I can't access the deployed web app even with an enrolled device

I am unable to access the web application that is under OpenZiti, despite my device being enrolled, while other enrolled devices can access the app without issue. What could be causing this access problem?
While the identity ansh-mobile can access the web app using the custom address, ansh-desktop can't access the web app. I have made sure that Ziti Desktop Edge is turned on on the desktop.

If you need any other information, please let me know.

Hello, can any moderator help me with this?

I am not a moderator and can probably not help.

Are ansh-mobile and ansh-desktop using the same OpenZiti router?

Are the service policies and service router policies set up correctly?

Both identities are using the same router and the same service. Service policies and service router policies are set up correctly. Other desktop identities on my private network can access it, but only my desktop can't; even my mobile identity can access the web app. I also reinstalled the Ziti desktop client.
No logs are showing up for this, because it is not even creating a dial event.

On the Desktop machine does the name resolution work?

nslookup wazuh.ii.lan # do you get an unexpected IP?
nslookup wazuh.ii.lan 100.64.0.2 # or whatever the overlay IP address of the OpenZiti DNS is
ping wazuh.ii.lan

My desktop:
My machine can't resolve wazuh.ii.lan, I don't know why, but my mate can.

Another desktop with the same service and same router:

He can access the service but I can't. The main thing is, it was working all fine until about 3 days ago, when it stopped working. I also restarted the controller and router, but still the same issue.

You should check the ZDEW service log.

[2025-10-17T05:47:39.397Z] DEBUG ziti-edge-tunnel:tun.c:538 refresh_routes() refreshing excluded routes
[2025-10-17T05:47:39.397Z] DEBUG ziti-sdk:legacy_auth.c:238 auth_timer_cb() refreshing session[0000029169705ed0]
[2025-10-17T05:47:39.397Z] VERBOSE ziti-sdk:ziti_ctrl.c:145 start_request() ctrl[https://azc.example.com:1280] starting GET[/current-api-session]
[2025-10-17T05:47:39.397Z] VERBOSE ziti-edge-tunnel:ziti-edge-tunnel.c:2687 endpoint_status_change_function() invoking endpoint status change command
[2025-10-17T05:47:39.397Z] DEBUG ziti-edge-tunnel:ipc_event.c:119 send_events_message() Events Message => {"Op":"status","Status":{"Active":false,"Duration":82651985,"StartTime":"2025-10-16T06:50:07.412938Z","Identities":[{"Name":"ansh-desktop","Identifier":"c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\ansh-desktop.json","FingerPrint":"ansh-desktop","Active":true,"Loaded":true,"Config":{"ztAPI":"https://azc.example.com:1280"},"ControllerVersion":"v1.6.8","IdFileStatus":false,"NeedsExtAuth":false,"MfaEnabled":true,"MfaNeeded":true,"Metrics":{"Up":0,"Down":0},"MfaMinTimeout":0,"MfaMaxTimeout":0,"MfaMinTimeoutRem":0,"MfaMaxTimeoutRem":0,"MinTimeoutRemInSvcEvent":0,"MaxTimeoutRemInSvcEvent":0,"Deleted":false,"Notified":false}],"IpInfo":{"Ip":"100.64.0.1","Subnet":"255.192.0.0","MTU":65535,"DNS":"100.64.0.2"},"LogLevel":"verbose","ServiceVersion":{"Version":"v1.7.13","BuildDate":"Thu-09/25/2025-17:27:03-"},"TunIpv4":"100.64.0.1","TunIpv4Mask":10,"AddDns":false,"ApiPageSize":25,"TunName":"ziti-tun0"}}
[2025-10-17T05:47:39.397Z] WARN ziti-sdk:posture.c:1054 ziti_endpoint_state_change() ztx[1] endpoint is disabled
[2025-10-17T05:47:39.397Z] DEBUG tunnel-cbs:ziti_tunnel_ctrl.c:716 process_cmd() Endpoint status change function is invoked for c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\ansh-desktop.json with woken 1 and unlocked 0
[2025-10-17T05:47:39.399Z] DEBUG ziti-edge-tunnel:windows-scripts.c:536 update_symlink() Executing update symlink script :
[2025-10-17T05:47:39.399Z] DEBUG ziti-edge-tunnel:windows-scripts.c:537 update_symlink() powershell -Command "Get-Item -Path "C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service\ziti-tunneler.log" | Remove-Item;New-Item -Itemtype SymbolicLink -Path "C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service\ziti-tunneler.log" -Target "C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service\ziti-tunneler.log.202510170000.log" | Out-Null"

I even tried re-enrolling my desktop identity without MFA (just in case). Even in the logs it now says my identity is active. Theoretically this should work, and it was working 5 days before, and right now it is not working.

The logs that you've shared so far aren't sufficient. They don't show any sort of error that would indicate a problem. Can you make sure the problem identity has the ability to dial the service?

Using your ziti cli run a policy-advisor command:

ziti edge policy-advisor identities -q

Let's first clarify that ansh-desktop has dial privs to the service that provides wazuh.ii.lan.

You cannot use nslookup without providing the DNS nameserver IP. The ZDEW uses the Windows NRPT and nslookup is not aware of the NRPT. You can, however, use PowerShell's Resolve-DnsName command. For example:

Resolve-DnsName mattermost.tools.netfoundry.io

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
mattermost.tools.netfoundry.io                 A      60    Answer     100.100.0.10

My guess right now, since you show 1 service, is that your identity has bind privileges but not dial. Show the ziti CLI command results and let's verify dial privs.

image

Other systems have the same permission and can access.


My desktop :backhand_index_pointing_up:
image
My colleague desktop :backhand_index_pointing_up:
We are accessing through the same LAN.

I expect that ansh-desktop is online at the time you ran that Resolve-DnsName and that the identity is enabled. :slight_smile: Have you had a look through the logs at all? If you want to do a Main Menu->Feedback and send me that zip file here via DM, I can have a look.

Right now, my guess is that there's something "busted" in Windows. We've actually seen that before when supporting NetFoundry customers. "Fixing" Windows through the usual DISM and sfc commands can often fix the issue.

On that failed machine, try an nslookup directly to the tunneler too:

nslookup wazuh.ii.lan 100.64.0.2

Another thing to look out for is endpoint monitoring software, competing VPN clients and sometimes the network provider itself. Looking at your friend's response I see 192.168.5.11. That's an exceptionally strange IP for that address. Has that user changed the IP range of their TUN device in Main Menu -> Advanced Settings -> Tunnel Config?

There's something new/strange going on here that isn't what I normally see so it seems like maybe that might be related?

It'd be helpful if you can send me a feedback zip file to look at.

Yes, ansh-desktop is online during the time I ran the Resolve-DnsName command, and the identity is also enabled.
If you don't mind, can you provide an email address so that I can send the log zip file?

Sure. You can send to clint at openziti.org, or if you want to DM here on Discourse you should be able to send a zip. That nslookup seems odd too. Do you know if your other friend changed the TUN address to 192.168.x.x?

Yeah, I fixed my friend's issue; wazuh.ii.lan is resolving through OpenZiti.

2025-10-27_173312.zip (3.1 MB)
Also, I can't access that link; it says page not found.

Thanks for the zip. Looking through your logs the thing that catches my eye is the ziti-tun adapter name:

   Description . . . . . . . . . . . : OpenZiti Tunnel #2

Let's do this: can you open Device Manager, go to Network Adapters, and show me all the adapters you have listed? Do you possibly have TWO in there?

Regardless of how many you have I want you to:

  • stop the ziti desktop edge for windows
  • right click on each "openziti tunnel"
  • choose "uninstall device"
  • check the "Attempt to remove the driver for this device"
  • click "uninstall"
  • start the ZDEW back up
  • open an administrator command prompt and run ipconfig /all
  • find the OpenZiti line (it should look like mine)
    Unknown adapter ziti-tun0:
    
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : OpenZiti Tunnel
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 100.100.0.0(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Enabled
    

If that doesn't fix things, can you share a screen shot of your Main Menu -> Advanced Settings -> Tunnel Config?

If all that doesn't resolve the problem -- did you try the DISM and sfc commands?

For example, from ChatGPT:


To repair Windows using DISM and SFC commands, use the following steps:

  1. Run DISM (Deployment Imaging Service and Management Tool):
DISM /Online /Cleanup-Image /RestoreHealth

This command scans for corruption in the Windows image and attempts to repair it.

  2. Run SFC (System File Checker):
sfc /scannow

This command scans the system for missing or corrupted system files and repairs them.

Recommended Sequence:

  1. Run DISM first to repair the system image.
  2. Run SFC to fix any corrupted system files.
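The checks suggested in this thread (duplicate "OpenZiti Tunnel" adapters, NRPT-aware resolution via Resolve-DnsName, and a direct query to the tunneler's DNS) gathered into one script. This is an added example, not code from the thread or from the OpenZiti project; the hostname wazuh.ii.lan and the DNS address 100.64.0.2 are taken from the posts above and are assumed defaults you should adjust. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added diagnostic script (not part of the thread). Assumed defaults come from the posts above.
param(
    [string]$ServiceHost = 'wazuh.ii.lan',   # hostname intercepted by the OpenZiti service
    [string]$ZitiDns     = '100.64.0.2'      # "DNS" address reported in the ZDEW status log
)

# Matches the default ZDEW TUN range 100.64.0.0/10 (second octet 64..127).
$ZitiRangeRegex = '^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.'

function Get-ZitiTunAdapters {
    # A second adapter such as "OpenZiti Tunnel #2" is the condition flagged above.
    Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -like 'OpenZiti Tunnel*' } |
        Select-Object Name, InterfaceDescription, Status
}

function Test-ZitiResolution {
    param([string]$HostName, [string]$Server)
    # Resolve-DnsName honours the NRPT rules ZDEW installs; nslookup does not,
    # so query both the system resolver and the tunneler's DNS directly.
    $system = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    $direct = @(Resolve-DnsName -Name $HostName -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    [pscustomobject]@{
        Host           = $HostName
        SystemAnswer   = $system
        TunnelerAnswer = $direct
        # An answer outside 100.64.0.0/10 (like the 192.168.5.11 seen above) means the
        # name is not being answered by ZDEW on this machine.
        AnsweredByZiti = @($system | Where-Object { $_ -match $ZitiRangeRegex }).Count -gt 0
    }
}

$adapters = @(Get-ZitiTunAdapters)
Write-Host "OpenZiti tunnel adapters found: $($adapters.Count)"
$adapters | Format-Table -AutoSize
if ($adapters.Count -gt 1) {
    Write-Warning 'More than one OpenZiti Tunnel adapter: remove them in Device Manager (with the driver) and restart ZDEW.'
}

# Show any NRPT rules that point the service hostname at the tunneler's DNS.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -like "*$ServiceHost*" -or $_.NameServers -contains $ZitiDns } |
    Select-Object Namespace, NameServers | Format-Table -AutoSize

Test-ZitiResolution -HostName $ServiceHost -Server $ZitiDns | Format-List
```

If SystemAnswer is empty while TunnelerAnswer is populated, the NRPT rule or adapter is the problem rather than the service policy; if both are empty, re-check dial privileges with the policy-advisor command from earlier in the thread.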

The issue is fixed now. Thanks for the help @TheLumberjack

Do you know what fixed it? Was it 'fixing' Windows? Was it multiple network interfaces/removing the driver? I'm curious to know 'how' it went wrong, if you know.

It started working after this.