271-GR1 Rel 004

Release Notes
A10 ThunderTM Series and AX

Series
Document No.: D-030-02-00-0003

ACOS 2.7.1-GR1 10/23/2015
©
A10 Networks, Inc. 10/23/2015 - All Rights Reserved
Information in this document is subject to change without notice.
Trademarks
The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, ACOS Policy
Engine, Affinity, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP-to-ID, SSL Insight, Thunder,
Thunder TPS, UASG, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. in the
United States and other countries. All other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all Thunder Series products are protected by one or more of the following
U.S. patents: 8977749, 8943577, 8918857, 8914871, 8904512, 8897154, 8868765, 8849938, 8826372,
8813180, 8782751, 8782221, 8595819, 8595791, 8595383, 8584199, 8464333, 8423676, 8387128, 8332925,
8312507, 8291487, 8266235, 8151322, 8079077, 7979585, 7804956, 7716378, 7665138, 7647635, 7627672,
7596695, 7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516, 6363075, 6324286,
5931914, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695, 7287084, 6970933,
6473802, 6374300.
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and informa-
tion and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Net-
works, Inc. without prior written consent of A10 Networks, Inc. This information may contain forward
looking statements and therefore is subject to change.
A10 Networks Inc. Software License and End User Agreement

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Cus-
tomer agrees to treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agree-
ment (EULA), provided later in this document or available separately. Customer shall not:
1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any
means
2. sublicense, rent or lease the Software.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or
services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has
made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks
assumes no responsibility for its use. All information is provided "as-is." The product specifications and fea-
tures described in this publication are based on the latest information available; however, specifications are
subject to change without notice, and certain features may not be available upon initial product release. Con-
tact A10 Networks for current information regarding its products or services. A10 Networks’ products and
services are subject to A10 Networks’ standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific compo-
nent types, please contact the manufacturer of that component. Always consult local authorities for regula-
tions regarding proper disposal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your
nearest A10 Networks location, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series—Release Notes
Contents
Summary of Enhancements 7
Enhancements in 2.7.1-GR1 .................................................................................................................. 7
Enhancements in 2.7.1-P6 ..................................................................................................................... 7
Enhancements in 2.7.1/2.7.1-P1 ............................................................................................................ 9
Fixes in ACOS 2.7.1 and its Patch Releases 17

Issues Fixed in 2.7.1-GR1 .................................................................................................................... 18
Security Advisory Fixes .................................................................................................................. 18
Issues Fixed in 2.7.1-P6 ....................................................................................................................... 35
Issues Fixed in 2.7.1-P5 ....................................................................................................................... 67
Issues Fixed in 2.7.1-P4 ....................................................................................................................... 90
Issues Fixed in 2.7.1-P3 ......................................................................................................................111
Issues Fixed in 2.7.1-P2 ..................................................................................................................... 136
Enhancements in ACOS 2.7.1-GR1 153

CPU Load Sharing .............................................................................................................................. 153
Source port rate limiting .................................................................................................................... 154
Enhancements in ACOS 2.7.1-P6 157

Documentation Enhancements ......................................................................................................... 157
TLS Fallback Signaling Cipher Suite Value (SCSV) to Mitigate SSL POODLE Vulnerability ....... 158
New MIB Object Added: axGlobalTotalThroughput ........................................................................ 158
MIB Objects Re-organized with New MIB Files Added.................................................................... 158
New aXAPI Methods Added for slb.class_list.string....................................................................... 159
Support for up to 500 characters in GET URL method ................................................................... 160
Preventing dropped packets with ‘no ip anomaly-drop’................................................................. 161

Support for HTTP Lines Up to 32K Long.......................................................................................... 163
Increased Subnet Support (up to 2 million entries) ........................................................................ 163
Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015 3 of 236

Contents
Support for Dynamically Selected FTP Data Ports ..........................................................................164
Stateful Request-ID-based DNS Load Balancing .............................................................................165
Configuration ................................................................................................................................ 166
Enabling the query-id-switch Option ......................................................................................... 166
Displaying DNS Sessions and Their Request IDs .................................................................... 166

TACACS+ Server Monitoring..............................................................................................................171
MAC-Based Nexthop Routing ............................................................................................................173
WAF ICSA Certification.......................................................................................................................175
Log DDoS Attack Detection Events...................................................................................................175
Support for 16-port Trunks on Thunder 6430/6430S........................................................................176
Black/White List Group ID for PBSLB Increase................................................................................176
CTR SSH Cipher Support ...................................................................................................................177

Support for Alternate LDAP Login Formats .....................................................................................179
Support for OCSP URI Path................................................................................................................179
Form-based Logon Enhancements ...................................................................................................179
Logon Failure Message Enhancements ....................................................................................... 179
Error Message Customization for Form-based Logon ....................................................................180
Enhancements in ACOS 271-P2 181

Forward Request Headers to Proxy Servers ....................................................................................181
Configurable MSS Source for Proxied SLB Traffic ..........................................................................182
Non-HTTP-bypass Support for Invalid HTTP Versions....................................................................183
Additional Changes and Notes 185

Configure Servers to Listen on Same Port (DSR) ............................................................................185
SNMP Agent Default Community Name Should Be Changed.........................................................185
Deprecated BGP Commands .............................................................................................................185
Fail-safe Hardware Monitoring Enabled By Default .........................................................................185
Documentation Errata.........................................................................................................................186
AX 5100 Not Supported in ACOS 2.7.1 and Later ....................................................................... 186
NetFlow Supported Over UDP Only ............................................................................................. 186
4 of 236 Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015

Contents
Default BGP Neighbor Timers ...................................................................................................... 186
TCP-proxy Template Option fin-timeout ....................................................................................... 187
Server-SSL Template Binding ...................................................................................................... 187
Request-rate Limiting in Real Port Templates .............................................................................. 187
Access to SNMP Agent in ADP Private Partitions ........................................................................ 187
Known Issues in Release 2.7.1 189
Upgrade Instructions 199

Image File Names ............................................................................................................................... 200
Cautions .............................................................................................................................................. 201
Boot Order—How ACOS Gets the Image To Boot ........................................................................... 205
Upgrading Devices in GSLB Groups ................................................................................................ 209
Upgrading the Software Image (non-aVCS deployment) ................................................................ 210
Upgrading the Software Image (aVCS virtual chassis) ................................................................... 217
Using the GUI ............................................................................................................................... 218
Backing Up the System ............................................................................................................. 218
Full Chassis Upgrade (with or without VRRP-A) ....................................................................... 219
Staggered Upgrade (with VRRP-A) ........................................................................................... 220
Staggered Upgrade (no VRRP-A) ............................................................................................. 222
Using the CLI ................................................................................................................................ 224
Backing Up the System ............................................................................................................. 224
Full Chassis Upgrade (with or without VRRP-A) ....................................................................... 225
Staggered Upgrade (with VRRP-A) ........................................................................................... 225
Staggered Upgrade (no VRRP-A) ................................................................................................ 229
Management GUI Requirements ....................................................................................................... 230
Disabling HTTP-to-HTTPS Redirection ........................................................................................ 231
Trunk and Layer 2/3 Virtualization Support...................................................................................... 231
Common Criteria 233

Contents

Summary of Enhancements
This chapter provides a summary of enhancements for ACOS 2.7.1 and its
subsequent patch releases.
For detailed information about Thunder Series or AX Series models,

and about ACOS features, see the documentation CD for ACOS 2.7.1
(August 5th, 2013 or later version).
Notes
• To protect from potential vulnerability, it is recommended to change the
name of the SNMP public community from its default ("public") to
another name.
• To ensure proper display of the ACOS management GUI after you
upgrade, clear the web browser cache on each PC you use to access the
GUI.
(For additional upgrade considerations, see “Upgrade Instructions” on
page 199.)
• This release does not support any 32-bit ACOS models. For a list of the
models this release does support, see “Image File Names” on page 200.
• Beginning in ACOS 2.7.1-P3, the product name for the ACOS virtual
appliance that supports SLB features is changed from “SoftAX” to
“vThunder”. This document uses the new name, but some installation
guides may still refer to “SoftAX”. In these cases, the installation
instructions can still be used, but only if the hypervisor version on which
you are attempting to install the ACOS virtual appliance is supported.
You can determine whether a particular ACOS release supports vThun-
der by checking the following section: “Image File Names” on page 200
Enhancements in 2.7.1-GR1
• CPU Load Sharing
• Source Port Rate Limiting
Enhancements in 2.7.1-P6
• Documentation Enhancements

• TLS Fallback SCSV to mitigate SSL POODLE vulnerability
• New MIB Object Added: axGlobalTotalThroughput
• MIB Objects Re-organized with New MIB Files Added
• New aXAPI Methods Added for slb.class_list.string
• Support for up to 500 characters in GET URL method
• Preventing Dropped Packets with ‘no ip anomaly-drop’
New A10 Thunder Product Line
• A10 Thunder 6630(S)
• A10 Thunder 5430(S)-11
Other System Enhancements

• Support for HTTP Lines Up to 32K Long
• Support for up to 2 Million subnet entries in a Black/White List
• Support for Dynamically Selected FTP Data Ports
• Stateful Request-ID-based DNS Load Balancing
• TACACS+ Server Monitoring
• MAC-Based Nexthop Routing
• WAF ICSA Certification
• Log DDoS Attack Detection Events
• Support for 16-port Trunks on Thunder 6430/6430S
• Black/White List Group ID for PBSLB Increase

• CTR SSH Cipher Support
Application Access Management (AAM) enhancements:
• Support for alternate LDAP login formats
• Support for URI path in OCSP
Form-based authentication enhancements:

• Logon Failure Message Enhancements
• Error Message Customization for Form-based Logon
• Option to specify request headers to forward to proxy servers
• Configurable MSS source for proxied SLB traffic
• Non-HTTP-bypass support for invalid HTTP versions
Enhancements in 2.7.1/2.7.1-P1
New A10 Thunder Product Line
• A10 Thunder 6430S
• A10 Thunder 6430
• A10 Thunder 930

Security Enhancements
• Web Application Firewall (WAF)
• Application Access Management (AAM), a new suite of features for

solutions such as the following:
• Logon Portal
• Single sign-on and password change
• Online Certificate Status Protocol (OCSP)
• Authentication Relay
• AAA load balancing
• Enhanced SYN-cookie buffering and statistics
vThunder Enhancements
• XenServer Hypervisor 5.6 support
• Opensource Xen.org Xen Hypervisor support
• Application Delivery Partition (ADP) support
• Multiple CPU support
System-level Enhancements
• Power On Auto Provisioning (POAP)
• System Center Operations Manager (SCOM) support
• Support for “UTC” as timezone name
• Network Time Protocol (NTP) enhancements:

• Message Digest 5 (MD5) authentication
• Option to specify a preferred NTP server
• Single-priority logging (logs restricted to a single severity level)
• Support for up to 8 million I/O buffers on models AX 5630 and

AX 5200-11
• Configurable system monitors for connection and Symmetric Multi-Pro-
cessing (SMP) resources
• Access Control List (ACL) enhancements:
• Object groups for simplified configuration and update
• Named IPv4 ACLs
• IPv6 type and code options
• Websocket support (RFC 6455)

VRRP-A/HA Enhancements
• aVCS/VRRP-A affinity (vMaster is always the current active VRRP-A
device)
• Increased number of VLANs supported for VRRP-A VRID tracking
(up to 64)
• Configuration persistence for HA force-self-standby
Layer 2/3 Enhancements

• Increased VLAN support (up to 4093 802.1Q tagged VLANs per inter-
face)
• Link Layer Discovery Protocol (LLDP)
• Bidirectional Forwarding Detection (BFD)
• Dynamic Host Configuration Protocol (DHCP) for IP address configu-

ration of the management interface and Ethernet data interfaces
• Support for VE or trunk IP address as next hop for static routes
• Multiple IP helper addresses per interface
• Border Gateway Protocol (BGP) enhancements:

• Increased BGP route support (up to 65536
• Increased BGP peer support (up to 50)
• IGMPv2 membership query generation
• Option to clear individual OSPF neighbors rather than all neighbors
• Enhanced Virtual Ethernet (VE) statistics
Layer 2/3 Virtualization Enhancements
• Increased L3V partition support (up to 1024 depending on model)
• Inter-partition routing
• Support for non-default VRRP-A VRIDs
• Admin-based GUI display/hide for individual SLB resources
• DHCP support
• Per-partition port monitoring/mirroring

Layer 4-7 Feature Enhancements

• Server Load Balancing (SLB) configuration enhancements:
• VIP-to-real port mapping
• Virtual port ranges
• MySQL/MSSQL database load balancing
• Financial Information eXchange (FIX) load balancing
• Short Message Peer to Peer (SMPP) load balancing
• Traffic Steering (useful for solutions such as redirection to Skyfire video

optimization controllers or URL filtering servers)
• SSL enhancements:
• Secure TLS renegotiation (RFC 5746)
• Option to disable SSLv3 support in client-SSL templates
• SSLv2 redirect to alternate service group
• Stateless SSL session ticketing, for faster SSL session refresh
• SSL session-ID reuse for server-side SSL
• New SSL session-ID cache aging options
• Server certificate validation and error notification
• Validity checks for SSL template configuration
• Increased lead time for SSL certificate expiration emails (up to 60
days)
• SSL Intercept bypass based on Server Name Indication (SNI) value
• SSL file management enhancements:
• Bulk import/export of SSL certificate and key files
• New CLI commands to delete SSL files (includes option to spe-
cifically delete only unused files )
• Enhanced certificate statistics
• HTTP/HTTPS enhancements:
• Support for ICY 200 OK response code from servers
• HTTP/HTTPS template option to keep client sessions up even after
the backend server session ends
• Customizable web logging in World Wide Web Consortium (W3C)
format
• Configurable request header wait time for prevention of Slowloris
attacks
• Temporary compression disable during high CPU utilization
• Enhanced compression statistics

• HTTP status code statistics

• HTTP policy templates (currently used only with the WAF feature)
• Increased RAM Cache size (up to 36 GB) on models containing 96 GB
• DNS enhancements:
• Global DNS caching for IPv6
• DNS caching for Domain Name System Security Extensions (DNS-
SEC)
• DNSSEC Hardware Security Module (HSM) support
• 1+1 NAT
• Simplified Layer 3 Direct Server Return (DSR) deployment using

IP-in-IP tunneling
• Alternate virtual ports for backup
• Realtime logging for server selection failures
• Policy template binding at service-group level
• Quality of Service (QoS) marking for TCP traffic
• Client-IP insertion into TCP options header (useful for non-HTTP load-
balanced traffic)
• More granular force-delete-timeout option for TCP-proxy templates (as
short as 100 milliseconds)
• Shorter configurable idle timeout for TCP, TCP-proxy, and UDP tem-
plates (as short as 1 second)
• Health monitoring enhancements:
• Longer maximum configurable timeout (180 seconds)
• TCL UDP extension support
• Automatic adjustment of health monitor interval based on HTTP
status code
• Configurable response code range for SIP health monitoring
• Kerberos health monitoring
• Online Certificate Status Protocol (OCSP) health monitoring
• Enhanced LDAP health monitoring:
• Support for searchRequest and searchResponse
• STARTTLS support
• Support for more symbols in a health monitor (up to 127 sym-
bols)

Global SLB Enhancements

• Simplified configuration based on fully-qualified domain name (FQDN)
• FQDN service groups for easy site and service management
• IPv6 support in imported geo-location databases
• Configurable TTLs for more types of DNS records (SRV, TXT, MX,
PTR, NS) belonging to services in GSLB zones
• Support for multiple SRV records with the same name but different
ports
• Longer maximum GSLB protocol status interval (up to 1800 seconds)
Usability Enhancements
• GUI enhancements:
• Customizable GUI banner
• Clear button for clearing sessions from the session table using the
GUI
• AXdebug access
• Clone button for easy configuration of multiple virtual servers
• Support for 128-character SLB resource names
• SLB configuration sort option in the CLI
• Credential store for easy backup and file import/export
• Default ICMP health monitor included in output of show running-con-

fig with-default
• Support for show interface media command on FPGA models
SNMP/MIB Enhancements
• MIB objects for GSLB
• “All clear” SNMP notifications when a condition indicated by a previ-

ous notification is no longer occurring
• CLI access to SLB MIB object tables
aFleX Enhancements
• New aFleX capabilities for SSL
• New option for UDP payload replacement
• aFleX-based session table management

• Enhanced support for global variables
• Selective logging for template parameters
• aFleX commands for database load balancing


Fixes in ACOS 2.7.1 and its Patch Releases
These release notes describe the fixes in this ACOS Release.
For each issue, the following information is provided:

• System area – Part of the system that had the issue (IP NAT, SLB,
aFleX, and so on).
• Description – Description of the issue.
• Trigger – System condition that caused the issue, or steps taken by

A10 Networks to recreate the issue for diagnosis.
• Version – Software version(s) in which the issue is present. Later ver-
sions (including the version documented by this release note) are not
affected by the issue.
• Reproducibility – Indicates how consistently the issue could be repro-
duced: 100%, High, Medium, or Low.
• Severity – Indicates the impact the issue had or could potentially have:
• P1 – Major issue that caused or could cause a major service outage
or a reload of the ACOS device.
• P2 – Minor issue that caused or could cause a minor service outage.
• P3 – Minor issue.
• P4 – Cosmetic issue.
• Reported by customer – Indicates whether the issue was reported by a

customer (Yes) or was discovered internally (No).
• Workaround – Indicates how to compensate for the issue, if applicable.
Not all issues have a workaround.

Issues Fixed in 2.7.1-GR1

ACOS Release 2.7.1-GR1 contains fixes for issues listed in Table 1. The
issues are listed by A10 tracking ID, beginning with the highest issue ID
(the most recently logged issue).
Security Advisory Fixes

AX Release 2.7.1-GR1 resolves the following Security Advisories:
• CVE-2014-9293 (A10 Tracking ID 231859)
• CVE-2014-9294 (A10 Tracking ID 231859)
• CVE-2014-9295 (A10 Tracking ID 231859)
• CVE-2014-9296 (A10 Tracking ID 231859)
• CVE-2014-9297 (A10 Tracking ID 241171)
• CVE-2014-9298 (A10 Tracking ID 241171)
• CVE-2014-3572 (A10 Tracking ID 239113)
• CVE-2015-0204 (A10 Tracking ID 239113)
• CVE-2014-8275 (A10 Tracking ID 239113)
• CVE-2014-3570 (A10 Tracking ID 239113)
• CVE-2015-0235 (A10 Tracking ID 236371)

TABLE 1 Fixes in ACOS Release 2.7.1-GR1

A10
Tracking
ID Issues
252853 System area: VRRP-A
Description: The HA configuration sync removed all black/white lists on the VRRP-A standby device.
Trigger: Described above.
Version: 2.7.1-P6 and earlier
Reproducibility: 100%
Severity: P1
Reported by customer: No
249889 System area: Web GUI
Description: Users were unable to access the A10 GUI with Firefox browser version 37.
Severity: P3
Reported by customer: Yes
Workaround: Set the security.tls.version.min and security.tls.version.max preferences on the Firefox
browser.
248803 System area: Web
Description: A javascript issue was occurring that caused users to be unable to select all real servers
when clicking the “Select All” button in the GUI interface.
Severity: P2
248248 System area: Class-list
Description: The ACOS device could sometimes reload when importing or editing a class-list file that
contained an invalid or improperly formatted string.
Reproducibility: High
Severity: P1


A10
Tracking
ID Issues
247822 System area: SSL (March OpenSSL vulnerabilities)
Description: This patch addresses the following Security Advisories:
• CVE-2015-0286
• CVE-2015-0292
• CVE-2015-0209
Trigger: N/A
Reproducibility: N/A
Severity: N/A
247822 System area: SSL
• CVE-2014-9297
• CVE-2014-9298
Trigger: N/A
Severity: P1
246382 System area: VCS
Description: The SSL certificate was only updated on the vMaster, but it was not updated on the
vBlade after the SSL certificate and key were changed under the client-ssl template.
Severity: P2
Workaround: Update the SSL key first, and then change the SSL certificate in that exact order.
245950 System area: SLB (HTTP)
Description: The ACOS device could unexpectedly reload when processing jumbo frame packets if
the jumbo packets had a header exceeding 4K, thus causing it to be split across multiple packets.
Severity: P1


A10
Tracking
ID Issues
244645 System area: aXAPI
Description: The aXAPI created client-ssl templates and set an unexpected ssl-false-start-disable
parameter.
Trigger: When client-ssl templates are configured via aXAPI, this the ssl-false-start-disable parame-
ter was seen in a show run output.
Severity: P1
243160 System area: GSLB
Description: ACOS did not allow for identical slb-dev IPs to be created under a given GSLB site,
meaning ACOS did not support multiple local sites. This has been fixed in this release.
Severity: P2
242719 System area: SLB
Description: Even after issuing the ‘slb disable-server-auto-reselect’ CLI command, ACOS sometimes
erroneously re-enabled the feature based on the data CPU load/usage.
Reproducibility: Low
Severity: P2
242029 System area: Thunder 6630 (MAC learning)
Description: The MAC learning was not occurring correctly for traffic sent to 100 Gbps ports on the
Thunder 6630 model. This failure in MAC learning caused the VIP to stop responding to pings after
fail-over had occurred.
Reproducibility: Medium
Severity: P2


A10
Tracking
ID Issues
241813 System area: Health Monitor
Description: The health monitor was continuing to perform Layer 2 Direct Server Return (DSR) for
service group members which had been manually disabled.
Severity: P2
Description: ACOS did not accept any imported health monitors (through the CLI or GUI) if the name
contained more than 31 characters.
Severity: P2
Description: Health monitors could not be deleted from the system, even when there were no active
bindings. This issue could occur if the health-check-follow-port had been entered two or
more times under the real server’s port configuration.
Severity: P2
241171 System area: NTP
• CVE-2014-9297
• CVE-2014-9298
Trigger: N/A
Severity: P1


A10
Tracking
ID Issues
Description: If the same server was configured under many VIPs with several different service groups,
each having different health monitors, then this caused the ACOS device to send the wrong DSR health
monitor to the VIP.
Severity: P2
239428 System area: FTA-based platforms (XAUI link)
Description: On FTA-based platforms, the ACOS device did not have a mechanism in place to detect
and recover from a bad XAUI link from the FPGA to the Broadcom chip. This mechanism has been
added in the latest release.
Severity: P1
239113 System area: Security
• CVE-2014-3572
• CVE-2015-0204
• CVE-2014-8275
• CVE-2014-3570
Trigger: N/A
Severity: P1


A10
Tracking
ID Issues
238915 System area: FAN numbering incorrect on AX 5630 and Thunder 6630
Description: The FAN numbering scheme on some models, such as AX 5630 and Thunder 6630,
was incorrect. For example, the rear view of the FAN numbering showed the following wrong
information for the TH 6630:
7865
3421
The numbering has been corrected in this release to show the following output:
1234
5678
Severity: P2
238285 System area: gARP
Description: If a large number of VIPs are configured, then gratuitous ARP was sometimes not sent.
Severity: P2
237259 System area: Management interface
Description: Applying a named access class-list to a management interface sometimes dropped SSH
connectivity.
Severity: P2
236953 System area: Management and data port
Description: Using no with a command on the port configuration (for example, no duplex full) some-
times affected other configurations on the management port.
Severity: P3


A10
Tracking
ID Issues
Description: This patch addresses the CVE-2015-0235 Security Advisories regarding GHOST vulner-
ability.
Trigger: N/A
Severity: P1
236083 System area: Management port
Description: When speed or duplexity were configured on the management port, auto-neg was not
disabled.
Version: 2.7.1-P6
Severity: P3
235819 System area: System (bootup)
Description: Running the script “nitrox_cchk” caused unnecessary error messages for devices that did
not have Cavium Nitrox SSL cards. Indeed, it is not necessary for the script to run on ACOS systems
that did not have a Cavium SSL cards. When there are no SSL chips, then the addresses that the “set-
pci” process/module was trying to use were not valid, and this caused many error messages.
Reproducibility: 100% (on ACOS devices that do not have Cavium SSL chips)
Severity: P3
Workaround: Run the script only when Cavium SSL chips are detected on board.
Description: The Web GUI sometimes reloaded if too many users were simultaneously attempting to
log onto the device at the same time.
Severity: P2


A10
Tracking
ID Issues
235570 System area: VLAN Tagging
Description: If VLAN tagging was enabled on the ACOS device, packets transmitted from the ACOS
device had random Class of Service (CoS) values set.
Severity: P2
Workaround: Remove any unnecessary VE interfaces.
234937 System area: OSPF
Description: An OSPF process caused the CPU utilization rate to spike to 100%.
This issue could be replicated using the following configurations:
1. Boot the ACOS device with the following OSPF configuration:
outer ospf 1
ospf router-id 37.1.1.1
area 33 range 10.1.1.0/24
network 10.1.1.0/24 area 33
2. The CPU usage spikes to 100%.
3. Removing “area 33 range 10.1.1.0/24” from router ospf 1 configuration caused the CPU utilization
rate to immediately return to normal levels.
Severity: High
Workaround: Remove the configuration to summarize the prefixes.
233248 System area: aVCS
Description: The vcs enable command could not be applied if there was an access list bound to the
trunk interface.
Severity: P2
Reported by Customer: Yes
Workaround: Enable aVCS before binding the access list to the trunk interface.


