URGENT!... Unable to access RDP service

cat /var/lib/private/ziti-controller/config.yml
v: 3

#trace:

path: "ztna.xxxxxxxxxxxx.com.trace"

#profile:

memory:

path: ctrl.memprof

db: "/var/lib/private/ziti-controller/bbolt.db"

uncomment and configure to enable HA

cluster:

dataDir: "/var/lib/private/ziti-controller/raft"

identity:
cert: "pki/intermediate/certs/client.chain.pem"
server_cert: "pki/intermediate/certs/server.chain.pem"
key: "pki/intermediate/keys/server.key"
ca: "pki/root/certs/root.cert"
#alt_server_certs:

- server_cert: ""

server_key: ""

trust domains may be overridden by SPIFFE ID as URI SAN

#trustDomain: ziti.example.com

additional trust domains allow for migrating to a new trust domain

#additionalTrustDomains:

Network Configuration

Configure how the controller will establish and manage the overlay network, and routing operations on top of

the network.

#network:

routeTimeoutSeconds controls the number of seconds the controller will wait for a route attempt to succeed.

#routeTimeoutSeconds: 10

createCircuitRetries controls the number of retries that will be attempted to create a path (and terminate it)

for new circuits.

#createCircuitRetries: 2

pendingLinkTimeoutSeconds controls how long we'll wait before creating a new link between routers where

there isn't an established link, but a link request has been sent

#pendingLinkTimeoutSeconds: 10

Defines the period that the controller re-evaluates the performance of all of the circuits

running on the network.

#cycleSeconds: 15

Sets router minimum cost. Defaults to 10

#minRouterCost: 10

Sets how often a new control channel connection can take over for a router with an existing control channel connection

Defaults to 1 minute

#routerConnectChurnLimit: 1m

Sets the latency of link when it's first created. Will be overwritten as soon as latency from the link is actually

reported from the routers. Defaults to 65 seconds.

#initialLinkLatency: 65s

#smart:

Defines the fractional upper limit of underperforming circuits that are candidates to be re-routed. If

smart routing detects 100 circuits that are underperforming, and smart.rerouteFraction is set to 0.02,

then the upper limit of circuits that will be re-routed in this cycleSeconds period will be limited to

2 (2% of 100).

#rerouteFraction: 0.02

Defines the hard upper limit of underperforming circuits that are candidates to be re-routed. If smart

routing detects 100 circuits that are underperforming, and smart.rerouteCap is set to 1, and

smart.rerouteFraction is set to 0.02, then the upper limit of circuits that will be re-routed in this

cycleSeconds period will be limited to 1.

#rerouteCap: 4

the endpoint that routers will connect to the controller over.

ctrl:
options:
advertiseAddress: tls:ztna.xxxxxxxxxxxx.com:1280

(optional) settings

set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1)

#maxQueuedConnects: 1

the maximum number of connects that have begun hello synchronization (1 to 1000, default 16)

#maxOutstandingConnects: 16

the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 5000ms)

#connectTimeoutMs: 5000
listener: tls:0.0.0.0:1280

#metrics:

influxdb:

url: http://localhost:8086

database: ziti

xctrl_example

#example:

enabled: false

delay: 5s

healthChecks:
boltCheck:

How often to try entering a bolt read tx. Defaults to 30 seconds

interval: 30s

When to time out the check. Defaults to 20 seconds

timeout: 20s

How long to wait before starting the check. Defaults to 30 seconds

initialDelay: 30s

By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this

section, commenting out, or altering the name of the section will cause the edge to not run.

edge:

This section represents the configuration of the Edge API that is served over HTTPS

api:
#(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted

activityUpdateInterval: 90s

#(optional, default 250) The number of API Sessions updated for last activity per transaction

activityUpdateBatchSize: 250

sessionTimeout - optional, default 30m

The number of minutes before an Edge API session will time out. Timeouts are reset by

API requests and connections that are maintained to Edge Routers

sessionTimeout: 30m

address - required

The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses

defined in this Controller.WebListener.'s bindPoints.

address: ztna.xxxxxxxxxxxx.com:1280

This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities.

enrollment:

signingCert - required

A Ziti Identity configuration section that specifically makes use of the cert and key fields to define

a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert

will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller.

signingCert:
cert: pki/intermediate/certs/intermediate.cert
key: pki/intermediate/keys/intermediate.key

edgeIdentity - optional

A section for identity enrollment specific settings

edgeIdentity:

duration - optional, default 180m

The length of time that a Ziti Edge Identity enrollment should remain valid. After

this duration, the enrollment will expire and no longer be usable.

duration: 180m

edgeRouter - Optional

A section for edge router enrollment specific settings.

edgeRouter:

duration - optional, default 180m

The length of time that a Ziti Edge Router enrollment should remain valid. After

this duration, the enrollment will expire and no longer be usable.

duration: 180m

web

Defines webListeners that will be hosted by the controller. Each webListener can host many APIs and be bound to many

bind points.

web:

name - required

Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.

  • name: client-management

    bindPoints - required

    One or more bind points are required. A bind point specifies an interface (interface:port string) that defines

    where on the host machine the webListener will listen and the address (host:port) that should be used to

    publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for

    incoming address resolution as well as used in responses in the API.

    bindPoints:
    #interface - required

    A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces

    • interface: 0.0.0.0:1280

      address - required

      The public address that external incoming requests will be able to resolve. Used in request processing and

      response content that requires full host:port/path addresses.

      address: ztna.xxxxxxxxxxxx.com:1280

    identity - optional

    Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.

    identity:
    ca: "pki/root/certs/root.cert"
    key: "pki/intermediate/keys/server.key"
    server_cert: "pki/intermediate/certs/server.chain.pem"
    cert: "pki/intermediate/certs/client.chain.pem"
    #alt_server_certs:
    #- server_cert: ""

    server_key: ""

    options - optional

    Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are

    used for all http servers started by the current webListener.

    options:

    idleTimeoutMs - optional, default 5000ms

    The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high

    can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value

    will cause clients to reconnect on subsequent HTTPs requests.

    idleTimeout: 5000ms #http timeouts, new

    readTimeoutMs - optional, default 5000ms

    The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher

    value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency

    or packet loss. A lower value can risk losing connections to high latency/packet loss clients.

    readTimeout: 5000ms

    writeTimeoutMs - optional, default 100000ms

    The total maximum time in milliseconds that the http server will wait for a single requests to be received and

    responded too. A higher value can allow long-running requests to consume resources on the host. A lower value

    can risk ending requests before the server has a chance to respond.

    writeTimeout: 100000ms

    minTLSVersion - optional, default TLS1.2

    The minimum version of TSL to support

    minTLSVersion: TLS1.2

    maxTLSVersion - optional, default TLS1.3

    The maximum version of TSL to support

    maxTLSVersion: TLS1.3

    apis - required

    Allows one or more APIs to be bound to this webListener

    apis:

    binding - required

    Specifies an API to bind to this webListener. Built-in APIs are

    - edge-management

    - edge-client

    - fabric-management

    • binding: edge-management

      options - arg optional/required

      This section is used to define values that are specified by the API they are associated with.

      These settings are per API. The example below is for the 'edge-api' and contains both optional values and

      required values.

      options: { }

    • binding: zac
      options:
      location: /opt/openziti/share/console
      indexFile: index.html

    • binding: edge-client
      options: { }

    • binding: fabric
      options: { }

    • binding: edge-oidc
      options: { }

    • binding: zac
      options:
      location: /opt/openziti/share/console
      indexFile: index.html

I do see issues with /var/lib/private/ziti-router/config.yml .. Trying to correct that..

cat /var/lib/private/ziti-router/config.yml
v: 3

identity:
  cert: "router.cert"
  server_cert: "/var/lib/private/ziti-router/router.server.chain.cert"
  key: "/var/lib/private/ziti-router/router.key"
  ca: "/var/lib/private/ziti-router/router.cas"
  #alt_server_certs:
  #  - server_cert: ""
  #    server_key: ""

ha:
  enabled: false

ctrl:
  endpoint: tls:ztna.xxxxxxxxxxxx.com:1280

link:
  dialers:
    - binding: transport
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:3022
      advertise: tls:localhost:3022
      options:
        outQueueSize: 4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: localhost:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host

edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - localhost
        - localhost
        - debian12
      ip:
        - "127.0.0.1"
        - "::1"

#transport:
#  ws:
#    writeTimeout: 10
#    readTimeout: 5
#    idleTimeout: 120
#    pongTimeout: 60
#    pingInterval: 54
#    handshakeTimeout: 10
#    readBufferSize: 4096
#    writeBufferSize: 4096
#    enableCompression: true

forwarder:
  latencyProbeInterval: 0
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32

Based on that config, I'd say it wasn't set up with an advertised address that'll be usable by much (probably nothing really).

I would do a full delete/reinstall of that router (or deploy another whatever you choose) and make sure the advertised address after you install it doesn't use the hostname of the machine. Key fields to check are this:

advertise: tls:localhost:3022

and this block:

dns:
  - localhost
  - localhost
  - debian12
ip:
  - "127.0.0.1"
  - "::1"

both of those NEED to have an address in them that any device can connect to from 'anywhere'.
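The check described in this reply, as an added example (not code from the thread or from the OpenZiti project). It scans a router config for `advertise:` values and `edge.csr.sans` entries that only resolve on the router itself. The sample config is constructed from the fields quoted above, and the function names, the scheme list `tls|tcp|ws|wss` and the "single-label hostname" rule are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed sample: only the fields of the router config that the reply points at.
SAMPLE_ROUTER_CONFIG = """\
link:
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:3022
      advertise: tls:localhost:3022
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: localhost:3022
edge:
  csr:
    sans:
      dns:
        - localhost
        - localhost
        - debian12
      ip:
        - "127.0.0.1"
        - "::1"
"""

# advertise: [scheme:]host:port  (scheme list is an assumption of this example)
ADVERTISE_RE = re.compile(
    r"^advertise:\s*(?:(?:tls|tcp|ws|wss):)?(?P<host>.+):(?P<port>\d+)$"
)


def host_problem(host):
    """Return why `host` cannot be reached by remote clients, or None if it looks usable."""
    h = host.strip("\"'[]").lower()
    if h == "localhost":
        return "localhost resolves to the connecting machine itself"
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        # Not an IP literal: treat names without a dot as machine-local hostnames.
        if "." not in h:
            return "single-label hostname, not resolvable from other networks"
        return None
    if ip.is_loopback:
        return "loopback address"
    if ip.is_unspecified:
        return "unspecified address (fine for bind, not for advertise)"
    return None


def audit_router_config(text):
    """Return a list of (line_number, item, reason); line 0 marks the SAN summary."""
    findings = []
    sans = {"dns": [], "ip": []}
    in_sans, sans_indent, kind = False, 0, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing comments
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = ADVERTISE_RE.match(stripped)
        if m:
            why = host_problem(m.group("host"))
            if why:
                findings.append((lineno, stripped, why))
            continue
        if stripped == "sans:":
            in_sans, sans_indent, kind = True, indent, None
            continue
        if in_sans:
            if indent <= sans_indent:              # left the sans: block
                in_sans = False
            elif stripped in ("dns:", "ip:"):
                kind = stripped[:-1]
            elif stripped.startswith("- ") and kind:
                sans[kind].append(stripped[2:].strip().strip("\"'"))
    entries = sans["dns"] + sans["ip"]
    if entries and not any(host_problem(e) is None for e in entries):
        findings.append((0, "edge.csr.sans",
                         "no SAN entry is a name or address other devices can reach"))
    return findings


if __name__ == "__main__":
    for lineno, item, why in audit_router_config(SAMPLE_ROUTER_CONFIG):
        print(f"line {lineno}: {item}: {why}")
```
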

Sorry about the delay to reply.. I did multiple re-installs and here's where I am now:

The client does not seem to be able to connect to Edge Router. The identity will show a green(online) on zac only if the identity is marked as 'IsAdmin'. Not able to RDP from the client still. Able to ping, not RDP.

Here are the Service Logs on the client:

[2026-02-10T06:50:44.173Z] INFO ziti-sdk:utils.c:197 ziti_log_set_level() set log level: root=3/INFO
[2026-02-10T06:50:44.173Z] INFO ziti-sdk:utils.c:166 ziti_log_init() Ziti C SDK version 1.9.17 @g12ffdab(HEAD) starting at (2026-02-10T06:50:44.173)
[2026-02-10T06:50:44.173Z] INFO ziti-edge-tunnel:windows-scripts.c:326 remove_all_nrpt_rules() removing NRPT rules matching filter: $_.Comment.StartsWith('Added by ziti-edge-tunnel')
[2026-02-10T06:50:45.352Z] INFO ziti-edge-tunnel:instance-config.c:72 load_tunnel_status_from_file() Loading config file from c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\config.json
[2026-02-10T06:50:45.355Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1500 run() ============================ service begins ================================
[2026-02-10T06:50:45.355Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1501 run() Logger initialization
[2026-02-10T06:50:45.355Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1503 run() - config file : c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\config.json
[2026-02-10T06:50:45.355Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1505 run() - initialized at : Tue Feb 10 2026, 01:50:45 AM (local time), 2026-02-10T06:50:45 (UTC)
[2026-02-10T06:50:45.355Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1506 run() - log file location: C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service\ziti-tunneler.log.202602100000.log
[2026-02-10T06:50:45.355Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1508 run() - C SDK Version : 1.9.17:HEAD@g12ffdab
[2026-02-10T06:50:45.355Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1509 run() - Tunneler SDK : v1.9.6
[2026-02-10T06:50:45.355Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1513 run() ============================================================================
[2026-02-10T06:50:45.356Z] INFO ziti-sdk:utils.c:197 ziti_log_set_level() set log level: root=3/INFO
[2026-02-10T06:50:45.360Z] INFO ziti-edge-tunnel:tun.c:194 tun_open() Wintun v0.0 loaded
[2026-02-10T06:50:45.361Z] INFO ziti-edge-tunnel:tun.c:165 flush_dns() DnsFlushResolverCache succeeded
[2026-02-10T06:50:46.109Z] INFO ziti-edge-tunnel:tun.c:97 WintunLogger() Using existing driver 0.14
[2026-02-10T06:50:46.118Z] INFO ziti-edge-tunnel:tun.c:97 WintunLogger() Creating adapter
[2026-02-10T06:50:46.936Z] INFO ziti-edge-tunnel:tun.c:469 update_default_route() default route is now via if_idx[18], metric=0
[2026-02-10T06:50:46.937Z] INFO ziti-edge-tunnel:tun.c:488 if_change_cb() updating excluded routes
[2026-02-10T06:50:51.082Z] INFO ziti-edge-tunnel:windows-scripts.c:491 is_nrpt_policies_effective() NRPT policies are effective in this system
[2026-02-10T06:50:52.880Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:885 run_tunnel() Setting interface metric to 255
[2026-02-10T06:50:52.949Z] INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v1.9.6)
[2026-02-10T06:50:52.956Z] INFO tunnel-cbs:ziti_dns.c:173 seed_dns() DNS configured with range 100.64.0.0 - 100.127.255.255 (4194302 ips)
[2026-02-10T06:50:52.956Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1067 run_tunneler_loop() Loading identity files from C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\NetFoundry
[2026-02-10T06:50:52.957Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:407 load_identities() loading identity file: antolaptopitroom.json
[2026-02-10T06:50:53.060Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1192 load_ziti_async() attempting to load ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antolaptopitroom.json]
[2026-02-10T06:50:53.060Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1199 load_ziti_async() loading ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antolaptopitroom.json]
[2026-02-10T06:50:53.060Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:424 load_id_cb() identity[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antolaptopitroom.json] loaded
[2026-02-10T06:50:53.063Z] INFO ziti-sdk:ziti.c:526 ziti_start_internal() ztx[1] enabling Ziti Context
[2026-02-10T06:50:53.079Z] INFO ziti-sdk:ziti.c:542 ziti_start_internal() ztx[1] using tlsuv[v0.39.7/OpenSSL 3.6.0 1 Oct 2025]
[2026-02-10T06:50:53.079Z] INFO ziti-sdk:ziti_ctrl.c:639 ziti_ctrl_init() ctrl[https://ztna.xxxxxx.com:1280] controller initialized
[2026-02-10T06:50:53.079Z] INFO ziti-sdk:ziti.c:620 ztx_init_controller() ztx[1] Loading ziti context with controller[https://ztna.xxxxxx.com:1280]
[2026-02-10T06:50:53.171Z] INFO ziti-sdk:ziti.c:2040 version_pre_auth_cb() ztx[1] connected to controller https://ztna.xxxxxx.com:1280 version v1.6.12(5afd4d7837fc 2025-12-04T23:23:51Z)
[2026-02-10T06:50:53.171Z] INFO ziti-sdk:ziti.c:2042 version_pre_auth_cb() ztx[1] using OIDC authentication method
[2026-02-10T06:50:53.171Z] INFO ziti-sdk:oidc.c:90 oidc_client_init() oidc[internal] initializing with provider[https://ztna.xxxxxx.com:1280/oidc]
[2026-02-10T06:50:53.340Z] INFO ziti-sdk:oidc.c:269 request_token() oidc[internal] requesting token path[https://ztna.xxxxxx.com:1280/oidc/oauth/token] auth[52a1VIPcfyEKsglSJbnLYptDUhNvdEEIDgO7by_0TidMEjIsLk8yfQWt7qfJ3DhKHkoC1A&state=MTpfVhaOu6sM_SQ5pekTyrEvyvAWinYW6ed5If82]
[2026-02-10T06:50:53.465Z] INFO ziti-sdk:posture.c:206 ziti_send_posture_data() ztx[1] first run or potential controller restart detected
[2026-02-10T06:50:53.545Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1004 on_ziti_event() ziti_ctx[AntoLaptopITRoom] connected to controller
[2026-02-10T06:50:53.583Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\antolaptopitroom.json] context event : status is OK
[2026-02-10T06:50:53.602Z] INFO ziti-sdk:channel.c:265 new_ziti_channel() ch[0] (MainRouter1) new channel for ztx[1] identity[AntoLaptopITRoom]
[2026-02-10T06:50:53.602Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1080 on_ziti_event() ztx[AntoLaptopITRoom] added edge router MainRouter1@ztna.xxxxxx.com
[2026-02-10T06:50:53.710Z] WARN ziti-edge-tunnel:ziti-edge-tunnel.c:824 on_event() unhandled event received: 6
[2026-02-10T06:50:53.710Z] INFO ziti-sdk:channel.c:836 reconnect_channel() ch[0] reconnecting NOW
[2026-02-10T06:50:53.751Z] INFO tunnel-cbs:ziti_tunnel_cbs.c:414 new_ziti_intercept() creating intercept for service[fil01] with intercept.v1 = { "addresses": [ "fil01.ziti" ], "portRanges": [ { "high": 3389, "low": 3389 } ], "protocols": [ "tcp", "udp" ] }
[2026-02-10T06:50:53.751Z] INFO tunnel-cbs:ziti_dns.c:349 new_ipv4_entry() registered DNS entry fil01.ziti -> 100.64.0.3
[2026-02-10T06:50:53.752Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:961 on_service() starting intercepting for service[fil01]
[2026-02-10T06:50:53.752Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:976 on_service() hosting server_address[?:10.196.12.211:3389] service[fil01]
[2026-02-10T06:50:53.752Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:586 on_event() =============== service event (added) - fil01:7DF7AzBKWMbGggvNNAxa1G ===============
[2026-02-10T06:50:53.778Z] INFO ziti-sdk:channel.c:734 hello_reply_cb() ch[0] connected. EdgeRouter version: v1.6.12|5afd4d7837fc|2025-12-04T23:23:51Z|linux|amd64
[2026-02-10T06:50:53.778Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1085 on_ziti_event() ztx[AntoLaptopITRoom] router MainRouter1 connected
[2026-02-10T06:50:53.778Z] WARN ziti-edge-tunnel:ziti-edge-tunnel.c:824 on_event() unhandled event received: 6
[2026-02-10T06:50:53.782Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:50:53.782Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:50:54.124Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:50:54.124Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:50:54.649Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:50:54.649Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:50:58.116Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:50:58.116Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:51:03.196Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:51:03.196Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:51:10.414Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:51:10.414Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:51:27.262Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:51:27.262Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:51:28.800Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:51:28.800Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:51:54.713Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:51:54.713Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE
[2026-02-10T06:51:54.948Z] ERROR ziti-sdk:ziti_ctrl.c:526 ctrl_body_cb() ctrl[https://ztna.xxxxxx.com:1280] API request[/sessions] failed code[NO_EDGE_ROUTERS_AVAILABLE] message[No edge routers are assigned and online to handle the requested connection]
[2026-02-10T06:51:54.948Z] WARN ziti-sdk:bind.c:252 session_cb() server1.0 failed to get session for service[fil01]: -17/NO_EDGE_ROUTERS_AVAILABLE

ziti ops verify network --controller-config-file /var/lib/private/ziti-controller/config.yml
INFO Verifying controller config: /var/lib/private/ziti-controller/config.yml
INFO controller advertise address at ztna.xxxx.com:1280 is available.
INFO verifying 1 web entries
INFO verifying 1 web bindPoints
INFO web entry[client-management], bindPoint[0] address at ztna.xxxx.com:1280 is available.
INFO web entry[client-management], bindPoint[0] is valid

INFO All requested checks passed.

ziti ops verify network --router-config-file /var/lib/private/ziti-router/config.yml
INFO Verifying router config: /var/lib/private/ziti-router/config.yml
INFO ctrl endpoint at ztna.xxxx.com:1280 is available.
INFO verifying 1 web link listeners
INFO link listener[0] at ztna.xxxx.com:3022 is available.
INFO link listener[0] is valid
INFO verifying 2 web edge listeners
INFO listener binding[0] at ztna.xxxx.com:3022 is available.
INFO listener binding[0] is valid
INFO listener binding[1] has binding tunnel and doesn't need to be verified
INFO listener binding[1] is valid

INFO All requested checks passed.

@TheLumberjack Can you help please???

Hi @ageorge, let me set expectations here if I may. If you require urgent support, please consider using the NetFoundry NaaS offering. That offers 24x7 support and can get someone like me or another NetFoundry employee looking at problems urgently as you would imagine. OpenZiti support is on a community basis. I replied to your original thread 14 days ago and you replied here yesterday and then bumped the thread today. That's fine, but I have commitments to the company and we all need to balance our support of the community against those commitments.

I haven't had time to go back through your post. I see you still haven't run the verify traffic command, that's what I recommended 16 days ago here URGENT!... Unable to access RDP service - #9 by TheLumberjack

Could you please ensure verify traffic works now. I'll follow up as I can, thanks

Apologies.. Really sorry for the trouble.

I was trying to figure out what's wrong.. I re-created 7 VMs with Openziti during the last few days to try and find the issue..

I understand that we can go for a support package.. and the intention is to do that too.. if things work well. We intend to move from our VPN system to ziti.. Only once I can make this work, we can get to the subscription model..

The following is the output of the command you gave. I ran the command from the same VM where the ziti is installed since the clients I am using are using Windows Edge client:

ziti ops verify traffic -- node both
WARNING no prefix and mode is not 'both'. default prefix of 2026-02-11-1055 will be used
Using controller url: https://ztna.xxxxxx.com:1280/edge/management/v1 from identity 'default' in config file: /root/.config/ziti/ziti-cli.json
Using username: admin from identity 'default' in config file: /root/.config/ziti/ziti-cli.json
Enter password:
Token: bd3f78c5-0930-4956-9772-ee4cacbf354f
Saving identity 'default' to /root/.config/ziti/ziti-cli.json
INFO generating P-384 EC key
INFO generating P-384 EC key
INFO waiting 10s for terminator for service: 2026-02-11-1055.traffic
INFO successfully bound service: 2026-02-11-1055.traffic.

INFO Server is listening for a connection and will exit when one is received.
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request OfoxlFpFq: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request BCh1yFFF5: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request gtY1yppF5: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
ERROR failed to create bind session for service 0xc000aced80 serviceName=2026-02-11-1055.traffic error="error for request gtY1yppF5: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection"
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request dtYxlFpF5: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request ZJlxyppFq: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2026-02-11-1055.traffic errorType="*rest_util.APIFormattedError" error="error for request JbjxlpFF5: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection"
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request yY3xlFppq: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
ERROR failed to create bind session for service 0xc000aced80 error="error for request yY3xlFppq: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" serviceName=2026-02-11-1055.traffic
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request r431lFpF5: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request UVk1lppFq: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
WARNING failure creating Bind session to service 2026-02-11-1055.traffic error="error for request tZzxlFFFq: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection" errorType="*rest_util.APIFormattedError"
FATAL terminator not found for service: 2026-02-11-1055.traffic

On your remote workstation using the Edge client, try to ensure that PC can reach your Edge router by telnet to its public ip and port 3022. If there's a firewall blocking this port you are also going to have issues.

In ZAC, I always ensure the service correctly establishes the router as terminator as well

My issue happens even from the system within the network. I have opened the port in firewall as well. I have already tested using telnet and that has been successful too from within network and outside.

Alrighty, I can give this some more time! :slight_smile:

NO_EDGE_ROUTERS_AVAILABLE is a pretty clear indicator that "something is still wrong" (which is hopefully obvious).

That can be caused by connectivity issues between the router and the controller or it can be caused through policy.

The first way I would start debugging this is with these two ziti cli commands:

ziti edge list ers

and

ziti edge policy-advisor identities

These two commands will output stuff like:

cdaws:ubuntu@ip-172-31-47-200:~$ ziti edge list ers
╭────────────┬──────────────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME                         │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼──────────────────────────────┼────────┼───────────────┼──────┼────────────┤
│ eM0NBWcsdI │ ip-172-31-47-200-edge-router │ true   │ true          │    0 │ public     │
╰────────────┴──────────────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-1 of 1
ziti edge policy-advisor identities  exampleprefix.server -q
OKAY : exampleprefix.server (1) -> normal-user-01.svc.0.ziti (1) Common Routers: (1/1) Dial: Y Bind: N

Looking at this output you can see the one edge router I have is deemed "online" by the controller. The router was able to connect to the controller, and it succeeded.

Looking at policy advisor, it says that the one identity in question has "common routers" 1 out of 1. Meaning, of the common routers, 1 is online - good!

Now if I stop my router and rerun policy advisor you'll see:

 ziti edge policy-advisor identities  exampleprefix.server -q
ERROR: exampleprefix.server (1) -> normal-user-01.svc.0.ziti (1) Common Routers: (0/1) Dial: Y Bind: N
  - Common edge routers are all off-line. Bring routers back on-line or adjust edge router policies and/or service edge router policies to increase common router pool.

That's obviously bad. Can you list your routers and run policy advisor on an identity (or on a service if you prefer)? Hopefully you'll be able to find what's wrong.

The only other option would be that the router is online and authorized but your client can't connect to the edge router. That, I think, would show up with a different error.

Thank you for the response @TheLumberjack.

Here are how my commands went:

ziti edge list ers
error: error listing https://ztna.xxxxxx.com:1280/edge/management/v1/edge-routers in Ziti Edge Controller. Status code: 401 Unauthorized, Server returned: {
"error": {
"code": "UNAUTHORIZED",
"message": "The request could not be completed. The session is not authorized or the credentials are invalid",
"requestId": "lTqJiRFp5"
},
"meta": {
"apiEnrollmentVersion": "0.0.1",
"apiVersion": "0.0.1"
}

ziti edge policy-advisor identities

Policy General Guidelines
In order for an identity to dial or bind a service, the following must be true:

  • The identity must have access to the service via a service policy of the correct type (dial or bind)
  • The identity must have access to at least one on-line edge router via an edge router policy
  • The service must have access to at least one on-line edge router via a service edge router policy
  • There must be at least one on-line edge router that both the identity and service have access to.

Policy Advisor Output Guide:
STATUS = The status of the identity -> service reachability. Will be OKAY or ERROR.
ID = identity name
ID ROUTERS = number of routers accessible to the identity via edge router policies.
  • See edge router polices for an identity: ziti edge controller list identity edge-router-policies
SVC = service name
SVC ROUTERS = number of routers accessible to the service via service edge router policies.
  • See service edge router policies for a service with: ziti edge controller list service service-edge-router-policies
ONLINE COMMON ROUTERS = number of routers the identity and service have in common which are online.
COMMON ROUTERS = number of routers (online or offline) the identity and service have in common.
DIAL_OK = indicates if the identity has permission to dial the service.
  • See service polices for a service : ziti edge controller list service service-policies
  • See service polices for an identity: ziti edge controller list identity service-policies
BIND_OK = indicates if the identity has permission to bind the service.
ERROR_LIST = if the status is ERROR, error details will be listed on the following lines

Output format: STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE COMMON ROUTERS/COMMON ROUTERS) Dial: DIAL_OK Bind: BIND_OK. ERROR_LIST

error: error listing https://ztna.xxxxxx.com:1280/edge/management/v1/identities?filter=true+skip+0+limit+2 in Ziti Edge Controller. Status code: 401 Unauthorized, Server returned: {
"error": {
"code": "UNAUTHORIZED",
"message": "The request could not be completed. The session is not authorized or the credentials are invalid",
"requestId": "YcJPiRppq"
},
"meta": {
"apiEnrollmentVersion": "0.0.1",
"apiVersion": "0.0.1"
}
}

You need to authorize the ziti CLI. You gotta "login"

Oh! Here are the results now..

ziti edge list ers
╭───────────┬─────────────┬────────┬───────────────┬──────┬────────────╮
│ ID        │ NAME        │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├───────────┼─────────────┼────────┼───────────────┼──────┼────────────┤
│ Kxwq8PQfB │ MainRouter1 │ true   │ true          │    0 │ edge       │
╰───────────┴─────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-1 of 1

ziti edge policy-advisor identities dummy

ERROR: dummy (0) -> dummy (1) Common Routers: (0/0) Dial: N Bind: Y

  • Identity has no edge routers assigned. Adjust edge router policies.

ziti edge policy-advisor identities

ERROR: Default Admin

  • Identity does not have access to any services. Adjust service policies.

ERROR: dummy (0) -> dummy (1) Common Routers: (0/0) Dial: N Bind: Y

  • Identity has no edge routers assigned. Adjust edge router policies.

ERROR: MainRouter1

  • Identity does not have access to any services. Adjust service policies.

ERROR: 2026-02-11-1055.client (0) -> 2026-02-11-1055.traffic (1) Common Routers: (0/0) Dial: Y Bind: N

  • Identity has no edge routers assigned. Adjust edge router policies.

ERROR: 2026-02-11-1055.server (0) -> 2026-02-11-1055.traffic (1) Common Routers: (0/0) Dial: N Bind: Y

  • Identity has no edge routers assigned. Adjust edge router policies.

ERROR: ITRoom (0) -> dummy (1) Common Routers: (0/0) Dial: Y Bind: Y

  • Identity has no edge routers assigned. Adjust edge router policies.

I added the router to one policy and it looks like this now:

ziti edge policy-advisor identities

ERROR: Default Admin

  • Identity does not have access to any services. Adjust service policies.

OKAY : dummy (1) -> dummy (1) Common Routers: (1/1) Dial: N Bind: Y

ERROR: MainRouter1

  • Identity does not have access to any services. Adjust service policies.

OKAY : 2026-02-11-1055.client (1) -> 2026-02-11-1055.traffic (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : 2026-02-11-1055.server (1) -> 2026-02-11-1055.traffic (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : ITRoom (1) -> dummy (1) Common Routers: (1/1) Dial: Y Bind: Y

--EDIT-- it seems like you have things working?


Previous response I was typing, here for posterity:

Please use code blocks/fencing: Posting code or preformatted text - Using Discourse - Discourse Meta

You have 0/0 edge routers. This is almost certainly because of edge router policies or service edge router policies. So it'll get NO_EDGE_ROUTERS_AVAILABLE.

Run:

ziti edge list edge-router-policies
ziti edge list service-edge-router-policies

I'd also recommend you read up on how those work and add them accordingly: Policies | NetFoundry Documentation
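The triage described in the replies above, as an added example that is not part of the original thread or the ziti project's own code: a small Python parser for `ziti edge policy-advisor` result lines that maps the router counts in the documented output format to the policy type to check. The sample lines are copied from outputs shown in this thread; the function names and finding strings are assumptions.

```python
import re

# Output format from the advisor's own guide:
# STATUS: ID (ID ROUTERS) -> SVC (SVC ROUTERS) Common Routers: (ONLINE/COMMON) Dial: Y|N Bind: Y|N
PAIR_LINE = re.compile(
    r"^(?P<status>OKAY|ERROR)\s*:\s*(?P<ident>.+?) \((?P<id_r>\d+)\) -> "
    r"(?P<svc>.+?) \((?P<svc_r>\d+)\) "
    r"Common Routers: \((?P<online>\d+)/(?P<common>\d+)\) "
    r"Dial: (?P<dial>[YN]) Bind: (?P<bind>[YN])"
)

def triage(line):
    """Return (identity, service, findings) for an identity->service line, else None."""
    m = PAIR_LINE.match(line.strip())
    if not m:
        return None  # guide text, error detail lines, or identities with no services
    id_r, svc_r, online, common = (
        int(m[k]) for k in ("id_r", "svc_r", "online", "common"))
    findings = []
    if id_r == 0:
        findings.append("identity has no edge routers: check edge-router-policies")
    if svc_r == 0:
        findings.append("service has no edge routers: check service-edge-router-policies")
    if id_r and svc_r and common == 0:
        findings.append("no router shared by identity and service")
    if common and online == 0:
        findings.append("common routers are all offline")
    return m["ident"], m["svc"], findings

def report(text):
    """Map (identity, service) -> findings for every pair line in advisor output."""
    results = {}
    for line in text.splitlines():
        parsed = triage(line)
        if parsed:
            results[(parsed[0], parsed[1])] = parsed[2]
    return results

# Sample lines taken from the outputs posted in this thread.
SAMPLE = """\
ERROR: exampleprefix.server (1) -> normal-user-01.svc.0.ziti (1) Common Routers: (0/1) Dial: Y Bind: N
  - Common edge routers are all off-line. Bring routers back on-line or adjust edge router policies.
ERROR: MainRouter1
ERROR: ITRoom (0) -> dummy (1) Common Routers: (0/0) Dial: Y Bind: Y
OKAY : dummy (1) -> dummy (1) Common Routers: (1/1) Dial: N Bind: Y
"""

if __name__ == "__main__":
    for pair, findings in report(SAMPLE).items():
        print(pair, findings or ["ok"])
```
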

Yes, it started working now.. I still see an error:

ERROR: MainRouter1

  • Identity does not have access to any services. Adjust service policies.

Is that something to worry about? Does the router need any services to be assigned?