On 2020-04-20 at 13:34, Daniel Lenski wrote:

> On Sun, Apr 19, 2020 at 3:57 PM The Wanderer <wanderer@xxxxxxxxxxx>
> wrote:
>>
>> On 2020-04-19 at 15:04, The Wanderer wrote:

>>> I've got it running now (using the command from my innermost
>>> non-routing-script script, verbatim except for omitting
>>> --passwd-on-stdin and recombining it back onto one line, with
>>> that redirection modification added). I'll go grocery shopping
>>> pretty soon, and close the session and report results before the
>>> end of the night. The every-30-seconds ping keepalive to a
>>> machine across the VPN is running alongside it.
>>>
>>> This is with 8.05, by the way - the version from the most recent
>>> set of logs, which so far has not seen the connection drop like
>>> this. I can run a similar check (most likely overnight tonight)
>>> with 8.08, if desired.
>>
>> The result of this, from about 3.3 hours' worth, is attached -
>> again trimmed to head (ending a reasonable distance after the
>> tunnel starts normal operation) and tail (starting a reasonable
>> distance before the rekey, ending with EOF), compressed, and
>> obfuscated probably more than is necessary.
>
> Everything in this log looks perfectly 100% fine. You connect, you
> get a 180 minute rekey interval, 179 minutes later OpenConnect does
> a rekey, it reconnects to ESP… everything works fine. Matches my own
> testing with versions ranging from pre-v8.0 to v8.08.

Yep - this result, with 8.05, is perfectly 100% fine.

>> If you need me to do the 8.08 equivalent, please let me know as
>> soon as reasonably practical.
>
> I expect it will give the same result.

It did not; it terminated after just over three hours, as before. I
already sent a mail with the results of that, albeit without any
commentary on the fact that it terminated after 3 hours (because that's
the currently expected result when using 8.08, in my environment, so I
didn't think it needed mentioning).

I'm currently doing another day live-connected with 8.08, although
without the verbose logging this time. If nothing is found as a
resolution for this, I'm probably going to need to downgrade to 8.05
semi-permanently.

>> I've discovered one reason to keep using a wrapper script for
>> calling openconnect. When I exited with Ctrl+C (which as I
>> understand matters should be producing SIGINT), which in the past
>> has apparently killed the wrapper script and led openconnect to
>> exit cleanly, this time it apparently terminated openconnect where
>> it sat - with the result that my original /etc/resolv.conf,
>> adjusted by the Debian-shipped vpnc routing script, was left in its
>> tunnel-up state.
>
> Sending SIGINT (Ctrl-C) or SIGTERM to OpenConnect *is* the correct
> way to close it cleanly. When OpenConnect receives SIGINT or SIGTERM,
> it runs the vpnc-script with reason=disconnect, sends a logout to the
> VPN server, and closes the tunnel. This has been the case since v8.0.
> Prior to v8.0, SIGINT behaved more like SIGHUP: it would run the
> vpnc-script to remove the routes, and would close the tunnel, but
> *would not* send a logout request to the VPN server.
>
> If this isn't working correctly, I'll again conjecture that it's
> because of your wrapper scripts.

I would find that plausible myself, but this only happened when I did
*not* use the wrapper script. When I was using the wrapper script, the
shutdown happened cleanly.

I have no idea what happened in this particular case, and I'm not
currently much concerned about it, as I'm only likely to be launching
this way for testing purposes. I only mentioned it in case there was
something obvious I was missing.

My current best guess (and it's not a very good one) is that somehow
this is because I'm piping the output to tee, and it's tee that's
receiving the SIGINT. That doesn't make a lot of sense given what I've
observed with other programs, but it's all I've managed to think of.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
_______________________________________________ openconnect-devel mailing list openconnect-devel@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/openconnect-devel