Mailing List Archive

tcp intercept on IOS-XE?
We are trying to implement tcp intercept on some brand new ASR1009x
running IOS-XE 16.12.5 yet nothing is seen (sometimes).

So I found:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo01450/?rfs=iqvred
which states:
It has been confirmed that the feature TCP intercept is not supported on
any IOS-XE routers due to architectural difference as compared to legacy
IOS routers.

I opened a ticket with Cisco TAC and they confirmed that tcp intercept
is not supported and will be removed from all IOS-XE documentation.

Yet upon rare occasion we do see some data.
Anyone have any update on that issue?

Thanks,
Hank
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: tcp intercept on IOS-XE?
Hello,

On Sun, 14 Mar 2021 at 08:05, <hank@interall.co.il> wrote:
>
> We are trying to implement tcp intercept on some brand new ASR1009x
> running IOS-XE 16.12.5 yet nothing is seen (sometimes).
>
> So I found:
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo01450/?rfs=iqvred
> which states:
> It has been confirmed that the feature TCP intercept is not supported on
> any IOS-XE routers due to architectural difference as compared to legacy
> IOS routers.
>
> I opened a ticket with Cisco TAC and they confirmed that tcp intercept
> is not supported and will be removed from all IOS-XE documentation.
>
> Yet upon rare occasion we do see some data.

I assume by "we see some data" you mean that the TCP requests are
actually intercepted (on those rare occasions). This is probably when
the traffic is punted to the RP (iosd) for some reason. I don't see
how this changes anything. Just because it works when the occasional
packet is punted doesn't make Cisco's statement wrong at all; actually
it just confirms what Cisco has been telling you all along.


> Anyone have any update on that issue?

Not an update, just a reality check:
if it doesn't work reliably, Cisco says it's not supported, and they
are gonna remove it from the documentation, then at some point you'd
better start believing it.

"If it looks like a duck, swims like a duck, and quacks like a duck,
then it probably is a duck."

If you made purchasing decisions based on the wrong CCO documentation,
that's not something a mailing-list or TAC will be able to help you
with. It's something that you need to clarify with your AM. Same thing
if you need this feature ... talk to your AM.


If your ASR1009 only needs to intercept a few Mbit/s of TCP traffic
and doesn't do anything else, you can probably disable CEF and
transform it into a full software router. Maybe that makes it work,
for now, in a completely unsupported configuration and without help
from anyone, if you are interested in getting this working in a lab
environment.


I'm not saying configuration knobs for defective features and wrong
documentation are normal or acceptable. I'm just explaining reality.


cheers,
lukas
Re: tcp intercept on IOS-XE?
On Mar 14, 2021, at 14:10, hank@interall.co.il wrote:

We are trying to implement tcp intercept on some brand new ASR1009x running IOS-XE 16.12.5 yet nothing is seen (sometimes).

TCP Intercept is a self-DoS waiting to happen. Strongly suggest not doing this.


--------------------------------------------

Roland Dobbins <roland.dobbins@netscout.com>
Re: tcp intercept on IOS-XE?
On 3/15/21 7:18 AM, Dobbins, Roland wrote:
>
>
> On Mar 14, 2021, at 14:10, hank@interall.co.il wrote:
>
> We are trying to implement tcp intercept on some brand new ASR1009x running IOS-XE 16.12.5 yet nothing is seen (sometimes).
>
> TCP Intercept is a self-DoS waiting to happen. Strongly suggest not doing this.


Care to elaborate?
Re: tcp intercept on IOS-XE?
> On 15 Mar 2021, at 14:08, Bryan Holloway <bryan@shout.net> wrote:
>
> Care to elaborate?

Under any kind of load, it tends to send the RP up through 100%, which causes routing adjacencies to be lost.

I tried to get this misfeature deprecated when I was at Cisco; sadly, marketing pressure kept it in the software, even though it’s iatrogenic in nature.

--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>
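Added example, not part of the thread: the classic-IOS TCP intercept configuration that the original post implies, followed by the show commands that separate "something was intercepted" from "the packet was punted to the RP" (Lukas's point above) and that expose the RP load Roland warns about. The ACL number, the protected prefix 192.0.2.0/24 and every threshold value are assumptions chosen for illustration; the syntax is legacy IOS, which according to CSCvo01450 and TAC is exactly what IOS-XE does not implement, so on an ASR1009-X the intercept counters are expected to stay near zero apart from the occasional punted packet.

```cisco
! Added example, not from the thread. Assumptions: protected servers in
! 192.0.2.0/24 (TEST-NET-1, illustrative); ACL 101 and all thresholds
! are made-up values, not taken from the original post.

! Only SYNs towards the protected servers are considered.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255

! Active mode: the router answers the client SYN itself, completes the
! three-way handshake, then opens the server side and splices the two.
! All of that is done in software on the RP, which is the "self-DoS"
! Roland describes once a SYN flood arrives.
ip tcp intercept list 101
ip tcp intercept mode intercept

! Passive alternative (comment out "mode intercept" above to use it):
! the SYN is forwarded and the router only resets connections that do
! not complete within the timeout. Less RP work, no proxying.
! ip tcp intercept mode watch
! ip tcp intercept watch-timeout 30

! Aggressive-mode thresholds: above "high" the router starts dropping
! half-open connections, below "low" it stops. Random drop picks a
! victim at random instead of the oldest half-open connection, which is
! harder for a flood to game. Tune to the real connection rate.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode random

! Reap established connections idle for an hour.
ip tcp intercept connection-timeout 3600

! --- Verification (exec mode) ---
! Did anything get intercepted at all? Non-zero incomplete/established
! counts here are the "sometimes we see data" from the original post.
! show tcp intercept statistics
! show tcp intercept connections
!
! Is the RP paying for it? Compare before and during a SYN load test;
! a process pegged near 100% is what precedes adjacency loss.
! show processes cpu sorted
!
! On ASR1000, was the traffic punted from the QFP rather than forwarded
! in hardware? Per-cause punt counters and QFP drop counters tell the
! two cases apart, which is the check Lukas's explanation calls for.
! show platform hardware qfp active infrastructure punt statistics type per-cause
! show platform hardware qfp active statistics drop
```

If `show tcp intercept statistics` stays at zero while the punt counters climb during a test, the feature is not running in the forwarding path, which matches what Cisco told the original poster; if it only counts during bursts of punted traffic, that is the "rare occasion" behaviour, not evidence the feature works.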