Ziti-tunneler unable to connect

Hello all, I'm trying to connect a ziti-tunneler from a debian13 Linux. After a successful enroll I want to start the tunneler, and I'm getting these messages

[ 2.052] INFO(ziti.(*contextImpl).Authenticate): attempting to authenticate
[ 2.615] DEBUG (ziti.(*contextImpl).Authenticate): {token=[5c41a6f2-ea05-4a40-8198-bc3f08e9bdbe] id=[d800bd6e-4f13-427e-8317-c5e161d8fd21]} Got api session: {d800bd6e-4f13-427e-8317-c5e161d8fd21 5c41a6f2-ea05-4a40-8198-bc3f08e9bdbe}
[ 2.615] DEBUG github.com/netfoundry/ziti-sdk-golang/ziti.(*contextImpl).getServices: using api session token

in an endless loop; I see no other log or message to check.

Any clue will be appreciated. Thanks in advance. Regards.

What version of the ziti-tunnel are you using? Do you know the version of the ziti-controller it goes against? You can find the version by running ziti-tunnel version. Getting the version of the controller is a bit trickier, but we could work through that.

alz@debiants:~$ ziti-tunnel version
v0.9.0

I'm trying to connect to a ziti bridge with a gateway in an AWS VPC (I'm able to complete the same connection using the zitiPacketTunnel from my phone).

Do you know the version of the ziti bridge and ziti controller that are being attached to? In the phone I believe it will show you the controller you're attaching to. Can you curl/go to https://{host}:{port}/version ? You'll get something that resembles this:

{"meta":{},"data":{"buildDate":"2020-02-11 16:09:08","revision":"ea556fc18740","runtimeVersion":"go1.14.2","version":"v0.9.0"}}

I'm checking to ensure the version of your controller is the same as the tunneler; if not, that might be what's going on.
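The version comparison suggested above, as an added shell example that is not from the original thread or from the ziti project. It assumes only what the thread shows: that https://{host}:{port}/version returns JSON with a data.version field and that ziti-tunnel version prints the local build. The function names and the use of -k (enrollment CAs are usually private) are this example's own choices; no jq is needed, so it runs on a bare Debian or CentOS VM.

```shell
#!/bin/sh
# Added example (not project code): compare the controller's advertised
# version with the locally installed ziti-tunnel before chasing auth loops.

# Pull the "version" value out of the /version JSON body with POSIX sed.
# Greedy .* means the LAST "version":"..." wins, which is data.version;
# "runtimeVersion" does not match because of the capital V and the missing quote.
ziti_version_from_json() {
    # $1: raw JSON body as returned by https://{host}:{port}/version
    printf '%s' "$1" | sed -n 's/.*"version":"\([^"]*\)".*/\1/p'
}

# Normalise a leading "v" so "v0.9.0" (tunneler) and "0.9.0" (controller) compare equal.
ziti_norm_version() {
    printf '%s' "$1" | sed 's/^v//'
}

# Exit status 0 when the two versions are the same build, 1 otherwise.
ziti_versions_match() {
    [ "$(ziti_norm_version "$1")" = "$(ziti_norm_version "$2")" ]
}

# Fetch the controller's version over the network. -k is used because the
# controller certificate is normally issued by the private ziti CA.
ziti_controller_version() {
    # $1: controller host, $2: controller port
    body=$(curl -sk "https://$1:$2/version") || return 1
    ziti_version_from_json "$body"
}

# Usage: ziti_check_versions 52.4.203.27 1080
# Prints a one-line verdict; returns 1 on mismatch, 2 if the controller is unreachable.
ziti_check_versions() {
    ctrl=$(ziti_controller_version "$1" "$2") || { echo "could not reach controller $1:$2"; return 2; }
    local_v=$(ziti-tunnel version 2>/dev/null | head -n 1)
    if ziti_versions_match "$ctrl" "$local_v"; then
        echo "ok: controller $ctrl matches tunneler $local_v"
    else
        echo "MISMATCH: controller $ctrl vs tunneler $local_v; install the ziti-tunnel build matching the controller"
        return 1
    fi
}
```

Run ziti_check_versions with the host and port your phone app shows for the controller. A mismatch is not proof of the fault, but it is the first thing to rule out, since an SDK that speaks a newer edge API than the controller can loop on authenticate/getServices exactly as in the log above.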

On the phone I see a URL; if I curl this URL/version I get

alz@alzw10:~ (master)$ curl -k https://52.4.203.27:1080/version
{"meta":{},"data":{"buildDate":"Tue-12/03/2019-14:21:33-UTC","revision":"7b19e87b","runtimeVersion":"go1.13.4","version":"0.5.27-14"}}

which is (I think, I'm not clear on this) a hosted Ziti bridge gateway, bridged to an AWS private gateway, which I'm seeing in the dmesg logs, but I see no version information in these logs.

Ah. That's what I thought. Try the tunneler from https://netfoundry.jfrog.io/artifactory/ziti-release/ziti-tunnel/amd64/linux/0.5.27-14/ziti-tunnel.tar.gz. I suspect you got the link for it from our regular doc page. That page can be a bit ahead of the curve. I think this one is what you need.

Yes, downloaded from the docs page.
Using ziti-tunnel 0.5.27-14: same effect, unable to authenticate.
I have 2 different Linux machines, a debian13 and a centos8; both are virtual machines running in Windows 10 Hyper-V, connected directly to my house Wi-Fi.
Question: do I need to turn off IPv6 or something like that? I do have valid IPv6 addresses besides the LAN IPv4 address (NAT'ted on my ISP cable modem).

Hrm… I've not tried to use the tunneler myself when I don't have a legitimate IP address on the VM, but I run a similar setup with Ubuntu inside Oracle VirtualBox. I always grant my VM a legit IP address. We don't support IPv6 at this time, so if you are ONLY getting an IPv6 address that could possibly be a problem, but I've not seen IPv6 really get in the way like this yet (not ruling it out though). Can you try to give your VM an IP from your home router by using 'bridged' or some similar type of network?

I find running the tunneler in proxy mode produces some extra log messages that can be handy, and there's a version of the ziti-tunnel that runs on Windows. If you're ok with moving the enrolled .json file between machines, you can rule the VM out of the picture. Pull the identity file into Windows and just run the tunneler in proxy mode.

Grab the windows tunneler here https://netfoundry.jfrog.io/netfoundry/ziti-release/ziti-tunnel/amd64/windows/0.5.27-14/ziti-tunnel.tar.gz and try running it with:

ziti-tunnel proxy -v -i your_identity_file.json this_service_does_not_exist:1111

You’ll see output similar to mine here:

ziti-tunnel proxy -v -i C:\temp\id.json this_service_does_not_exist:1111
    [   0.019]    INFO ziti-edge/tunnel/intercept/proxy.(*interceptor).Start: starting proxy interceptor
    [   0.024]    INFO ziti-sdk-golang/ziti.(*contextImpl).Authenticate: attempting to authenticate
    [   0.068]   DEBUG ziti-sdk-golang/ziti.(*contextImpl).Authenticate: {session=[502abe58-25f2-499e-8409-c027fb756cbe]} logged in as UserMay-04-0855/6c8f0842-97e5-4320-9672-0281c1d6e2a0
    [   0.068]   DEBUG ziti-sdk-golang/ziti.(*contextImpl).getServices: using api session token 6f1ba8c4-0f85-4801-b769-052a2bb09491
    [   0.069]   DEBUG ziti-sdk-golang/ziti.(*contextImpl).runSessionRefresh: sleeping 29m50.366861045s before refreshing session
    [   0.069]    INFO ziti-foundation/metrics.(*eventControllerImpl).run: started
    [   0.123]   DEBUG ziti-sdk-golang/ziti.(*contextImpl).getServices: using api session token 6f1ba8c4-0f85-4801-b769-052a2bb09491
    [   0.180]    INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service netcatsvc
    [   0.180]   DEBUG ziti-edge/tunnel/intercept/proxy.interceptor.Intercept: {service=[netcatsvc]} service netcatsvc was not specified at initialization. not intercepting
    [   0.181]    INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service zcatsvc
    [   0.181]   DEBUG ziti-edge/tunnel/intercept/proxy.interceptor.Intercept: {service=[zcatsvc]} service zcatsvc was not specified at initialization. not intercepting
    [   0.182]    INFO ziti-edge/tunnel/intercept.updateServices: starting tunnel for newly available service httpbinsvc
    [   0.182]   DEBUG ziti-edge/tunnel/intercept/proxy.interceptor.Intercept: {service=[httpbinsvc]} service httpbinsvc was not specified at initialization. not intercepting

What this is doing is telling the tunneler to run in 'proxy' mode, meaning it'll listen on 'localhost' on whatever port you tell it to listen on… here, though, I'm telling the tunneler to listen on port 1111 for a service that doesn't exist, just as a diagnostic. The tunneler tells me that it has access to three services (netcatsvc, zcatsvc, httpbinsvc) but none of them were specified to be proxied. This tells me things are working properly…

If you try that, and things look similar and you see the service names you expect, try that same process but using the Linux machine. After this, if things still look ok, we'll probably have to dig in more.

Can you also share how you're starting the tunneler? Is it as a service, or are you just running it directly at the moment?

Ok, I'll give it a try. Note: I do have a valid IPv4 address from my local LAN (the VM network is bridged with my Wi-Fi, so my host computer and all my VMs are in the same LAN). Also I have valid IPv6 since the router has a /64 for prefix delegation. So both are correct and available. I will force v6 down to complete the tests.

Finally got it working. As the last-mentioned test didn't work, it sounded strange to me. So, as we had a previous running Ziti schema (with a different Ziti bridge to a different AWS private gateway), I moved my Linux machine to be a client of this previous config and it worked perfectly. Meaning, with this, something was wrong with my new config (AWS GW + Ziti bridge + service + AppWAN), which I'll review later; now I'm sure that the Linux client works without any problem.
Thanks for your help again.

One last extra question, in this scenario:
AWS VPC 1: LAN 172.29.253.0/24 (the default)
AWS VPC 2: same LAN
Each VPC has its own AWS Private Gateway.
On each VPC I have a service using the same IP/port.

What's the correct way to distinguish if I'm connected to both VPCs? The intercept address?

Just so I understand, you're looking for a test to perform to verify which/how many gateways you're connected to? Generally speaking, I would say that probing the intercept address would be the way to do it. I don't think there's really a better way than that at this time, but if I think of something, or someone else does, I'll reach back out.

Not exactly. What I'm asking is: if I have 2 different AWS VPCs and both use the same LAN subnet, what is the way to distinguish, for example, between VPC1 172.29.253.60 and VPC2 172.29.253.60 from the user's perspective (how to connect to one or the other)?

If it were me I would just use different intercepts for each… vpc1 and vpc2… I might choose more descriptive names though. 🙂

Perfect! Thanks again.