You had it. It was a conflict with wireguard.
I disabled that, and it gave me the VPN prompt.
Now on to the service 
One other question, is there a way to have ziti act as an exit node to route all internet traffic through it?
1 Like
Geat, now ZME is running on Android and the big button is glowing green, but the Ziti Identity you added doesn't show any services available yet.
You want to use the Ziti console to add a Ziti Service for the Identity to use in an Android app, like a mobile web browser, and you want to "host" that Ziti Service in your Kubernetes cluster.
I didn't find a step-by-step guides about creating a Ziti Service with the Ziti console, but I found that the Kubernetes Service quickstart is a close match to what you're looking for, only it demonstrates creating the Ziti Service with the ziti CLI instead of the console.
So you're looking for a quick guide to intercept "service.domain.com" and have it exit from an identity toward "IP: 1.2.3.4", right? @jeremy.tellier can you blast out a quick post here that outlines how to do that?
Yes. I have traefik as my ingress, and it runs on a local-only IP address.
It listens for whatever hostname is requested and then routes everything accordingly.
So, if I request service1.domain.com or service2.domain.com, it will listen for that hostname and send it to the correct endpoint.
1 Like
Your other question is about using Ziti as an exit node on the hosting side and about using Ziti to capture all traffic on the client side, not just traffic that matches an authorized Ziti Service's address.
There's not a switch to flip that will do all of those things at once, but there's also nothing in Ziti that stops you from defining a Ziti Service for a huge number of IP addresses, i.e. entire subnets, and then hosting that Ziti Service behind the IP address of your choice.
I haven't done this myself, but I'm testing what @dariuszSki suggested in this post, which is to intercept all public IP ranges.
Very cool!
I will have a read
Generally, I always use the tunnel configs like this.
But I bet there is a better way to do it with Host and Intercept configs which I am sure someone will correct me with. That said, it is always easy for me to test like that, then if I have deeper, more complicated requirements, look into the other configs.
Then, don't forget to bind them to a "Service" and create the appropriate policies for access.
Even Easier.... Just use the + on the upper left, and make a simple service which does it all for you.
Ziti Services can be proxied on the client side with an intercept.v1 config, and reverse-proxied on the server side with a host.v1 config. Here's a doc about configs in general, with links to examples of both of these tunnelling config types: Service Configurations | OpenZiti
1 Like
Thank you all for the input!
Unfortunately, it does not seem to be happy.
I tried the simple service, but nothing resolved.
I also tried giving it the service's cluster IP address as well (just to test), but that did not work either.
If you can authorize an identity on another device it may be easier to diagnose issues with the initial setup. The client tunneller's log should give us a clue.
If the issue isn't local to Android then it'll start working their too once it's solved in Ziti.
What kind of server is it you're proxying, a web server? If so, then you could give your laptop permission to use that service too by assigning the same attribute you used to give permission to the Android handset.
Then, use cURL or the like to probe the intercept address with the tunneller running. The log location depends on which OS. I can help guide you if you share that info.
Will you share a sketch of your simple service? For example, service "myservice" allows #clients to consume the service by dialing myservice.private:4321 and #servers to provide the service by forwarding clients' requests to 127.1.2.3:4321.
I was writing an update, and I noticed a typographical error in the console.
I was going to open a pull request to fix it, but that made me realise that I was running an older release.
I upgraded that via helm, so everything below is up to date.
To remove as many moving pieces as possible, I just spun an nginx deployment up:
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --type=ClusterIP --port 80
kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx ClusterIP 10.43.185.163 <none> 80/TCP 2s
In the "simple service" dialog, under Where is this hosted?, I selected the edge router.
For Send Traffic To?, I put the clusterip, 10.43.185.163.
For Who has access to this service?, I added my device.
For How to access?, I left it at nginx.ziti.
I had a look at the android logs and I saw this:
11-18 08:55:48.205 4247 4460 I o.o.n.d.ZitiDNSManager: assigned nginx.ziti => nginx.ziti/100.64.1.3 []
11-18 08:55:48.205 4247 4460 I o.o.n.d.ZitiDNSManager: registered: nginx.ziti => nginx.ziti/100.64.1.3
11-18 08:55:48.205 4247 4464 I o.o.n.d.ZitiDNSManager: removed entry=nginx.ziti/100.64.1.2
11-18 08:55:48.205 4247 4464 I o.o.n.d.ZitiDNSManager: registered: nginx.ziti => nginx.ziti/100.64.1.3
11-18 08:55:48.205 4247 4460 D o.o.i.ZitiContextImpl: [crJtg0XPf] got 1 services on t[DefaultDispatcher-worker-8]
11-18 08:55:48.205 4247 8126 D o.o.i.ZitiContextImpl: delaying service refresh for 60000ms
11-18 08:55:48.206 4247 4464 D o.o.i.ZitiContextImpl: [KIqzV0PXf] got 1 services on t[DefaultDispatcher-worker-3]
11-18 08:55:48.206 4247 4464 D o.o.i.ZitiContextImpl: delaying service refresh for 60000ms
11-18 08:55:48.934 4247 4306 W routing : not handling [IPv6 Header (40 bytes)]
11-18 08:55:48.934 4247 4306 W routing : Version: 6 (IPv6)
11-18 08:55:48.934 4247 4306 W routing : Traffic Class: 0x00
11-18 08:55:48.934 4247 4306 W routing : Flow Label: 0x00000
11-18 08:55:48.934 4247 4306 W routing : Payload length: 8 [bytes]
11-18 08:55:48.934 4247 4306 W routing : Next Header: 58 (ICMPv6)
11-18 08:55:48.934 4247 4306 W routing : Hop Limit: 255
11-18 08:55:48.934 4247 4306 W routing : Source address: /fe80::f8b6:d70e:83bb:cf20
11-18 08:55:48.934 4247 4306 W routing : Destination address: /ff02::2
11-18 08:55:48.934 4247 4306 W routing : at this time
11-18 08:55:48.937 4247 4306 V ziti-dns: ignoring received [ICMPv4 Common Header (4 bytes)]
11-18 08:55:48.937 4247 4306 V ziti-dns: Type: 3 (Destination Unreachable)
11-18 08:55:48.937 4247 4306 V ziti-dns: Code: 3 (Port Unreachable)
11-18 08:55:48.937 4247 4306 V ziti-dns: Checksum: 0xc5d2
11-18 08:55:51.618 4247 4247 W WindowOnBackDispatcher: sendCancelIfRunning: isInProgress=falsecallback=android.view.ViewRootImpl$$ExternalSyntheticLambda17@fcc8164
11-18 08:55:55.954 4247 4306 W routing : not handling [IPv6 Header (40 bytes)]
11-18 08:55:55.954 4247 4306 W routing : Version: 6 (IPv6)
11-18 08:55:55.954 4247 4306 W routing : Traffic Class: 0x00
11-18 08:55:55.954 4247 4306 W routing : Flow Label: 0x00000
11-18 08:55:55.954 4247 4306 W routing : Payload length: 8 [bytes]
11-18 08:55:55.954 4247 4306 W routing : Next Header: 58 (ICMPv6)
11-18 08:55:55.954 4247 4306 W routing : Hop Limit: 255
11-18 08:55:55.954 4247 4306 W routing : Source address: /fe80::f8b6:d70e:83bb:cf20
11-18 08:55:55.954 4247 4306 W routing : Destination address: /ff02::2
11-18 08:55:55.954 4247 4306 W routing : at this time
11-18 08:56:06.724 4247 4247 W WindowOnBackDispatcher: OnBackInvokedCallback is not enabled for the application.
