Hello,

David Woodhouse <dwmw2 at infradead.org> wrote (15 September 2009, 21:27):
> On Tue, 2009-09-15 at 21:17 +0200, Horváth Szabolcs wrote:
>>
>> cstp_bye() is called:
>>
>> Connected mycompany.tun0 as internal.ip, using SSL + deflate
>> [...]
>> Send BYE packet: Client received SIGINT
>
> Right. So we need to work out what the server is expecting the client to
> do when it disconnects.
>

Please note that I'm not a programmer, I just want to solve this issue.

Today I had some time to sniff this SSL VPN connection:
http://www.novell.com/communities/node/1606/decrypting+ssl+traffic+troubleshoot+nam

I found that the disconnection mechanism is cstp_bye() in cstp.c.

1. When I disconnect with OpenConnect, the following happens (output from od -c):

0010440 377 377   7 250 035 343   S   T   F 001  \0 026 005  \0   C   l
0010460   i   e   n   t       r   e   c   e   i   v   e   d       S   I
0010500   G   I   N   T
0010504

It seems that openconnect sends this packet with SSL_write() and the connection closes. The connection entry gets stuck on the Cisco ASA.

Log on the ASA's side:

Sep 16 16:35:13 %ASA-3-722009: Group <IQSYS-ADM> User <hsz> IP <client.ip> SVC Message: 3/CRITICAL: lient received SIGINT.
Sep 16 16:35:13 %ASA-5-722037: Group <IQSYS-ADM> User <hsz> IP <client.ip> SVC closing connection: Transport closing.
Sep 16 16:35:13 %ASA-6-722023: Group <IQSYS-ADM> User <hsz> IP <client.ip> TCP SVC connection terminated with compression

Strange: "lient received SIGINT." ???

2. When I disconnect with AnyConnect (output from od -c):

0006000 352   S   T   F 001  \0   5 005  \0 260   T   h   e       u   s
0006020   e   r       h   a   s       r   e   q   u   e   s   t   e   d
0006040       t   o       d   i   s   c   o   n   n   e   c   t       t
0006060   h   e       c   o   n   n   e   c   t   i   o   n   .
0006076

It seems that anyconnect sends this packet and closes the connection. The connection entry is freed on the Cisco ASA.

Packet analysis:

bye_pkt[0-3] = 'S', 'T', 'F', 1;      -- ok
bye_pkt[4] = reason_len >> 8;         -- 0, ok
bye_pkt[5] = reason_len & 0xff;       -- "5" or dec(53), ok
bye_pkt[6] = AC_PKT_DISCONN = 5;      -- ok
bye_pkt[7] = 0;                       -- ok

I've no idea what the octal(260) is at bye_pkt[8]. The quit message starts from bye_pkt[9].

3. Rude hack in mainloop.c:

//vpninfo->quit_reason = "Client received SIGINT";
vpninfo->quit_reason = "\xb0The user has requested to disconnect the connection.";

make, etc.

0010000   A   E   S   1   2   8   -   S   H   A  \r  \n  \r  \n   S   T
0010020   F 001  \0   5 005  \0 260   T   h   e       u   s   e   r
0010040   h   a   s       r   e   q   u   e   s   t   e   d       t   o
0010060       d   i   s   c   o   n   n   e   c   t       t   h   e
0010100   c   o   n   n   e   c   t   i   o   n   .   S   T   F 001  \0
0010120 017 005  \0 260   U   s   e   r       R   e   q   u   e   s   t
0010140   e   d
0010142

The ASA replies back with "STF 0x01 0x00 0x0f 0x05 0xb0 User Requested" and closes the connection. Wow. The connection entry is freed on the Cisco ASA!

Log on the ASA's side:

Sep 16 16:34:42 %ASA-5-722012: Group <IQSYS-ADM> User <hsz> IP <client.ip> SVC Message: 16/NOTICE: The user has requested to disconnect the connection..
Sep 16 16:34:42 %ASA-5-722037: Group <IQSYS-ADM> User <hsz> IP <client.ip> SVC closing connection: User Requested.
Sep 16 16:34:42 %ASA-6-716002: Group <IQSYS-ADM> User <hsz> IP <client.ip> WebVPN session terminated: User Requested.
Sep 16 16:34:42 %ASA-4-113019: Group = TG-IQSYS-ADM, Username = hsz, IP = client.ip, Session disconnected. Session Type: SSL, Duration: 0h:00m:10s, Bytes xmt: 112024282, Bytes rcv: 21820106, Reason: User Requested

As far as I can understand, there is something new in the disconnect message (0xb0 before the "The user has requested to disconnect the connection." message). I know this is a rude hack, but it works for me.

The tcpdump output can be found at http://hsz.tmp.hu/openconnect-bug.zip (only the few last important bytes).

What else should I test?

Szabolcs

ps.: starting tomorrow I will be on an off-site training without any access to my test environment. Apologies for the late reply.
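As an added example (not OpenConnect's own cstp.c code), the BYE framing worked out in the dumps above, in C: a builder that reproduces the AnyConnect packet byte for byte, and a parser that checks the length field against the bytes actually received before trusting it. Treating the byte at bye_pkt[8] as a separate leading flag is an assumption drawn from the dumps; the thread does not say what 0xb0 means.

```c
/* Added example, not OpenConnect's cstp.c: build and decode the CSTP BYE
 * packet seen in the dumps above. Layout taken from the od output:
 * "STF", 0x01, reason_len (big-endian 16-bit), AC_PKT_DISCONN (5), 0x00,
 * then reason_len bytes. Modelling the first reason byte (0xb0) as a
 * separate flag is an assumption; the thread does not say what it means. */
#include <stdint.h>
#include <string.h>

#define AC_PKT_DISCONN 5
#define CSTP_HDR_LEN   8

/* Build a BYE packet into buf. Returns total length, or -1 if it does not fit
 * in buf or in the 16-bit length field. */
int build_cstp_bye(uint8_t *buf, size_t cap, uint8_t flag, const char *reason)
{
    size_t rlen = strlen(reason) + 1;   /* flag byte + text, no NUL on the wire */

    if (rlen > 0xffff || CSTP_HDR_LEN + rlen > cap)
        return -1;
    buf[0] = 'S'; buf[1] = 'T'; buf[2] = 'F'; buf[3] = 1;
    buf[4] = (uint8_t)(rlen >> 8);
    buf[5] = (uint8_t)(rlen & 0xff);    /* 0x35 = '5' for the AnyConnect text */
    buf[6] = AC_PKT_DISCONN;
    buf[7] = 0;
    buf[8] = flag;                      /* the octal 260 / 0xb0 byte */
    memcpy(buf + 9, reason, rlen - 1);
    return (int)(CSTP_HDR_LEN + rlen);
}

/* Decode a BYE packet. Rejects a bad magic, a non-DISCONN type, and a length
 * field that disagrees with the bytes actually received. Returns 0 on success;
 * text is NUL-terminated, so text_cap must be at least rlen bytes. */
int parse_cstp_bye(const uint8_t *pkt, size_t len, uint8_t *flag,
                   char *text, size_t text_cap)
{
    if (len < CSTP_HDR_LEN + 1 || memcmp(pkt, "STF\x01", 4) != 0)
        return -1;
    size_t rlen = ((size_t)pkt[4] << 8) | pkt[5];
    if (pkt[6] != AC_PKT_DISCONN || pkt[7] != 0 || rlen < 1 ||
        CSTP_HDR_LEN + rlen != len || rlen > text_cap)
        return -1;
    *flag = pkt[8];
    memcpy(text, pkt + 9, rlen - 1);
    text[rlen - 1] = '\0';
    return 0;
}
```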