Debian Bug report logs - #835587
openconnect: Connection dies frequently, is restored after dead peer detection

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Matti Koskimies <matti@apulanta.fi>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openconnect: Connection dies frequently, is restored after dead peer detection

Date: Sat, 27 Aug 2016 12:47:29 +0300

Package: openconnect
Version: 7.06-2+b2
Severity: important

Dear Maintainer,

A couple of weeks back, my openconnect VPN connection started to freeze
frequently. I'm not sure what changed at the time. The connection comes back
after a while and I noticed from the logs that it is restored after a "DTLS
Dead Peer Detection detected dead peer!" message. So I found the --force-dpd
option and the situation is bearable, if I set the value to 2 or 3. What might
be the problem? Is it a bug or a configuration issue? On client or server?

openconnect.log is output of an exampla openconnect connection using -v option.



-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openconnect depends on:
ii  libc6            2.23-5
ii  libgnutls30      3.5.3-3
ii  libopenconnect5  7.06-2+b2
ii  libproxy1v5      0.4.11-5
ii  libxml2          2.9.4+dfsg1-1+b1
ii  vpnc-scripts     0.1~git20150318-1

openconnect recommends no packages.

openconnect suggests no packages.




*** /home/matti/openconnect.log
$ echo pass|sudo /usr/sbin/openconnect -v --force-dpd=3 --usergroup=$USERGROUP
--user=$USERNAME --passwd-on-stdin $SERVERNAME
POST https://$SERVERNAME/restricted
Attempting to connect to server $SERVER_IP:443
SSL negotiation with $SERVERNAME
Connected to HTTPS on $SERVERNAME
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Aug 2016 09:21:27 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
POST https://$SERVERNAME/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sat, 27 Aug 2016 09:21:27 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004-2016 Cisco Systems, Inc.
X-CSTP-Address: $ADDRESS
X-CSTP-Netmask: 255.255.255.255
X-CSTP-Hostname: $HOSTNAME
X-CSTP-DNS: $DNS1
X-CSTP-DNS: $DNS2
X-CSTP-NBNS: $NBNS1
X-CSTP-NBNS: $NBNS2
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Idle-Timeout: 5400
X-CSTP-Disconnected-Timeout: 5400
X-CSTP-Default-Domain: $DOMAIN
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-PAC-URL: $PAC_URL
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID:
80FD648BC40104FC32F5E5F012A93F86471611402E235C99BD294AF4A26300E1
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 3600
X-CSTP-MTU: 1200
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 3, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
DTLS option X-DTLS-Session-ID :
80FD648BC40104FC32F5E5F012A93F86471611402E235C99BD294AF4A26300E1
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 3600
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS initialised. DPD 3, Keepalive 20
Connected tun0 as $IP, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send CSTP DPD
Got DTLS DPD response
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Got DTLS DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
Send DTLS DPD
Send DTLS DPD
Send DTLS DPD
Send CSTP DPD
Got CSTP DPD response
DTLS Dead Peer Detection detected dead peer!
Established DTLS connection (using GnuTLS). Ciphersuite
(DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
Send CSTP DPD
Got CSTP DPD response

Message #10 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Marco Marzetti <marco@lamehost.it>

To: 835587@bugs.debian.org

Subject: openconnect: Connection dies frequently, is restored after dead peer detection

Date: Tue, 30 Aug 2016 22:26:36 +0200

I can confirm that i have same problem (debian testing here).
As far as i can see it started after i have updated libgnutls30 and 
libgnutls-openssl27 from 3.5.2-2 to 3.5.3-2 .

A few minutes ago i have updated to 3.5.3-3, but the problem is still 
there.

Desired=Unknown/Install/Remove/Purge/Hold
| 
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                            Version              Architecture    
     Description
+++-===============================-====================-====================-====================================================================
ii  libgnutls30:amd64               3.5.3-3              amd64           
     GNU TLS library - main runtime library
ii  libgnutls30:i386                3.5.3-3              i386            
     GNU TLS library - main runtime library



-- 
Marco

Message #15 received at 835587@bugs.debian.org (full text, mbox, reply):

From: David Woodhouse <dwmw2@infradead.org>

To: Marco Marzetti <marco@lamehost.it>, 835587@bugs.debian.org

Subject: Re: Bug#835587: openconnect: Connection dies frequently, is restored after dead peer detection

Date: Tue, 30 Aug 2016 22:23:22 +0100

[Message part 1 (text/plain, inline)]

On Tue, 2016-08-30 at 22:26 +0200, Marco Marzetti wrote:
> I can confirm that i have same problem (debian testing here).
> As far as i can see it started after i have updated libgnutls30 and 
> libgnutls-openssl27 from 3.5.2-2 to 3.5.3-2 .
> 
> A few minutes ago i have updated to 3.5.3-3, but the problem is
> still there.

Yes, the problem was introduced in 3.5.3. See
https://bugzilla.redhat.com/show_bug.cgi?id=1370881

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@intel.com                              Intel Corporation

[smime.p7s (application/x-pkcs7-signature, attachment)]

Message #20 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>

To: David Woodhouse <dwmw2@infradead.org>, 835587@bugs.debian.org

Cc: Marco Marzetti <marco@lamehost.it>

Subject: Re: Bug#835587: openconnect: Connection dies frequently, is restored after dead peer detection

Date: Wed, 7 Sep 2016 14:50:56 +0200

[Message part 1 (text/plain, inline)]

Control: reassign -1 src:gnutls28 3.5.3-1
Control: affects -1 openconnect
Control: tags -1 patch

On Tue, Aug 30, 2016 at 10:23:22PM +0100, David Woodhouse wrote:

Hi,

> On Tue, 2016-08-30 at 22:26 +0200, Marco Marzetti wrote:
> > I can confirm that i have same problem (debian testing here).
> > As far as i can see it started after i have updated libgnutls30 and 
> > libgnutls-openssl27 from 3.5.2-2 to 3.5.3-2 .
> > 
> > A few minutes ago i have updated to 3.5.3-3, but the problem is
> > still there.
> 
> Yes, the problem was introduced in 3.5.3. See
> https://bugzilla.redhat.com/show_bug.cgi?id=1370881

Reassigning, I see there is a patch merged in
https://gitlab.com/gnutls/gnutls/merge_requests/56

Best Regards,
Bernhard

[signature.asc (application/pgp-signature, inline)]

Message #35 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>

To: David Woodhouse <dwmw2@infradead.org>, 835587@bugs.debian.org

Cc: Marco Marzetti <marco@lamehost.it>

Subject: Re: Bug#835587: openconnect: Connection dies frequently, is restored after dead peer detection

Date: Wed, 7 Sep 2016 16:46:48 +0200

[Message part 1 (text/plain, inline)]

On Wed, Sep 07, 2016 at 02:50:56PM +0200, Bernhard Schmidt wrote:

Hi,

> Reassigning, I see there is a patch merged in
> https://gitlab.com/gnutls/gnutls/merge_requests/56

Unfortunately you need a few more patches on top of 3.5.3 for this to
apply (two for the testsuite, one other DTLS fix).

Attached patch compiles cleanly and fixes the problem for me.

Bernhard

[0001-Import-multiple-patches-from-upstream-git-to-fix-Ope.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #40 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Andreas Bourges <andy@bourges.de>

To: 835587@bugs.debian.org

Subject: still not working for me

Date: Thu, 08 Sep 2016 15:15:50 +0200

Hi,

...I was having the same problem as the OP for some weeks now - vpn hangs due 
to DPD timeouts.

-> just applied the patch and recompiled - but got no better result. VPN 
connection instantly failed again :(

What I did:

apt-get source libgnutls30
dpkg-buildpackage -us -uc -nc
dpkg -i libgnutls30_3.5.3-4_amd64.deb gnutls-bin_3.5.3-4_amd64.deb libgnutls-
openssl27_3.5.3-4_amd64.deb

Have I done anything wrong?

