Unable to connect: IllegalStateException

[ypid]

Hi

Nice program although I could not get it to work. I run CyanogenMod 11 M7 jflte. Installed AndIodine from FDroid. It might be worth noting that I have a Paketfilte (Whitelisting) in place (AndIodine is allowed of course).

https://img.bi/#/Rszgz6r!MoRfn3zWOoxXh7PYKjrrFwi4LUklNF9VeezwFmCD

08-05 17:05:37.870 D/FRAGMENT_LIST( 9515): Call VPN Service for configuration: 1
08-05 17:05:37.900 D/ConfigDatabase( 9515): Selected: last_used=null id=1 nameserver= raw_mode=1 nameserver_mode=LEAVE_DEFAULT top_domain=$DOMAIN request_type=AUTODETECT lazy_mode=1 default_route=0 name=$NAME DNS password=$PW tunnel_nameserver=
08-05 17:05:37.910 D/VPN_SERVICE( 9515): VPN Thread enter
08-05 17:05:37.910 D/VPN_SERVICE( 9515): Send: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_CONNECT (has extras) }
08-05 17:05:37.910 D/MAIN    ( 9515): Got intent: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_CONNECT flg=0x10 (has extras) }
08-05 17:05:37.910 W/InputMethodManagerService(  703): Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@41a07a60 attribute=null, token = android.os.BinderProxy@41e172f0
08-05 17:05:37.920 D/NATIVE  ( 9515): Message: Opened UDP socket
08-05 17:05:37.920 D/NATIVE  ( 9515): Message: Using DNS type ) av  queries
08-05 17:05:37.940 D/VPN_SERVICE( 9515): Send: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_CONNECT (has extras) }
08-05 17:05:37.960 D/MAIN    ( 9515): Got intent: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_CONNECT flg=0x10 (has extras) }
08-05 17:05:37.960 D/FRAGMENT_STATUS( 9515): Got intent: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_CONNECT flg=0x10 (has extras) }
08-05 17:05:37.970 D/NATIVE  ( 9515): Message: Version ok, both using protocol v 0x763de9ec. You are user #1986071442
08-05 17:05:38.020 D/NATIVE  ( 9515): Message: Server tunnel IP is   =v
08-05 17:05:38.020 D/NATIVE  ( 9515): Message: Testing raw UDP data to the server (skip with -r)
08-05 17:05:38.030 E/MP-Decision( 1004): num online cores: 1 reqd : 2 available : 4 rq_depth:0.900000 hotplug_avg_load_dw: 53
08-05 17:05:38.030 E/MP-Decision( 1004): UP cpu:1 core_idx:1 Nw:1.900000 Tw:140 total_time_up:0.000000
08-05 17:05:38.070 D/NATIVE  ( 9515): Message:
08-05 17:05:38.070 D/NATIVE  ( 9515): Message: Server is at    @  T  , trying raw login:
08-05 17:05:38.070 D/NATIVE  ( 9515): Message: OK
08-05 17:05:38.070 D/NATIVE  ( 9515): Message: Sending raw traffic directly to    @  T  8av  fv
08-05 17:05:38.080 D/NATIVE  ( 9515): Message: Handshake successful, leave native code
08-05 17:05:38.080 D/VPN_SERVICE( 9515): Handshake successful
08-05 17:05:38.080 D/VPN_SERVICE( 9515): Send: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_CONNECTED (has extras) }
08-05 17:05:38.080 D/VPN_SERVICE( 9515): Build tunnel for configuration: ip=192.168.20.4 netbits=24 mtu=1130
08-05 17:05:38.080 D/VPN_SERVICE( 9515): Build tunnel interface
08-05 17:05:38.090 D/Vpn     (  703): setting state=CONNECTING, reason=establish
08-05 17:05:38.090 D/VpnJni  (  703): Address added on tun0: 192.168.20.4/24
08-05 17:05:38.110 D/FRAGMENT_STATUS( 9515): Got intent: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_CONNECTED flg=0x10 (has extras) }
08-05 17:05:38.120 D/Vpn     (  703): setting state=FAILED, reason=establish
08-05 17:05:38.120 W/Netd    (  249): No subsystem found in netlink event
08-05 17:05:38.120 W/Netd    (  249): No subsystem found in netlink event
08-05 17:05:38.120 E/NetlinkEvent(  249): Unknown ifindex 14 in RTM_DELADDR
08-05 17:05:38.120 D/NetlinkEvent(  249): Unexpected netlink message. type=0x11
08-05 17:05:38.190 I/iptables(  249): iptables: No chain/target/match by that name.
08-05 17:05:38.190 I/iptables(  249): iptables terminated by exit(1)
08-05 17:05:38.190 E/Netd    (  249): exec() res=0, status=256 for /system/bin/iptables -t mangle -D st_mangle_POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
08-05 17:05:38.190 I/ip6tables(  249): ip6tables: No chain/target/match by that name.
08-05 17:05:38.210 I/ip6tables(  249): ip6tables terminated by exit(1)
08-05 17:05:38.210 E/Netd    (  249): exec() res=0, status=256 for /system/bin/ip6tables -t mangle -D st_mangle_POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
08-05 17:05:38.210 I/iptables(  249): iptables: No chain/target/match by that name.
08-05 17:05:38.210 I/iptables(  249): iptables terminated by exit(1)
08-05 17:05:38.210 E/Netd    (  249): exec() res=0, status=256 for /system/bin/iptables -t nat -D st_nat_POSTROUTING -o tun0 -m mark --mark 60 -j MASQUERADE
08-05 17:05:38.210 W/System.err( 9515): java.lang.IllegalStateException: command '93 interface fwmark rule add tun0' failed with '400 93 Failed to add fwmark rule (Success)'
08-05 17:05:38.210 W/System.err( 9515):         at android.os.Parcel.readException(Parcel.java:1473)
08-05 17:05:38.210 W/System.err( 9515):         at android.os.Parcel.readException(Parcel.java:1419)
08-05 17:05:38.210 W/System.err( 9515):         at android.net.IConnectivityManager$Stub$Proxy.establishVpn(IConnectivityManager.java:1564)
08-05 17:05:38.210 W/System.err( 9515):         at android.net.VpnService$Builder.establish(VpnService.java:472)
08-05 17:05:38.210 W/System.err( 9515):         at org.xapek.andiodine.IodineVpnService.runTunnel(IodineVpnService.java:317)
08-05 17:05:38.210 W/System.err( 9515):         at org.xapek.andiodine.IodineVpnService.run(IodineVpnService.java:224)
08-05 17:05:38.210 W/System.err( 9515):         at java.lang.Thread.run(Thread.java:841)
08-05 17:05:38.210 D/VPN_SERVICE( 9515): Send: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_ERROR (has extras) }
08-05 17:05:38.220 D/VPN_SERVICE( 9515): VPN Thread exit
08-05 17:05:38.220 D/MAIN    ( 9515): Got intent: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_ERROR flg=0x10 (has extras) }
08-05 17:05:38.230 D/FRAGMENT_STATUS( 9515): Got intent: Intent { act=org.xapek.andiodine.IodineVpnService.STATUS_ERROR flg=0x10 (has extras) }

Any idea?

[faxm0dem]

Same here since a few cm versions

[yvesf]

Actually, I fear there is nothing I can do about this error, I'm getting it too on my device. I found more details here: https://wiki.strongswan.org/issues/462

Update: search for fwmark here: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3-0-android.html The error doesn't appear with mtu >= 1280
see here

andiodine/src/org/xapek/andiodine/IodineVpnService.java

Line 315 in 5d8801d

// the VPN framework fails if mtu < 1280

[faxm0dem]

Indeed I have the same IllegalStateException using Anyconnect.

[yvesf]

Please try to force your iodined to use 1280 as mtu for the tun dev with the -m option.
Btw, the mtu is not to be confused with the 'fragment' size.

[faxm0dem]

It's working indeed. Thanks, as far as I'm concerned this is an acceptable workaround

[ypid]

Also works for me. Thanks 👍

[yvesf]

thanks for the feedback. I will add a try-catch for this exception with
a specific hint about this.

[yvesf]

I'll tag the current HEAD with v1.2 as soon as I got some positive response about the latest change. (build signed with debug keys: https://www.xapek.org/~yvesf/public/IodineMain-debug-v1.2-rc1.apk)

Now, if you connect and run into this problem, the app will show you a link to this page instead of a full log with no information.
The log-output will stay visible until you press the 'Close' button.

[ypid]

Thanks for the build. With the 1280 as mtu it works as expected and with the default mtu it gives a note and links to this issue. One thing I noticed is that the link is not click able. Everything else works as expected.

[yvesf]

This specific issue is solved in HEAD, will be fixed in (git-tag) v1.1 .

For follow-up of this problem and workaround see #9