Ntermittent Disconnection Issue – Ziti Controller & Public Router in GKE (v1.15)

I have a Ziti Controller and Public Router deployed in a GKE cluster, running version 1.1.15 of the controller.

I am experiencing an issue where all identities randomly go offline and reconnect after 1-2 minutes. This occurs at least once or twice a week.

My setup:

• The controller and router are running on GKE spot instances.
• There are no recent pod restarts or resource exhaustion issues observed.
• The controller logs show "service has no terminators" errors, and the router logs indicate closed channels and timeout errors when this happens.

Could you help troubleshoot and provide guidance on making this connection more stable?

If all identities are going offline, my expectation would be the controller and/or routers were all disconnected from the internet.

You state you're using 'GKE spot instances'. My immediate inclination is that these instances are getting rate limited for CPU, taken offline, paused or something along these lines. This feels highly likely to be the problem to me.

NetFoundry operates hundreds of openziti networks and we've never had this particular observation to my knowledge. We've definitely seen cloud providers throttle / pause instances before. It sounds like what's happening to me.

Ok then probably I'll switch controllers from spot instances to standard nodes and I'll keep monitoring that.
So general it's not recommended to run on spot instances?

"Generally not" would be my response. But I mean, as long as they work for you, I'd say go for it. If you can tolerate these 1-2 minutes of random disconnectedness and things are fine afterwards, it sounds like they are working "well enough" for you. If you can't tolerate that, then I'd suggest moving to something that has more clear and discreet guarantees.

This particular issue is often a bit tricky to track down in practicality just because it looks like everything "just stops" for a minute. Nothing in the logs etc. That makes debugging the issue difficult. It sounds like that's the issue what you're hitting and it can be quite a frustrating thing to track down. I would definitely recommend you take that out of the equation, but from the description this doesn't sound like anything I've seen or heard about that would be OpenZiti-related.

Do u want me to try increasing timeout? If so which one would be appropriate?

Meanwhile on this weekend will try switching controller and fabric router to standard node and will keep monitor

I ve moved to standard nodes, looks ok now, but still on my IOT devce which is runnign edge tunnel i get below error and node disconnect for few seconds and coming back online ,
logs

Mar 17 01:00:01 aly-gw-1 ziti-edge-tunnel[3857600]: About to run tunnel service... ziti-edge-tunnel
Mar 17 11:41:08 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    38466.984]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:192.168.0.223:52043 err=-14, terminating connection
Mar 17 11:41:08 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    38466.993]    WARN ziti-sdk:channel.c:553 dispatch_message() ch[0] received message without conn_id or for unknown connection ct[ED72] conn_id[39]
Mar 17 11:44:58 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    38697.605]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:192.168.0.223:54051 err=-14, terminating connection
Mar 17 11:44:58 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    38697.606]    WARN ziti-sdk:channel.c:553 dispatch_message() ch[0] received message without conn_id or for unknown connection ct[ED72] conn_id[53]
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:35:25 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45324.032]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
Mar 17 13:36:17 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45376.003]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:60716 err=-13, terminating connection
Mar 17 13:36:50 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45409.028]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:60716 err=-13, terminating connection
Mar 17 13:39:00 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45539.027]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:45920 err=-13, terminating connection
Mar 17 13:39:31 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45570.039]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:45920 err=-13, terminating connection
Mar 17 13:41:49 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45708.054]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:60354 err=-13, terminating connection
Mar 17 13:44:08 aly-gw-1 ziti-edge-tunnel[3857600]: (3857600)[    45847.208]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:46668 err=-13, terminating connection\

im runnign ziti controller and router on GKE private cluster
on router this is my configuration for forwarder, do i need modify this?
forwarder: │
│ latencyProbeInterval: 10 │
│ linkDialQueueLength: 1000 │
│ linkDialWorkerCount: 32 │
│ rateLimitedQueueLength: 5000 │
│ rateLimitedWorkerCount: 64 │
│ xgressDialQueueLength: 1000 │
│ xgressDialWorkerCount: 128

Do we have any recommended CPU and memory for Router and controller?

Not really. It's entirely dependent on how many clients there are and how much data they are pushing and what their communication profiles look like.

I would recommend you monitor CPU and network. If either of these are high, it's time to add another router, more CPU etc. Generally speaking though, I would expect 2cpu and 8gb of RAM to go a long way for starters.

Operating a network at scale is a challenge. If you're under 50 (50 is just a random number that's a very modest number I choose) identities though, there must be something more fundamentally wrong with the underlying vm/hardware overlay itself. This isn't something I've seen with any of the networks NetFoundry provides. I also haven't ever seen it on the networks I run. I use all the default values.

