1271973 – no more vpn dialog after previous canceling

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1271973 - no more vpn dialog after previous canceling

Summary: no more vpn dialog after previous canceling

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	NetworkManager-libreswan
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	7.2
Assignee:	Lubomir Rintel
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-15 08:14 UTC by Vladimir Benes
Modified:	2015-11-19 11:06 UTC (History)
CC List:	3 users (show)
Fixed In Version:	NetworkManager-libreswan-1.0.6-3.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-19 11:06:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
NetworkManager's log (11.95 KB, text/plain) 2015-10-15 08:15 UTC, Vladimir Benes	no flags	Details
[nm-libreswan 1/3] Early fail race fix (1.53 KB, text/plain) 2015-10-21 15:28 UTC, Lubomir Rintel	no flags	Details
full log (24.03 KB, text/plain) 2015-10-22 08:03 UTC, Vladimir Benes	no flags	Details
[nm-libreswan 2/3] Fix for 100% cpu load on disconnect (2.20 KB, text/plain) 2015-10-22 12:38 UTC, Lubomir Rintel	no flags	Details
[nm-libreswan 3/3] Fix reconnecting after a failure (3.00 KB, text/plain) 2015-10-22 12:41 UTC, Lubomir Rintel	no flags	Details
[nm] Avoid disconnecting connection following an unsuccessful connection attempt (854 bytes, text/plain) 2015-10-22 12:42 UTC, Lubomir Rintel	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:2315	0	normal	SHIPPED_LIVE	Moderate: NetworkManager security, bug fix, and enhancement update	2015-11-19 10:06:58 UTC

Description Vladimir Benes 2015-10-15 08:14:15 UTC

Description of problem:
Canceling gnome's dialog after entering wrong password and leads to an inconsistent libreswan vpn state. I can then connect w/o entering any credentials seeing an lock icon for a short period in GS but it disappears again in a while. I am not connected anytime. 
 
Version-Release number of selected component (if applicable):
NetworkManager-1.0.6-21.el7.x86_64
gnome-shell-3.14.4-36.el7.x86_64
NetworkManager-libreswan-1.0.6-1.el7.x86_64
libreswan-3.12-10.1.el7_1.x86_64


How reproducible:
always

Steps to Reproduce:
1.start vpn connection
2.enter incorrect password 
3.cancel dialog when re-questioned
4.try to connect once more

Actual results:
no more dialog

Expected results:
should have dialog again

Additional info:

Comment 1 Vladimir Benes 2015-10-15 08:15:26 UTC

Created attachment 1083164 [details]
NetworkManager's log

Comment 2 Lubomir Rintel 2015-10-20 18:06:34 UTC

I can't reproduce this one. Seems like the nm-libreswan-service is stuck somehow and doesn't respond.

I'm wondering if you could check if it's really running and check what blocks it (attach gdb and get a traceback or maybe just strace it to see if it is caught in a loop)?

Comment 3 Vladimir Benes 2015-10-21 10:22:48 UTC

(In reply to Lubomir Rintel from comment #2)
> I can't reproduce this one. Seems like the nm-libreswan-service is stuck
> somehow and doesn't respond.
> 
We've reproduced together. You just need to connect, write in incorrect password and then when second dialog appears press cancel button.

> I'm wondering if you could check if it's really running and check what
> blocks it (attach gdb and get a traceback or maybe just strace it to see if
> it is caught in a loop)?

Comment 4 Lubomir Rintel 2015-10-21 15:28:40 UTC

Created attachment 1085201 [details]
[nm-libreswan 1/3] Early fail race fix

Brew build: https://brewweb.devel.redhat.com/taskinfo?taskID=9991436

Comment 5 Vladimir Benes 2015-10-22 08:02:44 UTC

Lubo,
it's slightly better as I can see another dialog after unsuccessful connection but that dialog doesn't work anymore with these errors:
 
Oct 22 09:52:08 trautenberg NetworkManager[927]: <info>  VPN plugin state changed: starting (3)
Oct 22 09:52:08 trautenberg NetworkManager[927]: <info>  VPN connection 'redhat' (ConnectInteractive) reply received.
Oct 22 09:52:08 trautenberg NetworkManager[927]: <warn>  VPN connection 'redhat' failed to connect interactively: 'Already connecting!'.
Oct 22 09:52:08 trautenberg NetworkManager[927]: <warn>  error disconnecting VPN: Could not process the request because no VPN connection was active.
Oct 22 09:52:14 trautenberg NetworkManager[927]: <info>  VPN plugin state changed: starting (3)
Oct 22 09:52:14 trautenberg NetworkManager[927]: <info>  VPN connection 'redhat' (ConnectInteractive) reply received.
Oct 22 09:52:14 trautenberg NetworkManager[927]: <warn>  VPN connection 'redhat' failed to connect interactively: 'Already connecting!'.
Oct 22 09:52:14 trautenberg NetworkManager[927]: <warn>  error disconnecting VPN: Could not process the request because no VPN connection was active.

whole log attached (3 incorrect attempts + new opening and 2 immediate failures)

Comment 6 Vladimir Benes 2015-10-22 08:03:34 UTC

Created attachment 1085437 [details]
full log

Comment 7 Vladimir Benes 2015-10-22 08:34:40 UTC

and whatmore it's eating a lot of CPU:
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                                                                                              
 3554 root      20   0  262752   3804   3012 R 100.0  0.0   0:56.65 nm-libreswan-se

it sits there for 3 minutes and then goes away. I can reconnect after it's gone.

Comment 8 Lubomir Rintel 2015-10-22 12:38:31 UTC

Created attachment 1085489 [details]
[nm-libreswan 2/3] Fix for 100% cpu load on disconnect

Comment 9 Lubomir Rintel 2015-10-22 12:41:14 UTC

Created attachment 1085491 [details]
[nm-libreswan 3/3] Fix reconnecting after a failure

Comment 10 Lubomir Rintel 2015-10-22 12:42:30 UTC

Created attachment 1085494 [details]
[nm] Avoid disconnecting connection following an unsuccessful connection attempt

Comment 11 Lubomir Rintel 2015-10-22 12:52:48 UTC

https://brewweb.devel.redhat.com/taskinfo?taskID=9998325
https://brewweb.devel.redhat.com/taskinfo?taskID=9998015

Comment 12 Thomas Haller 2015-10-23 14:12:56 UTC

All patches LGTM. Didn't test though.

Comment 13 Lubomir Rintel 2015-10-23 16:38:47 UTC

nm-1-0:

26094b7 service: always tear down the connection on helper failure
f516f6b service: watch for pty master hangups
636b2a5 service: don't delete connection while it's being upped

master:

50fc66b service: always tear down the connection on helper failure
984035d service: watch for pty master hangups
f58fde3 service: don't delete connection while it's being upped

Comment 17 Vladimir Benes 2015-10-29 14:52:21 UTC

this works well with current libreswan and NM package.

Comment 18 errata-xmlrpc 2015-11-19 11:06:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2315.html

Note You need to log in before you can comment on or make changes to this bug.