Custom Service Failure

Hello,

I have tested this on several Ubuntu 22.04 LTS servers (CLI only) and so far it is proving unstable. I created a new service which runs a shell script to start up the Palo Alto Networks GlobalProtect VPN client and auto-connect back to our data center. The script loops every minute to ping an IP address inside the data center and, in the event of failure, reconnects the VPN client. I’ve had several approaches with the code and so far it is unstable. Sometimes it can be stable until I reboot and then it doesn’t work. The service or script is spooling up multiple instances of the GlobalProtect client, which makes it fail to connect to the VPN anymore. Here is the service file:
cat /etc/systemd/system/myVpn.service
[Unit]
Description=My Vpn Connection
Wants=network.target
After=syslog.target network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/myvpn.sh
ExecStop=/bin/sh -c 'globalprotect disconnect'
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

The script is:

cat /usr/local/bin/myvpn.sh
#!/bin/bash

#Variables
ping_targets="x.x.x.x"
failed_hosts=""

#Start gp client vpn and log the event
globalprotect connect -p x.x.x.x -u xxxx

echo "myVpn.service: ## Starting globalprotect ##" | systemd-cat -p info

#Check connectivity every minute
while :
do
    TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')

    echo "myVpn.service: ${TIMESTAMP} checking opmgr central reachable over vpn" | systemd-cat -p info

    ping -c 1 x.x.x.x > /dev/null
    if [ $? -ne 0 ]; then
        if [ "$failed_hosts" == "" ]; then
            failed_hosts="x.x.x.x"
        else
            failed_hosts="$failed_hosts, 'x.x.x.x'"
        fi
    fi

    if [ "$failed_hosts" != "" ]; then
        globalprotect connect -p x.x.x.x -u xxxx
        echo "myVpn.service: ## Reconnecting due to packet loss ##" | systemd-cat -p info
    fi

    sleep 60
done

I removed usernames and IP addresses and replaced them with x for security reasons. I appreciate any feedback or advice with this. It’s frustrating when I had the first test server stable all weekend long and yesterday it also lost VPN connection. Is this better accomplished as a crontab job instead of a service?

Thanks!

Multiple Instances: The main issue you’re facing with multiple instances of the GlobalProtect client starting up could be due to the VPN connection attempt within the loop without checking if an existing connection is active or necessary. This can lead to redundant connection attempts and potentially conflict with existing sessions.
Service Restart Behavior: Your service is designed to restart on failure, but given your script’s structure, it might not exit (and thus trigger a restart) when you expect it to, especially if the connection attempts are failing silently within the loop.
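
One way to act on both points above, as an added example that is not code from this thread: the failure state is reset on every successful probe, a reconnect is attempted only when the current probe fails, and the script exits non-zero after repeated failures so that `Restart=on-failure` applies. `PORTAL`, `VPN_USER`, `TARGET`, `MAX_FAILS`, `INTERVAL` and the `run` argument (which `ExecStart` would have to pass) are assumed names.

```shell
#!/bin/bash
# Added example for the myVpn.service discussion; not the poster's script.
# Assumed names: PORTAL, VPN_USER, TARGET, MAX_FAILS, INTERVAL, "run" argument.
PORTAL="${PORTAL:-x.x.x.x}"     # portal address, elided as in the post
VPN_USER="${VPN_USER:-xxxx}"    # user name, elided as in the post
TARGET="${TARGET:-x.x.x.x}"     # data-center IP to probe
MAX_FAILS="${MAX_FAILS:-3}"     # consecutive failed probes before giving up
INTERVAL="${INTERVAL:-60}"      # seconds between probes

log() { echo "myVpn.service: $*" | systemd-cat -p info; }

# Probe the tunnel once; the return value is ping's exit status.
tunnel_up() { ping -c 1 -W 5 "$TARGET" > /dev/null 2>&1; }

# One connection attempt, using the command from the original script.
vpn_connect() { globalprotect connect -p "$PORTAL" -u "$VPN_USER"; }

# Probe every INTERVAL seconds. After MAX_FAILS failed probes in a row,
# return 1 so systemd restarts the unit instead of the loop retrying forever.
watchdog() {
    local fails=0
    while :; do
        if tunnel_up; then
            fails=0                 # a good probe clears the failure state
        else
            fails=$((fails + 1))
            log "probe $fails/$MAX_FAILS to $TARGET failed"
            if [ "$fails" -ge "$MAX_FAILS" ]; then
                log "giving up, exiting non-zero for systemd to restart"
                return 1
            fi
            vpn_connect || log "connect attempt failed"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when called as "myvpn.sh run".
if [ "${1:-}" = "run" ]; then
    vpn_connect
    watchdog
    exit $?
fi
```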