New Devices/peers immediately disconnected after pairing #3422

Open
ketchupCoding43 opened this issue Mar 3, 2025 · 5 comments

@ketchupCoding43

ketchupCoding43 commented Mar 3, 2025

Describe the problem

I set up NetBird using Authentik and Traefik, self-hosted. When I try to add new devices/peers, they get added but are instantly disconnected.

Whenever I try to add new devices, they show offline status. I tried with different devices (Android, Linux and Windows systems) to check, but it is the same for all devices. The device is only listed in the peer tab, idle, with offline status.

Expected behavior

New devices appear as active with a green symbol when newly paired.

Are you using NetBird Cloud?

No, selfhosted

NetBird version
0.37.1

Authentik version
2024.12.3

NetBird status -dA output:

Image

Screenshots

Image

Additional context

Image

Image

As you can see, I added my device and successfully authenticated, but my peer does not have an active status; it gets disconnected immediately.

```yaml
#version: "3"
services:
#Traefik
  traefik:
    image: traefik:v2.5
    restart: unless-stopped
    ports:
      - "10.150.1.202:8081:80"
      - "10.150.1.202:8082:8080"
      - "10.150.1.202:3478:3478"
      - "10.150.1.202:5349:5349"
      - "10.150.1.202:33080:33080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - netbird-network
      - coturn-network
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--log.level=DEBUG"

#UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    environment:
      - NETBIRD_MGMT_API_ENDPOINT=https://<netbirddomain>
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://<netbirddomain>
      - AUTH_AUDIENCE=lq9VTCymiayxVnhOVevhJAMFw9eJP5csvBcxiBez
      - AUTH_CLIENT_ID=lq9VTCymiayxVnhOVevhJAMFw9eJP5csvBcxiBez
      - AUTH_AUTHORITY=https://<authentikdomain>/application/o/netbird/
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
      - NETBIRD_TOKEN_SOURCE=accessToken
    networks:
      - netbird-network
      - coturn-network
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-dashboard.entrypoints=http
      - traefik.http.routers.netbird-dashboard.rule=Host(`<netbirddomain>`)
      - traefik.http.routers.netbird-dashboard.service=netbird-dashboard
      - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
      - traefik.docker.network=netbird-network

#Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    volumes:
      - netbird-signal:/var/lib/netbird
    networks:
      - netbird-network
      - coturn-network
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-signal.entrypoints=http
      - traefik.http.routers.netbird-signal.rule=Host(`<netbirddomain>`) && PathPrefix(`/signalexchange.SignalExchange/`)
      - traefik.http.routers.netbird-signal.service=netbird-signal
      - traefik.http.services.netbird-signal.loadbalancer.server.port=80
      - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
      - traefik.docker.network=netbird-network

#Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
      - /etc/ssl/certs/test_bundle.crt:/usr/local/share/ca-certificates/test_bundle.crt:ro
    entrypoint: ["/bin/sh", "-c", "update-ca-certificates && exec /go/bin/netbird-mgmt management"]
    extra_hosts:
      - "<authentikdomain>:10.150.1.201"
    networks:
      - netbird-network
      - coturn-network
    command:
      - "--log-file"
      - "console"
      - "--log-level"
      - "info"
      - "--disable-anonymous-metrics=false"
      - "--single-account-mode-domain=<netbirddomain>"
      - "--dns-domain=<netbirddomain>"
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    labels:
      - traefik.enable=true
      - traefik.http.routers.netbird-api.entrypoints=http
      - traefik.http.routers.netbird-api.rule=Host(`<netbirddomain>`) && PathPrefix(`/api`)
      - traefik.http.routers.netbird-api.service=netbird-api
      - traefik.http.services.netbird-api.loadbalancer.server.port=80
      - traefik.http.routers.netbird-management.entrypoints=http
      - traefik.http.routers.netbird-management.rule=Host(`<netbirddomain>`) && PathPrefix(`/management.ManagementService/`)
      - traefik.http.routers.netbird-management.service=netbird-management
      - traefik.http.services.netbird-management.loadbalancer.server.port=80
      - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
      - traefik.docker.network=netbird-network

#Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: <netbirddomain>
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
      - /etc/ssl/private/testsrv__.key:/etc/coturn/private/testsrv.key:ro
      - /etc/ssl/certs/test__bundle.crt:/etc/coturn/certs/test_bundle.crt:ro
    command:
      - -c /etc/turnserver.conf
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"
    networks:
      - netbird-network
      - coturn-network
    labels:
      - traefik.enable=true
      - traefik.http.routers.coturn.rule=Host(`<netbirddomain>`)
      - traefik.http.routers.coturn.entrypoints=http,https
      - traefik.http.routers.coturn.tls=true
      - traefik.http.routers.coturn.service=coturn
      - traefik.http.services.coturn.loadbalancer.server.port=3478
      - traefik.docker.network=coturn-network

#Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
      - NB_LOG_LEVEL=info
      - NB_LISTEN_ADDRESS=:33080
      - NB_EXPOSED_ADDRESS=rel://relay.<netbirddomain>:33080
      - NB_AUTH_SECRET=AJ71uF9MKIzAjQRkQjx22YEpMjlvymPiTyvlRwUdZiM
    networks:
      - netbird-network
      - coturn-network
    labels:
      - traefik.enable=true
      - traefik.http.routers.relay.rule=Host(`relay.<netbirddomain>`) && PathPrefix(`/relay`)
      - traefik.http.routers.relay.entrypoints=http,https
      - traefik.http.routers.relay.tls=true
      - traefik.http.routers.relay.service=relay
      - traefik.http.services.relay.loadbalancer.server.port=33080
      - traefik.docker.network=netbird-network

volumes:
  netbird-mgmt:
  netbird-signal:

networks:
  netbird-network:
    driver: bridge
#    external: true
  coturn-network:
    driver: bridge
#    external: true
```

@mlsmaycon
Collaborator

@ketchupCoding43 Can you share the output from `netbird status -d` after you authenticate the peer and it becomes disconnected?

@boopzz

boopzz commented Mar 6, 2025

I'm guessing this is a firewall issue on the controller host, as I've had similar.

@ketchupCoding43
Author

ketchupCoding43 commented Mar 6, 2025

Image

This command does not show any status of netbird as well as of my peer when I connected.

But when I enter the `netbird down` command:

Image

As you can see the netbird status is visible and showing my peer is disconnected.

@ketchupCoding43
Author

> I'm guessing this is a firewall issue on the controller host, as I've had similar.

I never used a firewall; also, the status of the firewall shows inactive.

@Aurel004

Aurel004 commented Mar 6, 2025

I had this issue with the latest Traefik update (3.3.4), rolled back to 3.3.3 and everything was back. It couldn't connect to management, signal, etc.

But I see you're using traefik 2.5 so should not be an issue
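
The thread keeps returning to the path through Traefik to management and signal. As an added example (not part of any participant's comment or of the NetBird project's code), this check compares the Traefik entrypoints, published ports and router labels copied from the compose file in the issue; the function names are assumptions made for the example.

```python
import re

# Constructed input: Traefik-related values copied from the compose file in this issue.
PORTS = ["10.150.1.202:8081:80", "10.150.1.202:8082:8080", "10.150.1.202:3478:3478",
         "10.150.1.202:5349:5349", "10.150.1.202:33080:33080"]
COMMAND = ["--api.insecure=true", "--providers.docker=true",
           "--entrypoints.http.address=:80", "--entrypoints.https.address=:443"]
LABELS = [f"traefik.http.routers.{r}.entrypoints={e}" for r, e in [
    ("netbird-dashboard", "http"), ("netbird-signal", "http"), ("netbird-api", "http"),
    ("netbird-management", "http"), ("coturn", "http,https"), ("relay", "http,https")]]


def entrypoints(command):
    """Map entrypoint name -> listen port from --entrypoints.<name>.address flags."""
    eps = {}
    for arg in command:
        m = re.fullmatch(r"--entrypoints\.([^.]+)\.address=.*:(\d+)(?:/\w+)?", arg)
        if m:
            eps[m.group(1)] = int(m.group(2))
    if "--api.insecure=true" in command:
        eps.setdefault("traefik", 8080)  # insecure API entrypoint defaults to :8080
    return eps


def published(ports):
    """Container-side ports of 'host_ip:host_port:container_port' mappings."""
    return {int(p.rsplit(":", 1)[1].split("/")[0]) for p in ports}


def check(ports, command, labels):
    """Return a list of mismatches between entrypoints, published ports and routers."""
    eps, pub, findings = entrypoints(command), published(ports), []
    for name, port in sorted(eps.items()):
        if port not in pub:
            findings.append(f"entrypoint '{name}' (:{port}) is not published")
    for port in sorted(pub - set(eps.values())):
        findings.append(f"published port {port} has no entrypoint listening")
    for label in labels:
        m = re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.entrypoints=(.+)", label)
        for ep in (m.group(2).split(",") if m else []):
            if ep not in eps:
                findings.append(f"router '{m.group(1)}' names undefined entrypoint '{ep}'")
            elif eps[ep] not in pub:
                findings.append(f"router '{m.group(1)}' uses unpublished entrypoint '{ep}'")
    return findings


if __name__ == "__main__":
    print("\n".join(check(PORTS, COMMAND, LABELS)))
```

Each finding is a mismatch to review in the compose file; the thread does not establish which, if any, causes the offline peers.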
