patch

Brian Dolbec dolsen at gentoo.org
Wed Jul 6 16:26:23 PDT 2016


On Wed, 6 Jul 2016 17:39:05 -0500
William Hubbs <williamh at gentoo.org> wrote:

> Sorry about that, I didn't attach the patch.
> 
> Here it is.
> 
> William
> 

Here is a sanitized snippet of my syslog showing the error sequence.
I only removed/masked private info and some irrelevant cron entries.

Jul  6 14:18:04 vpn1 openconnect[13191]: Connected to xxx.xxx.xxx.xxx:443 
Jul  6 14:18:04 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany> 
Jul  6 14:18:04 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany> 
Jul  6 14:18:04 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany> 
Jul  6 14:18:04 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany> 
Jul  6 14:18:04 vpn1 openconnect[13191]: Connected as xxx.xxx.xxx.xxx, using SSL 
Jul  6 14:18:04 vpn1 openconnect[13191]: ESP session established with server 
Jul  6 15:26:28 vpn1 openconnect[13191]: ESP detected dead peer 
Jul  6 15:42:44 vpn1 openconnect[13191]: SSL read error: Error in the pull function.; reconnecting. 
Jul  6 15:42:44 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany> 
Jul  6 15:42:44 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany> 
Jul  6 15:42:44 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany> 
Jul  6 15:42:44 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany> 
Jul  6 15:42:44 vpn1 openconnect[13191]: ESP session established with server 


I have done debug runs with openconnect, but get just a more detailed version of
the general sequence above.  Sometimes it would fail to reconnect.

For some history: things were initially working fine. Then the security team updated the
firmware on the Juniper appliance, and things started becoming more unstable.
Then they replaced the appliance with a new Juniper appliance and did another update
to the original appliance (to be kept as a backup).

My connection usually cycles around the 1 hour and 10 to 20 minute mark, nearly
always with the dead peer detection. The security/network team and I did a number
of tests, looking at logs at both ends. What they eventually did was keep the old
appliance connected (but not in the DNS) and reconfigure it to an SSL
connection only (no dead peer check), with me adding an entry to my /etc/hosts
file for it to connect to that old appliance rather than the new one.
With that, I am normally able to stay connected for 12 hours without issue.
But due to licensing and other reasons, they cannot keep the old appliance
in operation much longer.

Since I work remotely, my vpn connection to the office is essential.
Any help you can offer to help improve things would be greatly appreciated.
I can even run the openconnect live git sources (any branch) on my vpn virtual machine
that I use for all my work systems that need the vpn connection.  So, I will be able to 
provide you with any sanitized logs to help you improve things.

Thank you

-- 
Brian Dolbec <dolsen>
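To put numbers on the cycling described in the message above (session lifetime before the dead-peer event, and how long the client took to come back), here is an added example that parses openconnect syslog lines of the kind shown in the post. It is not code from the post or from the openconnect project. It assumes the syslog year is 2016 (the timestamps carry no year), keys off the exact message prefixes visible in the log above, and uses a constructed copy of those lines as its sample input.

```python
import re
from datetime import datetime

# Constructed sample input: the openconnect lines from the message above,
# with addresses and the VPN hostname already masked.
SAMPLE_SYSLOG = """\
Jul  6 14:18:04 vpn1 openconnect[13191]: Connected to xxx.xxx.xxx.xxx:443
Jul  6 14:18:04 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany>
Jul  6 14:18:04 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany>
Jul  6 14:18:04 vpn1 openconnect[13191]: Connected as xxx.xxx.xxx.xxx, using SSL
Jul  6 14:18:04 vpn1 openconnect[13191]: ESP session established with server
Jul  6 15:26:28 vpn1 openconnect[13191]: ESP detected dead peer
Jul  6 15:42:44 vpn1 openconnect[13191]: SSL read error: Error in the pull function.; reconnecting.
Jul  6 15:42:44 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany>
Jul  6 15:42:44 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany>
Jul  6 15:42:44 vpn1 openconnect[13191]: ESP session established with server
"""

# Classic BSD syslog prefix followed by the openconnect tag and message.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) openconnect\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message prefixes that mean the tunnel was lost; the text is taken from the log.
LOSS_PREFIXES = ("ESP detected dead peer", "SSL read error")
ESTABLISHED_PREFIX = "ESP session established"


def parse_line(line, year=2016):
    """Return (timestamp, pid, message) for an openconnect line, else None.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["pid"], m["msg"]


def session_report(text, year=2016):
    """Walk the log and return one dict per tunnel session:
    established, lost (None if still up), cause, duration_s, reconnect_s
    (seconds from loss to the next established session, None if unknown)."""
    sessions = []
    current = None      # timestamp of the session that is currently up
    last_lost = None    # most recently closed session, awaiting its reconnect time
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _pid, msg = parsed
        if msg.startswith(ESTABLISHED_PREFIX):
            if last_lost is not None:
                last_lost["reconnect_s"] = int((ts - last_lost["lost"]).total_seconds())
                last_lost = None
            current = ts
        elif msg.startswith(LOSS_PREFIXES) and current is not None:
            # First loss indication closes the session; a later "reconnecting"
            # line for the same outage is ignored because current is None.
            session = {
                "established": current,
                "lost": ts,
                "cause": msg,
                "duration_s": int((ts - current).total_seconds()),
                "reconnect_s": None,
            }
            sessions.append(session)
            last_lost = session
            current = None
    if current is not None:
        sessions.append({"established": current, "lost": None, "cause": None,
                         "duration_s": None, "reconnect_s": None})
    return sessions


def short_sessions(sessions, min_expected_s=12 * 3600):
    """Sessions that died sooner than the lifetime the writer reports as normal
    (12 hours on the SSL-only appliance); useful for spotting the cycling."""
    return [s for s in sessions
            if s["duration_s"] is not None and s["duration_s"] < min_expected_s]


if __name__ == "__main__":
    for s in session_report(SAMPLE_SYSLOG):
        print(s)
    print("short sessions:", len(short_sessions(session_report(SAMPLE_SYSLOG))))
```

Run it against a real syslog with `session_report(open("/var/log/messages").read())`; on the sample it reports the first session lasting 4104 s (1h08m24s) before the dead-peer event and a 976 s gap before the client re-established, matching the roughly 1 hour 10 to 20 minute cycle described above.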
