SSL VPN with IPv4 but message TCPv6_SERVER: Connection timed out (code=110) and Broken pipe (code=32)

Question

We have a user that is complaining repeatedly about disconnecting SSL VPN (TCP) with Connect Client 2.2.90 
 SFOS is 19.5.2 
 I assume his ISP uses IPv4 sharing / DS-Lite. 
 Nevertheless, when he connects, he is connecting with an IPv4 address and that is written in the sslvpn.log. 
 XG is not communicating with IPv6 to the outside world. 
 User is using MFA. 
 Authentication is successful after the second attempt and the routes are pushed to the client. 
 Then in the logs IPv6 Server messages appear and finally the connections is no longer working and timing out. 
 The user assured, he can access all internet sites normally or watch videos online when his SSL VPN disconnects. 
 full XG log: 
 2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Is IPv4 :1
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 SENT CONTROL [username@domain.de]: 'PUSH_REPLY,route-gateway 10.242.254.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 172.1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,dhcp-option DOMAIN domain.de,ifconfig 10.242.254.10 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 05:56:37Z [26682] username@domain.de/82.207.250.180:20622 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:36:35Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20837
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20837, sid=9d129e4b 8a60abb8
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_VER=2.5.6
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_PLAT=win
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_PROTO=6
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_NCP=2
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZ4=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZ4v2=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_LZO=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_COMP_STUB=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_COMP_STUBv2=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 peer info: IV_TCPNL=1
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 TLS: Username/Password authentication deferred for username 'username' [CN SET]
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-07-31 09:36:35Z [26682] 82.207.250.180:20837 [username] Peer Connection Initiated with [AF_INET6]::ffff:82.207.250.180:20837
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 Delayed exit in 5 seconds
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 Connection reset, restarting [0]
2023-07-31 09:36:37Z [26682] 82.207.250.180:20837 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-07-31 09:39:18Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20631
2023-07-31 09:39:18Z [26682] 82.207.250.180:20631 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20631, sid=6b1ce399 cf70d970
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=1, hidden-CA-Details, CN=firewallname.domain.de, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 VERIFY OK: depth=0, hidden-CA-Details, CN=username@domain.de_170BF773AB0, emailAddress=mailaddress@domain.de
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_VER=2.5.6
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_PLAT=win
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_PROTO=6
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_NCP=2
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZ4=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZ4v2=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_LZO=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_COMP_STUB=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_COMP_STUBv2=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 peer info: IV_TCPNL=1
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 TLS: Username/Password authentication deferred for username 'username' [CN SET]
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2023-07-31 09:39:19Z [26682] 82.207.250.180:20631 [username] Peer Connection Initiated with [AF_INET6]::ffff:82.207.250.180:20631
2023-07-31 09:39:20Z [26682] 82.207.250.180:20631 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn/conf.d/username@domain.de
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI_sva: pool returned IPv4=10.xxx.xxx.12, IPv6=2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 PLUGIN_CALL: POST /lib/openvpn-plugin-utm.so/PLUGIN_CLIENT_CONNECT status=0
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_64f93902632f062d.tmp
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_535eed8033428f84.tmp
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_pool_remote_ipv6:2001:db8::b
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 ifconfig_remote_ip: 82.207.250.180, isipv4c: 1
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: Learn: 10.xxx.xxx.12 -> username@domain.de/82.207.250.180:20631
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: primary virtual IP for username@domain.de/82.207.250.180:20631: 10.xxx.xxx.12
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: Learn: 2001:db8::b -> username@domain.de/82.207.250.180:20631
2023-07-31 09:39:20Z [26682] username@domain.de/82.207.250.180:20631 MULTI: primary virtual IPv6 for username@domain.de/82.207.250.180:20631: 2001:db8::b
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 PUSH: Received control message: 'PUSH_REQUEST'
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Host:::ffff:82.207.250.180 Port:20631
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Is IPv4 :1
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 send_push_reply(): suppress sending 'tun-ipv6'
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Host:::ffff:82.207.250.180 Port:20631
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Is IPv4 :1
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 SENT CONTROL [username@domain.de]: 'PUSH_REPLY,route-gateway 10.242.254.1,sndbuf 0,rcvbuf 0,ping 45,ping-restart 180,route 172.1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,dhcp-option DOMAIN domain.de,ifconfig 10.xxx.xxx.12 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:39:25Z [26682] username@domain.de/82.207.250.180:20631 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Connection timed out (code=110)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
message repeated 60 times
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 write TCPv6_SERVER: Broken pipe (code=32)
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 Connection reset, restarting [0]
2023-07-31 09:41:44Z [26682] username@domain.de/82.207.250.180:20622 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-07-31 09:43:44Z [26682] TCP connection established with [AF_INET6]::ffff:82.207.250.180:20635
2023-07-31 09:43:44Z [26682] 82.207.250.180:20635 TLS: Initial packet from [AF_INET6]::ffff:82.207.250.180:20635, sid=81331d69 1e954c8b

Client log: 
 
 Any idea what could cause the gateway reset here?

Giridhar Katti · Answer

Hi, 
 We will take a look at the logs. We will discuss internally within the team and update this thread with our findings/recommendations.

Praneeth · Answer

Are there other users connecting to the tunnel from the same ISP network as the issue-facing user? Are they facing this issue? Can you also check SCC users connecting from other ISPs facing this issue? Since the underlying TCP connection is getting reset just suspecting the ISP network.

SSL VPN with IPv4 but message TCPv6_SERVER: Connection timed out (code=110) and Broken pipe (code=32)

Top Replies