ocserv:could not determine the owner of received UDP packet

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2014-04-18 at 11:15 -0700, Kevin Cernekee wrote:
> On Fri, Apr 18, 2014 at 1:51 AM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
> > That means that the session (TCP/TLS) has timed out, but the phone
> > continues sending DTLS UDP packets and expecting the server to reply.
> > There is not much the server can do, as the session's credentials no
> > longer exist. What you could do is try to play with the various
> > timeout values in the server's configuration and see which one fits
> > your mobile better. In that case let us know.
> 
> FWIW, Cisco notes that DPD is used by their software to figure out
> when to fall back from DTLS to TLS:
> http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html#wp1090425
> Setting a more aggressive DPD interval could help the client determine
> that it needs to reconnect.  The downside is that DPD packets sent
> from the gateway will often cause wakeups on a sleeping mobile device,
> affecting battery life.

I'm afraid that there is something not nice there. The server shouldn't
have disassociated the UDP session from that process, not unless the
client changed its port, or it's some issue of the linux kernel (the udp
fd passing we do to the appropriate process is pretty undocumented).

I'd hope it is the former, but even in that case I don't see an easy
solution. Maybe just disable UDP/DTLS for these clients, or force the
DPD to less than 1.50 mins.

regards,
Nikos





[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux