Beruflich Dokumente
Kultur Dokumente
Trademarks
The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, ACOS Policy
Engine, Affinity, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP-to-ID, SSL Insight, Thunder,
Thunder TPS, UASG, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. in the
United States and other countries. All other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all Thunder Series products are protected by one or more of the following
U.S. patents: 8977749, 8943577, 8918857, 8914871, 8904512, 8897154, 8868765, 8849938, 8826372,
8813180, 8782751, 8782221, 8595819, 8595791, 8595383, 8584199, 8464333, 8423676, 8387128, 8332925,
8312507, 8291487, 8266235, 8151322, 8079077, 7979585, 7804956, 7716378, 7665138, 7647635, 7627672,
7596695, 7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516, 6363075, 6324286,
5931914, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695, 7287084, 6970933,
6473802, 6374300.
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and informa-
tion and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Net-
works, Inc. without prior written consent of A10 Networks, Inc. This information may contain forward
looking statements and therefore is subject to change.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agree-
ment (EULA), provided later in this document or available separately. Customer shall not:
1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any
means
2. sublicense, rent or lease the Software.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or
services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has
made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks
assumes no responsibility for its use. All information is provided "as-is." The product specifications and fea-
tures described in this publication are based on the latest information available; however, specifications are
subject to change without notice, and certain features may not be available upon initial product release. Con-
tact A10 Networks for current information regarding its products or services. A10 Networks’ products and
services are subject to A10 Networks’ standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific compo-
nent types, please contact the manufacturer of that component. Always consult local authorities for regula-
tions regarding proper disposal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your
nearest A10 Networks location, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series—Release Notes
Contents
Summary of Enhancements 7
Enhancements in 2.7.1-GR1 .................................................................................................................. 7
Enhancements in 2.7.1-P6 ..................................................................................................................... 7
Enhancements in 2.7.1-P5 ..................................................................................................................... 8
Enhancements in 2.7.1-P4 ..................................................................................................................... 8
Enhancements in 2.7.1-P3 ..................................................................................................................... 9
Enhancements in 2.7.1-P2 ..................................................................................................................... 9
Enhancements in 2.7.1/2.7.1-P1 ............................................................................................................ 9
Summary of Enhancements
This chapter provides a summary of enhancements for ACOS 2.7.1 and its
subsequent patch releases.
Notes
• To protect from potential vulnerability, it is recommended to change the
name of the SNMP public community from its default ("public") to
another name.
• To ensure proper display of the ACOS management GUI after you
upgrade, clear the web browser cache on each PC you use to access the
GUI.
(For additional upgrade considerations, see “Upgrade Instructions” on
page 199.)
• This release does not support any 32-bit ACOS models. For a list of the
models this release does support, see “Image File Names” on page 200.
• Beginning in ACOS 2.7.1-P3, the product name for the ACOS virtual
appliance that supports SLB features is changed from “SoftAX” to
“vThunder”. This document uses the new name, but some installation
guides may still refer to “SoftAX”. In these cases, the installation
instructions can still be used, but only if the hypervisor version on which
you are attempting to install the ACOS virtual appliance is supported.
You can determine whether a particular ACOS release supports vThun-
der by checking the following section: “Image File Names” on page 200
Enhancements in 2.7.1-GR1
• CPU Load Sharing
Enhancements in 2.7.1-P6
• Documentation Enhancements
Enhancements in 2.7.1-P5
New A10 Thunder Product Line
• A10 Thunder 6630(S)
Enhancements in 2.7.1-P4
• TACACS+ Server Monitoring
Enhancements in 2.7.1-P3
Application Access Management (AAM) enhancements:
• Support for alternate LDAP login formats
Enhancements in 2.7.1-P2
• Option to specify request headers to forward to proxy servers
Enhancements in 2.7.1/2.7.1-P1
New A10 Thunder Product Line
• A10 Thunder 6430S
Security Enhancements
• Web Application Firewall (WAF)
vThunder Enhancements
• XenServer Hypervisor 5.6 support
System-level Enhancements
• Power On Auto Provisioning (POAP)
VRRP-A/HA Enhancements
• aVCS/VRRP-A affinity (vMaster is always the current active VRRP-A
device)
• Increased number of VLANs supported for VRRP-A VRID tracking
(up to 64)
• Configuration persistence for HA force-self-standby
• Inter-partition routing
• DHCP support
• HTTP/HTTPS enhancements:
• Support for ICY 200 OK response code from servers
• HTTP/HTTPS template option to keep client sessions up even after
the backend server session ends
• Customizable web logging in World Wide Web Consortium (W3C)
format
• Configurable request header wait time for prevention of Slowloris
attacks
• Temporary compression disable during high CPU utilization
• Enhanced compression statistics
• DNS enhancements:
• Global DNS caching for IPv6
• DNS caching for Domain Name System Security Extensions (DNS-
SEC)
• DNSSEC Hardware Security Module (HSM) support
• 1+1 NAT
• Client-IP insertion into TCP options header (useful for non-HTTP load-
balanced traffic)
• More granular force-delete-timeout option for TCP-proxy templates (as
short as 100 milliseconds)
• Shorter configurable idle timeout for TCP, TCP-proxy, and UDP tem-
plates (as short as 1 second)
• Health monitoring enhancements:
• Longer maximum configurable timeout (180 seconds)
• TCL UDP extension support
• Automatic adjustment of health monitor interval based on HTTP
status code
• Configurable response code range for SIP health monitoring
• Kerberos health monitoring
• Online Certificate Status Protocol (OCSP) health monitoring
• Enhanced LDAP health monitoring:
• Support for searchRequest and searchResponse
• STARTTLS support
• Support for more symbols in a health monitor (up to 127 sym-
bols)
• Configurable TTLs for more types of DNS records (SRV, TXT, MX,
PTR, NS) belonging to services in GSLB zones
• Support for multiple SRV records with the same name but different
ports
• Longer maximum GSLB protocol status interval (up to 1800 seconds)
Usability Enhancements
• GUI enhancements:
• Customizable GUI banner
• Clear button for clearing sessions from the session table using the
GUI
• AXdebug access
• Clone button for easy configuration of multiple virtual servers
SNMP/MIB Enhancements
• MIB objects for GSLB
aFleX Enhancements
• New aFleX capabilities for SSL
In this example, either of the following character combinations results in empty matches:
,|
||
2. Next, the decision as to which data CPU will process the packet is determined.
In most cases, the number of packets are evenly divided and processed by the CPUs. However, if an attack
targets one data CPU, it may receive an abundance of packets in comparison to others. This feature helps
offload the attacked CPU and distributes incoming traffic amongst the CPUs.
