Linux client disconnection after 40-50 min


alex
Contributor (0)
Jun 13, 2017 2:51pm
Hi,

I've tried to use the Pulse client for Linux 8.2, but I face an issue. The client successfully establishes a connection and after 40-50 minutes closes the session. The Windows client works perfectly. Unfortunately, it's not convenient to use a Windows machine. I would like to run the Pulse Secure client on Linux. The following messages are thrown to pulsesvc.log before the disconnect:

20170613165145.174129 pulsesvc[p5736.t5736] ipsec.warn ESP tunnel expired in:0x898A83A6, out:0x45B28332 (engine.cpp:377)
20170613165145.174202 pulsesvc[p5736.t5736] ipsec.warn Cleaning up sa 0x898A83A6 (esp.cpp:64)
20170613165145.174213 pulsesvc[p5736.t5736] ipsec.info Switching to NCP mode (tunnel.cpp:666)
20170613165145.174221 pulsesvc[p5736.t5736] ipsec.info send kmp message 303 size 13 (tunnel.cpp:240)
20170613165149.179615 pulsesvc[p5736.t5736] pulsesvc.info bytes sent = 16842, recvd = 29633 (pulsesvc.cpp:784)
20170613165149.179650 pulsesvc[p5736.t5736] pulsesvc.info pkts sent = 272, recvd = 272 (pulsesvc.cpp:785)
20170613165159.181883 pulsesvc[p5736.t5736] pulsesvc.info bytes sent = 16842, recvd = 29633 (pulsesvc.cpp:784)
20170613165159.181920 pulsesvc[p5736.t5736] pulsesvc.info pkts sent = 272, recvd = 272 (pulsesvc.cpp:785)
20170613165204.429488 pulsesvc[p5736.t5738] dsssl.error SSL_read failed with error 5/104 (DSSSLSock.cpp:2120)
20170613165204.429536 pulsesvc[p5736.t5738] dsssl.error SSL_read failed with error 5 (DSSSLSock.cpp:2129)
20170613165204.429545 pulsesvc[p5736.t5738] DSSSL_recv.error returned 0x5 error. (ncp_dsssl.cpp:931)
20170613165204.429674 pulsesvc[p5736.t5736] ncphandler.info control channel disconnected due to error 5, reconnecting (ncphandler.cpp:343)
20170613165204.429686 pulsesvc[p5736.t5736] session.info reconnecting attempts = 1 (session.cpp:705)
20170613165204.429694 pulsesvc[p5736.t5736] session.info Registering new timer for reconnection (session.cpp:708)
20170613165204.429724 pulsesvc[p5736.t5736] rmon.info Collecting latest routes from the system (routemon.cpp:1474)
20170613165204.429884 pulsesvc[p5736.t5736] rmon.info Found best route via ifc enp0s3 (routemon.cpp:1843)
20170613165204.429892 pulsesvc[p5736.t5736] rmon.info Found best route via ifc enp0s3 (routemon.cpp:1843)
20170613165204.429896 pulsesvc[p5736.t5736] rmon.info best route to 200.70.195.120 is 200.70.195.120/255.255.255.255 via 0xF75807B0 metric: 1 (routemon.cpp:1495)
20170613165204.429902 pulsesvc[p5736.t5736] rmon.info Found best route via ifc enp0s3 (routemon.cpp:1843)
20170613165204.429906 pulsesvc[p5736.t5736] rmon.info Found best route via ifc enp0s3 (routemon.cpp:1843)
20170613165204.429910 pulsesvc[p5736.t5736] rmon.info Found best route via ifc enp0s3 (routemon.cpp:1843)
20170613165204.429914 pulsesvc[p5736.t5736] rmon.info best route to gateway: 10.0.2.2/255.255.255.255 gw 0.0.0.0 via 0x2E636E49 metric 1 (routemon.cpp:2010)
20170613165204.429919 pulsesvc[p5736.t5736] rmon.info next hop gateway route already exists (routemon.cpp:2049)
20170613165204.429924 pulsesvc[p5736.t5736] rmon.info Host route to 200.70.195.120 already exists, will not add a new one (routemon.cpp:1544)
20170613165204.429937 pulsesvc[p5736.t5736] rmon.error Setting Best route 82c446d0 202000a ffffffff f75807b0 enp0s3 (routemon.cpp:1548)
20170613165204.429942 pulsesvc[p5736.t5736] session.info Interface has been changed m_best_if_2_ive = 20, if_id = f75807b0. So reconnect from UI (session.cpp:736)
20170613165204.429947 pulsesvc[p5736.t5736] session.info disconnecting from ive 200.70.195.120 with reason 6 (session.cpp:599)
20170613165204.429951 pulsesvc[p5736.t5736] adapter.info closing tun adapter 0000000B (adapter.cpp:997)
20170613165204.429956 pulsesvc[p5736.t5736] dsxp.info isRegistered returned false for 0x8996350 -1 (dsio.cpp:992)
20170613165204.440824 pulsesvc[p5736.t5736] dsxp.info isRegistered returned false for 0x8999a64 -1 (dsio.cpp:992)
20170613165204.440865 pulsesvc[p5736.t5736] sysdeps.info restoring DNS settings... (sysdeps.cpp:975)
20170613165204.440959 pulsesvc[p5736.t5736] sysdeps.error rename /etc/jnpr-nc-hosts.bak => /etc/hosts failed wirh error 2 (sysdeps.cpp:982)
20170613165204.440984 pulsesvc[p5736.t5736] session.info Session Terminated. Removing ip6tables entries (session.cpp:637)
20170613165204.440997 pulsesvc[p5736.t5736] session.info Executing '/sbin/ip6tables -D INPUT -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null' (syscmd.cpp:445)
20170613165204.442155 pulsesvc[p5736.t5736] session.info /sbin/ip6tables status 0x100 (syscmd.cpp:542)
20170613165204.442717 pulsesvc[p5736.t5736] session.error Failed to execute command /sbin/ip6tables -D INPUT -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null. DSSysCmd::executeAndWait returned 256. (session.cpp:1359)
20170613165204.442785 pulsesvc[p5736.t5736] session.info Executing '/sbin/ip6tables -D OUTPUT -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null' (syscmd.cpp:445)
20170613165204.443626 pulsesvc[p5736.t5736] session.info /sbin/ip6tables status 0x100 (syscmd.cpp:542)
20170613165204.451871 pulsesvc[p5736.t5736] session.error Failed to execute command /sbin/ip6tables -D OUTPUT -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null. DSSysCmd::executeAndWait returned 256. (session.cpp:1366)
20170613165204.452504 pulsesvc[p5736.t5736] session.info Executing '/sbin/ip6tables -D FORWARD -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null' (syscmd.cpp:445)
20170613165204.453342 pulsesvc[p5736.t5736] session.info /sbin/ip6tables status 0x100 (syscmd.cpp:542)
20170613165204.459170 pulsesvc[p5736.t5736] session.error Failed to execute command /sbin/ip6tables -D FORWARD -j DROP -m comment --comment nc_client >/dev/null 2>/dev/null. DSSysCmd::executeAndWait returned 256. (session.cpp:1373)
20170613165204.460390 pulsesvc[p5736.t5736] ncp.error ncpTearDown for IVE 200.70.195.120 (ncp.cpp:624)
20170613165204.460697 pulsesvc[p5736.t5738] worker.error NCP worker has been requested to stop (ncp_dsssl.cpp:716)
20170613165204.460874 pulsesvc[p5736.t5738] conn.info cleanup 0 (ncp.cpp:1599)
20170613165204.460939 pulsesvc[p5736.t5738] conn.info cleanup 0 (ncp.cpp:1599)
20170613165204.460978 pulsesvc[p5736.t5738] writer.error thread exit (ncp.cpp:2131)
20170613165204.461083 pulsesvc[p5736.t5736] ncphandler.info teardown done (ncphandler.cpp:354)
20170613165204.472252 pulsesvc[p5736.t5736] ncp.error ncpCleanup for IVE 200.70.195.120 (ncp.cpp:766)


Could anyone help with this? Is there some way to keep the connection?

Thank you,
Alexander



ruc
Pulse Secure Contributor (16)
Jun 22, 2017 9:03am
Hi Alex - The first log entry 'ipsec.warn ESP tunnel expired in:0x898A83A6, out:0x45B28332' indicates that the ESP communication channel is expiring. I would check the following:

1. Have your IT admin check the Pulse Connect Secure gateway for the idle and max timeout values for the role assigned to you when using the Pulse Linux client. (It is possible you are assigned a different role when accessing from Windows, which has a longer timeout value.)

2. Note the timestamp of a disconnect. Have your IT admin check the 'user access logs' for your ID around that timestamp. This may indicate why your session was dropped.

3. If the timeouts are not the issue, the next step will be to start tcpdump on your machine's physical interface and also on the virtual VPN interface/adapter. Once the timeout occurs, check the tcpdump captured on the physical interface and check the ESP packets (usually UDP 4500). If the ESP packets have stopped arriving from the gateway, it could indicate an issue where an intermediate device (firewall) has closed the UDP socket.

This is not an exhaustive list, let us know what you find out.

Thanks
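
As an added example (not part of the original posts and not Pulse Secure code): a small Python parser that pulls the ESP expiry, NCP fallback, control-channel error and disconnect timestamps out of a pulsesvc.log like the one above, so they can be matched against the gateway's user access log as suggested in step 2. The line format is inferred from the posted excerpt, and the event names and the `timeline`/`summarize` functions are hypothetical names chosen for this example.

```python
import re
from datetime import datetime

SAMPLE_LOG = """\
20170613165145.174129 pulsesvc[p5736.t5736] ipsec.warn ESP tunnel expired in:0x898A83A6, out:0x45B28332 (engine.cpp:377)
20170613165145.174213 pulsesvc[p5736.t5736] ipsec.info Switching to NCP mode (tunnel.cpp:666)
20170613165149.179615 pulsesvc[p5736.t5736] pulsesvc.info bytes sent = 16842, recvd = 29633 (pulsesvc.cpp:784)
20170613165159.181883 pulsesvc[p5736.t5736] pulsesvc.info bytes sent = 16842, recvd = 29633 (pulsesvc.cpp:784)
20170613165204.429488 pulsesvc[p5736.t5738] dsssl.error SSL_read failed with error 5/104 (DSSSLSock.cpp:2120)
20170613165204.429947 pulsesvc[p5736.t5736] session.info disconnecting from ive 200.70.195.120 with reason 6 (session.cpp:599)
"""  # excerpt of the pulsesvc.log lines quoted in the post above

LINE = re.compile(r"^(\d{14}\.\d{6}) \S+\[p\d+\.t\d+\] \S+\.\w+ (.*) \(\S+:\d+\)$")
EVENTS = [  # (hypothetical event name, pattern searched in the message text)
    ("esp_expired", re.compile(r"ESP tunnel expired")),
    ("ncp_fallback", re.compile(r"Switching to NCP mode")),
    ("counters", re.compile(r"bytes sent = (\d+), recvd = (\d+)")),
    ("ssl_read_error", re.compile(r"SSL_read failed with error (\d+)/(\d+)")),
    ("disconnect", re.compile(r"disconnecting from ive \S+ with reason (\d+)")),
]

def timeline(text):
    """Return [(datetime, event, captured ints)] for the lines we recognise."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        for name, pat in EVENTS if m else ():  # unparsable lines are skipped
            hit = pat.search(m.group(2))
            if hit:
                ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S.%f")
                out.append((ts, name, tuple(map(int, hit.groups()))))
                break
    return out

def summarize(text):
    """Reduce the timeline to what an admin needs to match gateway logs."""
    ev = timeline(text)
    first = {n: (ts, g) for ts, n, g in reversed(ev)}  # first hit per event
    exp, disc, tls = (first.get(k) for k in ("esp_expired", "disconnect", "ssl_read_error"))
    after = [g for ts, n, g in ev if n == "counters" and exp and ts >= exp[0]]
    return {
        "esp_expired_at": exp[0] if exp else None,
        "disconnect_at": disc[0] if disc else None,
        "seconds_between": (disc[0] - exp[0]).total_seconds() if exp and disc else None,
        "traffic_stalled": len(after) >= 2 and len(set(after)) == 1,  # counters frozen
        "ssl_error": tls[1] if tls else None,  # the two numbers exactly as logged
        "disconnect_reason": disc[1][0] if disc else None,
    }

print(summarize(SAMPLE_LOG))
```

The log lines carry no time zone, so align them with the gateway's clock before comparing timestamps.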


zanyterp
Pulse Secure Contributor (35)
Jun 22, 2017 12:44pm
To tag along with Ruc, another item to do is check your TCP keep-alive timers. If they are more than two minutes, can you adjust them down and test? This _should_ allow the connection to remain alive past the 40-50 minute mark.