[SRU] openconnect throws errors and routing issues after connection.

Bug #1871184 reported by lastpokemon
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
vpnc-scripts (Debian) | Fix Released | Unknown | |
vpnc-scripts (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

NOTE: Ubuntu 20.04 is still affected, but Ubuntu 20.10 and later are not.

It's being reported since 19.10 that openconnect throws the following error after the connection has been established. I noticed that I would be able to connect to the company VPN, but connections to certain company sites that might be accessible from outside will time out; this indicates some routing issues. The errors below are thrown all the time:

Error: ipv4: Invalid values in header for route get request.
Usage: ip route { list | flush } SELECTOR
       ip route save SELECTOR
       ip route restore
       ip route showdump
       ip route get [ ROUTE_GET_FLAGS ] ADDRESS
                            [ from ADDRESS iif STRING ]
                            [ oif STRING ] [ tos TOS ]
                            [ mark NUMBER ] [ vrf NAME ]
                            [ uid NUMBER ] [ ipproto PROTOCOL ]
                            [ sport NUMBER ] [ dport NUMBER ]
       ip route { add | del | change | append | replace } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
            [ table TABLE_ID ] [ vrf NAME ] [ proto RTPROTO ]
            [ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
             [ table TABLE_ID ] [ proto RTPROTO ]
             [ scope SCOPE ] [ metric METRIC ]
             [ ttl-propagate { enabled | disabled } ]
INFO_SPEC := { NH | nhid ID } OPTIONS FLAGS [ nexthop NH ]...
NH := [ encap ENCAPTYPE ENCAPHDR ] [ via [ FAMILY ] ADDRESS ]
     [ dev STRING ] [ weight NUMBER ] NHFLAGS
FAMILY := [ inet | inet6 | mpls | bridge | link ]
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ as [ to ] ADDRESS ]
           [ rtt TIME ] [ rttvar TIME ] [ reordering NUMBER ]
           [ window NUMBER ] [ cwnd NUMBER ] [ initcwnd NUMBER ]
           [ ssthresh NUMBER ] [ realms REALM ] [ src ADDRESS ]
           [ rto_min TIME ] [ hoplimit NUMBER ] [ initrwnd NUMBER ]
           [ features FEATURES ] [ quickack BOOL ] [ congctl NAME ]
           [ pref PREF ] [ expires TIME ] [ fastopen_no_cookie BOOL ]
TYPE := { unicast | local | broadcast | multicast | throw |
          unreachable | prohibit | blackhole | nat }
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]
PREF := [ low | medium | high ]
TIME := NUMBER[s|ms]
BOOL := [1|0]
FEATURES := ecn
ENCAPTYPE := [ mpls | ip | ip6 | seg6 | seg6local ]
ENCAPHDR := [ MPLSLABEL | SEG6HDR ]
SEG6HDR := [ mode SEGMODE ] segs ADDR1,ADDRi,ADDRn [hmac HMACKEYID] [cleanup]
SEGMODE := [ encap | inline ]
ROUTE_GET_FLAGS := [ fibmatch ]

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openconnect 8.05-1
ProcVersionSignature: Ubuntu 5.4.0-21.25-generic 5.4.27
Uname: Linux 5.4.0-21-generic x86_64
ApportVersion: 2.20.11-0ubuntu22
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 6 20:02:33 2020
InstallationDate: Installed on 2020-04-05 (0 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Beta amd64 (20200402)
SourcePackage: openconnect
UpgradeStatus: No upgrade log present (probably fresh install)

Dan Lenski (lenski) wrote :

This is a bug in vpnc-scripts, not in OpenConnect per se. Upstream Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955016

We fixed this bug a few months ago in: https://gitlab.com/openconnect/vpnc-scripts/-/merge_requests/5

Long story short:

1) Old versions of `vpnc-script` with old versions of iproute2 were silently doing the wrong thing (creating split-exclude routes always as `/32`)
2) Old `vpnc-script` with new iproute2 fails noisily, as you're showing.
3) New `vpnc-script` with new iproute2 works correctly.

We need the Ubuntu package maintainers to pull in the latest vpnc-script, as Debian packagers have already done: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955016
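
The silent failure in point 1 (a route collapsed to a `/32` host route) can be detected by comparing the prefixes the VPN policy is expected to install with the routing table. The following is an added example, not part of this bug thread or of vpnc-scripts; the function name, the expected prefixes and the sample routing table are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prefixes and routes below are constructed sample data
# (documentation address ranges), not values from the bug report.

# check_split_routes EXPECTED_PREFIXES ROUTE_TABLE
#   EXPECTED_PREFIXES: whitespace-separated CIDR prefixes the policy should install
#   ROUTE_TABLE:       text in the format printed by `ip -4 route show`
# Prints one "<prefix> <verdict>" line per expected prefix:
#   ok         a route with the expected prefix length exists
#   collapsed  only a host route for the network address exists (the /32 symptom)
#   missing    no route for this prefix at all
check_split_routes() {
    expected=$1
    routes=$2
    for prefix in $expected; do
        addr=${prefix%/*}
        len=${prefix#*/}
        # `ip route` prints host routes as a bare address, without "/32".
        if [ "$len" = 32 ]; then want=$addr; else want=$prefix; fi
        if printf '%s\n' "$routes" | awk -v w="$want" '$1 == w { f = 1 } END { exit !f }'; then
            echo "$prefix ok"
        elif printf '%s\n' "$routes" | awk -v w="$addr" '$1 == w { f = 1 } END { exit !f }'; then
            echo "$prefix collapsed"
        else
            echo "$prefix missing"
        fi
    done
}

# Constructed routing table: the second expected network appears only as a host route.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 dev tun0 scope link
192.0.2.0/24 via 192.168.1.1 dev eth0
198.51.100.0 via 192.168.1.1 dev eth0'
SAMPLE_EXPECTED='192.0.2.0/24 198.51.100.0/24 203.0.113.0/24'

check_split_routes "$SAMPLE_EXPECTED" "$SAMPLE_ROUTES"
```

On a live system, pass `"$(ip -4 route show)"` as the second argument after the tunnel is up.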

lastpokemon (lastpokemon) wrote :

Hi Dan

Thanks, I already suspected vpnc-script. Can I just pull the script and throw it in /etc/vpnc-script/?

Can you send the link to the last script, please? I'm just getting lost in git.

Nash

Dan Lenski (lenski) wrote :

@lastpokemon, yes, you should be able to overwrite your global vpnc-script with the latest version from the master branch. Raw source here:

https://gitlab.com/openconnect/vpnc-scripts/-/raw/master/vpnc-script

You will likely want to overwrite `/usr/share/vpnc-scripts/vpnc-script`, since this is the location used by Debian/Ubuntu packaging, and where the Debian/Ubuntu openconnect packages look for the script by default.

Mike Miller (mtmiller)
affects: openconnect (Ubuntu) → vpnc-scripts (Ubuntu)
lastpokemon (lastpokemon) wrote :

I can confirm that

1- downloading the vpn-script https://gitlab.com/openconnect/vpnc-scripts/-/blob/master/vpnc-script

2- then putting it on /etc/vpnc/

3- then running sudo openconnect --script=/etc/vpnc/vpnc-script myaccess.myvpn.com

has solved the issue.

Thanks

Changed in vpnc-scripts (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in vpnc-scripts (Ubuntu):
status: New → Confirmed
linuxball (linuxball) wrote :

I run Ubuntu 20.04 + openconnect 8.05-1 and since today I have this issue, too. I did not have it when I used openconnect the last time (one or two weeks ago).

1) Downloading the script https://gitlab.com/openconnect/vpnc-scripts/-/raw/master/vpnc-script

2) + installing it in /usr/share/vpnc-scripts/ (owner: root, group: root, permissions: -rwxr-xr-x)

has solved the issue.

Hint: The script "vpnc-script" was changed 5 days ago, so this change might have fixed my problem.
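
openconnect runs the vpnc-script as root, and the copy installed above comes from a moving `master` branch, so the installed file can be checked for the ownership and mode described here and against a digest recorded when the download was reviewed. This is an added example, not part of the thread or of vpnc-scripts; the function name is hypothetical, the demo file is constructed, and it assumes GNU `stat` and `sha256sum`.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of vpnc-scripts.
# audit_vpnc_script PATH PINNED_SHA256 [OWNER_UID]
# Succeeds only if PATH is a regular executable file (not a symlink) owned by
# OWNER_UID (default 0, root), not writable by group or others, and matching
# the digest recorded when the downloaded copy was reviewed.
audit_vpnc_script() {
    path=$1 pinned=$2 want_uid=${3:-0} rc=0
    if [ -L "$path" ] || [ ! -f "$path" ] || [ ! -x "$path" ]; then
        echo "FAIL: $path is not a regular executable file"
        return 1
    fi
    uid=$(stat -c %u "$path")     # GNU stat: numeric owner
    mode=$(stat -c %a "$path")    # GNU stat: octal permission bits, e.g. 755
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid $uid, expected $want_uid"; rc=1
    fi
    # 022 = write bits for group and others
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: mode $mode is writable by group or others"; rc=1
    fi
    actual=$(sha256sum "$path" | awk '{ print $1 }')
    if [ "$actual" != "$pinned" ]; then
        echo "FAIL: sha256 $actual does not match pinned digest"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path"
    return "$rc"
}

# Stand-alone demo on a constructed file. The real target would be
# /usr/share/vpnc-scripts/vpnc-script with the default owner uid 0.
demo=$(mktemp) && printf '#!/bin/sh\n' > "$demo" && chmod 755 "$demo"
audit_vpnc_script "$demo" "$(sha256sum "$demo" | awk '{ print $1 }')" "$(id -u)"
rm -f "$demo"
```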

linuxball (linuxball) wrote :

PS: Package vpnc-scripts 0.1~git20190117-1 (focal) was / is up to date.

Moses Moore (moses-ubuntu) wrote :

Using Ubuntu 20.10 now, with openconnect=8.10-1 and vpnc-scripts=0.1~git20200226-1
I dropped the --script parameter, and I did not see errors about misusing "ip route", and routing to hosts over the VPN seems to be okay.

$ openconnect --authgroup=$REDACTED --cert-expire-warning=5 --compression=none --no-deflate --disable-ipv6 --timestamp --user=$USER --dump-http-traffic --verbose https://webportal.${COMPANY}/+webvpn+/

$ ip r
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 dev tun0 scope link
10.123.196.0/24 dev tun0 scope link
xxx.xxx.186.23 dev tun0 scope link
xxx.xxx.186.25 dev tun0 scope link

Eugen Eisler (eoeisler) wrote :

I had the same problem on Ubuntu 20.04.1 LTS, 5.4.0-52-generic.

I replaced
/usr/share/vpnc-scripts/
with current master from
https://gitlab.com/openconnect/vpnc-scripts/-/raw/master/vpnc-script,
and now it works without errors.

Luís Infante da Câmara (luis220413) wrote :

Fixed in 0.1~git20200226-1. However, for the fix to arrive in Ubuntu 20.04, this needs an SRU.

summary: - openconnect throws errors and routing issues after connection.
+ [SRU] openconnect throws errors and routing issues after connection.
Changed in vpnc-scripts (Ubuntu):
status: Confirmed → Fix Released
description: updated