Hello everyone
Yesterday, I had the VPN to university (Cisco AnyConnect) working on both my computer and laptop with openconnect. Then I updated my computer. The output of openconnect 8.20 looks different, and there was apparently no connection. I could not ping any server in the university network (except my own IP address). After a minute or so, openconnect would say
DTLS Dead Peer Detection detected dead peer!
CSTP Dead Peer Detection detected dead peer!
At the same time it was still working on my Laptop.
Then I thought this looks like it is an issue with openconnect. But downgrading openconnect to 8.10 would not solve the issue. The output of openconnect would return to what I was used to, but I still cannot connect.
Any idea what I could check, or which component/package could cause the issue?
Full openconnect output (privatized):
$ pass foo/bar | sudo openconnect --cafile="/path/to/cert.pem" --authgroup=extern --user="foo" --passwd-on-stdin --verbose https://vpn.foo
connection with profile extern
POST https://vpn.FOO
Attempting to connect to server [IP6FOO]:443
Connected to [2001:FOO]:443
SSL negotiation with vpn.FOO
Connected to HTTPS on vpn.FOO with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 13 Mar 2022 06:55:51 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
POST https://vpn.FOO
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 13 Mar 2022 06:55:52 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
POST https://vpn.FOO
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 13 Mar 2022 06:55:52 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1368, snd mss 1368, adv mss 1420, pmtu 1492
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
X-CSTP-Address: IP4FOO
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Address-IP6: IP6FOO
X-CSTP-Hostname: DOMAINFOO
X-CSTP-DNS: IP4FOO
X-CSTP-DNS: IP4FOO
X-CSTP-DNS-IP6: IP6FOO
X-CSTP-DNS-IP6: IP6FOO
X-CSTP-Lease-Duration: 1209600
X-CSTP-Session-Timeout: none
X-CSTP-Session-Timeout-Alert-Interval: 60
X-CSTP-Session-Timeout-Remaining: none
X-CSTP-Idle-Timeout: 3600
X-CSTP-Disconnected-Timeout: 3600
X-CSTP-Default-Domain: FOO
X-CSTP-Split-Include: IP4FOO/255.255.0.0
X-CSTP-Split-Include-IP6: IP6FOO/40
X-CSTP-Keep: true
X-CSTP-Tunnel-All-DNS: false
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: FOO
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-CSTP-MTU: 1287
X-DTLS-MTU: 1356
X-DTLS12-CipherSuite: ECDHE-RSA-AES256-GCM-SHA384
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 30, Keepalive 20
DTLS option X-DTLS-Session-ID : FOO
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-MTU : 1356
DTLS option X-DTLS12-CipherSuite : ECDHE-RSA-AES256-GCM-SHA384
DTLS initialised. DPD 30, Keepalive 20
Connected as IP4FOO + IP6FOO, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Initiating MTU detection (min=576, max=1356)
No change in MTU after detection (was 1356)
Send CSTP Keepalive
Send DTLS DPD
Send CSTP DPD
Send DTLS DPD
Send CSTP DPD
Send DTLS DPD
Send CSTP DPD
DTLS Dead Peer Detection detected dead peer!
CSTP Dead Peer Detection detected dead peer!
Last edited by meismarv (2022-03-13 11:54:53)
You can do
cat /var/log/pacman.log | grep -a upgraded
to give yourself an overview what exactly was done during that update.
https://archlinux.org/packages/extra/x8 … enconnect/ shows you possibly updated dependencies.
You forgot to privatize the first connect.
Last edited by -thc (2022-03-13 08:31:35)
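What -thc's advice looks like when scripted, as an added example that is not part of the thread: it takes pacman.log text, keeps only the "upgraded" lines of the most recent full-system-upgrade transaction, filters them against a dependency list (on a live system that list would come from `pactree -u openconnect`; the one embedded here is assumed), and prints a `pacman -U` downgrade command per hit against the package cache. The log lines are constructed to mirror the ones meismarv posted, plus an older transaction to show the reset logic.

```shell
#!/bin/sh
# Added example (not from the thread): triage pacman.log after an update that
# broke something, scoped to one package's dependencies.

# Constructed sample log in pacman's real line format.
SAMPLE_LOG='[2022-03-05T10:00:00+0100] [PACMAN] starting full system upgrade
[2022-03-05T10:00:30+0100] [ALPM] upgraded gnutls (3.7.3-1 -> 3.7.3-2)
[2022-03-12T20:45:00+0100] [PACMAN] starting full system upgrade
[2022-03-12T20:45:40+0100] [ALPM] upgraded libxml2 (2.9.12-7 -> 2.9.13-1)
[2022-03-12T20:45:41+0100] [ALPM] upgraded linux (5.16.12.arch1-1 -> 5.16.13.arch1-1)
[2022-03-12T20:46:19+0100] [ALPM] upgraded vpnc (1:0.5.3.r496.r153-2 -> 1:0.5.3.r501.r196-1)'

# Assumed dependency list; on a live system use `pactree -u openconnect`
# (pactree is in pacman-contrib).
SAMPLE_DEPS='gnutls libxml2 openssl libproxy vpnc'

# Print the "upgraded" lines of the most recent full-system-upgrade transaction.
# Each "starting full system upgrade" marker resets the collected list.
# $1 = pacman.log text
last_upgrade_transaction() {
    printf '%s\n' "$1" | awk '
        /\[PACMAN\] starting full system upgrade/ { split("", pkgs); n = 0 }
        /\[ALPM\] upgraded / { pkgs[n++] = $0 }
        END { for (i = 0; i < n; i++) print pkgs[i] }'
}

# Keep only upgrade lines whose package name ($4 in the log format) is in the
# space-separated dependency list.
# $1 = upgrade lines, $2 = dependency names
filter_by_deps() {
    printf '%s\n' "$1" | awk -v deps="$2" '
        BEGIN { n = split(deps, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        /\[ALPM\] upgraded / && ($4 in want) { print }'
}

# Turn each upgrade line into a downgrade command against the package cache.
# The old version is $5 minus its leading "(". This only works while the old
# package is still in /var/cache/pacman/pkg (before paccache removed it).
# $1 = upgrade lines
downgrade_hints() {
    printf '%s\n' "$1" | awk '/\[ALPM\] upgraded / {
        old = $5; sub(/^\(/, "", old)
        printf "sudo pacman -U /var/cache/pacman/pkg/%s-%s-*.pkg.tar.zst\n", $4, old
    }'
}

# Stand-alone run. With a real system, pass "$(cat /var/log/pacman.log)" and
# "$(pactree -u openconnect)" instead of the samples.
tx=$(last_upgrade_transaction "$SAMPLE_LOG")
hits=$(filter_by_deps "$tx" "$SAMPLE_DEPS")
printf 'openconnect dependencies touched by the last upgrade:\n%s\n\n' "$hits"
printf 'downgrade candidates (one at a time, re-testing the VPN after each):\n'
downgrade_hints "$hits"
```

Downgrading one candidate at a time, re-testing after each, is what turns "something in the update broke it" into a single package name to report; in this thread that was vpnc, with libxml2 ruled out.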
Ok, so of the dependencies the following pkgs were updated:
[2022-03-12T20:45:40+0100] [ALPM] upgraded libxml2 (2.9.12-7 -> 2.9.13-1)
[2022-03-12T20:46:19+0100] [ALPM] upgraded vpnc (1:0.5.3.r496.r153-2 -> 1:0.5.3.r501.r196-1)
I downgraded vpnc and it is working again! Thanks.
I will file an issue here https://github.com/streambinder/vpnc/issues.
Edit: the issue, let's see.
Edit2: new issue at vpnc-script repo where I narrowed it down.
Last edited by meismarv (2022-03-15 21:32:09)
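Once the suspect is vpnc-script rather than openconnect itself, the useful evidence is what openconnect hands the script and what the script leaves behind, because the symptom in the log above (CSTP and DTLS come up, then DPD declares the peer dead) is exactly what a tunnel with missing or wrong routes looks like. The following is an added example, not code from the thread, from openconnect or from vpnc-script: a wrapper you pass to `openconnect --script`, which logs the environment variables vpnc-script receives, runs the real script, records its exit status, and after "connect" checks that the split-include prefixes (the X-CSTP-Split-Include headers) are present in `ip route show dev $TUNDEV`. The vpnc-script path is Arch's default and the log path and function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread, openconnect or vpnc-script).
# Use:  sudo openconnect --script /usr/local/bin/vpnc-script-debug ... https://vpn.foo
# Assumed paths; REAL_VPNC_SCRIPT / VPNC_DEBUG_LOG override them.
REAL_SCRIPT="${REAL_VPNC_SCRIPT:-/etc/vpnc/vpnc-script}"
LOG="${VPNC_DEBUG_LOG:-/tmp/vpnc-script-debug.log}"

# One line per variable of interest; "(unset)" marks ones openconnect did not
# pass, which is itself a signal when diffing a working box against a broken one.
vpnc_env_summary() {
    for name in reason TUNDEV VPNGATEWAY INTERNAL_IP4_ADDRESS INTERNAL_IP4_NETMASK \
                INTERNAL_IP4_NETMASKLEN INTERNAL_IP4_DNS INTERNAL_IP6_ADDRESS \
                INTERNAL_IP6_NETMASK INTERNAL_IP6_DNS CISCO_DEF_DOMAIN CISCO_SPLIT_INC; do
        eval "val=\${$name-}"
        [ -n "$val" ] || val='(unset)'
        printf '%s=%s\n' "$name" "$val"
    done
    # Split-include routes arrive as a count plus numbered _ADDR/_MASK/_MASKLEN triples.
    n=${CISCO_SPLIT_INC:-0}
    i=0
    while [ "$i" -lt "$n" ]; do
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR-}"
        eval "mask=\${CISCO_SPLIT_INC_${i}_MASK-}"
        eval "len=\${CISCO_SPLIT_INC_${i}_MASKLEN-}"
        printf 'CISCO_SPLIT_INC[%s]=%s/%s (%s)\n' "$i" "$addr" "$len" "$mask"
        i=$((i + 1))
    done
}

# Report split-include prefixes missing from a routing-table dump.
# $1 = text of `ip route show dev "$TUNDEV"` (passed in so it can be run offline).
# Prints one "missing route" line per absent prefix; returns 1 if any is missing.
# Note: iproute2 prints host routes without "/32", so those are matched bare.
missing_split_routes() {
    routes=$1
    n=${CISCO_SPLIT_INC:-0}
    i=0
    missing=0
    while [ "$i" -lt "$n" ]; do
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR-}"
        eval "len=\${CISCO_SPLIT_INC_${i}_MASKLEN-}"
        if [ "$len" = 32 ]; then pat="^$addr "; else pat="^$addr/$len "; fi
        if ! printf '%s\n' "$routes" | grep -q "$pat"; then
            printf 'missing route %s/%s\n' "$addr" "$len"
            missing=$((missing + 1))
        fi
        i=$((i + 1))
    done
    [ "$missing" -eq 0 ]
}

# Wrapper behaviour: only runs when openconnect invoked us (it always sets $reason:
# pre-init, connect, disconnect, reconnect, attempt-reconnect).
if [ -n "${reason:-}" ]; then
    {
        printf '=== %s reason=%s ===\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$reason"
        vpnc_env_summary
    } >> "$LOG"
    "$REAL_SCRIPT" "$@"
    rc=$?
    printf 'vpnc-script exit=%s\n' "$rc" >> "$LOG"
    # After "connect", verify that the routes the script was supposed to add exist.
    if [ "$reason" = connect ] && [ -n "${TUNDEV:-}" ]; then
        missing_split_routes "$(ip route show dev "$TUNDEV")" >> "$LOG" || true
    fi
    exit "$rc"
fi
```

Run the same wrapper on the working laptop and the broken desktop and diff the two logs: identical input with different exit codes or missing routes points at the script version, identical output from both points back at something else (interface state, firewall, DNS). The wrapper must be executable and owned by root, since openconnect runs it with the privileges it has itself.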