dead connection after "Error in the pull function"

Daniel Lenski dlenski at
Wed Aug 10 11:36:46 PDT 2022

On Wed, Aug 10, 2022 at 1:21 AM Bernd Schubert
<bernd.schubert at> wrote:
> I had found this thread
> and according to the discussion the issue is supposed to be resolved
> with 8.20.


I think you are referring to my comment
( on that discussion. As my comment
indicates, the issue that was fixed in v8.20 is…

(a) Only applicable to connecting with --protocol=nc, NOT RELEVANT to
connecting with --protocol=pulse. Pulse servers typically support both

(b) A different kind of error. The error YOU are encountering is an
error in the SSL/TLS channel of the VPN; the error described in that
discussion is an error in the ESP channel.

> Any idea what is going on

My theory is that, because we have no known keepalive mechanism for
the Pulse TLS channel, it eventually gets disconnected due to some
TCP/TLS socket timeout.

> … or how to debug it?

(1) Add --timestamp so that you can see if there's a reproducible
timing of the problem. For example, does it always occur exactly 10
minutes after you initially connect?

(2) You describe this problem as a "dead connection", but it appears
from your log that OpenConnect is successfully detecting the loss of
connectivity on the SSL channel and reconnecting. Does the VPN
continue working after reconnecting?

Send ESP probes for DPD
Send ESP probes for DPD
Send ESP probes for DPD
Read error on SSL session: Error in the pull function.     <-- error here
SSL negotiation with <server>
Connected to HTTPS on <server> with ciphersuite
Got HTTP response: HTTP/1.1 101 Switching Protocols
<continues to reconnect and refetch the configuration>


> Thanks,
> Bernd
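
An added example, not part of the original message and not code from the OpenConnect project: one way to check a --timestamp log for the "reproducible timing" asked about in (1), by measuring how long each TLS session lived before the read error. It assumes --timestamp prefixes each line as "[YYYY-MM-DD HH:MM:SS] " and treats the "101 Switching Protocols" line from the excerpt above as the start of a session; the sample log and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Assumption: --timestamp prefixes each line as "[YYYY-MM-DD HH:MM:SS] ".
LINE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")
# Assumption: this line marks a freshly (re)established Pulse TLS session.
START = "Got HTTP response: HTTP/1.1 101 Switching Protocols"
DROP = "Read error on SSL session"

# Constructed sample log (not from the thread): three drops, each about 600 s
# after the preceding (re)connect.
SAMPLE_LOG = """\
[2022-08-10 09:00:00] Got HTTP response: HTTP/1.1 101 Switching Protocols
[2022-08-10 09:05:00] Send ESP probes for DPD
[2022-08-10 09:10:00] Read error on SSL session: Error in the pull function.
[2022-08-10 09:10:02] SSL negotiation with <server>
[2022-08-10 09:10:03] Got HTTP response: HTTP/1.1 101 Switching Protocols
[2022-08-10 09:20:03] Read error on SSL session: Error in the pull function.
[2022-08-10 09:20:05] Got HTTP response: HTTP/1.1 101 Switching Protocols
[2022-08-10 09:30:04] Read error on SSL session: Error in the pull function.
"""

def session_lifetimes(log_text):
    """Return seconds from each TLS (re)connect to the next read error."""
    started, lifetimes = None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # line without a timestamp prefix
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith(START):
            started = ts
        elif msg.startswith(DROP) and started is not None:
            lifetimes.append((ts - started).total_seconds())
            started = None  # wait for the next reconnect
    return lifetimes

def looks_like_fixed_timeout(lifetimes, tolerance=5.0):
    """True when there are at least two drops and their session lifetimes
    differ by no more than `tolerance` seconds."""
    return len(lifetimes) >= 2 and max(lifetimes) - min(lifetimes) <= tolerance

if __name__ == "__main__":
    lt = session_lifetimes(SAMPLE_LOG)
    print("lifetimes (s):", lt, "fixed timeout?", looks_like_fixed_timeout(lt))
```

Near-identical lifetimes point at a timer (idle or session timeout) somewhere on the path; widely scattered ones point away from the timeout theory.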