The CPU load sharing feature (a.k.a, “CPU Round Robin”) is triggered when all of the following condi-
tions occur:
1. If the utilization rate of the CPU being targeted exceeds the configured high CPU usage threshold
(which has a default value of 75%), AND
2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum configured threshold
(the default is 100,000 packets per second), AND
3. If the CPU being targeted is receiving 150% more packets-per-second than the median CPU packets-
per-second rate on the ACOS device. If all CPUs are under a heavy load, there would be no advantage
to using round robin to distribute the traffic.
The CPU load sharing feature stops when the following conditions are met:
1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND
2. Either of the following packets-per-second rates would apply to the targeted CPU if CPU round robin
support was turned off:
a. If the targeted CPU is receiving packets at a rate below the minimum configured packets-per-sec-
ond threshold, OR
b. If the utilization rate of the targeted CPU is no longer 150% higher than the median of its neigh-
boring CPUs.
You can configure the thresholds for the CPU load sharing feature using the syntax below:
[no] system cpu-load-sharing
{
cpu-usage low percent |
disable |
enable |
packets-per-second min num-pkts
}
Parameter Description
cpu-usage low Maximum CPU utilization allowed on control CPUs, before CPU load sharing is
percent used. You can specify 0-100 percent.
disable Disables CPU load sharing. The feature is not used even if a threshold is exceeded.
enable Enables CPU load sharing. The feature is used when a threshold is exceeded.
packets-per-sec- Maximum number of packets per second any CPU can receive, before CPU load
ond min num-pkts sharing is used. You can specify 0-30000000 (30 million) packets per second.
Defaults
The CPU load sharing feature is enabled. The thresholds have the following default values :
• cpu-usage – 60
• packets-per-second – 100000
To help prevent the home CPU from being a bottleneck, ACOS provides the option of enabling source port
rate limiting and source IP rate limiting on a virtual-port template. This enables traffic rate monitoring on
virtual ports to which the template is bound, and it can be applied when CPU round robin is not active, or
only when CPU round robin is triggered. Rate limit monitoring only applies for client to server traffic.
Packets originating from the server are not monitored.
Keep in mind that source port rate limiting and source IP rate limiting only applied to IPv4 traffic. Incom-
ing IPv6 packets are not rate limit controlled.
You can configure the options for source port and source IP rate limiting under the virtual-port template
using the syntax below:
[no] pkt-rate-limit
[src-ip-port | src-port]
rate [pkt-rate]
[no-logging]
[when-rr-enable]
Parameter Description
src-ip-port Monitor and limit the packet rate for packets sent from the same source port and
source IP to the virtual port.
src-port Monitor and limit the packet rate for packets sent from the same source port to the
virtual port.
rate pkt-rate Packet rate limit per second (1-1048575). The source port or source port and IP are
dropped when this rate is exceeded.
no-logging Disable logging when the packet rate limit is exceeded.
when-rr-enable Monitor the packet rate only when CPU round robin is triggered. For more informa-
tion about configuring CPU round-robin, see “system cpu-load-sharing” in the CLI
Reference.
Without the when-rr-enabled option, the source port rate for client requests is always
monitored.
If you use the when-rr-enabled option, note that rate limiting is not performed if CPU
round-robin is not triggered. Only after CPU round-robin is triggered will the ACOS
device start to monitor the source port rate across all CPUs.
Documentation Enhancements
ACOS 2.7.1-P6 introduces the following documentation enhancements.
• ACOS 2.7.1-P6 provides documentation in responsive HTML format with online search capability per
document. This documentation set will also be available in PDF format.
• The hardware documentation library has been revamped completely. The instructions provide informa-
tion on installing each device, and all field replaceable units (FRUs).
• The core set of manuals and reference guides have been updated to remove references to “Contact A10
Networks”. In most cases, these references were replaced with descriptions provided by subject matter
experts.
• The following documents contain specific changes for this release:
• The aFleX Reference has been reorganized, the structure of the document has been updated, and
many examples have been revised.
• The Application Access Management and DDoS Mitigation Guide has been revised to include
missing information.
• The System Configuration and Administration Guide and Application Delivery and Server Load
Balancing Guide have been restructured to co-locate related content.
At the time of this publication, other documentation provided as part of this documentation set remains
unchanged since the previous release.
• These Release Notes contain cumulative information from prior patch releases for supported features,
known issues, and fixed bugs. Previous release notes were inconsistent in embracing this approach,
sometimes making it necessary to search multiple sets of release notes to find this information.
• All feature content from prior patch release notes has been ported into the core manuals.
• Where possible, certain improvements, both cosmetic and technical, were made to the documentation
set in order to address documentation issues reported by customers in prior releases. Issues corrected
include broken cross references and updating outdated or incorrect values.
• Certain changes or enhancements or corrections have been made to the content in the following topics:
• “port mirroring”
• “udp timers”
• “conn-reuse”
The POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”) is a man-
in-the-middle (MITM) exploit that takes advantage of Internet and security software clients' fallback to
SSL 3.0. This vulnerability has the CVE ID CVE-2014-3566.
In a POODLE attack, the attacker can manipulate the SSL handshake messages in order to trick both the
server and the client into using SSL v3.0. (This can be accomplished even if both the server and client sup-
port the more secure protocols, such as TLS 1.2.)
To prevent the POODLE protocol downgrade attack, ACOS has implemented the TLS Fallback Signaling
Cipher Suite Value (SCSV), which defines a new TLS cipher suite value, TLS_FALLBACK_SCSV (draft-
ietf-tls-downgrade-scsv-00).
TLS_FALLBACK_SCSV serves as a signal value instead of a suite of crypto-systems, and its presence in
the client ‘hello’ message serves as a backwards-compatible signal from the client to the server.
axGlobalTotalThroughput
OID .1.3.6.1.4.1.22610.2.4.3.1.2.13
The name of the compressed .tar file that can be downloaded from the ACOS device has not changed, but
the uncompressed file will contain the following updated set of MIB files:
• A10-AX-MIB.txt
• A10-AX-NOTIFICATIONS-V2C-COMMON.txt
• A10-AX-NOTIFICATIONS-V2C-GSLB.txt
• A10-AX-NOTIFICATIONS-V2C-SLB.txt
• A10-AX-TRAPS-V1-COMMON.txt
• A10-AX-TRAPS-V1-GSLB.txt
• A10-AX-TRAPS-V1-SLB.txt
• A10-COMMON-MIB.txt
For more information about these new MIB files, please see the section called, “ACOS MIB Files” in the
MIB Reference.
