iPhone AnyConnect will connect to OpenConnect server frequently in sleep mode

Qingjia Zhu qingjiazhu at gmail.com
Wed Sep 16 07:24:07 PDT 2015


I've been bothered by this for a long time and did a lot of research and
experiments but couldn't solve it, so I have to ask.

I'm running OpenConnect server 0.10.6 on CentOS 7, and AnyConnect 4.x
on iPhone 5.

I use certificate authentication, and everything worked well: on the
iPhone I can do a single click and I'm connected. I'm happy.

When I put my iPhone into sleep mode, within some seconds or a minute, the
connection between the iPhone and the server is dropped with the error messages
in /var/log/messages "worker[0.9.2342.19200300.100.1.1]:
worker-vpn.c:1048: GnuTLS error (at worker-vpn.c:1048): The TLS
connection was non-properly terminated." and "too short UDP packet".

This is fine. I expect that, because it is in sleep mode and if I wake
up my iPhone manually, it will get reconnected automatically, so this
is not a problem.

BUT, the problem is, even if I do NOT wake up my phone, I still find
the iPhone will connect to the server automatically very often. By very
often I mean the reconnection will happen almost every minute or every
two minutes, sometimes even just a few seconds after the connection
was dropped. Then the connection will be dropped again in a minute or so,
then it will reconnect again in a minute or so. This all happens when
the iPhone is in sleep mode. When the reconnection happens, I can find:

1) In /var/log/messages, there is 'ocserv[21763]: worker:
tlslib.c:378: no certificate was found' printed. I don't know why,
because I'm using certificate authentication well.
2) I can confirm the reconnection happens because there is 'vpns0'
created when I do an 'ifconfig'.
3) Again, the iPhone is in sleep mode; it was not woken up manually or
by any iOS notification.

In /etc/ocserv/ocserv.conf, I have the settings below:
keepalive = 324000
dpd = 90
mobile-dpd = 3600

Because I set mobile-dpd to be an hour, I do not expect the iPhone to
be woken up by the server so frequently. I only expect the server
to wake up the iPhone with a dpd message every hour, so the iPhone will only
reconnect once every hour in sleep mode.

I would appreciate any hints to the problem, and let me know if you
need any more info.

This is a big problem for me, because if I leave my iPhone in sleep for
a night, the reconnection will happen more than a hundred times, so I
appreciate your help to troubleshoot this!

PS: other configuration options in ocserv.conf, not sure if they can
be of any help:

tcp-port = 3306
udp-port = 3306
isolate-workers = true
try-mtu-discovery = false
cookie-timeout = 324000
cisco-client-compat = true

