Description
Expected behavior:
Running VNet must not interfere with accessing HTTP/HTTPS applications via the browser.
After a JIT access request is approved and the role is assumed in the Web UI, the http(s) application should open successfully without requiring the user to additionally assume the role in Teleport Connect.
For layer 7 applications, the hostname should resolve to the public proxy IP, or otherwise remain reachable while VNet is enabled.
Current behavior:
If VNet is running and the user did not have access to the application at the moment VNet was started, the application hostname resolves to a random VNet IP.
After the user receives JIT access and assumes the role in the Web UI:
• the browser continues to use the VNet IP
• Teleport does not match the request to the application
• the application is not reachable
If the same role is then assumed in Teleport Connect:
• the hostname still resolves to the same VNet IP
• the application immediately becomes accessible
Control case:
If the user already had access before VNet was started, the hostname resolves to the public proxy IP and the application opens in the browser as expected.
Bug details:
Teleport version:
18.6.4
Recreation steps:
- Create an HTTPS web application.
- Create a user who can request a role via JIT.
- Create a role that grants access to this application.
- Start Teleport Connect with VNet enabled using this user.
- Ensure the user does not have access to the application.
- Verify DNS resolution:
  dscacheutil -q host -a name <app-hostname>
  Returns a VNet IP (100.x.x.x / fdxx::).
- In the browser, create and approve a JIT access request.
- Assume the role in the Web UI.
- Open the application in the browser.
  Result: the application is not reachable.
- Assume the same role in Teleport Connect.
  Result: the application becomes accessible while DNS resolution still returns the VNet IP.
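The DNS check in the steps above is the one observation that separates the bug case from the control case, so here is a small shell helper that classifies what the app hostname resolves to. It is an added example written for this report, not code from the Teleport project or from the original issue. It assumes the macOS dscacheutil output format (lines beginning with "ip_address:" or "ipv6_address:") and treats any 100.x.x.x or fd..:: address as a VNet address, following the ranges cited in the report; adjust the patterns if your VNet is configured with a different CIDR. The sample lookups at the bottom are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added diagnostic helper (not part of Teleport or of the original issue text).
# Classifies the addresses an application hostname resolves to as "vnet" or
# "public", so the bug case (VNet IP after JIT access) can be told apart from
# the control case (public proxy IP).

# is_vnet_ip ADDR -> exit 0 if ADDR is in a VNet range, 1 otherwise.
# Assumption: VNet addresses are 100.x.x.x (IPv4) or fd..:: (IPv6), as the
# report states; change these patterns if your VNet uses another range.
is_vnet_ip() {
  case "$1" in
    100.*.*.*) return 0 ;;
    fd[0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_lookup OUTPUT -> prints "vnet", "public", or "unresolved".
# OUTPUT is the text printed by `dscacheutil -q host -a name <app-hostname>`
# on macOS; assumed format: "ip_address: A.B.C.D" / "ipv6_address: ...".
# Any VNet address present wins, because that is the symptom under report.
classify_lookup() {
  vnet=0; public=0
  for addr in $(printf '%s\n' "$1" | awk '/^ip(v6)?_address:/ {print $2}'); do
    if is_vnet_ip "$addr"; then vnet=1; else public=1; fi
  done
  if [ "$vnet" -eq 1 ]; then echo vnet
  elif [ "$public" -eq 1 ]; then echo public
  else echo unresolved
  fi
}

# check_app_hostname HOSTNAME -> resolve on macOS and classify (needs dscacheutil).
check_app_hostname() {
  classify_lookup "$(dscacheutil -q host -a name "$1")"
}

# Constructed sample outputs (hostname and addresses are placeholders):
SAMPLE_VNET='name: app.example.invalid
ip_address: 100.64.0.5'
SAMPLE_PUBLIC='name: app.example.invalid
ip_address: 203.0.113.10'

classify_lookup "$SAMPLE_VNET"    # prints vnet   (the bug case)
classify_lookup "$SAMPLE_PUBLIC"  # prints public (the control case)
```

Run it before and after assuming the role in the Web UI: a result of "vnet" both times, while the application is unreachable, reproduces the behaviour described; "public" on a fresh VNet start where access already exists matches the control case.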
Impact:
From a usability perspective, this behavior is confusing and disruptive for users, as obtaining access via the Web UI does not allow them to open the application in the browser while VNet is running.