Sorry, I should have included more information. And thanks for looking at this!

On 2024-02-24 18:01, Daniel Lenski wrote:
First off, what is your `openconnect --version`?

   # openconnect --version
   OpenConnect version v9.12-106-ga79bba7d
   Using GnuTLS 3.7.10. Features present: PKCS#11, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
   Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
   Default vpnc-script (override with --script): ~/etc/vpnc/vpnc-script

Also the 9 hour disconnect is very iffy. The 6 hour disconnect is very constant and predictable, and within seconds of 6 hours.

I'll try with

   # openconnect --version
   OpenConnect version v9.12-122-g65853781
   Using GnuTLS 3.8.3. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
   Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
   Default vpnc-script (override with --script): ~/etc/vpnc/vpnc-script

soon. Also

   # uname -a
   Darwin <name>.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:31:00 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T6020 arm64 arm Darwin


It looks like you're collecting very detailed logs from OpenConnect
already (`--dump-http-traffic -vvv --timestamp`). What do those logs
show around the 6- and 9-hour marks? Anything that's unusual? Anything
*other than* the usual sent-a-packet/received-a-packet traffic?


I've looked at that and not seen anything unusual, but let me examine more, right at the 6 hour mark. I /think/ the last messages are only the “add host/add net” messages - I'm not seeing packet traffic in the stderr log file.


Are the users of the official PAN GP clients keeping SSH sessions open
for 6+ hours like you are?


Yes, I believe so. I'll verify.


Okay, so there's nothing specific to SSH, or even TCP, here. Both TCP
and UDP connections stop working around the 6/9 hour marks.


Yes, that seems to be the case (with the 9 hour mark being suspect as to whether it's consistent).

I'll get back with more information.

·Larry

