
IP-in-SCION tunneling

This guide explains how to troubleshoot problems related to IP-in-SCION tunneling.

Current configuration and state

Retrieve the current IP-in-SCION tunneling configuration:

appliance-cli get config -f body.config.scion_tunneling

Get the current SCION state of the appliance:

appliance-cli inspect scion-tunneling summary

This lists all the active tunneling domains where prefixes are currently received from a remote SCION ISD-AS.

Example
appliance-cli inspect scion-tunneling summary
DOMAIN: domain-name
PREFIXES: 192.0.2.0/24
          198.51.100.48/28
TRAFFIC MATCHER: default
PATH FILTER: default
REMOTE: 1-ff00:1:1,10.10.0.1:30856
    STATE  LATENCY  JITTER  DROPS  EXPIRY    PATH
--> alive  2.73ms   0.37ms  0.00%  5h51m30s  1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1
[more paths available, use the --all-paths flag to display them]
REMOTE: 1-ff00:1:1,10.10.0.2:30856
    STATE  LATENCY  JITTER  DROPS  EXPIRY    PATH
>   alive  2.81ms   0.10ms  0.00%  5h51m31s  1-ff00:1:100 2>45 1-ff00:2:11 6>3 1-ff00:1:1
[more paths available, use the --all-paths flag to display them]

--> Indicates the active path for a traffic matcher within its domain.
> Indicates the candidate path for a currently unused remote.

Determine the current active path

If multiple paths are available, determine which path is currently active for a domain:

appliance-cli inspect scion-tunneling summary | grep -e 'DOMAIN' -e '-->'

Are local prefixes advertised?

Check whether the local prefixes are advertised:

appliance-cli get debug/scion-tunneling/sgrp/local-prefixes
{
  "local-prefixes": {
    "bgp": {
      "prefixes": null
    },
    "static": {
      "prefixes": ["203.0.113.96/27"]
    },
    "static-probed": null
  }
}

Case 1: You have a BGP session to your LAN

The BGP prefixes received from the LAN must appear in the bgp section. Otherwise, refer to the BGP troubleshooting guide.

Case 2: You do not have a BGP session to your LAN

You must announce your prefixes statically. If the prefixes do not appear in the static section, then the static announcements are not configured correctly.

Are remote SCION ASes discovered?

Check whether remote SCION ASes are discovered:

appliance-cli get debug/scion-tunneling/discovery
{
  "sessions": [
    {
      "last-success:": "2024-02-13T13:41:33Z",
      "local-isd-as": "1-ff00:1:100",
      "path": "1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1",
      "peers": [
        {
          "control": "10.10.0.1:30256",
          "data": "10.10.0.1:30056",
          "interfaces": [1, 2],
          "probe": "10.10.0.1:30856"
        },
        {
          "control": "10.10.0.1:30256",
          "data": "10.10.0.1:30056",
          "interfaces": [3, 4],
          "probe": "10.10.0.2:30856"
        }
      ],
      "remote-isd-as": "1-ff00:1:1"
    }
  ]
}

If the remote ISD-AS is not discovered, it might be missing from the remotes configuration, or domains[].remote_isd_ases might not list it.

Are prefixes received from remotes?

Check whether prefixes are received:

appliance-cli get debug/scion-tunneling/sgrp/peers
{
  "peers": [
    {
      "announced": ["203.0.113.96/27"],
      "last-received": "2024-02-13T13:41:33Z",
      "local-isd-as": "1-ff00:1:100",
      "path": "1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1",
      "received": ["192.0.2.0/24", "198.51.100.48/28"],
      "remote-address": "10.10.0.1:30056",
      "remote-isd-as": "1-ff00:1:1"
    },
    {
      "announced": ["203.0.113.96/27"],
      "last-received": "2024-02-13T13:41:33Z",
      "local-isd-as": "1-ff00:1:100",
      "path": "1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1",
      "received": ["192.0.2.0/24", "198.51.100.48/28"],
      "remote-address": "10.10.0.2:30056",
      "remote-isd-as": "1-ff00:1:1"
    }
  ]
}

If the expected peers are present and last-received is recent, but the expected prefixes are missing, then the remote SCION ISD-AS is not announcing the expected prefixes. In this case, reach out to your communication partner to check their configuration.

If the expected peers are missing, then the remote ISD-AS is not discovered. See "Are remote SCION ASes discovered?" for more information.
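
The decision logic of this section, as an added example (not part of the original guide or of the appliance software). It assumes the JSON shape shown above; diagnose_peers, the 5-minute max_age threshold and the sample data are hypothetical.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample modelled on the peers output above; the second peer
# deliberately lacks one prefix so the check has something to report.
SAMPLE = """{"peers": [
 {"last-received": "2024-02-13T13:41:33Z", "remote-isd-as": "1-ff00:1:1",
  "remote-address": "10.10.0.1:30056",
  "received": ["192.0.2.0/24", "198.51.100.48/28"]},
 {"last-received": "2024-02-13T13:41:33Z", "remote-isd-as": "1-ff00:1:1",
  "remote-address": "10.10.0.2:30056", "received": ["192.0.2.0/24"]}
]}"""

def _nets(prefixes):
    # Normalise so textual variants of the same prefix compare equal.
    return {ipaddress.ip_network(p) for p in prefixes or []}

def diagnose_peers(raw, expected, now, max_age=timedelta(minutes=5)):
    """expected maps remote ISD-AS -> prefixes that remote should announce.
    max_age is an assumed threshold; the guide only says "recent"."""
    peers = json.loads(raw).get("peers") or []
    findings = []
    for isd_as in sorted(expected):
        matching = [p for p in peers if p.get("remote-isd-as") == isd_as]
        if not matching:
            # No peer at all: go back to the discovery check.
            findings.append((isd_as, None, "not-discovered"))
        for peer in matching:
            addr = peer.get("remote-address")
            seen = datetime.fromisoformat(peer["last-received"].replace("Z", "+00:00"))
            if now - seen > max_age:
                findings.append((isd_as, addr, "stale"))
                continue
            missing = _nets(expected[isd_as]) - _nets(peer.get("received"))
            if missing:
                # Fresh session, prefixes absent: the remote is not announcing them.
                findings.append((isd_as, addr, "missing:" + ",".join(sorted(map(str, missing)))))
    return findings

if __name__ == "__main__":
    from datetime import timezone
    want = {"1-ff00:1:1": ["192.0.2.0/24", "198.51.100.48/28"]}
    for finding in diagnose_peers(SAMPLE, want, datetime(2024, 2, 13, 13, 42, tzinfo=timezone.utc)):
        print(finding)
```

To check a live appliance, pass the JSON printed by appliance-cli get debug/scion-tunneling/sgrp/peers as raw and the current UTC time as now.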

Are prefixes received as part of the domain?

appliance-cli get debug/scion-tunneling/sgrp/domains
{
  "domains": {
    "domain-name": {
      "announced": ["203.0.113.96/27"],
      "received": ["192.0.2.0/24", "198.51.100.48/28"]
    }
  }
}

This shows the prefixes that are announced and received in a specific domain.

Common problems

No end-to-end connectivity

Go through the following steps to find out why end-to-end connectivity does not work: