Re: VPN seems to connect but fails to get a response from the peer

On Tue, Dec 17, 2019 at 5:24 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> Perhaps the server is in a round-robin DNS and you really are getting
> different servers (hence different certificate fingerprints) every
> time. You'd do better to *fix* the certificate problem. Can't you
> install the appropriate SSL CA so that they're properly trusted?

I will put in a ticket with my IT networking folks, but unfortunately
they are beyond swamped and this issue will likely be extremely low
priority for them since the majority of users can access the VPN with
no problems.

> Or maybe it's something going wrong with the routing setup. Maybe your
> *outbound* packets aren't actually reaching the VPN server? Or the
> inbound packets on the public network are being firewalled locally and
> not reaching openconnect?
>
> Can you get a packet capture on your local network to correlate with a
> DTLS send/receive debug log like the ones you showed before? And can
> you show the output of 'ip route' before and after connecting?
>

I connected while running sudo tcpdump -i any, which produced a
humongous file. Here is a sample of the output (trying to find where
the connection to the VPN is made):

22:32:51.058707 IP localhost.30011 > localhost.43934: Flags [P.], seq
6565:6577, ack 15694, win 350, options [nop,nop,TS val 32971139 ecr
32971139], length 12
22:32:51.094305 IP localhost.43934 > localhost.30011: Flags [P.], seq
15694:15722, ack 6577, win 3635, options [nop,nop,TS val 32971175 ecr
32971139], length 28
22:32:51.094520 IP localhost.30011 > localhost.43934: Flags [P.], seq
6577:6589, ack 15722, win 350, options [nop,nop,TS val 32971175 ecr
32971175], length 12
22:32:51.130243 IP localhost.43934 > localhost.30011: Flags [P.], seq
15722:15750, ack 6589, win 3635, options [nop,nop,TS val 32971211 ecr
32971175], length 28
22:32:51.130456 IP localhost.30011 > localhost.43934: Flags [P.], seq
6589:6601, ack 15750, win 350, options [nop,nop,TS val 32971211 ecr
32971211], length 12
22:32:51.166144 IP localhost.43934 > localhost.30011: Flags [P.], seq
15750:15778, ack 6601, win 3635, options [nop,nop,TS val 32971247 ecr
32971211], length 28
22:32:51.166362 IP localhost.30011 > localhost.43934: Flags [P.], seq
6601:6613, ack 15778, win 350, options [nop,nop,TS val 32971247 ecr
32971247], length 12
22:32:51.201903 IP localhost.43934 > localhost.30011: Flags [P.], seq
15778:15806, ack 6613, win 3635, options [nop,nop,TS val 32971282 ecr
32971247], length 28
22:32:51.205718 IP localhost.30011 > localhost.43934: Flags [P.], seq
6613:6625, ack 15806, win 350, options [nop,nop,TS val 32971286 ecr
32971282], length 12
22:32:51.223364 IP localhost.43934 > localhost.30011: Flags [P.], seq
15806:15834, ack 6625, win 3635, options [nop,nop,TS val 32971304 ecr
32971286], length 28
22:32:51.223599 IP localhost.30011 > localhost.43934: Flags [P.], seq
6625:6637, ack 15834, win 350, options [nop,nop,TS val 32971304 ecr
32971304], length 12
22:32:51.259141 IP localhost.43934 > localhost.30011: Flags [P.], seq
15834:15862, ack 6637, win 3635, options [nop,nop,TS val 32971340 ecr
32971304], length 28
22:32:51.259406 IP localhost.30011 > localhost.43934: Flags [P.], seq
6637:6649, ack 15862, win 350, options [nop,nop,TS val 32971340 ecr
32971340], length 12
22:32:51.294607 IP localhost.43934 > localhost.30011: Flags [P.], seq
15862:15890, ack 6649, win 3635, options [nop,nop,TS val 32971375 ecr
32971340], length 28
22:32:51.294820 IP localhost.30011 > localhost.43934: Flags [P.], seq
6649:6661, ack 15890, win 350, options [nop,nop,TS val 32971375 ecr
32971375], length 12
22:32:51.316029 IP6 :: > ff02::16: HBH ICMP6, multicast listener
report v2, 1 group record(s), length 28
22:32:51.329336 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 141
22:32:51.329363 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 221
22:32:51.329380 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 301
22:32:51.329396 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 381
22:32:51.329413 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 461
22:32:51.329430 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 541
22:32:51.329447 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 621
22:32:51.329465 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 701
22:32:51.329483 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 781
22:32:51.329502 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 861
22:32:51.329521 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 941
22:32:51.329541 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 1021
22:32:51.329561 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 1101
22:32:51.329581 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 1181
22:32:51.329602 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 1261
22:32:51.329623 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 1341
22:32:51.329647 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, bad
length 1421 > 1376
22:32:51.329648 IP 192.168.1.197 > 140.90.73.186: udp
22:32:51.329677 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, bad
length 1469 > 1376
22:32:51.329679 IP 192.168.1.197 > 140.90.73.186: udp
22:32:51.329686 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 125
22:32:51.329714 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, bad
length 1469 > 1376
22:32:51.329716 IP 192.168.1.197 > 140.90.73.186: udp

I get a lot of this, and then it settles into this pattern:

22:33:21.461356 IP 192.168.1.197 > 140.90.73.186: udp
22:33:21.461360 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 173
22:33:21.461364 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 253
22:33:21.461369 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 333
22:33:21.461373 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 413
22:33:21.461377 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 493
22:33:21.461382 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 573
22:33:21.461388 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 653
22:33:21.461393 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 733
22:33:21.461399 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 813
22:33:21.461444 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, bad
length 1469 > 1376
22:33:21.461445 IP 192.168.1.197 > 140.90.73.186: udp
22:33:21.461450 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 173
22:33:21.461454 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 253
22:33:21.461459 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 333
22:33:21.461464 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 413
22:33:21.461470 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 493
22:33:21.461475 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 573
22:33:21.461481 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 653
22:33:21.461488 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 733
22:33:21.461495 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 813
22:33:21.461523 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, bad
length 1469 > 1376
22:33:21.461524 IP 192.168.1.197 > 140.90.73.186: udp

Is this helpful? I'll see if I can capture packets on my Xubuntu
system that connects successfully, and email samples separately.

As for ip route, before connecting to the VPN:

(bionic)avrammeir@localhost:~$ ip route
100.115.92.0/30 dev arcbr0 proto kernel scope link src 100.115.92.1
100.115.92.8/30 dev arc_wlan0 proto kernel scope link src 100.115.92.9
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.197

And after connecting (I did this in a separate connection attempt from
the packet captures):

(bionic)avrammeir@localhost:~$ ip route
default dev tun0 scope link
100.115.92.0/30 dev arcbr0 proto kernel scope link src 100.115.92.1
100.115.92.8/30 dev arc_wlan0 proto kernel scope link src 100.115.92.9
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.197
192.168.56.0/24 dev tun0 scope link

Thank you!
Adam

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
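An added example, not part of Adam's post or of the OpenConnect project: a small Python script that re-joins the tcpdump records wrapped by the mail client and then summarises, per remote host, how many UDP datagrams went out and how many came back, which is the quickest way to answer "is the peer replying at all?" from a large `tcpdump -i any` text dump. It also counts the records tcpdump flagged as `bad length X > Y`. tcpdump prints that when the UDP length field (X) is larger than the IP payload actually present in the packet (Y), which is what the first fragment of an IP-fragmented datagram looks like; the bare `udp` record that follows each one is how tcpdump prints a non-first fragment (no transport header, so no ports). The sample capture embedded in the script is constructed from a handful of the lines quoted above; the local address and the peer address are the ones in the post, and the interpretation of the growing 141, 221, ... 1341 byte ladder as a path-MTU probe is an assumption, not something the post states.

```python
"""Summarise UDP traffic per remote host from a tcpdump text dump.

Added example, not code from the original post or from OpenConnect.
"""
import re

# Constructed sample: a subset of the tcpdump -i any lines from the post,
# kept with the e-mail line wrapping that splits some records in two.
SAMPLE_CAPTURE = """\
22:32:51.058707 IP localhost.30011 > localhost.43934: Flags [P.], seq
6565:6577, ack 15694, win 350, options [nop,nop,TS val 32971139 ecr
32971139], length 12
22:32:51.316029 IP6 :: > ff02::16: HBH ICMP6, multicast listener
report v2, 1 group record(s), length 28
22:32:51.329336 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 141
22:32:51.329363 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 221
22:32:51.329602 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 1261
22:32:51.329623 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 1341
22:32:51.329647 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, bad
length 1421 > 1376
22:32:51.329648 IP 192.168.1.197 > 140.90.73.186: udp
22:32:51.329677 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, bad
length 1469 > 1376
22:32:51.329679 IP 192.168.1.197 > 140.90.73.186: udp
22:32:51.329686 IP 192.168.1.197.41287 > 140.90.73.186.443: UDP, length 125
"""

# A tcpdump record starts with HH:MM:SS.usec; anything else is a wrapped tail.
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
# Either a full UDP record ("UDP, length N" / "UDP, bad length X > Y")
# or a non-first IP fragment, which tcpdump prints as "src > dst: udp".
UDP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:UDP, (?P<bad>bad )?length (?P<ulen>\d+)(?: > (?P<iplen>\d+))?|(?P<frag>udp))$"
)


def rejoin_wrapped(text):
    """Glue lines that a mail client wrapped back onto their timestamp line."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line.rstrip())
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    return records


def _new_dir():
    return {"datagrams": 0, "bad_length": 0, "fragments": 0, "max_len": 0}


def summarise_udp(text, local_hosts):
    """Per remote host: counts for each direction of UDP datagrams, tcpdump
    'bad length' records, bare fragment records, and the largest UDP length."""
    flows = {}
    for rec in rejoin_wrapped(text):
        m = UDP_RE.match(rec)
        if not m:
            continue  # TCP, ICMPv6 and anything else is not our concern here
        if m["frag"]:
            src_host, dst_host = m["src"], m["dst"]  # fragment records carry no ports
        else:
            src_host = m["src"].rpartition(".")[0]  # "host.port" -> host
            dst_host = m["dst"].rpartition(".")[0]
        if src_host in local_hosts:
            direction, remote = "out", dst_host
        elif dst_host in local_hosts:
            direction, remote = "in", src_host
        else:
            continue
        d = flows.setdefault(remote, {"out": _new_dir(), "in": _new_dir()})[direction]
        if m["frag"]:
            d["fragments"] += 1
            continue
        d["datagrams"] += 1
        d["max_len"] = max(d["max_len"], int(m["ulen"]))
        if m["bad"]:
            d["bad_length"] += 1
    return flows


def peer_silent(flows, peer):
    """True when datagrams went to peer and none came back: the symptom in the thread."""
    f = flows.get(peer)
    return bool(f) and f["out"]["datagrams"] > 0 and f["in"]["datagrams"] == 0


if __name__ == "__main__":
    summary = summarise_udp(SAMPLE_CAPTURE, {"192.168.1.197"})
    for remote, dirs in summary.items():
        print(remote, "out:", dirs["out"], "in:", dirs["in"])
    print("peer silent:", peer_silent(summary, "140.90.73.186"))
```

Against a real capture, record with `sudo tcpdump -n -i any udp and host 140.90.73.186 > dtls.txt` (the `-n` avoids reverse-DNS names, and the BPF filter keeps the loopback TCP chatter out of the file) and pass the file's contents to summarise_udp(). A result with a non-zero "out" count, zero "in", and several "bad_length" records with a max_len above the 1376-byte IP payload is exactly what the excerpt above shows, and is the kind of per-direction tally worth lining up against the DTLS send/receive timestamps in the openconnect debug log.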