11-18 08:56:06.724 4247 4247 W WindowOnBackDispatcher: Set 'android:enableOnBackInvokedCallback="true"' in the application manifest.
11-18 08:56:13.004 4247 8064 D routing : 0 active connections
11-18 08:56:13.105 4247 4306 W routing : not handling [IPv6 Header (40 bytes)]
11-18 08:56:13.105 4247 4306 W routing : Version: 6 (IPv6)
11-18 08:56:13.105 4247 4306 W routing : Traffic Class: 0x00
11-18 08:56:13.105 4247 4306 W routing : Flow Label: 0x00000
11-18 08:56:13.105 4247 4306 W routing : Payload length: 8 [bytes]
11-18 08:56:13.105 4247 4306 W routing : Next Header: 58 (ICMPv6)
11-18 08:56:13.105 4247 4306 W routing : Hop Limit: 255
11-18 08:56:13.105 4247 4306 W routing : Source address: /fe80::f8b6:d70e:83bb:cf20
11-18 08:56:13.105 4247 4306 W routing : Destination address: /ff02::2
11-18 08:56:13.105 4247 4306 W routing : at this time
Using the older version of the console, the android logs looked like this:
ziti-dns: closing attempted TCP connection: 53 (Domain Name Server)
ziti-dns: Type: 3 (Destination Unreachable)
ziti-dns: Code: 3 (Port Unreachable)
ziti-dns: Checksum: 0xc5ce
Thank you for digging up these details.
I assume you sent the reverse proxy traffic to 80/tcp on the cluster IP.
I do see the Android tunneller registering the available nginx.ziti intercept. Were you able to GET the default NGinx index with that setup, or was there still a problem with the end-to-end after upgrading Ziti console, and completing the Simple Service form?
One nuance to be aware of is that the edge router name you selected for hosting the Ziti Service in the Simple Service form is in fact a Ziti Identity that is created automatically when a "tunneller-enabled edge-router" is created. Such Ziti Identities are a child type Router when listing Identities. It can be assigned Identity roles like any other, but is automatically created and deleted along with its parent Router.
Sure thing!
I did, indeed.
I still cannot access nginx.ziti even after upgrading the console and recreating everything.
I did make sure to delete everything that the simple service created and re-created it.
For selecting the edge router, is that the correct procedure, or is that something to leave blank?
Not blank because something needs to host the Ziti Service. That Identity selected for hosting must be configured in a tunneller acting as a reverse proxy. The Router chart is set this way by default, and the Router type identity it creates automatically is a fine choice for hosting the Ziti Service. I believe that's what you did.
I'll ask for help analyzing the logs from ZME on Android.
Meanwhile, you can check the logs from the router and controller at the moment you try to connect to the Ziti Service in Android. I expect to see a definitive error message in one or both because the Ziti Service is clearly authorized for that client Identity you added to Android.
I deleted the controller and router pods just to get a clear start.
I also deleted the service bits in the console, and recreated them.
I tailed the controller and router logs as I tried to access nginx.ziti, but nothing was logged.
Here is a full log from the android tunnel:
11-19 17:26:32.324 12490 12490 D CompatibilityChangeReporter: Compat change id reported: 247079863; UID 10208; state: DISABLED
11-19 17:26:32.392 12490 12490 D nativeloader: InitApexLibraries:
11-19 17:26:32.392 12490 12490 D nativeloader: com_android_art: libnativehelper.so
11-19 17:26:32.392 12490 12490 D nativeloader: com_android_i18n: libicui18n.so:libicuuc.so:libicu.so
11-19 17:26:32.392 12490 12490 D nativeloader: com_android_neuralnetworks: libneuralnetworks.so
11-19 17:26:32.392 12490 12490 D nativeloader: InitDefaultPublicLibraries for_preload=0: libandroid.so:libaaudio.so:libamidi.so:libbinder_ndk.so:libc.so:libcamera2ndk.so:libclang_rt.hwasan-aarch64-android.so:libdl.so:libEGL.so:libGLESv1_CM.so:libGLESv2.so:libGLESv3.so:libjnigraphics.so:liblog.so:libmediandk.so:libm.so:libnativewindow.so:libOpenMAXAL.so:libOpenSLES.so:libRS.so:libstdc++.so:libsync.so:libvulkan.so:libwebviewchromium_plat_support.so:libz.so
11-19 17:26:32.392 12490 12490 D nativeloader: Configuring clns-1 for other apk /data/app/~~U972sVVNdAWIAg8xxOAdgA==/org.openziti.mobile-wB_vY6rRjsBdRhSViLr2FQ==/base.apk. target_sdk_version=33, uses_libraries=, library_path=/data/app/~~U972sVVNdAWIAg8xxOAdgA==/org.openziti.mobile-wB_vY6rRjsBdRhSViLr2FQ==/lib/arm64:/data/app/~~U972sVVNdAWIAg8xxOAdgA==/org.openziti.mobile-wB_vY6rRjsBdRhSViLr2FQ==/base.apk!/lib/arm64-v8a, permitted_path=/data:/mnt/expand:/data/user/0/org.openziti.mobile
11-19 17:26:32.393 12490 12490 D nativeloader: InitExtendedPublicLibraries: libedgetpu_dba.google.so
11-19 17:26:32.394 12490 12490 D nativeloader: InitVendorPublicLibraries: libOpenCL.so:libOpenCL-pixel.so:libedgetpu_client.google.so:libedgetpu_util.so:lib_aion_buffer.so:libmetrics_logger.so
11-19 17:26:32.394 12490 12490 D nativeloader: InitProductPublicLibraries:
11-19 17:26:32.409 12490 12490 V GraphicsEnvironment: Currently set values for:
11-19 17:26:32.409 12490 12490 V GraphicsEnvironment: angle_gl_driver_selection_pkgs=[]
11-19 17:26:32.409 12490 12490 V GraphicsEnvironment: angle_gl_driver_selection_values=[]
11-19 17:26:32.410 12490 12490 V GraphicsEnvironment: ANGLE GameManagerService for org.openziti.mobile: false
11-19 17:26:32.410 12490 12490 V GraphicsEnvironment: org.openziti.mobile is not listed in per-application setting
11-19 17:26:32.410 12490 12490 V GraphicsEnvironment: Neither updatable production driver nor prerelease driver is supported.
