Closed nmschulte closed 3 months ago
I'm not sure if this is L2TPv3 or not, but it states:
7.1. Malformed AVPs and Control Messages ... A control message with a malformed header MUST be discarded.
5.2. Mandatory AVPs and Setting the M Bit ... If the M bit is not set on an unrecognized AVP, the AVP MUST be ignored when received, processing the control message as if the AVP were not present.
Hi, thanks for reporting this @nmschulte !
I read through the Arch forum thread which covers quite a lot of ground...
level=error tunnel_name=t1 function=transport message="frame receive failed" error="malformed header: length 17024 exceeds buffer bounds of 30"
I think this is just informational logging and hence can probably be safely ignored.
Both RFC3931 (L2TPv3) and RFC2661 (L2TPv2) suggest that a malformed header should cause the control connection to be torn down.
However currently go-l2tp doesn't do this -- the logging above is advisory, but unless the message parsing fails due to an unrecognised mandatory AVP it shouldn't cause the connection to fail. You can see the handling here in the transport code:
https://github.com/katalix/go-l2tp/blob/master/l2tp/transport.go#L269
level=error tunnel_name=t1 message="bad control message" message_type=avpMsgTypeSli error="no specification for v2 message avpMsgTypeSli"
I suspect this is the root cause of the issue. Currently go-l2tp doesn't handle the SLI message, which does trigger the tunnel to send CDN and tear down the session:
https://github.com/katalix/go-l2tp/blob/master/l2tp/l2tp_dynamic_tunnel.go#L304
I'll see about adding SLI support which should address this issue.
Great, thank you for your time!
I've been able to reproduce this issue -- it is indeed caused by go-l2tp not handling SLI.
The "malformed header" logging is interesting, and seems to be caused by a race condition in the LNS -- or possibly a clash of expectations between the LAC and LNS.
On the client (LAC) side, go-l2tp instantiates the dataplane (creates a session instance in the kernel) once its ICCN message has been acked by the server (LNS).
However, if the LNS sends the initial PPP LCP packet /before/ sending the ICCN ack, then on the client side the kernel doesn't know how to handle the PPP LCP frame and hence passes it up to userspace to figure out. This ends up causing the "malformed header" log message because go-l2tp isn't really set up for directly handling data packets.
To an extent the latter isn't a big deal (since the error logging doesn't break anything per-se), however it's a confusing log line which doesn't help when debugging problems, so it's worth fixing too.
I have local fixes for both these issues which I'll get pushed to gh and rolled out in to the Debian packaging when I can.
Thanks again for your report.
Thank you!
Hi, I am running into #4. My current solution is to use
xl2tpd
vsgo-l2tp
/kl2tp
.As noted there, it can be observed in the logs that the length reported matches the tunnel ID:
Interestingly,
xl2tpd
debug logs state:Particularly, this is supposedly some Cisco Meraki gear:
I haven't compared with
xl2tpd
's implementation yet, but it would be nice ifgo-l2tpd
/kl2tpd
supported this equipment/setup. Presumably, it simply needs to ignore the Set-Link-Info AVP message type in this case.