SSH fails with connection timed out - in VPN and hangs here "expecting SSH2_MSG_KEX_ECDH_REPLY" + Ubuntu 16.04.6 LTS

Tried with putty no issues.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1874257

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Hello Team,

We tried to change the MTU setting to 1200, still no luck.

Shared all information in the comment.

Please let me know

Thanks
Jay

After changing the VPN interface MTU to 1100, fixed the problem.

May I know why this behaviour occurred?

Hello,

This is an issue with VPN MTU configuration. May I know the root cause why this is causing the issue? After adjusted the MTU , this is fixed.

As the same time putty works without any modification.

Why ssh client not negotiating properly with the default MTU

It could be a noisy or unreliable connection to the server. Probably that data corruption is happening to the packet when it is sent, which is my assumption

https://en.wikipedia.org/wiki/Maximum_transmission_unit
https://en.wikipedia.org/wiki/Forward_error_correction

From ubuntu community point of view any suggestions>

thanks
Jay

Thank you for taking the time to file a bug report.

In order to reproduce the bug you faced, could you please share your config files? OpenSSH and OpenVPN ones. Otherwise we cannot do anything.

Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as "Incomplete". We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

Hello Lucas,

Thanks for taking this up. Yes I can provide you the required information.

Why I believe this is a bug, is due to using putty there were no issues.

So ssh client is causing the issue. For fixing reducing the MTU of VPN tunnel interface fixed the issue.

So I think there is still a problem with ssh client with negotiating the SSH communication.

===
$dpkg -l | grep -i openssh
ii openssh-client 1:7.2p2-4ubuntu2.8 -->
ii openssh-server 1:7.2p2-4ubuntu2.8
ii openssh-sftp-server 1:7.2p2-4ubuntu2.8

$cat /etc/ssh/ssh_config

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
# Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,<email address hidden>,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
ForwardX11Trusted yes
ForwardX11Timeout 596h

For VPN client connection we are using open-connect, so usually connect via
$sudo openconnect <domain-name>

$dpkg -l | grep openconnect
ii libopenconnect5:amd64 7.06-2build2 amd64 open client for Cisco AnyConnect VPN - shared library
ii openconnect 7.06-2build2 amd64 open client for Cisco AnyConnect VPN

I'm marking this bug status to confirmed.

Thanks
Jay

It appears you are using *OpenConnect*, although both the strings OpenVPN and OpenConnect appear in prior posts. These are *completely different* VPN clients.

You are using an *ancient* old release of OpenConnect v7.06. The automatic MTU detection logic has been vastly improved in newer versions of OpenConnect: https://www.infradead.org/openconnect/changelog.html

So yes, this is indeed a bug in OpenConnect's MTU handling, but likely one which we've long since fixed upstream.

Yeah Dan, thanks for chiming in.
In particular that would be at least (but not lmited to) the changes:

8.04
Rework DTLS MTU detection. (#10)
7.08
Support automatic DTLS MTU detection with OpenSSL.
7.07
Automatic DTLS MTU detection.

Ubuntu has these newer versions.
Bionic 18.04 is on 7.08 and the most recent LTS Focal is at 8.05.
The current development release is at the latest 8.09 of openconnect.

These are new features added in 7.07 and 7.08 - IMHO they do not qualify for a SRU release into Xenial [1] - especially since you can "get away" with a config change that mitigates the issue.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates

Thanks Dan and chris for the update,
I can understand this will not backport in Xenial openconnect version correct.
Because most of our Ubuntu desktop/laptop running on 16.04.6 LTS version and i see it has support agreement until April 2021.

If there is any chance to backport this MTU detection handling on openconnect 7.06, then it would be really great.

Thanks
Jay

See this AskUbuntu item on this bug
https://askubuntu.com/questions/1229456/ssh-fails-with-connection-timed-out-in-vpn-and-hangs-here-expecting-ssh2-msg

I resolved this with the suggested setting:
> As a temporary workaround, setting the KEX algorithm manually solves this problem for me.
> Add KexAlgorithms ecdh-sha2-nistp521 to the corresponding SSH config, or add -oKexAlgorithms=ecdh-sha2-nistp521 to the command line args for one time use.

This is still a current problem

$ dpkg -l | grep -i openvpn
ii network-manager-openvpn 1.8.14-1 amd64 network management framework (OpenVPN plugin core)
ii network-manager-openvpn-gnome 1.8.14-1 amd64 network management framework (OpenVPN plugin GNOME GUI)
ii openvpn 2.5.1-3ubuntu1 amd64 virtual private network daemon

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 21.10
Release: 21.10
Codename: impish

@Stuart-ward wrote…

> This is still a current problem
>
> $ dpkg -l | grep -i openvpn
> ii network-manager-openvpn 1.8.14-1 amd64 network management framework (OpenVPN plugin core)
> ii network-manager-openvpn-gnome 1.8.14-1 amd64 network management framework (OpenVPN plugin GNOME GUI)
> ii openvpn 2.5.1-3ubuntu1 amd64 virtual private network daemon

Once again, OpenConnect and OpenVPN are *not* the same thing. At all.

For your VPN connection, are you using OpenConenct (the original subject of this bug report), or are you using OpenVPN (completely different and should have a separate bug files)?

I faced with same issue after changed router from Zyxel Keenetic Lite to Xiaomi A4 Giga Edition.

My connection use PPPOE on router.

Ubuntu 21.10 and openconnect VPN.

@family-gan are you saying this is an issue in Ubuntu Impish (21.10)? It seems to be already fixed in supported releases. Could you share any steps to reproduce it? If you consider the issue you are facing different than the one discussed in this bug please consider filing a separate bug.

Ubuntu Xenial has reached end of standard support, so I marked its task as Won't Fix.