Connection dies frequently, is restored after dead peer detection

Matti Koskimies matti at apulanta.fi
Wed Sep 7 07:04:03 PDT 2016 

Version: 7.06-2+b2 (Debian sid)


A couple of weeks back, my openconnect VPN connection started to freeze
frequently. I'm not sure what changed at the time. The connection comes
back after a while and I noticed from the logs that it is restored
after a "DTLS Dead Peer Detection detected dead peer!" message. So I
found the --force-dpd option and the situation is bearable, if I set
the value to 2 or 3. What might be the problem? Is it a bug or a
configuration issue? On client or server?

I experience the same behavior using lan or wlan and with network-
manager-openconnect as well as the openconnect command.

Below is a cleaned output of an example openconnect connection using -v
option:

$ echo pass|sudo /usr/sbin/openconnect -v --force-dpd=3 --
usergroup=$USERGROUP -
-user=$USERNAME --passwd-on-stdin $SERVERNAME
POST https://$SERVERNAME/restricted
Attempting to connect to server $SERVER_IP:443
SSL negotiation with $SERVERNAME
Connected to HTTPS on $SERVERNAME
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Aug 2016 09:21:27 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
POST https://$SERVERNAME/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Aug 2016 09:21:27 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004-2016 Cisco Systems, Inc.
X-CSTP-Address: $ADDRESS
X-CSTP-Netmask: 255.255.255.255
X-CSTP-Hostname: $HOSTNAME
X-CSTP-DNS: $DNS1
X-CSTP-DNS: $DNS2
X-CSTP-NBNS: $NBNS1
X-CSTP-NBNS: $NBNS2
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 5400
X-CSTP-Disconnected-Timeout: 5400
X-CSTP-Default-Domain: $DOMAIN
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-PAC-URL: $PAC_URL
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: $ID
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 3600
X-CSTP-MTU: 1200
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 3, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
DTLS option X-DTLS-Session-ID : $ID
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 3600
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 3, Keepalive 20
Connected tun0 as $IP, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
[...]
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send DTLS DPD
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
DTLS Dead Peer Detection detected dead peer!
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send CSTP DPD
Got CSTP DPD response


Br,

Matti Koskimies

More information about the openconnect-devel mailing list