Routine check_open_vpn_connections.sh How to avoid disconnections?

Hello community,

I'm facing a situation that I don't understand, because it's directly affecting my operation. I have a Sophos that establishes VPN s2s connections with other Sophos devices; all of them are on the same version: Model: ASG Software - Firmware version: 9.718-5 - Pattern version: 236916.

One relevant point: I have /24 network ranges as remote gateways and /24 local networks among these s2s connections.

After noticing that the VPN drops (flapping) were occurring at the same time every day, and on further analysis, I realized that the software's crontab contains the process below, which is causing these flaps at exactly these times.

35 0,6,12,18 * * * root /usr/local/bin/check_open_vpn_connections.sh

#!/bin/sh
#
# Check for orphaned vpn connection in the database

TMPFILE="/tmp/$(basename $0).$$.tmp"
HASTATE="/opt/tmpfs/ha_state"
HAMASTER="/opt/tmpfs/ha/master"

if [ -f $HASTATE ]; then
  if [ ! -f $HAMASTER ]; then
    exit 0;
  fi
fi

psql -U reporting -c \
'select src_ip, virt_ip, virt_ip6, logintime, service from vpn '\
'where status = 0 and logintime = logouttime LIMIT 1000' > $TMPFILE

function delete_line() {
  TYPE=$1
  LINE=$2
  R_IP=$3
  V_IP=$4
  V_IP6=$5
  TIME=`echo $LINE | grep "$TYPE" | awk '{print $7 " " $8}'`

  #sql string
  DELETE="DELETE FROM vpn"
  WHERE="WHERE status=0 AND service='$TYPE' AND src_ip='$R_IP'"
  if [ "x$V_IP" != "x" ]; then
    AND_VIP="AND virt_ip='$V_IP'"
  else
    AND_VIP=""
  fi
  if [ "x$V_IP6" != "x" ]; then
    AND_VIP6="AND virt_ip6='$V_IP6'"
  else
    AND_VIP6=""
  fi
  AND_TIME="AND logintime='$TIME'"

  echo "$DELETE $WHERE $AND_VIP $AND_VIP6 $AND_TIME"
  psql -U reporting -c "$DELETE $WHERE $AND_VIP $AND_VIP6 $AND_TIME"
}


function openvpn() {
  # check openvpn
  SERVICE="SSL VPN"
  R_IP=
  V_IP=
  V_IP6=
  OPENVPN_STATUS_FILE="/var/sec/chroot-openvpn/var/run/openvpn-status.log"

  while read line
  do
    R_IP=`echo "$line" | grep "$SERVICE" | awk '{print $1}'`
    V_IP=`echo "$line" | grep "$SERVICE" | awk '{print $3}'`
    V_IP6=`echo "$line" | grep "$SERVICE" | awk '{print $5}'`

    if [ "x$R_IP" != "x" ]; then
      grep "$R_IP" "$OPENVPN_STATUS_FILE" | grep -q "$V_IP"
      if [ $? -ne 0 ]; then
        delete_line "$SERVICE" "$line" "$R_IP" "$V_IP" "$V_IP6"
      fi
    fi
  done <$TMPFILE
}


function pptp() {
  # check pptp
  SERVICE="PPTP"
  R_IP=
  V_IP=
  while read line
  do
    R_IP=`echo "$line" | grep "$SERVICE" | awk '{print $1}'`

    if [ "x$R_IP" != "x" ]; then
      netstat | grep "$SERVICE" | grep -q "$R_IP"
      if [ $? -ne 0 ]; then
        delete_line "$SERVICE" "$line" "$R_IP"
      fi
    fi
  done <$TMPFILE
}


function ipsec() {
  # check ipsec
  R_IP=
  V_IP=
  SERVICE="IPsec"
  while read line
  do
    R_IP=`echo $line | grep "$SERVICE" | awk '{print $1}'`

    if [ "x$R_IP" != "x" ]; then
      /usr/local/bin/ipsec status | grep -q "$R_IP"
      if [ $? -ne 0 ]; then
        delete_line "$SERVICE" "$line" $R_IP
      fi
    fi
  done <$TMPFILE
}


#cleanup db
pptp
ipsec
openvpn


rm $TMPFILE

exit 0

At these times, disconnections are occurring. Is there any action I can take to prevent a similar problem from happening again? Can I also comment out this routine so that these situations do not persist?

  • Are the connections getting re-established after dropping?

    If so, it would seem the simplest fix is to just change the time of the cronjob. As you posted above, it's set to run at 35 min past the hour at hours 0, 6, 12, and 18. I assume the one at 12 (noon) is the one causing issues. You can change it to run at different times during the day.

    How to implement this is a bit more difficult. Because of how utm runs, any change you make in the physical cronjob file will get overwritten periodically as the software regenerates these files often.

    I had to make a similar change on my install because the dhcp timeout was not long enough for my isp. I have a different cronjob script running every 10 min to verify connectivity and perform other maintenance tasks (such as readjusting the dhcp timeout). In your case, this script would change the cronjob interval, likely using the 'sed' function. I don't believe the cronjob service requires a restart after such changes.

    Of course the simplest solution would be to adjust this interval in middleware directly. I don't know how to do this.

    /etc/crontab-static does not get rewritten and survives updates.
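An added example of the "periodic job re-applies the schedule" approach described in the reply above; it is not code from the thread or from Sophos, and it uses awk rather than sed. The replacement schedule, the temp-file demo crontab and the return codes are assumptions; it leaves the entry untouched when the schedule is already in place, so a frequent maintenance job can call it without churning the file.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: re-apply a chosen
# schedule to one crontab entry so a periodic maintenance job can restore it
# whenever UTM regenerates the file. Target file, new schedule and the demo
# crontab contents are assumptions.

JOB="/usr/local/bin/check_open_vpn_connections.sh"   # script named in the thread
NEW_SCHEDULE="35 3 * * *"                           # assumed: once a day at 03:35

# reschedule_job FILE JOB SCHEDULE
# Rewrites the five schedule fields of every active (uncommented) entry for JOB.
# Returns 0 if FILE was changed, 1 if the schedule was already in place,
# 2 if FILE has no entry for JOB.
reschedule_job() {
  file="$1"; job="$2"; sched="$3"
  current=$(grep -v '^[[:space:]]*#' "$file" | grep -F "$job" || true)
  [ -n "$current" ] || return 2
  case "$current" in
    "$sched "*) return 1 ;;                 # already rescheduled: no churn
  esac
  # Fields 1-5 are the schedule, 6 the user, 7.. the command line.
  awk -v job="$job" -v sched="$sched" '
    !/^[[:space:]]*#/ && index($0, job) {
      cmd = ""
      for (i = 7; i <= NF; i++) cmd = cmd (i > 7 ? " " : "") $i
      print sched " " $6 " " cmd
      next
    }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample crontab containing the entry quoted in the thread.
demo_file() {
  f=$(mktemp)
  cat > "$f" <<EOF
# generated by UTM (constructed sample)
*/10 * * * * root /usr/local/bin/some_other_job.sh
35 0,6,12,18 * * * root $JOB
EOF
  printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
  f=$(demo_file)
  reschedule_job "$f" "$JOB" "$NEW_SCHEDULE" && echo "schedule updated"
  cat "$f"; rm -f "$f"
fi
```

Run it with `--demo` to see the constructed crontab before and after; pointed at the real file it should be scheduled more often than UTM regenerates that file.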

  • The specific connections don't even reach to alert via email.

    From what I've gathered, I can't manually make adjustments directly in /etc/crontab. Every time I reopen it, it rewrites with the old information. I tried adjusting it with crontab running and also with it stopped, but every time I start it or reboot, it overwrites all the configurations.

    Can you detail how I can completely stop these routines from being executed, as they are causing a lot of interruptions in the VPN?

    I need a way to stop this routine - /usr/local/bin/check_open_vpn_connections.sh

  • I don't know if this is the best way, but

    chmod -x /usr/local/bin/check_open_vpn_connections.sh

    That will take away its execute permission, permanently. I don't know of any mechanism built into utm to let you actually adjust the time settings for these jobs. Since the same values are getting rewritten, that means they exist somewhere in middleware.

    I didn't understand your answer about vpn connection after the flapping. Are the clients able to reconnect?