vpnc dead peer detection disconnects immediately

Bug #93413 reported by Lee Connell
78
This bug affects 2 people
Affects Status Importance Assigned to Milestone
vpnc (Debian)
Fix Released
Unknown
vpnc (Ubuntu)
Fix Released
Medium
Anton
Feisty
Fix Released
Medium
Michael Bienia

Bug Description

Binary package hint: vpnc

This was not a problem with 3.3, with 4.0 this is happening and disconnects my vpn almost immediately.

Mar 18 11:28:04 lee-laptop vpnc[12104]: connection terminated by dead peer detection

ProblemType: Bug
Architecture: i386
Date: Sun Mar 18 11:30:25 2007
DistroRelease: Ubuntu 7.04
Uname: Linux lee-laptop 2.6.20-11-generic #2 SMP Thu Mar 15 08:03:07 UTC 2007 i686 GNU/Linux

Revision history for this message
Mitch Anderson (metarx) wrote :

I'm also having this same issue.

However, mine will stay connected for < 30 seconds. Tho it seems it depends on the amount of data. Its about long enough for me to ssh into a host and su to root, and then it stops responding, and this error is in /var/log/syslog

Mar 18 19:43:28 carnage vpnc[11612]: connection terminated by dead peer detection

Uname: Linux carnage 2.6.20-12-generic #2 SMP Sun Mar 18 03:07:14 UTC 2007 i686 GNU/Linux

Date: Sun Mar 18 19:45:57 MDT 2007

Revision history for this message
Peter Adamka (malmo) wrote :

I got the same issue.
There is no workarround for this.

>uname -a
Linux phobos 2.6.20-11-generic #2 SMP Thu Mar 15 08:03:07 UTC 2007 i686

Revision history for this message
Jeb Benbow (jebenbow) wrote :

+1

I downgraded to 0.3.3 to get things working again.

$ uname -a
Linux strongbadia 2.6.20-11-generic #2 SMP Thu Mar 15 03:43:56 UTC 2007 x86_64 GNU/Linux

Revision history for this message
DevenPhillips (deven-phillips) wrote :

Yet another vote for this being a problem. I'm on Feisty with all of the latest packages as of this morning. I get disconnected withing 60 seconds every time.

Deven Phillips, CISSP, CCNA
Systems Administrator
Metal Sales Manufacturing Corp.

Revision history for this message
gfunicus (tsuther) wrote :

Same problem here, 5 to 30 seconds until disconnect.

$ apt-show-versions vpnc
vpnc/feisty uptodate 0.4.0-2ubuntu1

$ uname -a
Linux AngryButler68 2.6.20-13-386 #2 Sun Mar 25 00:18:53 UTC 2007 i686 GNU/Linux

Revision history for this message
Ante Karamatić (ivoks) wrote :

I'm marking this confirmed since couple of users reported this. I use vpnc on daily basis and this kind of thing never hapend.

Changed in vpnc:
importance: Undecided → Medium
status: Unconfirmed → Confirmed
Revision history for this message
DevenPhillips (deven-phillips) wrote :

Ante,

    Are you using the 4.x vpnc?

Deven

Revision history for this message
DevenPhillips (deven-phillips) wrote :

Additional Information:

Version installed: vpnc-0.4.0-2ubuntu1

Connecting to PIX 515 using Group Auth and XAuth.

Log message: vpnc[13375]: connection terminated by dead peer detection

See attachment for output from "vpnc-connect --debug 3 --no-detach <Profile>"

Revision history for this message
Wilbur Harvey (wilbur-harvey-spirentcom) wrote :

I also have the same problem. It lasts about 30 seconds and dies every time.
I have all the latest Feisty updates as of 03/29/2007

wharvey@nforce41:~$ apt-show-versions vpnc
vpnc/feisty uptodate 0.4.0-2ubuntu1

A few weeks ago everything worked fine.

To the same server:
WindowsXP default VPNC client works fine.
Cisco Client for my Mac works fine.
Default Mac client won't connect at all.

Revision history for this message
thomasn80 (thomasn80) wrote :

I don't know how to install an older version except doing the way I just did:

Added into /etc/apt/source.list:

deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe

Started Synaptics, searched for 'vpnc' and deinstalled my current version. Then I chose the menu Package and from there chose 'Force Version' to install v0.3.3+SVN.

This solved the problem, I now have a stable connection.

Revision history for this message
DevenPhillips (deven-phillips) wrote : Re: [Bug 93413] Re: vpnc dead peer detection disconnects immediately

What devices are everyone connecting to. Could this problem be specific to
the PIX? Are any VPN concentrator users having this issue?

Deven Phillips, CISSP, CCNA

On 4/3/07, ThomasNovin <email address hidden> wrote:
>
> I don't know how to install an older version except doing the way I just
> did:
>
> Added into /etc/apt/source.list:
>
> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
>
> Started Synaptics, searched for 'vpnc' and deinstalled my current
> version. Then I chose the menu Package and from there chose 'Force
> Version' to install v0.3.3+SVN.
>
> This solved the problem, I now have a stable connection.
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Revision history for this message
Mitch Anderson (metarx) wrote :

The one I was connecting to was a Cisco Pix 515. Which I know is very
old. Its been since swapped with a newer ASA, but I have yet to test to
see if I'm still having problems with the ASA. But after seeing someone
else having problems also with an older PIX, I've wondered myself if its
just a problem with connecting to them.

