Diagnosing error "SSL read error: The TLS connection was non-properly terminated"
Kevin Cernekee
cernekee at gmail.com
Thu Apr 17 19:08:54 PDT 2014
On Thu, Apr 17, 2014 at 6:46 PM, John Hendy <jw.hendy at gmail.com> wrote:
> $ sudo pacman -Q | grep curl
> curl 7.36.0-1
>
> I can't connect with that script -- my credentials get denied and
> there's a message to contact my company IT Help Desk. If I recall
> correctly, I used to get that message when trying with the anyconnect
> client if I hadn't started the /etc/rc.d/hostscan service.
Hmm, OK, I'm probably missing some data from the request.
>> Could you post the result from connecting with "openconnect -v" so we
>> can see if the gateway has DTLS disabled?
>
> Here's the verbose output using the csd-wrapper.sh I posted earlier:
> - http://pastebin.com/5ZcNpUuj
If DTLS is enabled on the gateway you should see some X-DTLS fields, like this:
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 192.168.6.14
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address: 2001:db8::2
X-CSTP-Netmask: 2001:db8::2/32
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 36000
X-CSTP-Disconnected-Timeout: 36000
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 240
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID:
88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 240
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID :
88697A32A530784A738CB60D4B715D9DEC9C9EF6274AB2D2A857BB80C2BCF52E
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 240
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 30, Keepalive 20
Connected (script) as 192.168.6.14 + 2001:db8::2/32, using SSL
No work to do; sleeping for 20000 ms...
No work to do; sleeping for 20000 ms...
Established DTLS connection (using OpenSSL). Ciphersuite AES128-SHA.
If you can get in touch with your ASA admin, they can re-enable DTLS
(i.e. disable no-tls mode) with these commands:
config term
webvpn
enable outside
That is the first thing I would try if experiencing performance or
stability problems on a poor connection.
More information about the openconnect-devel
mailing list