Android Anyconnect with Openconnect over cellular disconnects quickly

I have OpenWRT set up with OpenConnect as a VPN server, in Anyconnect compatible mode.

 

Because I didn't have two internet connections, I did some testing with a laptop tethered to an Android phone, so laptop -> android -> cell network -> home OpenWRT.  That works fine, it stays up and stable, if pretty slow.

 

Then I shifted to the Android AnyConnect client with the same phone and cellular connection.  It will work for a couple of minutes and then disconnects.  Yes, it's a cellular connection and thus suspect, but that same connection works fine tethered to a laptop and Windows AnyConnect, so I suspect something Android specific.

 

The Android is a Pixel 2 XL running 4.8.00826 (latest in the Play Store) and the OS is fully patched.

 

The OpenConnect log is not very helpful: 

Thu Nov  7 08:29:02 2019 daemon.info ocserv[1982]: main[redacteduser]:<<phoneIPv4>>:28620 user logged in
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> suggesting DPD of 1800 secs
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> configured link MTU is 1500
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> peer's link MTU is 1500
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> sending IPv4 <<correct local address>>
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> sending IPv6 <<correct local address>>
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> IPv6 routes/DNS disabled because the agent is not openconnect.
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> adding DNS <<Correct local DNS>> 
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> Include route <<One correct route>>/255.255.255.0
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> Include route <<One correct route>>/255.255.255.0
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> Include route <<One correct route>>/255.255.254.0
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> Include route 0.0.0.0/128.0.0.0
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> Include route 128.0.0.0/128.0.0.0
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> DTLS ciphersuite: AES256-GCM-SHA384
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> DTLS data MTU 1434
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> Link MTU is 1500 bytes
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> selected DTLS compression method lzs
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> selected CSTP compression method lzs
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> setting up legacy DTLS (resumption) connection
Thu Nov  7 08:29:09 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> received BYE packet; exiting
Thu Nov  7 08:29:09 2019 daemon.info ocserv[10332]: worker[redacteduser]: <<phoneIPv4>> sent periodic stats (in: 4235, out: 15748) to sec-mod
Thu Nov  7 08:29:09 2019 daemon.info ocserv[2134]: sec-mod: invalidating session of user 'redacteduser' (session: aI4L68)
Thu Nov  7 08:29:09 2019 daemon.info ocserv[1982]: main[redacteduser]:<<phoneIPv4>>:28620 user disconnected (reason: user disconnected, rx: 4235, tx: 15748)
Thu Nov  7 08:29:10 2019 daemon.info ocserv[2134]: sec-mod: session open but with non-existing SID!
Thu Nov  7 08:29:10 2019 daemon.info ocserv[1982]: main:<<phoneIPv4>>:21022 could not open session
Thu Nov  7 08:29:10 2019 daemon.info ocserv[1982]: main:<<phoneIPv4>>:21022 failed authentication attempt for user ''
Thu Nov  7 08:29:10 2019 daemon.warn ocserv[10556]: worker: <<phoneIPv4>> failed cookie authentication attempt
Thu Nov  7 08:29:10 2019 daemon.info ocserv[1982]: main:<<phoneIPv4>>:21022 user disconnected (reason: unspecified, rx: 0, tx: 0)

The reason for the 0.0.0.0/1 and 128.0.0.0/1 routes is to fool it into not doing a split tunnel; not sure if there's a better way, but that works.

 

Generally the log looks like this, with the disconnect coming instantly after the output of connection details but there is a period, usually of a minute or so when there's connectivity, so I cannot quite explain that.  I've gotten connectivity long enough, for example, to get a display from a security camera, not just a few pings.


Again... same phone, same cellular connection, same server-side configuration with a tethered laptop (Windows 10 AnyConnect 4.6.01103), works fine.

 

I realize OpenConnect is not a Cisco product, much less OpenWRT, but hoping someone may have a clue what to look for to debug, or what setting might affect only android?   Thanks.

 

Linwood

 

PS. Plan to head out today and find an independent wifi connection for the phone and see if it makes any difference, but I really want it to work over the cellular connection if possible.
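Added example, not part of the post above and not ocserv code: a small Python parser for the kind of ocserv syslog lines shown in the post. It does two things a reader chasing this problem would want to check. First, it converts the pushed "Include route" lines from netmask form to CIDR and tests whether they collapse to 0.0.0.0/0, which is exactly what the two /1 routes are meant to achieve. Second, it pairs "user logged in" with "user disconnected" to get the real session lifetime, and flags a "failed cookie authentication attempt" arriving from the same peer IP right after that peer sent a BYE, the sequence visible at the end of the posted log. The log lines embedded below are constructed from the post with placeholder addresses and user name; the regexes assume IPv4 peers and the syslog prefix format shown in the post.

```python
"""Parse ocserv syslog lines (constructed sample modelled on the forum post).

Checks: (a) do the pushed 'Include route' networks amount to a full tunnel,
(b) how long each session lived, (c) did a cookie re-auth failure follow a BYE.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample (not the original log); documentation-range addresses used.
SAMPLE_LOG = """\
Thu Nov  7 08:29:02 2019 daemon.info ocserv[1982]: main[alice]:203.0.113.5:28620 user logged in
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[alice]: 203.0.113.5 Include route 192.0.2.0/255.255.255.0
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[alice]: 203.0.113.5 Include route 0.0.0.0/128.0.0.0
Thu Nov  7 08:29:02 2019 daemon.info ocserv[10332]: worker[alice]: 203.0.113.5 Include route 128.0.0.0/128.0.0.0
Thu Nov  7 08:29:09 2019 daemon.info ocserv[10332]: worker[alice]: 203.0.113.5 received BYE packet; exiting
Thu Nov  7 08:29:09 2019 daemon.info ocserv[1982]: main[alice]:203.0.113.5:28620 user disconnected (reason: user disconnected, rx: 4235, tx: 15748)
Thu Nov  7 08:29:10 2019 daemon.info ocserv[1982]: main:203.0.113.5:21022 failed authentication attempt for user ''
Thu Nov  7 08:29:10 2019 daemon.warn ocserv[10556]: worker: 203.0.113.5 failed cookie authentication attempt
"""

# Syslog prefix as it appears on OpenWrt: "<date> <facility.level> ocserv[pid]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \S+ ocserv\[\d+\]: (?P<msg>.*)$")
# Assumption: IPv4 peers only, so the peer address contains no ':'.
LOGIN_RE = re.compile(r"^main\[(?P<user>[^\]]+)\]:(?P<ip>[^:]+):(?P<port>\d+) user logged in$")
DISCONNECT_RE = re.compile(
    r"^main\[(?P<user>[^\]]+)\]:(?P<ip>[^:]+):(?P<port>\d+) user disconnected "
    r"\(reason: (?P<reason>[^,]+), rx: (?P<rx>\d+), tx: (?P<tx>\d+)\)$")
ROUTE_RE = re.compile(r"^worker\[[^\]]+\]: (?P<ip>\S+) Include route (?P<net>\S+)/(?P<mask>\S+)$")
BYE_RE = re.compile(r"^worker\[[^\]]+\]: (?P<ip>\S+) received BYE packet; exiting$")
COOKIE_FAIL_RE = re.compile(r"^worker: (?P<ip>\S+) failed cookie authentication attempt$")


def parse_lines(text):
    """Yield (timestamp, message) for every line ocserv wrote; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Collapse the padded day ("Nov  7") before strptime.
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%a %b %d %H:%M:%S %Y")
        yield ts, m["msg"]


def routes_from_log(text):
    """Collect pushed 'Include route' networks, converting netmask form to CIDR."""
    routes = []
    for _, msg in parse_lines(text):
        m = ROUTE_RE.match(msg)
        if m:
            routes.append(ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False))
    return routes


def is_full_tunnel(routes):
    """True when the routes collapse to 0.0.0.0/0 (e.g. 0.0.0.0/1 + 128.0.0.0/1)."""
    return list(ipaddress.collapse_addresses(routes)) == [ipaddress.ip_network("0.0.0.0/0")]


def sessions(text):
    """Pair login/disconnect per (user, peer ip, peer port); report lifetime in seconds."""
    open_sessions, done = {}, []
    for ts, msg in parse_lines(text):
        m = LOGIN_RE.match(msg)
        if m:
            open_sessions[(m["user"], m["ip"], m["port"])] = ts
            continue
        m = DISCONNECT_RE.match(msg)
        if m:
            start = open_sessions.pop((m["user"], m["ip"], m["port"]), None)
            done.append({
                "user": m["user"], "peer": f"{m['ip']}:{m['port']}",
                "seconds": (ts - start).total_seconds() if start else None,
                "reason": m["reason"], "rx": int(m["rx"]), "tx": int(m["tx"]),
            })
    return done


def stale_cookie_reconnects(text, window=10):
    """Flag a cookie-auth failure from a peer IP within `window` seconds of that peer's BYE.

    That pattern means the client tore the session down itself and then tried to
    resume with a cookie the server had already invalidated.
    """
    last_bye, flagged = {}, []
    for ts, msg in parse_lines(text):
        m = BYE_RE.match(msg)
        if m:
            last_bye[m["ip"]] = ts
            continue
        m = COOKIE_FAIL_RE.match(msg)
        if m and m["ip"] in last_bye:
            gap = (ts - last_bye[m["ip"]]).total_seconds()
            if 0 <= gap <= window:
                flagged.append({"ip": m["ip"], "seconds_after_bye": gap})
    return flagged


if __name__ == "__main__":
    print("full tunnel:", is_full_tunnel(routes_from_log(SAMPLE_LOG)))
    for s in sessions(SAMPLE_LOG):
        print("session:", s)
    for f in stale_cookie_reconnects(SAMPLE_LOG):
        print("stale cookie reconnect:", f)
```

Feed it `logread | grep ocserv` output from the router instead of the sample to see whether the short-lived sessions always end with a client-initiated BYE followed by a cookie failure, which would point at the client rather than at a server-side timeout or DPD.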
