VPN connection fails after one hour^H^H^H^H security-association idle-time expiry

Bug #479632 reported by Johan Niska
This bug affects 22 people
Affects         Status        Importance  Assigned to  Milestone
vpnc (Fedora)   Won't Fix     Medium
vpnc (Ubuntu)   Fix Released  Undecided   Unassigned
Nominated for Lucid by ShawnPinet
Nominated for Maverick by ShawnPinet

Bug Description

Binary package hint: vpnc

Running Ubuntu 9.10, vpnc version 0.5.3, connecting ipsec vpn over TCP nat-t to Cisco IOS router. Successful connect and tunnel works fine, but after one hour the vpn connection fails.

Nov 9 21:52:39 mylaptop NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.vpnc'...
Nov 9 21:52:39 mylaptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' started (org.freedesktop.NetworkManager.vpnc), PID 11661
Nov 9 21:52:39 mylaptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' just appeared, activating connections
Nov 9 21:52:54 mylaptop vpnc[11669]: can't open pidfile /var/run/vpnc/pid for writing
Nov 9 22:53:11 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:11 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:11 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:14 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:20 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:22 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:23 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:24 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:27 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:30 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:32 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:33 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:38 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:50 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:56 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:54:44 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:56:20 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 23:01:21 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 23:16:12 mylaptop vpnc[11669]: select: Interrupted system call
Nov 9 23:16:12 mylaptop vpnc[11669]: terminated by signal: 15
Nov 9 23:16:33 mylaptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' disappeared, cancelling connections
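As an added example (not part of the report or of vpnc), a small Python parser for vpnc syslog lines like the ones above: it measures the time from the first vpnc line of a session to the first "HMAC mismatch in ESP mode" and flags the session when that delay matches the configured SA lifetime, which is the correlation the later comments make by hand. The sample log is constructed from the lines quoted above; the 3600 s default lifetime and the year 2009 are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the vpnc syslog lines quoted in this report.
SAMPLE_LOG = """\
Nov 9 21:52:54 mylaptop vpnc[11669]: can't open pidfile /var/run/vpnc/pid for writing
Nov 9 22:53:11 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:11 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 22:53:14 mylaptop vpnc[11669]: HMAC mismatch in ESP mode
Nov 9 23:16:12 mylaptop vpnc[11669]: select: Interrupted system call
Nov 9 23:16:12 mylaptop vpnc[11669]: terminated by signal: 15
"""

# Classic syslog prefix followed by the vpnc tag; NetworkManager lines do not match.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ vpnc\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse_syslog_ts(mon, day, time_s, year=2009):
    """Syslog carries no year; the report is from 2009, so that year is assumed."""
    return datetime.strptime(f"{mon} {day} {year} {time_s}", "%b %d %Y %H:%M:%S")

def analyse(log_text, sa_lifetime_s=3600, tolerance_s=120):
    """Per vpnc PID: count 'HMAC mismatch in ESP mode' lines, measure the delay
    from the first vpnc line of that PID to the first mismatch, and flag the
    session when the delay is within tolerance_s of the assumed SA lifetime."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_syslog_ts(m["mon"], m["day"], m["time"])
        s = sessions.setdefault(m["pid"], {"start": ts, "first_hmac": None, "count": 0})
        if "HMAC mismatch in ESP mode" in m["msg"]:
            s["count"] += 1
            if s["first_hmac"] is None:
                s["first_hmac"] = ts
    report = {}
    for pid, s in sessions.items():
        delay = None
        if s["first_hmac"] is not None:
            delay = int((s["first_hmac"] - s["start"]).total_seconds())
        report[pid] = {
            "hmac_count": s["count"],
            "delay_s": delay,
            "rekey_suspect": delay is not None and abs(delay - sa_lifetime_s) <= tolerance_s,
        }
    return report
```

On the report's own log the delay comes out at 3617 s, i.e. the one-hour SA lifetime plus the rekey window, which is what points at rekeying rather than at the network.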

Felix Möller (felix-derklecks) wrote :

I have exactly the same problem on Fedora 12 with my university network. See https://bugzilla.redhat.com/show_bug.cgi?id=504855

I have a friend on Gentoo with the same problem.

Felix Möller (felix-derklecks) wrote :

There are people stating that this is a regression: http://ubuntuforums.org/showthread.php?p=7497214

Changed in vpnc (Fedora):
status: Unknown → Confirmed
Johan Niska (johan-niska) wrote :

Did some troubleshooting the other day. I have access to the Cisco router terminating the ipsec tunnels. This error occurs when rekeying ipsec/negotiating new ipsec SAs.

Arjan (iafilius) wrote :

A me too message.
After playing with the SA lifetime on the VPN server, vpnc either hangs or just doesn't work anymore (blackhole) after the expiry of the SA lifetime(r).

This is with Ubuntu 9.10 (32 bits) and the new Ubuntu 10.04 alpha; both run vpnc 0.5.3.

Quite annoying, and I ran into it many times but wasn't able to pinpoint it, but with an SA lifetime of 120 seconds (the minimum in Cisco IOS) I can confirm it's a rekey issue.
The first message in Cisco IOS (15.x) is:

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=17 local=<snip> remote=<snip> spi=<snip> seqno=00000001

hope this will help to pinpoint a solution.

Regards,

Arjan Filius

Changed in vpnc (Ubuntu):
status: New → Confirmed
summary: - VPN connection fails after one hour
+ VPN connection fails after one hour^H^H^H^H security-association idle-time expiry
Arjan (iafilius) wrote :

Changed the subject, as the 1 hour mentioned is VPN server dependent; what actually triggers it is the SA lifetime.

In Cisco IOS 15.x you can trigger/guide this bug to a more debuggable time with:

cisco ios vpn server config:
crypto dynamic-map ......
 set security-association lifetime seconds 120

Those 120 seconds are the minimum, but at least better than waiting for a default value while debugging.
Hope that helps.

Regards,

Agustin Fernandez (agustinmfernandez) wrote :

Somebody seems to have written a patch to fix this problem: http://www.gossamer-threads.com/lists/vpnc/devel/3442

Arjan (iafilius) wrote :

Hi, tested the patches from http://www.gossamer-threads.com/lists/vpnc/devel/3442 (makovick) and I've got success!

As I described, I had set my Cisco VPN security association lifetime to 120 to pinpoint/debug it with ease,
and with that setup it seems to work without problems this time.

Also, I worked with this patched vpnc the whole day today to connect to my work; I wasn't aware of any problems with that, so it proved at least to be stable (enough).

For me this patch is a keeper, and I will notify makovick in person (I'm not on the vpnc mailing list).

Regards,

Arjan Filius

Arjan (iafilius) wrote :

Hi, I see this bug is attached to a Red Hat bug.
I can state that the CPU issue described in the Red Hat bug is not what I experienced, so I state this is different, and we should not wait on Red Hat with this. And there hasn't been activity there for 4 months.

Personally I'd like to see this in lucid asap, but until then I keep my patched version active.

I'm not sure I can vote for "Nominate for release" now.

Regards,

Arjan Filius

ShawnPinet (shawn-pinet) wrote :

I had success getting my VPN to work with the patch this morning as well. I'll hit the button since it's been driving 3 of us at work nuts.

lilphil (lilphil) wrote :

These patches from makovick seem to have fixed it for me too. I was getting timeouts after 60 minutes; for the first time I have been connected for 100 mins so far.

Agustín Fernández (yo-agustinfernandez) wrote :

The patches also fixed the problem for me. The VPN hasn't ever been so stable for me before.

cashy (kispal-istvan) wrote :

Hi,

I am not sure about having the same problem.
I have 10.04 official, fresh installation. My vpnc "disconnects" after about 16 minutes.

I tried various setups, tried the Makovick patches, and I reached the point where there are no error messages and everything seems to be okay, but the other side of the VPN is not reachable... :(

With nm-applet:
Connection successful, got the login banner. Everything is okay, speed is right.
Syslog says:
--
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.vpnc'...
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' started (org.freedesktop.NetworkManager.vpnc), PID 9690
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' just appeared, activating connections
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> VPN plugin state changed: 1
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> VPN plugin state changed: 3
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> VPN connection 'WORK' (Connect) reply received.
Aug 25 14:09:40 cashy-laptop NetworkManager: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Aug 25 14:09:40 cashy-laptop kernel: [63073.336892] tun0: Disabled Privacy Extensions
Aug 25 14:09:40 cashy-laptop NetworkManager: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> VPN connection 'WORK' (IP Config Get) reply received.
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> VPN Gateway: xxx.xxx.xxx.xxx
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Tunnel Device: tun0
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Internal IP4 Address: 10.100.101.239
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Internal IP4 Prefix: 24
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Internal IP4 Point-to-Point Address: 10.100.101.239
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Maximum Segment Size (MSS): 0
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Static Route: 192.168.110.0/24 Next Hop: 192.168.110.0
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Internal IP4 DNS: 84.2.44.1
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Internal IP4 DNS: 84.2.46.1
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> DNS Domain: '(none)'
Aug 25 14:09:40 cashy-laptop NetworkManager: <info> Login Banner:
---
And not so suddenly, after 16 minutes:
---
Aug 25 14:09:41 cashy-laptop NetworkManager: <info> VPN connection WORK' (IP Config Get) complete.
Aug 25 14:09:41 cashy-laptop NetworkManager: <info> Policy set 'Auto HOME' (wlan0) as default for routing and DNS.
Aug 25 14:09:41 cashy-laptop NetworkManager: <info> VPN plugin state changed: 4
Aug 25 14:09:41 cashy-laptop nm-dispatcher.action: Script '/etc/NetworkManager/dispatcher.d/01ifupdown' exited with error status 1.
---

With patched vpnc (vpnc-0.5.3r449) nearly the same:
Login, and login banner, counter starts to tick.
Ticks and ticks, but after 16 minutes ping works with 100% packet loss.

Earlier ...

cashy (kispal-istvan) wrote :

Additionally:

I got this in syslog the next time the VPN hung:
---
Aug 25 14:26:38 cashy-laptop NetworkManager: SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Aug 25 14:26:38 cashy-laptop NetworkManager: <info> VPN plugin failed: 1
Aug 25 14:26:38 cashy-laptop NetworkManager: <info> VPN plugin state changed: 6
Aug 25 14:26:38 cashy-laptop NetworkManager: <info> VPN plugin state change reason: 0
Aug 25 14:26:38 cashy-laptop NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
Aug 25 14:26:39 cashy-laptop NetworkManager: <info> Policy set 'Auto HOME' (wlan0) as default for routing and DNS.
Aug 25 14:26:39 cashy-laptop nm-dispatcher.action: Script '/etc/NetworkManager/dispatcher.d/01ifupdown' exited with error status 1.
Aug 25 14:26:52 cashy-laptop NetworkManager: <debug> [1282739212.001864] ensure_killed(): waiting for vpn service pid 9690 to exit
Aug 25 14:26:52 cashy-laptop NetworkManager: <debug> [1282739212.001961] ensure_killed(): vpn service pid 9690 cleaned up
---

gfb@celeritasmarkets.com (gfb) wrote :

Hi,

How does one apply the patches from http://www.gossamer-threads.com/lists/vpnc/devel/3442?

thank you.
GFB

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vpnc - 0.5.3r449-2.1

---------------
vpnc (0.5.3r449-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Bug fix: "Disconnects after an hour and loops trying to reconnect",
    thanks to Daniel Schepler (Closes: #496718, LP: #479632). Patch taken
    from upstream: http://www.gossamer-threads.com/lists/vpnc/devel/3442
 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 15 Nov 2010 09:21:03 +0000

Changed in vpnc (Ubuntu):
status: Confirmed → Fix Released
balak (balak) wrote :

Hi there:

Can somebody explain how to apply the fix to lucid?

Launchpad says natty has been updated. Will it be backported to lucid (since it's supposed to be an LTS release)?

Came across this bug after googling for a while. My VPN disconnects at exactly 1 hour like clockwork.

Thanks!

balak (balak) wrote :

Answering my own question:

I downloaded the deb from natty repos and installed it manually in lucid. I guess this shouldn't be the official way. But I checked that the dependencies haven't changed from the previous version and I usually keep a note of all the s/w I installed 'unofficially'.

cashy (kispal-istvan) wrote :

Hi all,

I tried the new package located here: https://launchpad.net/ubuntu/natty/i386/vpnc/0.5.3r449-2.1

Still working. After 25 minutes. Seems to be correct.

Thanks to all,
  cashy

cashy (kispal-istvan) wrote :

Sorry, I made a mistake.

It only seemed to be correct. It wasn't working well. After 16-17 minutes, the connection hangs up.

So the problem is still pending...

cashy

Markus (markus-schlemmerbu) wrote :

All,

I'm working on getting my Ubuntu 10.04 (Core2Duo Platform, AMD/x64 Installation) talking to my CISCO backend (ASA5540, 8.05 Firmware) since the beginning of the week. What I can confirm after successful testing is that the P2 re-key mechanisms are working fine with 0.5.3r449-2.1 (i.e. re-key on time AND data is definitely working). However, the P1 re-key isn't working and I'm dropped out immediately.

With 0.5.3r449-2 I was witnessing constant (and unfortunately unsuccessful) P2 re-key attempts which ultimately led to the tear-down of the tunnel as too many unauthenticated ESP frames hit the ASA. I'm unsure if the P1 re-key problem existed as well, as the P1 proposal usually has a longer lifetime than the P2 proposal.

I agree with Cashy that this has to be flagged as open, however not within the original context as this isn't affecting the IPSEC SA anymore. The problem seems to be within the IKE SA (maybe ISAKMP).

Thanks & regards,
Markus

Markus (markus-schlemmerbu) wrote :

Just to clarify: as I wrote: "However, the P1 re-key isn't working and I'm dropped out immediately.", immediately has to be understood as immediately at the time where the IKE re-key handled by the ISAKMP takes place.

Thanks & regards,
Markus

Gonzalo Campuris (gcampuris) wrote :

Has anyone fixed this issue?

I am using Ubuntu 11.10 and vpnc 0.5.3r449-2.1 and still have this problem: the connection hangs up and I have to stop the VPN to fix it.

$lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
$ uname -a
Linux noc03 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:48:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
gcampuris@noc03:~$ apt-cache policy vpnc
vpnc:
  Installed: 0.5.3r449-2.1
  Candidate: 0.5.3r449-2.1
  Version table:
 *** 0.5.3r449-2.1 0
        500 http://ar.archive.ubuntu.com/ubuntu/ oneiric/universe amd64 Packages
        100 /var/lib/dpkg/status
$ apt-cache policy network-manager-vpnc
network-manager-vpnc:
  Installed: 0.9.0-0ubuntu1
  Candidate: 0.9.0-0ubuntu1
  Version table:
 *** 0.9.0-0ubuntu1 0
        500 http://ar.archive.ubuntu.com/ubuntu/ oneiric/universe amd64 Packages
        100 /var/lib/dpkg/status
$ apt-cache policy network-manager-vpnc-gnome
network-manager-vpnc-gnome:
  Installed: 0.9.0-0ubuntu1
  Candidate: 0.9.0-0ubuntu1
  Version table:
 *** 0.9.0-0ubuntu1 0
        500 http://ar.archive.ubuntu.com/ubuntu/ oneiric/universe amd64 Packages
        100 /var/lib/dpkg/status
$

Thanks.-

Florian Schlichting (fschlich) wrote :

This bug is closed, and the fix has been in Ubuntu since vpnc/0.5.3r449-2.1 (likely 11.04).

If there are other, similar issues, please do not discuss them here, but open a new bug for that.

And please check if any such issue is already fixed in vpnc/0.5.3r512-1 (in 12.04), which is the first SVN snapshot (new upstream version) since 2010 and should fix a fair number of issues discussed on the developer list in recent years.

Abhay (abhay-singh0310) wrote :

Hi Arjan,

How can we use this patch in Ubuntu 13.10?

Abhay (abhay-singh0310) wrote :

In your comment #7 you have shared two patches for the VPN connection.
How can we use them?
I'm a new user of Ubuntu.

Changed in vpnc (Fedora):
importance: Unknown → Medium
status: Confirmed → Won't Fix