A10
Tracking
ID Issues
232789 System area: AX 3400
Description: The AX 3400 model unexpectedly reloaded when processing ICMP packets of a certain
size. This was caused by inconsistencies within the Broadcom switch ASIC configuration. More speci-
ficially, it was happening because the Broadcom switch was allowing entry of packets that were 4 bytes
larger than the maxFrameSize configured for that chip.
Severity: P1
232618 System area: SLB TCP sessions and NAT resources
Description: Under certain circumstances, TCP sessions on an SLB device were found to be incor-
rectly synced to the standby device, with no such sessions alive on the active device. This caused NAT
resources to be held on standby, and this could sometimes lead to NAT resource allocation failures on
the standby device.
Severity: P2
232513 System area: System
Description: When upgrading the ACOS device using FTP, if the default filename was used, intermit-
tent failures occurred with warning log messages such as: “Non-supported special characters detected
by FTP Utility.”
Severity: P3
Reported by Customer: No
Workaround: Use a filename other than the default, or use a different file transfer method.
232504 System area: CLI (memory leak)
Description: CLI sessions upon becoming stale were not being cleared, which resulted in memory
leaks seen against "rimacli" process.
Severity: P1


A10
Tracking
ID Issues
Description: This patch adds "X-Frame-Options: Deny" to the HTTP header for all responses from the
ACOS device.
Trigger: N/A
Severity: P1
231859 System area: NTP
• CVE-2014-9293
• CVE-2014-9294
• CVE-2014-9295
• CVE-2014-9296
Trigger: N/A
Severity: P1
Description: Use member r-port template health monitor higher priority than service group health
check.
Severity: P2
Workaround: Configure member real port template health monitor again.
231080 System area: GUI
Description: aVCS handshaking occurred when a new Web certificate was imported using the GUI.
Severity: P2


A10
Tracking
ID Issues
231025 System area: Class-list
Description: When importing type “string” into the class-list file, the value was truncated after the first
" " (space) character in the value. This issue only occurred during import, and it did not occur when
configuring the class-list directly on the ACOS device.
Severity: P2
Description: ACOS did not support the ability to export show techsupport from the “System” tab.
In other words, the user could navigate as follows: System > Diagnostics > Show techsupport, and
while the showtech contents were correctly displayed on-screen, the data could not be exported.
Severity: P2
Description: a10gmpd core generated Synchronization between GSLB group members failed if any of
the members contained a TACACS server.
Trigger: Described above
Severity: P1
Workaround: Disable TACACS servers before performing full sync for GSLB groups.
229807 System area: Hardware
Description: The Power Supply Unit appeared to be flapping even though it was not actually doing so.
Trigger: This issue could be caused by running the show tech command periodically.
Version: All
Severity: P3


A10
Tracking
ID Issues
226633 System area: SLB (HTTPS)
Description: The ACOS device reloaded while processing traffic from a real server (corresponding to
an HTTPS virtual port) and encrypting the traffic before sending to the client. This was typically seen
when the backend server was sending fragmented packets as part of the response and not honoring the
maximum segment size (MSS) advertised by the ACOS device.
Severity: P1
226558 System area: LACP trunk
Description: The UP/DOWN log messages related to LACP trunking were not accurately depicting
the trunk number.
Severity: P2
226355 System area: Router OSPF (CLI)
Description: When issuing the CLI command "no default-information originate
route-map", this was not taking effect when configured under “router ospf”.
Severity: P2
Description: An error was seen in the GUI when configuring the GSLB Resource Usage template.
Severity: P3


A10
Tracking
ID Issues
216907 System area: GSLB group
Description: The vBlade would reload with aVCS and GSLB members that were not part of the aVCS
group.
Severity: P2
Workaround: On the GSLB member’s aVCS cluster, configure standalone for other vBlade physical
IPs. On the GSLB master’s aVCS cluster, don't configure standalone. Remove the physical IPs in the
group configuration, and use only floating IP in the GSLB group configuration on the member’s aVCS
cluster.
212593 System area: ACL
Description: If an ACL existed with a higher number (for example, 150) and if the user configured
another ACL having a lower number (for example, 140), the expectation is that ACL 140 will be eval-
uated first before ACL 150. However, this was not happening. Instead, ACL 150 was getting evaluated
first before ACL 140.
Severity: P2
Workaround: To restore the proper sequence of evaluation, the user needs to save the ACOS configu-
ration and reload the device.
205966 System area: Routing
Description: In Layer 2 deployments, the show ipv6 neighbor command was displayed in the
output as “aten <number>” for the interface name, instead of being displayed as “interface <number>”.
Severity: P3


A10
Tracking
ID Issues
204520 System area: Platform
Description: The 10Gbps port no longer linked up correctly after it was used as a 1-Gbps port.
Trigger: This issue could be recreated by plugging in the SFP, and then plugging in the SPF+
transceivers on the 10G ports of the 6430/5430 models.
Severity: P2
Workaround: Reboot the system.
Description: ACOS sometimes had an uneven connection distribution between service group members
if the data CPU usage was high and if some (but not all) members had one of the following configura-
tions applied:
conn-limit, conn-rate-limit, or slow-start
Severity: P2
Workaround: If this issue continues to occur, please try one of the following solutions:
1) Have ‘conn-limit’ applied under all real servers/ports that are part of the service-group, OR
2) Do not have ‘conn-limit’ under any real server/port that is a service-group member, OR
3) Specify method ‘round-robin-strict’ as an SLB algorithm under the service group.
202354 System area: Trunk group port usage
Description: The client-side trunk port usage could become unbalanced when running SLB fast-http
traffic with 'use-rcv-hop-for-resp' under virtual port fast-http and if the default route configured on
ACOS was such that the default route was choosing a different trunk to reach the client.
Severity: P2
Workaround: Avoid configuring a default route on the ACOS device that would cause a different
trunk group to be selected in order to reach the client, when compared to the one that was used for 'use-
rcv-hop-for-resp'.


A10
Tracking
ID Issues
191614 System area: SLB L7 and trunk port traffic distribution
Description: For HTTP/FAST-HTTP virtual ports, if the connection was not set up while receiving
SYN, ACOS selected the trunk member twice, which caused uneven trunk distribution. A similar issue
was seen when ‘connection-reuse’ was enabled on virtual ports.
Severity: P2
182713 System area: System (TH6630)
Description: The show environment command showed that the lower right power unit was
absent, although the power supply was present and plugged in.
Severity: P3
168895 System area: Access-list and NAT
Description: Access-lists were being processed based on the order in which they were configured.
This was causing incorrect access lists to be matched for traffic when choosing resource for NAT
resource. With this change, access lists are now traversed in the order of their user-configured IDs to
determine a match.
Severity: P2
Workaround: Reboot the system when changes are made to access list configuration.


A10
Tracking
ID Issues
Description: When graceful shutdown and cookie persistence were configured on an L3V partition,
subsequent requests would go to the new server instead of the same disabled server in the service
group.
Severity: P1
155128 System area: NAT
Description: The CLI command ip nat reset-idle-tcp-conn was not working correctly.
Trigger: This issue could be recreated by configure the IP NAT option:
ip nat reset-idle-tcp-conn
Then, let the NAT TCP session time out.
Severity: P2

Issues Fixed in 2.7.1-P6

ACOS Release 2.7.1-P6 contains fixes for issues listed in Table 2. The
TABLE 2 Fixes in ACOS Release 2.7.1-P6
A10
Tracking
ID Issues
229183 System area: SNMP
Description: After an crash, SNMP traps were not able to receive traffic.
Severity: P1
Workaround: Reboot the device.
226966 System area: Health monitor
Description: TCP responses received in two separate packets causes TCP health monitors to fail.
Severity: P1
Description: The ACOS GUI could sometimes reload due to a suspected memory issue. This could be
because the amount of data exceeded the range of the parameter type.
Trigger: Navigate to Monitor Mode > SLB > Service > Virtual Server, and from the Virtual Server
GUI page, select the time range and click export. This will cause the device to reload.
Severity: P1
224383 System area: IPv6 and SLB DNS
Description: The ACOS device could sometimes restart when processing anIPv6 DNS response packet
with fragmentation extension header for virtual port 53 UDP.
Severity: P2


A10
Tracking
ID Issues
Description: The recently-discovered POODLE attack has been widely described as only affecting
SSLv3. This assumption was based on the fact that SSLv3 uses “random padding.” However, it was
found that TLS could use the same CBC decoding function as SSLv3, thus making TLS vulnerable to
the same types of POODLE attacks as SSLv3. By identifying the lack of CBC padding checks that
could occur in TLS, this issue has been addressed in this latest ACOS release, mitigating the risk of
POODLE attacks in TLS. This patch addresses Security Advisory: CVE-2014-8730.
Trigger: This issue could be replicated by attack the ACOS device with packets containing incorrect
CBC padding.
Severity: P1
222982 System area: aFleX (SSL)
Description: If aFleX was used to configure SSL, the ACOS device could sometimes reload when
attempting to read an uninitialized or NULL SSL context block before completing the client SSL hand-
shake. The SSL context block was initialized after the client SSL handshake had been completed.
Trigger: Attack the ACOS device with packets that contain incorrect CBS padding.
Severity: P1
222850 System area: BGP
Description: The ACOS device dropped BGP connections if another BGP speaker sent a next-hop
field while no NLRI was present in the multi-protocol situation.
Trigger: This issue could occur if another BGP speaker was not in full RFC compliance.
Severity: P2
219976 System area: RTSP
Description: The ACOS device could sometimes reload if an early response was received on the Real
Time Streaming Protocol (RTSP) virtual port.
Severity: P1


A10
Tracking
ID Issues
216163 System area: HA/VRRP
Description: After switchover occurred between VRRP-A (with affinity VCS), the VIP was not
always advertised by the active device.
Severity: P2
Workaround: Increase the “vrrp-a hello-interval” to a larger value.
Description: For VIPs in a private partitions, VRRP-A did not send a gratuitous ARP for the VIP when
the status switched to “active.”
Severity: P2
Description: When setting up multiple partitions in RADIUS or TACACS+ attribute-value pairs
(AVPs), if one of the partitions did not exist, then the user could not log in.
Severity: P2
Workaround: Use the existing partitions in an aXAPI call.
Description: This patch addresses CVE-2014-6271.
Trigger: N/A
Severity: P1
Workaround: Restrict management access to the device.


A10
Tracking
ID Issues
Description: A memory leak occurred with the web server process when exporting statistics.
Severity: P2
Description: The DSR health-check fails if there are more than 645 DSR TCP health-checks that are
using the same source IP with the default interval value.
Severity: P2
Workaround: Increase the health-check interval value by using the formula that the DSR TCP health-
check number should be less than 64511/(500/interval).
Description: DSR stopped working when the stateless SLB method was configured.
Trigger: This issue could be triggered by configuring a stateless SLB method in a service group and
binding the service group to a virtual port, but if no-dest-nat was not set up for the virtual port.
Severity: P2
211787 System area: ICMP (error handling)
Description: The ACOS device sometimes failed to fragment excessively large outbound “ICMPv6
type=2” packets while processing SLB Layer 7 sessions. This issue occurred more frequently when the
connection-reuse option was enabled under the Layer 7 virtual port.
Severity: P2


A10
Tracking
ID Issues
211282 System area: HA (session sync)
Description: A CPU mismatch sometimes occurred while performing an HA session sync. The
standby unit mistakenly created the session on a different data CPU that the active unit.
Severity: P2
210442 System area: GSLB (HA)
Description: The high availability ‘ha sync all’ command did not completely synchronize the gslb ser-
vice-ip entry.
Severity: P2
Description: Running the ‘system-reset’ CLI command sometimes did not delete the Export Store
Information.
Severity: P2
207535 System area: Smart-NAT
Description: With multiple requests in a session, the smart-NAT resource was not released.
Trigger: On a layer 7 virtual port, configure a strict transaction switch and have sessions with multiple
requests in one session.
Severity: P2
Workaround: Do not use a strict transaction switch.


A10
Tracking
ID Issues
Description: The system priority can be configured in the GUI in transparent mode to match the CLI.
Trigger: In transparent mode, to configure LACP system priority, click Config Mode > Network >
LACP > LACP.
Severity: P2
207313 System area: HA (session sync)
Description: If the active ACOS device in an HA pair had more than several million sessions, and
standby unit was reloaded or rebooted, not all of the existing sessions were correctly synced to the
standby device.
Severity: P2
206413 System area: Platform Level
Description: The FPGA_STAT offset 0x8 bits [23:16] value is wrong when this status register is peri-
odically polled.
Severity: P1
205963 System area: SLB/HTTP
Description: When using with compression and cookie persist, The ACOS device sometimes inserted
duplicate cookies when both compression and cookie persistence were enabled at the same time.
Severity: P2


A10
Tracking
ID Issues
205588 System area: DNS SLB
Description: Responses from the DNS cache on the ACOS device intermittently swapped IP addresses
for answers and additional records of the name server IPs. Upon enabling DNS cache with 'round-
robin' for dns-udp or dns-tcp virtual port, under certain circumstances, the responses from a DNS cache
on the ACOS device were found to intermittently swap IPs for Type A Host IP address entries from the
'Answers' section. The Type A host IP address entry from the “Additional records” corresponded to the
name server IPs.
Severity: P2
Workaround: Avoid enabling 'round-robin' for DNS cache.
205378 System area: SLB L7 and IPv6
Description: SLB Layer 7 traffic involving IPv6 protocol sometimes had random packets dropped
while processing Layer 7 traffic.
Severity: P2
205369 System area: SSL-proxy virtual port (idle-timeout)
Description: The idle-timeout value was not being correctly applied to sessions if the ssl-proxy virtual
port was configured with an idle-timeout value less than 30 seconds.
Severity: P2
205165 System area: SSL Intercept
Description: When using SSL Intercept, the A10 “inside” device selectively dropped individual HTTP
requests.
Severity: P2


A10
Tracking
ID Issues
Description: The ACOS device did not respond if a close_notify was sent without a TCP FIN.
Severity: P3
Workaround: Ensure that the client software sends a FIN after sending a close_notify.
Description: A link connection failure occurred on the 10G ports after it was used as a 1G port.
Trigger: This issue could be recreated by plugging in the SFP, and then the SFP+ transceivers on the
10G ports of the ACOS 6430 or ACOS 5430 models.
Severity: P2
Workaround: Reload the ACOS device.
204469 System area: CLI (Transparent Mode)
Description: The error message displayed when attempting to configure a broadcast/network address
provided the generic “communication error” message. Now, if the user attempts to configure a bad
gateway address, the error message has been changed to the more meaningful “invalid gateway
address”.
Severity: P2
Description: If a new server was added to a service group, the Ip-in-IP health monitor did not work
correctly on the new server that was added.
Severity: P2


A10
Tracking
ID Issues
Description: The GUI did not allow special characters in fields used for creating a CSR while the CLI
did allow the same special characters. This required all limitations, except sanity checks for length, to
be removed from the GUI for Organization and Locality.
Trigger: Configuring special characters, such as & and ‘ on the Create using the GUI page. To access
this page, click Config Mode > SLB > SSL Management > Certificate > Create using the GUI.
Severity: P2
202708 System area: SLB L4
Description: On the Layer 4 wildcard VIP with SYN-cookie enabled, the ACOS device does not
resend a TCP SYN if the server does not respond to a TCP SYN/ACK.
Severity: P1
Description: When you create a key string under the key chain that has a symbol, for example, "%"
followed by a letter, for example, "s", this caused the ACOS device to reload.
Severity: P1
Description: The ACOS device sometimes reloaded when processing fragmented SSL packets from
the real server.
Severity: P1


A10
Tracking
ID Issues
Description: A bug in the OpenSSL server code could be triggered if the ClientHello message was
heavily fragmented.
Trigger: None, a separate bug was causing the ACOS device to drop fragments after the first fragment,
so the vulnerability cannot be triggered.
Severity: P2
Description: In the one of the underlying OpenSSL functions, OBJ_obj2txt(), information could leak.
An issue could occur if some of CLI commands eventually called upon this function. This is related to
OpenSSL 8/6 CVE-2014-3508.
Reproducibility: None
Severity: N/A
Description: The ACOS device could reload upon receiving a large GSLB-proxied response to type
ANY DNSSEC requests.
Trigger: This issue could occur if the packet size was greater than the MTU.
Severity: P1
Description: The configuration sync to the running configuration did not work as expected.
Trigger: If you use sync to start the configuration without reloading, the configuration reloads the box,
but the configuration is only synced to the running configuration and not to the start-up configuration.
Severity: P2


A10
Tracking
ID Issues
201922 System area: HA
Description: The ha sync all to-startup-config all-partitions command could not sync partition
(RBA) to the standby device, even though a log was generated.
Trigger: Issue the command on the ACOS device where the RBA partitions are configured.
Severity: P2
Description: The OSPF message digest key was missing after a system reboot or reload.
Trigger: Add an OSPF message digest key under the trunk or loopback.
Severity: P2
Description: A class-list entry that was configured in the GUI sometimes failed to appear in the CLI.
Trigger: Append “\n” to the last entry in a class-list file if there is no “\n” after the last entry.
Severity: P2
Description: There was a memory leak in the GSLB library.
Trigger: The memory leak occurs when the GSLB is configured but did not actually have the real data.
Severity: P1
200482 System area: CLI
Description: The repeat x show slb service-group | include 7778 command caused a memory leak in
the rimacli process.
Severity: P1
Workaround: Do not use the repeat option.


A10
Tracking
ID Issues
Description: Packets with a bad TCP check-sum are not dropped by the non-FTA platform.
Severity: P2
199987 System area: SLB and reset-unknown-conn
Description: Under certain situations, upon receiving a packet from a client with no corresponding ses-
sion on the ACOS device with 'reset-unknown-conn' configured under SLB L4/L7 virtual port, the
ACOS device was performing a Layer 2 lookup. The ACOS device should have instead checked for
route/ARP information before sending a RST to the client.
Severity: P2
Description: Before a new capture occurs, a check has been added to determine whether the number of
debug files have already reached the maximum limit in the web API.
Trigger: Starting a new capture on the web GUI after the number of debug file has reached the maxi-
mum value.
Severity: P2
199531 System area: WAF (HTTP proxy)
Description: If certain features were enabled in a WAF template (such as 'csrf-check', etc), and the
WAF template was bound to an HTTP virtual port, then the real server responded with the incorrect
HTTP version (1.0 instead of 1.1). The ACOS device was forwarding the server’s response to the client
with the chunk encoding header, but it incorrectly showed HTTP v1.0, and this was causing issues in
processing the response on the client-side.
Severity: P2
Workaround: Use aFleX to set the HTTP version in the server response to 1.1 for such situations.


A10
Tracking
ID Issues
Description: When using the GUI to monitor the fan status, the status for all of fans (Fan1B, Fan2B,
Fan3B, and Fan4B) was initially displayed correctly, but the information disappeared from the GUI
monitoring page several minutes later.
Severity: P3
198478 System area: Static ARP
Description: Static ARP entries configured in transparent mode (or for a trunk interface) showed up as
having the wrong Ethernet interface.
Severity: P2
198365 System area: FTP
Description: As part of creating a symmetric multiprocessing (SMP) system, the smp_conn_id file is
stored in the control_conn directory. The file is used to verify and promote the SMP system. If dynamic
source routing (DSR) is used when creating an SMP system, the control_conn directory is not updated
with the smp_conn_id file. As a result, the check failed during promotion, and the connection was not
created.
Severity: P2
Description: When using Internet Explorer versions 6-9, the GUI did not allow use of the drop-down
list to select a real server on the pages used to create (or update) a service group, in the Server section.
Severity: P3


A10
Tracking
ID Issues
Description: An error message appeared when attempting to change the value of the TCP SYN cook-
ies threshold via the ACOS GUI. The following error message appeared: “Failed to set TCP SYN
cookies. Cannot perform requested operation. Device is in Transparent mode.”
Trigger: While in transparent mode, change the value of the TCP SYN cookies threshold via the GUI
by navigating as follows:
Config Mode > Network > Interface > Global.
In the Threshold field, change the value and save your changes by clicking OK.
Severity: P3
Workaround: Clear the “L3-VLAN-fwd-disable” checkbox if ACOS is in transparent mode.
Description: Under heavy bursts of traffic, HA and other such control packets were sometimes
dropped.
Severity: P2
195940 System area: CLI (Access-list)
Description: If an access list was created with a host address 0.0.0.0, but the mask was not set to zero,
the ACOS device interpreted the configuration as any.
Severity: P2
195406 System area: System (hard disk)
Description: The hard drive occasionally went into a BAD/inconsistent state when reporting disk
usage statistics.
Severity: P2


A10
Tracking
ID Issues
Description: A process associated with a particular CLI command sometimes caused the control CPU
usage rate to spike to 100%.
Severity: P2
195064 System area: SLB (aFleX)
Description: If a persist uie session already existed, and the real server went down, the next session
request kept using the same DOWN server.
Severity: P2
Workaround: Clear the persist uie session.
Description: The ACOS device terminated session with the client and server upon receiving a “Hello
request” from the backend server upon completion of the SSL handshake. ACOS sent “FIN” packets to
the client and server. This issue was occurring because ACOS was erroneously including TLS_EMP-
TY_RENEGOTIATION_INFO_SCSV in the cipher list, even though ACOS does not support renego-
tiation.
Severity: P3
Workaround: Disable renegotiation on the backend server.
Description: Cipher Suite TLS_RSA_WITH_RC4_128_MD5 (0x0004) did not work when the
“ssl-falsestart-disable” option was configured.
Trigger: Configuring the ssl-false-start-disable in a client SSL template caused the SSL handshakes
to fail.
Severity: P3
Workaround: Do not configure "ssl-false-start-disable" in the template.


A10
Tracking
ID Issues
192898 System area: WAF
Description: When the 'sqlia-check sanitize' option was configured for a WAF template, the ACOS
device could reload while attempting to sanitize URIs in some scenarios.
Severity: P1
Description: The axInterfaceStatTable was implemented with a 60-second data refresh interval, which
was not consistent with the ifTable and ifXTable implementation, which has a 1-second refresh interval.
Trigger: The timeout value is set to 1 minute.
Severity: P3
Workaround: Retrieve the statistics data through ifTable that has a 1-second timeout value.
192175 System area: TFTP on control plane
Description: Attempting to change the TFTP block size configuration on the ACOS device could
sometimes fail.
Severity: P3
Description: If the “show running” CLI command was used for logging templates, the output for “slb
template logging name” was incorrect when more than 9 templates were configured.
Severity: P2


A10
Tracking
ID Issues
Description: When you add a service-group level trap to detect a server member in the service-group,
the status changes for up and down events.
Severity: P2
191257 System area: Compression and keep-client-alive
Description: An AOCS device might return a partial server response when the compression and keep-
client-alive options are enabled for a Layer 7 virtual port, such as HTTP, HTTPs, and so on.
Severity: P2
Workaround: Do not configure the keep-client-alive option when compression is enabled on a layer 7
virtual port.
190765 System area: aFleX (clock command)
Description: An issue with the aFleX clock scan and clock format commands when you try to convert
the date to seconds.
Severity: P2
190357 System area: SSL driver
Description: When the PCI config space reads from the Cavium driver code, a memory corruption
could occur, which resulted in reading 0xffff, and this caused the ACOS device to reboot.
Trigger: The Cavium driver PCI reads coinciding with reads from other places.
Severity: P1
Workaround: Disable PCI reads from driver code.


A10
Tracking
ID Issues
Description: A memory leak occurred when using the GUI to edit the GSLB zone service.
Trigger: This issue can be replicated by doing the following:
1. Login to the GUI.
2. Navigate as follows: Config Mode > GSLB > Zone and select any zone, such as example.com
3. Select any service, such as www, and then click Edit.
4. Memory will increase about 0.1
5. Repeat these steps to see a gradual increase in the memory usage.
Severity: P1
Description: The backslash “/” special character was not allowed when using the GUI to configure a
health monitor for HTTP and HTTPS.
Severity: P2
Description: The ip-in-ip command could not be added under the virtual port using the aXAPI.
Severity: P3
189673 System area: RADIUS SLB
Description: The RADIUS return packet from the server is processed by using a wildcard VIP instead
of the VIP that was specified for the server.
Severity: P2


A10
Tracking
ID Issues
189613 System area: Connection reuse and session age
Description: The age value for a connection-reuse session that was associated with an HTTP and Fast-
HTTP virtual port was computed incorrectly.
Severity: P2
Description: SCP failed when the /home/user directory was not available on a Linux computer.
Trigger: This issue occurs when you create a user on a Linux computer, but you do not create the
user’s home directory and scp a file uses the user’s username and password.
Severity: P3
Workaround: Create a home directory on the Linux computer.
Description: When the run-search option is configured for an LDAP health monitor, and you run a
search query and review the statistics, the LDAP server is down.
Severity: P2
187969 System area: This is to patch a security vulnerability.
Description: SSL/TLS MITM vulnerability (CVE-2014-0224)
Trigger: N/A
Severity: N/A
Reported by customer: N/A


A10
Tracking
ID Issues
Description: When using the GUI to configure the banner, the configuration was lost when the ACOS
device was reloaded. This did not happen if the banner was configured using the CLI.
Severity: P2
Description: The object access control (OAC) config file did not get saved during system backup, so
the admin account was not usable when the system was restored.
Severity: P2
186760 System area: CLI/Web Authentication
Description: When the ACOS device is configured with ip control-apps-use-mgmt-port on the man-
agement interface, but the external authentication server, such as TACACS+, RADIUS, or LDAP, is
only reachable from the ACOS data interface, the ACOS external authentication fails because the
authentication server cannot be reached.
Severity: P2
186688 System area: FTP ALG
Description: If an ACL was configured to permit FTP to control port 21 and deny the rest of the con-
trol ports, ALG protocols like FTP failed when they were applied to client interfaces.
Severity: P2


A10
Tracking
ID Issues
186535 System area: System (interface driver)
Description: The CLI command ‘show interface media’ stopped working after the transceiver was
unplugged and added to another interface.
Severity: P2
Workaround: Restart the system.
186523 System area: Multicast packet processing
Description: When the ACOS data interface was flooded with IP multicast packets, legitimate TCP-
based management traffic to the ACOS device on this data interface was sometimes dropped.
Severity: P2
Workaround: Configure the ACOS data interfaces so that the interfaces cannot view these types of
unwanted multicast packets.
Description: When a health monitor was created using aXAPI, a segmentation fault occurred when
exercising the “show run” command.
Severity: P2
Workaround: The valid post should be: "health_monitor": {
"name": "sarasa5",
"type": 3,
"http": {
"port": 8080,
"url": "GET /ping",
"expect_pattern": "pong"


A10
Tracking
ID Issues
Description: Sysname can not get through SNMP.
Trigger: Issue the SNMP query to get sysname.
Severity: P2
Description: When an admin account was created with a customized role, it caused a GUI display
issue.
Severity: P2
Description: Adding or editing the GSLB zone parameters from the browser caused the GUI to reboot.
Severity: P1
185164 System area: DNS fast-path and policy template
Description: ACOS may have rebooted when the SLB DNS (port 53 UDP) flows were being pro-
cessed via fast-path and the policy template enforcing connection rate limiting through PBSLB/class-
list/GLID was bound to the virtual port.
Severity: P2


A10
Tracking
ID Issues
Description: The control CPU sometimes spiked to high levels if a trunk was configured with multiple
ports.
Severity: P2
Description: When making GSLB object additions or changes in the GUI, the user was sometimes
logged out of the GUI.
Severity: P2
Workaround: Use the CLI.
184678 System area: TACACS+ (GUI)
Description: When the TACACS+ user login required the user to change the password, this could
sometimes cause the ACOS GUI to restart.
Severity: P2
Description: Additional debugging logs and fail-safe code were added to help troubleshoot SSL chips
that could sometimes hang.
Severity: P1
Workaround: Do a manual reboot of the ACOS device.


A10
Tracking
ID Issues
184399 System area: System Logging
Description: The power supply view definition in system logging incorrectly indicated 'rear view'
when it should have shown 'front view'.
Severity: P3
184030 System area: DSR and MSL
Description: The ACOS device did not honor the maximum segment lifetime (MSL) time for a direct
server return (DSR) session that you configured by entering the slb msl-time command.
Severity: P2
Description: In a two device configuration, reloading VCS caused device 2 to join the chassis with a
disabled interface.
Severity: P2
183322 System area: Health Monitor (DNS)
Description: The up-retry command option sometimes did not work when configured under a DNS
health monitor.
Severity: P2
Workaround: Change up-retry to the default value (1) or use an external Health Monitor.


