Open plorenz opened 1 year ago
I also encountered this issue with a tunneler edge router identity (ER/T) acting as a dialing client. The client identity got "failed to dial fabric" because it must use its attached parent router, ignoring the ERP with #all identities.
ERP: #all/#all
SERP: #all/#public
The attached, parent router did not match the SERP (lacking #public), so its child client tunneler could not dial the service.
You could have a case where a service could have access to an edge router, and the tunneler edge router identity has access to the same edge router, but it won't be able to host because the service doesn't have access to it. The policy advisor won't find this though, b/c they have access to a common edge router.
Alternately we could ignore identities of type router in edge router policies except for the system generated policy.
Should potentially take this into account when creating edge session as well.
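
The gap described in this issue, as an added example that is not part of the original thread and not OpenZiti code: a simplified model of `#attribute` role matching in which a router-type identity can only use its parent router. The router names, the `parent_router` field and all function names are hypothetical, and the sample data is constructed from the ERP `#all/#all` and SERP `#all/#public` case above.

```python
# Simplified model of role-attribute policies; not OpenZiti's implementation.

def matches(roles, attrs):
    # '#all' matches every entity; '#name' matches an entity tagged 'name'.
    return any(r == "#all" or r.lstrip("#") in attrs for r in roles)

def routers_allowed(entity_attrs, routers, policies):
    # Policies are (entity_roles, edge_router_roles) pairs: ERP or SERP.
    return {name for name, r_attrs in routers.items()
            for entity_roles, er_roles in policies
            if matches(entity_roles, entity_attrs) and matches(er_roles, r_attrs)}

def advisor_common_routers(identity, service_attrs, routers, erps, serps):
    # The check described in the issue: identity and service share any edge router.
    return (routers_allowed(identity["attrs"], routers, erps)
            & routers_allowed(service_attrs, routers, serps))

def usable_routers(identity, service_attrs, routers, erps, serps):
    # A tunneler edge router identity must use its parent router, so the ERP
    # result is ignored and only the parent is tested against the SERP.
    parent = identity.get("parent_router")  # hypothetical field
    if parent is None:
        return advisor_common_routers(identity, service_attrs, routers, erps, serps)
    return {parent} & routers_allowed(service_attrs, routers, serps)

# Constructed sample data.
ROUTERS = {"er-parent": set(), "er-public": {"public"}}  # parent lacks #public
ERPS = [(["#all"], ["#all"])]      # ERP:  #all/#all
SERPS = [(["#all"], ["#public"])]  # SERP: #all/#public
TUNNELER = {"attrs": set(), "parent_router": "er-parent"}
ENDPOINT = {"attrs": set()}        # ordinary, non-router identity
SERVICE_ATTRS = set()

def report(identity):
    args = (identity, SERVICE_ATTRS, ROUTERS, ERPS, SERPS)
    return {"advisor_ok": bool(advisor_common_routers(*args)),
            "usable": sorted(usable_routers(*args))}

if __name__ == "__main__":
    print("tunneler:", report(TUNNELER))  # advisor passes, nothing usable
    print("endpoint:", report(ENDPOINT))  # advisor passes, er-public usable
```

For the tunneler identity the common-router check passes while the set of routers it can actually use is empty, which is the mismatch the policy advisor does not report.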