TCP Sessions get disconnected at 6, 9 hours
Larry Ploetz
lploetz at gmail.com
Sun Feb 25 09:03:44 PST 2024
Sorry, I should have included more information. And thanks for looking
at this!
On 2024-02-24 18:01, Daniel Lenski wrote:
> First off, what is your `openconnect --version`?
# openconnect --version
OpenConnect version v9.12-106-ga79bba7d
Using GnuTLS 3.7.10. Features present: PKCS#11, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): ~/etc/vpnc/vpnc-script
Also the 9 hour disconnect is very iffy. The 6 hour disconnect is very
constant and predictable, and within seconds of 6 hours.
I'll try with
# openconnect --version
OpenConnect version v9.12-122-g65853781
Using GnuTLS 3.8.3. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): ~/etc/vpnc/vpnc-script
soon. Also
# uname -a
Darwin <name>.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:31:00 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T6020 arm64 arm Darwin
> It looks like you're collecting very detailed logs from OpenConnect
> already (`--dump-http-traffic -vvv --timestamp`). What do those logs
> show around the 6- and 9-hour marks? Anything that's unusual? Anything
> *other than* the usual sent-a-packet/received-a-packet traffic?
I've looked at that and not seen anything unusual, but let me examine
more, right at the 6 hour mark. I /think/ the last messages are only the
“add host/add net” messages - I'm not seeing packet traffic in the
stderr log file.
> Are the users of the official PAN GP clients keeping SSH sessions open
> for 6+ hours like you are?
Yes, I believe so. I'll verify.
> Okay, so there's nothing specific to SSH, or even TCP, here. Both TCP
> and UDP connections stop working around the 6/9 hour marks.
Yes, that seems to be the case (with the 9 hour mark being suspect as to
whether it's consistent).
I'll get back with more information.
·Larry