A10
Tracking
ID Issues
Description: Once a partition ID was configured, that value could not be changed using the ACOS
GUI, even though the GUI has a field for changing the partition ID.
Severity: P2
Description: Server priority was reset the aXAPI was used to disable and then re-enable a server.
Severity: P2
Workaround: If this occurs, use the CLI to disable and then re-enable a server.
182635 System area: Layer 7 (graceful-shutdown)
Description: After you enter the slb graceful-shutdown num after-disable command, the ACOS device
did not complete the close, four-way handshake (FIN-ACK/ACK) with the client. The ACOS device
did not send the final ACK message in response to the client’s FIN-ACK.
Severity: P2
182473 System area: System Management
Description: When email logging was configured, ACOS sent emails without line breaks between two
successive messages.
Severity: P3


A10
Tracking
ID Issues
182312 System area: FWLB health monitoring
Description: The ICMP payload of a FWLB health-check was sometimes truncated, and the ACOS
device could not parse the IP address in the payload.
Trigger: Configure an ICMP health check (with transparent method), and bind it to a real server.
Severity: P2
182233 System area: CLI (SLB)
Description: When you enter the show slb virtual-sever command, the Curr-conn counter was some-
times higher than the Peak-conn.
Trigger: Enable extended-stats while traffic is running on the VIP.
Severity: P3
Description: The SNMP notification “axServiceDown” was sent multiple times when the real server
port went down. This occurred when the disable-after-down CLI command option was configured as
part of the health-check for a real port.
Severity: P2
181270 System area: ICMP for SLB
Description: ICMP error packets were being dropped for DSR SLB, causing both IPv4 and IPv6 traf-
fic flows to fail.
Severity: P2


A10
Tracking
ID Issues
Description: When trying to SSH from another device to ACOS, the known_hosts file cannot be
changed to allow connection if the key was changed at some point.
Severity: P2
180970 System area: OSPF and route display
Description: Even after removal of the OSPF route, the show ip route continued to display an OSPF
null route that no longer existed.
Severity: P2
Description: If the 1G SFP was connected to the 10G port of an ACOS 6630, it was able to establish a
link, but the receiver did not work.
Trigger: This issue could be recreated by plugging the SFP transceiver into the 10G port of an ACOS
6630 device.
Severity: P1
179653 System area: LACP trunk with VRRP-A
Description: When configuring VRRP-A with an LACP Trunk, if preemption was disabled and the
active device was rebooted or reloaded, the reloaded box sometimes came back as the active device in
the redundant pair.
Severity: P2


A10
Tracking
ID Issues
179158 System area: TCP Logging
Description: The ACOS “TCP session logging” feature was erroneously creating persistent connec-
tions to handle logging messages. These sessions should have only been created on the active ACOS
device and not on the standby device.
Trigger: Enable TCP Logging
Severity: P2
Workaround: Disable TCP logging.
178939 System area: SLB Dynamic Member
Description: The fully-qualified domain name (FQDN) is always assigned priority 16 and is selected
over other service group members.
Severity: P2
178613 System area: Traceroute and wildcard VIP/VPORT
Description: Allow traceroute to work for TCP and UDP methods when using a wildcard VIP with a
virtual port that has no-dest-nat enabled. The earlier traceroute was working only when the ICMP
method was used.
Severity: P2
Workaround: Use ICMP for traceroute functionality.
177991 System area: TCS and HA/VRRP-A
Description: The ACOS device sometimes failed to synchronize the transparent cache switching
(TCS) sessions between the Active and Standby devices in an HA or VRRP-A pair. This could happen
if the packets from the client had a different source port than those on the cache server.
Severity: P2


A10
Tracking
ID Issues
Description: The slb.ssl.upload/download method caused a memory leak.
Severity: P1
Description: Removing a real server from a service group that had priority affinity enabled caused a
priority affinity reset for a different service group. This could happen if a second service group shared
one of the real servers in the first service group.
Severity: P2
Description: The generate name could not be retrieved.
Severity: P2
Description: When adding the "logging creation" option to an IP NAT logging template,
‘port-mappings both’ and ‘logging creation’ both show up in the configuration at same time. Only
one option should be enabled for port-mappings. If ‘port-mappings creation’ is set, then
‘port-mappings both’ should have been disabled.
Severity: P2


A10
Tracking
ID Issues
171523 System area: VCS and vMaster/vBlade reload
Description: In VCS, when you issue reload device <n> from the vMaster to reload the corresponding
vBlade device, the vMaster and vBlade were reloaded, instead of just the vBlade.
Severity: P2
169147 System area: System software
Description: Interface utilization reported over 100%
Trigger: Invalid bucket pickup occurred during interface statistics calculation from the hardware and
software.
Severity: P1
168499 System area: System management port
Description: Unable to access the new IP via SSH if the IP address on the management interface was
changed dynamically.
Trigger: Changing the management IP address.
Severity: P1
Workaround: Change the IP address again or reload the device.
168232 System area: SLB/aFleX
Description: The aFleX method (HTTP::method) logic failed to recognize “TRACK”.
Severity: P2


A10
Tracking
ID Issues
161671 System area: TCP-proxy
Description: If an idle-timeout value of less than 30 seconds was configured in a tcp-proxy virtual
port, then the idle-timeout failed to be correctly applied to sessions.
Severity: P2
149138 System area: Clearing statistics
Description: Clearing real server statistics for SLB using the CLI command clear slb server server-
name sometimes caused imbalances in the amounts of traffic sent to that real server. This could happen
if the SLB method 'least-connection' or 'weighted-least-connection' was configured for the correspond-
ing service group.
Severity: P2
Workaround: Instead of using the 'clear slb server server-name', use the alternative CLI command,
'clear slb server all' to mitigate traffic imbalances.
Description: When more than one RBA partition is configured, issuing an snmpwalk for the MIB
object, “axAppGlobalTotalCurrentConnections” results in output that is multiplied by the number of
RBA partitions that have been configured.
Severity: P3
Description: The SNMP daemon could get into a deadlocked situation, thus causing the routing dae-
mon to also become locked, which prevented ACOS from being able to route traffic.
Severity: P2


A10
Tracking
ID Issues
Description: The system log messages for inband health checks was erroneously displaying the [AX].
In this release, the behavior has been changed and the message will display [Inband] when the ports get
marked down by inband health checks.
Severity: P4
Description: In rare cases, an interface could become unusable due to a PCI link issue. If this occurred,
the “Error for Ethernet X has exceeded Y” message appeared in the log and the AX device rebooted.
Severity: P1



A10
Tracking
ID Issues
180667 System area: SLB (TCS)
Description: If a real server port was configured with the dest-nat option but the TCS had the regular
no-dest-nat option configured, then destination NAT did not happen if that real server port was
selected.
Severity: P2
Description: SNMP virtual port type value for SIP and SPDYS were both 11. When the virtual port
types of sip and spdys were configured under a VIP, if the OID was sent from an SNMP client, the
same value was retrieved, as shown in the example below:
snmpwalk <AX_IP> -v 2c -c public .1.3.6.1.4.1.22610.2.4.3.4.3.1.1.2
(output)
SNMPv2-SMI::enterprises.22610.2.4.3.4.3.1.1.2.3.118.115.49.11.200 = INTEGER: 11
SNMPv2-SMI::enterprises.22610.2.4.3.4.3.1.1.2.3.118.115.49.11.201 = INTEGER: 11
Further, such a configuration changed the values for mysql, mssql, fix, smpp-tcp as shown below:
spdys 11 ==> 30
spdy 13 ==> 29
mysql 123 ==> 25
mssql 124 ==> 26
fix 125 ==> 27
smpp-tcp 126 ==> 28
radius 153 ==> 31
Severity: P2


A10
Tracking
ID Issues
Description: The referenced object for a trap was incorrect because the MIB file had a spelling error.
Severity: P2
Workaround: The OID is correct but this issue could cause a problem with the MIB compiler.
Description: If a health check was flapping for a dynamic GSLB object, ACOS did not add back the
internal counter properly.
Severity: P1
179596 System area: L2/L3
Description: Load balancing on Layer 2 trunks was inconsistent for CPU switched traffic.
Severity: P2
179467 System area: IPv6 Packet Processing and Statistics collection at VE level
Description: Under certain conditions, IPv6 packet transmission could cause ACOS to restart if the
“ve-stats enable” option was configured.
Severity: P2
Workaround: Do not use the “ve-stats enable” option.


A10
Tracking
ID Issues
179077 System area: SLB (TCS)
Description: In network topologies with both SLB servers and TCS cache servers on the same physical
port, ACOS failed to route Layer 4 traffic correctly.
Severity: P2
Workaround: Use separate physical ports for the SLB servers and TCS cache servers.
178816 System area: L3 DSR (IPinIP)
Description: In L3 DSR (IP tunneling) deployments, ACOS did not preserve the TOS field of the outer
IP header.
Severity: P2
Description: Even though ACOS does not support the ability to perform recursive lookups for clients,
the Recursion Available (RA) flag was not turned off in the responses ACOS was sending back to the
clients. The correct behavior is for the GSLB controller to disabled the RA flag if the DNS server does
not contain the resource record that the client requested.
Severity: P2
178531 System area: ICMP
Description: ACOS sometimes dropped ICMP reply packets if they were hashed by a CPU that was
different from the original CPU where the ‘ping’ request was received. ACOS dropped the packet
because there was no session upon which to match the reply packet.
Severity: P2
Workaround: This issue can be addressed by removing the source-nat option.


A10
Tracking
ID Issues
178405 System area: SLB (HTTP compression)
Description: An HTTP VIP did not work correctly if an aFleX script bound to the virtual port used the
http::collect command, and hardware-based HTTP compression was enabled.
Severity: P2
Workaround: Use the http::stream command instead of the http::collect command in the aFleX script.
Description: Use of a specific special character in a read-only admin name could allow the admin to
make configuration changes.
Severity: P2
177568 System area: AXdebug
Description: If a single HEX digit (such as \x2) was specified as an offset value to match within the
AXdebug filter, ACOS did not handle the match correctly.
Severity: P2
Description: In an aVCS deployment, if the cache-spoofing-port option was enabled on an Ethernet
port, and LACP was then configured on the same port, the cache-spoofing-port option was not included
in the configuration synchronized to other devices.
Severity: P2


A10
Tracking
ID Issues
177491 System area: Layer 4 SLB (Class-List rate limiting)
Description: In some situations, class-list based rate-limiting at Layer 4 did not work correctly when
configured within a service group.
Severity: P2
Description: HTTP log messages generated using CEF format could be missing some information for
requests sent to very long URL strings. For these requests, the req='<url>' and msg='..' fields in CEF
format caused the overall log message to exceed 512 bytes, and cut off complete parts of the message.
Severity: P3
177292 System area: SLB (client-SSL)
Description: In a deployment using the client-SSL option to require client certificates, a client request
to use TLS v1.2 caused ACOS to reload.
Severity: P1
Description: The Thunder 5630 hardware watch dog sometimes did not kick-in in the case of a system
hang.
Severity: P2


A10
Tracking
ID Issues
177098 System area: Health Monitoring
Description: HTTPS health monitor using authentication (username/password) caused a memory leak.
Severity: P1
Workaround: Use an external health monitor instead.
177094 System area: SLB (Diameter)
Description: If source-NAT was enabled on a Diameter virtual port and the service group was bound to
the port, ACOS could reload.
Severity: P1
Description: Importing a certificate in P7B format did not work correctly using the aXAPI.
Severity: P2
176989 System area: SLB (HTTP template)
Description: The ACOS device could reload when a host-switching or URL-switching line was
removed from an HTTP template.
Severity: P1


A10
Tracking
ID Issues
176908 System area: CLI/System
Description: An aFleX script with the POLICY::bwlist command could be unbound from the virtual
port following a reload or reboot.
Severity: P2
Description: The aXAPI slb.virtual_server.fetchAllStatistics method in aXAPI v2.1 erroneously
reported the status for virtual ports as “5” (unknown).
Severity: High
Workaround: Use aXAPI v1.x methods or use cli.show_info methods instead.
Description: In a configuration with both an HTTP-policy template and a WAF template bound to the
same HTTP virtual port, the WAF policy was used to process an SQLIA check even though the traffic
matched the HTTP-policy.
Severity: P2
Description: The VRRP-A status was not updated correctly after configuration synchronization was
performed manually using the GUI.
Severity: P2


A10
Tracking
ID Issues
Description: Using the aXAPI ‘method=authenticate’ call showed the unencrypted password when
using the CLI command show audit.
Severity: P2
176108 System area: aFleX
Description: The aFleX pool command was not supported under the DNS_REQUEST event type.
Severity: P2
175966 System area: SLB (TCP-proxy on Layer 7)
Description: If the keepalive interval and probes were set in a TCP-proxy template bound to a Layer 7
virtual port, ACOS mistakenly sent a second RST to a client who did not respond to a keepalive before
the timeout expired.
Severity: P2
175963 System area: SLB (TCP-proxy template)
Description: If TCP-proxy templates were bound specifically to client or server traffic (template tcp-
proxy client template-name or template tcp-proxy server template-name under the virtual port), the
idle-timeout values in the templates were not used. Instead, the idle-timeout that was used was the low-
est setting among the templates bound using the client or server option and the default TCP-proxy tem-
plate.
Severity: P2
Workaround: Use a single TCP-proxy template for both traffic directions, and omit the client or
server option.


A10
Tracking
ID Issues
Description: On a device running a large number of health checks, the control CPU could experience a
high utilization rate following an authentication failure.
Severity: P2
Description: If a space “ ” is used in a server-name cert/key associated to SNI, this could result in a
parse error when ACOS reads the startup-config file.
Severity: P2
Workaround: Do not use a space " " in server-name cert/key.
175078 System area: SLB (Layer 7 proxy) and Jumbo Frames
Description: The ACOS device could reload if it received a jumbo frame from a backend server on a
Layer 7 proxy virtual port.
Trigger: Receive a client request that includes a jumbo MSS value, and send that request to the back-
end server.
Severity: P1
174637 System area: Routing (BGP)
Description: BGP peer connection failed if the peer sent a SAFI(128) request as part of negotiation.
Severity: P2


A10
Tracking
ID Issues
Description: The GUI allow selection of legacy High Availability (HA) settings for ADP L3V parti-
tions even though this combination of features is not supported.
Severity: P2
Description: Importing certificates in P7B format did not work.
Severity: P2
173731 System area: SLB (L3V)
Description: The snat-on-vip option did not work for a Layer 7 virtual port in an L3V ADP partition.
Severity: P2
Workaround: Use the snat-on-vip option at the virtual port level instead.
Description: A cryptic error message (Error code 10000) appeared when accessing the following GUI
page: Monitor Mode > System > HA > Status
Severity: P3


A10
Tracking
ID Issues
173296 System area: System (Transparent mode)
Description: In a transparent mode deployment with source NAT and a UDP virtual port, ACOS incor-
rectly sent a response packet to the real server interface instead of the client interface.
Severity: P2
173293 System area: System (Transparent mode)
Description: An IPv6 ACL configured on incoming Ethernet interface denied IPv4 SLB traffic.
Severity: P2
Workaround: Remove the IPv6 ACL.
Description: If a backend server used HTTP 1.0 and its response to a health check did not contain a
Content-Length header, ACOS marked the server Down.
Severity: P2
Description: aFleX persistence based on custom a header might not work correctly, resulting in
requests being sent to incorrect servers.
Severity: P2


A10
Tracking
ID Issues
Description: ACOS could reload when an aFleX script containing the global virtual name command in
its RULE_INIT was bound to a virtual port.
Severity: P2
172930 System area: aVCS (BGP)
Description: In an aVCS deployment with BGP, if a device was booted or reloaded from its startup-
config, the exit-address-family command was omitted from the BGP section of the configuration. If
the configuration was then saved without re-adding the command, parsing errors occurred due to the
missing command the next time the startup-config was loaded.
Severity: P2
Workaround: Re-add the exit-address-family command and save the configuration.
Description: Remote AAA using LDAP did not work for GUI access.
Severity: P2
Workaround: Configure a static route to the LDAP server that uses the management interface to reach
the default gateway. This works with or without use of the ip control-apps-use-mgmt-port command.
Description: The raid install command did not work in ACOS 2.7.1-P4.
Version: 2.7.1-P4
Reproducibility: Yes
Severity: P1


A10
Tracking
ID Issues
Description: Use of the Tcl internal command “clock scan” to retrieve the current time could cause the
ACOS device to reload.
To prevent this issue from recurring in the current release, the “clock scan” command is disabled. To
get the time from within an aFleX script, use the TIME::clock command instead.
Severity: P1
Workaround: Use the TIME::clock command instead.
Description: Custom XSS policy that included an empty (wildcard) PCRE match could cause the
ACOS device to reload.
Trigger:
1. In a WAF policy, set a rule to have an empty match either in the beginning or in the middle of the
match list. For example:
rule1,|bgsound||applet
instead of:
rule1,bgsound|applet
In this example, either of the following character combinations results in empty matches:
,|
||
2. Bind the WAF policy to an HTTP virtual port.

3. Send a request to the port.
Severity: P1
Workaround: Edit the WAF policy file to avoid empty matches.


A10
Tracking
ID Issues
Description: CPU utilization was not averaged over 60-second intervals when retrieved using SNMP.
This is already supported in previous releases in the CLI. The current release adds this support in
SNMP.
Severity: P2
Description: ACOS did not allow hostnames that included parentheses when configured using the
GUI, but the character was allowed in a hostname when configured using the ACOS CLI. This incon-
sistency in the GUI and CLI behavior has been fixed.
Trigger: Configure a hostname using the ACOS GUI that includes the “(“ or “)” characters.
Severity: P3
Description: Including the version attribute ($Version=0 or 2) could cause a failure to parse cookie.
Severity: P3
Description: When using the built-in SNMP health-check, ACOS sent the wrong OID. This issue
occurred because the built-in SNMP health monitor OID automatically prefixes the OID with the first
set of digits: 1.3.6.1.2.1.
However, if these first few digits are eliminated from the command, then ACOS sends out the correct
configuration.
Severity: P2
Workaround: When using the built-in SNMP health monitor, do not “double-input” the OID prefix
value of “1.3.6.1.2.1” because this prefix already exists.


A10
Tracking
ID Issues
170506 System area: TCS (Hardware SYN-cookie)
Description: When hardware SYN-cookies were enabled within a TCS setup, the ACOS device could
sometimes use the incorrect source MAC when sending the packet back to the client.
Severity: P2
170056 System area: Hardware Syn-cookie (FPGA platforms)
Description: In a configuration where hardware-based SYN cookies were disabled, the MAC address
for the HA floating IP address for a VLAN was not programmed into the MAC table following certain
VLAN and VE configuration changes. This prevented clients from being able to ping the floating IP
address.
Severity: P2
Workaround: Enable/disable hardware-based SYN cookies. This results in reprogramming of all vir-
tual MAC addresses (including HA MAC) for all VLANs.
169873 System area: AXdebug
Description: When configuring an AX debug filter, the offset position option was not being
saved if the value was specified using hexadecimal notation.
Severity: P3
Workaround: Use an integer instead of hexadecimal notation when specifying the offset value in an
axdebug filter.
169855 System area: Layer 2/3
Description: If ICMP traffic was sent to the IP for a trunk (VE interface), the traffic was sent over only
one interface and was not properly distributed across all the trunk interfaces.
Severity: P1


A10
Tracking
ID Issues
Description: The ACOS axAppGlobalBufferCurrentUsage counter displayed a high number (even
when there were no sessions) because various buffers were not being subtracted during calculations.
Severity: P2
169414 System area: IP NAT
Description: If ACOS was configured in an HA/VRRP-A deployment, the ACOS device sent packets
that had an incorrect MAC address.
Severity: P2
Description: Continuous poll of the OIDs over a long period of time could result in a lower number
showing than in previous polls. This was due to internal counter initialization and/or rollover. If the
OID was defined as Counter64 then it was not expected to decrease.
Severity: P2
Workaround: Change Counter64 to CounterBasedGuage64.
Description: SNMPv3 traps were no longer sent after a reboot. This issue could occur if special char-
acters, such as “#” were included in the CLI command snmp password, and if the special character
also appeared in the keyword in snmpd.conf.
Severity: P2
Workaround: Do not use the # character in the password.


A10
Tracking
ID Issues
169159 System area: L3 DSR (IPinIP)
Description: ACOS did not allow an MTU value of greater than 1460 bytes, even though the ICMP
unreachable message sent to clients was advertising an MTU of 1480 bytes.
Severity: P2
169153 System area: SNMP (HA)
Description: The SNMP process was non-functional and could not pass any data because the SNMP
process was not registering correctly.
Severity: P2
168529 System area: System (FPGA models)
Description: A buffer leak occurred in some uncommon situations in which the ACOS device received
a UDP packet greater than 1500 bytes requiring Layer 2 or Layer 3 forwarding. The issue would only
occur if the infrequently used disable-buff-debug option was enabled.
Severity: P2
Workaround: Do not use the disable-buff-debug command.
168358 System area: AAA
Description: When using Active Directory Domain Services (AD DS) for Windows Server 2012 to
perform AAA services, the ACOS device was unable to authenticate users based upon the sAMAc-
countName object attribute.
Severity: P2


A10
Tracking
ID Issues
168334 System area: SLB/SIP
Description: ACOS restarted if the device was configured with a sip-tcp virtual port, and then
received a SIP request containing the INVITE header.
Severity: P1
Description: ACOS could reload if the debug aflex and debug monitor commands were used at the
same time as an aFleX script containing a command exceeding 256 bytes.
Severity: P2
Workaround: When using an aFleX script, do not issue the debug aflex and debug monitor com-
mands at the same time.
168172 System area: Session aging counters and non-established session
Description: The “Session aged out” counter in the show slb l4 command was being incremented
twice while aging out a non-established TCP connection. This was seen for the L4 TCP virtual port
with the idle-timeout value set to 60 seconds.
Severity: P2
Workaround: Set the idle-timeout to 120 seconds or higher for any L4 TCP virtual port that may be
handling non-established TCP sessions.
168062 System area: L3V (HA/VRRP-A)
Description: The ACOS device dropped the SYN-ACK packets instead of forwarding to the client.
This could happen if an L3V partition used a non-default VRID, because the HA status was incorrectly
seen as Standby.
Severity: P2
Workaround: Use the default VRID when configuring HA/VRRP-A in a network partition.


A10
Tracking
ID Issues
Description: If ha conn-mirror ip was removed from the config file, this could cause “flapping”, in
which the active ACOS device erroneously changed to standby mode based on the HA priority of the
pair.
Severity: P2
167830 System area: aXAPI (ADP)
Description: Using the method cli.deploy to deploy many CLI commands within an ADP partition
could cause ACOS to reload.
Severity: P1
Description: An error was mistakenly logged when a geo-location file that was periodically imported
was later modified.
Severity: P2
Description: If special characters such as ?, ", \ were entered as part of the value for a string within a
class-list, they were not being saved to the running-config or startup-config files. As a result, the class-
list string values were not being applied correctly to configuration after reloading or rebooting the
ACOS device, and ACOS generated parse errors.
Severity: P2


A10
Tracking
ID Issues
Description: When configuring a health method for LDAP, the overssl option did not work if the run-
search option was also configured.
Severity: P2
Description: The flow-control option could not be configured on the management interface on some
FPGA models, such as the AX 3400.
Severity: P2
Description: In an HA deployment, if session synchronization occurred at the same time the running-
config was being saved to the startup-config file, then ACOS did not save the configuration using the
correct date.
Severity: P3
Workaround: Issue the write memory command to save the date changes.
Description: The ICMP health check interval was delayed with strict-retry, resulting in an “unreach-
able” error.
Severity: P2
Workaround: Use a compound health monitor to wrap the ICMP health check.


A10
Tracking
ID Issues
Description: The ACOS device experienced a memory leak when opening the SSL Management Page.
Severity: P3
163048 System area: SLB (FTP)
Description: When using the “slb traffic-steering” option to configure multi-steering and sending FTP
TCS sessions to an FTP virtual port, the data sessions were only sent to the first VIP or TCS caching
server.
Severity: P2
Description: Certain SNMP OIDs that were defined as “Counter 32” were not able to “decrease”.
These OIDs have been redefined.
Severity: P3
159305 System area: GUI (GSLB)
Description: The ACOS GUI failed to allow searching for an IP address in the GSLB geo-location
database.
Trigger: Navigate to Config Mode > Geo-location >Find, enter an IPv4 address in the search field, and
then click Find. The GUI responds with an error message: “Failed to list GSLB geo-locations. The
specified field does not exist.”
Severity: P2


A10
Tracking
ID Issues
156686 System area: SLB (DNS)
Description: ACOS could restart if the slb dns-cache-entry-size option was configured in an L3V
partition.
Severity: P1
Description: In an aVCS virtual chassis, if a vBlade had an “ext” (extended) software image but the
vMaster did not, the vBlade abnormally restarted after the vBlade requested the ext image from the
vMaster during synchronization with the vMaster.
Severity: P2
Workaround: If the vMaster does not have an ext image, make sure the vBlades do not have ext
images either.
127714 System area: L3V (bw-list)
Description: Periodic updating of bw-list sometimes did not happen when configured in a private par-
tition.
Severity: P2
126103 System area: TCS
Description: In a topology that used no VLANs, the source MAC address was not changed to the
ACOS device’s MAC address for traffic that was forwarded by the ACOS device to a directly con-
nected cache server.
Severity: P1


A10
Tracking
ID Issues
Description: If the ‘snmpwalk’ command was sent to the shared and private partitions simultaneously,
then the resulting output could be mixed.
Severity: P2
93325 System area: CLI/SSL
Description: The SSL counters were not cleared (reset to ‘0’) after using the clear slb ssl stats CLI
command.
Severity: P3
Description: Tabular displays in the GUI were not sorted based on IP address.
Severity: P2


(the most recently logged issue)

A10
Tracking
ID Issues
168193 System area: aFleX/DNS
Description: ACOS could reload when using an aFleX script to process malformed DNS packets.
Severity: P1
Description: ACOS could reboot if the system uptime causes part of an internal data structure to wrap
around. This is a very rare reboot situation and does not happen at every instance of such a wrap
around.
Severity: P1
Description: The ip ospf retransmit-interval command caused the ACOS device to return an error.
Severity: P2
Description: A flood of aXAPI requests using the cli.show_info method, could lead to a restart of the
ACOS device.
Severity: P1
Workaround: Limit the speed of incoming requests.


A10
Tracking
ID Issues
Description: ACOS performed the form consistency check even though the consistency check was not
configured.
Severity: P2
Description: The respond-to-user-mac command worked only for sessions initiated internally.
Severity: P2
163744 System area: IPv6, SLB
Description: Under a certain IPv6 traffic profile, high CPU utilization could occur during session cre-
ation. Because of this, the packet processing was interrupted, resulting in packet drops.
Trigger: A large amount of IPv6 traffic created millions of IPv6 sessions. This is more prominent with
persist IPv6 sessions.
Severity: P2
Description: The LDAP method for configuring the StartTLS or Over-SSL could be erased if the
“AcceptNotFound” option was not configured after rebooting.
Trigger: Configure an LDAP method with the StartTLS or Over-SSL along with “AcceptNotFound.”
Then, issue the write memory command and reboot.
Severity: P2


A10
Tracking
ID Issues
Description: A memory leak occurred in the GUI when the SSL Management page was opened.
Severity: P1
Reported by customer: yes
Description: The no-dest-nat port-translation option did not work for the SSL-proxy and TCP-proxy
virtual port types.
Severity: P2
Description: Without the ha-conn-mirror command configured, the ACOS device did not GARP
immediately.
Trigger: Configure an HA set without an IP address for the ha-conn-mirror command, then do a
failover.
Severity: P2
Workaround: Configure the HA conn-mirror with an IP address.
163378 System area: NAT-ALG
Description: If an FTP client and FTP server are in the same private network, and the FTP server has
static NAT mapping configured, the ACOS could reboot if the FTP client establishes a PASV connec-
tion to the static NAT address of the FTP server.
Severity: P1


A10
Tracking
ID Issues
Description: The clientip-sticky-nat command did not work with the NAT pool groups.
Severity: P2
163217 System area: AAA (RADIUS)
Description: RADIUS AAA for admin access might not work correctly, if a valid DNS server was not
available for ACOS to use to resolve the RADIUS server IP address.
Trigger:
1. Enable use of RAIDUS for admin authentication: authentication type radius local
2. Configure a RADIUS server.
3. Configure an unavailable DNS server: ip dns primary inaccessible-ip-addr
4. Try to log in to the ACOS device in order to trigger RADIUS authentication.
Severity: P2
163180 System area: HTTP
Description: If the use-rcv-hop-for-resp command was issued, ACOS could reload due to an invalid
destination address in the tuple.
Severity: P1
Description: The “configuration last saved at” information was not updated on the vBlade device in an
aVCS deployment.
Trigger: Issue the write memory command for one or all partitions, then check the “configuration last
saved at” information using the show startup-config command.
Severity: P2


A10
Tracking
ID Issues
162848 System area: Layer 2 DSR / Health Monitoring
Description: In a Layer 2 DSR deployment using Layer 7 health checks, ACOS sent a FIN packet to
the correct destination IP address to close the connection, but then erroneously sent the subsequent
RST packet to the real server IP address instead.
Severity: P2
Description: ACOS allowed a static NAT IP address to be configured as a VIP address.
Severity: P2
162235 System area: HTTP / Trunk Redundancy
Description: If the selected port member in a trunk was DOWN, ACOS did not reselect another port
member in the trunk.
Severity: P2
Description: SSL support was not enabled on the Thunder 930 model by default.
Severity: P2
Workaround: Use the slb ssl-module software command, followed by the write memory command
and reboot.


