Edge Router "Offline/Unverified" and "Unexpected Error" on Desktop Edge

Hi everyone,

I am new to OpenZiti and currently setting up a PoC environment on Ubuntu. I can access the Ziti Admin Console (ZAC) via the web interface, but I am struggling with the following issues:

  1. Edge Router Status: My edge router (ana-router) shows as "Offline" and "Unverified" in the ZAC. I have created the router in the UI, but the status never turns green.

  2. Desktop Edge Error: When I try to enroll an identity using a JWT on the Ziti Desktop Edge (Windows), I get an "Unexpected Error! Read operation timed out".

  3. Connectivity: When checking the service logs, I see: request[/version] failed: -4039(connection timed out) and failed to fetch CA bundle CONTROLLER_UNAVAILABLE.

  4. Network Setup:

    • Controller IP: 192.168.5.20

    • I can access ZAC, but ping ziti-controller from my Windows machine returns a timeout.

    • I am not using a VPN currently to avoid IP conflicts.

My Questions:

  • How can I manually trigger the enrollment for the Edge Router on the Ubuntu host to move it from "Unverified" to "Online"?

  • Is the "Unexpected Error" on the Desktop app strictly related to the ping timeout, or could it be a TLS/SAN mismatch issue?

  • Should I be looking at the listeners section in the router config for binding: tunnel as mentioned in some other threads?

Environment:

  • OS: Ubuntu (Controller/Router) & Windows 10 (Desktop Edge)

  • Ziti C SDK Version: 1.10.4

Any help would be greatly appreciated. Thanks!

Hi @cyberpolat, welcome to the community and to OpenZiti!

How'd you set up the controller and router? Did you use Docker? A quickstart? The Linux package?

Did you look at all the logs from the router?

The ziti CLI comes with a command called ziti ops verify traffic. It's a great tool to use to make sure you have your overlay set up properly. It'll actually try to pass traffic through your overlay. Can you run that and let's see what you end up with? Here's what a successful run would look like:

ziti ops verify traffic
WARNING no prefix and mode [] is not 'both'. default prefix of 2026-01-11-1740 will be used
INFO    generating P-384 EC key
INFO    generating P-384 EC key
INFO    waiting 10s for terminator for service: 2026-01-11-1740.traffic
INFO    successfully bound service: 2026-01-11-1740.traffic.

INFO    Server is listening for a connection and will exit when one is received.
INFO    found terminator for service: 2026-01-11-1740.traffic
INFO    found service named: 2026-01-11-1740.traffic
INFO    Server has accepted a connection and will exit soon.
INFO    successfully dialed service: 2026-01-11-1740.traffic.
INFO    traffic test successfully detected
INFO    client complete
INFO    Server complete. exiting

My expectation is that you have somehow set up the router away from the controller and the router cannot connect to the controller. I'm gonna guess that it's due to the 'advertised' addresses from the controller.

See if that helps?

Docker Compose on an Ubuntu host. I know that, but I am not sure about the quickstart thing. I am using Ubuntu Server. I looked at all the logs from the Ziti Desktop app, and I played with some YAML configuration (I added some screenshots if it helps).

- The command you mentioned, "ziti ops verify traffic", doesn't work for me. I ran it in the Ubuntu CLI and it says command not found. I asked Gemini and it gave me some similar commands. I think here are the results: "sudo docker logs ziti-router" and "sudo docker exec -it ziti-controller ziti ops verify traffic". These are the commands I used.

- Another question: my Ziti Desktop client should be on another PC with a different IP, right? Or does it make any difference?

Yeni WinRAR ZIP arşivi.zip (251.7 KB) (I added the screenshots in a zip file; I can't add more than one screenshot, an error came up)

I figured out how to make it online and verified. The issue was that my Ubuntu machine didn’t have access to the JWT file, so I created the same file manually on Ubuntu and gave it the correct permissions. After that, the problem was solved. However, now I’m having issues with identities, and I can’t connect through the Edge desktop client.

2- I added the logs as a TXT file, and you can review them. I also included some screenshots. My router is currently online and verified. I’m thinking the issue might be related to my YAML file—it may be working only on the local network. I tried the same thing on my phone using the QR code, but I received the same error: “Ziti controller is not available.”

ziti logs.txt (16.7 KB)

Looking at your logs, you have not set the advertised addresses properly. You can see this in the logs:

ctrl[https://ziti-controller:1280] request[/version] failed:

From your desktop edge for windows, it will need to be able to access this controller on its advertised address and it'll need to access routers via their addresses as well.

This is a step that is fundamental to the original docker compose up command. You will want to down -v your setup and 'up' with the appropriate advertised addresses.

Have a look at this thread. I think it's what you need now: Authentication Error (UNAUTHORIZED) when enrolling Identity (QuickStart Docker Compose) - #2 by TheLumberjack

I solved the problem by adding my Ubuntu server’s IP address to the Windows hosts file. Then I fixed a network-related issue and deleted the old JWT files stored on my PC. After that, I was able to connect to the server.

The old JWT files were located at:
C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry

There was also an entry related to the hosts file, where I added the Ubuntu server’s IP address.

I think this problem is solved. Thank you for answering my questions.

Now I'm trying to add some services for the identities :slight_smile:

That's a fine workaround as long as you're just doing PoC type stuff. Your phone obviously won't work with that setup but as long as you understand that, it's fine. I do this sort of thing myself. It's easy to forget you've added it to the hosts file though, beware. :slight_smile:
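
An added example, not part of the thread or of OpenZiti: it reads the controller address out of an enrollment JWT and checks, from the client machine, whether that name resolves and accepts TCP connections, which separates the name-resolution problem seen in this thread from a firewall or routing problem. It assumes the token's `iss` claim carries the controller's advertised URL; the sample token and all function names are constructed for illustration.

```python
import base64
import json
import socket
from urllib.parse import urlsplit


def jwt_controller(token: str) -> tuple[str, int]:
    """Return (host, port) from the 'iss' claim of an enrollment JWT.

    Decode only: the signature is NOT verified, so treat the result as a
    diagnostic hint, never as a trust decision.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    url = urlsplit(claims["iss"])  # assumption: iss = advertised controller URL
    return url.hostname, url.port or 443


def check_endpoint(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify how this machine sees host:port."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"  # name does not resolve here (no DNS or hosts entry)
    family, socktype, proto, _, sockaddr = addrs[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except socket.timeout:
            return "timeout"  # resolves, but packets are dropped or misrouted
        except OSError:
            return "connect-failed"  # resolves, but nothing accepts on that port
    return "reachable"


def _b64(obj: dict) -> str:
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
    return raw.rstrip(b"=").decode()


# Constructed sample token (unsigned); only the 'iss' value mirrors the thread's logs.
SAMPLE_JWT = ".".join(
    [_b64({"alg": "none"}), _b64({"iss": "https://ziti-controller:1280"}), "sig"]
)

if __name__ == "__main__":
    host, port = jwt_controller(SAMPLE_JWT)
    print(f"{host}:{port} -> {check_endpoint(host, port)}")
```

Run it on the machine that performs the enrollment: a `dns-failure` result points at the advertised name, while `timeout` or `connect-failed` points at the network path or the listener.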