Hello all,
I am using OpenWrt 22.03.6 (and 23.05.2) with default settings on a WiFi router to connect my local network to the internet via a remote Cisco AnyConnect VPN.
This worked fine for the longest time, using OpenConnect. Recently something must have changed in the configuration of the server, which made it no longer successfully bring up the interface on boot (it still worked fine when starting the interface manually via LuCI). I took this as an excuse to update to a fresh 23.05.2 - where the same settings fail with the same symptoms at all times. (Back to 22.03.6 I could reproduce the same behavior as earlier.) I am beginning to think that there is some timing-dependent cause of this malaise.
The same symptoms always:
- No problem with the initial connection; 2FA prompt gets shown
- DTLS connection gets established (using GnuTLS, (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM)), then:
  Write error on DTLS session: Error in the push function.
- The RX counter of the interface never sees any packets.
- No connectivity.
When I ran openconnect with added verbosity, I got the following context:
Sat Jan 27 09:21:05 2024 daemon.info openconnect[2624]: Send DTLS DPD
Sat Jan 27 09:21:05 2024 daemon.notice openconnect[2624]: Write error on DTLS session: Error in the push function.
Sat Jan 27 09:21:05 2024 daemon.notice openconnect[2624]: Failed to send DPD request. Expect disconnect
Sat Jan 27 09:21:05 2024 daemon.info openconnect[2624]: Send CSTP DPD
Sat Jan 27 09:21:05 2024 daemon.info openconnect[2624]: No work to do; sleeping for 2000 ms...
Sat Jan 27 09:21:05 2024 daemon.notice openconnect[2624]: Write error on DTLS session: The specified session has been invalidated for some reason.
Any idea what could be causing this?
Comparing logs, I am wondering if it could be some race condition with the interface-bringup, or firewall reload... e.g. (just selected lines)
Sat Jan 27 10:12:55 2024 daemon.notice netifd: Interface 'vpn' is now up
Sat Jan 27 10:12:55 2024 daemon.notice netifd: Network device 'vpn-vpn' link is up
Sat Jan 27 10:12:55 2024 daemon.notice openconnect[2644]: Write error on DTLS session: Error in the push function.
Sat Jan 27 10:12:56 2024 user.notice firewall: Reloading firewall due to ifup of vpn (vpn-vpn)
Sat Jan 27 10:39:46 2024 daemon.notice netifd: Interface 'vpn' is now up
Sat Jan 27 10:39:46 2024 daemon.notice openconnect[2222]: Write error on DTLS session: Error in the push function.
Sat Jan 27 10:39:46 2024 daemon.notice netifd: Network device 'vpn-vpn' link is up
Sat Jan 27 10:39:46 2024 user.notice firewall: Reloading firewall due to ifup of vpn (vpn-vpn)
Thanks in advance for any ideas or suggestions.
Gohai
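A small script for checking the race hypothesis in the post above (whether each "Write error on DTLS session" lands within the same second or two as netifd bringing the VPN interface up and the firewall reloading). This is an added example and not code from the original post, from OpenWrt or from OpenConnect; it assumes the default `logread` line layout shown in the post (timestamp, facility.priority, process[pid]: message) and that the VPN interface is named `vpn`. The embedded sample is the post's three log excerpts in time order plus one constructed `wan` line to show that other interfaces are ignored.

```python
"""Correlate OpenConnect DTLS write errors with netifd ifup and firewall
reload events in OpenWrt logread output.

Added example for the thread above; not code from the original post or from
OpenWrt/OpenConnect. Assumes the default logread line layout and that the
VPN interface is named 'vpn' (override with the iface= argument).
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

TS_FMT = "%a %b %d %H:%M:%S %Y"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<prio>[a-z0-9]+\.[a-z]+) "
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample: the three excerpts quoted in the post, in time order,
# plus one constructed 'wan' line (not from the post) to exercise the filter.
SAMPLE_LOG = """\
Sat Jan 27 09:21:05 2024 daemon.info openconnect[2624]: Send DTLS DPD
Sat Jan 27 09:21:05 2024 daemon.notice openconnect[2624]: Write error on DTLS session: Error in the push function.
Sat Jan 27 09:21:05 2024 daemon.notice openconnect[2624]: Failed to send DPD request. Expect disconnect
Sat Jan 27 09:21:05 2024 daemon.info openconnect[2624]: Send CSTP DPD
Sat Jan 27 09:21:05 2024 daemon.info openconnect[2624]: No work to do; sleeping for 2000 ms...
Sat Jan 27 09:21:05 2024 daemon.notice openconnect[2624]: Write error on DTLS session: The specified session has been invalidated for some reason.
Sat Jan 27 10:12:50 2024 daemon.notice netifd: Interface 'wan' is now up
Sat Jan 27 10:12:55 2024 daemon.notice netifd: Interface 'vpn' is now up
Sat Jan 27 10:12:55 2024 daemon.notice netifd: Network device 'vpn-vpn' link is up
Sat Jan 27 10:12:55 2024 daemon.notice openconnect[2644]: Write error on DTLS session: Error in the push function.
Sat Jan 27 10:12:56 2024 user.notice firewall: Reloading firewall due to ifup of vpn (vpn-vpn)
Sat Jan 27 10:39:46 2024 daemon.notice netifd: Interface 'vpn' is now up
Sat Jan 27 10:39:46 2024 daemon.notice openconnect[2222]: Write error on DTLS session: Error in the push function.
Sat Jan 27 10:39:46 2024 daemon.notice netifd: Network device 'vpn-vpn' link is up
Sat Jan 27 10:39:46 2024 user.notice firewall: Reloading firewall due to ifup of vpn (vpn-vpn)
"""


@dataclass
class LogEvent:
    ts: datetime
    proc: str
    pid: Optional[int]
    msg: str


@dataclass
class Correlation:
    pid: Optional[int]
    err_ts: datetime
    msg: str
    ifup_delta: Optional[float]    # seconds since the last ifup of the VPN iface, or None
    reload_delta: Optional[float]  # seconds until the next firewall reload, or None


def parse_log(text: str) -> List[LogEvent]:
    """Parse logread lines; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid = int(m["pid"]) if m["pid"] else None
        events.append(LogEvent(datetime.strptime(m["ts"], TS_FMT), m["proc"], pid, m["msg"]))
    events.sort(key=lambda e: e.ts)  # stable: same-second lines keep file order
    return events


def correlate(events: List[LogEvent], iface: str = "vpn", window_s: float = 5.0) -> List[Correlation]:
    """For every DTLS write error, find the nearest ifup of `iface` at or before it
    and the nearest firewall reload at or after it, both within window_s seconds."""
    ifups = [e for e in events if e.proc == "netifd" and e.msg == f"Interface '{iface}' is now up"]
    reloads = [e for e in events if e.proc == "firewall" and e.msg.startswith("Reloading firewall")]
    errors = [e for e in events if e.proc == "openconnect" and e.msg.startswith("Write error on DTLS session")]
    out = []
    for err in errors:
        before = [u for u in ifups if 0 <= (err.ts - u.ts).total_seconds() <= window_s]
        after = [r for r in reloads if 0 <= (r.ts - err.ts).total_seconds() <= window_s]
        out.append(Correlation(
            pid=err.pid, err_ts=err.ts, msg=err.msg,
            ifup_delta=(err.ts - before[-1].ts).total_seconds() if before else None,
            reload_delta=(after[0].ts - err.ts).total_seconds() if after else None,
        ))
    return out


def report(results: List[Correlation]) -> List[str]:
    """One human-readable line per error, flagging those adjacent to ifup/reload."""
    lines = []
    for r in results:
        tag = "race-suspect" if (r.ifup_delta is not None or r.reload_delta is not None) else "steady-state"
        lines.append(f"{r.err_ts:%H:%M:%S} openconnect[{r.pid}] {tag}: "
                     f"ifup {r.ifup_delta} s before, firewall reload {r.reload_delta} s after | {r.msg}")
    return lines


def main() -> None:
    # Usage: python3 dtls_race.py [logread-output.txt]; without a file the sample runs.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(correlate(parse_log(text))):
        print(line)


if __name__ == "__main__":
    main()
```

On the router, `logread > /tmp/logread.txt` and copy the file to a workstation with Python; the script then prints, for each DTLS write error, how many seconds earlier the `vpn` interface came up and how many seconds later the firewall reloaded. Errors with neither neighbour within the window (like the 09:21:05 DPD ones in the post) are labelled steady-state, which separates a bringup race from a session that is simply already dead.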