A10
Tracking
ID Issues
Description: Certain SNMP OIDs that were defined as “Counter 32” were not able to “decrease”.
These OIDs have been redefined.
Severity: P3
159532 System area: CLI / Class List
Description: If a string in a string-based class list contained a space, it was not saved properly in the
configuration file.
Trigger: Create a str class list with a space in the str value.
Severity: P3
Workaround: Do not use a space.
Description: ACOS failed to configure or show the ha force-self-standby persistent or the vrrp-a
force-self-standby persistent options in the GUI.
Severity: P2
Description: the show running config command output did not show the “slb” keyword of the follow-
ing command: slb snat-on-vip
Severity: P2


A10
Tracking
ID Issues
Description: The ACOS device reloaded with traffic running when it was configured with Server
Name Indication (SNI) and while using an aXAPI or external script that both added and removed SNI
entries from the client-SSL template at the same time.
Version: 2.7.1-P3
Severity: P1
158320 System area: SMTP Proxy
Description: While sending a connection close message to a client, the SMTP proxy could cause a
restart under certain circumstances.
Severity: P1
Workaround: Add an HTTP template to the configuration. This does not need to be referenced by any
particular virtual port. This helps in mitigating reloads.
158284 System area: SLB Layer 7
Description: If half-close-idle-timeout was configured and the client never sent a FIN request, as part
of the half-close-idle-timeout logic, ACOS could forward ACK from a server during session aging
Severity: P2
Workaround: Avoid configuring half-close-idle-timeout on SLB L7
158173 System area: TCP
Description: When retransmitting a SYN packet, ACOS could reload due to an internal error.
Severity: P1


A10
Tracking
ID Issues
Description: The banner exec command could become corrupted after each write memory command
and reload was issued.
Severity: P2
Workaround: Use a multi-line banner.
Description: When using the ACOS GUI to configure HA sync, the “With Reload" checkbox did not
remain selected. This was caused by a javascript error in on-click event of “With Reload” checkbox.
Trigger: This can be triggered by following these steps:
1. Navigate to Config Mode > System > HA > Config Sync.
2. Select the checkbox next to the “Operation” field.
3. Select the checkbox in the “Peer Option” field labeled “With Reload”.
4. Click “OK” when the pop-up asks if you are sure you want to reload after the configuration sync.
At this point, the “With Reload” box does not remain selected.
Severity: P2
Workaround: This bug only exists in the Chrome browser. Use a different browser.
Description: The incorrect data type appeared in the axNetStatTable for the axNetStatCpuIndex object.
The MIB table defined the data type as Counter when it should have been defined as Integer 32.
Severity: P3


A10
Tracking
ID Issues
157801 System area: SYN Cookies and Wildcard VIP
Description: If SYN cookies were enabled on a wildcard port on a wildcard VIP, ACOS did not initiate
a connection to the backend server after completing the three-way handshake with the client.
Version: 2.7.1-P2 and P3
Severity: P2
Workaround: Disable fast-path processing using the slb fast-path-disable command.
157771 System area: System Log
Description: If a configured fail-safe threshold was reached, the log messages did not use the correct
description. This issue was cosmetic only.
Trigger: Configure a fail-safe threshold and have the ACOS device cross that threshold.
Severity: P3
Description: The show environment command indicated that a PSU was absent even though the PSU
was powered on.
Trigger: CLI/Log Facility
Severity: P3
Description: Some AX models, for example: AX 5200-11, AX 3400, and AX 3200-12, could some-
times fail to boot due to an SSD-related issue. This issue resulted in the following error message: “grep:
/a10data/linkUpa10switch: No such file or directory”.
Severity: P1


A10
Tracking
ID Issues
Description: System log messages were incorrect on model AX 5630.
Version: 2.7.1-P3
Severity: P2
Description: ACOS failed to run the aXAPI slb.service_group.update correctly in 2.7.1-P3.
Trigger: 1. Run the attached python script using the command:
$ python 10005.py AX_IP
2. You should see the following output:
{"response": {"status": "OK"}}
{"response": {"status": "OK"}}
{"response": {"status": "fail", "err": {"code": 654508034, "msg": "
Communication error with LB process."}}}
Version: 2.7.1-P3
Severity: P2
Description: The show environment command displayed “State: On” for an unplugged PSU.
Severity: P2
155629 System area: FTP
Description: If an HW SYN-cookie was enabled, and an aFleX script was used to select LW nodes,
FTP did not work properly.
Version: 271-P3 and earlier
Severity: P3


A10
Tracking
ID Issues
Description: The erase reload command did not reset the administrator account.
Trigger: Execute the erase reload command in the CLI.
Severity: P2
155308 System area: System (Diagnostics)
Description: The run-hw-diag command might not finish running diagnostics on the ACOS device.
Severity: P2
155143 System area: DHCP Helper
Description: DHCP helper packets that had a broadcast flag were dropped in a one-arm topology.
Severity: P2
Description: If a template was bound to a real server and then later removed from that real server,
ACOS continued to process new flows hitting the virtual port/service group via slow-path (as if the real
server template was applied). This applies to SLB L4/L7 traffic. This caused slightly different behavior
in the handling of flows when 'port 53 udp' (SLB DNS) was involved, given different treatment in fast
v/s slow path.
Reproducibility:100%
Severity: P2
Workaround: Reload ACOS after configuring a change to unbind the real server template to restore
correct behavior.


A10
Tracking
ID Issues
154967 System area: MGMT
Description: In certain cases, the ACOS device reloaded after the write memory command was
issued, causing the startup configuration to be corrupted (in some cases the configuration was lost).
Severity: P1
154765 System area: Help Description
Description: The Help description has been rectified for keepalive-interval and keepalive-probes
within a TCP-proxy template.
Severity: P3
Description: aFleX scripts were unable to be applied with an SSL template configured in an HTTP vir-
tual port.
Severity: P2
154582 System area: TCP-Proxy Template
Description: If a TCP-Proxy template with the keepalive option was bound to an HTTP virtual port,
ACOS might not send keepalive packets to the client, only to the servers.
Severity: P2


A10
Tracking
ID Issues
Description: Sending a request to the ACOS GUI that included a very long cookie name resulted in a
blank page display instead of a helpful error message.
Severity: P3
154345 System area: AAM
Description: The client was unable to use multiple directories in the initial form-based request.
Severity: P2
Description: Certain system resource’s default thresholds were programmed incorrectly, leading
ACOS to give a false positive error message.
Severity: P2
Description: ACOS was not prompting to save configurations after issuing certain commands. This
has been addressed
Severity: P4


A10
Tracking
ID Issues
Description: If an SSH management session ended abnormally, the admin was not able to reconnect to
the ACOS device through SSH.
Severity: P2
Description: If a server responded to an HTTP POST request with status code 400 (Bad Request), and
the next request from the client arrived in 2 separate packets, the ACOS device did not process the new
request.
Severity: P2
153355 System area: Persist Session Age Refresh
Description: Persist session age was not being refreshed if a data plane session was still active. This
occurred if a source IP persist template was bound to a virtual port and the "incl-sport" option was
configured for this template.
Severity: P2
153094 System area: Layer 4
Description: The lan-fast-ack feature did not handle TCP packets with FPA flags.
Severity: P2
153004 System area: Layer 2/3 (AX 5630)
Description: The AX 5630 could drop packets on a trunk interface after the system powered on.
Trigger: Trunk interface is enabled after the system powers on.
Severity: P2


A10
Tracking
ID Issues
152740 System area: Template
Description: The SYN-retries configured in a TCP-proxy template did not take effect when auto server
re-selection was used.
Severity: P2
Workaround: Provide CLI commands to disable auto server re-selection so that configured SYN-
retries in the TCP-proxy template will take effect.
152156 System area: Fast-HTTP
Description: Failover-url functionality was not working as expected if it was configured under virtual
port Fast-HTTP. This has been addressed
Severity: P2
Workaround: Use virtual port HTTP instead of Fast-HTTP virtual port for failover-url.
Description: In an aVCS deployment, if the access management option for the remote device is
changed and then saved, ACOS could overwrite the local VRRP device ID in the startup configuration
with the remote device ID. If a reboot is issued after this operation, the local device would load the con-
figuration of the remote device.
Trigger: Modify the configuration of the remote device on the vMaster GUI, then “save” on the vMas-
ter GUI.
Severity: P2
151309 System area: RAM Cache
Description: Pipe-lined requests were not being correctly processed by HTTP virtual ports when pre-
vious HTTP requests on the same TCP connection were being responded from HTTP RAM cache.
Severity: P2
Workaround: Avoid making pipe-lined requests to an HTTP virtual port when certain requests could
be served from HTTP RAM cache.


A10
Tracking
ID Issues
Description: Long cookie header values could cause a memory leak issue.
Severity: P1
Description: Spurious error and log messages about 12-volt power issues could be generated; for
example:
Oct 31 2013 02:22:13 Critica [SYSTEM]:System Voltage 12V is over threshold
limit(12000). Current value 12984, allowed range [11160, 12840]
Severity: P4
Workaround: Check the exact reported voltage, and ignore the log or error message if the voltage is
within 10.8-13.2 Volts.
Description: When the server / real port was in MAINTENANCE mode, and was bound to a service
group with a passed health check, then ACOS incorrectly marked the server as UP.
Severity: P2
149764 System area: IP-in-IP / Layer 3-DSR
Description: For an IP-in-IP tunnel, if ACOS received a packet with the DF bit set, and that was larger
than the ingress interface’s MTU, then ACOS did not issue the appropriate “ICMP packet-too-large”
response. Also, if the DF bit was not set, ACOS did not fragment the large packet.
Severity: P2


A10
Tracking
ID Issues
149575 System area: aXAPI / ACL
Description: If an aXAPI script was used to bind an ACL to a virtual port, and there were multiple
ACL configured, the aXAPI could bind the wrong ACL to the virtual port.
Severity: P2
Workaround: Use the CLI
148957 System area: Health Monitor (Compound)
Description: The ACOS device reloaded if a compound health monitor’s method was changed from
ICMP to HTTP.
Severity: P1
Description: For partition admins with web based roles, such as PartitionSLBServiceAdmin or Parti-
tionNetworkOperator, their sessions were not displayed correctly in show admin session output.
Severity: P2
145837 System area: Layer 2 / Layer 3
Description: If it was configured as an HA-standby, the Thunder 3030S did not respond to a ping com-
mand.
Severity: P2


A10
Tracking
ID Issues
145265 System area: SLB (PBSLB)
Description: If the show pbslb command was issued on a device with a large number of PBSLB
entries, and the output was then stopped using either ctrl-C or manually, the control-CPU usage went
up to 100% and stayed at 100% for a while.
Severity: P2
144805 System area: SLB / ICMP Error Handling
Description: ICMP errors for SLB sessions were not handled correctly if the intermediate host or
router generated the errors and sent them to ACOS.
Severity: P2
Description: The ACOS GUI had a potential cross-site scripting vulnerability. This was found on the
GUI only.
Severity: P2
Description: Although ACOS had power, several log messages were erroneously generated indicating
that there was no power to the unit, such as the following:
Sep 14 2013 06:44:28 AX3030 a10logd: [SYSTEM]<2> System Left Power Unit(front
view) failed. Current value is 0.
Severity: P3


A10
Tracking
ID Issues
142234 System area: SLB / NAT
Description: In previous releases, use of the snat-on-vip feature required outside NAT to also be used
(ip nat outside).
Severity: P2
Workaround: Use snat-on-vip per virtual port and configure ip nat outside.
Description: If there was a request that asked for compression, followed by a HEAD, the response
went through the compression path. Because there was no payload in the response, it created an issue.
Trigger: A request is sent with compression and then a HEAD.
Severity: P2
Description: The default fail-safe settings were not included in the output of the show run with-
default command.
Severity: P3
Workaround: Use the show fail-safe config command
138094 System area: Real Server Template
Description: In an aVCS deployment, if the dynamic prefix was changed in a real server template, the
update did not take effect.
Trigger: Configure a dynamic server with a server template, then change the prefix in the template.
Severity: P2


A10
Tracking
ID Issues
132385 System area: Enable/Disable management and RBA partition
Description: ACOS did not allow enable-management and disable-management commands to
be issued from an RBA partition to prevent these settings from being modified by a RBA partition user.
Severity: P3
Description: ACOS logged messages related to a backup server not taking traffic even after higher pri-
ority servers in that service group came UP and started taking traffic. Certain high priority servers in
that service group toggled their state (went from down to up).
Severity: P3
Workaround: Do not configure a backup server in the service group
Description: The BGP MD5 password did not work in certain cases.
Severity: P2


A10
Tracking
ID Issues
128125 System area: Layer 7 Proxy
Description: When a client retransmitted a SYN packet with the same sequence number, ACOS gener-
ated a new SYN/ACK with a different sequence number.
Trigger: When the client retransmits SYN packets with the same sequence number.
Severity: P2
Description: ACOS did not refresh the age of persist session (if any) when it refreshed the age of data
plane SLB sessions if idle-timeout was configured to be greater than 255 minutes (extended age).
Severity: P2
Workaround: Configure idle-timeout value to be less than 255 minutes for SLB.


Note: This document may be updated with additional fix information.

A10
Tracking
ID Issue
Description: With a large CRL, SSL could take too long to verify the client certificate. The A10 load
balancing process could be stopped by the A10 monitoring process, because the monitoring process
thought the ACOS device was not responding, making it appear as if the ACOS device had reloaded.
Trigger: Configure client certificates required with a large size of CRL, such as 4 MB or 2 0K CRL
entries. The ACOS device reloads periodically.
Severity: P1
148819 System area: Session age and half-close-idle-timeout
Description: Under certain circumstances, the SLB Layer 4 or Layer 7 session age could be updated
incorrectly while a session was in a half-closed state (after receiving server FIN while waiting for client
FIN), and if the half-close-idle-timeout was configured.
Severity: P2
Description: Health monitor name was not limited to 29 characters, causing the configuration to be
incorrect.
Trigger: Create a health monitor with a name longer than 29 characters.
Severity: P2


A10
Tracking
ID Issue
Description: HTTP sessions were not closed on the ACOS device after front-end FIN steps were com-
pleted. The sessions remained established until timing out.
Trigger: This problem was seen when data sent by the server exceeded the data length specified in the
Content-length in the HTTP header.
Severity: P2
148126 System area: SLB (TCP-proxy with IPv6)
Description: In a configuration using a TCP-proxy template, or HTTP virtual port on an IPv6 VIP, an
internal error could cause checksum verification to fail for a valid checksum, if the traffic received
includes an IPv6 fragmentation extension header.
Severity: P2
Description: The SNMP configuration could become corrupted during restart of the SNMP process.
Severity: P2
Workaround: Disable and re-enable SNMP.
Description: Client-SSL certificate verification failed if the client certificate chain used different ASN
string encodings, such as UTF8 and PRINTABLESTRING.
Severity: P2


A10
Tracking
ID Issue
147421 System area: TCS (IPv6)
Description: Traffic from Internet to cache server is routed to the client instead of being forwarded to
the cache server if an IPv6 fragmentation extension header exists in the packet. This issue ID covers the
following issues:
• ACOS did not parse all extension headers to find the correct transportation protocol as a parameter to
match a session. This could cause an error if extension headers occured1 in between TCP or UDP
headers.
• The extended matching flag was not supported.
Severity: P2
Description: In a VRRP-A configuration, if a standby ACOS device received a packet that matched an
existing session, the device applied Layer 4 processing to the packet but should not have. This issue did
not affect legacy HA configurations.
Severity: P2
Description: ICMP transparent health checks could fail if the ICMP sequence numbers in multiple
health checks were the same. This issue was observed in a topology in which a real server on one ACOS
device was configured as a floating IP address on another ACOS device.
Severity: P2
Workaround: Change the interval value used in the ICMP health monitor.


A10
Tracking
ID Issue
147004 System area: VRRP, SLB
Description: In a configuration with an L3V partition, VRRP-A failovers in a private partition affected
session timeout in a different partition.
Severity: P2
146845 System area: SLB (DNS-UDP and IP fragmentation)
Description: System memory usage could be high during handling of fragmented IP packets received on
a DNS-UDP virtual port that had an aFleX script bound to it.
Severity: P2
Workaround: Use port 53, with virtual-port type UDP instead of UDP-DNS. Or, unbind the aFleX
script from the DNS-UDP virtual port, if the port will receive fragmented IP packets.
Description: Virtual-server compression statistics displayed in the GUI could be incorrect.
Version: 2.7.1-P2
Severity: P2
Description: AXdebug did not work properly in the GUI.
Severity: P2


A10
Tracking
ID Issue
146224 System area: PBSLB / DNS connection-rate limiting
Description: DNS connection-rate limiting did not operate correctly if its configuration included a
class-list with an LID. Also, the show pbslb CLI command displayed incorrect client IP addresses.
Severity: P2
145981 System area: aFleX, CLI
Description: If aborts or errors had occurred for an aFleX script bound to a virtual port, the CLI could
stop working after the show techsupport command was entered. This occurred due to an error in writ-
ing the aFleX error information to the command output.
Severity: P2
Description: CPU utilization could become high if a large number of GUI admin sessions were open, or
GUI admin sessions were open for a long time.
Trigger: The root cause for the high control CPU is improper handling following termination of multi-
ple admins sessions for the same admin. The accumulated environment variable leak eventually causes
the ACOS GUI process to slow access to ACOS.
Severity: P2
Description: If the GUI was used to remove an IPv6 address from an Ethernet data interface and add the
same address to another Ethernet data interface, the Forwarding Information Base (FIB) was not updated
correctly to reflect the change.
Severity: P2


A10
Tracking
ID Issue
Description: If the show ip bgp neighbor command was entered while the last-known error code for
BGP was (6,7), which indicates session cessation due to collision, ACOS could reload.
Severity: P1
Workaround: Use a passive connection to the BGP peer, which avoids the collision condition. If using
an active connection, avoid entering the show ip bgp neighbor command until the last-known error
code is no longer (6,7).
145774 System area: SLB (wildcard VIP)
Description: In a configuration using a wildcard VIP, a small number of packets for a session on the VIP
mistakenly could be forwarded at Layer 3.
Severity: P2
145672 System area: Layer 7 / SLB
Description: When running SSL Intercept, the decrypted port 8080 SYN-ACK sent to the internal
ACOS device from the Internet ACOS proxy was routed to the client instead of being responded to with
a TCP ACK. This caused clients to experience either slowness while loading web pages or HTTP 504
failures.
Trigger:
Severity: P2
145645 System area: SLB (fast-HTTP and TCS)
Description: TCS did not work with fast-HTTP virtual ports.
Severity: P2
Workaround: Use HTTP virtual port


A10
Tracking
ID Issue
145600 System area: Layer 7 / SLB
Description: During HTTP content compression, the Vary header in the server response was over-writ-
ten by ACOS.
Severity: P2
145378 System area: System / WAF
Description: Entering the system-reset command removed the default WAF definition files.
Severity: P2
Workaround: Re-install the image. (Upgrade, or perform the upgrade again.)
Description: Entering the show running-config command could delete class-list files unexpectedly.
Severity: P2
Workaround: Reboot after restoring system configuration.
144965 System area: GUI / WAF
Description: ACOS could reload if the GUI was used to delete a WAF definition file.
Severity: P1


A10
Tracking
ID Issue
Description: If ACOS received a TCP RST from a client, but the session for the client was still half
open (the 3-way handshake had not yet been completed), the session remained in the system for about a
minute. The current release optimizes the system response to this situation, by deleting the session
immediately.
Severity: P2
Workaround: Use a Layer 4 virtual port type (for example, TCP) instead of a Layer 7 virtual port type.
144457 System area: DNSSEC
Description: DNSEC template did not work if a dash (“ - ”) was used in the template name.
Severity: P3
Description: Client-SSL template could not be configured on an HTTP virtual port in the GUI, but it
can be in the CLI.
Severity: P3
143923 System area: FPGA
Description: Under heavy load conditions, LACP packets could be dropped by the FPGAs.
Trigger: Heavy traffic.
Severity: P2


A10
Tracking
ID Issue
Description: Fan speed out of range message was displayed in the system log.
Trigger: None.
Severity: P2
143272 System area: SLB (fast-HTTP)
Description: In a configuration using a fast-HTTP virtual port, server responses that contained HTTP
headers but not a Content-length header or any data were not handled correctly. If a client sent multiple
requests on the same TCP connection, ACOS did not forward the requests to the server.
Severity: P2
Workaround: Use an HTTP virtual port instead of a fast-HTTP virtual port.
143233 System area: HA / SLB (HTTP)
Description: Standby AX IDLE Layer 7 sessions are being transmitted with source MAC addresses of
shared (VIP MAC), Instead of Interface MAC, causing upstream Layer 2 devices to program MAC on
the wrong port.
Trigger: Forcing HA failover when there are half open sessions.
Severity: P2
Workaround: Clear the half-open session before failover occurs (or before forcing a failover).
Description: The ACOS GUI interface was potentially vulnerable to cross-site scripting. This issue was
found in the GUI only.
Severity: P2


A10
Tracking
ID Issue
Description: Added a new option in the slb.global method to allow configuration on the “disabled_af-
lex_auto_server_up” option.
Severity: P3
143092 System area: RAM Caching
Description: In cases where replies to requests with Accept-encoding: gzip are cached, but the HTTP
header in a later request does not have the Accept-encoding header, ACOS always sent the content that
was cached based on the first request.
Trigger: Presence / absence of accept encoding.
Severity: P2
Description: In an SLB configuration with a WAF template, some requests were not completed.
Trigger:
1. Configure an SLB WAF template.
2. Send a request with some Post data.
For some Post sizes and timings, the data from the client is dropped by the ACOS device and the request
does not reach the server, preventing the client from receiving the page data.
Severity: P2
142738 System area: L7 Authentication
Description: Not all data under the /a10data/auth system directory was included in system backups per-
formed using the backup system command.
Severity: P3


A10
Tracking
ID Issue
Description: Some VRRP-A trunk tracking configuration could be lost on vBlades, if configured using
the GUI directly on the vBlades.

Severity: P2
Workaround: Configure VRRP-A track trunk in CLI in VCS environment.
Description: A duplicate entry was displayed in the GUI for a static route configured in an L3V parti-
tion.
Severity: P2
141628 System area: Connection-rate limiting
Description: If a connection-rate limit was specified in a template bound to a virtual port, and a real port
or real server was transitioning from DOWN to UP, “connection-rate-limit exceeded” messages could be
erroneously logged for real ports or real servers associated with that virtual port. This could occur even
if the number of connections did not exceed the configured connection-rate limit.
Severity: P2
141118 System area: SLB (Layer 7)
Description: If an ICMP destination unreachable message was sent to a VIP that also was processing an
SLB Layer 7 session, ACOS did not correctly modify the destination IP address before sending the mes-
sage packet. This resulted in the message being sent back to the VIP.
Severity: P2


A10
Tracking
ID Issue
Description: Hostname-based SLB server answers were not returned to clients when all health checks
were up.
Version: 2.7.1-P2
Severity: P2
140749 System area: IP NAT
Description: Active FTP did not work on an IP NAT session; ACOS did not correctly handle the FTP
PORT command.
Severity: P2
Description: Clearing the GSLB configuration could cause the device to reload, if the configuration
contained a GSLB host server.
Severity: P1
Description: Some directly connected routes were missing following LACP trunk flaps.
Trigger: LACP timeout.
Reproducibility: Low, need LACP timeout
Severity: P1
Workaround: Re-configure / flip those routes manually.


A10
Tracking
ID Issue
Description: The following SNMP traps, axServiceGroupMemberDisabledForNewConn, and axSer-
viceGroupMemberEnabledForNewConn, could not be sent when the event occurred.
Severity: P2
Description: In an SLB configuration with a WAF template, some requests were not completed.
Severity: P1
Description: The description of the axAppGlobalTotalSSLConnections (.1.3.6.1.4.1.22610.2.4.3.1.2.6)
object was incorrect.
• Correct – Get the total number of SSL connections.
• Incorrect – Get the total number of new SSL connections.
Note: The axAppGlobalTotalSSLConnections object returns the same value as axSslStatTotalSSLConn
(.1.3.6.1.4.1.22610.2.4.3.9.3).
Severity: P2


A10
Tracking
ID Issue
139945 System area: SLB (fast-HTTP)
Description: In a fast-HTTP configuration, the ACOS device sent a separate TCP SYN to the backend
server, for every request packet from the client, until the server responded. This could occur if the client
began sending data packets before receiving the first ACK from the ACOS device. As part of the ACOS
device’s normal behavior as an HTTP proxy, it sends an ACK to a client only after receiving the ACK
from the backend server. In the current release, the ACOS behavior is changed. Beginning in this
release, the ACOS device resends a SYN only for retransmitted packets, rather than for every packet.
Severity: P2
Workaround: Use virtual-port type HTTP instead of fast-HTTP.
Description: In a configuration using a RADIUS virtual port, where a source NAT pool was not bound
to the virtual port, ACOS correctly changed the VIP address into the real server IP address before for-
warding a client request to the backend RADIUS server, but did not change the server IP address back
into the VIP address before forwarding the server’s reply to the client.
Severity: P2
Description: On model AX 3030, the show cpu command showed 100 percent utilization on the control
CPU every 30 seconds, for a span of 1-2 seconds during each occurrence.
Severity: P2
Description: When HTTP received FIN-ACK from a server, ACOS responded with a FIN-ACK even if
there was data from the client that needed to be sent to the server.
Severity: P2


A10
Tracking
ID Issue
138991 System area: Smart NAT / External-services template
Description: After the status of a health check changed from down to up, smart NAT attempted to delete
the sessions associated with the real port that was down. During this route change period, ACOS could
not allocate NAT pool resources, resulting in a delay before traffic could be load balanced to the backend
servers.
Severity: P2
138988 System Area: PBSLB
Description: In a configuration running both IP NAT and SLB traffic concurrently, the ACOS device
could reload during deletion of a session.
Severity: P1
Description: When logging out of the ACOS GUI, the user preferences were saved to a file and syn-
chronized across all of the vBlades. This caused the aVCS configuration information to change.
Severity: P2
138811 System area: ICMP rate limiting
Description: The rate-limit counters in show icmp output could be incorrect, even though the feature
was working properly.
Severity: P4


A10
Tracking
ID Issue
Description: On models AX 5100 and AX 5200, the usage meter for system memory was erroneously
labeled “CPU Usage”. This issue affected the page displayed by Monitor Mode > Overview > Perfor-
mance > Summary.
Severity: P2
138286 System area: Health Monitoring (Layer 3 DSR)
Description: In an IPv6 Layer 3 DSR configuration, an IPv6 health monitor did not work if it was
applied at the real-port configuration level. This issue did not affect health monitors applied at the ser-
vice-group level.
Severity: P2
138283 System area: SLB (External-services template)
Description: In an external-services configuration, ACOS could reload if the health-check status of a
server changed from down to up.
Severity: P1
138157 System area: aXAPI, SSL
Description: The response to an call for an x.509 v3 certificate included the private key.
Severity: P2


A10
Tracking
ID Issue
138004 System area: Hardware-based SYN cookies / connection-rate limiting
Description: In a configuration including both the hardware-based SYN cookie feature and connection-
rate limiting, when the limit was exceeded, the over-limit sessions were not removed properly. Instead:
• A half-open session was left in the session table, with the VIP address listed in both the Forward Dest
and Reverse Source columns.
• An invalid SYN segment was sent to the client, due to a re-route error.
Severity: P2
137881 System area: aFleX (SSL)
Description: The ACOS device could reload when using aFleX to perform content replacement over
SSL.
Severity: P1
Description: During heavy IP NAT traffic, the ACOS device could select different IP addresses from a
NAT pool for the control and data sessions of the same FTP connection.
Severity: P2
137419 System area: SLB (External-services template)
Description: If ACOS received a 403 (Forbidden) message from the backend server, ACOS forwarded a
200 (OK) message to the client. This is expected behavior. However, in a case where the maximum ses-
sion life (MSL) timer was set to 20, and the reset-unknown-conn option was enabled, ACOS should send
a RST for any PUSH Acknowledge (PA) packet that arrives after resetting the client. However, before
this issue was fixed, ACOS simply dropped PUSH packets that arrived after reset of the client connec-
tion.
Severity: P3


A10
Tracking
ID Issue
Description: If the backend server sent a response without the Content-length header, then closed the
connection, the ACOS device forwarded the FIN to the client and removed the session, without waiting
for the client to close the connection. Beginning in the current release, the ACOS device waits for the
client to close the connection before deleting the session.
Severity: P2
Description: The ACOS device experienced abnormally high control CPU utilization rates if the aXAPI
gzip option was used to retrieve a configuration in which a large number of ports had been assigned to a
real server.
Trigger: This issue could occur under the following conditions:
1. Configure a real server with a large number o f ports.
2. Repeatedly use the aXAPI gzip option to retrieve the configuration, while simultaneously monitoring
CPU usage.
Severity: P2
Workaround: Disable gzip by removing the “Accept-Encoding: gzip” header from the HTTP client.
Description: The output for aXAPI method slb.virtual_server was missing the vrid element.
Severity: P2
Description: Oracle database Health-check failures could fill the failure log on the ACOS device drive,
causing operational issues.
Trigger: Described
Severity: P1


A10
Tracking
ID Issue
Description: If an event command was included within a when body, ACOS reloaded. For example,
the following command could cause a reload: when HTTP_REQUEST { HTTP_RESPONSE }
Severity: P2
136246 System area: SLB (MSL timer)
Description: The maximum session life (MSL) timer was not applied to a session following expiration
of the half-close-idle-timeout.
The half-close-idle-timeout is optional. If the option is enabled, a session enters the half-closed state
when the ACOS device receives a FIN from the backend server, before receiving a FIN from the client.
In previous releases, the session was deleted after the half-close-idle-timeout expired. Beginning in this
release, the MSL timer begins for a session after the half-close-idle-timeout for that session expires.
Severity: P3
Workaround: Do not use the half-close-idle-timeout option for SLB TCP sessions.
136189 System area: HA / VRRP-A / aFleX
Description: If HA or VRRP-A was configured, and an ACOS device failed over from an active device
to the standby device, an internal error during aFleX processing could cause a reload.
Severity: P1
136063 System area: SLB - HTTP
Description: The SYN-ACK request sent to a client could have the same MAC address for the source as
for the destination.
Trigger: Configure an HA pair without an HA group ID.
Version: 2.7.1 and later
Severity: P2


A10
Tracking
ID Issue
Description: If the ACOS device was configured to use the management port to send Syslog messages,
using the GUI to change the management IP address stopped further Syslog messages from being sent
on the port.
Severity: P2
135631 System area: SLB (DNS session aging)
Description: SLB DNS sessions aged out sooner than expected under the following circumstances:
• Aging was set to “short” within a UDP template bound to UDP port 53 (the default DNS port)
• Multiple requests/responses were processed for the same session on that port
Severity: P2
Description: Under a rare internal error condition, AX fail-safe checks could get false-positive results.
This would cause the fail-safe mechanism to restart the ACOS device to avoid further disruption in traf-
fic processing.
Severity: P1
135094 System area: SLB (TCP)
Description: The ACOS device could sometimes send a RST packet to a client if a FIN was received
from the backend server. This could create issues if there was buffered data waiting to be transmitted to
the client. The ACOS device also could send an ACK with an incorrect sequence number to the backend
server during connection close.
Severity: P2


A10
Tracking
ID Issue
134806 System area: HA (configuration synchronization)
Description: Admin usernames and passwords were not synchronized to the standby device.
Severity: P2
Workaround: Manually configure the admin account info on the standby device.
134740 System area: L3V (Resource-usage templates)
Description: An SSL throughput limit configured in a resource-usage template in a private partition
might not take effect.
Severity: P2
134686 System area: Routing (IS-IS)
Description: The MD5 authentication TLV in IS-IS LSPs could become corrupted when the ACOS
device flooded the received LSPs with lifetime == 0.
Trigger:
1. Generate lifetime == 0 LSP from the neighboring router with MD5 authentication TLV encoded.
2. Capture the LSP packet flooded by ACOS device on non-LSP received IS-IS interface.
3. LSP with lifetime ==0 flooded by ACOS device has a corrupted authentication TLV, which will be
dropped by the neighboring router, due to the authentication failure.
Severity: P2
134191 System area: aFleX (SLB)
Description: The ACOS device sent a TCP RST instead of dropping traffic, for traffic that matched an
aFleX script that used the “drop” command.
Severity: P2


A10
Tracking
ID Issue
Description: If the idle-timeout value in the default TCP or UDP template was set to higher than 255
minutes, the setting was not used.
Severity: P2
Description: In some error cases, a NAT resource was not released.
Severity: P2
Description: IP routes could not be deleted using the GUI.
Severity: P2
Description: GSLB TTL values were not correct when the geoloc-alias option was used. This issue
could occur if there was data flowing between multiple services.
Severity: P2
Description: A shutdown or restart notification (such as axSystemShutdown) might not be generated if
the shutdown or restart was initiated using the CLI.
Severity: P2


A10
Tracking
ID Issue
132223 System area: System (LACP)
Description: The ACOS device could reload following a state change (up/down) of an LACP VE.
Severity: P1
Description: Sessions could remain in the session table even after the MSL timer expired. This could
occur under either of the following circumstances:
• If the half-close-idle-timeout option was configured for a Layer 7 virtual port, the connection was re-
queued for another 2 seconds, delaying its removal from the session table.
• An HTTP proxy (Layer 7) connection was put in the delete queue by the proxy state machine, and was
re-queued to be examined 4 seconds later. This could occur if ACOS saw any ACK/FIN-ACK packets
arriving on that connection after it had been put it in the delete queue. This delayed the removal of the
session.
Version:2.7.1-P2 and earlier
Severity: P3
Workaround: Avoid using the half-close-idle-timeout command for Layer 7 virtual ports.
131458 System area: SLB (aFlow and connection-reuse)
Description: If both the aFlow and the connection-reuse features were enabled on a Layer 7 virtual port
(such as HTTP or HTTPS), the ACOS device could reload.
Severity: P1
Workaround: Do not enable the aFlow feature if connection-reuse is also enabled.
Description: The show debug command displayed incorrect debug packet parameters.
Severity: P2


A10
Tracking
ID Issue
129793 System area: DDoS (IP anomaly filtering)
Description: Using the IP anomaly-drop frag option to drop potentially malicious IP fragments did not
work on non-FPGA based ACOS devices for non-TCP traffic, such as UDP and ICMP traffic.
Severity: P2
Description: Graceful restart was not supported for BGP decline of open capability 64.
Trigger: Neighbors sends open capability 64, which should cause a graceful restart.
Version: 2.7.1-P2
Severity: P2
Workaround: Disable capability negotiation.
128125 System area: Layer 7 proxy (HTTP, tcp-proxy, HTTPS)
Description: If a client re-transmitted a SYN request with the same sequence number, ACOS generated
a new SYN/ACK request with a different sequence number.
Version: 2.7.1-P1
Severity: P2
124361 System area: ICMP / NAT / SLB
Description: Traceroute did not work correctly for ICMPv4 or ICMPv6, in configurations that included
a wildcard virtual port (a VIP configured with port 0 others), and also included IP NAT.
Severity: P2


A10
Tracking
ID Issue
103834 System area: External service (URL filtering service)
Description: In a configuration with dynamically removed proxy servers, the ACOS device could
reload during heavy traffic load.
Severity: P1
Description: ACOS sent a RST to an incorrect interface when the slb msl-time or slb reset-stale-ses-
sion options were enabled and if ACOS received a SYN or PSH/ACK packet.
Severity: P3


ACOS 2.7.1-P2 contains fixes for issues listed in Table 6. The issues are
listed by A10 tracking ID, beginning with the highest issue ID (the most
recently logged issue).
Note: This document may be updated with additional fix information.
TABLE 6 Fixes in ACOS 2.7.1-P2

A10
Tracking
ID Issue
135040 System area: SLB (HTTP and connection requests)
Description: If ACOS received multiple connection requests from a client by way of an SLB HTTP
proxy, ACOS applied client IP insertion (from a template or aFleX) on only the first such connection
request. This behavior has been fixed in this release such that ACOS will apply the requested template
action for all client connection requests until the server replies with the proper status code (such as 200).
Severity: P2
134221 System area: vThunder (GUI)
Description: Attempting to use the vThunder GUI could result in a failure to access the GUI and high
CPU utilization in some cases. For example, this issue could occur due to process: 'sh -c cp'
Severity: P2
133819 System area: SLB (WAF template)
Description: If a POST request in a WAF template contained the key=value pair option and the length
of the value was greater than 2048 characters, then ACOS could fail to parse the POST request, and this
resulted in a failure to parse valid HTTP traffic.
Severity: P2

TABLE 6 Fixes in ACOS 2.7.1-P2 (Continued)

A10
Tracking
ID Issue
133753 System area: ACLs
Description: If changes (such as adding or removing rules) were made to an ACL that was bound to a
management interface, the changes were not applied immediately.
Severity: P2
Workaround: Reload the device for the modified ACL to take effect.
133564 System area: aFleX (HTTP::collect feature)
Description: ACOS stopped collecting data after the first 1200 bytes when using HTTP::collect to do
string replacement in an HTTP payload.
Severity: P2
Description: WAF caused ACOS to reload when an XSS check (within the WAF template) was done on
a long URL with more than 511 characters.
Severity: P1
133516 System area: HTTP (chunk encoding)
Description: ACOS erroneously considered non-chunked HTTP packets to be chunked packets if they
were preceded by a chunk-encoded request. This caused Layer 7 HTTP to terminate the connections too
early.
Severity: P2


A10
Tracking
ID Issue
Description: The internal ACOS device in an SSL Intercept deployment could reload if a server
responded with an SSL handshake packet that also included application data.
Severity: P1
Description: When viewing the running-config and startup-config files through the ACOS GUI, incon-
sistent sizes were displayed for the files within an RBA partition. The running-config file should have
been the same as the startup config, but it appeared to be larger than the startup-config file.
Severity: P2
Description: ACOS reloaded if there was an HTTP template with the response-content-replace option
configured under a Layer 7 virtual port.
Severity: P1
133219 System area: aVCS (SSL Intercept)
Description: In an aVCS deployment, SSL Intercept commands within a client-SSL template were not
synchronized to the vBlades.
Severity: P2


A10
Tracking
ID Issue
Description: The logging email filter module name was inconsistently displayed in the CLI and GUI.
Severity: P4
132785 System area: aVCS (aXAPI)
Description: A memory leak could occur when the vMaster retrieved information from a vBlade using
the aXAPI.
Severity: P1
Description: The header sanity check erroneously denied cookies that were longer than 4k long.
Severity: P2
Description: The internal ACOS device in an SSL Intercept deployment experienced an SSL memory
leak if a Client Hello packet was received containing a Server Name Indication (SNI) extension.
Severity: P1
Description: The internal ACOS device in an SSL Intercept deployment could reload if it received a
server certificate which contained a Subject Name Extension.
Severity: P1


A10
Tracking
ID Issue
132400 System area: SLB (WAF template)
Description: If an ACOS device was deployed in WAF Learning Mode and ACOS was then reloaded or
rebooted, this caused the WAF policy to be automatically restored to WAF Active Mode.
Severity: P1
132265 System area: SNMP (MIBs)
Description: A third-party MIB application could not parse the ACOS MIB file (A10-AX-MIB.txt) due
to objects that had data type Counter. To fix this issue, these objects now use data type Counter32.
Severity: P2
Description: Following upgrade to ACOS 2.7.1-P1, the fail-safe hw-error-monitor-enable command
appeared in the running-config. Although the state change for this feature is part of a documented behav-
ior change for 2.7.1, the command’s appearance in the configuration was not an expected behavior. (For
more information on this change, see “Fail-safe Hardware Monitoring Enabled By Default”.)
Severity: P2
Description: If a server-SSL template included the close-notify option and the virtual-port template
included the reset-unknown-conn option, the server-side SSL connection did not close following server
certificate verification failure.
Severity: P2


A10
Tracking
ID Issue
Description: The internal ACOS device in an SSL intercept deployment experienced a memory leak as
a result of the clear slb ssl-forward-proxy-cert command failing to clear the ACOS-signed server cer-
tificates. In such situations, memory was not released as expected.
This issue occurred with internal certificates containing the Subject Name Extension.
Severity: P1
Description: The internal ACOS device in an SSL intercept deployment experienced an SSL memory
leak due to ACOS not releasing the original server certificate after it had been signed.
Severity: P1
Description: An issue occurred in which ACOS self-signed certificates were not accepted by the Safari
Internet browser used on iPad or iPhone devices.
Severity: P2
Description: The WWW-Authenticate header was removed if the header value was 9 characters or
more.
Severity: P2


A10
Tracking
ID Issue
Description: If when big buffer pool support was enabled, the value for the total number of FPGA buf-
fers was incorrect and caused an incorrect number to be reported in the “Approximate # buffers in total”
field within the output of the show system platform buffer-stats command.
Version: 2.7.1 and 2.7.1-P1 releases
Severity: P4
131455 System area: SSL (client-SSL template)
Description: The disable-sslv3 and sslv2-bypass options within a client-SSL template failed to work as
intended for vThunder.
Severity: P2
131449 System area: SLB (external-service template/URL filtering)
Description: In an external-service configuration, ACOS could unexpectedly accept an HTTP request.
This could happen in the following scenario:
• The client sent two consecutive HTTP requests to the destination server over one TCP connection.
• For the first request, the proxy server responded with “HTTP 200 OK”, and the request was for-
warded to the destination server, as expected.
• For the second request, when the proxy server responded with a FIN message instead of “200 OK”,
the ACOS device forwarded the request to the destination server. However, ACOS should have
instead sent a RST to both the client and the destination server.
Severity: P2
Description: ACOS reloaded due to memory corruption if codenomicon negative SSL traffic was sent
to an SSL Intercept deployment that used a server key field exceeding 64 bytes.
Severity: P1


A10
Tracking
ID Issue
Description: Mismatched error messages could appear for some failed aFleX commands due to an inter-
nal error.
Severity: P3
131014 System area: SLB (MSL timer)
Description: The MSL timer did not take effect for Layer 4 TCS sessions that were subject to the half-
close-idle-timeout option.
Severity: P2
Workaround: Do not configure the half-close-idle-timeout option under the TCP template.
Description: A maximum file size of 8K for class-list file size was supported. In the current release, the
size has been increased to 32K.
Severity: P2
130693 System area: SNMPv3
Description: DES/AES message data encryption was not supported for SNMPv3.
Severity: P2


A10
Tracking
ID Issue
Description: Some 64-bit FPGA-based models experienced a memory leak if traffic included ICMP/
ICMPv6 NAT or static NAT sessions.
Severity: P1
130469 System area: System/logging (WAF)
Description: ACOS could reload if a WAF template contained the special character “%”.
Severity: P1
Workaround: Format the string as text only.
130436 System area: SLB (Health Monitor)
Description: If the disable [when-all-ports-down | when-any-port-down] option was enabled on a
virtual server, the service group state was marked functional up even when one member was disabled
and another was down.
Severity: P2
Description: The http-request-packet option could cause a reload.
Severity: P1


A10
Tracking
ID Issue
130123 System area: Smart NAT
Description: It could take up to 5 seconds for a server to be selected by SLB after successfully passing a
Layer 3 health check following server recovery.
Severity: P2
Description: If the reset-unknown-conn feature was configured on a Layer 7 VIP, ACOS could send a
RST to an incorrect interface.
Severity: P2
130078 System area: Layer 7 HTTPS
Description: Compression did not work as expected when chunk encoding was used at the same time as
SSL on the same virtual port.
Severity: P2
Description: The axAppGlobalStats MIB object always returned 0.
Severity: P2


A10
Tracking
ID Issue
Description: aVCS staggered-upgrade could fail due to a connectivity delay. To fix this issue, a new
command is added in this release to delay the start of aVCS following a reload/reboot:
vcs force-wait-interval
Severity: P1
129340 System area: SLB (transparent session)
Description: TCP/UDP transparent sessions had an abnormally long idle-timeout of 1800 secs. The
default idle-timeout for TCP/UDP transparent sessions has been restored to 120 seconds.
Severity: P2
Description: The aFleX “incr” command for global variables could cause a memory leak if used with
server selection and logging commands.
Severity: P1
Workaround: Use "expr $::var + 1" instead of "incr".
Description: The VE link up/down trap had an incorrect enterprise OID, causing an erroneous ACOS
model to appear in the name of the SNMP trap.
Severity: P3


A10
Tracking
ID Issue
Description: If a client sent an ICMP Type 3 Code 1 packet to the VIP, ACOS sent an incorrect ICMP
packet to the server.
Severity: P2
Description: The SNMP agent did not respond properly to SNMP requests that timed out or were for an
invalid object. This could cause high CPU utilization or a reload.
Severity: P2
Description: The ACOS GUI did not display the CPU Usage Chart and Memory Usage Chart correctly
when using Internet Explorer version 10.
Trigger: From the ACOS GUI, navigate to Monitor Mode > Overview > Summary, or
Monitor Mode > Overview > Performance.
Severity: P2
Description: If a client re-transmitted a SYN that contained the same sequence number as a previously
sent SYN, ACOS erroneously generated a new SYN/ACK that contained a different sequence number.
Severity: P2


A10
Tracking
ID Issue
127832 System area: System (SNMP)
Description: Output from the CLI command show snmp oid virtual-server displayed incorrect spell-
ings for the following objects: “axVirtualServerStatPkgIn” and “axVirtualServerStatPkgsOut”.
These spellings have been corrected to the following: “axVirtualServerStatPktsIn” and “axVirtualS-
erverStatPktsOut”.
Severity: P3
127702 System area: Hardware-based SYN Cookies
Description: If hardware-based SYN cookies were enabled and a reset (RST) packet was sent by the cli-
ent to the TCP virtual port, the ACOS device created a session for the packet and the session remained in
a half-open state.
Severity: P3
Description: The power supply voltage was not measured correctly. This resulted in incorrect values
being displayed by the show environment debug command.
Severity: P3
126070 System area: System (fan logging)
Description: The system log could contain erroneous fan failure or power supply failure messages.
Severity: P2


A10
Tracking
ID Issue
125866 System area: ICMP rate limiting
Description: When the icmp-rate-limit option was configured on a VE interface, ACOS could some-
times erroneously report that the rate limit was exceeded, and it dropped any subsequent ICMP packets
on that VE interface. The 'over limit drops' was also incremented.
Severity: P2
Description: If the server name option was used in a client-SSL template in a private partition, the
server name was mistakenly treated as an CLI object instead of an string. This issue did not affect con-
figuration in the shared partition.
Severity: P4
Description: The FPGA IP Anomaly counters cannot be cleared using the clear slb all command.
Severity: P2
Workaround: Use the clear slb switch command.
Description: If the clear slb all command was used on a standby ACOS device in an HA pair, the cur-
rent connection counter for the real servers did not get cleared.
Trigger: With live client traffic running on the ACOS device, use the show slb server command and
check the output for the current connection counter for the real server on the standby ACOS device.
Severity: P3


A10
Tracking
ID Issue
Description: The port number is incorrect in log for HA port track.
Trigger: “HA sync” command.
Version: 2.6.1-GR1-P9, Trunk (before 2.7.1-P1 Build 53).
Severity: P1
Description: If a partition admin exported tech support output using the show techsupport export com-
mand, the output contained details for all partitions and should not have.
Severity: P2
104419 System area: Template (TCP proxy)
Description: If the reset-rev option was enabled within a TCP-proxy template, and the template was
bound to a virtual port, the ACOS device sent a FIN instead of a RST to the client when the session aged
out.
Severity: P2
102115 / System area: SLB (external-service template/URL filtering)
131089 Description: The total failure action counter for external-service templates/URL filtering was not incre-
mented if any of the following failures occurred:
• host field not valid
• host field length over 263 bytes
• proxy response unknown status code
• connection failure
Severity: P2


A10
Tracking
ID Issue
101308 System area: SLB (Logging)
Description: ACOS did not generate a log message when a VIP was enabled or disabled.
Severity: P3
101272 System area: System (CLI)
Description: On some ACOS devices, an incorrect range was displayed in the CLI for the monitor buf-
fer-usage command. Although the actual supported range could go up to 8 million (with big-buff-pool
enabled), the allowable range that could be specified in the CLI was limited to no more than 4 million.
Severity: P4
99869 System area: aFleX (HA)
Description: Sessions that were made persistent by the aFleX persist uie command were not synchro-
nized to the standby ACOS device.
Severity: P2
99610 System area: SLB (external-service template)
Description: When the ACOS device received a “403 forbidden” error message from a proxy, instead of
transitioning to a client request state as expected, the ACOS device transitioned to an invalid state and
sent a RST to the client without waiting for an ACK, thus causing the connection to be erroneously
deleted.
Severity: P2


A10
Tracking
ID Issue
99073 System area: SLB (external-service template)
Description: The ACOS device did not send a RST to the client and real server if the external service
sent a FIN to the ACOS device.
Severity: P2

Enhancements in ACOS 2.7.1-GR1
ACOS 2.7.1-GR1 includes the following enhancements.
CPU Load Sharing

When the ACOS device detects that one CPU is oversubscribed (due to a UDP flood attack), the packets
destined to that CPU are distributed to other CPUs for processing using the round robin algorithm. The
typical way in which this is accomplished is described below:
1. When packets enter the ACOS device, they are processed by the data CPUs. For example, the AX5200
has 15 data CPUs that are available to process packets.
2. Next, the decision as to which data CPU will process the packet is determined.
In most cases, the number of packets are evenly divided and processed by the CPUs. However, if an attack
targets one data CPU, it may receive an abundance of packets in comparison to others. This feature helps
offload the attacked CPU and distributes incoming traffic amongst the CPUs.
The CPU load sharing feature (a.k.a, “CPU Round Robin”) is triggered when all of the following condi-
tions occur:
1. If the utilization rate of the CPU being targeted exceeds the configured high CPU usage threshold
(which has a default value of 75%), AND
2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum configured threshold
(the default is 100,000 packets per second), AND
3. If the CPU being targeted is receiving 150% more packets-per-second than the median CPU packets-
per-second rate on the ACOS device. If all CPUs are under a heavy load, there would be no advantage
to using round robin to distribute the traffic.
The CPU load sharing feature stops when the following conditions are met:
1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND
2. Either of the following packets-per-second rates would apply to the targeted CPU if CPU round robin
support was turned off:
a. If the targeted CPU is receiving packets at a rate below the minimum configured packets-per-sec-
ond threshold, OR
b. If the utilization rate of the targeted CPU is no longer 150% higher than the median of its neigh-
boring CPUs.

You can configure the thresholds for the CPU load sharing feature using the syntax below:
[no] system cpu-load-sharing
{
cpu-usage low percent |
disable |
enable |
packets-per-second min num-pkts
}
Parameter Description
cpu-usage low Maximum CPU utilization allowed on control CPUs, before CPU load sharing is
percent used. You can specify 0-100 percent.
disable Disables CPU load sharing. The feature is not used even if a threshold is exceeded.
enable Enables CPU load sharing. The feature is used when a threshold is exceeded.
packets-per-sec- Maximum number of packets per second any CPU can receive, before CPU load
ond min num-pkts sharing is used. You can specify 0-30000000 (30 million) packets per second.
Defaults
The CPU load sharing feature is enabled. The thresholds have the following default values :
• cpu-usage – 60
• packets-per-second – 100000
Source port rate limiting

For some DDoS attacks on CPUs, the attack originates from the same source IP with a fixed source port.
Because of hashing algorithms, packets from the same source IP with a fixed source port are always sent to
the same CPU. This allows the DDoS attack to target a CPU and consume resources that are needed to
direct legitimate traffic.
To help prevent the home CPU from being a bottleneck, ACOS provides the option of enabling source port
rate limiting and source IP rate limiting on a virtual-port template. This enables traffic rate monitoring on
virtual ports to which the template is bound, and it can be applied when CPU round robin is not active, or
only when CPU round robin is triggered. Rate limit monitoring only applies for client to server traffic.
Packets originating from the server are not monitored.
Keep in mind that source port rate limiting and source IP rate limiting only applied to IPv4 traffic. Incom-
ing IPv6 packets are not rate limit controlled.

You can configure the options for source port and source IP rate limiting under the virtual-port template
using the syntax below:
[no] pkt-rate-limit
[src-ip-port | src-port]
rate [pkt-rate]
[no-logging]
[when-rr-enable]
Parameter Description
src-ip-port Monitor and limit the packet rate for packets sent from the same source port and
source IP to the virtual port.
src-port Monitor and limit the packet rate for packets sent from the same source port to the
virtual port.
rate pkt-rate Packet rate limit per second (1-1048575). The source port or source port and IP are
dropped when this rate is exceeded.
no-logging Disable logging when the packet rate limit is exceeded.
when-rr-enable Monitor the packet rate only when CPU round robin is triggered. For more informa-
tion about configuring CPU round-robin, see “system cpu-load-sharing” in the CLI
Reference.
Without the when-rr-enabled option, the source port rate for client requests is always
monitored.
If you use the when-rr-enabled option, note that rate limiting is not performed if CPU
round-robin is not triggered. Only after CPU round-robin is triggered will the ACOS
device start to monitor the source port rate across all CPUs.


Enhancements in ACOS 2.7.1-P6
ACOS 2.7.1-P6 includes the following enhancements.
Documentation Enhancements
ACOS 2.7.1-P6 introduces the following documentation enhancements.
• ACOS 2.7.1-P6 provides documentation in responsive HTML format with online search capability per
document. This documentation set will also be available in PDF format.
• The hardware documentation library has been revamped completely. The instructions provide informa-
tion on installing each device, and all field replaceable units (FRUs).
• The core set of manuals and reference guides have been updated to remove references to “Contact A10
Networks”. In most cases, these references were replaced with descriptions provided by subject matter
experts.
• The following documents contain specific changes for this release:
• The aFleX Reference has been reorganized, the structure of the document has been updated, and
many examples have been revised.
• The Application Access Management and DDoS Mitigation Guide has been revised to include
missing information.
• The System Configuration and Administration Guide and Application Delivery and Server Load
Balancing Guide have been restructured to co-locate related content.
At the time of this publication, other documentation provided as part of this documentation set remains
unchanged since the previous release.
• These Release Notes contain cumulative information from prior patch releases for supported features,
known issues, and fixed bugs. Previous release notes were inconsistent in embracing this approach,
sometimes making it necessary to search multiple sets of release notes to find this information.
• All feature content from prior patch release notes has been ported into the core manuals.
• Where possible, certain improvements, both cosmetic and technical, were made to the documentation
set in order to address documentation issues reported by customers in prior releases. Issues corrected
include broken cross references and updating outdated or incorrect values.
• Certain changes or enhancements or corrections have been made to the content in the following topics:
• “port mirroring”
• “udp timers”
• “conn-reuse”

TLS Fallback Signaling Cipher Suite Value (SCSV) to

Mitigate SSL POODLE Vulnerability
This release introduces support for TLS Fallback Signaling Cipher Suite Value (SCSV), which has been
added to eliminate the SSL POODLE vulnerability and associated POODLE attacks.
The POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”) is a man-
in-the-middle (MITM) exploit that takes advantage of Internet and security software clients' fallback to
SSL 3.0. This vulnerability has the CVE ID CVE-2014-3566.
In a POODLE attack, the attacker can manipulate the SSL handshake messages in order to trick both the
server and the client into using SSL v3.0. (This can be accomplished even if both the server and client sup-
port the more secure protocols, such as TLS 1.2.)
To prevent the POODLE protocol downgrade attack, ACOS has implemented the TLS Fallback Signaling
Cipher Suite Value (SCSV), which defines a new TLS cipher suite value, TLS_FALLBACK_SCSV (draft-
ietf-tls-downgrade-scsv-00).
TLS_FALLBACK_SCSV serves as a signal value instead of a suite of crypto-systems, and its presence in
the client ‘hello’ message serves as a backwards-compatible signal from the client to the server.
New MIB Object Added: axGlobalTotalThroughput

The following new MIB object was added to 2.7.1-P6:
axGlobalTotalThroughput
Description Gets the total throughput of all the interfaces.
OID .1.3.6.1.4.1.22610.2.4.3.1.2.13
Data Type Counter 64
MIB Objects Re-organized with New MIB Files Added

In ACOS 2.7.1-P6, the MIB files have been modified to merge generated traps, and the MIB objects have
been re-organized according to their functional area.

