Open plorenz opened 2 years ago
I also encountered this issue with a tunneler edge router identity (ER/T) acting as a dialing client. The client identity got "failed to dial fabric" because it must use its attached parent router, ignoring the ERP with #all identities.
ERP: #all/#all
SERP: #all/#public
The attached, parent router did not match the SERP (lacking #public), so its child client tunneler could not dial the service.
@qrkourier Hello, I seem to have encountered the same problem as you. The error is as follows. Can you tell me your specific solution? Thank you
[ 101.018] INFO ziti/tunnel/intercept/tproxy.(*tProxy).acceptTCP: received connection: 100.64.0.1:5000 --> 100.64.0.0:60886
[ 101.018] WARNING ziti/router/xgress_edge_tunnel.(*fabricProvider).tunnelServiceV1: {ctrlId=[www.ziti-test-ctrl.com] error=[context deadline exceeded] service=[zftest]} failed to dial fabric
[ 101.019] ERROR ziti/tunnel.DialAndRun: {error=[context deadline exceeded] service=[zftest]} tunnel failed
[ 120.010] DEBUG ziti/router/forwarder.(*Scanner).scan: scanning [0] circuits
[ 120.093] DEBUG ziti/router/state.(*ManagerImpl).StartRouterModelSave.func1.(*RouterDataModel).Save.1: could not save router data model, no index
I set a permissive SERP #all/#all and do this routinely now. @Apaid
You could have a case where a service could have access to an edge router, and the tunneler edge router identity has access to the same edge router, but it won't be able to host because the service doesn't have access to it. The policy advisor won't find this though, b/c they have access to a common edge router.
Alternately we could ignore identities of type router in edge router policies except for the system-generated policy.
Should potentially take this into account when creating an edge session as well.
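To make the mismatch discussed in this thread concrete, here is an added Python model of ERP/SERP evaluation; it is constructed for this note and is not OpenZiti's code, and the Entity/policy shapes and role-matching rules are simplified assumptions. It shows why a "common edge router" advisor check passes while the dial fails for a router-type identity that is pinned to its parent router, and why the permissive SERP makes it pass.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of ERP / SERP evaluation; not OpenZiti's implementation.
# Roles: "#all" matches everything, "#attr" matches an entity carrying attr, "@name" matches by name.

@dataclass(frozen=True)
class Entity:
    name: str
    attrs: frozenset = frozenset()
    kind: str = "device"                    # "device" or "router" (a tunneler ER/T identity)
    parent_router: Optional[str] = None     # set only for kind == "router"

def matches(roles, e):
    return any(r == "#all" or r == f"@{e.name}" or r[1:] in e.attrs for r in roles)

def policy_routers(policies, subject, routers):
    """Routers granted to `subject` by policies given as (subject_roles, router_roles) pairs."""
    return {r.name for subj_roles, rtr_roles in policies
            if matches(subj_roles, subject) for r in routers if matches(rtr_roles, r)}

def advisor_says_ok(identity, service, erps, serps, routers):
    """The advisor check described in the thread: any router common to both sides => OK."""
    return bool(policy_routers(erps, identity, routers) & policy_routers(serps, service, routers))

def can_dial(identity, service, erps, serps, routers):
    """Actual behaviour: a router-type identity only ever dials through its parent router."""
    if identity.kind == "router":
        usable = {identity.parent_router}          # the ERPs are irrelevant for this identity
    else:
        usable = policy_routers(erps, identity, routers)
    return bool(usable & policy_routers(serps, service, routers))

# Constructed scenario mirroring the thread: the parent router lacks the #public attribute.
ROUTERS = [Entity("parent-er"), Entity("public-er", frozenset({"public"}))]
ERT_CLIENT = Entity("ert-client", kind="router", parent_router="parent-er")
LAPTOP = Entity("laptop")                          # an ordinary device identity for comparison
ZFTEST = Entity("zftest")
ERPS = [(("#all",), ("#all",))]                    # ERP:  #all/#all
SERP_PUBLIC = [(("#all",), ("#public",))]          # SERP: #all/#public
SERP_ALL = [(("#all",), ("#all",))]                # the permissive SERP used as a workaround

if __name__ == "__main__":
    for label, serps in (("SERP #all/#public", SERP_PUBLIC), ("SERP #all/#all", SERP_ALL)):
        print(label, "advisor:", advisor_says_ok(ERT_CLIENT, ZFTEST, ERPS, serps, ROUTERS),
              "dial:", can_dial(ERT_CLIENT, ZFTEST, ERPS, serps, ROUTERS))
```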