
#1 2015-07-24 14:53:24

drelyn86
Member
From: Indianapolis, IN
Registered: 2009-04-10
Posts: 80

NetworkManager 1.0.4-1 (and 1.0.6-1) Regression: OpenConnect

I'd like to make a note of an issue I've been having this week with NetworkManager 1.0.4-1 and OpenConnect.

With this update, many connections are not working when connected to the VPN. Based on the Red Hat bug report here, this is caused by an incorrect calculation of the maximum transmission unit (MTU) for the VPN interface.

Downgrading to version 1.0.2-4 fixes the issue. However, as described in the bug report, the following script will correct the MTU setting. The script should be placed in /etc/NetworkManager/dispatcher.d/pre-up.d/ and made executable.

#!/bin/bash
#
# Forcefully setup the MTU of the vpn0 device as being 94 lower than the
# MTU of the device responsible for the default gateway if the current
# MTU is too high to allow openconnect VPNs to work properly

TARGET_DEVICE="vpn0"
REQUIRED_MTU_OVERHEAD=94

#echo "Event $1 $2" >> /tmp/test.log
if [ "$2" != "pre-up" ]; then
    exit 0
fi

if [[ "$1" == "$TARGET_DEVICE" ]]; then
        # Grab the default device name
        default_gw_device=$(route -n | grep '^0\.' | sed 's/.*UG[ 0-9]*//')
        default_gw_mtu=$(ifconfig | grep "$default_gw_device" | sed 's/.*mtu //')
        max_vpn_mtu=$(expr $default_gw_mtu - $REQUIRED_MTU_OVERHEAD)
        current_mtu=$(ifconfig | grep "$1" | sed 's/.*mtu //')
        if (( $max_vpn_mtu < $current_mtu )); then
                #echo Setting MTU for $1 to $max_vpn_mtu
                ip link set "$1" mtu "$max_vpn_mtu"
        fi
fi

Last edited by drelyn86 (2015-08-28 12:28:13)

Offline

#2 2015-08-01 20:00:36

domanov
Member
From: Italy
Registered: 2006-11-10
Posts: 45

Re: NetworkManager 1.0.4-1 (and 1.0.6-1) Regression: OpenConnect

Hi there,

I suffered from this problem as well, and the script does not work for me. However, doing by hand:

# ip link set vpn0 mtu 1186

after starting the vpn through networkmanager applet solves it for me.

The "1186" comes from the MTU of my wifi connection, which I find via ifconfig to be "1280", minus the "94" overhead as indicated in the script.

Hope this helps others too.
Cheers,
domanov

Offline

#3 2015-08-02 21:15:11

rlo
Member
From: Stockholm, Sweden
Registered: 2013-07-18
Posts: 3

Re: NetworkManager 1.0.4-1 (and 1.0.6-1) Regression: OpenConnect

Hi,

The script from the bug report works. You need to install the deprecated package net-tools for ifconfig and route.

I removed those lines and hard coded the mtu (1500 on my physical iface).

#!/bin/bash

if [ "$2" != "pre-up" ]; then
  exit 0
fi

if [[ "$1" == "vpn0" ]]; then
  ip link set "$1" mtu 1406
fi

With this one you can skip the manual step.

Offline

#4 2015-08-28 12:30:28

drelyn86
Member
From: Indianapolis, IN
Registered: 2009-04-10
Posts: 80

Re: NetworkManager 1.0.4-1 (and 1.0.6-1) Regression: OpenConnect

The issue persists in networkmanager 1.0.6-1. The workaround script continues to work provided that (as rlo pointed out) you have the net-tools package installed.

Offline
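
An added example, not code from this thread or from the bug report: the same pre-up MTU clamp written against iproute2 and sysfs, so it does not depend on net-tools. The function names and the SYSFS_NET override are assumptions made for this example; vpn0 and the 94-byte overhead come from the script in post #1.

```bash
#!/bin/bash
# Added example: pre-up MTU clamp for the VPN device using only `ip` and
# /sys/class/net (no ifconfig/route). Function names are hypothetical.
TARGET_DEVICE="vpn0"
REQUIRED_MTU_OVERHEAD=94   # value from the script in post #1

# Read `ip -4 route show default` output on stdin and print the device of
# the first default route, e.g. "default via 192.0.2.1 dev wlan0 ...".
default_route_dev() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print a device's MTU from sysfs. SYSFS_NET is an override used for testing.
dev_mtu() {
    cat "${SYSFS_NET:-/sys/class/net}/$1/mtu" 2>/dev/null
}

# $1 = MTU of the underlying device, $2 = current MTU of the VPN device.
# Prints the lower MTU to apply, or nothing when the current one already fits.
# Fails (status 1) when either value is missing or not a number.
clamped_mtu() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    max=$(( $1 - REQUIRED_MTU_OVERHEAD ))
    if [ "$max" -gt 0 ] && [ "$max" -lt "$2" ]; then echo "$max"; fi
    return 0
}

# Dispatcher entry point: $1 = interface, $2 = action.
main() {
    [ "$2" = "pre-up" ] && [ "$1" = "$TARGET_DEVICE" ] || return 0
    gw_dev=$(ip -4 route show default | default_route_dev)
    # Do nothing if there is no default route or it already points at the VPN.
    [ -n "$gw_dev" ] && [ "$gw_dev" != "$1" ] || return 0
    new_mtu=$(clamped_mtu "$(dev_mtu "$gw_dev")" "$(dev_mtu "$1")") || return 0
    [ -z "$new_mtu" ] || ip link set dev "$1" mtu "$new_mtu"
}

main "$@"
```
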

#5 2015-08-31 15:22:16

gnunn
Member
Registered: 2013-10-21
Posts: 96

Re: NetworkManager 1.0.4-1 (and 1.0.6-1) Regression: OpenConnect

I've been having issues lately with OpenConnect with a Cisco AnyConnect VPN. Unfortunately, I only use the VPN infrequently, so I'm not sure when it started. My symptom is that it works infrequently: some sites load fine while others never seem to load at all. The Cisco AnyConnect client works fine, and OpenConnect used to work fine as well.

Seeing this post, I tried the script; however, it doesn't seem to change the MTU at all for me, though I have ifconfig and route installed. Interestingly, if I set the MTU manually to 1406 (1500, which is my eth0 MTU, minus 94 overhead) it still doesn't work; however, setting it lower to 1400 works fine. Not sure why.

The other thing that strikes me as strange is resolv.conf. When I use OpenConnect, it adds the VPN domain as the first entry to the search line and the VPN DNS servers first to resolv.conf; however, it keeps the native connection domain and nameservers in resolv.conf as well. The native AnyConnect client only has the VPN entries included. Could this be causing some issues as well?

Offline

#6 2015-10-09 12:57:27

soleen
Member
Registered: 2008-10-20
Posts: 5

Re: NetworkManager 1.0.4-1 (and 1.0.6-1) Regression: OpenConnect

Another workaround from the bug report worked for me:

$ sudo setcap cap_net_admin+ep /usr/bin/openconnect

Offline
