Question on network-manager-openconnect status behavior

Cline, Wade wade.cline at intel.com
Wed Aug 7 09:22:11 PDT 2024


On Wed, Aug 07, 2024 at 09:00:45AM -0400, Ron Rossman Jr wrote:
> Hello!
> 
> I've been using network-manager-openconnect (with the related
> libopenconnect-dev, libopenconnect5,
> network-manager-openconnect-gnome, network-manager-openconnect,
> openconnect, vpnc bits) and it's working great with Palo Alto
> GlobalProtect (both the on-prem and cloud hosted).
> 
> The only issue I've noticed is my VPN tunnel session will apparently
> "time out" and all traffic just stalls until I disconnect from the VPN
> and reconnect. The Network-Manager VPN icon still shows things as the
> VPN link is still up, which throws me for a big loop at first.

Does the timeout happen at a consistent time since the connection was
established?  More specifically, does it happen at half the lifetime
value for the session?  If so then you may be running into the ESP tunnel
failure issue[1].  A workaround is to send SIGUSR2 to the openconnect
process; this will cause the ESP tunnel to immediately close and a TCP
tunnel to be established.

It's also worth noting that we've been observing TCP tunnel failures on
version 10.2.8h4 of the gateway that weren't in 10.2.5h6; these failures
appear to affect the proprietary GlobalProtect client and so do not
appear to be an OpenConnect implementation issue.

Regards,
Wade

[1] https://gitlab.com/openconnect/openconnect/-/issues/683

> I wasn't sure if this was expected behavior or if there's some setting
> I'm missing that would monitor the session inside the tunnel and show
> the VPN link as "down" in a UI way so it's easier to detect this
> timeout case. (I also wasn't sure if this was the right place to send
> this and if this is from the lower level openconnect part or the
> Network-Manager GUI part)
> 
> Thanks!
> 
> Ron Rossman Jr
> 
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
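
The SIGUSR2 workaround from the reply above, wrapped in a small liveness watchdog for the "icon says up, traffic is stalled" case. This is an added example, not part of the original message or of OpenConnect. `PROBE_HOST`, the thresholds, and the function names are assumptions: the probe address must be one that is reachable only through the VPN, and the script must run as a user allowed to signal the openconnect process.

```shell
#!/bin/sh
# Tunnel liveness watchdog (added example; Linux ping/pkill assumed).
# Assumed settings, not taken from the thread:
PROBE_HOST="${PROBE_HOST:-192.0.2.10}"  # placeholder: host only reachable via the VPN
MAX_FAILS="${MAX_FAILS:-3}"             # consecutive failed probes before acting
INTERVAL="${INTERVAL:-10}"              # seconds between probes

fails=0   # consecutive failed probes so far
kicks=0   # number of times SIGUSR2 has been sent

# One ICMP echo with a 2-second timeout; success means traffic still flows.
probe() { ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1; }

# The workaround from the reply: SIGUSR2 to the openconnect process.
kick() { pkill -USR2 -x openconnect; }

# One watchdog iteration. A single lost packet does not trigger recovery;
# only MAX_FAILS failures in a row do, after which the counter restarts.
check_once() {
    if probe; then
        fails=0
        return 0
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$MAX_FAILS" ]; then
        if kick; then
            kicks=$((kicks + 1))
            echo "tunnel stalled: sent SIGUSR2 to openconnect" >&2
        else
            echo "tunnel stalled: no openconnect process could be signalled" >&2
        fi
        fails=0
    fi
    return 0
}

watch_tunnel() {
    while :; do
        check_once
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as: ./watchdog.sh run
if [ "${1:-}" = "run" ]; then
    watch_tunnel
fi
```
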
