Use a Router as a local gateway, Not able to test ssh/http

I followed the OpenZiti document to implement the Router as a local gateway by using the same IP scheme. Everything performed perfectly without any error, but when I tried to test ssh and http, it always gave me an error on the page. I did a tcpdump on the ziti edge router. The following are the logs.

```
21:18:09.138320 ARP, Request who-has ubuntu (50:00:00:01:00:00 (oui Unknown)) tell 172.16.31.174, length 46
21:18:10.383282 IP 172.16.31.174.54517 > 172.16.240.129.8000: Flags [S], seq 3407223356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:10.383284 IP 172.16.31.174.54518 > 172.16.240.129.8000: Flags [S], seq 3512227317, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:10.638191 IP 172.16.31.174.54519 > 172.16.240.129.8000: Flags [S], seq 3631545649, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:18.395179 IP 172.16.31.174.54517 > 172.16.240.129.8000: Flags [S], seq 3407223356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:18.395180 IP 172.16.31.174.54518 > 172.16.240.129.8000: Flags [S], seq 3512227317, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:18.418852 IP 172.16.31.174.63248 > ubuntu.domain: 65220+ A? g.live.com. (28)
21:18:18.650400 IP 172.16.31.174.54519 > 172.16.240.129.8000: Flags [S], seq 3631545649, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:24.418257 IP 172.16.31.174.61704 > ubuntu.domain: 14472+ A? edge.microsoft.com. (36)
21:18:28.443688 IP 172.16.31.174.59197 > ubuntu.domain: 1641+ A? g.live.com. (28)
21:18:32.025653 IP 172.16.31.174.64881 > ubuntu.domain: 11554+ A? v10.events.data.microsoft.com. (47)
21:18:33.144547 ARP, Request who-has ubuntu (50:00:00:01:00:00 (oui Unknown)) tell 172.16.31.174, length 46
21:18:38.445401 IP 172.16.31.174.53707 > ubuntu.domain: 46628+ A? g.live.com. (28)
21:18:48.604356 IP 172.16.31.174.54520 > 172.16.240.129.8000: Flags [S], seq 3358404323, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:48.604358 IP 172.16.31.174.54521 > 172.16.240.129.8000: Flags [S], seq 4091495054, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:48.626714 IP 172.16.31.174.61839 > ubuntu.domain: 3483+ A? nav.smartscreen.microsoft.com. (47)
21:18:48.870946 IP 172.16.31.174.54522 > 172.16.240.129.8000: Flags [S], seq 1436686974, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:49.605234 IP 172.16.31.174.54520 > 172.16.240.129.8000: Flags [S], seq 3358404323, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:49.605235 IP 172.16.31.174.54521 > 172.16.240.129.8000: Flags [S], seq 4091495054, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:49.877369 IP 172.16.31.174.54522 > 172.16.240.129.8000: Flags [S], seq 1436686974, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:51.616259 IP 172.16.31.174.54520 > 172.16.240.129.8000: Flags [S], seq 3358404323, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:51.616261 IP 172.16.31.174.54521 > 172.16.240.129.8000: Flags [S], seq 4091495054, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:51.888212 IP 172.16.31.174.54522 > 172.16.240.129.8000: Flags [S], seq 1436686974, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:53.845117 ARP, Reply 172.16.31.174 is-at 50:00:00:03:00:00 (oui Unknown), length 46
21:18:54.143244 ARP, Request who-has ubuntu (50:00:00:01:00:00 (oui Unknown)) tell 172.16.31.174, length 46
21:18:55.630287 IP 172.16.31.174.54520 > 172.16.240.129.8000: Flags [S], seq 3358404323, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:55.630288 IP 172.16.31.174.54521 > 172.16.240.129.8000: Flags [S], seq 4091495054, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:18:55.901931 IP 172.16.31.174.54522 > 172.16.240.129.8000: Flags [S], seq 1436686974, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:19:03.640972 IP 172.16.31.174.54520 > 172.16.240.129.8000: Flags [S], seq 3358404323, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:19:03.641628 IP 172.16.31.174.54521 > 172.16.240.129.8000: Flags [S], seq 4091495054, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:19:03.913099 IP 172.16.31.174.54522 > 172.16.240.129.8000: Flags [S], seq 1436686974, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
```

Can someone help me find the solution? I followed the document exactly. Here is the topology which I drew in my lab.
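An added example, not part of the original post: a small Python triage script for tcpdump text output like the captures on this page. It groups client-initiated TCP flows and reports whether the client only kept resending its SYN or went on to send ACK/data, which tells you whether anything answered the handshake. The verdict names and the `classify_flows` function are assumptions made for this example.

```python
import re
from collections import defaultdict

# tcpdump's default one-line TCP format: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [..]"
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): Flags \[(?P<flags>[^\]]+)\]"
)

# Sample input: lines copied from the captures on this page.
SAMPLE = """\
21:18:10.383282 IP 172.16.31.174.54517 > 172.16.240.129.8000: Flags [S], seq 3407223356, win 64240, length 0
21:18:18.395179 IP 172.16.31.174.54517 > 172.16.240.129.8000: Flags [S], seq 3407223356, win 64240, length 0
21:18:18.418852 IP 172.16.31.174.63248 > ubuntu.domain: 65220+ A? g.live.com. (28)
16:28:59.894236 IP 172.16.31.174.55815 > 100.64.0.1.ssh: Flags [S], seq 746801195, win 64240, length 0
16:28:59.898525 IP 172.16.31.174.55815 > 100.64.0.1.ssh: Flags [.], ack 786883121, win 1026, length 0
16:28:59.903537 IP 172.16.31.174.55815 > 100.64.0.1.ssh: Flags [P.], seq 0:33, ack 1, win 1026, length 33
"""

def classify_flows(text):
    """Return {(src, sport, dst, dport): verdict} for flows opened with a SYN."""
    syn_count = defaultdict(int)
    progressed = set()
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if m is None:
            continue  # ARP, DNS and other non-TCP lines
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["flags"] == "S":
            syn_count[flow] += 1          # initial SYN or a retransmission
        elif flow in syn_count:
            progressed.add(flow)          # client sent ACK/data: a SYN-ACK reached it
    verdicts = {}
    for flow, count in syn_count.items():
        if flow in progressed:
            verdicts[flow] = "handshake-completed"
        elif count > 1:
            verdicts[flow] = "syn-retransmitted"   # nothing answered the SYN
        else:
            verdicts[flow] = "single-syn"          # too little data to tell
    return verdicts

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print("%s:%s -> %s:%s  %s" % (*flow, verdict))
```

The script works on captures filtered to the client's source address, because it infers the server's reply from the client's next packet rather than from the SYN-ACK itself.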



Hi wahmad,

I am looking at your diagram and tcpdump. I do not see 172.16.31.174 on the diagram. I am assuming that is the client you are trying to test from?

So, to debug the issue, here are a few things you can do:

  1. You can try to initiate the service from your edge router host and see if it works.
  2. Make sure ziti-router is running on both sides.
  3. Then we need to look at the ziti-router logs from both sides.
  4. Also make sure the ziti-router status on the controller is online.

Hi Jammin,
Thanks for the response.
You are absolutely right, it is a Windows client machine.
I tried initiating the HTTP traffic from the server ziti edge-router, which was working and reaching the server. But it didn't work from the client ziti edge-router, or from the Windows machine.

Ziti-router is running on both sides and is online on the controller as well.
I will share the logs from both ziti-edge-routers here in a while.

Here you can see both routers are online on the controller.

![image|690x306](upload://d2Wxw1Ank6gEUm80iX46tAmEqPd.png)

The following message was received on the Windows client while using ssh:
![image|430x259](upload://7d1b9c4bL4xUKXX2HoI9jBoI2HD.png)

The following is the message while trying to ssh from the client ziti edge router.

```
root@ubuntu:/opt/openziti/ziti-router# ssh admin@mysimpleservice.ziti
kex_exchange_identification: read: Connection reset by peer
Connection reset by 100.64.0.1 port 22
```

Here are the logs on the client ziti edge-router while accessing ssh.

```
root@ubuntu:/opt/openziti/ziti-router# tcpdump -i ens3 src 172.16.31.174
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:28:59.885631 IP 172.16.31.174.58664 > ubuntu.domain: 43485+ A? mysimpleservice.ziti. (38)
16:28:59.894236 IP 172.16.31.174.55815 > 100.64.0.1.ssh: Flags [S], seq 746801195, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:28:59.898525 IP 172.16.31.174.55815 > 100.64.0.1.ssh: Flags [.], ack 786883121, win 1026, length 0
16:28:59.903537 IP 172.16.31.174.55815 > 100.64.0.1.ssh: Flags [P.], seq 0:33, ack 1, win 1026, length 33: SSH: SSH-2.0-OpenSSH_for_Windows_8.1
16:29:03.233213 IP 172.16.31.174.55816 > 100.64.0.1.ssh: Flags [S], seq 2402472421, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:29:03.237282 IP 172.16.31.174.55816 > 100.64.0.1.ssh: Flags [.], ack 316480126, win 1026, length 0
16:29:03.240978 IP 172.16.31.174.55816 > 100.64.0.1.ssh: Flags [P.], seq 0:33, ack 1, win 1026, length 33: SSH: SSH-2.0-OpenSSH_for_Windows_8.1
```

When I tried to ssh to the same service from the server ziti edge-router:

```
root@ubuntu:/opt/openziti/ziti-router# ssh admin@mysimpleservice.ziti
ssh: Could not resolve hostname mysimpleservice.ziti: Name or service not known
root@ubuntu:/opt/openziti/ziti-router# resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 172.16.240.128
       DNS Servers: 172.16.240.128

Link 2 (ens3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
       DNS Servers: 8.8.8.8

Link 3 (ens4)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
```

The following information will also help debugging.

From your controller:
```
ziti fabric list routers
ziti edge list configs -j
ziti edge list terminators
ziti edge list services -j
ziti edge list service-policies
ziti edge list service-edge-router-policies
```