[GH-ISSUE #2700] Health check status not invalidated when Newt site goes offline #4153

New Issue

Closed

opened 2026-04-20 08:37:27 -05:00 by GiteaMirror · 1 comment

GiteaMirror commented 2026-04-20 08:37:27 -05:00

Owner

Copy Link

Originally created by @strausmann on GitHub (Mar 24, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2700

Description

When a Newt agent disconnects (site goes offline), the health check status of all targets routed through that site remains "healthy" in the dashboard. Pangolin correctly detects the site as offline, but does not invalidate the cached health check results for targets on that site.

This causes Pangolin to continue routing traffic to targets through a dead tunnel, resulting in timeouts for users.

Steps to Reproduce

1. Configure a resource with multiple targets across different sites (e.g., 3 targets via Site A, 1 target via Site B)
2. Enable health checks on all targets
3. Verify all targets show "healthy"
4. Stop the Newt agent on Site A (e.g., docker stop pangolin-newt)
5. Observe: Site A shows "Offline" in the Sites dashboard
6. Observe: All targets via Site A still show "healthy" in the resource configuration

Expected Behavior

When a site goes offline, all targets routed through that site should immediately transition to "unhealthy" or "unknown" status. Pangolin should not route traffic to targets on offline sites.

Actual Behavior

• Site correctly shows "Offline"
• Target health check status retains the last known value ("healthy")
• Pangolin continues to route traffic through the dead tunnel
• Users experience sporadic timeouts (requests randomly hit the dead route)

Root Cause Analysis

Based on log analysis:

1. Health checks run through the Newt tunnel (Pangolin → WebSocket → Newt → HTTP → target)
2. When Newt disconnects, no new health check results arrive
3. The last-known-good status stays in the database and is displayed as current
4. Additionally: newt/disconnecting message type throws an exception instead of triggering state cleanup:

   Unsupported message type: newt/disconnecting
   

5. Pangolin continues sending health check requests to the disconnected Newt (phantom checks)

Environment

• Pangolin: Enterprise Edition (PostgreSQL)
• Newt: v1.10.3
• Setup: 4 targets for Proxmox VE (172.16.50.8:8006) across 4 sites, 1 site taken offline

Suggested Fix

When a Newt disconnect is detected:

1. Set all target health checks on that site to "unknown" or "unhealthy"
2. Handle the newt/disconnecting message type (currently throws exception)
3. Stop sending health check requests to disconnected sites
4. When Newt reconnects, resume health checks and let them naturally transition back to "healthy"

Originally created by @strausmann on GitHub (Mar 24, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2700 ## Description When a Newt agent disconnects (site goes offline), the health check status of all targets routed through that site remains "healthy" in the dashboard. Pangolin correctly detects the site as offline, but does not invalidate the cached health check results for targets on that site. This causes Pangolin to continue routing traffic to targets through a dead tunnel, resulting in timeouts for users. ## Steps to Reproduce 1. Configure a resource with multiple targets across different sites (e.g., 3 targets via Site A, 1 target via Site B) 2. Enable health checks on all targets 3. Verify all targets show "healthy" 4. Stop the Newt agent on Site A (e.g., `docker stop pangolin-newt`) 5. Observe: Site A shows "Offline" in the Sites dashboard 6. Observe: All targets via Site A **still show "healthy"** in the resource configuration ## Expected Behavior When a site goes offline, all targets routed through that site should immediately transition to "unhealthy" or "unknown" status. Pangolin should not route traffic to targets on offline sites. ## Actual Behavior - Site correctly shows "Offline" - Target health check status retains the last known value ("healthy") - Pangolin continues to route traffic through the dead tunnel - Users experience sporadic timeouts (requests randomly hit the dead route) ## Root Cause Analysis Based on log analysis: 1. Health checks run **through the Newt tunnel** (Pangolin → WebSocket → Newt → HTTP → target) 2. When Newt disconnects, no new health check results arrive 3. The last-known-good status stays in the database and is displayed as current 4. Additionally: `newt/disconnecting` message type throws an exception instead of triggering state cleanup: ``` Unsupported message type: newt/disconnecting ``` 5. Pangolin continues sending health check requests to the disconnected Newt (phantom checks) ## Environment - Pangolin: Enterprise Edition (PostgreSQL) - Newt: v1.10.3 - Setup: 4 targets for Proxmox VE (172.16.50.8:8006) across 4 sites, 1 site taken offline ## Suggested Fix When a Newt disconnect is detected: 1. Set all target health checks on that site to `"unknown"` or `"unhealthy"` 2. Handle the `newt/disconnecting` message type (currently throws exception) 3. Stop sending health check requests to disconnected sites 4. When Newt reconnects, resume health checks and let them naturally transition back to "healthy"

GiteaMirror closed this issue 2026-04-20 08:37:28 -05:00

GiteaMirror commented 2026-04-20 08:37:29 -05:00

Author

Owner

Copy Link

@strausmann commented on GitHub (Mar 24, 2026):

Code Analysis — Root Cause Identified

After analyzing the source code, the root cause is clear:

Health Check Flow

Health checks run on the Newt agent (remote), not on the Pangolin server. The Newt performs HTTP checks against the target and reports status back via WebSocket to server/routers/target/handleHealthcheckStatusMessage.ts, which updates targetHealthCheck.hcHealth in the database.

