Re: GlobalProtect connection loss

On Sat, Apr 18, 2020 at 7:11 PM The Wanderer <wanderer@xxxxxxxxxxx> wrote:
>
> On 2020-04-18 at 21:52, Daniel Lenski wrote:
>
> > On Sat, Apr 18, 2020 at 6:30 PM The Wanderer <wanderer@xxxxxxxxxxx>
> > Unless you can show that some other client software manages to keep
> > the connection going >180 minutes, I have to assume that we're doing
> > the best we can here.
>
> As I believe I recall that 8.05 or possibly 8.02 was working, I've now
> downgraded to 8.05 and initiated another session. If it disconnects
> overnight, I'll repeat with 8.02 in the morning (my next mandatory
> on-shift is Monday). If that disconnects in its turn, then we can
> consider it confirmed that the server has changed its behavior in the
> meantime, and this has nothing to do with the upgrade and is not
> OpenConnect's problem.
>
> If one of those remains connected, however - especially if the logs show
> something else happening at this point - then it may be worth digging
> deeper here.

Agreed.

I also have access to a GP VPN with a 3-hour rekey timeout. I'm
running OpenConnect v8.08 right now, using vpn-slice to prevent idle
timeouts, and I'll verify if it can keep the connection alive past the
3-hour mark.

> >>> 6. Finally, one more strange thing in your log. Something (????)
> >>> causes it to attempt a logout immediately after trying to
> >>> fallback to HTTPS, but the logout *fails* (POST
> >>> https://foo.bar.baz/ssl-vpn/logout.esp -> "Invalid user name").
> >>
> >> Yeah, this is the thing that seemed weirdest to me. I certainly did
> >> not do anything which should have led this logout attempt to happen
> >> - as I noted in my original mail, I was asleep at the time.
> >>
> >> I just checked one of the other logs I've been grabbing of these
> >> sessions in the meantime, and it does end with a similar logout
> >> interaction.
> >
> > I'm guessing this is because of an inconsistent encoding of the
> > domain parameter (or maybe something else). I've seen it happen
> > before when the server domain is "(empty_domain)". I just posted a
> > patch to try to alleviate this issue.
> > https://gitlab.com/openconnect/openconnect/-/merge_requests/93
>
> Would it be worth my trying this patch, potentially, or is that not
> likely to make any difference in my situation?

It won't fix the rekey issue, but it (hopefully) will fix the issue
preventing logout from succeeding, which is a minor security hole
insofar as it leaves the authcookie usable, and may make the server
think that you have multiple concurrent sessions open.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel


