Bug 479937

Summary: [OpenConnect] Timeout after authentication connecting to GlobalProtect VPN
Product: [Plasma] plasmashell Reporter: Knut Andre Tidemann <knut.tidemann>
Component: Networking in generalAssignee: Plasma Bugs List <plasma-bugs-null>
Status: CONFIRMED ---    
Severity: normal CC: kdedev, mss, nate, postix
Priority: NOR    
Version First Reported In: 5.27.10   
Target Milestone: 1.0   
Platform: Arch Linux   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=503535
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Knut Andre Tidemann 2024-01-17 10:54:30 UTC 
SUMMARY
When trying to connect to my work place's GlobalProtect VPN, the connection times out after the authentication and gateway selection phase. This used to work some time ago (roughly 1 year ago), but I do not use this often enough to pinpoint when in stopped working. It could also be something that changed one the server side.

What does work is to connect using 'nmcli --ask connection up VPN', so it's definitely something with plasma-nm.

STEPS TO REPRODUCE
1. Connect to GlobalProtect VPN
2. Enter username / password and log in
3. Select gateway and the authentication window closes. Timeout occurs in ~1 minute.

OBSERVED RESULT
Log output is somewhat lacking:

Jan 17 11:17:16 kyle NetworkManager[790]: <info>  [1705486636.7962] vpn[0x64677478fac0,040f8208-cd33-45b7-8f5a-8805f67317d1,"VPN"]: starting openconnect
Jan 17 11:17:16 kyle NetworkManager[790]: <info>  [1705486636.7964] audit: op="connection-activate" uuid="040f8208-cd33-45b7-8f5a-8805f67317d1" name="VPN" pid=1205 uid=1000 result="success"
Jan 17 11:17:16 kyle kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 17 11:17:16 kyle kded5[1146]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::NeedAuth
Jan 17 11:17:16 kyle kded5[1146]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jan 17 11:17:16 kyle plasmashell[1205]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jan 17 11:17:16 kyle kded5[1146]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jan 17 11:17:16 kyle plasmashell[1205]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jan 17 11:17:17 kyle plasmashell[1205]: file:///usr/lib/qt/qml/org/kde/plasma/extras/PlaceholderMessage.qml:238:5: QML Heading: Binding loop detected for property "verticalAlignment"
Jan 17 11:17:18 kyle kded5[1146]: QFormLayout::takeAt: Invalid index 0
Jan 17 11:17:39 kyle kded5[1146]: QFormLayout::takeAt: Invalid index 0
Jan 17 11:17:39 kyle kded5[1146]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jan 17 11:17:39 kyle kded5[1146]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::Connecting
Jan 17 11:17:39 kyle NetworkManager[790]: <info>  [1705486659.2530] manager: (vpn0): new Tun device (/org/freedesktop/NetworkManager/Devices/3)
Jan 17 11:17:39 kyle plasmashell[1205]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jan 17 11:17:39 kyle kded5[1146]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jan 17 11:17:39 kyle NetworkManager[790]: <info>  [1705486659.2563] audit: op="connection-update" uuid="040f8208-cd33-45b7-8f5a-8805f67317d1" name="VPN" args="connection.timestamp,vpn.secrets" pid=1146 uid=1000 result="success"
Jan 17 11:17:39 kyle NetworkManager[3631]: POST https://1.2.3.4/ssl-vpn/getconfig.esp
Jan 17 11:17:39 kyle plasmashell[1205]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jan 17 11:17:39 kyle NetworkManager[3631]: Connected to 1.2.3.4:443
Jan 17 11:17:39 kyle NetworkManager[3631]: SSL negotiation with 1.2.3.4
Jan 17 11:17:39 kyle NetworkManager[3631]: Server certificate verify failed: signer not found
Jan 17 11:17:39 kyle NetworkManager[3631]: Connected to HTTPS on 1.2.3.4 with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Jan 17 11:17:46 kyle NetworkManager[790]: <info>  [1705486666.3772] audit: op="statistics" interface="enp6s0" ifindex=2 args="2000" pid=1205 uid=1000 result="success"
Jan 17 11:17:48 kyle plasmashell[1205]: file:///usr/lib/qt/qml/org/kde/plasma/extras/PlaceholderMessage.qml:238:5: QML Heading: Binding loop detected for property "verticalAlignment"
Jan 17 11:17:49 kyle kwin_wayland[1006]: This plugin does not support raise()
Jan 17 11:18:39 kyle NetworkManager[790]: <warn>  [1705486719.9773] vpn[0x64677478fac0,040f8208-cd33-45b7-8f5a-8805f67317d1,"VPN"]: connect timeout exceeded
Jan 17 11:18:39 kyle nm-openconnect-[3613]: Connect timer expired, disconnecting.
Jan 17 11:18:39 kyle NetworkManager[3631]: TLS/DTLS read cancelled
Jan 17 11:18:39 kyle NetworkManager[3631]: Error reading HTTP response: Interrupted system call
Jan 17 11:18:39 kyle NetworkManager[3631]: Creating SSL connection failed
Jan 17 11:18:39 kyle NetworkManager[3631]: User cancelled (SIGINT/SIGTERM); exiting.

