Bug 836558 - openconnect upgrade breaks VPN to Cisco routers
openconnect upgrade breaks VPN to Cisco routers
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openconnect (Show other bugs)
17
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: David Woodhouse
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-29 09:44 EDT by Stephen Satchell
Modified: 2012-11-30 12:46 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-07 17:55:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
F16 openconnect -v transcript (175.35 KB, text/plain)
2012-11-22 11:57 EST, Kayvan Sylvan
no flags Details
F17 openconnect -v transcript (11.30 KB, text/plain)
2012-11-22 11:58 EST, Kayvan Sylvan
no flags Details

  None (edit)
Description Stephen Satchell 2012-06-29 09:44:09 EDT
Description of problem:
When applying updates to Fedora 17 on Thursday 28 June 2012, after the process was complete, I was unable to make VPN connections to Cisco AnyConnect VPN portals.  Backing out the update returned proper fuctionality.

Version-Release number of selected component (if applicable):

openconnect-4.00-1.fc17.x86_64

How reproducible:
Every time, to multiple VPN portals


Steps to Reproduce:
1. Install security update (to 4.00-1)
2. Try to connect to VPN (Cisco 2811 router); NetworkManager reports failure
3. Downgrade to openconnect-3.18-1.fc17.x86_64, and to its dependencies
4. Connection to the same VPN works
  
Actual results:
/var/log/messages shows error "openconnect[2896]: SSL connection failure: A TLS fatal alert has been received." when version 4.00-1 is installed

Expected results:
Connection established, which was achieve by rolling back the update.

Additional info:
Cisco 2811 and 3841 routers, with GoDaddy certificates, running Cisco AnyConnect.  IOS version is not known, but is recent.
Comment 1 David Woodhouse 2012-06-29 10:04:16 EDT
If you attempt to connect with openconnect on the command line, with the '-v' option, what do you see? 

Run 'openconnect -v <yourserver>' and show me the full output, please. You can send it in private email (to dwmw2@infradead.org) if you prefer.

If you are also able to capture a packet trace with tcpdump when you connect with both old and new openconnect, that would also be helpful.

Some servers (or their firewalls) are very picky about the precise TLS options which are negotiated, and there may be some difference here... although I thought I'd made sure it the GnuTLS and OpenSSL versions were identical.
Comment 2 David Woodhouse 2012-06-29 10:19:53 EDT
Does the build at http://koji.fedoraproject.org/koji/taskinfo?taskID=4207628 fix this?
Comment 3 Stephen Satchell 2012-06-30 22:45:54 EDT
(In reply to comment #1)

> Run 'openconnect -v <yourserver>' and show me the full output, please. You
> can send it in private email (to dwmw2@infradead.org) if you prefer.

$ openconnect -v [redacted].com
Attempting to connect to [redacted].200:443
SSL negotiation with [redacted].com
SSL connection failure: A TLS fatal alert has been received.
Failed to open HTTPS connection to [redacted].com
Failed to obtain WebVPN cookie
Comment 4 Stephen Satchell 2012-06-30 23:22:50 EDT
(In reply to comment #2)
> Does the build at http://koji.fedoraproject.org/koji/taskinfo?taskID=4207628
> fix this?

Built a new Fedora 17 system on a 686 machine.

Verified the same result on that machine

-----

  Installed openconnect-4.02-2.fc17.i686.rpm 
  Installed openconnect-lib-compat-4.02-2.fc17.i686.rpm 

# openconnect -v [redacted].com
Attempting to connect to[redacted].200:443
SSL negotiation with [redacted].com
SSL connection failure: A TLS fatal alert has been received.
Failed to open HTTPS connection to [redacted].com
Failed to obtain WebVPN cookie

-----

Installed:
  openconnect-3.18-1.fc17.i686
  NetworkManager-openconnect.i686 0:0.9.3.997-1.fc17

# openconnect -v [redacted].com
Attempting to connect to [redacted].200:443
SSL negotiation with [redacted].com
Server certificate verify failed: unable to get local issuer certificate

Certificate from VPN server "[redacted].com" failed verification.
Reason: unable to get local issuer certificate
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on [redacted].com
GET https://[redacted].com/
Got HTTP response: HTTP/1.1 303 See Other
Content-Type: text/html
Content-Length: 0
Location: https://[redacted].com:443/webvpn.html
Set-Cookie: webvpncontext=00@OFFICE_CTX; path=/
Connection: Keep-Alive
HTTP body length:  (0)
GET https://[redacted].com/webvpn.html
Got HTTP response: HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/html
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpncontext=00@OFFICE_CTX; path=/
X-Transcend-Version: 1
Content-Length: 473
Connection: close
HTTP body length:  (473)
Fixed options give 
Please enter your username and password.
USERNAME:[redacted]
PASSWORD:[redacted]
SSL negotiation with [redacted].com
Server certificate verify failed: unable to get local issuer certificate
Connected to HTTPS on [redacted].com
POST https://[redacted].com/webvpn.html
Got HTTP response: HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/html
Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/
Set-Cookie: webvpn=<elided>; path=/
Set-Cookie: webvpnc=p:t&bu:/CACHE/webvpn/stc/&iu:1/&sh:5C36FFE3AEC06E62AE348C7DDA295F2BC45ACBCF&; path=/
X-Transcend-Version: 1
Content-Length: 147
Connection: Keep-Alive
HTTP body length:  (147)
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.4.198.38
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Keep: true
X-CSTP-DNS: 172.16.5.12
X-CSTP-Lease-Duration: 43200
X-CSTP-MTU: 1406
X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
X-CSTP-Split-Include: 172.16.0.0/255.240.0.0
X-CSTP-DPD: 300
X-CSTP-Keepalive: 30
X-CSTP-MSIE-Proxy: auto
CSTP connected. DPD 300, Keepalive 30
Connected tun0 as 10.4.198.38, using SSL
No work to do; sleeping for 29000 ms...
Send CSTP Keepalive
No work to do; sleeping for 30000 ms...
Comment 5 David Woodhouse 2012-07-01 15:16:09 EDT
OK, can I have the tcpdump captures please? Or better still, let me know the precise address of the server and I can do some basic testing here to work out what the difference is.

These servers are just a web server which is publicly accessible; they'll be receiving hundreds if not thousands of "random" connections a day; naming them doesn't hurt as long as you don't give usernames/passwords/etc. But if you'd be happier sending it in private email, that's OK.
Comment 6 David Woodhouse 2012-07-01 16:25:42 EDT
How about http://koji.fedoraproject.org/koji/taskinfo?taskID=4211343 ?

It's possibly not the use of SSLv3 vs. TLSv1, but the choice of cipher. We were restricting the ciphers that GnuTLS would use to only AES, and I know of at least one server out there which will accept only 3DES so is fixed by this version but not my previous test build. (Thankfully not everyone redacts their server addresses, so I get to make sure that openconnect actually keeps working for them... :)
Comment 7 Stephen Satchell 2012-07-01 20:30:41 EDT
Server address provided under separate cover.
Comment 8 Fedora Update System 2012-07-02 07:22:16 EDT
openconnect-4.03-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openconnect-4.03-1.fc17
Comment 9 Fedora Update System 2012-07-02 07:22:56 EDT
openconnect-4.03-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openconnect-4.03-1.fc16
Comment 10 Stephen Satchell 2012-07-02 15:07:57 EDT
openconnect-4.03-1.fc17.i686
openconnect-lib-compat-4.03-1.fc17.i686
  When installed in my test system, I was able to connect and establish a tunnel.  Thank you.
Comment 11 David Woodhouse 2012-07-02 16:02:24 EDT
Thanks for testing. It's still suboptimal that you don't seem to have DTLS support. Without that, you end up doing TCP over TCP, which is very bad for performance.

If you can capture a packet trace of the *UDP* packets between a real Cisco client and the server (if indeed the Cisco clients *do* manage to do DTLS given the restricted cipher set that your server permits), that would be very enlightening. I particularly need to see the cipher suites that are listed in the ClientHello/ServerHello part of the DTLS exchange.
Comment 12 Fedora Update System 2012-07-02 18:27:19 EDT
Package openconnect-4.03-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openconnect-4.03-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10153/openconnect-4.03-1.fc17
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-07-05 07:04:19 EDT
openconnect-4.04-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/openconnect-4.04-1.fc17
Comment 14 Fedora Update System 2012-07-05 07:04:55 EDT
openconnect-4.04-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openconnect-4.04-1.fc16
Comment 15 Fedora Update System 2012-07-07 17:55:12 EDT
openconnect-4.04-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2012-07-07 17:55:32 EDT
openconnect-4.04-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 maurizio 2012-07-08 03:06:19 EDT
cuts people with  objects  ,  buy items on  the web  
   pirshing  , steals, zaffis, sasser,  AES to high !  starts  356  to 1024
Comment 18 Kayvan Sylvan 2012-11-22 10:25:53 EST
Just updated a fedora 16 system to fedora 17 and am seeing the same inability to connect to Cisco DSL VPN.
Comment 19 David Woodhouse 2012-11-22 10:34:50 EST
Kayvan: You are unable to connect with Fedora 17 to a Cisco VPN server that was *working* with Fedora 16? Please could you report the exact versions of OpenConnect that you were using in Fedora 16 and 17? They should be 4.06 and 4.07 respectively, and nothing in that update should have changed anything.

Please could you let me have (in private email if you prefer) the address of the VPN server. If it's the same bug, I should be able to reproduce fairly easily without having to try to log in at all. I don't think it *is* the same bug though, and I don't quite understand how it can even be anything similar.
Comment 20 Kayvan Sylvan 2012-11-22 11:56:44 EST
Yes, it was working with Fedora 16. In fact, it works with another Fedora 16 system I have. It may not be the same bug.