Prior releases offered no aXAPI method that could be used to create, modify or remove “str abc def”.
In order to provide a way to delete, create, or update SLB class-list entries with string type, ACOS
2.7.1-P6 adds the following new aXAPI methods:
• slb.class_list.string.create
• slb.class_list.string.update
• slb.class_list.string.delete
• string_list - an entry list that is composed of string-type entries, each of which will contain the string,
and either an lid (with flag and lid_index) or a string_value.
These methods require Read Write privilege and support JSON format. The following URLs are used for
these methods:
http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&for-
mat=json&method=slb.class_list.string.create
http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&for-
mat=json&method=slb.class_list.string.update
http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&for-
mat=json&method=slb.class_list.string.delete
Example
The HTTP POST body below shows an example of the JSON data for this method:
{
"name": "c2",
"string_list": [
{
"string": "name00",
"lid": {
"flag": 1,
"lid_index": 100
}
},
{
"string": "name01",
"lid": {
"flag": 0,
"lid_index": 1
}
},
{
"string": "name02",
"string_value": "dddd"
}
]
}
To achieve this desired goal, the no ip anomaly-drop ip-option command should be used.
Notes:
• This command should not be used for AX 5100 and AX 5200 models.
• AX 3030
• AX 3200
• AX 3400
• AX 3500
• AX 5100
• AX 5200
• AX 5430
• AX 5630
• AX 6430
Note: This feature only expands the subnet capacity in Black/White Lists. It
does not affect host entry capacities.
You can configure support for dynamically assigned FTP data ports within
the FTP template. You can choose to support all valid ports, or you can
specify the range of ports the server can choose from to send to the client.
Each template only supports one range of data ports.
The template can be bound to any FTP virtual port; it does not need to be
the port the FTP server is listening on. When the template is bound to a port,
it immediately takes effect. It is not advisable to bind a template to a virtual
port when there is live traffic.
The current release does not support configuration of FTP templates using
the GUI.
To enable support for dynamically assigned FTP data ports, use the follow-
ing command at the configuration level for the FTP template:
CLI Example
The following command enables use of protocol ports 1024-2024 for active
data connections to load balanced FTP servers:
ACOS(config-ftp template)#active-mode-port 1024 to 2024
The following command enables use of protocol ports 1-65534 for active
data connections to load balanced FTP servers:
ACOS(config-ftp template)#active-mode-port any
Note: This feature applies only to DNS port 53. For other load-balanced DNS
virtual ports, requests are load balanced based on the following: |
Configuration
To configure stateful request-ID-based load balancing:
1. Create a real server configuration for each DNS server.
4. Create a VIP and bind the service group and template to the VIP. Create
separate VIPs for IPv4 and IPv6.
This section shows the syntax for enabling the query-id-switch option. The
syntax for the configuring the other options is the same as in previous
releases.
Note: If a real server will support both IPv4 and IPv6 DNS, create separate real
server configurations for IPv4 and for IPv6. Likewise, use separate ser-
vice groups for the IPv4 servers and for the IPv6 servers. (Shown in “CLI
Example” on page 167.)
query-id-switch
To display DNS sessions, including their request IDs, use the following
command:
For each stateful DNS session for a load-balanced DNS request, the DNS-
ID field lists the query ID.
To display the total count of DNS queries that were load balanced based on
query ID, use the following command:
show slb l4
CLI Example
Each VIP receives DNS requests on UDP port 53. The requests all come
from the same proxying local DNS resolver, but actually are not all from the
same end-user.
The following commands add the configurations for the IPv4 DNS servers:
port 53 udp
port 53 udp
port 53 udp
port 53 udp
port 53 udp
The following commands add the configurations for the IPv6 DNS servers:
port 53 udp
port 53 udp
port 53 udp
port 53 udp
port 53 udp
member dns1:53
member dns2:53
member dns3:53
member dns4:53
member dns5:53
member dns1v6:53
member dns2v6:53
member dns3v6:53
member dns4v6:53
member dns5v6:53
malformed-query drop
query-id-switch
port 53 udp
service-group dnsv4
port 53 udp
service-group dnsv6
After the ACOS device receives some DNS requests and load balances
them to the DNS servers, the following command is used to show the state-
ful DNS sessions in the session table:
ACOS#show session dns-id-switch
Prot Forward Source Forward Dest Reverse Source Reverse Dest
Age Hash Flags DNS-ID
------------------------------------------------------------------------------
---------------------------
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.75:53
60.60.60.60:12345 120 18 NFe0 15376
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.72:53
60.60.60.60:12345 120 18 NFe0 63804
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.75:53
60.60.60.60:12345 120 18 NFe0 45116
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.74:53
60.60.60.60:12345 120 18 NFe0 41047
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.73:53
60.60.60.60:12345 120 18 NFe0 57688
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.72:53
60.60.60.60:12345 120 18 NFe0 48444
The following command shows the total count of DNS requests that were
load balanced based on query ID:
ACOS#show slb l4
Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP SYN received 0
...
DNS query id switch 596597
With the new TACACS+ monitoring feature enabled, the ACOS device
actively checks the status of both the primary and secondary TACACS+
servers. The user’s authentication request is sent to whichever TACACS+
server is active, regardless of whether it is the primary or secondary. If there
is a problem with the primary server, ACOS quickly discovers that the pri-
mary server is down and routes the user’s authentication request to the other
TACACS+ server (assuming it is up and available). In this way, monitoring
the status of the TACACS+ servers helps increase the speed with which
user’s requests are authenticated.
Details:
• The ACOS device sends a TACACS+ monitor request, which contains
the user name and password to the server in order to log into the device
and check if the server is available. If it is, then the last_available_time-
stamp will be updated with current time.
• If a user login authentication request arrives at the ACOS device, then
ACOS will send the request to the TACACS+ server that has the most
recent last_available_timestamp value.
• If the user’s login attempt is successful, then timestamp for that
server will be updated to the current time.
• However, if the user authentication request fails, then ACOS will
send the request to the secondary TACACS+ server.
