Ziti-router: no network interface found for 0.0.0.0

I would like to install a self-hosted instance of zrok. I follow the installation guide.
After I have started my ziti-router service and I see these errors.
It is unclear where I should look to fix the error.

{"addr":"tls:0.0.0.0:3022","error":"no network interface found for 0.0.0.0","file":"github.com/openziti/ziti/router/xlink_transport/config.go:76","func":"github.com/openziti/ziti/router/xlink_transport.loadListenerConfig","level":"warning","msg":"unable to get interface for address","time":"2025-04-15T15:13:01.179Z"}

{"action":"Create","entries":1,"error":"out of order event detected, currentIndex: 1, receivedIndex: 0, type :*common.ForgetfulEventCache","file":"github.com/openziti/ziti/common/router_data_model.go:444","func":"github.com/openziti/ziti/common.(*RouterDataModel).ApplyChangeSet","index":0,"level":"error","msg":"could not apply change set","synthetic":false,"time":"2025-04-15T15:13:01.254Z","type":"*edge_ctrl_pb.DataState_Event_PublicKey"}

{"action":"Create","entries":1,"error":"out of order event detected, currentIndex: 1, receivedIndex: 0, type :*common.ForgetfulEventCache","file":"github.com/openziti/ziti/common/router_data_model.go:444","func":"github.com/openziti/ziti/common.(*RouterDataModel).ApplyChangeSet","index":0,"level":"error","msg":"could not apply change set","synthetic":false,"time":"2025-04-15T15:13:01.255Z","type":"*edge_ctrl_pb.DataState_Event_PublicKey"}

/var/lib/private/ziti-router/config.yml:

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:3022
      advertise:        tls:fqdn:3022
      options:
        outQueueSize:   4

1 Like

Can you bind anything to 0.0.0.0 at all? for example:

nc -l 0.0.0.0 12345

Is it possible you don't have IPv4 enabled? I would expect 0.0.0.0 to bind both ipv4 and ipv6. Do you need to use sudo for some reason?

Are we diagnosing this error warning?

{
  "addr": "tls:0.0.0.0:3022",
  "error": "no network interface found for 0.0.0.0",
  "file": "github.com/openziti/ziti/router/xlink_transport/config.go:76",
  "func": "github.com/openziti/ziti/router/xlink_transport.loadListenerConfig",
  "level": "warning",
  "msg": "unable to get interface for address",
  "time": "2025-04-15T15:13:01.179Z"
}

Is the symptom that ziti-router.service continually fails to start?

If the service did start, is it listening on port 3022? I expect not, but we can use this command later to verify that the problem was fixed.

❯ sudo lsof -Pnp $(systemctl show -p MainPID --value ziti-router.service ) |& grep 'TCP.*LISTEN'
ziti-router    622312 user    7u     IPv4            6797524      0t0      TCP *:3022 (LISTEN)

EDIT: I later realized the log level of this message is "warning," not "error"

No. It is here, regardless the error that I don't understand.

netstat -tnlp | grep 3022
tcp6       0      0 :::3022                 :::*                    LISTEN      533304/ziti       

You are right. This is exactly this error. But the router seems to run. Might be I can continue with the installation of zrok.

I think it's safe to ignore this warning-level message if it's functioning as expected.

  "level": "warning",

thank you,

what happens with the network if for some reason the host ZROK API ENDPOINT becomes unavailable, unfortunately.

Should I deploy two controllers connected to the same postgres database? Probably the network will be dead.

The second question concerns the access side:
Does zrok access private need ZROK API ENDPOINT to function after the access has been created? The access side needs only edge routers, isn't it?

Well I see that it is used :frowning:

$systemctl --user restart zrok-agent.service

$ for i in  $(dig api-v1.zrok.io +short); do netstat -tn | grep $i; done
tcp        0      0 192.168.7.12:42716      34.200.133.147:443      ESTABLISHED
tcp        0      0 192.168.7.12:42714      34.200.133.147:443      ESTABLISHED

You'll be unable to manage shares and accesses or access the web console if the zrok controller isn't available.

An array of zrok controllers will behave as a single zrok instance if they share a PostgreSQL data source, which provides table locking.

You may scale out the zrok public frontends at will, optionally cloning a shared public frontend zrok environment since they always have the same authorizations.

The oauth frontend scales with the public frontend.

This PostgreSQL-specific locking configuration may be relevant if you're enforcing limits: Configuring Limits | zrok

This is great. Where I can read about it. It is doable to install two on two hosts.

Do you mean that I can repeat the installation of a controller on another host pointing to the same postgreSQL database in etc/ctrl.yml?

That's how I expect it to work. You may be the first to attempt it. I assume you will need a load balancer or DNS round robin for each array of controllers and frontends.

You will probably have only one, but each public frontend must scale independently behind a LB (or RR) where a wildcard DNS record resolves and wildcard certificate is bound, corresponding to that frontend's public share URL template.