
Error during authorize-session against a host in dynamic host set

Open japneet-sahni opened this issue 1 year ago • 1 comments

Describe the bug

Getting error from controller when performing authorize-session action against given target

To Reproduce

Steps to reproduce the behavior:

  1. Create a couple of Azure machines with a tag (has a public IP address).

  2. Created a dynamic catalog in Boundary with provider as Azure

  3. Created a dynamic host set plugin using filter: tagName eq 'tier' and tagValue eq 'app-server'

  4. The hosts in the host set are populated correctly

  5. Created a target with host-source as dynamic host-set.

  6. But when I try to connect to this target, I get the below error:

boundary connect ssh -target-id=ttcp_zEm6TWgBtq
Error from controller when performing authorize-session action against given target

Error information:
  Kind:                FailedPrecondition
  Message:             No egress workers can handle this session, as they have all been filtered out.
  Status:              400
  context:             Error from controller when performing authorize-session action against given target

Expected behavior

The target should be connected. If I create a target with a static host set using the same host, it works fine.

Additional context

Somehow, I feel that the Boundary worker is trying to connect to the private IP address of the host instead of the public IP address. I understand that this can be solved using egress/ingress workers when there are required network configurations between worker, target, and clients. But for demo purposes, this should work without any errors. Unfortunately, even the tutorials don't cover the connection part.

image

I am using HCP Boundary

japneet-sahni, Apr 22 '24 02:04

Hi @japneet-sahni, the dynamic host catalog returns 2 IP addresses (as you can see in your screenshot) and what is most likely happening is that the HCP worker is attempting to use the private IP and it does not have access to it. With self-managed workers running on the same network this won't be an issue.

To resolve this and to use HCP managed workers, you need to enter a preferred endpoint with a subnet mask of the public address (example screenshot below).

image

If this still doesn't fix your issue, please log a support ticket and one of our support engineers should be able to walk you through this.

anando-chatterjee, May 13 '24 19:05
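
The address selection described in the reply above, as an added example that is not part of the original thread and is not Boundary's own code: a simplified model of how an ordered preferred-endpoint list in Boundary's `cidr:<network>` / `dns:<glob>` format picks one of the addresses a dynamic host reports. The host addresses are constructed documentation values, and the fallback to the first reported address when nothing matches is an assumption made to reproduce the symptom in the issue.

```python
import ipaddress
from fnmatch import fnmatch


def _as_ip(value):
    """Return an ip_address object, or None when value is a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _matches(address, preference):
    """Check one host address against one 'cidr:<net>' or 'dns:<glob>' entry."""
    kind, _, pattern = preference.partition(":")
    ip = _as_ip(address)
    if kind == "cidr":
        # A /32 (or /128) pins the choice to exactly one address.
        return ip is not None and ip in ipaddress.ip_network(pattern, strict=False)
    if kind == "dns":
        return ip is None and fnmatch(address.lower(), pattern.lower())
    raise ValueError(f"unsupported preferred endpoint: {preference!r}")


def pick_endpoint(addresses, preferred_endpoints):
    """Walk the preferences in order; the first address that matches wins."""
    for preference in preferred_endpoints:
        for address in addresses:
            if _matches(address, preference):
                return address
    # Assumption: with no match, use the first address the catalog reported.
    return addresses[0] if addresses else None


# Constructed sample: one Azure host as a dynamic catalog might report it.
HOST_ADDRESSES = ["10.0.0.4", "203.0.113.10"]  # private NIC, public IP

if __name__ == "__main__":
    # No preference: the private address is chosen, which a managed worker
    # outside the virtual network cannot reach.
    print(pick_endpoint(HOST_ADDRESSES, []))
    # Preference for the public address: the reachable endpoint is chosen.
    print(pick_endpoint(HOST_ADDRESSES, ["cidr:203.0.113.10/32"]))
```

A narrow CIDR such as a /32 keeps the host set from ever resolving to an unintended interface; a broad range can match an address you did not mean to expose sessions on.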