Error in ziti-edge-tunnel

I am trying to get an endpoint enrolled on my ziti network. Here are the steps taken -

1.Installed ziti-edge-tunnel from OpenZiti’s RPM repo
2. Confirmed that systemd-resolved is working
3. Enrolled the endpoint ( got success )
4. Started ziti-edge-tunnel service

Aug 31 23:24:53 ip-10-10-10-10.us-west-2.compute.internal ziti-edge-tunnel[3447]: [      627.424]   ERROR ziti-sdk:channel.c:875 on_channel_connect_internal() ch[0] failed to connect [-3008/unknown node or service]

Also see following error -

Aug 31 23:34:53 ip-10-10-10-10.us-west-2.compute.internal ziti-edge-tunnel[3447]: [      732.424]   WARN ziti-sdk:connect.c:344 connect_timeout() conn[0.0/Connecting] connect timeout: no suitable edge router

Identities

~ > ziti edge list identities                                                                                                                                          
╭───────────┬──────────────────────────────────┬────────┬────────────╮
│ ID        │ NAME                             │ TYPE   │ ATTRIBUTES │
├───────────┼──────────────────────────────────┼────────┼────────────┤
│ AAAAAAAA  │ er1                              │ Router │ all-routers│
│ BBBBBBBB  │ ep1                              │ Device │ all-eps    │
│ CCCCCCCC  │ ep2                              │ Device │ all-eps    │
╰───────────┴──────────────────────────────────┴────────┴────────────╯

Routers

~ > ziti edge list edge-routers                                                                                                                                        
╭───────────┬──────┬────────┬───────────────┬──────┬────────────╮
│ ID        │ NAME │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├───────────┼──────┼────────┼───────────────┼──────┼────────────┤
│ AAAAAAAA  │ er1  │ true   │ true          │    0 │ all-routers│
╰───────────┴──────┴────────┴───────────────┴──────┴────────────╯

edge-router-policies

~ > ziti edge list edge-router-policies                                                                                                                                
╭────────────────────────┬──────────────────────────────┬───────────────────┬────────────────╮
│ ID                     │ NAME                         │ EDGE ROUTER ROLES │ IDENTITY ROLES │
├────────────────────────┼──────────────────────────────┼───────────────────┼────────────────┤
│ xxxxxxxxxxxxxxxxxxxxxx │ erp-default-allow            │ #all-routers      │ #all-eps       │
│ AAAAAAAAA              │ edge-router-AAAAAAAA-system  │ @er1              │ @er1           │
╰────────────────────────┴──────────────────────────────┴───────────────────┴────────────────╯

Went through troubleshooting steps and made sure there is no PKI setup issue. ( er.cert is the edge-router identity cert and identity.ca obtained from tunneler host enrollment )

 > verifyCertAgainstPool ./er.cert ./identity.ca                                                                                                
    Verifying that this certificate:
        - ./er.cert
    is valid for this ca pool:
        - ./identity.ca

./er.cert: OK

============      SUCCESS!      ============

What am I missing?

TIA.

This seems to me that the endpoint is allowed to connect to an edge router (via policies, the endpoint is allowed to connect to a given router) but the edge router has an advertised address configured that isn’t resolvable/addressable by the endpoint.

I am pretty sure that’s the issue. So verify the address advertised in listeners.options for the edge router

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:8442
    options:
      advertise: ext_router_fqdn:8442 <-- is this address reachable by the endpoint?

Take a bow @TheLumberjack

Everything else checked out NACL, SG, R53 record except there was a typo in the advertised url ( . instead of - )
I see both endpoints are online now.

Thank you!

image1688×1689 125 KB

Nice!

Now on to the final frontier of service policies!