On Mon, Apr 27, 2020 at 7:45 PM Daniel Lenski <[email protected]> wrote:
>
> What version of OpenConnect are you running? What version of
> vpnc-script? (If it's the standard one provided by a Linux
> distribution, what distribution and version?)

Bah. Apologies. In hindsight this seems so obvious to include.

$ uname -a # arch linux
Linux voltaur 5.6.6-arch1-1 #1 SMP PREEMPT Tue, 21 Apr 2020 10:35:16 +0000 x86_64 GNU/Linux
$ openconnect --version
OpenConnect version v8.05
Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
$ vpnc --version
vpnc version 0.5.3
$ pacman -Qo /etc/vpnc/vpnc-script
/etc/vpnc/vpnc-script is owned by vpnc 1:0.5.3.r462.r78-1

> OpenConnect logs various specific messages when it loses a connection,
> which you should see if you're running with `-vvv`. Are you sure the
> connection is being dropped? Do `ip addr` and `ip route` show the VPN
> network device (by default tun0) and the routes to it disappear?

### functioning vpn
$ ip addr
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1367 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.xx.xx.xx/32 scope global tun0
       valid_lft forever preferred_lft forever
$ ip route # contains tun0, omitting the rest
10.xx.xx.xx/19 dev tun0 scope link

### after failure
# tun0 still in ip addr and ip route
# /etc/resolv.conf changed

> It appears more likely to me that *something other than OpenConnect*
> is overwriting your /etc/resolv.conf… possibly NetworkManager,
> possibly dhcpcd… not 100% sure.

Wow, it appears this is exactly what's going on. After resolv.conf
gets overwritten, if I restore it to the state when I first connect to
VPN, I still have the connection!

I use wicd for network management. I don't have networkmanager
installed. I can pursue this in a separate endeavor now that we've
ruled out openconnect. That said, if you have tips on where I might
look to figure out why something is hijacking resolv.conf when
something else is still controlling it, that would be appreciated!

Many thanks,
John

> On Mon, Apr 27, 2020 at 3:47 PM John Hendy <[email protected]> wrote:
> >
> > Greetings,
> >
> > For some time, I've been getting an automatic, silent disconnection.
> > My bash session with openconnect appears fine, but /etc/resolv.conf
> > will show that it's not on my VPN anymore.
> >
> > I'm pretty ignorant to network technology; I've done everything to
> > leverage my corporate VPN with openconnect via the posts/instructions
> > of others. Just adding that as I'll need some assistance with tracking
> > down exactly what's going on. I can post the full log if you'd like,
> > but after the initial connection stuff, there were only three unique
> > messages (with various values for bytes and ms):
> >
> > Sending uncompressed data packet of 40 bytes
> > No work to do; sleeping for 18000 ms...
> > Received uncompressed data packet of 524 bytes
> >
> > When I used a regex to remove those (thinking I'd see some message of
> > interest when it disconnected), there was nothing else left in the
> > file!
> >
> > The symptom is corporate addresses will start to hang and ultimately
> > give a "Hmmm. We're having trouble finding that site." My
> > /etc/resolv.conf will go from having an mmm search domain and 10.x.x.x
> > address to:
> >
> > $ cat /etc/resolv.conf
> > # Generated by dhcpcd from wlp3s0.dhcp
> > # /etc/resolv.conf.head can replace this line
> > nameserver 8.8.8.8
> > nameserver 37.235.1.177
> > # /etc/resolv.conf.tail can replace this line
> >
> > My openconnect command appears not to know this, though.
> >
> > This is the command I'm using:
> >
> > $ sudo openconnect -vvv --csd-wrapper /usr/lib/openconnect/csd-post.sh
> > gra.3m.com
> >
> > I'd estimate the connection lasts for ~10min or so. I can verify if
> > that would be helpful.
> >
> >
> > Many thanks for any suggestions,
> > John
> > _______________________________________________
> > openconnect-devel mailing list
> > [email protected]
> > http://lists.infradead.org/mailman/listinfo/openconnect-devel
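
Added example, not part of the original thread and not OpenConnect or vpnc-script code: a small check that reads a resolv.conf, reports which tool's "Generated by" header it carries, and flags nameservers outside the VPN's resolver range, which is the silent change described above. The function names, the constructed VPN-side sample file and the "10." prefix (taken from the 10.x.x.x resolver mentioned in the thread) are assumptions.

```shell
#!/bin/sh
# Added example: classify a resolv.conf relative to the VPN resolver prefix
# and report which tool's header comment it carries.

# resolv_generator FILE -> tool named in a "# Generated by X" header, or "unknown"
resolv_generator() {
    gen=$(sed -n 's/^# *Generated by \([^ ]*\).*/\1/p' "$1" | head -n 1)
    echo "${gen:-unknown}"
}

# resolv_status FILE PREFIX -> "ok" if every nameserver starts with PREFIX,
# "drift" if any nameserver falls outside it, "empty" if none are listed.
resolv_status() {
    awk -v p="$2" '
        $1 == "nameserver" { n++; if (index($2, p) != 1) bad++ }
        END { if (!n) print "empty"; else if (bad) print "drift"; else print "ok" }
    ' "$1"
}

# Constructed sample inputs; the second mirrors the file quoted in the thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/vpn.conf" <<'EOF'
# constructed: a resolv.conf pointing at a VPN-side resolver
search corp.example
nameserver 10.0.0.53
EOF
cat > "$SAMPLES/dhcp.conf" <<'EOF'
# Generated by dhcpcd from wlp3s0.dhcp
# /etc/resolv.conf.head can replace this line
nameserver 8.8.8.8
nameserver 37.235.1.177
# /etc/resolv.conf.tail can replace this line
EOF

for f in "$SAMPLES/vpn.conf" "$SAMPLES/dhcp.conf"; do
    echo "$(basename "$f"): generator=$(resolv_generator "$f") status=$(resolv_status "$f" 10.)"
done
```

Pointed at /etc/resolv.conf from a timer while the tunnel is up, a "drift" result with tun0 still present matches the symptom in this thread: the tunnel is alive but name resolution has moved to the DHCP-supplied resolvers.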