I think you still have something external to OpenZiti causing you problems. That's what it seems to me if you're getting that error intermittently. This seems to me to be a monitoring challenge

I believe I’ve identified the root cause — one of my main production Edge Routers on AWS EC2 had a full disk, which prevented it from writing syslogs. This likely triggered repeated connection failures from all identities, eventually causing intermittent issues with the Ziti controller and the public Edge Router.

I’ve cleared the old logs and brought the volume usage down from 100% to 45%. So far, there haven’t been any dropped connections. I’ll continue monitoring to ensure stability.

@TheLumberjack I still have intermedient issue. Could someone help me to troubleshoot this and make it more consistent?

2025-03-26T21:55:44.648669954Z (6)[    72417.008]    INFO ziti-sdk:ziti.c:1484 edge_routers_cb() ztx[0] removing channel[gke-fabric-router@tls://ziti-router.xxx.xxx:443]: no longer available                                 │
│ 2025-03-26T21:55:44.649129975Z (6)[    72417.008]    INFO ziti-sdk:channel.c:222 ziti_channel_close() ch[0] closing[gke-fabric-router]                                                                                        │
│ 2025-03-26T21:55:44.649148729Z (6)[    72417.008]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1064 on_ziti_event() ztx[aly-gke-identity] router gke-fabric-router disconnected                                                      │
│ 2025-03-26T21:55:44.649156852Z (6)[    72417.008]    WARN ziti-sdk:conn_bridge.c:317 on_ziti_data() br[0.507] closing bridge due to error: -17(ziti edge router is not available)                                             │
│ 2025-03-26T21:55:44.649182924Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649227093Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649249924Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649257446Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649263497Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649269524Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649275835Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649281725Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649287496Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649293193Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649299059Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649304067Z (6)[    72417.008]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T21:55:44.649688246Z (6)[    72417.008]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1067 on_ziti_event() ztx[aly-gke-identity] router gke-fabric-router removed                                                           │
│ 2025-03-26T21:56:11.455920379Z (6)[    72443.816]   ERROR tlsuv:tls_link.c:83 TLS read -4095(end of file)                                                                                                                     │
│ 2025-03-26T21:59:32.469677504Z (6)[    72644.829]    INFO ziti-sdk:channel.c:272 new_ziti_channel() ch[1] (gke-fabric-router) new channel for ztx[0] identity[aly-gke-identity]                                               │
│ 2025-03-26T21:59:32.469736124Z (6)[    72644.829]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1057 on_ziti_event() ztx[aly-gke-identity] added edge router gke-fabric-router@ziti-router.xxx.xxx                                  │
│ 2025-03-26T21:59:32.469746735Z (6)[    72644.829]    INFO ziti-sdk:channel.c:814 reconnect_channel() ch[1] reconnecting NOW                                                                                                   │
│ 2025-03-26T21:59:32.527834420Z (6)[    72644.888]    INFO ziti-sdk:channel.c:712 hello_reply_cb() ch[1] connected. EdgeRouter version: v1.1.15|0eec47ce3c80|2024-10-02T12:59:41Z|linux|amd64                                  │
│ 2025-03-26T21:59:32.528042103Z (6)[    72644.888]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1061 on_ziti_event() ztx[aly-gke-identity] router gke-fabric-router connected                                                         │
│ 2025-03-26T22:00:25.235780770Z (6)[    72697.595]    INFO tunnel-cbs:ziti_hosting.c:638 on_hosted_client_connect() hosted_service[wazuh-agent-svc] client[aly-gw-4] client_src_addr[tcp:100.64.0.1:57866] dst_addr[tcp:wazuh- │
│ 2025-03-26T22:00:33.860000023Z (6)[    72706.219]    INFO tunnel-cbs:ziti_hosting.c:638 on_hosted_client_connect() hosted_service[wazuh-agent-svc] client[aly-hosogi-gw] client_src_addr[tcp:100.64.0.1:37296] dst_addr[tcp:w │
│ 2025-03-26T22:00:42.089664391Z (6)[    72714.449]    INFO tunnel-cbs:ziti_hosting.c:638 on_hosted_client_connect() hosted_service[wazuh-agent-svc] client[aly-gw-2] client_src_addr[tcp:100.64.0.1:33556] dst_addr[tcp:wazuh- │
│ 2025-03-26T22:00:44.028560185Z (6)[    72716.388]    INFO tunnel-cbs:ziti_hosting.c:638 on_hosted_client_connect() hosted_service[wazuh-agent-svc] client[aly-hosogi-gw] client_src_addr[tcp:100.64.0.1:55402] dst_addr[tcp:w │
│ 2025-03-26T22:13:31.463112961Z (6)[    73483.823]    INFO ziti-sdk:ziti.c:1484 edge_routers_cb() ztx[0] removing channel[gke-fabric-router@tls://ziti-router.xxx.xxx:443]: no longer available                                 │
│ 2025-03-26T22:13:31.463179514Z (6)[    73483.823]    INFO ziti-sdk:channel.c:222 ziti_channel_close() ch[1] closing[gke-fabric-router]                                                                                        │
│ 2025-03-26T22:13:31.463190083Z (6)[    73483.823]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1064 on_ziti_event() ztx[aly-gke-identity] router gke-fabric-router disconnected                                                      │
│ 2025-03-26T22:13:31.463240618Z (6)[    73483.823]    WARN ziti-sdk:conn_bridge.c:317 on_ziti_data() br[0.510] closing bridge due to error: -17(ziti edge router is not available)                                             │
│ 2025-03-26T22:13:31.463846243Z (6)[    73483.823]    WARN ziti-sdk:conn_bridge.c:317 on_ziti_data() br[0.508] closing bridge due to error: -17(ziti edge router is not available)                                             │
│ 2025-03-26T22:13:31.463996783Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464139014Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464151116Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464158148Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464164522Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464196970Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464258021Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464277774Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464284386Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464290416Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464296893Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464313519Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available
│ 2025-03-26T22:13:31.464284386Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464290416Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464296893Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.464313519Z (6)[    73483.823]    WARN ziti-sdk:bind.c:463 on_message() binding failed: -17/ziti edge router is not available                                                                              │
│ 2025-03-26T22:13:31.465988899Z (6)[    73483.823]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1067 on_ziti_event() ztx[aly-gke-identity] router gke-fabric-router removed                                                           │
│ 2025-03-26T22:15:22.033255345Z (6)[    73594.393]    INFO ziti-sdk:channel.c:272 new_ziti_channel() ch[2] (gke-fabric-router) new channel for ztx[0] identity[aly-gke-identity]                                               │
│ 2025-03-26T22:15:22.033755188Z (6)[    73594.393]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1057 on_ziti_event() ztx[aly-gke-identity] added edge router gke-fabric-router@ziti-router.xxx.xxx                                     │
│ 2025-03-26T22:15:22.033794628Z (6)[    73594.393]    INFO ziti-sdk:channel.c:814 reconnect_channel() ch[2] reconnecting NOW                                                                                                   │
│ 2025-03-26T22:15:22.079973984Z (6)[    73594.439]    INFO ziti-sdk:channel.c:712 hello_reply_cb() ch[2] connected. EdgeRouter version: v1.1.15|0eec47ce3c80|2024-10-02T12:59:41Z|linux|amd64                                  │
│ 2025-03-26T22:15:22.080032786Z (6)[    73594.439]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1061 on_ziti_event() ztx[aly-gke-identity] router gke-fabric-router connected  

