Routine check_open_vpn_connections.sh: How to avoid disconnections?

Hello community,

I'm facing a situation that I don't understand because it's directly affecting my operation. I have a Sophos that establishes VPN s2s connections with other Sophos devices; all of them are on the same version: Model: ASG Software - Firmware version: 9.718-5 - Pattern version: 236916.

One relevant point: I have /24 network ranges as remote gateways and /24 local networks among these s2s connections.

Upon noticing that the VPN drops (flapping) were occurring at the same time every day, upon further analysis, I realized that the crontab of the software has the following process below, which is causing these flaps exactly at these times.

35 0,6,12,18 * * * root /usr/local/bin/check_open_vpn_connections.sh 

 

#!/bin/sh
#
# Check for orphaned vpn connection in the database

TMPFILE="/tmp/$(basename $0).$$.tmp"
HASTATE="/opt/tmpfs/ha_state"
HAMASTER="/opt/tmpfs/ha/master"

if [ -f $HASTATE ]; then
  if [ ! -f $HAMASTER ]; then
    exit 0;
  fi
fi

psql -U reporting -c \
'select src_ip, virt_ip, virt_ip6, logintime, service from vpn '\
'where status = 0 and logintime = logouttime LIMIT 1000' > $TMPFILE

function delete_line() {
  TYPE=$1
  LINE=$2
  R_IP=$3
  V_IP=$4
  V_IP6=$5
  TIME=`echo $LINE | grep "$TYPE" | awk '{print $7 " " $8}'`

  #sql string
  DELETE="DELETE FROM vpn"
  WHERE="WHERE status=0 AND service='$TYPE' AND src_ip='$R_IP'"
  if [ "x$V_IP" != "x" ]; then
    AND_VIP="AND virt_ip='$V_IP'"
  else
    AND_VIP=""
  fi
  if [ "x$V_IP6" != "x" ]; then
    AND_VIP6="AND virt_ip6='$V_IP6'"
  else
    AND_VIP6=""
  fi
  AND_TIME="AND logintime='$TIME'"

  echo "$DELETE $WHERE $AND_VIP $AND_VIP6 $AND_TIME"
  psql -U reporting -c "$DELETE $WHERE $AND_VIP $AND_VIP6 $AND_TIME"
}


function openvpn() {
  # check openvpn
  SERVICE="SSL VPN"
  R_IP=
  V_IP=
  V_IP6=
  OPENVPN_STATUS_FILE="/var/sec/chroot-openvpn/var/run/openvpn-status.log"

  while read line
  do
    R_IP=`echo "$line" | grep "$SERVICE" | awk '{print $1}'`
    V_IP=`echo "$line" | grep "$SERVICE" | awk '{print $3}'`
    V_IP6=`echo "$line" | grep "$SERVICE" | awk '{print $5}'`

    if [ "x$R_IP" != "x" ]; then
      grep "$R_IP" "$OPENVPN_STATUS_FILE" | grep -q "$V_IP"
      if [ $? -ne 0 ]; then
        delete_line "$SERVICE" "$line" "$R_IP" "$V_IP" "$V_IP6"
      fi
    fi
  done <$TMPFILE
}


function pptp() {
  # check pptp
  SERVICE="PPTP"
  R_IP=
  V_IP=
  while read line
  do
    R_IP=`echo "$line" | grep "$SERVICE" | awk '{print $1}'`

    if [ "x$R_IP" != "x" ]; then
      netstat | grep "$SERVICE" | grep -q "$R_IP"
      if [ $? -ne 0 ]; then
        delete_line "$SERVICE" "$line" "$R_IP"
      fi
    fi
  done <$TMPFILE
}


function ipsec() {
  # check ipsec
  R_IP=
  V_IP=
  SERVICE="IPsec"
  while read line
  do
    R_IP=`echo $line | grep "$SERVICE" | awk '{print $1}'`

    if [ "x$R_IP" != "x" ]; then
      /usr/local/bin/ipsec status | grep -q "$R_IP"
      if [ $? -ne 0 ]; then
        delete_line "$SERVICE" "$line" $R_IP
      fi
    fi
  done <$TMPFILE
}


#cleanup db
pptp
ipsec
openvpn


rm $TMPFILE

exit 0

At these times, disconnections are occurring. Is there any action I can take to prevent a similar problem from happening again? Can I also comment out this routine so that these situations do not persist?
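
One way to check the correlation described in the post before touching the crontab, as an added example that is not part of the original post or of the appliance's own code: it filters tunnel-down log lines to those that fall within a chosen window after each scheduled run of `35 0,6,12,18 * * *`. The `YYYY:MM:DD-HH:MM:SS` timestamp layout, the function names and the sample log lines are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: correlate tunnel-down events with the cron schedule.
# Schedule copied from the crontab line in the post: 35 0,6,12,18 * * *
CRON_MINUTE=35
CRON_HOURS="0 6 12 18"

# flaps_near_cron WINDOW_SECONDS
# Reads log lines on stdin and prints those whose timestamp lies between a
# scheduled run and WINDOW_SECONDS after it.
# Assumption: field 1 is a timestamp of the form YYYY:MM:DD-HH:MM:SS.
flaps_near_cron() {
  awk -v win="$1" -v cmin="$CRON_MINUTE" -v hours="$CRON_HOURS" '
    BEGIN { n = split(hours, h, " ") }
    {
      # Separate the date from the time, then the time into H, M, S.
      if (split($1, dt, "-") != 2) next
      if (split(dt[2], t, ":") != 3) next
      sec = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= n; i++) {
        start = h[i] * 3600 + cmin * 60
        delta = sec - start
        # Only events at or after the run start can have been caused by it.
        if (delta >= 0 && delta <= win) { print; break }
      }
    }'
}

# Constructed sample events (hostnames, daemon name and messages are made up).
sample_events() {
  cat <<'EOF'
2024:05:14-00:35:04 gw1 example[100]: tunnel SITE-A down (constructed)
2024:05:14-03:12:40 gw1 example[100]: tunnel SITE-B down (constructed)
2024:05:14-06:36:10 gw1 example[100]: tunnel SITE-A down (constructed)
2024:05:14-12:34:59 gw1 example[100]: tunnel SITE-C down (constructed)
2024:05:14-18:37:30 gw1 example[100]: tunnel SITE-A down (constructed)
EOF
}

# Number of sample events within the given window after a scheduled run.
count_near_cron() {
  sample_events | flaps_near_cron "$1" | wc -l | tr -d ' '
}

echo "events within 120s of a scheduled run: $(count_near_cron 120) of 5"
```

To use it on real data, pipe the tunnel-down lines from the appliance's own VPN log into `flaps_near_cron` in place of `sample_events`; events that occur just before a run, or hours away from one, point to a different cause.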