Ziti-service with tunneler

Hello,
I’m deploying OpenZiti in a small local network using virtual machines (VMs). My setup includes:

  • A Controller VM,
  • An Edge Router VM,
  • A Web Server VM (running Apache), and
  • A Client VM.

All identities for these components have been properly registered with the Controller. I’m now working on creating and testing a Ziti service. I followed the steps from this guide, but I decided to use the tunneler as a gateway for my service.

However, when I run the tunneler on the Web Server VM, I encounter the following error:

ERROR sdk-golang/ziti.(*listenerManager).createSessionWithBackoff: {error=[error for request JiuXcY-8u: NO_EDGE_ROUTERS_AVAILABLE: No edge routers are assigned and online to handle the requested connection]} failed to create bind session for service 0xc000cb7580

Here are my questions:

  1. Do I need to create a specific identity for the tunneler, and should it be on a separate VM? Because I only install the packages I can running but it's all
  2. Does the Edge Router require additional configuration to support the tunneler or the service?
  3. Are there any specific steps I need to follow to ensure the tunneler binds to my Apache service?

I want to note that everything is running locally on Ubuntu VMs, without Docker.

Thank you in advance for your assistance!

Hi @Rina111, NO_EDGE_ROUTERS_AVAILABLE is a pretty clear indicator that you either have an edge-router-policy wrong (or missing) or you have a service-edge-router-policy wrong/missing. By far the easiest step to remove this problem for now is to:

  • grant all identities access to all routers using an edge router policy:

    ziti edge create edge-router-policy --identity-roles '#all' --router-roles '#all'
    
  • grant all services access to all routers using a service edge router policy:

    ziti edge create service-edge-router-policy --service-roles '#all' --router-roles '#all'
    

This will almost certainly fix your problem. I expect you are missing one or maybe both policies. Policy-advisor is very helpful in these situations. It will tell you if an identity/service has access to routers:

ziti edge policy-advisor identities|services -q

As for the other questions - that probably aren't relevant to the issue... :slight_smile:

This is a qualified "I guess it depends". It'll depend on how you do things. You certainly CAN do this entirely on one VM and that's how I do most of my stuff/demos/etc, but sometimes it is more impactful to use separate VMs. I don't believe this is an issue for you at this time though.

Yes and no... It requires that you have a route that is "edge-enabled", but that's generally not something I would consider "additional configuration". You just need to make sure your router has an edge listener section.

The hardest part about this imo is understanding that the OpenZiti bind configuration you create will refer to a location that is relative to the offloading identity (your tunneler). If the tunneler runs on the same machine as the Apache service, then I would usually use 127.0.0.1 as the offload address, for example.
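The steps in this answer (the two all-to-all router policies, the policy-advisor check, and a host.v1 bind config whose address is relative to the tunneler's own machine), scripted as one re-runnable example. This is added example code, not from the thread or from the OpenZiti project; it assumes the ziti CLI is on PATH and already logged in to the controller, and the policy, service, config and identity names (all-identities-all-routers, apache-web, webserver-tunneler, ...) are placeholders that are not in the original posts.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): script the fix described in the answer.
# Assumptions: `ziti` is on PATH and logged in; every name below is a placeholder.
set -eu

ZITI="${ZITI:-ziti}"                                          # ziti CLI (or a stub for dry runs)
SERVICE_NAME="${SERVICE_NAME:-apache-web}"                    # assumed service name
TUNNELER_IDENTITY="${TUNNELER_IDENTITY:-webserver-tunneler}"  # assumed identity of the tunneler on the Web Server VM
OFFLOAD_ADDR="${OFFLOAD_ADDR:-127.0.0.1}"                     # resolved on the tunneler's host, as the answer says
OFFLOAD_PORT="${OFFLOAD_PORT:-80}"                            # Apache default port (assumption)

# host.v1 config body: the tunneler that hosts the service dials this address itself,
# so 127.0.0.1 means "Apache on the same VM as the tunneler".
host_config_json() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$OFFLOAD_ADDR" "$OFFLOAD_PORT"
}

# Map a tunneler log line to what to check; recognises the error from the question.
explain_error() {
  case "$1" in
    *NO_EDGE_ROUTERS_AVAILABLE*) echo "check edge-router-policy and service-edge-router-policy" ;;
    *) echo "unrecognised error" ;;
  esac
}

# Step 1 of the answer: every identity and every service may use every router.
create_router_policies() {
  "$ZITI" edge create edge-router-policy all-identities-all-routers \
      --identity-roles '#all' --router-roles '#all'
  "$ZITI" edge create service-edge-router-policy all-services-all-routers \
      --service-roles '#all' --router-roles '#all'
}

# Step 2: the service the tunneler hosts, bound to Apache through the host.v1 config,
# plus the Bind service-policy that lets the tunneler identity host it.
create_bound_service() {
  "$ZITI" edge create config "${SERVICE_NAME}-host" host.v1 "$(host_config_json)"
  "$ZITI" edge create service "$SERVICE_NAME" --configs "${SERVICE_NAME}-host"
  "$ZITI" edge create service-policy "${SERVICE_NAME}-bind" Bind \
      --service-roles "@${SERVICE_NAME}" --identity-roles "@${TUNNELER_IDENTITY}"
}

# Step 3: let policy-advisor confirm that identities and services now reach a router.
advise() {
  "$ZITI" edge policy-advisor identities -q
  "$ZITI" edge policy-advisor services -q
}

# Only talk to the controller when asked explicitly:  ./fix-routers.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_router_policies
  create_bound_service
  advise
fi
```

Run it with `--apply` on a machine that can reach the controller; without the flag it only defines the functions, so `ZITI` can be pointed at a stub to see which commands would be issued. The client VM still needs its own Dial service-policy and an intercept.v1 config before it can reach the service, which the thread does not cover.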

Hi @TheLumberjack,
It works!!!
Thank you, your instructions have been very useful.