WARNING: vpn-slice ignores reason=reconnect

[eitzenbe]

When using openconnect against GPA VPN Gateway with split vpn, after some time the vpn tunnel routes stall after the following message is shown on console:

Potential IPv6-related GlobalProtect config tag <gw-address-v6>: XXXXXXXXXXXXX::bad:beef
This build does not support GlobalProtect IPv6 due to a lack of
of information on how it is configured. Please report this
to <[email protected]>.
No MTU received. Calculated 1406 for ESP tunnel
POST https://XXXXXXXXXXXX/ssl-vpn/hipreportcheck.esp
WARNING: vpn-slice ignores reason=reconnect
ESP session established with server

[dlenski]

after some time

How long is "some time"? Does it match the rekey and/or HIP report intervals sent by the server, and shown in OpenConnect's logging output? (That'd be my guess 👇)

…the vpn tunnel routes stall after the following message is shown on console:

I don't believe this has anything to do with vpn-slice (the "normal" vpnc-script does similarly little upon reason=reconnect), but if you can demonstrate otherwise then please explain.

Need more info to be sure (openconnect -vvvv --dump; ip route before-and-after), but one guess is that the server doesn't like something about the HIP report (re)check and is blocking your connectivity after that point.

I'm not clear what's causing the reconnect, but perhaps a re-key on the same interval as the HIP check.

Please build the latest-and-greatest OpenConnect from source, since it improves the logging for GlobalProtect among other things, and file an issue with more details upstream at https://gitlab.com/openconnect/openconnect/issues.