Reconnecting appear every 4 minutes

[dapao9999]

Reconnecting every 4 minutes as described in the image

[TommyLau]

It seems to be a problem(or designed to?) of ocserv.

This is just a Docker container of ocserv, it cannot solve the program issue running in Docker.

I will keep this open for awhile, and check whether the issue is related to Docker.

[TheNomad11]

I observed the same issue. Now I installed a non-docker version of ocserv and the issue disappeared. The reconnecting issue might be related to Docker then

[TommyLau]

@TheNomad11 Thank you for your information. And it reminds me that mine got the same issues, the client will reconnect in a few minutes too. And before we know anything further, it might as you said it could be related to Docker itself.

[fxpester]

hit this just now, running on google cloud on ubuntu 16.04

[fxpester]

funny part, I used this - https://github.com/evshiron/docker-ocserv - and everything working ok, no reconnects

[TommyLau]

It seems that image is using Fedora as the base image, could it be the problem of the Linux system? Looking into it, thanks again for your information.

[TommyLau]

Are you using AnyConnect as the client, or you are just using OpenConnect as the client? I saw that Dockerfile had disabled Cisco compatibility in the config file.

[fxpester]

ok, new attempt to use your solution: docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d tommylau/ocserv

• result: everything ok, user test working perfectly for 10 minutes.

docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -d test
docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -g "Route,All" tommy

• result: when I try to connect as user tommy It is not working, in AnyConnect logs:

   10:56:16 AM    Contacting x.x.x.x.
   10:56:22 AM    User credentials entered.
   10:56:26 AM    User credentials entered.
   10:56:26 AM    Connection attempt has failed.
   10:56:26 AM    Ready to connect.

  Nothing in docker logs. and inside container I can see (passwd ommited by me):

  /etc/ocserv # cat ocpasswd
  tommy:Route,All:$1$xxxxxxxxxxxxx

[fxpester]

looks like problem in chinese character in group description, for now fixed it by editing ./ocserv.conf remove 'Route' group and set group 'All' as default

[TommyLau]

@s7lx Do you have time to look into this issue? I'm not using the group function, and I setup ocserv.conf file separately.

[fxpester]

I guess it is cause I don`t have chinese lang support in my win10, and cisco anyconnect works ok for first connect, then it tries to cache group description, but fails to read cache afterwards. So first connect is ok, but all next fail.

[TommyLau]

Have you ever removed the Chinese characters and have another try? Whether it works correctly or not?

[fxpester]

yes, I removed them, cleared anyconnect cache, and now I can connect to both groups

[long1215]

最新版本还是每4分钟重新连接

[TommyLau]

@long1215 Yup, looks like a program with Docker or maybe something else, which I have no clue at all.

[itshaadi]

I have the same problem openconnect keeps saying:

SSL read error: The TLS connection was non-properly terminated.; reconnecting.

it is worth mentioning that this error occurs on a TCP based connection. also UDP packets are unable to reach the server. (I'm guessing that my ISP is responsible for that)

DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)

[TommyLau]

@itshaadi Are you using UDP? Have you ever tried to use TCP protocol?

[itshaadi]

UDP is completely blocked in iran. I am using 443/TCP at the moment. and this problem occurs on TCP.

[TommyLau]

I cannot reproduce this issue, only the reconnect occurs to me, could it be the low level network issue from your Internet provider?

[itshaadi]

DTLS handshake failed: Error in the push function. is indeed a low level network issue from my ISP. as I said UDP ports are completely unreachable. however reconnect error could be an issue related to Docker. or your configuration for ocserv.

[chunlaw]

Quick fix: set the isolate-worker in the .conf file to false

My colleague @jonathan-tan has found that it is the problem of the kernel function seccomp_init() and seccomp_rule_add() in the function disable_system_calls in the source code. You can see if you change the auth-timeout in the .conf file from 240 to 10, the reconnecting behaviour occurs every 10 seconds.

Edited: As it is the system function, it is related to Alpine Linux (the docker base image) has overriden alarm() to setitimer() and hence causing the misbehaviour.