• To enable this feature, you must configure the user name and password
for the TACACS+ server’s administrative account. While a simple
server port “ping” could be used to check the status, this is not recom-
mended because it could cause the ACOS device to be mistakenly seen
as an attacker, thus causing it to be added to the ACL.
To enable TACACS+ server monitoring on the ACOS device, and to set the
frequency with which status checks are performed, use the following com-
mand at the global configuration level:
The seconds option allows you to specify the frequency with which the
ACOS device will check the status of the TACACS+ server. You can spec-
ify a value from 1-120 seconds, and the default is 60 seconds.
Use the following command to specify the name and secret for the
TACACS+ server that will be monitored. This command also allows you to
set the administrative username and password needed to log into this server
(which is required to check the status of the device). This command is used
at the global configuration level:
The hostname option allows you to specify the name of the TACACS+
server.
The name option allows you to specify the administrative username needed
to access the TACACS+ server, without which the status cannot be checked.
The password option allows you to specify password associated with the
administrative username for the TACACS+ server.
When finished with your configurations, use the show tacacs-server CLI
command to verify your changes. This command provides the configured
values for the following parameters:
• current status
• last_available_timestamp
• total_number_of_failed connection
Notes
• To allow replies to be sent to the inside client through the same route
hop on which the request was received, the MAC entry of the inside cli-
ent on the ACOS device must be valid. When the MAC entry expires,
the ACOS device will send the reply using the route table to select the
next hop.
• A session on standby will use the route table to select the next hop even
when the respond-to-user-mac command is enabled.
This ACOS release does not support this feature in the GUI.
Note: The ha-use-all-ports option applies only to DNS virtual ports. Using this
option with other virtual port types is not valid. (For information about
this option, see the CLI Reference.)
3. To enable MAC-based nexthop routing for inside source NAT, use the
following command:
ip nat inside source list acl-name
pool {pool-name | pool-group-name} respond-to-user-
mac
CLI Example
ACOS(config)# access-list 1 per 30.30.30.0 /24
ACOS(config)# ip nat pool nat pool 40.40.40.1 40.40.40.10 netmask /32
AX(config)# ip nat inside source list 1 pool nat pool respond-to-user-mac
In the example above, the user configures an ACL to specify the internal
hosts to be NATed. They then configure an IPv4 pool of external addresses
to use for the NAT translations. Finally, they enable the inside source NAT
and associate the ACL with the pool in which MAC-based nexthop routing
is enabled.
Each of the new commands can be accessed and enabled from the global
configuration level. As a default, ACOS will run system checks every 30
seconds. If ACOS detects any changes, the appropriate log will be printed.
CLI Example
The following CLI example shows the log output generated by system
anomaly log.
Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the TCP NO
FLAG profile have been detected. Previous 531, Current 6999
Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the LAND
ATTACK profile have been detected. Previous 531, Current 6999
The following CLI example shows the log output generated by system
attack log.
Jun 23 2013 14:40:45 Warning [SYSTEM]:IP packets matching the TCP SYN ATTACK
profile have been detected. Previous 0, Current 820711
Jun 23 2013 14:39:45 Warning [SYSTEM]:IP packets matching the TCP ACK ATTACK
profile have been detected. Previous 0, Current 2754803
The following CLI example shows the log output generated by system
pbslb log
Feb 16 2014 02:38:51 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB
ZERO WINDOW profile have been detected. Previous 0, Current 12
Feb 16 2014 02:20:10 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB
ZERO WINDOW profile have been detected. Previous 0, Current 11
Note: The current release does not support this enhancement in the GUI.
CLI Example
The following commands create a static trunk containing 16 data ports:
ACOS-6430(config)#trunk 1
ACOS-6430(config-trunk:1)#ethernet 1 to 16
You can customize the error message string included in the Logon form ().
The default error message string for login failures is “Invalid username or
password. Please try again.” You can customize the string, which can be
1-127 characters.
Notes
When using the Request Header Forwarding feature to forward HTTP head-
ers to a proxy server, the following caveats apply:
• Up to 16 headers can be extracted from a client request.
CLI Example
The following example enables header request forwarding within an exter-
nal-service template for the header “user-agent”.
ACOS(config-external-service)#request-header-forward user-agent
ACOS can use either of the following methods to determine the MSS value
for TCP SYN-ACKs from a VIP to a client:
• Interface MTU and MSS value received from client in SYN packet
Note: If ACOS receives different MSS sizes from multiple real servers, ACOS
bases the value on the smallest MSS value received.
Note: The current release does not support configuration of this option using the
GUI.
To configure ACOS to base the MSS in replies from VIPs to clients on the
interface MTU and MSS value received from clients in SYNs, use the fol-
lowing command at the global configuration level of the CLI:
In previous releases, ACOS did not provide this support. For example, in
previous releases, the Non-HTTP-bypass feature did not provide bypass
support for requests that had the following invalid HTTP versions:
• GET / HTTP/0.8
• GET / HTTP/1.2
• GET / HTTP/1.9
• GET / HTTP/2.1
• GET / HTTP/10.1
• GET / HTTP/a.b
The feature continues to recognize traffic with valid HTTP versions such as
the following:
• GET / HTTP/0.9
• GET / HTTP/1.0
• GET / HTTP/1.1
• GET / HTTP/1.10
• GET / HTTP/1.1000
If you prefer to leave hardware error monitoring disabled, you can disable it
using the following new command, at the global configuration level of the
CLI:
fail-safe hw-error-monitor-disable
Documentation Errata
The following sections clarify or expand on information in the manuals for
previous releases. This information will be incorporated into the manuals
for ACOS 2.7.1.
ACOS does not support the use of a copper adapter on a fiber port in the
current release across all platforms. (A10 issue 248521)
AAA ISSUE
VTHUNDER ISSUES
• The vThunder for VMware ESXi may reload if only one VMXNET3
virtual interface is configured. This issue happens only with vThunder
for VMware ESXi, and does not occur when vThunder is used with
other hypervisors. To work around this issue, make sure 2 VMXNET3
virtual interfaces are configured for each vThunder for ESXi instance.
This is the default behavior for the shipping version of the vThunder for
VMware ESXi image. (A10 issue 190093)
• The show interface brief command incorrectly shows the speed of
vThunder Ethernet interfaces as “10000Mbps”.
• The show interface command’s output always shows the utilization for
the input and output rates as 0%.
