On Fri, Nov 1, 2019 at 3:58 PM Adam Allgood <avram.meir@xxxxxxxxx> wrote:
>
> Hello again Dan, sorry for the delayed response.
>
> On Thu, Oct 24, 2019 at 2:46 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
> >
> > Interesting. Even in your more verbose log, it appears that
> > OpenConnect is totally and entirely failing to receive any response
> > over the DTLS channel… except for the MTU DPD probe at the beginning.
> >
> > This is why I suggest upgrading to a more recent version in which
> > David Woodhouse has made the DTLS MTU detection much more robust and…
> >
>
> I updated to:
>
> OpenConnect version v8.05
> Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP
> software token, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
>
> Unfortunately I appear to be having the same problems.

I'm kind of stumped here. It appears that the symptoms with DTLS enabled, and without DTLS, are pretty much identical: you receive *no incoming packets* from the VPN tunnel of any kind. Not even DPD responses.

That suggests this is an issue with the basic protocol used by the client and server to communicate with each other, and not something at the network level (say, a misconfigured firewall).

You mentioned that other users with *older* versions of OpenConnect can successfully connect and send traffic…? Exactly which versions of OpenConnect, and which OSes are they using? Can you test if your account works on one of their laptops?

> On the command line, I saw:
>
> avrammeir@localhost:~$ sudo openconnect -vvv --dump --no-dtls -u
> adam.allgood --cafile='/home/avrammeir/Downloads/UserNSSDB
> 6cd262f44f10e19bc2ba48_DOD EMAIL CA-51 - U.S.pem' -c '<DELETED>'
> cpvpn.ncep.noaa.gov/cac/ > no-dtls.txt
> PIN required for <DELETED>
> Enter PIN:
> CSTP Dead Peer Detection detected dead peer!
> unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date
> Script '/usr/share/vpnc-scripts/vpnc-script' returned error 1
> Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
> unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date
> Script '/usr/share/vpnc-scripts/vpnc-script' returned error 1
> ^CSocket connect canceled

You can ignore this one. You're probably using an older vpnc-script that doesn't support the reason=attempt-reconnect (added in https://gitlab.com/openconnect/openconnect/issues/17)…

… but this only matters for certain VPN routing configurations, and if the VPN can't send traffic anyway it's a lost cause.

> Is there any information in this that can suggest why I'm receiving no
> response after connecting? I would assume it's something wrong with
> the way my office has configured the VPN, but AnyConnect on Windows
> has no problems.

If we can figure this out by determining what the older clients are doing to successfully connect, great. If not, we'll probably need a MITM dump to figure out what's new/different about your VPN.

Thanks,
Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
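The "unknown reason 'attempt-reconnect'" line in the log comes from the default branch of an older vpnc-script. The following POSIX sh check, added here as an example and not taken from the thread or from the OpenConnect project, shows how to tell whether a vpnc-script knows that reason; it assumes the default path /usr/share/vpnc-scripts/vpnc-script from the log, and the old/new script stand-ins it builds are constructed, not the real script.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenConnect project: check whether a
# vpnc-script knows reason=attempt-reconnect. OpenConnect passes the reason in the
# environment; a script that predates it hits its default branch, prints the
# "unknown reason ... Maybe vpnc-script is out of date" line and exits 1.

# Dynamic check: invoke a script exactly as OpenConnect does and return its exit
# status (0 = reason handled, 1 = script too old). Only run on a script you trust.
vpnc_script_handles_reason() {
    reason="$2" sh "$1" >/dev/null 2>&1
}

# Static check: does the script text name the reason at all? Executes nothing.
vpnc_script_mentions_reason() {
    grep -q -- "$2" "$1"
}

# Constructed stand-ins (reason dispatch only) for an old and a current vpnc-script.
# $1 = output path, $2 = "old" or "new"
make_fake_vpnc_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
case "$reason" in
    pre-init|connect|disconnect|reconnect) ;;
EOF
    if [ "$2" = new ]; then
        printf '    attempt-reconnect) ;;\n' >> "$1"
    fi
    cat >> "$1" <<'EOF'
    *) echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2; exit 1 ;;
esac
EOF
}

# Stand-alone use: inspect the installed script (assumed default path from the log).
main() {
    s="${1:-/usr/share/vpnc-scripts/vpnc-script}"
    if [ ! -f "$s" ]; then
        echo "no vpnc-script at $s"
    elif vpnc_script_mentions_reason "$s" attempt-reconnect; then
        echo "$s handles reason=attempt-reconnect"
    else
        echo "$s predates reason=attempt-reconnect; upgrade it"
    fi
}
main "$@"
```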