Invalid edge router for session

I’m troubleshooting this router log message.

[ 587.842]   ERROR edge/tunnel.DialAndRun: {error=[invalid edge router for session] service=[testapi-service]} tunnel failed

I encountered this while configuring the router as a proxy client, i.e. tunnel mode “proxy” with dial permission for a Ziti service. The router log shows that it begins listening for the service on the configured proxy port, but when I send data to the port it emits that error. I used policy-advisor to make certain the service and router policies are aligned.

I intended to configure the router to only serve as a proxy, not edge or transport. It panicked during startup when I did not provide the edge binding, so I have added that even though no SDKs will be configured with a router policy for this router’s edge listener. I have this router config.

v: 3

identity:
  cert:        ${ZITI_ROUTER_IDENTITY_DIR}/client.crt
  server_cert: ${ZITI_ROUTER_IDENTITY_DIR}/tls.crt
  key:         ${ZITI_ROUTER_IDENTITY_DIR}/tls.key
  ca:          ${ZITI_ROUTER_IDENTITY_DIR}/ca.crt

ctrl:
  endpoint:    tls:ziti-controller-ctrl.ziti.svc:443

link:
  dialers:
    - binding: transport
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
        advertise: proxy1.ziti.svc:443
        connectTimeoutMs: 1000
        getSessionTimeout: 60
  - binding: tunnel
    options:
        mode: proxy
        services:
          - "testapi-service:8080"
metrics:
  reportInterval: 5s
  intervalAgeThreshold: 5s

edge:
  csr:
    sans:
      dns:
        - localhost
        - proxy1.ziti.svc
      ip:
        - 127.0.0.1

forwarder:
    latencyProbeInterval: 10
    xgressDialQueueLength: 1000
    xgressDialWorkerCount: 128
    linkDialQueueLength: 1000
    linkDialWorkerCount: 32

The controller emits a message at the same time as the router, which is whenever I send data to the client proxy port.

[76632.710]   ERROR edge/controller/handler_edge_ctrl.(*baseRequestHandler).returnError [ch{fVCMmw-MqG}->u{classic}->i{RN5y}]: {error=[invalid edge router for session] routerId=[fVCMmw-MqG] operation=[tunnel.create.circuit]} responded with error

The cause of this error was a missing service edge router policy (SERP). The client identity is a router’s built-in tunneler with mode “proxy”, and I learned that it is required for any services that are accessed by a built-in client tunnel to also match a SERP that includes the tunneler’s attached router.

For example, consider that purpleRouter has the tunneler enabled with mode proxy. This causes Ziti to spawn an identity of type Router named purpleRouter. Ziti additionally creates an edge router policy of type System automatically, giving the tunneler identity permission to dial its attached router. Two additional things are needed that are not created automatically because they are not predictable for all situations:

  1. a service policy of type Dial matching the tunneler identity and the target service(s)
  2. a service edge router policy matching the attached router and the target service(s)
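The three-policy requirement described above can be checked before sending traffic. This is an added example, not part of the original post and not OpenZiti code: it uses a simplified role-matching model (`#all`, `@name`, `#attribute`, any match suffices), and the `Entity`, `Policy` and `missing_for_tunneler` names and the `#public-routers` attribute are hypothetical.

```python
# Simplified model (an assumption, not OpenZiti code): a role matches an entity
# by "#all", by "@name", or by "#attribute"; any matching role is enough.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    name: str
    attrs: frozenset = frozenset()

def matches(roles, entity):
    return any(r == "#all" or r == "@" + entity.name or
               (r.startswith("#") and r[1:] in entity.attrs) for r in roles)

@dataclass
class Policy:
    kind: str    # "erp", "dial" or "serp"
    left: list   # identity roles (erp, dial) or edge router roles (serp)
    right: list  # edge router roles (erp) or service roles (dial, serp)

def missing_for_tunneler(router, service, policies):
    """Return the policy kinds still missing before the router's built-in
    tunneler can dial `service` through its own attached router."""
    identity = router  # the tunneler identity carries the router's name
    needed = {
        "erp":  (identity, router),   # identity -> attached router (created by the system)
        "dial": (identity, service),  # identity -> service, policy type Dial
        "serp": (router, service),    # attached router -> service
    }
    missing = []
    for kind, (lhs, rhs) in needed.items():
        if not any(p.kind == kind and matches(p.left, lhs) and matches(p.right, rhs)
                   for p in policies):
            missing.append(kind)
    return missing

# Constructed sample data using the names from the post.
purple = Entity("purpleRouter")
testapi = Entity("testapi-service")
policies = [
    Policy("erp", ["@purpleRouter"], ["@purpleRouter"]),        # automatic System policy
    Policy("dial", ["@purpleRouter"], ["@testapi-service"]),
    Policy("serp", ["#public-routers"], ["@testapi-service"]),  # does not cover purpleRouter
]

if __name__ == "__main__":
    print(missing_for_tunneler(purple, testapi, policies))
    fixed = policies + [Policy("serp", ["@purpleRouter"], ["@testapi-service"])]
    print(missing_for_tunneler(purple, testapi, fixed))
```

With the constructed data, the first call reports the missing SERP, which is the state that produced "invalid edge router for session" in the post; adding a SERP that names the attached router clears it.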