The name of the compressed .tar file that can be downloaded from the ACOS device has not changed, but
the uncompressed file will contain the following updated set of MIB files:
• A10-AX-MIB.txt
• A10-AX-NOTIFICATIONS-V2C-COMMON.txt
• A10-AX-NOTIFICATIONS-V2C-GSLB.txt
• A10-AX-NOTIFICATIONS-V2C-SLB.txt
• A10-AX-TRAPS-V1-COMMON.txt
• A10-AX-TRAPS-V1-GSLB.txt
• A10-AX-TRAPS-V1-SLB.txt
• A10-COMMON-MIB.txt
For more information about these new MIB files, please see the section called, “ACOS MIB Files” in the
MIB Reference.
New aXAPI Methods Added for slb.class_list.string

In previous releases, the aXAPI method “slb.class_list.entry.delete” did not support type = string, and
could therefore not be used to remove such entries.
For example, if the following class-list was configured:

class-list list1 string
str abc def
Prior releases offered no aXAPI method that could be used to create, modify or remove “str abc def”.
In order to provide a way to delete, create, or update SLB class-list entries with string type, ACOS
2.7.1-P6 adds the following new aXAPI methods:
• slb.class_list.string.create
• slb.class_list.string.update
• slb.class_list.string.delete
These methods have the following input parameters:

• name - the name that identifies the entry.
• string_list - an entry list that is composed of string-type entries, each of which will contain the string,
and either an lid (with flag and lid_index) or a string_value.

These methods require Read Write privilege and support JSON format. The following URLs are used for
these methods:
http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&for-
mat=json&method=slb.class_list.string.create
mat=json&method=slb.class_list.string.update
mat=json&method=slb.class_list.string.delete
Example
The HTTP POST body below shows an example of the JSON data for this method:
{
"name": "c2",
"string_list": [
{
"string": "name00",
"lid": {
"flag": 1,
"lid_index": 100
}
},
{
"string": "name01",
"lid": {
"flag": 0,
"lid_index": 1
}
},
{
"string": "name02",
"string_value": "dddd"
}
]
}
Support for up to 500 characters in GET URL method

In previous releases, when configuring a GET url-path for a health monitor, previous releases supported
128 characters. In this release, the maximum limit has been increased to support up to 500 characters for
the url string GET url-path option.

Preventing dropped packets with ‘no ip anomaly-drop’

The ip anomaly-drop CLI command is used to offer protection against distributed denial-of-service
(DDoS) attacks. In prior releases, the ip-option sub-option sometimes did not behave as expected, and the
default behavior was to drop all IPv4 packets that have IP options (i.e, IP headers greater than 20 bytes in
length). However, in some load balancing situations, it would be preferable to allow these packets to pass
through the ACOS device.
To achieve this desired goal, the no ip anomaly-drop ip-option command should be used.
Notes:
• This command should not be used for AX 5100 and AX 5200 models.
• Packets with IP fragments should not be subject to this behavior.


Support for HTTP Lines Up to 32K Long

ACOS 2.7.1-P5 increases the maximum length supported for an HTTP
header in a request, from 16K to 32K, regardless of which header line is
larger.
HTTP header lengths are dependent on the information included in the
header. In previous releases, ACOS only supported up to 16 kilobytes for
the header, including the header name, but excluding the trailing carriage
return line feed.
Strictly for HTTP virtual ports, ACOS now supports double the header size.
ACOS load balancing accepts HTTP headers up to 32 kilobytes. Any header
line can be larger, meaning that any of the header fields (for example, autho-
rization, cookie, expect, host, etc.) can be longer, and the larger header size
is not restricted to allowing only certain fields to be larger.
No additional configuration is needed for this enhancement.
Increased Subnet Support (up to 2 million entries)

ACOS high-end platforms support an increased number of subnet entries in
Black/White lists. The upper limit has been increased from 64,000 subnet
entries to up to 2 million entries. The memory for subnet entries is not pre-
allocated. Therefore, the real limit will vary depending on how much mem-
ory is consumed by other features, but it cannot exceed 2 million entries.
The following platforms support up to 2 million subnet entries:

• AX 3000
• AX 3030
• AX 3200
• AX 3400
• AX 3500
• AX 5100

• AX 5200
• AX 5430
• AX 5630
• AX 6430
Note: This feature only expands the subnet capacity in Black/White Lists. It
does not affect host entry capacities.
Support for Dynamically Selected FTP Data Ports

ACOS 2.7.1-P5 extends the flexibility of FTP load balancing with support
for randomly selected data ports. In active File Transfer Protocol (FTP)
mode, the server typically responds to a client’s request from the server’s
local data port, port 20. ACOS allows the user to specify a port range that
can be used to initiate the data connection. A randomly selected data port is
a port that is dynamically selected by an FTP server running in active FTP
mode to use as the server's source port for the data connection.
You can configure support for dynamically assigned FTP data ports within
the FTP template. You can choose to support all valid ports, or you can
specify the range of ports the server can choose from to send to the client.
Each template only supports one range of data ports.
The template can be bound to any FTP virtual port; it does not need to be
the port the FTP server is listening on. When the template is bound to a port,
it immediately takes effect. It is not advisable to bind a template to a virtual
port when there is live traffic.
USING THE GUI
The current release does not support configuration of FTP templates using
the GUI.
USING THE CLI
To enable support for dynamically assigned FTP data ports, use the follow-
ing command at the configuration level for the FTP template:
[no] active-mode-port {any | portnum [to portnum]}

To allow active data connections to any available port number (1-65534),

use the any option. To allow only a specific range instead, specify it as fol-
lows: starting-portnum to ending-portnum
CLI Example
The following command enables use of protocol ports 1024-2024 for active
data connections to load balanced FTP servers:
ACOS(config-ftp template)#active-mode-port 1024 to 2024
The following command enables use of protocol ports 1-65534 for active
data connections to load balanced FTP servers:
ACOS(config-ftp template)#active-mode-port any
Stateful Request-ID-based DNS Load Balancing

ACOS 2.7.1-P5 enhances DNS load balancing, with support for stateful
request-ID-based load balancing. Request-ID-based load balancing distrib-
utes DNS queries on a request-ID basis. This helps provide even distribu-
tion of DNS query traffic behind a DNS proxy.
Without the query-ID-based load balancing option, multiple requests

received by a DNS virtual port appear to be from the same source, if the
source IP address and Layer 4 port are the same. For example, without
query-ID-based load balancing, if ACOS receives multiple requests from a
DNS proxy, the requests can appear to be from the same end-user, if they all
have the same source IP address and Layer 4 port.
Note: This feature applies only to DNS port 53. For other load-balanced DNS
virtual ports, requests are load balanced based on the following: |
– Source IP address and Layer 4 port

– Destination IP address and Layer 4 port
– Protocol (virtual port type: DNS, DNS-TCP, or DNS-UDP)
This is the same as DNS load balancing without request-ID-based load

balancing. The feature is “stateful” because ACOS session resources are
used, and the sessions can be viewed in the session table.

Configuration
To configure stateful request-ID-based load balancing:
1. Create a real server configuration for each DNS server.
2. Bind the server configurations to a service group. Use separate service

groups for IPv4 and for IPv6.
3. Create a DNS template. Within the template, enable the query-id-switch

option. The same template can be bound to both IPv4 and IPv6 VIPs.
4. Create a VIP and bind the service group and template to the VIP. Create
separate VIPs for IPv4 and IPv6.
This section shows the syntax for enabling the query-id-switch option. The
syntax for the configuring the other options is the same as in previous
releases.
Note: If a real server will support both IPv4 and IPv6 DNS, create separate real
server configurations for IPv4 and for IPv6. Likewise, use separate ser-
vice groups for the IPv4 servers and for the IPv6 servers. (Shown in “CLI
Example” on page 167.)
Enabling the query-id-switch Option
To enable stateful request-ID-based load balancing, use the following com-

mand at the configuration level for the DNS template:
query-id-switch
Displaying DNS Sessions and Their Request IDs
To display DNS sessions, including their request IDs, use the following
command:
show session dns-id-switch
For each stateful DNS session for a load-balanced DNS request, the DNS-
ID field lists the query ID.
To display the total count of DNS queries that were load balanced based on
query ID, use the following command:
show slb l4

The count is shown in the following field: DNS query id switch
CLI Example
The following commands configure query-ID-based DNS load balancing.

This sample deployment provides load balancing for an IPv4 DNS VIP and
an IPv6 DNS VIP:
• VIP “v4dns” - 70.70.70.70
• VIP “v6dns” - 2001:70:70:70::70
Each VIP receives DNS requests on UDP port 53. The requests all come
from the same proxying local DNS resolver, but actually are not all from the
same end-user.
The following commands add the configurations for the IPv4 DNS servers:
slb server dns1 70.70.70.71
port 53 udp
port 53 udp
port 53 udp
port 53 udp
port 53 udp

The following commands add the configurations for the IPv6 DNS servers:
slb server dns1v6 2001:70:70:70::71
port 53 udp
slb server dns2v6 2001:70:70:70::72
port 53 udp
slb server dns3v6 2001:70:70:70::73
port 53 udp
slb server dns4v6 2001:70:70:70::74
port 53 udp
slb server dns5v6 2001:70:70:70::75
port 53 udp
The following commands configure the service groups:
slb service-group dnsv4 udp
member dns1:53
member dns2:53
member dns3:53
member dns4:53
member dns5:53

slb service-group dnsv6 udp
member dns1v6:53
member dns2v6:53
member dns3v6:53
member dns4v6:53
member dns5v6:53
The following commands configure the DNS template:
slb template dns dns
malformed-query drop
query-id-switch
The query-id-switch command is used to enable stateful query-ID-based

load balancing.
The following commands configure the VIPs:
slb virtual-server v4dns 70.70.70.69
port 53 udp
service-group dnsv4
template dns dns
slb virtual-server v6dns 2001:70:70:70::69
port 53 udp
service-group dnsv6
template dns dns

After the ACOS device receives some DNS requests and load balances
them to the DNS servers, the following command is used to show the state-
ful DNS sessions in the session table:
ACOS#show session dns-id-switch
Prot Forward Source Forward Dest Reverse Source Reverse Dest
Age Hash Flags DNS-ID
------------------------------------------------------------------------------
---------------------------
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.75:53
60.60.60.60:12345 120 18 NFe0 15376
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.72:53
60.60.60.60:12345 120 18 NFe0 63804
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.75:53
60.60.60.60:12345 120 18 NFe0 45116
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.74:53
60.60.60.60:12345 120 18 NFe0 41047
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.73:53
60.60.60.60:12345 120 18 NFe0 57688
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.72:53
60.60.60.60:12345 120 18 NFe0 48444
The following command shows the total count of DNS requests that were
load balanced based on query ID:
ACOS#show slb l4
Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP SYN received 0
...
DNS query id switch 596597

TACACS+ Server Monitoring

ACOS 2.7.1-P4 introduces support for TACACS+ server monitoring, which
can be used to check the status of a pair of TACACS+ authentication serv-
ers. While prior releases supported the use of TACACS+ servers to perform
user authentication, the ACOS device did not support the ability to monitor
the status of those servers.
In previous releases, TACACS+ deployments typically involve a primary

server and a secondary server. User authentication requests are sent to the
primary server, and if the primary is not available, then the user’s authenti-
cation request times-out and the ACOS device redirects the request to the
secondary server. However, this could cause users to wait too long.
With the new TACACS+ monitoring feature enabled, the ACOS device
actively checks the status of both the primary and secondary TACACS+
servers. The user’s authentication request is sent to whichever TACACS+
server is active, regardless of whether it is the primary or secondary. If there
is a problem with the primary server, ACOS quickly discovers that the pri-
mary server is down and routes the user’s authentication request to the other
TACACS+ server (assuming it is up and available). In this way, monitoring
the status of the TACACS+ servers helps increase the speed with which
user’s requests are authenticated.
Details:
• The ACOS device sends a TACACS+ monitor request, which contains
the user name and password to the server in order to log into the device
and check if the server is available. If it is, then the last_available_time-
stamp will be updated with current time.
• If a user login authentication request arrives at the ACOS device, then
ACOS will send the request to the TACACS+ server that has the most
recent last_available_timestamp value.
• If the user’s login attempt is successful, then timestamp for that
server will be updated to the current time.
• However, if the user authentication request fails, then ACOS will
send the request to the secondary TACACS+ server.

• To enable this feature, you must configure the user name and password
for the TACACS+ server’s administrative account. While a simple
server port “ping” could be used to check the status, this is not recom-
mended because it could cause the ACOS device to be mistakenly seen
as an attacker, thus causing it to be added to the ACL.
USING THE GUI
The current release does not support TACACS+ monitoring configuration

using the GUI.
USING THE CLI
To enable TACACS+ server monitoring on the ACOS device, and to set the
frequency with which status checks are performed, use the following com-
mand at the global configuration level:
tacacs-server monitor interval seconds
The seconds option allows you to specify the frequency with which the
ACOS device will check the status of the TACACS+ server. You can spec-
ify a value from 1-120 seconds, and the default is 60 seconds.
Use the following command to specify the name and secret for the
TACACS+ server that will be monitored. This command also allows you to
set the administrative username and password needed to log into this server
(which is required to check the status of the device). This command is used
at the global configuration level:
tacacs-server host hostname secret secret-string monitor username name

password password
The hostname option allows you to specify the name of the TACACS+
server.
The secret-string option allows you to specify the password needed to

access the TACACS+ server.
The name option allows you to specify the administrative username needed
to access the TACACS+ server, without which the status cannot be checked.
The password option allows you to specify password associated with the
administrative username for the TACACS+ server.

When finished with your configurations, use the show tacacs-server CLI
command to verify your changes. This command provides the configured
values for the following parameters:
• current status
• last_available_timestamp
• number_of_failed_attempts after the last health check
• total_number_of_failed connection
• total number of failed authentication
MAC-Based Nexthop Routing

When MAC-based nexthop routing in enabled, the ACOS device sends the
reply to an inside client’s request back through the same route hop on which
the request was received. The ACOS device identifies the route hop based
on its MAC address. The device sends the reply to the MAC address instead
of using the route table to select the next hop for the reply. This feature is
supported only for ACL-based IPv4 NAT. The feature is not supported for
IPv6 NAT, class-list based IPv4 NAT, static IPv4 NAT.
Notes
• To allow replies to be sent to the inside client through the same route
hop on which the request was received, the MAC entry of the inside cli-
ent on the ACOS device must be valid. When the MAC entry expires,
the ACOS device will send the reply using the route table to select the
next hop.
• A session on standby will use the route table to select the next hop even
when the respond-to-user-mac command is enabled.
USING THE GUI
This ACOS release does not support this feature in the GUI.
USING THE CLI

1. Configure an ACL to identify the inside addresses that need to be trans-
lated using either of the following commands at the global configura-
tion level of the CLI.
Use a standard ACL to specify the host IP addresses to translate. All
host addresses that are permitted by the ACL are translated before traffic
is sent to the Internet.

To also specify other information including destination addresses and

source and destination protocol ports, use an extended ACL.
Standard ACL Syntax

access-list acl-num {permit | deny}
source-ipaddr {filter-mask | /mask-length}
Extended ACL Syntax
access-list acl-num {permit | deny} {ip | icmp}
{any | host host-src-ipaddr |

net-src-ipaddr {filter-mask | /mask-length}}
{any | host host-dst-ipaddr |

net-dst-ipaddr {filter-mask | /mask-length}}
or
access-list acl-num {permit | deny} {tcp | udp}
{any | host host-src-ipaddr |

net-src-ipaddr {filter-mask | /mask-length}}
[eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port]
{any | host host-dst-ipaddr |

net-dst-ipaddr {filter-mask | /mask-length}}
[eq dst-port | gt dst-port | lt dst-port |
range start-dst-port end-dst-port]
2. To configure a pool of external addresses to use for translation, use one

of the following commands at the global configuration level of the CLI.
To configure an IPv4 pool:
ip nat pool pool-name start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[gateway ipaddr]
[ha-group-id group-id [ha-use-all-ports]]
Note: The ha-use-all-ports option applies only to DNS virtual ports. Using this
option with other virtual port types is not valid. (For information about
this option, see the CLI Reference.)
3. To enable MAC-based nexthop routing for inside source NAT, use the
following command:
ip nat inside source list acl-name
pool {pool-name | pool-group-name} respond-to-user-
mac

CLI Example
ACOS(config)# access-list 1 per 30.30.30.0 /24
ACOS(config)# ip nat pool nat pool 40.40.40.1 40.40.40.10 netmask /32
AX(config)# ip nat inside source list 1 pool nat pool respond-to-user-mac
In the example above, the user configures an ACL to specify the internal
hosts to be NATed. They then configure an IPv4 pool of external addresses
to use for the NAT translations. Finally, they enable the inside source NAT
and associate the ACL with the pool in which MAC-based nexthop routing
is enabled.
WAF ICSA Certification

A series of minor changes to the WAF behavior in order to complete ICSA
certification.
Log DDoS Attack Detection Events

This feature introduces three new logging commands to detect and log secu-
rity related events. The new commands are as follows:
system anomaly log - will log IP anomalies
system attack log - will log SYN/ACK attacks
system pbslb log - will log sock stress attacks
Each of the new commands can be accessed and enabled from the global
configuration level. As a default, ACOS will run system checks every 30
seconds. If ACOS detects any changes, the appropriate log will be printed.
CLI Example
The following CLI example shows the log output generated by system
anomaly log.
Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the TCP NO
FLAG profile have been detected. Previous 531, Current 6999
Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the LAND
ATTACK profile have been detected. Previous 531, Current 6999

attack log.
Jun 23 2013 14:40:45 Warning [SYSTEM]:IP packets matching the TCP SYN ATTACK
profile have been detected. Previous 0, Current 820711
Jun 23 2013 14:39:45 Warning [SYSTEM]:IP packets matching the TCP ACK ATTACK
profile have been detected. Previous 0, Current 2754803
pbslb log
Feb 16 2014 02:38:51 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB
ZERO WINDOW profile have been detected. Previous 0, Current 12
Feb 16 2014 02:20:10 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB
ZERO WINDOW profile have been detected. Previous 0, Current 11
Support for 16-port Trunks on Thunder 6430/6430S

ACOS 2.7.1-P4 extends trunk interface support on models Thunder 6430
and Thunder 6430S, by increasing the number of data ports an individual
trunk can contain. Beginning in this release, a trunk on either model can
contain up to 16 ports. The maximum in previous releases is 8 ports. This is
still the maximum on other models.
This enhancement applies to static trunks, and to dynamic trunks created

using Link Aggregation Control Protocol (LACP).
There is no new syntax for this enhancement.
Note: The current release does not support this enhancement in the GUI.
CLI Example
The following commands create a static trunk containing 16 data ports:
ACOS-6430(config)#trunk 1
ACOS-6430(config-trunk:1)#ethernet 1 to 16
Black/White List Group ID for PBSLB Increase

This feature increases the Black/White List group ID for PBSLB from 32 to
1,000.

CTR SSH Cipher Support

The ACOS SSH connection extended cipher support to the following
options: aes128-ctr, aes192-ctr, and aes256-ctr.


ACOS 2.7.1-P3 includes the following enhancements. These enhancements

apply to Application Access Management (AAM).
Support for Alternate LDAP Login Formats

The following alternate LDAP bind login name formats are supported:
• username@domain.com
• Domain\username
If the end-user specifies their login name in either of these formats,
ACOS uses the entered form instead of the Bind DN form. This is
because the Common Name does not match the account name in AD.
Support for OCSP URI Path

In previous releases, the path provided in a URL for an OCSP server was
not included in authentication requests. This limitation caused failure of any
authentication request that used the OCSP server.
Form-based Logon Enhancements

Beginning in this release, the Logon form used for form-based authentica-
tion in AAM includes an error message, in cases where a previous attempt
to log on fails. In previous releases, the same form would be presented, con-
taining only the username and password fields.
You can customize the error message string included in the Logon form ().
Logon Failure Message Enhancements

Beginning in this release, the error page returned by ACOS to a client when
an end-user fails authentication includes entry fields for the end-user to re-
enter their username and password.
Figure 1 shows an example of the source code for the page.

FIGURE 1 Login error page for Form-based Logon in ACOS 2.7.1-P3
<form name="logon" action="mylogon-aaa.fo" method="POST">


Username: <input type="text" name="username"><br>
Password: <input type="password" name="pwd">
<input type="submit" value="Submit">
</form>
If the $a10_login_fail_errmsg$ variable is used but commented

out as shown above, ACOS includes the logon failure message in the form
only when applicable. If a client logon failure occurs, ACOS inserts a mes-
sage and negates the HTML comment in the form sent to the client, to make
the message visible on the new logon page presented to the client.
The default error message string for login failures is “Invalid username or
password. Please try again.” You can customize the string, which can be
1-127 characters.
Error Message Customization for Form-based Logon

You can customize the generic message string returned in logon forms that
include a logon failure message. The message can be up to 127 characters.
From the configuration level for the form-based authentication-logon pro-
file, the command is as follows:
[no] login-failure-message message-string

Enhancements in ACOS 271-P2
Forward Request Headers to Proxy Servers

ACOS 2.7.1-P2 provides an enhancement that enables ACOS to extract par-
ticular HTTP headers from client requests and forward the request headers
to a proxy server. This can be accomplished using the request-header-for-
ward option within the external-service template.
Notes
When using the Request Header Forwarding feature to forward HTTP head-
ers to a proxy server, the following caveats apply:
• Up to 16 headers can be extracted from a client request.
• The header-name within the request-header-forward command is not

case-sensitive.
• The maximum supported length of one HTTP header is 1,036 bytes
(including the HTTP header name and header element).
• If the specified HTTP header contains more than 1,036 bytes, ACOS
forwards only the first 1,036 bytes of the HTTP header.
• If there are duplicate headers in the client request, only the first header is
forwarded.
• Header modification is not supported when forwarding HTTP header
requests to a proxy server.
USING THE CLI
To configure ACOS to forward header requests to a proxy server, use the

following command at the external-service template configuration level:
[no] request-header-forward http-header-name […]
CLI Example
The following example enables header request forwarding within an exter-
nal-service template for the header “user-agent”.
ACOS(config-external-service)#request-header-forward user-agent

Configurable MSS Source for Proxied SLB Traffic

ACOS 2.7.1-P2 provides an option to change the way ACOS determines the
TCP MSS value to use in proxied TCP traffic. This option specifies how the
MSS value is determined for TCP SYN-ACKs sent by ACOS from a VIP to
a client.
This option applies to full-proxy SLB configurations, in which the ACOS

device is acting as a proxy for both ends of the client-server session.
ACOS can use either of the following methods to determine the MSS value
for TCP SYN-ACKs from a VIP to a client:
• Interface MTU and MSS value received from client in SYN packet
• (Default) Interface MTU and health-check response packet from real

server
Note: If ACOS receives different MSS sizes from multiple real servers, ACOS
bases the value on the smallest MSS value received.
Note: The current release does not support configuration of this option using the
GUI.
USING THE CLI
To configure ACOS to base the MSS in replies from VIPs to clients on the
interface MTU and MSS value received from clients in SYNs, use the fol-
lowing command at the global configuration level of the CLI:
[no] slb use-mss-tab

Non-HTTP-bypass Support for Invalid HTTP Versions

ACOS 2.7.1-P2 enhances the Non-HTTP-bypass feature by providing
bypass support for HTTP packets that have an invalid HTTP version.
In previous releases, ACOS did not provide this support. For example, in
previous releases, the Non-HTTP-bypass feature did not provide bypass
support for requests that had the following invalid HTTP versions:
• GET / HTTP/0.8
• GET / HTTP/1.2
• GET / HTTP/1.9
• GET / HTTP/2.1
• GET / HTTP/10.1
• GET / HTTP/a.b
With this enhancement, the Non-HTTP-bypass feature now provides bypass

support for such traffic.
The feature continues to recognize traffic with valid HTTP versions such as
the following:
• GET / HTTP/0.9
• GET / HTTP/1.0
• GET / HTTP/1.1
• GET / HTTP/1.10
• GET / HTTP/1.1000
If the Non-HTTP-bypass feature is enabled, ACOS still forwards the

requests to the real server. However, if the Non-HTTP-bypass feature is dis-
abled, ACOS does not send the requests.
Note: HTTP version validation is not performed if an external-service template

is configured.


Additional Changes and Notes
This section describes additional changes not described in previous sections

and provides clarifications on features supported in previous releases.
Configure Servers to Listen on Same Port (DSR)

In Direct Server Return (DSR) configurations, member servers in a
Service Group must be listening on the same port. Port translation is
not supported in DSR topologies.
SNMP Agent Default Community Name Should Be

Changed
To protect from potential vulnerability, the SNMP Agent Default
Community Name (public) should be changed to a non-default name.
Deprecated BGP Commands

The following commands are not supported in this release and are depre-
cated:
[no] bgp nexthop-trigger delay seconds
[no] bgp nexthop-trigger enable
Fail-safe Hardware Monitoring Enabled By Default

Beginning in ACOS 2.7.1 the fail-safe automatic recovery option for moni-
toring hardware errors is enabled by default. The option is disabled by
default in previous releases.
If hardware error monitoring is already enabled, it will remain enabled fol-
lowing upgrade to ACOS 2.7.1. However, as a result of this change, the
fail-safe hw-error-monitor-enable command no longer appears in show
running-config output.

