yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0

The connection is disconnected after a period of time #273

Open Chen-T opened 8 months ago

Chen-T commented 8 months ago

Hi, after I successfully connect with the GUI, the connection will be disconnected after a period of time, and I need to manually reconnect. Is there any way to automatically reconnect? If there is one, please let me know, thank you.

MurKit commented 3 months ago

Having the same issue with the CLI on Ubuntu.

Successfully connected at 06:19:
[2024-04-12T06:19:29Z INFO  gpclient::connect] Wrote PID 21884 to /var/run/gpclient.lock
10 Min later:
[2024-04-12T06:28:29Z INFO  openconnect::ffi] GlobalProtect rekey due
[2024-04-12T06:28:29Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/getconfig.esp
[2024-04-12T06:28:29Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:28:29Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:28:29Z WARN  openconnect::ffi] Allow Automatic Restoration of SSL VPN is disabled
[2024-04-12T06:28:29Z WARN  openconnect::ffi] Cookie is no longer valid, ending session
[2024-04-12T06:28:29Z WARN  openconnect::ffi] Reconnect failed
[2024-04-12T06:28:29Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/logout.esp
[2024-04-12T06:28:29Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:28:29Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:28:29Z INFO  openconnect::ffi] Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
[2024-04-12T06:28:29Z INFO  openconnect::ffi] openconnect_mainloop returned -1, exiting

yuezk commented 3 months ago

Hi @MurKit, has this client ever worked for you? And could you please provide the full log to me so I can investigate further? Thanks.

MurKit commented 3 months ago

Hey @yuezk, thanks for your attention. Yes, it works great, but maybe I'm missing some options when I run the client?

$ sudo gpclient connect smth.com
[2024-04-12T06:46:42Z INFO  gpclient::cli] gpclient started: 2.1.4 (2024-04-10)
[2024-04-12T06:46:42Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
[2024-04-12T06:46:42Z INFO  gpapi::portal::prelogin] Prelogin with params: {"tmp": "tmp", "default-browser": "1", "cas-support": "yes", "os-version": "Linux Ubuntu 20.04.1 LTS", "ipv6-support": "yes", "clientos": "Linux", "clientVer": "4100"}
[2024-04-12T06:46:42Z INFO  gpauth::cli] gpauth started: 2.1.4 (2024-04-10)
[2024-04-12T06:46:42Z INFO  gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect
[2024-04-12T06:46:42Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15
[2024-04-12T06:46:42Z INFO  gpauth::auth_window] Load the SAML request as URI...
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/****************/saml2?SAMLRequest=j**********%3D&RelayState=**********%3D&SigAlg=h**********6&Signature=a**********%3D
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-12T06:46:43Z INFO  gpauth::auth_window] Raise window in 1 second(s)

(process:23077): libsoup-WARNING **: 09:46:44.004: gssapi step failed: Unspecified GSS failure.  Minor code may provide more information: SPNEGO cannot find mechanisms to negotiate
[2024-04-12T06:46:45Z WARN  gpapi::utils::window] Failed to raise window: Failed to raise window: GlobalProtect Login
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/***********************/login
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-12T06:46:54Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/common/SAS/ProcessAuth
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Loaded uri: https://m**********m/SAML20/SP/ACS
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-04-12T06:47:06Z INFO  gpauth::auth_window] Got auth data from headers
[2024-04-12T06:47:06Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-04-12T06:47:06Z INFO  gpclient::connect] Connecting to the only available gateway: hhjhhjh (smth.com)
[2024-04-12T06:47:06Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-04-12T06:47:06Z INFO  openconnect::ffi] openconnect version: v9.12-0-focal1
[2024-04-12T06:47:06Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2024-04-12T06:47:06Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-04-12T06:47:06Z INFO  openconnect::ffi] OS: linux
[2024-04-12T06:47:06Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-04-12T06:47:06Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-04-12T06:47:06Z INFO  openconnect::ffi] MTU: 0
[2024-04-12T06:47:06Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/getconfig.esp
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Connected to **********
[2024-04-12T06:47:06Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 10 minutes.
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Idle timeout is 10 minutes.
[2024-04-12T06:47:06Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-04-12T06:47:06Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/hipreportcheck.esp
[2024-04-12T06:47:06Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum eb96666666663e622d31d066666633667.
        VPN connectivity may be disabled or limited without HIP report submission.
        You need to provide a --csd-wrapper argument with the HIP report submission script.
[2024-04-12T06:47:06Z INFO  openconnect::ffi] ESP session established with server
[2024-04-12T06:47:06Z INFO  openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2024-04-12T06:47:06Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 11
[2024-04-12T06:47:06Z INFO  gpclient::connect] Wrote PID 23019 to /var/run/gpclient.lock
[2024-04-12T06:56:06Z INFO  openconnect::ffi] GlobalProtect rekey due
[2024-04-12T06:56:06Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/getconfig.esp
[2024-04-12T06:56:06Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:56:06Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Allow Automatic Restoration of SSL VPN is disabled
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Cookie is no longer valid, ending session
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Reconnect failed
[2024-04-12T06:56:06Z INFO  openconnect::ffi] POST https://smth.com/ssl-vpn/logout.esp
[2024-04-12T06:56:06Z INFO  openconnect::ffi] SSL negotiation with smth.com
[2024-04-12T06:56:06Z INFO  openconnect::ffi] Connected to HTTPS on smth.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-04-12T06:56:06Z INFO  openconnect::ffi] Logout successful.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
[2024-04-12T06:56:06Z INFO  openconnect::ffi] openconnect_mainloop returned -1, exiting
[2024-04-12T06:56:06Z INFO  gpclient::connect] Removing PID file

yuezk commented 3 months ago

Looks like the tunnel timeout is 10 minutes. I have never encountered this before, and I'm not sure whether the timeout is configured on the VPN server side or the client side. I will investigate whether the timeout can be set via the client.

[2024-04-12T06:47:06Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 10 minutes.
... ...
[2024-04-12T06:56:06Z INFO  openconnect::ffi] GlobalProtect rekey due

And the timeout of my VPN is 180 minutes.

[image]
MurKit commented 3 months ago

I suspect the timeout is set from the server.

Also, the official GUI client from GlobalProtect did not disconnect, but it has a bad GUI and a weird autostart that does not close the previous instances.

yuezk commented 3 months ago

It could be set from the client side if the official client did not disconnect.

yuezk commented 3 months ago

I found some information regarding this problem:

  1. Your administrator has changed the default Inactivity Logout period to 10 minutes (the default is 180 minutes). OpenConnect uses this field to do rekey operations periodically.
  2. Your administrator has checked the Disable Automatic Restoration of SSL VPN option to prevent the SSL VPN restoration; that's why we saw the rekey fail in the logs. (The default is to allow automatic restoration.)
  3. The reason why the official client doesn't disconnect after 10 minutes could be that it doesn't use the Inactivity Logout period as the session timeout value. But OpenConnect uses it, and there is no way to change it. I also found a discussion regarding this on OpenConnect's mailing list, but there seems to be no result.

The workaround for this is to enable automatic restoration of SSL VPN from the server side, or increase the Inactivity Logout period to delay the rekey period.

This is the official doc regarding this. [image]
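
The three findings above can be checked mechanically against a `gpclient` log before opening a ticket with the VPN administrator. The following is an added example (not code from the GlobalProtect-openconnect project) that scans the log for the rekey interval reported at connect time, the "Automatic Restoration of SSL VPN is disabled" warning, and a cookie-invalid error that follows a rekey, and reports how long the session lasted before the rekey. The sample log is a constructed, shortened copy of the lines quoted earlier in this issue; the 180-minute default is the value stated in the comment above.

```python
import re
from datetime import datetime

# Constructed sample: a shortened copy of the openconnect log lines quoted in this issue.
SAMPLE_LOG = """\
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 10 minutes.
[2024-04-12T06:47:06Z INFO  openconnect::ffi] Idle timeout is 10 minutes.
[2024-04-12T06:47:06Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 11
[2024-04-12T06:56:06Z INFO  openconnect::ffi] GlobalProtect rekey due
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Allow Automatic Restoration of SSL VPN is disabled
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Cookie is no longer valid, ending session
[2024-04-12T06:56:06Z WARN  openconnect::ffi] Reconnect failed
RTNETLINK answers: No such process
[2024-04-12T06:56:06Z INFO  openconnect::ffi] openconnect_mainloop returned -1, exiting
"""

# "[<timestamp> <LEVEL>  <target>] <message>" as emitted by gpclient's logger
LINE_RE = re.compile(r"^\[(?P<ts>\S+) +(?P<level>[A-Z]+) +(?P<target>\S+)\] (?P<msg>.*)$")
REKEY_RE = re.compile(r"Tunnel timeout \(rekey interval\) is (\d+) minutes")

# GlobalProtect default Inactivity Logout period, as stated in the issue discussion.
DEFAULT_INACTIVITY_LOGOUT_MIN = 180


def parse_lines(text):
    """Yield (timestamp, level, message) for each prefixed log line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. "RTNETLINK answers: ..." or warning continuation lines
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("level"), m.group("msg")


def diagnose(text):
    """Extract the indicators discussed in the issue from a gpclient log."""
    result = {
        "rekey_interval_min": None,
        "rekey_below_default": False,
        "auto_restore_disabled": False,
        "cookie_invalid_after_rekey": False,
        "session_minutes": None,
    }
    connected_at = None
    rekey_at = None
    for ts, _level, msg in parse_lines(text):
        m = REKEY_RE.search(msg)
        if m:
            interval = int(m.group(1))
            result["rekey_interval_min"] = interval
            result["rekey_below_default"] = interval < DEFAULT_INACTIVITY_LOGOUT_MIN
        elif msg.startswith("Connected to VPN"):
            connected_at = ts
        elif msg == "GlobalProtect rekey due":
            rekey_at = ts
        elif msg == "Allow Automatic Restoration of SSL VPN is disabled":
            result["auto_restore_disabled"] = True
        elif msg.startswith("Cookie is no longer valid") and rekey_at is not None:
            # Only meaningful when it follows a rekey; a cookie rejected at
            # initial login would be a different problem.
            result["cookie_invalid_after_rekey"] = True
    if connected_at is not None and rekey_at is not None:
        result["session_minutes"] = int((rekey_at - connected_at).total_seconds() // 60)
    return result


def findings(result):
    """Turn the indicators into the server-side settings to raise with the administrator."""
    notes = []
    if result["rekey_below_default"]:
        notes.append(
            f"Inactivity Logout period is {result['rekey_interval_min']} min "
            f"(default {DEFAULT_INACTIVITY_LOGOUT_MIN} min); OpenConnect rekeys on this interval."
        )
    if result["auto_restore_disabled"] and result["cookie_invalid_after_rekey"]:
        notes.append(
            "Automatic Restoration of SSL VPN is disabled on the gateway, so the rekey "
            "cannot reuse the session cookie and the tunnel is torn down."
        )
    return notes


if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG)
    print(f"session lasted {r['session_minutes']} min before rekey")
    for note in findings(r):
        print("-", note)
```

Run it against a saved log with `diagnose(open("gpclient.log").read())`; both settings it flags are gateway-side, which matches the workaround given above (allow automatic restoration, or raise the Inactivity Logout period), so a client-side change cannot fix this case.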

MurKit commented 3 months ago

So, I guess it's not possible when a user can't affect decisions on how to set up the server. Maybe the official app has some options and therefore works.

Davetwo commented 1 month ago

File transfer using Remmina didn't work. Also, JDBC connections to Postgres didn't work. Using the standard Windows client, everything works well. Unfortunately, I have to use a Windows VM for it.