SCION/CP-PKI

This guide explains how to troubleshoot SCION and CP-PKI related aspects of the Anapaya appliances.

Quick reference commands

Retrieve the current SCION configuration:

appliance-cli get config -f body.config.scion

Get the current SCION state, including crypto material and interface status for all configured ASes:

appliance-cli info scion

Crypto and certificate issues

TRC missing for local ISD

appliance-cli info scion
SCION ASes
- 1-ff00:1:1
Crypto:
- TRC for local ISD ❌
...

Without a TRC for the local ISD, the appliance cannot receive and validate topology information and therefore there will be no SCION connectivity.

Get the list of configured TRCs:

appliance-cli get cppki/trcs

If no TRC is configured, the output is:

{
"trcs": []
}

A missing TRC is usually caused by forgetting to configure one, or accidentally deleting it.

Refer to TRC handling for details on installing a TRC.

AS certificate missing or expired

appliance-cli info scion
SCION ASes
- 1-ff00:1:1
Crypto:
...
- AS certificate ❌

Without a valid AS certificate, the appliance cannot sign path segments from beacons, so no paths will be available and there will be no SCION connectivity.

Get the list of configured AS certificates:

appliance-cli get cppki/certificates

If no certificate is configured, the output is:

{
"certificate_chains": []
}

A missing AS certificate can be caused by forgetting to configure one, accidentally deleting it, or a failed automatic renewal after a prolonged connectivity outage.

Refer to Certificate handling for details on listing, generating, and installing AS certificates. If the appliance is part of a cluster and a sibling appliance already has a valid AS certificate, you can request an AS certificate via sibling appliance.

Uploading AS certificate fails

If the AS certificate is in PEM format, make sure that the certificate chain has exactly two certificates: the AS certificate and the issuer certificate. Also, make sure that there is no trailing line in the certificate chain.
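
The two rules above can be checked locally before an upload. The script below is an added example, not Anapaya tooling or code from the original page. The function names check_as_chain and make_chain are hypothetical, the sample chain is constructed with placeholder base64, and "trailing line" is assumed to mean any line after the final END CERTIFICATE marker.

```bash
#!/bin/sh
# Added example: structural pre-upload check for a PEM AS certificate chain.
# Assumption: a "trailing line" is any line after the final END marker.
# check_as_chain FILE: print findings; return 0 only if the chain passes.
check_as_chain() {
    [ -r "$1" ] || { echo "cannot read: $1"; return 2; }
    awk '
        function bad(msg) { print "FAIL: " msg; errors++ }
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) bad("BEGIN inside an open block at line " NR)
            inside = 1; body = 0; begins++; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (!inside) bad("END without BEGIN at line " NR)
            else if (body == 0) bad("empty certificate block at line " NR)
            inside = 0; last_end = NR; next
        }
        inside {
            if ($0 !~ /^[A-Za-z0-9+\/=]+$/) bad("non-base64 data at line " NR)
            body++; next
        }
        # Remaining non-blank lines sit outside any certificate block.
        /[^ \t]/ { bad("unexpected text outside a block at line " NR) }
        END {
            if (inside) bad("last block has no END marker")
            if (begins != 2) bad("expected 2 certificates, found " (begins + 0))
            if (last_end && NR > last_end)
                bad((NR - last_end) " trailing line(s) after final END")
            if (!errors) print "OK: 2 certificates, no trailing line"
            exit (errors ? 1 : 0)
        }
    ' "$1"
}

# make_chain COUNT TRAILER: emit COUNT constructed blocks (placeholder
# base64, not real certificates), then TRAILER with escapes expanded.
make_chain() {
    _n=$1
    while [ "$_n" -gt 0 ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
            '-----END CERTIFICATE-----'
        _n=$((_n - 1))
    done
    printf '%b' "$2"
}
sample=$(mktemp)
make_chain 2 '\n' > "$sample"      # two blocks plus one trailing blank line
check_as_chain "$sample" || true   # flags the trailing line
rm -f "$sample"
```

The check is structural only: it does not parse the certificates, verify validity periods, or confirm that one certificate actually issued the other.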

SCION interface issues

Interface is down

The appliance cannot send or receive SCION traffic on a SCION interface which is down.

Refer to SCIONInterfaceStateDown for steps to investigate the issue.

Interface is constantly flapping

The appliance cannot reliably send or receive SCION traffic on a SCION interface in an unstable state. Check the dataplane logs:

docker logs dataplane

If you see repeated "Rejecting large frequency change" messages, this indicates a dataplane synchronization problem. Restore connectivity by restarting the dataplane, dataplane-control, and router containers:

docker restart dataplane dataplane-control router

Troubleshooting SCION paths

No paths available

If the appliance has no SCION paths available, check the following. This issue may be indicated by these alerts:

Run scion showpaths to confirm that no paths are available. If no path is found, the output looks like:

Available paths to 1-ff00:1:2
Error: no path found

Check the following:

  1. Interface state: check if any interfaces are down or constantly flapping.
  2. AS certificate and TRC: ensure the local ISD TRC and a valid AS certificate are configured.
  3. Time synchronization: a skewed system clock prevents SCION from correctly validating crypto material and path segments.
  4. Interface details: the link details on both sides of the SCION link must match (ISD-AS, interface ID, and underlay addresses). Verify with appliance-cli info scion on both appliances.

Path with timeout

Run showpaths to inspect the available paths to a destination AS. The --refresh flag forces the tool to fetch fresh paths from the control plane:

scion showpaths --refresh <destination-ISD-AS>

Paths in the timeout state indicate that the SCION control plane can see the path but data-plane probes are not getting through.

If some paths are missing or in the timeout state instead of alive, check the following:

  1. Check the interface status in the output of appliance-cli info scion and investigate any interfaces that are down or constantly flapping.
  2. If you can pinpoint the issue to a specific local SCION interface, run an IP ping to the corresponding router address in the neighbor AS. If the ping fails or shows high or variable latency, the problem is likely in the IP underlay. Contact the network team for the affected link.