COMMAND LINE INTERFACE REFERENCE FOR ADC
A10 Thunder Series and AX Series
ACOS 4.1.0-P3
24 June 2016
© 2016 A10 Networks, Inc. Confidential and Proprietary - All Rights Reserved
Information in this document is subject to change without notice.
Patent Protection
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:
https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking.
Trademarks
The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, Affinity, aFleX, aFlow, aGalaxy, aGAPI, aVCS, AX, aXAPI, IDsentrie, IP-to-ID, SSL Insight, SSLi, Thunder, Thunder TPS, UASG, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners.
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.
A10 Networks Inc. Software License and End User Agreement
Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document or available separately. Customer shall not:
1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means.
2. sublicense, rent or lease the Software.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.
Table of Contents
Overview ........................................................................................................................................15
Config Commands: Server Load Balancing ........................................................................17
Global Configuration Mode SLB Commands .........................................................................................18
slb common ............................................................................................................................................................................18
slb resource-usage ..............................................................................................................................................................19
slb server ...................................................................................................................................................................................20
slb service-group ..................................................................................................................................................................21
slb ssl-expire-check email-address ............................................................................................................................22
slb ssl-expire-check exception .....................................................................................................................................22
slb ssl-module ........................................................................................................................................................................23
slb svm-source-nat pool ..................................................................................................................................................23
slb template ............................................................................................................................................................................24
slb transparent-acl-template ........................................................................................................................................24
slb transparent-tcp-template .......................................................................................................................................25
slb virtual-server ....................................................................................................................................................................26
SLB Common Configuration Mode Commands....................................................................................29
buff-thresh ...............................................................................................................................................................................30
compress-block-size ..........................................................................................................................................................31
conn-rate-limit src-ip .........................................................................................................................................................31
disable-adaptive-resource-check ..............................................................................................................................33
disable-server-auto-reselect ..........................................................................................................................................33
dns-cache-age .......................................................................................................................................................................33
dns-cache-enable ................................................................................................................................................................34
dns-cache-entry-size ..........................................................................................................................................................36
dns-vip-stateless ...................................................................................................................................................................36
drop-icmp-to-vip-when-vip-down ...........................................................................................................................36
dsr-health-check-enable .................................................................................................................................................37
enable-l7-req-acct ...............................................................................................................................................................37
extended-stats .......................................................................................................................................................................38
fast-path-disable ...................................................................................................................................................................38
gateway-health-check ......................................................................................................................................................39
graceful-shutdown .............................................................................................................................................................40
hw-compression ..................................................................................................................................................................40
hw-syn-rr ...................................................................................................................................................................................41
l2l3-trunk-lb-disable ...........................................................................................................................................................41
max-buff-queued-per-conn ..........................................................................................................................................42
max-http-header-count ...................................................................................................................................................42
msl-time .....................................................................................................................................................................................43
page 1 | Document No.: 410-P3-CLI-ADC-001 - 6/24/2016
A10 Thunder Series and AX Series—Command Line Interface Reference for ADC
Contents
mss-table ...................................................................................................................................................................................44
no-auto-up-on-aflex ...........................................................................................................................................................44
rate-limit-logging .................................................................................................................................................................44
reset-stale-session ...............................................................................................................................................................45
scale-out ....................................................................................................................................................................................46
snat-gwy-for-l3 ......................................................................................................................................................................46
snat-on-vip ...............................................................................................................................................................................46
sort-res ........................................................................................................................................................................................47
stats-data-disable .................................................................................................................................................................48
use-mss-tab .............................................................................................................................................................................49
Config Commands: SLB Templates .......................................................................................51
slb template cache .............................................................................................................................................................52
slb template cipher .............................................................................................................................................................52
slb template client-ssl .......................................................................................................................................................55
slb template connection-reuse ...................................................................................................................................55
slb template dblb ................................................................................................................................................................56
slb template diameter ......................................................................................................................................................57
slb template dns ...................................................................................................................................................................59
slb template dynamic-service .....................................................................................................................61
slb template external-service .......................................................................................................................................62
slb template fix ......................................................................................................................................................................63
slb template ftp .....................................................................................................................................................................64
slb template http .................................................................................................................................................................65
slb template http-policy ..................................................................................................................................................73
slb template imap-pop3 .................................................................................................................................................74
slb template logging .........................................................................................................................................................75
slb template monitor .........................................................................................................................................................76
slb template persist cookie ............................................................................................................................................78
slb template persist destination-ip ...........................................................................................................................81
slb template persist source-ip ......................................................................................................................................82
slb template persist ssl-sid .............................................................................................................................................86
slb template policy .............................................................................................................................................................87
slb template port .................................................................................................................................................................87
slb template reqmod-icap .............................................................................................................................................87
slb template respmod-icap ...........................................................................................................................................87
slb template server .............................................................................................................................................................87
slb template server-ssl ......................................................................................................................................................87
slb template sip (over UDP) ...........................................................................................................................................88
slb template sip (over TCP/TLS) ..................................................................................................................................88
slb template smpp ..............................................................................................................................................................88
slb template smtp ...............................................................................................................................................................88
slb template ssli ....................................................................................................................................................................88
slb template tcp ....................................................................................................................................................................88
slb template tcp-proxy .....................................................................................................................................................88
slb template udp ..................................................................................................................................................................88
slb template virtual-port ..................................................................................................................................................88
slb template virtual-server ..............................................................................................................................................88
Config Commands: SLB Cache Templates ..........................................................................89
Global Configuration Commands ..............................................................................................................89
slb template cache .............................................................................................................................................................89
SLB Cache Template Configuration Mode Commands ......................................................................91
accept-reload-req ................................................................................................................................................................91
age ................................................................................................................................................................................................92
default-policy-nocache ....................................................................................................................................................92
disable-insert-age ................................................................................................................................................................93
disable-insert-via ..................................................................................................................................................................93
max-cache-size ......................................................................................................................................................................93
max-content-size .................................................................................................................................................................94
min-content-size ..................................................................................................................................................................94
policy ...........................................................................................................................................................................................94
remove-cookies ....................................................................................................................................................................95
replacement-policy LFU ..................................................................................................................................................95
template logging .................................................................................................................................................................96
verify-host .................................................................................................................................................................................96
Config Commands: SLB Client SSL Templates ..................................................................99
Global Configuration Commands ..............................................................................................................99
slb template client-ssl .......................................................................................................................................................99
SLB Client SSL Template Configuration Mode Commands ............................................................ 101
auth-username ...................................................................................................................................................................103
auth-username-attribute .............................................................................................................................................104
authorization .......................................................................................................................................................................104
ca-cert ......................................................................................................................................................................................104
cert .............................................................................................................................................................................................105
chain-cert ...............................................................................................................................................................................106
cipher .......................................................................................................................................................................................106
client-certificate .................................................................................................................................................................107
close-notify ...........................................................................................................................................................................107
crl .................................................................................................................................................................................................108
dh-param ...............................................................................................................................................................................108
disable-sslv3 .........................................................................................................................................................................109
ec-name ..................................................................................................................................................................................109
enable-tls-alert-logging ................................................................................................................................................109
forward-proxy-alt-sign ...................................................................................................................................................110
forward-proxy-bypass ....................................................................................................................................................110
forward-proxy-ca-cert ....................................................................................................................................................112
forward-proxy-ca-key .....................................................................................................................................................112
forward-proxy-cache-persistence ..........................................................................................................................112
forward-proxy-cert-cache ............................................................................................................................................113
forward-proxy-cert-expiry ...........................................................................................................................................113
forward-proxy-cert-ext ..................................................................................................................................................114
forward-proxy-cert-revoke-action ..........................................................................................................................115
forward-proxy-cert-unknown-action ...................................................................................................................115
forward-proxy-crl-disable ............................................................................................................................................115
forward-proxy-enable ....................................................................................................................................................116
forward-proxy-failsafe-disable ..................................................................................................................................116
forward-proxy-inspect ...................................................................................................................................................116
forward-proxy-log-disable ..........................................................................................................................................117
forward-proxy-ocsp-disable .......................................................................................................................................118
forward-proxy-selfsign-redir ......................................................................................................................................118
forward-proxy-ssl-version ............................................................................................................................................118
forward-proxy-trusted-ca .............................................................................................................................................119
forward-proxy-verify-cert-fail-action .....................................................................................................................119
hsm-param ............................................................................................................................................................................120
key ..............................................................................................................................................................................................120
non-ssl-bypass ....................................................................................................................................................................121
ocsp-stapling .......................................................................................................................................................................121
server-name .........................................................................................................................................................................122
session-cache-size ............................................................................................................................................................122
session-cache-timeout ..................................................................................................................................................123
session-ticket-lifetime ....................................................................................................................................................123
ssl-false-start-disable .......................................................................................................................................................124
sslv2-bypass ..........................................................................................................................................................................124
template .................................................................................................................................................................................125
Config Commands: SLB Policy Templates ....................................................................... 127
Global Configuration Commands ........................................................................................................... 127
slb template policy ..........................................................................................................................................................127
SLB Policy Template Configuration Mode Commands.................................................................... 129
bw-list id .................................................................................................................................................................................130
bw-list name ........................................................................................................................................................................130
bw-list over-limit ...............................................................................................................................................................131
bw-list timeout ...................................................................................................................................................................132
bw-list use-destination-ip ............................................................................................................................................132
class-list ...................................................................................................................................................................................132
forward-policy .....................................................................................................................................................................134
geo-location full-domain-tree ..................................................................................................................................139
geo-location overlap ......................................................................................................................................................139
geo-location share ...........................................................................................................................................................140
SLB Policy Template Class-List LID Configuration Commands ..................................................... 140
bw-rate-limit ........................................................................................................................................................................141
conn-limit ..............................................................................................................................................................................141
conn-rate-limit ....................................................................................................................................................................142
over-limit-action ................................................................................................................................................................142
request-limit .........................................................................................................................................................................143
Document No.: 410-P3-CLI-ADC-001 - 6/24/2016 | page 4
A10 Thunder Series and AX Series—Command Line Interface Reference for ADC
Contents
request-rate-limit ..............................................................................................................................................................143
response-code-rate-limit .............................................................................................................................................144
Config Commands: SLB Real Port Templates ................................................................. 145
Global Configuration Commands ........................................................................................................... 145
slb template port ..............................................................................................................................................................145
SLB Port Template Configuration Mode Commands ....................................................................... 146
conn-limit ..............................................................................................................................................................................147
conn-rate-limit ....................................................................................................................................................................148
dest-nat ...................................................................................................................................................................................148
down-grace-period .........................................................................................................................................................149
dscp ...........................................................................................................................................................................................149
dynamic-member-priority ...........................................................................................................................................150
extended-stats ....................................................................................................................................................................150
health-check ........................................................................................................................................................................151
health-check-disable ......................................................................................................................................................151
inband-health-check ......................................................................................................................................................152
no-ssl .........................................................................................................................................................................................152
request-rate-limit ..............................................................................................................................................................153
slow-start ................................................................................................................................................................................154
source-nat ..............................................................................................................................................................................155
stats-data-disable ..............................................................................................................................................................155
stats-data-enable ..............................................................................................................................................................155
weight ......................................................................................................................................................................................156
Config Commands: SLB REQMOD ICAP Templates ...................................................... 157
Global Configuration Commands ........................................................................................................... 157
slb template reqmod-icap ..........................................................................................................................................157
SLB REQMOD ICAP Template Configuration Mode Commands................................................... 158
allowed-http-methods ..................................................................................................................................................158
fail-close ..................................................................................................................................................................................159
include-protocol-in-uri ..................................................................................................................................................159
min-payload-size ...............................................................................................................................................................160
preview ....................................................................................................................................................................................160
service-group ......................................................................................................................................................................161
service-url ...............................................................................................................................................................................161
template .................................................................................................................................................................................162
Config Commands: SLB RESPMOD ICAP Templates .................................................... 163
Global Configuration Commands ........................................................................................................... 163
slb template respmod-icap ........................................................................................................................................163
SLB RESPMOD ICAP Template Configuration Mode Commands ................................................. 164
fail-close ..................................................................................................................................................................................165
include-protocol-in-uri ..................................................................................................................................................165
min-payload-size ...............................................................................................................................................................165
preview ....................................................................................................................................................................................166
service-group ......................................................................................................................................................................166
service-url ...............................................................................................................................................................................167
template .................................................................................................................................................................................167
Config Commands: SLB Server Templates ...................................................................... 169
Global Configuration Commands ........................................................................................................... 169
slb template server ..........................................................................................................................................................169
SLB Server Template Configuration Mode Commands ................................................................... 171
conn-limit ..............................................................................................................................................................................172
conn-rate-limit ....................................................................................................................................................................173
dns-query-interval ............................................................................................................................................................173
dynamic-server-prefix ....................................................................................................................................................174
extended-stats ....................................................................................................................................................................174
health-check ........................................................................................................................................................................175
health-check-disable ......................................................................................................................................................175
log-selection-failure ........................................................................................................................................................175
max-dynamic-server .......................................................................................................................................................176
min-ttl-ratio ..........................................................................................................................................................................176
slow-start ................................................................................................................................................................................176
spoofing-cache ..................................................................................................................................................................178
stats-data-enable ..............................................................................................................................................................178
stats-data-disable ..............................................................................................................................................................178
weight ......................................................................................................................................................................................179
Config Commands: SLB Server SSL Templates .............................................................. 181
Global Configuration Commands ........................................................................................................... 181
slb template server-ssl ...................................................................................................................................................181
SLB Server-SSL Template Configuration Mode Commands........................................................... 182
ca-cert ......................................................................................................................................................................................183
cert .............................................................................................................................................................................................183
cipher .......................................................................................................................................................................................184
close-notify ...........................................................................................................................................................................184
crl .................................................................................................................................................................................................185
dh-param ...............................................................................................................................................................................186
ec-name ..................................................................................................................................................................................186
enable-tls-alert-logging fatal .....................................................................................................................................187
forward-proxy-enable ....................................................................................................................................................187
key ..............................................................................................................................................................................................187
ocsp-stapling .......................................................................................................................................................................188
server-certificate-error ...................................................................................................................................................188
session-cache-size ............................................................................................................................................................189
session-cache-timeout ..................................................................................................................................................189
session-ticket-enable ......................................................................................................................................................190
template cipher .................................................................................................................................................................190
use-client-sni ........................................................................................................................................................................190
version .....................................................................................................................................................................................191
Config Commands: SLB SIP Templates ............................................................................. 193
Global Configuration Commands ........................................................................................................... 193
slb template sip (over UDP) ........................................................................................................................................193
slb template sip (over TCP/TLS) ...............................................................................................................................194
SLB SIP (Over UDP) Template Configuration Mode Commands .................................................. 195
alg-dest-nat ..........................................................................................................................................................................195
alg-source-nat .....................................................................................................................................................................196
client-request-header erase .......................................................................................................................................196
client-request-header insert .......................................................................................................................................196
client-response-header erase ....................................................................................................................................197
client-response-header insert ...................................................................................................................................198
keep-server-ip-if-match-acl ........................................................................................................................................198
registrar service-group ..................................................................................................................................................199
server-request-header erase ......................................................................................................................................199
server-request-header insert .....................................................................................................................................200
server-response-header erase ...................................................................................................................................201
server-response-header insert ..................................................................................................................................201
timeout ....................................................................................................................................................................................202
SLB SIP (Over TCP/TLS) Template Configuration Mode Commands........................................... 202
alg-dest-nat ..........................................................................................................................................................................203
alg-source-nat .....................................................................................................................................................................203
call-id-persist-disable ......................................................................................................................................................204
client-keepalive ..................................................................................................................................................................204
dialog-aware ........................................................................................................................................................................204
exclude-translation ..........................................................................................................................................................205
insert-client-ip .....................................................................................................................................................................205
failed-client-selection .....................................................................................................................................................205
failed-server-selection ....................................................................................................................................................206
keep-server-ip-if-match-acl ........................................................................................................................................207
server-keep-alive ...............................................................................................................................................................207
server-selection-per-request ......................................................................................................................................207
smp-call-id-rtp-session ..................................................................................................................................................208
timeout ....................................................................................................................................................................................209
Config Commands: SLB SMPP Templates ........................................................................ 211
Global Configuration Commands ........................................................................................................... 211
slb template smpp ...........................................................................................................................................................211
SLB SMPP Template Configuration Mode Commands .................................................................... 212
client-enquire-link ............................................................................................................................................................212
server-enquire-link ...........................................................................................................................................................212
server-selection-per-request ......................................................................................................................................213
user ............................................................................................................................................................................................213
Config Commands: SLB SMTP Templates ........................................................................ 215
Global Configuration Commands ........................................................................................................... 215
slb template smtp ............................................................................................................................................................215
SLB SMTP Template Configuration Mode Commands..................................................................... 216
client-domain-switching ..............................................................................................................................................217
command-disable ............................................................................................................................................................218
server-domain .....................................................................................................................................................................218
service-ready-msg ............................................................................................................................................................219
starttls .......................................................................................................................................................................................219
Config Commands: SLB SSLi Templates ........................................................................... 221
Global Configuration Commands ........................................................................................................... 222
slb template ssli .................................................................................................................................................................222
SLB SSLi Template Configuration Mode Commands........................................................................ 223
type ............................................................................................................................................................................................223
Config Commands: SLB TCP Templates ............................................................................ 225
Global Configuration Commands ........................................................................................................... 225
slb template tcp .................................................................................................................................................................225
SLB TCP Template Configuration Mode Commands ........................................................................ 226
force-delete-timeout ......................................................................................................................................................227
force-delete-timeout-100ms .....................................................................................................................................228
half-close-idle-timeout ..................................................................................................................................................228
half-open-idle-timeout ..................................................................................................................................................229
idle-timeout ..........................................................................................................................................................................229
initial-window-size ...........................................................................................................................................................229
insert-client-ip .....................................................................................................................................................................230
lan-fast-ack ............................................................................................................................................................................231
qos ..............................................................................................................................................................................................231
reset-fwd ................................................................................................................................................................................231
reset-rev ..................................................................................................................................................................................232
Config Commands: SLB TCP Proxy Templates ............................................................... 233
Global Configuration Commands ........................................................................................................... 233
slb template tcp-proxy ..................................................................................................................................................233
SLB TCP Proxy Template Configuration Mode Commands ............................................................ 234
ack-aggressiveness ..........................................................................................................................................................235
backend-wscale .................................................................................................................................................................235
dynamic-buffer-allocation ...........................................................................................................................................236
fin-timeout ............................................................................................................................................................................237
force-delete-timeout ......................................................................................................................................................237
force-delete-timeout-100ms .....................................................................................................................................238
half-close-idle-timeout ..................................................................................................................................................238
half-open-idle-timeout ..................................................................................................................................................239
idle-timeout ..........................................................................................................................................................................239
init-cwnd ................................................................................................................................................................................239
initial-window-size ...........................................................................................................................................................240
insert-client-ip .....................................................................................................................................................................241
keepalive-interval ..............................................................................................................................................................242
keepalive-probes ...............................................................................................................................................................243
mss .............................................................................................................................................................................................244
nagle .........................................................................................................................................................................................244
qos ..............................................................................................................................................................................................245
receive-buffer ......................................................................................................................................................................245
reno ...........................................................................................................................................................................................246
reset-fwd ................................................................................................................................................................................246
reset-rev ..................................................................................................................................................................................246
retransmit-retries ...............................................................................................................................................................247
syn-retries ..............................................................................................................................................................................247
timewait ..................................................................................................................................................................................248
transmit-buffer ....................................................................................................................................................................248
Config Commands: SLB UDP Templates .......................................................................... 249
Global Configuration Commands ........................................................................................................... 249
slb template udp ...............................................................................................................................................................249
SLB UDP Template Configuration Mode Commands....................................................................... 250
aging .........................................................................................................................................................................................251
idle-timeout ..........................................................................................................................................................................251
qos ..............................................................................................................................................................................................252
re-select-if-server-down ................................................................................................................................................252
stateless-conn-timeout .................................................................................................................................................253
Config Commands: SLB Virtual Port Templates ............................................................. 255
Global Configuration Commands ........................................................................................................... 255
slb template virtual-port ...............................................................................................................................................255
SLB Virtual Port Template Configuration Mode Commands ......................................................... 257
aflow .........................................................................................................................................................................................258
allow-syn-otherflags ........................................................................................................................................................259
allow-vip-to-rport-mapping .......................................................................................................................................259
conn-limit ..............................................................................................................................................................................260
conn-rate-limit ....................................................................................................................................................................261
drop-unknown-conn ......................................................................................................................................................261
dscp ...........................................................................................................................................................................................262
page 9 | Document No.: 410-P3-CLI-ADC-001 - 6/24/2016
A10 Thunder Series and AX Series—Command Line Interface Reference for ADC
Contents
ignore-tcp-msl ....................................................................................................................................................................262
reset-l7-on-failover ...........................................................................................................................................................262
reset-unknown-conn ......................................................................................................................................................263
snat-msl ...................................................................................................................................................................................263
snat-port-preserve ............................................................................................................................................................264
Config Commands: SLB Virtual Server Templates ........................................................ 265
Global Configuration Mode Commands............................................................................................... 265
slb template virtual-server ...........................................................................................................................................265
SLB Virtual Server Template Configuration Mode Commands..................................................... 266
conn-limit ..............................................................................................................................................................................267
conn-rate-limit ....................................................................................................................................................................268
icmp-rate-limit ....................................................................................................................................................................269
icmpv6-rate-limit ...............................................................................................................................................................270
subnet-gratuitous-arp ....................................................................................................................................................270
Config Commands: SLB Servers .......................................................................................... 273
alternate ..................................................................................................................................................................................274
conn-limit ..............................................................................................................................................................................274
conn-resume .......................................................................................................................................................................275
disable ......................................................................................................................................................................................275
disable-with-health-check ..........................................................................................................................................275
enable ......................................................................................................................................................................................276
extended-stats ....................................................................................................................................................................277
external-ip .............................................................................................................................................................................277
health-check ........................................................................................................................................................................277
health-check-disable ......................................................................................................................................................278
ipv6 ............................................................................................................................................................................................278
port ............................................................................................................................................................................................279
slow-start ................................................................................................................................................................................282
spoofing-cache ..................................................................................................................................................................283
stats-data-disable ..............................................................................................................................................................283
stats-data-enable ..............................................................................................................................................................284
template server ..................................................................................................................................................................284
weight ......................................................................................................................................................................................284
Config Commands: SLB Service Groups ........................................................................... 287
backup-server-event-log ..............................................................................................................................................288
extended-stats ....................................................................................................................................................................289
health-check ........................................................................................................................................................................289
health-check-disable ......................................................................................................................................................290
member ..................................................................................................................................................................................291
method ...................................................................................................................................................................................293
min-active-member ........................................................................................................................................................298
priority ......................................................................................................................................................................................299
priority-affinity .....................................................................................................................................................................301
reset auto-switch ..............................................................................................................................................................302
reset-on-server-selection-fail .....................................................................................................................................302
sample-rsp-time ................................................................................................................................................................302
stats-data-disable ..............................................................................................................................................................303
stats-data-enable ..............................................................................................................................................................303
template .................................................................................................................................................................................303
traffic-replication-type ...................................................................................................................................................304
Config Commands: SLB Virtual Servers ............................................................................ 307
arp-disable .............................................................................................................................................................................308
description ............................................................................................................................................................................308
disable ......................................................................................................................................................................................308
disable-when-all-ports-down ...................................................................................................................................309
disable-when-any-port-down ..................................................................................................................................309
enable ......................................................................................................................................................................................309
extended-stats ....................................................................................................................................................................310
port ............................................................................................................................................................................................311
redistribution-flagged ....................................................................................................................................................313
stats-data-disable ..............................................................................................................................................................313
stats-data-enable ..............................................................................................................................................................313
template logging ..............................................................................................................................................................313
template policy ..................................................................................................................................................................314
template scaleout .............................................................................................................................................................314
template virtual-server ..................................................................................................................................................314
vrid .............................................................................................................................................................................................315
Config Commands: SLB Virtual Server Ports ................................................................... 317
aaa-policy ...............................................................................................................................................................................318
access-list ...............................................................................................................................................................................318
aflex ...........................................................................................................................................................................................320
alternate ..................................................................................................................................................................................320
bucket-count .......................................................................................................................................................................321
clientip-sticky-nat .............................................................................................................................................................321
conn-limit ..............................................................................................................................................................................321
def-selection-if-pref-failed ...........................................................................................................................................322
def-selection-if-pref-failed-disable .........................................................................................................................323
disable ......................................................................................................................................................................................323
enable ......................................................................................................................................................................................324
extended-stats ....................................................................................................................................................................324
force-routing-mode ........................................................................................................................................................324
ha-conn-mirror ...................................................................................................................................................................325
ipinip .........................................................................................................................................................................................325
message-switching ..........................................................................................................................................................325
name .........................................................................................................................................................................................326
no-auto-up-on-aflex ........................................................................................................................................................326
no-dest-nat ...........................................................................................................................................................................326
redirect-to-https ................................................................................................................................................................328
reset-on-server-selection-fail .....................................................................................................................................328
rtp-sip-call-id-match .......................................................................................................................................................328
service-group ......................................................................................................................................................................329
skip-rev-hash ........................................................................................................................................................................329
snat-on-vip ............................................................................................................................................................................330
source-nat auto ..................................................................................................................................................................330
source-nat pool ..................................................................................................................................................................331
stats-data-disable ..............................................................................................................................................................332
stats-data-enable ..............................................................................................................................................................332
syn-cookie .............................................................................................................................................................................332
template .................................................................................................................................................................................333
template virtual-port ......................................................................................................................................................334
use-default-if-no-server .................................................................................................................................................334
use-rcv-hop-for-resp .......................................................................................................................................................335
Config Commands: Health Monitors ................................................................................. 337
disable-after-down ...........................................................................................................................................................338
interval .....................................................................................................................................................................................338
method ...................................................................................................................................................................................339
override-ipv4 ........................................................................................................................................................................347
override-ipv6 ........................................................................................................................................................................348
override-port ........................................................................................................................................................................348
passive .....................................................................................................................................................................................349
retry ...........................................................................................................................................................................................350
ssl-ciphers ..............................................................................................................................................................................350
strictly-retry-on-server-error-response ................................................................................................................351
up-retry ....................................................................................................................................................................................352
Config Commands: Web Category ..................................................................................... 353
web-category ......................................................................................................................................................................353
SLB Show Commands ............................................................................................................. 355
show slb aflow ....................................................................................................................................................................357
show slb attack-prevention ........................................................................................................................................357
show slb cache ...................................................................................................................................................................358
show slb compression ...................................................................................................................................................363
show slb connection-reuse ........................................................................................................................................363
show slb conn-rate-limit ..............................................................................................................................................365
show slb diameter ............................................................................................................................................................366
show slb fast-http-proxy ..............................................................................................................................................368
show slb fix ...........................................................................................................................................................................370
show slb ftp ..........................................................................................................................................................................371
show slb ftp-proxy ...........................................................................................................................................................372
show slb generic-proxy .................................................................................................................................................372
show slb geo-location ...................................................................................................................................................372
show slb http-proxy ........................................................................................................................................................373
show slb hw-compression ..........................................................................................................................................375
show slb icap .......................................................................................................................................................................376
show slb l4 ............................................................................................................................................................................379
show slb mssql ...................................................................................................................................................................387
show slb mysql ...................................................................................................................................................................388
show slb passthrough ....................................................................................................................................................390
show slb performance ...................................................................................................................................................390
show slb persist ..................................................................................................................................................................391
show slb pop3-proxy ......................................................................................................................................................393
show slb rate-limit-logging ........................................................................................................................................394
show slb resource-usage .............................................................................................................................................395
show slb server ...................................................................................................................................................................396
show slb service-group .................................................................................................................................................407
show slb sip ..........................................................................................................................................................................411
show slb smpp ...................................................................................................................................................................412
show slb smtp .....................................................................................................................................................................416
show slb spdy-proxy .......................................................................................................................................................419
show slb ssl ...........................................................................................................................................................................421
show slb ssl-cert-revoke-stats ...................................................................................................................................424
show slb ssl-counters .....................................................................................................................................................426
show slb ssl-crl ....................................................................................................................................................................427
show slb ssl-expire-check ............................................................................................................................................428
show slb ssl-forward-proxy-cert ..............................................................................................................................428
show slb ssl-ocsp cache ...............................................................................................................................................431
show slb ssl-ocsp cache detail ..................................................................................................................................432
show slb switch ..................................................................................................................................................................433
show slb syn-cookie ........................................................................................................................................................437
show slb syn-cookie-buffer .........................................................................................................................................437
show slb tcp stack ............................................................................................................................................................438
show slb template ............................................................................................................................................................439
show slb template policy forward-policy-stats ..............................................................................................440
show slb virtual-server ...................................................................................................................................................441
page 13 | Document No.: 410-P3-CLI-ADC-001 - 6/24/2016
A10 Thunder Series and AX Series—Command Line Interface Reference for ADC
Overview
This reference lists the ACOS CLI commands that apply specifically to ADC features.
NOTE:
For information about system-level commands or about using the CLI, see the main
Command Line Interface Reference guide.
Config Commands: Server Load Balancing
The commands in this chapter configure SLB parameters. In some cases, the commands create an SLB configuration item
and change the CLI to the configuration level for that item.
This chapter contains the following topics:
• Global Configuration Mode SLB Commands
• SLB Common Configuration Mode Commands
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
Global Configuration Mode SLB Commands
This section describes the SLB CLI commands that are available from global configuration mode:
• slb common
• slb resource-usage
• slb server
• slb service-group
• slb ssl-expire-check email-address
• slb ssl-expire-check exception
• slb ssl-module
• slb svm-source-nat pool
• slb template
• slb transparent-acl-template
• slb transparent-tcp-template
• slb virtual-server
slb common
Description
Access the SLB configuration level for system-wide SLB parameters.
Syntax
slb common
This command changes the CLI to the SLB common configuration level for system-wide SLB
parameters, where the commands in “SLB Common Configuration Mode Commands” on
page 29 are available.
NOTE:
Commands in SLB common configuration mode are only available in the shared
partition.
Mode
Configuration mode
slb resource-usage
Description
Change the capacity of an SLB resource.
Syntax
[no] slb resource-usage resource-type
The following table lists the valid resource types and values.
Resource Type
Description and Acceptable Values
client-ssl-template-count
Maximum number of configurable client SSL templates (32-1024).
conn-reuse-template-count
Maximum number of connection reuse templates (32-512).
fast-tcp-template-count
Maximum number of configuration Fast TCP templates (32-512).
fast-udp-template-count
Maximum number of configuration Fast UDP templates (32-512).
http-template-count
Maximum number of configurable HTTP templates (32-512).
nat-pool-addr-count
Maximum number of source IP NAT pools (10-250).
persist-cookie-template-count
Maximum number of persistent cookie templates (32-512).
persist-srcip-template-count
Maximum number of persistent source IP templates (32-512).
proxy-template-count
Maximum number of configurable proxy templates (32-512).
real-port-count
Maximum number of real server ports (64-2048).
real-server-count
Maximum number of real servers (32-1024).
server-ssl-template-count
Maximum number of server SSL templates (32-1024).
service-group-count
Maximum number of service groups (32-1024).
stream-template-count
Maximum number of configurable streaming media templates (32-512).
virtual-port-count
Maximum number of virtual ports (32-1024).
virtual-server-count
Maximum number of virtual servers (16-512).
Default
The default maximum number for each type of system resource depends on the specific
device model. To display the defaults and current values for your device, enter the show
system resource-usage command.
Mode
Configuration mode
Usage
The maximum number you can configure depends on the resource type and the specific
ACOS device. To display the range of values that are valid for a resource, enter a question
mark instead of a quantity.
• For all the following types of SLB templates, the total number allowed is 256 each, and
is not configurable in the current release:
• SIP
• SMTP
• Policy (PBSLB)
• For RAM caching templates, the total number allowed is 128 each.
• The total number of health monitors allowed is 1024 and is not configurable.
• The total number of wildcard VIPs allowed is 200 and is not configurable.
• For every type of system resource that has a default, the ACOS device reserves one
instance of the resource.
For example, the device allows a total of 256 RAM caching templates. However, the
device reserves one RAM caching template for the default template, which leaves a
maximum of 255 additional RAM caching templates that can be configured.
slb server
Description
Configure a real server. Use the first command shown below to create or delete a server.
Use the second command to edit a server.
Syntax
[no] slb server server-name
{ipaddr | hostname}
Parameter
Description
server-name
Server name, 1-63 characters.
After you have created a real server, you can use this command to
rename the real server.
hostname
Fully-qualified hostname, for dynamic real server creation.
ipaddr
IP address of the server in either IPv4 or IPv6 format. The address is
required only if you are creating a new server.
Default
N/A
Mode
Configuration mode
Usage
The normal form of this command creates a new real server or edits an existing one. The CLI
changes to the configuration level for the server. See “Config Commands: SLB Servers” on
page 273.
The IP address of the server can be in either IPv4 or IPv6 format. ACOS devices support both
address formats.
The “no” form of this command removes an existing real server.
The maximum number of real servers is configurable. See “slb resource-usage” on page 19.
NOTE:
Real-servers are automatically created when added to a service group, so it is not
necessary to manually create real servers prior to adding them to a service group.
Example
The following example creates a new real server with an IPv4 address:
ACOS(config)# slb server rs1 10.10.10.99
ACOS(config-real server)#
Example
The following example creates a new real server with an IPv6 address:
ACOS(config)# slb server rs2 2020:3e8::3
ACOS(config-real server)#
Example
The following commands configure a hostname server for dynamic server creation using
DNS, add a port to it, and bind the server template to it:
ACOS(config)# slb server s-test1 s1.test.com
ACOS(config-real server)# template server temp-server
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
slb service-group
Description
Configure an SLB service group.
Syntax
[no] slb service-group group-name {tcp | udp}
Parameter
Description
group-name
Name of the group, 1-31 characters.
tcp | udp
Application type of the group.
Default
There are no service groups configured by default.
Mode
Configuration mode
Usage
The normal form of this command creates a new service group or edits an existing one. The CLI
changes to the configuration level for the service group. See “Config Commands: SLB Service
Groups” on page 287.
Example
The following example adds TCP service group “my-service-group”:
ACOS(config)# slb service-group my-service-group tcp
ACOS(config-slb svc group)#
slb ssl-expire-check email-address
Description
Configure email notification for certificate expiration.
Syntax
[no] slb ssl-expire-check
email-address address [...]
[before days] [interval days]
Parameter
Description
address
Specifies the email addresses to which to send the notifications. You
can specify up to 2 email addresses. Use a space between them.
before days
Specifies how many days before expiration to begin sending notification emails. You can specify 1-60. The default is 5 days.
interval days
Specifies how many days after expiration to continue sending notification emails. You can specify 1-5. The default is 2 days.
Default
Not set
Mode
Configuration mode
Usage
One notification is sent per day. If a certificate is updated before expiration or at least before
the configured interval, no more notification emails are sent for that certificate.
Example
The following command enables certificate notifications to be sent to email address
“admin1@example.com”. Expiration notifications are sent beginning 4 days before expiration
and continue for 3 days after expiration.
ACOS(config)# slb ssl-expire-check email-address admin1@example.com before 4 interval 3
slb ssl-expire-check exception
Description
Exclude specific certificates from expiration notification emails.
Syntax
[no] slb ssl-expire-check exception
{add cert-name | delete cert-name | clean}
Parameter
Description
add cert-name
Adds a certificate to the exception list.
delete cert-name
Removes a certificate from the exception list.
clean
Removes all certificates from the exception list.
Default
Not set
Mode
Configuration mode
slb ssl-module
Description
Disable the SSL acceleration module.
NOTE:
This command only applies to virtual appliances and not to hardware-based models.
Syntax
[no] slb ssl-module software
Default
SSL acceleration modules are enabled.
Mode
Configuration mode
Usage
This command applies only to add-on SSL acceleration modules, not to the on-board SSL
processors.
slb svm-source-nat pool
Description
Configure the source-NAT pool used in OCSP verification of server certificates. SVM stands for
Server Verification Module.
Syntax
[no] slb svm-source-nat pool svm-pool-name
Default
None
Mode
Global Configuration Mode
slb template
Description
Configure an SLB template.
Syntax
[no] slb template template-type template-name
Parameter
Description
template-type
Type of template. For a list, enter the following command: slb
template ?
(For information about SLB templates, see “Config Commands: SLB
Templates” on page 51.)
template-name
Name of the template.
Default
The templates have default settings, and some template types are automatically added to a
virtual port depending on its service type. For information, see the Application Delivery and
Server Load Balancing Guide.
Mode
Configuration mode
Usage
The normal form of this command creates a new template or edits an existing one. The CLI
changes to the configuration level for the template. See “Config Commands: SLB Templates”
on page 51.
The no form of this command removes an existing template.
The maximum number of templates is configurable. See “slb resource-usage” on page 19.
Example
The following command creates a TCP-proxy template named “proxy1”:
ACOS(config)# slb template tcp-proxy proxy1
ACOS(config-tcp proxy)#
slb transparent-acl-template
Description
Set the idle timeout value for ACL-related pass-through TCP sessions.
A pass-through TCP session is one that is not terminated by the ACOS device (for example, a
session for which the ACOS device is not serving as a proxy for SLB).
Syntax
[no] slb transparent-acl-template template-name
Replace template-name with the name of an existing TCP template (1-63 characters).
To create a TCP template, use the slb template tcp command.
Default
The default idle timeout for pass-through TCP sessions is 30 minutes. The default idle timeout in TCP templates is 120 seconds.
Mode
Configuration mode
Usage
Only the idle timeout setting in the specified TCP template is applicable to pass-through TCP
sessions. None of the other options in TCP templates affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300 seconds. This is true
even if the idle timeout in the TCP template itself is set to a higher value. Higher idle timeout
values apply only to SLB sessions, not to transparent sessions. This is because transparent
sessions are stateless and can be recreated if timed out.
Example
The following command configures the default TCP template, setting the idle timeout value
to 15000 seconds. This template (and thus its idle timeout value) is then applied to ACL-related pass-through TCP sessions:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# idle-timeout 15000
ACOS(config-l4 tcp)# exit
ACOS(config)# slb transparent-acl-template default
Related Commands
slb template tcp, slb transparent-tcp-template
slb transparent-tcp-template
Description
Set the idle timeout value for pass-through TCP sessions.
A pass-through TCP session is one that is not terminated by the ACOS device (for example, a
session for which the ACOS device is not serving as a proxy for SLB).
Syntax
[no] slb transparent-tcp-template template-name
Replace template-name with the name of an existing TCP template (1-63 characters).
To create a TCP template, use the slb template tcp command.
Default
The default idle timeout for pass-through TCP sessions is 30 minutes. The default idle timeout in TCP templates is 120 seconds.
Mode
Configuration mode
Usage
Only the idle timeout setting in the specified TCP template is applicable to pass-through TCP
sessions. None of the other options in TCP templates affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300 seconds. This is true
even if the idle timeout in the TCP template itself is set to a higher value. Higher idle timeout
values apply only to SLB sessions, not to transparent sessions. This is because transparent
sessions are stateless and can be recreated if timed out.
Example
The following command configures the default TCP template, setting the idle timeout value
to 15000 seconds. This template (and thus its idle timeout value) is then applied to pass-through TCP sessions:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# idle-timeout 15000
ACOS(config-l4 tcp)# exit
ACOS(config)# slb transparent-tcp-template default
Related Commands
slb template tcp, slb transparent-acl-template
slb virtual-server
Description
Configure a virtual server.
Syntax
[no] slb virtual-server name
[use-if-ip {ethernet num | loopback num}] |
[ipv6-addr [ipv6-acl acl-name]] |
[ipv4-addr [/mask-length | subnet-mask] acl acl-name]
Parameter
Description
name
Virtual server name, 1-31 characters.
After you have created a virtual server, you can use this command to rename the virtual server in order
to associate this IP with a different name.
use-if-ip
Use the IP address of the specified interface.
This option is used on vThunder systems only.
ipv6-addr
IPv6 address of the virtual server.
If you are configuring an IPv6 wildcard VIP, enter :: as the IP address.
Use the acl acl-id option to specify the IP addresses to be handled as wildcard VIPs. (For more information, see the “Wildcard VIPs” chapter in the Application Delivery and Server Load Balancing Guide.)
After you have created a virtual server, you can use this command to change the IP address associated
with this name.
ipv4-addr
IPv4 address of the virtual server.
If you are configuring a wildcard VIP, enter 0.0.0.0 as the IP address.
You can use the acl acl-id option to specify the IP addresses to be handled as wildcard VIPs. (For
more information, see the “Wildcard VIPs” chapter in the Application Delivery and Server Load Balancing
Guide.)
After you have created a virtual server, you can use this command to change the IP address associated
with this name.
To configure a contiguous set of IPv4 VIPs, specify the subnet mask or mask length. The specified
ipv4-addr will be the starting IP address of this set of VIPs.
Default
N/A
Mode
Configuration mode
Usage
The normal form of this command creates a new virtual server or edits an existing one. The CLI
changes to the configuration level for the virtual server. See “Config Commands: SLB Virtual
Servers” on page 307.
The “no” form of this command removes an existing virtual server.
The maximum number of virtual servers is configurable. See “slb resource-usage” on
page 19.
Notes on VIP Ranges
• The IP addresses in the specified subnet range cannot belong to an IP interface, real
server, or other virtual server configured on the ACOS device.
• The largest supported IPv4 subnet length is /16.
• Statistics are aggregated for all VIPs in the subnet virtual server.
• The current release supports this feature only for DNS ports on the default DNS port
number (TCP port 53 or UDP port 53).
Example
The following command configures a new virtual server named “vs1”:
ACOS(config)# slb virtual-server vs1 10.10.2.1
ACOS(config-slb vserver)#
SLB Common Configuration Mode Commands
This section describes the CLI commands that are available from SLB common configuration mode.
To access this mode, use the slb common command from global configuration mode:
ACOS(config)# slb common
ACOS(config-common)#
NOTE:
Some commands in SLB common configuration mode are only available in the shared
partition; commands that are not available in L3V partitions are noted below.
The following commands are available:
• buff-thresh (not available in L3V partitions)
• compress-block-size
• conn-rate-limit src-ip
• disable-adaptive-resource-check (not available in L3V partitions)
• disable-server-auto-reselect (not available in L3V partitions)
• dns-cache-age
• dns-cache-enable
• dns-cache-entry-size
• dns-vip-stateless (not available in L3V partitions)
• drop-icmp-to-vip-when-vip-down (not available in L3V partitions)
• dsr-health-check-enable (not available in L3V partitions)
• enable-l7-req-acct
• extended-stats
• fast-path-disable (not available in L3V partitions)
• gateway-health-check (not available in L3V partitions)
• graceful-shutdown
• hw-compression
• hw-syn-rr (not available in L3V partitions)
• l2l3-trunk-lb-disable (not available in L3V partitions)
• max-buff-queued-per-conn (not available in L3V partitions)
• max-http-header-count (not available in L3V partitions)
• msl-time (not available in L3V partitions)
• mss-table (not available in L3V partitions)
• no-auto-up-on-aflex
• rate-limit-logging
• reset-stale-session
• scale-out
• snat-gwy-for-l3
• snat-on-vip
• sort-res
• stats-data-disable (not available in L3V partitions)
• use-mss-tab
buff-thresh
Description
Fine-tune thresholds for SLB buffer queues.
CAUTION:
Do not use this command except under advisement from A10 Networks.
Syntax
[no] buff-thresh
hw-buff num
relieve-thresh num
sys-buff-low num
sys-buff-high num
Parameter
Description
hw-buff num
IO buffer threshold. For each CPU, if the number of queued
entries in the IO buffer reaches this threshold, fast aging is
enabled and no more IO buffer entries are allowed to be
queued on the CPU’s IO buffer.
relieve-thresh num
Threshold at which fast aging is disabled, to allow IO buffer
entries to be queued again.
sys-buff-low num
Threshold of queued system buffer entries at which ACOS
begins refusing new incoming connections.
sys-buff-high num
Threshold of queued system buffer entries at which the
ACOS device drops a connection whenever a packet is
received for that connection.
Default
N/A
Mode
SLB common configuration mode
compress-block-size
Description
Change the default compression block size used for SLB.
Syntax
[no] compress-block-size bytes
The bytes option specifies the default compression block size, 6000-32000 bytes. The default is 16000.
Default
16000
Mode
SLB common configuration mode
Example
The following example sets the compression block size to 16000 bytes:
ACOS(config)# slb common
ACOS(config-common)# compress-block-size 16000
conn-rate-limit src-ip
Description
Configure source-IP based connection rate limiting.
All connection requests in excess of the connection limit that are received from a client
within the limit period are dropped. This action is enabled by default when you enable the
feature, and cannot be disabled.
NOTE:
For configuring connection rate limits on IPv6 traffic, use class lists. For more information, see “class-list” in the Command Line Interface Reference and “Understanding Class Lists” in the DDoS Mitigation Guide for ADC.
Syntax
[no] conn-rate-limit src-ip {tcp | udp} conn-limit per {100 | 1000}
[shared]
[exceed-action [log] [lock-out lockout-period]]
Parameter
Description
tcp | udp
Specifies the Layer 4 protocol for which the filter applies.
conn-limit
Specifies the connection limit. The connection limit is the maximum number of connection
requests allowed from a client, within the limit period. You can specify 1-1000000 (one million).
per {100 | 1000}
Specifies the limit period. The limit period is the interval to which the connection limit is
applied. A client is conforming to the rate limit if the number of new connection requests
within the limit period does not exceed the connection limit. You can specify 100 milliseconds or 1000 milliseconds.
shared
Specifies that the connection limit applies in aggregate to all virtual ports. If you omit this
option, the limit applies separately to each virtual port.
exceed-action
Enables optional exceed actions:
• log - Enables logging. Logging generates a log message when a client exceeds the connection limit.
• lock-out lockout-period - Locks out the client for a specified number of seconds.
During the lockout period, all connection requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour). There is no default.
Mode
SLB common configuration mode
Example
The following commands allow up to 1000 connection requests per one-second interval
from any individual client. If a client sends more than 1000 requests within a given limit
period, the client is locked out for 3 seconds. The limit applies separately to each individual
virtual port. Logging is not enabled.
ACOS(config)# slb common
ACOS(config-common)# conn-rate-limit src-ip 1000 per 1000 exceed-action lock-out 3
Example
The following commands allow up to 2000 connection requests per 100-millisecond interval.
The limit applies to all virtual ports together. Logging is enabled but lockout is not enabled.
ACOS(config)# slb common
ACOS(config-common)# conn-rate-limit src-ip 2000 per 100 shared exceed-action log
Example
The following commands allow up to 2000 connection requests per 100-millisecond interval.
The limit applies to all virtual ports together. Logging is enabled and lockout is enabled. If a
client sends a total of more than 2000 requests within a given limit period, to one or more
virtual ports, the client is locked out for 3 seconds.
ACOS(config)# slb common
ACOS(config-common)# conn-rate-limit src-ip 2000 per 100 shared exceed-action log lock-out 3
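Added example, not ACOS code: a Python model of the per-source-IP connection rate limiter described above (conn-limit per limit period, shared versus per-virtual-port counting, and the log and lock-out exceed actions), useful for reasoning about how a given limit behaves against a burst before applying it. It assumes a fixed counting window that starts at a client's first request in the period, and the log-line format is constructed, since the page specifies neither.

```python
"""Model of ACOS 'conn-rate-limit src-ip' as described in this reference.

Added example, not ACOS code. Assumptions (not stated on the page): the limit
period is a fixed window that starts at the client's first request, and the
log line format below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Key = Union[str, Tuple[str, str]]


@dataclass
class RateLimitConfig:
    conn_limit: int                  # 1-1000000 connection requests per period
    period_ms: int                   # limit period: 100 or 1000 milliseconds
    shared: bool = False             # True: one counter across all virtual ports
    log: bool = False                # exceed-action log
    lockout_s: Optional[int] = None  # exceed-action lock-out, 1-3600 seconds

    def __post_init__(self) -> None:
        if self.period_ms not in (100, 1000):
            raise ValueError("per must be 100 or 1000")
        if not 1 <= self.conn_limit <= 1_000_000:
            raise ValueError("conn-limit must be 1-1000000")
        if self.lockout_s is not None and not 1 <= self.lockout_s <= 3600:
            raise ValueError("lock-out must be 1-3600 seconds")


class SrcIpRateLimiter:
    """Per-client connection-request rate limiter with optional lockout."""

    def __init__(self, cfg: RateLimitConfig) -> None:
        self.cfg = cfg
        # counter key -> (window start in ms, requests seen in that window)
        self._windows: Dict[Key, Tuple[int, int]] = {}
        # client IP -> time (ms) at which its lockout ends
        self._locked_until: Dict[str, int] = {}
        self.log_lines: List[str] = []

    def _key(self, client_ip: str, vport: str) -> Key:
        # 'shared': the limit applies in aggregate to all virtual ports;
        # otherwise each virtual port gets its own counter for the client.
        return client_ip if self.cfg.shared else (client_ip, vport)

    def admit(self, now_ms: int, client_ip: str, vport: str) -> bool:
        """Return True if the connection request is accepted, False if dropped."""
        until = self._locked_until.get(client_ip)
        if until is not None:
            if now_ms < until:
                return False  # every request from a locked-out client is dropped
            del self._locked_until[client_ip]

        key = self._key(client_ip, vport)
        start, count = self._windows.get(key, (now_ms, 0))
        if now_ms - start >= self.cfg.period_ms:
            start, count = now_ms, 0  # a new limit period begins
        count += 1
        self._windows[key] = (start, count)

        if count <= self.cfg.conn_limit:
            return True  # client is conforming to the rate limit

        # Excess requests are always dropped; the exceed actions are additional.
        if self.cfg.log:
            self.log_lines.append(
                f"t={now_ms}ms client {client_ip} exceeded {self.cfg.conn_limit} "
                f"requests per {self.cfg.period_ms} ms on {vport}")
        if self.cfg.lockout_s is not None:
            self._locked_until[client_ip] = now_ms + self.cfg.lockout_s * 1000
        return False


def replay(cfg: RateLimitConfig, events: List[Tuple[int, str, str]]) -> List[bool]:
    """Feed (time_ms, client_ip, virtual_port) events through one limiter."""
    limiter = SrcIpRateLimiter(cfg)
    return [limiter.admit(t, ip, port) for t, ip, port in events]


if __name__ == "__main__":
    # Constructed burst: one client sends 5 requests in 50 ms to two virtual ports.
    burst = [(i * 10, "192.0.2.10", "vip1:80" if i % 2 == 0 else "vip1:443")
             for i in range(5)]
    # Same shape as the page's second example: shared limit, log only, no lockout.
    print(replay(RateLimitConfig(conn_limit=2, period_ms=100, shared=True, log=True), burst))
```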
disable-adaptive-resource-check
Description
In cases where data packets smaller than a pre-configured size limit are received, HTTP sessions may be deleted when the number of such packets received exceeds a pre-defined
threshold. This is the default behavior on an ACOS device.
Use the disable-adaptive-resource-check command to disable this default
behavior.
Syntax
[no] disable-adaptive-resource-check
Default
Adaptive resource checking is enabled by default.
Mode
SLB common configuration mode
disable-server-auto-reselect
Description
Stop the ACOS device from automatically reselecting a lower priority server until a server
with a higher priority is marked as Down or Disabled.
This is commonly used with inband health monitors.
Syntax
[no] disable-server-auto-reselect
Default
Server auto-reselection is enabled by default.
Mode
SLB common configuration mode
Usage
When server priority is configured, the ACOS device sends all traffic to the highest priority
server, until that server starts responding slowly or meets other negative conditions. This feature stops the ACOS device from automatically reselecting a lower priority server until a
server with a higher priority is marked as Down or Disabled.
NOTE:
When a Data CPU reaches 70%, slb disable-server-auto-reselect will
automatically activate and can be seen in the running config. When the Data CPU
goes back down below 50% it will remove itself.
Example
Enable the feature.
ACOS(config)# slb common
ACOS(config-common)# disable-server-auto-reselect
dns-cache-age
Description
Configure the amount of time the ACOS device locally caches DNS replies.
DNS cache aging is applicable only when DNS caching is enabled, using the dns-cache-enable command.
Syntax
[no] dns-cache-age seconds
The seconds option specifies the maximum number of seconds the ACOS device caches
DNS replies. You can specify 1-1000000 seconds.
NOTE:
A DNS reply begins aging as soon as it is cached and continues aging even if the
cached reply is used after aging starts. Use of a cached reply does not reset the age
of that reply.
Default
300
Mode
SLB common configuration mode
Example
The following example configures the ACOS device to cache DNS replies for 300 seconds.
ACOS(config)# slb common
ACOS(config-common)# dns-cache-age 300
dns-cache-enable
Description
Globally enable caching of replies to DNS queries.
Syntax
[no] dns-cache-enable
[
round-robin [ttl-threshold seconds] |
single-answer [ttl-threshold seconds] |
ttl-threshold seconds
]
Parameter
Description
round-robin
For DNS replies that contain multiple IP addresses in the ANSWER
section, the ACOS device rotates the addresses when replying to
client requests. The DNS transaction ID (which is random) is used
to assist in the round-robin. This behavior is better for heavy traffic,
but the side effect is that it will not strictly follow the round-robin.
single-answer
Caches only replies that have a single IP address in the ANSWER
section.
ttl-threshold seconds
Specifies the minimum Time-To-Live (TTL) a reply from the DNS
server must have, in order for the ACOS device to cache the reply.
You can specify 1-10000000 seconds.
Default
DNS caching is disabled by default. When you globally enable DNS caching, the
round-robin and single-answer options are disabled by default. The default TTL
threshold is 0 (unset).
Mode
SLB common configuration mode
Usage
When DNS caching is enabled, the ACOS device sends the first request for a given name
(hostname, fully-qualified domain name, URL, and so on) to the DNS server. The ACOS device
caches the reply from the DNS server, and sends the cached reply in response to the next
request for the same name.
The ACOS device continues to use the cached DNS reply until the reply times out. After the
reply times out, the ACOS device sends the next request for that URL to the DNS server, and
caches the reply, and so on.
Enabling the single-answer option prevents the caching of DNS replies that have multiple IP
addresses. For example, if the DNS reply to a query for “www.example1.com” contains only
one IP address (1.1.1.1), the reply is cached on the ACOS device. However, if the DNS reply
to a query for “www.example2.com” contains two IP addresses (2.2.2.2 and 3.3.3.3), the
entry is not cached on the ACOS device.
If the ttl-threshold option is configured on the ACOS device, then DNS replies will only be
cached if they have a TTL value that is larger than the TTL threshold configured on the ACOS
device. This prevents the ACOS device from caching DNS entries that will expire shortly
thereafter.
For example, if the ACOS device’s TTL threshold is set to 7200 seconds and the ACOS device
receives a DNS response for a domain with a TTL of only 10 seconds, there would be little
benefit in caching that DNS reply, since it will soon expire. Subsequent client requests for
that same domain would bypass the “stale” information cached on the ACOS device and
trigger another DNS lookup just 10 seconds later.
DNS caching applies only to DNS requests sent to a UDP virtual port in a DNS SLB
configuration. DNS caching is not supported for DNS requests sent over TCP.
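The caching policy described above, as an added example that is not part of this reference or of ACOS: a Python model of a DNS cache that applies the single-answer and ttl-threshold filters, expires entries by TTL, and rotates multi-address answers by transaction ID. The class and function names, the upstream data, and the use of the transaction ID as the rotation offset are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class DnsReply:
    """A DNS server reply, reduced to the fields the cache policy looks at."""
    name: str
    answers: list   # IP addresses in the ANSWER section
    ttl: int        # TTL of the reply, in seconds


# Constructed upstream DNS data (not real hosts), keyed by queried name.
UPSTREAM = {
    "www.example1.com": DnsReply("www.example1.com", ["1.1.1.1"], 300),
    "www.example2.com": DnsReply("www.example2.com", ["2.2.2.2", "3.3.3.3"], 300),
    "short.example.com": DnsReply("short.example.com", ["4.4.4.4"], 10),
}


def lookup_upstream(name):
    """Stand-in for sending the query to the real DNS server."""
    return UPSTREAM[name]


@dataclass
class DnsCache:
    """Models dns-cache-enable with its round-robin, single-answer and
    ttl-threshold options (hypothetical class, not ACOS code)."""
    round_robin: bool = False
    single_answer: bool = False
    ttl_threshold: int = 0          # 0 means unset, as in the CLI default
    server_queries: int = 0         # how many times the server had to be asked
    entries: dict = field(default_factory=dict)   # name -> (reply, expiry)

    def should_cache(self, reply):
        """Apply the two optional filters described in the Usage text."""
        if self.single_answer and len(reply.answers) != 1:
            return False            # multi-address reply is never cached
        if reply.ttl <= self.ttl_threshold:
            return False            # TTL must be larger than the threshold
        return True

    def resolve(self, name, txid, now):
        """Serve a client query at time `now` (seconds) with transaction id `txid`."""
        cached = self.entries.get(name)
        if cached is not None and now < cached[1]:
            reply = cached[0]       # cached reply still valid: no server query
        else:
            self.server_queries += 1
            reply = lookup_upstream(name)
            if self.should_cache(reply):
                self.entries[name] = (reply, now + reply.ttl)
        answers = list(reply.answers)
        if self.round_robin and len(answers) > 1:
            # Assumption: the random transaction ID picks the rotation offset.
            k = txid % len(answers)
            answers = answers[k:] + answers[:k]
        return answers


if __name__ == "__main__":
    cache = DnsCache(single_answer=True, ttl_threshold=60)
    for t in (0, 100, 301):
        print(t, cache.resolve("www.example1.com", txid=t, now=t), cache.server_queries)
    print("multi-answer:", cache.resolve("www.example2.com", 1, 0), cache.server_queries)
    print("short TTL:", cache.resolve("short.example.com", 2, 0), cache.server_queries)
```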
Example
The following example enables DNS caching on the ACOS device with all the default values.
ACOS(config)# slb common
ACOS(config-common)# dns-cache-enable
dns-cache-entry-size
Description
Set the maximum size in bytes for DNS cache entries.
Syntax
[no] dns-cache-entry-size num
Replace num with the desired DNS cache entry size, in bytes (1 - 4096).
Default
256
Mode
SLB common configuration mode
Example
The following example sets the DNS cache entry size to 3600 bytes:
ACOS(config)# slb common
ACOS(config-common)# dns-cache-entry-size 3600
dns-vip-stateless
Description
This command causes the ACOS device to use round-robin to load balance DNS stateless
traffic to CPU threads.
NOTE:
This command is only available on FTA-enabled platforms.
Syntax
[no] dns-vip-stateless
Mode
SLB common configuration mode
Example
Enable this feature:
ACOS(config)# slb common
ACOS(config-common)# dns-vip-stateless
drop-icmp-to-vip-when-vip-down
Description
When a virtual IP is down it can still respond to ping (ICMP_ECHO) requests.
With this enabled, a virtual IP that is down will not respond to ping requests.
Syntax
[no] drop-icmp-to-vip-when-vip-down
Mode
SLB common configuration mode
dsr-health-check-enable
Description
Enable health checking of the virtual server IP addresses instead of the real server IP
addresses in Direct Server Return (DSR) configurations.
This feature also requires configuration of a Layer 3 health method (ICMP), with the
transparent option enabled, and with the alias address set to the virtual IP address. (See
method.) The health monitor must be applied to the real server ports.
Syntax
[no] dsr-health-check-enable
Default
Health checking is disabled by default.
Mode
SLB common configuration mode
Example
The following commands configure a Layer 3 health monitor for DSR health checking, apply
it to the real server ports, and enable DSR health checking:
ACOS(config)# health monitor dsr-hm
ACOS(config-health:monitor)# method icmp transparent 10.10.10.99
ACOS(config-health:monitor)# exit
ACOS(config)# slb common
ACOS(config-common)# dsr-health-check-enable
enable-l7-req-acct
Description
Globally enable Layer 7 request accounting.
If you use the least-request load-balancing method in a service group, Layer 7 request
accounting is automatically enabled for the service group’s members, and for the virtual
service ports that are bound to the service group’s members.
To display Layer 7 request statistics, use the show slb service-group group-name
command. See show slb server, show slb service-group, and show slb virtual-server.
Syntax
[no] enable-l7-req-acct
Default
Disabled by default.
Mode
SLB common configuration mode
Example
The example below shows how to enable Layer 7 request accounting.
ACOS(config)# slb common
ACOS(config-common)# enable-l7-req-acct
extended-stats
Description
Globally enable collection of extended SLB statistics, including peak connection statistics.
Syntax
[no] extended-stats
Default
Disabled by default.
Mode
SLB common configuration mode
Example
The example below shows how to enable the collection of extended SLB statistics.
ACOS(config)# slb common
ACOS(config-common)# extended-stats
fast-path-disable
Description
Disable fast-path packet inspection.
Fast processing of packets maximizes performance by using all the underlying hardware
assist facilities. Typically, the feature should remain enabled. The option to disable it is
provided only for troubleshooting, in case it is suspected that the fast processing logic is
causing an issue. If you disable fast-path processing, ACOS does not perform a deep
inspection of every field within a packet.
Syntax
[no] fast-path-disable
Default
Enabled by default.
Mode
SLB common configuration mode.
Example
The example below shows how to disable fast-path packet inspection.
ACOS(config)# slb common
ACOS(config-common)# fast-path-disable
gateway-health-check
Description
Enables gateway health monitoring.
Syntax
[no] gateway-health-check [interval seconds [timeout seconds]]
Parameter          Description
interval seconds   Specifies the amount of time between health check attempts, 1-180 seconds.
                   The default interval is 5 seconds.
timeout seconds    Specifies how long the ACOS device waits for a reply to any of
                   the ARP requests, 1-60 seconds.
                   The default timeout is 15 seconds.
Default
See descriptions.
Mode
SLB common configuration mode.
Usage
Gateway health monitoring uses ARP to test the availability of nexthop gateways. When the
ACOS device needs to send a packet through a gateway, the ACOS device begins sending
ARP requests to the gateway.
• If the gateway replies to any ARP request within a configurable timeout, the ACOS
device forwards the packet to the gateway.
• The ARP requests are sent at a configurable interval. The ACOS device waits for a
configurable timeout for a reply to any request. If the gateway does not respond to any
request before the timeout expires, the ACOS device selects another gateway and
begins the health monitoring process again.
Example
The following example enables gateway health monitoring. Health check attempts will be
made every 10 seconds, with a reply timeout of 20 seconds.
ACOS(config)# slb common
ACOS(config-common)# gateway-health-check interval 10 timeout 20
graceful-shutdown
Description
Allow currently active sessions time to terminate normally before shutting down a service
when you delete or disable the real or virtual server or port providing the service.
Syntax
[no] graceful-shutdown grace-period
[server | virtual-server] [after-disable]
Parameter        Description
grace-period     Number of seconds existing connections on a disabled or deleted
                 server or port are allowed to remain up before being terminated.
                 You can specify 1-65535 seconds.
server           Limits the graceful shutdown to real servers only.
virtual-server   Limits the graceful shutdown to virtual servers only.
after-disable    Applies graceful shutdown to disabled servers and service ports,
                 as well as deleted servers. Without this option, graceful shutdown
                 applies only to deleted servers.
Default
Graceful shutdown is disabled by default. When you delete a real or virtual service port, the
ACOS device places all the port’s sessions in the delete queue, and stops accepting new sessions on the port.
Mode
SLB common configuration mode.
Usage
When graceful shutdown is enabled, the ACOS device stops accepting new sessions on a
disabled or deleted port, but waits for the specified grace period before moving active sessions to the delete queue.
Example
The following commands enable graceful shutdown and set the grace period to one hour:
ACOS(config)# slb common
ACOS(config-common)# graceful-shutdown 3600
hw-compression
Description
Enable hardware-based HTTP compression.
Syntax
[no] hw-compression
Default
Disabled by default.
Mode
SLB common configuration mode.
Usage
Hardware-based compression is available using an optional hardware module on select platforms. For more information, see “Hardware-Based Compression” in the Application Delivery
and Server Load Balancing Guide.
Example
The following example enables hardware-based HTTP compression.
ACOS(config)# slb common
ACOS(config-common)# hw-compression
hw-syn-rr
Description
Enable distribution of client SYNs across multiple CPUs. This feature protects against CPU
overload due to SYN floods, a common symptom of DDoS attacks.
Syntax
[no] hw-syn-rr conn-num
The conn-num option specifies the maximum number of connection requests (TCP SYNs)
allowed from the same client (1-500000). If this threshold is exceeded, ACOS begins using all
the CPUs for processing the SYNs.
Default
Disabled by default.
Mode
SLB common configuration mode.
Usage
Only the control CPU is used for SYN processing.
When the conn-num threshold is exceeded, ACOS begins distributing the SYNs to the CPUs
in round-robin fashion. The control CPU and all data CPUs are used.
Example
The following example enables distribution of client SYNs across multiple CPUs, using
250,000 TCP SYNs as the threshold.
ACOS(config)# slb common
ACOS(config-common)# hw-syn-rr 250000
l2l3-trunk-lb-disable
Description
Disable or re-enable trunk load balancing.
Syntax
[no] l2l3-trunk-lb-disable
Default
Enabled by default.
Mode
SLB common configuration mode.
Usage
When trunk load balancing is enabled, the ACOS device load balances outbound Layer 2/3
traffic among all the ports in a trunk. The round-robin method is used to load balance the
traffic. For example, in a trunk containing ports 1-4, the first Layer 2/3 packet is sent on port 1.
The second packet is sent on port 2. The third packet is sent on port 3, and so on.
If you disable trunk load balancing, the lead port will always be used for outbound traffic, and
the other ports will act as standby ports in case the lead port goes down.
Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by default. However, the
CLI provides a command to disable trunk load balancing, in case there is a need to do so.
Disabling trunk load balancing causes the ACOS device to use only the lead port for
outbound traffic.
NOTE:
Trunk load balancing does not apply to Layer 4-7 traffic.
Example
The following commands disable trunk load balancing.
ACOS(config)# slb common
ACOS(config-common)# l2l3-trunk-lb-disable
max-buff-queued-per-conn
Description
Set the maximum buffer threshold per connection.
Syntax
[no] max-buff-queued-per-conn buffer-value
Specify the desired buffer-value (128-4096).
Mode
SLB common configuration mode.
Example
The following commands set the maximum buffer value per connection to 1024:
ACOS(config)# slb common
ACOS(config-common)# max-buff-queued-per-conn 1024
max-http-header-count
Description
Configure the number of headers supported in an HTTP request.
Syntax
[no] max-http-header-count num
Replace num with the maximum number of HTTP headers supported within a request (90-255).
Default
90
Mode
SLB common configuration mode
Example
The following commands configure 90 as the number of headers supported in an HTTP
request.
ACOS(config)# slb common
ACOS(config-common)# max-http-header-count 90
msl-time
Description
Configure the maximum session life for client sessions. The maximum session life controls
how long the ACOS device maintains a session table entry for a client-server session after
the session ends.
Syntax
[no] msl-time seconds
The seconds option specifies the number of seconds a client session can remain in the
session table following completion of the session. You can specify 1-40 seconds.
Default
2 seconds
Mode
SLB common configuration mode
Usage
The maximum session life allows time for retransmissions from clients or servers, which can
occur if there is an error in a transmission. If a retransmission occurs while the ACOS device
still has a session entry for the session, the ACOS device is able to forward the retransmission.
However, if the session table entry has already aged out, the ACOS device drops the
retransmission instead.
The maximum session life begins aging out a session table entry when the session ends:
• TCP – The session ends when the ACOS device receives a TCP FIN from the client or
server.
• UDP – The session ends after the ACOS device receives a server response to the client’s
request. If the reply is fragmented, the maximum session life begins only after the last
fragment is received.
NOTE:
For UDP sessions, the maximum session life is used only if UDP aging is set to short,
instead of immediate. UDP aging is set in the UDP template bound to the UDP virtual port. The default setting is short.
Example
The following commands configure a maximum session life of 10 seconds.
ACOS(config)# slb common
ACOS(config-common)# msl-time 10
mss-table
Description
Configure the TCP Maximum Segment Size (MSS) allowed for client traffic.
Syntax
[no] mss-table num
Replace num with the maximum MSS allowed in traffic from clients. You can specify 128-750.
Default
538
Mode
SLB common configuration mode
Usage
Clients who can only transmit TCP segments that are smaller than the MSS are unable to
reach servers.
This command globally changes the MSS. You also can change the MSS in individual TCP-proxy
templates. (See slb template tcp-proxy.)
Example
The following commands configure a TCP MSS of 256.
ACOS(config)# slb common
ACOS(config-common)# mss-table 256
no-auto-up-on-aflex
Description
Prevent the health status of virtual ports that are bound to aFleX scripts from being automatically marked Up.
Syntax
[no] no-auto-up-on-aflex
Default
This option is disabled by default. Virtual ports that are bound to aFleX scripts are automatically marked Up.
Mode
SLB common configuration mode
Example
The following commands prevent the health status of virtual ports that are bound to aFleX
scripts from being automatically marked Up.
ACOS(config)# slb common
ACOS(config-common)# no-auto-up-on-aflex
rate-limit-logging
Description
Configure rate limiting settings for system logging.
Syntax
[no] rate-limit-logging
[max-local-rate msgs-per-second]
[max-remote-rate msgs-per-second]
[exclude-destination {local | remote}]
Parameter                          Description
max-local-rate msgs-per-second     Specifies the maximum number of messages per second that can be
                                   sent to the local log buffer. You can specify 1-100. The default
                                   is 32 messages per second.
max-remote-rate msgs-per-second    Specifies the maximum number of messages per second that can be
                                   sent to remote log servers. You can specify 1-1,000,000. The
                                   default is 15000 messages per second.
exclude-destination                Excludes logging to the specified destination, local or remote.
                                   By default, logging to both destinations is enabled.
Default
See descriptions.
Mode
SLB common configuration mode.
Usage
Log rate limiting is enabled by default and cannot be disabled. The configurable settings
have the default values as described in the table above.
The log rate limiting mechanism works as follows:
• If the number of new messages within a one-second interval exceeds the internal
maximum (32 by default), then during the next one-second interval, ACOS sends log
messages only to the external log servers.
• If the number of new messages generated within the new one-second interval is the
internal maximum or less, then during the following one-second interval, ACOS will
again send messages to the local logging buffer as well as the external log server.
• In any case, all messages (up to the external maximum) are sent to the external log
servers.
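The rate limiting mechanism above, modeled in Python as an added example (not ACOS code): each call feeds the message count of one one-second interval and returns how many messages reach the local buffer and the remote servers. The class name is hypothetical, and it assumes that in the interval where the overrun happens, messages up to max-local-rate still reach the local buffer.

```python
class LogRateLimiter:
    """Per-second model of rate-limit-logging (hypothetical class, not ACOS code).

    max_local_rate:  messages per second allowed into the local log buffer (CLI default 32)
    max_remote_rate: messages per second allowed to remote log servers (CLI default 15000)
    """

    def __init__(self, max_local_rate=32, max_remote_rate=15000):
        if not 1 <= max_local_rate <= 100:
            raise ValueError("max-local-rate must be 1-100")
        if not 1 <= max_remote_rate <= 1_000_000:
            raise ValueError("max-remote-rate must be 1-1000000")
        self.max_local = max_local_rate
        self.max_remote = max_remote_rate
        # True while local delivery is suspended because the previous
        # one-second interval exceeded max_local.
        self.local_suspended = False

    def process_interval(self, new_messages):
        """Feed the number of new log messages generated in one one-second
        interval; return (to_local, to_remote) delivered in that interval."""
        # Remote servers always receive everything, up to the remote maximum.
        to_remote = min(new_messages, self.max_remote)
        if self.local_suspended:
            to_local = 0            # previous interval overran: remote only
        else:
            # Assumption: within the interval of an overrun, messages up to
            # the local maximum still reach the local buffer.
            to_local = min(new_messages, self.max_local)
        # An interval above the local maximum suspends local delivery for the
        # next interval; an interval at or below it re-enables local delivery.
        self.local_suspended = new_messages > self.max_local
        return to_local, to_remote


def simulate(per_second_counts, **limits):
    """Run a constructed burst pattern through the limiter, one entry per second."""
    limiter = LogRateLimiter(**limits)
    return [limiter.process_interval(n) for n in per_second_counts]


if __name__ == "__main__":
    # Constructed burst: quiet, burst of 50, burst of 40, back to 20, then 5.
    for second, (local, remote) in enumerate(simulate([10, 50, 40, 20, 5])):
        print(f"second {second}: local={local} remote={remote}")
```

With the defaults, the 50-message burst in second 1 suppresses local logging in second 2, and the 40-message burst in second 2 suppresses it again in second 3, while every message still reaches the remote servers.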
Example
The following commands increase the maximum number of log messages per second sent
to remote log servers:
ACOS(config)# slb common
ACOS(config-common)# rate-limit-logging max-remote-rate 30000
reset-stale-session
Description
Send reset if a session in the delete queue receives a SYN packet.
Syntax
[no] reset-stale-session
Mode
SLB common configuration mode.
Example
The following command enables this feature.
ACOS(config)# slb common
ACOS(config-common)# reset-stale-session
scale-out
Description
Enable the Scaleout feature for SLB.
For more information, see the Configuring Scaleout guide.
Syntax
[no] scale-out
Default
Not enabled.
Mode
SLB common configuration mode.
snat-gwy-for-l3
Description
Use an IP pool’s default gateway to forward traffic from a real server.
When this feature is enabled, ACOS checks the server IP subnet against the IP NAT pool
subnet. If they are on the same subnet, then ACOS uses the gateway as defined in the IP NAT
pool for Layer 2 / Layer 3 forwarding. This feature is useful if the server does not have its own
upstream router and ACOS can leverage the same upstream router for Layer 2 / Layer 3.
Syntax
[no] snat-gwy-for-l3
Default
Disabled by default.
Mode
SLB common configuration mode.
Example
The following commands enable traffic forwarding using an IP pool’s default gateway.
ACOS(config)# slb common
ACOS(config-common)# snat-gwy-for-l3
snat-on-vip
Description
Globally enable IP NAT support for VIPs.
Syntax
[no] snat-on-vip
Default
Disabled by default.
Mode
SLB common configuration mode
Usage
Source IP NAT can be configured on a virtual port in the following ways:
• ACL-based source NAT (access-list command at virtual port level)
• VIP source NAT (slb snat-on-vip command at Configuration mode level)
• aFleX policy (aflex command at virtual port level)
• Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP source NAT is
configured using an ACL on the virtual port, and the slb snat-on-vip command is also used,
then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that
is not permitted by the ACL, VIP source NAT can be used instead.
NOTE:
The current release does not support source IP NAT on FTP or RTSP virtual ports.
Example
The following commands enable IP NAT support for VIPs.
ACOS(config)# slb common
ACOS(config-common)# snat-on-vip
sort-res
Description
Enable the sort display option for SLB configuration. When this option is enabled, SLB
resources in the configuration are listed in alphabetical order.
The sort feature takes effect only after you configure at least one SLB resource, after you
enable the sort feature. Before you configure at least one new SLB resource, the SLB
resources still appear in the order they were configured.
Syntax
[no] sort-res
Default
This option is disabled by default. With this default behavior, SLB resources of a specific type
appear in the order they are configured.
Mode
SLB common configuration mode
Example
The following command displays the configured SLB servers, before the sort option is
enabled and activated:
ACOS(config-common)# show running-config | include slb server
slb server ee 5.5.5.5
slb server rs20_10 20.20.20.10
slb server Server07 110.20.20.20
slb server Server08 110.13.13.20
slb server MSSQLServer02 110.13.13.21
slb server srv266 10.10.100.10
slb server srv238 2.1.1.238
slb server rs_http 10.1.2.10
slb server ldap-sr 172.16.2.10
slb server s1 20.20.20.30
slb server woo 10.10.99.99
slb server o1 10.10.10.5
slb server http1 20.20.25.10
slb server http2 20.20.25.11
The following commands enable the sort option, configure a new SLB server, and redisplay
the configured SLB servers. The slb server commands are now alphabetically sorted.
ACOS(config)# slb common
ACOS(config-common)# sort-res
ACOS(config-common)# exit
ACOS(config)# slb server s88 4.3.3.3
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# show running-config | include slb server
slb server MSSQLServer02 110.13.13.21
slb server Server07 110.20.20.20
slb server Server08 110.13.13.20
slb server ee 5.5.5.5
slb server fsort2 4.3.9.58
slb server fsort88 4.3.9.55
slb server http1 20.20.25.10
slb server http2 20.20.25.11
slb server ldap-sr 172.16.2.10
slb server o1 10.10.10.5
slb server rs20_10 20.20.20.10
slb server rs_http 10.1.2.10
slb server s1 20.20.20.30
slb server s88 4.3.3.3
slb server srv238 2.1.1.238
slb server srv266 10.10.100.10
slb server woo 10.10.99.99
slb server zsort2 4.3.3.9
ACOS(config-real server-node port)#
stats-data-disable
Description
Globally disables periodic collection of statistical data for system resources, including CPU,
memory, disks and interfaces.
Syntax
[no] stats-data-disable
Default
Disabled (statistics collection is enabled)
Mode
SLB common configuration mode
Example
The following commands globally disable statistics collection for system resources.
ACOS(config)# slb common
ACOS(config-common)# stats-data-disable
use-mss-tab
Description
Configure ACOS to base the MSS in replies from VIPs to clients on the interface MTU and MSS
value received from clients in SYNs.
Syntax
[no] use-mss-tab
Default
Disabled by default.
Mode
SLB common configuration mode
Config Commands: SLB Templates
This chapter describes the commands and subcommands for configuring SLB configuration templates.
The following SLB template commands are available:
• slb template cache
• slb template cipher
• slb template client-ssl
• slb template connection-reuse
• slb template dblb
• slb template diameter
• slb template dns
• slb template dynamic-service
• slb template external-service
• slb template fix
• slb template ftp
• slb template http
• slb template http-policy
• slb template imap-pop3
• slb template logging
• slb template monitor
• slb template persist cookie
• slb template persist destination-ip
• slb template persist source-ip
• slb template persist ssl-sid
• slb template policy
• slb template port
• slb template reqmod-icap
• slb template respmod-icap
• slb template server
• slb template server-ssl
• slb template sip (over UDP)
• slb template sip (over TCP/TLS)
• slb template smpp
• slb template smtp
• slb template ssli
• slb template tcp
• slb template tcp-proxy
• slb template udp
• slb template virtual-port
• slb template virtual-server
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
slb template cache
Description
See “Config Commands: SLB Cache Templates” on page 89.
slb template cipher
Description
Configure a template of SSL cipher settings for binding to Client-SSL and Server-SSL templates.
Syntax
[no] slb template cipher template-name
Parameter        Description
template-name    Name of the template (1-31 characters).
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB Cipher Template configuration mode where the following
commands are available.
[no] cipher [priority num]
Parameter    Description
cipher       The cipher can be one of the names listed in the “Cipher Suite Name in
             ACOS” column of Table 1 on page 53. You can remove (or re-add) one
             cipher in the template with a single command. Enter separate commands
             for each cipher to remove or re-add.
priority     The cipher priority value can be 1-100. The highest priority (most
             favored) is 100. More than one cipher can have the same priority. In
             this case, the strongest (most secure) cipher is used.
NOTE:
If your platform contains a Nitrox III card, all ciphers are supported; however, ECDHE
and DHE ciphers on the server side are processed by CPU, resulting in high CPU
usage.
If your platform contains a Nitrox PX card, only RSA ciphers are supported.
With 4.1.0, software SSL supports the following ciphers:
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_DHE_RSA_AES_128_SHA256
TLS1_DHE_RSA_AES_256_SHA256
Use the show hardware command to see your platform’s specifications. For more
information, refer to Technical Support Advisory: Recommend SSL Templates for
PFS (Perfect Forward Secrecy) Ciphers on the A10 Networks website.
TABLE 1 Supported Ciphers
Common Cipher Suite Name (IANA/RFCs)     Hex Value   Cipher Suite Name in ACOS
TLS_RSA_EXPORT_WITH_RC4_40_MD5           0x00,0x03   SSL3_RSA_RC4_40_MD5
TLS_RSA_WITH_RC4_128_MD5                 0x00,0x04   SSL3_RSA_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA                 0x00,0x05   SSL3_RSA_RC4_128_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA        0x00,0x08   SSL3_RSA_DES_40_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA                 0x00,0x09   SSL3_RSA_DES_64_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA            0x00,0x0A   SSL3_RSA_DES_192_CBC3_SHA
TLS_RSA_WITH_AES_128_CBC_SHA             0x00,0x2F   TLS1_RSA_AES_128_SHA
TLS_RSA_WITH_AES_256_CBC_SHA             0x00,0x35   TLS1_RSA_AES_256_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA         0x00,0x39   TLS1_DHE_RSA_AES_256_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256          0x00,0x3C   TLS1_RSA_AES_128_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256          0x00,0x3D   TLS1_RSA_AES_256_SHA256
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5       0x00,0x60   TLS1_RSA_EXPORT1024_RC4_56_MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA       0x00,0x64   TLS1_RSA_EXPORT1024_RC4_56_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      0x00,0x67   TLS1_DHE_RSA_AES_128_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      0x00,0x6B   TLS1_DHE_RSA_AES_256_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256          0x00,0x9C   TLS1_RSA_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384          0x00,0x9D   TLS1_RSA_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CCM             0x00,0x9E   TLS1_DHE_RSA_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CCM             0x00,0x9F   TLS1_DHE_RSA_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       0xC0,0x13   TLS1_ECDHE_RSA_AES_128_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       0xC0,0x14   TLS1_ECDHE_RSA_AES_256_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC0,0x23   TLS1_ECDHE_ECDSA_AES_128_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC0,0x24   TLS1_ECDHE_ECDSA_AES_256_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    0xC0,0x27   TLS1_ECDHE_RSA_AES_128_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC0,0x2B   TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC0,0x2C   TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    0xC0,0x2F   TLS1_ECDHE_RSA_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    0xC0,0x30   TLS1_ECDHE_RSA_AES_256_GCM_SHA384
Default
The default priority is 1, and all ciphers within a template are enabled by default.
Mode
Configuration mode
Usage
A cipher template contains a list of ciphers. A client who connects to a virtual port that uses
the cipher template can use only the ciphers that are listed in the template.
Optionally, you can assign a priority value to each cipher in the template; however, it is
strongly recommended that you do not leave the priority unset. The ACOS device tries to use
the ciphers based on priority. If the client supports the cipher that has the highest priority,
that cipher is used. If the client does not support the highest-priority cipher, the ACOS device
attempts to use the cipher that has the second-highest priority, and so on.
Notes
• An SSL cipher template takes effect only when you apply it to a client-SSL template or
server-SSL template.
• When you apply (bind) a cipher template to a client-SSL or server-SSL template, the settings in the cipher template override any cipher settings in that client-SSL or server-SSL
template.
• Priority values are supported only for client-SSL templates. If a cipher template is used
by a server-SSL template, the priority values in the cipher template are ignored.
Example
The following commands configure a cipher template:
ACOS(config)# slb template cipher cipher_tmplt1
ACOS(config-cipher)# SSL3_RSA_DES_64_CBC_SHA priority 5
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA priority 10
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# end
This template contains 3 ciphers. The ACOS device attempts to use TLS1_RSA_AES_128_SHA
first. If the client does not support this cipher, the ACOS device attempts to use
SSL3_RSA_DES_64_CBC_SHA. If the client does not support this cipher either, the ACOS
device tries to use TLS1_RSA_AES_256_SHA.
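The priority-based cipher selection described in the Usage section, as an added Python example rather than ACOS code: it parses cipher template lines, orders them by priority using the cipher_tmplt1 template from the example above, and picks the first cipher the client offers. The function names are hypothetical, and the strength scoring used to break priority ties is an assumed ranking, since the page does not define "strongest".

```python
DEFAULT_PRIORITY = 1       # ciphers entered without "priority" get this value


def strength(cipher):
    """Assumed strength ranking used only to break ties at equal priority;
    the page says the strongest cipher wins but does not define the order."""
    score = 0
    if "GCM" in cipher:
        score += 40
    if "AES_256" in cipher:
        score += 30
    elif "AES_128" in cipher:
        score += 20
    elif "DES_192" in cipher:
        score += 10
    if "SHA384" in cipher:
        score += 3
    elif "SHA256" in cipher:
        score += 2
    elif "SHA" in cipher:
        score += 1
    if "ECDHE" in cipher:
        score += 5
    elif "DHE" in cipher:
        score += 4
    return score


def parse_template(lines):
    """Parse cipher-template lines of the form 'CIPHER [priority num]'
    into a dict mapping cipher name to priority."""
    template = {}
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        priority = DEFAULT_PRIORITY
        if len(parts) == 3 and parts[1] == "priority":
            priority = int(parts[2])
            if not 1 <= priority <= 100:
                raise ValueError(f"priority out of range 1-100: {priority}")
        elif len(parts) != 1:
            raise ValueError(f"cannot parse cipher line: {line!r}")
        template[parts[0]] = priority
    return template


def preference_order(template):
    """Highest priority first; equal priorities ordered strongest first."""
    return sorted(template, key=lambda c: (-template[c], -strength(c), c))


def select_cipher(template, client_ciphers):
    """Return the first cipher in preference order that the client supports,
    or None when the client shares no cipher with the template."""
    offered = set(client_ciphers)
    for cipher in preference_order(template):
        if cipher in offered:
            return cipher
    return None


# The template from the example above (cipher_tmplt1).
CIPHER_TMPLT1 = parse_template([
    "SSL3_RSA_DES_64_CBC_SHA priority 5",
    "TLS1_RSA_AES_128_SHA priority 10",
    "TLS1_RSA_AES_256_SHA",
])


if __name__ == "__main__":
    print("preference:", preference_order(CIPHER_TMPLT1))
    # Constructed client offer that lacks the top-priority cipher.
    print("selected:", select_cipher(CIPHER_TMPLT1,
                                     ["TLS1_RSA_AES_256_SHA", "SSL3_RSA_DES_64_CBC_SHA"]))
```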
Example
The following command binds the cipher template, cipher_tmplt1, to the client-SSL template, SSLInsight_ClientSide.
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-ca-cert enterpiseABC-selfsignd
ACOS(config-client ssl)# forward-proxy-ca-key enterpiseABC-key
ACOS(config-client ssl)# forward-proxy-enable
ACOS(config-client ssl)# template cipher cipher_tmplt1
ACOS(config-client ssl)# end
slb template client-ssl
Description
See “Config Commands: SLB Client SSL Templates” on page 99.
slb template connection-reuse
Description
Configure re-use of established connections.
Syntax
[no] slb template connection-reuse template-name
Replace template-name with the name of the template, 1-31 characters.
This command enters the SLB Connection-Reuse Template Configuration mode where the
following commands are available.
Command                         Description
[no] keep-alive-conn number     Specifies the number of new reusable connections to open before
                                beginning to reuse existing connections. You can specify 1-1024
                                connections.
                                This option is applicable for both HTTP and SIP-over-TCP sessions.
                                By default, this option is not enabled in the template, but when
                                activated, the default value is 100.
[no] limit-per-server number    Maximum number of reusable connections per server port. You can
                                specify 0-65535. 0 means unlimited.
                                The default is 1000 connections.
[no] timeout seconds            Maximum number of seconds a connection can remain idle before it
                                times out. You can specify 60-3600 seconds; the value specified
                                must be divisible by 60.
                                The default is 2400 seconds (40 minutes).
Default
The “default” connection reuse template has the defaults described in the table above.
To display the default template settings, use the show slb template connection-reuse default command (see “show slb template” on page 439 for more information).
Mode
Configuration mode
Usage
The normal form of this command creates a connection reuse template. The no form of this
command removes the template.
You can bind only one connection-reuse template to a virtual port. However, you can bind
the same connection-reuse template to multiple ports.
Due to the way the connection-reuse feature operates, backend sessions with servers will
not be reused in either of the following cases:
• The limit-per-server option is set to a very low value, lower than the number of
data CPUs on the ACOS device.
• The keep-alive-conn option is set to a lower value than the limit-per-server
option.
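A configuration check for the ranges and the two "no reuse" conditions listed above, as an added Python example (not ACOS code). It assumes 0 for limit-per-server means unlimited, as the table states, and therefore skips the keep-alive-conn comparison in that case; the number of data CPUs is passed in by the caller.

```python
# Added example (not ACOS code): sanity-checks a connection-reuse template
# against the ranges and the two "no reuse" conditions in the reference.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConnectionReuseTemplate:
    name: str
    keep_alive_conn: Optional[int] = None   # None = option not enabled in the template
    limit_per_server: int = 1000            # 0 = unlimited
    timeout: int = 2400                     # seconds


def validate_connection_reuse(t: ConnectionReuseTemplate, data_cpus: int) -> List[str]:
    """Return a list of problems; an empty list means the template is sound."""
    problems = []
    if not 1 <= len(t.name) <= 31:
        problems.append("template name must be 1-31 characters")
    if t.keep_alive_conn is not None and not 1 <= t.keep_alive_conn <= 1024:
        problems.append("keep-alive-conn must be 1-1024")
    if not 0 <= t.limit_per_server <= 65535:
        problems.append("limit-per-server must be 0-65535")
    if not 60 <= t.timeout <= 3600 or t.timeout % 60:
        problems.append("timeout must be 60-3600 seconds and divisible by 60")
    # Reuse silently never happens in these two cases (0 = unlimited is assumed
    # to be exempt from both checks).
    if 0 < t.limit_per_server < data_cpus:
        problems.append(
            f"limit-per-server ({t.limit_per_server}) is below the number of "
            f"data CPUs ({data_cpus}); backend sessions will not be reused"
        )
    if (t.keep_alive_conn is not None and t.limit_per_server
            and t.keep_alive_conn < t.limit_per_server):
        problems.append(
            f"keep-alive-conn ({t.keep_alive_conn}) is lower than limit-per-server "
            f"({t.limit_per_server}); backend sessions will not be reused"
        )
    return problems


if __name__ == "__main__":
    # Constructed template matching the example that follows in the reference.
    print(validate_connection_reuse(ConnectionReuseTemplate("conn-reuse1", limit_per_server=2000), data_cpus=8))
```

Note that enabling keep-alive-conn at its default of 100 while leaving limit-per-server at its default of 1000 trips the second condition, so the check is worth running before binding the template.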
Example
The following commands configure a connection reuse template named “conn-reuse1” and
set the limit per server to 2000 re-used connections:
ACOS(config)#slb template connection-reuse conn-reuse1
ACOS(config-conn reuse)#limit-per-server 2000
slb template dblb
Description
Create a template for database load-balancing (DBLB).
Syntax
[no] slb template dblb template-name
Replace template-name with the name of the template, 1-31 characters.
This command enters the SLB DBLB Template Configuration mode where the following
commands are available.
Command
Description
[no] calc-sha1 password
Displays the SHA1-encrypted version of a clear text string.
[no] class-list list-name
Applies a class list of username-password pairs for DBLB client authentication to
access the database server.
[no] server-version type
Specifies the type of database system for the DBLB server that processes database
requests. For type you can specify one of the following:
• MSSQL2008 – MS-SQL server (version 2008 or 2008 R2)
• MSSQL2012 – MS-SQL server (version 2012)
• MySQL – Any version of MySQL
Default
The configuration does not have a default DBLB template.
Mode
Configuration mode
slb template diameter
Description
Configure Diameter load balancing.
Syntax
[no] slb template diameter template-name
Replace template-name with the name of the template, 1-31 characters.
This command enters the SLB Diameter Template Configuration mode where the following
commands are available.
Command
Description
[no] avp avp-num {int32 | int64 | string} value [mandatory]
Specifies a custom AVP value to insert into Capabilities-Exchange-Request messages sent by the ACOS device to Diameter servers.
For each custom AVP value to insert, you must specify the following information:
• avp-num – Diameter AVP number.
• int32 | int64 | string – Specifies the data format of the value to insert.
• value – Specifies the value to insert.
• mandatory – Sets the AVP mandatory flag on. By default, this flag is off (not set).
You can configure up to 6 custom AVP values for insertion. Enter the command separately for each AVP value.
[no] customize-cea
Replaces the AVPs in Capabilities-Exchange-Answer (CEA) messages with the custom AVP values you configure before forwarding the messages.
[no] duplicate avp-num
pattern service-group
Duplicates Accounting-Request messages and sends them to a separate service
group. This option is useful for logging, accounting, and so on.
To configure message duplication, configure real servers and the service group, and
use the duplicate command to configure the following parameters:
• avp-num – Diameter AVP number.
• pattern – String pattern within the message.
• service-group – The duplication service group, which is the service group to
which to send the duplicate messages.
NOTE: To place the message duplication configuration into effect, you must
unbind the Diameter template from the Diameter virtual port, then rebind it.
A Diameter template in which message duplication is configured can be bound to
only a single virtual port.
[no] dwr-time ms
Specifies the maximum time the ACOS device will wait for the reply to a
device-watchdog message sent to a Diameter server before marking the server
Down. You can specify 0-2147483647 milliseconds (ms), in 100-ms increments.
The default is 10000 ms (10 seconds).
[no] idle-timeout minutes
Specifies the number of minutes a Diameter session can remain idle before the session is deleted. You can specify 1-65535 minutes.
The default is 5 minutes.
[no] message-code num
Enables load balancing of Diameter message codes, in addition to those already
load balanced by default. You can enable load balancing of up to 10 additional
message codes:
• Accounting-Request (code 271)
• Accounting-Answer (code 271)
• Capabilities-Exchange-Request (code 257)
• Capabilities-Exchange-Answer (code 257)
• Device-Watchdog-Request (code 280)
• Device-Watchdog-Answer (code 280)
• Session-Termination-Request (code 275)
• Session-Termination-Answer (code 275)
• Abort-Session-Request (code 274)
• Abort-Session-Answer (code 274)
• Disconnect-Peer-Request/Disconnect-Peer-Answer (code 282)
The ACOS device drops all other Diameter message codes by default.
[no] multiple-origin-host
Prepends the CPU ID onto the origin-host string to identify the CPU used for a given
Diameter peer connection.
The ACOS device establishes a separate peer connection with each Diameter server
on each CPU. The multiple-origin-host option does not enable or disable this
behavior. The option simply shows or hides the CPU ID in the origin-host string.
[no] origin-host host.realm
Sets the value of Diameter AVP 264. This AVP can be a character string and specifies
the identity of the originating host for Diameter messages. Since the ACOS device
acts as a proxy for Diameter, this AVP refers to the ACOS device itself, not to the
actual clients. From the Diameter server’s standpoint, the ACOS device is the Diameter client.
Specify the origin-host in the following format: host.realm
The host is a string unique to the client (ACOS device). The realm is the Diameter
realm, specified by the origin-realm option (described below).
[no] origin-realm string
Sets the value of Diameter AVP 296. This AVP can be a character string and specifies
the Diameter realm from which Diameter messages, including requests, are originated.
[no] product-name string
Sets the value of Diameter AVP 269. This AVP can be a character string and specifies
the product; for example, “a10dra”.
[no] session-age minutes
Specifies the absolute limit for Diameter sessions. Any Diameter session that is still in
effect when the session age is reached is removed from the ACOS session table. You
can specify 1-65535 minutes.
The default is 10 minutes.
[no] vendor-id num
Sets the value of Diameter AVP 266. This AVP can be a numeric value and specifies
the vendor; for example, “156”. Make sure to use a non-zero value. Zero is reserved
by the Diameter protocol.
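To see what the avp, origin-host, origin-realm, product-name and vendor-id options put on the wire, the following added Python example (not ACOS code) encodes and decodes AVPs in the RFC 6733 format: a 32-bit code, an 8-bit flags byte (V = 0x80, M = 0x40), a 24-bit length that covers header and data but not padding, and data padded to a 32-bit boundary. The AVP codes 264, 266, 269 and 296 are the ones named in the table; the host names, the vendor id 156 and the custom AVP 9999 are constructed sample values.

```python
# Added example (not ACOS code): encodes Diameter AVPs in the RFC 6733 wire
# format so the effect of the template's avp / origin-host / origin-realm /
# product-name / vendor-id options on a Capabilities-Exchange-Request can be
# inspected byte by byte.
import struct
from typing import List, Tuple, Union

AVP_FLAG_VENDOR = 0x80      # V bit: a Vendor-ID field follows the header
AVP_FLAG_MANDATORY = 0x40   # M bit: set by the CLI's "mandatory" keyword

# AVP codes named in the reference.
ORIGIN_HOST = 264
VENDOR_ID = 266
PRODUCT_NAME = 269
ORIGIN_REALM = 296


def encode_avp(code: int, fmt: str, value: Union[int, str], mandatory: bool = False) -> bytes:
    """Encode one AVP. fmt is 'int32', 'int64' or 'string' as in the CLI."""
    if fmt == "int32":
        data = struct.pack("!i", value)
    elif fmt == "int64":
        data = struct.pack("!q", value)
    elif fmt == "string":
        data = str(value).encode("utf-8")
    else:
        raise ValueError(f"unknown AVP data format {fmt!r}")
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    length = 8 + len(data)                      # header + data, excluding padding
    header = struct.pack("!II", code, (flags << 24) | length)
    padding = b"\x00" * (-len(data) % 4)        # pad data to a 32-bit boundary
    return header + data + padding


def decode_avps(buf: bytes) -> List[Tuple[int, bool, bytes]]:
    """Walk a buffer of AVPs, returning (code, mandatory flag, raw data) tuples."""
    out = []
    pos = 0
    while pos + 8 <= len(buf):
        code, flags_len = struct.unpack_from("!II", buf, pos)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        if length < 8 or pos + length > len(buf):
            raise ValueError("malformed AVP length")
        data_start = pos + 8 + (4 if flags & AVP_FLAG_VENDOR else 0)
        out.append((code, bool(flags & AVP_FLAG_MANDATORY), buf[data_start:pos + length]))
        pos += length + (-length % 4)           # skip padding
    return out


def build_cer_avps(origin_host: str, origin_realm: str, product_name: str,
                   vendor_id: int,
                   custom: List[Tuple[int, str, Union[int, str], bool]]) -> bytes:
    """Identity AVPs followed by up to 6 custom AVPs (code, fmt, value, mandatory)."""
    if len(custom) > 6:
        raise ValueError("at most 6 custom AVPs can be configured")
    if vendor_id == 0:
        raise ValueError("vendor-id 0 is reserved by the Diameter protocol")
    avps = [
        encode_avp(ORIGIN_HOST, "string", origin_host, mandatory=True),
        encode_avp(ORIGIN_REALM, "string", origin_realm, mandatory=True),
        encode_avp(VENDOR_ID, "int32", vendor_id, mandatory=True),
        encode_avp(PRODUCT_NAME, "string", product_name),
    ]
    avps += [encode_avp(c, f, v, m) for c, f, v, m in custom]
    return b"".join(avps)


if __name__ == "__main__":
    # Constructed values; host.realm follows the origin-host format in the reference.
    cer = build_cer_avps("acos1.example.com", "example.com", "a10dra", 156,
                         [(9999, "int32", 7, True)])
    for code, mandatory, data in decode_avps(cer):
        print(code, mandatory, data)
```

Decoding the buffer back shows the M flag only on the AVPs where it was requested, which is the detail a peer checks when it decides whether an unknown custom AVP may be ignored or must cause the request to be rejected.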
Default
The configuration does not have a default Diameter template. If you configure one, the template has the default values described in the table above.
Mode
Configure
Usage
The normal form of this command creates a Diameter template. The no form of this command removes the template.
You can bind only one Diameter template to a virtual port. However, you can bind the same
Diameter template to multiple ports.
Example
For configuration examples, see the “Diameter Load Balancing” chapter in the Application
Delivery and Server Load Balancing Guide.
slb template dns
Description
Configure DNS caching.
Syntax
[no] slb template dns template-name
Replace template-name with the name of the template, 1-31 characters.
This command enters the SLB DNS Template Configuration mode where the following
commands are available.
Command
Description
[no] class-list name
Applies a class list to the template.
[no] default-policy [cache | nocache]
Specifies the default action to take when a query does not match any class-list
entries.
The default is nocache.
[no] disable-dns-template
Disables the template. The template stops taking effect but remains in the configuration.
By default, the template is enabled and takes effect when you bind it to a DNS
port.
[no] dns-log-enable period minutes
Enables logging for DNS caching. The period option specifies how often log
messages are generated. You can specify 1-10000 minutes.
[no] dns64 options
Enable DNS64. Specify one of the following available options:
• answer-only-disable - Disable translating only the answer section.
• auth-data - Set the AA flag in the DNS response.
• cache - Generate the response from the DNS cache.
• change-query - Always change an incoming AAAA DNS query to A.
• compress-disable - DNS compression is disabled.
• deep-check-rr-disable - Disable the checking of DNS response records.
• enable - Enable DNS64. This option must be enabled before any other DNS64 options are enabled.
• ignore-rcode3-disable - Disable ignoring DNS error responses with rcode 3.
• max-qr-length - Maximum question record (QR) length (1-1023); default is 128.
• parallel-query - Forward AAAA queries and generate an A query in parallel.
• passive-query-disable - Disable generation of a query upon an empty or error response.
• retry - Retry count (0-15); default is 3.
• single-response-disable - Disable single response, which is used to avoid ambiguity.
• timeout seconds - Timeout to send additional queries (0-15 seconds); default is 1 second.
• trans-ptr - Translate DNS PTR records.
• ttl seconds - Specify the maximum TTL in DNS responses (1-1000000000 seconds).
[no] enable-cache-sharing
Enables caching of TCP-based DNS queries along with UDP-based queries.
NOTE: If DNS authentication also is enabled, the initial request is not only redirected to TCP, but is then cached so that a second request is not made to the DNS server.
[no] malformed-query {drop | forward service-group-name}
Specifies the action to take for malformed DNS queries:
• drop – Drops malformed queries.
• forward – Sends the queries to the specified service group.
With either option, the malformed queries are not sent to the DNS virtual port.
[no] max-cache-entry-size num
Specifies the maximum number of bytes each cache entry can have, 1-4096.
[no] max-cache-size num
Specifies the maximum number of entries that can be cached per VIP. The maximum configurable amount depends on the amount of RAM installed on the ACOS device.
[no] max-query-length num
Specifies the maximum length for DNS queries, 1-4095.
The default is 256.
By default, there is no limit on the length.
[no] query-id-switch
Enables stateful query-ID-based load balancing.
NOTE: This feature is only supported on virtual port 53, and will not work on any
other port.
This is disabled by default.
[no] redirect-to-tcp-port
Enables authentication for DNS requests received over UDP. When this feature is
enabled, ACOS drops the UDP DNS request from a client, and sends the client a
DNS Truncate message. To pass DNS authentication, the client must resend the
DNS request over TCP.
By default, this feature is disabled.
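The truncate-and-retry-over-TCP exchange that redirect-to-tcp-port performs, and the max-query-length check, as an added Python example (not ACOS code). The reply keeps the query ID and question section, sets the QR and TC bits, and carries no answer records, so a client that did not really send from its source address never gets as far as a TCP handshake. The `build_query` helper and the queried name are constructed for the example.

```python
# Added example (not ACOS code): builds the truncated (TC=1) reply that the
# redirect-to-tcp-port option sends for a UDP query, and applies the
# max-query-length limit. A spoofed source address never completes the TCP
# handshake, so only clients that really own their address get an answer.
import struct
from typing import Optional

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: the client must retry over TCP
FLAG_RD = 0x0100  # recursion desired (copied from the query)


def truncate_reply(query: bytes, max_query_length: Optional[int] = None) -> Optional[bytes]:
    """Return a minimal TC=1 response for a DNS query, or None to drop it."""
    if len(query) < 12:
        return None                                       # malformed header
    if max_query_length is not None and len(query) > max_query_length:
        return None                                       # exceeds max-query-length
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", query, 0)
    if flags & FLAG_QR or qdcount != 1:
        return None                                       # not a single-question query
    # Walk the QNAME labels to find the end of the question section.
    pos = 12
    while True:
        if pos >= len(query):
            return None                                   # name runs off the end: malformed
        label_len = query[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len & 0xC0:
            return None                                   # compression pointers are not valid here
        pos += 1 + label_len
    pos += 4                                              # QTYPE + QCLASS
    if pos > len(query):
        return None
    question = query[12:pos]
    resp_flags = FLAG_QR | FLAG_TC | (flags & FLAG_RD)
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, 0, 0, 0)
    return header + question


def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed helper: encode a standard recursive query for `name` (A record by default)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")   # constructed query
    print(truncate_reply(q).hex())
    print(truncate_reply(q, max_query_length=20))  # dropped: longer than the limit
```

Because the reply is built only from the client's own question section, it is a fixed-size response that is no larger than the query, so the redirect itself cannot be used to amplify traffic toward a spoofed address.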
Default
DNS template options have the default settings described in the table above.
Mode
Configure
Usage
The normal form of this command creates a DNS template. The no form of this command
removes the template.
You can bind only one DNS template to a virtual port. However, you can bind the same DNS
template to multiple ports.
For DNS caching, bind the template to virtual port type dns-udp. Virtual port type dns
applies only to DNS security.
DNS templates are not supported with stateless load-balancing methods.
slb template dynamic-service
Description
Creates a template that you can bind to virtual ports to access the DNS servers specified by
the dns server sub-command.
Syntax
[no] slb template dynamic-service template-name
This command changes the CLI mode to dynamic service configuration mode, where the
following command is available:
dns server dns-ip-address
A maximum of four dns-ip-addresses can be specified.
Default
ACOS does not have a default SLB dynamic-service template.
Mode
Global Configuration mode
Example
The following example creates the dynamic-service template with the name DNS_service1, and then binds it to the HTTPS vPort of the Inside_VIP virtual server.
ACOS(config)# slb template dynamic-service DNS_service1
ACOS(config-dynamic-service)# dns server 10.10.1.253
ACOS(config-dynamic-service)# dns server 2001:db8::1521:31ac
ACOS(config-dynamic-service)# exit
ACOS-Inside(config)# slb virtual-server Inside_VIP 10.10.1.30
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS-Inside(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-slb vserver-vport)# template policy Explicit_Proxy
ACOS-Inside(config-slb vserver-vport)# template dynamic-service DNS_service1
slb template external-service
Description
Configure an External Service template to steer traffic to external servers for additional processing, based on application.
Syntax
[no] slb template external-service template-name
Replace template-name with the name of the template, 1-31 characters.
This command enters the SLB External-Service Template Configuration mode where the
following commands are available.
Command
Description
[no] bypass-ip IPv4-address {/nn | netmask}
If configuring for ICAP-based Traffic Steering, specifies the controller IP address.
[no] failure-action {continue | drop | reset}
Specifies the action performed by ACOS when any of the following types of
events occurs:
• ACOS fails to select an external-service server.
• Failure occurs during creation of a new connection to the external-service
server.
• The response from the external-service server does not contain HTTP status
code 200 or 403.
• Exhaustion of memory when creating a request to the external-service server.
The failure action can be one of the following:
• continue – Allows the client’s request to go to the content server.
• drop – Silently drops the connection and does not send a reset to the client.
• reset – Sends a connection reset to the client.
NOTE: If a TCP error occurs while ACOS is waiting for a response, ACOS resets the
connection. For example, this occurs in the case of a connection reset by a URL filtering server.
The default is continue.
[no] service-group group-name
Binds the service group that contains the external-service servers to this template. Specify the service group that contains the external-service servers (for
example, ICAP-based Traffic Steering servers or URL-filtering servers). Do not specify the service group containing the content servers (HTTP servers).
If configuring for ICAP-based Traffic Steering, specify the group of servers here,
but not the controller. Specify the controller using the bypass-ip command
(described above).
[no] template template-type template-name
Applies a template to the external-service template. Specify one or both of the
following:
• persist source-ip template-name – Applies a source-IP persistence
template to the external-service template.
• tcp-proxy template-name – Applies a custom TCP-proxy template to use
for managing the TCP connections with the servers.
[no] timeout num action [continue | drop | reset]
Sets the maximum time ACOS waits for a response from the server. If the server
does not reply before the timeout expires, ACOS takes the configured action,
which can be one of the following:
• continue – Allows the client’s request to go to the content server.
• drop – ACOS silently drops the connection and does not send a reset to the
client.
• reset – ACOS sends a connection reset to the client.
The default is 1000ms, continue.
[no] type [icap-traffic-steering | url-filter]
Specifies the traffic type to redirect:
• icap-traffic-steering – Steers Internet Content Adaptation Protocol
(ICAP) to external controllers.
• url-filter – Steers HTTP requests from clients to external URL-filtering servers.
The default is url-filter.
Default
The configuration does not have a default External Service template. If you configure one,
the template has the default values described in the table above.
Mode
Configuration mode
slb template fix
Description
Configure a template for Financial Information Exchange (FIX) load balancing.
Syntax
[no] slb template fix template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB FIX Template Configuration mode where the following
commands are available.
Command
Description
[no] insert-client-ip
Inserts an AVP with the original client IP address to the tag 11447. For example, if the
client IP address is 40.40.40.20, this option will modify the tag to “11447=40.40.40.20”
when the server receives this client’s PUSH data.
[no] tag-switching [sender-comp-id | target-comp-id] equals string service-group name
Inspects the FIX message header for a SenderCompID or TargetCompID tag value and
uses a specific service group if the tag matches the Equals keyword. The ACOS device
can inspect FIX messages and perform service group switching with one of the following options:
• sender-comp-id – Selects a service group for FIX requests based on the value of
the SenderCompID tag. This tag identifies the financial institution that is sending
the request.
• target-comp-id – Selects a service group for FIX requests based on the value of
the TargetCompID tag. This tag identifies the financial institution to which the
request is being sent.
With either option, specify the following:
• equals string – Specifies a keyword which ACOS matches against the TargetCompID or SenderCompID tag of a FIX message header.
NOTE: The keyword is case sensitive and must match exactly with the SenderCompID tag or TargetCompID tag. For example, “ABC” is different from “Abc”.
• service-group name – Selects the service-group to use for a client request
when the SenderCompID or TargetCompID tag in the FIX message header of the
request matches the specified keyword.
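The tag-switching match and the insert-client-ip rewrite described above, as an added Python example (not ACOS code). FIX fields are tag=value pairs separated by SOH (0x01); SenderCompID is tag 49 and TargetCompID tag 56 in standard FIX, and tag 11447 is the one the reference gives for the client address. The example recomputes BodyLength (tag 9) and CheckSum (tag 10) after inserting, since a receiver would otherwise reject the modified message; the sample order message and the service-group names are constructed.

```python
# Added example (not ACOS code): parses a FIX message header and applies the
# tag-switching and insert-client-ip rules from the reference.
from typing import List, Tuple

SOH = "\x01"
SENDER_COMP_ID = "49"     # standard FIX tag numbers
TARGET_COMP_ID = "56"
CLIENT_IP_TAG = "11447"   # tag used by insert-client-ip per the reference


def parse_fix(msg: str) -> List[Tuple[str, str]]:
    """Split a FIX message into ordered (tag, value) pairs; tags may repeat."""
    fields = []
    for field in msg.split(SOH):
        if not field:
            continue
        tag, sep, value = field.partition("=")
        if not sep or not tag.isdigit():
            raise ValueError(f"malformed FIX field {field!r}")
        fields.append((tag, value))
    return fields


def encode_fix(fields: List[Tuple[str, str]]) -> str:
    """Serialise fields, recomputing BodyLength (9) and CheckSum (10)."""
    head = [f for f in fields if f[0] == "8"]                    # BeginString stays first
    body = [f for f in fields if f[0] not in ("8", "9", "10")]
    body_str = "".join(f"{t}={v}{SOH}" for t, v in body)
    prefix = "".join(f"{t}={v}{SOH}" for t, v in head) + f"9={len(body_str)}{SOH}"
    payload = prefix + body_str
    checksum = sum(payload.encode()) % 256                       # FIX checksum: byte sum mod 256
    return payload + f"10={checksum:03d}{SOH}"


def select_service_group(msg: str, rules: List[Tuple[str, str, str]], default: str) -> str:
    """rules: (which, equals, service_group) with which in {'sender-comp-id', 'target-comp-id'}.

    The match is exact and case sensitive; the first matching rule wins and the
    virtual port's default group is used otherwise.
    """
    header = dict(parse_fix(msg))   # header tags occur once, so a dict is fine here
    tag_for = {"sender-comp-id": SENDER_COMP_ID, "target-comp-id": TARGET_COMP_ID}
    for which, equals, group in rules:
        if header.get(tag_for[which]) == equals:
            return group
    return default


def fix_insert_client_ip(msg: str, client_ip: str) -> str:
    """Add tag 11447=<client ip> and re-encode with fresh length and checksum."""
    fields = parse_fix(msg)
    fields.append((CLIENT_IP_TAG, client_ip))
    return encode_fix(fields)


if __name__ == "__main__":
    # Constructed new-order message (35=D) from SenderCompID ABC to TargetCompID EXCH.
    sample = SOH.join(["8=FIX.4.2", "9=0", "35=D", "49=ABC", "56=EXCH", "10=000"]) + SOH
    rules = [("sender-comp-id", "ABC", "sg_abc"), ("target-comp-id", "EXCH", "sg_exch")]
    print(select_service_group(sample, rules, "sg_default"))
    print(fix_insert_client_ip(sample, "40.40.40.20").replace(SOH, "|"))
```

A message whose SenderCompID is "Abc" falls through the first rule exactly as the case-sensitivity note says, so a mismatch ends up on the TargetCompID rule or on the virtual port's default group rather than on the intended one.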
Default
The configuration does not have a default FIX template.
Mode
Configuration mode
slb template ftp
Description
Configure a template for FTP load balancing.
Syntax
[no] slb template ftp template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB FTP Template Configuration mode where the following
commands are available.
[no] active-mode-port
If you plan to use a non-standard FTP port number, use this option to specify the port
number, 1-65535.
Default
The configuration does not have a default FTP template.
Mode
Configuration mode
slb template http
Description
Configure HTTP modifications to server replies to clients and configure load balancing based
on HTTP information.
Syntax
[no] slb template http template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB HTTP Template Configuration mode where the following
commands are available.
Command
Description
[no] compression option
Offloads Web servers from CPU-intensive HTTP compression operations. Options
for this command are:
• auto-disable-on-high-cpu percent
Configures an automatic disable of HTTP compression based on CPU utilization.
The percent option specifies the threshold. You can specify 1-100.
• content-type content-string
Specifies the type of content to compress, based on a string in the content-type
header of the HTTP response. The content-string can be 1-31 characters long.
The “text” and “application” types are included by default.
• enable
Enables compression.
• exclude-content-type content-string
Excludes the specified content type from being compressed. The content-string
can be 1-31 characters long.
• exclude-uri uri-string
Excludes an individual URI from being compressed. The URI string can be 1-31
characters. An HTTP template can exclude up to 10 URI strings.
• keep-accept-encoding enable
Configures the ACOS device to leave the Accept-Encoding header in HTTP
requests from clients instead of removing the header.
When keep-accept-encoding is enabled, compression is performed by the real
server instead of the ACOS device, if the server is configured to perform the
compression. The ACOS device compresses the content that the real server does
not compress. This option is disabled by default, which means the ACOS device
performs all the compression.
• level number
Specifies the compression level. You can use compression level 1-9. Each level
provides a higher compression ratio, beginning with level 1, which provides the
lowest compression ratio. A higher compression ratio results in a smaller file size
after compression. However, higher compression levels also require more CPU
processing than lower compression levels, so performance can be affected.
Compression is supported only for HTTP and HTTPS virtual ports. Compression is
not supported for fast-HTTP virtual ports.
The default level is 1.
• minimum-content-length bytes
Specifies the minimum length (in bytes) a server response can be in order to be
compressed. The length applies to the content (payload) only and does not
include the headers. You can specify 0-2147483647 bytes.
The default is 120 bytes.
[no] failover-url url-string
Specifies the fallback URL to send in an HTTP 302 response when all real servers are
down.
[no] host-switching {starts-with | contains | ends-with} host-string service-group service-group-name
Selects a service group based on the value in the Host field of the HTTP header. The
selection overrides the service group configured on the virtual port.
• For host-string, you can specify an IP address or a hostname. If the host-string does not match, the service group configured on the virtual port is used.
• starts-with host-string – matches only if the hostname or IP address
starts with host-string.
• contains host-string – matches if the host-string appears anywhere
within the hostname or host IP address.
• ends-with host-string – matches only if the hostname or IP address ends
with host-string.
[no] insert-client-ip [http-header-name] [replace]
Inserts the client’s source IP address into HTTP headers. If you specify an HTTP
header name, the source address is inserted only into headers with that name.
The replace option replaces any client addresses that are already in the header.
Without this option, the client IP address is appended to the list of client IP
addresses already in the header. For example, if the header already contains “X-Forwarded-For:1.1.1.1” and the current client’s IP address is 2.2.2.2, the replace
option changes the field:value pair to “X-Forwarded-For:2.2.2.2”. Without the
replace option, the field:value pair becomes “X-Forwarded-For:1.1.1.1, 2.2.2.2”.
[no] insert-client-port [http-header-name] [replace]
Inserts the source protocol port of the client’s request into the HTTP header. If no
header name is specified, the X-ClientPort header is used.
The replace option allows you to replace the content of an existing header that
matches the configured name with the client’s port number. If no header name is
specified, the X-ClientPort header is used. If the replace option is not specified,
and there is a header that matches the configured name, the client’s port number
is added to the end of the specified header.
[no] keep-client-alive
Keeps the session between ACOS and the client up even after the part of the session between ACOS and the backend server is terminated.
[no] log-retry
Logs HTTP retries. An HTTP retry occurs when the ACOS device resends a client’s
HTTP request to a server because the server did not reply to the first request. (HTTP
retries are enabled using the retry-on-5xx or retry-on-5xx-per-req command in the HTTP template.)
[no] non-http-bypass service-group group-name
Redirects non-HTTP traffic to a specific service group. By default, the ACOS device
will drop non-HTTP requests that are sent to an HTTP port.
[no] redirect [location location | secure | [secure] port portnum] [response-code {301 | 302 | 303 | 307}]
Automatically sends a redirect response to HTTP client requests. You can optionally
specify the following:
• location location
A static location string to which the client will be redirected.
• port portnum
TCP port number to use for the redirect.
• response-code
The response code to apply. 302 Found is used by default. The following
response codes can be configured:
• 301 (Moved Permanently)
• 302 (Found)
• 303 (See Other)
• 307 (Temporary Redirect)
• secure
The client will be redirected using HTTPS.
[no] redirect-rewrite match url-string rewrite-to url-string
Modifies redirects sent by servers by rewriting the matching URL string to the specified value before sending the redirects to clients.
[no] redirect-rewrite secure {port tcp-portnum}
Changes HTTP redirects sent by servers into HTTPS redirects before sending the
redirects to clients.
To redirect clients to the default HTTPS port (443), enter the following command:
redirect-rewrite secure
To redirect clients to an HTTPS port other than the default, enter the following
command instead: redirect-rewrite secure port port-num
[no] req-hdr-wait-time seconds
Sets a request header wait time to prevent Slowloris attacks. All portions of a client’s
request header must be received within the specified amount of time. Otherwise,
ACOS terminates the connection. You can specify 1-31 seconds. The default is 7.
[no] request-header-erase field
Erases the specified header (field) from HTTP requests.
[no] request-header-insert field:value [insert-always | insert-if-not-exist]
Inserts the specified header into HTTP requests. The field:value pair indicates the
header field name and the value to insert.
If you use the insert-always option, the command always inserts the
field:value pair. If the request already contains a header with the same field
name, the new field:value pair is added after the existing field:value pair.
Existing headers are not replaced.
If you use the insert-if-not-exist option, the command inserts the header
only if the request does not already contain a header with the same field name.
Without either option, if a request already contains one or more headers with the
specified field name, the command replaces the last header.
[no] request-line-case-insensitive
Parses HTTP request lines with no case sensitivity.
[no] response-content-replace original-content new-content
Replaces data in the HTTP response from the server. The original-content
specifies the content to look for in server responses. The new-content specifies
the content to use to replace the original content. For each value, you can specify a
string of 1-127 characters. If a string contains blank spaces, use double quotation
marks around the string.
NOTE: A maximum of 8 content-replacement rules are supported in a given HTTP
template.
[no] response-header-erase field
Erases the specified header (field) from HTTP responses.
[no] response-header-insert field:value [insert-always | insert-if-not-exist]
Inserts the specified header into HTTP responses. The field:value pair indicates
the header field name and the value to insert.
If you use the insert-always option, the command always inserts the
field:value pair. If the response already contains a header with the same field
name, the new field:value pair is added after the existing field:value pair.
Existing headers are not replaced.
If you use the insert-if-not-exist option, the command inserts the header
only if the response does not already contain a header with the same field name.
Without either option, if a response already contains one or more headers with the
specified field name, the command replaces the first header.
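The header rewriting rules given for insert-client-ip (append versus replace) and for request-header-insert and response-header-insert (insert-always, insert-if-not-exist, or the default replacement of the last or first matching header), as an added Python example (not ACOS code). It models headers as an ordered list of (field, value) pairs and assumes, as the X-Forwarded-For example in the table shows, that an appended address is joined to the existing value with a comma and space; the sample headers are constructed.

```python
# Added example (not ACOS code): models the header-rewriting rules the
# reference gives for insert-client-ip (append vs replace) and for
# request-header-insert / response-header-insert (insert-always,
# insert-if-not-exist, or the default replace of the last/first match).
from typing import List, Optional, Tuple

Header = Tuple[str, str]


def insert_client_ip(headers: List[Header], client_ip: str, name: str = "X-Forwarded-For",
                     replace: bool = False) -> List[Header]:
    """Insert the client address; without `replace`, append it to the existing list."""
    out = []
    seen = False
    for field, value in headers:
        if field.lower() == name.lower() and not seen:
            seen = True
            # Assumption: appended addresses are comma separated, as in the
            # "X-Forwarded-For:1.1.1.1, 2.2.2.2" example in the reference.
            out.append((field, client_ip if replace else f"{value}, {client_ip}"))
        else:
            out.append((field, value))
    if not seen:
        out.append((name, client_ip))   # no such header yet: add one
    return out


def header_insert(headers: List[Header], field: str, value: str, mode: Optional[str],
                  default_replaces: str = "last") -> List[Header]:
    """Apply request-header-insert / response-header-insert semantics.

    mode: 'insert-always', 'insert-if-not-exist', or None for the default.
    default_replaces: 'last' for requests, 'first' for responses (per the reference).
    """
    matches = [i for i, (f, _) in enumerate(headers) if f.lower() == field.lower()]
    out = list(headers)
    if mode == "insert-always":
        pos = matches[-1] + 1 if matches else len(out)   # after the existing pair
        out.insert(pos, (field, value))
    elif mode == "insert-if-not-exist":
        if not matches:
            out.append((field, value))
    elif mode is None:
        if matches:
            idx = matches[-1] if default_replaces == "last" else matches[0]
            out[idx] = (field, value)
        else:
            out.append((field, value))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return out


if __name__ == "__main__":
    # Constructed request headers.
    req = [("Host", "example.com"), ("X-Forwarded-For", "1.1.1.1")]
    print(insert_client_ip(req, "2.2.2.2"))
    print(insert_client_ip(req, "2.2.2.2", replace=True))
    print(header_insert(req, "X-Forwarded-Proto", "https", None))
```

The replace variant of insert-client-ip is the one that prevents a client from pre-seeding X-Forwarded-For with an address of its choosing; with the default append, the backend must know to trust only the right-most entry.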
[no] retry-on-5xx num
Configures the ACOS device to retry sending a client’s request to a service port that
replies with an HTTP 5xx status code, and reassign the request to another server if
the first server replies with a 5xx status code. The retry number specifies the number of times the ACOS device is allowed to reassign the request.
For example, assume that a service group has three members (s1, s2, and s3), and
the retry is set to 1. In this case, if s1 replies with a 5xx status code, the ACOS device
reassigns the request to s2. If s2 also responds with a 5xx status code, the ACOS
device will not reassign the request to s3, because the maximum number of retries
has already been used.
If you use this command, the ACOS device stops sending client requests to a service port for 30 seconds following reassignment. If you want the service port to
remain eligible for client requests, use the following command instead. An HTTP
template can contain one or the other of these commands, but not both.
NOTE: The 5xx options are supported only for virtual port types HTTP and HTTPS.
They are not supported for fast-HTTP or any other virtual port type.
[no] retry-on-5xx-per-req num
This command provides the same function as the retry-on-5xx command
(described above). However, the retry-on-5xx-per-req command does not
briefly stop using a service port following reassignment. An HTTP template can
contain one or the other of these commands, but not both.
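The s1/s2/s3 walk-through above, as an added Python simulation (not ACOS code) of both retry commands: a request is reassigned on a 5xx reply up to the configured number of times, and with retry-on-5xx the service port that failed is left out of selection for 30 seconds, whereas retry-on-5xx-per-req does not sideline it. Selection order within the group is simplified to list order, which is an assumption; the responder that fakes server replies is constructed.

```python
# Added example (not ACOS code): walks through the retry-on-5xx and
# retry-on-5xx-per-req behaviour described in the reference, using the
# s1/s2/s3 scenario. Server selection order is simplified to list order.
from typing import Callable, Dict, List, Optional, Tuple

QUARANTINE_SECONDS = 30   # retry-on-5xx stops using a service port for 30 s after reassignment


def dispatch(servers: List[str], responder: Callable[[str], int], retries: int,
             per_req: bool, quarantined: Dict[str, float], now: float) -> Tuple[Optional[str], int]:
    """Send one request, reassigning on a 5xx reply up to `retries` times.

    Returns (server that produced the final answer, its status code).
    `quarantined` maps server -> time until which retry-on-5xx (per_req=False)
    skips it; it is updated in place. With per_req=True nothing is quarantined.
    """
    eligible = [s for s in servers if quarantined.get(s, 0) <= now]
    if not eligible:
        return None, 503                     # every port is sidelined right now
    attempts = 0
    idx = 0
    server = eligible[idx]
    status = responder(server)
    while 500 <= status <= 599 and attempts < retries and idx + 1 < len(eligible):
        if not per_req:
            quarantined[server] = now + QUARANTINE_SECONDS   # service port sidelined
        attempts += 1
        idx += 1
        server = eligible[idx]
        status = responder(server)
    return server, status


if __name__ == "__main__":
    # Constructed responder: s1 and s2 answer 503, s3 answers 200.
    def responder(server: str) -> int:
        return 503 if server in ("s1", "s2") else 200

    servers = ["s1", "s2", "s3"]
    quarantine: Dict[str, float] = {}
    print(dispatch(servers, responder, 1, False, quarantine, 0.0))   # ('s2', 503): retry budget used
    print(dispatch(servers, responder, 1, False, quarantine, 0.0))   # ('s3', 200): s1 sidelined
    print(quarantine)
```

The second call shows the practical difference between the two commands: with retry-on-5xx the failing s1 is skipped for 30 seconds, so the next request reaches s3 within the same retry budget, while retry-on-5xx-per-req keeps re-trying s1 on every request.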
[no] strict-transaction-switch
Forces the ACOS device to perform the server selection process anew for every
HTTP request. Without this option, the ACOS device reselects the same server for
subsequent requests (assuming the same server group is used), unless overridden
by other template options.
[no] template logging template-name
Specifies a logging template to use for external logging of HTTP events over TCP.
page 69 | Document No.: 410-P3-CLI-ADC-001 - 6/24/2016
A10 Thunder Series and AX Series—Command Line Interface Reference for ADC
[no] term-11client-hdrconn-close
Enables the ACOS device to terminate HTTP 1.1 client connections when the “Connection: close” header exists in the HTTP request. This option is applicable to connection-reuse deployments that have HTTP 1.1 clients that are not compliant with
the HTTP 1.1 standard. Without this option, sessions for non-compliant HTTP 1.1
clients are not terminated.
[no] url-hash-persist [offset offset-bytes] {first | last} bytes [use-server-status]
Enables server stickiness based on hash values. If this feature is configured, for each
URL request, the ACOS device calculates a hash value based on part of the URL
string. The ACOS device then selects a real server based on the hash value. A given
hash value always results in selection of the same real server. Thus, requests for a
given URL always go to the same real server.
The offset option specifies how far into the string to begin hash calculation.
The first and last options specify which end of the URL string to use to calculate the hash value.
The bytes option specifies how many bytes to use to calculate the hash value.
Optionally, you can use URL hashing with either URL switching or host switching.
Without URL switching or host switching configured, URL hash switching uses the
hash value to choose a server within the default service group (the one bound to
the virtual port). If URL switching or host switching is configured, for each HTTP
request, the ACOS device first selects a service group based on the URL or host
switching values, then calculates the hash value and uses it to choose a server
within the selected service group.
The use-server-status option enables server load awareness, which allows
servers to act as backups to other servers, based on server load.
NOTE: This feature requires some custom configuration on the server. For information, see the “URL Hash Switching” section in the “HTTP Options for SLB” chapter of
the Application Delivery and Server Load Balancing Guide.
[no] url-switching {starts-with | contains | ends-with | url-case-insensitive | url-hits-enable} url-string service-group service-group-name
Selects a service group based on the URL string requested by the client. The selection overrides the service group configured on the virtual port.
• starts-with – matches only if the URL starts with url-string.
• contains – matches if the url-string appears anywhere within the URL.
• ends-with – matches only if the URL ends with url-string.
• url-case-insensitive – enable case-insensitive matching for URL switching rules.
• url-hits-enable – enable URL hits.
Each URL matching pattern can be up to 64 bytes long.
NOTE: You can use URL switching or Host switching in an HTTP template, but not
both. However, if you need to use both types of switching, you can do so with an
aFleX script.
NOTE: For a list of media type strings, see the Internet Assigned Numbers Authority Web site: http://www.iana.org/assignments/media-types
NOTE: The order in which content-type, exclude-content-type, and exclude-uri filters appear in the configuration does not matter.
Default
The configuration has a default HTTP template. In the template, most options are disabled or
not set.
Compression is disabled by default. When you enable it, it has the default settings described
in the table above.
To display the default HTTP template settings, use the show slb template http
default command.
Mode
Configuration mode
Usage
The normal form of this command creates an HTTP configuration template. The no form of
this command removes the template.
You can bind only one HTTP template to a virtual port. However, you can bind the same
HTTP template to multiple ports.
Header insertion is not supported on fast-HTTP virtual ports.
When the keep-client-alive option is enabled, the way ACOS keeps the session with
the client up depends on the way the server session is terminated:
• Normal TCP/IP connection termination by a TCP RST or FIN – ACOS does not forward
the RST or FIN to the client, and instead leaves the client session open. (Technically, the
session is left in the client-request-state, wherein ACOS awaits the client’s next request.)
• “Connection: Close” header option in the response – ACOS removes this header from
the server reply before forwarding the reply to the client.
• Client is using HTTP 1.0, and did not use the “Connection: Keep-Alive” header option –
ACOS inserts this header into the server reply before forwarding the reply to the client.
Starts-with, Contains, and Ends-with Rule Matching
The starts-with, contains, and ends-with options are always applied in the following
order, regardless of the order in which the commands appear in the configuration. The
service group for the first match is used.
• starts-with
• contains
• ends-with
If a template has more than one command with the same option (starts-with,
contains, or ends-with) and a host name or URL matches on more than one of them, the
most-specific match is always used. For example, if a template has the following commands,
host "ddeeff" will always be directed to service group http-sgf:
slb template http http-host
host-switching starts-with d service-group http-sgd
host-switching starts-with dd service-group http-sge
host-switching starts-with dde service-group http-sgf
If a contains rule and an ends-with rule match on exactly the same string, the ends-with rule is used, because it has the more specific match.
If you use the starts-with option with URL switching, use a slash in front of the URL string.
For example:
url-switching starts-with /urlexample service-group http-sg1
Redirect-Rewrite Rule Matching
If a URL matches on more than one redirect-rewrite rule within the same HTTP template, the
ACOS device selects the rule that has the most specific match to the URL. For example, if a
server sends redirect URL 66.1.1.222/000.html, and the HTTP template has the redirect-rewrite rules shown below, the ACOS device will use the last rule because it is the most
specific match to the URL:
slb template http 1
redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
redirect-rewrite match /000.html rewrite-to /001.gif
redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/003.bmp
Example
The following commands configure an HTTP template called “http-compression” that
enables compression. The minimum length a packet must be for it to be compressed is set at
120 bytes.
ACOS(config)# slb template http http-compression
ACOS(config-http)# compression enable
ACOS(config-http)# compression minimum-content-length 120
Example
The following commands configure an HTTP template called “http-header” that inserts the
client IP address and a Cookie field into HTTP headers in requests from clients before sending
the requests to servers:
ACOS(config)# slb template http http-header
ACOS(config-http)# insert-client-ip
ACOS(config-http)# header-insert Cookie:a = b
Example
The following commands configure an HTTP template called “http-host” that selects a service group based on the contents of the Host field in the HTTP headers of client requests.
Requests for hostnames that start with “Gossip” are directed to service group “http-sg1”.
Requests for hostnames that contain “NewsDeskA” are directed to service group “http-sg2”.
Requests for hostnames that end with “weather.com” are directed to service group “http-sg3”.
ACOS(config)# slb template http http-host
ACOS(config-http)# host-switching starts-with Gossip service-group http-sg1
ACOS(config-http)# host-switching contains NewsDeskA service-group http-sg2
ACOS(config-http)# host-switching ends-with weather.com service-group http-sg3
Example
The following commands configure an HTTP template to use URL hashing. Hash values will
be calculated based on the last 8 bytes of the URL. In this example, URL switching is also configured in the template. As a result, the ACOS device uses URL switching to select a service
group first, then uses URL hashing to select a server within that service group. If the template
did not also contain URL switching commands, this template would always select a server
from service group sg3.
ACOS(config)# slb template http hash
ACOS(config-http)# url-hash-switching last 8
ACOS(config-http)# url-switching starts-with /news service-group sg1
ACOS(config-http)# url-switching starts-with /sports service-group sg2
ACOS(config-http)# exit
ACOS(config)# slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# service-group sg3
ACOS(config-slb vserver-vport)# template http hash
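To make the url-hash-persist selection described in the command table concrete, the following Python model is added here; it is not ACOS code and is not taken from A10 documentation. The hash function (SHA-256 truncated to 64 bits) and the way offset combines with first/last (offset skips bytes from the start of the URL, then first/last takes bytes from that end of what remains) are assumptions, because the page states neither. The use-server-status option is modelled as skipping a member marked down so that the next member in order serves as its backup.

```python
import hashlib
from typing import Dict, List, Optional


def url_hash_key(url: str, end: str, nbytes: int, offset: int = 0) -> bytes:
    """Return the part of the URL string that feeds the hash.

    end    -- "first" or "last", the CLI keywords.
    nbytes -- how many bytes to hash (the CLI's `bytes` argument).
    offset -- bytes skipped from the start of the URL before the slice is taken
              (assumption: the page says only "how far into the string to begin").
    """
    if nbytes <= 0:
        raise ValueError("bytes must be a positive number")
    data = url.encode("utf-8")[offset:]
    if end == "first":
        return data[:nbytes]
    if end == "last":
        return data[-nbytes:]
    raise ValueError("end must be 'first' or 'last'")


def select_server(url: str, servers: List[str], end: str, nbytes: int,
                  offset: int = 0,
                  status: Optional[Dict[str, bool]] = None) -> Optional[str]:
    """Pick the real server for a URL.

    A given hash value always lands on the same server, so two URLs whose hashed
    slice is identical are sent to the same server.  When `status` is supplied
    (the use-server-status option), a server marked False is treated as down and
    the next server in list order acts as its backup.
    """
    if not servers:
        raise ValueError("no servers in service group")
    digest = hashlib.sha256(url_hash_key(url, end, nbytes, offset)).digest()
    start = int.from_bytes(digest[:8], "big") % len(servers)   # assumed hash
    for step in range(len(servers)):
        candidate = servers[(start + step) % len(servers)]
        if status is None or status.get(candidate, True):
            return candidate
    return None  # every member of the group is down


if __name__ == "__main__":
    # Constructed sample: a service group with three members, hashing the last 8 bytes
    # of the URL as in the "url-hash-switching last 8" example above.
    group = ["s1", "s2", "s3"]
    for path in ("/news/article-2016.html", "/sports/scores-2016.html"):
        print(path, "->", select_server(path, group, "last", 8))
```

Two URLs that end in the same 8 bytes land on the same member, which is the stickiness the command provides; it also shows why a short hashed slice spreads load unevenly when many URLs share a common suffix such as ".html".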
Example
The following commands configure an HTTP template called “http-compress”, that uses
compression level 5 to compress files with media type “application” or “image”. Files with
media type “application/zip” are explicitly excluded from compression.
ACOS(config)# slb template http http-compress
ACOS(config-http)# compression enable
ACOS(config-http)# compression level 5
ACOS(config-http)# compression content-type image
ACOS(config-http)# compression exclude-content-type application/zip
Example
The following commands configure an HTTP template that replaces the client IP addresses in
the X-Forwarded-For field with the current client IP address:
ACOS(config)# slb template http clientip-replace
ACOS(config-http)# insert-client-ip X-Forwarded-For replace
slb template http-policy
Description
Configure an HTTP-policy template to override WAF template application for different types
of client traffic.
Syntax
[no] slb template http-policy template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB HTTP-Policy Template Configuration mode where the
following commands are available.
Command
Description
[no] cookie match-option cookie-value template waf-template-name
Matches based on cookie values. For descriptions of the other options, see
below.
[no] cookie-name match-option cookie-name template waf-template-name
Matches based on cookie names. For descriptions of the other options, see
below.
[no] geo-location string {service-group group-name [template waf template-name] | template waf template-name [service-group group-name]}
Matches the traffic source based on its geo-location.
[no] host match-option host-name template waf-template-name
Matches based on host names. For descriptions of the other options, see below.
[no] url match-option url-string template waf-template-name
Matches based on URL strings. For descriptions of the other options, see below.
match-option
Type of matching to perform:
• equals – Matches only if the URL, hostname, or cookie name completely
matches the specified string.
• starts-with – Matches only if the URL, hostname, or cookie name starts
with the specified string.
• contains – Matches if the specified string appears anywhere within the
URL, hostname, or cookie name.
• ends-with – Matches only if the URL, hostname, or cookie name ends with
the specified string.
Usage
These match options are always applied in the order shown above, regardless of the order in
which the rules appear in the configuration. The WAF template associated with the rule that
matches first is used.
If a template has more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a URL matches on more than one of them, the most-specific
match is always used.
For more information, see the Web Application Firewall Guide.
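The rule-ordering behaviour in this Usage section is the same one described for host-switching and url-switching in the slb template http command (starts-with, then contains, then ends-with, with the most specific match winning within one option, and an ends-with rule beating a contains rule on the identical string). The following Python matcher is added here to cover both; it is not ACOS code. Treating "most specific" as "longest matching pattern" is an assumption, consistent with the d / dd / dde host-switching example on this page; the targets are service group names for switching rules and WAF template names for http-policy rules.

```python
from dataclasses import dataclass
from typing import List, Optional

# Evaluation order given on the page, regardless of configuration order.
# host-switching and url-switching use the last three options; the
# http-policy template's match-option adds "equals" at the front.
MATCH_ORDER = ("equals", "starts-with", "contains", "ends-with")


@dataclass(frozen=True)
class Rule:
    option: str                      # one of MATCH_ORDER
    pattern: str                     # the configured string (up to 64 bytes for url-switching)
    target: str                      # service group name, or WAF template name for http-policy
    case_insensitive: bool = False   # the url-case-insensitive flag


def rule_matches(rule: Rule, subject: str) -> bool:
    """Does this single rule match the host, URL or cookie name?"""
    s, p = subject, rule.pattern
    if rule.case_insensitive:
        s, p = s.lower(), p.lower()
    if rule.option == "equals":
        return s == p
    if rule.option == "starts-with":
        return s.startswith(p)
    if rule.option == "contains":
        return p in s
    if rule.option == "ends-with":
        return s.endswith(p)
    raise ValueError(f"unknown match option {rule.option!r}")


def select_target(rules: List[Rule], subject: str) -> Optional[str]:
    """Return the target of the winning rule, or None when nothing matches.

    Options are tried in MATCH_ORDER; the first option with a hit decides.
    Within one option the most specific rule wins, taken here to be the
    longest matching pattern (assumption).
    """
    for option in MATCH_ORDER:
        hits = [r for r in rules if r.option == option and rule_matches(r, subject)]
        if not hits:
            continue
        best = max(hits, key=lambda r: len(r.pattern))
        if option == "contains":
            # The page's stated exception: an ends-with rule on exactly the
            # same string beats the contains rule, being the more specific match.
            for r in rules:
                if (r.option == "ends-with" and r.pattern == best.pattern
                        and rule_matches(r, subject)):
                    return r.target
        return best.target
    return None


# Constructed rule set mirroring the host-switching example in slb template http.
HOST_RULES = [
    Rule("starts-with", "d", "http-sgd"),
    Rule("starts-with", "dd", "http-sge"),
    Rule("starts-with", "dde", "http-sgf"),
]

if __name__ == "__main__":
    print(select_target(HOST_RULES, "ddeeff"))   # http-sgf
```

Because evaluation order is fixed by option rather than by configuration order, a broad ends-with rule can never shadow a narrower starts-with rule, whichever was entered first; when reviewing a template that routes some paths to a stricter WAF template, check the equals and starts-with rules before the contains and ends-with ones.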
slb template imap-pop3
Description
Configure an IMAP/POP3 template.
Syntax
[no] slb template imap-pop3 template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB IMAP Template Configuration mode where the following
commands are available:
Command
Description
logindisabled
When used, the server will expect the login to be in an encrypted
format.
This option is only valid for IMAP configuration.
starttls {disabled | optional | enforced}
Configure whether or not STARTTLS is used.
• disabled – the ACOS device will not support STARTTLS.
• optional – the ACOS device will not expect STARTTLS and can function without using SSL.
• enforced – for IMAP, only the CAPABILITY command can precede STARTTLS; all other commands are rejected. For POP3, no commands are allowed before STARTTLS; all commands are rejected.
Default
The configuration does not have a default IMAP/POP3 template.
Mode
Configuration mode
Example
The following example configures an IMAP template with STARTTLS enforced, then applies
the template to a virtual port:
ACOS(config)# slb template imap-pop3 imap-temp
ACOS(config-imap-pop3)# logindisabled
ACOS(config-imap-pop3)# starttls enforced
ACOS(config-imap-pop3)# exit
ACOS(config)# slb virtual-server imap-vserver
ACOS(config-slb vserver)# port 143 imap
ACOS(config-slb vserver-vport)# template imap-pop3 imap-temp
slb template logging
Description
Configure external logging over TCP.
Syntax
[no] slb template logging template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB Logging Template Configuration mode where the following
commands are available.
Command
Description
[no] format string
Configures a log string. For syntax information, see the Application Delivery and
Server Load Balancing Guide.
[no] local-logging {0 | 1}
Enables or disables local logging:
• 0 – Disables local logging.
• 1 – Enables local logging.
The default is 0 (disabled).
[no] pcre-mask pattern [keep-end num | keep-start num | mask char]
Mask matched Perl Compatible Regular Expression (PCRE) pattern in the log.
• Use keep-end to specify the number of unmasked characters to keep at the
end (0-65535); the default is 0.
• Use keep-start to specify the number of unmasked characters to keep at
the start (0-65535); the default is 0.
• Use mask to specify a character to use as the mask for the matched pattern; the
default is “X”.
[no] service-group group-name
For remote logging, specifies the name of the service group that contains the log
servers.
[no] template tcp-proxy template-name
Binds a TCP-proxy template to the logging template.
Default
The configuration does not have a default logging template.
Mode
Configuration mode
Usage
Logging over TCP also requires some additional configuration. See the Application Delivery
and Server Load Balancing Guide.
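The pcre-mask option in the table above masks sensitive values before a log line leaves the device. The following Python function is added here to show what keep-start, keep-end and mask do to a match; it is not ACOS code. Python's re module stands in for PCRE (an assumption; the patterns used here behave the same in both), and the log lines are constructed samples.

```python
import re
from typing import List

DEFAULT_MASK = "X"          # the page's default mask character
KEEP_MAX = 65535            # upper bound for keep-start / keep-end


def pcre_mask(log_line: str, pattern: str, keep_start: int = 0,
              keep_end: int = 0, mask: str = DEFAULT_MASK) -> str:
    """Mask every match of `pattern` in one log line.

    keep_start / keep_end characters at each end of the match stay visible
    (both default to 0, so the whole match is masked).  Python's `re` stands
    in for PCRE here (assumption).
    """
    if len(mask) != 1:
        raise ValueError("mask must be exactly one character")
    for v in (keep_start, keep_end):
        if not 0 <= v <= KEEP_MAX:
            raise ValueError("keep-start and keep-end must be within 0-65535")

    def _replace(m: "re.Match[str]") -> str:
        text = m.group(0)
        hidden = len(text) - keep_start - keep_end
        if hidden <= 0:          # kept ends cover the whole match: nothing to hide
            return text
        return text[:keep_start] + mask * hidden + text[len(text) - keep_end:]

    return re.sub(pattern, _replace, log_line)


def mask_lines(lines: List[str], pattern: str, **options) -> List[str]:
    """Apply pcre_mask to a batch of log lines with the same options."""
    return [pcre_mask(line, pattern, **options) for line in lines]


# Constructed sample log lines (not captured from any real device).
SAMPLE_LOG = [
    "GET /checkout?card=4111111111111111 HTTP/1.1",
    "POST /login user=alice@example.com HTTP/1.1",
]

if __name__ == "__main__":
    # Keep the last four digits of a 16-digit number, mask the rest with X.
    for line in mask_lines(SAMPLE_LOG, r"\d{16}", keep_end=4):
        print(line)
```

Note the edge case handled in _replace: when keep-start plus keep-end is at least as long as the match, nothing is hidden, so a generous keep value on a short pattern silently leaves the value in the clear. Test a mask rule against the shortest value the pattern can match before relying on it.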
slb template monitor
Description
Configure a link monitoring template.
Syntax
[no] slb template monitor num
Replace num with the identification number of the template. This can be a number from
1 to 16.
This command enters the SLB Monitor Template Configuration mode where the following
commands are available.
Command
Description
[no] action options
Specifies the action to perform when a monitored event is detected.
• clear sessions {all | sequence portnum}
• link-disable eth portnum sequence portnum
• link-enable eth portnum sequence portnum
[no] monitor options
Specifies the events and links (Ethernet data ports) to monitor.
• link-down eth portnum [eth portnum ...] sequence portnum
• link-up eth portnum [eth portnum ...] sequence portnum
[no] monitor-and
Uses the logical operator “AND” for link monitoring. The actions are
performed only if all of the monitored events are detected. This is
selected by default.
[no] monitor-or
Uses the logical operator “OR”. The actions are performed if any of the
monitored events are detected.
Default
The ports within a given monitor entry are always ANDed. If you specify more than one port
(eth portnum option) in the same monitor entry, the specified event must occur on all the
ports in the entry. For example, if you specify link-down eth 9 eth 11, the link must go down
on ports 9 and 11, for the link-state changes to count as a monitored event.
Mode
Configuration mode
Usage
The logical operator applies only to monitor entries, not to action entries. For example, if the
logical operator is OR, and at least one of the monitored events occurs, all the actions configured in the template are applied.
You can configure the entries in any order. In the configuration, the entries of each type are
ordered based on sequence number.
Example
The following commands configure monitor template 1:
ACOS(config)#slb template monitor 1
ACOS(config-monitor)#monitor-or
ACOS(config-monitor)#monitor link-down eth 5 sequence 1
ACOS(config-monitor)#monitor link-down eth 6 sequence 2
ACOS(config-monitor)#monitor link-down eth 9 sequence 3
ACOS(config-monitor)#monitor link-down eth 10 sequence 4
ACOS(config-monitor)#action clear sessions sequence 1
ACOS(config-monitor)#action link-disable eth 5 sequence 2
ACOS(config-monitor)#action link-disable eth 6 sequence 3
ACOS(config-monitor)#action link-disable eth 9 sequence 4
ACOS(config-monitor)#action link-disable eth 10 sequence 5
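The Default and Usage sections above state three rules: ports within one monitor entry are always ANDed, monitor-and / monitor-or joins the entries, and once the condition holds every configured action runs. The following Python evaluator is added here to show those rules together on the monitor template 1 example; it is not ACOS code, and the entries and actions are constructed from that example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class MonitorEntry:
    event: str                # "link-down" or "link-up"
    ports: FrozenSet[int]     # every port listed in one entry is ANDed
    sequence: int


@dataclass(frozen=True)
class Action:
    text: str                 # e.g. "clear sessions", "link-disable eth 5"
    sequence: int


def entry_detected(entry: MonitorEntry, down_ports: Set[int]) -> bool:
    """True when the event has occurred on all ports of the entry."""
    if entry.event == "link-down":
        return entry.ports <= down_ports
    if entry.event == "link-up":
        return entry.ports.isdisjoint(down_ports)
    raise ValueError(f"unknown event {entry.event!r}")


def actions_to_run(entries: Iterable[MonitorEntry], actions: Iterable[Action],
                   down_ports: Set[int], operator: str = "monitor-and") -> List[str]:
    """Return the action texts to perform, in sequence order.

    The operator joins monitor entries only: with monitor-and every entry must
    be detected, with monitor-or one is enough.  Once the condition holds, all
    actions run; the operator never filters actions.
    """
    ordered = sorted(entries, key=lambda e: e.sequence)
    if not ordered:
        return []
    detected = [entry_detected(e, down_ports) for e in ordered]
    if operator == "monitor-and":
        triggered = all(detected)
    elif operator == "monitor-or":
        triggered = any(detected)
    else:
        raise ValueError(f"unknown operator {operator!r}")
    if not triggered:
        return []
    return [a.text for a in sorted(actions, key=lambda a: a.sequence)]


# Constructed from the "monitor template 1" example above.
TEMPLATE1_ENTRIES = [MonitorEntry("link-down", frozenset({p}), i + 1)
                     for i, p in enumerate((5, 6, 9, 10))]
TEMPLATE1_ACTIONS = [Action("clear sessions", 1)] + [
    Action(f"link-disable eth {p}", i + 2) for i, p in enumerate((5, 6, 9, 10))]

if __name__ == "__main__":
    # With monitor-or, a single failed link is enough to disable all four ports.
    print(actions_to_run(TEMPLATE1_ENTRIES, TEMPLATE1_ACTIONS, {9}, "monitor-or"))
```

The example makes the operational consequence visible: with monitor-or, one port going down disables all four monitored ports and clears sessions, which is the intended fail-over behaviour but also means a single flapping link can take the whole group out of service.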
slb template persist cookie
Description
Configure session persistence by inserting persistence cookies into server replies to clients.
Syntax
[no] slb template persist cookie template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB Persist Cookie Template Configuration mode where the
following commands are available.
Command
Description
[no] domain domain-name
Adds the specified domain name to the cookie.
[no] dont-honor-conn-rules
Ignores connection limit settings configured on real servers and real ports. This
option is useful for applications in which multiple sessions (connections) are likely
to be used for the same persistent cookie.
By default, this is disabled; the connection limit set on real servers and real ports is
used.
[no] expire expire-seconds
Specifies the number of seconds a cookie persists on a client’s PC before being
deleted by the client’s browser. You can specify from 0 to 31,536,000 seconds (one
year). (Do not enter the commas.) If you specify 0, cookies persist only for the current session.
The default value is 10 years.
NOTE: Although the default is 10 years (essentially, unlimited), the maximum
configurable expiration is one year.
[no] httpOnly
Sets the HTTP-only flag in the persistence cookie.
[no] insert-always
Specifies whether to insert a new persistence cookie in every reply, even if the
request already had a persistence cookie previously inserted by the ACOS device.
This is disabled by default; the ACOS device inserts a persistence cookie only if the
client request does not already contain a persistence cookie inserted by the ACOS
device, or if the server referenced by the cookie is unavailable.
[no] match-type {server [service-group] | service-group} [scan-all-members]
Changes the granularity of cookie persistence.
• server – The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client for the same VIP are sent
to the same real server. (This assumes that all virtual ports of the VIP use the
same cookie persistence template with match-type set to server.)
Without this option, the default behavior is used: subsequent requests from
the client will be sent to the same real port on the same real server.
• server service-group – Sets the granularity to the same as server, and
also enables cookie persistence to be used along with URL switching or host
switching. Without the service-group option, URL switching or host switching can be used only for the initial request from the client. After the initial
request, subsequent requests are always sent to the same service group.
• service-group – This option enables support for URL switching and host
switching, along with the default cookie persistence behavior.
• scan-all-members – This option scans all members bound to the template.
This option is useful in configurations where match-type “server” is used, and
where some members have different priorities or are disabled. (For more information about this option, see the “Scan-All-Members Option in Persistence
Templates” chapter in the Application Delivery and Server Load Balancing Guide.)
NOTE: To use URL switching or host switching, you also must configure an HTTP
template with the host-switching or url-switching command.
The default match type is port. (There is no port keyword. See “Usage” for more
information.)
[no] name cookie-name
Specifies the name of the persistence cookie, 1-63 characters.
The default name is “sto-id”.
[no] pass-thru
Enables pass-through mode for passive cookie persistence.
This is disabled by default.
[no] path path-name
Adds path information to the cookie, 1-31 characters.
The default path is “/”.
[no] secure
Sets the Secure attribute in the persistence cookie.
Default
The configuration does not have a default cookie-persistence template. If you create one, it
has the defaults described in the table above.
Mode
Configuration mode
Usage
The normal form of this command creates a cookie-persistence template. The no form of this
command removes the template.
You can bind only one cookie-persistence template to a virtual port. However, you can bind
the same cookie-persistence template to multiple ports.
When cookie persistence is configured, the ACOS device adds a persistence cookie to the
server reply before sending the reply to the client. The client’s browser re-inserts the cookie
into each request.
NOTE:
For security, address information in the cookie is encrypted.
The format of the cookie depends on the match-type setting:
• match-type (port) – This is the default setting. Subsequent requests from the client will be sent to the same real port on the same real server. URL switching or host
switching can be used only for the first request.
The cookie that the ACOS device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport=rserverIP_rport
The vport is the virtual port number. The rserverIP is the real server IP address and the
rport is the real server port number.
NOTE:
The port option is shown in parentheses because the CLI does not have a “port”
keyword. If you do not set the match type to server (see below), the match type is
automatically “port”.
• match-type server – Subsequent requests from the client for the same VIP will be
sent to the same real server, provided that all virtual ports of the VIP use the same
cookie persistence template with match-type set to server. URL switching or host
switching can be used only for the first request.
The cookie that the ACOS device inserts into the server reply has the following format:
Set-Cookie: cookiename=rserverIP
• match-type (port) service-group – Subsequent requests from the client will
be sent to the same real port on the same real server, within the service group selected
by URL switching or host switching. URL switching or host switching, if configured, is
still used for every request.
The cookie that the ACOS device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport
• match-type server service-group – Subsequent requests from the client for
the same VIP will be sent to the same real server, within the service group selected by
URL switching or host switching. URL switching or host switching, if configured, is still
used for every request.
The cookie that the ACOS device inserts into the server reply has the following format:
Set-Cookie: cookiename-servicegroupname=rserverIP
Example
The following commands configure a cookie persistence template named “persist-cookie”.
The template inserts a cookie named “MyCookie”, containing the real server’s IP address and
protocol port in encrypted form, into server responses before sending the responses to clients. The template also sets the cookie to persist on client PCs for only 10 minutes (600 seconds).
ACOS(config)#slb template persist cookie persist-cookie
ACOS(config-cookie persist)#name MyCookie
ACOS(config-cookie persist)#expire 600
slb template persist destination-ip
Description
Configure the granularity of load balancing persistence (selection of the same server
resources) for clients, based on destination IP address.
Syntax
[no] slb template persist destination-ip template-name
Replace template-name with the name of the template, 1-31 characters.
This command enters the SLB Persist Destination-IP Template Configuration mode where
the following commands are available.
Command
Description
[no] dont-honor-conn-rules
Ignores connection limit settings configured on real servers and real ports. This
option is useful for applications in which multiple sessions (connections) are likely to
be used for the same persistent destination IP address.
This is disabled by default; the connection limit set on real servers and real ports is
used.
[no] hash-persist
Enables hash-based persistence. Hash-based persistence provides the persistence
and performance benefits of hash-based load balancing, while allowing use of
advanced SLB features that require stateful load balancing.
(For more information, see “Hash-based IP Persistence” in the Application Delivery and
Server Load Balancing Guide.)
This is disabled by default.
[no] match-type {server | service-group} [scan-all-members]
Specifies the granularity of persistence:
• server – Traffic to a given destination IP address is always sent to the same real
server, for any service port.
By default (without the server option), traffic to the same destination IP address
and virtual port is always sent to the same real port. This is the most granular setting.
• service-group – This option is applicable if you also plan to use URL switching or host switching. If you use the service-group option, URL or host switching is used for every request to select a service group. The first time URL or host
switching selects a given service group, the load-balancing method is used to
select a real port within the service group. The next time URL or host switching
selects the same service group, the same real port is used. Thus, service group
selection is performed for every request, but once a service group is selected for a
request, the request goes to the same real port that was selected the first time that
service group was selected.
• scan-all-members – This option scans all members bound to the template.
This option is useful in configurations where match-type “server” is used, and
where some members have different priorities or are disabled. (For more information about this option, see the “Scan-All-Members Option in Persistence Templates” chapter in the Application Delivery and Server Load Balancing Guide.)
To use URL switching or host switching, you also must configure an HTTP template
with the host-switching or url-switching command.
For SLB, by default, traffic to a given destination IP address and port is always sent to
the same real port. This is the most granular setting. (There is no port keyword.)
[no] netmask ipaddr
Specifies the granularity of IPv4 address hashing for initial server port selection.
You can specify an IPv4 network mask in dotted decimal notation.
• To configure initial server port selection to occur once per destination VIP subnet,
configure the network mask to indicate the subnet length. For example, to select a
server port once for all requested VIPs within a subnet such as 10.10.10.x,
192.168.1.x, and so on (“class C” subnets), use mask 255.255.255.0. SLB selects a
server port for the first request to the given VIP subnet, then sends all other requests
for the same VIP subnet to the same port.
• To configure initial server port selection to occur independently for each requested
VIP, use mask 255.255.255.255. (This is the default.)
[no] netmask6 mask-length
Specifies the granularity of IPv6 address hashing for initial server port selection. (See
above for more information.)
The default is 128.
[no] timeout timeout-minutes
Specifies how many minutes the mapping remains persistent after the last time it is
used. You can specify 1-2000 minutes.
The default is 5 minutes.
Default
The configuration does not have a default destination-IP persistence template. If you configure one, it has the defaults specified in the table above.
Mode
Configuration mode
Usage
The normal form of this command creates a destination-IP persistence template. The “no”
form of this command removes the template.
You can bind only one destination-IP persistence template to a virtual port. However, you
can bind the same destination-IP persistence template to multiple ports.
Use of the service-group match-type option scan-all-members is not useful in
conjunction with destination-IP persistence templates, and is not supported.
Example
The following command creates a destination-IP persistence template named “persist-dest”:
ACOS(config)#slb template persist destination-ip persist-dest
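The netmask, netmask6 and timeout options in the table above decide when two requests share a persistence mapping. The following Python model is added here to show that behaviour at the default "port" granularity; it is not ACOS code. The real port choice made by the load-balancing method is represented by a caller-supplied picker, and the table keyed on masked address plus virtual port is a modelling assumption.

```python
import ipaddress
from typing import Callable, Dict, Tuple


class SequentialPicker:
    """Stand-in for the load-balancing method: hands out rp1, rp2, ... in turn."""

    def __init__(self) -> None:
        self.count = 0

    def __call__(self) -> str:
        self.count += 1
        return f"rp{self.count}"


class DestinationIpPersistence:
    """Persistence table keyed by masked destination IP and virtual port.

    netmask  -- IPv4 mask in dotted decimal (default 255.255.255.255, per VIP)
    netmask6 -- IPv6 prefix length (default 128)
    timeout  -- minutes since the mapping was last used (1-2000, default 5)
    """

    def __init__(self, netmask: str = "255.255.255.255", netmask6: int = 128,
                 timeout_minutes: int = 5) -> None:
        if not 1 <= timeout_minutes <= 2000:
            raise ValueError("timeout must be 1-2000 minutes")
        self.v4_prefix = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
        self.v6_prefix = int(netmask6)
        self.timeout_seconds = timeout_minutes * 60
        self._table: Dict[Tuple[str, int], Tuple[str, float]] = {}

    def key(self, dst_ip: str, vport: int) -> Tuple[str, int]:
        """Masked destination address plus virtual port (the default granularity)."""
        ip = ipaddress.ip_address(dst_ip)
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net.network_address), vport)

    def lookup(self, dst_ip: str, vport: int, now: float,
               choose: Callable[[], str]) -> str:
        """Return the real port for this request, creating or refreshing the mapping."""
        k = self.key(dst_ip, vport)
        entry = self._table.get(k)
        if entry is not None and now - entry[1] <= self.timeout_seconds:
            real_port = entry[0]           # still persistent: reuse it
        else:
            real_port = choose()           # expired or new: load-balance again
        self._table[k] = (real_port, now)  # every use refreshes the timer
        return real_port


if __name__ == "__main__":
    # Constructed walk-through: "class C" granularity, two VIPs in 10.10.10.x.
    table = DestinationIpPersistence("255.255.255.0")
    pick = SequentialPicker()
    print(table.lookup("10.10.10.1", 80, 0.0, pick))     # first request: rp1
    print(table.lookup("10.10.10.200", 80, 60.0, pick))  # same subnet: rp1 again
```

Because the timer is refreshed on every use, a subnet that receives steady traffic never re-balances; that is the intended stickiness, but it also means a 255.255.255.0 mask pins an entire VIP subnet to one real port for as long as any VIP in it stays busy.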
slb template persist source-ip
Description
Configure the granularity of load balancing persistence (selection of the same server
resources) for clients, based on source IP address.
Syntax
[no] slb template persist source-ip template-name
Replace template-name with the name of the template, 1-31 characters.
This command enters the SLB Persist Source-IP Template Configuration mode where the
following commands are available.
Command
Description
[no] dont-honor-conn-rules
Ignores connection limit settings configured on real servers and real ports. This
option is useful for applications in which multiple sessions (connections) are likely
to be used for the same persistent client source IP address.
This is disabled by default; the connection limit set on real servers and real ports is
used.
[no] enforce-higher-priority
Enables Source-IP Persistence Override and Reselect. When this feature is enabled,
the ACOS device continually checks for the presence of higher-priority servers,
even if source-IP persistence is enabled and sessions are already established
between client and server.
[no] hash-persist
Enables hash-based persistence. Hash-based persistence provides the persistence
and performance benefits of hash-based load balancing, while allowing use of
advanced SLB features that require stateful load balancing.
This is disabled by default.
[no] incl-dst-ip
Used to support the ALG protocol firewall load balancing feature for protocols such
as FTP. This option helps ensure that special persistent session will be matched on
both the source IP and destination IP addresses.
[no] incl-sport
Includes the source port in persistent sessions.
This is disabled by default.
[no] match-type {server [scan-all-members] | service-group}
Specifies the granularity of persistence:
• server – Traffic from a given client to the same VIP is always sent to the same
real server, for any service port requested by the client.
By default (without the server option), traffic from a given client to the same
virtual port is always sent to the same real port. This is the most granular setting.
• The scan-all-members option scans all members bound to the template. This
option is useful in configurations where match-type “server” is used, and where
some members have different priorities or are disabled.
• service-group – This option is applicable if you also plan to use URL switching or host switching. If you use the service-group option, URL or host
switching is used for every request to select a service group. The first time URL or
host switching selects a given service group, the load-balancing method is used
to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service
group selection is performed for every request, but once a service group is
selected for a request, the request goes to the same real port that was selected
the first time that service group was selected.
NOTE: To use URL switching or host switching, you also must configure an HTTP
template with the host-switching or url-switching command.
NOTE: The match type for FWLB is always server, which sets the granularity of
source-IP persistence to individual firewalls, not firewall groups or individual service
ports.
For SLB, by default, traffic from a given client to the same virtual port is always sent
to the same real port. This is the most granular setting. (There is no port keyword.)
For FWLB, the default is server and none of the other match-type options are
applicable.
[no] netmask ipaddr
Specifies the granularity of IP address hashing for server port selection.
• To configure server port selection to occur on a per-subnet basis, configure the
network mask to indicate the subnet length. For example, to send all clients
within a subnet such as 10.10.10.x, 192.168.1.x, and so on ("class C" subnets) to
the same server port, use mask 255.255.255.0. SLB selects a server port for the
first client in a given subnet, then sends all other clients in the same subnet to the
same port.
• To configure server port selection to occur on a per-client basis, use mask
255.255.255.255. SLB selects a server port for the first request from a given client,
then sends all other requests from the same client to the same port. (This is the
default.)
The default is 255.255.255.255.
[no] netmask6 mask-length
Specifies the granularity of IPv6 address hashing for initial server port selection.
(See above for more information.)
The default is 128.
[no] timeout minutes
Specifies how many minutes the mapping remains persistent after the last time
traffic from the client is sent to the server. You can specify 1-2000 minutes (about 33
hours).
NOTE: The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP persistence template is set to 1 minute. If the timeout is set to 1
minute, sessions will always age out after 1 minute, even if they are active.
The default timeout is 5 minutes.
Default
The configuration does not have a default source-IP persistence template. If you configure
one, it has the defaults described in the table above.
Mode
Configuration mode
Usage
The normal form of this command creates a source-IP persistence template. The “no” form of
this command removes the template.
You can bind only one source-IP persistence template to a virtual port. However, you can
bind the same source-IP persistence template to multiple ports.
The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP
persistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always
age out after 1 minute, even if they are active.
If you use the incl-sport option, the IP address in the Forward Source column of show
session output is modified to include the source port. For example, "155.1.1.151:33067" is
shown as "1.151.129.43": the low two octets of the address (1.151) are followed by the high
and low bytes of the port (33067 = 0x812B, that is, 129.43).
Using the Same VIP and Port Number for TCP and UDP Ports
If you apply the source-IP persistence template to two virtual ports that have the same VIP
and protocol port number but different Layer 4 protocols (TCP or UDP), the member lists for
the ports must be identical in both the TCP and UDP service groups.
For example, the following configuration will work because service groups 5060-tcp and
5060-udp have the same member list although their protocols are different.
slb virtual-server vip2 13.0.0.100
port 5060 sip-tcp
service-group 5060-tcp
template persist source-ip per-sip
port 5060 sip
service-group 5060-udp
template persist source-ip per-sip
!
slb service-group 5060-tcp tcp
member s1 5060
member s2 5060
!
slb service-group 5060-udp udp
member s1 5060
member s2 5060
The configuration will not work if the member lists in the service groups are different. For
example, the configuration will not work if the TCP group's member list is changed to either
of the following:
slb service-group 5060-tcp tcp
member s3 5060
member s4 5060
or
slb service-group 5060-tcp tcp
member s1 5061
member s2 5061
Example
The following commands configure a source-IP persistence template named “persist-source”
and set the granularity to service-group:
ACOS(config)#slb template persist source-ip persist-source
ACOS(config-source ip persist)#match-type service-group
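The following Python model is an added example, not ACOS code: it reproduces the behaviour the source-IP persistence template options describe (netmask and netmask6 granularity, incl-sport, the idle timeout, the 1-minute timeout caveat, and the way show session renders an IPv4 "address:port" when incl-sport is set). Selecting a real port for a new key uses round-robin as a stand-in for the service group's load-balancing method; the real port names and client addresses are constructed for the example.

```python
"""Model of ACOS source-IP persistence: key derivation and table aging.

Added example, not ACOS code. Round-robin stands in for the service
group's load-balancing method; server names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SourceIpPersistTemplate:
    netmask: str = "255.255.255.255"  # IPv4 hashing granularity (default: per client)
    netmask6: int = 128               # IPv6 prefix length (default: per client)
    incl_sport: bool = False          # include the client source port in the key
    timeout_min: int = 5              # idle timeout in minutes, 1-2000 (default 5)


def persist_key(tmpl: SourceIpPersistTemplate, client_ip: str,
                client_port: Optional[int] = None) -> str:
    """Return the persistence-table key for a client: the masked address,
    plus ":port" when incl-sport is configured."""
    addr = ipaddress.ip_address(client_ip)
    prefix = tmpl.netmask if addr.version == 4 else tmpl.netmask6
    # strict=False lets host bits through; the network address is the key.
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    key = str(network.network_address)
    if tmpl.incl_sport:
        if client_port is None:
            raise ValueError("incl-sport is set, so the client source port is required")
        key = f"{key}:{client_port}"
    return key


def forward_source_display(client_ip: str, client_port: int) -> str:
    """Render an IPv4 Forward Source the way show session does with incl-sport:
    the last two address octets, then the port's high and low bytes."""
    octets = client_ip.split(".")
    return f"{octets[2]}.{octets[3]}.{client_port >> 8}.{client_port & 0xFF}"


class PersistTable:
    """Key -> real port mappings, aged according to the template timeout."""

    def __init__(self, tmpl: SourceIpPersistTemplate, real_ports: List[str]):
        self.tmpl = tmpl
        self.real_ports = real_ports
        # key -> (real port, created at, last traffic at), times in seconds
        self.entries: Dict[str, Tuple[str, float, float]] = {}
        self._rr = 0

    def _expired(self, created: float, last_seen: float, now: float) -> bool:
        limit = self.tmpl.timeout_min * 60
        if self.tmpl.timeout_min == 1:
            # Documented caveat: with a 1-minute timeout the timer is not
            # refreshed by traffic, so the entry ages out 1 minute after creation.
            return now - created >= limit
        return now - last_seen >= limit

    def select(self, client_ip: str, now: float,
               client_port: Optional[int] = None) -> Tuple[str, bool]:
        """Return (real port, hit); hit is True when an unexpired mapping was reused."""
        key = persist_key(self.tmpl, client_ip, client_port)
        entry = self.entries.get(key)
        if entry is not None and not self._expired(entry[1], entry[2], now):
            real, created, _ = entry
            self.entries[key] = (real, created, now)  # traffic restarts the idle timer
            return real, True
        # New or expired key: the load-balancing method picks (round-robin stand-in).
        real = self.real_ports[self._rr % len(self.real_ports)]
        self._rr += 1
        self.entries[key] = (real, now, now)
        return real, False


if __name__ == "__main__":
    per_subnet = SourceIpPersistTemplate(netmask="255.255.255.0")
    table = PersistTable(per_subnet, ["s1:80", "s2:80"])
    print(table.select("10.10.10.5", now=0))     # ('s1:80', False) first client in 10.10.10.0/24
    print(table.select("10.10.10.200", now=10))  # ('s1:80', True)  same /24, same real port
    print(table.select("192.168.1.7", now=20))   # ('s2:80', False) new subnet, next real port
    print(forward_source_display("155.1.1.151", 33067))  # 1.151.129.43
```

With netmask 255.255.255.0 every client in 10.10.10.0/24 shares one entry, so a single busy subnet behind a NAT lands on one real port; with the default 255.255.255.255 each client gets its own entry, and adding incl-sport splits even a single client across real ports per connection.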
slb template persist ssl-sid
Description
Direct clients based on SSL session ID.
SSL session-ID persistence directs all client requests for a given virtual port, and that have a
given SSL session ID, to the same real server and real port. For example, with SSL session-ID
persistence configured, all client requests for virtual port 443 on virtual server 1.2.3.4 that
have the same SSL session ID will be directed to the same real server and port.
The persistence is based on the SSL session ID, not on the client IP address.
Syntax
[no] slb template persist ssl-sid template-name
Replace template-name with the name of the template, 1-31 characters.
This command enters the SLB Persist SSL-SID Template Configuration mode where the
following commands are available.
Command
Description
[no] dont-honor-conn-rules
Ignores connection limit settings configured on real servers and real ports. This option
is useful for applications in which multiple sessions (connections) are likely to be used
for the same persistent SSL session ID.
This is disabled by default; the connection limit set on real servers and real ports is
used.
[no] timeout minutes
Specifies how many minutes the mapping remains persistent after the last time traffic
with the SSL session ID is sent to the server. You can specify 1-250 minutes.
The default is 5 minutes.
Default
The configuration does not have a default SSL session-ID persistence template. If you configure one, it has the defaults described in the table above.
Mode
Configuration mode
Usage
The normal form of this command creates an SSL session-ID persistence template. The “no”
form of this command removes the template.
You can bind only one SSL session-ID persistence template to a virtual port. However, you
can bind the same SSL session-ID persistence template to multiple ports.
To display statistics for SSL session-ID persistence, use the following command: show slb l4
Example
The following commands configure an SSL session-ID persistence template named “ssl-persist1” and apply it to virtual port 443 on virtual server “vip1”:
ACOS(config)#slb template persist ssl-sid ssl-persist1
ACOS(config-ssl session id persist)#exit
ACOS(config)#slb virtual-server vip1 1.2.3.4
ACOS(config-slb vserver)#port 443 tcp
ACOS(config-slb vserver-vport)#service-group https-sg1
ACOS(config-slb vserver-vport)#template persist ssl-sid ssl-persist1
slb template policy
Description
See “Config Commands: SLB Policy Templates” on page 127.
slb template port
Description
See “Config Commands: SLB Real Port Templates” on page 145.
slb template reqmod-icap
Description
See “Config Commands: SLB REQMOD ICAP Templates” on page 157.
slb template respmod-icap
Description
See “Config Commands: SLB RESPMOD ICAP Templates” on page 163.
slb template server
Description
See “Config Commands: SLB Server Templates” on page 169.
slb template server-ssl
Description
See “Config Commands: SLB Server SSL Templates” on page 181.
slb template sip (over UDP)
Description
See “Config Commands: SLB SIP Templates” on page 193.
slb template sip (over TCP/TLS)
Description
See “Config Commands: SLB SIP Templates” on page 193.
slb template smpp
Description
See “Config Commands: SLB SMPP Templates” on page 211.
slb template smtp
Description
See “Config Commands: SLB SMTP Templates” on page 215.
slb template ssli
Description
See “Config Commands: SLB SSLi Templates” on page 221.
slb template tcp
Description
See “Config Commands: SLB TCP Templates” on page 225.
slb template tcp-proxy
Description
See “Config Commands: SLB TCP Proxy Templates” on page 233.
slb template udp
Description
See “Config Commands: SLB UDP Templates” on page 249.
slb template virtual-port
Description
See “Config Commands: SLB Virtual Port Templates” on page 255.
slb template virtual-server
Description
See “Config Commands: SLB Virtual Server Templates” on page 265.
Config Commands: SLB Cache Templates
This chapter describes the commands and subcommands for configuring SLB cache templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB Cache Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB cache templates:
• slb template cache
slb template cache
Description
Configure the ACOS device to perform transparent Web caching.
Syntax
[no] slb template cache template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB Cache Template Configuration mode where the commands in
SLB Cache Template Configuration Mode Commands are available.
Default
See descriptions.
Mode
Configuration mode
Usage
The normal form of this command creates a RAM caching configuration template. The no
form of this command removes the template.
You can bind only one RAM caching template to a virtual port. However, you can bind the
same RAM caching template to multiple ports.
If a URI matches the pattern in more than one policy command, the policy command with
the most specific match is used. For example, if a template has the following commands,
content for page122 is cached whereas content for page123 is not cached:
policy uri /page12 cache 300
policy uri /page123 nocache
Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For
example, if the string pattern contains “*”, it is interpreted literally, as the “*” character.
Matching is performed based on containment; all URIs containing the pattern string match
the rule. For example, the following policy matches all URIs that contain the string “.jpg” and
sets the cache timeout for the matching objects to 7200 seconds:
policy uri .jpg cache 7200
Example
The following commands configure a RAM caching template. In this example, all the default
RAM cache settings are used.
ACOS(config)# slb template cache ramcache
ACOS(config-ram caching)#
Example
The following commands configure some dynamic caching policies. The policy that matches
on “/list” caches content for 5 minutes. The policy that matches on “/private” does not cache
content.
ACOS(config)# slb template cache ram-cache
ACOS(config-ram caching)# policy uri /list cache 300
ACOS(config-ram caching)# policy uri /private nocache
Example
The following commands configure a RAM caching template that will only cache content
from www.xyz.com/news-clips.
ACOS(config)# slb template cache ramcache
ACOS(config-ram caching)# default-policy-nocache
ACOS(config-ram caching)# policy uri www.xyz.com/news-clips cache
SLB Cache Template Configuration Mode Commands
The following SLB cache template commands are available:
• accept-reload-req
• age
• default-policy-nocache
• disable-insert-age
• disable-insert-via
• max-cache-size
• max-content-size
• min-content-size
• policy
• remove-cookies
• replacement-policy LFU
• template logging
• verify-host
To access these commands at the SLB cache template level, enter the slb template cache command.
accept-reload-req
Description
Enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the ACOS device to reload
the cached object from the origin server.
Syntax
[no] accept-reload-req
Default
Disabled.
Mode
SLB cache template configuration mode
Example
Enable this feature:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# accept-reload-req
age
Description
Specifies how long a cached object can remain in the ACOS RAM cache without being
requested.
NOTE: This value is used if the web server specifies that the object is cacheable but
does not specify for how long. If the server does specify how long the object is
cacheable, the server value is used instead.
Syntax
[no] age seconds
Parameter
Description
seconds
Number of seconds (1-999999, about 11.5 days).
Default
3600 seconds (1 hour), if the server specifies that the object is cacheable but does not specify for how long.
Mode
SLB cache template configuration mode
Example
Set the age to 7200 seconds (2 hours):
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# age 7200
default-policy-nocache
Description
Changes the default cache policy in the template from cache to nocache. This option gives
you tighter control over content caching. When you use the default no-cache policy, the
only content that is cached is cacheable content whose URI matches an explicit cache policy.
Syntax
[no] default-policy-nocache
Default
Default policy is cache.
Mode
SLB cache template configuration mode
Example
Set the default policy to nocache:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# default-policy-nocache
disable-insert-age
Description
Disables insertion of Age headers into cached responses.
Syntax
[no] disable-insert-age
Default
Insertion of Age headers is enabled by default.
Mode
SLB cache template configuration mode
Example
Disable the insertion of Age headers into cached responses:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# disable-insert-age
disable-insert-via
Description
Disables insertion of Via headers into cached responses.
Syntax
[no] disable-insert-via
Default
Insertion of Via headers is enabled by default.
Mode
SLB cache template configuration mode
Example
Disable the insertion of Via headers into cached responses:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# disable-insert-via
max-cache-size
Description
Specifies the size (in MB) of the RAM cache.
Syntax
[no] max-cache-size num
Parameter
Description
num
Maximum size (in MB) of the RAM cache (1-4096).
Default
80MB.
Mode
SLB cache template configuration mode
Example
Set the maximum RAM cache size to 256MB:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# max-cache-size 256
max-content-size
Description
Specifies the maximum object size that can be cached. The ACOS device will not cache
objects larger than this size. If you specify 0, no objects can be cached.
Syntax
[no] max-content-size num
Parameter
Description
num
Maximum object size in Bytes, 0-268435455 bytes (256MB).
Default
81920 bytes (80 KB).
Mode
SLB cache template configuration mode
Example
Set the maximum object size to 256MB:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# max-content-size 268435455
min-content-size
Description
Specifies the minimum object size that can be cached. The ACOS device will not cache
objects smaller than this size. If you specify 0, all objects smaller than or equal to the maximum content size can be cached.
Syntax
[no] min-content-size num
Parameter
Description
num
Minimum object size in Bytes, 0-268435455 bytes (256MB).
Default
512 bytes.
Mode
SLB cache template configuration mode
Example
Set the minimum object size to 1024 bytes:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# min-content-size 1024
policy
Description
Configure a policy for dynamic caching.
Syntax
[no] policy {
local-uri pattern |
uri pattern {cache [seconds] | invalidate inv-pattern | nocache}
}
Parameter
Description
local-uri
Specifies the portion of a local URL string to match on (1-63 characters).
uri
Specifies the portion of the URL string to match on (1-63 characters).
cache
Caches the content.
By default, the content is cached for the number of seconds configured in the template (set by the age command). To override the aging
period set in the template, specify the number of seconds with the
cache command
invalidate
Invalidates the content that has been cached for inv-pattern.
nocache
Does not cache the content.
Mode
SLB cache template configuration mode
Example
The following commands configure some dynamic caching policies. The policy that matches
on “/list” caches content for 5 minutes. The policy that matches on “/private” does not cache
content.
ACOS(config)# slb template cache ram-cache
ACOS(config-ram caching)# policy uri /list cache 300
ACOS(config-ram caching)# policy uri /private nocache
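The following Python model is an added example, not ACOS code. It applies the policy rules documented in the slb template cache Usage section and for the policy command: patterns match by containment, wildcard characters are literal, the most specific (longest) matching pattern wins, default-policy-nocache flips the fallback, a policy's own seconds override the template age, accept-reload-req honours Cache-Control: no-cache and max-age=0, min-content-size and max-content-size bound what is stored, and replies that set cookies are not cached unless remove-cookies is set (images excepted). The header names, content types and sample requests are constructed for the example; the invalidate action and server-supplied freshness lifetimes are not modelled.

```python
"""Model of ACOS RAM-cache policy resolution.

Added example, not ACOS code. Sample requests and header values are
constructed; the invalidate action is not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CachePolicy:
    pattern: str
    action: str                # "cache" or "nocache"
    ttl: Optional[int] = None  # seconds from "policy uri ... cache <seconds>", else None


@dataclass
class CacheTemplate:
    age: int = 3600                       # age (default 3600 seconds)
    default_policy_nocache: bool = False  # default-policy-nocache
    accept_reload_req: bool = False       # accept-reload-req
    max_content_size: int = 81920         # max-content-size (default 80 KB)
    min_content_size: int = 512           # min-content-size (default 512 bytes)
    remove_cookies: bool = False          # remove-cookies
    policies: List[CachePolicy] = field(default_factory=list)


def parse_policy(line: str) -> CachePolicy:
    """Parse a 'policy uri <pattern> {cache [seconds] | nocache}' line."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "policy" or tok[1] not in ("uri", "local-uri"):
        raise ValueError(f"not a policy line: {line!r}")
    pattern, action = tok[2], tok[3]
    if action == "cache":
        return CachePolicy(pattern, "cache", int(tok[4]) if len(tok) > 4 else None)
    if action == "nocache":
        return CachePolicy(pattern, "nocache")
    raise ValueError(f"action not modelled: {action}")


def resolve_policy(tmpl: CacheTemplate, uri: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Return (action, ttl seconds or None, matched pattern or None) for a URI."""
    best: Optional[CachePolicy] = None
    for pol in tmpl.policies:
        # Containment match; '*' and '?' are ordinary characters, not wildcards.
        if pol.pattern in uri and (best is None or len(pol.pattern) > len(best.pattern)):
            best = pol
    if best is None:
        if tmpl.default_policy_nocache:
            return "nocache", None, None
        return "cache", tmpl.age, None
    if best.action == "nocache":
        return "nocache", None, best.pattern
    return "cache", best.ttl if best.ttl is not None else tmpl.age, best.pattern


def cache_decision(tmpl: CacheTemplate, uri: str, req_headers: Dict[str, str],
                   resp_headers: Dict[str, str], body_len: int) -> Tuple[str, Optional[int]]:
    """Decide what the RAM cache does with one response.

    Returns ("bypass", None), ("reload", ttl) or ("store", ttl).
    """
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    action, ttl, _ = resolve_policy(tmpl, uri)
    if action == "nocache":
        return "bypass", None
    if tmpl.accept_reload_req:
        directives = {d.strip().lower() for d in req.get("cache-control", "").split(",")}
        if "no-cache" in directives or "max-age=0" in directives:
            return "reload", ttl  # refetch from the origin, then cache the fresh copy
    if not tmpl.min_content_size <= body_len <= tmpl.max_content_size:
        return "bypass", None
    if "set-cookie" in resp and not tmpl.remove_cookies \
            and not resp.get("content-type", "").startswith("image/"):
        return "bypass", None  # cookie-bearing replies are not cached (images excepted)
    return "store", ttl


if __name__ == "__main__":
    tmpl = CacheTemplate(policies=[parse_policy("policy uri /page12 cache 300"),
                                   parse_policy("policy uri /page123 nocache")])
    print(resolve_policy(tmpl, "/page122"))  # ('cache', 300, '/page12')
    print(resolve_policy(tmpl, "/page123"))  # ('nocache', None, '/page123')
```

Two points worth checking against your own templates: a pattern such as "*.jpg" only matches URIs that literally contain "*.jpg", so the intended rule is "policy uri .jpg ..."; and because matching is by containment, a short pattern like "/list" also matches "/admin/listings", which is why default-policy-nocache plus explicit cache patterns is the safer starting point for content that may carry per-user data.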
remove-cookies
Description
Removes cookies from server replies so the replies can be cached. RAM caching does not
cache server replies that contain cookies. (Image files are an exception. RAM caching can
cache images that have cookies.)
Syntax
[no] remove-cookies
Default
By default, cookies are not removed.
Mode
SLB cache template configuration mode
Example
Enable this feature:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# remove-cookies
replacement-policy LFU
Description
Specifies that the Least Frequently Used (LFU) policy should be used to make room for new
objects when the RAM cache is full. When the RAM cache becomes more than 90% full, the
ACOS device discards the least-frequently used objects to ensure there is sufficient room for
new objects.
Syntax
[no] replacement-policy LFU
Default
Not enabled.
Mode
SLB cache template configuration mode
Example
Enable this feature:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# replacement-policy LFU
template logging
Description
Specifies a logging template to use for external logging of RAM caching events over TCP.
Syntax
[no] template logging {v-log | name}
Parameter
Description
v-log
name
Name of an existing logging template.
Default
No logging template is used.
Mode
SLB cache template configuration mode
Example
Specify a logging template “extlog1” that should be used for logging RAM caching events:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# template logging extlog1
verify-host
Description
Enables the ACOS device to cache the host name in addition to the URI for cached content.
Use this command if a real server that contains cacheable content will host more than one
host name (for example, www.abc.com and www.xyz.com).
Syntax
[no] verify-host
Default
By default, this is disabled. Host names are not cached along with URIs for cached content.
Mode
SLB cache template configuration mode
Example
Enable this feature:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# verify-host
Config Commands: SLB Client SSL Templates
This chapter describes the commands and subcommands for configuring SLB client SSL templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB Client SSL Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB client SSL templates:
• slb template client-ssl
slb template client-ssl
Description
Names an SSL client template and enters the configuration mode where you can enable SSL
client services, such as validation of SSL clients.
Syntax
[no] slb template client-ssl template-name
Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB Client-SSL Template Configuration mode where the
commands in SLB Client SSL Template Configuration Mode Commands are available.
Default
If none of the SSL Client template sub-commands described in SLB Client SSL Template
Configuration Mode Commands are configured, the default action of the SSL Client template is
the combined default actions of the individual SSL Client sub-commands.
Mode
Configuration mode
Usage
The normal form of this command creates a client-SSL configuration template. The no form
of this command removes the template.
For the forward-proxy-bypass option, match rules are always applied in the following
order, regardless of the order in which they were configured:
• equals sni-string
• starts-with sni-string
• contains sni-string
• ends-with sni-string
A client-SSL template can contain up to 128 certificates or certificate chains. They must be
imported onto the ACOS device. To import a certificate or certificate chain, see the import
command or “slb common” on page 18.
You can bind only one client-SSL template to a virtual port. However, you can bind the same
client-SSL template to multiple ports.
The close-notify option cannot be used together with the TCP-proxy template force-delete-timeout option. Doing so may cause unexpected behavior.
Example
The following commands configure a client-SSL template named “client-ssl1” that uses
imported CA certificates and requires clients to present their certificates when requesting
connections to servers:
ACOS(config)# slb template client-ssl client-ssl1
ACOS(config-client ssl)# ca-cert ca-bundle.crt
ACOS(config-client ssl)# client-certificate require
Example
The following commands configure a client SSL template to use an imported CA certificate
and an imported Certificate Revocation List (CRL) from that CA when validating client
certificates:
ACOS(config)# slb template client-ssl client-ssl1
ACOS(config-client ssl)# ca-cert ca-cert.pem
ACOS(config-client ssl)# crl ca-crl.pem
ACOS(config-client ssl)# client-certificate require
Example
The following example shows how the certificate drop action is enabled in the SSL Client
template named, ClientSide_vRouter. Specifically, the drop action occurs when OCSP
reports the certificate is not currently valid.
ACOS-Inside(config)# slb template client-ssl ClientSide_vRouter
ACOS-Inside(config-client ssl)# forward-proxy-verify-cert-drop
Example
The following example shows how the forward-proxy-inspect command works. The AC
class-list matches all server names ending with abc.com, so those names go through SSLi
processing unless a bypass rule also matches: names containing private.abc.com are
bypassed, while names such as www.public.abc.com are inspected.
ACOS# show config class-list
!Section configuration: 77 bytes
!
class-list my_class_list ac
ends-with abc.com
user-tag Security
!
ACOS# config
ACOS(config)# slb template client-ssl SSLi_vip_001_client_ssl
ACOS(config-client ssl)# forward-proxy-inspect class-list my_class_list
ACOS(config-client ssl)# forward-proxy-bypass contains private.abc.com
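The following Python model is an added example, not ACOS code. It applies the documented evaluation order of forward-proxy-bypass match rules (equals, starts-with, contains, ends-with, whatever order they were configured in) and then an AC class-list bound with forward-proxy-inspect, reproducing the example above in which names ending with abc.com are inspected except those containing private.abc.com. Two points are assumptions rather than statements from this page: names that match no entry of a bound inspect class-list are reported as "unmatched", and with no class-list bound every non-bypassed name is inspected. The hostnames are constructed for the example.

```python
"""Model of the client-SSL forward-proxy (SSLi) bypass/inspect decision.

Added example, not ACOS code. Hostnames are constructed; see the
comments for the two assumptions about unmatched names.
"""
from typing import List, Optional, Tuple

# Fixed precedence of forward-proxy-bypass match rules, per the Usage section.
BYPASS_ORDER = ("equals", "starts-with", "contains", "ends-with")

Rule = Tuple[str, str]  # (operator, sni-string)


def _match(op: str, sni: str, value: str) -> bool:
    sni, value = sni.lower(), value.lower()  # DNS names compare case-insensitively
    if op == "equals":
        return sni == value
    if op == "starts-with":
        return sni.startswith(value)
    if op == "contains":
        return value in sni
    if op == "ends-with":
        return sni.endswith(value)
    raise ValueError(f"unknown operator: {op}")


class ClientSslTemplate:
    """Only the two forward-proxy settings this example needs."""

    def __init__(self) -> None:
        self.bypass_rules: List[Rule] = []  # kept in configuration order
        self.inspect_class_list: Optional[List[Rule]] = None

    def forward_proxy_bypass(self, op: str, sni_string: str) -> None:
        if op not in BYPASS_ORDER:
            raise ValueError(f"unsupported bypass match: {op}")
        self.bypass_rules.append((op, sni_string))

    def forward_proxy_inspect(self, class_list: List[Rule]) -> None:
        self.inspect_class_list = class_list


def ssli_decision(tmpl: ClientSslTemplate, sni: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched rule); verdict is "bypass", "inspect" or "unmatched"."""
    # 1. Bypass rules win, evaluated in the fixed precedence order, not config order.
    for op in BYPASS_ORDER:
        for rule_op, value in tmpl.bypass_rules:
            if rule_op == op and _match(op, sni, value):
                return "bypass", f"forward-proxy-bypass {op} {value}"
    # 2. Otherwise consult the inspect class-list, if one is bound.
    if tmpl.inspect_class_list is None:
        return "inspect", None  # assumption: no class-list means intercept everything
    for op, value in tmpl.inspect_class_list:
        if _match(op, sni, value):
            return "inspect", f"class-list {op} {value}"
    return "unmatched", None  # assumption: the page does not say how these are handled


if __name__ == "__main__":
    tmpl = ClientSslTemplate()
    tmpl.forward_proxy_inspect([("ends-with", "abc.com")])  # class-list my_class_list ac
    tmpl.forward_proxy_bypass("contains", "private.abc.com")
    for name in ("www.public.abc.com", "mail.private.abc.com", "example.org"):
        print(name, ssli_decision(tmpl, name))
```

The precedence matters when a broad rule and a narrow one overlap: an equals rule configured after a contains rule is still tested first, so the rule reported as matched (and counted in statistics) is the most exact one, not the one entered first.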
SLB Client SSL Template Configuration Mode Commands
The following SLB client SSL template commands are available:
• auth-username
• auth-username-attribute
• authorization
• ca-cert
• cert
• chain-cert
• cipher
• client-certificate
• close-notify
• crl
• dh-param
• disable-sslv3
• ec-name
• enable-tls-alert-logging
• forward-proxy-alt-sign
• forward-proxy-bypass
• forward-proxy-ca-cert
• forward-proxy-ca-key
• forward-proxy-cache-persistence
• forward-proxy-cert-cache
• forward-proxy-cert-expiry
• forward-proxy-cert-ext
• forward-proxy-cert-revoke-action
• forward-proxy-cert-unknown-action
• forward-proxy-crl-disable
• forward-proxy-enable
• forward-proxy-failsafe-disable
• forward-proxy-inspect
• forward-proxy-log-disable
• forward-proxy-ocsp-disable
• forward-proxy-selfsign-redir
• forward-proxy-ssl-version
• forward-proxy-trusted-ca
• forward-proxy-verify-cert-fail-action
• hsm-param
• key
• non-ssl-bypass
• ocsp-stapling
• server-name
• session-cache-size
• session-cache-timeout
• session-ticket-lifetime
• ssl-false-start-disable
• sslv2-bypass
• template
To access these commands at the SLB client SSL template level, enter the slb template client-ssl command.
auth-username
Description
Specifies the field to check in SSL certificates from clients in order to find the client name.
Syntax
[no] auth-username {
[common-name]
[subject-alt-name-email]
[subject-alt-name-othername]
}
Parameter
Description
common-name
Configuring this option causes the ACOS device to extract the client's common
name (CN) from the certificate.
subject-alt-name-email
Configuring this option causes the ACOS device to extract the email address from
the client's certificate. For example, if the client name is "user@example.com",
the entire string "user@example.com" is extracted with this option.
subject-alt-name-othername
Configuring this option causes the ACOS device to extract the User Principal Name
(UPN) from the certificate's Subject Alternative Name. For example, if the UPN is
"user@example.com", the string "user" is extracted with this option.
Default
The default is common-name.
Mode
SLB client SSL template configuration mode
Usage
Multiple options can be specified, but you must specify at least one.
If multiple options are specified, the ACOS device will attempt to extract the username from
the options in the order they are specified. For example:
auth-username subject-alt-name-email subject-alt-name-othername
This command causes the ACOS device to first attempt to extract the username from
subject-alt-name-email, and only if not found, will it then attempt to extract the
username from subject-alt-name-othername.
Example
Configure the ACOS device to extract the Email address from the client certificate:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# auth-username subject-alt-name-email
auth-username-attribute
Description
Specify attribute name of username for client SSL.
Syntax
[no] auth-username-attribute string
Parameter
Description
string
Attribute name (1-31 characters).
Default
None.
Mode
SLB client SSL template configuration mode
Example
Configure “username” as the username attribute name:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# auth-username-attribute username
authorization
Description
Specify an LDAP server to use for client SSL authorization.
Syntax
[no] authorization {name | service-group name}
[ldap-base-dn-from-cert]
[ldap-search-filter name]
Parameter
Description
name
Specify an LDAP authentication server (1-63 characters).
service-group
Specify an LDAP service group name (1-127 characters).
ldap-base-dn-from-cert
Use the Subject DN as the LDAP search base DN.
ldap-search-filter
Specify the name of a specific search filter.
Mode
SLB client SSL template configuration mode
Example
Configure an LDAP server for client SSL authorization:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# authorization ldap1 ldap-base-dn-from-cert
ca-cert
Description
Specify the name of the Certificate Authority (CA) certificate to use for validating client certificates. The CA certificate must be installed on the ACOS device.
(Use the import ca-cert command to install the CA certificate.)
If either of the ocsp options is included in the command line, ACOS checks the client's SSL
certificate via OCSP rather than using the CRL of the signing CA.
Syntax
[no] ca-cert cert-name
[ocsp {ocsp-server-name | service-group ocsp-service-group-name}]
Parameter
Description
cert-name
CA certificate name (1-255 characters).
ocsp-server-name
Name of the OCSP server.
ocsp-service-group-name
Name of the OCSP service group.
Default
Disabled by default.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ca-cert exampleCA ocsp ocsp-server1
cert
Description
Specifies the name of the certificate to use for terminating or initiating an SSL connection.
The certificate must be installed on the ACOS device.
Syntax
[no] cert cert-name
Parameter
Description
cert-name
Certificate name (1-255 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# cert examplecert
chain-cert
Description
Specifies a certificate-key chain.
Syntax
[no] chain-cert chain-cert-name
Parameter
Description
chain-cert-name
Chain certificate name (1-255 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# chain-cert examplechaincert
cipher
Description
Specifies the cipher suite to support for certificates from clients.
Syntax
[no] cipher cipher-name
Parameter
Description
cipher-name
Cipher name. By default, all supported ciphers (listed in Table 1 on page 53) are enabled.
You can remove (or re-add) one cipher in the template with a single command. Enter separate commands for each cipher to remove or re-add.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# cipher SSL3_RSA_DES_64_CBC_SHA
client-certificate
Description
Specifies the action that the ACOS device takes in response to a client’s connection request.
Syntax
[no] client-certificate {Ignore | Require | Request}
Parameter
Description
Ignore
The ACOS device does not request the client to send its certificate.
Require
The ACOS device requires the client certificate. This action requests the client to send its certificate; however, the SSL handshake does not proceed (it fails) if the client sends a NULL certificate or the certificate is invalid.
Request
The ACOS device requests the client to send its certificate. With this action,
the SSL handshake proceeds even if either of the following occurs:
• The client sends a NULL certificate (one with zero length).
• The certificate is invalid, causing client verification to fail.
Use this option if you want the request to trigger an aFleX policy for further
processing.
Default
Ignore.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# client-certificate Require
close-notify
Description
Enables closure alerts for SSL sessions. When this option is enabled, the ACOS device sends a
close_notify message when an SSL transaction ends, before sending a FIN. This behavior is
required by certain types of client applications, including PHP cgi. For this type of client, if the
ACOS device does not send a close_notify, an error or warning appears on the client.
Syntax
[no] close-notify
Default
Not enabled.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# close-notify
crl
Description
Specifies the names of the Certificate Revocation Lists (CRLs) to use for verifying whether client certificates have been revoked. The CRLs must be installed on the ACOS device first (use the import command). The CA certificate relevant to the CRL must also be specified.
When you add a CRL to a client-SSL template, the ACOS device checks the CRL to confirm whether the clients' certificates have been revoked by the issuing Certificate Authority (CA).
Syntax
[no] crl file-name
Parameter
Description
file-name
CRL file name (1-255 characters).
Mode
SLB client SSL template configuration mode
Example
The following example shows how to add CRL and CA certificates to a client-SSL template:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# client-certificate Require
ACOS(config-client ssl)# crl 10_ca.crt_crl.pem
ACOS(config-client ssl)# crl 20_ca.crt_crl.pem
ACOS(config-client ssl)# crl root-ca.pem.crl.pem
ACOS(config-client ssl)# ca-cert 10_ca_crt
ACOS(config-client ssl)# ca-cert 20_ca.crt
ACOS(config-client ssl)# ca-cert root-ca.pem
NOTE: If you plan to use a CRL, you must set the client-certificate mode to Require. The CRL should be signed by the same issuer as the CA certificate. Otherwise, the client and ACOS device will not be able to establish a connection.
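The interaction between the client-certificate mode (Ignore, Require, Request) and CRL checking described in this entry and in client-certificate, modelled in Python as an added illustration that is not ACOS code; the sample CRL, serial numbers, issuer names and result fields are constructed for the example.

```python
"""Model of how the client-certificate mode (Ignore | Require | Request)
interacts with CRL checking in an ACOS client-SSL template, following the
descriptions in this reference.  Added illustration, not ACOS code: the
sample CRL, serial numbers and result fields are constructed here."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample CRL: issuer name -> serial numbers it has revoked.
SAMPLE_CRL: Dict[str, Set[int]] = {"root-ca": {0x1001, 0x1003}}


@dataclass(frozen=True)
class ClientCert:
    issuer: str
    serial: int
    valid_chain: bool  # chains to a configured ca-cert and is within validity


@dataclass(frozen=True)
class HandshakeResult:
    handshake_ok: bool  # does the SSL handshake proceed?
    cert_seen: bool     # did a certificate reach the template (usable by aFleX)?
    reason: str


def is_revoked(cert: ClientCert, crl: Dict[str, Set[int]]) -> bool:
    """A CRL only applies to certificates from the issuer that signed it."""
    return cert.serial in crl.get(cert.issuer, set())


def client_ssl_handshake(mode: str, cert: Optional[ClientCert],
                         crl: Optional[Dict[str, Set[int]]] = None) -> HandshakeResult:
    """Outcome of the client-certificate step for one connection.

    cert=None models the NULL (zero-length) certificate a client sends when
    it has none.  The CRL is consulted only in Require mode, matching the
    note that CRL use needs client-certificate Require.
    """
    crl = crl or {}
    if mode == "Ignore":
        # ACOS never asks for a certificate, so nothing is verified.
        return HandshakeResult(True, False, "certificate not requested")
    if cert is None:
        if mode == "Require":
            return HandshakeResult(False, False, "NULL certificate rejected")
        return HandshakeResult(True, False, "NULL certificate; handshake proceeds")
    if mode == "Require":
        if not cert.valid_chain:
            return HandshakeResult(False, True, "chain validation failed")
        if is_revoked(cert, crl):
            return HandshakeResult(False, True, "certificate is on the CRL")
        return HandshakeResult(True, True, "certificate accepted")
    if mode == "Request":
        # The handshake proceeds even when verification fails; only an aFleX
        # policy that looks at the verification result can still deny access.
        if cert.valid_chain:
            return HandshakeResult(True, True, "chain valid; CRL applies only in Require mode")
        return HandshakeResult(True, True, "verification failed; handshake proceeds")
    raise ValueError(f"unknown client-certificate mode {mode!r}")


if __name__ == "__main__":
    good = ClientCert("root-ca", 0x2000, True)
    revoked = ClientCert("root-ca", 0x1001, True)
    for mode in ("Ignore", "Require", "Request"):
        for label, c in (("none", None), ("good", good), ("revoked", revoked)):
            r = client_ssl_handshake(mode, c, SAMPLE_CRL)
            print(f"{mode:8s} {label:8s} ok={str(r.handshake_ok):5s} {r.reason}")
```

The table the script prints makes the practical point of the NOTE visible: a revoked certificate is only rejected in Require mode, and in Request mode the handshake completes unless an aFleX policy acts on the verification result.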
dh-param
Description
Specify Diffie-Hellman parameters.
Syntax
[no] dh-param {1024 | 1024-dsa | 2048 | 512}
Default
Not enabled.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# dh-param 1024
disable-sslv3
Description
Disables support for SSLv3 in client-SSL templates.
NOTE: If you disable SSLv3 support, when ACOS receives an SSLv3 Hello message from a client, ACOS responds by sending a TCP FIN to the client to end the session.
Syntax
[no] disable-sslv3
Default
SSLv3 support is enabled by default.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# disable-sslv3
ec-name
Description
Specifies the Elliptic Curve name.
Syntax
[no] ec-name {secp256r1 | secp384r1}
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ec-name secp384r1
enable-tls-alert-logging
Description
Enables logging of TLS alerts that include the flow information such as source IP address.
Syntax
[no] enable-tls-alert-logging
Default
Disabled by default.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# enable-tls-alert-logging
forward-proxy-alt-sign
Description
Sets the forward proxy alternate signing certificate and certificate key, and optionally a pass phrase or its encrypted form.
If the SSL site requested by the client is not on the trusted list (set by the forward-proxy-trusted-ca command), the inside ACOS device signs the certificate with the key specified by this command.
Syntax
[no] forward-proxy-alt-sign cert cert-name key key-name
[pass-phrase {pass-phrase | {encrypted encrypt-pw-string}}]
Parameter
Description
cert-name
Certificate name.
key-name
Certificate key.
pass-phrase
Password (1-128 characters).
encrypt-pw-string
Encrypted password string (1-512 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-alt-sign cert certA key keyA pass-phrase examplepassword
Example
The keyword encrypted is only allowed in the no form of the command. For example:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-alt-sign cert certA key keyA pass-phrase encrypted $1$7fe8790d$QepxCQt0M4aG9HUQvgwKO0
forward-proxy-bypass
Description
Sets the match criteria for bypassing SSL Insight.
Syntax
[no] forward-proxy-bypass {
  case-insensitive |
  class-list {name | multi-class-list name} |
  client-auth {
    case-insensitive |
    class-list name |
    contains sni-string |
    ends-with sni-string |
    equals sni-string |
    starts-with sni-string
  } |
  contains sni-string |
  ends-with sni-string |
  equals sni-string |
  starts-with sni-string |
  web-category option
}
Parameter
Description
case-insensitive
Disables case sensitivity for SNI string matching.
class-list
Bypasses SSLi when the SNI of the external server URL matches the specified AC class list or class lists.
When enabled by the multi-class-list option, you can enter the names of up to 16 file-type class lists for each slb template client-ssl instance. Without the multi-class-list option, you can enter only one class-list name.
client-auth
Bypasses interception of client SSL authentication traffic. The class-list option specifies an AC class list to use for SNI matching as a required additional criterion. The sni-string options (equals, contains, ends-with, and starts-with) are described below; they are additional SNI string criteria for matching.
contains
A string criterion that matches if the specified string appears anywhere within the SNI value of the server URL.
ends-with
A string criterion that matches only if the SNI value of the server URL ends with the specified string.
equals
A string criterion that matches only if the SNI value of the server URL exactly matches the specified string.
starts-with
A string criterion that matches only if the SNI value of the server URL starts with the specified string.
web-category
Bypasses traffic to URLs that are within the specified category.
Use web-category ? to view the list of available category options.
Mode
SLB client SSL template configuration mode
Example
Example configuration to bypass SSLi for specific web categories:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass web-category financial-services
ACOS(config-client ssl)# forward-proxy-bypass web-category legal
forward-proxy-ca-cert
Description
Name of the CA-signed certificate. Specify the same name you specified when you uploaded
the certificate to the ACOS device.
Syntax
[no] forward-proxy-ca-cert cert-name
Parameter
Description
cert-name
CA-signed certificate name (1-255 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ca-cert myCAcert
forward-proxy-ca-key
Description
Name of the private key for the CA-signed certificate. Specify the same name you specified
when you uploaded the key to the ACOS device.
Syntax
[no] forward-proxy-ca-key key-name
Parameter
Description
key-name
Key name (1-255 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ca-key myCAkey
forward-proxy-cache-persistence
Description
Specifies an Aho-Corasick (AC) class-list of SNIs of forged certificates that are to be retained in
the cache when ACOS is rebooted or whenever the ACOS forward-proxy process is restarted.
If an SNI in the certificate matches an entry in this class list, it is retained; otherwise, it is
dropped.
Syntax
[no] forward-proxy-cache-persistence class-list name
Parameter
Description
name
Class-list name (1-63 characters).
Default
If a persist class list is not bound to a client-SSL template, the cached forged certificates do
not persist.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cache-persistence class-list cl1
forward-proxy-cert-cache
Description
Configures forward proxy certificate cache options.
Syntax
[no] forward-proxy-cert-cache {limit bytes | timeout seconds}
Parameter
Description
limit
Specifies the certificate cache size limit in bytes (0-2147483647).
The default is 1024. Set the limit to 0 for unlimited size.
timeout
Specifies the certificate cache timeout value in seconds (0-2147483647).
The default is 1 hour.
Set the timeout to 0 for the certificate cache to never time out. A certificate can remain in the cache up to the value set in cache timeout; when a certificate exceeds that time, it is removed.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-cache timeout 7200
forward-proxy-cert-expiry
Description
The number of hours that the forward proxy certificates will be valid.
Shortening the lifetime of the forged forward-proxy certs reduces the security risk if any are
stolen. From 1 to 168 hours can be specified.
NOTE:
This command applies only to the certs that are forged on the ACOS device and
does not apply to imported certificates.
Syntax
[no] forward-proxy-cert-expiry hours hours
Parameter
Description
hours
Number of hours (1-168).
Default
By default, the forged forward proxy certs have the same expiration as the original certificates.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-expiry hours 48
forward-proxy-cert-ext
Description
Specify the certificate extension for a Certificate Revocation List Distribution Point (CRLDP) or
an Authority Information Access (AIA) extension for Online Certificate Status Protocol (OCSP)
or Certificate Authority (CA) Issuer for certificate validation.
Syntax
[no] forward-proxy-cert-ext {crldp | aia {ca-issuers | ocsp}} URI
Mode
SLB client SSL template configuration mode
Example
Example configuration to add a distribution point extension for a CRL.
ACOS(config)#slb template client-ssl SSL-Client
ACOS(config-client ssl)#forward-proxy-cert-ext crldp http://www.example.com/example.crt
forward-proxy-cert-unknown-action
Description
Configures the action taken on the client connection if OCSP or CRL verification determines that the certificate status is 'unknown'. The options available are bypassing SSL Proxy, continuing with the connection, or dropping the connection.
Syntax
[no] forward-proxy-cert-unknown-action {bypass | continue | drop}
Default
By default, SSL proxy is bypassed if OCSP or CRL verification determines any certificate in the
chain is unknown.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-unknown-action drop
forward-proxy-cert-revoke-action
Description
Configures the action taken on the client connection if OCSP or CRL verification determines that the certificate is irreversibly revoked. The options available are bypassing SSL Proxy, continuing with the connection, or dropping the connection.
Syntax
[no] forward-proxy-cert-revoke-action {bypass | continue | drop}
Default
By default, SSL proxy is bypassed if OCSP or CRL verification determines any certificate in the
chain is irreversibly revoked.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-revoke-action continue
forward-proxy-crl-disable
Description
Disable Certificate Revocation List (CRL) services for SSLi (forward-proxy).
Syntax
[no] forward-proxy-crl-disable
Default
By default, CRL for SSLi is enabled.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-crl-disable
forward-proxy-enable
Description
Enable SSL Insight support.
Syntax
[no] forward-proxy-enable
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-enable
forward-proxy-failsafe-disable
Description
Forward proxy (SSLi) failsafe allows SSLi traffic interception to be bypassed when there is a handshake failure. The most common handshake failures are due to servers accepting only elliptic-curve ciphers.
Syntax
[no] forward-proxy-failsafe-disable
Default
This feature is enabled by default; use this command to disable SSLi failsafe.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-failsafe-disable
forward-proxy-inspect
Description
Perform SSL Insight only if the traffic matches an entry in the specified class list and is not bypassed by any other matching criteria. Only Aho-Corasick (AC) class lists are supported by this command.
The forward-proxy-inspect criteria are applied before any forward-proxy-bypass matching criteria. If forward-proxy-inspect is not configured, all SSL sessions are evaluated against the other bypass matching criteria.
Syntax
[no] forward-proxy-inspect class-list name
Parameter
Description
name
Class-list name (1-63 characters).
Mode
SLB client SSL template configuration mode
Example
The following example shows how the forward-proxy-inspect command works. With this AC class-list, all URLs ending with private.abc.com are bypassed, while all URLs ending with public.abc.com go through SSLi processing.
ACOS# show config class-list
!Section configuration: 77 bytes
!
class-list my_class_list ac
ends-with abc.com
user-tag Security
!
ACOS# config
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# slb template client-ssl SSLi_vip_001_client_ssl
ACOS(config-client ssl)# forward-proxy-inspect class-list my_class_list
ACOS(config-client ssl)# forward-proxy-bypass contains private.abc.com
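As an added illustration that is not part of the A10 reference, the following Python model applies the inspect-then-bypass evaluation order described above to the class list and bypass rule of this example (and to the case-insensitive option of forward-proxy-bypass); the data structures, the "inspect"/"bypass" labels and the extra hostnames are this example's own assumptions.

```python
"""Model of the forward-proxy-inspect / forward-proxy-bypass decision order
described for the ACOS client-SSL template.  Added illustration, not ACOS
code: rule objects, labels and the evaluation order are modelled from the
reference text only; real ACOS class-list matching may differ in detail."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One SNI string criterion: equals | contains | ends-with | starts-with."""
    op: str
    value: str

    def matches(self, sni: str, case_insensitive: bool = False) -> bool:
        s, v = (sni.lower(), self.value.lower()) if case_insensitive else (sni, self.value)
        if self.op == "equals":
            return s == v
        if self.op == "contains":
            return v in s
        if self.op == "ends-with":
            return s.endswith(v)
        if self.op == "starts-with":
            return s.startswith(v)
        raise ValueError(f"unknown match operator {self.op!r}")


@dataclass
class ClientSslTemplate:
    # forward-proxy-inspect class-list <name>; None means not configured
    inspect_class_list: Optional[List[Rule]] = None
    # forward-proxy-bypass string criteria and class-list entries
    bypass_rules: List[Rule] = field(default_factory=list)
    # forward-proxy-bypass case-insensitive
    case_insensitive: bool = False

    def decide(self, sni: str) -> str:
        """Return "inspect" or "bypass" for one client SNI.

        Order from the reference: the inspect class-list is applied first, so
        a session that does not match it is never intercepted.  Sessions that
        match (or every session when no inspect list is configured) are then
        checked against the bypass criteria.
        """
        if self.inspect_class_list is not None:
            if not any(r.matches(sni, self.case_insensitive) for r in self.inspect_class_list):
                return "bypass"
        if any(r.matches(sni, self.case_insensitive) for r in self.bypass_rules):
            return "bypass"
        return "inspect"


def example_template() -> ClientSslTemplate:
    """The configuration from the forward-proxy-inspect example above:
    class-list my_class_list ac with 'ends-with abc.com', bound by
    forward-proxy-inspect, plus 'forward-proxy-bypass contains private.abc.com'."""
    return ClientSslTemplate(
        inspect_class_list=[Rule("ends-with", "abc.com")],
        bypass_rules=[Rule("contains", "private.abc.com")],
    )


if __name__ == "__main__":
    t = example_template()
    # mail.example.net is a constructed host outside the inspect class list.
    for host in ("public.abc.com", "private.abc.com", "mail.example.net"):
        print(f"{host:20s} -> {t.decide(host)}")
```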
forward-proxy-log-disable
Description
Disable SSL forward proxy (SSLi) logging.
Syntax
[no] forward-proxy-log-disable
Default
SSLi logging is enabled by default; use this command to disable SSLi logging.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-log-disable
forward-proxy-ocsp-disable
Description
Disable OCSP Stapling for SSL forward proxy (SSLi).
Syntax
[no] forward-proxy-ocsp-disable
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ocsp-disable
forward-proxy-selfsign-redir
Description
With this option enabled, ACOS redirects traffic away from the self-signed site and to a warning page in which the client sees “The page you have tried to reach uses an untrusted certificate, please contact your administrator.”
Syntax
[no] forward-proxy-selfsign-redir
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-selfsign-redir
forward-proxy-ssl-version
Description
Specify the version of SSL to be used with SSL Insight.
Syntax
[no] forward-proxy-ssl-version {31 | 32 | 33}
Parameter
Description
31
SSL/TLS v1.0.
32
SSL/TLS v1.1.
33
SSL/TLS v1.2.
Default
SSL/TLS v1.2
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ssl-version 33
forward-proxy-trusted-ca
Description
File in PEM format listing all the trusted CAs.
Syntax
[no] forward-proxy-trusted-ca file
Parameter
Description
file
Trusted CA file name (1-255 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-trusted-ca trustedCAs.pem
forward-proxy-verify-cert-fail-action
Description
Configure the action of the client connection if CRL verification of any certificate fails. The
options available are bypassing SSL Proxy, continuing with the connection, or dropping the
connection.
Syntax
[no] forward-proxy-verify-cert-fail-action
{bypass | continue | drop}
Default
By default, the client connection is dropped if CRL verification of any certificate in the chain is
not successful.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-verify-cert-fail-action bypass
hsm-param
Description
Specify HSM parameters.
Syntax
[no] hsm-param {thales-embed | thales-hwcrhk}
Parameter
Description
thales-embed
Thales embed key.
thales-hwcrhk
Thales hwcrhk key.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# hsm-param thales-embed
key
Description
Specifies the key for the certificate, and the passphrase used to encrypt the key.
Syntax
[no] key key-name [passphrase string]
Parameter
Description
key-name
Key name (1-255 characters).
string
Password phrase (1-128 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# key MyKey passphrase MyPassword
non-ssl-bypass
Description
Specifies that non-SSL session traffic is redirected to the specified service group.
Syntax
[no] non-ssl-bypass service-group name
Parameter
Description
name
Service group name (1-127 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# non-ssl-bypass service-group Non_SSL_sg1
ocsp-stapling
Description
Configure OCSP Stapling support.
Syntax
[no] ocsp-stapling ca-cert cert-name ocsp {auth-server-name | service-group group-name}
  [period {days num | hours num | minutes num}]
  [timeout minutes]
Parameter
Description
cert-name
CA certificate name.
auth-server-name
OCSP authentication server name (1-63 characters).
group-name
OCSP authentication service-group name (1-127 characters).
period
Specifies how often ACOS contacts the server or service group for updates. Default is 1 hour.
timeout
Specifies the timeout for server retries, in minutes (1-65535). Default is 30 minutes.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ocsp-stapling ca-cert MyCACert ocsp AuthServerName period hours 2
server-name
Description
Configure Server Name Indication (SNI) in the client Hello extension.
Syntax
[no] server-name server-name cert cert-name key key-name
[pass-phrase string]
Parameter
Description
server-name
Server name string (1-63 characters).
cert-name
Server certificate associated to SNI (1-255 characters).
key-name
Server private key associated to SNI (1-255 characters).
string
Help password phrase (1-128 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# server-name SNIServer cert SNICert key SNIKey pass-phrase SNIHelp
session-cache-size
Description
Maximum number of cached sessions for SSL session ID reuse.
Syntax
[no] session-cache-size entries
Parameter
Description
entries
Number of entries (0-131072).
The value 0 disables session ID reuse.
Default
The default is 0; session ID reuse is disabled.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# session-cache-size 5000
session-cache-timeout
Description
Sets the maximum number of seconds a cache entry can remain unused before being
removed from the cache. Cache entries age according to the ticket age time. The age time is
not reset when a cache entry is used.
Syntax
[no] session-cache-timeout seconds
Parameter
Description
seconds
Number of seconds (1-7200).
Default
7200 seconds.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# session-cache-timeout 5400
session-ticket-lifetime
Description
Sets the lifetime for stateless SSL session ticketing. After a client’s SSL ticket expires, they
must complete an SSL handshake in order to set up the next secure session with ACOS.
NOTE: This option is only supported on vThunder systems, and is not supported on hardware A10 Thunder Series or AX Series devices.
Syntax
[no] session-ticket-lifetime seconds
Parameter
Description
seconds
Number of seconds (0-2147483647).
Setting the lifetime to 0 disables the feature.
Default
The default is 0; session ticket lifetime is disabled.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# session-ticket-lifetime 7200
ssl-false-start-disable
Description
Disables SSL False Start support (SSL False Start is used by the Google Chrome browser).
NOTE: The following ciphers are not supported for SSL False Start in the current release:
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_EXPORT1024_RC4_56_MD5
If no other ciphers but these are enabled in the client-SSL template, SSL False Start
handshakes will fail.
Syntax
[no] ssl-false-start-disable
Default
SSL false start is enabled by default.
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ssl-false-start-disable
sslv2-bypass
Description
Redirects clients who request SSLv2 sessions to the specified service group.
Syntax
[no] sslv2-bypass service-group service-group-name
Parameter
Description
service-group-name
Name of the service group (1-127 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# sslv2-bypass service-group SSLv2_SG
template
Description
Name of a cipher or HSM template to bind to client-SSL and server-SSL templates. In this
case, the settings in the cipher template override any cipher settings in the client-SSL template.
Syntax
[no] template {cipher template-name | hsm template-name}
Parameter
Description
cipher
SLB cipher template name (1-63 characters).
hsm
HSM template name (1-63 characters).
Mode
SLB client SSL template configuration mode
Example
Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# template cipher SLB_Cipher_Template
Config Commands: SLB Policy Templates
This chapter describes the commands and subcommands for configuring SLB policy templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB Policy Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB policy templates:
• slb template policy
slb template policy
Description
Configure a template of Policy-Based SLB (PBSLB) settings.
Syntax
[no] slb template policy template-name
Parameter
Description
template-name
Template name (1-31 characters)
This command enters SLB policy template configuration mode for the specified policy template.
Default
The configuration does not have a default policy template.
Mode
Configuration mode
Usage
The normal form of this command creates a PBSLB template. The no form of this command
removes the template.
You can bind only one PBSLB template to a virtual port. However, you can bind the same
PBSLB template to multiple ports.
PBSLB configuration on a virtual port can be set either using a template or by configuring the individual settings on the port. Individual PBSLB settings and a PBSLB template cannot be configured on the same virtual port.
Apply the Policy Globally or on Individual Virtual Ports
The ACOS device also allows policy templates to be applied at the virtual-server level.
However, PBSLB does not take effect if you apply the policy template at the virtual-server
level. Only class lists are supported at the virtual-server level. To use PBSLB, apply the policy
template globally or on individual virtual ports.
Example
The following commands configure a PBSLB template and bind it to a virtual port:
ACOS(config)# slb template policy bw1
ACOS(config-policy)# bw-list name bw1
ACOS(config-policy)# bw-list id 2 service srvcgroup2
ACOS(config-policy)# bw-list id 4 drop
ACOS(config-policy)# exit
ACOS(config)# slb virtual-server PBSLB_VS1 10.10.10.69
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-port)# template policy bw1
Example
The following example configures a bandwidth limit per source IP, using a policy template
and class list.
Configure the class list:
ACOS(config)# class-list clist1
ACOS(config-class list)# 100.100.1.0/24 lid 1
ACOS(config-class list)# exit
Configure the PBSLB template:
ACOS(config)# slb template policy p1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
Configure the bandwidth limit (1,024,000 bytes per second, expressed as bytes per 10 100-ms intervals), and reset the
connection when the limit is exceeded.
ACOS(config-policy-class-list:clist1-lid:1)# bw-rate-limit 1024000 per 10
ACOS(config-policy-class-list:clist1-lid:1)# over-limit-action reset
SLB Policy Template Configuration Mode Commands
The following SLB policy template commands are available:
• bw-list id
• bw-list name
• bw-list over-limit
• bw-list timeout
• bw-list use-destination-ip
• class-list
• forward-policy
• geo-location full-domain-tree
• geo-location overlap
• geo-location share
To access these commands at the SLB policy template level, enter the slb template policy command.
bw-list id
Description
Specifies the action to take for clients using a Black/White list ID.
Syntax
[no] bw-list id id {service-group name | drop | reset} [logging [minutes] [fail]]
Parameter
Description
id
Group ID in the Black/White list (0-31).
name
Sends clients to the SLB service group with the specified name on the ACOS device.
drop
Drops connections for IP addresses that are in the specified group.
reset
Resets connections for IP addresses that are in the specified group.
logging
Enables logging. The minutes option specifies how often messages can be generated. This option
reduces overhead caused by frequent recurring messages.
For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a
five-minute period, the ACOS device generates only a single message. The message indicates the
number of times the rule was applied since the last message. You can specify a logging interval from 0
to 60 minutes. To send a separate message for each event, set the interval to 0.
PBSLB rules that use the service-group name option also have a fail option for logging. This
option configures the ACOS device to generate log messages only when there is a failed attempt to
reach a service group. Messages are not generated for successful connections to the service group.
The fail option is disabled by default.
The fail option is not available for rules with the drop or reset option, since any time a drop or
reset rule affects traffic, this indicates a failure condition.
Logging is disabled by default. If you enable it, the default is 3 minutes.
Mode
SLB policy template
Example
Drop connections for clients matching Black/White list 3.
ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list id 3 drop
bw-list name
Description
Binds the specified Black/White list to the virtual ports that use this template.
Syntax
[no] bw-list name name
Parameter
Description
name
Black/White list file name.
Mode
SLB policy template
Example
Bind the Black/White list “example-bw-list” to virtual ports using this template.
ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list name example-bw-list
bw-list over-limit
Description
Specifies the action to take for traffic that is over the limit.
Syntax
[no] bw-list over-limit {lockup lock-min | logging log-min | reset}
Parameter
Description
lock-min
Do not accept any new connections for the specified number of minutes
(1-127).
log-min
Generates a log message when traffic goes over the limit. This option
specifies the log interval and can be 1-255 minutes.
reset
Resets new connections until the number of concurrent connections on
the virtual port falls below the connection limit.
Default
Drop
Mode
SLB policy template
Usage
The over-limit rule in a system-wide PBSLB policy includes an optional lockup period. If the
lockup period is configured, the ACOS device continues to enforce the over-limit action for
the duration of the lockup.
For example, if the over-limit action is drop, and a client exceeds the connection limit that is
specified in the Black/White list, the ACOS device continues to drop all connection attempts
from the client until the lockup expires.
By default, the lockup option is disabled. To enable it, you must specify a lockup period of 1-127 minutes.
The dynamic Black/White-list entry for a client does not age while the client is locked up.
After the lockup ends, the timeout for the entry is reset to its full value and begins
decreasing.
Example
When traffic goes over the limit, do not accept any new connections for five minutes.
ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list over-limit lockup 5
bw-list timeout
Description
Number of minutes dynamic Black/White-list client entries can remain idle before aging out.
Syntax
[no] bw-list timeout num
Parameter
Description
num
Number of minutes (1-127).
Default
5 minutes
Mode
SLB policy template
Example
Configure the timeout to 7 minutes.
ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list timeout 7
bw-list use-destination-ip
Description
Matches Black/White list entries based on the client’s destination IP address, instead of
matching by client source address. Generally, this option is applicable when wildcard VIPs are
used.
Syntax
[no] bw-list use-destination-ip
Default
Disabled by default; the ACOS device matches by client source IP address.
Mode
SLB policy template
Example
Enable this feature.
ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list use-destination-ip
class-list
Description
Create a class-list or geo-location class-list within the template.
Syntax
[no] class-list name
Parameter
Description
name
Name of the class-list (1-63 characters).
This command places you in a sub-configuration mode, where the following additional
commands are available:
Command
Description
[no] client-ip
{l3-dest | l7-header [name]}
Specifies the IP address to use for matching entries in an IP class list.
l3-dest
Matches based on the destination IP address in packets from clients.
l7-header [name]
Matches based on the IP address in the specified header in requests from clients. If you do
not specify a header name, the X-Forwarded-For header is used.
Use l7-header only when the ACOS device sits behind a trusted proxy that sets or overwrites
that header. Any client can supply its own X-Forwarded-For value, so a header read from an
untrusted client can be forged to evade a limit or to consume the limit of another address.
By default, the client’s IP address is used.
Adds a Limit ID (LID) entry to the class list, to specify traffic limits for client traffic.
[no] lid num
This command enters another configuration sub-mode, where the commands
described in “SLB Policy Template Class-List LID Configuration Commands” on
page 140 are available.
Mode
SLB policy template
Usage
The class-list request-limit and request-rate-limit options apply only to HTTP, fastHTTP, and HTTPS virtual ports.
These options, when configured in a policy template, are applicable only in policy templates
that are bound to virtual ports. These options are not applicable in policy templates bound
to virtual servers (rather than individual ports).
The over-limit-action log option, when used with request-limit or request-rate-limit, always lists Ethernet port 1 as the interface.
forward-policy
Description
Configure a forward policy in an SLB policy template to specify permitted traffic destinations
and sources along with the actions to apply. A forward policy is a required component when
configuring an explicit HTTP proxy.
Syntax
[no] forward-policy
This command changes the CLI to forward-policy configuration mode, where the
commands in Table 2 are available:
TABLE 2
Commands in the forward-policy Configuration Mode
Command
Description
action action-name
Command in forward-policy configuration mode that specifies what to do with requests. This
command places you in a sub-configuration mode, where the commands in Table 3 are available.
no-client-conn-reuse
Command in forward-policy configuration mode that dictates that the HTTP/HTTPS client will
not send multiple requests to different destinations over the same TCP connection between
the client and the ACOS device. This command has no sub-commands or command options.
NOTE: In the case of transparent proxy with SSL or SSLi, the no-client-conn-reuse command is not supported.
source source-name
Command in forward-policy configuration mode to specify match rules for traffic sources and
destination rules to define what destinations clients are allowed to access. Multiple source
rules may be defined, but only a single source rule of match-any may be defined. This
command places you in a sub-configuration mode, where the commands in Table 4 are available.
ssli-url-filtering {bypassed-sni-disable | intercepted-sni-enable | intercepted-http-disable | no-sni-allow}
Command in forward-policy configuration mode to change default actions related to the ACOS
device being used as a transparent proxy in SSLi. The following options are available for
this command at this level:
• bypassed-sni-disable
By default, an SNI extension inspection is done on bypassed transparent proxy SSLi traffic.
Use this parameter to disable SNI inspection on bypassed traffic.
• intercepted-sni-enable
By default, intercepted traffic is inspected only at the HTTP header level. Use this
parameter to enable SNI matching for intercepted transparent proxy SSLi traffic.
• intercepted-http-disable
By default, intercepted transparent proxy SSLi traffic has the HTTP header inspected. Use
this parameter to disable HTTP header inspection for intercepted transparent proxy SSLi
traffic.
• no-sni-allow
By default, if SNI filtering is enabled for bypassed or intercepted connections, and an SNI
extension is not present, the packet is dropped. Use this parameter to allow requests to be
forwarded if no SNI extension is found for transparent proxy SSLi traffic. Because the client
controls whether it sends SNI, enabling this option lets a client that deliberately omits
SNI evade SNI-based filtering on bypassed traffic.
TABLE 3
Sub-Commands in the forward-policy action Configuration Mode
Command
Description
[no] drop
Sub-command in forward-policy-action configuration mode to drop traffic.
[no] forward-to-internet fwd-sg [snat snat-pool-name] [fallback fallback-sg [snat fb-snat-pool-name] | proxy-chaining]
Sub-command in forward-policy-action configuration mode to specify the service-group name to
send internet traffic to. The following options are available in this command:
• snat snat-pool-name
Applies a configured source NAT pool.
• fallback fallback-sg
Specifies a service-group to send requests to for approved destinations that the ACOS
device cannot resolve.
• snat fb-snat-pool-name
Applies a configured source NAT pool to fallback requests.
• proxy-chaining
Chains the ACOS device to an upstream proxy server when the ACOS device acts as a
transparent proxy.
[no] forward-to-service-group fwd-sg [snat snat-pool-name | proxy-chaining]
Sub-command in forward-policy-action configuration mode to specify the service-group to send
service-group traffic to. The following options are available in this command:
• snat snat-pool-name
Applies a configured source NAT pool.
• proxy-chaining
Chains the ACOS device to an upstream proxy server when the ACOS device acts as an
explicit proxy.
[no] log
Sub-command in forward-policy-action configuration mode to log the actions taken.
[no] drop-message text
Sub-command in forward-policy-action configuration mode. Following the drop command,
specify a message to return to the client. A default “Access to this site is blocked by
administrator” message appears if nothing is specified.
NOTE:
• The drop-message and drop-redirect-url commands are mutually exclusive actions. If both
are entered, the more recent command overwrites the prior one.
• The drop-message command is not supported with SNI filtering.
[no] drop-redirect-url url [http-status-code http-status-code]
Sub-command in forward-policy-action configuration mode. Following a drop command, specify
a URL to redirect the client to after its request is dropped. The http-status-code default
is 302 Found.
NOTE:
• The drop-message and drop-redirect-url commands are mutually exclusive actions. If both
are entered, the more recent command overwrites the prior one.
• The drop-redirect-url command is not supported with SNI filtering.
[no] sampling-enable {all | hits}
Sub-command in forward-policy-action configuration mode. Specify sampling-enable to enable
baselining for all requests or for requests that match the destination rule.
no-client-conn-reuse
Command in forward-policy configuration mode that dictates that the HTTP/HTTPS client will
not send multiple requests to different destinations over the same TCP connection between
the client and the ACOS device. This command has no sub-commands or command options.
NOTE: In the case of transparent proxy with SSL or SSLi, the no-client-conn-reuse command
is not supported.
TABLE 4
Sub-Commands in the forward-policy source Configuration Mode
Command
Description
[no] destination any {action action-name | sampling-enable {all | hits}}
Sub-command in forward-policy-source configuration mode to specify the destination rule to
default to for requests. The following options are available in this command:
• action action-name
Specify the action to take for requests that match no other destination rule.
• sampling-enable {all | hits}
Specify sampling-enable to enable baselining for all requests or for requests that match
the destination rule.
[no] destination {class-list class-list-name | web-category-list web-category-list-name} {action action-name} {host | url} {priority priority-num} [sampling-enable {all | hits}]
Sub-command in forward-policy-source configuration mode to specify the destination to send
internet traffic to, based on either a class-list or a web-category-list. The following
options are available in this command:
• class-list class-list-name
Specify the class-list of allowed destinations to apply your action to.
• web-category-list web-category-list-name
Specify the web-category-list to apply your action to.
• action action-name
Specify the action to take for the previously defined class-list or web-category-list.
• host | url
Define whether the match is made on the HTTP Host header or on the URL.
• priority priority-num
Define the priority by providing a number for priority-num. The number determines which
rule is used when multiple rules match.
• sampling-enable {all | hits}
Specify sampling-enable to enable baselining for all requests or for requests that match
the destination rule.
[no] match-any
Sub-command in forward-policy-source configuration mode to match any client. Use it for the
catch-all source rule that applies when a request matches none of the class-lists of the
other source rules. Only one match-any source rule may be defined.
[no] match-class-list class-list [or match-class-list class-list]
Sub-command in forward-policy-source configuration mode for specifying the IPv4 or IPv6
class-list name to use with the matching source rule. Two class-lists may be combined in one
source rule with the Boolean or operator.
• class-list
Specify one or two class-lists to match the source rule.
[no] sampling-enable {all | destination-match-not-found | hits | no-host-info}...
Sub-command in forward-policy-source configuration mode to specify baselining. The
following options are available in this command at this level:
• all
Gather the number of all requests.
• hits
Gather the number of requests that match the defined source rule.
• destination-match-not-found
Gather the number of requests with no matching destination rule.
• no-host-info
Gather the number of requests that failed to parse IP or host information.
Mode
SLB policy template
Usage
The forward-policy action command defines actions that can be taken, and is normally used in
conjunction with forward-policy source rules, which link destination rules and matching rules
for an SLB policy template.
In the syntax above, fwd-sg is a placeholder for the name of the service group to forward to.
Example
Configure the action Default_Deny to drop packets:
ACOS(config)#slb template policy p1
ACOS(config-policy)#forward-policy
ACOS(config-policy-forward-policy)#action Default_Deny
ACOS(config-policy-forward-policy-action)#drop
Example
Configure the source Any_Source to apply the Default_Deny action to any request that is not
matched by a class-list or web-category-list destination rule:
ACOS(config-policy-forward-policy)#source Any_Source
ACOS(config-policy-forward-policy-source)#match-any
ACOS(config-policy-forward-policy-source)#destination any action
Default_Deny
Example
Configure the source s1 to match client IPs from class-list Src-List, and link the destinations
in class-list dest to the rules of the a1 action, using a URL match with a priority of 10:
ACOS(config)#slb template policy p1
ACOS(config-policy)#forward-policy
ACOS(config-policy-forward-policy)#source s1
ACOS(config-policy-forward-policy-source)#match-class-list Src-List
ACOS(config-policy-forward-policy-source)#destination class-list
dest action a1 url priority 10
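The following Python model is an added illustration, not part of the original reference and not A10 code. It applies the forward-policy objects described above to a request: named actions, source rules matched by IP class-list or match-any, destination rules matched by host or url with a priority, and destination any as the per-source default. The class-list contents (Src-List as 10.0.0.0/8, dest as .example.com, plus a second url rule for www.example.com/admin), the rule that a larger priority number wins, evaluating match-any sources after specific ones, and fall-through when a source has neither a matching destination rule nor a destination any are assumptions of this model; the page does not state them.

```python
"""Model of forward-policy evaluation (added example; not ACOS code)."""
import ipaddress
from urllib.parse import urlsplit


class ForwardPolicy:
    def __init__(self):
        self.actions = {}   # name -> (kind, target): drop / forward-to-internet / forward-to-service-group
        self.sources = []   # configuration order; match-any sources are evaluated last (assumption)

    def add_action(self, name, kind, target=None):
        assert kind in ("drop", "forward-to-internet", "forward-to-service-group")
        self.actions[name] = (kind, target)

    def add_source(self, name, class_lists=(), match_any=False):
        """'source <name>' with 'match-class-list' entries (each class-list is a list of CIDRs)."""
        nets = [ipaddress.ip_network(n) for cl in class_lists for n in cl]
        src = {"name": name, "nets": nets, "match_any": match_any, "rules": [], "default": None}
        self.sources.append(src)
        return src

    def add_destination(self, src, entries, action, mode, priority):
        """'destination class-list <list> action <a> {host|url} priority <n>'."""
        assert mode in ("host", "url") and action in self.actions
        src["rules"].append({"entries": entries, "action": action, "mode": mode, "priority": priority})

    def set_default(self, src, action):
        """'destination any action <a>': used when no destination rule of this source matches."""
        src["default"] = action

    @staticmethod
    def _dest_hit(entry, mode, host, hostpath):
        if mode == "host":                       # entry is a host name or a '.suffix'
            suffix = entry if entry.startswith(".") else "." + entry
            return host == entry.lstrip(".") or host.endswith(suffix)
        return hostpath.startswith(entry)        # url mode: prefix of host + path

    def evaluate(self, client_ip, url):
        """Return (source, action, kind, target), or None when no source decides the request."""
        addr = ipaddress.ip_address(client_ip)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        hostpath = host + (parts.path or "/")
        for src in sorted(self.sources, key=lambda s: s["match_any"]):   # stable: specific first
            if not (src["match_any"] or any(addr in n for n in src["nets"])):
                continue
            hits = [r for r in src["rules"]
                    if any(self._dest_hit(e, r["mode"], host, hostpath) for e in r["entries"])]
            # assumption: the larger priority number wins when several destination rules match
            chosen = max(hits, key=lambda r: r["priority"])["action"] if hits else src["default"]
            if chosen is not None:
                kind, target = self.actions[chosen]
                return src["name"], chosen, kind, target
        return None


def build_page_policy():
    """The page's Default_Deny / Any_Source / s1 example with constructed class-list contents."""
    p = ForwardPolicy()
    p.add_action("Default_Deny", "drop")
    p.add_action("a1", "forward-to-internet", "fwd-sg")
    s1 = p.add_source("s1", class_lists=[["10.0.0.0/8"]])               # Src-List (constructed)
    p.add_destination(s1, [".example.com"], "a1", "host", 10)           # dest (constructed)
    p.add_destination(s1, ["www.example.com/admin"], "Default_Deny", "url", 20)
    p.set_default(s1, "Default_Deny")
    p.set_default(p.add_source("Any_Source", match_any=True), "Default_Deny")
    return p


if __name__ == "__main__":
    policy = build_page_policy()
    for ip, url in [("10.1.2.3", "http://www.example.com/"),
                    ("10.1.2.3", "http://www.example.com/admin/users"),
                    ("10.1.2.3", "http://evil.test/"),
                    ("192.168.1.1", "http://www.example.com/")]:
        print(ip, url, "->", policy.evaluate(ip, url))
```

What the model makes visible is that the match-any source and its destination any action are what turn the policy into default-deny: without them, a client outside Src-List, or a request that matches no destination rule, falls through, and this page does not state how the device treats such a request.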
geo-location full-domain-tree
Description
Checks the current connection count not only for the client’s specific geo-location, but for
all geo-locations higher up in the domain tree.
It is recommended to enable or disable this option before enabling GSLB. Changing the
state of this option while GSLB is running can cause the related statistics counters to be
incorrect.
Syntax
[no] geo-location full-domain-tree
Default
Disabled by default; when a client requests a connection, the ACOS device checks the connection count only for the specific geo-location level of the client. If the connection limit for
that specific geo-location level has not been reached, the client’s connection is permitted.
Mode
SLB policy template
Example
Enable this feature.
ACOS(config)#slb template policy p1
ACOS(config-policy)#geo-location full-domain-tree
geo-location overlap
Description
Enables overlap matching mode. If there are overlapping addresses in the Black/White list or
class list, use this option to enable the ACOS device to find the most precise match.
Syntax
[no] geo-location overlap
Default
Disabled
Mode
SLB policy template
Example
Enable this feature.
ACOS(config)#slb template policy p1
ACOS(config-policy)#geo-location overlap
geo-location share
Description
Enables sharing of PBSLB statistics counters for all virtual servers and virtual ports that use
the template. This option causes the following counters to be shared:
• Permit
• Deny
• Connection number
• Connection limit
It is recommended to enable or disable this option before enabling GSLB. Changing the state
of this option while GSLB is running can cause the related statistics counters to be incorrect.
Syntax
[no] geo-location share
Default
Disabled
Mode
SLB policy template
Example
Enable this feature.
ACOS(config)# slb template policy p1
ACOS(config-policy)# geo-location share
SLB Policy Template Class-List LID Configuration
Commands
This section describes the commands available at the SLB policy template class-list LID configuration level. Below is an example of how to access this level:
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)#
The following commands are available:
• bw-rate-limit
• conn-limit
• conn-rate-limit
• over-limit-action
• request-limit
• request-rate-limit
• response-code-rate-limit
bw-rate-limit
Description
Configure the bandwidth rate limit for clients that match this LID.
Syntax
[no] bw-rate-limit num-bytes per num-100ms
Parameter
Description
num-bytes
Rate limit in bytes (1-2147483647).
num-100ms
Rate interval in number of 100ms increments (1-65535).
Mode
SLB policy template class-list LID
Example
This example configures a bandwidth rate limit of 1,024,000 bytes per second (10 100ms
intervals):
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# bw-rate-limit 1024000 per 10
conn-limit
Description
Specifies the maximum number of concurrent connections allowed for a client.
Syntax
[no] conn-limit num
Parameter
Description
num
Maximum number of concurrent connections allowed (0-1048575).
Connection limit 0 immediately locks down matching clients.
Mode
SLB policy template class-list LID
Example
This example configures a connection limit of 10000 concurrent connections.
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# conn-limit 10000
conn-rate-limit
Description
Specifies the maximum number of new connections allowed for a client within the specified
limit period.
Syntax
[no] conn-rate-limit num-conn per num-100ms
Parameter
Description
num-conn
Maximum number of new connections allowed (1-2147483647).
num-100ms
Interval in number of 100ms increments (1-65535).
Mode
SLB policy template class-list LID
Example
This example configures 1,000,000 new connections allowed per second (10 100ms intervals):
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# conn-rate-limit 1000000 per 10
over-limit-action
Description
Specifies the action to take when a client exceeds one or more of the limits. The command
also configures lockout and enables logging.
Syntax
[no] over-limit-action [forward | reset] [lockout minutes]
[log minutes]
Parameter
Description
drop
The ACOS device drops that traffic. If logging is enabled, the ACOS device
also generates a log message.
NOTE: There is no drop keyword; this is the default action.
forward
The ACOS device forwards the traffic. If logging is enabled, the ACOS
device also generates a log message.
reset
For TCP, the ACOS device sends a TCP RST to the client. If logging is
enabled, the ACOS device also generates a log message.
lockout
Specifies the number of minutes during which to apply the over-limit
action after the client exceeds a limit. The lockout period is activated
when a client exceeds any limit. The lockout period can be 1-1023 minutes.
log
Generates log messages when clients exceed a limit. When you enable
logging, a separate message is generated for each over-limit occurrence,
by default. You can specify a logging period, in which case the ACOS
device holds onto the repeated messages for the specified period, then
sends one message at the end of the period for all instances that
occurred within the period. The logging period can be 0-255 minutes.
The default is 0 (no wait period)
Mode
SLB policy template class-list LID
Example
Keep the default drop action and fold repeated over-limit events into one log message per minute:
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# over-limit-action log 1
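The following Python model is an added example, not part of the original reference and not ACOS code. It reproduces the per-client limit semantics described for the class-list LID commands (conn-limit, conn-rate-limit counted in 100-ms intervals, over-limit-action with its lockout and log period) and the aggregated logging interval described under bw-list id, so that an operator can reason about what a given configuration will do before applying it. Client addresses and timestamps are constructed; how the device counts forwarded over-limit traffic is an assumption noted in the code.

```python
"""Model of the limits a class-list LID enforces per client (added example, not ACOS code).

Follows the page's descriptions of conn-limit, conn-rate-limit (counted in 100 ms
intervals), over-limit-action with its lockout period, and the log period that folds
repeated over-limit events into one message. Timestamps are injected so it runs
deterministically offline; counting forwarded over-limit traffic like a permitted
connection is an assumption, not documented device behaviour."""
from collections import defaultdict, deque


class LidEnforcer:
    def __init__(self, conn_limit=None, conn_rate=None, action="drop",
                 lockout_min=0, log_period_min=None):
        assert action in ("drop", "forward", "reset")
        self.conn_limit = conn_limit        # concurrent connections; 0 locks the client out at once
        self.conn_rate = conn_rate          # (num_conn, num_100ms) as in 'conn-rate-limit N per M'
        self.action = action                # drop is the default action and has no keyword
        self.lockout = lockout_min * 60     # 'lockout minutes', 0 = disabled
        self.log_period = None if log_period_min is None else log_period_min * 60
        self.active = defaultdict(int)      # client -> concurrent connections
        self.recent = defaultdict(deque)    # client -> start times of recent connections
        self.locked_until = {}              # client -> time the lockout expires
        self.pending = {}                   # client -> [period_start, held_event_count]
        self.log = []                       # emitted (time, client, count) messages

    def _limit_hit(self, client, now):
        if self.conn_limit is not None and self.active[client] >= self.conn_limit:
            return True
        if self.conn_rate is not None:
            num, intervals = self.conn_rate
            q = self.recent[client]
            while q and now - q[0] >= intervals * 0.1:   # slide the window
                q.popleft()
            if len(q) >= num:
                return True
        return False

    def _record(self, client, now):
        if self.log_period is None:         # 'log' not configured: silent
            return
        if self.log_period == 0:            # 'log 0': one message per event
            self.log.append((now, client, 1))
            return
        self.pending.setdefault(client, [now, 0])[1] += 1

    def flush(self, now):
        """Emit one message per client whose log period has ended, carrying the event count."""
        for client, (start, count) in list(self.pending.items()):
            if now - start >= self.log_period:
                self.log.append((start + self.log_period, client, count))
                del self.pending[client]

    def new_connection(self, client, now):
        """Decide a new connection at time 'now': 'permit', 'drop', 'forward' or 'reset'."""
        self.flush(now)
        locked = self.locked_until.get(client, 0) > now
        if locked or self._limit_hit(client, now):
            if not locked and self.lockout:
                self.locked_until[client] = now + self.lockout
            self._record(client, now)
            if self.action == "forward":    # assumption: forwarded traffic still counts
                self.active[client] += 1
                self.recent[client].append(now)
            return self.action
        self.active[client] += 1
        self.recent[client].append(now)
        return "permit"

    def close_connection(self, client):
        if self.active[client] > 0:
            self.active[client] -= 1


def demo():
    """'conn-rate-limit 3 per 10' with 'over-limit-action reset lockout 1 log 0'."""
    e = LidEnforcer(conn_rate=(3, 10), action="reset", lockout_min=1, log_period_min=0)
    verdicts = [e.new_connection("198.51.100.7", t) for t in (0.0, 0.1, 0.2, 0.3, 5.0, 61.0)]
    return verdicts, len(e.log)


if __name__ == "__main__":
    print(demo())   # (['permit', 'permit', 'permit', 'reset', 'reset', 'permit'], 2)
```

The fourth connection in demo() trips the rate limit and starts the one-minute lockout, so the fifth is reset even though the rate window has long since emptied; only after the lockout expires at 60.3 s does the client get a permit again. Setting conn_limit=0 makes every new connection over limit, which is the "immediately locks down matching clients" behaviour the conn-limit description states.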
request-limit
Description
Specifies the maximum number of concurrent Layer 7 requests allowed for a client.
Syntax
[no] request-limit num
Parameter
Description
num
Number of concurrent Layer 7 requests (1-1048575).
Mode
SLB policy template class-list LID
request-rate-limit
Description
Specifies the maximum number of Layer 7 requests allowed for the client within the specified limit period.
Syntax
[no] request-rate-limit num-req per num-100ms
Parameter
Description
num-req
Maximum number of new requests allowed (1-4294967295).
num-100ms
Interval in number of 100ms increments (1-65535).
Mode
SLB policy template class-list LID
response-code-rate-limit
Description
Configure a limit for the number of times a specified range of server response codes is
received in a specified period of time.
NOTE:
This feature only works for SMTP virtual ports. See the example below.
Syntax
[no] response-code-rate-limit
start-code-range - end-code-range num per seconds
Parameter
Description
start-code-range
Start of the range of server response codes (100-600).
end-code-range
End range of server response codes (100-600).
num
Number of times there is a match on the specified response
code(s).
seconds
Time limit interval, in seconds.
Mode
SLB policy template class-list LID
Example
This example configures a policy template with a response code rate limit and then applies
the template to an SMTP virtual port. The response code rate limit will be exceeded when
there are:
• 2 matches every 20 seconds for response codes numbered 500-590
• 15 matches per 127 seconds for response codes numbered 300-390
If either limit is exceeded, the reset action is applied for 10 minutes and logged.
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# over-limit-action reset lockout 10 log
ACOS(config-policy-class-list:clist1-lid:1)# response-code-rate-limit 500 - 590 2 per 20
ACOS(config-policy-class-list:clist1-lid:1)# response-code-rate-limit 300 - 390 15 per 127
ACOS(config-policy-class-list:clist1-lid:1)# end
ACOS# configure
ACOS(config)# slb virtual-server VS_SMTP1
ACOS(config-slb vserver)# port 25 smtp
ACOS(config-slb vserver-vport)# template policy pol1
Config Commands: SLB Real Port Templates
This chapter describes the commands and subcommands for configuring SLB real port templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB Port Template Configuration Mode Commands
To apply a template to a real server port, use the template port command at the configuration level for that port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB real port templates:
• slb template port
slb template port
Description
Configure a template of SLB settings for service ports on real servers.
Syntax
[no] slb template port {default | template-name}
Parameter
Description
default
Edit the default port template. This template can be modified in
the same way as any custom template-name you specify.
template-name
Template name (1-31 characters)
This command enters the SLB Port Template Configuration Mode Commands for the
specified port template.
CAUTION:
Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.
Mode
Configuration mode
Usage
The normal form of this command creates a real port template. The no form of this command removes the template.
You can bind only one real port template to a real port. However, you can bind the same real
port template to multiple real ports.
Some of the parameters that can be set using a template can also be set or changed on the
individual port.
• If a parameter is set (or changed from its default) in both a template and on the individual port, the setting on the individual port takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or
changed from its default on the individual port, the setting in the template takes precedence.
Example
The following example configures a real port template named “common-rpsettings”, enables
slow-start in the template, and binds the template to a real port:
ACOS(config)# slb template port common-rpsettings
ACOS(config-rport)# slow-start from 256
ACOS(config-rport)# exit
ACOS(config)# slb server rs1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# template port common-rpsettings
SLB Port Template Configuration Mode Commands
The following SLB port template commands are available:
• conn-limit
• conn-rate-limit
• dest-nat
• down-grace-period
• dscp
• dynamic-member-priority
• extended-stats
• health-check
• health-check-disable
• inband-health-check
• no-ssl
• request-rate-limit
• slow-start
• source-nat
• stats-data-disable
• stats-data-enable
• weight
To access these commands at the SLB port template level, enter the slb template port command.
conn-limit
Description
Maximum number of connections allowed on the port using this template.
Syntax
[no] conn-limit max-num [resume resume-num] [no-logging]
Parameter
Description
max-num
Maximum number of concurrent connections (0-8000000).
resume-num
Maximum number of connections the port can have before the ACOS
device resumes use of the port (1-1048575).
no-logging
Disables logging for this feature.
Default
8000000 (8 million)
Mode
SLB port template
Usage
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port has no active
connections.
Example
Configure 7 million as the maximum number of connections, with no logging:
ACOS(config)#slb template port default
ACOS(config-rport)#conn-limit 7000000 no-logging
conn-rate-limit
Description
Limits the rate of new connections the ACOS device is allowed to send to ports that use this
template. When a port reaches its connection limit, the ACOS device stops selecting the port
for client requests.
Syntax
[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
Parameter
Description
connections
Maximum number of new connections allowed on a port. You can specify 1-1048575 connections.
per {100ms | 1sec}
Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).
no-logging
Disable logging when this feature is enabled.
Default
By default this is not set; when enabled, the default sampling rate is per 1sec.
Mode
SLB port template
Usage
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port has no active
connections.
Example
Configure 1 million as the maximum number of new connections per second, with no logging:
ACOS(config)#slb template port default
ACOS(config-rport)#conn-rate-limit 1000000 per 1sec no-logging
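The two limits above interact with port selection in different ways: conn-limit takes a port out of rotation at max-num and, with resume, keeps it out until the active count falls below resume-num, while conn-rate-limit only refuses new connections for the rest of the current window. The following model is an added example, not ACOS code; the fixed-window counting, the class names PortLimits and RealPort, and the log entries are assumptions of the example.

```python
"""Model of port selection under conn-limit (with its resume threshold) and
conn-rate-limit (per 100ms or per 1sec window) from an SLB port template.
Added illustration, not ACOS code: the device's exact bookkeeping may differ."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PortLimits:
    """conn-limit max-num [resume resume-num] [no-logging] and
    conn-rate-limit connections [per {100ms | 1sec}] [no-logging]."""
    conn_limit: int = 8_000_000          # conn-limit default: 8 million
    resume: Optional[int] = None         # resume resume-num (optional hysteresis point)
    rate_limit: Optional[int] = None     # conn-rate-limit connections (not set by default)
    rate_interval_ms: int = 1000         # per 1sec (default) or per 100ms
    no_logging: bool = False             # suppress the "port skipped" log entries


@dataclass
class RealPort:
    """Per-port state: active connections, whether conn-limit has taken the
    port out of rotation, and the new-connection count of the current window."""
    limits: PortLimits
    active: int = 0
    paused: bool = False
    window_start_ms: int = 0
    window_new_conns: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)

    def _roll_window(self, now_ms: int) -> None:
        # Fixed windows of rate_interval_ms; start a fresh count when one elapses.
        interval = self.limits.rate_interval_ms
        if now_ms - self.window_start_ms >= interval:
            self.window_start_ms = now_ms - (now_ms - self.window_start_ms) % interval
            self.window_new_conns = 0

    def _note(self, now_ms: int, reason: str) -> None:
        if not self.limits.no_logging:
            self.log.append((now_ms, reason))

    def selectable(self, now_ms: int) -> bool:
        """Would the device pick this port for a new client request right now?"""
        lim = self.limits
        if self.paused:
            # Stay out of rotation until the active count drops below resume-num
            # (or below conn-limit itself when no resume value is configured).
            threshold = lim.resume if lim.resume is not None else lim.conn_limit
            if self.active >= threshold:
                self._note(now_ms, "conn-limit: waiting for resume")
                return False
            self.paused = False
        if self.active >= lim.conn_limit:
            self.paused = True
            self._note(now_ms, "conn-limit reached")
            return False
        if lim.rate_limit is not None:
            self._roll_window(now_ms)
            if self.window_new_conns >= lim.rate_limit:
                self._note(now_ms, "conn-rate-limit reached")
                return False
        return True

    def open_conn(self, now_ms: int) -> bool:
        """Try to open a connection at now_ms; True if the port accepted it."""
        if not self.selectable(now_ms):
            return False
        self.active += 1
        self.window_new_conns += 1
        return True

    def close_conn(self) -> None:
        self.active = max(0, self.active - 1)


if __name__ == "__main__":
    # conn-limit 4 resume 2: the fifth connection is refused, and the port stays
    # out of rotation until the active count falls below 2.
    port = RealPort(PortLimits(conn_limit=4, resume=2))
    print([port.open_conn(0) for _ in range(5)])      # [True, True, True, True, False]
    port.close_conn()
    print(port.open_conn(0))                           # False (3 active, resume is 2)
    port.close_conn()
    port.close_conn()
    print(port.open_conn(0), port.log)                 # True, plus the two skip entries
    # conn-rate-limit 3 per 100ms: the fourth connection in a window is refused.
    fast = RealPort(PortLimits(rate_limit=3, rate_interval_ms=100))
    print([fast.open_conn(t) for t in (0, 10, 20, 50, 120)])   # [True, True, True, False, True]
```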
dest-nat
Description
Enables destination Network Address Translation (NAT) on ports that use this template.
Destination NAT is enabled by default, but is automatically disabled in Direct Server Return
(DSR) configurations. You can re-enable destination NAT on individual ports for deployment
of mixed DSR configurations, which use backup servers across Layer 3 (in different subnets).
Syntax
[no] dest-nat
Default
Disabled.
Mode
SLB port template
Example
Enable destination NAT on ports that use this template:
ACOS(config)#slb template port default
ACOS(config-rport)#dest-nat
down-grace-period
Description
Number of seconds the ACOS device will continue to forward packets to a port that is down.
This option is useful for taking servers down for maintenance without immediately impacting existing sessions on the servers. You can specify 1-86400 seconds.
NOTE:
The service group must contain 2 or more servers for this feature to work.
This feature supports stateless and stateful load balancing. However, the feature is
not supported for stateful hash load-balancing methods, such as source-IP-based
or destination-IP-based hashing.
Syntax
[no] down-grace-period num
Parameter
Description
num
Number of seconds (1-86400).
Mode
SLB port template
Example
Set the grace period to 3600 seconds.
ACOS(config)#slb template port default
ACOS(config-rport)#down-grace-period 3600
dscp
Description
Sets the differentiated services code point (DSCP) value in the IP header of a client request
before sending the request to ports that use this template.
Syntax
[no] dscp num
Parameter
Description
num
DSCP value (1-63).
Default
By default, DSCP is not set by the ACOS device.
Mode
SLB port template
Example
Set the DSCP value to 55.
ACOS(config)#slb template port default
ACOS(config-rport)#dscp 55
dynamic-member-priority
Description
Configure service-group priority settings for ports on dynamically created servers. When
configuring the service group, add the port template to the member.
Syntax
[no] dynamic-member-priority num decrement delta
Parameter
Description
num
Initial TTL for dynamically created service-group members (1-16).
The default is 16.
delta
Amount to decrement the TTL if the IP address is not included in the
DNS reply (0-7).
The default is 0.
Mode
SLB port template
Example
Set the initial TTL to 12 and decrement value to 1.
ACOS(config)#slb template port default
ACOS(config-rport)#dynamic-member-priority 12 decrement 1
extended-stats
Description
Enables collection of SLB peak connection statistics for the port.
Syntax
[no] extended-stats
Default
Disabled.
Mode
SLB port template
Example
Enable this feature:
ACOS(config)#slb template port default
ACOS(config-rport)#extended-stats
health-check
Description
Enables health monitoring of ports that use this template.
Syntax
[no] health-check name
Parameter
Description
name
Name of a configured health monitor.
Default
By default, health checking is disabled.
Mode
SLB port template
Usage
If you omit this command or enter it without the name option, the default TCP
or UDP health monitor is used:
• TCP—Every 30 seconds, the ACOS device sends a connection request (TCP SYN) to the
specified TCP port on the server. The port passes the health check if the server replies
to the ACOS device by sending a TCP SYN ACK.
• UDP—Every 30 seconds, the ACOS device sends a packet with a valid UDP header and
a garbage payload to the UDP port. The port passes the health check if the server either
does not reply, or replies with any type of packet except an ICMP Error message.
Example
Create health monitor “hm-dad”, then enable health monitoring for ports that use this template,
using “hm-dad” as the health monitor:
ACOS(config)#health monitor hm-dad
ACOS(config-health:monitor)#disable-after-down
ACOS(config-health:monitor)#exit
ACOS(config)#slb template port default
ACOS(config-rport)#health-check hm-dad
health-check-disable
Description
Disable health checking for the port.
Syntax
[no] health-check-disable
Default
By default, health checking is disabled.
Mode
SLB port template
Example
Disable health checking:
ACOS(config)#slb template port default
ACOS(config-rport)#health-check-disable
inband-health-check
Description
Supplements the standard Layer 4 health checks by using client-server traffic to check the
health of service ports.
Syntax
[no] inband-health-check [down-timer seconds] [resel-on-reset]
[retry max-retries] [reassign max-reassigns]
Parameter
Description
seconds
Amount of time in seconds to bring up the server or port that is marked down (0-255).
The default is 0; the server or port is never brought up.
resel-on-reset
When the ACOS device receives a reset from the server, it also re-selects the server and port.
This is disabled by default.
max-retries
Each client-server session has its own retry counter. The ACOS device increments a session’s retry
counter each time a SYN ACK is late. If the retry counter exceeds the configured maximum number of retries allowed, the ACOS device sends the next SYN for the session to a different server. The
ACOS device also resets the retry counter to 0. You can set the retry counter to 0-7 retries.
The default number of retries is 2.
max-reassigns
Each real port has its own reassign counter. Each time the retry counter for any session is
exceeded, the ACOS device increments the reassign counter for the server port. If the reassign
counter exceeds the configured maximum number of reassignments allowed, the ACOS device
marks the port down.
In this case, the port remains down until the next time the port successfully passes a standard
health check. Once the port passes a standard health check, the ACOS device starts using the port
again and resets the reassign counter to 0. You can set the reassign counter to 0-255 reassignments.
The default is 25 reassignments.
Default
Disabled.
Mode
SLB port template
Usage
It is recommended that you continue to use standard Layer 4 health monitoring even if you
enable in-band health monitoring. Without standard health monitoring, a server port
marked down by an in-band health check remains down.
Example
Enable inband health checking.
ACOS(config)#slb template port default
ACOS(config-rport)#inband-health-check down-timer 5 resel-on-reset
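The retry and reassign counters described under max-retries and max-reassigns, together with down-timer, resel-on-reset and the standard health check that clears the reassign counter, as an added simulation (not ACOS code). The class names are the example's own; whether down-timer also clears the reassign counter is not documented above and is assumed here.

```python
"""Simulation of the in-band health check counters: a retry counter per
client-server session, a reassign counter per real port, and the ways a port
marked down comes back (down-timer or a standard health check).
Added illustration, not ACOS code."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class InbandConfig:
    """inband-health-check [down-timer seconds] [resel-on-reset]
    [retry max-retries] [reassign max-reassigns]"""
    down_timer: int = 0            # 0: a port marked down is never brought up by the timer
    resel_on_reset: bool = False
    max_retries: int = 2
    max_reassigns: int = 25


@dataclass
class PortState:
    up: bool = True
    reassigns: int = 0
    down_since: Optional[float] = None
    session_retries: Dict[str, int] = field(default_factory=dict)


class InbandMonitor:
    def __init__(self, cfg: InbandConfig) -> None:
        self.cfg = cfg
        self.ports: Dict[str, PortState] = {}

    def _port(self, port_id: str) -> PortState:
        return self.ports.setdefault(port_id, PortState())

    def syn_ack_late(self, port_id: str, session_id: str, now: float) -> str:
        """A SYN ACK for this session is late. Returns 'retry' (send the SYN to
        the same server again) or 'reselect' (next SYN goes to another server)."""
        port = self._port(port_id)
        retries = port.session_retries.get(session_id, 0) + 1
        if retries <= self.cfg.max_retries:
            port.session_retries[session_id] = retries
            return "retry"
        # Retry counter exceeded: reset it and charge one reassignment to the port.
        port.session_retries[session_id] = 0
        self._reassign(port, now)
        return "reselect"

    def server_reset(self) -> str:
        """The server answered with a TCP RST; only resel-on-reset re-selects."""
        return "reselect" if self.cfg.resel_on_reset else "none"

    def _reassign(self, port: PortState, now: float) -> None:
        port.reassigns += 1
        if port.reassigns > self.cfg.max_reassigns and port.up:
            port.up = False          # too many reassignments: mark the port down
            port.down_since = now

    def standard_health_check_passed(self, port_id: str) -> None:
        """A standard Layer 4 health check passing puts the port back in use
        and resets its reassign counter to 0."""
        port = self._port(port_id)
        port.up, port.reassigns, port.down_since = True, 0, None

    def is_up(self, port_id: str, now: float) -> bool:
        """Port status at time `now`, applying down-timer when it is non-zero."""
        port = self._port(port_id)
        if not port.up and self.cfg.down_timer and port.down_since is not None:
            if now - port.down_since >= self.cfg.down_timer:
                port.up, port.down_since = True, None
                port.reassigns = 0   # assumption: the timer also clears the counter
        return port.up


if __name__ == "__main__":
    # Small limits so the effect is visible: retry 2, reassign 1, down-timer 5.
    mon = InbandMonitor(InbandConfig(down_timer=5, max_retries=2, max_reassigns=1))
    print([mon.syn_ack_late("rs1:80", "s1", t) for t in (0, 1, 2)])   # retry, retry, reselect
    print([mon.syn_ack_late("rs1:80", "s2", t) for t in (3, 4, 5)])   # second reassignment
    print(mon.is_up("rs1:80", 5), mon.is_up("rs1:80", 10))           # False True
```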
no-ssl
Description
Disables SSL for server-side connections. This command is useful if a server-SSL template is
bound to the virtual port that uses this real port, and you want to disable encryption on this
real port.
Using the double-negative form of the command (no no-ssl) enables SSL for server-side
connections.
Syntax
[no] no-ssl
Default
Encryption is disabled by default, but it is enabled for server-side connections when the real
port is used by a virtual port that is bound to a server-SSL template.
Mode
SLB port template
Example
Disable SSL for server-side connections:
ACOS(config)#slb template port default
ACOS(config-rport)#no-ssl
request-rate-limit
Description
Limits the number of new requests that can be received by the port.
NOTE:
This command applies only to configurations that use an external-service template.
Syntax
[no] request-rate-limit num
[per {100ms | second}] [reset] [no-logging]
Parameter
Description
num
Maximum number of new connection requests allowed per the specified interval (1-1048575).
per
Interval for the rate:
• 100ms—Up to num new connection requests are allowed per one-tenth of a second (100 ms).
• second—Up to num new connection requests are allowed per second.
reset
Sends a RST to a client that sends a new request during an interval in
which the request rate has been exceeded. By default, requests that are
received after the limit is exceeded are dropped with no RST.
no-logging
Disable logging for this feature.
Mode
SLB port template
Example
Set the request rate limit to 500,000 per 100ms.
ACOS(config)#slb template port default
ACOS(config-rport)#request-rate-limit 500000 per 100ms
slow-start
Description
Provides time for real ports that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
Syntax
[no] slow-start
[from start-conn-limit]
[times scale-factor | add conn-increment | every interval]
[till end-conn-limit]
Parameter
Description
start-conn-limit
Maximum number of concurrent connections to allow on the service port after it first
comes up. You can specify from 1-4095 concurrent connections. The default is 128.
scale-factor
Number by which to multiply the starting connection limit. For example, if the scale factor
is 2 and the starting connection limit is 128, the ACOS device increases the connection
limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2.
conn-increment
Number of additional concurrent connections to allow. You can specify 1-4095 new connections.
interval
Number of seconds between each increase of the number of concurrent connections
allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent
connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60
seconds. The default is 10 seconds.
end-conn-limit
Maximum number of concurrent connections to allow during the final ramp-up interval.
After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096.
Mode
SLB port template
Example
Configure ramp-up for ports; 128 connections to start, increase every 15 seconds, until 4096
connections are reached.
ACOS(config)#slb template port default
ACOS(config-rport)#slow-start from 128 every 15 till 4096
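The ramp-up schedule that the from, times/add, every and till parameters produce, computed for the CLI example above (default scale factor 2, so 128, 256, ... 4096 at 15-second steps) and for an add-style ramp, as an added example that is not ACOS code. The class name SlowStart and the assumption that the limit steps at exact multiples of the interval are the example's own.

```python
"""Computes the connection-limit schedule produced by the slow-start command:
slow-start [from start] [times scale | add increment | every interval] [till end].
Added example, not ACOS code; it applies the ranges and defaults documented
above and assumes the limit changes at exact multiples of the interval."""
from typing import List, Optional, Tuple


class SlowStart:
    def __init__(self, start: int = 128, times: Optional[int] = None,
                 add: Optional[int] = None, every: int = 10, till: int = 4096) -> None:
        if times is not None and add is not None:
            raise ValueError("'times' and 'add' are alternatives")
        if times is None and add is None:
            times = 2                         # default scale factor
        if not (1 <= start <= 4095 and 1 <= till <= 65535 and 1 <= every <= 60):
            raise ValueError("from/till/every outside the documented range")
        if times is not None and not 2 <= times <= 10:
            raise ValueError("scale factor must be 2-10")
        if add is not None and not 1 <= add <= 4095:
            raise ValueError("conn-increment must be 1-4095")
        self.start, self.times, self.add = start, times, add
        self.every, self.till = every, till

    def schedule(self) -> List[Tuple[int, int]]:
        """[(seconds since the port came up, connection limit in force), ...]"""
        steps = [(0, min(self.start, self.till))]
        t, limit = 0, self.start
        while limit < self.till:
            t += self.every
            limit = limit * self.times if self.times is not None else limit + self.add
            steps.append((t, min(limit, self.till)))   # capped by end-conn-limit
        return steps

    def limit_at(self, seconds: int) -> Optional[int]:
        """Limit in force `seconds` after the port came up; None once the final
        ramp-up interval has ended and slow start no longer limits connections."""
        if seconds < 0:
            raise ValueError("seconds must be >= 0")
        steps = self.schedule()
        if seconds >= steps[-1][0] + self.every:
            return None
        return [lim for t, lim in steps if t <= seconds][-1]


if __name__ == "__main__":
    ramp = SlowStart(start=128, every=15, till=4096)   # the CLI example above
    for t, limit in ramp.schedule():
        print(f"t={t:>3}s  limit={limit}")
    print("slow start over at", ramp.schedule()[-1][0] + ramp.every, "s")   # 90
```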
source-nat
Description
Specifies the IP NAT pool to use for assigning source IP addresses to client traffic sent to ports
that use this template. When the ACOS device performs NAT for a port that is bound to the
template, the device selects an IP address from the pool.
Syntax
[no] source-nat name
Parameter
Description
name
Name of the configured NAT pool.
Mode
SLB port template
Example
Use “np1” as the source NAT pool.
ACOS(config)#slb template port default
ACOS(config-rport)#source-nat np1
stats-data-disable
Description
Disables statistical data collection for ports that use this template.
Syntax
[no] stats-data-disable
Default
Stats collection is enabled by default.
Mode
SLB port template
Example
Disable statistical data collection:
ACOS(config)#slb template port default
ACOS(config-rport)#stats-data-disable
stats-data-enable
Description
Enables statistical data collection for ports that use this template.
Syntax
[no] stats-data-enable
Default
Stats collection is enabled by default.
Mode
SLB port template
Example
Enable statistical data collection:
ACOS(config)#slb template port default
ACOS(config-rport)#stats-data-enable
weight
Description
Specifies the load-balancing preference for ports that use this template. A higher weight
gives more favor to the server and port relative to the other servers and ports.
This option applies only to the service-weighted-least-connection load-balancing
method. This option does not apply to the weighted-least-connection or weighted-round-robin load-balancing methods.
Syntax
[no] weight num
Parameter
Description
num
Weight (1-100).
Default
1
Mode
SLB port template
Example
Configure 3 as the weight.
ACOS(config)#slb template port default
ACOS(config-rport)#weight 3
Config Commands: SLB REQMOD ICAP Templates
This chapter describes the commands and subcommands for configuring SLB REQMOD ICAP templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB REQMOD ICAP Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB REQMOD ICAP templates:
• slb template reqmod-icap
slb template reqmod-icap
Description
Creates a template that you can apply to ACOS virtual servers to enable ICAP REQMOD message capability on the virtual server.
Syntax
[no] slb template reqmod-icap reqmod-template-name
This command changes the configuration mode to a new sub-level, where the commands
in SLB REQMOD ICAP Template Configuration Mode Commands are available.
Default
ACOS does not have a default SLB REQMOD ICAP template.
Mode
Global Configuration mode
Example
The following example creates a REQMOD ICAP template with the name REQMOD_abcd,
and then binds it to the HTTP vPort of a wildcard SLB virtual server.
ACOS(config)# slb server ICAP_server_1 10.1.260.11
ACOS(config-real server)# port 1344 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group SG_ICAP tcp
ACOS(config-slb svc group)# member ICAP_server_1 1344
ACOS(config-slb svc group-member:1344)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template reqmod-icap REQMOD_abcd
ACOS(config-reqmod-icap)# service-group SG_ICAP
ACOS(config-reqmod-icap)# service-url icap://abcd.com/reqmod_abcd
ACOS(config-reqmod-icap)# exit
ACOS(config)# slb virtual-server wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd
SLB REQMOD ICAP Template Configuration Mode Commands
The following SLB REQMOD ICAP template commands are available:
• allowed-http-methods
• fail-close
• include-protocol-in-uri
• min-payload-size
• preview
• service-group
• service-url
• template
To access these commands at the SLB REQMOD ICAP template level, enter the slb template reqmod-icap command.
allowed-http-methods
Description
List of allowed HTTP methods.
Syntax
[no] allowed-http-methods methods
The allowed methods that can be specified are GET, POST, HEAD, PUT, OPTIONS, TRACE,
DELETE, PURGE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK.
Default
If none are specified, the default is “allow all.”
Mode
SLB REQMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# allowed-http-methods GET
fail-close
Description
Mark the virtual port down when the template service group is down.
Syntax
[no] fail-close
Default
Not enabled.
Mode
SLB REQMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# fail-close
include-protocol-in-uri
Description
Include the protocol and port in the HTTP URI.
Syntax
[no] include-protocol-in-uri
Default
Not enabled.
Mode
SLB REQMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# include-protocol-in-uri
min-payload-size
Description
Set the minimum payload size.
Syntax
[no] min-payload-size num
Parameter
Description
num
Set the minimum payload size. You can specify 1-65536.
Default
4096
Mode
SLB REQMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# min-payload-size 8192
preview
Description
Allows the ICAP server to preview REQMOD messages.
If you do not configure a preview value, the ACOS device uses the preview value obtained
from the ICAP server.
Syntax
[no] preview num
Parameter
Description
num
The number of bytes the ACOS device forwards to the ICAP server at
the beginning of a transaction. This number applies only to the encapsulated body (the HTTP payload).
Default
32768
Mode
SLB REQMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# preview 8192
service-group
Description
Specify the names of the ICAP service groups.
Syntax
[no] service-group service-group-name
Parameter
Description
service-group-name
Name of a configured service-group.
Mode
SLB REQMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# service-group SSLi_SG1
service-url
Description
Specify the URLs of the ICAP servers.
Syntax
[no] service-url url
Parameter
Description
url
URL to send to the ICAP servers.
Mode
SLB REQMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# service-url icap://ExampleURL.com
template
Description
Apply an ACOS template to this ICAP template.
Syntax
[no] template type name
Parameter
Description
type
The following templates can be applied:
• logging—apply the specified logging template.
• persist source-ip—apply the specified source IP persistence
template.
• server-ssl—apply the specified server-SSL template.
• tcp-proxy—apply the specified TCP proxy template.
name
Name of the desired template.
Mode
SLB REQMOD ICAP template
Example
Apply a logging template:
ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# template logging SSLi_Logging_Template
Config Commands: SLB RESPMOD ICAP Templates
This chapter describes the commands and subcommands for configuring SLB RESPMOD ICAP templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB RESPMOD ICAP Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB RESPMOD ICAP templates:
• slb template respmod-icap
slb template respmod-icap
Description
Creates a template that you can apply to ACOS virtual servers to enable ICAP RESPMOD message capability on the virtual server.
Syntax
[no] slb template respmod-icap respmod-template-name
This command changes the configuration mode to a new sub-level, where the commands
in SLB RESPMOD ICAP Template Configuration Mode Commands are available.
Default
ACOS does not have a default SLB RESPMOD ICAP template.
Mode
Global Configuration mode
Example
The following example creates a RESPMOD ICAP template with the name RESPMOD_abcd,
and then binds it to the HTTP vPort of a wildcard SLB virtual server.
ACOS(config)# slb server ICAP_server_1 10.1.260.11
ACOS(config-real server)# port 1344 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group SG_ICAP tcp
ACOS(config-slb svc group)# member ICAP_server_1 1344
ACOS(config-slb svc group-member:1344)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template respmod-icap RESPMOD_abcd
ACOS(config-respmod-icap)# service-group SG_ICAP
ACOS(config-respmod-icap)# service-url icap://abcd.com/respmod_abcd
ACOS(config-respmod-icap)# exit
ACOS(config)# slb virtual-server wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd
SLB RESPMOD ICAP Template Configuration Mode Commands
The following SLB RESPMOD ICAP template commands are available:
• fail-close
• include-protocol-in-uri
• min-payload-size
• preview
• service-group
• service-url
• template
To access these commands at the SLB RESPMOD ICAP template level, enter the slb template respmod-icap command.
fail-close
Description
Mark the virtual port down when the template service group is down.
Syntax
[no] fail-close
Default
Not enabled.
Mode
SLB RESPMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# fail-close
include-protocol-in-uri
Description
Include the protocol and port in the HTTP URI.
Syntax
[no] include-protocol-in-uri
Default
Not enabled.
Mode
SLB RESPMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# include-protocol-in-uri
min-payload-size
Description
Set the minimum payload size.
Syntax
[no] min-payload-size num
Parameter
Description
num
Set the minimum payload size. You can specify 1-65536.
Default
4096
Mode
SLB RESPMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# min-payload-size 8192
preview
Description
Allows the ICAP server to preview RESPMOD messages.
If you do not configure a preview value, the ACOS device uses the preview value obtained
from the ICAP server.
Syntax
[no] preview num
Parameter
Description
num
The number of bytes the ACOS device forwards to the ICAP server at
the beginning of a transaction. This number applies only to the encapsulated body (the HTTP payload).
Default
32768
Mode
SLB RESPMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# preview 8192
service-group
Description
Specify the names of the ICAP service groups.
Syntax
[no] service-group service-group-name
Parameter
Description
service-group-name
Name of a configured service-group.
Mode
SLB RESPMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# service-group SSLi_SG1
service-url
Description
Specify the URLs of the ICAP servers.
Syntax
[no] service-url url
Parameter
Description
url
URL to send to the ICAP servers.
Mode
SLB RESPMOD ICAP template
Example
Example configuration:
ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# service-url icap://ExampleURL.com
template
Description
Apply an ACOS template to this ICAP template.
Syntax
[no] template type name
Parameter
Description
type
The following templates can be applied:
• logging—apply the specified logging template.
• persist source-ip—apply the specified source IP persistence
template.
• server-ssl—apply the specified server-SSL template.
• tcp-proxy—apply the specified TCP proxy template.
name
Name of the desired template.
Mode
SLB RESPMOD ICAP template
Example
Apply a logging template:
ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# template logging SSLi_Logging_Template
Config Commands: SLB Server Templates
This chapter describes the commands and subcommands for configuring SLB server templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB Server Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB Server templates:
• slb template server
slb template server
Syntax
[no] slb template server {default | template-name}
Parameter
Description
default
Edit the default real server template. This template can be modified in the same way as any custom template-name you specify.
template-name
Template name (1-31 characters)
This command enters SLB Server Template Configuration Mode for the specified real server
template, where the commands in SLB Server Template Configuration Mode Commands are available.
CAUTION:
Before changing a default template, make sure the changes you plan to make are
applicable to all real ports that use the template.
Mode
Configuration mode
Usage
The normal form of this command creates a real server template. The no form of this command removes the template.
You can bind only one real server template to a real server. However, you can bind the real
server template to multiple real servers.
Some of the parameters that can be set using a template can also be set or changed on the
individual server.
• If a parameter is set (or changed from its default) in both a template and on the individual server, the setting on the individual server takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or
changed from its default on the individual server, the setting in the template takes precedence.
Example
The following commands configure a real server template called “rs-tmplt1” and bind the
template to two real servers:
ACOS(config)# slb template server rs-tmplt1
ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
ACOS(config-rserver)# exit
ACOS(config)# slb server rs1 10.1.1.99
ACOS(config-real server)# template server rs-tmplt1
ACOS(config-real server)# exit
ACOS(config)# slb server rs2 10.1.1.100
ACOS(config-real server)# template server rs-tmplt1
Example
The following commands configure hostname server parameters in a server port template
and a server template:
ACOS(config)# slb template port temp-port
ACOS(config-rport)# dynamic-member-priority 12
ACOS(config-rport)# exit
ACOS(config)# slb template server temp-server
ACOS(config-rserver)# dns-query-interval 5
ACOS(config-rserver)# min-ttl-ratio 3
ACOS(config-rserver)# max-dynamic-server 16
ACOS(config-rserver)# exit
SLB Server Template Configuration Mode Commands
The following SLB server template commands are available:
• conn-limit
• conn-rate-limit
• dns-query-interval
• dynamic-server-prefix
• extended-stats
• health-check
• health-check-disable
• log-selection-failure
• max-dynamic-server
• min-ttl-ratio
• slow-start
• spoofing-cache
• stats-data-enable
• stats-data-disable
• weight
To access these commands at the SLB server template level, enter the slb template server command.
conn-limit
Description
Maximum number of connections allowed on real servers using this template.
Syntax
[no] conn-limit max-num [resume resume-num] [no-logging]
Parameter
Description
max-num
Maximum number of concurrent connections (0-8000000).
resume-num
Maximum number of connections the server can have before the
ACOS device resumes use of the server (1-1048575).
no-logging
Disables logging for this feature.
Default
8000000 (8 million)
Mode
SLB server template
Usage
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active
connections.
Example
Configure 7 million as the maximum number of connections, with no logging:
ACOS(config)#slb template server default
ACOS(config-rserver)#conn-limit 7000000 no-logging
conn-rate-limit
Description
Limits the rate of new connections the ACOS device is allowed to send to servers that use
this template. When a real server reaches its connection limit, the ACOS device stops selecting the server for client requests.
Syntax
[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
Parameter
Description
connections
Maximum number of new connections allowed on a server. You
can specify 1-1048575 connections.
per
{100ms | 1sec}
Specifies whether the connection rate limit applies to one-second
intervals or 100-ms intervals. The default is one-second intervals
(1sec).
no-logging
Disable logging when this feature is enabled.
Default
By default this is not set; when enabled, the default sampling rate is per 1sec.
Mode
SLB server template
Usage
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active
connections.
Example
Configure 1 million as the maximum number of new connections per second, with no logging:
ACOS(config)#slb template server default
ACOS(config-rserver)#conn-rate-limit 1000000 per 1sec no-logging
dns-query-interval
Description
Specifies how often the ACOS device sends DNS queries for the IP addresses of dynamic real
servers.
Syntax
[no] dns-query-interval minutes
Parameter
Description
minutes
DNS query interval in minutes (1-1440 minutes, or one day).
Default
10 minutes
Mode
SLB server template
Example
Configure 30 minutes as the DNS query interval:
ACOS(config)#slb template server default
ACOS(config-rserver)#dns-query-interval 30
dynamic-server-prefix
Description
Specifies the prefix added to the front of dynamically created servers.
Syntax
[no] dynamic-server-prefix string
Parameter
Description
string
Prefix string (1-3 characters).
Default
The default string is “DRS”
Mode
SLB server template
Example
Configure “MDS” as the server prefix string:
ACOS(config)#slb template server default
ACOS(config-rserver)#dynamic-server-prefix MDS
extended-stats
Description
Enables collection of peak connection statistics for a server.
Syntax
[no] extended-stats
Default
Disabled by default
Mode
SLB server template
Example
Enable the feature:
ACOS(config)# slb template server default
ACOS(config-rserver)# extended-stats
health-check
Description
Enables health monitoring of ports that use this template.
Syntax
[no] health-check [name]
Parameter
Description
name
Name of a configured health monitor.
Mode
SLB server template
Usage
If this command is not used, or is used without a specific monitor name, the default ICMP
health monitor is used; a ping is sent every 30 seconds. If the ping fails 2 times consecutively,
the ACOS device sets the server state to DOWN.
Example
Use the health monitor named “hm1”:
ACOS(config)# slb template server default
ACOS(config-rserver)# health-check hm1
health-check-disable
Description
Disables health monitoring of servers that use this template.
Syntax
[no] health-check-disable
Mode
SLB server template
Example
Disable server health monitoring:
ACOS(config)# slb template server default
ACOS(config-rserver)# health-check-disable
log-selection-failure
Description
Enables real-time logging for server-selection failures.
Syntax
[no] log-selection-failure
Default
Disabled by default.
Mode
SLB server template
Example
Enable the logging of server-selection failures:
ACOS(config)# slb template server default
ACOS(config-rserver)# log-selection-failure
max-dynamic-server
Description
Maximum number of dynamic real servers that can be created for a given hostname.
Syntax
[no] max-dynamic-server [num]
Parameter
Description
num
Maximum number of servers (1-1023).
Default
255
Mode
SLB server template
Example
Allow a maximum of 500 dynamic real servers to be created:
ACOS(config)# slb template server default
ACOS(config-rserver)# max-dynamic-server 500
min-ttl-ratio
Description
Minimum initial value for the TTL of dynamic real servers. The ACOS device multiplies this
value by the DNS query interval to calculate the minimum TTL value to assign to the dynamically created server.
Syntax
[no] min-ttl-ratio [num]
Parameter
Description
num
Initial value (1-15).
Default
2
Mode
SLB server template
Example
Configure a DNS query interval of 30 minutes and minimum initial value of 3; this will set the
TTL of dynamic real servers to 90:
ACOS(config)# slb template server default
ACOS(config-rserver)# dns-query-interval 30
ACOS(config-rserver)# min-ttl-ratio 3
slow-start
Description
Provides time for real ports that use the template to ramp up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
Syntax
[no] slow-start
[from starting-conn-limit]
[times scale-factor | add conn-incr]
[every interval]
[till ending-conn-limit]
Parameter
Description
starting-conn-limit
Maximum number of concurrent connections to allow on the server after it first comes up.
You can specify from 1-4095 concurrent connections.
The default is 128.
scale-factor
Number by which to multiply the starting connection limit. For example, if the scale factor
is 2 and the starting connection limit is 128, the ACOS device increases the connection limit
to 256 after the first ramp-up interval. The scale factor can be 2-10.
The default is 2.
conn-incr
As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow. You can specify 1-4095 new connections.
interval
Number of seconds between each increase of the number of concurrent connections
allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds.
The default is 10 seconds.
ending-conn-limit
Maximum number of concurrent connections to allow during the final ramp-up interval.
After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections.
The default is 4096.
Default
Slow-start is disabled by default.
Mode
SLB server template
Usage
If a normal runtime connection limit is also configured on the server (for example, by the
conn-limit command), and the normal connection limit is smaller than the slow-start ending
connection limit, the ACOS device limits slow-start connections to the maximum allowed by
the normal connection limit.
Example
Enable slow-start using the default values:
ACOS(config)# slb template server default
ACOS(config-rserver)# slow-start
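The ramp-up arithmetic described under slow-start, worked as an added Python model (not A10 code). It takes the keyword values from the Syntax table, uses the documented defaults, and applies the Usage rule that a smaller normal conn-limit caps every step, so a schedule can be checked before it is deployed.

```python
"""Added model of the ACOS slow-start ramp-up; not A10 code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SlowStart:
    """Mirrors the slow-start keywords; defaults are the documented ones."""
    start: int = 128            # from starting-conn-limit (1-4095)
    scale: Optional[int] = 2    # times scale-factor (2-10); None when 'add' is used
    incr: Optional[int] = None  # add conn-incr (1-4095); alternative to 'times'
    every: int = 10             # every interval, in seconds (1-60)
    till: int = 4096            # till ending-conn-limit (1-65535)

    def __post_init__(self) -> None:
        # Enforce the documented value ranges so a bad template is caught early.
        if not 1 <= self.start <= 4095:
            raise ValueError("starting-conn-limit must be 1-4095")
        if (self.scale is None) == (self.incr is None):
            raise ValueError("specify exactly one of 'times' or 'add'")
        if self.scale is not None and not 2 <= self.scale <= 10:
            raise ValueError("scale-factor must be 2-10")
        if self.incr is not None and not 1 <= self.incr <= 4095:
            raise ValueError("conn-incr must be 1-4095")
        if not 1 <= self.every <= 60:
            raise ValueError("interval must be 1-60 seconds")
        if not 1 <= self.till <= 65535:
            raise ValueError("ending-conn-limit must be 1-65535")


def ramp_schedule(cfg: SlowStart,
                  conn_limit: Optional[int] = None) -> List[Tuple[int, int]]:
    """Return (seconds_since_up, allowed_concurrent_connections) per interval.

    The last entry is the final ramp-up interval; after it slow-start no longer
    limits the server. If a normal conn-limit is configured and is smaller than
    the slow-start ending limit, every step is capped at that conn-limit.
    """
    cap = cfg.till if conn_limit is None else min(cfg.till, conn_limit)
    schedule: List[Tuple[int, int]] = []
    allowed = min(cfg.start, cap)
    t = 0
    while True:
        schedule.append((t, allowed))
        if allowed >= cap:
            return schedule
        # Grow either multiplicatively ('times') or additively ('add').
        nxt = allowed * cfg.scale if cfg.scale is not None else allowed + cfg.incr
        allowed = min(nxt, cap)
        t += cfg.every


if __name__ == "__main__":
    # Defaults: 128, 256, ... up to 4096 over six 10-second intervals.
    for t, n in ramp_schedule(SlowStart()):
        print(f"t={t:>3}s  allowed={n}")
    # With conn-limit 1000 the ramp stops at 1000 after the fourth interval.
    print(ramp_schedule(SlowStart(), conn_limit=1000))
```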
spoofing-cache
Description
Enables support for a spoofing cache server. A spoofing cache server uses the client’s IP
address instead of its own as the source address when obtaining content requested by the
client.
Syntax
[no] spoofing-cache
Default
Disabled.
Mode
SLB server template
Example
Enable this feature:
ACOS(config)# slb template server default
ACOS(config-rserver)# spoofing-cache
stats-data-enable
Description
Enable statistical data collection for servers that use this template.
Syntax
stats-data-enable
Default
Statistical data collection is enabled by default.
Mode
SLB server template
Example
Enable stats data collection:
ACOS(config)# slb template server default
ACOS(config-rserver)# stats-data-enable
stats-data-disable
Description
Disable statistical data collection for servers that use this template.
Syntax
stats-data-disable
Default
Statistical data collection is enabled by default.
Mode
SLB server template
Example
Disable stats data collection:
ACOS(config)# slb template server default
ACOS(config-rserver)# stats-data-disable
weight
Description
Assigns an administrative weight to the server, for weighted load balancing.
Syntax
[no] weight num
Parameter
Description
num
Administrative weight assigned to the server. You can specify 1-100.
Default
1
Mode
SLB server template
Example
Assign an administrative weight of 5:
ACOS(config)# slb template server default
ACOS(config-rserver)# weight 5
Config Commands: SLB Server SSL Templates
This chapter describes the commands and subcommands for configuring SLB Server SSL templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB Server-SSL Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB Server SSL templates:
• slb template server-ssl
slb template server-ssl
Description
Configure the ACOS device to validate real servers based on their certificates.
Syntax
[no] slb template server-ssl template-name
Parameter
Description
template-name
Template name (1-31 characters)
This command enters the SLB Server-SSL Template Configuration Mode for the specified
server-ssl template. See “SLB Server-SSL Template Configuration Mode Commands” on
page 182 for more information.
Default
The configuration does not have a default server-side SSL template.
Mode
Global Configuration mode
Usage
The normal form of this command creates a server-SSL configuration template.
The no form of this command removes the template.
You can bind only one server-SSL template to a virtual port. However, you can bind the same
server-SSL template to multiple ports.
SLB Server-SSL Template Configuration Mode Commands
The following SLB server-SSL template commands are available:
• ca-cert
• cert
• cipher
• close-notify
• crl
• dh-param
• ec-name
• enable-tls-alert-logging fatal
• forward-proxy-enable
• key
• ocsp-stapling
• renegotiation-enable
• server-certificate-error
• session-cache-size
• session-cache-timeout
• session-ticket-enable
• template cipher
• use-client-sni
• version
To access these commands at the SLB Server-SSL template level, enter the slb template server-ssl command.
ca-cert
Description
Specifies the name of a CA certificate. A server-SSL template can have multiple CA-signed
certificates.
You can add the CA certificates to the server-SSL template in either of the following ways:
• As separate files (one for each certificate)
• As a single file containing multiple certificates
Syntax
[no] ca-cert ca-cert-name [ocsp {ocsp-server-name | service-group
ocsp-service-group-name}]
Parameter
Description
ca-cert-name
Name of the CA certificate (1-255 characters)
ocsp-server-name
Name of the OCSP server (1-255 characters)
ocsp-service-group-name
Name of the OCSP service-group (1-255 characters)
Mode
SLB server-SSL template
Usage
Note: If validation of the ca-cert fails, the connection to the server is terminated.
Example
Specify “example.pem” as the name of the certificate:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# ca-cert example.pem
cert
Description
Specifies the name of the certificate to use for terminating or initiating an SSL connection.
The certificate must be installed on the ACOS device.
Syntax
[no] cert name
Parameter
Description
name
Name of the certificate (1-255 characters).
Mode
SLB server-SSL template
Example
Specify “example.pem” as the name of the certificate:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# cert example.pem
cipher
Description
Specifies the cipher suite to support for certificates from servers.
You can remove (or re-add) one cipher in the template with a single command. Enter
separate commands for each cipher to remove or re-add.
Syntax
[no] cipher name
Parameter
Description
name
Name of the cipher.
See Table on page 53 for a list of supported ciphers, or enter cipher
? from the command line.
Mode
SLB server-SSL template
Example
Specify “SSL3_RSA_RC4_128_SHA” as the cipher:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# cipher SSL3_RSA_RC4_128_SHA
close-notify
Description
Enables support for close notification (close_notify) alerts. When this option is enabled, the
ACOS device sends a close_notify message when an SSL transaction ends, before sending a
FIN. This behavior is required by certain types of applications, including PHP CGI.
NOTE:
The close notification option may not work if connection reuse is also configured on the same virtual
port. In this case, when the server sends a FIN to the ACOS device, the ACOS device will not
send a FIN followed by a close notification. Instead, the ACOS device will send a RST.
This command cannot be used along with the TCP-proxy template force-delete-timeout option. Doing so may cause unexpected behavior.
Syntax
[no] close-notify
Default
Not enabled.
Mode
SLB server-SSL template
Example
Enable this feature:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# close-notify
crl
Description
Specifies the names of the Certificate Revocation Lists (CRLs) to use for verifying whether
server certificates have been revoked. The CRLs must be installed on the ACOS device first
(see the import command for more details). The CA certificate relevant to the CRL must
also be specified.
When you add a CRL to a server-SSL template, the ACOS device checks the CRL to confirm
whether or not the servers’ certificates have been revoked by the issuing Certificate
Authority (CA).
If you plan to use a CRL, you must set the client-certificate mode to require. The
CRL should be signed by the same issuer as the CA certificate. Otherwise, the client and
ACOS device will not be able to establish a connection.
Syntax
[no] crl filename
Default
This command has no default.
Mode
SLB server-SSL template
Example
The following example shows how to add CRL and CA certificates to a server-SSL template
named SSL-Svr, along with the import of CA certificates:
ACOS(config)#slb template server-ssl SSL-Svr
ACOS(config-server ssl)#crl 10_ca.crt_crl.pem
ACOS(config-server ssl)#crl 20_ca.crt_crl.pem
ACOS(config-server ssl)#crl root-ca.pem.crl.pem
ACOS(config-server ssl)#ca-cert 10_ca_crt
ACOS(config-server ssl)#ca-cert 20_ca.crt
ACOS(config-server ssl)#ca-cert root-ca.pem
dh-param
Description
Enable Diffie-Hellman key exchange and set its parameters.
Syntax
[no] dh-param {1024 | 1024-dsa | 2048 | 512}
Parameter
Description
1024
Use 1024 bit keys
1024-dsa
Use 1024 bit DSA keys
2048
Use 2048 bit keys
512
Use 512 bit keys
Default
Not enabled.
Mode
SLB server-SSL template
Example
Enable this feature for 1024 bit keys:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# dh-param 1024
ec-name
Description
Enable Elliptic Curve Cryptography (ECC) and specify the name of the extension used.
Syntax
[no] ec-name {secp256r1 | secp384r1}
Parameter
Description
secp256r1
an ECC extension specified in RFC 4492
secp384r1
an ECC extension specified in RFC 4492
Default
Not enabled.
Mode
SLB server-SSL template
Example
Enable this feature for the secp256r1 ECC extension:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# ec-name secp256r1
enable-tls-alert-logging fatal
Description
Enables logging of fatal TLS alerts that include the flow information such as source IP
address.
Syntax
[no] enable-tls-alert-logging fatal
Default
Not enabled.
Mode
SLB server-SSL template
Example
Enable this feature:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# enable-tls-alert-logging fatal
forward-proxy-enable
Description
Enables SSL Insight support.
Syntax
[no] forward-proxy-enable
Default
Not enabled.
Mode
SLB server-SSL template
Example
Enable this feature:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# forward-proxy-enable
key
Description
Specifies the key for the certificate, and the passphrase used to encrypt the key.
Syntax
[no] key name [passphrase string]
Parameter
Description
name
Name of the certificate for the key.
string
Passphrase used to encrypt the key.
Default
Not enabled.
Mode
SLB server-SSL template
Example
Specify a key name and passphrase:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# key examplekey passphrase examplephrase
ocsp-stapling
Description
Enables OCSP stapling.
Syntax
[no] ocsp-stapling
Mode
SLB server-SSL template
Example
Enable OCSP stapling:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# ocsp-stapling
renegotiation-enable
Description
Enables SSL secure renegotiation.
Syntax
[no] renegotiation-enable
Default
SSL renegotiation is disabled.
Mode
SLB server-SSL template
Example
Enable SSL secure renegotiation:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# renegotiation-enable
server-certificate-error
Description
Specifies the ACOS response if there is a server certificate error.
Syntax
[no] server-certificate-error {email | ignore | logging | trap}
Parameter
Description
email
Send an email.
ignore
Ignore the error and allow traffic.
logging
Generate a log message.
trap
Generate an SNMP trap.
Default
Not set; the connection is refused without any notification.
Mode
SLB server-SSL template
Example
Send an SNMP trap when there is a server certificate error:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# server-certificate-error trap
session-cache-size
Description
Sets the maximum number of session-ID entries.
Syntax
[no] session-cache-size num
Parameter
Description
num
Number of session-ID entries, 0-8000000.
Specify 0 to disable caching.
Default
Not enabled.
Mode
SLB server-SSL template
Example
Specify 5000000 entries:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# session-cache-size 5000000
session-cache-timeout
Description
Sets the maximum number of seconds a cache entry can remain unused before being
removed from the cache.
Cache entries age according to the ticket age time. The age time is not reset when a cache
entry is used. After a client’s SSL ticket expires, the client must complete a full SSL handshake in
order to set up the next secure session with ACOS.
Syntax
[no] session-cache-timeout num
Parameter
Description
num
Number of seconds (0-7200).
Default
7200 seconds.
Mode
SLB server-SSL template
Example
Specify 5000 seconds as the timeout value:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# session-cache-timeout 5000
session-ticket-enable
Description
Enables stateless SSL session ticketing features.
Syntax
[no] session-ticket-enable
Default
Feature is not enabled.
Mode
SLB server-SSL template
Example
Enable stateless SSL session ticketing features:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# session-ticket-enable
template cipher
Description
Name of a cipher template to bind to the server-SSL template. In this case, the settings in the
cipher template override any cipher settings in the server-SSL template.
Syntax
[no] template cipher name
Parameter
Description
name
Name of the cipher template (1-63 characters).
Default
Not set; the ciphers enabled in the server-SSL template are used.
Mode
SLB server-SSL template
Example
Bind the cipher template “cipher-tmp1” to this server-SSL template:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# template cipher cipher-tmp1
use-client-sni
Description
Pass the client domain name to the server side of an SSL proxy configuration.
Syntax
[no] use-client-sni
Default
Client domain name is not passed through to the server-side.
Mode
SLB server-SSL template
Usage
This feature is useful when the SSL server hosts multiple services.
Example
The following example shows the server side template in an ACOS SSL proxy configuration
where the client domain name is passed through to the SSL server:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# use-client-sni
version
Description
Specifies the security version and minimum allowable security version that can be used
when communicating with servers.
In SSLi configurations, the security version from this template must match the security
version configured under the client-SSL template through the forward-proxy-ssl-version
command.
Syntax
[no] version {version-num} [downgrade-version-num]
Parameter
Description
version-num
Select one of the following:
• 30 - Secure Sockets Layer (SSL) v3.0
• 31 - Transport Layer Security (TLS) v1.0
• 32 - Transport Layer Security (TLS) v1.1
• 33 - Transport Layer Security (TLS) v1.2
downgrade-version-num
Specifies the minimum SSL/TLS version to which a session can be downgraded.
To disable downgrading, specify the same version number for both the version-num
and downgrade-version-num.
Default
31
Mode
SLB server-SSL template
Usage
For important information about default behavior changes with the TLS version and the
version command, refer to the “Changes in Default Behavior” chapter in the ACOS Release
Notes.
Example
The following example configures TLS version 1.1 for use in SSL communication with the
server. Depending on the response received from the server, TLS version 1.0 may also be
used.
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# version 32 31
Note that the downgrade version does not need to be specified for downgrade to occur;
downgrade can occur by default to the default TLS level (TLS version 1.0). The following
configuration is identical to the example above:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# version 32
Example
The following example disables downgrade; only TLS version 1.2 (version number 33) can be used to communicate with servers. If the server is using a lower (less secure) version of TLS, the session is not
created.
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# version 33 33
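The version and downgrade semantics of the three examples above, as an added Python model (not A10 code). It encodes the version numbers from the parameter table, the documented default of 31, and the rule that an omitted downgrade-version-num allows downgrade to TLS version 1.0; the negotiation rule itself (highest version both sides support, refused if it is below the floor) is ordinary TLS behaviour and is assumed here rather than quoted from the reference.

```python
"""Added model of the server-SSL 'version' command; not A10 code."""
from typing import Iterable, Optional, Tuple

# Version numbers exactly as listed in the parameter table.
VERSION_NAMES = {30: "SSLv3.0", 31: "TLSv1.0", 32: "TLSv1.1", 33: "TLSv1.2"}
DEFAULT_VERSION = 31  # documented default for version-num (TLS 1.0)


def parse_version_cmd(line: str) -> Tuple[int, int]:
    """Parse 'version <version-num> [<downgrade-version-num>]' into (ceiling, floor).

    When downgrade-version-num is omitted, downgrade is allowed down to the
    default TLS level (31), which is why 'version 32' equals 'version 32 31'.
    For 'version 30' alone the floor is taken as 30 itself (assumption).
    """
    parts = line.split()
    if len(parts) not in (2, 3) or parts[0] != "version":
        raise ValueError(f"not a version command: {line!r}")
    ceiling = int(parts[1])
    floor = int(parts[2]) if len(parts) == 3 else min(DEFAULT_VERSION, ceiling)
    for v in (ceiling, floor):
        if v not in VERSION_NAMES:
            raise ValueError(f"unknown version number {v}")
    if floor > ceiling:
        raise ValueError("downgrade-version-num cannot exceed version-num")
    return ceiling, floor


def downgrade_allowed(template_line: str) -> bool:
    """True unless both numbers are equal, which pins a single version."""
    ceiling, floor = parse_version_cmd(template_line)
    return floor < ceiling


def negotiate(template_line: str, server_versions: Iterable[int]) -> Optional[str]:
    """Return the name of the version a server-side session would use, or None.

    server_versions lists the protocol versions the real server supports
    (constructed input). The highest version inside [floor, ceiling] wins;
    if the server only speaks something below the floor, the session is refused.
    """
    ceiling, floor = parse_version_cmd(template_line)
    usable = [v for v in server_versions if floor <= v <= ceiling]
    return VERSION_NAMES[max(usable)] if usable else None


if __name__ == "__main__":
    for cmd in ("version 32 31", "version 32", "version 33 33"):
        print(cmd, "->", negotiate(cmd, [31, 32]), "downgrade:", downgrade_allowed(cmd))
```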
Config Commands: SLB SIP Templates
This chapter describes the commands and subcommands for configuring SLB SIP templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB SIP (Over UDP) Template Configuration Mode Commands
• SLB SIP (Over TCP/TLS) Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following SLB template commands are available:
• slb template sip (over UDP)
• slb template sip (over TCP/TLS)
slb template sip (over UDP)
Description
Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and
non-registration traffic for SIP clients.
Syntax
[no] slb template sip template-name
Parameter
Description
template-name
Template name (1-31 characters)
This command enters the SLB SIP (Over UDP) Template Configuration Mode for
the specified SIP (over UDP) template.
Default
The configuration does not have a default SIP over UDP template.
Mode
Configuration mode
Usage
The normal form of this command creates a SIP configuration template. The no form of this
command removes the template.
You can bind only one SIP template to a virtual port. However, you can bind the same SIP
template to multiple ports.
The header-erase and header-insert options apply to both traffic directions, client-to-server and server-to-client traffic.
Example
The following commands configure a SIP template named “Registrar_template”:
ACOS(config)# slb template sip Registrar_template
ACOS(config-sip)# registrar service-group Registrar_gp
ACOS(config-sip)# client-request-header insert max-Forwards:15
ACOS(config-sip)# client-request-header erase Contact
slb template sip (over TCP/TLS)
Description
Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and
non-registration traffic for SIP over TCP/TLS.
Syntax
[no] slb template sip template-name
Parameter
Description
template-name
Template name (1-31 characters)
This command enters the SLB SIP (Over TCP/TLS) Template Configuration Mode
for the specified SIP (over TCP/TLS) template.
Default
The configuration does not have a default SIP over TCP/TLS template.
Mode
Configuration mode
Usage
The normal form of this command creates a SIP configuration template. The no form of this
command removes the template.
You can bind only one SIP template to a virtual port. However, you can bind the same SIP
template to multiple ports.
Example
The following commands configure a SIP over TCP/TLS template:
ACOS(config)# slb template sip siptls-tmplt
ACOS(config-sip)# insert-client-ip
ACOS(config-sip)# client-keep-alive
ACOS(config-sip)# failed-client-selection "480 Temporarily Unavailable"
ACOS(config-sip)# failed-server-selection "504 Server Time-out"
ACOS(config-sip)# exclude-translation header Authentication
SLB SIP (Over UDP) Template Configuration Mode Commands
The following commands apply only to SIP over UDP, with the exception of the timeout, alg-dest-nat, and alg-source-nat commands, which apply both to SIP over UDP and SIP over TCP/TLS.
• alg-dest-nat
• alg-source-nat
• client-request-header erase
• client-request-header insert
• client-response-header erase
• client-response-header insert
• keep-server-ip-if-match-acl
• registrar service-group
• server-request-header erase
• server-request-header insert
• server-response-header erase
• server-response-header insert
• timeout
To access these commands at the SLB SIP Over UDP template level, enter the slb template sip (over UDP) command.
alg-dest-nat
Description
Translates the VIP address into the real server IP address in SIP messages, when destination
NAT is used.
Syntax
[no] alg-dest-nat
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# alg-dest-nat
alg-source-nat
Description
Translates source IP address in to the NAT IP address in SIP messages, when source NAT is
used.
The status of ALG support does not affect address translation at the IP layer. Address
translation at the IP layer is still performed, if applicable, even if ALG support is disabled.
Syntax
[no] alg-source-nat
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# alg-source-nat
client-request-header erase
Description
Erases the specified header.
Syntax
[no] client-request-header erase string [all]
Parameter
Description
string
Specify the header to erase.
all
Erase all instances of the specified header. If not specified, only the first
instance is erased.
Default
Without the all option, only the first instance of the specified header is erased.
Mode
SLB SIP template
Example
Erase the first instance of the “Max-Forwards” header:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-request-header erase Max-Forwards
client-request-header insert
Description
Inserts the specified header into requests.
Syntax
[no] client-request-header insert field:value
[insert-always | insert-if-not-exist]
Parameter
Description
field:value
Header field name and the value to insert.
Use a colon between the header name and the value. To use a blank space between the
header name and the value, use double quotation marks.
Examples:
client-request-header insert Max-Forwards:15
client-request-header insert “Max-Forwards: 15”
insert-always
Always inserts the field:value pair. If the request already contains a header with the
same field name, the new field:value pair is added after the existing field:value
pair. Existing headers are not replaced.
insert-if-not-exist
Inserts the header only if the request does not already contain a header with the same field
name.
Without either insert-always or insert-if-not-exist option, if a request already
contains one or more headers with the specified field name, the command replaces the last
header.
Mode
SLB SIP template
Example
Insert the “Max-Forwards: 15” header:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-request-header insert “Max-Forwards: 15”
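The erase and insert options above (and the identical client-response-header, server-request-header and server-response-header variants later in this section) are easy to misread, so the following added example models their semantics in Python on a constructed REGISTER request. It is an illustration written for this page, not ACOS code, and it assumes CRLF line endings, no folded or compact-form headers, and that a header which does not exist yet is appended after the last existing header; those placement details are not stated on the page.

```python
"""Model of the SIP header erase/insert semantics described for the
client-request-header, client-response-header, server-request-header and
server-response-header commands.  Added illustration, not ACOS code.
Assumptions: CRLF line endings, no folded or compact-form headers, and a
header that does not exist yet is appended after the last existing header."""

INSERT_ALWAYS = "insert-always"
INSERT_IF_NOT_EXIST = "insert-if-not-exist"


def _split(msg):
    """Return (start_line, [header lines], body) for a SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def _join(start, headers, body):
    return "\r\n".join([start, *headers]) + "\r\n\r\n" + body


def _name(header):
    # RFC 3261 header field names are case-insensitive
    return header.split(":", 1)[0].strip().lower()


def header_values(msg, name):
    """Values of every instance of `name`, in message order."""
    _, headers, _ = _split(msg)
    return [h.split(":", 1)[1].strip() for h in headers if _name(h) == name.lower()]


def erase_header(msg, name, all_instances=False):
    """... erase string [all]: without `all` only the first instance goes."""
    start, headers, body = _split(msg)
    kept, removed = [], False
    for h in headers:
        if _name(h) == name.lower() and (all_instances or not removed):
            removed = True
            continue
        kept.append(h)
    return _join(start, kept, body)


def insert_header(msg, field_value, mode=None):
    """... insert field:value [insert-always | insert-if-not-exist]."""
    field, _, value = field_value.partition(":")
    field, new = field.strip(), f"{field.strip()}: {value.strip()}"
    start, headers, body = _split(msg)
    existing = [i for i, h in enumerate(headers) if _name(h) == field.lower()]
    if mode == INSERT_IF_NOT_EXIST:
        if existing:
            return msg                      # message left untouched
        headers.append(new)
    elif mode == INSERT_ALWAYS:
        # add after the existing pair; never replace what is there
        headers.insert(existing[-1] + 1 if existing else len(headers), new)
    else:
        # no option: replace the last matching header, or add if absent
        if existing:
            headers[existing[-1]] = new
        else:
            headers.append(new)
    return _join(start, headers, body)


# constructed sample request (RFC 5737 documentation addresses)
SAMPLE_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "Route: <sip:p1.example.com;lr>\r\n"
    "Route: <sip:p2.example.com;lr>\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(header_values(insert_header(SAMPLE_REGISTER, "Max-Forwards:15"), "Max-Forwards"))
    print(header_values(insert_header(SAMPLE_REGISTER, "Max-Forwards: 15", INSERT_ALWAYS), "Max-Forwards"))
    print(header_values(erase_header(SAMPLE_REGISTER, "Route"), "Route"))
```

Two points the model makes visible: the default insert is a replace, so inserting Max-Forwards:15 lowers the loop-protection counter the client chose rather than adding a second one, and erasing without all on a header that legitimately repeats (Route, Record-Route, Via) removes only the topmost instance. Content-Length is untouched throughout because it counts the body only.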
client-response-header erase
Description
Erases the specified header.
Syntax
[no] client-response-header erase string [all]
Parameter
Description
string
Specify the header to erase.
all
Erase all instances of the specified header. If not specified, only the first
instance is erased.
Default
Without the all option, only the first instance of the specified header is erased.
Mode
SLB SIP template
Example
Erase the first instance of the “Max-Forwards” header:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-response-header erase Max-Forwards
client-response-header insert
Description
Inserts the specified header into responses.
Syntax
[no] client-response-header insert field:value
[insert-always | insert-if-not-exist]
Parameter
Description
field:value
Header field name and the value to insert.
Use a colon between the header name and the value. To use a blank space between the
header name and the value, use double quotation marks.
Examples:
client-response-header insert Max-Forwards:15
client-response-header insert “Max-Forwards: 15”
insert-always
Always inserts the field:value pair. If the response already contains a header with the
same field name, the new field:value pair is added after the existing field:value
pair. Existing headers are not replaced.
insert-if-not-exist
Inserts the header only if the response does not already contain a header with the same field
name.
Without either insert-always or insert-if-not-exist option, if a response already
contains one or more headers with the specified field name, the command replaces the last
header.
Mode
SLB SIP template
Example
Insert the “Max-Forwards: 15” header:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-response-header insert “Max-Forwards: 15”
keep-server-ip-if-match-acl
Description
Disables reverse NAT based on the IP addresses in an extended ACL. This command is useful
in cases where a SIP server needs to reach another server, and the traffic must pass through
the ACOS device.
Syntax
[no] keep-server-ip-if-match-acl
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# keep-server-ip-if-match-acl
registrar service-group
Description
Specifies the name of a service group of SIP Registrar servers.
Syntax
[no] registrar service-group name
Parameter
Description
name
Service group name (1-127 characters).
Mode
SLB SIP template
Example
Specify “sip-sg1” as the service group:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# registrar service-group sip-sg1
server-request-header erase
Description
Erases the specified header.
Syntax
[no] server-request-header erase string [all]
Parameter
Description
string
Specify the header to erase.
all
Erase all instances of the specified header. If not specified, only the first
instance is erased.
Default
Without the all option, only the first instance of the specified header is erased.
Mode
SLB SIP template
Example
Erase the first instance of the “Max-Forwards” header:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-request-header erase Max-Forwards
server-request-header insert
Description
Inserts the specified header into requests.
Syntax
[no] server-request-header insert field:value
[insert-always | insert-if-not-exist]
Parameter
Description
field:value
Header field name and the value to insert.
Use a colon between the header name and the value. To use a blank space between the
header name and the value, use double quotation marks.
Examples:
server-request-header insert Max-Forwards:15
server-request-header insert “Max-Forwards: 15”
insert-always
Always inserts the field:value pair. If the request already contains a header with the
same field name, the new field:value pair is added after the existing field:value
pair. Existing headers are not replaced.
insert-if-not-exist
Inserts the header only if the request does not already contain a header with the same field
name.
Without either insert-always or insert-if-not-exist option, if a request already
contains one or more headers with the specified field name, the command replaces the last
header.
Mode
SLB SIP template
Example
Insert the “Max-Forwards: 15” header:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-request-header insert “Max-Forwards: 15”
server-response-header erase
Description
Erases the specified header.
Syntax
[no] server-response-header erase string [all]
Parameter
Description
string
Specify the header to erase.
all
Erase all instances of the specified header. If not specified, only the first
instance is erased.
Default
Without the all option, only the first instance of the specified header is erased.
Mode
SLB SIP template
Example
Erase the first instance of the “Max-Forwards” header:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-response-header erase Max-Forwards
server-response-header insert
Description
Inserts the specified header into responses.
Syntax
[no] server-response-header insert field:value
[insert-always | insert-if-not-exist]
Parameter
Description
field:value
Header field name and the value to insert.
Use a colon between the header name and the value. To use a blank space between the
header name and the value, use double quotation marks.
Examples:
server-response-header insert Max-Forwards:15
server-response-header insert “Max-Forwards: 15”
insert-always
Always inserts the field:value pair. If the response already contains a header with the
same field name, the new field:value pair is added after the existing field:value
pair. Existing headers are not replaced.
insert-if-not-exist
Inserts the header only if the response does not already contain a header with the same field
name.
Without either insert-always or insert-if-not-exist option, if a response already
contains one or more headers with the specified field name, the command replaces the last
header.
Mode
SLB SIP template
Example
Insert the “Max-Forwards: 15” header:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-response-header insert “Max-Forwards: 15”
timeout
Description
Specifies the number of minutes a SIP session can remain idle before the ACOS device terminates the session.
Syntax
[no] timeout num
Parameter
Description
num
Number of minutes (1-250).
Default
30 minutes
Mode
SLB SIP template
Example
Configure the timeout for 5 minutes:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# timeout 5
SLB SIP (Over TCP/TLS) Template Configuration Mode Commands
The following commands apply only to SIP over TCP/TLS, with the exception of the timeout, alg-dest-nat, and alg-source-nat commands, which apply to both SIP over UDP and SIP over TCP/TLS.
• alg-dest-nat
• alg-source-nat
• call-id-persist-disable
• client-keepalive
• dialog-aware
• exclude-translation
• insert-client-ip
• failed-client-selection
• failed-server-selection
• keep-server-ip-if-match-acl
• server-keep-alive
• server-selection-per-request
• smp-call-id-rtp-session
• timeout
To access these commands at the SLB SIP Over TCP/TLS template level, enter the slb template sip (over TCP/TLS) command.
alg-dest-nat
Description
Enables SIP ALG support for the destination IP address.
Syntax
[no] alg-dest-nat
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# alg-dest-nat
alg-source-nat
Description
Enables SIP ALG support for the source IP address.
The status of ALG support does not affect address translation at the IP layer. Address
translation at the IP layer is still performed, if applicable, even if ALG support is disabled.
Syntax
[no] alg-source-nat
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# alg-source-nat
call-id-persist-disable
Description
Disables call-ID persistence.
Syntax
[no] call-id-persist-disable
Default
Call-ID persistence is enabled by default.
Mode
SLB SIP template
Example
Disable call-ID persistence.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# call-id-persist-disable
client-keepalive
Description
Enables the ACOS device to respond to SIP pings from clients on behalf of SIP servers. When
this option is enabled, the ACOS device responds to a SIP ping from a client with a “pong”.
This option is disabled by default.
NOTE:
If connection reuse is configured, even if client keepalive is disabled, the ACOS
device will respond to a client SIP ping with a pong.
Syntax
[no] client-keepalive
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-keepalive
dialog-aware
Description
Enables support for multiple active client instances with the same end-user login.
Syntax
[no] dialog-aware
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# dialog-aware
exclude-translation
Description
Disables translation of the virtual IP address and virtual port in specific portions of SIP messages.
Syntax
[no] exclude-translation {body | header string | start-line}
Parameter
Description
body
Does not translate virtual IP addresses and virtual ports in the body of
the message.
string
Does not translate virtual IP addresses and virtual ports in the specified header.
start-line
Does not translate virtual IP addresses and virtual ports in the SIP
request line or status line.
Default
Not set; the ACOS device does not translate addresses in any header except the top Via
header.
Mode
SLB SIP template
Example
Do not translate virtual IP addresses and virtual ports in the body of the message:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# exclude-translation body
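To make concrete what "translation" of the virtual address in specific portions of a SIP message means, here is an added Python model of an address rewrite with the same three switches (start-line, body, header name). It is an illustration written for this page, not ACOS code; it does not reproduce the device's Via handling or its defaults, and the 200 OK it operates on is a constructed sample. One detail it does show that the text leaves implicit: rewriting an address in the SDP body changes the body's length, so Content-Length has to be recomputed or the message is corrupt on the wire.

```python
"""Model of the VIP/real-server address rewrite that exclude-translation
switches off for parts of a SIP message.  Added illustration, not ACOS code."""

import re


def _rewrite(text, old, new):
    # exact-address match only: rewriting 10.0.0.21 must not touch 10.0.0.210
    return re.sub(rf"(?<![\d.]){re.escape(old)}(?![\d.])", new, text)


def translate_sip(msg, old, new, exclude=frozenset()):
    """Replace `old` with `new` in the start line, headers and body, except the
    portions named in `exclude`: "start-line", "body" or "header:<Name>",
    mirroring exclude-translation {start-line | body | header string}."""
    head, sep, body = msg.partition("\r\n\r\n")
    start, *headers = head.split("\r\n")
    skip = {e.split(":", 1)[1].strip().lower()
            for e in exclude if e.startswith("header:")}
    if "start-line" not in exclude:
        start = _rewrite(start, old, new)
    out = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        out.append(h if name in skip else _rewrite(h, old, new))
    if body and "body" not in exclude:
        body = _rewrite(body, old, new)
        # the rewrite can change the SDP's length; keep Content-Length honest
        out = [f"Content-Length: {len(body.encode())}"
               if h.lower().startswith("content-length:") else h for h in out]
    return "\r\n".join([start, *out]) + sep + body


def content_length(msg):
    """Declared Content-Length of a message, or None if absent."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    vals = [h for h in head if h.lower().startswith("content-length:")]
    return int(vals[0].split(":", 1)[1]) if vals else None


# constructed addresses: VIP from RFC 5737 space, real server on a private net
VIP, REAL = "203.0.113.10", "10.0.0.21"

SDP = (
    "v=0\r\n"
    f"o=bob 2890844527 2890844527 IN IP4 {REAL}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {REAL}\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0\r\n"
)

# constructed server reply carrying the real server address in Contact and SDP
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK74bf9\r\n"
    "From: <sip:alice@example.com>;tag=9fxced76sl\r\n"
    "To: <sip:bob@example.com>;tag=8321234356\r\n"
    "Call-ID: 3848276298220188511@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    f"Contact: <sip:bob@{REAL}:5060;transport=tcp>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP.encode())}\r\n"
    "\r\n" + SDP
)

if __name__ == "__main__":
    # server -> client direction: hide the real server behind the VIP
    print(translate_sip(SAMPLE_200_OK, REAL, VIP))
    # same, but leave the SDP alone (media handled elsewhere)
    print(translate_sip(SAMPLE_200_OK, REAL, VIP, exclude={"body"}))
```

The same function serves both directions: translate_sip(msg, VIP, REAL) for client requests when destination NAT is in use, translate_sip(msg, REAL, VIP) for server replies. Excluding the body is the usual choice when an SBC or the RTP path itself takes care of media addresses; excluding a specific header is for fields a downstream element signs or compares verbatim.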
insert-client-ip
Description
Inserts an “X-Forwarded-For: IP-address:port” header into SIP packets from the client to the
SIP server. The header contains the client IP address and source protocol port number. The
ACOS device uses the header to identify the client when forwarding a server reply.
Syntax
[no] insert-client-ip
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# insert-client-ip
failed-client-selection
Description
Specifies the response when selection of a SIP client fails.
NOTE:
This option is applicable only if the configuration includes a connection-reuse template.
Syntax
[no] failed-client-selection {string | drop}
Parameter
Description
string
Message string to send to the server; for example:
“480 Temporarily Unavailable”
If the message string contains a space, use double quotation marks
around the string.
drop
Drop the traffic.
Default
Not set; the ACOS device resets the connection when selection of a SIP client fails.
Mode
SLB SIP template
Example
Configure a response for failed client selection:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# failed-client-selection “480 Temporarily Unavailable”
failed-server-selection
Description
Specifies the response when selection of a SIP server fails.
Syntax
[no] failed-server-selection {string | drop}
Parameter
Description
string
Message string to send to the client; for example:
“504 Server Time-Out”
If the message string contains a space, use double quotation marks
around the string.
drop
Drop the traffic.
Default
Not set; the ACOS device resets the connection when selection of a SIP server fails.
Mode
SLB SIP template
Example
Configure a response for failed server selection:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# failed-server-selection “504 Server Time-Out”
keep-server-ip-if-match-acl
Description
Use the real server’s IP for addresses that match the ACL for a call ID.
Syntax
[no] keep-server-ip-if-match-acl
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# keep-server-ip-if-match-acl
server-keep-alive
Description
For configurations that use a connection-reuse template, this option specifies how often the
ACOS device sends a SIP ping on each persistent connection. The ACOS device silently drops
the server’s reply. If the server does not reply to a SIP ping within the connection-reuse timeout, the ACOS device closes the persistent connection.
The connection-reuse timeout is configured by the timeout command at the configuration
level for the connection-reuse template. For more information, see “slb template
connection-reuse” on page 55.
Syntax
[no] server-keep-alive num
Parameter
Description
num
Number of seconds (5-300).
Mode
SLB SIP template
Example
Configure the keep-alive for 10 seconds:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-keep-alive 10
server-selection-per-request
Description
Forces the ACOS device to perform the server selection process anew for every SIP request.
Without this option, the ACOS device reselects the same server for subsequent requests
(assuming the same server group is used), unless overridden by other template options. This
option applies to SIP-TCP and SIPS virtual ports. The option is unnecessary for SIP over UDP.
Strict transaction switching is automatically used for SIP over UDP.
Syntax
[no] server-selection-per-request
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-selection-per-request
smp-call-id-rtp-session
Description
Create a cross-CPU call-ID RTP session.
This feature enables your ACOS device to monitor RTP and SIP traffic. This command creates
a cross-CPU RTP session which can be matched by RTP traffic.
Use this command in conjunction with rtp-sip-call-id-match to configure this feature.
Syntax
[no] smp-call-id-rtp-session
Default
Not enabled.
Mode
SLB SIP template
Example
Enable this feature.
!
slb template sip test
smp-call-id-rtp-session
!
!
slb virtual-server vv 0.0.0.0
port 0 udp
skip-rev-hash
message-switching
force-routing-mode
no-dest-nat
service-group win
rtp-sip-call-id-match
port 5060 sip
message-switching
force-routing-mode
service-group winms
template sip test
!
timeout
Description
Specifies the number of minutes a SIP session can remain idle before the ACOS device terminates the session.
Syntax
[no] timeout num
Parameter
Description
num
Number of minutes (1-250).
Default
30 minutes
Mode
SLB SIP template
Example
Configure the timeout for 5 minutes:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# timeout 5
Config Commands: SLB SMPP Templates
This chapter describes the commands and subcommands for configuring SLB SMPP templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB SMPP Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB SMPP templates:
• slb template smpp
slb template smpp
Description
Configure a template for Short Message Peer-to-Peer (SMPP 3.3) protocol load balancing.
Syntax
[no] slb template smpp template-name
Parameter
Description
template-name
Template name (1-31 characters)
This command enters the SLB SMPP Template Configuration Mode Commands for the
specified SMPP template.
Default
The configuration does not have a default SMPP template.
Usage
The normal form of this command creates an SMPP template. The no form of this command
removes the template.
Mode
Configuration mode
SLB SMPP Template Configuration Mode Commands
The following SLB SMPP template commands are available:
• client-enquire-link
• server-enquire-link
• server-selection-per-request
• user
To access these commands at the SLB SMPP template level, enter the slb template smpp command.
client-enquire-link
Description
When enabled, ACOS answers ENQUIRE_LINK requests from clients directly, on behalf of the
SMPP server, with the corresponding ENQUIRE_LINK_RESP. This keeps the client connection
from timing out and serves the same purpose as a keepalive message.
Syntax
[no] client-enquire-link
Default
Not enabled.
Mode
SLB SMPP template
Example
Enable this feature.
ACOS(config)# slb template smpp smpp-tmp1
ACOS(config-smpp)# client-enquire-link
server-enquire-link
Description
Prevents reusable connections to the SMPP server from aging out. When this option is enabled, ACOS regularly sends an ENQUIRE_LINK message to the SMPP server to maintain the
client-to-server connection.
Syntax
[no] server-enquire-link num
Parameter
Description
num
Number of seconds at which the keepalive message is sent (5-300).
Default
30 seconds.
Mode
SLB SMPP template
Example
Set the interval to 15 seconds.
ACOS(config)# slb template smpp smpp-tmp1
ACOS(config-smpp)# server-enquire-link 15
server-selection-per-request
Description
Forces the ACOS device to perform the server selection process for every SMPP request. Without
this option, the ACOS device reselects the same server for subsequent requests (assuming
the same server group is used), unless overridden by other template options.
NOTE:
This command works only in conjunction with a connection-reuse template. In
addition, this command requires that a username-password pair is configured in
the SMPP template, so that ACOS can immediately authenticate SMPP clients for
every instance of server selection.
Syntax
[no] server-selection-per-request
Default
Not enabled.
Mode
SLB SMPP template
Example
Enable this feature and configure a username-password pair.
ACOS(config)# slb template smpp smpp-tmp1
ACOS(config-smpp)# server-selection-per-request
ACOS(config-smpp)# user exampleuser password examplepassword
user
Description
Sets a username and password which the ACOS device will use to authenticate SMPP clients.
NOTE:
If you configure a user and password, you must configure the same username-password pair for all SMPP clients and servers. Otherwise, the ACOS device will never
open a TCP connection between the clients and servers.
Syntax
[no] user username password password
Parameter
Description
username
User name to use for SMPP client authentication (1-63 characters).
password
Password to use for SMPP client authentication (1-63 characters).
Mode
SLB SMPP template
Example
Create “exampleuser” and “examplepassword”.
ACOS(config)# slb template smpp smpp-tmp1
ACOS(config-smpp)# user exampleuser password examplepassword
Config Commands: SLB SMTP Templates
This chapter describes the commands and subcommands for configuring SLB SMTP templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB SMTP Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB SMTP templates:
• slb template smtp
slb template smtp
Description
Configure STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients.
Syntax
[no] slb template smtp template-name
Parameter
Description
template-name
Template name (1-31 characters)
This command enters the SLB SMTP Template Configuration Mode Commands for the
specified SMTP template.
Usage
The normal form of this command creates an SMTP template. The no form of this command
removes the template.
You can bind only one SMTP template to a virtual port. However, you can bind the same
SMTP template to multiple ports.
Example
The following commands configure an SMTP template named “secure-mail”. The template
enforces use of STARTTLS by mail clients, disables client use of certain SMTP commands, and
directs clients to a service group based on client domain.
ACOS(config)# slb template smtp secure-mail
ACOS(config-smtp)# starttls enforced
ACOS(config-smtp)# command-disable expn turn vrfy
ACOS(config-smtp)# client-domain-switching contains hq service-group smtp-sg1
ACOS(config-smtp)# client-domain-switching contains northdakota service-group smtp-sg2
Example
The following commands configure an SMTP template called “smtp-domain”. The template
uses client domain switching to select a service group based on the email client’s domain.
Clients from any domain that starts with “smb” are sent to service group “smtp-sg1”. Clients
whose domain name does not start with “smb” and whose domain name contains “company1” are sent to service group “smtp-sg2”. Clients whose domain name does not match on
the starts-with or contains strings and ends with “.com” are sent to service group “smtp-sg3”.
ACOS(config)# slb template smtp smtp-domain
ACOS(config-smtp)# client-domain-switching starts-with smb service-group smtp-sg1
ACOS(config-smtp)# client-domain-switching contains company1 service-group smtp-sg2
ACOS(config-smtp)# client-domain-switching ends-with .com service-group smtp-sg3
SLB SMTP Template Configuration Mode Commands
The following SLB SMTP template commands are available:
• client-domain-switching
• command-disable
• server-domain
• service-ready-msg
• starttls
To access these commands at the SLB SMTP template level, enter the slb template smtp command.
client-domain-switching
Description
Selects a service group based on the domain of the client. You can specify all or part of the
client domain name. This command is applicable when you have multiple SMTP service
groups.
Syntax
[no] client-domain-switching {starts-with | contains | ends-with}
string service-group name
Parameter
Description
starts-with
Matches only if the client’s domain name starts with string.
contains
Matches if the string appears anywhere within the domain name of
the client.
ends-with
Matches only if the client’s domain name ends with string.
name
Name of the service group to use for matches.
Default
Not set; all client domains match, and any service group can be used.
Mode
SLB SMTP template
Usage
The starts-with, contains, and ends-with options are always applied in the following
order, regardless of the order in which the commands appear in the configuration. The service group for the first match is used.
• starts-with
• contains
• ends-with
If a template has more than one command with the same option (starts-with,
contains, or ends-with) and a client domain matches on more than one of them, the
most-specific match is always used.
If a contains rule and an ends-with rule match on exactly the same string, the ends-with
rule is used, because it has the more specific match.
Here is an example of a set of client-domain-switching rules in an SMTP template. The
number to the right of each rule is its precedence when matching on the client domain
name “localhost”; the last rule is the best match (1) and will be used.
client-domain-switching contains localhost service-group sg-a      (4)
client-domain-switching contains local service-group sg-b          (5)
client-domain-switching ends-with host service-group sg-c          (6)
client-domain-switching ends-with localhost service-group sg-d     (3)
client-domain-switching starts-with local service-group sg-e       (2)
client-domain-switching starts-with localhost service-group sg-f   (1)
Example
This example directs clients to service group “smtp-sg1” if their domain contains the string
“hq”:
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# client-domain-switching contains hq service-group smtp-sg1
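The precedence rules in the Usage text are easier to reason about as a sort key, so the following added Python example ranks a rule set exactly as the numbered “localhost” table does and picks the winning service group. It is an illustration written for this page, not ACOS code: the ranking (starts-with rules first; then the longer string; ends-with beating contains on an identical string) is reconstructed from that table, and the assumption that “most specific” means the longer matching string, and that domain comparison is case-insensitive, is mine.

```python
"""Model of client-domain-switching rule precedence, reconstructed from the
numbered "localhost" table in the Usage text.  Added illustration, not
ACOS code.  Assumption: "most specific" means the longer matching string,
and domain names compare case-insensitively."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    option: str           # "starts-with" | "contains" | "ends-with"
    string: str
    service_group: str


def matches(rule, domain):
    d, s = domain.lower(), rule.string.lower()
    if rule.option == "starts-with":
        return d.startswith(s)
    if rule.option == "contains":
        return s in d
    if rule.option == "ends-with":
        return d.endswith(s)
    raise ValueError(f"unknown option {rule.option!r}")


def _precedence(rule):
    """Sort key: starts-with rules first; then the longer (more specific)
    string; an ends-with rule beats a contains rule on the same string."""
    group = 0 if rule.option == "starts-with" else 1
    prefer_ends_with = 0 if rule.option == "ends-with" else 1
    return (group, -len(rule.string), prefer_ends_with)


def rank_matches(domain, rules):
    """All matching rules, best match first."""
    return sorted((r for r in rules if matches(r, domain)), key=_precedence)


def select_service_group(domain, rules, default=None):
    """Service group for `domain`, or `default` when no rule matches
    (the page's default: any service group can then be used)."""
    ranked = rank_matches(domain, rules)
    return ranked[0].service_group if ranked else default


# the six rules from the Usage text, in configuration order
PAGE_RULES = [
    Rule("contains", "localhost", "sg-a"),
    Rule("contains", "local", "sg-b"),
    Rule("ends-with", "host", "sg-c"),
    Rule("ends-with", "localhost", "sg-d"),
    Rule("starts-with", "local", "sg-e"),
    Rule("starts-with", "localhost", "sg-f"),
]

if __name__ == "__main__":
    for n, r in enumerate(rank_matches("localhost", PAGE_RULES), start=1):
        print(f"({n}) {r.option} {r.string} -> {r.service_group}")
```

The practical consequence: configuration order is irrelevant, so a broad contains rule added late does not silently steal traffic from an earlier starts-with rule, but a long ends-with string does outrank a shorter contains string even though contains is listed before ends-with in the Usage text. When auditing a template, run the candidate domains through the ranking rather than reading the rules top to bottom.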
command-disable
Description
Disables support of the specified SMTP commands. If a client tries to issue a disabled SMTP
command, ACOS sends the following message to the client:
502 - Command not implemented
Syntax
[no] command-disable {expn | turn | vrfy}
Parameter
Description
expn
Disable SMTP EXPN commands.
turn
Disable SMTP TURN commands.
vrfy
Disable SMTP VRFY commands.
Default
EXPN, TURN, and VRFY are all enabled.
Mode
SLB SMTP template
Example
Disable SMTP EXPN commands:
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# command-disable expn
server-domain
Description
Specifies the Email server domain. This is the domain for which the ACOS device provides
SMTP load balancing.
Syntax
[no] server-domain name
Parameter
Description
name
Name of the Email server domain (1-31 characters).
Default
“mail-server-domain”
Mode
SLB SMTP template
Example
Set “exampledomain” as the Email server domain.
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# server-domain exampledomain
service-ready-msg
Description
Specifies the text of the SMTP service-ready message sent to clients. The complete message
sent to the client is constructed as follows:
220 - server-domain service-ready-string
where server-domain is the value set by the server-domain command.
Syntax
[no] service-ready-msg string
Parameter
Description
string
Service-ready message (1-127 characters).
Default
“ESMTP mail service ready”
Mode
SLB SMTP template
Example
Set “Your ESMTP mail service is ready” as the service-ready message.
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# service-ready-msg “Your ESMTP mail service is ready”
starttls
Description
Specifies whether or not use of STARTTLS by clients is required.
Syntax
starttls {client | server} {optional | enforced}
Parameter
Description
client
Configure client-side STARTTLS.
server
Configure server-side STARTTLS.
optional
Client or server can use STARTTLS but are not required to do so.
enforced
Before any mail transactions are allowed, the client must issue the
STARTTLS command to establish a secured session. If the client does
not issue the STARTTLS command, ACOS sends the following message
to the client:
530 - Must issue a STARTTLS command first
Default
Disabled.
Mode
SLB SMTP template
Example
Make STARTTLS use mandatory for the client.
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# starttls client enforced
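The behaviour that the four template commands above describe (the 220 greeting built from server-domain and service-ready-msg, the 502 reply for a command removed with command-disable, and the 530 reply when starttls client enforced is set and a client starts a mail transaction before STARTTLS) can be modelled and then probed. The following Python is an added example, not ACOS code. The SmtpFrontEnd class is a model of the replies this page documents; the replies it gives for commands that are not disabled, and the set of verbs it treats as a mail transaction (MAIL, RCPT, DATA), are assumptions. audit_policy is the check a practitioner wants: it drives a front end through a send callable and reports which protections are in effect. With a real virtual port, send would wrap a socket; here it is the model's own handle method so the example runs offline.

```python
"""Model of the SLB SMTP template behaviour described on this page, plus a
probe that checks which of those protections a front end actually applies.
Added example; not ACOS code. Reply texts for commands that are NOT disabled,
and the MAIL/RCPT/DATA set treated as 'mail transactions', are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SmtpTemplate:
    server_domain: str = "mail-server-domain"            # server-domain default
    service_ready_msg: str = "ESMTP mail service ready"  # service-ready-msg default
    command_disable: frozenset = frozenset()             # subset of {"EXPN", "TURN", "VRFY"}
    starttls_client: str = "optional"                    # "optional" or "enforced"


class SmtpFrontEnd:
    """Answers one client command at a time the way the template says ACOS does."""

    MAIL_TRANSACTION = frozenset({"MAIL", "RCPT", "DATA"})  # assumption: gated by STARTTLS

    def __init__(self, template: SmtpTemplate):
        self.t = template
        self.tls_started = False

    def greeting(self) -> str:
        # 220 is the SMTP service-ready reply; its text is domain + configured string.
        return f"220 {self.t.server_domain} {self.t.service_ready_msg}"

    def handle(self, line: str) -> str:
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in self.t.command_disable:
            return "502 Command not implemented"
        if verb == "STARTTLS":
            self.tls_started = True            # the TLS handshake itself is out of scope here
            return "220 Ready to start TLS"
        if (verb in self.MAIL_TRANSACTION and self.t.starttls_client == "enforced"
                and not self.tls_started):
            return "530 Must issue a STARTTLS command first"
        if verb in ("EHLO", "HELO"):
            return f"250 {self.t.server_domain}"
        if verb in ("MAIL", "RCPT", "EXPN", "TURN"):
            return "250 OK"                    # assumed replies when not disabled
        if verb == "VRFY":
            return "252 Cannot VRFY user, but will accept message"
        if verb == "DATA":
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def audit_policy(send) -> dict:
    """Drive a front end through send(command) -> reply and report which of the
    page's protections are in effect. `send` may wrap a real socket; here it is
    SmtpFrontEnd.handle. Run it BEFORE issuing STARTTLS so the 530 check means something."""
    send("EHLO probe.example.invalid")
    findings = {}
    for verb in ("EXPN", "TURN", "VRFY"):
        arg = "" if verb == "TURN" else " postmaster"
        findings[f"{verb.lower()}_disabled"] = send(verb + arg).startswith("502")
    findings["starttls_enforced"] = send("MAIL FROM:<probe@example.invalid>").startswith("530")
    return findings


if __name__ == "__main__":
    hardened = SmtpTemplate(server_domain="exampledomain",
                            command_disable=frozenset({"EXPN", "VRFY"}),
                            starttls_client="enforced")
    print(SmtpFrontEnd(hardened).greeting())
    print(audit_policy(SmtpFrontEnd(hardened).handle))
    print(audit_policy(SmtpFrontEnd(SmtpTemplate()).handle))
```

Probe from the untrusted side before STARTTLS: a 530 on MAIL FROM confirms enforcement, while a 250 means the virtual port still accepts cleartext mail transactions, and a 252 or 250 on VRFY or EXPN means the front end still lets a client enumerate mailboxes.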
Config Commands: SLB SSLi Templates
This chapter describes the commands and subcommands for configuring SLB SSLi templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB SSLi Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB SSLi templates:
• slb template ssli
slb template ssli
Description
Configures an SSLi (SSL Insight) template that specifies which application protocol, running
over SSL, the virtual server intercepts. The type subcommand selects that protocol.
Syntax
[no] slb template ssli template-name
Parameter
Description
template-name
Template name (1-31 characters)
This command enters the SLB SSLi Template Configuration Mode for the specified SSLi
template. For additional commands, see “SLB SSLi Template Configuration Mode
Commands” on page 223.
Default
SSLi on HTTPS sessions is enabled by default.
Mode
Configuration mode
Example
Create an SLB SSLi template for SMTP:
ACOS(config)# slb template ssli smtp_insight
ACOS(config-ssli)# type smtp
SLB SSLi Template Configuration Mode Commands
The following SLB SSLi template commands are available:
• type
To access these commands at the SLB SSLi template level, enter the slb template ssli command.
type
Description
Specifies the service that is intercepted by SSLi.
Syntax
[no] type {http | xmpp | smtp | pop}
Parameter
Description
http
HTTP service.
xmpp
XMPP service.
smtp
SMTP service.
pop
POP service.
Default
HTTP
Mode
SLB SSLi template
Example
Create an SLB SSLi template for SMTP:
ACOS(config)# slb template ssli ssli-tmp1
ACOS(config-ssli)# type smtp
Config Commands: SLB TCP Templates
This chapter describes the commands and subcommands for configuring SLB TCP templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB TCP Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB TCP templates:
• slb template tcp
slb template tcp
Description
Create or modify a template for configuring TCP connection settings.
Syntax
[no] slb template tcp {default | template-name}
Parameter
Description
default
Edit the default TCP template. This template can be modified in the
same way as any custom template-name you specify.
template-name
Template name (1-31 characters)
This command enters the SLB TCP Template Configuration Mode Commands for the
specified TCP template.
CAUTION:
Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.
Mode
Configuration mode
Usage
The normal form of this command creates a TCP configuration template. The no form of this
command removes the template.
You can bind only one TCP template to a virtual port. However, you can bind the same TCP
template to multiple ports.
Example
The following commands configure a TCP template named “test” that sets the initial TCP window
size to 1460 bytes, and bind the template to virtual service port 22 on virtual server vs1:
ACOS(config)# slb template tcp test
ACOS(config-l4 tcp)# initial-window-size 1460
ACOS(config-l4 tcp)# exit
ACOS(config)# slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)# port 22 tcp
ACOS(config-slb vserver-vport)# template tcp test
Example
The following commands configure a TCP template that quickly terminates half-open sessions while allowing active sessions to continue.
ACOS(config)# slb template tcp halfopen-tcp
ACOS(config-l4 tcp)# force-delete-timeout 3 alive-if-active
ACOS(config-l4 tcp)# reset-fwd
ACOS(config-l4 tcp)# reset-rev
SLB TCP Template Configuration Mode Commands
The following SLB TCP template commands are available:
• force-delete-timeout
• force-delete-timeout-100ms
• half-close-idle-timeout
• half-open-idle-timeout
• idle-timeout
• initial-window-size
• insert-client-ip
• lan-fast-ack
• qos
• reset-fwd
• reset-rev
To access these commands at the SLB TCP template level, enter the slb template tcp command.
force-delete-timeout
Description
Specifies the maximum number of seconds a session can remain active, and forces deletion
of any session that is still active after the specified number of seconds.
This option is useful for small, fast transactions for which the completion time of sessions is
guaranteed. When used in combination with the reset-fwd and reset-rev options, the
force-delete-timeout option can help clean up user connections with RSTs instead of allowing the
connections to hang.
NOTE:
This command cannot be used with the client-SSL or server-SSL template close-notify option. Doing so may cause unexpected behavior.
Syntax
[no] force-delete-timeout num [alive-if-active]
Parameter
Description
num
Number of seconds (1-31).
alive-if-active
Terminates half-open TCP sessions on the virtual port while
allowing active sessions to continue without being terminated.
Default
Not set.
Mode
SLB TCP template
Example
Set the timeout to 10 seconds.
ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# force-delete-timeout 10
force-delete-timeout-100ms
Description
Specifies the maximum time, in units of 100 milliseconds, that a session can remain active, and forces deletion of any session that is still active after that time.
Syntax
[no] force-delete-timeout-100ms num [alive-if-active]
Parameter
Description
num
Number of 100ms units (1-31).
alive-if-active
Terminates half-open TCP sessions on the virtual port while
allowing active sessions to continue without being terminated.
Default
Not set.
Mode
SLB TCP template
Example
Set the timeout to 10 units of 100 ms (1 second).
ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# force-delete-timeout-100ms 10
half-close-idle-timeout
Description
Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the
server sends a FIN but the client does not reply with an ACK.
Syntax
[no] half-close-idle-timeout num
Parameter
Description
num
Number of seconds (60-15000).
Default
Not set; half-closed TCP sessions are kept open indefinitely.
Mode
SLB TCP template
Example
Set the timeout to 60 seconds.
ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# half-close-idle-timeout 60
half-open-idle-timeout
Description
Enables aging of half-open TCP sessions. A half-open TCP session is one in which the client
receives a SYN-ACK, but does not reply with an ACK.
Syntax
[no] half-open-idle-timeout num
Parameter
Description
num
Number of seconds (1-60).
Default
Not set.
Mode
SLB TCP template
Example
Set the timeout to 60 seconds.
ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# half-open-idle-timeout 60
idle-timeout
Description
Specifies the number of seconds that a connection can be idle before the ACOS device terminates the connection.
Syntax
[no] idle-timeout num
Parameter
Description
num
Number of seconds (1-2097151, about 24 days).
If you specify 31 seconds or higher, ACOS rounds up to the next
multiple of 60 seconds.
Default
120 seconds
Mode
SLB TCP template
Example
Set the idle timeout to 60 seconds.
ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# idle-timeout 60
initial-window-size
Description
Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN
ACK or ACK packet specifies the amount of data that a client can send before it needs to
receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN
ACK, the ACOS device does not modify the TCP window size for any other packets in the
session.
By default, the ACOS device uses the TCP window size set by the client or server.
Syntax
[no] initial-window-size num
Parameter
Description
num
Window size in bytes (1-65535).
Mode
SLB TCP template
Example
Set the initial TCP window size to 256.
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# initial-window-size 256
insert-client-ip
Description
Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client IP address, but that
do not use HTTP or another protocol such as Financial Information eXchange (FIX) that can
include this information.
For example, insertion of the client IP address into the TCP header can be useful for financial
applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a TCP option field of type
0x1c, with a length of 7 bytes. For example, the value placed by ACOS into the TCP header for
client 40.40.40.26 is 0x1c07012828281a.
Syntax
[no] insert-client-ip
Default
Not enabled
Mode
SLB TCP template
Example
Enable this feature.
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# insert-client-ip
lan-fast-ack
Description
Increases performance of bidirectional peer sessions by acknowledging receipt of data on
behalf of clients and servers.
Syntax
[no] lan-fast-ack
Default
Not enabled
Mode
SLB TCP template
Example
Enable this feature.
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# lan-fast-ack
qos
Description
Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic.
Syntax
[no] qos num
Parameter
Description
num
You can set a value between 1 and 63. Based on the value you
specify, ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Differentiated Services Code Point (DSCP)
value in the IP header to the value you specify.
• Layer 2 marking – ACOS sets the 802.1p priority value in the MAC
header to the value you specify, divided by 9 (the 802.1p field is 3 bits, so 63 maps to 7).
Mode
SLB TCP template
Example
Set the QOS value to 63:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# qos 63
reset-fwd
Description
Sends a TCP RST to the real server after a session times out.
Syntax
[no] reset-fwd
Default
Not enabled.
Mode
SLB TCP template
Example
Enable this feature:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# reset-fwd
reset-rev
Description
Sends a TCP RST to the client after a session times out.
NOTE:
This command does not send an RST if a server selection failure occurs. To do this,
use the reset-on-server-selection-fail option at the configuration level
for the service group or virtual port.
Syntax
[no] reset-rev
Default
Not enabled.
Mode
SLB TCP template
Example
Enable this feature:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# reset-rev
Config Commands: SLB TCP Proxy Templates
This chapter describes the commands and subcommands for configuring SLB TCP Proxy templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB TCP Proxy Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB TCP Proxy templates:
• slb template tcp-proxy
slb template tcp-proxy
Description
Configure TCP/IP stack parameters.
Syntax
[no] slb template tcp-proxy {default | template-name}
Parameter
Description
default
Edit the default TCP proxy template. This template can be modified
in the same way as any custom template-name you specify.
template-name
Template name (1-31 characters)
This command enters the SLB TCP Proxy Template Configuration Mode Commands for the
specified TCP-Proxy template.
CAUTION:
Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.
Mode
Configuration mode
Usage
The normal form of this command creates a TCP-proxy configuration template. The no form
of this command removes the template.
You can bind only one TCP-proxy template to a virtual port. However, you can bind the same
TCP-proxy template to multiple ports.
Example
The following commands create a TCP-proxy template named “rst” and set the idle timeout
to 3000 seconds. When the idle timeout occurs, the ACOS device sends an RST to the client. If the server goes down, the ACOS device also resets the connection.
ACOS(config)# slb template tcp-proxy rst
ACOS(config-tcp proxy)# idle-timeout 3000
ACOS(config-tcp proxy)# reset-rev
ACOS(config-tcp proxy)# server-down-action RST
SLB TCP Proxy Template Configuration Mode Commands
The following SLB TCP proxy template commands are available:
• ack-aggressiveness
• backend-wscale
• dynamic-buffer-allocation
• fin-timeout
• force-delete-timeout
• force-delete-timeout-100ms
• half-close-idle-timeout
• half-open-idle-timeout
• idle-timeout
• init-cwnd
• initial-window-size
• insert-client-ip
• keepalive-interval
• keepalive-probes
• mss
• nagle
• qos
• receive-buffer
• reno
• reset-fwd
• reset-rev
• retransmit-retries
• syn-retries
• timewait
• transmit-buffer
To access these commands at the SLB TCP proxy template level, enter the slb template tcp-proxy command.
ack-aggressiveness
Description
Specifies the cases in which the ACOS device sends an ACK to the client.
A high ACK aggressiveness helps reduce the delay of interactive client-server applications,
but at a cost of more ACKs.
Syntax
[no] ack-aggressiveness {high | medium | low}
Parameter
Description
high
Send ACK for each packet.
medium
Delayed ACK, with ACK on each packet with PUSH flag.
low
Delayed ACK.
Default
low
Mode
SLB TCP proxy template
Example
Set the ACK aggressiveness level to medium:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# ack-aggressiveness medium
backend-wscale
Description
Specifies the TCP window scaling factor for backend connections to servers.
The TCP window scaling factor is applicable to virtual ports for which the ACOS device acts
as a TCP proxy.
The TCP window scaling factor is used to calculate the TCP receive window, which is the
maximum amount of data (in bytes) the receiver on a TCP connection will buffer. The sender
is not allowed to send more than this amount of data before receiving an acknowledgement
that the data has arrived.
Syntax
[no] backend-wscale num
Parameter
Description
num
Scaling factor (1-14).
Default
1
Mode
SLB TCP proxy template
Example
Set the scaling factor to 3.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# backend-wscale 3
dynamic-buffer-allocation
Description
Optimally adjusts the transmit and receive buffer sizes of TCP-proxy while maintaining a constant sum of combined values.
Syntax
[no] dynamic-buffer-allocation
Default
Not enabled
Mode
SLB TCP proxy template
Example
Enable the feature.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# dynamic-buffer-allocation
fin-timeout
Description
Specifies the number of seconds that a connection can be in the FIN-WAIT or CLOSING state
before the ACOS device terminates the connection.
Syntax
[no] fin-timeout num
Parameter
Description
num
Timeout in seconds (1-60).
Default
5
Mode
SLB TCP proxy template
Example
Set the timeout to 7 seconds.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# fin-timeout 7
force-delete-timeout
Description
Specifies the maximum number of seconds a session can remain active, and forces deletion
of any session that is still active after the specified number of seconds.
This option is useful for small, fast transactions for which the completion time of sessions is
guaranteed. When used in combination with the reset-fwd and reset-rev commands, this
option can help clean up user connections with RSTs instead of allowing the connections to
hang.
Syntax
[no] force-delete-timeout num [alive-if-active]
Parameter
Description
num
Number of seconds (1-31).
alive-if-active
Terminates half-open TCP sessions on the virtual port while
allowing active sessions to continue without being terminated.
Mode
SLB TCP proxy template
Example
Set the timeout to 10 seconds.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# force-delete-timeout 10
force-delete-timeout-100ms
Description
Specifies the maximum time, in units of 100 milliseconds, that a session can remain active, and forces deletion of any session that is still active after that time.
Syntax
[no] force-delete-timeout-100ms num [alive-if-active]
Parameter
Description
num
Number of 100ms units (1-31).
alive-if-active
Terminates half-open TCP sessions on the virtual port while
allowing active sessions to continue without being terminated.
Mode
SLB TCP proxy template
Example
Set the timeout to 10 units of 100 ms (1 second).
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# force-delete-timeout-100ms 10
half-close-idle-timeout
Description
Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the
server sends a FIN but the client does not reply with an ACK.
Syntax
[no] half-close-idle-timeout num
Parameter
Description
num
Number of seconds (60-120).
Mode
SLB TCP proxy template
Example
Set the timeout to 60 seconds.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# half-close-idle-timeout 60
half-open-idle-timeout
Description
Enables aging of half-open TCP sessions. A half-open TCP session is one in which the client
receives a SYN-ACK, but does not reply with an ACK.
Syntax
[no] half-open-idle-timeout num
Parameter
Description
num
Number of seconds (1-60).
Mode
SLB TCP proxy template
Example
Set the timeout to 60 seconds.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# half-open-idle-timeout 60
idle-timeout
Description
Specifies the number of seconds that a connection can be idle before the ACOS device terminates the connection.
Syntax
[no] idle-timeout num
Parameter
Description
num
Number of seconds (1-2097151, about 24 days).
Default
600 seconds
Mode
SLB TCP proxy template
Usage
See “keepalive-interval” on page 242 for more information about how the idle timeout and
keepalive values are related.
Example
Set the idle timeout to 60 seconds.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# idle-timeout 60
init-cwnd
Description
Specifies the initial congestion window: the maximum number of unacknowledged packets the ACOS device can send on a new TCP connection before it must receive an ACK.
A large initial congestion-control window size helps reduce HTTP response latency,
especially for short web pages.
Syntax
[no] init-cwnd num
Parameter
Description
num
Number of unacknowledged packets (1-15).
Default
10
Mode
SLB TCP proxy template
Example
Set the initial congestion-window size to 12.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# init-cwnd 12
initial-window-size
Description
Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN
ACK or ACK packet specifies the amount of data that a client can send before it needs to
receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN
ACK, the ACOS device does not modify the TCP window size for any other packets in the
session.
By default, the ACOS device uses the TCP window size set by the client or server:
• If the virtual port is one of the service types that is proxied by the ACOS device, initial
TCP window size applies to SYN ACKs generated by the ACOS device and sent to clients. By default, the ACOS device uses the TCP window size in the client’s SYN. The following service types are proxied by the ACOS device: HTTP, HTTPS, Fast-HTTP, SSL-proxy, and SMTP.
• If the virtual port is not one of the service types that is proxied by the ACOS device (for
example, the tcp service type), initial TCP window size applies to SYN ACKs generated
by servers and forwarded by the ACOS device to clients. By default, the ACOS device
uses the TCP window size in the server’s SYN ACK.
NOTE:
If SYN cookies are enabled, either globally or on the virtual service port, the ACOS
device acts as a TCP proxy even though the service type is not normally proxied. In
this case, the behavior is the same as for any of the other service types that are TCP-proxied
by the ACOS device.
Syntax
[no] initial-window-size num
Parameter
Description
num
Window size in bytes (1-65535).
Mode
SLB TCP proxy template
Example
Set the initial TCP window size to 256.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# initial-window-size 256
insert-client-ip
Description
Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client IP address, but that
do not use HTTP or another protocol such as Financial Information eXchange (FIX) that can
include this information.
For example, insertion of the client IP address into the TCP header can be useful for financial
applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a TCP option field of type
0x1c, with a length of 7 bytes. For example, the value placed by ACOS into the TCP header for
client 40.40.40.26 is 0x1c07012828281a.
Syntax
[no] insert-client-ip
Default
Not enabled
Mode
SLB TCP proxy template
Example
Enable this feature.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# insert-client-ip
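The insert-client-ip description here and in the SLB TCP template chapter both give the on-the-wire layout of the option (kind 0x1c, length 7, a 0x01 byte, then the IPv4 address, so 0x1c07012828281a for 40.40.40.26) but not what a backend should do with it. The following Python is an added example that serves both passages; it is not ACOS code. It builds the option exactly as shown, parses a TCP options area (including the standard MSS and window-scale options that mss and backend-wscale tune), and extracts the client address. Two things in it go beyond the page and are the editor's own: the meaning of the 0x01 byte is not documented here, so it is treated only as a marker that must be present, and the kind number 0x1c (28) is the one IANA assigns to the TCP User Timeout option of RFC 5482, so the parser tells the two layouts apart by length. The constructed SAMPLE_OPTIONS bytes are invented for the example.

```python
"""Builder and parser for the TCP option that insert-client-ip adds (kind 0x1c,
length 7, a 0x01 byte, then the IPv4 address), alongside the standard MSS and
window-scale options. Added example; not ACOS code. The option layout is taken
from the worked value on this page (0x1c07012828281a for 40.40.40.26); the
meaning of the 0x01 byte is not documented there and is treated as an opaque
marker that must be present."""
import ipaddress
import struct

A10_CLIENT_IP_KIND = 0x1C   # same kind number IANA assigns to the TCP User Timeout option (RFC 5482)
A10_CLIENT_IP_LEN = 7


def build_client_ip_option(ip: str) -> bytes:
    """Encode the client-IP option exactly as the reference shows it."""
    return bytes([A10_CLIENT_IP_KIND, A10_CLIENT_IP_LEN, 0x01]) + ipaddress.IPv4Address(ip).packed


def parse_tcp_options(raw: bytes):
    """Walk the TCP options area and return (kind, payload) pairs.
    Malformed lengths raise rather than being silently skipped: a backend that
    consumes this option should not guess at a truncated or overlapping option."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL: nothing after this is an option
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d without a length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def summarize(raw: bytes) -> dict:
    """Pick out MSS, window scale and the inserted client IP."""
    out = {}
    for kind, payload in parse_tcp_options(raw):
        if kind == 2 and len(payload) == 2:
            out["mss"] = struct.unpack("!H", payload)[0]
        elif kind == 3 and len(payload) == 1:
            out["wscale"] = payload[0]
        elif kind == A10_CLIENT_IP_KIND and len(payload) == 5 and payload[0] == 0x01:
            # A genuine RFC 5482 user-timeout option is length 4, so the length
            # check keeps the two kind-28 layouts apart.
            out["client_ip"] = str(ipaddress.IPv4Address(payload[1:]))
    return out


def extract_client_ip(raw: bytes):
    """Return the inserted client IP as a string, or None if the option is absent.
    Trust this value only on connections that arrived from the ADC: anyone who
    can reach the real server directly can put the same option in its own SYN."""
    return summarize(raw).get("client_ip")


def effective_window(window_field: int, wscale: int) -> int:
    """Receive window after applying the scaling factor (the quantity backend-wscale tunes)."""
    return window_field << wscale


# Constructed options area for a SYN from 40.40.40.26 relayed through the ADC:
# MSS 1460, NOP, window scale 3, the client-IP option, NOP, EOL.
SAMPLE_OPTIONS = (
    bytes([2, 4]) + struct.pack("!H", 1460)
    + bytes([1])
    + bytes([3, 3, 3])
    + build_client_ip_option("40.40.40.26")
    + bytes([1, 0])
)

if __name__ == "__main__":
    print(build_client_ip_option("40.40.40.26").hex())   # 1c07012828281a
    print(summarize(SAMPLE_OPTIONS))
```

On the backend, restrict use of the extracted address to listeners that only the ADC can reach (a host firewall rule or a dedicated server VLAN), since the option carries no integrity protection of its own.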
keepalive-interval
Description
Number of seconds a TCP-proxy session can remain idle before the ACOS device sends a TCP
ACK to the devices on both ends of the session.
Syntax
[no] keepalive-interval num
Parameter
Description
num
Keepalive interval in seconds (60-12000).
Default
Not set
Mode
SLB TCP proxy template
Usage
The keepalive feature for TCP-proxy templates periodically verifies that a TCP-proxy
session is still up on both ends. The keepalive interval sets the number of seconds a
TCP-proxy session can remain idle before the ACOS device sends a TCP ACK to the devices on
both ends of the session, and the keepalive probe count (keepalive-probes) sets the maximum
number of times the ACOS device sends a keepalive ACK before deleting the session.
The ACOS device sends the first keepalive ACK if a session remains idle for the duration of the
keepalive interval:
• If both devices respond with an ACK before the next keepalive interval expires, the
ACOS device resets the keepalive time to 0. This starts a new keepalive interval.
• If either device does not respond with an ACK before the next keepalive interval
expires, the action taken by the ACOS device depends on the setting of the keepalive
probe count.
• Keepalive probe count set to value greater than 1 – The ACOS device sends another
ACK to each device.
- If both devices respond, the ACOS device resets the keepalive time to 0, to begin a
new keepalive interval.
- If either device does not respond, the ACOS device sends another ACK to each
device. This action can be repeated up to the configured maximum number of
probes (the probe count).
• Keepalive probe count set to 1 – The ACOS device does not send new probe ACKs.
Instead, the ACOS device deletes the session.
Relation of Keepalive to Idle-timeout
The keepalive and idle-timeout options work independently of one another.
When the keepalive interval is shorter than the idle timeout, keepalive probes are
triggered before the idle timeout expires.
• If both devices respond with an ACK before either of the following occurs, the keepalive timer and the idle timer are both reset to 0:
- Idle timeout expires – If this occurs, the session is deleted, even if the maximum
number of keepalive probes have not been sent.
- Maximum number of keepalive probes are sent, but at least one of the devices still
does not respond – In this case, the session is deleted even if the idle timeout has
not expired.
If you change the keepalive or idle-timeout settings so that the idle timeout is shorter than
the keepalive interval, the keepalive mechanism is never triggered. The idle timeout always
expires first, causing the session to be deleted. No keepalive probes are ever sent.
Example
Set the keepalive interval to 120 seconds.
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# keepalive-interval 120
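The interaction described above between keepalive-interval, keepalive-probes and idle-timeout is easiest to see by stepping through time. The following Python is an added example, not ACOS code. It models the rules stated on this page: probing starts once the session has been idle for one keepalive interval, a reply from both ends restarts both timers, the session is deleted when either the idle timeout expires or the last probe has gone unanswered for one more interval, and no probe is ever sent when the keepalive interval is not shorter than the idle timeout. The assumptions that peers answer a probe immediately and stop answering at a fixed time are the example's own simplifications.

```python
"""Step-through model of how keepalive-interval, keepalive-probes and
idle-timeout decide when an idle TCP-proxy session is deleted. Added example;
not ACOS code. Time 0 is the moment the session goes idle; peers are assumed to
answer a probe immediately up to `peers_respond_until` and never after it."""
import math


def simulate_idle_session(keepalive, probes, idle_timeout,
                          peers_respond_until=math.inf, horizon=86_400):
    """Return (deleted_at, probes_sent).

    keepalive           keepalive-interval in seconds, or None when not set
    probes              keepalive-probes; 1 means delete after one unanswered probe
    idle_timeout        idle-timeout in seconds
    peers_respond_until both ends answer probes sent at or before this time
    horizon             stop simulating here; deleted_at is None if still alive
    """
    idle_since = 0       # last time both ends were seen (data or a probe reply)
    unanswered = 0       # probes sent since idle_since that got no reply
    probes_sent = 0
    while True:
        idle_expiry = idle_since + idle_timeout
        if keepalive is None:                      # no keepalive: idle timeout alone applies
            return idle_expiry, probes_sent
        next_probe = idle_since + keepalive * (unanswered + 1)
        # Idle timeout fires first (this also covers keepalive >= idle-timeout,
        # where no probe is ever sent).
        if next_probe >= idle_expiry:
            return idle_expiry, probes_sent
        # Every probe sent and the interval after the last one has elapsed.
        if unanswered >= probes:
            return next_probe, probes_sent
        if next_probe > horizon:
            return None, probes_sent
        probes_sent += 1
        if next_probe <= peers_respond_until:
            idle_since = next_probe                # both answered: both timers restart
            unanswered = 0
        else:
            unanswered += 1


def scenarios():
    """The cases discussed in the text, as (description, result) pairs."""
    return [
        ("idle-timeout 600 wins before probe 5 (keepalive 120, probes 5, peers silent)",
         simulate_idle_session(120, 5, 600, peers_respond_until=0)),
        ("probes exhausted first (keepalive 60, probes 3, idle-timeout 600)",
         simulate_idle_session(60, 3, 600, peers_respond_until=0)),
        ("keepalive longer than idle-timeout: never probes (keepalive 120, idle-timeout 60)",
         simulate_idle_session(120, 5, 60, peers_respond_until=0)),
        ("live peers keep an idle session past idle-timeout (answer until t=1000)",
         simulate_idle_session(120, 2, 600, peers_respond_until=1000)),
    ]


if __name__ == "__main__":
    for text, (deleted_at, n) in scenarios():
        print(f"{text}: deleted at {deleted_at}s after {n} probe(s)")
```

The last scenario is the one to keep in mind when sizing idle-timeout: with a keepalive interval shorter than the idle timeout, a session whose peers are alive but silent is never aged out, so the idle timeout no longer bounds how long a connection can occupy a session-table entry.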
keepalive-probes
Description
Maximum number of times the ACOS device sends a keepalive ACK, before deleting the session.
Syntax
[no] keepalive-probes num
Parameter
Description
num
Number of keepalive probes (2-10).
Default
Not set
Mode
SLB TCP proxy template
Example
Send 5 keepalive ACKs before deleting the session:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# keepalive-probes 5
mss
Description
Change the minimum supported TCP Maximum Segment Size (MSS).
Syntax
[no] mss num
Parameter
Description
num
TCP maximum segment size in octets (128-1460).
Default
1460
Mode
SLB TCP proxy template
Example
Set the MSS to 1460:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# mss 1460
nagle
Description
Enables Nagle's algorithm (described in RFC 896), which coalesces small outgoing segments into larger ones to reduce the number of packets sent.
Syntax
[no] nagle
Default
Not enabled
Mode
SLB TCP proxy template
Example
Enable the feature:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# nagle
qos
Description
Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic.
Syntax
[no] qos num
Parameter
Description
num
You can set a value between 1 and 63. Based on the value you
specify, ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Differentiated Services Code Point (DSCP)
value in the IP header to the value you specify.
• Layer 2 marking – ACOS sets the 802.1p priority value in the MAC
header to the value you specify, divided by 9 (the 802.1p field is 3 bits, so 63 maps to 7).
Mode
SLB TCP proxy template
Example
Set the QOS value to 63:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# qos 63
receive-buffer
Description
Specifies the maximum number of bytes addressed to the port that the ACOS device will
buffer.
Syntax
[no] receive-buffer num
Parameter
Description
num
Number of bytes to buffer (1-2147483647).
Default
204800 bytes (200KB)
Mode
SLB TCP proxy template
Example
Set the buffer size to 51200:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# receive-buffer 51200
reno
Description
Enables the TCP Reno congestion control algorithm, and disables Cubic.
Syntax
[no] reno
Default
Not enabled; Cubic is used by default
Mode
SLB TCP proxy template
Example
Enable TCP Reno congestion control algorithm:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# reno
reset-fwd
Description
Sends a TCP RST to the real server after a session times out.
Syntax
[no] reset-fwd
Mode
SLB TCP proxy template
Example
Enable this feature:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# reset-fwd
reset-rev
Description
Sends a TCP RST to the client after a session times out.
Syntax
[no] reset-rev
Mode
SLB TCP proxy template
Example
Enable this feature:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# reset-rev
retransmit-retries
Description
Specifies the maximum number of times the ACOS device can retransmit a data segment for
which the ACOS device does not receive an ACK.
Syntax
[no] retransmit-retries num
Parameter
Description
num
Number of retries (1-20).
Default
5
Mode
SLB TCP proxy template
Example
Configure 3 retry attempts:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# retransmit-retries 3
syn-retries
Description
Specifies the maximum number of times the ACOS device can retransmit a SYN for which
the ACOS device does not receive an ACK.
Syntax
[no] syn-retries num
Parameter
Description
num
Number of retries (1-20).
Default
5
Mode
SLB TCP proxy template
Example
Configure 7 retry attempts:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# syn-retries 7
timewait
Description
Specifies the number of seconds that a connection can be in the TIME-WAIT state before the
ACOS device transitions it to the CLOSED state.
Syntax
[no] timewait num
Parameter
Description
num
Number of seconds (1-60).
Default
5 seconds
Mode
SLB TCP proxy template
Example
Set the timewait interval to 7 seconds:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# timewait 7
transmit-buffer
Description
Specifies the maximum number of bytes sent by the port that the ACOS device will buffer.
Syntax
[no] transmit-buffer num
Parameter
Description
num
Number of bytes to buffer (1-2147483647).
Default
204800 bytes (200KB)
Mode
SLB TCP proxy template
Example
Set the buffer size to 51200 bytes:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# transmit-buffer 51200
Config Commands: SLB UDP Templates
This chapter describes the commands and subcommands for configuring SLB UDP templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB UDP Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB UDP templates:
• slb template udp
slb template udp
Description
Configure UDP connection settings.
Syntax
[no] slb template udp {default | template-name}
Parameter
Description
default
Edit the default SLB UDP template. This template can be modified
in the same way as any custom template-name you specify.
template-name
Template name (1-31 characters)
This command enters the SLB UDP Template Configuration Mode Commands for the
specified UDP template.
CAUTION:
Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.
Mode
Configuration mode
Usage
The normal form of this command creates a UDP configuration template. The no form of this
command removes the template.
You can bind only one UDP template to a virtual port. However, you can bind the same UDP
template to multiple ports.
Example
The following commands create a UDP template named “udp-quickterm” and set session
termination to occur immediately after a response is received:
ACOS(config)# slb template udp udp-quickterm
ACOS(config-l4 udp)# aging immediate
SLB UDP Template Configuration Mode Commands
The following SLB UDP template commands are available:
• aging
• idle-timeout
• qos
• re-select-if-server-down
• stateless-conn-timeout
To access these commands at the SLB UDP template level, enter the slb template udp command.
aging
Description
Specifies how quickly a UDP session is terminated once a response to the request is received, and how long it is kept if no response arrives.
Syntax
[no] aging {immediate | short [seconds]}
Parameter
Description
immediate
• Response Received—Session is terminated within 1 second.
• No Response—Idle timeout value in UDP template is used.
short
• Response Received—Session is terminated within 1 second.
• No Response—Session is terminated after configured short aging
period (1-31 seconds).
NOTE:
It is recommended to explicitly set the aging in UDP templates used for DNS virtual
ports.
Default
Not set by default; the default behavior is:
• Response Received—Behavior depends on the port number:
• Port 53 (default DNS port)—Session is terminated within 1 second.
• Any other port number—Session is terminated after the idle timeout expires.
• No Response—Idle timeout value in UDP template is used.
Mode
SLB UDP template
Example
Configure immediate aging:
ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# aging immediate
idle-timeout
Description
Specifies the number of seconds a connection can remain idle before the ACOS device terminates the connection.
Syntax
[no] idle-timeout num
Parameter
Description
num
Idle timeout value in seconds (1-2097151, which is about 24 days).
NOTE:
The maximum idle timeout supported for TFTP virtual ports is 15300 seconds (255
minutes).
Default
120 seconds
Mode
SLB UDP template
Example
Set the idle timeout to 300 seconds (5 minutes):
ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# idle-timeout 300
qos
Description
Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic.
Syntax
[no] qos num
Parameter
Description
num
You can set a value between 1 and 63. Based on the value you specify,
ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Differentiated Services Code Point (DSCP)
value in the IP header to the value you specify.
• Layer 2 marking – ACOS sets the 802.1p value in the MAC header to
the value you specify, divided by 9.
Mode
SLB UDP template
Example
Set the QOS value to 54:
ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# qos 54
re-select-if-server-down
Description
Configures the ACOS device to select another real server if the server that is bound to an
active connection goes down. Without this option, another server is not selected.
Syntax
[no] re-select-if-server-down
Default
Not enabled.
Mode
SLB UDP template
Example
Enable the feature.
ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# re-select-if-server-down
stateless-conn-timeout
Description
Sets the timeout, in seconds, for stateless UDP connections.
Syntax
[no] stateless-conn-timeout num
Parameter
Description
num
Stateless connection timeout value in seconds (5-120).
Default
120 seconds
Mode
SLB UDP template
Example
Set the stateless connection timeout to 60 seconds.
ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# stateless-conn-timeout 60
Config Commands: SLB Virtual Port Templates
This chapter describes the commands and subcommands for configuring SLB virtual port templates.
The following sections are available in this chapter:
• Global Configuration Commands
• SLB Virtual Port Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Commands
The following global configuration mode command is available to configure SLB virtual port templates:
• slb template virtual-port
slb template virtual-port
Description
Configure a template of SLB settings for virtual service ports.
Syntax
[no] slb template virtual-port {default | template-name}
Parameter
Description
default
Edit the default virtual port template. This template can be modified in the same way as any custom template-name you specify.
template-name
Template name (1-31 characters)
This command enters the SLB Virtual Port Template Configuration Mode Commands for the
specified Virtual-Port template.
CAUTION:
Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.
Mode
Configuration mode
Usage
The normal form of this command creates a virtual service port template. The no form of this
command removes the template.
You can bind only one virtual service port template to a virtual service port. However, you
can bind the virtual service port template to multiple virtual service ports.
Some of the parameters that can be set using a template can also be set or changed on the
individual virtual port.
• If a parameter is set (or changed from its default) in both a template and on the individual virtual port, the setting on the individual virtual port takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or
changed from its default on the individual virtual port, the setting in the template takes
precedence.
Example
The following commands configure a virtual service port template named “common-vpsettings”, set the connection limit, and bind the template to a virtual port:
ACOS(config)# slb template virtual-port common-vpsettings
ACOS(config-vport)# conn-limit 500000
ACOS(config-vport)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.99
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template virtual-port common-vpsettings
Example
The following commands create real servers “s1” at 5.5.5.1 (with a real port range of 10), real
server “s2” at 5.5.5.2 (with a range of 25), and real server “s3” at 5.5.5.3 (which does not have a
range configured and will not be used for this feature). These real servers are then bound to a
service group “sg1”, which is, in turn, bound to a VIP (“vip3”) at 10.10.10.0 /24. A virtual port
template “vport1” is created with the allow-vip-to-rport-mapping option, and
the template is bound to “vip3”.
ACOS(config)# slb server s1 5.5.5.1
ACOS(config-real server)# port 80 tcp range 10
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb server s2 5.5.5.2
ACOS(config-real server)# port 80 tcp range 25
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb server s3 5.5.5.3
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)#
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s3 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit
ACOS(config)#
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# allow-vip-to-rport-mapping
ACOS(config-vport)# exit
ACOS(config)#
ACOS(config)# slb virtual-server vip3 10.10.10.0 /24
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# service-group sg1
ACOS(config-slb vserver-vport)# template virtual-port vport1
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# port 90 http
ACOS(config-slb vserver-vport)# service-group sg1
ACOS(config-slb vserver-vport)# template virtual-port vport1
ACOS(config-slb vserver-vport)# exit
SLB Virtual Port Template Configuration Mode Commands
The following SLB virtual port template commands are available:
• aflow
• allow-syn-otherflags
• allow-vip-to-rport-mapping
• conn-limit
• conn-rate-limit
• drop-unknown-conn
• dscp
• ignore-tcp-msl
• reset-l7-on-failover
• reset-unknown-conn
• snat-msl
• snat-port-preserve
To access these commands at the SLB virtual-port template level, enter the slb template virtual-port command.
aflow
Description
Enables aFlow control. aFlow helps avoid packet drops and retransmissions when a real
server port reaches its configured connection limit. aFlow control is triggered when either of
the following occurs:
• If connection limit is configured on the real server or real port – The backend real server
or real port reaches its configured connection limit.
• If connection limit is not configured on the real server or real port – The response time
of the backend real server or real port increases dramatically. The response time is the
time between when the ACOS device forwards a request to the server and when the ACOS
device receives the first reply packet from the server.
NOTE:
In the current release, it is recommended to use the first method for triggering
aFlow, by configuring connection limits on the real servers or real ports. The second
method of triggering aFlow is still being refined and is considered to be in Beta status.
When aFlow is enabled, the ACOS device queues HTTP/HTTPS packets from clients when a
server port reaches a configured connection limit, instead of dropping them. The ACOS
device then monitors the port, and begins forwarding the queued packets when
connections become available again. To prevent flooding of the port, the ACOS device
forwards the queued packets at a steady rate.
aFlow applies only to HTTP and HTTPS virtual ports.
Syntax
[no] aflow
Default
Not enabled.
Mode
SLB virtual-port template
Example
Enable this feature:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# aflow
allow-syn-otherflags
Description
Allows an initial SYN packet that also has other TCP flags set.
Syntax
[no] allow-syn-otherflags
Default
Not enabled.
Mode
SLB virtual-port template
Example
Enable this feature:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# allow-syn-otherflags
allow-vip-to-rport-mapping
Description
Enables the VIP to Real Port Mapping feature for a subnet VIP.
NOTE:
The virtual port template containing this option must be bound to the VIP, and the
VIP itself must use a subnet for the last octet (for example, 10.10.10.0 /24), or the feature will not work.
Syntax
[no] allow-vip-to-rport-mapping
Default
Not enabled.
Mode
SLB virtual-port template
Example
Enable this feature:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# allow-vip-to-rport-mapping
conn-limit
Description
Specifies the maximum number of connections allowed on virtual ports that use this template.
Syntax
[no] conn-limit connections [reset] [no-logging]
Parameter
Description
connections
Maximum number of concurrent connections, 0-8000000.
reset
Specify the action to take for connections after the connection limit is
reached on the virtual port. By default, excess connections are
dropped. If you specify reset, the excess connections are reset
instead.
no-logging
Disable logging when this feature is enabled.
Default
Not configured by default.
Mode
SLB virtual-port template
Usage
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active
connections.
Example
Configure a connection limit of 10000 concurrent connections, and disable logging:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# conn-limit 10000 no-logging
conn-rate-limit
Description
Limits the rate of new connections the ACOS device is allowed to send to virtual ports that
use this template. When a virtual port reaches its connection limit, the ACOS device stops
selecting the port for client requests.
Syntax
[no] conn-rate-limit connections
[per {100ms | 1sec}] [reset] [no-logging]
Parameter
Description
connections
Maximum number of new connections allowed per interval. You can specify 1-1048575 connections.
per {100ms | 1sec}
Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).
reset
Send a reset (RST) to a client after the connection rate has been exceeded. By default (without
this option), the ACOS device silently drops the request.
If you configure a limit for a virtual server and also for an individual port, the ACOS device uses
the lower limit.
no-logging
Disable logging when this feature is enabled.
Default
Not configured by default.
Mode
SLB virtual-port template
Usage
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active
connections.
Example
Configure a connection rate limit of 10000 connections per second, and disable logging:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# conn-rate-limit 10000 no-logging
drop-unknown-conn
Description
Drops a TCP packet that has neither the SYN nor the RST flag set and does not belong to any
existing connection.
Syntax
[no] drop-unknown-conn
Default
Not enabled.
Mode
SLB virtual-port template
Example
Enable this feature:
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# drop-unknown-conn
dscp
Description
Sets the Differentiated Services Code Point (DSCP) value in client requests before forwarding
them to the server.
Syntax
[no] dscp num
Parameter
Description
num
You can set the DSCP value to 1-63.
Mode
SLB virtual-port template
Example
Set the DSCP value to 63:
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# dscp 63
ignore-tcp-msl
Description
Immediately reuses TCP sockets after session termination, without waiting for the SLB Maximum Segment Life (MSL) time to expire.
Syntax
[no] ignore-tcp-msl
Default
Not enabled.
Mode
SLB virtual-port template
Example
Enable this feature:
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# ignore-tcp-msl
reset-l7-on-failover
Description
Resets a Layer 7 connection upon failover.
Syntax
[no] reset-l7-on-failover
Default
Not enabled.
Mode
SLB virtual-port template
Example
Enable this feature:
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# reset-l7-on-failover
reset-unknown-conn
Description
Enables sending of a TCP Reset (RST) in response to a session mismatch. A session mismatch
occurs when the ACOS device receives a TCP packet for a TCP session that is not in the active
session table on the ACOS device.
Syntax
[no] reset-unknown-conn
Default
Not enabled.
Mode
SLB virtual-port template
Example
Enable this feature:
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# reset-unknown-conn
snat-msl
Description
Set the Maximum Segment Life (MSL) for source-NAT connections. This option is useful for
servers that have older TCP/IP stacks, which wait up to 240 seconds (4 minutes) after a FIN
before the endpoint can enter a new connection.
Syntax
[no] snat-msl seconds
Parameter
Description
seconds
You can set the MSL to 1-1800 seconds.
Mode
SLB virtual-port template
Example
Set the source-NAT MSL to 45 seconds.
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# snat-msl 45
snat-port-preserve
Description
Attempts to preserve the client’s source port for traffic destined for the virtual port.
Syntax
[no] snat-port-preserve
Default
Not enabled.
Mode
SLB virtual-port template
Usage
Notes about this feature:
• Port preservation is not always guaranteed and is performed on a best-effort basis.
• Port preservation does not work for FTP active mode sessions.
• Port preservation works only if source NAT is enabled for the virtual port.
Example
Enable this feature:
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# snat-port-preserve
Config Commands: SLB Virtual Server Templates
This chapter describes the commands and subcommands for configuring SLB virtual server templates.
The following sections are available in this chapter:
• Global Configuration Mode Commands
• SLB Virtual Server Template Configuration Mode Commands
To apply a template to a virtual port, use the template command at the configuration level for the virtual port.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
DNS templates have the highest priority and are used first, followed by policy templates. Then the other types of templates
are used as applicable.
Global Configuration Mode Commands
The following global configuration mode command is available to configure SLB virtual server templates:
• slb template virtual-server
slb template virtual-server
Description
Configure a template of SLB settings for virtual servers.
Syntax
[no] slb template virtual-server {default | template-name}
Parameter
Description
default
Edit the default virtual server template. This template can be modified in the same way as any custom template-name you specify.
template-name
Template name (1-31 characters)
This command enters the SLB Virtual Server Template Configuration Mode Commands for
the specified Virtual-Server template.
CAUTION:
Before changing a default template, make sure the changes you plan to make are
applicable to all virtual ports that use the template.
Mode
Configuration mode
Usage
The normal form of this command creates a virtual server template. The no form of this command removes the template.
You can bind only one virtual server template to a virtual server. However, you can bind the
virtual server template to multiple virtual servers.
Some of the parameters that can be set using a template can also be set or changed on the
individual virtual server:
• If a parameter is set (or changed from its default) in both a template and on the individual virtual server, the setting on the individual virtual server takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or
changed from its default on the individual virtual server, the setting in the template
takes precedence.
Example
The following commands configure a virtual server template called “vs-tmplt1” that sets
ICMP rate limiting and bind the template to a virtual server:
ACOS(config)# slb template virtual-server vs-tmplt1
ACOS(config-vserver)# icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.2
ACOS(config-slb virtual server)# template virtual-server vs-tmplt1
SLB Virtual Server Template Configuration Mode Commands
The following SLB virtual server template commands are available:
• conn-limit
• conn-rate-limit
• icmp-rate-limit
• icmpv6-rate-limit
• subnet-gratuitous-arp
To access these commands at the SLB virtual-server template level, enter the slb template virtual-server command.
conn-limit
Description
Specifies the maximum number of connections allowed on virtual servers that use this template.
Syntax
[no] conn-limit connections [reset] [no-logging]
Parameter
Description
connections
Maximum number of concurrent connections, 0-8000000.
reset
Specify the action to take for connections after the connection limit is reached on the virtual
server. By default, excess connections are dropped. If you specify reset, the excess connections are reset instead.
no-logging
Disable logging when this feature is enabled.
Default
Not configured by default.
Mode
SLB virtual-server template
Usage
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active
connections.
Example
Configure a connection limit of 10000 concurrent connections, and disable logging:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# conn-limit 10000 no-logging
conn-rate-limit
Description
Limits the rate of new connections the ACOS device is allowed to send to servers that use
this template. When a real server reaches its connection limit, the ACOS device stops selecting the server for client requests.
Syntax
[no] conn-rate-limit connections
[per {100ms | 1sec}] [reset] [no-logging]
Parameter
Description
connections
Maximum number of new connections allowed on a server per interval. You can specify 1-1048575 connections.
per {100ms | 1sec}
Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).
reset
Send a reset (RST) to a client after the connection rate has been exceeded. By default (without
this option), the ACOS device silently drops the request.
If you configure a limit for a server and also for an individual port, the ACOS device uses the
lower limit.
no-logging
Disable logging when this feature is enabled.
Default
Not configured by default.
Mode
SLB virtual-server template
Usage
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active
connections.
Example
Configure a connection rate limit of 10000 connections per second, and disable logging:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# conn-rate-limit 10000 no-logging
icmp-rate-limit
Description
Configures ICMP (v4) rate limiting for the virtual server, to protect against denial-of-service
(DoS) attacks.
Syntax
[no] icmp-rate-limit normal-rate [lockup max-rate lockup-time]
Parameter
Description
normal-rate
Maximum number of ICMP packets allowed per second. If the virtual
server receives more than the normal rate of ICMP packets, the excess
packets are dropped until the next one-second interval begins. The
normal rate can be 1-65535 packets per second.
max-rate
Maximum number of ICMP packets allowed per second before the
ACOS device locks up ICMP traffic to the virtual server. When ICMP
traffic is locked up, all ICMP packets are dropped until the lockup
expires. The maximum rate can be 1-65535 packets per second. The
maximum rate must be larger than the normal rate.
lockup-time
Number of seconds for which the ACOS device drops all ICMP traffic to
the virtual server, after the maximum rate is exceeded. The lockup
time can be 1-16383 seconds.
Default
By default, this is not set. If you enable it, specifying a maximum rate (lockup rate) and lockup
time is optional. If you do not specify them, lockup does not occur.
Mode
SLB virtual-server template
Example
Configure ICMP rate limiting to allow 5000 packets per second.
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# icmp-rate-limit 5000
icmpv6-rate-limit
Description
Configures ICMPv6 rate limiting for the virtual server, to protect against denial-of-service
(DoS) attacks.
Syntax
[no] icmpv6-rate-limit normal-rate [lockup max-rate lockup-time]
Parameter
Description
normal-rate
Maximum number of ICMPv6 packets allowed per second. If the virtual server receives more than the normal rate of ICMPv6 packets, the
excess packets are dropped until the next one-second interval begins.
The normal rate can be 1-65535 packets per second.
max-rate
Maximum number of ICMPv6 packets allowed per second before the
ACOS device locks up ICMPv6 traffic to the virtual server. When
ICMPv6 traffic is locked up, all ICMPv6 packets are dropped until the
lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be larger than the normal rate.
lockup-time
Number of seconds for which the ACOS device drops all ICMPv6 traffic
to the virtual server, after the maximum rate is exceeded. The lockup
time can be 1-16383 seconds.
Default
By default, this is not set. If you enable it, specifying a maximum rate (lockup rate) and lockup
time is optional. If you do not specify them, lockup does not occur.
Mode
SLB virtual-server template
Example
Configure ICMPv6 rate limiting to allow 5000 packets per second.
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# icmpv6-rate-limit 5000
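As an added illustration (not ACOS code), the following Python model applies the normal-rate, max-rate and lockup-time semantics described for icmp-rate-limit and icmpv6-rate-limit to a constructed packet timeline. It assumes the lockup timer starts the moment the maximum rate is exceeded, which the reference does not state.

```python
"""Model of the icmp-rate-limit / icmpv6-rate-limit policy (added illustration,
not ACOS code): a per-one-second counter, an optional lockup threshold, and a
lockup timer during which every ICMP packet to the virtual server is dropped."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class IcmpRateLimitPolicy:
    """Settings of '[no] icmp-rate-limit normal-rate [lockup max-rate lockup-time]'."""
    normal_rate: int
    max_rate: Optional[int] = None     # lockup max-rate, packets per second
    lockup_time: Optional[int] = None  # lockup duration, seconds

    def __post_init__(self) -> None:
        # Ranges and the ordering constraint are the ones given in the reference.
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("normal-rate must be 1-65535")
        if (self.max_rate is None) != (self.lockup_time is None):
            raise ValueError("lockup requires both max-rate and lockup-time")
        if self.max_rate is not None:
            if not 1 <= self.max_rate <= 65535:
                raise ValueError("max-rate must be 1-65535")
            if not 1 <= self.lockup_time <= 16383:
                raise ValueError("lockup-time must be 1-16383")
            if self.max_rate <= self.normal_rate:
                raise ValueError("max-rate must be larger than normal-rate")


class IcmpRateLimiter:
    """Per-virtual-server state: the current one-second counter plus lockup expiry."""

    def __init__(self, policy: IcmpRateLimitPolicy) -> None:
        self.policy = policy
        self._interval = None      # one-second interval currently being counted
        self._seen = 0             # packets seen in that interval
        self._locked_until = 0.0   # timestamp at which a lockup expires

    def handle(self, ts: float) -> str:
        """Classify one ICMP packet arriving at time ts (seconds).

        Returns 'forward', 'drop' (over normal-rate; dropped until the next
        one-second interval) or 'lockup' (all ICMP dropped until expiry).
        Assumption: the lockup timer starts when max-rate is exceeded.
        """
        if ts < self._locked_until:
            return "lockup"
        interval = int(ts)
        if interval != self._interval:      # new one-second interval: reset count
            self._interval, self._seen = interval, 0
        self._seen += 1
        pol = self.policy
        if pol.max_rate is not None and self._seen > pol.max_rate:
            self._locked_until = ts + pol.lockup_time
            return "lockup"
        if self._seen > pol.normal_rate:
            return "drop"
        return "forward"


def simulate(policy: IcmpRateLimitPolicy, arrivals: Iterable[float]) -> Dict[str, int]:
    """Run an arrival timeline through the limiter and tally the outcomes."""
    limiter = IcmpRateLimiter(policy)
    return dict(Counter(limiter.handle(ts) for ts in arrivals))


# Constructed timeline (not captured traffic): a 12-packet burst inside the
# first second, then one packet per second for four seconds.
BURST_THEN_TRICKLE = [i * 0.05 for i in range(12)] + [1.0, 2.0, 3.0, 4.0]

if __name__ == "__main__":
    # normal-rate only: excess burst packets are dropped, later packets pass
    print(simulate(IcmpRateLimitPolicy(5), BURST_THEN_TRICKLE))
    # with lockup: the burst trips max-rate and ICMP stays closed for 3 seconds
    print(simulate(IcmpRateLimitPolicy(5, max_rate=10, lockup_time=3), BURST_THEN_TRICKLE))
```

Running it shows that one burst above max-rate silences ICMP to the VIP for every client for the whole lockup-time, which is the trade-off to weigh when choosing the lockup values.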
subnet-gratuitous-arp
Description
Enables gratuitous ARPs for all VIPs in subnet VIPs. A subnet VIP is a range of VIPs created from
a range of IP addresses within a subnet.
NOTE:
This option applies only to VIPs that are created using a range of subnet IP
addresses. The option has no effect on VIPs created with a single IP address.
Syntax
[no] subnet-gratuitous-arp
Default
This is disabled by default; the ACOS device sends gratuitous ARPs for only the first IP address
in a subnet VIP.
Mode
SLB virtual-server template
Example
Send a gratuitous ARP for every IP in the subnet virtual server.
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# subnet-gratuitous-arp
Config Commands: SLB Servers
This chapter describes the commands for configuring SLB servers.
NOTE:
The commands in this chapter apply to real servers, not to virtual servers. To configure
virtual servers, see “Config Commands: SLB Virtual Servers” on page 307.
The following commands are available:
• alternate
• conn-limit
• conn-resume
• disable
• disable-with-health-check
• enable
• extended-stats
• external-ip
• health-check
• health-check-disable
• ipv6
• port
• slow-start
• spoofing-cache
• stats-data-disable
• stats-data-enable
• template server
• weight
To access this configuration level, enter the slb server server-name command at the global Config level. For example:
ACOS(config)# slb server s1
ACOS(config-real server)#
To display configured servers, use the show slb server command.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
alternate
Description
Assign an alternate server as a dedicated backup for a primary server.
Syntax
[no] alternate sequence-num server-name
Parameter
Description
sequence-num
Priority of the server as a backup. You can specify 1-16.
server-name
Name of the alternate server.
Default
Not set
Mode
Real server
Usage
You can assign up to 16 alternate servers to a primary server. Only 1 alternate server for a
given primary server can be active at a time.
This feature places an alternate server into service only if the primary server goes down.
Other features such as connection limiting or connection-rate limiting cannot cause an
alternate server to be used.
Do not add alternate servers to the service group.
For more information, see the “Alternate Servers for Server-specific Backup” chapter in the
Application Delivery and Server Load Balancing Guide.
conn-limit
Description
Specify the maximum number of concurrent connections allowed on a real server.
Syntax
[no] conn-limit max-connections
Replace max-connections with the maximum number of concurrent connections allowed
on the server. You can specify 1-8000000 (eight million).
Default
8000000
Mode
Real server
Usage
If you set a connection limit, it is recommended that you also set the conn-resume interval.
(See “conn-resume” on page 275.)
You also can set the connection limit on individual protocol ports. In this case, the limit
specified for the port overrides the limit set at the server level.
Example
The following command sets the connection limit to 10,000:
ACOS(config)#slb server rs123
ACOS(config-real server)#conn-limit 10000
conn-resume
Description
Specify the maximum number of connections the server can have before the ACOS device
resumes use of the server. Use does not resume until the number of connections reaches the
configured maximum or less.
Syntax
[no] conn-resume connections
Replace connections with the maximum number of connections the server can have before
the ACOS device resumes use of the server. You can specify 1-1000000 (1 million)
connections.
Default
By default, this option is not set. The ACOS device is allowed to start sending new connection requests to the server as soon as the number of connections on the server falls back
below the connection limit threshold set by the conn-limit command.
Mode
Real server
Usage
You also can set the conn-resume value on individual protocol ports. In this case, the value
specified for the port overrides the value set at the server level.
Example
The following command sets the conn-resume option to 500,000 connections:
ACOS(config)#slb server rs123
ACOS(config-real server)#conn-resume 500000
disable
Description
Disable a real server.
Syntax
[no] disable
Default
Enabled
Mode
Real server
Example
The following commands disable a server named “rs123”:
ACOS(config)#slb server rs123
ACOS(config-real server)#disable
disable-with-health-check
Description
Disable a service-group member from normal server selection, but still maintain the health
of the server.
This feature is ideal if you periodically need to take active servers out of service pools for
maintenance, but this maintenance is done through a remote client. The feature allows you
to access these servers using the same front-end VIP in the presence of a persistent cookie
template or LB::reselect aFleX command.
This feature is available in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 and later.
Syntax
disable-with-health-check
Default
This feature is not enabled by default.
Mode
Real server
Usage
In addition to real server configuration mode, this command is also available from the following modes:
• Real server port configuration (see “port” on page 279)
• Service-group member (see “member” on page 291)
Example
The following example configures health monitor “hm1” to use the ICMP transparent health
method, and applies the monitor to a TCP port on real server “realserver1”. The disable-with-health-check option is enabled at the SLB server configuration level.
ACOS(config)#health monitor hm1
ACOS(config-health:monitor)#method icmp transparent 1.0.0.1
ACOS(config-health:monitor)#exit
ACOS(config)#slb server realserver1 10.1.1.2
ACOS(config-real server)#disable-with-health-check
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#health-check hm1
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member realserver1 80
ACOS(config-slb svc group-member:80)#
enable
Description
Re-enable a real server.
Syntax
[no] enable
Default
Enabled
Mode
Real server
Example
The following commands re-enable a disabled server named “rs123”:
ACOS(config)#slb server rs123
ACOS(config-real server)#enable
extended-stats
Description
Enable collection of peak connection statistics for a server.
Syntax
[no] extended-stats
Default
Disabled
Mode
Real server
external-ip
Description
Assign an external Network Address Translation (NAT) IP address to the server. The external IP
address allows a server that has an internal IP address to be reached from outside the internal network.
Syntax
[no] external-ip ipaddr
Default
None
Mode
Real server
Example
The following commands configure external IP address 192.168.10.11 on real server “rs123”:
ACOS(config)#slb server rs123
ACOS(config-real server)#external-ip 192.168.10.11
health-check
Description
Enable health monitoring for a server.
Syntax
[no] health-check monitor-name
Replace monitor-name with the name of a configured health monitor.
If you omit this command, the default ICMP health monitor is used. (See below.)
Default
ICMP ping (echo request), sent every 5 seconds. If the ping fails 4 times consecutively (the
first attempt followed by 3 retries), the ACOS device sets the server state to DOWN.
Mode
Real server
Usage
Entering the command at this level enables Layer 3 health checking. The monitor you specify
must use the ICMP method.
Example
The following command sets a server to use the “RUthere” health monitor:
ACOS(config)#slb server rs123
ACOS(config-real server)#health-check RUthere
health-check-disable
Description
Disable health monitoring of the server.
Syntax
[no] health-check-disable
Default
The default Layer 3 health method (ping) is used by default.
ipv6
Description
Assign an IPv6 address to the real server for GSLB.
Syntax
[no] ipv6 ipv6addr
Default
None
Mode
Real server
port
Description
Configure a TCP or UDP port on a server.
Syntax
[no] port port-num {tcp | udp} [range num]
Parameter
Description
port-num
Protocol port number, 0-65534.
NOTE: Port number 0 is a wildcard port used for IP protocol load balancing. (For more information, see the “IP Protocol Load Balancing”
chapter of the Application Delivery and Server Load Balancing Guide.)
tcp | udp
Protocol type.
NOTE: If you are configuring a port for NetFlow, use UDP. TCP is not
supported for NetFlow.
range num
Specifies the range of real ports you want to create within the real
server configuration. This value can range from 0-254.
NOTE: The port number (port-num) specified will be the base number
for the range of real ports.
This command changes the CLI to the configuration level for the specified port, where the
following port-related commands are available:
Command
Description
[no] alternate sequence-num
server-name port portnum
Configure an alternate port for the primary port. The sequence-num can be 1-16; server-name is the name of the alternate server. (For more information, see “Dedicated Backups for Real
Server Ports” in the Application Delivery and Server Load Balancing Guide.)
[no] conn-limit
max-connections
Specifies the maximum number of concurrent connections allowed on the
server for this port, 0-8000000 (eight million).
The default is 8000000.
[no] conn-resume
connections
Specifies the maximum number of connections the service port can have
before the ACOS device resumes use of the port. Use does not resume until the
number of connections reaches the configured maximum or less. You can
specify 1-1000000 (1 million) connections.
By default, this option is not set. The ACOS device is allowed to start sending
new connection requests to the service port as soon as the number of connections on the port falls back below the connection limit threshold set by the
conn-limit command.
disable
Disables the port.
disable-with-health-check
Disable the member service port, but maintain the server’s health check status.
This feature is introduced in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 to allow
you to disable a service-group member’s port from normal server selection, but
still maintain the health of the server.
This feature is ideal if you periodically need to take active servers out of service
pools for maintenance, but this maintenance is done through a remote client.
The feature allows you to access these servers using the same front-end VIP in
the presence of a persistent cookie template or LB::reselect aFleX command.
enable
Enables the port.
[no] extended-stats
Enables collection of SLB peak connection statistics for the port.
[no] health-check monitor-name
Enables health monitoring of the port. The monitor-name specifies the name of
a configured health monitor.
If you omit this command or you enter it without the monitor-name option, the
default TCP or UDP health monitor is used:
• TCP – Every 5 seconds, the ACOS device sends a connection request (TCP
SYN) to the specified TCP port on the server. The port passes the health
check if the server replies to the ACOS device by sending a TCP SYN ACK.
• UDP – Every 5 seconds, the ACOS device sends a packet with a valid UDP
header and a garbage payload to the UDP port. The port passes the health
check if the server either does not reply, or replies with any type of packet
except an ICMP Error message.
[no] health-check-follow-port port-num {tcp | udp}
Specifies another real port upon which to base this port’s health status. Both
the real port and the port to use for the real port’s health status must be the
same type, TCP or UDP. By default, this option is not set.
[no] health-check-disable
Disables health monitoring of the port.
[no] no-ssl
Disables SSL for server-side connections. This command is useful if a server-SSL
template is bound to the virtual port that uses this real port, and you want to
disable encryption on this real port.
Encryption is disabled by default, but it is enabled for server-side connections
when the real port is used by a virtual port that is bound to a server-SSL template.
Using the double-negative form of the command (no no-ssl) enables SSL for
server-side connections.
[no] service-principal-name
string [...]
Specifies the Kerberos principal name of this server port. This is the ACOS client
name presented to the application server.
NOTE: This option applies to Application Access Management (AAM).
stats-data-disable |
stats-data-enable
Disable or enable statistical data collection for the port.
[no] template
{port template-name |
server-ssl template-name}
The port option binds a port template to the port. The parameter settings in
the template are applied to the port.
The real port template named “default” is bound to real ports by default. The
parameter settings in the default real port template are automatically applied
to the port, unless you bind a different real port template to the port.
If a parameter is set individually on this port and also is set in a port template
bound to this port, the individual setting on this port is used instead of the setting in the template.
To configure a port template, see “slb template port” on page 87.
The server-ssl option binds a server-side SSL template to the port. The
parameter settings in the template are applied to the port. This may be useful in
cases where the real servers load balanced by a VIP have different SSL settings.
[no] weight number
Specifies the load-balancing preference for this port, 1-100. A higher weight
gives more favor to this server for this port relative to the other servers. Default
is 1.
This option applies only to the service-weighted-least-connection
load-balancing method.
Default
No ports are configured by default. The defaults for the command options are described
with the options, above. Statistical data collection of load-balancing resources is enabled by
default.
Mode
Real server
Usage
The no form of this command resets the port’s connection limit, health monitoring, or
weight to its default value. To collect statistical data for a load-balancing resource, statistical
data collection also must be enabled globally. (See “slb common” on page 18.)
Include the range option for each real server that will be included in the service group, but
only if you want that real server to be included in the mapping feature. The service group
can be “mixed”. That is, some real servers within a service group can have the range option
set, but it is not mandatory for all servers in a service group to be configured for “VIP to real
port mapping”.
Example
The following commands configure server “terap” and add TCP port 69 to the server. The
health-check command is not entered, so by default the ACOS device checks the service port’s health by sending a connection request to TCP port 69 on terap every 30 seconds.
ACOS(config)#slb server terap 10.2.4.69
ACOS(config-real server)#port 69 tcp
ACOS(config-real server-node port)#
Example
The following commands bind the server-SSL template directly to TCP port 80 on the real
server at IP 10.8.8.8:
ACOS(config)#slb server rs88 10.8.8.8
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#template server-ssl server-ssl1
Example
The following example configures health monitor “hm1” to use the ICMP transparent health
method, and applies the monitor to a TCP port on real server “realserver1”. The disable-with-health-check option is enabled at the SLB server port configuration level.
ACOS(config)#health monitor hm1
ACOS(config-health:monitor)#method icmp transparent 1.0.0.1
ACOS(config-health:monitor)#exit
ACOS(config)#slb server realserver1 10.1.1.2
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#health-check hm1
ACOS(config-real server-node port)#disable-with-health-check
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member realserver1 80
ACOS(config-slb svc group-member:80)#
slow-start
Description
Enable slow-start for a server. Slow start allows time for a server to ramp up after the server is
enabled or comes online, by temporarily limiting the number of new connections on the
server.
NOTE:
It is recommended to configure this feature in the real server template or real port
template instead. See the “Behavior When Slow Start Is Also Configured on the Real
Server Itself” section in the “Server and Port Templates” chapter of the Application
Delivery and Server Load Balancing Guide.
Syntax
[no] slow-start
Default
Disabled
Mode
Real server
Usage
Slow-start allows a maximum of 128 new connections during the first interval (anywhere
between 0 and 10 seconds). During each subsequent 10-second interval, the total number
of concurrent connections allowed to the server is doubled. Thus, during the first 20 seconds, the server is allowed to have a total of 256 concurrent connections. After 59 seconds,
slow-start ends the ramp-up and no longer limits the number of concurrent connections.
After the ramp-up period ends, the number of new connections is controlled by the conn-limit setting. (See “conn-limit” on page 274 and the description of conn-limit in “port” on
page 279.)
Slow-start is also configurable in server and port templates. (See “slb template server” on
page 87 and “slb template port” on page 87.)
Example
The following command enables slow-start:
ACOS(config)#slb server rs123
ACOS(config-real server)#slow-start
spoofing-cache
Description
Enable support for a spoofing cache server. A spoofing cache server uses the client’s IP
address instead of its own as the source address when obtaining content requested by the
client.
Syntax
[no] spoofing-cache
Default
Disabled
Mode
Real server
Usage
This command applies to the Transparent Cache Switching (TCS) feature. For more information about TCS, including additional configuration requirements and examples, see the
“Transparent Cache Switching” chapter in the Application Delivery and Server Load Balancing
Guide.
Example
The following commands configure a real server for a spoofing cache server:
ACOS(config)#slb server cache-rs 110.110.110.10
ACOS(config-real server)#spoofing-cache
ACOS(config-real server)#port 80 tcp
stats-data-disable
Description
Disable collection of statistical data for the server.
Syntax
stats-data-disable
Default
Statistical data collection for load-balancing resources is enabled by default.
Mode
Real server
stats-data-enable
Description
Enable collection of statistical data for the server.
Syntax
stats-data-enable
Default
Statistical data collection for load-balancing resources is enabled by default.
Mode
Real server
Usage
To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb common” on page 18.)
template server
Description
Bind a real server template to the server.
Syntax
[no] template server template-name
Default
The real server template named “default” is bound to servers by default. The parameter settings in the default real server template are automatically applied to the new server, unless
you bind a different real server template to the server.
Mode
Real server
Usage
If a parameter is set individually on this server and also is set in a server template bound to
this server, the individual setting on this server is used instead of the setting in the template.
To configure a real server template, see “slb template server” on page 87.
Example
The following commands configure a real server template called “rs-tmplt1” and bind the
template to two real servers:
ACOS(config)#slb template server rs-tmplt1
ACOS(config-rserver)#health-check ping2
ACOS(config-rserver)#conn-limit 500000
ACOS(config-rserver)#exit
ACOS(config)#slb server rs1 10.1.1.99
ACOS(config-real server)#template server rs-tmplt1
ACOS(config-real server)#exit
ACOS(config)#slb server rs2 10.1.1.100
ACOS(config-real server)#template server rs-tmplt1
weight
Description
Assign an administrative weight to the server, for weighted load balancing.
Syntax
[no] weight num
Replace num with the administrative weight assigned to the server. You can specify 1-100.
Default
1
Mode
Real server
Usage
This parameter applies only to the weighted-least-connection, weighted-rr
(weighted round robin), and round-robin-strict load-balancing methods.
Example
The following commands assign a weight of 20 to a server:
ACOS(config)#slb server 10.10.10.5
ACOS(config-real server)#weight 20
Config Commands: SLB Service Groups
This chapter describes the commands for configuring SLB service groups.
To access this configuration level, enter the slb service-group command at the Global configuration level. For example:
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)#
To display configured service groups, use the slb service-group ? command.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
The following commands are available:
• backup-server-event-log
• extended-stats
• health-check
• health-check-disable
• member
• method
• min-active-member
• priority
• priority-affinity
• reset auto-switch
• reset-on-server-selection-fail
• sample-rsp-time
• stats-data-disable
• stats-data-enable
• template
• traffic-replication-type
backup-server-event-log
Description
Enable log messages to indicate when a backup service-group member is placed into service or is removed from service.
Syntax
[no] backup-server-event-log
Default
Disabled
Mode
Service group
A backup member is a member that has a lower priority than the primary (highest priority)
members of the same service group. The ACOS device will not use a lower-priority member
(backup server) unless high priority members (primary servers) exceed their connection
limits or connection-rate limits, or are down.
The backup-server-event-log command generates a log message when a backup
service-group member is placed into service for either of the following reasons:
• The connection limit on the primary servers or member ports is exceeded.
• The primary servers or member ports go down.
Likewise, the command generates a log message when a backup service-group member is
removed from service, and a primary server is returned to service for either of the following
reasons:
• The primary server or member port’s connection-resume limit is reached.
• The primary server or member port comes back up.
Generation of log messages for these events is rate-limited to once per minute. The events
described in a message occur at some point within the 60 seconds prior to the log message’s
timestamp.
NOTE:
By default, the backup servers are placed into service only when both primary servers exceed their connection limits or go down. You can use the min-active-member command to allow secondary servers to be placed into service even when
some primary servers are still available. (See “min-active-member” on page 298.)
SNMP Trap Requirements
To also generate SNMP notifications, the following SLB traps must be enabled:
• slb server-conn-limit
• slb server-conn-resume
• slb service-conn-limit
• slb service-conn-resume
Log Message Examples
A message such as the following is generated when a backup member is placed into service:
Enabled new connections on server rs-backup1 port 80 in sg1 group
In this example, member rs-backup1 in service group sg1 is placed into service.
When the backup member is removed from service, a message such as one of the following
is generated:
Disabled new connections on backup server(s) on group sg1, resume
primary server rs1 port 80
Disabled new connections on backup server(s), resume primary server
rs1 port 80
In the first message, the service group name is included. The service group name is not
included in the second message.
• If the primary server is a member of only one service group, or the service group can
otherwise be determined, the first message is used.
• If the primary server is a member of more than one service group, and the service
group cannot be determined, the second message is used.
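As an added illustration (not ACOS code), the following Python parser recognises the three backup-server-event-log message shapes quoted above and replays them to report which service groups are still being served by a backup member. The syslog prefix and host name in the sample lines are constructed.

```python
"""Parser for the backup-server-event-log messages quoted in the reference
(added illustration, not ACOS code).  It extracts the server, port and, where
present, the service group, and replays a log to find groups still on backup."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Message bodies as quoted in the reference; re.search skips any syslog prefix.
ENABLED_RE = re.compile(
    r"Enabled new connections on server (?P<server>\S+) port (?P<port>\d+) "
    r"in (?P<group>\S+) group"
)
DISABLED_RE = re.compile(
    r"Disabled new connections on backup server\(s\)"
    r"(?: on group (?P<group>[^\s,]+))?, "      # group is absent in the second form
    r"resume primary server (?P<server>\S+) port (?P<port>\d+)"
)


@dataclass
class BackupEvent:
    action: str            # "backup_in_service" or "primary_resumed"
    server: str            # backup member placed in service, or primary resumed
    port: int
    group: Optional[str]   # None when ACOS could not determine the service group


def parse_backup_event(line: str) -> Optional[BackupEvent]:
    """Return the event carried by one log line, or None for unrelated lines."""
    m = ENABLED_RE.search(line)
    if m:
        return BackupEvent("backup_in_service", m["server"], int(m["port"]), m["group"])
    m = DISABLED_RE.search(line)
    if m:
        return BackupEvent("primary_resumed", m["server"], int(m["port"]), m["group"])
    return None


def groups_on_backup(lines: List[str]) -> Tuple[Set[str], int]:
    """Replay the log in order.

    Returns the service groups whose most recent event put a backup member
    into service, plus the count of 'primary resumed' messages that named no
    group (the second message form) and therefore cannot clear any entry.
    """
    on_backup: Set[str] = set()
    unattributed = 0
    for line in lines:
        ev = parse_backup_event(line)
        if ev is None:
            continue
        if ev.action == "backup_in_service":
            on_backup.add(ev.group)
        elif ev.group is None:
            unattributed += 1
        else:
            on_backup.discard(ev.group)
    return on_backup, unattributed


# Constructed sample log: the timestamp/host prefix is invented; the message
# bodies follow the formats quoted in the reference.
CONSTRUCTED_LOG = [
    "Jun 24 10:00:01 acos1 Enabled new connections on server rs-backup1 port 80 in sg1 group",
    "Jun 24 10:00:02 acos1 Enabled new connections on server rs-backup2 port 443 in sg2 group",
    "Jun 24 10:03:15 acos1 Disabled new connections on backup server(s) on group sg1, "
    "resume primary server rs1 port 80",
    "Jun 24 10:03:16 acos1 unrelated message (constructed)",
    "Jun 24 10:07:40 acos1 Disabled new connections on backup server(s), "
    "resume primary server rs7 port 443",
]

if __name__ == "__main__":
    groups, unknown = groups_on_backup(CONSTRUCTED_LOG)
    print("groups still on backup:", sorted(groups), "| resumes without group:", unknown)
```

Because the second message form omits the group, a monitoring rule built on these messages should treat an unattributed resume as a prompt to check the primary's service groups rather than as confirmation that all of them are back on primaries.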
extended-stats
Description
Enable collection of peak connection statistics for a service group.
Syntax
[no] extended-stats
Default
Disabled
Mode
Service group
health-check
Description
Use a health monitor to check the health of all members of the service group.
Syntax
[no] health-check monitor-name
Replace monitor-name with the health monitor to use.
Default
None
Mode
Service group
Usage
The health monitor is used to test the health of all members of the service group, including
any members that are added in the future.
Service group health status applies only within the context of the service group. For
example, a health check of the same port from another service group can result in a different
health status, depending on the resource requested by the health check.
Health checks can be applied to the same resource (real server or port) at the following
levels:
• In a service group that contains the server and port as a member
• In a server or server port configuration template that is bound to the server or port
• Directly on the individual server or port
In cases where health checks are applied at multiple levels, they have the following priority:
1. Health check on real server
2. Health check on real server’s port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real server, real server port,
and service group members are marked Down. However, if a health check on the service
group level (3) fails, only that service group member in that service group is marked Down.
Example
The following commands configure a health monitor and apply it to a service group:
ACOS(config)#health monitor qrs
ACOS(config-health:monitor)#method http url GET /media-qrs/index.html
ACOS(config-health:monitor)#exit
ACOS(config)#slb service-group qrs tcp
ACOS(config-slb svc group)#member media-rs 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#health-check qrs
health-check-disable
Description
Disable health monitoring of the service group.
Syntax
[no] health-check-disable
Default
Health checking is enabled by default.
member
Description
Add a server to a service group.
Syntax
[no] member server-name portnum
Parameter
Description
server-name
Name of the real server you want to add to the service group. This server must already
exist on the system.
portnum
Protocol port number on the server.
This command drops you into a sub-configuration mode, where the following additional
commands are available:
Parameter
Description
enable
Enable the server and port for this service-group only.
disable
Disable the server and port for this service-group only.
disable-with-health-check
Disable the member server, but maintain the server’s health check status.
This feature is introduced in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 to allow you
to disable a service-group member from normal server selection, but still maintain
the health of the server.
This feature is ideal if you periodically need to take active servers out of service
pools for maintenance, but this maintenance is done through a remote client. The
feature allows you to access these servers using the same front-end VIP in the
presence of a persistent cookie template or LB::reselect aFleX command.
priority num
Sets the preference for this server and port, 1-16. The highest priority is 16.
sampling-enable param
Enable baselining. The following parameters are available:
• all - All connections.
• curr_conn - Current connections.
• total_fwd_bytes - Total forward bytes.
• total_fwd_pkts - Total forward packets.
• total_rev_bytes - Total reverse bytes.
• total_rev_pkts - Total reverse packets.
• total_conn - Total connections.
• total_rev_pkts_inspected - Total reverse packets inspected.
• total_rev_pkts_inspected_status_code_2xx - Total reverse packets inspected (status code 2xx).
• total_rev_pkts_inspected_status_code_non_5xx - Total reverse packets inspected (status code non 5xx).
• curr_req - Current requests.
• total_req - Total requests.
• total_req_succ - Total requests successful.
• peak_conn - Peak connections.
• response_time - Response time.
• fastest_rsp_time - Fastest response time.
• slowest_rsp_time - Slowest response time.
stats-data-disable
Disable statistical data collection for the service-group member.
template template-name
Binds a real port template to this member port.
NOTE: The port template option slow-start is not supported if the port template is applied using this command.
To configure a real port template, see “slb template port” on page 87.
Default
There are no servers in a service group by default. When you add a server and port to the service group, the default state is enabled and the default priority is 1. Statistical data collection of load-balancing resources is enabled by default.
Mode
Service group
Usage
The normal form of this command adds a configured server to the service group. The “no”
form of this command removes the server from the group.
If you disable or re-enable a port, the state change applies only to this service group. The
state of the port is unchanged in other service groups.
To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb common” on page 18.)
Example
The following commands add servers “s1” and “s2” to service group “sgroup1”:
ACOS(config)# slb service-group sgroup1
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)#
Example
The following command adds a member server and port to a service group and binds a real
port template to the port:
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member rs1 80
ACOS(config-slb svc group-member:80)# template rptemplate1
Example
The following example configures health monitor “hm1” to use the ICMP transparent health
method, and apply the monitor to a TCP port on real server “realserver1”. Then, the disable-with-health-check option is enabled at the service group member configuration
level.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method icmp transparent 1.0.0.1
ACOS(config-health:monitor)# exit
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check hm1
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member realserver1 80
ACOS(config-slb svc group-member:80)# disable-with-health-check
method
Description
Set the load-balancing method for a service group.
Syntax
[no] method lb-method
[auto-switch
[stateless-lb-method
{conn-rate rate duration [revert-rate revert-duration] [grace-period seconds] [log] |
l4-session-usage percent duration [revert-rate revert-duration] [grace-period seconds] [log]}
]
]
Parameter
Description
lb-method
Load-balancing method:
• dest-ip-hash – Calculates a hash value based on the destination IP address and protocol port of
the client’s request.
• dest-ip-only-hash – Calculates a hash value based on only the destination IP address of the
client’s request.
• fastest-response – Selects the server with the fastest first data packet response time (after
three-way handshake) from end-user traffic requests.
NOTE: The fastest-response method is not applicable in Direct Server Return (DSR) deployments.
• least-connection [pseudo-round-robin] – Selects the server that currently has the fewest
connections.
For this and the other least-connection methods, if there is a tie, the default behavior is to select the
port (among those tied) that has the lowest number of request bytes plus response bytes. If there is
still a tie, a port is randomly selected from among the ones that are still tied.
To override this tie-breaker behavior, use the pseudo-round-robin option. This option selects
the server that has not been selected for the longest time.
• service-least-connection [pseudo-round-robin] – Selects the server port that currently has the fewest connections.
• weighted-least-connection [pseudo-round-robin] – Selects a server based on a combination of the server’s administratively assigned weight and the number of connections on the
server. (To assign a weight to a server, see “weight” on page 284.)
• service-weighted-least-connection [pseudo-round-robin] – Same as weighted-least-connection, but per service. (To assign a weight to a service, see “port” on page 279. Use
the weight option.)
• src-ip-hash – Calculates a hash value based on the source IP address and protocol port of the
client’s request.
• src-ip-only-hash – Calculates a hash value based on only the source IP address of the client’s
request.
• least-request – Selects the real server port for which the ACOS device is currently processing
the fewest HTTP requests. This method is applicable to HTTP load balancing.
• weighted-rr – Selects servers in rotation, based on the servers’ administratively assigned
weights.
To use this method, you also need to assign weights to the servers. (See “weight” on page 284.) If
the weight value is the same on each server, this load-balancing method simply selects the servers
in rotation.
The weighted-rr method uses only the server weight. Server port weight is not used. (Instead,
server port weight is used by the service-weighted-least-connection method).
• round-robin – Selects servers in simple rotation.
• round-robin-strict – Provides a more exact round-robin method. The standard, default round
robin method is optimized for high performance. Over time, this optimization can result in a slight
imbalance in server selection. Server selection is still basically round robin, but over time some servers may be selected slightly more often than others. An optional weight can also be assigned. (See
“weight” on page 284.)
The following methods apply only to stateless SLB. See the “Usage” section of this command for more
information.
• stateless-src-ip-hash – Balances server load based on a hash value calculated using the
source IP address and source TCP or UDP port.
• stateless-src-dst-ip-hash – Balances server load based on a hash value calculated using
both the source and destination IP addresses, and the source and destination TCP or UDP ports.
• stateless-src-dst-ip-only-hash – Balances server load based on a hash value calculated
using only the source and destination IP addresses.
• stateless-dst-ip-hash – Balances server load based on a hash value calculated using the destination IP address and destination TCP or UDP port.
• stateless-per-pkt-round-robin – Balances server load by sending each packet to a different
server, in rotation. This method is applicable only for UDP DNS traffic.
• stateless-src-ip-only-hash – Calculates a hash value based only on the source IP address of
the request, and selects a server based on the hash value. Subsequently, all requests from the same
client address are sent to the same server.
auto-switch [options]
You can configure the following options for this feature.
The stateless-lb-method option specifies the stateless load-balancing method to use if the traffic
reaches the configured threshold, and can be one of the following:
• stateless-dst-ip-hash
• stateless-per-pkt-round-robin
• stateless-src-dst-ip-hash
• stateless-src-dst-ip-only-hash
• stateless-src-ip-hash
• stateless-src-ip-only-hash
You can specify either of the following sets of thresholds:
• conn-rate rate duration – Rate of new connection requests per second at which the load
balancing method is changed. The rate applies collectively to all servers in the service group. The
threshold can be 1-1000000 connection requests per second.
• l4-session-usage percent duration – Percentage of the system-wide Layer 4 session
capacity that is currently in use. The threshold can be 1-100 percent.
For each set of thresholds, you can specify the following options:
• revert-rate – (Optional) Rate to revert to stateful method. You can specify
1-1000000 connections per second.
• revert-duration – (Optional) Number of seconds during which the specified revert trigger
must continue to occur before the service group changes to stateful load balancing again. You can
specify 1-600 seconds.
• grace-period seconds – (Optional) Number of seconds the ACOS device continues to use the
current load balancing method for active sessions, before changing to the other load balancing
method. You can specify 1-600 seconds.
NOTE: The grace period applies only to sessions that are active when the load balancing change is
triggered. The change applies immediately to new sessions that begin after the change is triggered.
• log – Logs changes between stateful and stateless load balancing that occur due to this feature.
This is disabled by default.
Default
The default method is round-robin.
Mode
Service group
Usage
The fastest-response method takes effect only if the traffic rate on the servers is at least
5 connections per second (per server). If the traffic rate is lower, the first server in the service
group usually is selected.
To set a server’s weight, see “weight” on page 284.
Stateless SLB
Stateless SLB conserves system resources by operating without session table entries on the
ACOS device. The stateless SLB methods are valid for the following types of traffic:
• Traffic with very short-lived sessions, such as DNS
• Layer 2 Direct Server Return (DSR) traffic
• Other types of traffic that do not require features that use session-table entries. (See list
of limitations below.)
You can enable stateless SLB on an individual service-group basis, by selecting a stateless SLB
load-balancing method for the group.
Limitations
Stateless SLB is not valid for the following features or traffic types:
• Rate limiting
• ACLs
• IP source NAT
• Session synchronization
• Application Layer Gateway (ALG)
• Layer 3 DSR
• SLB-PT
• aFleX
• FWLB ALG
A given real server can be used in only one stateless SLB service group. A real server that is in
a stateless SLB service group cannot be used in any other stateless service groups.
If the virtual port is on a wildcard VIP, destination NAT must be disabled on the virtual port. To
disable destination NAT, see “no-dest-nat” on page 326.
Graceful transitions between stateful and stateless SLB in a service group are not supported.
Mega-proxies may interfere with equal balancing of traffic load among the multiple data
CPUs. In this case, for DNS traffic only, try using the stateless-per-pkt-round-robin method.
NOTE:
The stateless-per-pkt-round-robin method is applicable only for traffic
that uses a single packet for a request. Examples include DNS queries or RADIUS
requests without a Challenge-request/Response message used for EAP.
Example
The following example sets the load-balancing method for a service group to least-connection:
ACOS(config)# slb service-group sg-lc1 tcp
ACOS(config-slb svc group)# method least-connection
Example
The following commands configure a stateless SLB service group for UDP traffic:
ACOS(config)# slb service-group dns-stateless udp
ACOS(config-slb svc group)# member dns1 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# member dns2 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# method stateless-src-dst-ip-hash
Example
The following commands configure a service group that uses the stateless-per-pkt-round-robin stateless load-balancing method. This method is used if the rate of new connection
requests to the virtual port bound to the service group reaches 80,000 connections per second, and remains at least this high for 300 seconds.
ACOS(config)# slb service-group auto-stateless tcp
ACOS(config-slb svc group)# method weighted-rr auto-switch stateless-per-pkt-round-robin
conn-rate 80000 300 60000 300 grace-period 15 log
To return to using the stateful load-balancing method (weighted round-robin in this
example), the rate of new connection requests to the virtual port must drop to 60,000 per
second, and remain that low for at least 300 seconds. Once this occurs, the ACOS device
waits for an additional 15 seconds (the grace period) before returning to use of stateful load
balancing. Logging is enabled.
Example
In the following configuration, if Layer 4 session usage reaches 2 percent and stays at least
this high for 5 seconds, both service-group members begin using the stateless-dst-ip-hash
method. The ACOS device reverts back to stateful load balancing when 1 percent or less is
reached for 5 seconds.
ACOS(config)# slb service-group sg-auto1 tcp
ACOS(config-slb svc group)# method dst-ip-hash auto-switch stateless-dst-ip-hash l4-session-usage 2 5 1 5
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# member s2 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb service-group sg-auto tcp
ACOS(config-slb svc group)# method dst-ip-hash auto-switch stateless-dst-ip-hash l4-session-usage 2 5 1 5
ACOS(config-slb svc group)# member s3 80
ACOS(config-slb svc group-member:80)# member s4 80
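The auto-switch behaviour described above (a trigger value that must hold for duration seconds, a revert value that must hold for revert-duration seconds, and a grace period for sessions already open) can be replayed against a constructed series of per-second connection rates. This Python model is an added example, not ACOS code; it assumes the thresholds are evaluated on consecutive one-second samples, that one sample outside the condition restarts the count, and that an established session keeps its previous method for grace-period seconds while new sessions change immediately.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AutoSwitch:
    """One service group's auto-switch state (illustrative model, not ACOS code)."""
    stateful_method: str      # the configured lb-method, e.g. weighted-rr
    stateless_method: str     # the stateless-lb-method to switch to
    threshold: int            # conn-rate (conn/s) or l4-session-usage (percent)
    duration: int             # seconds the threshold must hold to trigger
    revert_value: int         # revert-rate: value at or below which we revert
    revert_duration: int      # seconds the revert condition must hold
    grace_period: int = 0     # seconds established sessions keep the old method
    log: bool = False         # the `log` option: record each change
    stateless: bool = False   # method currently used for new sessions
    clock: int = 0            # seconds of samples fed so far
    events: List[str] = field(default_factory=list)
    _over: int = 0            # consecutive samples at or above threshold
    _under: int = 0           # consecutive samples at or below revert_value
    _grace_left: int = 0      # seconds left in the current grace period

    def method_for_new_sessions(self) -> str:
        return self.stateless_method if self.stateless else self.stateful_method

    def method_for_existing_sessions(self) -> str:
        # Per the grace-period NOTE: sessions active when the change was
        # triggered stay on the previous method until the grace period ends.
        if self._grace_left > 0:
            return self.stateful_method if self.stateless else self.stateless_method
        return self.method_for_new_sessions()

    def _switch(self, to_stateless: bool) -> None:
        self.stateless = to_stateless
        self._over = self._under = 0
        self._grace_left = self.grace_period
        if self.log:
            self.events.append(
                f"t={self.clock}s: switched to {self.method_for_new_sessions()}")

    def sample(self, value: int) -> Tuple[str, str]:
        """Feed one per-second measurement. Returns (method for new sessions,
        method for sessions that were already established)."""
        self.clock += 1
        if self._grace_left > 0:
            self._grace_left -= 1
        if not self.stateless:
            # Count consecutive seconds at/above the trigger threshold; a
            # single sample below it restarts the count (assumption).
            self._over = self._over + 1 if value >= self.threshold else 0
            if self._over >= self.duration:
                self._switch(True)
        else:
            # Same rule for the revert condition while running stateless.
            self._under = self._under + 1 if value <= self.revert_value else 0
            if self._under >= self.revert_duration:
                self._switch(False)
        return self.method_for_new_sessions(), self.method_for_existing_sessions()


def replay(sw: AutoSwitch, rates: List[int]) -> List[Tuple[str, str]]:
    """Replay a constructed sequence of per-second rates, one sample each."""
    return [sw.sample(rate) for rate in rates]


if __name__ == "__main__":
    # Mirrors the page's example: conn-rate 80000 300 60000 300 grace-period 15 log
    sw = AutoSwitch("weighted-rr", "stateless-per-pkt-round-robin",
                    threshold=80000, duration=300, revert_value=60000,
                    revert_duration=300, grace_period=15, log=True)
    replay(sw, [80000] * 300)   # switches to stateless at t=300s
    replay(sw, [60000] * 300)   # reverts to weighted-rr at t=600s
    print("\n".join(sw.events))
```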
min-active-member
Description
Use backup servers even if some primary servers are still up.
Syntax
[no] min-active-member num [dynamic-priority] [skip-pri-set]
Parameter
Description
num
Minimum number of primary servers that can still be active (available), before the backup servers are used. You can specify 1-63. There is no default.
dynamic-priority
Dynamically adds lower-priority servers to the active list to meet the min-active-member requirement.
skip-pri-set
Specifies whether the remaining primary servers continue to be used. If you use this option, the ACOS device uses only the backup servers and stops using any of the primary servers.
Default
By default, the servers with the highest priority value are the primary servers. All other servers are backups only, and are used only if all the primary servers are unavailable.
When you use this command, the skip-pri-set option is disabled by default.
Mode
Service group
Usage
Primary and backup servers are designated based on member priority (set with the member
command). For example, if a service group contains real servers with the following priority
settings, real servers s1, s2, and s3 are the primary servers. Real servers s4 and s5 are backup
servers.
• s1 – priority 16
• s2 – priority 16
• s3 – priority 16
• s4 – priority 8
• s5 – priority 8
When the minimum number of active members (primary servers) comes back up, the ACOS
device immediately returns to using only the primary servers.
Example
The following commands add members with different priorities to a service group, and configure promiscuous VIP to begin using backup servers if any of the primary servers becomes
unavailable:
ACOS(config)# slb service-group sg-prom tcp
ACOS(config-slb svc group)# method least-connection
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s3 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s4 80
ACOS(config-slb svc group-member:80)# priority 8
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s5 80
ACOS(config-slb svc group-member:80)# priority 8
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# min-active-member 1
priority
Description
Configure the ACOS device to respond to the failure of service-group members of a certain
priority by taking a designated action, such as dropping the request or sending a TCP reset
back to the client.
Syntax
priority num
[
drop |
drop-if-exceed-limit |
proceed |
reset |
reset-if-exceed-limit
]
Parameter
Description
num
Priority of the port, ranging from 1-16. Higher-priority nodes are preferred over nodes
with lower numbers. There is no default.
drop
Drops the request if all nodes with this same priority fail for any reason.
drop-if-exceed-limit
Drops the request if all nodes with this same priority fail, and if one or more nodes
exceed the configured connection limit or connection-rate-limit.
proceed
The ACOS device uses the node(s) with the next-highest priority if all nodes with the
currently-selected priority fail (this is the default behavior).
reset
Sends a reset to the client if all nodes with this same priority fail for any reason.
reset-if-exceed-limit
Sends a reset to the client if all nodes with this same priority fail, and if failure is due to
one or more nodes exceeding the configured connection-limit or connection-rate-limit.
Default
By default, the ACOS device will use the node(s) with the next-highest priority if all nodes
with the currently-selected priority fail.
Mode
Service group
Usage
Use this feature to define specific actions that should occur when higher-priority service-group members fail. By default, the ACOS device uses the highest priority service-group
members until they are no longer available. When the higher-priority nodes fail, the ACOS
device fails over to the nodes with the next-highest priority.
This priority option enables you to tie actions (drop, reset, and others) to a general failure,
such as service group members becoming disabled or failing a health check. Alternatively,
actions can be tied to connection-limits or connection-rate-limits being exceeded.
Configuring the "priority option" feature allows you to prevent lower-priority servers, which
are presumably less robust than higher-priority servers, from being overwhelmed by a flood
of traffic when a failover occurs.
NOTE:
The actions are mutually exclusive. Only one action can be configured for each priority level.
The reset or drop actions can be triggered for the following reasons:
• If a health check fails
• If a user disables a server or port
• If another Load Balancing feature causes the currently-used priority to become unavailable (for example, min-active-member feature)
• If a connection-limit or connection-rate-limit is exceeded
Example
The following commands create the TCP service group “sg1” with several servers with a priority of 10, and one server with a priority of 5. The commands also assign the reset-if-exceed-limit action for members with priority 10, and assign the drop action for members with priority 5.
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# priority 10 reset-if-exceed-limit
ACOS(config-slb svc group)# priority 5 drop
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# priority 10
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# priority 10
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s3 80
ACOS(config-slb svc group-member:80)# priority 10
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s4 80
ACOS(config-slb svc group-member:80)# priority 5
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)#
priority-affinity
Description
Configure the ACOS device to continue using backup servers (servers with lower priority)
even when the primary (high priority) servers come back up.
Syntax
[no] priority-affinity [reset]
The reset option resets the priority affinity feature so that the primary servers can be used
again.
Default
Disabled.
By default, the ACOS device uses only the service-group members with the highest priority.
If all the highest-priority servers go down, the ACOS device starts using the secondary
(lower-priority) members. Also by default, when one or more of the highest-priority servers
comes back up, the ACOS device returns to using only those highest-priority servers and
stops using the backup servers.
Mode
Service group
Usage
The min-active-member option continues using backup servers in order to maintain a
minimum number of active servers, but does not continue using only the backup servers
after the primary servers come back up.
If the ACOS device stops using the primary servers due to other features (for example,
exceeding connection limits), the priority affinity feature will take effect just as if the
switchover to the backup servers were triggered by a change in the status of the primary
servers. If those higher-priority servers become available due to the number of connections
dropping below the configured threshold, ACOS will not use them, but will instead continue
using the lower-priority backup servers.
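The member selection rules in the min-active-member, priority and priority-affinity sections above can be exercised together in one small model. This Python code is an added example, not ACOS code; it assumes that min-active-member brings in the next-lower tier (or further tiers with dynamic-priority), that a per-priority action other than proceed fires only when every member of that tier is unusable, and that member health and limit state are constructed inputs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    priority: int              # member priority 1-16; 16 is most preferred
    up: bool = True            # health check passing and member enabled
    over_limit: bool = False   # connection-limit or connection-rate-limit exceeded

    @property
    def usable(self) -> bool:
        return self.up and not self.over_limit


@dataclass
class Selection:
    pool: List[str]   # names of members the lb-method may pick from
    action: str       # "proceed", "drop", "reset", or "fail" (no member at all)


@dataclass
class ServiceGroup:
    """Illustrative model of priority-based member selection (not ACOS code)."""
    members: List[Member]
    min_active: Optional[int] = None      # min-active-member num
    dynamic_priority: bool = False        # min-active-member ... dynamic-priority
    skip_pri_set: bool = False            # min-active-member ... skip-pri-set
    priority_affinity: bool = False       # priority-affinity
    actions: Dict[int, str] = field(default_factory=dict)  # `priority num action`
    _affinity_tier: Optional[int] = None  # backup tier we stay on once failed over

    def tiers(self) -> List[int]:
        """Distinct priority values, highest (the primary tier) first."""
        return sorted({m.priority for m in self.members}, reverse=True)

    def usable_in(self, tier: int) -> List[Member]:
        return [m for m in self.members if m.priority == tier and m.usable]

    def reset_affinity(self) -> None:
        """`priority-affinity reset`: the primary servers may be used again."""
        self._affinity_tier = None

    def _backups(self, tiers: List[int], primary_index: int) -> List[Member]:
        # Assumption: without dynamic-priority only the next-lower tier is
        # brought in; with it, lower tiers are added until min-active is met.
        pool: List[Member] = []
        for tier in tiers[primary_index + 1:]:
            pool += self.usable_in(tier)
            if not self.dynamic_priority or len(pool) >= (self.min_active or 0):
                break
        return pool

    def select(self) -> Selection:
        tiers = self.tiers()
        start = tiers.index(self._affinity_tier) if self._affinity_tier in tiers else 0
        for i in range(start, len(tiers)):
            tier = tiers[i]
            pool = self.usable_in(tier)
            # min-active-member: some (not all) primaries down and fewer than num
            # remain -> bring in backups, replacing the primaries if skip-pri-set.
            if i == 0 and self.min_active and pool and len(pool) < self.min_active:
                backups = self._backups(tiers, i)
                pool = backups if (self.skip_pri_set and backups) else pool + backups
            if pool:
                if self.priority_affinity and i > 0:
                    self._affinity_tier = tier   # keep using this backup tier
                return Selection([m.name for m in pool], "proceed")
            # Every member of this tier is unusable: apply its `priority` action.
            action = self.actions.get(tier, "proceed")
            limit_hit = any(m.over_limit for m in self.members if m.priority == tier)
            if action in ("drop", "reset"):
                return Selection([], action)
            if action in ("drop-if-exceed-limit", "reset-if-exceed-limit") and limit_hit:
                return Selection([], action.split("-")[0])
            # "proceed" (the default): fall through to the next-lower tier.
        # No tier has a usable member; reset-on-server-selection-fail would RST here.
        return Selection([], "fail")
```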
reset auto-switch
Description
Reset load balancing from stateless back to the configured stateful method.
This command applies to configurations that use the auto-switch feature, which
automatically switches from the configured stateful load-balancing method to a stateless
load-balancing method, based on a configured threshold. (See “method” on page 293.)
Syntax
reset auto-switch
Default
N/A
Mode
Configuration
Usage
This command is operational only and does not affect the configuration. The command is
not saved in the startup-config.
reset-on-server-selection-fail
Description
Send a TCP reset (RST) to the client if server selection fails.
Syntax
[no] reset-on-server-selection-fail
Default
Disabled
Mode
Service group
sample-rsp-time
Description
View sample server response time information.
Syntax
[no] sample-rsp-time [rpt-ext-server [report-delay mins | top-fastest | top-slowest]]
Parameter
Description
rpt-ext-server
Report the top 10 fastest or slowest servers.
report-delay mins
Set the reporting frequency in minutes (1-7200).
top-fastest
Report the top 10 fastest servers.
top-slowest
Report the top 10 slowest servers.
Mode
Service group
stats-data-disable
Description
Disable collection of statistical data for the service group.
Syntax
stats-data-disable
Default
Statistical data collection for load-balancing resources is enabled by default.
Mode
Service group
stats-data-enable
Description
Enable collection of statistical data for the service group.
Syntax
stats-data-enable
Default
Statistical data collection for load-balancing resources is enabled by default.
Mode
Service group
Usage
To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb common” on page 18.)
template
Description
Apply a server or port configuration template to a service group.
Syntax
template
{policy template-name | port template-name | server template-name}
Parameter
Description
policy template-name
Name of a policy template.
port template-name
Name of a port template.
server template-name
Name of a server template.
Default
The settings in the server or port template applied to the server or port are used, unless overridden by settings in the individual server or port configuration.
Mode
Service group
traffic-replication-type
Description
Replicate or “mirror” traffic to one or more collector servers in a service group using one of
the traffic replication types.
Syntax
traffic-replication-type {
mirror |
mirror-da-repl |
mirror-ip-repl |
mirror-sa-da-repl |
mirror-sa-repl
}
Parameter
Description
mirror
The ACOS device sends the packets “as is” to the collector server(s). Forwarding is based on
the IP address in the original packet. This mode does not change the packet header at all. The
original Layer 2 Destination Address (DA) or Source Address (SA) and Layer 3 IP addresses are
left intact.
mirror-da-repl
Mirror Destination MAC Address replacement mode uses Layer 2 forwarding, with the ACOS
device replacing the destination MAC address on the incoming packet with the destination
MAC for each of the collector servers within the designated service group.
mirror-ip-repl
Mirror IP-replacement mode replaces the incoming packet’s IP address with the IP address of
the collector server(s) and then forwards the duplicated packet to those servers. This option
affects the packet at Layer 4, with minor changes made to the L4 source and destination
ports. This option is recommended for scenarios in which collector servers are directly connected to the ACOS device.
mirror-sa-da-repl
Mirror Source MAC Address and Destination MAC Address replacement mode replaces both
the source and destination MAC addresses at Layer 2 but does not change the Layer 3 IP
addressing information.
mirror-sa-repl
Mirror Source MAC Address replacement mode replaces the source MAC address on the
incoming packet with the MAC address corresponding to virtual server on the ACOS device.
NOTE:
In general, most of the traffic replication options modify the headers of the duplicated packets at Layer 2 by changing the MAC address. Only one of the Traffic Replication modes alters the packets’ IP address.
Default
Disabled
Mode
Service group
Usage
The traffic replication feature intercepts traffic feeds, such as SNMP or Syslog packets, copies
them to a buffer, and forwards the duplicated packet to multiple collector servers, where the
data can be used to track users and devices. This can be helpful for organizations that need
Network Monitoring feeds to be replicated to multiple destinations.
When configuring the feature, after defining the VIP and setting up the real collector servers,
configure a service group for the collector servers, add the real collector servers to the
service group, and specify which traffic replication mode will be used.
Example
The following commands configure a service group for the collector servers and add the real
collector servers to the service group. Then, the commands specify that the mirror-da-repl traffic replication mode will be used to forward duplicated network monitoring traffic
to the collector servers.
ACOS(config)# slb service-group SG-RS tcp
ACOS(config-slb svc group)# member RS1 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# member RS2 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# traffic-replication-type mirror-da-repl
Config Commands: SLB Virtual Servers
This chapter describes the commands for configuring SLB virtual servers.
NOTE:
The commands in this chapter apply to virtual servers (also called “VIPs”), not to real
servers. To configure real servers, see “Config Commands: SLB Servers” on page 273.
To access this configuration level, enter the slb virtual-server command at the global Config level. For example:
ACOS(config)# slb virtual-server VIP1 192.168.22.22
ACOS(config-slb vserver)#
To display configured virtual servers, use the show slb virtual-server ? command.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
The following commands are available:
• arp-disable
• description
• disable
• disable-when-all-ports-down
• disable-when-any-port-down
• enable
• extended-stats
• port
• redistribution-flagged
• stats-data-disable
• stats-data-enable
• template logging
• template policy
• template scaleout
• template virtual-server
• vrid
arp-disable
Description
Disable ARP replies from a virtual server.
Syntax
[no] arp-disable
Default
ARP replies are enabled by default.
Mode
Virtual server
Usage
Use this command if you do not want the ACOS device to reply to ARP requests to the virtual
server’s IP address. For example, you can use this command to put a VIP out of service on one
ACOS device and use that device as a switch or router for another ACOS device providing
SLB for the VIP.
When you disable ARP replies for a VIP, redistribution of routes to the VIP is automatically
disabled.
Example
The following command disables ARP replies:
ACOS(config-slb vserver)#arp-disable
description
Description
Add a description to a VIP.
Syntax
description string
Replace string with a description of the VIP (up to 63 characters long). The string can contain
blanks. Quotation marks are not required.
Default
None
Mode
Virtual server
Introduced in Release
2.7.0
disable
Description
Disable a virtual server.
Syntax
[no] disable
Default
Virtual servers are enabled by default.
Mode
Virtual server
disable-when-all-ports-down
Description
Automatically disable the virtual server if all its service ports are down. If OSPF redistribution
of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to disabling the virtual server.
Syntax
[no] disable-when-all-ports-down
Parameter
Description
when-all-ports-down
Automatically disables the virtual server if all its service ports are down. If OSPF redistribution of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition
to disabling the virtual server.
when-any-port-down
Automatically disables the virtual server if any of its service ports is down. If OSPF redistribution of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to disabling the virtual server.
Default
Enabled.
Mode
Virtual server
disable-when-any-port-down
Description
Automatically disable the virtual server if any of its service ports is down. If OSPF redistribution of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to
disabling the virtual server.
Syntax
[no] disable-when-any-port-down
Default
Disabled.
Mode
Virtual server
enable
Description
Enable a virtual server.
Syntax
[no] enable
Default
Enabled
Mode
Virtual server
Example
The following commands re-enable virtual server “vs1”:
ACOS(config)#slb virtual-server vs1
ACOS(config-slb vserver)#enable
extended-stats
Description
Enable collection of peak connection statistics for a virtual server.
Syntax
[no] extended-stats
Default
Disabled
Mode
Virtual server
port
Description
Configure a virtual port on a virtual server.
Syntax
[no] port port-number service-type [range length] [alternate]
Parameter
Description
port-number
Port number, 0-65534.
service-type
Service type of the port:
• diameter – Diameter AAA load balancing
• dns-tcp – DNS service over TCP
• dns-udp – DNS caching
• fast-http – Streamlined Hypertext Transfer Protocol (HTTP) service
• fix – File Information Exchange (FIX) load balancing
• ftp – File Transfer Protocol
• ftp-proxy – FTP proxy service
• http – HTTP
• https – Secure HTTP (SSL)
• imap – Internet Message Access Protocol (IMAP)
• mlb – MLB service over TCP
• mms – Microsoft Media Server
• mssql – Database load balancing for MS-SQL servers
• mysql – Database load balancing for MySQL servers
• others – Wildcard port used for IP protocol load balancing. (For more information, see the “IP Protocol Load Balancing” chapter of the Application Delivery and Server Load Balancing Guide.)
• pop3 – Post Office Protocol 3 (POP3)
• radius – RADIUS
• reqmod-icap – ICAP
• respmod-icap – ICAP
• rtsp – Real Time Streaming Protocol
• sip – Session Initiation Protocol (SIP) over UDP
• sip-tcp – SIP over TCP
• sips – SIP over TCP / TLS
• smpp-tcp – Short Message Peer-to-Peer (SMPP 3.3) load balancing over TCP
• smtp – Simple Mail Transfer Protocol
• spdy – Google SPeeDy protocol
• spdys – Secure SPDY
• ssl-proxy – SSL proxy service
• ssli – non-HTTP over SSL
• tcp – Layer 4 Transmission Control Protocol (TCP)
• tcp-proxy – Full TCP-stack service for load-balanced Layer 7 applications
• tftp – Trivial File Transfer Protocol
• udp – User Datagram Protocol
range length
Assigns a range of ports to the VIP for the specified virtual-service type. The length specifies the number of contiguous ports to add to the base port, 0-254.
alternate
Designates this virtual port as an alternate port for another virtual port. An alternate port is a standby
for the primary port. (See “alternate” on page 320.)
Default
N/A
Mode
Virtual server
Usage
The normal form of this command creates a new or edits an existing virtual port. The CLI
changes to the configuration level for the virtual port. (See “Config Commands: SLB Virtual
Server Ports” on page 317.)
The “no” form of this command removes the specified virtual port from current virtual server.
The maximum number of virtual service ports allowed and the maximum number per virtual
server depend on the ACOS model.
The ACOS device allocates processing resources to HTTPS virtual ports when you bind them
to an SSL template. This results in increased CPU utilization, regardless of whether traffic is
active on the virtual port.
Fast-HTTP
Fast-HTTP is optimized for very high performance information transfer in comparison to
regular HTTP. Due to this optimization, fast-HTTP does not support all the comprehensive
capabilities of HTTP such as header insertion and manipulation. It is recommended not to
use fast-HTTP for applications that require complete data transfer integrity.
Packet Processing on HTTP Virtual Ports
Packets reaching a Layer 7 HTTP virtual port are processed in the following order of priority:
1. PBSLB (policy template) action drop/reset
2. PBSLB action service-group, in conjunction with PBSLB action.
3. Source-IP persistence template
4. Layer 4 aFleX policy (for example, CLIENT_ACCEPTED event)
5. Cookie persistence template
6. Layer 7 aFleX script (for example, HTTP_REQUEST event)
7. URL switching configured in HTTP template
8. Cookie persistence template with match-type set to service-group, and bound to a
source-IP persistence template with match-type set to service-group.
9. Configured service-group bound to the virtual port
Example
The following example creates a new (or edits an existing) virtual port:
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#
redistribution-flagged
Description
Flag this VIP to selectively enable or disable redistribution of it by OSPF.
Syntax
[no] redistribution-flagged
Default
Not set. The VIP is automatically redistributed if VIP redistribution is enabled in OSPF.
Mode
Virtual server
Usage
Use this option if you want to redistribute only some of the VIPs rather than all of them.
Selective VIP redistribution also requires configuration in OSPF. See the description of the
vip option of the redistribute command in the “Config Commands: Router - OSPF”
chapter in the Network Configuration Guide.
stats-data-disable
Description
Disable collection of statistical data for the virtual server.
Syntax
stats-data-disable
Default
Statistical data collection for load-balancing resources is enabled by default.
Mode
Virtual server
stats-data-enable
Description
Enable collection of statistical data for the virtual server.
Syntax
stats-data-enable
Default
Statistical data collection for load-balancing resources is enabled by default.
Mode
Virtual server
Usage
To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb common” on page 18.)
template logging
Description
Bind a logging template to the virtual server.
Syntax
[no] template logging template-name
Default
None
Mode
Virtual server
Introduced in Release
2.7.0
template policy
Description
Bind a PBSLB policy template to the virtual server.
Syntax
[no] template policy template-name
Default
None
Mode
Virtual server
Usage
This command is applicable only for PBSLB policy templates configured for IP limiting. (See
the Application Access Management and DDoS Mitigation Guide.)
template scaleout
Description
Bind a Scale Out template to the virtual server.
More information about Scale Out is available in “Configuring Scale Out” in the System
Configuration and Administration Guide.
Syntax
[no] template scaleout template-name
Default
None
Mode
Virtual server
Introduced in Release
4.0.1
template virtual-server
Description
Bind a virtual server template to the virtual server.
Syntax
[no] template virtual-server template-name
Default
The virtual server template named “default” is bound to virtual servers by default. The parameter settings in the default virtual server template are automatically applied to the new virtual server, unless you bind a different virtual server template to the virtual server.
Mode
Virtual server
Usage
If a parameter is set individually on this virtual server and also is set in a virtual server template bound to this virtual server, the individual setting on this virtual server is used instead
of the setting in the template.
To configure a virtual server template, see “slb template virtual-server” on page 88.
Example
The following commands configure a virtual server template called “vs-tmplt1” that sets
ICMP rate limiting, and bind the template to a virtual server:
ACOS(config)#slb template virtual-server vs-tmplt1
ACOS(config-vserver)#icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)#exit
ACOS(config)#slb virtual-server vip1 10.10.10.2
ACOS(config-slb vserver)#template virtual-server vs-tmplt1
vrid
Description
Assign the virtual server to a VRRP-A VRID.
Syntax
[no] vrid num
Use num to specify the VRID (1-31 in the shared partition, or 1-7 in an L3V partition).
Default
The default VRID, if none is assigned, is 0.
Mode
Virtual server configuration mode
Config Commands: SLB Virtual Server Ports
This chapter describes the commands for configuring virtual ports.
To access this configuration level, enter the port command at the configuration level for a virtual server. For example:
ACOS(config)# slb virtual-server VIP1 192.168.22.22
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)#
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
The following commands are available:
• aaa-policy
• access-list
• aflex
• alternate
• bucket-count
• clientip-sticky-nat
• conn-limit
• def-selection-if-pref-failed
• def-selection-if-pref-failed-disable
• disable
• enable
• extended-stats
• force-routing-mode
• ha-conn-mirror
• ipinip
• message-switching
• name
• no-auto-up-on-aflex
• no-dest-nat
• redirect-to-https
• reset-on-server-selection-fail
• rtp-sip-call-id-match
• service-group
• skip-rev-hash
• snat-on-vip
• source-nat auto
• source-nat pool
• stats-data-disable
• stats-data-enable
• syn-cookie
• template
• template virtual-port
• use-default-if-no-server
• use-rcv-hop-for-resp
aaa-policy
Description
Bind an AAM policy to the virtual port.
Syntax
[no] aaa-policy policy-name
Mode
Virtual port
access-list
Description
Apply an Access Control List (ACL) to a virtual server port.
Syntax
[no] access-list {acl-num | name acl-name}
[source-nat-pool {pool-name | pool-group-name}
[sequence-number num]]
Parameter
Description
acl-num | name acl-name
Number of a configured IPv4 ACL (acl-num), or the name of a configured IPv6
ACL (name acl-name).
source-nat-pool
{pool-name | pool-group-name}
[sequence-number num]
Name of a configured IP source NAT pool or pool group. Use this option if you
are configuring policy-based source NAT. Source NAT is required if the real servers are in a different subnet than the VIP.
The sequence-number num option specifies the position of this ACL in the
sequence of ACLs that are associated with IP source NAT pools and which are
assigned to this virtual port. The sequence number is important because the
ACOS device will use the IP addresses in the pool associated with the first ACL
that matches the traffic.
By default, the ACL sequence is based on the order in which you apply them to
the virtual port. The first ACL has sequence number 1, the second ACL has
sequence number 2, and so on. You can specify 1-32 as the sequence number.
To view the sequence, use the show running-config command to view the
configuration for this virtual port.
Default
N/A
Mode
Virtual port
Usage
The ACL must be configured before you can apply it to a virtual port. To configure an ACL,
see “access-list (standard)” on page 74 and “access-list (extended)” on page 76.
To permit or deny traffic on the virtual port, specify an ACL but do not specify a NAT pool.
To configure policy-based source NAT, specify an ACL and a NAT pool. Use an extended ACL.
The source IP address must match on the client address. The destination IP address must
match on the real server address. The action must be permit. The NAT pool is used only for
traffic that matches the ACL. This configuration allows the virtual port to have multiple pools,
and to select a pool based on the traffic.
Example
The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x,
and apply the ACL to the inbound traffic direction on virtual port 8080 on virtual server
“slb1”:
ACOS(config)#access-list 99 deny 10.10.10.0 0.0.0.255
ACOS(config)#slb virtual-server vslb1
ACOS(config-slb vserver)#port 8080 http
ACOS(config-slb vserver-vport)#access-list 99
Example
The following commands configure policy-based source NAT, by binding ACLs to NAT pools
on the virtual port.
ACOS(config)#slb virtual-server vs1 10.10.10.100
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#access-list 30 source-nat-pool pool1
ACOS(config-slb vserver-vport)#access-list 50 source-nat-pool pool2
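How the ACL sequence decides which pool a flow gets, as an added Python model (not A10 code) of the rule stated above: ACL numbers 30 and 50 and the pool names follow the example, while the ACL entries, the client and server addresses and the explicit sequence numbers are constructed.

```python
"""Policy-based source NAT pool selection, as the access-list command describes it.

Added example (not A10 code): each ACL bound to the virtual port with
source-nat-pool is tried in sequence-number order, and the pool of the first
ACL that permits the flow is used. Sequence numbers default to the order of
binding (1, 2, ...) and may be set explicitly (1-32). ACL contents, pool
names and addresses below are constructed for the demo.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Match addr against base using an ACOS-style wildcard mask.

    As in 'access-list 99 deny 10.10.10.0 0.0.0.255': a 0 bit in the wildcard
    must match, a 1 bit is don't-care.
    """
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str                            # "permit" or "deny"
    src: str                               # client address (extended ACL source)
    src_wildcard: str
    dst: str = "0.0.0.0"                   # real-server address (extended ACL destination)
    dst_wildcard: str = "255.255.255.255"  # default: any destination

    def matches(self, client_ip: str, server_ip: str) -> bool:
        return (wildcard_match(client_ip, self.src, self.src_wildcard)
                and wildcard_match(server_ip, self.dst, self.dst_wildcard))


@dataclass
class Acl:
    number: int
    entries: list[AclEntry]

    def permits(self, client_ip: str, server_ip: str) -> bool:
        """First matching entry decides; no match means this ACL does not permit."""
        for e in self.entries:
            if e.matches(client_ip, server_ip):
                return e.action == "permit"
        return False


@dataclass
class PoolBinding:
    acl: Acl
    pool: str
    sequence: int


@dataclass
class VirtualPort:
    bindings: list[PoolBinding] = field(default_factory=list)

    def access_list(self, acl: Acl, source_nat_pool: str,
                    sequence_number: Optional[int] = None) -> None:
        """Model 'access-list <num> source-nat-pool <pool> [sequence-number <n>]'."""
        if sequence_number is None:
            # Default: position in the order the ACLs were applied to the port.
            sequence_number = max((b.sequence for b in self.bindings), default=0) + 1
        if not 1 <= sequence_number <= 32:
            raise ValueError("sequence-number must be 1-32")
        self.bindings.append(PoolBinding(acl, source_nat_pool, sequence_number))

    def select_pool(self, client_ip: str, server_ip: str) -> Optional[str]:
        """Pool of the first ACL (by sequence) that permits the flow, else None."""
        for b in sorted(self.bindings, key=lambda b: b.sequence):
            if b.acl.permits(client_ip, server_ip):
                return b.pool
        return None  # no policy pool: the flow falls through to the other SNAT methods


# Constructed demo: a narrow extended ACL and a broad one.
ACL30 = Acl(30, [AclEntry("permit", "10.1.1.0", "0.0.0.255", "192.168.22.0", "0.0.0.255")])
ACL50 = Acl(50, [AclEntry("permit", "10.1.0.0", "0.0.255.255")])


def bound_in_config_order() -> VirtualPort:
    """access-list 30 ... pool1, then access-list 50 ... pool2 (sequence 1, 2)."""
    vport = VirtualPort()
    vport.access_list(ACL30, "pool1")
    vport.access_list(ACL50, "pool2")
    return vport


def bound_with_broad_acl_first() -> VirtualPort:
    """Same ACLs, but sequence-number puts the broad ACL first: pool1 is never chosen."""
    vport = VirtualPort()
    vport.access_list(ACL30, "pool1", sequence_number=2)
    vport.access_list(ACL50, "pool2", sequence_number=1)
    return vport


if __name__ == "__main__":
    for build in (bound_in_config_order, bound_with_broad_acl_first):
        vport = build()
        print(build.__name__, vport.select_pool("10.1.1.7", "192.168.22.5"),
              vport.select_pool("10.1.9.7", "192.168.22.5"),
              vport.select_pool("172.16.0.1", "192.168.22.5"))
```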
aflex
Description
Apply an aFleX policy to a virtual port.
Syntax
[no] aflex policy-name
Replace policy-name with the name of a configured aFleX policy.
Default
N/A
Mode
Virtual port
Usage
The normal form of this command applies the specified aFleX policy to the port.
The no form of this command removes the aFleX policy from the port.
For more information about aFleX policies, see the aFleX Scripting Language Reference.
Example
The following command applies aFleX policy “aflex1” to a virtual port:
ACOS(config-slb vserver-vport)#aflex aflex1
alternate
Description
Enables switchover to another virtual port, based on specific conditions.
Syntax
[no] alternate port port-num
{alt-port-service-type [switchover-event]}
Parameter
Description
port-num
Port number of the alternate virtual port.
alt-port-service-type
Service type of the alternate port, tcp or http.
switchover-event
The event types that cause switchover from the primary port to the alternate port:
For TCP alternate ports, you can specify the following:
• req-fail – Switches over if a request fails.
• when-down – Switches over if the service group for the primary port is down.
For HTTP alternate ports, you can specify the following:
• serv-sel-fail – Switches over if SLB server selection fails.
• when-down – Switches over if the service group for the primary port is down.
Default
Not set
Mode
Virtual port
bucket-count
Description
Configure the number of traffic buckets used in a Scale Out configuration.
Syntax
[no] bucket-count num
Replace num with the number of traffic buckets (1-256).
Mode
Virtual port
clientip-sticky-nat
Description
Configure client stickiness for outbound Next Hop Load Distributor (NHLD).
Syntax
[no] clientip-sticky-nat
Default
Disabled
Mode
Virtual port
Usage
Sticky NAT for outbound Next Hop Load Distributor (NHLD) provides a virtual-port option to
ensure the ACOS device always uses the same outbound link for a given client’s traffic. You
can enable it on individual virtual ports.
NOTE:
The Sticky NAT option applies only to NHLD. The option does not apply to other
features, such as SLB.
NOTE:
The sticky NAT option is not supported with the ip-rr (IP round-robin) option.
conn-limit
Description
Set the connection limit for a virtual port.
Syntax
[no] conn-limit number [reset] [no-logging]
Parameter
Description
number
Connection limit, 0-8000000 (8 million); 0 means no limit.
reset
Sends a connection reset to the client, if the connection limit has
been reached. If you omit this option, the connection is silently
dropped and no reset is sent to the client.
no-logging
Disables logging for this feature.
Default
Not set. If you set a limit, the default action for any new connection request after the limit has
been reached is to silently drop the connection, without sending a reset to the client. Logging is enabled by default.
Mode
Virtual port
Usage
The normal form of this command changes the current port’s connection limit.
The no form of this command resets the port’s connection limit to its default value.
The connection limit puts a hard limit on the number of concurrent connections supported
by the port. No more connections will be put on the port if its number of current
connections is already equal to or bigger than the limit.
If you change the connection limiting configuration on a virtual port or virtual server that
has active sessions, or in a virtual-port or virtual-server template bound to the virtual server
or virtual port, the current connection counter for the virtual port or server in show
command output and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not have any active
connections.
Example
The following command changes a virtual port’s connection limit to 10000:
ACOS(config)#slb virtual-server vs1
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#conn-limit 10000
def-selection-if-pref-failed
Description
Configure SLB to continue checking for an available server in other service groups if all of the
servers are down in the first service group selected by SLB.
Syntax
def-selection-if-pref-failed
Default
Enabled
Mode
Virtual port
Usage
During SLB selection of the preferred server to use for a client request, SLB checks the following configuration areas, in the order listed:
1. Layer 3-4 configuration items:
• aFleX policies triggered by Layer 4 events
• Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it
matches on IP addresses in black/white lists.
2. Layer 7 configuration items:
• Cookie switching
• aFleX policies triggered by Layer 7 events
• URL switching
• Host switching
3. Default service group. If none of the items above results in selection of a server, the
default service group is used.
• If the configuration uses only one service group, this is the default service group.
• If the configuration uses multiple service groups, the default service group is the
one that is used if none of the templates used by the configuration selects another
service group instead.
For example, if the CLIENT_ACCEPTED event triggers the aFleX policy, the policy is consulted
first. Similarly, if the HTTP_REQUEST event triggers the aFleX policy, the policy is consulted
only if none of the Layer 4 configuration items results in selection of a server.
The first configuration area that matches the client or VIP (as applicable) is used, and the
client request is sent to a server in the service group that is applicable to that configuration
area. For example, if the client's IP address is in a black/white list, the service group specified
by the list is used for the client request.
When the def-selection-if-pref-failed option is enabled, SLB continues to check for an
available server in other service groups if all servers are down in the first service group
selected by SLB.
If Policy-Based SLB (PBSLB) is also configured on the same virtual port, PBSLB server-selection
failures are not logged. This limitation does not affect failures that occur because a client is
over their PBSLB connection limit. These failures are still logged.
To disable the option, see “def-selection-if-pref-failed-disable” on page 1.
Example
The following command enables this option:
ACOS(config-slb vserver-vport)#def-selection-if-pref-failed
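The selection order described in this Usage section, and the first-match processing order given for HTTP virtual ports in the port section, as an added Python model (not A10 code); the rule inside each area, the service-group names and the addresses are constructed, and a failure with the option disabled is the case reset-on-server-selection-fail would answer with a RST.

```python
"""Server selection order and def-selection-if-pref-failed.

Added example (not A10 code). The configuration areas are consulted in the
order the page lists them (Layer 3-4 items, Layer 7 items, then the default
service group) and the first area that selects a service group wins. With
the option enabled, SLB keeps walking the later areas when every server in
the selected group is down. Area rules, group names and addresses are
constructed for the demo.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Request:
    client_ip: str
    host: str
    url: str
    cookie_group: Optional[str] = None   # service group named in a persistence cookie


# A selection area returns the service-group name it selects, or None to pass.
Area = Callable[[Request], Optional[str]]


@dataclass
class VirtualPort:
    service_groups: dict[str, list[bool]]    # group name -> per-server "up" flags
    default_group: str
    areas: list[tuple[str, Area]] = field(default_factory=list)
    def_selection_if_pref_failed: bool = True   # enabled by default, as on the page

    def group_has_up_server(self, group: str) -> bool:
        return any(self.service_groups.get(group, []))

    def select(self, req: Request) -> tuple[str, str]:
        """Return (service_group, deciding_area), or ("SELECTION_FAILED", area)."""
        ordered = self.areas + [("default service group", lambda r: self.default_group)]
        for name, area in ordered:
            group = area(req)
            if group is None:
                continue                          # this area does not match the request
            if self.group_has_up_server(group):
                return group, name
            if not self.def_selection_if_pref_failed:
                # Preferred group is down and the option is disabled: selection fails here
                # (reset-on-server-selection-fail would answer the client with a RST).
                return "SELECTION_FAILED", name
            # Option enabled: keep checking the remaining areas for another group.
        return "SELECTION_FAILED", "default service group"


def build_demo_vport(api_up: bool = True, option: bool = True) -> VirtualPort:
    """Constructed HTTP virtual port with one rule in each documented area."""
    def l4_aflex(r):        # CLIENT_ACCEPTED event: internal clients go to an internal group
        return "internal-grp" if ip_address(r.client_ip) in ip_network("10.0.0.0/8") else None

    blacklist = {"192.0.2.9": "quarantine-grp"}   # PBSLB black/white list entry
    def pbslb(r):
        return blacklist.get(r.client_ip)

    def cookie_switching(r):
        return r.cookie_group

    def l7_aflex(r):        # HTTP_REQUEST event: admin paths go to a dedicated group
        return "admin-grp" if r.url.startswith("/admin") else None

    def url_switching(r):
        return "api-grp" if r.url.startswith("/api") else None

    def host_switching(r):
        return "img-grp" if r.host == "img.example.test" else None

    return VirtualPort(
        service_groups={"internal-grp": [True], "quarantine-grp": [True],
                        "admin-grp": [True], "api-grp": [api_up, api_up],
                        "img-grp": [True], "web-grp": [True, True]},
        default_group="web-grp",
        areas=[("Layer 4 aFleX", l4_aflex), ("PBSLB list", pbslb),
               ("cookie switching", cookie_switching), ("Layer 7 aFleX", l7_aflex),
               ("URL switching", url_switching), ("host switching", host_switching)],
        def_selection_if_pref_failed=option,
    )
```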
def-selection-if-pref-failed-disable
Description
Disable the def-selection-if-pref-failed option. (See “def-selection-if-pref-failed” on page 1.)
Syntax
def-selection-if-pref-failed-disable
disable
Description
Disable a virtual port.
Syntax
[no] disable
Default
Enabled
Mode
Virtual port
Example
The following command disables a virtual port:
ACOS(config)#slb virtual-server vs1
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#disable
enable
Description
Enable a virtual port.
Syntax
[no] enable
Default
Enabled
Mode
Virtual port
Example
The following command re-enables a virtual port:
ACOS(config)#slb virtual-server vs1
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#enable
extended-stats
Description
Enable collection of peak connection statistics for a virtual port.
Syntax
[no] extended-stats
Default
Disabled
Mode
Virtual port
force-routing-mode
Description
Disables destination NAT, so that server responses go directly to clients.
Syntax
[no] force-routing-mode
Default
Disabled
Mode
Virtual port
NOTE:
In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service
types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types
TCP, UDP, and RTSP.
ha-conn-mirror
Description
Enable connection mirroring (session synchronization) for the virtual port.
Syntax
[no] ha-conn-mirror
Default
Disabled.
Mode
Virtual port
Usage
Connection mirroring applies to VRRP-A configurations. When connection mirroring is enabled, the Active ACOS device sends information about active client connections to the
Standby ACOS device. If a failover occurs, the newly Active ACOS device continues service for
the session. The client perceives very brief or no interruption.
When connection mirroring is disabled, client session information is lost. Clients must
establish new connections.
In VRRP-A deployments, session synchronization is required for persistent sessions (for
example, source-IP persistence), and is therefore automatically enabled for these sessions by
the ACOS device. Persistent sessions are synchronized even if session synchronization is
disabled in the configuration.
Session synchronization applies only to certain virtual port types. The ha-conn-mirror
command is listed in the CLI help only for those virtual port types.
ipinip
Description
Enables IP-in-IP tunneling. This option is available only on the following port types: TCP, UDP,
RTSP, FTP, MMS, SIP, TFTP and RADIUS.
Syntax
[no] ipinip
Mode
Virtual port
message-switching
Description
Enable message switching.
This causes messages to be forwarded in their entirety, one hop at a time. Each message is
treated as its own individual entity.
Syntax
[no] message-switching
Mode
Virtual port
name
Description
Change the name assigned to the virtual port.
Syntax
name string
Replace string with the name for the virtual port.
Default
The ACOS device assigns a name that uses the following format:
_vip-addr_service-type_portnum
Mode
Virtual port
no-auto-up-on-aflex
Description
Disable automatic setting of an aFleX-bound virtual port’s state to Up.
Syntax
[no] no-auto-up-on-aflex
Default
Disabled. If an aFleX script is bound to the virtual port, the port is automatically marked Up.
Mode
Virtual port
Usage
This command applies only if an aFleX script is bound to the virtual port.
no-dest-nat
Description
Disable destination NAT.
Syntax
[no] no-dest-nat
[port-translation]
For wildcard VIPs, the port-translation option enables the ACOS device to translate the
destination protocol port in a client request before sending the request to a server.
This option is useful if the real port number on the server is different from the virtual port
number of the VIP. Without this option, the ACOS device sends the request to the server
without changing the destination port number.
This option does not change the destination IP address of the request.
NOTE:
This option is supported only for virtual ports that are on wildcard VIPs.
Default
Destination NAT is enabled by default.
Mode
Virtual port
Usage
This option can be used for Direct Server Return (DSR) or for wildcard VIPs.
Direct Server Return
For virtual servers that have a specific virtual IP address (VIP), disabling destination NAT
enables Direct Server Return (DSR). When DSR is enabled, only the destination MAC address
is translated from the VIP’s MAC address to the real server’s MAC address. The destination IP
address is still the VIP.
In DSR topologies, reply traffic from the server to the client is expected to bypass the ACOS
device.
In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service types) TCP,
UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP, UDP, and RTSP.
Wildcard VIPs
For wildcard VIPs (VIPs that can have any IP address), this option enables the ACOS device to
send the client request to the server without changing the destination IP address of the
request.
The destination port of the request also is unchanged, unless you use the port-translation option. (See above.)
Depending on the network topology and the application, reply traffic from the server to the
client may or may not pass back through the ACOS device. If the port-translation
option is used, and reply traffic passes through the ACOS device, the ACOS device translates
the source port of the server reply back into the destination port to which the client sent the
request, before forwarding the reply to the client.
The port-translation option is supported only for the following virtual port types: TCP,
UDP, and HTTP/HTTPS.
redirect-to-https
Description
Responds to client HTTP requests with an HTTP redirect response with response code 302
(Moved Permanently). The client is redirected to the same host and URI they requested, but
using HTTPS instead of HTTP.
Syntax
[no] redirect-to-https
Default
Disabled
Mode
Virtual port
Usage
This command is only available on HTTP virtual ports.
reset-on-server-selection-fail
Description
Send a TCP reset (RST) to the client if server selection fails.
Syntax
[no] reset-on-server-selection-fail
Default
Disabled
Mode
Virtual port
Usage
The TCP template reset-rev option also can be used to send a RST to clients. In AX
releases prior to 2.2.2, the reset-rev option would send a RST in response to a server selection failure. In AX Release 2.2.2 and later, this is no longer true. The reset-on-server-selection-fail option must be used instead.
rtp-sip-call-id-match
Description
Causes RTP traffic to try to match the real server of a SIP SMP call-id session.
This command is used in conjunction with the smp-call-id-rtp-session option under
SIP template configuration (“slb template sip (over UDP)” on page 88), which creates a cross-CPU RTP session that can be matched by RTP traffic.
Syntax
[no] rtp-sip-call-id-match
Mode
Virtual port
Introduced in Release
4.0.1
Example
The example below shows a sample configuration:
!
slb template sip test
  smp-call-id-rtp-session
!
!
slb virtual-server vv 0.0.0.0
  port 0 udp
    skip-rev-hash
    message-switching
    force-routing-mode
    no-dest-nat
    service-group win
    rtp-sip-call-id-match
  port 5060 sip
    message-switching
    force-routing-mode
    service-group winms
    template sip test
!
service-group
Description
Bind a virtual port to a service group.
Syntax
[no] service-group group-name
Replace group-name with the service-group name.
Default
N/A
Mode
Virtual port
Usage
The normal form of this command binds the virtual port to the specified service group. The
“no” form of this command removes the binding.
One virtual port can be associated with one service group only, while one service group can
be associated with multiple virtual ports.
The type of service group and type of virtual port should match. For example, a UDP service
group can not be bound to an HTTP virtual port.
skip-rev-hash
Description
Does not insert the reverse tuple into the session hash for lookup.
This is used with aFleX and stateless load-balancing methods.
Syntax
[no] skip-rev-hash
Mode
Virtual port
Example
The following example shows how to activate this feature.
ACOS(config)#slb virtual-server vs1
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#skip-rev-hash
snat-on-vip
Description
Enable IP NAT support for the virtual port.
Syntax
[no] snat-on-vip
Default
Disabled
Mode
Virtual port
Usage
Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP source NAT is
configured using an ACL on the virtual port, and the slb snat-on-vip command is also
used, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For
traffic that is not permitted by the ACL, VIP source NAT can be used instead.
NOTE:
The current release does not support source IP NAT on FTP or RTSP virtual ports.
source-nat auto
Description
Configure Smart NAT, to automatically create NAT mappings using the ACOS interface connected to the real server.
Syntax
[no] source-nat auto [precedence]
This option is applicable if standard NAT pools are also used by the virtual port. In this case,
using the precedence option causes Smart NAT to be used before the standard NAT pools
are used.
Default
Disabled
Mode
Virtual port
Usage
Up to 45 K mappings per real server port are supported. The ACOS device can use the same
ACOS interface IP address and port for more than one server connection. The combination
of ACOS IP address and port number (source) and server IP address and port (destination)
uniquely identifies each mapping.
Smart NAT can be used along with standard NAT pools or pool groups. In this case, by
default, the standard pool addresses are used first. Smart NAT is used only when the standard
pools can not support any more mappings. You can change this behavior so that Smart NAT
is used first.
Additional Notes
• Smart NAT applies only to ACOS devices deployed in route mode (also called “gateway”
mode). The feature is not applicable to devices deployed in transparent mode.
• Smart NAT uses only the primary IP address on an interface, even if multiple addresses
are configured on the interface.
• Smart NAT uses protocol ports 20032-65535.
• Smart NAT is not supported on SIP, SIP-TCP, or SIPS virtual ports.
• VRRP-A support:
• A floating IP address is required for session synchronization.
• Bind the service group to only a single virtual port. If this is not possible, make sure
all virtual ports bound to the service group have the same VRID.
source-nat pool
Description
Enable source NAT. Source NAT is required if the real servers are in a different subnet than the
VIP.
NOTE:
This command is not applicable to the MMS or RTSP service types.
Syntax
[no] source-nat pool {pool-name | pool-group-name}
Parameter
Description
pool-name
Specifies the name of an IP pool of addresses to use as source
addresses.
pool-group-name
Specifies the name of a group of IP address pools to use as
source addresses.
Default
Disabled.
Mode
Virtual port
Usage
This command enables source NAT using a single NAT pool or pool group, for all source
addresses. If you want the ACOS device to select from among multiple pools based on
source IP address, configure policy-based source NAT instead. See “access-list” on page 1.
Example
The following example enables source NAT for the virtual port:
ACOS(config-slb vserver-vport)#source-nat pool pool2
stats-data-disable
Description
Disable collection of statistical data for the virtual port.
Syntax
stats-data-disable
Default
Statistical data collection for load-balancing resources is enabled by default.
Mode
Virtual port
stats-data-enable
Description
Enable collection of statistical data for the virtual port.
Syntax
stats-data-enable
Default
Statistical data collection for load-balancing resources is enabled by default.
Mode
Virtual port
Usage
To collect statistical data for a load-balancing resource, statistical data collection also must be
enabled globally. (See “slb resource-usage” on page 497.)
syn-cookie
Description
Enable software-based SYN cookies for a virtual port. SYN cookies provide protection against
TCP SYN flood attacks.
Syntax
[no] syn-cookie
[expand]
The expand option enables expanded SYN cookie support. When enabled, the ACOS device
can encode values for the following TCP options in the SYN-ACK:
• Window Scale for outbound traffic (send)
• Window Scale for inbound traffic (receive)
• Selective acknowledgement (SACK) flag
NOTE:
These options are described in RFC 1323, TCP Extensions for High Performance.
Default
Disabled.
Mode
Virtual port
Usage
If hardware-based SYN cookies are enabled, software-based SYN cookies are not needed and
are not used. (Hardware-based SYN cookies are enabled at the global configuration level. See
“syn-cookie” in the Command Line Interface Reference guide.)
For software-based SYN cookies, the ACOS device derives the Selective Acknowledgment (SACK)
support and the maximum segment size (MSS) value it encodes in SYN cookies from the servers'
replies to the TCP health checks sent to them.
SACK
The ACOS device includes the Sack-Permitted option in TCP SYN health check packets sent
to servers.
• If all up servers in the service group reply with a TCP SYN-ACK that contains a SACK
option, the ACOS device uses SACK with the software-based SYN-cookie feature, for all
servers in the service group.
• If any of the up servers in the service group does not send a SACK option, the ACOS
device does not use SACK with the software-based SYN-cookie feature, for any servers
in the service group.
SACK cannot be enabled manually for the software-based SYN-cookie feature; its use is determined by the health-check replies described above. If you are upgrading an ACOS
device whose startup-config contains the SACK option, the option is ignored.
MSS
The lowest MSS value supported by any of the servers in the service group is the MSS value
used by the ACOS device for software-based SYN-cookies.
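The SACK and MSS rules above, worked through as an added example that is not A10 code: a parser for the TCP options carried in a health-check SYN-ACK, followed by the two decisions the page describes. The server names and the SYN-ACK option bytes are constructed for the example; the option kinds come from the RFCs, not from this page.

```python
"""Added example (not A10 code): derive software SYN-cookie settings from
TCP health-check SYN-ACKs, following the SACK and MSS rules stated above.

parse_tcp_options() decodes the TCP options field of a SYN-ACK (option
kinds from RFC 793, RFC 1323 and RFC 2018). syn_cookie_settings() then
applies the page's rules: SACK is used only if every *up* server advertised
Sack-Permitted, and the MSS is the lowest MSS advertised by any server in
the group. The SYN-ACK option bytes below are constructed for this example.
"""
import struct

# TCP option kinds (RFC values, not from the page)
OPT_END, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM = 0, 1, 2, 3, 4


def parse_tcp_options(raw):
    """Return {'mss': int|None, 'wscale': int|None, 'sack_permitted': bool}.
    Malformed option lists raise ValueError instead of being guessed at."""
    out = {"mss": None, "wscale": None, "sack_permitted": False}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:            # single-byte padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            out["wscale"] = body[0]
        elif kind == OPT_SACK_PERM and length == 2:
            out["sack_permitted"] = True
        # unknown kinds are skipped by their declared length
        i += length
    return out


def syn_cookie_settings(servers):
    """servers: list of {'name': str, 'up': bool, 'synack_options': bytes}.
    Returns {'sack': bool, 'mss': int|None} as the rules above dictate."""
    parsed = {s["name"]: parse_tcp_options(s["synack_options"]) for s in servers}
    up = [parsed[s["name"]] for s in servers if s["up"]]
    # SACK only if *all* up servers sent Sack-Permitted; no up servers -> no SACK
    use_sack = bool(up) and all(p["sack_permitted"] for p in up)
    # lowest MSS supported by any server in the service group
    mss_values = [p["mss"] for p in parsed.values() if p["mss"] is not None]
    return {"sack": use_sack, "mss": min(mss_values) if mss_values else None}


# Constructed SYN-ACK option fields (hypothetical servers):
#   srv1: MSS 1460, Sack-Permitted, NOP, Window Scale 7
#   srv2: MSS 1380, NOP, NOP, Sack-Permitted
#   srv3: MSS 1200, no SACK option
SRV1 = b"\x02\x04\x05\xb4\x04\x02\x01\x03\x03\x07"
SRV2 = b"\x02\x04\x05\x64\x01\x01\x04\x02"
SRV3 = b"\x02\x04\x04\xb0"

SCENARIO_ALL_UP = [
    {"name": "srv1", "up": True, "synack_options": SRV1},
    {"name": "srv2", "up": True, "synack_options": SRV2},
    {"name": "srv3", "up": True, "synack_options": SRV3},
]
# same group, but srv3 has failed its health check
SCENARIO_SRV3_DOWN = [dict(s, up=(s["name"] != "srv3")) for s in SCENARIO_ALL_UP]

if __name__ == "__main__":
    print(syn_cookie_settings(SCENARIO_ALL_UP))     # SACK off: srv3 lacks it
    print(syn_cookie_settings(SCENARIO_SRV3_DOWN))  # SACK on: all up servers have it
```

The two scenarios make the operational consequence visible: one server in the group that does not advertise SACK switches SACK off for every server, and it comes back only once that server is no longer counted as up.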
template
Description
Apply an SLB configuration template to a virtual port.
Syntax
[no] template template-type template-name
Parameter
Description
template-type
Type of template. The template types that are available depend
on the service type of the virtual port. To list the available template types, enter the following command: template ?
For information about the virtual-port template type, see
“template virtual-port” on page 334.
template-name
Name of the template.
Default
If the ACOS device has a default template that is applicable to the service type, the default
template is automatically applied. The ACOS device has a default virtual-port template,
which is applied to a virtual port when you create it.
Mode
Virtual port
Usage
The normal form of this command applies the specified template to the virtual port. The no
form of this command removes the template from the virtual port but does not delete the
template itself.
A virtual port can be associated with only one template of a given type. However, the same
template can be associated with more than one virtual port.
To bind a virtual-port template to the port, see “template virtual-port” on page 1.
Example
The following example applies connection reuse template “reuse-template” to a virtual port:
ACOS(config-slb vserver-vport)# template connection-reuse reuse-template
template virtual-port
Description
Bind a virtual service port template to the virtual port.
Syntax
[no] template virtual-port template-name
Default
The virtual port template named “default” is bound to virtual ports by default. The parameter
settings in the default virtual port template are automatically applied to the new virtual port,
unless you bind a different virtual port template to the virtual port.
Mode
Virtual port
Usage
If a parameter is set individually on this virtual port and also is set in a virtual port template
bound to this virtual port, the individual setting on this port is used instead of the setting in
the template.
To configure a virtual port template, see “slb template virtual-port” on page 603.
Example
The following commands configure a virtual service port template named “common-vpsettings”, set the connection limit, and bind the template to a virtual port:
ACOS(config)# slb template virtual-port common-vpsettings
ACOS(config-vport)# conn-limit 500000
ACOS(config-vport)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.99
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template virtual-port common-vpsettings
use-default-if-no-server
Description
Forward client traffic at Layer 3, if SLB server selection fails.
Syntax
[no] use-default-if-no-server
Default
Disabled. If SLB server selection fails, the traffic is dropped.
Mode
Virtual port
Usage
This command applies only to wildcard VIPs (VIP address 0.0.0.0).
use-rcv-hop-for-resp
Description
Force the ACOS device to send replies to clients back through the last hop on which the
request for the virtual port's service was received.
Syntax
use-rcv-hop-for-resp [src-dst-ip-swap-persist | use-src-ip-for-dst-persist | use-dst-ip-for-src-persist]
Parameter
Description
src-dst-ip-swap-persist
Creates a persistent session after the source IP and destination IP have been
swapped. The new persistent session that is created should match both the
source IP and the destination IP. This option should be used with the incl-dstip option for the ALG FWLB feature.
NOTE: This option cannot be used for the SIP protocol, because a SIP transaction
may involve three or more parties.
use-src-ip-for-dst-persist
Creates a destination persistent session based on the source IP.
use-dst-ip-for-src-persist
The ACOS device uses the destination IP to create source-IP persistent sessions
for SIP or FTP sessions. With this option, the response packet will go through the
same firewall as the client’s request packet, and the SIP session and communication sessions will be load balanced through the same firewall node.
Default
Disabled.
Mode
Virtual port
Usage
For simple protocols, load balancing across a firewall is relatively easy. However, load balancing
Application Layer Gateway (ALG) protocols, such as SIP and FTP, which have multiple connections
that can originate from either side of the firewall deployment, can be more challenging. The lack
of predictability with ALG protocols can cause the protocol’s control connection and data
connection to be sent to different firewalls, thus breaking the application.
The ACOS device uses the use-rcv-hop-for-resp command and its sub-options to load
balance ALG protocols through a firewall deployment consisting of paired firewalls.
NOTE:
For the use-rcv-hop-for-resp command to work for incoming packets on the
default VLAN, you must also configure vlan-global enable-def-vlan-l2-forwarding. For example:
ACOS(config)# vlan-global enable-def-vlan-l2-forwarding
ACOS(config)# slb virtual-server outbound_wc 0.0.0.0 acl 100
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# service-group SG_TCP
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
For more information, refer to the “ALG Protocol FWLB Support for FTP and SIP” chapter in
the Application Delivery and Server Load Balancing Guide.
Config Commands: Health Monitors
This chapter describes the CLI commands available to configure SLB health monitors:
• disable-after-down
• interval
• method
• override-ipv4
• override-ipv6
• override-port
• passive
• retry
• ssl-ciphers
• strictly-retry-on-server-error-response
• up-retry
To access this configuration level, enter the health monitor command at the global configuration level. For example:
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)#
For more information about health monitors, see the “Health Monitoring” chapter of the Application Delivery and Server Load
Balancing Guide.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
disable-after-down
Description
Disable the target of a health check if the target fails the health check.
Syntax
[no] disable-after-down
Default
Disabled
Mode
Health monitor configuration
Usage
This command applies to all servers, ports, or service groups that use the health monitor.
When a server, port, or service group is disabled based on this command, the server, port, or
service group’s state is changed to disable in the running-config. If you save the configuration while the server, port, or service group is disabled, the state change is written to the
startup-config.
The server, port, or service group remains disabled until you explicitly enable it.
interval
Description
Number of seconds between health check attempts, 1-180 seconds. A health check attempt
consists of the ACOS device sending a packet to the server. The packet type and payload
depend on the health monitor type. For example, an HTTP health monitor might send an
HTTP GET request packet.
Syntax
[no] interval seconds [timeout seconds]
Parameter
Description
interval seconds
Number of seconds between health check attempts, 1-180
seconds.
The default is 5 seconds.
timeout seconds
Number of seconds ACOS waits for a reply to a health check,
1-12 seconds.
The default is 5 seconds.
Default
See descriptions.
Mode
Health monitor configuration
method
Description
Configure a health method.
Syntax
[no] method method-options
Valid parameters for method-options are shown in the following table:
Parameter
Description
compound sub monitor-name
[sub monitor-name ...]
Boolean-operators
Configures a compound health monitor. A compound health monitor consists of a set of health monitors joined in a Boolean expression (AND / OR /
NOT). For more information, see the “Compound Health Monitors” section in
the “Health Monitoring” chapter of the Application Delivery and Server Load Balancing Guide.
[no] database database-type
db-name name
username username-string
password password-string
[query-options]
Configures a database health monitor. The ACOS device sends a database
query to the specified server.
• database database-type – Specifies the type of database to test:
• mssql
• mysql
• oracle
• postgresql
• db-name name – Specifies the name of the database to query.
• username username-string password password-string – Specifies the login information required to access the database.
• query-options – Specifies query information:
send query
[receive expected-reply | receive-integer integer]
[row row-num column col-num]
• send query – SQL query to send to the database.
• receive expected-reply – Query result expected from the database in order to pass the health check. To use the receive (1-31 characters) or receive-integer (0-2147483647) options, you also must use
the send option. If you do not use send, the ACOS device does not send
a query.
• row row-num column col-num – For replies that consist of multiple
results, the results are in a table. You can specify the row and column
location within the results table to use as the receive string. If you do not
specify the row and column, row 1 and column 1 are queried by default.
dns
{ipaddr | domain domain-name}
[options]
Sends a lookup request to the specified port number for the specified domain
name. By default, expects reply with code 0. You can specify a domain name
or a server IP address as the target of the health check.
You also can configure the following options:
• expect response-code code-list – Specifies a list of response
codes, in the range 0-15, that are valid responses to a health check. The
DNS server can respond with any of the expected response codes. By
default, the expect list is empty, in which case the ACOS device expects status code 0 (No error condition).
• port port-num – Specifies the protocol port number on which the DNS
server listens for DNS queries. Use this option if the server is not using the
default DNS port, 53.
• recurse {enabled | disabled} – Specifies whether the tested DNS
server is allowed to send the health check’s request to another DNS server if
the tested server can not fulfill the request using its own database. Recursion is enabled by default.
• tcp – Enables use of TCP for a DNS health monitor.
• type {A | CNAME | SOA | PTR | MX | TXT | AAAA} – For health
checks sent to a domain name, specifies the record type the responding
server is expected to send in reply to health checks.
You can specify one of the following record types:
• A – IPv4 address record
• CNAME – Canonical name record for a DNS alias
• SOA – Start of authority record
• PTR – Pointer record for a domain name
• MX – Mail Exchanger record
• TXT – Text string
• AAAA – IPv6 address record
By default, the ACOS device expects the DNS server to respond to the
health check with an A record.
external [port portnum]
program program-name
[arguments argument-string]
[preference]
Runs an external program (for example, a Tcl script) and bases the health status on the outcome of the program. See “Usage” below for more information
on health check using an external program.
The preference option applies to weighted load-balancing methods such
as SNMP-based load balancing. (See the “SNMP-based Load Balancing” chapter in the Application Delivery and Server Load Balancing Guide.)
External health methods are not supported in Direct Server Return (DSR)
deployments.
ftp
[[username name
password string]
port port-num]
Sends an FTP login request to the specified port. Expects OK message, or Password message followed by OK message. Unless you use anonymous login,
the username and password must be specified in the health check configuration.
http [options]
Sends an HTTP request to the specified TCP port and URL. Expects OK message (200).
You can specify the following options:
• expect {string | response-code code-list} – Specifies a
response code or string expected from the server, in which case this value
is also expected. To specify a range of response codes, use a dash ( - )
between the low and high numbers of the range. Use commas to delimit
individual code numbers or separate ranges. By default, the ACOS device
expects response code 200 (OK).
• host {ipv4-addr | ipv6-addr | domain-name} [:port-num] –
Replaces the information in the Host field of the request sent to the real
server. By default, the real server’s IP address is placed in the field.
• Kerberos-auth realm realm_name kdc ip/ipv6-addr port num
– Specifies Kerberos authentication by using the HTTP negotiation mechanism. To enable Kerberos authentication on the health monitor, enter a Kerberos realm as well as the IP address of the KDC server and its related port.
• maintenance-code code-list – Specifies a response code that indicates the server needs to be placed into maintenance mode. If the ACOS
device receives the specified status code in response to a health check, the
ACOS device changes the server’s health status to Maintenance.
When a server’s health status is Maintenance, the server will accept new
requests on existing cookie-persistent or source-IP persistent connections,
but will not accept any other requests.
To leave maintenance mode, the server must do one of the following:
• Successfully reply to a health check by sending the expected string or
response code, but without including the maintenance code. In this
case, the server’s health status changes to Up.
• Fail a health check. In this case, the server’s status changes to Down.
The Maintenance health status applies to server ports and service-group
members. When a port’s status changes to Maintenance, this change
applies to all service-group members that use the port.
NOTE: The expect maintenance-code option applies only to servers
in cookie-persistence or source-IP persistence configurations, and can be
used only for HTTP and HTTPS ports.
• port port-num – Specifies the protocol port on which the server listens
for HTTP traffic. Use this option if the server does not use the default HTTP
port, 80.
• url string – Specifies the request type and the page (url-path) to which
to send the request. By default, GET requests are sent for “ / ”, the index.html
page. You can specify one of the following:
• GET url-path
• HEAD url-path
• POST url-path postdata string
• POST / postfile filename
In a postdata string, use “=” between a field name and the value you are
posting to it. If you post to multiple fields, use “&” between the fields. For
example: postdata fieldname1=value&fieldname1=value. The
string can be up to 255 bytes long.
• username name – Specifies the username required for HTTP access to the
server. Unless anonymous login is used, the username must be specified.
https [options]
Similar to an HTTP health check, except SSL is used to secure the connection.
The default port is 443.
The disable-sslv2hello option disables encapsulation of SSLv3, TLSv1,
or TLSv1.1 hello messages within the SSLv2 hello messages for HTTPS health
checks.
The cert cert-name and key key-name options are used to add an SSL
certificate and key to an HTTPS health monitor. When you use this option, the
ACOS device uses the certificate and key during the SSL handshake with the
HTTPS port on the server.
The certificate you plan to use with the health monitor must be present on
the ACOS device before you configure the health monitor.
icmp [transparent ipaddr]
Sends an ICMP echo request to the server. Expects ICMP echo reply message.
The transparent ipaddr option is applicable if the target of the health
monitor is reached through an intermediary device. The option tests the path
through the intermediary device to the target device.
imap
[port port-num]
[username name password string
[auth auth-type]]
Sends an IMAP login request with the specified username name and password string. Expects reply with OK message.
For the auth-type, you can specify one or more of the following authentication methods:
• cram-md5—Challenge-response authentication. Note that the user’s password will be used as the shared secret.
• login—Simple login authentication.
• plain—Plain text authentication.
If all three options are specified, plain will be selected.
If plain is not specified, then cram-md5 will be used.
kerberos-kdc kinit
principal password
{kdc-hostname | kdc-ipaddr}
[port port-num]
[tcp-only]
Configures a method to check accessibility of the KDC for obtaining a TGT.
kerberos-kdc kadmin
realm-name principal password
{kdc-hostname | kdc-ipaddr}
[port port-num]
{admin-hostname |
admin-ipaddr}
[port port-num]
• principal – Name of the Kerberos principal. This is the ACOS client
name presented to the server.
• password – Kerberos admin password.
• {kdc-hostname | kdc-ipaddr} [port port-num] – Hostname or
IP address of the server where the KDC is running. The port option specifies the protocol port on which the server listens for TGT requests. The
default KDC port is 88.
• tcp-only – Sends health checks only over TCP.
Configures a method to check accessibility of the Kerberos server for user
account administration.
• realm-name – Name of the Kerberos realm.
• principal – Name of the Kerberos principal.
• {kdc-hostname | kdc-ipaddr} [port port-num] – Hostname or
IP address of the Kerberos server. The port option specifies the TCP port
on which the server listens for user account administration requests. The
default TCP port is 749.
For information about the other options, see the descriptions for kerberos-kdc kinit (described above).
kerberos-kdc kpasswd
principal password
{kdc-hostname | kdc-ipaddr}
[port port-num]
{pwd-hostname | pwd-ipaddr}
[port port-num]
Configures a method to check accessibility of the Kerberos server for user
password change.
• {pwd-hostname | pwd-ipaddr} [port port-num] – Hostname or
IP address of the Kerberos server. The port option specifies the UDP port
on which the server listens for user password-change requests. The default
is UDP port 464.
For information about the other options, see the descriptions for kerberos-kdc kinit (described above).
ldap
[StartTLS]
[binddn dn-string password]
[overssl]
[port port-num]
[run-search options]
Configures a method to check accessibility of an LDAP server.
• StartTLS – Begins the health check by sending a StartTLS request.
• binddn dn-string password – DN name and password.
• overssl – Uses TLS to secure the connection.
• port port-num – Protocol port on which the LDAP server listens. By default, the well-known LDAP port is used (389, or 636 if the overssl option is used; see “Default” below).
• run-search options – Performs the specified database search. The following options are supported:
• BaseDN dn-string – Searches the database for the specified DN.
• query query-string [AcceptNotFound] – Sends the specified
query string to the server.
The AcceptNotFound option allows the health check to pass even if the
search query is unsuccessful.
ntp
Sends an NTP client message to UDP port 123. Expects a standard NTP 48-byte reply packet.
pop3
port port-num
username name
password string
Sends a POP3 user login request with the specified username and password.
Expects reply with OK message.
radius username name
password string
secret string
[port port-num]
[expect response-code
code-list]
Sends a Password Authentication Protocol (PAP) request to the specified port
to authenticate the specified username. Expects Access Accepted message
(reply code 2). The secret option specifies the shared secret required by the
RADIUS server.
rtsp
port port-num
rtspurl string
Sends a request to the specified port for information about the file specified
by rtspurl. Expects reply with information about the specified file.
sip
[register]
[port port-num]
[expect-response-code values]
[tcp]
Sends a SIP request to the SIP port. Expects 200 OK in response by default. The
request is an OPTIONS request, unless you use the register option to send a
REGISTER request instead.
The code-list can contain one or more numeric response codes. To specify
more than one code, use commas but no spaces. (See “CLI Example” below.)
The expect-response-code option specifies a set of SIP status codes. In
this case, a SIP health check is successful only if the server reply includes one
of the specified SIP status codes. You can specify any or a combination of
individual code numbers and code ranges. Use commas as delimiters, with no
spaces. Use a dash and no spaces to delimit the lower and upper values of a
range. Examples:
expect-response-code 100,101,121,200
expect-response-code 100-121,200
expect-response-code any
The tcp option configures the health method for SIP over TCP/TLS. Without
this option, the health method is for SIP over UDP.
smtp domain domain-name
[port portnum]
[starttls]
Sends an SMTP Hello message to the specified server in the specified domain.
Expects reply with OK message (reply code 250).
You can optionally specify a specific port number, and also check for STARTTLS support when the Hello message is received.
snmp [port port-num]
[community string]
[oid oid-name]
[operation {get | getnext}]
Sends an SNMP Get or Get Next request to the specified OID, from the specified community. Expects reply with the value of the OID. The OID can be sysDescr, sysUpTime, sysName, or another name in ASN.1 style.
NOTE: Although you can enter these objects in ASN.1 format, only MIB-2
OIDs are supported.
tcp
port port-num
[halfopen]
[send send-string
response contains
response-string]
Sends a connection request (TCP SYN) to the specified TCP port on the server.
Expects TCP SYN ACK in reply.
By default, ACOS responds to the SYN ACK by sending an ACK. To configure
ACOS to send a RST (Reset) instead, use the halfopen option.
Use the send and response contains options to send and receive text
strings in TCP health checks.
The send-string is the string the ACOS device sends to the TCP port after the
three-way handshake is completed. The response-string is the string that must
be present in the server reply.
Each string can be 1-127 characters long. If a string contains blank spaces or
other special characters (for example, “ / ” or “ \ ”), use double quotation marks
around the entire string.
udp port port-num
Sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the server. Expects either of the following:
• server reply from the specified UDP port, with any type of packet.
• server does not reply at all.
The server fails the health check only if the server replies with an ICMP Error
message.
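The expect, response-code and maintenance-code rules of the http method, worked through as an added example that is not A10 code. The code-list parser implements the syntax the table gives for the http, dns and sip methods (individual codes and dash ranges separated by commas with no spaces, plus the literal any used by sip); the evaluation function returns the Up, Maintenance or Down status those rules lead to. The reply bytes are constructed samples.

```python
"""Added example (not A10 code): evaluating an HTTP health-check reply under
the expect / maintenance-code rules in the method table above.

parse_code_list() implements the code-list syntax the table gives for the
http, dns and sip methods: individual codes and dash ranges separated by
commas with no spaces, plus the literal "any" (sip). evaluate_http_reply()
returns the health status the rules lead to: "Up", "Maintenance" or "Down".
The reply bytes used below are constructed samples.
"""


def parse_code_list(spec):
    """'200-299,301' -> {200, ..., 299, 301}; 'any' -> None (matches every code)."""
    if spec == "any":
        return None
    codes = set()
    for item in spec.split(","):
        lo, sep, hi = item.partition("-")
        if not lo or (sep and not hi):
            raise ValueError("malformed code list entry %r" % item)
        start, end = int(lo), (int(hi) if sep else int(lo))
        if end < start:
            raise ValueError("descending range %r" % item)
        codes.update(range(start, end + 1))
    return codes


def code_matches(spec, code):
    allowed = parse_code_list(spec)
    return allowed is None or code in allowed


def parse_status_code(reply):
    """Return the numeric status code of an HTTP reply, or None if it is not one."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def evaluate_http_reply(reply, expect_codes="200", expect_string=None,
                        maintenance_codes=None):
    """Rules from the table: a maintenance code puts the server into
    Maintenance; an expected code (plus the expected string, when one is
    configured) means Up; anything else, including a non-HTTP reply, is Down.
    The default of code 200 matches the page's default."""
    code = parse_status_code(reply)
    if code is None:
        return "Down"
    if maintenance_codes is not None and code_matches(maintenance_codes, code):
        return "Maintenance"
    if not code_matches(expect_codes, code):
        return "Down"
    if expect_string is not None and expect_string.encode() not in reply:
        return "Down"
    return "Up"


# Constructed sample replies
REPLY_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nstatus=alive\r\n"
REPLY_MAINT = b"HTTP/1.1 503 Service Unavailable\r\nRetry-After: 120\r\n\r\n"
REPLY_ERR = b"HTTP/1.1 500 Internal Server Error\r\n\r\n"
REPLY_GARBAGE = b"SSH-2.0-OpenSSH\r\n"   # wrong service answering on the port

if __name__ == "__main__":
    for reply in (REPLY_OK, REPLY_MAINT, REPLY_ERR, REPLY_GARBAGE):
        print(reply.split(b"\r\n", 1)[0],
              evaluate_http_reply(reply, "200-299", "alive", "503"))
```

The Maintenance result only has the effect the table describes (new requests accepted solely on existing cookie-persistent or source-IP persistent connections) in the persistence configurations named in the NOTE; the evaluation itself is the same in any case.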
Default
The configuration has a default “ping” health monitor that uses the icmp method. The ACOS
device applies the ping monitor by default. The ACOS device also applies the TCP or UDP
health monitor by default, depending on the port type. These default monitors are used
even if you also apply configured monitors to a service port.
To use differently configured ping or TCP/UDP monitors, configure new monitors with the
ICMP, TCP, or UDP method and apply those monitors instead.
When specifying a protocol port number, specify the port number on the real server, not the
port number of the virtual port. By default, the well-known port number for the service type
of the health monitor is used. For example, for LDAP, the default port is 389 (or 636 if the
overssl option is used).
If you specify the protocol port number in the health monitor, the protocol port number
configured in the health monitor is used if you send an on-demand health check to a server
without specifying the protocol port. (See the “health-test” command in the Command Line
Interface Reference.) After you bind the health monitor to a real server port, health checks
using the monitor are addressed to the real server port number instead of the port number
specified in the health monitor’s configuration. In this case, you can override the IP address
or port using the override commands described later in this chapter.
Mode
Health monitor configuration
Usage
To use a health method, you must do the following:
1. Configure a health monitor, by assigning a name to it and by assigning one of the
health methods listed above to it. Use the health monitor command at the global
Config level to create and name the monitor. (See the “health monitor” command in
the Command Line Interface Reference.) Use the method command at the monitor configuration level to assign a health method to the monitor.
2. Apply the health monitor to a real server or real server port, using the health-check
command at the configuration level for the server or the server port. Apply monitors
that use the ICMP method to real servers. (See “health-check” on page 277.) Apply
monitors that use any of the other types of methods to individual server ports. (See
“port” on page 279.)
Example
The following commands apply health monitor “ping” to server “rs0”. The ping monitor is
included in the ACOS device’s configuration by default, so you do not need to configure it.
ACOS(config)#slb server rs0 10.2.3.4
ACOS(config-real server)#health-check ping
Example
The following commands configure health monitor “hm1” to use the TCP health method,
and apply the monitor to a TCP port on real server “rs1”. The TCP health checks are sent to
TCP port 23 on the server.
ACOS(config)#health monitor hm1
ACOS(config-health:monitor)#method tcp port 23
ACOS(config-health:monitor)#exit
ACOS(config)#slb server rs1 1.1.1.1
ACOS(config-real server)#port 23 TCP
ACOS(config-real server-node port)#health-check hm1
Example
The following commands configure health monitor “hm2” and set it to use the HTTP
method. The health monitor is applied to port 80 on real server “rs1”.
ACOS(config)#health monitor hm2
ACOS(config-health:monitor)#method http
ACOS(config-health:monitor)#exit
ACOS(config)#slb server rs1 2.2.2.2
ACOS(config-real server)#port 80 http
ACOS(config-real server-node port)#health-check hm2
Example
The following commands configure a TCP health monitor that sends an HTTP GET request to
TCP port 80, and expects the string “200” to be present in the reply:
ACOS(config)#health monitor tcp-with-http-get
ACOS(config-health:monitor)#method tcp port 80 send "GET / HTTP/1.1\r\nHost: 22.1.2.2\r\nUser-Agent: a10\r\nAccept: */*\r\n\r\n" response contains 200
This health monitor sends an HTTP GET request to TCP port 80 on the target server. This
particular request uses the following header fields:
• Host – Specifies the host (server) to which the request is being sent.
• User-Agent – Identifies the entity (user agent) that is sending the request. In this example, the sending entity is “a10”.
• Accept – Specifies the types of media that are allowed in the response. This example
uses wildcards (*/*) to indicate that any valid media type and range are acceptable.
If the string “200” is present anywhere in the reply from the port, the port passes the health
check.
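The tcp-with-http-get check above, imitated in a stand-alone Python script added here (it is not ACOS code and does not show how ACOS implements the method). The check completes the TCP handshake, sends the request string, reads the reply and passes only if the response string occurs anywhere in it; the limits it enforces (1-127 character strings, a 1-12 second timeout) are the ones the method and interval commands state. The local responder, the example.invalid Host value and the reply status lines are constructed so the check can be exercised offline.

```python
"""Added example (not A10 code): a stand-alone imitation of the
'method tcp port 80 send ... response contains ...' health check above.

tcp_send_contains_check() completes the TCP handshake, sends send_string,
reads the reply and passes only if response_string occurs anywhere in it.
The limits it enforces (1-127 character strings, a 1-12 second timeout) are
the ones the method and interval commands state. start_responder() is a
constructed local server that answers any request with a fixed status line,
so the check can be exercised offline; the request uses a placeholder host.
"""
import socket
import threading

# The page's send string, with real CRLFs instead of the CLI's \r\n escapes;
# the Host value is a placeholder, not a real server
HTTP_GET = "GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: a10\r\nAccept: */*\r\n\r\n"


def tcp_send_contains_check(host, port, send_string, response_string, timeout=5):
    """True if the server reply contains response_string, else False.
    Refused, reset and timed-out connections all count as failures."""
    if not 1 <= timeout <= 12:
        raise ValueError("timeout must be 1-12 seconds")
    if not (1 <= len(send_string) <= 127 and 1 <= len(response_string) <= 127):
        raise ValueError("send and response strings must be 1-127 characters")
    wanted = response_string.encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(send_string.encode())   # sent after the 3-way handshake
            reply = b""
            while wanted not in reply:
                chunk = sock.recv(4096)
                if not chunk:                     # server closed without the string
                    break
                reply += chunk
            return wanted in reply
    except OSError:                               # includes socket.timeout
        return False


def start_responder(status_line):
    """Constructed test server on 127.0.0.1: reads one request, answers with
    status_line and closes. Returns (port, shutdown_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                    # ephemeral port
    srv.listen(5)
    srv.settimeout(0.2)                           # lets the loop notice shutdown
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.settimeout(2)
                    conn.recv(4096)               # request content is ignored
                    conn.sendall(status_line.encode() + b"\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def shutdown():
        stop.set()
        worker.join(2)

    return port, shutdown


if __name__ == "__main__":
    port, shutdown = start_responder("HTTP/1.1 200 OK")
    print("healthy server:", tcp_send_contains_check("127.0.0.1", port, HTTP_GET, "200"))
    shutdown()
    print("closed port:", tcp_send_contains_check("127.0.0.1", port, HTTP_GET, "200"))
```

Because the match is a plain substring test, as the page states for response contains, a reply such as a 503 whose body happens to contain "200" would also pass; an HTTP health monitor with expect response-code is the stricter choice when the status code itself is what matters.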
Example
The following commands configure a RADIUS health monitor that accepts response code 2
or 3 as passing (healthy) responses from a server:
ACOS(config)#health monitor rad1
ACOS(config-health:monitor)#method radius port 1812 expect response-code 2,3 secret a10rad username admin1 password pwd1
Example
Here is an external health-check example. Besides internal health checks, which use a predefined health check method, you can use external health checks. Scripts of the following types are supported:
• Perl
• Shell
• TCL
Utility commands such as ping, ping6, wget, dig, and so on are supported.
For Tcl scripts, the health check parameters are passed to the script through the
predefined TCL array ax_env. The array element ax_env(ServerHost) is the server IP address
and ax_env(ServerPort) is the server port number. Set ax_env(Result) to 0 to report a pass;
any other value reports a fail. TCL script filenames must use the “.tcl” extension.
To use the external method, you must import the program onto the ACOS device. The script
execution result indicates the server status, which must be stored in ax_env(Result).
The following commands import external program “ext.tcl” from FTP server 192.168.0.1, and
configure external health method “hm3” to use the imported program to check the health of
port 80 on the real server:
ACOS(config)#health external import "checking HTTP server" ftp://192.168.0.1/ext.tcl
ACOS(config)#health monitor hm3
ACOS(config-health:monitor)#method external port 80 program ext.tcl
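An added example of such an external check script, written here for illustration and not taken from A10's documentation: it reads the target from ax_env, sends an HTTP GET with a connect/response timeout, and reports a pass only when the status line is an HTTP 200. The request path /testpage.html and the 3-second timeout are assumptions.

```tcl
# Hypothetical ext.tcl (added example, not A10 code). ACOS supplies the target
# in the predefined ax_env array and reads the verdict back from ax_env(Result):
# 0 = pass, any other value = fail.
set host $ax_env(ServerHost)
set port $ax_env(ServerPort)
set ax_env(Result) 1            ;# fail unless the reply proves the port healthy

set ::reply ""
set ::state connecting

proc on_writable {sock host} {
    # The first writable event means the asynchronous connect finished
    # (successfully or not). Send the request once, then stop listening for writes.
    fileevent $sock writable {}
    if {[fconfigure $sock -error] ne ""} {
        set ::state error
        return
    }
    puts -nonewline $sock "GET /testpage.html HTTP/1.1\r\nHost: $host\r\nUser-Agent: a10\r\nAccept: */*\r\nConnection: close\r\n\r\n"
    flush $sock
    set ::state sent
}

proc on_readable {sock} {
    # Accumulate the reply; the server closes the connection when it is done.
    append ::reply [read $sock]
    if {[eof $sock]} {
        set ::state done
    }
}

if {[catch {
    set sock [socket -async $host $port]
    fconfigure $sock -blocking 0 -translation binary
    fileevent $sock writable [list on_writable $sock $host]
    fileevent $sock readable [list on_readable $sock]
    # An unresponsive server must count as a failure, not hang the checker
    # (assumed timeout: 3 seconds).
    set timer [after 3000 {set ::state timeout}]
    while {$::state ni {done error timeout}} {
        vwait ::state
    }
    after cancel $timer
    catch {close $sock}
} err]} {
    set ::state error
}

# Only a "200" in the HTTP status line counts as healthy; a "200" that merely
# appears somewhere in an error page body does not.
if {$::state eq "done" && [regexp {^HTTP/1\.[01] 200\s} $::reply]} {
    set ax_env(Result) 0
}
```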
For additional information and more examples, see the “External Health Method Examples”
section in the “Health Monitoring” chapter of the Application Delivery and Server Load
Balancing Guide.
override-ipv4
Description
Send the health check to a specific IPv4 address, instead of sending the health check to the
IP address of the real server or GSLB service IP to which the health monitor is bound. This
command and the other override commands are particularly useful for testing the health of
remote links.
Syntax
[no] override-ipv4 ipaddr
Default
By default, a health check is addressed to the real server IP address of the server to which the
health monitor is bound.
Mode
Health monitor configuration
Example
The following commands configure a health monitor to check 192.168.1.1:
ACOS(config)#health monitor site1-hm
ACOS(config-health:monitor)#method icmp
ACOS(config-health:monitor)#override-ipv4 192.168.1.1
override-ipv6
Description
Send the health check to a specific IPv6 address, instead of sending the health check to the
IP address of the real server to which the health monitor is bound.
Syntax
[no] override-ipv6 ipv6addr
Default
By default, a health check is addressed to the real server IP address of the server to which the
health monitor is bound.
Mode
Health monitor configuration
Example
The following commands configure a health monitor to check 2001:db8::1521:31ab:
ACOS(config)#health monitor site2-hm
ACOS(config-health:monitor)#method icmp
ACOS(config-health:monitor)#override-ipv6 2001:db8::1521:31ab
override-port
Description
Send the health check to a specific protocol port, instead of sending the health check to the
server port to which the health monitor is bound.
Syntax
[no] override-port portnum
Default
By default, a health check is addressed to the protocol port number to which the health
monitor is bound.
Mode
Health monitor configuration
Example
The following commands configure a health monitor to check port 8081 on 192.168.1.1:
ACOS(config)#health monitor site3-hm
ACOS(config-health:monitor)#method http
ACOS(config-health:monitor)#override-ipv4 192.168.1.1
ACOS(config-health:monitor)#override-port 8081
passive
Description
Configures inband health monitoring based on HTTP status code.
Syntax
[no] passive
{status-code-2xx | status-code-non-5xx}
[passive-interval seconds]
[sample-threshold samples-per-second]
[threshold percent]
Parameter
Description
status-code-2xx | status-code-non-5xx
Healthy status code numbers – The set of status codes that indicate the HTTP service
is healthy. You can specify any 2xx status code or any status code other than a 5xx
code.
passive-interval seconds
The health-monitor interval that is used when passive health monitoring is activated.
For proper operation of the feature, the passive interval should be longer than the
health monitor’s interval. You can specify 1-180 seconds.
The default is 10 seconds.
sample-threshold samples-per-second
Minimum number of server replies that must contain one of the specified status
codes, within a given one-second interval, before passive health monitoring is
enabled. The sample threshold helps prevent passive health monitoring from taking
effect after only a small total number of samples are taken. You can specify 1-10000
samples per second.
The default is 50.
threshold percent
Minimum percentage of server replies that must contain a healthy status code, within
a given one-second interval, before passive health monitoring is activated. You can
specify 0-100 percent.
The default is 75 percent. If you specify 0, this parameter is disabled, in which case
there is no minimum threshold.
Default
See descriptions.
Mode
Health monitor configuration
Example
The following commands create a new health monitor, and enable passive health-monitoring mode:
ACOS(config)#health monitor http-passive
ACOS(config-health:monitor)#passive status-code-2xx
The following command sets the method to HTTP:
ACOS(config-health:monitor)#method http
The following commands configure a real server, service group, and virtual server. The HTTP
health monitor configured above is applied to the TCP port on the real server.
ACOS(config)#slb server ser1 172.168.1.107
ACOS(config-real server)#no health-check
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#health-check http-passive
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member ser1 80
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#exit
ACOS(config)#slb virtual-server vs1 172.168.6.100
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#service-group sg1
retry
Description
Maximum number of times ACOS will send the same health check to an unresponsive server
before determining that the server is down. You can specify 1-5.
Syntax
[no] retry number
Default
3
Mode
Health monitor configuration
ssl-ciphers
Description
Specify the ciphers to use in the health check of a real server or real server port.
Syntax
[no] ssl-ciphers openSSL-ciphers
Parameter
Description
openSSL-ciphers
The OpenSSL Project ciphers command.
For information on the OpenSSL Project ciphers command, see the
ciphers manpage in the OpenSSL Project documentation.
Mode
Health monitor configuration
Example
Configure a health monitor to use the default OpenSSL Project cipher suite with the exclusion of EDH ciphers.
ACOS(config)#health monitor hm-https
ACOS(config-health:monitor)#ssl-ciphers DEFAULT:!EDH
ACOS(config-health:monitor)#method https
Example
Bind the hm-https health monitor to the s1 real server on its 1.1.1.1 network interface.
ACOS(config)#slb server s1 1.1.1.1
ACOS(config-real server)#health-check hm-https
ACOS(config-real server)#end
Example
Bind the hm-https health monitor to the TCP port 80 of the s1 real server on its 1.1.1.2
network interface. Also apply the Server_SSL1 server-SSL template to the same port.
NOTE: If the Server_SSL1 server-SSL template specifies a cipher suite in its configuration
(cipher command), that cipher suite takes precedence if and only if the ACOS device is
equipped with hardware that supports the ciphers listed in Table on page 53.
ACOS(config)#slb server s1 1.1.1.2
ACOS(config-real server)#port 443 tcp
ACOS(config-real server-node port)#template server-ssl Server_SSL1
ACOS(config-real server-node port)#health-check hm-https
ACOS(config-real server-node port)#end
strictly-retry-on-server-error-response
Description
Force the ACOS device to wait until all retries are unsuccessful before marking a server or
port Down.
Syntax
[no] strictly-retry-on-server-error-response
Default
Disabled. For some health method types, the ACOS device marks the server or port Down
after the first failed health check attempt, even if the retries option for the health monitor is
set to higher than 0.
Mode
Health monitor configuration
Usage
This command is applicable only to some types of health monitors, such as HTTP health
monitors. For example, this command applies to HTTP health monitors that expect a string in
the server reply. By default, if the server’s HTTP port does not reply to the first health check
attempt with the expected string, the ACOS device immediately marks the port Down.
Example
The following commands configure an HTTP health monitor that checks for the presence of
“testpage.html”, and enable strict retries for the monitor.
ACOS(config)#health monitor http-exhaust
ACOS(config-health:monitor)#method http url GET /testpage.html
ACOS(config-health:monitor)#strictly-retry-on-server-error-response
up-retry
Description
Number of consecutive times the device must pass the same periodic health check, in order
to be marked Up. You can specify 1-10.
Syntax
[no] up-retry number
Default
1
Mode
Health monitor configuration
Config Commands: Web Category
This chapter describes the commands for configuring Web Category classification.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in
the Command Line Interface Reference.
web-category
Syntax
[no] web-category
This command changes the CLI to configuration level for Web Category classification, where
the following commands are available.
Parameter
Description
[no] category-list category-list-name
[no] cloud-query-disable
Disables cloud queries for URLs that are not present in the local
cache or database.
By default, cloud queries are enabled.
[no] database-server server-url
URL of the BrightCloud database server.
Default: database.brightcloud.com
[no] db-update-time hh:mm
Time of day at which ACOS requests an updated web category
database from the BrightCloud server.
Default is 00:00 (12 a.m.).
[no] enable
Initializes and enables the BrightCloud library. The web-category
license file must be imported prior to using this feature to enable
the feature.
Disabled by default.
[no] port portnum
Protocol port on which the BrightCloud server listens for requests.
Default is 80.
[no] remote-syslog-enable
Enables data plane logging to a remote syslog server.
[no] rtu-update-disable
Disables realtime updates.
Enabled by default. ACOS periodically checks for realtime updates
based on the rtu-update-interval setting and adds them to
the service cache.
[no] rtu-update-interval minutes
Interval at which to periodically check for real time updates. You
can specify 10-14400 minutes.
Default is 60 minutes.
[no] server server-url
URL of the BrightCloud server.
Default: service.brightcloud.com
[no] server-timeout seconds
Maximum number of seconds to wait for the BrightCloud server to
respond to a query from ACOS. You can specify 1-300 seconds.
If a reply is not received before the timeout, ACOS terminates the
connection with the server.
Default is 30 seconds.
[no] ssl-port portnum
Protocol port on which the BrightCloud server listens for SSL traffic.
Default is 443.
[no] use-mgmt-port
Uses the management interface for all communication with BrightCloud servers,
including downloading the database and any lookup queries.
Default
N/A
Mode
Global Configuration mode
SLB Show Commands
The show slb commands display information for Server Load Balancing (SLB).
To automatically re-enter a show slb command at regular intervals, use the repeat command.
In addition to the command options provided with some show commands, you can use output modifiers to search and filter
the output. See “Searching and Filtering CLI Output” in the Command Line Interface Reference.
NOTE:
For information about other show commands, see the “Show Commands” chapter in
the Command Line Interface Reference.
The following commands are available:
• show slb aflow
• show slb attack-prevention
• show slb cache
• show slb compression
• show slb connection-reuse
• show slb conn-rate-limit
• show slb diameter
• show slb fast-http-proxy
• show slb fix
• show slb ftp
• show slb ftp-proxy
• show slb generic-proxy
• show slb geo-location
• show slb http-proxy
• show slb hw-compression
• show slb icap
• show slb l4
• show slb mssql
• show slb mysql
• show slb passthrough
• show slb performance
• show slb persist
• show slb pop3-proxy
• show slb rate-limit-logging
• show slb resource-usage
• show slb server
• show slb service-group
• show slb sip
• show slb smpp
• show slb smtp
• show slb spdy-proxy
• show slb ssl
• show slb ssl-cert-revoke-stats
• show slb ssl-counters
• show slb ssl-crl
• show slb ssl-expire-check
• show slb ssl-forward-proxy-cert
• show slb ssl-ocsp cache
• show slb ssl-ocsp cache detail
• show slb switch
• show slb syn-cookie-buffer
• show slb tcp stack
• show slb template
• show slb virtual-server
show slb aflow
Description
Show aFlow statistics.
Syntax
show slb aflow [detail]
Parameter
Description
detail
List separate counters for each CPU in the statistics output.
Mode
All
show slb attack-prevention
Description
Show SYN-cookie statistics for the number of packets received during different intervals of
time.
Syntax
show slb attack-prevention
Mode
All
Usage
When running the show slb attack-prevention command on an FTA-enabled model,
the “SYN attack” field does not show output for the historical counters (1s/5s/30s/1min/
5min). Output is only provided for the “current” column.
This feature is supported for L3V private partitions in non-FTA-enabled models. If the show
slb attack-prevention command is run from an L3V network partition on an FTA-enabled
model, the “SYN attack” counter displays zero for all columns.
Example
The following command shows SYN-cookie statistics:
ACOS#show slb attack-prevention
                        Current   1 sec   5 sec  30 sec   1 min   5 min
-------------------------------------------------------------------------
SYN cookie snt                0       0       0       0       0       0
SYN cookie snt ts             0       0       0       0       0       0
SYN cookie snt fail           0       0       0       0       0       0
SYN cookie chk fail           0       0       0       0       0       0
SYN attack                    0       0       0       0       0       0
The following table describes the fields in the command output.
Field
Description
SYN cookie snt
Number of TCP SYN cookies sent.
SYN cookie snt ts
Number of expanded TCP SYN cookies sent.
SYN cookie snt fail
Number of TCP SYN cookie send attempts that failed.
SYN cookie chk fail
Number of TCP SYN cookies for which the responding ACK failed
the SYN cookie check.
SYN attack
Total number of SYN connections that did not receive an ACK from the client and are
therefore assumed to be part of a SYN attack.
show slb cache
Description
Display statistics and other information for RAM caching.
Syntax
show slb cache
[entries vip-name port-num |
memory-usage |
replacement vip-name port-num |
stats [vip-name port-num]]
Option
Description
entries vip-name port-num
Shows a list of the cached objects.
memory-usage
Shows memory usage for RAM caching.
replacement vip-name port-num
Shows replacement information for the specified virtual port on the specified virtual server.
stats [vip-name port-num]
Lists RAM caching statistics by VIP. If you specify a VIP or port number, statistics are displayed only for that VIP or port number.
Mode
All
Usage
If you do not use any of the optional parameters, RAM caching statistics are displayed. This is
equivalent to entering the show slb cache stats command.
Example
The following command shows RAM caching statistics:
ACOS#show slb cache
                                        Total
---------------------------------------------------------------
Cache Hits                              0
Cache Misses                            0
Memory Used                             0
Bytes Served                            0 (0.0 %)
Requests
 - Total Requests                       0
 - Cacheable Requests                   0
 - No-cache Requests                    0
 - IMS Requests                         0
Responses (from server)
 - 304 Not Modified                     0
 - 200 OK - Cont Len                    0
 - 200 OK - Chnk Enc                    0
 - 200 OK - Other                       0
 - Not cacheable                        0
Responses (from cache)
 - 304 Not Modified                     0
 - 200 OK - No Comp                     0
 - 200 OK - Gzip                        0
 - 200 OK - Deflate                     0
 - Other                                0
Entries
 - Cached                               0
 - Replaced                             0
 - Aged Out                             0
 - Cleaned                              0
 - Create failures                      0
Revalidation
 - Successes                            0
 - Failures                             0
Policies
 - URI nocache                          0
 - URI cache                            0
 - URI invalidate                       0
 - Content Too Big                      0
 - Content Too Small                    0
The following table describes the fields in the command output.
Field
Description
Cache Hits
Number of times a requested page was found in the cache and served from the cache.
Cache Misses
Number of times a requested page was not found in the cache.
Memory Used
Amount of RAM currently used by cached content.
Bytes Served
Number of bytes served.
Requests
Contains the following counters:
• Total Requests – Total number of requests received on all virtual server ports on which
caching is configured.
• Cacheable Requests – Number of requests that are potentially cacheable.
• No-cache Requests – Number of requests with no-cache header directives.
• IMS Requests – Number of requests that contained an If-Modified-Since header.
Responses (from server)
Contains the following counters:
• 304 Not Modified – Number of “304 Not Modified” responses sent from the server.
• 200 OK - Cont Len – Number of “200 OK - Cont Len” responses sent to clients.
• 200 OK - Chnk Enc – Number of “200 OK - Chnk Enc” responses sent to clients.
• 200 OK - Other – Number of “200 OK - Other” responses sent to clients.
• Not cacheable – Number of responses with no-cache header directives.
Responses (from cache)
Contains the following counters:
• 304 Not Modified – Number of “304 Not Modified” responses sent from the cache.
• 200 OK - No Comp – Number of “200 OK - No Comp” responses sent from the cache. “No
Comp” indicates that the object is not compressed.
• 200 OK - Gzip – Number of “200 OK - Gzip” responses sent from the cache. This indicates
that an object was compressed using gzip. Gzip is an encoding format produced by the
file compression program “gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv coding
[LZ77] with a 32 bit CRC).
• 200 OK - Deflate – Number of “200 OK - Deflate” responses sent from the cache. This indicates
that an object was compressed using deflate. Deflate is the “zlib” format defined in RFC 1950
in combination with the “deflate” compression mechanism described in RFC 1951.
• Other – Number of “Other” responses sent from the cache. This indicates that an object
was compressed using compress. Compress is the encoding format produced by the common UNIX file compression program “compress” (adaptive Lempel-Ziv-Welch coding
[LZW]).
Entries
Contains the following counters:
• Cached – Number of objects currently in the cache.
• Replaced – Number of cached items that were removed to make room for newer entries,
per the replacement policy.
• Aged Out – Number of entries that were removed because they are older than their expiration time.
• Cleaned – Number of cached objects that have aged out and therefore been removed
from the cache.
• Create Failures – Number of times ACOS failed to create a cache entry.
Revalidation
Contains the following counters:
• Successes – Number of entries that were successfully revalidated by the server.
• Failures– Number of times revalidation failed.
Policies
Contains the following counters:
• URI nocache – Number of times requested content was not cached due to a URI policy.
• URI cache – Number of times a request was cached due to a URI policy.
• URI invalidate – Number of times a request was invalidated due to a URI policy.
• Content Too Big – Number of cacheable items that were not cached because the file size
was larger than the configured maximum content size.
• Content Too Small – Number of cacheable items that were not cached because the file
size was smaller than the configured minimum content size.
Example
The following command shows cached objects:
ACOS#show slb cache entries vs-cookie-cache 80
vs-cookie-cache:80
Host            Object URL              Bytes     Type    Status   Expires in
------------------------------------------------------------------------------
10.20.0.120     /static2/1000.txt       1365      CL,No   FR       3410 s
10.20.0.120     /static2/10000.txt      10366     CL,No   FR       3490 s
10.20.0.120     /static2/1000000.txt    636152    CE,Gz   FR       3594 s
10.20.0.120     /static2/1000000.txt    1000368   CL,No   FR       2719 s
10.20.0.120     /ewen/index.html        1479      CL,Mo   FR       -57 s
The following table describes the fields in the command output.
Field
Description
cached-vip
Virtual port number on which RAM caching is enabled.
Host
IP address of the content server.
Object URL
URL from which the cached object was obtained by the ACOS device.
Bytes
Length of the cached object.
Type
Indicates whether the cached object has a Content-Length header, is
compressed, or is chunk-encoded.
The value after the comma indicates the type of compression used:
• No – Object is uncompressed.
• Gz – Object was compressed using gzip. Gzip is an encoding format
produced by the file compression program “gzip” (GNU zip) as
described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
• Cm – Object was compressed using compress. Compress is the
encoding format produced by the common UNIX file compression
program “compress” (adaptive Lempel-Ziv-Welch coding [LZW]).
• Df – Object was compressed using deflate. Deflate is the “zlib” format
defined in RFC 1950 in combination with the “deflate” compression
mechanism described in RFC 1951.
Status
Status of the entry:
• FR – Fresh
• ST – Stale
• IN – Incomplete
• FA – Failed
• UN – Unknown
• R – The entry must be revalidated.
Expires in
Number of seconds the object can remain unused before it ages out.
Example
The following command shows RAM caching memory usage:
ACOS#show slb cache memory-usage
VIP       Port   Memory Configured   Memory Used   Percent Used
----------------------------------------------------------------
vs120     80     10485760            8386560       79.98%
----------------------------------------------------------------
Total            10485760            8386560       79.98%
Example
The following command shows replacement statistics:
ACOS#show slb cache replacement cached-vip 80
Frequency                 Total
---------------------------------------------------------------
1/256                     6
1/128                     0
1/64                      0
1/32                      0
1/16                      0
1/8                       0
1/4                       0
1/2                       0
1                         0
2                         0
4                         0
8                         0
16                        0
32                        0
64                        0
128                       2
The output shows the distribution of requests for the cached entries. Entries listed for 1/256
(one in 256 requests) are the least requested, whereas entries listed for 128 are the most
requested.
show slb compression
Description
Show HTTP compression statistics in bytes.
Syntax
show slb compression
[virtual-server port-num]
[all-partitions | partition {shared | name}]
Option
Description
virtual-server port-num
Show HTTP compression statistics for the specified virtual server only.
The port-num option shows information only for the specified virtual port on the virtual server.
all-partitions
Show HTTP compression statistics in all partitions.
partition {shared | name}
Show HTTP compression statistics in the specified partition or the shared partition.
Mode
All
show slb connection-reuse
Description
Show SLB connection-reuse statistics.
Syntax
show slb connection-reuse [detail]
Parameter
Description
detail
List separate counters for each CPU in the statistics output.
Mode
All
Example
The following command shows summary connection-reuse statistics:
ACOS#show slb connection-reuse
                                  Total
-----------------------------------------------------------------
Open persist                      0
Active persist                    0
Total established                 1787
Total terminated                  1787
Total terminated by err           0
Total bind                        1277
Total unbind                      2389
Delayed unbind                    4
Long resp                         0
Missed resp                       0
Unbound data rcvd                 0
Pause request                     0
Pause request fail                0
Resume request                    0
Not remove from list              0
The following table describes the fields in the command output.
Field
Description
Open persist
Number of new client connections directed to the same server as previous connections by
the persistence feature.
Active persist
Number of currently active connections that were sent to the same real server by the persistence feature.
Total established
Total number of established connections to the backend server.
Total terminated
Total number of terminated connections to the backend server.
Total terminated by err
Total number of backend connections terminated due to an error.
Total bind
Total number of client persistent connections bound to the backend server.
Total unbind
Total number of client persistent connections unbound from the backend server.
Delayed unbind
Number of connections whose unbinding was delayed.
NOTE: In the current release, this counter is unused and is always 0.
Long resp
Number of responses that took too long.
Missed resp
Number of missed responses to HTTP requests.
Unbound data rcvd
Amount of data received on an unbound connection. This is used for debugging purposes.
Pause request, Pause request fail, Resume request, Not remove from list
These are internal counters used by A10 Technical Support for debugging purposes.
show slb conn-rate-limit
Description
Show statistics for source-IP based connection rate limiting.
Syntax
show slb conn-rate-limit src-ip
{locked-out-ips | statistics [debug]}
Mode
All
Example
The following command shows statistics for source-IP based connection rate limiting:
ACOS(config)#show slb conn-rate-limit src-ip statistics
Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
The following table describes the fields in the show command output.
Field
Description
Sessions allocated
Number of sessions allocated.
Sessions freed
Number of sessions freed.
Too many sessions consumed
Number of times too many sessions were consumed.
Out of sessions
Number of times the device ran out of sessions.
Threshold check count
Number of times the ACOS device has checked for connection-limit violations.
Honor threshold count
Number of requests permitted because they were within the connection limit.
Threshold exceeded count
Number of requests denied because they exceeded the connection limit.
Lockout drops
Number of requests dropped because a client was locked out.
Log messages sent
Number of log messages generated by this feature.
DNS requests re-transmitted
Number of re-transmitted DNS requests detected. These are DNS requests for which
no response was received by the ACOS device.
No DNS response for request
Number of DNS requests for which no response was received.
show slb diameter
Description
Show statistics for Diameter load balancing.
Syntax
show slb diameter [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command shows statistics for Diameter load balancing:
ACOS#show slb diameter
                                  Total
-----------------------------------------------------------------
Current proxy conns               0
Total proxy conns                 0
client fail                       0
server fail                       0
Server selection failure          0
no route failure                  0
Source NAT failure                0
concurrent user-session           0
acr out                           0
acr in                            0
aca out                           0
aca in                            0
cea out                           0
cea in                            0
cer out                           0
cer in                            0
dwr out                           0
dwr in                            0
dwa out                           0
dwa in                            0
str out                           0
str in                            0
sta out                           0
sta in                            0
asr out                           0
asr in                            0
asa out                           0
asa in                            0
other out                         0
other in                          0
The following table describes the fields in the command output.
Field
Description
Current proxy conns
Number of currently active Diameter connections using the ACOS device as a Diameter
proxy.
Total proxy conns
Total number of Diameter connections that have used the ACOS device as a Diameter
proxy.
client fail
Number of times selection of a client failed.
server fail
Number of times selection of a server failed.
Server selection failure
Number of times selection of a real server failed.
no route failure
Number of failures due to no route.
Source NAT failure
Number of source NAT failures.
concurrent user-session
Number of concurrent user sessions.
acr out
Number of Accounting-Request messages sent by the ACOS device.
acr in
Number of Accounting-Request messages received by the ACOS device.
aca out
Number of Accounting-Answer messages sent by the ACOS device.
aca in
Number of Accounting-Answer messages received by the ACOS device.
cea out
Number of Capabilities-Exchange-Answer messages sent by the ACOS device.
cea in
Number of Capabilities-Exchange-Answer messages received by the ACOS device.
cer out
Number of Capabilities-Exchange-Request messages sent by the ACOS device.
cer in
Number of Capabilities-Exchange-Request messages received by the ACOS device.
dwr out
Number of Device-Watchdog-Request messages sent by the ACOS device.
dwr in
Number of Device-Watchdog-Request messages received by the ACOS device.
dwa out
Number of Device-Watchdog-Answer messages sent by the ACOS device.
dwa in
Number of Device-Watchdog-Answer messages received by the ACOS device.
str out
Number of Session-Termination-Request messages sent by the ACOS device.
str in
Number of Session-Termination-Request messages received by the ACOS device.
sta out
Number of Session-Termination-Answer messages sent by the ACOS device.
sta in
Number of Session-Termination-Answer messages received by the ACOS device.
asr out
Number of Abort-Session-Request messages sent by the ACOS device.
asr in
Number of Abort-Session-Request messages received by the ACOS device.
asa out
Number of Abort-Session-Answer messages sent by the ACOS device.
asa in
Number of Abort-Session-Answer messages received by the ACOS device.
other out
Number of Diameter messages of other types (other message codes) sent by the ACOS device.
other in
Number of Diameter messages of other types received by the ACOS device.
show slb fast-http-proxy
Description
Show statistics for SLB fast-HTTP proxy.
Syntax
show slb fast-http-proxy [server-name port] [detail]
Parameter
Description
server-name port
Show statistics for the specified server and port only.
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command shows summary fast-HTTP-proxy statistics:
ACOS#show slb fast-http-proxy
                          Total
-----------------------------------------------------------------
Curr Proxy Conns          0
Total Proxy Conns         0
HTTP requests             0
HTTP requests(succ)       0
No proxy error            0
Client RST                0
Server RST                0
No tuple error            0
Parse req fail            0
Server selection fail     0
Fwd req fail              0
Fwd req data fail         0
Req retransmit            0
Req pkt out-of-order      0
Server reselection        0
Server premature close    0
Server conn made          0
Source NAT failure        0
Request over limit        0
Request rate over limit   0
Out RSTs                  0
Full proxy tot            0
Full proxy POST           0
Full proxy pipeline       0
Full proxy fpga err       0
Close on DDoS             0
DNS unresolve             0
Policy drop               0
The following table describes the fields in the command output.
Field
Description
Curr Proxy Conns
Number of currently active connections using the fast-HTTP proxy.
Total Proxy Conns
Total number of connections that have used the fast-HTTP proxy.
HTTP requests
Number of HTTP requests received by the fast-HTTP proxy.
HTTP requests(succ)
Number of HTTP requests successfully fulfilled (by establishing a connection to a real server).
No proxy error
Number of proxy errors.
Client RST
Number of times TCP connections with clients were reset.
Server RST
Number of times TCP connections with servers were reset.
No tuple error
Number of tuple errors.
Parse req fail
Number of times the HTTP parser failed to parse a received HTTP request.
Server selection fail
Number of times selection of a real server failed.
Fwd req fail
Number of forward request failures.
Fwd req data fail
Number of forward request data failures.
Req retransmit
Number of retransmitted requests.
Req pkt out-of-order
Number of request packets received from clients out of sequence.
Server reselection
Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server premature close
Number of times the connection with a server closed prematurely.
Server conn made
Number of connections made with servers.
Source NAT failure
Number of source NAT failures.
Request over limit
Number of times the request limit was exceeded.
Request rate over limit
Number of times the request rate limit was exceeded.
Out RSTs
Number of TCP RSTs sent out.
Full proxy tot
Total number of full proxy HTTP sessions.
Full proxy POST
Total number of full proxy sessions for HTTP POST request.
Full proxy pipeline
Total number of pipelined requests.
Full proxy fpga err
Total number of FPGA errors.
Close on DDoS
Number of times a session was closed because of a denial-of-service (DDoS) attack.
show slb fix
Description
Show SLB statistics for the Financial Information Exchange (FIX) proxy.
Syntax
show slb fix [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command shows FIX SLB statistics.
ACOS(config)#show slb fix
                          Total
-----------------------------------------------------------------
Current proxy conns       4
Total proxy conns         2
Client fail               7
Server fail               2
Server selection failure  1
no route failure          0
Source NAT failure        1
Insert client IP          5
Default switching         1
Sender ID switching       4
Target ID switching       0
The following table describes the fields in the command output.
Field
Description
Current proxy conns
Number of currently active connections using the FIX proxy.
Total proxy conns
Total number of connections that have used the FIX proxy.
Client fail
Number of times that the connection was terminated due to an error on the client side.
Server fail
Number of times that the connection was terminated due to an error on the server side.
Server selection failure
Number of times selection of a real server failed.
no route failure
Number of times FIX failed due to a route lookup failure.
Source NAT Failure
Number of source NAT failures.
Insert client IP
Number of times that the ACOS device inserted the client’s IP address into tag 11447 and forwarded the recalculated request packet to the FIX server.
Default switching
Number of times that the ACOS device parsed the tag value from a client’s request and selected a service-group based on a match with the configured tag keyword.
Sender ID Switching
Instances of content switching based on the sender’s identification tag (SenderCompID).
Target ID Switching
Instances of content switching based on the receiver’s identification tag (TargetCompID).
show slb ftp
Description
Show SLB FTP statistics.
Syntax
show slb ftp
Mode
All
Example
The following command shows SLB FTP statistics.
ACOS#show slb ftp
Total Control Sessions        0
Total ALG packets             0
ALG packets rexmitted         0
Total Data Sessions           0
Total PORT helper sessions    0
Total PASV helper sessions    0
Drop Data Port out of range   0
The following table describes the fields in the command output.
Field
Description
Total Control Sessions
Total number of FTP control sessions load-balanced by the ACOS device.
Total ALG packets
Total number of Application Layer Gateway (ALG) packets.
ALG packets rexmitted
Number of ALG packets that have been retransmitted.
Out of Connections
Number of times an FTP control session could not be established because none of the real servers had available connections.
Total Data Sessions
Total number of FTP data sessions load-balanced by the ACOS device.
Out of Connections
Number of times an FTP data session could not be established because none of the real servers had available connections.
show slb ftp-proxy
Description
Display FTP-proxy statistics.
Syntax
show slb ftp-proxy [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
show slb generic-proxy
Description
Display generic-proxy statistics.
Syntax
show slb generic-proxy [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
show slb geo-location
Description
Display geo-location information.
Syntax
show gslb geo-location [virtual-server-name | port-num | bad-only | depth num | id group-id | ip ipaddr | location location-name | statistics]
Option
Description
virtual-server-name
Displays geo-location information for only the specified virtual server.
port-num
Displays geo-location information for only the specified virtual port.
bad-only
Displays only the invalid entries.
depth num
Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed. You can specify 1-5.
id group-id
Displays geo-location information for only the specified black/white-list group ID.
ip ipaddr
Displays geo-location database entries for only the specified IP address.
location location-name
Displays geo-location database entries for only the specified location.
statistics
Displays statistics for the specified geo-location.
Mode
All
Usage
Some options can be combined on the same command line. See the CLI help for information.
show slb http-proxy
Description
Show statistics for SLB HTTP proxy.
Syntax
show slb http-proxy [virtual-server port-num] [detail]
Option
Description
detail
Lists separate counters for each CPU.
virtual-server port-num
Displays counters for HTTP response codes. For the virtual-server port-num, enter the name of a virtual server and its port. The port-num can be 1-65534.
Mode
All
Example
The following command shows summary HTTP-proxy statistics:
ACOS#show slb http-proxy
                          Total
-----------------------------------------------------------------
Curr Proxy Conns          23
Total Proxy Conns         621328
HTTP requests             621324
HTTP requests(succ)       621323
HTTP requests(CONNECT)    0
HTTP requests enter SSLi  0
HTTP req (cache succ)     0
No proxy error            0
Client RST                0
Server RST                12
No tuple error            0
Parse req fail            0
Server selection fail     0
Fwd req fail              0
Fwd req data fail         0
Req retransmit            0
Req pkt out-of-order      0
Server reselection        0
Server premature close    0
Server conn made          621324
Source NAT failure        0
Tot data before compress  0
Tot data after compress   0
Request over limit        0
Request rate over limit   0
Close on DDoS             0
The following table describes the fields in the command output.
Field
Description
Curr Proxy Conns
Number of currently active HTTP connections using the ACOS device as an HTTP proxy.
Total Proxy Conns
Total number of HTTP connections that have used the ACOS device as an HTTP proxy.
HTTP requests
Total number of HTTP requests received by the HTTP proxy.
HTTP requests(succ)
Number of HTTP requests received by the HTTP proxy that were successfully fulfilled (by connection to a real server).
HTTP requests(CONNECT)
Number of CONNECT requests received by the HTTP proxy.
HTTP requests enter SSLi
Number of HTTP requests directed to SSLi.
HTTP req (cache succ)
Number of HTTP requests received by the HTTP proxy that were successfully fulfilled from the cache.
No proxy error
Number of proxy errors.
Client RST
Number of times TCP connections with clients were reset.
Server RST
Number of times TCP connections with servers were reset.
No tuple error
Number of tuple errors.
Parse req fail
Number of times parsing of an HTTP request failed.
Server selection fail
Number of times selection of a real server failed.
Fwd req fail
Number of forward request failures.
Fwd req data fail
Number of forward request data failures.
Req retransmit
Number of retransmitted requests.
Req pkt out-of-order
Number of request packets received from clients out of sequence.
Server reselection
Number of times a request was forwarded to another server because the current server was failing.
Server premature close
Number of times the connection with a server closed prematurely.
Server conn made
Number of connections made with servers.
Source NAT failure
Number of source NAT failures.
Tot data before compress, Tot data after compress
These counters show statistics for HTTP compression, in bytes.
Request over limit
Number of times the current request count exceeded the limit defined in the policy template.
Request rate over limit
Number of times the request rate exceeded the limit defined in the policy template.
Close on DDoS
Number of times a connection was forced to close because of a DDoS attack.
Example
The following command shows HTTP response code statistics:
ACOS(config)#show slb http-proxy vs800-http 80
                          Total
-----------------------------------------------------------------
status code 1XX           3
status code 2XX           1
status code 3XX           12
status code 4XX           8
status code 5XX           2
status code 6XX           3
...
Rsp time < 200m           0
Rsp time < 500m           1
Rsp time < 1s             3
Rsp time < 2s             7
Rsp time < 5s             13
Rsp time >= 5s            22
show slb hw-compression
Description
Show statistics for hardware-based compression.
Syntax
show slb hw-compression [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Usage
Hardware-based compression is available using an optional hardware module in some models. If this command does not appear on your ACOS device, the device does not contain a compression module.
Example
The following commands first enable hardware-based compression (hw-compression command), then display statistics for the feature:
ACOS(config)# slb common
ACOS(config-common)# hw-compression
ACOS(config-common)# show slb hw-compression
Hardware compression device is installed.
Hardware compression module is enabled.
                          Total
-----------------------------------------------------------------
total request count       177157
total submit count        177157
total response count      177157
total failure count       0
last failure code         0
compression queue full    0
max queued request count  84
max queued submit count   68
show slb icap
Description
Show ICAP statistics for debugging.
Syntax
show slb icap [detail]
Mode
All
Example
The following command shows detailed ICAP statistics, with one column per CPU (DP0 through DP5) and a Total column:
ACOS#show slb icap detail
                          DP0    DP1    DP2    DP3    DP4    DP5    Total
-----------------------------------------------------------------
reqmod request            0      0      0      0      0      0      0
respmod request           0      0      0      0      0      0      0
reqmod req after 100      0      0      0      0      0      0      0
respmod req after 100     0      0      0      0      0      0      0
reqmod response           0      0      0      0      0      0      0
respmod response          0      0      0      0      0      0      0
reqmod resp after 100     0      0      0      0      0      0      0
respmod resp after 100    0      0      0      0      0      0      0
send option req           0      0      0      0      0      0      0
recv option resp          0      0      0      0      0      0      0
chunk no allow 204        0      0      0      0      0      0      0
Big CL so no allow 204    0      0      0      0      0      0      0
result continue           0      0      0      0      0      0      0
result icap response      0      0      0      0      0      0      0
result 100 continue       0      0      0      0      0      0      0
result other              0      0      0      0      0      0      0
status 2xx                0      0      0      0      0      0      0
status 200                0      0      0      0      0      0      0
status 201                0      0      0      0      0      0      0
status 202                0      0      0      0      0      0      0
status 203                0      0      0      0      0      0      0
status 204                0      0      0      0      0      0      0
status 205                0      0      0      0      0      0      0
status 206                0      0      0      0      0      0      0
status 207                0      0      0      0      0      0      0
status 1xx                0      0      0      0      0      0      0
status 100                0      0      0      0      0      0      0
status 101                0      0      0      0      0      0      0
status 102                0      0      0      0      0      0      0
status 3xx                0      0      0      0      0      0      0
status 300                0      0      0      0      0      0      0
status 301                0      0      0      0      0      0      0
status 302                0      0      0      0      0      0      0
status 303                0      0      0      0      0      0      0
status 304                0      0      0      0      0      0      0
status 305                0      0      0      0      0      0      0
status 306                0      0      0      0      0      0      0
status 307                0      0      0      0      0      0      0
status 4xx                0      0      0      0      0      0      0
status 400                0      0      0      0      0      0      0
status 401                0      0      0      0      0      0      0
status 402                0      0      0      0      0      0      0
status 403                0      0      0      0      0      0      0
status 404                0      0      0      0      0      0      0
status 405                0      0      0      0      0      0      0
status 406                0      0      0      0      0      0      0
status 407                0      0      0      0      0      0      0
status 408                0      0      0      0      0      0      0
status 409                0      0      0      0      0      0      0
status 410                0      0      0      0      0      0      0
status 411                0      0      0      0      0      0      0
status 412                0      0      0      0      0      0      0
status 413                0      0      0      0      0      0      0
status 414                0      0      0      0      0      0      0
status 415                0      0      0      0      0      0      0
status 416                0      0      0      0      0      0      0
status 417                0      0      0      0      0      0      0
status 418                0      0      0      0      0      0      0
status 419                0      0      0      0      0      0      0
status 420                0      0      0      0      0      0      0
status 422                0      0      0      0      0      0      0
status 423                0      0      0      0      0      0      0
status 424                0      0      0      0      0      0      0
status 425                0      0      0      0      0      0      0
status 426                0      0      0      0      0      0      0
status 449                0      0      0      0      0      0      0
status 450                0      0      0      0      0      0      0
status 5xx                0      0      0      0      0      0      0
status 500                0      0      0      0      0      0      0
status 501                0      0      0      0      0      0      0
status 502                0      0      0      0      0      0      0
status 503                0      0      0      0      0      0      0
status 504                0      0      0      0      0      0      0
status 505                0      0      0      0      0      0      0
status 506                0      0      0      0      0      0      0
status 507                0      0      0      0      0      0      0
status 508                0      0      0      0      0      0      0
status 509                0      0      0      0      0      0      0
status 510                0      0      0      0      0      0      0
status 6xx                0      0      0      0      0      0      0
status unknown            0      0      0      0      0      0      0
app serv conn no pcb err  0      0      0      0      0      0      0
app serv conn err         0      0      0      0      0      0      0
chunk1 hdr err            0      0      0      0      0      0      0
chunk2 hdr err            0      0      0      0      0      0      0
chunk bad trail err       0      0      0      0      0      0      0
no payload next buff err  0      0      0      0      0      0      0
no payload buff err       0      0      0      0      0      0      0
resp hdr incomplete err   0      0      0      0      0      0      0
serv sel fail err         0      0      0      0      0      0      0
start icap conn fail err  0      0      0      0      0      0      0
prep req fail err         0      0      0      0      0      0      0
icap ver err              0      0      0      0      0      0      0
icap line err             0      0      0      0      0      0      0
encap hdr incomplete err  0      0      0      0      0      0      0
no icap resp err          0      0      0      0      0      0      0
resp line read err        0      0      0      0      0      0      0
resp line parse err       0      0      0      0      0      0      0
resp hdr err              0      0      0      0      0      0      0
req hdr incomplete err    0      0      0      0      0      0      0
no status code err        0      0      0      0      0      0      0
http resp line read err   0      0      0      0      0      0      0
http resp line parse err  0      0      0      0      0      0      0
http resp hdr err         0      0      0      0      0      0      0
show slb l4
Description
Show Layer-4 SLB statistics.
Syntax
show slb l4 [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command shows summary statistics for Layer 4 SLB:
ACOS#show slb l4
                          Total
-----------------------------------------------------------------
IP out noroute            0
TCP out RST               0
TCP out RST no SYN        0
TCP out RST L4 proxy      0
TCP out RST ACK attack    0
TCP out RST aFleX         0
TCP out RST stale sess    0
TCP out RST TCP proxy     0
TCP SYN received          226510
TCP SYN cookie snt        226510
TCP SYN cookie expd snt   0
TCP SYN cookie snt fail   0
TCP received              1042844
UDP received              0
L2 DSR received           0
L3 DSR received           0
Server sel failure        0
Source NAT failure        0
Source NAT no fwd route   0
Source NAT no rev route   0
Source NAT ICMP Process   0
Source NAT ICMP No Match  0
Auto NAT id mismatch      0
TCP SYN cookie failed     0
L4 SYN attack             226510
NAT no session drops      0
vport not matching drops  0
No SYN pkt drops          0
No SYN pkt drops - FIN    0
No SYN pkt drops - RST    0
No SYN pkt drops - ACK    0
Conn Limit drops          0
Conn Limit resets         0
Conn rate limit drops     0
Conn rate limit resets    0
Proxy no sock drops       0
aFleX drops               0
Session aged out          0
TCP Session aged out      0
UDP Session aged out      0
Other Session aged out    0
TCP no SLB                0
UDP no SLB                0
SYN Throttle              0
Inband HM retry           0
Inband HM reassign        0
Auto-reselect server      0
Fast aging set            0
Fast aging reset          0
TCP invalid drop          0
Out of sequence ACK drop  0
SYN stale sess drop       589824
Anomaly out of sequence   0
Anomaly zero window       0
Anomaly bad content       0
Anomaly pbslb drop        0
No resource drop          0
Reset unknown conn        0
RST L7 on failover        0
TCP SYN Other Flags Drop  0
TCP SYN With Data Drop    0
ignore msl                0
NAT Port Preserve Try     0
NAT Port Preserve Succ    0
BW-Limit Exceed drop      0
BW-Watermark drop         0
L4 CPS exceed drop        0
NAT CPS exceed drop       0
L7 CPS exceed drop        0
SSL CPS exceed drop       0
SSL TPT exceed drop       0
SSL TPT-Watermark drop    0
L3V Conn Limit Drop       0
L4 server handshake fail  0
L4 AX re-xmit SYN         0
L4 rcv ACK on SYN         0
L4 rcv RST on SYN         0
TCP no-Est Sess aged out  0
no-Est CSYN rcv aged out  0
no-Est SSYN snt aged out  0
L4 rcv rexmit SYN         589824
L4 rcv rexmit SYN (delq)  589824
L4 rcv rexmit SYN|ACK     0
L4 rcv rexmit SYN|ACK DQ  0
L4 rcv fwd last ACK       0
L4 rcv rev last ACK       0
L4 rcv fwd FIN            0
L4 rcv fwd FIN dup        0
L4 rcv fwd FIN|ACK        0
L4 rcv rev FIN            0
L4 rcv rev FIN dup        0
L4 rcv rev FIN|ACK        0
L4 rcv fwd RST            226510
L4 rcv rev RST            0
L4 UDP reqs no rsp        0
L4 UDP req rsps           0
L4 UDP req/rsp not match  0
L4 UDP req > rsps         0
L4 UDP rsps > reqs        0
L4 UDP reqs               0
L4 UDP rsps               0
L4 TCP Established        0
Skip Insert-client-ip     0
DNS query id switch       0
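The counters above are cumulative and only become a signal when read together. As an added example (not part of the A10 documentation), the following Python parses the two-column listing into a dictionary, takes deltas between two snapshots, and derives a SYN-flood indicator from the fields the table below describes; the sample text is a constructed subset of this page's output, and the threshold and minimum-sample values are assumptions, not A10 defaults.

```python
import re

# Constructed sample: a subset of the "show slb l4" listing on this page,
# laid out as the CLI prints it (counter name, spaces, cumulative value).
SAMPLE_SHOW_SLB_L4 = """\
ACOS#show slb l4
                          Total
-----------------------------------------------------------------
TCP SYN received          226510
TCP SYN cookie snt        226510
TCP SYN cookie snt fail   0
TCP received              1042844
TCP SYN cookie failed     0
L4 SYN attack             226510
SYN stale sess drop       589824
L4 rcv rexmit SYN         589824
L4 rcv rexmit SYN (delq)  589824
L4 rcv fwd RST            226510
L4 TCP Established        0
"""

# A counter line is "<name> <integer>"; the prompt, the "Total" header and
# the dashed separator never end in an integer, so they are skipped.
COUNTER_LINE = re.compile(r"^(\S.*?\S)\s+(\d+)\s*$")


def parse_show_slb_l4(text):
    """Map each counter name in the listing to its integer value."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER_LINE.match(line)
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def counter_deltas(previous, current):
    """The counters are cumulative, so compare two snapshots taken an
    interval apart; a counter absent from the earlier snapshot counts as 0."""
    return {name: value - previous.get(name, 0) for name, value in current.items()}


def assess_syn_flood(counters, ratio_threshold=0.5, min_syns=1000):
    """SYN-flood indicator built from the fields this page describes:
    "L4 SYN attack" counts SYNs never followed by a valid client ACK, so its
    share of "TCP SYN received" is the fraction of half-open attempts.
    ratio_threshold and min_syns are assumed values chosen for this example."""
    syn_received = counters.get("TCP SYN received", 0)
    syn_attack = counters.get("L4 SYN attack", 0)
    ratio = syn_attack / syn_received if syn_received else 0.0
    return {
        "syn_received": syn_received,
        "syn_attack": syn_attack,
        "syn_attack_ratio": round(ratio, 4),
        "established": counters.get("L4 TCP Established", 0),
        "syn_cookies_sent": counters.get("TCP SYN cookie snt", 0),
        "suspected_syn_flood": syn_received >= min_syns and ratio >= ratio_threshold,
    }


if __name__ == "__main__":
    snapshot = parse_show_slb_l4(SAMPLE_SHOW_SLB_L4)
    print(assess_syn_flood(snapshot))
```

In a monitoring job, feed counter_deltas() the previous and current parsed snapshots so the ratio reflects the last interval rather than everything since boot.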
The following table describes the fields in the command output.
Field
Description
IP out noroute
Number of IP packets that could not be routed. These packets are dropped by the ACOS device.
TCP out RST
Number of TCP Resets sent.
TCP out RST no SYN
Number of Resets sent for which there was no SYN.
TCP out RST L4 proxy
Number of TCP Reset packets the ACOS device has sent as a Layer 4 proxy.
TCP out RST ACK attack
Number of TCP Resets sent in response to a TCP ACK attack.
TCP out RST aFleX
Number of TCP Reset packets the ACOS device has sent due to an aFleX policy.
TCP out RST stale sess
This counter is incremented each time all of the following occur:
• A client SYN is received
• “reset on terminated session SYN packet” is enabled in the delete queue (this is enabled by default)
• “slb reset-stale-session” is enabled.
In such cases, an RST is sent out and the counter is incremented.
TCP out RST TCP proxy
Number of TCP Reset packets the ACOS device has sent as a TCP proxy.
TCP SYN received
Number of first SYN packets the ACOS device has received from the client.
TCP SYN cookie snt
Number of TCP SYN cookies sent.
TCP SYN cookie expd snt
Number of TCP SYN cookies with expanded options that were sent.
NOTE: Expanded SYN cookie options are disabled by default but can be enabled. (See “syn-cookie” on page 332.)
TCP SYN cookie snt fail
Number of TCP SYN cookie send attempts that failed because delivery to the client failed.
TCP received
Number of subsequent packets ACOS received from a client during a particular session. The counter includes the following types of packets: SA, A, FINACK, PSHACK.
UDP received
Number of UDP packets received.
L2 DSR received
Number of reply packets received for Layer 2 DSR sessions.
L3 DSR received
Number of reply packets received for Layer 3 DSR sessions.
Server sel failure
Number of times selection of a real server failed.
Source NAT failure
Number of times a source NAT failure occurred.
Source NAT no fwd route
Number of times there was no route to the destination for Layer 3 NAT traffic.
Source NAT no rev route
Number of times there was no route to the source for Layer 3 NAT traffic.
Source NAT ICMP Process
Number of times an ICMP error related to source NAT occurred.
Source NAT ICMP No Match
Number of times an ICMP error related to source NAT occurred, and there was no matching session for the traffic.
Auto NAT ID mismatch
Number of times a mismatch has occurred between a Smart NAT resource and a VRRP-A VRID.
TCP SYN cookie failed
Number of times a TCP SYN cookie validation failure occurred when the client never sent an ACK packet to complete the TCP three-way handshake.
L4 SYN attack
Total number of TCP SYNs received by the ACOS device that were not followed by a valid client ACK to establish the connection.
This counter is calculated as follows:
(Total-SYNs-Received-by-Hardware + Total-SYNs-Received-by-Software) - Total-Number-of-Successful-Connections = L4-SYN-Attack-Count
NAT no session drops
Number of packets sent to the NAT Pool IP, but for which there was no corresponding session on the device.
vport not matching drops
Number of packets received on a virtual port that was either down, disabled, or non-existent.
No SYN pkt drops
Total number of packets of the following three types dropped because there was no corresponding session (the sum of the three counters below): ACK, RST, FIN.
No SYN pkt drops - FIN
Number of FIN packets received for which there was no corresponding session on the ACOS device.
No SYN pkt drops - RST
Number of RST packets received for which there was no corresponding session on the ACOS device.
No SYN pkt drops - ACK
Number of ACK packets received for which there was no corresponding session on the ACOS device.
Conn Limit drops
Number of connections dropped because the server connection limit had been reached.
Conn Limit resets
Number of connections reset because the server connection limit had been reached.
Conn rate limit drops
Number of connections dropped by connection rate limiting.
Conn rate limit resets
Number of connections reset by connection rate limiting.
Proxy no sock drops
Number of packets dropped because the proxy did not have an available socket.
aFleX drops
Number of packets dropped due to an aFleX policy.
Session aged out
Total number of TCP (TCP Session aged out), UDP (UDP Session aged out) and other (Other Session aged out) sessions that aged out.
TCP Session aged out
Number of TCP sessions that aged out, including both half-open and established sessions.
UDP Session aged out
Number of UDP sessions that have aged out.
Other Session aged out
Number of sessions of other types (not TCP or UDP) that have aged out.
TCP no SLB
This counter is deprecated and is no longer used.
UDP no SLB
Number of non-SLB UDP packets received by the ACOS device.
SYN Throttle
If the count of buffers allocated from system memory is higher than the currently available free system buffers, a flag is set to throttle SYNs. For TCP connections, this means that incoming packets for new TCP connections are dropped to avoid queuing more buffers for processing.
Inband HM retry
Number of times the ACOS device retried an inband health check, because a SYN-ACK was not received for the previous SYN.
Inband HM reassign
Number of times the ACOS device reassigned a client’s traffic to another server, because the initial server exceeded the maximum number of retries allowed by the inband health check.
Auto-reselect server
Number of times the ACOS device has reperformed server selection automatically because the initially selected server did not respond to the TCP-SYN from the ACOS device.
NOTE: In the current release, this counter applies only to traffic on HTTP/HTTPS virtual ports.
Fast aging set
Number of times fast aging of idle connections was automatically enabled by the ACOS device due to factors such as low availability of I/O buffers, number of sessions or amount of available memory.
Fast aging reset
Number of times fast aging of idle connections was disabled. This occurs after a sufficient number of buffers become available again.
TCP invalid drop
Number of TCP packets received by the ACOS device that did not conform to the standard format for TCP packets. For example, this counter is incremented if the ACOS device receives a packet whose total length is less than the following:
Internet-Header-Length * 4 + TCP-data-offset * 4
Out of sequence ACK drop
Number of TCP ACKs that were dropped because they were out of sequence.
SYN stale sess drop
This counter is incremented each time all of the following occur:
• A client SYN is received
• “reset on terminated session SYN packet” is enabled in the delete queue (this is enabled by default)
• “slb reset-stale-session” is disabled.
In such cases, the packet is dropped and the counter is incremented.
Anomaly out of sequence
Number of packets that matched an IP anomaly out-of-sequence filter.
NOTE: To configure IP anomaly filters, see the ip anomaly-drop command in the “Config Commands: IP” chapter in the Network Configuration Guide.
Anomaly zero window
Number of packets that matched an IP anomaly zero-window filter.
Anomaly bad content
Number of packets that matched an IP anomaly bad-content filter.
Anomaly PBSLB drop
Number of packets that matched an IP anomaly filter used for system-wide Policy-Based SLB (PBSLB).
No resource drop
Number of times traffic has been dropped because the ACOS device had run out of Layer 4 session resources.
Reset unknown conn
Number of times the ACOS device sent a RST in response to a non-SYN packet for a non-existent session.
NOTE: This feature is enabled using the reset-unknown-conn option in virtual port templates. See “slb template virtual-port” on page 88.
RST L7 on failover
Number of Layer 7 sessions that were reset following VRRP-A failover.
TCP SYN Other Flags Drop
Number of TCP SYN packets that were dropped by the ACOS device because they contained a flag other than the SYN flag.
TCP SYN With Data Drop
Number of TCP SYN packets that were dropped by the ACOS device because they contained data.
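The three sanity rules behind TCP invalid drop, TCP SYN Other Flags Drop and TCP SYN With Data Drop can be applied to raw packets to reproduce the classification. The following Python is an added example, not A10 code: build_ipv4_tcp(), classify_l4() and the sample packets are constructed for this illustration, and treating the ECN bits (ECE/CWR) as not counting toward "other flags" is an assumption.

```python
import struct

# TCP flag bits in the flags byte of the header.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flags that make a SYN "contain a flag other than the SYN flag". Assumption:
# the ECN bits (ECE/CWR) are not counted, so ECN-setup SYNs pass.
OTHER_FLAGS = TCP_FIN | TCP_RST | TCP_PSH | TCP_ACK | TCP_URG
IP_PROTO_TCP = 6


def build_ipv4_tcp(flags, payload=b"", ihl=5, data_offset=5, total_length=None):
    """Constructed IPv4+TCP packet for the example (checksums left zero; the
    checks below never look at them). total_length overrides the IP Total
    Length field so a packet shorter than its headers can be simulated."""
    ip_hdr_len, tcp_hdr_len = ihl * 4, data_offset * 4
    if total_length is None:
        total_length = ip_hdr_len + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_length, 0, 0, 64, IP_PROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    ip += b"\x00" * (ip_hdr_len - 20)            # IP options, if ihl > 5
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    tcp += b"\x00" * (tcp_hdr_len - 20)          # TCP options, if data_offset > 5
    return ip + tcp + payload


def classify_l4(pkt):
    """Return the "show slb l4" counter the packet would increment, or "accept"."""
    if len(pkt) < 20:
        return "TCP invalid drop"
    ihl = pkt[0] & 0x0F
    total_length = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IP_PROTO_TCP:
        return "not TCP"
    ip_hdr_len = ihl * 4
    # The fixed 20-byte TCP header must be present to read data offset and flags.
    if ihl < 5 or len(pkt) < ip_hdr_len + 20:
        return "TCP invalid drop"
    data_offset = pkt[ip_hdr_len + 12] >> 4
    flags = pkt[ip_hdr_len + 13]
    # "TCP invalid drop": total length less than IHL * 4 + TCP data offset * 4.
    if data_offset < 5 or total_length < ip_hdr_len + data_offset * 4:
        return "TCP invalid drop"
    if flags & TCP_SYN:
        if flags & OTHER_FLAGS:
            return "TCP SYN Other Flags Drop"
        if total_length - ip_hdr_len - data_offset * 4 > 0:
            return "TCP SYN With Data Drop"
    return "accept"


def tally(packets):
    """Count packets per outcome, the way the device counters accumulate."""
    counts = {}
    for pkt in packets:
        outcome = classify_l4(pkt)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample traffic: a clean SYN, a SYN|FIN, a SYN carrying data,
# a packet whose Total Length is shorter than its headers, and an ordinary
# data segment that carries both IP and TCP options.
SAMPLE_PACKETS = [
    build_ipv4_tcp(TCP_SYN),
    build_ipv4_tcp(TCP_SYN | TCP_FIN),
    build_ipv4_tcp(TCP_SYN, payload=b"GET / HTTP/1.1\r\n"),
    build_ipv4_tcp(TCP_ACK, total_length=30),
    build_ipv4_tcp(TCP_ACK | TCP_PSH, payload=b"x", ihl=6, data_offset=8),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify_l4(pkt))
    print(tally(SAMPLE_PACKETS))
```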
Ignore MSL
Number of times a SYN packet reached the MSL limit (default is 2 seconds) during a time-wait state and was not dropped, because the “ignore-tcp-msl” option is configured in the virtual-port template. (See “slb template virtual-port” on page 88.)
NAT Port Preserve Try
Number of times the client port preservation feature attempted to preserve a client’s source port for traffic destined to a virtual port.
Note: This feature is enabled using the snat-port-preserve option in virtual port templates. See “slb template virtual-port” on page 88.
NAT Port Preserve Succ
Number of times the client port preservation feature successfully preserved a client’s source port for traffic destined to a virtual port.
BW-Limit Exceed drop
Number of times traffic was dropped because a configured bandwidth limit was exceeded.
BW-Watermark drop
Number of times traffic was dropped because a configured bandwidth watermark was exceeded.
L4 CPS exceed drop
Number of times traffic was dropped because the maximum allowed number of Layer 4 connections per second (CPS) was exceeded.
NAT CPS exceed drop
Number of times traffic was dropped because the maximum allowed number of NAT CPS was exceeded.
L7 CPS exceed drop
Number of times traffic was dropped because the maximum allowed number of Layer 7 CPS was exceeded.
SSL CPS exceed drop
Number of times traffic was dropped because the maximum allowed number of SSL CPS was exceeded.
SSL TPT exceed drop
Number of times SSL traffic was dropped because SSL throughput exceeded the maximum allowed by a system-resource template.
SSL TPT-Watermark drop
Number of times SSL traffic was dropped because SSL throughput exceeded the configured watermark.
L3V Conn Limit Drop
Number of times Layer 3 traffic was dropped because a configured connection limit was exceeded.
L4 server handshake fail
Number of times traffic was dropped because the Layer 4 handshake with a server failed.
L4 AX re-xmit SYN
Number of times the ACOS device needed to retransmit a TCP SYN.
L4 rcv ACK on SYN
Number of SYN-ACKs (ACKs in response to TCP-SYNs) received by the ACOS device.
L4 rcv RST on SYN
Number of TCP Resets (RST) the ACOS device received in response to a SYN.
TCP no-Est Sess aged out
Number of half-open sessions on the ACOS device. A half-open session means the ACOS device received a SYN packet and forwarded it to the backend server, but there was no SYN-ACK from the backend server, resulting in a half-open session on the ACOS device. These sessions are created with a session age time of 60 seconds. If the session is idle for more than 60 seconds, ACOS terminates the session, removes it from the session table and increments this counter.
no-Est CSYN rcv aged out
Number of times the ACOS device received a SYN from a client and forwarded it to the server. This can create a half-open session on the ACOS device if there is no SYN-ACK from the server for a period exceeding 60 seconds. If this happens, ACOS kills the session and increments this counter.
no-Est SSYN snt aged out
Number of TCP sessions that aged out before a SYN was received from the server, and
therefore could not be established.
L4 rcv rexmit SYN
Number of times the client does not get a SYN-ACK from the server. This causes the client
to retransmit same SYN packet that it sent earlier. This counter will increment each time
such a re-transmission of the SYN packet occurs.
L4 rcv rexmit SYN (delq)
Number of times the client SYN packet matches an existing session currently in the delete
queue. When this occurs, both the “L4 rcv rexmit SYN” and “L4 rcv rexmit SYN (delq)” counters are incremented.
L4 rcv rexmit SYN|ACK
Total number of retransmitted SYN-ACKs received by the ACOS device.
L4 rcv rexmit SYN|ACK DQ
Number of retransmitted SYN-ACKs received by the ACOS device for sessions that had
already been moved to the delete queue.
L4 rcv fwd last ACK
Number of final ACKs (last ACKs of a given TCP session) received by the ACOS device from
clients.
Note: In this field and the following fields, the following terms describe the traffic origination and direction:
• rcv fwd – Final ACKs received from the client.
• rcv rev – Final ACKs received from the server.
L4 rcv rev last ACK
Number of final ACKs (last ACKs of a given TCP session) received by the ACOS device from
servers.
L4 rcv fwd FIN
Number of TCP FINs received from clients.
L4 rcv fwd FIN dup
Number of times more than one FIN packet is received from the client.
An example of this would be if the server did not reply to a FIN-ACK in time, thus causing
the client to send another FIN.
L4 rcv fwd FIN|ACK
Number of TCP FIN-ACKs received from clients.
L4 rcv rev FIN
Number of TCP FINs received from servers.
L4 rcv rev FIN dup
Number of duplicate TCP FINs received from servers.
L4 rcv rev FIN|ACK
Number of TCP FIN-ACKs received from servers.
L4 rcv fwd RST
Number of TCP RST packets that the ACOS device received from a client and forwarded to
the server.
L4 rcv rev RST
Number of TCP RST packets that the ACOS device received from a server and forwarded to
the client.
L4 UDP reqs no rsp
Number of port 53 UDP requests received to which there was no response.
L4 UDP req rsps
Number of port 53 UDP requests received to which there was a response.
L4 UDP req/rsp not match
Number of mismatches between port 53 UDP requests and responses.
L4 UDP req > rsps
Number of port 53 UDP requests received for which there was no corresponding response.
L4 UDP rsps > reqs
Number of port 53 UDP responses received for which there was no corresponding request.
L4 UDP reqs
Total number of port 53 UDP requests received by the ACOS device.
L4 UDP rsps
Total number of port 53 UDP responses received by the ACOS device.
L4 TCP Established
Number of established sessions that completed a 3-way TCP handshake.
Skip Insert-client-ip
Number of times client IP insertion into TCP option failed due to lack of space.
DNS query id switch
Number of requests load balanced based on DNS query ID.
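The counters above are cumulative totals, and on their own they say little; what an operator watches is how they move relative to each other (half-open sessions aging out against sessions actually established, SYN retransmissions against establishments, UDP port 53 mismatches against requests). The following Python is an added example, not part of this reference and not A10 code. It assumes the two-column "counter name   value" layout that the ACOS show slb commands use for their output; the counter names are the ones documented in the table above, the values in the sample are constructed, and the warning thresholds are illustrative assumptions rather than ACOS defaults.

```python
"""Derive TCP-handshake health indicators from 'show slb'-style L4 counters.

Added example; not part of the ACOS CLI reference or A10's code. It assumes
the two-column "counter name   value" layout used by ACOS 'show slb ...'
output. The counter names come from the field table above; the sample
values below are constructed, not captured from a device.
"""
import re

# Constructed sample in the documented layout (names from the reference,
# values invented for illustration).
SAMPLE_L4_OUTPUT = """\
                                    Total
-----------------------------------------------------------------
L4 rcv ACK on SYN                   120340
L4 rcv RST on SYN                   210
TCP no-Est Sess aged out            5600
no-Est CSYN rcv aged out            5600
no-Est SSYN snt aged out            12
L4 rcv rexmit SYN                   3400
L4 rcv rexmit SYN (delq)            40
L4 UDP reqs                         80000
L4 UDP rsps                         79100
L4 UDP req/rsp not match            300
L4 TCP Established                  118900
Skip Insert-client-ip               0
"""

# A counter line is a name, two or more spaces, then an integer.
COUNTER_RE = re.compile(r"^(?P<name>\S.*?\S)\s{2,}(?P<value>\d+)\s*$")


def parse_counters(text):
    """Return {counter name: int} for every 'name   value' line.

    The header, separator and blank lines do not match the pattern and are
    skipped, so the raw CLI output can be fed in unchanged.
    """
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def ratio(numerator, denominator):
    """Division that yields 0.0 for an empty denominator instead of raising."""
    return numerator / denominator if denominator else 0.0


def handshake_health(counters, half_open_warn=0.02, rexmit_warn=0.05):
    """Compute the indicators a NOC or SOC dashboard would track.

    half_open_ratio   sessions that aged out without a server SYN-ACK versus
                      established sessions; a rising value means backends are
                      not completing handshakes (overload, filtering, or SYNs
                      the servers never answer).
    syn_rexmit_ratio  client SYN retransmissions versus established sessions,
                      i.e. how often clients had to resend a SYN.
    udp_mismatch_ratio  port 53 request/response mismatches versus requests.
    The thresholds are assumptions for illustration, not ACOS defaults.
    """
    c = counters.get
    established = c("L4 TCP Established", 0)
    report = {
        "half_open_ratio": ratio(c("TCP no-Est Sess aged out", 0), established),
        "syn_rexmit_ratio": ratio(c("L4 rcv rexmit SYN", 0), established),
        "udp_mismatch_ratio": ratio(c("L4 UDP req/rsp not match", 0), c("L4 UDP reqs", 0)),
    }
    warnings = []
    if report["half_open_ratio"] > half_open_warn:
        warnings.append("half-open sessions aging out: backend not answering SYNs")
    if report["syn_rexmit_ratio"] > rexmit_warn:
        warnings.append("clients retransmitting SYNs: SYN-ACKs delayed or lost")
    report["warnings"] = warnings
    return report


if __name__ == "__main__":
    stats = handshake_health(parse_counters(SAMPLE_L4_OUTPUT))
    for key, value in stats.items():
        print(f"{key}: {value}")
```

Because the counters are cumulative since the last clear, a monitor that polls this command should difference successive samples before computing the ratios; the functions above work unchanged on such per-interval deltas.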
show slb mssql
Description
Display statistics for database load-balancing (DBLB) for a MS-SQL database system.
Syntax
show slb mssql [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command displays MS-SQL statistics:
ACOS(config)#show slb mssql
                              Total
-----------------------------------------------------------------
Curr Proxy Conns              0
Total Proxy Conns             0
Curr BE Encryption Conns      0
Total BE Encryption Conns     0
Curr FE Encryption Conns      0
Total FE Encryption Conns     0
Client FIN                    0
Server FIN                    0
Session err                   0
DB Queries                    0
DB commands reply             0
Authentication Success        0
Authentication Failure        0
The following table describes the fields in the command output.
Field
Description
Current Proxy Connections
Number of currently active connections that use the DBLB proxy.
Total Proxy Connections
Total number of connections that have used the DBLB proxy.
Current BE Encryption Connections
Number of currently active, encrypted connections on the back-end (BE), between the
ACOS device and the servers that process database queries.
Total BE Encryption Connections
Total number of encrypted connections on the back-end (BE), between the ACOS device
and the servers that process database queries.
Current FE Encryption Connections
Number of currently active, encrypted connections on the front-end (FE),
between the ACOS device and a client.
Total FE Encryption Connections
Total number of encrypted connections on the front-end (FE), between the
ACOS device and a client.
Client FIN
Number of TCP connections that were closed on the client side.
Server FIN
Number of TCP connections that were closed on the server side.
Session Error
Total number of session errors that occurred while processing DBLB requests.
DB Queries
Total number of received database queries.
Note: This counter corresponds to the number of instances that the aFleX
DB_QUERY event was triggered.
DB Commands Reply
Total number of received database commands.
Note: This counter corresponds to the number of instances that the aFleX
DB_COMMAND event was triggered.
Authentication Success
Number of successful AUTH commands.
Authentication Failure
Number of failed AUTH commands.
Introduced in Release
2.7.1
show slb mysql
Description
Display statistics for database load-balancing (DBLB) for a MySQL database system.
Syntax
show slb mysql [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command displays MySQL statistics:
ACOS(config)#show slb mysql
                              Total
-----------------------------------------------------------------
Curr Proxy Conns              0
Total Proxy Conns             0
Curr BE Encryption Conns      0
Total BE Encryption Conns     0
Curr FE Encryption Conns      0
Total FE Encryption Conns     0
Client FIN                    0
Server FIN                    0
Session err                   0
DB Queries                    0
DB commands reply             0
The following table describes the fields in the command output.
Field
Description
Current Proxy Connections
Number of currently active connections that use the DBLB proxy.
Total Proxy Connections
Total number of connections that have used the DBLB proxy.
Current BE Encryption Connections
Number of currently active, encrypted connections on the back-end (BE), between the
ACOS device and the servers that process database queries.
Total BE Encryption Connections
Total number of encrypted connections on the back-end (BE), between the ACOS device
and the servers that process database queries.
Current FE Encryption Connections
Number of currently active, encrypted connections on the front-end (FE),
between the ACOS device and a client.
Total FE Encryption Connections
Total number of encrypted connections on the front-end (FE), between the ACOS
device and a client.
Client FIN
Number of TCP connections that were closed on the client side.
Server FIN
Number of TCP connections that were closed on the server side.
Session Error
Total number of session errors that occurred while processing DBLB requests.
DB Queries
Total number of received database queries.
Note: This counter corresponds to the number of instances that the aFleX
DB_QUERY event was triggered.
DB Commands Reply
Total number of received database commands.
Note: This counter corresponds to the number of instances that the aFleX
DB_COMMAND event was triggered.
show slb passthrough
Description
Display statistics for pass-through TCP sessions. A pass-through TCP session is one that is not
terminated by the ACOS device (for example, a session for which the ACOS device is not
serving as a proxy for SLB).
Syntax
show slb passthrough
Mode
All
Example
The following command displays TCP pass-through session statistics:
ACOS#show slb passthrough
Request packets:        10741
Request bytes:          570272
Response packets:       38195
Response bytes:         56562872
Current connections:    0
Total connections:      4
show slb performance
Description
Show SLB performance statistics.
Syntax
show slb performance
[interval number [detail]]
[{l4cpi | l7cpi | l7tpi | natcpi | sslcpi} [detail]]
Option
Description
interval number
Automatically refreshes the output at the specified interval. The interval
can be 1-32 seconds. If you omit this option, the output is shown one
time. If you use this option, the output is repeatedly refreshed at the specified interval until you press ctrl+c.
detail
Lists separate counters for each CPU.
l4cpi
Shows only Layer 4 connections per interval.
l7cpi
Shows only Layer 7 connections per interval.
l7tpi
Shows only Layer 7 transactions per interval.
natcpi
Shows only Network Address Translation (NAT) connections per interval.
sslcpi
Shows only SSL connections per interval.
detail
This option is not used in the current release.
Mode
All
Example
The following command shows SLB performance statistics:
ACOS#show slb performance
Refreshing SLB performance every 1 seconds. (press ^C to quit)
Note: cpi conn/interval, tpi transactions/interval
CPU Usage   L4cpi   L7cpi   L7tpi   SSLcpi   Natcpi   Time
-----------------------------------------------------------------------
8/9         0       0       0       0        0        11:46:10
4/4         4222    0       0       0        0        11:46:11
4/4         3       0       0       0        0        11:46:12
The following table describes the fields in the command output.
Field
Description
Refreshing SLB performance every # seconds
Interval at which the statistics are refreshed.
CPU Usage
Utilization on each data CPU.
Each number is the utilization on one data CPU. In the example
shown above, the ACOS model has three data CPUs, and the utilization on each one is 1%.
L4cpi
Layer 4 connections per interval.
L7cpi
Layer 7 connections per interval.
L7tpi
Layer 7 transactions per interval.
SSLcpi
SSL connections per interval.
Natcpi
NAT connections per interval.
Time
System time when the statistics were collected.
show slb persist
Description
Show persistence load-balancing statistics.
Syntax
show slb persist [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Example
The following command shows summary persistence statistics:
ACOS#show slb persist
                              Total
-----------------------------------------------------------------
URL hash persist(pri)         0
URL hash persist(sec)         0
URL hash persist fail         0
SRC IP persist ok             0
SRC IP persist fail           0
SRC IP hash persist(pri)      0
SRC IP hash persist(sec)      0
SRC IP hash persist fail      0
DST IP persist ok             0
DST IP persist fail           0
DST IP hash persist(pri)      0
DST IP hash persist(sec)      0
DST IP hash persist fail      0
SSL SID persist ok            0
SSL SID persist fail          0
Cookie persist ok             0
Cookie persist fail           0
Persist cookie not found      0
Persist cookie Pass-thru      0
Enforce higher priority       30
The following table describes the fields in the command output.
Field
Description
URL hash persist(pri)
Number of requests successfully sent to the primary server selected by URL hashing. The
primary server is the one that was initially selected and then re-used based on the hash
value.
URL hash persist(sec)
Number of requests that were sent to another server (a secondary server) because the primary server selected by URL hashing was unavailable.
URL hash persist fail
Number of requests that could not be fulfilled using URL hashing.
SRC IP persist ok
Number of requests successfully sent to the same server as previous requests from the
same client, based on source-IP persistence.
SRC IP persist fail
Number of requests that could not be fulfilled by the same server as previous requests
from the same client, based on source-IP persistence.
SRC IP hash persist(pri)
Number of requests successfully sent to the primary server selected by source IP hashing.
The primary server is the one that was initially selected and then re-used based on the
hash value.
SRC IP hash persist(sec)
Number of requests that were sent to another server (a secondary server) because the primary server selected by source IP hashing was unavailable.
SRC IP hash persist fail
Number of requests that could not be fulfilled using source IP hashing.
DST IP persist ok
Number of requests that were sent to the same resource, based on destination-IP persistence.
DST IP persist fail
Number of requests that could not be sent to the same resource, based on destination-IP
persistence.
DST IP hash persist(pri)
Number of requests successfully sent to the primary server selected by destination IP hashing. The primary server is the one that was initially selected and then re-used based on the
hash value.
DST IP hash persist(sec)
Number of requests that were sent to another server (a secondary server) because the primary server selected by destination IP hashing was unavailable.
DST IP hash persist fail
Number of requests that could not be fulfilled using destination IP hashing.
SSL SID persist ok
Number of requests successfully sent to the same server as previous requests that had the
same SSL session ID, based on SSL session-ID persistence.
SSL SID persist fail
Number of requests that could not be fulfilled by the same server as previous requests that
had the same SSL session ID, based on SSL session-ID persistence.
Cookie persist ok
Number of requests successfully sent to the same server as previous requests based on a
persistence cookie.
Cookie persist fail
Number of requests that could not be fulfilled by the same server as previous requests
based on a persistence cookie.
Persist cookie not found
Number of requests in which a persistence cookie was not found in the request header.
Persist cookie Pass-thru
Number of requests that contained a pass-through cookie.
Enforce higher priority
Number of times the enforce-higher-priority option overrode server persistence and
selected another server.
show slb pop3-proxy
Description
Show POP3 proxy statistics.
Syntax
show slb pop3-proxy [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
Example output for this command:
ACOS-Inside# show slb pop3-proxy
                              Total
-----------------------------------------------------------------
Current proxy conns           0
Total proxy conns             0
Total POP3 Request            0
Server selection failure      0
no route failure              0
source nat failure            0
request line freed            0
request line freed            0
invalid start line            0
other cmd                     0
line too long                 0
Control chn ssl               0
Bad Sequence                  0
Serv Sel Persist fail         0
Serv Sel SMPv6 fail           0
Serv Sel SMPv4 fail           0
Serv Sel ins tpl fail         0
Client EST state erro         0
Serv CTNG state erro          0
Serv RESP state erro          0
Client RQ state erro          0
show slb rate-limit-logging
Description
Show log rate-limiting statistics.
Syntax
show slb rate-limit-logging [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command shows log rate-limiting statistics:
ACOS#show slb rate-limit-logging
                              Total
-----------------------------------------------------------------
Total log times               51
Total log messages            26
Local log messages            190
Remote log messages           1959
Local rate (per sec)          32
Remote rate (per sec)         453
Log message too big           0
No route                      0
Buffer alloc fail             0
Buffer send fail              0
Log-session alloc             15
Log-session free              15
Log-session alloc fail        0
No repeat message             4
The following table describes the fields in the command output.
Field
Description
Total log times
Total number of times log rate limiting has been used.
Total log messages
Total number of log messages generated by the ACOS device.
NOTE: The ACOS device combines repeated messages into a single message. For this
reason, the Total log times count will differ from the Total log messages count.
Local log messages
Total number of log messages in the ACOS device’s log buffer. These messages can be
displayed using the show log command.
Remote log messages
Total number of log messages the ACOS device has sent to external log servers.
Local rate (per sec)
Number of messages sent to the ACOS device’s log buffer during the most recent
one-second interval.
Remote rate (per sec)
Number of messages sent to external log servers during the most recent one-second
interval.
Log message too big
Number of log messages dropped by the ACOS device because they were too long.
No route
Number of log messages dropped by the ACOS device because the device did not have
a route to the log server.
Buffer alloc fail
Number of times the ACOS device was unable to allocate a buffer for sending a log message to an external log server.
Buffer send fail
Number of times the ACOS device was unable to send a log message that had been
placed in the buffer for sending to an external log server.
Log-session alloc
Number of times the ACOS device allocated a log session for repeated log messages.
Log-session free
Number of times the ACOS device freed a log session that was allocated for repeated log
messages.
Log-session alloc fail
Number of times the ACOS device was unable to allocate a log session for repeated log
messages.
No repeat message
Number of times there was no repeated message for a log session allocated for repeated
messages.
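Four of the counters in this table (Log message too big, No route, Buffer alloc fail, Buffer send fail) each represent a log message the ACOS device gave up on, which for a SOC means events that never reached the SIEM. All rows except the two "(per sec)" gauges are cumulative, so a monitor has to difference consecutive snapshots rather than read the totals. The following Python is an added example, not part of this reference and not A10 code: it parses two snapshots of the output in the layout shown above and reports the remote log loss over the interval. SNAPSHOT_T0 copies the values from the example output above; SNAPSHOT_T1 is constructed to show what a delivery failure looks like, and the loss threshold is an illustrative assumption.

```python
"""Detect log loss from two snapshots of 'show slb rate-limit-logging'.

Added example; not part of the ACOS reference or A10's code. Every row in
this output is cumulative except the two "(per sec)" gauges, so the monitor
differences consecutive snapshots. SNAPSHOT_T0 copies the values shown in the
reference's example; SNAPSHOT_T1 is constructed (remote delivery starts
failing while local logging carries on). The alert threshold is an assumption.
"""
import re

SNAPSHOT_T0 = """\
                              Total
-----------------------------------------------------------------
Total log times               51
Total log messages            26
Local log messages            190
Remote log messages           1959
Local rate (per sec)          32
Remote rate (per sec)         453
Log message too big           0
No route                      0
Buffer alloc fail             0
Buffer send fail              0
Log-session alloc             15
Log-session free              15
Log-session alloc fail        0
No repeat message             4
"""

# Constructed later snapshot: 37 messages dropped for lack of a route to the
# log server and 3 buffered messages that could not be sent.
SNAPSHOT_T1 = """\
                              Total
-----------------------------------------------------------------
Total log times               80
Total log messages            44
Local log messages            260
Remote log messages           2400
Local rate (per sec)          30
Remote rate (per sec)         410
Log message too big           0
No route                      37
Buffer alloc fail             0
Buffer send fail              3
Log-session alloc             20
Log-session free              19
Log-session alloc fail        0
No repeat message             6
"""

# Counters that each represent a log message the device gave up on.
DROP_COUNTERS = ("Log message too big", "No route", "Buffer alloc fail", "Buffer send fail")
# Instantaneous gauges: reported as-is instead of being differenced.
GAUGES = ("Local rate (per sec)", "Remote rate (per sec)")

COUNTER_RE = re.compile(r"^(?P<name>\S.*?\S)\s{2,}(?P<value>\d+)\s*$")


def parse_counters(text):
    """Map every 'name   value' line to an int; header and rule lines are skipped."""
    return {m.group("name"): int(m.group("value"))
            for m in map(COUNTER_RE.match, text.splitlines()) if m}


def counter_deltas(before, after):
    """Growth of each cumulative counter between snapshots; gauges pass through.

    A counter that went backwards means the statistics were cleared (or the
    device restarted) between samples; it is reported as None rather than as
    a misleading negative number.
    """
    deltas = {}
    for name, new in after.items():
        if name in GAUGES:
            deltas[name] = new
            continue
        old = before.get(name, 0)
        deltas[name] = new - old if new >= old else None
    return deltas


def log_delivery_report(before, after, max_loss_ratio=0.01):
    """Summarise remote log delivery over the interval between two snapshots."""
    d = counter_deltas(before, after)
    if any(d.get(k) is None for k in DROP_COUNTERS + ("Remote log messages",)):
        return {"reset": True, "alerts": ["counters were cleared between snapshots"]}
    dropped = sum(d[k] for k in DROP_COUNTERS)
    sent = d["Remote log messages"]
    attempted = dropped + sent
    loss_ratio = dropped / attempted if attempted else 0.0
    alerts = [f"{k}: {d[k]} messages dropped" for k in DROP_COUNTERS if d[k]]
    if loss_ratio > max_loss_ratio:
        alerts.append(f"remote log loss {loss_ratio:.1%} exceeds {max_loss_ratio:.1%}")
    return {"reset": False, "sent_remote": sent, "dropped": dropped,
            "loss_ratio": loss_ratio, "alerts": alerts}


if __name__ == "__main__":
    report = log_delivery_report(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1))
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

The "No route" case is worth alerting on by itself even at low volume: it means the device has no path to the log server at all, so the loss will continue until routing or the server address is fixed, and the local buffer (show log) is the only record of that interval.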
show slb resource-usage
Description
Display the minimum and maximum numbers of SLB resources that can be configured or
used, the default maximum number allowed by the configuration, and the number currently
in use.
Syntax
show slb resource-usage
Example
Below is an example of the output for this command:
ACOS#show slb resource-usage
Resource                        Current   Default   Minimum   Maximum
--------------------------------------------------------------------------
nat-pool-addr-count             10        10        10        2000
real-server-count               128       128       32        8192
real-port-count                 256       256       64        16384
service-group-count             128       128       32        8192
virtual-port-count              128       128       32        8192
virtual-server-count            64        64        16        4096
http-template-count             128       128       32        4096
proxy-template-count            128       128       32        4096
conn-reuse-template-count       128       128       32        4096
fast-tcp-template-count         128       128       32        4096
fast-udp-template-count         128       128       32        4096
client-ssl-template-count       128       128       32        8192
server-ssl-template-count       128       128       32        8192
stream-template-count           128       128       32        4096
persist-cookie-template-count   128       128       32        4096
persist-srcip-template-count    128       128       32        4096
class-list-ipv6-addr-count      524288    524288    524288    1048576
gslb-site-count                 500       500       500       500
gslb-device-count               1000      1000      1000      1000
gslb-service-ip-count           128       128       32        5000
gslb-service-port-count         256       256       64        10000
gslb-zone-count                 5000      5000      5000      5000
gslb-service-count              10000     10000     10000     10000
gslb-policy-count               10000     10000     10000     10000
gslb-geo-location-count         5000000   5000000   5000000   5000000
gslb-ip-list-count              500       500       500       500
gslb-template-count             1000      1000      1000      1000
gslb-svc-group-count            500       500       500       500
auth-portal-html-file-size      20        20        4         120
auth-portal-image-file-size     6         6         1         80
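A capacity review of this output comes down to three questions per row: is Current inside the [Minimum, Maximum] band the platform advertises, is the resource fixed (Minimum equal to Maximum, so nothing can be tuned), and for the rest, how close is Current to Maximum. The following Python is an added example, not part of this reference and not A10 code. It parses the five-column table in the layout shown above; SAMPLE_OUTPUT is that example output copied as data, and the warning threshold is an illustrative assumption.

```python
"""Headroom check over 'show slb resource-usage' output.

Added example; not part of the ACOS reference or A10's code. SAMPLE_OUTPUT is
the table shown in the reference's example, copied as data. The warning
threshold is an assumption for illustration.
"""
import re

SAMPLE_OUTPUT = """\
Resource                        Current   Default   Minimum   Maximum
--------------------------------------------------------------------------
nat-pool-addr-count             10        10        10        2000
real-server-count               128       128       32        8192
real-port-count                 256       256       64        16384
service-group-count             128       128       32        8192
virtual-port-count              128       128       32        8192
virtual-server-count            64        64        16        4096
http-template-count             128       128       32        4096
proxy-template-count            128       128       32        4096
conn-reuse-template-count       128       128       32        4096
fast-tcp-template-count         128       128       32        4096
fast-udp-template-count         128       128       32        4096
client-ssl-template-count       128       128       32        8192
server-ssl-template-count       128       128       32        8192
stream-template-count           128       128       32        4096
persist-cookie-template-count   128       128       32        4096
persist-srcip-template-count    128       128       32        4096
class-list-ipv6-addr-count      524288    524288    524288    1048576
gslb-site-count                 500       500       500       500
gslb-device-count               1000      1000      1000      1000
gslb-service-ip-count           128       128       32        5000
gslb-service-port-count         256       256       64        10000
gslb-zone-count                 5000      5000      5000      5000
gslb-service-count              10000     10000     10000     10000
gslb-policy-count               10000     10000     10000     10000
gslb-geo-location-count         5000000   5000000   5000000   5000000
gslb-ip-list-count              500       500       500       500
gslb-template-count             1000      1000      1000      1000
gslb-svc-group-count            500       500       500       500
auth-portal-html-file-size      20        20        4         120
auth-portal-image-file-size     6         6         1         80
"""

# A data row is a resource name followed by four integer columns; the header
# and separator lines do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<resource>[A-Za-z][\w-]*)\s+(?P<current>\d+)\s+(?P<default>\d+)"
    r"\s+(?P<minimum>\d+)\s+(?P<maximum>\d+)\s*$"
)


def parse_resource_usage(text):
    """Return one dict per table row with the four numeric columns as ints."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = {k: (v if k == "resource" else int(v)) for k, v in m.groupdict().items()}
            rows.append(row)
    return rows


def headroom_report(rows, warn_ratio=0.9):
    """Classify every resource by how close its current use is to its hard maximum.

    inconsistent  Current outside [Minimum, Maximum]: a parse error or a platform
                  quirk, and worth a look before trusting the other numbers.
    fixed         Minimum == Maximum: the limit cannot be raised on this platform.
    usage         (resource, current/maximum) for the tunable rows, highest first.
    near_limit    the tunable resources at or above warn_ratio of their maximum.
    """
    fixed, inconsistent, usage = [], [], []
    for r in rows:
        if not r["minimum"] <= r["current"] <= r["maximum"]:
            inconsistent.append(r["resource"])
            continue
        if r["minimum"] == r["maximum"]:
            fixed.append(r["resource"])
            continue
        usage.append((r["resource"], r["current"] / r["maximum"]))
    usage.sort(key=lambda item: item[1], reverse=True)
    near_limit = [name for name, share in usage if share >= warn_ratio]
    return {"near_limit": near_limit, "fixed": fixed,
            "inconsistent": inconsistent, "usage": usage}


if __name__ == "__main__":
    report = headroom_report(parse_resource_usage(SAMPLE_OUTPUT))
    for name, share in report["usage"][:5]:
        print(f"{name:32s} {share:6.1%} of maximum")
    print("fixed-size resources:", len(report["fixed"]))
```

On the sample above, the fixed group is the nine gslb-* rows whose Minimum and Maximum coincide, and the only resource using a substantial share of its ceiling is class-list-ipv6-addr-count at half of its maximum; nothing reaches the 90% warning line.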
show slb server
Description
Show information about real servers.
Syntax
show slb server [bindings]
or
show slb server
[server-name [port-num]
[all-partitions | partition {shared | name} | detail] |
[config]
[all-partitions | partition {shared | name}] |
[connection-reuse]
[all-partitions | partition {shared | name}] |
[auto-nat-stats]
[all-partitions | partition {shared | name}]
Parameter
Description
server-name [port-num] [detail]
Shows information only for the specified server or port. If you omit this
option, information is shown for all real servers and ports.
The detail option shows statistics for the specified server or port. This
option also displays the name of the server or port template bound to the
server or port.
bindings
Shows the bindings for real server ports.
config
Shows the SLB configuration of the real servers.
connection-reuse
Shows connection-reuse state information and statistics for the real servers.
auto-nat-stats
Shows statistics for Smart NAT.
all-partitions
Show SLB server configuration for all partitions.
partition {shared | name}
Show SLB server configuration for either the shared partition, or the specified L3V partition name.
Mode
All
Example
The following command shows the output for the basic show slb server command. The
“State”
ACOS#show slb server
Total Number of Servers configured: 1
Total Number of Services configured: 1
Current = Current Connections, Total = Total Connections
Fwd-pkt = Forward packets, Rev-pkt = Reverse packets
Service          Current   Total   Fwd-pkt   Rev-pkt   Peak-conn   State
------------------------------------------------------------------------------------------
test-s1:80/tcp   0         0       0         0         0           Disb/Down
test-s1: Total   0         0       0         0         0           Disb/Down
Example
The following command shows SLB statistics for real server “http1”. This server is in a service
group that is bound to an HTTP virtual port:
ACOS#show slb server http1
Total Number of Services configured on Server http1: 1
Service: http1:80/tcp (Status: Up)
Forward packets:            0
Reverse packets:            0
Forward bytes:              0
Reverse bytes:              0
Current connections:        0
Persistent connections:     0
Current requests:           0
Total requests:             0
Total connections:          0
Total requests succ:        0
Response time:              0 tick
Peak connections:           0
Health-check:
-------------------------------------------------------
Up reason:                  HTTP Status Code OK
Monitor name:               http
Method:                     HTTP
Attribute:                  port=80
                            url="GET /"
Wait for HTTP response:     False
L4 conn made:               938
L4 errors:                  0
Health-check average RTT (us):      15930
Health-check current RTT (us):      15958
Health-check average TCP RTT (us):  7895
Health-check current TCP RTT (us):  7933
HTTP requests sent:         938
HTTP errors:                0
Received OK:                938
Received error:             0
Response timeout:           0
The following table describes fields in the output for the show slb server command.
The output from this command includes statistics for health check fields. Keep in mind that
these health check fields only appear in the output for HTTP traffic. The counters begin when
the health check is configured and increment until the statistics are cleared or the health
check is deleted.
Field
Description
Total Number of Services configured
Total number of services configured on the ACOS device (if a server name is not specified) or on the specified server.
Service
Real server name, service protocol port, transport protocol (TCP or UDP), and status (Up/Down/Disabled).
Forward packets
Number of request packets received for the service.
Reverse packets
Number of response packets sent on behalf of the real server.
Forward bytes
Number of request bytes received for the service.
Reverse bytes
Number of response bytes sent on behalf of the real server.
Current
Current number of connections to the service.
Persistent connections
Number of persistent connections to the service.
Current requests
Current number of requests to the service.
Total requests
Total number of requests to the service.
Total connections
Total number of connections to the service.
Total requests succ
Total number of requests to the service successfully received.
Response time
Server response time.
Peak-conn
Peak connection rate.
Note: Peak connection statistics are collected only if the extended-stats option is
enabled. To enable extended-stats, see the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 277 (individual server)
Health check fields (HTTP traffic only)
Up / Down reason
Reason the ACOS device marked the port up or down.
Monitor name
Name of the health monitor used to perform the health check.
Method
Health method in the monitor used for the health check.
Attribute
The destination TCP port of the health check, and the HTTP request sent to the port.
Wait for HTTP response
Indicates whether the ACOS device is still waiting for a response to the HTTP request.
L4 conn made
Total number of Layer 4 connections made to the destination TCP port for health
checking.
L4 errors
Total number of Layer 4 errors that occurred during health checking.
Health-check average RTT
The average length of time it took for each health check. The time is expressed in
microseconds (us).
This counter includes the entire health-check process.
Health-check current RTT
The length of time it took to perform the most recent health check.
Health-check average TCP RTT
The average length of time it took to complete the 3-way handshake with the server
port.
Health-check current TCP RTT
The length of time it took to complete the 3-way handshake in the most recent health
check.
HTTP requests sent
Total number of HTTP requests sent to the server as part of health checks.
HTTP errors
Total number of HTTP errors that occurred during health checking.
Received OK
Number of times the payload of a Layer 4 health check reply was successfully read by
the ACOS device.
Received error
Number of times a read failure occurred in the a10hm module.
Response timeout
Number of times a health check to the port timed out.
NOTE:
The same health check fields appear in the output for the show slb service-group
group-name and similarly only apply to HTTP traffic.
Example
The following command shows details for a real server:
ACOS#show slb server dang0 detail
Server name:              dang0
Server IP address:        192.168.120.21
Server gateway ARP:       0000:0000:0000
State:                    Down
Server template:          default
Health check:             default
Current connection:       0
Current request:          0
Total connection:         0
Total request:            0
Total request success:    0
Total forward bytes:      0
Total forward packets:    0
Total reverse bytes:      0
Total reverse packets:    0
Peak connection:          0
The following table describes the fields in the command output.
Field
Description
Server name
Name of the server.
Server IP address
IP address of the server.
Server gateway ARP
Server ARP value (if directly connected) or nexthop ARP value
(if connected through a gateway).
State
Current state of the service:
• Up
• Down
• Disabled
Server template
Name of the real server template bound to the server.
Health check
Name of the health monitor used to check the health of the
real port.
Current connection
Current number of connections to the port.
Current request
Current number of HTTP requests being processed by the
port.
Note: In this field and the Total request and Total request success fields, Layer 7 requests are counted only if Layer 7 request
accounting is enabled. See “slb common” on page 18.
Total connection
Total number of connections that have been made to the port.
Total request
Total number of HTTP requests processed by the port.
Total request success
Total number of HTTP requests that were successful.
Total forward bytes
Number of request bytes forwarded to the port.
Total forward packets
Number of request packets forwarded to the port.
Total reverse bytes
Number of request bytes received from the port.
Total reverse packets
Number of request packets received from the port.
Peak connection
Peak connection count.
Note: Peak connection statistics are collected only if the
extended-stats option is enabled. To enable extended-stats,
see the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 277 (individual server)
Example
The following command shows details for a real port on a server:
ACOS(config)#show slb server dang1 80 detail
Server name:              dang1
Port:                     1.1.1.1:80
State:                    Up
Port template:            default
Health check:             default
Current connection:       53
Current request:          42
Total connection:         10011
Total request:            20090
Total request success:    20089
Total forward bytes:      36378463
Total forward packets:    378463
Total reverse bytes:      463784638
Total reverse packets:    3784638
Peak connection:          24411
The following table describes the fields in the command output.
Field
Description
Server name
Name of the server.
Server IP address
IP address of the server.
Server gateway ARP
Server ARP value (if directly connected) or nexthop ARP value (if
connected through a gateway).
Port
Real port number.
State
Current state of the service:
• Up
• Down
• Disabled
Port template
Name of the real port template bound to the port.
Health check
Name of the health monitor used to check the health of the real
port.
Current connection
Current number of connections to the port.
Current request
Current number of HTTP requests being processed by the
port.
NOTE: In this field and the Total request and Total request success
fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See “slb common” on page 18.
Total connection
Total number of connections that have been made to the port.
Total request
Total number of HTTP requests processed by the port.
Total request success
Total number of HTTP requests that were successful.
Total forward bytes
Number of request bytes forwarded to the port.
Total forward packets
Number of request packets forwarded to the port.
Total reverse bytes
Number of request bytes received from the port.
Total reverse packets
Number of request packets received from the port.
Peak connection
Peak connection count.
NOTE: Peak connection statistics are collected only if the
extended-stats option is enabled. To enable extended-stats, see
the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 277 (individual server)
Example
The following command displays detailed information for a dynamic hostname server. The
configuration details are shown first, followed by details for the dynamically created servers.
ACOS#show slb server s-test1 detail
Server name:              s-test1
Hostname:                 s1.test.com
Last DNS reply:           Tue Nov 17 03:41:59 2009
State:                    Up
Server template:          temp-server
DNS query interval:       5
Minimum TTL ratio:        3
Maximum dynamic server:   16
Health check:             none
Current connection:       0
Current request:          0
Total connection:         1919
Total request:            1919
Total request success:    1877
Total forwarded byte:     546650
Total forwarded packet:   5715
Total received byte:      919730
Total received packet:    5631
Dynamic server name:      DRS-10.4.2.5-s1.test.com
Last DNS reply:           Tue Nov 17 03:41:59 2009
TTL:                      4500
State:                    Up
Server template:          test
DNS query interval:       5
Minimum TTL ratio:        15
Maximum dynamic server:   1023
Health check:             none
Current connection:       0
Current request:          0
Total connection:         1919
Total request:            1919
Total request success:    1877
Total forward bytes:      546650
Total forward packets:    5715
Total reverse bytes:      919730
Total reverse packets:    5631
The following command shows SLB configuration information for real servers:
ACOS#show slb server config
Total Number of Services configured: 30
H-check = Health check   Max conn = Max. Connection   Wgt = Weight
Service                  Address          H-check   Status   Max conn  Wgt
------------------------------------------------------------------------------
1_yahoo_finance:80/tcp   69.147.86.163    None      Enable   1000000   1
1_yahoo_finance          69.147.86.163    None      Enable   1000000   1
1_cybozu:80/tcp          202.218.147.129  None      Enable   1000000   1
1_cybozu                 202.218.147.129  None      Enable   1000000   1
win20:25/tcp             172.22.66.20     Default   Enable   1000000   1
win20                    172.22.66.20     ping      Disable  1000000   1
win21:25/tcp             172.22.66.21     Default   Enable   1000000   1
--MORE--
The following table describes the fields in the command output.
Field
Description
Total Number of Services configured
Total number of SLB services configured on the ACOS device.
Service
Real server name, service protocol port, and transport protocol (TCP or UDP).
Address
Real IP address of the server.
H-check
Health check enabled for the service:
• None – No health check has been applied to the service.
• Default – The default health monitor for the service type was automatically
applied to the service by the ACOS device.
• Name of a configured health monitor (for example, “ping”) – The named
health monitor was applied to the service by an ACOS administrator.
Status
Current administrative status of the service:
• Enable
• Disable
Max conn
Maximum number of connections allowed to the service.
Wgt
Administrative weight assigned to the service.
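The H-check column is the one a reviewer of an SLB configuration reads first: a service port with "None" keeps receiving traffic after the backend fails, because no monitor ever marks it Down. The following is an added example, not code from this reference or from A10; it parses a constructed sample laid out like the output above (the server names and addresses are made up) and lists enabled service ports that carry no health check at all. Server-level rows (no port suffix) are reported separately, because in the output above a server row and its port rows carry their own H-check values.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of "show slb server config"; the names and
# addresses are invented, not captured from a device.
SAMPLE_OUTPUT = """\
ACOS#show slb server config
Total Number of Services configured: 5
H-check = Health check
Max conn = Max. Connection
Wgt = Weight
Service                  Address           H-check   Status   Max conn  Wgt
-----------------------------------------------------------------------------
web1:80/tcp              10.0.0.11         Default   Enable   1000000   1
web1                     10.0.0.11         ping      Enable   1000000   1
web2:80/tcp              10.0.0.12         None      Enable   1000000   1
web2                     10.0.0.12         None      Enable   1000000   1
mail1:25/tcp             10.0.0.13         None      Disable  1000000   1
"""

# One data row: service, IPv4 address, health-check column, admin status,
# max connections, weight. Legend, header, banner and "--MORE--" lines
# contain no IPv4 address in the second column and therefore do not match.
ROW_RE = re.compile(
    r"^(?P<service>\S+)\s+(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<hcheck>\S+)\s+(?P<status>Enable|Disable)\s+"
    r"(?P<maxconn>\d+)\s+(?P<wgt>\d+)\s*$"
)


def parse_server_config(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row of the command output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def unmonitored_ports(rows: List[Dict[str, str]]) -> List[str]:
    """Service ports (rows of the form name:port/proto) that are administratively
    enabled but have no health check applied ("None" in the H-check column).
    Such a port stays in rotation after its backend dies."""
    return [r["service"] for r in rows
            if ":" in r["service"] and r["status"] == "Enable" and r["hcheck"] == "None"]


def health_check_by_server(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """H-check value of each server-level row (rows without a port suffix)."""
    return {r["service"]: r["hcheck"] for r in rows if ":" not in r["service"]}


if __name__ == "__main__":
    parsed = parse_server_config(SAMPLE_OUTPUT)
    print("enabled ports without a health check:", unmonitored_ports(parsed))
    print("server-level health checks:", health_check_by_server(parsed))
```

The regex keys on the IPv4 address in the second column, so the legend lines and the "--MORE--" pager prompt fall through without special handling; a "Default" health check counts as monitored because, per the table above, the ACOS device applied the default monitor for the service type.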
Example
The following command shows connection-reuse state information and statistics for real
servers:
ACOS#show slb server connection-reuse
Total Number of Services configured: 30
Service                  State   Persistent-Conn
---------------------------------------------------
1_yahoo_finance:80/tcp   Up      0
1_cybozu:80/tcp          Up      0
win20:25/tcp             Down    0
win21:25/tcp             Up      0
win21:110/tcp            Up      0
win21:80/tcp             Up      0
win21:443/tcp            Down    0
linux22:25/tcp           Disb    0
linux22:80/tcp           Up      0
linux22:53/udp           Disb    0
The following table describes the fields in the command output.
Field
Description
Total Number of Services configured
Total number of SLB services configured on the ACOS device.
Service
Real server name, service protocol port, and transport protocol (TCP or UDP).
State
Current state of the service:
• Up
• Down
• Disabled
Persistent-Conn
Number of connections sent to the server by the persistence feature.
Example
The following command shows Smart NAT statistics:
ACOS(config-slb vserver-vport)#show slb server auto-nat-stats
Service     HA/VR ID   Nat Address     Port Usage   Total Used   Total Freed   Failed
--------------------------------------------------------------------------------------
s1:80/tcp   0          160.160.160.1   5            1513         1508          0
s1:21/tcp   0          160.160.160.1   0            0            0             0
In this example, both virtual ports are using Smart NAT. The Nat Address, Port Usage, Total
Used, Total Freed, and Failed columns show the same information shown in show ip nat
pool statistics output. (See the CLI Reference.)
The Service column lists the server, protocol port, and Layer 4 protocol. The HA/VR ID
column lists the HA group ID or VRRP-A VRID, if applicable. In this example, the ACOS device
is deployed as a standalone device, so “0” is shown in this column.
The following table describes the fields in the command output.
Field
Description
Service
Real server name and port number, and the Layer 4 protocol (TCP or
UDP).
HA/VR ID
The HA group ID or VRRP-A VRID, if applicable.
NAT Address
The IP address used for the NAT mapping.
Port Usage
Number of mappings currently in use by sessions.
Total Used
Total number of sessions that have been NATted for the source address.
Total Freed
Total number of NATted sessions that have been terminated, thus freeing
up a port for another session.
Failed
Number of times a mapping attempt failed. Generally, this type of error
occurs if the system does not have any resources for new mappings.
The following example output shows a list of server bindings:
ACOS#show slb server bindings
Total Number of Servers configured: 24
Total Number of Services configured: 35
Service            Port   Address               State
------------------------------------------------------------------
rs1                8080   20.20.20.20
 +sg-8080                                       All Up
  +=>vip2                 10.10.10.200:8080
 +linux:8080                                    Functional Up
  +=>ITA-VIP-01           192.168.19.120:8080
This example shows server bindings for server “rs1”.
The service groups are indicated by “+”. In this example, the server is a member of the
following service groups:
• sg-8080
• linux:8080
The VIP bindings are indicated by “+=>”. In this example, “rs1” has the following bindings:
• Bound to “vip2” through service group “sg-8080”
• Bound to “ITA-VIP-01” through service group “linux:8080”
The state of each service group is shown. In this example, service group “sg-8080” is All Up,
which indicates that all service ports on all real servers in the service group are up. Service
group “linux:8080” is Functional Up: the service is up on at least one real server in the service
group, but not on all of the servers in the group.
show slb service-group
Description
Show SLB service-group information.
Syntax
show slb service-group [group-name] [brief] [config]
[all-partitions | partition {shared | name}]
Parameter
Description
group-name
Shows information only for the specified service group. If you omit this option, information is
shown for all service groups configured on the ACOS device.
brief
Shows a summary view of the configured service groups and their operational status. If you
specify a service-group name, summary information is displayed for only that group. Otherwise, summary information for all groups is displayed.
config
Shows the SLB configuration of the service groups.
all-partitions
Show SLB service group information in all partitions.
partition
Show SLB service group information in the specified partition only.
Mode
All
Example
The following command shows statistics for SLB service groups:
ACOS#show slb service-group
Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Peak-c = Peak connections
Service Group Name   Service        Current   Total   Fwd-p   Rev-p   Peak-c
-----------------------------------------------------------------------------
*sg-80-1             State: Down
                     rs-http:80     0         0       0       0       0
*sg-80-2             State: All Up
                     rs-http-2:80   1         1       4       5       1
The following table describes the fields in the command output.
Field
Description
Total Number of Service Groups configured
Total number of SLB service groups configured on the ACOS device.
Service Group Name
Name of the service group.
State
Indicates the state of the service group:
• All Up – All service ports on all real servers in the service group are up.
• Functional Up – Each service port number is up on at least one real
server in the service group.
• Down – Either all the service ports are down, or some but not all of
them are Disabled.
• Disabled – All the service ports are disabled.
Current
Current number of connections to the service.
Total
Total number of connections to the service.
Fwd-p
Total number of request packets received by the ACOS device for the service.
Rev-p
Total number of server response packets sent to clients by the ACOS
device on behalf of real servers.
Peak-c
Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats
option is enabled. To enable extended-stats, see the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 277 (individual server)
Example
The following command shows configuration information and statistics for SLB service
group “louis”:
ACOS#show slb service-group louis
Service group name: louis                 State: Disb
Service selection fail drop: 2
Service selection fail reset: 1
Service peak connection: 0
Priority affinity: 10
  Service: s-4-2-1:80  DOWN
    Request packets: 6                    Response packets: 0
    Request bytes: 360                    Response bytes: 0
    Current connections: 2                Persistent connections: 0
    Current requests: 0                   Total requests: 0
    Total connections: 3                  Response time: 0.00 msec
    Total requests succ: 0
    Peak conn: 0
  Service: s-2-2-1:80  DOWN
    Forward packets: 12                   Reverse packets: 9
    Forward bytes: 951                    Reverse bytes: 396
    Current connections: 0                Persistent connections: 0
    Current requests: 0                   Total requests: 0
    Total connections: 3                  Response time: 0.00 msec
    Total requests succ: 0
    Peak conn: 0
The following table describes the fields in the command output.
NOTE:
A separate set of health check fields appears in the show slb service-group command output for HTTP traffic.
Field
Description
Service group name
Name of the service group.
State
Indicates the state of the service group:
• All Up – All service ports on all real servers in the service group are up.
• Functional Up – Each service port number is up on at least one real server in the service
group.
• Partially Up – Some service ports are up but others are down.
• Down – Either all the service ports are down, or some but not all of them are Disabled.
• Disabled – All the service ports are disabled.
Service selection fail drop
Number of server selection failures for which the ACOS device dropped the client request.
Service selection fail reset
Number of server selection failures for which the ACOS device sent a RST to the client.
Service peak connection
Peak number of connections.
Priority affinity
Number associated with the currently active priority level. By default, the primary service-group
members with the highest priority are active and appear in the output. However, if failover
occurs, then the priority of the lower-priority secondary members appears in the output.
Service
Service bound to the service group. Also indicates the state of the service.
Forward packets
Total number of request packets received by the ACOS device for the service.
Reverse packets
Total number of server response packets sent to clients by the ACOS device on behalf of
real servers.
Forward bytes
Total number of request bytes received by the ACOS device for the service.
Reverse bytes
Total number of server response bytes sent to clients by the ACOS device on behalf of real
servers.
Current connections
Current number of connections to the service.
Persistent connections
Number of connections established on the server due to an SLB persistence feature.
Current requests
Current number of HTTP requests being processed by the server.
Note: In this field and the Total Requests and Total requests success fields, Layer 7 requests
are counted only if Layer 7 request accounting is enabled. See “slb common” on page 18.
Total requests
Total number of HTTP requests processed by the server.
Total connections
Total number of connections to the service.
Response time
Server response time.
Total requests succ
Total number of HTTP requests that were successful.
Peak conn
Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats option is enabled.
To enable extended-stats, see the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 277 (individual server)
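The State rules in the two field tables above (All Up, Functional Up, Partially Up, Down, Disabled) are the logic an operator applies when reading this output, and the difference between Functional Up and Partially Up is easy to get wrong: the first is judged per port number across servers, the second per port. The following is an added example, not code from this reference or from A10, that derives a group's state from its member port states according to those rules. The evaluation order is this example's own assumption, since the tables list the states without saying which condition is tested first; the specific cases (all disabled, all up, all down, some disabled) are tested before the per-port cases.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# (real server name, service port, port state); the state is the word shown in
# "show slb service-group" output: "Up", "Down" or "Disabled" (any case).
Member = Tuple[str, int, str]


def service_group_state(members: Iterable[Member]) -> str:
    """Group state derived from member port states per the field tables above.

    Rule order is an assumption of this example: the specific conditions are
    tested before the partial ones.
    """
    members = list(members)
    if not members:
        return "Down"           # assumption: a group with no members is Down
    states = [state.lower() for _, _, state in members]
    if all(s == "disabled" for s in states):
        return "Disabled"       # all the service ports are disabled
    if all(s == "up" for s in states):
        return "All Up"         # all service ports on all real servers are up
    if all(s == "down" for s in states):
        return "Down"           # all the service ports are down
    if any(s == "disabled" for s in states):
        return "Down"           # some but not all of the ports are Disabled
    # Remaining mix is up/down only: Functional Up needs every port *number*
    # to be up on at least one real server; otherwise the group is Partially Up.
    up_by_port: Dict[int, bool] = defaultdict(bool)
    for _, port, state in members:
        up_by_port[port] = up_by_port[port] or state.lower() == "up"
    if all(up_by_port.values()):
        return "Functional Up"
    return "Partially Up"


def member_counts(members: Iterable[Member]) -> Dict[str, int]:
    """Per-member tally matching the Servers Up / Down / Disabled / Total lines
    of 'show slb service-group brief' (one member port per server here)."""
    counts = {"up": 0, "down": 0, "disabled": 0, "total": 0}
    for _, _, state in members:
        counts[state.lower()] += 1
        counts["total"] += 1
    return counts


if __name__ == "__main__":
    # Constructed groups: the second mirrors sg-80-2 in the output above.
    samples = {
        "sg-80-1": [("rs-http", 80, "Down")],
        "sg-80-2": [("rs-http-2", 80, "Up")],
        "sg-mixed": [("a", 80, "Up"), ("b", 80, "Down")],
        "sg-split": [("a", 80, "Up"), ("b", 443, "Down")],
    }
    for name, members in samples.items():
        print(f"{name}: {service_group_state(members)} {member_counts(members)}")
```

The sg-mixed and sg-split groups illustrate the distinction: both have one port up and one down, but only sg-mixed has every port number served by at least one up server, so only it is Functional Up.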
Example
The following command shows configuration information for SLB service groups:
ACOS#show slb service-group config
slb service-group sg1 tcp
member s1 80
!
slb service-group sg2 tcp
member s2 80
member s1 80
!
slb service-group sg3 tcp
member s3 80
!
Example
The following command displays a brief, summarized display of service-group information
for all service groups:
ACOS#show slb service-group brief
Total Number of Service Groups configured: 2
slb service-group rontest tcp
Service group name: rontest
Type: tcp
Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1
slb service-group udptest udp
Service group name: udptest
Type: udp
Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1
In this example, 2 service groups are configured. Each service group
has 1 server. In each of the groups, the server is down.
show slb sip
Description
Display SIP SLB statistics.
Syntax
show slb sip [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command shows SIP SLB statistics:
ACOS#show slb sip
                                 Total
------------------------------------------------------------------
SIP Session created              0
SIP Session freed                0
Curr SIP Proxy                   0
Total SIP Proxy                  0
Client message rcvd              0
  Sent to server                 0
  Incomplete                     0
  Drop                           0
  Connecting server              0
  Failed                         0
Server message rcvd              0
  Sent to client                 0
  Incomplete                     0
  Drop                           0
  Failed                         0
Server conn created              0
  Created successfully           0
  Failed                         0
The following table describes the fields in the command output.
Field
Description
SIP Session created
Total number of SIP sessions created.
SIP Session freed
Total number of SIP sessions freed.
Curr SIP Proxy
Current number of SIP connections between the ACOS device and SIP servers.
Total SIP Proxy
Total number of SIP connections between the ACOS device and SIP servers.
Client message rcvd
Total number of SIP messages received from clients:
• Sent to server – Number of SIP messages received from a client and forwarded to a server.
• Incomplete – Number of packets that contain an incomplete message.
• Drop – Number of packets dropped.
• Connecting server – Number of client messages currently in the server-connecting state.
• Failed – Number of SIP messages received from clients that were not forwarded to servers.
Server message rcvd
Total number of SIP messages received from servers:
• Sent to client – Number of SIP messages received from a server and forwarded to a client.
• Incomplete – Number of packets that contain an incomplete message.
• Drop – Number of SIP messages received from servers that were not forwarded to clients.
Server conn created
Total number of connections made with servers:
• Created successfully – Number of successful connections.
• Failed – Number of failed connections.
show slb smpp
Description
Display Short Message Peer-to-Peer (SMPP) protocol SLB statistics.
Syntax
show slb smpp [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command shows SMPP SLB statistics.
ACOS(config)#show slb smpp
                                 Total
------------------------------------------------------------------
Curr SMPP Proxy                  0
Total SMPP Proxy                 0
Client message rcvd              0
  Sent to server                 0
  Incomplete                     0
  AX responds directly           0
  Drop                           0
  Connecting server              0
  Failed                         0
Server message rcvd              0
  Sent to client                 0
  Incomplete                     0
  Drop                           0
  Failed                         0
Server conn created              0
  Created successfully           0
  Failed                         0
Client conn selection            0
  Select by request              0
  Select by roundbin             0
  Select by conn                 0
  Select failed                  0
Server conn selection            0
  Select by request              0
  Select by roundbin             0
  Select by conn                 0
  Select failed                  0
The following table describes the fields in the command output.
Field
Description
SMPP msg mem allocated
Total amount of memory currently in use for SMPP connections.
SMPP msg mem cached
Total amount of memory cached for SMPP connections.
SMPP msg mem freed
Total amount of memory freed after an SMPP connection has closed.
SMPP msg payload allocated
Total amount of memory allocated for the SMPP packet payload.
SMPP msg payload freed
Total amount of memory freed from the SMPP packet payload.
Curr SMPP Proxy
Number of currently active connections using the SMPP proxy.
Total SMPP Proxy
Total number of connections that have used the SMPP proxy.
Client message rcvd
Total number of SMPP messages received from clients.
• Sent to server – Number of SMPP messages received from a client and forwarded to the server.
• Incomplete – Number of packets which contain incomplete messages.
• AX responds directly – Number of times the ACOS device responded directly
to a client’s request.
• Drop – Number of packets dropped due to the configured SMP resource limit.
• Connecting server – Number of times the ACOS device forwarded a client’s
request to the SMPP server.
• Failed – The following counters display the number of failed connections,
listed by the cause:
• Failed to parse
• Failed to process
• Failed to SNAT
• Exceeded buff
• Failed to send
• Server conn start failed
Server message rcvd
Total number of SMPP messages received from servers.
• Sent to client – Number of SMPP messages received from a server and forwarded to the client.
• Incomplete – Number of packets which contain incomplete messages.
• Drop – Number of packets dropped due to the configured SMP resource limit.
• Failed – Number of SMPP messages received from a server that were not forwarded to the client. The following counters display the number of failed connections, listed by cause:
• Failed to parse
• Failed to process
• Failed to sel client conn
• Failed to SNAT
• Exceeded buff
• Failed to send
Server conn created
• Created successfully – Number of server connections created successfully.
• Failed – Number of failed server connection attempts, listed by cause:
• Failed to SNAT
• Failed to construct
• Failed to reserve
• Failed to start
• Server conn already exists
• Failed to insert
Message parsing failed
Number of SMPP messages that the ACOS failed to parse. The following subcounters describe the cause:
• The packet size too small – Number of SMPP messages that were not parsed
because the message size was less than 4 bytes.
• Invalid sequence number – SMPP messages are incremented by +1. This
counter indicates the total number of SMPP messages that were not parsed
because of an incorrect sequence number.
Message processing failed
Number of times the ACOS could not process the SMPP message. The following
sub-counters describe the cause:
• No vport – There was no virtual port that matched the destination of the SMPP
message.
• Failed to select server – Server selection failure to forward the SMPP request.
Client conn selection
The following counters apply to SMPP client selection:
• Select by request – Number of client connections, selected by the type of
request message.
• Select by roundbin – Number of client connection selected by the Round
Robin algorithm.
• Select by conn – Number of client connections, selected by the connection
type.
• Select failed – Number of times the ACOS failed to select a client for the SMPP
connection.
Server conn selection
The following counters apply to SMPP server selection:
• Select by request – Number of server connections, selected by the type of
request message.
• Select by roundbin – Number of server connection selected by the Round
Robin algorithm.
• Select by conn – Number of server connections, selected by the connection
type.
• Select failed – Number of times the ACOS failed to select a server for the SMPP
connection.
Bind client and server
Number of times the ACOS device successfully forwarded the initial BIND message from
a client to an SMPP server.
Unbind client and server
Number of times the ACOS device disconnected the client from an SMPP server.
Receive enquire_link
Total number of ENQUIRE_LINK messages that the ACOS received from the SMPP
client or server.
Receive enquire_link_resp
Total number of ENQUIRE_LINK_RESP messages that the ACOS received from the
SMPP client or server.
Send enquire_link
Total number of ENQUIRE_LINK messages that the ACOS device has sent.
Send enquire_link_resp
Total number of ENQUIRE_LINK_RESP messages that the ACOS device has sent.
Fail to bind server
Total number of times the ACOS device received a BIND message and failed to
connect the client to an SMPP server.
Single message
Total number of single messages that were sent to the ACOS and did not require
a response.
Transfer msg from L4 to L7 CPU
Number of SMPP messages that the ACOS transferred from a Layer 4 CPU to a
Layer 7 CPU.
Fetch msg from L7 CPU
Number of SMPP messages that the ACOS transferred from the Layer 7 CPU to a
Layer 4 CPU.
Transfer msg from proxy to conn CPU
Number of SMPP messages that the ACOS transferred from the proxy CPU to the
connection CPU.
Fetch msg from conn CPU
Number of SMPP messages that the ACOS transferred from the connection CPU
to the proxy CPU.
Transfer msg from L7 to L4 CPU
Number of SMPP messages that the ACOS transferred from a Layer 7 CPU to a
Layer 4 CPU.
Transfer msg from conn to proxy CPU
Number of SMPP messages that the ACOS transferred from the connection CPU
to the proxy CPU.
Alloc mem failed
Number of times a connection failed because the ACOS device did not have
access to sufficient memory resources.
Unexpected error
Number of unexpected errors that are not categorized by the other counters.
AX holds msg
Number of messages that the ACOS device has received from a client or server
and has yet to forward.
Splited packet
Number of times the ACOS split TCP packets which contain multiple SMPP messages.
Message in pipeline
Number of SMPP messages that the ACOS processed using an HTTP pipeline.
Client RST
Number of times TCP connections with clients were reset.
Server RST
Number of times TCP connections with servers were reset.
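Several of the counters above (Incomplete, "packet size too small", "Invalid sequence number", "Splited packet") are what an SMPP proxy produces while cutting a TCP byte stream into PDUs, and reading them is easier once that framing step is visible. The following is an added example, not code from this reference or from A10: it frames a constructed byte stream into SMPP PDUs and maintains counters with the same meanings. It assumes the SMPP 3.4 PDU header (command_length, command_id, command_status and sequence_number as 4-byte big-endian integers) and the command_id values for bind_transceiver, submit_sm, enquire_link and enquire_link_resp from that specification; none of those details are on this page. It also treats a command_length below the 16-byte header as the "too small" case, which is this example's reading of that sub-counter.

```python
import struct
from typing import Dict, List, Tuple

# SMPP 3.4 PDU header: command_length, command_id, command_status,
# sequence_number, each a 4-byte big-endian integer (assumption: taken from
# the SMPP 3.4 specification, not from this page).
SMPP_HEADER_LEN = 16
BIND_TRANSCEIVER = 0x00000009
SUBMIT_SM = 0x00000004
ENQUIRE_LINK = 0x00000015
ENQUIRE_LINK_RESP = 0x80000015   # responses set the high bit of the request id

Pdu = Tuple[int, int, bytes]     # (command_id, sequence_number, body)


def build_pdu(command_id: int, status: int, seq: int, body: bytes = b"") -> bytes:
    """Serialise one PDU; used here only to construct sample input."""
    return struct.pack("!IIII", SMPP_HEADER_LEN + len(body), command_id, status, seq) + body


def frame_smpp(buf: bytes, last_seq: int = 0) -> Tuple[List[Pdu], Dict[str, int], bytes, int]:
    """Split one TCP read into SMPP PDUs, accounting for it the way the
    counters in the table above do.

    Returns (pdus, counters, leftover, last_seq): leftover is the tail of an
    incomplete PDU to prepend to the next read; last_seq is the sequence
    number of the last accepted request PDU.
    """
    counters = {"complete": 0, "incomplete": 0, "too_small": 0,
                "invalid_sequence": 0, "split_packet": 0}
    pdus: List[Pdu] = []
    offset = 0
    while offset < len(buf):
        remaining = len(buf) - offset
        if remaining < 4:
            counters["incomplete"] += 1      # command_length not fully here yet
            break
        (command_length,) = struct.unpack_from("!I", buf, offset)
        if command_length < SMPP_HEADER_LEN:
            # Malformed length: nothing after this point can be framed
            # reliably, so stop and leave the reset decision to the caller.
            counters["too_small"] += 1
            break
        if remaining < command_length:
            counters["incomplete"] += 1      # wait for the rest of this PDU
            break
        command_id, _status, seq = struct.unpack_from("!III", buf, offset + 4)
        body = bytes(buf[offset + SMPP_HEADER_LEN:offset + command_length])
        offset += command_length
        if not command_id & 0x80000000:
            # Request PDUs must carry consecutive sequence numbers; responses
            # echo their request's number and are not checked here.
            if seq != last_seq + 1:
                counters["invalid_sequence"] += 1
                continue
            last_seq = seq
        pdus.append((command_id, seq, body))
        counters["complete"] += 1
    if counters["complete"] > 1:
        counters["split_packet"] += 1        # one TCP segment carried several PDUs
    return pdus, counters, bytes(buf[offset:]), last_seq


# Constructed sample stream: a bind, an enquire_link and its response, then the
# first 6 bytes of a submit_sm whose remainder has not arrived yet.
SAMPLE_STREAM = (
    build_pdu(BIND_TRANSCEIVER, 0, 1, b"smppclient\x00secret\x00\x00\x34\x00\x00\x00")
    + build_pdu(ENQUIRE_LINK, 0, 2)
    + build_pdu(ENQUIRE_LINK_RESP, 0, 2)
    + build_pdu(SUBMIT_SM, 0, 3, b"\x00" * 20)[:6]
)

if __name__ == "__main__":
    pdus, counters, leftover, last_seq = frame_smpp(SAMPLE_STREAM)
    for command_id, seq, body in pdus:
        print(f"command_id=0x{command_id:08x} seq={seq} body={len(body)} bytes")
    print(counters, "leftover:", len(leftover), "bytes; last_seq:", last_seq)
```

On the sample stream the framer yields three PDUs from one read (so Splited packet counts once), one incomplete tail of 6 bytes carried over to the next read, and no sequence errors, since the response PDU reuses the request's number rather than incrementing it.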
show slb smtp
Description
Shows SLB information for SMTP.
Syntax
show slb smtp [detail]
Parameter
Description
detail
Show statistics per CPU in the output.
Mode
All
Example
The following command shows summary SMTP SLB statistics:
ACOS# show slb smtp
                                 Total
------------------------------------------------------------------
Current proxy conns              0
Total proxy conns                0
SMTP requests                    0
SMTP requests (success)          0
No proxy error                   0
Client reset                     0
Server reset                     0
No tuple error                   0
Parse request failure            0
Server selection failure         0
Forward request failure          0
Forward REQ data failure         0
Request retransmit               0
Request pkt out-of-order         0
Server reselection               0
Server premature close           0
Server connection made           0
Source NAT failure               0
Init server starttls             0
Real server starttls disable     0
Server starttls fail             0
The following table describes the fields in the command output.
Field
Description
Current proxy conns
Number of currently active SMTP connections using the ACOS device as an SMTP proxy.
Total proxy conns
Total number of SMTP connections that have used the ACOS device as an SMTP proxy.
SMTP requests
Total number of SMTP requests received by the SMTP proxy.
SMTP requests (success)
Number of SMTP requests received by the ACOS device that were successfully fulfilled
(by connection to a real server).
No proxy error
Number of proxy errors.
Client reset
Number of times TCP connections with clients were reset.
Server reset
Number of times TCP connections with servers were reset.
No tuple error
Number of tuple errors.
Parse request failure
Number of times parsing of an SMTP request failed.
Server selection failure
Number of times selection of a real server failed.
Forward request failure
Number of forward request failures.
Forward REQ data failure
Number of forward request data failures.
Request retransmit
Number of retransmitted requests.
Request pkt out-of-order
Number of request packets received from clients out of sequence.
Server reselection
Number of times a request was forwarded to another server because the current server
was failing.
Server premature close
Number of times the connection with a server closed prematurely.
Server connection made
Number of connections made with servers.
Source NAT failure
Number of source NAT failures.
Init server starttls
Number of STARTTLS sessions initiated with the server.
Real server starttls disable
Number of times the server was unable to negotiate a STARTTLS session.
Server starttls fail
Number of times a server STARTTLS session failed due to a TCP error event.
Example
The following command shows detailed SMTP SLB statistics for each data processor (DP):
ACOS#show slb smtp detail
                                 DP0    DP1    DP2    Total
------------------------------------------------------------------
Current proxy conns              0      0      0      0
Total proxy conns                0      0      0      0
SMTP requests                    0      0      0      0
SMTP requests (success)          0      0      0      0
No proxy error                   0      0      0      0
Client reset                     0      0      0      0
Server reset                     0      0      0      0
No tuple error                   0      0      0      0
Parse request failure            0      0      0      0
Server selection failure         0      0      0      0
Forward request failure          0      0      0      0
Forward REQ data failure         0      0      0      0
Request retransmit               0      0      0      0
Request pkt out-of-order         0      0      0      0
Server reselection               0      0      0      0
Server premature close           0      0      0      0
Server connection made           0      0      0      0
Source NAT failure               0      0      0      0
show slb spdy-proxy
Description
Show statistics for SLB SPDY proxy.
Syntax
show slb spdy-proxy [debug] [detail]
Parameter
Description
debug
Show debug information.
detail
Show statistics per CPU in the output.
Mode
All
Example
Sample output for this command:
ACOS# show slb spdy-proxy
                                 Total
------------------------------------------------------------------
Curr Proxy Conns                 0
Total Proxy Conns                0
Curr HTTP Proxy Conns            0
Total HTTP Proxy Conns           0
Version 2 Streams                0
Version 3 Streams                0
Curr Streams                     0
Total Streams                    0
Streams(succ)                    0
Server RST sent                  0
Server GOAWAY sent               0
TCP sock error                   0
Inflate context                  0
Deflate context                  0
PING sent                        0
STREAM not found                 0
Client FIN                       0
Server FIN                       0
Stream close                     0
Session close                    0
Stream err                       0
Session err                      0
Control frame rcvd               0
SYN stream                       0
SYN reply                        0
RST                              0
Setting                          0
Ping                             0
Goaway                           0
Headers                          0
Window update                    0
Data frame rcvd                  0
Dt no stream found               0
Dt no stream & goaway            0
Dt no str&gw & cl ses            0
Est callback no tuple            0
Dat callback no tuple            0
Contex alloc fail                0
FIN close session                0
Serv RST close stream            0
Stream found                     0
Clse St ses not found            0
Clse St str not found            0
Clsing closed stream             0
Str cl session close             0
Clsing closed session            0
Max conc stream limit            0
Stream alloc fail                0
HTTP conn alloc fail             0
Req/Header alloc fail            0
NV tot len exceed                0
NV zero name length              0
NV ivld http version             0
NV connection                    0
NV keep alive                    0
NV proxy-connection              0
NV transfer encoding             0
NV no must have                  0
Decompress fail                  0
SYN after goaway                 0
Stream id < previous             0
Str already exist                0
Unidirectional SYN               0
Syn reply alr rcvd               0
Cl RST str not found             0
Win upd no str found             0
Invalid window size              0
Unknown control frame            0
Data on closed stream            0
Invalid frame size               0
Invalid version                  0
Hdr after ses close              0
Compr ctx alloc fail             0
Header compress fail             0
HTTP data ses close              0
HTTP data str nt fnd             0
Clse Str not http-pr             0
Session needs reque              0
New Str aftr Ses del             0
HTTP fin str alr clsd            0
HTTP cl str alr clsd             0
HTTP err str alr clsd            0
HTTP hdr str alr clsd            0
HTTP data str alr clsd           0
show slb ssl
Description
Show SSL statistics.
Syntax
show slb ssl {counters vserver vport | error | stats}
Parameter
Description
counters
Shows the number of successes and failures for key exchange methods, and SSL/TLS version. Shows the session cache count for new, hits,
missed, and expired. Shows the average handshake time and total
renegotiations.
error
Shows errors such as cookie mismatch, wrong signature length,
unsupported cipher, incorrect public key, no certificate returned, etc.
stats
Shows statistics for SSL modules.
Mode
All
Example
The following command shows SSL SLB statistics:
ACOS#show slb ssl stats
SSL module: Hardware
Number of SSL modules: 5
SSL module 1
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 2
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 3
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 4
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
SSL module 5
number of enabled crypto engines: 6
number of available crypto engines: 6
number of requests handled: 0
Current clientside SSL connections: 0
Total clientside SSL connections: 0
Current serverside SSL connections: 0
Total serverside SSL connections: 0
Total times of reusing SSL sessions(IDs) in client ssl 0
Total times of reusing SSL sessions(IDs) in server ssl 0
Failed SSL handshakes: 0
Failed crypto operations: 0
Dropped serverside SSL connections: 0
SSL memory usage: 0 bytes
SSL server certificate errors: 0
SSL fail CA verification 0
HW Context Memory Total Count 248550
HW Context Memory in Use 0
HW Context Memory alloc failed 0
HW ring full 0
Record too big 0
Total client ssl context malloc failures: 0
SSL Forward Proxy
Bypass Failsafe SSL sessions: 15433
Bypass SNI sessions: 0
Bypass Client Auth sessions: 1492
Failed in SSL handshakes: 2278
Failed in crypto operations: 1
Failed in TCP: 1491
Failed in Certificate verification: 7618
Failed in Certificate signing: 0
Invalid OCSP Stapling Response: 0
Revoked OCSP Response: 0
The following table describes the fields on this output.
Field
Description
SSL Module
“Hardware” indicates SSL processing occurs in hardware modules.
“Software” indicates SSL processing occurs in ACOS software.
Number of SSL modules
Total number of SSL processing modules on the ACOS device.
SSL module n
ID number of the SSL module to which the following statistics
apply.
number of enabled crypto engines
Number of SSL encryption/decryption processing engines that are
enabled.
number of available crypto engines
Number of SSL encryption/decryption processing engines that are
available on the device.
number of requests handled
Number of SSL requests handled by the SSL processing engine.
Current clientside SSL connections
Number of currently active SSL client-side SSL sessions (sessions
between ACOS and clients).
Total clientside SSL connections
Total number of SSL client-side sessions since the last time statistics
were cleared.
Current serverside SSL connections
Number of currently active SSL server-side SSL sessions (sessions
between ACOS and servers).
Total serverside SSL connections
Total number of SSL server-side sessions since the last time statistics were cleared.
Total times of reusing SSL sessions(IDs) in client ssl
SSL session-ID reuse statistics (client-side sessions).
Total times of reusing SSL sessions(IDs) in server ssl
SSL session-ID reuse statistics (server-side sessions).
Failed SSL handshakes
Number of SSL sessions in which the SSL security handshake failed.
Failed crypto operations
Number of times an encryption/decryption failure occurred for an
SSL record.
Dropped serverside SSL connections
Total number of SSL server-side sessions dropped since the last
time statistics were cleared.
SSL memory usage
Amount of memory in use by the SSL processing module.
SSL server certificate errors
Total count of certificate errors.
SSL fail CA verification
Number of times an SSL session was terminated due to a certificate
verification failure.
HW Context Memory Total Count
Total amount of hardware available for SSL context memory allocation.
HW Context Memory in Use
Total amount of hardware in use for SSL context memory allocation.
HW Context Memory alloc failed
Number of times the encryption processor was unable to allocate
memory.
HW ring full
Number of times the ACOS software was unable to enqueue an
SSL record to the SSL processor for encryption/decryption. (Number of times the processor reached its performance limit.)
page 423 | Document No.: 410-P3-CLI-ADC-001 - 6/24/2016
Record too big
    Number of times the ACOS device received an SSL record that spanned more than 64 packets.
Total client ssl context malloc failures
    Number of times ACOS failed to allocate memory for client SSL context memory.
Bypass Failsafe SSL sessions
    Number of bypassed SSL sessions.
Bypass SNI sessions
    Number of bypassed SSL sessions based on SNI criteria specified in the ACOS configuration.
Bypass Client Auth sessions
    Number of bypassed SSL sessions based on client authentication criteria specified in the ACOS configuration.
Failed in SSL handshakes
    Number of SSL sessions in which the SSL security handshake failed.
Failed in crypto operations
    Number of times an encryption/decryption failure occurred for an SSL record.
Failed in TCP
    Number of TCP sessions that failed.
Failed in Certificate verification
    Number of SSL sessions in which the SSL security handshake failed.
Failed in Certificate signing
    Number of times an SSL session was terminated due to a certificate verification failure.
Invalid OCSP Stapling Response
    Number of times an SSL session was terminated due to a certificate verification failure message in the OCSP stapling response.
Revoked OCSP Response
    Number of times an SSL session was terminated due to a certificate verification failure message in the OCSP response.
show slb ssl-cert-revoke-stats
Description
Show statistics for certificate revocation check.
Syntax
show slb ssl-cert-revoke-stats
Example
ACOS#show slb ssl-cert-revoke-stats
OCSP stapling response good:        0
Certificate chain status good:      0
Certificate chain status revoked:   0
Certificate chain status unknown:   0
OCSP requests:                      0
OCSP responses:                     0
OCSP connection errors:             0
OCSP URI not found:                 0
OCSP URI https:                     0
OCSP URI unsupported:               0
OCSP response status good:          0
OCSP response status revoked:       0
OCSP response status unknown:       0
OCSP cache status good:             0
OCSP cache status revoked:          0
OCSP cache miss:                    0
OCSP cache expired:                 0
OCSP other errors:                  0
CRL requests:                       0
CRL responses:                      0
CRL connection errors:              0
CRL URI not found:                  0
CRL URI https:                      0
CRL URI unsupported:                0
CRL response status good:           0
CRL response status revoked:        0
CRL response status unknown:        0
CRL cache status good:              0
CRL cache status revoked:           0
CRL other errors:                   0
The following table describes the fields on this output.
OCSP stapling response good
    Number of times the OCSP stapling response was good.
Certificate chain status good
    Number of times the certificate chain status was good.
Certificate chain status revoked
    Number of times the certificate chain status was revoked.
Certificate chain status unknown
    Number of times the certificate chain status was unknown.
OCSP requests
    Number of OCSP requests.
OCSP responses
    Number of OCSP responses.
OCSP connection errors
    Number of OCSP connection errors.
OCSP URI not found
    Number of times the OCSP URI was not found.
OCSP URI https
    Number of times the OCSP URI was HTTPS.
OCSP URI unsupported
    Number of times the OCSP URI was unsupported.
OCSP response status good
    Number of times the OCSP response status was good.
OCSP response status revoked
    Number of times the OCSP response status was revoked.
OCSP response status unknown
    Number of times the OCSP response status was unknown.
OCSP cache status good
    Number of times the OCSP cache status was good.
OCSP cache status revoked
    Number of times the OCSP cache status was revoked.
OCSP cache miss
    Number of times the OCSP cache was missed.
OCSP cache expired
    Number of times the OCSP cache was expired.
OCSP other errors
    Number of times OCSP had other errors.
CRL requests
    Number of CRL requests.
CRL responses
    Number of CRL responses.
CRL connection errors
    Number of CRL connection errors.
CRL URI not found
    Number of times the CRL URI was not found.
CRL URI https
    Number of times the CRL URI was HTTPS.
CRL URI unsupported
    Number of times the CRL URI was unsupported.
CRL response status good
    Number of times the CRL response status was good.
CRL response status revoked
    Number of times the CRL response status was revoked.
CRL response status unknown
    Number of times the CRL response status was unknown.
CRL cache status good
    Number of times the CRL cache status was good.
CRL cache status revoked
    Number of times the CRL cache status was revoked.
CRL other errors
    Number of times CRL had other errors.
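The counters above are most useful when watched over time: lookups that never complete (connection errors, unsupported or missing URIs, other errors) mean the device could not determine revocation status, and unknown results are not a pass. The following added example, which is not A10 code, parses the output in the layout shown above and turns it into a small set of health indicators; the sample output and the 5% alert threshold are constructed.

```python
"""Health check over `show slb ssl-cert-revoke-stats` output.

Added example (not A10 code): parses the counter lines documented above and
derives indicators a defender wants to watch: how often revocation lookups
fail to complete, how many statuses came back unknown, and whether any
revoked results were encountered.
"""
import re
from typing import Dict, List

# Constructed sample in the documented layout; the values are made up.
SAMPLE_OUTPUT = """\
ACOS#show slb ssl-cert-revoke-stats
OCSP stapling response good:        120
Certificate chain status good:      118
Certificate chain status revoked:   1
Certificate chain status unknown:   3
OCSP requests:                      50
OCSP responses:                     44
OCSP connection errors:             4
OCSP URI not found:                 0
OCSP URI https:                     1
OCSP URI unsupported:               1
OCSP response status good:          43
OCSP response status revoked:       1
OCSP response status unknown:       0
OCSP cache status good:             70
OCSP cache status revoked:          0
OCSP cache miss:                    50
OCSP cache expired:                 2
OCSP other errors:                  0
CRL requests:                       10
CRL responses:                      8
CRL connection errors:              2
CRL URI not found:                  0
CRL URI https:                      0
CRL URI unsupported:                0
CRL response status good:           8
CRL response status revoked:        0
CRL response status unknown:        0
CRL cache status good:              5
CRL cache status revoked:           0
CRL other errors:                   0
"""

# "<counter name>:<spaces><integer>"; the prompt line has no integer and is skipped.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\d+)\s*$")

# Counters that mean a lookup never produced a usable status.
FAILURE_FIELDS = ("connection errors", "URI not found", "URI unsupported", "other errors")
REVOKED_FIELDS = ("Certificate chain status revoked", "OCSP response status revoked",
                  "OCSP cache status revoked", "CRL response status revoked",
                  "CRL cache status revoked")
UNKNOWN_FIELDS = ("Certificate chain status unknown", "OCSP response status unknown",
                  "CRL response status unknown")


def parse_revoke_stats(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every counter line in the output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def lookup_failures(counters: Dict[str, int], proto: str) -> int:
    """Sum the OCSP or CRL counters that represent a lookup that failed outright."""
    return sum(counters.get(f"{proto} {f}", 0) for f in FAILURE_FIELDS)


def failure_ratio(counters: Dict[str, int], proto: str) -> float:
    """Failed lookups as a fraction of requests issued (0.0 when no requests)."""
    requests = counters.get(f"{proto} requests", 0)
    return lookup_failures(counters, proto) / requests if requests else 0.0


def assess(counters: Dict[str, int], max_failure_ratio: float = 0.05) -> Dict[str, object]:
    """Summarise revocation-check health and list conditions worth alerting on."""
    alerts: List[str] = []
    revoked = sum(counters.get(f, 0) for f in REVOKED_FIELDS)
    unknown = sum(counters.get(f, 0) for f in UNKNOWN_FIELDS)
    if revoked:
        alerts.append(f"{revoked} revoked status result(s) seen")
    if unknown:
        alerts.append(f"{unknown} lookup(s) returned an unknown status")
    ratios: Dict[str, float] = {}
    for proto in ("OCSP", "CRL"):
        ratios[proto] = failure_ratio(counters, proto)
        unanswered = counters.get(f"{proto} requests", 0) - counters.get(f"{proto} responses", 0)
        if ratios[proto] > max_failure_ratio:
            alerts.append(f"{proto}: {ratios[proto]:.0%} of lookups failed "
                          f"({unanswered} request(s) without a response)")
    return {"revoked": revoked, "unknown": unknown, "failure_ratio": ratios, "alerts": alerts}


if __name__ == "__main__":
    for alert in assess(parse_revoke_stats(SAMPLE_OUTPUT))["alerts"]:
        print("ALERT:", alert)
```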
show slb ssl-counters
Description
Shows the number of successes and failures per key exchange method and per SSL/TLS version, the session cache counts (new, hit, miss, and expired), the average handshake time, and the total number of renegotiations.
Syntax
show slb ssl-counters vserver vport
Example
ACOS#show slb ssl counters vip 443
Virtual Server Name: vip Port: 443
------------------------------------------------------------------
Cumulative sessions = 9
ID            Name                             Successes   Failures
0x0300009d    TLS1_RSA_AES_256_GCM_SHA384      8           0

Key Exchange Methods     Successes   Failures
RSA 1024 bits            8           0
ECDHE
DHE

SSL/TLS Version          Successes   Failures
TLS1.2                   8           0

Session Cache            Count
New                      9
Hit                      0
Miss                     0
Expired                  0

Handshake Average time = 3 ms

Renegotiation Counters
Total renegotiations = 0
SSL/TLS Version          Successes   Failures
(none used)
show slb ssl-crl
Description
Show the retrieved Certificate Revocation List for a specific virtual port. If the certificate issuers have listed expiration dates for the certificates, this command also shows each issuer and its expired or not-expired status.
Syntax
show slb ssl-crl vserver vport
Example
ACOS#show slb ssl-crl vip1 443
Virtual server(vipw : 443):
----Retrieved CRL---
Issuer: /C=FR/O=Certplus/CN=Class 2 Primary CA
Status: Not expired
Issuer: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Status: Expired
Issuer: /CN=ComSign Secured CA/O=ComSign/C=IL
Status: Expired
Issuer: /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
Status: Expired
Issuer: /C=US/O=SecureTrust Corporation/CN=Secure Global CA
Status: Expired
Issuer: /C=US/O=SecureTrust Corporation/CN=SecureTrust CA
Status: Expired
Issuer: /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig
Status: Expired
Issuer: /C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Chambers of Commerce Root
Status: Expired
Issuer: /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
Status: Expired
Issuer: /C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Global Chambersign Root
Status: Expired
Issuer: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
Status: Expired
Issuer: /C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
Status: Not expired
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
Status: Expired
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
Status: Expired
Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
Status: Expired
Issuer: /C=HU/L=Budapest/O=Microsec Ltd./OU=e-Szigno CA/CN=Microsec e-Szigno Root CA
Status: Expired
Issuer: /CN=Autoridad de Certificacion Raiz del Estado Venezolano/C=VE/L=Caracas/ST=Distrito Capital/O=Sistema Nacional de Certificacion Electronica/OU=Superintendencia de Servicios de Certificacion Electronica/emailAddress=acraiz@suscerte.gob.ve
Status: Not expired
----End of CRL---
17 CRL retrieved
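An expired CRL cannot vouch for the current revocation status of certificates from its issuer, so a listing like the one above is worth checking mechanically. The following added example, not A10 code, parses Issuer/Status pairs in the layout shown above, reconciles them with the trailing "N CRL retrieved" line, and reports the issuers whose CRL has expired; the sample output and its issuer names are constructed.

```python
"""Stale-CRL check over `show slb ssl-crl` output.

Added example (not A10 code): walks the Issuer/Status pairs documented above,
reconciles them with the trailing "N CRL retrieved" count, and lists the
issuers whose CRL has expired.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the documented layout; the issuers are fictitious.
SAMPLE_OUTPUT = """\
ACOS#show slb ssl-crl vip1 443
Virtual server(vip1 : 443):
----Retrieved CRL---
Issuer: /C=US/O=Example Trust Inc/CN=Example Root CA
Status: Not expired
Issuer: /C=GB/O=Example Ltd/OU=PKI/CN=Example Issuing CA 2
Status: Expired
Issuer: /C=DE/O=Example GmbH/CN=Example Server CA
Status: Expired
----End of CRL---
3 CRL retrieved
"""

ISSUER_RE = re.compile(r"^Issuer:\s*(.+?)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(Expired|Not expired)\s*$")
COUNT_RE = re.compile(r"^(\d+) CRL retrieved\s*$")


def parse_crl_listing(text: str) -> Tuple[List[Tuple[str, str]], int]:
    """Return ([(issuer DN, status), ...], count reported by the device or -1)."""
    entries: List[Tuple[str, str]] = []
    pending_issuer = None
    reported = -1
    for raw in text.splitlines():
        line = raw.strip()
        m = ISSUER_RE.match(line)
        if m:
            pending_issuer = m.group(1)   # status follows on the next line
            continue
        m = STATUS_RE.match(line)
        if m and pending_issuer is not None:
            entries.append((pending_issuer, m.group(1)))
            pending_issuer = None
            continue
        m = COUNT_RE.match(line)
        if m:
            reported = int(m.group(1))
    return entries, reported


def dn_cn(dn: str) -> str:
    """Pull the CN out of an OpenSSL-style /C=../O=../CN=.. DN, else return the DN."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else dn


def expired_issuers(entries: List[Tuple[str, str]]) -> List[str]:
    """Common names of issuers whose retrieved CRL is expired."""
    return [dn_cn(issuer) for issuer, status in entries if status == "Expired"]


def check(text: str) -> Dict[str, object]:
    """Summarise the listing: how many CRLs, whether the device's own count
    agrees with what was parsed, and which issuers have stale CRLs."""
    entries, reported = parse_crl_listing(text)
    expired = expired_issuers(entries)
    return {
        "retrieved": len(entries),
        "count_matches": reported == len(entries),
        "expired": expired,
        "expired_fraction": len(expired) / len(entries) if entries else 0.0,
    }


if __name__ == "__main__":
    result = check(SAMPLE_OUTPUT)
    for cn in result["expired"]:
        print("stale CRL:", cn)
```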
show slb ssl-expire-check
Description
Display information about email notification of expired certificates.
Syntax
show slb ssl-expire-check
Mode
All
show slb ssl-forward-proxy-cert
Description
Display hash entries for server certificates forged by the ACOS device for SSLi, and the status of the forward-proxy-cert process. The state field shows whether the server certificate is being verified, whether a CA certificate is in the process of being forged, whether the ACOS software is ready to forge a new CA certificate, or whether the ACOS software is in the ready state.
Syntax
show slb ssl-forward-proxy-cert name num {ipaddr | all} [sni]
name
    Wildcard VIP name.
num
    Virtual port number to which clients send requests (for example, 443).
ipaddr | all
    Displays entries for the certificate associated with a specific server IP address or for all server IP addresses. The default is all.
sni
    The full or partial SNI of the server from which the inside ACOS device imported the self-signed certificate and private key.
    • If you enter the IP address of the server, sni must be the full SNI, exactly as it appears in the certificate cache. The hashing activity for only that specific certificate is reported.
    • If you enter the keyword all, sni can be a partial match to the full server name. If a group of servers meets this partial match, all servers in this group are reported.
Usage
The following field values appear in the output of this command:
Real Server
    The gateway IP address and protocol port of the server that clients are trying to connect to.
Server Name
    The URL or SNI of the server that clients are trying to connect to.
state
    • cert verifying: The certificate of the server specified by the Real Server and Server Name fields is in the process of being verified.
    • cert forging: The ACOS device is forging the certificate it will use for SSL sessions with clients trying to reach the specified server.
    • ready to forge: The ACOS device has verified that the specified server’s certificate is not revoked, and it is ready to forge certificates it will use for SSL sessions with clients trying to reach the specified server.
    • ready: The forged certificate is in the ACOS cache.
Default
None
Mode
All
Example
The following example displays the status of the SSL forward proxy certificates.
ACOS#show slb ssl-forward-proxy-cert VIP1 443 all
Virtual server(VIP1 : 443):
----Start One Certificate---
Real Server : 52.8.106.9 :443 tcp
Server name: bnc.lt
state: cert verifying
----End One Certificate---
----Start One Certificate---
Real Server : 209.170.210.156 :443 tcp
Server name: stats.ebizautos.com
state: cert forging
----End One Certificate---
----Start One Certificate---
Real Server : 54.215.175.93 :443 tcp
Server name: api.branch.io
state: ready to forge cert
----End One Certificate---
----Start One Certificate---
Real Server : 216.58.192.46 :443 tcp
Server name: maps.google.com
state: ready
hit times : 6
idle time : 0 seconds
timeout after 3600 seconds
expires after 603641 seconds
----End One Certificate---
Example
In the following example, the virtual server name is vsn1 and its protocol port is 443. The IP address of the real server is 15.15.15.18, and EnterpriseABC-server is the SNI of the real server the ACOS device proxies for.
ACOS# show slb ssl-forward-proxy-cert vsn1 443 ipaddr 15.15.15.18 EnterpriseABCserver
Virtual server port vip: 443
----Start One Certificate---
Real Server : 15.15.15.18 :443 tcp
Servername: EnterpriseABC-server
hash index : 1000
hit times : 1
idle time : 15 seconds
expires after 604775 seconds
version : 3:
subject: /CN=ubuntu
common Name: ubuntu
division:
locality:
state or province:
country Name:
subject Alt Name::
email:
start time: Jun 5 18:01:25 2014 GMT
expire time: Jun 2 18:01:25 2024 GMT
issuer: /C=US/ST=CA/L=San Jose/O=ATR STED/OU=dev/CN=www.atrsted.com/emailAddress=jason@EnterpriseABC.com
Total number of particular certificates that are printed is 1
show slb ssl-ocsp cache
Description
Displays summarized contents of the SSL OCSP cache.
Syntax
show slb ssl-ocsp cache
Default
None
Mode
All
Usage
The following table describes the fields in the command output:
Total
    The total number of cached requests.
Common Name
    The common name of the certificate.
Status
    Good, revoked, or unknown, indicating the certificate status.
Example
The following example displays the contents of the SSL OCSP cache:
ACOS#show slb ssl-ocsp cache
Total: 2
Common Name                                  Status
------------------------------------------------------------------
Company1 Internet Authority G2               Good
Company2 Root Certificate Authority - G2     Good
show slb ssl-ocsp cache detail
Description
Displays detailed contents of the SSL OCSP cache.
Syntax
show slb ssl-ocsp cache detail
Default
None
Mode
All
Usage
The following table describes the fields in the command output:
Total
    The total number of certificates in the ACOS cache.
Name
    Certificate name.
Subject
    Certificate subject name.
Length
    Length of the certificate in bytes.
URI
    URI of the certificate owner.
Expire
    Time in seconds remaining before the certificate expires.
Hits
    How many times the certificate has been called from the cache by an SSL proxy handshake with a client.
Example
Use this command to display detailed information on the SSL OCSP cache, including the name of the company, status, subject, length, URI, expiration, and number of hits.
ACOS# show slb ssl-ocsp cache detail
Total: 1
------------------------------------------------------------------
Name:    Company1 Internet Authority G2
Status:  Good
Subject: /C=US/O=Company1 Inc/CN=Company1 Internet Authority G2
Length:  1012
URI:     http://a.example.com/
Expire:  17731488
Hits:    760
show slb switch
Description
Show SLB switching statistics.
Syntax
show slb switch [detail | ethernet port-num [detail]]
detail
    Shows statistics per individual CPU in the output.
ethernet port-num
    Shows statistics only for the specified Ethernet port.
Mode
All
Example
The following command shows summary SLB switching statistics:
ACOS#show slb switch
                                    Total
-----------------------------------------------------------------
L2 Forward                           2793
L3 IP Forward                           0
IPv4 No Route Drop                      0
L3 IPv6 Forward                         0
IPv6 No Route Drop                      0
L4 Process                         709223
Incorrect Len Drop                      0
Prot Down Drop                        289
Unknown Prot Drop                   32136
TTL Exceeded Drop                       0
Link Down Drop                          0
SRC Port Suppresion                     0
VLAN Flood                         141022
IP Fragment Rcvd                        0
ARP REQ Rcvd                        80272
ARP RESP Rcvd                       15939
Forward Kernel                      91163
IP(TCP) Fragment Rcvd                   0
IP Fragment Overlap                     0
IP Frag Overload Drops                  0
IP Fragment Reasm OKs                  23
IP Fragment Reasm Fails                 0
IP Fragment Timeout                     0
Anomaly Land Attack Drop                0
Anomaly IP OPT Drops                    0
Anomaly PingDeath Drop                  0
Anomaly All Frag Drop                   0
Anomaly TCP noFlag Drop                 0
Anomaly SYN Frag Drop                   0
Anomaly TCP SYNFIN Drop                 0
Anomaly Any Drops                       0
BPDUs Received                          0
BPDUs Sent                              0
ACL Denys                               0
SYN rate exceeded Drop                  0
Packet Error Drops                      0
IPv6 Frag UDP                           0
IPv6 Frag TCP                           0
IPv6 Frag ICMP                          0
IPv6 Frag OSPF                          0
IPv6 Frag ESP                           0
IPv6 Frag Reasm OKs                     0
IPv6 Frag Reasm Fails                   0
IPv6 Frag Invalid Pkts                  0
Bad Pkt Drop                            0
IP Frag Exceed Drop                     0
IPv4 No L3 VLAN FWD Drop                0
IPv6 No L3 VLAN FWD Drop                0
L2 Default Vlan FWD Drop           507865
BW Limit Drop                           0
License Expire Drop                     0
L4 Misc Er                              0
Management Service Drop                 0
Jumbo Frag Drop                         0
IPv6 Jumbo Frag Drop                    0
The following table describes the fields in the command output.
L2 Forward
    When the ACOS device is acting as a Layer-2 switch and receives a packet whose destination MAC address is in its MAC table, ACOS sends the packet to the outgoing interface (as per the MAC table entry) and increments this counter.
L3 IP Forward
    Number of packets that have been Layer 3 routed.
IPv4 No Route Drop
    Number of IPv4 packets that were dropped due to routing failures.
L3 IPv6 Forward
    Number of IPv6 packets that have been Layer 3 routed.
IPv6 No Route Drop
    Number of IPv6 packets that were dropped due to routing failures.
L4 Process
    Number of packets that went to a VIP or NAT for processing.
Incorrect Len Drop
    Number of packets dropped due to incorrect protocol length.
    Note: A high value for this counter can indicate a packet length attack.
Prot Down Drop
    • Number of IPv6 packets received on an interface for which there was no IPv6 address configured.
    • Number of IPv4 packets received on an interface for which there was no IPv4 address configured.
Unknown Prot Drop
    Number of times ACOS dropped a packet because the packet was not one of the following: IPv4, IPv6, or ARP.
TTL Exceeded Drop
    Number of packets dropped due to TTL expiration.
Link Down Drop
    Number of packets dropped because the outgoing link was down.
SRC Port Suppression
    Number of packets dropped because the source and destination interface within the same VLAN are the same.
VLAN Flood
    Number of times ACOS received a packet whose destination MAC address was not in the MAC table, causing ACOS to flood the packet out all other interfaces on the VLAN.
IP Fragment Rcvd
    Number of IPv4 fragments that have been received.
ARP REQ Rcvd
    Number of ARP requests the ACOS device received.
ARP RESP Rcvd
    Number of ARP responses the ACOS device received in response to an ARP request it sent.
Forward Kernel
    When the ACOS device receives a health monitor packet (for example, LACP or ARP packets), ACOS forwards these packets to the kernel for processing and increments this counter.
IP(TCP) Fragment Rcvd
    Number of IP TCP fragments received.
IP Fragment Overlap
    Number of overlapping fragments received.
IP Frag Overload Drops
    Number of fragments dropped due to overload.
IP Fragment Reasm OKs
    Number of successfully reassembled IP fragments.
IP Fragment Timeout
    Number of times the ACOS device did not receive the subsequent fragments needed for reassembly.
IP Fragment Reasm Fails
    Number of IP fragment reassembly failures.
Anomaly Land Attack Drop
    Number of SYN packets dropped because they were spoofed (used the destination IP address as the source IP address).
Anomaly IP OPT Drops
    Number of packets dropped because they had IP options set.
Anomaly PingDeath Drop
    Number of oversized (longer than 32 K) ICMP packets dropped. An oversized ICMP packet can trigger Denial of Service (DoS), crashing, freezing, or rebooting.
Anomaly All Frag Drop
    Number of IP fragments dropped.
Anomaly TCP noFlag Drop
    Number of TCP packets dropped because they had no flags set. TCP packets are normally sent with at least one bit in the flags field set.
Anomaly SYN Frag Drop
    Number of TCP SYN fragments dropped that had the fragmentation bit set. A SYN fragment attack floods the target host with SYN packet fragments. An unprotected host will store the fragments in order to reassemble them. By not completing the connection, and flooding the server or host with such fragmented SYN packets, the attacker can eventually cause the host’s memory buffer to fill up.
Anomaly TCP SYNFIN Drop
    Number of TCP packets dropped that had both the TCP SYN and FIN bits set. An attacker can send a packet with both bits set to determine what kind of system reply is returned, and then use the system information for further attacks using known system vulnerabilities. Also, some older devices will let such packets through even though an ACL is defined and the state of the TCP connection is not considered to be established.
Anomaly Any Drops
    Total number of packets dropped by IP anomaly filtering.
BPDUs Received
    Number of Bridge Protocol Data Units (BPDUs) received.
BPDUs Sent
    Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys
    Number of times traffic was not forwarded due to a deny rule in an Access Control List (ACL). This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL rules.
SYN rate exceeded Drop
    Number of packets dropped because the TCP SYN threshold had been exceeded.
Packet Error Drops
    Number of times the ACOS device dropped a packet due to a TCP/UDP checksum error.
IPv6 Frag UDP
    Number of IPv6 UDP fragments received by the ACOS device.
IPv6 Frag TCP
    Number of IPv6 TCP fragments received by the ACOS device.
IPv6 Frag ICMP
    Number of IPv6 ICMP fragments received by the ACOS device.
IPv6 Frag OSPF
    Number of IPv6 OSPF fragments received by the ACOS device.
IPv6 Frag ESP
    Number of IPv6 ESP fragments received by the ACOS device.
IPv6 Frag Reasm OKs
    Number of successfully reassembled IPv6 fragments.
IPv6 Frag Reasm Fails
    Number of IPv6 fragment reassembly failures.
IPv6 Frag Invalid Pkts
    Number of IPv6 fragments that were invalid.
Bad Pkt Drop
    Number of bad packets dropped; this is a cumulative number for all packets that could not be processed (for example, a packet with an incorrect length).
IP Frag Exceed Drop
    Number of fragmented IP packets that were dropped because they exceeded the allowed maximum.
IPv4 No L3 VLAN FWD Drop
    Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv4 ACL.
IPv6 No L3 VLAN FWD Drop
    Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv6 ACL.
L2 Default VLAN FWD Drop
    Number of DLF (destination lookup failure) packets that were dropped because the ACOS device is configured to disallow flooding on the default VLAN (VLAN 1).
BW Limit Drop
    Number of packets dropped because they exceeded the bandwidth limit.
    NOTE: This field does not apply to hardware models.
License Expire Drop
    Number of packets dropped due to an invalid license.
    NOTE: This field does not apply to hardware models.
L4 Misc Er
    Number of Layer 4 packets dropped due to miscellaneous errors.
Management Service Drop
    Number of times management traffic was dropped because the specific service type was not enabled.
Jumbo Frag Drop
    Number of dropped fragmented IPv4 jumbo packets.
IPv6 Jumbo Frag Drop
    Number of dropped fragmented IPv6 jumbo packets.
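The anomaly and drop counters above are cumulative, so what matters for detection is how fast they move between two readings. The following added example, not A10 code, parses two snapshots of `show slb switch` output in the layout shown above, diffs them, and reports the watched counters that increased and their per-second rate; the counter names come from the documented output, while the sample values, the watched-counter list and the 60-second interval are constructed.

```python
"""Anomaly-counter watch over two snapshots of `show slb switch` output.

Added example (not A10 code): parses the "<counter name> <value>" lines
documented above, diffs two snapshots taken interval_s seconds apart, and
reports which drop counters that indicate malformed or hostile traffic moved,
and how fast. Note that "Anomaly Any Drops" is the total of the other
"Anomaly ..." counters, so it is reported alongside them, not added to them.
"""
import re
from typing import Dict, List, Tuple

# "<name with spaces>   <integer>"; header, rule and prompt lines carry no
# trailing integer and therefore never match.
COUNTER_RE = re.compile(r"^\s*(\S.*?\S)\s+(\d+)\s*$")

# Non-"Anomaly" counters whose growth also points at hostile or malformed
# traffic rather than ordinary forwarding (constructed watch list).
WATCHED = ("SYN rate exceeded Drop", "ACL Denys", "Packet Error Drops",
           "IP Fragment Overlap", "Bad Pkt Drop", "Incorrect Len Drop")

# Constructed snapshots in the documented layout, trimmed to a few counters.
SNAPSHOT_T0 = """\
ACOS#show slb switch
                                    Total
-----------------------------------------------------------------
L2 Forward                           2793
L4 Process                         709223
Incorrect Len Drop                      0
Anomaly Land Attack Drop                0
Anomaly PingDeath Drop                  0
Anomaly TCP noFlag Drop                 0
Anomaly SYN Frag Drop                   0
Anomaly TCP SYNFIN Drop                 0
Anomaly Any Drops                       0
ACL Denys                              12
SYN rate exceeded Drop                  0
Packet Error Drops                      4
"""

SNAPSHOT_T1 = """\
ACOS#show slb switch
                                    Total
-----------------------------------------------------------------
L2 Forward                           3100
L4 Process                         712000
Incorrect Len Drop                      0
Anomaly Land Attack Drop                0
Anomaly PingDeath Drop                  0
Anomaly TCP noFlag Drop               900
Anomaly SYN Frag Drop                   0
Anomaly TCP SYNFIN Drop               150
Anomaly Any Drops                    1050
ACL Denys                              12
SYN rate exceeded Drop               3000
Packet Error Drops                      4
"""


def parse_switch_stats(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every counter line in one snapshot."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase between snapshots. A value lower than before means
    the counters were cleared in between, so the later value is the increase."""
    deltas: Dict[str, int] = {}
    for name, value in after.items():
        prev = before.get(name, 0)
        deltas[name] = value if value < prev else value - prev
    return deltas


def is_watched(name: str) -> bool:
    return name.startswith("Anomaly") or name in WATCHED


def anomaly_report(before_text: str, after_text: str,
                   interval_s: float) -> List[Tuple[str, int, float]]:
    """(counter, increase, increase per second) for watched counters that
    moved during the interval, largest increase first."""
    deltas = counter_deltas(parse_switch_stats(before_text),
                            parse_switch_stats(after_text))
    rows = [(name, d, d / interval_s) for name, d in deltas.items()
            if is_watched(name) and d > 0]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, inc, rate in anomaly_report(SNAPSHOT_T0, SNAPSHOT_T1, 60):
        print(f"{name:28s} +{inc:6d}  ({rate:.1f}/s)")
```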
Example
The following command shows detailed SLB switching statistics for Ethernet port 1:
ACOS#show slb switch ethernet 1 detail
                                  DP0       DP1       DP2     Total
-----------------------------------------------------------------
L2 Forward                       2115       227       453      2795
L3 IP Forward                       0         0         0         0
IPv4 No Route Drop                  0         0         0         0
...
show slb syn-cookie
Description
Show SLB hardware SYN-cookie statistics.
Syntax
show slb syn-cookie
Mode
All
show slb syn-cookie-buffer
Description
Show SYN-cookie buffer statistics.
Syntax
show slb syn-cookie-buffer
Mode
All
Example
The following command shows SYN-cookie buffer information:
ACOS#show slb syn-cookie-buffer
Maximum SYN cookie buffer size    : 10
Total SYN cookie buffer queued    : 0
Total SYN cookie buffer drop      : 0
show slb tcp stack
Description
Show statistics for TCP SLB.
Syntax
show slb tcp stack [detail]
detail
    Show statistics per CPU in the output.
Mode
All
Example
The following command shows summary TCP stack statistics:
ACOS#show slb tcp stack
                                     Total
-----------------------------------------------------------------
Currently EST conns                     29
Active open conns                     6968
Passive open conns                    7938
Connect attemp failures                  0
Total in TCP packets                678804
Total out TCP packets               712974
Retransmited packets                   359
Resets rcvd on EST conn               5369
Reset Sent                            4303
The following table describes the fields in the command output.
Currently EST conns
    Current number of established TCP connections being handled by the proxy.
Active open conns
    Number of active connections open.
Passive open conns
    Number of passive connections open.
Connect attemp failures
    Number of TCP connection attempts that failed.
Total in TCP packets
    Total number of TCP packets received by the TCP proxy.
Total out TCP packets
    Total number of TCP packets sent by the TCP proxy.
Retransmitted packets
    Number of TCP packets retransmitted by the TCP proxy.
Resets rcvd on EST conn
    Number of TCP Resets received for established connections.
Reset Sent
    Number of TCP Resets sent by the ACOS device.
TCPIP out noroute
    Number of times a request failed to send due to a route failure.
show slb template
Description
Show configuration information for SLB templates. The template configuration commands
in the running-config are displayed.
Syntax
show slb template [template-type [certificate-status] [default] [template-name]]
    [all-partitions] [partition {shared | name}]
template-type
    The type of SLB template. Enter show slb template ? to view a list of supported template types.
certificate-status
    Show the status of the virtual server’s certificate (OCSP stapling).
default
    Show the configuration of the default template.
template-name
    Show the configuration of the specified template.
all-partitions
    Show SLB template configuration in all partitions.
partition
    Show SLB template configuration in the specified partition only.
Mode
All
Example
The following command shows the template configuration commands in the running-config on an ACOS device:
ACOS#show slb template
slb template udp udp-aging
aging immediate
slb template http X-Forwarded-For
insert-client-ip "X-Forwarded-For"
compression minimum-content-length 120
slb template http clientip-insert
insert-client-ip "x-Forwarded-For"
slb template http cookie-delete
header-erase "Cookie"
slb template http hostdelete
header-erase "Host"
slb template http hostinsert
header-insert "Host: www.example.com"
slb template http http100
header-insert "Expect: 100-continue"
slb template http httpinsert
header-erase "Host"
header-insert "Host: www.example.com"
slb template tcp-proxy tcp-timeout
idle-timeout 180
slb template connection-reuse creuse
timeout 60
--MORE--
show slb template policy forward-policy-stats
Description
Displays statistics for the configured forward policies.
Mode
All
Usage
Statistics for the following fields are displayed:
slb template policy name
    The name of the policy template the forward-policy is bound to.
Source NAT failure
    The count of source NAT failures.
Unresolved DNS requests
    The count of DNS requests for the IP address of the downstream server that could not be resolved.
Outstanding DNS requests
    The current number of queued DNS requests.
Hits
    The count of matches to the source IP address specified in the forward-policy.
Requests forward to Internet
    The count of hits that have been forwarded to the Internet URL requested by the clients.
Requests forward to Service Group
    The count of hits that have been forwarded to the service-group specified in the forward-policy.
Requests dropped
    The count of client connection requests dropped.
Source Match not found
    The count of client connection requests in which the source IP address could not be found.
Expected Client HELLO requests not found
    The count of client connection requests in which the HELLO message was absent or could not be parsed.
Example
The policy template defines what actions are applied to upstream traffic by the client-facing virtual server on the ACOS device. A configuration of this policy template follows:
slb template policy Explicit_Proxy
  forward-policy
    action Permit_to_Internet
      forward-to-internet FW1_Inspect_SG snat Internet_Pool log
    source Any_Source
      match-any
      destination any action Permit_to_Internet
Example
The statistics for the policy template Explicit_Proxy follow:
ACOS#show slb template policy forward-policy-stats
slb template policy name: Explicit_Proxy
Source NAT failure:                        0
Unresolved DNS requests:                   0
Outstanding DNS requests:                  0
Hits:                                      0
Requests forward to Internet:              0
Requests forward to Service Group:         0
Requests dropped:                          0
Source Match not found:                    0
Expected Client HELLO requests not found:  0
show slb virtual-server
Description
Show information for SLB virtual servers.
Syntax
show slb virtual-server
    [virtual-server-name
        [vport-num {port-type [service-group-name] | detail |
                    host-hits-counter {host-name | all} | url-hits-counter {url-string | all}}]
    ]
    [bind] [config] [all-partitions] [partition {shared | name}]
virtual-server-name
    Shows information only for the specified virtual server.
    • The vport-num port-type option shows information only for the specified virtual port on the virtual server.
    • The service-group-name option further restricts the output to show information only for the specified service group.
    • The detail option displays connection and packet statistics. In ACOS release 4.0.1, specifying detail also shows the connection rate per virtual port for each virtual server. For more information, see the examples below.
    • The host-hits-counter option displays rule-matching statistics for host switching. Each time traffic matches a host-matching rule in an HTTP template, the applicable “hits” counter is incremented.
    • The url-hits-counter option displays rule-matching statistics for URL switching. Each time traffic matches a URL-switching rule in an HTTP template, the applicable “hits” counter is incremented.
all-partitions
    Show information for all partitions.
bind
    Includes the service groups and the real servers and ports bound to the virtual ports.
config
    Displays virtual-server configuration information. You can optionally specify the partition for which you want to view this configuration.
partition
    Show information for a specific partition.
Mode
All
Usage
To display virtual-server information for a specific partition, use the partition option; use
partition shared for the shared partition, or partition name, where name is a specific
L3V partition.
Example
The following command shows summary information for all virtual servers:
ACOS#show slb virtual-server
Total Number of Virtual Services configured: 2
Virtual Server Name   IP        Service-Group  Service   Current     Total       Request   Response  Peak
                                                         connection  connection  packets   packets   connection
-----------------------------------------------------------------------------------------
*v-server(A)          3.1.1.99
  port 80                            http                 0           3           14        10        611
                                abctcp  80/http           0           2           14        10        2112
  Total received conn attempts on this port: 3
  port 53                            udp                  0           0           0         0         411
                                abcudp  53/udp            0           0           0         0         696969
  Total received conn attempts on this port: 0
...
The following table describes the fields in the command output.
Field
Description
Total Number of Virtual Services configured
Total number of virtual services (virtual server ports) configured on the
ACOS device.
Virtual Server Name
Name of the virtual server.
Underneath the virtual server name, each of the virtual ports on the
server is listed, followed by the service groups in which the virtual server
and the virtual port are members.
In the example above, virtual server “v-server” has two virtual ports, HTTP
port 80 and UDP port 53. HTTP port 80 is a member of service group
“abctcp”, and UDP port 53 is a member of service group “abcudp”.
For each VIP, its VRRP-A state on the ACOS device is shown by one of the
following:
• (A) – VIP is in active state on this ACOS device.
• (S) – VIP is in standby state on this ACOS device.
The primary servers are listed under the virtual port. If alternates are configured for a primary server, the alternates are listed under the primary
server. If an asterisk is shown at the end of an alternate server name, the
primary server is down and the alternate server is active instead.
IP
Virtual IP address of the virtual server.
Current connection
Current number of connections to the virtual service port.
NOTE: Connection and packet counters are listed separately for virtual
ports and for service groups.
Total connection
Total number of connections to the virtual service port.
Request packets
Number of request packets received for the virtual service.
Response packets
Number of server reply packets sent by the ACOS device for the virtual
service.
Peak connection
Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats
option is enabled. To enable extended-stats, see the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 310 (individual virtual server)
• “extended-stats” on page 324 (individual virtual service port)
Total received conn attempts on this port
Total number of connection requests received for this port.
Service-Group
Service group bound to the virtual service.
Service
Virtual service port number and service type.
Example
The following command shows status information for SLB virtual server “v-server”:
ACOS(config)#show slb virtual-server v-server
Virtual server: v-server          State: All Up
IP: 3.1.1.99
Port                Curr-conn  Total-conn  Rev-Pkt  Fwd-Pkt  Peak-conn
------------------------------------------------------------------------------------
Virtual Port:80 / service:abctcp / state:All Up
port 80   http      0          3           10       14       1011
                    0          0           0        811
                    3          10          14       1822
Source NAT Pool: pootest
Virtual Port:53 / service:abcudp / state:All Up
port 53   udp       0
Source NAT Pool: pootest
Total Traffic       0
...
The following table describes the fields in the command output.
Field
Description
Virtual server
Name of the virtual server.
State
State information is shown separately for virtual servers and for individual virtual ports.
Virtual server state:
• All Up – All virtual ports on the virtual server are Running.
• Functional Up – Some of the virtual ports are Running or Functional Running, but at least one of them
is not Running.
• Partial Up – At least one virtual port is Running or Functional Running, but at least one other virtual
port is Down.
• Down – All the virtual ports are Down.
• Disb – The virtual server has been administratively disabled.
Virtual port state:
• All Up – All members (real servers and ports) in all service groups bound to the virtual port are up.
• Functional Up – At least one member in a service group bound to the virtual port is up, but not all
members are up.
• Down – All members in all service groups bound to the virtual port are down.
• Disb – The virtual port has been administratively disabled.
IP
Virtual IP address of the virtual server.
Port
Virtual port number and service type.
Curr-conn
Current number of connections to the virtual service port.
Total-conn
Total number of connections to the virtual service port.
Rev-Pkt
Number of server reply packets sent by the ACOS device for the virtual service.
Fwd-Pkt
Number of request packets received for the virtual service.
Peak-conn
Peak connection count.
NOTE: Peak connection statistics are collected only if the extended-stats option is enabled. To enable
extended-stats, see the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 310 (individual virtual server)
• “extended-stats” on page 324 (individual virtual service port)
Example
The following command shows configuration information:
ACOS#show slb virtual-server config
Total Number of Virtual Services configured: 1
Virtual server Name    Address
-----------------------------------------------
louis2                 192.168.20.253
  member0:louis        80/http
    Source NAT Pool: p1
    HTTP Template: clientip-insert
    Reuse Template: cr
    Persist Cookie:cookie-persist
    aFleX: bugzilla_proxy_fix
The following table describes the fields in the command output.
Field
Description
Total Number of Virtual Services configured
Total number of virtual services (virtual server ports) configured on the
ACOS device.
Virtual server Name
Name of the virtual server.
Address
Virtual IP address of the virtual server.
member
Real server bound to the virtual server. The number at the end is assigned
by the ACOS device for this show command output.
Under the member name, the NAT pools and SLB templates bound to the
virtual server are listed.
Example
The following command shows details for a virtual server:
ACOS#show slb virtual-server vip1 detail
Virtual server name:                vip1
Virtual server IP address:          200.200.200.100
Virtual server MAC:                 021f:a000:0000
Virtual server template:            adi
Connection rate limit:              800000 per second
Connection rate over limit action:  drop
Current connection:                 24254
Current request:                    0
Total connection:                   3024486
Total request:                      0
Total request success:              0
Total forward bytes:                2561556963
Total forward packets:              42249486
Total reverse bytes:                286542491
Total reverse packets:              75962845
Peak connections:                   0
Current connection rate:            121 per second
The following table describes the fields in the command output.
Field
Description
Virtual server name
Name of the virtual server.
Virtual server IP address
IP address of the virtual server.
Virtual server MAC
MAC address of the VIP.
Virtual server template
Name of the virtual server template bound to the virtual server.
Current connection
Current number of connections to the virtual port.
Current request
Current number of HTTP requests being processed by the virtual port.
NOTE: In this field and the Total request and Total request success fields, Layer 7 requests
are counted only if Layer 7 request accounting is enabled. See “slb common” on page 18.
Total connection
Total number of connections that have been made to the virtual port.
Total request
Total number of HTTP requests processed by the virtual port.
Total request success
Total number of HTTP requests that were successful.
Total forward bytes
Number of request bytes forwarded to the virtual port.
Total forward packets
Number of request packets forwarded to the virtual port.
Total reverse bytes
Number of request bytes received from the virtual port.
Total reverse packets
Number of request packets received from the virtual port.
Peak connections
Peak connection count.
NOTE: Peak connection statistics are collected only if the extended-stats option is
enabled. To enable extended-stats, see the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 310 (individual virtual server)
• “extended-stats” on page 324 (individual virtual service port)
Current connection rate
Current connection rate for the virtual port on the virtual server.
Example
The following command shows details for a virtual port on a virtual server:
ACOS(config)#show slb virtual-server vip1 80 detail
Virtual port name:          vip1:80:tcp
Virtual port number:        220.220.220.100:80
Virtual port template:      default
Current connection:         11216
Current request:            0
Total connection:           6215984
Total request:              0
Total request success:      0
Total forward bytes:        51614803
Total forward packets:      80370519
Total reverse bytes:        3536281441
Total reverse packets:      39742461
Peak connections:           0
Response time:              1
Fastest Rsp time:           1
Slowest Rsp time:           1
Current connection rate:    268 per second
The following table describes the fields in the command output.
Field
Description
Virtual port name
Name of the virtual server, virtual port, and port type.
Virtual port number
IP address of the virtual server and protocol port number of the virtual port.
Virtual port template
Name of the virtual port template bound to the virtual port.
Current connection
Current number of connections to the virtual port.
Current request
Current number of HTTP requests being processed by the virtual port.
NOTE: In this field and the Total request and Total request success fields, Layer 7 requests are
counted only if Layer 7 request accounting is enabled. See “slb common” on page 18.
Total connection
Total number of connections that have been made to the virtual port.
Total request
Total number of HTTP requests processed by the virtual port.
Total request success
Total number of HTTP requests that were successful.
Total forward bytes
Number of request bytes forwarded to the virtual port.
Total forward packets
Number of request packets forwarded to the virtual port.
Total reverse bytes
Number of request bytes received from the virtual port.
Total reverse packets
Number of request packets received from the virtual port.
Peak connections
Peak connection count.
NOTE: Peak connection statistics are collected only if the extended-stats option is
enabled. To enable extended-stats, see the following:
• “slb common” on page 18 (global)
• “extended-stats” on page 310 (individual virtual server)
• “extended-stats” on page 324 (individual virtual service port)
Current connection rate
Current connection rate for the virtual port on the virtual server.
Example
The following command shows service group and port bindings:
ACOS#show slb virtual-server bind
--------------------------------------------------------------------------------
*Virtual Server : SanJose(A)        192.192.100.100 Down
  +port 80      tcp ====>sg-80-1    State :Down
    +rs-http:80                     192.168.215.16  State : Down
*Virtual Server : Chicago(A)        192.192.200.200 All Up
  +port 80      tcp ====>sg-80-2    State :All Up
    +rs-http-2:80                   192.168.215.13  State : Up
In this example, virtual port 80 on virtual server SanJose is bound to real port 80 on real
server rs-http in service group sg-80-1. Likewise, virtual port 80 on virtual server Chicago is
bound to real port 80 on real server rs-http-2 in service group sg-80-2.
For each VIP, its VRRP-A state on the ACOS device is shown by one of the following:
• (A) – VIP is in active state on this ACOS device.
• (S) – VIP is in standby state on this ACOS device.
Example
The following example shows the information displayed if alternate (backup) servers are configured:
ACOS(config)#show slb virtual-server bind
Total Number of Virtual Services configured: 1
--------------------------------------------------------------------------------
*Virtual Server : http-with-alternates(A)   192.168.10.10 Functional Up
  +port 80      http ====>http1             State :Functional Up
    +rs1:80                                 10.10.10.10    State : Up
      Alternate: rs1-a1, rs1-a2, rs1-a3
    +rs2:80                                 10.10.10.20    State : Down
      Alternate: rs2-a1*, rs2-a2, rs2-a3
The primary servers are listed under the virtual port. Under each primary server, that server’s
alternate servers are listed.
If an asterisk is shown at the end of an alternate server name, the primary server is down and
the alternate server is active instead. In the example above, rs2 is down, so alternate rs2-a1 is
being used instead.
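As an added example (not A10's code or output), the following parser applies the conventions this section documents to a bind listing: the (A)/(S) VRRP-A suffix on each VIP, the State values, and the trailing asterisk on an alternate whose primary server is down. The sample text is constructed in the reconstructed layout of the listing above, with illustrative names, addresses and states.

```python
import re

# Constructed sample laid out like the "show slb virtual-server bind" output on
# this page; the names, addresses and states are illustrative, not from a device.
BIND_OUTPUT = """\
*Virtual Server : http-with-alternates(A)   192.168.10.10 Functional Up
  +port 80      http ====>http1             State :Functional Up
    +rs1:80                                 10.10.10.10    State : Up
      Alternate: rs1-a1, rs1-a2, rs1-a3
    +rs2:80                                 10.10.10.20    State : Down
      Alternate: rs2-a1*, rs2-a2, rs2-a3
*Virtual Server : SanJose(S)                192.192.100.100 Down
  +port 80      tcp ====>sg-80-1            State :Down
    +rs-http:80                             192.168.215.16 State : Down
"""

# (A)/(S) is the VRRP-A state; "====>" separates a virtual port from its service group.
VS_RE = re.compile(r"\*Virtual Server : (\S+)\((A|S)\)\s+(\S+)\s+(.+)$")
PORT_RE = re.compile(r"\+port (\d+)\s+(\S+) ====>(\S+)\s+State :(.+)$")
RS_RE = re.compile(r"\+(\S+):(\d+)\s+(\S+)\s+State : (.+)$")

def parse_bind(text):
    # Returns the VIPs, each with its virtual ports and the real servers bound to them.
    vips, vip, port, rs = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := VS_RE.match(line):
            vip = {"name": m[1], "vrrpa": m[2], "ip": m[3], "state": m[4].strip(), "ports": []}
            vips.append(vip)
        elif m := PORT_RE.match(line):
            port = {"port": int(m[1]), "proto": m[2], "sg": m[3], "state": m[4].strip(), "servers": []}
            vip["ports"].append(port)
        elif m := RS_RE.match(line):
            rs = {"name": m[1], "port": int(m[2]), "ip": m[3], "state": m[4].strip(), "alternates": []}
            port["servers"].append(rs)
        elif line.startswith("Alternate:"):  # a trailing '*' marks the alternate now serving
            rs["alternates"] = [a.strip() for a in line[len("Alternate:"):].split(",")]
    return vips

def findings(vips):
    # Conditions an operator wants surfaced: VIPs standby here, members not Up, failovers.
    out = []
    for v in vips:
        if v["vrrpa"] == "S":
            out.append(f"{v['name']}: VIP standby on this device")
        for p in v["ports"]:
            for s in p["servers"]:
                if s["state"] != "Up":
                    out.append(f"{v['name']}:{p['port']} {s['name']} is {s['state']}")
                for alt in s["alternates"]:
                    if alt.endswith("*"):
                        out.append(f"{v['name']}:{p['port']} {alt[:-1]} serving for {s['name']}")
    return out
```

Run `findings(parse_bind(BIND_OUTPUT))` against a saved listing to get one line per standby VIP, non-Up member, and active alternate.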