This is log that i got from one identity, which is same case for other identity as well, this

@qrkourier one Quick question: If I installed the router using a JWT file during the initial setup using helm upgrade --install, do I need to use the same JWT file again when performing an upgrade?
I assume the JWT was only required for the initial enrollment—am I right?
Also, could you explain how helm upgrade works in this context?

Because I get this intermedient issue only after I upgrade router couple of month before from 0.36 to 1.1.5
I just old jwt file as a placeholder to upgrade router via helm.
Do u think will that be any issues on this?

No, there's no problem supplying a dummy value for enrollmentJwt during Helm release upgrade operations. You will only need to supply a valid enrollment token during initial or re-enrollment.

The value is used to set an environment variable for the router which is only used for enrollment, so an empty value will simply be ignored if the router's PVC already contains an identity certificate obtained during enrollment.

Did you encounter an error when enrollmentJwt was empty or undefined? In my testing just now, it was only required for enrollment and it was unnecessary to supply any dummy values for subsequent upgrade operations that did not entail re-enrollment.

Ok yeah I didn't had issue while running I'm just trying to trace out my issues.
Probably as a last option I'm running edge tunnel in GKe as daemonset probably I'll switch to reverse proxy pod and check if that is becoming stable.
Not sure what I'm missing it it is tough to trace the issue.

What's the symptom of the problem you encountered intermittently?

I assume the symptom correlates with your log messages about gke-fabric-router being unavailable.

Some router unavailable messages could point to a condition where an edge router is advertising a listener that is not reachable, which may be harmless as long as at least one edge listener is reachable.

However, an edge router that was in use and became unavailable seems to point toward that router's deployment being terminated or unpublished in some way. I'd check a correlated time frame from that edge router's log to learn if it encountered any internal error, and look for evidence that the router's ports were available or not during that time frame.

Are you able to trigger the failure mode reliably?