DevenPhillips wrote:
> What devices are everyone connecting to. Could this problem be specific to
> the PIX? Are any VPN concentrator users having this issue?
>
> Deven Phillips, CISSP, CCNA
>
> On 4/3/07, ThomasNovin <email address hidden> wrote:
>> I don't know how to install an older version except doing the way I just
>> did:
>>
>> Added into /etc/apt/source.list:
>>
>> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
>> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
>>
>> Started Synaptics, searched for 'vpnc' and deinstalled my current
>> version. Then I chose the menu Package and from there chose 'Force
>> Version' to install v0.3.3+SVN.
>>
>> This solved the problem, I now have a stable connection.
>>
>> --
>> vpnc dead peer detection disconnects immediately
>> https://bugs.launchpad.net/bugs/93413
>> You received this bug notification because you are a direct subscriber
>> of the bug.
>>
>

Revision history for this message
DevenPhillips (deven-phillips) wrote :

PIX 515 isn't all that old. We just bought ours about 1.5 years ago.

Deven Phillips, CISSP, CCNA

On 4/3/07, Mitch <email address hidden> wrote:
>
> The one I was connecting to was a Cisco Pix 515. Which I know is very
> old. Its been since swapped with a newer ASA, but I have yet to test to
> see if I'm still having problems with the ASA. But after seeing someone
> else having problems also with an older PIX, I've wondered myself if its
> just a problem with connecting to them.
>
> DevenPhillips wrote:
> > What devices are everyone connecting to. Could this problem be specific
> to
> > the PIX? Are any VPN concentrator users having this issue?
> >
> > Deven Phillips, CISSP, CCNA
> >
> > On 4/3/07, ThomasNovin <email address hidden> wrote:
> >> I don't know how to install an older version except doing the way I
> just
> >> did:
> >>
> >> Added into /etc/apt/source.list:
> >>
> >> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> >> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
> >>
> >> Started Synaptics, searched for 'vpnc' and deinstalled my current
> >> version. Then I chose the menu Package and from there chose 'Force
> >> Version' to install v0.3.3+SVN.
> >>
> >> This solved the problem, I now have a stable connection.
> >>
> >> --
> >> vpnc dead peer detection disconnects immediately
> >> https://bugs.launchpad.net/bugs/93413
> >> You received this bug notification because you are a direct subscriber
> >> of the bug.
> >>
> >
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Revision history for this message
Lee Connell (lee-a-connell) wrote :

i have issue on 501, 506, 515 until I roll back to vpnc 3.3

>From: Mitch <email address hidden>
>Reply-To: Bug 93413 <email address hidden>
>To: <email address hidden>
>Subject: Re: [Bug 93413] Re: vpnc dead peer detection disconnects
>immediately
>Date: Tue, 03 Apr 2007 16:47:45 -0000
>
>The one I was connecting to was a Cisco Pix 515. Which I know is very
>old. Its been since swapped with a newer ASA, but I have yet to test to
>see if I'm still having problems with the ASA. But after seeing someone
>else having problems also with an older PIX, I've wondered myself if its
>just a problem with connecting to them.
>
>DevenPhillips wrote:
> > What devices are everyone connecting to. Could this problem be specific
>to
> > the PIX? Are any VPN concentrator users having this issue?
> >
> > Deven Phillips, CISSP, CCNA
> >
> > On 4/3/07, ThomasNovin <email address hidden> wrote:
> >> I don't know how to install an older version except doing the way I
>just
> >> did:
> >>
> >> Added into /etc/apt/source.list:
> >>
> >> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> >> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
> >>
> >> Started Synaptics, searched for 'vpnc' and deinstalled my current
> >> version. Then I chose the menu Package and from there chose 'Force
> >> Version' to install v0.3.3+SVN.
> >>
> >> This solved the problem, I now have a stable connection.
> >>
> >> --
> >> vpnc dead peer detection disconnects immediately
> >> https://bugs.launchpad.net/bugs/93413
> >> You received this bug notification because you are a direct subscriber
> >> of the bug.
> >>
> >
>
>--
>vpnc dead peer detection disconnects immediately
>https://bugs.launchpad.net/bugs/93413
>You received this bug notification because you are a direct subscriber
>of the bug.

_________________________________________________________________
The average US Credit Score is 675. The cost to see yours: $0 by Experian.
http://www.freecreditreport.com/pm/default.aspx?sc=660600&bcd=EMAILFOOTERAVERAGE

Revision history for this message
DevenPhillips (deven-phillips) wrote :

So, it appears that the issue may be specific to the PIX devices.

Deven

On 4/3/07, Lee Connell <email address hidden> wrote:
>
> i have issue on 501, 506, 515 until I roll back to vpnc 3.3
>
> >From: Mitch <email address hidden>
> >Reply-To: Bug 93413 <email address hidden>
> >To: <email address hidden>
> >Subject: Re: [Bug 93413] Re: vpnc dead peer detection disconnects
> >immediately
> >Date: Tue, 03 Apr 2007 16:47:45 -0000
> >
> >The one I was connecting to was a Cisco Pix 515. Which I know is very
> >old. Its been since swapped with a newer ASA, but I have yet to test to
> >see if I'm still having problems with the ASA. But after seeing someone
> >else having problems also with an older PIX, I've wondered myself if its
> >just a problem with connecting to them.
> >
> >DevenPhillips wrote:
> > > What devices are everyone connecting to. Could this problem be
> specific
> >to
> > > the PIX? Are any VPN concentrator users having this issue?
> > >
> > > Deven Phillips, CISSP, CCNA
> > >
> > > On 4/3/07, ThomasNovin <email address hidden> wrote:
> > >> I don't know how to install an older version except doing the way I
> >just
> > >> did:
> > >>
> > >> Added into /etc/apt/source.list:
> > >>
> > >> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> > >> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
> > >>
> > >> Started Synaptics, searched for 'vpnc' and deinstalled my current
> > >> version. Then I chose the menu Package and from there chose 'Force
> > >> Version' to install v0.3.3+SVN.
> > >>
> > >> This solved the problem, I now have a stable connection.
> > >>
> > >> --
> > >> vpnc dead peer detection disconnects immediately
> > >> https://bugs.launchpad.net/bugs/93413
> > >> You received this bug notification because you are a direct
> subscriber
> > >> of the bug.
> > >>
> > >
> >
> >--
> >vpnc dead peer detection disconnects immediately
> >https://bugs.launchpad.net/bugs/93413
> >You received this bug notification because you are a direct subscriber
> >of the bug.
>
> _________________________________________________________________
> The average US Credit Score is 675. The cost to see yours: $0 by Experian.
>
> http://www.freecreditreport.com/pm/default.aspx?sc=660600&bcd=EMAILFOOTERAVERAGE
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Revision history for this message
gfunicus (tsuther) wrote :

I do not appear to have the problem on at least one ASA Version 7.1(2), but
do seem to have a problem on multiple pix's.

On 4/3/07, DevenPhillips <email address hidden> wrote:
>
> So, it appears that the issue may be specific to the PIX devices.
>
> Deven
>
> On 4/3/07, Lee Connell <email address hidden> wrote:
> >
> > i have issue on 501, 506, 515 until I roll back to vpnc 3.3
> >
> > >From: Mitch <email address hidden>
> > >Reply-To: Bug 93413 <email address hidden>
> > >To: <email address hidden>
> > >Subject: Re: [Bug 93413] Re: vpnc dead peer detection disconnects
> > >immediately
> > >Date: Tue, 03 Apr 2007 16:47:45 -0000
> > >
> > >The one I was connecting to was a Cisco Pix 515. Which I know is very
> > >old. Its been since swapped with a newer ASA, but I have yet to test
> to
> > >see if I'm still having problems with the ASA. But after seeing
> someone
> > >else having problems also with an older PIX, I've wondered myself if
> its
> > >just a problem with connecting to them.
> > >
> > >DevenPhillips wrote:
> > > > What devices are everyone connecting to. Could this problem be
> > specific
> > >to
> > > > the PIX? Are any VPN concentrator users having this issue?
> > > >
> > > > Deven Phillips, CISSP, CCNA
> > > >
> > > > On 4/3/07, ThomasNovin <email address hidden> wrote:
> > > >> I don't know how to install an older version except doing the way I
> > >just
> > > >> did:
> > > >>
> > > >> Added into /etc/apt/source.list:
> > > >>
> > > >> deb http://se.archive.ubuntu.com/ubuntu/ edgy universe
> > > >> deb-src http://se.archive.ubuntu.com/ubuntu/ edgy universe
> > > >>
> > > >> Started Synaptics, searched for 'vpnc' and deinstalled my current
> > > >> version. Then I chose the menu Package and from there chose 'Force
> > > >> Version' to install v0.3.3+SVN.
> > > >>
> > > >> This solved the problem, I now have a stable connection.
> > > >>
> > > >> --
> > > >> vpnc dead peer detection disconnects immediately
> > > >> https://bugs.launchpad.net/bugs/93413
> > > >> You received this bug notification because you are a direct
> > subscriber
> > > >> of the bug.
> > > >>
> > > >
> > >
> > >--
> > >vpnc dead peer detection disconnects immediately
> > >https://bugs.launchpad.net/bugs/93413
> > >You received this bug notification because you are a direct subscriber
> > >of the bug.
> >
> > _________________________________________________________________
> > The average US Credit Score is 675. The cost to see yours: $0 by
> Experian.
> >
> >
> http://www.freecreditreport.com/pm/default.aspx?sc=660600&bcd=EMAILFOOTERAVERAGE
> >
> > --
> > vpnc dead peer detection disconnects immediately
> > https://bugs.launchpad.net/bugs/93413
> > You received this bug notification because you are a direct subscriber
> > of the bug.
> >
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Revision history for this message
Anivair (anivair) wrote :

I'm having this same problem. Some code from /var/log/syslog (not too much):

Apr 5 13:45:51 ltsp-2 vpnc[30422]: connection terminated by dead peer detection

That's all that is relevant. I'm connecting to a Cisco 3060 Concentrator. Not PIX at all.

Revision history for this message
OrkanSpec (orkanspec) wrote :

I have the same problem. vpnc disconnects in less than a minute in feisty.

Revision history for this message
Jeb Benbow (jebenbow) wrote :

With the feisty release only a week away what should we do to resolve this bug?

The Debian bug report lists a fix to be removing the patch 06_stolen_from_head.dpatch
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=416180)

Another option would be to revert back to VPNC 3.3

Luca, Can you point this in the right direction?

Revision history for this message
thomas michel (tom-michel) wrote :

Hi,

it does not seem to be specific to pix asa. I got the same problem here with a Cisco 1812 Router.

Revision history for this message
DevenPhillips (deven-phillips) wrote :

No, the bug is not PIX specific. The problem appears to be with the Dead Peer Detection code in vpnc. I have spoken with people on the vpnc development team and they are looking for people to help in debugging the problem. I would recommend rolling back to 0.3.3 for Feisty final release though.... This bug is not going to be fixed in time for release.

Deven Phillips, CISSP, CCNA

Revision history for this message
Dennis Krul (launchpad-themirror) wrote :

I have similar problems with the vpnc package.

Rolling back to 0.3.3 is not an option for me, because my environment requires the 'vendor' option which is introduced in 0.4.0.

Compiling 0.4.0 from source solves the problem for me.

In my opinion the best solution is to remove the patch and package vpnc as is.

Revision history for this message
James Tait (jamestait) wrote :

I have currently rolled back to 0.3.3 but I'm willing to help out with fixing 0.4.0. While I can't offer unrestricted access to our production PIX, I'm quite happy to supply debug output where it will help. Note that I'm not really familiar with the Debian/Ubuntu build process, so I'd need to get up to speed on that first and also take some advice on what sensitive bits (usernames, passwords, etc) I'd need to be wary of in the output.

Revision history for this message
Claus (clauslund) wrote :

I'm seeing this problem as well ... and would be willing to help troubleshoot as much as needed. However, I'm at the same point as James Tait (I'd need very specific instructions on what to do and what to look for).

I'm connecting to a PIX 515...

Revision history for this message
Rocco (rocco) wrote :

Same problem, connecting to a PIX. Is there a smooth way around this problem while this is fixed in Ubuntu?

Revision history for this message
artt (cualquiercosa) wrote :

I've solved it by rebuilding without the patch:

cd /usr/src
sudo apt-get source vpnc
cd vpnc-0.4.0/debian/patches

sudo gedit 00list

remove the line 06_stolen_from_head

cd ../..
sudo debian/rules binary

cd ..

sudo apt-get remove vpnc
sudo dpkg -i vpnc_0.4.0-2ubuntu1_i386.deb

if you had installed network-manager-vpnc you'll have to reinstall it

be careful when upgrading the system, don't update vpnc or you will get the patched version

Revision history for this message
James Tait (jamestait) wrote :

I'm working on a patch to allow a config option to disable RFC3706 Dead Peer Detection. All being well should be available in the next day or so.

Revision history for this message
James Tait (jamestait) wrote :

I'm attaching above-mentioned patch for someone with greater knowledge than me to test.

The patch is completely untested as I currently have no idea about building and packaging in Ubuntu. I'm sure I'll get up to speed eventually, but in the meantime if someone else is able to apply the patch and make any required changes to get it working then it can be tested, rather than waiting for me to learn what I need to learn to test it myself.

Revision history for this message
Amit Kucheria (amitk) wrote :

Comment 26 by artt fixes problems for me as well. Connecting to a Cisco here...

Revision history for this message
aoyoyo (naiyanat) wrote :

can't apt-get source vpnc

Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to find a source package for vpnc

<b>my /etc/apt/source.list</b>
deb http://us.archive.ubuntu.com/ubuntu feisty universe
deb http://wine.budgetdedicated.com/apt feisty main
deb http://th.archive.ubuntu.com/ubuntu/ feisty main restricted
deb-src http://th.archive.ubuntu.com/ubuntu/ feisty main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://th.archive.ubuntu.com/ubuntu/ feisty-updates main restricted
deb-src http://th.archive.ubuntu.com/ubuntu/ feisty-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
# deb http://th.archive.ubuntu.com/ubuntu/ edgy universe
#deb-src http://th.archive.ubuntu.com/ubuntu/ edgy universe

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://th.archive.ubuntu.com/ubuntu/ edgy-backports main restricted universe multiverse
#deb-src http://th.archive.ubuntu.com/ubuntu/ edgy-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu feisty-security main restricted
deb-src http://security.ubuntu.com/ubuntu feisty-security main restricted
deb http://security.ubuntu.com/ubuntu edgy-security universe
#deb-src http://security.ubuntu.com/ubuntu edgy-security universe
deb http://archive.ubuntu.com/ubuntu/ feisty-proposed restricted main multiverse universe
deb http://archive.ubuntu.com/ubuntu/ feisty-backports restricted main multiverse universe

Revision history for this message
James Tait (jamestait) wrote :

aoyoyo, I think you need to add universe to the deb-src line, thus:

deb-src http://th.archive.ubuntu.com/ubuntu/ feisty main restricted universe

Revision history for this message
aoyoyo (naiyanat) wrote :

Hi James,

You have something else. I got this error.

aoyoyo@aoyoyo-laptop:/usr/src$ sudo apt-get source vpnc
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Could not open file /var/lib/apt/lists/th.archive.ubuntu.com_ubuntu_dists_feisty_universe_source_Sources - open (2 No such file or directory)

Revision history for this message
artt (cualquiercosa) wrote :

I think you have to do an

apt-get update

before you can access the repository

Revision history for this message
aoyoyo (naiyanat) wrote :

functioning. thanks a lot artt.

Revision history for this message
Tomas Thiemel (thiemel) wrote :

SOLUTION
https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/93413/comments/26
WORKS
even on x86_64 - just change
"sudo dpkg -i vpnc_0.4.0-2ubuntu1_i386.deb"
to
"sudo dpkg -i vpnc_0.4.0-2ubuntu1_amd64.deb"

* artt, you saved my life! :-) *

Yesterday, I upgraded from Ubuntu 6.10 to 7.04 and today I had problem to connect to internet via school's WiFi network and VPN, sice I found the solution.

It was hard to find ("to google") this solution, so here are some "key words" to help the solution:
===================
...
VPNC started in foreground...
lifetime status: 3 of 7200 seconds used, 0|0 of 0 kbytes used
...
lifetime status: 31 of 7200 seconds used, 36|15 of 0 kbytes used
dead peer detected, terminating
S7.10
S8
===================
vpnc
disconnect
dead peer detected, terminating
===================

Revision history for this message
DevenPhillips (deven-phillips) wrote :

I also concur with the results. artt's removal of the 06 patch fixes the client for me.

Revision history for this message
James Tait (jamestait) wrote :

But doesn't removing the 06 patch completely disable DPD and some other functionality even for those devices with which it works?

Revision history for this message
Fernando (fernando-medina) wrote :

Downloaded the vpnc sources and removed the 06 line as stated. I got a error trying to compile the Debian way, so I just removed the vpnc packages then just make, make install and my vpnc is now working perfectly again.

I think this is pretty serious big, and seems fairly simple to fix, at least temporarily, why is it not getting done?

thanks to all in the forum,

Revision history for this message
DevenPhillips (deven-phillips) wrote :

As of yesterday, the configuration option to disable Dead Peer Detection in vpnc is in the CVS repository for vpnc. Can we get an updated Ubuntu package soon?

Revision history for this message
James Tait (jamestait) wrote :

If I understand DevenPhillips' last message correctly, this is no longer required, but I'm attaching the corrected, tested patch to allow disabling of Dead Peer Detection.

I have an AMD64 package available if others would like to test it.

If you wish to build your own package:

  - place this file in vpnc-0.4.0/debian/patches
  - cd vpnc-0.4.0
  - echo 09_config_disable_dpd.dpatch >> debian/patches/00list
  - sudo debian/rules binary

Changed in vpnc:
status: Unknown → Unconfirmed
Michael Bienia (geser)
Changed in vpnc:
assignee: nobody → geser
status: Confirmed → In Progress
Martin Pitt (pitti)
Changed in vpnc:
status: In Progress → Needs Info
James Tait (jamestait)
Changed in vpnc:
status: Needs Info → Fix Committed
Martin Pitt (pitti)
Changed in vpnc:
status: Unconfirmed → Fix Committed
26 comments hidden view all 106 comments
Revision history for this message
James Tait (jamestait) wrote :

Works for me in Feisty.

Revision history for this message
Panda_N_Shark (info-codedmind) wrote :

Problem solve for me.

Ubuntu feisty connect to a pix

Thanks

Revision history for this message
thomasn80 (thomasn80) wrote :

The problem with 20 minutes was not related, I had the same problem in 0.3.3+SVN. Fix is OK.

Michael Bienia (geser)
Changed in vpnc:
assignee: nobody → geser
importance: Undecided → Medium
status: Fix Committed → Fix Released
Revision history for this message
TomasHnyk (sup) wrote :

Works for me, at least as much as I can say after 1,5 hour long testing.

Revision history for this message
Emmet Hikory (persia) wrote :

I've unsubscribed ubuntu-universe-sponsors, as no further Ubuntu uploads are currently required for this bug. If an alternate solution requires sponsorship in the future, please resubscribe. Thank you.

Changed in vpnc:
status: Unconfirmed → Fix Released
Revision history for this message
Michael Bienia (geser) wrote :

The fixed package works for me too.

The package has been available a week for testing and I count (including me) 5 "works for me" and no regressions. This should be enough to get the package moved to feisty-updates.
Thanks for the testing.

Changed in vpnc:
status: Fix Released → Unconfirmed
Revision history for this message
Martin Pitt (pitti) wrote :

Copied to feisty-updates.

Changed in vpnc:
status: Fix Committed → Fix Released
Revision history for this message
OrkanSpec (orkanspec) wrote :

Just another confirmation: works for me.
Kubuntu 7.04 amd64
vpnc 0.4.0-2ubuntu1.1
It has been the best version so far.
The previous version 0.4.0-2ubuntu1 disconnected in a minute.
vpnc in Dapper and Edgy disconnected in 10-15 minutes.
Current version does not disconnect - I have tested it for 40 minutes.

Revision history for this message
Alarik Myrin (alarik-sknt) wrote :
Download full text (11.6 KiB)

I'm trying out the suggestion posted here:

https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/93413/comments/26

I must be missing a package. When I try this step:

sudo debian/rules binary

I get the following output:

dh_testdir
# Add here commands to compile the package.
/usr/bin/make
make[1]: libgcrypt-config: Command not found
make[1]: Entering directory `/usr/src/vpnc-0.4.0'
gcc -W -Wall -O0 -Wmissing-declarations -Wwrite-strings -g -DVERSION=\"0.4.0\" -c -o tunip.o tunip.c
tunip.c:84:20: error: gcrypt.h: No such file or directory
In file included from vpnc.h:24,
                 from tunip.c:87:
tunip.h:42: error: expected specifier-qualifier-list before ‘gcry_cipher_hd_t’
tunip.c: In function ‘encap_rawip_recv’:
tunip.c:189: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c:190: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:191: error: ‘struct ike_sa’ has no member named ‘bufpayload’
tunip.c:192: error: ‘struct ike_sa’ has no member named ‘bufsize’
tunip.c: In function ‘encap_udp_recv’:
tunip.c:218: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c:219: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:220: error: ‘struct ike_sa’ has no member named ‘bufpayload’
tunip.c:221: error: ‘struct ike_sa’ has no member named ‘bufsize’
tunip.c: In function ‘encap_any_decap’:
tunip.c:230: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:230: error: ‘struct ike_sa’ has no member named ‘bufpayload’
tunip.c:230: error: ‘struct ike_sa’ has no member named ‘var_header_size’
tunip.c:231: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c:231: error: ‘struct ike_sa’ has no member named ‘bufpayload’
tunip.c:231: error: ‘struct ike_sa’ has no member named ‘var_header_size’
tunip.c:232: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c: In function ‘tun_send_ip’:
tunip.c:245: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c:246: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:254: error: ‘struct ike_sa’ has no member named ‘buf’
tunip.c: In function ‘hmac_compute’:
tunip.c:283: error: ‘gcry_md_hd_t’ undeclared (first use in this function)
tunip.c:283: error: (Each undeclared identifier is reported only once
tunip.c:283: error: for each function it appears in.)
tunip.c:283: error: expected ‘;’ before ‘md_ctx’
tunip.c:289: warning: implicit declaration of function ‘gcry_md_open’
tunip.c:289: error: ‘md_ctx’ undeclared (first use in this function)
tunip.c:289: error: ‘GCRY_MD_FLAG_HMAC’ undeclared (first use in this function)
tunip.c:291: warning: implicit declaration of function ‘gcry_md_setkey’
tunip.c:293: warning: implicit declaration of function ‘gcry_md_write’
tunip.c:294: warning: implicit declaration of function ‘gcry_md_final’
tunip.c:295: warning: implicit declaration of function ‘gcry_md_read’
tunip.c:295: warning: assignment makes pointer from integer without a cast
tunip.c:304: warning: implicit declaration of function ‘gcry_md_close’
tunip.c: In function ‘encap_esp_encapsulate’:
tunip.c:328: error: ‘struct ike_sa’ has no member named ‘buflen’
tunip.c:328: error: ‘struct ike_sa’ has no member named ‘var_header_size’
tunip.c:328: error: ‘struct ike_sa’ has ...

Revision history for this message
TomasHnyk (sup) wrote :

Alarik Myrin
Why don't you just use the updated package? It should be in feisty-updates by now.

Revision history for this message
Alarik Myrin (alarik-sknt) wrote :

Ah yes, there it is, thank you.

Alarik

Revision history for this message
ih (ih-ad) wrote : Had to enable feisty-updates

The fix works.

Only want to point out that for some reason by default feisty-updates was not enabled (this is a clean install of 7.04 AMD64)

I had to enable it in Synaptic / Settings / Repositories in the "Updates" tab

Revision history for this message
TomasHnyk (sup) wrote :

I think I had to do the same think, though I do not remember since I tweaked the sources.list by hand anyway.

Could you please fill this as another bug? Search if it has not been reported before though. It might be by design but that would be strange since that would mean we do not trust our own updates...

Revision history for this message
ih (ih-ad) wrote :

I filed bug 119248 for the "feisty-updates not enabled by default"
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/119248

Revision history for this message
tanas (macarvalho) wrote :

Hate to say but I still get the "no response from target" message with 0.4.0ubuntu1.1 (yes I'm sure it's 1.1 and not 1).
Downgraded to 0.3.3 and it is working fine.
(then I upgraded back to 0.4.0-1.1 which failed again, and then back to 0.3.3 which worked fine)

(sorry, I'm a sort of newbie and couldn't find any log file)

Revision history for this message
TomasHnyk (sup) wrote :

tanas: do you ever connect? If not, you are probably not facing this bug.
If you indeed connect and disconnect exactly after 30 seconds, you probably are facing this bug - but that should not be possible, heh:-).

Revision history for this message
tanas (macarvalho) wrote :

I was indeed connected with 0.3.3.
vpnc said I was connected;
During the connection I checked my IP, and it was no longer the one I had before, but the IP from the VPN Server I was connected to;
I was able to connect to online services that depend on the vpn connection (intranet for instance);

With 0.4.0 I get the "no response" message after 14 or 15 seconds (not 30... possibly a new bug?) after I entered the password

Revision history for this message
TomasHnyk (sup) wrote :

Are you trying from the command line? Do you ever get an IP from the VPN server? (with current version)

Revision history for this message
tanas (macarvalho) wrote : Re: [Bug 93413] Re: vpnc dead peer detection disconnects immediately

Yep, from the command line (sudo vpnc-connect)

I dont know if I get the VPN server IP.. just have 15 seconds to
check.. Is there any way to check that?

Revision history for this message
TomasHnyk (sup) wrote :

well, the simplest probably is to open another gnome-terminal and periodically run ifconfig - if you do not see something there, it is unlikely you are dealing with this bug (open anoter bug, maybe try to go upstream first - link to vpnc mailing list is somewhere above)

Revision history for this message
tanas (macarvalho) wrote :

Uhm, I am behind a firewall, so ifconfig just gives the usual 192.168...
I tried a more primitive method: connecting with vpnc during a download. The download rate never decreased (which I guess it would if I were connected to the vpn server).
So I guess it is indeed a new bug

Revision history for this message
tanas (macarvalho) wrote :

thanks anyway!

