David,

This looks like a very similar issue to the one from Juniper oNCP where
packets sometimes arrive that are larger than the negotiated MTU. Patch
was "Do not drop vpn connection if packet arrived is larger than MTU":
http://git.infradead.org/users/dwmw2/openconnect.git/commit/9ac5e232214b728f675a44c43e61986ff9245b57

There's also a similar behavior incorporated into ESP and the
GlobalProtect GPST, as merged, because GlobalProtect has *no* real way
to negotiate MTU. >:-(

Anyway, here's what's in cstp.c :

    int decompress_and_queue_packet(struct openconnect_info *vpninfo, int compr_type,
                                    unsigned char *buf, int len)
    {
            struct pkt *new = malloc(sizeof(struct pkt) + vpninfo->ip_info.mtu);

Any issues with writing a similar patch to allow receipt of
extra-chunky oversized CSTP packets? Whether compressed or
uncompressed.

-Dan

On Tue, Jul 31, 2018 at 5:32 AM, Jeroen Balduyck <jeroen.balduyck at gmail.com> wrote:
> On Opnsense (Freebsd) I'm running Openconnect in client mode. I get
> this unusual error:
>
> LZS decompression failed: File too large.
>
>
> Related debug output:
>
> X-DTLS-CipherSuite: PSK-NEGOTIATE
> X-CSTP-Base-MTU: 1406
> X-CSTP-MTU: 1340
> DTLS option X-DTLS-DPD : 90
> DTLS option X-DTLS-Port : 22
> DTLS option X-DTLS-Rekey-Time : 172838
> DTLS option X-DTLS-Rekey-Method : ssl
> DTLS MTU reduced to 1322
> Established DTLS connection (using OpenSSL). Ciphersuite PSK-AES256-CBC-SHA.
> Initiating IPv4 MTU detection (min=661, max=1322)
> No change in MTU after detection (was 1322)
>
> DNS-queries and ping work (= small packets), but browsing the web I
> get packet loss during the TLS-connection setup. Ergo, HTTPS websites
> won't open. I think the server may be sending packets that are too
> large? On my Macbook the Openconnect interface MTU is 1340 opposed to
> 1322 on Opnsense. Is there some kind of MTU mismatch going on between
> client (Opnsense) and server?
>
> Regards,
> Jeroen
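
Added example, not part of the original thread and not OpenConnect code: a receive buffer sized exactly to the client MTU (1322) rejects a packet that expands to the server's 1340 bytes, while a buffer with fixed headroom accepts it and still enforces a hard bound. The run-length expander is a stand-in for LZS, and `RECV_FLOOR`, `rle_expand`, `receive_compressed` and `demo` are hypothetical names and values.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define RECV_FLOOR 16384 /* assumed headroom; hypothetical value */

/* Stand-in for LZS (not the real algorithm): expands (count, byte) pairs and
 * refuses to write past dstlen, returning -EFBIG ("File too large"). */
static int rle_expand(unsigned char *dst, int dstlen,
                      const unsigned char *src, int srclen)
{
    int out = 0;
    for (int i = 0; i + 1 < srclen; i += 2) {
        if (src[i] > dstlen - out)
            return -EFBIG; /* bound check: never write past dst */
        memset(dst + out, src[i + 1], src[i]);
        out += src[i];
    }
    return out;
}

/* Receive path: headroom=0 sizes the buffer to the MTU, as in the quoted
 * allocation; headroom=1 sizes it to max(mtu, RECV_FLOOR). */
int receive_compressed(int mtu, int headroom,
                       const unsigned char *src, int srclen)
{
    if (mtu <= 0)
        return -EINVAL;
    int cap = (headroom && mtu < RECV_FLOOR) ? RECV_FLOOR : mtu;
    unsigned char *buf = malloc(cap);
    if (!buf)
        return -ENOMEM;
    int len = rle_expand(buf, cap, src, srclen);
    free(buf); /* a real client would queue the packet instead */
    return len;
}

/* Constructed input: expands to 1340 bytes, the X-CSTP-MTU in the log. */
int demo(int mtu, int headroom)
{
    static const unsigned char src[] = { 255, 'E', 255, 'E', 255, 'E',
                                         255, 'E', 255, 'E', 65, 'E' };
    return receive_compressed(mtu, headroom, src, (int)sizeof(src));
}

int main(void)
{
    printf("mtu-sized: %d, with headroom: %d\n", demo(1322, 0), demo(1322, 1));
    return 0;
}
```

The headroom variant tolerates an MTU mismatch without removing the output bound: anything expanding past `RECV_FLOOR` is still rejected rather than written.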