Issues staying connected to Pulse Secure on OpenConnect v8.10

John Hannafin john.hannafin at gmail.com
Mon Jan 11 17:02:41 EST 2021 

I'm running Fedora, and my work has a Pulse Secure VPN that I need to
access our internal assets.  Sometime last year, we noticed that at
some point between version 8.03 and 8.06, using openconnect would
become unreliable.  Using 8.03, I can run the command "sudo
openconnect --juniper --protocol=nc https://[REDACTED_HOSTNAME]", and
the VPN will stay active and work for as long as I needed it.  I
noticed with version 8.06 (perhaps earlier though?), that the VPN
would run for, about 15 minutes before failing and I'd have to quit
the VPN and resign in to get another 15 minutes or so of use.  This
behavior still exists in 8.10 today.  I can no longer run 8.03 due to
dependencies not existing for it in Fedora 33's repos, so I'm looking
to try and solve my problem for newer versions.  Any guidance or help
would be greatly appreciated.

I may be wrong, but it seems that the "Received ESP packet with
invalid SPI 0xe615d345" is the beginning of the problems, which
ultimately ends with "ESP detected dead peer", and then connectivity
is dead at that point.

I ran a verbose VPN, redacted DSIDs and hostnames.  It is pasted below:

jhannafin at raijin ~ $ sudo openconnect -v --juniper --protocol=nc
https://[REDACTED_HOST]
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
GET https://[REDACTED_HOST]/
Attempting to connect to server [REDACTED_IP]:443
Connected to [REDACTED_IP]:443
SSL negotiation with [REDACTED_HOST]
Connected to HTTPS on [REDACTED_HOST] with ciphersuite
(TLS1.2)-(RSA)-(AES-128-GCM)
Got HTTP response: HTTP/1.1 302 Found
Location: /dana-na/auth/url_pYt8kE2M2C7u2FVR/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_pYt8kE2M2C7u2FVR; path=/dana-na/;
expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/; path=/; secure
Connection: close
Content-Length: 0
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body length:  (0)
GET https://[REDACTED_HOST]/dana-na/auth/url_pYt8kE2M2C7u2FVR/welcome.cgi
SSL negotiation with [REDACTED_HOST]
Connected to HTTPS on [REDACTED_HOST] with ciphersuite
(TLS1.2)-(RSA)-(AES-128-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 11 Jan 2021 21:09:27 GMT
x-frame-options: SAMEORIGIN
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
frmLogin
username:jhannafin
password:
POST https://[REDACTED_HOST]/dana-na/auth/url_pYt8kE2M2C7u2FVR/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
Set-Cookie: DSASSERTREF=x; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSID=[REDACTED]; path=/; secure
Set-Cookie: DSDID=[REDACTED]; path=/; secure; HttpOnly
Set-Cookie: DSFirstAccess=1610399373; path=/; secure
Set-Cookie: DSSIGNIN=url_pYt8kE2M2C7u2FVR; path=/; secure
Date: Mon, 11 Jan 2021 21:09:33 GMT
location: /dana/home/index.cgi
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Content-Length: 0
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body length:  (0)
GET https://[REDACTED_HOST]/dana/home/index.cgi
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: DSLastAccess=1610399374; path=/; Secure
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
Got HTTP response: HTTP/1.1 200 OK
Content-type: application/octet-stream
Pragma: no-cache
NCP-Version: 3
Set-Cookie: DSLastAccess=1610399374; path=/; Secure
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
> 0000:  13 00 00 04 00 00 00 06  00 72 61 69 6a 69 6e bb  |.........raijin.|
> 0010:  01 00 00 00 00                                    |.....|
Got KMP message 301 of size 316
Unknown TLV group 3 attr 1 len 1: 00
Unknown TLV group 3 attr 2 len 1: 01
Received split include route 0.0.0.0/0.0.0.0
Received MTU 1400 from server
Received DNS server 10.232.41.251
Received DNS server 10.102.136.251
Received DNS search domain man.co
