Ziti Edge Router API Session Connection Issue After Express Install on VPS

Hi Guys,

I recently installed a controller instance on a standalone VPS using the Expressinstall method. By default, Expressinstall automatically deploys an edge router instance during the setup process. In the ZAC Router menu, all the installed edge instances show a normal connection status, as seen in the screenshot PIC 1.

However, under the Identity menu, the API sessions for all edge instances are showing as abnormal, screenshot PIC 2.

For comparison, I checked another instance’s installation environment, and under the Identity tab, all edge instances and operating system details are correctly recognized, screenshot PIC 3.

Could you please help analyze what might be causing this issue?

Thank you!

Hi @nbsn, welcome to the community and to OpenZiti!

The "online-ness indicator" is a thing we continually strive to make better. Right now, I wouldn't use the identity indicator for router identities as a guide. I believe the router page is a better indicator of the router's status. If it's connected, the identity will be usable.

We are working through cluster-related changes at the moment, but this online indicator issue has been coming up with more and more users lately, so I'm sure in the future we'll get around to making that more representative of what people most likely mean it to be. Being transparent, I'm not exactly sure when or how it'll change, but I'm sure we'll do something with it in the near future.

Until then, use the router page as an indicator of the router and don't worry about the router identity is my advice. 🙂 Thanks for asking the forum and for checking out OpenZiti.

Note also that a related issue (Ensure identity online/offline statuses work correctly for ER/Ts · Issue #2889 · openziti/ziti · GitHub) was fixed in 1.5.0. If you're not already running it, you may wish to try the latest 1.5.x release.

Paul

I have deployed a v1.1.18 controller to compare with v1.5.4. Actually, the issue happened under v1.5.4.

See my v1.1.18 screen capture, Session --> API sessions: it lists all the necessary sessions and the connection tests are all good, including the controller's local router:

The following screen capture shows under v1.5.4, the controller's local edge router did not establish an API session with the controller. I confirmed that I am using all default settings.
In the picture, I have added a Windows desktop client (Remote-PC) and authorized it.
You can see only the local admin and Remote-PC are shown under Session --> API-Session; NO controller local edge router API-session is registered.

Based on my test, the configured connection with services and policies did not work in this situation, but the same config worked under v1.1.18.

Can we start a new thread for this? It's best to keep a thread related to one topic. Would you mind? Thanks.

Hi Bro, that's OK for me. I am currently focused on the same problem I am facing now. Definitely, that's not a different question.

Ok. Perhaps there's a miscommunication then. I thought you were moving over to focusing on remote-pc now.

Can you explain what it is you're looking to confirm by looking at the API session and can you explain what kind of test you're performing and what you expect to see? My guess is that you bound a service to the edge router and then accessed that service, expecting to see an api session but didn't?

Is that correct? If not, can you elaborate a bit as to the test so I can have a look at my install?

My test is under v1.5.4.

Topology made simple: Remote-PC (Win) ----> zitictrl-edge-router (Controller embedded) ---> RTR-PRV-* (Private edge router) ---> Target web service.

The topo/identity/router/api-sessions status below:

Service Config:

{
  "name": "ZHH-TESTWEB",
  "roleAttributes": [],
  "configs": [
    "3SJt2aC7pbrFFcgekkHui0",
    "6dbXE9oACM16bxvAFRDVQ2"
  ],
  "encryptionRequired": true,
  "terminatorStrategy": "smartrouting",
  "tags": {}
}
{
  "name": "ZHH-TESTWEB-8443",
  "configTypeId": "NH5p4FpGR",
  "data": {
    "address": "10.1.3.250",
    "port": 8443,
    "forwardProtocol": true,
    "allowedProtocols": [
      "tcp"
    ],
    "httpChecks": [],
    "portChecks": []
  },
  "tags": {}
}
{
  "name": "ZHH-TESTWEB-INSP",
  "configTypeId": "g7cIWbcGg",
  "data": {
    "portRanges": [
      {
        "high": 8443,
        "low": 8443
      }
    ],
    "addresses": [
      "10.1.3.250"
    ],
    "protocols": [
      "tcp"
    ]
  },
  "tags": {}
}

Policies:

{
  "name": "PO-BIND",
  "appData": "",
  "serviceRoles": [
    "@45qYwT6hqKAacgmk0AeHUw"
  ],
  "identityRoles": [
    "@OO.2twREi6"
  ],
  "postureCheckRoles": [],
  "semantic": "AnyOf",
  "type": "Bind",
  "tags": {}
}
{
  "name": "PO-DIAL",
  "appData": "",
  "serviceRoles": [
    "@45qYwT6hqKAacgmk0AeHUw"
  ],
  "identityRoles": [
    "@OPS1ow0T56"
  ],
  "postureCheckRoles": [],
  "semantic": "AnyOf",
  "type": "Dial",
  "tags": {}
}