04-02-2025 01:47 PM
We make software that provides encryption keys to IPsec implementations that use the Postquantum Preshared Keys (PPK) capability RFC 8784 defines. We are moving it to run in a docker container on a Cisco 8000v VM in AWS. I've attached the relevant config. According to DevNet we need to use a virtualportgroup to provide networking support. Outbound connections are routed properly. Inbound connections are not. The NAT setup sends inbound SYN packets to the container. The container responds with a SYN-ACK that is dropped somewhere. Inbound connections can come via the internal IKEv2 daemon (comes from 192.168.35.101) or from anywhere on port 8888. In both cases the SYN-ACK is dropped. What am I missing?
04-02-2025 05:46 PM
Does it work without the vrf?
04-03-2025 07:03 AM
Technically no. If I remove all of the 'vrf' config lines then it's broken. I'm only using it because the few examples I was able to find posted regarding docker and virtualportgroup config say it's needed.
04-03-2025 12:53 AM
I think you need to append "vrf GS match-in-vrf" to the static PAT line of config for this to work properly.
If this doesn't work you can try to see what happens to the traffic with a FIA trace: Technote - Troubleshoot with the IOS-XE Datapath Packet Trace Feature
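As an added illustration, not the poster's attached config (which is not shown in the thread): the static PAT line without and with the keywords suggested above, followed by the packet-trace commands from the linked technote. The interface names, the container address 192.168.35.2 and the VirtualPortGroup addressing are assumptions.

```text
! Assumed topology (not from the thread): GigabitEthernet1 is the outside
! interface, VirtualPortGroup0 is 192.168.35.1/24 facing the container, and
! the container guest address is 192.168.35.2 inside vrf GS.
!
! Static PAT as it would look without the vrf keywords: the inbound SYN is
! translated to the container, but the container's SYN-ACK (assumed shown)
! enters the router in vrf GS and is not tied to this translation.
ip nat inside source static tcp 192.168.35.2 8888 interface GigabitEthernet1 8888
!
! The same line with the keywords from the reply above: the translation is
! bound to vrf GS and inside traffic is matched in that same vrf.
ip nat inside source static tcp 192.168.35.2 8888 interface GigabitEthernet1 8888 vrf GS match-in-vrf
!
! If the SYN-ACK still disappears, trace it through the datapath (FIA trace,
! as in the technote linked above). Condition on the container address in
! both directions so the outbound SYN-ACK is captured.
debug platform condition ipv4 192.168.35.2/32 both
debug platform packet-trace packet 64 fia-trace
debug platform condition start
! ... open one inbound connection to port 8888, then stop and inspect:
debug platform condition stop
show platform packet-trace summary
show platform packet-trace packet 0
! The per-packet output names the feature (NAT, VRF lookup, ACL, etc.) at
! which the packet was dropped, which is what the thread is trying to find.
```

Remove the debug condition (`debug platform condition stop` and `clear platform condition all`) once done; the trace buffer is small and the condition stays active until cleared.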