Ziti Edge Tunnel: Failed to establish connection with terminator address

Hi all,

I'm currently working on implementing OpenZiti in a project and I’ve encountered an issue with the communication between two components (from Inference Server to Message Queue). I'd really appreciate any help or insights you might have.

For the sake of testing, I have everything running on different computers within the same network, representing the IoT Client, Edge, and Cloud.

I’ve been able to configure host-based tunnellers for each platform and have successfully established communication between the following components:

  • IoT Client → Web Server
  • Web Server → Preprocessor
  • Preprocessor → Inference


The Problem

However, I'm facing issues with the communication between the Inference and the MQ, even though I configured it in the same exact way as the other components.

Configuration details:

#1
ziti edge create identity inference -a 'inference' -o inference.jwt

#2
ziti edge create identity rabbitmq -a 'rabbitmq' -o rabbitmq.jwt

#3
ziti edge create config inference-to-rabbitmq.intercept.v1 intercept.v1 \
'{"protocols":["tcp"],"addresses":["ziti.rabbitmq"], "portRanges":[{"low":5672, "high":5672}]}'

#4
ziti edge create config rabbitmq.host.v1 host.v1 \
'{"protocol":"tcp", "address":"rabbitmq", "port":5672}'

#5
ziti edge create service inference-to-rabbitmq.svc --configs inference-to-rabbitmq.intercept.v1,rabbitmq.host.v1

#6
ziti edge create service-policy inference-to-rabbitmq.dial Dial \
--service-roles "@inference-to-rabbitmq.svc" --identity-roles '#inference'

#7
ziti edge create service-policy inference-to-rabbitmq.bind Bind \
--service-roles '@inference-to-rabbitmq.svc' --identity-roles '@${rabbitmq-id}'

To test the communication, I used a simple script to send a message from the Inference to the MQ. The script is as follows:

#!/usr/bin/env python
import pika

connection = pika.BlockingConnection(
    pika.ConnectionParameters(host='ziti.rabbitmq'))
channel = connection.channel()

channel.queue_declare(queue='hello')

channel.basic_publish(exchange='', routing_key='hello', body='Hello World!')
print(" [x] Sent 'Hello World!'")
connection.close()


And here is the error I received during the test:

When running the above script:

Traceback (most recent call last):
  File "/inference/send.py", line 4, in <module>
    connection = pika.BlockingConnection(
  File "/usr/local/lib/python3.10/site-packages/pika/adapters/blocking_connection.py", line 360, in __init__
    self._impl = self._create_connection(parameters, _impl_class)
  File "/usr/local/lib/python3.10/site-packages/pika/adapters/blocking_connection.py", line 451, in _create_connection
    raise self._reap_last_connection_workflow_error(error)
pika.exceptions.AMQPConnectionError

From the ziti tunnel on the Inference:

(40)[     1052.272]    INFO tunnel-cbs:ziti_dns.c:566 format_resp() found record[100.64.0.3] for query[1:ziti.rabbitmq]
(40)[     1052.291]   ERROR ziti-sdk:connect.c:1069 connect_reply_cb() conn[0.162/05klez7l/Connecting] failed to connect, reason=exceeded maximum [2] retries creating circuit [c/BtuzjWTfD]: error creating route for [s/BtuzjWTfD] on [r/to2gAmN0.N] (error creating route for [c/BtuzjWTfD]: failed to establish connection with terminator address 3GzQ4Lw74XXEC1zHRZJb0K. error: (rejected by application))

From the ziti tunnel on the MQ:

(11917)[      807.418]    INFO tunnel-cbs:ziti_hosting.c:637 on_hosted_client_connect() hosted_service[inference-to-rabbitmq.svc] client[inference] client_src_addr[tcp:100.64.0.1:34592] dst_addr[tcp:rabbitmq:5672]: incoming connection
(11917)[      807.423]   ERROR tunnel-cbs:ziti_hosting.c:683 on_hosted_client_connect_resolved() hosted_service[inference-to-rabbitmq.svc] client[inference] client_src_addr[tcp:100.64.0.1:34592] getaddrinfo(tcp:rabbitmq:5672) failed: temporary failure


I’m not sure what could be causing the issue with this specific communication, as the other services work fine. I would appreciate your thoughts on what might be going wrong, or if there's anything I might have overlooked in the configuration.

Thanks for your time and help!

Thanks for all those details @nvc97!

error: (rejected by application) seems like a pretty specific error. That sounds to me like the inference server opened and completed an initial connection but the application rejected the connection for "reasons". Looking at the MQ tunneler, it states: failed: temporary failure in getaddrinfo which is the DNS lookup function. That sounds like the "host.v1" address is incorrect and unresolvable.

Looking at that host.v1 config:

ziti edge create config rabbitmq.host.v1 host.v1 \
'{"protocol":"tcp", "address":"rabbitmq", "port":5672}'

It looks like the ziti-edge-tunnel running in the cloud is expected to be able to offload traffic towards rabbitmq:5672.

Can you ssh to the cloud ziti edge tunnel and confirm that rabbitmq:5672 is resolvable?

:point_up: My suspicion is that you actually wanted to use 127.0.0.1:5672 for that host.v1 offload address. I expect the cloud machine cannot resolve "rabbitmq".
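The resolvability check requested above can be scripted and run on the machine that hosts the service. This is an added example, not part of the thread or of OpenZiti; `check_host_v1` and its result keys are hypothetical names, the first config is the one posted in the thread, and the second uses the 127.0.0.1 address suggested above.

```python
import ipaddress
import json
import socket

ORIGINAL_HOST_V1 = '{"protocol":"tcp", "address":"rabbitmq", "port":5672}'
LOOPBACK_HOST_V1 = '{"protocol":"tcp", "address":"127.0.0.1", "port":5672}'

def check_host_v1(config_json, resolver=socket.getaddrinfo, connect_timeout=None):
    """Resolve (and optionally connect to) the offload target of a host.v1
    config from the machine where the hosting tunneler runs."""
    cfg = json.loads(config_json)
    address, port = cfg["address"], int(cfg["port"])
    result = {"target": f"{address}:{port}", "resolved": [],
              "loopback_only": False, "reachable": None, "error": None}
    try:
        infos = resolver(address, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Same class of failure the hosting tunneler logged as
        # "getaddrinfo(tcp:rabbitmq:5672) failed: temporary failure".
        result["error"] = f"getaddrinfo failed: {exc.strerror or exc}"
        return result
    result["resolved"] = sorted({info[4][0] for info in infos})
    # True only if every resolved address is loopback, i.e. the offloaded
    # traffic never leaves the host running the tunneler.
    result["loopback_only"] = all(
        ipaddress.ip_address(ip.split("%")[0]).is_loopback
        for ip in result["resolved"])
    if connect_timeout is not None:
        # Optional second step: confirm something is listening on the target.
        try:
            with socket.create_connection((address, port), timeout=connect_timeout):
                result["reachable"] = True
        except OSError as exc:
            result["reachable"] = False
            result["error"] = f"connect failed: {exc}"
    return result

if __name__ == "__main__":
    for config in (ORIGINAL_HOST_V1, LOOPBACK_HOST_V1):
        print(check_host_v1(config, connect_timeout=2.0))
```
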

Hi,

I really appreciate your quick response!

Indeed, rabbitmq:5672 is not resolvable from the cloud where rabbitmq is running.

So what do you suggest in this case?
Should I update the /etc/hosts file? Or should I change the host.v1 config to use the 127.0.0.1 address instead of rabbitmq?

The beauty of OpenZiti in this case (in my opinion) is you can offload to "localhost" (or 127.0.0.1, or ::1 or 'whatever' IP you want). We call this "ZTHA" -- where your trust is restricted all the way to the host running the ziti-edge-tunnel.

That means you can update your MQ listener to bind to 127.0.0.1 as well, making it inaccessible by any other machines that happen to be on the same network. Binding to the loopback like this is safer for that reason...

So for me, when I run a ziti-edge-tunnel and use it to provide access to a service ON that machine, I exclusively use 127.0.0.1... :slight_smile:

Thanks for the explanation! That makes a lot of sense.

So if I understand correctly, I just set the host.v1 offload address to 127.0.0.1 instead of rabbitmq.

Then I ran the test script, and the message went through. However, I did notice there's a warning message as below. What does it mean really? And should I be worried about it?

(11497)[     1691.902]    INFO tunnel-cbs:ziti_hosting.c:637 on_hosted_client_connect() hosted_service[inference-to-rabbitmq.svc] client[inference] client_src_addr[tcp:100.64.0.1:46672] dst_addr[tcp:127.0.0.1:5672]: incoming connection
(11497)[     1692.024]    WARN ziti-sdk:conn_bridge.c:422 on_input() br[0.2] err = -104
1 Like

(11497)[ 1692.024] WARN ziti-sdk:conn_bridge.c:422 on_input() br[0.2] err = -104
What does it mean really?

What a GREAT question!!! :slight_smile: I don't know! @ekoby, any idea what that means?

I am going to guess that you're running on Linux (different OSes have different error codes).
-104 on Linux maps to ECONNRESET 104 /* Connection reset by peer */

This would mean that rabbitmq forcefully terminated the connection.

I'll make a code change there to produce a better message to the log.

2 Likes
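The two hosting-side log lines that carried the diagnosis in this thread can be triaged mechanically. This is an added example, not OpenZiti code; the line layout is inferred only from the log lines quoted above, and `triage` and `decode_err` are hypothetical names.

```python
import errno
import os
import re

# Layout inferred from the lines quoted in the thread:
# (pid)[ elapsed] LEVEL module:file.c:line function() message
LINE_RE = re.compile(
    r"^\((?P<pid>\d+)\)\[\s*(?P<elapsed>[\d.]+)\]\s+(?P<level>[A-Z]+)\s+"
    r"(?P<module>[\w-]+):(?P<file>[\w.]+):(?P<line>\d+)\s+(?P<func>\w+)\(\)\s+(?P<msg>.*)$")
FIELD_RE = re.compile(r"(\w+)\[([^\]]*)\]")   # hosted_service[...], client[...], ...
GAI_RE = re.compile(r"getaddrinfo\(([^)]*)\) failed: (.+)$")
ERR_RE = re.compile(r"\berr = (-\d+)\b")

# Copied from the thread (hosting-side tunneler), not constructed.
SAMPLE = [
    "(11917)[      807.423]   ERROR tunnel-cbs:ziti_hosting.c:683 "
    "on_hosted_client_connect_resolved() hosted_service[inference-to-rabbitmq.svc] "
    "client[inference] client_src_addr[tcp:100.64.0.1:34592] "
    "getaddrinfo(tcp:rabbitmq:5672) failed: temporary failure",
    "(11497)[     1692.024]    WARN ziti-sdk:conn_bridge.c:422 on_input() br[0.2] err = -104",
]

def decode_err(code):
    """Name a negative errno using this machine's table; numbers differ per OS."""
    return f"{errno.errorcode.get(-code, 'UNKNOWN')} ({os.strerror(-code)})"

def triage(line):
    """Split one tunneler log line into fields and attach a finding, if any."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))
    rec["finding"] = None
    gai, err = GAI_RE.search(rec["msg"]), ERR_RE.search(rec["msg"])
    if gai:    # the hosting tunneler could not resolve the host.v1 address
        rec["finding"] = (f"host.v1 target {gai.group(1)} is not resolvable "
                          f"on the hosting machine ({gai.group(2)})")
    elif err:  # socket-level error reported as a negative errno
        rec["err"] = int(err.group(1))
        rec["finding"] = f"err = {rec['err']}: {decode_err(rec['err'])}"
    return rec

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry)["finding"])
```

Run it on the same operating system as the tunneler that produced the log, since `decode_err` uses the local errno table.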

Thank you for that clarification. I guess I don't need to worry about that then.