TCP fallback ... doesn't

ztdc230131 · February 11, 2023, 5:25pm

I’ve got a network that absolutely blocks all UDP traffic, but does not restrict TCP in any way.

When I put an otherwise working ZeroTier client on that network, it never connects. Client 1.10.2. Happens with MacOS or Linux.

Mac:

200 listpeers <ztaddr> <path> <latency> <version> <role>
200 listpeers 62f865ae71 - -1 - PLANET
200 listpeers 778cde7190 - -1 - PLANET
200 listpeers [redacted net prefix] - -1 1.10.2 LEAF
200 listpeers cafe04eba9 - -1 - PLANET
200 listpeers cafe9efeb9 - -1 - PLANET

Linux:

200 listpeers <ztaddr> <path> <latency> <version> <role>
200 listpeers 62f865ae71 - -1 - PLANET
200 listpeers 778cde7190 - -1 - PLANET
200 listpeers [redacted net prefix] - -1 1.10.2 LEAF
200 listpeers cafe04eba9 - -1 - PLANET
200 listpeers cafe9efeb9 - -1 - PLANET

From either:

$ sudo zerotier-cli status -j|grep -i tcp
   "allowTcpFallbackRelay": true,
 "tcpFallbackActive": false,

How do I go about troubleshooting why it’s not falling back to TCP?

adekker · February 28, 2023, 2:35pm

Might be worth updating, there are some TCP relay changes in 1.10.3.

github.com

zerotier/ZeroTierOne/blob/dev/RELEASE-NOTES.md

ZeroTier Release Notes
======

# 2023-02-15 -- Version 1.10.3

 * Fix for duplicate paths in client. Could cause connectivity issues. Affects all platforms.
 * Fix for Ethernet Tap MTU setting, would not properly apply on Linux.
 * Fix default route bugs (macOS.)
 * Enable Ping automatically for ZeroTier Adapters (Windows.)
 * SSO updates and minor bugfixes.
 * Add low-bandwidth mode.
 * Add forceTcpRelay mode (optionally enabled.)
 * Fix bug that prevented setting of custom TCP relay address.
 * Build script improvements and bug fixes.

# 2022-11-01 -- Version 1.10.2

 * Fix another SSO "stuck client" issue in zeroidc.
 * Expose root-reported external IP/port information via the local JSON API for better diagnostics.
 * Multipath: CLI output improvement for inspecting bonds

This file has been truncated. show original

zt-travis · February 28, 2023, 3:43pm

Yeah, please upgrade. There’s also a forceTcpRelay property in local.conf you can set to true.

{
  "settings": {
    "forceTcpRelay": true
  }
}

You can also run your own relay though this is a little DIY at the moment:

ztdc230131 · March 9, 2023, 2:53pm

It looks like 1.10.4 on Linux, forceTcpRelay set to true, with a private relay as suggested does work, but takes literal minutes to fully connect. It talks with the proxy immediately, exchanges some UDP packets, and then sits for over a minute like this with no network traffic -

200 listpeers <ztaddr> <path> <latency> <version> <role>
200 listpeers 62f865ae71 - -1 - PLANET
200 listpeers 778cde7190 - -1 - PLANET
200 listpeers cafe04eba9 - -1 - PLANET
200 listpeers cafe9efeb9 - -1 - PLANET

… but does eventually start communicating properly.

Thanks for the pointer.

toadzhou · March 31, 2023, 7:43am

When I force to use TCP mode, the network is unreachable, but if I use UDP he is normal.

root@localhost:/var/lib/zerotier-one# ping 11.2.0.11
PING 11.2.0.11 (11.2.0.11) 56(84) bytes of data.
From 11.2.0.12 icmp_seq=1 Destination Host Unreachable
From 11.2.0.12 icmp_seq=2 Destination Host Unreachable
From 11.2.0.12 icmp_seq=3 Destination Host Unreachable
^C
— 11.2.0.11 ping statistics —
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3050ms
pipe 3
root@localhost:/var/lib/zerotier-one# mv local.conf local.conf.bak
root@localhost:/var/lib/zerotier-one# systemctl restart zerotier-one.service
root@localhost:/var/lib/zerotier-one# ping 11.2.0.11
PING 11.2.0.11 (11.2.0.11) 56(84) bytes of data.
64 bytes from 11.2.0.11: icmp_seq=1 ttl=64 time=665 ms
64 bytes from 11.2.0.11: icmp_seq=3 ttl=64 time=324 ms
^C
— 11.2.0.11 ping statistics —
4 packets transmitted, 2 received, 50% packet loss, time 3029ms
rtt min/avg/max/mdev = 324.275/494.548/664.821/170.273 ms
root@localhost:/var/lib/zerotier-one# cat local.conf.bak
{
  "settings": {
    "forceTcpRelay": true
  }
}

Because ISP will block UDP from time to time, I need to let him work in TCP mode for a long time.

system · April 30, 2023, 7:44am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.