
Openconnect VPN broken: ocserv-worker general protection fault on client connect
Closed, Resolved | Public | BUG

Description

OpenConnect server VPN is not working in VyOS 1.3.0-epa2 due to a general protection fault in the ocserv-worker process on client connect. Clients are unable to connect.

The issue is reproducible with both the Cisco AnyConnect client and the native OpenConnect client.

ocserv config:

# show vpn openconnect 
 authentication {
     mode radius
     radius {
         server 192.168.xx.xx {
             key ********
         }
         source-address 192.168.xx.1
     }
 }
 listen-ports {
     tcp 443
     udp 443
 }
 network-settings {
     client-ip-settings {
         subnet 192.168.xxx.0/24
     }
     name-server 192.168.xx.xx
     name-server 192.168.xx.xx
     push-route 192.168.xx.0/24
 }
 ssl {
     cert-file /config/auth/cert-chain.pem
     key-file /config/auth/key.pem
 }

dmesg:

traps: ocserv-worker[xxxxx] general protection fault ip:xxxxxxx sp:xxxxxxxx error:0 in libc-2.28.so

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3.0-epa2
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

dutty renamed this task from ocserv-worker general protection fault on client connect to Openconnect VPN broken: ocserv-worker general protection fault on client connect. Oct 23 2021, 12:19 PM

The client (IP: 192.168.122.78) doesn't connect to VyOS via OpenConnect VPN.
Tested on version: VyOS 1.3.0-epa2

VyOS configuration:

set interfaces ethernet eth0 address '192.168.122.100/24'
set interfaces ethernet eth1 address '10.10.10.1/24'
set vpn openconnect authentication local-users username user password '123'
set vpn openconnect authentication mode 'local'
set vpn openconnect network-settings client-ip-settings subnet '10.10.10.0/24'
set vpn openconnect network-settings name-server '1.1.1.1'
set vpn openconnect ssl ca-cert-file '/config/auth/ca.pem'
set vpn openconnect ssl cert-file '/config/auth/servercert.pem'
set vpn openconnect ssl key-file '/config/auth/serverkey.pem'

VyOS logs:

Oct 23 12:56:46 vyos ocserv[3924]: main:192.168.122.78:51039 user disconnected (reason: unspecified, rx: 0, tx: 0)
Oct 23 12:56:46 vyos kernel: traps: ocserv-worker[4936] general protection fault ip:7f7a1ee4613b sp:7fffd02cacd8 error:0 in libc-2.28.so[7f7a1edc6000+148000]
Oct 23 12:56:46 vyos ocserv[3924]: main:192.168.122.78:51040 user disconnected (reason: unspecified, rx: 0, tx: 0)
Oct 23 12:56:46 vyos kernel: traps: ocserv-worker[4937] general protection fault ip:7f7a1ee4613b sp:7fffd02cacd8 error:0 in libc-2.28.so[7f7a1edc6000+148000]

Windows OpenConnect-GUI VPN client (version 1.5.3) logs:

2021-10-23 15:22:59 |  fd8 | POST https://192.168.122.100/
2021-10-23 15:22:59 |  fd8 | Attempting to connect to server 192.168.122.100:443
2021-10-23 15:22:59 |  fd8 | Connected to 192.168.122.100:443
2021-10-23 15:22:59 |  fd8 | There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
2021-10-23 15:22:59 |  fd8 | There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
2021-10-23 15:22:59 |  fd8 | There was a non-CA certificate in the trusted list: CN=Root Agency.
2021-10-23 15:22:59 |  fd8 | SSL negotiation with 192.168.122.100
2021-10-23 15:22:59 |  fd8 | Server certificate verify failed: signer not found
2021-10-23 15:22:59 |  fd8 | Connected to HTTPS on 192.168.122.100
2021-10-23 15:22:59 |  fd8 | Failed to read from SSL socket: The TLS connection was non-properly terminated.
2021-10-23 15:22:59 |  fd8 | Error fetching HTTPS response
2021-10-23 15:22:59 |  fd8 | GET https://192.168.122.100/
2021-10-23 15:22:59 |  fd8 | Attempting to connect to server 192.168.122.100:443
2021-10-23 15:22:59 |  fd8 | Connected to 192.168.122.100:443
2021-10-23 15:22:59 |  fd8 | SSL negotiation with 192.168.122.100
2021-10-23 15:22:59 |  fd8 | Server certificate verify failed: signer not found
2021-10-23 15:22:59 |  fd8 | Connected to HTTPS on 192.168.122.100
2021-10-23 15:22:59 |  fd8 | Failed to read from SSL socket: The TLS connection was non-properly terminated.
2021-10-23 15:22:59 |  fd8 | Error fetching HTTPS response
2021-10-23 15:22:59 |  fd8 | Authentication error; cannot obtain cookie
2021-10-23 15:22:59 |  de4 | Disconnected
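As an added triage example (not part of this task or of VyOS's code), a small Python parser for the kernel `traps:` lines quoted above: it extracts the faulting process and the offset of the faulting `ip` inside the named object (here libc-2.28.so), which is the value to symbolize with addr2line or gdb against a libc of the same build, and it groups repeated faults so a deterministic crash on every connect stands out. The sample log text is copied from the report.

```python
import re

# Sample log text copied from the VyOS report above (constructed input for this example).
SAMPLE_LOG = """\
Oct 23 12:56:46 vyos ocserv[3924]: main:192.168.122.78:51039 user disconnected (reason: unspecified, rx: 0, tx: 0)
Oct 23 12:56:46 vyos kernel: traps: ocserv-worker[4936] general protection fault ip:7f7a1ee4613b sp:7fffd02cacd8 error:0 in libc-2.28.so[7f7a1edc6000+148000]
Oct 23 12:56:46 vyos ocserv[3924]: main:192.168.122.78:51040 user disconnected (reason: unspecified, rx: 0, tx: 0)
Oct 23 12:56:46 vyos kernel: traps: ocserv-worker[4937] general protection fault ip:7f7a1ee4613b sp:7fffd02cacd8 error:0 in libc-2.28.so[7f7a1edc6000+148000]
"""

# Shape of the kernel's "traps:" line for a user-space fault:
#   <comm>[<pid>] <trap name> ip:<hex> sp:<hex> error:<n> in <object>[<base>+<size>]
TRAP_RE = re.compile(
    r"kernel: traps: (?P<comm>\S+)\[(?P<pid>\d+)\] (?P<trap>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>\d+) "
    r"in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_trap(line):
    """Return a dict describing one fault, or None if the line is not a trap line."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    # The kernel prints the mapping the faulting ip falls in; ip - base is the
    # file offset to resolve against a libc with the same build. If ip is outside
    # the mapping (corrupted return address, JIT page) no offset is meaningful.
    in_mapping = base <= ip < base + size
    return {
        "comm": m["comm"], "pid": int(m["pid"]), "trap": m["trap"],
        "object": m["obj"], "error": int(m["err"]),
        "offset": ip - base if in_mapping else None, "in_mapping": in_mapping,
    }


def summarize_faults(log_text):
    """Group faults by (comm, object, offset) -> list of pids.

    The same triple recurring for every new worker pid indicates a deterministic
    crash at one code location rather than random memory corruption.
    """
    groups = {}
    for line in log_text.splitlines():
        fault = parse_trap(line)
        if fault:
            key = (fault["comm"], fault["object"], fault["offset"])
            groups.setdefault(key, []).append(fault["pid"])
    return groups
```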
Unknown Object (User) changed the task status from Open to Confirmed. Oct 25 2021, 7:57 AM
zsdc closed this task as a duplicate of T3919: Openconnect VPN broken on 1.3-epa2.
zsdc added subscribers: imilos, sgaraev.
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.

Fixed in VyOS 1.3-beta-202111150443

vyos@r4-epa2:~$ show openconnect-server sessions 
interface    username    ip             remote IP      RX       TX         state      uptime
-----------  ----------  -------------  -------------  -------  ---------  ---------  --------
sslvpn0      user        100.64.12.193  192.168.122.1  0 bytes  152 bytes  connected  1m:49s
vyos@r4-epa2:~$