11-19 17:26:32.445 12490 12490 I o.o.i.ZitiImpl: ZitiSDK version 0.25.1 @344b49b()
11-19 17:26:32.505 12490 12524 D o.o.i.ZitiContextImpl: KIqzV0PXf[null]@https://ziti-controller.domain.com:8441 transitioned to Loading
11-19 17:26:32.508 12490 12531 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/version session=null t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:32.519 12490 12523 D o.o.i.ZitiContextImpl: crJtg0XPf[null]@https://ziti-controller.domain.com:8441 transitioned to Loading
11-19 17:26:32.519 12490 12534 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/version session=null t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:32.529 12490 12538 I DMABUFHEAPS: Using DMA-BUF heap named: vframe-secure
11-19 17:26:32.532 12490 12490 D AppCompatDelegate: Checking for metadata for AppLocalesMetadataHolderService : Service not found
11-19 17:26:32.559 12490 12490 D CompatibilityChangeReporter: Compat change id reported: 210923482; UID 10208; state: ENABLED
11-19 17:26:32.585 12490 12490 D CompatibilityChangeReporter: Compat change id reported: 171228096; UID 10208; state: ENABLED
11-19 17:26:32.612 12490 12490 W WindowOnBackDispatcher: OnBackInvokedCallback is not enabled for the application.
11-19 17:26:32.612 12490 12490 W WindowOnBackDispatcher: Set 'android:enableOnBackInvokedCallback="true"' in the application manifest.
11-19 17:26:32.624 12490 12490 D CompatibilityChangeReporter: Compat change id reported: 237531167; UID 10208; state: DISABLED
11-19 17:26:32.625 12490 12490 W libc : Access denied finding property "ro.debuggable"
11-19 17:26:32.664 12490 12538 E cutils-trace: Error opening trace file: No such file or directory (2)
11-19 17:26:32.697 12490 12490 I ZitiVPNService: onCreate()
11-19 17:26:32.702 12490 12558 D routing : 0 active connections
11-19 17:26:32.702 12490 12559 I ZitiVPNService: command monitor started
11-19 17:26:32.702 12490 12559 I ZitiVPNService: received cmd[stop]
11-19 17:26:32.702 12490 12559 I ZitiVPNService: tunnel stop success
11-19 17:26:32.704 12490 12557 I ZitiVPNService: network available: 121, caps:[ Transports: WIFI Capabilities: NOT_METERED&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN&VALIDATED&NOT_ROAMING&FOREGROUND&NOT_CONGESTED&NOT_SUSPENDED&NOT_VCN_MANAGED LinkUpBandwidth>=271906Kbps LinkDnBandwidth>=80809Kbps TransportInfo: <SSID: <unknown ssid>, BSSID: 02:00:00:00:00:00, MAC: 02:00:00:00:00:00, IP: /192.168.1.175, Security type: 2, Supplicant state: COMPLETED, Wi-Fi standard: 5, RSSI: -52, Link speed: 702Mbps, Tx Link speed: 702Mbps, Max Supported Tx Link speed: 866Mbps, Rx Link speed: 650Mbps, Max Supported Rx Link speed: 866Mbps, Frequency: 5180MHz, Net ID: -1, Metered hint: false, score: 60, isUsable: true, CarrierMerged: false, SubscriptionId: -1, IsPrimary: -1, Trusted: true, Restricted: false, Ephemeral: false, OEM paid: false, OEM private: false, OSU AP: false, FQDN: <none>, Provider friendly name: <none>, Requesting package name: <none><none>MLO Information: , Is TID-To-Link negotiation supported by the AP: false, AP MLD Address: <none>, AP MLO Link Id: <none>, AP MLO Affiliated links: <none>> SignalStrength: -52 UnderlyingNetworks: Null]
11-19 17:26:37.683 12490 12534 D TrafficStats: tagSocket(55) with statsTag=0xffffffff, statsUid=-1
11-19 17:26:37.684 12490 12531 D TrafficStats: tagSocket(58) with statsTag=0xffffffff, statsUid=-1
11-19 17:26:37.924 12490 12563 D ProfileInstaller: Installing profile for org.openziti.mobile
11-19 17:26:38.114 12490 12524 I o.o.a.Controller: controller[https://ziti-controller.domain.com:8441/] version(v0.30.4/b9bf4d955c39)
11-19 17:26:38.114 12490 12526 I o.o.a.Controller: controller[https://ziti-controller.domain.com:8441/] version(v0.30.4/b9bf4d955c39)
11-19 17:26:38.166 12490 12531 D o.o.a.Controller: POST https://ziti-controller.domain.com:8441/edge/client/v1/authenticate?method=cert session=null t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:38.167 12490 12534 D o.o.a.Controller: POST https://ziti-controller.domain.com:8441/edge/client/v1/authenticate?method=cert session=null t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:38.296 12490 12524 D o.o.i.ZitiContextImpl: device1[KIqzV0PXf]@https://ziti-controller.domain.com:8441 transitioned to Active
11-19 17:26:38.297 12490 12523 D o.o.i.ZitiContextImpl: waiting for refresh 1789 seconds
11-19 17:26:38.297 12490 12570 D o.o.i.ZitiContextImpl: [crJtg0XPf] slept and restarting on t[DefaultDispatcher-worker-12]
11-19 17:26:38.297 12490 12527 D o.o.i.ZitiContextImpl: [KIqzV0PXf] slept and restarting on t[DefaultDispatcher-worker-6]
11-19 17:26:38.297 12490 12524 D o.o.i.ZitiContextImpl: waiting for refresh 1790 seconds
11-19 17:26:38.297 12490 12528 D o.o.i.ZitiContextImpl: device2[crJtg0XPf]@https://ziti-controller.domain.com:8441 transitioned to Active
11-19 17:26:38.298 12490 12534 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/current-identity/edge-routers session=clp63xdy3006l0d6cxhkihref t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:38.298 12490 12531 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/current-api-session/service-updates session=clp63xdy5006m0d6clu79lcul t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:38.299 12490 12577 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/current-identity/edge-routers session=clp63xdy5006m0d6clu79lcul t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:38.299 12490 12578 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/current-api-session/service-updates session=clp63xdy3006l0d6cxhkihref t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:38.301 12490 12578 D TrafficStats: tagSocket(115) with statsTag=0xffffffff, statsUid=-1
11-19 17:26:38.301 12490 12577 D TrafficStats: tagSocket(120) with statsTag=0xffffffff, statsUid=-1
11-19 17:26:38.315 12490 12570 D o.o.i.ZitiContextImpl: current edge routers = []
11-19 17:26:38.323 12490 12531 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/services?offset=0&limit=25 session=clp63xdy5006m0d6clu79lcul t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:38.338 12490 12525 I o.o.n.d.ZitiDNSManager: assigned nginx.ziti => nginx.ziti/100.64.1.2 []
