[vpnc-devel] Dead Peer Detection fix
mihai at xcyb.org
Tue Dec 28 11:09:26 CET 2010
The Dead Peer Detection mechanism implemented in vpnc has a small
issue. A lot of people are complaining about connections being dropped
with the following error message logged:
"connection terminated by dead peer detection"
This is caused by vpnc sending incorrect sequence numbers to the VPN
concentrator. The sequence numbers should be sent in big-endian byte
order, however they are sent in little-endian byte-order (on some
The initial SeqNo sent by vpnc is randomly chosen and it is
subsequently incremented. However when the least significant byte
rolls over (from vpnc's point of view) the other end notices that the
current SeqNo is less than the previous SeqNo.
This is an error message from a Cisco ASA showing the problem:
Dec 20 02:48:26 10.233.170.24 %ASA-6-713124: Group = somegroup,
Username = user.name, IP = 18.104.22.168, Received DPD sequence number
0x952942 in R_U_THERE, Next expected sequence number should be greater
vpnc SeqNo real SeqNo
42 29 94 fd fd 94 29 42
42 29 94 fe fe 94 29 42
42 29 94 ff ff 94 29 42
42 29 95 00 00 95 29 42 <--- real SeqNo is less than previous one
Depending on the initial [random] sequence number, the bug will
terminate the connection on the first DPD sent or it could survive 255
DPDs (in the most favourable case).
I created a patch  that uses htonl/ntohl macros to fix this.
More information about the vpnc-devel