MTU mismatch with 7.08 and "Unknown DTLS packet"

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Fri Jan 5 03:57:30 PST 2018


On Thu, Jan 4, 2018 at 12:09 AM, Chaskiel Grundman <cgrundman at gmail.com> wrote:
> I am running:
> OpenConnect version v7.08
> Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP
> software token, TOTP software token, Yubikey OATH, System keys, DTLS
>
> on Ubuntu artful. I'm not sure when this started, but openconnect is
> detecting and using a lower MTU than the VPN gateway and this causes
> problems for large UDP and ICMP packets. At login, it logs this:
>
> Got CONNECT response: HTTP/1.1 200 OK
> CSTP connected. DPD 60, Keepalive 120
> Established DTLS connection (using GnuTLS). Ciphersuite
> (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1300 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1299 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1298 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1297 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1296 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1295 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1294 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1293 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1292 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1291 -5)
> Detected MTU of 1290 bytes (was 1300)
>
> This seems to be the result of gnutls deciding that the DTLS max
> message size is 1290.
> Remote applications doing Path MTU detection (or TCP using MSS
> options) use an MTU of 1300 and an MSS of 1260.

The MTU here is how much data openconnect can transfer in a single
packet. The log you sent shows that anything larger than 1290 is
rejected by the link. What other applications see it depends on the
headers of their protocols, and is not really related.

> On this connection, the VPN gateway seems to chop up a 1291-1300 byte
> packet into 2 DTLS messages. One is processed normally, and one
> generates an error:
> Unknown DTLS packet type 7e, len 10
> or
> Failed to write incoming packet: Invalid argument

That seems to be a gateway problem. An openconnect packet cannot be
split into two DTLS packets as there is not enough information to
reconstruct them. What gateway is that?

> Based on tests with ping's -p switch, the "packet type" is just a byte
> of tunneled packet data.
> The official client seems to work with this gateway, using an MTU of
> 1300 on the tunnel interface.

Does it negotiate the same ciphersuites? Different ciphersuites allow
for different data MTU sizes. If it is the same, does the server
exhibit the same behavior and split packets into two DTLS packets? If
the latter is happening, are large packets being received by the
client or being lost?

regards,
Nikos
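The two points Nikos raises above (the MTU is the per-record payload budget of the DTLS link, and different ciphersuites leave different amounts of that budget for data) can be made concrete with a small calculator. The following Python is an added example for this archive page; it is not code from the thread, from GnuTLS or from the OpenConnect project. It assumes standard DTLS 1.0/1.2 record framing (RFC 4347 / RFC 6347: a 13-byte record header; CBC suites carry an explicit IV, an HMAC and 1..block-size bytes of padding; AEAD suites carry an 8-byte explicit nonce and a 16-byte tag). The Cisco "DTLS0.9" variant shown in the log may frame CBC records differently, so the exact figures for that session are not claimed here, only the shape of the dependency. The `mtu_change_from_log` helper reads the `Detected MTU of X bytes (was Y)` line quoted in the report; the sample log lines are copied from the thread.

```python
"""
Added example (not from the openconnect-devel thread, GnuTLS or OpenConnect):
how much tunnelled payload fits in one DTLS record for a given link MTU and
ciphersuite, plus a parser for OpenConnect's "Detected MTU" log line.

Assumptions (labelled): standard DTLS 1.0/1.2 record framing per RFC 4347 /
RFC 6347. The Cisco "DTLS0.9" variant may differ; it is not modelled here.
"""
import re
from dataclasses import dataclass

DTLS_RECORD_HEADER = 13  # type(1) + version(2) + epoch(2) + seq(6) + length(2)


@dataclass(frozen=True)
class CipherSuite:
    name: str
    aead: bool
    block_size: int = 16      # CBC block size (ignored for AEAD suites)
    mac_len: int = 0          # HMAC length for CBC suites
    tag_len: int = 16         # AEAD authentication tag length
    explicit_nonce: int = 8   # AEAD explicit nonce length (TLS 1.2 GCM)


AES128_CBC_SHA1 = CipherSuite("AES-128-CBC/SHA1", aead=False, mac_len=20)
AES256_CBC_SHA256 = CipherSuite("AES-256-CBC/SHA256", aead=False, mac_len=32)
AES128_GCM = CipherSuite("AES-128-GCM", aead=True)


def record_size(suite, plaintext_len):
    """UDP payload bytes used by one record carrying plaintext_len bytes."""
    if suite.aead:
        return DTLS_RECORD_HEADER + suite.explicit_nonce + plaintext_len + suite.tag_len
    b = suite.block_size
    # MAC is appended, then 1..b bytes of padding make the total block aligned
    padded = -(-(plaintext_len + suite.mac_len + 1) // b) * b
    return DTLS_RECORD_HEADER + b + padded  # explicit IV occupies one block


def max_plaintext(suite, link_mtu):
    """Largest plaintext length whose record still fits in link_mtu bytes."""
    if suite.aead:
        return max(link_mtu - DTLS_RECORD_HEADER - suite.explicit_nonce - suite.tag_len, 0)
    b = suite.block_size
    avail = link_mtu - DTLS_RECORD_HEADER - b
    if avail < b:
        return 0
    return max((avail // b) * b - suite.mac_len - 1, 0)


DETECTED_MTU_RE = re.compile(r"Detected MTU of (\d+) bytes \(was (\d+)\)")


def mtu_change_from_log(lines):
    """Return (new_mtu, old_mtu) from the last 'Detected MTU' line, or None."""
    found = None
    for line in lines:
        m = DETECTED_MTU_RE.search(line)
        if m:
            found = (int(m.group(1)), int(m.group(2)))
    return found


# Log lines as quoted in the thread (the repeated EMSGSIZE lines are elided)
SAMPLE_LOG = [
    "Established DTLS connection (using GnuTLS). Ciphersuite",
    "(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).",
    "Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).",
    "Failed to send DPD request (1300 -5)",
    "Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).",
    "Failed to send DPD request (1291 -5)",
    "Detected MTU of 1290 bytes (was 1300)",
]

if __name__ == "__main__":
    new, old = mtu_change_from_log(SAMPLE_LOG)
    print(f"log reports MTU {old} -> {new}")
    for mtu in (old, new):
        for suite in (AES128_CBC_SHA1, AES256_CBC_SHA256, AES128_GCM):
            p = max_plaintext(suite, mtu)
            print(f"link MTU {mtu}: {suite.name:20} max plaintext {p} "
                  f"(record {record_size(suite, p)} bytes)")
```

Running it shows that for the same link MTU a CBC suite with SHA-256 leaves fewer bytes per record than one with SHA-1, and an AEAD suite leaves more, which is why comparing the ciphersuite negotiated by the official client matters before comparing tunnel MTUs. Note also that the per-record plaintext is not the tunnel interface MTU: OpenConnect's own per-packet framing (the "packet type" byte the report mentions) is taken out of it as well.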


