Re: VPN seems to connect but fails to get a response from the peer

On Fri, Nov 1, 2019 at 3:58 PM Adam Allgood <avram.meir@xxxxxxxxx> wrote:
>
> Hello again Dan, sorry for the delayed response.
>
> On Thu, Oct 24, 2019 at 2:46 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
> >
> > Interesting. Even in your more verbose log, it appears that
> > OpenConnect is totally and entirely failing to receive any response
> > over the DTLS channel… except for the MTU DPD probe at the beginning.
> >
> > This is why I suggest upgrading to a more recent version in which
> > David Woodhouse has made the DTLS MTU detection much more robust and…
> >
>
> I updated to:
>
> OpenConnect version v8.05
> Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP
> software token, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
>
> Unfortunately I appear to be having the same problems.

I'm kind of stumped here.

It appears that the symptoms with DTLS enabled, and without DTLS, are
pretty much identical: you receive *no incoming packets* from the VPN
tunnel of any kind. Not even DPD responses.

That suggests this is an issue with the basic protocol used by the
client and server to communicate with each other, and not something at
the network level (say, a misconfigured firewall).

You mentioned that other users with *older* versions of OpenConnect
can successfully connect and send traffic…? Exactly which versions of
OpenConnect, and which OSes are they using? Can you test if your
account works on one of their laptops?

> On the command line, I saw:
>
> avrammeir@localhost:~$ sudo openconnect -vvv --dump --no-dtls -u
> adam.allgood --cafile='/home/avrammeir/Downloads/UserNSSDB
> 6cd262f44f10e19bc2ba48_DOD EMAIL CA-51 - U.S.pem' -c '<DELETED>'
> cpvpn.ncep.noaa.gov/cac/ > no-dtls.txt
> PIN required for <DELETED>
> Enter PIN:
> CSTP Dead Peer Detection detected dead peer!
> unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date
> Script '/usr/share/vpnc-scripts/vpnc-script' returned error 1
> Failed to reconnect to host cpvpn.ncep.noaa.gov: Connection timed out
> unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date
> Script '/usr/share/vpnc-scripts/vpnc-script' returned error 1
> ^CSocket connect canceled

You can ignore this one. You're probably using an older vpnc-script
that doesn't support the reason=attempt-reconnect (added in
https://gitlab.com/openconnect/openconnect/issues/17)…
… but this only matters for certain VPN routing configurations, and if
the VPN can't send traffic anyway it's a lost cause.

> Is there any information in this that can suggest why I'm receiving no
> response after connecting? I would assume it's something wrong with
> the way my office has configured the VPN, but AnyConnect on Windows
> has no problems.

If we can figure this out by determining what the older clients are
doing to successfully connect, great. If not, we'll probably need a
MITM dump to figure out what's new/different about your VPN.

Thanks,
Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel