Hello!

We've recently installed a new Cisco ASA, and the Linux guys, including me, use OpenConnect v2.01. We have one issue: it looks like when we disconnect with OpenConnect by pressing ctrl-c, the ASA doesn't close that connection, therefore we cannot reconnect.

Logs/symptoms:

1. Using OpenConnect

1.1. When I open a connection with OpenConnect, a vpn-sessiondb entry shows up:

Username     : hsz                    Index        : 1632
Assigned IP  : 10.32.123.5            Public IP    : 84.0.29.222
Protocol     : Clientless SSL-Tunnel
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 102158335              Bytes Rx     : 20227661
Group Policy : COMPANY1               Tunnel Group : TG-COMPANY1
Login Time   : 19:36:43 MET-DST Tue Sep 15 2009
Duration     : 0h:13m:44s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

It is normal, the same happens when I connect with AnyConnect.

1.2. When I disconnect with OpenConnect, vpn-sessiondb looks like the following:

Username     : hsz                    Index        : 1632
Public IP    : 84.0.29.222
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 99321601               Bytes Rx     : 19746584
Group Policy : COMPANY1               Tunnel Group : TG-COMPANY1
Login Time   : 19:36:43 MET-DST Tue Sep 15 2009
Duration     : 0h:14m:12s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

When I use AnyConnect and I disconnect, there is no vpn-session record associated with the user. I think the problem starts here: OpenConnect doesn't cleanly close the connection. One "Clientless" entry stays stuck on the ASA.

1.3. After that I reconnect with OpenConnect, vpn-sessiondb looks like the following:

Username     : hsz                    Index        : 1632
Public IP    : 84.0.29.222
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 99321914               Bytes Rx     : 19746923
Group Policy : COMPANY1               Tunnel Group : TG-COMPANY1
Login Time   : 19:36:43 MET-DST Tue Sep 15 2009
Duration     : 0h:14m:44s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : hsz                    Index        : 1633
Assigned IP  : 10.32.123.5            Public IP    : 84.0.29.222
Protocol     : Clientless SSL-Tunnel
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 99323307               Bytes Rx     : 19746923
Group Policy : COMPANY1               Tunnel Group : TG-COMPANY1
Login Time   : 19:51:23 MET-DST Tue Sep 15 2009
Duration     : 0h:00m:04s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Two entries for one user. There is no traffic through the VPN - specifically, if I ping a host inside the VPN, the packet goes through the destination device, the ping reply comes back - but the ASA can't handle it: there is more than one entry for the user.

In addition, when I manually disconnect the stuck session (vpn-sessiondb logoff index 1632), the newly built openconnect (index 1633) starts working immediately.

2. Logs

Relevant ASA logs when I disconnect with AnyConnect:

Sep 15 20:00:19 %ASA-5-722012: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..
Sep 15 20:00:19 %ASA-5-722037: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC closing connection: User Requested.
Sep 15 20:00:19 %ASA-7-609002: Teardown local-host outside:10.32.123.5 duration 0:00:18
Sep 15 20:00:19 %ASA-6-716002: Group <COMPANY1> User <hsz> IP <84.0.29.222> WebVPN session terminated: User Requested.
Sep 15 20:00:19 %ASA-4-113019: Group = TG-COMPANY1, Username = hsz, IP = 84.0.29.222, Session disconnected. Session Type: SSL, Duration: 0h:00m:20s, Bytes xmt: 99324826, Bytes rcv: 19753888, Reason: User Requested
Sep 15 20:00:19 %ASA-6-737014: IPAA: Freeing AAA address 10.32.123.5
Sep 15 20:00:19 %ASA-6-302014: Teardown TCP connection 260869 for outside:84.0.29.222/41521 to identity:ASA-IP/443 duration 0:00:18 bytes 3130 TCP FINs
Sep 15 20:00:19 %ASA-6-722023: Group <COMPANY1> User <hsz> IP <84.0.29.222> TCP SVC connection terminated with compression
Sep 15 20:00:19 %ASA-7-722029: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC Session Termination: Conns: 1, DPD Conns: 0, Comp resets: 0, Dcmp resets: 0.
Sep 15 20:00:19 %ASA-7-722030: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC Session Termination: In: 0 (+61) bytes, 0 (+1) packets, 0 drops.
Sep 15 20:00:19 %ASA-7-722031: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC Session Termination: Out: 1393 (+23) bytes, 1 (+1) packets, 0 drops.
Sep 15 20:00:19 %ASA-6-725007: SSL session with client outside:84.0.29.222/41521 terminated.
Sep 15 20:00:24 %ASA-6-302014: Teardown TCP connection 260867 for outside:84.0.29.222/41516 to identity:ASA-IP/443 duration 0:00:24 bytes 305 TCP Reset-O
Sep 15 20:00:24 %ASA-6-725007: SSL session with client outside:84.0.29.222/41516 terminated.
Sep 15 20:00:24 %ASA-6-302014: Teardown TCP connection 260866 for outside:84.0.29.222/41515 to identity:ASA-IP/443 duration 0:00:24 bytes 268 TCP Reset-O
Sep 15 20:00:24 %ASA-7-609002: Teardown local-host outside:84.0.29.222 duration 0:00:24
Sep 15 20:00:24 %ASA-6-725007: SSL session with client outside:84.0.29.222/41515 terminated.

Relevant ASA logs when I disconnect with OpenConnect (much shorter):

Sep 15 20:03:47 %ASA-3-722009: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC Message: 3/CRITICAL: lient received SIGINT.
Sep 15 20:03:47 %ASA-5-722037: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC closing connection: Transport closing.
Sep 15 20:03:47 %ASA-6-302014: Teardown TCP connection 260873 for outside:84.0.29.222/41831 to identity:ASA-IP/443 duration 0:00:19 bytes 5607 TCP Reset-O
Sep 15 20:03:47 %ASA-7-609002: Teardown local-host outside:84.0.29.222 duration 0:00:19
Sep 15 20:03:47 %ASA-6-722023: Group <COMPANY1> User <hsz> IP <84.0.29.222> TCP SVC connection terminated with compression
Sep 15 20:03:47 %ASA-6-725007: SSL session with client outside:84.0.29.222/41831 terminated.

I clearly see two differences: by disconnecting with OpenConnect, the ASA doesn't close this "WebVPN" thing and there is no "Freeing AAA address" line.

How is it suggested to close the VPN connections with openconnect - ctrl+c should work? Why doesn't openconnect close that "WebVPN", like anyconnect does?

If you need more information or logs, please let me know. I'm using Debian GNU/Linux 5.0.

regards,
Szabolcs
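
Added example, not part of the original post: a small Python check built on the log difference described above. It flags every 722037 "SVC closing connection" that is not followed by a 716002 "WebVPN session terminated" for the same user and IP; treating that gap as a leftover session is a heuristic taken from the poster's observation, and the sample lines are copied (abridged) from the logs in the post.

```python
import re

# Sample input: lines copied from the post, reduced to the messages the check reads.
ANYCONNECT_LOG = """\
Sep 15 20:00:19 %ASA-5-722037: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC closing connection: User Requested.
Sep 15 20:00:19 %ASA-6-716002: Group <COMPANY1> User <hsz> IP <84.0.29.222> WebVPN session terminated: User Requested.
Sep 15 20:00:19 %ASA-6-737014: IPAA: Freeing AAA address 10.32.123.5
"""
OPENCONNECT_LOG = """\
Sep 15 20:03:47 %ASA-3-722009: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC Message: 3/CRITICAL: lient received SIGINT.
Sep 15 20:03:47 %ASA-5-722037: Group <COMPANY1> User <hsz> IP <84.0.29.222> SVC closing connection: Transport closing.
Sep 15 20:03:47 %ASA-6-722023: Group <COMPANY1> User <hsz> IP <84.0.29.222> TCP SVC connection terminated with compression
"""

# "<Mon> <day> <time> %ASA-<severity>-<message id>: <text>"
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
WHO = re.compile(r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>")


def find_stale_sessions(log_text):
    """Return tunnel closes (722037) that have no later WebVPN termination
    (716002) for the same user and public IP."""
    pending = {}  # (user, ip) -> details of the close still waiting for 716002
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        who = WHO.search(line["msg"])
        if not who:
            continue  # e.g. 737014 carries no user field, so it cannot be correlated here
        key = (who["user"], who["ip"])
        if line["id"] == "722037":
            reason = line["msg"].rsplit("SVC closing connection:", 1)[-1].strip(" .")
            pending[key] = {"user": who["user"], "ip": who["ip"],
                            "closed_at": line["ts"], "reason": reason}
        elif line["id"] == "716002":
            pending.pop(key, None)  # session fully torn down on the ASA
    return list(pending.values())


if __name__ == "__main__":
    for name, text in (("AnyConnect", ANYCONNECT_LOG), ("OpenConnect", OPENCONNECT_LOG)):
        print(name, find_stale_sessions(text))
```

Each hit is a candidate for `vpn-sessiondb logoff index ...`, the manual cleanup the post reports as restoring traffic.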