On Wed, 6 Jul 2016 17:39:05 -0500
William Hubbs <williamh at gentoo.org> wrote:

> Sorry about that, I didn't attach the patch.
>
> Here it is.
>
> William
>

Here is a sanitized snippet of my syslog showing the error sequence. I only removed/masked private info and some irrelevant cron entries.

Jul 6 14:18:04 vpn1 openconnect[13191]: Connected to xxx.xxx.xxx.xxx:443
Jul 6 14:18:04 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany>
Jul 6 14:18:04 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany>
Jul 6 14:18:04 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany>
Jul 6 14:18:04 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany>
Jul 6 14:18:04 vpn1 openconnect[13191]: Connected as xxx.xxx.xxx.xxx, using SSL
Jul 6 14:18:04 vpn1 openconnect[13191]: ESP session established with server
Jul 6 15:26:28 vpn1 openconnect[13191]: ESP detected dead peer
Jul 6 15:42:44 vpn1 openconnect[13191]: SSL read error: Error in the pull function.; reconnecting.
Jul 6 15:42:44 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany>
Jul 6 15:42:44 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany>
Jul 6 15:42:44 vpn1 openconnect[13191]: SSL negotiation with vpn.<ourcompany>
Jul 6 15:42:44 vpn1 openconnect[13191]: Connected to HTTPS on vpn.<ourcompany>
Jul 6 15:42:44 vpn1 openconnect[13191]: ESP session established with server

I have done debug runs with openconnect, but get just a more detailed version of the general sequence above. Sometimes it would fail to reconnect.

For some history: things were initially working fine. Then the security team updated the firmware on the Juniper appliance, and things started becoming more unstable. Then they replaced the appliance with a new Juniper appliance and did another update to the original appliance (to be kept as a backup). My connection usually cycles around the 1 hour and 10 to 20 minute mark, nearly always with the dead peer detection.

The security/network team and I did a number of tests, looking at logs at both ends. What they eventually did was keep the old appliance connected (but not in the DNS) and re-configure it to an SSL connection only (no dead peer check), with me adding an entry to my /etc/hosts file so that I connect to that old appliance rather than the new one. With that, I am normally able to stay connected for 12 hours without issue. But due to licensing and other reasons, they cannot keep the old appliance in operation much longer.

Since I work remotely, my VPN connection to the office is essential. Any help you can offer to improve things would be greatly appreciated. I can even run the openconnect live git sources (any branch) on my VPN virtual machine that I use for all my work systems that need the VPN connection. So, I will be able to provide you with any sanitized logs to help you improve things.

Thank you
--
Brian Dolbec <dolsen>
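Added example, not part of the original message and not openconnect code: a small Python parser that measures each ESP session's uptime before dead peer detection and the gap until ESP is re-established, which is the timing pattern the report describes. The sample input is constructed from the log lines quoted in the message; the year (2016, from the mail date) and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: key openconnect events copied from the syslog in the message.
SAMPLE_LOG = """\
Jul 6 14:18:04 vpn1 openconnect[13191]: ESP session established with server
Jul 6 15:26:28 vpn1 openconnect[13191]: ESP detected dead peer
Jul 6 15:42:44 vpn1 openconnect[13191]: SSL read error: Error in the pull function.; reconnecting.
Jul 6 15:42:44 vpn1 openconnect[13191]: ESP session established with server
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+openconnect\[\d+\]:\s+(.*)$")

def parse_events(text, year=2016):
    """Yield (timestamp, message) for each openconnect syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, cron entries, blank lines
        # Classic syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2)

def esp_cycles(text, year=2016):
    """Return one dict per ESP session that ended in dead peer detection."""
    cycles, established, dead = [], None, None
    for ts, msg in parse_events(text, year):
        if msg.startswith("ESP session established"):
            if established is not None and dead is not None:
                cycles.append({"up": dead - established, "outage": ts - dead})
            established, dead = ts, None
        elif msg.startswith("ESP detected dead peer") and established is not None:
            dead = ts
    if established is not None and dead is not None:
        # Dead peer was logged but ESP never came back within this log.
        cycles.append({"up": dead - established, "outage": None})
    return cycles

if __name__ == "__main__":
    for c in esp_cycles(SAMPLE_LOG):
        print(f"ESP up {c['up']}, then down for {c['outage']}")
```

Run over a full day of syslog, the "up" values show whether the drops cluster around a fixed interval, and the "outage" values show how long the tunnel stayed without ESP after each dead peer event.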