• When the maximum threshold for user accounts is reached and a user
account is deleted, the next user account created is disabled by default
and has no network privileges. To resolve this issue, add the new user
account as disabled and modify the user account to enable access and
assign network privileges. (A10 issue 97459)
• If a second user tries to acquire the console while the first one is still on
the console, the dialog box requesting the first user to deny or grant
access may time out prematurely. If this occurs, the second user is
denied access by default. (A10 issue 94852)
PING ISSUES
• Fragmented ping packets to a VIP address or NAT pool IP address are
not supported. (A10 issue 94870)
• Fragmented ping packets addressed to a floating IP address are not sup-
ported. (A10 issue 96205)
VLAN ISSUE
If you delete all the ports from a VLAN that has a VE and an IP address
configured on the VE, the virtual MAC address is removed for the VE.
However, if you add ports back to the VLAN, the virtual MAC address is
not re-added. To work around this limitation, do either of the following:
• (Preferred) Delete the VE configuration and reconfigure the VE.
• Delete the entire VLAN and reconfigure the VLAN and VE.
ROUTING ISSUES
AVCS ISSUES
Note: The output of the show run | section health global command at the pri-
vate partition level is blank, because the command is still set to its default
value. The change should occur in the private partition’s configuration but
instead occurs in the shared partition’s configuration.
• All devices in the virtual chassis must run the same ACOS Release.
Operation using a mix of the current release and earlier releases (for
example, 2.6.1 and 2.7.0) is not supported.
• aVCS can not run from Compact Flash. (A10 issue 56415)
• File management operations such as import and export are not supported
in private-partition management sessions. (A10 issue 73319)
• SMTP servers can not be configured in private partitions. Thus logging
email is not supported for private partitions. This will be fixed in a later
release.
• In the GUI, the Monitor > Network > Interface page lists only the inter-
faces that belong to the currently selected partition. However, the graphs
on this page always show data for the shared partition.
• In the GUI, shared SLB resources (service groups and servers) appear in
private partition list menus but should not.
• If you configure a class list in a private partition that has the same name
as a class list in the global partition, the system incorrectly creates a
duplicate of the class list in the shared partition. The duplicate class list
persists even if you remove it and reload or reboot. (A10 issue 73574)
• If a resource template configured in an L3V partition has bandwidth or
SSL throughput limits configured, the limits do not take effect. (A10
issue 85108)
• The config-save command for GSLB groups does not work in L3V par-
titions. (A10 issue 96859)
• To use the enable-management service in an L3V partition, the service
must be configured on a VE interface. (A10 issue 96959)
• ip-map-list
DSCP/802.1P MARKING
The current release does not support Layer 2 priority bit marking.
SSL ISSUES
• SSL session-ID persistence is not supported for IPv6.
• SSL session-ID reuse is not supported on ACOS devices that use multi-
ple SSL processors. This issue affects ACOS devices in which an add-
on SSL accelerator module is installed. The following models, if they
contain an add-on SSL accelerator module, are affected: AX 5100, AX
5200, AX 5200-11, AX 3000, and AX 2500.
• Whenever a cipher mismatch occurs, a FIN will be sent without an alert
message.
• Passive IPv6 FTP data connections are not supported with hardware-
based SYN cookies. To work around this issue, use active mode. (A10
issue 96802)
The request-rate-limit option in real port templates has reset and no-logging
options. The reset option cannot be configured. You can configure the no-
logging option, but it will not take effect. (A10 issue 118916)
IPv6 is not supported with system-wide (global) DNS caching. (A10 issue
96484)
AFLOW ISSUE
Highly active audit logging can result in error messages such as the follow-
ing:
Error [SYSTEM]:send audit log failed
This can occur with bursts of about 12 or more audit log messages at a time
or throughput of around 10 K messages or more per minute.
GSLB ISSUE
GUI ISSUES
• Right-clicking on on a sub-module menu displays an option menu.
However, the options on the right-click menu are not supported. For
example, opening a configuration page in a new tab or browser window
is not valid. The page will appear and you can enter data, but the data
will not be written to the configuration. An error also occurs in the pri-
mary GUI window.
• The GUI does not support monitoring of virtual-server class-list statis-
tics.
• In the GUI, the Monitor > Network > Interface page lists only the inter-
faces that belong to the currently selected partition. However, the graphs
on this page always show data for the shared partition.
• The GUI Find option does not work on lists containing over 500 items.
• With a few exceptions, GUI pages can not display lists containing a very
large number of items. Exceptions are the pages that list virtual servers,
service groups, and real servers.
• If you use the GUI to remove the age from a class-list file entry, the orig-
inal age remains in effect. The entry is removed within one minute after
the original age expires. (A10 issue 94466)
• If a description is configured in the GUI for a VIP, the description is lost
following upgrade to 2.7.0.
AXAPI ISSUE
The aXAPI method "slb.server.fetchAllStatistics" does not return any statis-
tics for a server if the server is defined with a DNS name. This issue can be
avoided by defining the server with an IP address rather than a DNS name.
In the error messages list in the manual for aXAPI version 1, the message
code and text are incorrect for all messages with IDs higher than 1032. For
higher-numbered messages, the code and text in the manual actually belong
to the next higher-numbered message. For example, the manual lists text
“The server already exists” for message number 1045. The text actually
belongs to message number 1046. (A10 issue 59210)
HARDWARE ISSUE
Currently copper adapters are not supported on fiber ports on all platforms.
(A10 Issue 248521).
Upgrade Instructions
This chapter describes how to upgrade the software image on your ACOS
device.
Notes
• If you are configuring a new ACOS device, see the Installation
Guide for your model.
• If you are upgrading from a 2.6.0 release, please upgrade from
2.6.0-P4 or later. If you are running a 2.6.0 release older than 2.6.0-
P4, it is recommended to upgrade to 2.6.0-P4 first, then upgrade to
2.6.1.
• If you are upgrading an aVCS virtual chassis from 2.6.0, you must
use the CLI.
• This chapter may contain references to “AX Release” versions. The
term “AX Release” is an older term for “ACOS”, which now also
runs on A10 Thunder devices, beginning in ACOS 2.7.1.
Cautions
Before you upgrade, please carefully read the following cautions. Some
cautions also apply to downgrade.
While command name changes between releases are not common, saving a
backup avoids the need to re-enter the older syntax following a downgrade.
Note: If you are upgrading ACOS devices that run aVCS, also see “Upgrading
the Software Image (aVCS virtual chassis)” on page 217.