@qrkourier Even today i got the issue, but with same logs on edge tunnel, but not able to trace anything from router or controller.

controller i see only these logs

{"circuitCount":9,"file":"github.com/openziti/ziti/controller/handler_ctrl/circuit_confirmation.go:47","func":"github.com/openziti/ziti/controller/handler_ctrl.(*circuitConfirmationHandler).HandleReceive","level":"info"," │
│ msg":"received circuit confirmation request","routerId":"PT9mKNWot","time":"2025-04-02T12:47:43.122Z"} │
│ {"_context":"tls:0.0.0.0:1280","error":"EOF","file":"github.com/openziti/transport/v2@v2.0.146/tls/listener.go:257","func":"github.com/openziti/transport/v2/tls.(*sharedListener).processConn","level":"error","msg":"handsh │
│ ake failed","remote":"10.0.3.4:55364","time":"2025-04-02T12:47:44.010Z"} │
│ {"file":"github.com/openziti/ziti/controller/network/fault.go:32","func":"github.com/openziti/ziti/controller/network.(*Network).fault","level":"info","msg":"network fault processing for [314] circuits","time":"2025-04-02 │
│ T12:47:46.260Z"} │
│ {"circuitCount":9,"file":"github.com/openziti/ziti/controller/handler_ctrl/circuit_confirmation.go:47","func":"github.com/openziti/ziti/controller/handler_ctrl.(*circuitConfirmationHandler).HandleReceive","level":"info"," │
│ msg":"received circuit confirmation request","routerId":"p3-taAC8gI","time":"2025-04-02T12:47:51.834Z"} │
│ {"_context":"ch{sTp8vPU8g}-\u003eu{classic}-\u003ei{aLrl}","error":"service 26ZlMZPqTpxdFSOwcXBax6 has no terminators","file":"github.com/openziti/ziti/controller/handler_edge_ctrl/common.go:79","func":"github.com/openzit │
│ i/ziti/controller/handler_edge_ctrl.(*baseRequestHandler).returnError","level":"error","msg":"responded with error","operation":"create.circuit","routerId":"sTp8vPU8g","time":"2025-04-02T12:47:55.843Z","token":"bcdad952-4 │
│ b2d-46d2-bf08-768e30f51f85"} │
│ {"file":"github.com/openziti/ziti/controller/network/fault.go:32","func":"github.com/openziti/ziti/controller/network.(*Network).fault","level":"info","msg":"network fault processing for [314] circuits","time":"2025-04-02 │
│ T12:48:01.261Z"} │
│ {"_context":"tls:0.0.0.0:1280","error":"EOF","file":"github.com/openziti/transport/v2@v2.0.146/tls/listener.go:257","func":"github.com/openziti/transport/v2/tls.(*sharedListener).processConn","level":"error","msg":"handsh │
│ ake failed","remote":"10.0.3.3:48748","time":"2025-04-02T12:48:04.439Z"} │
│ {"circuitCount":109,"file":"github.com/openziti/ziti/controller/handler_ctrl/circuit_confirmation.go:47","func":"github.com/openziti/ziti/controller/handler_ctrl.(*circuitConfirmationHandler).HandleReceive","level":"info" │
│ ,"msg":"received circuit confirmation request","routerId":"sTp8vPU8g","time":"2025-04-02T12:48:04.818Z"} │
│ {"file":"github.com/openziti/ziti/controller/network/fault.go:32","func":"github.com/openziti/ziti/controller/network.(*Network).fault","level":"info","msg":"network fault processing for [314] circuits","time":"2025-04-02 │
│ T12:48:16.262Z"}
this is my router yaml file

ctrl:
  endpoint: ziti-ctrl.xxxx.xxxx:443
edge:
  advertisedHost: router.xxxx.xxxx
  advertisedPort: 443
  service:
    type: ClusterIP
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      kubernetes.io/ingress.allow-http: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
linkListeners:
  transport:
    advertisedHost: router-tp.xxxx.xxxx
    advertisedPort: 443
    service:
      enabled: true
      type: ClusterIP
    ingress:
      enabled: true
      ingressClassName: nginx
      annotations:
        kubernetes.io/ingress.allow-http: "false"
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"

My controller , router are running on standard nodes.

not sure where to troubleshoot and make it more stable.
Im running only one router as public like on url.
is there anything that i need to increase like timeout or something like that?

My controller and router are running 1.15 version. All my ziti edge tunnel each one is running. different version.
does that matters?

Ziti router upgraded version is 1.1.15

Screenshot 2025-04-02 at 21.56.521562×126 13 KB

but on ziti console still it shows 1.0.0 not reflecting?

Screenshot 2025-04-02 at 21.56.062190×580 43.3 KB

identities

how to confirm if my router is deployed with 1.1.15 version properly?

One more wierd thing, i was using 0.36 version earlier and then i migrated to v1.1.15 and move to spot instances in OCT 2024, after that im getting this issue very frequently and i thought it is related to Spot instance, but i wonder if there is any issue with 1.1.15 version? do u need to me upgrade and check?