Troubleshooting SCIONLab setup as a user (some points)


Leopold Ryll

Sep 29, 2018, 3:08:03 AM
to SCION community
Hello,
I wanted to share some points as a start for troubleshooting the SCIONLab setup. In most cases when having trouble with SCIONLab there are problems with the network on the user side (e.g. firewall policies that filter traffic or block certain connections).
Thanks again to Juan and the SCIONLab team overall for the help.

When you have problems connecting to SCIONLab, verify that:
  • the AS is active in the coordinator.
  • the system clock is correct (+-5s is okay, +-1min is not).
  • the VPN tunnel is established via `ip a`.
If there is no tunnel interface, e.g. `tun0`, then there is a problem.
This might be due to firewall policies in your network. One possibility is to switch the OpenVPN protocol from UDP to TCP.
Do this by opening the config file in `/etc/openvpn/client.conf`.
Change the line `proto udp` to `proto tcp`.
Then restart the OpenVPN service: `sudo systemctl restart openvpn@client`.
The tunnel should be established now.
(Note: ISD17 does not support TCP as the OpenVPN protocol, if I recall correctly.)

A restart of SCION might be necessary. See last step in SCION Tutorials.

Best regards
Leo R.

Juan A. Garcia Pardo

Oct 1, 2018, 11:27:31 AM
to SCION community
Hi Leo,
Thank you very much for your notes. We are in the process of creating a troubleshooting guide; hopefully it will be ready soon.
You are correct in that we run a TCP version of the VPN in all attachment points but ETH. It is not yet official as we have run only limited testing, but any user can try to fix their problems by following your advice.
We have not come up with a nice way to verify the synchronicity of the user virtual machine's internal clock. The "manual hack" is to verify it against one's cellular phone, for instance, or another computer we know has a synchronized clock. If the VM is not synchronized, there might be a firewall preventing NTP traffic.
Please don't hesitate to comment or add more posts as questions arise.
Many thanks and best regards,

Juan A.
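
Added example (not part of either post, and not SCIONLab project code): a read-only shell helper that runs the checks from the thread, namely whether a `tun` interface exists, which `proto` the OpenVPN client config selects, and how far the local clock is from a reference. The function names, the `REF_EPOCH` variable, the `--run` switch and the "borderline" band between 5 s and 60 s are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only checks for the points raised in this thread.

# Succeeds if an `ip -o link show` listing on stdin contains a tunN interface.
has_tunnel() {
    grep -Eq '^[0-9]+: tun[0-9]+[:@]'
}

# Prints the transport from the last active `proto` line of an OpenVPN config;
# OpenVPN uses UDP when no `proto` line is present.
vpn_proto() {
    awk '$1 == "proto" { p = $2 } END { print (p == "" ? "udp" : p) }' "$1"
}

# Classifies |local - reference| in seconds: up to 5 s is "ok" and 60 s or more
# is "bad", as in the thread; "borderline" for the gap between is an assumption.
skew_verdict() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    if [ "$d" -le 5 ]; then echo ok
    elif [ "$d" -ge 60 ]; then echo bad
    else echo borderline
    fi
}

# Hypothetical entry point. REF_EPOCH is an assumed variable holding `date +%s`
# taken from a host whose clock is known to be synchronized.
scionlab_check() {
    conf=${1:-/etc/openvpn/client.conf}
    if ip -o link show | has_tunnel; then
        echo "tunnel: tun interface present"
    else
        echo "tunnel: no tun interface (proto in $conf: $(vpn_proto "$conf"))"
        echo "        if UDP is filtered, try 'proto tcp', then restart openvpn@client"
    fi
    if [ -n "${REF_EPOCH:-}" ]; then
        echo "clock: $(skew_verdict "$(date +%s)" "$REF_EPOCH")"
    fi
}

# Run the checks only when asked, e.g. `sh scionlab_check.sh --run`.
if [ "${1:-}" = "--run" ]; then scionlab_check; fi
```

The helper changes nothing on the system; editing `client.conf` and restarting the service remain manual steps.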