The Cisco SSL VPN is at vpn.playdom.com

I have attached the transcript of openconnect -v for both F16 and F17. Looks like the only difference I see is Dead Peer Detection is getting activated in the F17 case.
Comment 21 Kayvan Sylvan 2012-11-22 11:57:32 EST
Created attachment 649947 [details]
F16 openconnect -v transcript
Comment 22 Kayvan Sylvan 2012-11-22 11:58:07 EST
Created attachment 649948 [details]
F17 openconnect -v transcript
Comment 23 Kayvan Sylvan 2012-11-22 17:08:15 EST
Additional info:

I just spun up a Fedora 16 Live CD on VirtualBox and did:

yum install openconnect
openconnect -v myserver

and in another terminal window:

ping internal-server-name
978 packets transmitted, 978 received, 0% packet loss, time 978625ms.

Then I did the same with the Fedora 17 Live CD, with similar results. No packet loss and a reliable connection that seems solid.

However, the VirtalBox host, my machine that I upgraded from F16 to F17 (that used to work reliably with the Cisco VPN when it was on Fedora 16) only stays on the VPN for a minute or two before hanging and giving me the Dead Peer Detection messages in the openconnect log.

Any ideas?
Comment 24 David Woodhouse 2012-11-22 18:24:33 EST
Your *failing* version says:

CSTP connected. DPD 30, Keepalive 20
RTNETLINK answers: Network is unreachable


Can you show the output of 'ip route' and 'ip route get 209.66.74.34' from each system (working and non-working)? I wonder if in the latter case, your packets to the VPN server are actually being routed *through* the VPN (which is going to recurse and never work). 

Can you try using the latest vpnc-script as described at 
http://www.infradead.org/openconnect/vpnc-script.html ?
Comment 25 David Woodhouse 2012-11-22 19:14:31 EST
Sorry, I meant to be cleared: Those 'ip route' commands should be run when you have just connected the VPN, before it disconnects. I'd like to see the situation while it's connected.
Comment 26 Kayvan Sylvan 2012-11-22 22:08:09 EST
On the failing one:

$ ip route get 209.66.74.34
209.66.74.34 via 192.168.0.1 dev em1  src 192.168.0.35 
    cache 
$ ip route
default via 192.168.0.1 dev em1  proto static 
10.0.0.0/8 dev tun0  scope link 
10.217.128.0/19 dev tun0  scope link 
10.217.142.0/24 dev tun0  scope link 
10.217.148.23 dev tun0  scope link 
10.217.148.24 dev tun0  scope link 
10.217.160.0/22 dev tun0  scope link 
10.217.164.0/23 dev tun0  scope link 
139.104.0.0/16 dev tun0  scope link 
153.6.0.0/16 dev tun0  scope link 
153.7.0.0/16 dev tun0  scope link 
153.8.0.0/16 dev tun0  scope link 
157.23.0.0/16 dev tun0  scope link 
160.1.0.0/16 dev tun0  scope link 
167.13.0.0/16 dev tun0  scope link 
172.16.0.0/12 dev tun0  scope link 
172.16.10.0/24 dev tun0  scope link 
172.17.0.0/16 dev tun0  scope link 
172.18.0.0/16 dev tun0  scope link 
172.19.0.0/16 dev tun0  scope link 
192.124.33.0/24 dev tun0  scope link 
192.168.0.0/16 dev tun0  scope link 
192.168.0.0/16 dev em1  proto none  metric 1 notify 
192.195.63.0/24 dev tun0  scope link 
192.195.65.0/24 dev tun0  scope link 
192.195.67.0/24 dev tun0  scope link 
198.102.219.0/24 dev tun0  scope link 
198.178.187.0/24 dev tun0  scope link 
198.178.188.0/24 dev tun0  scope link 
198.178.189.0/24 dev tun0  scope link 
198.180.195.0/24 dev tun0  scope link 
198.200.186.0/24 dev tun0  scope link 
198.252.254.0/24 dev tun0  scope link 
199.88.194.0/24 dev tun0  scope link 
199.107.110.0/24 dev tun0  scope link 
199.181.130.0/24 dev tun0  scope link 
204.75.167.0/24 dev tun0  scope link 
204.87.208.0/24 dev tun0  scope link 
204.238.46.0/24 dev tun0  scope link 
206.18.65.0/24 dev tun0  scope link 
206.18.95.0/24 dev tun0  scope link 
208.246.35.0/24 dev tun0  scope link 
209.66.74.34 via 192.168.0.1 dev em1  src 192.168.0.35 

On the working one (the Fedora 17 virtual machine running in VirtualBox on the failing host):

$ ip route get 209.66.77.34
209.66.77.34 via 10.0.2.2 dev p2p1  src 10.0.2.15 
    cache 

$ ip route
default via 10.0.2.2 dev p2p1  proto static 
10.0.0.0/8 dev tun0  scope link 
10.0.2.0/24 dev p2p1  proto kernel  scope link  src 10.0.2.15 
10.217.128.0/19 dev tun0  scope link 
10.217.142.0/24 dev tun0  scope link 
10.217.148.23 dev tun0  scope link 
10.217.148.24 dev tun0  scope link 
10.217.160.0/22 dev tun0  scope link 
10.217.164.0/23 dev tun0  scope link 
139.104.0.0/16 dev tun0  scope link 
153.6.0.0/16 dev tun0  scope link 
153.7.0.0/16 dev tun0  scope link 
153.8.0.0/16 dev tun0  scope link 
157.23.0.0/16 dev tun0  scope link 
160.1.0.0/16 dev tun0  scope link 
167.13.0.0/16 dev tun0  scope link 
172.16.0.0/12 dev tun0  scope link 
172.16.10.0/24 dev tun0  scope link 
172.17.0.0/16 dev tun0  scope link 
172.18.0.0/16 dev tun0  scope link 
172.19.0.0/16 dev tun0  scope link 
192.124.33.0/24 dev tun0  scope link 
192.168.0.0/16 dev tun0  scope link 
192.195.63.0/24 dev tun0  scope link 
192.195.65.0/24 dev tun0  scope link 
192.195.67.0/24 dev tun0  scope link 
198.102.219.0/24 dev tun0  scope link 
198.178.187.0/24 dev tun0  scope link 
198.178.188.0/24 dev tun0  scope link 
198.178.189.0/24 dev tun0  scope link 
198.180.195.0/24 dev tun0  scope link 
198.200.186.0/24 dev tun0  scope link 
198.252.254.0/24 dev tun0  scope link 
199.88.194.0/24 dev tun0  scope link 
199.107.110.0/24 dev tun0  scope link 
199.181.130.0/24 dev tun0  scope link 
204.75.167.0/24 dev tun0  scope link 
204.87.208.0/24 dev tun0  scope link 
204.238.46.0/24 dev tun0  scope link 
206.18.65.0/24 dev tun0  scope link 
206.18.95.0/24 dev tun0  scope link 
208.246.35.0/24 dev tun0  scope link 
209.66.74.34 via 10.0.2.2 dev p2p1  src 10.0.2.15
Comment 27 Kayvan Sylvan 2012-11-22 22:47:20 EST
Thank you for the help in debugging this.

I used the newest script and it made no difference. It still times out with the same symptoms:

$ sudo openconnect -v --script ~/vpnc-script-20121122 vpn.playdom.com
Attempting to connect to 209.66.74.34:443
SSL negotiation with vpn.playdom.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.playdom.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.playdom.com
GET https://vpn.playdom.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 23 Nov 2012 03:07:26 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with vpn.playdom.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.playdom.com
GET https://vpn.playdom.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give 
Please enter your username and password.
Username:XXXXXXXXXXXX
Password:
POST https://vpn.playdom.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:1BB70FDEAB5A89FEC5EDD5D1796DE7B589AFF6CB&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
Set-Cookie: webvpnx=
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 971, snd mss 1380, adv mss 1460, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.217.142.152
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 10.217.148.23
X-CSTP-DNS: 10.217.148.24
X-CSTP-Lease-Duration: 864000
X-CSTP-Session-Timeout: 864000
X-CSTP-Idle-Timeout: 7200
X-CSTP-Disconnected-Timeout: 7200
X-CSTP-Default-Domain: corp.playdom.com
X-CSTP-Split-Include: 172.17.0.0/255.255.0.0
X-CSTP-Split-Include: 172.19.0.0/255.255.0.0
X-CSTP-Split-Include: 172.18.0.0/255.255.0.0
X-CSTP-Split-Include: 10.217.128.0/255.255.224.0
X-CSTP-Split-Include: 172.16.10.0/255.255.255.0
X-CSTP-Split-Include: 10.217.160.0/255.255.252.0
X-CSTP-Split-Include: 10.217.164.0/255.255.254.0
X-CSTP-Split-Include: 139.104.0.0/255.255.0.0
X-CSTP-Split-Include: 153.6.0.0/255.255.0.0
X-CSTP-Split-Include: 153.7.0.0/255.255.0.0
X-CSTP-Split-Include: 153.8.0.0/255.255.0.0
X-CSTP-Split-Include: 157.23.0.0/255.255.0.0
X-CSTP-Split-Include: 160.1.0.0/255.255.0.0
X-CSTP-Split-Include: 167.13.0.0/255.255.0.0
X-CSTP-Split-Include: 192.124.33.0/255.255.255.0
X-CSTP-Split-Include: 192.195.63.0/255.255.255.0
X-CSTP-Split-Include: 192.195.65.0/255.255.255.0
X-CSTP-Split-Include: 192.195.67.0/255.255.255.0
X-CSTP-Split-Include: 198.102.219.0/255.255.255.0
X-CSTP-Split-Include: 198.178.187.0/255.255.255.0
X-CSTP-Split-Include: 198.178.188.0/255.255.255.0
X-CSTP-Split-Include: 198.178.189.0/255.255.255.0
X-CSTP-Split-Include: 198.180.195.0/255.255.255.0
X-CSTP-Split-Include: 198.200.186.0/255.255.255.0
X-CSTP-Split-Include: 198.252.254.0/255.255.255.0
X-CSTP-Split-Include: 199.88.194.0/255.255.255.0
X-CSTP-Split-Include: 199.107.110.0/255.255.255.0
X-CSTP-Split-Include: 199.181.130.0/255.255.255.0
X-CSTP-Split-Include: 204.87.208.0/255.255.255.0
X-CSTP-Split-Include: 204.238.46.0/255.255.255.0
X-CSTP-Split-Include: 206.18.65.0/255.255.255.0
X-CSTP-Split-Include: 206.18.95.0/255.255.255.0
X-CSTP-Split-Include: 208.246.35.0/255.255.255.0
X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
X-CSTP-Split-Include: 192.168.0.0/255.255.0.0
X-CSTP-Split-Include: 172.16.0.0/255.240.0.0
X-CSTP-Split-Include: 204.75.167.0/255.255.255.0
X-CSTP-Keep: true
X-CSTP-Rekey-Time: 1800
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: EDD632CB6FEFC436D650F58FE188B55877A676E2AC5F71C8428F3928750AB3A9
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 1800
X-CSTP-MTU: 958
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
CSTP connected. DPD 30, Keepalive 20
RTNETLINK answers: Network is unreachable
DTLS option X-DTLS-Session-ID : EDD632CB6FEFC436D650F58FE188B55877A676E2AC5F71C8428F3928750AB3A9
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Keepalive : 20
DTLS option X-DTLS-DPD : 30
DTLS option X-DTLS-Rekey-Time : 1800
DTLS option X-DTLS-CipherSuite : AES128-SHA
DTLS connected. DPD 30, Keepalive 20
Connected tun0 as 10.217.142.152, using SSL
No work to do; sleeping for 19000 ms...
No work to do; sleeping for 19000 ms...
Established DTLS connection (using OpenSSL)
No work to do; sleeping for 19000 ms...
Sent DTLS packet of 76 bytes; DTLS send returned 77
Sent DTLS packet of 76 bytes; DTLS send returned 77
No work to do; sleeping for 19000 ms...
Sent DTLS packet of 76 bytes; DTLS send returned 77
No work to do; sleeping for 19000 ms...
Received DTLS packet 0x00 of 135 bytes
No work to do; sleeping for 19000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 19000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 19000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 19000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 19000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 19000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 19000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 19000 ms...
Received DTLS packet 0x00 of 135 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 135 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 56 bytes; DTLS send returned 57
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 57 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 18000 ms...
Received DTLS packet 0x00 of 99 bytes
No work to do; sleeping for 18000 ms...
Sent DTLS packet of 60 bytes; DTLS send returned 61
No work to do; sleeping for 15000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 15000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 7000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 2000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 1000 ms...
Sent DTLS packet of 60 bytes; DTLS send returned 61
No work to do; sleeping for 1000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 1000 ms...
Send CSTP Keepalive
No work to do; sleeping for 10000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 7000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 6000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 2000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 1000 ms...
Send CSTP DPD
No work to do; sleeping for 2000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 1000 ms...
Send DTLS DPD
No work to do; sleeping for 13000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 12000 ms...
Sent DTLS packet of 80 bytes; DTLS send returned 81
No work to do; sleeping for 12000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 12000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 11000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 9000 ms...
Sent DTLS packet of 65 bytes; DTLS send returned 66
No work to do; sleeping for 9000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 7000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 6000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 4000 ms...
Sent DTLS packet of 65 bytes; DTLS send returned 66
No work to do; sleeping for 4000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 2000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 1000 ms...
Send CSTP DPD
No work to do; sleeping for 2000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 1000 ms...
Sent DTLS packet of 65 bytes; DTLS send returned 66
No work to do; sleeping for 1000 ms...
Send DTLS DPD
No work to do; sleeping for 13000 ms...
Sent DTLS packet of 80 bytes; DTLS send returned 81
No work to do; sleeping for 13000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 13000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 12000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 11000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 9000 ms...
Sent DTLS packet of 65 bytes; DTLS send returned 66
No work to do; sleeping for 9000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 7000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 6000 ms...
Sent DTLS packet of 81 bytes; DTLS send returned 82
No work to do; sleeping for 4000 ms...
Sent DTLS packet of 85 bytes; DTLS send returned 86
No work to do; sleeping for 4000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 2000 ms...
Sent DTLS packet of 70 bytes; DTLS send returned 71
No work to do; sleeping for 2000 ms...
Sent DTLS packet of 61 bytes; DTLS send returned 62
No work to do; sleeping for 1000 ms...
Send CSTP DPD
No work to do; sleeping for 2000 ms...
CSTP Dead Peer Detection detected dead peer!
^CFailed to reconnect to host vpn.playdom.com
Comment 28 David Woodhouse 2012-11-23 03:59:22 EST
Odd. It does look like you're losing connectivity to the VPN server somehow. We *did* have a bug in vpnc-script with newer kernels once, which ended up causing that. But this looks like something different.

Firstly, can you add --no-dtls to the command line in all cases; let's eliminate DTLS from the equation and run *just* the single TCP connection. Then, please can you try running a 'ping vpn.playdom.com' in another terminal, before you connect and leaving it running as you connect. It should never stop... but I *suspect* in the case of your failing setup, it might?

Also, can you run tcpdump somewhere suitable on your network and capture all traffic to/from the VPN server? For the VM case, running it on the outward-facing interface (eth0 or wlan0?) of the host would be OK. But really, as close to your upstream-facing router as possible. Ideally even outside any NAT or firewalling so we can see what packets you are *actually* spitting out onto the Internet.

This is *definitely* not the original bug #836558, FWIW. But we might as well continue...
Comment 29 Kayvan Sylvan 2012-11-23 19:49:04 EST
$ sudo openconnect -v --no-dtls --script ~/vpnc-script-20121122 vpn.playdom.com
Attempting to connect to 209.66.74.34:443
SSL negotiation with vpn.playdom.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.playdom.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.playdom.com
GET https://vpn.playdom.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Sat, 24 Nov 2012 00:05:17 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with vpn.playdom.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.playdom.com
GET https://vpn.playdom.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give 
Please enter your username and password.
Username:XXXXXXXXXXXXX
Password:
POST https://vpn.playdom.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:1BB70FDEAB5A89FEC5EDD5D1796DE7B589AFF6CB&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
Set-Cookie: webvpnx=
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 971, snd mss 1380, adv mss 1460, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.217.142.174
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 10.217.148.23
X-CSTP-DNS: 10.217.148.24
X-CSTP-Lease-Duration: 864000
X-CSTP-Session-Timeout: 864000
X-CSTP-Idle-Timeout: 7200
X-CSTP-Disconnected-Timeout: 7200
X-CSTP-Default-Domain: corp.playdom.com
X-CSTP-Split-Include: 172.17.0.0/255.255.0.0
X-CSTP-Split-Include: 172.19.0.0/255.255.0.0
X-CSTP-Split-Include: 172.18.0.0/255.255.0.0
X-CSTP-Split-Include: 10.217.128.0/255.255.224.0
X-CSTP-Split-Include: 172.16.10.0/255.255.255.0
X-CSTP-Split-Include: 10.217.160.0/255.255.252.0
X-CSTP-Split-Include: 10.217.164.0/255.255.254.0
X-CSTP-Split-Include: 139.104.0.0/255.255.0.0
X-CSTP-Split-Include: 153.6.0.0/255.255.0.0
X-CSTP-Split-Include: 153.7.0.0/255.255.0.0
X-CSTP-Split-Include: 153.8.0.0/255.255.0.0
X-CSTP-Split-Include: 157.23.0.0/255.255.0.0
X-CSTP-Split-Include: 160.1.0.0/255.255.0.0
X-CSTP-Split-Include: 167.13.0.0/255.255.0.0
X-CSTP-Split-Include: 192.124.33.0/255.255.255.0
X-CSTP-Split-Include: 192.195.63.0/255.255.255.0
X-CSTP-Split-Include: 192.195.65.0/255.255.255.0
X-CSTP-Split-Include: 192.195.67.0/255.255.255.0
X-CSTP-Split-Include: 198.102.219.0/255.255.255.0
X-CSTP-Split-Include: 198.178.187.0/255.255.255.0
X-CSTP-Split-Include: 198.178.188.0/255.255.255.0
X-CSTP-Split-Include: 198.178.189.0/255.255.255.0
X-CSTP-Split-Include: 198.180.195.0/255.255.255.0
X-CSTP-Split-Include: 198.200.186.0/255.255.255.0
X-CSTP-Split-Include: 198.252.254.0/255.255.255.0
X-CSTP-Split-Include: 199.88.194.0/255.255.255.0
X-CSTP-Split-Include: 199.107.110.0/255.255.255.0
X-CSTP-Split-Include: 199.181.130.0/255.255.255.0
X-CSTP-Split-Include: 204.87.208.0/255.255.255.0
X-CSTP-Split-Include: 204.238.46.0/255.255.255.0
X-CSTP-Split-Include: 206.18.65.0/255.255.255.0
X-CSTP-Split-Include: 206.18.95.0/255.255.255.0
X-CSTP-Split-Include: 208.246.35.0/255.255.255.0
X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
X-CSTP-Split-Include: 192.168.0.0/255.255.0.0
X-CSTP-Split-Include: 172.16.0.0/255.240.0.0
X-CSTP-Split-Include: 204.75.167.0/255.255.255.0
X-CSTP-Keep: true
X-CSTP-Rekey-Time: 1800
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: 1EA3C7330694FABA9804C1AB359252B92DC0F40DF5997A46295C2DE1E6A76122
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 1800
X-CSTP-MTU: 958
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 10.217.142.174, using SSL
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 76 bytes
Sending uncompressed data packet of 76 bytes
Sending uncompressed data packet of 76 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 134 bytes
No work to do; sleeping for 19000 ms...
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 19000 ms...
Received uncompressed data packet of 134 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 134 bytes
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 56 bytes
Received uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 56 bytes
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 56 bytes
No work to do; sleeping for 19000 ms...
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 19000 ms...
Received uncompressed data packet of 56 bytes
Received uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 56 bytes
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 61 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 56 bytes
Received uncompressed data packet of 56 bytes
Received uncompressed data packet of 98 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 56 bytes
Sending uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 56 bytes
Received uncompressed data packet of 56 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 61 bytes
No work to do; sleeping for 18000 ms...
Received uncompressed data packet of 120 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 61 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 120 bytes
No work to do; sleeping for 20000 ms...
Send CSTP Keepalive
Sending uncompressed data packet of 62 bytes
No work to do; sleeping for 10000 ms...
Received uncompressed data packet of 78 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 70 bytes
No work to do; sleeping for 8000 ms...
Received uncompressed data packet of 86 bytes
No work to do; sleeping for 20000 ms...
Send CSTP Keepalive
No work to do; sleeping for 10000 ms...
Send CSTP DPD
No work to do; sleeping for 15000 ms...
Got CSTP DPD response
No work to do; sleeping for 20000 ms...
Send CSTP Keepalive
No work to do; sleeping for 10000 ms...
Sending uncompressed data packet of 65 bytes
No work to do; sleeping for 7000 ms...
Received uncompressed data packet of 265 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 65 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 265 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 61 bytes
No work to do; sleeping for 5000 ms...
Received uncompressed data packet of 237 bytes
No work to do; sleeping for 20000 ms...
Sending uncompressed data packet of 61 bytes
No work to do; sleeping for 20000 ms...
Received uncompressed data packet of 237 bytes
No work to do; sleeping for 20000 ms...

