When I was conducting the experiment at ziti/ziti/cmd/demo/tutorials/first-service.md at release-next · openziti/ziti · GitHub, I encountered a problem. First, a service and a terminator were created on the server side, and then on the client side, I executed ziti demo ziti-echo-client --identity /home/ubuntu/founder-laptop.json trees are tall, but I got the error "The connection to the server echo was refused - did you specify the right host or port?"
The server steps are as follows:
0、ziti edge login
1、ziti edge create service echo
2、ziti demo plain-echo-server --port 62239 > /dev/null 2>&1 &
3、ziti demo plain-echo-client --port 62239 trees are tall //the result does not has any problem
4、ziti edge create terminator echo {{ controller_hostname }}-edge-router tcp:localhost:62239
The client steps are as follows:
0、ziti edge login
1、ziti edge create identity user founder-laptop -o founder-laptop.jwt --role-attributes management
2、ziti edge enroll -j founder-laptop.jwt -o founder-laptop.json
3、ziti edge create service-policy echo-clients Dial --service-roles '@echo' --identity-roles '#management'
4、ziti edge create edge-router-policy echo-clients --edge-router-roles '@{{ controller_hostname }}-edge-router' --identity-roles '#management'
5、ziti edge create service-edge-router-policy echo --edge-router-roles '#all' --service-roles '@echo'
6、ziti demo ziti-echo-client --identity founder-laptop.json trees are tall
When I got to the sixth step on the client side, I encountered the error "The connection to the server echo was refused - did you specify the right host or port?"
Hi @rootwang
I think you're confusing two different things. The server you are running is listening on the underlay network. To access it with your server example, on the client you would run:
ziti demo plain-echo-client --port 62239
As you have shown it, you're using the "application embedded" example. For that, you need to start the server differently and use the ziti-echo-server:
ziti demo ziti-echo-server --identity echo-server.json
plain --> ziti ... an easy thing to get wrong!
If you start the ziti-echo-server, it should work for you
Thank you for your reply. I ran "ziti demo first-service" and followed it step by step.
As you said, I started plain-echo-server on the server, and then started plain-echo-client on the client like
"ziti demo plain-echo-client --host ${server_public_ip} --port 62239 trees are tall", but got an i/o timeout.
Actually, I have successfully executed ziti demo ziti-echo-server using the bind way, but what I actually wanted to test is how to successfully connect from the client side using a terminator that I created myself.
Oh. My misunderstanding! I assume you're just trying to learn more? I don't create terminators manually, myself. I much prefer to use the "tunneling" features of a router instead and assign the router's identity the ability to bind the service (allowing the router/controller to create the terminator automatically). I haven't actually created a terminator manually in a long, long time. I'll try to go through the readme again and make sure the doc is accurate and follow-up.
Ok, after running through it a couple of times, I suspect you're just not setting the port variable properly after starting the server. The underlay listening port started by the server is changing every time you run it...
After starting the server with:
ziti demo plain-echo-server
in a separate window, whatever the port is you should use. Here's a full gif showing all the steps:
And if helpful, here's every single command I ran on that bottom screen:
port=
ziti edge list ers
edgeRouterName="
ziti edge create terminator echo ${edgeRouterName} tcp:localhost:${port}
ziti demo plain-echo-client --port ${port} trees are tall
ziti edge create identity user founder-laptop -o founder-laptop.jwt --role-attributes management
ziti edge list identities 'name="founder-laptop"'
ziti edge enroll -j founder-laptop.jwt -o founder-laptop.json
ziti demo ziti-echo-client --identity founder-laptop.json trees are tall
ziti edge policy-advisor identities -q founder-laptop echo
ziti edge create service-policy echo-clients Dial --service-roles '@echo' --identity-roles '#management'
ziti edge list service-policies 'name="echo-clients"'
ziti edge policy-advisor identities -q founder-laptop echo
ziti demo ziti-echo-client --identity founder-laptop.json trees are tall
Thank you for your thorough and patient replies. I don't think the issue is with the port variable being set properly, as I specified the port when running the command with "ziti demo plain-echo-client --port 62239".
I noticed that your server and client are running on the same machine. I was wondering if you could try running the server and client on two different machines.
Oh. Interesting. You're running the server and router on the same server, correct? I can set up a test where I run on two different machines, sure. I'll give it a try
Actually, I have set up three machines: the controller and edge router are running on one machine, while the client and server are running on the other two separate machines.
Oh, and you make the Terminator with this?
4、ziti edge create terminator echo {{ controller_hostname }}-edge-router tcp:localhost:62239
I'd think you need to change that localhost to whatever the machine name is that runs the service.
That command instructs the router where to offload data towards. So you probably want that to be
tcp: address-of-the-running-the-server:62239
That seems like it's probably the issue
I tried it, but it did not work. Here is the whole execution process. I'm wondering if you could take some time to help me figure out where the issue is. Thank you.
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge login ${controller_pub_ip}:8441 -u admin -p admin -y
Token: 6acd981a-56a2-46e6-8ccb-7213004d1c42
Saving identity 'default' to /home/ubuntu/.config/ziti/ziti-cli.json
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge list ers
╭────────────┬──────────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID │ NAME │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼──────────────────────────┼────────┼───────────────┼──────┼────────────┤
│ EzVALXXC.c │ ip-10-1-2-34-edge-router │ true │ true │ 0 │ public │
╰────────────┴──────────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-1 of 1
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge create service echo
New service echo created with id: F53Ou5YPAHp2uJZRA6qyu
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti demo plain-echo-server --port 62239 > /home/ubuntu/echo.log 2>&1 &
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge create terminator echo ip-10-1-2-34-edge-router tcp:localhost:62239
New terminator created with id: 3nlxPIlE4w5BRlIvnZMHBB
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge create identity user founder-laptop -o /home/ubuntu/founder-laptop.jwt --role-attributes management
Command "user" is deprecated, this command is deprecated, specifying identity type is no longer required
New identity founder-laptop created with id: tzwsVwB5j
Enrollment expires at 2024-05-24T08:05:19.343Z
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge enroll -j /home/ubuntu/founder-laptop.jwt -o /home/ubuntu/founder-laptop.json
INFO generating 4096 bit RSA key
INFO enrolled successfully. identity file written to: /home/ubuntu/founder-laptop.json
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge create service-policy echo-clients Dial --service-roles '@echo' --identity-roles '#management'
New service policy echo-clients created with id: UCBk7bWrhnDDMaIeSqzue
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge create edge-router-policy echo-clients --edge-router-roles '@ip-10-1-2-34-edge-router' --identity-roles '#management'
New edge router policy echo-clients created with id: urSukPDrcHuuGw9fW38YQ
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge create service-edge-router-policy echo --edge-router-roles '#all' --service-roles '@echo'
New service edge router policy echo created with id: 5NAPT70gJ9C1j1UVOO0KUp
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti demo ziti-echo-client --identity /home/ubuntu/founder-laptop.json trees are tall
The connection to the server echo was refused - did you specify the right host or port?
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge list terminators
╭────────────────────────┬─────────┬──────────────────────────┬────────────────┬─────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID │ SERVICE │ ROUTER │ BINDING │ ADDRESS │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼─────────┼──────────────────────────┼────────────────┼─────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ 3nlxPIlE4w5BRlIvnZMHBB │ echo │ ip-10-1-2-34-edge-router │ edge_transport │ tcp:localhost:62239 │ │ 0 │ default │ 20 │
╰────────────────────────┴─────────┴──────────────────────────┴────────────────┴─────────────────────┴──────────┴──────┴────────────┴──────────────╯
results: 1-1 of 1
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ lsof -i:62239
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ziti 1711 ubuntu 3u IPv4 23752 0t0 TCP localhost:62239 (LISTEN)
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge delete terminator 3nlxPIlE4w5BRlIvnZMHBB
delete of terminator with id 3nlxPIlE4w5BRlIvnZMHBB: OK
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge create terminator echo ip-10-1-2-34-edge-router tcp:10.3.1.188:62239
New terminator created with id: 4y5qQ9ZEYzJeygSF3WkR1A
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti demo ziti-echo-client --identity /home/ubuntu/founder-laptop.json hello world
[ 5.174] ERROR sdk-golang/ziti/edge/network.(*edgeConn).Connect: {sessionId=[0xc0004f9f20] marker=[eyMEhwRw] connId=[1]} timeout waiting for message reply: context deadline exceeded
Unable to connect to the server: unable to dial service 'echo': timeout waiting for message reply: context deadline exceeded
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge list services
╭───────────────────────┬──────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├───────────────────────┼──────┼────────────┼─────────────────────┼────────────┤
│ F53Ou5YPAHp2uJZRA6qyu │ echo │ true │ smartrouting │ │
╰───────────────────────┴──────┴────────────┴─────────────────────┴────────────╯
results: 1-1 of 1
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge list service-policy services echo-clients
╭───────────────────────┬──────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├───────────────────────┼──────┼────────────┼─────────────────────┼────────────┤
│ F53Ou5YPAHp2uJZRA6qyu │ echo │ true │ smartrouting │ │
╰───────────────────────┴──────┴────────────┴─────────────────────┴────────────╯
results: 1-1 of 1
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge list terminators
╭────────────────────────┬─────────┬──────────────────────────┬────────────────┬──────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID │ SERVICE │ ROUTER │ BINDING │ ADDRESS │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼─────────┼──────────────────────────┼────────────────┼──────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ 4y5qQ9ZEYzJeygSF3WkR1A │ echo │ ip-10-1-2-34-edge-router │ edge_transport │ tcp:10.3.1.188:62239 │ │ 0 │ default │ 55 │
╰────────────────────────┴─────────┴──────────────────────────┴────────────────┴──────────────────────┴──────────┴──────┴────────────┴──────────────╯
results: 1-1 of 1
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge delete terminator 4y5qQ9ZEYzJeygSF3WkR1A
delete of terminator with id 4y5qQ9ZEYzJeygSF3WkR1A: OK
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge create terminator echo ip-10-1-2-34-edge-router tcp:3.123.20.232:62239
New terminator created with id: 453HjQnISeXMLeERk3Hmta
ubuntu@ip-10-3-1-188:~$
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti demo ziti-echo-client --identity /home/ubuntu/founder-laptop.json hello world
[ 5.171] ERROR sdk-golang/ziti/edge/network.(*edgeConn).Connect: {marker=[zPNTBCcb] connId=[1] sessionId=[0xc0004f9f90]} timeout waiting for message reply: context deadline exceeded
Unable to connect to the server: unable to dial service 'echo': timeout waiting for message reply: context deadline exceeded
ubuntu@ip-10-3-1-188:~$ /home/ubuntu/ziti edge list terminators
╭────────────────────────┬─────────┬──────────────────────────┬────────────────┬────────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID │ SERVICE │ ROUTER │ BINDING │ ADDRESS │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼─────────┼──────────────────────────┼────────────────┼────────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ 453HjQnISeXMLeERk3Hmta │ echo │ ip-10-1-2-34-edge-router │ edge_transport │ tcp:3.123.20.232:62239 │ │ 0 │ default │ 0 │
╰────────────────────────┴─────────┴──────────────────────────┴────────────────┴────────────────────────┴──────────┴──────┴────────────┴──────────────╯
results: 1-1 of 1
I just successfully ran it on the machine where the controller and edge router are installed, but it still does not work on the client or server side. I do not understand what the difference between them is.
Ok. I'll give it a try in a couple hours and post back my findings
You can't use three machines...
I set up my whole environment and then started the server and remembered something else I'd forgotten and lost along the way. That server exclusively listens on 127.0.0.1. This means you MUST run the server on the same machine as the router, or you need to build the ziti executable with this line set to 0.0.0.0 (or whatever IP) for it to work
You can use two different computers, but you MUST run the server on the machine the router is on due to how the code is written.
Dunno how this worked...
I don't know how this command could have worked for you:
ziti demo plain-echo-client --port 62239 trees are tall //the result does not has any problem
On my machine, I get:
$ ziti demo plain-echo-client --port 62239 trees are tall //the result does not has any problem
[ 0.001] INFO ziti/ziti/cmd/helpers.StandardErrorMessage: Connection error: Get http://localhost:62239?input=trees+are+tall+%2F%2Fthe+result+does+not+has+any+problem: dial tcp 127.0.0.1:62239: connect: connection refused
The connection to the server localhost:62239 was refused - did you specify the right host or port?
MINIMAL steps to use TWO computers
Computer 1 -- Where the router is - run the server
port=62239
ziti demo plain-echo-server --port $port
Computer 2 -- some other machine -- configure then run the client
Clean everything up:
ziti edge delete service echo
ziti edge delete identities founder-laptop echo-server
ziti edge delete service-policies where true
ziti edge delete edge-router-policies where 'isSystem = false'
ziti edge delete service-edge-router-policies where true
Run/Configure things
port=62239
edgeRouterName="ip-172-31-47-200-edge-router"
ziti edge create service echo
ziti edge create identity user founder-laptop -o founder-laptop.jwt --role-attributes management
ziti edge enroll -j founder-laptop.jwt -o founder-laptop.json
ziti edge create terminator echo ${edgeRouterName} tcp:localhost:${port}
ziti edge create service-policy echo-clients Dial --service-roles '@echo' --identity-roles '#management'
ziti edge create edge-router-policy echo-clients --edge-router-roles "@${edgeRouterName}" --identity-roles '#management'
ziti edge create service-edge-router-policy echo --edge-router-roles '#all' --service-roles '@echo'
ziti demo ziti-echo-client --identity founder-laptop.json trees are tall
Hope this clears everything up!
ADDENDUM - EDIT:
You could always spin up a python server somewhere (or whatever) and use that; you just can't use the example server.
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
notice it listens on 0.0.0.0 not 127.0.0.1
Please excuse me for getting back to you so late. I think you are right, and I ran this command on the server too, and it worked. These two commands ran on the same machine.
ziti demo plain-echo-server --port 62239 > /dev/null 2>&1 &
ziti demo plain-echo-client --port 62239 trees are tall
I think you're all set now, right? I am assuming you're moving on, but if you're still stuck somehow lemme know. Cheers
Yes, I have already figured it out as you suggested. It indeed took me a long, long time, but finally I understood the relationship between service, terminator, and server. Thank you for your patient and good help again.
Sorry to bother you again, I still encountered the same problem in the second way, with a little difference from yours.
Computer 1 -- Run the edge router and controller
Computer 2 -- Run the server
Computer 3 -- configure then run the client
First, I modified the code that you mentioned and built it with go build.
The code is
bindAddr := fmt.Sprintf("127.0.0.1:%v", s.Port)
s.listener, err = net.Listen("tcp", bindAddr)
changed to
bindAddr := fmt.Sprintf("0.0.0.0:%v", s.Port)
s.listener, err = net.Listen("tcp4", bindAddr)
then run the server
port=62239
ziti demo plain-echo-server --port $port
log is
plain-http-echo-server: listening on 0.0.0.0:62239
and then run the client
....
....
ubuntu@ip-10-2-1-27:~$ ./ziti demo ziti-echo-client --identity /home/ubuntu/founder-laptop.json trees are tall
The connection to the server echo was refused - did you specify the right host or port?
The other commands are the same as yours, so I didn't include them.
You kept all the commands identical to what I posted? For example, you ran this exact command?
ziti edge create terminator echo ${edgeRouterName} tcp:localhost:${port}
IF that's the case, the localhost is the issue... You should:
- make sure the router can access the server you started - it won't be localhost:${port}, it'll be something else.
- Assuming the router can use curl or wget to access the server, then update the create terminator command and use the correct IP/Hostname and port
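The reachability check suggested in the reply above, as an added Go example (not part of the original thread and not OpenZiti code): run on the router's machine, it dials a terminator address of the tcp:host:port form used in this thread and reports whether that machine sees it as reachable, refused or timed out. CheckTerminator and Result are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"syscall"
	"time"
)

// Result describes what this machine sees when it dials a terminator address.
type Result struct {
	HostPort string // host:port extracted from the terminator address
	Loopback bool   // true when the address only works if the server runs on this machine
	Status   string // "reachable", "refused", "timeout" or "error"
}

// CheckTerminator parses an address of the form used in this thread
// (tcp:host:port) and dials it from the machine the program runs on.
func CheckTerminator(addr string, timeout time.Duration) (Result, error) {
	if !strings.HasPrefix(addr, "tcp:") {
		return Result{}, fmt.Errorf("expected tcp:host:port, got %q", addr)
	}
	rest := strings.TrimPrefix(addr, "tcp:")
	host, _, err := net.SplitHostPort(rest)
	if err != nil {
		return Result{}, fmt.Errorf("bad host:port in %q: %w", addr, err)
	}
	ip := net.ParseIP(host)
	res := Result{HostPort: rest, Loopback: host == "localhost" || (ip != nil && ip.IsLoopback())}
	conn, err := net.DialTimeout("tcp", rest, timeout)
	var nerr net.Error
	switch {
	case err == nil:
		conn.Close()
		res.Status = "reachable"
	case errors.Is(err, syscall.ECONNREFUSED): // nothing listens on that address
		res.Status = "refused"
	case errors.As(err, &nerr) && nerr.Timeout(): // filtered or unroutable
		res.Status = "timeout"
	default:
		res.Status = "error"
	}
	return res, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checkterm tcp:host:port")
		os.Exit(2)
	}
	res, err := CheckTerminator(os.Args[1], 3*time.Second)
	fmt.Printf("%+v err=%v\n", res, err)
}
```

A "refused" result with Loopback set matches the situation in this thread where the server was started on a different machine than the router.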
I changed "localhost:${port}" to "${server_pub_ip}:${port}", and it worked. Thank you.
I've listed the differences between bind and creating a terminator manually:
bind:
1. create an identity to bind the service
2. ziti edge create service-policy echo-bind Bind ...
create terminator manually:
1. no need to create an identity
2. ziti edge create terminator
3. for example: ziti edge create edge-router-policy ssh-clients --edge-router-roles "@#{edge-router-name}" --identity-roles '#clients'
4. the edge router needs to access the server
I remember you mentioned that the bind way is more commonly used, but I found creating terminators manually more convenient for management. I would like to ask: in your opinion, what are the differences in their usage scenarios?