IP-in-SCION tunneling
This guide explains how to troubleshoot problems related to IP-in-SCION tunneling.
Current configuration and state
Retrieve the current IP-in-SCION tunneling configuration:
appliance-cli get config -f body.config.scion_tunneling
Get the current SCION state of the appliance:
appliance-cli inspect scion-tunneling summary
This lists all the active tunneling domains where prefixes are currently received from a remote SCION ISD-AS.
appliance-cli inspect scion-tunneling summary
DOMAIN: domain-name
PREFIXES: 192.0.2.0/24
198.51.100.48/28
TRAFFIC MATCHER: default
PATH FILTER: default
REMOTE: 1-ff00:1:1,10.10.0.1:30856
STATE LATENCY JITTER DROPS EXPIRY PATH
--> alive 2.73ms 0.37ms 0.00% 5h51m30s 1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1
[more paths available, use the --all-paths flag to display them]
REMOTE: 1-ff00:1:1,10.10.0.2:30856
STATE LATENCY JITTER DROPS EXPIRY PATH
> alive 2.81ms 0.10ms 0.00% 5h51m31s 1-ff00:1:100 2>45 1-ff00:2:11 6>3 1-ff00:1:1
[more paths available, use the --all-paths flag to display them]
--> Indicates the active path for a traffic matcher within its domain.
> Indicates the candidate path for a currently unused remote.
Determine the current active path
If multiple paths are available, determine which path is currently active for a domain:
appliance-cli inspect tunneling summary | grep -e 'DOMAIN' -e '-->'
Are local prefixes advertised?
Check whether the local prefixes are advertised:
appliance-cli get debug/scion-tunneling/sgrp/local/announce
{
bgp: {
prefixes: []
}
static: {
prefixes: []
}
static-probed: [
{
last-success: "..."
next-hop: "10.0.0.4"
prefixes: ["203.0.113.96/27"]
reachable: true
}
]
}
Case 1: You have a BGP session to your LAN
The BGP prefixes received from the LAN must appear in the bgp section. Otherwise, refer to the BGP troubleshooting guide.
Case 2: You don't have a BGP session to your LAN
You must announce your prefixes statically. If the prefixes do not appear in the static section, then the static announcements are not configured correctly.
Are remote SCION ASes discovered?
Check whether remote SCION ASes are discovered:
appliance-cli get debug/scion-tunneling/discovery
{
"sessions": [
{
"last-success:": "...",
"local-isd-as": "1-ff00:1:100",
"path": "1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1",
"peers": [
{
"control": "10.10.0.1:30256",
"data": "10.10.0.1:30056",
"interfaces": [1, 2],
"probe": "10.10.0.1:30856"
},
{
"control": "10.10.0.1:30256",
"data": "10.10.0.1:30056",
"interfaces": [3, 4],
"probe": "10.10.0.2:30856"
}
],
"remote-isd-as": "1-ff00:1:1"
}
]
}
If the remote ISD-AS is not discovered, it might be missing from the remotes config, or domains[].remote_isd_ases might not list it.
Are prefixes received from remotes?
Check whether prefixes are received:
appliance-cli get debug/scion-tunneling/sgrp/peers
{
"peers": [
{
"announced": ["203.0.113.96/27"],
"last-received": "...",
"local-isd-as": "1-ff00:1:100",
"path": "1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1",
"received": ["192.0.2.0/24", "198.51.100.48/28"],
"remote-address": "10.10.0.1:30056",
"remote-isd-as": "1-ff00:1:1"
},
{
"announced": ["203.0.113.96/27"],
"last-received": "...",
"local-isd-as": "1-ff00:1:100",
"path": "1-ff00:1:100 3>41 1-ff00:56:1 5>1 1-ff00:1:2",
"received": ["192.0.4.0/24", "198.51.100.48/28"],
"remote-address": "10.10.0.2:30056",
"remote-isd-as": "1-ff00:1:2"
}
]
}
If the expected peers are present and last-received is recent, but the expected prefixes are missing, then the remote SCION ISD-AS is not announcing the expected prefixes. In this case reach out to your communication partner to check their configuration.
If the expected peers are missing, then the remote ISD-AS is not discovered. See "Are remote SCION ASes discovered?" for more information.
Are prefixes received as part of the domain?
appliance-cli get debug/scion-tunneling/sgrp/remote/receive
{
1-ff00:1:100,1-ff00:1:1,10.10.0.1:30056: {
accepted: {
domain-1: ["192.0.2.0/24"]
}
candidates: ["192.0.2.0/24", "198.51.100.48/28"]
last_received: "..."
local_isd_as: "1-ff00:1:100"
remote_address: "10.10.0.1:30056"
remote_isd_as: "1-ff00:1:1"
}
1-ff00:1:100,1-ff00:1:2,10.10.0.2:30056: {
accepted: {
domain-2: ["192.0.4.0/24", "198.51.100.48/28"]
}
candidates: ["192.0.4.0/24", "198.51.100.48/28"]
last_received: "..."
local_isd_as: "1-ff00:1:100"
remote_address: "10.10.0.2:30056"
remote_isd_as: "1-ff00:1:2"
}
}
- If the expected prefixes are missing in candidates, the remote SCION ISD-AS is not announcing them. Reach out to your communication partner to check their configuration.
- If the expected prefixes are present in candidates but missing in accepted, the domain's accept_filter might be misconfigured.
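The two checks above, written as an added example (not part of the appliance tooling). It assumes the sgrp/remote/receive output is available as parsed JSON; the sample data is constructed to mirror the output shown above, and the function names and result labels are hypothetical. It goes slightly beyond the text by treating an expected prefix as present when a listed prefix equals or contains it.

```python
import ipaddress

# Constructed sample mirroring the shape of the sgrp/remote/receive output above.
RECEIVE = {
    "1-ff00:1:100,1-ff00:1:1,10.10.0.1:30056": {
        "accepted": {"domain-1": ["192.0.2.0/24"]},
        "candidates": ["192.0.2.0/24", "198.51.100.48/28"],
        "remote_isd_as": "1-ff00:1:1",
    },
    "1-ff00:1:100,1-ff00:1:2,10.10.0.2:30056": {
        "accepted": {"domain-2": ["192.0.4.0/24", "198.51.100.48/28"]},
        "candidates": ["192.0.4.0/24", "198.51.100.48/28"],
        "remote_isd_as": "1-ff00:1:2",
    },
}


def covers(prefixes, wanted):
    """Return True if any prefix in `prefixes` equals or contains `wanted`."""
    w = ipaddress.ip_network(wanted)
    for p in prefixes:
        n = ipaddress.ip_network(p)
        if n.version == w.version and w.subnet_of(n):
            return True
    return False


def triage(receive, domain, remote_isd_as, wanted):
    """Classify one expected prefix for a domain and a remote ISD-AS."""
    peers = [p for p in receive.values()
             if p.get("remote_isd_as") == remote_isd_as]
    if not peers:
        return "peer-missing"            # remote ISD-AS has no entry at all
    if any(covers(p.get("accepted", {}).get(domain, []), wanted) for p in peers):
        return "accepted"                # prefix is usable in this domain
    if any(covers(p.get("candidates", []), wanted) for p in peers):
        return "check-accept_filter"     # received, but not accepted for the domain
    return "remote-not-announcing"       # not in candidates: ask the partner


if __name__ == "__main__":
    for prefix in ("192.0.2.0/24", "198.51.100.48/28", "203.0.113.0/24"):
        print(prefix, triage(RECEIVE, "domain-1", "1-ff00:1:1", prefix))
```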
Are prefixes announced as part of the domain?
Check whether the local prefixes are announced to remote peers:
appliance-cli get debug/scion-tunneling/sgrp/remote/announce
- If the announced prefix is missing but it is present in "Are local prefixes advertised?", the domain's announce_filter might be misconfigured. Compare the announced and candidates prefixes for the peer and review the announce_filter configuration.
Common troubleshooting scenarios
No end-to-end connectivity
Go through the following steps to find out why end-to-end connectivity does not work:
- Verify the source and destination of the traffic that should be tunneled.
- Check whether your appliance has routes to the destination via the SCION network. See "Are prefixes received as part of the domain?".
- Check whether your appliance announces the expected prefixes to the remote. See "Are prefixes announced as part of the domain?".
- Verify that the communication partner is receiving your traffic (check for dropped traffic on network devices and firewalls).