11-19 17:26:38.338 12490 12525 I o.o.n.d.ZitiDNSManager: registered: nginx.ziti => nginx.ziti/100.64.1.2
11-19 17:26:38.339 12490 12525 D o.o.i.ZitiContextImpl: [KIqzV0PXf] got 1 services on t[DefaultDispatcher-worker-3]
11-19 17:26:38.374 12490 12525 D o.o.i.ZitiContextImpl: current edge routers = [EdgeRouter(name=edge-router, hostname=, supportedProtocols={tls=tls://ziti-router.domain.com:8443}, urls=null)]
11-19 17:26:38.375 12490 12525 D o.o.i.ZitiContextImpl: delaying service refresh for 60000ms
11-19 17:26:38.377 12490 12578 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/services?offset=0&limit=25 session=clp63xdy3006l0d6cxhkihref t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:26:38.382 12490 12527 I o.o.n.d.ZitiDNSManager: registered: nginx.ziti => nginx.ziti/100.64.1.2
11-19 17:26:38.382 12490 12527 D o.o.i.ZitiContextImpl: [crJtg0XPf] got 1 services on t[DefaultDispatcher-worker-6]
11-19 17:26:38.382 12490 12527 D o.o.i.ZitiContextImpl: delaying service refresh for 60000ms
11-19 17:26:44.801 12490 12527 D o.o.i.ZitiContextImpl: device1[KIqzV0PXf]@https://ziti-controller.domain.com:8441 transitioned to Disabled
11-19 17:26:47.528 12490 12490 I ZitiVPNService: onStartCommand Intent { act=start cmp=org.openziti.mobile/.ZitiVPNService }, 1
11-19 17:26:47.528 12490 12490 I ZitiVPNService: monitor=StandaloneCoroutine{Active}@f494780
11-19 17:26:47.529 12490 12559 I ZitiVPNService: received cmd[start]
11-19 17:26:47.529 12490 12559 I ZitiVPNService: startTunnel()
11-19 17:26:47.531 12490 12559 I ZitiRouteManager: route CIDRBlock(ip=/fd00:7a69:7469::2, bits=128) added
11-19 17:26:47.531 12490 12559 D ZitiVPNService: adding route CIDRBlock(ip=/fd00:7a69:7469::2, bits=128)
11-19 17:26:47.531 12490 12490 I ZitiVPNService: restarting tunnel due to Intent { act=route_change }
11-19 17:26:47.531 12490 12559 D ZitiVPNService: excluding org.openziti.mobile
11-19 17:26:47.532 12490 12559 D CompatibilityChangeReporter: Compat change id reported: 160794467; UID 10208; state: ENABLED
11-19 17:26:47.533 12490 12559 I ZitiVPNService: creating tunnel interface
11-19 17:26:47.556 12490 12559 I ZitiVPNService: starting tunnel for fd=java.io.FileDescriptor@ced69fe
11-19 17:26:47.558 12490 12559 I ZitiVPNService: tunnel start success
11-19 17:26:47.558 12490 12580 I Tunnel : starting reader
11-19 17:26:47.558 12490 12559 I ZitiVPNService: received cmd[restart]
11-19 17:26:47.558 12490 12559 I ZitiVPNService: restarting tunnel
11-19 17:26:47.558 12490 12559 I Tunnel : closing
11-19 17:26:47.558 12490 12581 I Tunnel : running tunnel reader [Thread[tunnel-reader,5,main]]
11-19 17:26:47.559 12490 12580 I Tunnel : running tunnel writer [Thread[tunnel-dispatch,5,main]]
11-19 17:26:47.559 12490 12581 E Tunnel : unexpected!
11-19 17:26:47.559 12490 12581 E Tunnel : java.io.IOException: Bad file descriptor
11-19 17:26:47.559 12490 12581 E Tunnel : at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
11-19 17:26:47.559 12490 12581 E Tunnel : at sun.nio.ch.FileDispatcherImpl.read(FileDispatcherImpl.java:53)
11-19 17:26:47.559 12490 12581 E Tunnel : at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
11-19 17:26:47.559 12490 12581 E Tunnel : at sun.nio.ch.IOUtil.read(IOUtil.java:192)
11-19 17:26:47.559 12490 12581 E Tunnel : at sun.nio.ch.FileChannelImpl.read(FileChannelImpl.java:197)
11-19 17:26:47.559 12490 12581 E Tunnel : at org.openziti.mobile.Tunnel.readerRun(Tunnel.kt:65)
11-19 17:26:47.559 12490 12581 E Tunnel : at org.openziti.mobile.Tunnel$reader$1$invokeSuspend$$inlined$Runnable$1.run(Runnable.kt:19)
11-19 17:26:47.559 12490 12581 E Tunnel : at java.lang.Thread.run(Thread.java:1012)
11-19 17:26:47.560 12490 12581 E Tunnel : closing with exception
11-19 17:26:47.560 12490 12581 E Tunnel : java.io.IOException: Bad file descriptor
11-19 17:26:47.560 12490 12581 E Tunnel : at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
11-19 17:26:47.560 12490 12581 E Tunnel : at sun.nio.ch.FileDispatcherImpl.read(FileDispatcherImpl.java:53)
11-19 17:26:47.560 12490 12581 E Tunnel : at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
11-19 17:26:47.560 12490 12581 E Tunnel : at sun.nio.ch.IOUtil.read(IOUtil.java:192)
11-19 17:26:47.560 12490 12581 E Tunnel : at sun.nio.ch.FileChannelImpl.read(FileChannelImpl.java:197)
11-19 17:26:47.560 12490 12581 E Tunnel : at org.openziti.mobile.Tunnel.readerRun(Tunnel.kt:65)
11-19 17:26:47.560 12490 12581 E Tunnel : at org.openziti.mobile.Tunnel$reader$1$invokeSuspend$$inlined$Runnable$1.run(Runnable.kt:19)
11-19 17:26:47.560 12490 12581 E Tunnel : at java.lang.Thread.run(Thread.java:1012)
11-19 17:26:47.619 12490 12559 I ZitiVPNService: startTunnel()
11-19 17:26:47.619 12490 12580 I Tunnel : reader was cancelled
11-19 17:26:47.619 12490 12559 I ZitiRouteManager: route CIDRBlock(ip=/fd00:7a69:7469::2, bits=128) added
11-19 17:26:47.619 12490 12559 D ZitiVPNService: adding route CIDRBlock(ip=/fd00:7a69:7469::2, bits=128)
11-19 17:26:47.619 12490 12559 D ZitiVPNService: excluding org.openziti.mobile
11-19 17:26:47.619 12490 12490 I ZitiVPNService: restarting tunnel due to Intent { act=route_change }
11-19 17:26:47.620 12490 12559 I ZitiVPNService: creating tunnel interface
11-19 17:26:47.620 12490 12580 I Tunnel : reader() finished StandaloneCoroutine was cancelled
11-19 17:26:47.620 12490 12580 I Tunnel : writer() finished StandaloneCoroutine was cancelled
11-19 17:26:47.637 12490 12559 I ZitiVPNService: starting tunnel for fd=java.io.FileDescriptor@aca487b
11-19 17:26:47.637 12490 12580 I Tunnel : starting reader
11-19 17:26:47.638 12490 12559 I ZitiVPNService: tunnel restart success
11-19 17:26:47.638 12490 12580 I Tunnel : running tunnel writer [Thread[tunnel-dispatch,5,main]]
11-19 17:26:47.638 12490 12584 I Tunnel : running tunnel reader [Thread[tunnel-reader,5,main]]
11-19 17:26:47.653 12490 12557 I ZitiVPNService: network available: 129, caps:[ Transports: WIFI|VPN Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_ROAMING&FOREGROUND&NOT_CONGESTED&NOT_SUSPENDED&NOT_VCN_MANAGED LinkUpBandwidth>=271906Kbps LinkDnBandwidth>=80809Kbps TransportInfo: <VpnTransportInfo{type=1, sessionId=null, bypassable=false longLivedTcpConnectionsExpensive=false}> OwnerUid: 10208 UnderlyingNetworks: Null]
