Error accessing service

Hi, I have 3 edge routers set up, each with a test service (HTTP). All of them are deployed via docker compose. I can access 2 of the services fine via the Ziti Edge Client on Mac without issue. But for the 3rd I see the error “unable to get service token either by JWT parsing or id lookup” in the packet tunnel logs.

How do I diagnose / fix this issue?

“unable to get service token either by JWT parsing or id lookup”

This is an error message we don’t currently expect to see, but we’ve been receiving internal reports of it when environments are moved to 1.7.x (or later) for the first time while leaving edge clients (e.g., tunnelers, desktop clients) running. In 1.7.x, service tokens were changed from UUIDs to JWTs.

In that scenario, if a client is left running and the controller(s) update fast enough that the client doesn’t think it needs to re-authenticate and then attempts to resume using a cached set of local service tokens, we see that error.

So, to resolve this, you can try one or both of the following:

  1. Restart the client having problems to trigger re-authentication

  2. Stop each controller in your environment in turn and run ziti controller delete-sessions <ctrl_config_file> or ziti controller delete-sessions-from-db <db file>

It is obvious what #1 is doing. #2 clears legacy API Sessions for clients that are still using them.

There is still a possibility that #2 alone won’t fix it; this occurs when newer API Sessions are in use. In which case, #1 is the only remedy.

I don’t work with the Mac client, so I don’t know the steps to restart it to trigger authentication.

Hi, this is odd then - my macOS tunneller is v2.52 (551) while my controller is 1.7 - and this is all so new I don’t think I’d have anything old running. However, restarting the client did fix it! Thank you.