claudetools/.claude/memory/reference_tailscale_subnet_key_expiry.md
Mike Swanson e61b39b5c8 sync: auto-sync from GURU-5070 at 2026-06-25 12:35:22
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-25 12:35:22
2026-06-25 12:37:54 -07:00


---
name: reference_tailscale_subnet_key_expiry
description: "Internet OK but all of 172.16.3.x dead" = Tailscale infra-node key expiry, not a LAN outage. How to diagnose + the fallback path.
metadata:
  type: reference
---

The ACG internal subnet 172.16.3.x is reached over Tailscale, not a local LAN — pfsense-2 (the pfSense node) is the subnet router advertising 172.16.0.0/22. Key hosts on it: Gitea/Jupiter 172.16.3.20:3000, GuruRMM + coord 172.16.3.30:3001/:8001.

Symptom → cause: if sync.sh fetch fails and the WHOLE 172.16.3.x subnet is unreachable (both .20 and .30) while general internet is fine, the cause is almost always a Tailscale node KEY EXPIRY on an infra node (the subnet router or a server) — an expired key drops that node off the tailnet, killing the route. It is NOT a "transient blip" and NOT a real LAN outage (logged as a correction 2026-06-25 after I mis-called it). Mike disabled key expiration on the infra node(s) 2026-06-25 so it shouldn't recur; if it does, re-auth the node + confirm expiry is off in the Tailscale admin console.

Diagnose (Windows tailscale.exe at C:\Program Files\Tailscale\):

- `tailscale status` — look for peers marked offline/key-expired, esp. pfsense-2 and gururmm-server.
- `tailscale debug prefs | grep RouteAll` — must be true (this machine accepts subnet routes).
- `tailscale status --json` — confirm a peer advertises 172.16.0.0/22 (PrimaryRoutes) and is Online.
- `tailscale ping <tailnet-100.x>` — tests tailnet path independent of the subnet route.

Fallback: gururmm-server is directly reachable at its tailnet IP 100.86.12.15:3001 — usable in place of 172.16.3.30:3001 if the subnet route is down but the node itself is up. See feedback_tmp_path_windows.
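
The `tailscale status --json` check and the fallback lookup above, scripted as an added example (not part of the original note or of ACG's tooling). It assumes the peer fields `HostName`, `Online`, `Expired`, `PrimaryRoutes` and `TailscaleIPs` in the status JSON; the sample data, node keys and the 100.64.0.1 address are constructed.

```python
import ipaddress
import json
import sys

# Constructed sample shaped like `tailscale status --json`, trimmed to the
# fields used below. Node keys and 100.64.0.1 are made up for illustration.
SAMPLE = json.loads("""
{"Peer": {
  "nodekey:aaaa": {"HostName": "pfsense-2", "Online": false, "Expired": true,
                   "TailscaleIPs": ["100.64.0.1"],
                   "PrimaryRoutes": ["172.16.0.0/22"]},
  "nodekey:bbbb": {"HostName": "gururmm-server", "Online": true,
                   "TailscaleIPs": ["100.86.12.15"]}
}}
""")

def _peers(status):
    return list((status.get("Peer") or {}).values())

def _usable(peer):
    return bool(peer.get("Online")) and not peer.get("Expired")

def diagnose(status, target="172.16.3.30"):
    """Say whether any peer currently routes `target`, and why not if none does."""
    addr = ipaddress.ip_address(target)
    routers = [p for p in _peers(status)
               if any(addr in ipaddress.ip_network(r, strict=False)
                      for r in p.get("PrimaryRoutes") or [])]
    if any(_usable(p) for p in routers):
        verdict = "route-ok"
    elif any(p.get("Expired") for p in routers):
        verdict = "router-key-expired"
    elif routers:
        verdict = "router-offline"
    else:
        verdict = "no-route"  # nobody advertises it; check the expired list
    return {"verdict": verdict,
            "routers": sorted(p["HostName"] for p in routers),
            "expired": sorted(p["HostName"] for p in _peers(status) if p.get("Expired"))}

def direct_fallbacks(status):
    """Usable peers mapped to their tailnet IP, reachable without the subnet route."""
    return {p["HostName"]: p["TailscaleIPs"][0]
            for p in _peers(status) if _usable(p) and p.get("TailscaleIPs")}

if __name__ == "__main__":
    # Pipe real output in: tailscale status --json | python <this file>
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps({"diagnosis": diagnose(data), "fallbacks": direct_fallbacks(data)}, indent=2))
```

A `router-key-expired` verdict with gururmm-server still listed under fallbacks is the situation this note describes: re-auth the router, and use the tailnet IP in the meantime.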