
Mailing List Archive: vpnc: devel

vpnc connection hangs on fedora 12

 

 



rayvittal-lists at yahoo

Nov 20, 2009, 10:20 AM

Post #1 of 32 (4698 views)
vpnc connection hangs on fedora 12

I am able to successfully connect to my workplace (Cisco ASA 5510) with the vpnc bundled with fc12 (ver 0.5.3).
The login works smoothly, the routes get set up correctly. I can even browse some internal web sites -- for a few seconds


The connection stops working after a few packets are exchanged. I've tried all the natt modes with pretty much the same results. How do I go about debugging this issue?

I was on Fedora 8 previously and used the cisco proprietary vpn client without any issues.

The cisco vpn client doesn't work on FC12 (even after patching the code to conform to the new network API). With this client, login/auth works. Routes are setup correctly. However the connection is frozen

My kernel version is 2.6.31.5-127.fc12.x86_64


rayvittal-clist at yahoo

Nov 19, 2009, 8:16 PM

Post #2 of 32 (4413 views)
vpnc connection hangs on fedora 12 [In reply to]

I am able to successfully connect to my workplace (Cisco ASA 5510) with the vpnc bundled with fc12 (ver 0.5.3).
However the connection stops working after a few packets are exchanged. How do I go about debugging this issue? I was on Fedora 8 previously and used the cisco proprietary vpn client without any issues. I've tried all the natt modes with pretty much the same results.

The cisco vpn client doesn't work on FC12 (even after patching the code to conform to the new network API).
My kernel version is 2.6.31.5-127.fc12.x86_64


netllama at gmail

Nov 20, 2009, 10:28 AM

Post #3 of 32 (4607 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

Join the club. I've had this problem for a while now. Sadly, no one
seems to have any clear ideas on what is causing it.

On Fri, Nov 20, 2009 at 10:20 AM, C V <rayvittal-lists [at] yahoo> wrote:
> I am able to successfully connect to my workplace (Cisco ASA 5510) with the
> vpnc bundled with fc12 (ver 0.5.3).
> The login works smoothly, the routes get set up correctly. I can even browse
> some internal web sites -- for a few seconds
>
> The connection stops working after a few  packets are exchanged. I've tried
> all the natt modes with pretty much the same results. How do I go about
> debugging this issue?
>
> I was on Fedora 8 previously and used the cisco proprietary vpn client
> without any issues.
>
> The cisco vpn client doesn't work on FC12 (even after patching the code to
> conform to the new network API). With this client, login/auth works. Routes
> are setup correctly. However the connection is frozen
>
> My kernel version is 2.6.31.5-127.fc12.x86_64



--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman netllama [at] gmail
LlamaLand https://netllama.linux-sxs.org

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


dcbw at redhat

Nov 20, 2009, 10:56 AM

Post #4 of 32 (4604 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
> Join the club. I've had this problem for a while now. Sadly, no one
> seems to have any clear ideas on what is causing it.

Do you ever get a message about "recvfrom: no route to host" ? I get
that with new concentrators we have at work that do load balancing
(ASA5xxx series) while the old concentrators that didn't (Cisco 3000
series) worked just fine with vpnc.

I'm interested in solving this issue too and while I've investigated
it, I haven't gotten around to setting up my test ASA5505 for debugging
yet.

Dan

> On Fri, Nov 20, 2009 at 10:20 AM, C V <rayvittal-lists [at] yahoo> wrote:
> > I am able to successfully connect to my workplace (Cisco ASA 5510) with the
> > vpnc bundled with fc12 (ver 0.5.3).
> > The login works smoothly, the routes get set up correctly. I can even browse
> > some internal web sites -- for a few seconds
> >
> > The connection stops working after a few packets are exchanged. I've tried
> > all the natt modes with pretty much the same results. How do I go about
> > debugging this issue?
> >
> > I was on Fedora 8 previously and used the cisco proprietary vpn client
> > without any issues.
> >
> > The cisco vpn client doesn't work on FC12 (even after patching the code to
> > conform to the new network API). With this client, login/auth works. Routes
> > are setup correctly. However the connection is frozen
> >
> > My kernel version is 2.6.31.5-127.fc12.x86_64
>
>
>



netllama at gmail

Nov 20, 2009, 10:58 AM

Post #5 of 32 (4595 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, Nov 20, 2009 at 10:56 AM, Dan Williams <dcbw [at] redhat> wrote:
> On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
>> Join the club.  I've had this problem for a while now.  Sadly, no one
>> seems to have any clear ideas on what is causing it.
>
> Do you ever get a message about "recvfrom: no route to host" ?  I get
> that with new concentrators we have at work that do load balancing
> (ASA5xxx series) while the old concentrators that didn't (Cisco 3000
> series) worked just fine with vpnc.

Where would I see that message if it was present? Is not happening on
stdout/stderr from vpnc.



dcbw at redhat

Nov 20, 2009, 11:05 AM

Post #6 of 32 (4596 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, 2009-11-20 at 10:58 -0800, Lonni J Friedman wrote:
> On Fri, Nov 20, 2009 at 10:56 AM, Dan Williams <dcbw [at] redhat> wrote:
> > On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
> >> Join the club. I've had this problem for a while now. Sadly, no one
> >> seems to have any clear ideas on what is causing it.
> >
> > Do you ever get a message about "recvfrom: no route to host" ? I get
> > that with new concentrators we have at work that do load balancing
> > (ASA5xxx series) while the old concentrators that didn't (Cisco 3000
> > series) worked just fine with vpnc.
>
> Where would I see that message if it was present? Is not happening on
> stdout/stderr from vpnc.

Ok, interesting. It is for me on a few different machines I have. The
routing table seems to be OK and everything, but no traffic gets through
even though the connection seems successful.

Dan




netllama at gmail

Nov 20, 2009, 11:07 AM

Post #7 of 32 (4600 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, Nov 20, 2009 at 11:05 AM, Dan Williams <dcbw [at] redhat> wrote:
> On Fri, 2009-11-20 at 10:58 -0800, Lonni J Friedman wrote:
>> On Fri, Nov 20, 2009 at 10:56 AM, Dan Williams <dcbw [at] redhat> wrote:
>> > On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
>> >> Join the club.  I've had this problem for a while now.  Sadly, no one
>> >> seems to have any clear ideas on what is causing it.
>> >
>> > Do you ever get a message about "recvfrom: no route to host" ?  I get
>> > that with new concentrators we have at work that do load balancing
>> > (ASA5xxx series) while the old concentrators that didn't (Cisco 3000
>> > series) worked just fine with vpnc.
>>
>> Where would I see that message if it was present?  Is not happening on
>> stdout/stderr from vpnc.
>
> Ok, interesting.  It is for me on a few different machines I have.  The
> routing table seems to be OK and everything, but no traffic gets through
> even though the connection seems successful.

That's not the problem that I'm having, and I don't think it's what the
original poster was describing either. For me, everything works for
some random period of time, and then it all silently dies, even though
vpnc is still running.



--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman netllama [at] gmail
LlamaLand https://netllama.linux-sxs.org



jengelh at medozas

Nov 20, 2009, 11:13 AM

Post #8 of 32 (4601 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Friday 2009-11-20 19:20, C V wrote:

>I am able to successfully connect to my workplace (Cisco ASA 5510) with the
>vpnc bundled with fc12 (ver 0.5.3).
>The login works smoothly, the routes get set up correctly. I can even browse
>some internal web sites -- for a few seconds
>
>The connection stops working after a few  packets are exchanged. I've tried
>all the natt modes with pretty much the same results. How do I go about
>debugging this issue?

Post the output of `ip addr` and `ip route` perhaps.


dcbw at redhat

Nov 20, 2009, 11:31 AM

Post #9 of 32 (4606 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, 2009-11-20 at 11:07 -0800, Lonni J Friedman wrote:
> On Fri, Nov 20, 2009 at 11:05 AM, Dan Williams <dcbw [at] redhat> wrote:
> > On Fri, 2009-11-20 at 10:58 -0800, Lonni J Friedman wrote:
> >> On Fri, Nov 20, 2009 at 10:56 AM, Dan Williams <dcbw [at] redhat> wrote:
> >> > On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
> >> >> Join the club. I've had this problem for a while now. Sadly, no one
> >> >> seems to have any clear ideas on what is causing it.
> >> >
> >> > Do you ever get a message about "recvfrom: no route to host" ? I get
> >> > that with new concentrators we have at work that do load balancing
> >> > (ASA5xxx series) while the old concentrators that didn't (Cisco 3000
> >> > series) worked just fine with vpnc.
> >>
> >> Where would I see that message if it was present? Is not happening on
> >> stdout/stderr from vpnc.
> >
> > Ok, interesting. It is for me on a few different machines I have. The
> > routing table seems to be OK and everything, but no traffic gets through
> > even though the connection seems successful.
>
> That's not the problem that I'm having, and I don't think it's what the
> original poster was describing either. For me, everything works for
> some random period of time, and then it all silently dies, even though
> vpnc is still running.

What do the "Debug 3" logs say at this point? If you ping your internal
gateway does vpnc show packets being sent, or does vpnc not send packets
at all? Let's try to isolate the problem.

dan



dcbw at redhat

Nov 20, 2009, 11:32 AM

Post #10 of 32 (4599 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, 2009-11-20 at 10:20 -0800, C V wrote:
> I am able to successfully connect to my workplace (Cisco ASA 5510)
> with the vpnc bundled with fc12 (ver 0.5.3).
> The login works smoothly, the routes get set up correctly. I can even
> browse some internal web sites -- for a few seconds
>
> The connection stops working after a few packets are exchanged. I've
> tried all the natt modes with pretty much the same results. How do I go
> about debugging this issue?
>
> I was on Fedora 8 previously and used the cisco proprietary vpn client
> without any issues.
>
> The cisco vpn client doesn't work on FC12 (even after patching the
> code to conform to the new network API). With this client, login/auth
> works. Routes are setup correctly. However the connection is frozen
>
> My kernel version is 2.6.31.5-127.fc12.x86_64

Can you run vpnc with the "Debug 3" (which won't dump sensitive
information at all) and then post the debug log here? Mark in the log
right when you find the connection has frozen.

Dan




netllama at gmail

Nov 20, 2009, 11:36 AM

Post #11 of 32 (4606 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, Nov 20, 2009 at 11:31 AM, Dan Williams <dcbw [at] redhat> wrote:
> On Fri, 2009-11-20 at 11:07 -0800, Lonni J Friedman wrote:
>> On Fri, Nov 20, 2009 at 11:05 AM, Dan Williams <dcbw [at] redhat> wrote:
>> > On Fri, 2009-11-20 at 10:58 -0800, Lonni J Friedman wrote:
>> >> On Fri, Nov 20, 2009 at 10:56 AM, Dan Williams <dcbw [at] redhat> wrote:
>> >> > On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
>> >> >> Join the club.  I've had this problem for a while now.  Sadly, no one
>> >> >> seems to have any clear ideas on what is causing it.
>> >> >
>> >> > Do you ever get a message about "recvfrom: no route to host" ?  I get
>> >> > that with new concentrators we have at work that do load balancing
>> >> > (ASA5xxx series) while the old concentrators that didn't (Cisco 3000
>> >> > series) worked just fine with vpnc.
>> >>
>> >> Where would I see that message if it was present?  Is not happening on
>> >> stdout/stderr from vpnc.
>> >
>> > Ok, interesting.  It is for me on a few different machines I have.  The
>> > routing table seems to be OK and everything, but no traffic gets through
>> > even though the connection seems successful.
>>
>> That's not the problem that I'm having, and I don't think it's what the
>> original poster was describing either.  For me, everything works for
>> some random period of time, and then it all silently dies, even though
>> vpnc is still running.
>
> What do the "Debug 3" logs say at this point?  If you ping your internal
> gateway does vpnc show packets being sent, or does vpnc not send packets
> at all?  Let's try to isolate the problem.

I'll get that info for you tonight. Thanks.



rayvittal-lists at yahoo

Nov 20, 2009, 2:08 PM

Post #12 of 32 (4598 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

I do remember trying this. But the logs stop after the vpnc daemonizes. They don't show up in /var/log/messages either.




________________________________
From: Lonni J Friedman <netllama [at] gmail>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Fri, November 20, 2009 11:36:51 AM
Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12

On Fri, Nov 20, 2009 at 11:31 AM, Dan Williams <dcbw [at] redhat> wrote:
> On Fri, 2009-11-20 at 11:07 -0800, Lonni J Friedman wrote:
>> On Fri, Nov 20, 2009 at 11:05 AM, Dan Williams <dcbw [at] redhat> wrote:
>> > On Fri, 2009-11-20 at 10:58 -0800, Lonni J Friedman wrote:
>> >> On Fri, Nov 20, 2009 at 10:56 AM, Dan Williams <dcbw [at] redhat> wrote:
>> >> > On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
>> >> >> Join the club. I've had this problem for a while now. Sadly, no one
>> >> >> seems to have any clear ideas on what is causing it.
>> >> >
>> >> > Do you ever get a message about "recvfrom: no route to host" ? I get
>> >> > that with new concentrators we have at work that do load balancing
>> >> > (ASA5xxx series) while the old concentrators that didn't (Cisco 3000
>> >> > series) worked just fine with vpnc.
>> >>
>> >> Where would I see that message if it was present? Is not happening on
>> >> stdout/stderr from vpnc.
>> >
>> > Ok, interesting. It is for me on a few different machines I have. The
>> > routing table seems to be OK and everything, but no traffic gets through
>> > even though the connection seems successful.
>>
>> That's not the problem that I'm having, and I don't think it's what the
>> original poster was describing either. For me, everything works for
>> some random period of time, and then it all silently dies, even though
>> vpnc is still running.
>
> What do the "Debug 3" logs say at this point? If you ping your internal
> gateway does vpnc show packets being sent, or does vpnc not send packets
> at all? Let's try to isolate the problem.

I'll get that info for you tonight. Thanks.



spamfilter at zingo

Nov 20, 2009, 2:16 PM

Post #13 of 32 (4593 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

>>> That's not the problem that I'm having, and I don't think it's what the
>>> original poster was describing either.  For me, everything works for
>>> some random period of time, and then it all silently dies, even though
>>> vpnc is still running.

Just to make sure, check /etc/resolv.conf before and after the problem.
I was visiting one company where the guest wifi connection got
my resolv.conf reset to the values before I executed vpnc a short random
while after the connection. Just changing it back made it work (I had it open in
an editor so I just saved it again) at that location and it never got reset again
(at least for 8h). I don't know what triggered the resolv.conf update
and it was easy enough to work around so I never bothered.
In my case it was the "domain" that got updated so my intranet
"short" name didn't work anymore. I was there a few times and always got
this problem so I think it was something in their setup, maybe giving away
a short dhcp renew time the first time or something.

--
Zingo Andersen (zingo.org and vectrace.com)





netllama at gmail

Nov 20, 2009, 6:05 PM

Post #14 of 32 (4586 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, Nov 20, 2009 at 11:31 AM, Dan Williams <dcbw [at] redhat> wrote:
> On Fri, 2009-11-20 at 11:07 -0800, Lonni J Friedman wrote:
>> On Fri, Nov 20, 2009 at 11:05 AM, Dan Williams <dcbw [at] redhat> wrote:
>> > On Fri, 2009-11-20 at 10:58 -0800, Lonni J Friedman wrote:
>> >> On Fri, Nov 20, 2009 at 10:56 AM, Dan Williams <dcbw [at] redhat> wrote:
>> >> > On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
>> >> >> Join the club.  I've had this problem for a while now.  Sadly, no one
>> >> >> seems to have any clear ideas on what is causing it.
>> >> >
>> >> > Do you ever get a message about "recvfrom: no route to host" ?  I get
>> >> > that with new concentrators we have at work that do load balancing
>> >> > (ASA5xxx series) while the old concentrators that didn't (Cisco 3000
>> >> > series) worked just fine with vpnc.
>> >>
>> >> Where would I see that message if it was present?  Is not happening on
>> >> stdout/stderr from vpnc.
>> >
>> > Ok, interesting.  It is for me on a few different machines I have.  The
>> > routing table seems to be OK and everything, but no traffic gets through
>> > even though the connection seems successful.
>>
>> That's not the problem that I'm having, and I don't think it's what the
>> original poster was describing either.  For me, everything works for
>> some random period of time, and then it all silently dies, even though
>> vpnc is still running.
>
> What do the "Debug 3" logs say at this point?  If you ping your internal
> gateway does vpnc show packets being sent, or does vpnc not send packets
> at all?  Let's try to isolate the problem.

I just ran the test after connecting with 'vpnc --debug=3'. After
being connected for 11 minutes, the connection suddenly died. The
entire time, I was ssh'd into a remote host (over the VPN), running
top to keep some activity going.

Unfortunately, there was no output from vpnc to stdout or stderr when
the connection died. There was also no new vpnc output in
/var/log/messages. Regardless, I've attached the output that vpnc
spewed when I first established the connection, as well as what
appeared in /var/log/messages, and the output from running 'ip route'
and 'ip addr'. The output from those two ip commands was the same
immediately after connecting with vpn as right after the connection
silently died.

Let me know if I can provide any additional information to debug this further.

thanks!
Attachments: vpnc.out (31.3 KB)


netllama at gmail

Nov 20, 2009, 6:07 PM

Post #15 of 32 (4591 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Fri, Nov 20, 2009 at 2:16 PM, Zingo Andersen <spamfilter [at] zingo> wrote:
>>>> That's not the problem that I'm having, and I don't think it's what the
>>>> original poster was describing either.  For me, everything works for
>>>> some random period of time, and then it all silently dies, even though
>>>> vpnc is still running.
>
> Just to make sure, check /etc/resolv.conf before and after the problem.
> I was visiting one company where the guest wifi connection got
> my resolv.conf reset to the values before I executed vpnc a short random
> while after the connection. Just changing it back made it work (I had it open in
> an editor so I just saved it again) at that location and it never got reset again
> (at least for 8h). I don't know what triggered the resolv.conf update
> and it was easy enough to work around so I never bothered.
> In my case it was the "domain" that got updated so my intranet
> "short" name didn't work anymore. I was there a few times and always got
> this problem so I think it was something in their setup, maybe giving away
> a short dhcp renew time the first time or something.

I doubt that's the problem, as I'm not experiencing a DNS failure, but
a complete inability to transmit packets over the VPN connection. For
example, I can have an active ssh connection to a remote host over the
VPN, and it will die, as if someone yanked out the CAT5. Even if
/etc/resolv.conf was completely hosed on my end, that shouldn't have
happened.



rayvittal-lists at yahoo

Nov 20, 2009, 10:21 PM

Post #16 of 32 (4579 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

Mine doesn't last more than a couple of minutes. I've attached ip route, debug output and resolv.conf contents before and after





________________________________
From: Lonni J Friedman <netllama [at] gmail>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Cc: cbw [at] redhat
Sent: Fri, November 20, 2009 6:05:07 PM
Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12

On Fri, Nov 20, 2009 at 11:31 AM, Dan Williams <dcbw [at] redhat> wrote:
> On Fri, 2009-11-20 at 11:07 -0800, Lonni J Friedman wrote:
>> On Fri, Nov 20, 2009 at 11:05 AM, Dan Williams <dcbw [at] redhat> wrote:
>> > On Fri, 2009-11-20 at 10:58 -0800, Lonni J Friedman wrote:
>> >> On Fri, Nov 20, 2009 at 10:56 AM, Dan Williams <dcbw [at] redhat> wrote:
>> >> > On Fri, 2009-11-20 at 10:28 -0800, Lonni J Friedman wrote:
>> >> >> Join the club. I've had this problem for a while now. Sadly, no one
>> >> >> seems to have any clear ideas on what is causing it.
>> >> >
>> >> > Do you ever get a message about "recvfrom: no route to host" ? I get
>> >> > that with new concentrators we have at work that do load balancing
>> >> > (ASA5xxx series) while the old concentrators that didn't (Cisco 3000
>> >> > series) worked just fine with vpnc.
>> >>
>> >> Where would I see that message if it was present? Is not happening on
>> >> stdout/stderr from vpnc.
>> >
>> > Ok, interesting. It is for me on a few different machines I have. The
>> > routing table seems to be OK and everything, but no traffic gets through
>> > even though the connection seems successful.
>>
>> That's not the problem that I'm having, and I don't think it's what the
>> original poster was describing either. For me, everything works for
>> some random period of time, and then it all silently dies, even though
>> vpnc is still running.
>
> What do the "Debug 3" logs say at this point? If you ping your internal
> gateway does vpnc show packets being sent, or does vpnc not send packets
> at all? Let's try to isolate the problem.

I just ran the test after connecting with 'vpnc --debug=3'. After
being connected for 11 minutes, the connection suddenly died. The
entire time, I was ssh'd into a remote host (over the VPN), running
top to keep some activity going.

Unfortunately, there was no output from vpnc to stdout or stderr when
the connection died. There was also no new vpnc output in
/var/log/messages. Regardless, I've attached the output that vpnc
spewed when I first established the connection, as well as what
appeared in /var/log/messages, and the output from running 'ip route'
and 'ip addr'. The output from those two ip commands was the same
immediately after connecting with vpn as right after the connection
silently died.

Let me know if I can provide any additional information to debug this further.

thanks!
Attachments: vpnc.out.gz (7.57 KB)


jengelh at medozas

Nov 21, 2009, 1:18 AM

Post #17 of 32 (4586 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Saturday 2009-11-21 07:21, C V wrote:

>Mine doesn't last more than a couple of minutes. I've attached ip route,
>debug output and resolv.conf contents before and after

Hm, so it is not http://www.gossamer-threads.com/lists/vpnc/devel/3325 .
What about the addrs/routes after it dies?

Could NM/DHCP be interfering?--I just had that today, though not with
vpnc, but dhclient just changed the default route (which would be the
tunnel device in my case) back to the default gw as obtained from a
DHCPRENEW.

If you attach strace to vpnc after it died, does it look to hang
on send(..) or something, or does it still output packets onto the
network (tcpdump)?


netllama at gmail

Nov 22, 2009, 10:05 AM

Post #18 of 32 (4560 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Sat, Nov 21, 2009 at 1:18 AM, Jan Engelhardt <jengelh [at] medozas> wrote:
>
> On Saturday 2009-11-21 07:21, C V wrote:
>
>>Mine doesn't last more than a couple of minutes. I've attached ip route,
>>debug output and resolv.conf contents before and after
>
> Hm, so it is not http://www.gossamer-threads.com/lists/vpnc/devel/3325 .
> What about the addrs/routes after it dies?
>
> Could NM/DHCP be interfering?--I just had that today, though not with
> vpnc, but dhclient just changed the default route (which would be the
> tunnel device in my case) back to the default gw as obtained from a
> DHCPRENEW.
>
> If you attach strace to vpnc after it died, does it look to hang
> on send(..) or something, or does it still output packets onto the
> network (tcpdump)?

Attached is the strace output from the vpnc process immediately after
the connection to the remote end has seemingly died.



--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman netllama [at] gmail
LlamaLand https://netllama.linux-sxs.org
Attachments: vpnc-strace.log (9.82 KB)


rayvittal-lists at yahoo

Nov 22, 2009, 6:03 PM

Post #19 of 32 (4557 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

The problem appears to be that the home router is ARPing for the fedora 12 machine's address and not getting a response. That is, the connection fails as soon as the arp entry for the machine initiating the vpn connection ages out.




________________________________
From: Lonni J Friedman <netllama [at] gmail>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Cc: cbw [at] redhat
Sent: Sun, November 22, 2009 10:05:23 AM
Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12

On Sat, Nov 21, 2009 at 1:18 AM, Jan Engelhardt <jengelh [at] medozas> wrote:
>
> On Saturday 2009-11-21 07:21, C V wrote:
>
>>Mine doesn't last more than a couple of minutes. I've attached ip route,
>>debug output and resolv.conf contents before and after
>
> Hm, so it is not http://www.gossamer-threads.com/lists/vpnc/devel/3325 .
> What about the addrs/routes after it dies?
>
> Could NM/DHCP be interfering?--I just had that today, though not with
> vpnc, but dhclient just changed the default route (which would be the
> tunnel device in my case) back to the default gw as obtained from a
> DHCPRENEW.
>
> If you attach strace to vpnc after it died, does it look to hang
> on send(..) or something, or does it still output packets onto the
> network (tcpdump)?

Attached is the strace output from the vpnc process immediately after
the connection to the remote end has seemingly died.



--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman netllama [at] gmail
LlamaLand https://netllama.linux-sxs.org


netllama at gmail

Nov 22, 2009, 6:13 PM

Post #20 of 32 (4564 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

OK, how can I fix/prevent that from happening?

On Sun, Nov 22, 2009 at 6:03 PM, C V <rayvittal-lists [at] yahoo> wrote:
> The problem appears to be that the home router is ARPing for the fedora 12
> machine's address and not getting a response. That is, the connection fails
> as soon as the arp entry for the machine initiating the vpn connection ages
> out.
>
> ________________________________
> From: Lonni J Friedman <netllama [at] gmail>
> To: vpnc list to send bug reports and discussions with developers
> <vpnc-devel [at] unix-ag>
> Cc: cbw [at] redhat
> Sent: Sun, November 22, 2009 10:05:23 AM
> Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12
>
> On Sat, Nov 21, 2009 at 1:18 AM, Jan Engelhardt <jengelh [at] medozas> wrote:
>>
>> On Saturday 2009-11-21 07:21, C V wrote:
>>
>>>Mine doesn't last more than a couple of minutes. I've attached ip route,
>>>debug output and resolv.conf contents before and after
>>
>> Hm, so it is not http://www.gossamer-threads.com/lists/vpnc/devel/3325 .
>> What about the addrs/routes after it dies?
>>
>> Could NM/DHCP be interfering?--I just had that today, though not with
>> vpnc, but dhclient just changed the default route (which would be the
>> tunnel device in my case) back to the default gw as obtained from a
>> DHCPRENEW.
>>
>> If you attach strace to vpnc after it died, does it look to hang
>> on send(..) or something, or does it still output packets onto the
>> network (tcpdump)?
>
> Attached is the strace output from the vpnc process immediately after
> the connection to the remote end has seemingly died.


rayvittal-lists at yahoo

Nov 22, 2009, 6:40 PM

Post #21 of 32 (4555 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

In my case it appears to be a route confusion issue. My home LAN is 192.168.1.0/24 and so is my work LAN. So after the VPN is established, I have 2 routes:
192.168.1.0/24 dev tap0 scope link [ this is the work LAN ]
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.107 metric 2 [this is the home LAN]

When my home router arps for 192.168.1.107 (the address of my wireless adapter), I suspect that this dual route prevents the arp response from going over the local LAN (it doesn't go over the VPN either, but I am not sure why).

When I deleted the work LAN route, I was able to access other networks at work (for example 192.168.10.0/24).

Anyway, this used to work just fine in Fedora 8. Not sure what changed in Fedora 12 that the ARP response won't go over the device it was received on.

The solution for me will be to pick a non-overlapping network for my home LAN (for example 172.31.41.0/24). But I have quite a few devices with static IPs on my home LAN so this will have to wait for a day when I have more free time.

--
C V




________________________________
From: Lonni J Friedman <netllama [at] gmail>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Sun, November 22, 2009 6:13:33 PM
Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12

OK, how can I fix/prevent that from happening?

On Sun, Nov 22, 2009 at 6:03 PM, C V <rayvittal-lists [at] yahoo> wrote:
> The problem appears to be that the home router is ARPing for the fedora 12
> machine's address and not getting a response. That is, the connection fails
> as soon as the arp entry for the machine initiating the vpn connection ages
> out.
>
> ________________________________
> From: Lonni J Friedman <netllama [at] gmail>
> To: vpnc list to send bug reports and discussions with developers
> <vpnc-devel [at] unix-ag>
> Cc: cbw [at] redhat
> Sent: Sun, November 22, 2009 10:05:23 AM
> Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12
>
> On Sat, Nov 21, 2009 at 1:18 AM, Jan Engelhardt <jengelh [at] medozas> wrote:
>>
>> On Saturday 2009-11-21 07:21, C V wrote:
>>
>>>Mine doesn't last more than a couple of minutes. I've attached ip route,
>>>debug output and resolv.conf contents before and after
>>
>> Hm, so it is not http://www.gossamer-threads.com/lists/vpnc/devel/3325 .
>> What about the addrs/routes after it dies?
>>
>> Could NM/DHCP be interfering?--I just had that today, though not with
>> vpnc, but dhclient just changed the default route (which would be the
>> tunnel device in my case) back to the default gw as obtained from a
>> DHCPRENEW.
>>
>> If you attach strace to vpnc after it died, does it look to hang
>> on send(..) or something, or does it still output packets onto the
>> network (tcpdump)?
>
> Attached is the strace output from the vpnc process immediately after
> the connection to the remote end has seemingly died.


rayvittal-lists at yahoo

Nov 22, 2009, 6:52 PM

Post #22 of 32 (4546 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

To further clarify, after the VPN connects, the vpn device (tap0) gets an ip address in the 192.168.9.0/24 network. And the remote end sends a whole bunch of routes to be installed including 192.168.1.0/24.
My temporary solution is to delete the work LAN route and add host specific routes to go through tap0 for machines on the 192.168.1.0/24 work LAN that I really care about.




________________________________
From: C V <rayvittal-lists [at] yahoo>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Sun, November 22, 2009 6:40:30 PM
Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12


In my case it appears to be a route confusion issue. My home LAN is 192.168.1.0/24 and so is my work LAN. So after the VPN is established, I have 2 routes:
192.168.1.0/24 dev tap0 scope link [ this is the work LAN ]
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.107 metric 2 [this is the home LAN]

When my home router arps for 192.168.1.107 (the address of my wireless adapter), I suspect that this dual route prevents the arp response from going over the local LAN (it doesn't go over the VPN either, but I am not sure why).

When I deleted the work LAN route, I was able to access other networks at work (for example 192.168.10.0/24).

Anyway, this used to work just fine in Fedora 8. Not sure what changed in Fedora 12 that the ARP response won't go over the device it was received on.

The solution for me will be to pick a non-overlapping network for my home LAN (for example 172.31.41.0/24). But I have quite a few devices with static IPs on my home LAN so this will have to wait for a day when I have more free time.

--
C V




________________________________
From: Lonni J Friedman <netllama [at] gmail>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Sun, November 22, 2009 6:13:33 PM
Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12

OK, how can I fix/prevent that from happening?

On Sun, Nov 22, 2009 at 6:03 PM, C V <rayvittal-lists [at] yahoo> wrote:
> The problem appears to be that the home router is ARPing for the fedora 12
> machine's address and not getting a response. That is, the connection fails
> as soon as the arp entry for the machine initiating the vpn connection ages
> out.
>
> ________________________________
> From: Lonni J Friedman <netllama [at] gmail>
> To: vpnc list to send bug reports and discussions with developers
> <vpnc-devel [at] unix-ag>
> Cc: cbw [at] redhat
> Sent: Sun, November 22, 2009 10:05:23 AM
> Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12
>
> On Sat, Nov 21, 2009 at 1:18 AM, Jan Engelhardt <jengelh [at] medozas> wrote:
>>
>> On Saturday 2009-11-21 07:21, C V wrote:
>>
>>>Mine doesn't last more than a couple of minutes. I've attached ip route,
>>>debug output and resolv.conf contents before and after
>>
>> Hm, so it is not http://www.gossamer-threads.com/lists/vpnc/devel/3325 .
>> What about the addrs/routes after it dies?
>>
>> Could NM/DHCP be interfering?--I just had that today, though not with
>> vpnc, but dhclient just changed the default route (which would be the
>> tunnel device in my case) back to the default gw as obtained from a
>> DHCPRENEW.
>>
>> If you attach strace to vpnc after it died, does it look to hang
>> on send(..) or something, or does it still output packets onto the
>> network (tcpdump)?
>
> Attached is the strace output from the vpnc process immediately after
> the connection to the remote end has seemingly died.


jengelh at medozas

Nov 22, 2009, 10:22 PM

Post #23 of 32 (4557 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Monday 2009-11-23 03:40, C V wrote:

>In my case it appears to be a route confusion issue. My home LAN is
>192.168.1.0/24 and so is my work LAN.

Aha! That is naturally never going to work -- irrespective of vpnc.

>So after the VPN is established, I
>have 2 routes:
>192.168.1.0/24 dev tap0  scope link  [ this is the work LAN ]
>192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.107 
>metric 2 [this is the home LAN]
>
>When my home router arps for 192.168.1.107 (the address of my wireless
>adapter), I suspect that this dual route prevents the arp response from
>going over the local LAN (it doesn't go over the VPN either, but I am not
>sure why).

If the chosen interface has the NOARP flag set (`ip a`),
there will be no arps sent. That is a valid case, btw.

>When I deleted the work LAN route, I was able to access other networks at
>work (for example 192.168.10.0/24).
>
>Anyway, this used to work just fine in Fedora 8. Not sure what changed in
>Fedora 12 that the ARP response won't go over the device it was received on.

(Basic) route selection has always been independent of the
incoming device, so what you have observed may have been
pure luck. Outgoing routes are chosen by prefix first, then
whatever comes first; first depends on the order the routes
were added (for the specific kernel that I have tried).

>The solution for me will be to pick a non-overlapping network for my home
>LAN (for example 172.31.41.0/24). But I have quite a few devices with static
>IPs on my home LAN so this will have to wait for a day when I have more free
>time.

Praise the DHCP once again :)


netllama at gmail

Nov 23, 2009, 6:27 PM

Post #24 of 32 (4557 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

On Sun, Nov 22, 2009 at 10:22 PM, Jan Engelhardt <jengelh [at] medozas> wrote:
>
> On Monday 2009-11-23 03:40, C V wrote:
>
>>In my case it appears to be a route confusion issue. My home LAN is
>>192.168.1.0/24 and so is my work LAN.
>
> Aha! That is naturally never going to work -- irrespective of vpnc.
>
>>So after the VPN is established, I
>>have 2 routes:
>>192.168.1.0/24 dev tap0  scope link  [ this is the work LAN ]
>>192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.107
>>metric 2 [this is the home LAN]
>>
>>When my home router arps for 192.168.1.107 (the address of my wireless
>>adapter), I suspect that this dual route prevents the arp response from
>>going over the local LAN (it doesn't go over the VPN either, but I am not
>>sure why).
>
> If the chosen interface has the NOARP flag set (`ip a`),
> there will be no arps sent. That is a valid case, btw.
>

I'm a bit confused. Are you saying that a potential workaround for
this problem is to disable ARPs? On which interface should I be doing
that:
0) the eth0 interface inside the OS that is establishing the VPN connection
1) the tun0 interface inside the OS that is establishing the VPN
connection (that vpnc sets up)
2) somewhere else

For the record, eth0 on my system has a 10.0.0.x IP address. The tun0
interface usually ends up with a 10.2.x.x IP address.

thanks



rayvittal-lists at yahoo

Nov 23, 2009, 8:51 PM

Post #25 of 32 (4531 views)
Re: vpnc connection hangs on fedora 12 [In reply to]

To see if the problem (and solution) is the same as I experienced, it is useful to run tcpdump on eth0
-> tcpdump -i eth0 arp
If you see your router asking for your eth0 mac but with no response then this could be the same problem.

If so, it is likely that the VPN server has installed another route to 10.0.0.x which is overriding the one for your home LAN.
The solution is to delete the route added by the VPN server. Routes can be listed using 'ip route'.





________________________________
From: Lonni J Friedman <netllama [at] gmail>
To: vpnc list to send bug reports and discussions with developers <vpnc-devel [at] unix-ag>
Sent: Mon, November 23, 2009 6:27:44 PM
Subject: Re: [vpnc-devel] vpnc connection hangs on fedora 12

On Sun, Nov 22, 2009 at 10:22 PM, Jan Engelhardt <jengelh [at] medozas> wrote:
>
> On Monday 2009-11-23 03:40, C V wrote:
>
>>In my case it appears to be a route confusion issue. My home LAN is
>>192.168.1.0/24 and so is my work LAN.
>
> Aha! That is naturally never going to work -- irrespective of vpnc.
>
>>So after the VPN is established, I
>>have 2 routes:
>>192.168.1.0/24 dev tap0 scope link [ this is the work LAN ]
>>192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.107
>>metric 2 [this is the home LAN]
>>
>>When my home router arps for 192.168.1.107 (the address of my wireless
>>adapter), I suspect that this dual route prevents the arp response from
>>going over the local LAN (it doesn't go over the VPN either, but I am not
>>sure why).
>
> If the chosen interface has the NOARP flag set (`ip a`),
> there will be no arps sent. That is a valid case, btw.
>

I'm a bit confused. Are you saying that a potential workaround for
this problem is to disable ARPs? On which interface should I be doing
that:
0) the eth0 interface inside the OS that is establishing the VPN connection
1) the tun0 interface inside the OS that is establishing the VPN
connection (that vpnc sets up)
2) somewhere else

For the record, eth0 on my system has a 10.0.0.x IP address. The tun0
interface usually ends up with a 10.2.x.x IP address.

thanks
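
The route check suggested in post #25, generalized to any `ip route` listing, as an added example that is not part of the original thread. The two 192.168.1.0/24 routes are the ones quoted above; the default route, the tap0 source address and the router address 192.168.1.1 are constructed for illustration.

```python
import ipaddress

# Constructed `ip route` output: the two 192.168.1.0/24 lines are the routes
# quoted in the thread; the remaining lines and addresses are made up.
SAMPLE = """\
default via 192.168.1.1 dev wlan0 proto static
192.168.1.0/24 dev tap0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.107 metric 2
192.168.9.0/24 dev tap0 proto kernel scope link src 192.168.9.15
192.168.10.0/24 dev tap0 scope link
"""

def parse_routes(text):
    """Return (network, device, metric) tuples from `ip route` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if "dev" not in f[1:]:
            continue
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, f[f.index("dev") + 1], metric))
    return routes

def shadowed_lan_routes(routes, vpn_dev):
    """VPN routes that win over a non-VPN route for some of its addresses."""
    hits = []
    for vnet, vdev, vmetric in routes:
        for lnet, ldev, lmetric in routes:
            if vdev != vpn_dev or ldev == vpn_dev or lnet.prefixlen == 0:
                continue
            if vnet.version != lnet.version or not vnet.subnet_of(lnet):
                continue
            # Longer prefix wins; on an equal prefix the lower metric wins
            # (an equal metric is flagged too, since the result is order-dependent).
            if vnet.prefixlen > lnet.prefixlen or vmetric <= lmetric:
                hits.append((str(vnet), vdev, str(lnet), ldev))
    return hits

def egress_device(routes, address):
    """Device chosen for `address`: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip.version == r[0].version and ip in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1] if matches else None

if __name__ == "__main__":
    routes = parse_routes(SAMPLE)
    print(shadowed_lan_routes(routes, "tap0"), egress_device(routes, "192.168.1.1"))
```

On a live system, feed it the output of `ip route` and the name of the VPN device; any pair it reports is a candidate for the host-specific-route workaround from post #22.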
