Help with creating a router

Hi @bodleytunes,

The "connection reset" issue, in my experience, is usually an indicator that something app-related (not ziti-related) is going on. For example, if your app (ssh) doesn't trust the connection, ssh might reject your connection immediately and that shows up as a 'connection reset'. My GUESS based on your video, is your root user doesn't have your ssh key. Use ssh -vvv root@10.12.10.9 and see if anything in the output helps. I expect something will...

As for the UDP/snmp issue, I'm not sure I follow. When you tunnel traffic with OpenZiti, we tunnel the bytes, not the UDP/TCP packet. So when the bytes get to the remote side, the remote side will open/initiate its own udp/tcp connection. The source ip will look like that identity's IP, not the source IP from the initiating tunneler. Is that what you're asking?

Just having a to and fro with ChatGPT and sending over tcpdumps etc, it seems to think the connection begins but then the client side never responds and something in the middle is causing connection to be killed.

Also I have some output from the local ziti router.

ssh output

be2b67ee4cdc:~# ssh root@10.12.10.9 -vvv
OpenSSH_9.7p1, OpenSSL 3.3.0 9 Apr 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: include /etc/ssh/ssh_config.d/*.conf matched no files
debug2: resolve_canonicalize: hostname 10.12.10.9 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.12.10.9 [10.12.10.9] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.7
kex_exchange_identification: read: Connection reset by peer
Connection reset by 10.12.10.9 port 22

ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:103","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"tproxy config: udpCheckInterval =  [30s]","time":"2025-05-23T10:12:13.049Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:277","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.(*interceptor).addIptablesChain","level":"info","msg":"added iptables 'mangle' link 'PREROUTING' --\u003e 'NF-INTERCEPT'","time":"2025-05-23T10:12:13.054Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:143","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.New","level":"info","msg":"no lan interface specified with '-lanIf'. please ensure firewall accepts intercepted service addresses","time":"2025-05-23T10:12:13.054Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel_v2/tunneler.go:150","func":"github.com/openziti/ziti/router/xgress_edge_tunnel_v2.(*tunneler).NotifyIdentityEvent","level":"info","msg":"identity updated xUEQ-4UCo, eventType: identity.full-state","time":"2025-05-23T10:12:13.054Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel_v2/tunneler.go:160","func":"github.com/openziti/ziti/router/xgress_edge_tunnel_v2.(*tunneler).NotifyServiceChange","level":"info","msg":"service changed for local-router-lsk15. service snmp-service was access.gained","time":"2025-05-23T10:12:13.054Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:155","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).HandleServicesChange","level":"info","msg":"adding service","service":"snmp-service","time":"2025-05-23T10:12:13.054Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:226","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).addService","level":"info","msg":"starting tunnel for newly available service snmp-service","serviceId":"5vYnRfmnxE5a8N7cpwHxT","serviceName":"snmp-service","time":"2025-05-23T10:12:13.054Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:241","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.(*interceptor).newTproxy","level":"info","msg":"tproxy listening on udp:127.0.0.1:57027, remoteAddr: \u003cnil\u003e","time":"2025-05-23T10:12:13.054Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:555","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.(*tProxy).addInterceptAddr","level":"info","msg":"Adding rule iptables -t mangle -A NF-INTERCEPT [-m comment --comment snmp-service -d 10.12.10.9/32 -p udp --dport 161:161 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip=127.0.0.1 --on-port=57027]","time":"2025-05-23T10:12:13.055Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel_v2/tunneler.go:160","func":"github.com/openziti/ziti/router/xgress_edge_tunnel_v2.(*tunneler).NotifyServiceChange","level":"info","msg":"service changed for local-router-lsk15. service ssh-service was access.gained","time":"2025-05-23T10:12:13.056Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:155","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).HandleServicesChange","level":"info","msg":"adding service","service":"ssh-service","time":"2025-05-23T10:12:13.056Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:226","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).addService","level":"info","msg":"starting tunnel for newly available service ssh-service","serviceId":"4VNjVPeiJ6Ew6AN9IuJYVy","serviceName":"ssh-service","time":"2025-05-23T10:12:13.056Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:228","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.(*interceptor).newTproxy","level":"info","msg":"tproxy listening on tcp:127.0.0.1:46177","time":"2025-05-23T10:12:13.056Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:555","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.(*tProxy).addInterceptAddr","level":"info","msg":"Adding rule iptables -t mangle -A NF-INTERCEPT [-m comment --comment ssh-service -d 10.12.10.9/32 -p tcp --dport 22:22 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip=127.0.0.1 --on-port=46177]","time":"2025-05-23T10:12:13.056Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/tunnel/intercept/tproxy/tproxy_linux.go:310","func":"github.com/openziti/ziti/tunnel/intercept/tproxy.(*tProxy).acceptTCP","level":"info","msg":"received connection: 10.12.10.9:22 --\u003e 10.12.10.9:47474","time":"2025-05-23T10:13:28.917Z"}
ziti-router-1  | {"_channels":["establishPath"],"attempt":1,"attemptNumber":"2","circuitId":"lis8vQUaz","context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{NetFoundry Inc. Client LIboJaJ32/98Ya}","error":"invalid link destination 2SYIhX0zqPktxzfpkuDpF6","file":"github.com/openziti/ziti/router/handler_ctrl/route.go:140","func":"github.com/openziti/ziti/router/handler_ctrl.(*routeHandler).fail","level":"error","msg":"failure while handling route update","serviceId":"4VNjVPeiJ6Ew6AN9IuJYVy","time":"2025-05-23T10:13:28.985Z"}
ziti-router-1  | {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{NetFoundry Inc. Client LIboJaJ32/98Ya}","file":"github.com/openziti/ziti/router/handler_ctrl/fault.go:65","func":"github.com/openziti/ziti/router/handler_ctrl.(*faultHandler).handleFault","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"link fault reported, closing","time":"2025-05-23T10:13:28.985Z"}
ziti-router-1  | {"_context":"ch{l/3MIE29zGJh6l3KHGAE5wOL}-\u003eu{classic}-\u003ei{3MIE29zGJh6l3KHGAE5wOL/OoP7}","file":"github.com/openziti/ziti/router/handler_link/close.go:56","func":"github.com/openziti/ziti/router/handler_link.(*closeHandler).HandleClose.func1","iteration":1,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"link closed","routerId":"xUEQ-4UCo","time":"2025-05-23T10:13:28.985Z"}
ziti-router-1  | {"_context":"ch{l/3MIE29zGJh6l3KHGAE5wOL}-\u003eu{classic}-\u003ei{xUEQ-4UCo/4dp4}","file":"github.com/openziti/ziti/router/handler_link/close.go:56","func":"github.com/openziti/ziti/router/handler_link.(*closeHandler).HandleClose.func1","iteration":1,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"link closed","routerId":"xcPcN-mto","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/link/link_state.go:106","func":"github.com/openziti/ziti/router/link.(*linkState).updateStatus","iteration":1,"key":"default-\u003etls:xcPcN-mto-\u003edefault","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"status updated","newState":"linkFailed","oldState":"established","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/link/link_state.go:106","func":"github.com/openziti/ziti/router/link.(*linkState).updateStatus","iteration":1,"key":"default-\u003etls:xcPcN-mto-\u003edefault","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"status updated","newState":"dialing","oldState":"linkFailed","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/link/link_registry.go:543","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).evaluateLinkState","iteration":2,"key":"default-\u003etls:xcPcN-mto-\u003edefault","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"queuing link to dial","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/link/link_registry.go:555","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).evaluateLinkState.func1","iteration":2,"key":"default-\u003etls:xcPcN-mto-\u003edefault","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"dialing link","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"connId":"7db657b5-2fec-4753-9892-96f4bc9aec41","file":"github.com/openziti/ziti/router/xlink_transport/dialer.go:101","func":"github.com/openziti/ziti/router/xlink_transport.(*dialer).dialSplit","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"dialing link with split payload/ack channels","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"connId":"7db657b5-2fec-4753-9892-96f4bc9aec41","file":"github.com/openziti/ziti/router/xlink_transport/dialer.go:123","func":"github.com/openziti/ziti/router/xlink_transport.(*dialer).dialSplit","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"dialing payload channel","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"_channels":["link","linkListener"],"dialerBinding":"","file":"github.com/openziti/ziti/router/xlink_transport/listener.go:130","func":"github.com/openziti/ziti/router/xlink_transport.(*listener).BindChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","linkProtocol":"tls","msg":"binding link channel","routerId":"xUEQ-4UCo","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.004Z"}
ziti-router-1  | {"_channels":["link","linkListener"],"channelType":1,"connId":"7db657b5-2fec-4753-9892-96f4bc9aec41","dialerBinding":"","file":"github.com/openziti/ziti/router/xlink_transport/listener.go:155","func":"github.com/openziti/ziti/router/xlink_transport.(*listener).bindSplitChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","linkProtocol":"tls","msg":"accepted part of split conn","routerId":"xUEQ-4UCo","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.004Z"}
ziti-router-1  | {"dialed":true,"file":"github.com/openziti/ziti/router/handler_link/bind.go:97","func":"github.com/openziti/ziti/router/handler_link.(*bindHandler).BindChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"link destination support heartbeats","routerId":"xcPcN-mto","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.004Z"}
ziti-router-1  | {"connId":"7db657b5-2fec-4753-9892-96f4bc9aec41","file":"github.com/openziti/ziti/router/xlink_transport/dialer.go:144","func":"github.com/openziti/ziti/router/xlink_transport.(*dialer).dialSplit","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"dialing ack channel","time":"2025-05-23T10:13:29.004Z"}
ziti-router-1  | {"ctrlId":"NetFoundry Inc. Client LIboJaJ32","error":"exceeded maximum [2] retries creating circuit [c/lis8vQUaz] (error creating route for [s/lis8vQUaz] on [r/xUEQ-4UCo] (invalid link destination 2SYIhX0zqPktxzfpkuDpF6))","file":"github.com/openziti/ziti/router/xgress_edge_tunnel_v2/fabric.go:115","func":"github.com/openziti/ziti/router/xgress_edge_tunnel_v2.(*fabricProvider).TunnelService","level":"warning","msg":"failed to dial fabric","service":"ssh-service","time":"2025-05-23T10:13:29.018Z"}
ziti-router-1  | {"error":"exceeded maximum [2] retries creating circuit [c/lis8vQUaz] (error creating route for [s/lis8vQUaz] on [r/xUEQ-4UCo] (invalid link destination 2SYIhX0zqPktxzfpkuDpF6))","file":"github.com/openziti/ziti/tunnel/tunnel.go:49","func":"github.com/openziti/ziti/tunnel.DialAndRun","level":"error","msg":"tunnel failed","service":"ssh-service","time":"2025-05-23T10:13:29.018Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/handler_link/bind.go:140","func":"github.com/openziti/ziti/router/handler_link.(*bindHandler).verifyRouter","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"successfully verified router for link","routerId":"xUEQ-4UCo","time":"2025-05-23T10:13:29.035Z"}
ziti-router-1  | {"dialed":false,"file":"github.com/openziti/ziti/router/handler_link/bind.go:97","func":"github.com/openziti/ziti/router/handler_link.(*bindHandler).BindChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"link destination support heartbeats","routerId":"xUEQ-4UCo","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.035Z"}
ziti-router-1  | {"_channels":["link","linkListener"],"dialerBinding":"","file":"github.com/openziti/ziti/router/xlink_transport/listener.go:130","func":"github.com/openziti/ziti/router/xlink_transport.(*listener).BindChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","linkProtocol":"tls","msg":"binding link channel","routerId":"xUEQ-4UCo","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"_channels":["link","linkListener"],"channelType":2,"connId":"7db657b5-2fec-4753-9892-96f4bc9aec41","dialerBinding":"","file":"github.com/openziti/ziti/router/xlink_transport/listener.go:155","func":"github.com/openziti/ziti/router/xlink_transport.(*listener).bindSplitChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","linkProtocol":"tls","msg":"accepted part of split conn","routerId":"xUEQ-4UCo","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"dialed":true,"file":"github.com/openziti/ziti/router/handler_link/bind.go:97","func":"github.com/openziti/ziti/router/handler_link.(*bindHandler).BindChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"link destination support heartbeats","routerId":"xcPcN-mto","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"destId":"xcPcN-mto","dialed":true,"file":"github.com/openziti/ziti/router/accepter.go:23","func":"github.com/openziti/ziti/router.(*xlinkAccepter).Accept","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"accepted new link","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"dest":"xcPcN-mto","dialed":true,"file":"github.com/openziti/ziti/router/link/link_registry.go:274","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).applyLink","level":"info","linkProtocol":"tls","msg":"link registered","newLinkId":"3MIE29zGJh6l3KHGAE5wOL","newLinkIteration":2,"time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/link/link_state.go:106","func":"github.com/openziti/ziti/router/link.(*linkState).updateStatus","iteration":2,"key":"default-\u003etls:xcPcN-mto-\u003edefault","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"status updated","newState":"established","oldState":"dialing","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/link/link_registry.go:691","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).notifyControllersOfLinks","level":"info","msg":"attempting to queue link notifications","op":"link-notify","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/link/link_registry.go:694","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).notifyControllersOfLinks.func1","level":"info","msg":"link notifications starting","op":"link-notify","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"ctrlId":"NetFoundry Inc. Client LIboJaJ32","file":"github.com/openziti/ziti/router/link/link_registry.go:749","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).sendNewLinks","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"notified controller of new link","op":"link-notify","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/link/link_registry.go:698","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).notifyControllersOfLinks.func1.1","level":"info","msg":"link notifications exiting","op":"link-notify","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"file":"github.com/openziti/ziti/router/handler_link/bind.go:140","func":"github.com/openziti/ziti/router/handler_link.(*bindHandler).verifyRouter","level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"successfully verified router for link","routerId":"xUEQ-4UCo","time":"2025-05-23T10:13:29.066Z"}
ziti-router-1  | {"dialed":false,"file":"github.com/openziti/ziti/router/handler_link/bind.go:97","func":"github.com/openziti/ziti/router/handler_link.(*bindHandler).BindChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"link destination support heartbeats","routerId":"xUEQ-4UCo","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.066Z"}
ziti-router-1  | {"destId":"xUEQ-4UCo","dialed":false,"file":"github.com/openziti/ziti/router/accepter.go:23","func":"github.com/openziti/ziti/router.(*xlinkAccepter).Accept","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"accepted new link","time":"2025-05-23T10:13:29.066Z"}
ziti-router-1  | {"_channels":["link","linkListener"],"channelType":2,"connId":"7db657b5-2fec-4753-9892-96f4bc9aec41","dialerBinding":"","file":"github.com/openziti/ziti/router/xlink_transport/listener.go:181","func":"github.com/openziti/ziti/router/xlink_transport.(*listener).bindSplitChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","linkProtocol":"tls","msg":"accepted link","routerId":"xUEQ-4UCo","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.066Z"}
ziti-router-1  | {"dest":"xUEQ-4UCo","dialed":false,"file":"github.com/openziti/ziti/router/link/link_registry.go:274","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).applyLink","level":"info","linkProtocol":"tls","msg":"link registered","newLinkId":"3MIE29zGJh6l3KHGAE5wOL","newLinkIteration":2,"time":"2025-05-23T10:13:29.066Z"}
ziti-router-1  | {"_channels":["link","linkListener"],"channelType":2,"connId":"7db657b5-2fec-4753-9892-96f4bc9aec41","dialerBinding":"","file":"github.com/openziti/ziti/router/xlink_transport/listener.go:184","func":"github.com/openziti/ziti/router/xlink_transport.(*listener).bindSplitChannel","iteration":2,"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","linkProtocol":"tls","msg":"link registered","routerId":"xUEQ-4UCo","routerVersion":"v1.5.4","time":"2025-05-23T10:13:29.066Z"}

Looks suspicious :thinking:

Could this be MTU or packet size related?

This ziti overlay is actually going over an existing VPN (a Zerotier VPN) but I'm assuming zerotier deals with the packet size appropriately.

Is there a ziti config setting similar to doing things with clamping MSS size or anything if I'm running it over an existing VPN?

Jon.
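Added example, not part of the original posts and not OpenZiti project code: a Python triage of router output in the shape pasted above. It strips the compose prefix, skips unparseable fragments and repeated lines, and reports each warning/error together with its circuit id and the state of each link at that moment. `SAMPLE` is abridged from the lines above with fields trimmed; the function names are illustrative.

```python
import json
import re
from datetime import datetime

# Constructed sample: abridged router lines (fields trimmed), plus one truncated
# fragment and one repeated line to exercise the skip and de-duplication paths.
SAMPLE = r'''
05-23T10:12:13.049Z"}
ziti-router-1  | {"circuitId":"lis8vQUaz","error":"invalid link destination 2SYIhX0zqPktxzfpkuDpF6","level":"error","msg":"failure while handling route update","serviceId":"4VNjVPeiJ6Ew6AN9IuJYVy","time":"2025-05-23T10:13:28.985Z"}
ziti-router-1  | {"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"status updated","newState":"linkFailed","oldState":"established","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"status updated","newState":"dialing","oldState":"linkFailed","time":"2025-05-23T10:13:28.986Z"}
ziti-router-1  | {"error":"exceeded maximum [2] retries creating circuit [c/lis8vQUaz] (error creating route for [s/lis8vQUaz] on [r/xUEQ-4UCo] (invalid link destination 2SYIhX0zqPktxzfpkuDpF6))","level":"warning","msg":"failed to dial fabric","service":"ssh-service","time":"2025-05-23T10:13:29.018Z"}
ziti-router-1  | {"error":"exceeded maximum [2] retries creating circuit [c/lis8vQUaz] (error creating route for [s/lis8vQUaz] on [r/xUEQ-4UCo] (invalid link destination 2SYIhX0zqPktxzfpkuDpF6))","level":"error","msg":"tunnel failed","service":"ssh-service","time":"2025-05-23T10:13:29.018Z"}
ziti-router-1  | {"level":"info","linkId":"3MIE29zGJh6l3KHGAE5wOL","msg":"status updated","newState":"established","oldState":"dialing","time":"2025-05-23T10:13:29.036Z"}
ziti-router-1  | {"error":"exceeded maximum [2] retries creating circuit [c/lis8vQUaz] (error creating route for [s/lis8vQUaz] on [r/xUEQ-4UCo] (invalid link destination 2SYIhX0zqPktxzfpkuDpF6))","level":"error","msg":"tunnel failed","service":"ssh-service","time":"2025-05-23T10:13:29.018Z"}
'''.strip().splitlines()

PREFIX = re.compile(r"^\S+\s+\|\s+")     # docker compose service prefix
CIRCUIT = re.compile(r"\[c/([^\]]+)\]")  # circuit id embedded in error text


def parse(lines):
    """Return unique, time-ordered JSON records; unparseable fragments are skipped."""
    seen, recs = set(), []
    for raw in lines:
        body = PREFIX.sub("", raw.strip(), count=1)
        if body in seen:
            continue
        seen.add(body)
        try:
            rec = json.loads(body)
            rec["_ts"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        except (ValueError, KeyError, TypeError):
            continue
        recs.append(rec)
    return sorted(recs, key=lambda r: r["_ts"])  # stable: ties keep input order


def link_state_at(recs, link_id, ts):
    """State of link_id at time ts, replayed from 'status updated' records."""
    state = None
    for r in recs:
        if r.get("msg") != "status updated" or r.get("linkId") != link_id:
            continue
        if state is None:
            state = r["oldState"]  # state before the first recorded change
        if r["_ts"] > ts:
            break
        state = r["newState"]
    return state


def triage(lines):
    """List warning/error records with circuit, service and link states at that time."""
    recs = parse(lines)
    links = sorted({r["linkId"] for r in recs if r.get("msg") == "status updated"})
    out = []
    for r in recs:
        if r.get("level") not in ("warning", "error"):
            continue
        m = CIRCUIT.search(r.get("error", ""))
        out.append({
            "time": r["time"],
            "level": r["level"],
            "msg": r.get("msg"),
            "service": r.get("service") or r.get("serviceId"),
            "circuit": r.get("circuitId") or (m.group(1) if m else None),
            "links": {l: link_state_at(recs, l, r["_ts"]) for l in links},
        })
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["time"], f["level"], f["msg"], f["circuit"], f["service"], f["links"])
```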

I suppose anything is possible, but usually not with ziti

So this is absolutely "questionable". I cannot vouch for the efficacy of running ziti over a vpn. It "should" be fine as you say, however the Zerotier client may cause issues, maybe? Not sure how likely that is but it's definitely possible. Multiple zero trust/vpn clients on the client side routinely cause issues "in general" so I'd recommend you remove that from the equation.

As ziti is a zero trust overlay, we don't run it over a VPN in our own day-to-day stuff. I don't know if anyone does. I would not expect it to matter but it might. As such, there's no tuning of that nature that I know of in ziti.

Can we level set though, you seem to be on to a 'new' issue? Maybe it's worth making a new discourse post that's more focused on the current problem?

Oh I just tried reducing mtu to 1300 via the config files and that didn't work either. The dialer and listener have binding options for mtu: ziti/zititest/models/dtls-west/configs/router.yml.tmpl at main · openziti/ziti · GitHub

Sure, will create a new one. And yeah, it's getting confusing now as it's kind of working but two new problems, the cut off of the SSH connection and the other one seems to be that when testing UDP (snmp walk) the traffic seems to ingress via the tproxy but nothing emerges at the other end, it kind of disappears into the ether.