Cannot install ZTNA connector successfully in docker environment

Article ID: 280500

Updated On:

Products

Symantec ZTNA

Issue/Introduction

A ZTNA administrator is trying to install a new ZTNA connector in a locked-down lab.

The ZTNA connector is being installed on a Linux host.

Firewall rules in the connector environment were set up as per the ZTNA Cloud Connector: Required Ports, Addresses, and Services document.

After creating the connector in the ZTNA Portal and executing the generated install command with appropriate parameters on the Linux host, the connector failed to install with the following message reported:

"docker: error pulling image configuration: download failed after attempts=6: read tcp:#.#.#.#:xxxxx -> #.#.#.#:443: connection reset by peer."

Looking at the ZTNA docker logs at install time, we clearly see the connector trying and failing to connect to docker sites, as shown below:

WARN[0001] Failed, retrying in 1s ... (1/3). Error: parsing image configuration: Get "https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/60/XXXXXXXXX/data?verify=YYYYYYY": read tcp #.#.#.#:58322->#.#.#.#:443: read: connection reset by peer

Environment

ZTNA Connector installed into locked down environment with minimal access.


Cause

Firewall rules were not allowing the download of docker images: the connector host could not complete HTTPS sessions to the Docker registry and its CDN.

Resolution

Added an allow rule to access production.cloudflare.docker.com from this Linux host.

Although the ZTNA firewall document above outlines the TCP ports needed, it does not list the docker sites that must be reachable for the image download to succeed.

According to the Docker allow-list documentation (https://docs.docker.com/desktop/allow-list/), the following addresses are required for docker pulls, and allow rules for them were also added:

  • https://hub.docker.com
  • https://registry-1.docker.io
  • https://production.cloudflare.docker.com
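A pre-flight check that exercises the allow-list above from the connector host before running the install command, as an added example that is not part of the original article. It distinguishes a completed HTTPS exchange (any HTTP status, including the 401 that registry-1.docker.io returns without a token) from a connection reset, which points at an inline device such as the firewall in this case, and from a timeout, which points at a silent drop. The request paths and the "any HTTP status means reachable" rule are assumptions of this check; `simulated_opener` is a constructed stand-in for `urlopen` so the logic can be run offline.

```python
import socket
import urllib.error
import urllib.request

# Endpoints the Docker allow-list documentation names for image pulls.
# The exact paths are assumptions for this check: /v2/ on registry-1 answers
# 401 without a token, and any HTTP status at all proves the HTTPS path is open.
DOCKER_PULL_ENDPOINTS = [
    "https://hub.docker.com/",
    "https://registry-1.docker.io/v2/",
    "https://production.cloudflare.docker.com/",
]


def classify(url, opener=urllib.request.urlopen, timeout=10):
    """Return (status, detail) for one HTTPS endpoint.

    ok      - a full TLS/HTTP exchange completed (any HTTP status counts)
    reset   - TCP RST mid-connection, the signature of an inline device
              blocking the flow, as this article's PCAPs showed
    timeout - silent drop, typical of a deny rule that does not reject
    error   - DNS failure, TLS failure or anything else
    """
    try:
        with opener(url, timeout=timeout) as resp:
            return "ok", "HTTP %s" % resp.status
    except urllib.error.HTTPError as e:          # must precede URLError
        return "ok", "HTTP %s" % e.code
    except ConnectionResetError as e:            # reset while reading the response
        return "reset", str(e)
    except (TimeoutError, socket.timeout) as e:
        return "timeout", str(e)
    except urllib.error.URLError as e:           # connect-phase errors are wrapped
        reason = e.reason
        if isinstance(reason, ConnectionResetError):
            return "reset", str(reason)
        if isinstance(reason, (TimeoutError, socket.timeout)):
            return "timeout", str(reason)
        return "error", str(reason)


def preflight(urls=DOCKER_PULL_ENDPOINTS, opener=urllib.request.urlopen):
    """Check every endpoint and return {url: (status, detail)}."""
    return {url: classify(url, opener) for url in urls}


def simulated_opener(url, timeout=10):
    """Constructed stand-in for urlopen so the check can be exercised offline.
    It replays the failure pattern from this article: a reset on the CDN host."""
    if "registry-1.docker.io" in url:
        raise urllib.error.HTTPError(url, 401, "Unauthorized", {}, None)
    if "production.cloudflare.docker.com" in url:
        raise urllib.error.URLError(ConnectionResetError(104, "Connection reset by peer"))
    raise socket.timeout("timed out")


if __name__ == "__main__":
    # Run against the real endpoints from the connector host.
    for url, (status, detail) in preflight().items():
        print("%-8s %s (%s)" % (status, url, detail))
```

Run it on the connector host before the install: a `reset` result on one of the three hosts is the same symptom the installer reported and is worth a PCAP, whereas a `timeout` on all three usually means plain egress on TCP 443 is missing, not a host-specific rule.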

Additional Information

PCAPs showed that an intermediate device (the firewall) was resetting the TCP connections during the connector install.

Every session to production.cloudflare.docker.com has its connection reset, as the capture showed. The TTL in the IP header of the RST is 62, whereas the TTL in the IP header of packet 142 (the original handshake packet from cloudflare to the connector) is 54. A packet genuinely sent by the cloudflare end of the session arrives with the same TTL every time; a different TTL means a different hop count, so a different, closer host is generating the reset.

Looking at the firewall logs confirmed that the device was resetting the connection.
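The TTL comparison described above can be automated over a capture. The following is an added example, not code from the article: it reads packets in a simplified, one-line-per-packet tcpdump-like form (the sample lines are constructed, using documentation address ranges, and are not the article's capture), records the TTL each peer used in its first non-RST packet of a flow, and flags any RST from that peer whose TTL differs. For a real capture you would feed it the equivalent fields exported from tshark or tcpdump; the line format here is an assumption of this example.

```python
import re

# Constructed sample, one packet per line in a simplified tcpdump-like form.
# 10.0.0.5 is the connector host; 198.51.100.10 stands in for the registry CDN.
# Line 6 models the article's finding: an RST with TTL 62 on a flow whose
# genuine CDN packets arrive with TTL 54. Lines 7-9 are a clean flow for contrast.
SAMPLE_LINES = """\
IP (ttl 64) 10.0.0.5.58322 > 198.51.100.10.443: Flags [S]
IP (ttl 54) 198.51.100.10.443 > 10.0.0.5.58322: Flags [S.]
IP (ttl 64) 10.0.0.5.58322 > 198.51.100.10.443: Flags [.]
IP (ttl 64) 10.0.0.5.58322 > 198.51.100.10.443: Flags [P.]
IP (ttl 54) 198.51.100.10.443 > 10.0.0.5.58322: Flags [.]
IP (ttl 62) 198.51.100.10.443 > 10.0.0.5.58322: Flags [R.]
IP (ttl 64) 10.0.0.5.58323 > 198.51.100.10.443: Flags [S]
IP (ttl 54) 198.51.100.10.443 > 10.0.0.5.58323: Flags [S.]
IP (ttl 54) 198.51.100.10.443 > 10.0.0.5.58323: Flags [F.]
"""

LINE_RE = re.compile(
    r"IP \(ttl (?P<ttl>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Turn the sample lines into packet dicts; 'no' is the 1-based line number."""
    pkts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            pkts.append({
                "no": n, "ttl": int(d["ttl"]),
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]),
                "flags": d["flags"],
            })
    return pkts


def find_spoofed_resets(pkts):
    """Flag RSTs whose IP TTL differs from the TTL the same peer used earlier
    in the same flow. A different TTL means a different hop count, i.e. the
    RST was most likely injected by an intermediate device, not the peer."""
    baseline = {}   # (flow, sender ip) -> TTL of the sender's first non-RST packet
    findings = []
    for p in pkts:
        flow = frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
        key = (flow, p["src"])
        if "R" in p["flags"]:
            seen = baseline.get(key)
            if seen is not None and seen != p["ttl"]:
                findings.append({
                    "no": p["no"], "peer": p["src"],
                    "rst_ttl": p["ttl"], "expected_ttl": seen,
                })
        else:
            baseline.setdefault(key, p["ttl"])
    return findings


if __name__ == "__main__":
    for f in find_spoofed_resets(parse(SAMPLE_LINES)):
        print("packet %(no)d: RST from %(peer)s has TTL %(rst_ttl)d, "
              "earlier packets from this peer had TTL %(expected_ttl)d" % f)
```

Treat a hit as a lead, not proof: anycast or a route change can legitimately shift the TTL mid-flow, and an inline device that rewrites TTLs would evade the check. In this case the firewall logs confirmed what the TTL mismatch suggested.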