[c-nsp] tcp intercept on IOS-XE?

Lukas Tribus lukas at ltri.eu
Sun Mar 14 07:04:40 EDT 2021


Hello,

On Sun, 14 Mar 2021 at 08:05, <hank at interall.co.il> wrote:
>
> We are trying to implement tcp intercept on some brand new ASR1009x
> running IOS-XE 16.12.5 yet nothing is seen (sometimes).
>
> So I found:
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo01450/?rfs=iqvred
> which states:
> It has been confirmed that the feature TCP intercept is not supported on
> any IOS-XE routers due to architectural difference as compared to legacy
> IOS routers.
>
> I opened a ticket with Cisco TAC and they confirmed that tcp intercept
> is not supported and will be removed from all IOS-XE documentation.
>
> Yet upon rare occasion we do see some data.

I assume by "we see some data" you mean that the TCP requests are
actually intercepted (on those rare occasions). This is probably when
the traffic is punted to the RP (iosd) for some reason. I don't see
how this changes anything. Just because it works when the occasional
packet is punted doesn't make Cisco's statement wrong at all; actually,
it just confirms what Cisco has been telling you all along.


> Anyone have any update on that issue?

Not an update, just a reality check:
if it doesn't work reliably, Cisco says it's not supported, and they
are gonna remove it from the documentation, then at some point you better
start believing it.

"If it looks like a duck, swims like a duck, and quacks like a duck,
then it probably is a duck."

If you made purchasing decisions based on the wrong CCO documentation,
that's not something a mailing-list or TAC will be able to help you
with. It's something that you need to clarify with your AM. Same thing
if you need this feature ... talk to your AM.


If your ASR1009 only needs to intercept a few mbit/s of TCP traffic
and doesn't do anything else, you can probably disable CEF and
transform it into a full software router. Maybe that makes it work,
for now, in a completely unsupported configuration and without help
from anyone, if you are interested in getting this working in a lab
environment.


I'm not saying configuration knobs for defective features and wrong
documentation are normal or acceptable. I'm just explaining reality.


cheers,
lukas