Enrollment of Demo Service identity fails

I downloaded the ziti-edge-tunnel from Release v0.22.12 · openziti/ziti-tunnel-sdk-c · GitHub

and ran the lines below to add the downloaded identity and enroll it during the Demo Service walkthrough provided at

(zitipy) nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti-sdk-py/sample/cloud/DemoTutorial$ sudo ziti-edge-tunnel add --jwt "$(< ./Demo-Identity.jwt)" --identity demoIdentity
[sudo] password for nyck33: 
received response <{"Success":true,"Code":0}

so that looks okay but the next step of enrolling the identity

(zitipy) nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti-sdk-py/sample/cloud/DemoTutorial$ ./ziti-edge-tunnel enroll --jwt - --identity ./demoIdentity.json < ./Demo-Identity.jwt
(37478)[        0.000]    INFO ziti-sdk:utils.c:199 ziti_log_set_level() set log level: root=3/INFO
(37478)[        0.000]    INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 0.35.4 @9756522(HEAD) starting at (2023-10-27T10:33:33.934)
(37478)[        0.000]    INFO ziti-sdk:utils.c:199 ziti_log_set_level() set log level: root=3/INFO
(37478)[        0.000]    INFO ziti-sdk:utils.c:170 ziti_log_init() Ziti C SDK version 0.35.4 @9756522(HEAD) starting at (2023-10-27T10:33:33.934)
(37478)[        0.000]    INFO ziti-sdk:ziti_enroll.c:92 ziti_enroll() Ziti C SDK version 0.35.4 @9756522(HEAD) starting enrollment at (2023-10-27T10:33:33.934)
(37478)[        1.874]   ERROR ziti-sdk:ziti_enroll.c:236 enroll_cb() failed to enroll with controller: https://ef92055e-781c-4fbe-8557-633a7a7b2ba4.production.netfoundry.io:443 INVALID_ENROLLMENT_TOKEN (The supplied token is not valid)
(37478)[        1.874]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2140 enroll_cb() enrollment failed: INVALID_ENROLLMENT_TOKEN(-3)
(zitipy) nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti-sdk-py/sample/cloud/DemoTutorial$ ls
Demo-Identity.jwt  ziti-edge-tunnel

How can I get this working? The GUI Edge on Ubuntu, even if I click "Add Identity" and select the identity downloaded from https://nfconsole.io, it never gets running either.

The link on this page is dead as well: https://support.netfoundry.io/hc/en-us/articles/8703369547405-Enrolling-MFA-from-Ziti-Edge-Tunnel-for-Linux

where it says To install and enroll ZET in Linux click here

Related to this, I downloaded the VirtualBox .ova and ran it, logged in as the default username and password, changed the password then it says 'Please register before you try the help command' when I try to type in nhelp. Then I look here: https://support.netfoundry.io/hc/en-us/articles/360016129312

/opt/netfoundry/router-registration {key}

I am unsure what the key is here so I clicked on the link "How to Register the Edge Router VM" but I can't access it: https://support.netfoundry.io/hc/en-us/articles/360034337892 It says, " You're not authorized to access this page".

How do I need to login or sign up to get access to that page (I'd like to read it if it solves the problems above I'm facing)?

How do I reference the jwt downloaded from NetFoundry cloud in that command to register the VM --jwt?

Hi @nyck33

Thank you for finding those dead links...they're always an issue! :sweat_smile:

Can you please give a bit more detail on what it is you're working on? This thread goes from ziti-edge-tunnel to SDK, then asking about ERs, which are all very large topics individually.

This link is now fixed.

Fixed this one is as well & it now points to the correct article here.

The VM image we produce as part of the NetFoundry(CloudZiti) is intended to be used as an Edge-Router & the interface is asking you to register it as such with the command: router-registration {key}.

This key is not a JWT, but a 10 digit key created in the nfconsole as part of the creation of an Edge-Router, you can read more about creating & managing Edge-Routers here.

1 Like


Thank you immensely for your detailed guidance. I now comprehend the full procedure: Initializing an Edge Router in the cloud, downloading its corresponding key, and subsequently entering it into the terminal to register the VM-based Edge Router.

If I understand correctly, once all policies are aptly configured, the Ziti network will dynamically determine the optimal route for data transfer. For instance, it may choose a pathway from my local Flask server to a local Edge Router and then onto the NetFoundry Cloud Edge Router. Alternatively, it may establish a direct link from my local Flask server to the NetFoundry Cloud Edge Router, depending on which route is deemed most efficient.

Is my understanding accurate?

Hi @nyck33

Yes, our default method is called smartrouting & it's based on static & dynamic cost factors.

Here's a brief description of how it works: https://support.netfoundry.io/hc/en-us/articles/4410429194125-NetFoundry-Smart-Routing

With some details:

1 Like