On Sat, Apr 18, 2020 at 7:11 PM The Wanderer <wanderer@xxxxxxxxxxx> wrote:
>
> On 2020-04-18 at 21:52, Daniel Lenski wrote:
>
> > On Sat, Apr 18, 2020 at 6:30 PM The Wanderer <wanderer@xxxxxxxxxxx>
> > Unless you can show that some other client software manages to keep
> > the connection going >180 minutes, I have to assume that we're doing
> > the best we can here.
>
> As I believe I recall that 8.05 or possibly 8.02 was working, I've now
> downgraded to 8.05 and initiated another session. If it disconnects
> overnight, I'll repeat with 8.02 in the morning (my next mandatory
> on-shift is Monday). If that disconnects in its turn, then we can
> consider it confirmed that the server has changed its behavior in the
> meantime, and this has nothing to do with the upgrade and is not
> OpenConnect's problem.
>
> If one of those remains connected, however - especially if the logs show
> something else happening at this point - then it may be worth digging
> deeper here.

Agreed. I also have access to a GP VPN with a 3-hour rekey timeout.
I'm running OpenConnect v8.08 right now, using vpn-slice to prevent
idle timeouts, and I'll verify if it can keep the connection alive
past the 3-hour mark.

> >>> 6. Finally, one more strange thing in your log. Something (????)
> >>> causes it to attempt a logout immediately after trying to
> >>> fallback to HTTPS, but the logout *fails* (POST
> >>> https://foo.bar.baz/ssl-vpn/logout.esp -> "Invalid user name").
> >>
> >> Yeah, this is the thing that seemed weirdest to me. I certainly did
> >> not do anything which should have led this logout attempt to happen
> >> - as I noted in my original mail, I was asleep at the time.
> >>
> >> I just checked one of the other logs I've been grabbing of these
> >> sessions in the meantime, and it does end with a similar logout
> >> interaction.
> >
> > I'm guessing this is because of an inconsistent encoding of the
> > domain parameter (or maybe something else). I've seen it happen
> > before when the server domain is "(empty_domain)". Just posted a
> > patch to try to alleviate this issue.
> > https://gitlab.com/openconnect/openconnect/-/merge_requests/93
>
> Would it be worth my trying this patch, potentially, or is that not
> likely to make any difference in my situation?

It won't fix the rekey issue, but it (hopefully) will fix the issue
preventing logout from succeeding, which is a minor security hole
insofar as it leaves the authcookie usable, and may make the server
think that you have multiple concurrent sessions open.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel