SCION / CPPKI
This guide explains how to troubleshoot SCION- and CPPKI-related issues on Anapaya appliances.
Current configuration and state
The current SCION configuration can be retrieved from the appliance using the following command:
appliance-cli get config -f body.config.scion
To get the current SCION state of the appliance, use the following command:
appliance-cli info scion
Note
This command is available starting with version v0.36.0.
This lists all the SCION ASes that are configured on the appliance and shows the state of the crypto material and of the SCION interfaces.
Common problems
TRC for local ISD missing
appliance-cli info scion
SCION ASes
- 1-ff00:1:1
Crypto:
- TRC for local ISD ❌
...
If the TRC for the local ISD is missing, the appliance cannot receive and validate topology information, so there will be no SCION connectivity.
Refer to the TRC sections of the Crypto User Guide for how to provision the TRC.
AS certificate missing/expired
appliance-cli info scion
SCION ASes
- 1-ff00:1:1
Crypto:
...
- AS certificate ❌
If the AS certificate is missing or expired, the appliance cannot receive and validate topology information, so there will be no SCION connectivity.
Refer to the AS certificate sections of the Crypto User Guide for how to create a CSR and request a certificate.
Tip
Refer to Request AS Certificate via Sibling Appliance if the appliance is part of a cluster and a sibling appliance already has a valid AS certificate.
SCION Interface is down
If a SCION interface is down, the appliance will not be able to send or receive SCION traffic on that interface.
Refer to the corresponding alert to find out how to investigate the issue.
Uploading AS certificate fails
If the AS certificate is in PEM format, make sure that the certificate chain has exactly two certificates: the AS certificate and the issuer certificate. Also, make sure that there is no trailing line in the certificate chain.
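A pre-upload check for the two conditions above, as an added example that is not part of the Anapaya documentation or tooling. The function names are hypothetical, the sample chain is constructed with a placeholder body rather than a real certificate, and "trailing line" is assumed to mean any blank or extra line after the final END CERTIFICATE marker.

```shell
#!/bin/sh
# check_as_chain FILE (hypothetical helper): returns 0 only if FILE holds
# exactly two PEM certificate blocks and nothing after the last END marker.
check_as_chain() {
    chain=$1
    if [ ! -r "$chain" ]; then
        echo "cannot read: $chain" >&2
        return 2
    fi
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF line endings when matching markers
        /^-----BEGIN CERTIFICATE-----$/ { begin++; next }
        /^-----END CERTIFICATE-----$/   { end++; last_end = NR; next }
        END {
            bad = 0
            if (begin != end) {
                print "unbalanced markers: " begin " BEGIN, " end " END"; bad = 1
            }
            if (begin != 2) {
                print "expected 2 certificates (AS + issuer), found " begin; bad = 1
            }
            if (NR > last_end) {
                print (NR - last_end) " trailing line(s) after the final END CERTIFICATE"
                bad = 1
            }
            if (!bad) print "ok: 2 certificates, no trailing line"
            exit bad
        }
    ' "$chain"
}

# write_sample_chain N FILE: constructed sample input with N PEM-shaped blocks.
# The body is a placeholder string, not a real certificate.
write_sample_chain() {
    n=$1; out=$2; i=0
    : > "$out"
    while [ "$i" -lt "$n" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' >> "$out"
        i=$((i + 1))
    done
}

# When run as a script with a file argument, check that file.
if [ $# -gt 0 ]; then check_as_chain "$1"; fi
```

The check is structural only: it does not decode the certificates or confirm that the first one is the AS certificate and the second its issuer.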