OpenZiti Config "openziti" dns

Hello everyone,
I've been configuring OpenZiti for my lab network for 3 days! Something is missing or something I don't understand...

Let me explain! On my infrastructure I have my router with port 443 open for my Traefik reverse proxy. I configured OpenZiti with Let's Encrypt; all this is OK, I have my certificates and I put them in OpenZiti. Problems with the "Edge Router": it absolutely searches for "openziti" in DNS, except that I put "ziti.mondomains.org" in the API, but impossible to finish... Is something escaping me? Is the OpenZiti DNS mandatory on the controller? Can we not set a "personal" DNS for the edge router?

I am attaching my config file

Thank you in advance for your help

v: 3

db: "/root/.ziti/quickstart/openziti/db/ctrl.db"

identity:
  cert: "/root/.ziti/quickstart/openziti/pki/openziti-intermediate/certs/openziti-client.chain.pem"
  server_cert: "/root/.ziti/quickstart/openziti/pki/openziti-intermediate/certs/openziti-server.chain.pem"
  key: "/root/.ziti/quickstart/openziti/pki/openziti-intermediate/keys/openziti-server.key"
  ca: "/root/.ziti/quickstart/openziti/pki/cas.pem"

trustDomain: ziti.mondomains.org

ctrl:
  listener: tls:0.0.0.0:6262

healthChecks:
  boltCheck:
    interval: 30s
    timeout: 20s
    initialDelay: 30s

edge:
  api:
    sessionTimeout: 30m
    address: ziti.mondomains.org:1280
  enrollment:
    signingCert:
      cert: /root/.ziti/quickstart/openziti/pki/signing.pem
      key: /root/.ziti/quickstart/openziti/pki/openziti-signing-intermediate/keys/openziti-signing-intermediate.key
    edgeIdentity:
      duration: 180m
    edgeRouter:
      duration: 180m

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:1280
        address: ziti.mondomains.org:1280
    identity:
      ca: "/root/.ziti/quickstart/openziti/pki/openziti-edge-controller-root-ca/certs/openziti-edge-controller-root-ca.cert"
      key: "/root/.ziti/quickstart/openziti/pki/openziti-edge-controller-intermediate/keys/openziti-server.key"
      server_cert: "/root/.ziti/quickstart/openziti/pki/openziti-edge-controller-intermediate/certs/openziti-server.chain.pem"
      cert: "/root/.ziti/quickstart/openziti/pki/openziti-edge-controller-intermediate/certs/openziti-client.chain.pem"
      alt_server_certs:
        - server_cert: "/root/.ziti/quickstart/openziti/ssl/certificate.pem"
          server_key: "/root/.ziti/quickstart/openziti/ssl/private.pem"
    options:
      idleTimeout: 5000ms
      readTimeout: 5000ms
      writeTimeout: 100000ms
      minTLSVersion: TLS1.2
      maxTLSVersion: TLS1.3
    apis:
      - binding: edge-management
        options: {}
      - binding: edge-client
        options: {}
      - binding: fabric
        options: {}
      - binding: edge-oidc
        options: {}
      - binding: zac
        options:
          location: ./console
          indexFile: index.html

I specify that I can access openziti from the outside whether on port 1280, 6262 or 10800 through my traefik reverse proxy and even if I deploy a second router I have an error: impossible to resolve the openziti host

However, I tried to follow the documentation but it is sometimes not very clear or still lacks information
Also for information, the ports are easily accessible from the outside, my reverse proxy manages to send to the right ports when necessary, in this case I do not think that it is a question of port but rather of DNS "openziti"

The control endpoint is part of the router's configuration. If you created the router, then changed the information in the controller's config, the router doesn't know about it. Check the router config and make sure the ctrl endpoint is configured to the proper values. Once it can connect to the controller, it can get the other information it needs dynamically.

Hi @Dejan60, welcome to the community and to OpenZiti (and zrok/BrowZer)!

Before we go too far -- did you do this with "alt server certs"? If not, we probably should back up and verify things first. Looking at the config you posted, I don't see those alt server certs configured and this will likely lead to problems. OpenZiti doesn't tolerate not running its own PKI. You must let it do this. Putting it behind a reverse HTTP proxy and terminating TLS will cause problems.

There's a ziti CLI command that's currently: ziti ops verify-traffic (soon to be ziti ops verify traffic). Could you run that? I expect it will fail due to TLS-related issues

I think we should start from the top. Let OpenZiti start and run its own PKI, then layer on top of that the LetsEncrypt certs using OpenZiti -- not traefik.

I'm going to add a "using ziti with a proxy" doc task because this problem DOES come up all the time and you're right, there's no doc for it....

Thank you very much in advance for your valuable answers.

This morning, we properly reinstalled a Debian machine with a Controller and an Edge Router then the GUI.

I left traefik aside for the moment. I will do this later when OpenZiti is in place and everything is OK. So I use the OpenZiti PKI certificate as you recommend by default! At the DNS level it is now OK with a new installation service by service without using quick scripts. :slight_smile:

I generated access for my friend who was able to connect, we then created a service and it no longer worked, he couldn't connect to the service (even though he pinged the machine).

The same I tried to do with the documentation on this subject and open discussions but nothing! So I contacted ChatGPT which again suggested a certificate error.

The purpose of the service is that my friend has access to Frigate on port 5000 (frigate is installed in an LXC on my proxmox)

root@openziti:/var/log# ziti ops verify-traffic
WARNING no prefix and mode [] is not 'both'. default prefix of 2025-01-30-1542 will be used
INFO    generating P-384 EC key
INFO    generating P-384 EC key
INFO    waiting 10s for terminator for service: 2025-01-30-1542.verify-traffic
INFO    successfully bound service: 2025-01-30-1542.verify-traffic.

INFO    Server is listening for a connection and will exit when one is received.
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  errorType="*rest_util.APIFormattedError" error="error for request J6l80nLlZ: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection"
INFO    previous apiSession refreshed
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  error="error for request DKA80nLl2: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  error="error for request uD680nLl2: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
ERROR   failed to create bind session for service 0xc000fcc9f0  error="error for request uD680nLl2: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  error="error for request bgL8jn6lZ: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  error="error for request uQV804L.Z: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  error="error for request 0Ae804L.2: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
INFO    previous apiSession refreshed
ERROR   failed to create bind session for service 0xc000fcc9f0  error="error for request 0Ae804L.2: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  error="error for request TAou0nLlZ: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  errorType="*rest_util.APIFormattedError" error="error for request Ksouj4Ll2: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  error="error for request 2ZU8jn6.Z: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
ERROR   failed to create bind session for service 0xc000fcc9f0  error="error for request 2ZU8jn6.Z: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  error="error for request 1ZSu04Ll2: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2025-01-30-1542.verify-traffic  errorType="*rest_util.APIFormattedError" error="error for request bvX80nLlZ: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection"
FATAL   terminator not found for service: 2025-01-30-1542.verify-traffic
root@openziti:/var/log#

root@openziti:/var/log# ziti edge list terminators
╭────────────────────────┬─────────┬────────┬───────────┬────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID                     │ SERVICE │ ROUTER │ BINDING   │ ADDRESS            │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼─────────┼────────┼───────────┼────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ 6qJULuwRHgIC1j0FXj2g9Y │ Frigate │ Home   │ transport │ 192.168.1.170:5000 │          │    0 │ default    │            0 │
╰────────────────────────┴─────────┴────────┴───────────┴────────────────────┴──────────┴──────┴────────────┴──────────────╯
results: 1-1 of 1
root@openziti:/var/log# ziti edge list service-policies
╭────────────────────────┬──────────────────────┬──────────┬─────────────────────────────────┬─────────────────────────────────────────┬─────────────────────╮
│ ID                     │ NAME                 │ SEMANTIC │ SERVICE ROLES                   │ IDENTITY ROLES                          │ POSTURE CHECK ROLES │
├────────────────────────┼──────────────────────┼──────────┼─────────────────────────────────┼─────────────────────────────────────────┼─────────────────────┤
│ 12u3v9hGr9ARwpp8axROzN │ Frigate-bind-policy  │ AnyOf    │ @Frigate                        │ @Home @Antoine                          │                     │
│ 1l1yrRAc6tec1wOjbTwfuG │ 2025-01-30-1542.bind │ AllOf    │ #2025-01-30-1542.verify-traffic │ #2025-01-30-1542.verify-traffic.binders │                     │
│ 45q1HBbmfPFv6nx8zEJnTq │ Frigate-Access       │ AnyOf    │ @Frigate                        │ #Home @Antoine                          │                     │
│ 4LAhXK6znCas642QEqs9Xi │ 2025-01-30-1542.dial │ AllOf    │ #2025-01-30-1542.verify-traffic │ #2025-01-30-1542.verify-traffic.dialers │                     │
│ 6IP2LWvxyIeRzSq11tsRZQ │ Frigate-dial-policy  │ AnyOf    │ @Frigate                        │ @Home @Antoine                          │                     │
╰────────────────────────┴──────────────────────┴──────────┴─────────────────────────────────┴─────────────────────────────────────────┴─────────────────────╯
results: 1-5 of 5
root@openziti:/var/log# ziti edge policy-advisor identities -q
ERROR: 2025-01-30-1542.server (0) -> 2025-01-30-1542.verify-traffic (0) Common Routers: (0/0) Dial: N Bind: Y
  - Identity has no edge routers assigned. Adjust edge router policies.
  - Service has no edge routers assigned. Adjust service edge router policies.

ERROR: 2025-01-30-1542.client (0) -> 2025-01-30-1542.verify-traffic (0) Common Routers: (0/0) Dial: Y Bind: N
  - Identity has no edge routers assigned. Adjust edge router policies.
  - Service has no edge routers assigned. Adjust service edge router policies.

OKAY : Home (1) -> Frigate (1) Common Routers: (1/1) Dial: Y Bind: Y

OKAY : Antoine (1) -> Frigate (1) Common Routers: (1/1) Dial: Y Bind: Y

ERROR: Default Admin
  - Identity does not have access to any services. Adjust service policies.

root@openziti:/var/log#

NO_EDGE_ROUTERS_AVAILABLE

This is an easy one to fix... OpenZiti operates in a "you have no access to anything" mode by default. You just need to grant your users (identities) and your services access to routers.

You do this by creating an edge-router-policy for identities and a service-edge-router-policy for services.

I highly recommend you make "#all/#all" policies by default. It's just easier to give all identities and all services access to all routers and using service policies to control access...

So - just make a new erp/serp with "#all/#all"

I use the quickstart a lot which has this idea of "public" routers but it's mostly the same idea... I'm sure you get it, but if not let us know! cheers

Thank you.

I admit that I still have difficulty understanding everything but it will come... I have just done as you recommended, however still the same problem. And now it informs us of an error whereas previously it was OKAY

ERROR: Antoine (0) -> Frigate (1) Common Routers: (0/0) Dial: Y Bind: N

  - Identity has no edge routers assigned. Adjust edge router policies.

Always the same in the log:

[2025-01-30T15:11:49.697Z]    WARN ziti-sdk:connect.c:468 connect_get_net_session_cb() conn[0.43/NvVuHA9-/Connecting](Frigate) failed to get 'Dial' session for service[Frigate]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
[2025-01-30T15:11:49.697Z]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: ziti edge router is not available
[2025-01-30T15:11:50.098Z]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[ziti.DOMAINE:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2025-01-30T15:11:50.098Z]    WARN ziti-sdk:connect.c:468 connect_get_net_session_cb() conn[0.44/xzSkBmPe/Connecting](Frigate) failed to get 'Dial' session for service[Frigate]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
[2025-01-30T15:11:50.098Z]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: ziti edge router is not available
[2025-01-30T15:11:50.348Z]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[ziti.DOMAINE:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2025-01-30T15:11:50.348Z]    WARN ziti-sdk:connect.c:468 connect_get_net_session_cb() conn[0.45/l4BOY_2R/Connecting](Frigate) failed to get 'Dial' session for service[Frigate]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
[2025-01-30T15:11:50.348Z]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: ziti edge router is not available
[2025-01-30T15:11:50.738Z]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[ziti.DOMAINE:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2025-01-30T15:11:50.738Z]    WARN ziti-sdk:connect.c:468 connect_get_net_session_cb() conn[0.46/6L28Do5H/Connecting](Frigate) failed to get 'Dial' session for service[Frigate]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
[2025-01-30T15:11:50.738Z]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: ziti edge router is not available
[2025-01-30T15:11:50.973Z]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[ziti.DOMAINE:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2025-01-30T15:11:50.973Z]    WARN ziti-sdk:connect.c:468 connect_get_net_session_cb() conn[0.47/DiM_Ihh0/Connecting](Frigate) failed to get 'Dial' session for service[Frigate]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
[2025-01-30T15:11:50.973Z]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: ziti edge router is not available
[2025-01-30T15:11:51.390Z]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[ziti.DOMAINE.xyz:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2025-01-30T15:11:51.390Z]    WARN ziti-sdk:connect.c:468 connect_get_net_session_cb() conn[0.48/WilCPQlq/Connecting](Frigate) failed to get 'Dial' session for service[Frigate]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
[2025-01-30T15:11:51.390Z]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: ziti edge router is not available
[2025-01-30T15:11:51.640Z]   ERROR ziti-sdk:ziti_ctrl.c:527 ctrl_body_cb() ctrl[ziti.DOMAINE:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2025-01-30T15:11:51.640Z]    WARN ziti-sdk:connect.c:468 connect_get_net_session_cb() conn[0.49/MlKL_att/Connecting](Frigate) failed to get 'Dial' session for service[Frigate]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
[2025-01-30T15:11:51.641Z]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: ziti edge router is not available
[2025-01-30T15:12:10.643Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-30T15:12:10.643Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 30697ms (attempt = 3)

I don't know if it's possible to add a router to an identity with the GUI?
At least I can't find the possibility. I think once my first service is established, everything will be clearer :slight_smile:

This makes me think you have a misconfiguration still. You can choose to send the output of these commands here -- or you can inspect them and discover where the problem is

ziti edge list erps
ziti edge list identities
ziti edge list edge-routers

My guess is you just don't have the edge-router-policy setup just right... I expect there to be some mismatch in the erp.

I think I'm missing something


root@openziti:/var/log# ziti edge list erps
ziti edge list identities
ziti edge list edge-routers
╭────────────────────────┬───────────────────────────────┬───────────────────┬────────────────╮
│ ID                     │ NAME                          │ EDGE ROUTER ROLES │ IDENTITY ROLES │
├────────────────────────┼───────────────────────────────┼───────────────────┼────────────────┤
│ 63jPOvaQj3l77BNXy1rIYf │ AllEdgeRouter                 │ #public           │ #all           │
│ WEpKl1SGxz             │ edge-router-WEpKl1SGxz-system │ @Home             │ @Home          │
╰────────────────────────┴───────────────────────────────┴───────────────────┴────────────────╯
results: 1-2 of 2
╭────────────┬───────────────┬─────────┬────────────┬─────────────╮
│ ID         │ NAME          │ TYPE    │ ATTRIBUTES │ AUTH-POLICY │
├────────────┼───────────────┼─────────┼────────────┼─────────────┤
│ WEpKl1SGxz │ Home          │ Router  │            │ Default     │
│ YGVNUnL.Zx │ Antoine       │ Default │            │ Default     │
│ oNcwUnuLr  │ Default Admin │ Default │            │ Default     │
╰────────────┴───────────────┴─────────┴────────────┴─────────────╯
results: 1-3 of 3
╭────────────┬──────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼──────┼────────┼───────────────┼──────┼────────────┤
│ WEpKl1SGxz │ Home │ true   │ true          │    0 │            │
╰────────────┴──────┴────────┴───────────────┴──────┴────────────╯
results: 1-1 of 1
root@openziti:/var/log#

You need to grant the 'public' attribute to the Home router. Or you can update your policy to #all/#all. Right now it's #public/#all: #all identities have access to #public routers. You have no #public routers.

ziti edge update edge-router Home -a "public"

either way would work, update the erp or the router
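An added example, not part of the original thread and not OpenZiti's own code: a simplified Python model of how role matching decides which routers an identity and a service have in common, using the ERP, router and identity names from the listings above. The service-edge-router-policy (`#all`/`#all`), the AnyOf semantic on the ERPs and all helper names are assumptions made for illustration.

```python
"""Simplified model of OpenZiti edge-router-policy role matching (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """A router, identity or service: a name plus its role attributes."""
    name: str
    attributes: frozenset = frozenset()
    online: bool = True


@dataclass(frozen=True)
class Policy:
    name: str
    router_roles: tuple
    subject_roles: tuple      # identity roles for an ERP, service roles for a SERP
    semantic: str = "AnyOf"   # assumption: `ziti edge list erps` above does not show it


def matches(roles, entity, semantic="AnyOf"):
    """True if `entity` is selected by a role list such as ("#public", "@Home")."""
    names = {r[1:] for r in roles if r.startswith("@")}
    attrs = {r[1:] for r in roles if r.startswith("#")}
    if entity.name in names:
        return True                            # explicit @name always selects
    if not attrs:
        return False
    if "all" in attrs:
        return True                            # #all selects every entity
    if semantic == "AllOf":
        return attrs <= entity.attributes      # must carry every listed attribute
    return bool(attrs & entity.attributes)     # AnyOf: one attribute is enough


def routers_for(subject, policies, routers):
    """Names of online routers that the policies grant to `subject`."""
    selected = set()
    for policy in policies:
        if not matches(policy.subject_roles, subject, policy.semantic):
            continue
        selected |= {r.name for r in routers
                     if r.online and matches(policy.router_roles, r, policy.semantic)}
    return selected


def common_routers(identity, service, erps, serps, routers):
    """Routers usable by both sides; an empty set means NO_EDGE_ROUTERS_AVAILABLE."""
    return routers_for(identity, erps, routers) & routers_for(service, serps, routers)


# The two ERPs from the `ziti edge list erps` output in the thread.
ERPS = (
    Policy("AllEdgeRouter", ("#public",), ("#all",)),
    Policy("edge-router-WEpKl1SGxz-system", ("@Home",), ("@Home",)),
)
# Constructed SERP (assumption): the thread never lists the real one.
SERPS = (Policy("constructed-serp", ("#all",), ("#all",)),)

ANTOINE = Entity("Antoine")
HOME_IDENTITY = Entity("Home")
FRIGATE = Entity("Frigate")
HOME_ROUTER = Entity("Home")                                # no attributes, as listed
HOME_ROUTER_PUBLIC = Entity("Home", frozenset({"public"}))  # after `-a "public"`


def report():
    """Common routers for Antoine -> Frigate before and after the attribute fix."""
    before = common_routers(ANTOINE, FRIGATE, ERPS, SERPS, [HOME_ROUTER])
    after = common_routers(ANTOINE, FRIGATE, ERPS, SERPS, [HOME_ROUTER_PUBLIC])
    return {"before": sorted(before), "after": sorted(after)}


if __name__ == "__main__":
    for state, routers in report().items():
        print(f"{state}: Antoine -> Frigate common routers = {routers}")
```

The model covers router reachability only; Dial and Bind permission is still decided by the service policies, which is why a broad `#all`/`#all` ERP does not by itself grant access to any service.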

Thanks, I think that we are progressing well.

Now: unable to access this page


2025-01-30T15:45:17.888Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1432 run() 	- C SDK Version    : 1.3.7:HEAD@g94225a3
[2025-01-30T15:45:17.888Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1433 run() 	- Tunneler SDK     : v1.3.9
[2025-01-30T15:45:17.888Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1434 run() ============================================================================
[2025-01-30T15:45:17.889Z]    INFO ziti-sdk:utils.c:198 ziti_log_set_level() set log level: root=3/INFO
[2025-01-30T15:45:17.890Z]    INFO ziti-edge-tunnel:tun.c:195 tun_open() Wintun v0.0 loaded
[2025-01-30T15:45:17.892Z]    INFO ziti-edge-tunnel:tun.c:166 flush_dns() DnsFlushResolverCache succeeded
[2025-01-30T15:45:17.943Z]    INFO ziti-edge-tunnel:tun.c:98 WintunLogger() Using existing driver 0.14
[2025-01-30T15:45:17.949Z]    INFO ziti-edge-tunnel:tun.c:98 WintunLogger() Creating adapter
[2025-01-30T15:45:18.086Z]    INFO ziti-edge-tunnel:tun.c:449 if_change_cb() default route is now via if_idx[13]
[2025-01-30T15:45:18.086Z]    INFO ziti-edge-tunnel:tun.c:455 if_change_cb() updating excluded routes
[2025-01-30T15:45:19.335Z]    INFO ziti-edge-tunnel:windows-scripts.c:491 is_nrpt_policies_effective() NRPT policies are effective in this system
[2025-01-30T15:45:19.939Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:865 run_tunnel() Setting interface metric to 255
[2025-01-30T15:45:19.944Z]    INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v1.3.9)
[2025-01-30T15:45:19.948Z]    INFO tunnel-cbs:ziti_dns.c:173 seed_dns() DNS configured with range 100.64.0.0 - 100.127.255.255 (4194302 ips)
[2025-01-30T15:45:19.948Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1027 run_tunneler_loop() Loading identity files from C:\Windows\system32\config\systemprofile\AppData\Roaming\NetFoundry
[2025-01-30T15:45:19.948Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:403 load_identities() loading identity file: antoine (7).json
[2025-01-30T15:45:19.955Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1163 load_ziti_async() attempting to load ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json]
[2025-01-30T15:45:19.955Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1170 load_ziti_async() loading ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json]
[2025-01-30T15:45:19.955Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:420 load_id_cb() identity[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json] loaded
[2025-01-30T15:45:19.955Z]    INFO ziti-sdk:ziti.c:505 ziti_start_internal() ztx[0] enabling Ziti Context
[2025-01-30T15:45:20.012Z]    INFO ziti-sdk:ziti.c:522 ziti_start_internal() ztx[0] using tlsuv[v0.33.4/OpenSSL 3.3.1 4 Jun 2024]
[2025-01-30T15:45:20.012Z]    INFO ziti-sdk:ziti_ctrl.c:632 ziti_ctrl_init() ctrl[(null):] using https://ziti.domaine:1280
[2025-01-30T15:45:20.012Z]    INFO ziti-sdk:ziti.c:600 ztx_init_controller() ztx[0] Loading ziti context with controller[https://ziti.domaine:1280]
[2025-01-30T15:45:20.241Z]    INFO ziti-sdk:ziti.c:1912 version_pre_auth_cb() ztx[0] connected to Legacy controller https://ziti.domaine:1280 version v1.1.15(0eec47ce3c80 2024-10-02T12:59:41Z)
[2025-01-30T15:45:20.293Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:986 on_ziti_event() ziti_ctx[Antoine] connected to controller
[2025-01-30T15:45:20.297Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:456 on_event() ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json] context event : status is OK
[2025-01-30T15:45:20.320Z]    INFO ziti-sdk:channel.c:272 new_ziti_channel() ch[0] (Home) new channel for ztx[0] identity[Antoine]
[2025-01-30T15:45:20.320Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1057 on_ziti_event() ztx[Antoine] added edge router Home@192.168.1.36
[2025-01-30T15:45:20.323Z]    INFO ziti-sdk:channel.c:814 reconnect_channel() ch[0] reconnecting NOW
[2025-01-30T15:45:20.346Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Frigate] with intercept.v1 = { "addresses": [ "192.168.1.170" ], "portRanges": [ { "high": 5000, "low": 5000 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-30T15:45:20.346Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Frigate]
[2025-01-30T15:45:20.346Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Frigate:1u6YUOfKAxNUTURyN2o0Lz ===============
[2025-01-30T15:45:21.285Z]    INFO ziti-sdk:posture.c:206 ziti_send_posture_data() ztx[0] first run or potential controller restart detected
[2025-01-30T15:45:40.330Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-30T15:45:40.330Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 6135ms (attempt = 1)
[2025-01-30T15:46:01.375Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:53041 err=-13, terminating connection
[2025-01-30T15:46:01.903Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:53043 err=-13, terminating connection
[2025-01-30T15:46:06.476Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-30T15:46:06.476Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 5174ms (attempt = 2)
[2025-01-30T15:46:23.826Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:53067 err=-13, terminating connection
[2025-01-30T15:46:23.826Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:53066 err=-13, terminating connection
[2025-01-30T15:46:31.663Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-30T15:46:31.663Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 17088ms (attempt = 3)

I specify that I use an edge router on the same machine as the controller, and that my service is accessible on another container in LXC where no ziti router or tunnel is installed. In practice I think it is the router which will redirect to the Frigate web service

I have set the Frigate policy to #public. I don't know if it's the true solution, but again a problem:

[2025-01-30T17:13:56.471Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:986 on_ziti_event() ziti_ctx[Antoine] connected to controller
[2025-01-30T17:13:56.475Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:456 on_event() ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json] context event : status is OK
[2025-01-30T17:13:56.498Z]    INFO ziti-sdk:channel.c:272 new_ziti_channel() ch[0] (Home) new channel for ztx[0] identity[Antoine]
[2025-01-30T17:13:56.498Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1057 on_ziti_event() ztx[Antoine] added edge router Home@192.168.1.36
[2025-01-30T17:13:56.501Z]    INFO ziti-sdk:channel.c:814 reconnect_channel() ch[0] reconnecting NOW
[2025-01-30T17:13:56.523Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Wazuh] with intercept.v1 = { "addresses": [ "192.168.1.83" ], "portRanges": [ { "high": 443, "low": 443 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-30T17:13:56.523Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Wazuh]
[2025-01-30T17:13:56.523Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Frigate] with intercept.v1 = { "addresses": [ "192.168.1.170" ], "portRanges": [ { "high": 5000, "low": 5000 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-30T17:13:56.523Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Frigate]
[2025-01-30T17:13:56.523Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:958 on_service() hosting server_address[?:192.168.1.170:5000] service[Frigate]
[2025-01-30T17:13:56.523Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Wazuh:66Dz7CsoM3mUMyOlMPnEMY ===============
[2025-01-30T17:13:56.523Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Frigate:1u6YUOfKAxNUTURyN2o0Lz ===============
[2025-01-30T17:13:57.459Z]    INFO ziti-sdk:posture.c:206 ziti_send_posture_data() ztx[0] first run or potential controller restart detected
[2025-01-30T17:14:16.513Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-30T17:14:16.513Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 5196ms (attempt = 1)

The service is not reachable. I have tried with another service, Wazuh on 443 (HTTPS), but the result is the same: not reachable.

Yes, it looks like your initial NO_EDGE_ROUTERS error is resolved.

Based on this, it looks to me like the server is forcefully terminating the connection and you're sending data through properly to the other end. This can be for lots of different reasons. The first thing I would do is look at the logs for the identity that hosts the service. Is the identity that router? If so, look at that router's logs for any hints or tips.

If there are no logs, I would think the traffic is being tunneled correctly, and the remote server has forcefully rejected the connection. This is common if you mess up the bind side port, or if the host is not resolvable etc.

Look at the logs from your router (assuming the router is binding that service).

Can you share the host.v1 config IP and port that you used? Can you verify, when on the router, that the router can connect to that host and port?
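The check asked for in the reply above, as an added example that is not part of the original posts and not OpenZiti's own code: run on the router host, it reads a host.v1 config as JSON and classifies one TCP connect to its address and port. The sample config, the function names and the hint texts are constructed for illustration.

```python
import json
import socket
import sys

# Constructed sample: a host.v1 config shaped like the Frigate-host-config
# posted in this thread, but pointed at loopback so it is safe to run anywhere.
SAMPLE_HOST_V1 = """
{"data": {"address": "127.0.0.1", "port": 5000,
          "forwardProtocol": true, "allowedProtocols": ["tcp"]}}
"""

# What each outcome suggests, following the causes named in the reply above.
HINTS = {
    "open": "target accepts TCP from this host; look at router logs and policies next",
    "refused": "host answered but nothing listens there; check the host.v1 port "
               "and the service's listen address",
    "timeout": "no answer; check the host.v1 address, routing and firewalls "
               "between this host and the target",
    "unresolvable": "the host.v1 address does not resolve on this host",
    "unreachable": "the OS could not reach the target network",
    "skipped": "config has no fixed TCP address and port to probe",
}


def probe_tcp(address, port, timeout=3.0):
    """Attempt one TCP connect per resolved address and classify the result."""
    try:
        infos = socket.getaddrinfo(address, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"
    verdict = "unreachable"
    for family, socktype, proto, _name, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "open"
        except ConnectionRefusedError:
            verdict = "refused"      # RST received: host is up, port is closed
        except socket.timeout:
            verdict = "timeout"      # packets dropped or wrong address
        except OSError:
            verdict = "unreachable"  # no route, network down, ...
        finally:
            sock.close()
    return verdict


def check_host_config(config_json, timeout=3.0):
    """Probe the target of a host.v1 config given as JSON text."""
    doc = json.loads(config_json)
    data = doc.get("data", doc)  # accept the full config object or just "data"
    address, port = data.get("address"), data.get("port")
    # TCP is in play if it is the fixed protocol or one of the allowed ones.
    allowed = [str(p).lower() for p in data.get("allowedProtocols") or []]
    tcp_possible = str(data.get("protocol", "")).lower() == "tcp" or "tcp" in allowed
    if not address or not isinstance(port, int) or not tcp_possible:
        verdict = "skipped"
    else:
        verdict = probe_tcp(address, port, timeout)
    return {"address": address, "port": port,
            "verdict": verdict, "hint": HINTS[verdict]}


if __name__ == "__main__":
    # Pass a file holding the config JSON, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_HOST_V1
    result = check_host_config(text)
    print("%(address)s:%(port)s -> %(verdict)s (%(hint)s)" % result)
```

A "refused" or "timeout" verdict from the router host points at the bind side (host.v1 address or port, or the target itself); an "open" verdict means the problem is elsewhere on the path.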

What is strange is that we get a message that the services do not allow connections:

192.168.1.83 n'autorise pas la connexion.

Voici quelques conseils :

ERR_CONNECTION_REFUSED

192.168.1.170 n'autorise pas la connexion.

Voici quelques conseils :

ERR_CONNECTION_REFUSED

I just checked: on the server side, neither my Wazuh nor my Frigate shows any trace of a refused or failed connection.

However, in the router I see this:

janv. 31 09:42:35 openziti ziti[466]: {"_context":"ch{edge}-\u003eu{classic}-\u003ei{VB1j}","error":"read tcp 192.168.1.36:3022-\u003e192.168.1.142:50843: read: connection reset by peer","file":"github.com/openziti/channel/v3@v3.0.5/imp>
lines 1254-1314/1314 (END)

Another question: I created a terminator for Frigate but there is none for Wazuh. Is the terminator mandatory? Or should it be created by itself when the connection is established?

root@openziti:/var/log# ziti edge list terminators
╭────────────────────────┬─────────┬────────┬─────────┬────────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID                     │ SERVICE │ ROUTER │ BINDING │ ADDRESS                │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼─────────┼────────┼─────────┼────────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ 4hoggMa0PPV79Rop92NYnz │ Frigate │ Home   │ tunnel  │ 4hoggMa0PPV79Rop92NYnz │          │    0 │ default    │            0 │
╰────────────────────────┴─────────┴────────┴─────────┴────────────────────────┴──────────┴──────┴────────────┴──────────────╯
results: 1-1 of 1
╭────────────────────────┬───────────────────────────────┬───────────────────┬────────────────╮
│ ID                     │ NAME                          │ EDGE ROUTER ROLES │ IDENTITY ROLES │
├────────────────────────┼───────────────────────────────┼───────────────────┼────────────────┤
│ 63jPOvaQj3l77BNXy1rIYf │ AllEdgeRouter                 │ #public           │ #all           │
│ WEpKl1SGxz             │ edge-router-WEpKl1SGxz-system │ @Home             │ @Home          │
╰────────────────────────┴───────────────────────────────┴───────────────────┴────────────────╯
results: 1-2 of 2
╭────────────┬───────────────┬─────────┬────────────┬─────────────╮
│ ID         │ NAME          │ TYPE    │ ATTRIBUTES │ AUTH-POLICY │
├────────────┼───────────────┼─────────┼────────────┼─────────────┤
│ 9chwLHMQ37 │ Dejan         │ Default │            │ Default     │
│ WEpKl1SGxz │ Home          │ Router  │            │ Default     │
│ YGVNUnL.Zx │ Antoine       │ Default │ public     │ Default     │
│ oNcwUnuLr  │ Default Admin │ Default │            │ Default     │
│ qb.GBkUnq5 │ Arnaud        │ Default │ public     │ Default     │
╰────────────┴───────────────┴─────────┴────────────┴─────────────╯
results: 1-5 of 5
╭────────────┬──────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼──────┼────────┼───────────────┼──────┼────────────┤
│ WEpKl1SGxz │ Home │ true   │ true          │    0 │ public     │
╰────────────┴──────┴────────┴───────────────┴──────┴────────────╯
results: 1-1 of 1

I am trying to give you as much information as possible:

frigate service config :

{
"createdAt": "2025-01-30T15:10:25.823Z",
"id": "1u6YUOfKAxNUTURyN2o0Lz",
"tags": {},
"updatedAt": "2025-01-30T15:10:25.823Z",
"config": null,
"configs": [
"1vyyniCSg3gfX8kMjKqnf",
"3Zw2XUCnpYT9ewOheOWzR6"
],
"encryptionRequired": true,
"maxIdleTimeMillis": 0,
"name": "Frigate",
"permissions": [
"Invalid"
],
"postureQueries": [
{
"isPassing": true,
"policyId": "dummy invalid policy: no posture checks defined",
"policyType": "Invalid",
"postureQueries": []
}
],
"roleAttributes": [
"public"
],
"terminatorStrategy": "smartrouting"
}

frigate host :

{
"_links": {
"self": {
"href": "./configs/3Zw2XUCnpYT9ewOheOWzR6"
}
},
"createdAt": "2025-01-30T15:10:25.810Z",
"id": "3Zw2XUCnpYT9ewOheOWzR6",
"tags": {},
"updatedAt": "2025-01-30T15:10:25.810Z",
"configType": {
"_links": {
"self": {
"href": "./config-types/NH5p4FpGR"
}
},
"entity": "config-types",
"id": "NH5p4FpGR",
"name": "host.v1"
},
"configTypeId": "NH5p4FpGR",
"data": {
"address": "192.168.1.170",
"port": 5000,
"forwardProtocol": true,
"allowedProtocols": [
"tcp"
],
"httpChecks": [],
"portChecks": []
},
"name": "Frigate-host-config"
}

frigate intercept :

{
"_links": {
"self": {
"href": "./configs/1vyyniCSg3gfX8kMjKqnf"
}
},
"createdAt": "2025-01-30T15:10:25.792Z",
"id": "1vyyniCSg3gfX8kMjKqnf",
"tags": {},
"updatedAt": "2025-01-30T15:10:25.792Z",
"configType": {
"_links": {
"self": {
"href": "./config-types/g7cIWbcGg"
}
},
"entity": "config-types",
"id": "g7cIWbcGg",
"name": "intercept.v1"
},
"configTypeId": "g7cIWbcGg",
"data": {
"portRanges": [
{
"high": 5000,
"low": 5000
}
],
"addresses": [
"192.168.1.170"
],
"protocols": [
"tcp",
"udp"
]
},
"name": "Frigate-intercept-config"
}

frigate bind policy :

{
"_links": {
"identities": {
"href": "./service-policies/2mztivm7GU4iQu5k2wkADi/identities"
},
"posture-checks": {
"href": "./service-policies/2mztivm7GU4iQu5k2wkADi/posture-checks"
},
"self": {
"href": "./service-policies/2mztivm7GU4iQu5k2wkADi"
},
"services": {
"href": "./service-policies/2mztivm7GU4iQu5k2wkADi/services"
}
},
"createdAt": "2025-01-30T15:10:25.854Z",
"id": "2mztivm7GU4iQu5k2wkADi",
"tags": {},
"updatedAt": "2025-01-30T17:13:01.429Z",
"identityRoles": [
"#public",
"@WEpKl1SGxz"
],
"identityRolesDisplay": [
{
"name": "#public",
"role": "#public"
},
{
"name": "@Home",
"role": "@WEpKl1SGxz"
}
],
"name": "Frigate-bind-policy",
"postureCheckRoles": null,
"postureCheckRolesDisplay": [],
"semantic": "AnyOf",
"serviceRoles": [
"#public",
"@1u6YUOfKAxNUTURyN2o0Lz"
],
"serviceRolesDisplay": [
{
"name": "#public",
"role": "#public"
},
{
"name": "@Frigate",
"role": "@1u6YUOfKAxNUTURyN2o0Lz"
}
],
"type": "Bind"
}

frigate dial policy :

{
"_links": {
"identities": {
"href": "./service-policies/3CPH6ADt2fOYfm6GDjCKvu/identities"
},
"posture-checks": {
"href": "./service-policies/3CPH6ADt2fOYfm6GDjCKvu/posture-checks"
},
"self": {
"href": "./service-policies/3CPH6ADt2fOYfm6GDjCKvu"
},
"services": {
"href": "./service-policies/3CPH6ADt2fOYfm6GDjCKvu/services"
}
},
"createdAt": "2025-01-30T15:10:25.837Z",
"id": "3CPH6ADt2fOYfm6GDjCKvu",
"tags": {},
"updatedAt": "2025-01-31T08:48:37.591Z",
"identityRoles": [
"#public",
"@9chwLHMQ37",
"@YGVNUnL.Zx",
"@qb.GBkUnq5"
],
"identityRolesDisplay": [
{
"name": "#public",
"role": "#public"
},
{
"name": "@Dejan",
"role": "@9chwLHMQ37"
},
{
"name": "@Antoine",
"role": "@YGVNUnL.Zx"
},
{
"name": "@Arnaud",
"role": "@qb.GBkUnq5"
}
],
"name": "Frigate-dial-policy",
"postureCheckRoles": null,
"postureCheckRolesDisplay": [],
"semantic": "AnyOf",
"serviceRoles": [
"#public",
"@1u6YUOfKAxNUTURyN2o0Lz"
],
"serviceRolesDisplay": [
{
"name": "#public",
"role": "#public"
},
{
"name": "@Frigate",
"role": "@1u6YUOfKAxNUTURyN2o0Lz"
}
],
"type": "Dial"
}

router home :

{
"createdAt": "2025-01-30T11:32:11.864Z",
"id": "WEpKl1SGxz",
"tags": {},
"updatedAt": "2025-01-31T08:37:05.352Z",
"appData": {},
"cost": 0,
"disabled": false,
"hostname": "192.168.1.36",
"isOnline": true,
"name": "Home",
"noTraversal": false,
"supportedProtocols": {
"tls": "tls://192.168.1.36:3022"
},
"syncStatus": "SYNC_DONE",
"certPem": "-----BEGIN CERTIFICATE-----MASQUED FOR SECURITY**-----END CERTIFICATE-----\n",
"fingerprint": "d1213fde0659cfa413c67975206055f42021c055",
"isTunnelerEnabled": true,
"isVerified": true,
"roleAttributes": [
"public"
],
"unverifiedCertPem": null,
"unverifiedFingerprint": null,
"versionInfo": {
"arch": "amd64",
"buildDate": "2024-10-02T12:59:41Z",
"os": "linux",
"revision": "0eec47ce3c80",
"version": "v1.1.15"
},
"badges": [
{
"label": "Online",
"class": "online",
"circle": "true"
}
]
}

With curl, my Debian machine, where the router and controller are installed, has access to the service without problems.

log from client :

[2025-01-31T09:16:29.133Z]   ERROR ziti-sdk:legacy_auth.c:270 refresh_delay() local clock is 16 seconds ahead UTC (as reported by controller)
[2025-01-31T09:16:29.159Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:986 on_ziti_event() ziti_ctx[Arnaud] connected to controller
[2025-01-31T09:16:29.166Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:456 on_event() ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\arnaud.json] context event : status is OK
[2025-01-31T09:16:29.191Z]    INFO ziti-sdk:channel.c:272 new_ziti_channel() ch[0] (Home) new channel for ztx[0] identity[Arnaud]
[2025-01-31T09:16:29.191Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1057 on_ziti_event() ztx[Arnaud] added edge router Home@192.168.1.36
[2025-01-31T09:16:29.207Z]    INFO ziti-sdk:channel.c:814 reconnect_channel() ch[0] reconnecting NOW
[2025-01-31T09:16:29.223Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Wazuh] with intercept.v1 = { "addresses": [ "192.168.1.83" ], "portRanges": [ { "high": 443, "low": 443 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-31T09:16:29.223Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Wazuh]
[2025-01-31T09:16:29.223Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Frigate] with intercept.v1 = { "addresses": [ "192.168.1.170" ], "portRanges": [ { "high": 5000, "low": 5000 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-31T09:16:29.223Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Frigate]
[2025-01-31T09:16:29.223Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:958 on_service() hosting server_address[?:192.168.1.170:5000] service[Frigate]
[2025-01-31T09:16:29.223Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Wazuh:66Dz7CsoM3mUMyOlMPnEMY ===============
[2025-01-31T09:16:29.223Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Frigate:1u6YUOfKAxNUTURyN2o0Lz ===============
[2025-01-31T09:16:30.154Z]    INFO ziti-sdk:posture.c:206 ziti_send_posture_data() ztx[0] first run or potential controller restart detected
[2025-01-31T09:16:49.221Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:16:49.221Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 7387ms (attempt = 1)
[2025-01-31T09:17:16.614Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:17:16.614Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 10681ms (attempt = 2)
[2025-01-31T09:17:47.302Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:17:47.302Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 24495ms (attempt = 3)
[2025-01-31T09:18:31.806Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:18:31.806Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 50226ms (attempt = 4)
[2025-01-31T09:25:16.666Z]    INFO ziti-edge-tunnel:config-utils.c:134 update_config_done() updated config file ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json]
[2025-01-31T09:25:16.676Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:986 on_ziti_event() ziti_ctx[Antoine] connected to controller
[2025-01-31T09:25:16.680Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:456 on_event() ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json] context event : status is OK
[2025-01-31T09:25:16.702Z]    INFO ziti-sdk:channel.c:272 new_ziti_channel() ch[0] (Home) new channel for ztx[0] identity[Antoine]
[2025-01-31T09:25:16.702Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1057 on_ziti_event() ztx[Antoine] added edge router Home@192.168.1.36
[2025-01-31T09:25:16.707Z]    INFO ziti-sdk:channel.c:814 reconnect_channel() ch[0] reconnecting NOW
[2025-01-31T09:25:16.727Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Wazuh] with intercept.v1 = { "addresses": [ "192.168.1.83" ], "portRanges": [ { "high": 443, "low": 443 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-31T09:25:16.727Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Wazuh]
[2025-01-31T09:25:16.727Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Frigate] with intercept.v1 = { "addresses": [ "192.168.1.170" ], "portRanges": [ { "high": 5000, "low": 5000 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-31T09:25:16.727Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Frigate]
[2025-01-31T09:25:16.727Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:958 on_service() hosting server_address[?:192.168.1.170:5000] service[Frigate]
[2025-01-31T09:25:16.727Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Wazuh:66Dz7CsoM3mUMyOlMPnEMY ===============
[2025-01-31T09:25:16.727Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Frigate:1u6YUOfKAxNUTURyN2o0Lz ===============
[2025-01-31T09:25:17.610Z]    INFO ziti-sdk:posture.c:206 ziti_send_posture_data() ztx[0] first run or potential controller restart detected
[2025-01-31T09:25:36.721Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:25:36.721Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 8394ms (attempt = 1)
[2025-01-31T09:26:05.140Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:26:05.140Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 3208ms (attempt = 2)
[2025-01-31T09:26:28.370Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:26:28.370Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 34128ms (attempt = 3)
[2025-01-31T09:27:22.518Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:27:22.518Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 26439ms (attempt = 4)
[2025-01-31T09:28:08.977Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:28:08.977Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 132961ms (attempt = 5)
[2025-01-31T09:30:42.036Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:30:42.036Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 43236ms (attempt = 6)
[2025-01-31T09:31:45.298Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T09:31:45.298Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 50982ms (attempt = 7)
root@openziti:/var/log# ziti ops verify-traffic
WARNING no prefix and mode [] is not 'both'. default prefix of 2025-01-31-1119 will be used
INFO    generating P-384 EC key
INFO    generating P-384 EC key
INFO    waiting 10s for terminator for service: 2025-01-31-1119.verify-traffic
INFO    successfully bound service: 2025-01-31-1119.verify-traffic.

INFO    Server is listening for a connection and will exit when one is received.
INFO    new service session                           session token=d215e028-1840-49c0-91ac-b98337f9f670
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
ERROR   tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.1.36  router=Home
FATAL   terminator not found for service: 2025-01-31-1119.verify-traffic
root@openziti:/var/log#

Well, I just understood that I had to leave 127.0.0.1 and not the router IP!

Now I have a terminator which is created automatically:

root@openziti:/var/lib/private/ziti-router# ziti ops verify-traffic
WARNING no prefix and mode [] is not 'both'. default prefix of 2025-01-31-1123 will be used
INFO    generating P-384 EC key
INFO    generating P-384 EC key
INFO    waiting 10s for terminator for service: 2025-01-31-1123.verify-traffic
INFO    successfully bound service: 2025-01-31-1123.verify-traffic.

INFO    Server is listening for a connection and will exit when one is received.
INFO    new service session                           session token=2098dd15-861f-4c69-993f-b0073e66ee68
INFO    found terminator for service: 2025-01-31-1123.verify-traffic
INFO    found service named: 2025-01-31-1123.verify-traffic
INFO    Server has accepted a connection and will exit soon.
INFO    successfully dialed service: 2025-01-31-1123.verify-traffic.
INFO    verify-traffic test successfully detected
INFO    Server complete. exiting
INFO    client complete
root@openziti:/var/lib/private/ziti-router#

after this
router log :

janv. 31 11:27:03 openziti ziti[1329]: {"arch":"amd64","build-date":"2024-10-02T12:59:41Z","configFile":"config.yml","file":"github.com/openziti/ziti/ziti/router/run.go:71","func":"github.com/openziti/ziti/ziti/router.run","go-version":>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/common/metrics/pool_metrics.go:50","func":"github.com/openziti/ziti/common/metrics.ConfigureGoroutinesPoolMetrics.GoroutinesPoolMetricsConfigF.func1.1","idleTime":>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/common/metrics/pool_metrics.go:50","func":"github.com/openziti/ziti/common/metrics.ConfigureGoroutinesPoolMetrics.GoroutinesPoolMetricsConfigF.func1.1","idleTime":>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/common/metrics/pool_metrics.go:50","func":"github.com/openziti/ziti/common/metrics.ConfigureGoroutinesPoolMetrics.GoroutinesPoolMetricsConfigF.func1.1","idleTime":>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/internal/edgerouter/config.go:154","func":"github.com/openziti/ziti/router/internal/edgerouter.(*Config).LoadConfigFromMap","level":"info","msg":"cached dat>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/internal/edgerouter/config.go:171","func":"github.com/openziti/ziti/router/internal/edgerouter.(*Config).LoadConfigFromMap","level":"warning","msg":"Invalid>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/forwarder/faulter.go:78","func":"github.com/openziti/ziti/router/forwarder.(*Faulter).run","level":"info","msg":"started","time":"2025-01-31T11:27:03.127Z"}
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/forwarder/scanner.go:52","func":"github.com/openziti/ziti/router/forwarder.(*Scanner).run","level":"info","msg":"started","time":"2025-01-31T11:27:03.127Z"}
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/common/subscriber.go:320","func":"github.com/openziti/ziti/common.syncAllSubscribersEvent.process","level":"info","msg":"sync all subscribers","subs":0,"time":"202>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:346","func":"github.com/openziti/ziti/router.(*Router).showOptions","level":"info","msg":"ctrl = {\"OutQueueSize\":4,\"MaxQueuedConnects\":1,\"Max>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:352","func":"github.com/openziti/ziti/router.(*Router).showOptions","level":"info","msg":"metrics = {\"ReportInterval\":60000000000,\"IntervalAgeT>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/common/metrics/pool_metrics.go:50","func":"github.com/openziti/ziti/common/metrics.ConfigureGoroutinesPoolMetrics.GoroutinesPoolMetricsConfigF.func1.1","idleTime":>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:666","func":"github.com/openziti/ziti/router.(*Router).initializeHealthChecks","level":"info","msg":"starting health check with ctrl ping initiall>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:481","func":"github.com/openziti/ziti/router.(*Router).startXlinkDialers","level":"info","msg":"started Xlink dialer with binding [transport]","ti>
janv. 31 11:27:03 openziti ziti[1329]: {"addr":"tls:0.0.0.0:3022","error":"no network interface found for 0.0.0.0","file":"github.com/openziti/ziti/router/xlink_transport/config.go:76","func":"github.com/openziti/ziti/router/xlink_trans>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/common/metrics/pool_metrics.go:50","func":"github.com/openziti/ziti/router/xlink_transport.(*listener).Listen.GoroutinesPoolMetricsConfigF.func1.1","idleTime":1000>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:506","func":"github.com/openziti/ziti/router.(*Router).startXlinkListeners","level":"info","msg":"started Xlink listener with binding [transport] >
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge/factory.go:158","func":"github.com/openziti/ziti/router/xgress_edge.(*Factory).CreateListener","level":"info","msg":"xgress edge listener option>
janv. 31 11:27:03 openziti ziti[1329]: {"address":{},"file":"github.com/openziti/ziti/router/xgress_edge/listener.go:87","func":"github.com/openziti/ziti/router/xgress_edge.(*listener).Listen","level":"info","msg":"starting channel list>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/common/metrics/pool_metrics.go:50","func":"github.com/openziti/ziti/router/xgress_edge.(*listener).Listen.GoroutinesPoolMetricsConfigF.func1.1","idleTime":10000000>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:544","func":"github.com/openziti/ziti/router.(*Router).startXgressListeners","level":"info","msg":"created xgress listener [edge] at [tls:0.0.0.0:>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/factory.go:122","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*Factory).CreateListener","level":"info","msg":"xgress edge t>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:544","func":"github.com/openziti/ziti/router.(*Router).startXgressListeners","level":"info","msg":"created xgress listener [tunnel] at []","time":>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:728","func":"github.com/openziti/ziti/router.(*Router).getInitialCtrlEndpoints","level":"info","msg":"controller endpoints file [endpoints] doesn'>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/router.go:555","func":"github.com/openziti/ziti/router.(*Router).startControlPlane","level":"info","msg":"router configured with 1 controller endpoints","ti>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge/accept.go:159","func":"github.com/openziti/ziti/router/xgress_edge.(*Acceptor).Run","level":"info","msg":"starting","time":"2025-01-31T11:27:03.>
janv. 31 11:27:03 openziti ziti[1329]: {"endpoint":{"tls:ziti.DOMAINE:1280":{}},"file":"github.com/openziti/ziti/router/env/ctrls.go:95","func":"github.com/openziti/ziti/router/env.(*networkControllers).UpdateControllerEndpoints","lev>
janv. 31 11:27:03 openziti ziti[1329]: {"endpoint":"tls:ziti.DOMAINE:1280","file":"github.com/openziti/ziti/router/env/ctrls.go:134","func":"github.com/openziti/ziti/router/env.(*networkControllers).connectToControllerWithBackoff","le>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge/factory.go:77","func":"github.com/openziti/ziti/router/xgress_edge.(*Factory).NotifyOfReconnect","level":"info","msg":"control channel reconnect>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/factory.go:57","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*Factory).NotifyOfReconnect","level":"info","msg":"control cha>
janv. 31 11:27:03 openziti ziti[1329]: {"ctrlId":"NetFoundry Inc. Client DCK586wpH","file":"github.com/openziti/ziti/router/link/link_registry.go:386","func":"github.com/openziti/ziti/router/link.(*linkRegistryImpl).NotifyOfReconnect",">
janv. 31 11:27:03 openziti ziti[1329]: {"endpoint":"tls:ziti.DOMAINE:1280","file":"github.com/openziti/ziti/router/env/ctrls.go:140","func":"github.com/openziti/ziti/router/env.(*networkControllers).connectToControllerWithBackoff.func>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/factory.go:134","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*Factory).CreateDialer","level":"info","msg":"xgress edge tun>
janv. 31 11:27:03 openziti ziti[1329]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{KZ1P}","file":"github.com/openziti/ziti/router/handler_ctrl/validate_terminators_v2.go:94","func":"github.com/openziti/ziti/router/handler_ctrl.(>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/handler_edge_ctrl/hello.go:82","func":"github.com/openziti/ziti/router/handler_edge_ctrl.(*helloHandler).HandleReceive.func1","level":"info","msg":"received>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/state/apiSessionAdded.go:203","func":"github.com/openziti/ziti/router/state.(*apiSessionAddedHandler).instantSync","level":"info","msg":"first api session s>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/state/apiSessionAdded.go:268","func":"github.com/openziti/ziti/router/state.(*apiSessionSyncTracker).Add","level":"info","msg":"received api session sync ch>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/state/manager.go:608","func":"github.com/openziti/ziti/router/state.(*ManagerImpl).StartHeartbeat","level":"info","msg":"heartbeat starting","time":"2025-01>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/tunneler.go:71","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*tunneler).Start","level":"info","mode":"host","msg":"creatin>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge/certchecker.go:124","func":"github.com/openziti/ziti/router/xgress_edge.(*CertExpirationChecker).Run","level":"info","msg":"waiting 0s to renew >
janv. 31 11:27:03 openziti ziti[1329]: {"error":"exit status 1","file":"github.com/openziti/ziti/tunnel/dns/server.go:57","func":"github.com/openziti/ziti/tunnel/dns.flushDnsCaches","level":"warning","msg":"unable to flush dns caches, c>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/tunnel/dns/server.go:89","func":"github.com/openziti/ziti/tunnel/dns.NewDnsServer","level":"info","msg":"starting dns server...","time":"2025-01-31T11:27:03.166Z"}
janv. 31 11:27:03 openziti ziti[1329]: {"error":"dns server failed to start: listen udp 127.0.0.1:53: bind: permission denied","file":"github.com/openziti/ziti/router/xgress_edge_tunnel/tunneler.go:75","func":"github.com/openziti/ziti/r>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/tunnel/dns/dummy.go:37","func":"github.com/openziti/ziti/tunnel/dns.NewDummyResolver","level":"warning","msg":"dummy resolver does not store hostname/ip mappings",>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/tunnel/intercept/iputils.go:51","func":"github.com/openziti/ziti/tunnel/intercept.SetDnsInterceptIpRange","level":"info","msg":"dns intercept IP range: 100.64.0.1 >
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:155","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).HandleServicesChange","level":"info","msg":"adding service",">
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:257","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).addService","level":"info","msg":"Hosting newly available ser>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:155","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).HandleServicesChange","level":"info","msg":"adding service",">
janv. 31 11:27:03 openziti ziti[1329]: {"error":null,"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:260","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).addService","level":"warning","msg":"service is >
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:397","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*fabricProvider).establishTerminatorWithRetry.func1","level":">
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:488","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*fabricProvider).HandleTunnelResponse","level":"info","msg":"r>
janv. 31 11:27:03 openziti ziti[1329]: {"createDuration":2927841,"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:510","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*fabricProvider).HandleTunnelResponse>
janv. 31 11:27:03 openziti ziti[1329]: {"channel":"ctrl","file":"github.com/openziti/ziti/router/handler_edge_ctrl/extendEnrollmentCerts.go:126","fingerprint":"0c10252dfd0736700227aa72a548de4a5460c7ca","func":"github.com/openziti/ziti/r>
janv. 31 11:27:03 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge/certchecker.go:124","func":"github.com/openziti/ziti/router/xgress_edge.(*CertExpirationChecker).Run","level":"info","msg":"waiting 8591h59m59.7>
janv. 31 11:27:04 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/state/apiSessionAdded.go:124","func":"github.com/openziti/ziti/router/state.(*apiSessionAddedHandler).applySync","level":"info","msg":"finished synchronizin>
janv. 31 11:27:29 openziti ziti[1329]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/factory.go:134","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*Factory).CreateDialer","level":"info","msg":"xgress edge tun>
janv. 31 11:27:29 openziti ziti[1329]: {"_context":"ch{ctrl}-\u003eu{reconnecting}-\u003ei{KZ1P}","file":"github.com/openziti/ziti/router/handler_ctrl/validate_terminators_v2.go:94","func":"github.com/openziti/ziti/router/handler_ctrl.(>

And now the client log:

[2025-01-31T10:28:44.351Z]    INFO ziti-edge-tunnel:config-utils.c:134 update_config_done() updated config file ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json]
[2025-01-31T10:28:44.362Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:986 on_ziti_event() ziti_ctx[Antoine] connected to controller
[2025-01-31T10:28:44.367Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:456 on_event() ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antoine (7).json] context event : status is OK
[2025-01-31T10:28:44.389Z]    INFO ziti-sdk:channel.c:272 new_ziti_channel() ch[0] (Home) new channel for ztx[0] identity[Antoine]
[2025-01-31T10:28:44.389Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1057 on_ziti_event() ztx[Antoine] added edge router Home@127.0.0.1
[2025-01-31T10:28:44.393Z]    INFO ziti-sdk:channel.c:814 reconnect_channel() ch[0] reconnecting NOW
[2025-01-31T10:28:44.415Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Wazuh] with intercept.v1 = { "addresses": [ "192.168.1.83" ], "portRanges": [ { "high": 443, "low": 443 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-31T10:28:44.416Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Wazuh]
[2025-01-31T10:28:44.416Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Frigate] with intercept.v1 = { "addresses": [ "192.168.1.170" ], "portRanges": [ { "high": 5000, "low": 5000 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-31T10:28:44.416Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Frigate]
[2025-01-31T10:28:44.416Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:958 on_service() hosting server_address[?:192.168.1.170:5000] service[Frigate]
[2025-01-31T10:28:44.416Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Wazuh:66Dz7CsoM3mUMyOlMPnEMY ===============
[2025-01-31T10:28:44.416Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - 2025-01-31-1119.verify-traffic:4baZizYindSMmnrJkK8xnV ===============
[2025-01-31T10:28:44.416Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Frigate:1u6YUOfKAxNUTURyN2o0Lz ===============
[2025-01-31T10:28:45.295Z]    INFO ziti-sdk:posture.c:206 ziti_send_posture_data() ztx[0] first run or potential controller restart detected
[2025-01-31T10:28:46.429Z]   ERROR ziti-sdk:channel.c:958 on_tls_connect() ch[0] failed to connect to ER[Home] [-4078/connection refused]
[2025-01-31T10:28:46.429Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 8264ms (attempt = 1)
[2025-01-31T10:28:56.749Z]   ERROR ziti-sdk:channel.c:958 on_tls_connect() ch[0] failed to connect to ER[Home] [-4078/connection refused]
[2025-01-31T10:28:56.749Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 4808ms (attempt = 2)
[2025-01-31T10:29:03.605Z]   ERROR ziti-sdk:channel.c:958 on_tls_connect() ch[0] failed to connect to ER[Home] [-4078/connection refused]
[2025-01-31T10:29:03.605Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 28379ms (attempt = 3)
[2025-01-31T10:29:15.210Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:2684 scm_service_stop() stopping via service
[2025-01-31T10:29:15.210Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:2688 scm_service_stop() service stop waiting on condition...
[2025-01-31T10:29:15.210Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:2653 stop_tunnel_and_cleanup() Control request to stop tunnel service received...
[2025-01-31T10:29:15.210Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:2655 stop_tunnel_and_cleanup() notifying any clients of impending shutdown
[2025-01-31T10:29:15.210Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:320 process_cmd() ziti dump started 
[2025-01-31T10:29:15.210Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:380 process_cmd() ziti dump finished 
[2025-01-31T10:29:15.210Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:2663 stop_tunnel_and_cleanup() removing nrpt rules
[2025-01-31T10:29:15.210Z]    INFO ziti-edge-tunnel:windows-scripts.c:326 remove_all_nrpt_rules() removing NRPT rules matching filter: $_.Comment.StartsWith('Added by ziti-edge-tunnel')
[2025-01-31T10:29:15.859Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:2666 stop_tunnel_and_cleanup() cleaning instance config 
[2025-01-31T10:29:15.859Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:2669 stop_tunnel_and_cleanup() ============================ service ends ==================================
[2025-01-31T10:29:15.893Z]   ERROR ziti-edge-tunnel:tun.c:363 tun_read() failed to receive packet: 38

In the client log I can see: ER[Home] [-4078/connection refused]



root@openziti:/var/lib/private/ziti-router# ziti fabric ls terminators
╭────────────────────────┬─────────┬────────┬─────────┬────────────────────────┬──────────┬──────┬────────────┬──────────────┬────────────╮
│ ID                     │ SERVICE │ ROUTER │ BINDING │ ADDRESS                │ INSTANCE │ COST │ PRECEDENCE │ DYNAMIC COST │ HOST ID    │
├────────────────────────┼─────────┼────────┼─────────┼────────────────────────┼──────────┼──────┼────────────┼──────────────┼────────────┤
│ 6zj27v73gJ2oY19IvrKd9r │ Frigate │ Home   │ tunnel  │ 6zj27v73gJ2oY19IvrKd9r │          │    0 │ default    │            0 │ WEpKl1SGxz │
╰────────────────────────┴─────────┴────────┴─────────┴────────────────────────┴──────────┴──────┴────────────┴──────────────┴────────────╯
results: 1-1 of 1
root@openziti:/var/lib/private/ziti-router#

Ok, you're making progress. :slight_smile:

failed to connect to ER[Home] [-4078/connection refused]

This makes me think that the router is advertising an address that is incorrect. When you ran verify-traffic before, did you run it on the same machine as the openziti controller and router? If so, could you run verify-traffic on any other machine and on the "client" machine?

Sometimes people set up the router to 'advertise' an address that is not routable outside of the local network, or outside of the local machine. When that happens, clients can't connect.

Open the configuration of the router, find the edge binding and see what the address is. Mine looks like this:

  - binding: edge
    address: tls:0.0.0.0:8442
    options:
      advertise: ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8442
      connectTimeoutMs: 5000
      getSessionTimeout: 60

From the client - can you confirm that host:port is available? Generally using something like openssl. I use this command: openssl s_client -connect ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8442 2>&1 </dev/null | tail -10, for example:

openssl s_client -connect ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8442 2>&1 </dev/null | tail -10
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
40E7A2806F750000:error:0A00045C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1593:SSL alert number 116

from the client - is it able to connect to the router's advertised host/port? I'm guessing "no"

Here is my router config:

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:3022
      advertise:        tls:127.0.0.1:3022
      options:
        outQueueSize:   4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: 127.0.0.1:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host

I don't understand "run verify-traffic on any other machine"

If I'm not mistaken, I don't need to install openziti service on the other machines?
so how to execute this command for a service not installed?

Maybe I misunderstood, but for me I have a controller and a router in my LAN which serves as an access point and gives the right to redirect traffic through it
knowing that we still manage to ping the machines so the ICMP traffic passes correctly

I have set the advertise IP again and now the router connection is OK, but the service is always unavailable, while ping is OK

[2025-01-31T13:29:16.666Z]    INFO ziti-sdk:channel.c:272 new_ziti_channel() ch[0] (Home) new channel for ztx[0] identity[Dejan]
[2025-01-31T13:29:16.666Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:1057 on_ziti_event() ztx[Dejan] added edge router Home@192.168.1.36
[2025-01-31T13:29:16.680Z]    INFO ziti-sdk:channel.c:814 reconnect_channel() ch[0] reconnecting NOW
[2025-01-31T13:29:16.764Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[frigate] with intercept.v1 = { "addresses": [ "192.168.1.170" ], "portRanges": [ { "high": 5000, "low": 5000 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-31T13:29:16.764Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[frigate]
[2025-01-31T13:29:16.764Z]    INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[Wazuh] with intercept.v1 = { "addresses": [ "192.168.1.83" ], "portRanges": [ { "high": 443, "low": 443 } ], "protocols": [ "tcp", "udp" ] }
[2025-01-31T13:29:16.764Z]    INFO tunnel-cbs:ziti_tunnel_ctrl.c:943 on_service() starting intercepting for service[Wazuh]
[2025-01-31T13:29:16.764Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - frigate:7SC97MxuXD8Jz0FCD9Pjr9 ===============
[2025-01-31T13:29:16.764Z]    INFO ziti-edge-tunnel:ziti-edge-tunnel.c:582 on_event() =============== service event (added) - Wazuh:66Dz7CsoM3mUMyOlMPnEMY ===============
[2025-01-31T13:29:17.450Z]    INFO ziti-sdk:posture.c:206 ziti_send_posture_data() ztx[0] first run or potential controller restart detected
[2025-01-31T13:29:36.691Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T13:29:36.691Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 4246ms (attempt = 1)
[2025-01-31T13:29:56.071Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:50669 err=-13, terminating connection
[2025-01-31T13:29:57.112Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:50674 err=-13, terminating connection
[2025-01-31T13:29:57.112Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:50673 err=-13, terminating connection
[2025-01-31T13:29:57.112Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:50672 err=-13, terminating connection
[2025-01-31T13:29:57.625Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:50675 err=-13, terminating connection
[2025-01-31T13:29:59.420Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:50676 err=-13, terminating connection
[2025-01-31T13:30:00.942Z]   ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout
[2025-01-31T13:30:00.942Z]    INFO ziti-sdk:channel.c:812 reconnect_channel() ch[0] reconnecting in 667ms (attempt = 2)
[2025-01-31T13:30:02.540Z]   ERROR tunnel-sdk:tunnel_tcp.c:190 on_tcp_client_err() client=tcp:100.64.0.1:50677 err=-13, terminating connection

I can see the problem from your config:

      advertise: 127.0.0.1:3022

When a router starts up, based on the configuration file, it will inform the controller (and other identities) how identities are to connect to the router through this field.

So, you have a computer that is somewhere else trying to connect to your router, but the router told that identity "you can connect to me on 127.0.0.1:3022", which is exceptionally unlikely -- UNLESS you're on the computer running the router...

You do not. Correct. But you DO need to make sure that the controller and the routers "advertise" an address that is routable by all clients. Generally, this is a public DNS entry (or public IP if you must, but DNS is better).
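A static check for the misconfiguration diagnosed above, as an added example (not part of the original thread and not OpenZiti tooling): it pulls every `advertise` value out of a router config and classifies it from a remote client's point of view. The function names, verdict labels and the embedded sample config are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the listener sections of a router config shaped like the
# one posted in the thread, with the loopback advertise values.
SAMPLE_LOOPBACK = """\
link:
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:3022
      advertise:        tls:127.0.0.1:3022
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: 127.0.0.1:3022   # what edge clients are told to dial
"""

# [scheme:]host:port, where host may be a name, an IPv4 address or [IPv6].
ENDPOINT = re.compile(
    r"^(?:(?P<scheme>[a-z]+):)?(?P<host>\[[^\]]+\]|[^:\[\]]+):(?P<port>\d+)$"
)


def classify_host(host):
    """Judge an advertised host from the point of view of a remote client."""
    if host.lower() == "localhost":
        return "unreachable", "loopback name; resolves to the client itself"
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "check-dns", "hostname; every client must resolve and reach it"
    if ip.is_unspecified:
        return "unreachable", "wildcard bind address, not a destination"
    if ip.is_loopback:
        return "unreachable", "loopback; only valid on the router host itself"
    if ip.is_global:
        return "ok", "globally routable"
    return "lan-only", "private/shared range; clients need a route to it"


def audit_advertise(config_text):
    """Return one finding per `advertise:` value found in the config text."""
    findings = []
    section = None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()       # drop YAML comments
        top = re.match(r"^(\w+):", line)           # top-level key, e.g. link:
        if top:
            section = top.group(1)
            continue
        m = re.match(r"^\s+advertise:\s*(\S+)", line)
        if not m:
            continue
        value = m.group(1).strip("\"'")
        ep = ENDPOINT.match(value)
        if not ep:
            findings.append({"line": lineno, "section": section, "value": value,
                             "verdict": "invalid", "reason": "not host:port"})
            continue
        verdict, reason = classify_host(ep.group("host"))
        findings.append({"line": lineno, "section": section, "value": value,
                         "host": ep.group("host"), "port": int(ep.group("port")),
                         "verdict": verdict, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_advertise(SAMPLE_LOOPBACK):
        print(f"line {f['line']} [{f['section']}] {f['value']}: "
              f"{f['verdict']} ({f['reason']})")
```

A `lan-only` or `check-dns` verdict is not a failure by itself; it means the address still has to be tested from each client, for example with the `openssl s_client` check shown earlier in the thread.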

Ok thank you i understand !
basic I had put the LAN address hosting the controller and the router but following a certificate problem I had put back the localhost 127.0.0.1

I have just given the LAN network address of the machine (I am in a single LAN and my goal is to provide access to the services found in this LAN so we start from the principle that the machine knows the others via IP addresses)

I just re-tested and it gave me a terminator problem now... I have the impression that with each problem resolution a new one is created!!! lol

Yet Ziti has itself created a terminator

And when I look at the services I see them all:

edge router :

and edge router policy :

I have a domain and I can host a DNS without worries for later with machine names but for now I would just like to ensure a connection to a service and all work fine before set DNS and reverse Proxy. At the beginning I was greedy with Traefik and added certificate problems even before OpenZiti worked on its PKI with a classic service

janv. 31 17:23:20 openziti ziti[1747]: {"createDuration":3052086,"error":"invalid terminator: not found","file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:496","func":"github.com/openziti>
janv. 31 17:23:20 openziti ziti[1747]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:397","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*fabricProvider).establishTermin>
janv. 31 17:23:23 openziti ziti[1747]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:397","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*fabricProvider).establishTermin>
janv. 31 17:23:25 openziti ziti[1747]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:397","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*fabricProvider).establishTermin>
janv. 31 17:23:25 openziti ziti[1747]: {"file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:397","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*fabricProvider).establishTermin>
janv. 31 17:23:25 openziti ziti[1747]: {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:158","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).HandleServicesChange","level":">
janv. 31 17:23:25 openziti ziti[1747]: {"error":"invalid terminator: not found","file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:650","func":"github.com/openziti/ziti/router/xgress_edge_>
janv. 31 17:23:25 openziti ziti[1747]: {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:158","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).HandleServicesChange","level":">
janv. 31 17:23:25 openziti ziti[1747]: {"error":"invalid terminator: not found","file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:650","func":"github.com/openziti/ziti/router/xgress_edge_>
janv. 31 17:23:25 openziti ziti[1747]: {"file":"github.com/openziti/ziti/tunnel/intercept/svcpoll.go:158","func":"github.com/openziti/ziti/tunnel/intercept.(*ServiceListener).HandleServicesChange","level":">
janv. 31 17:23:25 openziti ziti[1747]: {"error":"invalid terminator: not found","file":"github.com/openziti/ziti/router/xgress_edge_tunnel/fabric.go:650","func":"github.com/openziti/ziti/router/xgress_edge_>
janv. 31 17:23:33 openziti ziti[1747]: {"error":"timeout waiting for response to create terminator request for terminator zNHAUWdb13CEeRVY70STs on service Ziti-1280","file":"github.com/openziti/ziti/router/>
janv. 31 17:23:35 openziti ziti[1747]: {"error":"timeout waiting for response to create terminator request for terminator 1NHSDPDSTuwdg34X2XTphJ on service Ziti-10080","file":"github.com/openziti/ziti/route>
janv. 31 17:23:35 openziti ziti[1747]: {"error":"timeout waiting for response to create terminator request for terminator 13R1bOYZ9zbNzAkBrdSHMH on service Ziti-3022","file":"github.com/openziti/ziti/router>

And the router config YAML:

v: 3

identity:
  cert:             "router.cert"
  server_cert:      "/var/lib/private/ziti-router/router.server.chain.cert"
  key:              "/var/lib/private/ziti-router/router.key"
  ca:               "/var/lib/private/ziti-router/router.cas"
  #alt_server_certs:
  #  - server_cert:  ""
  #    server_key:   ""

ha:
  enabled: false

ctrl:
  endpoint:             tls:ziti.DOMAINE:1280

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:3022
      advertise:        tls:192.168.1.36:3022
      options:
        outQueueSize:   4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: 192.168.1.36:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host



edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - localhost

        - openziti
      ip:
        - "127.0.0.1"
        - "::1"



#transport:
#  ws:
#    writeTimeout: 10
#    readTimeout: 5
#    idleTimeout: 120
#    pongTimeout: 60
#    pingInterval: 54
#    handshakeTimeout: 10
#    readBufferSize: 4096
#    writeBufferSize: 4096
#    enableCompression: true

forwarder:
  latencyProbeInterval: 0
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32

logging:
  level: info
  file: /var/log/openziti-router.log

Understandable. I'm sorry you're having a hard time. The ideas behind zero trust and OpenZiti are new to most people and OpenZiti has new/different terminology. Often, people try to apply the same techniques they are familiar with but doing that can end up causing problems as they learn how OpenZiti operates. Something you wrote is along these lines -- "before set DNS and reverse Proxy". Be aware that OpenZiti will not tolerate operating behind a web/http proxy that terminates TLS. You MUST allow TLS passthrough to the OpenZiti controller and router as OpenZiti is based on mutual TLS. You cannot terminate TLS or you'll end up with a different problem! :slight_smile:

Now as for "timeout waiting for response to create terminator request for terminator". This is one I have never seen. Can you simply stop the controller and stop the router and bring both up cleanly and reproduce this problem then share the logs with me? You can send them here via discourse with a DM if you like.

Above all, thank you for actually teaching me the concept of ZTN is new, I am used to WireGuard or IPSEC usually, but I love going further in security and openZiti seems really excellent to me! It's true that it's quite a different vision but one that I like and makes me want to continue and succeed!!!

I put all the complete logs in a file:

Thanks for the logs. I see they are truncated at 200 characters wide but a few things.

'ping'

I see from your logs you tried to ping an IP you are trying to intercept. Note that OpenZiti doesn't actually support ping in the way you're used to. That can be a whole separate forum post though, so I won't dwell on that.

router logs don't have terminator issue

I no longer see issues with the odd error you reported before:

"timeout waiting for response to create terminator request for terminator

Because I don't see that, it appears that things are operating properly.

client logs

In these logs I see:

[2025-01-31T17:07:05.320Z] ERROR ziti-sdk:channel.c:750 ch_connect_timeout() ch[0] connect timeout

You updated your router configuration file? Are you able to run the ziti ops verify-traffic command from a different machine than the one where the router runs?