Wade, The timeout is pretty consistent, so I can see that being the case.
I'll try the SIGUSR2 and see if that works any better. Thanks! -- Ron On Wed, Aug 7, 2024 at 12:22 PM Cline, Wade <wade.cl...@intel.com> wrote: > > On Wed, Aug 07, 2024 at 09:00:45AM -0400, Ron Rossman Jr wrote: > > Hello! > > > > I've been using network-manager-openconnect (with the related > > libopenconnect-dev, libopenconnect5, > > network-manager-openconnect-gnome, network-manager-openconnect, > > openconnect, vpnc bits) and it's working great with Palo Alto > > GlobalProtect (both the on-prem and cloud hosted). > > > > The only issue I've noticed is my VPN tunnel session will apparently > > "time out" and all traffic just stalls until I disconnect from the VPN > > and reconnect. The Network-Manager VPN icon still shows things as the > > VPN link is still up, which throws me for a big loop at first. > > Does the timeout happen at a consistent time since the connection was > established? More specifically, does it happen at half the lifetime > value for the session? If so then you may be running into the ESP tunnel > failure issue[1]. A workaround is to send SIGUSR2 to the openconnect > process; this will cause the ESP tunnel to immediately close and a TCP > tunnel to be established. > > It's also worth noting that we've been observing TCP tunnel failures on > version 10.2.8h4 of the gateway that weren't in 10.2.5h6; these failures > appear to affect the proprietary GlobalProtect client and so do not > appear to be an OpenConnect implementation issue. > > Regards, > Wade > > [1] https://gitlab.com/openconnect/openconnect/-/issues/683 > > > I wasn't sure if this was expected behavior or if there's some setting > > I'm missing that would monitor the session inside the tunnel and show > > the VPN link as "down" in a UI way so it's easier to detect this > > timeout case. (I also wasn't sure if this was the right place to send > > this and if this is from the lower level openconnect part or the > > Network-Manager GUI part) > > > > Thanks! > > > > Ron Rossman Jr > > > > _______________________________________________ > > openconnect-devel mailing list > > openconnect-devel@lists.infradead.org > > http://lists.infradead.org/mailman/listinfo/openconnect-devel _______________________________________________ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