If you prefer to leave hardware error monitoring disabled, you can disable it
using the following new command, at the global configuration level of the
CLI:
fail-safe hw-error-monitor-disable
Documentation Errata
The following sections clarify or expand on information in the manuals for
previous releases. This information will be incorporated into the manuals
for ACOS 2.7.1.
MTU Applies to Ethernet Interfaces

The CLI description for mtu erroneously indicated that the command
applied to the management interface and Ethernet data interfaces. This com-
mand only applies to the Ethernet data interfaces.
AX 5100 Not Supported in ACOS 2.7.1 and Later

Several documents in the ACOS 2.7.1-GR1 documentation set erroneously
indicated support for the AX 5100 model. This information was not correct.
The AX 5100 model is not supported in ACOS 2.7.1 or later.
NetFlow Supported Over UDP Only

The CLI example for NetFlow shows uses of TCP. However, NetFlow is
supported only over UDP.
Default BGP Neighbor Timers

The CLI Reference lists incorrect default values for the following BGP
command:
[no] neighbor neighbor-id timers

{interval holdtime | connect seconds}
The correct default values for this command are as follows:

• interval – 30 seconds

• holdtime – Three times the default keepalive value (90 seconds)
• connect seconds – 120 seconds
TCP-proxy Template Option fin-timeout

The fin-timeout option in TCP-proxy templates is not used. For the closest
equivalent functionality, please try using the half-close-idle-timeout option
instead.
Server-SSL Template Binding

ACOS supports use of a server-SSL template with only one instance of a
real port. For example, if the same real server:port member is used in two
service groups, it is valid to bind each of those service groups to a different
virtual port. However, if there are server-SSL templates configured for both
virtual ports, the server-side SSL behavior is not predictable and is not sup-
ported. It is recommended to duplicate the real server port configuration
with different names. Then use the different names in each group.
Request-rate Limiting in Real Port Templates

Templates for SLB real ports have a request-rate-limit option. This option is
supported only when the real port template is bound to an external-service
template. The option is ignored in real port templates bound to real ports or
any other resource.
Access to SNMP Agent in ADP Private Partitions

IPv4 SNMP server access to the ACOS SNMP agent is supported only for
the shared partition, not for any private partitions.


Known Issues in Release 2.7.1
This release has the following issues.
SFP INTERFACE ISSUE
ACOS does not support the use of a copper adapter on a fiber port in the
current release across all platforms. (A10 issue 248521)
Inserting a 1 G optical (SFP) transceiver into to a 10 G port can cause the

port driver to stop working and may result in report of an incorrect MAC
address (0000.0000.0000) and erroneous statistics for the port. If this
occurs, the ACOS device must be rebooted to return it to operational state.
(A10 issues 80746, 92686)
AAA ISSUE
Source NAT is not supported with RADIUS (A10 issue 88609).
The authentication disable-local option is not supported. (A10 issue 86825)
SHA2 CERTIFICATE ISSUES

In ACOS release 2.7.1-P6 and later, importing SHA2 certificates into the
Web GUI is currently not supported as it may cause instability in existing
VCS /VRRP-A environments. (A10 issue 252139)
VTHUNDER ISSUES
• The vThunder for VMware ESXi may reload if only one VMXNET3
virtual interface is configured. This issue happens only with vThunder
for VMware ESXi, and does not occur when vThunder is used with
other hypervisors. To work around this issue, make sure 2 VMXNET3
virtual interfaces are configured for each vThunder for ESXi instance.
This is the default behavior for the shipping version of the vThunder for
VMware ESXi image. (A10 issue 190093)
• The show interface brief command incorrectly shows the speed of
vThunder Ethernet interfaces as “10000Mbps”.
• The show interface command’s output always shows the utilization for
the input and output rates as 0%.

MANAGEMENT INTERFACE ISSUES

• Route cost is not supported in this release for static routes through the
management interface. If you configure a cost for a static route through
the management interface, the cost does not appear in the configuration.
• If you apply an ACL to the management interface as part of the enable-
management feature, the following ACL options are not supported: log,
dscp, fragments. If you do use any of these options, the ACL rule does
not work. (A10 issue 96668)
LOM (IPMI) INTERFACE ISSUES

• IPv6 is not supported for LOM interface addressing. (A10 issue 94933)
• When the maximum threshold for user accounts is reached and a user
account is deleted, the next user account created is disabled by default
and has no network privileges. To resolve this issue, add the new user
account as disabled and modify the user account to enable access and
assign network privileges. (A10 issue 97459)
• If a second user tries to acquire the console while the first one is still on
the console, the dialog box requesting the first user to deny or grant
access may time out prematurely. If this occurs, the second user is
denied access by default. (A10 issue 94852)
ISSUES WITH CONCURRENT CONFIGURATION SESSIONS

• If multiple admins use the GUI to set the ACOS timezone at the same
time, the following error message appears: “Failed to set time. error
code: 10000.” (A10 issue 100154)
• If multiple admins use the GUI to delete a given admin account at the
same time, the following error message appears: “Failed to delete
admins. error code: 10000.” (A10 issue 100025)
• If multiple admins use the GUI to upgrade the software image at the
same time, the upgrade fails for each of the admins, and the following
error message appears: “Access denied: no write privilege. Click to
clear existing Config session.” (A10 issue 100223)
PING ISSUES
• Fragmented ping packets to a VIP address or NAT pool IP address are
not supported. (A10 issue 94870)
• Fragmented ping packets addressed to a floating IP address are not sup-
ported. (A10 issue 96205)

JUMBO SUPPORT ISSUES

• Support for jumbo frames in ACOS 2.7.1 is limited to Layer 4 applica-
tions, such as TCP.
• Half-duplex mode is not supported. (A10 issue 86032)
• On Thunder models 6430, 6430S, and 5430S, and AX models 5200-11,

3400 and 3200-12, for any incoming jumbo frame, if the outgoing MTU
is less than the length of the incoming frame, the frame is always frag-
mented into 1500-byte frames instead of being forwarded using the con-
figured MTU. (A10 issue 87709)
• The ACOS device does not fragment UDP packets when the outgoing
MTU is 1500. (A10 issue 88225)
To work around this issue, you can do either of the following:
• Use a non-default MTU.
• Disable fast-path processing by entering the following command at
the global configuration level of the CLI: slb fast-path-disable
VLAN ISSUE
If you delete all the ports from a VLAN that has a VE and an IP address
configured on the VE, the virtual MAC address is removed for the VE.
However, if you add ports back to the VLAN, the virtual MAC address is
not re-added. To work around this limitation, do either of the following:
• (Preferred) Delete the VE configuration and reconfigure the VE.
• Delete the entire VLAN and reconfigure the VLAN and VE.
(A10 issue 96901)
VIRTUAL ETHERNET STATISTICS ISSUES

• Virtual Ethernet (VE) interface statistics are supported only on 64-bit
ACOS models.
• The packet length listed in VE statistics may not be correct in some
cases.

ROUTING ISSUES
This release has the following routing-related issues:

• The ACOS device does not use an alternative static route if an ECMP
path is no longer available.
• Not-so-stubby areas (NSSAs) are not supported for OSPFv3.
AVCS ISSUES
• Configuration of certain options in a private L3V partition can result in

the configuration changes taking place in the shared partition instead.
This behavior has been observed for commands that configure NTP,
and that set global health monitoring values. (A10 issues 83543, 86759)
Here is an example:
AX2500[l3v](config)#health global interval 180
AX2500[l3v](config)#show run | section health global
AX2500[l3v](config)# (output is blank)
...
AX2500#show run | section health global
health global interval 180
Note: The output of the show run | section health global command at the pri-
vate partition level is blank, because the command is still set to its default
value. The change should occur in the private partition’s configuration but
instead occurs in the shared partition’s configuration.
• All devices in the virtual chassis must run the same ACOS Release.
Operation using a mix of the current release and earlier releases (for
example, 2.6.1 and 2.7.0) is not supported.
• aVCS can not run from Compact Flash. (A10 issue 56415)
• aVCS is not supported in transparent mode. (A10 issue 57699)
• aVCS memory usage is not taken into account in system resources,

which could lead to out-of-memory conditions. For guidelines, see the
“Memory Requirements for aVCS with Layer 2/3 Virtualization” sec-
tion in the “AX Virtual Chassis System” chapter of the AX Series System
Configuration and Administration Guide. (A10 issue 52939)
• The device DeviceID option is not supported with global routing show
or clear commands. When you are logged onto the virtual chassis float-
ing IP address, the commands are supported only on the vMaster. (A10
issue 58348)
For example, the clear ip ospf [process-id] process command does not
support the device DeviceID option.

To work around this issue, do either of the following:

• Use the following command to change the context of the CLI ses-
sion to the device:
vcs device-context DeviceID
After changing the context to the device, you can enter the show or
clear command on that device.
• Establish a new CLI session on the device itself and enter the com-
mand.
• It is possible to configure an SLB real server on the vMaster that has the
same IP address as a vBlade’s interface. The CLI allows this invalid
configuration, which prevents the vBlade from being able to synchro-
nize with its vMaster. (A10 issue 58118)
• There are known issues with removing configuration items shared by all
devices in a virtual chassis, when those items are referenced by device-
specific configuration on a single device. Depending on the command,
the removal of the common configuration item may execute success-
fully on one or more devices, yet fail on the device on which the item is
referenced. (A10 issue 59262)
For example, if you configure an ACL on the vMaster, bind the ACL to
an interface on a vBlade, then delete the ACL from the vMaster, the
ACL is removed from the vMaster but remains in the vBlade's configu-
ration.
LAYER 2/3 VIRTUALIZATION ISSUES

• IPv6 address configuration belonging to the same subnet on physical
interfaces in different partitions is not supported.
• Route logging is not supported in private partitions.
• File management operations such as import and export are not supported
in private-partition management sessions. (A10 issue 73319)
• SMTP servers can not be configured in private partitions. Thus logging
email is not supported for private partitions. This will be fixed in a later
release.
• In the GUI, the Monitor > Network > Interface page lists only the inter-
faces that belong to the currently selected partition. However, the graphs
on this page always show data for the shared partition.
• In the GUI, shared SLB resources (service groups and servers) appear in
private partition list menus but should not.
• If you configure a class list in a private partition that has the same name
as a class list in the global partition, the system incorrectly creates a

duplicate of the class list in the shared partition. The duplicate class list
persists even if you remove it and reload or reboot. (A10 issue 73574)
• If a resource template configured in an L3V partition has bandwidth or
SSL throughput limits configured, the limits do not take effect. (A10
issue 85108)
• The config-save command for GSLB groups does not work in L3V par-
titions. (A10 issue 96859)
• To use the enable-management service in an L3V partition, the service
must be configured on a VE interface. (A10 issue 96959)
PRIVATE PARTITION (ROLE-BASED ADMINISTRATION) ISSUES

• IPv6 OSPF debugging does not work inside private partitions.
• It is not recommended to configure dedicated logging within private

partitions. Attempting to configure logging within a private partition
will result in global syslog messages being added to the log.
• Imported black/white lists can not be used in private partitions. (A10
issue 79547)
• SIP running on the shared partition may intermittently cause the ACOS
device to reload, depending on traffic load.
• If you create a black/white list or class list in the shared partition, then
create an RBA partition, a duplicate of the list appears in the configura-
tion for the shared partition. This issue is cosmetic only and does not
affect operation of features that use the black/white list or class list.
VRRP-A / HIGH AVAILABILITY (HA) ISSUES

• If the configuration on a device you are upgrading from 2.6.1-GR1 (or
any of its patches) to 2.7.1-P1 contains the no-dest-nat option, session
synchronization between the devices does not work. (A10 issue 128254)
• For the older implementation of HA (not VRRP-A), FTP control ses-
sions might not continue after HA failover occurs.
• Config-sync without reload is not supported for merged aFleX scripts.
To work around this issue, use config-sync with reload. (A10 issue
88777)
• HA sync is not supported for the following data files (A10 issue
253346):
• class-list
• auth-portal
• dnssec-ds

• ip-map-list
• HA sync is not supported for the following commands (A10 issue

253346):
• GSLB group
• SLB buff-thresh
• SLB template diameter
ROLE-BASED GUI ACCESS ISSUES

• Private partition admins can not access the Config Mode > Service >
SLB > Global page. (A10 issue 90988)
• The role-based GUI access feature enables you to configure custom GUI
access roles with nearly any combination of read-only, read-write, and
hide settings for GUI page access. It is possible to configure settings
such that an admin can access a page that requires access to another
page that is hidden. In this case, the ACOS web server will drop the
request for the hidden page, and display an error stating that the page
does not exist.
Note: Shared partition objects cannot be referenced by private partitions when

Layer 2/3 virtualization is enabled. This is not restricted in R2.6 but is
restricted starting from R2.6.1.
DSCP/802.1P MARKING
The current release does not support Layer 2 priority bit marking.
SSL ISSUES
• SSL session-ID persistence is not supported for IPv6.
• SSL session-ID reuse is not supported on ACOS devices that use multi-
ple SSL processors. This issue affects ACOS devices in which an add-
on SSL accelerator module is installed. The following models, if they
contain an add-on SSL accelerator module, are affected: AX 5100, AX
5200, AX 5200-11, AX 3000, and AX 2500.
• Whenever a cipher mismatch occurs, a FIN will be sent without an alert
message.
IPV6 PASSIVE FTP / HARDWARE-BASED SYN-COOKIE ISSUES

• On some ACOS models, passive FTP does not work if SYN cookies are
enabled. This issue affects models AX 2200, AX 2200-11, AX 3200,
AX 3200-11, AX 5100, AX 5200, and AX 5200-11.

• Passive IPv6 FTP data connections are not supported with hardware-
based SYN cookies. To work around this issue, use active mode. (A10
issue 96802)
APPLICATION TEMPLATE ISSUE
Unbinding and then rebinding an application template (for example, an

HTTP template) on a virtual port can result in incorrect counter values.
(A10 issue 85243)
REAL PORT TEMPLATE REQUEST-RATE-LIMIT ISSUE
The request-rate-limit option in real port templates has reset and no-logging
options. The reset option cannot be configured. You can configure the no-
logging option, but it will not take effect. (A10 issue 118916)
DNS CACHING ISSUE
IPv6 is not supported with system-wide (global) DNS caching. (A10 issue
96484)
AFLOW ISSUE
aFlow is not supported in combination with Policy-Based SLB (PBSLB).
W3C LOGGING ISSUE

In RAM Caching deployments, the status code is not included in log mes-
sages. The value of “%s” is shown as “-” in the messages. (A10 issue
109091)
AUDIT LOGGING ISSUE
Highly active audit logging can result in error messages such as the follow-
ing:
Error [SYSTEM]:send audit log failed
This can occur with bursts of about 12 or more audit log messages at a time
or throughput of around 10 K messages or more per minute.

GSLB ISSUE
Depending on the size of the geo-location database, GSLB configuration

synchronization can take up to two minutes to synchronize to each remote
GSLB controller.
GUI ISSUES
• Right-clicking on on a sub-module menu displays an option menu.
However, the options on the right-click menu are not supported. For
example, opening a configuration page in a new tab or browser window
is not valid. The page will appear and you can enter data, but the data
will not be written to the configuration. An error also occurs in the pri-
mary GUI window.
• The GUI does not support monitoring of virtual-server class-list statis-
tics.
• In the GUI, the Monitor > Network > Interface page lists only the inter-
faces that belong to the currently selected partition. However, the graphs
on this page always show data for the shared partition.
• The GUI Find option does not work on lists containing over 500 items.
• With a few exceptions, GUI pages can not display lists containing a very
large number of items. Exceptions are the pages that list virtual servers,
service groups, and real servers.
• If you use the GUI to remove the age from a class-list file entry, the orig-
inal age remains in effect. The entry is removed within one minute after
the original age expires. (A10 issue 94466)
• If a description is configured in the GUI for a VIP, the description is lost
following upgrade to 2.7.0.
AXAPI ISSUE
The aXAPI method "slb.server.fetchAllStatistics" does not return any statis-
tics for a server if the server is defined with a DNS name. This issue can be
avoided by defining the server with an IP address rather than a DNS name.
AXAPI DOCUMENTATION ISSUE
In the error messages list in the manual for aXAPI version 1, the message
code and text are incorrect for all messages with IDs higher than 1032. For
higher-numbered messages, the code and text in the manual actually belong
to the next higher-numbered message. For example, the manual lists text

“The server already exists” for message number 1045. The text actually
belongs to message number 1046. (A10 issue 59210)
HARDWARE ISSUE
Currently copper adapters are not supported on fiber ports on all platforms.
(A10 Issue 248521).

Upgrade Instructions
This chapter describes how to upgrade the software image on your ACOS
device.
Notes
• If you are configuring a new ACOS device, see the Installation
Guide for your model.
• If you are upgrading from a 2.6.0 release, please upgrade from
2.6.0-P4 or later. If you are running a 2.6.0 release older than 2.6.0-
P4, it is recommended to upgrade to 2.6.0-P4 first, then upgrade to
2.6.1.
• If you are upgrading an aVCS virtual chassis from 2.6.0, you must
use the CLI.
• This chapter may contain references to “AX Release” versions. The
term “AX Release” is an older term for “ACOS”, which now also
runs on A10 Thunder devices, beginning in ACOS 2.7.1.

Image File Names

Make sure to use the correct image file for your A10 Thunder or AX model.
The image files are named as follows:
TABLE 7 ACOS Image File Names

Flexible Traffic ASIC Model? Model Image Name
Yes. Thunder 6630 ACOS_FTA_version.tgz
These models feature the Flexible Traffic ASIC Thunder 6435
(FTA). Thunder 6430S
Thunder 6430
Thunder 5630
Thunder 5435
Thunder 5430S
Thunder 5430S-11
Thunder 5430-11
Thunder 4435
Thunder 4430S
Thunder 4430
AX 5630
AX 5200-11
AX 5200
AX 5100
AX 3400
AX 3200-12
No. Thunder 3030S ACOS_non_FTA_version.tgz
These models do not use FTAs. Thunder 1030S
Thunder 930
AX 3530
AX 3030
AX 3000-11-GCF
AX 3000
AX 2600
AX 2500
AX 1030
vThunder

Cautions
Before you upgrade, please carefully read the following cautions. Some
cautions also apply to downgrade.
As a best practice, save the configuration, then copy the startup-config to a

remote server, before you upgrade.
While command name changes between releases are not common, saving a
backup avoids the need to re-enter the older syntax following a downgrade.
Note: If you are upgrading ACOS devices that run aVCS, also see “Upgrading
the Software Image (aVCS virtual chassis)” on page 217.
HTTP Compression Modules

If you are upgrading an ACOS device that contains an HTTP compression
module, the module will not work after you upgrade to AX Release 2.6.1.
Likewise, an HTTP compression module installed in an ACOS device con-
figured at the factory with AX Release 2.6.1 or later will not work with ear-
lier software versions. If this this affects your ACOS device, please contact
A10 Networks.
ADP (L3V / RBA)

If ADP is configured on the ACOS device and you plan to upgrade or
downgrade to an ACOS release that does not support it, A10 Networks rec-
ommends that you first delete all the private partitions before installing the
new software. Otherwise, resources such as aFleX policies, SSL certificates
and keys, or external health monitoring programs in the private partitions
will be visible and therefore can pose a security risk.
RADIUS Server Commands in Startup-Config

If the startup-config on the ACOS device you are planning to upgrade con-
tains a radius server or radius port command, these commands are auto-
matically converted to their new formats after you upgrade and save the
configuration.
However, if you later downgrade to a release earlier than AX Release 2.4,

the new commands are converted into their older forms. You will need to re-
enter the older forms of the commands to re-add the RADIUS server. Like-
wise, support for more than one RADIUS server (new in AX Release 2.4)
will not be available after the downgrade.

RADIUS / TACACS+ Shared Secret Strings Longer than 15 Char-

acters
AX Release 2.6.1-P2 increases the maximum shared-secret length for
RADIUS and TACACS+ from 15 characters to 128 characters. If you con-
figure a shared secret longer than 15 characters in this release or later, then
downgrade to an earlier release where the longer string length is not sup-
ported, the shared secret string will be incorrect and will need to be recon-
figured.
NAT Pool-Group Commands in Startup-Config

In AX Release 2.4.3, if the startup-config on the ACOS device you are plan-
ning to upgrade contains pool groups for IP NAT, the commands for the
pool groups are automatically converted to the new syntax after you
upgrade. However, if you later downgrade the ACOS device to a release
earlier than 2.4.3, the software will not recognize pool groups that contain
more than 5 pools.
HA Interfaces
Beginning in AX Release 2.7.0, in deployments that use the older imple-
mentation of High Availability (HA), if an HA interface is a tagged member
of a VLAN, it is required to specify the VLAN ID when configuring the
interface be an HA interface.
GSLB Groups
It is possible for GSLB configuration items to be lost on GSLB group mem-
bers following upgrade. To avoid this issue, see “Upgrading Devices in
GSLB Groups” on page 209.

HA Session Synchronization
When you upgrade ACOS devices that are deployed in High Availability
(HA) mode, the ACOS version running on the active device briefly differs
from the version running on the standby device.
Notes
• If the configuration on a device you are upgrading from 2.6.1-GR1 (or
any of its patches) to 2.7.1-P1 contains the no-dest-nat option, session
synchronization between the devices does not work.
• Session synchronization applies only to TCP and UDP Layer 4 virtual
ports. Session synchronization does not apply to other types of virtual
ports, such as HTTP/HTTPS VIPs.
• Depending on the versions you are upgrading from and to, session syn-
chronization may not work until all devices are running the same ver-
sion. For example, if you are upgrading from 2.6.1-GR1 to 2.7.0,
session synchronization does not work while one of the ACOS devices
is running 2.7.0 but the other device is still running 2.6.1-GR1.
TABLE 8 HA Session Synchronization Support During Upgrade

Version Running on Standby ACOS Device
Version Running on
Active ACOS Device 2.7.1 2.7.0 2.6.1 2.4.3 2.2.5
2.7.1 Supported Supported No session No session No session
sync sync sync
2.7.0 Supported Supported No session No session No session
sync sync sync
2.6.1 No session No session Supported No session No session
sync sync sync sync
2.4.3 No session No session No session Supported No session
sync sync sync sync
2.2.5 No session No session No session No session Supported
sync sync sync sync
Due to the behavior summarized in the table, existing sessions that would
normally be mirrored may be lost. Typically, this means clients will need to
retransmit or re-establish their connections. This should occur only one
time. Once both ACOS devices are running the same software version, ses-
sion synchronization will operate normally again.

Note: On each ACOS device, enable SSH on the HA interface used for configu-
ration synchronization.
• Using the GUI – Config Mode > System > Access Control
• Using the CLI – enable-management service ssh command at
global configuration level
Save the change to the startup-config.
HA Upgrade Example
Here is an example of a typical upgrade scenario:
1. Both ACOS devices are running AX Release 2.7.0
2. Upgrade the HA standby ACOS device to 2.7.1 and reboot.
Note: As part of the upgrade process, make sure to copy the configuration to the
image area (primary or secondary) where you plan to install the upgrade,
before uploading the upgrade. Each image area has its own separate
startup configuration.
3. After rebooting, the HA standby ACOS device resumes HA standby

operation.
4. The HA active ACOS device sends session synchronization packets to

the HA standby ACOS device.
5. If you are upgrading from 2.6.x to 2.7.x, The HA standby ACOS device
will detect a synchronization version mismatch and ignore the synchro-
nization packets. As a result, existing connections are not mirrored.
Refer to Table 8 for supported session synchronization upgrade paths
between different ACOS versions.
6. Upgrade the HA active ACOS device to ACOS 2.7.1 (optionally trigger-

ing HA failover first) and reboot. Since existing connections were not
mirrored, clients will need to retransmit or re-establish their connec-
tions.
7. After the HA active ACOS device reboots, both devices are now run-
ning ACOS 2.7.1. HA session synchronization operates normally.

Boot Order—How ACOS Gets the Image To Boot

Note: If you are upgrading ACOS devices that run aVCS, skip this section
and go to “Upgrading the Software Image (aVCS virtual chassis)” on
page 217.
Each ACOS device has four locations in which software images can be
placed:
• Disk (hard disk or Solid State Drive), in the primary image area
• Disk, in the secondary image area
• Compact flash (CF), in the primary image area
• CF, in the secondary image area
FIGURE 2 Software Image Locations on the ACOS device
At the factory, the current generally available release is loaded into all four
areas before the device is shipped. When you upload a new image onto the
ACOS device, you can select the image device (disk or CF) and the area
(primary or secondary) on the device.
When you power on or reboot the ACOS device, it always attempts to boot
from the disk, using the image area specified in the configuration (disk pri-
mary, by default). If a disk failure occurs, the device attempts to boot from
the same image area on the backup disk (if applicable to the A10 Thunder
Series or AX Series model).
Caution: A10 Networks recommends that you install the new image into only
one disk image area (primary or secondary) and leave the image you
are upgrading from in the other area. If you need to downgrade or an
issue occurs when rebooting with the new image, leaving the old
image on the device will make it easier to restore the system.

In ACOS 2.7.1, when you save the configuration in the current image
area, ACOS displays a prompt asking whether you also want to save
the configuration to the other area. Syntax that is new or changed in
ACOS 2.7.1 may not be compatible with your older ACOS version.
Note: Allow up to five minutes for the reboot to complete. (The typical reboot
time is 2-3 minutes.) During the reboot, the system performs a full reset
and will be offline. The actual time may vary depending on system
parameters.
Note: Copying the configuration does not provide a complete system backup.
For example, copying the configuration does not include aFleX policies,
SSL certificates and keys, or class lists. For a complete system backup,
use the backup option as described in the procedure later in this section.
Recommendations (for non-aVCS deployments)

You can upload a new image into any of the areas listed above and you can
configure the boot profile to try booting from those areas in any order you
choose. However, to simplify the upgrade process and ensure that the sys-
tem always has a backup image in case a problem occurs, A10 Networks
recommends that you use the following process to upgrade.
Note: the ACOS device always tries to boot using the disk first. The CF is used
only if the disk is unavailable.
Note: If the ACOS devices are running AX Virtual Chassis System (aVCS), this
recommendation is not applicable. Instead, see “Upgrading the Software
Image (aVCS virtual chassis)” on page 217.
Alternate Loading of the New Image into the Primary and Secondary
HD Areas
1. Save the configuration to the current image area (the area from which
the device was most recently booted).
2. Back up the system. (A complete system backup is needed, so that all

files, in addition to the configuration files, are included.)
3. Leave the factory-installed images in the CF and never replace them.
4. The first time you upgrade, upload the new image into the primary disk
area. Leave the current image (the image you are upgrading from) in the
secondary disk area.
5. The next time you upgrade, save the startup-config in the image area
you upgraded last time. Also save the same startup-config to the other
image area, where you plan to install the upgrade. You must save the
startup-config that is in the image area you booted from into the image

area you will upgrade, so that the system will be running the correct
configuration following the upgrade.
6. Leave the current image (the image to which you upgraded previously)
in the primary disk area, and upload the new image into the secondary
disk area.
7. For each subsequent upgrade, alternate by saving the startup-config into,

and uploading the new image into, the disk area that has the oldest
image. Generally, the oldest image will be two images back.
For example, if your system is shipped with 2.7.0 installed and you
upgrade to 2.71, 2.7.1 will go into the primary image area and 2.7.0 will
stay in the secondary image area. When you upgrade again, 2.7.1 will
stay in the primary image area and the newer image will go into the sec-
ondary image area.
Note: Make sure to copy the configuration to the image area where you plan to
install the upgrade, before uploading the upgrade. Each image area has its
own separate startup configuration.
8. Modify the boot profile to first attempt to boot from the disk area that
has the newest image.
Note: If you plan to reboot immediately following the upgrade (an option you
can select when you upgrade), modify the boot profile before you
upgrade.

