Cisco VPN does not work (connection hangs through vpnc) after upgaded to wily

Bug #1504435 reported by LGB [Gábor Lénárt] on 2015-10-09
This bug affects 2 people
Affects Status Importance Assigned to Milestone
network-manager-vpnc (Ubuntu)

Bug Description

I've used the same vpnc config (set up with network manager) since years, without issues. After upgraded to wily, it does not work anymore though. The VPN connection itself is established, however opening a web page just stalls. Using ssh through the VPN connection also work, but eg givin an 'ls' command hangs after some lines and the connection freezes. It seems, more than a few bytes sent through a connection over VPN hangs. I've tried to turn TCP ECN and window scaling (through the /proc interface) off, since in my experience, it caused problems with old firewalls etc. However it did not helped either with my current issue.

Using tcpdump to capture the network traffic (on interface tun0, I inspected the cap file with wireshark then) indicated "TCP Dup ACK" and "Server: TCP Previous segment not captured" and similar messages. The firewall behind the vpn termination is also Linux, it reported invalid state packets (so the connection tracking information is not NEW, ESTABLISHED or RELATED, but INVALID, which is dropped by the global policy, and I can't change that because of company level firewall policy).

From my experience I have the suspect that it can be some kind of MTU issue (my usual "hang on traffic" reaction is the checklist: TCP ecn, window scaling, banned related icmp messages, and the MTU issues), though it didn't required any "manual tuning" before previous ubuntu versions, and also I am not sure where I should modify something, what what it is ...

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: vpnc 0.5.3r550-2
ProcVersionSignature: Ubuntu 4.2.0-14.16-generic 4.2.2
Uname: Linux 4.2.0-14-generic i686
ApportVersion: 2.19.1-0ubuntu2
Architecture: i386
CurrentDesktop: Unity
Date: Fri Oct 9 10:03:21 2015
InstallationDate: Installed on 2014-05-08 (519 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release i386 (20140417)
SourcePackage: vpnc
UpgradeStatus: Upgraded to wily on 2015-10-08 (0 days ago)
modified.conffile..etc.vpnc.default.conf: [deleted]

LGB [Gábor Lénárt] (lgb) wrote :
LGB [Gábor Lénárt] (lgb) wrote :

It seems to be an MTU problem, indeed, as after this command:

ip li set mtu 1200 dev tun0

everything works again! I am just curious now: no modification on the VPN terminator/network/everything, the change was only at my side to upgrade to wily, and it worked out-of-the-box, without any workaround (like the command above) before the upgrade.

Changed in vpnc (Ubuntu):
status: New → Incomplete
status: Incomplete → New
LGB [Gábor Lénárt] (lgb) wrote :

Some tests:

Part of the output of command "ip link" :

On a 15.04 system, after connecting to the VPNC, it works nicely, without any workaround:

tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1412 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 500

After connecting to VPNC on a machine upgraded to wily, it does NOT work:

tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 500

Entering command "ip li set mtu 1412 dev tun0" after the VPNC connection on a machine upgraded to wily, now it works:

tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1412 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 500

Thus, it seems, for some reason, 1412 MTU is set in pre-wily systems when connected to vpnc, while it's not the case with wily, and needs a manual workaround?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in vpnc (Ubuntu):
status: New → Confirmed
Florian Schlichting (fschlich) wrote :

vpnc didn't change in wily, but network manager did. reassigning to network-manager-vpnc, which I assume will need to drive vpnc differently

affects: vpnc (Ubuntu) → network-manager-vpnc (Ubuntu)
Changed in network-manager-vpnc (Ubuntu):
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers