Connection is severed after inactivity, but only one side can re-initiate the connection

Hi there, I am having an issue with ZeroTier where everything works fine, but after a while of inactivity a server is no longer reachable until that server tries to ping the other servers.

The setup:

  • every node has a static IP
  • my server should be reachable by all nodes, it has IP 172.16.2.2
  • the server runs in a DC, with a firewall
  • the firewall allows all outbound traffic, and allows UDP 9993 incoming from any IP
  • within the ZeroTier network a flow rule is applied to prevent other nodes from connecting with anything other than the server, see below
  • all other clients are behind the same remote network, so they share the same WAN IP
  • all nodes and the server use Linux
  • all nodes and the server use version 1.14.0

Flow rule:

drop
	not ethertype ipv4
	and not ethertype arp
	and not ethertype ipv6
;

# only allow traffic from and to the proxy (mapped on zerotier address so ip does not matter)
drop
	not ztsrc <server-id>
	and not ztdest <server-id>
;

# This is required because the default action is 'drop'.
accept;

The problem
Everything works fine if the clients often connect with the server. An issue arises when clients stop connecting with the server; then it looks like something eventually times out. When that happens, the clients can no longer reach the server: when you try to ping it you get “no route to host”.
Then, when you ping each client from the server, there is a delay of a few seconds and then you get ping replies. Once that is done, every client can reach the server again.

Before doing the ping on the server I checked the peers list, and the WAN IP of the clients is not in the list. After doing the ping from the server to all the clients, the WAN IP is shown in the peers list.

So it seems that after a while of inactivity the connection between the clients behind the WAN IP and the server is severed, and the clients don’t seem to be allowed to re-initiate the connection. The server, however, is allowed to, as the pings show. That makes me think there is some configuration issue on the server side (perhaps the firewall, or is it the flow rule?), but I am not sure what the issue could be.

Thanks!
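As an added diagnostic, not part of the original post: the check below parses the JSON that `zerotier-cli -j peers` prints and lists peers that have no active direct path, which is the state described above when a client's WAN IP is missing from the peers list. The sample output is constructed, and the field names ("address", "paths", "active", "lastReceive") are assumed to match what the CLI emits on version 1.14.0.

```python
"""Flag ZeroTier peers that have lost their direct path (added example)."""
import json
import subprocess

# Constructed sample of `zerotier-cli -j peers` output: one peer with a live
# path, one whose paths have dropped, one whose only path is marked inactive.
SAMPLE_PEERS_JSON = """
[
  {"address": "aaaaaaaaaa", "latency": 12, "role": "LEAF",
   "paths": [{"address": "203.0.113.10/9993", "active": true,
              "preferred": true, "lastReceive": 1700000000000}]},
  {"address": "bbbbbbbbbb", "latency": -1, "role": "LEAF", "paths": []},
  {"address": "cccccccccc", "latency": -1, "role": "LEAF",
   "paths": [{"address": "203.0.113.10/9993", "active": false,
              "preferred": false, "lastReceive": 1699990000000}]}
]
"""


def peers_without_active_path(peers_json: str) -> list[str]:
    """Return ZeroTier addresses of peers that have no active direct path.

    A peer with an empty path list, or only inactive paths, matches the
    symptom in the post: its WAN IP no longer shows up in the peers list.
    """
    stale = []
    for peer in json.loads(peers_json):
        paths = peer.get("paths", [])
        if not any(p.get("active") for p in paths):
            stale.append(peer["address"])
    return stale


def live_peers_json() -> str:
    """Query the local daemon; needs zerotier-cli on PATH and root/authtoken."""
    return subprocess.check_output(["zerotier-cli", "-j", "peers"], text=True)


if __name__ == "__main__":
    # Run against the real daemon; peers reported here are the ones the
    # server would currently have to ping first to restore reachability.
    for ztaddr in peers_without_active_path(live_peers_json()):
        print(f"peer {ztaddr}: no active path")
```

Running it from cron on the server gives a record of when paths drop, which helps separate a NAT mapping timeout on the client side from a firewall or rule problem on the server.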