HA Interfaces
Beginning in AX Release 2.7.0, in deployments that use the older imple-
mentation of High Availability (HA), if an HA interface is a tagged member
of a VLAN, it is required to specify the VLAN ID when configuring the
interface be an HA interface.
GSLB Groups
It is possible for GSLB configuration items to be lost on GSLB group mem-
bers following upgrade. To avoid this issue, see “Upgrading Devices in
GSLB Groups” on page 209.
HA Session Synchronization
When you upgrade ACOS devices that are deployed in High Availability
(HA) mode, the ACOS version running on the active device briefly differs
from the version running on the standby device.
Notes
• If the configuration on a device you are upgrading from 2.6.1-GR1 (or
any of its patches) to 2.7.1-P1 contains the no-dest-nat option, session
synchronization between the devices does not work.
• Session synchronization applies only to TCP and UDP Layer 4 virtual
ports. Session synchronization does not apply to other types of virtual
ports, such as HTTP/HTTPS VIPs.
• Depending on the versions you are upgrading from and to, session syn-
chronization may not work until all devices are running the same ver-
sion. For example, if you are upgrading from 2.6.1-GR1 to 2.7.0,
session synchronization does not work while one of the ACOS devices
is running 2.7.0 but the other device is still running 2.6.1-GR1.
Due to the behavior summarized in the table, existing sessions that would
normally be mirrored may be lost. Typically, this means clients will need to
retransmit or re-establish their connections. This should occur only one
time. Once both ACOS devices are running the same software version, ses-
sion synchronization will operate normally again.
Note: On each ACOS device, enable SSH on the HA interface used for configu-
ration synchronization.
• Using the GUI – Config Mode > System > Access Control
• Using the CLI – enable-management service ssh command at
global configuration level
Save the change to the startup-config.
HA Upgrade Example
Here is an example of a typical upgrade scenario:
1. Both ACOS devices are running AX Release 2.7.0
Note: As part of the upgrade process, make sure to copy the configuration to the
image area (primary or secondary) where you plan to install the upgrade,
before uploading the upgrade. Each image area has its own separate
startup configuration.
5. If you are upgrading from 2.6.x to 2.7.x, The HA standby ACOS device
will detect a synchronization version mismatch and ignore the synchro-
nization packets. As a result, existing connections are not mirrored.
Refer to Table 8 for supported session synchronization upgrade paths
between different ACOS versions.
7. After the HA active ACOS device reboots, both devices are now run-
ning ACOS 2.7.1. HA session synchronization operates normally.
Each ACOS device has four locations in which software images can be
placed:
• Disk (hard disk or Solid State Drive), in the primary image area
At the factory, the current generally available release is loaded into all four
areas before the device is shipped. When you upload a new image onto the
ACOS device, you can select the image device (disk or CF) and the area
(primary or secondary) on the device.
When you power on or reboot the ACOS device, it always attempts to boot
from the disk, using the image area specified in the configuration (disk pri-
mary, by default). If a disk failure occurs, the device attempts to boot from
the same image area on the backup disk (if applicable to the A10 Thunder
Series or AX Series model).
Caution: A10 Networks recommends that you install the new image into only
one disk image area (primary or secondary) and leave the image you
are upgrading from in the other area. If you need to downgrade or an
issue occurs when rebooting with the new image, leaving the old
image on the device will make it easier to restore the system.
In ACOS 2.7.1, when you save the configuration in the current image
area, ACOS displays a prompt asking whether you also want to save
the configuration to the other area. Syntax that is new or changed in
ACOS 2.7.1 may not be compatible with your older ACOS version.
Note: Allow up to five minutes for the reboot to complete. (The typical reboot
time is 2-3 minutes.) During the reboot, the system performs a full reset
and will be offline. The actual time may vary depending on system
parameters.
Note: Copying the configuration does not provide a complete system backup.
For example, copying the configuration does not include aFleX policies,
SSL certificates and keys, or class lists. For a complete system backup,
use the backup option as described in the procedure later in this section.
Note: the ACOS device always tries to boot using the disk first. The CF is used
only if the disk is unavailable.
Note: If the ACOS devices are running AX Virtual Chassis System (aVCS), this
recommendation is not applicable. Instead, see “Upgrading the Software
Image (aVCS virtual chassis)” on page 217.
Alternate Loading of the New Image into the Primary and Secondary
HD Areas
1. Save the configuration to the current image area (the area from which
the device was most recently booted).
4. The first time you upgrade, upload the new image into the primary disk
area. Leave the current image (the image you are upgrading from) in the
secondary disk area.
5. The next time you upgrade, save the startup-config in the image area
you upgraded last time. Also save the same startup-config to the other
image area, where you plan to install the upgrade. You must save the
startup-config that is in the image area you booted from into the image
area you will upgrade, so that the system will be running the correct
configuration following the upgrade.
6. Leave the current image (the image to which you upgraded previously)
in the primary disk area, and upload the new image into the secondary
disk area.
Note: Make sure to copy the configuration to the image area where you plan to
install the upgrade, before uploading the upgrade. Each image area has its
own separate startup configuration.
8. Modify the boot profile to first attempt to boot from the disk area that
has the newest image.
Note: If you plan to reboot immediately following the upgrade (an option you
can select when you upgrade), modify the boot profile before you
upgrade.
Note: For group members that are members of an aVCS virtual chassis, perform
these steps on the vMaster.
1. On each member device of the GSLB group, save the configuration.
2. On each member device in the group, disable the GSLB group and save
the configuration.
3. Use the procedures in this chapter to upgrade the GSLB group members,
one group at a time.
For example, if there are 2 GSLB groups, 1 and 2, upgrade all the mem-
ber devices in group 1 first, then upgrade all the member devices in
group 2. After all members come up in the GSLB group 1, upgrade each
member of GSLB group 2.
4. After all members in the last group finish booting with the new software
version, enable the GSLB group on each device. Make sure all members
join the group successfully.
5. On each member device of the GSLB group, again save the configura-
tion.
CLI Example
The following commands perform step 1 through step 4:
AX-gslb:Member(config)#write memory
AX-gslb:Member(config)#gslb group shared
AX-gslb:Member(config-gslb group)#no enable
AX-gslb:Member(config-gslb group)#exit
AX-gslb:Member(config)#write memory
Note: Use this procedure only to upgrade an ACOS device that is running stand-
alone (not in an aVCS virtual chassis). To upgrade ACOS devices in a vir-
tual chassis, see the following section instead: “Upgrading the Software
Image (aVCS virtual chassis)” on page 217.
Note: This step requires the CLI. You cannot perform this step using the GUI.
1. Log onto the CLI.
e. In the User and Password fields, enter the username and password
required for write access to the remote device.
f. Click OK.
6. To also back up the system log files (and core files, if any):
a. Select Backup > Syslog on the menu bar.
b. Select the backup location: Local or Remote. (See above for
descriptions.)
FIGURE 5 Config > System > Maintenance > Backup > System
2. Select Boot on the menu bar. The boot settings are displayed.
3. If the Hard Disk image area where you plan to install the new image is
not selected, select it and click OK. For example, if Primary is selected
but you plan to install the image into the secondary image area, select
Secondary.
Note: Although the Boot Image tab allows selection of an image area in the
compact flash, the ACOS device always tries to boot using the hard disk
first. The compact flash is used only if the hard disk is unavailable.
3. For destination, select the area that contains the oldest image. If both
areas contain the same image version, select Primary.
Note: The image area you select here needs to be the same area selected above,
in the "Change the Boot Order" section.
4. For Reboot, Select Yes to reboot now, or No if you prefer to reboot later.
The new image takes affect only after a reboot.
5. For Upgrade from, select the location where you saved the upgrade
image:
• Local – Uploads the image from the PC or workstation where you
are using the GUI.
• Remote – Uploads the image from another PC or workstation.
All the commands described in this section are available at the global Con-
fig level of the CLI.
1. To save the configuration, enter the following command:
write memory
This command saves the configuration to the current image area, from
which the device was most recently booted.
2. To save the configuration to the other image area, where you plan to
install the upgrade, use the following command:
write memory {primary | secondary}
[all-partitions | partition partition-name]
If you plan to install the upgrade into the primary image area, specify
primary. Otherwise, specify secondary.
The all-partitions and partition partition-name options apply only if
you are upgrading an ACOS device with ADP configured. These
options do not appear unless you are logged on with root or super user
(global read-write) privileges.
You can enter the entire URL on the command line or press Enter to dis-
play a prompt for each part of the URL. If you enter the entire URL and
a password is required, you will still be prompted for the password.
The use-mgmt-port option uses the ACOS device’s management port
as the source interface. Otherwise, a data interface is used.
A full system backup includes the startup-config file, aFleX files, and
SSL certificates and keys. To also back up system log files (and core
files, if any), use the following command:
backup log [use-mgmt-port] url
4. To verify and change the boot order (if required), use the following com-
mands:
show bootimage
bootimage hd {pri | sec}
The {pri | sec} option specifies whether the ACOS device first tries to
boot using the image in the primary image area or the secondary image
area.
Note: You only need to change the boot order if you plan to upload the new
image into an image area that is not the first image area the ACOS device
uses when it boots.
Note: The bootimage command also allows selection of an image area in the
compact flash; however, this syntax is not shown above. The ACOS
device always tries to boot using the hard disk first. The compact flash is
used only if the hard disk is unavailable.
5. To upload the new image onto the ACOS device and reboot, use the fol-
lowing command:
upgrade hd {pri | sec} [use-mgmt-port] url
The url specifies the file transfer protocol, username and password (if
required), directory path, and filename. (See above in the description for
the url option of the backup system command.)
The CLI displays a prompt asking you whether to reboot. Enter yes to
reboot now, or no if you prefer to reboot later. The new image takes
affect only after a reboot.
To verify the upgrade after the ACOS device reboots, use the following
command:
show version
Upgrade Example
The following commands upgrade an AX 5200 from AX Release 2.7.0 to
ACOS 2.7.1:
AX(config)#write memory
Building configuration...
[OK]
AX(config)#write memory secondary
Building configuration...
[OK]
AX(config)#backup system tftp:
Address or name of remote host []?192.168.1.144
Destination file name [/]?ax5200-backup
System files backup successful
AX(config)#show bootimage
(* = Default)
Version
-----------------------------------------------
Hard disk primary 2.7.0 (*)
Hard disk secondary 2.6.1
Compact flash primary 2.4.3 (*)
Compact flash secondary 2.4.3
AX(config)#bootimage hd sec
Secondary image will be used if the system is booted from hard disk
AX(config)#upgrade hd sec tftp://192.168.1.144/ACOS_FTA_2_7_1-P1_57.64.tgz
AX>show version
AX Series Advanced Traffic Manager AX2500
Copyright 2007-2013 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
Note: Allow up to five minutes for a reboot to complete. (The typical reboot
time is 2-3 minutes.) During a reboot, the system performs a full reset and
will be offline. The actual time may vary depending on system parame-
ters.
6. To also back up the system log files (and core files, if any):
a. Select Backup > Syslog on the menu bar.
b. Select the backup location: Local or Remote. (See above for
descriptions.)
FIGURE 8 Config > System > Maintenance > Backup > System
Note: This procedure requires a reboot of each ACOS device in the virtual chas-
sis. In this case, the vMaster sends the new image to all vBlades and
reboots all devices in the virtual chassis, including itself. This can take
several minutes, during which a service outage will occur.
4. For Reboot, Select Yes to reboot now, or No if you prefer to reboot later.
The new image takes affect only after a reboot.
5. For Upgrade from, select the location where you saved the upgrade
image:
• Local – Uploads the image from the PC or workstation where you
are using the GUI.
• Remote – Uploads the image from another PC or workstation.
9. Click OK.
Note: All devices in the virtual chassis use the same image area (primary or sec-
ondary). For example, if the software running on the vMaster is in the pri-
mary image area, all the vBlades also are running their software from
their own primary image areas.
4. For Reboot, Select Yes to reboot as soon as you click OK, or No if you
prefer to reboot later. The new image takes affect only after a reboot.
5. For Upgrade from, select the location where you saved the upgrade
image:
• Local – Uploads the image from the PC or workstation where you
are using the GUI.
• Remote – Uploads the image from another PC or workstation.
8. Select Staggered Upgrade Mode, and specify the aVCS device ID of the
device to reboot.
9. Click OK.
10. After the ACOS device reboots, set the priority value of each VRID on
the device to a lower value than on the backup ACOS device:
11. Go to the vBlade device and force failover in order to take over the
vMaster role:
a. Select Config Mode > System > aVCS > General.
b. In the vmaster-take-over field, enter 255.
c. Click OK.
During failover, the vBlade becomes the vMaster. vMaster becomes
a vBlade device. The new vMaster will detect that the vBlade
device is running old software, and it will upgrade the vBlade. As
part of the upgrade, the vMaster will reboot the vBlade.