In /var/log/messages, I have this repeating message:

Nov 23 16:42:25 ksylvan-laptop acvpnagent[1196]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1698 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown

Currently the laptop is on wireless and it seems to be a stable VPN connection(!!!!????)

I'll do the same when connected to the wired connection and see what happens.
Comment 30 Kayvan Sylvan 2012-11-23 20:03:58 EST
Now I am only on Wired connection. Pretty soon after this, my connection gets the dreaded Dead Peer Detected message.

I'll repeat this with tcpdump running to see what we can find out.

$ sudo openconnect -v --no-dtls --script ~/vpnc-script-20121122 vpn.playdom.com
Attempting to connect to 209.66.74.34:443
SSL negotiation with vpn.playdom.com
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.playdom.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.playdom.com
GET https://vpn.playdom.com/
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Sat, 24 Nov 2012 00:23:49 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
SSL negotiation with vpn.playdom.com
Server certificate verify failed: signer not found
Connected to HTTPS on vpn.playdom.com
GET https://vpn.playdom.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Fixed options give 
Please enter your username and password.
Username:XXXXXXXXXX
Password:
POST https://vpn.playdom.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpnlogin=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn=<elided>; path=/; secure
Set-Cookie: webvpnc=bu:/CACHE/stc/&p:t&iu:1/&sh:1BB70FDEAB5A89FEC5EDD5D1796DE7B589AFF6CB&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest; path=/; secure
Set-Cookie: webvpnx=
X-Transcend-Version: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 971, snd mss 1380, adv mss 1460, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Address: 10.217.142.175
X-CSTP-Netmask: 255.255.255.0
X-CSTP-DNS: 10.217.148.23
X-CSTP-DNS: 10.217.148.24
X-CSTP-Lease-Duration: 864000
X-CSTP-Session-Timeout: 864000
X-CSTP-Idle-Timeout: 7200
X-CSTP-Disconnected-Timeout: 7200
X-CSTP-Default-Domain: corp.playdom.com
X-CSTP-Split-Include: 172.17.0.0/255.255.0.0
X-CSTP-Split-Include: 172.19.0.0/255.255.0.0
X-CSTP-Split-Include: 172.18.0.0/255.255.0.0
X-CSTP-Split-Include: 10.217.128.0/255.255.224.0
X-CSTP-Split-Include: 172.16.10.0/255.255.255.0
X-CSTP-Split-Include: 10.217.160.0/255.255.252.0
X-CSTP-Split-Include: 10.217.164.0/255.255.254.0
X-CSTP-Split-Include: 139.104.0.0/255.255.0.0
X-CSTP-Split-Include: 153.6.0.0/255.255.0.0
X-CSTP-Split-Include: 153.7.0.0/255.255.0.0
X-CSTP-Split-Include: 153.8.0.0/255.255.0.0
X-CSTP-Split-Include: 157.23.0.0/255.255.0.0
X-CSTP-Split-Include: 160.1.0.0/255.255.0.0
X-CSTP-Split-Include: 167.13.0.0/255.255.0.0
X-CSTP-Split-Include: 192.124.33.0/255.255.255.0
X-CSTP-Split-Include: 192.195.63.0/255.255.255.0
X-CSTP-Split-Include: 192.195.65.0/255.255.255.0
X-CSTP-Split-Include: 192.195.67.0/255.255.255.0
X-CSTP-Split-Include: 198.102.219.0/255.255.255.0
X-CSTP-Split-Include: 198.178.187.0/255.255.255.0
X-CSTP-Split-Include: 198.178.188.0/255.255.255.0
X-CSTP-Split-Include: 198.178.189.0/255.255.255.0
X-CSTP-Split-Include: 198.180.195.0/255.255.255.0
X-CSTP-Split-Include: 198.200.186.0/255.255.255.0
X-CSTP-Split-Include: 198.252.254.0/255.255.255.0
X-CSTP-Split-Include: 199.88.194.0/255.255.255.0
X-CSTP-Split-Include: 199.107.110.0/255.255.255.0
X-CSTP-Split-Include: 199.181.130.0/255.255.255.0
X-CSTP-Split-Include: 204.87.208.0/255.255.255.0
X-CSTP-Split-Include: 204.238.46.0/255.255.255.0
X-CSTP-Split-Include: 206.18.65.0/255.255.255.0
X-CSTP-Split-Include: 206.18.95.0/255.255.255.0
X-CSTP-Split-Include: 208.246.35.0/255.255.255.0
X-CSTP-Split-Include: 10.0.0.0/255.0.0.0
X-CSTP-Split-Include: 192.168.0.0/255.255.0.0
X-CSTP-Split-Include: 172.16.0.0/255.240.0.0
X-CSTP-Split-Include: 204.75.167.0/255.255.255.0
X-CSTP-Keep: true
X-CSTP-Rekey-Time: 1800
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 30
X-CSTP-Keepalive: 20
X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-DTLS-Session-ID: B8D0F75D01EC0B4D625B1DA51B6AF978EC5D6B46531CB99B0F906F5B1A41410E
X-DTLS-Port: 443
X-DTLS-Keepalive: 20
X-DTLS-DPD: 30
X-DTLS-Rekey-Time: 1800
X-CSTP-MTU: 958
X-DTLS-CipherSuite: AES128-SHA
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 10.217.142.175, using SSL
No work to do; sleeping for 19000 ms...
Sending uncompressed data packet of 76 bytes
Comment 31 Kayvan Sylvan 2012-11-23 20:21:03 EST
Here's what the tcpdump looks like:

$ sudo -i tcpdump 'host 209.66.74.34'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:15:01.640377 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57938: Flags [.], ack 3061147757, win 8192, length 0
17:15:01.640436 IP ksylvan-laptop.57938 > 209.66.74.34.available.above.net.https: Flags [.], ack 1, win 15544, length 0
17:15:03.898897 IP ksylvan-laptop.57938 > 209.66.74.34.available.above.net.https: Flags [R.], seq 2, ack 1, win 15544, length 0
17:15:06.124293 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [S], seq 2366119978, win 14600, options [mss 1460,sackOK,TS val 108600482 ecr 0,nop,wscale 7], length 0
17:15:06.132749 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [S.], seq 448154891, ack 2366119979, win 8192, options [mss 1380], length 0
17:15:06.132795 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [.], ack 1, win 14600, length 0
17:15:06.181052 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1:85, ack 1, win 14600, length 84
17:15:06.190671 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [.], ack 85, win 8192, length 0
17:15:06.191652 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [P.], seq 1:529, ack 85, win 8192, length 528
17:15:06.191687 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [.], ack 529, win 15544, length 0
17:15:08.192505 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [P.], seq 85:224, ack 529, win 15544, length 139
17:15:08.202635 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [.], ack 224, win 8192, length 0
17:15:08.202671 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [P.], seq 224:271, ack 529, win 15544, length 47
17:15:08.211198 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [.], ack 271, win 8192, length 0
17:15:08.213311 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [P.], seq 529:576, ack 271, win 8192, length 47
17:15:08.213340 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [.], ack 576, win 15544, length 0
17:15:08.213913 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [P.], seq 271:446, ack 576, win 15544, length 175
17:15:08.224691 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [.], ack 446, win 8192, length 0
17:15:08.233130 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [P.], seq 576:892, ack 446, win 8192, length 316
17:15:08.233157 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [FP.], seq 892, ack 446, win 8192, length 0
17:15:08.233555 IP ksylvan-laptop.57945 > 209.66.74.34.available.above.net.https: Flags [F.], seq 446, ack 893, win 16616, length 0
17:15:08.233758 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [S], seq 1252895385, win 14600, options [mss 1460,sackOK,TS val 108602591 ecr 0,nop,wscale 7], length 0
17:15:08.241197 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57945: Flags [.], ack 447, win 8192, length 0
17:15:08.241929 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [S.], seq 3008347311, ack 1252895386, win 8192, options [mss 1380], length 0
17:15:08.241972 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 1, win 14600, length 0
17:15:08.242322 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1:85, ack 1, win 14600, length 84
17:15:08.252518 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 85, win 8192, length 0
17:15:08.253628 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 1:529, ack 85, win 8192, length 528
17:15:08.253655 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 529, win 15544, length 0
17:15:08.294279 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 85:224, ack 529, win 15544, length 139
17:15:08.304528 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 224, win 8192, length 0
17:15:08.304566 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 224:271, ack 529, win 15544, length 47
17:15:08.312896 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 271, win 8192, length 0
17:15:08.315078 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 529:576, ack 271, win 8192, length 47
17:15:08.315107 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 576, win 15544, length 0
17:15:08.315470 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 271:465, ack 576, win 15544, length 194
17:15:08.326460 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 465, win 8192, length 0
17:15:08.328863 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 576:1547, ack 465, win 8192, length 971
17:15:08.368828 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 1547, win 17478, length 0
17:15:14.082194 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 465:820, ack 1547, win 17478, length 355
17:15:14.094094 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 820, win 8192, length 0
17:15:14.107848 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 1547:2235, ack 820, win 8192, length 688
17:15:14.107891 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 2235, win 19420, length 0
17:15:14.108691 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 820:1388, ack 2235, win 19420, length 568
17:15:14.126964 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 1388, win 8192, length 0
17:15:14.139810 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 2235:3615, ack 1388, win 8192, length 1380
17:15:14.139835 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 3615:3813, ack 1388, win 8192, length 198
17:15:14.139859 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 3813, win 24840, length 0
17:15:14.141778 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 3813:4936, ack 1388, win 8192, length 1123
17:15:14.181819 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 4936, win 27600, length 0
17:15:15.001511 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1388:1491, ack 4936, win 27600, length 103
17:15:15.012406 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 1491, win 8192, length 0
17:15:15.013368 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 4936:5055, ack 1491, win 8192, length 119
17:15:15.013398 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 5055, win 27600, length 0
17:15:15.210727 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1491:1600, ack 5055, win 27600, length 109
17:15:15.234413 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 1600, win 8192, length 0
17:15:15.234464 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1600:1818, ack 5055, win 27600, length 218
17:15:15.252667 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 1818, win 8192, length 0
17:15:15.360768 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 5055:5222, ack 1818, win 8192, length 167
17:15:15.360817 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 5222, win 30360, length 0
17:15:15.361554 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1818:1907, ack 5222, win 30360, length 89
17:15:15.379052 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 5222:5389, ack 1818, win 8192, length 167
17:15:15.392998 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 1907, win 8192, length 0
17:15:15.393046 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1907:1996, ack 5389, win 33120, length 89
17:15:15.393058 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 5389:5478, ack 1907, win 8192, length 89
17:15:15.407167 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 5478:5645, ack 1907, win 8192, length 167
17:15:15.407254 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 5645, win 35880, length 0
17:15:15.425584 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 1996, win 8103, length 0
17:15:15.425640 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1996:2174, ack 5645, win 35880, length 178
17:15:15.425652 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 1996, win 8192, length 0
17:15:15.425662 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 5645:5734, ack 1996, win 8192, length 89
17:15:15.444082 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2174, win 8192, length 0
17:15:15.444123 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2174:2263, ack 5734, win 35880, length 89
17:15:15.444134 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 5734:5823, ack 2174, win 8192, length 89
17:15:15.444344 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 5823:5912, ack 2174, win 8192, length 89
17:15:15.444403 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 5912, win 35880, length 0
17:15:15.469234 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2263, win 8103, length 0
17:15:15.469300 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2263:2441, ack 5912, win 35880, length 178
17:15:15.469312 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2263, win 8192, length 0
17:15:15.469323 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 5912:6001, ack 2263, win 8192, length 89
17:15:15.479319 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2441, win 8192, length 0
17:15:15.479381 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2441:2530, ack 6001, win 35880, length 89
17:15:15.480022 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6001:6090, ack 2441, win 8192, length 89
17:15:15.480551 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6090:6179, ack 2441, win 8192, length 89
17:15:15.480655 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 6179, win 35880, length 0
17:15:15.497813 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2530, win 8103, length 0
17:15:15.497866 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2530:2708, ack 6179, win 35880, length 178
17:15:15.497878 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2530, win 8192, length 0
17:15:15.497888 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6179:6268, ack 2530, win 8192, length 89
17:15:15.534765 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2708, win 8192, length 0
17:15:15.534815 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2708:2797, ack 6268, win 35880, length 89
17:15:15.534826 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6268:6357, ack 2708, win 8192, length 89
17:15:15.535046 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6357:6446, ack 2708, win 8192, length 89
17:15:15.535099 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 6446, win 35880, length 0
17:15:15.563821 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2797, win 8103, length 0
17:15:15.563874 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2797:2886, ack 6446, win 35880, length 89
17:15:15.563886 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2797, win 8192, length 0
17:15:15.564117 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6446:6535, ack 2797, win 8192, length 89
17:15:15.587217 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2886, win 8192, length 0
17:15:15.587257 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6535:6624, ack 2886, win 8192, length 89
17:15:15.587350 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 6624, win 35880, length 0
17:15:18.211684 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2886:2980, ack 6624, win 35880, length 94
17:15:18.220774 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 2980, win 8192, length 0
17:15:18.221704 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6624:6755, ack 2980, win 8192, length 131
17:15:18.260811 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 6755, win 38640, length 0
17:15:38.242235 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2980:3013, ack 6755, win 38640, length 33
17:15:38.348605 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 3013, win 8192, length 0
17:15:43.453595 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3013:3108, ack 6755, win 38640, length 95
17:15:43.462716 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 3108, win 8192, length 0
17:15:43.463369 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6755:6866, ack 3108, win 8192, length 111
17:15:43.463399 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 6866, win 38640, length 0
17:15:43.633023 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3108:3211, ack 6866, win 38640, length 103
17:15:43.642006 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 3211, win 8192, length 0
17:15:43.666909 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 6866:7071, ack 3211, win 8192, length 205
17:15:43.666964 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 7071, win 41400, length 0
17:15:43.667648 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3211:3314, ack 7071, win 41400, length 103
17:15:43.676755 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [.], ack 3314, win 8192, length 0
17:15:43.677717 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.57946: Flags [P.], seq 7071:7276, ack 3314, win 8192, length 205
17:15:43.716842 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [.], ack 7276, win 41400, length 0
17:16:03.698125 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3314:3347, ack 7276, win 41400, length 33
17:16:03.923841 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3314:3347, ack 7276, win 41400, length 33
17:16:04.376823 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3314:3347, ack 7276, win 41400, length 33
17:16:05.281841 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3314:3347, ack 7276, win 41400, length 33
17:16:07.093838 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3314:3347, ack 7276, win 41400, length 33
17:16:10.713832 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3314:3347, ack 7276, win 41400, length 33

And around when it starts to fail:

17:16:44.009635 IP ksylvan-laptop.57955 > 209.66.74.34.available.above.net.https: Flags [S], seq 2318184515, win 14600, options [mss 1460,sackOK,TS val 108698367 ecr 0,nop,wscale 7], length 0
17:16:45.009836 IP ksylvan-laptop.57955 > 209.66.74.34.available.above.net.https: Flags [S], seq 2318184515, win 14600, options [mss 1460,sackOK,TS val 108699368 ecr 0,nop,wscale 7], length 0
17:16:47.013822 IP ksylvan-laptop.57955 > 209.66.74.34.available.above.net.https: Flags [S], seq 2318184515, win 14600, options [mss 1460,sackOK,TS val 108701372 ecr 0,nop,wscale 7], length 0
17:16:51.017840 IP ksylvan-laptop.57955 > 209.66.74.34.available.above.net.https: Flags [S], seq 2318184515, win 14600, options [mss 1460,sackOK,TS val 108705376 ecr 0,nop,wscale 7], length 0
17:16:59.033847 IP ksylvan-laptop.57955 > 209.66.74.34.available.above.net.https: Flags [S], seq 2318184515, win 14600, options [mss 1460,sackOK,TS val 108713392 ecr 0,nop,wscale 7], length 0
17:17:01.417847 IP ksylvan-laptop.57946 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3314:3347, ack 7276, win 41400, length 33
17:17:15.049839 IP ksylvan-laptop.57955 > 209.66.74.34.available.above.net.https: Flags [S], seq 2318184515, win 14600, options [mss 1460,sackOK,TS val 108729408 ecr 0,nop,wscale 7], length 0
17:17:57.114271 IP ksylvan-laptop.57956 > 209.66.74.34.available.above.net.https: Flags [S], seq 555046057, win 14600, options [mss 1460,sackOK,TS val 108771472 ecr 0,nop,wscale 7], length 0
17:17:58.115835 IP ksylvan-laptop.57956 > 209.66.74.34.available.above.net.https: Flags [S], seq 555046057, win 14600, options [mss 1460,sackOK,TS val 108772474 ecr 0,nop,wscale 7], length 0
17:18:00.121835 IP ksylvan-laptop.57956 > 209.66.74.34.available.above.net.https: Flags [S], seq 555046057, win 14600, options [mss 1460,sackOK,TS val 108774480 ecr 0,nop,wscale 7], length 0
17:18:04.129836 IP ksylvan-laptop.57956 > 209.66.74.34.available.above.net.https: Flags [S], seq 555046057, win 14600, options [mss 1460,sackOK,TS val 108778488 ecr 0,nop,wscale 7], length 0
17:18:12.137832 IP ksylvan-laptop.57956 > 209.66.74.34.available.above.net.https: Flags [S], seq 555046057, win 14600, options [mss 1460,sackOK,TS val 108786496 ecr 0,nop,wscale 7], length 0
17:18:28.169854 IP ksylvan-laptop.57956 > 209.66.74.34.available.above.net.https: Flags [S], seq 555046057, win 14600, options [mss 1460,sackOK,TS val 108802528 ecr 0,nop,wscale 7], length 0
Comment 32 David Woodhouse 2012-11-24 11:20:33 EST
It's actually starting to fail at about 17:15:43.677717. That is the last packet you receive from the server. After that, it's all outbound traffic from your laptop to the server... and nothing gets back.

At this point, I'm inclined to blame something on your local network. Can you do the tcpdump somewhere upstream — on the router that actually connects you to the outside world, perhaps? 

