cancel
Showing results for 
Search instead for 
Did you mean: 

Ubuntu 16.04 and 16.10 problems connecting to VPN

Highlighted
New Contributor

Ubuntu 16.04 and 16.10 problems connecting to VPN

Hi all,

It seems that a number of people are having difficulty connecting to PulseSecure VPNs when using Ubuntu 16.04 and 16.10 as the client operating system. The workaround, it turns out, is to completely disable IPV6 on the Ubuntu machines.

There are detailed discussions on the Linux kernel developers' forums about what is going on here, at https://bugzilla.kernel.org/show_bug.cgi?id=121131 and https://bugzilla.redhat.com/show_bug.cgi?id=1343091#c17.

I've tripped over this myself, and I'm using the workaround described (here's how to disable IPV6 on Ubuntu 16.x: https://support.purevpn.com/how-to-disable-ipv6-linuxubuntu) ; but in case other people are seeing the issue, I thought I'd pass it along.

Dave
Tags (1)
8 REPLIES 8
Highlighted
Moderator

Re: Ubuntu 16.04 and 16.10 problems connecting to VPN

Thank you for sharing; are you seeing this with both Pulse & Network Connect?
I am not sure if we have IPv6 support for Linux yet; but if it is there, I would expect it only in the Pulse client
Highlighted
New Contributor

Re: Ubuntu 16.04 and 16.10 problems connecting to VPN

Sorry, I don't know the distinction between those two products. On Ubuntu, there are two things I've tried using to connect to my company's VPN:

1) a Java jar file that runs under 32-bit Java, and requires a 32-bit version of Firefox on 64-bit Ubuntu, or
2) The Ubuntu PulseSecure client (via https://pulsesecure.flexnetoperations.com/control/plss/download)

The Ubuntu PulseSecure client does not work at my company. I suspect that some of the issue has to do with the host-checking that our setup requires.

The Java jar file only works when IPV6 is disabled.

Does that help answer your question?
Moderator

Re: Ubuntu 16.04 and 16.10 problems connecting to VPN

Thank you for the further information
The .jar is the legacy connection client (Network Connect) and does not support IPv6
Pulse Secure is the new client and I think it may, as of 8.2R5(?) support IPv6 for Linux clients. Do you know if there has been a case opened for checking why Network Connect works and Pulse does not for Host Checker?
Highlighted
Occasional Contributor

Re: Ubuntu 16.04 and 16.10 problems connecting to VPN

You just need to disable IPv6 on the tun0 interface.
Highlighted
Occasional Contributor

Re: Ubuntu 16.04 and 16.10 problems connecting to VPN

net.ipv6.conf.tun0.disable_ipv6 = 1

The problem is related to this packet
00:21:15.000000 0a:01:01:01:01:01 > 0a:02:02:02:02:02, ethertype IPv6 (0x86dd), length 90: fe80::6638:20f2:f6cb:1ded > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28

This packet was extracted by stracing the ncsvc process
Highlighted
New Contributor

Re: Ubuntu 16.04 and 16.10 problems connecting to VPN

Hello, I have opened a case about that as well - the number is 00250296. I am still at the point of working to reproduce it within PulseSecure with the engineer there. I'm not sure what his difficulty is; as you can see from the below, people with detailed technical information have already analyzed this...
Highlighted
New Contributor

Re: Ubuntu 16.04 and 16.10 problems connecting to VPN

Hello, I have opened a case about that as well - the number is 00250296. I am still at the point of working to reproduce it within PulseSecure with the engineer there. I'm not sure what his difficulty is; as you can see from the below, people with detailed technical information have already analyzed this...
Highlighted
Occasional Contributor

Re: Ubuntu 16.04 and 16.10 problems connecting to VPN

strace -f -s 100 -o strace.txt ./ncui -h -f my.cert.der -c DSID=xxxxxx


tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:111 P-t-P:111.228 Mask:255.255.255.255
inet6 addr: fe80::b761:1e1d:3581:ee73/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:76 (76.0 b)




In the strace output

29475 "\x60\x00\x00\x00\x00\x24\x00\x01\xfe\x80\x00\x00\x00\x00\x00\x00\x3c\x27\x46\x9b\xd9\xcb\x99\xa0\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x16\x3a\x00\x05\x02\x00\x00\x01\x00\x8f\x00\x79\xda\x00\x00\x00\x01\x04\x00\x00\x00\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02", 2048) = 76
29475 write(4, "20170406001032.413773 ncsvc[p29475.t29475] adapter.warn Bad ip packet len 76 - should be 0 (adapter."..., 109) = 109


\x60\x00\x00\x00\x00\x24\x00\x01 \xfe\x80\x00\x00\x00\x00\x00\x00
\x3c\x27\x46\x9b\xd9\xcb\x99\xa0 \xff\x02\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x16 \x3a\x00\x05\x02\x00\x00\x01\x00
\x8f\x00\x79\xda\x00\x00\x00\x01 \x04\x00\x00\x00\xff\x02\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x02


00000000 60 00 00 00 00 24 00 01 fe 80 00 00 00 00 00 00
00000010 3c 27 46 9b d9 cb 99 a0 ff 02 00 00 00 00 00 00
00000020 00 00 00 00 00 00 00 16 3a 00 05 02 00 00 01 00
00000030 8f 00 79 da 00 00 00 01 04 00 00 00 ff 02 00 00
00000040 00 00 00 00 00 00 00 00 00 00 00 02

text2pcap -e 86dd out.pcap


tcpdump -r out.pcap -n -e
reading from file out.pcap, link-type EN10MB (Ethernet)
00:43:21.000000 0a:01:01:01:01:01 > 0a:02:02:02:02:02, ethertype IPv6 (0x86dd), length 90: fe80::3c27:469b:d9cb:99a0 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28