Zerotierone: Weird routing problem, solved by killing ZT

Created on 18 Nov 2019 · 13 Comments · Source: zerotier/ZeroTierOne

I seem to get all the weird ZT problems ;)

I have a specific Windows 2012 R2 server that behaves oddly. After a couple of days or weeks running Zerotier just fine, its internet connection drops. It will not connect anywhere outside its local network (not directly, not via ZT) until I log in and kill zerotier-one_x64.exe.
Then everything works again and if I start ZT-one again I get a ZT connection and everything is fine until the next time.

It looks like it uses the ZT network as its default gateway somehow and once that happens it (obviously) cannot reach the ZT servers anymore and then everything is broken :(

Updating the server to 1.4.6 has not helped.

If you tell me what additional information might help to resolve or at least find the problem, please let me know. I'll try and gather that the next time it happens.

Windows bug

All 13 comments

I have a similar issue where my device, also running Windows Server 2012 R2, will stop responding to pings, RDP, or anything coming from outside of the LAN on its ZeroTier interface and other things until I kill the process then restart it.
Except, this happens after approximately 5 minutes of uptime...

Same issue.
No idea what happened, but starting last week, approx. 3 min after a W2012 server restart, connectivity through ZT stops working, both outbound and inbound.
Tried but didn't help:

  • restarting the ZT service or reinstalling
  • disabling FW

My conf:
SITE A:(192.168.195.10) - Windows 2012 Server Standard
SITE B:(192.168.195.97) Synology NAS
SITE C:(192.168.195.192) Windows 10
SITE D:(192.168.195.193) Windows 10
....
Connections between ZT sites work flawlessly except from and to SITE A.

Ping shows a strange IP address:
from SITE C:(192.168.195.192) to SITE A:(192.168.195.192)
Pinging 192.168.195.10 with 32 bytes of data:
Reply from 10.3.249.251: TTL expired in transit.

from SITE A:(192.168.195.10) to SITE B:(192.168.195.192)
Pinging 192.168.195.192 with 32 bytes of data:
Reply from 10.3.249.251: TTL expired in transit.

Do you recognize that 10.3.249.251 address, @MP-MPA?

No idea, not any from internal or external address

Is it possible for you to go into the chat? https://my.zerotier.com/community
Then we can look up your network.

@StrikerTwo @MP-MPA @CPSconcept

I'm going over our GitHub issues in preparation for our pending 1.6.0 release; that should hopefully take care of a few things. If you're still having this issue ATM, can you please check the following & let us know otherwise so we can try to catch it? Thanks!

  • https://zerotier.atlassian.net/wiki/spaces/SD/pages/521011201/Windows+Troubleshooting -> Walkthrough of common Windows issues.
  • https://www.reddit.com/r/zerotier/?f=flair_name%3A%22Gaming%22 -> A lot of gamers & Windows users have figured out some stuff.
  • https://discuss.zerotier.com/ -> Official Discuss forum

I guess this is related or even the same as #779, at least they are both gone since I blocked all ZT networks in local.conf.

I still think it should be a default behaviour for ZT to ignore its own interfaces for peer connections.
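
An added illustration of the workaround mentioned in the comment above (blocking the ZeroTier networks in local.conf); it is not code from this thread or from the ZeroTier project. The script derives `physical` blacklist entries from data shaped like `zerotier-cli -j listnetworks` output. The sample JSON, the network IDs and the second network are constructed; 192.168.195.0/24 is the subnet quoted earlier in the thread.

```python
import ipaddress
import json

# Constructed sample shaped like `zerotier-cli -j listnetworks` output
# (only the fields used here; network IDs are placeholders).
SAMPLE_NETWORKS = json.loads("""
[
  {"id": "0000000000000001",
   "assignedAddresses": ["192.168.195.10/24"],
   "routes": [{"target": "192.168.195.0/24", "via": null}]},
  {"id": "0000000000000002",
   "assignedAddresses": ["10.147.17.5/24", "fd00:1234::5/88"],
   "routes": [{"target": "0.0.0.0/0", "via": "10.147.17.1"}]}
]
""")


def zt_subnets(networks):
    """Collect every subnet that lives inside a ZeroTier network."""
    nets = set()
    for nw in networks:
        for addr in nw.get("assignedAddresses", []):
            # strict=False turns a host address such as .10/24 into its subnet
            nets.add(ipaddress.ip_network(addr, strict=False))
        for route in nw.get("routes", []):
            target = ipaddress.ip_network(route["target"], strict=False)
            # Skip default routes: blacklisting 0.0.0.0/0 would block
            # every physical path, not just the ZeroTier ones.
            if target.prefixlen > 0:
                nets.add(target)
    return sorted(nets, key=lambda n: (n.version, n))


def blacklist_in_local_conf(local_conf, networks):
    """Return a copy of local_conf with ZT subnets blacklisted as physical paths."""
    conf = json.loads(json.dumps(local_conf))  # deep copy, keeps other settings
    physical = conf.setdefault("physical", {})
    for net in zt_subnets(networks):
        # Merge into an existing entry instead of overwriting it
        physical.setdefault(str(net), {})["blacklist"] = True
    return conf


if __name__ == "__main__":
    existing = {"settings": {"primaryPort": 9993}}
    print(json.dumps(blacklist_in_local_conf(existing, SAMPLE_NETWORKS), indent=2))
```

The printed JSON is what would go into local.conf in the ZeroTier home directory; the service has to be restarted to pick it up.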

I appreciate your input, but the only thing even remotely relevant in that link is https://support.microsoft.com/en-us/help/2955808/a-vpn-connection-through-a-third-party-vpn-server-disconnects-after-an and that is strictly an IPsec problem.

No. This is ZeroTier sending ZeroTier packets over a ZeroTier connection in order to reach ZeroTier peers - which can and will never work. I don't see what Windows could do about it. And I don't see why this should be so difficult to avoid, either.

(There MIGHT be remote use cases where you have layered ZT connections and need to connect to ZT peers of another ZT network over a separate ZT tunnel. Fine. Make it an option, just not the default.)

Okay, I mixed up two issues here, but I think #779 is the root cause and I got confused by the symptoms, so I created this issue here as well.

Issue persists on Windows Server 2012 Standard acting as PDC:
After a reboot/fresh start the IP assigned to the ZeroTier NIC is pingable from outside. Other IPs in the ZeroTier network are reachable from this server too - up to several days, till the first user logs on and opens File Explorer.
From that moment the ZeroTier IP of the server is inaccessible from outside and other IPs in the ZeroTier network are unreachable from the server side.
ZeroTierOneService is running the whole time, and the ZeroTier IP is pingable from the server itself. Restart of ZeroTierOneService didn't help.

Thanks, @StrikerTwo @MP-MPA for the feedback. I let the rest of the team know. Will report back anything of note, else push for 1.6 continues (days/weeks on that).

https://discuss.zerotier.com/t/asymmetric-routing-problem-with-site-to-site/176 Hey, this landed on our discussion board today. Might be of interest?
