[SRU] openconnect throws errors and routing issues after connection.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vpnc-scripts (Debian) | Fix Released | Unknown | |
vpnc-scripts (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
NOTE: Ubuntu 20.04 is still affected, but Ubuntu 20.10 and later are not.
It's been reported since 19.10 that openconnect throws the following error after the connection has been established. I noticed that I would be able to connect to the company VPN, but connections to certain company sites that might be accessible from outside will time out; this indicates some routing issues. The errors below are thrown all the time:
Error: ipv4: Invalid values in header for route get request.
Usage: ip route { list | flush } SELECTOR
ip route save SELECTOR
ip route restore
ip route showdump
ip route get [ ROUTE_GET_FLAGS ] ADDRESS
ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
[ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
[ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
[ table TABLE_ID ] [ proto RTPROTO ]
[ scope SCOPE ] [ metric METRIC ]
[ ttl-propagate { enabled | disabled } ]
INFO_SPEC := { NH | nhid ID } OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
[ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
[ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
[ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
[ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
[ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
[ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
[ pref PREF ] [ expires TIME ] [ fastopen_no_cookie BOOL ]
TYPE := { unicast | local | broadcast | multicast | throw |
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 | seg6 | seg6local ]
ENCAPHDR := [ MPLSLABEL | SEG6HDR ]
SEG6HDR := [ mode SEGMODE ] segs ADDR1,ADDRi,ADDRn [hmac HMACKEYID] [cleanup]
SEGMODE := [ encap | inline ]
ROUTE_GET_FLAGS := [ fibmatch ]
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openconnect 8.05-1
ProcVersionSign
Uname: Linux 5.4.0-21-generic x86_64
ApportVersion: 2.20.11-0ubuntu22
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 6 20:02:33 2020
InstallationDate: Installed on 2020-04-05 (0 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Beta amd64 (20200402)
SourcePackage: openconnect
UpgradeStatus: No upgrade log present (probably fresh install)
affects: openconnect (Ubuntu) → vpnc-scripts (Ubuntu)
Changed in vpnc-scripts (Debian):
status: Unknown → Fix Released
This is a bug in vpnc-scripts, not in OpenConnect per se. Upstream Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955016
We fixed this bug a few months ago in: https://gitlab.com/openconnect/vpnc-scripts/-/merge_requests/5
Long story short:
1) Old versions of `vpnc-script` with old versions of iproute2 were silently doing the wrong thing (creating split-exclude routes always as `/32`)
2) Old `vpnc-script` with new iproute2 fails noisily, as you're showing.
3) New `vpnc-script` with new iproute2 works correctly.
We need the Ubuntu package maintainers to pull in the latest vpnc-script, as Debian packagers have already done: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955016
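A way to audit a connected client for the silent `/32` case in point 1, as an added example that is not part of the bug report or of vpnc-scripts: it compares the split-exclude networks the VPN configuration asks for against `ip -4 route show` output. The function names and sample data are constructed, and it assumes a truncated exclude shows up as a host route for the network address.

```shell
#!/bin/sh
# Added example (not vpnc-scripts code): audit split-exclude routes for /32 truncation.

# has_dest ROUTES DEST: true if some route's destination field equals DEST.
has_dest() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# check_exclude_routes EXPECTED ROUTES
#   EXPECTED: whitespace-separated CIDRs the VPN config asks to exclude
#   ROUTES:   text of `ip -4 route show`
# Prints "<cidr> <status>" per network; returns 1 unless every status is "ok".
#   ok        route present with the expected prefix length
#   host-only only a host (/32) route exists for the network address
#   missing   no route for this destination at all
check_exclude_routes() {
    rc=0
    for cidr in $1; do
        addr=${cidr%/*}
        len=${cidr#*/}
        # iproute2 prints /32 host routes as a bare address, without "/32".
        if [ "$len" = 32 ] && has_dest "$2" "$addr"; then status=ok
        elif has_dest "$2" "$cidr"; then status=ok
        elif has_dest "$2" "$addr" || has_dest "$2" "$addr/32"; then status=host-only
        else status=missing
        fi
        [ "$status" = ok ] || rc=1
        printf '%s %s\n' "$cidr" "$status"
    done
    return $rc
}

# Constructed sample: excludes requested by the gateway (documentation ranges).
SAMPLE_EXPECTED='198.51.100.0/24
203.0.113.7/32
192.0.2.0/25'

# Constructed sample of `ip -4 route show` on an affected client.
SAMPLE_ROUTES='default dev tun0 scope link
198.51.100.0 via 192.168.1.1 dev wlp2s0
203.0.113.7 via 192.168.1.1 dev wlp2s0
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.23'

check_exclude_routes "$SAMPLE_EXPECTED" "$SAMPLE_ROUTES" || true
# On a live system: check_exclude_routes "$(cat excludes.txt)" "$(ip -4 route show)"
```

A `host-only` result means only one address of the excluded network bypasses the tunnel, while the rest of that network still follows the VPN's routes.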