No Terminator error routing from any private ERS

I’m doing multiple tests on Ziti, especially with the new HA capabilities; however, I’m a bit stuck now. I have the following architecture:

The problem I’m facing is that there’s no way I can make my private ER forward the traffic to any destination unless I manually create a terminator, which works if I just route a single port, but I want to forward all ports for this test.

These are the commands I’ve been using. I have tried not only my local server, but eth0.me to test that:

ziti edge create config "icarus-client" intercept.v1 '{"protocols":["tcp"],"addresses":["icarus.ziti.me"], "portRanges":[{"low":80, "high":80}]}'
ziti edge create config "icarus-server"  host.v1 '{"protocol":"tcp", "address":"eth0.me","port":80}'
ziti edge create service icarus-cli --configs "icarus-client,icarus-server"
ziti edge create service-policy icarus.bind.policy Bind --service-roles '@icarus-cli' --identity-roles "@private1-edge-router,@private2-edge-router"
ziti edge create service-policy icarus.dial.policy Dial --service-roles '@icarus-cli' --identity-roles '@MyPC'

Every time I tried to access the icarus-cli service from “MyPC” I received the same error:

ziti-controller[112054]: {"_context":"ch{UpQPrWloh}-\u003eu{classic}-\u003ei{WJ7o}","error":"service gBKkIuUASo has no terminators","file":"github.com/openziti/edge@v0.21.169/controller/handler_edge_ctrl/common.go:78","func":"github.com/openziti/edge/controller/handler_edge_ctrl.(*baseRequestHandler).returnError","level":"error","msg":"responded with error","operation":"create.circuit","routerId":"UpQPrWloh","time":"2022-04-29T17:12:12.897Z","token":"955984dc-2e79-4d85-a4d3-7fcdcbac1b94"}

However if I change the Bind policy to use the public ER instead of the private ones, it actually works and the terminator is properly created.

My private ERs were created with this command:

"${ZITI_BIN_DIR}/ziti" edge create edge-router "${ZITI_EDGE_ROUTER_NEW_NAME}" -o "${ZITI_EDGE_ROUTER_NEW_NAME}.jwt" -t

Any clues?

Thank you!

After going crazy about this and wanting to clean up everything and start from scratch, I decided to take a closer look at the routers' configuration.
And I found the real problem was I didn’t read everything.

My ERs were created with the -t parameter; that being said, the configuration (when listing the ERs with the command ziti edge ls ers) shows that they actually have the isTunnelerEnabled property enabled. However, you need to do an additional configuration, as plorenz said in this thread.

So I just had to add the listener for the tunnel as follows:

listeners:
  - binding: tunnel
    options:
      mode: host

After restarting the ERs I was able to access my services properly.

I hope Ziggy will be happy now!

Thanks folks!

2 Likes
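
An added example, not part of the original posts or of OpenZiti itself: a small Python filter that pulls "has no terminators" failures out of ziti-controller log lines like the one quoted above and counts them per service ID and `routerId` field. The sample lines are constructed in the shape of that quoted error, and the function name is hypothetical.

```python
import json
import re
from collections import Counter

# Constructed sample lines, modelled on the controller error quoted in the post.
SAMPLE_LOG = """\
ziti-controller[112054]: {"error":"service gBKkIuUASo has no terminators","level":"error","msg":"responded with error","operation":"create.circuit","routerId":"UpQPrWloh","time":"2022-04-29T17:12:12.897Z"}
ziti-controller[112054]: {"level":"info","msg":"constructed unrelated line","time":"2022-04-29T17:12:13.000Z"}
ziti-controller[112054]: {"error":"service gBKkIuUASo has no terminators","level":"error","msg":"responded with error","operation":"create.circuit","routerId":"UpQPrWloh","time":"2022-04-29T17:12:20.101Z"}
ziti-controller[112054]: not json at all
"""

NO_TERMINATORS = re.compile(r"^service (\S+) has no terminators$")


def find_unterminated_services(log_text):
    """Count failed create.circuit requests per (service id, routerId field)."""
    hits = Counter()
    for line in log_text.splitlines():
        brace = line.find("{")          # skip the syslog prefix before the JSON body
        if brace == -1:
            continue
        try:
            entry = json.loads(line[brace:])
        except json.JSONDecodeError:
            continue                    # tolerate truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        if entry.get("operation") != "create.circuit":
            continue
        match = NO_TERMINATORS.match(str(entry.get("error", "")))
        if match:
            hits[(match.group(1), entry.get("routerId"))] += 1
    return hits


if __name__ == "__main__":
    for (service, router), count in find_unterminated_services(SAMPLE_LOG).items():
        print(f"service {service}: {count} failed dial(s), routerId {router}, no terminators")
```

A service that keeps showing up here has no terminator behind its Bind policy; in this thread the cause was the missing `tunnel` listener on the private routers.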