cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

🐛 tunnel is not working as expected #1328

Open Vikranth-Subramanian opened 2 weeks ago

Vikranth-Subramanian commented 2 weeks ago

Describe the bug

cloudflared 2024.1.6 and above is breaking the stability of the connection, including the latest 2024 release, which is 2024.9.1.

To Reproduce

Steps to reproduce the behavior:

  1. Run the docker container with 2024.1.6.
  2. The tunnel is flapping up and down, and the connection is nearly unusable.

If it's an issue with Cloudflare Tunnel:

  1. Tunnel ID : 92e2eec4-4237-4b87-8764-1556d14b723c
  2. cloudflared config: tunnel --no-autoupdate run --token !!!REDACTED!!!

Expected behavior

Connection should be stable.

Environment and versions

Logs and errors

2024-09-16T08:00:32Z ERR error="dial tcp <private-ip>:7680: i/o timeout" connIndex=3 destAddr=<private-ip>:7680 event=2 flowID=c8cfac7f-8dc3-4765-aa1d-3fb282a28e80 originService=warp-routing

2024-09-16T08:00:32Z ERR Request failed error="dial tcp <private-ip>:7680: i/o timeout" connIndex=3 dest=<private-ip>:7680 event=0 ip=198.41.200.43 type=tcp

Additional context

This can be resolved by turning on the experimental ICMP feature flag on Networks -> Proxy. If the ICMP feature has not been turned on, whenever the tunnel starts, it starts with the error:

WRN The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network error="Group ID 0 is not between ping group 1 to 0"

2024-09-16T07:06:08Z WRN ICMP proxy feature is disabled error="cannot create ICMPv4 proxy: Group ID 0 is not between ping group 1 to 0 nor ICMPv6 proxy: socket: permission denied"

The tunnel shows healthy in the Cloudflare console, but the container has these error/io timeout logs.

Setup: This is running in a container inside a VPC which has permissions to set up an outbound tunnel.
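The `ping_group_range` warning quoted in the report above can be checked directly from inside the container. The following is an added example, not part of the original issue and not cloudflared's own code; the function name `ping_range_status` is hypothetical. It applies the same range test the warning describes: the Linux default value `1 0` is an empty range, so no group (GID 0 included) may open unprivileged ICMP sockets.

```shell
#!/bin/sh
# Added example (not cloudflared code): explains a warning such as
#   "Group ID 0 is not between ping group 1 to 0"
# by testing group IDs against net.ipv4.ping_group_range.

# ping_range_status "MIN MAX" GID [GID...]
# Prints one of:
#   disabled       range is empty (MIN > MAX), e.g. the kernel default "1 0"
#   allowed:<gid>  first supplied GID that falls inside the range
#   denied         range is valid but none of the supplied GIDs is inside it
# Returns 0 only for "allowed".
ping_range_status() {
    range=$1; shift
    min=${range%%[!0-9]*}   # digits before the separator (tab or space)
    max=${range##*[!0-9]}   # digits after the separator
    if [ "$min" -gt "$max" ]; then
        echo disabled
        return 1
    fi
    for gid in "$@"; do
        if [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]; then
            echo "allowed:$gid"
            return 0
        fi
    done
    echo denied
    return 1
}

# Live check: only runs where the sysctl is readable (Linux hosts/containers).
PING_RANGE_FILE=/proc/sys/net/ipv4/ping_group_range
if [ -r "$PING_RANGE_FILE" ]; then
    # id -G lists every group ID of the current user, primary group first.
    status=$(ping_range_status "$(cat "$PING_RANGE_FILE")" $(id -G)) || true
    echo "ping_group_range=$(cat "$PING_RANGE_FILE") -> $status"
fi
```

A result of `disabled` or `denied` matches the "ICMP proxy feature is disabled" warning in the logs; it describes the ICMP proxy only and does not by itself explain the `dial tcp ... i/o timeout` errors.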

mattduguid commented 1 week ago

From the container, are both TCP & UDP for port 7680 allowed outbound as per https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/?

Vikranth-Subramanian commented 1 week ago

I can confirm that it has been configured with the right firewall rules.

mattduguid commented 1 week ago

"dial tcp" and failure to connect looks like no network path. Try loading a sidecar container into the same namespace with some network testing tools and confirm connectivity.