Proxmox Backup Server with ZET / terminating connection

Hi,

Trying to figure out what my problem is :grinning_face:
I have two Proxmox Backup Servers (pbs1 and pbs2), and pbs2 is pulling backups from pbs1 over ziti. Now when sync jobs start on pbs2 I see the following errors in syslog. On pbs1 there is nothing in the logs.

Wondering why ip 100.64.0.1 and not .3 where pbs1 is?

I have ZET v1.5.12 installed on both backup servers and controller/routers are v1.5.4.

May 15 11:00:44 pbs2 ziti-edge-tunnel[1035]: (1035)[      235.630]   ERROR tunnel-sdk:tunnel_tcp.c:191 on_tcp_client_err() client=tcp:100.64.0.1:44700 err=-14, terminating connection
May 15 11:00:45 pbs2 ziti-edge-tunnel[1035]: (1035)[      236.017]   ERROR tunnel-sdk:tunnel_tcp.c:191 on_tcp_client_err() client=tcp:100.64.0.1:44716 err=-14, terminating connection
May 15 11:00:45 pbs2 ziti-edge-tunnel[1035]: (1035)[      236.460]   ERROR tunnel-sdk:tunnel_tcp.c:191 on_tcp_client_err() client=tcp:100.64.0.1:44732 err=-14, terminating connection
May 15 11:00:45 pbs2 ziti-edge-tunnel[1035]: (1035)[      236.789]   ERROR tunnel-sdk:tunnel_tcp.c:191 on_tcp_client_err() client=tcp:100.64.0.1:44742 err=-14, terminating connection
May 15 11:00:46 pbs2 ziti-edge-tunnel[1035]: (1035)[      237.188]   ERROR tunnel-sdk:tunnel_tcp.c:191 on_tcp_client_err() client=tcp:100.64.0.1:44748 err=-14, terminating connection
May 15 11:00:46 pbs2 ziti-edge-tunnel[1035]: (1035)[      237.487]   ERROR tunnel-sdk:tunnel_tcp.c:191 on_tcp_client_err() client=tcp:100.64.0.1:44754 err=-14, terminating connection
May 15 11:00:46 pbs2 ziti-edge-tunnel[1035]: (1035)[      237.845]   ERROR tunnel-sdk:tunnel_tcp.c:191 on_tcp_client_err() client=tcp:100.64.0.1:44764 err=-14, terminating connection
May 15 11:00:47 pbs2 ziti-edge-tunnel[1035]: (1035)[      238.155]   ERROR tunnel-sdk:tunnel_tcp.c:191 on_tcp_client_err() client=tcp:100.64.0.1:44768 err=-14, terminating connection

I think the -14 means you are receiving a TCP RST packet. Are these coming very quickly? You could have a loop in your configs/policies, where the device you are dialing from is also hosting the service, and the process is looping on itself.

The easiest way to look is the policy-advisor. On the controller, use:

ziti edge policy-advisor <identities OR services> <elementID>

This will output a list of the identities, services, and permissions for each combination. You want to look for an identity that has both dial and bind permissions for the same service. If you see that, you are most likely looping. Often, this happens when someone sets an attribute and accidentally uses it in both dial and bind policies.

If that's not it, drop in the configs and policies so they can be reviewed.
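The check described above (one identity holding both dial and bind on the same service), as an added example that is not part of the original post or OpenZiti's own tooling: it parses policy-advisor output in the line format shown later in this thread and reports such pairs. The sample lines, including the `srv-demo` and `demo-svc` names, are constructed.

```python
import re
import sys
from collections import defaultdict

# One result line, in the format printed in this thread:
# STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (a/b) Dial: Y Bind: N
LINE_RE = re.compile(
    r"^(?P<status>\w+)\s*:\s*(?P<identity>.+?)\s*\(\d+\)\s*->\s*"
    r"(?P<service>.+?)\s*\(\d+\)\s+Common Routers"
    r".*?Dial:\s*(?P<dial>[YN])\s+Bind:\s*(?P<bind>[YN])"
)

# Constructed sample: two lines shaped like the thread's output, plus a
# hypothetical identity (srv-demo) that can both dial and bind demo-svc.
SAMPLE = """\
Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST
-------------------------------------------------------------------------------
OKAY : srv-pbs2 (2) -> pbs2-pbs1-api (4) Common Routers: (2/2) Dial: Y Bind: N
OKAY : srv-pbs1 (4) -> pbs2-pbs1-api (4) Common Routers: (4/4) Dial: N Bind: Y
OKAY : srv-demo (2) -> demo-svc (2) Common Routers: (2/2) Dial: Y Bind: Y
"""


def parse(text):
    """Yield (identity, service, can_dial, can_bind) for each result line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header, separator and blank lines do not match
            yield m["identity"], m["service"], m["dial"] == "Y", m["bind"] == "Y"


def find_loops(text):
    """Return sorted (identity, service) pairs that hold both dial and bind."""
    perms = defaultdict(lambda: [False, False])
    for ident, svc, dial, bind in parse(text):
        # Merge duplicates: the same pair shows up when several runs are pasted together.
        perms[(ident, svc)][0] |= dial
        perms[(ident, svc)][1] |= bind
    return sorted(pair for pair, (d, b) in perms.items() if d and b)


if __name__ == "__main__":
    # Pipe real policy-advisor output on stdin, or run with no input for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ident, svc in find_loops(text):
        print(f"possible loop: {ident} can dial AND bind {svc}")
```
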

Hi, just checked and if I understand correctly there is no loop.

What is the easiest way to get the config and policies?


timo@TIMO-P14s:~$ ziti edge policy-advisor services pbs2-pbs1-api

Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST
-------------------------------------------------------------------------------
OKAY : srv-pbs2 (2) -> pbs2-pbs1-api (4) Common Routers: (2/2) Dial: Y Bind: N

OKAY : srv-pbs1 (4) -> pbs2-pbs1-api (4) Common Routers: (4/4) Dial: N Bind: Y

....

timo@TIMO-P14s:~$ ziti edge policy-advisor identities srv-pbs1

Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST
-------------------------------------------------------------------------------
OKAY : srv-pbs1 (4) -> pbs2-pbs1-api (4) Common Routers: (4/4) Dial: N Bind: Y

....

timo@TIMO-P14s:~$ ziti edge policy-advisor identities srv-pbs2

Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST
-------------------------------------------------------------------------------
OKAY : srv-pbs2 (2) -> pbs2-portal (4) Common Routers: (2/2) Dial: N Bind: Y

OKAY : srv-pbs2 (2) -> pbs2-pbs1-api (4) Common Routers: (2/2) Dial: Y Bind: N

Thanks @mike.gorman, this may have been resolved; I will be monitoring for a couple of days.
The problem wasn't OpenZiti, it was on the underlying Proxmox VE host's Ethernet card driver...
