Cloudflared.exe rdp

Hi

We are using cloudflared as an Argo Tunnel in bastion mode to access some PCs internally for specific purposes.

Suddenly we can experience dropouts in the tunnel:

{"level":"info","connIndex":1,"time":"2021-12-10T01:42:39Z","message":"Lost connection with the edge"}
{"level":"info","connIndex":1,"time":"2021-12-10T01:42:39Z","message":"Unregistered tunnel connection"}
{"level":"error","connIndex":1,"error":"connection with edge closed","time":"2021-12-10T01:42:39Z","message":"Serve tunnel error"}

And we get a reconnection to the RDP session at a random interval of 7-10 seconds, which is kind of very annoying.

Is there a way to stabilize this? We are running both a legacy tunnel and a named tunnel - the issue remains the same. Is this not built for RDP sessions?

Would a connectTimeout setting help?

Hello sir,

Is that placed under the ingress or just high above?

Since the documentation is heavily lacking, I'm not even sure we've done it correctly - but I really like it, so we want to get it stable.

Our config looks like this:
tunnel: 9c4137bf-3537-408e-9906-65fa1c621631
credentials-file: C:/cloudflare/9c4137bf-3537-408e-9906-65fa1c621631.json
logfile: C:/cloudflare/logs/tunnel.log

ingress:
  - hostname: url
    service: bastion
  - service: http_status:404

It’s under Ingress. In your example, it would go right under the service: bastion line.

Hello

Tried that, and implemented the other timeout limit as well - it still gives me a short interruption, like the tunnel reboots … and I still can't seem to figure it out or enable deeper logging.

I like the idea of cloudflared.*, but it seems awfully documented for a potential like this.

tunnel: 9c4137bf-3537-408e-9906-65fa1c621631
credentials-file: C:/cloudflare/9c4137bf-3537-408e-9906-65fa1c621631.json
logfile: C:/cloudflare/logs/tunnel.log
originRequest: # Root-level configuration
  connectTimeout: 1m
  keepAliveTimeout: 8h
  tlsTimeout: 45s

ingress:
  - hostname: urk
    service: bastion
    originRequest: # Rule-level configuration
      connectTimeout: 1h
      keepAliveTimeout: 8h
      tlsTimeout: 2m
  - service: http_status:404

I know it's potentially double, but I'm just trying some more aggressive configs.

Hello

Managed to get the debug working.

But the logs don't really make sense to anyone outside Cloudflare, I think:

{"level":"debug","time":"2021-12-14T06:11:07Z","message":"origin to tunnel copy: read tcp 172.20.230.152:63145->172.20.230.161:3389: use of closed network connection"}
{"level":"debug","time":"2021-12-14T06:11:07Z","message":"tunnel to origin copy: readfrom tcp 172.20.230.152:63145->172.20.230.161:3389: stream error: stream ID 13; CANCEL"}
{"level":"debug","time":"2021-12-14T06:11:07Z","message":"CF-RAY: 6bd545e5d8c51d06-CPH GET / HTTP/2.0"}
{"level":"debug","time":"2021-12-14T06:11:07Z","message":"CF-RAY: 6bd545e5d8c51d06-CPH Request Content length unknown"}

{"level":"debug","time":"2021-12-14T06:31:49Z","message":"origin to tunnel copy: short write"}
{"level":"debug","error":"short write","time":"2021-12-14T06:31:49Z","message":"failed to write ping message"}
{"level":"debug","time":"2021-12-14T06:31:49Z","message":"tunnel to origin copy: readfrom tcp 172.20.230.152:63146->172.20.230.161:3389: stream error: stream ID 15; NO_ERROR"}
{"level":"debug","time":"2021-12-14T06:32:00Z","message":"CF-RAY: 6bd564798a63d895-CPH GET / HTTP/2.0"}
{"level":"debug","time":"2021-12-14T06:32:00Z","message":"CF-RAY: 6bd564798a63d895-CPH Request Content length unknown"}
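
cloudflared's debug-level "Inbound request" entries record the request headers, and behind Cloudflare Access those include Cf-Access-Jwt-Assertion, Cf-Access-Token and Cf-Access-Authenticated-User-Email. The following is an added example, not part of the original thread or of cloudflared itself, that strips those values from a log before it is shared; the header list, the placeholder strings and the sample lines are assumptions constructed for illustration.

```python
import json
import re

# Assumption: headers treated as sensitive (credentials or user identity).
SENSITIVE = ("Cf-Access-Jwt-Assertion", "Cf-Access-Token",
             "Cf-Access-Authenticated-User-Email")

# The "Header" field is a Go map dump: "map[Name:[value] Name:[value] ...]".
_HEADER_RE = re.compile(r"\b(%s):\[[^\]]*\]" % "|".join(map(re.escape, SENSITIVE)))
# Safety net: anything shaped like a compact JWT (three base64url segments).
_JWT_RE = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")


def _scrub(text):
    """Blank sensitive header values, then any JWT-shaped string left over."""
    text = _HEADER_RE.sub(lambda m: m.group(1) + ":[REDACTED]", text)
    return _JWT_RE.sub("REDACTED-JWT", text)


def redact_line(line):
    """Return one log line with Access credentials removed."""
    try:
        entry = json.loads(line)
    except ValueError:
        # Not valid JSON (for example quotes mangled by a forum): scrub raw text.
        return _scrub(line)
    if not isinstance(entry, dict):
        return _scrub(line)
    clean = {k: _scrub(v) if isinstance(v, str) else v for k, v in entry.items()}
    return json.dumps(clean)


def redact_log(text):
    """Redact every line of a cloudflared log file's contents."""
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample lines; the token is a made-up string, not a real JWT.
FAKE = "eyJmYWtl.eyJmYWtl.ZmFrZQ"
SAMPLE = "\n".join([
    '{"level":"info","connIndex":1,"message":"Lost connection with the edge"}',
    '{"level":"debug","Header":"map[Cf-Access-Jwt-Assertion:[%s] '
    'Cf-Access-Token:[%s] Cf-Ipcountry:[DK]]","message":"Inbound request"}'
    % (FAKE, FAKE),
])

if __name__ == "__main__":
    print(redact_log(SAMPLE))
```

Any token that has already appeared in a shared log stays usable until it expires, so redaction is for future posts; tokens already posted need to be revoked.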

Look, I wish you all the best. We’ve had this exact issue across multiple customers for over 3 months. CF ask for logs, try this, try that… then months without a response. We poke the ticket again, they ask for logs, try this, try that, and the story continues. Their last communication with us was over 1 month ago, and we’re a paying customer!

Good product, when it works…

Hopefully you have better luck than we do. I’ll be keeping an eye on the outcome of this ticket.

Hello sir,

Well, we tried 3 different setups on 3 different OSes (Linux/Windows) with the exact same result, which is kind of sad because this product really fills a gap, but if this doesn't work … we might as well just go back to an ordinary VPN.

Did you manage to solve this? Or is it still ongoing?

Still ongoing. Just implemented it at another customer in the hope that the issue was site-specific, but it still happens, so not site-specific.

So you guys are utilizing it the same way, in bastion mode? I've managed, by using Linux, to get the drops down a lot, but we're still at a point where our developers can't use it… and we don't want to add another firewall to the site :frowning: … Even SSH does the same. I've been running logs in debug mode, which gives me a load of horse only CF personnel can use, I guess… We have considered upgrading the package, but CF personnel keep pushing for an enterprise upgrade… ^^

Yes both in bastion and non-bastion. Issue only occurred when transitioning to named tunnels. We still have a few older non-named tunnels that work perfectly… Should not have upgraded.

We are not an enterprise customer but we do pay for CF Teams. I may be a little sour, but getting a little tired of large publicly listed enterprises worth so much $$$ delivering great products yet failing on basic support.

Hi

Which plan are you buying to get the support? I've been asking various people, because I haven't been able to get an answer :frowning:

We see it a bit on the legacy tunnel and also on the named tunnel with the config given above - do you mind sharing your config? Or sending it to me (if possible here?)

I believe @SamRhea is pretty good with Cloudflared and might have some ideas.

Honestly speaking, unless you are an enterprise customer, it’s rather hard to get help or support from Cloudflare.
When I had some issues with Teams, it took a while until we got it solved; however, the live chat helped me connect the dots to pinpoint the problems we were facing.
If you can afford it, I’d try to upgrade your account, connect with live chat and see if that helps. You can downgrade your account once the problems are solved; that’s what I did.

@ddicello @user13958 Post your ticket # to escalate it; that should help get some faster responses.

Yeah, we have chat support and have gone down that route.

@user13958 we’re on the Standard plan. Had to get a member from the computer to assist in enabling chat support, as apparently, although it’s included, you need to poke CF to get it enabled.

Zero Trust Services Plans & Pricing | Cloudflare

Our config is simple; we haven’t tried any timeout settings etc., so will be doing that.

Hello sir,

You should. To be honest, the best result so far has been from moving it to a Linux node.

Getting WAY more stable than ever.