Need help to decipher this warning

av-dev · November 15, 2022, 6:42pm

My transit routers are showing these warnings and I am not sure what does that mean. Appreciate any suggestions.

Ziti version: 0.26.11

Nov 15 18:37:00 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"github.com/openziti/channel/v2@v2.0.12/impl.go:359","func":"github.com/openziti/channel/v2.(*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2044], replyFor [-1]","time":"2022-11-15T18:37:00.910Z"}
Nov 15 18:37:50 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"github.com/openziti/channel/v2@v2.0.12/impl.go:359","func":"github.com/openziti/channel/v2.(*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2102], replyFor [-1]","time":"2022-11-15T18:37:50.911Z"}
Nov 15 18:38:15 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"github.com/openziti/channel/v2@v2.0.12/impl.go:359","func":"github.com/openziti/channel/v2.(*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2132], replyFor [-1]","time":"2022-11-15T18:38:15.910Z"}
Nov 15 18:38:20 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"github.com/openziti/channel/v2@v2.0.12/impl.go:359","func":"github.com/openziti/channel/v2.(*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2140], replyFor [-1]","time":"2022-11-15T18:38:20.910Z"}
Nov 15 18:38:25 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"github.com/openziti/channel/v2@v2.0.12/impl.go:359","func":"github.com/openziti/channel/v2.(*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2146], replyFor [-1]","time":"2022-11-15T18:38:25.910Z"}
Nov 15 18:38:30 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"github.com/openziti/channel/v2@v2.0.12/impl.go:359","func":"github.com/openziti/channel/v2.(*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2154], replyFor [-1]","time":"2022-11-15T18:38:30.910Z"}
Nov 15 18:38:45 ip-10-213-0-21 ziti-router[95110]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{jn0k}","file":"github.com/openziti/channel/v2@v2.0.12/impl.go:359","func":"github.com/openziti/channel/v2.(*channelImpl).rxer","level":"warning","msg":"dropped message. type [20202], sequence [2172], replyFor [-1]","time":"2022-11-15T18:38:45.910Z"}

TIA

plorenz · November 15, 2022, 6:55pm

Hi @av-dev ,
Those are control channel messages which are specific to edge routers. I’m guessing that you created the routers as edge routers, but then configured them to run without the edge portion, so the handlers that would normally be receiving/reacting to those messages aren’t present.

In the short term you could either enable the edge functionality on those routers or delete those edge routers from the model and recreate them as fabric/transit routers:

ziti fabric create router /path/to/router/client.cert

Longer term, we do have facilities to manage enrollment of fabric/transit routers in the edge API, but they are not currently exposed via the ziti CLI. There’s an issue to address that: Add CLI options to manage /edge/v1/transit-routers · Issue #897 · openziti/ziti · GitHub which I’ll hopefully get to shortly.

Let me know if that makes sense,
Cheers,
Paul

av-dev · November 15, 2022, 7:04pm

aah that makes sense. I did create them as edge routers initially and removed “edge” part from the config . So if i don’t take any action and want to run these routers as transit routers only, are these harmless warnings which can be ignored or you would recommend to delete the current edge router enrollment and re-enroll as transit routers?

plorenz · November 15, 2022, 7:29pm

You’re going to get some extra traffic, for sure. I can’t think of any other adverse effects off the top of my head, but I would probably err on the side of caution and recreate them.

av-dev · November 15, 2022, 7:35pm

That helps. Thank you so much for the quick reply.

av-dev · November 15, 2022, 7:37pm

one quick follow up question though -

I have been using following to create edge routers

#"${ZITI_BIN_DIR-}/ziti" edge create edge-router "${ZITI_EDGE_ROUTER_RAWNAME}" -o "${ZITI_HOME}/${ZITI_EDGE_ROUTER_RAWNAME}.jwt" -t -a "mydefault"

From the command you referenced above, do I need to obtain a cert and key before? Can I use my third party CA cert here? If I remember correctly, edge routers enrollment is a closed loop and cant use third party CA provided identity certificates. Are Transit routers different in that aspect?

TheLumberjack · November 15, 2022, 7:55pm

For now, all routers pki is maintained by the controller in that way. So, no difference in what the router’s intention is.

av-dev · November 15, 2022, 7:57pm

Thanks @TheLumberjack How do I get the cert for transit router then?

> ziti fabric create router -h                                                                                                             
creates a router managed by the Ziti Controller

Usage:
  ziti fabric create router <path-to-cert> [flags]

For edge router, the cert is provided by the controller as part of the enrollment, right?

av-dev · November 15, 2022, 8:16pm

Or do I enroll it as edge router to obtain the certificate, then delete that edge router from the controller and use that cert to enroll the transit router?

TheLumberjack · November 15, 2022, 8:18pm

Oh, I had missed that Paul referenced the ziti fabric command. I was only referring to edge routers. I’m unfamiliar with using that command, I’ll have to defer back to Paul. Apologies for the confusion

plorenz · November 15, 2022, 8:43pm

You can either use openssl to generate the certs (which can be complicated), or use ziti edge create edge-router. I’m working on adding support for creating transit routers to the CLI to solve this problem.

av-dev · November 15, 2022, 8:45pm

Perfect. So right now in my current setup, i already got the cert based on what I did earlier ( enrolled as edge routers ) so i just point fabric router to that cert and run command?

plorenz · November 15, 2022, 9:08pm

Yes, should work

av-dev · November 15, 2022, 9:21pm

yeah that it did. And its expected for those routers to not show up in “ziti edge list edge-routers” since they are not edge routers and there are no identities corresponding to those routers as well, right?

The transit routers will only show up in “ziti fabric list routers”?

plorenz · November 15, 2022, 9:57pm

Yes, that’s the expected behavior.

Topic		Replies	Views
Warning Messages in ZET Logs Support	2	142	July 4, 2023
Log tuning for ziti-router?	3	120	March 17, 2023
Edge router starting error	10	321	February 14, 2023
Failed to connect, reason=encryption required on service, terminator did not send public header Ziti Overlay	4	184	June 19, 2023
Misc notes after a few days of working with ziti General Questions	3	292	October 24, 2022

Need help to decipher this warning

Related Topics