnect[31278]: Send BYE packet: Internal error
2013-05-07T16:06:20.172621-07:00 dabdike openconnect[31278]: SSL_write failed: 1
2013-05-07T16:06:20.173937-07:00 dabdike openconnect[31278]: 140673877575400:error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry:s3_pkt.c:871:

The "DTLS handshake failed" looks like a red herring, because that fills my
logs even if the connection is successful:

2013-05-07T16:17:13.001040-07:00 dabdike openconnect[31655]: DTLS handshake failed: 1
2013-05-07T16:17:13.032813-07:00 dabdike openconnect[31655]: 140411814278888:error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure:d1_pkt.c:1166:SSL alert number 40

If I lower the MTU of vpn0 to 499 instead of the default 999, the
connection doesn't break nearly as frequently.

James
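A check a practitioner would want before lowering the tunnel MTU by guesswork is the actual path MTU to the gateway. The script below is an added example, written for this page; it is not code from the post or from the openconnect project. It binary-searches for the largest ICMP echo payload that crosses the path with the Don't Fragment bit set and reports the result as an IPv4 MTU. It assumes Linux iputils ping, whose `-M do` flag forbids fragmentation (macOS ping uses `-D` for the same purpose), and it ships with a constructed offline stand-in probe so the search logic can be exercised without network access. The host argument and the 1472-byte upper bound (1500 minus the 28-byte IP plus ICMP headers) are assumptions of the example, not values from the post.

```python
"""Path-MTU probe: binary-search the largest ICMP echo payload that crosses a
path with DF set, then report it as an IPv4 MTU.  Added example for diagnosing
tunnel-MTU problems of the kind described above; not part of openconnect."""
import subprocess
import sys
from typing import Callable

IPV4_HEADER = 20          # bytes, no options
ICMP_HEADER = 8           # bytes, echo request/reply
OVERHEAD = IPV4_HEADER + ICMP_HEADER

# A probe maps a payload size to "did an unfragmented echo get through?"
Probe = Callable[[int], bool]


def ping_probe(host: str, attempts: int = 3, timeout_s: int = 1) -> Probe:
    """Real probe using Linux iputils ping (assumed to be installed).
    -M do sets DF, so an oversize packet is dropped (and answered with ICMP
    'fragmentation needed') instead of being fragmented along the way.
    Several attempts guard against one lost reply being read as 'too big'."""
    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(payload), host]
        for _ in range(attempts):
            try:
                rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                    stderr=subprocess.DEVNULL).returncode
            except FileNotFoundError:    # no ping binary on this machine
                return False
            if rc == 0:
                return True
        return False
    return probe


def simulated_probe(path_mtu: int) -> Probe:
    """Offline stand-in (constructed for this example): a path that forwards
    any packet whose total IPv4 length is at most path_mtu bytes."""
    return lambda payload: payload + OVERHEAD <= path_mtu


def find_path_mtu(probe: Probe, low: int = 0, high: int = 1472) -> int:
    """Largest payload in [low, high] the probe accepts, converted to an IPv4 MTU.
    Assumes monotonic behaviour: if N bytes fail, everything above N fails.
    The default high of 1472 + 28 = 1500 covers the Ethernet default MTU."""
    if not probe(low):
        raise ValueError(f"even a {low}-byte payload does not get through; "
                         "host down or ICMP blocked?")
    best, lo, hi = low, low + 1, high
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1     # fits: look for something larger
        else:
            hi = mid - 1                # too big: shrink
    return best + OVERHEAD


if __name__ == "__main__":
    # Usage: python pmtu.py <gateway-host>   (hypothetical file name)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"path MTU to {host}: {find_path_mtu(ping_probe(host))}")
```

Run it against the VPN gateway from outside the tunnel. The tunnel interface MTU then has to be the reported path MTU minus whatever the encapsulation adds per packet (outer IP and TCP/UDP headers, the TLS or DTLS record, and the CSTP framing); that overhead depends on the transport and cipher suite in use, so the script deliberately leaves it to the reader rather than hard-coding a figure. If the measured path MTU is close to or below the tunnel MTU plus that overhead, large packets inside the tunnel will be exactly the ones that cannot be delivered.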

More information about the openconnect-devel mailing list