TCP Sessions get disconnected at 6, 9 hours
Daniel Lenski
dlenski at gmail.com
Mon Feb 19 22:25:54 PST 2024

On Wed, Jan 31, 2024 at 4:16 PM Larry Ploetz <lploetz at gmail.com> wrote:
> I've noticed that all my ssh sessions, regardless of when they start
> relative to the start of openconnect, get disconnected after openconnect
> has been up 6 hours, and 9 hours (about - ± 5 minutes). I assume that
> would happen with other long lasting TCP sessions (I've tried with socat
> a few times and that seems to be the case).

Do you have some reason to think that this has anything to do with
OpenConnect per se, as opposed to being a limitation of the servers
you're connecting to… or perhaps of some other middlebox on the
network?

> I'm using openconnect with GlobalProtect, which has a 12 hour time out.

Other than your ssh sessions getting disconnected after 6/9 hours,
does the VPN connection continue working normally after that? That is,
can you continue opening *new* TCP connections over it?

> Here's my command:
>
> openconnect --csd-wrapper openconnect/trojans/hipreport.sh --protocol=gp --script=/etc/vpnc/vpnc-script --dump-http-traffic --timestamp -vvv --user=larryp --syslog --passwd-on-stdin https://<ELIDED>.com < <ELIDED> > outfile 2> errfile & echo $! > pidfiled

Does it connect over TLS, or over ESP? Are there any messages about a
requirement to periodically resubmit the HIP report?