Dynamic Disabling Of Tcp Proxy - Cisco ASR 5000 Series Administration Manual

▀ Enhanced Features and Functionality
Since TCP state and previous-state rules are now matched based on state on Gi side connection, ECS will not
be able to support all the existing use-cases with the existing configuration. New ruledefs based on the new
rules (tcp proxy-state and tcp proxy-prev-state) need to be configured to support existing use cases. Note that
even by configuring using new rules; all use-cases may not be supported. For example, detection of transition
from TIME-WAIT to CLOSED state is not possible now.
 TCP MSS: TCP IP Stack always inserts MSS Field in the header. This causes difference in MSS insertion
behavior with and without TCP Proxy.
 TCP CFG MSS limit-if-present: If incoming SYN has MSS option present, in outgoing SYN and SYN-
 TCP CFG MSS add-if-not-present: If incoming SYN does not have MSS option present, in outgoing
 TCP CFG MSS limit-if-present add-if-not-present: If incoming SYN has MSS option present, in
 Flow Discard: Flow discard occurring on ingress/egress path of TCP Proxy would be relying on TCP-based
retransmissions. Any discard by payload domain applications would result in data integrity issues as this might
be charged already and it may not be possible to exclude packet. So it is recommended that applications in
payload domain (like dynamic CF, CAE readdressing) should not be configured to drop packets. For example,
dynamic content filtering should not be configured with drop action. If drop is absolutely necessary, it is better
to use terminate action.
 DSCP/IP TOS Marking: Without TCP Proxy DSCP/IP TOS marking is supported per packet, that is IP TOS can
be changed for each and every packet of the flow separately based on the configuration. With TCP Proxy flow-
level DSCP/IP TOS marking is supported. So, once the IP TOS value is changed for any packet of the flow, it
will remain same for the complete flow.
 Redundancy Support (Session Recovery and ICSR): Without TCP Proxy after recovery, non-syn flows are not
reset. With TCP Proxy session recovery checkpointing is bypassing any proxied flows (currently on NAT
flows support recovery of flows). If any flow is proxied for a subscriber, after recovery (session recovery or
ICSR), if any non-syn packet is received for that subscriber, ECS sends a RESET to the sender. So, all the old
flows will be RESET after recovery.
 Charging Function: Application of charging function would occur on two separate TCP connections (non proxy
processed packets on Gn/Gi). Only external packets (the ones received from Radio and Internet) shall be
subject to Policy enforcement at the box. Offline charging records generated at charging function would pertain
to different connections hence.

Dynamic Disabling of TCP Proxy

TCP proxy can be dynamically disabled to reduce the performance overhead on CPU and memory resources. This
enables applications to use proxy only when required.
Dynamic disabling is achieved by merging the TCP connections. Before dynamic disabling occurs, the packets are
added to a TCP stack with a full proxy connection. Once proxy is disabled dynamically, the TCP stack and proxy are
removed from the data processing path and the packets are forwarded without buffering.
Disabling of TCP proxy dynamically occurs only after the following conditions are met:
 There is no data to be delivered by ECS to the peer.
 The flow control buffers do no contain any data.
 There is no data to be read by ECS.
▄ Cisco ASR 5x00 Enhanced Charging Services Administration Guide
58
ACK MSS value is limited to configured MSS value (CFG MSS)
SYN and SYN-ACK MSS configured MSS value is inserted (CFG MSS)
outgoing SYN and SYN-ACK MSS value is limited to configured MSS value (CFG MSS), OR if
incoming SYN does not have MSS option present, in outgoing SYN and SYN-ACK MSS configured
MSS value is inserted (CFG MSS).
Enhanced Charging Service Overview