On Mon, Mar 25, 2019 at 10:29 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> On Sun, 2019-03-24 at 19:13 +0200, Daniel Lenski wrote:
> >
> > Do I have this right? High packet loss from client→VPN, low packet
> > loss from VPN→client?
> >
> > If so, I'm guessing your problems are MTU-related.
>
> Hm, wouldn't we expect that to be more consistent? If the full-sized
> packets are getting lost, that would just stall and not lose the
> *occasional* packet?

Yeah… should be. My guess is based on a couple of previous less-detailed
reports from users of earlier versions with GP.

> If it really is a repeatable drop every N packets, I might be inclined
> to look at sequence numbers and epoch handling. Are we doing any ESP
> rekeying?

We are rekeying, but only using the most naïve "tunnel rekey" method.
AFAIK, that's all that GP supports.

https://gitlab.com/openconnect/openconnect/blob/v8.02/gpst.c#L1153-1157

After a certain time has elapsed, we tear down the TLS connection and
reconnect (using the same auth cookie), which also invalidates the
previous ESP keys and requires us to start using new ones. We should
handle late incoming packets using the "old" ESP keys correctly, using
the same method as with Juniper.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
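The following is an added example, not openconnect code and not the Juniper code path Dan refers to. It shows one way to do what the last paragraph describes: after a tunnel rekey, keep the previous SPI/key pair in an "old" slot for a grace window so that packets the gateway already encrypted under the old keys are still accepted rather than counted as loss, with a per-slot anti-replay window so a late packet cannot be replayed. The 60-second grace period, the SPIs, keys and clock values are all constructed assumptions; the code matches packets by SPI only and performs no decryption.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not openconnect code: a minimal inbound ESP key table that
 * keeps the previous SPI/key pair for a grace window after a tunnel rekey. */

#define ESP_OLD_KEY_GRACE_S 60   /* assumption: seconds to honour old keys after a rekey */
#define ESP_REPLAY_WINDOW   64   /* RFC 4303 style sliding window, 64 bits wide */

struct esp_slot {
    uint32_t spi;                /* SPI as carried on the wire */
    uint8_t  key[16];            /* symmetric key (stored only; no decryption here) */
    uint32_t seq_hi;             /* highest sequence number accepted so far */
    uint64_t window;             /* bit i set = sequence number (seq_hi - i) seen */
    int      valid;
};

struct esp_ctx {
    struct esp_slot cur, old;
    uint64_t now, old_expires;   /* monotonic seconds; when the old slot is discarded */
};

/* Install new keys: the current slot becomes the old one, with a deadline. */
void esp_rekey(struct esp_ctx *c, uint32_t new_spi, const uint8_t new_key[16])
{
    c->old = c->cur;
    c->old_expires = c->now + ESP_OLD_KEY_GRACE_S;
    memset(&c->cur, 0, sizeof c->cur);
    c->cur.spi = new_spi;
    memcpy(c->cur.key, new_key, sizeof c->cur.key);
    c->cur.valid = 1;
}

/* Anti-replay check on one slot; returns 1 if seq is fresh and records it. */
static int esp_replay_check(struct esp_slot *s, uint32_t seq)
{
    if (seq == 0)
        return 0;                                 /* ESP sequence numbers start at 1 */
    if (seq > s->seq_hi) {                        /* advance the window */
        uint32_t shift = seq - s->seq_hi;
        s->window = (shift >= ESP_REPLAY_WINDOW) ? 0 : (s->window << shift);
        s->window |= 1;
        s->seq_hi = seq;
        return 1;
    }
    uint32_t back = s->seq_hi - seq;
    if (back >= ESP_REPLAY_WINDOW || (s->window & (1ULL << back)))
        return 0;                                 /* too old, or a duplicate */
    s->window |= 1ULL << back;
    return 1;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify an inbound ESP packet by its header (SPI, then sequence number).
 * Returns 0 = accepted on current keys, 1 = accepted on old keys, -1 = dropped. */
int esp_inbound(struct esp_ctx *c, const uint8_t *pkt, size_t len)
{
    if (len < 8)
        return -1;
    uint32_t spi = be32(pkt), seq = be32(pkt + 4);
    if (c->old.valid && c->now >= c->old_expires)
        c->old.valid = 0;                         /* grace window over: forget old keys */
    if (c->cur.valid && spi == c->cur.spi)
        return esp_replay_check(&c->cur, seq) ? 0 : -1;
    if (c->old.valid && spi == c->old.spi)
        return esp_replay_check(&c->old, seq) ? 1 : -1;
    return -1;                                    /* unknown SPI */
}

/* Builds a constructed 8-byte ESP header for the walkthrough below. */
void esp_make_hdr(uint8_t out[8], uint32_t spi, uint32_t seq)
{
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(spi >> (24 - 8 * i));
        out[4 + i] = (uint8_t)(seq >> (24 - 8 * i));
    }
}

/* Walks a rekey with a late packet on the old keys; returns the number of the
 * 7 expected outcomes that matched. SPIs, keys and times are constructed. */
int esp_demo(void)
{
    struct esp_ctx c;
    uint8_t k1[16] = { 0x01 }, k2[16] = { 0x02 }, h[8];
    int ok = 0;
    memset(&c, 0, sizeof c);
    c.now = 100;
    esp_rekey(&c, 0x1001, k1);                                    /* initial keys */
    esp_make_hdr(h, 0x1001, 1); ok += esp_inbound(&c, h, 8) == 0;  /* normal packet */
    esp_rekey(&c, 0x2002, k2);                                    /* tunnel rekey at t=100 */
    esp_make_hdr(h, 0x2002, 1); ok += esp_inbound(&c, h, 8) == 0;  /* new keys in use */
    esp_make_hdr(h, 0x1001, 2); ok += esp_inbound(&c, h, 8) == 1;  /* late packet on old keys */
    esp_make_hdr(h, 0x1001, 2); ok += esp_inbound(&c, h, 8) == -1; /* replay of that packet */
    esp_make_hdr(h, 0x3003, 1); ok += esp_inbound(&c, h, 8) == -1; /* unknown SPI */
    c.now = 161;                                                  /* past the grace window */
    esp_make_hdr(h, 0x1001, 3); ok += esp_inbound(&c, h, 8) == -1; /* old keys forgotten */
    esp_make_hdr(h, 0x2002, 2); ok += esp_inbound(&c, h, 8) == 0;  /* current keys still fine */
    return ok;
}
```

The design point is that a late packet is distinguished from a bogus one by SPI, not by arrival time alone: anything on the old SPI inside the grace window is accepted once and then subject to the same replay window as current traffic, and once the window lapses the old slot is dropped so an attacker cannot keep a retired key alive indefinitely.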