Also: why is acvpnagent running? That's the Cisco client, which could be doing all kinds of weird things. Make it die.
Comment 33 Kayvan Sylvan 2012-11-25 02:42:10 EST
Okay, uninstalled the Cisco client and here is a tcpdump of the dying session from my router machine:

Script started on Sat 24 Nov 2012 11:35:48 PM PST
# tcpdump 'host 209.66.74.34'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:36:17.895833 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: S 1243144552:1243144552(0) win 14600 <mss 1460,sackOK,timestamp 217872252 0,nop,wscale 7>
23:36:17.903015 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: S 1278782144:1278782144(0) ack 1243144553 win 8192 <mss 1380>
23:36:17.904041 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: . ack 1 win 14600
23:36:17.957776 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: P 1:85(84) ack 1 win 14600
23:36:17.965825 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: . ack 85 win 8192
23:36:17.967065 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: P 1:529(528) ack 85 win 8192
23:36:17.968064 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: . ack 529 win 15544
23:36:22.125629 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: P 85:224(139) ack 529 win 15544
23:36:22.134553 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: . ack 224 win 8192
23:36:22.135571 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: P 224:271(47) ack 529 win 15544
23:36:22.143179 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: . ack 271 win 8192
23:36:22.145136 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: P 529:576(47) ack 271 win 8192
23:36:22.146130 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: . ack 576 win 15544
23:36:22.146148 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: P 271:446(175) ack 576 win 15544
23:36:22.156484 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: . ack 446 win 8192
23:36:22.164893 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: P 576:892(316) ack 446 win 8192
23:36:22.165044 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: FP 892:892(0) ack 446 win 8192
23:36:22.165903 IP satyr.sylvan.com.60697 > 209.66.74.34.available.above.net.https: F 446:446(0) ack 893 win 16616
23:36:22.165938 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: S 3710510590:3710510590(0) win 14600 <mss 1460,sackOK,timestamp 217876523 0,nop,wscale 7>
23:36:22.172999 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60697: . ack 447 win 8192
23:36:22.174181 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: S 839516788:839516788(0) ack 3710510591 win 8192 <mss 1380>
23:36:22.175180 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 1 win 14600
23:36:22.175199 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 1:85(84) ack 1 win 14600
23:36:22.184794 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 85 win 8192
23:36:22.186024 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 1:529(528) ack 85 win 8192
23:36:22.187019 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 529 win 15544
23:36:22.217725 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 85:224(139) ack 529 win 15544
23:36:22.226703 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 224 win 8192
23:36:22.227703 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 224:271(47) ack 529 win 15544
23:36:22.235105 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 271 win 8192
23:36:22.237038 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 529:576(47) ack 271 win 8192
23:36:22.238030 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 271:465(194) ack 576 win 15544
23:36:22.246900 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 465 win 7998
23:36:22.247074 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 465 win 8192
23:36:22.249164 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 576:1547(971) ack 465 win 8192
23:36:22.290264 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 1547 win 17478
23:36:27.839413 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 465:820(355) ack 1547 win 17478
23:36:27.850538 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 820 win 8192
23:36:27.864612 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 1547:2235(688) ack 820 win 8192
23:36:27.865615 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 2235 win 19420
23:36:27.866694 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 820:1388(568) ack 2235 win 19420
23:36:27.880579 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 1388 win 8192
23:36:27.884864 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 2235:3615(1380) ack 1388 win 8192
23:36:27.885243 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 3615:3813(198) ack 1388 win 8192
23:36:27.885864 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 3813 win 24840
23:36:27.887086 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 3813:4936(1123) ack 1388 win 8192
23:36:27.928224 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 4936 win 27600
23:36:28.840663 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 1388:1505(117) ack 4936 win 27600
23:36:28.849861 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 1505 win 8192
23:36:28.871570 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 4936:5053(117) ack 1505 win 8192
23:36:28.872572 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 5053 win 27600
23:36:29.842658 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 1505:1622(117) ack 5053 win 27600
23:36:29.851139 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 1622 win 8192
23:36:29.873761 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5053:5170(117) ack 1622 win 8192
23:36:29.874763 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 5170 win 27600
23:36:30.843703 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 1622:1739(117) ack 5170 win 27600
23:36:30.851927 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 1739 win 8192
23:36:30.874059 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5170:5287(117) ack 1739 win 8192
23:36:30.875055 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 5287 win 27600
23:36:31.845009 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 1739:1856(117) ack 5287 win 27600
23:36:31.853196 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 1856 win 8192
23:36:31.875574 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5287:5404(117) ack 1856 win 8192
23:36:31.876573 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 5404 win 27600
23:36:32.846477 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 1856:1973(117) ack 5404 win 27600
23:36:32.854745 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 1973 win 8192
23:36:32.877354 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5404:5521(117) ack 1973 win 8192
23:36:32.878348 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 5521 win 27600
23:36:33.848101 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 1973:2090(117) ack 5521 win 27600
23:36:33.856271 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2090 win 8192
23:36:33.878404 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5521:5638(117) ack 2090 win 8192
23:36:33.879397 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 5638 win 27600
23:36:34.849477 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2090:2207(117) ack 5638 win 27600
23:36:34.857779 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2207 win 8192
23:36:34.879690 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5638:5755(117) ack 2207 win 8192
23:36:34.880682 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 5755 win 27600
23:36:35.850217 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2207:2324(117) ack 5755 win 27600
23:36:35.858322 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2324 win 8192
23:36:35.880452 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5755:5872(117) ack 2324 win 8192
23:36:35.881383 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: . ack 5872 win 27600
23:36:36.852029 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2324:2441(117) ack 5872 win 27600
23:36:36.860349 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2441 win 8192
23:36:36.882270 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:37.013349 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:37.062315 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2324:2441(117) ack 5872 win 27600
23:36:37.070505 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2441 win 8192
23:36:37.231386 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:37.485253 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2324:2441(117) ack 5872 win 27600
23:36:37.493540 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2441 win 8192
23:36:37.650711 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:38.331344 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2324:2441(117) ack 5872 win 27600
23:36:38.339350 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2441 win 8192
23:36:38.472656 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:39.861299 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:36:39.861323 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
23:36:39.861339 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:36:40.023280 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2324:2441(117) ack 5872 win 27600
23:36:40.031230 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2441 win 8192
23:36:40.100012 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:43.032299 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
23:36:43.032323 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:36:43.320618 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:43.403348 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2324:2441(117) ack 5872 win 27600
23:36:43.411295 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2441 win 8192
23:36:46.321301 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:36:46.321328 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
23:36:46.541266 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:49.542289 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:36:49.761951 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:50.171235 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2324:2441(117) ack 5872 win 27600
23:36:50.179300 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2441 win 8192
23:36:52.762287 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:36:52.762307 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
23:36:52.982596 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:55.983289 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:36:56.203271 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:36:59.204294 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:36:59.423931 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:37:02.424288 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:37:02.644576 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:37:03.723439 IP satyr.sylvan.com.60698 > 209.66.74.34.available.above.net.https: P 2324:2441(117) ack 5872 win 27600
23:37:03.731567 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: . ack 2441 win 8192
23:37:05.645291 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:37:05.645312 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
23:37:05.865460 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:5989(117) ack 2441 win 8192
23:37:06.905402 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5989:6022(33) ack 2441 win 8192
23:37:08.866288 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 165
23:37:08.866309 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 81
23:37:09.086129 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:6022(150) ack 2441 win 8192
23:37:12.086291 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 198
23:37:12.306780 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:6022(150) ack 2441 win 8192
23:37:15.307297 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 198
23:37:15.527400 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:6022(150) ack 2441 win 8192
23:37:18.528291 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 198
23:37:18.748096 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:6022(150) ack 2441 win 8192
23:37:21.748293 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 198
23:37:21.968736 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:6022(150) ack 2441 win 8192
23:37:24.969296 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 198
23:37:25.189420 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.60698: P 5872:6022(150) ack 2441 win 8192
^C
138 packets captured
138 packets received by filter
0 packets dropped by kernel
# exit

Script done on Sat 24 Nov 2012 11:37:27 PM PST
Comment 34 David Woodhouse 2012-11-25 10:35:27 EST
23:36:36.882270 shows the server sending a packet of data (5872:5989) that the internal client doesn't ever seem to receive. The client just keeps acking as far as 5872, and no more. And eventually your router starts sending ICMP host unreachable in response to the active connection.

Would be interesting to capture both internal and external tcpdump from the *same* connection — I'm comparing comment 31 and comment 33 which are different connections. But basically it looks like your NAT box is doing something odd. Not sure why a difference in OpenConnect would make any difference to that, though.

Are you able to test this from a real connection without NAT, firewalling or any other brokenness?
Comment 35 Kayvan Sylvan 2012-11-25 18:18:19 EST
No, I'm not able to test this from a direct connection.

