Multi-router setup dropping circuits under load (original) (raw)

October 24, 2025, 4:11pm 4

Let's look at each side individually:

Server
If you have a router running on the server already and you don't need any ZET specific features, then we generally recommend using the tunneler functionality built into the router. It simplifies the deployment architecture and usually providers better performance as well. Usually servers are only hosting services, so you don't need use tproxy on the server.

Steps to enable:

  1. Ensure the router is configured as tunneler enabled in the model: ziti edge update edge-router <edge router name or id> -t
  2. Ensure the tunnel binding is enabled in the router configuration:
listeners:
  - binding: tunnel
    options:
      mode: host
  1. Routers which are tunneler enable have an associated identity. If you give that identity the same role attributes as you have for the ZET identity, it should start hosting the services.

You can check that it's working by checking the terminators for the services in question. They should have a terminator on that router with a binding of tunnel.

ziti fabric list terminators

Client
We generally don't recommend running the edge router/tunneler (ER/T) combo on clients, unless it's acting as a gateway/proxy for other systems, in which cases it's more of a server than an end client.

What I was hoping you'd try is the Go tunneler. The ZET uses the C sdk and is our recommended tunneler. We do have a second tunneler, which is Go based and works only on linux using tproxy. It's what the ER/T uses as its tunneling component, since the router is also Go based.

Currently the Go tunneler has a couple of features that are still under development in the C sdk, namely SDK based flow-control and a separated control channels. If the Go tunneler doesn't show the same issues, that will put some additional pressure on getting those features into the C sdk.

The Go tunneler is CLI only and is run using the ziti command.

ziti tunnel tproxy -i <path to identity json file>

Alternatively you could try and run the router in proxy mode to see if that resolves the issue. That would also help narrow down the problem space.

If the problem still happens when the ZET is removed from data path, then my hypothesis is incorrect and we'll need to dig further.

Let me know if that clarifies things.
Paul