11-19 17:26:47.657 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:26:47.657 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:26:47.657 12490 12580 W routing : Traffic Class: 0x00
11-19 17:26:47.657 12490 12580 W routing : Flow Label: 0x00000
11-19 17:26:47.657 12490 12580 W routing : Payload length: 36 [bytes]
11-19 17:26:47.657 12490 12580 W routing : Next Header: 0 (IPv6 Hop-by-Hop Option)
11-19 17:26:47.657 12490 12580 W routing : Hop Limit: 1
11-19 17:26:47.657 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:26:47.657 12490 12580 W routing : Destination address: /ff02::16
11-19 17:26:47.657 12490 12580 W routing : at this time
11-19 17:26:47.657 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:26:47.657 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:26:47.657 12490 12580 W routing : Traffic Class: 0x00
11-19 17:26:47.657 12490 12580 W routing : Flow Label: 0x00000
11-19 17:26:47.657 12490 12580 W routing : Payload length: 8 [bytes]
11-19 17:26:47.657 12490 12580 W routing : Next Header: 58 (ICMPv6)
11-19 17:26:47.657 12490 12580 W routing : Hop Limit: 255
11-19 17:26:47.657 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:26:47.657 12490 12580 W routing : Destination address: /ff02::2
11-19 17:26:47.657 12490 12580 W routing : at this time
11-19 17:26:47.658 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:26:47.658 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:26:47.658 12490 12580 W routing : Traffic Class: 0x00
11-19 17:26:47.658 12490 12580 W routing : Flow Label: 0x00000
11-19 17:26:47.658 12490 12580 W routing : Payload length: 56 [bytes]
11-19 17:26:47.658 12490 12580 W routing : Next Header: 0 (IPv6 Hop-by-Hop Option)
11-19 17:26:47.658 12490 12580 W routing : Hop Limit: 1
11-19 17:26:47.658 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:26:47.658 12490 12580 W routing : Destination address: /ff02::16
11-19 17:26:47.658 12490 12580 W routing : at this time
11-19 17:26:47.717 12490 12557 I ZitiVPNService: network: 129 is lost
11-19 17:26:47.754 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:26:47.754 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:26:47.754 12490 12580 W routing : Traffic Class: 0x00
11-19 17:26:47.754 12490 12580 W routing : Flow Label: 0x00000
11-19 17:26:47.754 12490 12580 W routing : Payload length: 56 [bytes]
11-19 17:26:47.754 12490 12580 W routing : Next Header: 0 (IPv6 Hop-by-Hop Option)
11-19 17:26:47.754 12490 12580 W routing : Hop Limit: 1
11-19 17:26:47.754 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:26:47.754 12490 12580 W routing : Destination address: /ff02::16
11-19 17:26:47.754 12490 12580 W routing : at this time
11-19 17:26:47.978 12490 12557 I ZitiVPNService: network available: 121, caps:[ Transports: WIFI Capabilities: NOT_METERED&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN&VALIDATED&NOT_ROAMING&FOREGROUND&NOT_CONGESTED&NOT_SUSPENDED&NOT_VCN_MANAGED LinkUpBandwidth>=271906Kbps LinkDnBandwidth>=80809Kbps TransportInfo: <SSID: <unknown ssid>, BSSID: 02:00:00:00:00:00, MAC: 02:00:00:00:00:00, IP: /192.168.1.175, Security type: 2, Supplicant state: COMPLETED, Wi-Fi standard: 5, RSSI: -52, Link speed: 702Mbps, Tx Link speed: 702Mbps, Max Supported Tx Link speed: 866Mbps, Rx Link speed: 650Mbps, Max Supported Rx Link speed: 866Mbps, Frequency: 5180MHz, Net ID: -1, Metered hint: false, score: 60, isUsable: true, CarrierMerged: false, SubscriptionId: -1, IsPrimary: -1, Trusted: true, Restricted: false, Ephemeral: false, OEM paid: false, OEM private: false, OSU AP: false, FQDN: <none>, Provider friendly name: <none>, Requesting package name: <none><none>MLO Information: , Is TID-To-Link negotiation supported by the AP: false, AP MLD Address: <none>, AP MLO Link Id: <none>, AP MLO Affiliated links: <none>> SignalStrength: -52 UnderlyingNetworks: Null]
11-19 17:26:48.053 12490 12557 I ZitiVPNService: network available: 130, caps:[ Transports: WIFI|VPN Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_ROAMING&FOREGROUND&NOT_CONGESTED&NOT_SUSPENDED&NOT_VCN_MANAGED LinkUpBandwidth>=271906Kbps LinkDnBandwidth>=80809Kbps TransportInfo: <VpnTransportInfo{type=1, sessionId=null, bypassable=false longLivedTcpConnectionsExpensive=false}> OwnerUid: 10208 UnderlyingNetworks: Null]
And the rest:
11-19 17:26:48.579 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:26:48.579 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:26:48.579 12490 12580 W routing : Traffic Class: 0x00
11-19 17:26:48.579 12490 12580 W routing : Flow Label: 0x00000
11-19 17:26:48.579 12490 12580 W routing : Payload length: 56 [bytes]
11-19 17:26:48.579 12490 12580 W routing : Next Header: 0 (IPv6 Hop-by-Hop Option)
11-19 17:26:48.579 12490 12580 W routing : Hop Limit: 1
11-19 17:26:48.579 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:26:48.579 12490 12580 W routing : Destination address: /ff02::16
11-19 17:26:48.579 12490 12580 W routing : at this time
11-19 17:26:51.748 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:26:51.748 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:26:51.748 12490 12580 W routing : Traffic Class: 0x00
11-19 17:26:51.748 12490 12580 W routing : Flow Label: 0x00000
11-19 17:26:51.748 12490 12580 W routing : Payload length: 8 [bytes]
11-19 17:26:51.748 12490 12580 W routing : Next Header: 58 (ICMPv6)
11-19 17:26:51.748 12490 12580 W routing : Hop Limit: 255
11-19 17:26:51.748 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:26:51.748 12490 12580 W routing : Destination address: /ff02::2
11-19 17:26:51.748 12490 12580 W routing : at this time
11-19 17:26:59.944 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:26:59.944 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:26:59.944 12490 12580 W routing : Traffic Class: 0x00
11-19 17:26:59.944 12490 12580 W routing : Flow Label: 0x00000
11-19 17:26:59.944 12490 12580 W routing : Payload length: 8 [bytes]
11-19 17:26:59.944 12490 12580 W routing : Next Header: 58 (ICMPv6)
11-19 17:26:59.944 12490 12580 W routing : Hop Limit: 255
11-19 17:26:59.944 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:26:59.944 12490 12580 W routing : Destination address: /ff02::2
11-19 17:26:59.944 12490 12580 W routing : at this time
11-19 17:27:02.702 12490 12558 D routing : 0 active connections
11-19 17:27:16.478 12490 12580 V routing : got msg[(/100.64.0.0:40010, /100.64.1.2:443)]: 60 bytes
11-19 17:27:16.480 12490 12580 E tcp:/100.64.0.0:40010 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:27:16.481 12490 12580 I routing : created tcp:/100.64.0.0:40010 -> /100.64.1.2:443
11-19 17:27:16.482 12490 12527 D tcp-conn: tcp:/100.64.0.0:40010 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:27:16.482 12490 12527 D tcp:/100.64.0.0:40010 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:27:16.494 12490 12580 V routing : got msg[(/100.64.0.0:40010, /100.64.1.2:443)]: 60 bytes
11-19 17:27:16.494 12490 12580 I routing : removing tcp:/100.64.0.0:40010 -> nginx.ziti/100.64.1.2:443
11-19 17:27:16.730 12490 12580 V routing : got msg[(/100.64.0.0:40016, /100.64.1.2:443)]: 60 bytes
11-19 17:27:16.731 12490 12580 E tcp:/100.64.0.0:40016 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:27:16.731 12490 12580 I routing : created tcp:/100.64.0.0:40016 -> /100.64.1.2:443
11-19 17:27:16.731 12490 12527 D tcp-conn: tcp:/100.64.0.0:40016 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:27:16.731 12490 12527 D tcp:/100.64.0.0:40016 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:27:16.742 12490 12580 V routing : got msg[(/100.64.0.0:40016, /100.64.1.2:443)]: 60 bytes
11-19 17:27:16.742 12490 12580 I routing : removing tcp:/100.64.0.0:40016 -> nginx.ziti/100.64.1.2:443
11-19 17:27:16.835 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:27:16.835 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:27:16.835 12490 12580 W routing : Traffic Class: 0x00
11-19 17:27:16.835 12490 12580 W routing : Flow Label: 0x00000
11-19 17:27:16.835 12490 12580 W routing : Payload length: 8 [bytes]
11-19 17:27:16.835 12490 12580 W routing : Next Header: 58 (ICMPv6)
11-19 17:27:16.835 12490 12580 W routing : Hop Limit: 255
11-19 17:27:16.835 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:27:16.835 12490 12580 W routing : Destination address: /ff02::2
11-19 17:27:16.835 12490 12580 W routing : at this time
11-19 17:27:18.500 12490 12580 V routing : got msg[(/100.64.0.0:40010, /100.64.1.2:443)]: 60 bytes
11-19 17:27:18.502 12490 12580 E tcp:/100.64.0.0:40010 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:27:18.502 12490 12580 I routing : created tcp:/100.64.0.0:40010 -> /100.64.1.2:443
11-19 17:27:18.503 12490 12527 D tcp-conn: tcp:/100.64.0.0:40010 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:27:18.503 12490 12527 D tcp:/100.64.0.0:40010 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:27:18.755 12490 12580 V routing : got msg[(/100.64.0.0:40016, /100.64.1.2:443)]: 60 bytes
11-19 17:27:18.757 12490 12580 E tcp:/100.64.0.0:40016 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:27:18.757 12490 12580 I routing : created tcp:/100.64.0.0:40016 -> /100.64.1.2:443
11-19 17:27:18.757 12490 12527 D tcp-conn: tcp:/100.64.0.0:40016 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:27:18.757 12490 12527 D tcp:/100.64.0.0:40016 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:27:22.725 12490 12580 V routing : got msg[(/100.64.0.0:40010, /100.64.1.2:443)]: 60 bytes
11-19 17:27:22.725 12490 12580 I routing : removing tcp:/100.64.0.0:40010 -> nginx.ziti/100.64.1.2:443
11-19 17:27:22.981 12490 12580 V routing : got msg[(/100.64.0.0:40016, /100.64.1.2:443)]: 60 bytes
11-19 17:27:22.982 12490 12580 I routing : removing tcp:/100.64.0.0:40016 -> nginx.ziti/100.64.1.2:443
11-19 17:27:30.917 12490 12580 V routing : got msg[(/100.64.0.0:40010, /100.64.1.2:443)]: 60 bytes
11-19 17:27:30.922 12490 12580 E tcp:/100.64.0.0:40010 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:27:30.922 12490 12580 I routing : created tcp:/100.64.0.0:40010 -> /100.64.1.2:443
11-19 17:27:30.924 12490 12527 D tcp-conn: tcp:/100.64.0.0:40010 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:27:30.924 12490 12527 D tcp:/100.64.0.0:40010 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:27:31.172 12490 12580 V routing : got msg[(/100.64.0.0:40016, /100.64.1.2:443)]: 60 bytes
11-19 17:27:31.174 12490 12580 E tcp:/100.64.0.0:40016 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:27:31.174 12490 12580 I routing : created tcp:/100.64.0.0:40016 -> /100.64.1.2:443
11-19 17:27:31.174 12490 12527 D tcp-conn: tcp:/100.64.0.0:40016 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:27:31.175 12490 12527 D tcp:/100.64.0.0:40016 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:27:32.704 12490 12558 D routing : 2 active connections
11-19 17:27:32.704 12490 12558 V routing : (/100.64.0.0:40010, /100.64.1.2:443)/Closed
11-19 17:27:32.705 12490 12558 V routing : (/100.64.0.0:40016, /100.64.1.2:443)/Closed
11-19 17:27:38.378 12490 12525 D o.o.i.ZitiContextImpl: [KIqzV0PXf] slept and restarting on t[DefaultDispatcher-worker-3]
11-19 17:27:38.379 12490 12800 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/current-identity/edge-routers session=clp63xdy5006m0d6clu79lcul t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:27:38.379 12490 12799 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/current-api-session/service-updates session=clp63xdy5006m0d6clu79lcul t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:27:38.383 12490 12525 D o.o.i.ZitiContextImpl: [crJtg0XPf] slept and restarting on t[DefaultDispatcher-worker-3]
11-19 17:27:38.384 12490 12801 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/current-identity/edge-routers session=clp63xdy3006l0d6cxhkihref t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:27:38.384 12490 12802 D o.o.a.Controller: GET https://ziti-controller.domain.com:8441/edge/client/v1/current-api-session/service-updates session=clp63xdy3006l0d6cxhkihref t[OkHttp https://ziti-controller.domain.com:8441/...]
