-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Connection dies with 'Protocol violation with EOF' after some time #92
Comments
The connection over which the tunnel was running was stable during that time? Any log entries of pppd which could provide a hint? |
The connection was stable during that time, I'm not really sure how to reproduce this, it seems that the tunnel breaks sometimes very few seconds after establishing (the first time I connected) then it worked flawlessly for half an hour (till I hang up). The last time I used it, I couldn't get any connection to work for longer than 30 seconds before it broke. Today I only got these messages out of pppd (and IMO they look fine?). The first connect failed, second and third where fine and manually closed. (I don't really see that first connect in the log though, not sure why)
|
This is how the pppd log looks for a failed connection
Here's the openforti log
|
@dwt thanks. Unfortunately, I can't see any hint from the logs you have provided, but here a few thoughts: |
Have you perhaps tried with a newer version of openfortivpn? I suspect this has been fixed in version 1.3.1 and newer. |
Sorry, I don't work at the place that requires this VPN anymore, so I can't. But thanks for the reminder! :) |
Thank you for the feedback! I'll close this ticket, there's not much we can do about it this context. If needed please reopen it. |
I have the same issue. Tried version 1.3.1 and 1.4.0 (both of them die after some time) on CentOS 6.4 and CentOS 7.3 (similar log and issue) openfortivpn debug log CentOS 6.4
pppd log CentOS 6.4
Reviewing the log for multiple times, I found that the connection is broken exactly after 5.1 minute. On Ubuntu 16.04 hower, I use the GUI https://github.com/theinvisible/openfortigui (which includes the 1.4.0 version right now). When I connect to the same VPN server I get a stable connection. So it seems that this issue is somehow OS / library related. |
@markri OK, I'm reopening this issue since you can reproduce this with CentOS and openfortivpn 1.4.0. Please note the initial poster was on Mac OS X 10.12.2. So is this OS / library related or not? This is a total mystery for now: could as well be identical symptoms with different reasons... Also does #50 help at all? Modifies |
Thnx, just tried the exact same install (without GUI) on Ubuntu. As it seems, the connection on Ubuntu spawns some messages every few seconds now and then (probably a keep-alive). These messages were missing in CentOS. Seems like you already were a step ahead 👍 about that As the default options file is empty but the "lock" option in both CentOS 6 and 7. My connection is now stable for over more than 10 minute now (it broke exactly at 5.1 minutes before). So it seems to be this exact issue. Will let it run over night, but for now we can assume that this (is / can be) fixed |
@markri Thanks for the feedback. I can't decide whether this is an openfortivpn bug or not. Someone more knowledgeable might comment here... |
To give some insight in the applied fix and results from the initiated connection over night The connection lasted 8 hours and 55 minutes with the
|
Indeed 8 hours is usually "good enough" but still, I wonder where "EOF" comes from and whether it's an openfortivpn bug or not. |
By the way, 8 hours is precisely the default timeout on the VPN server side. From the FortiOS™ Handbook SSL VPN for FortiOS 5.0:
I guess this is what happens here. If so there remain two issues:
|
Hello, I have the same problem. Can openfortivpn handle the re-authentication or should i use a crontab line to ensure openfortivpn is restarted when needed ? (i need to have openfortivpn working as a service) |
I believe it would be useful to detect the server-side timeout, if at all possible, and print something more useful than Error reading from SSL connection (Protocol violation with EOF). One would need to start a VPN connection in verbose mode and have a look at About re-authentication, I don't think it is handled right now, there is no loop in the relevant part of the code:
But then many sites use one-time passwords. I'm not certain this should be included within openfortivpn. |
I have started to work on this last week. What about adding an option, e.g. |
Hello @mrbaseman , did you end up merging your work in the master branch ? Otherwise, I would glady test your branch if you need to |
I haven't merged this into master yet. I have just rebased the branch on the current master and if you could test it, this would be good. Positive experience in the field is always a good argument for merging new features into the master branch. |
I have deployed your branch but i have trouble figuring out the value i should set for --loop ? I have set 3600 as i want openfortivpn to re-authenticate itself every hour but i am not sure this is what it does... |
it is the time in seconds which openfortivpn waits before reconnecting in a loop. It doesn't hang up a running connection by itself, but when it drops out it tries to reconnect. If the reconnect fails it waits again and tries another time until you hit Ctrl+C. If reconnecting fails due to an interrupted network connection you don't want to try reconnecting every second and fill the pppd log quite quickly. Therefore, you can adjust this interval to a suitable value. Personally I would choose something between 30 and 300 seconds. 0 means "don't try to reconnect" which is the default setting. |
Just for the record: I have noticed that if you have another device doing ssl deep inspection on the path between the openfortivpn and the box with the vpn server, you might as well see the 'Protocol violation with EOF' error message, but that's at the beginning of the communication, quite quickly after a successful authentication. |
Hello @mrbaseman , I have tested for a whole week with '--loop=5' and it works perfectly ! Do you have an ETA on the merge in the master branch ? |
Well, I have opened a pull request already a while ago (see above). Maybe your feedback has given the necessary kick for the merge now... |
We have decided to rename the option to --persistent instead of --loop. The behavior is exactly the same. I have merged it into the master branch now |
the |
For the record: I have noticed just in the FortiOS Handbook for 5.6 that there is a new server-side configuration option |
While --persistent is useful, in cases where idle timeouts on the server side are pretty low, lcp-echo-interval is still required (otherwise link is disrupted durring reconnects). To integrate with things like OpenWRT, having a --pppd-lcp-echo-interval option would be greatly appreciated because it would allow for a pure UCI configuration. |
@FinboySlick Thank you for this, quite interesting. Will follow-up in #802. |
Not sure what to make of it - the tunnel comes online and works for a short time, then dies with these error messages:
Running master from 19. of January 2017 on Mac OS X 10.12.2 (16C68).
What further information can I give to help you debug this problem?
The text was updated successfully, but these errors were encountered: