Ziti-edge-tunnel working, but tunnel_status reports Active: false

Tunneler Apps
1

I'm a little confused as to the purpose of the Active: false indicator.

I've followed the steps in Your First Service | OpenZiti, and all is working as expected, but I'm wondering what I am not understanding, given that during my troubleshooting, I assumed Active: false meant something was wrong.

Now that it's working, I still see the Active: false.

$ sudo ziti-edge-tunnel tunnel_status
{
"Success":true,
"Data":{
"Active":false,
"Duration":7227624,
"StartTime":"2025-02-16T18:28:53.219955Z",
"Identities":[
{
"Name":"oconor",
"Identifier":"/opt/openziti/etc/identities/oconor.json",
"FingerPrint":"oconor",
"Active":true,

2

I think this is just a small nuisance improvement/bug.... Did you perhaps start the ziti-edge-tunnel using a little -i to ziti-edge-tunnel, not a capital -I?

When starting the tunneler with -I mode, a directory of identities is required to be supplied and in that directory will be a config.json file that stores some state about each identity in the folder. This file from the config.json file informs the ziti-edge-tunnel if a given identity should, or should not be enabled. The Windows client for example, shows a user visually whether or not a given identity is enabled or disabled and the ziti-edge-tunnel uses this flag to control this behavior:

image
image424×147 23 KB

If you start the CLI-based ziti-edge-tunnel with -i, the identity is automatically enabled and there's no state file to read so the values returned aren't particularly meaningful.

Is that maybe what happened here?

3

I'm using the apt package; according to systemctl, the daemon was started with --identity-dir, which according to the --help output, is the equivalent of -I

         └─3589 /opt/openziti/bin/ziti-edge-tunnel run --verbose=2 --dns-ip-range=100.64.0.1/10 --identity-dir=/opt/openziti/etc/identities

I'm not all that concerned about it, but if it's a bug, then I suppose I've done my duty in reporting it.

4

Ok thanks for letting me know. I'd definitely have expected that to be accurate. I'll ask @qrkourier to investigate a bit tomorrow. He filed an issue a while back but I thought I'd fixed it... This issue if anyone is interested. ZET keeps trying to use disabled identity · Issue #644 · openziti/ziti-tunnel-sdk-c · GitHub

We'll check it out tomorrow/this week. Thanks for pointing it out.

1 Like
5

that Active flags is not at identity level -- tunnel_status.Active. It is actually never set in the code. The value can be safely ignored.

1 Like
6

Here's a one-liner to check all loaded identities' statuses.

ziti-edge-tunnel tunnel_status \
| jq '[.Data.Identities[]|{Identifier: .Identifier, Active: .Active}]'

[
  {
    "Identifier": "/opt/openziti/etc/identities/mira-tunnel.json",
    "Active": true
  },
  {
    "Identifier": "/opt/openziti/etc/identities/bastion1.json",
    "Active": true
  }
]