We have a user who is complaining repeatedly about SSL VPN (TCP) disconnecting with Connect Client 2.2.90.
SFOS is 19.5.2.
I assume his ISP uses IPv4 sharing / DS-Lite.
Nevertheless, when he connects, he is connecting with an IPv4 address and that is written in the sslvpn.log.
XG is not communicating with IPv6 to the outside world.
User is using MFA.
Authentication is successful after the second attempt and the routes are pushed to the client.
Then IPv6 server messages appear in the logs, and finally the connection is no longer working and times out.
The user assured us that he can access all internet sites normally or watch videos online when his SSL VPN disconnects.
Full XG log:
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Is IPv4 :1
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 SENT CONTROL [username@domain.de]: 'PUSH_REPLY,route-gateway 10.242.254.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 172.1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,dhcp-option DOMAIN domain.de,ifconfig 10.242.254.10 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:36:35Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20837
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20837, sid=9d129e4b 8a60abb8
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_VER=2.5.6
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_PLAT=win
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_PROTO=6
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_NCP=2
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZ4=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZ4v2=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZO=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_COMP_STUB=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_COMP_STUBv2=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_TCPNL=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 TLS: Username/Password authentication deferred for username 'username' [CN SET]
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 [username] Peer Connection Initiated with [AF_INET6]::ffff:82.207.250.180:20837
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 Delayed exit in 5 seconds
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 Connection reset, restarting [0]
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-07-31 09:39:18Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20631
2023-07-31 09:39:18Z [26682] 82.207.250.180:20631 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20631, sid=6b1ce399 cf70d970
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_VER=2.5.6
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_PLAT=win
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_PROTO=6
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_NCP=2
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZ4=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZ4v2=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZO=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_COMP_STUB=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_COMP_STUBv2=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_TCPNL=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 TLS: Username/Password authentication deferred for username 'username' [CN SET]
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 [username] Peer Connection Initiated with [AF_INET6]::ffff:82.207.250.180:20631
2023-07-31 09:39:20Z [26682] 82.207.250.180:20631 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn/conf.d/username@domain.de
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI_sva: pool returned IPv4=10.xxx.xxx.12, IPv6=2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_64f93902632f062d.tmp
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_535eed8033428f84.tmp
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: Learn: 10.xxx.xxx.12 -> username@domain.de/82.207.250.180:20631
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: primary virtual IP for username@domain.de/82.207.250.180:20631: 10.xxx.xxx.12
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: Learn: 2001:db8::b -> username@domain.de/82.207.250.180:20631
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: primary virtual IPv6 for username@domain.de/82.207.250.180:20631: 2001:db8::b
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Host:::ffff:82.207.250.180 Port:20631
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Is IPv4 :1
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 send_push_reply(): suppress sending 'tun-ipv6'
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Host:::ffff:82.207.250.180 Port:20631
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Is IPv4 :1
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 SENT CONTROL [username@domain.de]: 'PUSH_REPLY,route-gateway 10.242.254.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 172.1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,dhcp-option DOMAIN domain.de,ifconfig 10.xxx.xxx.12 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Connection timed out (code=110)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32) message repeated 60 times
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 Connection reset, restarting [0]
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-07-31 09:43:44Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20635
2023-07-31 09:43:44Z [26682] 82.207.250.180:20635 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20635, sid=81331d69 1e954c8b
Client log:
Any idea what could cause the gateway reset here?
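
Added example, not part of the original post: a small triage script for a log in the format above that groups entries by client endpoint (ip:port) and shows which endpoint the `write TCPv6_SERVER` errors belong to and how long after that endpoint's first entry they occurred. The sample lines are constructed (documentation addresses, placeholder user), the function names are hypothetical, and `[AF_INET6]::ffff:a.b.c.d` is treated as the IPv4-mapped form of the same IPv4 endpoint.

```python
import re
from datetime import datetime

# Constructed sample in the sslvpn.log layout shown in the post (not the post's data).
SAMPLE_LOG = """\
2023-07-31 05:56:37Z [26682] user@example.test/198.51.100.7:20622 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:39:18Z [26682] TCP connection established with [AF_INET6]::ffff:198.51.100.7:20631
2023-07-31 09:39:25Z [26682] user@example.test/198.51.100.7:20631 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:41:44Z [26682] user@example.test/198.51.100.7:20622 write TCPv6_SERVER: Connection timed out (code=110)
2023-07-31 09:41:44Z [26682] user@example.test/198.51.100.7:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] user@example.test/198.51.100.7:20622 Connection reset, restarting [0]
"""

# timestamp, [pid], optional "user/ip:port" or "ip:port" prefix, then the message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)Z \[\d+\] "
                  r"(?:(?:\S+/)?(\d+(?:\.\d+){3}:\d+) )?(.*)$")
MAPPED = re.compile(r"\[AF_INET6\]::ffff:(\d+(?:\.\d+){3}:\d+)")

def sessions_by_endpoint(log_text):
    """Group log entries by client ip:port and record errors seen on each."""
    out = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, peer, msg = m.groups()
        if peer is None:  # entries without a prefix carry the mapped address in the message
            mapped = MAPPED.search(msg)
            if mapped is None:
                continue
            peer = mapped.group(1)
        s = out.setdefault(peer, {"first_seen": ts, "write_errors": 0,
                                  "first_error": None, "reset": False})
        if msg.startswith("write TCPv6_SERVER:"):
            s["write_errors"] += 1
            s["first_error"] = s["first_error"] or ts
        elif msg.startswith("Connection reset"):
            s["reset"] = True
    return out

def age_at_first_error(session):
    """Seconds between an endpoint's first entry and its first write error."""
    if session["first_error"] is None:
        return None
    fmt = "%Y-%m-%d %H:%M:%S"
    delta = (datetime.strptime(session["first_error"], fmt)
             - datetime.strptime(session["first_seen"], fmt))
    return int(delta.total_seconds())

if __name__ == "__main__":
    for peer, s in sessions_by_endpoint(SAMPLE_LOG).items():
        print(peer, s["write_errors"], s["reset"], age_at_first_error(s))
```

A line ending in `message repeated N times` is counted once here, so `write_errors` is a lower bound.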