MTU mismatch with 7.08 and "Unknown DTLS packet"

Daniel Lenski dlenski at gmail.com
Thu Jan 4 11:23:13 PST 2018


On Wed, Jan 3, 2018 at 3:09 PM, Chaskiel Grundman <cgrundman at gmail.com> wrote:
>
> I am running:
> OpenConnect version v7.08
> Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP
> software token, TOTP software token, Yubikey OATH, System keys, DTLS
>
> on ubuntu artful. I'm not sure when this started, but openconnect is
> detecting and using a lower MTU than the VPN gateway and this causes
> problems for large UDP and ICMP packets. At login, it logs this:
>
> Got CONNECT response: HTTP/1.1 200 OK
> CSTP connected. DPD 60, Keepalive 120
> Established DTLS connection (using GnuTLS). Ciphersuite
> (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1300 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1299 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1298 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1297 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1296 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1295 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1294 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1293 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1292 -5)
> Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
> Failed to send DPD request (1291 -5)
> Detected MTU of 1290 bytes (was 1300)
>
> This seems to be the result of gnutls deciding that the DTLS max
> message size is 1290.
> Remote applications doing Path MTU detection (or TCP using MSS
> options) use an MTU of 1300 and an MSS of 1260.
>
> On this connection, the VPN gateway seems to chop up a 1291-1300 byte
> packet into 2 DTLS messages. One is processed normally, and one
> generates an error:
> Unknown DTLS packet type 7e, len 10
> or
> Failed to write incoming packet: Invalid argument

There was a patch a few months ago to handle buggy Juniper VPNs which
send packets larger than the negotiated MTU
(http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/9ac5e232214b728f675a44c43e61986ff9245b57)
but I don't think anyone's observed this for a Cisco AnyConnect VPN.

Also, I'm confused by your problem description. If the remote side
(VPN gateway) thinks the MTU is 1300, but the local side (VPN client)
thinks the MTU is 1290, then the local side shouldn't be *sending*
oversize packets… rather it should be the other way around.

> The official client seems to work with this gateway, using an MTU of
> 1300 on the tunnel interface.

Does using `openconnect --mtu 1300` fix or change anything?

Thanks,
Dan
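As an added diagnostic example (not code from this thread or from OpenConnect itself): a small parser that replays the MTU step-down visible in the quoted log and compares the client's detected MTU with the MTU implied by the MSS seen from the gateway side. The log text is a constructed, trimmed copy of the lines quoted above; `analyse` and `mtu_from_mss` are names assumed here.

```python
import re

# Constructed sample: a trimmed copy of the OpenConnect log quoted in the thread.
SAMPLE_LOG = """\
CSTP connected. DPD 60, Keepalive 120
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1300 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1299 -5)
Failed to write to SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to send DPD request (1291 -5)
Detected MTU of 1290 bytes (was 1300)
Unknown DTLS packet type 7e, len 10
"""

DPD_FAIL = re.compile(r"Failed to send DPD request \((\d+) -5\)")
MTU_CHANGE = re.compile(r"Detected MTU of (\d+) bytes \(was (\d+)\)")
UNKNOWN_DTLS = re.compile(r"Unknown DTLS packet type [0-9a-f]+, len \d+")
IP_TCP_HEADERS = 40  # IPv4 (20) + TCP (20): a host's TCP MSS is its MTU - 40


def mtu_from_mss(mss):
    """MTU implied by a TCP MSS option observed from the far side (1260 -> 1300)."""
    return mss + IP_TCP_HEADERS


def analyse(log, peer_mss):
    """Walk the log, record the MTU step-down and compare with the peer's view."""
    probed, local_mtu, initial_mtu, unknown = [], None, None, 0
    for line in log.splitlines():
        if m := DPD_FAIL.search(line):
            probed.append(int(m.group(1)))       # DPD sizes that hit EMSGSIZE
        elif m := MTU_CHANGE.search(line):
            local_mtu, initial_mtu = int(m.group(1)), int(m.group(2))
        elif UNKNOWN_DTLS.search(line):
            unknown += 1                         # symptom of oversize inbound frames
    peer_mtu = mtu_from_mss(peer_mss)
    report = {
        "probed_sizes": probed,
        "local_mtu": local_mtu,
        "initial_mtu": initial_mtu,
        "peer_mtu": peer_mtu,
        "unknown_dtls_packets": unknown,
        "mismatch": local_mtu is not None and local_mtu < peer_mtu,
    }
    if report["mismatch"]:
        # Sizes the gateway still treats as within-MTU but the client's DTLS MTU
        # cannot carry in one record (1291..1300 in the thread).
        report["at_risk_sizes"] = (local_mtu + 1, peer_mtu)
    return report


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, peer_mss=1260))
```

Running it on the sample reports a 1290 vs 1300 mismatch and the 1291..1300 byte range where the one-sided split described in the thread can occur.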
