06-09-2021 06:55 AM - edited 06-10-2021 12:17 AM
Hi all,
I am trying to automate the deployment of GlobalProtect software in laptops with Ubuntu installed and I have faced an issue not easy to explain. The operating system is being deployed automatically in chroot mode, and one of the last steps involves installing the package of GlobaProtect as root ( dpkg -i GlobalProtect-latest.deb)
After the laptop is restarted and a user logins, if the user tries to run the globalprotect command, it always receive the message:
:~$ globalprotect
Unable to establish a new GlobalProtect connection as a GlobalProtect connection is already established from this Linux system by the same user or another user.
Does not matter the attempts to reinstall the software later (With sudo or directly as root) the software does not allow any option and only shows above message.
I can confirm the software runs as root originally, or as under the user name after reinstallation:
Preparing to unpack .../GlobalProtect_deb-5.2.6.0-18.deb ...
gp service is running and we need to stop it...
Disable service...
PanGPA is running and we need to stop it...
stop gpa for sudo user username
Disable gpa user service...
Start upgrading gp...
Unpacking globalprotect (5.2.6-18) over (5.2.6-18) ...
systemd is detected.
Setting up globalprotect (5.2.6-18) ...
Enable gp service...
Starting gp service...
enable ping
net.ipv4.ping_group_range = 0 0
Starting gpa...
start GPA for sudo user username
Processing triggers for man-db (2.9.1-1) ...
~$ ps -ef | grep global
root 1559 1 0 15:16 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPS
root 2522 2510 0 15:35 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPA start
username 2663 2654 0 15:35 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPA start
Any clue why the messages keeps suggesting that there is any connection?
06-10-2021 02:28 AM
Hi @Villabrille
What is your connection method configured as ? Is your connection method set to 'on-demand' ?
This exact issue has been discussed several times ... any tips on these pages ?:
Are there any GP logs from the time the issue occurs you can look at ?
Cheers,
-Kiwi.
06-10-2021 07:25 AM
Hi Kiwi,
thanks for you reply. Those links have been reviewed, but the assumption that the issue is on the server side or that it gets solved with disconnect or disable on the client are pointing to the incorrect source. There is no setup performed or any account configured, so how can the application knows anything about the server as it is suggested on the links?
For those interested, you can try the solution suggested below (it worked in my case at all times that I tested it)....
The issue is clearly not at the server side, since we cannot run any globalprotect disable or globalprotect disconnect the application is not accepting any modifier (just outputting the error)
Let me add that at that point I just installed as root (without any account logged in) and stated that I still did not configure either any account or any server where to connect, it's clearly not a matter of missconfiguration on the server side.
Let me share the experiences here. You can easily reproduce the error by running the installation of the package as root (only) or in chroot.
Solution:
run the following commands:
:-$ sudo systemctl stop gpd --> Unfortunately, it does not do anything, but....
:-$ sudo systemctl disable gpd
Now there will be two PIDs, one (2953 as an example) belongs to the PanGPA and the second (2571 as an example) belongs to the /lib/systemd/systemd --user that you also have to kill otherwise the system will relaunch PanGPA.
:-$ ps -ef | grep global
root 2953 2571 0 15:19 ? 00:00:00 /opt/paloaltonetworks/globalprotect/PanGPA start
kill both:
:-$ sudo kill -9 $(ps -ef | grep -v grep | grep global | awk '{ print $2 " "$3}') --> Or kill them separately with kill -9 2953 and kill -9 2571 (or the PID that the output shows).
Unfortunately, now you are forced to initiate a X-Window session in the computer (it does not work remotely through SSH) and then you have to run in a terminal window:
:-$ sudo dpkg-reconfigure globalprotect
Magia! now you are able to run globalprotect (as a normal user) without the annoying message.
(eventually, the system can show you a message suggesting to run systemctl --user daemon-reload, you can run it as well.
Then you can run globalprotect connect --portal host.supersecure.org
Note: All those commands where using the GlobalProtect_deb-5.2.6.0-18.deb version (not the UI version, since it does not integrate at all in Ubuntu, the GlobalProtect GUI Window is being showed at login, but if you click anywhere else, the window disappear and you cannot find it anymore 😉
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