...running on a up-to-date sid installation. Since I do a lot of homeoffice, I'm 
pretty badly affected by this bug :(

Thanks and regards,

Andy

Message #45 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Andreas Bourges <andy@bourges.de>

To: 835587@bugs.debian.org

Subject: Re: still not working for me

Date: Thu, 08 Sep 2016 15:20:58 +0200

...forgot to mention that I also applied the patch from above ;-)

regards,

Andy

Message #50 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>

To: Andreas Bourges <andy@bourges.de>, 835587@bugs.debian.org

Subject: Re: Bug#835587: still not working for me

Date: Thu, 8 Sep 2016 16:19:43 +0200

[Message part 1 (text/plain, inline)]

On Thu, Sep 08, 2016 at 03:15:50PM +0200, Andreas Bourges wrote:

> -> just applied the patch and recompiled - but got no better result.
> VPN connection instantly failed again :(

Does downgrading to the packages from
http://snapshot.debian.org/package/gnutls28/3.5.2-3/ help in your case?

Bernhard

[signature.asc (application/pgp-signature, inline)]

Message #55 received at 835587-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@debian.org>

To: 835587-close@bugs.debian.org

Subject: Bug#835587: fixed in gnutls28 3.5.3-5

Date: Thu, 08 Sep 2016 19:05:35 +0000

Source: gnutls28
Source-Version: 3.5.3-5

We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835587@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Sep 2016 19:56:58 +0200
Source: gnutls28
Binary: libgnutls28-dev libgnutls30 gnutls-bin gnutls-doc libgnutlsxx28 libgnutls-openssl27
Architecture: source
Version: 3.5.3-5
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 835587
Description: 
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls-doc - GNU TLS library - documentation and examples
 libgnutls28-dev - GNU TLS library - development files
 libgnutls30 - GNU TLS library - main runtime library
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutlsxx28 - GNU TLS library - C++ runtime library
Changes:
 gnutls28 (3.5.3-5) experimental; urgency=medium
 .
   * Pull DTLS fixes from upstream GIT master.
     45_01-tests-enhance-the-DTLS-window-unit-test-to-account-f.patch
     45_02-dtls-ensure-that-the-DTLS-window-doesn-t-get-stalled.patch
     45_03-tests-mini-dtls-record-modified-expected-order-to-ac.patch
     45_04-Import-DTLS-sliding-window-validation-from-OpenConne.patch
     Closes: #835587
Checksums-Sha1: 
 ee6b9fe15f2879d5288d2eae5317edd486e59ad2 3097 gnutls28_3.5.3-5.dsc
 9c8c9d1ea9701ee57ebbcecf4e05aa16cd6cea69 287 gnutls28_3.5.3.orig.tar.xz.asc
 22e0c74fed04a40751768b288238a675dfb29e77 103544 gnutls28_3.5.3-5.debian.tar.xz
Checksums-Sha256: 
 973538e39eef4d886faf022776ab677a1f40064f442eb315c4e21f59c4180764 3097 gnutls28_3.5.3-5.dsc
 c66ccab79264ec870c280ba236de817d2104f2cbdad89730c206e5422531a0a3 287 gnutls28_3.5.3.orig.tar.xz.asc
 0e725e9d641358129f21108a67e745677ab12d49af8a534752d3826c06fcd3ff 103544 gnutls28_3.5.3-5.debian.tar.xz
Files: 
 0eabc8dfe314bc935a737626780671ab 3097 libs optional gnutls28_3.5.3-5.dsc
 fc141b0cc5fb8edaa1cccd4965d8b353 287 libs optional gnutls28_3.5.3.orig.tar.xz.asc
 b32950103c7894790ae176eefed52408 103544 libs optional gnutls28_3.5.3-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJX0bMfAAoJEKVPAYVDghSEyB4P/AmUxK9JNIlB2/4m9aIU8adA
O4+gGjm/1HAHWC92DMFqPjEF41wK6yBq93XJYQkaWHdeyK/ba9hGz6RitAaWRF8D
rax8NZQ5OIb+Q//52Z4DM+HHHLxd6JjdnXEc/mIUDXb1kRwqaPl8ibblyeMvnjQb
jYxa+DThiLSqzZU4XqUXlomLJA0I4R6n4Mi9dzgmkc1hxCNled7nNOwLGzzLYqFg
EWWrIVo5YoARW5HUfS4LjsuE0bIIveyYEtQvKXOH9p9g49RWvwGWgKOUK1iCVte1
x6/BVHVMT6EbrSJA2QXxAT7OJ8AIENB646JtAMCakPQWOm7brzyyrDD5G4Ubkuzz
GVu86hL0g4G3pQVussVi4rtUGxW/oDWqYXIgRbTOfff/gKKo3VbsF0u1yM47SWXk
FzUzk9Rh6TERysfWuB/GRChczx3K4zac3myaUZBWozgCIBhjdgVPnzMasp71hrv+
udpZ/7tmroeJ7P5CMPeExBddYVUYP7CML+LG8JHI/lG2cd3j0ckVYxi0YZWEN7P0
EFjHRSGyHvMWW+EWN3PD5zAIdtNzNcE9qonhVXL+jEf6IDInXzagFislevqdsm15
iopBi5QQVwjWERRSAhbkBgLqIK5KlwUg/whmpjQN8jL5RChIMbR5eunq0S8TSnYJ
RDC0C5mpKnNKlahPXabo
=IET1
-----END PGP SIGNATURE-----

Message #60 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Andreas Bourges <andy@bourges.de>

To: Bernhard Schmidt <berni@debian.org>

Cc: 835587@bugs.debian.org

Subject: Re: Bug#835587: still not working for me

Date: Fri, 09 Sep 2016 08:26:06 +0200

On Donnerstag, 8. September 2016 16:19:43 CEST Bernhard Schmidt wrote:
> Does downgrading to the packages from
> http://snapshot.debian.org/package/gnutls28/3.5.2-3/ help in your case?

No - downgraded and got another hang right away. But maybe there's an 
additional problem - the hang happens far more often when connected via WLAN 
than via ethernet :(

But the log shows the DPD  error anyway :(

thanks,

Andy

-- 
<bdale> Bdale is a contraction of Barksdale.
<Lo-lan-do> Hm.  It's definItely not something I'll ever remember.
<Lo-lan-do> Mind if I call you Wensleydale instead?

Message #65 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Andreas Bourges <andy@bourges.de>

To: Bernhard Schmidt <berni@debian.org>

Cc: 835587@bugs.debian.org

Subject: Re: Bug#835587: still not working for me

Date: Mon, 12 Sep 2016 11:38:21 +0200

Hi,

...just wanted to let you know that the latest updates in sid seem to fix my 
problem. Looks like I did something wrong, when applying the patch or when 
downgrading to the snapshot packages.

Anyway - using the new packages for >2h now and had no hang!


Thanks a lot!

Andy 

Message #70 received at 835587@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Andreas Bourges <andy@bourges.de>, 835587@bugs.debian.org, Bernhard Schmidt <berni@debian.org>

Subject: openconnect + gnutls: Re: Bug#835587: still not working for me

Date: Tue, 13 Sep 2016 00:49:24 +0200

[Message part 1 (text/plain, inline)]

On Mon 2016-09-12 11:38:21 +0200, Andreas Bourges wrote:

> ...just wanted to let you know that the latest updates in sid seem to fix my 
> problem. Looks like I did something wrong, when applying the patch or when 
> downgrading to the snapshot packages.
>
> Anyway - using the new packages for >2h now and had no hang!

I was also having the problem with openconnect hanging with "dead peer
detected" when using openconnect.

I can confirm that upgrading libgnutls30 from 3.5.3-4 to 3.5.4-2 also
seems to have resolved the problem for me.

thanks for the work sorting this out!

       --dkg

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.