Ziti-edge-tunnel stuck in OIDC Auth Loop - UNAUTHORIZED / invalid_grant

Hi everyone,

I'm struggling with a ziti-edge-tunnel (v1.10.10) running inside a Docker container (Ubuntu image). The tunnel successfully reaches the controller and performs the OIDC handshake, but it gets stuck in an infinite loop of UNAUTHORIZED errors when trying to access the Edge API.

The Environment:

  • Controller (created with docker compose setup)

  • Tunnel Version: v1.10.10 (C SDK) (INFO ziti-sdk:utils.c:169 ziti_log_init() Ziti C SDK version 1.10.10 @g3ad8597(HEAD) starting at (2026-03-12T12:06:27.879))

  • Deployment of the openziti client: Docker (Ubuntu base)

  • Identity: Re-created and re-enrolled multiple times (Name: RAS1).

The Problem: The tunnel gets a 200 OK from the OIDC token endpoint, but subsequent calls to /current-api-session return a 401 Unauthorized. Then, the refresh token attempt returns invalid_grant.

Logs (Debug Level 4):

(1114) INFO ziti-sdk:oidc.c:262 request_token() oidc[internal] requesting token...
(1114) DEBUG ziti-sdk:oidc.c:246 token_cb() oidc[internal] 200 OK
(1114) DEBUG ziti-sdk:oidc.c:561 oidc_client_set_tokens() oidc[internal] using access_token={...}
(1114) ERROR ziti-sdk:ziti_ctrl.c:531 ctrl_body_cb() ctrl[...] API request[/current-api-session] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(1114) WARN ziti-sdk:oidc.c:603 refresh_cb() oidc[internal] response: { "error": "invalid_grant" }

What I've checked so far:

  1. Time Sync: System clocks on both the Tunnel and Controller are synchronized.

  2. Identity Status: The identity exists in the controller, is enabled, and shows as "Enrolled" but offline.

  3. Re-enrollment: I have deleted the identity, recreated it, and performed a fresh ziti-edge-tunnel enroll. The .json file is correctly generated.

  4. Network: No proxy between them. The tunnel can reach the controller's OIDC and API ports.

I have confirmed that I am using the Default Auth Policy for my identity.

To troubleshoot further, I tried installing the Ziti Desktop Edge for Windows, but I am encountering a similar connectivity issue. While the Linux logs showed an OIDC loop, the Windows logs specifically report that the controller is unavailable due to an "unknown node or service" error.

It seems my clients (both Linux and Windows) are struggling to establish a stable connection to the controller.

Windows Service Logs:

[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] request[/version] failed: -3008(unknown node or service)
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:336 internal_version_cb() CONTROLLER_UNAVAILABLE(unknown node or service)
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:604 ctrl_next_ep() no controllers are online

Full Windows logs:

[2026-03-12T00:00:23.435Z] INFO ziti-sdk:utils.c:197 ziti_log_set_level() set log level: root=3/INFO
[2026-03-12T00:00:23.435Z] INFO ziti-sdk:utils.c:166 ziti_log_init() Ziti C SDK version 1.9.17 @g12ffdab(HEAD) starting at (2026-03-12T00:00:23.435)
[2026-03-12T00:00:23.449Z] INFO ziti-edge-tunnel:windows-scripts.c:326 remove_all_nrpt_rules() removing NRPT rules matching filter: $_.Comment.StartsWith('Added by ziti-edge-tunnel')
[2026-03-12T00:00:40.548Z] INFO ziti-edge-tunnel:instance-config.c:72 load_tunnel_status_from_file() Loading config file from c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\config.json
[2026-03-12T00:00:40.556Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1500 run() ============================ service begins ================================
[2026-03-12T00:00:40.556Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1501 run() Logger initialization
[2026-03-12T00:00:40.556Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1503 run() - config file : c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\config.json
[2026-03-12T00:00:40.556Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1505 run() - initialized at : Thu Mar 12 2026, 01:00:40 AM (local time), 2026-03-12T00:00:40 (UTC)
[2026-03-12T00:00:40.556Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1506 run() - log file location: C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service\ziti-tunneler.log.202603120000.log
[2026-03-12T00:00:40.556Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1508 run() - C SDK Version : 1.9.17:HEAD@g12ffdab
[2026-03-12T00:00:40.556Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1509 run() - Tunneler SDK : v1.9.6
[2026-03-12T00:00:40.556Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1513 run() ============================================================================
[2026-03-12T00:00:40.556Z] INFO ziti-sdk:utils.c:197 ziti_log_set_level() set log level: root=3/INFO
[2026-03-12T00:00:40.572Z] INFO ziti-edge-tunnel:tun.c:194 tun_open() Wintun v0.14 loaded
[2026-03-12T00:00:40.572Z] INFO ziti-edge-tunnel:tun.c:165 flush_dns() DnsFlushResolverCache succeeded
[2026-03-12T00:00:41.526Z] INFO ziti-edge-tunnel:tun.c:97 WintunLogger() Using existing driver 0.14
[2026-03-12T00:00:41.562Z] INFO ziti-edge-tunnel:tun.c:97 WintunLogger() Creating adapter
[2026-03-12T00:00:49.725Z] INFO ziti-edge-tunnel:tun.c:469 update_default_route() default route is now via if_idx[11], metric=0
[2026-03-12T00:00:49.725Z] INFO ziti-edge-tunnel:tun.c:488 if_change_cb() updating excluded routes
[2026-03-12T00:01:04.117Z] INFO ziti-edge-tunnel:windows-scripts.c:491 is_nrpt_policies_effective() NRPT policies are effective in this system
[2026-03-12T00:01:08.956Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:885 run_tunnel() Setting interface metric to 255
[2026-03-12T00:01:08.972Z] INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v1.9.6)
[2026-03-12T00:01:09.003Z] INFO tunnel-cbs:ziti_dns.c:173 seed_dns() DNS configured with range 100.64.0.0 - 100.127.255.255 (4194302 ips)
[2026-03-12T00:01:09.003Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1067 run_tunneler_loop() Loading identity files from C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\NetFoundry
[2026-03-12T00:01:09.008Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:407 load_identities() loading identity file: mypc1.json
[2026-03-12T00:01:09.008Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:407 load_identities() loading identity file: test-id-2.json
[2026-03-12T00:01:09.015Z] INFO ziti-edge-tunnel:log_utils.c:336 delete_older_logs() Deleting old log file C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service\ziti-tunneler.log.202603030000.log
[2026-03-12T00:01:09.062Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1192 load_ziti_async() attempting to load ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\test-id-2.json]
[2026-03-12T00:01:09.062Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1199 load_ziti_async() loading ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\test-id-2.json]
[2026-03-12T00:01:09.062Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:424 load_id_cb() identity[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\test-id-2.json] loaded
[2026-03-12T00:01:09.082Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1192 load_ziti_async() attempting to load ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\mypc1.json]
[2026-03-12T00:01:09.082Z] INFO tunnel-cbs:ziti_tunnel_ctrl.c:1199 load_ziti_async() loading ziti instance[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\mypc1.json]
[2026-03-12T00:01:09.082Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:424 load_id_cb() identity[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\mypc1.json] loaded
[2026-03-12T00:01:09.082Z] INFO ziti-sdk:ziti.c:526 ziti_start_internal() ztx[2] enabling Ziti Context
[2026-03-12T00:01:09.101Z] INFO ziti-sdk:ziti.c:542 ziti_start_internal() ztx[2] using tlsuv[v0.39.7/OpenSSL 3.6.0 1 Oct 2025]
[2026-03-12T00:01:09.101Z] INFO ziti-sdk:ziti_ctrl.c:639 ziti_ctrl_init() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] controller initialized
[2026-03-12T00:01:09.101Z] INFO ziti-sdk:ziti.c:620 ztx_init_controller() ztx[2] Loading ziti context with controller[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443]
[2026-03-12T00:01:09.101Z] WARN tunnel-cbs:ziti_tunnel_ctrl.c:1018 on_ziti_event() ziti_ctx controller connections failed: ziti context is disabled
[2026-03-12T00:01:09.101Z] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:460 on_event() ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\test-id-2.json] context event : status is ziti context is disabled
[2026-03-12T00:01:09.101Z] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:514 on_event() ztx[c:\windows\system32\config\systemprofile\appdata\roaming\netfoundry\test-id-2.json] failed to connect to controller due to ziti context is disabled
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] request[/version] failed: -3008(unknown node or service)
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:336 internal_version_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] CONTROLLER_UNAVAILABLE(unknown node or service)
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti.c:2036 version_pre_auth_cb() ztx[2] failed to get controller version: CONTROLLER_UNAVAILABLE/unknown node or service
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] request[/external-jwt-signers?limit=25&offset=0] failed: -3008(unknown node or service)
[2026-03-12T00:01:09.150Z] INFO ziti-sdk:ziti_ctrl.c:180 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] attempting to switch endpoint
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:604 ctrl_next_ep() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] no controllers are online
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti.c:652 ext_jwt_singers_cb() ztx[2] failed to get external auth providers: unknown node or service
[2026-03-12T00:01:14.159Z] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] request[/external-jwt-signers?limit=25&offset=0] failed: -3008(unknown node or service)
[2026-03-12T00:01:14.159Z] WARN ziti-sdk:ziti.c:652 ext_jwt_singers_cb() ztx[2] failed to get external auth providers: unknown node or service
[2026-03-12T00:01:14.159Z] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] request[/version] failed: -3008(unknown node or service)
[2026-03-12T00:01:14.159Z] INFO ziti-sdk:ziti_ctrl.c:180 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] attempting to switch endpoint
[2026-03-12T00:01:14.159Z] WARN ziti-sdk:ziti_ctrl.c:604 ctrl_next_ep() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] no controllers are online
[2026-03-12T00:01:14.159Z] WARN ziti-sdk:ziti_ctrl.c:336 internal_version_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] CONTROLLER_UNAVAILABLE(unknown node or service)
[2026-03-12T00:01:14.159Z] WARN ziti-sdk:ziti.c:2036 version_pre_auth_cb() ztx[2] failed to get controller version: CONTROLLER_UNAVAILABLE/unknown node or service
[2026-03-12T00:01:19.173Z] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] request[/external-jwt-signers?limit=25&offset=0] failed: -3008(unknown node or service)
[2026-03-12T00:01:19.173Z] WARN ziti-sdk:ziti.c:652 ext_jwt_singers_cb() ztx[2] failed to get external auth providers: unknown node or

The fact that OIDC succeeds but the API rejects the token is confusing. Does this look like a Posture Check issue, or perhaps something related to how Docker handles the identity hostname?

Any help would be greatly appreciated!
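As an added illustration (not part of the original post and not OpenZiti project code), the script below parses the two ziti C SDK log line shapes quoted above, the `(pid) LEVEL ...` form from the Linux tunnel and the `[timestamp] LEVEL ...` form from the Windows service, and flags the two distinct failure signatures in this thread: the OIDC token-accepted / API 401 / `invalid_grant` loop, and the `-3008(unknown node or service)` name-resolution failure (libuv's EAI_NONAME from getaddrinfo) that leaves no controller endpoint online. The sample lines are copied from the post; the signature names, helper names and counting scheme are my own.

```python
import re

# Two line shapes appear in ziti C SDK logs (both are quoted in the post above):
#   (1114) DEBUG ziti-sdk:oidc.c:246 token_cb() oidc[internal] 200 OK
#   [2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[...] request[/version] failed: ...
LINE_RE = re.compile(
    r"^(?:\((?P<pid>\d+)\)|\[(?P<ts>[^\]]+)\])\s+"   # "(pid)" or "[timestamp]"
    r"(?P<level>[A-Z]+)\s+"                          # INFO / DEBUG / WARN / ERROR
    r"(?P<component>[\w-]+):(?P<file>[\w.-]+):(?P<lineno>\d+)\s+"
    r"(?P<func>\w+)\(\)\s+"
    r"(?P<msg>.*)$"
)

# Sample input: the lines quoted in the post, copied verbatim (constructed test data for this script).
LINUX_SAMPLE = """
(1114) INFO ziti-sdk:oidc.c:262 request_token() oidc[internal] requesting token...
(1114) DEBUG ziti-sdk:oidc.c:246 token_cb() oidc[internal] 200 OK
(1114) DEBUG ziti-sdk:oidc.c:561 oidc_client_set_tokens() oidc[internal] using access_token={...}
(1114) ERROR ziti-sdk:ziti_ctrl.c:531 ctrl_body_cb() ctrl[...] API request[/current-api-session] failed code[UNAUTHORIZED] message[The request could not be completed. The session is not authorized or the credentials are invalid]
(1114) WARN ziti-sdk:oidc.c:603 refresh_cb() oidc[internal] response: { "error": "invalid_grant" }
"""

WINDOWS_SAMPLE = """
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:177 ctrl_resp_cb() ctrl[https://11f9d9ca-7067-49a2-bf40-5d3eba0c1a06.production.netfoundry.io:443] request[/version] failed: -3008(unknown node or service)
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:336 internal_version_cb() CONTROLLER_UNAVAILABLE(unknown node or service)
[2026-03-12T00:01:09.150Z] WARN ziti-sdk:ziti_ctrl.c:604 ctrl_next_ep() no controllers are online
"""


def parse_line(line):
    """Parse one SDK log line into a dict, or return None for a line that is not in that shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["lineno"] = int(rec["lineno"])
    return rec


def parse_log(text):
    """Parse a whole log, skipping banners, blank lines and truncated tails."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def triage(records):
    """Count the evidence for the two failure signatures in the thread and name the ones present."""
    counts = {"token_ok": 0, "api_unauthorized": 0, "refresh_invalid_grant": 0,
              "resolve_failed": 0, "no_controllers_online": 0}
    unresolved = set()
    for r in records:
        msg = r["msg"]
        if r["func"] == "token_cb" and "200 OK" in msg:
            counts["token_ok"] += 1
        elif "request[/current-api-session]" in msg and "code[UNAUTHORIZED]" in msg:
            counts["api_unauthorized"] += 1
        elif r["func"] == "refresh_cb" and "invalid_grant" in msg:
            counts["refresh_invalid_grant"] += 1
        elif "failed: -3008(unknown node or service)" in msg:
            counts["resolve_failed"] += 1
            # The controller URL sits inside ctrl[...]; tolerate stray backticks from forum rendering.
            m = re.search(r"ctrl\[`*(https?://[^`\]]+)`*\]", msg)
            if m:
                unresolved.add(m.group(1))
        elif r["func"] == "ctrl_next_ep" and "no controllers are online" in msg:
            counts["no_controllers_online"] += 1

    findings = []
    # Signature 1 (Linux tunnel): the token endpoint minted a token (200) but the edge API
    # rejected it (401) and the refresh was refused (invalid_grant), so the SDK loops.
    if counts["token_ok"] and counts["api_unauthorized"] and counts["refresh_invalid_grant"]:
        findings.append("oidc-auth-loop")
    # Signature 2 (Windows service): -3008 is libuv's EAI_NONAME, i.e. getaddrinfo could not
    # resolve the controller hostname, so no endpoint ever comes online.
    if counts["resolve_failed"] and counts["no_controllers_online"]:
        findings.append("controller-unresolvable")
    return {"counts": counts, "findings": findings,
            "unresolved_controllers": sorted(unresolved)}


if __name__ == "__main__":
    for name, sample in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_SAMPLE)):
        print(name, triage(parse_log(sample)))
```

Run it over a full debug log rather than the excerpt: a `token_ok` count that keeps rising in step with `api_unauthorized` and `refresh_invalid_grant` is the loop the post describes, whereas a non-empty `unresolved_controllers` list means the client never got past DNS and the controller address in the identity file is what to verify first.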

Hi @stalow, welcome to the community and to OpenZiti!

Sorry for the delay - it's been a busy time in the OpenZiti project / NetFoundry! Thanks for bearing with us...

What version of the controller are you running? There have been a fair number of issues found and fixed between the 1.6.x stream (the current stable version of the overlay) and the upcoming 2.0.x stream. Based on your logs it looks like your controller doesn't exist any more. That might be a bigger problem. It also seems like you might be a NetFoundry customer - have you gone through our actual support portal?

Thanks

We are closing this issue as we have moved away from the Quickstart script.

We switched to a public instance deployment using the latest Docker images instead of the automated Quickstart Compose file. This resolved our connectivity issues immediately.

We suspect some underlying configuration conflicts within the Quickstart environment, but we did not investigate further as the standard deployment is now working perfectly.

Thanks for the support!