Globalprotect "dead peer" debugging

Karl O. Pinc kop at karlpinc.com
Thu Aug 1 09:29:45 PDT 2024


Hi,

What's the "right way" to debug the following?
(Log below is _not_ -vvv, etc.)
Basically, the VPN works for a bit, goes in-and-out, and then fails.

<snip>
SAML REDIRECT authentication in progress
prelogin-cookie: 
POST https://vpn.example.com/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=gp-azure-sso-saml-auth-1
GlobalProtect login returned usually-equals-4=4
GlobalProtect login returned usually-equals-unknown=unknown
POST https://vpn.example.com/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
No MTU received. Calculated 1422 for ESP tunnel
POST https://vpn.example.com/ssl-vpn/hipreportcheck.esp
Trying to run HIP Trojan script '/usr/libexec/openconnect/hipreport.sh'.
HIP script '/usr/libexec/openconnect/hipreport.sh' completed successfully (report is 4326 bytes).
POST https://vpn.example.com/ssl-vpn/hipreport.esp
HIP report submitted successfully.
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.
Configured as READACTEDIPV4NUMBER1, with SSL disconnected and ESP established
Session authentication will expire at Fri, 02 Aug 2024 11:02:56 CDT
VPN now accessible through 'ssh fec0::1'
Using vhost-net for tun acceleration, ring size 32
ESP detected dead peer
Failed to connect ESP tunnel; using HTTPS instead.
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
GPST Dead Peer Detection detected dead peer!
POST https://vpn.example.com/ssl-vpn/getconfig.esp
SSL negotiation with vpn.example.com
Connected to HTTPS on vpn.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
POST https://vpn.example.com/ssl-vpn/hipreportcheck.esp
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.
ESP detected dead peer
Failed to connect ESP tunnel; using HTTPS instead.
Failed to reconnect to host vpn.example.com: Connection timed out
POST https://vpn.example.com/ssl-vpn/logout.esp

Failed to reconnect to host vpn.example.com: Connection timed out
Failed to open HTTPS connection to vpn.example.com
Logout failed.
Unrecoverable I/O error; exiting.

Thanks for the help.

Regards,

Karl <kop at karlpinc.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
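Added here as a triage example, not part of the original post or of openconnect itself: a small script that walks the log above in order, tracks which transport (ESP or HTTPS) was carrying traffic, and counts how often ESP was declared dead and fell back to HTTPS before the gateway stopped answering at all. The sample lines are the transport-relevant ones from the quoted log; the verdict strings are the script's own labels, not openconnect messages.

```python
import re

# Constructed sample: the transport-relevant lines from the quoted log,
# in their original order (hostname already replaced by vpn.example.com).
SAMPLE_LOG = """\
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.
ESP detected dead peer
Failed to connect ESP tunnel; using HTTPS instead.
GPST Dead Peer Detection detected dead peer!
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.
ESP detected dead peer
Failed to connect ESP tunnel; using HTTPS instead.
Failed to reconnect to host vpn.example.com: Connection timed out
Unrecoverable I/O error; exiting.
"""

RECONNECT_TIMEOUT = re.compile(r"^Failed to reconnect to host (\S+): Connection timed out")


def triage(log_text):
    """Summarise the ESP/HTTPS transport history of an openconnect log."""
    counts = {"esp_up": 0, "esp_dead": 0, "https_dpd_dead": 0, "timeouts": 0}
    transport = None  # last transport the log says was carrying traffic
    for line in log_text.splitlines():
        if line.startswith("ESP tunnel connected"):
            counts["esp_up"] += 1
            transport = "esp"
        elif line.startswith("ESP detected dead peer"):
            counts["esp_dead"] += 1
        elif line.startswith("Failed to connect ESP tunnel; using HTTPS"):
            transport = "https"
        elif line.startswith("GPST Dead Peer Detection detected dead peer"):
            counts["https_dpd_dead"] += 1
        elif RECONNECT_TIMEOUT.match(line):
            counts["timeouts"] += 1
    # Verdict labels are this script's own classification, not openconnect output.
    if counts["timeouts"]:
        verdict = "gateway unreachable over HTTPS too: network path or gateway outage"
    elif counts["esp_dead"] and not counts["https_dpd_dead"]:
        verdict = "only the ESP (UDP) path dies; HTTPS fallback holds"
    elif counts["esp_dead"]:
        verdict = "ESP and HTTPS dead-peer detection both firing: link flapping"
    else:
        verdict = "no dead-peer events"
    return {**counts, "last_transport": transport, "verdict": verdict}
```

Run against a longer `-vvv` capture the same way; the counts tell you whether ESP alone is being dropped (a UDP path problem) or whether the gateway disappears entirely, as in the log above.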