Unknown TLV group 2 attr 3 len 4: 01 00 00 00
ESP compression: 0
ESP encryption: 0x02 (AES-128)
ESP HMAC: 0x02 (SHA1)
ESP key lifetime: 1200 seconds
ESP key lifetime: 0 bytes
ESP replay protection: 1
Unknown TLV group 8 attr 11 len 4: 00 00 00 00
ESP port: 4500
ESP to SSL fallback: 15 seconds
Unknown TLV group 8 attr 8 len 4: 00 00 00 3c
Received internal IP address 10.232.158.227
Received netmask 255.255.255.255
Received internal gateway address 10.200.200.200
ESP SPI (outbound): d4520f1d
64 bytes of ESP secrets
oNCP negotiation request outgoing:
> 0000:  8e 00 00 00 00 00 00 00  01 2f 01 00 00 00 01 00  |........./......|
> 0010:  00 00 00 00 00 10 00 06  00 00 00 0a 00 02 00 00  |................|
> 0020:  00 04 00 00 05 78 00 00  00 00 00 00 01 2e 01 00  |.....x..........|
> 0030:  00 00 01 00 00 00 00 00  00 56 00 07 00 00 00 50  |.........V.....P|
> 0040:  00 01 00 00 00 04 e6 15  d3 45 00 02 00 00 00 40  |.........E.....@|
> 0050:  9f 4c 9b ea 50 be dd b2  09 2d f6 38 de ab 25 ae  |.L..P....-.8..%.|
> 0060:  40 ea 84 7f d7 8b 37 86  3b b7 b1 6c c2 01 47 57  |@.....7.;..l..GW|
> 0070:  f0 d3 73 0e 00 00 00 00  00 00 00 00 00 00 00 00  |..s.............|
> 0080:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
Send ESP probes
Connected as 10.232.158.227, using SSL, with ESP in progress
ESP session established with server
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Requeueing failed ESP send: Resource temporarily unavailable
Incoming KMP message 302 of size 181 (got 181)
Got KMP message 301 of size 181
ESP compression: 0
ESP encryption: 0x02 (AES-128)
ESP HMAC: 0x02 (SHA1)
ESP key lifetime: 1200 seconds
ESP key lifetime: 0 bytes
ESP replay protection: 1
Unknown TLV group 8 attr 11 len 4: 00 00 00 00
ESP port: 4500
ESP to SSL fallback: 15 seconds
Unknown TLV group 8 attr 8 len 4: 00 00 00 3c
ESP SPI (outbound): 6aaf4c11
64 bytes of ESP secrets
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Send ESP probes for DPD
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Send ESP probes for DPD
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
Send ESP probes for DPD
Received ESP packet with invalid SPI 0xe615d345
Received ESP packet with invalid SPI 0xe615d345
ESP detected dead peer
Send ESP probes
^CGET https://[REDACTED_HOST]/dana-na/auth/logout.cgi
SSL negotiation with [REDACTED_HOST]
Connected to HTTPS on [REDACTED_HOST] with ciphersuite
(TLS1.2)-(RSA)-(AES-128-GCM)
Got HTTP response: HTTP/1.1 302 Moved
Set-Cookie: DSID=x; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSLastAccess=x; path=/; expires=Thu, 01 Jan 1970 22:00:00
GMT; secure
Set-Cookie: DSFirstAccess=x; path=/; expires=Thu, 01 Jan 1970 22:00:00
GMT; secure
Set-Cookie: DSRemoteSSOReferer=x; path=/; expires=Thu, 01 Jan 1970
22:00:00 GMT; secure
Set-Cookie: DSRemoteSSOType=x; path=/; expires=Thu, 01 Jan 1970
22:00:00 GMT; secure
Set-Cookie: DSOSMLOGIN=x; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSHCSTARTED=x; path=/dana-na/; expires=Thu, 01 Jan 1970
22:00:00 GMT; secure
Set-Cookie: DSCheckBrowser=x; path=/; expires=Thu, 01 Jan 1970
22:00:00 GMT; secure
Set-Cookie: DSJSAMInitialized=x; path=/; expires=Thu, 01 Jan 1970
22:00:00 GMT; secure
Set-Cookie: DSDID=x; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSLaunchURL=x; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Date: Mon, 11 Jan 2021 21:28:06 GMT
location: /dana-na/auth/url_pYt8kE2M2C7u2FVR/welcome.cgi?p=logout&u=useruid55d825f68075299be65f949681dec6ce9a8d9925&signinUrl=5sL8X8clBgABAAAAkj15IPRk106An7ppCVe0wwJBl8RWD3Hm0yMSS3xhYpl7kaXjvxKEyis4PpC07EuC
ds-connection: close
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Content-Length: 0
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body length:  (0)
Logout successful.
User cancelled (SIGINT/SIGTERM); exiting.

More information about the openconnect-devel mailing list