Ziti tunneler not able to dial the service

Ziti tunneler and ziti edge router are both enrolled with the controller. Now I set up a service named RDP which is correctly set. Now I am trying to RDP to the RDP server but it does not initiate the RDP session. Then I checked the tunneler service logs.

[2024-08-28T18:31:32.584Z]   ERROR ziti-sdk:channel.c:903 on_channel_connect_internal() ch[0] failed to connect to ER[ubuntu-edge-router] [-4078/connection refused]
[2024-08-28T18:31:32.584Z]    INFO ziti-sdk:channel.c:775 reconnect_channel() ch[0] reconnecting in 122984ms (attempt = 170)
[2024-08-28T18:31:33.084Z]   ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -4039(connection timed out)
[2024-08-28T18:31:33.084Z]   ERROR ziti-sdk:ziti.c:1317 edge_routers_cb() ztx[0] failed to get current edge routers: code[0] CONTROLLER_UNAVAILABLE/connection timed out
[2024-08-28T18:31:33.084Z]   ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -4039(connection timed out)
[2024-08-28T18:31:33.084Z]    WARN ziti-sdk:ziti.c:1262 check_service_update() ztx[0] failed to poll service updates: code[0] err[-16/connection timed out]

Here are the controller configs for the service.

root@ubuntu:~/.ziti/quickstart/ubuntu/ziti-bin/ziti-v1.1.8# ziti edge list configs -j
{
    "data": [
        {
            "_links": {
                "self": {
                    "href": "./configs/6AZBGVliuJIHxTv8JQZgER"
                }
            },
            "createdAt": "2024-08-28T17:58:21.191Z",
            "id": "6AZBGVliuJIHxTv8JQZgER",
            "tags": {},
            "updatedAt": "2024-08-28T18:28:15.676Z",
            "configType": {
                "_links": {
                    "self": {
                        "href": "./config-types/g7cIWbcGg"
                    }
                },
                "entity": "config-types",
                "id": "g7cIWbcGg",
                "name": "intercept.v1"
            },
            "configTypeId": "g7cIWbcGg",
            "data": {
                "addresses": [
                    "my.simple.rdp"
                ],
                "portRanges": [
                    {
                        "high": 3389,
                        "low": 3389
                    }
                ],
                "protocols": [
                    "tcp"
                ]
            },
            "name": "rdp_intercept.v1"
        },
        {
            "_links": {
                "self": {
                    "href": "./configs/l0RbtXxjCOaNAjgcOYr6M"
                }
            },
            "createdAt": "2024-08-28T17:57:38.570Z",
            "id": "l0RbtXxjCOaNAjgcOYr6M",
            "tags": {},
            "updatedAt": "2024-08-28T18:29:01.204Z",
            "configType": {
                "_links": {
                    "self": {
                        "href": "./config-types/NH5p4FpGR"
                    }
                },
                "entity": "config-types",
                "id": "NH5p4FpGR",
                "name": "host.v1"
            },
            "configTypeId": "NH5p4FpGR",
            "data": {
                "address": "172.17.17.30",
                "port": 3389,
                "protocol": "tcp"
            },
            "name": "rdp_host.v1"
        }
    ],
    "meta": {
        "filterableFields": [
            "isSystem",
            "name",
            "type",
            "id",
            "createdAt",
            "updatedAt",
            "tags"
        ],
        "pagination": {
            "limit": 10,
            "offset": 0,
            "totalCount": 2
        }
    }
}

root@ubuntu:~/.ziti/quickstart/ubuntu/ziti-bin/ziti-v1.1.8# ziti edge list service-edge-router-policies
╭────────────────────────┬──────────────────┬───────────────┬───────────────────╮
│ ID                     │ NAME             │ SERVICE ROLES │ EDGE ROUTER ROLES │
├────────────────────────┼──────────────────┼───────────────┼───────────────────┤
│ 4C8JzZQKd7Tiu5wIPEEGUS │ rdp-serp         │ #RDP          │ #all              │
│ 5l2xmBx1fuhcRH98OGrM9t │ allSvcAllRouters │ #all          │ #all              │
╰────────────────────────┴──────────────────┴───────────────┴───────────────────╯


root@ubuntu:~/.ziti/quickstart/ubuntu/ziti-bin/ziti-v1.1.8# ziti edge list services
╭───────────────────────┬─────────────┬────────────┬─────────────────────┬────────────╮
│ ID                    │ NAME        │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│                       │             │  REQUIRED  │                     │            │
├───────────────────────┼─────────────┼────────────┼─────────────────────┼────────────┤
│ DduKOZaEOGznY1lbi7eZo │ RDP-service │ true       │ smartrouting        │ RDP        │
╰───────────────────────┴─────────────┴────────────┴─────────────────────┴────────────╯

Based on these logs, I would say that your tunneler cannot contact the controller.

root@ubuntu:~/.ziti/quickstart/ubuntu/ziti-bin/ziti-v1.1.8# ziti edge list services
╭───────────────────────┬─────────────┬────────────┬─────────────────────┬────────────╮
│ ID                    │ NAME        │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│                       │             │  REQUIRED  │                     │            │
├───────────────────────┼─────────────┼────────────┼─────────────────────┼────────────┤
│ DduKOZaEOGznY1lbi7eZo │ RDP-service │ true       │ smartrouting        │ RDP        │
╰───────────────────────┴─────────────┴────────────┴─────────────────────┴────────────╯

root@ubuntu:~/.ziti/quickstart/ubuntu/ziti-bin/ziti-v1.1.8# ziti edge list terminators
╭───────────────────────┬─────────────┬───────────┬─────────┬───────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID                    │ SERVICE     │ ROUTER    │ BINDING │ ADDRESS               │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├───────────────────────┼─────────────┼───────────┼─────────┼───────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ MXJitu12GoHIQxHIiDhM8 │ RDP-service │ dc-router │ tunnel  │ MXJitu12GoHIQxHIiDhM8 │          │    0 │ default    │            0 │
╰───────────────────────┴─────────────┴───────────┴─────────┴───────────────────────┴──────────┴──────┴────────────┴──────────────╯

Yeah, that's what I understood too. But it is able to connect when I tried to add the identity on the tunneler. Here is what I did on the router side to enable the static NAT:

ip nat inside source static tcp 172.17.17.10 8441 10.200.2.21 8441

So the controller IP address is 172.17.17.10, which is on the inside network. So anyone from outside who wants to access the controller will need to dial 10.200.2.21, which is the WAN IP.
Is that causing an issue?

I don't know what you're trying to show me, but one of the tunnelers cannot contact the controller. If it can't contact the controller, it won't be able to dial the remote service.

There are four logs you can look at, generally in this order:

  • the local tunneler
  • the remote tunneler (are you using a router as the tunneler?)
  • the router
  • the controller

It looks to me that the dialing tunneler can no longer access the controller in general. It's possible you've changed something along the way after enrolling the identity.

I can't help you troubleshoot the NAT'ing - that's outside of the scope of the support forum.

Turn the local tunneler off then on, then dial the service and share the logs from the dialing tunneler here please.
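To make the "which component can the tunneler not reach?" question answerable from the dialing tunneler's log alone, here is a small log triage script. It is an added example for this thread, not part of OpenZiti or the ziti-sdk; it parses the ziti-sdk line format shown above, counts failures against the controller (`ctrl[...] request failed`) and against edge routers (`failed to connect to ER[...]`), records the reconnect backoff, and reports the first thing to check in the order Clint lists (controller before router). The sample input is the six log lines quoted earlier in the thread, embedded as constructed test data; the regexes are written against those lines and are an assumption about the format, not an official parser.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the ziti-sdk lines quoted from the tunneler log
# earlier in this thread, embedded here as test data.
SAMPLE_LOG = """\
[2024-08-28T18:31:32.584Z]   ERROR ziti-sdk:channel.c:903 on_channel_connect_internal() ch[0] failed to connect to ER[ubuntu-edge-router] [-4078/connection refused]
[2024-08-28T18:31:32.584Z]    INFO ziti-sdk:channel.c:775 reconnect_channel() ch[0] reconnecting in 122984ms (attempt = 170)
[2024-08-28T18:31:33.084Z]   ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -4039(connection timed out)
[2024-08-28T18:31:33.084Z]   ERROR ziti-sdk:ziti.c:1317 edge_routers_cb() ztx[0] failed to get current edge routers: code[0] CONTROLLER_UNAVAILABLE/connection timed out
[2024-08-28T18:31:33.084Z]   ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[ubuntu] request failed: -4039(connection timed out)
[2024-08-28T18:31:33.084Z]    WARN ziti-sdk:ziti.c:1262 check_service_update() ztx[0] failed to poll service updates: code[0] err[-16/connection timed out]
"""

# Assumed line shape: "[timestamp]  LEVEL ziti-sdk:file.c:line func() message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+ziti-sdk:(?P<src>[\w.]+:\d+)\s+"
    r"(?P<func>\w+)\(\)\s+(?P<msg>.*)$"
)
# Transport failure towards an edge router: "failed to connect to ER[name] [code/reason]"
ER_FAIL_RE = re.compile(
    r"failed to connect to ER\[(?P<name>[^\]]+)\] \[(?P<code>-?\d+)/(?P<reason>[^\]]+)\]"
)
# Transport failure towards the controller: "ctrl[name] request failed: code(reason)"
CTRL_FAIL_RE = re.compile(
    r"ctrl\[(?P<name>[^\]]+)\] request failed: (?P<code>-?\d+)\((?P<reason>[^)]+)\)"
)
# Channel backoff: "reconnecting in Nms (attempt = K)"
RECONNECT_RE = re.compile(r"reconnecting in (?P<ms>\d+)ms \(attempt = (?P<attempt>\d+)\)")


def parse_log(text):
    """Yield one dict per parseable line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Count transport failures per component and record the worst reconnect backoff."""
    failures = defaultdict(Counter)  # component -> Counter of (peer name, reason)
    max_attempt = 0
    max_backoff_ms = 0
    for entry in parse_log(text):
        msg = entry["msg"]
        if (m := ER_FAIL_RE.search(msg)):
            failures["edge-router"][(m["name"], m["reason"])] += 1
        elif (m := CTRL_FAIL_RE.search(msg)):
            failures["controller"][(m["name"], m["reason"])] += 1
        elif (m := RECONNECT_RE.search(msg)):
            max_attempt = max(max_attempt, int(m["attempt"]))
            max_backoff_ms = max(max_backoff_ms, int(m["ms"]))
    return {
        "failures": {component: dict(c) for component, c in failures.items()},
        "max_reconnect_attempt": max_attempt,
        "max_backoff_ms": max_backoff_ms,
    }


def diagnose(summary):
    """Name the first thing to check: the controller outranks the router, because a
    tunneler that cannot reach the controller cannot refresh routers or dial at all."""
    failures = summary["failures"]
    if "controller" in failures:
        return "controller-unreachable"
    if "edge-router" in failures:
        return "edge-router-unreachable"
    return "no-transport-failures"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for component, counts in s["failures"].items():
        for (peer, reason), n in counts.items():
            print(f"{component:12} {peer:20} {reason:22} x{n}")
    print(f"reconnect attempts seen: {s['max_reconnect_attempt']}, "
          f"backoff up to {s['max_backoff_ms']} ms")
    print("first thing to check:", diagnose(s))
```

Run it against a saved tunneler log (`summarize(open(path).read())`) after the off/on restart requested above; on the sample it reports two controller timeouts against `ubuntu`, one refused edge-router connection, a backoff that has grown to attempt 170, and the verdict `controller-unreachable`, which is exactly the reading in this thread: fix reachability of the controller's advertised address before looking at the service, router policies or terminators.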

Hello Clint,
You were absolutely right that the tunneler was not able to connect with the controller. It was because the WAN IP was not stable. So what I did was change the WAN IP address; now it looks stable, and I am able to connect the tunneler with the controller and also to test the RDP and SSH services.
Thank you for the support.
Waqar