Delay before key is served

Teddy Hogeborn teddy at recompile.se
Thu Jan 30 11:24:08 CET 2020


Dick Middleton <dick at lingbrae.com> writes:

>    I have a problem with a long delay between my client prompting for
> the passcode and the mandos server responding.  The delay seems to be
> around 75..90s consistently.
>
> With debug on the server I can see the server starts and goes quiet
> once zeroconf is started.  I start the client which prompts after 10s
> or so but there is no response from the server.
>
> The next thing that happens is the checker is started (although I'm
> not sure it's relevant) and then it all works.  The checker interval
> is the default PT2M (2 minutes).
[…]
> Mandos serves the key quickly when tested from the client using
> mandos-client from the CLI. This problem is confined to client boot.
>
> What I can't work out is whether this is a network issue or mandos
> client or server is holding off for something.
[…]
> Jan 30 07:30:23 mimas mandos[17108]: Mandos [17108]: INFO: TCP connection from: ('fe80::1e1b:dff:fe94:eeb0', 39296, 0, 2)

I'm guessing that the Mandos server has a real, globally reachable, IPv6
address.  This causes Avahi to use that address when announcing the
_mandos._tcp service.  But, the clients only have link-local IPv6
addresses, and if there is no IPv6 Router Advertisement (RA) on the
network, the clients don't have a route to reach global IPv6 addresses.
We have implemented a workaround for this, which is why it works after
the initial connect by the client first times out.

The easiest fix is for you to provide Router Advertisements; this will
give each client a default route which they can use to reach the Mandos
server on the first attempt without timing out.

We'll look into ways we could lower the timeout before the workaround is
used, but this workaround is only meant to be used for when the provider
of the RA packets itself is the Mandos client and can't get a default
route from itself yet.

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos
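
The routing condition described in the reply above, as an added example that is not part of the original message or of the Mandos code: a longest-prefix lookup over constructed `ip -6 route show` output, showing that a client without a Router Advertisement has no route to a global announced address. All addresses, the interface name and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed `ip -6 route show` output: client with only a link-local
# address, no Router Advertisement received.
ROUTES_NO_RA = "fe80::/64 dev eth0 proto kernel metric 256 pref medium\n"

# Constructed output for the same client after an RA arrived.
ROUTES_WITH_RA = (
    "2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium\n"
    "fe80::/64 dev eth0 proto kernel metric 256 pref medium\n"
    "default via fe80::1 dev eth0 proto ra metric 100 pref medium\n"
)

REJECT_TYPES = {"unreachable", "blackhole", "prohibit"}

def parse_routes(text):
    """Return [(IPv6Network, device)] for every usable route line."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in REJECT_TYPES:
            continue
        dest = "::/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.IPv6Network(dest)
        except ValueError:
            continue  # not a line this sketch understands
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes

def lookup(routes, address):
    """Longest-prefix match; None means the client has no route at all."""
    addr = ipaddress.IPv6Address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def reachable_on_first_attempt(route_text, announced):
    """True if the client has any route to the announced address."""
    return lookup(parse_routes(route_text), announced) is not None

if __name__ == "__main__":
    # Hypothetical server addresses: one global, one link-local.
    for addr in ("2001:db8:2::10", "fe80::5"):
        for name, table in (("no RA", ROUTES_NO_RA), ("with RA", ROUTES_WITH_RA)):
            print(addr, name, reachable_on_first_attempt(table, addr))
```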