NEWBIE: Creating User for Enrollment using OTT

Sorry, in 1. below I meant rh.cb.com:80 intercepted, not sales.cb.com:80 ...

Then I tested from laprh laptop ...

  1. browse rh.cb.com (sales.cb.com:80 intercepted and sent to wwwrh.cb.com:80)
  2. browse sales.cb.com (no interception for this name). I properly got failure to get the related IP address resolution to reach the page.

You need to authenticate using the ziti edge login command first. Then policy advisor will function.

For the logs it's always best to look at the client logs first for errors. Depending on the error you see, you'll either know the issue based on those logs or, if not, you would then want to look in the router logs.

Please do use code blocks when sharing configuration or console output. It's easier to read.

This is generally because the identity wasn't authorized to dial the service or the service was misconfigured. Policy advisor will tell you if the identity is authorized properly. Misconfigurations can be hard to spot for us humans, we sometimes tend to not be as thorough as computers, but if there's a misconfiguration you just have to review the service you made and double check all the ports and hostname etc.

With ziti login ...

```text
PS C:\Users\Nei> ziti edge policy-advisor identities -q
OKAY : ziti-edge-router (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : ziti-edge-router (1) -> ftpdebian2 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : ziti-edge-router (1) -> wwwrh (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : ziti-edge-router (1) -> local-mgmt-api (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : ziti-edge-router (1) -> sshdebian1 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : ziti-edge-router (1) -> wwwsales (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : ziti-edge-router (1) -> ftpdebian1 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : debian-nei (1) -> local-mgmt-api (1) Common Routers: (1/1) Dial: Y Bind: N

ERROR: Default Admin
  - Identity does not have access to any services. Adjust service policies.

OKAY : sales1 (1) -> wwwsales (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : itguy (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : itguy (1) -> ftpdebian2 (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : itguy (1) -> wwwrh (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : itguy (1) -> sshdebian1 (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : itguy (1) -> wwwsales (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : itguy (1) -> ftpdebian1 (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : rh1 (1) -> wwwrh (1) Common Routers: (1/1) Dial: Y Bind: N

PS C:\Users\Nei>
```

```text
PS C:\Users\Nei> ziti edge policy-advisor services sshdebian2 -q
OKAY : ziti-edge-router (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : itguy (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: Y Bind: N

PS C:\Users\Nei>
```

You can't just show me the output, it's not enough context. You need to look at the output and ensure the identity you expect to have dial privileges does. Do you see that your identity that is supposed to be able to dial "sales.cb.com" has dial privs?

Have you looked at the logs yet? You need to always look at the logs for errors, generally starting with the client and then on the offloading identity. What do the logs say?

Also, please use code fences. I edited your post to show you how to do that. It makes the output much more readable.
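The check Clint describes (does the identity you expect have `Dial: Y` to the service, does something have `Bind: Y` for it, and do they share a router) can be done against the advisor text rather than by eye. The following is an added example for this thread, not part of the ziti CLI or of any poster's code; it assumes the line format shown in the output above, and the sample input is the `identities -q` output pasted earlier in the thread.

```python
import re
from dataclasses import dataclass, field

# Matches one "OKAY : <identity> (n) -> <service> (n) Common Routers: (c/t) Dial: Y/N Bind: Y/N"
# line. The format is taken from the thread's output; other ziti versions may differ.
ROW_RE = re.compile(
    r"^OKAY\s*:\s*(?P<identity>.+?) \(\d+\) -> (?P<service>.+?) \(\d+\) "
    r"Common Routers: \((?P<common>\d+)/(?P<total>\d+)\) "
    r"Dial: (?P<dial>[YN]) Bind: (?P<bind>[YN])\s*$"
)
ERR_RE = re.compile(r"^ERROR\s*:\s*(?P<identity>.+?)\s*$")


@dataclass
class Row:
    identity: str
    service: str
    common_routers: int
    total_routers: int
    dial: bool
    bind: bool


@dataclass
class Report:
    rows: list = field(default_factory=list)
    errors: dict = field(default_factory=dict)   # identity -> advisor messages


def parse_policy_advisor(text):
    """Turn policy-advisor output into Row records plus per-identity ERROR messages."""
    report = Report()
    current_error = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("PS "):     # blank lines and the PowerShell prompt
            continue
        m = ROW_RE.match(line)
        if m:
            current_error = None
            report.rows.append(Row(m["identity"], m["service"], int(m["common"]),
                                   int(m["total"]), m["dial"] == "Y", m["bind"] == "Y"))
            continue
        m = ERR_RE.match(line)
        if m:
            current_error = m["identity"]
            report.errors.setdefault(current_error, [])
            continue
        if current_error is not None and line.startswith("- "):
            report.errors[current_error].append(line[2:])
    return report


def diagnose(report, identity, service):
    """Reasons a dial from `identity` to `service` is not expected to work at the
    policy level. An empty list means policy is fine and the problem lies elsewhere
    (for example in the intercept configuration)."""
    problems = []
    for msg in report.errors.get(identity, []):
        problems.append(f"{identity}: {msg}")
    mine = [r for r in report.rows if r.identity == identity and r.service == service]
    if not any(r.dial for r in mine):
        problems.append(f"{identity} has no Dial permission for {service} (check service policies)")
    elif not any(r.dial and r.common_routers > 0 for r in mine):
        problems.append(f"{identity} and {service} share no edge router (check edge-router policies)")
    if not any(r.service == service and r.bind and r.common_routers > 0 for r in report.rows):
        problems.append(f"nothing is authorized to Bind {service}, so there is no host to reach")
    return problems


def can_dial(report, identity, service):
    return diagnose(report, identity, service) == []


# Sample input: the `ziti edge policy-advisor identities -q` output from this thread.
SAMPLE_OUTPUT = """\
PS C:\\Users\\Nei> ziti edge policy-advisor identities -q
OKAY : ziti-edge-router (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : ziti-edge-router (1) -> ftpdebian2 (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : ziti-edge-router (1) -> wwwrh (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : ziti-edge-router (1) -> local-mgmt-api (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : ziti-edge-router (1) -> sshdebian1 (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : ziti-edge-router (1) -> wwwsales (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : ziti-edge-router (1) -> ftpdebian1 (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : debian-nei (1) -> local-mgmt-api (1) Common Routers: (1/1) Dial: Y Bind: N
ERROR: Default Admin
  - Identity does not have access to any services. Adjust service policies.
OKAY : sales1 (1) -> wwwsales (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : itguy (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : itguy (1) -> ftpdebian2 (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : itguy (1) -> wwwrh (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : itguy (1) -> sshdebian1 (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : itguy (1) -> wwwsales (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : itguy (1) -> ftpdebian1 (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : rh1 (1) -> wwwrh (1) Common Routers: (1/1) Dial: Y Bind: N
"""

if __name__ == "__main__":
    rep = parse_policy_advisor(SAMPLE_OUTPUT)
    for ident, svc in [("itguy", "sshdebian2"), ("sales1", "wwwrh"), ("Default Admin", "wwwrh")]:
        print(ident, "->", svc, ":", diagnose(rep, ident, svc) or "policy OK")
```

Run with the real output piped in (`ziti edge policy-advisor identities -q > advisor.txt`) and call `diagnose` for the identity and service you are testing; an empty result for `itguy -> sshdebian2`, as in this thread, tells you the policies are not the problem and the next place to look is the service's intercept and host configuration, then the client and router logs.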

Clint, I am sorry if I am not being clear.

The problem is I can't ssh to Debian 2. The dialing identity (itguy) is correct and it can ssh to Debian 1. The same identity can ftp to Debian 1 and Debian 2. It is just the ssh to Debian 2 that the identity can't dial due to some IP address resolution. I compared the configuration with other services and they look OK to me.

That's why I presented the output of ziti (repeated below):

```text
PS C:\Users\Nei> ziti edge policy-advisor services sshdebian2 -q
OKAY : ziti-edge-router (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : itguy (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: Y Bind: N

PS C:\Users\Nei> ziti edge policy-advisor services sshdebian1 -q
OKAY : ziti-edge-router (1) -> sshdebian1 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : itguy (1) -> sshdebian1 (1) Common Routers: (1/1) Dial: Y Bind: N

PS C:\Users\Nei> ziti edge policy-advisor services ftpdebian1 -q
OKAY : ziti-edge-router (1) -> ftpdebian1 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : itguy (1) -> ftpdebian1 (1) Common Routers: (1/1) Dial: Y Bind: N

PS C:\Users\Nei> ziti edge policy-advisor services ftpdebian2 -q
OKAY : ziti-edge-router (1) -> ftpdebian2 (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : itguy (1) -> ftpdebian2 (1) Common Routers: (1/1) Dial: Y Bind: N
```

Regarding the logs, I asked before in the thread which ones (and where to look for them). I am guessing they are the ones found in the Desktop Edge (Service Logs and Application Logs). If they are the ones, I don't understand their contents and they are big (I can't paste their content here and can't upload the log files either) ... If these are not the logs, please let me know where to find them.

Again, sorry for not having the experience you may be expecting.

Clint, good news! I made the missing part work (SSH to Debian 2). Don't ask me why, but I removed the name ssh2.cb.com in the intercept and re-added it. Just that. Maybe there was a hidden character not visible to human eyes in that field ...

Now going to next steps of tests ...

Thank you for your time and patience.
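The "hidden character" suspicion above is worth checking directly rather than by deleting and retyping, because a zero-width or non-breaking space in an intercept address is invisible in a UI but makes the name never match what the client resolves. The following is an added example, not from the thread or from the OpenZiti project; the `addresses` / `protocols` / `portRanges` keys mirror the shape of an intercept.v1 config as this example assumes it, and the sample config is constructed.

```python
import unicodedata

# A hostname entry should consist only of printable ASCII (0x21-0x7E). Anything else
# is reported with its code point and Unicode name: zero-width characters, no-break
# or trailing spaces, tabs, and non-ASCII look-alike letters.
def find_hidden_chars(value):
    """Return (index, 'U+XXXX', unicode name) for every character outside printable ASCII."""
    findings = []
    for i, ch in enumerate(value):
        if not 0x21 <= ord(ch) <= 0x7E:
            findings.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings


def strip_invisible(value):
    """Drop whitespace, control and format (zero-width) characters. Visible non-ASCII
    letters are deliberately kept so a look-alike letter is reported, not hidden."""
    invisible = {"Cc", "Cf", "Zs", "Zl", "Zp"}
    return "".join(ch for ch in value if unicodedata.category(ch) not in invisible)


def check_intercept_config(config):
    """Check every entry of the config's 'addresses' list (field name is an assumption
    about the config shape). Returns {address: findings} for the entries that need fixing."""
    bad = {}
    for addr in config.get("addresses", []):
        findings = find_hidden_chars(addr)
        if findings:
            bad[addr] = findings
    return bad


# Constructed sample: the second address carries a trailing zero-width space (U+200B),
# which a web form or terminal would render exactly like the clean first address.
SAMPLE_CONFIG = {
    "protocols": ["tcp"],
    "addresses": ["ssh1.cb.com", "ssh2.cb.com\u200b"],
    "portRanges": [{"low": 22, "high": 22}],
}

if __name__ == "__main__":
    for addr, findings in check_intercept_config(SAMPLE_CONFIG).items():
        print(repr(addr), "->", findings, "| cleaned:", repr(strip_invisible(addr)))
```

To use it against a live controller, export the intercept config as JSON (for example with `ziti edge list configs -j`, then the entry's `data` object) and pass that object to `check_intercept_config`; a non-empty result pinpoints the address and the offending code point, so the fix is a targeted edit rather than a delete-and-retype.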

@nei.chiaradia that's really great to hear. You were on my list of things "to do" so I'm glad you got it sorted.

When pasting logs or config into a forum, the "back tick" character is used. See this post about what that means and how to do it: Posting code or preformatted text - Using Discourse - Discourse Meta

It does make the post easier for me to read, and that makes it easier for me (or others) to help.

Glad you got things sorted!