Hello all, I'm trying to connect a ziti-tunneler from a Debian 13 Linux machine. After a successful enroll I want to start the tunneler and I'm getting these messages
[ 2.052] INFO(ziti.(*contextImpl).Authenticate): attempting to authenticate
[ 2.615] DEBUG (ziti.(*contextImpl).Authenticate): {token=[5c41a6f2-ea05-4a40-8198-bc3f08e9bdbe] id=[d800bd6e-4f13-427e-8317-c5e161d8fd21]} Got api session: {d800bd6e-4f13-427e-8317-c5e161d8fd21 5c41a6f2-ea05-4a40-8198-bc3f08e9bdbe}
[ 2.615] DEBUG github.com/netfoundry/ziti-sdk-golang/ziti.(*contextImpl).getServices: using api session token
in an endless loop; I see no other log or message to check.
Any clue will be appreciated. Thanks in advance, regards.
What version of the ziti-tunnel are you using? Do you know the version of the ziti-controller it goes against? You can find the version by running ziti-tunnel version. Getting the version of the controller is a bit trickier, but we could work through that.
Do you know the version of the Ziti bridge and Ziti controller that are being attached to? In the phone I believe it will show you the controller you're attaching to. Can you curl/go to https://{host}:{port}/version ? You'll get something that resembles this:
which is (I think, I'm not clear on this) a hosted Ziti bridge gateway, bridged to an AWS private gateway. I'm seeing the dmesg logs but I see no version information in these logs.
Yes, downloaded from the docs page.
Using ziti-tunnel 0.5.27-14, same effect, unable to authenticate.
I have 2 different Linux VMs, a Debian 13 and a CentOS 8; both are virtual machines running in Windows 10 Hyper-V, connected directly to my house wifi.
Question: do I need to turn off IPv6 or something like that? I do have valid IPv6 addresses besides the LAN IPv4 address (NAT'ed on my ISP cable modem).
Hrm… I've not tried to use the tunneler myself when I don't have a legitimate IP address on the VM, but I run a similar setup with Ubuntu inside Oracle VirtualBox. I always grant my VM a legit IP address. We don't support IPv6 at this time, so if you are ONLY getting an IPv6 address that could possibly be a problem, but I've not seen IPv6 really get in the way like this yet (not ruling it out though). Can you try to give your VM an IP from your home router by using "bridged" or some similar type of network?
I find running the tunneler in proxy mode produces some extra log messages that can be handy, and there's a version of the ziti-tunnel that runs on Windows. If you're ok with moving the enrolled.json file between machines you can rule the VM out of the picture. Pull the identity file into Windows and just run the tunneler in proxy mode.
ziti-tunnel proxy -v -i C:\temp\id.json this_service_does_not_exist:1111
[ 0.019] INFO ziti-edge/tunnel/intercept/proxy.(*interceptor).Start: starting proxy interceptor
[ 0.024] INFO ziti-sdk-golang/ziti.(*contextImpl).Authenticate: attempting to authenticate
[ 0.068] DEBUG ziti-sdk-golang/ziti.(*contextImpl).Authenticate: {session=[502abe58-25f2-499e-8409-c027fb756cbe]} logged in as UserMay-04-0855/6c8f0842-97e5-4320-9672-0281c1d6e2a0
[ 0.068] DEBUG ziti-sdk-golang/ziti.(*contextImpl).getServices: using api session token 6f1ba8c4-0f85-4801-b769-052a2bb09491
[ 0.069] DEBUG ziti-sdk-golang/ziti.(*contextImpl).runSessionRefresh: sleeping 29m50.366861045s before refreshing session
[ 0.069] INFO ziti-foundation/metrics.(*eventControllerImpl).run: started
[ 0.123] DEBUG ziti-sdk-golang/ziti.(*contextImpl).getServices: using api session token 6f1ba8c4-0f85-4801-b769-052a2bb09491
[ 0.180] INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service netcatsvc
[ 0.180] DEBUG ziti-edge/tunnel/intercept/proxy.interceptor.Intercept: {service=[netcatsvc]} service netcatsvc was not specified at initialization. not intercepting
[ 0.181] INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service zcatsvc
[ 0.181] DEBUG ziti-edge/tunnel/intercept/proxy.interceptor.Intercept: {service=[zcatsvc]} service zcatsvc was not specified at initialization. not intercepting
[ 0.182] INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service httpbinsvc
[ 0.182] DEBUG ziti-edge/tunnel/intercept/proxy.interceptor.Intercept: {service=[httpbinsvc]} service httpbinsvc was not specified at initialization. not intercepting
What this is doing is telling the tunneler to run in "proxy" mode, meaning it'll listen on "localhost" on whatever port you tell it to listen on… here, though, I'm telling the tunneler to listen on port 1111 for a service that doesn't exist, just as a diagnostic. The tunneler tells me that it has access to three services (netcatsvc, zcatsvc, httpbinsvc) but none of them were specified to be proxied. This tells me things are working properly…
If you try that, and things look similar and you see the service names you expect, try that same process but using the Linux machine. After this, if things still look ok we'll probably have to dig in more.
Can you also share how you're starting the tunneler? Is it as a service, or are you just running it directly at the moment?
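As an added example (not code from this thread or from the ziti-tunnel project), a small POSIX shell helper that reads a proxy-mode log like the one above and reports whether the identity got an API session and which services it was offered. The capture command and identity path in the comments are assumptions, and the sample logs are constructed from lines quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a ziti-tunnel proxy-mode log
# to see whether the identity authenticated and which services it can see.
# Assumed capture command (identity path is a placeholder):
#   timeout 20 ziti-tunnel proxy -v -i /path/to/id.json nosuchsvc:1111 > tunnel.log 2>&1
# Then:  diagnose < tunnel.log
# Names of services the controller reported to the tunneler, one per line.
available_services() {
    grep 'starting tunnel for newly available service' |
        sed 's/.*newly available service //' | sort -u
}

# Services seen but not proxied because no local port was mapped for them.
not_intercepted_services() {
    grep 'was not specified at initialization' |
        sed 's/.*service=\[\([^]]*\)\].*/\1/' | sort -u
}

# Reads a log on stdin. Returns 0 if an API session was obtained and services
# were listed, 1 if a session was obtained but no services arrived, 2 otherwise.
diagnose() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -Eq 'logged in as|Got api session'; then
        echo "no api session: check controller reachability and tunneler version" >&2
        return 2
    fi
    count=$(printf '%s\n' "$log" | available_services | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "api session ok but no services listed: check the service/AppWAN assignment" >&2
        return 1
    fi
    echo "api session ok; $count service(s) visible:"
    printf '%s\n' "$log" | available_services
    return 0
}

# Constructed sample log, abridged from the proxy-mode output quoted above (ids shortened).
SAMPLE_LOG='[ 0.024] INFO ziti-sdk-golang/ziti.(*contextImpl).Authenticate: attempting to authenticate
[ 0.068] DEBUG ziti-sdk-golang/ziti.(*contextImpl).Authenticate: {session=[502abe58]} logged in as UserMay-04-0855/6c8f0842
[ 0.180] INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service netcatsvc
[ 0.180] DEBUG ziti-edge/tunnel/intercept/proxy.interceptor.Intercept: {service=[netcatsvc]} service netcatsvc was not specified at initialization. not intercepting
[ 0.181] INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service zcatsvc
[ 0.182] INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service httpbinsvc'

# Constructed sample of the looping output from the first post (a session, but no services ever arrive).
LOOP_LOG='[ 2.052] INFO(ziti.(*contextImpl).Authenticate): attempting to authenticate
[ 2.615] DEBUG (ziti.(*contextImpl).Authenticate): {token=[5c41a6f2] id=[d800bd6e]} Got api session: {d800bd6e 5c41a6f2}
[ 2.615] DEBUG github.com/netfoundry/ziti-sdk-golang/ziti.(*contextImpl).getServices: using api session token'
printf '%s\n' "$SAMPLE_LOG" | diagnose
```

Run against the first post's output the helper reports a session with no services, which is the symptom the thread eventually traced to the service/AppWAN side rather than the Linux client.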
Ok, I'll give it a try. Note: I do have a valid IPv4 from my local LAN (the VM network is bridged with my wifi, so my host computer and all my VMs are in the same LAN). Also I have valid IPv6 since the router has a /64 for prefix delegation. So, both are correct and available. I will force v6 down to complete the tests.
Finally got it working. As the last mentioned test didn't work, it sounded strange to me. So, as we had a previous running Ziti schema (with a different Ziti bridge to a different AWS private gateway), I moved my Linux as a client of this previous config and it worked perfectly. Meaning with this, something was wrong with my new config (AWS GW + Ziti bridge + service + AppWAN), which I'll review later; now I'm sure that the Linux client works without any problem.
Thanks for your help again.
One last extra question. In this scenario:
AWS VPC 1: LAN 172.29.253.0/24 (the default)
AWS VPC 2: Same LAN
each VPC has its own AWS Private Gateway.
on each VPC I have a service using the same IP/Port.
What's the correct way to distinguish if I'm connected to both VPCs? The intercept address?
Just so I understand, you're looking for a test to perform to verify which/how many gateways you're connected to? Generally speaking I would say that probing the intercept address would be the way to do it. I don't think there's really a better way than that at this time, but if I think of something or someone else does I'll reach back out.
Not exactly. What I'm asking is, if I have 2 different AWS VPCs and both use the same LAN subnet, what is the way to distinguish, for example, between VPC1 172.29.253.60 and VPC2 172.29.253.60 from the user perspective (how to connect to one or the other)?