On Tue, 2013-07-02 at 13:20 +0200, Thomas Richter wrote:
> Dear openconnect members,
>
> how can it happen that from some access points, openconnect does not get
> any type of connection at all? This happened yesterday at the Vienna
> airport, with the attached connection log. At that point, openconnect
> just got stuck, no further log output, but no tunnel either.
>
> The cisco anyconnect client was successful under the very same
> situation, so I wonder what was going on there? The vpn endpoint was
> reachable.

Looks like a typical broken firewall on the server side. You request a
page, over a link which has an MTU lower than the normal 1500 bytes.
Perhaps the location you were connecting from was through a tunnel or a
PPPoE link or something?

Server tries to send a 1500-byte packet to you. Some intermediate router
realises it won't fit into the tunnel/PPPoE/whatever and sends back an
ICMP "needs fragmentation" error. The server is *supposed* to see that,
and resend the data in smaller packets. If a broken firewall eats the
ICMP, the server never notices and just keeps sending the same too-big
packets over and over again.

If you reduce the MTU on your *local* Ethernet, does that make things
work? It'll set the MSS in the TCP negotiation lower, so the server
won't send packets which are as large.

Not entirely sure what the Cisco client would be doing differently. If
you could capture its connection with tcpdump, and the openconnect one,
we could compare. Perhaps it's lowering its MSS somehow; is there a
sockopt that will do that?

But really, the right fix is to round up all the sysadmins who like to
block ICMP, and break their fingers.

-- 
dwmw2