Need help to decipher this warning

My transit routers are showing these warnings and I am not sure what they mean. I'd appreciate any suggestions.

Ziti version: 0.26.11

Nov 15 18:37:00 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2044], replyFor [-1]","time":"2022-11-15T18:37:00.910Z"}
Nov 15 18:37:50 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2102], replyFor [-1]","time":"2022-11-15T18:37:50.911Z"}
Nov 15 18:38:15 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2132], replyFor [-1]","time":"2022-11-15T18:38:15.910Z"}
Nov 15 18:38:20 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2140], replyFor [-1]","time":"2022-11-15T18:38:20.910Z"}
Nov 15 18:38:25 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2146], replyFor [-1]","time":"2022-11-15T18:38:25.910Z"}
Nov 15 18:38:30 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2154], replyFor [-1]","time":"2022-11-15T18:38:30.910Z"}
Nov 15 18:38:45 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2172], replyFor [-1]","time":"2022-11-15T18:38:45.910Z"}


Hi @av-dev,
Those are control channel messages which are specific to edge routers. I’m guessing that you created the routers as edge routers, but then configured them to run without the edge portion, so the handlers that would normally be receiving/reacting to those messages aren’t present.

In the short term you could either enable the edge functionality on those routers or delete those edge routers from the model and recreate them as fabric/transit routers:

ziti fabric create router /path/to/router/client.cert

Longer term, we do have facilities to manage enrollment of fabric/transit routers in the edge API, but they are not currently exposed via the ziti CLI. There’s an issue to address that, “Add CLI options to manage /edge/v1/transit-routers” (Issue #897, openziti/ziti on GitHub), which I’ll hopefully get to shortly.

Let me know if that makes sense,

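A triage sketch for the warnings discussed above, added here as an example and not taken from the thread or the OpenZiti project: it groups the dropped-message warnings by host, channel context and message type, so you can see which routers are affected and over what time span. The sample lines are constructed in the format quoted in the question, and `summarize_dropped` is a hypothetical helper name.

```python
import json
import re
from collections import defaultdict

# Constructed sample: two warnings in the format quoted in the question, plus
# an unrelated info line and a non-JSON line that the parser must skip.
SAMPLE = r'''
Nov 15 18:37:00 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2044], replyFor [-1]","time":"2022-11-15T18:37:00.910Z"}
Nov 15 18:37:50 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"","func":"*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2102], replyFor [-1]","time":"2022-11-15T18:37:50.911Z"}
Nov 15 18:37:55 ip-10-213-0-21 ziti-router[95110]: {"level":"info","msg":"constructed unrelated line","time":"2022-11-15T18:37:55.000Z"}
Nov 15 18:38:00 ip-10-213-0-21 systemd[1]: constructed non-JSON line
'''

# Syslog prefix written by journald, followed by the router's JSON log record.
PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+(\S+)\s+ziti-router\[\d+\]:\s+(\{.*\})\s*$")
DROPPED = re.compile(r"dropped message\. type \[(-?\d+)\], sequence \[(-?\d+)\], replyFor \[(-?\d+)\]")


def summarize_dropped(text):
    """Group 'dropped message' warnings by (host, channel context, message type)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "sequences": []})
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue                      # not a ziti-router JSON line
        host, payload = m.groups()
        try:
            record = json.loads(payload)  # also decodes \u003e to '>'
        except json.JSONDecodeError:
            continue                      # truncated or malformed JSON
        d = DROPPED.search(record.get("msg", ""))
        if record.get("level") != "warning" or not d:
            continue
        msg_type, sequence, _reply_for = (int(x) for x in d.groups())
        g = groups[(host, record.get("_context", ""), msg_type)]
        g["count"] += 1
        g["sequences"].append(sequence)
        ts = record.get("time")
        g["first"] = g["first"] or ts     # keep the earliest timestamp seen
        g["last"] = ts
    return dict(groups)


if __name__ == "__main__":
    for (host, ctx, msg_type), g in summarize_dropped(SAMPLE).items():
        print(f"{host} {ctx} type={msg_type} count={g['count']} {g['first']} .. {g['last']}")
```

After recreating the routers as fabric/transit routers, running the same summary over fresh logs should show the type 20202 group no longer growing.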

Aah, that makes sense. I did create them as edge routers initially and removed the “edge” part from the config. So if I don’t take any action and want to run these routers as transit routers only, are these harmless warnings which can be ignored, or would you recommend deleting the current edge router enrollment and re-enrolling as transit routers?

You’re going to get some extra traffic, for sure. I can’t think of any other adverse effects off the top of my head, but I would probably err on the side of caution and recreate them.

That helps. Thank you so much for the quick reply.

One quick follow-up question though:

I have been using the following to create edge routers:

#"${ZITI_BIN_DIR-}/ziti" edge create edge-router "${ZITI_EDGE_ROUTER_RAWNAME}" -o "${ZITI_HOME}/${ZITI_EDGE_ROUTER_RAWNAME}.jwt" -t -a "mydefault"

From the command you referenced above, do I need to obtain a cert and key beforehand? Can I use my third-party CA cert here? If I remember correctly, edge router enrollment is a closed loop and can’t use third-party CA provided identity certificates. Are transit routers different in that aspect?

For now, all router PKI is maintained by the controller in that way. So, there is no difference based on what the router’s intention is.

Thanks @TheLumberjack. How do I get the cert for the transit router then?

> ziti fabric create router -h
creates a router managed by the Ziti Controller

  ziti fabric create router <path-to-cert> [flags]

For an edge router, the cert is provided by the controller as part of the enrollment, right?

Or do I enroll it as an edge router to obtain the certificate, then delete that edge router from the controller and use that cert to enroll the transit router?

Oh, I had missed that Paul referenced the ziti fabric command. I was only referring to edge routers. I’m unfamiliar with using that command, so I’ll have to defer back to Paul. Apologies for the confusion.

You can either use openssl to generate the certs (which can be complicated), or use ziti edge create edge-router. I’m working on adding support for creating transit routers to the CLI to solve this problem.

Perfect. So right now in my current setup, I already got the cert based on what I did earlier (enrolled as edge routers), so I just point the fabric router to that cert and run the command?

Yes, should work :+1:

Yeah, that it did. And it’s expected for those routers to not show up in “ziti edge list edge-routers” since they are not edge routers and there are no identities corresponding to those routers either, right?

The transit routers will only show up in “ziti fabric list routers”?

Yes, that’s the expected behavior.
