Hi,

On Sun, Nov 16, 2014 at 11:01 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Sat, 2014-11-15 at 19:55 +0200, İsmail Dönmez wrote:
>> Hi,
>>
>> On Sat, Nov 15, 2014 at 5:19 PM, İsmail Dönmez <ismail at donmez.ws> wrote:
>> > Hi,
>> >
>> > On Sat, Nov 15, 2014 at 5:03 PM, Nikos Mavrogiannopoulos
>> > <nmav at gnutls.org> wrote:
>> >> An untested patch for openconnect follows. Would that Ismail fix the
>> >> issue you notice?
>> >
>> > Testing the patch now, but...
>> >
>> >> (in an unrelated issue for some reason DPD detection here didn't work
>> >> for DTLS which didn't try to reconnect - I don't know if Ismail has the
>> >> output of openconnect)
>> >
>> > I don't have the openconnect logs BUT it said DPD detected and
>> > reconnect, this is when the ocserv sets up the second connection and
>> > at this point everything goes berserk.
>>
>> Patch didn't help, here is the openconnect(.git) logs:
>
> Hi,
> Thanks to tcpkill I managed to simulate your use case. Could you try
> the openconnect patch as well as the latest ocserv in git?

This version seems to be creating a new session every minute.

On the client side:

POST https://i10z.com:1443/
Attempting to connect to server 104.40.138.253:1443
SSL negotiation with i10z.com
Connected to HTTPS on i10z.com
XML POST enabled
Please enter your username
POST https://i10z.com:1443/auth
Please enter your password.
Password:
POST https://i10z.com:1443/auth
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 440, Keepalive 32400
Connected tun1 as 10.10.0.121, using SSL
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Resource temporarily unavailable, try again.

On the server side:

Nov 16 10:42:42 i10z ocserv[45018]: sec-mod: performing maintenance
Nov 16 10:42:42 i10z ocserv[45018]: sec-mod: active sessions 0, banned entries 0
Nov 16 10:41:58 i10z ocserv[45017]: message repeated 3 times: [ main: new DTLS session from 212.156.31.134:51296 (record v254.255, hello v1.0)]
Nov 16 10:43:03 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:22620 (record v254.255, hello v1.0)
Nov 16 10:43:21 i10z ocserv[45017]: message repeated 2 times: [ main: new DTLS session from 212.156.31.134:22620 (record v254.255, hello v1.0)]
Nov 16 10:44:21 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:9870 (record v254.255, hello v1.0)
Nov 16 10:44:37 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:9870 (record v254.255, hello v1.0)
Nov 16 10:45:36 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:22008 (record v254.255, hello v1.0)
Nov 16 10:46:13 i10z ocserv[45017]: message repeated 2 times: [ main: new DTLS session from 212.156.31.134:22008 (record v254.255, hello v1.0)]
Nov 16 10:47:13 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:24857 (record v254.255, hello v1.0)
Nov 16 10:47:42 i10z ocserv[45018]: sec-mod: performing maintenance
Nov 16 10:47:42 i10z ocserv[45018]: sec-mod: active sessions 0, banned entries 0
Nov 16 10:47:43 i10z ocserv[45017]: message repeated 2 times: [ main: new DTLS session from 212.156.31.134:24857 (record v254.255, hello v1.0)]
Nov 16 10:48:43 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:2323 (record v254.255, hello v1.0)
Nov 16 10:49:13 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:2323 (record v254.255, hello v1.0)
Nov 16 10:50:13 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:29242 (record v254.255, hello v1.0)

The connection never dropped, I am still running it to see if it breaks. But the speed really got slowed down. I would get 500-600kb/s easily; now I only get 100kb/s.

Thanks!
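The ocserv excerpt above shows one client address reappearing with a fresh UDP source port roughly every minute, which is what "a new session every minute" looks like in syslog. The Python below is an added example, not part of this thread and not code from the ocserv or openconnect projects: it parses those syslog lines (expanding the "message repeated N times" compression, whose timestamp is that of the first repeat and can therefore appear out of order), summarizes per-source-IP DTLS session attempts, and flags addresses that present several distinct source ports within a short window. The log lines are copied from the message; the thresholds `window_s` and `min_ports` are assumed values that an operator would tune to the deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Server-side lines copied from the ocserv log in the message above.
SAMPLE_LOG = """\
Nov 16 10:42:42 i10z ocserv[45018]: sec-mod: performing maintenance
Nov 16 10:42:42 i10z ocserv[45018]: sec-mod: active sessions 0, banned entries 0
Nov 16 10:41:58 i10z ocserv[45017]: message repeated 3 times: [ main: new DTLS session from 212.156.31.134:51296 (record v254.255, hello v1.0)]
Nov 16 10:43:03 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:22620 (record v254.255, hello v1.0)
Nov 16 10:43:21 i10z ocserv[45017]: message repeated 2 times: [ main: new DTLS session from 212.156.31.134:22620 (record v254.255, hello v1.0)]
Nov 16 10:44:21 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:9870 (record v254.255, hello v1.0)
Nov 16 10:44:37 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:9870 (record v254.255, hello v1.0)
Nov 16 10:45:36 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:22008 (record v254.255, hello v1.0)
Nov 16 10:46:13 i10z ocserv[45017]: message repeated 2 times: [ main: new DTLS session from 212.156.31.134:22008 (record v254.255, hello v1.0)]
Nov 16 10:47:13 i10z ocserv[45017]: main: new DTLS session from 212.156.31.134:24857 (record v254.255, hello v1.0)
"""

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# syslog's duplicate-suppression wrapper; the inner message is the original line.
REPEAT_RE = re.compile(r"^message repeated (?P<n>\d+) times: \[ ?(?P<msg>.*)\]$")
DTLS_RE = re.compile(r"^main: new DTLS session from (?P<ip>[\d.]+):(?P<port>\d+)")


def parse_events(text, year=2014):
    """Return a list of (timestamp, ip, port) tuples, one per DTLS session
    attempt. A 'message repeated N times' line is expanded into N events
    carrying the wrapper's own timestamp (the year is not in the log, so it
    is supplied by the caller; 2014 matches the message above)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg, count = m["msg"], 1
        r = REPEAT_RE.match(msg)
        if r:
            msg, count = r["msg"], int(r["n"])
        d = DTLS_RE.match(msg)
        if d:
            events.extend([(ts, d["ip"], int(d["port"]))] * count)
    return events


def summarize(events):
    """Per source IP: total attempts, distinct source ports, first and last
    timestamp. Out-of-order lines are handled by taking min/max rather than
    trusting file order."""
    stats = {}
    for ts, ip, port in events:
        s = stats.setdefault(ip, {"attempts": 0, "ports": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["ports"].add(port)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return {
        ip: {"attempts": s["attempts"], "distinct_ports": len(s["ports"]),
             "first": s["first"], "last": s["last"]}
        for ip, s in stats.items()
    }


def flag_port_hopping(events, window_s=300, min_ports=3):
    """Return the set of source IPs that opened DTLS sessions from at least
    min_ports distinct source ports inside any window_s-second sliding window.
    One client whose UDP source port keeps changing is the signature of
    repeated reconnects (a NAT mapping expiring, or the client tearing the
    DTLS channel down and rebuilding it) rather than one stable session.
    Thresholds are assumed defaults, not values from the thread."""
    by_ip = defaultdict(list)
    for ts, ip, port in events:
        by_ip[ip].append((ts, port))
    flagged = set()
    for ip, lst in by_ip.items():
        lst.sort()  # repeat-compressed lines can arrive out of order
        lo = 0
        for hi in range(len(lst)):
            while (lst[hi][0] - lst[lo][0]).total_seconds() > window_s:
                lo += 1
            if len({p for _, p in lst[lo:hi + 1]}) >= min_ports:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for ip, s in summarize(ev).items():
        print(f"{ip}: {s['attempts']} attempts from {s['distinct_ports']} ports "
              f"between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}")
    print("port-hopping sources:", sorted(flag_port_hopping(ev)))
```

On the excerpt this reports 12 attempts from 5 distinct ports in just over five minutes for the one client, and flags it with the 300-second window but not with a 120-second one, which is the point of keeping the window and port-count thresholds explicit: a single client behind a NAT whose mapping times out legitimately changes ports now and then, so the detector should be tuned to the reconnect rate that is abnormal for the deployment rather than to any port change at all.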