11-19 17:27:38.386 12490 12801 D TrafficStats: tagSocket(55) with statsTag=0xffffffff, statsUid=-1
11-19 17:27:38.386 12490 12799 D TrafficStats: tagSocket(81) with statsTag=0xffffffff, statsUid=-1
11-19 17:27:38.386 12490 12800 D TrafficStats: tagSocket(82) with statsTag=0xffffffff, statsUid=-1
11-19 17:27:38.386 12490 12802 D TrafficStats: tagSocket(58) with statsTag=0xffffffff, statsUid=-1
11-19 17:27:38.514 12490 12525 D o.o.i.ZitiContextImpl: current edge routers = [EdgeRouter(name=edge-router, hostname=, supportedProtocols={tls=tls://ziti-router.domain.com:8443}, urls=null)]
11-19 17:27:38.518 12490 12525 D o.o.i.ZitiContextImpl: delaying service refresh for 60000ms
11-19 17:27:38.519 12490 12525 D o.o.i.ZitiContextImpl: current edge routers = []
11-19 17:27:38.519 12490 12525 D o.o.i.ZitiContextImpl: delaying service refresh for 60000ms
11-19 17:27:47.044 12490 12580 V routing : got msg[(/100.64.0.0:40010, /100.64.1.2:443)]: 60 bytes
11-19 17:27:47.047 12490 12580 E tcp:/100.64.0.0:40010 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:27:47.048 12490 12580 I routing : created tcp:/100.64.0.0:40010 -> /100.64.1.2:443
11-19 17:27:47.048 12490 12529 D tcp-conn: tcp:/100.64.0.0:40010 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:27:47.049 12490 12529 D tcp:/100.64.0.0:40010 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:27:47.299 12490 12580 V routing : got msg[(/100.64.0.0:40016, /100.64.1.2:443)]: 60 bytes
11-19 17:27:47.300 12490 12580 E tcp:/100.64.0.0:40016 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:27:47.301 12490 12580 I routing : created tcp:/100.64.0.0:40016 -> /100.64.1.2:443
11-19 17:27:47.301 12490 12529 D tcp-conn: tcp:/100.64.0.0:40016 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:27:47.301 12490 12529 D tcp:/100.64.0.0:40016 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:27:51.652 12490 12580 W routing : not handling [IPv6 Header (40 bytes)]
11-19 17:27:51.652 12490 12580 W routing : Version: 6 (IPv6)
11-19 17:27:51.652 12490 12580 W routing : Traffic Class: 0x00
11-19 17:27:51.652 12490 12580 W routing : Flow Label: 0x00000
11-19 17:27:51.652 12490 12580 W routing : Payload length: 8 [bytes]
11-19 17:27:51.652 12490 12580 W routing : Next Header: 58 (ICMPv6)
11-19 17:27:51.652 12490 12580 W routing : Hop Limit: 255
11-19 17:27:51.652 12490 12580 W routing : Source address: /fe80::bedb:e4e2:e1a0:6431
11-19 17:27:51.652 12490 12580 W routing : Destination address: /ff02::2
11-19 17:27:51.652 12490 12580 W routing : at this time
11-19 17:28:02.704 12490 12558 D routing : 2 active connections
11-19 17:28:02.704 12490 12558 V routing : (/100.64.0.0:40010, /100.64.1.2:443)/Closed
11-19 17:28:02.704 12490 12558 V routing : (/100.64.0.0:40016, /100.64.1.2:443)/Closed
11-19 17:28:04.224 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:04.224 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:04.224 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:04.224 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:04.224 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:04.224 12490 12580 W routing : Identification: 59190
11-19 17:28:04.224 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:04.224 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:04.224 12490 12580 W routing : TTL: 64
11-19 17:28:04.224 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:04.224 12490 12580 W routing : Header checksum: 0x89f0
11-19 17:28:04.224 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:04.224 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:05.221 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:05.221 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:05.221 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:05.221 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:05.221 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:05.221 12490 12580 W routing : Identification: 59412
11-19 17:28:05.221 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:05.221 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:05.221 12490 12580 W routing : TTL: 64
11-19 17:28:05.221 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:05.221 12490 12580 W routing : Header checksum: 0x8912
11-19 17:28:05.221 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:05.221 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:06.245 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:06.245 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:06.245 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:06.245 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:06.245 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:06.245 12490 12580 W routing : Identification: 59548
11-19 17:28:06.245 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:06.245 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:06.245 12490 12580 W routing : TTL: 64
11-19 17:28:06.245 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:06.245 12490 12580 W routing : Header checksum: 0x888a
11-19 17:28:06.245 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:06.245 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:07.267 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:07.267 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:07.267 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:07.267 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:07.267 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:07.267 12490 12580 W routing : Identification: 59757
11-19 17:28:07.267 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:07.267 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:07.267 12490 12580 W routing : TTL: 64
11-19 17:28:07.267 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:07.267 12490 12580 W routing : Header checksum: 0x87b9
11-19 17:28:07.267 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:07.267 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:08.291 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:08.291 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:08.291 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:08.291 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:08.291 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:08.291 12490 12580 W routing : Identification: 59917
11-19 17:28:08.291 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:08.291 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:08.291 12490 12580 W routing : TTL: 64
11-19 17:28:08.291 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:08.291 12490 12580 W routing : Header checksum: 0x8719
11-19 17:28:08.291 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:08.291 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:09.315 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:09.315 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:09.315 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:09.315 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:09.315 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:09.315 12490 12580 W routing : Identification: 59934
11-19 17:28:09.315 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:09.315 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:09.315 12490 12580 W routing : TTL: 64
11-19 17:28:09.315 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:09.315 12490 12580 W routing : Header checksum: 0x8708
11-19 17:28:09.315 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:09.315 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:10.338 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:10.338 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:10.338 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:10.338 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:10.338 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:10.338 12490 12580 W routing : Identification: 60124
11-19 17:28:10.338 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:10.338 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:10.338 12490 12580 W routing : TTL: 64
11-19 17:28:10.338 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:10.338 12490 12580 W routing : Header checksum: 0x864a
11-19 17:28:10.338 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:10.338 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:11.363 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:11.363 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:11.363 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:11.363 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:11.363 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:11.363 12490 12580 W routing : Identification: 60356
11-19 17:28:11.363 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:11.363 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:11.363 12490 12580 W routing : TTL: 64
11-19 17:28:11.363 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:11.363 12490 12580 W routing : Header checksum: 0x8562
11-19 17:28:11.363 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:11.363 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:12.387 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:12.387 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:12.387 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:12.387 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:12.387 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:12.387 12490 12580 W routing : Identification: 60547
11-19 17:28:12.387 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:12.387 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:12.387 12490 12580 W routing : TTL: 64
11-19 17:28:12.387 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:12.387 12490 12580 W routing : Header checksum: 0x84a3
11-19 17:28:12.387 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:12.387 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:13.413 12490 12580 W routing : dropping unhandled packet [IPv4 Header (20 bytes)]
11-19 17:28:13.413 12490 12580 W routing : Version: 4 (IPv4)
11-19 17:28:13.413 12490 12580 W routing : IHL: 5 (20 [bytes])
11-19 17:28:13.413 12490 12580 W routing : TOS: [precedence: 0 (Routine)] [tos: 0 (Default)] [mbz: 0]
11-19 17:28:13.413 12490 12580 W routing : Total length: 84 [bytes]
11-19 17:28:13.413 12490 12580 W routing : Identification: 60599
11-19 17:28:13.413 12490 12580 W routing : Flags: (Reserved, Don't Fragment, More Fragment) = (false, true, false)
11-19 17:28:13.413 12490 12580 W routing : Fragment offset: 0 (0 [bytes])
11-19 17:28:13.413 12490 12580 W routing : TTL: 64
11-19 17:28:13.413 12490 12580 W routing : Protocol: 1 (ICMPv4)
11-19 17:28:13.413 12490 12580 W routing : Header checksum: 0x846f
11-19 17:28:13.413 12490 12580 W routing : Source address: /100.64.0.0
11-19 17:28:13.413 12490 12580 W routing : Destination address: /100.64.1.2
11-19 17:28:19.505 12490 12490 W WindowOnBackDispatcher: OnBackInvokedCallback is not enabled for the application.
11-19 17:28:19.505 12490 12490 W WindowOnBackDispatcher: Set 'android:enableOnBackInvokedCallback="true"' in the application manifest.
11-19 17:28:20.324 12490 12580 V routing : got msg[(/100.64.0.0:40010, /100.64.1.2:443)]: 60 bytes
11-19 17:28:20.326 12490 12580 E tcp:/100.64.0.0:40010 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:28:20.326 12490 12580 I routing : created tcp:/100.64.0.0:40010 -> /100.64.1.2:443
11-19 17:28:20.327 12490 12529 D tcp-conn: tcp:/100.64.0.0:40010 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:28:20.327 12490 12580 V routing : got msg[(/100.64.0.0:40016, /100.64.1.2:443)]: 60 bytes
11-19 17:28:20.327 12490 12529 D tcp:/100.64.0.0:40010 -> /100.64.1.2:443: sending to peer packet_size[40]
11-19 17:28:20.327 12490 12580 E tcp:/100.64.0.0:40016 -> /100.64.1.2:443: could not find Ziti Service for dst[/100.64.1.2:443]
11-19 17:28:20.328 12490 12580 I routing : created tcp:/100.64.0.0:40016 -> /100.64.1.2:443
11-19 17:28:20.328 12490 12529 D tcp-conn: tcp:/100.64.0.0:40016 -> nginx.ziti/100.64.1.2:443/LISTEN transitioning to Closed
11-19 17:28:20.328 12490 12529 D tcp:/100.64.0.0:40016 -> /100.64.1.2:443: sending to peer packet_size[40]
OK, thanks for the Android logs. I'll add them to the bundle and ask for help analyzing them.
Meanwhile, let's prove the Ziti policies are aligned.
❯ kubectl get secrets "ziti-controller-admin-secret" \
--namespace miniziti \
--output go-template='{{index .data "admin-password" | base64decode }}' \
| xargs ziti edge login ziti-controller.domain.com:443 \
--yes --username admin \
--password
❯ ziti edge policy-advisor services -q
OKAY : httpbin-host (1) -> httpbin-service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : miniziti-client (1) -> httpbin-service (1) Common Routers: (1/1) Dial: Y Bind: N
❯ ziti edge policy-advisor identities -q
ERROR: Default Admin
- Identity does not have access to any services. Adjust service policies.
OKAY : httpbin-host (1) -> httpbin-service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : miniziti-client (1) -> httpbin-service (1) Common Routers: (1/1) Dial: Y Bind: N
ERROR: miniziti-router
- Identity does not have access to any services. Adjust service policies.
You can re-run the policy-advisor without the -q flag to print the explanation for the various policy determinations.
Thank you for the information
ziti edge policy-advisor services -q
ERROR: user1 (0) -> Nginx (0) Common Routers: (0/0) Dial: Y Bind: N
- Identity has no edge routers assigned. Adjust edge router policies.
- Service has no edge routers assigned. Adjust service edge router policies.
ERROR: edge-router (1) -> Nginx (0) Common Routers: (0/0) Dial: N Bind: Y
- Service has no edge routers assigned. Adjust service edge router policies.
ERROR: user2 (0) -> Nginx (0) Common Routers: (0/0) Dial: Y Bind: N
- Identity has no edge routers assigned. Adjust edge router policies.
- Service has no edge routers assigned. Adjust service edge router policies.
ziti edge policy-advisor identities -q
ERROR: user1 (0) -> Nginx (0) Common Routers: (0/0) Dial: Y Bind: N
- Identity has no edge routers assigned. Adjust edge router policies.
- Service has no edge routers assigned. Adjust service edge router policies.
ERROR: edge-router (1) -> Nginx (0) Common Routers: (0/0) Dial: N Bind: Y
- Service has no edge routers assigned. Adjust service edge router policies.
ERROR: user2 (0) -> Nginx (0) Common Routers: (0/0) Dial: Y Bind: N
- Identity has no edge routers assigned. Adjust edge router policies.
- Service has no edge routers assigned. Adjust service edge router policies.
ERROR: Default Admin
- Identity does not have access to any services. Adjust service policies.
Router Policies aren't set up yet. Unless you have regional traffic steering requirements, you can add a blanket policy for each: "Edge Router Policy" for all Identities, "Service Edge Router Policy" for all Services.
ziti edge create edge-router-policy "all-routers" \
--edge-router-roles '#all' --identity-roles '#all'
ziti edge create service-edge-router-policy "all-routers" \
--edge-router-roles '#all' --service-roles '#all'
NOTE: you'll see these in the Ziti Console too, and they can be created there instead of using the CLI if you wish. Only the policy-advisor requires the CLI, of the admin actions we've discussed here.