not properly disconnected sessions with openconnect

Horváth Szabolcs hszhsz at gmail.com
Wed Sep 16 10:49:00 EDT 2009


Hello,

David Woodhouse <dwmw2 at infradead.org> wrote (15 September 2009, 21:27):
> On Tue, 2009-09-15 at 21:17 +0200, Horváth Szabolcs wrote:
>>
>> ctsp_bye() is called:
>>
>> Connected mycompany.tun0 as internal.ip, using SSL + deflate
>> [...]
>> Send BYE packet: Client received SIGINT
>
> Right. So we need to work out what the server is expecting the client to
> do when it disconnects.
>

Please note that I'm not a programmer; I just want to solve this issue.

Today I had some time to sniff this SSL VPN connection:
http://www.novell.com/communities/node/1606/decrypting+ssl+traffic+troubleshoot+nam

I found that the disconnection mechanism is cstp_bye() in cstp.c.

1. When I disconnect with OpenConnect, the following happens (output from od -c)

0010440 377 377   7 250 035 343   S   T   F 001  \0 026 005  \0   C   l
0010460   i   e   n   t       r   e   c   e   i   v   e   d       S   I
0010500   G   I   N   T
0010504

It seems that openconnect sends this packet with SSL_write() and the
connection closes.
The connection entry gets stuck on the Cisco ASA.

Log on the ASA's side:
Sep 16 16:35:13 %ASA-3-722009: Group <IQSYS-ADM> User <hsz> IP
<client.ip> SVC Message: 3/CRITICAL: lient received SIGINT.
Sep 16 16:35:13 %ASA-5-722037: Group <IQSYS-ADM> User <hsz> IP
<client.ip> SVC closing connection: Transport closing.
Sep 16 16:35:13 %ASA-6-722023: Group <IQSYS-ADM> User <hsz> IP
<client.ip> TCP SVC connection terminated with compression

Strange: "lient received SIGINT." ???

2. When I disconnect with AnyConnect (output from od -c)

0006000 352   S   T   F 001  \0   5 005  \0 260   T   h   e       u   s
0006020   e   r       h   a   s       r   e   q   u   e   s   t   e   d
0006040       t   o       d   i   s   c   o   n   n   e   c   t       t
0006060   h   e       c   o   n   n   e   c   t   i   o   n   .
0006076

It seems that anyconnect sends this packet and closes the connection.
The connection entry is freed on the Cisco ASA.

Packet analysis:
bye_pkt[0-3] = 'S', 'T', 'F', 1,  -- ok
bye_pkt[4] = reason_len >> 8      -- 0, ok
bye_pkt[5] = reason_len & 0xff;   --  "5" or dec(53), ok
bye_pkt[6] = AC_PKT_DISCONN = 5;  -- ok
bye_pkt[7] = 0;                   -- ok

I've no idea what the octal(260) is at bye_pkt[8].
The quit message starts from bye_pkt[9].

3. Rude hack in mainloop.c:

//vpninfo->quit_reason = "Client received SIGINT";
vpninfo->quit_reason = "\xb0The user has requested to disconnect the connection.";

make, etc.

0010000   A   E   S   1   2   8   -   S   H   A  \r  \n  \r  \n   S   T
0010020   F 001  \0   5 005  \0 260   T   h   e       u   s   e   r
0010040   h   a   s       r   e   q   u   e   s   t   e   d       t   o
0010060       d   i   s   c   o   n   n   e   c   t       t   h   e
0010100   c   o   n   n   e   c   t   i   o   n   .   S   T   F 001  \0
0010120 017 005  \0 260   U   s   e   r       R   e   q   u   e   s   t
0010140   e   d
0010142

The ASA replies back with "STF 0x01 0x00 0x0f 0x05 0xb0 User
Requested" and closes the connection.
Wow. The connection entry is freed on the Cisco ASA!

Log on the ASA's side:
Sep 16 16:34:42 %ASA-5-722012: Group <IQSYS-ADM> User <hsz> IP
<client.ip> SVC Message: 16/NOTICE: The user has requested to
disconnect the connection..
Sep 16 16:34:42 %ASA-5-722037: Group <IQSYS-ADM> User <hsz> IP
<client.ip> SVC closing connection: User Requested.
Sep 16 16:34:42 %ASA-6-716002: Group <IQSYS-ADM> User <hsz> IP
<client.ip> WebVPN session terminated: User Requested.
Sep 16 16:34:42 %ASA-4-113019: Group = TG-IQSYS-ADM, Username = hsz,
IP = client.ip, Session disconnected. Session Type: SSL, Duration:
0h:00m:10s, Bytes xmt: 112024282, Bytes rcv: 21820106, Reason: User
Requested

As far as I can understand, there is something new in the disconnect
message. (0xb0 before the "The user has requested to disconnect the
connection." message).

I know this is a rude hack, but it works for me.

The tcpdump output can be found at
http://hsz.tmp.hu/openconnect-bug.zip (only the few last important
bytes)

What else should I test?

Szabolcs

PS: Starting tomorrow I will be on an off-site training without any
access to my test environment. Apologies for the late reply.
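The frame layout worked out in the packet analysis above, as an added example that is not part of this thread and not OpenConnect's own code: a small builder and parser for the CSTP disconnect frame ('S' 'T' 'F' 0x01, 16-bit big-endian payload length, type 0x05, 0x00, payload), with the 0xb0 byte written as a separate prefix ahead of the reason text. The self-test rebuilds the three frames from the od dumps (AnyConnect's, OpenConnect's and the ASA's reply) and checks that the length bytes match the captures ('5', 026 octal and 0x0f). It also shows that skipping payload byte 0 as the prefix yields exactly the strings the ASA logged, including "lient received SIGINT". The constant names and function names are my own; the ASA reply bytes are constructed from the dump above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenConnect's code. Wire layout as seen in the dumps:
 * 'S' 'T' 'F' 0x01 | len_hi len_lo | type | 0x00 | payload[len] */
#define CSTP_HDR_LEN 8
#define AC_PKT_DISCONN 0x05        /* disconnect type, as in the post */
#define CSTP_REASON_PREFIX 0xb0    /* byte AnyConnect and the ASA put before the text */

struct cstp_frame {
    uint8_t  type;
    uint16_t payload_len;
    const uint8_t *payload;        /* points into the caller's buffer */
};

/* Build a disconnect frame. Returns the total size, or 0 if the payload does
 * not fit in 16 bits or the output buffer is too small. */
size_t cstp_build_bye(uint8_t *out, size_t cap, const char *reason, int with_prefix)
{
    size_t rlen = strlen(reason);
    size_t plen = rlen + (with_prefix ? 1 : 0);
    if (plen > 0xffff || cap < CSTP_HDR_LEN + plen)
        return 0;
    out[0] = 'S'; out[1] = 'T'; out[2] = 'F'; out[3] = 0x01;
    out[4] = (uint8_t)(plen >> 8);
    out[5] = (uint8_t)(plen & 0xff);
    out[6] = AC_PKT_DISCONN;
    out[7] = 0x00;
    uint8_t *p = out + CSTP_HDR_LEN;
    /* Written as a separate byte on purpose: "\xb0The..." only compiles
     * because 'T' is not a hex digit; "\xb0abc" would be one escape sequence. */
    if (with_prefix)
        *p++ = CSTP_REASON_PREFIX;
    memcpy(p, reason, rlen);
    return CSTP_HDR_LEN + plen;
}

/* Parse one frame. Returns 0 on success, -1 on bad magic or truncation. */
int cstp_parse(const uint8_t *buf, size_t len, struct cstp_frame *f)
{
    if (len < CSTP_HDR_LEN || memcmp(buf, "STF\x01", 4) != 0)
        return -1;
    uint16_t plen = (uint16_t)((buf[4] << 8) | buf[5]);
    if ((size_t)CSTP_HDR_LEN + plen > len)
        return -1;                 /* length claims more bytes than present */
    f->type = buf[6];
    f->payload_len = plen;
    f->payload = buf + CSTP_HDR_LEN;
    return 0;
}

/* 1 = disconnect with 0xb0 prefix, 0 = disconnect without it, -1 = not a disconnect */
int cstp_bye_has_prefix(const struct cstp_frame *f)
{
    if (f->type != AC_PKT_DISCONN)
        return -1;
    return (f->payload_len > 0 && f->payload[0] == CSTP_REASON_PREFIX) ? 1 : 0;
}

/* Copy the reason the way the ASA log shows it: payload byte 0 is treated as
 * the prefix and skipped. Returns the number of text bytes copied. */
size_t cstp_bye_reason(const struct cstp_frame *f, char *out, size_t cap)
{
    if (f->type != AC_PKT_DISCONN || f->payload_len < 1 || cap == 0)
        return 0;
    size_t n = f->payload_len - 1;
    if (n > cap - 1)
        n = cap - 1;
    memcpy(out, f->payload + 1, n);
    out[n] = '\0';
    return n;
}

/* Rebuilds the frames from the od dumps and checks them. 1 = all good. */
int cstp_selftest(void)
{
    uint8_t buf[128];
    char txt[128];
    struct cstp_frame f;
    /* AnyConnect: 52 text bytes + prefix = 53 -> length byte '5' (0x35) */
    size_t n = cstp_build_bye(buf, sizeof buf,
                              "The user has requested to disconnect the connection.", 1);
    if (n != 8 + 53 || buf[5] != '5' || buf[8] != 0xb0)
        return 0;
    if (cstp_parse(buf, n, &f) != 0 || cstp_bye_has_prefix(&f) != 1)
        return 0;
    /* OpenConnect: no prefix, 22 bytes -> length byte 026 octal; skipping
     * byte 0 reproduces the "lient received SIGINT" the ASA logged */
    n = cstp_build_bye(buf, sizeof buf, "Client received SIGINT", 0);
    if (n != 8 + 22 || buf[5] != 026 || cstp_parse(buf, n, &f) != 0)
        return 0;
    if (cstp_bye_has_prefix(&f) != 0 || cstp_bye_reason(&f, txt, sizeof txt) != 21
        || strcmp(txt, "lient received SIGINT") != 0)
        return 0;
    /* ASA reply, constructed from the dump: STF 01 00 0f 05 00 b0 "User Requested" */
    static const uint8_t asa[] = { 'S','T','F',1, 0,0x0f, 5,0, 0xb0,
        'U','s','e','r',' ','R','e','q','u','e','s','t','e','d' };
    if (cstp_parse(asa, sizeof asa, &f) != 0 || f.payload_len != 15
        || cstp_bye_reason(&f, txt, sizeof txt) != 14 || strcmp(txt, "User Requested") != 0)
        return 0;
    return cstp_parse(asa, 12, &f) == -1;   /* truncated frame must be rejected */
}

int main(void)
{
    uint8_t buf[128];
    size_t n = cstp_build_bye(buf, sizeof buf,
                              "The user has requested to disconnect the connection.", 1);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", buf[i], (i + 1) % 16 == 0 ? '\n' : ' ');
    printf("\nselftest: %s\n", cstp_selftest() ? "ok" : "FAILED");
    return cstp_selftest() ? 0 : 1;
}
```

The parser rejects a frame whose length field claims more bytes than were received, which is the check to keep in mind when feeding captured TLS plaintext into it one frame at a time; the od dump in item 3 above shows two frames back to back, so a real reader has to loop, advancing by 8 plus the payload length each time.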



More information about the openconnect-devel mailing list