EXPECTED RESULT
When using nmcli the connection goes through right away. The log output looks very similar, it just continues with more connection info instead of the timeout error.

SOFTWARE/OS VERSIONS
Operating System: Arch Linux 
KDE Plasma Version: 5.27.10
KDE Frameworks Version: 5.114.0
Qt Version: 5.15.12
Kernel Version: 6.7.0-arch3-1 (64-bit)
Graphics Platform: Wayland
Processors: 24 × AMD Ryzen 9 5900X 12-Core Processor
Memory: 31.3 GiB of RAM
Graphics Processor: AMD Radeon RX 6800 XT
Manufacturer: Gigabyte Technology Co., Ltd.
Product Name: X570 AORUS ELITE
System Version: -CF

ADDITIONAL INFORMATION
Comment 1 Ben Cooksley 2024-12-23 18:26:00 UTC 
Bulk transfer as requested in T17796
Comment 2 TraceyC 2025-07-02 20:45:11 UTC 
Thanks for the bug report. I'm sorry we weren't able to get to this yet. There have been many fixes and improvements since this was reported, and this issue may have been fixed.

Can you please re-test on your system with Plasma 6.4.2 or later and let us know if you can still reproduce the problem? If you can, please set this report back to REPORTED. Thanks!
Comment 3 Knut Andre Tidemann 2025-07-16 17:17:17 UTC 
This is still an issue in Plasma 6.4.3 (tested in 6.4.2 as well).

When connecting from the plasma widget (or typing nmcli connection up VPN without --ask), the login prompt appears.
I enter the Username and Password, wait a few seconds to get the 2FA prompt on my phone and accept that.

Then the login succeeds and I'm presented with the 'Gateway' option where the only one available is already selected and press the 'Login' button. The dialog then closes but the VPN connection is disconnected.

When entering credentials from the CLI with nmcli --ask, everything works, the Gateway is auto selected to the same as displayed in the dialog (we only have one anyways).

