"ESP detected dead peer": Connection with --protocol=nc drops consistently after ~20 min, v9.12
Hey!
Thanks for making this very useful piece of software: I absolutely loathe using the Pulse Secure Connect client.
I'm running into a familiar bug that seems to have been reported before (1, 2) and fixed in this commit. I wonder if there's been some regression causing this to pop up again.
My OpenConnect version:

```
OpenConnect version v9.12
Using GnuTLS 3.8.0. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /nix/store/ic71wd7cxrhxqzxb4hsfrpbglw64fyf9-vpnc-scripts-unstable-2023-01-03/bin/vpnc-script
```
My logs (with `-v`):

```
Attempting to connect to server <REDACTED IP ADDRESS:PORT>
Connected to <REDACTED IP ADDRESS:PORT>
SSL negotiation with <REDACTED DOMAIN>
Connected to HTTPS on vpn.jh.edu with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-type: application/octet-stream
Pragma: no-cache
NCP-Version: 3
Set-Cookie: DSLastAccess=1687155669; path=/; Secure
Connection: close
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
> 0000: 17 00 00 04 00 00 00 0a 00 72 61 6a 2d 6c 61 70 |.........raj-lap|
> 0010: 74 6f 70 bb 01 00 00 00 00 |top......|
Got KMP message 301 of size 431
Unknown TLV group 3 attr 1 len 1: 00
Unknown TLV group 3 attr 2 len 1: 00
Received split include route 0.0.0.0/0.0.0.0
Received MTU 1400 from server
Received DNS server <REDACTED IP ADDRESS>
Received DNS server <REDACTED IP ADDRESS>
Received DNS search domain <REDACTED>
Unknown TLV group 2 attr 3 len 4: 01 00 00 00
Received WINS server 255.255.255.255
ESP compression: 0
ESP encryption: 0x02 (AES-128)
ESP HMAC: 0x02 (SHA1)
ESP key lifetime: 1200 seconds
ESP key lifetime: 0 bytes
ESP replay protection: 1
Unknown TLV group 8 attr 11 len 4: 00 00 00 00
ESP port: 4500
ESP to SSL fallback: 15 seconds
Unknown TLV group 8 attr 8 len 4: 00 00 00 3c
Unknown TLV group 8 attr 12 len 1: 00
Received internal IP address <REDACTED IP ADDRESS>
Received netmask 255.255.255.255
Received internal gateway address <REDACTED IP ADDRESS>
ESP SPI (outbound): 7363978a
64 bytes of ESP secrets
oNCP negotiation request outgoing:
> 0000: 8e 00 00 00 00 00 00 00 01 2f 01 00 00 00 01 00 |........./......|
> 0010: 00 00 00 00 00 10 00 06 00 00 00 0a 00 02 00 00 |................|
> 0020: 00 04 00 00 05 78 00 00 00 00 00 00 01 2e 01 00 |.....x..........|
> 0030: 00 00 01 00 00 00 00 00 00 56 00 07 00 00 00 50 |.........V.....P|
> 0040: 00 01 00 00 00 04 11 c7 e7 3b 00 02 00 00 00 40 |.........;.....@|
> 0050: 97 17 34 95 13 7c 95 00 bc af f6 ae f4 1c 5b 32 |..4..|........[2|
> 0060: 91 7d 17 7e 65 a8 9b e8 3a b7 d7 cd 1c a9 e1 b0 |.}.~e...:.......|
> 0070: 40 a8 f0 c4 00 00 00 00 00 00 00 00 00 00 00 00 |@...............|
> 0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Send ESP probes
UDP SO_SNDBUF: 89600
Configured as <REDACTED IP ADDRESS>, with SSL connected and ESP in progress
Detected virtual address range 0x1000-0x7ffffffff000
Using vhost-net for tun acceleration, ring size 32
Send ESP probes
Send ESP probes
ESP session established with server
Requeueing failed ESP send: Resource temporarily unavailable
<TRUNCATED: several identical lines>
Requeueing failed ESP send: Resource temporarily unavailable
Send ESP probes for DPD
Send ESP probes for DPD
Send ESP probes for DPD
ESP detected dead peer
Send ESP probes
UDP SO_SNDBUF: 89600
Send ESP probes
Send ESP probes
Send ESP probes
Send ESP probes
Send ESP probes
Send ESP probes
^CGET https://vpn.jh.edu/dana-na/auth/logout.cgi
SSL negotiation with vpn.jh.edu
^CConnected to HTTPS on vpn.jh.edu with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
TLS/DTLS read cancelled
Error reading HTTP response: Interrupted system call
Logout failed.
User cancelled (SIGINT/SIGTERM); exiting.
```
I can send more verbose logs if you'd like. The only thing I noted was that the ESP key lifetime was 20 min, which is close to the amount of time the VPN runs before the "ESP detected dead peer" message is shown.
Probably irrelevant: when I was on a more unstable internet connection (that cut out frequently for ~20 s every few minutes), the VPN kept dying after ~5 min, ~10 min, etc., but I'm not sure if the VPN connection is supposed to be more robust.
I can try to troubleshoot further: let me know what would be most helpful!
EDIT: Also, I can't get the VPN working with `--protocol=pulse`. Since my university uses Microsoft's SSO/SAML authentication that requires me to enter a 2FA code to get the cookie, I wrote a small wrapper to open a browser window and extract the cookie. I don't think that should cause any issues, but if so, let me know.
EDIT: I'm running NixOS, and I'm not sure if that could be causing any quirks.