Revision history for this message
TomasHnyk (sup) wrote :

it does not matter if you are behind a firewall, vpn gives you a new IP address anyway. a new interface called tun or tap is created usually.

Revision history for this message
tanas (macarvalho) wrote :

Sorry, I meant behind a router.
I tried my primitive test (downloading while connecting) using 0.3.3
and the download was interrupted immediately after introducing the
login.

On 25/06/07, TomasHnyk <email address hidden> wrote:
> it does not matter if you are behind a firewall, vpn gives you a new IP
> address anyway. a new interface called tun or tap is created usually.
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Revision history for this message
Lynoure Braakman (lynoure) wrote :

I'm having this problem (disconnecting after 30s) with up-to-date feisty with feisty-updates in use.

Revision history for this message
ih (ih-ad) wrote :

It is fixed in version vpnc-0.4.0-2ubuntu1.1 (notice the .1 at the end)

Go to Synaptic and check what version is it that you have installed and what version is available for install.

Also check your repositories list.

Revision history for this message
tanas (macarvalho) wrote :

I guess that message was just intended for Lynoure, because I have the
problem with the 1.1 package as well (but not with the 0.3.3)

On 06/07/07, ih <email address hidden> wrote:
> It is fixed in version vpnc-0.4.0-2ubuntu1.1 (notice the .1 at the end)
>
> Go to Synaptic and check what version is it that you have installed and
> what version is available for install.
>
> Also check your repositories list.
>
> --
> vpnc dead peer detection disconnects immediately
> https://bugs.launchpad.net/bugs/93413
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Revision history for this message
ih (ih-ad) wrote :

Hmm... Maybe it's a different problem or manifestation of said problem.

I definitely had the problem and it was definitely fixed for me with the 1.1 release (of 0.4). I am using it pretty much every day for extended periods of time. I had only one case when conenctivity disappeared, but network manager was still showing me as connected.

Revision history for this message
jan_k (wobble-gmx) wrote :

I can second tanas's experience. Connection break-down after about 30 seconds with the lates vpnc, but not with 0.3.3

Revision history for this message
tanas (macarvalho) wrote :

I am so sorry for the report above. On a clean Feisty installation
(same computer, same server) I was able to connect using vpnc
0.4.0ubuntu1.1 to my Cisco VPN Server.
I can however garantee that the problem I had before (also with
feisty) was consistent: 0.4.0-1.1 didn't work but 0.3.3 did. I tried
several times, totally removing ("Complete removal" option on
synaptics) everything related to vpnc between different attempts.

Revision history for this message
Ranjan (ranjansimon) wrote :

I have the same problem with 0.4.0ubunutu1.1 . It connects fine and is alive for sometime but disconnects suddenly without any notification. Here is the debug output
---------------------------------------------------------------------------
length: 0014
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 03 (ISAKMP_IPSEC_PROTO_IPSEC_ESP)
d.spi_length: 04
d.num_spi: 0002
d.spi: de42663b
d.spi: 2d7d6df3
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 001c
d.doi: 00000001 (ISAKMP_DOI_IPSEC)
d.protocol: 01 (ISAKMP_IPSEC_PROTO_ISAKMP)
d.spi_length: 10
d.num_spi: 0001
d.spi: d71ee671 b4ba9d01 41a8f878 11098722
DONE PARSING PAYLOAD type: 0c (ISAKMP_PAYLOAD_D)
PARSING PAYLOAD type: 00 (ISAKMP_PAYLOAD_NONE)
PARSE_OK

NAT-T mode, adding non-esp marker
S8
--------------------------------------

Any suggestions

Changed in vpnc:
status: New → Fix Released
Revision history for this message
NetherBen (bcx) wrote :

Try fooling with the value for --dpd-idle

  --dpd-idle <0,10-86400>
  DPD idle timeout (our side) <0,10-86400>
      Send DPD packet after not receiving anything for <idle> seconds.
      Use 0 to disable DPD completely (both ways).
    Default: 300

i.e.

In your config file have the line:

DPD idle timeout (our side) 0

(to disable it)

Revision history for this message
cbrmichi (cbrmichi) wrote :

how to do this with network-manager-vpnc?

Revision history for this message
knarf (launchpad-ubuntu-f) wrote :

For network-manager-vpnc you can either patch the program:

--- nm-vpnc-service.c.org 2008-05-01 21:40:38.000000000 +0200
+++ nm-vpnc-service.c 2008-05-01 20:58:24.000000000 +0200
@@ -379,6 +379,8 @@ static gint nm_vpnc_start_vpnc_binary (N
  g_ptr_array_add (vpnc_argv, (gpointer) (*vpnc_binary));
  g_ptr_array_add (vpnc_argv, (gpointer) "--non-inter");
  g_ptr_array_add (vpnc_argv, (gpointer) "--no-detach");
+ g_ptr_array_add (vpnc_argv, (gpointer) "--dpd-idle");
+ g_ptr_array_add (vpnc_argv, (gpointer) "0");
  g_ptr_array_add (vpnc_argv, (gpointer) "-");
  g_ptr_array_add (vpnc_argv, NULL);

or (simpler but possibly less flexible) replace /usr/bin/vpnc with a short script which adds --dpd-idle 0 to the command line. I took the former approach, you can make up the latter...