Here is the journal from the failed attempt:
Jul 16 19:04:27 kyle plasmashell[1456]: QDBusObjectPath: invalid path ""
Jul 16 19:04:27 kyle NetworkManager[869]: <info>  [1752685467.7828] vpn[0x560275e0fa20,040f8208-cd33-45b7-8f5a-8805f67317d1,"VPN"]: starting openconnect
Jul 16 19:04:27 kyle NetworkManager[869]: <info>  [1752685467.7829] audit: op="connection-activate" uuid="040f8208-cd33-45b7-8f5a-8805f67317d1" name="VPN" pid=1456 uid=1000 result="success"
Jul 16 19:04:27 kyle kernel: tun: Universal TUN/TAP device driver, 1.6
Jul 16 19:04:27 kyle kded6[1400]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::NeedAuth
Jul 16 19:04:27 kyle systemd[1158]: Created slice Slice /app/dbus-:1.2-org.kde.kwalletd6.
Jul 16 19:04:27 kyle systemd[1158]: Started dbus-:1.2-org.kde.kwalletd6@0.service.
Jul 16 19:04:27 kyle kwalletd6[2253]: g_dbus_proxy_get_object_path: assertion 'G_IS_DBUS_PROXY (proxy)' failed
Jul 16 19:04:44 kyle kded6[1400]: QFormLayout::takeAt: Invalid index 0
Jul 16 19:04:51 kyle kded6[1400]: QFormLayout::takeAt: Invalid index 0
Jul 16 19:04:51 kyle kded6[1400]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::Connecting
Jul 16 19:04:51 kyle NetworkManager[869]: <info>  [1752685491.9195] manager: (vpn0): new Tun device (/org/freedesktop/NetworkManager/Devices/3)
Jul 16 19:04:51 kyle NetworkManager[869]: <info>  [1752685491.9221] audit: op="connection-update" uuid="040f8208-cd33-45b7-8f5a-8805f67317d1" name="VPN" args="vpn.secrets" pid=1400 uid=1000 result="success"
Jul 16 19:04:51 kyle NetworkManager[2292]: POST https://10.0.0.1/ssl-vpn/getconfig.esp
Jul 16 19:04:51 kyle NetworkManager[2292]: Connected to 10.0.0.1:443
Jul 16 19:04:51 kyle NetworkManager[2292]: SSL negotiation with 10.0.0.1
Jul 16 19:04:51 kyle NetworkManager[2292]: Server certificate verify failed: signer not found
Jul 16 19:04:51 kyle NetworkManager[2292]: Connected to HTTPS on 10.0.0.1 with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Jul 16 19:04:51 kyle NetworkManager[2292]: Failed to read from TLS/DTLS socket: Error in the pull function.
Jul 16 19:04:51 kyle NetworkManager[2292]: Error reading HTTP response: Input/output error
Jul 16 19:04:51 kyle NetworkManager[2292]: Creating SSL connection failed
Jul 16 19:04:51 kyle NetworkManager[2292]: Unrecoverable I/O error; exiting.
Jul 16 19:04:51 kyle NetworkManager[869]: <warn>  [1752685491.9726] vpn[0x560275e0fa20,040f8208-cd33-45b7-8f5a-8805f67317d1,"VPN"]: dbus: failure: connect-failed (1)
Jul 16 19:04:51 kyle NetworkManager[869]: <warn>  [1752685491.9726] vpn[0x560275e0fa20,040f8208-cd33-45b7-8f5a-8805f67317d1,"VPN"]: dbus: failure: connect-failed (1) 

