
xl2tpd: udp_xmit failed to xxx.xxx.xxx.xxx:63817 with err=-1:No such device
Closed, Resolved | Public | BUG

Description

Wanted to connect via L2TP from an iOS 11 device. But same happens with Windows 10.

Mar 23 08:26:28 AC1 xl2tpd[2626]: udp_xmit failed to xxx.xxx.xxx.xxx:63817 with err=-1:No such device
Mar 23 08:26:30 AC1 xl2tpd[2626]: message repeated 2 times: [ udp_xmit failed to xxx.xxx.xxx.xxx:63817 with err=-1:No such device]
Mar 23 08:26:31 AC1 xl2tpd[2626]: udp_xmit failed to xxx.xxx.xxx.xxx:63817 with err=-1:No such device
Mar 23 08:26:33 AC1 xl2tpd[2626]: message repeated 2 times: [ udp_xmit failed to xxx.xxx.xxx.xxx:63817 with err=-1:No such device]
Mar 23 08:26:34 AC1 xl2tpd[2626]: Maximum retries exceeded for tunnel 21254.  Closing.
Mar 23 08:26:34 AC1 xl2tpd[2626]: udp_xmit failed to xxx.xxx.xxx.xxx:63817 with err=-1:No such device
Mar 23 08:26:35 AC1 xl2tpd[2626]: udp_xmit failed to xxx.xxx.xxx.xxx:63817 with err=-1:No such device
Mar 23 08:26:35 AC1 xl2tpd[2626]: udp_xmit failed to xxx.xxx.xxx.xxx:63817 with err=-1:No such device

configuration used is:

cpo@AC1# show vpn l2tp
 remote-access {
     authentication {
         mode radius
         radius-server xxx.xx.xxx.xx {
             key yyy
         }
         radius-server xxx.xx.xxx.xx {
             key yyy
         }
     }
     client-ip-pool {
         start xxx.xxx.xxx.1
         stop xxx.xxx.xxx.14
     }
     dns-servers {
         server-1 xxx.xx.xxx.xx
         server-2 xxx.xx.xxx.xx
     }
     idle 180
     ipsec-settings {
         authentication {
             mode pre-shared-secret
             pre-shared-secret xxx
         }
         ike-lifetime 60
         lifetime 600
     }
     mtu 1400
     outside-address x.x.x.x
     outside-nexthop x.x.x.x
 }

Probably related to some kernel changes introduced by T583. Falling back to VyOS 999.201802241630 using Kernel 4.4.113-amd64-vyos works as expected.

See:

Details

Difficulty level
Unknown (require assessment)
Version
999.201803162053
Why the issue appeared?
Issues in third-party code

Event Timeline

c-po created this task.
c-po moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.
c-po changed Why the issue appeared? from Will be filled on close to Issues in third-party code.

Problem still exists when adding to /etc/xl2tpd/xl2tpd.conf:

[global]
force userspace = yes
ipsec saref = no

Problem still exists with Kernel 4.14.30

@c-po any idea which device is missing?

@syncer not yet, but my first guess is that this message is misleading. I'll look into it after my vacation.

syncer triaged this task as Normal priority. Apr 7 2018, 11:01 AM

From https://github.com/xelerance/xl2tpd/issues/147 and https://github.com/xelerance/xl2tpd/pull/148

With kernel 4.15, in the ancillary IP_PKTINFO data received during a recvmsg()
call, ipi_ifindex is a bogus value that results in an ENODEV error in the
subsequent sendmsg() call.

This fix no longer attempts to obtain the ancillary IP_PKTINFO data, except if
ipsecsaref is set to yes, e.g. when wanting to use a KLIPS patched kernel.

gconfig.ipsecsaref and gconfig.forceuserspace were implicitly set to zero, now
are explicitly set to zero in file.c for clarity.

Now I have to figure out how to integrate this into the VyOS ISO build ...
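The failure mode quoted above can be reproduced without xl2tpd: sendmsg() carrying an IP_PKTINFO control message whose ipi_ifindex names no device fails with ENODEV, while ipi_ifindex 0 goes out normally. This is an added example, not code from xl2tpd or from this task; `BOGUS_IFINDEX`, `xmit_with_ifindex` and the loopback setup are constructed for illustration and assume Linux.

```c
#define _GNU_SOURCE 1                /* exposes struct in_pktinfo */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define BOGUS_IFINDEX 0x7ffffff0     /* constructed: assumed to name no device */

/* Send one datagram to our own loopback socket with `ifindex` in the
 * IP_PKTINFO ancillary data. Returns 0 on success, otherwise errno. */
static int xmit_with_ifindex(int ifindex)
{
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t alen = sizeof(a);
    char payload[] = "probe";
    union { char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
            struct cmsghdr align; } ctl;
    struct iovec iov = { payload, sizeof(payload) };
    struct msghdr msg = { 0 };
    int err = 0, fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0) return errno;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (bind(fd, (struct sockaddr *)&a, sizeof(a)) != 0 ||
        getsockname(fd, (struct sockaddr *)&a, &alen) != 0) {
        err = errno; close(fd); return err;
    }
    memset(&ctl, 0, sizeof(ctl));                 /* ipi_spec_dst stays 0 */
    msg.msg_name = &a;          msg.msg_namelen = sizeof(a);
    msg.msg_iov = &iov;         msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;  msg.msg_controllen = sizeof(ctl.buf);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    ((struct in_pktinfo *)CMSG_DATA(c))->ipi_ifindex = ifindex;
    if (sendmsg(fd, &msg, 0) < 0) err = errno;    /* ENODEV surfaces here */
    close(fd);
    return err;
}

int main(void)
{
    int ok = xmit_with_ifindex(0);               /* 0 = let the kernel route */
    int bad = xmit_with_ifindex(BOGUS_IFINDEX);
    printf("ifindex 0: %s\nbogus ifindex: %s\n", strerror(ok), strerror(bad));
    return !(ok == 0 && bad == ENODEV);
}
```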

This is the patch for xl2tpd 1.3.6 (https://github.com/xelerance/xl2tpd/tree/debian-jessie) found in Debian Jessie:

Fix for ENODEV (No such device) error with Linux kernel > 4.14

With kernel 4.15, in the ancillary IP_PKTINFO data received during a recvmsg()
call, ipi_ifindex is a bogus value that results in an ENODEV error in the
subsequent sendmsg() call.

This fix no longer attempts to obtain the ancillary IP_PKTINFO data, except if
ipsecsaref is set to yes, e.g. when wanting to use a KLIPS patched kernel.

gconfig.ipsecsaref and gconfig.forceuserspace were implicitly set to zero, now
are explicitly set to zero in file.c for clarity.

--- xl2tpd-1.3.6+dfsg.orig/file.c
+++ xl2tpd-1.3.6+dfsg/file.c
@@ -42,6 +42,8 @@ int init_config ()

     gconfig.port = UDP_LISTEN_PORT;
     gconfig.sarefnum = IP_IPSEC_REFINFO; /* default use the latest we know */
+    gconfig.ipsecsaref = 0; /* default off - requires patched KLIPS kernel module */
+    gconfig.forceuserspace = 0; /* default off - allow kernel decap of data packets */
     gconfig.listenaddr = htonl(INADDR_ANY); /* Default is to bind (listen) to all interfaces */
     gconfig.debug_avp = 0;
     gconfig.debug_network = 0;
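Review bot: The comment on the new `gconfig.ipsecsaref = 0` default in init_config() mentions only the KLIPS requirement, but with the network.c change in this same patch the flag also decides whether IP_PKTINFO is enabled on the server socket. Suggest extending the comment, and the documentation of the `ipsec saref` option, to say that leaving it off also turns off IP_PKTINFO ancillary data, so that someone reading file.c alone sees the full effect of the default.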
--- xl2tpd-1.3.6+dfsg.orig/network.c
+++ xl2tpd-1.3.6+dfsg/network.c
@@ -78,23 +78,27 @@ int init_network (void)
      * For L2TP/IPsec with KLIPSng, set the socket to receive IPsec REFINFO
      * values.
      */
-    arg=1;
-    if(setsockopt(server_socket, IPPROTO_IP, gconfig.sarefnum,
-                 &arg, sizeof(arg)) != 0) {
-           l2tp_log(LOG_CRIT, "setsockopt recvref[%d]: %s\n", gconfig.sarefnum, strerror(errno));
-
-           gconfig.ipsecsaref=0;
-    }
-
-    arg=1;
-    if(setsockopt(server_socket, IPPROTO_IP, IP_PKTINFO, (char*)&arg, sizeof(arg)) != 0) {
-           l2tp_log(LOG_CRIT, "setsockopt IP_PKTINFO: %s\n", strerror(errno));
+    if (!gconfig.ipsecsaref)
+    {
+        l2tp_log (LOG_INFO, "Not looking for kernel SAref support.\n");
     }
-#else
+    else
     {
-       l2tp_log(LOG_INFO, "No attempt being made to use IPsec SAref's since we're not on a Linux machine.\n");
+        arg=1;
+        if(setsockopt(server_socket, IPPROTO_IP, gconfig.sarefnum,  &arg, sizeof(arg)) != 0) {
+            l2tp_log(LOG_CRIT, "setsockopt recvref[%d]: %s\n", gconfig.sarefnum, strerror(errno));
+            gconfig.ipsecsaref=0;
+        }
+        else
+        {
+            arg=1;
+            if(setsockopt(server_socket, IPPROTO_IP, IP_PKTINFO, (char*)&arg, sizeof(arg)) != 0) {
+                l2tp_log(LOG_CRIT, "setsockopt IP_PKTINFO: %s\n", strerror(errno));
+            }
+        }
     }
-
+#else
+    l2tp_log(LOG_INFO, "No attempt being made to use IPsec SAref's since we're not on a Linux machine.\n");
 #endif

     /* turn off UDP checksums */
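Review bot: In the new else branch of init_network(), a failed IP_PKTINFO setsockopt is only logged at LOG_CRIT and gconfig.ipsecsaref stays set, whereas the failed sarefnum setsockopt just above it clears the flag. Suggest clearing gconfig.ipsecsaref in the IP_PKTINFO failure path as well, or adding a comment on why it is safe to continue, so the daemon does not run with SAref enabled on a socket that delivers no packet info. As a style point, the added lines mix `l2tp_log (` with `l2tp_log(` and use two brace placements; follow the convention already used in network.c.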

@UnicronNL @dmbaturin any idea how this can be easily integrated in vyos-build?

No luck. Where do I grab the xl2tpd logs, @c-po?

As an interim solution I created https://ci.vyos.net/job/xl2tpd and forked xl2tpd to github.com/vyos (containing a backported patch from me).

... builds triggered ....

Fixed by forking xl2tpd and backporting the patch from the 1.3.12 release branch.

Working again...

cpo@AC1:~$ show version
Version:          VyOS 1.2.0-rolling+201804201635
Built by:         [email protected]
Built on:         Fri 20 Apr 2018 16:35 UTC
Build ID:         f0e3bc9c-672a-47c9-9252-f6ae1b270782

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    fooo

Copyright:        VyOS maintainers and contributors

@syncer this is implemented and working with a patched xl2tpd (T605).