On Sat, 2014-11-15 at 10:04 +0000, David Woodhouse wrote:
> > So the issue is to figure who is sending the UDP packets without an
> > associated TCP session.
> >
> If a client is afflicted by NAT, especially CG-NAT, it's possible that
> separate connections may appear to come from *different* IP addresses.
> Some NAT setups have a *pool* of public-facing addresses.

Clients behind these NAT types will have no issue as long as the NAT keeps the UDP association. If it is lost, there is nothing in the received packets that could allow ocserv to reassociate the session with the correct server. The recovery of such clients would depend on the timeout of the openconnect client (after which a new DTLS session will be established).

regards,
Nikos
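The failure mode Nikos describes, as an added, constructed example (not ocserv or openconnect code): a server that keys incoming UDP datagrams to sessions only by their source address. The class and method names (`UdpDispatcher`, `associate`, `dispatch`, `expire`) and the addresses are assumptions for illustration. Once the NAT mapping changes, a datagram from the new address matches no session and, with no session identifier in the payload, can only be dropped; the association is restored only when the client times out and completes a fresh DTLS handshake.

```python
"""Constructed model of UDP-to-session association keyed on source address.

Added example, not ocserv code. It shows why a datagram arriving from a source
address the server has never associated with a session cannot be routed when the
packet itself carries no session identifier, and that the server can only drop
such datagrams and wait for the client to re-establish the DTLS session.
"""
from typing import Dict, Optional, Tuple

Peer = Tuple[str, int]  # (ip, port) as seen by the server after NAT


class UdpDispatcher:
    """Maps UDP source addresses to session ids; payloads are opaque."""

    def __init__(self, dtls_timeout: float) -> None:
        self.dtls_timeout = dtls_timeout          # seconds before a client re-handshakes
        self.peer_to_session: Dict[Peer, str] = {}  # current UDP association per session
        self.last_seen: Dict[str, float] = {}        # session id -> last UDP activity
        self.dropped = 0                             # datagrams with no association

    def associate(self, session_id: str, peer: Peer, now: float) -> None:
        """Record the peer address after a DTLS handshake tied to an existing TCP session."""
        # Drop any stale mapping for this session so only one peer routes to it.
        for old_peer, sid in list(self.peer_to_session.items()):
            if sid == session_id:
                del self.peer_to_session[old_peer]
        self.peer_to_session[peer] = session_id
        self.last_seen[session_id] = now

    def dispatch(self, peer: Peer, payload: bytes, now: float) -> Optional[str]:
        """Return the session id for a datagram, or None when it cannot be associated.

        The payload is intentionally unused: nothing inside an application-data
        datagram identifies the session, so the source address is the only key.
        """
        session_id = self.peer_to_session.get(peer)
        if session_id is None:
            self.dropped += 1
            return None
        self.last_seen[session_id] = now
        return session_id

    def expire(self, now: float) -> None:
        """Forget associations idle longer than the DTLS timeout."""
        stale = [sid for sid, t in self.last_seen.items() if now - t > self.dtls_timeout]
        for sid in stale:
            del self.last_seen[sid]
            for peer, mapped in list(self.peer_to_session.items()):
                if mapped == sid:
                    del self.peer_to_session[peer]


def nat_rebind_scenario() -> dict:
    """Walk through a NAT mapping change and the client-driven recovery.

    Addresses below are constructed (documentation ranges), not real endpoints.
    """
    d = UdpDispatcher(dtls_timeout=30.0)
    first_peer: Peer = ("203.0.113.5", 40000)
    d.associate("sess-1", first_peer, now=0.0)

    before = d.dispatch(first_peer, b"dtls-app-data", now=1.0)  # routed normally

    # The NAT loses its binding and the next datagram exits from a different
    # public address in the pool: no mapping exists, the packet is dropped.
    rebound_peer: Peer = ("203.0.113.7", 40123)
    during = d.dispatch(rebound_peer, b"dtls-app-data", now=2.0)

    # Only after the client's DTLS timeout does it re-handshake over the still
    # valid TCP session, which lets the server associate the new address.
    d.expire(now=40.0)
    d.associate("sess-1", rebound_peer, now=40.0)
    after = d.dispatch(rebound_peer, b"dtls-app-data", now=41.0)

    return {"before": before, "during": during, "after": after, "dropped": d.dropped}


if __name__ == "__main__":
    print(nat_rebind_scenario())
```

The `dropped` counter is the signal a defender would want exposed as a metric: a rising count of unassociated DTLS datagrams from a given address pool points at NAT rebinding rather than at a session logic error, and the recovery time is bounded by the client's DTLS timeout, not by anything the server can do.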