And here is the log from the good attempt:
Jul 16 19:05:33 kyle NetworkManager[869]: <info>  [1752685533.4833] agent-manager: agent[48a8c656e7732405,:1.77/nmcli-connect/1000]: agent registered
Jul 16 19:05:33 kyle NetworkManager[869]: <info>  [1752685533.4873] vpn[0x560275e0fa20,040f8208-cd33-45b7-8f5a-8805f67317d1,"VPN"]: starting openconnect
Jul 16 19:05:33 kyle NetworkManager[869]: <info>  [1752685533.4875] audit: op="connection-activate" uuid="040f8208-cd33-45b7-8f5a-8805f67317d1" name="VPN" pid=2423 uid=1000 result="success"
Jul 16 19:05:33 kyle kded6[1400]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::NeedAuth
Jul 16 19:05:43 kyle kded6[1400]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::Connecting
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.3861] manager: (vpn0): new Tun device (/org/freedesktop/NetworkManager/Devices/4)
Jul 16 19:05:43 kyle NetworkManager[2446]: POST https://sslvpn.example.com/ssl-vpn/getconfig.esp
Jul 16 19:05:43 kyle NetworkManager[2446]: Connected to 10.0.0.1:443
Jul 16 19:05:43 kyle NetworkManager[2446]: SSL negotiation with sslvpn.example.com
Jul 16 19:05:43 kyle NetworkManager[2446]: Server certificate verify failed: signer not found
Jul 16 19:05:43 kyle NetworkManager[2446]: Connected to HTTPS on sslvpn.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Jul 16 19:05:43 kyle NetworkManager[2446]: Tunnel timeout (rekey interval) is 840 minutes.
Jul 16 19:05:43 kyle NetworkManager[2446]: Idle timeout is 840 minutes.
Jul 16 19:05:43 kyle NetworkManager[2446]: No MTU received. Calculated 1422 for ESP tunnel
Jul 16 19:05:43 kyle NetworkManager[2446]: POST https://sslvpn.example.com/ssl-vpn/hipreportcheck.esp
Jul 16 19:05:43 kyle NetworkManager[2446]: WARNING: Server asked us to submit HIP report with md5sum 740e9de209f406a1aac6d081832f3fcf.
Jul 16 19:05:43 kyle NetworkManager[2446]:     VPN connectivity may be disabled or limited without HIP report submission.
Jul 16 19:05:43 kyle NetworkManager[2446]:     You need to provide a --csd-wrapper argument with the HIP report submission script.
Jul 16 19:05:43 kyle NetworkManager[2446]: ESP session established with server
Jul 16 19:05:43 kyle NetworkManager[2446]: ESP tunnel connected; exiting HTTPS mainloop.
Jul 16 19:05:43 kyle NetworkManager[2446]: Configured as 172.21.200.193, with SSL disconnected and ESP established
Jul 16 19:05:43 kyle NetworkManager[2446]: Session authentication will expire at Thu Jul 17 19:05:43 2025
Jul 16 19:05:43 kyle kded6[1400]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::GettingIpConfig
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4663] device (vpn0): state change: unmanaged -> unavailable (reason 'connection-assumed', managed-type: 'external')
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4670] device (vpn0): state change: unavailable -> disconnected (reason 'connection-assumed', managed-type: 'external')
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4673] device (vpn0): Activation: starting connection 'vpn0' (db589ff7-1b20-4140-b4f4-8e8347dd83d4)
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4679] device (vpn0): state change: disconnected -> prepare (reason 'none', managed-type: 'external')
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4680] device (vpn0): state change: prepare -> config (reason 'none', managed-type: 'external')
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4681] device (vpn0): state change: config -> ip-config (reason 'none', managed-type: 'external')
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4683] device (vpn0): state change: ip-config -> ip-check (reason 'none', managed-type: 'external')
Jul 16 19:05:43 kyle systemd[1]: Starting Network Manager Script Dispatcher Service...
Jul 16 19:05:43 kyle openconnect[2446]: Using vhost-net for tun acceleration, ring size 32
Jul 16 19:05:43 kyle systemd[1]: Started Network Manager Script Dispatcher Service.
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4914] device (vpn0): state change: ip-check -> secondaries (reason 'none', managed-type: 'external')
Jul 16 19:05:43 kyle systemd-resolved[571]: vpn0: Bus client set default route setting: no
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4915] device (vpn0): state change: secondaries -> activated (reason 'none', managed-type: 'external')
Jul 16 19:05:43 kyle polkitd[958]: Unregistered Authentication Agent for unix-process:2423:12139 (system bus name :1.77, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 16 19:05:43 kyle polkitd[958]: Unregistered Authentication Agent for unix-process:unknown (system bus name :1.77, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 16 19:05:43 kyle NetworkManager[869]: <info>  [1752685543.4916] device (vpn0): Activation: successful, device activated.
Jul 16 19:05:43 kyle systemd-resolved[571]: vpn0: Bus client set DNS server list to: 172.20.2.3, 172.20.2.6
Jul 16 19:05:46 kyle NetworkManager[869]: <info>  [1752685546.0125] audit: op="statistics" interface="enp6s0" ifindex=2 args="2000" pid=1456 uid=1000 result="success"

Note that the logs have been anonymized with 10.0.0.1 IP address and 'example.com'-domain.
Comment 4 Nate Graham 2025-08-19 22:56:06 UTC 
*** Bug 504637 has been marked as a duplicate of this bug. ***
Comment 5 TraceyC 2025-09-30 21:33:42 UTC 
I've confirmed that a newly imported, valid OpenVPN config fails to connect