Issue #613

StrongSwan fails to reconnect after no internet for long period of time

Added by Le Hoang over 5 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Category: android
Affected version: 5.1.3
Resolution: Won't fix

Description

We are currently using your StrongSwan Android application and have noticed a problem when the device is disconnected from the internet for an extended period of time.

Steps to produce bug:
1. Connect to VPN server
2. Turn off WiFi and sim data
3. Wait for 10 minutes
4. Turn on WiFi or sim data
5. Wait 3 minutes

After the final 3 minutes have elapsed, traffic is no longer tunnelled through the VPN. The Android VPN session Notification is still in the notification drawer but when we try to disconnect, there is no response from StrongSwan and the notification stays there. Attempts at reconnecting do not work (Unspecified Error). The only way of starting up a VPN connection again is by rebooting the device.

This has been reproduced on a Galaxy S5 at least 3 times.

After closer inspection we have found that the following error is thrown:

setting up TUN device for CHILD_SA android{1}
W/System.err(10435): java.lang.IllegalStateException: command '218 interface fwmark uid add tun1 0 99999' failed with '400 218 Failed to add uid rule (Invalid argument)'
at android.os.Parcel.readException(Parcel.java:1473)
W/System.err(10435): at android.os.Parcel.readException(Parcel.java:1419)
W/System.err(10435): at android.net.IConnectivityManager$Stub$Proxy.establishVpn(IConnectivityManager.java:1960)
W/System.err(10435): at android.net.VpnService$Builder.establish(VpnService.java:471)
W/System.err(10435): at org.strongswan.android.logic.CharonVpnService$BuilderAdapter.establish(CharonVpnService.java:589)
W/System.err(10435): at dalvik.system.NativeStart.run(Native Method)
I/charon(10435): 13[LIB] builder: failed to build TUN device
I/charon(10435): 13[DMN] failed to setup TUN device

We have attached the log file with the events before and after the error was thrown.

log.txt (29 KB) Le Hoang, 09.06.2014 17:36
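An added triage example, not part of the original report or of strongSwan's code: a Python scan of logcat text for the failure signature quoted in the description, pairing the rejected `interface fwmark uid add` command with charon's `failed to setup TUN device` line from the same PID. The function and field names are assumptions; the sample lines are taken from the excerpt above.

```python
import re

# Rejected per-UID fwmark rule, as surfaced in the Java exception text.
CMD_FAIL = re.compile(
    r"System\.err\(\s*(?P<pid>\d+)\):.*command '\d+ interface fwmark uid add "
    r"(?P<iface>\S+) (?P<uid_lo>\d+) (?P<uid_hi>\d+)' failed with "
    r"'(?P<code>\d+) \d+ (?P<reason>[^']+)'"
)
# charon giving up on the TUN device for this connection attempt.
CHARON_FAIL = re.compile(
    r"charon\(\s*(?P<pid>\d+)\):.*\[DMN\] failed to setup TUN device"
)


def find_tun_failures(log_text):
    """Return one finding per charon TUN setup failure, with its cause if logged."""
    pending = {}   # pid -> most recent rejected command not yet matched
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CMD_FAIL.search(line)
        if m:
            pending[m["pid"]] = {
                "iface": m["iface"],
                "uid_range": (int(m["uid_lo"]), int(m["uid_hi"])),
                "code": int(m["code"]),
                "reason": m["reason"],
            }
            continue
        m = CHARON_FAIL.search(line)
        if m:
            # cause is None when the TUN failure had some other origin
            cause = pending.pop(m["pid"], None)
            findings.append({"line": lineno, "pid": int(m["pid"]), "cause": cause})
    return findings


# Log lines as quoted in the issue description (most stack frames omitted).
SAMPLE = """\
setting up TUN device for CHILD_SA android{1}
W/System.err(10435): java.lang.IllegalStateException: command '218 interface fwmark uid add tun1 0 99999' failed with '400 218 Failed to add uid rule (Invalid argument)'
W/System.err(10435): at android.net.VpnService$Builder.establish(VpnService.java:471)
I/charon(10435): 13[LIB] builder: failed to build TUN device
I/charon(10435): 13[DMN] failed to setup TUN device
"""

if __name__ == "__main__":
    for finding in find_tun_failures(SAMPLE):
        print(finding)
```

A finding whose `cause` is `None` means charon failed to set up the TUN device without the fwmark rejection being logged for that PID, so it should not be counted as this bug.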

Related issues

Is duplicate of Issue #462: strongswan android app can not use on android 4.4 OS (Feedback, 06.12.2013)

History

#1 Updated by Le Hoang over 5 years ago

I can not reproduce this on Nexus 4 (4.4.3), HTC One X (4.2.2) or Galaxy S3 (4.1.2). The connection gets re-established correctly. I have tried several more times on the Galaxy S5 (4.4.2) and the issue occurs consistently.

#2 Updated by Tobias Brunner over 5 years ago

  • Is duplicate of Issue #462: strongswan android app can not use on android 4.4 OS added

#3 Updated by Tobias Brunner over 5 years ago

  • Category set to android
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner
  • Priority changed from High to Normal

This is a known issue (#462, 62410) ever since Android 4.4 was released. Are you sure this is fixed with 4.4.3?

#4 Updated by Le Hoang over 5 years ago

I am unable to reproduce the issue with 4.4.3 on my Nexus 4. I have tried three times and they have all re-established the connection successfully (Although there is about 1 minute delay where I can not access the internet at all).

#5 Updated by Tobias Brunner over 5 years ago

That's great. I just updated a Nexus 5 to 4.4.3 and it, in fact, seems to work as it did on older releases, especially when roaming between networks.

> Although there is about 1 minute delay where I can not access the internet at all.

Not sure what that's about. Does it take that long to connect to the WiFi? Or does that delay happen after that connection is established? Do you have logs from that test?

#6 Updated by Le Hoang over 5 years ago

The WiFi is up but the old VPN session is still active. It takes about a minute before the new session is established. When I monitor the VPN notification that tells me the duration of the session, this will reset to 0 after about 1 minute (before this time I can not access the internet). Unfortunately I do not have logs for this.

#7 Updated by Tobias Brunner over 5 years ago

I see. I suppose it's the retransmission timeout on the old SA that hits after a minute and only after that the new connection gets established. I described some possible solutions to recover more quickly from such situations in #455#note-2.

#8 Updated by Le Hoang over 5 years ago

We rely on your StrongSwan Android Application for many 4.4.2 devices. We have noticed that AnyConnect pauses the VPN connection when the internet has been disconnected. This means it can avoid the bug. Would it be possible to implement a feature like this in a future release?

#9 Updated by Tobias Brunner over 5 years ago

> Would it be possible to implement a feature like this in a future release?

Maybe but I currently have no plans to do so. Disabling the TUN device may let unencrypted traffic leave the device (also see #616). And since Google apparently fixed the issue it will only cost time and energy to implement a workaround that is not really needed anymore.

#10 Updated by Le Hoang over 5 years ago

Thanks for considering, Tobias. The problem is that the Google fix only applies to Android version 4.4.3, and there are a lot of 4.4 - 4.4.2 devices out there for whom 4.4.3 is not yet available. Whilst the root cause is an Android bug, the impact is that StrongSwan fails to reconnect automatically when an internet connection is lost (This can be as simple as a single underground train journey)... and then it crashes when reconnection is attempted. The only fix is to reboot the device which is very impractical. Imagine having to reboot your device each time you lost internet connection. From a user perspective, this renders the app unusable. If there was any chance of you considering further, it would be greatly appreciated. All the best, Le.

#11 Updated by Tobias Brunner over 1 year ago

  • Status changed from Feedback to Closed
  • Resolution set to Won't fix