Revision history for this message
Julian Zeidler (julian-zeidlers) wrote :

da isses nimm option 2.

am besten du speicherst ein kleines script in /usr/local/bin ab

etwa der art:
#!/bin/bash
sudo vpnc-disconnect
sudo vpnc-connect outside --dpd-idle 0

knarf schrieb:
> For network-manager-vpnc you can either patch the program:
>
> --- nm-vpnc-service.c.org 2008-05-01 21:40:38.000000000 +0200
> +++ nm-vpnc-service.c 2008-05-01 20:58:24.000000000 +0200
> @@ -379,6 +379,8 @@ static gint nm_vpnc_start_vpnc_binary (N
> g_ptr_array_add (vpnc_argv, (gpointer) (*vpnc_binary));
> g_ptr_array_add (vpnc_argv, (gpointer) "--non-inter");
> g_ptr_array_add (vpnc_argv, (gpointer) "--no-detach");
> + g_ptr_array_add (vpnc_argv, (gpointer) "--dpd-idle");
> + g_ptr_array_add (vpnc_argv, (gpointer) "0");
> g_ptr_array_add (vpnc_argv, (gpointer) "-");
> g_ptr_array_add (vpnc_argv, NULL);
>
> or (simpler but possibly less flexible) replace /usr/bin/vpnc with a
> short script which adds --dpd-idle 0 to the command line. I took the
> former approach, you can make up the latter...
>
>

Revision history for this message
AlienMind (hosujael) wrote :

a more logical aproach:

mv /usr/sbin/vpnc /usr/sbin/vpnc2
vi /usr/sbin/vpnc #new file with content:

#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
cat | /usr/sbin/vpnc2 --non-inter --no-detach --dpd-idle 0 -

chmod +x /usr/sbin/vpnc

Revision history for this message
Mondin Marco (mondin-marco) wrote :

A similar aproach, I used that work whit kvpnc is:

sudo mv /usr/sbin/vpnc /usr/sbin/vpnc2
sudo nano /usr/sbin/vpnc

Put this lines in file:
#!/bin/bash --dpd-idle 0 $*

sudo chmod +x /usr/sbin/vpnc

It is a similar solution, but don't hang kvpnc.

Revision history for this message
Mondin Marco (mondin-marco) wrote :

Excuse me, i lost same thing:

A similar aproach, I used that work whit kvpnc is:

sudo mv /usr/sbin/vpnc /usr/sbin/vpnc2
sudo nano /usr/sbin/vpnc

Put this lines in file:
#!/bin/bash
/usr/sbin/vpnc2 --dpd-idle 0 $*

sudo chmod +x /usr/sbin/vpnc

It is a similar solution, but don't hang kvpnc.

Revision history for this message
burtbick (list-burtbicksler) wrote :

With Hardy (8.04) and KVPNC from the repository I was experiencing a similar problem.

I could get connected with our Cisco VPN, but then after a few seconds the connection would go down and shortly after that would not reconnect until I Quit KVPNC.

I played around with some timing and in Network/General I noticed the Use connection status check and that the interval was initially set to a relatively small value (I think it was 5 or 10). This happened to be the same interval that I was seeing the failure from the ping being sent out

After turning on level 3 logging I noticed that the failure was tied to a "ping" message being sent out. The message was error: Ping to IPAddr within 1 checks every 5s has been failed!

I then kicked the interval up to 20 seconds, and I could now stay connected for 20 seconds! But every 20 seconds it would report failure, drop the connection and reconnect. But in this case it appeared that it did not get into the state where I would have to quit KVPNC and restart it in order to connect again.

For good measure I changed the interval to 40 seconds, and now every 40 seconds it reports the Ping failure, drops the connection and reconnects.

So, next I disabled the connection status check to test and see what would happen.

Now the connection has been up for over 42 Minutes (not seconds) and as far as I can see the connection is still fine and dandy. I can function via ssh and also a fish:// session in Konqueror for browsing and copying files.

Has anyone seen this problem (with the Ping used to do the connection status check failing), and if so did you find a solution to the problem? If not, and you are having regular drops of the connection you might want to try disabling the connection status check and see if that makes a difference.

Of course I would like to have the connection status check working, but disabling the connection status check at least appears to allow me to use KVPNC to access my work network for the moment.

I should also note that I have had this problem with Kubuntu 7.04 before but never had the time to ferret out what might be going on, and I had a build of the Cisco Linux VPN client that I could use on 7.04.

Revision history for this message
burtbick (list-burtbicksler) wrote :

OK, What I suspected (and kind of confirmed) was that whatever is being used as the address to ping when the connection status check is enabled but the specific IP address is unchecked doesn't work in all cases.

To test my theory I turned the connection status check back on, also checked the use specific address and entered an IP address of a machine behind the VPN that I knew I could ping.

That worked for 5+ hours yesterday, and for over an hour today. Then I started to get failures and again (K)VPNC was doing auto retries and got into a mode where it would not see the network without Quiting KVPNC and restarting it. Then it was fine for a few minutes and repeated. I expect that the machine behind the VPN was unable to respond to the ping request in a timely fashion. Since I turned off the connection status check again no problems with the connection going down.

But I wanted to report that it appears that you need to use the specific IP address option with the connection status check if you are having a similar problem. Now to find a machine behind the VPN that doesn't get bogged down, or increase the timeout for the ping test if that is possible.

Burt

Anton (bogatyia)
Changed in vpnc (Ubuntu):
assignee: Michael Bienia (geser) → Anton (bogatyia)
Displaying first 40 and last 40 comments. View all 106 comments or add a comment.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.