Question on network-manager-openconnect status behavior

Ron Rossman Jr ronrossman at gmail.com
Wed Aug 7 11:13:52 PDT 2024


Wade,

The timeout is pretty consistent, so I can see that being the case.

I'll try the SIGUSR2 and see if that works any better.

Thanks!

-- Ron

On Wed, Aug 7, 2024 at 12:22 PM Cline, Wade <wade.cline at intel.com> wrote:
>
> On Wed, Aug 07, 2024 at 09:00:45AM -0400, Ron Rossman Jr wrote:
> > Hello!
> >
> > I've been using network-manager-openconnect (with the related
> > libopenconnect-dev, libopenconnect5,
> > network-manager-openconnect-gnome, network-manager-openconnect,
> > openconnect, vpnc bits) and it's working great with Palo Alto
> > GlobalProtect (both the on-prem and cloud hosted).
> >
> > The only issue I've noticed is my VPN tunnel session will apparently
> > "time out" and all traffic just stalls until I disconnect from the VPN
> > and reconnect. The Network-Manager VPN icon still shows things as the
> > VPN link is still up, which throws me for a big loop at first.
>
> Does the timeout happen at a consistent time since the connection was
> established?  More specifically, does it happen at half the lifetime
> value for the session?  If so then you may be running into the ESP tunnel
> failure issue[1].  A workaround is to send SIGUSR2 to the openconnect
> process; this will cause the ESP tunnel to immediately close and a TCP
> tunnel to be established.
>
> It's also worth noting that we've been observing TCP tunnel failures on
> version 10.2.8h4 of the gateway that weren't in 10.2.5h6; these failures
> appear to affect the proprietary GlobalProtect client and so do not
> appear to be an OpenConnect implementation issue.
>
> Regards,
> Wade
>
> [1] https://gitlab.com/openconnect/openconnect/-/issues/683
>
> > I wasn't sure if this was expected behavior or if there's some setting
> > I'm missing that would monitor the session inside the tunnel and show
> > the VPN link as "down" in a UI way so it's easier to detect this
> > timeout case. (I also wasn't sure if this was the right place to send
> > this and if this is from the lower level openconnect part or the
> > Network-Manager GUI part)
> >
> > Thanks!
> >
> > Ron Rossman Jr
> >
> > _______________________________________________
> > openconnect-devel mailing list
> > openconnect-devel at lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/openconnect-devel
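
An added example, not part of the original thread or of the openconnect project: a small watchdog that probes a host inside the tunnel and sends SIGUSR2 to openconnect after several consecutive failures, combining the in-tunnel monitoring asked about above with the suggested workaround. `PROBE_HOST`, `THRESHOLD`, `INTERVAL` and the `vpn-watchdog` log tag are assumptions, and the script needs enough privilege to signal the openconnect process that NetworkManager started.

```shell
#!/bin/sh
# Added example: watchdog for the stalled-tunnel case described in this thread.
# PROBE_HOST is a placeholder; set it to an address reachable only via the VPN.
PROBE_HOST="${PROBE_HOST:-10.0.0.1}"   # assumed inside-tunnel address
THRESHOLD="${THRESHOLD:-3}"            # consecutive failed probes before acting
INTERVAL="${INTERVAL:-20}"             # seconds between probes

# probe: succeed if one ICMP echo through the tunnel is answered within 3 s.
probe() {
    ping -c 1 -W 3 "$PROBE_HOST" >/dev/null 2>&1
}

# next_failures COUNT RESULT: print the new consecutive-failure count.
next_failures() {
    if [ "$2" = ok ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# should_signal COUNT: true once COUNT has reached THRESHOLD.
should_signal() {
    [ "$1" -ge "$THRESHOLD" ]
}

# kick_openconnect: send SIGUSR2 to every running openconnect process.
kick_openconnect() {
    pids=$(pgrep -x openconnect) || return 1
    # $pids is intentionally unquoted: one argument per PID.
    kill -USR2 $pids
}

# watch_tunnel: loop for as long as an openconnect process exists.
watch_tunnel() {
    failures=0
    while pgrep -x openconnect >/dev/null; do
        if probe; then result=ok; else result=fail; fi
        failures=$(next_failures "$failures" "$result")
        if should_signal "$failures"; then
            logger -t vpn-watchdog "no reply after $failures probes, sending SIGUSR2"
            kick_openconnect
            failures=0
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = run ]; then watch_tunnel; fi
```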


