🐛 tunnel is not working as expected #1328

Open
Vikranth-Subramanian opened this issue Sep 16, 2024 · 4 comments
Labels
Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working

Comments


Vikranth-Subramanian commented Sep 16, 2024

Describe the bug
cloudflared 2024.1.6 and above is breaking the stability of the connection, including the latest release, which is 2024.9.1

To Reproduce
Steps to reproduce the behavior:

  1. Run the docker container with 2024.1.6.
  2. The tunnel is flapping up and down, and the connection is nearly unusable.

If it's an issue with Cloudflare Tunnel:
4. Tunnel ID : 92e2eec4-4237-4b87-8764-1556d14b723c
5. cloudflared config: tunnel --no-autoupdate run --token !!!REDACTED!!!

Expected behavior
connection should be stable

Environment and versions

  • OS_ARCH: linux_amd64

Logs and errors

2024-09-16T08:00:32Z ERR error="dial tcp <private-ip>:7680: i/o timeout" connIndex=3 destAddr=<private-ip>:7680 event=2 flowID=c8cfac7f-8dc3-4765-aa1d-3fb282a28e80 originService=warp-routing

2024-09-16T08:00:32Z ERR Request failed error="dial tcp <private-ip>:7680: i/o timeout" connIndex=3 dest=<private-ip>:7680 event=0 ip=198.41.200.43 type=tcp

Additional context
This can be resolved by turning on the experimental ICMP feature flag on the Networks -> Proxy
If the ICMP feature has not been turned on, whenever the tunnel starts it starts with the error

WRN The user running cloudflared process has a GID (group ID) that is not within ping_group_range. You might need to add that user to a group within that range, or instead update the range to encompass a group the user is already in by modifying /proc/sys/net/ipv4/ping_group_range. Otherwise cloudflared will not be able to ping this network error="Group ID 0 is not between ping group 1 to 0"

2024-09-16T07:06:08Z WRN ICMP proxy feature is disabled error="cannot create ICMPv4 proxy: Group ID 0 is not between ping group 1 to 0 nor ICMPv6 proxy: socket: permission denied"

Tunnel shows healthy in the cloudflare console but the container has these error/io timeout logs

Setup: This is running in the container inside a VPC which has permissions to set up an outbound tunnel

@Vikranth-Subramanian Vikranth-Subramanian added Priority: Normal Minor issue impacting one or more users Type: Bug Something isn't working labels Sep 16, 2024
@Vikranth-Subramanian Vikranth-Subramanian changed the title 🐛 tunnel is proxying private traffic 🐛 tunnel is not working as expected Sep 17, 2024
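
The warning quoted in the report compares a GID against net.ipv4.ping_group_range, and `1 0` (the kernel default) is an empty range that admits no group, not even GID 0. As an added example, not part of the issue or of cloudflared's code, this script makes that comparison for every GID of the current user rather than a single one; the function names and the `1 0` fallback sample are constructed here.

```shell
#!/bin/sh
# Added example: check which of the current user's GIDs fall inside
# net.ipv4.ping_group_range (the range named in the cloudflared warning).

PING_RANGE_FILE=/proc/sys/net/ipv4/ping_group_range
SAMPLE_RANGE="1 0"   # constructed sample: the range shown in the warning

# range_bounds "<min> <max>" -> sets $min and $max; returns 2 if malformed.
range_bounds() {
    min=${1%%[!0-9]*}    # leading run of digits
    max=${1##*[!0-9]}    # trailing run of digits
    [ -n "$min" ] && [ -n "$max" ] || return 2
}

# gid_in_range "<min> <max>" <gid> -> 0 if min <= gid <= max.
gid_in_range() {
    range_bounds "$1" || return 2
    [ "$2" -ge "$min" ] && [ "$2" -le "$max" ]
}

# first_allowed_gid "<min> <max>" <gid>... -> prints the first GID in range.
first_allowed_gid() {
    r=$1; shift
    for gid in "$@"; do
        if gid_in_range "$r" "$gid"; then
            echo "$gid"
            return 0
        fi
    done
    return 1
}

# Use the live kernel value when readable, otherwise the constructed sample.
if [ -r "$PING_RANGE_FILE" ]; then
    range=$(cat "$PING_RANGE_FILE")
else
    range=$SAMPLE_RANGE
fi

# $(id -G) is left unquoted on purpose so each GID becomes one argument.
if allowed=$(first_allowed_gid "$range" $(id -G)); then
    echo "ping sockets allowed: GID $allowed is within '$range'"
else
    echo "ping sockets denied: no GID of UID $(id -u) is within '$range'"
fi
```

Run it inside the same container and as the same user as cloudflared, since the range is a per-network-namespace setting.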
@mattduguid

From the container, are both TCP & UDP for port 7680 allowed outbound as per https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/tunnel-with-firewall/

@Vikranth-Subramanian

I can confirm that it has been configured with the right firewall rules


mattduguid commented Sep 20, 2024

dial tcp and failure to connect looks like no network path; try loading a sidecar container into the same namespace with some network testing tools and confirm connectivity


flpydsk commented Oct 22, 2024

I would think the container permissions/networking is broken, can you repro this issue outside of a container?
