On Fri, 2011-09-09 at 14:04 -0700, sebastian.moeller wrote:
>
> happy user of openconnect under macosx here. Recently I ran into issues
> with a recently updated ASA. DTLS kept on dropping (and until the
> first message of the fall back to https the vpn did not work at all)
> This sounds very similar to the issue tackled in one of the recent
> commits. Only in my case the solution was to fix my version of
> openssl. Version 1.0.0.d has a known issue with a timer that seemed to
> have caused the problem in my case.

Ah, thanks for this information. I thought those retransmits of the
ChangeCipherSpec and Finished messages were *supposed* to happen. Since
we don't get a response back from the server, we have no way of knowing
they were received... so if we don't make *sure* by retransmitting
occasionally, then *all* our data packets could be lost.

I think the biggest issue is that our ChangeCipherSpec messages are
"malformed", according to the Cisco server. Because the *retransmit*
code doesn't have the special case to do the Cisco non-RFC-compliant
version of the ChangeCipherSpec message.

My attempts to remedy that didn't seem to help, and I don't really want
to make people wait for a new version of OpenSSL, so the call to
dtls1_stop_timer() seems to be the best approach for now, I think.

-- 
dwmw2