Connection dies frequently, is restored after dead peer detection

Version: 7.06-2+b2 (Debian sid)


A couple of weeks back, my openconnect VPN connection started to freeze
frequently. I'm not sure what changed at the time. The connection comes
back after a while and I noticed from the logs that it is restored
after a "DTLS Dead Peer Detection detected dead peer!" message. So I
found the --force-dpd option and the situation is bearable, if I set
the value to 2 or 3. What might be the problem? Is it a bug or a
configuration issue? On client or server?

I experience the same behavior using LAN or WLAN, and with
network-manager-openconnect as well as the openconnect command.

Below is a cleaned output of an example openconnect connection using -v
option:

$ echo pass | sudo /usr/sbin/openconnect -v --force-dpd=3 --usergroup=$USERGROUP \
    --user=$USERNAME --passwd-on-stdin $SERVERNAME
POST https://$SERVERNAME/restricted
Attempting to connect to server $SERVER_IP:443
SSL negotiation with $SERVERNAME
Connected to HTTPS on $SERVERNAME
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Aug 2016 09:21:27 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
POST https://$SERVERNAME/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Aug 2016 09:21:27 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004-2016 Cisco Systems, Inc.
X-CSTP-Address: $ADDRESS
X-CSTP-Netmask: 255.255.255.255
X-CSTP-Hostname: $HOSTNAME
X-CSTP-DNS: $DNS1
X-CSTP-DNS: $DNS2
X-CSTP-NBNS: $NBNS1
X-CSTP-NBNS: $NBNS2
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 5400
X-CSTP-Disconnected-Timeout: 5400
X-CSTP-Default-Domain: $DOMAIN
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-PAC-URL: $PAC_URL
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: $ID
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 3600
X-CSTP-MTU: 1200
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 3, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
DTLS option X-DTLS-Session-ID : $ID
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 3600
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 3, Keepalive 20
Connected tun0 as $IP, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
[...]
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send DTLS DPD
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
DTLS Dead Peer Detection detected dead peer!
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send CSTP DPD
Got CSTP DPD response


Br,

Matti Koskimies