FIGURE 3 Upgrade Process (non-aVCS only)

Upgrading Devices in GSLB Groups

If you use GSLB groups, GSLB configuration items can be lost following
upgrade, unless you use the following procedure.
Note: For group members that are members of an aVCS virtual chassis, perform
these steps on the vMaster.
1. On each member device of the GSLB group, save the configuration.
2. On each member device in the group, disable the GSLB group and save
the configuration.
3. Use the procedures in this chapter to upgrade the GSLB group members,
one group at a time.
For example, if there are 2 GSLB groups, 1 and 2, upgrade all the mem-
ber devices in group 1 first, then upgrade all the member devices in
group 2. After all members come up in the GSLB group 1, upgrade each
member of GSLB group 2.
4. After all members in the last group finish booting with the new software
version, enable the GSLB group on each device. Make sure all members
join the group successfully.
5. On each member device of the GSLB group, again save the configura-
tion.
CLI Example
The following commands perform step 1 through step 4:
AX-gslb:Member(config)#write memory
AX-gslb:Member(config)#gslb group shared
AX-gslb:Member(config-gslb group)#no enable
AX-gslb:Member(config-gslb group)#exit
AX-gslb:Member(config)#write memory
The following commands perform step 5:

AX-gslb:Member(config)#gslb group shared
AX-gslb:Member(config-gslb group)#enable

Upgrading the Software Image (non-aVCS deployment)

To upgrade the software image, use either of the following methods.
Note: Use this procedure only to upgrade an ACOS device that is running stand-
alone (not in an aVCS virtual chassis). To upgrade ACOS devices in a vir-
tual chassis, see the following section instead: “Upgrading the Software
Image (aVCS virtual chassis)” on page 217.
USING THE GUI
Save the Configuration
Click on the Save button.
FIGURE 4 Save the Configuration
Save the Configuration to the Image Area Where You Plan to

Install the Upgrade
Note: This step requires the CLI. You cannot perform this step using the GUI.
1. Log onto the CLI.
2. Access the global configuration level:

a. Enter the enable command. If prompted for the enable password,
enter the password. The command prompt changes from
hostname> to hostname#
b. Enter the configure command. The command prompt changes from
hostname# to hostname(config)#
3. Use the following command:

write memory {primary | secondary}
[all-partitions | partition partition-name]
If you plan to install the upgrade into the primary image area, specify
primary. Otherwise, specify secondary.

The all-partitions and partition partition-name options apply only if

you are upgrading an ACOS device with RBA/L3V configured. These
options do not appear unless you are logged on with root or super user
(global read-write) privileges.
4. Exit the configuration mode, by entering the following command:

exit
5. End the CLI session, by entering the following command:

exit
Create a Full System Backup

A full system backup includes the startup-config file, aFleX files, and SSL
certificates and keys.
1. Select Config Mode > System > Maintenance.
2. Select Backup > Config on the menu bar.
3. Select the backup location:

• Local – Saves the backup on the PC or workstation where you are
using the GUI.
• Remote – Saves the backup onto another PC or workstation.
4. If you selected Local:

a. Click Apply.
b. Click Save and navigate to the save location. Optionally, you can
edit the filename.
c. Click Save.
5. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP,
TFTP, RCP, or SCP.
b. If using FTP and the remote device does not use the default FTP
port, change the port.
c. In the Host field, enter the hostname or IP address of the remote
device.
d. In the Location field, enter the pathname. To change the backup file
from the default (“backup_system.tar”), specify the new name at the
end of the path.

e. In the User and Password fields, enter the username and password
required for write access to the remote device.
f. Click OK.
6. To also back up the system log files (and core files, if any):
a. Select Backup > Syslog on the menu bar.
b. Select the backup location: Local or Remote. (See above for
descriptions.)
FIGURE 5 Config > System > Maintenance > Backup > System
Change the Boot Order

1. Select Config > System > Settings.
2. Select Boot on the menu bar. The boot settings are displayed.
3. If the Hard Disk image area where you plan to install the new image is
not selected, select it and click OK. For example, if Primary is selected
but you plan to install the image into the secondary image area, select
Secondary.
FIGURE 6 Config > System > Settings > Boot
Note: Although the Boot Image tab allows selection of an image area in the
compact flash, the ACOS device always tries to boot using the hard disk
first. The compact flash is used only if the hard disk is unavailable.

Upload the New Image

1. Select Config Mode > System > Maintenance > Upgrade.
2. For Media, leave Hard Disk selected.
3. For destination, select the area that contains the oldest image. If both
areas contain the same image version, select Primary.
Note: The image area you select here needs to be the same area selected above,
in the "Change the Boot Order" section.
4. For Reboot, Select Yes to reboot now, or No if you prefer to reboot later.
The new image takes affect only after a reboot.
5. For Upgrade from, select the location where you saved the upgrade
image:
• Local – Uploads the image from the PC or workstation where you
are using the GUI.
• Remote – Uploads the image from another PC or workstation.

a. Click Browse and navigate to the image location.
b. Click Open.
c. Click Apply.

TFTP, RCP, SCP, or SFTP.
device.
d. In the Location field, enter the pathname and image file name.
required for access to the remote device.
f. Click Apply.

FIGURE 7 Config > System > Maintenance
USING THE CLI
All the commands described in this section are available at the global Con-
fig level of the CLI.
1. To save the configuration, enter the following command:
write memory
This command saves the configuration to the current image area, from
which the device was most recently booted.
2. To save the configuration to the other image area, where you plan to
install the upgrade, use the following command:
[all-partitions | partition partition-name]
If you plan to install the upgrade into the primary image area, specify
primary. Otherwise, specify secondary.
The all-partitions and partition partition-name options apply only if
you are upgrading an ACOS device with ADP configured. These
options do not appear unless you are logged on with root or super user
(global read-write) privileges.
3. To create a full system backup, use the following command:

backup system [use-mgmt-port] url
The url specifies the file transfer protocol, username (if required), direc-
tory path, and filename. The following types of URLs are supported:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• sftp://[user@]host/file

You can enter the entire URL on the command line or press Enter to dis-
play a prompt for each part of the URL. If you enter the entire URL and
a password is required, you will still be prompted for the password.
The use-mgmt-port option uses the ACOS device’s management port
as the source interface. Otherwise, a data interface is used.
A full system backup includes the startup-config file, aFleX files, and
SSL certificates and keys. To also back up system log files (and core
files, if any), use the following command:
backup log [use-mgmt-port] url
4. To verify and change the boot order (if required), use the following com-
mands:
show bootimage
bootimage hd {pri | sec}
The {pri | sec} option specifies whether the ACOS device first tries to
boot using the image in the primary image area or the secondary image
area.
Note: You only need to change the boot order if you plan to upload the new
image into an image area that is not the first image area the ACOS device
uses when it boots.
Note: The bootimage command also allows selection of an image area in the
compact flash; however, this syntax is not shown above. The ACOS
device always tries to boot using the hard disk first. The compact flash is
used only if the hard disk is unavailable.
5. To upload the new image onto the ACOS device and reboot, use the fol-
lowing command:
upgrade hd {pri | sec} [use-mgmt-port] url
The url specifies the file transfer protocol, username and password (if
required), directory path, and filename. (See above in the description for
the url option of the backup system command.)
The CLI displays a prompt asking you whether to reboot. Enter yes to
reboot now, or no if you prefer to reboot later. The new image takes
affect only after a reboot.
To verify the upgrade after the ACOS device reboots, use the following
command:
show version

Upgrade Example
The following commands upgrade an AX 5200 from AX Release 2.7.0 to
ACOS 2.7.1:
AX(config)#write memory
Building configuration...
[OK]
AX(config)#write memory secondary
[OK]
AX(config)#backup system tftp:
Address or name of remote host []?192.168.1.144
Destination file name [/]?ax5200-backup
System files backup successful
AX(config)#show bootimage
(* = Default)
Version
-----------------------------------------------
Hard disk primary 2.7.0 (*)
Hard disk secondary 2.6.1
Compact flash primary 2.4.3 (*)
Compact flash secondary 2.4.3
AX(config)#bootimage hd sec
Secondary image will be used if the system is booted from hard disk
AX(config)#upgrade hd sec tftp://192.168.1.144/ACOS_FTA_2_7_1-P1_57.64.tgz
Do you want to reboot the system after the upgrade?[yes/no]:yes
After the ACOS device finishes rebooting, verify the upgrade:

AX>show bootimage
(* = Default)
Version
-----------------------------------------------
Hard disk primary 2.7.0
Hard disk secondary 2.7.1 (*)

AX>show version
AX Series Advanced Traffic Manager AX2500
Copyright 2007-2013 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
64-bit Advanced Core OS (ACOS) version 2.7.1-P1, build 57 (May-31-2013,01:17)

Booted from Hard Disk primary image
...
Upgrading the Software Image (aVCS virtual chassis)

The following upgrade procedures are provided. Use the procedure that is
most applicable to your deployment.
• Full chassis upgrade – This procedure upgrades the software on the
vMaster. The vMaster loads the upgrade image onto each of the
vBlades, then reboots the vBlades to place the new software into effect.
Service is briefly interrupted during the reboot.
The procedure for full chassis upgrade applies to VRRP-A deployments
and to deployments that do not use VRRP-A. See “Full Chassis Upgrade
(with or without VRRP-A)” on page 225.
• Staggered upgrade in VRRP-A deployment – This procedure avoids ser-
vice disruption but has more steps than full chassis upgrade. “Staggered
Upgrade (with VRRP-A)” on page 225.
• Staggered upgrade with no VRRP-A – This procedure is the same as the
staggered upgrade with VRRP-A, except there are no steps related to
VRRP-A. “Staggered Upgrade (with VRRP-A)” on page 225.
Note: Allow up to five minutes for a reboot to complete. (The typical reboot
time is 2-3 minutes.) During a reboot, the system performs a full reset and
will be offline. The actual time may vary depending on system parame-
ters.

Using the GUI

This section describes how to upgrade an aVCS chassis using the GUI.
Backing Up the System
Before you begin the upgrade, it is recommended to back up the system. A

full system backup includes the startup-config file, aFleX files, and SSL
1. Select Config Mode > System > Maintenance.
2. Select Backup > Config on the menu bar.
3. Select the backup location:

• Local – Saves the backup on the PC or workstation where you are
using the GUI.
• Remote – Saves the backup onto another PC or workstation.

a. Click Apply.
b. Click Save and navigate to the save location. Optionally, you can
edit the filename.
c. Click Save.

device.
d. In the Location field, enter the pathname. To change the backup file
from the default (“backup_system.tar”), specify the new name at the
end of the path.
required for write access to the remote device.
f. Click OK.

6. To also back up the system log files (and core files, if any):
a. Select Backup > Syslog on the menu bar.
b. Select the backup location: Local or Remote. (See above for
descriptions.)
FIGURE 8 Config > System > Maintenance > Backup > System
Full Chassis Upgrade (with or without VRRP-A)
Note: This procedure requires a reboot of each ACOS device in the virtual chas-
sis. In this case, the vMaster sends the new image to all vBlades and
reboots all devices in the virtual chassis, including itself. This can take
several minutes, during which a service outage will occur.
Perform the following steps on the vMaster.

3. For destination, leave it unchanged.
4. For Reboot, Select Yes to reboot now, or No if you prefer to reboot later.
The new image takes affect only after a reboot.
image:
are using the GUI.


b. Click Open.
c. Click Apply.

device.
f. Click Apply.
8. Leave Staggered Upgrade Mode unselected.
9. Click OK.
Staggered Upgrade (with VRRP-A)

Note: Staggered upgrade using the GUI is supported only in AX Release 2.7.0
and later. This section is inapplicable to performing staggered upgrade
from 2.6.1 using the GUI.
3. Next to Destination, select the image area.
Note: All devices in the virtual chassis use the same image area (primary or sec-
ondary). For example, if the software running on the vMaster is in the pri-
mary image area, all the vBlades also are running their software from
their own primary image areas.
4. For Reboot, Select Yes to reboot as soon as you click OK, or No if you
prefer to reboot later. The new image takes affect only after a reboot.

image:
are using the GUI.

b. Click Open.
c. Click Apply.

device.
f. Click Apply.
8. Select Staggered Upgrade Mode, and specify the aVCS device ID of the
device to reboot.
9. Click OK.
10. After the ACOS device reboots, set the priority value of each VRID on
the device to a lower value than on the backup ACOS device:
Note: Do not use the Force Self Standby option.

a. Select Config Mode > VRRP-A > Setting > VRRP-A Interface.
b. Next to Preempt Mode, select Enabled, if not already selected.
c. Select all the VRIDs.
d. Edit the value in the Priority field to a value that is lower than the
priority value(s) for the VRIDs on the backup ACOS device.
e. Click Edit.
f. Click OK.

11. Go to the vBlade device and force failover in order to take over the
vMaster role:
a. Select Config Mode > System > aVCS > General.
b. In the vmaster-take-over field, enter 255.
c. Click OK.
During failover, the vBlade becomes the vMaster. vMaster becomes
a vBlade device. The new vMaster will detect that the vBlade
device is running old software, and it will upgrade the vBlade. As
part of the upgrade, the vMaster will reboot the vBlade.
12. Optionally, force failover back to the original vMaster.
13. Take over the vMaster role:

14. Click OK.
15. For each VRID, reset the VRRP-A priority to its previous value:
a. Select Config Mode > VRRP-A > Setting > VRRP-A Interface.
b. Next to Preempt Mode, select Enabled, if not already selected.
c. Select all the VRIDs.
d. Edit the value in the Priority field to a value that is lower than the
priority value(s) for the VRIDs on the backup ACOS device.
e. Click Edit.
f. Click OK.
Staggered Upgrade (no VRRP-A)
Note: Staggered upgrade using the GUI is supported only in AX Release 2.7.0
and later. This section is inapplicable to performing staggered upgrade
from 2.6.1 using the GUI.
3. Next to Destination, select the image area.
Note: All devices in the virtual chassis use the same image area (primary or sec-
ondary). For example, if the software running on the vMaster is in the pri-

mary image area, all the vBlades also are running their software from
their own primary image areas.
4. For Reboot, Select Yes to reboot as soon as you click OK, or No if you
prefer to reboot later. The new image takes affect only after a reboot.
image:
are using the GUI.

b. Click Open.
c. Click Apply.

device.
f. Click Apply.
8. Select Staggered Upgrade Mode, and specify the aVCS device ID of the
device to reboot.
9. Click OK.
10. Go to the vBlade device and force failover in order to take over the
vMaster role:
c. Click OK.
During failover, the vBlade becomes the vMaster. vMaster becomes
a vBlade device. The new vMaster will detect that the vBlade


12. Take over the vMaster role:

13. Click OK.
Using the CLI

This section describes how to upgrade an aVCS chassis using the CLI.
Backing Up the System

Before you begin the upgrade, it is recommended to back up the system. A
full system backup includes the startup-config file, aFleX files, and SSL
To do so, use the following command:
The url specifies the file transfer protocol, username (if required), directory
path, and filename. The following types of URLs are supported:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• sftp://[user@]host/file
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password.
The use-mgmt-port option uses the ACOS device’s management port as

the source interface. Otherwise, a data interface is used.

Full Chassis Upgrade (with or without VRRP-A)
Note: This procedure requires a reboot of each ACOS device in the virtual chas-
sis. In this case, the vMaster sends the new image to all vBlades and
reboots all devices in the virtual chassis, including itself. This can take
several minutes, during which a service outage will occur.
Perform the following steps on the vMaster.

1. Save the startup-config to a new configuration profile:
write memory all-partitions
2. Upload the new image onto the vMaster and reboot:

The CLI displays a prompt asking you whether to reboot. Enter yes to
reboot now, or no if you prefer to reboot later. The new image takes
affect only after a reboot.
3. To verify the upgrade after the ACOS device reboots, use the following
command:
show version
Staggered Upgrade (with VRRP-A)
In this procedure, the vBlades are upgraded first, followed by the vMaster.
Note: These steps assume that when you begin the procedure, the vMaster is
also the active VRRP-A device for all VRIDs.
Perform step 1 through step 5 on the vMaster:

1. On the vMaster, verify the currently running software version and the
image area currently in use.
show bootimage
show version
All devices in the virtual chassis use the same image area (primary or
secondary). For example, if the software running on the vMaster is in
the primary image area, all the vBlades also are running their software
from the primary image areas on those devices.

2. Save the configuration to the other image area:

[all-partitions]
Note: Make sure to use the all-partitions option, if RBA/L3V private partitions
are configured.
3. Upgrade the vBlade, by loading the new software image into the image
area currently in use by the vBlade:
staggered-upgrade-mode device DeviceID
• The device DeviceID specifies the vBlade’s aVCS device ID.
• The url specifies the file transfer protocol, username and password
(if required), directory path, and filename.
• The use-mgmt-port option uses the ACOS device’s management
port as the source interface. Otherwise, a data interface is used.
This step reboots the vBlade. The vMaster continues to operate.
4. For each VRID that is active on the device, force failover from the
vMaster to the vBlade:
vrrp-a vrid {num | default}
This command changes to the configuration level for the VRID. At this
level, use the following command:
priority 255 device DeviceID
Note: Do not use the vrrp-a force-self-standby command.
5. Validate that the load-balanced services are working. (The show com-
mands or other techniques depend on your deployment. The show slb
virtual-server command is useful in almost any deployment.)
Perform step 6 on the vBlade, to take over vMaster role:
6. On the vBlade that is running the new software image, enter the fol-
lowing command:
a. At the Privileged EXEC level (AX#), use the following command to
force the vBlade to take over the vMaster role:
vcs vmaster-take-over 255
During failover, the vBlade becomes the vMaster, and the vMaster
becomes a vBlade. The new vMaster will detect that the vBlade
part of this upgrade, the vMaster will reboot the vBlade.

(Optional) Perform step 7 on the new vBlade (former vMaster), to

resume the vMaster role and again become the active device for
the VRID:

take over the vMaster role:
b. For each VRID, use the following commands to reset the VRRP-A
priority to its previous value.
vrrp-a vrid {num | default}
priority previous-value device DeviceID
CLI Example
The commands in this example perform a staggered upgrade of a virtual
chassis containing 2 devices (ACOS1 and ACOS2). Before the procedure
begins, and after it is completed, ACOS1 is the vMaster and ACOS2 is the
vBlade. The devices are running the software image located in the primary
image area.
The following commands are entered on the ACOS1 (the vMaster):

ACOS1-vMaster-Active(config)#show bootimage
(* = Default)
Version
-----------------------------------------------
Hard disk primary 2.7.1-P1 (*)
Hard disk secondary 2.6.1-GR-P2
ACOS1-vMaster-Active(config)#show version
AX Series Advanced Traffic Manager AX2500
Copyright 2007-2012 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
64-bit Advanced Core OS (ACOS) version 2.6.1-GR1-P2, build 57 (May-07-2012,02:04)

Booted from Hard Disk primary image
Serial Number: AXxxxxxxxxxxxxxx
aFleX version: 2.0.0
aXAPI version: 2.0
Hard Disk primary image (default) version 2.6.1-GR1-P2, build 57

...
ACOS1-vMaster-Active(config)#write memory secondary all-partitions

Write configuration to default startup-config
[OK]
ACOS1-vMaster-Active(config)#upgrade hd pri use-mgmt-port ftp://Administra-

tor@192.168.12.25/Ax52_upg_2_7_1-P1_57.64.tgz staggered-upgrade-mode
device 2
Password []?********
ACOS1-vMaster-Active(config)#vrrp-a vrid default

ACOS1-vMaster-Active(conf-vrid)#priority 255 device 2
ACOS1-vMaster-Standby(conf-vrid)#exit
On ACOS2 (the upgraded vBlade), the following commands access the

Privileged EXEC level of the CLI, and take over the vMaster role:
ACOS2-vBlade-Active>enable
Password:enable-password
ACOS2-vBlade-Active#vcs vmaster-take-over 255
ACOS2-vMaster-Active#
Optionally, the following commands on ACOS1 return that device to the

vMaster role, and reset the the VRID priority so that ACOS1 is again the
active VRRP-A device for the VRID.
ACOS1-vBlade-Standby(config)#vcs vmaster-take-over 255
ACOS1-vMaster-Standby(config)#vrrp-a vrid default
ACOS1-vMaster-Standby(conf-vrid)#priority 100 device 2
ACOS1-vMaster-Active(conf-vrid)#
After this final set of commands, device 1 is again the aVCS vMaster, as
well as the active VRRP-A device for the VRID. Device 2 is again the
vBlade, as well as the standby device for the VRID.

Staggered Upgrade (no VRRP-A)

In this procedure, the vBlades are upgraded first, followed by the vMaster.
Perform step 1 through step 4 on the vMaster:

1. On the vMaster, verify the currently running software version and the
image area currently in use.
show bootimage
show version
All devices in the virtual chassis use the same image area (primary or
secondary). For example, if the software running on the vMaster is in
the primary image area, all the vBlades also are running their software
from the primary image areas on those devices.
2. Save the configuration to the other image area:

[all-partitions]
Note: Make sure to use the all-partitions option, if RBA/L3V private partitions
are configured.
3. Upgrade the vBlade, by loading the new software image into the image
area currently in use by the vBlade:
staggered-upgrade-mode device DeviceID
• The device DeviceID specifies the vBlade’s aVCS device ID.
• The url specifies the file transfer protocol, username and password
(if required), directory path, and filename.
• The use-mgmt-port option uses the ACOS device’s management
port as the source interface. Otherwise, a data interface is used.
This step reboots the vBlade. The vMaster continues to operate.
4. Validate that the load-balanced services are working. (The show com-
mands or other techniques depend on your deployment. The show slb
virtual-server command is useful in almost any deployment.)

Perform step 5 on the vBlade, to take over vMaster role:
5. On the vBlade that is running the new software image, enter the fol-
lowing command:
During failover, the vBlade becomes the vMaster and the vMaster
becomes a vBlade. The new vMaster will detect that a vBlade
device is running old software and it will upgrade that vBlade. As
(Optional) Perform step 6 on the new vBlade (former vMaster), to

resume the vMaster role and again become the active device for
the VRID:

Management GUI Requirements

Table 9 lists the browser versions supported by the ACOS management GUI
in this release.
TABLE 9 GUI Browser Support

Platform
Browser Windows Linux MAC
IE 6.0 and higher Supported N/A N/A
Firefox 3.5 and higher Supported Supported N/A
Safari 3.0 and above Not Supported N/A Supported
Chrome 5.0 and above Supported Supported Supported
The browser used to access the GUI must support encryption keys of 128
bits or longer. Beginning in AX Release 2.4.2, shorter encryption keys (for
example, 40 bits) are not supported. The browser also must support TLS
1.0. Beginning in AX Release 2.6.1-P1, browsers that support only SSL are
not supported.

A screen resolution of at least 1024x768 is required for the GUI to be dis-

played correctly.
After you upgrade the ACOS device, clear the browser cache to ensure
proper display of the GUI.
Disabling HTTP-to-HTTPS Redirection

By default, redirection of HTTP to HTTPS is enabled for access to the man-
agement GUI. As a result, even if both HTTP and HTTPS web access are
enabled on an AX interface, HTTP requests sent to the interface will be
redirected to HTTPS.
To disable redirection of HTTP to HTTPS for web management access,

enter the following command at the global configuration level of the CLI:
no web-service auto-redir
If you are already logged into the GUI and want to change the setting for the
next login, you can disable redirection from within the GUI:
1. Select Config > System > Settings.
2. On the Web tab, click on the Re-direct HTTP to HTTPS checkbox to

deselect the option.
3. Click Apply.
Trunk and Layer 2/3 Virtualization Support

If you are upgrading from a release earlier than 2.6.1, the trunk configura-
tion enhancements in this release are not automatically supported. Likewise,
the startup-config is not automatically modified to match VE numbers to
VLAN IDs, which is required for Layer 2/3 virtualization.
• By default, ACOS does not automatically change VE numbers to match
their VLAN IDs following upgrade from an earlier release to 2.6.1.
Matching of VE number to VLAN ID is not enforced by default.
• If you attempt to enable Layer 2/3 virtualization on a private partition,
the device prompts you to back up the system, then use the write mem-
ory upgrade-startup-config-l3v command to change VE numbers in
the startup-config to match the VLAN IDs. After this, matching of VE
number to VLAN ID is enforced.
• For new ACOS devices (no pre-existing config running on earlier soft-
ware version), matching of VE number to VLAN ID is enforced by

default. The write memory upgrade-startup-config-l3v command is

not required.
To enable the trunk enhancements and modify the startup-config to make

sure VE numbers match their VLANs:
1. Upgrade the image to 2.6.1. See the section in this chapter that is appli-
cable to your deployment:
• “Upgrading the Software Image (non-aVCS deployment)” on
page 210
• “Upgrading the Software Image (aVCS virtual chassis)” on
page 217
2. Back up the startup-config and system files. To do so, use the following
command:
3. Use the following command:

write memory upgrade-startup-config-l3v
The upgrade-startup-config-l3v option is not listed in the CLI help and
is not supported by command completion. You must type the entire
option name as shown.

Common Criteria
The following configuration information applies only to ACOS models that

are validated and certified for Common Criteria, an International Standard
for Computer Security Certification:
• The High Availability feature is not a part of the validation process.
• The Data Plane shall have open ports serviced by applications.
• No routing (either external of internal) is supported between the man-

agement plane and the data plane. Therefore, AX data plane users can
not access the management plane.
On the ACOS device, when all FIPS self-tests have been passed, the follow-
ing message appears in the log:
All FIPS power on self test have passed.
Any FIPS self-test failures are indicated in the command prompt. For exam-
ple:
AX3000(FIPS FAIL MODE)#


Performance by Design 235 of 236

Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015
Performance by Design
© 2014 A10 Networks Corporation. All rights reserved.
236

271-GR1 Rel 004

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

271-GR1 Rel 004

Hochgeladen von

Copyright:

Verfügbare Formate

Release Notes

A10 ThunderTM Series and AX

Document No.: D-030-02-00-0003

A10 Networks Inc. Software License and End User Agreement

Fixes in ACOS 2.7.1 and its Patch Releases 17

Enhancements in ACOS 2.7.1-GR1 153

Enhancements in ACOS 2.7.1-P6 157

Enhancements in ACOS 2.7.1-P5 163

Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015 3 of 236

Enhancements in ACOS 2.7.1-P4 171

Enhancements in ACOS 2.7.1-P3 179

Enhancements in ACOS 271-P2 181

Additional Changes and Notes 185

4 of 236 Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015

Known Issues in Release 2.7.1 189

Upgrade Instructions 199

Common Criteria 233

Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015 5 of 236

6 of 236 Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015

For detailed information about Thunder Series or AX Series models,

• Source Port Rate Limiting

Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015 7 of 236

• TLS Fallback SCSV to mitigate SSL POODLE vulnerability

• New MIB Object Added: axGlobalTotalThroughput

• MIB Objects Re-organized with New MIB Files Added

• New aXAPI Methods Added for slb.class_list.string

• Support for up to 500 characters in GET URL method

• Preventing Dropped Packets with ‘no ip anomaly-drop’

• A10 Thunder 6435(S)

• A10 Thunder 5630(S)

• A10 Thunder 5435(S)

• A10 Thunder 5430(S)-11

• A10 Thunder 4430(S)

Other System Enhancements

• Support for up to 2 Million subnet entries in a Black/White List

• Support for Dynamically Selected FTP Data Ports

• Stateful Request-ID-based DNS Load Balancing

• MAC-Based Nexthop Routing

• WAF ICSA Certification

• Log DDoS Attack Detection Events

• Support for 16-port Trunks on Thunder 6430/6430S

• Black/White List Group ID for PBSLB Increase

8 of 236 Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015

• CTR SSH Cipher Support

• Support for URI path in OCSP

Form-based authentication enhancements:

• Error Message Customization for Form-based Logon

• Configurable MSS source for proxied SLB traffic

• Non-HTTP-bypass support for invalid HTTP versions

• A10 Thunder 6430

• A10 Thunder 5430S

• A10 Thunder 3030S

• A10 Thunder 1030S

• A10 Thunder 930

Document No.: D-030-02-00-0003 - ACOS 2.7.1-GR1 10/23/2015 9 of 236

• Application Access Management (AAM), a new suite of features for

• Enhanced SYN-cookie buffering and statistics

• Opensource Xen.org Xen Hypervisor support

• Application Delivery Partition (ADP) support

• Multiple CPU support

• System Center Operations Manager (SCOM) support

• Support for “UTC” as timezone name

• Network Time Protocol (NTP) enhancements: