Agent Tunnel: installer reports success on enrollment, not on tunnel connectivity#1835
Conversation
Let maintainers know that an action is required on their side
|
The MSI EnrollAgentTunnel step reported success once enrollment (HTTPS, 7171) completed, even when the QUIC data tunnel (UDP, 4433) could not be established, leaving the agent silently offline. The installer now runs `devolutions-agent probe-tunnel`, which opens the mTLS/QUIC tunnel and performs a Heartbeat round-trip, and fails the step with an actionable message when connectivity can't be established.
1 participant
Split out of #1831 (draft tracker — the
TODO(agent-tunnel)marker is placed at the exact code site; not fixed yet).Installer reports success on enrollment, not on tunnel connectivity
Symptom: MSI install shows the Agent Tunnel step as success, but the agent never appears online in the Gateway / DVLS agent list.
Root cause:
EnrollAgentTunnelrunsdevolutions-agent up→enroll_agent()(devolutions-agent/src/enrollment.rs). Its success criteria is only:POST https://<gw>:7171/jet/tunnel/enroll(HTTPS management port) returns 2xx and issues the client cert, andTunnelsection are persisted toagent.json.The actual data path — the QUIC tunnel over UDP (
quic_endpoint, 4433) — is established later by the agent service (devolutions_agent::tunnel, with auto-reconnect) and is never probed at install time. Enrollment uses 7171; the tunnel uses 4433. So when 4433 is blocked (e.g. firewall) the install is green while the agent silently fails to connect.Reproduced: Gateway host firewall had no inbound
UDP 4433rule → agent log:Tunnel connection lost error=QUIC handshake: timed out→ agent absent fromGET /jet/tunnel/agents, yet the installer said success.Suggested fix: after
enroll_agent, do a short QUIC connectivity probe toenroll_response.quic_endpointand surface a clear warning/failure when it can't connect (so admins get actionable feedback at install time).TODO(agent-tunnel)marker inenrollment.rs.