tailscale / github-action

A GitHub Action to connect your workflow to your Tailscale network.
BSD 3-Clause "New" or "Revised" License

tailscale up, but no connectivity #40

Closed markmartirosian closed 2 years ago

markmartirosian commented 2 years ago

ssh-ed into the runner, tailscale is up but it can't ping anything initially. After a few restarts or just plain waiting for about 10 min it starts working. I think it's correlated with trying to go through DERP, when it discovers(?) that it can do peer to peer it starts working.

tailscale ping 100.x.x.134
ping "100.x.x.134" timed out
ping "100.x.x.134" timed out

Every other device on the tailnet can ping each other.

BUG-9e9d4a3a74a7a31032c1f4f0fcc434fc9141cfd3abd1b3121ae62545424332cd-20220626090751Z-24b8257c56cb547

markmartirosian commented 2 years ago

I think I figured this out. This issue seems to be triggered by device authorization. When it is turned off it all works as expected, even though the auth key was pre-authorized.

justin-pierce commented 2 years ago

Think I'm running into the same issue -- github action worked great in the past, broke sometime between now and June 9th. Noticed the log for the tailscale step no longer says "success" even though it finishes marked as a success. Got it to work once by having it attempt to load a hosted site from a device on the tailscale network with an extra long timeout (finally completed curl after 57 seconds), but it wasn't a consistent fix.

> I think I figured this out. This issue seems to be triggered by device authorization. When it is turned off it all works as expected, even though the auth key was pre-authorized.

Yeah disabling manual auth (even though the key is marked as pre-authed) fixes it for me.

paulpet commented 2 years ago

> I think I figured this out. This issue seems to be triggered by device authorization. When it is turned off it all works as expected, even though the auth key was pre-authorized.

Thank you @markmartirosian this worked for me too as a work-around after I encountered the issue. Hopefully it gets resolved soon as I'd prefer not to have manual authorization disabled.

MrGrinst commented 2 years ago

I was seeing the same issue running the tailscale Docker image for Gitlab shared runners. The container looked connected and when I ran tailscale status from the container it showed the other devices on the tailnet, but pinging them would fail. Also running tailscale status from the other devices would not show the newly-connected container. The connection was showing up in the admin console though.

Disabling manual auth fixed it!

jwhited commented 2 years ago

Thanks for reporting, this was fixed in our coordination server. I've tested the github action and other nodes are now reachable in the tailnet.

andy-careplanner commented 2 years ago

@jwhited we have started experiencing this issue again, and the workaround of disabling device authorization discussed above still seems to work. We aren't using the github-action, we are using Tailscale with CircleCI, but the issue is otherwise identical. One of your customer engineers pointed us in the direction of this ticket as he thought it was the same issue.

DentonGentry commented 2 years ago

We fixed an issue a few hours ago which could result in these symptoms. Does the problem still happen?

andy-careplanner commented 2 years ago

@DentonGentry thanks for letting me know, it's working again.