vpnc drops connection with reason "connection terminated by dead peer detection" after a few minutes

Bug #700767 reported by nicolas mouart
This bug affects 6 people
Affects: vpnc (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: vpnc

Hi,

I'm using vpnc to connect to a Pix 501. vpnc drops the connection after a few minutes.
Starting vpnc in no detach mode with debug level 2, I can see that the connection is dropped with reason "connection terminated by dead peer detection".
NOTE: On the Pix side I have enabled the debugging feature: "debug crypto isakmp"

After the connection is initiated successfully, the first notification works fine.

On the Pix side :

ISAMKP (0): received DPD_R_U_THERE from peer <client IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1

On client side :

got r-u-there ack

But after a couple of minutes, the client displays the following message: "dead peer detected, terminating" and finally "connection terminated by dead peer detection".

On the Pix side :

ISAMKP (0): received DPD_R_U_THERE from peer <client IP>
ISAMKP (0): DPD_R_U_THERE: received seq_no 3848362003 out of range, expected 3831584788

I found the reason here; this is a known issue:

http://www.gossamer-threads.com/lists/vpnc/devel/3488

It is fixed by this patch: http://xcyb.org/vpnc/dpd_big-endian.diff.

I recompiled vpnc with the patch and it works fine after this.

I hope it helps.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: vpnc 0.5.3r449-2
ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
Uname: Linux 2.6.35-24-generic x86_64
Architecture: amd64
Date: Sun Jan 9 19:06:10 2011
ProcEnviron:
 LANG=en_GB.utf8
 SHELL=/bin/bash
SourcePackage: vpnc
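
The two sequence numbers in the Pix log above differ in exactly the way a byte-order mistake would produce, which this added example (not part of the original report and not vpnc's code) works through. It assumes the Pix expects the previous DPD sequence number plus one, and models a client on a little-endian host that increments the raw wire bytes as a native integer; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Portable 32-bit byte swap: what a little-endian CPU sees when it
 * loads four network-order bytes as a native integer, and vice versa. */
static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0x0000FF00u) |
           ((v << 8) & 0x00FF0000u) | (v << 24);
}

/* Correct behaviour: increment the value as it is carried on the wire. */
uint32_t next_seq_correct(uint32_t wire_seq) {
    return wire_seq + 1;
}

/* Modelled defect (assumption): the wire bytes are treated as a
 * little-endian host integer, incremented, and sent back unconverted,
 * so the most significant wire byte is the one that changes. */
uint32_t next_seq_le_host(uint32_t wire_seq) {
    return bswap32(bswap32(wire_seq) + 1);
}

/* Triage helper for a "seq_no ... out of range, expected ..." log line:
 * returns 1 when the received value is what the modelled defect would
 * send after the sequence number the peer last accepted. */
int matches_byte_order_bug(uint32_t expected, uint32_t received) {
    uint32_t last_accepted = expected - 1;
    return received != expected &&
           next_seq_le_host(last_accepted) == received;
}

int main(void) {
    /* Values copied from the Pix debug output in the report. */
    uint32_t expected = 3831584788u; /* 0xE4615814 */
    uint32_t received = 3848362003u; /* 0xE5615813 */

    printf("expected 0x%08X, received 0x%08X\n",
           (unsigned)expected, (unsigned)received);
    printf("correct next after 0x%08X: 0x%08X\n",
           (unsigned)(expected - 1),
           (unsigned)next_seq_correct(expected - 1));
    printf("little-endian host next:   0x%08X\n",
           (unsigned)next_seq_le_host(expected - 1));
    printf("matches byte-order model:  %s\n",
           matches_byte_order_bug(expected, received) ? "yes" : "no");
    return 0;
}
```

The same helper can be applied to any expected/received pair from a peer's DPD debug log to separate this failure from a genuinely lost or replayed R-U-THERE.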

Ilis (ilis) wrote :

The same bug.

   lifetime status: 331 of 28800 seconds used, 17|11 of 4608000 kbytes used
   dead peer detected, terminating
   lifetime status: 336 of 28800 seconds used, 17|11 of 4608000 kbytes used
vpnc[17956]: connection terminated by dead peer detection

vpnc version: 0.5.3r449-2

$ uname -a
Linux ... 2.6.35-25-generic #44-Ubuntu SMP Fri Jan 21 17:40:48 UTC 2011 i686 GNU/Linux

DISTRIB_RELEASE=10.10

Ilis (ilis)
Changed in vpnc (Ubuntu):
status: New → Confirmed
Jan (jan-welker) wrote :

Same problem here:

vpnc[2958]: connection terminated by dead peer detection

Using Ubuntu 10.10

Ilis (ilis) wrote :

The same on Ubuntu 11.04

Version: 0.5.3r449-2.1

   lifetime status: 331 of 28800 seconds used, 23|19 of 4608000 kbytes used
   NAT-T mode, adding non-esp marker
vpnc[11959]: connection terminated by dead peer detection

Mathieu Trudel-Lapierre (cyphermox) wrote :

Could it be that because of the network design you should disable dead peer detection in the UI? Please try this and report back here if it fixes the issue. Thanks!

Changed in vpnc (Ubuntu):
status: Confirmed → Incomplete
Ilis (ilis) wrote :

I can't find an option to disable dead peer detection in the man pages for vpnc.

The network design allows many Windows users to work (it's a corporate VPN server).

I think the problem is well described in the first message of this thread.

Mathieu Trudel-Lapierre (cyphermox) wrote :

You can disable DPD in two ways:

1) Add:
DPD idle timeout (our side) 0
to your config file.

2) pass --dpd-idle 0 to vpnc when you start it.

Both are listed in the manpage.

This however doesn't mean it shouldn't be fixed in the development release (and provided it's small enough a change, backported to Natty); so for now I'll mark this Triaged/Medium and I'll try to tackle this ASAP.

Changed in vpnc (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
tags: added: bitesize lucid natty
Mathieu Trudel-Lapierre (cyphermox) wrote :

Added the tags for other affected releases, I guess the fix might be backportable to each of them, provided it's small enough (pending someone to look into it).

Added the bitesize tag too since this should be easy enough to tackle for new contributors; it's a matter of updating vpnc in Oneiric, and applying rev 451 as a possible SRU to the others (as long as it's not too intrusive or depends on rev 450... etc).

Ilis (ilis) wrote :

It looks like it works well with DPD disabled

lifetime status: 1191 of 28800 seconds used, 204|171 of 4608000 kbytes used

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vpnc - 0.5.3r550-3

---------------
vpnc (0.5.3r550-3) unstable; urgency=medium

  [ John-John Tedro ]
  * Add bug_799429.patch (closes: #799429)

  [ Helmut Grohne ]
  * Fix FTCBFS: Use triplet-prefixed build tools (closes: #839015)

  [ Dan Lenski ]
  * Add Mihai Maties dpd_big-endian.patch LP: #700767
  * Add Dan Lenski's restore_original_cwd_after_vpnc_main_loop.patch
    LP: #1612100 closes: #833988

  [ Florian Schlichting ]
  * Recommend iproute2 instead of transitional iproute (closes: #824682)
  * Declare compliance with Debian Policy 3.9.8
  * Use secure URIs for Homepage and VCS fields
  * Add debhelper and dpkg-dev minimum versions for restriction formula
    support, drop pre-dependency on dpkg version satisfied in oldstable

 -- Florian Schlichting <email address hidden> Wed, 23 Nov 2016 21:40:52 +0100

Changed in vpnc (Ubuntu):
status: Triaged → Fix Released