Here is the tcpdump output from the router machine and from the laptop, for the same session:

First: From the router machine:

Script started on Sun 25 Nov 2012 03:07:00 PM PST
# tcpdump 'host 209.66.74.34'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:08:46.878190 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: S 4243900987:4243900987(0) win 14600 <mss 1460,sackOK,timestamp 273821238 0,nop,wscale 7>
15:08:46.885097 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: S 2254758891:2254758891(0) ack 4243900988 win 8192 <mss 1380>
15:08:46.886135 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: . ack 1 win 14600
15:08:46.943599 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: P 1:85(84) ack 1 win 14600
15:08:46.952110 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: . ack 85 win 8192
15:08:46.953111 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: P 1:529(528) ack 85 win 8192
15:08:46.954109 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: . ack 529 win 15544
15:08:49.136733 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: P 85:224(139) ack 529 win 15544
15:08:49.145387 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: . ack 224 win 8192
15:08:49.146405 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: P 224:271(47) ack 529 win 15544
15:08:49.154247 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: . ack 271 win 8192
15:08:49.155954 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: P 529:576(47) ack 271 win 8192
15:08:49.156945 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: . ack 576 win 15544
15:08:49.156962 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: P 271:446(175) ack 576 win 15544
15:08:49.167571 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: . ack 446 win 8192
15:08:49.175445 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: P 576:892(316) ack 446 win 8192
15:08:49.175614 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: FP 892:892(0) ack 446 win 8192
15:08:49.176449 IP satyr.sylvan.com.33939 > 209.66.74.34.available.above.net.https: F 446:446(0) ack 893 win 16616
15:08:49.176484 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: S 2295074479:2295074479(0) win 14600 <mss 1460,sackOK,timestamp 273823537 0,nop,wscale 7>
15:08:49.183544 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33939: . ack 447 win 8192
15:08:49.184506 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: S 1701831959:1701831959(0) ack 2295074480 win 8192 <mss 1380>
15:08:49.185535 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 1 win 14600
15:08:49.185552 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 1:85(84) ack 1 win 14600
15:08:49.194899 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 85 win 8192
15:08:49.196131 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 1:529(528) ack 85 win 8192
15:08:49.197122 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 529 win 15544
15:08:49.233328 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 85:224(139) ack 529 win 15544
15:08:49.241969 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 224 win 8192
15:08:49.242962 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 224:271(47) ack 529 win 15544
15:08:49.250389 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 271 win 8192
15:08:49.252294 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 529:576(47) ack 271 win 8192
15:08:49.253282 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 271:465(194) ack 576 win 15544
15:08:49.262155 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 465 win 7998
15:08:49.262341 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 465 win 8192
15:08:49.264429 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 576:1547(971) ack 465 win 8192
15:08:49.305618 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 1547 win 17478
15:08:55.458678 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 465:820(355) ack 1547 win 17478
15:08:55.470420 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 820 win 8192
15:08:55.483295 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 1547:2235(688) ack 820 win 8192
15:08:55.484287 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 2235 win 19420
15:08:55.485369 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 820:1388(568) ack 2235 win 19420
15:08:55.498729 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 1388 win 8192
15:08:55.502750 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 2235:3615(1380) ack 1388 win 8192
15:08:55.503110 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 3615:3813(198) ack 1388 win 8192
15:08:55.503753 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 3813 win 24840
15:08:55.504954 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 3813:4936(1123) ack 1388 win 8192
15:08:55.545595 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 4936 win 27600
15:08:56.569927 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 1388:1497(109) ack 4936 win 27600
15:08:56.578164 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 1497 win 8192
15:08:56.579181 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 1497:1715(218) ack 4936 win 27600
15:08:56.588948 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 1715 win 8192
15:08:56.712130 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 4936:5103(167) ack 1715 win 8192
15:08:56.713131 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 5103 win 30360
15:08:56.713150 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 1715:1804(89) ack 5103 win 30360
15:08:56.722735 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 1804 win 8192
15:08:56.723415 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5103:5192(89) ack 1804 win 8192
15:08:56.725272 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 1804:1893(89) ack 5192 win 30360
15:08:56.733819 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 1893 win 8103
15:08:56.734001 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 1893 win 8192
15:08:56.734261 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5192:5281(89) ack 1893 win 8192
15:08:56.736101 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 1893:1982(89) ack 5281 win 30360
15:08:56.744452 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 1982 win 8103
15:08:56.744609 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 1982 win 8192
15:08:56.744872 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5281:5370(89) ack 1982 win 8192
15:08:56.746855 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 1982:2071(89) ack 5370 win 30360
15:08:56.754768 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2071 win 8103
15:08:56.754944 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2071 win 8192
15:08:56.755442 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5370:5459(89) ack 2071 win 8192
15:08:56.778653 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5459:5626(167) ack 2071 win 8192
15:08:56.779646 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 5626 win 33120
15:08:56.780710 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2071:2160(89) ack 5626 win 33120
15:08:56.789011 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2160 win 8192
15:08:56.789714 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5626:5715(89) ack 2160 win 8192
15:08:56.791408 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2160:2249(89) ack 5715 win 33120
15:08:56.796164 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5715:5882(167) ack 2160 win 8192
15:08:56.799572 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2249 win 8103
15:08:56.799802 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2249 win 8192
15:08:56.800320 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5882:5971(89) ack 2249 win 8192
15:08:56.800564 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2249:2338(89) ack 5882 win 35880
15:08:56.808713 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2338 win 8103
15:08:56.808899 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2338 win 8192
15:08:56.809417 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 5971:6060(89) ack 2338 win 8192
15:08:56.809708 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2338:2427(89) ack 5971 win 35880
15:08:56.817607 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2427 win 8103
15:08:56.817791 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2427 win 8192
15:08:56.818258 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 6060:6149(89) ack 2427 win 8192
15:08:56.818609 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2427:2516(89) ack 6060 win 35880
15:08:56.826951 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2516 win 8103
15:08:56.827131 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2516 win 8192
15:08:56.827653 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 6149:6238(89) ack 2516 win 8192
15:08:56.827954 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2516:2605(89) ack 6149 win 35880
15:08:56.835811 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2605 win 8103
15:08:56.835998 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2605 win 8192
15:08:56.836556 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 6238:6327(89) ack 2605 win 8192
15:08:56.836805 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2605:2694(89) ack 6238 win 35880
15:08:56.844689 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2694 win 8103
15:08:56.844863 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2694 win 8192
15:08:56.845143 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 6327:6416(89) ack 2694 win 8192
15:08:56.845703 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 6416 win 35880
15:08:56.846778 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2694:2783(89) ack 6416 win 35880
15:08:56.854553 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2783 win 8192
15:08:56.855223 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 6416:6505(89) ack 2783 win 8192
15:08:56.896605 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 6505 win 35880
15:09:00.362859 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2783:2881(98) ack 6505 win 35880
15:09:00.370860 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2881 win 8192
15:09:00.397938 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 6505:6803(298) ack 2881 win 8192
15:09:00.398930 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 6803 win 38640
15:09:00.399974 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2881:2979(98) ack 6803 win 38640
15:09:00.408286 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 2979 win 8192
15:09:00.409289 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 6803:7101(298) ack 2979 win 8192
15:09:00.450611 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 7101 win 41400
15:09:00.581266 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 2979:3072(93) ack 7101 win 41400
15:09:00.590587 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3072 win 8192
15:09:00.591593 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3072:3166(94) ack 7101 win 41400
15:09:00.600261 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3166 win 8192
15:09:01.567899 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3166:3260(94) ack 7101 win 41400
15:09:01.576128 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3260 win 8192
15:09:01.576808 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 7101:7232(131) ack 3260 win 8192
15:09:01.577137 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 7232 win 41400
15:09:02.419792 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3260:3354(94) ack 7232 win 41400
15:09:02.428350 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3354 win 8192
15:09:02.429299 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 7232:7385(153) ack 3354 win 8192
15:09:02.430343 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 7385 win 41400
15:09:02.430360 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3354:3448(94) ack 7385 win 41400
15:09:02.439693 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3448 win 8192
15:09:02.440400 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: P 7385:7538(153) ack 3448 win 8192
15:09:02.481664 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: . ack 7538 win 41400
15:09:14.595791 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3448:3541(93) ack 7538 win 41400
15:09:14.603614 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3541 win 8192
15:09:14.805584 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3448:3541(93) ack 7538 win 41400
15:09:14.813768 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3541 win 8192
15:09:15.226470 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3448:3541(93) ack 7538 win 41400
15:09:15.234832 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3541 win 8192
15:09:16.067534 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3448:3541(93) ack 7538 win 41400
15:09:16.076322 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3541 win 8192
15:09:17.604288 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
15:09:17.604307 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
15:09:17.604326 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
15:09:17.751683 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3448:3541(93) ack 7538 win 41400
15:09:17.759967 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3541 win 8192
15:09:21.119508 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3448:3541(93) ack 7538 win 41400
15:09:21.127696 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3541 win 8192
15:09:27.847668 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3448:3541(93) ack 7538 win 41400
15:09:27.856041 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3541 win 8192
15:09:30.353335 IP satyr.sylvan.com > 209.66.74.34.available.above.net: ICMP host satyr.sylvan.com unreachable, length 48
15:09:41.319600 IP satyr.sylvan.com.33940 > 209.66.74.34.available.above.net.https: P 3448:3541(93) ack 7538 win 41400
15:09:41.327961 IP 209.66.74.34.available.above.net.https > satyr.sylvan.com.33940: . ack 3541 win 8192
^C
147 packets captured
147 packets received by filter
0 packets dropped by kernel

Script done on Sun 25 Nov 2012 03:10:03 PM PST

And now, from the laptop (where I'm trying to connect):

