Leaf cluster in status offline #52961

Anastasia-kolp · 2025-03-11T13:27:01Z

Anastasia-kolp
Mar 11, 2025

I have two clusters: root and leaf, a both version 16.3.0. I want to test trusted clusters, but when I try to connect leaf cluster to root, I have leaf cluster in status offline.

$ tsh clusters
Cluster Name          Status  Cluster Type Labels Selected 
--------------------- ------- ------------ ------ -------- 
teleport-cluster      online  root                *        
teleport-cluster-leaf offline leaf

And in logs of proxy in leaf cluster I have this errors:

2025-03-11T12:21:20Z INFO  ALPN connection upgrade test failed. address:<ip-address root>:3024 error:[
ERROR REPORT:
Original Error: errors.errorString EOF
Stack Trace:
    github.com/gravitational/teleport/[email protected]/utils/tlsutils/tlsutils.go:81 github.com/gravitational/teleport/api/utils/tlsutils.TLSDial
    github.com/gravitational/teleport/[email protected]/client/alpn_conn_upgrade.go:73 github.com/gravitational/teleport/api/client.IsALPNConnUpgradeRequired
    github.com/gravitational/teleport/lib/reversetunnel/agentpool.go:770 github.com/gravitational/teleport/lib/reversetunnel.(agentPoolRuntimeConfig).updateRemote
    github.com/gravitational/teleport/lib/reversetunnel/agentpool.go:445 github.com/gravitational/teleport/lib/reversetunnel.(AgentPool).newAgent
    github.com/gravitational/teleport/lib/reversetunnel/agentpool.go:316 github.com/gravitational/teleport/lib/reversetunnel.(AgentPool).connectAgent
    github.com/gravitational/teleport/lib/reversetunnel/agentpool.go:270 github.com/gravitational/teleport/lib/reversetunnel.(AgentPool).run
    github.com/gravitational/teleport/lib/reversetunnel/agentpool.go:257 github.com/gravitational/teleport/lib/reversetunnel.(AgentPool).Start.func1
    runtime/asm_amd64.s:1695 runtime.goexit
User Message: EOF] client/alpn_conn_upgrade.go:88

Config of root/leaf auth service:

teleport:
  nodename: teleport-auth
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: yes
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport-cluster
  proxy_listener_mode: multiplex
proxy_service:
  enabled: no
ssh_service:
  enabled: no

teleport:
  nodename: teleport-auth
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: yes
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport-cluster-leaf
  proxy_listener_mode: multiplex
proxy_service:
  enabled: no
ssh_service:
  enabled: no

Config of root/leaf proxy service:

version: v3
teleport:
  nodename: teleport-proxy
  data_dir: /var/lib/teleport
  auth_server: :3025
  auth_token: "super-secret-token"
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: no
proxy_service:
  enabled: yes
  web_listen_addr: 0.0.0.0:443
  tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
  enabled: no

version: v3
teleport:
  nodename: teleport-proxy
  data_dir: /var/lib/teleport
  auth_server: :3025
  auth_token: "super-secret-token"
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: no
proxy_service:
  enabled: yes
  web_listen_addr: 0.0.0.0:443
  tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
  enabled: no

In Web UI I have this errors:

Answered by webvictim

Mar 11, 2025

You shouldn't need to set tunnel_listen_addr in either your root or leaf's proxy service configs. Try removing that.

You should also set a public address for your cluster - it will need to be a DNS name (with an A record pointing to your root cluster's IP address):

version: v3
teleport:
  nodename: teleport-proxy
  data_dir: /var/lib/teleport
  auth_server: :3025
  auth_token: "super-secret-token"
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: no
proxy_service:
  enabled: yes
  web_listen_addr: 0.0.0.0:443
+ public_addr: teleport.example.com:443
- tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
  enabled: no

You will also need a valid TLS certificate for teleport.exam…

View full answer

Anastasia-kolp · 2025-03-11T13:46:55Z

Anastasia-kolp
Mar 11, 2025
Author

Also config of trusted_cluster:

kind: trusted_cluster
metadata:
  name: teleport-cluster
  revision: 0bf2c449-79af-4458-9de4-5fa191d4e91d
spec:
  enabled: true
  role_map:
  - local:
    - access
    remote: auditor
  token: super-secret-token
  tunnel_addr: <ip-address root>:443
  web_proxy_addr: <ip-address root>:443
version: v2

0 replies

webvictim · 2025-03-11T20:34:33Z

webvictim
Mar 11, 2025
Collaborator

You shouldn't need to set tunnel_listen_addr in either your root or leaf's proxy service configs. Try removing that.

You should also set a public address for your cluster - it will need to be a DNS name (with an A record pointing to your root cluster's IP address):

version: v3
teleport:
  nodename: teleport-proxy
  data_dir: /var/lib/teleport
  auth_server: :3025
  auth_token: "super-secret-token"
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: no
proxy_service:
  enabled: yes
  web_listen_addr: 0.0.0.0:443
+ public_addr: teleport.example.com:443
- tunnel_listen_addr: 0.0.0.0:3024
ssh_service:
  enabled: no

You will also need a valid TLS certificate for teleport.example.com (or whatever public address you actually use) configured on the root cluster.

Once this is all set, restart Teleport on your root cluster.

Then, delete the trusted cluster config from your leaf cluster (either via tctl rm tc/teleport-cluster, or the "Manage Clusters" section of web UI) and re-add it again with the same configuration as you currently have.

1 reply

Anastasia-kolp Mar 12, 2025
Author

Thanks! It's working for me

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Leaf cluster in status offline #52961

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Leaf cluster in status offline #52961

Anastasia-kolp Mar 11, 2025

Replies: 2 comments · 1 reply

Anastasia-kolp Mar 11, 2025 Author

webvictim Mar 11, 2025 Collaborator

Anastasia-kolp Mar 12, 2025 Author

Anastasia-kolp
Mar 11, 2025

Replies: 2 comments 1 reply

Anastasia-kolp
Mar 11, 2025
Author

webvictim
Mar 11, 2025
Collaborator

Anastasia-kolp Mar 12, 2025
Author