Hello,

On Sun, 14 Mar 2021 at 08:05, <[email protected]> wrote:
>
> We are trying to implement tcp intercept on some brand new ASR1009x
> running IOS-XE 16.12.5 yet nothing is seen (sometimes).
>
> So I found:
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo01450/?rfs=iqvred
> which states:
> It has been confirmed that the feature TCP intercept is not supported on
> any IOS-XE routers due to architectural difference as compared to legacy
> IOS routers.
>
> I opened a ticket with Cisco TAC and they confirmed that tcp intercept
> is not supported and will be removed from all IOS-XE documentation.
>
> Yet upon rare occasion we do see some data.

I assume by "we see some data" you mean that the TCP requests are
actually intercepted (on those rare occasions). This is probably when
the traffic is punted to the RP (iosd) for some reason.

I don't see how this changes anything. Just because it works when the
occasional packet is punted doesn't make Cisco's statement wrong at all;
actually, it just confirms what Cisco has been telling you all along.

> Anyone have any update on that issue?

Not an update, just a reality check: if it doesn't work reliably, Cisco
says it's not supported, and they are gonna remove it from the
documentation, then at some point you better start believing it.

"If it looks like a duck, swims like a duck, and quacks like a duck,
then it probably is a duck."

If you made purchasing decisions based on the wrong CCO documentation,
that's not something a mailing list or TAC will be able to help you
with. It's something that you need to clarify with your AM. Same thing
if you need this feature ... talk to your AM.

If your ASR1009 only needs to intercept a few mbit/s of TCP traffic and
doesn't do anything else, you can probably disable CEF and transform it
into a full software router. Maybe that makes it work, for now, in a
completely unsupported configuration and without help from anyone, if
you are interested in getting this working in a lab environment.

I'm not saying configuration knobs for defective features and wrong
documentation are normal or acceptable. I'm just explaining reality.

cheers,
lukas

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
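For readers who want to reproduce the "disable CEF and let iosd see every packet" experiment the reply describes, here is an added lab-only configuration sketch. It is not from the thread and not Cisco-endorsed: Cisco states (CSCvo01450, TAC) that TCP intercept is unsupported on IOS-XE, so this only illustrates why the feature is unreliable with CEF on and what the unsupported experiment looks like. The subnet, ACL number and the claim that "no ip cef" is accepted on the ASR1009 are assumptions.

```text
! Added example, not from the thread. Lab use only: TCP intercept is
! unsupported on IOS-XE per CSCvo01450 and TAC. The 192.0.2.0/24 server
! range, ACL 110 and the behaviour of "no ip cef" on ASR1000 are assumptions.
!
! 1. As-is (unreliable): intercept configured while CEF/hardware
!    forwarding is on. TCP SYNs are switched in the forwarding plane and
!    never reach the intercept code in iosd unless something punts them,
!    which is why the original poster sees hits only "upon rare occasion".
ip cef
access-list 110 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 110
ip tcp intercept mode intercept
!
! 2. The unsupported experiment from the reply: turn CEF off so every
!    packet is software-switched through iosd, where intercept lives.
!    Expect throughput to collapse; this is a proof of concept, not a design.
no ip cef
!
! 3. Check the result: CEF should report that it is not running, and
!    the intercept counters should now move for every matching SYN.
show ip cef
show tcp intercept statistics
show tcp intercept connections
```

If the intercept counters only move after step 2, that confirms the reply's explanation: the feature works in the software path and nowhere else, which is exactly the unsupported state Cisco warns about.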
