Created attachment 551584
emerge --info

Since upgrading to openconnect-7.08 I can't connect to the Cisco AnyConnect VPN of my university. More precisely:

- networkmanager (version 1.10.10 with networkmanager-openconnect-1.2.4-r1) can establish the vpn connection
- But ssh-sessions stall after a few seconds
- and trying to load a https web page hangs on TLS handshake.

I think this is similar to Bug 589156 and the same as https://bugs.archlinux.org/task/52632

Log messages when connection is established:

openconnect[3228]: Connected to <vpn-server-ip>:443
openconnect[3228]: SSL negotiation with <vpn-server-ip>
openconnect[3228]: Server certificate verify failed: signer not found
openconnect[3228]: Connected to HTTPS on <vpn-server-ip>
openconnect[3228]: Got CONNECT response: HTTP/1.1 200 OK
openconnect[3228]: CSTP connected. DPD 30, Keepalive 20
openconnect[3228]: Connected as <client-ip>, using SSL
openconnect[3228]: Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).
openconnect[3228]: DTLS connection compression using LZS.
openconnect[3228]: Failed to read from SSL socket: The transmitted packet is too large (EMSGSIZE).
openconnect[3228]: Failed to recv DPD request (1386)
openconnect[3228]: SIOCSIFMTU: Operation not permitted

With openconnect-7.07-r2 everything works as expected and the log reads:

openconnect[856]: Connected to <vpn-server-ip>:443
openconnect[856]: SSL negotiation with <vpn-server-ip>
openconnect[856]: Server certificate verify failed: signer not found
openconnect[856]: Connected to HTTPS on <vpn-server-ip>
openconnect[856]: Got CONNECT response: HTTP/1.1 200 OK
openconnect[856]: CSTP connected. DPD 30, Keepalive 20
openconnect[856]: Connected as <client-ip>, using SSL
openconnect[856]: Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
openconnect[856]: DTLS connection compression using LZS.
openconnect[856]: Failed to recv DPD request (1385): The transmitted packet is too large (EMSGSIZE).
openconnect[856]: Failed to recv DPD request (1374): The transmitted packet is too large (EMSGSIZE).
openconnect[856]: Failed to recv DPD request (1371): The transmitted packet is too large (EMSGSIZE).
openconnect[856]: Detected MTU of 1370 bytes (was 1406)
openconnect[856]: SIOCSIFMTU: Operation not permitted
The SIOCSIFMTU error looks suspicious. Are you telling openconnect to drop root privileges after connecting via the -U/--setuid option? If so, does it work if you don't do that?
It's networkmanager that calls openconnect. I don't know if networkmanager applies the -U/--setuid option. Is this configurable in the networkmanager GUI?
Let's get networkmanager out of the picture; can you reproduce the problem when calling openconnect from the command line?
I'm now at the office. Will try it at home tonight. But I never ran openconnect from the command line before. How do I find the correct options and arguments? Can I just look for the process called by networkmanager and copy&paste it to the command line?
(In reply to Horst Prote from comment #4)
> But I never ran openconnect from the command line before. How do I find the
> correct options and arguments? Can I just look for the process called by
> networkmanager and copy&paste it to the command line?

I think that should work, though it might require some small adjustments.
On the subject of the SIOCSIFMTU error: Running the openconnect command as root does not show this error but the problem remains. So I think the SIOCSIFMTU error is not relevant.

1) Tests with net-vpn/openconnect-7.08 on command line:
=======================================================

/usr/sbin/openconnect --servercert sha1:<hash-value> --verbose --interface vpn0 <vpn-server-ip>:443
POST https://<vpn-server-ip>/
Attempting to connect to server <vpn-server-ip>:443
Connected to <vpn-server-ip>:443
SSL negotiation with <vpn-server-ip>
Server certificate verify failed: signer not found
Connected to HTTPS on <vpn-server-ip>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Oct 2018 19:25:22 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
Username:<my-user>
Password:
POST https://<vpn-server-ip>/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Oct 2018 19:25:36 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1379, snd mss 1388, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-DTLS-Session-ID: 6EE06F8659BBB6F68FF022F31F9B6DBC8986E7E8AD7A269895C9C6094648F88F
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1303
X-DTLS-MTU: 1406
X-DTLS-CipherSuite: DHE-RSA-AES256-SHA
X-DTLS-Content-Encoding: lzs
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
DTLS option X-DTLS-Session-ID : 6EE06F8659BBB6F68FF022F31F9B6DBC8986E7E8AD7A269895C9C6094648F88F
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1406
DTLS option X-DTLS-CipherSuite : DHE-RSA-AES256-SHA
DTLS option X-DTLS-Content-Encoding : lzs
DTLS initialised. DPD 30, Keepalive 20
Connected as <client-ip>, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).
DTLS connection compression using LZS.
Initiating IPv4 MTU detection (min=703, max=1406)
Failed to read from SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1406)
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Got DTLS DPD response
Got CSTP DPD response
Send DTLS Keepalive
Send CSTP Keepalive
...

I aborted this here. This sets the MTU to 1406 and is not working.

/usr/sbin/openconnect --servercert sha1:<hash-value> --base-mtu=1454 --verbose --interface vpn0 <vpn-server-ip>:443
POST https://<vpn-server-ip>/
Attempting to connect to server <vpn-server-ip>:443
Connected to <vpn-server-ip>:443
SSL negotiation with <vpn-server-ip>
Server certificate verify failed: signer not found
Connected to HTTPS on <vpn-server-ip>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Oct 2018 19:27:46 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
Username:<my-user>
Password:
POST https://<vpn-server-ip>/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Oct 2018 19:27:56 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1379, snd mss 1388, adv mss 1422, pmtu 1474
Got CONNECT response: HTTP/1.1 200 OK
...
X-DTLS-Session-ID: 4477DF69E66338F4FC300777C6E45F83D415AB6F0152E498789CC4F137228B81
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1303
X-DTLS-MTU: 1370
X-DTLS-CipherSuite: DHE-RSA-AES256-SHA
X-DTLS-Content-Encoding: lzs
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
DTLS option X-DTLS-Session-ID : 4477DF69E66338F4FC300777C6E45F83D415AB6F0152E498789CC4F137228B81
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1370
DTLS option X-DTLS-CipherSuite : DHE-RSA-AES256-SHA
DTLS option X-DTLS-Content-Encoding : lzs
DTLS initialised. DPD 30, Keepalive 20
Connected as <client-ip>, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).
DTLS connection compression using LZS.
Initiating IPv4 MTU detection (min=685, max=1370)
No change in MTU after detection (was 1370)
...

I aborted this here. This one works as the MTU detection of openconnect is not needed because of the --base-mtu=1454 option.

2) Test with net-vpn/openconnect-7.07-r2 on command line:
=========================================================

/usr/sbin/openconnect --servercert sha1:<hash-value> --verbose --interface vpn0 <vpn-server-ip>:443
POST https://<vpn-server-ip>/
Attempting to connect to server <vpn-server-ip>:443
Connected to <vpn-server-ip>:443
SSL negotiation with <vpn-server-ip>
Server certificate verify failed: signer not found
Connected to HTTPS on <vpn-server-ip>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Oct 2018 20:39:25 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
Username:<my-user>
Password:
POST https://<vpn-server-ip>/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 22 Oct 2018 20:39:30 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Got CONNECT response: HTTP/1.1 200 OK
...
X-DTLS-Session-ID: 22960A70911086AB9B7010F811F6E10DEA10DD039C4EB8649607B198B6A9B1F2
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1406
X-DTLS-CipherSuite: AES256-SHA
X-DTLS-Content-Encoding: lzs
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 30, Keepalive 20
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
DTLS option X-DTLS-Session-ID : 22960A70911086AB9B7010F811F6E10DEA10DD039C4EB8649607B198B6A9B1F2
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-CipherSuite : AES256-SHA
DTLS option X-DTLS-Content-Encoding : lzs
DTLS initialised. DPD 30, Keepalive 20
Connected as <client-ip>, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
DTLS connection compression using LZS.
Initiating IPv4 MTU detection (min=703, max=1406)
Failed to recv DPD request (1385): The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1374): The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1371): The transmitted packet is too large (EMSGSIZE).
Detected MTU of 1370 bytes (was 1406)
Send CSTP Keepalive

This one sets the MTU to 1370 and works.

So the main differences I see between the working (7.07-r2) and not working (7.08) versions are these lines:

With 7.07-r2
============
TCP_INFO ... is missing here!
X-CSTP-MTU: 1406
X-DTLS-MTU: is missing here!
X-DTLS-CipherSuite: AES256-SHA
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
Initiating IPv4 MTU detection (min=703, max=1406)
Failed to recv DPD request (1385): The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1374): The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1371): The transmitted packet is too large (EMSGSIZE).
Detected MTU of 1370 bytes (was 1406)

With 7.08
=========
TCP_INFO rcv mss 1379, snd mss 1388, adv mss 1448, pmtu 1500
X-CSTP-MTU: 1303
X-DTLS-MTU: 1406
X-DTLS-CipherSuite: DHE-RSA-AES256-SHA
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).
DTLS connection compression using LZS.
Initiating IPv4 MTU detection (min=703, max=1406)
Failed to read from SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1406)
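As an added example (not from this bug report or the openconnect project), a small Python analyser that reads the two MTU-detection excerpts quoted above and makes the difference explicit: the log strings are constructed copies of those lines, and the regular expressions match openconnect's message formats exactly as they appear in this bug.

```python
import re

# Constructed excerpts of the two `openconnect --verbose` logs quoted in this
# bug report: 7.07-r2 finishes MTU probing, 7.08 gives up after one EMSGSIZE.
LOG_7_07 = """\
Initiating IPv4 MTU detection (min=703, max=1406)
Failed to recv DPD request (1385): The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1374): The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1371): The transmitted packet is too large (EMSGSIZE).
Detected MTU of 1370 bytes (was 1406)
Send CSTP Keepalive
"""
LOG_7_08 = """\
Initiating IPv4 MTU detection (min=703, max=1406)
Failed to read from SSL socket: The transmitted packet is too large (EMSGSIZE).
Failed to recv DPD request (1406)
Send CSTP Keepalive
"""

INIT_RE = re.compile(r"Initiating IPv4 MTU detection \(min=(\d+), max=(\d+)\)")
PROBE_RE = re.compile(r"Failed to recv DPD request \((\d+)\)")
DETECTED_RE = re.compile(r"Detected MTU of (\d+) bytes \(was (\d+)\)")
SOCKET_RE = re.compile(r"Failed to read from SSL socket: .*EMSGSIZE")


def analyse_mtu_detection(log):
    """Summarise what openconnect's DTLS MTU probing did, from its verbose log.

    Returns the probing window, the probe sizes that were rejected, the MTU
    finally detected (None if probing never concluded), whether EMSGSIZE
    surfaced as a socket *read* error (the 7.08 symptom) and the MTU the
    tunnel ends up with: the detected value, or the untouched maximum.
    """
    r = {"min": None, "max": None, "failed_probes": [],
         "detected": None, "read_emsgsize": False}
    for line in log.splitlines():
        if m := INIT_RE.search(line):
            r["min"], r["max"] = int(m[1]), int(m[2])
        elif m := PROBE_RE.search(line):
            r["failed_probes"].append(int(m[1]))
        elif m := DETECTED_RE.search(line):
            r["detected"] = int(m[1])
        elif SOCKET_RE.search(line):
            r["read_emsgsize"] = True
    r["effective"] = r["detected"] if r["detected"] is not None else r["max"]
    # Stalled: probes were rejected as too large, yet no smaller MTU was ever
    # chosen, so the tunnel keeps an MTU the path cannot carry (ssh stalls).
    r["stalled"] = r["detected"] is None and bool(r["failed_probes"])
    return r
```

Run against the 7.07-r2 excerpt the analyser reports a detected MTU of 1370; against the 7.08 excerpt it reports no detection, a read-side EMSGSIZE and an effective MTU stuck at 1406.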
I would suggest seeking help upstream. http://www.infradead.org/openconnect/mail.html
You might also try openconnect-9999 to see if the problem has already been fixed upstream.
openconnect-9999 does not fix the problem. But I searched https://lists.infradead.org/pipermail/openconnect-devel/ and found https://lists.infradead.org/pipermail/openconnect-devel/2018-January/004647.html and the OP of this thread opened the issue https://gitlab.com/gnutls/gnutls/issues/360 at gnutls. The proposed fix works as per the OP and was integrated in gnutls-3.6.x. Will test this at home tonight.
Unfortunately gnutls-3.6.3 (which includes the changes from https://gitlab.com/gnutls/gnutls/issues/360) does not fix the problem for me.

As a workaround I will now set the correct MTU value (for me it's 1370) with this script:

cat /etc/NetworkManager/dispatcher.d/20-mtu_change
#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface name, $2 the action.
INTERFACE=$1
STATUS=$2
# Only act when a VPN connection has just come up.
if [ "$STATUS" = "vpn-up" ]; then
    ip link set "$INTERFACE" mtu 1370
fi