On Thu, Apr 17, 2014 at 6:18 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> On Thu, Apr 17, 2014 at 2:29 PM, John Hendy <jw.hendy at gmail.com> wrote:
>> I finally got openconnect to work with my company's Cisco VPN system
>> via some various help from the web and a co-worker on setting up a
>> csd-wrapper. However, I'm getting constant disconnection/reconnection
>> behaviors. Here's the output from my recent session:
>> - http://pastebin.com/wyHTzjwR
>>
>> That error is generated every few seconds. One internal site seems to
>> go on operating reasonably fine (though very slow), while my company
>> mail client (browser-based) won't send any emails and requests
>> frequent re-authentication.
>>
>> Here's the ~/.cisco/csd-wrapper.sh script used:
>
> I would not expect the CSD wrapper to interfere with a connection that
> has already been established. It should be a one-shot deal,
> pre-logon.
>
> Can you confirm that cstub isn't running in the background while the
> connection is up?

I'm vpn'd in right now, and did `ps ax | grep -i cstub` with no hits.
Just in case, though, I did `ps as | grep -i cs` and get a hit for cscan:

 8731 pts/0    S+     0:00 sudo openconnect --csd-wrapper /home/jwhendy/.cisco/csd-wrapper.sh --csd-user jwhendy gra.3m.com
 8732 pts/0    S+     0:00 openconnect --csd-wrapper /home/jwhendy/.cisco/csd-wrapper.sh --csd-user jwhendy gra.3m.com
 8733 pts/0    Z+     0:00 [csd-wrapper.sh] <defunct>
 8757 pts/0    S+     0:00 /home/jwhendy/.cisco/hostscan/bin/cscan

It looks like what you thought: csd-wrapper gets run and then stops
(when I quit openconnect, that defunct entry goes away). I also noticed
that when re-checking after being vpn'd for ~10min (with openconnect
still going), the cscan entry wasn't there anymore, either. I quit and
restarted openconnect and it looks like it ran for ~1min.

>> Is this the case of a simple openconnect argument I'm not using/need
>> to specify or something else?
>> Consider me completely ignorant with
>> respect to network/tunneling/etc., but I'm happy to collect any other
>> information suggested and post back. This is what seemed obvious to
>> start with, and I couldn't find any hits for the exact error I'm
>> getting. In fact, searching google for the exact phrase "SSL read
>> error: The TLS connection was non-properly terminated" only gets me
>> the pastebin I just posted.
>>
>> Is this an error message specific to my company, or should these
>> messages be standard across all of them?
>
> The error corresponds to GNUTLS_E_PREMATURE_TERMINATION
>
> I think this means that we were expecting to read a TLS record, but
> the connection was unexpectedly closed. You could check this with
> tcpdump/wireshark and see if there is a TCP RST originating from the
> other side.
>

I've got tcpdump running with `tcpdump -i wlan0`, but (of course), I
can't get the issue to replicate now. I was at a coffee shop earlier and
am now at home, but it's happened at home as well, so perhaps I just
need to wait and then post back. Not having done this before, would I
just copy the output of tcpdump here near the time the SSL errors are
occurring? Is there any sensitive information from that I need to
redact?
Current output looks like this (sorry for over-censoring...):

19:09:01.574979 IP xxx.com.https > bigBang.60453: Flags [P.], seq xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 1429
19:09:01.575013 IP xxx.com.https > bigBang.60453: Flags [P.], seq xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 229
19:09:01.575028 IP bigBang.60453 > xxx.com.https: Flags [.], ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:01.594260 IP xxx.com.https > bigBang.60453: Flags [.], ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:01.594293 IP bigBang.60453 > xxx.com.https: Flags [P.], seq xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 170
19:09:01.620287 IP xxx.com.https > bigBang.60453: Flags [.], ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:01.691203 IP xxx.com.https > bigBang.60453: Flags [P.], seq xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 101
19:09:01.730066 IP bigBang.60453 > xxx.com.https: Flags [.], ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 0
19:09:02.099072 IP bigBang.60453 > xxx.com.https: Flags [P.], seq xxx:xxx, ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 309
19:09:02.128060 IP xxx.com.https > bigBang.60453: Flags [.], ack xxx, win xxx, options [nop,nop,TS val xxx ecr xxx], length 0

I'll pass along this info for now, and will just let openconnect run
until if and when it starts reconnecting, posting back with tcpdump
output. I also plan to remove my current version and install the git
version from Arch's AUR:
- https://aur.archlinux.org/packages/openconnect-git/

I'll try and reproduce the issue with that version and also report back
on the results.

> What versions of openconnect and GnuTLS are you running? Have you
> tried upgrading?

Garsh. I'm realizing that what I thought was a decent first email lacked
some critical information... sorry!
Arch Linux, x86_64

$ uname -a
Linux bigBang 3.14.1-1-ARCH #1 SMP PREEMPT Mon Apr 14 20:40:47 CEST 2014 x86_64 GNU/Linux

$ sudo pacman -Qi openconnect   # Arch's versioning... which appears different than the below
Name           : openconnect
Version        : 1:5.03-1
Description    : Open client for Cisco AnyConnect VPN
Architecture   : x86_64
URL            : http://www.infradead.org/openconnect.html
Licenses       : GPL
Groups         : None
Provides       : None
Depends On     : libxml2  gnutls  libproxy  vpnc
Optional Deps  : None
Required By    : None
Optional For   : None
Conflicts With : None
Replaces       : None
Installed Size : 1157.00 KiB
Packager       : Bartłomiej Piotrowski <bpiotrowski at archlinux.org>
Build Date     : Wed 26 Feb 2014 12:34:44 AM CST
Install Date   : Wed 26 Mar 2014 08:13:19 PM CDT
Install Reason : Explicitly installed
Install Script : No
Validated By   : Signature

$ openconnect --version
OpenConnect version v5.03
Using GnuTLS. Features present: PKCS#11, DTLS

$ sudo pacman -Q | grep gnutls
gnutls 3.3.0-1

Many thanks for the quick reply,
John

P.S. Probably not the place to do this, but since the page welcomes
updates... the list of available packages page could be updated to list
Arch Linux.
- http://www.infradead.org/openconnect/packages.html

Something like (to steal from Fedora's entry):

Arch Linux - Both openconnect and network-manager-openconnect packages
are included in the Arch Linux extra repository. Install with
`# pacman -S openconnect` or `# pacman -S network-manager-openconnect`.

(Whether or not they are truly up to date would be openconnect's call;
the current version is 5.03, but I see 5.99 is out. Then again, the
package is flagged out of date, so it should be updated soon:
https://www.archlinux.org/packages/?name=openconnect.)
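A small checker for the tcpdump summary format pasted in the thread, added here as an example and not part of the original exchange or of openconnect: it parses the one-line-per-packet output and reports any RST or FIN sent from the gateway side (the endpoint tcpdump renders as `.https`), which is the check suggested above for deciding whether GNUTLS_E_PREMATURE_TERMINATION comes from the remote side closing the connection. The sample capture is constructed; its `[R.]` line is made up so the check has something to find, and `bigBang`/`xxx.com` are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the one-line-per-packet format tcpdump prints without -v.
# The first two lines mirror the thread's capture; the [R.] line is made up so the
# detector has something to find (hostnames and ports are placeholders).
SAMPLE_CAPTURE = """\
19:09:01.574979 IP xxx.com.https > bigBang.60453: Flags [P.], seq 1:1430, ack 1, win 501, options [nop,nop,TS val 1 ecr 1], length 1429
19:09:01.575028 IP bigBang.60453 > xxx.com.https: Flags [.], ack 1430, win 501, options [nop,nop,TS val 1 ecr 1], length 0
19:09:05.120000 IP xxx.com.https > bigBang.60453: Flags [R.], seq 1430, ack 171, win 0, length 0
19:09:05.120500 IP bigBang.60453 > xxx.com.https: Flags [.], ack 1430, win 501, length 0
"""

# Timestamp, source, destination and the TCP flag letters from one summary line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text: str) -> List[Dict[str, str]]:
    """Return one dict per parsable TCP line; non-TCP or malformed lines are skipped."""
    packets = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            packets.append(match.groupdict())
    return packets


def find_remote_teardowns(packets: List[Dict[str, str]],
                          gateway_port: str = "https") -> List[Tuple[str, str, str]]:
    """List (timestamp, flags, src) for every RST (R) or FIN (F) the gateway sent.

    The gateway is identified by its source endpoint ending in `.<gateway_port>`,
    which is how tcpdump renders port 443 when it resolves service names.
    A hit next to a "SSL read error" timestamp in the openconnect log points at
    the remote side closing the TLS session rather than a local problem.
    """
    hits = []
    for pkt in packets:
        from_gateway = pkt["src"].endswith("." + gateway_port)
        if from_gateway and ("R" in pkt["flags"] or "F" in pkt["flags"]):
            hits.append((pkt["ts"], pkt["flags"], pkt["src"]))
    return hits


if __name__ == "__main__":
    for ts, flags, src in find_remote_teardowns(parse_tcpdump(SAMPLE_CAPTURE)):
        print(f"{ts}: gateway {src} sent [{flags}]")
```

Feed it a real capture saved from `tcpdump -i wlan0` and compare the reported timestamps with the times of the "SSL read error" lines in the openconnect output.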