15. For each VRID, reset the VRRP-A priority to its previous value:
a. Select Config Mode > VRRP-A > Setting > VRRP-A Interface.
b. Next to Preempt Mode, select Enabled, if not already selected.
c. Select all the VRIDs.
d. Edit the value in the Priority field to a value that is lower than the
priority value(s) for the VRIDs on the backup ACOS device.
e. Click Edit.
f. Click OK.
Note: Staggered upgrade using the GUI is supported only in AX Release 2.7.0
and later. This section is inapplicable to performing staggered upgrade
from 2.6.1 using the GUI.
1. Select Config Mode > System > Maintenance > Upgrade.
Note: All devices in the virtual chassis use the same image area (primary or sec-
ondary). For example, if the software running on the vMaster is in the pri-
mary image area, all the vBlades also are running their software from
their own primary image areas.
4. For Reboot, Select Yes to reboot as soon as you click OK, or No if you
prefer to reboot later. The new image takes affect only after a reboot.
5. For Upgrade from, select the location where you saved the upgrade
image:
• Local – Uploads the image from the PC or workstation where you
are using the GUI.
• Remote – Uploads the image from another PC or workstation.
8. Select Staggered Upgrade Mode, and specify the aVCS device ID of the
device to reboot.
9. Click OK.
10. Go to the vBlade device and force failover in order to take over the
vMaster role:
a. Select Config Mode > System > aVCS > General.
b. In the vmaster-take-over field, enter 255.
c. Click OK.
During failover, the vBlade becomes the vMaster. vMaster becomes
a vBlade device. The new vMaster will detect that the vBlade
The url specifies the file transfer protocol, username (if required), directory
path, and filename. The following types of URLs are supported:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• sftp://[user@]host/file
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password.
Note: This procedure requires a reboot of each ACOS device in the virtual chas-
sis. In this case, the vMaster sends the new image to all vBlades and
reboots all devices in the virtual chassis, including itself. This can take
several minutes, during which a service outage will occur.
3. To verify the upgrade after the ACOS device reboots, use the following
command:
show version
In this procedure, the vBlades are upgraded first, followed by the vMaster.
Note: These steps assume that when you begin the procedure, the vMaster is
also the active VRRP-A device for all VRIDs.
Note: Make sure to use the all-partitions option, if RBA/L3V private partitions
are configured.
3. Upgrade the vBlade, by loading the new software image into the image
area currently in use by the vBlade:
upgrade hd {pri | sec} [use-mgmt-port] url
staggered-upgrade-mode device DeviceID
• The device DeviceID specifies the vBlade’s aVCS device ID.
• The url specifies the file transfer protocol, username and password
(if required), directory path, and filename.
• The use-mgmt-port option uses the ACOS device’s management
port as the source interface. Otherwise, a data interface is used.
This step reboots the vBlade. The vMaster continues to operate.
4. For each VRID that is active on the device, force failover from the
vMaster to the vBlade:
vrrp-a vrid {num | default}
This command changes to the configuration level for the VRID. At this
level, use the following command:
priority 255 device DeviceID
5. Validate that the load-balanced services are working. (The show com-
mands or other techniques depend on your deployment. The show slb
virtual-server command is useful in almost any deployment.)
6. On the vBlade that is running the new software image, enter the fol-
lowing command:
a. At the Privileged EXEC level (AX#), use the following command to
force the vBlade to take over the vMaster role:
vcs vmaster-take-over 255
During failover, the vBlade becomes the vMaster, and the vMaster
becomes a vBlade. The new vMaster will detect that the vBlade
device is running old software, and it will upgrade the vBlade. As
part of this upgrade, the vMaster will reboot the vBlade.
CLI Example
The commands in this example perform a staggered upgrade of a virtual
chassis containing 2 devices (ACOS1 and ACOS2). Before the procedure
begins, and after it is completed, ACOS1 is the vMaster and ACOS2 is the
vBlade. The devices are running the software image located in the primary
image area.
ACOS1-vMaster-Active(config)#show version
AX Series Advanced Traffic Manager AX2500
Copyright 2007-2012 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
...
After this final set of commands, device 1 is again the aVCS vMaster, as
well as the active VRRP-A device for the VRID. Device 2 is again the
vBlade, as well as the standby device for the VRID.
Note: Make sure to use the all-partitions option, if RBA/L3V private partitions
are configured.
3. Upgrade the vBlade, by loading the new software image into the image
area currently in use by the vBlade:
upgrade hd {pri | sec} [use-mgmt-port] url
staggered-upgrade-mode device DeviceID
• The device DeviceID specifies the vBlade’s aVCS device ID.
• The url specifies the file transfer protocol, username and password
(if required), directory path, and filename.
• The use-mgmt-port option uses the ACOS device’s management
port as the source interface. Otherwise, a data interface is used.
This step reboots the vBlade. The vMaster continues to operate.
4. Validate that the load-balanced services are working. (The show com-
mands or other techniques depend on your deployment. The show slb
virtual-server command is useful in almost any deployment.)
5. On the vBlade that is running the new software image, enter the fol-
lowing command:
a. At the Privileged EXEC level (AX#), use the following command to
take over the vMaster role:
vcs vmaster-take-over 255
During failover, the vBlade becomes the vMaster and the vMaster
becomes a vBlade. The new vMaster will detect that a vBlade
device is running old software and it will upgrade that vBlade. As
part of the upgrade, the vMaster will reboot the vBlade.
The browser used to access the GUI must support encryption keys of 128
bits or longer. Beginning in AX Release 2.4.2, shorter encryption keys (for
example, 40 bits) are not supported. The browser also must support TLS
1.0. Beginning in AX Release 2.6.1-P1, browsers that support only SSL are
not supported.
After you upgrade the ACOS device, clear the browser cache to ensure
proper display of the GUI.
If you are already logged into the GUI and want to change the setting for the
next login, you can disable redirection from within the GUI:
1. Select Config > System > Settings.
3. Click Apply.
2. Back up the startup-config and system files. To do so, use the following
command:
backup system [use-mgmt-port] url
Common Criteria
On the ACOS device, when all FIPS self-tests have been passed, the follow-
ing message appears in the log:
All FIPS power on self test have passed.
Any FIPS self-test failures are indicated in the command prompt. For exam-
ple:
AX3000(FIPS FAIL MODE)#
236