The Bug: Three disconnect paths, none invalidate HC status

When a Newt disconnects, three code paths handle the cleanup — but none of them reset target health check status:

Code Path	File	What it does	What it misses
Explicit disconnect	`server/routers/newt/handleNewtDisconnectingMessage.ts`	Sets `sites.online = false`	Does NOT touch `targetHealthCheck.hcHealth`
Offline checker (ping timeout)	`server/routers/newt/handleNewtPingMessage.ts` (L26-78)	Sets `sites.online = false`	Does NOT touch `targetHealthCheck.hcHealth`
WebSocket close	`server/routers/ws/ws.ts` (L376)	Removes client from tracking	Does NOT touch `targetHealthCheck.hcHealth`

Mitigation in Traefik Config (partial)

`server/lib/traefik/getTraefikConfig.ts` (L500) does filter out targets from offline sites when generating Traefik config — but only if at least one other site for that resource is online. This means:

• Multi-site resources: Traffic routing is partially protected (offline site targets excluded)
• Single-site resources: No protection — the stale "healthy" status causes routing to a dead tunnel

The Dashboard Problem

Even with the Traefik mitigation, the dashboard always shows the stale DB value. Users see green "healthy" badges for targets on an offline site, which is misleading.

Suggested Fix

In each of the three disconnect handlers, add a query to reset health check status:

```typescript
// After setting sites.online = false:
await db.update(targetHealthCheck)
.set({ hcHealth: "unknown" })
.where(
inArray(
targetHealthCheck.targetId,
db.select({ id: targets.targetId })
.from(targets)
.where(eq(targets.siteId, siteId))
)
);
```

This ensures targets transition to "unknown" immediately when their Newt disconnects, and naturally recover to "healthy" when the Newt reconnects and health checks resume.

<!-- gh-comment-id:4118875041 --> @strausmann commented on GitHub (Mar 24, 2026): ## Code Analysis — Root Cause Identified After analyzing the source code, the root cause is clear: ### Health Check Flow Health checks run on the **Newt agent** (remote), not on the Pangolin server. The Newt performs HTTP checks against the target and reports status back via WebSocket to `server/routers/target/handleHealthcheckStatusMessage.ts`, which updates `targetHealthCheck.hcHealth` in the database. ### The Bug: Three disconnect paths, none invalidate HC status When a Newt disconnects, three code paths handle the cleanup — but **none of them reset target health check status**: | Code Path | File | What it does | What it misses | |-----------|------|-------------|---------------| | Explicit disconnect | \`server/routers/newt/handleNewtDisconnectingMessage.ts\` | Sets \`sites.online = false\` | Does NOT touch \`targetHealthCheck.hcHealth\` | | Offline checker (ping timeout) | \`server/routers/newt/handleNewtPingMessage.ts\` (L26-78) | Sets \`sites.online = false\` | Does NOT touch \`targetHealthCheck.hcHealth\` | | WebSocket close | \`server/routers/ws/ws.ts\` (L376) | Removes client from tracking | Does NOT touch \`targetHealthCheck.hcHealth\` | ### Mitigation in Traefik Config (partial) \`server/lib/traefik/getTraefikConfig.ts\` (L500) does filter out targets from offline sites when generating Traefik config — **but only if at least one other site for that resource is online**. This means: - Multi-site resources: Traffic routing is partially protected (offline site targets excluded) - **Single-site resources: No protection** — the stale "healthy" status causes routing to a dead tunnel ### The Dashboard Problem Even with the Traefik mitigation, the dashboard always shows the stale DB value. Users see green "healthy" badges for targets on an offline site, which is misleading. ### Suggested Fix In each of the three disconnect handlers, add a query to reset health check status: \`\`\`typescript // After setting sites.online = false: await db.update(targetHealthCheck) .set({ hcHealth: "unknown" }) .where( inArray( targetHealthCheck.targetId, db.select({ id: targets.targetId }) .from(targets) .where(eq(targets.siteId, siteId)) ) ); \`\`\` This ensures targets transition to "unknown" immediately when their Newt disconnects, and naturally recover to "healthy" when the Newt reconnects and health checks resume.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

fix-3104

dev

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

crowdin_dev

rdp-ssh

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#4153