Script started on Sun 25 Nov 2012 03:08:27 PM PST
$ sudo tcpdump -i em1 'host 209.66.74.34'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
15:08:46.880402 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [S], seq 4243900987, win 14600, options [mss 1460,sackOK,TS val 273821238 ecr 0,nop,wscale 7], length 0
15:08:46.888644 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [S.], seq 2254758891, ack 4243900988, win 8192, options [mss 1380], length 0
15:08:46.888689 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [.], ack 1, win 14600, length 0
15:08:46.945827 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1:85, ack 1, win 14600, length 84
15:08:46.955687 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [.], ack 85, win 8192, length 0
15:08:46.956695 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [P.], seq 1:529, ack 85, win 8192, length 528
15:08:46.956721 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [.], ack 529, win 15544, length 0
15:08:49.138929 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [P.], seq 85:224, ack 529, win 15544, length 139
15:08:49.149048 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [.], ack 224, win 8192, length 0
15:08:49.149084 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [P.], seq 224:271, ack 529, win 15544, length 47
15:08:49.157869 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [.], ack 271, win 8192, length 0
15:08:49.159463 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [P.], seq 529:576, ack 271, win 8192, length 47
15:08:49.159495 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [.], ack 576, win 15544, length 0
15:08:49.160008 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [P.], seq 271:446, ack 576, win 15544, length 175
15:08:49.171129 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [.], ack 446, win 8192, length 0
15:08:49.179066 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [P.], seq 576:892, ack 446, win 8192, length 316
15:08:49.179094 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [FP.], seq 892, ack 446, win 8192, length 0
15:08:49.179450 IP ksylvan-laptop.33939 > 209.66.74.34.available.above.net.https: Flags [F.], seq 446, ack 893, win 16616, length 0
15:08:49.179657 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [S], seq 2295074479, win 14600, options [mss 1460,sackOK,TS val 273823537 ecr 0,nop,wscale 7], length 0
15:08:49.187126 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33939: Flags [.], ack 447, win 8192, length 0
15:08:49.188105 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [S.], seq 1701831959, ack 2295074480, win 8192, options [mss 1380], length 0
15:08:49.188149 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 1, win 14600, length 0
15:08:49.188457 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1:85, ack 1, win 14600, length 84
15:08:49.198499 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 85, win 8192, length 0
15:08:49.199757 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 1:529, ack 85, win 8192, length 528
15:08:49.199785 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 529, win 15544, length 0
15:08:49.235550 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 85:224, ack 529, win 15544, length 139
15:08:49.245538 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 224, win 8192, length 0
15:08:49.245575 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 224:271, ack 529, win 15544, length 47
15:08:49.253930 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 271, win 8192, length 0
15:08:49.255891 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 529:576, ack 271, win 8192, length 47
15:08:49.256357 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 271:465, ack 576, win 15544, length 194
15:08:49.265757 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 465, win 7998, length 0
15:08:49.265788 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 465, win 8192, length 0
15:08:49.268137 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 576:1547, ack 465, win 8192, length 971
15:08:49.307841 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 1547, win 17478, length 0
15:08:55.460825 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 465:820, ack 1547, win 17478, length 355
15:08:55.474051 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 820, win 8192, length 0
15:08:55.486944 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 1547:2235, ack 820, win 8192, length 688
15:08:55.486982 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 2235, win 19420, length 0
15:08:55.487865 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 820:1388, ack 2235, win 19420, length 568
15:08:55.502371 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 1388, win 8192, length 0
15:08:55.506744 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 2235:3615, ack 1388, win 8192, length 1380
15:08:55.506767 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 3615:3813, ack 1388, win 8192, length 198
15:08:55.506784 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 3813, win 24840, length 0
15:08:55.508758 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 3813:4936, ack 1388, win 8192, length 1123
15:08:55.547832 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 4936, win 27600, length 0
15:08:56.572124 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1388:1497, ack 4936, win 27600, length 109
15:08:56.581815 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 1497, win 8192, length 0
15:08:56.581859 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1497:1715, ack 4936, win 27600, length 218
15:08:56.592551 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 1715, win 8192, length 0
15:08:56.715680 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 4936:5103, ack 1715, win 8192, length 167
15:08:56.715730 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 5103, win 30360, length 0
15:08:56.716306 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1715:1804, ack 5103, win 30360, length 89
15:08:56.726286 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 1804, win 8192, length 0
15:08:56.726974 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5103:5192, ack 1804, win 8192, length 89
15:08:56.727503 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1804:1893, ack 5192, win 30360, length 89
15:08:56.737459 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 1893, win 8103, length 0
15:08:56.737495 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 1893, win 8192, length 0
15:08:56.737742 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5192:5281, ack 1893, win 8192, length 89
15:08:56.738333 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1893:1982, ack 5281, win 30360, length 89
15:08:56.747945 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 1982, win 8103, length 0
15:08:56.747982 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 1982, win 8192, length 0
15:08:56.748511 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5281:5370, ack 1982, win 8192, length 89
15:08:56.749087 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 1982:2071, ack 5370, win 30360, length 89
15:08:56.758344 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2071, win 8103, length 0
15:08:56.758368 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2071, win 8192, length 0
15:08:56.759010 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5370:5459, ack 2071, win 8192, length 89
15:08:56.782213 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5459:5626, ack 2071, win 8192, length 167
15:08:56.782308 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 5626, win 33120, length 0
15:08:56.782996 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2071:2160, ack 5626, win 33120, length 89
15:08:56.792657 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2160, win 8192, length 0
15:08:56.793207 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5626:5715, ack 2160, win 8192, length 89
15:08:56.793640 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2160:2249, ack 5715, win 33120, length 89
15:08:56.799835 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5715:5882, ack 2160, win 8192, length 167
15:08:56.803062 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2249, win 8103, length 0
15:08:56.803095 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2249:2338, ack 5882, win 35880, length 89
15:08:56.803316 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2249, win 8192, length 0
15:08:56.803953 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5882:5971, ack 2249, win 8192, length 89
15:08:56.812201 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2338, win 8103, length 0
15:08:56.812246 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2338:2427, ack 5971, win 35880, length 89
15:08:56.812254 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2338, win 8192, length 0
15:08:56.813014 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 5971:6060, ack 2338, win 8192, length 89
15:08:56.821192 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2427, win 8103, length 0
15:08:56.821220 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2427:2516, ack 6060, win 35880, length 89
15:08:56.821229 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2427, win 8192, length 0
15:08:56.821830 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 6060:6149, ack 2427, win 8192, length 89
15:08:56.830533 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2516, win 8103, length 0
15:08:56.830559 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2516:2605, ack 6149, win 35880, length 89
15:08:56.830568 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2516, win 8192, length 0
15:08:56.831243 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 6149:6238, ack 2516, win 8192, length 89
15:08:56.839329 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2605, win 8103, length 0
15:08:56.839361 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2605:2694, ack 6238, win 35880, length 89
15:08:56.839369 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2605, win 8192, length 0
15:08:56.840123 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 6238:6327, ack 2605, win 8192, length 89
15:08:56.848281 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2694, win 8103, length 0
15:08:56.848310 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2694, win 8192, length 0
15:08:56.848742 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 6327:6416, ack 2694, win 8192, length 89
15:08:56.848823 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 6416, win 35880, length 0
15:08:56.849285 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2694:2783, ack 6416, win 35880, length 89
15:08:56.858153 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2783, win 8192, length 0
15:08:56.858799 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 6416:6505, ack 2783, win 8192, length 89
15:08:56.898845 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 6505, win 35880, length 0
15:09:00.365100 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2783:2881, ack 6505, win 35880, length 98
15:09:00.374510 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2881, win 8192, length 0
15:09:00.401513 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 6505:6803, ack 2881, win 8192, length 298
15:09:00.401557 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 6803, win 38640, length 0
15:09:00.402203 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2881:2979, ack 6803, win 38640, length 98
15:09:00.411929 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 2979, win 8192, length 0
15:09:00.412868 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 6803:7101, ack 2979, win 8192, length 298
15:09:00.452867 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 7101, win 41400, length 0
15:09:00.584348 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 2979:3072, ack 7101, win 41400, length 93
15:09:00.594097 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 3072, win 8192, length 0
15:09:00.594131 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3072:3166, ack 7101, win 41400, length 94
15:09:00.603869 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 3166, win 8192, length 0
15:09:01.570096 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3166:3260, ack 7101, win 41400, length 94
15:09:01.579761 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 3260, win 8192, length 0
15:09:01.580310 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 7101:7232, ack 3260, win 8192, length 131
15:09:01.580336 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 7232, win 41400, length 0
15:09:02.422031 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3260:3354, ack 7232, win 41400, length 94
15:09:02.431972 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 3354, win 8192, length 0
15:09:02.432806 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 7232:7385, ack 3354, win 8192, length 153
15:09:02.432832 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 7385, win 41400, length 0
15:09:02.433442 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3354:3448, ack 7385, win 41400, length 94
15:09:02.443292 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [.], ack 3448, win 8192, length 0
15:09:02.444000 IP 209.66.74.34.available.above.net.https > ksylvan-laptop.33940: Flags [P.], seq 7385:7538, ack 3448, win 8192, length 153
15:09:02.483885 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [.], ack 7538, win 41400, length 0
15:09:14.598064 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3448:3541, ack 7538, win 41400, length 93
15:09:14.807822 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3448:3541, ack 7538, win 41400, length 93
15:09:15.228854 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3448:3541, ack 7538, win 41400, length 93
15:09:16.069855 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3448:3541, ack 7538, win 41400, length 93
15:09:17.753873 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3448:3541, ack 7538, win 41400, length 93
15:09:21.121814 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3448:3541, ack 7538, win 41400, length 93
15:09:27.849864 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3448:3541, ack 7538, win 41400, length 93
15:09:41.321875 IP ksylvan-laptop.33940 > 209.66.74.34.available.above.net.https: Flags [P.], seq 3448:3541, ack 7538, win 41400, length 93
^C
135 packets captured
135 packets received by filter
0 packets dropped by kernel


Script done on Sun 25 Nov 2012 03:09:58 PM PST
Comment 36 David Woodhouse 2012-11-26 03:23:39 EST
That's interesting. There's a 12-second period when the link is idle. And during that time, your NAT box seems to have completely forgotten about the connection. If you can't get a proper Internet connection, can you at least fix the NAT box so it doesn't time out so quickly?

There's a similar pause in the trace in comment 31, from 17:15:43.716842 to
17:16:03.698125.

I don't see a similar pause in comment 33; maybe that's a *different* brokenness in your NAT? And I don't understand why one version of OpenConnect sees this, and another doesn't. Perhaps it's something coincidental... like the Fedora 16 installation constantly spewing something like mDNS on the VPN link so it never goes idle for that long?

Once thing you can try, if you can't fix the network, is reducing the keepalive values to make sure the link doesn't go idle for so long. We already have a --force-dpd option, so try --force-dpd=5. And we can look at making a --force-keepalive option too.

Of course, there's still the fact that you couldn't make *new* outbound connections, when one died and it tried to reconnect. Your latest tcpdump doesn't include that, but an earlier internal one showed your laptop sending SYN packets to open a new connection, and never getting anything back. I'm guessing that's a brokenness in your NAT box too?

What *are* you using for the NAT?
Comment 37 Kayvan Sylvan 2012-11-30 12:46:45 EST
I have an old Fedora 9 box acting as my NAT and internal router.

Note You need to log in before you can comment on or make changes to this bug.