Tunneler Identity Removal from AppWan Issue

We came across an issue with the tunneler. This is deployed on minimop - Cloud Engineering Platform. The iptables rules don’t get cleaned up when the tunneler identity is removed from the appwan. Also, UDP rules get created automatically and they don’t get cleaned up at all unless the tunneler app is restarted.

Thanks @dariuszSki - do you have steps to reproduce this problem? Do you know exactly how it’s getting triggered?

ziti version 0.5.6-2510

  1. enroll tunneler
  2. start tunneler
  3. create a service
  4. add tunneler identity and service to appwan
  5. forwarding rules are configured as expected.
  6. remove tunneler identity from appwan
  7. forwarding rules are not removed
  8. remove service from appwan
  9. tcp forwarding rule is removed except for udp rule
  10. restart tunneler app
  11. udp forwarding rule is removed

How long are you waiting? I think the tunneler takes like 5 minutes before it notices a change like removing it from the appwan.

Definitely not 5 min, will check again.

Still the same after more than 5 min. When the service is removed from AppWan, it takes less than 30 seconds to remove the forwarding rules.

I don’t have a 0.5 test environment breathing at the moment, but I’m pretty sure that this issue was fixed with a recent PR that went into 0.7 (https://github.com/netfoundry/ziti-edge/pull/24).

I’ll double check the behavior in 0.7 to be sure. Stand by.

The issue that you found here exists in 0.7 also. I’ll start a GH issue and fix, and we’ll figure out how to make a 0.5 build available. :slight_smile:

Sounds good. Thanks!

I spoke too soon. I was inadvertently running an old 0.7 build that existed before I made the above-mentioned fix. So this issue no longer exists in 0.7.

Of course it would be swell if you were willing to upgrade to 0.7 or could live with this issue until you do :)… But we can backport the fix into 0.5 if this is a blocker for you. Let me know.