www.infradead.org Git - users/dwmw2/openconnect.git/commitdiff
Attempt to allow Fortinet reconnect over TCP
author David Woodhouse <dwmw2@infradead.org>
Tue, 27 Apr 2021 23:14:52 +0000 (00:14 +0100)
committer David Woodhouse <dwmw2@infradead.org>
Tue, 27 Apr 2021 23:24:38 +0000 (00:24 +0100)
We can't just reconnect; we have to fetch the XML config again. Even that
isn't always sufficient; it seems the server only allows *one* reconnect
before it starts to fail.

The *first* reconnection shows this in server logs:

[2326:root:0]ipcp: down ppp:0x7f1e1d218000 caller:0x7f1e1d15f900 tun:37
[2326:root:78]sslvpn_ppp_deassociate_fd_to_ipaddr:318 deassociate 10.212.134.200 to tun (ssl.root:37)
[2326:root:78]tunnel is down, wait for next connection.
[2326:root:78]sslvpn_release_dynip:1309 free app session, idx[0]
...
[2326:root:79]req: /remote/fortisslvpn_xml
[2326:root:79]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:79]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:79]sslvpn_reserve_dynip:1275 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[2326:root:79]req: /remote/sslvpn-tunnel
[2326:root:79]sslvpn_tunnel_handler,52, Calling rmt_conn_access_ex.
[2326:root:79]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:79]sslvpn_tunnel_handler,153, Calling tunnel.
[2326:root:79]tunnelEnter:498 0x7f1e1d15f900:0x7f1e1d1e9000 sslvpn user[dwmw2],type 1,logintime 0 vd 0
[2326:root:79]sconn 0x7f1e1d15f900 (0:root) vfid=0 local=[178.238.156.110] remote=[90.155.92.213] dynamicip=[10.212.134.200]
[2326:root:79]Prepare to launch ppp service...

The *second* reconnection doesn't say anything about waiting for next
connection:

[2326:root:0]ipcp: down ppp:0x7f1e1d21a800 caller:0x7f1e1d15f900 tun:37
[2326:root:79]sslvpn_ppp_deassociate_fd_to_ipaddr:318 deassociate 10.212.134.200 to tun (ssl.root:37)
[2326:root:79]sslvpn_release_dynip:1309 free app session, idx[0]
...
[2326:root:7a]req: /remote/fortisslvpn_xml
[2326:root:7a]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:7a]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:7a]sslvpn_reserve_dynip:1275 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[2326:root:0]sslvpn_internal_remove_apsession_by_idx:2586 free app session, idx[0]
[2326:root:7a]req: /remote/sslvpn-tunnel
[2326:root:7a]sslvpn_tunnel_handler,52, Calling rmt_conn_access_ex.
[2326:root:7a]deconstruct_session_id:426 decode session id ok, user=…
[2326:root:7a]sslvpn_tunnel_handler,153, Calling tunnel.
[2326:root:7a]tunnelEnter:498 0x7f1e1d15f900:0x7f1e1d1e9000 sslvpn user[dwmw2],type 1,logintime 0 vd 0
[2326:root:7a]tunnelEnter:520 failed to retrieve tunnel address

Compare with the behaviour when we don't get the XML config again and
just try to re-establish PPP:

[385:root:0]ipcp: down ppp:0x7f19b6084800 caller:0x7f19b5fb2b00 tun:36
[385:root:f]sslvpn_ppp_deassociate_fd_to_ipaddr:318 deassociate 10.212.134.200 to tun (ssl.root:36)
[385:root:f]tunnel is down, wait for next connection.
[385:root:f]sslvpn_release_dynip:1309 free app session, idx[0]
...
[385:root:10]req: /remote/sslvpn-tunnel
[385:root:10]sslvpn_tunnel_handler,52, Calling rmt_conn_access_ex.
[385:root:10]deconstruct_session_id:426 decode session id ok, user=…
[385:root:10]sslvpn_tunnel_handler,153, Calling tunnel.
[385:root:10]tunnelEnter:498 0x7f19b5fb2b00:0x7f19b6043800 sslvpn user[dwmw2],type 1,logintime 0 vd 0
[385:root:10]tunnelEnter:512 no more IP address available.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
fortinet.c

index d32e69436d2bcb89e91c58243f3a5093e332906d..057f6810694528ce85789c5c20146a561283ecd1 100644 (file)
@@ -614,15 +614,7 @@ int fortinet_connect(struct openconnect_info *vpninfo)
 {
        int ret = 0;
 
-       if (!vpninfo->ppp) {
-               /* Initial connection */
-               ret = fortinet_configure(vpninfo);
-       } else if (vpninfo->ppp->ppp_state != PPPS_DEAD) {
-               /* TLS/DTLS reconnection with already-established PPP session
-                * (PPP session will persist past reconnect.)
-                */
-               ret = ppp_reset(vpninfo);
-       }
+       ret = fortinet_configure(vpninfo);
        if (ret) {
        err:
                openconnect_close_https(vpninfo, 0);
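
Review bot: with `ret = fortinet_configure(vpninfo);` now unconditional at the top of `fortinet_connect()`, the only visible `ppp_reset(vpninfo)` call is gone, so on a reconnect where `vpninfo->ppp` already exists and is not `PPPS_DEAD` nothing in this hunk resets or replaces the old PPP state. Please confirm that `fortinet_configure()` copes with being called while `vpninfo->ppp` is already set (no leak of the previous structure, no stale negotiation state carried into the new tunnel), or keep an explicit reset on that path after the config fetch. The removed comment was the only in-code explanation of the reconnect case; a short replacement comment saying that the XML config has to be fetched again before `/remote/sslvpn-tunnel`, and that per the commit message the server still fails a second reconnect, would save the next reader from rediscovering this from server logs. Minor: the `= 0` initializer on `int ret` is now redundant because `ret` is assigned immediately.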