bug: bad mtu after rekeying?

me me at tinfoil.eu
Thu Mar 22 13:57:38 PDT 2018


I'm using OpenConnect to connect to a Cisco ASA. After a rekey, the
tunnel stops working until a manual restart.

My assumption:

After having a connection open for a while, a CSTP rekey occurs. During connection re-establishment it will try to redetect the MTU. When that fails, OpenConnect will internally set the MTU to MTU - 1, but not on the interface itself.

After that, the tunnel stops working because OpenConnect is unable to
decode the DTLS packets because the actual link MTU is <whatever> but
the OpenConnect internal state is MTU - 1.

See the following log, the actual configured MTU for this tunnel is 1200:

Mar 22 18:37:47 localhost openconnect[8957]: CSTP rekey due
Mar 22 18:37:47 localhost openconnect[8957]: SSL negotiation with 192.0.2.1
Mar 22 18:37:47 localhost openconnect[8957]: Server certificate verify failed: signer not found
Mar 22 18:37:47 localhost openconnect[8957]: Connected to HTTPS on 192.0.2.1
Mar 22 18:37:47 localhost openconnect[8957]: Got CONNECT response: HTTP/1.1 200 OK
Mar 22 18:37:47 localhost openconnect[8957]: CSTP connected. DPD 30, Keepalive 20
Mar 22 18:37:47 localhost openconnect[8957]: Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Mar 22 18:37:50 localhost openconnect[8957]: Too long time in MTU detect loop; MTU set to 1199.
Mar 22 18:37:50 localhost openconnect[8957]: Detected MTU of 1199 bytes (was 1200)
Mar 22 18:38:20 localhost openconnect[8957]: Unknown DTLS packet type f7, len 1
Mar 22 18:38:20 localhost openconnect[8957]: Unknown DTLS packet type 9a, len 1
Mar 22 18:38:20 localhost openconnect[8957]: Unknown DTLS packet type 8b, len 1
Mar 22 18:38:21 localhost openconnect[8957]: Unknown DTLS packet type f7, len 1
...

The tunnel never recovers and similar messages will be printed forever.

The actual link MTU is not actually decreased, and 1200 is the right value anyway:

$ ip addr
...
8: vpn0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1200 qdisc fq_codel state UP group default qlen 500
    link/none
    inet 192.0.2.2/32 brd 192.0.2.2 scope global vpn0
       valid_lft forever preferred_lft forever

Tested on Fedora 27 through the Plasma NetworkManager applet. OpenConnect version v7.08.
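The report above is a hypothesis: that after a rekey OpenConnect's internal MTU drops to 1199 while the vpn0 link stays at 1200, and the "Unknown DTLS packet type" lines follow from that mismatch. A quick way to check whether a given host shows the same pattern is to compare the MTU values OpenConnect logs against the MTU the kernel reports for the tunnel interface. The script below is an added example, not code from OpenConnect or from the poster; the regular expressions are derived from the log lines and `ip addr` output quoted in the report, and the sample log and interface text are constructed inline so it runs offline.

```python
import re

# Constructed sample log lines, modelled on the format quoted in the report above.
SAMPLE_LOG = """\
Mar 22 18:37:47 localhost openconnect[8957]: CSTP rekey due
Mar 22 18:37:50 localhost openconnect[8957]: Too long time in MTU detect loop; MTU set to 1199.
Mar 22 18:37:50 localhost openconnect[8957]: Detected MTU of 1199 bytes (was 1200)
Mar 22 18:38:20 localhost openconnect[8957]: Unknown DTLS packet type f7, len 1
Mar 22 18:38:20 localhost openconnect[8957]: Unknown DTLS packet type 9a, len 1
"""

# Constructed sample `ip addr` output for the tunnel interface.
SAMPLE_IP_ADDR = """\
8: vpn0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1200 qdisc fq_codel state UP group default qlen 500
    link/none
    inet 192.0.2.2/32 brd 192.0.2.2 scope global vpn0
"""

# Patterns taken from the message formats visible in the report.
DETECTED_RE = re.compile(r"Detected MTU of (\d+) bytes \(was (\d+)\)")
FALLBACK_RE = re.compile(r"Too long time in MTU detect loop; MTU set to (\d+)")
UNKNOWN_RE = re.compile(r"Unknown DTLS packet type [0-9a-f]{2}, len \d+")
IFACE_RE = re.compile(r"^\d+: (\S+): <[^>]*> mtu (\d+)", re.M)


def parse_openconnect_log(text):
    """Extract the MTU OpenConnect believes it has, plus rekey and DTLS error counts."""
    state = {"mtu": None, "previous_mtu": None, "fallback": False,
             "unknown_dtls": 0, "rekeys": 0}
    for line in text.splitlines():
        if "CSTP rekey due" in line:
            state["rekeys"] += 1
        m = FALLBACK_RE.search(line)
        if m:  # MTU probing timed out and OpenConnect picked a smaller value itself
            state["fallback"] = True
            state["mtu"] = int(m.group(1))
        m = DETECTED_RE.search(line)
        if m:  # the later "Detected MTU" line is authoritative for the internal value
            state["mtu"] = int(m.group(1))
            state["previous_mtu"] = int(m.group(2))
        if UNKNOWN_RE.search(line):
            state["unknown_dtls"] += 1
    return state


def interface_mtu(ip_addr_text, ifname):
    """Return the MTU the kernel reports for ifname in `ip addr` output, or None."""
    for name, mtu in IFACE_RE.findall(ip_addr_text):
        if name == ifname:
            return int(mtu)
    return None


def diagnose(log_text, ip_addr_text, ifname="vpn0"):
    """Compare OpenConnect's logged MTU with the link MTU and list anything suspicious."""
    st = parse_openconnect_log(log_text)
    link = interface_mtu(ip_addr_text, ifname)
    findings = []
    if st["fallback"]:
        findings.append("MTU detection timed out; OpenConnect fell back to %d" % st["mtu"])
    if st["mtu"] is not None and link is not None and st["mtu"] != link:
        findings.append("internal MTU %d differs from %s link MTU %d" % (st["mtu"], ifname, link))
    if st["unknown_dtls"]:
        findings.append("%d 'Unknown DTLS packet type' lines logged" % st["unknown_dtls"])
    return {"internal_mtu": st["mtu"], "link_mtu": link,
            "rekeys": st["rekeys"], "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_IP_ADDR)["findings"]:
        print(finding)
```

On a real host, pass the OpenConnect lines from the system journal as `log_text` and the output of `ip addr` as `ip_addr_text`; an empty `findings` list after a rekey means the internal and link MTUs agree, while a mismatch together with a run of "Unknown DTLS packet type" lines matches the symptom described in this report.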
