The connection is disconnected after a period of time #273

Open
Chen-T opened this issue Nov 29, 2023 · 8 comments

Chen-T commented Nov 29, 2023

Hi, after I successfully connect with the GUI, the connection will be disconnected after a period of time, and I need to manually reconnect. Is there any way to automatically reconnect? If there is one, please let me know, thank you.

MurKit commented Apr 12, 2024

Having the same issue, with cli on Ubuntu.

Successfully connected at 06:19:
[2024-04-12T06:19:29Z INFO  gpclient::connect] Wrote PID 21884 to /var/run/gpclient.lock
10 Min later:
[2024-04-12T06:28:29Z INFO  openconnect::ffi] GlobalProtect rekey due
[2024-04-12T06:28:29Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/getconfig.esp
[2024-04-12T06:28:29Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:28:29Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:28:29Z WARN  openconnect::ffi] Allow Automatic Restoration of SSL VPN is disabled
[2024-04-12T06:28:29Z WARN  openconnect::ffi] Cookie is no longer valid, ending session
[2024-04-12T06:28:29Z WARN  openconnect::ffi] Reconnect failed
[2024-04-12T06:28:29Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/logout.esp
[2024-04-12T06:28:29Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:28:29Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:28:29Z INFO  openconnect::ffi] Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
[2024-04-12T06:28:29Z INFO  openconnect::ffi] openconnect_mainloop returned -1, exiting

Owner

yuezk commented Apr 12, 2024

Hi @MurKit, did this client ever work for you? And could you please provide the full log to me to further investigate? Thanks.

MurKit commented Apr 12, 2024

Hey @yuezk, thanks for your attention. Yes, it works great, but maybe I'm missing some options as I run the client?

$ sudo gpclient connect smth.com
[2024-04-12T06:46:42Z INFO  gpclient::cli] gpclient started: 2.1.4 (2024-04-10)
[2024-04-12T06:46:42Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
[2024-04-12T06:46:42Z INFO  gpapi::portal::prelogin] Prelogin with params: {"tmp": "tmp", "default-browser": "1", "cas-support": "yes", "os-version": "Linux Ubuntu 20.04.1 LTS", "ipv6-support": "yes", "clientos": "Linux", "clientVer": "4100"}
[2024-04-12T06:46:42Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-12T06:46:42Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect
[2024-04-12T06:46:42Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15
[2024-04-12T06:46:42Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/****************/saml2?SAMLRequest=j**********%3D&RelayState=**********%3D&SigAlg=h**********6&Signature=a**********%3D
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] Raise window in 1 second(s)

(process:23077): libsoup-WARNING **: 09:46:44.004: gssapi step failed: Unspecified GSS failure.  Minor code may provide more information: SPNEGO cannot find mechanisms to negotiate
[2024-04-12T06:46:45Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect Login
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/***********************/login
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/common/SAS/ProcessAuth
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Loaded uri: https://m**********m/SAML20/SP/ACS
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Got auth data from headers
[2024-04-12T06:47:06Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-04-12T06:47:06Z INFO  gpclient::connect] Connecting to the only available gateway: hhjhhjh (smth.com)
[2024-04-12T06:47:06Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-04-12T06:47:06Z INFO  openconnect::ffi] openconnect version: v9.12-0-focal1
[2024-04-12T06:47:06Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2024-04-12T06:47:06Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-04-12T06:47:06Z INFO  openconnect::ffi] OS: linux
[2024-04-12T06:47:06Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-04-12T06:47:06Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-04-12T06:47:06Z INFO  openconnect::ffi] MTU: 0
[2024-04-12T06:47:06Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/getconfig.esp
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Connected to **********
[2024-04-12T06:47:06Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 10 minutes.
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Idle timeout is 10 minutes.
[2024-04-12T06:47:06Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-04-12T06:47:06Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/hipreportcheck.esp
[2024-04-12T06:47:06Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum eb96666666663e622d31d066666633667.
        VPN connectivity may be disabled or limited without HIP report submission.
        You need to provide a --csd-wrapper argument with the HIP report submission script.
[2024-04-12T06:47:06Z INFO  openconnect::ffi] ESP session established with server
[2024-04-12T06:47:06Z INFO  openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2024-04-12T06:47:06Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 11
[2024-04-12T06:47:06Z INFO  gpclient::connect] Wrote PID 23019 to /var/run/gpclient.lock
[2024-04-12T06:56:06Z INFO  openconnect::ffi] GlobalProtect rekey due
[2024-04-12T06:56:06Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/getconfig.esp
[2024-04-12T06:56:06Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:56:06Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Allow Automatic Restoration of SSL VPN is disabled
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Cookie is no longer valid, ending session
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Reconnect failed
[2024-04-12T06:56:06Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/logout.esp
[2024-04-12T06:56:06Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:56:06Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:56:06Z INFO  openconnect::ffi] Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
[2024-04-12T06:56:06Z INFO  openconnect::ffi] openconnect_mainloop returned -1, exiting
[2024-04-12T06:56:06Z INFO  gpclient::connect] Removing PID file

Owner

yuezk commented Apr 12, 2024

Looks like the tunnel timeout is 10 minutes. I have never met this before, and I'm not sure whether the timeout is configured from the VPN server side or the client side. I will investigate whether the timeout can be set via the client.

[2024-04-12T06:47:06Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 10 minutes.
... ...
[2024-04-12T06:56:06Z INFO  openconnect::ffi] GlobalProtect rekey due

And the timeout of my VPN is 180 minutes.

MurKit commented Apr 12, 2024

I suspect the timeout is set from the server.

Also, the GUI client from GlobalProtect did not disconnect, but it has a bad GUI and a weird autostart without closing the previous instances.

Owner

yuezk commented Apr 12, 2024

It could be set from the client side if the official client did not disconnect.

Owner

yuezk commented Apr 13, 2024

I found some information regarding this problem:

  1. Your administrator has changed the default Inactivity Logout period to 10 minutes (default is 180 minutes). OpenConnect uses this field to do rekey operations periodically.
  2. Your administrator has checked Disable Automatic Restoration of SSL VPN to prevent SSL VPN restoration; that's why we saw the rekey fail in the logs. (The default is to allow automatic restoration.)
  3. The reason why the official client doesn't disconnect after 10 minutes could be that it doesn't use the Inactivity Logout period as the session timeout value. But OpenConnect uses it and there is no way to change it. I also found a discussion regarding this on OpenConnect's email list, but there seems to be no result.

The workaround for this is to enable automatic restoration of SSL VPN from the server side, or increase the Inactivity Logout period to delay the rekey period.

This is the official doc regarding this.
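The failure chain described in this comment (rekey fires, restoration is disabled, the cookie is rejected) can be confirmed from a client log. The following is an added example, not part of the thread or of the project's code: the function name `diagnose`, its result keys and the sample log (constructed from the lines quoted in this thread) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in this thread (one session).
SAMPLE_LOG = """\
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 10 minutes.
[2024-04-12T06:47:06Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 11
[2024-04-12T06:56:06Z INFO  openconnect::ffi] GlobalProtect rekey due
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Allow Automatic Restoration of SSL VPN is disabled
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Cookie is no longer valid, ending session
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Reconnect failed
"""

LINE_RE = re.compile(r"^\[(\S+)\s+(\w+)\s+(\S+)\]\s+(.*)$")
REKEY_RE = re.compile(r"Tunnel timeout \(rekey interval\) is (\d+) minutes")
FLAGS = {  # message substring -> finding it indicates (hypothetical key names)
    "Allow Automatic Restoration of SSL VPN is disabled": "restoration_disabled",
    "Cookie is no longer valid": "cookie_invalid",
    "Reconnect failed": "reconnect_failed",
}

def diagnose(log_text):
    """Summarise why one gpclient/openconnect session ended, from its log."""
    r = {"rekey_minutes": None, "minutes_until_rekey": None, "cause": "unknown",
         **{name: False for name in FLAGS.values()}}
    connected_at = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines such as "RTNETLINK answers: ..." have no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        msg = m.group(4)
        if (k := REKEY_RE.search(msg)):
            r["rekey_minutes"] = int(k.group(1))  # interval announced by the gateway
        elif msg.startswith("Connected to VPN"):
            connected_at = ts
        elif msg == "GlobalProtect rekey due" and connected_at:
            r["minutes_until_rekey"] = (ts - connected_at).total_seconds() / 60
        for needle, name in FLAGS.items():
            if needle in msg:
                r[name] = True
    # Rekey fired, then the gateway refused to restore the session.
    if r["minutes_until_rekey"] is not None and r["restoration_disabled"] \
            and r["cookie_invalid"]:
        r["cause"] = "rekey_without_restoration"
    return r

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A `rekey_without_restoration` result points at gateway-side policy rather than a network fault, which matches the two server settings named above.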

MurKit commented Apr 18, 2024

So I guess it's not possible when a user can't affect decisions about how to set up the server. Maybe the official app has some options and therefore works.
