Error fetching connection to send session teardown request to worker: Session credentials were not accepted, or session

Hi there,

I am always getting this error in boundary.

boundary connect ssh -target-id $TARGET_ID
Session credentials were not accepted, or session is unauthorized
kex_exchange_identification: read: Connection reset by peer
error fetching connection to send session teardown request to worker: Session credentials were not accepted, or session is unauthorized

I’m running the Boundary server in non-dev mode with systemd in the cloud, and I’m running the Boundary client on my laptop to run the CLI commands.

I can confirm that ports 9202, 9201 and 9200 are running and listening on the server public IP.

I can authenticate with the controller successfully. However, I can’t connect to targets.

boundary targets read -id $TARGET_ID

Target information:
  Created Time:               Mon, 23 May 2022 15:28:01 +01
  Description:                Provides an initial target in Boundary
  ID:                         ttcp_ZNW6aFHixz
  Name:                       Generated target
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Type:                       tcp
  Updated Time:               Mon, 23 May 2022 15:28:01 +01
  Version:                    2

  Scope:
    ID:                       p_gawL69Aqxm
    Name:                     Generated project scope
    Parent Scope ID:          o_N7UlEgvpj6
    Type:                     project

  Authorized Actions:
    no-op
    read
    update
    delete
    add-host-sets
    set-host-sets
    remove-host-sets
    add-host-sources
    set-host-sources
    remove-host-sources
    add-credential-libraries
    set-credential-libraries
    remove-credential-libraries
    add-credential-sources
    set-credential-sources
    remove-credential-sources
    authorize-session

  Host Sources:
    Host Catalog ID:          hcst_3pisgUSp7P
    ID:                       hsst_fP5LfqN3Aa

  Attributes:
    Default Port:             22

My controller hcl:

# Controller configuration block
controller {
  # This name attr must be unique!
  name = "demo-controller-1"
  # Description of this controller
  description = "A controller for a demo!"
  database {
    url = "postgresql://boundary:boundary@127.0.0.1:5432/boundary"
  }
}

# API listener configuration block
listener "tcp" {
  # Should be the address of the NIC that the controller server will be reached on
  address = "Public_IP"
  # The purpose of this listener block
  purpose = "api"
  tls_cert_file = "/etc/boundary/cert.pem"
  tls_key_file = "/etc/boundary/key.pem"
}

# Data-plane listener configuration block (used for worker coordination)
listener "tcp" {
  # Should be the IP of the NIC that the worker will connect on
  address = "Public_IP"
  # The purpose of this listener
  purpose = "cluster"
}

# Root KMS configuration block: this is the root key for Boundary
# Use a production KMS such as AWS KMS in production installs
kms "aead" {
    purpose = "root"
    aead_type = "aes-gcm"
    key = "sP1fnF5Xz85RrXyELHFeZg9Ad2qt4Z4bgNHVGtD6ung="
    key_id = "global_root"
}

# Worker authorization KMS
# Use a production KMS such as AWS KMS for production installs
# This key is the same key used in the worker configuration
kms "aead" {
    purpose = "worker-auth"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_worker-auth"
}

# Recovery KMS block: configures the recovery key for Boundary
# Use a production KMS such as AWS KMS for production installs
kms "aead" {
    purpose = "recovery"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_recovery"
}


My worker hcl:

listener "tcp" {
    purpose = "proxy"
    address = "Public_IP"
}

worker {
    # Name attr must be unique
    name = "demo-worker-1"
    description = "A default worker created demonstration"
    public_addr = "Public_IP"
    controllers = [
        "Public_IP"
    ]
}

# must be same key as used on controller config
kms "aead" {
    purpose = "worker-auth"
    aead_type = "aes-gcm"
    key = "8fZBjCUfN0TzjEGLQldGY4+iE9AkOvCfjh7+p0GtRBQ="
    key_id = "global_worker-auth"
}

Systemd status:

sudo systemctl status boundary-controller.service 
[sudo] password for wdahhane: 
● boundary-controller.service - boundary controller
     Loaded: loaded (/etc/systemd/system/boundary-controller.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-05-23 14:45:05 UTC; 1h 38min ago
   Main PID: 7463 (boundary)
      Tasks: 23 (limit: 2274)
     Memory: 332.7M
     CGroup: /system.slice/boundary-controller.service
             ├─7463 /usr/bin/boundary server -config /etc/boundary-controller.hcl
             ├─7487 /tmp/2963995187/boundary-plugin-host-aws
             └─7495 /tmp/2802775466/boundary-plugin-host-azure

May 23 16:05:32 hashicorp-boundary boundary[7463]: {"id":"mXOXn0grn6","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:05:58 hashicorp-boundary boundary[7463]: {"id":"G1I9gt9XIN","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:07:14 hashicorp-boundary boundary[7463]: {"id":"Lkjbe3d3D5","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:07:22 hashicorp-boundary boundary[7463]: {"id":"mIfotiVOkf","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:07:33 hashicorp-boundary boundary[7463]: {"id":"2OOwFgdAsB","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:07:51 hashicorp-boundary boundary[7463]: {"id":"mQgulV8Kmg","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:07:53 hashicorp-boundary boundary[7463]: {"id":"8je7hjUkvh","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:07:58 hashicorp-boundary boundary[7463]: {"id":"XYNWGaw26z","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:08:16 hashicorp-boundary boundary[7463]: {"id":"tfcSubeubf","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa>
May 23 16:08:19 hashicorp-boundary boundary[7463]: {"id":"IyaiJkd5XJ","source":"https://hashicorp.com/boundary/demo-controller-1","specversion":"1.0","type":"observa

sudo systemctl status boundary-worker.service 
● boundary-worker.service - boundary worker
     Loaded: loaded (/etc/systemd/system/boundary-worker.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-05-23 14:45:10 UTC; 1h 39min ago
   Main PID: 7514 (boundary)
      Tasks: 8 (limit: 2274)
     Memory: 52.2M
     CGroup: /system.slice/boundary-worker.service
             └─7514 /usr/bin/boundary server -config /etc/boundary-worker.hcl

May 23 15:57:56 hashicorp-boundary boundary[7514]: {"id":"Oo6cjz1TRI","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:05:58 hashicorp-boundary boundary[7514]: {"id":"8vhNFsB041","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:07:14 hashicorp-boundary boundary[7514]: {"id":"apHJgr0lq5","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:07:22 hashicorp-boundary boundary[7514]: {"id":"Ern1FckaBk","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:07:33 hashicorp-boundary boundary[7514]: {"id":"c5T7rceuuW","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:07:51 hashicorp-boundary boundary[7514]: {"id":"Jz0RAhODQs","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:07:53 hashicorp-boundary boundary[7514]: {"id":"TTCzmoSFLx","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:07:58 hashicorp-boundary boundary[7514]: {"id":"9tJn6oOrD0","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:08:16 hashicorp-boundary boundary[7514]: {"id":"OtVZg1Sygb","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da>
May 23 16:08:19 hashicorp-boundary boundary[7514]: {"id":"ZRBOMOs4Hm","source":"https://hashicorp.com/boundary/demo-worker-1","specversion":"1.0","type":"system","da
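
The worker config above notes that its worker-auth key must match the controller's, and the posted controller config uses the same key value for its worker-auth and recovery blocks. A check for both conditions, as an added example that is not part of the original post or of Boundary itself; the sample configs and key strings are constructed placeholders, and the regex parser is an assumption that only handles flat `kms "aead"` blocks.

```python
import re

# Constructed sample configs with placeholder keys (not the values from the post).
CONTROLLER_HCL = '''
kms "aead" {
    purpose = "root"
    key = "AAAA-root-placeholder"
}
kms "aead" {
    purpose = "worker-auth"
    key = "BBBB-shared-placeholder"
}
kms "aead" {
    purpose = "recovery"
    key = "BBBB-shared-placeholder"
}
'''
WORKER_HCL = '''
# must be same key as used on controller config
kms "aead" {
    purpose = "worker-auth"
    key = "BBBB-shared-placeholder"
}
'''

KMS_BLOCK = re.compile(r'kms\s+"aead"\s*\{(.*?)\}', re.S)
ATTR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)  # skips '#' comment lines

def kms_keys(hcl):
    """Map purpose -> key for every flat kms "aead" block in the text."""
    out = {}
    for body in KMS_BLOCK.findall(hcl):
        attrs = dict(ATTR.findall(body))
        if "purpose" in attrs and "key" in attrs:
            out[attrs["purpose"]] = attrs["key"]
    return out

def audit(controller_hcl, worker_hcl):
    """Return findings; key material is never included in the messages."""
    ctrl, wrk = kms_keys(controller_hcl), kms_keys(worker_hcl)
    findings = []
    if ctrl.get("worker-auth") != wrk.get("worker-auth"):
        findings.append("worker-auth key differs between controller and worker")
    seen = {}
    for purpose, key in ctrl.items():
        if key in seen:
            findings.append(f"controller reuses one key for {seen[key]} and {purpose}")
        seen.setdefault(key, purpose)
    return findings
```
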

Are you still having this issue? If you add a target that points to a public web host over HTTP (like whatismyip.akamai.com), connect to it with boundary connect and browse to the Boundary proxy URL in your web browser, do you get output or an error?

Hi @omkensey

Thanks for your response. Here is what I got when trying to connect to the target with boundary connect:

boundary connect http -target-id $TARGET_ID
Session credentials were not accepted, or session is unauthorized
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to whatismyip.akamai.com:40657 
error fetching connection to send session teardown request to worker: Session credentials were not accepted, or session is unauthorized

The target is well defined:

boundary targets read -id $TARGET_ID

Target information:
  Created Time:               Tue, 24 May 2022 11:44:48 +01
  Description:                Provides an initial target in Boundary
  ID:                         ttcp_NgWLNI7cKv
  Name:                       Generated target
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Type:                       tcp
  Updated Time:               Fri, 10 Jun 2022 09:33:47 +01
  Version:                    4

  Scope:
    ID:                       p_mPj6xaFIF9
    Name:                     Generated project scope
    Parent Scope ID:          o_bNglPl05Sa
    Type:                     project

  Authorized Actions:
    no-op
    read
    update
    delete
    add-host-sets
    set-host-sets
    remove-host-sets
    add-host-sources
    set-host-sources
    remove-host-sources
    add-credential-libraries
    set-credential-libraries
    remove-credential-libraries
    add-credential-sources
    set-credential-sources
    remove-credential-sources
    authorize-session

  Host Sources:
    Host Catalog ID:          hcst_qWLJkvqHmM
    ID:                       hsst_maEVc7rfzo

  Attributes:
    Default Port:             80

When I tried to connect to the target with the Desktop app, I got a Boundary Proxy URL, but it never works.

curl http://127.0.0.1:37147
curl: (56) Recv failure: Connection reset by peer

Hello,

For me, downgrading the version of the Boundary client to 0.7.6 fixed the problem.