Re: GlobalProtect connection loss

On Mon, Apr 20, 2020 at 6:10 PM The Wanderer <wanderer@xxxxxxxxxxx> wrote:
>
> On 2020-04-20 at 14:04, The Wanderer wrote:
>
> > On 2020-04-20 at 13:34, Daniel Lenski wrote:
> >
> >> On Sun, Apr 19, 2020 at 3:57 PM The Wanderer
> >> <wanderer@xxxxxxxxxxx> wrote:
> >>> If you need me to do the 8.08 equivalent, please let me know as
> >>> soon as reasonably practical.
> >>
> >> I expect it will give the same result.
> >
> > It did not; it terminated after just over three hours, as before. I
> > already sent a mail with the results of that, albeit without any
> > commentary on the fact that it terminated after 3 hours (because
> > that's the currently expected result when using 8.08, in my
> > environment, so I didn't think it needed mentioning).

Sorry, I missed that you sent two nearly-identically-named logs. To be
absolutely certain that I understand:

vpn-3hours-nodisconnect-fullmanualinvocation-headtail-obfuscated.log:
this one was generated by OpenConnect v8.05
vpn-3hours-disconnect-fullmanualinvocation-headtail-obfuscated.log:
this one was generated by OpenConnect v8.08

Assuming I've got that right, additional things to double check:

1) The command lines to OpenConnect were 100% precisely identical in both cases?
2) I see errors about “Cannot find device "tun0"” in both logs. Not
sure why that is happening.
3) Was the ONLY TRAFFIC to the VPN, in both cases, the keepalive
daemon you're running?

If that's the case… I see no potentially-meaningful differences
between the two logs.

Actually, I see *one*, which does arise from a change between v8.05 and v8.08:

1) You haven't specified a HIP report script with --csd-wrapper. That
seems to be fine, because your VPN isn't *asking* for a HIP report
submission.
2) One of the main changes between v8.05 and v8.08 is that we
introduced intermittent/periodic HIP checking.
3) As a side effect of these changes, if you don't specify a HIP
report script, OpenConnect no longer even *asks* the server if we
should submit a HIP report on rekey/reconnection… it only does this
once.
4) As a result, in your v8.08 log, we don't ping
/ssl-vpn/hipreportcheck.esp when we rekey… but we do in the v8.05 log.

I haven't actually seen any server where this makes any difference at
all, but it's *possible* that your server doesn't like us going three
hours without asking for a /ssl-vpn/hipreportcheck.esp… even though
the answer is going to be “no submission needed.”

Can you try one of the following?

1) Easy: run v8.08 with `--csd-wrapper
openconnect_src_directory/trojans/hipreport.sh`. The HIP report won't
actually get submitted because the server isn't asking for one, but
v8.08 will at least ping /ssl-vpn/hipreportcheck.esp at the
server-requested interval (1 hour).
2) Slightly harder: Apply the attached patch to v8.08, recompiling,
and retest. With this modification, OpenConnect will still do the
/ssl-vpn/hipreportcheck.esp at the interval requested by the server (1
hour in your case), even when no --csd-wrapper is specified.

If either of these makes a difference, then—hooray!—we've figured out
a very subtle, strange, but apparently significant behavior of your
server. If not, I am well and truly stumped.

Dan


>
> To clarify the current situation, and the reasons I sent those two logs:
>
> The 8.05 log was sent to demonstrate that the server is not irreparably
> broken. Because 8.05 is capable of retaining, recovering,
> re-establishing, or in some other way keeping up the connection for well
> over the 3-hour period at which 8.08 cuts off, this cannot be entirely
> the server's fault; there must be something going on in OpenConnect
> here.
>
> The 8.08 log was sent to provide a full, everything-in-one-file,
> properly-interleaved log of the disconnect-after-3-hours failure
> scenario.
>
> *Something* about the code differences between 8.05 and 8.08 is causing
> this. We just need to figure out what. I'm hoping those logs are good
> enough to let us do that, or at least enough to let us predict in
> advance from the log contents whether the post-rekey disconnect will
> later happen - because I really do not want to try to bisect this when
> each trial takes over three hours, even if there *don't* happen to be
> any "something else is broken" stop-off points in between.
>
> --
>    The Wanderer
>
> The reasonable man adapts himself to the world; the unreasonable one
> persists in trying to adapt the world to himself. Therefore all
> progress depends on the unreasonable man.         -- George Bernard Shaw
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
diff --git a/auth-globalprotect.c b/auth-globalprotect.c
index 16a3050e..73910760 100644
--- a/auth-globalprotect.c
+++ b/auth-globalprotect.c
@@ -404,10 +404,7 @@ static int parse_portal_xml(struct openconnect_info *vpninfo, xmlNode *xml_node,
 				for (x2 = x->children; x2; x2 = x2->next) {
 					if (!xmlnode_get_val(x2, "hip-report-interval", &hip_interval)) {
 						int sec = atoi(hip_interval);
-						if (!vpninfo->csd_wrapper)
-							vpn_progress(vpninfo, PRG_INFO, _("Ignoring portal's HIP report interval (%d minutes), because no HIP report script provided.\n"),
-										 sec/60);
-						else if (vpninfo->trojan_interval)
+						if (vpninfo->trojan_interval)
 							vpn_progress(vpninfo, PRG_INFO, _("Ignoring portal's HIP report interval (%d minutes), because interval is already set to %d minutes.\n"),
 										 sec/60, vpninfo->trojan_interval/60);
 						else {
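Review bot: dropping the `if (!vpninfo->csd_wrapper)` branch means the portal's `hip-report-interval` now reaches the `else {` path with no script configured, which is the intent, but the user loses the only message that told them why periodic /ssl-vpn/hipreportcheck.esp requests happen without --csd-wrapper; a PRG_DEBUG line in the adopting branch would keep that visible. Also, `int sec = atoi(hip_interval);` yields 0 for a malformed value, and whether the adopting branch rejects `sec <= 0` lies outside the hunk; worth checking now that it runs in more configurations.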
diff --git a/gpst.c b/gpst.c
index 989fc9b4..b4422613 100644
--- a/gpst.c
+++ b/gpst.c
@@ -915,17 +915,20 @@ static int run_hip_script(struct openconnect_info *vpninfo)
 #endif
 
 	if (!vpninfo->csd_wrapper) {
-		vpn_progress(vpninfo, PRG_ERR,
-		             _("WARNING: Server asked us to submit HIP report with md5sum %s.\n"
-		               "    VPN connectivity may be disabled or limited without HIP report submission.\n    %s\n"),
-		             vpninfo->csd_token,
+		/* Only warn once */
+		if (!vpninfo->last_trojan) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("WARNING: Server asked us to submit HIP report with md5sum %s.\n"
+				       "    VPN connectivity may be disabled or limited without HIP report submission.\n    %s\n"),
+				     vpninfo->csd_token,
 #if defined(_WIN32) || defined(__native_client__)
-		             _("However, running the HIP report submission script on this platform is not yet implemented.")
+				     _("However, running the HIP report submission script on this platform is not yet implemented.")
 #else
-		             _("You need to provide a --csd-wrapper argument with the HIP report submission script.")
+				     _("You need to provide a --csd-wrapper argument with the HIP report submission script.")
 #endif
-			);
-		/* XXX: Many GlobalProtect VPNs work fine despite allegedly requiring HIP report submission */
+				);
+			/* XXX: Many GlobalProtect VPNs work fine despite allegedly requiring HIP report submission */
+		}
 		return 0;
 	}
 
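Review bot: the new `if (!vpninfo->last_trojan)` guard only suppresses the repeat warning if something sets `last_trojan` after this early `return 0`; nothing in the hunk updates it, so if the caller stamps `last_trojan` only when a script actually ran, the warning will still be printed on every check. Confirm that the no-wrapper path records the timestamp as well, or key the "warned once" state on a dedicated flag rather than overloading the rekey timer.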
@@ -1044,12 +1047,10 @@ int gpst_setup(struct openconnect_info *vpninfo)
 	if (ret)
 		goto out;
 
-	/* Always check HIP once (even if no --csd-wrapper specified) */
-	if (!vpninfo->last_trojan) {
-		ret = check_and_maybe_submit_hip_report(vpninfo);
-		if (ret)
-			goto out;
-	}
+	/* Always check HIP after getting configuration */
+	ret = check_and_maybe_submit_hip_report(vpninfo);
+	if (ret)
+		goto out;
 
 	/* Default HIP re-checking to 3600 seconds unless already set by
 	 * --force-trojan or portal config. There's no point to rechecking
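Review bot: with the `if (!vpninfo->last_trojan)` guard removed, gpst_setup() now issues a HIP check on every call, so a reconnect or rekey shortly after a timer-driven check produces a second /ssl-vpn/hipreportcheck.esp within the same interval; if that is intended (the cover note asks for a check on rekey), say so in the comment and consider having the call reset `last_trojan` so the periodic timer restarts from the reconnect rather than double-firing. The removed comment's "(even if no --csd-wrapper specified)" was also the only place recording the no-wrapper case; keep that clause in the new `/* Always check HIP after getting configuration */` comment.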
_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
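The thread above turns on whether a log shows /ssl-vpn/hipreportcheck.esp being requested at the server's interval (or at each rekey) or only once at login. As an added example, not part of this thread and not OpenConnect's own code, the following Python script audits that cadence from a log file so the two runs can be compared without reading three hours of output by hand. The "[timestamp] message" line layout, the host vpn.example.invalid and the sample lines are constructed; OpenConnect's real log lines (for example with --timestamp) will need the TS_RE pattern adjusted.

```python
"""Audit how often a VPN client log shows /ssl-vpn/hipreportcheck.esp.

Added example, not OpenConnect code. The '[YYYY-mm-dd HH:MM:SS] message'
layout is a constructed format; adapt TS_RE to your actual log lines.
"""
import re
from datetime import datetime

HIP_CHECK_PATH = "/ssl-vpn/hipreportcheck.esp"
# Constructed line format: "[YYYY-mm-dd HH:MM:SS] free-form message"
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")


def parse_log(lines):
    """Return [(datetime, message)] for every line that carries a timestamp."""
    events = []
    for line in lines:
        m = TS_RE.match(line.rstrip("\n"))
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def hip_check_gaps(lines):
    """Seconds between consecutive HIP checks, plus the gap from the last
    check to the final log line, so a check that stopped late still shows."""
    events = parse_log(lines)
    if not events:
        return []
    checks = [ts for ts, msg in events if HIP_CHECK_PATH in msg]
    if not checks:
        # No check at all: the whole session is one gap.
        return [(events[-1][0] - events[0][0]).total_seconds()]
    boundaries = checks + [events[-1][0]]
    return [(b - a).total_seconds() for a, b in zip(boundaries, boundaries[1:])]


def audit_hip_cadence(lines, interval_s=3600, slack=1.5):
    """Classify a log: 'periodic' if no gap exceeds interval_s * slack,
    'stale' if the client went longer than that without a check,
    'no-checks' if the path never appears, 'empty' if nothing parsed."""
    events = parse_log(lines)
    if not events:
        return "empty"
    if not any(HIP_CHECK_PATH in msg for _, msg in events):
        return "no-checks"
    gaps = hip_check_gaps(lines)
    return "stale" if any(g > interval_s * slack for g in gaps) else "periodic"


# Constructed sample logs; hostname, address and times are made up.
PERIODIC_LOG = [
    "[2020-04-19 12:00:00] Connected as 10.0.0.5, using SSL",
    "[2020-04-19 12:00:01] POST https://vpn.example.invalid/ssl-vpn/hipreportcheck.esp",
    "[2020-04-19 13:00:02] POST https://vpn.example.invalid/ssl-vpn/hipreportcheck.esp",
    "[2020-04-19 14:00:03] POST https://vpn.example.invalid/ssl-vpn/hipreportcheck.esp",
    "[2020-04-19 15:00:04] POST https://vpn.example.invalid/ssl-vpn/hipreportcheck.esp",
    "[2020-04-19 15:30:00] Keepalive sent",
]
ONCE_ONLY_LOG = [
    "[2020-04-19 12:00:00] Connected as 10.0.0.5, using SSL",
    "[2020-04-19 12:00:01] POST https://vpn.example.invalid/ssl-vpn/hipreportcheck.esp",
    "[2020-04-19 13:00:02] Rekey triggered, reconnecting",
    "[2020-04-19 14:00:03] Rekey triggered, reconnecting",
    "[2020-04-19 15:05:00] Connection terminated by server",
]

if __name__ == "__main__":
    for name, log in (("hourly-check", PERIODIC_LOG), ("check-once", ONCE_ONLY_LOG)):
        print(name, audit_hip_cadence(log), hip_check_gaps(log))
```

Run it against the two obfuscated logs by reading each file into a list of lines; a verdict of "stale" on the disconnecting run and "periodic" on the surviving one would support the hypothesis in the mail, while "periodic" on both would rule it out before anyone spends another three-hour trial on it.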
