ACOS RELEASE NOTES

A10 Thunder Series and AX Series

ACOS 2.7.2-P7-SP3

22 December 2015

© 12/22/2015 A10 Networks, Inc. Confidential and Proprietary - All Rights Reserved

Information in this document is subject to change without notice.

Patent Protection

A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking.

Trademarks

The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, Affinity, aFleX, aFlow, aGalaxy, aGAPI, aVCS, aXAPI, IDsentrie, IP-to-ID, SSL Insight, SSLi, Thunder, Thunder TPS, UASG, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners.

Confidentiality

This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

A10 Networks Inc. Software License and End User Agreement

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document or available separately. Customer shall not:

1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means;

2. sublicense, rent or lease the Software.

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks' products and services are subject to A10 Networks' standard terms and conditions.

Environmental Considerations

Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information

For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.

page 1 | Document No.:272-P7-SP3-REL-001 - 12/22/2015

Table of Contents

Enhancements in ACOS 2.7.2 Patch Releases .... 7
  Enhancements in ACOS 2.7.2-P7 .... 8
    Show Run Command to Show all aFleX Scripts .... 8
    Bandwidth Limit per SLB Server and SLB Server Port .... 10
      Example Topology .... 10
      SLB Template Server Configuration Mode Commands .... 11
      SLB Template Port Configuration Mode Commands .... 12
      SNMP Trap Commands .... 14
    Global Server Load Balancing Sticky Persistence Sync .... 14
    TACACS+ Specific Health Monitor .... 15
    OID for Gateway Health-check Failure .... 17
      axGateway Objects .... 17
    Request Certificate Authorities .... 18
  Enhancements in ACOS 2.7.2-P6 .... 20
    TCP::payload replace Support on Layer 4 Virtual Ports .... 20
    axGlobalTotalThroughput Object Information .... 20
    Enhancements in the GUI for HA Sync Status .... 20
      HA Sync Screenshots for Releases Earlier than 2.7.2-P5 .... 21
      HA Sync Screenshots for Release 2.7.2-P6 .... 22
  Enhancements in ACOS 2.7.2-P5 .... 24
    aFleX .... 24
      Increased aFleX Session Table Entries .... 24
      Enhancement to the aFleX HTTP::redirect Command .... 25
    L2/L3 Routing .... 25
      Management Interface Adds as an Interface option to "enable-management" Command .... 26
      Resource Accounting for System Resources .... 26
      Enhanced show Output for resource-usage Command .... 28
      Increased Awareness of OSPF Extra Cost for VRID .... 32
      Shared Management Auto Partition Selection .... 33
      Rate Limit Neighbor Discovery Messages for IPv6 .... 34
    Layer 4-7 .... 34
      Disabling SSL Renegotiation .... 35
      Support for PFS (DHE/ECDHE) in Server SSL Templates .... 36
      Hardware Support for DHE Ciphers .... 36
      Database Health Monitor Supports the Integer Type .... 36
      Extended SSL/TLS Usage Statistics .... 36
      Extended Cache Hit Statistics .... 38


      Enhancement to the IP NAT Translation Command .... 40
      Enhancement to the SLB Template HTTP Command .... 40
      IP-in-IP Tunneling for Routed Traffic .... 41
      Strict Load-Balancing for Weighted Round-Robin and Least Connection .... 41
      CPU Load Balancing .... 42
    L47-Enterprise .... 44
      Same GSLB Domain Configurations Across Partitions .... 44
    HA, VCS .... 46
      Hello Message Unicast Destination Address .... 46
      VRRP-A Force-Self-Standby Configuration Generates Warning Message .... 46
      VRRP-A VRID Lead Switching Example .... 47
      Active Notifications for aVCS Config Sync Errors .... 48
      Clarification of VRRP-A Support in Shared and L3V Partitions .... 50
    SNMP, MIB .... 51
      Configure Custom SNMP Community Strings per L3V Partition .... 51
      New MIB Objects Added to axAppGlobalSystemResourceUsageTable and axAppGlobalStats .... 52
      Config Sync Status for CLI and aXAPI .... 52
      SNMP Trap for aVCS State .... 55
    Network Visibility .... 55
      Performance Improvement for AX Debug Save Operation .... 55
    Platform Software .... 55
      Immediate Hardware Fault Log Generation .... 55
    Additional Changes .... 57
      Maximum Number of Cookies in the Cookie Persistence Template .... 57
  Enhancements in ACOS 2.7.2-P4 .... 58
    aFleX .... 58
      Increased aFleX Log Message Length .... 58
      Enhancements to the RESOLVE::lookup Command .... 58
      Change in Behavior of LB_FAILED .... 58
      Binding aFleX to FIX vPort .... 59
    L2/L3 Routing .... 60
      Route-Map High Availability Extended for all Interior Gateway Protocols .... 60
    Layer 4-7 .... 60
      SMTP Health Check .... 61
      Increasing the Maximum Number of Health Checks .... 62
      L3V support for explicit proxy (allow DNS configuration per L3V partition) .... 62
      DNS Cache Enhancement .... 63
      Simple Control Enrollment Protocol .... 64
      Rate Limit Resets for Unknown Sessions .... 69
      Service Group Status can be Determined by Minimum Number of Healthy Ports .... 69
      Bypassing Client Authentication Traffic .... 72
      Log Generated When SSL Insight Fails .... 75
      SSL: Priority for ECDHE and DHE Cipher Support .... 76
    L47-Enterprise .... 76


      EDNS-Client-Subnet support for GSLB Geolocation metric .... 76
      Support STARTTLS for IMAP and POP .... 78
    System/Cloud Solutions .... 78
      vThunder Support for "no dedicated management port mode" .... 79
      Preventing dropped packets with 'no ip anomaly-drop' .... 80
  Enhancements in ACOS 2.7.2-P3 .... 81
    aFleX and RAM Caching .... 81
      aFleX Log Message Enhancement .... 81
      New aXAPI Methods Added for slb.class_list.string .... 83
    HA, VCS .... 84
      Track the BGP State by Using VRRP-A .... 84
    Layer 2/Layer 3 Routing .... 87
      Static ARP and v6 Neighbors Global Max Scaling .... 87
      Adding Object-group Limits for Resource-usage Templates .... 87
    L47 .... 88
      Enhanced Browser Support for AAM .... 88
      Support for 128K Server Name Indication .... 88
      DNS Caching to Honor Server Response TTL .... 91
      Fast-http Support for url-hash-persist .... 92
      Selecting a Back-End Server Even if Disabled .... 92
      Improved Output For "show slb server" Command To Reflect Disabled Servers .... 94
      SSL: ECDHE Support in TLS1.0/TLS1.1 .... 94
      Enhancement to ECDHE Cipher Support - PFS Support .... 95
      Enhancement to the HTTP Template Command .... 95
      Load Balancing with the "DNSSEC OK" (DO) Bit .... 95
      Websocket Protocol Support .... 97
  Enhancements in ACOS 2.7.2-P2 .... 98
    Layer 4 Enhancements .... 98
      DNS Logging Enhancement for GSLB: Log to Remote Servers Only .... 98
      GSLB Server Mode Responding to DNS Request Packets With Extra Data .... 101
      Selecting a Back-End Server Even if Disabled .... 102
      Improved Output For "show slb server" Command To Reflect Disabled Servers .... 103
      ECDHE Cipher Support - PFS support .... 104
      FTP Support for SLB Protocol Translation .... 106
      IMEI-Based Client-SSL Session Management .... 108
      Support for Increased Number of SNI Entries .... 112
    Layer 2/Layer 3/Routing Enhancements .... 112
      Adding a Description Field to Object Groups .... 113
      Increased Number of Object Groups and Clauses .... 114
    Web Application Firewall Enhancements .... 114
      Session Tracking .... 114
      Normalization Enhancements for URL Options .... 117
      Increased Maximum Parameters in WAF Template .... 118


      Web Application Firewall Enhancements .... 118
    System Level Enhancements .... 119
      SSL/TLS MITM Vulnerability (CVE-2014-0224) .... 119
      New SNMP Trap OID for Disabled Real Servers .... 119
      SNMP Community Encryption .... 119
    NMS/CLI/GUI Enhancements .... 119
      Configurable SSH Login Grace Period .... 119
      vrrp_a.partition_stats Module .... 121
      Increase CLI Login Banner Character Limit (2048) .... 124
  Enhancements in ACOS 2.7.2-P1 .... 126
    Layer 4-7 Enhancements .... 126
      Support for Dynamically Selected FTP Data Ports .... 126
      Inserting HTTP Client Port Numbers in the HTTP Header .... 127
      Increasing the Number of HTTP Headers .... 128
      Support for HTTP Lines Up to 32 K Long .... 128
      HTTP Explicit Proxy .... 128
      Stateful Request-ID-based DNS Load Balancing .... 139
      Support for the DER Format for CRLs .... 144
      Redistributing HTTP Traffic on Mobile Devices by using an ACOS Device .... 144
    Private Partition Session Limits .... 152
      Configuration Notes .... 153
      Configuring Partition Session Limits .... 153
    aFleX Enhancements .... 153
      HTTP::disable Command .... 154
      RESOLVE::lookup Command .... 155
      aFleX Commands for Message Load Balancing .... 157
    Logging for DDoS Attack Detection .... 159
      Configuring DDoS Detection Logging .... 160
    Additional Changes .... 160
      Deprecated Syntax .... 160
      HSM KEK Generation Command for HSM .... 160
    Errata (Jumbo Frame Support) .... 161

Issues in Release 2.7.2-P7 .... 163
  Known Issues .... 163
  Documentation Errata .... 165

Fixes in Release 2.7.2 and its Patches .... 167
  Issues Fixed in Release 2.7.2-P7-SP3 .... 168
  Issues Fixed in Release 2.7.2-P7 .... 168
  Issues Fixed in Release 2.7.2-P6 .... 176
  Issues Fixed in Release 2.7.2-P5 .... 200
  Issues Fixed in Release 2.7.2-P4 .... 240


Issues Fixed in Release 2.7.2-P3 ............................................. 263
Issues Fixed in Release 2.7.2-P2 ............................................. 297
Issues Fixed in Release 2.7.2-P1 ............................................. 303
Issues Fixed in Release 2.7.2 ................................................ 317

Upgrade Instructions ......................................................... 327
Image File Names ............................................................. 328
Cautions ..................................................................... 329
Boot Order—How ACOS Gets the Image To Boot ................................... 331
Upgrading Devices in GSLB Groups ............................................. 335
Upgrading the Software Image (non-aVCS deployment) ........................... 336
Upgrading the Software Image (aVCS Virtual Chassis) .......................... 343
    Using the GUI ............................................................ 343
        Backing Up the System ................................................ 343
        Full Chassis Upgrade (with or without VRRP-A) ........................ 345
        Staggered Upgrade (with VRRP-A) ...................................... 345
        Staggered Upgrade (no VRRP-A) ........................................ 348
    Using the CLI ............................................................ 349
        Backing Up the System ................................................ 349
        Full Chassis Upgrade (with or without VRRP-A) ........................ 350
        Staggered Upgrade (with VRRP-A) ...................................... 350
        Staggered Upgrade (no VRRP-A) ........................................ 353
Management GUI Requirements .................................................. 354
    Disabling HTTP-to-HTTPS Redirection ...................................... 355
Trunk and Layer 2/3 Virtualization Support ................................... 355


Enhancements in ACOS 2.7.2 Patch Releases

This chapter contains descriptions for the enhancements in ACOS 2.7.2 patch releases:

• Enhancements in ACOS 2.7.2-P7

• Enhancements in ACOS 2.7.2-P6

• Enhancements in ACOS 2.7.2-P5

• Enhancements in ACOS 2.7.2-P4

• Enhancements in ACOS 2.7.2-P3

• Enhancements in ACOS 2.7.2-P2

• Enhancements in ACOS 2.7.2-P1


Enhancements in ACOS 2.7.2-P7

This section describes the enhancements in ACOS 2.7.2-P7.

• Show Run Command to Show all aFleX Scripts

• Bandwidth Limit per SLB Server and SLB Server Port

• Global Server Load Balancing Sticky Persistence Sync

• TACACS+ Specific Health Monitor

• OID for Gateway Health-check Failure

• Request Certificate Authorities

Show Run Command to Show all aFleX Scripts

The show running-config command is extended to show all aFleX scripts in the partition configuration output. This is done with the new aflex-scripts option shown below.

show running-config

Description Display the running-config.

This command is used to view the running-config in the partition where the command is issued. To view the running-config for a different partition, use the show partition-config command.

Syntax show running-config [all-partitions | partition partition-name] [aflex-scripts]

Usage The aflex-scripts keyword is an optional parameter for use with all-partitions or partition partition-name. Using the command without the aflex-scripts parameter displays the same running-config as before.

Example This command displays the running config with all aflex scripts on all partitions:

ACOS(config)#show running-config all-partitions aflex-scripts
!Current configuration: 1044 bytes
!Configuration last updated at 17:36:35 IST Wed Oct 14 2015
!Configuration last saved at 17:35:40 IST Wed Oct 14 2015
!version 2.7.2-P7, build 25 (Oct-14-2015,08:26)
!
...
Name: logging_clients
Syntax: Check
Virtual port: No
# This aFleX logs Client/Server IP/Port information for security when using Source NAT
when CLIENT_ACCEPTED {
    set timestamp [TIME::clock seconds]
    set cip [IP::client_addr]
    set cport [TCP::client_port]
    set vip [IP::local_addr]
    set vport [TCP::local_port]
}
when SERVER_CONNECTED {
    set sip [IP::server_addr]
    set sport [TCP::server_port]
    set snat_ip [IP::local_addr]
    set snat_port [TCP::local_port]
    log "\[$timestamp\] $cip:$cport -> $vip:$vport to $snat_ip:$snat_port -> $sip:$sport"
}
--MORE--

Parameter Description

all-partitions Shows all resources in all partitions. In this case, the resources in the shared partition are listed first. Then the resources in each private partition are listed, organized by partition.

partition partition-name Shows only the resources in the specified partition.

aflex-scripts Shows the aFleX scripts in the configuration.

Example This command displays the running config with all aflex scripts for a partition named p1:

ACOS(config)#show running-config partition p1 aflex-scripts
!Current configuration: 1044 bytes
!Configuration last updated at 17:36:35 IST Wed Oct 14 2015
!Configuration last saved at 17:35:40 IST Wed Oct 14 2015
!version 2.7.2-P7, build 25 (Oct-14-2015,08:26)
!
Name: logging_clients
Syntax: Check
Virtual port: No
# This aFleX logs Client/Server IP/Port information for security when using Source NAT
when CLIENT_ACCEPTED {
    set timestamp [TIME::clock seconds]
    set cip [IP::client_addr]
    set cport [TCP::client_port]
    set vip [IP::local_addr]
    set vport [TCP::local_port]
}
when SERVER_CONNECTED {
    set sip [IP::server_addr]
    set sport [TCP::server_port]
    set snat_ip [IP::local_addr]
    set snat_port [TCP::local_port]
    log "\[$timestamp\] $cip:$cport -> $vip:$vport to $snat_ip:$snat_port -> $sip:$sport"
}
--MORE--

Bandwidth Limit per SLB Server and SLB Server Port

It is now possible to create templates for monitoring and limiting the overall traffic load handled by a real server or port. Once the threshold is reached, ACOS avoids selecting that server or port for new sessions until the traffic load has subsided. It is also possible to enable accounting of traffic to and from the server, and logging when the traffic limits are exceeded.

Example Topology

This feature can be deployed in either a Server Load Balancing (SLB) or a Transparent Cache Switching (TCS) topology. In the TCS deployment considered below, both SLB and TCS traffic flows are present:

FIGURE 1 SLB and TCS Traffic Flow

To calculate the bandwidth for a real server or real port when both SLB and TCS traffic flow through ACOS, the traffic rate is computed by counting the total bytes processed, that is, the actual packets sent to and received from the real server (cache server), within a one-second interval.

1. Client request packets are sent to the cache server (SLB session in orange).

2. Request packets are received from the cache server destined to the Internet (TCS session in blue).

3. Internet server response packets are sent to the cache server (TCS session in blue).

4. Response packets received from the cache server to be sent to the client (SLB session in orange).

Upon receiving a client request packet, ACOS will create an SLB session and then forward that packet to the cache server. The bytes in this request packet sent by ACOS to the cache server will count towards the traffic rate seen by the cache server.

Similarly, when the cache server sends a request to the Internet server, ACOS creates a transparent session and subsequently counts such packets for the bandwidth computation.

Next, when the Internet server response is received, it is transmitted to the cache server and this packet length counts towards the cache server bandwidth computation.

Lastly, when the cache server sends a response, the packet length is counted towards the cache server bandwidth computation.


When the load exceeds the configured limit and duration interval, that cache server will no longer be included as part of the server selection process for newer flows. However, existing sessions continue to be processed and forwarded to the cache server.

NOTE: If a persist template is configured with dont-honor-conn-rules, the real server/port will continue to be selected for new sessions, regardless of the threshold limit.

SLB Template Server Configuration Mode Commands

The new SLB server template subcommands for bandwidth rate limits are shown below.

bw-rate-limit

Description Configure the bandwidth rate limit for servers that use this template.

Syntax [no] bw-rate-limit lim-num resume res-num duration dur-num no-logging

Mode SLB server template

Usage If the measured traffic rate is greater than the configured bw-rate-limit consistently for the specified duration, the server is considered to be in 'exceed' state. Once it is in 'exceed' state, the measured traffic rate needs to fall below the resume threshold consistently for the specified duration for the server to be considered in 'resume' state. Each exceed and resume state transition is then logged (once per state change per real port or real server within a 60 second interval). Logging is enabled by default.

Limitation If this feature is enabled along with a feature such as the system resource template, which tracks bandwidth usage on a given partition/resource and then takes action to drop packets that exceed the resource template threshold, it could cause inconsistent computation of the underlying bandwidth rate for traffic received from the real server.

Example The following example shows how to configure a bandwidth rate limit of 1000 Kbps to exclude a real server from receiving new traffic flows when the threshold is exceeded for a duration of 5 seconds. The server will resume accepting new traffic flows after the bandwidth drops below 800 Kbps for a duration of 5 seconds. The rate limit messages will not be logged.

Parameter Description

lim-num Bandwidth rate limit number in Kbps <1-16777216>.

resume Resume server selection after bandwidth drops below this threshold.

res-num Bandwidth threshold resume number in Kbps <1-16777216>.

duration Time period that the rate limit needs to honor for both exceeding the bw-rate-limit number and dropping below the resume number.

dur-num Duration number in seconds <1-250>.

no-logging Do not log bandwidth rate limit related state transitions.


ACOS(config)#slb template server s1

ACOS(config-rserver)#bw-rate-limit 1000 resume 800 duration 5 no-logging

bw-rate-limit-acct

Description Configure the bandwidth rate limit accounting for servers that use this template.

Syntax [no] bw-rate-limit-acct {to-server-only | from-server-only | all} 

Mode SLB server template

Usage For use with bw-rate-limit. This option is only available under the SLB server template. Upon binding such a server template with this option under a real server, all real ports under that real server are automatically subject to the same accounting method.

Example The following example shows how to configure the bandwidth rate limit accounting only for traffic received from the real server.

ACOS(config)#slb template server s1

ACOS(config-rserver)#bw-rate-limit-acct from-server-only
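The per-second byte counting described under Example Topology, the exceed/resume state machine of bw-rate-limit, and the bw-rate-limit-acct accounting modes, modeled together in one Python simulation. This is an added example and not A10 code: the Packet and RateLimiter names are hypothetical, 1 Kbps is assumed to mean 1000 bit/s, and the logging rule is read as at most one log line per real server in any 60-second window.

```python
from collections import defaultdict
from dataclasses import dataclass

KBPS_IN_BITS = 1000          # assumption: 1 Kbps = 1000 bit/s (unit not stated by ACOS)
LOG_INTERVAL_SECONDS = 60    # release notes: one log per state change per 60 s interval


@dataclass
class Packet:
    """One packet as seen by ACOS, relative to the real (cache) server. Hypothetical type."""
    t: float          # seconds since the start of the capture
    direction: str    # "to-server" or "from-server"
    length: int       # bytes on the wire


class RateLimiter:
    """Per-server exceed/resume state machine with duration-based hysteresis."""

    def __init__(self, limit_kbps, resume_kbps, duration, acct="all", logging=True):
        self.limit_kbps = limit_kbps
        self.resume_kbps = resume_kbps
        self.duration = duration          # consecutive seconds needed to change state
        self.acct = acct                  # "all" | "to-server-only" | "from-server-only"
        self.logging = logging            # False models the no-logging keyword
        self.state = "normal"             # "normal" or "exceed"
        self.events = []                  # (second, new_state) for every transition
        self.logs = []                    # log lines actually emitted
        self._streak = 0
        self._last_log_at = None

    def counted(self, pkt):
        """Apply the bw-rate-limit-acct accounting method to one packet."""
        if self.acct == "all":
            return True
        return pkt.direction == self.acct.replace("-only", "")

    def rates_kbps(self, packets):
        """Sum counted bytes per one-second interval and convert to Kbps."""
        byte_buckets = defaultdict(int)
        for pkt in packets:
            if self.counted(pkt):
                byte_buckets[int(pkt.t)] += pkt.length
        last = max(byte_buckets) if byte_buckets else -1
        return [byte_buckets[sec] * 8 / KBPS_IN_BITS for sec in range(last + 1)]

    def run(self, packets):
        """Feed a whole capture through the state machine; return the transitions."""
        for sec, rate in enumerate(self.rates_kbps(packets)):
            self.step(sec, rate)
        return self.events

    def step(self, sec, rate_kbps):
        if self.state == "normal":
            # Rate must stay above the limit for `duration` consecutive seconds.
            self._streak = self._streak + 1 if rate_kbps > self.limit_kbps else 0
            if self._streak >= self.duration:
                self._transition(sec, "exceed")
        else:
            # Rate must stay below the resume threshold for `duration` seconds.
            self._streak = self._streak + 1 if rate_kbps < self.resume_kbps else 0
            if self._streak >= self.duration:
                self._transition(sec, "normal")

    def _transition(self, sec, new_state):
        self.state = new_state            # 'exceed' removes the server from selection
        self._streak = 0
        self.events.append((sec, new_state))
        if not self.logging:
            return
        # Assumption: at most one log line per server within any 60-second window.
        if self._last_log_at is None or sec - self._last_log_at >= LOG_INTERVAL_SECONDS:
            self.logs.append(f"t={sec}s bw-rate-limit {new_state}")
            self._last_log_at = sec


def constructed_traffic():
    """Constructed sample: 10 s at 150 Kbps split evenly both ways, then 10 s at 50 Kbps."""
    packets = []
    for sec in range(20):
        bytes_per_sec = 18750 if sec < 10 else 6250   # 150 Kbps, then 50 Kbps
        # One client->cache packet (topology step 1) and one cache->client packet (step 4).
        packets.append(Packet(sec + 0.2, "to-server", bytes_per_sec // 2))
        packets.append(Packet(sec + 0.7, "from-server", bytes_per_sec // 2))
    return packets


def demo(acct="all"):
    """Mirror the port-template example: limit 100, resume 80, duration 4."""
    limiter = RateLimiter(limit_kbps=100, resume_kbps=80, duration=4, acct=acct)
    limiter.run(constructed_traffic())
    return limiter


if __name__ == "__main__":
    lim = demo()
    print("transitions:", lim.events)     # [(3, 'exceed'), (13, 'normal')]
    print("log lines:", lim.logs)         # only the first; the second falls within 60 s
    print("from-server-only:", demo("from-server-only").events)   # [] (75 Kbps < limit)
```

With all traffic counted the server enters 'exceed' after four consecutive seconds above 100 Kbps and returns after four seconds below 80 Kbps; with from-server-only accounting the same capture never exceeds the limit.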

SLB Template Port Configuration Mode Commands

The new SLB port template subcommands for bandwidth rate limits are shown below.

Parameter Description

to-server-only Only account for traffic sent to the real server.

from-server-only Only account for traffic received from the real server.

all Account for all traffic sent to/received from the real server (default).


bw-rate-limit

Description Configure the bandwidth rate limit for ports that use this template.

Syntax [no] bw-rate-limit lim-num resume res-num duration dur-num no-logging

Mode SLB port template

Usage If the measured traffic rate is greater than the configured bw-rate-limit consistently for the specified duration, the port is considered to be in 'exceed' state. Once it is in 'exceed' state, the measured traffic rate needs to fall below the resume threshold consistently for the specified duration for the port to be considered in 'resume' state. Each exceed and resume state transition is then logged (once per state change per real port or real server within a 60 second interval). Logging is enabled by default.

Limitation If this feature is enabled along with a feature such as the system resource template, which tracks bandwidth usage on a given partition/resource and then takes action to drop packets that exceed the resource template threshold, it could cause inconsistent computation of the underlying bandwidth rate for traffic received from the real server.

Example The following example shows how to configure a bandwidth rate limit of 100 Kbps to exclude a real server port from receiving new traffic flows when the threshold is exceeded for a duration of 4 seconds. The port will resume accepting new traffic flows after the bandwidth drops below 80 Kbps for a duration of 4 seconds. Bandwidth rate limit messages will be logged.

ACOS(config)#slb template port p1

ACOS(config-rport)#bw-rate-limit 100 resume 80 duration 4

Configuration Sample

Once the templates are configured, they can be bound to a real server or real port. The following sample shows a configuration for binding the server and port templates that were previously configured:

slb server serv2 192.168.1.2
   template server s1
   port 80 tcp
      template port p1

Parameter Description

lim-num Bandwidth rate limit number in Kbps <1-16777216>.

resume Resume server selection after bandwidth drops below this threshold.

res-num Bandwidth threshold resume number in Kbps <1-16777216>.

duration Time period that the rate limit needs to honor for both exceeding the bw-rate-limit number or dropping below the resume number.

dur-num Duration number in seconds <1-250>.

no-logging Do not log bandwidth rate limit related state transitions.


NOTE: This feature is supported when configured via a server template or port template and bound under a real server or real port. It is not supported when bound under a service-group or service-group member.

SNMP Trap Commands

The new SNMP traps for SLB bandwidth rate limits are shown below.

snmp-server enable

Description Enable the ACOS device to accept SNMP MIB data queries and to send SNMP v1/v2c traps.

Syntax [no] snmp-server enable traps slb trap-name

Default The SNMP service is disabled by default and all traps are disabled by default.

Mode Configuration mode

Usage For security, SNMP and SNMP traps are disabled on all data interfaces. Use the enable-management command to enable SNMP on data interfaces.

Example The following command enables trap notification when the bandwidth rate limit is exceeded:

ACOS(config)#snmp-server enable traps slb bw-rate-limit-exceed

Parameter Description

traps Specify the traps you want to enable.

slb Enable the SLB group traps:

• bw-rate-limit-exceed – Indicates that the bw-rate-limit is exceeded by a real server, a real port, or both.

• bw-rate-limit-resume – Indicates that the bw-rate-limit has fallen below the resume threshold after transitioning from the ‘exceed’ threshold state for a real server, a real port, or both.

Global Server Load Balancing Sticky Persistence Sync

The behavior for synchronizing Global Server Load Balancing (GSLB) sticky persistence is revised as shown below. When GSLB sticky sessions are created or updated, they are now synchronized to the other group members in different geographic locations.

• When a connection update/creation happens on the master, it broadcasts the change to the other members of the group.

• When a connection update/creation happens on a group member, it notifies the master, which broadcasts the change to the other members in the group (excluding the source member).

The master in a GSLB controller group synchronizes the following GSLB configuration items by updating the configurations on the other controllers:

• Service IPs

• Sites, including SLB-device parameters

• Zones, including services

• GSLB policies (only those that are used by services)

• SLB information for DNS proxy

• GSLB protocol settings

• Health monitors (if configured using the GSLB option)

• Sticky persistence

TACACS+ Specific Health Monitor

The health monitor command now includes a method parameter called tacplus, as shown below. The parameter is used to check server availability by passing the TACACS+ parameters, with secret and password encrypted. If authentication is correct, a success message is returned that keeps the server status marked as up.

method

Description Configure a health method.

Syntax [no] method method-options

Valid parameters for method-options are shown in the following table:

Parameter Description

tacplus port port-num secret string type inbound-ascii-login username string password string

Configures a method to check server availability by passing the TACACS+ parameters, with secret and password encrypted. If authentication is correct, a success message is returned that keeps the server status marked as up.

• port port-num – Specify the TACACS+ port (1-65534, default 49).

• secret string – Specify the shared secret for the TACACS+ server (1-31 characters).

• type inbound-ascii-login – The TACACS+ type. The currently supported type is inbound-ascii-login, which is also the default.

• username string – Specify the username to authenticate (1-31 characters).

• password string – Specify the password to authenticate (0-31 characters). A password of '' means no password.

Default The configuration has a default “ping” health monitor that uses the icmp method. The ACOS device applies the ping monitor by default. The ACOS device also applies the TCP or UDP health monitor by default, depending on the port type. These default monitors are used even if you also apply configured monitors to a service port.

To use differently configured ping or TCP/UDP monitors, configure new monitors with the ICMP, TCP, or UDP method and apply those monitors instead.

When specifying a protocol port number, specify the port number on the real server, not the port number of the virtual port. By default, the well-known port number for the service type of the health monitor is used. For example, for LDAP, the default port is 389 (or 636 if the overssl option is used).

If you specify the protocol port number in the health monitor, the protocol port number configured in the health monitor is used if you send an on-demand health check to a server without specifying the protocol port. After you bind the health monitor to a real server port, health checks using the monitor are addressed to the real server port number instead of the port number specified in the health monitor’s configuration. In this case, you can override the IP address or port using the override commands described later in this chapter.

Mode Health monitor configuration

Usage To use a health method, you must do the following:

1. Configure a health monitor, by assigning a name to it and by assigning one of the health methods listed above to it. Use the health monitor command at the global Config level to create and name the monitor. Use the method command at the monitor configuration level to assign a health method to the monitor.

2. Apply the health monitor to a real server or real server port, using the health-check command at the configuration level for the server or the server port. Apply monitors that use the ICMP method to real servers. Apply monitors that use any of the other types of methods to individual server ports.

Example The following commands configure the method for a TACACS+ health monitor.

ACOS(config)#health monitor example_name

ACOS(config-health:monitor)#method tacplus secret example_secret port 44 type inbound-ascii-login username example_username password example_password

Example The following commands show the running config for the health monitor TACACS+ method.

ACOS(config)#sho run health-monitor

health monitor example_name

method tacplus port 44 secret secret-encrypted oRePnFnDFQhb12zJNmvSCDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn username example_username password encrypted R0HPaJW5CFY8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn

!


OID for Gateway Health-check Failure

For use along with the existing slb gateway-health-check command, an OID is added for sending an alert log and SNMP trap to identify a gateway that has failed a health-check. If two gateways are listed in the routing table for a particular network, an ARP request is sent to the first gateway. If there is no response from that gateway after the maximum number of retries (default is 3), ACOS stops forwarding packets to it and tries the next gateway configured.

For example, if there is more than one route specified in the routing table for the destination network of 192.0.2.0 /24:

ip route 192.0.2.0 /24 203.0.113.200
ip route 192.0.2.0 /24 203.0.113.202

Then the debug mon command example below shows the ARP request and reply of the second gateway 203.0.113.202, after it has stopped trying the first gateway.

ACOS#debug mon

Wait for debug output, enter <ctrl c> to exit

@1439221 o( 2, 0, fe8)> arp who-has 203.0.113.202 tell 203.0.113.1

@1439221 i( 2, 1, 12077)> arp reply 203.0.113.202 is-at 00:0c:29:51:b4:d3 tell 203.0.113.1

NOTE: ACOS sends the ARP request health-check to only one of the gateways, the one that is active and used for forwarding packets.

When ACOS determines that the first gateway has failed the health-check, it sends an alert log along with SNMP trap to SNMP manager. The axGateway objects are shown below.

axGateway Objects

This section provides descriptions of the new axGateway objects for reporting the gateways as down and up.

axGatewayDown

Description Gateway has failed the health-check.

OID .1.3.6.1.4.1.22610.2.4.3.12.2.2.36

Data Type Integer 32

axGatewayUp

Description Gateway has replied to the health-check.

OID .1.3.6.1.4.1.22610.2.4.3.12.2.2.35

Data Type Integer 32


Request Certificate Authorities

The slb template client-ssl command now includes a client-certificate parameter called Request-CA, as shown below. If this parameter is enabled, the server includes its certificate authority information in a ServerHello message. The client can then choose a client certificate issued by one of the server’s CAs.

slb template client-ssl

Description Names an SSL client template and enters the configuration mode where you can enable SSL client services, such as validation of SSL clients.

Syntax [no] slb template client-ssl template-name

Replace template-name with the name of the template, up to 31 characters long.

This command enters the SLB Client-SSL Template Configuration mode where the following commands are available.

Usage The Request-CA parameter is for use with client-certificate Request or client-certificate Require. A list of up to 10 CAs can be configured and sent. Taking into consideration that some clients or browsers may not be able to handle a larger SSL handshake message size, the limit has been set to 10.

It is possible to send more than 10 CAs by configuring chain certificates that send multiple certs in a bundled request. You can use this method if you know that a larger SSL handshake is supported.

Command Description

[no] client-certificate {Ignore | Request | Require} [Request-CA]

Specifies the action that the ACOS device takes in response to a client’s connection request:

• Ignore – The ACOS device does not request the client to send its certificate.

• Request – The ACOS device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs:

  • The client sends a NULL certificate (one with zero length).

  • The certificate is invalid, causing client verification to fail.

  Use this option if you want the request to trigger an aFleX policy for further processing.

• Require – The ACOS device requires the client certificate. This action requests the client to send its certificate. However, the SSL handshake does not proceed (it fails) if the client sends a NULL certificate or the certificate is invalid.

• Request-CA – The ACOS device sends the certificate authority list in the certificate request.

The default action is Ignore.

Example The following commands configure the ACOS device to request the client certificate and to send the list of ca1 and ca2 in the certificate request:

ACOS(config)#slb template client-ssl client-ssl-example-name

ACOS(config-client ssl)#client-certificate Request

ACOS(config-client ssl)#client-certificate Request-CA ca1.crt

ACOS(config-client ssl)#client-certificate Request-CA ca2.crt

Example The following commands configure the ACOS device to request the client certificate and to send the list of more than 10 CAs in the certificate request. This is achieved by configuring a chain cert (named LargeExample.chain below) that contains multiple CA certificates:

ACOS(config)#slb template client-ssl client-ssl-example-name

ACOS(config-client ssl)#client-certificate Request

ACOS(config-client ssl)#client-certificate Request-CA ca1.crt

ACOS(config-client ssl)#client-certificate Request-CA ca2.crt

ACOS(config-client ssl)#client-certificate Request-CA ca3.crt

ACOS(config-client ssl)#client-certificate Request-CA ca4.crt

ACOS(config-client ssl)#client-certificate Request-CA ca5.crt

ACOS(config-client ssl)#client-certificate Request-CA ca6.crt

ACOS(config-client ssl)#client-certificate Request-CA ca7.crt

ACOS(config-client ssl)#client-certificate Request-CA ca8.crt

ACOS(config-client ssl)#client-certificate Request-CA ca9.crt

ACOS(config-client ssl)#client-certificate Request-CA LargeExample.chain


Enhancements in ACOS 2.7.2-P6

This section describes the enhancements in ACOS 2.7.2-P6.

• TCP::payload replace Support on Layer 4 Virtual Ports

• axGlobalTotalThroughput Object Information

• Enhancements in the GUI for HA Sync Status

TCP::payload replace Support on Layer 4 Virtual Ports

The TCP::payload replace command is enhanced to support TCP and FTP virtual ports.

In previous releases, only TCP-proxy virtual ports were supported.

axGlobalTotalThroughput Object Information

The axGlobalTotalThroughput object (.1.3.6.1.4.1.22610.2.4.3.1.2.13.0) is the object for FR3209. This feature was implemented by A10 Issue #155623 in release 2.7.2-P1.

Enhancements in the GUI for HA Sync Status

In 2.7.2-P5, the enhancements described in “Config Sync Status for CLI and aXAPI” on page 52 were made to the HA sync feature. With this change, ACOS now uses the “Configuration last updated” time to determine sync status. In releases prior to 2.7.2-P5, the “Configuration last synchronized” time was used. The old method had the potential to report false positives and show the status as “Sync” even if configuration changes were made after the last sync. The new enhancement prevents this issue.

Also, in releases earlier than 2.7.2-P5, the GUI status showed ‘Sync’ on both the source and target devices after the ha sync command was issued (see “HA Sync Screenshots for Releases Earlier than 2.7.2-P5” on page 21). Beginning with 2.7.2-P5, only the device that initiates the config-sync shows its status as ‘Sync’. The target device continues to show ‘Not-Sync’ even after a successful sync operation. This is because, in a non-VCS setup, the configuration can be different on the two devices. Config-sync only confirms that the source device’s config has been synced to the target, not vice versa. Hence, the status is always reported from the local device’s perspective.

Starting in 2.7.2-P6, the sync status is removed from the top of the GUI and moved under Monitor –> System –> HA|VRRP-a –> Status (see “HA Sync Screenshots for Release 2.7.2-P6” on page 22).

This change is to support the additional information available with the new enhancement and to make it consistent with the output of new show config-sync output in the CLI.


HA Sync Screenshots for Releases Earlier than 2.7.2-P5

This section shows the screenshots for HA Sync for releases earlier than 2.7.2-P5.

Screenshots Prior to HA Sync

FIGURE 2 Older GUI Prior to HA Sync—Active (Source) Device

FIGURE 3 Older GUI Prior to HA Sync—Standby (Target) Device

Screenshots After HA Sync

FIGURE 4 Older GUI After HA Sync—Active (Source) Device


FIGURE 5 Older GUI After HA Sync—Standby (Target) Device

HA Sync Screenshots for Release 2.7.2-P6

This section shows the screenshots for HA Sync for release 2.7.2-P6.

Notice that the Sync status is removed from the top of the GUI and moved under Monitor –> System –> HA|VRRP-a –> Status. Also, after running ha sync, only the source device shows its status as “Sync”.

Screenshots Prior to HA Sync

FIGURE 6 2.7.2-P6 GUI Prior to HA Sync—Active (Source) Device


FIGURE 7 2.7.2-P6 GUI Prior to HA Sync—Standby (Target) Device

Screenshots After HA Sync

FIGURE 8 2.7.2-P6 GUI After HA Sync—Active (Source) Device

FIGURE 9 2.7.2-P6 GUI After HA Sync—Standby (Target) Device


Enhancements in ACOS 2.7.2-P5

This section describes the enhancements in ACOS 2.7.2-P5.

• aFleX

• L2/L3 Routing

• Layer 4-7

• L47-Enterprise

• HA, VCS

• SNMP, MIB

• Network Visibility

• Platform Software

• Additional Changes

aFleX

This section describes the aFleX enhancements:

• Increased aFleX Session Table Entries

• Enhancement to the aFleX HTTP::redirect Command

Increased aFleX Session Table Entries

ACOS release 2.7.2-P5 introduces an increase in the maximum number of aFleX session table entries that can be created. The maximum number will vary based on the platform’s memory and CPU:

Number of Table Entries   Memory Required
7.5 M                     6 GB memory
10 M                      8 GB memory
10 M                      12 GB memory
12 M                      16 GB memory
20 M                      24 GB memory

A new CLI resource-type has been added to the system resource-usage command. The new aflex-table-entry-count defines the total number of aFleX entries per table. It must be configured through the CLI, and it requires a reboot to take effect.

The number that you configure also represents the maximum number of entries that the system can support. The maximum number of empty entries is allocated when a table is created. You can create up to 32 tables. The maximum number equals the total sum of populated entries in each table. If there is only one table, chances are that you will populate the maximum number of entries in that one table. But if you create two tables and start to populate the entries, then the system will limit the total entries not to exceed the maximum.

Example Configuration

The following examples show how to verify the available range and how to configure the desired number:

ACOS(config)#system resource-usage aflex-table-entry-count ?

<102400-7864320> Total aFleX entry per table in the System

ACOS(config)#system resource-usage aflex-table-entry-count 200000

Changes will come into effect next time you reload the Software.

When using the show system resource-usage command, the resource is classified as aflex-table-entry-count:

ACOS#show system resource-usage

Resource                 Current  Default  Minimum  Maximum
--------------------------------------------------------------------------
aflex-table-entry-count  200000   102400   102400   20971520

See the Command Line Reference for further information about System Resource Usage.

Enhancement to the aFleX HTTP::redirect Command

ACOS release 2.7.2-P5 removes the 256-character limitation from the URI inspection of the aFleX HTTP::redirect command. No configuration changes are required.

See the aFleX Reference for further information about HTTP::redirect.

L2/L3 Routing

This section describes the L2/L3 routing enhancements:

• Management Interface Added as an Interface Option to the "enable-management" Command

• Resource Accounting for System Resources

• Enhanced show Output for resource-usage Command

• Increased Awareness of OSPF Extra Cost for VRID

• Shared Management Auto Partition Selection

• Rate Limit Neighbor Discovery Messages for IPv6


Management Interface Added as an Interface Option to the "enable-management" Command

The Management Interface has been added as an interface option to the enable-management command with an ACL. This gives users the ability to limit traffic from the Management Interface at the Layer 3 and Layer 4 levels. Prior to this release, service-based ACLs were only configurable for the data and VE ports.

The following example shows the new management configuration option, which allows you to apply a service-based ACL to the Management Port.

ACOS(config)#enable-management service telnet acl 1 management

NOTE: The ACL added should be an IP-based ACL and not a TCP, UDP, ICMP, or object-group-based ACL.

NOTE: GUI support is not available in 2.7.2-P5.

Resource Accounting for System Resources

ACOS 2.7.2-P5 now provides Resource accounting and threshold limiting for all system resources in the L3V partition, along with logging and trap functionality for those resources.

When a template is applied to an L3V partition, the resource library is updated with the template configuration, and it is updated again whenever a system per-second resource is obtained and returned. ACOS maintains the following set of data in the resource library:

1. Current Value - Usage in the previous elapsed second.

2. Average Value - Average value of the per second usage, since the value was last reset.

3. Peak Value - Peak usage value since it was last reset.

4. Max-limit - Configured maximum limit for the resource.

5. Threshold-limit - Configured threshold limit for the resource.

The following example shows a sample configuration for the system resource thresholds.

ACOS(config)#system resource-usage template test1

ACOS(config-resource template)#system-resources

ACOS(config-resource template-node system)#system-resource-threshold 10

ACOS(config-resource template-node system)#bw-limit 123

ACOS(config-resource template-node system)#l4-session-limit 10.00 min-guarantee 5.00

ACOS(config-resource template-node system)#ssl-throughput-limit 777

ACOS(config-resource template-node system)#l4cps-limit 110

ACOS(config-resource template-node system)#natcps-limit 5606

ACOS(config-resource template-node system)#l7cps-limit 333

ACOS(config-resource template-node system)#sslcps-limit 1010

ACOS(config-resource template-node system)#concurrent-session-limit 276

ACOS(config-resource template-node system)#local-log-rate 55

ACOS(config-resource template-node system)#remote-log-rate 102


ACOS(config)#partition p1 network-partition id 1

ACOS(config-partition)#template test1

Viewing Resource Usage Data

The following example displays the show command output for the system resource threshold configured in the example above.

ACOS(config)#show resource-usage partition p1

Partition p1

Resource Current Min-Guaranteed Max-allowed Utilization(%) Max-exceeded Threshold-exceeded Peak Average

L4 Session Count 0.00% 5.00% 10.00% 0 0 0 0 0

Concurrent Sessions 0 0 276 0 0 0 0 0 0

Local LPS 0 0 55 0 0 0 0 0 0

Remote LPS 0 0 1025 0 0 0 0 0 0

L4 CPS 0 0 110 0 0 0 0 0 0

L7 CPS 0 0 333 0 0 0 0 0 0

NAT CPS 0 0 5606 0 0 0 0 0 0

SSL CPS 0 0 1010 0 0 0 0 0 0

SSL Throughput 0 0 814743552 0 0 0 0 0 0

Band-Width 0 0 128974848 0 0 0 0 0 0

Sample Log

The following gives an example of a Syslog message based on the configured system-resource thresholds.

Apr 04 2015 22:49:31 Alert [ACOS]:<p1> Resource L4 CPS is now above threshold limit (10%)

Clear Command

The clear command clears the following data for all system resources:

1. Max-exceeded

2. Threshold-exceeded

3. Peak

4. Average


NOTE: For per-second resources, Peak is set to 0. For other resources, Peak is set to the current peak value.
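The accounting described in this section, modelled as an added Python example (not ACOS code): it keeps the five values the notes list per resource, counts threshold and max-limit crossings, emits alert text shaped like the sample syslog line, and applies the clear semantics. The class name, the max-limit message wording and the sample usage values are this example's own assumptions.

```python
"""Per-resource accounting model, added as an example (not ACOS code).

It keeps the five values the notes list for each resource in the library
(current, average, peak, max-limit, threshold-limit), counts max/threshold
crossings, emits alert text shaped like the sample syslog line, and applies
the clear semantics.  The max-limit alert wording is this example's own;
the page only shows the threshold message.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ResourceAccount:
    partition: str            # L3V partition name, e.g. "p1"
    name: str                 # resource name as shown by show resource-usage
    max_limit: int            # configured limit, e.g. l4cps-limit 110
    threshold_pct: int        # system-resource-threshold, percent of max_limit
    per_second: bool = True   # per-second resources have Peak reset to 0 on clear
    current: int = 0          # usage in the previous elapsed second
    peak: int = 0             # peak since last reset
    max_exceeded: int = 0     # number of times usage crossed above max_limit
    threshold_exceeded: int = 0
    _sum: int = field(default=0, repr=False)
    _samples: int = field(default=0, repr=False)
    _above_thr: bool = field(default=False, repr=False)
    _above_max: bool = field(default=False, repr=False)

    @property
    def threshold_limit(self) -> float:
        return self.max_limit * self.threshold_pct / 100

    @property
    def average(self) -> float:
        """Average per-second usage since the last reset."""
        return self._sum / self._samples if self._samples else 0.0

    @property
    def utilization_pct(self) -> float:
        return 100.0 * self.current / self.max_limit if self.max_limit else 0.0

    def _alert(self, what: str) -> str:
        return f"Alert [ACOS]:<{self.partition}> Resource {self.name} is now above {what}"

    def update(self, value: int) -> list[str]:
        """Record one second of usage; return alerts raised by a crossing."""
        alerts = []
        self.current = value
        self._sum += value
        self._samples += 1
        self.peak = max(self.peak, value)
        above_thr = value > self.threshold_limit
        if above_thr and not self._above_thr:          # crossing, not every second
            self.threshold_exceeded += 1
            alerts.append(self._alert(f"threshold limit ({self.threshold_pct}%)"))
        self._above_thr = above_thr
        above_max = value > self.max_limit
        if above_max and not self._above_max:
            self.max_exceeded += 1
            alerts.append(self._alert(f"max limit ({self.max_limit})"))
        self._above_max = above_max
        return alerts

    def clear(self) -> None:
        """Reset Max-exceeded, Threshold-exceeded, Peak and Average.
        Per-second resources get Peak 0; for the others the notes say Peak is
        set to the current peak value, modelled here as the current usage."""
        self.max_exceeded = 0
        self.threshold_exceeded = 0
        self._sum = 0
        self._samples = 0
        self.peak = 0 if self.per_second else self.current


def demo() -> ResourceAccount:
    """Constructed L4 CPS samples under l4cps-limit 110 and threshold 10%."""
    r = ResourceAccount("p1", "L4 CPS", max_limit=110, threshold_pct=10)
    for cps in (5, 20, 200, 150):
        for msg in r.update(cps):
            print(msg)
    return r


if __name__ == "__main__":
    print(demo())
```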

Enhanced show Output for resource-usage Command

ACOS 2.7.2-P5 introduces an enhancement to the show resource-usage command that allows you to better customize the output. Two new filtering parameters, resource-type and summary, have been added. They appear in the syntax below.

show resource-usage

Description Show resource usage information.

Syntax show resource-usage [all-partitions | global | partition {partition-name | shared} resource-type | summary {resource-name | current | peak | average}]

Mode All

The resource-type parameter filters based on either the system, application, or network resources. For example, the command show resource-usage all-partitions resource-type system-resources displays the legacy output format for all partitions, filtered only by system resources, as shown in Figure 10.

Parameter        Description
all-partitions   Lists resource usage counters for all partitions.
global           Lists global resource usage counters.
partition-name   Lists the resource usage counters for the specified partition only.
shared           Lists the resource usage counters for the shared partition only.
resource-type    Lists resource usage counters filtered by the selected resource type: System, Network, or Application.
summary          Lists resource usage counters in the summary output format. You can filter by a specific resource name and a usage value for that resource. The Current usage value is displayed by default if no value is specified.


FIGURE 10 show resource-usage all-partitions resource-type system-resources output

The summary parameter displays the new Summary output format for the current partition, for all resources, each sorted by their default resource name and Current resource usage value. The summary output format is highly customizable with the other parameters listed under the show resource-usage command. For example, by entering the command show resource-usage all-partitions resource-type system resources summary peak-usage, you would see an output for all partitions displaying the system resource types, each sorted by their resource name and peak usage. By entering the command show resource-usage partition shared resource-type network-resources summary object-group-clause-count, you would see an output displaying the summary format for the shared partition filtered by network resources, sorted by the object-group-clause-count resource’s Current usage value.

Listed below are the sorting parameters for each resource type.

Network Resources

ACOS(config)#show resource-usage all-partitions resource-type network-resource summary ?

average-usage Average Usage

current-usage Current Usage

peak-usage Peak Usage

static-mac-count Sort by static-mac-count

static-arp-count Sort by static-arp-count

static-neighbor-count Sort by static-neighbor-count

static-ipv4-route-count Sort by static-ipv4-routes-count

static-ipv6-route-count Sort by static-ipv6-routes-count

ipv4-acl-line-count Sort by IPv4-acl-lines-count

ipv6-acl-line-count Sort by IPv6-acl-lines-count

object-group-count Sort by object-group-count


object-group-clause-count Sort by object-group-clause-count

| Output modifiers

Application Resources

ACOS(config)#show resource-usage all-partitions resource-type app-resource summary ?

average-usage Average Usage

current-usage Current Usage

peak-usage Peak Usage

real-server-count Sort by real-server-count

real-port-count Sort by real-port-count

service-group-count Sort by service-group-count

virtual-server-count Sort by virtual-server-count

health-monitor-count Sort by health-monitor-count

gslb-site-count Sort by gslb-site-count

gslb-device-count Sort by gslb-device-count

gslb-service-ip-count Sort by gslb-service-ip-count

gslb-service-port-count Sort by gslb-service-port-count

gslb-zone-count Sort by gslb-zone-count

gslb-service-count Sort by gslb-service-count

gslb-policy-count Sort by gslb-policy-count

gslb-ip-list-count Sort by gslb-ip-list-count

gslb-geo-location-count Sort by gslb-geo-location-count

gslb-template-count Sort by gslb-template-count

gslb-svc-group-count Sort by gslb-svc-group-count

| Output modifiers

System Resources

ACOS(config)#show resource-usage all-partitions resource-type system-resource summary ?

average-usage Average Usage

current-usage Current Usage

l4-session-count Sort by l4-session-count

concurrent-session-count Sort by concurrent-session-count

local-lps-count Sort by local-lps-count

peak-usage Peak Usage

remote-lps-count Sort by remote-lps-count

l4-cps-count Sort by l4-cps-count

l7-cps-count Sort by l7-cps-count

nat-cps-count Sort by nat-cps-count

ssl-cps-count Sort by ssl-cps-count

ssl-tpt-count Sort by ssl-tpt-count

bw-count Sort by bandwidth-count

| Output modifiers

NOTE: There is a discrepancy between the CLI and GUI default sorting options for the system resource summary.


Using the GUI

This feature adds three new pages under the Monitor Mode > System > Resource Usage section of the GUI. These are the Curr Part Summary, Global Summary, and All Parts Summary pages, and they reflect the various summary outputs in the 2.7.2-P5 GUI. All of these pages display the current, average, and peak usage values, along with the corresponding current, average, and peak utilization percentages for each resource. Each page also groups resources into the Network, Application, and System resource types. From the drop-down menu at the top of the page, you can adjust the displayed values to a 1, 5, 10, or 30 minute interval.

The Monitor Mode > System > Resource Usage > Curr Part Summary page displays resource usage values for the current partition selected in the Partition drop-down menu in the overhead banner, as shown in Figure 11.

FIGURE 11 Monitor Mode > System > Resource Usage > Curr Part Summary

The Monitor Mode > System > Resource Usage > Global Summary page is structured the same way as the Curr Part Summary page shown in Figure 11, but displays the global resource usage and utilization values. Because this page shows global resource usage data, it is only viewable in the shared partition. Make sure that the shared partition is selected in the Partition drop-down menu.

The Monitor Mode > System > Resource Usage > All Parts Summary page displays the Network, Application, and System resource usage data for all partitions, grouped by resource type, as shown in Figure 12. Because the page shows data from all partitions, it is only viewable in the shared partition. Make sure that the shared partition is selected in the Partition drop-down menu.


FIGURE 12 Monitor Mode > System > Resource Usage > All Parts Summary

Increased Awareness of OSPF Extra Cost for VRID

This release introduces an enhancement that increases OSPF awareness of HA groups and VRRP-A VRID group IDs. Previously, the ha-standby-extra-cost command added extra cost to the default HA group if the HA status of one or more of the device’s HA groups was Standby. It now includes the ability to add extra cost to VRRP-A VRID groups.

Example Configuration

The following example shows an OSPF global configuration that is applicable to all VRID groups:

ACOS(config)#router ospf

ACOS(config-router:)#ha-standby-extra-cost 12

The following example shows the new group configuration enhancement that defines the cost for VRRP/HA VRID 1:

ACOS(config)#router ospf

ACOS(config-router:)#ha-standby-extra-cost 12 group 1

Any groups that do not have a cost defined inherit the global cost value. VRRP-A and HA are mutually exclusive, so you will only configure one or the other.

See the System Configuration and Administration Guide for further information about configuring OSPF-related HA parameters.


Shared Management Auto Partition Selection

Role based administration access has been revised. When logging into the ACOS device, the first partition now visible to the administrator is no longer the shared partition. The first partition visible to the administrator is now based on the partition to which the destination IP belongs and the list of partitions that the user can access. No configuration changes are required.

Configuration

Configure the shared management VLAN in the shared partition. Map the VE interface and configure the destination IP address under the partition. Configure the shared VE interface in the L3V partition. Below is an example configuration.

Shared partition:

partition l3v1 network-partition
  map-interface ve 100
  allowable-ip-range 192.168.21.10
!
vlan 100
  untagged ethernet 1
  shared-vlan management
  router-interface ve 100
!
interface ve 100
  ip address 192.168.21.1 255.255.255.0
!
enable-management service ssh ve 100
enable-management service http ve 100

L3V partition:

interface ve 100
  ip address 192.168.21.10 255.255.255.0
!
enable-management service ssh ve 100
enable-management service http ve 100

Example Scenarios

In the scenarios that follow, the ACOS device is configured with the following role based accounts:

• User admin has access to the shared partition and all other partitions.

• User cust1 has access to partitions p1 and p2.

• User cust2 has access to partition p2 only.

In the scenarios that follow, the ACOS device is configured with the following destination IP addresses:

• shared: 10.10.10.10

• p1: 10.10.10.11


• p2: 10.10.10.12

• management IP: 1.2.3.4

Scenario 1: User admin

• Logs into 10.10.10.12, authenticates successfully, and is automatically put into partition p2's context.

• Logs into 10.10.10.11, authenticates successfully, and is automatically put into partition p1's context.

• Logs into 10.10.10.10, authenticates successfully, and is automatically put into the shared context.

• Logs into 1.2.3.4, authenticates successfully, and is automatically put into the shared context.

Scenario 2: User cust1

• Logs into 10.10.10.12, authenticates successfully, and is automatically put into partition p2's context.

• Logs into 10.10.10.11, authenticates successfully, and is automatically put into partition p1's context.

• Logs into 10.10.10.10 and is denied access.

• Logs into 1.2.3.4, authenticates successfully, and is automatically put into partition p1's context (the 1st partition in the privilege list for this user).

Scenario 3: User cust2

• Logs into 10.10.10.12, authenticates successfully, and is automatically put into partition p2's context.

• Logs into 10.10.10.11 and is denied access.

• Logs into 10.10.10.10 and is denied access.

• Logs into 1.2.3.4, authenticates successfully, and is automatically put into partition p2's context (the 1st partition in the partition privilege list for this user).
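The selection rule behind the three scenarios, written out as an added Python example (not ACOS code): the context is chosen from the partition that owns the destination IP and the user's ordered privilege list. The users, IPs and partition names are those of the scenarios; the lookup tables are constructed from them.

```python
"""Login context selection under shared management, as an added example.

This is not ACOS code.  It encodes the rule stated above: the partition an
administrator lands in is chosen from the partition that owns the destination
IP and the ordered list of partitions the user may access.  The users, IPs
and partition names are the ones from the scenarios; the tables below are
constructed from them.
"""
from __future__ import annotations

# Constructed from the scenarios: destination IP -> partition that owns it.
DEST_IP_TO_PARTITION = {
    "10.10.10.10": "shared",
    "10.10.10.11": "p1",
    "10.10.10.12": "p2",
}
MANAGEMENT_IP = "1.2.3.4"   # management interface: owned by no L3V partition

# Constructed role-based accounts: ordered privilege lists, first entry first.
USER_PARTITIONS = {
    "admin": ["shared", "p1", "p2"],   # shared plus all other partitions
    "cust1": ["p1", "p2"],
    "cust2": ["p2"],
}


def select_context(user: str, dest_ip: str) -> str | None:
    """Return the partition context the login starts in, or None if denied."""
    allowed = USER_PARTITIONS.get(user, [])
    if not allowed:
        return None                   # unknown account: nothing to select
    if dest_ip == MANAGEMENT_IP:
        # The management IP belongs to no partition, so the first partition in
        # the user's privilege list is selected (shared for admin, p1 for cust1).
        return allowed[0]
    owner = DEST_IP_TO_PARTITION.get(dest_ip)
    if owner is None or owner not in allowed:
        return None                   # destination not owned by an accessible partition
    return owner


def scenario_table() -> dict[tuple[str, str], str | None]:
    """All user/destination combinations from the three scenarios."""
    dests = [*DEST_IP_TO_PARTITION, MANAGEMENT_IP]
    return {(u, d): select_context(u, d) for u in USER_PARTITIONS for d in dests}


if __name__ == "__main__":
    for (user, dest), ctx in scenario_table().items():
        print(f"{user:6} -> {dest:12} {'denied' if ctx is None else ctx}")
```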

Rate Limit Neighbor Discovery Messages for IPv6

Similar to the rate limiting that is enabled for ARP in IPv4, this release now contains rate limiting of neighbor discovery messages for IPv6. This is enabled by default, with no configuration necessary. On receipt of an IPv6 packet for which no MAC address exists in the neighbor table, the new behavior is that an ND message is sent for that packet, and a two-second timer is started. No further ND messages are sent for the unresolved packet for 20 ms. After five unresolved ND messages are sent for a given neighbor during the two-second timer, no additional messages are sent.
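The behaviour described above, simulated as an added Python example (not ACOS code): a per-neighbor state machine with the two-second window, the 20 ms hold-off and the five-message cap. The class names and the packet timeline are this example's own constructions.

```python
"""Simulation of the IPv6 Neighbor Discovery rate limiting described above.

Added example, not ACOS code.  It models the stated rules per unresolved
neighbor: the first packet triggers an ND solicitation and a two-second window;
further packets within 20 ms of a solicitation send nothing; after five
solicitations in the window no more are sent until the window expires.
Names and the packet timeline are this example's own.
"""
from __future__ import annotations
from dataclasses import dataclass

WINDOW_SECONDS = 2.0      # timer started by the first unresolved packet
HOLDOFF_SECONDS = 0.020   # no further ND for 20 ms after one is sent
MAX_PER_WINDOW = 5        # at most five ND messages per neighbor per window


@dataclass
class _NeighborState:
    window_start: float
    sent_in_window: int = 0
    last_sent: float = float("-inf")


class NdRateLimiter:
    def __init__(self) -> None:
        self._pending: dict[str, _NeighborState] = {}

    def on_unresolved_packet(self, neighbor: str, now: float) -> bool:
        """Return True if an ND solicitation should be sent for this packet."""
        st = self._pending.get(neighbor)
        if st is None or now - st.window_start >= WINDOW_SECONDS:
            # no timer running (or it expired): start a fresh two-second window
            st = _NeighborState(window_start=now)
            self._pending[neighbor] = st
        if now - st.last_sent < HOLDOFF_SECONDS:
            return False          # within 20 ms of the last solicitation
        if st.sent_in_window >= MAX_PER_WINDOW:
            return False          # five already sent during this window
        st.sent_in_window += 1
        st.last_sent = now
        return True

    def resolved(self, neighbor: str) -> None:
        """MAC learned: drop the state so the next miss starts a fresh window."""
        self._pending.pop(neighbor, None)


def simulate(timeline: list[tuple[str, float]]) -> dict[str, list[float]]:
    """Run a (neighbor, time) timeline; return the times ND was sent per neighbor."""
    lim = NdRateLimiter()
    sent: dict[str, list[float]] = {}
    for neighbor, t in timeline:
        if lim.on_unresolved_packet(neighbor, t):
            sent.setdefault(neighbor, []).append(t)
    return sent


# Constructed timeline: a burst of packets to one unresolved neighbor.
SAMPLE_TIMELINE = [("2001:db8::10", t)
                   for t in (0.0, 0.005, 0.03, 0.04, 0.1, 0.2, 0.3, 0.4, 1.9, 2.5)]

if __name__ == "__main__":
    print(simulate(SAMPLE_TIMELINE))
```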

Layer 4-7

This section describes the layer 4-7 enhancements:

• Disabling SSL Renegotiation

• Support for PFS (DHE/ECDHE) in Server SSL Templates

• Hardware Support for DHE Ciphers


• Database Health Monitor Supports the Integer Type

• Extended SSL/TLS Usage Statistics

• Extended Cache Hit Statistics

• Enhancement to the IP NAT Translation Command

• Enhancement to the SLB Template HTTP Command

• IP-in-IP Tunneling for Routed Traffic

• Strict Load-Balancing for Weighted Round-Robin and Least Connection

• CPU Load Balancing

Disabling SSL Renegotiation

ACOS allows for renegotiation of SSL connections over previously secured channels. This speeds up reestablishment of previous SSL connections with known clients. In ACOS 2.7.2-P5, there is an option to disable SSL and TLS renegotiations, using a Client SSL template. Disabling TLS/SSL renegotiations can help prevent vulnerabilities that may lead to SSL/TLS renegotiation Man-In-The-Middle Attacks.

By exploiting a vulnerability in the TLS/SSL handshake process, a third party may intercept communications between a client and server, as well as splice content into the client-server communications. This vulnerability affects the secure transport of protocols that rely on TLS/SSL. Although a patch has been issued for systems using SSL/TLS on the internet, the patch does not fully protect against the vulnerability. Using the ACOS renegotiation-disable command, you can optionally disable automatic TLS/SSL renegotiations which may be vulnerable to exploitation. By default, TLS/SSL renegotiations are currently enabled.

Configuration

To disable automatic TLS/SSL renegotiation, the following command has been added at the Client SSL Template configuration level:

[no] renegotiation-disable

Example Configuration

Starting at the global configuration level, the example below creates a Client SSL template named “renegotiation,” and disables TLS/SSL renegotiation within the template. When the template is applied to virtual port 443 under the virtual server, the option takes effect and TLS/SSL renegotiations on that virtual port are disabled.

slb template client-ssl renegotiation
  renegotiation-disable
!
slb virtual-server vip 10.10.10.10
  port 443 https
    template client-ssl renegotiation
!


Support for PFS (DHE/ECDHE) in Server SSL Templates

In 2.7.2-P5, A10 adds hardware support for ECDHE/DHE key exchange in the server SSL template. Previously, this was only available for the client side. This enhances hardware performance for server-side SSL, as the traffic will not consume any hardware CPU.

Hardware Support for DHE Ciphers

In 2.7.2-P5, A10 adds hardware support for DHE ciphers for enhanced performance and processing. Previously, this was restricted to software only.

Database Health Monitor Supports the Integer Type

ACOS 2.7.2-P5 adds support for the integer type for database health monitors.

In the following example:

ACOS-Active(config)#health monitor hm1

ACOS-Active(config-health:monitor)#method database mssql db-name db1 username user1 password examplepwd send "select * from db1" ?

receive Specify the response string

receive-integer Specify the response integer

<cr>

ACOS-Active(config-health:monitor)#

The receive-integer parameter is new in 2.7.2-P5. Sub-options for the receive-integer parameter are described below:

receive-integer integer [row row_num column column_num]

Parameter          Description
integer            Specify the expected integer in the query response (0-2147483647).
row row_num        Specify the row number expected in the response (1-10).
column column_num  Specify the column number expected in the response (1-10).

Extended SSL/TLS Usage Statistics

The SLB information for SSL has been extended to include more detailed information about the clients connecting to virtual servers and virtual ports. The information includes counts for ciphers used, key exchange methods, renegotiations, and session cache. To access the new statistics, a counters option has been added to show slb ssl.

Example Configuration

The following example shows the counters output and explains each counter.


ACOS>sho slb ssl counters vip2 443

The cumulative sessions counter shows the total sessions created for this vport, incremented every time a session is created:

Virtual Server Name: vip2 Port: 443

--------------------------------------------------------------------------------

Cumulative sessions = 19

The list of each cipher used by a session is shown. The successes increment when a handshake using that cipher is successful, and the failures increment when the handshake fails:

ID Name Successes Failures

0x0300002f TLS1_RSA_AES_128_SHA 4 0

0x0300c014 TLS1_ECDHE_RSA_AES_256_SHA 5 0

0x03000067 TLS1_DHE_RSA_AES_128_SHA256 6 0

0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384 4 0

The key exchange method counters track the details of key exchanges. The successes increment when a key exchange using that method is successful, and the failures increment when the method fails:

Key Exchange Methods Successes Failures

RSA

2048 bits 4 0

ECDHE

secp384r1 9 0

DHE

1024 bits 6 0

The SSL/TLS counters track the TLS version. The successes increment when a session using that protocol version is successful, and the failures increment when a session fails:

SSL/TLS Version Successes Failures

TLS1.0 2 0

TLS1.2 12 0

The session cache counters track new, hit, miss, and expired sessions. The new counter increments for a new session. The hit counter increments when a client connects with a session ID that was found on the ACOS device and the session resumed. The miss counter increments when a client connects with a session ID that was not found on the ACOS device, so the session was not resumed. The expired counter increments when a client connects with a session ID that was found on the ACOS device, but it was after the session-cache-timeout expired, so the session was not resumed.

Session Cache Count

New 19

Hit 0

Miss 0


Expired 0

The handshake counter shows the average length of time for handshakes. Time measurement starts when the ACOS device receives the client_hello and ends when the ACOS device sends the server_finished message:

Handshake Average time = 30 ms

The renegotiation counter is the count of how many times clients have renegotiated:

Renegotiation Counters

Total renegotiations = 5

SSL/TLS Version Successes Failures

TLS1.0 3 0

TLS1.2 2 0

Use the clear command to clear the counters:

ACOS#clear slb ssl-counters vserver name vport number
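What a defender would do with these counters, as an added Python example (not ACOS code): parse the cipher, key exchange, protocol version and renegotiation sections of the output shown above and flag legacy TLS versions, DHE groups under 2048 bits, key exchange without forward secrecy, and renegotiations (which the renegotiation-disable option described earlier can switch off). The SAMPLE_OUTPUT text is constructed from the values in this section; the regular expressions and thresholds are this example's own assumptions.

```python
"""Posture checks over 'show slb ssl counters' output, added as an example.

Not ACOS code: it parses the counter layout shown above and flags sessions
still using TLS 1.0, DHE groups under 2048 bits, key exchange without forward
secrecy, and renegotiations.  SAMPLE_OUTPUT is constructed from the text.
"""
import re

SAMPLE_OUTPUT = """\
Virtual Server Name: vip2 Port: 443
--------------------------------------------------------------------------------
Cumulative sessions = 19
ID          Name                               Successes  Failures
0x0300002f  TLS1_RSA_AES_128_SHA               4          0
0x0300c014  TLS1_ECDHE_RSA_AES_256_SHA         5          0
0x03000067  TLS1_DHE_RSA_AES_128_SHA256        6          0
0x0300c030  TLS1_ECDHE_RSA_AES_256_GCM_SHA384  4          0
Key Exchange Methods  Successes  Failures
RSA
  2048 bits           4          0
ECDHE
  secp384r1           9          0
DHE
  1024 bits           6          0
SSL/TLS Version  Successes  Failures
TLS1.0           2          0
TLS1.2           12         0
Handshake Average time = 30 ms
Renegotiation Counters
Total renegotiations = 5
SSL/TLS Version  Successes  Failures
TLS1.0           3          0
TLS1.2           2          0
"""

CIPHER_RE = re.compile(r"^(0x[0-9a-f]{8})\s+(\S+)\s+(\d+)\s+(\d+)$")
KEX_GROUP_RE = re.compile(r"^(RSA|ECDHE|DHE)$")
KEX_ROW_RE = re.compile(r"^\s+(\S+(?: bits)?)\s+(\d+)\s+(\d+)$")   # indented rows
VERSION_RE = re.compile(r"^(SSL3\.0|TLS1\.\d)\s+(\d+)\s+(\d+)$")
RENEG_RE = re.compile(r"^Total renegotiations = (\d+)$")
MIN_DH_BITS = 2048                               # assumed minimum DHE group size
LEGACY_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1")


def parse_counters(text):
    """Return ciphers, key exchanges and versions as name -> (successes, failures);
    versions seen under 'Renegotiation Counters' are kept apart."""
    out = {"ciphers": {}, "kex": {}, "versions": {}, "reneg_versions": {},
           "renegotiations": 0}
    group, in_reneg = None, False
    for line in text.splitlines():
        if line.startswith("Renegotiation Counters"):
            in_reneg = True
        elif m := RENEG_RE.match(line):
            out["renegotiations"] = int(m.group(1))
        elif m := CIPHER_RE.match(line):
            out["ciphers"][m.group(2)] = (int(m.group(3)), int(m.group(4)))
        elif m := KEX_GROUP_RE.match(line):
            group = m.group(1)                   # RSA / ECDHE / DHE sub-table
        elif group and (m := KEX_ROW_RE.match(line)):
            out["kex"][(group, m.group(1))] = (int(m.group(2)), int(m.group(3)))
        elif m := VERSION_RE.match(line):
            group = None                         # key exchange section is over
            key = "reneg_versions" if in_reneg else "versions"
            out[key][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return out


def posture_findings(counters):
    """Human-readable findings; an empty list means nothing to act on."""
    findings = []
    for ver, (ok, _) in counters["versions"].items():
        if ver in LEGACY_VERSIONS and ok:
            findings.append(f"{ok} session(s) negotiated {ver}")
    for (group, param), (ok, _) in counters["kex"].items():
        if not ok:
            continue
        if group == "RSA":
            findings.append(f"{ok} handshake(s) used RSA key exchange (no forward secrecy)")
        elif group == "DHE" and param.endswith(" bits") and int(param.split()[0]) < MIN_DH_BITS:
            findings.append(f"{ok} DHE handshake(s) used a {param} group (< {MIN_DH_BITS} bits)")
    for name, (ok, _) in counters["ciphers"].items():
        if ok and "DHE" not in name:             # ECDHE_ and DHE_ suites both contain "DHE"
            findings.append(f"cipher {name} offers no forward secrecy ({ok} handshakes)")
    if counters["renegotiations"]:
        findings.append(f"{counters['renegotiations']} renegotiation(s); "
                        "renegotiation-disable in the client-ssl template turns these off")
    return findings


if __name__ == "__main__":
    for finding in posture_findings(parse_counters(SAMPLE_OUTPUT)):
        print("-", finding)
```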

Extended Cache Hit Statistics

This release introduces a url-name filter to the show slb cache entries command. The extended statistics drill down to details per cached entry under a particular virtual port. The command now displays more granular statistics for each cached entry/URL maintained under a cache template that is bound to a virtual port.

If certain headers are present in the server response, such as Age, Via, or Connection, they are removed and the ACOS device adds a separate header for them before the response is stored in cache. Similarly, if the cache template has the remove-cookies option set, any cookie header in the server response is removed before the response is saved in cache.

The following new attributes are displayed as part of these detailed statistics per cached entry:

• Response size: <in bytes, reflecting the attributes corresponding to the response saved in cache>

• Response header size: <in bytes, reflecting the attributes corresponding to the response saved in cache>

• Response status code: < 200, 203, 300, 301, 302, 410 >

• Response with Content-Length: Yes or No

• Response with Chunked Encoding: Yes or No

• ETag: <ETag header value extracted from Response>

• Last-Modified: <’Last-Modified’ header value extracted from Response, shown as date/time stamp>

• Cache-control: <’Cache-control’ header value extracted from Response, example ‘max-age=5’,etc>

• Date: <’Date’ header value extracted from Response, shown as date/time stamp>

• Host: <HOST header value extracted from Request>


• URL: <Request URI entry for which Response is being cached >

• Time elapsed since Cache Hit (in secs): <seen how many secs ago>

• Age (in secs): <age of cached entry>

• Expires (in secs):

• Concurrent readers: <Count reflecting how many clients are being served from this cached entry at this moment>

• Hits: <Count>

• Misses: <Count>

• Content-Encoding: <Derived from ‘Content-Encoding’ header in Response, such as gzip, deflate, etc.>

• HTTP version in response: <such as 1.1, extracted from server response >

• Weak ETag present in response: YES or NO

• Full response present in cache: YES or NO

• HTTP request method: <GET or other method that led to Response being cached>

Example Configuration

The following example shows how to view the extended cache statistics:

# show slb cache entries vip-name port-number URL-for-cached-entry

This enables you to retrieve stats for a cached entry with the example URL “/tours/images/purchaseflight.gif” maintained under www.mywebsite.com. The site www.mywebsite.com would map to a particular virtual server/port configured on the ACOS device, for example ‘vip1’ and port 80. Thus the example request translates to:

# show slb cache entries vip1 80 /tours/images/purchaseflight.gif

Host: www.mywebsite.com

URL: /tours/images/purchaseflight.gif

Response Size (in bytes): 1647

Response Header Length (in bytes): 87

Response Status Code: 200

Entity Tag (ETag): None

Cache-Control: None

Date: None

Last-Modified: None

Time elapsed since Cache Hit (in secs): 1241

Age (in secs): 1440

Expires (in secs): 960

Hits: 12664

Misses: 0

Concurrent Readers: 0

Content-Encoding: None

Http version in Response: 1.1


Response with Content-Length: Yes

Response with Chunked-Encoding: No

Weak ETag in Response: None

Full Response present in Cache: Yes

Http Request Method: GET

If the URL name includes special characters such as a question mark, in order to specify this via the command line, '?' needs to be represented in its octal notation as \077 in the URL string.

Thus, a URL name such as “/testing?html” is specified as “/testing\077html” and it needs to be enclosed within double quotes to ensure that the correct interpretation of the special character occurs:

#show slb cache entries vip1 80 "/testing\077html"

Enhancement to the IP NAT Translation Command

This release introduces an enhancement to the ip nat translation command. Similar to its usage in SLB virtual-port templates, ignore-tcp-msl immediately reuses TCP sockets after session termination, without waiting for the Maximum Session Life (MSL) time to expire. This is disabled by default.

Example Configuration

The following example shows how to enable ignore-tcp-msl for IP NAT traffic:

ACOS(config)#ip nat translation ignore-tcp-msl

See the Command Line Reference for further information about configuring NAT timers.

Enhancement to the SLB Template HTTP Command

This release introduces an enhancement to the slb template http command. The persist-on-401 command is now available from the configuration level of the specified HTTP template. This allows for persistence to the same back-end server when the status code received from the server is 401, even if connection reuse or strict transaction switching is enabled.

Example Configuration

The following example shows how to enable persist-on-401 and bind the HTTP template to a virtual port:

ACOS(config)#slb template http template-name

ACOS(config-http)#persist-on-401

ACOS(config)#slb virtual-server vip1

ACOS(config-slb vserver)#port 80 http

ACOS(config-slb vserver-vport)#template http template-name

If other service selections are configured for the same virtual port, such as cookie persistence or aFleX pool selection, persist-on-401 has higher priority than cookie persistence or aFleX.


IP-in-IP Tunneling for Routed Traffic

Previously, IP-in-IP tunneling was only available in L3 DSR mode. Now it is also available when using the ACOS device as the default gateway. This release makes use of the overlay tunnel framework and introduces a new keyword of ipinip to the encap command for indicating that traffic going through the VTEP tunnel requires encapsulation with IP-in-IP.

NOTES:

• The server-to-A10 interface needs to have ip nat inside configured to indicate that the traffic is to be translated.

• All the standard IP NAT configuration requirements still apply.

• The vni value 0xFFFFFFFF or 16777215 still indicates the IP in IP tunnel.

• Only the TCP, UDP, and ICMP protocols are supported for IP NAT.

• Fragmentation traffic is not supported.

• VRRP-A is not supported.

Example Configuration

The following example shows the usage for the ipinip keyword:

overlay-tunnel vtep 1
   encap ipinip
   source-ip-address 2.2.2.1
      vni 16777215 partition shared lif 1
   destination-ip-address 1.1.1.10
      vni 16777215

Strict Load-Balancing for Weighted Round-Robin and Least Connection

ACOS load balancing methods optimize for high performance, but sometimes this creates an imbalance in server selection, and some servers may have more open connections than others. For the round-robin method of load balancing, the imbalances can be corrected when the option of “strict” is selected to ensure an exact round-robin distribution.

In release 2.7.2-P5, this behavior extends to the Weighted Round-Robin, Least Connection, and Service Least Connection load balancing methods, guaranteeing that new connections will be sent to the server with the fewest connections, or fewest service connections. While strict load balancing can be configured with other load balancing methods, it has no effect on them. Strict load balancing is enabled within a service-group configuration. When strict load balancing is enabled, lower performance should be expected, especially when ACOS is running a heavy load of traffic.

Configuration

To configure strict server load balancing for stateful methods, enter the following command at the service-group configuration level:

[no] strict-select


Example Configuration

The following example configures a TCP load balancing service-group named “strict.” Within the service-group, the example configures least connection load balancing, and then enables strict selection.

slb service-group strict tcp
   method weight-rr
   strict-select
!

CPU Load Balancing

When the ACOS device detects that one CPU is oversubscribed (due to an attack), the packets destined to that CPU are distributed to other CPUs for processing using the round robin algorithm. The typical way in which this is accomplished is described below:

1. When packets enter the ACOS device, they are processed by the data CPUs. For example, the AX5200 has 15 data CPUs that are available to process packets.

2. Next, the decision as to which data CPU will process the packet is determined.

In most cases, packets are evenly divided among the CPUs and processed in parallel. However, if an attack targets one data CPU, it may receive an abundance of packets in comparison to the others. This feature helps offload the attacked CPU and distributes incoming traffic amongst the CPUs.

The CPU load balancing feature is triggered when all of the following conditions happen:

1. If the utilization rate of the CPU being targeted exceeds the configured high CPU usage threshold (which has a default value of 75%), AND

2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum configured threshold (the default is 100,000 packets per second), AND

3. If the CPU being targeted is receiving 150% more packets-per-second than the median CPU packets-per-second rate on the ACOS device. If all CPUs are under a heavy load, there would be no advantage to using round robin to distribute the traffic.

The CPU load balancing feature stops when the following conditions are met:

1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND

2. Either of the following packets-per-second rates would apply to the targeted CPU if CPU round robin support was turned off:

a. If the targeted CPU is receiving packets at a rate below the minimum configured packets-per-second threshold, OR

b. If the utilization rate of the targeted CPU is no longer 150% higher than the median of its neighboring CPUs.

system cpu-load-sharing

Description The CPU Round Robin feature can be used to mitigate the effects of Denial of Service (DoS) attacks that target a single CPU on the ACOS device. You can use this command to configure thresholds for CPU load sharing. If a threshold is exceeded, CPU load sharing is activated, and additional CPUs are enlisted to help process traffic and relieve the burden on the targeted CPU. A round robin algorithm distributes packets across all of the other data CPUs on the device. Load sharing will remain in effect until traffic is no longer exceeding the thresholds that originally activated the feature. (See the “Usage” section below for details.)

Syntax [no] system cpu-load-sharing {cpu-usage low percent |cpu-usage high percent |disable |packets-per-second min num-pkts}

Default The CPU load sharing feature is enabled. The thresholds have the following default values:

• cpu-usage low – 60 percent

• cpu-usage high – 75 percent

• packets-per-second – 100000

Mode Configuration mode

If a hacker targets the ACOS device by repeatedly flooding the device with many packets that have the same source and destination ports, this could overwhelm the CPU that is being targeted. However, the CPU load sharing feature (which is enabled by default) protects the device by using a round robin algorithm to distribute the load across multiple CPUs when such an attack is detected.

ACOS will activate this round robin distribution across multiple CPUs if all of the following conditions occur:

1. If the utilization rate of the CPU being targeted exceeds the configured high threshold (which has a default value of 75%), AND

2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum configured threshold (the default is 100,000 packets per second), AND

3. If the CPU being targeted is receiving significantly more traffic than the other CPUs on the ACOS device. If all CPUs are under a heavy load, there would be no advantage to using round robin to distribute the traffic. Therefore, the CPU being targeted must have an elevated utilization rate that is at least 50% higher than the median utilization rate of its peer CPUs. (For example, this criterion would be met if the non-targeted CPUs have a median packet flow of 100,000 packets per second, but the targeted CPU is receiving packets at a rate exceeding 150,000 packets per second, in which case it would be 50% higher than the median of the rate of the other processors.)

Parameter Description

cpu-usage low percent

Lower CPU utilization threshold. Once the data CPU utilization rate drops below this threshold, then CPU round robin redistribution will stop. The default is 60, but you can specify 0-100 percent.

cpu-usage high percent

Upper CPU utilization threshold. Once the data CPU utilization rate exceeds this threshold, then CPU round robin redistribution will begin. The default is 75, but you can specify 0-100 percent.

disable Disables CPU load sharing. The CPU round robin feature is not used, even if a triggering threshold is breached.

packets-per-second min num-pkts

Maximum number of packets per second any CPU can receive, before CPU load sharing is used. You can specify 0-30000000 (30 million) packets per second.


ACOS will de-activate CPU round robin mode and return to normal mode when the first criterion, and either 2 or 3 above are no longer true.

For example, CPU round robin mode will cease:

1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND

• If the targeted CPU is receiving packets at a rate below the minimum configured packets-per-second threshold, OR

• If the utilization rate of the targeted CPU is no longer 50% higher than the median of its neighboring CPUs.

NOTE: The CPU Load Sharing feature is not supported on the following FTA platforms: AX 5200 and AX 3200.
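The activation and release rules above form a small state machine with hysteresis between the high and low thresholds. The following model is an added illustration, not A10 code: it uses the documented defaults (cpu-usage high 75, cpu-usage low 60, packets-per-second min 100000) and reads the "150% more than the median" rule as pps at least 1.5 times the median pps of the other data CPUs, which is how the 100,000 versus 150,000 example in the text reads; the `ratio` and `enabled` names are assumptions of the model.

```python
"""Model of the ACOS CPU load-sharing trigger/release conditions.
Added example, not A10 code; thresholds are the documented defaults."""
from dataclasses import dataclass, field
from statistics import median


@dataclass
class CpuLoadSharing:
    cpu_high: float = 75.0      # cpu-usage high (percent)
    cpu_low: float = 60.0       # cpu-usage low (percent)
    min_pps: int = 100_000      # packets-per-second min
    ratio: float = 1.5          # targeted pps must be >= ratio * median of peers (assumption)
    enabled: bool = True        # False models "system cpu-load-sharing disable"
    # Data CPUs whose inbound packets are currently round-robined to peers.
    active: set = field(default_factory=set)

    @staticmethod
    def _median_peer_pps(cpu, pps):
        peers = [v for k, v in pps.items() if k != cpu]
        return median(peers) if peers else 0.0

    def should_start(self, cpu, util, pps):
        """All three activation conditions must hold at the same time."""
        if not self.enabled:
            return False
        return (util[cpu] > self.cpu_high
                and pps[cpu] > self.min_pps
                and pps[cpu] >= self.ratio * self._median_peer_pps(cpu, pps))

    def should_stop(self, cpu, util, pps):
        """Utilisation must fall below the low threshold AND either the pps
        rate drops under the minimum OR the CPU is no longer far above its
        peers.  The gap between cpu_high and cpu_low gives hysteresis, so a
        CPU hovering around 75% does not flap in and out of sharing."""
        if util[cpu] >= self.cpu_low:
            return False
        return (pps[cpu] < self.min_pps
                or pps[cpu] < self.ratio * self._median_peer_pps(cpu, pps))

    def step(self, util, pps):
        """Evaluate one polling sample.  util and pps map data-CPU id ->
        percent utilisation and packets per second.  Returns the set of
        CPUs whose traffic is being redistributed after this sample."""
        for cpu in util:
            if cpu in self.active:
                if self.should_stop(cpu, util, pps):
                    self.active.discard(cpu)
            elif self.should_start(cpu, util, pps):
                self.active.add(cpu)
        return set(self.active)


def flood_scenario():
    """Constructed sample: CPU 3 is hit by a single-flow flood while CPUs
    0-2 stay at a normal load.  Returns the active set after each sample."""
    lb = CpuLoadSharing()
    util = {0: 30.0, 1: 30.0, 2: 30.0, 3: 90.0}
    pps = {0: 100_000, 1: 100_000, 2: 100_000, 3: 400_000}
    s1 = lb.step(util, pps)          # 90% > 75, 400k > 100k, 400k >= 1.5 * 100k: start
    util[3], pps[3] = 70.0, 200_000  # eased, but still above cpu_low: keep sharing
    s2 = lb.step(util, pps)
    util[3], pps[3] = 55.0, 80_000   # below 60% and below min pps: release
    s3 = lb.step(util, pps)
    return [s1, s2, s3]


if __name__ == "__main__":
    for i, active in enumerate(flood_scenario(), 1):
        print(f"sample {i}: sharing active for CPUs {sorted(active) or 'none'}")
```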

L47-Enterprise

This section describes the L47-enterprise enhancements:

• Same GSLB Domain Configurations Across Partitions

Same GSLB Domain Configurations Across Partitions

In previous releases, GSLB zones on different L3V partitions had to be configured with different domains. ACOS 2.7.2-P5 allows users to configure GSLB zones with the same domain on multiple partitions so that the domains can have independent policies for internal and external services. This also allows the same domain to be configured on different partitions, regardless of whether each partition is running in GSLB Server Mode or GSLB Proxy Mode.

Furthermore, policy, service-group, and service-IP names can be duplicated in different partitions, although the policies, service-groups, and service-IPs are configured separately in each partition. The default GSLB policy is still used globally, and can only be configured in the shared partition. GSLB site configurations remain unique and cannot be duplicated in different partitions.

NOTE: Currently DNSSEC does not support configuring the same domain in different ADPs.

Configuration

There are no new CLI commands. You configure GSLB zones on individual partitions as usual, with the exception that domain, policy, and service-group names, as well as service-IPs, can be reused across different partitions.

Example Configuration

The simple example below configures GSLB on two partitions, one labeled “External” and one labeled “Internal.” Both configurations share service-IP, policy, and zone names, but use different site names. The policy and zone configurations remain the same, but the site and zone configurations point to the service-IP and policy belonging to the partition in which the site and zone are configured.

!
partition gslb-external
!
gslb service-ip vip1 192.168.10.10
   port 80 tcp
!
!
gslb site external-1
   slb-dev external-site 192.168.100.100
      no auto-map
      vip-server vip1
!
!
!
gslb policy policy1
   dns selected-only 1
   dns server authoritative
!
!
gslb zone a10networks.com
   policy policy1
   service http www
      dns-a-record vip1 static
!
!
!
--------------------------------------------------------------------------------
!
partition gslb-internal
!
gslb service-ip vip1 10.10.10.10
   port 80 tcp
!
!
gslb site internal-1
   slb-dev internal-site 10.10.100.100
      no auto-map
      vip-server vip1
!
!
!
gslb policy policy1
   dns selected-only 1
   dns server authoritative
!
!
gslb zone a10networks.com
   policy policy1
   service http www
      dns-a-record vip1 static
!
!
!


HA, VCS

This section describes the HA/VCS enhancements:

• Hello Message Unicast Destination Address

• VRRP-A Force-Self-Standby Configuration Generates Warning Message

• VRRP-A VRID Lead Switching Example

• Active Notifications for aVCS Config Sync Errors

• Clarification of VRRP-A Support in Shared and L3V Partitions

Hello Message Unicast Destination Address

By default, VRRP-A uses an IP multicast address as the destination for VRRP-A heartbeat messages to peers. You can configure VRRP-A to use unicast heartbeats instead for layer 3 redundancy across subnets using VRRP-A.

Configure a VRRP-A peer group on each device in the VRRP-A set. For redundancy in the peer group on each ACOS device, you can configure multiple IP addresses for multiple data interfaces. You can configure a maximum of 16 IP addresses on the peer group.

NOTE: At least one unicast address must be configured on a data interface per peer ACOS device.

For reliability and redundancy, configure at least four IP addresses in a peer-group, with each IP address belonging to a different interface. This will enable you to allocate at least two interfaces per ACOS device. The peer group configuration on each VRRP-A device in the set should be the same, including the device’s own IP address. When a device sends VRRP-A heartbeats to the members of a peer group, that device skips any IP addresses that belong to itself.

Peer Group Configuration Example

The following commands configure a VRRP-A peer group on an ACOS device:

ACOS-Pri(config)#vrrp-a peer-group

ACOS-Pri(config-peer-grp)#peer 10.20.10.3

ACOS-Pri(config-peer-grp)#peer 30.20.10.6

ACOS-Pri(config-peer-grp)#peer 2607:f0d0:1002:51::4

VRRP-A Force-Self-Standby Configuration Generates Warning Message

In a VRRP-A cluster with two devices, issuing the vrrp-a force-self-standby command on the vMaster and active device causes the device to transition to a standby state. This feature adds a warning message to confirm that you want to perform this action. The warning message will appear if ACOS detects that there is no peer device eligible to become active.

In previous releases, no warning message was given; the vrrp-a force-self-standby command could have been executed on both devices in the VRID, thus causing the VRID to become inactive.


Below is an example of the warning message:

Device-A(config)#vrrp-a force-self-standby vrid default
WARNING: Please confirm that you want to perform this operation.
Doing so may cause some of the VRID(s) to become inactive in the whole vrrp-a set;
make sure you verify that an active device will be available after performing this
operation.[yes/no].

VRRP-A VRID Lead Switching Example

This section describes how to switch lead VRIDs in a VRRP-A configuration without affecting traffic when doing so.

The example in this section utilizes the topology shown in Figure 13:

FIGURE 13 VRRP-A VRID Lead Switching Example Topology

Suppose you want to change the default VRID on partition p1 to follow AX2. Using the vrrp-a vrid default follow vrid-lead-AX2 command could accomplish this; however, there may be a disruption of the traffic on partition p1’s VRID because of the time interval required for manual configuration on both sides.

This section provides alternative solutions that do not affect traffic:

• “Manual VRID Lead Switching Using Manual Configuration” on page 47

• “Automatic VRID Lead Switching Using aVCS” on page 48

Manual VRID Lead Switching Using Manual Configuration

To manually configure VRID lead switching without affecting traffic:


1. Use either an existing VRID whose up or down status is the same as the VRID you are configuring, or create a new VRID.

2. Ensure that the new VRID’s active device is the same as the current VRID’s (in this example, the active device is ACOS-1). You can accomplish this by manually setting the dynamic priority of the new VRID on ACOS-2 to a lower number than on ACOS-1, or by using the vrrp-a force-self-standby command for the new VRID on ACOS-2.

3. In partition p1 on both devices, use the vrrp-a vrid default follow vrid-lead new_vrid command to make the traffic in the partition follow the new VRID. Since the new VRID has the same VRRP-A status as the existing lead VRID, traffic is not impacted during this step.

4. Change the dynamic priority of the new VRID on ACOS-1, or use the no vrrp-a force-self-standby command for the new VRID on ACOS-2, thus causing the new VRID to become active on ACOS-2. This switch is done by message negotiation among peer devices, so no traffic is lost in this step.

Automatic VRID Lead Switching Using aVCS

aVCS uses an almost-real-time config sync across devices in the same virtual cluster. This means when the VRID lead is switched the configurations on both devices are updated almost simultaneously so that traffic is preserved.

Active Notifications for aVCS Config Sync Errors

The output of the show vcs summary command can be updated to show whether or not the running configuration of the devices in a virtual chassis is synchronized. To enable this feature, use the vcs monitor-cfgsync command in the CLI:

vcs monitor-cfgsync {disable | keepalives}

Enabling Active Monitoring for Config Sync

To enable the feature, specify a number of keepalives (each keepalive is 3 seconds); for example, if you specify 20, the vMaster will check the vBlades for a duration of 20 keepalives (60 seconds) to see if the configurations are synchronized. Specify the disable parameter to disable configuration synchronization checking in the chassis.

NOTE: This feature is only available on the vMaster device in the virtual chassis.

Below is an example of the show vcs summary output with this feature disabled (it is disabled by default):

ACOS-01-vMaster[15/7](config)#show vcs summary
VCS Chassis:
    VCS Enabled: Yes
    Chassis ID: 10
    Multicast IP: 224.0.0.210
    Multicast Port: 41217
    Version: 2.7.2-P5.b114
    VCS Monitor Sync: DISABLE
Members(* means local device):
    ID  State       Priority  IP:Port        Location  Sync-State
    ---------------------------------------------------------------------------------------------
    2   vBlade      0         1.1.1.2:41216  Remote    N/A
    3   vMaster(*)  0         1.1.1.3:41216  Local
Total: 2

The “DISABLE” in the VCS Monitor Sync field and the “N/A” in the Sync-State column both indicate that the configuration between the two devices in this chassis is not actively monitored.

These fields are updated after running the vcs monitor-cfgsync command:

ACOS-01-vMaster[15/7](config)#vcs monitor-cfgsync
ACOS-01-vMaster[15/7](config)#show vcs summary
VCS Chassis:
    VCS Enabled: Yes
    Chassis ID: 10
    Multicast IP: 224.0.0.210
    Multicast Port: 41217
    Version: 2.7.2-P5.b114
    VCS Monitor Sync: ENABLE
Members(* means local device):
    ID  State       Priority  IP:Port        Location  Sync-State
    ---------------------------------------------------------------------------------------------
    2   vBlade      0         1.1.1.2:41216  Remote    SYNC
    3   vMaster(*)  0         1.1.1.3:41216  Local
Total: 2

The “ENABLE” in the VCS Monitor Sync field indicates that the configuration between the two devices in this chassis is actively monitored; the “SYNC” in the Sync-State column indicates that the configurations on both devices are synchronized. If there is an error in the configuration (for example, someone deletes an object on the vBlade, causing the running configurations to be out of sync), the Sync-State column will show a status of “UNSYNC”.

NOTE: Generally, the configurations of the vMaster and vBlade(s) should be consistent at any time, as the aVCS synchronization mechanism is in charge of synchronizing configuration changes from the vMaster to the vBlade(s) in a real-time manner. When there is an inconsistency among the configurations of the vMaster and vBlade(s), it may mean that there is an issue with the aVCS synchronization mechanism. You should contact A10 Support in such situations.

If the Sync-State column shows a status of “UNSYNC”, you can use the show vcs-monitor-cfglog command to view the difference between the vBlade and the vMaster. For example:


ACOS#show vcs-monitor-cfglog
2015-05-18-14:24:36 master is inconsistent with blade 3(device id of vblade), the diff is
16a17
> enable-jumbo
38d38
< monitor buffer-usage 91750
...

The “>” marker indicates a configuration that exists in the vMaster, but not in the vBlade. The “<” marker denotes a configuration that exists in the vBlade, but not in the vMaster.

After the discrepancies are listed, the running configuration of the vMaster is also displayed (not shown in this example).
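A monitoring job that polls this command needs to turn the ed-style diff into something it can alert on. The parser below is an added example, not A10 code: it assumes the output format shown above (a "master is inconsistent with blade N" line, hunk headers such as 16a17 or 38d38, "> " lines present only on the vMaster, "< " lines present only on the vBlade) and, because the vMaster's running configuration follows the diff, stops collecting at the first line that is not part of a diff. The sample extends the page's two hunks with a constructed changed-line (c) hunk.

```python
"""Parser for show vcs-monitor-cfglog output (added example, not A10 code)."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<ts>\S+) master is inconsistent with blade (?P<blade>\d+)")
# ed-style hunk header: <range><a|c|d><range>, e.g. 16a17, 38d38, 52,53c52
HUNK_RE = re.compile(r"^\d+(,\d+)?[acd]\d+(,\d+)?$")


@dataclass
class CfgDrift:
    timestamp: str
    blade: int
    master_only: list = field(default_factory=list)  # '>' lines: missing on the vBlade
    blade_only: list = field(default_factory=list)   # '<' lines: extra on the vBlade


def parse_cfglog(text):
    """Return one CfgDrift per 'master is inconsistent with blade N' block."""
    drifts, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            cur = CfgDrift(m["ts"], int(m["blade"]))
            drifts.append(cur)
            continue
        if cur is None:
            continue                       # inside the trailing running-config dump
        if not line or line == "---" or line == "..." or HUNK_RE.match(line):
            continue                       # hunk header, c-hunk separator, or filler
        if line.startswith("> "):
            cur.master_only.append(line[2:])
        elif line.startswith("< "):
            cur.blade_only.append(line[2:])
        else:
            cur = None                     # diff ended: running-config dump begins
    return drifts


def drift_report(drifts):
    """One human-readable line per discrepancy, ready for a monitoring system."""
    lines = []
    for d in drifts:
        for cmd in d.master_only:
            lines.append(f"{d.timestamp} blade {d.blade}: missing on vBlade: {cmd}")
        for cmd in d.blade_only:
            lines.append(f"{d.timestamp} blade {d.blade}: extra on vBlade: {cmd}")
    return lines


# Constructed sample: the page's two hunks plus a changed-line hunk, followed
# by the start of the vMaster running-config that the command prints next.
SAMPLE_CFGLOG = """\
2015-05-18-14:24:36 master is inconsistent with blade 3(device id of vblade), the diff is
16a17
> enable-jumbo
38d38
< monitor buffer-usage 91750
52c52
< hostname ACOS-blade3
---
> hostname ACOS-01
!
hostname ACOS-01
!
"""

if __name__ == "__main__":
    for line in drift_report(parse_cfglog(SAMPLE_CFGLOG)):
        print(line)
```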

Config Sync in HA or VRRP-A Environments

The show config-sync command shows the status of config-sync in an HA or VRRP-A environment:

ACOS#show config-sync
Running-config:indicate that sync local box's running-config to peer
Startup-config:indicate that sync local box's startup-config to peer
Partition Name    Running-config    Startup-config
----------------------------------------------------
shared            Not-Sync          Not-Sync

In this example, neither the running-config nor the startup-config are being synchronized with the device’s HA or VRRP-A peer.

In the GUI, you can view the HA or VRRP-A config-sync status on the Monitor Mode->system->HA->Status page or the Monitor Mode->system->VRRP-A->Status page.

Clarification of VRRP-A Support in Shared and L3V Partitions

VRRP-A is supported in the shared partition and in L3V partitions only. VRRP-A is not supported in RBA partitions.


Layer 3 virtualization allows each L3V partition to have its own VRID, independent from the VRIDs belonging to other L3V partitions or the shared partition. By default, each L3V has a single, independent VRID (VRID 0); L3V partitions can have one VRID per partition. The shared partition also has a single VRID by default, but up to 32 VRIDs are supported in the shared partition.

SNMP, MIB

This section describes the SNMP and MIB enhancements.

• Configure Custom SNMP Community Strings per L3V Partition

• New MIB Objects Added to axAppGlobalSystemResourceUsageTable and axAppGlobalStats

• Config Sync Status for CLI and aXAPI

• SNMP Trap for aVCS State

Configure Custom SNMP Community Strings per L3V Partition

This release enables you to configure an SNMP community string for a private partition in conjunction with the shared management VLAN configuration (for more information, see “Shared Management VLAN in L3V Private Partitions” in the System Configuration and Administration Guide).

Configuration in the Shared Partition

In this example, VLAN 4094 is configured as the shared management VLAN and is made accessible to all partitions:

vlan 4094
   untagged ethernet 1
   shared-vlan management
   router-interface ve 4094
interface ve 4094
   ip address 172.17.3.254 255.255.255.0
snmp-server enable
snmp-server community read public remote 172.17.3.100
enable-management service snmp ethernet 1 ve 4094
partition 1 network-partition id 1
   template p1
      map-interface ve 4094
      allowable-ip-range 172.17.3.1


Configuration in L3V Partition p1

In partition p1, complete the shared management VLAN configuration and also configure the custom SNMP community string for this partition:

interface ve 4094
   ip address 172.17.3.1 255.255.255.0
snmp-server community read mystring
enable-management service snmp ve 4094

New MIB Objects Added to axAppGlobalSystemResourceUsageTable and axAppGlobalStats

ACOS 2.7.2-P5 adds the following objects to table axAppGlobalSystemResourceUsageTable:

axAppGlobalUtilization .1.3.6.1.4.1.22610.2.4.3.1.1.1.1.7

axAppGlobalMaxExceeded .1.3.6.1.4.1.22610.2.4.3.1.1.1.1.8

axAppGlobalThresholdExceeded .1.3.6.1.4.1.22610.2.4.3.1.1.1.1.9

axAppGlobalAverage .1.3.6.1.4.1.22610.2.4.3.1.1.1.1.10

axAppGlobalPeak .1.3.6.1.4.1.22610.2.4.3.1.1.1.1.11

The following objects have been added to axAppGlobalStats

axGlobalTotalThroughput .1.3.6.1.4.1.22610.2.4.3.1.2.13.0

axGlobalTotalBandWidth .1.3.6.1.4.1.22610.2.4.3.1.2.14.0

axGlobalTotalSslThroughput .1.3.6.1.4.1.22610.2.4.3.1.2.15

axGlobalTotalL4Cps .1.3.6.1.4.1.22610.2.4.3.1.2.16

axGlobalTotalL7Cps .1.3.6.1.4.1.22610.2.4.3.1.2.17

axGlobalTotalSslCps .1.3.6.1.4.1.22610.2.4.3.1.2.18

Config Sync Status for CLI and aXAPI

Previously, in an HA or VRRP environment, configuration synchronization status could only be seen in the GUI. Now it is possible to see the status with the CLI and the aXAPI. This enhancement includes:

• The ability to see a summary of all partitions when in the shared partition. The summary lists a count of out of sync partitions and a list of unsynchronized partitions.

• The ability to see an individual partition’s sync status when inside the partition or when in the shared partition.

There are two show commands for use in the shared partition. The show config-sync all-partitions command will list config sync status for all partitions (including sync and not sync). The show config-sync command will list the shared partition’s status.

There is one show command for use in the private partition. The show config-sync command will list the private partition’s status.


When you use the commands, the ACOS device compares the config sync time (ha sync) and the update time for the configuration. If the config sync time is earlier than the update time, the status is Not-Sync; otherwise the status is Sync. If the devices are in the VCS environment, they are always in Sync status.

CLI Example

The show config-sync all-partitions and show config-sync commands both have the same available output modifiers:

ACOS-Active# sho config-sync | ?
  begin    Begin with the line that matches
  include  Include lines that match
  exclude  Exclude lines that match
  section  Filter a section of output

To view the sync status of all partitions from within the shared partition, where Partition A exists:

ACOS-Active> show config-sync all-partitions
Running-config:indicate that sync local box's running-config to peer
Startup-config:indicate that sync local box's startup-config to peer
Partition Name    Running-config    Startup-config
----------------------------------------------------
shared            Not-Sync          Not-Sync
a                 Not-Sync          Not-Sync
l3v1              Not-Sync          Not-Sync
l3v2              Not-Sync          Not-Sync

To view the shared partition’s status:

ACOS-Active> show config-sync
Running-config:indicate that sync local box's running-config to peer
Startup-config:indicate that sync local box's startup-config to peer
Partition Name    Running-config    Startup-config
----------------------------------------------------
shared            Not-Sync          Not-Sync

To view the sync status from within Partition A:

ACOS-Active[a]> show config-sync
Running-config:indicate that sync local box's running-config to peer
Startup-config:indicate that sync local box's startup-config to peer
Partition Name    Running-config    Startup-config
----------------------------------------------------
a                 Not-Sync          Not-Sync

From within the private partition, show config-sync all-partitions is not supported.

If you configure ha sync xx to xx and then check the status, the shared and Partition A should be in Sync.


aXAPI Example

Use the methods for config_sync.get_partitions or config_sync.get based on your requirements.

To view the sync status of all partitions:

https://192.168.99.51:443/services/rest/V2.1/?session_id=b121c16aa0c0361e9be-be5bd67e60a&format=json&method=config_sync.get_partitions

The response body:

{
  "config_sync_partition_list": [
    {
      "partition_name": "shared",
      "configsync_status": "running-config is Not-Sync,startup-config is Not-Sync "
    },
    {
      "partition_name": "a",
      "configsync_status": "running-config is Not-Sync, startup-config is Not-Sync"
    },
    {
      "partition_name": "l3v1",
      "configsync_status": "running-config is Not-Sync, startup-config is Not-Sync"
    },
    {
      "partition_name": "l3v2",
      "configsync_status": "running-config is Not-Sync, startup-config is Not-Sync"
    }
  ]
}

To view the sync status of a private partition that the login account has privileges to access:

https://192.168.99.51:443/services/rest/V2.1/?session_id=b121c16aa0c0361e9be-be5bd67e60a&format=json&method=config_sync.get

The response body:

{
  "config_sync": {
    "partition_name": "a",
    "configsync_status": "running-config is Not-Sync,startup-config is Not-Sync "
  }
}

In the private partition, config_sync.get_partitions is not supported and returns an error:

{
  "response": {
    "status": "fail",
    "err": {
      "code": 1186,
      "msg": "not support this command in private partition."
    }
  }
}
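A script that polls these aXAPI methods has to handle all three response shapes shown above, including the error a private-partition login receives. The checker below is an added example, not A10 code: it parses the configsync_status strings in the page's format (note the first one keeps the missing space and trailing blank seen in the page output), raises on the error response with its code, and lists the partitions whose running- or startup-config is Not-Sync so the result can feed a monitoring check. The samples are constructed, and the AxapiError name is an assumption of this example.

```python
"""Checker for aXAPI config_sync.get / config_sync.get_partitions responses
(added example, not A10 code)."""
import json
import re

STATUS_RE = re.compile(
    r"running-config is (?P<run>Sync|Not-Sync),\s*startup-config is (?P<start>Sync|Not-Sync)")


class AxapiError(Exception):
    """Raised for a {"response": {"status": "fail", ...}} body."""
    def __init__(self, code, msg):
        super().__init__(f"aXAPI error {code}: {msg}")
        self.code, self.msg = code, msg


def parse_config_sync(body):
    """Map partition name -> (running_status, startup_status).
    Accepts a JSON string or an already-decoded dict."""
    data = json.loads(body) if isinstance(body, str) else body
    resp = data.get("response")
    if resp and resp.get("status") == "fail":
        raise AxapiError(resp["err"]["code"], resp["err"]["msg"])
    if "config_sync_partition_list" in data:          # config_sync.get_partitions
        entries = data["config_sync_partition_list"]
    elif "config_sync" in data:                       # config_sync.get
        entries = [data["config_sync"]]
    else:
        raise ValueError("not a config_sync.get/get_partitions response")
    result = {}
    for entry in entries:
        m = STATUS_RE.search(entry["configsync_status"])
        if not m:
            raise ValueError(f"unparseable status: {entry['configsync_status']!r}")
        result[entry["partition_name"]] = (m["run"], m["start"])
    return result


def unsynced_partitions(statuses):
    """Partitions where either config is not in sync with the HA/VRRP-A peer."""
    return sorted(name for name, (run, start) in statuses.items()
                  if run != "Sync" or start != "Sync")


# Constructed samples in the page's response format.
SAMPLE_ALL = json.dumps({"config_sync_partition_list": [
    {"partition_name": "shared",
     "configsync_status": "running-config is Sync,startup-config is Sync "},
    {"partition_name": "a",
     "configsync_status": "running-config is Not-Sync, startup-config is Not-Sync"},
    {"partition_name": "l3v1",
     "configsync_status": "running-config is Sync, startup-config is Not-Sync"},
]})
SAMPLE_ONE = json.dumps({"config_sync": {
    "partition_name": "a",
    "configsync_status": "running-config is Not-Sync,startup-config is Not-Sync "}})
SAMPLE_ERR = json.dumps({"response": {"status": "fail", "err": {
    "code": 1186, "msg": "not support this command in private partition."}}})

if __name__ == "__main__":
    print("out of sync:", unsynced_partitions(parse_config_sync(SAMPLE_ALL)))
```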

SNMP Trap for aVCS State

The snmp-server enable traps ha command now includes an option for sending an SNMP trap when the aVCS state changes. For example, when the aVCS status changes from a vMaster-candidate to a vBlade, an SNMP trap message is sent regarding this status change.

CLI Example

ACOS(config)# snmp-server enable traps ha vcs-state-change

Network Visibility

This section describes the Network Visibility enhancements.

• Performance Improvement for AX Debug Save Operation

Performance Improvement for AX Debug Save Operation

Previously, when using the (axdebug)#capture non-display save filename [max-packets] [incoming [portnum]] [outgoing [portnum]] command, the save operation would capture and write out packet by packet.

To improve performance in 2.7.2-P5, axdebug now uses stream IO and file caching for its capture and write operations.

Platform Software

This section describes the Platform Software enhancements.

• Immediate Hardware Fault Log Generation

Immediate Hardware Fault Log Generation

Previously, log generation occurred 20 to 30 seconds after a hardware fault was detected or corrected. In addition, the log generation for system high temperatures only occurred when the warning or shutdown state was reached. The lag between the logging and the show environment output led to a discrepancy when viewing the hardware status.


Two new commands and enhancements to existing commands have been made to improve the synchronization between detecting, reporting, and viewing the hardware status and temperatures.

environment update-interval

The new environment update-interval <1-60> command makes it possible to set the polling interval for detecting hardware faults. The lower the update interval, the sooner the messages appear in the syslog and the status is reflected in the show environment output. The default update interval is 30 seconds.

The following example shows how to set the interval to 5 seconds:

ACOS(config)# environment update-interval 5

environment temperature threshold

The new environment temperature threshold low <1-60> medium <1-60> high <1-68> command allows for three levels of temperature alarms in degrees Celsius. The defaults are 25 for low, 45 for medium, and 68 for high.

The following example shows how to set the low, medium, and high thresholds to 20, 40, and 55 degrees respectively:

ACOS(config)# environment temperature threshold low 20 medium 40 high 55

show environment

The show environment command is enhanced so that the output is now in sync with the hardware fault syslog generation in less than two seconds.

The following example shows the output reflecting the new update interval and temperature thresholds:

ACOS>show environment

Updated information every 5 Seconds

Physical System temperature: 39C / 102F : OK-low/med

Thresholds: Low 20 / Medium 40 / High 55

Fan1A : OK-med/high Fan1B : OK-med/high

Fan2A : OK-med/high Fan2B : OK-med/high

Fan3A : OK-low/med Fan3B : OK-low/med

Fan4A : OK-med/high Fan4B : OK-med/high

Fan5A : OK-low/med Fan5B : OK-low/med

Fan6A : OK-med/high Fan6B : OK-med/high

System Voltage 12V : OK

System Voltage 5V : OK

System Voltage CPU1 DDR3 1.5V : OK

System Voltage CPU0 DDR3 1.5V : OK

System Voltage IOH 1.1V : OK

System Voltage SB 5V : OK

Right Power Unit(Rear view) State: On

Left Power Unit(Rear view) State: Off
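As an added example (not part of the A10 release notes, and not ACOS code), the following Python parses show environment output of the form above and raises the alerts a monitoring job would act on: temperature band against the configured thresholds, power units not in the On state, and voltage rails not reporting OK. The sample text is constructed from the output above; the band names other than OK-low/med and OK-med/high are assumptions, since the notes show only those two.

```python
"""Parse ACOS `show environment` output and flag hardware conditions.

Added example, not ACOS code. Band labels other than OK-low/med and
OK-med/high are assumed; the sample output is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the show environment output in the release notes.
SAMPLE_OUTPUT = """\
Updated information every 5 Seconds
Physical System temperature: 39C / 102F : OK-low/med
Thresholds: Low 20 / Medium 40 / High 55
Fan1A : OK-med/high Fan1B : OK-med/high
Fan2A : OK-low/med Fan2B : OK-low/med
System Voltage 12V : OK
System Voltage 5V : OK
Right Power Unit(Rear view) State: On
Left Power Unit(Rear view) State: Off
"""


@dataclass
class EnvStatus:
    interval: int = 0
    temp_c: int = 0
    thresholds: dict = field(default_factory=dict)
    fans: dict = field(default_factory=dict)
    voltages: dict = field(default_factory=dict)
    power_units: dict = field(default_factory=dict)


def classify_temperature(temp_c, low, medium, high):
    """Map a temperature onto the bands set with `environment temperature threshold`.
    The two band names printed by the device are reproduced; HIGH and
    OK-below-low are assumed labels for the remaining ranges."""
    if temp_c >= high:
        return "HIGH"
    if temp_c >= medium:
        return "OK-med/high"
    if temp_c >= low:
        return "OK-low/med"
    return "OK-below-low"


def parse_show_environment(text):
    """Extract interval, temperature, thresholds, fan, voltage and PSU state."""
    st = EnvStatus()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Updated information every (\d+) Seconds", line):
            st.interval = int(m.group(1))
        elif m := re.match(r"Physical System temperature: (\d+)C", line):
            st.temp_c = int(m.group(1))
        elif m := re.match(r"Thresholds: Low (\d+) / Medium (\d+) / High (\d+)", line):
            st.thresholds = dict(zip(("low", "medium", "high"), map(int, m.groups())))
        elif line.startswith("Fan"):
            # Two fans are reported per line, e.g. "Fan1A : OK-med/high Fan1B : OK-med/high".
            for name, state in re.findall(r"(Fan\d+[A-Z]) : (\S+)", line):
                st.fans[name] = state
        elif m := re.match(r"System Voltage (.+?) : (\S+)", line):
            st.voltages[m.group(1)] = m.group(2)
        elif m := re.match(r"(\w+) Power Unit\(Rear view\) State: (\w+)", line):
            st.power_units[m.group(1)] = m.group(2)
    return st


def hardware_alerts(st):
    """Return the alerts a monitoring job would raise for this snapshot."""
    alerts = []
    band = classify_temperature(st.temp_c, st.thresholds["low"],
                                st.thresholds["medium"], st.thresholds["high"])
    if band == "HIGH":
        alerts.append(f"temperature {st.temp_c}C at or above high threshold")
    for name, state in st.power_units.items():
        if state != "On":
            alerts.append(f"{name} power unit state {state}")
    for rail, state in st.voltages.items():
        if state != "OK":
            alerts.append(f"voltage rail {rail} {state}")
    return alerts


if __name__ == "__main__":
    status = parse_show_environment(SAMPLE_OUTPUT)
    print(classify_temperature(status.temp_c, **status.thresholds))
    print(hardware_alerts(status))
```

Pairing a short update interval with a poll of this parser keeps the monitoring view within a few seconds of the syslog, which is the discrepancy the enhancement removes.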


show log

The show log command is enhanced so that the hardware fault syslog generation is now in sync with the environment output in less than two seconds.

The following example shows that the Left Power Unit matches the same state as in the show environment example:

ACOS>show log

Log Buffer: 30000

Jun 29 2006 17:33:41 Critica [SYSTEM]:System Left Power Unit (Rear view) Off.

Current value is 2

Additional Changes

This section describes additional enhancements.

• Maximum Number of Cookies in the Cookie Persistence Template

Maximum Number of Cookies in the Cookie Persistence Template

In 2.7.2-P5, the maximum number of cookies allowed in a persistence template is increased to 128. Starting in the 2.7.2 release, the maximum number was set to 63, and was enforced such that parse errors could be observed when the number of cookies exceeded the limit.


Enhancements in ACOS 2.7.2-P4

This section describes the enhancements in ACOS 2.7.2-P4.

• aFleX

• L2/L3 Routing

• Layer 4-7

• L47-Enterprise

• System/Cloud Solutions

aFleX

This section describes the aFleX enhancements.

• Increased aFleX Log Message Length

• Enhancements to the RESOLVE::lookup Command

• Change in Behavior of LB_FAILED

• Binding aFleX to FIX vPort

Increased aFleX Log Message Length

ACOS 2.7.2-P4 increases the length of log messages generated by aFleX events from 512 bytes to 1024 bytes. No configuration changes are required.

Enhancements to the RESOLVE::lookup Command

ACOS release 2.7.2-P4 introduces support for the RESOLVE::lookup command with the CLIENT_ACCEPTED and CLIENT_DATA events in aFleX scripts applied to TCP-Proxy virtual ports.

The RESOLVE::lookup command is not supported with the CLIENT_ACCEPTED event in aFleX scripts applied to HTTP virtual ports. To use this command on an HTTP virtual port, use the HTTP_REQUEST event instead.

Change in Behavior of LB_FAILED

For aFleX scripts bound to TCP virtual ports on which no health monitors are enabled, the LB_FAILED event will be triggered by the following conditions:

• The selected server is unreachable (no route host).

• The selected server is non-responsive (fails to respond to a connection request).

• The selected server sent a TCP Reset. In order to enable this trigger, configure inband-health-check resel-on-reset on a port template attached to the service group or real server port associated with the virtual port.


Example

The following CLI configuration will trigger the LB_FAILED event whenever the selected server sends a TCP Reset:

ACOS(config)#slb template port port

ACOS(config-rport)#inband-health-check resel-on-reset

ACOS(config)#slb service-group http tcp

ACOS(config-slb svc group)#template port port

ACOS(config-slb svc group)#member s1:80

ACOS(config-slb svc group)#member s2:80

ACOS(config-slb svc group)#member s3:80

ACOS(config)#aflex create lb

Type in your aFleX script (type . on a line by itself when done)

when LB_FAILED {

log "load-balancing failed"

}

.

aFleX lb created; syntax check passed.

ACOS(config)#slb virtual-server vip 100.100.100.100

ACOS(config-slb vserver)#port 80 tcp

ACOS(config-slb vserver-vport)#service-group http

ACOS(config-slb vserver-vport)#aflex lb

Binding aFleX to FIX vPort

ACOS 2.7.2 P4 features an enhancement allowing aFleX scripts that contain FIX protocol events or commands to be bound to FIX protocol vPorts. Previously, FIX protocol events and commands in aFleX could only be bound to a TCP-proxy vPort.

Example

The following example illustrates a CLI configuration where an aFleX script file named “fix_test” containing FIX protocols is bound to a FIX vPort.

interface management

ip address 192.168.20.58 255.255.255.0

ip default-gateway 192.168.20.1

!

ip route 192.168.42.0 /24 192.168.20.1

interface ethernet 1

ip address 20.20.25.1 255.255.255.0

ipv6 address 2001::20:20:25:1/112

!

interface ethernet 2

ip address 20.20.125.1 255.255.255.0

ipv6 address 2001::20:20:125:1/112

!

slb server rs-125-50 20.20.125.50


no health-check

port 5001 fix

no health-check

!

slb service-group sg-FIX-125-g1 tcp

member rs-125-50:5001

!

slb virtual-server vip-L7-25-130 20.20.25.130

port 5001 fix

service-group sg-FIX-125-g1

aflex fix_test

L2/L3 Routing

This section describes the L2/L3 routing enhancements.

• Route-Map High Availability Extended for all Interior Gateway Protocols

Route-Map High Availability Extended for all Interior Gateway Protocols

In previous releases, route-map high availability support was available for BGP only.

This release extends this functionality to support all interior gateway protocols, such as OSPFv2, OSPFv3, ISISv4/6, RIP and RIPng.

For more information about this feature, see “BGP VRRP-HA or HA Support” in the System Configuration and Administration Guide.

Layer 4-7

This section describes the Layer 4-7 enhancements.

• SMTP Health Check

• Increasing the Maximum Number of Health Checks

• L3V support for explicit proxy (allow DNS configuration per L3V partition)

• DNS Cache Enhancement

• Simple Certificate Enrollment Protocol

• Rate Limit Resets for Unknown Sessions

• Service Group Status can be Determined by Minimum Number of Healthy Ports

• Bypassing Client Authentication Traffic

• Log Generated When SSL Insight Fails


• SSL: Priority for ECDHE and DHE Cipher Support

SMTP Health Check

This release introduces an enhancement for SMTP health checks where the ACOS device generates an SMTP message after establishing a TCP connection with the server. The message is sent only after the ACOS device sends the “HELO” message and receives the expected response.

To configure the name of the SMTP sender for this message, use the mail-from parameter in health monitor configuration mode in the CLI. For example:

ACOS(config)#health monitor hm1

ACOS(config-health:monitor)#method smtp domain A10 mail-from [email protected]

To configure the name of the recipient for this message, use the rcpt-to parameter from health monitor configuration mode in the CLI. This is an optional parameter available after the mail-from parameter is specified. For example:

ACOS(config-health:monitor)#method smtp domain A10 mail-from [email protected] rcpt-to [email protected]

To configure this feature using the GUI, navigate to Config Mode > Health Monitor and select a specific health monitor. You can specify the sender and recipient information at the bottom of the Method panel.


Increasing the Maximum Number of Health Checks

This feature increases the maximum number of configurable health checks from 1024 to 8192 on all 64-bit platforms. The maximum varies by platform, depending on memory. Platforms with memory above 24G, such as AX5200 and AX5430, can reach the maximum of 8192.

The following table shows the maximum number of configurable health checks for different platform memory sizes:

Memory    Maximum Number of Health Checks
2G-8G     1024
12G       2048
16G       4096
24G       8192

To configure the maximum number of health checks, use the new health-monitor-count parameter of the system resource-usage command at the global configuration level in the CLI. For example:

ACOS(config)#system resource-usage health-monitor-count 8192

Any change takes effect when the device is reloaded. The output of the corresponding show commands then reads as follows:

ACOS(config)#show run | section system

system resource-usage health-monitor-count 8192

ACOS(config)#reload

Reload AX....Done.

ACOS(config)#show system resource-usage | section health

health-monitor-count 8192 1023 512 8192

To configure this feature using the GUI, navigate to Config Mode > System > Settings > General > Resource Usage > Global. The Health Monitor parameter is located at the bottom of the SLB Usage Limitation section.

L3V support for explicit proxy (allow DNS configuration per L3V partition)

Prior to this release, explicit DNS proxies were not fully L3V aware. Shared and L3V partitions used the shared partition's IP DNS server and cache to resolve and cache entries. Therefore, for the explicit proxy to work in L3V partitions, the L3V partition had to be connected to the IP DNS server configured in the shared partition.

To address this, a new “Dynamic Service” SLB template has been added to make the explicit proxy use the DNS server configured under that template. L3V partitions are now independent of the shared partition's IP DNS server and cache.

Using the CLI

The new template type parameter, dynamic-service, has been added under the slb template command. In the following example, dynamic service template “ds1” is configured with the DNS server IP address 88.88.88.20. It is then bound to the virtual port of virtual server “vip1”.

ACOS(config)#slb template dynamic-service ds1

ACOS(config-dynamic-service)#dns server 88.88.88.20


ACOS(config-dynamic-service)#exit

ACOS(config)#slb virtual-server vip1 11.11.11.15

ACOS(config-slb vserver)#port 8080 http

ACOS(config-slb vserver-vport)#template dynamic-service ds1

Using the GUI

To configure a dynamic service template using the GUI, navigate to Config Mode > SLB > Template > Application > Dynamic Service. Enter the DNS server information in the DNS Server field and click the Add button.

NOTES:

• Currently, you can only configure a maximum of 2 DNS servers in a template.

• If the DNS servers in the configured template are down, ACOS tries those servers only once, instead of the three attempts made for standard IP DNS servers.

• Under the shared partition, if the dynamic service template is configured and bound to a virtual port, and a standard IP DNS server is also configured, the dynamic service template takes precedence.

DNS Cache Enhancement

This feature enhances the DNS cache module to display the details of DNS cache entries. The new output includes the DNS header, question section, answer section, authority section and additional section, if applicable. The new detail keyword can be appended to the show dns cache entry command. The following example shows the changes to the CLI, which are highlighted in blue in the original document.

AX3030#show dns cache entry

S = DNSSEC, T = Type, C = Class, W = weight

Qlen = Query length, Rlen = Response length

Domain S T C Qlen Rlen TTL Age W Hit

-----------------------------------+---+---+-----+-----+-------+-------+--+-------

www1.example.com 0 1 1 22 157 60000 420 1 0

www2.example.com 0 1 1 22 157 60000 0 1 0

Total: 2


ACOS#show dns cache entry detail ?

WORD The name of the resource record that is to be looked up

ACOS#show dns cache entry detail www1.example.com ?

A Address record

AAAA IPv6 address record

CNAME Canonical name record

NS Name server record

SOA Start of a zone of authority record

TXT Text record

MX Mail exchange record

DNAME Delegation Name

PTR Pointer record

<1-65535> indicates what type of query is required, A type is by default

| Output modifiers

<cr>

The example continues below and shows the detailed output of the address record for “www1.example.com”:

ACOS#show dns cache entry detail www1.example.com A

;; ->>HEADER<<- opcode: QUERY, status: NOERROR

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:

www1.example.com. IN A

;; ANSWER SECTION:

www1.example.com. 50 IN A 10.105.2.103

www1.example.com. 50 IN A 10.105.2.101

www1.example.com. 50 IN A 10.105.2.102

;; AUTHORITY SECTION:

example.com. 7200 IN NS nl.example.com.

example.com. 7200 IN NS ie.example.com.

example.com. 7200 IN NS us.example.com.

;; ADDITIONAL SECTION:

ie.example.com. 7200 IN A 80.93.25.175

nl.example.com. 7200 IN A 83.96.156.169

us.example.com. 7200 IN A 67.202.99.74
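The detail output above follows the familiar dig-style layout, so it can be parsed and checked by a script. The following Python is an added example (not from the A10 release notes and not ACOS code): it parses the header, flags, counts and the four sections into a dictionary, verifies that the record counts announced in the header match what was printed, and lists NS targets from the authority section that have no glue address in the additional section. The input text is constructed from the example above.

```python
"""Parse the dig-style dump printed by `show dns cache entry detail <name> <type>`.

Added example, not ACOS code. The sample text is constructed from the
release-note output.
"""
import re

SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
www1.example.com. IN A
;; ANSWER SECTION:
www1.example.com. 50 IN A 10.105.2.103
www1.example.com. 50 IN A 10.105.2.101
www1.example.com. 50 IN A 10.105.2.102
;; AUTHORITY SECTION:
example.com. 7200 IN NS nl.example.com.
example.com. 7200 IN NS ie.example.com.
example.com. 7200 IN NS us.example.com.
;; ADDITIONAL SECTION:
ie.example.com. 7200 IN A 80.93.25.175
nl.example.com. 7200 IN A 83.96.156.169
us.example.com. 7200 IN A 67.202.99.74
"""

SECTIONS = ("QUESTION", "ANSWER", "AUTHORITY", "ADDITIONAL")
SECTION_RE = re.compile(r";; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")


def parse_dns_detail(text):
    """Return a dict with opcode, status, flags, header counts and record sections."""
    entry = {"opcode": None, "status": None, "flags": [], "counts": {},
             "sections": {s: [] for s in SECTIONS}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"opcode: (\w+), status: (\w+)", line)
            entry["opcode"], entry["status"] = m.group(1), m.group(2)
        elif line.startswith(";; flags:"):
            flags_part, counts_part = line[len(";; flags:"):].split(";", 1)
            entry["flags"] = flags_part.split()
            for name, num in re.findall(r"(\w+): (\d+)", counts_part):
                entry["counts"][name] = int(num)
        elif m := SECTION_RE.match(line):
            current = m.group(1)
        elif current == "QUESTION":
            name, rclass, rtype = line.split()
            entry["sections"]["QUESTION"].append(
                {"name": name, "class": rclass, "type": rtype})
        elif current:
            # Resource record: owner, TTL, class, type, rdata (rdata may contain spaces).
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            entry["sections"][current].append(
                {"name": name, "ttl": int(ttl), "class": rclass,
                 "type": rtype, "rdata": rdata})
    return entry


def check_counts(entry):
    """Sections whose printed record count disagrees with the header counts."""
    header_to_section = {"QUERY": "QUESTION", "ANSWER": "ANSWER",
                         "AUTHORITY": "AUTHORITY", "ADDITIONAL": "ADDITIONAL"}
    return [sec for hdr, sec in header_to_section.items()
            if entry["counts"].get(hdr) != len(entry["sections"][sec])]


def answer_addresses(entry, rtype="A"):
    """The rdata of every answer record of the requested type, in cache order."""
    return [r["rdata"] for r in entry["sections"]["ANSWER"] if r["type"] == rtype]


def missing_glue(entry):
    """NS targets in AUTHORITY that have no A/AAAA record in ADDITIONAL."""
    have = {r["name"] for r in entry["sections"]["ADDITIONAL"]
            if r["type"] in ("A", "AAAA")}
    return [r["rdata"] for r in entry["sections"]["AUTHORITY"]
            if r["type"] == "NS" and r["rdata"] not in have]


if __name__ == "__main__":
    e = parse_dns_detail(SAMPLE)
    print(e["status"], e["flags"], answer_addresses(e), check_counts(e), missing_glue(e))
```

Comparing the cached answer set against an independent resolver in this way is a cheap check that a cached entry has not drifted from what the authoritative servers currently serve.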

Simple Certificate Enrollment Protocol

ACOS 2.7.2-P4 adds support for Simple Certificate Enrollment Protocol (SCEP). SCEP is part of the public key infrastructure (PKI). SCEP simplifies management of security certificates by providing simplified installation and automated renewal of X.509 certificates. You can use SCEP certificates with the same ACOS features that support manually imported certificates. For example, SCEP certificates are supported with SSL Insight (SSLi). Note that this feature will not be supported on HSM platforms, including Thunder 5630.

To configure a SCEP certificate, you need to specify the certificate name, a password, and the location (URL) of the ES. ACOS handles the rest. Then, to use the certificate, add it to an SSL template and bind the template to the virtual port in your application. There is no GUI support for configuring this feature.

SCEP Certificate Enrollment and Renewal Process

After you configure a SCEP certificate for enrollment, ACOS performs the following steps:

1. Generate a private key. In this step, an RSA key with the specified key length is generated for the certificate.

2. Fetch CA certificates. ACOS queries the ES for its certificates. In this step, three certificates are returned: 1 CA certificate and 2 ES certificates (an ES-encryption certificate and an ES-signature certificate).

3. Generate Certificate Signing Request (CSR). The CSR includes the SCEP password you assign to the SCEP certificate, and other parameters needed for the certificate.

4. Fetch the certificate. The CSR is encrypted using the public key of the ES-encryption certificate, and forwarded to the ES.

The ES validates the CSR and forwards the request to the CA. The CA then returns the signed certificate. The certificate is signed using the ES-signature certificate.

5. Store the certificate. After successful verification of the response from the CA, ACOS accepts the certificate and stores it in the following locations:

/a10data/cert/

/a10data/key/

SCEP certificates are stored in DER format. SCEP keys are stored in PEM format.

6. Schedule renewal. ACOS handles automatic renewal of the certificate when it is about to expire. ACOS checks the expiration dates of both the enrolled certificate and the issuing CA’s certificate. ACOS then schedules renewal of the certificate, to occur at a specific time or periodically, depending on configuration. ACOS bases the new expiration date on the later of the expiration dates of the enrolled certificate and the CA certificate.

7. Rotate and store files. After certificate renewal, the old certificate and key files are still stored for future reference. Old files are rotated and the new files replace the existing files. For example, a certificate named “acos-cert” is initially stored in the following location: /a10data/cert/acos-cert. After the certificate is renewed, the old file is moved to the following location: /a10data/cert/acos-cert#1.

The newly renewed certificate is moved to /a10data/cert/acos-cert. This step ensures that there is no need to change the configuration for applications that use the SCEP certificates, because a valid certificate with the correct name is always stored in the same location. The same applies for private keys as well. ACOS stores up to 4 old certificate and key files for each SCEP certificate.
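The rotation scheme in steps 5 and 7 (renewed file always under the unchanged name, previous versions shifted to name#1, name#2 and so on, at most four old copies kept) is easy to get subtly wrong, for instance by overwriting name#2 before name#1 has been moved. The following Python is an added example, not ACOS code, that implements the scheme as described: it assumes a plain cert/ and key/ directory pair under a base path standing in for /a10data, writes the renewed file through a temporary name so a reader never sees a half-written certificate under the active name, and restricts the key file permissions.

```python
"""Rotate certificate and key files the way the SCEP renewal step describes.

Added example, not ACOS code. Assumes <base>/cert/<name> and <base>/key/<name>
as the active files, <name>#1 .. <name>#4 as older copies (newest first),
and a temp-file-then-rename write for the renewed file.
"""
import os
import tempfile
from pathlib import Path

MAX_OLD = 4  # release notes: up to 4 old certificate and key files are kept


def rotate_and_store(base, kind, name, new_bytes):
    """Shift name -> name#1 -> name#2 ... (dropping anything past MAX_OLD),
    then write new_bytes under the unchanged active name.
    Returns the sorted directory listing afterwards."""
    d = Path(base) / kind
    d.mkdir(parents=True, exist_ok=True)
    # Discard the oldest rotation if keeping it would exceed the retention limit.
    oldest = d / f"{name}#{MAX_OLD}"
    if oldest.exists():
        oldest.unlink()
    # Shift existing rotations up by one, highest index first so nothing is clobbered.
    for i in range(MAX_OLD - 1, 0, -1):
        src = d / f"{name}#{i}"
        if src.exists():
            src.replace(d / f"{name}#{i + 1}")
    current = d / name
    if current.exists():
        current.replace(d / f"{name}#1")
    # Write the renewed file under a temporary name and rename it into place
    # atomically; consumers of the active name never observe a partial file.
    tmp = d / f".{name}.tmp"
    tmp.write_bytes(new_bytes)
    os.chmod(tmp, 0o600 if kind == "key" else 0o644)
    tmp.replace(current)
    return sorted(p.name for p in d.iterdir())


def renew(base, name, cert_bytes, key_bytes):
    """Renew both artefacts of one SCEP certificate; returns (cert listing, key listing)."""
    return (rotate_and_store(base, "cert", name, cert_bytes),
            rotate_and_store(base, "key", name, key_bytes))


def demo():
    """Six renewals of 'acos-cert' in a scratch directory (constructed contents).
    Returns the final cert listing, the active cert bytes and the oldest kept copy."""
    base = Path(tempfile.mkdtemp())
    listing = None
    for n in range(6):
        listing, _ = renew(base, "acos-cert", f"cert-{n}".encode(), f"key-{n}".encode())
    current = (base / "cert" / "acos-cert").read_bytes()
    oldest = (base / "cert" / f"acos-cert#{MAX_OLD}").read_bytes()
    key_mode = (base / "key" / "acos-cert").stat().st_mode & 0o777
    return listing, current, oldest, key_mode


if __name__ == "__main__":
    print(demo())
```

After six renewals only the active file and four predecessors remain, and the active name still points at the newest material, which is what lets SSL templates keep referencing cert mycert and key mycert across renewals.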

Configuration Using the CLI

To configure SCEP using the CLI:

1. Use the following command to create the certificate and change the CLI to the configuration level for it:


[no] pki scep-cert cert-name

2. Use the following command to specify the location of the ES:

[no] url {http://[user@]host/file | https://[user@]host/file | sftp://[user@]host/file}

The user is the admin name required by the ES to accept the request. The host is the ES IP address or hostname. The file is the path and filename for the SCEP process on the ES. Example:

url http://192.168.230.101/certsrv/mscep/mscep.dll

3. Specify the password for the certificate. ACOS includes this password in enrollment and renewal requests for the certificate.

[no] password string

4. (Optional) Configure additional parameters.

[no] dn "cn=string, dc=string, dc=string"

[no] interval seconds

[no] key-length {1024 | 2048 | 4096}

[no] max-polltime seconds

[no] method {GET | POST}

[no] renew-before {day | hour | month | week} num

[no] renew-every {day | hour | minute | month | week} num

[no] subject-alternate-name {dns hostname | email email-address | ip ipaddr}

SCEP certificates have the following default settings:

• Interval – 5 seconds

• Log level – 1

• Maximum poll time – 180 seconds

• Method – GET

The other parameters are not set by default.

5. Use the following command to begin the enrollment process for the certificate.

[no] enroll

Copying SCEP Files

To copy SCEP certificates and keys, use the following commands:


[no] pki copy-cert old-cert-name [rotation num] new-cert-name [overwrite]

[no] pki copy-key old-key-name [rotation num] new-key-name [overwrite]

Displaying SCEP Information

To display SCEP information, use the following commands:

show pki scep-cert status

show pki scep-cert log cert-name [follow | from-start | num-lines num]

Configuration Example

The following commands configure an ACOS device as the inside device in an SSLi deployment. The wildcard VIP on this device receives SSL-encrypted traffic from inside users, and decrypts the traffic before sending it to the traffic inspector.

The deployment uses a certificate administered by an SCEP ES. Based on the configuration, ACOS automatically renews the certificate on a monthly basis.

NOTE: For brevity, this example shows only the inside device, where the SCEP configuration occurs, and uses only one certificate. The certificate is used both as the root certificate and as a forward-proxy certificate, which uses SNI support.

On the outside device, the only required command related to SSLi is forward-proxy-enable, to enable support for the SSLi feature on the device.

The following commands enroll the certificate. You need to enroll each certificate only once. After a certificate is enrolled, ACOS uses SCEP to administer it, including renewing the certificate before it expires. You do not need to spend more time administering certificates after you enroll them.

pki scep-cert mycert

url http://192.168.230.101/certsrv/mscep/mscep.dll

password encrypted ftwQbZLE+Pfi9D3NiKZISXnzbhgN0x4dT4BmmHjcOaaOtxBuHxdzhjwQjLjV2wDn

renew-every month 1

!

The following commands configure the client-SSL template:

slb template client-ssl ssl_int

cert mycert

key mycert

forward-proxy-enable

forward-proxy-ca-cert mycert

forward-proxy-ca-key mycert

!


The following commands configure the wildcard VIP. This includes configuration of the other resources, in addition to the client-SSL template, that the wildcard VIP requires: an ACL that matches the inside clients, the real server configuration, and the service group.

access-list 101 permit ip any 10.2.2.0 0.0.0.255 log

!

slb server rs1 10.3.3.1

no health-check

port 443 tcp

no health-check

!

slb service-group sg1-tcp tcp

member rs1:443

!

slb virtual-server vs1-v4 0.0.0.0 acl 101

extended-stats

port 8080 http

service-group sg1-tcp

template client-ssl ssl_int

no-dest-nat port-translation

!

The following commands show information about the certificate:

ACOS(config)#show slb ssl cert

Name: mycert Type: certificate/key Expiration: Dec 8 22:23:48 2014 GMT [Expired, Bound] SCEP Enrolled

ACOS(config)#show slb ssl cert mycert

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

1d:5b:42:30:00:00:00:00:24:8f

Signature Algorithm: sha1WithRSAEncryption

Issuer: DC=com, DC=a10lab, CN=AD03-CA

Validity

Not Before: Dec 8 18:23:48 2014 GMT

Not After : Dec 8 22:23:48 2014 GMT

Subject: C=CH, O=Linux strongSwan, CN=AX1030

X509v3 extensions:

X509v3 Subject Key Identifier:

DA:53:59:9C:EC:52:E3:58:6C:E5:84:11:E7:5C:F4:C9:FC:59:6B:A3

X509v3 Authority Key Identifier:

keyid:06:18:97:1C:58:B4:E4:95:5F:61:61:5D:DB:9C:1B:85:39:48:87:37


X509v3 CRL Distribution Points:

URI:ldap:///CN=AD03-CA,CN=AD03,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=a10lab,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Authority Information Access:

CA Issuers - URI:ldap:///CN=AD03-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=a10lab,DC=com?cACertificate?base?objectClass=certificationAuthority

OCSP - URI:http://ad03.a10lab.com/ocsp

X509v3 Key Usage: critical

Digital Signature, Key Encipherment

1.3.6.1.4.1.311.21.7:

0-.%+.....7.....E......+.......Ks...M......d...

X509v3 Extended Key Usage:

1.3.6.1.5.5.8.2.2

1.3.6.1.4.1.311.21.10:

0.0

Rate Limit Resets for Unknown Sessions

When the reset-unknown-con command is enabled in a virtual port template, the ACOS device sends a TCP reset packet to the client if the client's non-SYN TCP packet does not match any existing session. In certain failover situations, CPU utilization can become very high because of the resulting flood of TCP reset packets.

In the 2.7.2 P4 release, to avoid high CPU utilization from such a TCP reset flood, the TCP resets that the ACOS device sends as a result of the reset-unknown-con command can be rate limited.

Configuration

The following shows the CLI configuration for setting up a rate limit and a connection log:

slb rate-limit-for-reset-unknown-conn pkr-rate 5000

slb rate-limit-for-reset-unknown-conn log

Statistic Counter:

show slb rate-limit-for-reset-unknown-conn

Rate Limit: 5000

Current Rate: 1000

Rate Limit Drops: 13687
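To make the three counters above concrete, the following Python is an added example (not ACOS code) that models the limiter: non-SYN packets with no matching session arrive with a timestamp, a reset is sent only while the per-second budget has not been spent, and suppressed resets are counted and, when the log option is on, recorded. The notes do not state the algorithm ACOS uses, so the fixed one-second window here is an assumption; the packet stream, a quiet second followed by a failover-style burst, is constructed.

```python
"""Rate limiting of TCP resets sent for unknown (session-less) non-SYN packets.

Added example, not ACOS code. Uses a fixed one-second window, which is an
assumption; the release notes only state that the resets can be rate limited.
"""
from dataclasses import dataclass, field


@dataclass
class ResetRateLimiter:
    pkt_rate: int                 # permitted resets per second (the configured limit)
    log: bool = False             # like the `log` option: record suppressed resets
    sent: int = 0                 # resets actually sent
    drops: int = 0                # "Rate Limit Drops"
    current_rate: int = 0         # "Current Rate": resets sent in the last completed second
    log_lines: list = field(default_factory=list)
    _window: int = -1             # index of the second currently being accounted
    _window_sent: int = 0         # resets sent so far in that second

    def _roll_window(self, now):
        sec = int(now)
        if sec != self._window:
            if self._window >= 0:
                self.current_rate = self._window_sent
            self._window, self._window_sent = sec, 0

    def on_unknown_session_packet(self, now, src):
        """Return True if a RST is sent for this packet, False if suppressed."""
        self._roll_window(now)
        if self._window_sent < self.pkt_rate:
            self._window_sent += 1
            self.sent += 1
            return True
        self.drops += 1
        if self.log:
            self.log_lines.append(f"t={now:.4f} reset to {src} suppressed by rate limit")
        return False

    def stats(self):
        """Mirror of the show slb rate-limit-for-reset-unknown-conn counters."""
        return {"Rate Limit": self.pkt_rate, "Current Rate": self.current_rate,
                "Rate Limit Drops": self.drops}


def simulate(pkt_rate=5000, burst=20000, log=True):
    """Constructed scenario: second 0 carries 1000 stray packets (under the
    limit); second 1 carries a burst of `burst` packets, as a failover that
    invalidates sessions on the peer can produce."""
    rl = ResetRateLimiter(pkt_rate=pkt_rate, log=log)
    for i in range(1000):
        rl.on_unknown_session_packet(i / 1000.0, "10.0.0.1")
    for i in range(burst):
        rl.on_unknown_session_packet(1.0 + i / burst, "10.0.0.2")
    return rl


if __name__ == "__main__":
    limiter = simulate()
    print(limiter.stats(), "sent:", limiter.sent, "logged:", len(limiter.log_lines))
```

The key property is that the cost of the flood is bounded at pkt_rate resets per second regardless of burst size, which is what keeps the data-plane CPU available for legitimate sessions during the failover.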

Service Group Status can be Determined by Minimum Number of Healthy Ports

The min-active-member command at the service group CLI configuration level configures the minimum number of primary servers that must remain active (available); when fewer are active, the backup servers are used.


This release extends this command to mark the status of the entire service group as DOWN if the minimum number of active members is not met and there are no designated backup servers. The status is available in the output of the show slb service-group command.

Sample Output

The following illustrates the output of the show slb service-group command when the service group is down because the minimum number of active members is not met. Note that the reason is called out in the generated show output.

ACOS(config-slb svc group)#sh slb service-group sg1

Service group name: sg1 State: Down

Down by min-active-member Yes

Service selection fail drop: 0

Service selection fail reset: 0

Service peak connection: 0

Service: s1:80 UP

Forward packets: 0 Reverse packets: 0

Forward bytes: 0 Reverse bytes: 0

Current connections: 0 Persistent connections: 0

Current requests: 0 Total requests: 0

Total connections: 0 Response time: 0 (usec)

Fastest Rsp time: 0 Slowest Rsp time: 0 (10usec)

Total requests succ: 0

Peak conn: 0

Health-check:

--------------------------------------------------------

Up reason: TCP Verify Connection OK

Monitor Name: default

--------------------------------------------------------

Service: s2:80 UP

Forward packets: 0 Reverse packets: 0

Forward bytes: 0 Reverse bytes: 0

Current connections: 0 Persistent connections: 0

Current requests: 0 Total requests: 0

Total connections: 0 Response time: 0 (usec)

Fastest Rsp time: 0 Slowest Rsp time: 0 (10usec)

Total requests succ: 0

Peak conn: 0

Health-check:

--------------------------------------------------------

Up reason: TCP Verify Connection OK

Monitor Name: default


--------------------------------------------------------

Service: s3:80 UP

Forward packets: 0 Reverse packets: 0

Forward bytes: 0 Reverse bytes: 0

Current connections: 0 Persistent connections: 0

Current requests: 0 Total requests: 0

Total connections: 0 Response time: 0 (usec)

Fastest Rsp time: 0 Slowest Rsp time: 0 (10usec)

Total requests succ: 0

Peak conn: 0

Health-check:

--------------------------------------------------------

Up reason: TCP Verify Connection OK

Monitor Name: default

--------------------------------------------------------

Service: s4:80 UP

Forward packets: 0 Reverse packets: 0

Forward bytes: 0 Reverse bytes: 0

Current connections: 0 Persistent connections: 0

Current requests: 0 Total requests: 0

Total connections: 0 Response time: 0 (usec)

Fastest Rsp time: 0 Slowest Rsp time: 0 (10usec)

Total requests succ: 0

Peak conn: 0

Health-check:

--------------------------------------------------------

Up reason: TCP Verify Connection OK

Monitor Name: default

--------------------------------------------------------

Service: s5:80 UP

Forward packets: 0 Reverse packets: 0

Forward bytes: 0 Reverse bytes: 0

Current connections: 0 Persistent connections: 0

Current requests: 0 Total requests: 0

Total connections: 0 Response time: 0 (usec)

Fastest Rsp time: 0 Slowest Rsp time: 0 (10usec)

Total requests succ: 0

Peak conn: 0

Health-check:

--------------------------------------------------------

Up reason: TCP Verify Connection OK


Monitor Name: default

--------------------------------------------------------

Bypassing Client Authentication Traffic

Some HTTPS servers require client certificate authentication (CAC/PKI), where the server authenticates incoming requests based on the certificate in the client’s certificate store. Because SSL Insight (previously known as SSL Intercept) lacked the necessary client certificate and key information, CAC failed when the server requested it.

In previous releases, the front-end ACOS device intercepted all traffic that traveled through port 443. The ACOS device also bypassed SSL traffic based on the server name in the client-hello message, and all other traffic was intercepted. Starting in release 2.7.2 P4, you can configure a list of server names to bypass, by using a class-list or by using the CLI. Client authentication traffic is dynamically detected and automatically bypassed, based on server name indication (SNI) matches.

For example, after the ACOS device receives the client hello message from the client, the device checks whether this server’s certificate is saved in the cache. If the certificate has not been saved, ACOS1 starts a server SSL connection to the backend server to retrieve the certificate. ACOS1 also detects whether the backend server requires client certificate authentication. If the server requires client authentication, ACOS1 stops retrieving the certificate and checks whether the server name matches the configured condition for bypassing this traffic.

NOTE: To bypass the traffic, ACOS1 stops SSL Insight processing and switches from HTTPS processing to generic TCP proxy processing.

Sample Deployment

Figure 14 illustrates an example in which the SSL forward proxy is deployed. There are two ACOS devices, and both are configured with wildcard virtual ports.

Traffic Flow

The following steps provide a high-level overview of the traffic flow:

1. ACOS1 intercepts all the traffic that goes to HTTPS port 443.

2. ACOS1 decrypts the traffic, translates the port from 443 to 8080, and forwards the traffic.

3. ACOS2 intercepts the traffic at port 8080.

4. ACOS2 decrypts the traffic, translates the port from 8080 to 443, and forwards the traffic.

NOTE: The traffic between ACOS1 and ACOS2 is in clear text where the firewall is deployed.


FIGURE 14 Sample Deployment of SSL Insight

The ACOS devices do not have the private keys of the real servers such as mail.google.com and mail.yahoo.com. Instead of the real server’s certificate, ACOS1 uses its own public/private key pair. Because the certificate on ACOS1 is a CA certificate trusted by the client, the client’s browser does not display a warning about the “fake” certificate.

Use the GUI to Configure the Bypassing of SSL Insight for Client Authentication Traffic

This feature cannot be configured by using the GUI.

Use the CLI to Configure the Bypassing of SSL Insight for Client Authentication Traffic

Enter the following commands in the client-SSL template, one for each server-name pattern whose client authentication traffic you want to bypass:

slb template client-ssl clientssl

forward-proxy-bypass client-auth case-insensitive

forward-proxy-bypass client-auth class-list testclass

forward-proxy-bypass client-auth contains jsmith

forward-proxy-bypass client-auth ends-with abc

forward-proxy-bypass client-auth equals test.hello.com

forward-proxy-bypass client-auth starts-with efg

The following list provides additional information about the options:

• case-insensitive means that the SNI string is matched without regard to case.

• class-list means that forward proxy bypass occurs when the SNI string matches the class-list.

• client-auth means that forward proxy bypass occurs when client certificate authentication is requested.

• contains means that forward proxy bypass occurs when the SNI string contains another string.

• ends-with means that forward proxy bypass occurs when the SNI string ends with another string.

• equals means that the forward proxy bypass occurs when the SNI string equals another string.

• starts-with means that forward proxy bypass occurs when the SNI string starts with another string.
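The options above define a small matching vocabulary for the SNI string. The following Python is an added example (not ACOS code, and not how ACOS implements the match internally) that reproduces that vocabulary so a bypass rule set can be tested offline before it is deployed: the bypass fires only when the server has asked for a client certificate and the SNI matches one of the direct rules or one of the class-list entries. The rule values mirror the CLI example further below; the server names tested are constructed.

```python
"""Offline evaluation of forward-proxy-bypass client-auth rules against an SNI.

Added example, not ACOS code. Rule values come from the release-note CLI
example; the server names in the tests are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    op: str        # "equals" | "starts-with" | "ends-with" | "contains"
    value: str


# Matching semantics for each option listed in the release notes.
OPS = {
    "equals": lambda sni, v: sni == v,
    "starts-with": lambda sni, v: sni.startswith(v),
    "ends-with": lambda sni, v: sni.endswith(v),
    "contains": lambda sni, v: v in sni,
}

# class-list bypass ac: starts-with a10a10 / equals ssl-i / contains hello.com
CLASS_LIST_BYPASS = [Rule("starts-with", "a10a10"),
                     Rule("equals", "ssl-i"),
                     Rule("contains", "hello.com")]

# Direct rules from the client-SSL template, plus the referenced class-list.
TEMPLATE_RULES = [Rule("contains", "abc.com"), Rule("equals", "a10a10")]
ALL_RULES = TEMPLATE_RULES + CLASS_LIST_BYPASS


def first_match(sni, rules, case_insensitive=False):
    """Return the first rule the SNI satisfies, or None. A trailing dot on the
    SNI is ignored; with case_insensitive both sides are lower-cased."""
    name = sni.rstrip(".")
    if case_insensitive:
        name = name.lower()
    for rule in rules:
        value = rule.value.lower() if case_insensitive else rule.value
        if OPS[rule.op](name, value):
            return rule
    return None


def should_bypass(sni, client_auth_requested, rules, case_insensitive=False):
    """Bypass SSL Insight only when the server demanded a client certificate
    AND the SNI matches a bypass rule; otherwise the session stays inspected."""
    if not client_auth_requested or not sni:
        return False
    return first_match(sni, rules, case_insensitive) is not None


if __name__ == "__main__":
    for host in ("mail.abc.com", "a10a10.example", "www.Hello.com", "mail.google.com"):
        print(host, should_bypass(host, True, ALL_RULES),
              should_bypass(host, True, ALL_RULES, case_insensitive=True))
```

Running a proposed rule set through first_match with the hostnames seen in recent SNI logs shows exactly which sessions would leave inspection, which is worth knowing before a broad contains rule is committed.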

CLI Example

To configure this feature, complete the following tasks:

• Configuring the Inside ACOS Device

• Configuring the Outside ACOS Device


Configuring the Inside ACOS Device

The following output shows how to configure the inside ACOS device:

class-list bypass ac

starts-with a10a10

equals ssl-i

contains hello.com

!

access-list 101 permit ip 2.2.2.0 0.0.0.255 any

interface ethernet 4

ip address 2.2.2.2 255.255.255.0

ip allow-promiscuous-vip

slb server s1 3.3.3.1

port 8080 tcp

no health-check

!

slb service-group sg1 tcp

!

!

slb service-group sg1-8080 tcp

member s1:8080

!

!

slb template client-ssl ssl_int

cert new_self.crt

key new_self.key

forward-proxy-enable

forward-proxy-ca-cert new_self.crt

forward-proxy-ca-key new_self.key

forward-proxy-bypass client-auth contains abc.com

forward-proxy-bypass client-auth equals a10a10

forward-proxy-bypass client-auth class-list bypass

!

slb virtual-server vs1 0.0.0.0 acl 101

extended-stats

port 443 https

service-group sg1-8080

template client-ssl ssl_int

no-dest-nat port-translation

Configuring the Outside ACOS Device

The following CLI output shows how to configure the outside ACOS device:

access-list 101 permit tcp any any eq 8080

interface ethernet 3


ip address 3.3.3.2 255.255.255.0

ip allow-promiscuous-vip

slb template server-ssl ssl_int

forward-proxy-enable

!

!

slb server s2 3.3.3.1

port 443 tcp

no health-check

!

slb service-group sg1-443 tcp

member s2:443

!

!

slb virtual-server vs2 0.0.0.0 acl 101

port 8080 http

service-group sg1-443

template server-ssl ssl_int

no-dest-nat port-translation

Log Generated When SSL Insight Fails

SSL Insight (previously known as SSL Intercept) might fail for one of the following reasons:

• In a configured client SSL template, the ACOS device cannot retrieve the server certificate during the SSL handshake, for example because the server requires client certificate authentication but no client-side authentication is configured on the ACOS device.

• Any other generic failure, such as the server abruptly closing the connection (FIN) because of a malformed packet.

Starting in release 2.7.2-P4, when SSL Insight fails, a log is now generated that includes the following information:

• The server name indication (SNI)

• The IP address of the server.

When the connection is successful, no logs are generated.

NOTE: The log messages are only seen by the inside ACOS device.

Example of a Failure

When "SSLVerifyClient require" and "SSLVerifyDepth 10" are set in the Apache ssl.conf on the server, retrieving the certificate fails because no client-side authentication has been configured on the ACOS device.

As a result, the following log is generated:

AX2500#show log


Log Buffer: 30000

Nov 30 2014 09:03:19 Info [SYSTEM]:SSL intercept failed, server amogh-server (ip 20.20.101.50)

AX2500#

No CLI configurations are required to turn this logging on or off.

SSL: Priority for ECDHE and DHE Cipher Support

ACOS 2.7.2-P4 refines cipher selection based on the priorities assigned to ECDHE and DHE ciphers in the cipher templates configured on the ACOS device:

• When processing an SSL handshake, if ECDHE and DHE ciphers are configured with the same priority, ECDHE is preferred over DHE to reduce CPU usage on the ACOS device. DHE ciphers are treated as the lowest priority whenever the client-hello message offers other supported ciphers, unless the administrator has explicitly given a DHE cipher the highest priority, in which case the ACOS device honors that setting.

• If a cipher template specifies no priority, the ACOS device gives ECDHE a higher priority by default. Leaving the priority unspecified is strongly discouraged.

• In release 2.7.2-P4, only two ec-names (secp256r1 and secp384r1) are supported. If you upgrade from 2.7.2-P3 with a different ec-name configured, that setting is removed from the configuration during the upgrade; check the running configuration after upgrading.

• In release 2.7.2-P4, PFS ciphers are not supported on FIPS platforms. PFS ciphers for server-side SSL are currently supported only in software.

• The HSM platform supports only SSLv3 and TLS 1.0. SSLv3 has known weaknesses and was deprecated by RFC 7568 in 2015, so on HSM platforms prefer TLS 1.0 and disable SSLv3 unless a legacy client requires it.
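The ordering rules in the list above, written out as a function, as an added example in Python rather than ACOS code. It lets you predict which cipher a given template and client-hello combination produce before changing a production template. Assumptions not stated on the page: a higher priority number wins, a cipher configured without a priority counts as priority 0, and the negotiated cipher is the first in server-preference order that the client also offered. The cipher names are OpenSSL-style strings used only to tell ECDHE, DHE and other key exchanges apart.

```python
"""Model of the ECDHE/DHE cipher-ordering rules described above (added
example, not ACOS code).  Assumptions: higher priority number wins; missing
priority counts as 0; server preference order decides the handshake.
"""
ECDHE, DHE, OTHER = "ECDHE", "DHE", "OTHER"


def kex_of(cipher):
    """Key-exchange family from an OpenSSL-style cipher name."""
    if cipher.startswith("ECDHE-"):
        return ECDHE
    if cipher.startswith("DHE-"):
        return DHE
    return OTHER


# Tie-break between ciphers that share a priority: ECDHE first (same forward
# secrecy as DHE at a fraction of the CPU cost), DHE last.
_KEX_RANK = {ECDHE: 2, OTHER: 1, DHE: 0}


def order_ciphers(configured):
    """configured: [(cipher, priority_or_None)] -> ciphers in server preference."""
    prios = {c: (p or 0) for c, p in configured}
    top = max(prios.values(), default=0)

    def key(cipher):
        p = prios[cipher]
        # DHE sinks to the bottom unless it was explicitly given the top
        # priority; a DHE cipher that merely ties for top still loses to ECDHE.
        if kex_of(cipher) == DHE and p != top:
            p = -1
        return (p, _KEX_RANK[kex_of(cipher)])

    return sorted(prios, key=key, reverse=True)


def select_cipher(configured, client_hello_ciphers):
    """First cipher in server order that the client offered, or None."""
    offered = set(client_hello_ciphers)
    for cipher in order_ciphers(configured):
        if cipher in offered:
            return cipher
    return None          # no cipher in common: the handshake fails


if __name__ == "__main__":
    # Constructed template: DHE given the top priority explicitly.
    template = [("DHE-RSA-AES128-GCM-SHA256", 9),
                ("ECDHE-RSA-AES128-GCM-SHA256", 5), ("AES128-SHA", 5)]
    print(order_ciphers(template))
    print(select_cipher(template, ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]))
```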

L47-Enterprise

This section describes the L47-Enterprise enhancements.

• EDNS-Client-Subnet support for GSLB Geolocation metric

• Support STARTTLS for IMAP and POP

EDNS-Client-Subnet support for GSLB Geolocation metric

Not every DNS query arrives through a recursive resolver that is topologically close to the client. Some recursive resolvers add an EDNS option to the query that carries the network the query originated from. ACOS can read this EDNS-Client-Subnet option and use it for more accurate geo-location decisions in GSLB. To use it, enable reading of the option in the GSLB policy.

If EDNS-Client-Subnet reading is enabled, the subnet in the option is checked against the configured geo-location database first. If the query carries no such option, ACOS checks the source IP address of the recursive DNS server against the geo-location database to evaluate the GSLB geo-location metric. Because back-end servers can also include an OPT resource record, ACOS can read EDNS-Client-Subnet fields from responses as well. Note that the subnet in the option is asserted by whoever sent the query and is not authenticated; it should influence traffic steering only, never an access decision.


NOTE: ACOS uses the EDNS-Client-Subnet option in GSLB server mode. Proxy mode is not supported.

Configuring EDNS-Client-Subnet Support for GSLB Geo-location Metric

To use the EDNS-Client-Subnet field for the GSLB geo-location metric, enter the following command at the GSLB policy configuration level:

edns client-subnet geographic

CLI Example

The following example shows an ACOS device configured to read the EDNS-Client-Subnet field in DNS queries.

The following commands show an example configuration of two user-defined geo-locations.

ACOS(config)#gslb geo-location site1

ACOS(config-gslb geo-location)#ip 10.10.10.10 mask /24

ACOS(config-gslb geo-location)#exit

ACOS(config)#gslb geo-location site2

ACOS(config-gslb geo-location)#ip 11.11.11.11 mask /32

ACOS(config-gslb geo-location)#exit

The following commands configure example GSLB sites with their respective geo-locations and SLB servers with virtual servers.

ACOS(config)#gslb site usa

ACOS(config-gslb site)#geo-location site1

ACOS(config-gslb site)#slb-dev acos1 100.10.10.10

ACOS(config-gslb site-slb dev)#vip-server vs1

ACOS(config-gslb site-slb dev)#exit

ACOS(config-gslb site)#exit

ACOS(config)#gslb site china

ACOS(config-gslb site)#geo-location site2

ACOS(config-gslb site)#slb-dev acos2 200.20.20.20

ACOS(config-gslb site-slb dev)#vip-server vs2

ACOS(config-gslb site-slb dev)#exit

ACOS(config-gslb site)#exit

The following commands configure an example GSLB policy related to DNS traffic.

ACOS(config)#gslb policy dns

ACOS(config-gslb policy)#dns selected-only

ACOS(config-gslb policy)#dns server authoritative

ACOS(config-gslb policy)#edns client-subnet geographic

ACOS(config-gslb policy)#exit

The following commands configure an example GSLB zone for a10networks.com.

ACOS(config)#gslb zone a10networks.com


ACOS(config-gslb zone)#policy dns

ACOS(config-gslb zone)#service http www

ACOS(config-gslb zone-gslb service)#dns-a-record vs1 static

ACOS(config-gslb zone-gslb service)#dns-a-record vs2 static

In the example above, if client traffic comes in with a source IP of 11.11.11.11, but the EDNS-Client-Subnet is 10.10.10.10, then the DNS A record vs1 will be selected because the client’s EDNS-Client-Subnet corresponds to the geo-location of site1. The EDNS-Client-Subnet 10.10.10.10 will be used for all geo-location metric features.
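The selection described in the paragraph above, as an added example in Python rather than ACOS code. It builds a DNS query carrying an EDNS-Client-Subnet option (constructed, not captured), extracts the option from the OPT record, and picks the GSLB site whose geo-location matches: the ECS subnet when present, the resolver's source address only when no ECS option is present, exactly the order stated above. The two geo-locations mirror site1 (10.10.10.10/24) and site2 (11.11.11.11/32) from the CLI example; the longest-prefix tie-break, the 4096-byte UDP payload size in the OPT record and the handling of malformed options (ignored) are assumptions, not ACOS behaviour documented here.

```python
"""EDNS-Client-Subnet extraction and geo-location match (added example, not
ACOS code).  Wire format per the DNS OPT pseudo-RR: option code 8, then
family, source prefix length, scope prefix length, truncated address.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8
OPT_RR_TYPE = 41


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qname, ecs_subnet=None):
    """Minimal A query with an OPT RR; ecs_subnet is an ip_network or None."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # qd=1, ar=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # A, IN
    options = b""
    if ecs_subnet is not None:
        fam, plen = (1 if ecs_subnet.version == 4 else 2), ecs_subnet.prefixlen
        addr = ecs_subnet.network_address.packed[:(plen + 7) // 8]  # truncated
        body = struct.pack("!HBB", fam, plen, 0) + addr
        options = struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body
    # OPT RR: root name, type 41, class = UDP payload size (assumed 4096),
    # TTL field = extended rcode/flags (0), then the option list.
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(options)) + options
    return header + question + opt


def _skip_name(msg, off):
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + l


def extract_ecs(msg):
    """Return the client subnet carried in the query's OPT RR, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns):                       # normally absent in a query
        off = _skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_RR_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != ECS_OPTION_CODE or len(body) < 4:
                continue
            fam, plen, _scope = struct.unpack("!HBB", body[:4])
            width = 4 if fam == 1 else 16
            if len(body) - 4 != (plen + 7) // 8 or len(body) - 4 > width:
                continue                           # malformed: ignore, do not trust
            packed = body[4:] + b"\x00" * (width - (len(body) - 4))
            cls = ipaddress.IPv4Network if fam == 1 else ipaddress.IPv6Network
            return cls((packed, plen), strict=False)
    return None


# Geo-locations and sites from the CLI example above.
GEO_LOCATIONS = {
    "site1": ipaddress.ip_network("10.10.10.10/24", strict=False),
    "site2": ipaddress.ip_network("11.11.11.11/32"),
}
SITES = {"site1": ("usa", "vs1"), "site2": ("china", "vs2")}


def match_geo(net_or_addr):
    """Longest-prefix match of a subnet or single address to a geo-location."""
    net = ipaddress.ip_network(net_or_addr, strict=False)
    best = None
    for name, geo in GEO_LOCATIONS.items():
        if geo.version == net.version and net.subnet_of(geo):
            if best is None or geo.prefixlen > GEO_LOCATIONS[best].prefixlen:
                best = name
    return best


def select_site(query, resolver_ip):
    """ECS subnet first; the resolver's source IP only when no ECS is present."""
    ecs = extract_ecs(query)
    key = ecs if ecs is not None else ipaddress.ip_address(resolver_ip)
    return SITES.get(match_geo(key)), ("ecs" if ecs is not None else "source-ip")


if __name__ == "__main__":
    q = build_query("www.a10networks.com", ipaddress.ip_network("10.10.10.10/32"))
    print(select_site(q, "11.11.11.11"))        # site1 via ECS, not site2 via source
    print(select_site(build_query("www.a10networks.com"), "11.11.11.11"))
```

The final two lines reproduce the scenario in the paragraph above: a query from source 11.11.11.11 carrying ECS 10.10.10.10 is steered to vs1, while the same query without an ECS option falls back to the resolver's address and is steered to vs2.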

Support STARTTLS for IMAP and POP

This release adds the ability to offload the IMAP and POP3 STARTTLS extension (RFC 2595) from the servers. The ACOS device handles the STARTTLS command and the associated SSL handshake. After that, communication between the client and the ACOS device is encrypted, while communication between the ACOS device and the server is clear text, so the server-side segment must be a trusted network.

The IMAP specification allows the LOGIN command to be sent in clear text. With STARTTLS support, a server can state whether clear-text LOGIN is allowed: it includes LOGINDISABLED in its CAPABILITY response to indicate that it accepts LOGIN only over an encrypted connection. On the ACOS device, this is enabled or disabled through an IMAP template. If the ACOS device advertises LOGINDISABLED, it expects the LOGIN to arrive only after STARTTLS has completed; a LOGIN issued by the client before STARTTLS receives no response from the ACOS device.

Per the RFC, STARTTLS is valid only in the non-authenticated state. Because this release only offloads the handshake and most protocol compliance is handled by the server, the ACOS device does not track when STARTTLS is sent: whenever the client sends STARTTLS, the ACOS device expects an SSL handshake to follow.

Configuration

The user can enable IMAP for STARTTLS by assigning it to a virtual port and including this port within an SLB virtual server. The following shows the suggested CLI configuration for enabling this. Note that there is no GUI support for this feature.

slb template imap-pop3 imap-template

logindisabled

starttls optional

slb virtual-server A 1.1.1.1

port 143 imap

template imap-pop3 imap-template

port 110 pop3

template imap-pop3 imap-template
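The exchange described above, simulated as an added example in Python (not ACOS code). The front end models the logindisabled setting of the IMAP template and the stated behaviour that a LOGIN sent before STARTTLS gets no response when LOGINDISABLED was advertised; after STARTTLS the LOGIN is accepted and would be forwarded to the real server in clear text. The tag handling, the response wording and the fact that the TLS handshake is represented by a state flag rather than performed are assumptions of this example.

```python
"""IMAP STARTTLS front end as described above (added example, not ACOS code).
The handshake itself is represented by the tls_active flag.
"""
from dataclasses import dataclass


@dataclass
class ImapFrontEnd:
    logindisabled: bool = True       # 'logindisabled' in the imap-pop3 template
    tls_active: bool = False
    authenticated: bool = False

    def capabilities(self):
        caps = ["IMAP4rev1"]
        if not self.tls_active:
            caps.append("STARTTLS")           # only offered before TLS is up
            if self.logindisabled:
                caps.append("LOGINDISABLED")  # clear-text LOGIN refused
        return caps

    def handle(self, line):
        """Response lines for one client command, or None for no response."""
        tag, _, rest = line.partition(" ")
        cmd, _, _args = rest.partition(" ")
        cmd = cmd.upper()
        if cmd == "CAPABILITY":
            return [f"* CAPABILITY {' '.join(self.capabilities())}",
                    f"{tag} OK CAPABILITY completed"]
        if cmd == "STARTTLS":
            if self.tls_active:
                return [f"{tag} BAD TLS already active"]
            self.tls_active = True    # client <-> ACOS TLS handshake happens here
            return [f"{tag} OK Begin TLS negotiation now"]
        if cmd == "LOGIN":
            if self.logindisabled and not self.tls_active:
                return None           # behaviour stated above: no response
            self.authenticated = True
            # From here the command is relayed to the server in clear text.
            return [f"{tag} OK LOGIN completed"]
        return [f"{tag} BAD unknown command"]


def run_session(front_end, client_lines):
    """Constructed exchange; returns [(client line, response)]."""
    return [(line, front_end.handle(line)) for line in client_lines]


if __name__ == "__main__":
    for sent, reply in run_session(ImapFrontEnd(logindisabled=True), [
            "a1 CAPABILITY", "a2 LOGIN jsmith secret", "a3 STARTTLS",
            "a4 CAPABILITY", "a5 LOGIN jsmith secret"]):
        print(f"C: {sent}")
        for r in (reply or ["(no response)"]):
            print(f"S: {r}")
```

With logindisabled set, the session shows the credential being rejected silently before STARTTLS and accepted after it; with logindisabled cleared, the same LOGIN is accepted in clear text on the first attempt, which is the configuration to avoid on a network path you do not control.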

System/Cloud Solutions

This section describes the system/cloud solution enhancements.

• vThunder Support for “no dedicated management port mode”

• Preventing dropped packets with ‘no ip anomaly-drop’


vThunder Support for “no dedicated management port mode”

This release offers the capability to run vThunder for VMware in “no dedicated management port mode”. When a vThunder for VMware instance is in this mode, only one network adapter (VMXNET3 device driver) is used for all interfaces (both data and management). This ability is in contrast to previous releases, in which the E1000 device driver was typically used as the driver for a dedicated management interface and a different driver was used for the data ports.

This enhancement will help customers who are running vThunder for VMware in an environment where they do not want to have a dedicated management port.

Background

In previous releases, a vThunder for VMware instance typically had drivers assigned to its ports as shown in Table 1 below; different interfaces could use different drivers.

TABLE 1 Drivers assigned to ports (previous releases vs. new release)

Interface   Previous releases (Mgmt port uses E1000)   New release (all ports use VMXNET3 driver)

Eth1        E1000                                      VMXNET3

Eth2        VMXNET3                                    VMXNET3

Eth3        VMXNET3                                    VMXNET3

This release continues to support a different driver (for example, E1000) for a dedicated management interface, but also allows all interfaces to use the VMXNET3 driver.

The "before and after" comparison in Table 1 shows that when the vThunder for VMware instance is in "no dedicated management port mode," all interfaces use the VMXNET3 driver. In that configuration there is no dedicated management interface, and any of the data ports can be used for management access.

Configuration

"No dedicated management port mode" cannot be enabled or disabled through the CLI or GUI. Instead, it is enabled automatically: when a new vThunder for VMware instance boots, ACOS checks for the presence of a dedicated management interface ("eth0"). If no "eth0" port exists, ACOS enables "no dedicated management port mode" without user intervention.

During the same boot-time check, ACOS also inspects the startup configuration file. If it is empty, ACOS populates it with the following configuration, which defines the interfaces and lets them obtain an IP address from a DHCP server. (The following is a hypothetical example of what would appear in the configuration file if the administrator had created a vThunder instance with three interfaces; the number of interfaces in the file varies accordingly.)

interface ethernet 1

enable

ip address dhcp

!

interface ethernet 2


enable

ip address dhcp

!

interface ethernet 3

enable

ip address dhcp

!

enable-management service ssh ethernet 1 to 3

enable-management service http ethernet 1 to 3

enable-management service https ethernet 1 to 3

enable-management service snmp ethernet 1 to 3

Notes:

• The auto-populated contents of the configuration file created when "no dedicated management port mode" is enabled (the sample shown above) should not be deleted or modified, or the feature may stop working correctly. Note that the generated configuration enables SSH, HTTP, HTTPS and SNMP on every data interface, so management services are reachable from the data-plane networks; restrict who can reach them with access controls on the management services rather than by editing the generated lines.

• You determine whether this feature will be enabled when adding an Ethernet interface to the vThunder instance. (See "Add Additional Ethernet Data Interfaces" in the vThunder for VMware Installation Guide.)

• When the Add Hardware dialog appears and you select Ethernet Adapter, you are prompted to select an "Adapter Type". Select "vmxnet3" from the Type drop-down list. Repeat this for every interface and, most importantly, ensure that the management interface type is set to "vmxnet3" and not "e1000".

• This feature applies to vThunder for VMware only; it does not apply to any other hypervisor on which vThunder can run.

• At present, this feature is supported only in ACOS 2.7.2-P4 and in no other release.

Preventing dropped packets with ‘no ip anomaly-drop’

The ip anomaly-drop CLI command protects against distributed denial-of-service (DDoS) attacks. In prior releases the ip-option sub-option sometimes did not behave as expected, and the default behavior was to drop all IPv4 packets that carry IP options (that is, IP headers longer than 20 bytes). In some load-balancing situations it is preferable to let these packets pass through the ACOS device.

To allow them, use the no ip anomaly-drop ip-option command. Note that this admits packets carrying any IP option, including source-routing options, so keep the default unless the application actually needs them.

Notes:

• This command should not be used on the AX 5200 model.

• Packets with IP fragments should not be subject to this behavior.


Enhancements in ACOS 2.7.2-P3

This section describes the enhancements in ACOS 2.7.2-P3.

• aFleX and RAM Caching

• New aXAPI Methods Added for slb.class_list.string

• HA, VCS

• Layer 2/Layer 3 Routing

• L47

aFleX and RAM Caching

This section describes the aFleX and RAM Caching enhancements.

• aFleX Log Message Enhancement

aFleX Log Message Enhancement

In ACOS 2.7.2-P3, aFleX log entries have been enhanced such that log messages for aFleX events will be associated with the aFleX script in which they occurred. For further details, see the example below.

Example

An SLB virtual server is configured with three aFleX scripts applied to its virtual port (80 HTTP), as shown in the following show output:

slb server serv1 44.44.44.44

port 80 tcp

!

slb service-group sg1 tcp

member serv1:80

!

!

slb virtual-server vip1 44.44.44.101

port 80 http

service-group sg1

aflex af1

aflex af2

aflex af3

The content of three aFleX scripts is shown in the following show commands:

1. This show command displays the contents of the aFleX script named af1:

ACOS(config)#show aflex af1

Name: af1


Syntax: Check

Virtual port: Bind

vip1: 80

Statistics:

Event HTTP_REQUEST execute 5 times (0 failures, 0 aborts)

Content:

when HTTP_REQUEST {

log "This is http_request_1"

}

2. This show command displays the contents of the aFleX script named af2:

ACOS(config)#show aflex af2

Name: af2

Syntax: Check

Virtual port: Bind

vip1: 80

Statistics:

Event HTTP_REQUEST execute 5 times (0 failures, 0 aborts)

Content:

when HTTP_REQUEST {

log "Another http request cmd!"

}

3. This show command displays the contents of the aFleX script named af3:

ACOS(config)#show aflex af3

Name: af3

Syntax: Check

Virtual port: Bind

vip1: 80

Statistics:

Event HTTP_RESPONSE execute 5 times (0 failures, 0 aborts)

Content:

when HTTP_RESPONSE {

log "HTTP_RESPONSE event"

log "HTTP status : [HTTP::status]"

}

In ACOS 2.7.2-P3 and higher, the show log output for the three aFleX scripts will appear as follows:

ACOS(config)#show log

Aug 05 2014 11:58:14 Info [AFLEX]:af3:HTTP status : 200

Aug 05 2014 11:58:14 Info [AFLEX]:af3:HTTP_RESPONSE event

Aug 05 2014 11:58:14 Info [AFLEX]:af2:Another http request cmd!

Aug 05 2014 11:58:14 Info [AFLEX]:af1:This is http_request_1

Prior to ACOS 2.7.2-P3, the show log output for these three aFleX scripts would have appeared as follows:

ACOS(config)#show log

Aug 14 2014 10:11:07 Info [AFLEX]:af1+af2+af3:HTTP status : 200


Aug 14 2014 10:11:07 Info [AFLEX]:af1+af2+af3:HTTP_RESPONSE event

Aug 14 2014 10:11:07 Info [AFLEX]:af1+af2+af3:Another http request cmd!

Aug 14 2014 10:11:07 Info [AFLEX]:af1+af2+af3:This is http_request_1

New aXAPI Methods Added for slb.class_list.string

In previous releases, the aXAPI method "slb.class_list.entry.delete" did not support type = string and therefore could not be used to remove such entries.

For example, if the following class-list was configured:

class-list list1 string

str abc def

Prior releases offered no aXAPI method that could be used to create, modify or remove “str abc def”.

In order to provide a way to delete, create, or update SLB class-list entries with string type, ACOS 2.7.1-GR1 adds the following new aXAPI methods:

• slb.class_list.string.create

• slb.class_list.string.update

• slb.class_list.string.delete

These methods have the following input parameters:

• name - the name that identifies the entry.

• string_list - an entry list that is composed of string-type entries, each of which will contain the string, and either an lid (with flag and lid_index) or a string_value.

These methods require Read Write privilege and support JSON format. The following URLs are used for these methods:

http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&format=json&method=slb.class_list.string.create

http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&format=json&method=slb.class_list.string.update

http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&format=json&method=slb.class_list.string.delete

Example

The HTTP POST body below shows an example of the JSON data for this method:

{

"name": "c2",

"string_list": [

{

"string": "name00",

"lid": {


"flag": 1,

"lid_index": 100

}

},

{

"string": "name01",

"lid": {

"flag": 0,

"lid_index": 1

}

},

{

"string": "name02",

"string_value": "dddd"

}

]

}

HA, VCSThis section describes the HA and VCS enhancements.

• Track the BGP State by Using VRRP-A

Track the BGP State by Using VRRP-A

In a typical working mode you have two VRRP-A devices, Device 1 and Device 2. Device 1 announces its prefixes to the Border Gateway Protocol (BGP) peer, and Device 2 announces nothing.

If Device 1 fails, the virtual IP address (VIP) route stays in the routing table until Device 2 announces the VIP through BGP, or until the router times out the Device 1 peer and deletes all of its prefixes. Device 2 becomes the VRRP-A master while that stale route is still present.

When Device 1 comes back and becomes the VRRP-A owner again, the following can occur:

• Device 1 takes VRRP-A ownership before its BGP session reaches the Established state, so it cannot yet announce the prefixes.

• Device 2 becomes the VRRP-A slave and sends a BGP Update message withdrawing the VIP route.

To resolve this, starting in this release you can:

• Track the BGP state by using VRRP-A.

• Set a time that the device waits before sending the BGP withdraw when VRRP-A fails back to the main device.

• Announce the prefixes even while the device is the VRRP-A slave.


NOTE: To determine which device is active, the ACOS devices first compare the weight of the devices. If the weights are the same, the priorities of the devices are compared. These comparisons determine which device becomes the active device. The weight, which is configured under the vrrp-a fail-over template, works like priority-cost: if you apply a fail-over template to a VRID, the weight of the VRID drops by the configured value when tracking fails.

You can configure the same weight and tracking value on both devices. The weight is the priority value for tracking options. The priority-cost value means that when tracking fails, the priority of the virtual router identifier (VRID) drops by the configured value.

Using the GUI

This feature cannot be configured by using the GUI.

Using the CLI

To add tracking options for the BGP state, complete one of the following tasks:

• Enter the following command in the VRID:

tracking-options bgp

• Enter the following command in the fail-over-policy template:

bgp

CLI Examples

The following text is an example of configuring the fail-over-policy template:

ACOS(config)#vrrp-a fail-over-policy-template A

ACOS (config-failover-policy)#bgp?

bgp BGP tracking

ACOS (config-failover-policy)#bgp ?

A.B.C.D IP Address

A:B:C:D:E:F:G:H IPV6 address

ACOS(config-failover-policy)#bgp 1.1.1.2 ?

weight The failover event weight

ACOS(config-failover-policy)#bgp 1.1.1.2 weight ?

<1-255> weight

ACOS(config-failover-policy)#bgp 1.1.1.2 weight 200

ACOS(config-failover-policy)#exit

The following text is an example of configuring the tracking-option under VRID:

ACOS(config)#vrrp-a vrid default

ACOS(config-vrid-default)#priority 200

ACOS(config-vrid-default)#fail-over-policy-template A


ACOS(config-vrid-default)#tracking-options

ACOS(config-vrid-tracking)#bgp?

bgp BGP tracking

ACOS(config-vrid-tracking)#bgp ?

A.B.C.D IP Address

A:B:C:D:E:F:G:H IPV6 address

ACOS(config-vrid-tracking)#bgp 1.1.1.2 ?

priority-cost The amount the priority will decrease

ACOS(config-vrid-tracking)#bgp 1.1.1.2 priority-cost ?

<1-255> Priority

ACOS(config-vrid-tracking)#bgp 1.1.1.2 priority-cost 100

ACOS(config-vrid-tracking)#

To compare with the VRID weight:

Device 1 (Active):

vrrp-a device-id 1

vrrp-a set-id 1

vrrp-a enable

vrrp-a vrid default

priority 200

tracking-options

bgp 1.1.1.2 priority-cost 100

Device 2 (Standby):

vrrp-a device-id 2

vrrp-a set-id 1

vrrp-a enable

vrrp-a vrid default

priority 180

To compare with the VRID priority:

Device 1 (Active):

vrrp-a device-id 1

vrrp-a set-id 1

vrrp-a enable

vrrp-a vrid default

priority 200

Device 2 (Standby):

vrrp-a device-id 2

vrrp-a set-id 1


vrrp-a enable

vrrp-a vrid default

priority 180
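The election described in the note above (weight compared first, then priority), with BGP tracking applied either as a fail-over-policy-template weight or as a VRID priority-cost, as an added example in Python rather than ACOS code. It reproduces the two device pairs shown in the CLI examples and shows when a BGP failure on Device 1 actually moves the active role to Device 2. The base VRID weight of 255 and the lowest-device-id tie-break are assumptions of this model, not values taken from the document.

```python
"""VRRP-A active-device election with BGP tracking (added example, not ACOS
code).  Assumptions: base VRID weight 255; ties broken by lowest device-id.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: int
    priority: int                    # 'priority' under vrrp-a vrid
    weight: int = 255                # assumed base weight of the VRID
    bgp_priority_cost: int = 0       # tracking-options: bgp <peer> priority-cost N
    bgp_weight: int = 0              # fail-over-policy-template: bgp <peer> weight N
    bgp_established: bool = True     # tracked BGP session state

    def effective(self):
        """(weight, priority) after applying the tracking penalties."""
        weight, priority = self.weight, self.priority
        if not self.bgp_established:                 # tracking failed
            weight -= self.bgp_weight
            priority -= self.bgp_priority_cost
        return max(weight, 0), max(priority, 0)


def elect_active(devices):
    """Highest weight wins, then highest priority, then lowest device-id."""
    def key(d):
        w, p = d.effective()
        return (w, p, -d.device_id)
    return max(devices, key=key).device_id


def failover_report(d1, d2):
    """Active device-id before and after Device 1 loses its BGP session."""
    before = elect_active([d1, d2])
    d1.bgp_established = False
    after = elect_active([d1, d2])
    d1.bgp_established = True
    return before, after


if __name__ == "__main__":
    # Priority-cost form from the CLI example: 200 - 100 = 100 < 180.
    print(failover_report(Device(1, 200, bgp_priority_cost=100), Device(2, 180)))
    # Weight form: a weight penalty of 200 makes the weight comparison decide
    # before priority is even looked at.
    print(failover_report(Device(1, 200, bgp_weight=200), Device(2, 180)))
    # A priority-cost of 10 is too small to fail over (190 > 180).
    print(failover_report(Device(1, 200, bgp_priority_cost=10), Device(2, 180)))
```

The third case is the check worth running before deploying a template: a priority-cost that does not take the active device below its peer's priority produces no failover at all.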

Layer 2/Layer 3 Routing

This section describes the Layer 2/Layer 3 Routing enhancements.

• Static ARP and v6 Neighbors Global Max Scaling

• Adding Object-group Limits for Resource-usage Templates

Static ARP and v6 Neighbors Global Max Scaling

This feature expands the system-wide limit for static ARP entries and IPv6 neighbors, enabling you to configure up to 4096 on all platforms except SoftAX®. On SoftAX® the limit is 1024. Individual partitions still have a limit of 128, for both default and non-default partitions.

Adding Object-group Limits for Resource-usage Templates

This feature allows you to limit a given partition to a maximum number of object groups and object group clauses. You configure the maximum number of object groups and object group clauses for a partition using the resource usage template.

Configuration

The following configurable parameters have been added to the system resource-usage template command, under the network-resources subcommand:

object-group-clause-count

This parameter allows you to enter the number of allowed object group clauses.

object-group-count

This parameter allows you to enter the number of allowed object groups.

The configurable limit of the object-group-count parameter is 2,000 both globally and per partition. The limit for the object-group-clause-count parameter is 8,000 both globally and per partition.

Example

In the following example, the user configures the system resource usage template "t1" to allow at most 2 object groups and 2 object group clauses, with a minimum guarantee of 1 each, and then applies template "t1" to the network partition "p1".

ACOS(config)#system resource-usage template t1

ACOS(config-resource template)#network-resources

ACOS(config-resource template-node network)#object-group-count 2 min-guarantee 1

ACOS(config-resource template-node network)#object-group-clause-count 2 min-guarantee 1


ACOS(config)#partition p1 network-partition

ACOS(config-partition)#template t1

L47

This section describes the L47 enhancements.

• Enhanced Browser Support for AAM

• Support for 128K Server Name Indication

• DNS Caching to Honor Server Response TTL

• Fast-http Support for url-hash-persist

• Selecting a Back-End Server Even if Disabled

• Improved Output For “show slb server” Command To Reflect Disabled Servers

• SSL: ECDHE Support in TLS1.0/TLS1.1

• Enhancement to ECDHE Cipher Support - PFS Support

• Enhancement to the HTTP Template Command

• Load Balancing with the “DNSSEC OK” (DO) Bit

• Websocket Protocol Support

Enhanced Browser Support for AAM

AAM has been enhanced to support the following browsers and applications:

• Android 4.4.2 supports Google Chrome and all default email applications

• Apple iOS 8.0 supports Apple Safari and all default email applications

• Microsoft Windows supports Chrome 37.0.2, Mozilla Firefox 32.0.2, and Microsoft Internet Explorer 11.0.9600

Support for 128K Server Name Indication

The number of Server Name Indication (SNI) entries in client-ssl templates, distributed over multiple partitions, has increased to a system-wide maximum of 131,072 entries.

Two lines were added to the output of the show slb ssl stats command, which now also displays the following values:

• Maximum SSL contexts

• Current SSL contexts


NOTE: Regardless of the platform, each client-ssl template can have a maximum of 8192 SNI entries. The numbers in Table 2 refer to the maximum entries that can exist on the entire system.

Table 2 displays information about the additional SNI entries that are now supported.

TABLE 2 Support for Additional SNI Entries

Device                                                  Previous SNI Support   Current SNI Support

AX2500, AX2600, AX3000-11-GCF, AX1000-11, AX1030,       2,048 entries          8,192 entries
AX3030, AX3530, TH1030S, TH3030S, TH930

AX5200-11, AX5630, TH6430S/TH6435S, TH5430S/TH5435S,    16,384 entries         128,000 entries
TH5430-11, TH4430, TH5630, TH6630

AX3200-12                                               16,384 entries         128,000 entries with at least 24 GB of memory and at least 1 SSL chip; otherwise 32,000 entries

AX3400                                                  16,384 entries         128,000 entries with at least 32 GB of memory and at least 1 SSL chip; otherwise 32,000 entries

Example

The following text is an example of the output for this feature:

ACOS#sho slb ssl stat

SSL module: Hardware

Number of SSL modules: 5

SSL module 1

number of enabled crypto engines: 8

number of available crypto engines: 8

number of requests handled: 126

number of requests with errors: 0


SSL module 2

number of enabled crypto engines: 8

number of available crypto engines: 8

number of requests handled: 0

number of requests with errors: 0

SSL module 3

number of enabled crypto engines: 8

number of available crypto engines: 8

number of requests handled: 0

number of requests with errors: 0

SSL module 4

number of enabled crypto engines: 8

number of available crypto engines: 8

number of requests handled: 0

number of requests with errors: 0

SSL module 5

number of enabled crypto engines: 6

number of available crypto engines: 6

number of requests handled: 0

number of requests with errors: 0

Current clientside SSL connections: 0

Total clientside SSL connections: 0

Current serverside SSL connections: 0

Total serverside SSL connections: 0

Total times of reusing SSL sessions(IDs) in client ssl 0

Total times of reusing SSL sessions(IDs) in server ssl 0

Failed SSL handshakes: 0

Failed crypto operations: 0

Dropped serverside SSL connections: 0

SSL memory usage: 13856 bytes

SSL server certificate errors: 0

SSL fail CA verification 0

HW Context Memory Total Count 248550

HW Context Memory in Use 0


HW Context Memory alloc failed 0

HW ring full 0

Record too big 0

Total client ssl context malloc failures: 0

Maximum SSL contexts 8256

Current SSL contexts in use 63

DNS Caching to Honor Server Response TTL

This release adds support for using the server response TTL for DNS caching. The slb dns-cache-age command is extended with the new parameter honor-server-response-ttl.

With this change, the DNS cache TTL is determined as follows:

1. If only the TTL is specified, the specified TTL is used as the DNS cache TTL.

2. If only honor-server-response-ttl is enabled, the TTL in the server response is used as the DNS cache TTL.

3. If the TTL is specified and honor-server-response-ttl is enabled, the smaller of the specified TTL and the server response TTL is used as the DNS cache TTL.

4. If the TTL is not specified and honor-server-response-ttl is not enabled, the default value (300 seconds) is used as the DNS cache TTL.

NOTE: The server response TTL is the minimum TTL of all resource records in that response.
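The four rules and the note above as one function plus a minimal cache, added here as an example in Python (not ACOS code). Beyond restating the rules it shows the property a practitioner relies on: with both a configured TTL and honor-server-response-ttl, the configured value caps how long an answer with an unusually large TTL (whether misconfigured or attacker-supplied) can stay in the cache, while a short TTL from the server is still honoured. The resource-record TTL lists are constructed; what happens when honor-server-response-ttl is enabled but the response carries no resource records is not stated on the page and is assumed here to fall through to the default.

```python
"""DNS cache TTL selection as described above (added example, not ACOS code).
Assumption: an empty response under honor-server-response-ttl uses the default.
"""
DEFAULT_CACHE_TTL = 300   # seconds, the default named in the CLI help


def cache_ttl(configured_ttl, honor_server_response_ttl, response_rr_ttls):
    """Cache lifetime in seconds for one DNS response.

    configured_ttl: the <1-1000000> value of 'slb dns-cache-age', or None.
    response_rr_ttls: TTLs of all resource records in the response; per the
    note above, the server response TTL is the minimum of them.
    """
    server_ttl = min(response_rr_ttls) if response_rr_ttls else None
    if configured_ttl is not None and honor_server_response_ttl and server_ttl is not None:
        return min(configured_ttl, server_ttl)      # rule 3: configured value caps
    if configured_ttl is not None:
        return configured_ttl                        # rule 1
    if honor_server_response_ttl and server_ttl is not None:
        return server_ttl                            # rule 2
    return DEFAULT_CACHE_TTL                          # rule 4


class DnsCache:
    """Minimal cache that stores each answer with the expiry rule above."""

    def __init__(self, configured_ttl=None, honor_server_response_ttl=False):
        self.configured_ttl = configured_ttl
        self.honor = honor_server_response_ttl
        self.entries = {}            # qname -> (answer, expiry time)

    def store(self, qname, response_rr_ttls, answer, now):
        ttl = cache_ttl(self.configured_ttl, self.honor, response_rr_ttls)
        self.entries[qname] = (answer, now + ttl)
        return ttl

    def lookup(self, qname, now):
        hit = self.entries.get(qname)
        if hit is None or now >= hit[1]:             # expired: evict and miss
            self.entries.pop(qname, None)
            return None
        return hit[0]


if __name__ == "__main__":
    cache = DnsCache(configured_ttl=600, honor_server_response_ttl=True)
    # Constructed responses: a week-long TTL is capped at 600 s, a 30 s TTL is kept.
    print(cache.store("long.example", [7 * 86400], "192.0.2.1", now=0))
    print(cache.store("short.example", [30, 3600], "192.0.2.2", now=0))
    print(cache.lookup("short.example", now=29), cache.lookup("short.example", now=30))
```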

Examples for the Global DNS Cache

The following examples show the extension for global DNS cache.

This example configures the age of global DNS cache to be the minimum value between 600 seconds and the server response TTL:

ACOS(config)#slb dns-cache-age ?

<1-1000000> 1-1000000 seconds, default is 300 seconds

honor-server-response-ttl honor server response TTL

ACOS(config)#slb dns-cache-age 600 ?

honor-server-response-ttl honor server response TTL

<cr>

ACOS(config)#slb dns-cache-age 600 honor-server-response-ttl

The following example configures the age of the global DNS cache to be 600 seconds:

ACOS(config)#slb dns-cache-age 600

The following command configures the server response TTL to be used as the global DNS cache TTL:

ACOS(config)#slb dns-cache-age honor-server-response-ttl


Examples for the Virtual Port DNS Cache

The following examples show the extension for virtual port DNS cache.

The following example configures the age of the virtual port DNS cache that uses DNS template dns1 to be the minimum value between 600 seconds and the server response TTL:

ACOS(config)#show running-config | section class-list

class-list cl1 dns

dns contains example.com lid 1

ACOS(config)#slb template dns dns1

ACOS(config-dns)#class-list name cl1

ACOS(config-dns)#class-list lid 1

ACOS(config-dns-lid)#dns ttl ?

<1-65535> TTL in seconds

honor-server-response-ttl honor server response TTL

ACOS(config-dns-lid)#dns ttl 600 ?

honor-server-response-ttl honor server response TTL

<cr>

ACOS(config-dns-lid)#dns ttl 600 honor-server-response-ttl

The following command sets the age of the virtual port DNS cache using DNS template dns1 to 600 seconds:

ACOS(config-dns-lid)#dns ttl 600

The following command uses the server response TTL as the DNS cache TTL of the virtual port using DNS template dns1:

ACOS(config-dns-lid)#dns ttl honor-server-response-ttl

Fast-http Support for url-hash-persist

Starting in release 2.7.2 P3, in an HTTP template, you can now use the url_hash_persist parameter with http-vport and fast-http-vport commands.

Selecting a Back-End Server Even if Disabled

You can disable a server that is a member of a service-group from normal server selection but still maintain the health of the server. As part of the server selection, if the persistent cookie exists, as long as the service-group member’s health is up, the disabled service-pool member can be selected.

For example, you might want to periodically take active servers out of a service-pool for maintenance. If this maintenance is done by using remote clients, you can access the servers by using the same front-end VIP. The requests are required to persist to the same servers even though the service-pool member is disabled.

NOTE: New connections that do not have a sto-cookie in the request header would not consider this service-pool member for selection.


Configuration

To disable a configured real server, real server port, hostname server, and/or service-group member, but still maintain its health, enable the following command at the respective configuration level:

disable-with-health-check

NOTE: This configuration can be applied at any of the defined levels. For example, when the disable-with-health-check command is entered at the server level, the port and service-group member are also implicitly configured.

Example

The following commands configure health monitor “hm1” to use the ICMP transparent health method and apply the monitor to a TCP port on real server “test272”.

ACOS(config)#health monitor hm1

ACOS(config-health:monitor)#method icmp transparent 1.0.0.1

ACOS(config-health:monitor)#exit

ACOS(config)#slb server test272 10.1.1.2

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#health-check hm1

ACOS(config-real server-node port)#slb service-group sg1 tcp

ACOS(config-slb svc group)#member test272:80 disable-with-health-check

ACOS(config-slb svc group)#slb template persist cookie cookie272

Support for aFLEX reselect Command Under the HTTP vport

When an aFLEX script with the reselect command is enabled under a vport, if the member’s health-check is up and the request has a cookie that indicates which server IP address to select, the server selection considers a service pool member with the disabled-with-health-check indicator turned on.

The following text is an example of the aFleX script:

when LB_SELECTED {
    # Debug off (0), On(1)
    set debug 1
    # Server address requested by the client, carried in the EdgeLayerOverride cookie
    set myhost [HTTP::cookie EdgeLayerOverride]
    # Server chosen by the normal load-balancing selection
    set poolhost [LB::server addr]
    if { $myhost ne "" } {
        if {$debug} {log "Edge Cookie: $myhost"}
        if { $myhost ne $poolhost } {
            set mypool [LB::server pool]
            # Override the selection with the pool member named in the cookie
            LB::reselect pool $mypool member $myhost
            if {$debug} {log "Cookie overriding from $poolhost to $myhost"}
        }
    }
}

To trigger the LB_SELECTED event, the first server selection must be successful.

NOTE: The server selection will fail if the disabled-with-health-check indicator is enabled for all of the nodes under the pool.

Improved Output For “show slb server” Command To Reflect Disabled Servers

In conjunction with the “Selecting a Back-end Server Even if it’s Disabled” feature described above, the “show slb server” command has been updated to reflect the new commands in its output.

The default output (without the “disable-with-health-check” option configured) shows the statuses of “Up”, “Down”, “Disb” (Disabled) and “Maintenance”. This feature adds the following new statuses:

Disb/Up

Disb/Down

Disb/Maintenance

Example

The following example is the “show slb server” output from the configuration displayed in the example for the “Selecting a Back-end Server Even if it’s Disabled” feature above.

ACOS(config-cookie persist)#show slb server

Total Number of Servers configured: 1

Total Number of Services configured: 1

Current = Current Connections, Total = Total Connections

Fwd-pkt = Forward packets, Rev-pkt = Reverse packets

Service Current Total Fwd-pkt Rev-pkt Peak-conn State

---------------------------------------------------------------------------------------

test272:80/tcp 0 0 0 0 0 Disb/Down

test272: Total 0 0 0 0 0 Disb/Down

SSL: ECDHE Support in TLS1.0/TLS1.1

For Elliptic curve Diffie–Hellman (ECDH) in Transport Layer Security (TLS) Version 1.0 or Version 1.1, ACOS supports the following elliptic curves:

• secp256k1

• secp256r1

• secp384r1


If you customize an elliptic curve (ec)-list, to support TLS1.0 or TLS1.1, you must put secp256k1, secp256r1, or secp384r1 into the customized ec-list.

NOTE: The following elliptic curves are supported with hardware acceleration:

• secp256r1

• secp384r1

Enhancement to ECDHE Cipher Support - PFS Support

In release 2.7.2 P3, the following enhancements were made to this feature:

• DHE/ECDHE ciphers are only supported in Nitrox III platforms.

• The configurable ec-names under the client SSL templates have changed and now look like this:

ACOS(config-client ssl)#ec-name ?

sect571k1

sect571r1

secp192k1

secp192r1 X9_62_prime192v1

secp256k1

secp256r1 X9_62_prime256v1

secp384r1

For more information about this feature, see ECDHE Cipher Support - PFS support.

Enhancement to the HTTP Template Command

Starting in release 2.7.2 P3, in an HTTP template, you can now use the url_hash_persist parameter with http-vport and fast-http-vport commands.

NOTE: For the following requests, the current release does not support the header insertion in fast-http mode:

• POST method

• GET with data

• Pipeline requests across 2 packets

In the above cases, the request is properly handled with the HTTP mode.

Load Balancing with the “DNSSEC OK” (DO) Bit

This feature enables the ACOS device to load balance DNS requests from clients supporting DNS Security Extensions (DNSSEC) to servers supporting the same (Figure 15).

Previously, this feature was only supported using aFleX scripts (DNS::header).


FIGURE 15 Load Balancing with the “DNSSEC OK” (DO) Bit

The ACOS device checks the header of the UDP or TCP packet for an OPT field, and checks the OPT field for the “DNSSEC OK” or DO bit. If not found, the DNS request is load-balanced to a service group for DNS servers not supporting DNSSEC. If found, the request is sent to a service group for servers providing DNSSEC support.

To configure this feature, using the topology in Figure 15 as the example:

NOTE: This example uses UDP, but TCP can also be used.

1. Configure the SG-DNSSEC service group for servers supporting DNSSEC:

!

slb service-group SG-DNSSEC udp

member RS1:53001

member RS2:53001

2. Configure the SG-NON-DNSSEC service group for servers not supporting DNSSEC:

!

slb service-group SG-NON-DNSSEC udp

member RS11:53001

member RS12:53001

3. Create the DNS SLB template TMP-DNSSEC and apply it to the SG-DNSSEC service group.

!

slb template dns TMP-DNSSEC

dnssec-service-group SG-DNSSEC


4. Configure the virtual server and port on the ACOS device, and associate them with the proper service group and template.

!

slb virtual-server VS-DNS 10.10.10.10

port 53 dns-udp

service-group SG-NON-DNSSEC

template dns TMP-DNSSEC

5. View the new Layer 4 statistics counter related to this feature:

ACOS#show slb l4

...

DNSSEC switch 2

The “DNSSEC switch” field shows the number of DNSSEC packets switched to the service group supporting DNSSEC.
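As an added example (not code from the release notes or from ACOS), the following Python walks a DNS message to show two behaviours described above: the server response TTL that honor-server-response-ttl uses (the minimum TTL across all resource records in the response) together with the four dns-cache-age rules, and the OPT-record “DNSSEC OK” (DO) bit check that steers a query to the SG-DNSSEC or SG-NON-DNSSEC service group. The message builders, the handling of a response that carries no records, and the exclusion of the OPT pseudo-record from the TTL minimum are assumptions.

```python
import struct

DEFAULT_CACHE_TTL = 300   # ACOS default when no TTL is configured and the server TTL is not honored
TYPE_OPT = 41             # EDNS(0) OPT pseudo-record
DO_BIT = 0x8000           # "DNSSEC OK" flag: top bit of the OPT record's 32-bit TTL field (RFC 6891)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                  # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer also terminates it
            return off + 2
        off += 1 + length


def walk_records(msg):
    """Yield (section, rtype, ttl) for every RR in the answer, authority and additional sections."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                  # questions carry no TTL: skip QNAME, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            yield section, rtype, ttl


def server_response_ttl(msg):
    """The "server response TTL": minimum TTL over all RRs. OPT pseudo-records are skipped
    because their TTL field carries flags (assumption). None when the response has no RRs."""
    ttls = [ttl for _s, rtype, ttl in walk_records(msg) if rtype != TYPE_OPT]
    return min(ttls) if ttls else None


def cache_ttl(configured_ttl, honor_server_ttl, response):
    """Apply the four dns-cache-age rules to one cached response."""
    srv = server_response_ttl(response) if honor_server_ttl else None
    if configured_ttl is not None and srv is not None:
        return min(configured_ttl, srv)  # rule 3: both configured, take the smaller
    if configured_ttl is not None:
        return configured_ttl            # rule 1: only a TTL is configured
    if srv is not None:
        return srv                       # rule 2: only honor-server-response-ttl is enabled
    return DEFAULT_CACHE_TTL             # rule 4: neither configured (also: honor set but no RRs)


def dnssec_ok(msg):
    """True when the message carries an OPT record with the DO bit set."""
    return any(rtype == TYPE_OPT and ttl & DO_BIT for _s, rtype, ttl in walk_records(msg))


def choose_service_group(query):
    """Steer the query the way the dnssec-service-group setting in TMP-DNSSEC does."""
    return "SG-DNSSEC" if dnssec_ok(query) else "SG-NON-DNSSEC"


# --- constructed sample messages (not captured traffic) ----------------------------------

def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(qname, do_bit=None):
    """A-record query; do_bit=None omits EDNS, True/False sets or clears DO in the OPT record."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0 if do_bit is None else 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    opt = b""
    if do_bit is not None:               # name=root, type=OPT, class=UDP size, ttl=flags, rdlen=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT if do_bit else 0, 0)
    return header + question + opt


def build_response(qname, answers):
    """Response with one A record per (ttl, ipv4) pair; owner names point back at the question."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = _encode_name(qname) + struct.pack("!HH", 1, 1)
    for ttl, ip in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + body


if __name__ == "__main__":
    resp = build_response("www.example.com", [(120, "192.1.1.190"), (30, "192.1.1.191")])
    print("server response TTL:", server_response_ttl(resp))                          # 30
    print("slb dns-cache-age 600 honor-server-response-ttl ->", cache_ttl(600, True, resp))  # 30
    print("slb dns-cache-age 600 ->", cache_ttl(600, False, resp))                    # 600
    for q in (build_query("www.example.com", True), build_query("www.example.com", False)):
        print(choose_service_group(q))                                               # SG-DNSSEC, SG-NON-DNSSEC
```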

Websocket Protocol Support

ACOS 2.7.2 P3 supports the Websocket Protocol, which provides bi-directional HTTP-like services over one TCP connection. Websocket support is automatically enabled for HTTP, fast-HTTP, and HTTPS virtual ports and no additional configuration is required.

For more information about the protocol, see RFC 6455, The Websocket Protocol.

NOTE: The following Websocket traffic features are not supported:

• HTTP Compression

• RAM Caching

• HA/VRRP-A synchronization of Websocket sessions is supported only for Fast-HTTP sessions.


Enhancements in ACOS 2.7.2-P2

This section describes the enhancements in ACOS 2.7.2-P2.

• Layer 4 Enhancements

• Layer 2/Layer 3/Routing Enhancements

• Web Application Firewall Enhancements

• System Level Enhancements

• NMS/CLI/GUI Enhancements

Layer 4 Enhancements

This section describes the Layer 4 enhancements.

• DNS Logging Enhancement for GSLB: Log to Remote Servers Only

• GSLB Server Mode Responding to DNS Request Packets With Extra Data

• Selecting a Back-End Server Even if Disabled

• Improved Output For “show slb server” Command To Reflect Disabled Servers

• ECDHE Cipher Support - PFS support

• FTP Support for SLB Protocol Translation

• IMEI-Based Client-SSL Session Management

• Support for Increased Number of SNI Entries

DNS Logging Enhancement for GSLB: Log to Remote Servers Only

ACOS 2.7.2-P2 enhances GSLB logging with a new option to send GSLB DNS logs to remote logging servers, instead of the ACOS device’s log buffer. This new option is useful for deployments that experience high volumes of GSLB DNS traffic. Sending the logs for this activity to a group of remote servers prevents these messages from flooding the ACOS device’s log.

Beginning in this release, the following output options for GSLB logging are supported:

• Log only to the ACOS device’s local logging buffer.

• Log only to remote log servers. (New in ACOS 2.7.2-P2.)

Notes

• This enhancement applies specifically to GSLB DNS logging, configurable globally and in individual GSLB policies.

• Logging templates are included in HA or VRRP-A configuration synchronization. They are not included in GSLB synchronization among GSLB groups.


Configuration

To enable DNS logging for a GSLB policy:

1. Configure a logging group and logging template, if not already configured. Logging groups also are supported in previous releases. Beginning in ACOS 2.7.2-P2, you also can use logging groups for GSLB. You can configure the logging group to receive log traffic over TCP or UDP, depending on which Layer 4 protocol the servers use to receive log traffic.

2. In the GSLB policy, enable DNS logging and specify the SLB logging group to use. By specifying a logging group, you enable remote logging and disable local logging, for GSLB DNS events.

Example

The following commands create a simple GSLB configuration that uses remote logging for DNS events handled by GSLB. In this simple deployment, client DNS requests for the IP address of “www.example.com” always receive the same IP address (192.1.1.190) in the DNS response from GSLB.

The policy in this example is set to run GSLB in DNS server mode. Logging of GSLB DNS events to remote logging servers also is supported for proxy mode. The syntax for the logging portion of the configuration is the same.

Logging Group Configuration

The following commands configure the logging group, which consists of the logging server, service group, and logging template.

slb server log-s1 10.1.1.10

port 1514 tcp

!

slb service-group log tcp

member log-s1:1514

!

!

slb template logging log

service-group log

!

GSLB Configuration

The following commands configure GSLB.

To begin, these commands configure the DNS VIP that will intercept UDP DNS requests from clients:

slb virtual-server vip 10.1.1.190

port 53 udp

gslb-enable

!


The following commands configure the service-IP and the site. This is the site that GSLB is helping clients to reach. The site SLB device that is load-balancing the server (192.1.1.190) is a Thunder device (192.1.1.100). The site SLB device’s configuration is not shown.

gslb service-ip gs3 192.1.1.190

port 80 tcp

!

gslb site ss1

slb-dev thunder 192.1.1.100

vip-server gs3

!

The following commands configure the GSLB policy. The dns logging both template log command enables logging of DNS events to remote logging servers, and also disables logging of the events to the local buffer.

gslb policy p1

dns server

dns logging both template log

!

The following commands configure the zone “example.com” and the service “www”. For this service, a static DNS Address (A) record is configured. Based on this configuration, GSLB responds to client queries for www.example.com with the IP address of service-IP “gs3”.

gslb zone example.com

policy p1

service http www

dns-a-record gs3 static

!

GSLB DNS Log Messages Sent to Remote Log Server

The following messages are sent to the remote logging server to indicate a DNS query from a client for www.example.com, and the response sent to the client:

May 30 17:22:16 10.1.1.180 QUERY Fwd 10.1.1.190 10.1.1.68 www.example.com A 43617

May 30 17:22:16 10.1.1.180 RESP Server 10.1.1.190 10.1.1.68 www.example.com A 43617 0 0 1 [A,1,10,4,192.1.1.190]

Query

The first message logs the DNS query message intercepted by ACOS and forwarded to the GSLB DNS server. The message provides the following details:

• May 30 17:22:16 10.1.1.180 – Timestamp indicating the system time on the ACOS device when GSLB generated the message.

• QUERY – Type of DNS message.

• Fwd 10.1.1.190 – VIP address of the GSLB DNS server to which ACOS forwarded the request.


• If GSLB is running in DNS server mode, this is the GSLB DNS VIP configured on the same device.

• If GSLB is running in DNS proxy mode, this is the IP address of the external DNS server bound to by the DNS VIP.

• 10.1.1.68 – Client IP address (local DNS).

• www.example.com – The host for which the client is requesting the IP address.

• A – The type of query. In this example, this is a query for an IPv4 address (A record).

• 43617 – DNS transaction ID.

Response

The second message logs the response to the client’s DNS query.

• May 30 17:22:16 10.1.1.180 – Message timestamp.

• RESP – Type of message, in this case a DNS Response.

• Server – GSLB DNS mode, Proxy or Server.

• 10.1.1.190 – VIP address of the GSLB DNS server from which the response is sent.

• 10.1.1.68 – Client IP address (local DNS).

• www.example.com – The host for which the client is requesting the IP address.

• A – Type of record in the response. In this case, the response includes an IPv4 address record.

• 43617 – DNS transaction ID.

• 0 0 1 – Shows the following information:

• GSLB error code (Code 0 indicates success.)

• DNS reply code in header

• Answer count

• [A,1,10,4,192.1.1.190] – Content of the answer:

• A – Record type

• 1 – Class type

• 10 – TTL

• 4 – Data length

• 192.1.1.190 – DNS VIP address of the GSLB DNS server (or proxy, if proxy mode is used)
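As an added example (not code from the release notes or from ACOS), the following Python parses the two GSLB DNS log message layouts described above into their documented fields, then pairs queries with responses by client address and transaction ID so that failed, empty or unanswered GSLB lookups can be flagged on the remote log server. The two sample lines are the ones from this example; the audit function and its result categories are assumptions.

```python
import re

# Sample lines copied from the GSLB example above (DNS server mode, one static A record).
SAMPLE_LOG = [
    "May 30 17:22:16 10.1.1.180 QUERY Fwd 10.1.1.190 10.1.1.68 www.example.com A 43617",
    "May 30 17:22:16 10.1.1.180 RESP Server 10.1.1.190 10.1.1.68 www.example.com A 43617 0 0 1 [A,1,10,4,192.1.1.190]",
]

_ANSWER = re.compile(r"\[([^\]]*)\]")   # one bracketed answer: [type,class,ttl,length,data]


def parse_gslb_dns_log(line):
    """Split one GSLB DNS log message into the fields documented above.
    Positions follow the QUERY and RESP layouts; anything else raises ValueError."""
    tok = line.split()
    if len(tok) < 11 or tok[4] not in ("QUERY", "RESP"):
        raise ValueError(f"not a GSLB DNS log line: {line!r}")
    rec = {
        "timestamp": " ".join(tok[0:3]),   # ACOS system time when GSLB generated the message
        "device": tok[3],                  # ACOS device that emitted the message
        "type": tok[4],                    # QUERY or RESP
        "vip": tok[6],                     # GSLB DNS VIP (server mode) or external DNS server (proxy mode)
        "client": tok[7],                  # client (local DNS) IP address
        "host": tok[8],                    # name the client asked for
        "qtype": tok[9],                   # query / record type
        "txid": int(tok[10]),              # DNS transaction ID: pairs a RESP with its QUERY
    }
    if rec["type"] == "QUERY":
        rec["direction"] = tok[5]          # "Fwd": intercepted and forwarded to the GSLB DNS server
        return rec
    rec["mode"] = tok[5]                   # GSLB DNS mode: Server or Proxy
    rec["gslb_error"], rec["rcode"], rec["answer_count"] = (int(x) for x in tok[11:14])
    rec["answers"] = []
    for m in _ANSWER.finditer(" ".join(tok[14:])):
        rtype, rclass, ttl, length, data = m.group(1).split(",", 4)
        rec["answers"].append({"type": rtype, "class": int(rclass), "ttl": int(ttl),
                               "length": int(length), "data": data})
    return rec


def audit_gslb_dns_log(lines):
    """Pair queries with responses by (client, txid) and report what a monitoring job would
    want: responses that failed (GSLB error or non-zero DNS reply code), responses with no
    answers, and queries that never received a response in this batch (assumed categories)."""
    pending, failed, empty = {}, [], []
    for rec in map(parse_gslb_dns_log, lines):
        key = (rec["client"], rec["txid"])
        if rec["type"] == "QUERY":
            pending[key] = rec
            continue
        pending.pop(key, None)
        if rec["gslb_error"] != 0 or rec["rcode"] != 0:
            failed.append(rec)
        elif rec["answer_count"] == 0:
            empty.append(rec)
    return {"failed": failed, "empty": empty, "unanswered": list(pending.values())}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_gslb_dns_log(line))
    print(audit_gslb_dns_log(SAMPLE_LOG))   # all three lists empty for the sample exchange
```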

GSLB Server Mode Responding to DNS Request Packets With Extra Data

In previous releases, if a DNS request had extra hex data following the normal DNS packet, GSLB would not respond to the request and would instead proxy it out.

The following new syntax has been added to address the issue, and can be accessed from the global configuration level, under the “gslb system” command options:


gslb system disable-strict-parsing

With “disable-strict-parsing” enabled, GSLB processes packets with extra data as normal DNS packets. An additional “Extra Data” entry has been added to the “show gslb state” output to track these packets. A sample output, including the new “Extra Data” row, follows:

show gslb state

Type Query Response

--------------------------------------------------------------------------------

Bad Packet 0 0

Bad Header 0 0

Bad Format 0 0

Bad Service 0 0

Bad Class 0 0

Bad Type 0 0

Extra Data 0 0

Total 0 0

Selecting a Back-End Server Even if Disabled

With this enhancement, you can disable a service-group member from normal server selection, but still maintain the health of the server. ACOS persists a request to a server based on the incoming STO-cookie that the client then appends to the request header. As part of the server selection in the presence of a cookie, a disabled service pool member is chosen only if the persist cookie configuration has the allow-disabled-sg-member option enabled, and the disabled service pool member has a health check enabled. However, new connections without a STO-cookie in the request header would not consider this service pool member for selection.

This feature is ideal if you periodically need to take active servers out of service pools for maintenance, but this maintenance is done through a remote client. The feature allows you to access these servers using the same front-end VIP.

Configuration

To disable a configured real server, real server port, hostname server, and/or service-group member, but still maintain its health, enable the following command at the respective configuration level:

disable-with-health-check

NOTE: This configuration can be applied at any of the levels defined above. For example, when disable-with-health-check is applied at the server level, the port and service-group member also get the same setting implicitly.

To allow sessions to persist to a disabled service group member, enable the following command as part of a configured persist-cookie template:

allow-disabled-sg-member


Example

The following commands configure health monitor “hm1” to use the ICMP transparent health method, and apply the monitor to a TCP port on real server “test272”. Then, the “disable-with-health-check” option is enabled at the service group member configuration level. The “allow-disabled-sg-member” option is enabled on the SLB persist cookie template “cookie272” to allow sessions to persist to the disabled service group member.

ACOS(config)#health monitor hm1

ACOS(config-health:monitor)#method icmp transparent 1.0.0.1

ACOS(config-health:monitor)#exit

ACOS(config)#slb server test272 10.1.1.2

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#health-check hm1

ACOS(config-real server-node port)#slb service-group sg1 tcp

ACOS(config-slb svc group)#member test272:80 disable-with-health-check

ACOS(config-slb svc group)#slb template persist cookie cookie272

ACOS(config-cookie persist)#allow-disabled-sg-member

Improved Output For “show slb server” Command To Reflect Disabled Servers

In conjunction with the “Selecting a Back-end Server Even if it’s Disabled” feature described above, the “show slb server” command has been updated to reflect the new commands in its output.

The default output (without the “disable-with-health-check” option configured) shows the statuses of “Up”, “Down”, “Disb” (Disabled) and “Maintenance”. This feature adds the following new statuses:

Disb/Up

Disb/Down

Disb/Maintenance

Example

The following example is the “show slb server” output from the configuration displayed in the example for the “Selecting a Back-end Server Even if it’s Disabled” feature above.

ACOS(config-cookie persist)#show slb server

Total Number of Servers configured: 1

Total Number of Services configured: 1

Current = Current Connections, Total = Total Connections

Fwd-pkt = Forward packets, Rev-pkt = Reverse packets

Service Current Total Fwd-pkt Rev-pkt Peak-conn State

---------------------------------------------------------------------------------------

test272:80/tcp 0 0 0 0 0 Disb/Down

test272: Total 0 0 0 0 0 Disb/Down


ECDHE Cipher Support - PFS support

ACOS release 2.7.2 P2 adds support for new ECDHE/DHE ciphers. This feature adds support for ECDHE-RSA ciphers, DHE-RSA ciphers, ECDHE-ECDSA ciphers, and GCM & SHA384 in 1, 2, and 3. This feature also allows for the configuration of EC and DH parameters, EC Curve selection, the importing/verification of EC Keys for ECDSA ciphers, and support for TLS1.0/TLS1.1 (phase 2) in 1, 2, and 3.

The ECDHE CPS performance limitation is a known issue in this release.

Using the CLI

New cipher suites have been added and are configurable in Client SSL templates, Server SSL templates and Cipher templates. The full cipher list is shown below:

ACOS(config-client ssl)#cipher ?

SSL3_RSA_DES_192_CBC3_SHA

SSL3_RSA_DES_40_CBC_SHA

SSL3_RSA_DES_64_CBC_SHA

SSL3_RSA_RC4_128_MD5

SSL3_RSA_RC4_128_SHA

SSL3_RSA_RC4_40_MD5

TLS1_DHE_RSA_AES_128_GCM_SHA256

TLS1_DHE_RSA_AES_128_SHA

TLS1_DHE_RSA_AES_128_SHA256

TLS1_DHE_RSA_AES_256_GCM_SHA384

TLS1_DHE_RSA_AES_256_SHA

TLS1_DHE_RSA_AES_256_SHA256

TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256

TLS1_ECDHE_ECDSA_AES_128_SHA

TLS1_ECDHE_ECDSA_AES_128_SHA256

TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384

TLS1_ECDHE_ECDSA_AES_256_SHA

TLS1_ECDHE_RSA_AES_128_GCM_SHA256

TLS1_ECDHE_RSA_AES_128_SHA

TLS1_ECDHE_RSA_AES_128_SHA256

TLS1_ECDHE_RSA_AES_256_GCM_SHA384

TLS1_ECDHE_RSA_AES_256_SHA

TLS1_RSA_AES_128_GCM_SHA256

TLS1_RSA_AES_128_SHA

TLS1_RSA_AES_128_SHA256

TLS1_RSA_AES_256_GCM_SHA384

TLS1_RSA_AES_256_SHA

TLS1_RSA_AES_256_SHA256

TLS1_RSA_EXPORT1024_RC4_56_MD5

TLS1_RSA_EXPORT1024_RC4_56_SHA


ECDHE/DHE ciphers can be supported in TLS1.0/TLS1.1, and will be supported in phase 2. SHA384/GCM ciphers are only supported in TLS1.2.

To use ECDHE/SHA2/GCM ciphers in Server SSL templates, you will need to specify TLS version 1.2:

ACOS(config-server ssl)#version ?

<30-33> TLS/SSL version: 30-SSLv3.0, 31-TLSv1.0, 32-TLSv1.1 and 33-TLSv1.2

You can now specify the Elliptic Curve Name in Client SSL templates:

ACOS(config-client ssl)#ec-name ?

sect163k1

sect163r1

sect163r2

sect193r1

sect193r2

sect233k1

sect233r1

sect239k1

sect283k1

sect283r1

sect409k1

sect409r1

sect571k1

sect571r1

secp160k1

secp160r1

secp160r2

secp192k1

secp192r1 X9_62_prime192v1

secp224k1

secp224r1

secp256k1

secp256r1 X9_62_prime256v1

secp384r1

secp521r1

If no EC name is specified, ACOS picks the first curve in the client’s EC list that ACOS supports. If one or more EC names are specified, ACOS picks the first of those that the client supports.

You can now specify DH parameters in Client SSL templates:

ACOS(config-client ssl)#dh-param ?

1024

1024-dsa

2048

512


The command shown above allows you to specify the DH key length. By default, the length is 1024. ACOS does not have configurable DH parameters in Server SSL templates as the client will use the server’s DH parameters.

You can now specify the EC name in Server SSL templates. The command is the same as when you specify the EC name in Client SSL templates:

ACOS(config-server ssl)#ec-name ?

sect163k1

sect163r1

sect163r2

sect193r1

sect193r2

sect233k1

sect233r1

sect239k1

sect283k1

sect283r1

sect409k1

sect409r1

sect571k1

sect571r1

secp160k1

secp160r1

secp160r2

secp192k1

secp192r1 X9_62_prime192v1

secp224k1

secp224r1

secp256k1

secp256r1 X9_62_prime256v1

secp384r1

secp521r1

If no EC name is specified, ACOS sends all supported EC names to the server. If one or more EC names are selected, ACOS sends only the specified EC name(s) to the server.

FTP Support for SLB Protocol Translation

SLB Protocol Translation (SLB-PT) is now supported for use on FTP virtual ports in a virtual server configuration. Protocol translation allows you to forward IPv6 client traffic to IPv4 servers, and IPv4 client traffic to IPv6 servers. ACOS translates the FTP packets and commands between their IPv4 and IPv6 versions, as applicable. This process is transparent to the FTP clients and servers. For example, an IPv4 client connecting to an IPv6 server over SLB-PT receives responses over IPv4, as though they are from an IPv4 server. Likewise, the server receives the client’s requests over IPv6, as though they originate from an IPv6 client.


Source NAT Requirement

SLB-PT requires source NAT. ACOS uses source NAT to connect IPv4 clients with IPv6 servers or IPv6 clients with IPv4 servers. For example, to connect an IPv4 client with an IPv6 server, ACOS needs an IPv6 pool. In this case, ACOS translates the client’s IPv4 address into an IPv6 address from the pool. ACOS then sends the client’s request to the server, using the address from the pool as the source address for the request. When ACOS receives the server response, the destination address of the response is the NAT address from the pool. ACOS translates the NAT address back into the client’s IPv4 address and forwards the content from the IPv6 server to the client over IPv4.

NOTE: There is no new syntax for this feature. For more information on configuring SLB Protocol Translation, see the Application Delivery and Server Load Balancing Guide.

Examples

The following examples show VIP configurations for IPv6-to-IPv4 protocol translation, and for IPv4-to-IPv6 protocol translation.

Example: IPv6-to-IPv4 Protocol Translation

The commands in this section provide IPv6 clients with access to IPv4 servers. ACOS uses the IPv4 pool to assign IPv4 NAT addresses to IPv6 clients.

The following command configures the IPv4 pool for source NAT:

ACOS(config)#ip nat pool natpool1 4.30.0.150 4.30.0.180 netmask /24

The following commands configure the IPv6 virtual server with an FTP virtual port. The IPv4 source NAT pool is then applied to the virtual port to enable protocol translation:

ACOS(config)#slb virtual-server vs4 3001::3:30:0:151

ACOS(config-slb vserver)#port 21 ftp

ACOS(config-slb vserver-vport)#source-nat pool natpool1

ACOS(config-slb vserver-vport)#service-group sg2

Example: IPv4-to-IPv6 Protocol Translation

The commands in this section provide IPv4 clients with access to IPv6 servers. ACOS uses the IPv6 pool to assign IPv6 NAT addresses to IPv4 clients.

The following command configures the IPv6 pool for source NAT:

ACOS(config)#ipv6 nat pool natpool2 2001::4:30:0:150 2001::4:30:0:152 netmask 64

The following commands configure the IPv4 virtual server with an FTP virtual port. The IPv6 source NAT pool is then applied to the virtual port to enable protocol translation:

ACOS(config)#slb virtual-server vs5 3.30.0.151

ACOS(config-slb vserver)#port 21 ftp

ACOS(config-slb vserver-vport)#source-nat pool natpool2

ACOS(config-slb vserver-vport)#service-group sg5


IMEI-Based Client-SSL Session Management

ACOS 2.7.2-P2 provides the ability to display and clear client-SSL sessions based on the client International Mobile Equipment Identity (IMEI) number, a unique 15-digit decimal number assigned to mobile devices on some types of networks (for example, GSM).

This feature can be useful for managing client sessions on an HTTPS virtual port based on client mobile number. For example, if a client’s IMEI number is associated with a mobile device used by the client, this feature enables you to manage the device’s SSL sessions. You can view the IMEI numbers (mobile devices) that are active on a given VIP, as well as handshake and session statistics for the devices. You also can clear individual device sessions by IMEI number, or clear related statistics.

If Server Name Indication (SNI) extension support is enabled, the same IMEI can have multiple sessions, each with a different SNI (server name). In this case, you can specify the SNI in addition to the IMEI to identify individual sessions to display or clear.

When support for viewing and clearing sessions based on IMEI number is enabled, ACOS reads the IMEI numbers from client HTTP POST requests received on the HTTPS virtual port.

This feature is disabled by default. You can enable it on individual HTTPS virtual ports.

NOTE: The feature applies only to HTTPS virtual ports.

Configuration

To enable IMEI-based client-SSL session management, enable the following options in a client-SSL template and bind the template to the HTTPS virtual port:

imei-support

session-cache-size num

Client-SSL session caching is required. The num option of the session-cache-size command specifies the maximum number of SSL sessions that can be cached for the HTTPS VIP bound to the template. Make sure to specify a number that allows enough concurrent HTTPS sessions for your application.

Displaying Sessions by IMEI Number

To display client SSL sessions based on IMEI number, use the following command:

show slb ssl-client-imei vserver-name vport-num [sni server-name] {all | imei string}

The vserver-name vport-num options specify the virtual server name and the HTTPS port number.

The sni server-name option is applicable if the template includes SNI support, and displays only the sessions for the specified server name.

The all option displays all the client-SSL sessions that have IMEI numbers. The imei string value displays information for a specific IMEI number.

page 109 | Document No.:272-P7-SP3-REL-001 - 12/22/2015

A10 Thunder Series and AX Series—ACOS Release Notes

Enhancements in ACOS 2.7.2-P2

Clearing Sessions or Session Counters by IMEI Number

To clear client mobile device sessions based on IMEI number, use the following command:

clear slb ssl-client-imei vserver-name vport-num [sni server-name] {all | imei string}

The options are the same as those for the show slb ssl-client-imei command.

To clear only the session counters but not the sessions themselves, use the counters option at the end of the command:

clear slb ssl-client-imei vserver-name vport-num [sni server-name] {all | imei string} counters

If you use the sni option, sessions are cleared only for that server name. None of the sessions for any other server names in the client-SSL template are cleared. Likewise, sessions for the default server name are not cleared.

The counters option clears only the session counters, but not the sessions themselves.

Example

The commands in this example enable IMEI-based client-SSL session management on an HTTPS virtual port, then display and clear some IMEI sessions and related counters.

NOTE: This example does not show how the client-SSL certificates and keys are placed onto the ACOS device. The certificates and keys can be generated on the ACOS device or imported onto the device. If self-signed certificates meet your deployment needs, generate the certificates and keys on the ACOS device. To use certificates signed by a third-party Certificate Authority (CA), which is more secure, import the CA-signed certificates and their keys onto the device. (See the Application Delivery and Server Load Balancing Guide.)

A virtual port in a production deployment will have additional options, such as the name of the service group bound to the real servers.

Client-SSL Template Configuration

The following commands configure a client-SSL template that enables IMEI-based client-SSL session management:

slb template client-ssl css1
  cert acos-validID
  key acos-validID-key
  session-cache-timeout 600
  session-cache-size 2048
  imei-support
!


HTTPS Virtual Port Configuration

The following commands bind the client-SSL template to an HTTPS virtual port:

slb virtual-server imei-vip 10.10.10.22
  port 443 https
    template client-ssl css1
!

Displaying and Clearing Sessions by IMEI

The following command lists all currently active client-SSL IMEI-based sessions on VIP imei-vip:

ACOS#show slb ssl-client-imei imei-vip 443 all
IMEI list for Virtual Server: imei-vip Port: 443
Total IMEIs: 2
IMEI             Session Created       Last Resume           Handshakes  Resumes
--------------------------------------------------------------------------------
123456789012345  May 08 2014 11:53:45  none                  1           0
351926040144538  May 08 2014 11:30:16  May 08 2014 11:30:46  1           1

The following commands clear the first session, then verify the change by redisplaying the session list:

ACOS#clear slb ssl-client-imei imei-vip 443 imei 123456789012345
ACOS#show slb ssl-client-imei imei-vip 443 all
IMEI list for Virtual Server: imei-vip Port: 443
Total IMEIs: 2
IMEI             Session Created       Last Resume           Handshakes  Resumes
--------------------------------------------------------------------------------
351926040144538  May 08 2014 11:30:16  May 08 2014 11:30:46  1           1

The following command clears only the counters, without clearing the remaining session:

ACOS#clear slb ssl-client-imei imei-vip 443 all counters

The following command verifies that the session is still present and its counters have been reset:

ACOS#show slb ssl-client-imei imei-vip 443 all
IMEI list for Virtual Server: imei-vip Port: 443
Total IMEIs: 2
IMEI             Session Created       Last Resume           Handshakes  Resumes
--------------------------------------------------------------------------------
351926040144538  May 08 2014 11:30:16  May 08 2014 11:30:46  0           0


Example: SNI Support

This example builds on the previous one, adding SNI support.

In the client-SSL template, the server-name command adds server name “abc”, along with its unique certificate and key:

ACOS#configure
ACOS(config)#slb template client-ssl css1
ACOS(config-client ssl)#server-name abc cert abc-cert key abc-key
ACOS(config-client ssl)#end

The following command displays all client-SSL IMEI sessions on vip2:

ACOS#show slb ssl-client-imei vip2 443 all
IMEI list for Virtual Server: vip2 Port: 443
Total IMEIs: 2
IMEI             Session Created       Last Resume  Handshakes  Resumes
--------------------------------------------------------------------------------
351926040144538  Jun 02 2014 10:59:36  none         1           0
361926040155649  Jun 02 2014 11:01:31  none         1           0
371926040288064  Jun 02 2014 11:02:32  none         1           0

The following command filters the output to show the sessions only for server name “abc”:

ACOS#show slb ssl-client-imei vip2 443 sni abc all
IMEI list for Virtual Server: vip2 Port: 443
Total IMEIs: 1
IMEI             Session Created       Last Resume  Handshakes  Resumes
--------------------------------------------------------------------------------
361926040155649  Jun 02 2014 11:01:31  none         1           0

The following command clears the session on server name “abc”:

ACOS#clear slb ssl-client-imei vip2 443 sni abc all

This command does not clear any sessions that the same IMEI has with other server names on the same VIP. For example, the following command still shows a session for IMEI 361926040155649. However, this session is with the default server name of the client-SSL template.

ACOS#show slb ssl-client-imei vip2 443 all
IMEI list for Virtual Server: vip2 Port: 443
Total IMEIs: 1
IMEI             Session Created       Last Resume  Handshakes  Resumes
--------------------------------------------------------------------------------
351926040144538  Jun 02 2014 10:59:36  none         1           0
361926040155649  Jun 02 2014 11:01:31  none         1           0
371926040288064  Jun 02 2014 11:02:32  none         1           0


Support for Increased Number of SNI Entries

ACOS 2.7.2-P2 supports up to 8192 Server Name Indication (SNI) entries, whereas previous releases supported only 1024 SNI entries. ACOS has supported the use of the SNI extension to the TLS protocol for several releases. This support allows web servers to host content for multiple domains at the same IP address by issuing a separate server certificate for each domain.

By increasing the maximum number of SNI entries per IP, customers can host more domains per VIP. This enhancement can be helpful for web-hosting companies that have many websites but a relatively limited number of IP addresses.

ACOS has a maximum limit of 8192 SSL contexts available to the whole system, meaning that one SNI entry bound to a virtual port uses up one SSL context. Therefore, you could reach that limit by configuring one client-SSL template (with 8192 SNI entries) and binding it to one virtual port (8192 x 1 = 8192), or the limit could be reached by configuring a client-SSL template that has 2048 SNI entries and binding it to four virtual ports (2048 x 4 = 8192).

Using the GUI

Although the maximum number of SNI entries supported within a client-SSL template has increased, the GUI behavior for this feature has not changed.

To create an SNI entry within a client-SSL template using the ACOS GUI:

1. Navigate to Config Mode > SLB > Template > SSL > Client SSL.

2. Click “Add” or select the name of an existing template.

3. Scroll down to the Server Name Indication (SNI) section.

4. Enter the Server Name, Server Certificate, Server Private Key and Pass Phrase as you normally would. (See the “Server Name Extension Support” section in the Application Access Management and DDoS Mitigation Guide for details on configuring SNI.)

5. Click “Add”.

6. Click “OK” to store your changes.

Using the CLI

Although the maximum number of SNI entries supported within a client-SSL template has increased, the CLI commands used to configure this feature have not changed.

To create an SNI entry within a client-SSL template using the ACOS CLI, use the following CLI command at the client-SSL template configuration level:

[no] server-name domain-name cert certificate-name key private-key-name [pass-phrase pass-phrase-string] [partition shared]

Layer 2/Layer 3/Routing Enhancements

This section describes the Layer 2, Layer 3, and routing enhancements.

• Adding a Description Field to Object Groups

• Increased Number of Object Groups and Clauses


Adding a Description Field to Object Groups

Starting in release 2.7.2-P2, you can add a Description field for network or service object groups. In this field, you can provide additional information about the object group instance that you created. In an object group, there can be multiple clauses, but the description is common for an object group.

Here is an example of an object group description:

object-group network s616844shsql01
  description IP Address space for s616844shsql01 Resource Group

You can add a maximum length of 128 characters in a description.

The description string can be composed of any set of letters or numbers, and you can save the description name with the same name as the string. Using the example above, you can use the following text as the description string and the description name:

s616844shsql01

NOTE: You must enter at least one letter or number for the description name. Do not leave it empty.

The following types of object groups are supported in this release:

• Network – Contains IP address match criteria. The options are the same as those supported for source and destination addresses in IPv4 and IPv6 ACLs.

• Service – Contains protocol match criteria. The options are the same as those supported in IPv4 and IPv6 ACLs.

Using the GUI

This release does not support configuring this feature by using the GUI.

Using the CLI

You can configure this feature by using the CLI.

Configuring the Description

You can configure the Description by using the CLI.

1. Create a network or service object group by entering the following command at the configuration level of the CLI:

object-group network network_name

The network_name specifies the name of the network that you created.

2. Display the description option by entering the following command:

description ?

WORD<length:1-128> Description of the object-group instance


3. Enter the description by entering the following command:

[no] description description_field

Displaying the Object Group

You can display the object group by using the CLI.

1. To display the object group, enter the following command at the network configuration level in the CLI:

sh object-group
object-group network network_name
  description description_field

Increased Number of Object Groups and Clauses

Starting in release 2.7.2-P2, the number of accepted object group instances and clauses in the object groups has increased. You can now configure up to 2000 object groups and clauses.

Web Application Firewall Enhancements

ACOS 2.7.2-P2 introduces the following WAF enhancements:

• Session Tracking

• Normalization Enhancements for URL Options

• Increased Maximum Parameters in WAF Template

• Web Application Firewall Enhancements

Session Tracking

To increase the security of the session between the ACOS device and the client-side devices, ACOS offers cookie-based session tracking for WAF sessions.

TABLE 3 Options and Variables used to Configure Description

Variable or Option   Description
description_field    Specifies the name of the description that you are configuring.
no                   Allows you to remove the description that you configured.

TABLE 4 Variables to Display the Object Group

Variable             Description
network_name         Specifies the name that you specified for the network you created.
description_field    Specifies the description that you configured.


With this option enabled, the WAF uses a cookie to track user sessions. When a request is received from a client for the first time, ACOS creates a unique ID for the session, stores it in a table, and inserts the ID into a cookie that is returned to the client.

Subsequent requests from this client are validated against the session ID. If the session ID does not match the saved ID, or if the ID is coming from a different IP address than that of the original client, then the request is rejected.

Details:

• Session Tracking for WAF sessions is disabled by default.

• When enabled, you must specify the Session Lifetime to determine the amount of time the session ID will remain valid. By default, the session lifetime is 600 seconds (10 minutes), but you can enter a range from 1–86400 seconds (24 hours).

• The session cookie is named “awaf-sid”, and it is inserted into the header of the response sent by the server.

• The header appears in the following format: Set-Cookie: awaf-sid=<session-id>; path=/; max-age=<session-lifetime>
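The session check described above, modelled in Python as an added example (not ACOS code): the first request without an awaf-sid cookie gets a fresh session ID bound to the client IP, and later requests are allowed only when the ID is known, unexpired and presented from the same IP. The counters mirror the Session Check lines of show slb waf; the request sequence in demo() is constructed.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

COOKIE_NAME = "awaf-sid"


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split a Cookie / Set-Cookie value such as 'awaf-sid=abc; path=/' into a dict."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


class SessionTracker:
    """Cookie-based session check modelled on the WAF session-check option."""

    def __init__(self, lifetime: int = 600, clock: Callable[[], float] = time.time):
        if not 1 <= lifetime <= 86400:
            raise ValueError("session lifetime must be 1-86400 seconds")
        self.lifetime = lifetime
        self.clock = clock                      # injectable so expiry can be tested
        self.sessions: Dict[str, Tuple[str, float]] = {}   # sid -> (client IP, expiry)
        self.stats = {"success": 0, "failed": 0, "none": 0}

    def set_cookie_header(self, sid: str) -> str:
        # Header format documented for the cookie inserted into the server response.
        return f"Set-Cookie: {COOKIE_NAME}={sid}; path=/; max-age={self.lifetime}"

    def check(self, client_ip: str, cookies: Dict[str, str]) -> Tuple[bool, Optional[str]]:
        """Return (request allowed?, Set-Cookie header to add to the response or None)."""
        sid = cookies.get(COOKIE_NAME)
        if sid is None:
            # First request from this client: create a session ID, remember the
            # client IP, and hand the ID back in a cookie ("None" in the stats).
            self.stats["none"] += 1
            sid = secrets.token_hex(16)
            self.sessions[sid] = (client_ip, self.clock() + self.lifetime)
            return True, self.set_cookie_header(sid)
        entry = self.sessions.get(sid)
        if entry is None:
            self.stats["failed"] += 1          # unknown or forged ID
            return False, None
        saved_ip, expiry = entry
        if self.clock() > expiry:
            del self.sessions[sid]             # session lifetime exceeded
            self.stats["failed"] += 1
            return False, None
        if saved_ip != client_ip:
            self.stats["failed"] += 1          # same ID, different source address
            return False, None
        self.stats["success"] += 1
        return True, None


def demo() -> Dict[str, int]:
    """Constructed request sequence; returns the Session Check counters."""
    now = [1000.0]
    tracker = SessionTracker(lifetime=300, clock=lambda: now[0])
    _, header = tracker.check("10.0.0.5", {})                      # none -> cookie issued
    sid = parse_cookie_header(header.split(": ", 1)[1])[COOKIE_NAME]
    tracker.check("10.0.0.5", {COOKIE_NAME: sid})                  # success
    tracker.check("10.0.0.9", {COOKIE_NAME: sid})                  # failed: other IP
    tracker.check("10.0.0.5", {COOKIE_NAME: "0" * 32})             # failed: unknown ID
    now[0] += 301                                                  # past the lifetime
    tracker.check("10.0.0.5", {COOKIE_NAME: sid})                  # failed: expired
    return tracker.stats


if __name__ == "__main__":
    print(demo())
```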

Configuring WAF Session Tracking

To configure WAF session tracking:

1. Create a WAF template.

2. Enter the session-check CLI command in the WAF template.

3. Bind the WAF template to an HTTP virtual port of a virtual server.

Using the GUI

To enable session tracking through the ACOS GUI:

1. Navigate to Config Mode > Security > WAF > Template > WAF.

2. Click Add or select the name of an existing WAF template.

3. Scroll down to the Session Check section, as shown in the figure below:

FIGURE 16 Config Mode > Security > WAF > Template > WAF

4. By default, WAF session checking is disabled. Select the Enabled radio button to enable session checking.

5. Accept the default value for the Session Lifetime (600 seconds), or enter a new value ranging from 1–86400 seconds.


6. When finished updating the WAF template, click OK.

Using the CLI

To enable the WAF session tracking feature using the CLI, use the following command at the global configuration level to create a WAF template:

[no] slb template waf template-name

Within the WAF template, enter the following command to enable session tracking:

[no] session-check session-lifetime

The session-lifetime specifies the amount of time for which the session ID will remain valid. The default value is 600 seconds (10 minutes), but you can enter a range from 1 - 86400 seconds (24 hours).

For details on binding the WAF template to the virtual port of a virtual server, see the CLI example below.

CLI Example

The following example creates a WAF template called “test1”, which has a session lifetime of 300 seconds, and binds it to the virtual server called “waf1”.

ACOS(config)#slb template waf test1
ACOS(config-waf)#session-check 300
ACOS(config-waf)#exit

The following commands bind the WAF template “test1” to HTTP port 80 of the virtual server “waf1” at IP 4.3.2.1:

ACOS(config)#slb virtual-server waf1 4.3.2.1
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#template waf test1
ACOS(config-slb vserver-vport)#exit

The following command can be used to display statistics for the WAF session tracking feature:

ACOS(config)#show slb waf
                                    Total
---------------------------------------------------------------
Requests                            4
Requests allowed                    3
Requests denied                     1
Session Check
  - Success                         1
  - Failed                          1
  - None                            1
...


Normalization Enhancements for URL Options

ACOS 2.7.2 introduces support for several new URL normalization options. URL normalization is a process of standardizing the appearance of URLs to remove inconsistencies from one URL to another.

For example, one URL might use lower-case characters, while another URL could use a mix of upper-case and lower-case characters.

A simple corrective normalization scheme could be used to convert the URL with the mixed set of upper-case and lower-case characters to use only lower-case characters, as shown below.

• Before normalization: HTTP://www.Example.com/

• After normalization: http://www.example.com/

This process of normalizing URLs is sometimes used by search engines to make comparisons of several URLs easier. By standardizing the appearance of URLs and reducing them down to the canonical form, it is easier to ensure the same URL is not cataloged twice by a web crawler. Perhaps more relevant to its functionality in the WAF, URL normalization offers a way to protect web servers from certain types of attacks, which can hide in the non-normalized, recursive encoding of the data.

One example of such an attack is the so-called directory traversal attack, which exploits non-sanitized file names in order to gain access to sensitive directories or files that were supposed to remain off limits.

URL Options

In addition to normalizing upper-case and lower-case, the WAF can also make the following changes to internal URLs sent from backend servers:

• Decode Entities – Decode entities, such as &lt; &#xx; &#ddd; &xXX

• Decode Escaped Characters – Decode escape characters, such as \r \n \" \xXX

• Decode HEX Characters – Decode hexadecimal characters, such as \%xx and \%u00yy

• Remove Comments – Remove comments from an internal URL

• Remove Self References – Remove self-references, such as /./ and /path/../

• Remove Spaces – Remove spaces from an internal URL.

Configuring Normalization of URLs

To configure the Normalization of URLs feature:

1. Create a WAF template.

2. Enter the url-options CLI command in the WAF template.

3. Bind the WAF template to a virtual port of a virtual server.

Using the GUI

To configure the URL normalization options within a WAF template:

1. Navigate to Config Mode > Security > WAF > Template > WAF.


2. Click “Add” or click the name of an existing WAF template.

3. Scroll down to the URL Options section, as shown below:

FIGURE 17 Config Mode > Security > WAF > Template > WAF

4. Select the desired checkboxes to enable the various URL Options.

5. Click OK.

Using the CLI

To configure the URL normalization options, use the following CLI command from within a WAF template:

[no] url-options {decode-entities | decode-escaped-chars | decode-hex-chars | remove-comments | remove-selfref | remove-spaces}

• decode-entities – This option is used to decode entities, such as &lt; &#xx; &#ddd; &xXX; from an internal URL.

• decode-escaped-chars – This option is used to decode escaped characters such as \r \n \" \xXX \u00YY from an internal URL.

• decode-hex-chars – This option is used to decode hexadecimal chars such as \%xx and \%u00yy in an internal URL.

• remove-comments – This option is used to remove comments from an internal URL.

• remove-selfref – This option is used to remove self-references such as /./ and /path/../ from an internal URL.

• remove-spaces – This option is used to remove spaces from an internal URL.
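The six url-options listed above (in the URL Options section and again as CLI keywords), implemented in Python as an added example, not ACOS code. ACOS's actual decoding order is not documented here, so this applies the enabled decoders repeatedly until the string stops changing, which is what defeats the recursive encoding mentioned earlier; the comment syntax handled (C-style /* ... */) and the climbs_above_root() traversal check are assumptions of this example.

```python
import html
import re
from typing import Iterable
from urllib.parse import unquote

ALL_OPTIONS = frozenset({
    "decode-entities", "decode-escaped-chars", "decode-hex-chars",
    "remove-comments", "remove-selfref", "remove-spaces",
})

_SIMPLE_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", '"': '"', "\\": "\\"}
# \r \n \t \" \\ \xXX \u00YY
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[rnt"\\])')
_PERCENT_U_RE = re.compile(r'%u([0-9A-Fa-f]{4})')          # non-standard %uXXXX
_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)               # assumption: C-style comments


def decode_escaped_chars(s: str) -> str:
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if tok[0] in "xu" else _SIMPLE_ESCAPES[tok]
    return _ESCAPE_RE.sub(repl, s)


def decode_hex_chars(s: str) -> str:
    s = _PERCENT_U_RE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)                                      # %xx


def decode(path: str, options: Iterable[str] = ALL_OPTIONS, max_rounds: int = 5) -> str:
    """Run the enabled decoders until a full pass changes nothing (bounded)."""
    options = set(options)
    decoders = []
    if "decode-entities" in options:
        decoders.append(html.unescape)                     # &lt; &#60; &#x3c; ...
    if "decode-escaped-chars" in options:
        decoders.append(decode_escaped_chars)
    if "decode-hex-chars" in options:
        decoders.append(decode_hex_chars)
    for _ in range(max_rounds):
        before = path
        for fn in decoders:
            path = fn(path)
        if path == before:
            break
    return path


def climbs_above_root(path: str) -> bool:
    """True when a decoded path tries to ascend past '/' (directory traversal attempt)."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False


def remove_selfref(path: str) -> str:
    """Collapse /./ and /seg/../ in an absolute path; climbs above the root are clamped."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def normalize_url(path: str, options: Iterable[str] = ALL_OPTIONS) -> str:
    """Apply the enabled url-options to a request path and return the canonical form."""
    options = set(options)
    path = decode(path, options)
    if "remove-comments" in options:
        path = _COMMENT_RE.sub("", path)
    if "remove-spaces" in options:
        path = re.sub(r"\s+", "", path)
    if "remove-selfref" in options:
        path = remove_selfref(path)
    return path
```

Running the traversal check on decode() output, before remove_selfref() clamps the path, is what lets a WAF rule see the attempt rather than the harmless path it collapses to.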

Increased Maximum Parameters in WAF Template

When configuring WAF templates in previous releases, the maximum number of HTML parameters allowed in requests was 64. This has been extended to allow 1024 as the maximum configurable value.

Web Application Firewall Enhancements

ACOS 2.7.2-P1 includes the following Web Application Firewall (WAF) enhancements:

• XML format check – Scrubs requests that contain eXtensible Markup Language (XML) code for anomalies.


• SOAP format check – Scrubs requests that use Simple Object Access Protocol (SOAP) format for SOAP-related anomalies. While SOAP is based on XML, SOAP checking can be enabled independently of XML checking.

SOAP format checking is disabled by default. Some XML checks have default values. XML and SOAP checking can be configured in WAF templates. (More information to be provided in a subsequent edition of the documentation.)

System Level Enhancements

This section describes the system level enhancements.

• SSL/TLS MITM Vulnerability (CVE-2014-0224)

• New SNMP Trap OID for Disabled Real Servers

• SNMP Community Encryption

SSL/TLS MITM Vulnerability (CVE-2014-0224)

This patch addresses the SSL/TLS MITM vulnerability (CVE-2014-0224).

New SNMP Trap OID for Disabled Real Servers

ACOS release 2.7.2-P2 adds the following new SNMP Object: axServerDisabled. This notifies you when an SLB server is disabled. The OID for this object is 1.3.6.1.4.1.22610.2.4.3.12.2.2.29.

SNMP Community Encryption

The default behavior of the SNMP community string has been changed with ACOS release 2.7.2-P2. In previous releases, the string was readable in the “show running-config” command. Now, the string is encrypted and is no longer readable.

NMS/CLI/GUI Enhancements

This section describes the NMS/GUI enhancements.

• Configurable SSH Login Grace Period

• vrrp_a.partition_stats Module

• Increase CLI Login Banner Character Limit (2048)

Configurable SSH Login Grace Period

ACOS 2.7.2-P2 enhances security by adding a configurable grace period for SSH login attempts. ACOS devices offer a CLI management interface that uses either Telnet or Secure Shell (SSH) version 2 to establish a connection. The SSH login grace time is the period of time after a user connects to the ACOS device, but before he or she has been authenticated. With this latest enhancement, you can now configure an SSH login grace period of your choice, giving CLI users from one second to ten minutes to get authenticated.


Configuring a shorter grace period reduces the chance that a malicious user could successfully execute a brute force attack against the SSH server. Such an attack could compromise the device, allowing miscreants to gain root access, install malware, or perhaps even remove the ACOS device from service.

However, the grace period should be set to give users a reasonable amount of time to enter a password, become authenticated, and to establish a secure connection before the ACOS device terminates the connection.

Prior releases did not have a grace period for SSH connection requests, and this meant that hackers had an unlimited amount of time to throw thousands of username/password combinations at the ACOS device to try to guess the password.

Details:

• This configurable login grace period only applies to SSH connections and does not apply to Telnet.

• The feature is enabled by default, with a default login grace period of 120 seconds.

• You can enter a time ranging from 0–600 seconds (10 minutes).

• Entering 0 disables the grace period, and is not recommended because it makes the ACOS device less secure.

Using the GUI

The current release does not support configuration of a grace period for SSH sessions using the GUI.

Using the CLI

You can configure the grace period for SSH sessions using the following CLI command at the global configuration level:

[no] terminal ssh-grace-time seconds

The option specifies the number of seconds a user has to establish an SSH session. If no SSH password is entered within the designated period, then the session times out and is terminated. The default value is 120 seconds, but you can configure a range from 0–600 seconds. Enter 0 to disable the SSH grace period (meaning there is no time limit to enter the SSH password). Keep in mind that using this command will terminate all CLI sessions, and you will have to log in again.

Limitations

• The configurable SSH login grace time feature is not supported in L3V partitions.

• If ACOS is configured to use the management port for control applications, as in the following commands, all management applications (including SSH) are forced to use the management port:

interface management
  ip address 13.13.13.1 /24
  ip control-apps-use-mgmt-port

After you configure the SSH login grace period with the “terminal ssh-grace-time” command and the SSH service restarts, an SSH connection from the ACOS device to itself cannot use localhost or "::"; it must use the configured management port IP address. For example, instead of:

ACOS#ssh localhost admin

In the above example, this would be changed to the following:

ACOS#ssh 13.13.13.1 admin


NOTE: If the data interface is configured to act as a management service port, and if the ip control-apps-use-mgmt-port option is also enabled, then the data interface management service will not work.

vrrp_a.partition_stats Module

This module provides VRRP-A information for a private partition.

Object

Some methods in this module use the following object(s). Where applicable, the description for a method element that contains a data object refers to the corresponding table in this section.


partition_stats

Name               Type     Required  Description
local_device_id    Integer  NO        Local device ID. Scope: 1 - 8. Default: 0.
partition          Link     NO        “partition” has sub elements; see the Array of partition table.

Array of partition

Capacity:

Name               Type     Required  Description
partition_name     String   NO        Show partition name. Length: 1 - 14. Default: (Empty string).
vrid               Integer  NO        Virtual router ID (VRID). 0: Default VRID. Scope: 0 - 31. Default: 0.
active_device_id   Integer  NO        Device ID that is active for the VRID. 0: No active device. Scope: 0 - 8. Default: 0.
active_priority    Integer  NO        Current VRRP-A priority of this VRID. Scope: 1 - 255. Default: 0.
active_weight      Integer  NO        First level priority for this VRID. Scope: 0 - 65534. Default: 0.
standby_device_id  Integer  NO        Device ID that is active for the standby VRID. 0: No standby device. Scope: 0 - 8. Default: 0.
standby_priority   Integer  NO        Standby VRRP-A priority for this VRID. Scope: 1 - 255. Default: 0.
standby_weight     Integer  NO        First level priority for this standby VRID. Default: 0.

Method

vrrp_a.partition_stats.getAllActive

This section describes vrrp_a.partition_stats.getAllActive in detail.

Request URL: http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&format=json&method=vrrp_a.partition_stats.getAllActive

Input/output object:

Input: none

Output: partition_stats list

Example

CLI configuration: "show vrrp-a all-partitions active"

Request URL: http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&format=json&method=vrrp_a.partition_stats.getAllActive

HTTP Post body: (None)


HTTP Response body:

{"partition_stats": {
    "local_device_id": 7,
    "partition_list": [{
        "partition_name": "l3v",
        "vrid": 23,
        "active_device_id": 6,
        "active_priority": 15,
        "active_weight": 103,
        "standby_device_id": 0,
        "standby_priority": 32,
        "standby_weight": 418
    },{
        "partition_name": "share",
        "vrid": 2,
        "active_device_id": 3,
        "active_priority": 40,
        "active_weight": 98,
        "standby_device_id": 0,
        "standby_priority": 18,
        "standby_weight": 12
    }]
}}

Corresponding GUI Page: None

Increase CLI Login Banner Character Limit (2048)

The CLI displays a banner message when you log onto the CLI. By default, the banner displayed is the “Welcome to ACOS” line in the following login sequence:

login as: admin
Welcome to ACOS
Using keyboard-interactive authentication.
Password:

The banner text can be formatted as a single line or as multiple lines. In ACOS 2.7.2-P2, the banner character limit is increased from 1024 characters to 2048 characters. This allows you to display longer disclosure notices, system use agreements, warnings, or messages as necessary before the user logs into the system. This banner character limit increase also applies to the CLI Exec banner.

For longer banners that span multiple lines, you must specify the end marker that indicates the end of the last line. The end marker is a simple string up to 2 characters long, each of which must be an ASCII character from the range 0x21-0x7e. The end marker is not included in the banner. The multi-line banner text starts from the first line and ends at the marker. If the end marker is on a new line by itself, the last line of the banner text will be empty. If you do not want the last line to be empty, put the end marker at the end of the last non-empty line.


NOTE: Carriage returns and line breaks are included as characters within the character count.
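The multi-line banner rules above (1- or 2-character end marker from ASCII 0x21-0x7e, marker excluded from the text, an empty last line when the marker sits on its own line, and a 2048-character limit that counts line breaks) as an added Python example; this is not ACOS code, and banner_command() only builds the CLI line, it does not talk to a device.

```python
from typing import List, Optional

BANNER_MAX_CHARS = 2048


def validate_end_marker(marker: str) -> str:
    """End marker: 1-2 characters, each printable ASCII 0x21-0x7e (so no spaces)."""
    if not 1 <= len(marker) <= 2:
        raise ValueError("end marker must be 1 or 2 characters long")
    if any(not 0x21 <= ord(ch) <= 0x7E for ch in marker):
        raise ValueError("end marker characters must be in the ASCII range 0x21-0x7e")
    return marker


def parse_multiline_banner(typed: str, end_marker: str,
                           limit: int = BANNER_MAX_CHARS) -> List[str]:
    """Return the banner lines from the text typed at the 'Enter text message' prompt.

    Everything before the first occurrence of the marker is the banner; the marker
    itself is excluded. A marker alone on its own line leaves a final empty line.
    Line breaks and carriage returns count toward the character limit.
    """
    validate_end_marker(end_marker)
    idx = typed.find(end_marker)
    if idx < 0:
        raise ValueError("end marker not found in banner text")
    text = typed[:idx]
    if len(text) > limit:                      # newlines / CRs are counted here
        raise ValueError(f"banner is {len(text)} characters; limit is {limit}")
    return [line.rstrip("\r") for line in text.split("\n")]


def banner_command(kind: str, text: str, end_marker: Optional[str] = None) -> str:
    """Build the 'banner {exec | login} ...' command line for a login or exec banner."""
    if kind not in ("login", "exec"):
        raise ValueError("banner kind must be 'login' or 'exec'")
    if end_marker is not None:
        # Multi-line form: the text itself is entered at the prompt that follows.
        return f"banner {kind} multi-line {validate_end_marker(end_marker)}"
    if len(text) > BANNER_MAX_CHARS:
        raise ValueError(f"banner exceeds {BANNER_MAX_CHARS} characters")
    # A single-line banner containing blank spaces must be wrapped in double quotes.
    return f'banner {kind} "{text}"' if " " in text else f"banner {kind} {text}"
```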

Using the GUI to Set the CLI Banners

1. Select Config Mode > System > Settings > Terminal > Banner.

2. To configure a banner:

a. Select the banner type, single-line or multi-line.

b. If you selected multi-line, enter the delimiter value in the End Marker field.

c. Enter the message in the Login Banner or Exec Banner field.

If the message is a multi-line message, press Enter / Return at the end of every line. Do not type the end marker at the end of the message. The GUI automatically places the end marker at the end of the message text in the configuration.

3. If you are configuring both messages, repeat step 2 for the other message.

4. Click OK.

Using the CLI to Set the CLI Banners

To change one or both banners, use the following command:

[no] banner {exec | login} [multi-line end-marker] line

The login option changes the first banner, which is displayed after you enter the admin username. The exec option changes the second banner, which is displayed after you enter the admin password.

To use blank spaces within a single-line banner, enclose the entire banner string with double quotation marks.

CLI Example

The following example shows the configuration of a multi-line login banner. The initial lines indicate a multi-line login banner, with the end marker indicated by “^^” marks.

ACOS(config)#banner login multi-line ^^
Enter text message, end with string ‘^^’.
Access to this system is provided for private use only.
Configuration of this device can freely be used, modified, and shared only within the company.
The configuration of this device is compliant with corporate security standards.
Changes in the configuration should only be made and saved by IT professionals.^^

The next time a user logs onto the CLI, the message above will be displayed as such:

login as: admin
Access to this system is provided for private use only.
Configuration of this device can freely be used, modified, and shared only within the company.
The configuration of this device is compliant with corporate security standards.
Changes in the configuration should only be made and saved by IT professionals.
Password:

A10 Thunder Series and AX Series—ACOS Release Notes


Document No.:272-P7-SP3-REL-001 - 12/22/2015 | page 126

Enhancements in ACOS 2.7.2-P1

This chapter describes the enhancements in ACOS 2.7.2-P1.

• Layer 4-7 Enhancements

• Private Partition Session Limits

• aFleX Enhancements

• Logging for DDoS Attack Detection

• Additional Changes

• Errata (Jumbo Frame Support)

Layer 4-7 Enhancements

This section describes the Layer 4-7 enhancements.

• Support for Dynamically Selected FTP Data Ports

• Inserting HTTP Client Port Numbers in the HTTP Header

• Increasing the Number of HTTP Headers

• Support for HTTP Lines Up to 32 K Long

• HTTP Explicit Proxy

• Stateful Request-ID-based DNS Load Balancing

• Support for the DER Format for CRLs

• Redistributing HTTP Traffic on Mobile Devices by using an ACOS Device

Support for Dynamically Selected FTP Data Ports

In active File Transfer Protocol (FTP) mode, the server typically opens the data connection from its local data port, port 20. Some FTP servers running in active mode instead select the source port for the data connection dynamically (a randomly selected data port). ACOS allows the user to specify the port range from which such a server may initiate the data connection.

You can configure support for dynamically assigned FTP data ports within the FTP template. You can choose to support all valid ports, or you can specify the range of ports the server can choose from to send to the client. Each template only supports one range of data ports.

The template can be bound to any FTP virtual port; it does not need to be the port the FTP server is listening on. When the template is bound to a port, it immediately takes effect. It is not advisable to bind a template to a virtual port when there is live traffic.


Using the GUI

The current release does not support configuration of FTP templates using the GUI.

Using the CLI

To enable support for dynamically assigned FTP data ports, use the following command at the configuration level for the FTP template:

[no] active-mode-port {any | portnum [to portnum]}

To allow active data connections to any available port number (1-65534), use the any option. To allow only a specific range instead, specify it as follows: starting-portnum to ending-portnum.

CLI Example

The following command enables use of protocol ports 1024-2024 for active data connections to load balanced FTP servers:

ACOS(config-ftp template)#active-mode-port 1024 to 2024

The following command enables use of protocol-ports 1-65534 for active data connections to load balanced FTP servers:

ACOS(config-ftp template)#active-mode-port any

Inserting HTTP Client Port Numbers in the HTTP Header

Starting in this release, when an ACOS device forwards an HTTP packet to the server, you can add the client port number to the HTTP header by adding the following command in an HTTP template and binding the template to the HTTP virtual port:

insert-client-port [http-header-name] [replace]

The replace option allows you to replace the content of an existing header that matches the configured name with the client’s port number. If no header name is specified, X-ClientPort is used as the default header name.

If the replace option is not specified, and there is a header that matches the configured name, the client’s port number is added to the end of the specified header.

CLI example

The following example configures the HTTP template:

ACOS(config)#slb template http insertclientport

ACOS(config-HTTP template)#insert-client-port MY_HEADER_NAME

ACOS(config-HTTP template)#exit

The following example binds the HTTP template to virtual port 80:

ACOS(config)#slb virtual-server vs1 1.1.1.1

ACOS(config-slb virtual server)#port 80 http

ACOS(config-slb virtual server-slb virtua...)#template http insertclientport


Increasing the Number of HTTP Headers

Starting in 2.7.2-P1, the number of HTTP headers that ACOS can process can be increased up to 256 by entering the slb max-http-header-count command.

The default value is 90, and a value between 90 and 256 can be entered.

CLI Example

ACOS(config)#show version | include ACOS

64-bit Advanced Core OS (ACOS) version 2.7.2-P1, build 58 (May-05-2014,23:37)

ACOS(config)#slb max-http-header-count ?

<90-255> Maximum number of HTTP headers. Default is 90

ACOS(config)#slb max-http-header-count 255

Support for HTTP Lines Up to 32 K Long

HTTP header lengths are dependent on the information included in the header. In the previous releases, ACOS only supported up to 16 kilobytes for the header, inclusive of the header name, but excluding the trailing carriage return line feed.

Strictly for HTTP virtual ports, ACOS now supports double the header size. ACOS load balancing accepts HTTP headers up to 32 kilobytes. Any header field or value, such as cookie or accept-encoding, can be longer. No additional configuration is needed.

HTTP Explicit Proxy

You can use the ACOS device as an explicit HTTP proxy to control client access to hosts based on lists of allowed traffic sources (clients) and destinations (hosts).

When this feature is enabled, an HTTP virtual port on the ACOS device intercepts HTTP requests from clients, validates both the sources and the destinations, and forwards only those requests that come from valid sources and that are sent to permitted destinations. Destinations are validated based on URL or hostname strings. For approved destinations, DNS is used to obtain the IP addresses.

The destinations requested by clients can be filtered based on the URL of the request or the hostname in the Host header of the request.

• If both the source and destination are allowed, ACOS translates the client address into a NAT address, if applicable, and forwards the request to the destination.

• If the source or destination is not explicitly allowed by the applicable source or destination list, the request is dropped.

Source NAT

For clients that require Network Address Translation (NAT), you also can use a list to assign the clients to an IP address pool.


Fail-back Service Group

Optionally, you can assign an SLB service group to use to locally serve requests that are permitted but that cannot be sent to their destinations because ACOS cannot resolve the destination IP address using DNS.

Configuration Resources

To provide precise control, class lists and a policy template are used to define the sources, destinations, and actions for matching traffic. Table 5 describes these resources and how they are related. For further clarification, see the configuration examples.

TABLE 5 Configuration Resources for Explicit HTTP Proxy

Resource: Policy template
Purpose: Applies actions to client-to-server traffic based on source and destination
Description: Set of rules that define the permitted traffic sources and destinations, and the actions to apply to the permitted traffic. For the explicit HTTP proxy feature, the following actions are applicable:

• forward-to-internet – ACOS forwards the client’s request to the destination.

• class-list-group – Refers to a class-list group (defined below).

Resource: Class-list group
Purpose: Specifies permitted traffic destinations
Description: Set of rules that match on the destination URL or host name of the client’s request. Each entry in the list matches on all or part of the destination URL or host name. The following comparison options are supported:

• equals string – Matches only if the URL or hostname completely matches a string in the specified class list.

• starts-with string – Matches only if the URL or hostname starts with a string in the specified class list.

• contains string – Matches if the URL or hostname contains any string in the specified class list.

• ends-with string – Matches only if the URL or hostname ends with a string in the specified class list.

Resource: IPv4/IPv6 class list
Purpose: Specifies permitted traffic sources
Description: Matches on the inside sources (clients) that are allowed to access the allowed destinations. Each entry in the class list maps to a Limit ID (LID) in the policy template. The LID in the policy template applies the forward-to-internet action to matching traffic.

Resource: String class list
Purpose: Specifies permitted destinations
Description: Specifies the URL or hostname strings that clients are allowed to access. The rules in the class-list group compare the URLs or host names of client requests against the strings in this class list. Each entry in the class list maps to a LID. You can specify the LID or leave it unspecified. If you leave the LID unspecified, the LID referred to by the class-list group entry is used.

Resource: HTTP-proxy port
Purpose: Intercepts HTTP requests from clients
Description: Virtual port that receives HTTP requests from traffic sources. This configuration resource consists of a real server configuration (although the server itself is not real), a service group, a virtual server, and an HTTP virtual port.

Note: A dummy (fake) real server and service-group configuration are required, for the feature to operate and to provide statistics for permitted traffic (whose LID action is forward-to-internet).

Optionally, you also can add a fail-back service group, which is a group of actual servers used for requests that ACOS is unable to forward to their destinations (described below).

Fail-back Service Group

The following resources are required only if you plan to locally serve approved requests that cannot be sent to their destinations. For example, if ACOS is unable to obtain the IP address of a destination, then ACOS sends the request to the SLB service group instead.

Resource: Real server(s) and service group
Purpose: Locally serves content if destination cannot be reached
Description (this row and the next): Standard SLB configuration with real servers, service group, and virtual server.

Resource: VIP with HTTP port
Purpose: Receives requests to be locally served

NAT Resources

The following resources are required only if sources (clients) require source NAT.

Resource: IPv4/IPv6 class list
Purpose: Specifies source NAT clients
Description: Matches on the sources for which to provide source NAT. Each entry in the class list maps to a GLID, which maps to the pool of outside addresses to assign to inside clients.

Resource: GLID
Purpose: Maps to a source NAT pool
Description: Assigns traffic to a NAT pool.

Resource: NAT pool
Purpose: Assigns outside addresses to inside clients
Description: Range of public (externally routable) IP addresses to assign to clients before forwarding the client traffic to the Internet.

Basic network resources, including network interface connections to the sources and destinations, and a DNS server, also are required.

Logging

HTTP requests handled by this feature can be logged based on the outcome of the request:

• Permitted

• Denied (dropped)

• DNS failure or SNAT failure

Message Examples

Here are some examples of log messages for the explicit HTTP-proxy feature. Each of them shows information about an HTTP request intercepted by the HTTP virtual port.

The following requests all come from source (client) 10.50.12.184. The client’s IP address is translated into NAT address 192.168.231.1. ACOS replaces the source IP address of the requests with this NAT address before forwarding them to the destinations.

The destination host of the first 3 requests (“news”) is permitted by the HTTP-proxy configuration, so these requests are forwarded to the Internet.

Apr 30 2014 03:43:04 Info [ACOS]:Proxy Request[internet(clg-match-hosts seq#1)]:tools.google.com url http://tools.news.com/service/update2w=6:gUEcnBFiC0prVIbXwL4HJEN5pEHLlalv2yUP-9HChgr2Ah2-DKEbPQKS7fAoobIcs24DQNflENgtGtw-KDyn9_JsALDeMp2XwH-Lf7LYMerSMpugc8zWc_BP2xHz9AgTGiAlkXYacDXg08mXjGPkZxLc0rIAcdyRZyzF78yyuJyJ7BaoF35cttx5RnQtFZJa6oDaWhSgyjNJy-lKWVnoO4U0rRsYo2Du3QAj_3zKroXhgRH5ozrjwsUqzLvdqKQ1OZm12fGwqhqonkTb9_YK4LcZo9f1BllwfmWcLmYr1JFm2SXzVADKYqULIob5mZqpYZfhZCZs6vjfmwPvqmlA from 10.50.12.184:1352, snat 192.168.231.1:2052 to 74.125.224.35:80

Apr 30 2014 03:42:51 Info [ACOS]:Proxy Request[internet(clg-match-hosts seq#1)]:tools.google.com url http://tools.news.com/service/update2?cup2key=4:1526539233&cup2hreq=7c7d69dc833d43a84c589c1ce93620a52c792a625cf67e2bbd6672b4ea1a3ae0 from 10.50.12.184:1351, snat 192.168.231.1:2056 to 74.125.224.35:9185

Apr 30 2014 01:17:03 Info [ACOS]:Proxy Request[internet(clg-match-hosts seq#1)]:google.com url http://news.com/ from 10.50.12.184:1316, snat 192.168.231.1:2051 to 74.125.224.238:80

The following request is dropped instead of being forwarded, because the destination URL did not match any of the HTTP-proxy rules:

Apr 30 2014 01:16:49 Info [ACOS]:Proxy Request[drop(no match)]:sa.windows.com url http://sa.windows.com/sasearch/inetsrch.xml from 10.50.12.184:1314, snat 0.0.0.0:0 to 0.0.0.0:0

Log Message Format

Log messages for the explicit HTTP-proxy feature show the following fields:

timestamp severity module:feature [action(filter)]:host url url_text from source_ip:source_port snat snat_ip:snat_port to destination_ip:destination_port

These fields provide the following information:

• timestamp – System time on the ACOS device when the message was generated.

• severity – Message severity level.

• module:feature – System module and feature.

• action – Action performed on the request: internet (forward to Internet), or drop.


• filter – Class-list group name and sequence (rule) number within that group that matched the request.

• host – Destination host or domain name of the request.

• url url_text – URL of the request.

• from source_ip:source_port – Source IP address and protocol port of the request.

• snat snat_ip:snat_port – If source NAT was provided, the NAT IP address and protocol port that ACOS assigned to the source before forwarding the request. (If no source NAT was provided, this field shows “snat 0.0.0.0:0 to 0.0.0.0:0”.)

• to destination_ip:destination_port – Destination IP address and protocol port of the request.
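The following Python script parses messages in this format and summarizes them by action and by source. It is an added example, not part of the A10 release notes or of the ACOS software. It runs over the two short messages from “Message Examples” above plus one constructed non-proxy line (which the parser must skip), and it assumes IPv4 addresses and the “Mon DD YYYY HH:MM:SS” timestamp layout seen in those samples.

```python
import re
from collections import Counter

# Regular expression for the explicit HTTP-proxy log format documented above:
#   timestamp severity [module]:feature[action(filter)]:host url url_text
#   from source_ip:source_port snat snat_ip:snat_port to destination_ip:destination_port
# Assumes IPv4 addresses and the timestamp layout of the sample messages.
PROXY_LOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<severity>\S+) "
    r"\[(?P<module>[^\]]+)\]:(?P<feature>[^\[]+)"
    r"\[(?P<action>[^(\]]+)\((?P<filter>[^)]*)\)\]:"
    r"(?P<host>\S+) url (?P<url>\S+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+), "
    r"snat (?P<snat_ip>[\d.]+):(?P<snat_port>\d+) "
    r"to (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

# First two lines are the short messages from "Message Examples" above;
# the third is a constructed non-proxy line that the parser must ignore.
SAMPLE_LOG = [
    "Apr 30 2014 01:17:03 Info [ACOS]:Proxy Request[internet(clg-match-hosts seq#1)]:google.com "
    "url http://news.com/ from 10.50.12.184:1316, snat 192.168.231.1:2051 to 74.125.224.238:80",
    "Apr 30 2014 01:16:49 Info [ACOS]:Proxy Request[drop(no match)]:sa.windows.com "
    "url http://sa.windows.com/sasearch/inetsrch.xml from 10.50.12.184:1314, snat 0.0.0.0:0 to 0.0.0.0:0",
    "Apr 30 2014 01:16:50 Notice [ACOS]:some other message",
]


def parse_proxy_log(line):
    """Return the fields of one proxy log line as a dict, or None if the line is not one."""
    m = PROXY_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "snat_port", "dst_port"):
        rec[key] = int(rec[key])
    # ACOS writes "snat 0.0.0.0:0 to 0.0.0.0:0" when no source NAT was applied
    # (as in the dropped request above), so flag whether NAT actually happened.
    rec["snat_applied"] = rec["snat_ip"] != "0.0.0.0" or rec["snat_port"] != 0
    return rec


def summarize(lines):
    """Count forwarded vs dropped requests and dropped requests per source client.

    A client with many drops is either misconfigured or probing the allow list;
    either way it is the first thing to look at when reviewing these logs."""
    actions = Counter()
    drops_by_source = Counter()
    for line in lines:
        rec = parse_proxy_log(line)
        if rec is None:
            continue
        actions[rec["action"]] += 1
        if rec["action"] == "drop":
            drops_by_source[rec["src_ip"]] += 1
    return {"actions": dict(actions), "drops_by_source": dict(drops_by_source)}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_proxy_log(line))
    print(summarize(SAMPLE_LOG))
```

The parser keys on the documented field order rather than on free-form splitting, so a URL containing spaces-free but otherwise arbitrary characters (as in the long first sample message) still lands in the url field.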

Configuration

To configure explicit HTTP-proxy:

1. Configure Ethernet data interfaces connected to the sources and destinations.

2. Specify the DNS server to use for resolving destination IP addresses.

3. Create the class lists:

• Destinations – String class list that contains the URL or hostname strings for destinations that clients are allowed to access.

• Sources – IPv4 or IPv6 class list that specifies the client hosts or subnets that are allowed to access the destinations.

• NAT clients (if applicable) – IPv4 or IPv6 class list that matches on the inside host or subnet addresses that will need to be NATted.

4. Create a class-list group that matches on the URLs or host names of client requests.

5. If using source NAT, configure the pool and the GLID that refers to it.

6. Create a dummy real server and add it to a service group.

7. If you plan to use a fail-back service group, create the server configurations and service group.

8. Create a policy template.

9. Configure an HTTP virtual port, and bind the following resources to it:

• Policy template

• Class list of NAT clients

• Service group

NOTE: A dummy (fake) real server and service-group configuration are required, for the feature to operate and to provide statistics for permitted traffic (whose LID action is forward-to-internet).

Displaying HTTP Explicit Proxy Statistics

To display statistics for HTTP explicit proxy, use the following command:


show slb http-proxy

The statistics are shown in the following fields:

• DNS unresolved

• Policy dropped

Displaying or Clearing Learned Cache Entries

To display learned DNS cache entries, use the following command:

show dns-cache

To clear learned cache entries, use the following command:

clear dns-cache

CLI Example – Matches on all Destinations

This simple example uses a single source list and a single destination list, and applies a very liberal access policy. An individual source host is allowed to access destination hosts of any name. The source host requires a NAT address for accessing the destination hosts. While your security needs may be more stringent, this example does illustrate how the feature is configured.

Ethernet Interfaces and DNS

To begin, the following commands configure the interfaces connected to the clients and hosts:

interface ethernet 1

ip address 192.168.52.10 255.255.255.0

!

interface ethernet 2

ip address 203.0.113.1 255.255.255.0

!

The following command specifies the DNS server:

ip dns primary 192.168.52.90

!

Destination List

The following commands configure the string class list to use for matching on destinations. This class list will match on alphabetic strings that contain any of the 26 letters of the English alphabet. All matches are mapped to LID 1, which will be configured in the policy template.

class-list cl-allowed-destinations string

str a lid 1

str b lid 1

str c lid 1


str d lid 1

str e lid 1

str f lid 1

str g lid 1

str h lid 1

str i lid 1

str j lid 1

str k lid 1

str l lid 1

str m lid 1

str n lid 1

str o lid 1

str p lid 1

str q lid 1

str r lid 1

str s lid 1

str t lid 1

str u lid 1

str v lid 1

str w lid 1

str x lid 1

str y lid 1

str z lid 1

!

The following commands configure the class-list group, which contains the rules for matching on destinations. This class-list group contains a single rule that matches on host names that contain any string in the string class list. In this example, any host name that contains at least one English letter will match.

class-list-group clg-match-hosts

sequence-number 1 HOST contains cl-allowed-destinations lid 1

!

Source List

The following commands configure the class list that defines the traffic sources (inside clients). In this example, the source is a single host. The host is mapped to LID 2 in the policy template.

class-list cl-allowed-sources ipv4

203.0.113.118 /32 lid 2

!

Source NAT

The following commands configure the sources that will require source NAT. Generally, this is the same set of IP addresses as the allowed sources.

class-list cl-natted-sources ipv4


203.0.113.118 /32 glid 1

!

The following commands configure the NAT pool and the GLID that refers to it. The source IP address in each request packet from the client will be translated into an address from this pool, before the request is forwarded to the Internet to reach the destination host.

ip nat pool snat 192.168.83.74 192.168.83.74 netmask /32

!

glid 1

use-nat-pool snat

!

Dummy Real Server and Service Group

The following commands configure the dummy (fake) real server configuration and add it to a TCP service group. TCP ports for HTTP (80) and HTTPS/SSL (443) are added. The HTTP-proxy virtual port to which the service group is bound will intercept client requests sent to destination ports 80 and 443.

slb server rs-fake 203.0.113.86

port 80 tcp

port 443 tcp

!

slb service-group sg-fake tcp

member rs-fake:80

member rs-fake:443

!

Policy Template

The following commands configure the policy template. The class-list name command refers to the class list that defines the traffic sources. The class-list lid commands define the LIDs. LID 1 applies the forward-to-internet action and logs related events. LID 2, to which the allowed source is mapped, uses the class-list-group action to refer matching traffic to the class-list group that defines the allowed destinations.

slb template policy explicit-proxy-policy

class-list name cl-allowed-sources

class-list lid 1

action forward-to-internet sg-fake log

class-list lid 2

class-list-group clg-match-hosts

!

HTTP-proxy Virtual Port

The following commands configure the HTTP-proxy port that will intercept HTTP requests from inside clients.

slb virtual-server vip3 192.168.83.77

port 8080 http

source-nat class-list cl-natted-sources


service-group sg-fake

template policy explicit-proxy-policy

!

CLI Example – Fail-back Service Group

The following commands supplement the configuration above, by providing a local group of servers as a backup for serving requests if ACOS cannot reach the destination. Generally, the fail-back group is used if ACOS cannot resolve the destination IP address of the destination host. In this example, a single server is used in the fail-back group. Multiple servers are supported. This is a standard SLB service group.

slb server real-srvr1 203.0.113.69

port 80 tcp

port 443 tcp

!

slb service-group sg-real-for-failback tcp

member real-srvr1:80

member real-srvr1:443

!

In addition to the server configurations and service group, use of a fail-back service group requires the fail-back option to be included in the LID configured in the policy template. Here is the policy template shown above, with this addition:

slb template policy explicit-proxy-policy

class-list name cl-allowed-sources

class-list lid 1

action forward-to-internet sg-fake fail-back sg-real-for-failback log

class-list lid 2

class-list-group clg-match-hosts

!

NOTE: Unlike the fake server configuration required for the HTTP-proxy virtual port, the fail-back server must be an actual server.

CLI Example – Default LID Use for Destinations

The following string class list contains some entries that do not specify a LID. These entries instead will use the LID in the class-list group entry that refers to the string class list. In this example, HTTP requests to hostnames that contain the string “example1” are mapped to LID 5 in the policy template. However, hostnames that match strings “example2” or “example3” are instead mapped to the LID used by the class-list group, LID 1. The action is the same in both LIDs (forward-to-internet), but logging is enabled only in LID 5, so applies only to traffic proxied to hosts that include “example1” in the name.

class-list cl-allowed-destinations string

str example1 lid 5 <--mapped to LID 5 in policy template (logging enabled)

str example2 <--mapped to LID 1 in policy template (logging disabled)

str example3 <--mapped to LID 1 in policy template (logging disabled)

!

class-list cl-allowed-sources ipv4


10.50.12.0 /24 lid 2

!

class-list-group clg-match-hosts

sequence-number 1 HOST contains cl-allowed-destinations lid 1

!

slb server rs-fake 203.0.113.86

port 80 tcp

port 443 tcp

!

slb service-group sg-fake tcp

member rs-fake:80

member rs-fake:443

!

slb template policy explicit-proxy-policy

class-list name cl-allowed-sources

class-list lid 1

action forward-to-internet sg-fake

class-list lid 2

class-list-group clg-match-hosts

class-list lid 5

action forward-to-internet sg-fake log

!

slb virtual-server vip3 192.168.83.77

port 8080 http

template policy explicit-proxy-policy

service-group sg-fake

!

CLI Example – Multiple Destination Lists

This example uses multiple destination lists and multiple NAT lists. The lists are used to allow access to different sets of destinations based on source, and also to select a NAT pool based on source.

• Sources in subnet 10.50.12.x/24 are allowed to access only the following destination hosts: news, images, webmail. These sources are mapped to NAT address 192.168.83.72.

• Sources in subnet 10.50.13.x/24 are allowed to access only the following destination hosts: jobface, saleshelper. These sources are mapped to NAT address 192.168.83.73.

Source List

The following commands configure the source list.

class-list cl-allowed-sources ipv4

10.50.12.0 /24 lid 2

10.50.13.0 /24 lid 3

!


Destination Lists

The following commands configure the destination lists.

class-list dst-host string

str news lid 1

str images lid 1

str webmail lid 1

!

class-list dst-host-2 string

str jobface lid 1

str saleshelper lid 1

!

The following commands configure the class-list groups.

class-list-group dst-1

sequence-number 1 HOST contains dst-host lid 1

!

class-list-group dst-2

sequence-number 1 HOST contains dst-host-2 lid 1

!

Source NAT

The following commands configure the source lists that identify NAT clients. Each set of clients is mapped to a separate GLID, and each GLID is mapped to a separate pool.

class-list cl-natted-sources ipv4

10.50.12.0 /24 glid 1

10.50.13.0 /24 glid 2

!

The following commands configure the NAT pools and the GLIDs that refer to them. Sources in the 10.50.12.x/24 subnet are mapped to the address in pool snat-12. Sources in the 10.50.13.x/24 subnet are mapped to the address in pool snat-13.

ip nat pool snat-12 192.168.83.72 192.168.83.72 netmask /32

!

glid 1

use-nat-pool snat-12

!

ip nat pool snat-13 192.168.83.73 192.168.83.73 netmask /32

!

glid 2

use-nat-pool snat-13

!


Dummy Real Server and Service Group

The following commands configure the dummy (fake) real server configuration and add it to a TCP service group.

slb server rs-fake 203.0.113.86

port 80 tcp

port 443 tcp

!

slb service-group sg-fake tcp

member rs-fake:80

member rs-fake:443

!

Policy Template

The following commands configure the policy template. LID 1 is the LID used by the class-list groups, and has the forward-to-internet action. LID 2 (sources in 10.50.12.0/24) refers matching traffic to class-list group dst-1, so those sources can reach only the destinations in the dst-host list. LID 3 (sources in 10.50.13.0/24) refers matching traffic to class-list group dst-2, so those sources can reach only the destinations in the dst-host-2 list.

slb template policy http-proxy

class-list name cl-allowed-sources

class-list lid 1

action forward-to-internet sg-fake log

class-list lid 2

class-list-group dst-1

class-list lid 3

class-list-group dst-2

!

HTTP-proxy Virtual Port

The following commands configure the HTTP-proxy port that will intercept HTTP requests from inside clients.

slb virtual-server vip 10.50.12.2

port 8080 http

source-nat class-list cl-natted-sources

service-group sg-fake

template policy http-proxy
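The following Python model is an added example, not A10 code, that evaluates a request the way the class lists, class-list groups and policy template of the preceding CLI examples describe: the source address is looked up in the IPv4 class list to obtain its LID, that LID’s class-list group compares the request’s host name against the string class list, and a matching string entry either carries its own LID or inherits the LID of the group rule (the “Default LID Use” case). The data reflects the “Multiple Destination Lists” configuration above. Longest-prefix precedence for overlapping source entries, case-sensitive string comparison, the drop reason for an unlisted source and the dict layout are assumptions of the model, not documented ACOS behaviour.

```python
import ipaddress

FORWARD = "forward-to-internet"


def match_string(op, host, needle):
    """One class-list-group comparison: equals, starts-with, contains or ends-with.
    Comparison is case-sensitive in this model (an assumption, not documented above)."""
    return {
        "equals": host == needle,
        "starts-with": host.startswith(needle),
        "contains": needle in host,
        "ends-with": host.endswith(needle),
    }[op]


def lookup_source_lid(ip_class_list, src_ip):
    """Match src_ip against [(network, lid), ...] and return the LID of the most
    specific (longest-prefix) entry, or None if nothing matches.
    Longest-prefix precedence is an assumption of this model."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net_str, lid in ip_class_list:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, lid)
    return None if best is None else best[1]


def evaluate(policy, src_ip, host):
    """Decide what the HTTP-proxy port does with a request from src_ip for host.

    The result mirrors the log fields: action is "internet" or "drop", filter is
    "<class-list-group> seq#<n>" or the drop reason, lid is the LID whose action
    applied, and log says whether that LID has logging enabled."""
    src_lid = lookup_source_lid(policy["sources"], src_ip)
    if src_lid is None:
        # Source not in the permitted-sources class list (reason text is the model's own).
        return {"action": "drop", "filter": "source not permitted", "lid": None, "log": False}
    group_name = policy["lids"].get(src_lid, {}).get("class-list-group")
    for seq, op, list_name, rule_lid in sorted(policy["groups"].get(group_name, [])):
        for needle, entry_lid in policy["string_lists"][list_name]:
            if not match_string(op, host, needle):
                continue
            # A string entry without its own LID inherits the LID of the group rule.
            lid = entry_lid if entry_lid is not None else rule_lid
            act = policy["lids"].get(lid, {})
            if act.get("action") == FORWARD:
                return {"action": "internet", "filter": f"{group_name} seq#{seq}",
                        "lid": lid, "log": act["log"]}
    # No destination rule matched: ACOS drops the request, logged as drop(no match).
    return {"action": "drop", "filter": "no match", "lid": None, "log": False}


def build_example_policy():
    """The "Multiple Destination Lists" configuration above, expressed as data for this model."""
    return {
        # IPv4 class list cl-allowed-sources: network -> LID in the policy template
        "sources": [("10.50.12.0/24", 2), ("10.50.13.0/24", 3)],
        # string class lists: (string, lid) with lid None meaning "use the group rule's LID"
        "string_lists": {
            "dst-host": [("news", 1), ("images", 1), ("webmail", 1)],
            "dst-host-2": [("jobface", 1), ("saleshelper", 1)],
        },
        # class-list-group name -> [(sequence-number, comparison, string class list, lid)]
        "groups": {
            "dst-1": [(1, "contains", "dst-host", 1)],
            "dst-2": [(1, "contains", "dst-host-2", 1)],
        },
        # policy template LIDs: forward-to-internet (with log flag) or a class-list-group reference
        "lids": {
            1: {"action": FORWARD, "service_group": "sg-fake", "log": True},
            2: {"class-list-group": "dst-1"},
            3: {"class-list-group": "dst-2"},
        },
    }


if __name__ == "__main__":
    policy = build_example_policy()
    for src, host in [("10.50.12.7", "news.example.net"), ("10.50.12.7", "jobface.example.net"),
                      ("10.50.13.9", "jobface.example.net"), ("10.50.14.1", "news.example.net")]:
        print(src, host, evaluate(policy, src, host))
```

Running the model against the liberal “a” to “z” destination list of the first CLI example shows why that policy permits every host name: a contains rule matches as soon as any entry appears anywhere in the host, so tightening the policy means using equals or ends-with entries against a short list of names rather than substrings.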

Stateful Request-ID-based DNS Load Balancing

ACOS 2.7.2-P1 enhances DNS load balancing, with support for stateful request-ID-based load balancing. Request-ID-based load balancing distributes DNS queries on a request-ID basis. This helps provide even distribution of DNS query traffic behind a DNS proxy.

Without the query-ID-based load balancing option, multiple requests received by a DNS virtual port appear to be from the same source, if the source IP address and Layer 4 port are the same. For example, without query-ID-based load balancing, if ACOS receives multiple requests from a DNS proxy, the requests can appear to be from the same end-user, if they all have the same source IP address and Layer 4 port.

NOTE: This feature applies only to DNS port 53. For other load-balanced DNS virtual ports, requests are load balanced based on the following:

• Source IP address and Layer 4 port

• Destination IP address and Layer 4 port

• Protocol (virtual port type: DNS, DNS-TCP, or DNS-UDP)

This is the same as DNS load balancing without request-ID-based load balancing.

The feature is “stateful” because ACOS session resources are used, and the sessions can be viewed in the session table.
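The following Python model is an added example, not part of ACOS, that shows why the query ID matters for the session key. It builds constructed DNS queries, extracts the 16-bit transaction ID from the DNS header, and keys a toy session table either on the UDP 4-tuple alone or on the tuple plus the query ID, which is the DNS-ID column that show session dns-id-switch displays. The server addresses are those of the CLI example that follows and the resolver tuple 60.60.60.60:12345 is the one in that example’s session output; round-robin server selection, the 4-tuple layout and the session-table structure are assumptions of the model.

```python
import itertools
import struct

# DNS servers of the CLI example that follows (IPv4 service group dnsv4).
DNS_SERVERS = ["70.70.70.71", "70.70.70.72", "70.70.70.73", "70.70.70.74", "70.70.70.75"]


def build_query(query_id, name="www.example.com"):
    """Constructed test input: a minimal DNS query (12-byte header plus one A question)."""
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def dns_query_id(payload):
    """The 16-bit transaction (query) ID is the first two bytes of every DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", payload[:2])[0]


class DnsVirtualPort:
    """Toy model of a UDP/53 virtual port, with or without query-id-switch."""

    def __init__(self, servers, query_id_switch):
        self.query_id_switch = query_id_switch
        self.sessions = {}  # session key -> real server chosen for that session
        # Round-robin selection is an assumption of the model, not documented ACOS behaviour.
        self._next_server = itertools.cycle(servers)

    def session_key(self, src, dst, payload):
        """Without query-id-switch the key is the UDP 4-tuple, so every query from one
        resolver socket collapses into one session. With it, the DNS-ID is added."""
        key = ("udp", src, dst)
        return key + (dns_query_id(payload),) if self.query_id_switch else key

    def forward(self, src, dst, payload):
        """Return the real server the query goes to, creating a session on first sight."""
        key = self.session_key(src, dst, payload)
        if key not in self.sessions:
            self.sessions[key] = next(self._next_server)
        return self.sessions[key]


def distribute(query_id_switch, query_ids, src=("60.60.60.60", 12345), dst=("70.70.70.69", 53)):
    """Send one query per ID from the same resolver socket; list the server each went to."""
    vport = DnsVirtualPort(DNS_SERVERS, query_id_switch)
    return [vport.forward(src, dst, build_query(qid)) for qid in query_ids]


if __name__ == "__main__":
    ids = [15376, 63804, 45116]
    print("without query-id-switch:", distribute(False, ids))
    print("with query-id-switch:   ", distribute(True, ids))
```

A retransmitted query keeps its ID, so with query-id-switch it still hits the server that holds its session, while a fresh query with a new ID from the same source socket gets its own session and, in this model, the next server in rotation.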

Configuration

To configure stateful request-ID-based load balancing:

1. Create a real server configuration for each DNS server.

2. Bind the server configurations to a service group. Use separate service groups for IPv4 and for IPv6.

3. Create a DNS template. Within the template, enable the query-id-switch option. The same template can be bound to both IPv4 and IPv6 VIPs.

4. Create a VIP and bind the service group and template to the VIP. Create separate VIPs for IPv4 and IPv6.

This section shows the syntax for enabling the query-id-switch option. The syntax for the configuring the other options is the same as in previous releases.

NOTE: If a real server will support both IPv4 and IPv6 DNS, create separate real server configurations for IPv4 and for IPv6. Likewise, use separate service groups for the IPv4 servers and for the IPv6 servers. (Shown in “CLI Example” on page 141.)

Enabling the query-id-switch Option

To enable stateful request-ID-based load balancing, use the following command at the configuration level for the DNS template:

query-id-switch

Displaying DNS Sessions and Their Request IDs

To display DNS sessions, including their request IDs, use the following command:

show session dns-id-switch

For each stateful DNS session for a load-balanced DNS request, the DNS-ID field lists the query ID.

To display the total count of DNS queries that were load balanced based on query ID, use the following command:


show slb l4

The count is shown in the following field: DNS query id switch

CLI Example

The following commands configure query-ID-based DNS load balancing. This sample deployment provides load balancing for an IPv4 DNS VIP and an IPv6 DNS VIP:

• VIP “v4dns” - 70.70.70.70

• VIP “v6dns” - 2001:70:70:70::70

Each VIP receives DNS requests on UDP port 53. The requests all come from the same proxying local DNS resolver, but actually are not all from the same end-user.

The following commands add the configurations for the IPv4 DNS servers:

slb server dns1 70.70.70.71

port 53 udp

!

slb server dns2 70.70.70.72

port 53 udp

!

slb server dns3 70.70.70.73

port 53 udp

!

slb server dns4 70.70.70.74

port 53 udp

!

slb server dns5 70.70.70.75

port 53 udp

The following commands add the configurations for the IPv6 DNS servers:

slb server dns1v6 2001:70:70:70::71

port 53 udp

!

slb server dns2v6 2001:70:70:70::72

port 53 udp

!

slb server dns3v6 2001:70:70:70::73

port 53 udp

!

slb server dns4v6 2001:70:70:70::74

port 53 udp

!


slb server dns5v6 2001:70:70:70::75

port 53 udp

The following commands configure the service groups:

slb service-group dnsv4 udp

member dns1:53

member dns2:53

member dns3:53

member dns4:53

member dns5:53

!

slb service-group dnsv6 udp

member dns1v6:53

member dns2v6:53

member dns3v6:53

member dns4v6:53

member dns5v6:53

The following commands configure the DNS template:

slb template dns dns

malformed-query drop

query-id-switch

The query-id-switch command is used to enable stateful query-ID-based load balancing.

The following commands configure the VIPs:

slb virtual-server v4dns 70.70.70.69
   port 53 udp
      service-group dnsv4
      template dns dns
!
slb virtual-server v6dns 2001:70:70:70::69
   port 53 udp
      service-group dnsv6
      template dns dns

After the ACOS device receives some DNS requests and load balances them to the DNS servers, the following command is used to show statistics and session details for stateful query-ID-based DNS load balancing:

ACOS#show session dns-id-switch
Traffic Type                  Total
--------------------------------------------
TCP Established               0
TCP Half Open                 0
UDP                           0
Non TCP/UDP IP sessions       0
Other                         0
Reverse NAT TCP               0
Reverse NAT UDP               0
Curr Free Conn                16719856
Conn Count                    0
Conn Freed                    0
TCP SYN Half Open             0
Conn SMP Alloc                10
Conn SMP Free                 0
Conn SMP Aged                 0
Conn Type 0 Available         33095680
Conn Type 1 Available         16711675
Conn Type 2 Available         8273920
Conn Type 3 Available         4136960
Conn Type 4 Available         2068480
Conn SMP Type 0 Available     33095680
Conn SMP Type 1 Available     16547840
Conn SMP Type 2 Available     8273920
Conn SMP Type 3 Available     4145141
Conn SMP Type 4 Available     2068480

Prot Forward Source     Forward Dest    Reverse Source  Reverse Dest       Age Hash Flags DNS-ID
---------------------------------------------------------------------------------------------------------
Udp  60.60.60.60:12345  70.70.70.68:53  70.70.70.75:53  60.60.60.60:12345  120 18   NFe0  15376
Udp  60.60.60.60:12345  70.70.70.68:53  70.70.70.72:53  60.60.60.60:12345  120 18   NFe0  63804
Udp  60.60.60.60:12345  70.70.70.68:53  70.70.70.75:53  60.60.60.60:12345  120 18   NFe0  45116
Udp  60.60.60.60:12345  70.70.70.68:53  70.70.70.74:53  60.60.60.60:12345  120 18   NFe0  41047
Udp  60.60.60.60:12345  70.70.70.68:53  70.70.70.73:53  60.60.60.60:12345  120 18   NFe0  57688
Udp  60.60.60.60:12345  70.70.70.68:53  70.70.70.72:53  60.60.60.60:12345  120 18   NFe0  48444

The following command shows the total count of DNS requests that were load balanced based on query ID:

ACOS#show slb l4
                                      Total
------------------------------------------------------------------
IP out noroute                        0
TCP out RST                           0
TCP out RST no SYN                    0
...
DNS query id switch                   596597
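The stateful query-ID switch described in this section, modelled in Python as an added example (not ACOS code): the balancer keys each UDP DNS session on the client address, the VIP and the 16-bit query ID from the DNS header (RFC 1035), spreads queries across the five dnsv4 members, and matches each reply back to its own query by ID even though every query leaves the resolver from the same source port. The query and response builders and the round-robin session table are constructed simplifications.

```python
import struct
from dataclasses import dataclass, field
from itertools import cycle

# Members of service group dnsv4 and the v4dns VIP from the configuration above.
DNS_SERVERS = ["70.70.70.71", "70.70.70.72", "70.70.70.73", "70.70.70.74", "70.70.70.75"]
VIP = ("70.70.70.69", 53)


def dns_query_id(datagram: bytes) -> int:
    """Return the 16-bit ID from the DNS header (RFC 1035, section 4.1.1).

    A datagram too short to carry a header is the kind of message
    'malformed-query drop' in the DNS template rejects.
    """
    if len(datagram) < 12:
        raise ValueError("malformed DNS message: header shorter than 12 bytes")
    return struct.unpack("!H", datagram[:2])[0]


def build_query(query_id: int, name: str) -> bytes:
    """Constructed sample: a standard A/IN query for `name` with the given ID."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes) -> bytes:
    """Constructed sample reply: same ID, QR bit set, question section echoed."""
    return struct.pack("!HH", dns_query_id(query), 0x8180) + query[4:]


@dataclass
class QueryIdSwitch:
    """Balancer that keys each UDP DNS session on (client, VIP, query ID).

    Without the query ID in the key, every query from one resolver socket would
    collapse into a single 4-tuple session and replies could reach the wrong query.
    """
    servers: list
    sessions: dict = field(default_factory=dict)

    def __post_init__(self):
        self._rr = cycle(self.servers)

    def forward_query(self, client: tuple, datagram: bytes) -> str:
        """Choose a backend for this query and remember it under the query ID."""
        key = (client, VIP, dns_query_id(datagram))
        if key not in self.sessions:               # a retransmit reuses its session
            self.sessions[key] = next(self._rr)
        return self.sessions[key]

    def forward_response(self, server: str, datagram: bytes) -> tuple:
        """Return the client whose query (by ID and backend) this reply answers."""
        qid = dns_query_id(datagram)
        for key, srv in list(self.sessions.items()):
            if key[2] == qid and srv == server:
                del self.sessions[key]             # the reply closes the session
                return key[0]
        raise LookupError(f"no session for query ID {qid} from {server}")


def demo():
    """One resolver socket, three IDs taken from the 'show session' output above."""
    lb = QueryIdSwitch(DNS_SERVERS)
    resolver = ("60.60.60.60", 12345)
    queries = [build_query(qid, name) for qid, name in
               ((15376, "a.example"), (63804, "b.example"), (45116, "c.example"))]
    chosen = [lb.forward_query(resolver, q) for q in queries]
    # Replies arrive out of order; each is still mapped back by its own query ID.
    routed = [lb.forward_response(chosen[i], build_response(queries[i])) for i in (2, 0, 1)]
    return chosen, routed, len(lb.sessions)


if __name__ == "__main__":
    print(demo())
```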


Support for the DER Format for CRLs

Starting in this release, in addition to the Privacy Enhanced Mail (PEM) format certificate revocation list (CRL), ACOS now supports the Distinguished Encoding Rules (DER) format for CRLs.

Redistributing HTTP Traffic on Mobile Devices by using an ACOS Device

When accessing the Internet from a mobile device, you can now use an ACOS device to filter HTTP traffic instead of using WAP 2.0. When the ACOS device receives an HTTP request, the Host field or the URL is checked against the distributing policy, and the appropriate action is taken.

If there is no match with a policy, the HTTP request is not dropped but is forwarded to the default service group that is bound to the virtual port.

Prerequisites

You must create and configure the following class lists and policies:

Class List

This document is used to match by a domain or a URL.

Examples of a Class List

The following text is an example of matching by domain:

class-list d1 string
   str example1
   str example2
   str example3

The following text is an example of matching by URL:

class-list url1 string
   str http://www.example1.com/index.html
   str http://www.example2.com/index.html
   str http://www.example3.com/index.html
class-list url2 string
   str http://www.a10.com/index.html
   str http://www.example4.com/index.html
   str http://www.example5.com/index.html

NOTE: You can have at least 10,000 entries in the class list.


Class-list Group

This document defines the sequence in which incoming requests are verified and completed. The action on the HTTP request is determined by the sequence.

Class-list group matches are completed by using the following comparison methods:

• Contains

• Equals

• Starts-with

• Ends-with

The clauses are matched with the defined domain or URL class list.

Class-list groups must include the following components:

• Priority

Every policy has a unique priority, and every request must be checked against policies by priority until the first match (or no match) is found. This is the sequence number that is defined in the class-list group.

• Comparing content

The “HOST” or “complete URL” is checked to determine whether there is a match.

• Comparing method

The check for a match looks for terms such as “equals” or “contains” or “starts-with” or “ends-with”.

• List name

The hosts or URLs are defined in this list. At least 10,000 entries should be supported in each list.

NOTE: You can create 8192 sequences per class-list group.

Example of a Class-list Group

The following text is an example of a class-list group (g1):

sequence-number 1 HOST contains d1 lid 1
sequence-number 2 URL equals url1 lid 2
sequence-number 3 URL starts-with url2 lid 3

Policy

NOTE: You can create up to 255 policy templates.

A policy comprises the following components:

• class-list group


One class-list group is bound per policy template. If a sequence inside the class-list group is matched, that sequence number's LID is used to select the action item.

NOTE: The LID inside the class list has precedence over the LID of the class-list group.

If you configure the LID in the class list, this LID is used as the action item. If you do not configure the LID in the class list, the class-list group's LID is used as the action item by default.

Here is an example of the configuration for a class-list group:

class-list d1 string
   str example1 lid 5     (This will go to LID 5 of the policy template)
   str example2           (This will go to LID 1 of the policy template)
   str example3           (This will go to LID 1 of the policy template)
!
class-list-group g1
   sequence-number 1 HOST contains d1 lid 1

slb template policy p1
   class-list-group g1
   class-list lid 1
      action forward-to-internet log
   class-list lid 5
      action drop log

The class-list group g1 sequence 1 has LID 1. However, if a match for example1 is made, the process goes to LID 5 of the policy template as the action. This step occurs because a LID has been configured in the class list.

• Action

After a policy match is attempted, one of the following actions occurs:

• Forward

If there is a match, the request is forwarded to the Internet or to a specified service group.

• Drop

If there is no match, the request is dropped.

If the hostname cannot be resolved through the domain name system (DNS), and the action is to forward the request to the Internet, you can instead forward the request to a specified fail-back service-group.

The DNS lookup is considered unresolved in the following conditions:

• The IP address of the hostname that is being queried cannot be retrieved.

• The DNS server can be reached by using Internet Control Message Protocol (ICMP), but the DNS service is down.

• The DNS server cannot be reached by using ICMP.

NOTE: Actions are configured under the class list LID in a policy template.

Example of a Policy Template


The following text is an example of a policy template:

class-list-group g1
   sequence-number 1 HOST contains d1 lid 1
   sequence-number 2 URL equals url1 lid 2
   sequence-number 3 URL starts-with url2 lid 3

slb template policy p1
   class-list-group g1
   class-list lid 1
      action forward-to-internet log
   class-list lid 2
      action forward-to-service-group sg-http log
   class-list lid 3
      action drop log

If there is a match with sequence 1 in class-list group g1, the process goes to policy template LID 1. The action for this match is forward-to-internet, so the HTTP request is forwarded to the internet. There can be up to 63 class-list groups, and each class-list group can have up to 8192 sequences.
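The matching order just described (sequences tried in ascending number, the first hit deciding, an entry-level LID overriding the sequence LID, and no hit falling through to the virtual port's default service group) is modelled in this added Python example. It is a constructed approximation, not ACOS code, and it combines the class lists, group g1 and the two p1 snippets shown in this section.

```python
from dataclasses import dataclass, field
from typing import Optional

# Comparison methods available in a class-list group sequence.
MATCHERS = {
    "contains":    lambda value, s: s in value,
    "equals":      lambda value, s: value == s,
    "starts-with": lambda value, s: value.startswith(s),
    "ends-with":   lambda value, s: value.endswith(s),
}


@dataclass
class ClassList:
    """'class-list NAME string' whose entries are 'str VALUE [lid N]'."""
    name: str
    entries: dict = field(default_factory=dict)   # string -> LID or None

    def add(self, value: str, lid: Optional[int] = None) -> "ClassList":
        self.entries[value] = lid
        return self

    def match(self, value: str, method: str) -> Optional[tuple]:
        """First entry that matches under `method`, as (string, entry LID), else None."""
        test = MATCHERS[method]
        for s, lid in self.entries.items():
            if test(value, s):
                return s, lid
        return None


@dataclass
class Sequence:
    """'sequence-number N HOST|URL METHOD CLASS-LIST lid L' inside a class-list group."""
    number: int
    field_name: str            # "HOST" or "URL"
    method: str
    class_list: ClassList
    lid: int


@dataclass
class PolicyTemplate:
    """'slb template policy NAME': one bound class-list group plus LID -> action."""
    name: str
    group: list                # the bound class-list group's sequences
    actions: dict              # LID -> action string


def evaluate(policy: PolicyTemplate, host: str, url: str) -> dict:
    """Try sequences in ascending number; the first hit decides.

    An entry-level LID overrides the sequence LID. With no hit at all the request
    is not dropped but goes to the virtual port's default service group.
    """
    for seq in sorted(policy.group, key=lambda s: s.number):
        value = host if seq.field_name == "HOST" else url
        hit = seq.class_list.match(value, seq.method)
        if hit is None:
            continue
        matched, entry_lid = hit
        lid = entry_lid if entry_lid is not None else seq.lid
        return {"seq": seq.number, "matched": matched, "lid": lid,
                "action": policy.actions.get(lid, f"no action for LID {lid}")}
    return {"seq": None, "matched": None, "lid": None, "action": "default-service-group"}


def build_p1() -> PolicyTemplate:
    """d1, url1, url2, group g1 and policy p1 as given in the text
    (LID 5 from the earlier p1 snippet, LIDs 1-3 from the later one)."""
    d1 = ClassList("d1").add("example1", lid=5).add("example2").add("example3")
    url1 = (ClassList("url1")
            .add("http://www.example1.com/index.html")
            .add("http://www.example2.com/index.html")
            .add("http://www.example3.com/index.html"))
    url2 = (ClassList("url2")
            .add("http://www.a10.com/index.html")
            .add("http://www.example4.com/index.html")
            .add("http://www.example5.com/index.html"))
    g1 = [Sequence(1, "HOST", "contains", d1, 1),
          Sequence(2, "URL", "equals", url1, 2),
          Sequence(3, "URL", "starts-with", url2, 3)]
    return PolicyTemplate("p1", g1, {1: "forward-to-internet log",
                                     2: "forward-to-service-group sg-http log",
                                     3: "drop log",
                                     5: "drop log"})


if __name__ == "__main__":
    p1 = build_p1()
    for host, url in (("www.example1.com", "http://www.example1.com/index.html"),
                      ("cdn.test", "http://www.example2.com/index.html"),
                      ("other.test", "http://other.test/")):
        print(host, url, "->", evaluate(p1, host, url))
```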

Logging

You can determine whether you want to log information.

Logging information consists of the following parts:

• Date of request

• Time of request

• Proxy’s action item

• Class-list group and the class-list group’s rule (identified by sequence number) that was executed

• Destination host

• Destination URL

• Source IP and port

If SNAT is configured, the following parts are included:

• SNAT IP and port

• Destination IP and port

NOTE: Local logging and Syslog are supported for this feature.

Example of Log Messages

The following text is an example of the log:


May 01 2014 22:53:22 Info [ACOS]:Proxy Request[drop ]:data.cnn.com url http://data.example.com/jsonp/video/nowPlayingSchedule.json?callback=parseNowPlayingJSON_nowplaying_1_0_2&cachebuster=23316352 from 10.50.12.184:2501, snat 0.0.0.0:0 to 0.0.0.0:0

May 01 2014 22:53:21 Info [ACOS]:Proxy Request[internet(g1 seq#1)]:www.example.com url http://www.example.com/video/data/3.0/video/cvptve/cvpstream1/index.xml?caller=http%3A%2F%2Fz.cdn.turner.com%2Fcnn%2F.element%2Fwidget%2Fnowplaying%2F1.0.2&pollInterval=300000&referrer=http%3A%2F%2Fwww.cnn.com%2F from 10.50.12.184:2500, snat 192.168.231.1:2200 to 157.166.238.48:80
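An added Python parser for the proxy-request log format above, not ACOS code: it splits the two sample lines into the documented parts and reports which requests were dropped and which class-list group and sequence forwarded the rest. The regular expression is fitted to the sample lines shown here and is an assumption about the exact layout.

```python
import re
from typing import Optional

# Sample messages constructed from the two log lines shown above.
SAMPLE_LOG = [
    "May 01 2014 22:53:22 Info [ACOS]:Proxy Request[drop ]:data.cnn.com url "
    "http://data.example.com/jsonp/video/nowPlayingSchedule.json?callback=parseNowPlayingJSON_nowplaying_1_0_2"
    "&cachebuster=23316352 from 10.50.12.184:2501, snat 0.0.0.0:0 to 0.0.0.0:0",
    "May 01 2014 22:53:21 Info [ACOS]:Proxy Request[internet(g1 seq#1)]:www.example.com url "
    "http://www.example.com/video/data/3.0/video/cvptve/cvpstream1/index.xml?caller=http%3A%2F%2Fz.cdn.turner.com"
    "%2Fcnn%2F.element%2Fwidget%2Fnowplaying%2F1.0.2&pollInterval=300000&referrer=http%3A%2F%2Fwww.cnn.com%2F"
    " from 10.50.12.184:2500, snat 192.168.231.1:2200 to 157.166.238.48:80",
]

# Field layout: date, time, level, action[(group seq#N)], host, url, source, snat, destination.
LOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{2} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"\[ACOS\]:Proxy Request\[(?P<action>[^\]\s(]+)\s*"
    r"(?:\((?P<group>\S+) seq#(?P<seq>\d+)\))?\s*\]:"
    r"(?P<host>\S+) url (?P<url>\S+) from (?P<src>\S+), snat (?P<snat>\S+) to (?P<dst>\S+)$"
)


def endpoint(text: str) -> tuple:
    """'ip:port' -> (ip, port); the sample lines only carry IPv4 endpoints."""
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy-request log line into its documented parts, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"]) if rec["seq"] is not None else None
    for k in ("src", "snat", "dst"):
        rec[k] = endpoint(rec[k])
    # A dropped request (or no SNAT configured) shows up as 0.0.0.0:0 for snat and destination.
    rec["snat_used"] = rec["snat"] != ("0.0.0.0", 0)
    return rec


def summarize(lines) -> dict:
    """Count drops and forwards and record which group/sequence produced each forward."""
    report = {"parsed": 0, "unparsed": 0, "dropped": [], "forwarded": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        if rec["action"] == "drop":
            report["dropped"].append(rec["host"])
        else:
            report["forwarded"].append((rec["host"], rec["action"], rec["group"], rec["seq"]))
    return report


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```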

Creating Class Lists, Class-list Groups, and Policy Templates

You can create the documents by using the CLI or the GUI.

Using the CLI

You can use the CLI to create the necessary documents.

Creating a Class List

Enter the following commands to create the class list:

ACOS(config)#class-list domain1 string
ACOS(config-string class list)#str www.example.com
ACOS(config-string class list)#exit
ACOS(config)#class-list url1 string
ACOS(config-string class list)#str http://www.example.com/index.html
ACOS(config-string class list)#exit
ACOS(config)#show class-list domain1
Name: domain1
Total String: 1
Content: str www.example.com
ACOS(config)#show class-list url1
Name: url1
Total String: 1
Content: str http://www.example.com/index.html

Creating a Class-list Group

Enter the following commands to create the class-list group:

ACOS(config)#class-list-group g1
ACOS(config-class list group)#sequence-number 1 HOST contains domain1 lid 1
ACOS(config-class list group)#sequence-number 2 URL equals url1 lid 1

Use the show class-list-group command to view the class-list groups.

ACOS(config)#show class-list-group
Name            Ref_Cnt    Entries
g1              3          2
Total: 1

Specify a group name to view more details about that group:

ACOS(config)#show class-list-group g1
class-list-group g1
   sequence-number 1 HOST contains domain1 lid 1
   sequence-number 2 URL equals url1 lid 1

The following shows the available options for the sequence-number command:

ACOS(config-class list group)#sequence-number ?
  <1-8192>    sequence-number

After specifying a sequence number, additional options are available:

ACOS(config-class list group)#sequence-number 1 ?
  HOST    Host matching class-list entry
  URL     URL matching class-list entry

The output below shows additional sub-options after specifying a host:

ACOS(config-class list group)#sequence-number 1 HOST ?
  contains       String contains another string
  ends-with      String ends with another string
  equals         String equals another string
  starts-with    String starts with another string

Creating the Policy Template

The running config excerpt below creates the policy template:

slb template policy p1
   class-list-group g1
   class-list lid 1
      action forward-to-internet fail-back sg-fail log
   class-list lid 2
      action forward-to-service-group sg-http log
   class-list lid 3
      action drop log
   class-list lid 4
      action forward-to-internet fail-back sg-fail log
slb virtual-server vip1 131.131.131.15
   vrid 1
   port 8080 http
      service-group sg-http
      template policy p1

The sub-options of the action command are shown below:


ACOS(config)#slb template policy p1
ACOS(config-policy)#class-list lid 1
ACOS(config-policy-policy lid)#
ACOS(config-policy-policy lid)#action ?
  drop                        drop the request
  forward-to-internet         forward request to internet
  forward-to-service-group    forward request to service group
ACOS(config-policy-policy lid)#action drop ?
  log                         Log a message
  <cr>
ACOS(config-policy-policy lid)#action forward-to-internet ?
  fail-back                   Set service group for fail to
  log                         Log a message
  <cr>
ACOS(config-policy-policy lid)#action forward-to-internet fail-back ?
  NAME<length:1-63>           Set service group
ACOS(config-policy-policy lid)#action forward-to-service-group ?
  NAME<length:1-63>           Set service group
ACOS(config)#slb virtual-server vip1
ACOS(config-slb vserver)#port 8080 http
ACOS(config-slb vserver-vport)#template policy p1

Using the GUI

You can create the documents by using the GUI.

Creating a Class List

To create a class list:

1. Click Config Mode > SLB > Service > Class List > Class List.

2. Click Add.

3. Enter a name.

4. Select a location.

5. Select Explicit and then String.

6. Enter the class list string.

• For the domain, you can enter, for example, example.

• For the URL, you can enter, for example http://www.example.com/index.html.

7. Select a LID and enter a value.

You do not have to enter a LID. However, if a LID is not entered, the class-list group's LID is used as the action item.


8. Click Add and then OK.

Creating a Class-list Group

To create a class-list group:

1. Click Config Mode > SLB > Service > Class List > Class List Group.

2. Click Add.

3. Enter a name.

4. Enter a sequence number.

5. Select a host.

6. Select the class list.

7. Select a LID.

8. Click Add and then OK.

Creating a Policy Template

To create a policy template:

1. Click Config Mode > Security > Template > Policy.

2. Click Add.

3. Enter a name.

4. From the Class List Group Name drop-down list, select a name.

5. Select a class list.

6. Click OK.

Sample Workflow

This sample workflow shows you how the ACOS device is used to filter HTTP traffic.

Prerequisites

You have created and configured the following documents on your ACOS device:

• A class list (c1)

• A class-list group (g1)

• A policy template (p1)

For more information about creating the class list, the class group, and the policy template, see “Creating Class Lists, Class-list Groups, and Policy Templates” on page 148.


Procedure

1. The client tries to access a web site on a mobile device (for example, www.example.com).

2. This request is received by the ACOS device.

3. The ACOS device extracts the host header and URL.

4. A policy match is initiated.

5. Depending on whether a match is found, the appropriate action is taken:

Forward to the Internet

a. The ACOS device sends a DNS query for that hostname.

b. The DNS server responds with the IP address of the hostname example.com.

c. The ACOS device caches the first IP address that is returned.

DNS responses might contain multiple IP addresses.

d. The ACOS device changes the destination IP address to the IP address that is returned by the DNS response.

Forward to a service-group

The destination IP address is changed to one of the service-group members. The service-group can be a real server or the WAP 2.0 gateway.

If you configure SNAT, the outbound packet should use SNAT.

Private Partition Session Limits

With a resource-usage template, you can adjust the Layer 4 session limits for individual partitions. The template allows you to define a guaranteed minimum number of sessions for a partition, as well as a maximum number of sessions allowed. This keeps parity among the partitions. One partition user will no longer be able to consume all supported sessions by increasing the session timeout value.

To apply a minimum guarantee and maximum allowable sessions, configure the limits on an SLB resource-usage template. Bind the template to the partition to which the limits should be applied. The limits will take effect the next time the ACOS device is reloaded or rebooted.

A resource-usage template specifying a minimum guaranteed number of sessions can only be bound to partitions when the minimum resource guarantee can be met. If the total minimum guaranteed values across partitions will exceed 100%, then the template cannot be applied.

If a session limit is configured on a partition, and you want to change the limit, then the new limit must be higher than the current session utilization. The maximum allowed value can still be lower, as long as the number of currently active sessions is lower than the new maximum value. If the number of currently active sessions is higher, then the change will be rejected.

To completely disable the feature, the Layer 4 session limit configurations should be deleted from all templates that are bound to any private partition. The limits will be removed the next time the ACOS device is reloaded or rebooted.


Configuration Notes

Configuration notes for this feature:

• This feature only provides a minimum guaranteed or a maximum allowed number of sessions per partition. It does not limit other resources, such as the number of connections allowed per second.

• All partitions are pre-allocated a small amount of session memory that will not be freed, even if all the sessions in a partition are closed. Because of this, the show command “show resource-usage” will never be 0% for the “l4-session-count” value, even when there is no traffic.

Configuring Partition Session Limits

To set a guaranteed minimum number of connections and/or a maximum allowed number of connections per partition, do the following:

1. Configure a system resource-usage template.

2. Apply the template to a partition.

Using the GUI

This feature is not supported in the GUI currently.

Using the CLI

To configure partition session limits in the CLI, create or modify a system resource-usage template by using the following command at the global configuration level:

system resource-usage template template-name

Within the resource-usage template, enter the system-resources level by entering the following command:

system-resources

To configure the limits, enter the following command at the system-resources level of the resource-usage template:

l4-session-limit max [min-guarantee min]

Within the Layer 4 session limit command, the “max” specifies the maximum number of sessions allowed, as a percentage of the total number of sessions supported on the ACOS device. The “min” specifies the minimum number of sessions that are guaranteed, as a percentage of the total number of sessions supported on the ACOS device. Both values allow up to 2 digits precision.

NOTE: The minimum guaranteed value cannot be more than the maximum allowed.
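The acceptance rules above (min-guarantee no larger than max, guarantees across partitions capped at 100%, and a changed max that must not fall below the partition's current session count) collected into an added Python checker. This is a constructed model of the documented rules, not ACOS code; the partition names and session counts are made up.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class SessionLimit:
    """'l4-session-limit max [min-guarantee min]': percentages of device session capacity."""
    max_pct: Decimal
    min_pct: Decimal = Decimal("0")

    def __post_init__(self):
        for v in (self.max_pct, self.min_pct):
            # Both values are percentages with at most two digits of precision.
            if not (0 <= v <= 100) or v != v.quantize(Decimal("0.01")):
                raise ValueError(f"{v} is not a 0-100 percentage with at most 2 decimals")
        if self.min_pct > self.max_pct:
            raise ValueError("min-guarantee cannot be more than max")


@dataclass
class Partition:
    """Constructed view of a private partition: its live session count and bound limit."""
    name: str
    active_sessions: int
    limit: Optional[SessionLimit] = None


def sessions_for(pct: Decimal, total_sessions: int) -> int:
    """Translate a percentage into an absolute session count on this device."""
    return int(total_sessions * pct / 100)


def bind_template(partitions, name: str, new: SessionLimit, total_sessions: int) -> Partition:
    """Bind `new` to partition `name`, enforcing the documented rejection rules.

    Raises ValueError with the reason when the binding would be refused.
    """
    target = next(p for p in partitions if p.name == name)

    # Rule 1: guaranteed minimums across all partitions may not exceed 100%.
    others = sum((p.limit.min_pct for p in partitions if p.limit and p is not target), Decimal("0"))
    if others + new.min_pct > 100:
        raise ValueError(f"min-guarantee total {others + new.min_pct}% exceeds 100%")

    # Rule 2: when changing an existing limit, the new max must stay above current utilization.
    new_max = sessions_for(new.max_pct, total_sessions)
    if target.limit is not None and target.active_sessions > new_max:
        raise ValueError(f"{target.active_sessions} active sessions exceed new max {new_max}")

    target.limit = new
    return target


if __name__ == "__main__":
    parts = [Partition("part-a", 1_000, SessionLimit(Decimal("40"), Decimal("30"))),
             Partition("part-b", 50_000)]
    print(bind_template(parts, "part-b", SessionLimit(Decimal("60"), Decimal("50")), 100_000))
```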

aFleX Enhancements

ACOS 2.7.2-P1 introduces the following aFleX enhancements.


• HTTP::disable Command

• RESOLVE::lookup Command

• aFleX Commands for Message Load Balancing

HTTP::disable Command

HTTP::disable

Description This aFleX command changes an HTTP proxy from full parsing to pass-through mode.

If the command is used in the HTTP_REQUEST event, it will disable the HTTP/HTTPS proxy, and traffic after that point will be processed by generic TCP proxy, or generic SSL proxy.

If the command is used in HTTP_RESPONSE event, it will bypass any HTTP related processes for response traffic.

Syntax HTTP::disable

Example

when CLIENT_ACCEPTED {
   TCP::collect 7
}
when CLIENT_DATA {
   if {[TCP::payload 7] equals "CONNECT"} {
      SSL::disable
   }
   TCP::release
}
when HTTP_REQUEST {
   if {[HTTP::method] equals "CONNECT"} {
      log "process HTTP CONNECT!"
      HTTP::respond 200 content OK
      HTTP::disable
      SSL::enable
      SSL::collect
   }
}

Example

when HTTP_REQUEST {
   HTTP::disable
   log "process with generic tcp/ssl proxy"
   node 112.1.1.100 80
}

Example

when HTTP_RESPONSE {
   HTTP::disable
   log "bypass any HTTP process afterward"
}

Usage Valid Events: HTTP_REQUEST, HTTP_RESPONSE, HTTP_RESPONSE_DATA, SERVER_CONNECTED

RESOLVE::lookup Command

RESOLVE::lookup

Description This aFleX command sends a DNS request to the DNS server, returning the list of IP addresses associated with the specified domain name. This command works when the DNS server is in asynchronous mode.

Notes about this command:

• Only supported on HTTP and HTTPS virtual ports.

• Only supported for use with IPv4 addresses.

• Not supported in L3V partitions.

Syntax RESOLVE::lookup <server> <domain_name>

The command above performs a DNS lookup for the specified domain name using the specified DNS server.

RESOLVE::lookup <domain_name>

The command above performs a DNS lookup for the specified domain name using the default DNS server.

NOTE: In order for this command to use the default DNS server, you must first configure a primary DNS server with the following CLI command: ip dns primary ip_address. If the primary server fails, the RESOLVE::lookup command will instead use the secondary DNS server, if one has been configured using the following CLI command: ip dns secondary ip_address.

Example The following script uses the default DNS server to perform a DNS lookup.

when HTTP_REQUEST {
   set client_ip [IP::client_addr]
   set method [HTTP::method]
   set uri [HTTP::uri]
   log "client ip = $client_ip"
   set ips [RESOLVE::lookup "www.google.com"]
   log "ips = '$ips'"
   log "HTTP method = '$method' uri = '$uri'"
}
when HTTP_RESPONSE {
   log "Response: HTTP method = '$method' uri = '$uri'"
}

Example The following script performs a DNS lookup using the specified DNS server.

when HTTP_REQUEST {
   set client_ip [IP::client_addr]
   set method [HTTP::method]
   set uri [HTTP::uri]
   log "client ip = $client_ip"
   set ips [RESOLVE::lookup @112.1.1.118 "www.google.com"]
   log "ips = '$ips'"
   log "HTTP method = '$method' uri = '$uri'"
}
when HTTP_RESPONSE {
   log "Response: HTTP method = '$method' uri = '$uri'"
}

Example The following script dynamically selects which DNS server to use for DNS lookup, and then performs the DNS lookup.

when RULE_INIT {
   set ::cnt 0
   set ::s1 "112.1.1.111"
   set ::s2 "112.1.1.118"
}
when HTTP_REQUEST {
   set client_ip [IP::client_addr]
   set method [HTTP::method]
   set uri [HTTP::uri]
   log "client ip = $client_ip"
   if {[expr $::cnt % 2]} {
      set server "$::s1"
   } else {
      set server "$::s2"
   }
   set ips [RESOLVE::lookup @$server "www.google.com"]
   log "cnt = $::cnt server = '$server' ips = '$ips'"
   log "HTTP method = '$method' uri = '$uri'"
   incr ::cnt
}
when HTTP_RESPONSE {
   log "Response: HTTP method = '$method' uri = '$uri'"
}

Usage Valid Events: HTTP_REQUEST, HTTP_REQUEST_DATA

aFleX Commands for Message Load Balancing

ACOS Release 2.7.2-P1 introduces aFleX support for message load balancing using the following new commands:

• TCP::notify

• TCP::release

NOTE: Message load balancing aFleX scripts also require use of the TCP::collect and TCP::payload commands, as demonstrated in the examples below. For further information about these two commands, see the aFleX Scripting Language Reference.

NOTE: Message load balancing aFleX scripts must be attached to an MLB-TCP virtual port. Note that an MLB-TCP virtual port cannot load balance messages unless an appropriate aFleX script is bound to it. For further information about creating virtual ports, see the Application Delivery and Server Load Balancing Guide. For further information about binding aFleX scripts to virtual ports, see the aFleX Scripting Language Reference.

TCP::notify

Description Notifies the system that the end of a message has been reached, and that the message is ready for load balancing.

Syntax TCP::notify eom

Example The following script load balances messages through TCP.

when CLIENT_ACCEPTED {
   TCP::collect
}
when CLIENT_DATA {
   log "payload is [TCP::payload] "
   TCP::release 1
   TCP::notify eom
   log "payload after release is [TCP::payload]"
   TCP::collect
}

Usage Valid Events: CLIENT_DATA

TCP::release

Description Causes TCP to resume processing the connection and flush collected data.

Syntax TCP::release

Releases the collected TCP payload.

TCP::release <size>

Releases the specified amount of the TCP payload.

NOTE: The command TCP::release <size> is only supported for use on MLB-TCP virtual ports.

NOTE: Once TCP data has been released using the TCP::release command, it will no longer be part of the TCP data payload, and so will not be returned with the TCP::payload command.

Example The following script retains the first 1000 units of data on any packets equal to or greater than 1500 units in length. This might be useful if you are attempting to collect a specific type of packet which is 1500 units in length or greater.

when CLIENT_ACCEPTED {
   TCP::collect 1500
}
when CLIENT_DATA {
   if {[TCP::offset] > 1000} {
      TCP::release
   }
}

Example The following script can be used for message load balancing. The size indicates how much of the payload should be released.

when CLIENT_ACCEPTED {
   TCP::collect
}
when CLIENT_DATA {
   log "payload is [TCP::payload] "
   TCP::release 20
   TCP::notify eom
   log "payload after release is [TCP::payload]"
   TCP::collect
}

Usage Valid Events: CLIENT_DATA

Example Script for Message Load Balancing

The following script uses the aforementioned aFleX commands to load balance messages.

when CLIENT_DATA {
   log " Entering CLIENT_DATA. payload length = [TCP::payload length]"
   while { [TCP::payload length] > 14 } {
      log " ... more than 14 bytes remain in stream"
      binary scan [TCP::payload] "S1c3Wc" message_length ilp_version ssa ssb
      set message_length [expr { $message_length & 0xffff }]
      if {$message_length > 10 } {
         set message_length 10
      }
      log " ... ... extracted message_length = $message_length"
      if { [TCP::payload length] < $message_length } {
         log " ... ... more data must be collected to reach message_length"
         TCP::collect
         return
      }
      set sessionID [expr { (($ssa << 2) >> 32) & 0xffffffff }]
      set ssc [expr { (($ssa << 8) | $ssb) << 26 }]
      set slcIP [expr { (($ssc << 3) >> 32) & 0xffffffff }]
      set slcSessionID "$sessionID:$slcIP"
      log " ... ... slc_session = $slcSessionID [format {%08x:%08x} $sessionID $slcIP]"
      persist uie $slcSessionID
      TCP::release $message_length
      TCP::notify eom
   }
   TCP::collect
}

Logging for DDoS Attack Detection

ACOS 2.7.2 introduces three new log commands to help identify potential DDoS attacks. When enabled, ACOS monitors and logs possible system attacks. You can monitor IP anomalies, SYN/ACK, or sock stress attacks.

When logging is enabled, ACOS checks the packet counters every 30 seconds. If the counters change, then the corresponding log will be printed under the show log command.


Configuring DDoS Detection Logging

To configure DDoS detection logs, enable the system log commands from the global configuration level.

NOTE: These logs currently are not supported in the GUI.

To enable IP anomaly logs, enter the following command:

system anomaly log

To enable SYN/ACK attack logs, enter the following command:

system attack log

To enable sock stress attack logs, enter the following command:

system pbslb log

Additional Changes

This section describes the following additional changes:

• Deprecated Syntax

• HSM KEK Generation Command for HSM

Deprecated Syntax

Table 6 lists the syntax that is deprecated in this release, and the new syntax that replaces it.

HSM KEK Generation Command for HSM

ACOS 2.7.2-P1 includes a command for generating the Key Encryption Key (KEK) for the Hardware Security Module (HSM), if applicable to your device. The command allows you to perform this operation without the need for shell access to system software. This command is needed only for new HSMs or after zeroizing HSMs.

The new command (hsm generateKEK) applies to devices that contain an HSM. The HSM provides HSM FIPS140-2 Level 3 security to protect keys and SSL functionalities.

CAUTION: This command is needed only for new HSMs or after zeroizing HSMs. Generally, this command is used only by A10 Networks when setting up a new device. If you do need to use this command, wait at least 15 minutes following the last reboot.

TABLE 6 Deprecated Syntax in 2.7.2-P1

Previous Syntax                                        New Syntax in 2.7.2-P1
skyfire-icap (SLB external-service template option)    icap-traffic-steering


The following example shows how to generate the KEK on a device:

1. The following command zeroizes the HSMs:

ACOS(config)#hsm zeroize
This will erase the contents of the HSM cards, and
put them into factory default state.
Please confirm: Do you want to proceed (N/Y)?: y
This process is going to take about fifteen minutes
(depending on the number of cards in the system)
Please let the command run to completion, DO NOT
INTERRUPT the process. Once finished, you must
reboot the system. Reboot one more time if the
system does not come up after reboot.
Do you still want to proceed (N/Y)?: y

2. The following command reboots the device:

ACOS(config)#do reboot

3. After the reboot is completed, log in to global configuration mode and enter the hsm generateKEK command:

login as: admin
Using keyboard-interactive authentication.
Password: ********
ACOS system is ready now.
[type ? for help]
ACOS>enable
Password:********
ACOS#configure
ACOS(config)#hsm generateKEK

Wait as the process is performed on your module. Following completion, the CLI prompt will return.

Errata (Jumbo Frame Support)

The table in the ACOS 2.7.2 Release Notes that lists the models on which jumbo frames are supported is inaccurate. Instead, see the correct version of the table, located in the System Configuration and Administration Guide (page 198, 5/15/2014 edition).


Issues in Release 2.7.2 P7

Known Issues

Access Control Lists

• When using a wildcard VIP with ACL, the session sync fails and a standby ACOS device can’t process traffic after failover. [A10 issue 231158]. This issue only happens when a user configures a mismatched interface setup over active/standby ACOS devices. For example, if an active ACOS device uses ethernet 3 to reach the real server while a standby ACOS device uses ethernet 2, the traffic cannot be processed and the session sync fails.

• If both active/standby ACOS devices use the same ethernet number to connect to a real server, the session sync will work. If using the wildcard VIP feature, it is suggested that a symmetric L3 setup over an active/standby ACOS device is configured. For example, both devices use ethernet 2 to reach the server.

Auto-Negotiate for 10G Ports

• AX 5630 platform and Thunder Series FTA platforms do not support auto-negotiate for 10G ports, even if the port speed is changed to 1G. Other systems connecting to the 10G ports must have auto-negotiate disabled. [A10 issue 253156]

aXAPI

• When using the parameter format=xml or format=json while issuing the cli.deploy aXAPI method, the output is the same for 2.7.2-P3 and 2.7.2-P4; the output differs only when no format is specified. [A10 issue 229348]. The default behavior for each is as follows:

• In 2.7.2-P3, it returns XML format.

• In 2.7.2-P4, it returns plain text.

DNS Cache Round Robin

• When using the dns-cache-enable round-robin command, the DNS transaction ID (which is random) is used to assist in the round-robin. This behavior is better for heavy traffic, but the side effect is that it will not strictly follow the round-robin. This behavior was introduced in 2.7.2-P6 and above. [A10 issue 287092]

IP-in-IP Tunneling for Routed Traffic

• GUI support is not available for IP-in-IP tunneling for routed traffic. [A10 issue 249248]

Management Interface

• When configuring the management interface of the ACOS device, using an IPv6 address with a /127 subnet mask is not supported.


• No GUI support for adding a management interface as an interface option to "enable-management" with an ACL. [A10 issue 249133]

Online Help

• Online Help has been updated to reflect the 2.7.2-P5 GUI. Customers using earlier versions of 2.7.2 will see this update as well.

OSPF Issue

• With distribute-internal vip-only-flagged area configured, OSPF routes are not advertised to the router. [A10 issue 260587]

SFP Interface

• ACOS does not support the use of a copper adapter on a fiber port in the current release across all AX platforms. [A10 issue 248521]

• Inserting a 1 G optical (SFP) transceiver into a 10 G port can cause the port driver to stop working and may result in a report of an incorrect MAC address (0000.0000.0000) and erroneous statistics for the port. If this occurs, the ACOS device must be rebooted to return it to an operational state. [A10 issues 80746, 92686]

SLB-NAT

• In this release, the IP-in-IP feature does not support the respond-to-user-mac option under the ip nat inside statement. [A10 issues 251942, 246068]

Staggered Upgrade (with VRRP-A)

• vBlade handshake will fail if using staggered-upgrade from 2.7.2-P5 to 2.7.1-P6. [A10 issue 258728]

System Resource Summary

• There is a discrepancy between the CLI and GUI for the sorting options of the system resources. [A10 issues 254440, 254218]

WAF

• When configuring a WAF template, A10 recommends a session-check value of 60 seconds or more. Note that the exact time at which the session gets cleared will be about 40 seconds more than the configured value. [A10 issue 231415]

slb template waf tempwaf

buf-ovf disable

session-check 30

template logging syslog

Virtual Appliance

• ISIS and LACP L2 multicast packets sent by vThunder are not being received by the peer. The Hyper-V host is unable to forward the packets. [A10 issues 258140, 231419]


vThunder

• vThunder for Hyper-V does not support jumbo frames in ACOS 2.7.2-P4. [A10 issue 231641]

Documentation Errata

The following known issues exist in the release 2.7.2 documentation:

• Several documents in the ACOS 2.7.2 documentation set erroneously indicated support for the AX 5100 model. The AX 5100 model is not supported in ACOS 2.7.1 or later.

• In the Command Line Interface Reference, the neighbor maximum-prefix BGP command lists a specific number of prefixes allowed. However, the actual number varies depending on the platform. The maximum value listed in the CLI help is 65536, but this may not be valid for some devices.

• The Command Line Interface Reference in the ACOS 2.7.2 documentation erroneously indicates that the mtu command applies to the management interface and Ethernet data interfaces. This command only applies to the Ethernet data interfaces.

• In the Command Line Interface Reference, the syn-cookie global configuration command erroneously states that hardware-based SYN cookies apply to all partitions and that they are partition-aware. Hardware-based SYN cookies are NOT partition-aware and must be enabled on a per-partition basis.

• In the aFleX Reference Guide, the TCP::payload command is missing the TCP::payload replace option. In addition, there is a note indicating that all TCP::payload commands apply only to TCP-proxy virtual ports, when in fact only the TCP::payload replace command has this limitation. (See “TCP::payload replace Support on Layer 4 Virtual Ports” on page 20 for more information about this command being enhanced in release 2.7.2-P6.)

• In the aFleX Reference Guide, the snat command shows an example that contains snat automap. The snat automap option is not supported.


Fixes in Release 2.7.2 and its Patches

These release notes describe the fixes in this ACOS Release and its patch releases.

For each issue, the following information is provided:

• System area – Part of the system that had the issue (IP NAT, SLB, aFleX, and so on).

• Description – Description of the issue.

• Trigger – System condition that caused the issue, or steps taken by A10 Networks to recreate the issue for diagnosis.

• Version – Software version(s) in which the issue is present. Later versions (including the version documented by this release note) are not affected by the issue.

• Reproducibility – Indicates how consistently the issue could be reproduced: 100%, High, Medium, or Low.

• Severity – Indicates the impact the issue had or could potentially have:

• P1 – Major issue that caused or could cause a major service outage or a reload of the ACOS device.

• P2 – Minor issue that caused or could cause a minor service outage.

• P3 – Minor issue.

• P4 – Cosmetic issue.

• Reported by customer – Indicates whether the issue was reported by a customer (Yes) or was discovered internally (No).

• Workaround – Indicates how to compensate for the issue, if applicable. Not all issues have a workaround.


Issues Fixed in Release 2.7.2-P7-SP3

ACOS Release 2.7.2-P7-SP3 contains fixes for issues in all previous 2.7.2 patch releases. The fixes are listed in Table 7. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

Security Advisory Fixes

2.7.2-P7-SP3 resolves the following Security Advisories:

• CVE-2015-5600 (A10 Tracking ID 291955)

Issues Fixed in Release 2.7.2-P7

ACOS Release 2.7.2-P7 contains fixes for issues in all previous 2.7.2 patch releases. The fixes are listed in Table 8. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

Security Advisory Fixes

2.7.2-P7 resolves the following Security Advisories:

• CVE-2015-5366 (A10 Tracking ID 279412)

TABLE 7 Fixes in ACOS Release 2.7.2-P7-SP3

A10 Tracking ID Issue Description

291955 System area: System Management

Description: This patch addresses the following Security Advisories:

• CVE-2015-5600

Trigger: N/A

Version: 2.7.2-P7 and earlier

Reproducibility: N/A

Severity: N/A

Reported by customer: No

284350 System area: Web

Description: The fix for Tracking ID 284350 was incomplete in 2.7.2-P7. Additional fixes applied.

Trigger: See description.

Version: 2.7.2-P7

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


TABLE 8 Fixes in ACOS Release 2.7.2-P7

A10 Tracking ID Issue Description

227266 System area: SLB, HTTP, Compression

Description: Sessions with pipelined requests failed when compression was enabled for that service.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

254306 System area: vThunder in XenServer

Description: Experienced a kernel panic when the driver's receive buffers were exhausted.

Trigger: High/spike traffic caused buffer exhaustion.

Version: 2.7.2-P6 and earlier

Reproducibility: Medium

Severity: High

Reported by customer: Yes

Workaround: Increase the vThunder memory configuration to 8GB.

259666 System area: PBSLB

Description: With L7 request-rate-limit configured, the first requests always got dropped.

Trigger: Client sent the http request to a vip that had pbslb request-rate-limit configured.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: High

Reported by customer: Yes

270568 Enhancement Bug: The following bug addresses an issue reported by multiple customers. The change is an additional option in the health monitor configuration to use a non-ECDHE cipher.

System area: Health Monitor

Description: ACOS health check was causing high CPU when the backend servers used ECDHE for L7 SSL health check.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: A higher health check-rate can reduce the CPU usage.


275840 System area: Web

Description: aXAPI experienced an upload issue while doing concurrent aflex.upload calls.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: Critical

Reported by customer: Yes

276736 System area: L2/L3, Trunk

Description: The show run vlan command displayed an incorrect trunk id if the trunk id was greater than or equal to 16.

Trigger: Configure a trunk greater than 16. Check the show run vlan command.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: Normal

Reported by customer: Yes

Workaround: Use the show running-config | sec trunk command.

276856 System area: SLB

Description: In the case of an SLB config with the no-dest-nat option configured under a virtual port, ACOS sometimes did not send out packets destined to a server on the desired interface or sometimes dropped the packets due to inconsistent route lookup.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No

Workaround: Add a default route to the server’s IP address to allow ACOS to choose the desired interface for sending the server-bound packets.


276955 System area: WAF

Description: The a10lb process crashed when using a WAF template with xss-check sanitize and sqlia-check sanitize.

Trigger: Sanitize arguments contained SQL or Javascript

Version: 2.7.2-P6 and earlier

Reproducibility: 1%

Severity: Moderate

Reported by customer: Yes

Workaround: Reject instead of sanitize.

276979 System area: aFleX

Description: The aFleX HTTP::collect command didn’t work if a client posted with chunked encoding enabled.

Trigger: A client sent the HTTP post with chunk-encoded packets.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: High

Reported by customer: No

277138 System area: aXAPI, SLB - HTTP

Description: Failures occurred when using the DELETE method with Transfer-Encoding: chunked in the header.

Trigger: When the DELETE method was used and transfer-encoding was chunked, the message body of the request was not inspected or forwarded, only the headers were forwarded.

Version: 2.7.2-P6 and earlier

Reproducibility: High

Severity: P3

Reported by customer: Yes

Workaround: Change the transfer type to Transfer-Encoding: content-length or remove the type from the header.


277507 System area: Routing

Description: BGP timers were not working when using the vrrp-a force-self-standby command.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

Workaround: Reduce the BGP scan timer settings.

277549 System area: SNMP

Description: The snmp-server group for SNMPv3 could be deleted even though it was bound to an snmp-server user.

Trigger: The code did not compare to the right variable.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P

Reported by customer: No

278119 System area: WAF

Description: If HTTP pipelining was used with WAF xml-validation, it caused delays in handling HTTP requests.

Trigger: Pipelined requests with WAF response checking enabled.

Version: 2.7.2-P6 and earlier

Reproducibility: 90%

Severity: Moderate

Reported by customer: Yes

Workaround: Disable xml-validation on resp-val in the WAF template.

279412 System area: System

Description: CVE-2015-5366. The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows remote attackers to cause a denial of service (EPOLLET epoll application read outage) via an incorrect checksum in a UDP packet, a different vulnerability than CVE-2015-5364.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: No

Severity: P2

Reported by customer: No


280192 System area: GUI

Description: The WAF max-data-parse values in the GUI were not consistent with the values in the CLI.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: Normal

Reported by customer: No

280225 System area: HA, GRE

Description: GRE sessions did not get synchronized.

Trigger: Configure HA and run GRE traffic through it. Check standby for sessions.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

280715 System area: Health Monitor

Description: The health monitor did not allow "&" to be configured as part of the query string.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

280777 System area: GUI

Description: When exporting showtech from the "Showtech File" menu, the clicked options stayed cached.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: Normal

Reported by customer: No


281657 System area: SSL

Description: SSL handshake failed if client cert was null and ssl protocol was sslv3.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

281677 System area: aFleX

Description: Extra spaces and characters appeared in the output when a long serial number was used in the aFleX script to insert data extracted from X509::serial_number.

Trigger: X509::serial_number

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: Medium

Reported by customer: Yes

281719 System area: SLB HTTP, aFleX

Description: ACOS restarted when aFleX was used to parse an HTTP::cookie, and the cookie in the packets was a mix of MSNS and RFC2109.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

281740, 282118 System area: aFleX

Description: When using the aFleX resolve::lookup command, the memory usage kept increasing and eventually ran out of memory.

Trigger: When ACOS didn’t get a response for resolve::lookup and the session timed out, the memory leak occurred.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: High

Reported by customer: Yes


282916 System area: SLB, SMTP

Description: ACOS reloaded when processing client SMTP STARTTLS command due to reuse of the invalid buffer that had already been consumed.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: P1

Severity: Medium

Reported by customer: Yes

283735 System area: SLB, HTTP

Description: When dest-nat was configured at the server port level, it was not being considered for VPORT HTTP. The change enables this configuration only for HTTP type VPORTs. It will not be applicable for other L7 VPORTs.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

284350 System area: Web

Description: ACOS accepted a password if the password was set to the maximum number of characters but the user entered all the valid characters up to the maximum plus a few extra characters. ACOS verified only the valid length and ignored the rest.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes
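The defect class behind tracking ID 284350 above, as an added Python example that is not ACOS code: a verifier that silently truncates the supplied password to the maximum length accepts a padded password, while one that fails closed on over-length input does not. MAX_LEN, the PBKDF2 parameters and the sample password are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed maximum password length for this illustration (not an ACOS value).
MAX_LEN = 63
PBKDF2_ITERATIONS = 50_000  # assumed work factor for the example


def _derive(password: bytes, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password bytes."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def register(password: str) -> tuple[bytes, bytes]:
    """Enrol a credential; over-length passwords are rejected at enrolment."""
    raw = password.encode()
    if not 1 <= len(raw) <= MAX_LEN:
        raise ValueError("password length out of range")
    salt = os.urandom(16)
    return salt, _derive(raw, salt)


def verify_truncating(password: str, salt: bytes, stored: bytes) -> bool:
    """Buggy check (the 284350 behaviour): only the first MAX_LEN bytes are
    compared, so trailing characters beyond the maximum are ignored."""
    raw = password.encode()[:MAX_LEN]
    return hmac.compare_digest(_derive(raw, salt), stored)


def verify_strict(password: str, salt: bytes, stored: bytes) -> bool:
    """Fixed check: input longer than MAX_LEN fails closed instead of being
    truncated, so only the exact enrolled password is accepted."""
    raw = password.encode()
    if len(raw) > MAX_LEN:
        return False
    return hmac.compare_digest(_derive(raw, salt), stored)


def demo() -> dict:
    """Run both verifiers against a constructed maximum-length password."""
    secret = "A" * MAX_LEN          # constructed sample, exactly MAX_LEN long
    salt, stored = register(secret)
    padded = secret + "zzz"         # valid prefix plus extra characters
    return {
        "truncating_accepts_padded": verify_truncating(padded, salt, stored),
        "strict_accepts_padded": verify_strict(padded, salt, stored),
        "strict_accepts_exact": verify_strict(secret, salt, stored),
        "strict_rejects_wrong": verify_strict("B" * MAX_LEN, salt, stored),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```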


285088 System area: SLB DNS

Description: ACOS restarted when configured with slb dns-cache-enable round-robin while processing DNS requests with a query-type that did not match any within the Answer section of the cached response.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Replace "slb dns-cache-enable round-robin" with "slb dns-cache-enable" to continue using the DNS caching functionality without round-robin.

285640 System area: aFleX

Description: When using the DNS::return command in aFleX, the answer that it generated followed the routing table and not the use-rcv-hop-for-resp configuration to send replies to clients.

Trigger: See description.

Version: 2.7.2-P6 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

Issues Fixed in Release 2.7.2-P6

ACOS Release 2.7.2-P6 contains fixes for issues in all previous 2.7.2 patch releases. The fixes are listed in Table 9. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

Security Advisory Fixes

2.7.2-P6 resolves the following Security Advisories:

• CVE-2015-5621 (A10 Tracking ID 274882)

• CVE-2014-0076 (A10 Tracking ID 263386)

TABLE 9 Fixes in ACOS Release 2.7.2-P6

A10 Tracking ID Issue Description

275605 System area: sFlow

Description: Under certain circumstances, the ACOS device may restart while processing HTTP requests for sending out sFlow records.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: Remove all sFlow configuration from the device, then reload.

275419 System area: aFleX

Description: Using global variables in aFleX scripts may cause the system to crash.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 80%

Severity: P2

Reported by customer: Yes

274936 System area: Session-filter

Description: All of the configured session-filters may not be displayed or saved correctly under the running and startup configuration or within the show session filter config output.

Trigger: When the session filter counter exceeded 19, then the session-filters were not displayed correctly.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

274690 System area: System

Description: When the Thunder 4400 device boots up, the interface status is occasionally shown as down. (This issue is seen approximately 3 or 4 times per 100 reboots.)

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: Low

Severity: P3

Reported by customer: Yes


274021 System area: System

Description: The template monitor configuration to monitor an interface status may not work.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

273829 System area: HA/VRRP-A

Description: The HA sync status is incorrect in the GUI and CLI, even when the sync is successful.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

273316 System area: ICMP

Description: A10 FPGA devices may restart when processing ICMP error packets containing a mangled, encapsulated IP header with incorrect L4 protocol information.

Trigger: See description.

Version: 2.7.2-P5

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: As a temporary workaround until you can upgrade the boxes, block the ICMP Destination Unreachable messages at the interface level.

You can block it by setting up an ACL and applying it at the interfaces. For example (modify it per your VLANs):

access-list 100 deny icmp type dest-unreachable any any vlan 2300
access-list 100 permit ip any any vlan 2300
!
interface ve 1/2300
  name 10-41-0-10_24
  access-list 100 in
  ip address 10.41.0.10 255.255.255.0


273151 System area: AAM

Description: The ACOS device crashes when attempting to bind with a very large authentication portal.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

272968 System area: Health monitor

Description: The allowable length for a health-test monitor name is shorter than the allowable length for a health monitor name.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

272581 System area: SSL

Description: The software may reload during TCP receive buffer space calculation when a very low MSS value is configured.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

272578 System area: SSL

Description: In an SSL-offload setup, a large SSL record spanning several TCP segments may cause a buffer overflow and system reset.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes


272317 System area: aFleX

Description: The received packet could be freed after HTTP::payload replace, so the logic following the HTTP::payload replace command should not reference the packet.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

271913 System area: aXAPI

Description: When using the slb.template.http.update method to update an HTTP template, the system will crash.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

271708 System area: SSL

Description: During ECDHE key exchange, the ADC might perform a system reset.

Trigger: While clients negotiated the ECDHE cipher and the crypto operation was in process, an error occurred such as crypto failure or connection abort.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: No

Workaround: Disable the ECDHE cipher in the SSL-client template.

271321 System area: aFleX

Description: aFleX selects the wrong backend server.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Save the configuration, then reload.


270274 System area: aFleX

Description: New feature to support TCP::payload replace for Layer 4 TCP and FTP virtual ports. For more information, see “TCP::payload replace Support on Layer 4 Virtual Ports” on page 20.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

269944 System area: VRRP-A/HA

Description: When using a logging template on a virtual port, the ACOS device may reload when trying to send session sync data during fast aging.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

269719 System area: NAT, aFleX

Description: When the lwnode command is used for port translation on a virtual port, a NAT resource leak occurs.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes


269506 System area: SLB DNS Cache

Description: A default TTL cannot be specified for per-VIP DNS cache entries. The global DNS cache TTL configuration (via slb dns-cache-age) will take effect for non-class-list DNS traffic which is not covered by the class-list of the DNS template.

Trigger: To reproduce:

• No global DNS caching; use only VIP-based DNS caching.

• Use a class-list to define the traffic that needs to be cached.

• Use a LID within the class-list to define a custom TTL under the DNS template. (For all traffic that does not match the class-list, ACOS automatically uses 300 as the TTL.)

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

267610 System area: sFlow

Description: Configuring an sFlow collector to gather records for HTTP requests and responses for SLB may cause the device to restart during traffic processing.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not configure an sFlow collector on the device.

267814 System area: CLI

Description: A typographical error was fixed in the output of the show lldp stat command: “packets droped” was changed to “packets dropped”.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes


267556 System area: System (vThunder)

Description: Users are not able to log in to vThunder on AWS after the logging facility is changed to local3 and the device is reloaded. The syslog.conf process redirects error logs from local3 to /dev/console; this causes syslog to get a permission error when trying to write logs to /dev/console, thus causing the login process to hang while waiting for syslog.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100% on AWS

Severity: P1

Reported by customer: No

Workaround: Do not log error logs to /dev/console from local3.

267373 System area: WAF

Description: XML validation does not work in L3V partitions.

Trigger: Set xml-validation in a WAF template.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

267370 System area: GSLB in vThunder

Description: When the vThunder is in single IP mode, GSLB UDP traffic causes a kernel panic.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

267349 System area: Fast HTTP SLB

Description: When a second request comes as a pipelined request to a Fast HTTP virtual port, it does not get handled properly.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


267109 System area: aFleX

Description: After adding support for using a comma as the HTTP cookie delimiter, the HTTP cookie parser has to make the corresponding changes.

Trigger: HTTP cookie contains “expires”.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

266761 System area: Web

Description: Perfdata: Interface CSV file should be "byte" not "bit".

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: No

266749 System area: Health monitor/SLB

Description: The health monitor status of service groups and virtual servers is delayed in the log; the down or up status is not immediately logged.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

266539 System area: Fast HTTP SLB

Description: When a request comes as a pipelined request to a Fast HTTP virtual port, it does not get handled properly.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


265834 System area: WAF

Description: The system may experience high CPU usage while processing large multi-part messages with WAF enabled and buf-ovf disabled.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Leave buf-ovf enabled on templates where large multi-part messages may be received.

265753 System area: L7 authentication (AAM)

Description: After base64 encoding, the URI becomes longer, and the originally allocated buffer size is not enough, causing memory corruption.

Trigger: See description.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

265618 System area: SLB

Description: In non-HA configurations, the incoming packet destination MAC address does not match the outgoing packet source MAC address.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

265528 System area: L2

Description: The TTL may not be decremented properly for fragmented packets.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes


265525 System area: aFleX

Description: When the input parameter for the b64encode, md5, and sha1 commands is not a printable string, it is not read properly by aFleX.

Trigger: Use a non-printable string as a parameter for one of the specified commands.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

265255 System area: aFleX

Description: This fix adds a runtime check of the class-list type. In cases where the class-list name was a variable, the aFleX compiler was not able to check the class-list type.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

265165 System area: System

Description: The high control CPU messages are logged too often, at 1-second intervals instead of 10-second intervals.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

264949 System area: WAF

Description: XML response schema check fails.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Disable XML response schema checking


264790 System area: aFleX

Description: The system may be reset when an aFleX global array is used.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 80%

Severity: P1

Reported by customer: Yes

264754 System area: HA

Description: The system reloads when UDP traffic received on the device contains UDP ports that match the ports being used for HA session sync.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 80%

Severity: P1

Reported by customer: Yes

264514 System area: Health monitor CLI

Description: If a health monitor includes key-pass-phrase in its configuration, the health monitor configuration is lost after the device is rebooted or reloaded.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

264418 System area: aFleX

Description: The CLASS::match command strips out the last character of the string.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


264292 System area: SSL

Description: When using ECDHE ciphers, the ACOS device will ACK the server response and then hang during the SSL handshake.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not use ECDHE ciphers.

264265 System area: aXAPI

Description: “Object Not Found” error is returned when the slb.class_list.upload method is used.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

264091 System area: SLB L4

Description: When use-rcv-hop-for-resp is configured on the ACOS device, traffic from the real server can be forwarded incorrectly via the default gateway instead of the hop the request was received from, resulting in application failure.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

263902 System area: L2/L3

Description: When an IP helper address is configured, the ACOS device stops DHCP broadcasts from being flooded to other VLANs.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not use the ACOS device for the IP helper function.


263887 System area: SSL

Description: The ACOS device uses TLS 1.0 on a server-side SSL connection by default, irrespective of which ciphers are configured.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

263872 System area: SSLi

Description: When forging certificates, the SHA1 algorithm was always used. This is fixed so that certificates are now signed using the original certificate's signing algorithm (for example, SHA2).

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: No

263854 System area: SSL

Description: The ACOS device does not handle block cipher messages that extend beyond two buffers.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

263800 System area: aXAPI

Description: aXAPI v2.1 does not provide the ability to check the HA state (active or standby) of an ACOS device. The ha.group.fetchStatistics method is added to provide this functionality.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes
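The following is an added example, not A10 code, for checking what an ACOS device actually negotiates on its server-side connection (entries 263887 and 264292 above): it reads the negotiated protocol version out of a captured TLS ServerHello record, and builds a constructed ServerHello so the parser can be exercised offline. The cipher suite value and the zero-filled random in the constructed record are test assumptions.

```python
"""Extract the negotiated protocol version from a TLS ServerHello record.

Added example (not A10 code). Feed in the first server-side record of a
captured backend handshake; the constructed record below is test input only.
"""
import struct

VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def negotiated_version(record: bytes) -> str:
    """Return the version name carried in a ServerHello handshake record.

    For TLS 1.2 and earlier the negotiated version is ServerHello.server_version,
    not the record-layer version, so the handshake body is parsed. Raises
    ValueError for anything that is not a well-formed ServerHello record.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length does not match payload")
    if len(body) < 6:
        raise ValueError("truncated handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 0x02:
        raise ValueError("not a ServerHello")
    if hs_len != len(body) - 4:
        raise ValueError("handshake length does not match")
    major, minor = body[4], body[5]            # server_version
    return VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")


def build_server_hello(version: tuple, cipher_suite: int = 0x002F) -> bytes:
    """Construct a minimal ServerHello record for a (major, minor) version.

    Random and session ID are zero-filled: this is constructed test input,
    not a hello captured from a real server.
    """
    major, minor = version
    hello = (bytes([major, minor])
             + bytes(32)                        # random (zeroed for the test)
             + b"\x00"                          # zero-length session ID
             + struct.pack("!H", cipher_suite)  # assumed cipher suite value
             + b"\x00")                         # null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    # Record-layer version is not the negotiated version; 3.1 is commonly used.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A cipher list alone does not pin the protocol version, which is the point of 263887: confirm the fix by capturing the backend handshake and checking the ServerHello, not by inspecting the cipher template.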


263188 System area: AAM

Description: When using form-based logon and accessing a virtual server, an authenticated client may be asked to re-enter their credentials.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

263164 System area: SLB and HTTP template

Description: The ACOS device may restart when an SLB HTTP template contains either url-switching url-hits-enable or host-switching host-hits-enable configuration, and one of the rules for url-switching or host-switching is deleted from the HTTP template when traffic is hitting those rules.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Avoid deleting url-switching or host-switching rules when traffic is hitting those rules OR do not have url-switching url-hits-enable or host-switching host-hits-enable configured under the HTTP template.

263101 System area: SLB L7

Description: The ACOS device may expedite the deletion of an SLB L7 session upon seeing a FIN from either the server or the client, without waiting for the FIN from the other side. For example, if the server initiated a close via FIN, the ACOS device could delete the L7 session upon seeing the subsequent ACK from the client (without the FIN bit set), and so not forward the client's FIN to the server side when it arrived later. This caused back-end servers to hold on to socket resources as the TCP connection remained in FIN-WAIT state.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Configuring a template (for example, a TCP-proxy template) under the L7 virtual port might avoid this issue.
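As an added illustration (not ACOS code) of the close-handling bug in 263101, the model below tracks a proxied session's FIN state in two ways: the pre-fix behaviour that deletes the session as soon as the peer ACKs the first FIN, and the correct behaviour that waits for both directions to close. The flag values and side names are constructed inputs.

```python
"""Close tracking for an L7 proxied TCP session, as a simplified model.

Added example, not ACOS code. early_delete=True reproduces the behaviour
described in 263101; early_delete=False shows the correct teardown order.
"""
from dataclasses import dataclass, field

FIN = 0x01
ACK = 0x10


@dataclass
class L7Session:
    """Tracks the close state of one client<->server proxied session."""
    early_delete: bool = False
    fin_seen: set = field(default_factory=set)
    deleted: bool = False

    def on_segment(self, side: str, flags: int) -> bool:
        """Process a segment from 'client' or 'server'.

        Returns True if the segment was forwarded to the peer, False if it was
        dropped because the session had already been deleted.
        """
        if self.deleted:
            return False
        if flags & FIN:
            self.fin_seen.add(side)
        if self.early_delete:
            # Buggy: once one side has sent FIN, an ACK from the other side is
            # taken as the end of the session even though it carries no FIN.
            if self.fin_seen and (flags & ACK) and side not in self.fin_seen:
                self.deleted = True
        else:
            # Correct: tear down only after both FINs have been seen and the
            # final ACK (a segment without FIN) has been forwarded.
            if self.fin_seen == {"client", "server"} and not (flags & FIN):
                self.deleted = True
        return True


def server_initiated_close(early_delete: bool) -> list:
    """Replay the exchange from 263101; return which segments were forwarded."""
    s = L7Session(early_delete=early_delete)
    return [
        s.on_segment("server", FIN | ACK),   # server starts the close
        s.on_segment("client", ACK),         # client ACKs the server FIN
        s.on_segment("client", FIN | ACK),   # client's own FIN
        s.on_segment("server", ACK),         # server ACKs the client FIN
    ]
```

With the pre-fix logic the client's FIN is the first segment that is dropped, which is exactly why the back-end socket stays in FIN-WAIT.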


263071 System area: WAF

Description: HTTP requests with more than 64 MIME entities were not being processed. To fix this issue, the maximum limit for MIME entities allowed in an HTTP request was increased from 64 to 512.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

263059 System area: SLB SIP

Description: When a SIP real server changes and the SIP session is updated, this causes the TCP connection to reset.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

262297 System area: SLB DNS Cache

Description: Using the dns-cache-enable command with the round-robin option may corrupt cached DNS responses.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

262121 System area: VRRP-A/HA

Description: Using the aXAPI method ha.sync_config fails to synchronize the configurations.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No


261961 System area: L2/L3

Description: The default route on DHCP overwrites the static default route configured on the ACOS device.

Trigger: When the data interface gets its IP address from the DHCP server, it overwrites the static route configured on the ACOS device.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

261881 System area: SSL

Description: A memory leak occurs with 64-byte SSL memory objects when “Extension: next_protocol_negotiation” is present in the client/server hello.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

261781 System area: SNMP

Description: The axServiceGroupMemberDown SNMP object uses the same OID as the axServiceGroupMemberUp object.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

261415 System area: DNS Load Balancing

Description: When query-id-switch is configured in a DNS template, processing IPv6 DNS packets may cause the system to reload.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

Workaround: Remove the query-id-switch configuration from the DNS template.


261259 System area: L2/L3

Description: The Ethernet interface name disappears after a private partition is deleted.

Trigger: This issue happens when a private partition is deleted from the configuration.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

261184 System area: L2/L3

Description: The default route in the configuration “ip route 0.0.0.0 /0 <ip-address>” cannot be deleted.

Trigger: If there is a VIP configured with the same IP address as ip-address in the IP route configuration, then the default route in the configuration cannot be deleted.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Delete the VIP first, and then delete the route configuration from the web UI.

261181 System area: Health monitor

Description: Half-open health checks are flapping when a large number of health checks are configured.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

260795 System area: SLB and authentication

Description: Under certain circumstances, when using an authentication template under an HTTPS virtual port, unexpected restart could occur during the server selection process. This behavior was observed when client requests were being split across multiple SSL records.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes


260537 System area: aFleX

Description: A memory leak occurs when using the DNS::answer insert command many times in the same packet.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Insert only one DNS answer in each packet.

260185 System area: GSLB

Description: GSLB does not answer the PTR query when it receives a request with the OPT record and the “DO” bit set.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Specify PTR records and zones instead of using auto-ptr.

259891 System area: WAF

Description: Configuring multiple referer domains in the WAF template has no effect.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

259817 System area: SLB with RAM Caching

Description: Server responses with headers spanning multiple packets were not consistently being cached via RAM caching. This was seen when any aFleX script was bound to an L7 virtual port.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Remove any aFleX scripts configured under L7 virtual ports.


259696 System area: HTTP

Description: Clients may receive an HTTP status 504 connection timeout due to an error in server selection.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

259684 System area: SSLi

Description: The ACOS device may reset if an ECDHE_RSA cipher is negotiated on the server-side SSL connection and the server is using a large certificate.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

259522 System area: NAT

Description: Port numbers that are configured as a server port or as a virtual port may be used for SNAT.

Trigger: This behavior happens while there is active traffic running, and then multiple server ports and/or virtual ports are added and removed.

Version: 2.7.2-P5 and earlier

Reproducibility: Low

Severity: P3

Reported by customer: Yes


259333 System area: aXAPI

Description: The system.action.write_memory method does not work for a partition-write user.

Trigger: The call returns {"response": {"status": "fail", "err": {"code": 1076, "msg": "Invalid partition parameter."}}}

Request:

curl -k --tlsv1.0 https://$server/services/rest/V2/\?session_id=$json\&method=system.action.write_memory\&enable_password=\&format=json

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

259288 System area: Full Proxy TCP Stack

Description: The ACOS device would unexpectedly reload when Jumbo Frames was configured.

Trigger: Overlapping TCP Segments with Jumbo Frames required a recalculation of the internal receive window.

Version: 2.7.2-P5 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: No

259204 System area: SNMP

Description: The SNMP Clear Trap MIB files for some system MIBs were missing.

Trigger: N/A

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes
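As an added example (not A10 client code) for the aXAPI v2 call in 259333 above: it builds the same GET request form, interprets the failure envelope quoted in that entry, and performs the call over verified TLS rather than with the "-k --tlsv1.0" shown in the trigger, which disables certificate checking and pins a deprecated protocol version. The host name, session ID and the success envelope shape used in the test are assumptions.

```python
"""Issue an aXAPI v2 call and interpret the response envelope.

Added example, not A10 client code. The URL form and the failure envelope
come from entry 259333; the success envelope shape is an assumption.
"""
import json
import ssl
import urllib.parse
import urllib.request


class AxapiError(Exception):
    """Raised when the envelope reports status 'fail'."""

    def __init__(self, code: int, msg: str):
        super().__init__(f"aXAPI error {code}: {msg}")
        self.code = code
        self.msg = msg


def build_url(server: str, session_id: str, method: str, **params) -> str:
    """Build the GET form from 259333 with URL-encoded query parameters."""
    query = {"session_id": session_id, "method": method, "format": "json"}
    query.update(params)
    return f"https://{server}/services/rest/V2/?" + urllib.parse.urlencode(query)


def parse_response(body: str) -> dict:
    """Return the decoded envelope on success; raise AxapiError on 'fail'.

    Failure envelope (verbatim from 259333):
    {"response": {"status": "fail", "err": {"code": 1076, "msg": "..."}}}
    """
    data = json.loads(body)
    resp = data.get("response", {})
    if resp.get("status") == "fail":
        err = resp.get("err", {})
        raise AxapiError(int(err.get("code", -1)), str(err.get("msg", "")))
    return data


def call(server: str, session_id: str, method: str, cafile: str, **params) -> dict:
    """Perform the call with certificate verification against cafile.

    Unlike 'curl -k --tlsv1.0', this verifies the device certificate and lets
    the client negotiate the highest TLS version the device offers.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    url = build_url(server, session_id, method, **params)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return parse_response(resp.read().decode("utf-8"))
```

The enable_password parameter is passed through exactly as the trigger shows it (empty); any other parameter the method accepts goes in the same way as a keyword argument.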


258701 System area: aXAPI

Description: The slb.server.search command receives a response with a non-existent "conn-resume 1".

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

258013 System area: Graceful shutdown

Description: If source-ip persist is configured with graceful shutdown, the ACOS device will continue sending new connections to the disabled server. This behavior may break certain customer applications.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: High

Severity: P12

Reported by customer: Yes

Workaround: A new parameter no-persist-conn is added under the slb graceful-shutdown command, which causes the ACOS device to send new connections to one of the UP members in the service group.

256169 System area: System

Description: Some high-end AX Series devices with a large number of L3V partitions were loading up the startup-config before all other processes were initialized.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

254473 System area: SLB - HTTP

Description: In some instances, the HTTP PUT method was treated as non-idempotent, although it is idempotent.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


251977 System area: Cookie persistence

Description: The ACOS device may reload when processing invalid cookies whose value starts with "=".

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

248170 System area: aFleX

Description: The aFleX HTTP::payload replace command fails if the payload is chunked and encoded with a trailer header.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Do not use a trailer header on the HTTP server.

245923 System area: UDP SIP packet processing

Description: Processing UDP packets containing a valid SIP request with extra trailing CR/LF destined for a virtual Ethernet interface or virtual server may cause the system to restart.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

238429 System area: Explicit Proxy

Description: When the ACOS device acted as proxy server, it was not converting absolute URLs to relative URLs before forwarding them to the client. Some web servers were not handling this correctly.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


235784 System area: aFleX

Description: System may experience a crash if a global variable is being used.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 80%

Severity: P1

Reported by customer: Yes

230017 System area: HTTP

Description: When jumbo frame is enabled, the ACOS device may reload during re-transmission of a partial data frame.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

227590 System area: aXAPI

Description: Use the aXAPI to create a wildcard VIP, then add an HTTP virtual port, then configure no-dest-nat under the virtual port. The show output in the CLI does not show the no-dest-nat under the virtual port.

Trigger: Described above.

Version: 2.7.2-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No
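The first entry in this table (comma as an HTTP cookie delimiter, cookies containing "expires") and 251977 (cookie values starting with "=") are both cookie-parser robustness bugs. The following is an added example, not A10's parser, of splitting a Cookie header on both ";" and "," without breaking the comma inside an RFC 1123 date in an expires attribute, and without failing on a zero-length cookie name. The header strings and the per-header pair cap are constructed test input and an assumed limit, respectively.

```python
"""Defensive Cookie-header splitting with ',' accepted as a delimiter.

Added example, not A10's parser. All inputs here are constructed.
"""
import re

# Tail of an RFC 1123 date after the 'Wdy,' part: ' 09 Jun 2021 10:18:14 GMT'
_DATE_TAIL = re.compile(r"^\s*\d{1,2}[ -][A-Za-z]{3}[ -]\d{2,4}")


def _is_expires(chunk: str) -> bool:
    """True if the chunk is an 'expires=...' attribute (case-insensitive)."""
    name, sep, _ = chunk.partition("=")
    return bool(sep) and name.strip().lower() == "expires"


def split_cookie_pairs(header: str) -> list:
    """Split on ';' and ',' but keep the comma that belongs to an expires date."""
    chunks = []
    for piece in header.split(";"):
        merged = []
        for part in piece.split(","):
            if merged and _is_expires(merged[-1]) and _DATE_TAIL.match(part):
                merged[-1] += "," + part   # 'expires=Wed' + ', 09 Jun 2021 ...'
            else:
                merged.append(part)
        chunks.extend(merged)
    return chunks


def parse_cookie_header(header: str, max_pairs: int = 64) -> list:
    """Return [(name, value), ...]; malformed chunks become ('', raw_chunk).

    A zero-length name (a value starting with '=') is recorded, never indexed,
    so input such as '=' or '=bad' cannot drive the parser into a bad state.
    max_pairs bounds the work done per header (an assumed limit, not an ACOS
    setting).
    """
    pairs = []
    for chunk in split_cookie_pairs(header):
        if len(pairs) >= max_pairs:
            break
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            pairs.append(("", chunk))      # malformed: keep raw, keep going
            continue
        pairs.append((name, value))
    return pairs
```

The only comma that survives as data is one immediately followed by a day-month-year sequence after an expires attribute, so ordinary comma-separated cookies still split as the delimiter change intends.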


Issues Fixed in Release 2.7.2-P5

ACOS Release 2.7.2-P5 contains fixes for issues in ACOS 2.7.2-P1, 2.7.2-P2, 2.7.2-P3, and 2.7.2-P4. The fixes are listed in Table 10. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

Security Advisory Fixes

2.7.2-P5 resolves the following Security Advisories:

• CVE-2014-9293 (A10 Tracking ID 231859)

• CVE-2014-9294 (A10 Tracking ID 231859)

• CVE-2014-9295 (A10 Tracking ID 231859)

• CVE-2014-9296 (A10 Tracking ID 231859)

• CVE-2015-0235 (A10 Tracking ID 236371)

• CVE-2014-3572 (A10 Tracking ID 239113)

• CVE-2015-0204 (A10 Tracking ID 239113)

• CVE-2014-8275 (A10 Tracking ID 239113)

• CVE-2014-3570 (A10 Tracking ID 239113)

• CVE-2014-9297 (A10 Tracking ID 241171)

• CVE-2014-9298 (A10 Tracking ID 241171)

• CVE-2015-0286 (A10 Tracking ID 247822)

• CVE-2015-0292 (A10 Tracking ID 247822)

• CVE-2015-0209 (A10 Tracking ID 247822)

NOTE: This document may be updated with additional fix information.

TABLE 10 Fixes in ACOS Release 2.7.2-P5

A10 Tracking ID Issue

140914 System area: aXAPI

Description: aXAPI failed to create the cipher list when a new client-ssl template was created.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

157399 System area: SLB

Description: With graceful-shutdown and persist cookie configured in an L3v partition, subsequent requests went to the new server instead of the same disabled server in the service-group.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

165616 / 225155 System area: SLB

Description: When issuing a traceroute operation via the ICMP method (IP SLB or IP NAT config) on certain FTA platforms, the intermediate host situated between the ACOS device and the destination server was not being reflected.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

168232 System area: SLB/aFleX

Description: The aFleX method (HTTP::method) logic failed to recognize “TRACK”.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


179653 System area: LACP Trunk and VRRP

Description: With preemption disabled for VRRP with LACP Trunk, a reloaded/rebooted box occasionally came back up as active.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

181366 System area: AXDebug

Description: When AXDebug tried to capture packets at a high rate, some packets were dropped because AXDebug could not write to HDD fast enough. This fix improved the rate at which axdebug could write to HDD & decreased packet drops, as well as added a counter in “show axdebug status” to signal if packets dropped from the capture.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

186886 System area: GUI

Description: Web GUI was not showing IMEI statistics for an SSL template configured via the GUI. Only the CLI was showing the statistics.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


194911 System area: SSL

Description: The ACOS device terminated the session with the client and server upon receiving a “Hello request” from the backend server after completion of the SSL handshake; ACOS sent FIN packets to the client and server. This occurred because ACOS was erroneously including TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the cipher list, even though ACOS does not support renegotiation with server-SSL templates.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Disable renegotiation on the backend server.

199987 System area: SLB and reset-unknown-conn

Description: Under certain situations, upon receiving a packet from a client with no corresponding session on the ACOS device with 'reset-unknown-conn' configured under SLB L4/L7 virtual port, the ACOS device was performing a Layer 2 lookup. The ACOS device should have instead checked for route/ARP information before sending a RST to the client.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

201922 System area: HA

Description: The ha sync all to-startup-config all-partitions command could not sync partition (RBA) to the standby device, even though a log was generated.

Trigger: Issue the command on the ACOS device where the RBA partitions are configured.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


202372 System area: SLB

Description: Uneven connection distribution between service-group members if certain members had a config such as conn-limit/conn-rate-limit/slow-start applied to them and the rest of the members did not have such a config. This was found to occur when data CPU usage was high.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: There are a few workarounds that can be deployed

• Have conn-limit applied under all real servers/ports that are part of the service-group

• Do not have conn-limit under any real server/port that is a service-group member

• Specify method round-robin-strict as the SLB algorithm under the service-group

204469 System area: CLI (Transparent Mode)

Description: The error message displayed when attempting to configure a broadcast/network address was the generic “communication error” message. Now, if the user attempts to configure a bad gateway address, the error message is the more meaningful “invalid gateway address”.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

205966 System area: Routing

Description: The show ipv6 neighbor command in an L2 deployment showed the atenX interface name instead of interface X.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No


209767 System area: System

Description: Running the system-reset CLI command sometimes did not delete the Export Store Information.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

211918 System area: System

Description: The a10logd process received an abort signal.

Trigger: Race condition in freeing the ssl template memory between the data plane and the control plane.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: No

221149 System area: System

Description: Upgraded the ACOS device and saw an immediate rise in the Control CPU.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P3

Reported by customer: Yes

222757 System area: GUI

Description: When making changes to ACLs on the vMaster in VSC/VRRP-A standby/active state, the changes were not correctly reflected on the vBlade device.

Trigger: Reorder standard and extended ACL rule in the GUI.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Save the ACL rule before LB communication and the saved ACL rule is transferred to vBlade.


224182 System area: Explicit Proxy

Description: HTTP-Explicit Proxy failed with error code 404 if the browser reused the same connection with proxy enabled.

Trigger: Browse the Internet when proxy and keep alive are both used.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No

Workaround: Turn off keep-alive in the browser.

225247 System area: Web

Description: Error in the GUI when configuring a GSLB Resource Usage template.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

226558 System area: LACP trunk

Description: UP/DOWN log messages related to LACP trunks were not accurately showing the trunk number. This has been resolved.

Trigger: Workflow involving LACP trunk creation.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

226561 System area: AAA

Description: LDAP - group/base feature was limited to 63 characters.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


226633 System area: SLB

Description: The ACOS device restarted while processing traffic from a real server (corresponding to https vport) and encrypting the same before sending it to the client. This was typically seen when the backend server was sending fragmented packets as part of the response and not honoring the MSS advertised by the ACOS device.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

228490 System area: SLB

Description: VTEP packets on non-FTA platforms.

Trigger: A VTEP packet is fed back into the ACOS device to a partition without a VTEP configuration.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

229036 / 240211 System area: SSL

Description: There were multiple aspects to this bug: 1) the microcode from Cavium needed an upgrade to support some features; 2) if an older version of OpenSSL/Safari was used, the connection dropped; and 3) a 127-byte pre-master secret was rejected by the ContextWrite API layer.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: High

Reported by customer: Yes

229162 System area: aXAPI

Description: When adding members to a server group via aXAPI, the timing was not fast enough.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Use slb.service_group.update() to update multiple members in one call.


229424 System area: Web

Description: Unable to change health monitor in the rport template via Web GUI.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

229807 System area: PSU

Description: Power Supply Unit appeared to be flapping while it really was not.

Trigger: Extremely frequent show tech.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P3

Reported by customer: Yes

230017 System area: SSL

Description: With fragmented SSL traffic, ACOS reloaded due to buffer memory corruption. This was a timing situation.

Trigger: Run fragmented SSL traffic with large CPS.

Version: 2.7.2-P4 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

230062 System area: VLAN flooding limit

Description: System vlan flooding limit did not work after upgrading/rebooting/reloading.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes


230215 System area: SSL

Description: The priority configured in the cipher template was not honored.

Trigger: Configure both DHE and ECDHE ciphers in a client SSL template. The bug was introduced when new hardware DHE support was enabled, which broke the cipher priority ordering.

Version: 2.7.2-P5

Reproducibility: High

Severity: P4

Reported by customer: No

230560 System area: RBA

Description: High control CPU caused by the 10stat and a10switch processes when multiple RBA partitions were configured.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

230886 System area: aXAPI

Description: aXAPI slb.ssl.upload could not handle long name certificates. Changed the maximum length to 232 characters.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

231010 System area: System

Description: TH6630 wrongly displayed "IPMI not present" when it was actually present.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


231025 System area: ACL

Description: When importing a class-list (string) type, the value was truncated after the first " " (space) character in the value.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Configure the class-list directly on the ACOS device.

231199 System area: Health Monitor

Description: The HM database only supported strings for the built-in database health check. Added a new option, receive-integer, to support integers.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

231850 System area: HTTP Cookie Persistence

Description: HTTP Cookie persistence did not work for Cookies with a comma as the cookie delimiter.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: Low

Reported by customer: Yes

Workaround: Use a semicolon as the delimiter.


231859 System area: NTP

Description: This patch addresses the following Security Advisories:

CVE-2014-9293

CVE-2014-9294

CVE-2014-9295

CVE-2014-9296

Trigger: N/A

Version: 2.7.2-P4 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

231871 System area: HTTP Cookie Persistence

Description: HTTP Cookie persistence did not work for cookies having no value.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: Low

Reported by customer: Yes

Workaround: Append an "=" symbol to cookies with no value.

232090 System area: aXAPI

Description: The slb.service_group.replace method did not remove members from the service-group.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes


232408 System area: Security

Description: This patch adds "X-Frame-Options: Deny" to the HTTP header for all responses from the ACOS device.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

232489 System area: Platform

Description: There was coding in the port mirroring handler that was only valid for one platform.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

232504 System area: CLI

Description: Memory leak occurred with the rimacli process and hibernate. The rimacli process continued to run, though its parent process had exited, and the admin sessions did not time out as expected.

Trigger: From the CLI, run repeat 1 show slb service-group before sleep/hibernate.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

232513 System area: System

Description: When upgrading the ACOS device using FTP, if the default filename was used, intermittent failures occurred with warning log messages such as: "Non-supported special characters detected by FTP Utility."

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P3

Reported by customer: No

Workaround: Use a filename other than the default, or use a different file transfer method.


232618 System area: SLB-NAT

Description: Under certain circumstances TCP sessions (for SLB) were found to be incorrectly synced to standby with no such session alive on active. This caused NAT resources to be held on standby leading to NAT resource allocation failures on standby.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

232789 System area: NAT-DSLite

Description: The AX 3400 model experienced unexpected restarts when processing ICMP packets of a certain size. This was caused by an inconsistency in the Broadcom switch ASIC configuration.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

232801 System area: Health Monitor

Description: In Direct Server Return mode, the SIP health monitor sent the payload inconsistent with the source port.

Trigger: Configure SIP DSR HM.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

234091 System area: WAF

Description: System reset

Trigger: Send a large multipart/form-data body.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: Disable WAF


234518 System area: AAA

Description: 00053869 RADIUS role wasn't shown in show admin session when the "." character was in the username.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

234818 System area: Web GUI

Description: Health monitor could not be deleted after it was bound and unbound to a server via GUI.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

234883 System area:

Description: The ACOS device set an ECN of 0x02 in the Differentiated Services Field of the IPv4 header and set the CWR bit as TCP 0x01. In the case of using browsers such as IE, Firefox, and Chrome to access a vip on the ACOS device, this caused the firewall to drop packets.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

234937 System area: Protocol OSPF

Description: OSPF process caused 100% CPU.

Trigger: The configuration "area 33 range 192.168.10.0/24".

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Remove the configuration to summarize the prefixes.


235381 System area: SSL

Description: VCS vMaster took 93 seconds to send out the VCS probe while applying cipher TLS1_ECDHE_RSA_AES_128_GCM_SHA256. The long delay caused vBlade device flaps on the VCS.

Trigger: Apply a cipher that is bound to a client SSL template while the template has hundreds of certs and keys to be bound to multiple vports.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

235570 System area: VLAN tagging

Description: Any packet transmitted from the ACOS device had random CoS values set if VLAN tagging was enabled.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

235617 System area: L7-Authentication

Description: AAM removed the WWW-Authenticate header from the server's response.

Trigger: AAM 1.0 does not support NTLM relay, so the customer accepted authenticating twice: once for AAM and once for SharePoint NTLM authentication. When the ACOS device received the NTLM Type 2 CHALLENGE message, it removed the WWW-Authenticate header before forwarding the response to the client, which terminated the NTLM negotiation.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

235642 System area: OSPF

Description: OSPF Process was leaking memory with specific configuration and SPF triggers.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


235708 System area: Web GUI

Description: Web GUI crashed when too many users logged in at the same time.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

235819 System area: System

Description: The nitrox_cchk script does not need to run on systems that have no Cavium SSL cards. When there were no chips, this script printed unnecessary error messages.

Trigger: When there are no SSL chips, the addresses setpci is trying to use are invalid, resulting in error messages.

Version: 2.7.2-P4 and earlier

Reproducibility: 100% on boxes without Cavium SSL chips.

Severity: P4

Reported by customer: No

236161 System area: aFleX

Description: The output of X509::subject and X509::issuer did not follow the RFC 2253 format.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

236344 System area: SMTP

Description: The ACOS device reloaded due to memory corruption of TCP socket structure from being incorrectly accessed by the SMTP application in FINWAIT_2 state.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes


236362 System area: HVA

Description: The SYN packets for the logging sessions of the logging template showed as sent in the axdebug capture, but were not visible in the tcpdump shell.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

236371 System area: Security

Description: This patch addresses Security Advisory CVE-2015-0235 (the GHOST vulnerability).

Trigger: N/A

Version: 2.7.2-P4 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

236656 System area: System

Description: The big-buff-pool command was not included with 2.7.2-P4 on TH6430, but the feature was enabled by default.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

237259 System area: Management interface

Description: Applying a named access class-list to a management interface sometimes dropped SSH connectivity.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes


238037 System area: aFleX

Description: When LB::reselect logic retried the next service group member after the last member failed to respond, the old SNAT resource was released, but one flag was not cleared, which caused Source NAT to fail.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

238285 System area: HA

Description: The gARP was not sent if a large number of VIPs (3000) were configured.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

238429 System area: Explicit Proxy

Description: When the ACOS device acted as proxy server, it was not converting absolute URLs to relative URLs before forwarding them to the client. Some web servers were not handling this correctly.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

239113 System area: Security

Description: This patch addresses the following Security Advisories:

CVE-2014-3572

CVE-2015-0204

CVE-2014-8275

CVE-2014-3570

Trigger: N/A

Version: 2.7.2-P4 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No


239428 System area: FPGA

Description: On FTA based platforms, there was no mechanism in place to detect/recover from a bad XAUI link from FPGA to Broadcom.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

Workaround: System reboot.

240184 System area: Health Monitor

Description: When the same server was bound to different service-groups/VIPs, the ACOS device sent DSR HM packets to the incorrect backend server.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

240409 System area: System Log

Description: 'IPMI is NOT Present in the system' notification messages were printed every 15 minutes.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

240526 System area: SLB

Description: The ACOS device crashed when sending a particular GET request with sflow enabled.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes


240847 System area: VRRP

Description: When the service-group bound to an http template based on url-switching was removed and added back, rport->psmart_nat_inst->vrid was not initialized properly.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Remove source-nat-auto.

241171 System area: NTP

Description: This patch addresses the following Security Advisories:

CVE-2014-9297

CVE-2014-9298

Trigger: N/A

Version: 2.7.2-P4 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

241120 System area: IMAP, POP3

Description: The ACOS device was rejecting the IMAP/POP3 non-STARTTLS login even if STARTTLS was configured as optional via template.

Trigger: STARTTLS, when used without logindisabled, was causing the ACOS device to append a NULL trailing byte as part of server response for IMAP/POP3.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


241201 System area: AAA

Description: DNS requests were not sent out the management interface even though ip control-apps-use-mgmt-port was configured.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: Configure a static route to the DNS server.

241357 System area: Health Monitor

Description: The health monitor would not accept a file name that contained more than 31 characters and would not import it.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

241462 System area: SSLi

Description: With SSLi deployment, large POST result transfer was terminated.

Trigger: High latency in the SYN/ACK handshake caused the buffer queue to reach its limit and the connection to terminate.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

241492 System area: Health Monitor

Description: The health monitor could not be deleted when the follow port was entered twice.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


241594 System area: IP Access List

Description: ACL rules were not checked for duplicates before reordering from the GUI. After an ACL was added, the sequence of its rules could be changed from the GUI without checking whether the reordering was allowed, which created duplicate ACL rules that were lost after a reload.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Reorder the ACLs from the CLI.

241975 System area: CLI

Description: Terminal idle-timeout 0 was added (even when it was not configured) if a web-service timeout-policy existed in the startup-config.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Configure a long idle-timeout.

242029 System area: System-platform

Description: The MAC learning was not occurring correctly for traffic seen on 100Gbps ports supported on the AX 6630 model. This was causing ping to the ACOS VIP to stop responding after fail-over operations.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

242059 System area: aXAPI v2

Description: The slb.service_group.fetchStatistics call yielded unexpected response codes.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No


242719 System area: SLB

Description: Even after issuing the slb disable-server-auto-reselect command, the system could re-enable this feature subject to data CPU load/usage.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

242752 System area: SSL

Description: When Session-ID reuse was configured, it was not working with software SSL.

Trigger: Configuring Session-ID reuse with SSL traffic.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

243160 System area: GSLB

Description: Allowed for identical slb-dev IP addresses to be created under a given GSLB site.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

243412 System area: SLB-SIP

Description: The ACOS device experienced a data CPU spike when a SIP request was received for which aFleX was configured to insert a Record-Route header.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes


243496 System area: HTTP/TCP

Description: When system memory was used for buffers, the system would crash.

Trigger: Too many buffers being used.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

243535 System area: SSL

Description: When Session-ID reuse was configured, the ACOS device closed the connection during the SSL handshake on software SSL only.

Trigger: Configuring Session-ID reuse with SSL traffic on software SSL.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

243568 System area: GSLB

Description: The GSLB bw-cost value was incorrect when the SNMP OID was a 64-bit counter.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

243574 System area: Explicit Proxy

Description: For clients using HTTP 1.0, sometimes there was no HOST header in the HTTP request. The ACOS device was dropping all such requests if there was no HOST header and the HTTP method was CONNECT.

Trigger: HTTP 1.0 request with explicit proxy configured and no HOST header.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes


243919 System area: SSL

Description: SSL connection failed while using gnutls with block ciphers (AES, DES, etc.).

Trigger: With Ubuntu and Subversion, the SSL connection between the client and the ACOS device failed after the ACOS device received Application data.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: Select a stream cipher.

244642 System area: aXAPI

Description: aXAPI created client-ssl templates with unexpected forward-proxy-cert parameters.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

244645 System area: aXAPI

Description: aXAPI created client-ssl templates with unexpected ssl-false-start-disable parameters.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

244648 System area: SLB-HTTP

Description: The equals matching option was not available in HTTP template host-switching.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes


244651 System area: aFleX

Description: The ACOS device crashed after using "expr" in logging.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Replace set request_count [expr 5] with set request_count 5; with this change the ACOS device did not reload.

244900 System area: System

Description: Delayed output of power supply unit status in show environment in comparison to syslog message.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

245002 System area: SLB-NAT

Description: The first request failed because the system was waiting for the timer to set psmart_nat_inst->start_address.

Trigger: Source-nat auto with url-switching

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Remove source-nat auto.

245356 System area: aXAPI

Description: The clideploy for show running-config with a large config gave an “Internal I/O err” error.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


245386 System area: OSPF6

Description: High Control CPU caused by OSPF6D process.

Trigger: Specific configuration:

• area-range command, for example: area 0 range 3001::/64

• redistribute routes into OSPF6 with prefixes matching the subnet configured under the area-range command, for example: vip routes 30001::1

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Remove the area range command permanently, or disable it and then re-enable it.

245479 System area: SLB

Description: When the query-id-switch feature was enabled, IP NAT failed.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

245950 System area: SLB-HTTP

Description: Processing of jumbo packets carrying a single HTTP header greater than 4K in length, such that it was split across multiple packets, caused an unexpected restart.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

246154 System area: LB-SIP

Description: The ACOS device crashed when connection-reuse was enabled with server-keep-alive on the sip-tcp vport.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility:

Severity: P2

Reported by customer: Yes


246178 System area: SLB-SIP

Description: The ACOS device sent an RST when a server initiated a SIP request with a new Call-ID within an already established connection.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

246208 System area: HVA

Description: Changing the system resource-usage l4-session count to 262144 caused the ACOS device not to have any available connections and traffic did not pass.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Revert the l4 session count back to the default.

246250 System area: SSL

Description: On a non-FTA platform, the ACOS device reloaded when processing a big server response with jumbo frames enabled.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

246262 System area: aFleX

Description: If the connection-reuse template was enabled, aFleX server selection failed.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Enable cookie-persistence.


246382 System area: VCS/SSL

Description: When binding a cert/key to a template that was already bound with VCS enabled, the vBlade did not update the cert/key properly and there was a mismatch.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Bind the key first, and then the cert.

246865 System area: SNMP

Description: CLI command to avoid using index 0 for interface table.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

247135 System area: NAT

Description: NAT connection in MSL state could not be re-used.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

247456 System area: SSL

Description: When using Next Protocol Negotiation with Session-ID reuse over SSL, the ACOS device was terminating the connection.

Trigger: Configuring Session-ID reuse and initiating an SSL handshake with Next Protocol Negotiation set.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


247702 System area: Health Monitor

Description: When LDAP response entry was not full, it caused the health-check to show the port as down.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

247822 System area: Security

Description: This patch addresses the following Security Advisories:

CVE-2015-0286

CVE-2015-0292

CVE-2015-0209

Trigger: N/A

Version: 2.7.2-P4 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

248248 System area: Class-list

Description: The ACOS device reloaded when importing or editing a class-list file that contained an invalid format string line.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

248272 System area: HA Sync

Description: Allowable-ip-range was synced to the standby device's configuration by the ha sync command.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

248509 System area: SSLi

Description: Certain website certificates that were signed using SHA256 produced error messages with all browsers.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

248803 System area: Web GUI

Description: Due to a JavaScript issue, it was not possible to select all servers through the GUI when clicking the "Select All" button.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

248929 System area: System

Description: SNMP was not supported on temperature range, but only on temperature integer.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

248965 System area: SSL

Description: The ACOS device experienced a crash due to buffer exhaustion when a burst of SSL traffic was received.

Trigger: During ECDHE negotiation.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Add an SSL cipher template rather than ECDHE.

249370 System area: TCS

Description: With TCS and http/fast-http, the traffic did not go through for pipelined requests.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

249473 System area: SNMP

Description: The SLB traps were sent out when slb-change enable was configured.

Trigger: The traps were set to the wrong flag.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Enable slb-change traps instead.

249727 System area: SLB

Description: Performance issues were experienced when using the IP-in-IP L3 Direct Server Return solution along with the slb scale-out option.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

249838 System area: SSL

Description: Using OpenSSL, the TLS_FALLBACK_SCSV failed with TLS1.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

249889 System area: GUI

Description: Firefox37 could not access the GUI and reported an SSL error.

Trigger: Firefox 37

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

250240 System area: WAF

Description: WAF form hashes for csrf-check and form-consistency-check were not thread safe.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: No

250267 System area: GSLB

Description: In GSLB server mode, the RA flag was set in the DNS response.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

250300 System area: SLB-HTTP

Description: After receiving a 401 response, the ACOS device stopped processing the rules for both cookie persist and persist uie in aflex.

Trigger: Upstream proxy that pipelines client requests.

Version: 2.7.2-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

250378 System area: GSLB

Description: The AD flag was set in the DNS response from the ACOS GSLB server when there was an AD flag in the DNS query.

Trigger: In GSLB server mode, the AD flag was set in the DNS query.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

250412 System area: aFleX

Description: Duplicated table entries were created by using aFleX command table replace.

Trigger: Described above.

Version: 2.7.2-P4

Reproducibility: High

Severity: P3

Reported by customer: Yes

250556 System area: SSL

Description: show slb ssl cert caused control CPU of 100% when lots of cert/key pairs and VIPs were configured.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

251014 System area: Web GUI

Description: GUI always displayed one more server down in Health Check Summary.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

251167 System area: WAF

Description: When a WAF template was enabled, the ACOS device could reload the a10lb process if it received an HTTP request with a large URI length.

Trigger: WAF receiving a request with "=" before the "?" in the URL.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

251404 System area: aXAPI

Description: The cert upload aXAPI call failed with the Venafi tool.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

251602 System area: aFleX

Description: With the software SSL module, if client-certificate Require was configured, but the client certificate failed verification, error processing occurred immediately and the aFleX event CLIENTSSL_CLIENTCERT could not be triggered.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

252010 System area: SLB-HTTP

Description: The ACOS device did not send a 414 response code when sending HTTP headers that were larger than the 32k limit.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

252481 System area: GUI

Description: Memory was not allocated dynamically for the GUI, so the GUI would crash if there was not enough free memory.

Trigger: Configure a lot of SSL client templates and list certs on the GUI.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

252562 System area: SLB

Description: The reset-fw and reset-rev options did not work on the default tcp template.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use a user-created non-default tcp template wherever required.

252602 System area: L3V

Description: Output of show run and show vlans in L3V did not match the shared partition.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

252683 System area: Web GUI

Description: “Referred” value of cert/key used for SNI was shown as "0" on GUI.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

252781 System area: RAM Cache

Description: As per RFC, when the server sends must-revalidate in the Cache-control header, the revalidation must happen only after the cache entry has become stale and not immediately.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

253540 System area: FTP

Description: FTP active mode was not working when an ACL with a permit any any statement was bound to inbound and outbound interfaces in the L3V partition.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

253816 System area: Web

Description: The interface speed showed different values in Web GUI and CLI.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: normal

Reported by customer: Yes

255455 System area: Web

Description: Web GUI performance page was not supported in l3v partitions.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: normal

Reported by customer: No

254947 System area: aFleX

Description: TCP::respond command did not trigger in the CLIENT_ACCEPTED event.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

255283 System area: Routing

Description: BGP sent a malformed packet.

Trigger: BGP in certain conditions with default-originate ON.

Version: 2.7.2-P4 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

257251 System area: SSL/Boot

Description: An FTA ACOS device with <= 24GB RAM and >= 8 SSL chips did not boot.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Remove SSL cards to have less than 8 SSL chips.

257582 System area: L7-Authentication

Description: There was a parse error when executing the command: admin-dn CN=qb_a10,CN=Service Accounts,CN=Qbranch,DC=lfn,DC=se.

Trigger: The value of the admin-dn command was not enclosed in double quotes when write memory was executed; because the value contained spaces, the command could not be applied after a reload/reboot.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

257890 System area: Health Monitor

Description: The a10hm process can cause high control CPU when the sub-monitor of a compound health monitor is modified.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 90%

Severity: P2

Reported by customer: Yes

Workaround: Unbind the compound HM before modifying the sub-monitor.

Issues Fixed in Release 2.7.2-P4

ACOS Release 2.7.2 P4 contains fixes for issues in ACOS 2.7.2 P1, ACOS 2.7.2 P2, and ACOS 2.7.2 P3. The fixes are listed in Table 11. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

NOTE: This document may be updated with additional fix information.

TABLE 11 Fixes in ACOS Release 2.7.2-P4

A10 Tracking ID Issue

230326 System area: SSL

Description: TLS 1.2 handshake failed when client connected to A10 ADC using gnutls.

Trigger: Described above.

Version: 2.7.2-P3

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use OpenSSL for the connection to pass through.

229321 System area: SLB FTP

Description: When creating an FTP-proxy VIP, the VIP failed to send the point working directory (PWD) command to the backend server. As a result, the client timed out and no FTP data transfer was possible.

Trigger: Described above.

Version: 2.7.2-P3

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

229174 System area: SLB

Description: When configuring a maximum number of connections through an SLB virtual server template with the TCP reset option enabled, the current connections counter of the virtual server was being decremented when the limit was hit and a TCP reset was sent. As a result, the next TCP connection attempted would be accepted, when the actual number of concurrent connections exceeded the maximum connections limit.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Turn off the “TCP reset” option.

228562 System area: SLB HTTP

Description: When the server sent a 401 HTTP response, the subsequent request did not go to the same server.

Trigger: Described above.

Version: 2.7.2 P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

228427 System area: Health Monitor

Description: For FWLB health checks, ACOS needed to check if the source IP address is equal to the local IP address. If the addresses matched, ACOS did not send a response to the ICMP request.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

228347 System area: GUI

Description: ACOS failed to edit and export a certificate that had special characters in the name.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

228013 System area: SLB HTTP

Description: On a Thunder 3030S, when a common Layer-7 SNAT function was created, it resulted in high memory consumption and the configuration could not be completed.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None

227782 System area: System

Description: The multi-ctrl-cpu command was not available on all Thunder platforms.

Trigger: Try to configure the command on a TH3030 model.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

227687 System area: GUI

Description: The GUI returned blank content when a virtual server was created with a name length that was greater than 80 characters.

Trigger: Go to the Config Mode > SLB > Service > Virtual Server > Virtual Port page. Configure the virtual server name to be greater than 80 characters. The virtual port is configured with the service group.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

227236 System area: vThunder

Description: On vThunder platforms, the prompt message shown when executing system-reset commands was incorrect. The message included “AX”, which did not accurately reflect the vThunder platform. “AX” has now been changed to “System”.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: Yes

226966 System area: Health Monitor

Description: ACOS experienced an intermittent health check failure with FPA flags on responses from servers. TCP responses were received separately in two packets, which caused a TCP health monitor failure.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

226696 System area: GUI

Description: The GUI allowed an invalid maximum value to be entered for the buf-ovf max-data-parse option. The value now matches the correct maximum value of 1048575, which is the maximum value enforced in the CLI.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

226664 System area: VCS

Description: The MGMT route could not be removed from the show run command output in a VCS scenario.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

226627 System area: SLB, aFleX

Description: ACOS did not honor configured connection limits when the server selection was done using the aFleX persist uie command.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

226622 System area: GUI

Description: Some SSL expiration email addresses configured in the CLI failed to pass sanity checks on the GUI.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

226516 System area: VRRP

Description: ACOS was unable to remove an Ethernet interface from a VRRP failover policy template after configuring a trunk and adding it to the tracking interface.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

226450 System area: Fast HTTP

Description: When Fast-HTTP was configured in conjunction with URL-Hash-Persist and two requests were received in quick succession, the response packet for the second pipelined request was incorrectly assigned the same sequence number as the first pipelined response.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: No

Workaround: None

226069 System area: CLI

Description: ACOS was unable to export an SLB SSL Certificate Signing Request (CSR).

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

226063 System area: aFleX

Description: Cookie persistence was being overridden when aFleX server port selection was done under the HTTP_REQUEST command.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

225938 System area: VCS

Description: When the ACOS device joined a VCS chassis, a “communication error with LB process” error log was received.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: No

225913 System area: aFleX

Description: The aFleX “table set” may have created duplicate table entries.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: No

225910 System area: SSL

Description: When using a Firefox browser with TLS1.2 and Software SSL with a required client certificate option configured, the Firefox client browser connection could not be established.

Trigger: Software SSL did not send the supported signature algorithm, which is required by the Firefox client.

Version: 2.7.2-P3 or earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

Workaround: If using Firefox, use TLS 1.1 or earlier.

225790 System area: aFleX

Description: Multiple aFleX scripts were not allowed to be bound to a virtual port if the script name contained a space.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Modify the aFleX script names to not include any spaces.

225754 System area: GUI

Description: The ACOS GUI could sometimes reload due to a suspected memory issue. This could be because the amount of data exceeded the range of the parameter type.

Trigger: Navigate to Monitor Mode > SLB > Service > Virtual Server, and from the Virtual Server GUI page, select the time range and click export. This will cause the device to reload.

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

225667 System area: aFleX

Description: When the SSL::sessionid command was in an aFleX script, the return was “0”.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No

225533 System area: L7-Authentication

Description: A 404 error message was returned when a modify password request received a successful result code from the server.

Trigger: 1. Set the VIP using form-based log in.

2. Log in using the expired password, then complete the modify password page and send the request.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

225409 System area: Health Monitor

Description: ACOS may have experienced an issue when configuring an SMTP health monitor in the CLI.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

225271 System area: SSL

Description: For hardware-based ACOS platforms, OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communications. (This issue still impacts the software version of ACOS.)

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

224896 System area: Fast-HTTP

Description: For Fast-HTTP type virtual ports, pipeline requests coming from clients may not have been handled correctly.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

224383 System area: IPv6 and SLB DNS

Description: The ACOS device could sometimes restart when processing an IPv6 DNS response packet with a fragmentation extension header for virtual port 53 UDP.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

224272 System area: HA

Description: The ha sync command may have improperly synced the shared VLAN management interface. HA sync may have synced the active device’s allowable IP range under the partition using shared VLAN management.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

223216 System area: System

Description: For HVA platforms, the start up configuration may have been loaded before the system was ready.

Trigger: Boot sequence in HVA is out of sync.

Version: 2.7.2-P3 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

223186 System area: SSL

Description: The recently-discovered POODLE attack has been widely described as only affecting SSLv3. This assumption was based on the fact that SSLv3 uses “random padding.” However, it was found that TLS could use the same CBC decoding function as SSLv3, thus making TLS vulnerable to the same types of POODLE attacks as SSLv3. By identifying the lack of CBC padding checks that could occur in TLS, this issue has been addressed in this latest ACOS release, mitigating the risk of POODLE attacks in TLS. This patch addresses Security Advisory: CVE-2014-8730.

Trigger: This issue could be replicated by sending the ACOS device packets containing incorrect CBC padding.

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P1

Reported by customer: No

223081 System area: SLB Fast HTTP

Description: Creation of a Fast HTTP session resulted in a very large connection count. This caused the session to disappear.

Trigger: Described above.

Version: 2.7.2-P3 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None.

222982 System area: aFleX (SSL)

Description: If aFleX was used to configure SSL, the ACOS device could sometimes reload when attempting to read an uninitialized or NULL SSL context block before completing the client SSL handshake. The SSL context block was initialized after the client SSL handshake had been completed.

Trigger: Use of specific aFleX configuration

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

222922 System area: SSL (FIPs Platforms)

Description: On FIPs platforms, ACOS was able to support non-FIPs compliant ciphers.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: No

222850 System area: BGP

Description: The ACOS device dropped BGP connections if another BGP speaker sent a next-hop field while no NLRI was present in the multi-protocol situation.

Trigger: This issue could occur if another BGP speaker was not in full RFC compliance.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

222832 System area: SLB-Layer 4

Description: When a wildcard VIP was used, ignore-tcp-msl did not work.

Trigger: SSLi client auth bypass appeared to not be functional when one ACOS device initiated a TCP Layer-4 session to another ACOS device. After resetting the previous connection, it sent a new connection with the same IP and port number. The SYN packet was dropped by the second ACOS device.

Version: 2.7.2-P4

Reproducibility:

Severity: P1

Reported by customer: No.

Workaround: None.

222505 System area: VRRP-A

Description: On a special platform without the management port, the VRRP-A floating IP address may have been lost after reloading or rebooting the device.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

221914 System area: aFleX/SLB

Description: URL switching may not have been triggered for valid requests in the same connection if aFleX was applied to the virtual port.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

221752 System area: SSL

Description: In version 2.7.2, a check for SNI bindings was added for when the client-SSL template is bound to the virtual port. This check may have caused the whole template to not be bound, resulting in an outage. The fix performs a cert/key pair check when the cert/key is bound in the client-SSL template.

Trigger: Having a corrupt cert/key configured as an SNI configuration, then binding it to the virtual port.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Find the corrupt cert/key and re-import them, then rebind.

221545 System area: SSL

Description: With TLSv1.2 and 50-100 CPS, SSL connections intermittently failed if the cipher negotiated was any of the GCM ciphers. The issue was seen on both SSL card versions (NITROX III and PX).

On PX cards only the following two GCM ciphers were available:

• cipher TLS1_RSA_AES_256_GCM_SHA384

• cipher TLS1_RSA_AES_128_GCM_SHA256

Trigger: Described above.

Version: 2.7.2-P3 and earlier.

Reproducibility:

Severity: P1

Reported by customer: No

Workaround: None

220840 System area: Health Monitor

Description: ACOS may not have been parsing HTTPS health check responses that were greater than 2048 bytes.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes220123 System area: SSL

Description: The cipher template did not take effect when bound to a server-SSL template.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: None

219976 System area: RTSP

Description: The ACOS device could sometimes reload if an early response was received on the Real Time Streaming Protocol (RTSP) virtual port.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

219934 System area: GSLB

Description: The no proto-aging-fast and proto-aging-time options for a GSLB site were being displayed multiple times under that site in the running configuration.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

219737 System area: VRRP

Description: Sessions created for DNS-UDP virtual ports were being synced from active to standby HA/VRRP peer.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

219571 System area: SSL

Description: An OpenSSL failed session ticket integrity check resulted in a memory leak. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to the server.

Trigger: Described above.

Version: 2.7.2-P4

Reproducibility: 100%

Severity: P3

Reported by customer:

Workaround: None

218794 System area: SSL

Description: On a TH1030S running Firefox, issues were seen when accessing Google using HTTPS (with SSL-Intercept). While accessing the Google profile and attempting to upload big files using Gmail, error messages were displayed.

Trigger: Described above.

Version: 2.7.2-P3.

Reproducibility: 100%

Severity: P3

Reported by customer: No

Workaround: None

218713 System area: SSL

Description: An ACOS device with an additional N3 card was unable to support PFS ciphers.

Trigger: None

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

218260 System area: aFleX

Description: ACOS may have reloaded when connection reuse was configured along with aFleX and an HTTP template on a virtual port, and aFleX was used for server selection over a session with multiple requests.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

218161 System area: SLB-Policy

Description: When system PBSLB lockup was configured, and the existing session was terminated using Control-C, this occasionally caused the ACOS device to go down.

Trigger: Described above.

Version: 2.7.2-P3

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: None.

218059 System area: SLB-Fast HTTP

Description: When Fast-HTTP was configured in conjunction with URL hash-persist, some pipelined requests caused the conn-depth limit to be exceeded. After the session timed out, some buffers were not freed.

Trigger: Described above.

Version: 2.7.2-P3

Reproducibility: 100%

Severity: P1

Reported by customer: No

Workaround: None

218050 System area: Fast-HTTP

Description: For a fast-HTTP virtual port, if the max-buff-queued-per-conn value was set to 1023 or more, the configured limit was not enforced on sessions.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Keep the default value (1000).

217720 System area: System

Description: The backup periodically system command was not removed following a system reset.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

217291 System area: Routing

Description: For HVA platforms, IP interface configuration may not have come up when the system was booting up.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

216886 System area: AXAPI

Description: Issuing the AXAPI call for system.backup may not have worked.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the CLI or GUI.

216832 System area: System

Description: Occasionally, ACOS may have restarted while performing periodic housekeeping functions.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

216367 System area: AXAPI

Description: ACOS may have reloaded if an AXAPI script was used to add an IP address to a string type Class List.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

216295 System area: SLB NAT

Description: If a NAT pool was configured with more than 254 addresses, only 254 addresses were used.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: Use multiple pools in a pool group.

216082 System area: GUI

Description: When a request for http(s)://<management ip>/image or http(s)://<management ip>/css was made through Internet Explorer or Firefox, it appeared as though a file was being downloaded.

Trigger: Described above.

Version: 2.7.2-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

215179 System area: VRRP-A

Description: For VIPs in a private partition, VRRP-A did not send a gratuitous ARP for the VIP when the status switched to “active.”

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

213841 System area: NAT

Description: When a member in a pool group was deleted, all members were deleted.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

213763 System area: GUI

Description: A memory leak occurred with the web server process when exporting statistics.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

213544 System area: System

Description: Packet drops at the interface level were not being shown in the show statistics output.

Trigger: No support available. It has since been implemented.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

212593 System area: ACL

Description: If an ACL existed with a higher number and the user configured another ACL with a lower number (for example, an existing ACL numbered 150 alongside a newly configured ACL numbered 140), the higher-numbered ACL was evaluated first instead of the lower-numbered ACL. The expected behavior is that the lower-numbered ACL should be given priority.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Save configuration and reload.

211787 System area: ICMP (error handling)

Description: The ACOS device sometimes failed to fragment excessively large outbound “ICMPv6 type=2” packets while processing SLB Layer 7 sessions. This issue occurred more frequently when the connection-reuse option was enabled under the Layer 7 virtual port.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

211282 System area: HA (session sync)

Description: A CPU mismatch sometimes occurred while performing an HA session sync. The standby unit mistakenly created the session on a different data CPU than the active unit.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

211066 System area: VCS (Trunk Interface)

Description: If a Trunk interface had the “name” option configured, then VCS could not be enabled.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

208576 System area: L2/L3 Routes

Description: Some connected and static routes were not getting installed in the FIB.

Trigger: Adding multiple instances of interface or route configuration in a short duration via script or copy-and-paste may have caused a failure to install the associated connected or static route.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Delete the configuration and then add it back.

207313 System area: HA (session sync)

Description: If the active ACOS device in an HA pair had more than several million sessions, and the standby unit was reloaded or rebooted, not all of the existing sessions were correctly synced to the standby device.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

205588 System area: DNS SLB

Description: Responses from the DNS cache on the ACOS device intermittently swapped IP addresses between the answers and the additional records for the name server IPs. With DNS cache enabled with 'roundrobin' for a dns-udp or dns-tcp virtual port, under certain circumstances the responses from the DNS cache were found to intermittently swap the IPs of the Type A host entries in the 'Answers' section with the Type A host entries from the “Additional records” section, which corresponded to the name server IPs.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Avoid enabling 'round-robin' for DNS cache.

205369 System area: SSL-proxy virtual port (idle-timeout)

Description: The idle-timeout value was not being correctly applied to sessions if the ssl-proxy virtual port was configured with an idle-timeout value less than 30 seconds.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

204520 System area: Platform

Description: A link connection failure occurred on a 10G port after it was used as a 1G port.

Trigger: This issue could be recreated by plugging in the SFP, and then the SFP+ transceivers on the 10G ports of the ACOS 6430 or ACOS 5430 models.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Reload the ACOS device.

202397 System area: GSLB

Description: The ACOS device could reload upon receiving a large GSLB-proxied response to type ANY DNSSEC requests.

Trigger: This issue could occur if the packet size was greater than the MTU.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

200033 System area: VCS

Description: VCS did not sync the cert/key for Client-SSL templates when they were configured using the GUI.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

199636 System area: HA / Routing

Description: ACOS may not have passed RIP routes when deployed in HA L3 inline mode.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

194911 System area: SSL

Description: The ACOS device terminated the session with the client and server upon receiving a “Hello request” from the backend server after completion of the SSL handshake. ACOS sent “FIN” packets to the client and server. This issue occurred because ACOS was erroneously including TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the cipher list, even though ACOS does not support renegotiation with server-SSL templates.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Disable renegotiation on the backend server.

194473 System area: SLB-SPDY

Description: The ACOS device crashed when data traffic hit a SPDY rule while the traffic type was HTTP, corrupting the memory of the ACOS device.

Trigger: Traffic was sent using a Google Chrome browser.

Version: 2.7.2, 4.0

Reproducibility: 100%

Severity: P1

Reported by customer: No

190084 System area: GUI

Description: A memory leak occurred when using the GUI to edit the GSLB zone service.

Trigger: This issue can be replicated by doing the following:

1. Log in to the GUI.

2. Navigate as follows: Config Mode > GSLB > Zone and select any zone, such as aastockstest.hk

3. Select any service, such as www, and then click Edit.

4. Memory will increase about 0.1

5. Repeat these steps to see a gradual increase in the memory usage.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

172849 System area: Health Monitor

Description: If the override-port option was removed from a configuration, the L2 DSR health checks stopped working.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

164200 System area: CLI

Description: If a NAT pool name contained a space, it was not maintained in the port template configuration after the device rebooted.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

161671 System area: TCP-proxy

Description: If an idle-timeout value of less than 30 seconds was configured in a tcp-proxy virtual port, then the idle-timeout failed to be correctly applied to sessions.

Trigger: Described above.

Version: 2.7.2-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Issues Fixed in Release 2.7.2 P3

ACOS Release 2.7.2 P3 contains fixes for issues in ACOS 2.7.2 P1 and ACOS 2.7.2 P2. The fixes are listed in Table 12. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

NOTE: This document may be updated with additional fix information.

TABLE 12 Fixes in ACOS Release 2.7.2-P3

A10 Tracking ID Issue

213895 System area: Security

Description: This patch addressed CVE-2014-6271.

Trigger: N/A

Version: 2.7.2 P2 and earlier.

Reproducibility: N/A

Severity: P1

Reported by customer: No

Workaround: Restrict management access to the device.

213865 System area: aFleX

Description: The system crashed when the client reset the connection during an aFleX RESOLV::lookup. If the data pointer was not treated as a buffer (which applies only at a TCP data event), the data pointer was saved as an error code.

Trigger: The client sends a reset while aFleX is completing a DNS query for the RESOLVE::lookup command.

Version: 2.7.2

Reproducibility: 100%

Severity: High

Reported by customer: Yes

213433 System area: Health monitor

Description: The DSR health-check failed when there were more than 645 DSR TCP health-checks using the same source IP with the default interval value.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: 45346

Workaround: Increase the health-check interval value by using the formula that the DSR TCP health-check number should be less than 64511/(500/interval).

212290 System area: SLB

Description: DSR stopped working when the stateless SLB method was configured.

Trigger: Configuring a stateless SLB method in a service group and binding the service group to a vport on which no-dest-nat is configured.

Version: 2.7.2 P2 and earlier

Reproducibility: High

Severity: P1

Reported by customer: No

Workaround: N/A

211945 System area: System, OSPF

Description: While completing a configuration and then undoing the configuration, the used system memory was not freed.

Trigger: Configure OSPF and make an interface flap.

Version: 2.7.2 P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: N/A

211426 System area: Fast-http and connection-reuse

Description: Under certain circumstances, the RST that was received from a client for a fast-http vport with connection-reuse was unexpectedly being forwarded to the server. As a result, the persistent connection with the back-end server was terminated.

Trigger: Described above.

Version: 272 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

211420 System area: Fast-http and connection-reuse

Description: Under certain circumstances, the FIN-ACK that was received from a client for a fast-http vport with connection-reuse was unexpectedly being forwarded to the server. As a result, the persistent connection with the back-end server was terminated.

Trigger: Described above.

Version: 272 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

210878 System area: DNS cache

Description: This issue comprised the following customer requirements:

• DNS caching to honor the server response TTL.

• Round robin for resource record types other than A and AAAA.

Trigger: Here are the triggers for this issue:

• Without this feature, the DNS cache TTL is specified by the user, but with this feature, the DNS cache honors the minimum TTL from the server response.

• Without this feature, only A and AAAA resource records can be in round-robin mode, but with this feature, all other types can also be served round-robin.

Version: 2.7.2 P3 and earlier

Reproducibility: 100%

Severity: 100%

Reported by customer: Yes

210232 System area: SSL

Description: Added support for SHA2 digests when a CSR was generated.

Trigger: N/A

Version: Added in 2.7.2 P3

Reproducibility: N/A

Severity: N/A

Reported by customer: No

Workaround: N/A

208999 System area: Explicit proxy

Description: The Explicit_Proxy feature did not work for Internet HTTPS traffic, where the client needed to use the CONNECT method instead.

Trigger: When a normal explicit proxy is configured, the real server used in the proxy virtual port configuration does not have port 443 configured. As a result, HTTPS traffic going to port 443 cannot pass through, because port 443 is not correct for this traffic.

Version: 2.7.2 P2

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: N/A

208906 System area: SSL

Description: The ACOS device can now be used to sign certificate signing requests (CSR) as an intermediate CA by using a CA certificate and key on the ACOS device.

Trigger: N/A

Version: 272 P3

Reproducibility: N/A

Severity: N/A

Reported by customer: Feature request from a customer

Workaround: N/A

208792 System area: SLB-FAST-HTTP

Description: "Client IP/Port insert" into HTTP header was not supported in Fast-HTTP path and could only be done in HTTP full-proxy path.

Trigger: Enhancement.

Version: 2.7.2-P3 and earlier

Reproducibility: N/A

Severity: N/A

Reported by customer: No

Workaround: N/A

207535 System area: Smart-NAT

Description: With multiple requests in a session, the smart-NAT resource was not released.

Trigger: On an L7 vport, when a strict transaction switch is configured and sessions carry multiple requests.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not use a strict transaction switch.

207442 System area: GUI

Description: The system priority could not be configured in the GUI in transparent mode to match the CLI.

Trigger: In transparent mode, to configure LACP system priority, click Config Mode > Network > LACP > LACP.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

206413 System area: Platform Level

Description: The FPGA_STAT offset 0x8 bits [23:16] value was wrong when this status register was periodically polled.

Trigger: Described above.

Version: 2.7.2 P3

Reproducibility: Yes

Severity: P1

Reported by customer: Yes/Tech Support

Workaround: N/A

205687 System area: SLB, Smart-NAT

Description: After a service group that was bound to a vport and had the source-nat auto configured was removed and later bound again, the source-nat auto did not work. It remained invalid.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Create the service group again.

205213 System area: VCS, sflow configuration

Description: The sFlow configuration was not synchronized to the slave device.

Trigger: Configuring sFlow on the master device.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Configure manually

205165 System area: SSL

Description: When using SSL Intercept, the A10 “inside” device selectively dropped individual HTTP requests.

Trigger: None

Version: 2.7.2 P3

Reproducibility: Yes

Severity: P1

Reported by customer: Yes

Workaround: N/A

204958 System area: SSL

Description: The ACOS device did not respond when a close_notify was sent without a TCP FIN.

Trigger: Described above.

Version: 2.7.3 P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Ensure that the client software sends a FIN after sending a close_notify.

204415 System area: Routing

Description: A 64-bit ACOS device sent a malformed SNMP trap.

Trigger: SNMP traps

Version: All

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

204082 System area: SIP-TCP

Description: A server response associated with a SIP-TCP vport and carrying a content length of up to 12K bytes could not be processed.

Trigger: Described above.

Version: 272 P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

204031 System area: Health check

Description: When a new server was added to a service-group, the IpinIP health monitor did not work correctly on the new server.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

203659 System area: SSL

Description: Sending an SSL connection using ECDHE/ECDSA ciphers to an SSL VIP resulted in high CPU usage and in a system reboot. This is because platforms without the Nitrox N3 chip do not have hardware support for ECDHE/ECDSA ciphers. With this limitation, the software-based SSL for these ciphers caused high CPU usage.

Starting in 2.7.2 P3, ECDHE/ECDSA ciphers will not be supported for these platforms, and the ACOS device will respond to these SSL requests with non-ECDHE/non-ECDSA ciphers.

Trigger: Client connection uses ECDHE/ECDSA ciphers that are not supported on the Nitrox PX SSL cards.

Version: 2.7.2 P2

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: Explicitly configure only required ciphers under the client-SSL and server-SSL template as applicable and then reboot the device.

203002 System area: SSL

Description: The ACOS device reloaded because of an issue with AES Decrypt operations that caused a watchdog timeout.

Trigger: Described above.

Version: 2.7.2 P2

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

202885 System area: GUI

Description: All limitations, except sanity checks for length, must be removed from the GUI for Organization and Locality.

Trigger: Configuring special characters, such as & and ‘ on the Create using the GUI page. To access this page, click Config Mode > SLB > SSL Management > Certificate > Create using the GUI.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

202789 System area: Fast-http and connection-reuse

Description: When connection-reuse was enabled for a fast-http vport, and a client transmitted a FIN to the VIP again on the ACOS device, the ACOS device kept closing the server-side persistent connection.

Trigger: Described above.

Version: 272 P2 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

202759 System area: Fast-http

Description: The description comprises the following issues:

• Reserved bits and the urgent pointer in the TCP header of packets from the ACOS device to a client/server might be accidentally set for a fast-http session.

• The RST from the ACOS device to a back-end server (when using connection-reuse) might have a zero sequence number if the server initiates a session-close by using a FIN message.

Trigger: Described above.

Version: 272 P2 and earlier.

Reproducibility: Low

Severity: P2

Reported by customer: Yes

202618 System area: Routing

Description: When a key string containing a symbol followed by a letter (for example, % followed by s) was created under the key chain, the ACOS device reloaded.

Trigger: Creating a key string.

Version: All

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

202561 System area: SSL

Description: A bug in the OpenSSL server code was triggered if the ClientHello message was heavily fragmented.

Trigger: None; a separate bug caused the ACOS device to drop fragments after the first fragment, so the vulnerability could not be triggered.

Version: 2.7.2 P2 and earlier

Reproducibility: None

Severity: None

Reported by customer: No

Workaround: N/A

202558 System area: SSL

Description: One of the underlying OpenSSL functions, OBJ_obj2txt(), sometimes leaked information. The issue could occur when some CLI commands eventually called this function.

Trigger: None

Version: 2.7.2 P2 and earlier

Reproducibility: None

Severity: NA

Reported by customer: No

Workaround: N/A

202354 System area: Trunk group port usage

Description: Client-side trunk port usage could be unbalanced when you ran SLB fast-http traffic with use-rcv-hop-for-resp under vport fast-http, and the default route that was configured on the ACOS device was selecting a different trunk to reach the client.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not configure a default route on the ACOS device. This route might cause a different trunk group to be selected to reach the client when compared to the route that is used for use-rcv-hop-for-resp.

202330 System area: aXAPI

Description: The configuration sync to the running configuration was not working as expected.

Trigger: When you use sync to start the configuration without reloading, the configuration reloads the box, but the configuration is only synced to the running configuration and not the start-up configuration.

Version: 2.7.1 P5

Reproducibility: 100%

Severity: P1

Reported by customer: No

201922 System area: HA

Description: The ha sync all to-startup-config all-partitions command could not sync partition (RBA) to the standby device, even though a log was generated.

Trigger: Issue the command on the ACOS device where the RBA partitions are configured.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: N/A

201755 System area: Radius SLB and aFleX

Description: Unable to dynamically select a service group for a RADIUS vport by using aFleX. You must first bind the service group to the RADIUS vport so that aFleX can dynamically select another service group.

Trigger: Described above.

Version: 272 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

201694 System area: Routing

Description: The OSPF message digest key was missing.

Trigger: Adding an OSPF message digest key under the trunk or loopback.

Version: All

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

201574 System area: Health Monitor

Description: ACOS crashed when using an external health monitor with a “health multi-process”.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 80%

Severity: P1

Reported by customer: RT#55898

Workaround: Do not use an external health monitor with a “health multi-process”.

201466 System area: SNMP

Description: There was a memory leak in the GSLB library.

Trigger: The memory leak occurred when GSLB was configured but did not actually have real data.

Version: 261

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

201295 System area: L7-Authentication

Description: ActiveSync on an HTC Android phone did not correctly handle the authentication 302 redirect response, which caused AAM to fail.

Trigger: Described above.

Version: 2.7.2 P3

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

201136 System area: SLB

Description: By default, for an explicit proxy that is supported by a class-list-group, the default service group under a vport should be used when there is no match. In this issue, instead of using the default service group, the packet was dropped.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: Normal

Reported by customer: No

200929 System area: aFleX logging

Description: While logging a syslog message by using the aflex log command, the ACOS device sometimes reloaded if the message was very long. This issue was observed while logging an HTTP URI by using the aFleX log from a network partition.

Trigger: Described above.

Version: 272 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

200482 System area: CLI

Description: The repeat x show slb service-group | include 7778 command caused a memory leak in the rimacli process.

Trigger: Described above.

Version: 2.7.2 P2

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

Workaround: Do not use the repeat option.

200389 System area: aXAPI

Description: cli.deploy sometimes failed with a No Such Template message.

Trigger: When you run the CLI deploy, the following error might be displayed:

ACOS(config-vserver)#slb template virtual-port vsp-template
ACOS(config-vport)#conn-limit 800001
No such Template
ACOS(config-vport)#conn-rate-limit 101
No such Template
ACOS(config-vport)#reset-l7-on-failover
No such Template
ACOS(config-vport)#reset-unknown-conn
No such Template
ACOS(config-vport)#drop-unknown-conn
No such Template
ACOS(config-vport)#snat-msl 101
No such Template
ACOS(config-vport)#allow-syn-otherflags
No such Template
ACOS(config-vport)#ignore-tcp-msl
No such Template
ACOS(config-vport)#nat-port-preserve
No such Template
ACOS(config-vport)#allow-vip-to-rport-map
No such Template
ACOS(config-vport)#dscp 21
No such Template
ACOS(config-vport)#aflow
No such Template

Version: 2.7.2 P3

Reproducibility: 50%

Severity: P1

Reported by customer: No


200071 System area: System

Description: Packets with a bad TCP checksum were not dropped by the non-FTA platform.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: N/A

199763 System area: GUI

Description: Before a new capture starts, a check was added to the web API to determine whether the number of debug files has already reached the maximum limit.

Trigger: Starting a new capture in the web GUI after the number of debug files has reached the maximum value.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

199760 System area: HA/VRRP

Description: Tracks the BGP state and adjusts the VRID's priority dynamically based on state change events.

Trigger: N/A

Version: N/A

Reproducibility: N/A

Severity: N/A

Reported by customer: N/A

Workaround: N/A


199531 System area: HTTP proxy with a WAF template

Description: When a WAF template with features such as csrf-check was bound under the HTTP vport and the real server responded with HTTP version 1.0, the ACOS device forwarded the response to the client with a chunked-encoding header while still reporting HTTP version 1.0. (Chunked transfer coding is only defined for HTTP/1.1, so this combination is invalid.)

This caused an issue when the client processed the response. With the fix, the server response reflects HTTP version 1.1.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use aFleX to set the HTTP version in the server response to 1.1.

199201 System area: Radius SLB

Description: On a RADIUS server, when a new member was added to a service-group that was already bound to a vport, the RADIUS response packets were not processed correctly for SLB.

Trigger: This issue was triggered when the source NAT was not enabled under the vport on the RADIUS server.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: On the RADIUS server, add a new service-group member, then unbind and bind the service-group again under the vport.

198649 System area: GUI

Description: On the Create WAF Template or Update WAF Template pages, when you selected the Referer Check check box but did not enter a value in the Allowed Referer Domains field, the configuration for the referer appeared empty.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P1

Reported by customer: No


198469 System area: GUI

Description: The global health monitor and the GSLB health monitor shared a URL, and privilege access in the GUI is enforced per URL, so the privilege setting of one monitor affected the other.

Trigger: The Health Monitor page was not accessible to a role whose privilege for the global health monitor was read or write but whose privilege for the GSLB health monitor was hidden. To access this page, click Config Mode > SLB > Health Monitor.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Set a new URL for the GSLB health monitor.

198461 System area: Active FTP with Static NAT

Description: With a static NAT, the active FTP sessions that were created in L3V partitions did not have the proper vnp_id set.

Trigger: Static NAT in an L3V partition.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

198379 System area: System

Description: When SecurID was in use, secure copy (SCP) could not be used to upgrade because the SCP server displayed an "Enter PASSCODE:" prompt.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P1

Reported by customer: Yes


198365 System area: FTP

Description: As part of creating a symmetric multiprocessing (SMP) system, the smp_conn_id file is stored in the control_conn directory. The file is used to verify and promote the SMP system.

If direct server return (DSR) is used when creating an SMP system, the control_conn directory was not updated with the smp_conn_id file. As a result, the check failed during promotion, and the connection was not created.

Trigger: A DSR session for FTP.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: N/A

197638 System area: SSL Cipher Template

Description: The SSL cipher template that is located under a shared partition could not be associated with client SSL or server SSL templates that were defined under the network (L3V) or role-based-access (RBA) partitions.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Complete one of the following tasks:

• Manually specify ciphers under the client SSL or server SSL templates.

• Define another cipher template under the L3V or RBA partition and bind the template to the client SSL or server SSL templates.

197521 System area: SLB

Description: The sh slb virtual-server bind command did not correctly display the state of disabled-with-health-check members.

Trigger: Show commands.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


197506 System area: WAF

Description: The Buffer Overflow check limits introduced in release 2.7.2 were too low, which prevented the customer from using Buffer Overflow protection for their site and online trading services.

Trigger: The customer wanted to configure a large value under the buf-ovf max-parameter-value-len.

Version: 2.7.2 P2 and earlier.

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: N/A

197419 System area: Web

Description: The web GUI did not support the max-entities field for the WAF template.

Trigger: Described above.

Version: 2.7.2 P2

Reproducibility: 100%

Severity: Normal

Reported by customer: Yes

197377 System area: GUI

Description: The total count of SSL certificate references was inaccurate because not all client and server SSL templates in all partitions were checked to determine whether the specified SSL certificate was referenced.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

197371 System area: aXAPI

Description: Creating aXAPI entries repeatedly caused the health monitor resource usage to become extremely high.

Trigger: Creating or deleting entries through aXAPI multiple times caused the health monitor count to grow to a large number.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes


197314 System area: SSL

Description: Added support for 128,000 (128*1024) SNI entries on the entire system.

Trigger: N/A

Version: 2.7.2 P3

Reproducibility: N/A

Severity: N/A

Reported by customer: N/A

Workaround: N/A

197245 System area: GUI

Description: When you log into the GUI by using Internet Explorer versions 6-9, on the pages to create (or update) a service group, in the Server section, you could not use the drop-down list to select a real server.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

197236 System area: GUI

Description: In the GUI, when you tried to modify the value of the TCP SYN cookies threshold in transparent mode, the error message "Failed to set TCP SYN cookies. Cannot perform requested operation. Device is in Transparent mode." was displayed. This fix hides the l3-vlan-fwd-disable option in transparent mode in the GUI.

Trigger: Same as above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

197194 System area: WAF

Description: A cookie name can have a maximum of 64 bytes.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: Normal

Reported by customer: Yes


196385 System area: aXAPI

Description: This enhancement added the following aXAPI methods:

• slb.class_list.string.create

• slb.class_list.string.update

• slb.class_list.string.delete

Trigger: N/A

Version: N/A

Reproducibility: N/A

Severity: P1

Reported by customer: Yes

Workaround: Call the slb.class_list.* methods instead.

196225 System area: Health Monitor

Description: Unable to enter a health monitor name that was 63 characters long.

Trigger: N/A

Version: N/A

Reproducibility: N/A

Severity: P3

Reported by customer: Yes

Workaround: N/A

195940 System area: Access-list and CLI

Description: When an access list entry was created with the host address 0.0.0.0 but a non-zero mask, the ACOS device interpreted the entry as any.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: N/A
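As an added example (not A10's code and not part of these release notes), the following Python models the access-list matching at issue in 195940: a first-match ACL evaluator with correct mask semantics beside a matcher that collapses any 0.0.0.0 address to "any", plus an audit helper that reports which sample addresses the defect would mis-classify. It assumes a Cisco-style wildcard-mask convention and uses constructed sample entries and addresses.

```python
import ipaddress
from typing import Callable, List, Tuple

# Constructed, illustrative model of an extended ACL entry: an action plus a
# source address and a wildcard mask (0 bits must match, 1 bits are "don't
# care"). The wildcard-mask convention is an assumption made for this example.
AclEntry = Tuple[str, str, str]  # (action, address, wildcard)


def _ip(addr: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def entry_matches(entry: AclEntry, ip: str) -> bool:
    """Correct semantics: compare only the bits the wildcard does not mask out."""
    _, address, wildcard = entry
    care = 0xFFFFFFFF & ~_ip(wildcard)
    return (_ip(ip) & care) == (_ip(address) & care)


def entry_matches_zero_addr_as_any(entry: AclEntry, ip: str) -> bool:
    """Models the defect described in 195940 (modelled behaviour, not ACOS code):
    an entry whose address is 0.0.0.0 is treated as 'any' regardless of its mask."""
    _, address, _ = entry
    if _ip(address) == 0:
        return True
    return entry_matches(entry, ip)


def evaluate(acl: List[AclEntry], ip: str,
             matcher: Callable[[AclEntry, str], bool] = entry_matches) -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    for entry in acl:
        if matcher(entry, ip):
            return entry[0]
    return "deny"


def audit(acl: List[AclEntry], samples: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, correct_action, defective_action) for every sample address on
    which the two matchers disagree. An empty list means the ACL is unaffected
    by the defect, which is the check a practitioner wants before relying on it."""
    diffs = []
    for ip in samples:
        good = evaluate(acl, ip, entry_matches)
        bad = evaluate(acl, ip, entry_matches_zero_addr_as_any)
        if good != bad:
            diffs.append((ip, good, bad))
    return diffs


# Constructed sample ACL: the first entry is meant to permit only 0.0.0.0-0.0.0.255
# (a zero address with a non-zero mask); everything else should hit the deny.
SAMPLE_ACL: List[AclEntry] = [
    ("permit", "0.0.0.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),  # explicit "deny any"
]

# Constructed sample source addresses.
SAMPLE_IPS = ["0.0.0.7", "10.1.1.1", "192.0.2.25"]


if __name__ == "__main__":
    for ip, good, bad in audit(SAMPLE_ACL, SAMPLE_IPS):
        print(f"{ip}: correct={good} defective={bad}")
```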


195931 System area: Health Monitor

Description: Unable to enter a health monitor name that was longer than 31 characters.

Trigger: N/A

Version: N/A

Reproducibility: N/A

Severity: P3

Reported by customer: Yes

Workaround: N/A

195730 System area: SLB

Description: Even when a service group member's health status was up, aFleX could not persist to that member if the disabled-with-health-check command had been entered for it.

Trigger: None

Version: 2.7.2 P2 and earlier

Reproducibility: Feature

Severity: P2

Reported by customer: No

195481 System area: SLB-SIP

Description: SIP traffic to a real server was dropped when a SIP vport was configured.

Trigger: Described above.

Version: 2.7.2 P3

Reproducibility: Yes

Severity: P1

Reported by customer: Yes

Workaround: Do not configure a SIP vport if SIP packet routing is required.

195064 System area: SLB, aFleX

Description: If a persist uie session existed and the real server went down, the next session request continued to use the same downed server.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Clear the persist uie session.


195037 System area: Web

Description: When the content of a WAF policy had more than 512 characters, the WAF definition web page did not correctly display the policy.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: No

194401 System area: SSL

Description: If an ACOS device that is configured with an HTTPS vport is low on memory, the device sometimes reloaded when sending the server certificate to a client during an SSL handshake.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

194284 System area: HTTP Proxy and aFleX

Description: Because of duplicate buffer processing, the combination of HTTP::disable and RESOLVE::lookup in an HTTP request event handler in aFleX caused an unexpected reload.

Trigger: Same as above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

Workaround: Do not use HTTP::disable with RESOLVE::lookup in an aFleX event.

194233 System area: GUI

Description: After a client SSL template was created, the TLS1_ECDHE_RSA_AES_256_SHA384 and TLS1_ECDHE_ECDSA_AES_256_SHA384 SSL ciphers were available but were displayed as unavailable to the client.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P1

Reported by customer: No


194021 System area: Access-list and HA

Description: When the access-list was modified, the list was not synced to the HA/VRRP-A peer when the ha sync all to-running-config all-partition command was issued.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

193405 System area: SNMP

Description: When the snmpd agent was started, a10snmpd restarted too many times, until a10mon no longer started a10snmpd.

Trigger: The startup of the snmpd agent was not optimized.

Version: None

Reproducibility: Yes

Severity: P1

Reported by customer: No

193321 System area: SSL

Description: Connections that used an unsupported cipher were not closed.

Trigger: Unsupported ciphers.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: Moderate

Reported by customer: Yes

193066 System area: SSL

Description: Cipher suite TLS_RSA_WITH_RC4_128_MD5 (0x0004) did not work when ssl-false-start-disable was configured.

Trigger: Configuring ssl-false-start-disable in a client SSL template caused the SSL handshakes to fail.

Version: 2.7.2 P2

Reproducibility: 100%

Severity: Minor. SSL False Start was only supported by a few versions of Google Chrome and has not been supported since 2012.

Reported by customer: Yes

Workaround: Do not configure the ssl-false-start-disable in the template.


192970 System area: SNMP

Description: The L3V partition name cannot have a random character added to the virtual server’s name.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: Yes

Severity: P1

Reported by customer: Yes

192616 System area: SNMP

Description: The axInterfaceStatTable was implemented with a 60-second data refresh interval, which is not consistent with the ifTable and ifXTable implementation, which has a 1-second refresh interval.

Trigger: The timeout value is set to 1 minute.

Version: 2.7.2 P2 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: Retrieve the statistics data through the ifTable, which has a 1-second timeout value.

192388 System area: Platform

Description: The memory requirement to enable big buffer support for all platforms is 93G. This requirement is too high for the Thunder 5430 device. The requirement for this device should be reduced to 46.5G.

Trigger: Trying to enable big buffer support on the Thunder 5430 device.

Version: 2.7.2

Reproducibility: 100%

Severity: Normal

Reported by customer: No

192181 System area: HTTP/WAF

Description: Large posts with a WAF template in learning mode might fail.

Trigger: Posts in excess of the maximum HTTP queue depth will fail.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: Severe

Reported by customer: No

Workaround: Do not use the WAF learning mode on VIPs that accept large posts.


191689 System area: SNMP

Description: When you added a service-group level trap to detect a server member in the service-group, the status changed for up and down events.

Trigger: Described above.

Version: 2.7.2 P3

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

Workaround: N/A

191614 System area: SLB L7 Connection Reuse

Description: With a Fast-HTTP vport and connection reuse, trunk distribution was uneven. This occurred because the connection was not set up when the SYN was received, and trunk member selection was performed twice.

Trigger: Connection reuse.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

191587 System area: System

Description: The A10 platform sometimes reloaded under heavy traffic load and with a traffic pattern that consumed additional CPU cycles and caused a burst of packets to traverse from the CPU to the FTA.

This defect affected the following platforms:

• TH5430S

• TH6430(S)

• TH6435(S)

• TH5435(S)

Trigger: Same as above.

Version: 2.7.2 P2 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

Workaround: N/A


191257 System area: Compression and keep-client-alive

Description: An ACOS device might return a partial server response when the compression and keep-client-alive options were enabled for an L7 vport such as HTTP or HTTPS.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not configure the keep-client-alive option when compression is enabled on an L7 vport.

190765 System area: aFleX clock command

Description: The aFleX clock scan and clock format commands had an issue when converting a date to seconds.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

190732 System area: Layer 2/3

Description: When connected routes and an A10 special IP address, such as IP-nat, had the same IP prefix and a redistribute configuration in OSPF, OSPF sometimes stopped advertising the routes.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes


190357 System area: SSL driver

Description: When the Cavium driver code read the PCI configuration space, memory corruption occurred, which resulted in a read of 0xffff and caused the ACOS device to reboot.

Trigger: The Cavium driver PCI reads coinciding with reads from other places.

Version: 2.7.1 P6

Reproducibility: Difficult to reproduce. In the lab, it was reproduced by increasing the number and frequency of the reads.

Severity: P2

Reported by customer: Yes

Workaround: Disable PCI reads from driver code.

189904 System area: L2 and the use-rcv-hop-for-resp command

Description: In a TCP time-wait state, during the four-way handshake, when the use-rcv-hop-for-resp command was configured, the final ACK message from the ACOS device to the client was sent to the incorrect port.

Trigger: Described above.

Version: 2.7.2 P2

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

189862 System area: aXAPI

Description: The ip-in-ip command could not be added under the vport by using aXAPI.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

189673 System area: Radius SLB

Description: The RADIUS return packet from the server was processed by using a wildcard VIP instead of the VIP that was specified for the server.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes


189613 System area: Connection reuse and session age

Description: The age value for a connection-reuse session that was associated with vport HTTP and Fast-HTTP was computed incorrectly.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

189487 System area: System

Description: SCP failed when the /home/user directory was not available on a Linux computer.

Trigger: This issue occurred when a user was created on a Linux computer without a home directory, and a file was copied with scp using that user's username and password.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Create a home directory on the Linux computer.

188183 System area: Health Monitor

Description: When the run-search option was configured for an LDAP health monitor and a search query was run, the statistics reported the LDAP server as down.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: N/A

187774 System area: TCP/IP

Description: When an ACOS device sent an RST packet because of the reset-unknown-conn configuration, the source MAC address used by the ACOS device might be incorrect.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: N/A


186760 System area: CLI/Web Authentication

Description: When the ACOS device was configured with ip control-apps-use-mgmt-port on the management interface, but the external authentication server (TACACS+, RADIUS, or LDAP) was only reachable from an ACOS data interface, external authentication failed because the authentication server could not be reached.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: Major

Reported by customer: Yes

186523 System area: Multicast packet processing

Description: When the ACOS data interface was flooded with IP multicast packets, legitimate TCP-based management traffic to the ACOS device on this data interface might be impacted or dropped.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Configure the ACOS data interfaces so that they do not receive these unwanted multicast packets.

185104 System area: System

Description: While a trunk was being configured, the control CPU sometimes spiked.

Trigger: Configuring a trunk with multiple ports.

Version: 2.7.2 P2 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

Workaround: N/A


184660 System area: SSL

Description: Additional debugging logs and fail-safe code were added to help you troubleshoot SSL chips that hang.

Trigger: Described above.

Version: 2.7.2

Reproducibility: Low

Severity: P1

Reported by customer: Yes

Workaround: Manual reboot.

184030 System area: DSR and MSL

Description: The ACOS device did not honor the maximum segment lifetime (MSL) time configured with the slb msl-time command for a direct server return (DSR) session.

Trigger: Described above.

Version: 2.7.2 P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

183878 System area: SSL for jumbo packet

Description: SSL was unable to transfer large files.

Trigger: With end-to-end SSL (client SSL and server SSL) configured and jumbo enabled, transfers of files larger than 10MB could not complete. The problem was in the internal buffer handling: with jumbo packets, some internal buffers ran out of space and caused a buffer overrun.

Version: 2.7.2 P2

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: N/A

183001 System area: HTTP and WAF

Description: Large posts to a VIP with a WAF template in learning mode were failing.

Trigger: Posts that are larger than the maximum HTTP queue depth.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: Severe

Reported by customer: No

Workaround: Do not use a WAF template in learning mode on VIPs with large posts.


182635 System area: L7 and Graceful-shutdown

Description: After the slb graceful-shutdown num after-disable command was entered, the ACOS device did not complete the four-way close handshake (FA/A, that is, FIN-ACK followed by ACK) with the client: it did not send the final ACK in response to the client's FIN-ACK.

Trigger: Described above.

Version: 2.7.2 P2

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

182287 System area: Health Monitor

Description: The health monitor only supported a maximum of 128 characters in a GET URL. If more than 129 characters were entered, the method http url GET URL command was not recognized as a valid command.

Trigger: Supporting up to 500 characters in a URL when you configure a health monitor by using the GET method.

Version: 2.7.2 P3

Reproducibility: N/A

Severity: N/A

Reported by customer: N/A

Workaround: N/A

182233 System area: SLB CLI

Description: In the output of the show slb virtual-server command, the Curr-conn counter was higher than Peak-conn.

Trigger: Enable extended-stats while traffic is running on the VIP.

Version: 2.7.2 P2 and earlier

Reproducibility: Yes

Severity: P1

Reported by customer: Yes


181789 System area: Router BGP

Description: The BGP prefix was reduced by 2 when soft-reconfiguration inbound was enabled.

Trigger: Described above.

Version: All

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Do not enable soft-reconfiguration.

180970 System area: OSPF and route display

Description: Even after you removed the OSPF route, show ip route continued to display an OSPF null route that no longer exists.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

179158 System area: TCP Logging

Description: TCP session logging created persistent connections to handle logging messages. These sessions should only be created on an active ACOS device and not on the standby device.

Trigger: Enabling TCP logging.

Version: 2.7.2 P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Disable TCP logging.

178939 System area: SLB Dynamic Member

Description: The fully-qualified domain name (FQDN) member was always assigned priority 16 and was selected over other service group members.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: Yes

Severity: P1

Reported by customer: Yes


178613 System area: Traceroute and wildcard VIP/VPORT

Description: Traceroute did not work with the TCP and UDP methods when a wildcard VIP with a vport that had no-dest-nat enabled was used. Previously, traceroute worked only with the ICMP method.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use ICMP for traceroute.

177751 System area: aXAPI

Description: The slb.ssl.upload/download method caused a memory leak.

Trigger: When the slb.ssl.upload/download method was run for some time, memory usage constantly increased.

Version: All

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

174301 System area: SNMP

Description: The generated name could not be retrieved.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: Yes

Severity: P1

Reported by customer: Yes

171523 System area: VCS and vMaster/vBlade reload

Description: In VCS, when reload device <n> was issued from the vMaster to reload the corresponding vBlade device, both the vMaster and the vBlade were reloaded, instead of just the vBlade.

Trigger: Described above.

Version: 2.7.2 P2 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes


Issues Fixed in Release 2.7.2-P2

ACOS Release 2.7.2-P2 contains fixes for issues in ACOS 2.7.2-P1 and ACOS 2.7.2. The fixes are listed in Table 13. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

NOTE: This document may be updated with additional fix information.

169147 System area: System software

Description: Interface utilization was reported to be over 100%

Trigger: Invalid bucket pickup occurred during interface statistics calculation from the hardware and software.

Version: 2.6.1 GR1 P13

Reproducibility: High

Severity: P1

Reported by customer: Yes

168499 System area: System management port

Description: The new IP address could not be accessed via SSH if the IP address on the management interface was changed dynamically.

Trigger: Changing the management IP address.

Version: All

Reproducibility: 100%

Severity: P1

Reported by customer: No

Workaround: Change the IP address again or reload.


TABLE 13 Fixes in ACOS Release 2.7.2-P2

A10 Tracking ID Issue

190915 System area: System

Description: An SSD monitoring mechanism introduced to detect a bad SSD may have caused ACOS to reboot when the /tmp file system was full.

Trigger: Described above.

Version: 2.7.2-P1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: None

186829 System area: AXAPI

Description: The AXAPI call “system.write_memory” was not working properly while in the secondary boot image.

Trigger: Described above.

Version: 2.7.2-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None

186688 System area: FTP ALG

Description: If an ACL was configured to permit FTP to control port 21 and deny the rest of the control ports, ALG protocols like FTP failed when they were applied to client interfaces.

Trigger: Described above.

Version: 2.7.2-P1 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

Workaround: None


186463 System area: aXAPI

Description: When a health monitor was created using aXAPI, a segmentation fault occurred when exercising the “show run” command.

Trigger: Described above.

Version: 2.7.2-P1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: The valid post should be:

"health_monitor": {
    "name": "sarasa5",
    "type": 3,
    "http": {
        "port": 8080,
        "url": "GET /ping",
        "expect_pattern": "pong"
    }
}

186226 System area: aFleX

Description: When “switch”, “clientside/serverside” is used in an aFleX script, ACOS may have crashed.

Trigger: Use “switch”, “clientside/serverside” commands in aFleX.

Version: 2.7.2-P1 and earlier

Reproducibility: High

Severity: P1

Reported by customer: No

Workaround: Don’t use the “switch” and “clientside/serverside” commands in aFleX.

186187 System area: Layer 7 and Cookie Persistence Template

Description: When a cookie persistence template was configured with the option “expire 0” and bound to a layer 7 (HTTP) virtual port, it caused an expired time stamp to be inserted into the cookie.

Trigger: Described above.

Version: 2.7.2-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None


186184 System area: GUI

Description: When an admin account was created with a customized role, it caused a GUI display issue.

Trigger: Described above.

Version: 2.7.2-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None

185293 System area: GUI

Description: Adding or editing the GSLB zone parameters from the browser caused the GUI to reboot.

Trigger: Described above.

Version: 2.7.2-P1 and earlier, 2.7.1-P5

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: None

185164 System area: DNS fast-path and policy template

Description: ACOS may have rebooted when the SLB DNS (port 53 UDP) flows were being processed via fast-path and the policy template enforcing connection rate limiting through PBSLB/class-list/GLID was bound to the virtual port.

Trigger: Described above.

Version: 2.7.2-P1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

Workaround: None

183535 System area: aVCS

Description: In a two device configuration, reloading VCS caused device 2 to join the chassis with a disabled interface.

Trigger: Described above.

Version: 2.7.2-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None


182473 System area: System Management

Description: When email logging was configured on 2.7.1-P4, ACOS sent emails without line breaks between two successive messages.

Trigger: Described above.

Version: 2.7.2-P1 and earlier, 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: None

181270 System area: ICMP for SLB

Description: ICMP error packets were being dropped for DSR SLB, causing both IPv4 and IPv6 traffic flows to fail.

Trigger: Described above.

Version: 2.7.2-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None


181039 System area: System

Description: When trying to SSH from another device to ACOS, the known_hosts file could not be changed to allow the connection if the key had been changed at some point.

Trigger: Described above.

Version: 2.7.2-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None

172465 System area: aFleX

Description: The TCL internal command “clock scan” was disabled because it may have caused ACOS to reload when used in aFleX.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: None


Issues Fixed in Release 2.7.2-P1

ACOS Release 2.7.2-P1 contains fixes for issues in ACOS 2.7.2. The fixes are listed in Table 14. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

NOTE: This document may be updated with additional fix information.

TABLE 14 Fixes in ACOS Release 2.7.2-P1

A10 Tracking ID Issue

184912 System area: SLB (Layer 7 full proxy)

Description: The ACOS TCP stack, when avoiding the TCP “Silly window syndrome”, could cause a reload if the internal buffering size was equivalent to the required transmission size calculated by the TCP state machine.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

181378 System area: WAF

Description: If ACOS was unable to parse a form in a response from a server, the form was removed from the reply before the reply was forwarded to the client.

Trigger: Get a form from a site that uses HTML-5 and does not have an action field in it. The form parser fails to parse the form, and removes the form data.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Change the site (backend servers) to use a form that contains an action field.

180667 System area: SLB TCS

Description: If a real server port was configured with dest-nat but the TCS had the regular 'no-dest-nat' configuration, the 'dest-nat' did not happen if the real server port was selected.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


179722 System area: GSLB

Description: If a health check was flapping for a dynamic GSLB object, ACOS did not add back the internal counter properly.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

179932 System area: SNMP

Description: The MIB object axNotificationTacacsServerHost was incorrectly named "axTacacsServerHost". This error appeared in the following files:

• A10-AX-TRAPS-V1.txt

• A10-AX-NOTIFICATION-V2C.txt

The name has been corrected to "axNotificationTacacsServerHost" in both files. To download a .tar of the updated ACOS MIB files from within the GUI:

1. Upgrade to ACOS 2.7.2-P1.

2. Log in through the management GUI and navigate to Config Mode > System > SNMP.

3. Select SNMP Download to display the download link.

4. Select the download link.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

178738 System area: GSLB

Description: Even though ACOS does not support the ability to perform recursive lookups for clients, the Recursion Available (RA) flag was not turned off in the responses ACOS was sending back to the clients. The correct behavior is for the GSLB controller to disable the RA flag if the DNS server does not contain the resource record that the client requested.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


178405 System area: SLB (HTTP compression)

Description: An HTTP VIP did not work correctly if an aFleX script bound to the virtual port used the http::collect command, and hardware-based HTTP compression was enabled.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the http::stream command instead of the http::collect command in the aFleX script.

177913 System area: vThunder

Description: On a vThunder device with 2 GB memory and an SSL card (PCI pass-through), Layer 4 fast aging could be engaged with very few sessions.

Trigger: Described above.

Version: 2.7.2

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Increase vThunder memory to more than 3 GB.

177470 System area: SLB (HTTPS) / jumbo frames

Description: An HTTPS POST request containing a large payload failed if jumbo frame support was enabled on the ACOS device.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

177355 System area: SSL

Description: Re-transmitted packets in an SSL connection could be corrupted.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


177295 System area: WAF

Description: HTTP log messages generated using CEF format could be missing some information for requests sent to very long URL strings. For these requests, the req='<url>' and msg='..' fields in CEF format caused the overall log message to exceed 512 bytes, and cut off complete parts of the message.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

177292 System area: SLB (client-SSL)

Description: In a deployment using the client-SSL option to require client certificates, a client request to use TLS v1.2 caused ACOS to reload.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

177094 System area: SLB (Diameter)

Description: If source-NAT was enabled on a Diameter virtual port and the service group was bound to the port, ACOS could reload.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P1

Reported by customer: No

176989 System area: SLB (HTTP template)

Description: The ACOS device could reload when a host-switching or URL-switching line was removed from an HTTP template.

Trigger: Described above.

Version: 2.7.2

Reproducibility: Medium

Severity: P1

Reported by customer: Yes


176908 System area: CLI/System

Description: An aFleX script with the POLICY::bwlist command could be unbound from the virtual port following a reload or reboot.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: No

176654 System area: WAF

Description: In a configuration with both an HTTP-policy template and a WAF template bound to the same HTTP virtual port, the WAF policy was used to process an SQLIA check even though the traffic matched the HTTP-policy.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: No

176407 System area: GUI

Description: The VRRP-A status was not updated correctly after configuration synchronization was performed manually using the GUI.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

176108 System area: aFleX

Description: The aFleX pool command was not supported under the DNS_REQUEST event type.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


175966 System area: SLB (TCP-proxy on Layer 7)

Description: If the keepalive interval and probes were set in a TCP-proxy template bound to a Layer 7 virtual port, ACOS mistakenly sent a second RST to a client who did not respond to a keepalive before the timeout expired.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

175894 System area: System

Description: On a device running a large number of health checks, the control CPU could experience a high utilization rate following an authentication failure.

Trigger: Described above.

Version: 2.7.2

Reproducibility: High

Severity: P2

Reported by customer: Yes

175876 System area: CLI

Description: If a space “ ” is used in a server-name cert/key associated to SNI, this could result in a parse error when ACOS reads the startup-config file.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not use a space " " in server-name cert/key.


175543 System area: aXAPI

Description: The slb.service_group.search method returned value 0 for the following SLB load balancing methods (lb_methods):

• 14: Source IP Only Hash

• 15: Source IP Hash

• 16: Destination Only IP Hash

• 17: Destination IP Hash

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

175078 System area: SLB (Layer 7 proxy) / jumbo frames

Description: ACOS might not advertise the correct MSS to a backend server in its SYN TCP segment when a jumbo client advertised a jumbo-sized MSS to a Layer 7 VIP.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

174637 System area: Routing (BGP)

Description: BGP peer connection failed if the peer sent a SAFI(128) request as part of negotiation.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

173839 System area: System

Description: Importing certificates in P7B format did not work.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


173731 System area: SLB (L3V)

Description: The snat-on-vip option did not work for a Layer 7 virtual port in an L3V ADP partition.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the snat-on-vip option at the virtual port level instead.

173248 System area: Health Monitoring

Description: If a backend server used HTTP 1.0 and its response to a health check did not contain a Content-Length header, ACOS marked the server Down.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

173080 System area: aFleX

Description: ACOS could reload when an aFleX script containing the global virtual name command in its RULE_INIT was bound to a virtual port.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

172930 System area: aVCS (BGP)

Description: In an aVCS deployment with BGP, if a device was booted or reloaded from its startup-config, the exit-address-family command was omitted from the BGP section of the configuration. If the configuration was then saved without re-adding the command, parsing errors occurred due to the missing command the next time the startup-config was loaded.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Re-add the exit-address-family command and save the configuration.
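Issue 172930 above is a class of problem worth catching before a reload: a saved configuration that is missing a block terminator parses cleanly once (it was written by the device) and fails only when it is loaded again. The following script is an added example, not A10 code; it audits a BGP configuration fragment for address-family blocks that lack their exit-address-family line and applies the documented workaround (re-adding the command) mechanically. The sample configuration is constructed, and the exact ACOS syntax beyond the address-family and exit-address-family keywords is an assumption.

```python
# Constructed startup-config fragment in router-bgp shape (assumed syntax beyond the
# address-family / exit-address-family keywords named in issue 172930).
BROKEN_CONFIG = """\
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 address-family ipv6
  neighbor 192.0.2.1 activate
 address-family ipv4
  network 203.0.113.0/24
!
"""


def _is_af_open(line):
    return line.startswith("address-family")


def _closes_bgp_block(line):
    # A new address-family, the end-of-section marker or a new router block all
    # mean the previous address-family should already have been terminated.
    return _is_af_open(line) or line == "!" or line.startswith("router ")


def audit_address_families(config):
    """Return 1-based line numbers of address-family blocks without exit-address-family."""
    missing, open_line = [], None
    for number, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if _closes_bgp_block(line) and open_line is not None:
            missing.append(open_line)
            open_line = None
        if _is_af_open(line):
            open_line = number
        elif line == "exit-address-family":
            open_line = None
    if open_line is not None:          # file ended inside an address-family block
        missing.append(open_line)
    return missing


def repair(config):
    """Re-add exit-address-family after each unterminated block (the documented workaround)."""
    out, indent = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if _closes_bgp_block(line) and indent is not None:
            out.append(indent + "exit-address-family")
            indent = None
        if _is_af_open(line):
            indent = raw[: len(raw) - len(raw.lstrip())]   # keep the block's indentation
        elif line == "exit-address-family":
            indent = None
        out.append(raw)
    if indent is not None:
        out.append(indent + "exit-address-family")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unterminated address-family lines:", audit_address_families(BROKEN_CONFIG))
    print(repair(BROKEN_CONFIG))
```

Running the audit against a saved startup-config before a reload, and only then saving the repaired copy, avoids the parse error the issue describes.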


172789 System area: System

Description: Remote AAA using LDAP did not work for GUI access.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: Configure a static route to the LDAP server that uses the management interface to reach the default gateway. This works with or without use of the ip control-apps-use-mgmt-port command.

172471 System area: System

Description: The raid-install command did not work in ACOS 2.7.1-P4.

Trigger: Described above.

Version: 2.7.1-P4

Reproducibility: Yes

Severity: P1

Reported by customer: Yes

172465 System area: aFleX

Description: Use of the Tcl internal command “clock scan” to retrieve the current time could cause the ACOS device to reload.

To prevent this issue from recurring in the current release, the “clock scan” command is disabled. To get the time from within an aFleX script, use the TIME::clock command instead.

Trigger: Described above.

Version: 2.7.2

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: Use the TIME::clock command instead.


172462 System area: WAF

Description: Custom XSS policy that included an empty (wildcard) PCRE match could cause the ACOS device to reload.

Trigger:

1. In a WAF policy, set a rule to have an empty match either in the beginning or in the middle of the match list. For example:

rule1,|bgsound||applet

instead of:

rule1,bgsound|applet

In this example, either of the following character combinations results in empty matches:

,|

||

2. Bind the WAF policy to an HTTP virtual port.

3. Send a request to the port.

Version: 2.7.2

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Edit the WAF policy file to avoid empty matches.

171970 System area: WAF

Description: XSS checks were performed on the URL/URI of requests. XSS checks should apply only to the body and to HTML parameters in the URL, in case the URL is a form (contains '?').

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes
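Issues 172462 and 171970 above both concern how a WAF XSS policy is applied: an empty alternative in a rule's match list (`rule1,|bgsound||applet`) compiles to a pattern that matches everywhere, and the check itself should run over the request body and the URL's parameters rather than the raw path. The script below is an added example, not A10 code: it lints a policy for empty alternatives, shows why they act as a wildcard by compiling the alternation, and separates out the strings an XSS check should inspect. The rule lines are constructed; the `name,alt|alt` shape is the one shown in issue 172462, and Python's `re` stands in for the PCRE engine, which is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Constructed policy lines in the "name,alt1|alt2|..." shape from issue 172462.
SAMPLE_POLICY = [
    "rule1,|bgsound||applet",   # empty alternatives at positions 0 and 2 (the bad case)
    "rule2,bgsound|applet",     # well-formed
    "rule3,script|",            # trailing empty alternative
]


def split_rule(line):
    """Split 'name,alt1|alt2' into (name, list of alternatives)."""
    name, _, pattern = line.partition(",")
    return name.strip(), pattern.split("|")


def empty_alternatives(line):
    """0-based positions of empty alternatives in the rule's match list."""
    _, alts = split_rule(line)
    return [i for i, alt in enumerate(alts) if alt == ""]


def matches_everything(line):
    """True if the alternation, compiled as a regex, matches the empty string,
    i.e. the rule fires on every request."""
    _, alts = split_rule(line)
    return re.compile("|".join(alts)).search("") is not None


def lint_policy(lines):
    """(rule name, positions) for every rule that contains an empty alternative."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        positions = empty_alternatives(line)
        if positions:
            findings.append((split_rule(line)[0], positions))
    return findings


def xss_check_targets(path_and_query, body):
    """Strings an XSS check should inspect per issue 171970: the request body and the
    parameter values of the URL when it carries a query ('?'); the path itself is skipped."""
    _, has_query, query = path_and_query.partition("?")
    targets = []
    if has_query:
        targets.extend(value for _, value in parse_qsl(query, keep_blank_values=True))
    if body:
        targets.append(body)
    return targets


if __name__ == "__main__":
    for name, positions in lint_policy(SAMPLE_POLICY):
        print(f"{name}: empty alternative(s) at {positions}")
    print(xss_check_targets("/search?q=<script>", ""))
```

The linter is the pre-deployment check: a rule with an empty alternative is a wildcard match whatever the other alternatives say, which is both a false-positive source and, on the affected release, a reload trigger.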


171598 System area: aFleX

Description: Including the version attribute ($Version=0 or 2) could cause a failure to parse cookie.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P3

Reported by customer: No

170812 System area: Health Monitoring

Description: When using the built-in SNMP health-check, ACOS sent the wrong OID. This issue occurred because the built-in SNMP health monitor automatically prefixes the configured OID with the first set of digits, 1.3.6.1.2.1. If these leading digits are omitted from the command, ACOS sends the correct OID.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: When using the built-in SNMP health monitor, do not “double-input” the OID prefix value of “1.3.6.1.2.1” because this prefix already exists.
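A quick way to catch the "double-input" prefix described in issue 170812 is to compute the OID the monitor will actually send and flag any configured value that already begins with the built-in prefix. The script below is an added example, not A10 code; the prefix 1.3.6.1.2.1 is the one the issue names, the sample monitor names and configured values are constructed, and `1.3.6.1.2.1.1.3.0` (sysUpTime.0) is used as the intended target.

```python
# Prefix the built-in SNMP health monitor adds to the configured OID (issue 170812).
BUILTIN_PREFIX = "1.3.6.1.2.1"


def effective_oid(configured):
    """OID the built-in monitor sends: the built-in prefix followed by the configured value."""
    suffix = configured.strip(".")
    return BUILTIN_PREFIX if not suffix else f"{BUILTIN_PREFIX}.{suffix}"


def is_double_prefixed(configured):
    """True when the operator typed the prefix again, so it would be sent twice."""
    value = configured.strip(".")
    return value == BUILTIN_PREFIX or value.startswith(BUILTIN_PREFIX + ".")


def normalize(configured):
    """Configured value with a redundant leading prefix removed."""
    value = configured.strip(".")
    if is_double_prefixed(value):
        value = value[len(BUILTIN_PREFIX):].strip(".")
    return value


def audit(monitors):
    """monitors maps monitor name -> configured OID. Returns (name, OID actually sent,
    corrected configured value) for every monitor that double-inputs the prefix."""
    return [(name, effective_oid(oid), normalize(oid))
            for name, oid in monitors.items() if is_double_prefixed(oid)]


if __name__ == "__main__":
    # Constructed monitor definitions: one double-prefixed, one correct.
    sample = {"hm-sysuptime": "1.3.6.1.2.1.1.3.0", "hm-ok": "1.3.0"}
    for name, sent, fixed in audit(sample):
        print(f"{name}: sends {sent}; configure {fixed!r} instead")
```

The audit reports the OID as the agent would receive it, which is what to compare against a packet capture when a server is unexpectedly marked down by an SNMP check.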

170506 System area: TCS (Hardware SYN-cookie)

Description: When hardware SYN-cookies were enabled within a TCS setup, the ACOS device could sometimes use the incorrect source MAC when sending the packet back to the client.

Trigger: Described above.

Version: 2.7.2

Reproducibility: Medium

Severity: P2

Reported by customer: Yes


170056 System area: Hardware Syn-cookie (FPGA platforms)

Description: In a configuration where hardware-based SYN cookies were disabled, the MAC address for the HA floating IP address for a VLAN was not programmed into the MAC table following certain VLAN and VE configuration changes. This prevented clients from being able to ping the floating IP address.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Enable/disable hardware-based SYN cookies. This results in reprogramming of all virtual MAC addresses (including HA MAC) for all VLANs.

169159 System area: L3 DSR (IP-in-IP)

Description: ACOS did not allow an MTU value of greater than 1460 bytes, even though the ICMP unreachable message sent to clients was advertising an MTU of 1480 bytes.

Trigger: Described above.

Version: 2.7.2

Reproducibility: High

Severity: P2

Reported by customer: Yes

168062 System area: L3V (HA/VRRP-A)

Description: The ACOS device dropped the SYN-ACK packets instead of forwarding to the client. This could happen if an L3V partition used a non-default VRID, because the HA status was incorrectly seen as Standby.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the default VRID when configuring HA/VRRP-A in a network partition.


167833 System area: HA

Description: If ha conn-mirror ip was removed from the config file, this could cause “flapping”, in which the active ACOS device erroneously changed to standby mode based on the HA priority of the pair.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

164512 System area: HA

Description: In an HA deployment, if session synchronization occurred at the same time the running-config was being saved to the startup-config file, then ACOS did not save the configuration using the correct date.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Issue the write memory command to save the date changes.

159667 System area: SNMP

Description: Certain SNMP OIDs that were defined as “Counter 32” were not able to “decrease”. These OIDs have been redefined.

Trigger: Described above.

Version: 2.7.2

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

152740 System area: SLB (TCP-proxy template)

Description: SYN-retry configuration in TCP-proxy template did not take effect if auto server re-selection was enabled.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes


139189 System area: SLB (HTTP)

Description: When HTTP received FIN-ACK from a server, ACOS responded with a FIN-ACK even if there was data from the client that needed to be sent to the server.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

131869 System area: SLB (HTTP)

Description: The WWW-Authenticate header was removed if the header value was 9 characters or more.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

114898 System area: SNMP

Description: If the ‘snmpwalk’ command was sent to the shared and private partitions simultaneously, then the resulting output could be mixed.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

111817 System area: CLI

Description: The priority of disabled service-group members could not be lowered.

Trigger: Described above.

Version: 2.7.2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Enable the service-group member, then change the priority.


Issues Fixed in Release 2.7.2

ACOS Release 2.7.2 contains fixes for issues in ACOS 2.7.1-P3 and later. The fixes are listed in Table 15. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

NOTE: This document may be updated with additional fix information.

TABLE 15 Fixes in ACOS Release 2.7.2

A10 Tracking ID Issue

157528 System area: System

Description: Intermittently, the Absent/On/Off status of the power supply unit did not reflect the status of the PSU accurately.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: No

Workaround: None

155516 System area: aFleX

Description: When the lwnode aFleX command is used, session synchronization does not work.

Trigger: Described above

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: None

155183 System area: Web

Description: When using the GUI, editing the GSLB Geo-location option specified under the Zone from Config>GSLB>Zone>Zone-Name>Service>Geo-Location experienced two errors. Once you attempted to save your zone configuration, an error message would be logged indicating a failure. Also, the service IP configured under the zone or service would be missing.

Trigger: Described above

Version: 2.6.1-GR1-P11 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

Workaround: None


155143 System area: DHCP

Description: When the broadcast flag is set to 1, the DHCP “discover” packet will be sent to the server, but the “offer” response will not be forwarded in return to the client.

Trigger: Described above

Version: 2.7.0-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: None

152890 System area: Routing

Description: Previously, there was an issue with propagating Loopback IP addresses and NAT pools into routing protocols. For example, this issue was encountered when a partition was deleted and added back as shown in the following steps:

• Configure the IP address on the loopback or NAT pool in a private partition.

• Remove the private partition that contains the IP addresses.

• Configure the private partition again and configure the same IP addresses in the private partition. The IP addresses are not recognized by the dynamic routing protocols, and cannot be displayed using the show ip route CLI command.

Trigger: Described above.

Version: 2.7.1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Remove the IP addresses explicitly in the private partitions.

150617 System area: SLB

Description: The automatically created real-server was deleted when you deleted the service-group, especially if the real server belonged to the deleted service group only.

Trigger: Described above

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: None


149299 System area: HTTP

Description: When a POST request contained content length and also an “Expect: 100 Continue” field, the client would not send data until the server responded back with a “100 Continue” response. Even if the server responded with “401 Unauthorized” message, the AX device still waited for data from the client for the POST and hence the next request was considered as a body for the previous POST request.

Trigger: Described above.

Version: All

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: None

144805 System area: SLB and ICMP error handling

Description: ICMP error handling capability for SLB sessions needed to be improved.

Trigger: Described above.

Version: 2.7.0-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: None

141835 System area: GSLB

Description: A new option server-mode-only has been added for GSLB server mode. If you do not choose to configure GSLB in server-mode-only, the ACOS device will forward the query to the backend DNS server when the list is empty.

When “server-mode-only” is configured, the ACOS device will respond with the NXDOMAIN or the configured list of back-up servers.

Trigger: Described above.

Version: 2.7.1-Px or earlier.

Reproducibility: 100%

Severity: P4

Reported by customer: Yes

Workaround: None
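Issues 178738 (the RA flag must be cleared by a GSLB controller that does not recurse) and 141835 (answer NXDOMAIN locally instead of forwarding when server-mode-only is set) both come down to what the GSLB responder puts in the DNS header. The script below is an added example, not A10 code: it builds a response header with QR set, RD echoed from the query and RA cleared, and applies a simplified version of the server-mode-only decision. The query header is constructed, and treating the back-up-server case as out of scope is an assumption (the page says the device may answer with that list instead of NXDOMAIN).

```python
import struct

# DNS header flag bits (RFC 1035 layout: QR, opcode, AA, TC, RD, RA, Z, RCODE).
QR = 0x8000   # message is a response
RD = 0x0100   # recursion desired (copied from the query)
RA = 0x0080   # recursion available: must stay clear on a non-recursive responder
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
HEADER = "!HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount

# Constructed query header: id 0x1234, RD set, one question.
SAMPLE_QUERY_HEADER = struct.pack(HEADER, 0x1234, RD, 1, 0, 0, 0)


def parse_header(pkt):
    """Decode the 12-byte DNS header into the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER, pkt[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def build_response_header(query_header, rcode, ancount):
    """Response header for a non-recursive responder: QR set, RD echoed, RA never set."""
    q = parse_header(query_header)
    flags = QR | (RD if q["rd"] else 0) | (rcode & 0x000F)
    return struct.pack(HEADER, q["id"], flags, q["qdcount"], ancount, 0, 0)


def respond(query_header, records, server_mode_only):
    """Simplified server-mode-only decision (issue 141835): with records, answer them;
    with none and server-mode-only set, answer NXDOMAIN; otherwise hand the query to the
    backend DNS servers. Returns (action, header-or-None)."""
    if records:
        return "answer", build_response_header(query_header, RCODE_NOERROR, len(records))
    if server_mode_only:
        return "nxdomain", build_response_header(query_header, RCODE_NXDOMAIN, 0)
    return "forward", None


def ra_cleared(response_header):
    """Check a captured response the way a verifier for issue 178738 would."""
    return not parse_header(response_header)["ra"]


if __name__ == "__main__":
    action, hdr = respond(SAMPLE_QUERY_HEADER, [], server_mode_only=True)
    print(action, parse_header(hdr))
```

`ra_cleared` is the check to run over a capture of the GSLB VIP's responses after upgrading: a clear RA bit tells resolvers not to expect recursion from the device.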


140518 System area: Web

Description: When you configured a service using the GUI, the administrative IP was automatically configured. This issue has been resolved.

Trigger: Described above.

Version: 261-GR1-P11 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: None

140134 System area: Routing (BGP)

Description: The bgp nexthop-trigger option, which is sometimes used to learn the default route from the BGP neighbors, could cause a forwarding loop.

Trigger: Described above.

Version: 2.7.0-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Remove the bgp nexthop-trigger configuration.


138509 System area: SNMP

Description: The following interface tables in the MIB did not support some types of AX interfaces: ifTable, ifXTable, ipAddrTable, and ipv6AddrTable. These tables did not support management or loopback interfaces.

Notes:

• The tables support trunk interfaces based on their lead (primary) port.

• The tables are not partition-aware. (L3V is not supported.)

The ifTable and ifXTable tables are updated as follows:

• The management interface has ifIndex value 0.

• Loopback interfaces begin at ifIndex 5100. For example, loopback interface 1 is 500, loopback interface 2 is 5001, and so on.

• The statistics fields for loopback interfaces and VE interfaces in these tables always have value zero (0).

• The ipAddrTable and ipv6AddrTable tables are updated so that the ifIndex value points to the proper ifTable or ifXTable for the management and loopback interfaces.

Trigger: Described above.

Version: 2.6.6-GR1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

137167 System area: Routing (BGP)

Description: Soft re-configuration of the BGP session with a neighbor did not work if the update included an AS path change for the default gateway.

Trigger: Described above.

Version: 2.7.1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Clear the BGP session with the neighbor, without a soft re-configuration.


136648 System area: System

Description: There is a data CPU discrepancy of 50% between the shared and the L3V private partition.

Trigger: Described above.

Version: and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

136051 System area: HA

Description: Though the HA configuration on the Active and the Standby device was in sync, the HA status reported that both of the devices were not in sync.

Trigger: Described above.

Version: 2.7.1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

135757 System area: HA

Description: A change to the configuration for a health method was not synchronized correctly to the standby device.

Trigger: Described above.

Version: 2.7.1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

135076 System area: GSLB (Health Monitor)

Description: In a GSLB group deployment, even if a health monitor was unbound from a service-IP following GSLB configuration synchronization, the health monitor could not be deleted from the GSLB members.

Trigger: Described above.

Version: 2.6.1-GR1-P9 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


135055 System area: Health Monitor, SLB

Description: A new command, slb dsr-strict-config, has been added to prevent misconfiguration in DSR deployments. Without the slb dsr-strict-config command, a warning message lets you decide whether or not to proceed. When the same service group is used by two different VIPs, the newly configured VIP is used in the DSR health check. If the slb dsr-strict-config command is configured, you are not allowed to bind the same service group to two different VIPs.

Trigger: Described above.

Version: 2.7.1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

134023 System area: L3V

Description: If you had configured multiple partitions, when you issued the write memory all-partition command, there was no way to track the progress of the write operation.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: Yes

133963 System area: Routing

Description: An underlying issue with SNMP caused a delayed response for the show ip route command.

Trigger: Described above.

Version: 2.7.0-P4 and earlier

Reproducibility: Low

Severity: P4

Reported by customer: Yes


133294 System area: Routing

Description: Certain ACOS devices support a maximum of 4000 static IPv6 routes. Previously, exceeding this number caused the device to shut down. This issue has been resolved: if you try to configure more than 4000 static IPv6 routes, the configuration is rejected and an error message is displayed.

Trigger: Described above.

Version: 2.7.1 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

132826 System area: System

Description: A discrepancy in the configuration file size between the startup and running configuration when you executed the write mem primary all-partitions command caused a problem. This issue has been resolved.

Trigger: Described above.

Version: 2.7.1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

131263 System area: Routing

Description: Press Control-C multiple times when the ACOS device is in a locked state.

Trigger: Described above.

Version: 261-GR and earlier

Reproducibility: Low

Severity: P4

Reported by customer: Yes

129946 System area: Port mirroring

Description: On some AX models (AX5100/5200/5630/6430), an egress mirrored packet always had a VLAN tag, even if the original packet was untagged.

Trigger: Described above.

Version: 2.7.0-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


127168 System area: System

Description: When the DNS server was on the management subnet, and if the NTP server name was resolved by the DNS server, the ACOS device failed to resolve the NTP server’s name. This issue occurred even if the “ip control-apps-use-mgmt-port” option was configured on the management interface.

Trigger: Described above.

Version: 2.7.1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

116668 System area: Web

Description: After you issue the clear command to delete key words, the next time you initiate a search, the descriptions will not be displayed.

Version: 2.7.0-p3, 2.7.1 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: No

Workaround: None

115447 System area: L3V

Description: Shared partition objects in an L3V private partition were shown even when the partition no-sharing command was configured.

Trigger: Described above.

Version: 2.6.1-GR1-P8 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Create a private user for the partition.


115045 System area: Email logging (Layer 3 Virtualization)

Description: Email logging did not work in L3V if the trigger option of the logging email filter command was used in the private partition.

Trigger: Described above.

Version: 2.6.1-GR1-P8 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the trigger option in the shared partition.

107668 System area: VRRP-A HA

Description: Since tracking options are device specific for VRRP-A, after manual configuration synchronization, the Standby ACOS device does not retain the route tracking options.

Trigger: Described above.

Version: 2.6.1-GR1-P9 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: After the synchronization completes, configure route tracking options again.


Upgrade Instructions

This chapter describes how to upgrade the software image on your ACOS device.

Notes

• If you are configuring a new ACOS device, see the Installation Guide for your model.

• If you are upgrading from a release older than 2.6.0-P4, upgrade to 2.6.0-P4 first and then upgrade to the 2.6.1-GR1-Patch release.

• If you are upgrading an aVCS virtual chassis from 2.6.0, you must use the CLI.

• This chapter may contain references to “AX release” versions. The term “AX release” is an older term for “ACOS”, which now also runs on A10 Thunder devices, beginning in ACOS 2.7.1.

Image File Names

Make sure to use the correct image file for your A10 Thunder or AX model. The image files are named as follows:

TABLE 16 ACOS Image File Names

Flexible Traffic ASIC model? Yes. These models feature the Flexible Traffic ASIC (FTA).

Models: Thunder 6630S, Thunder 6630, Thunder 6430, Thunder 6430S, Thunder 5630S, Thunder 5630, Thunder 5430S, Thunder 5430S-11, Thunder 5430-11, Thunder 4430S, Thunder 4430, AX 5630, AX 5200-11, AX 3400, AX 3200-12

Image name: ACOS_FTA_version.tgz

Flexible Traffic ASIC model? No. These models do not use FTAs.

Models: Thunder 3030S, Thunder 1030S, Thunder 930, AX 3530, AX 3030, AX 3000-11-GCF, AX 3000, AX 2600, AX 2500, AX 1030

Image name: ACOS_non_FTA_version.tgz

Virtual devices: vThunder, Thunder 3030S HVA, Thunder 3530S HVA

Cautions

Before you upgrade, ensure that you carefully read the following cautions. Some cautions also apply to downgrade.

As a best practice, save the configuration, then copy the startup-config to a remote server, before you upgrade.

While command name changes between releases are not common, saving a backup avoids the need to re-enter the older syntax following a downgrade.

NOTE: If you are upgrading ACOS devices that run aVCS, also see “Upgrading the Software Image (aVCS Virtual Chassis)” on page 343.

HTTP Compression Modules

If you are upgrading an ACOS device that contains an HTTP compression module, the module will not work after you upgrade to the 2.6.1-GR1-Patch release. Likewise, an HTTP compression module installed in an ACOS device configured at the factory with 2.6.1-GR1-Patch release or later will not work with earlier software versions. If this affects your ACOS device, contact A10 Networks.

ADP (L3V / RBA)

If ADP is configured on the ACOS device and you plan to upgrade or downgrade to an ACOS release that does not support it, A10 Networks recommends that you first delete all the private partitions before installing the new software. Otherwise, resources such as aFleX policies, SSL certificates and keys, or external health monitoring programs in the private partitions will be visible and therefore can pose a security risk.

RADIUS Server Commands in Startup-Config

If the startup-config on the ACOS device you are planning to upgrade contains a radius server or radius port command, these commands are automatically converted to their new formats after you upgrade and save the configuration.

RADIUS / TACACS+ Shared Secret Strings Longer than 15 Characters

The maximum shared-secret length for RADIUS and TACACS+ has been increased from 15 characters to 128 characters. If you configure a shared secret longer than 15 characters in this release or later, then downgrade to an earlier release where the longer string length is not supported, the shared secret string will be incorrect and will need to be reconfigured.

NAT Pool-Group Commands in Startup-Config

In AX release 2.4.3, if the startup-config on the ACOS device you are planning to upgrade contains pool groups for IP NAT, the commands for the pool groups are automatically converted to the new syntax after you upgrade. However, if you later downgrade the ACOS device to a release earlier than 2.4.3, the software will not recognize pool groups that contain more than 5 pools.

HA Interfaces

Beginning in AX release 2.7.0, in deployments that use the older implementation of High Availability (HA), if an HA interface is a tagged member of a VLAN, you must specify the VLAN ID when configuring the interface to be an HA interface.


GSLB Groups

It is possible for GSLB configuration items to be lost on GSLB group members following upgrade. To avoid this issue, see “Upgrading Devices in GSLB Groups” on page 335.

HA Session Synchronization

When you upgrade ACOS devices that are deployed in High Availability (HA) mode, the ACOS version running on the active device briefly differs from the version running on the standby device.

Notes

• If the configuration on a device you are upgrading from 2.6.1-GR1 (or any of its patches) to 2.7.1-P1 contains the no-dest-nat option, session synchronization between the devices does not work.

• Session synchronization applies only to TCP and UDP Layer 4 virtual ports. Session synchronization does not apply to other types of virtual ports, such as HTTP/HTTPS VIPs.

• Depending on the versions you are upgrading from and to, session synchronization may not work until all devices are running the same version. For example, if you are upgrading from 2.6.1-GR1 to 2.7.0, session synchronization does not work while one of the ACOS devices is running 2.7.0 but the other device is still running 2.6.1-GR1.

Due to the behavior summarized in the table, existing sessions that would normally be mirrored may be lost. Typically, this means clients will need to retransmit or re-establish their connections. This should occur only one time. Once both ACOS devices are running the same software version, session synchronization will operate normally again.

NOTE: On each ACOS device, enable SSH on the HA interface used for configuration synchronization.

• Using the GUI – Config Mode > System > Access Control

• Using the CLI – enable-management service ssh command at global configuration level

Save the change to the startup-config.

TABLE 17 HA Session Synchronization Support During Upgrade

Rows: version running on the active ACOS device. Columns: version running on the standby ACOS device.

Active \ Standby   2.7.2            2.7.1            2.7.0            2.6.1-GR1-Patch  2.4.3            2.2.5
2.7.2              Supported        Supported        Supported        No session sync  No session sync  No session sync
2.7.1              Supported        Supported        Supported        No session sync  No session sync  No session sync
2.7.0              Supported        Supported        Supported        No session sync  No session sync  No session sync
2.6.1-GR1-Patch    No session sync  No session sync  No session sync  Supported        No session sync  No session sync
2.4.3              No session sync  No session sync  No session sync  No session sync  Supported        No session sync
2.2.5              No session sync  No session sync  No session sync  No session sync  No session sync  Supported
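The upgrade-path note at the start of this chapter (anything older than 2.6.0-P4 steps through 2.6.0-P4 first) and the session-synchronization matrix in Table 17 both come down to comparing ACOS version strings. The following Python is an added example, not code from A10 Networks or from these release notes: it parses version strings of the forms used in this document (2.6.0-P4, 2.6.1-GR1-P9, 2.7.2-P7-SP3), orders them, and returns the install sequence and the session-sync answer for a pair of HA members. The relative ordering of the GR, P and SP suffixes, the AcosVersion class and the function names are assumptions made for the example; the 2.6.1-GR1-Patch column of Table 17 is treated as any 2.6.1-GR1 patch level, and the table's rule is generalized as "2.7.0, 2.7.1 and 2.7.2 sync with each other; any other pair syncs only when both run the same x.y.z release".

```python
import re
from dataclasses import dataclass

# Version strings as written in this document: "2.6.0-P4", "2.6.1-GR1-P9",
# "2.7.2-P7-SP3". The suffix order (GR, then P, then SP) is an assumption.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-GR(?P<gr>\d+))?(?:-P(?P<p>\d+))?(?:-SP(?P<sp>\d+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True, order=True)
class AcosVersion:
    """Comparable ACOS version; the field order is the comparison order."""
    major: int
    minor: int
    patch: int
    gr: int = 0   # GR (golden release) number, 0 if absent
    p: int = 0    # P (patch) number, 0 if absent
    sp: int = 0   # SP (service pack) number, 0 if absent

    @classmethod
    def parse(cls, text):
        m = _VERSION_RE.match(text.strip())
        if m is None:
            raise ValueError(f"unrecognised ACOS version string: {text!r}")
        fields = {k: int(v) for k, v in m.groupdict().items() if v is not None}
        return cls(**fields)

    @property
    def release(self):
        """The x.y.z part, which Table 17 is keyed on."""
        return (self.major, self.minor, self.patch)

    def __str__(self):
        s = f"{self.major}.{self.minor}.{self.patch}"
        s += f"-GR{self.gr}" if self.gr else ""
        s += f"-P{self.p}" if self.p else ""
        s += f"-SP{self.sp}" if self.sp else ""
        return s


# From the chapter notes: releases older than 2.6.0-P4 must step through it.
INTERMEDIATE = AcosVersion.parse("2.6.0-P4")

# From Table 17: 2.7.0, 2.7.1 and 2.7.2 synchronize sessions with each other;
# every other pairing synchronizes only when both devices run the same release.
SYNC_FAMILY = {(2, 7, 0), (2, 7, 1), (2, 7, 2)}


def upgrade_path(running, target):
    """Ordered list of versions to install to get from running to target."""
    run, tgt = AcosVersion.parse(running), AcosVersion.parse(target)
    if tgt <= run:
        raise ValueError(f"{target} is not newer than the running version {running}")
    path = []
    if run < INTERMEDIATE < tgt:
        path.append(str(INTERMEDIATE))
    path.append(str(tgt))
    return path


def session_sync_supported(active, standby):
    """True if HA session synchronization works across this version pair."""
    a = AcosVersion.parse(active).release
    s = AcosVersion.parse(standby).release
    if a in SYNC_FAMILY and s in SYNC_FAMILY:
        return True
    return a == s


if __name__ == "__main__":
    print(upgrade_path("2.6.0-P3", "2.6.1-GR1-P9"))
    print(session_sync_supported("2.7.0", "2.7.1"), session_sync_supported("2.7.1", "2.6.1-GR1-P9"))
```

Run it with the versions reported by show version on both HA members before you start: when session_sync_supported returns False for the mixed-version state that exists mid-upgrade, plan for clients to re-establish their connections, as the HA Upgrade Example below describes.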

HA Upgrade Example

Here is an example of a typical upgrade scenario:

1. Both ACOS devices are running AX Release 2.7.0

2. Upgrade the HA standby ACOS device to 2.7.1 and reboot.

NOTE: As part of the upgrade process, make sure to copy the configuration to the image area (primary or secondary) where you plan to install the upgrade, before uploading the upgrade. Each image area has its own separate startup configuration.

3. After rebooting, the HA standby ACOS device resumes HA standby operation.

4. The HA active ACOS device sends session synchronization packets to the HA standby ACOS device.

5. If you are upgrading from 2.6.x to 2.7.x, the HA standby ACOS device will detect a synchronization version mismatch and ignore the synchronization packets. As a result, existing connections are not mirrored.

Refer to Table 17 for supported session synchronization upgrade paths between different ACOS versions.

6. Upgrade the HA active ACOS device to ACOS 2.7.1 (optionally triggering HA failover first) and reboot. Since existing connections were not mirrored, clients will need to retransmit or re-establish their connections.

7. After the HA active ACOS device reboots, both devices are now running ACOS 2.7.1. HA session synchronization oper-ates normally.

Boot Order—How ACOS Gets the Image To Boot

NOTE: If you are upgrading ACOS devices that run aVCS, skip this section and go to “Upgrading the Software Image (aVCS Virtual Chassis)” on page 343.

Each ACOS device has four locations in which software images can be placed:

• Disk (hard disk or Solid State Drive), in the primary image area

• Disk, in the secondary image area

• Compact flash (CF), in the primary image area

• CF, in the secondary image area


FIGURE 18 Software Image Locations on the ACOS device

At the factory, the current generally available release is loaded into all four areas before the device is shipped. When you upload a new image onto the ACOS device, you can select the image device (disk or CF) and the area (primary or secondary) on the device.

When you power on or reboot the ACOS device, it always attempts to boot from the disk, using the image area specified in the configuration (disk primary, by default). If a disk failure occurs, the device attempts to boot from the same image area on the backup disk (if applicable to the A10 Thunder Series or AX Series model).

CAUTION: A10 Networks recommends that you install the new image into only one disk image area (primary or secondary) and leave the image you are upgrading from in the other area. If you need to downgrade or an issue occurs when rebooting with the new image, leaving the old image on the device will make it easier to restore the system.

In ACOS 2.7.1, when you save the configuration in the current image area, ACOS displays a prompt asking whether you also want to save the configuration to the other area. Syntax that is new or changed in ACOS 2.7.1 may not be compatible with your older ACOS version.

NOTE: Allow up to five minutes for the reboot to complete. (The typical reboot time is 2-3 minutes.) During the reboot, the system performs a full reset and will be offline. The actual time may vary depending on system parameters.

NOTE: Copying the configuration does not provide a complete system backup. For example, copying the configuration does not include aFleX policies, SSL certificates and keys, or class lists. For a complete system backup, use the backup option as described in the procedure later in this section.

Recommendations (for non-aVCS deployments)

You can upload a new image into any of the areas listed above and you can configure the boot profile to try booting from those areas in any order you choose. However, to simplify the upgrade process and ensure that the system always has a backup image in case a problem occurs, A10 Networks recommends that you use the following process to upgrade.

NOTE: The ACOS device always tries to boot using the disk first. The CF is used only if the disk is unavailable.

NOTE: If the ACOS devices are running AX Virtual Chassis System (aVCS), this recommendation is not applicable. Instead, see “Upgrading the Software Image (aVCS Virtual Chassis)” on page 343.

Alternate Loading of the New Image into the Primary and Secondary HD Areas

1. Save the configuration to the current image area (the area from which the device was most recently booted).

2. Back up the system. (A complete system backup is needed, so that all files, in addition to the configuration files, are included.)

3. Leave the factory-installed images in the CF and never replace them.

4. The first time you upgrade, upload the new image into the primary disk area. Leave the current image (the image you are upgrading from) in the secondary disk area.

5. The next time you upgrade, save the startup-config in the image area you upgraded last time. Also save the same startup-config to the other image area, where you plan to install the upgrade. You must save the startup-config that is in the image area you booted from into the image area you will upgrade, so that the system will be running the correct configuration following the upgrade.

6. Leave the current image (the image to which you upgraded previously) in the primary disk area, and upload the new image into the secondary disk area.

7. For each subsequent upgrade, alternate by saving the startup-config into, and uploading the new image into, the disk area that has the oldest image. Generally, the oldest image will be two images back.

For example, if your system is shipped with 2.7.0 installed and you upgrade to 2.7.1, 2.7.1 will go into the primary image area and 2.7.0 will stay in the secondary image area. When you upgrade again, 2.7.1 will stay in the primary image area and the newer image will go into the secondary image area.

NOTE: Make sure to copy the configuration to the image area where you plan to install the upgrade, before uploading the upgrade. Each image area has its own separate startup configuration.

8. Modify the boot profile to first attempt to boot from the disk area that has the newest image.

NOTE: If you plan to reboot immediately following the upgrade (an option you can select when you upgrade), modify the boot profile before you upgrade.


FIGURE 19 Upgrade Process (non-aVCS only)

Upgrading Devices in GSLB Groups

If you use GSLB groups, GSLB configuration items can be lost following upgrade, unless you use the following procedure.

NOTE: For group members that are members of an aVCS virtual chassis, perform these steps on the vMaster.

1. On each member device of the GSLB group, save the configuration.

2. On each member device in the group, disable the GSLB group and save the configuration.

3. Use the procedures in this chapter to upgrade the GSLB group members, one group at a time.

For example, if there are 2 GSLB groups, 1 and 2, upgrade all the member devices in group 1 first, then upgrade all the member devices in group 2. After all members come up in the GSLB group 1, upgrade each member of GSLB group 2.

4. After all members in the last group finish booting with the new software version, enable the GSLB group on each device. Make sure all members join the group successfully.

5. On each member device of the GSLB group, again save the configuration.

CLI Example

The following commands perform step 1 through step 4:

ACOS-gslb:Member(config)#write memory

ACOS-gslb:Member(config)#gslb group shared

ACOS-gslb:Member(config-gslb group)#no enable

ACOS-gslb:Member(config-gslb group)#exit

ACOS-gslb:Member(config)#write memory

The following commands perform step 5:

ACOS-gslb:Member(config)#gslb group shared

ACOS-gslb:Member(config-gslb group)#enable

Upgrading the Software Image (non-aVCS deployment)

To upgrade the software image, use either of the following methods.

NOTE: Use this procedure only to upgrade an ACOS device that is running standalone (not in an aVCS virtual chassis). To upgrade ACOS devices in a virtual chassis, see the following section instead: “Upgrading the Software Image (aVCS Virtual Chassis)” on page 343.

Using the GUI

To upgrade your older software image to the latest software, follow the steps listed in this section. Note, since you are upgrading from an earlier version of the software, the GUI images shown in this section may not match the current GUI.

Set the Default Save Settings

From the GUI, navigate to Config Mode > System > Settings > Web. In the Preference section, select All Partitions in the Default Save To field. This will preserve your private partitions configurations.

Save the Configuration

Click on the Save button.


FIGURE 20 Save the Configuration

Save the Configuration to the Image Area Where You Plan to Install the Upgrade

NOTE: This step requires the CLI. You cannot perform this step using the GUI.

1. Log onto the CLI.

2. Access the global configuration level:

a. Enter the enable command. If prompted for the enable password, enter the password. The command prompt changes from hostname> to hostname#.

b. Enter the configure command. The command prompt changes from hostname# to hostname(config)#.

3. Use the following command:

write memory {primary | secondary}[all-partitions | partition partition-name]

If you plan to install the upgrade into the primary image area, specify primary. Otherwise, specify secondary.

The all-partitions and partition partition-name options apply only if you are upgrading an ACOS device with RBA/L3V configured. These options do not appear unless you are logged on with root or super user (global read-write) privileges.


4. Exit the configuration mode, by entering the following command:

exit

5. End the CLI session, by entering the following command:

exit

Create a Full System Backup

A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys.

1. Select Config Mode > System > Maintenance.

2. Select Backup > Config on the menu bar.

3. Select the backup location:

• Local – Saves the backup on the PC or workstation where you are using the GUI.

• Remote – Saves the backup onto another PC or workstation.

4. If you selected Local:

a. Click Apply.

b. Click Save and navigate to the save location. Optionally, you can edit the filename.

c. Click Save.

5. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname. To change the backup file from the default (“backup_system.tar”), specify the new name at the end of the path.

e. In the User and Password fields, enter the username and password required for write access to the remote device.

f. Click OK.

6. To also back up the system log files (and core files, if any):

a. Select Backup > Syslog on the menu bar.

b. Select the backup location: Local or Remote. (See above for descriptions.)


FIGURE 21 Config > System > Maintenance > Backup > System

Change the Boot Order

1. Select Config > System > Settings.

2. Select Boot on the menu bar. The boot settings are displayed.

3. If the Hard Disk image area where you plan to install the new image is not selected, select it and click OK. For example, if Primary is selected but you plan to install the image into the secondary image area, select Secondary.

FIGURE 22 Config > System > Settings > Boot

NOTE: Although the Boot Image tab allows selection of an image area in the compact flash, the ACOS device always tries to boot using the hard disk first. The compact flash is used only if the hard disk is unavailable.

Upload the New Image

1. Select Config Mode > System > Maintenance > Upgrade.

2. For Media, leave Hard Disk selected.

3. For destination, select the area that contains the oldest image. If both areas contain the same image version, select Primary.

NOTE: The image area you select here needs to be the same area selected above, in the "Change the Boot Order" section.

4. For Reboot, select Yes to reboot now, or No if you prefer to reboot later. The new image takes effect only after a reboot.

5. For Upgrade from, select the location where you saved the upgrade image:


• Local – Uploads the image from the PC or workstation where you are using the GUI.

• Remote – Uploads the image from another PC or workstation.

6. If you selected Local:

a. Click Browse and navigate to the image location.

b. Click Open.

c. Click Apply.

7. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname and image file name.

e. In the User and Password fields, enter the username and password required for access to the remote device.

f. Click Apply.

FIGURE 23 Config > System > Maintenance

Using the CLI

All the commands described in this section are available at the global Config level of the CLI.

1. To save the configuration, enter the following command:

write memory

This command saves the configuration to the current image area, from which the device was most recently booted.

2. To save the configuration to the other image area, where you plan to install the upgrade, use the following command:

write memory {primary | secondary}[all-partitions | partition partition-name]

If you plan to install the upgrade into the primary image area, specify primary. Otherwise, specify secondary.

The all-partitions and partition partition-name options apply only if you are upgrading an ACOS device with ADP configured. These options do not appear unless you are logged on with root or super user (global read-write) privileges.


3. To create a full system backup, use the following command:

backup system [use-mgmt-port] url

The url specifies the file transfer protocol, username (if required), directory path, and filename. The following types of URLs are supported:

• tftp://host/file

• ftp://[user@]host[:port]/file

• scp://[user@]host/file

• rcp://[user@]host/file

• sftp://[user@]host/file

You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password.

The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.

A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys. To also back up system log files (and core files, if any), use the following command:

backup log [use-mgmt-port] url

4. To verify and change the boot order (if required), use the following commands:

show bootimage

bootimage hd {pri | sec}

The {pri | sec} option specifies whether the ACOS device first tries to boot using the image in the primary image area or the secondary image area.

NOTE: You only need to change the boot order if you plan to upload the new image into an image area that is not the first image area the ACOS device uses when it boots.

NOTE: The bootimage command also allows selection of an image area in the compact flash; however, this syntax is not shown above. The ACOS device always tries to boot using the hard disk first. The compact flash is used only if the hard disk is unavailable.

5. To upload the new image onto the ACOS device and reboot, use the following command:

upgrade hd {pri | sec} [use-mgmt-port] url

The url specifies the file transfer protocol, username and password (if required), directory path, and filename. (See above in the description for the url option of the backup system command.)

The CLI displays a prompt asking you whether to reboot. Enter yes to reboot now, or no if you prefer to reboot later. The new image takes effect only after a reboot.

To verify the upgrade after the ACOS device reboots, use the following command:

show version
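The CLI steps above can be checked mechanically before they are typed. The following Python is an added example, not code from A10 Networks or from these release notes: it parses show bootimage output (the sample below is constructed to match the layout in the Upgrade Example that follows), picks the hard-disk area to upgrade using the rule from "Alternate Loading of the New Image into the Primary and Secondary HD Areas" (the area that does not hold the running image, or primary when both areas hold the same version), rejects backup and upgrade URLs that fall outside the forms listed for the backup system command, and emits the command sequence of steps 1 to 5. The function names and the use_mgmt_port and all_partitions flags are assumptions of the example; they map onto the use-mgmt-port and all-partitions options documented above.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the "show bootimage" output in this chapter.
SAMPLE_BOOTIMAGE = """\
(* = Default)
                          Version
-----------------------------------------------
Hard disk primary         2.7.0 (*)
Hard disk secondary       2.6.1
Compact flash primary     2.4.3 (*)
Compact flash secondary   2.4.3
"""

_ROW_RE = re.compile(
    r"^(Hard disk|Compact flash)\s+(primary|secondary)\s+(\S+)\s*(\(\*\))?$"
)

# The URL forms documented for backup system / upgrade: scheme://[user@]host[:port]/file
SUPPORTED_SCHEMES = {"tftp", "ftp", "scp", "rcp", "sftp"}


def parse_bootimage(text):
    """Map ('hd'|'cf', 'pri'|'sec') -> (version, is_default) from show bootimage."""
    areas = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            media = "hd" if m.group(1) == "Hard disk" else "cf"
            area = "pri" if m.group(2) == "primary" else "sec"
            areas[(media, area)] = (m.group(3), m.group(4) is not None)
    if ("hd", "pri") not in areas or ("hd", "sec") not in areas:
        raise ValueError("output does not list both hard-disk image areas")
    return areas


def choose_install_area(areas):
    """Install into the hard-disk area holding the oldest image: the area the
    device did not boot from, or primary when both areas hold the same version."""
    pri_version, pri_is_default = areas[("hd", "pri")]
    sec_version, _ = areas[("hd", "sec")]
    if pri_version == sec_version:
        return "pri"
    return "sec" if pri_is_default else "pri"


def check_url(url):
    """Reject URLs outside the documented forms before they reach the CLI."""
    parts = urlparse(url)
    if parts.scheme not in SUPPORTED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname or parts.path in ("", "/"):
        raise ValueError("URL must name a host and a file")
    if parts.password is not None:
        raise ValueError("do not embed the password; the CLI prompts for it")
    if parts.port is not None and parts.scheme != "ftp":
        raise ValueError("an explicit port is only documented for ftp://")
    return url


def plan_upgrade(bootimage_text, backup_url, image_url,
                 use_mgmt_port=False, all_partitions=False):
    """Return the CLI commands of steps 1 to 5, in order, for the chosen area."""
    area = choose_install_area(parse_bootimage(bootimage_text))
    area_word = "primary" if area == "pri" else "secondary"
    mgmt = " use-mgmt-port" if use_mgmt_port else ""
    parts = " all-partitions" if all_partitions else ""   # ADP/L3V devices only
    return [
        "write memory",                                   # current image area
        f"write memory {area_word}{parts}",               # area being upgraded
        f"backup system{mgmt} {check_url(backup_url)}",   # full system backup
        f"bootimage hd {area}",                           # boot from the new image
        f"upgrade hd {area}{mgmt} {check_url(image_url)}",
    ]


if __name__ == "__main__":
    for cmd in plan_upgrade(SAMPLE_BOOTIMAGE,
                            "tftp://192.168.1.144/ax5200-backup",
                            "tftp://192.168.1.144/ACOS_FTA_2_7_1-P1_57.64.tgz"):
        print(cmd)
```

For the sample output the planner selects the secondary area, matching the Upgrade Example below; if both disk areas already held the same version it would select primary, as the GUI procedure directs. Pass use_mgmt_port=True when the file server is reachable only through the management port.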


Upgrade Example

The following commands upgrade an AX 5200 from AX Release 2.7.0 to ACOS 2.7.1:

ACOS(config)#write memory

Building configuration...

[OK]

ACOS(config)#write memory secondary

Building configuration...

[OK]

ACOS(config)#backup system tftp:

Address or name of remote host []?192.168.1.144

Destination file name [/]?ax5200-backup

System files backup successful

ACOS(config)#show bootimage

(* = Default)

Version

-----------------------------------------------

Hard disk primary 2.7.0 (*)

Hard disk secondary 2.6.1

Compact flash primary 2.4.3 (*)

Compact flash secondary 2.4.3

ACOS(config)#bootimage hd sec

Secondary image will be used if the system is booted from hard disk

ACOS(config)#upgrade hd sec tftp://192.168.1.144/ACOS_FTA_2_7_1-P1_57.64.tgz

Do you want to reboot the system after the upgrade?[yes/no]:yes

After the ACOS device finishes rebooting, verify the upgrade:

ACOS>show bootimage

(* = Default)

Version

-----------------------------------------------

Hard disk primary 2.7.0

Hard disk secondary 2.7.1 (*)

Compact flash primary 2.4.3 (*)

Compact flash secondary 2.4.3


ACOS>show version

AX Series Advanced Traffic Manager AX2500

Copyright 2007-2013 by A10 Networks, Inc. All A10 Networks products are

protected by one or more of the following US patents and patents pending:

7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,

20070283429, 20070271598, 20070180101

64-bit Advanced Core OS (ACOS) version 2.7.1-P1, build 57 (May-31-2013,01:17)

Booted from Hard Disk primary image

...
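The two verification commands, show bootimage and show version, are the only evidence the CLI gives that the upgrade landed in the intended image area and that the device actually booted from it. The following Python script is an added example, not code from these release notes or from A10: it parses output in the two formats shown above, picks the hard-disk area to load the new image into for a non-aVCS upgrade (the area that is not the current default, as the upgrade example does, so the running image stays available for rollback), and after the reboot checks that the default area holds the expected version, that the running version matches it, and that the booted area and the default area agree. The same checks apply to the aVCS procedures later in this chapter. The sample captures embedded in the script are constructed to follow the formats on this page, and their version strings are illustrative.

```python
"""Pre- and post-upgrade checks on ACOS 'show bootimage' / 'show version' output.

Added example for these release notes, not A10 code. It relies only on the
output formats shown in the text; the sample captures below are constructed
to follow those formats and their version strings are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed capture: before the upgrade, running from the hard disk primary area.
BOOTIMAGE_BEFORE = """\
(* = Default)
                  Version
-----------------------------------------------
Hard disk primary        2.7.0 (*)
Hard disk secondary      2.6.1
Compact flash primary    2.4.3 (*)
Compact flash secondary  2.4.3
"""

# Constructed capture: after 'upgrade hd sec ...', 'bootimage hd sec' and a reboot.
BOOTIMAGE_AFTER = """\
(* = Default)
                  Version
-----------------------------------------------
Hard disk primary        2.7.0
Hard disk secondary      2.7.1-P1 (*)
Compact flash primary    2.4.3 (*)
Compact flash secondary  2.4.3
"""

# Constructed capture: the relevant lines of 'show version' after the reboot.
VERSION_AFTER = """\
AX Series Advanced Traffic Manager AX2500
64-bit Advanced Core OS (ACOS) version 2.7.1-P1, build 57 (May-31-2013,01:17)
Booted from Hard Disk secondary image
"""

_MEDIA = {"hard disk": "hd", "compact flash": "cf"}
_AREA = {"primary": "pri", "secondary": "sec"}
_BOOT_RE = re.compile(
    r"^(Hard disk|Compact flash)\s+(primary|secondary)\s+(\S+)(\s+\(\*\))?\s*$",
    re.MULTILINE | re.IGNORECASE)
_VER_RE = re.compile(r"\(ACOS\) version (\S+), build (\d+)")
_BOOTED_RE = re.compile(
    r"Booted from (Hard Disk|Compact Flash) (primary|secondary) image", re.IGNORECASE)


@dataclass
class ImageArea:
    media: str      # "hd" or "cf"
    area: str       # "pri" or "sec"
    version: str
    default: bool   # marked (*) in 'show bootimage'


def parse_bootimage(text: str) -> Dict[Tuple[str, str], ImageArea]:
    """Map (media, area) -> ImageArea; both hard-disk areas must be present."""
    areas = {}
    for m in _BOOT_RE.finditer(text):
        media, area = _MEDIA[m.group(1).lower()], _AREA[m.group(2).lower()]
        areas[(media, area)] = ImageArea(media, area, m.group(3), m.group(4) is not None)
    if ("hd", "pri") not in areas or ("hd", "sec") not in areas:
        raise ValueError("show bootimage output lacks a hard disk image area")
    return areas


def parse_version(text: str) -> Tuple[str, str, str, str]:
    """Return (version, build, booted_media, booted_area) from 'show version'."""
    v, b = _VER_RE.search(text), _BOOTED_RE.search(text)
    if not v or not b:
        raise ValueError("show version output lacks the version or boot-source line")
    return v.group(1), v.group(2), _MEDIA[b.group(1).lower()], _AREA[b.group(2).lower()]


def _default_hd(areas: Dict[Tuple[str, str], ImageArea]) -> ImageArea:
    defaults = [a for (m, _), a in areas.items() if m == "hd" and a.default]
    if len(defaults) != 1:
        raise ValueError("expected exactly one default hard disk image area")
    return defaults[0]


def plan_upgrade(bootimage_text: str) -> str:
    """Hard-disk area to load the new image into for a non-aVCS upgrade.

    The new image goes into the area that is not the current default, so the
    running image stays available for rollback; 'bootimage hd <area>' must
    then make the new area the default before the reboot.
    """
    return "sec" if _default_hd(parse_bootimage(bootimage_text)).area == "pri" else "pri"


def verify_upgrade(bootimage_text: str, version_text: str, expected: str) -> List[str]:
    """Post-reboot checks; an empty list means the upgrade verified cleanly."""
    default = _default_hd(parse_bootimage(bootimage_text))
    version, _build, booted_media, booted_area = parse_version(version_text)
    problems = []
    if default.version != expected:
        problems.append(f"default hd {default.area} holds {default.version}, expected {expected}")
    if version != expected:
        problems.append(f"running version is {version}, expected {expected}")
    if (booted_media, booted_area) != ("hd", default.area):
        problems.append(f"booted from {booted_media} {booted_area}, "
                        f"but the default area is hd {default.area}")
    return problems


if __name__ == "__main__":
    print("load the new image into hd", plan_upgrade(BOOTIMAGE_BEFORE))
    print("post-upgrade problems:", verify_upgrade(BOOTIMAGE_AFTER, VERSION_AFTER, "2.7.1-P1"))
```

The third check in verify_upgrade is the one worth keeping even if the others are obvious: a capture in which show version reports a different boot area than the one show bootimage marks as default means the device is not running what the boot order says it should, and that should be resolved before the upgrade is declared complete.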

Upgrading the Software Image (aVCS Virtual Chassis)

The following upgrade procedures are provided. Use the procedure that is most applicable to your deployment.

• Full chassis upgrade – This procedure upgrades the software on the vMaster. The vMaster loads the upgrade image onto each of the vBlades, then reboots the vBlades to place the new software into effect. Service is briefly interrupted during the reboot.

The procedure for full chassis upgrade applies to VRRP-A deployments and to deployments that do not use VRRP-A. See “Full Chassis Upgrade (with or without VRRP-A)” on page 350.

• Staggered upgrade in VRRP-A deployment – This procedure avoids service disruption but has more steps than full chassis upgrade. “Staggered Upgrade (with VRRP-A)” on page 350.

• Staggered upgrade with no VRRP-A – This procedure is the same as the staggered upgrade with VRRP-A, except there are no steps related to VRRP-A. See “Staggered Upgrade (no VRRP-A)”.

NOTE: Allow up to five minutes for a reboot to complete. (The typical reboot time is 2-3 minutes.) During a reboot, the system performs a full reset and will be offline. The actual time may vary depending on system parameters.

Using the GUI

This section describes how to upgrade an aVCS chassis using the GUI.

Backing Up the System

Before you begin the upgrade, it is recommended to back up the system. A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys.

1. Select Config Mode > System > Maintenance.

2. Select Backup > Config on the menu bar.


3. Select the backup location:

• Local – Saves the backup on the PC or workstation where you are using the GUI.

• Remote – Saves the backup onto another PC or workstation.

4. If you selected Local:

a. Click Apply.

b. Click Save and navigate to the save location. Optionally, you can edit the filename.

c. Click Save.

5. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname. To change the backup file from the default (“backup_system.tar”), specify the new name at the end of the path.

e. In the User and Password fields, enter the username and password required for write access to the remote device.

f. Click OK.

6. To also back up the system log files (and core files, if any):

a. Select Backup > Syslog on the menu bar.

b. Select the backup location: Local or Remote. (See above for descriptions.)

FIGURE 24 Config > System > Maintenance > Backup > System


Full Chassis Upgrade (with or without VRRP-A)

NOTE: This procedure requires a reboot of each ACOS device in the virtual chassis. In this case, the vMaster sends the new image to all vBlades and reboots all devices in the virtual chassis, including itself. This can take several minutes, during which a service outage will occur.

Perform the following steps on the vMaster.

1. Select Config Mode > System > Maintenance > Upgrade.

2. For Media, leave Hard Disk selected.

3. For destination, leave it unchanged.

4. For Reboot, select Yes to reboot now, or No if you prefer to reboot later. The new image takes effect only after a reboot.

5. For Upgrade from, select the location where you saved the upgrade image:

• Local – Uploads the image from the PC or workstation where you are using the GUI.

• Remote – Uploads the image from another PC or workstation.

6. If you selected Local:

a. Click Browse and navigate to the image location.

b. Click Open.

c. Click Apply.

7. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname and image file name.

e. In the User and Password fields, enter the username and password required for access to the remote device.

f. Click Apply.

8. Leave Staggered Upgrade Mode unselected.

9. Click OK.

Staggered Upgrade (with VRRP-A)

NOTE: Staggered upgrade using the GUI is supported only in AX Release 2.7.0 and later. This section is inapplicable to performing staggered upgrade from 2.6.1 using the GUI.

1. Select Config Mode > System > Maintenance > Upgrade.


2. For Media, leave Hard Disk selected.

3. Next to Destination, select the image area.

NOTE: All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from their own primary image areas.

4. For Reboot, select Yes to reboot as soon as you click OK, or No if you prefer to reboot later. The new image takes effect only after a reboot.

5. For Upgrade from, select the location where you saved the upgrade image:

• Local – Uploads the image from the PC or workstation where you are using the GUI.

• Remote – Uploads the image from another PC or workstation. Local should be used in most cases to avoid compatibility issues.

6. If you selected Local:

a. Click Browse and navigate to the image location.

b. Click Open.

c. Click Apply.

7. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname and image file name.

e. In the User and Password fields, enter the username and password required for access to the remote device.

f. Click Apply.

8. Select Staggered Upgrade Mode, and specify the aVCS device ID of the device to reboot.

9. Click OK.

10. After the vBlade reboots, on the vMaster set the priority of each VRID to a value lower than the priority of the same VRID on the upgraded vBlade, so that the vBlade becomes the active device:

NOTE: Do not use the Force Self Standby option.

a. Select Config Mode > VRRP-A > Setting > VRRP-A Interface.

b. Next to Preempt Mode, select Enabled, if not already selected.

c. Select all the VRIDs.

d. Edit the value in the Priority field to a value that is lower than the priority value(s) for the VRIDs on the other (upgraded vBlade) ACOS device.


e. Click Edit.

f. Click OK.

11. Go to the vBlade device and force failover in order to take over the vMaster role:

a. Select Config Mode > System > aVCS > General.

b. In the vmaster-take-over field, enter 255.

c. Click OK.

During failover, the vBlade becomes the vMaster. vMaster becomes a vBlade device. The new vMaster will detect that the vBlade device is running old software, and it will upgrade the vBlade. As part of the upgrade, the vMaster will reboot the vBlade.

12. Optionally, force failover back to the original vMaster. On the original vMaster (now a vBlade):

a. Select Config Mode > System > aVCS > General.

b. In the vmaster-take-over field, enter 255.

c. Click OK.

13. For each VRID, reset the VRRP-A priority to its previous value, so that the original vMaster is again the active device:

a. Select Config Mode > VRRP-A > Setting > VRRP-A Interface.

b. Next to Preempt Mode, select Enabled, if not already selected.

c. Select all the VRIDs.

d. Edit the value in the Priority field back to the value it had before step 10 (higher than the priority value(s) for the VRIDs on the other ACOS device).

e. Click Edit.

f. Click OK.


Staggered Upgrade (no VRRP-A)

NOTE: Staggered upgrade using the GUI is supported only in AX Release 2.7.0 and later. This section is inapplicable to performing staggered upgrade from 2.6.1 using the GUI.

1. Select Config Mode > System > Maintenance > Upgrade.

2. For Media, leave Hard Disk selected.

3. Next to Destination, select the image area.

NOTE: All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from their own primary image areas.

4. For Reboot, select Yes to reboot as soon as you click OK, or No if you prefer to reboot later. The new image takes effect only after a reboot.

5. For Upgrade from, select the location where you saved the upgrade image:

• Local – Uploads the image from the PC or workstation where you are using the GUI.

• Remote – Uploads the image from another PC or workstation.

6. If you selected Local:

a. Click Browse and navigate to the image location.

b. Click Open.

c. Click Apply.

7. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname and image file name.

e. In the User and Password fields, enter the username and password required for access to the remote device.

f. Click Apply.

8. Select Staggered Upgrade Mode, and specify the aVCS device ID of the device to reboot.

9. Click OK.


10. Go to the vBlade device and force failover in order to take over the vMaster role:

a. Select Config Mode > System > aVCS > General.

b. In the vmaster-take-over field, enter 255.

c. Click OK.

During failover, the vBlade becomes the vMaster. vMaster becomes a vBlade device. The new vMaster will detect that the vBlade device is running old software, and it will upgrade the vBlade. As part of the upgrade, the vMaster will reboot the vBlade.

11. Optionally, force failover back to the original vMaster. On the original vMaster (now a vBlade):

a. Select Config Mode > System > aVCS > General.

b. In the vmaster-take-over field, enter 255.

c. Click OK.

Using the CLI

This section describes how to upgrade an aVCS chassis using the CLI.

Backing Up the System

Before you begin the upgrade, it is recommended to back up the system. A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys.

To do so, use the following command:

backup system [use-mgmt-port] url

The url specifies the file transfer protocol, username (if required), directory path, and filename. The following types of URLs are supported:

• tftp://host/file

• ftp://[user@]host[:port]/file

• scp://[user@]host/file

• rcp://[user@]host/file

• sftp://[user@]host/file

You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password.

The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.


Full Chassis Upgrade (with or without VRRP-A)

NOTE: This procedure requires a reboot of each ACOS device in the virtual chassis. In this case, the vMaster sends the new image to all vBlades and reboots all devices in the virtual chassis, including itself. This can take several minutes, during which a service outage will occur.

Perform the following steps on the vMaster.

1. Save the startup-config to a new configuration profile:

write memory all-partitions

2. Upload the new image onto the vMaster and reboot:

upgrade hd {pri | sec} [use-mgmt-port] url

The CLI displays a prompt asking you whether to reboot. Enter yes to reboot now, or no if you prefer to reboot later. The new image takes effect only after a reboot.

3. To verify the upgrade after the ACOS device reboots, use the following command:

show version

Staggered Upgrade (with VRRP-A)

In this procedure, the vBlades are upgraded first, followed by the vMaster.

NOTE: These steps assume that when you begin the procedure, the vMaster is also the active VRRP-A device for all VRIDs.

Perform step 1 through step 5 on the vMaster:

1. On the vMaster, verify the currently running software version and the image area currently in use.

show bootimage

show version

All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from the primary image areas on those devices.

2. Save the configuration to the other image area:

write memory {primary | secondary} [all-partitions]

NOTE: Make sure to use the all-partitions option, if RBA/L3V private partitions are configured.


3. Upgrade the vBlade, by loading the new software image into the image area currently in use by the vBlade:

upgrade hd {pri | sec} [use-mgmt-port] url staggered-upgrade-mode device DeviceID

• The device DeviceID specifies the vBlade’s aVCS device ID.

• The url specifies the file transfer protocol, username and password (if required), directory path, and filename.

• The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.

This step reboots the vBlade. The vMaster continues to operate.

4. For each VRID that is active on the device, force failover from the vMaster to the vBlade:

vrrp-a vrid {num | default}

This command changes to the configuration level for the VRID. At this level, use the following command:

priority 255 device DeviceID

NOTE: Do not use the vrrp-a force-self-standby command.

5. Validate that the load-balanced services are working. (The show commands or other techniques depend on your deployment. The show slb virtual-server command is useful in almost any deployment.)

Perform step 6 on the vBlade, to take over vMaster role:

6. On the vBlade that is running the new software image, at the Privileged EXEC level (AX#), use the following command to force the vBlade to take over the vMaster role:

vcs vmaster-take-over 255

During failover, the vBlade becomes the vMaster, and the vMaster becomes a vBlade. The new vMaster will detect that the vBlade device is running old software, and it will upgrade the vBlade. As part of this upgrade, the vMaster will reboot the vBlade.

(Optional) Perform step 7 on the new vBlade (former vMaster), to resume the vMaster role and again become the active device for the VRID:

7. Optionally, force failover back to the original vMaster.

a. At the Privileged EXEC level (AX#), use the following command to take over the vMaster role:

vcs vmaster-take-over 255

b. For each VRID, use the following commands to reset the VRRP-A priority to its previous value.

vrrp-a vrid {num | default}

priority previous-value device DeviceID


CLI Example

The commands in this example perform a staggered upgrade of a virtual chassis containing 2 devices (ACOS1 and ACOS2). Before the procedure begins, and after it is completed, ACOS1 is the vMaster and ACOS2 is the vBlade. The devices are running the software image located in the primary image area.

The following commands are entered on ACOS1 (the vMaster):

ACOS1-vMaster-Active(config)#show bootimage

(* = Default)

Version

-----------------------------------------------

Hard disk primary 2.7.1-P1 (*)

Hard disk secondary 2.6.1-GR-P2

Compact flash primary 2.4.3 (*)

Compact flash secondary 2.4.3

ACOS1-vMaster-Active(config)#show version

AX Series Advanced Traffic Manager AX2500

Copyright 2007-2012 by A10 Networks, Inc. All A10 Networks products are

protected by one or more of the following US patents and patents pending:

7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,

20070283429, 20070271598, 20070180101

64-bit Advanced Core OS (ACOS) version 2.6.1-GR1-P2, build 57 (May-07-2012,02:04)

Booted from Hard Disk primary image

Serial Number: AXxxxxxxxxxxxxxx

aFleX version: 2.0.0

aXAPI version: 2.0

Hard Disk primary image (default) version 2.6.1-GR1-P2, build 57

...

ACOS1-vMaster-Active(config)#write memory primary all-partitions

Building configuration...

Write configuration to default startup-config

[OK]

ACOS1-vMaster-Active(config)#upgrade hd pri use-mgmt-port ftp://[email protected]/Ax52_upg_2_7_1-P1_57.64.tgz staggered-upgrade-mode device 2

Password []?********

ACOS1-vMaster-Active(config)#vrrp-a vrid default

ACOS1-vMaster-Active(conf-vrid)#priority 255 device 2

ACOS1-vMaster-Standby(conf-vrid)#exit


On ACOS2 (the upgraded vBlade), the following commands access the Privileged EXEC level of the CLI, and take over the vMaster role:

ACOS2-vBlade-Active>enable

Password:enable-password

ACOS2-vBlade-Active#vcs vmaster-take-over 255

ACOS2-vMaster-Active#

Optionally, the following commands on ACOS1 return that device to the vMaster role, and reset the VRID priority so that ACOS1 is again the active VRRP-A device for the VRID.

ACOS1-vBlade-Standby(config)#vcs vmaster-take-over 255

ACOS1-vMaster-Standby(config)#vrrp-a vrid default

ACOS1-vMaster-Standby(conf-vrid)#priority 100 device 2

ACOS1-vMaster-Active(conf-vrid)#

After this final set of commands, device 1 is again the aVCS vMaster, as well as the active VRRP-A device for the VRID. Device 2 is again the vBlade, as well as the standby device for the VRID.
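The order of the CLI steps above matters because the device that takes over the vMaster role reboots any vBlade still running old software, and a device that reboots while it is the active VRRP-A device for a VRID leaves that VRID with nothing forwarding traffic. The following Python model is an added example, not A10 code: it replays steps 3, 4, 6 and 7 of the staggered upgrade on a two-device chassis and records an outage whenever the device being rebooted is the active one. The model encodes only what the text states (a rebooting device is offline, the new vMaster upgrades and reboots vBlades on old software, and with preempt enabled the highest VRRP-A priority for a VRID is active, 255 being the maximum). The device IDs 1 and 2, the starting priorities 150 and 100, and the version strings are assumptions of the model, not values from the release notes; the 100 restored for device 2 follows the CLI example.

```python
"""Outage check for the aVCS staggered upgrade with VRRP-A.

Added example for these release notes, not A10 code. The model encodes only
what the text states: a rebooting device is offline, the vMaster that takes
over upgrades and reboots any vBlade still on old software, and with preempt
enabled the highest VRRP-A priority for a VRID is active (255 is the maximum).
Device IDs 1 and 2, priorities 150/100 and the version strings are assumed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Device:
    dev_id: int
    version: str
    vmaster: bool
    priority: int      # VRRP-A priority for the single VRID modelled here


class Chassis:
    def __init__(self, devices: List[Device], target: str):
        self.devices = {d.dev_id: d for d in devices}
        self.target = target                 # version being installed
        self.log: List[str] = []
        self.outages: List[str] = []

    def active(self) -> int:
        """Device that owns the VRID: highest priority wins (preempt enabled)."""
        return max(self.devices.values(), key=lambda d: d.priority).dev_id

    def vmaster(self) -> int:
        return next(d.dev_id for d in self.devices.values() if d.vmaster)

    def _reboot(self, dev_id: int, reason: str) -> None:
        # A rebooting device is offline; if it was the active device for the
        # VRID at that moment, nothing forwards traffic for the VRID.
        if self.active() == dev_id:
            self.outages.append(f"device {dev_id} rebooted while active ({reason})")
        self.devices[dev_id].version = self.target
        self.log.append(f"reboot device {dev_id}: {reason}")

    def upgrade_staggered(self, dev_id: int) -> None:
        """'upgrade hd ... staggered-upgrade-mode device <id>' on the vMaster."""
        if self.devices[dev_id].vmaster:
            raise ValueError("staggered upgrade targets a vBlade, not the vMaster")
        self._reboot(dev_id, "staggered upgrade")

    def set_priority(self, dev_id: int, priority: int) -> None:
        """'vrrp-a vrid default' then 'priority <priority> device <id>'."""
        self.devices[dev_id].priority = priority

    def vmaster_take_over(self, dev_id: int) -> None:
        """'vcs vmaster-take-over 255' entered on device <id>."""
        for d in self.devices.values():
            d.vmaster = d.dev_id == dev_id
        # The new vMaster pushes its image to every vBlade on old software
        # and reboots it, as the procedure text describes.
        for d in list(self.devices.values()):
            if not d.vmaster and d.version != self.target:
                self._reboot(d.dev_id, "new vMaster pushed image")


def run_procedure(skip_failover: bool = False) -> Chassis:
    """Replay CLI steps 3, 4, 6 and 7 on a two-device chassis (ACOS1 vMaster).

    Step 5 (validating services) has no effect on the model and is omitted.
    With skip_failover=True step 4 is left out to show why it is required.
    """
    ch = Chassis([Device(1, "2.6.1", True, 150), Device(2, "2.6.1", False, 100)], "2.7.1")
    ch.upgrade_staggered(2)        # step 3: vBlade reboots; vMaster still active
    if not skip_failover:
        ch.set_priority(2, 255)    # step 4: VRID fails over to the upgraded vBlade
    ch.vmaster_take_over(2)        # step 6: ACOS2 takes over, upgrades and reboots ACOS1
    ch.vmaster_take_over(1)        # step 7a: ACOS1 resumes the vMaster role
    ch.set_priority(2, 100)        # step 7b: priority restored; ACOS1 active again
    return ch


if __name__ == "__main__":
    print("procedure as written:", run_procedure().outages or "no outage")
    print("step 4 skipped:", run_procedure(skip_failover=True).outages)
```

Run as written, the model ends with device 1 as vMaster and active for the VRID, both devices on the target version and no outage recorded. With step 4 skipped, the takeover in step 6 reboots device 1 while it still holds the VRID, which is exactly the disruption the priority change is there to prevent.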

Staggered Upgrade (no VRRP-A)

In this procedure, the vBlades are upgraded first, followed by the vMaster.

Perform step 1 through step 4 on the vMaster:

1. On the vMaster, verify the currently running software version and the image area currently in use.

show bootimage

show version

All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from the primary image areas on those devices.

2. Save the configuration to the other image area:

write memory {primary | secondary} [all-partitions]

NOTE: Make sure to use the all-partitions option, if RBA/L3V private partitions are configured.

3. Upgrade the vBlade, by loading the new software image into the image area currently in use by the vBlade:

upgrade hd {pri | sec} [use-mgmt-port] url staggered-upgrade-mode device DeviceID

• The device DeviceID specifies the vBlade’s aVCS device ID.

• The url specifies the file transfer protocol, username and password (if required), directory path, and filename.

• The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.

This step reboots the vBlade. The vMaster continues to operate.


4. Validate that the load-balanced services are working. (The show commands or other techniques depend on your deployment. The show slb virtual-server command is useful in almost any deployment.)

Perform step 5 on the vBlade, to take over vMaster role:

5. On the vBlade that is running the new software image, at the Privileged EXEC level (AX#), use the following command to take over the vMaster role:

vcs vmaster-take-over 255

During failover, the vBlade becomes the vMaster and the vMaster becomes a vBlade. The new vMaster will detect that a vBlade device is running old software and it will upgrade that vBlade. As part of the upgrade, the vMaster will reboot the vBlade.

(Optional) Perform step 6 on the new vBlade (former vMaster), to resume the vMaster role:

6. Optionally, force failover back to the original vMaster.

a. At the Privileged EXEC level (AX#), use the following command to take over the vMaster role:

vcs vmaster-take-over 255

Management GUI Requirements

Table 18 lists the browser versions supported by the ACOS management GUI in this release.

The browser used to access the GUI must support encryption keys of 128 bits or longer. Beginning in Release 2.4.2, shorter encryption keys (for example, 40 bits) are not supported. The browser also must support TLS 1.0. Beginning in Release 2.6.1-P1, browsers that support only SSL are not supported.

A screen resolution of at least 1024x768 is required for the GUI to be displayed correctly.

After you upgrade the ACOS device, clear the browser cache to ensure proper display of the GUI.

TABLE 18 GUI Browser Support

Browser                             Windows         Linux       MAC
IE 10 and higher                    Supported       N/A         N/A
  (applies to 2.7.2-P5 and higher)
Firefox 3.5 and higher              Supported       Supported   N/A
Safari 3.0 and above                Not Supported   N/A         Supported
Chrome 5.0 and above                Supported       Supported   Supported


Disabling HTTP-to-HTTPS Redirection

By default, redirection of HTTP to HTTPS is enabled for access to the management GUI. As a result, even if both HTTP and HTTPS Web access are enabled on an AX interface, HTTP requests sent to the interface will be redirected to HTTPS.

To disable redirection of HTTP to HTTPS for Web management access, enter the following command at the global configuration level of the CLI:

no web-service auto-redir

If you are already logged into the GUI and want to change the setting for the next login, you can disable redirection from within the GUI:

1. Select Config > System > Settings.

2. On the Web tab, click on the Re-direct HTTP to HTTPS checkbox to deselect the option.

3. Click Apply.

Trunk and Layer 2/3 Virtualization Support

If you are upgrading from a release earlier than 2.6.1, the trunk configuration enhancements in this release are not automatically supported. Likewise, the startup-config is not automatically modified to match VE numbers to VLAN IDs, which is required for Layer 2/3 virtualization.

• By default, ACOS does not automatically change VE numbers to match their VLAN IDs following an upgrade from a release earlier than 2.6.1. Matching of VE number to VLAN ID is not enforced by default.

• If you attempt to enable Layer 2/3 virtualization on a private partition, the device prompts you to back up the system, then use the write memory upgrade-startup-config-l3v command to change VE numbers in the startup-config to match the VLAN IDs. After this, matching of VE number to VLAN ID is enforced.

• For new ACOS devices (no pre-existing config running on earlier software version), matching of VE number to VLAN ID is enforced by default. The write memory upgrade-startup-config-l3v command is not required.

To enable the trunk enhancements and modify the startup-config to make sure VE numbers match their VLANs:

1. Upgrade the image to 2.6.1. See the section in this chapter that is applicable to your deployment:

• “Upgrading the Software Image (non-aVCS deployment)” on page 336

• “Upgrading the Software Image (aVCS Virtual Chassis)” on page 343

2. Back up the startup-config and system files. To do so, use the following command:

backup system [use-mgmt-port] url


3. Use the following command:

write memory upgrade-startup-config-l3v

The upgrade-startup-config-l3v option is not listed in the CLI help and is not supported by command completion. You must type the entire option name as shown.
