Release Notes A10 Thunder TM Series and AX Series Document No.: D-030-02-00-0003 ACOS 2.7.1-GR1 10/23/2015

Release Notes

A10 Thunder™ Series and AX Series

Document No.: D-030-02-00-0003

ACOS 2.7.1-GR1 10/23/2015

© A10 Networks, Inc. 10/23/2015 - All Rights Reserved

Information in this document is subject to change without notice.

Trademarks

The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, ACOS PolicyEngine, Affinity, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP-to-ID, SSL Insight, Thunder, Thunder TPS, UASG, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners.

Patents Protection

A10 Networks products including all Thunder Series products are protected by one or more of the following U.S. patents: 8977749, 8943577, 8918857, 8914871, 8904512, 8897154, 8868765, 8849938, 8826372, 8813180, 8782751, 8782221, 8595819, 8595791, 8595383, 8584199, 8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322, 8079077, 7979585, 7804956, 7716378, 7665138, 7647635, 7627672, 7596695, 7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516, 6363075, 6324286, 5931914, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695, 7287084, 6970933, 6473802, 6374300.

Confidentiality

This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change.

A10 Networks Inc. Software License and End User Agreement

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information.

Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document or available separately. Customer shall not:

1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means

2. sublicense, rent or lease the Software.

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.

Environmental Considerations

Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information

For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.

Contents

Summary of Enhancements

• Enhancements in 2.7.1-GR1
• Enhancements in 2.7.1-P6
• Enhancements in 2.7.1-P5
• Enhancements in 2.7.1-P4
• Enhancements in 2.7.1-P3
• Enhancements in 2.7.1-P2
• Enhancements in 2.7.1/2.7.1-P1

Fixes in ACOS 2.7.1 and its Patch Releases

• Issues Fixed in 2.7.1-GR1
  • Security Advisory Fixes
• Issues Fixed in 2.7.1-P6
• Issues Fixed in 2.7.1-P5
• Issues Fixed in 2.7.1-P4
• Issues Fixed in 2.7.1-P3
• Issues Fixed in 2.7.1-P2

Enhancements in ACOS 2.7.1-GR1

• CPU Load Sharing
• Source port rate limiting

Enhancements in ACOS 2.7.1-P6

• Documentation Enhancements
• TLS Fallback Signaling Cipher Suite Value (SCSV) to Mitigate SSL POODLE Vulnerability
• New MIB Object Added: axGlobalTotalThroughput
• MIB Objects Re-organized with New MIB Files Added
• New aXAPI Methods Added for slb.class_list.string
• Support for up to 500 characters in GET URL method
• Preventing dropped packets with ‘no ip anomaly-drop’

Enhancements in ACOS 2.7.1-P5

• Support for HTTP Lines Up to 32K Long
• Increased Subnet Support (up to 2 million entries)

• Support for Dynamically Selected FTP Data Ports
• Stateful Request-ID-based DNS Load Balancing
  • Configuration
    • Enabling the query-id-switch Option
    • Displaying DNS Sessions and Their Request IDs

Enhancements in ACOS 2.7.1-P4

• TACACS+ Server Monitoring
• MAC-Based Nexthop Routing
• WAF ICSA Certification
• Log DDoS Attack Detection Events
• Support for 16-port Trunks on Thunder 6430/6430S
• Black/White List Group ID for PBSLB Increase
• CTR SSH Cipher Support

Enhancements in ACOS 2.7.1-P3

• Support for Alternate LDAP Login Formats
• Support for OCSP URI Path
• Form-based Logon Enhancements
  • Logon Failure Message Enhancements
• Error Message Customization for Form-based Logon

Enhancements in ACOS 2.7.1-P2

• Forward Request Headers to Proxy Servers
• Configurable MSS Source for Proxied SLB Traffic
• Non-HTTP-bypass Support for Invalid HTTP Versions

Additional Changes and Notes

• Configure Servers to Listen on Same Port (DSR)
• SNMP Agent Default Community Name Should Be Changed
• Deprecated BGP Commands
• Fail-safe Hardware Monitoring Enabled By Default
• Documentation Errata
  • AX 5100 Not Supported in ACOS 2.7.1 and Later
  • NetFlow Supported Over UDP Only

  • Default BGP Neighbor Timers
  • TCP-proxy Template Option fin-timeout
  • Server-SSL Template Binding
  • Request-rate Limiting in Real Port Templates
  • Access to SNMP Agent in ADP Private Partitions

Known Issues in Release 2.7.1

Upgrade Instructions

• Image File Names
• Cautions
• Boot Order—How ACOS Gets the Image To Boot
• Upgrading Devices in GSLB Groups
• Upgrading the Software Image (non-aVCS deployment)
• Upgrading the Software Image (aVCS virtual chassis)
  • Using the GUI
    • Backing Up the System
    • Full Chassis Upgrade (with or without VRRP-A)
    • Staggered Upgrade (with VRRP-A)
    • Staggered Upgrade (no VRRP-A)
  • Using the CLI
    • Backing Up the System
    • Full Chassis Upgrade (with or without VRRP-A)
    • Staggered Upgrade (with VRRP-A)
    • Staggered Upgrade (no VRRP-A)
• Management GUI Requirements
  • Disabling HTTP-to-HTTPS Redirection
• Trunk and Layer 2/3 Virtualization Support

Common Criteria

Summary of Enhancements

This chapter provides a summary of enhancements for ACOS 2.7.1 and its subsequent patch releases.

For detailed information about Thunder Series or AX Series models, and about ACOS features, see the documentation CD for ACOS 2.7.1 (August 5th, 2013 or later version).

Notes

• To protect from potential vulnerability, it is recommended to change the name of the SNMP public community from its default ("public") to another name.

• To ensure proper display of the ACOS management GUI after you upgrade, clear the web browser cache on each PC you use to access the GUI. (For additional upgrade considerations, see “Upgrade Instructions” on page 199.)

• This release does not support any 32-bit ACOS models. For a list of the models this release does support, see “Image File Names” on page 200.

• Beginning in ACOS 2.7.1-P3, the product name for the ACOS virtual appliance that supports SLB features is changed from “SoftAX” to “vThunder”. This document uses the new name, but some installation guides may still refer to “SoftAX”. In these cases, the installation instructions can still be used, but only if the hypervisor version on which you are attempting to install the ACOS virtual appliance is supported. You can determine whether a particular ACOS release supports vThunder by checking the following section: “Image File Names” on page 200.

Enhancements in 2.7.1-GR1

• CPU Load Sharing

• Source Port Rate Limiting

Enhancements in 2.7.1-P6

• Documentation Enhancements

• TLS Fallback SCSV to mitigate SSL POODLE vulnerability

• New MIB Object Added: axGlobalTotalThroughput

• MIB Objects Re-organized with New MIB Files Added

• New aXAPI Methods Added for slb.class_list.string

• Support for up to 500 characters in GET URL method

• Preventing Dropped Packets with ‘no ip anomaly-drop’

Enhancements in 2.7.1-P5

New A10 Thunder Product Line

• A10 Thunder 6630(S)

• A10 Thunder 6435(S)

• A10 Thunder 5630(S)

• A10 Thunder 5435(S)

• A10 Thunder 5430(S)-11

• A10 Thunder 4430(S)

Other System Enhancements

• Support for HTTP Lines Up to 32K Long

• Support for up to 2 Million subnet entries in a Black/White List

• Support for Dynamically Selected FTP Data Ports

• Stateful Request-ID-based DNS Load Balancing

Enhancements in 2.7.1-P4

• TACACS+ Server Monitoring

• MAC-Based Nexthop Routing

• WAF ICSA Certification

• Log DDoS Attack Detection Events

• Support for 16-port Trunks on Thunder 6430/6430S

• Black/White List Group ID for PBSLB Increase

• CTR SSH Cipher Support

Enhancements in 2.7.1-P3

Application Access Management (AAM) enhancements:

• Support for alternate LDAP login formats

• Support for URI path in OCSP

Form-based authentication enhancements:

• Logon Failure Message Enhancements

• Error Message Customization for Form-based Logon

Enhancements in 2.7.1-P2

• Option to specify request headers to forward to proxy servers

• Configurable MSS source for proxied SLB traffic

• Non-HTTP-bypass support for invalid HTTP versions

Enhancements in 2.7.1/2.7.1-P1

New A10 Thunder Product Line

• A10 Thunder 6430S

• A10 Thunder 6430

• A10 Thunder 5430S

• A10 Thunder 3030S

• A10 Thunder 1030S

• A10 Thunder 930

Security Enhancements

• Web Application Firewall (WAF)

• Application Access Management (AAM), a new suite of features for solutions such as the following:

• Logon Portal

• Single sign-on and password change

• Online Certificate Status Protocol (OCSP)

• Authentication Relay

• AAA load balancing

• Enhanced SYN-cookie buffering and statistics

vThunder Enhancements

• XenServer Hypervisor 5.6 support

• Opensource Xen.org Xen Hypervisor support

• Application Delivery Partition (ADP) support

• Multiple CPU support

System-level Enhancements

• Power On Auto Provisioning (POAP)

• System Center Operations Manager (SCOM) support

• Support for “UTC” as timezone name

• Network Time Protocol (NTP) enhancements:

• Message Digest 5 (MD5) authentication

• Option to specify a preferred NTP server

• Single-priority logging (logs restricted to a single severity level)

• Support for up to 8 million I/O buffers on models AX 5630 and AX 5200-11

• Configurable system monitors for connection and Symmetric Multi-Processing (SMP) resources

• Access Control List (ACL) enhancements:

• Object groups for simplified configuration and update

• Named IPv4 ACLs

• IPv6 type and code options

• Websocket support (RFC 6455)

VRRP-A/HA Enhancements

• aVCS/VRRP-A affinity (vMaster is always the current active VRRP-A device)

• Increased number of VLANs supported for VRRP-A VRID tracking (up to 64)

• Configuration persistence for HA force-self-standby

Layer 2/3 Enhancements

• Increased VLAN support (up to 4093 802.1Q tagged VLANs per interface)

• Link Layer Discovery Protocol (LLDP)

• Bidirectional Forwarding Detection (BFD)

• Dynamic Host Configuration Protocol (DHCP) for IP address configuration of the management interface and Ethernet data interfaces

• Support for VE or trunk IP address as next hop for static routes

• Multiple IP helper addresses per interface

• Border Gateway Protocol (BGP) enhancements:

• Increased BGP route support (up to 65536)

• Increased BGP peer support (up to 50)

• IGMPv2 membership query generation

• Option to clear individual OSPF neighbors rather than all neighbors

• Enhanced Virtual Ethernet (VE) statistics

Layer 2/3 Virtualization Enhancements

• Increased L3V partition support (up to 1024 depending on model)

• Inter-partition routing

• Support for non-default VRRP-A VRIDs

• Admin-based GUI display/hide for individual SLB resources

• DHCP support

• Per-partition port monitoring/mirroring

Layer 4-7 Feature Enhancements

• Server Load Balancing (SLB) configuration enhancements:

• VIP-to-real port mapping

• Virtual port ranges

• MySQL/MSSQL database load balancing

• Financial Information eXchange (FIX) load balancing

• Short Message Peer to Peer (SMPP) load balancing

• Traffic Steering (useful for solutions such as redirection to Skyfire video optimization controllers or URL filtering servers)

• SSL enhancements:

• Secure TLS renegotiation (RFC 5746)

• Option to disable SSLv3 support in client-SSL templates

• SSLv2 redirect to alternate service group

• Stateless SSL session ticketing, for faster SSL session refresh

• SSL session-ID reuse for server-side SSL

• New SSL session-ID cache aging options

• Server certificate validation and error notification

• Validity checks for SSL template configuration

• Increased lead time for SSL certificate expiration emails (up to 60 days)

• SSL Intercept bypass based on Server Name Indication (SNI) value

• SSL file management enhancements:

• Bulk import/export of SSL certificate and key files

• New CLI commands to delete SSL files (includes option to specifically delete only unused files)

• Enhanced certificate statistics

• HTTP/HTTPS enhancements:

• Support for ICY 200 OK response code from servers

• HTTP/HTTPS template option to keep client sessions up even after the backend server session ends

• Customizable web logging in World Wide Web Consortium (W3C) format

• Configurable request header wait time for prevention of Slowloris attacks

• Temporary compression disable during high CPU utilization

• Enhanced compression statistics

• HTTP status code statistics

• HTTP policy templates (currently used only with the WAF feature)

• Increased RAM Cache size (up to 36 GB) on models containing 96 GB

• DNS enhancements:

• Global DNS caching for IPv6

• DNS caching for Domain Name System Security Extensions (DNSSEC)

• DNSSEC Hardware Security Module (HSM) support

• 1+1 NAT

• Simplified Layer 3 Direct Server Return (DSR) deployment using IP-in-IP tunneling

• Alternate virtual ports for backup

• Realtime logging for server selection failures

• Policy template binding at service-group level

• Quality of Service (QoS) marking for TCP traffic

• Client-IP insertion into TCP options header (useful for non-HTTP load-balanced traffic)

• More granular force-delete-timeout option for TCP-proxy templates (as short as 100 milliseconds)

• Shorter configurable idle timeout for TCP, TCP-proxy, and UDP templates (as short as 1 second)

• Health monitoring enhancements:

• Longer maximum configurable timeout (180 seconds)

• TCL UDP extension support

• Automatic adjustment of health monitor interval based on HTTP status code

• Configurable response code range for SIP health monitoring

• Kerberos health monitoring

• Online Certificate Status Protocol (OCSP) health monitoring

• Enhanced LDAP health monitoring:

• Support for searchRequest and searchResponse

• STARTTLS support

• Support for more symbols in a health monitor (up to 127 symbols)

Global SLB Enhancements

• Simplified configuration based on fully-qualified domain name (FQDN)

• FQDN service groups for easy site and service management

• IPv6 support in imported geo-location databases

• Configurable TTLs for more types of DNS records (SRV, TXT, MX, PTR, NS) belonging to services in GSLB zones

• Support for multiple SRV records with the same name but different ports

• Longer maximum GSLB protocol status interval (up to 1800 seconds)

Usability Enhancements

• GUI enhancements:

• Customizable GUI banner

• Clear button for clearing sessions from the session table using the GUI

• AXdebug access

• Clone button for easy configuration of multiple virtual servers

• Support for 128-character SLB resource names

• SLB configuration sort option in the CLI

• Credential store for easy backup and file import/export

• Default ICMP health monitor included in output of show running-config with-default

• Support for show interface media command on FPGA models

SNMP/MIB Enhancements

• MIB objects for GSLB

• “All clear” SNMP notifications when a condition indicated by a previous notification is no longer occurring

• CLI access to SLB MIB object tables

aFleX Enhancements

• New aFleX capabilities for SSL

• New option for UDP payload replacement

• aFleX-based session table management

• Enhanced support for global variables

• Selective logging for template parameters

• aFleX commands for database load balancing

Fixes in ACOS 2.7.1 and its Patch Releases

These release notes describe the fixes in this ACOS Release.

For each issue, the following information is provided:

• System area – Part of the system that had the issue (IP NAT, SLB, aFleX, and so on).

• Description – Description of the issue.

• Trigger – System condition that caused the issue, or steps taken by A10 Networks to recreate the issue for diagnosis.

• Version – Software version(s) in which the issue is present. Later versions (including the version documented by this release note) are not affected by the issue.

• Reproducibility – Indicates how consistently the issue could be reproduced: 100%, High, Medium, or Low.

• Severity – Indicates the impact the issue had or could potentially have:

• P1 – Major issue that caused or could cause a major service outage or a reload of the ACOS device.

• P2 – Minor issue that caused or could cause a minor service outage.

• P3 – Minor issue.

• P4 – Cosmetic issue.

• Reported by customer – Indicates whether the issue was reported by a customer (Yes) or was discovered internally (No).

• Workaround – Indicates how to compensate for the issue, if applicable. Not all issues have a workaround.

Issues Fixed in 2.7.1-GR1

ACOS Release 2.7.1-GR1 contains fixes for issues listed in Table 1. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

Security Advisory Fixes

AX Release 2.7.1-GR1 resolves the following Security Advisories:

• CVE-2014-9293 (A10 Tracking ID 231859)

• CVE-2014-9294 (A10 Tracking ID 231859)

• CVE-2014-9295 (A10 Tracking ID 231859)

• CVE-2014-9296 (A10 Tracking ID 231859)

• CVE-2014-9297 (A10 Tracking ID 241171)

• CVE-2014-9298 (A10 Tracking ID 241171)

• CVE-2014-3572 (A10 Tracking ID 239113)

• CVE-2015-0204 (A10 Tracking ID 239113)

• CVE-2014-8275 (A10 Tracking ID 239113)

• CVE-2014-3570 (A10 Tracking ID 239113)

• CVE-2015-0235 (A10 Tracking ID 236371)

TABLE 1 Fixes in ACOS Release 2.7.1-GR1

A10 Tracking ID Issues

252853 System area: VRRP-A

Description: The HA configuration sync removed all black/white lists on the VRRP-A standby device.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

249889 System area: Web GUI

Description: Users were unable to access the A10 GUI with Firefox browser version 37.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Set the security.tls.version.min and security.tls.version.max preferences on the Firefox browser.

248803 System area: Web

Description: A JavaScript issue caused users to be unable to select all real servers when clicking the “Select All” button in the GUI.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

248248 System area: Class-list

Description: The ACOS device could sometimes reload when importing or editing a class-list file that contained an invalid or improperly formatted string.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

247822 System area: SSL (March OpenSSL vulnerabilities)

Description: This patch addresses the following Security Advisories:

• CVE-2015-0286

• CVE-2015-0292

• CVE-2015-0209

Trigger: N/A

Version: 2.7.1-P6 and earlier

Reproducibility: N/A

Severity: N/A

Reported by customer: No

247822 System area: SSL

Description: This patch addresses the following Security Advisories:

• CVE-2014-9297

• CVE-2014-9298

Trigger: N/A

Version: 2.7.1-P6 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

246382 System area: VCS

Description: The SSL certificate was only updated on the vMaster, but it was not updated on the vBlade after the SSL certificate and key were changed under the client-ssl template.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Update the SSL key first, and then change the SSL certificate in that exact order.

245950 System area: SLB (HTTP)

Description: The ACOS device could unexpectedly reload when processing jumbo frame packets if the jumbo packets had a header exceeding 4K, thus causing it to be split across multiple packets.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

244645 System area: aXAPI

Description: The aXAPI created client-ssl templates and set an unexpected ssl-false-start-disable parameter.

Trigger: When client-ssl templates were configured via aXAPI, the ssl-false-start-disable parameter was seen in the show run output.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

243160 System area: GSLB

Description: ACOS did not allow for identical slb-dev IPs to be created under a given GSLB site, meaning ACOS did not support multiple local sites. This has been fixed in this release.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

242719 System area: SLB

Description: Even after issuing the ‘slb disable-server-auto-reselect’ CLI command, ACOS sometimes erroneously re-enabled the feature based on the data CPU load/usage.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

242029 System area: Thunder 6630 (MAC learning)

Description: The MAC learning was not occurring correctly for traffic sent to 100 Gbps ports on the Thunder 6630 model. This failure in MAC learning caused the VIP to stop responding to pings after fail-over had occurred.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

241813 System area: Health Monitor

Description: The health monitor was continuing to perform Layer 2 Direct Server Return (DSR) for service group members which had been manually disabled.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

241492 System area: Health Monitor

Description: ACOS did not accept any imported health monitors (through the CLI or GUI) if the name contained more than 31 characters.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

241357 System area: Health Monitor

Description: Health monitors could not be deleted from the system, even when there were no active bindings. This issue could occur if the health-check-follow-port had been entered two or more times under the real server’s port configuration.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

241171 System area: NTP

Description: This patch addresses the following Security Advisories:

• CVE-2014-9297

• CVE-2014-9298

Trigger: N/A

Version: 2.7.1-P6 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

240184 System area: Health Monitor

Description: If the same server was configured under many VIPs with several different service groups, each having different health monitors, then this caused the ACOS device to send the wrong DSR health monitor to the VIP.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

239428 System area: FTA-based platforms (XAUI link)

Description: On FTA-based platforms, the ACOS device did not have a mechanism in place to detect and recover from a bad XAUI link from the FPGA to the Broadcom chip. This mechanism has been added in the latest release.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

239113 System area: Security

Description: This patch addresses the following Security Advisories:

• CVE-2014-3572

• CVE-2015-0204

• CVE-2014-8275

• CVE-2014-3570

Trigger: N/A

Version: 2.7.1-P6 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

238915 System area: FAN numbering incorrect on AX 5630 and Thunder 6630

Description: The FAN numbering scheme on some models, such as AX 5630 and Thunder 6630, was incorrect. For example, the rear view of the FAN numbering showed the following wrong information for the TH 6630:

7 8 6 5

3 4 2 1

The numbering has been corrected in this release to show the following output:

1 2 3 4

5 6 7 8

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

238285 System area: gARP

Description: If a large number of VIPs were configured, gratuitous ARP was sometimes not sent.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

237259 System area: Management interface

Description: Applying a named access class-list to a management interface sometimes dropped SSH connectivity.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

236953 System area: Management and data port

Description: Using no with a command on the port configuration (for example, no duplex full) sometimes affected other configurations on the management port.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

236371 System area: Security

Description: This patch addresses the CVE-2015-0235 Security Advisory regarding the GHOST vulnerability.

Trigger: N/A

Version: 2.7.1-P6 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

236083 System area: Management port

Description: When speed or duplexity were configured on the management port, auto-neg was not disabled.

Trigger: Described above.

Version: 2.7.1-P6

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

235819 System area: System (bootup)

Description: Running the script “nitrox_cchk” caused unnecessary error messages on devices that did not have Cavium Nitrox SSL cards. The script does not need to run on ACOS systems that do not have Cavium SSL cards. When there were no SSL chips, the addresses that the “set-pci” process/module was trying to use were not valid, and this caused many error messages.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100% (on ACOS devices that do not have Cavium SSL chips)

Severity: P3

Reported by customer: No

Workaround: Run the script only when Cavium SSL chips are detected on board.

235708 System area: Web

Description: The Web GUI sometimes reloaded if too many users attempted to log onto the device at the same time.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

235570 System area: VLAN Tagging

Description: If VLAN tagging was enabled on the ACOS device, packets transmitted from the ACOS device had random Class of Service (CoS) values set.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Remove any unnecessary VE interfaces.

234937 System area: OSPF

Description: An OSPF process caused the CPU utilization rate to spike to 100%.

Trigger: Described above.

This issue could be replicated using the following configuration:

1. Boot the ACOS device with the following OSPF configuration:

router ospf 1

ospf router-id 37.1.1.1

area 33 range 10.1.1.0/24

network 10.1.1.0/24 area 33

2. The CPU usage spikes to 100%.

3. Removing “area 33 range 10.1.1.0/24” from router ospf 1 configuration caused the CPU utilization rate to immediately return to normal levels.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: High

Reported by customer: Yes

Workaround: Remove the configuration to summarize the prefixes.

233248 System area: aVCS

Description: The vcs enable command could not be applied if there was an access list bound to the trunk interface.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by Customer: Yes

Workaround: Enable aVCS before binding the access list to the trunk interface.

232789 System area: AX 3400

Description: The AX 3400 model unexpectedly reloaded when processing ICMP packets of a certain size. This was caused by inconsistencies within the Broadcom switch ASIC configuration. More specifically, it was happening because the Broadcom switch was allowing entry of packets that were 4 bytes larger than the maxFrameSize configured for that chip.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

232618 System area: SLB TCP sessions and NAT resources

Description: Under certain circumstances, TCP sessions on an SLB device were found to be incorrectly synced to the standby device, with no such sessions alive on the active device. This caused NAT resources to be held on standby, and this could sometimes lead to NAT resource allocation failures on the standby device.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

232513 System area: System

Description: When upgrading the ACOS device using FTP, if the default filename was used, intermittent failures occurred with warning log messages such as: “Non-supported special characters detected by FTP Utility.”

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Medium

Severity: P3

Reported by Customer: No

Workaround: Use a filename other than the default, or use a different file transfer method.

232504 System area: CLI (memory leak)

Description: Stale CLI sessions were not being cleared, which resulted in memory leaks seen against the "rimacli" process.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

232408 System area: Security

Description: This patch adds "X-Frame-Options: Deny" to the HTTP header for all responses from the ACOS device.

Trigger: N/A

Version: 2.7.1-P6 and earlier

Reproducibility: N/A

Severity: P1

Reported by Customer: No

231859 System area: NTP

Description: This patch addresses the following Security Advisories:

• CVE-2014-9293

• CVE-2014-9294

• CVE-2014-9295

• CVE-2014-9296

Trigger: N/A

Version: 2.7.1-P6 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

231316 System area: Health Monitor

Description: Use the member r-port template health monitor with higher priority than the service group health check.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: Configure member real port template health monitor again.

231080 System area: GUI

Description: aVCS handshaking occurred when a new Web certificate was imported using the GUI.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by Customer: Yes

231025 System area: Class-list

Description: When importing type “string” into the class-list file, the value was truncated after the first " " (space) character in the value. This issue only occurred during import, and it did not occur when configuring the class-list directly on the ACOS device.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

230731 System area: Web

Description: ACOS did not support the ability to export show techsupport from the “System” tab. In other words, the user could navigate as follows: System > Diagnostics > Show techsupport, and while the showtech contents were correctly displayed on-screen, the data could not be exported.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

230288 System area: GSLB

Description: a10gmpd core generated. Synchronization between GSLB group members failed if any of the members contained a TACACS server.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P1

Reported by Customer: Yes

Workaround: Disable TACACS servers before performing full sync for GSLB groups.

229807 System area: Hardware

Description: The Power Supply Unit appeared to be flapping even though it was not actually doing so.

Trigger: This issue could be caused by running the show tech command periodically.

Version: All

Reproducibility: Low

Severity: P3

Reported by customer: Yes

226633 System area: SLB (HTTPS)

Description: The ACOS device reloaded while processing traffic from a real server (corresponding to an HTTPS virtual port) and encrypting the traffic before sending to the client. This was typically seen when the backend server was sending fragmented packets as part of the response and not honoring the maximum segment size (MSS) advertised by the ACOS device.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

226558 System area: LACP trunk

Description: The UP/DOWN log messages related to LACP trunking were not accurately depicting the trunk number.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

226355 System area: Router OSPF (CLI)

Description: The CLI command "no default-information originate route-map" did not take effect when configured under “router ospf”.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

225247 System area: Web

Description: An error was seen in the GUI when configuring the GSLB Resource Usage template.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

216907 System area: GSLB group

Description: The vBlade would reload with aVCS and GSLB members that were not part of the aVCS group.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by Customer: Yes

Workaround: On the GSLB member’s aVCS cluster, configure standalone for other vBlade physical IPs. On the GSLB master’s aVCS cluster, don't configure standalone. Remove the physical IPs in the group configuration, and use only floating IP in the GSLB group configuration on the member’s aVCS cluster.

212593 System area: ACL

Description: If an ACL existed with a higher number (for example, 150) and if the user configured another ACL having a lower number (for example, 140), the expectation is that ACL 140 will be evaluated first before ACL 150. However, this was not happening. Instead, ACL 150 was getting evaluated first before ACL 140.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: To restore the proper sequence of evaluation, the user needs to save the ACOS configuration and reload the device.

205966 System area: Routing

Description: In Layer 2 deployments, the show ipv6 neighbor command was displayed in the output as “aten <number>” for the interface name, instead of being displayed as “interface <number>”.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

204520 System area: Platform

Description: The 10Gbps port no longer linked up correctly after it was used as a 1-Gbps port.

Trigger: This issue could be recreated by plugging in the SFP, and then plugging in the SFP+ transceivers on the 10G ports of the 6430/5430 models.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Reboot the system.

202372 System area: SLB

Description: ACOS sometimes had an uneven connection distribution between service group members if the data CPU usage was high and if some (but not all) members had one of the following configurations applied:

conn-limit, conn-rate-limit, or slow-start

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: If this issue continues to occur, please try one of the following solutions:

1) Have ‘conn-limit’ applied under all real servers/ports that are part of the service-group, OR

2) Do not have ‘conn-limit’ under any real server/port that is a service-group member, OR

3) Specify method ‘round-robin-strict’ as an SLB algorithm under the service group.

202354 System area: Trunk group port usage

Description: The client-side trunk port usage could become unbalanced when running SLB fast-http traffic with 'use-rcv-hop-for-resp' under virtual port fast-http and if the default route configured on ACOS was such that the default route was choosing a different trunk to reach the client.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Avoid configuring a default route on the ACOS device that would cause a different trunk group to be selected in order to reach the client, when compared to the one that was used for 'use-rcv-hop-for-resp'.

191614 System area: SLB L7 and trunk port traffic distribution

Description: For HTTP/FAST-HTTP virtual ports, if the connection was not set up while receiving SYN, ACOS selected the trunk member twice, which caused uneven trunk distribution. A similar issue was seen when ‘connection-reuse’ was enabled on virtual ports.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

182713 System area: System (TH6630)

Description: The show environment command showed that the lower right power unit was absent, although the power supply was present and plugged in.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

168895 System area: Access-list and NAT

Description: Access-lists were being processed based on the order in which they were configured. This was causing incorrect access lists to be matched for traffic when choosing a NAT resource. With this change, access lists are now traversed in the order of their user-configured IDs to determine a match.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Reboot the system when changes are made to access list configuration.

157399 System area: System

Description: When graceful shutdown and cookie persistence were configured on an L3V partition, subsequent requests would go to the new server instead of the same disabled server in the service group.

Trigger: Described above.

Version: 2.7.1-P6 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

155128 System area: NAT

Description: The CLI command ip nat reset-idle-tcp-conn was not working correctly.

Trigger: This issue could be recreated by configuring the IP NAT option:

ip nat reset-idle-tcp-conn

Then, let the NAT TCP session time out.

Version: 2.7.1-P6 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Issues Fixed in 2.7.1-P6

ACOS Release 2.7.1-P6 contains fixes for issues listed in Table 2. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

TABLE 2 Fixes in ACOS Release 2.7.1-P6

A10 Tracking ID Issues

229183 System area: SNMP

Description: After a crash, SNMP traps were not able to receive traffic.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Reboot the device.

226966 System area: Health monitor

Description: TCP responses received in two separate packets caused TCP health monitors to fail.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

225754 System area: GUI

Description: The ACOS GUI could sometimes reload due to a suspected memory issue. This could be because the amount of data exceeded the range of the parameter type.

Trigger: Navigate to Monitor Mode > SLB > Service > Virtual Server, and from the Virtual Server GUI page, select the time range and click export. This will cause the device to reload.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

224383 System area: IPv6 and SLB DNS

Description: The ACOS device could sometimes restart when processing an IPv6 DNS response packet with fragmentation extension header for virtual port 53 UDP.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

223186 System area: SSL

Description: The recently-discovered POODLE attack has been widely described as only affecting SSLv3. This assumption was based on the fact that SSLv3 uses “random padding.” However, it was found that TLS could use the same CBC decoding function as SSLv3, thus making TLS vulnerable to the same types of POODLE attacks as SSLv3. By identifying the lack of CBC padding checks that could occur in TLS, this issue has been addressed in this latest ACOS release, mitigating the risk of POODLE attacks in TLS. This patch addresses Security Advisory: CVE-2014-8730.

Trigger: This issue could be replicated by attacking the ACOS device with packets containing incorrect CBC padding.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: No

222982 System area: aFleX (SSL)

Description: If aFleX was used to configure SSL, the ACOS device could sometimes reload when attempting to read an uninitialized or NULL SSL context block before completing the client SSL handshake. The SSL context block was initialized after the client SSL handshake had been completed.

Trigger: Attack the ACOS device with packets that contain incorrect CBC padding.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

222850 System area: BGP

Description: The ACOS device dropped BGP connections if another BGP speaker sent a next-hop field while no NLRI was present in the multi-protocol situation.

Trigger: This issue could occur if another BGP speaker was not in full RFC compliance.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

219976 System area: RTSP

Description: The ACOS device could sometimes reload if an early response was received on the Real Time Streaming Protocol (RTSP) virtual port.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

216163 System area: HA/VRRP

Description: After switchover occurred between VRRP-A (with affinity VCS), the VIP was not always advertised by the active device.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

Workaround: Increase the “vrrp-a hello-interval” to a larger value.

215179 System area: VRRP-A

Description: For VIPs in private partitions, VRRP-A did not send a gratuitous ARP for the VIP when the status switched to “active.”

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

213904 System area: aXAPI

Description: When setting up multiple partitions in RADIUS or TACACS+ attribute-value pairs (AVPs), if one of the partitions did not exist, then the user could not log in.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the existing partitions in an aXAPI call.

213895 System area: Security

Description: This patch addresses CVE-2014-6271.

Trigger: N/A

Version: 2.7.1-P5 and earlier

Reproducibility: N/A

Severity: P1

Reported by customer: No

Workaround: Restrict management access to the device.

213763 System area: GUI

Description: A memory leak occurred with the web server process when exporting statistics.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

213433 System area: Health Monitor

Description: The DSR health-check fails if there are more than 645 DSR TCP health-checks that are using the same source IP with the default interval value.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Increase the health-check interval value by using the formula that the DSR TCP health-check number should be less than 64511/(500/interval).

212290 System area: SLB

Description: DSR stopped working when the stateless SLB method was configured.

Trigger: This issue could be triggered by configuring a stateless SLB method in a service group and binding the service group to a virtual port without setting up no-dest-nat for the virtual port.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No

211787 System area: ICMP (error handling)

Description: The ACOS device sometimes failed to fragment excessively large outbound “ICMPv6 type=2” packets while processing SLB Layer 7 sessions. This issue occurred more frequently when the connection-reuse option was enabled under the Layer 7 virtual port.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

211282 System area: HA (session sync)

Description: A CPU mismatch sometimes occurred while performing an HA session sync. The standby unit mistakenly created the session on a different data CPU than the active unit.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

210442 System area: GSLB (HA)

Description: The high availability ‘ha sync all’ command did not completely synchronize the gslb service-ip entry.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

209767 System area: System

Description: Running the ‘system-reset’ CLI command sometimes did not delete the Export Store Information.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

207535 System area: Smart-NAT

Description: With multiple requests in a session, the smart-NAT resource was not released.

Trigger: On a layer 7 virtual port, configure a strict transaction switch and have sessions with multiple requests in one session.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not use a strict transaction switch.

207442 System area: GUI

Description: The system priority can be configured in the GUI in transparent mode to match the CLI.

Trigger: In transparent mode, to configure LACP system priority, click Config Mode > Network > LACP > LACP.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

207313 System area: HA (session sync)

Description: If the active ACOS device in an HA pair had more than several million sessions, and the standby unit was reloaded or rebooted, not all of the existing sessions were correctly synced to the standby device.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

206413 System area: Platform Level

Description: The FPGA_STAT offset 0x8 bits [23:16] value is wrong when this status register is periodically polled.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

205963 System area: SLB/HTTP

Description: The ACOS device sometimes inserted duplicate cookies when both compression and cookie persistence were enabled at the same time.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

205588 System area: DNS SLB

Description: Responses from the DNS cache on the ACOS device intermittently swapped IP addresses for answers and additional records of the name server IPs. Upon enabling DNS cache with 'round-robin' for dns-udp or dns-tcp virtual port, under certain circumstances, the responses from a DNS cache on the ACOS device were found to intermittently swap IPs for Type A Host IP address entries from the 'Answers' section. The Type A host IP address entry from the “Additional records” corresponded to the name server IPs.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Avoid enabling 'round-robin' for DNS cache.

205378 System area: SLB L7 and IPv6

Description: SLB Layer 7 traffic involving IPv6 protocol sometimes had random packets dropped while processing Layer 7 traffic.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

205369 System area: SSL-proxy virtual port (idle-timeout)

Description: The idle-timeout value was not being correctly applied to sessions if the ssl-proxy virtual port was configured with an idle-timeout value less than 30 seconds.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

205165 System area: SSL Intercept

Description: When using SSL Intercept, the A10 “inside” device selectively dropped individual HTTP requests.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

204958 System area: SSL

Description: The ACOS device did not respond if a close_notify was sent without a TCP FIN.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Ensure that the client software sends a FIN after sending a close_notify.

204520 System area: Platform

Description: A link connection failure occurred on the 10G ports after it was used as a 1G port.

Trigger: This issue could be recreated by plugging in the SFP, and then the SFP+ transceivers on the 10G ports of the ACOS 6430 or ACOS 5430 models.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Reload the ACOS device.

204469 System area: CLI (Transparent Mode)

Description: The error message displayed when attempting to configure a broadcast/network address provided the generic “communication error” message. Now, if the user attempts to configure a bad gateway address, the error message has been changed to the more meaningful “invalid gateway address”.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

204031 System area: Health Monitor

Description: If a new server was added to a service group, the IP-in-IP health monitor did not work correctly on the new server that was added.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

202885 System area: GUI

Description: The GUI did not allow special characters in fields used for creating a CSR while the CLI did allow the same special characters. This required all limitations, except sanity checks for length, to be removed from the GUI for Organization and Locality.

Trigger: Configuring special characters, such as & and ‘ on the Create using the GUI page. To access this page, click Config Mode > SLB > SSL Management > Certificate > Create using the GUI.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

202708 System area: SLB L4

Description: On the Layer 4 wildcard VIP with SYN-cookie enabled, the ACOS device does not resend a TCP SYN if the server does not respond to a TCP SYN/ACK.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

202618 System area: Routing

Description: Creating a key string under the key chain that contained a symbol, for example, "%", followed by a letter, for example, "s", caused the ACOS device to reload.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

202612 System area: SSL

Description: The ACOS device sometimes reloaded when processing fragmented SSL packets from the real server.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

202561 System area: SSL

Description: A bug in the OpenSSL server code could be triggered if the ClientHello message was heavily fragmented.

Trigger: None. A separate bug was causing the ACOS device to drop fragments after the first fragment, so the vulnerability cannot be triggered.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: No

202558 System area: SSL

Description: In one of the underlying OpenSSL functions, OBJ_obj2txt(), information could leak. An issue could occur if some CLI commands eventually called upon this function. This is related to OpenSSL 8/6 CVE-2014-3508.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: None

Severity: N/A

Reported by customer: No

202397 System area: GSLB

Description: The ACOS device could reload upon receiving a large GSLB-proxied response to type ANY DNSSEC requests.

Trigger: This issue could occur if the packet size was greater than the MTU.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

202330 System area: aXAPI

Description: The configuration sync to the running configuration did not work as expected.

Trigger: If you use sync to start the configuration without reloading, the configuration reloads the box, but the configuration is only synced to the running configuration and not to the start-up configuration.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

201922 System area: HA

Description: The ha sync all to-startup-config all-partitions command could not sync partition (RBA) to the standby device, even though a log was generated.

Trigger: Issue the command on the ACOS device where the RBA partitions are configured.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

201694 System area: Routing

Description: The OSPF message digest key was missing after a system reboot or reload.

Trigger: Add an OSPF message digest key under the trunk or loopback.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

201580 System area: GUI

Description: A class-list entry that was configured in the GUI sometimes failed to appear in the CLI.

Trigger: Append “\n” to the last entry in a class-list file if there is no “\n” after the last entry.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

201466 System area: SNMP

Description: There was a memory leak in the GSLB library.

Trigger: The memory leak occurs when the GSLB is configured but did not actually have the real data.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

200482 System area: CLI

Description: The repeat x show slb service-group | include 7778 command caused a memory leak in the rimacli process.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

Workaround: Do not use the repeat option.

200071 System area: System

Description: Packets with a bad TCP checksum are not dropped by the non-FTA platform.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

199987 System area: SLB and reset-unknown-conn

Description: Under certain situations, upon receiving a packet from a client with no corresponding session on the ACOS device with 'reset-unknown-conn' configured under SLB L4/L7 virtual port, the ACOS device was performing a Layer 2 lookup. The ACOS device should have instead checked for route/ARP information before sending a RST to the client.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

199763 System area: GUI

Description: Before a new capture occurs, a check has been added to determine whether the number of debug files has already reached the maximum limit in the web API.

Trigger: Starting a new capture on the web GUI after the number of debug files has reached the maximum value.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

199531 System area: WAF (HTTP proxy)

Description: If certain features were enabled in a WAF template (such as 'csrf-check', etc), and the WAF template was bound to an HTTP virtual port, then the real server responded with the incorrect HTTP version (1.0 instead of 1.1). The ACOS device was forwarding the server’s response to the client with the chunk encoding header, but it incorrectly showed HTTP v1.0, and this was causing issues in processing the response on the client-side.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use aFleX to set the HTTP version in the server response to 1.1 for such situations.

199408 System area: GUI

Description: When using the GUI to monitor the fan status, the status for all of the fans (Fan1B, Fan2B, Fan3B, and Fan4B) was initially displayed correctly, but the information disappeared from the GUI monitoring page several minutes later.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

198478 System area: Static ARP

Description: Static ARP entries configured in transparent mode (or for a trunk interface) showed up as having the wrong Ethernet interface.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

198365 System area: FTP

Description: As part of creating a symmetric multiprocessing (SMP) system, the smp_conn_id file is stored in the control_conn directory. The file is used to verify and promote the SMP system. If dynamic source routing (DSR) is used when creating an SMP system, the control_conn directory is not updated with the smp_conn_id file. As a result, the check failed during promotion, and the connection was not created.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

197245 System area: GUI

Description: When using Internet Explorer versions 6-9, the GUI did not allow use of the drop-down list to select a real server on the pages used to create (or update) a service group, in the Server section.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

197236 System area: GUI

Description: An error message appeared when attempting to change the value of the TCP SYN cookies threshold via the ACOS GUI. The following error message appeared: “Failed to set TCP SYN cookies. Cannot perform requested operation. Device is in Transparent mode.”

Trigger: While in transparent mode, change the value of the TCP SYN cookies threshold via the GUI by navigating as follows: Config Mode > Network > Interface > Global.

In the Threshold field, change the value and save your changes by clicking OK.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Clear the “L3-VLAN-fwd-disable” checkbox if ACOS is in transparent mode.

196570 System area: System

Description: Under heavy bursts of traffic, HA and other such control packets were sometimes dropped.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

195940 System area: CLI (Access-list)

Description: If an access list was created with a host address 0.0.0.0, but the mask was not set to zero, the ACOS device interpreted the configuration as any.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

195406 System area: System (hard disk)

Description: The hard drive occasionally went into a BAD/inconsistent state when reporting disk usage statistics.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

195346 System area: CLI

Description: A process associated with a particular CLI command sometimes caused the control CPU usage rate to spike to 100%.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

195064 System area: SLB (aFleX)

Description: If a persist uie session already existed, and the real server went down, the next session request kept using the same DOWN server.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Clear the persist uie session.

194911 System area: SSL

Description: The ACOS device terminated the session with the client and server upon receiving a “Hello request” from the backend server upon completion of the SSL handshake. ACOS sent “FIN” packets to the client and server. This issue was occurring because ACOS was erroneously including TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the cipher list, even though ACOS does not support renegotiation.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Disable renegotiation on the backend server.

193066 System area: SSL

Description: Cipher Suite TLS_RSA_WITH_RC4_128_MD5 (0x0004) did not work when the “ssl-false-start-disable” option was configured.

Trigger: Configuring the ssl-false-start-disable in a client SSL template caused the SSL handshakes to fail.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Do not configure "ssl-false-start-disable" in the template.

192898 System area: WAF

Description: When the 'sqlia-check sanitize' option was configured for a WAF template, the ACOS device could reload while attempting to sanitize URIs in some scenarios.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

192616 System area: SNMP

Description: The axInterfaceStatTable was implemented with a 60-second data refresh interval, which was not consistent with the ifTable and ifXTable implementation, which has a 1-second refresh interval.

Trigger: The timeout value is set to 1 minute.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P3

Reported by customer: Yes

Workaround: Retrieve the statistics data through ifTable that has a 1-second timeout value.

192175 System area: TFTP on control plane

Description: Attempting to change the TFTP block size configuration on the ACOS device could sometimes fail.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P3

Reported by customer: Yes

191743 System area: SLB

Description: If the “show running” CLI command was used for logging templates, the output for “slb template logging name” was incorrect when more than 9 templates were configured.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

191689 System area: SNMP

Description: When you add a service-group level trap to detect a server member in the service-group, the status changes for up and down events.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

191257 System area: Compression and keep-client-alive

Description: An ACOS device might return a partial server response when the compression and keep-client-alive options are enabled for a Layer 7 virtual port, such as HTTP, HTTPS, and so on.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not configure the keep-client-alive option when compression is enabled on a layer 7 virtual port.

190765 System area: aFleX (clock command)

Description: An issue occurred with the aFleX clock scan and clock format commands when you tried to convert the date to seconds.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

190357 System area: SSL driver

Description: When the PCI config space reads from the Cavium driver code, a memory corruption could occur, which resulted in reading 0xffff, and this caused the ACOS device to reboot.

Trigger: The Cavium driver PCI reads coinciding with reads from other places.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

Workaround: Disable PCI reads from driver code.

190084 System area: GUI

Description: A memory leak occurred when using the GUI to edit the GSLB zone service.

Trigger: This issue can be replicated by doing the following:

1. Login to the GUI.

2. Navigate as follows: Config Mode > GSLB > Zone and select any zone, such as example.com

3. Select any service, such as www, and then click Edit.

4. Memory will increase about 0.1

5. Repeat these steps to see a gradual increase in the memory usage.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

190027 System area: GUI

Description: The backslash “/” special character was not allowed when using the GUI to configure a health monitor for HTTP and HTTPS.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

189862 System area: aXAPI

Description: The ip-in-ip command could not be added under the virtual port using the aXAPI.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

189673 System area: RADIUS SLB

Description: The RADIUS return packet from the server is processed by using a wildcard VIP instead of the VIP that was specified for the server.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

189613 System area: Connection reuse and session age

Description: The age value for a connection-reuse session that was associated with an HTTP and Fast-HTTP virtual port was computed incorrectly.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

189487 System area: System

Description: SCP failed when the /home/user directory was not available on a Linux computer.

Trigger: This issue occurs when you create a user on a Linux computer, but you do not create the user’s home directory, and then use scp to copy a file with the user’s username and password.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Create a home directory on the Linux computer.

188183 System area: Health Monitor

Description: When the run-search option is configured for an LDAP health monitor, and you run a search query and review the statistics, the LDAP server is down.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

187969 System area: This is to patch a security vulnerability.

Description: SSL/TLS MITM vulnerability (CVE-2014-0224)

Trigger: N/A

Version: 2.7.1-P5 and earlier

Reproducibility: N/A

Severity: N/A

Reported by customer: N/A

187802 System area: GUI

Description: When using the GUI to configure the banner, the configuration was lost when the ACOS device was reloaded. This did not happen if the banner was configured using the CLI.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

187663 System area: GUI

Description: The object access control (OAC) config file did not get saved during system backup, so the admin account was not usable when the system was restored.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

186760 System area: CLI/Web Authentication

Description: When the ACOS device is configured with ip control-apps-use-mgmt-port on the management interface, but the external authentication server, such as TACACS+, RADIUS, or LDAP, is only reachable from the ACOS data interface, the ACOS external authentication fails because the authentication server cannot be reached.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

186688 System area: FTP ALG

Description: If an ACL was configured to permit FTP to control port 21 and deny the rest of the control ports, ALG protocols like FTP failed when they were applied to client interfaces.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

186535 System area: System (interface driver)

Description: The CLI command ‘show interface media’ stopped working after the transceiver was unplugged and added to another interface.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Restart the system.

186523 System area: Multicast packet processing

Description: When the ACOS data interface was flooded with IP multicast packets, legitimate TCP-based management traffic to the ACOS device on this data interface was sometimes dropped.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Configure the ACOS data interfaces so that the interfaces cannot view these types of unwanted multicast packets.

186463 System area: aXAPI

Description: When a health monitor was created using aXAPI, a segmentation fault occurred when exercising the “show run” command.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: The valid post should be:

"health_monitor": {
    "name": "sarasa5",
    "type": 3,
    "http": {
        "port": 8080,
        "url": "GET /ping",
        "expect_pattern": "pong"
    }
}

186223 System area: SNMP

Description: Sysname cannot be retrieved through SNMP.

Trigger: Issue the SNMP query to get sysname.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

186184 System area: GUI

Description: When an admin account was created with a customized role, it caused a GUI display issue.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

185293 System area: GUI

Description: Adding or editing the GSLB zone parameters from the browser caused the GUI to reboot.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

185164 System area: DNS fast-path and policy template

Description: ACOS may have rebooted when the SLB DNS (port 53 UDP) flows were being processed via fast-path and the policy template enforcing connection rate limiting through PBSLB/class-list/GLID was bound to the virtual port.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

185104 System area: System

Description: The control CPU sometimes spiked to high levels if a trunk was configured with multiple ports.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

184843 System area: GUI

Description: When making GSLB object additions or changes in the GUI, the user was sometimes logged out of the GUI.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

Workaround: Use the CLI.

184678 System area: TACACS+ (GUI)

Description: When the TACACS+ user login required the user to change the password, this could sometimes cause the ACOS GUI to restart.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

184660 System area: SSL

Description: Additional debugging logs and fail-safe code were added to help troubleshoot SSL chips that could sometimes hang.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

Workaround: Do a manual reboot of the ACOS device.

184399 System area: System Logging

Description: The power supply view definition in system logging incorrectly indicated 'rear view' when it should have shown 'front view'.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

184030 System area: DSR and MSL

Description: The ACOS device did not honor the maximum segment lifetime (MSL) time for a direct server return (DSR) session that you configured by entering the slb msl-time command.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

183535 System area: aVCS

Description: In a two device configuration, reloading VCS caused device 2 to join the chassis with a disabled interface.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

183322 System area: Health Monitor (DNS)

Description: The up-retry command option sometimes did not work when configured under a DNS health monitor.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Change up-retry to the default value (1) or use an external Health Monitor.

183028 System area: GUI

Description: Once a partition ID was configured, that value could not be changed using the ACOS GUI, even though the GUI has a field for changing the partition ID.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

182938 System area: aXAPI

Description: Server priority was reset when the aXAPI was used to disable and then re-enable a server.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: If this occurs, use the CLI to disable and then re-enable a server.

182635 System area: Layer 7 (graceful-shutdown)

Description: After you enter the slb graceful-shutdown num after-disable command, the ACOS device did not complete the four-way close handshake (FIN-ACK/ACK) with the client. The ACOS device did not send the final ACK message in response to the client’s FIN-ACK.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

182473 System area: System Management

Description: When email logging was configured, ACOS sent emails without line breaks between two successive messages.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

182312 System area: FWLB health monitoring

Description: The ICMP payload of a FWLB health-check was sometimes truncated, and the ACOS device could not parse the IP address in the payload.

Trigger: Configure an ICMP health check (with transparent method), and bind it to a real server.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

182233 System area: CLI (SLB)

Description: When you enter the show slb virtual-server command, the Curr-conn counter was sometimes higher than the Peak-conn.

Trigger: Enable extended-stats while traffic is running on the VIP.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P3

Reported by customer: Yes

181690 System area: SNMP

Description: The SNMP notification “axServiceDown” was sent multiple times when the real server port went down. This occurred when the disable-after-down CLI command option was configured as part of the health-check for a real port.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

181270 System area: ICMP for SLB

Description: ICMP error packets were being dropped for DSR SLB, causing both IPv4 and IPv6 traffic flows to fail.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

181039 System area: System

Description: When trying to SSH from another device to ACOS, the known_hosts file cannot be changed to allow connection if the key was changed at some point.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

180970 System area: OSPF and route display

Description: Even after removal of the OSPF route, the show ip route continued to display an OSPF null route that no longer existed.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

180280 System area: Platform

Description: If the 1G SFP was connected to the 10G port of an ACOS 6630, it was able to establish a link, but the receiver did not work.

Trigger: This issue could be recreated by plugging the SFP transceiver into the 10G port of an ACOS 6630 device.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

179653 System area: LACP trunk with VRRP-A

Description: When configuring VRRP-A with an LACP Trunk, if preemption was disabled and the active device was rebooted or reloaded, the reloaded box sometimes came back as the active device in the redundant pair.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

179158 System area: TCP Logging

Description: The ACOS “TCP session logging” feature was erroneously creating persistent connections to handle logging messages. These sessions should have only been created on the active ACOS device and not on the standby device.

Trigger: Enable TCP Logging

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Disable TCP logging.

178939 System area: SLB Dynamic Member

Description: The fully-qualified domain name (FQDN) is always assigned priority 16 and is selected over other service group members.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

178613 System area: Traceroute and wildcard VIP/VPORT

Description: Allow traceroute to work for TCP and UDP methods when using a wildcard VIP with a virtual port that has no-dest-nat enabled. Previously, traceroute worked only when the ICMP method was used.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use ICMP for traceroute functionality.

177991 System area: TCS and HA/VRRP-A

Description: The ACOS device sometimes failed to synchronize the transparent cache switching (TCS) sessions between the Active and Standby devices in an HA or VRRP-A pair. This could happen if the packets from the client had a different source port than those on the cache server.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No

177751 System area: aXAPI

Description: The slb.ssl.upload/download method caused a memory leak.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

176599 System area: SLB

Description: Removing a real server from a service group that had priority affinity enabled caused a priority affinity reset for a different service group. This could happen if a second service group shared one of the real servers in the first service group.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

174301 System area: SNMP

Description: The generate name could not be retrieved.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

173326 System area: CLI

Description: When adding the "logging creation" option to an IP NAT logging template, ‘port-mappings both’ and ‘logging creation’ both show up in the configuration at the same time. Only one option should be enabled for port-mappings. If ‘port-mappings creation’ is set, then ‘port-mappings both’ should have been disabled.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

171523 System area: VCS and vMaster/vBlade reload

Description: In VCS, when you issue reload device <n> from the vMaster to reload the corresponding vBlade device, the vMaster and vBlade were reloaded, instead of just the vBlade.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

169147 System area: System software

Description: Interface utilization reported over 100%

Trigger: Invalid bucket pickup occurred during interface statistics calculation from the hardware and software.

Version: 2.7.1-P5 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

168499 System area: System management port

Description: Unable to access the new IP via SSH if the IP address on the management interface was changed dynamically.

Trigger: Changing the management IP address.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

Workaround: Change the IP address again or reload the device.

168232 System area: SLB/aFleX

Description: The aFleX method (HTTP::method) logic failed to recognize “TRACK”.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

161671 System area: TCP-proxy

Description: If an idle-timeout value of less than 30 seconds was configured in a tcp-proxy virtual port, then the idle-timeout failed to be correctly applied to sessions.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

149138 System area: Clearing statistics

Description: Clearing real server statistics for SLB using the CLI command clear slb server server-name sometimes caused imbalances in the amounts of traffic sent to that real server. This could happen if the SLB method 'least-connection' or 'weighted-least-connection' was configured for the corresponding service group.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Instead of using the 'clear slb server server-name', use the alternative CLI command, 'clear slb server all' to mitigate traffic imbalances.

140653 System area: SNMP

Description: When more than one RBA partition is configured, issuing an snmpwalk for the MIB object, “axAppGlobalTotalCurrentConnections” results in output that is multiplied by the number of RBA partitions that have been configured.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

130033 System area: SNMP

Description: The SNMP daemon could get into a deadlocked situation, thus causing the routing daemon to also become locked, which prevented ACOS from being able to route traffic.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: No

122032 System area: Health Monitor

Description: The system log messages for inband health checks were erroneously displaying [AX]. In this release, the behavior has been changed and the message will display [Inband] when the ports get marked down by inband health checks.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: Yes

70414 System area: System

Description: In rare cases, an interface could become unusable due to a PCI link issue. If this occurred, the “Error for Ethernet X has exceeded Y” message appeared in the log and the AX device rebooted.

Trigger: Described above.

Version: 2.7.1-P5 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

Issues Fixed in 2.7.1-P5

ACOS Release 2.7.1-P5 contains fixes for issues listed in Table 3. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

TABLE 3 Fixes in ACOS Release 2.7.1-P5

A10 Tracking ID Issues

180667 System area: SLB (TCS)

Description: If a real server port was configured with the dest-nat option but the TCS had the regular no-dest-nat option configured, then destination NAT did not happen if that real server port was selected.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

180277 System area: SNMP

Description: SNMP virtual port type value for SIP and SPDYS were both 11. When the virtual port types of sip and spdys were configured under a VIP, if the OID was sent from an SNMP client, the same value was retrieved, as shown in the example below:

snmpwalk <AX_IP> -v 2c -c public .1.3.6.1.4.1.22610.2.4.3.4.3.1.1.2

(output)

SNMPv2-SMI::enterprises.22610.2.4.3.4.3.1.1.2.3.118.115.49.11.200 = INTEGER: 11

SNMPv2-SMI::enterprises.22610.2.4.3.4.3.1.1.2.3.118.115.49.11.201 = INTEGER: 11

Further, such a configuration changed the values for mysql, mssql, fix, smpp-tcp as shown below:

spdys 11 ==> 30

spdy 13 ==> 29

mysql 123 ==> 25

mssql 124 ==> 26

fix 125 ==> 27

smpp-tcp 126 ==> 28

radius 153 ==> 31

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

179932 System area: SNMP

Description: The referenced object for a trap was incorrect because the MIB file had a spelling error.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: The OID is correct but this issue could cause a problem with the MIB compiler.

179722 System area: GSLB

Description: If a health check was flapping for a dynamic GSLB object, ACOS did not add back the internal counter properly.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

179596 System area: L2/L3

Description: Load balancing on Layer 2 trunks was inconsistent for CPU switched traffic.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

179467 System area: IPv6 Packet Processing and Statistics collection at VE level

Description: Under certain conditions, IPv6 packet transmission could cause ACOS to restart if the “ve-stats enable” option was configured.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

Workaround: Do not use the “ve-stats enable” option.

179077 System area: SLB (TCS)

Description: In network topologies with both SLB servers and TCS cache servers on the same physical port, ACOS failed to route Layer 4 traffic correctly.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use separate physical ports for the SLB servers and TCS cache servers.

178816 System area: L3 DSR (IPinIP)

Description: In L3 DSR (IP tunneling) deployments, ACOS did not preserve the TOS field of the outer IP header.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

178738 System area: GSLB

Description: Even though ACOS does not support the ability to perform recursive lookups for clients, the Recursion Available (RA) flag was not turned off in the responses ACOS was sending back to the clients. The correct behavior is for the GSLB controller to disable the RA flag if the DNS server does not contain the resource record that the client requested.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

178531 System area: ICMP

Description: ACOS sometimes dropped ICMP reply packets if they were hashed by a CPU that was different from the original CPU where the ‘ping’ request was received. ACOS dropped the packet because there was no session upon which to match the reply packet.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

Workaround: This issue can be addressed by removing the source-nat option.

178405 System area: SLB (HTTP compression)

Description: An HTTP VIP did not work correctly if an aFleX script bound to the virtual port used the http::collect command, and hardware-based HTTP compression was enabled.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the http::stream command instead of the http::collect command in the aFleX script.

178204 System area: GUI

Description: Use of a specific special character in a read-only admin name could allow the admin to make configuration changes.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

177568 System area: AXdebug

Description: If a single HEX digit (such as \x2) was specified as an offset value to match within the AXdebug filter, ACOS did not handle the match correctly.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

177562 System area: aVCS

Description: In an aVCS deployment, if the cache-spoofing-port option was enabled on an Ethernet port, and LACP was then configured on the same port, the cache-spoofing-port option was not included in the configuration synchronized to other devices.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

177491 System area: Layer 4 SLB (Class-List rate limiting)

Description: In some situations, class-list based rate-limiting at Layer 4 did not work correctly when configured within a service group.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

177295 System area: WAF

Description: HTTP log messages generated using CEF format could be missing some information for requests sent to very long URL strings. For these requests, the req='<url>' and msg='..' fields in CEF format caused the overall log message to exceed 512 bytes, and cut off complete parts of the message.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

177292 System area: SLB (client-SSL)

Description: In a deployment using the client-SSL option to require client certificates, a client request to use TLS v1.2 caused ACOS to reload.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

177184 System area: System

Description: The Thunder 5630 hardware watchdog sometimes did not kick in when the system hung.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

177098 System area: Health Monitoring

Description: HTTPS health monitor using authentication (username/password) caused a memory leak.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Use an external health monitor instead.

177094 System area: SLB (Diameter)

Description: If source-NAT was enabled on a Diameter virtual port and the service group was bound to the port, ACOS could reload.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

177050 System area: aXAPI

Description: Importing a certificate in P7B format did not work correctly using the aXAPI.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

176989 System area: SLB (HTTP template)

Description: The ACOS device could reload when a host-switching or URL-switching line was removed from an HTTP template.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

176908 System area: CLI/System

Description: An aFleX script with the POLICY::bwlist command could be unbound from the virtual port following a reload or reboot.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

176797 System area: aXAPI

Description: The aXAPI slb.virtual_server.fetchAllStatistics method in aXAPI v2.1 erroneously reported the status for virtual ports as “5” (unknown).

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: High

Reported by customer: Yes

Workaround: Use aXAPI v1.x methods or use cli.show_info methods instead.

176654 System area: WAF

Description: In a configuration with both an HTTP-policy template and a WAF template bound to the same HTTP virtual port, the WAF policy was used to process an SQLIA check even though the traffic matched the HTTP-policy.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

176407 System area: GUI

Description: The VRRP-A status was not updated correctly after configuration synchronization was performed manually using the GUI.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

176215 System area: aXAPI

Description: The password submitted in an aXAPI ‘method=authenticate’ call was shown unencrypted in the output of the CLI command show audit.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

176108 System area: aFleX

Description: The aFleX pool command was not supported under the DNS_REQUEST event type.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

175966 System area: SLB (TCP-proxy on Layer 7)

Description: If the keepalive interval and probes were set in a TCP-proxy template bound to a Layer 7 virtual port, ACOS mistakenly sent a second RST to a client who did not respond to a keepalive before the timeout expired.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

175963 System area: SLB (TCP-proxy template)

Description: If TCP-proxy templates were bound specifically to client or server traffic (template tcp-proxy client template-name or template tcp-proxy server template-name under the virtual port), the idle-timeout values in the templates were not used. Instead, the idle-timeout that was used was the lowest setting among the templates bound using the client or server option and the default TCP-proxy template.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use a single TCP-proxy template for both traffic directions, and omit the client or server option.

175894 System area: System

Description: On a device running a large number of health checks, the control CPU could experience a high utilization rate following an authentication failure.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

175876 System area: CLI

Description: If a space (“ ”) was used in a server-name cert/key associated with SNI, a parse error could occur when ACOS read the startup-config file.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not use a space " " in server-name cert/key.

175078 System area: SLB (Layer 7 proxy) and Jumbo Frames

Description: The ACOS device could reload if it received a jumbo frame from a backend server on a Layer 7 proxy virtual port.

Trigger: Receive a client request that includes a jumbo MSS value, and send that request to the back-end server.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

174637 System area: Routing (BGP)

Description: BGP peer connection failed if the peer sent a SAFI(128) request as part of negotiation.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

174508 System area: GUI

Description: The GUI allowed selection of legacy High Availability (HA) settings for ADP L3V partitions even though this combination of features is not supported.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

173839 System area: System

Description: Importing certificates in P7B format did not work.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

173731 System area: SLB (L3V)

Description: The snat-on-vip option did not work for a Layer 7 virtual port in an L3V ADP partition.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the snat-on-vip option at the virtual port level instead.

173584 System area: GUI

Description: A cryptic error message (Error code 10000) appeared when accessing the following GUI page: Monitor Mode > System > HA > Status

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P3

Reported by customer: Yes

173296 System area: System (Transparent mode)

Description: In a transparent mode deployment with source NAT and a UDP virtual port, ACOS incorrectly sent a response packet to the real server interface instead of the client interface.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

173293 System area: System (Transparent mode)

Description: An IPv6 ACL configured on an incoming Ethernet interface denied IPv4 SLB traffic.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Remove the IPv6 ACL.

173248 System area: Health Monitoring

Description: If a backend server used HTTP 1.0 and its response to a health check did not contain a Content-Length header, ACOS marked the server Down.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

173164 System area: aFleX

Description: aFleX persistence based on a custom header might not work correctly, resulting in requests being sent to incorrect servers.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

173080 System area: aFleX

Description: ACOS could reload when an aFleX script containing the global virtual name command in its RULE_INIT was bound to a virtual port.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

172930 System area: aVCS (BGP)

Description: In an aVCS deployment with BGP, if a device was booted or reloaded from its startup-config, the exit-address-family command was omitted from the BGP section of the configuration. If the configuration was then saved without re-adding the command, parsing errors occurred due to the missing command the next time the startup-config was loaded.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Re-add the exit-address-family command and save the configuration.

172789 System area: System

Description: Remote AAA using LDAP did not work for GUI access.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: Configure a static route to the LDAP server that uses the management interface to reach the default gateway. This works with or without use of the ip control-apps-use-mgmt-port command.

172471 System area: System

Description: The raid install command did not work in ACOS 2.7.1-P4.

Trigger: Described above.

Version: 2.7.1-P4

Reproducibility: Yes

Severity: P1

Reported by customer: Yes

172465 System area: aFleX

Description: Use of the Tcl internal command “clock scan” to retrieve the current time could cause the ACOS device to reload.

To prevent this issue from recurring in the current release, the “clock scan” command is disabled. To get the time from within an aFleX script, use the TIME::clock command instead.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: Use the TIME::clock command instead.

172462 System area: WAF

Description: A custom XSS policy that included an empty (wildcard) PCRE match could cause the ACOS device to reload.

Trigger:

1. In a WAF policy, set a rule to have an empty match either in the beginning or in the middle of the match list. For example:

rule1,|bgsound||applet

instead of:

rule1,bgsound|applet

In this example, either of the following character combinations results in empty matches:

,|

||

2. Bind the WAF policy to an HTTP virtual port.

3. Send a request to the port.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Edit the WAF policy file to avoid empty matches.
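
A check for the workaround above, as an added example that is not from A10 or from these release notes: a Python linter that flags rule lines containing an empty alternative before the policy is bound to a virtual port. It assumes one name,pattern rule per line as in the two example lines, and it also flags trailing and in-group empty alternatives, which goes beyond the two cases the note lists.

```python
"""Lint a WAF policy file for empty PCRE alternatives (added example)."""

# Constructed sample policy. Assumption: one rule per line in the form
# "name,pattern", as in the release note's example lines; the rest of the
# policy file format is not described there.
SAMPLE_POLICY = r"""rule1,|bgsound||applet
rule2,bgsound|applet
rule3,script\|x|on(load|error)
rule4,a[|]b|
"""


def empty_alternatives(pattern):
    """Return the offsets in `pattern` where an empty alternative sits.

    Escaped pipes (\\|) and pipes inside a character class ([|]) are
    literals, not alternation, so they are skipped. Group option prefixes
    such as "(?:" are counted as content, so an empty first alternative
    directly after such a prefix is not reported.
    """
    hits = []
    seen = [False]   # per open group: does the current alternative have content?
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                 # escape: the pair is literal content
            seen[-1] = True
            i += 2
            continue
        if in_class:                   # inside [...]: only "]" is special
            if ch == "]":
                in_class = False
            i += 1
            continue
        if ch == "[":
            seen[-1] = True
            i += 1
            if i < len(pattern) and pattern[i] == "^":
                i += 1                 # negation marker
            if i < len(pattern) and pattern[i] == "]":
                i += 1                 # a leading "]" is a literal member
            in_class = True
            continue
        if ch == "(":
            seen[-1] = True            # the group is content of its parent
            seen.append(False)
        elif ch == ")":
            if len(seen) > 1:
                if not seen[-1]:       # "(a|)" or "()"
                    hits.append(i)
                seen.pop()
            else:
                seen[-1] = True        # unbalanced ")": treat as content
        elif ch == "|":
            if not seen[-1]:           # ",|" at the start or "||" in the middle
                hits.append(i)
            seen[-1] = False
        else:
            seen[-1] = True
        i += 1
    if not seen[-1]:                   # trailing "|" or an empty pattern
        hits.append(len(pattern))
    return hits


def lint_policy(text):
    """Return (line_no, rule_name, offsets) for every rule with an empty match."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Split on the first comma only: the pattern may contain commas ({1,3}).
        name, sep, pattern = raw.strip().partition(",")
        if not sep:
            continue                   # not a "name,pattern" line
        hits = empty_alternatives(pattern)
        if hits:
            findings.append((line_no, name.strip(), hits))
    return findings


if __name__ == "__main__":
    for line_no, name, hits in lint_policy(SAMPLE_POLICY):
        print(f"line {line_no}: rule {name!r} has an empty match at offset(s) {hits}")
```
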

172201 System area: SNMP

Description: CPU utilization was not averaged over 60-second intervals when retrieved using SNMP. This is already supported in previous releases in the CLI. The current release adds this support in SNMP.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

172036 System area: GUI

Description: ACOS did not allow hostnames that included parentheses when configured using the GUI, but the character was allowed in a hostname when configured using the ACOS CLI. This inconsistency in the GUI and CLI behavior has been fixed.

Trigger: Configure a hostname using the ACOS GUI that includes the “(” or “)” characters.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

171598 System area: aFleX

Description: Including the version attribute ($Version=0 or 2) could cause a failure to parse the cookie.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

170812 System area: Health Monitoring

Description: When using the built-in SNMP health-check, ACOS sent the wrong OID. This issue occurred because the built-in SNMP health monitor automatically prefixes the OID with the first set of digits: 1.3.6.1.2.1. However, if these first few digits are omitted from the command, then ACOS sends out the correct configuration.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: When using the built-in SNMP health monitor, do not “double-input” the OID prefix value of “1.3.6.1.2.1” because this prefix already exists.

170506 System area: TCS (Hardware SYN-cookie)

Description: When hardware SYN-cookies were enabled within a TCS setup, the ACOS device could sometimes use the incorrect source MAC when sending the packet back to the client.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

170056 System area: Hardware Syn-cookie (FPGA platforms)

Description: In a configuration where hardware-based SYN cookies were disabled, the MAC address for the HA floating IP address for a VLAN was not programmed into the MAC table following certain VLAN and VE configuration changes. This prevented clients from being able to ping the floating IP address.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Enable/disable hardware-based SYN cookies. This results in reprogramming of all virtual MAC addresses (including HA MAC) for all VLANs.

169873 System area: AXdebug

Description: When configuring an AX debug filter, the offset position option was not being saved if the value was specified using hexadecimal notation.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Use an integer instead of hexadecimal notation when specifying the offset value in an axdebug filter.

169855 System area: Layer 2/3

Description: If ICMP traffic was sent to the IP for a trunk (VE interface), the traffic was sent over only one interface and was not properly distributed across all the trunk interfaces.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

169681 System area: Platform

Description: The ACOS axAppGlobalBufferCurrentUsage counter displayed a high number (even when there were no sessions) because various buffers were not being subtracted during calculations.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

169414 System area: IP NAT

Description: If ACOS was configured in an HA/VRRP-A deployment, the ACOS device sent packets that had an incorrect MAC address.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

169384 System area: SNMP

Description: Continuous polling of the OIDs over a long period of time could return a lower number than in previous polls. This was due to internal counter initialization and/or rollover. If the OID was defined as Counter64 then it was not expected to decrease.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Change Counter64 to CounterBasedGauge64.

169316 System area: SNMP

Description: SNMPv3 traps were no longer sent after a reboot. This issue could occur if special characters, such as “#”, were included in the CLI command snmp password, and if the special character also appeared in the keyword in snmpd.conf.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: Do not use the # character in the password.

169159 System area: L3 DSR (IPinIP)

Description: ACOS did not allow an MTU value of greater than 1460 bytes, even though the ICMP unreachable message sent to clients was advertising an MTU of 1480 bytes.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

169153 System area: SNMP (HA)

Description: The SNMP process was non-functional and could not pass any data because the SNMP process was not registering correctly.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

168529 System area: System (FPGA models)

Description: A buffer leak occurred in some uncommon situations in which the ACOS device received a UDP packet greater than 1500 bytes requiring Layer 2 or Layer 3 forwarding. The issue would only occur if the infrequently used disable-buff-debug option was enabled.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not use the disable-buff-debug command.

168358 System area: AAA

Description: When using Active Directory Domain Services (AD DS) for Windows Server 2012 to perform AAA services, the ACOS device was unable to authenticate users based upon the sAMAccountName object attribute.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

168334 System area: SLB/SIP

Description: ACOS restarted if the device was configured with a sip-tcp virtual port, and then received a SIP request containing the INVITE header.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

168329 System area: aFleX

Description: ACOS could reload if the debug aflex and debug monitor commands were used at the same time as an aFleX script containing a command exceeding 256 bytes.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: When using an aFleX script, do not issue the debug aflex and debug monitor commands at the same time.

168172 System area: Session aging counters and non-established session

Description: The “Session aged out” counter in the show slb l4 command was being incremented twice while aging out a non-established TCP connection. This was seen for the L4 TCP virtual port with the idle-timeout value set to 60 seconds.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Set the idle-timeout to 120 seconds or higher for any L4 TCP virtual port that may be handling non-established TCP sessions.

168062 System area: L3V (HA/VRRP-A)

Description: The ACOS device dropped the SYN-ACK packets instead of forwarding to the client. This could happen if an L3V partition used a non-default VRID, because the HA status was incorrectly seen as Standby.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the default VRID when configuring HA/VRRP-A in a network partition.

167833 System area: HA

Description: If ha conn-mirror ip was removed from the config file, this could cause “flapping”, in which the active ACOS device erroneously changed to standby mode based on the HA priority of the pair.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

167830 System area: aXAPI (ADP)

Description: Using the method cli.deploy to deploy many CLI commands within an ADP partition could cause ACOS to reload.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

167741 System area: GSLB

Description: An error was mistakenly logged when a geo-location file that was periodically imported was later modified.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

167671 System area: System

Description: If special characters such as ?, ", \ were entered as part of the value for a string within a class-list, they were not being saved to the running-config or startup-config files. As a result, the class-list string values were not being applied correctly to configuration after reloading or rebooting the ACOS device, and ACOS generated parse errors.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

166922 System area: Health Monitoring

Description: When configuring a health method for LDAP, the overssl option did not work if the run-search option was also configured.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

166660 System area: Platform

Description: The flow-control option could not be configured on the management interface on some FPGA models, such as the AX 3400.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

164512 System area: HA

Description: In an HA deployment, if session synchronization occurred at the same time the running-config was being saved to the startup-config file, then ACOS did not save the configuration using the correct date.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Issue the write memory command to save the date changes.

163816 System area: Health Monitor

Description: The ICMP health check interval was delayed with strict-retry, resulting in an “unreachable” error.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use a compound health monitor to wrap the ICMP health check.

163612 System area: GUI

Description: The ACOS device experienced a memory leak when opening the SSL Management Page.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

163048 System area: SLB (FTP)

Description: When using the “slb traffic-steering” option to configure multi-steering and sending FTP TCS sessions to an FTP virtual port, the data sessions were only sent to the first VIP or TCS caching server.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

159667 System area: SNMP

Description: Certain SNMP OIDs that were defined as “Counter 32” were not able to “decrease”. These OIDs have been redefined.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

159305 System area: GUI (GSLB)

Description: The ACOS GUI failed to allow searching for an IP address in the GSLB geo-location database.

Trigger: Navigate to Config Mode > Geo-location >Find, enter an IPv4 address in the search field, and then click Find. The GUI responds with an error message: “Failed to list GSLB geo-locations. The specified field does not exist.”

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

156686 System area: SLB (DNS)

Description: ACOS could restart if the slb dns-cache-entry-size option was configured in an L3V partition.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

152759 System area: aVCS

Description: In an aVCS virtual chassis, if a vBlade had an “ext” (extended) software image but the vMaster did not, the vBlade abnormally restarted after the vBlade requested the ext image from the vMaster during synchronization with the vMaster.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: If the vMaster does not have an ext image, make sure the vBlades do not have ext images either.

127714 System area: L3V (bw-list)

Description: Periodic updating of bw-list sometimes did not happen when configured in a private partition.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

126103 System area: TCS

Description: In a topology that used no VLANs, the source MAC address was not changed to the ACOS device’s MAC address for traffic that was forwarded by the ACOS device to a directly connected cache server.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

114898 System area: SNMP

Description: If the ‘snmpwalk’ command was sent to the shared and private partitions simultaneously, then the resulting output could be mixed.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

93325 System area: CLI/SSL

Description: The SSL counters were not cleared (reset to ‘0’) after using the clear slb ssl stats CLI command.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

72337 System area: GUI

Description: Tabular displays in the GUI were not sorted based on IP address.

Trigger: Described above.

Version: 2.7.1-P4 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Issues Fixed in 2.7.1-P4

ACOS Release 2.7.1-P4 contains fixes for issues listed in Table 4. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

TABLE 4 Fixes in ACOS Release 2.7.1-P4

A10 Tracking ID Issues

168193 System area: aFleX/DNS

Description: ACOS could reload when using an aFleX script to process malformed DNS packets.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

165772 System area: System

Description: ACOS could reboot if the system uptime caused part of an internal data structure to wrap around. This is a very rare reboot situation and does not happen at every instance of such a wraparound.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

165421 System area: Routing

Description: The ip ospf retransmit-interval command caused the ACOS device to return an error.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

165130 System area: aXAPI

Description: A flood of aXAPI requests using the cli.show_info method could lead to a restart of the ACOS device.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Limit the speed of incoming requests.

164344 System area: WAF

Description: ACOS performed the form consistency check even though the consistency check was not configured.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

163948 System area: NAT

Description: The respond-to-user-mac command worked only for sessions initiated internally.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

163744 System area: IPv6, SLB

Description: Under a certain IPv6 traffic profile, high CPU utilization could occur during session creation. Because of this, the packet processing was interrupted, resulting in packet drops.

Trigger: A large amount of IPv6 traffic created millions of IPv6 sessions. This is more prominent with persist IPv6 sessions.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

163741 System area: Health Monitor

Description: The LDAP method for configuring the StartTLS or Over-SSL could be erased if the “AcceptNotFound” option was not configured after rebooting.

Trigger: Configure an LDAP method with the StartTLS or Over-SSL along with “AcceptNotFound.” Then, issue the write memory command and reboot.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

163612 System area: GUI

Description: A memory leak occurred in the GUI when the SSL Management page was opened.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

163522 System area: SLB

Description: The no-dest-nat port-translation option did not work for the SSL-proxy and TCP-proxy virtual port types.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

163426 System area: HA

Description: Without the ha-conn-mirror command configured, the ACOS device did not GARP immediately.

Trigger: Configure an HA set without an IP address for the ha-conn-mirror command, then do a failover.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Configure the HA conn-mirror with an IP address.

163378 System area: NAT-ALG

Description: If an FTP client and FTP server are in the same private network, and the FTP server has static NAT mapping configured, the ACOS could reboot if the FTP client establishes a PASV connection to the static NAT address of the FTP server.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

163300 System area: NAT

Description: The clientip-sticky-nat command did not work with the NAT pool groups.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

163217 System area: AAA (RADIUS)

Description: RADIUS AAA for admin access might not work correctly, if a valid DNS server was not available for ACOS to use to resolve the RADIUS server IP address.

Trigger:

1. Enable use of RADIUS for admin authentication: authentication type radius local

2. Configure a RADIUS server.

3. Configure an unavailable DNS server: ip dns primary inaccessible-ip-addr

4. Try to log in to the ACOS device in order to trigger RADIUS authentication.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

163180 System area: HTTP

Description: If the use-rcv-hop-for-resp command was issued, ACOS could reload due to an invalid destination address in the tuple.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

162868 System area: aVCS

Description: The “configuration last saved at” information was not updated on the vBlade device in an aVCS deployment.

Trigger: Issue the write memory command for one or all partitions, then check the “configuration last saved at” information using the show startup-config command.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

162848 System area: Layer 2 DSR / Health Monitoring

Description: In a Layer 2 DSR deployment using Layer 7 health checks, ACOS sent a FIN packet to the correct destination IP address to close the connection, but then erroneously sent the subsequent RST packet to the real server IP address instead.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

162307 System area: CLI

Description: ACOS allowed a static NAT IP address to be configured as a VIP address.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

162235 System area: HTTP / Trunk Redundancy

Description: If the selected port member in a trunk was DOWN, ACOS did not reselect another port member in the trunk.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

161005 System area: System

Description: SSL support was not enabled on the Thunder 930 model by default.

Trigger: Described above.

Version: 2.7.3-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the slb ssl-module software command, followed by the write memory command and reboot.

159667 System area: SNMP

Description: Certain SNMP OIDs that were defined as “Counter 32” were not able to “decrease”. These OIDs have been redefined.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

159532 System area: CLI / Class List

Description: If a string in a string-based class list contained a space, it was not saved properly in the configuration file.

Trigger: Create a str class list with a space in the str value.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Do not use a space.

159028 System area: GUI

Description: ACOS failed to configure or show the ha force-self-standby persistent or the vrrp-a force-self-standby persistent options in the GUI.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

158608 System area: System

Description: The show running config command output did not show the “slb” keyword of the following command: slb snat-on-vip

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Yes

Severity: P2

Reported by customer: Yes

158431 System area: SSL

Description: The ACOS device reloaded with traffic running when it was configured with Server Name Indication (SNI) and while using an aXAPI or external script that both added and removed SNI entries from the client-SSL template at the same time.

Trigger: Described above.

Version: 2.7.1-P3

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

158320 System area: SMTP Proxy

Description: While sending a connection close message to a client, the SMTP proxy could cause a restart under certain circumstances.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

Workaround: Add an HTTP template to the configuration. This does not need to be referenced by any particular virtual port. This helps in mitigating reloads.

158284 System area: SLB Layer 7

Description: If half-close-idle-timeout was configured and the client never sent a FIN request, as part of the half-close-idle-timeout logic, ACOS could forward an ACK from a server during session aging.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Avoid configuring half-close-idle-timeout on SLB L7

158173 System area: TCP

Description: When retransmitting a SYN packet, ACOS could reload due to an internal error.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

158140 System area: CLI

Description: The banner exec command could become corrupted after each write memory command and reload was issued.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use a multi-line banner.

158128 System area: GUI

Description: When using the ACOS GUI to configure HA sync, the “With Reload” checkbox did not remain selected. This was caused by a JavaScript error in the on-click event of the “With Reload” checkbox.

Trigger: This can be triggered by following these steps:

1. Navigate to Config Mode > System > HA > Config Sync.

2. Select the checkbox next to the “Operation” field.

3. Select the checkbox in the “Peer Option” field labeled “With Reload”.

4. Click “OK” when the pop-up asks if you are sure you want to reload after the configuration sync.

At this point, the “With Reload” box does not remain selected.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: This bug only exists in the Chrome browser. Use a different browser.

157900 System area: SNMP

Description: The incorrect data type appeared in the axNetStatTable for the axNetStatCpuIndex object. The MIB table defined the data type as Counter when it should have been defined as Integer 32.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

157801 System area: SYN Cookies and Wildcard VIP

Description: If SYN cookies were enabled on a wildcard port on a wildcard VIP, ACOS did not initiate a connection to the backend server after completing the three-way handshake with the client.

Trigger: Described above.

Version: 2.7.1-P2 and P3

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Disable fast-path processing using the slb fast-path-disable command.

157771 System area: System Log

Description: If a configured fail-safe threshold was reached, the log messages did not use the correct description. This issue was cosmetic only.

Trigger: Configure a fail-safe threshold and have the ACOS device cross that threshold.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

157528 System area: System

Description: The show environment command indicated that a PSU was absent even though the PSU was powered on.

Trigger: CLI/Log Facility

Version: 2.7.1-P3 and earlier

Reproducibility: N/A

Severity: P3

Reported by customer: Yes

157186 System area: System

Description: Some AX models, for example: AX 5200-11, AX 3400, and AX 3200-12, could sometimes fail to boot due to an SSD-related issue. This issue resulted in the following error message: “grep: /a10data/linkUpa10switch: No such file or directory”.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

156922 System area: System

Description: System log messages were incorrect on model AX 5630.

Trigger: Described above.

Version: 2.7.1-P3

Reproducibility: Yes

Severity: P2

Reported by customer: Yes

156913 System area: aXAPI

Description: ACOS failed to run the aXAPI slb.service_group.update correctly in 2.7.1-P3.

Trigger: 1. Run the attached python script using the command:

$ python 10005.py AX_IP

2. You should see the following output:

{"response": {"status": "OK"}}

{"response": {"status": "OK"}}

{"response": {"status": "fail", "err": {"code": 654508034, "msg": "

Communication error with LB process."}}}

Version: 2.7.1-P3

Reproducibility: 100%

Severity: P2

Reported by customer: No

156394 System area: System

Description: The show environment command displayed “State: On” for an unplugged PSU.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

155629 System area: FTP

Description: If an HW SYN-cookie was enabled, and an aFleX script was used to select LW nodes, FTP did not work properly.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Yes

Severity: P3

Reported by customer: No

155359 System area: System

Description: The erase reload command did not reset the administrator account.

Trigger: Execute the erase reload command in the CLI.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

155308 System area: System (Diagnostics)

Description: The run-hw-diag command might not finish running diagnostics on the ACOS device.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Yes

Severity: P2

Reported by customer: Yes

155143 System area: DHCP Helper

Description: DHCP helper packets that had a broadcast flag were dropped in a one-arm topology.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

155104 System area: SLB

Description: If a template was bound to a real server and then later removed from that real server, ACOS continued to process new flows hitting the virtual port/service group via slow-path (as if the real server template was applied). This applies to SLB L4/L7 traffic. This caused slightly different behavior in the handling of flows when 'port 53 udp' (SLB DNS) was involved, given the different treatment in the fast versus slow path.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Reload ACOS after configuring a change to unbind the real server template to restore correct behavior.

154967 System area: MGMT

Description: In certain cases, the ACOS device reloaded after the write memory command was issued, causing the startup configuration to be corrupted (in some cases the configuration was lost).

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

154765 System area: Help Description

Description: The Help description has been rectified for keepalive-interval and keepalive-probes within a TCP-proxy template.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

154696 System area: aFleX

Description: aFleX scripts were unable to be applied with an SSL template configured in an HTTP virtual port.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

154582 System area: TCP-Proxy Template

Description: If a TCP-Proxy template with the keepalive option was bound to an HTTP virtual port, ACOS might not send keepalive packets to the client, only to the servers.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

154387 System area: GUI

Description: Sending a request to the ACOS GUI that included a very long cookie name resulted in a blank page display instead of a helpful error message.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

154345 System area: AAM

Description: The client was unable to use multiple directories in the initial form-based request.

Trigger: Described above

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

154105 System area: System

Description: The default thresholds of certain system resources were programmed incorrectly, leading ACOS to give a false positive error message.

Trigger: Described above

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

153964 System area: CLI

Description: ACOS was not prompting to save configurations after issuing certain commands. This has been addressed.

Trigger: Described above

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P4

Reported by customer: Yes

153568 System area: System

Description: If an SSH management session ended abnormally, the admin was not able to reconnect to the ACOS device through SSH.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

153496 System area: HTTP

Description: If a server responded to an HTTP POST request with status code 400 (Bad Request), and the next request from the client arrived in 2 separate packets, the ACOS device did not process the new request.

Version: 2.7.1-P3 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

153355 System area: Persist Session Age Refresh

Description: Persist session age was not being refreshed if a data plane session was still active. This occurred if a source IP persist template was bound to a virtual port and the "incl-sport" option was configured for this template.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

153094 System area: Layer 4

Description: The lan-fast-ack feature did not handle TCP packets with FPA flags.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

153004 System area: Layer 2/3 (AX 5630)

Description: The AX 5630 could drop packets on a trunk interface after the system powered on.

Trigger: Trunk interface is enabled after the system powers on.

Version: 2.7.1-P3 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

152740 System area: Template

Description: The SYN-retries configured in a TCP-proxy template did not take effect when auto server re-selection was used.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Provide CLI commands to disable auto server re-selection so that configured SYN-retries in the TCP-proxy template will take effect.

152156 System area: Fast-HTTP

Description: Failover-url functionality was not working as expected if it was configured under virtual port Fast-HTTP. This has been addressed.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use virtual port HTTP instead of Fast-HTTP virtual port for failover-url.

151537 System area: aVCS

Description: In an aVCS deployment, if the access management option for the remote device is changed and then saved, ACOS could overwrite the local VRRP device ID in the startup configuration with the remote device ID. If a reboot is issued after this operation, the local device would load the configuration of the remote device.

Trigger: Modify the configuration of the remote device on the vMaster GUI, then “save” on the vMaster GUI.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

151309 System area: RAM Cache

Description: Pipe-lined requests were not being correctly processed by HTTP virtual ports when previous HTTP requests on the same TCP connection were being responded from HTTP RAM cache.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Avoid making pipe-lined requests to an HTTP virtual port when certain requests could be served from HTTP RAM cache.

151141 System area: HTTP

Description: Long cookie header values could cause a memory leak issue.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

150892 System area: System

Description: Spurious error and log messages about 12-volt power issues could be generated; for example:

Oct 31 2013 02:22:13 Critica [SYSTEM]:System Voltage 12V is over threshold

limit(12000). Current value 12984, allowed range [11160, 12840]

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Low

Severity: P4

Reported by customer: Yes

Workaround: Check the exact reported voltage, and ignore the log or error message if the voltage is within 10.8-13.2 Volts.

149830 System area: Health Monitor

Description: When the server / real port was in MAINTENANCE mode, and was bound to a service group with a passed health check, then ACOS incorrectly marked the server as UP.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

149764 System area: IP-in-IP / Layer 3-DSR

Description: For an IP-in-IP tunnel, if ACOS received a packet with the DF bit set, and that was larger than the ingress interface’s MTU, then ACOS did not issue the appropriate “ICMP packet-too-large” response. Also, if the DF bit was not set, ACOS did not fragment the large packet.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

149575 System area: aXAPI / ACL

Description: If an aXAPI script was used to bind an ACL to a virtual port, and there were multiple ACLs configured, the aXAPI could bind the wrong ACL to the virtual port.

Trigger: Described above

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use the CLI

148957 System area: Health Monitor (Compound)

Description: The ACOS device reloaded if a compound health monitor’s method was changed from ICMP to HTTP.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

147103 System area: CLI

Description: For partition admins with web-based roles, such as PartitionSLBServiceAdmin or PartitionNetworkOperator, their sessions were not displayed correctly in show admin session output.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

145837 System area: Layer 2 / Layer 3

Description: If it was configured as an HA-standby, the Thunder 3030S did not respond to a ping command.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

145265 System area: SLB (PBSLB)

Description: If the show pbslb command was issued on a device with a large number of PBSLB entries, and the output was then stopped using either ctrl-C or manually, the control-CPU usage went up to 100% and stayed at 100% for a while.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: Yes

Severity: P2

Reported by customer: No

144805 System area: SLB / ICMP Error Handling

Description: ICMP errors for SLB sessions were not handled correctly if the intermediate host or router generated the errors and sent them to ACOS.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

143122 System area: GUI

Description: The ACOS GUI had a potential cross-site scripting vulnerability. This was found on the GUI only.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

143113 System area: System

Description: Although ACOS had power, several log messages were erroneously generated indicating that there was no power to the unit, such as the following:

Sep 14 2013 06:44:28 AX3030 a10logd: [SYSTEM]<2> System Left Power Unit(front view) failed. Current value is 0.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

142234 System area: SLB / NAT

Description: In previous releases, use of the snat-on-vip feature required outside NAT to also be used (ip nat outside).

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use snat-on-vip per virtual port and configure ip nat outside.

141556 System area: HTTP

Description: If there was a request that asked for compression, followed by a HEAD, the response went through the compression path. Because there was no payload in the response, it created an issue.

Trigger: A request is sent with compression and then a HEAD.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

138529 System area: CLI

Description: The default fail-safe settings were not included in the output of the show run with-default command.

Trigger: Described above

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Use the show fail-safe config command

138094 System area: Real Server Template

Description: In an aVCS deployment, if the dynamic prefix was changed in a real server template, the update did not take effect.

Trigger: Configure a dynamic server with a server template, then change the prefix in the template.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

132385 System area: Enable/Disable management and RBA partition

Description: ACOS did not allow enable-management and disable-management commands to be issued from an RBA partition to prevent these settings from being modified by an RBA partition user.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

132208 System area: SLB

Description: ACOS logged messages related to a backup server not taking traffic even after higher priority servers in that service group came UP and started taking traffic. Certain high priority servers in that service group toggled their state (went from down to up).

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Do not configure a backup server in the service group

128479 System area: Routing

Description: The BGP MD5 password did not work in certain cases.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


128125 System area: Layer 7 Proxy

Description: When a client retransmitted a SYN packet with the same sequence number, ACOS generated a new SYN/ACK with a different sequence number.

Trigger: When the client retransmits SYN packets with the same sequence number.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

117469 System area: SLB

Description: ACOS did not refresh the age of persist session (if any) when it refreshed the age of data plane SLB sessions if idle-timeout was configured to be greater than 255 minutes (extended age).

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Configure idle-timeout value to be less than 255 minutes for SLB.


Issues Fixed in 2.7.1-P3

ACOS Release 2.7.1-P3 contains fixes for issues listed in Table 5. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

Note: This document may be updated with additional fix information.

TABLE 5 Fixes in ACOS Release 2.7.1-P3

A10 Tracking ID Issue

149161 System area: SSL

Description: With a large CRL, SSL could take too long to verify the client certificate. The A10 load balancing process could be stopped by the A10 monitoring process, because the monitoring process thought the ACOS device was not responding, making it appear as if the ACOS device had reloaded.

Trigger: Configure client certificates required with a large size of CRL, such as 4 MB or 20K CRL entries. The ACOS device reloads periodically.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

148819 System area: Session age and half-close-idle-timeout

Description: Under certain circumstances, the SLB Layer 4 or Layer 7 session age could be updated incorrectly while a session was in a half-closed state (after receiving server FIN while waiting for client FIN), and if the half-close-idle-timeout was configured.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

148468 System area: aXAPI

Description: Health monitor name was not limited to 29 characters, causing the configuration to be incorrect.

Trigger: Create a health monitor with a name longer than 29 characters.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


148426 System area: SLB (HTTP)

Description: HTTP sessions were not closed on the ACOS device after front-end FIN steps were completed. The sessions remained established until timing out.

Trigger: This problem was seen when data sent by the server exceeded the data length specified in the Content-length in the HTTP header.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

148126 System area: SLB (TCP-proxy with IPv6)

Description: In a configuration using a TCP-proxy template, or HTTP virtual port on an IPv6 VIP, an internal error could cause checksum verification to fail for a valid checksum, if the traffic received includes an IPv6 fragmentation extension header.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

147679 System area: SNMP

Description: The SNMP configuration could become corrupted during restart of the SNMP process.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

Workaround: Disable and re-enable SNMP.

147469 System area: SSL

Description: Client-SSL certificate verification failed if the client certificate chain used different ASN string encodings, such as UTF8 and PRINTABLESTRING.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


147421 System area: TCS (IPv6)

Description: Traffic from Internet to cache server is routed to the client instead of being forwarded to the cache server if an IPv6 fragmentation extension header exists in the packet. This issue ID covers the following issues:

• ACOS did not parse all extension headers to find the correct transportation protocol as a parameter to match a session. This could cause an error if extension headers occurred in between TCP or UDP headers.

• The extended matching flag was not supported.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes
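The extension-header handling that issue 147421 describes, as an added example (not A10 code and not part of these release notes): a bounds-checked walk of the IPv6 extension-header chain that finds the transport protocol and ports a session lookup needs, and that refuses to read ports from a non-first fragment. The function names, the `MAX_EXT_HEADERS` cap and the sample packet are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43,
       NH_FRAGMENT = 44, NH_AH = 51, NH_DSTOPTS = 60 };
enum { IPV6_HDR_LEN = 40, MAX_EXT_HEADERS = 8 /* assumed policy cap */ };

struct l4_info {
    uint8_t  proto;        /* upper-layer protocol number */
    size_t   offset;       /* where the upper-layer data starts */
    int      fragmented;   /* a Fragment header was present */
    uint16_t frag_offset;  /* fragment offset, in 8-byte units */
    int      has_ports;    /* sport/dport below are valid */
    uint16_t sport, dport;
};

/* Walk the extension-header chain of a captured IPv6 packet of `len` bytes.
 * Returns 0 on success, -1 if the packet is truncated, malformed, or carries
 * more than MAX_EXT_HEADERS extension headers. */
int ipv6_find_l4(const uint8_t *pkt, size_t len, struct l4_info *out)
{
    if (!pkt || !out || len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    memset(out, 0, sizeof(*out));
    uint8_t nh = pkt[6];             /* Next Header of the fixed header */
    size_t off = IPV6_HDR_LEN;       /* invariant: off <= len */

    for (int i = 0; i <= MAX_EXT_HEADERS; i++) {
        size_t hlen;
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (len - off < 2) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* length in 8-byte units */
            break;
        case NH_AH:
            if (len - off < 2) return -1;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;   /* length in 4-byte units */
            break;
        case NH_FRAGMENT:
            if (len - off < 8) return -1;
            hlen = 8;
            out->fragmented = 1;
            out->frag_offset = (uint16_t)(((pkt[off + 2] << 8) | pkt[off + 3]) >> 3);
            if (out->frag_offset != 0) {
                /* Non-first fragment: what follows is payload, not a
                 * TCP/UDP header, so no ports may be read from it. */
                out->proto = pkt[off];
                out->offset = off + 8;
                return 0;
            }
            break;
        default:                     /* not an extension header: upper layer */
            out->proto = nh;
            out->offset = off;
            if ((nh == NH_TCP || nh == NH_UDP) && len - off >= 4) {
                out->has_ports = 1;
                out->sport = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
                out->dport = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
            }
            return 0;
        }
        if (hlen > len - off) return -1;   /* header claims more than captured */
        nh = pkt[off];
        off += hlen;
    }
    return -1;
}

/* Constructed sample (64 bytes): IPv6 -> Hop-by-Hop -> Fragment -> 8 bytes
 * that start a TCP header (49152 -> 80) when frag_units is 0. */
size_t build_sample(uint8_t buf[64], uint16_t frag_units)
{
    memset(buf, 0, 64);
    buf[0] = 0x60;                               /* version 6 */
    buf[5] = 24;                                 /* payload length */
    buf[6] = NH_HOPOPTS;
    buf[40] = NH_FRAGMENT;                       /* Hop-by-Hop: next, len=0 */
    buf[48] = NH_TCP;                            /* Fragment: next header */
    buf[50] = (uint8_t)(frag_units >> 5);        /* offset, high bits */
    buf[51] = (uint8_t)((frag_units << 3) | 1);  /* offset low bits, M=1 */
    buf[56] = 0xC0; buf[57] = 0x00;              /* source port 49152 */
    buf[58] = 0x00; buf[59] = 0x50;              /* destination port 80 */
    return 64;
}

/* Destination port of the sample when only `caplen` bytes were captured;
 * -1 if the parser rejects it, -2 if no transport header is readable. */
int sample_dport(uint16_t frag_units, size_t caplen)
{
    uint8_t buf[64];
    struct l4_info info;
    build_sample(buf, frag_units);
    if (ipv6_find_l4(buf, caplen, &info) != 0) return -1;
    return info.has_ports ? (int)info.dport : -2;
}

int main(void)
{
    printf("first fragment:      %d\n", sample_dport(0, 64));
    printf("non-first fragment:  %d\n", sample_dport(185, 64));
    printf("truncated extension: %d\n", sample_dport(0, 44));
    return 0;
}
```

For a non-first fragment the caller has to match on the fragment's source, destination and Identification field, or reassemble first, because the ports exist only in the first fragment.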

147214 System area: VRRP-A

Description: In a VRRP-A configuration, if a standby ACOS device received a packet that matched an existing session, the device applied Layer 4 processing to the packet but should not have. This issue did not affect legacy HA configurations.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

147115 System area: Health Monitoring

Description: ICMP transparent health checks could fail if the ICMP sequence numbers in multiple health checks were the same. This issue was observed in a topology in which a real server on one ACOS device was configured as a floating IP address on another ACOS device.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Change the interval value used in the ICMP health monitor.


147004 System area: VRRP, SLB

Description: In a configuration with an L3V partition, VRRP-A failovers in a private partition affected session timeout in a different partition.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

146845 System area: SLB (DNS-UDP and IP fragmentation)

Description: System memory usage could be high during handling of fragmented IP packets received on a DNS-UDP virtual port that had an aFleX script bound to it.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use port 53, with virtual-port type UDP instead of UDP-DNS. Or, unbind the aFleX script from the DNS-UDP virtual port, if the port will receive fragmented IP packets.

146507 System area: GUI

Description: Virtual-server compression statistics displayed in the GUI could be incorrect.

Trigger: Described above.

Version: 2.7.1-P2

Reproducibility: High

Severity: P2

Reported by customer: Yes

146353 System area: GUI

Description: AXdebug did not work properly in the GUI.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


146224 System area: PBSLB / DNS connection-rate limiting

Description: DNS connection-rate limiting did not operate correctly if its configuration included a class-list with an LID. Also, the show pbslb CLI command displayed incorrect client IP addresses.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

145981 System area: aFleX, CLI

Description: If aborts or errors had occurred for an aFleX script bound to a virtual port, the CLI could stop working after the show techsupport command was entered. This occurred due to an error in writing the aFleX error information to the command output.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

145978 System area: GUI

Description: CPU utilization could become high if a large number of GUI admin sessions were open, or GUI admin sessions were open for a long time.

Trigger: The root cause for the high control CPU is improper handling following termination of multiple admin sessions for the same admin. The accumulated environment variable leak eventually causes the ACOS GUI process to slow access to ACOS.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

145945 System area: GUI

Description: If the GUI was used to remove an IPv6 address from an Ethernet data interface and add the same address to another Ethernet data interface, the Forwarding Information Base (FIB) was not updated correctly to reflect the change.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


145870 System area: System

Description: If the show ip bgp neighbor command was entered while the last-known error code for BGP was (6,7), which indicates session cessation due to collision, ACOS could reload.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

Workaround: Use a passive connection to the BGP peer, which avoids the collision condition. If using an active connection, avoid entering the show ip bgp neighbor command until the last-known error code is no longer (6,7).

145774 System area: SLB (wildcard VIP)

Description: In a configuration using a wildcard VIP, a small number of packets for a session on the VIP mistakenly could be forwarded at Layer 3.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

145672 System area: Layer 7 / SLB

Description: When running SSL Intercept, the decrypted port 8080 SYN-ACK sent to the internal ACOS device from the Internet ACOS proxy was routed to the client instead of being responded to with a TCP ACK. This caused clients to experience either slowness while loading web pages or HTTP 504 failures.

Trigger:

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

145645 System area: SLB (fast-HTTP and TCS)

Description: TCS did not work with fast-HTTP virtual ports.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use HTTP virtual port


145600 System area: Layer 7 / SLB

Description: During HTTP content compression, the Vary header in the server response was overwritten by ACOS.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

145378 System area: System / WAF

Description: Entering the system-reset command removed the default WAF definition files.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Re-install the image. (Upgrade, or perform the upgrade again.)

145285 System area: CLI

Description: Entering the show running-config command could delete class-list files unexpectedly.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Reboot after restoring system configuration.

144965 System area: GUI / WAF

Description: ACOS could reload if the GUI was used to delete a WAF definition file.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes


144733 System area: SLB

Description: If ACOS received a TCP RST from a client, but the session for the client was still half open (the 3-way handshake had not yet been completed), the session remained in the system for about a minute. The current release optimizes the system response to this situation, by deleting the session immediately.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use a Layer 4 virtual port type (for example, TCP) instead of a Layer 7 virtual port type.

144457 System area: DNSSEC

Description: DNSSEC template did not work if a dash (“-”) was used in the template name.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

144244 System area: GUI

Description: Client-SSL template could not be configured on an HTTP virtual port in the GUI, but it can be in the CLI.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

143923 System area: FPGA

Description: Under heavy load conditions, LACP packets could be dropped by the FPGAs.

Trigger: Heavy traffic.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


143740 System area: Platform

Description: Fan speed out of range message was displayed in the system log.

Trigger: None.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

143272 System area: SLB (fast-HTTP)

Description: In a configuration using a fast-HTTP virtual port, server responses that contained HTTP headers but not a Content-length header or any data were not handled correctly. If a client sent multiple requests on the same TCP connection, ACOS did not forward the requests to the server.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Use an HTTP virtual port instead of a fast-HTTP virtual port.

143233 System area: HA / SLB (HTTP)

Description: Standby AX IDLE Layer 7 sessions are being transmitted with source MAC addresses of shared (VIP MAC), instead of Interface MAC, causing upstream Layer 2 devices to program MAC on the wrong port.

Trigger: Forcing HA failover when there are half open sessions.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Clear the half-open session before failover occurs (or before forcing a failover).

143122 System area: GUI

Description: The ACOS GUI interface was potentially vulnerable to cross-site scripting. This issue was found in the GUI only.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes


143095 System area: aXAPI

Description: Added a new option in the slb.global method to allow configuration on the “disabled_aflex_auto_server_up” option.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No

143092 System area: RAM Caching

Description: In cases where replies to requests with Accept-encoding: gzip are cached, but the HTTP header in a later request does not have the Accept-encoding header, ACOS always sent the content that was cached based on the first request.

Trigger: Presence / absence of accept encoding.

Version: 2.7.1-P2 and earlier

Reproducibility: Yes

Severity: P2

Reported by customer: Yes

142903 System area: WAF

Description: In an SLB configuration with a WAF template, some requests were not completed.

Trigger:

1. Configure an SLB WAF template.

2. Send a request with some Post data.

For some Post sizes and timings, the data from the client is dropped by the ACOS device and the request does not reach the server, preventing the client from receiving the page data.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

142738 System area: L7 Authentication

Description: Not all data under the /a10data/auth system directory was included in system backups performed using the backup system command.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: No


142405 System area: GUI

Description: Some VRRP-A trunk tracking configuration could be lost on vBlades, if configured using the GUI directly on the vBlades.

Trigger: Described above.

Version: 2.7.1-P3 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Configure VRRP-A track trunk in CLI in VCS environment.

141754 System area: GUI

Description: A duplicate entry was displayed in the GUI for a static route configured in an L3V partition.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

141628 System area: Connection-rate limiting

Description: If a connection-rate limit was specified in a template bound to a virtual port, and a real port or real server was transitioning from DOWN to UP, “connection-rate-limit exceeded” messages could be erroneously logged for real ports or real servers associated with that virtual port. This could occur even if the number of connections did not exceed the configured connection-rate limit.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

141118 System area: SLB (Layer 7)

Description: If an ICMP destination unreachable message was sent to a VIP that also was processing an SLB Layer 7 session, ACOS did not correctly modify the destination IP address before sending the message packet. This resulted in the message being sent back to the VIP.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


140857 System area: aXAPI

Description: Hostname-based SLB server answers were not returned to clients when all health checks were up.

Trigger: Described above.

Version: 2.7.1-P2

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

140749 System area: IP NAT

Description: Active FTP did not work on an IP NAT session; ACOS did not correctly handle the FTP PORT command.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

140176 System area: GSLB

Description: Clearing the GSLB configuration could cause the device to reload, if the configuration contained a GSLB host server.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

140224 System area: Routing

Description: Some directly connected routes were missing following LACP trunk flaps.

Trigger: LACP timeout.

Version: 2.7.1-P2 and earlier

Reproducibility: Low, need LACP timeout

Severity: P1

Reported by customer: Yes

Workaround: Re-configure / flip those routes manually.


140084 System area: SNMP

Description: The following SNMP traps, axServiceGroupMemberDisabledForNewConn, and axServiceGroupMemberEnabledForNewConn, could not be sent when the event occurred.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

140068 System area: WAF

Description: In an SLB configuration with a WAF template, some requests were not completed.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

139972 System area: SNMP

Description: The description of the axAppGlobalTotalSSLConnections (.1.3.6.1.4.1.22610.2.4.3.1.2.6) object was incorrect.

• Correct – Get the total number of SSL connections.

• Incorrect – Get the total number of new SSL connections.

Note: The axAppGlobalTotalSSLConnections object returns the same value as axSslStatTotalSSLConn (.1.3.6.1.4.1.22610.2.4.3.9.3).

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


139945 System area: SLB (fast-HTTP)

Description: In a fast-HTTP configuration, the ACOS device sent a separate TCP SYN to the backend server, for every request packet from the client, until the server responded. This could occur if the client began sending data packets before receiving the first ACK from the ACOS device. As part of the ACOS device’s normal behavior as an HTTP proxy, it sends an ACK to a client only after receiving the ACK from the backend server. In the current release, the ACOS behavior is changed. Beginning in this release, the ACOS device resends a SYN only for retransmitted packets, rather than for every packet.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

Workaround: Use virtual-port type HTTP instead of fast-HTTP.

139819 System area: SLB (Layer 7)

Description: In a configuration using a RADIUS virtual port, where a source NAT pool was not bound to the virtual port, ACOS correctly changed the VIP address into the real server IP address before forwarding a client request to the backend RADIUS server, but did not change the server IP address back into the VIP address before forwarding the server’s reply to the client.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

139348 System area: System

Description: On model AX 3030, the show cpu command showed 100 percent utilization on the control CPU every 30 seconds, for a span of 1-2 seconds during each occurrence.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

139189 System area: SLB (HTTP)

Description: When HTTP received FIN-ACK from a server, ACOS responded with a FIN-ACK even if there was data from the client that needed to be sent to the server.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Yes

Severity: P2

Reported by customer: Yes


138991 System area: Smart NAT / External-services template

Description: After the status of a health check changed from down to up, smart NAT attempted to delete the sessions associated with the real port that was down. During this route change period, ACOS could not allocate NAT pool resources, resulting in a delay before traffic could be load balanced to the backend servers.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

138988 System area: PBSLB

Description: In a configuration running both IP NAT and SLB traffic concurrently, the ACOS device could reload during deletion of a session.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

138817 System area: aVCS

Description: When logging out of the ACOS GUI, the user preferences were saved to a file and synchronized across all of the vBlades. This caused the aVCS configuration information to change.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

138811 System area: ICMP rate limiting

Description: The rate-limit counters in show icmp output could be incorrect, even though the feature was working properly.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P4

Reported by customer: Yes


138598 System area: GUI

Description: On models AX 5100 and AX 5200, the usage meter for system memory was erroneously labeled “CPU Usage”. This issue affected the page displayed by Monitor Mode > Overview > Performance > Summary.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

138286 System area: Health Monitoring (Layer 3 DSR)

Description: In an IPv6 Layer 3 DSR configuration, an IPv6 health monitor did not work if it was applied at the real-port configuration level. This issue did not affect health monitors applied at the service-group level.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

138283 System area: SLB (External-services template)

Description: In an external-services configuration, ACOS could reload if the health-check status of a server changed from down to up.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

138157 System area: aXAPI, SSL

Description: The response to an aXAPI call for an x.509 v3 certificate included the private key.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


138004 System area: Hardware-based SYN cookies / connection-rate limiting

Description: In a configuration including both the hardware-based SYN cookie feature and connection-rate limiting, when the limit was exceeded, the over-limit sessions were not removed properly. Instead:

• A half-open session was left in the session table, with the VIP address listed in both the Forward Dest and Reverse Source columns.

• An invalid SYN segment was sent to the client, due to a re-route error.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

137881 System area: aFleX (SSL)

Description: The ACOS device could reload when using aFleX to perform content replacement over SSL.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

137470 System area: NAT

Description: During heavy IP NAT traffic, the ACOS device could select different IP addresses from a NAT pool for the control and data sessions of the same FTP connection.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

137419 System area: SLB (External-services template)

Description: If ACOS received a 403 (Forbidden) message from the backend server, ACOS forwarded a 200 (OK) message to the client. This is expected behavior. However, in a case where the maximum session life (MSL) timer was set to 20, and the reset-unknown-conn option was enabled, ACOS should send a RST for any PUSH Acknowledge (PA) packet that arrives after resetting the client. However, before this issue was fixed, ACOS simply dropped PUSH packets that arrived after reset of the client connection.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Medium

Severity: P3

Reported by customer: Yes

137335 System area: SLB

Description: If the backend server sent a response without the Content-length header, then closed the connection, the ACOS device forwarded the FIN to the client and removed the session, without waiting for the client to close the connection. Beginning in the current release, the ACOS device waits for the client to close the connection before deleting the session.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

137113 System area: aXAPI

Description: The ACOS device experienced abnormally high control CPU utilization rates if the aXAPI gzip option was used to retrieve a configuration in which a large number of ports had been assigned to a real server.

Trigger: This issue could occur under the following conditions:

1. Configure a real server with a large number of ports.

2. Repeatedly use the aXAPI gzip option to retrieve the configuration, while simultaneously monitoring CPU usage.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Disable gzip by removing the “Accept-Encoding: gzip” header from the HTTP client.

136885 System area: aXAPI

Description: The output for aXAPI method slb.virtual_server was missing the vrid element.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

136690 System area: Health Monitor

Description: Oracle database Health-check failures could fill the failure log on the ACOS device drive, causing operational issues.

Trigger: Described

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

136480 System area: aFleX

Description: If an event command was included within a when body, ACOS reloaded. For example, the following command could cause a reload: when HTTP_REQUEST { HTTP_RESPONSE }

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

136246 System area: SLB (MSL timer)

Description: The maximum session life (MSL) timer was not applied to a session following expiration of the half-close-idle-timeout.

The half-close-idle-timeout is optional. If the option is enabled, a session enters the half-closed state when the ACOS device receives a FIN from the backend server, before receiving a FIN from the client. In previous releases, the session was deleted after the half-close-idle-timeout expired. Beginning in this release, the MSL timer begins for a session after the half-close-idle-timeout for that session expires.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Do not use the half-close-idle-timeout option for SLB TCP sessions.

136189 System area: HA / VRRP-A / aFleX

Description: If HA or VRRP-A was configured, and an ACOS device failed over from an active device to the standby device, an internal error during aFleX processing could cause a reload.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

136063 System area: SLB - HTTP

Description: The SYN-ACK request sent to a client could have the same MAC address for the source as for the destination.

Trigger: Configure an HA pair without an HA group ID.

Version: 2.7.1 and later

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

135775 System area: GUI

Description: If the ACOS device was configured to use the management port to send Syslog messages, using the GUI to change the management IP address stopped further Syslog messages from being sent on the port.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

135631 System area: SLB (DNS session aging)

Description: SLB DNS sessions aged out sooner than expected under the following circumstances:

• Aging was set to “short” within a UDP template bound to UDP port 53 (the default DNS port)

• Multiple requests/responses were processed for the same session on that port

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

135427 System area: System

Description: Under a rare internal error condition, AX fail-safe checks could get false-positive results. This would cause the fail-safe mechanism to restart the ACOS device to avoid further disruption in traffic processing.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

135094 System area: SLB (TCP)

Description: The ACOS device could sometimes send a RST packet to a client if a FIN was received from the backend server. This could create issues if there was buffered data waiting to be transmitted to the client. The ACOS device also could send an ACK with an incorrect sequence number to the backend server during connection close.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

134806 System area: HA (configuration synchronization)

Description: Admin usernames and passwords were not synchronized to the standby device.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Manually configure the admin account info on the standby device.

134740 System area: L3V (Resource-usage templates)

Description: An SSL throughput limit configured in a resource-usage template in a private partition might not take effect.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

134686 System area: Routing (IS-IS)

Description: The MD5 authentication TLV in IS-IS LSPs could become corrupted when the ACOS device flooded the received LSPs with lifetime == 0.

Trigger:

1. Generate lifetime == 0 LSP from the neighboring router with MD5 authentication TLV encoded.

2. Capture the LSP packet flooded by ACOS device on non-LSP received IS-IS interface.

3. LSP with lifetime == 0 flooded by ACOS device has a corrupted authentication TLV, which will be dropped by the neighboring router, due to the authentication failure.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

134191 System area: aFleX (SLB)

Description: The ACOS device sent a TCP RST instead of dropping traffic, for traffic that matched an aFleX script that used the “drop” command.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

134041 System area: SLB (Layer 4)

Description: If the idle-timeout value in the default TCP or UDP template was set to higher than 255 minutes, the setting was not used.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

133195 System area: HTTP

Description: In some error cases, a NAT resource was not released.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Yes

Severity: P2

Reported by customer: Yes

133048 System area: GUI

Description: IP routes could not be deleted using the GUI.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

132877 System area: GSLB

Description: GSLB TTL values were not correct when the geoloc-alias option was used. This issue could occur if there was data flowing between multiple services.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

132373 System area: SNMP

Description: A shutdown or restart notification (such as axSystemShutdown) might not be generated if the shutdown or restart was initiated using the CLI.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

132223 System area: System (LACP)

Description: The ACOS device could reload following a state change (up/down) of an LACP VE.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

131734 System area: SLB (Layer 7)

Description: Sessions could remain in the session table even after the MSL timer expired. This could occur under either of the following circumstances:

• If the half-close-idle-timeout option was configured for a Layer 7 virtual port, the connection was re-queued for another 2 seconds, delaying its removal from the session table.

• An HTTP proxy (Layer 7) connection was put in the delete queue by the proxy state machine, and was re-queued to be examined 4 seconds later. This could occur if ACOS saw any ACK/FIN-ACK packets arriving on that connection after it had been put in the delete queue. This delayed the removal of the session.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Workaround: Avoid using the half-close-idle-timeout command for Layer 7 virtual ports.

131458 System area: SLB (aFlow and connection-reuse)

Description: If both the aFlow and the connection-reuse features were enabled on a Layer 7 virtual port (such as HTTP or HTTPS), the ACOS device could reload.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

Workaround: Do not enable the aFlow feature if connection-reuse is also enabled.

131005 System area: CLI

Description: The show debug command displayed incorrect debug packet parameters.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

129793 System area: DDoS (IP anomaly filtering)

Description: Using the IP anomaly-drop frag option to drop potentially malicious IP fragments did not work on non-FPGA based ACOS devices for non-TCP traffic, such as UDP and ICMP traffic.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

129319 System area: Routing

Description: Graceful restart was not supported for BGP decline of open capability 64.

Trigger: Neighbor sends open capability 64, which should cause a graceful restart.

Version: 2.7.1-P2

Reproducibility: 100%

Severity: P2

Reported by customer: No

Workaround: Disable capability negotiation.

128125 System area: Layer 7 proxy (HTTP, tcp-proxy, HTTPS)

Description: If a client re-transmitted a SYN request with the same sequence number, ACOS generated a new SYN/ACK request with a different sequence number.

Trigger: Described above.

Version: 2.7.1-P1

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

124361 System area: ICMP / NAT / SLB

Description: Traceroute did not work correctly for ICMPv4 or ICMPv6, in configurations that included a wildcard virtual port (a VIP configured with port 0 others), and also included IP NAT.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

103834 System area: External service (URL filtering service)

Description: In a configuration with dynamically removed proxy servers, the ACOS device could reload during heavy traffic load.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

101311 System area: SLB (Layer 4)

Description: ACOS sent a RST to an incorrect interface when the slb msl-time or slb reset-stale-session options were enabled and if ACOS received a SYN or PSH/ACK packet.

Trigger: Described above.

Version: 2.7.1-P2 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

Issues Fixed in 2.7.1-P2

ACOS 2.7.1-P2 contains fixes for issues listed in Table 6. The issues are listed by A10 tracking ID, beginning with the highest issue ID (the most recently logged issue).

Note: This document may be updated with additional fix information.

TABLE 6 Fixes in ACOS 2.7.1-P2

A10 Tracking ID Issue

135040 System area: SLB (HTTP and connection requests)

Description: If ACOS received multiple connection requests from a client by way of an SLB HTTP proxy, ACOS applied client IP insertion (from a template or aFleX) on only the first such connection request. This behavior has been fixed in this release such that ACOS will apply the requested template action for all client connection requests until the server replies with the proper status code (such as 200).

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

134221 System area: vThunder (GUI)

Description: Attempting to use the vThunder GUI could result in a failure to access the GUI and high CPU utilization in some cases. For example, this issue could occur due to process: 'sh -c cp'

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

133819 System area: SLB (WAF template)

Description: If a POST request in a WAF template contained the key=value pair option and the length of the value was greater than 2048 characters, then ACOS could fail to parse the POST request, and this resulted in a failure to parse valid HTTP traffic.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

133753 System area: ACLs

Description: If changes (such as adding or removing rules) were made to an ACL that was bound to a management interface, the changes were not applied immediately.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Reload the device for the modified ACL to take effect.

133564 System area: aFleX (HTTP::collect feature)

Description: ACOS stopped collecting data after the first 1200 bytes when using HTTP::collect to do string replacement in an HTTP payload.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

133555 System area: WAF

Description: WAF caused ACOS to reload when an XSS check (within the WAF template) was done on a long URL with more than 511 characters.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

133516 System area: HTTP (chunk encoding)

Description: ACOS erroneously considered non-chunked HTTP packets to be chunked packets if they were preceded by a chunk-encoded request. This caused Layer 7 HTTP to terminate the connections too early.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

133471 System area: SSL Intercept

Description: The internal ACOS device in an SSL Intercept deployment could reload if a server responded with an SSL handshake packet that also included application data.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

133261 System area: GUI

Description: When viewing the running-config and startup-config files through the ACOS GUI, inconsistent sizes were displayed for the files within an RBA partition. The running-config file should have been the same as the startup config, but it appeared to be larger than the startup-config file.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

133246 System area: HTTP

Description: ACOS reloaded if there was an HTTP template with the response-content-replace option configured under a Layer 7 virtual port.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

133219 System area: aVCS (SSL Intercept)

Description: In an aVCS deployment, SSL Intercept commands within a client-SSL template were not synchronized to the vBlades.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

132947 System area: GUI

Description: The logging email filter module name was inconsistently displayed in the CLI and GUI.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: No

132785 System area: aVCS (aXAPI)

Description: A memory leak could occur when the vMaster retrieved information from a vBlade using the aXAPI.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

132716 System area: WAF

Description: The header sanity check erroneously denied cookies that were longer than 4k.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

132589 System area: SSL Intercept

Description: The internal ACOS device in an SSL Intercept deployment experienced an SSL memory leak if a Client Hello packet was received containing a Server Name Indication (SNI) extension.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes

132508 System area: SSL Intercept

Description: The internal ACOS device in an SSL Intercept deployment could reload if it received a server certificate which contained a Subject Name Extension.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

132400 System area: SLB (WAF template)

Description: If an ACOS device was deployed in WAF Learning Mode and ACOS was then reloaded or rebooted, this caused the WAF policy to be automatically restored to WAF Active Mode.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

132265 System area: SNMP (MIBs)

Description: A third-party MIB application could not parse the ACOS MIB file (A10-AX-MIB.txt) due to objects that had data type Counter. To fix this issue, these objects now use data type Counter32.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

132253 System area: System

Description: Following upgrade to ACOS 2.7.1-P1, the fail-safe hw-error-monitor-enable command appeared in the running-config. Although the state change for this feature is part of a documented behavior change for 2.7.1, the command’s appearance in the configuration was not an expected behavior. (For more information on this change, see “Fail-safe Hardware Monitoring Enabled By Default”.)

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

132127 System area: SSL

Description: If a server-SSL template included the close-notify option and the virtual-port template included the reset-unknown-conn option, the server-side SSL connection did not close following server certificate verification failure.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

132037 System area: SSL Intercept

Description: The internal ACOS device in an SSL intercept deployment experienced a memory leak as a result of the clear slb ssl-forward-proxy-cert command failing to clear the ACOS-signed server certificates. In such situations, memory was not released as expected.

This issue occurred with internal certificates containing the Subject Name Extension.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

132031 System area: SSL Intercept

Description: The internal ACOS device in an SSL intercept deployment experienced an SSL memory leak due to ACOS not releasing the original server certificate after it had been signed.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Low

Severity: P1

Reported by customer: Yes

131963 System area: SSL

Description: An issue occurred in which ACOS self-signed certificates were not accepted by the Safari Internet browser used on iPad or iPhone devices.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

131869 System area: SLB (HTTP)

Description: The WWW-Authenticate header was removed if the header value was 9 characters or more.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

131683 System area: System

Description: When big buffer pool support was enabled, the value for the total number of FPGA buffers was incorrect, which caused an incorrect number to be reported in the “Approximate # buffers in total” field within the output of the show system platform buffer-stats command.

Trigger: Described above.

Version: 2.7.1 and 2.7.1-P1 releases

Reproducibility: 100%

Severity: P4

Reported by customer: Yes

131455 System area: SSL (client-SSL template)

Description: The disable-sslv3 and sslv2-bypass options within a client-SSL template failed to work as intended for vThunder.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

131449 System area: SLB (external-service template/URL filtering)

Description: In an external-service configuration, ACOS could unexpectedly accept an HTTP request. This could happen in the following scenario:

• The client sent two consecutive HTTP requests to the destination server over one TCP connection.

• For the first request, the proxy server responded with “HTTP 200 OK”, and the request was forwarded to the destination server, as expected.

• For the second request, when the proxy server responded with a FIN message instead of “200 OK”, the ACOS device forwarded the request to the destination server. However, ACOS should have instead sent a RST to both the client and the destination server.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

131266 System area: SSL Intercept

Description: ACOS reloaded due to memory corruption if Codenomicon negative SSL traffic was sent to an SSL Intercept deployment that used a server key field exceeding 64 bytes.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: No

131035 System area: aFleX

Description: Mismatched error messages could appear for some failed aFleX commands due to an internal error.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Low

Severity: P3

Reported by customer: Yes

131014 System area: SLB (MSL timer)

Description: The MSL timer did not take effect for Layer 4 TCS sessions that were subject to the half-close-idle-timeout option.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

Workaround: Do not configure the half-close-idle-timeout option under the TCP template.

130711 System area: GUI

Description: A maximum file size of 8K for class-list file size was supported. In the current release, the size has been increased to 32K.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

130693 System area: SNMPv3

Description: DES/AES message data encryption was not supported for SNMPv3.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No

130687 System area: System

Description: Some 64-bit FPGA-based models experienced a memory leak if traffic included ICMP/ICMPv6 NAT or static NAT sessions.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

130469 System area: System/logging (WAF)

Description: ACOS could reload if a WAF template contained the special character “%”.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P1

Reported by customer: No

Workaround: Format the string as text only.

130436 System area: SLB (Health Monitor)

Description: If the disable [when-all-ports-down | when-any-port-down] option was enabled on a virtual server, the service group state was marked functional up even when one member was disabled and another was down.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

130214 System area: WAF

Description: The http-request-packet option could cause a reload.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Medium

Severity: P1

Reported by customer: Yes


130123 System area: Smart NAT

Description: It could take up to 5 seconds for a server to be selected by SLB after successfully passing a Layer 3 health check following server recovery.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

130120 System area: SLB

Description: If the reset-unknown-conn feature was configured on a Layer 7 VIP, ACOS could send a RST to an incorrect interface.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

130078 System area: Layer 7 HTTPS

Description: Compression did not work as expected when chunk encoding was used at the same time as SSL on the same virtual port.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No

130012 System area: SNMP

Description: The axAppGlobalStats MIB object always returned 0.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


129535 System area: aVCS

Description: aVCS staggered-upgrade could fail due to a connectivity delay. To fix this issue, a new command is added in this release to delay the start of aVCS following a reload/reboot: vcs force-wait-interval

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

129340 System area: SLB (transparent session)

Description: TCP/UDP transparent sessions had an abnormally long idle-timeout of 1800 secs. The default idle-timeout for TCP/UDP transparent sessions has been restored to 120 seconds.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

129331 System area: aFleX

Description: The aFleX “incr” command for global variables could cause a memory leak if used with server selection and logging commands.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P1

Reported by customer: Yes

Workaround: Use "expr $::var + 1" instead of "incr".

129274 System area: SNMP

Description: The VE link up/down trap had an incorrect enterprise OID, causing an erroneous ACOS model to appear in the name of the SNMP trap.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P3

Reported by customer: Yes


128620 System area: NAT

Description: If a client sent an ICMP Type 3 Code 1 packet to the VIP, ACOS sent an incorrect ICMP packet to the server.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

128563 System area: SNMP

Description: The SNMP agent did not respond properly to SNMP requests that timed out or were for an invalid object. This could cause high CPU utilization or a reload.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Medium

Severity: P2

Reported by customer: Yes

128447 System area: GUI

Description: The ACOS GUI did not display the CPU Usage Chart and Memory Usage Chart correctly when using Internet Explorer version 10.

Trigger: From the ACOS GUI, navigate to Monitor Mode > Overview > Summary, or Monitor Mode > Overview > Performance.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No

128125 System area: SLB (Layer 7)

Description: If a client re-transmitted a SYN that contained the same sequence number as a previously sent SYN, ACOS erroneously generated a new SYN/ACK that contained a different sequence number.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


127832 System area: System (SNMP)

Description: Output from the CLI command show snmp oid virtual-server displayed incorrect spellings for the following objects: “axVirtualServerStatPkgIn” and “axVirtualServerStatPkgsOut”. These spellings have been corrected to the following: “axVirtualServerStatPktsIn” and “axVirtualServerStatPktsOut”.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

127702 System area: Hardware-based SYN Cookies

Description: If hardware-based SYN cookies were enabled and a reset (RST) packet was sent by the client to the TCP virtual port, the ACOS device created a session for the packet and the session remained in a half-open state.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

127279 System area: System

Description: The power supply voltage was not measured correctly. This resulted in incorrect values being displayed by the show environment debug command.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

126070 System area: System (fan logging)

Description: The system log could contain erroneous fan failure or power supply failure messages.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: No


125866 System area: ICMP rate limiting

Description: When the icmp-rate-limit option was configured on a VE interface, ACOS could sometimes erroneously report that the rate limit was exceeded, and it dropped any subsequent ICMP packets on that VE interface. The 'over limit drops' was also incremented.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: Low

Severity: P2

Reported by customer: Yes

124504 System area: CLI

Description: If the server name option was used in a client-SSL template in a private partition, the server name was mistakenly treated as a CLI object instead of a string. This issue did not affect configuration in the shared partition.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: Yes

123709 System area: CLI

Description: The FPGA IP Anomaly counters could not be cleared using the clear slb all command.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes

Workaround: Use the clear slb switch command.

119155 System area: HA

Description: If the clear slb all command was used on a standby ACOS device in an HA pair, the current connection counter for the real servers did not get cleared.

Trigger: With live client traffic running on the ACOS device, use the show slb server command and check the output for the current connection counter for the real server on the standby ACOS device.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes


115285 System area: HA

Description: The port number was incorrect in the log for HA port track.

Trigger: “HA sync” command.

Version: 2.6.1-GR1-P9, Trunk (before 2.7.1-P1 Build 53).

Reproducibility: 100%

Severity: P1

Reported by customer: Yes

112628 System area: CLI

Description: If a partition admin exported tech support output using the show techsupport export command, the output contained details for all partitions, although it should not have.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

104419 System area: Template (TCP proxy)

Description: If the reset-rev option was enabled within a TCP-proxy template, and the template was bound to a virtual port, the ACOS device sent a FIN instead of a RST to the client when the session aged out.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

102115 / 131089 System area: SLB (external-service template/URL filtering)

Description: The total failure action counter for external-service templates/URL filtering was not incremented if any of the following failures occurred:

• host field not valid

• host field length over 263 bytes

• proxy response unknown status code

• connection failure

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes


101308 System area: SLB (Logging)

Description: ACOS did not generate a log message when a VIP was enabled or disabled.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P3

Reported by customer: Yes

101272 System area: System (CLI)

Description: On some ACOS devices, an incorrect range was displayed in the CLI for the monitor buffer-usage command. Although the actual supported range could go up to 8 million (with big-buff-pool enabled), the allowable range that could be specified in the CLI was limited to no more than 4 million.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P4

Reported by customer: No

99869 System area: aFleX (HA)

Description: Sessions that were made persistent by the aFleX persist uie command were not synchronized to the standby ACOS device.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: 100%

Severity: P2

Reported by customer: Yes

99610 System area: SLB (external-service template)

Description: When the ACOS device received a “403 forbidden” error message from a proxy, instead of transitioning to a client request state as expected, the ACOS device transitioned to an invalid state and sent a RST to the client without waiting for an ACK, thus causing the connection to be erroneously deleted.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P2

Reported by customer: No


99073 System area: SLB (external-service template)

Description: The ACOS device did not send a RST to the client and real server if the external service sent a FIN to the ACOS device.

Trigger: Described above.

Version: 2.7.1-P1 and earlier

Reproducibility: High

Severity: P2

Reported by customer: Yes


Enhancements in ACOS 2.7.1-GR1

ACOS 2.7.1-GR1 includes the following enhancements.

CPU Load Sharing

When the ACOS device detects that one CPU is oversubscribed (due to a UDP flood attack), the packets destined to that CPU are distributed to other CPUs for processing using the round robin algorithm. The typical way in which this is accomplished is described below:

1. When packets enter the ACOS device, they are processed by the data CPUs. For example, the AX5200 has 15 data CPUs that are available to process packets.

2. Next, the decision as to which data CPU will process the packet is determined.

In most cases, the packets are evenly divided among the CPUs for processing. However, if an attack targets one data CPU, that CPU may receive an abundance of packets in comparison to the others. This feature helps offload the attacked CPU and distributes incoming traffic amongst the CPUs.

The CPU load sharing feature (also known as “CPU Round Robin”) is triggered when all of the following conditions occur:

1. If the utilization rate of the CPU being targeted exceeds the configured high CPU usage threshold (which has a default value of 75%), AND

2. If the CPU being targeted is receiving traffic at a rate that exceeds the minimum configured threshold (the default is 100,000 packets per second), AND

3. If the CPU being targeted is receiving 150% more packets-per-second than the median CPU packets-per-second rate on the ACOS device. If all CPUs are under a heavy load, there would be no advantage to using round robin to distribute the traffic.

The CPU load sharing feature stops when the following conditions are met:

1. If the targeted CPU utilization rate drops below the low threshold (default is 60%), AND

2. Either of the following packets-per-second rates would apply to the targeted CPU if CPU round robin support was turned off:

a. If the targeted CPU is receiving packets at a rate below the minimum configured packets-per-second threshold, OR

b. If the utilization rate of the targeted CPU is no longer 150% higher than the median of its neighboring CPUs.


You can configure the thresholds for the CPU load sharing feature using the syntax below:

[no] system cpu-load-sharing { cpu-usage low percent | disable | enable | packets-per-second min num-pkts }

| Parameter | Description |
| --- | --- |
| cpu-usage low percent | Maximum CPU utilization allowed on control CPUs, before CPU load sharing is used. You can specify 0-100 percent. |
| disable | Disables CPU load sharing. The feature is not used even if a threshold is exceeded. |
| enable | Enables CPU load sharing. The feature is used when a threshold is exceeded. |
| packets-per-second min num-pkts | Maximum number of packets per second any CPU can receive, before CPU load sharing is used. You can specify 0-30000000 (30 million) packets per second. |

Defaults

The CPU load sharing feature is enabled. The thresholds have the following default values:

• cpu-usage – 60

• packets-per-second – 100000

Source port rate limiting

For some DDoS attacks on CPUs, the attack originates from the same source IP with a fixed source port. Because of hashing algorithms, packets from the same source IP with a fixed source port are always sent to the same CPU. This allows the DDoS attack to target a CPU and consume resources that are needed to direct legitimate traffic.

To help prevent the home CPU from being a bottleneck, ACOS provides the option of enabling source port rate limiting and source IP rate limiting on a virtual-port template. This enables traffic rate monitoring on virtual ports to which the template is bound, and it can be applied when CPU round robin is not active, or only when CPU round robin is triggered. Rate limit monitoring only applies for client to server traffic. Packets originating from the server are not monitored.

Keep in mind that source port rate limiting and source IP rate limiting apply only to IPv4 traffic. Incoming IPv6 packets are not rate limit controlled.


You can configure the options for source port and source IP rate limiting under the virtual-port template using the syntax below:

[no] pkt-rate-limit [src-ip-port | src-port] rate [pkt-rate] [no-logging] [when-rr-enable]

| Parameter | Description |
| --- | --- |
| src-ip-port | Monitor and limit the packet rate for packets sent from the same source port and source IP to the virtual port. |
| src-port | Monitor and limit the packet rate for packets sent from the same source port to the virtual port. |
| rate pkt-rate | Packet rate limit per second (1-1048575). Packets from the source port (or source port and IP) are dropped when this rate is exceeded. |
| no-logging | Disable logging when the packet rate limit is exceeded. |
| when-rr-enable | Monitor the packet rate only when CPU round robin is triggered. For more information about configuring CPU round-robin, see “system cpu-load-sharing” in the CLI Reference. Without the when-rr-enable option, the source port rate for client requests is always monitored. If you use the when-rr-enable option, note that rate limiting is not performed if CPU round-robin is not triggered. Only after CPU round-robin is triggered will the ACOS device start to monitor the source port rate across all CPUs. |
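A model of the CPU load sharing start and stop rules and of pkt-rate-limit with when-rr-enable, added here as an illustration; it is not ACOS code. Assumptions: “150% more than the median” is read as 2.5 times the median, stop condition (b) is evaluated on packet rate, the limiter counts in fixed one-second windows, and all class names and sample values are constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass
class Thresholds:
    cpu_high: float = 75.0      # high CPU usage threshold (page default)
    cpu_low: float = 60.0       # "cpu-usage low" (page default)
    min_pps: int = 100_000      # "packets-per-second min" (page default)
    skew_factor: float = 2.5    # ASSUMPTION: "150% more than the median" read as 2.5x


@dataclass
class CpuSample:
    usage: float    # CPU utilization, percent
    home_pps: int   # packets/s hashed to this CPU, as if round robin were off


class LoadSharing:
    """Start/stop decision for CPU round robin, with the hysteresis described above."""

    def __init__(self, thresholds=None):
        self.th = thresholds or Thresholds()
        self.target = None      # index of the CPU being offloaded, None when inactive

    @property
    def active(self):
        return self.target is not None

    def _skewed(self, samples, idx):
        med = median(s.home_pps for s in samples)
        return samples[idx].home_pps > self.th.skew_factor * med

    def update(self, samples):
        th = self.th
        if not self.active:
            # Candidate target: the CPU receiving the highest packet rate.
            idx = max(range(len(samples)), key=lambda i: samples[i].home_pps)
            cpu = samples[idx]
            # Trigger: all three conditions must hold.
            if (cpu.usage > th.cpu_high and cpu.home_pps > th.min_pps
                    and self._skewed(samples, idx)):
                self.target = idx
        else:
            cpu = samples[self.target]
            # Stop: usage below the low threshold AND (rate below the minimum
            # OR no longer skewed). ASSUMPTION: the skew test uses packet rate.
            if cpu.usage < th.cpu_low and (
                    cpu.home_pps < th.min_pps
                    or not self._skewed(samples, self.target)):
                self.target = None
        return self.active


class PktRateLimit:
    """Model of 'pkt-rate-limit {src-ip-port | src-port} rate N [when-rr-enable]'."""

    def __init__(self, mode, rate, when_rr_enable=False):
        if mode not in ("src-ip-port", "src-port"):
            raise ValueError("mode must be src-ip-port or src-port")
        self.mode, self.rate, self.when_rr_enable = mode, rate, when_rr_enable
        self.window = None
        self.counts = defaultdict(int)

    def allow(self, now, src_ip, src_port, rr_active):
        if self.when_rr_enable and not rr_active:
            return True     # not monitored until CPU round robin is triggered
        if ipaddress.ip_address(src_ip).version != 4:
            return True     # incoming IPv6 packets are not rate limit controlled
        second = int(now)
        if second != self.window:   # ASSUMPTION: fixed one-second counting window
            self.window = second
            self.counts.clear()
        key = (src_ip, src_port) if self.mode == "src-ip-port" else src_port
        self.counts[key] += 1
        return self.counts[key] <= self.rate


def flood_drops(limiter, rr_active, packets=1500):
    """Send `packets` from one constructed source within one second; count drops."""
    return sum(not limiter.allow(10.0, "198.51.100.7", 4444, rr_active)
               for _ in range(packets))


# Constructed samples for four data CPUs (not measurements from a device).
NORMAL = [CpuSample(30, 40_000), CpuSample(32, 42_000),
          CpuSample(31, 41_000), CpuSample(29, 39_000)]
FLOOD = [CpuSample(30, 40_000), CpuSample(32, 42_000),
         CpuSample(95, 900_000), CpuSample(29, 39_000)]
ALL_BUSY = [CpuSample(90, 500_000)] * 4

if __name__ == "__main__":
    ls = LoadSharing()
    limiter = PktRateLimit("src-ip-port", rate=1000, when_rr_enable=True)
    for name, samples in (("normal", NORMAL), ("flood", FLOOD)):
        rr = ls.update(samples)
        print(name, "round robin:", rr, "drops:", flood_drops(limiter, rr))
```

With when-rr-enable set, the fixed-source flood is only counted and dropped once round robin has been triggered; without it, the same limiter drops the excess at all times.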


Enhancements in ACOS 2.7.1-P6

ACOS 2.7.1-P6 includes the following enhancements.

Documentation Enhancements

ACOS 2.7.1-P6 introduces the following documentation enhancements.

• ACOS 2.7.1-P6 provides documentation in responsive HTML format with online search capability per document. This documentation set will also be available in PDF format.

• The hardware documentation library has been revamped completely. The instructions provide information on installing each device, and all field replaceable units (FRUs).

• The core set of manuals and reference guides have been updated to remove references to “Contact A10 Networks”. In most cases, these references were replaced with descriptions provided by subject matter experts.

• The following documents contain specific changes for this release:

• The aFleX Reference has been reorganized, the structure of the document has been updated, and many examples have been revised.

• The Application Access Management and DDoS Mitigation Guide has been revised to include missing information.

• The System Configuration and Administration Guide and Application Delivery and Server Load Balancing Guide have been restructured to co-locate related content.

At the time of this publication, other documentation provided as part of this documentation set remains unchanged since the previous release.

• These Release Notes contain cumulative information from prior patch releases for supported features, known issues, and fixed bugs. Previous release notes were inconsistent in embracing this approach, sometimes making it necessary to search multiple sets of release notes to find this information.

• All feature content from prior patch release notes has been ported into the core manuals.

• Where possible, certain improvements, both cosmetic and technical, were made to the documentation set in order to address documentation issues reported by customers in prior releases. Issues corrected include broken cross references and updating outdated or incorrect values.

• Certain changes or enhancements or corrections have been made to the content in the following topics:

• “port mirroring”

• “udp timers”

• “conn-reuse”


TLS Fallback Signaling Cipher Suite Value (SCSV) to Mitigate SSL POODLE Vulnerability

This release introduces support for TLS Fallback Signaling Cipher Suite Value (SCSV), which has been added to eliminate the SSL POODLE vulnerability and associated POODLE attacks.

The POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”) is a man-in-the-middle (MITM) exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0. This vulnerability has the CVE ID CVE-2014-3566.

In a POODLE attack, the attacker can manipulate the SSL handshake messages in order to trick both the server and the client into using SSL v3.0. (This can be accomplished even if both the server and client support the more secure protocols, such as TLS 1.2.)

To prevent the POODLE protocol downgrade attack, ACOS has implemented the TLS Fallback Signaling Cipher Suite Value (SCSV), which defines a new TLS cipher suite value, TLS_FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).

TLS_FALLBACK_SCSV serves as a signal value instead of a suite of crypto-systems, and its presence in the client ‘hello’ message serves as a backwards-compatible signal from the client to the server.
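The server-side check that this signal enables, as an added example (not ACOS code): it parses a constructed ClientHello and refuses the handshake when TLS_FALLBACK_SCSV is present but the client offers a lower version than the server supports. The value 0x5600 and alert 86 (inappropriate_fallback) come from the published specification (RFC 7507), not from this page; the function names are hypothetical.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # cipher suite value {0x56, 0x00} from RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86   # fatal alert defined alongside the SCSV
SSL_3_0, TLS_1_0, TLS_1_2 = 0x0300, 0x0301, 0x0303


def build_client_hello(version, suites):
    """Constructed sample input: a minimal ClientHello handshake message."""
    body = struct.pack("!H", version) + bytes(32)   # client_version + random (zeros)
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Return (client_version, [cipher suite values]) from a ClientHello message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 35:   # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 35 + body[34]                      # skip the session_id
    if pos + 2 > length:
        raise ValueError("truncated before cipher_suites")
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len > length:
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", body, pos + i)[0]
              for i in range(0, cs_len, 2)]
    return version, suites


def check_fallback(msg, server_max_version):
    """Apply the server rule: SCSV present and client version below the
    server's highest version means the client was pushed into a downgrade."""
    version, suites = parse_client_hello(msg)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("continue", version)


if __name__ == "__main__":
    aes = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, used only as a filler suite
    cases = {
        "retry at SSL 3.0 with SCSV": build_client_hello(SSL_3_0, [aes, TLS_FALLBACK_SCSV]),
        "first attempt at TLS 1.2": build_client_hello(TLS_1_2, [aes]),
        "legacy SSL 3.0 client, no SCSV": build_client_hello(SSL_3_0, [aes]),
    }
    for name, hello in cases.items():
        print(name, "->", check_fallback(hello, TLS_1_2))
```

The third case shows why the signal is backwards-compatible: a client that never sends the SCSV is handled as before, so the protection depends on clients including it in their fallback retries.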

New MIB Object Added: axGlobalTotalThroughput

The following new MIB object was added to 2.7.1-P6:

axGlobalTotalThroughput

Description: Gets the total throughput of all the interfaces.

OID: .1.3.6.1.4.1.22610.2.4.3.1.2.13

Data Type: Counter 64

MIB Objects Re-organized with New MIB Files Added

In ACOS 2.7.1-P6, the MIB files have been modified to merge generated traps, and the MIB objects have been re-organized according to their functional area.


The name of the compressed .tar file that can be downloaded from the ACOS device has not changed, but the uncompressed file will contain the following updated set of MIB files:

• A10-AX-MIB.txt

• A10-AX-NOTIFICATIONS-V2C-COMMON.txt

• A10-AX-NOTIFICATIONS-V2C-GSLB.txt

• A10-AX-NOTIFICATIONS-V2C-SLB.txt

• A10-AX-TRAPS-V1-COMMON.txt

• A10-AX-TRAPS-V1-GSLB.txt

• A10-AX-TRAPS-V1-SLB.txt

• A10-COMMON-MIB.txt

For more information about these new MIB files, please see the section called “ACOS MIB Files” in the MIB Reference.

New aXAPI Methods Added for slb.class_list.string

In previous releases, the aXAPI method “slb.class_list.entry.delete” did not support type = string, and could therefore not be used to remove such entries.

For example, if the following class-list was configured:

class-list list1 string

str abc def

Prior releases offered no aXAPI method that could be used to create, modify or remove “str abc def”.

In order to provide a way to delete, create, or update SLB class-list entries with string type, ACOS 2.7.1-P6 adds the following new aXAPI methods:

• slb.class_list.string.create

• slb.class_list.string.update

• slb.class_list.string.delete

These methods have the following input parameters:

• name - the name that identifies the entry.

• string_list - an entry list that is composed of string-type entries, each of which will contain the string, and either an lid (with flag and lid_index) or a string_value.


These methods require Read Write privilege and support JSON format. The following URLs are used for these methods:

http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&format=json&method=slb.class_list.string.create

http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&format=json&method=slb.class_list.string.update

http(s)://[IP]:[Port]/services/rest/V2.1/?session_id=[SESSION_ID]&format=json&method=slb.class_list.string.delete

Example

The HTTP POST body below shows an example of the JSON data for this method:

{
  "name": "c2",
  "string_list": [
    {
      "string": "name00",
      "lid": {
        "flag": 1,
        "lid_index": 100
      }
    },
    {
      "string": "name01",
      "lid": {
        "flag": 0,
        "lid_index": 1
      }
    },
    {
      "string": "name02",
      "string_value": "dddd"
    }
  ]
}
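A client-side sketch for these methods, added as an example and not taken from A10's own tooling: it validates each string_list entry against the shape described above, builds the POST request without sending it, and redacts the session ID before a URL is logged, since the session ID travels in the query string. The helper names, the Content-Type header, the integer check on flag and lid_index, and the address and session value are assumptions or constructed values.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

METHODS = {
    "slb.class_list.string.create",
    "slb.class_list.string.update",
    "slb.class_list.string.delete",
}


def validate_string_list(string_list):
    """Each entry needs "string" plus either "lid" (flag, lid_index) or "string_value"."""
    if not isinstance(string_list, list) or not string_list:
        raise ValueError("string_list must be a non-empty list")
    for i, entry in enumerate(string_list):
        if not isinstance(entry, dict) or not isinstance(entry.get("string"), str):
            raise ValueError(f"entry {i}: missing 'string'")
        has_lid, has_value = "lid" in entry, "string_value" in entry
        if has_lid == has_value:
            raise ValueError(f"entry {i}: give either 'lid' or 'string_value'")
        if has_lid:
            lid = entry["lid"]
            if not isinstance(lid, dict) or set(lid) != {"flag", "lid_index"}:
                raise ValueError(f"entry {i}: 'lid' needs flag and lid_index")
            # ASSUMPTION: both fields are integers, as in the sample body.
            if not all(isinstance(lid[k], int) for k in ("flag", "lid_index")):
                raise ValueError(f"entry {i}: flag and lid_index must be integers")


def build_request(host, port, session_id, method, name, string_list, scheme="https"):
    """Build (but do not send) the POST request for one of the three methods."""
    if method not in METHODS:
        raise ValueError(f"unsupported method: {method}")
    validate_string_list(string_list)
    query = urlencode({"session_id": session_id, "format": "json", "method": method})
    url = f"{scheme}://{host}:{port}/services/rest/V2.1/?{query}"
    body = json.dumps({"name": name, "string_list": string_list}).encode()
    # ASSUMPTION: the Content-Type header is not specified on the page.
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/json"})


def redact_url(url):
    """Replace the session_id value so the URL can be written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "session_id" else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    entries = [
        {"string": "name00", "lid": {"flag": 1, "lid_index": 100}},
        {"string": "name02", "string_value": "dddd"},
    ]
    req = build_request("192.0.2.10", 443, "constructed-session",
                        "slb.class_list.string.create", "c2", entries)
    print(req.get_method(), redact_url(req.full_url))
    print(req.data.decode())
```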

Support for up to 500 characters in GET URL method

In previous releases, the GET url-path option for a health monitor supported a maximum of 128 characters. In this release, the limit has been increased to 500 characters for the url string GET url-path option.


Preventing dropped packets with ‘no ip anomaly-drop’

The ip anomaly-drop CLI command is used to offer protection against distributed denial-of-service (DDoS) attacks. In prior releases, the ip-option sub-option sometimes did not behave as expected, and the default behavior was to drop all IPv4 packets that have IP options (i.e., IP headers greater than 20 bytes in length). However, in some load balancing situations, it would be preferable to allow these packets to pass through the ACOS device.

To achieve this desired goal, the no ip anomaly-drop ip-option command should be used.

Notes:

• This command should not be used for AX 5100 and AX 5200 models.

• Packets with IP fragments should not be subject to this behavior.


Enhancements in ACOS 2.7.1-P5

ACOS 2.7.1-P5 includes the following enhancements.

Support for HTTP Lines Up to 32K Long

ACOS 2.7.1-P5 increases the maximum length supported for an HTTP header in a request, from 16K to 32K, regardless of which header line is larger.

HTTP header lengths are dependent on the information included in the header. In previous releases, ACOS only supported up to 16 kilobytes for the header, including the header name, but excluding the trailing carriage return line feed.

Strictly for HTTP virtual ports, ACOS now supports double the header size. ACOS load balancing accepts HTTP headers up to 32 kilobytes. Any header line can be larger, meaning that any of the header fields (for example, authorization, cookie, expect, host, etc.) can be longer, and the larger header size is not restricted to allowing only certain fields to be larger.

No additional configuration is needed for this enhancement.

Increased Subnet Support (up to 2 million entries)

ACOS high-end platforms support an increased number of subnet entries in Black/White lists. The upper limit has been increased from 64,000 subnet entries to up to 2 million entries. The memory for subnet entries is not pre-allocated. Therefore, the real limit will vary depending on how much memory is consumed by other features, but it cannot exceed 2 million entries.

The following platforms support up to 2 million subnet entries:

• AX 3000

• AX 3030

• AX 3200

• AX 3400

• AX 3500

• AX 5100


• AX 5200

• AX 5430

• AX 5630

• AX 6430

Note: This feature only expands the subnet capacity in Black/White Lists. It does not affect host entry capacities.

Support for Dynamically Selected FTP Data Ports

ACOS 2.7.1-P5 extends the flexibility of FTP load balancing with support for randomly selected data ports. In active File Transfer Protocol (FTP) mode, the server typically responds to a client’s request from the server’s local data port, port 20. ACOS allows the user to specify a port range that can be used to initiate the data connection. A randomly selected data port is a port that is dynamically selected by an FTP server running in active FTP mode to use as the server's source port for the data connection.

You can configure support for dynamically assigned FTP data ports within the FTP template. You can choose to support all valid ports, or you can specify the range of ports the server can choose from to send to the client. Each template only supports one range of data ports.

The template can be bound to any FTP virtual port; it does not need to be the port the FTP server is listening on. When the template is bound to a port, it immediately takes effect. It is not advisable to bind a template to a virtual port when there is live traffic.

USING THE GUI

The current release does not support configuration of FTP templates using the GUI.

USING THE CLI

To enable support for dynamically assigned FTP data ports, use the following command at the configuration level for the FTP template:

[no] active-mode-port {any | portnum [to portnum]}

To allow active data connections to any available port number (1-65534), use the any option. To allow only a specific range instead, specify it as follows: starting-portnum to ending-portnum

CLI Example

The following command enables use of protocol ports 1024-2024 for active data connections to load balanced FTP servers:

ACOS(config-ftp template)#active-mode-port 1024 to 2024

The following command enables use of protocol ports 1-65534 for active data connections to load balanced FTP servers:

ACOS(config-ftp template)#active-mode-port any

Stateful Request-ID-based DNS Load Balancing

ACOS 2.7.1-P5 enhances DNS load balancing, with support for stateful request-ID-based load balancing. Request-ID-based load balancing distributes DNS queries on a request-ID basis. This helps provide even distribution of DNS query traffic behind a DNS proxy.

Without the query-ID-based load balancing option, multiple requests received by a DNS virtual port appear to be from the same source, if the source IP address and Layer 4 port are the same. For example, without query-ID-based load balancing, if ACOS receives multiple requests from a DNS proxy, the requests can appear to be from the same end-user, if they all have the same source IP address and Layer 4 port.

Note: This feature applies only to DNS port 53. For other load-balanced DNS virtual ports, requests are load balanced based on the following:

– Source IP address and Layer 4 port

– Destination IP address and Layer 4 port

– Protocol (virtual port type: DNS, DNS-TCP, or DNS-UDP)

This is the same as DNS load balancing without request-ID-based load balancing. The feature is “stateful” because ACOS session resources are used, and the sessions can be viewed in the session table.

Configuration

To configure stateful request-ID-based load balancing:

1. Create a real server configuration for each DNS server.

2. Bind the server configurations to a service group. Use separate service groups for IPv4 and for IPv6.

3. Create a DNS template. Within the template, enable the query-id-switch option. The same template can be bound to both IPv4 and IPv6 VIPs.

4. Create a VIP and bind the service group and template to the VIP. Create separate VIPs for IPv4 and IPv6.

This section shows the syntax for enabling the query-id-switch option. The syntax for configuring the other options is the same as in previous releases.

Note: If a real server will support both IPv4 and IPv6 DNS, create separate real server configurations for IPv4 and for IPv6. Likewise, use separate service groups for the IPv4 servers and for the IPv6 servers. (Shown in “CLI Example” later in this section.)

Enabling the query-id-switch Option

To enable stateful request-ID-based load balancing, use the following command at the configuration level for the DNS template:

query-id-switch

Displaying DNS Sessions and Their Request IDs

To display DNS sessions, including their request IDs, use the following command:

show session dns-id-switch

For each stateful DNS session for a load-balanced DNS request, the DNS-ID field lists the query ID.

To display the total count of DNS queries that were load balanced based on query ID, use the following command:

show slb l4

The count is shown in the following field: DNS query id switch

CLI Example

The following commands configure query-ID-based DNS load balancing. This sample deployment provides load balancing for an IPv4 DNS VIP and an IPv6 DNS VIP:

• VIP “v4dns” - 70.70.70.70

• VIP “v6dns” - 2001:70:70:70::70

Each VIP receives DNS requests on UDP port 53. The requests all come from the same proxying local DNS resolver, but actually are not all from the same end-user.

The following commands add the configurations for the IPv4 DNS servers:

slb server dns1 70.70.70.71

port 53 udp

!

slb server dns2 70.70.70.72

port 53 udp

!

slb server dns3 70.70.70.73

port 53 udp

!

slb server dns4 70.70.70.74

port 53 udp

!

slb server dns5 70.70.70.75

port 53 udp

The following commands add the configurations for the IPv6 DNS servers:

slb server dns1v6 2001:70:70:70::71

port 53 udp

!

slb server dns2v6 2001:70:70:70::72

port 53 udp

!

slb server dns3v6 2001:70:70:70::73

port 53 udp

!

slb server dns4v6 2001:70:70:70::74

port 53 udp

!

slb server dns5v6 2001:70:70:70::75

port 53 udp

The following commands configure the service groups:

slb service-group dnsv4 udp

member dns1:53

member dns2:53

member dns3:53

member dns4:53

member dns5:53

!

slb service-group dnsv6 udp

member dns1v6:53

member dns2v6:53

member dns3v6:53

member dns4v6:53

member dns5v6:53

The following commands configure the DNS template:

slb template dns dns

malformed-query drop

query-id-switch

The query-id-switch command is used to enable stateful query-ID-based load balancing.

The following commands configure the VIPs:

slb virtual-server v4dns 70.70.70.69

port 53 udp

service-group dnsv4

template dns dns

!

slb virtual-server v6dns 2001:70:70:70::69

port 53 udp

service-group dnsv6

template dns dns

After the ACOS device receives some DNS requests and load balances them to the DNS servers, the following command is used to show the stateful DNS sessions in the session table:

ACOS#show session dns-id-switch

Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash Flags DNS-ID

---------------------------------------------------------------------------------------------------------

Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.75:53 60.60.60.60:12345 120 18 NFe0 15376

Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.72:53 60.60.60.60:12345 120 18 NFe0 63804

Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.75:53 60.60.60.60:12345 120 18 NFe0 45116

Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.74:53 60.60.60.60:12345 120 18 NFe0 41047

Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.73:53 60.60.60.60:12345 120 18 NFe0 57688

Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.72:53 60.60.60.60:12345 120 18 NFe0 48444

The following command shows the total count of DNS requests that were load balanced based on query ID:

ACOS#show slb l4

Total

------------------------------------------------------------------

IP out noroute 0

TCP out RST 0

TCP SYN received 0

...

DNS query id switch 596597
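As an operator check on the `show session dns-id-switch` output above, the following added example (not A10 code and not part of the original release notes) parses the session rows and reports how the queries from one source IP address and Layer 4 port were spread across real servers. The sample rows are copied from the output above; the function names and the `min_sessions` threshold are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the `show session dns-id-switch` output on this page.
SAMPLE_OUTPUT = """\
Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash Flags DNS-ID
---------------------------------------------------------------------------
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.75:53 60.60.60.60:12345 120 18 NFe0 15376
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.72:53 60.60.60.60:12345 120 18 NFe0 63804
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.75:53 60.60.60.60:12345 120 18 NFe0 45116
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.74:53 60.60.60.60:12345 120 18 NFe0 41047
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.73:53 60.60.60.60:12345 120 18 NFe0 57688
Udp 60.60.60.60:12345 70.70.70.68:53 70.70.70.72:53 60.60.60.60:12345 120 18 NFe0 48444
"""

# One data row: nine whitespace-separated columns ending in a numeric DNS-ID.
ROW = re.compile(
    r"^(?P<prot>\S+)\s+(?P<fwd_src>\S+)\s+(?P<fwd_dst>\S+)\s+"
    r"(?P<rev_src>\S+)\s+(?P<rev_dst>\S+)\s+(?P<age>\d+)\s+"
    r"(?P<hash>\d+)\s+(?P<flags>\S+)\s+(?P<dns_id>\d+)$"
)


def parse_sessions(text):
    """Return one dict per session row; header and separator lines are skipped."""
    sessions = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        row = match.groupdict()
        row["age"] = int(row["age"])
        row["dns_id"] = int(row["dns_id"])
        if not 0 <= row["dns_id"] <= 0xFFFF:
            continue  # the DNS header ID is a 16-bit field
        sessions.append(row)
    return sessions


def servers_per_client(sessions):
    """Map (client ip:port, VIP ip:port) to {real server ip:port: session count}.

    The Reverse Source column is the real server that answers the query.
    """
    spread = defaultdict(Counter)
    for s in sessions:
        spread[(s["fwd_src"], s["fwd_dst"])][s["rev_src"]] += 1
    return {key: dict(counts) for key, counts in spread.items()}


def pinned_clients(sessions, min_sessions=3):
    """Clients with at least min_sessions sessions that all reached one real
    server: the uneven distribution query-id-switch is meant to avoid."""
    return sorted(
        key for key, counts in servers_per_client(sessions).items()
        if sum(counts.values()) >= min_sessions and len(counts) == 1
    )


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for client, counts in servers_per_client(parsed).items():
        print(client, counts)
    print("pinned clients:", pinned_clients(parsed))
```
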

Enhancements in ACOS 2.7.1-P4

ACOS 2.7.1-P4 includes the following enhancements.

TACACS+ Server Monitoring

ACOS 2.7.1-P4 introduces support for TACACS+ server monitoring, which can be used to check the status of a pair of TACACS+ authentication servers. While prior releases supported the use of TACACS+ servers to perform user authentication, the ACOS device did not support the ability to monitor the status of those servers.

In previous releases, TACACS+ deployments typically involve a primary server and a secondary server. User authentication requests are sent to the primary server, and if the primary is not available, then the user’s authentication request times out and the ACOS device redirects the request to the secondary server. However, this could cause users to wait too long.

With the new TACACS+ monitoring feature enabled, the ACOS device actively checks the status of both the primary and secondary TACACS+ servers. The user’s authentication request is sent to whichever TACACS+ server is active, regardless of whether it is the primary or secondary. If there is a problem with the primary server, ACOS quickly discovers that the primary server is down and routes the user’s authentication request to the other TACACS+ server (assuming it is up and available). In this way, monitoring the status of the TACACS+ servers helps increase the speed with which users’ requests are authenticated.

Details:

• The ACOS device sends a TACACS+ monitor request, which contains the user name and password to the server in order to log into the device and check if the server is available. If it is, then the last_available_timestamp will be updated with current time.

• If a user login authentication request arrives at the ACOS device, then ACOS will send the request to the TACACS+ server that has the most recent last_available_timestamp value.

• If the user’s login attempt is successful, then the timestamp for that server will be updated to the current time.

• However, if the user authentication request fails, then ACOS will send the request to the secondary TACACS+ server.

• To enable this feature, you must configure the user name and password for the TACACS+ server’s administrative account. While a simple server port “ping” could be used to check the status, this is not recommended because it could cause the ACOS device to be mistakenly seen as an attacker, thus causing it to be added to the ACL.
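The selection rule in the Details list can be modelled as follows. This is an added example, not ACOS code: it shows that a login arriving between the outage and the next monitor check can still be tried against the failed server first, so the monitor interval bounds that window. The class and function names are hypothetical, and a failed login is modelled simply as the server being unreachable.

```python
from dataclasses import dataclass


@dataclass
class TacacsServer:
    name: str
    reachable: bool = True               # constructed stand-in for real server state
    last_available_timestamp: float = 0.0


class TacacsMonitor:
    """Model of the server selection described in the Details list."""

    def __init__(self, servers, interval=60):
        # The release notes give 1-120 seconds for the interval, default 60.
        if not 1 <= interval <= 120:
            raise ValueError("monitor interval must be 1-120 seconds")
        self.servers = list(servers)     # configured order: primary first
        self.interval = interval

    def health_check(self, now):
        """Monitor login: refresh the timestamp of every server that answers."""
        for server in self.servers:
            if server.reachable:
                server.last_available_timestamp = now

    def authenticate(self, now):
        """Send a user login to the server with the most recent timestamp,
        then fall back to the other one if that attempt fails.

        Returns (name of the server that answered or None, servers tried).
        Equal timestamps keep configured order because sorted() is stable.
        """
        order = sorted(self.servers,
                       key=lambda s: s.last_available_timestamp,
                       reverse=True)
        tried = []
        for server in order:
            tried.append(server.name)
            if server.reachable:
                server.last_available_timestamp = now
                return server.name, tried
        return None, tried


def simulate_outage(login_time, outage_time=100, interval=60):
    """Primary fails at outage_time; return authenticate() at login_time."""
    primary = TacacsServer("primary")
    secondary = TacacsServer("secondary")
    monitor = TacacsMonitor([primary, secondary], interval)
    t = 0
    while t <= login_time:               # monitor checks at 0, interval, ...
        primary.reachable = t < outage_time
        monitor.health_check(t)
        t += interval
    primary.reachable = login_time < outage_time
    return monitor.authenticate(login_time)


if __name__ == "__main__":
    for when in (50, 110, 130):
        print(when, simulate_outage(when))
```

With the default 60-second interval and an outage at t=100, a login at t=110 still tries the primary first, while a login at t=130 (after the t=120 check) goes straight to the secondary.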

USING THE GUI

The current release does not support TACACS+ monitoring configuration using the GUI.

USING THE CLI

To enable TACACS+ server monitoring on the ACOS device, and to set the frequency with which status checks are performed, use the following command at the global configuration level:

tacacs-server monitor interval seconds

The seconds option allows you to specify the frequency with which the ACOS device will check the status of the TACACS+ server. You can specify a value from 1-120 seconds, and the default is 60 seconds.

Use the following command to specify the name and secret for the TACACS+ server that will be monitored. This command also allows you to set the administrative username and password needed to log into this server (which is required to check the status of the device). This command is used at the global configuration level:

tacacs-server host hostname secret secret-string monitor username name password password

The hostname option allows you to specify the name of the TACACS+ server.

The secret-string option allows you to specify the password needed to access the TACACS+ server.

The name option allows you to specify the administrative username needed to access the TACACS+ server, without which the status cannot be checked.

The password option allows you to specify the password associated with the administrative username for the TACACS+ server.

When finished with your configurations, use the show tacacs-server CLI command to verify your changes. This command provides the configured values for the following parameters:

• current status

• last_available_timestamp

• number_of_failed_attempts after the last health check

• total_number_of_failed connection

• total number of failed authentication

MAC-Based Nexthop Routing

When MAC-based nexthop routing is enabled, the ACOS device sends the reply to an inside client’s request back through the same route hop on which the request was received. The ACOS device identifies the route hop based on its MAC address. The device sends the reply to the MAC address instead of using the route table to select the next hop for the reply. This feature is supported only for ACL-based IPv4 NAT. The feature is not supported for IPv6 NAT, class-list based IPv4 NAT, or static IPv4 NAT.

Notes

• To allow replies to be sent to the inside client through the same route hop on which the request was received, the MAC entry of the inside client on the ACOS device must be valid. When the MAC entry expires, the ACOS device will send the reply using the route table to select the next hop.

• A session on standby will use the route table to select the next hop even when the respond-to-user-mac command is enabled.

USING THE GUI

This ACOS release does not support this feature in the GUI.

USING THE CLI

1. Configure an ACL to identify the inside addresses that need to be translated using either of the following commands at the global configuration level of the CLI.

Use a standard ACL to specify the host IP addresses to translate. All host addresses that are permitted by the ACL are translated before traffic is sent to the Internet.

To also specify other information including destination addresses and source and destination protocol ports, use an extended ACL.

Standard ACL Syntax

access-list acl-num {permit | deny} source-ipaddr {filter-mask | /mask-length}

Extended ACL Syntax

access-list acl-num {permit | deny} {ip | icmp}

{any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}}

{any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}}

or

access-list acl-num {permit | deny} {tcp | udp}

{any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}}

[eq src-port | gt src-port | lt src-port | range start-src-port end-src-port]

{any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}}

[eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port]

2. To configure a pool of external addresses to use for translation, use one of the following commands at the global configuration level of the CLI.

To configure an IPv4 pool:

ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [gateway ipaddr] [ha-group-id group-id [ha-use-all-ports]]

Note: The ha-use-all-ports option applies only to DNS virtual ports. Using this option with other virtual port types is not valid. (For information about this option, see the CLI Reference.)

3. To enable MAC-based nexthop routing for inside source NAT, use the following command:

ip nat inside source list acl-name pool {pool-name | pool-group-name} respond-to-user-mac

CLI Example

ACOS(config)# access-list 1 per 30.30.30.0 /24

ACOS(config)# ip nat pool nat pool 40.40.40.1 40.40.40.10 netmask /32

AX(config)# ip nat inside source list 1 pool nat pool respond-to-user-mac

In the example above, the user configures an ACL to specify the internal hosts to be NATed. They then configure an IPv4 pool of external addresses to use for the NAT translations. Finally, they enable the inside source NAT and associate the ACL with the pool in which MAC-based nexthop routing is enabled.

WAF ICSA Certification

This release includes a series of minor changes to the WAF behavior in order to complete ICSA certification.

Log DDoS Attack Detection Events

This feature introduces three new logging commands to detect and log security-related events. The new commands are as follows:

system anomaly log - will log IP anomalies

system attack log - will log SYN/ACK attacks

system pbslb log - will log sock stress attacks

Each of the new commands can be accessed and enabled from the global configuration level. By default, ACOS will run system checks every 30 seconds. If ACOS detects any changes, the appropriate log will be printed.

CLI Example

The following CLI example shows the log output generated by system anomaly log.

Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the TCP NO FLAG profile have been detected. Previous 531, Current 6999

Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the LAND ATTACK profile have been detected. Previous 531, Current 6999

The following CLI example shows the log output generated by system attack log.

Jun 23 2013 14:40:45 Warning [SYSTEM]:IP packets matching the TCP SYN ATTACK profile have been detected. Previous 0, Current 820711

Jun 23 2013 14:39:45 Warning [SYSTEM]:IP packets matching the TCP ACK ATTACK profile have been detected. Previous 0, Current 2754803

The following CLI example shows the log output generated by system pbslb log.

Feb 16 2014 02:38:51 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB ZERO WINDOW profile have been detected. Previous 0, Current 12

Feb 16 2014 02:20:10 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB ZERO WINDOW profile have been detected. Previous 0, Current 11
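For collecting these messages on a log server, the following added example (not A10 code and not part of the original release notes) parses the three message types shown above, attributes each to the command that produces it, and ranks events by counter increase. The sample lines are copied from the CLI examples above. It assumes that Previous and Current are cumulative counters read at consecutive system checks and that the default 30-second check interval applies; the function names and threshold are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Log lines copied from the CLI examples on this page.
SAMPLE_LOG = """\
Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the TCP NO FLAG profile have been detected. Previous 531, Current 6999
Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the LAND ATTACK profile have been detected. Previous 531, Current 6999
Jun 23 2013 14:40:45 Warning [SYSTEM]:IP packets matching the TCP SYN ATTACK profile have been detected. Previous 0, Current 820711
Jun 23 2013 14:39:45 Warning [SYSTEM]:IP packets matching the TCP ACK ATTACK profile have been detected. Previous 0, Current 2754803
Feb 16 2014 02:38:51 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB ZERO WINDOW profile have been detected. Previous 0, Current 12
Feb 16 2014 02:20:10 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB ZERO WINDOW profile have been detected. Previous 0, Current 11
"""

TIMESTAMP = r"[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}"
STARTS_RECORD = re.compile(r"^" + TIMESTAMP + r" ")
EVENT = re.compile(
    r"^(?P<ts>" + TIMESTAMP + r") (?P<severity>\w+) \[SYSTEM\]:IP "
    r"(?P<anomaly>Anomaly )?packets matching the (?P<profile>.+?) profile "
    r"have been detected\. Previous (?P<previous>\d+), Current (?P<current>\d+)$"
)
CHECK_INTERVAL = 30  # seconds between system checks (default stated on this page)


@dataclass
class Event:
    when: datetime
    severity: str
    source: str       # the logging command that produces this message type
    profile: str
    previous: int
    current: int

    @property
    def delta(self):
        # Assumption: cumulative counters; a lower Current is treated as a reset.
        if self.current >= self.previous:
            return self.current - self.previous
        return self.current

    @property
    def rate_pps(self):
        # Average packets per second over one check interval (assumed default).
        return self.delta / CHECK_INTERVAL


def classify(profile, anomaly):
    """Attribute a message to its command, following the samples on this page."""
    if profile.startswith("PBSLB"):
        return "system pbslb log"
    return "system anomaly log" if anomaly else "system attack log"


def parse_events(text):
    """Parse log text into Events, rejoining records wrapped across lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STARTS_RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line    # continuation of a wrapped record
    events = []
    for record in records:
        m = EVENT.match(record)
        if not m:
            continue                     # unrelated syslog message
        events.append(Event(
            when=datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            severity=m["severity"],
            source=classify(m["profile"], m["anomaly"]),
            profile=m["profile"],
            previous=int(m["previous"]),
            current=int(m["current"]),
        ))
    return events


def triage(events, min_delta=1000):
    """Events whose counter rose by at least min_delta, largest increase first."""
    return sorted((e for e in events if e.delta >= min_delta),
                  key=lambda e: e.delta, reverse=True)


if __name__ == "__main__":
    for e in triage(parse_events(SAMPLE_LOG)):
        print(f"{e.when} {e.source:18} {e.profile:16} +{e.delta} (~{e.rate_pps:.0f} pps)")
```
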

Support for 16-port Trunks on Thunder 6430/6430S

ACOS 2.7.1-P4 extends trunk interface support on models Thunder 6430 and Thunder 6430S, by increasing the number of data ports an individual trunk can contain. Beginning in this release, a trunk on either model can contain up to 16 ports. The maximum in previous releases is 8 ports. This is still the maximum on other models.

This enhancement applies to static trunks, and to dynamic trunks created using Link Aggregation Control Protocol (LACP).

There is no new syntax for this enhancement.

Note: The current release does not support this enhancement in the GUI.

CLI Example

The following commands create a static trunk containing 16 data ports:

ACOS-6430(config)#trunk 1

ACOS-6430(config-trunk:1)#ethernet 1 to 16

Black/White List Group ID for PBSLB Increase

This feature increases the Black/White List group ID for PBSLB from 32 to 1,000.

CTR SSH Cipher Support

ACOS extends SSH cipher support to include the following options: aes128-ctr, aes192-ctr, and aes256-ctr.

Enhancements in ACOS 2.7.1-P3

ACOS 2.7.1-P3 includes the following enhancements. These enhancements apply to Application Access Management (AAM).

Support for Alternate LDAP Login Formats

The following alternate LDAP bind login name formats are supported:

[email protected]

• Domain\username

If the end-user specifies their login name in either of these formats, ACOS uses the entered form instead of the Bind DN form. This is because the Common Name does not match the account name in AD.

Support for OCSP URI Path

In previous releases, the path provided in a URL for an OCSP server was not included in authentication requests. This limitation caused failure of any authentication request that used the OCSP server.

Form-based Logon Enhancements

Beginning in this release, the Logon form used for form-based authentication in AAM includes an error message, in cases where a previous attempt to log on fails. In previous releases, the same form would be presented, containing only the username and password fields.

You can customize the error message string included in the Logon form.

Logon Failure Message Enhancements

Beginning in this release, the error page returned by ACOS to a client when an end-user fails authentication includes entry fields for the end-user to re-enter their username and password.

Figure 1 shows an example of the source code for the page.

FIGURE 1 Login error page for Form-based Logon in ACOS 2.7.1-P3

<form name="logon" action="mylogon-aaa.fo" method="POST">

<!-- <p><font size="5" color="red">$a10_login_fail_errmsg$</font></p> -->

Username: <input type="text" name="username"><br>

Password: <input type="password" name="pwd">

<input type="submit" value="Submit">

</form>

If the $a10_login_fail_errmsg$ variable is used but commented out as shown above, ACOS includes the logon failure message in the form only when applicable. If a client logon failure occurs, ACOS inserts a message and negates the HTML comment in the form sent to the client, to make the message visible on the new logon page presented to the client.

The default error message string for login failures is “Invalid username or password. Please try again.” You can customize the string, which can be 1-127 characters.

Error Message Customization for Form-based Logon

You can customize the generic message string returned in logon forms that include a logon failure message. The message can be up to 127 characters. From the configuration level for the form-based authentication-logon profile, the command is as follows:

[no] login-failure-message message-string

Enhancements in ACOS 2.7.1-P2

ACOS 2.7.1-P2 includes the following enhancements.

Forward Request Headers to Proxy Servers

ACOS 2.7.1-P2 provides an enhancement that enables ACOS to extract particular HTTP headers from client requests and forward the request headers to a proxy server. This can be accomplished using the request-header-forward option within the external-service template.

Notes

When using the Request Header Forwarding feature to forward HTTP headers to a proxy server, the following caveats apply:

• Up to 16 headers can be extracted from a client request.

• The header-name within the request-header-forward command is not case-sensitive.

• The maximum supported length of one HTTP header is 1,036 bytes (including the HTTP header name and header element).

• If the specified HTTP header contains more than 1,036 bytes, ACOS forwards only the first 1,036 bytes of the HTTP header.

• If there are duplicate headers in the client request, only the first header is forwarded.

• Header modification is not supported when forwarding HTTP header requests to a proxy server.

USING THE CLI

To configure ACOS to forward header requests to a proxy server, use the following command at the external-service template configuration level:

[no] request-header-forward http-header-name […]

CLI Example

The following example enables header request forwarding within an external-service template for the header “user-agent”.

ACOS(config-external-service)#request-header-forward user-agent

Configurable MSS Source for Proxied SLB Traffic

ACOS 2.7.1-P2 provides an option to change the way ACOS determines the TCP MSS value to use in proxied TCP traffic. This option specifies how the MSS value is determined for TCP SYN-ACKs sent by ACOS from a VIP to a client.

This option applies to full-proxy SLB configurations, in which the ACOS device is acting as a proxy for both ends of the client-server session.

ACOS can use either of the following methods to determine the MSS value for TCP SYN-ACKs from a VIP to a client:

• Interface MTU and MSS value received from client in SYN packet

• (Default) Interface MTU and health-check response packet from real server

Note: If ACOS receives different MSS sizes from multiple real servers, ACOS bases the value on the smallest MSS value received.

Note: The current release does not support configuration of this option using the GUI.

USING THE CLI

To configure ACOS to base the MSS in replies from VIPs to clients on the interface MTU and MSS value received from clients in SYNs, use the following command at the global configuration level of the CLI:

[no] slb use-mss-tab

Non-HTTP-bypass Support for Invalid HTTP Versions

ACOS 2.7.1-P2 enhances the Non-HTTP-bypass feature by providing bypass support for HTTP packets that have an invalid HTTP version.

In previous releases, ACOS did not provide this support. For example, in previous releases, the Non-HTTP-bypass feature did not provide bypass support for requests that had the following invalid HTTP versions:

• GET / HTTP/0.8

• GET / HTTP/1.2

• GET / HTTP/1.9

• GET / HTTP/2.1

• GET / HTTP/10.1

• GET / HTTP/a.b

With this enhancement, the Non-HTTP-bypass feature now provides bypass support for such traffic.

The feature continues to recognize traffic with valid HTTP versions such as the following:

• GET / HTTP/0.9

• GET / HTTP/1.0

• GET / HTTP/1.1

• GET / HTTP/1.10

• GET / HTTP/1.1000

If the Non-HTTP-bypass feature is enabled, ACOS still forwards the requests to the real server. However, if the Non-HTTP-bypass feature is disabled, ACOS does not send the requests.

Note: HTTP version validation is not performed if an external-service template is configured.

Additional Changes and Notes

This section describes additional changes not described in previous sections and provides clarifications on features supported in previous releases.

Configure Servers to Listen on Same Port (DSR)

In Direct Server Return (DSR) configurations, member servers in a Service Group must be listening on the same port. Port translation is not supported in DSR topologies.

SNMP Agent Default Community Name Should Be Changed

To protect from potential vulnerability, the SNMP Agent Default Community Name (public) should be changed to a non-default name.

Deprecated BGP Commands

The following commands are not supported in this release and are deprecated:

[no] bgp nexthop-trigger delay seconds

[no] bgp nexthop-trigger enable

Fail-safe Hardware Monitoring Enabled By Default

Beginning in ACOS 2.7.1, the fail-safe automatic recovery option for monitoring hardware errors is enabled by default. The option is disabled by default in previous releases.

If hardware error monitoring is already enabled, it will remain enabled following upgrade to ACOS 2.7.1. However, as a result of this change, the fail-safe hw-error-monitor-enable command no longer appears in show running-config output.

If you prefer to leave hardware error monitoring disabled, you can disable it using the following new command, at the global configuration level of the CLI:

fail-safe hw-error-monitor-disable

Documentation Errata The following sections clarify or expand on information in the manuals forprevious releases. This information will be incorporated into the manualsfor ACOS 2.7.1.

MTU Applies to Ethernet Interfaces

The CLI description for mtu erroneously indicated that the commandapplied to the management interface and Ethernet data interfaces. This com-mand only applies to the Ethernet data interfaces.

AX 5100 Not Supported in ACOS 2.7.1 and Later

Several documents in the ACOS 2.7.1-GR1 documentation set erroneouslyindicated support for the AX 5100 model. This information was not correct.The AX 5100 model is not supported in ACOS 2.7.1 or later.

NetFlow Supported Over UDP Only

The CLI example for NetFlow shows use of TCP. However, NetFlow is supported only over UDP.

Default BGP Neighbor Timers

The CLI Reference lists incorrect default values for the following BGP command:

[no] neighbor neighbor-id timers {interval holdtime | connect seconds}

The correct default values for this command are as follows:

• interval – 30 seconds

• holdtime – Three times the default keepalive value (90 seconds)

• connect seconds – 120 seconds

TCP-proxy Template Option fin-timeout

The fin-timeout option in TCP-proxy templates is not used. For the closest equivalent functionality, please try using the half-close-idle-timeout option instead.

Server-SSL Template Binding

ACOS supports use of a server-SSL template with only one instance of a real port. For example, if the same real server:port member is used in two service groups, it is valid to bind each of those service groups to a different virtual port. However, if there are server-SSL templates configured for both virtual ports, the server-side SSL behavior is not predictable and is not supported. It is recommended to duplicate the real server port configuration with different names. Then use the different names in each group.

Request-rate Limiting in Real Port Templates

Templates for SLB real ports have a request-rate-limit option. This option is supported only when the real port template is bound to an external-service template. The option is ignored in real port templates bound to real ports or any other resource.

Access to SNMP Agent in ADP Private Partitions

IPv4 SNMP server access to the ACOS SNMP agent is supported only for the shared partition, not for any private partitions.

Known Issues in Release 2.7.1

This release has the following issues.

SFP INTERFACE ISSUE

ACOS does not support the use of a copper adapter on a fiber port in the current release across all platforms. (A10 issue 248521)

Inserting a 1 G optical (SFP) transceiver into a 10 G port can cause the port driver to stop working and may result in a report of an incorrect MAC address (0000.0000.0000) and erroneous statistics for the port. If this occurs, the ACOS device must be rebooted to return it to operational state. (A10 issues 80746, 92686)

AAA ISSUE

Source NAT is not supported with RADIUS (A10 issue 88609).

The authentication disable-local option is not supported. (A10 issue 86825)

SHA2 CERTIFICATE ISSUES

In ACOS release 2.7.1-P6 and later, importing SHA2 certificates into the Web GUI is currently not supported as it may cause instability in existing VCS/VRRP-A environments. (A10 issue 252139)

VTHUNDER ISSUES

• The vThunder for VMware ESXi may reload if only one VMXNET3 virtual interface is configured. This issue happens only with vThunder for VMware ESXi, and does not occur when vThunder is used with other hypervisors. To work around this issue, make sure 2 VMXNET3 virtual interfaces are configured for each vThunder for ESXi instance. This is the default behavior for the shipping version of the vThunder for VMware ESXi image. (A10 issue 190093)

• The show interface brief command incorrectly shows the speed of vThunder Ethernet interfaces as “10000Mbps”.

• The show interface command’s output always shows the utilization for the input and output rates as 0%.

MANAGEMENT INTERFACE ISSUES

• Route cost is not supported in this release for static routes through the management interface. If you configure a cost for a static route through the management interface, the cost does not appear in the configuration.

• If you apply an ACL to the management interface as part of the enable-management feature, the following ACL options are not supported: log, dscp, fragments. If you do use any of these options, the ACL rule does not work. (A10 issue 96668)

LOM (IPMI) INTERFACE ISSUES

• IPv6 is not supported for LOM interface addressing. (A10 issue 94933)

• When the maximum threshold for user accounts is reached and a user account is deleted, the next user account created is disabled by default and has no network privileges. To resolve this issue, add the new user account as disabled and modify the user account to enable access and assign network privileges. (A10 issue 97459)

• If a second user tries to acquire the console while the first one is still on the console, the dialog box requesting the first user to deny or grant access may time out prematurely. If this occurs, the second user is denied access by default. (A10 issue 94852)

ISSUES WITH CONCURRENT CONFIGURATION SESSIONS

• If multiple admins use the GUI to set the ACOS timezone at the same time, the following error message appears: “Failed to set time. error code: 10000.” (A10 issue 100154)

• If multiple admins use the GUI to delete a given admin account at the same time, the following error message appears: “Failed to delete admins. error code: 10000.” (A10 issue 100025)

• If multiple admins use the GUI to upgrade the software image at the same time, the upgrade fails for each of the admins, and the following error message appears: “Access denied: no write privilege. Click to clear existing Config session.” (A10 issue 100223)

PING ISSUES

• Fragmented ping packets to a VIP address or NAT pool IP address are not supported. (A10 issue 94870)

• Fragmented ping packets addressed to a floating IP address are not supported. (A10 issue 96205)

JUMBO SUPPORT ISSUES

• Support for jumbo frames in ACOS 2.7.1 is limited to Layer 4 applications, such as TCP.

• Half-duplex mode is not supported. (A10 issue 86032)

• On Thunder models 6430, 6430S, and 5430S, and AX models 5200-11, 3400 and 3200-12, for any incoming jumbo frame, if the outgoing MTU is less than the length of the incoming frame, the frame is always fragmented into 1500-byte frames instead of being forwarded using the configured MTU. (A10 issue 87709)

• The ACOS device does not fragment UDP packets when the outgoing MTU is 1500. (A10 issue 88225)

To work around this issue, you can do either of the following:

• Use a non-default MTU.

• Disable fast-path processing by entering the following command at the global configuration level of the CLI: slb fast-path-disable

VLAN ISSUE

If you delete all the ports from a VLAN that has a VE and an IP address configured on the VE, the virtual MAC address is removed for the VE. However, if you add ports back to the VLAN, the virtual MAC address is not re-added. To work around this limitation, do either of the following:

• (Preferred) Delete the VE configuration and reconfigure the VE.

• Delete the entire VLAN and reconfigure the VLAN and VE.

(A10 issue 96901)

VIRTUAL ETHERNET STATISTICS ISSUES

• Virtual Ethernet (VE) interface statistics are supported only on 64-bit ACOS models.

• The packet length listed in VE statistics may not be correct in some cases.

ROUTING ISSUES

This release has the following routing-related issues:

• The ACOS device does not use an alternative static route if an ECMP path is no longer available.

• Not-so-stubby areas (NSSAs) are not supported for OSPFv3.

AVCS ISSUES

• Configuration of certain options in a private L3V partition can result in the configuration changes taking place in the shared partition instead. This behavior has been observed for commands that configure NTP, and that set global health monitoring values. (A10 issues 83543, 86759)

Here is an example:

AX2500[l3v](config)#health global interval 180
AX2500[l3v](config)#show run | section health global
AX2500[l3v](config)# (output is blank)
...
AX2500#show run | section health global
health global interval 180

Note: The output of the show run | section health global command at the private partition level is blank, because the command is still set to its default value. The change should occur in the private partition’s configuration but instead occurs in the shared partition’s configuration.

• All devices in the virtual chassis must run the same ACOS Release. Operation using a mix of the current release and earlier releases (for example, 2.6.1 and 2.7.0) is not supported.

• aVCS can not run from Compact Flash. (A10 issue 56415)

• aVCS is not supported in transparent mode. (A10 issue 57699)

• aVCS memory usage is not taken into account in system resources, which could lead to out-of-memory conditions. For guidelines, see the “Memory Requirements for aVCS with Layer 2/3 Virtualization” section in the “AX Virtual Chassis System” chapter of the AX Series System Configuration and Administration Guide. (A10 issue 52939)

• The device DeviceID option is not supported with global routing show or clear commands. When you are logged onto the virtual chassis floating IP address, the commands are supported only on the vMaster. (A10 issue 58348)

For example, the clear ip ospf [process-id] process command does not support the device DeviceID option.

To work around this issue, do either of the following:

• Use the following command to change the context of the CLI session to the device:

vcs device-context DeviceID

After changing the context to the device, you can enter the show or clear command on that device.

• Establish a new CLI session on the device itself and enter the command.

• It is possible to configure an SLB real server on the vMaster that has the same IP address as a vBlade’s interface. The CLI allows this invalid configuration, which prevents the vBlade from being able to synchronize with its vMaster. (A10 issue 58118)

• There are known issues with removing configuration items shared by all devices in a virtual chassis, when those items are referenced by device-specific configuration on a single device. Depending on the command, the removal of the common configuration item may execute successfully on one or more devices, yet fail on the device on which the item is referenced. (A10 issue 59262)

For example, if you configure an ACL on the vMaster, bind the ACL to an interface on a vBlade, then delete the ACL from the vMaster, the ACL is removed from the vMaster but remains in the vBlade's configuration.

LAYER 2/3 VIRTUALIZATION ISSUES

• IPv6 address configuration belonging to the same subnet on physical interfaces in different partitions is not supported.

• Route logging is not supported in private partitions.

• File management operations such as import and export are not supported in private-partition management sessions. (A10 issue 73319)

• SMTP servers can not be configured in private partitions. Thus logging email is not supported for private partitions. This will be fixed in a later release.

• In the GUI, the Monitor > Network > Interface page lists only the interfaces that belong to the currently selected partition. However, the graphs on this page always show data for the shared partition.

• In the GUI, shared SLB resources (service groups and servers) appear in private partition list menus but should not.

• If you configure a class list in a private partition that has the same name as a class list in the global partition, the system incorrectly creates a duplicate of the class list in the shared partition. The duplicate class list persists even if you remove it and reload or reboot. (A10 issue 73574)

• If a resource template configured in an L3V partition has bandwidth or SSL throughput limits configured, the limits do not take effect. (A10 issue 85108)

• The config-save command for GSLB groups does not work in L3V partitions. (A10 issue 96859)

• To use the enable-management service in an L3V partition, the service must be configured on a VE interface. (A10 issue 96959)

PRIVATE PARTITION (ROLE-BASED ADMINISTRATION) ISSUES

• IPv6 OSPF debugging does not work inside private partitions.

• It is not recommended to configure dedicated logging within private partitions. Attempting to configure logging within a private partition will result in global syslog messages being added to the log.

• Imported black/white lists can not be used in private partitions. (A10 issue 79547)

• SIP running on the shared partition may intermittently cause the ACOS device to reload, depending on traffic load.

• If you create a black/white list or class list in the shared partition, then create an RBA partition, a duplicate of the list appears in the configuration for the shared partition. This issue is cosmetic only and does not affect operation of features that use the black/white list or class list.

VRRP-A / HIGH AVAILABILITY (HA) ISSUES

• If the configuration on a device you are upgrading from 2.6.1-GR1 (or any of its patches) to 2.7.1-P1 contains the no-dest-nat option, session synchronization between the devices does not work. (A10 issue 128254)

• For the older implementation of HA (not VRRP-A), FTP control sessions might not continue after HA failover occurs.

• Config-sync without reload is not supported for merged aFleX scripts. To work around this issue, use config-sync with reload. (A10 issue 88777)

• HA sync is not supported for the following data files (A10 issue 253346):

• class-list

• auth-portal

• dnssec-ds

• ip-map-list

• HA sync is not supported for the following commands (A10 issue 253346):

• GSLB group

• SLB buff-thresh

• SLB template diameter

ROLE-BASED GUI ACCESS ISSUES

• Private partition admins can not access the Config Mode > Service > SLB > Global page. (A10 issue 90988)

• The role-based GUI access feature enables you to configure custom GUI access roles with nearly any combination of read-only, read-write, and hide settings for GUI page access. It is possible to configure settings such that an admin can access a page that requires access to another page that is hidden. In this case, the ACOS web server will drop the request for the hidden page, and display an error stating that the page does not exist.

Note: Shared partition objects cannot be referenced by private partitions when Layer 2/3 virtualization is enabled. This is not restricted in R2.6 but is restricted starting from R2.6.1.

DSCP/802.1P MARKING

The current release does not support Layer 2 priority bit marking.

SSL ISSUES

• SSL session-ID persistence is not supported for IPv6.

• SSL session-ID reuse is not supported on ACOS devices that use multiple SSL processors. This issue affects ACOS devices in which an add-on SSL accelerator module is installed. The following models, if they contain an add-on SSL accelerator module, are affected: AX 5100, AX 5200, AX 5200-11, AX 3000, and AX 2500.

• Whenever a cipher mismatch occurs, a FIN will be sent without an alert message.

IPV6 PASSIVE FTP / HARDWARE-BASED SYN-COOKIE ISSUES

• On some ACOS models, passive FTP does not work if SYN cookies are enabled. This issue affects models AX 2200, AX 2200-11, AX 3200, AX 3200-11, AX 5100, AX 5200, and AX 5200-11.

• Passive IPv6 FTP data connections are not supported with hardware-based SYN cookies. To work around this issue, use active mode. (A10 issue 96802)

APPLICATION TEMPLATE ISSUE

Unbinding and then rebinding an application template (for example, an HTTP template) on a virtual port can result in incorrect counter values. (A10 issue 85243)

REAL PORT TEMPLATE REQUEST-RATE-LIMIT ISSUE

The request-rate-limit option in real port templates has reset and no-logging options. The reset option cannot be configured. You can configure the no-logging option, but it will not take effect. (A10 issue 118916)

DNS CACHING ISSUE

IPv6 is not supported with system-wide (global) DNS caching. (A10 issue 96484)

AFLOW ISSUE

aFlow is not supported in combination with Policy-Based SLB (PBSLB).

W3C LOGGING ISSUE

In RAM Caching deployments, the status code is not included in log messages. The value of “%s” is shown as “-” in the messages. (A10 issue 109091)

AUDIT LOGGING ISSUE

Highly active audit logging can result in error messages such as the following:

Error [SYSTEM]:send audit log failed

This can occur with bursts of about 12 or more audit log messages at a time or throughput of around 10 K messages or more per minute.

GSLB ISSUE

Depending on the size of the geo-location database, GSLB configuration synchronization can take up to two minutes to synchronize to each remote GSLB controller.

GUI ISSUES

• Right-clicking on a sub-module menu displays an option menu. However, the options on the right-click menu are not supported. For example, opening a configuration page in a new tab or browser window is not valid. The page will appear and you can enter data, but the data will not be written to the configuration. An error also occurs in the primary GUI window.

• The GUI does not support monitoring of virtual-server class-list statistics.

• In the GUI, the Monitor > Network > Interface page lists only the interfaces that belong to the currently selected partition. However, the graphs on this page always show data for the shared partition.

• The GUI Find option does not work on lists containing over 500 items.

• With a few exceptions, GUI pages can not display lists containing a very large number of items. Exceptions are the pages that list virtual servers, service groups, and real servers.

• If you use the GUI to remove the age from a class-list file entry, the original age remains in effect. The entry is removed within one minute after the original age expires. (A10 issue 94466)

• If a description is configured in the GUI for a VIP, the description is lost following upgrade to 2.7.0.

AXAPI ISSUE

The aXAPI method "slb.server.fetchAllStatistics" does not return any statistics for a server if the server is defined with a DNS name. This issue can be avoided by defining the server with an IP address rather than a DNS name.

AXAPI DOCUMENTATION ISSUE

In the error messages list in the manual for aXAPI version 1, the message code and text are incorrect for all messages with IDs higher than 1032. For higher-numbered messages, the code and text in the manual actually belong to the next higher-numbered message. For example, the manual lists text “The server already exists” for message number 1045. The text actually belongs to message number 1046. (A10 issue 59210)

HARDWARE ISSUE

Currently copper adapters are not supported on fiber ports on all platforms. (A10 Issue 248521)

Upgrade Instructions

This chapter describes how to upgrade the software image on your ACOS device.

Notes

• If you are configuring a new ACOS device, see the Installation Guide for your model.

• If you are upgrading from a 2.6.0 release, please upgrade from 2.6.0-P4 or later. If you are running a 2.6.0 release older than 2.6.0-P4, it is recommended to upgrade to 2.6.0-P4 first, then upgrade to 2.6.1.

• If you are upgrading an aVCS virtual chassis from 2.6.0, you must use the CLI.

• This chapter may contain references to “AX Release” versions. The term “AX Release” is an older term for “ACOS”, which now also runs on A10 Thunder devices, beginning in ACOS 2.7.1.

Image File Names

Make sure to use the correct image file for your A10 Thunder or AX model. The image files are named as follows:

TABLE 7 ACOS Image File Names

| Flexible Traffic ASIC Model? | Model | Image Name |
|---|---|---|
| Yes. These models feature the Flexible Traffic ASIC (FTA). | Thunder 6630, Thunder 6435, Thunder 6430S, Thunder 6430, Thunder 5630, Thunder 5435, Thunder 5430S, Thunder 5430S-11, Thunder 5430-11, Thunder 4435, Thunder 4430S, Thunder 4430, AX 5630, AX 5200-11, AX 5200, AX 5100, AX 3400, AX 3200-12 | ACOS_FTA_version.tgz |
| No. These models do not use FTAs. | Thunder 3030S, Thunder 1030S, Thunder 930, AX 3530, AX 3030, AX 3000-11-GCF, AX 3000, AX 2600, AX 2500, AX 1030, vThunder | ACOS_non_FTA_version.tgz |

Cautions

Before you upgrade, please carefully read the following cautions. Some cautions also apply to downgrade.

As a best practice, save the configuration, then copy the startup-config to a remote server, before you upgrade.

While command name changes between releases are not common, saving a backup avoids the need to re-enter the older syntax following a downgrade.

Note: If you are upgrading ACOS devices that run aVCS, also see “Upgrading the Software Image (aVCS virtual chassis)” on page 217.

HTTP Compression Modules

If you are upgrading an ACOS device that contains an HTTP compression module, the module will not work after you upgrade to AX Release 2.6.1. Likewise, an HTTP compression module installed in an ACOS device configured at the factory with AX Release 2.6.1 or later will not work with earlier software versions. If this affects your ACOS device, please contact A10 Networks.

ADP (L3V / RBA)

If ADP is configured on the ACOS device and you plan to upgrade or downgrade to an ACOS release that does not support it, A10 Networks recommends that you first delete all the private partitions before installing the new software. Otherwise, resources such as aFleX policies, SSL certificates and keys, or external health monitoring programs in the private partitions will be visible and therefore can pose a security risk.

RADIUS Server Commands in Startup-Config

If the startup-config on the ACOS device you are planning to upgrade contains a radius server or radius port command, these commands are automatically converted to their new formats after you upgrade and save the configuration.

However, if you later downgrade to a release earlier than AX Release 2.4, the new commands are converted into their older forms. You will need to re-enter the older forms of the commands to re-add the RADIUS server. Likewise, support for more than one RADIUS server (new in AX Release 2.4) will not be available after the downgrade.

RADIUS / TACACS+ Shared Secret Strings Longer than 15 Characters

AX Release 2.6.1-P2 increases the maximum shared-secret length for RADIUS and TACACS+ from 15 characters to 128 characters. If you configure a shared secret longer than 15 characters in this release or later, then downgrade to an earlier release where the longer string length is not supported, the shared secret string will be incorrect and will need to be reconfigured.

NAT Pool-Group Commands in Startup-Config

In AX Release 2.4.3, if the startup-config on the ACOS device you are planning to upgrade contains pool groups for IP NAT, the commands for the pool groups are automatically converted to the new syntax after you upgrade. However, if you later downgrade the ACOS device to a release earlier than 2.4.3, the software will not recognize pool groups that contain more than 5 pools.

HA Interfaces

Beginning in AX Release 2.7.0, in deployments that use the older implementation of High Availability (HA), if an HA interface is a tagged member of a VLAN, it is required to specify the VLAN ID when configuring the interface to be an HA interface.

GSLB Groups

It is possible for GSLB configuration items to be lost on GSLB group members following upgrade. To avoid this issue, see “Upgrading Devices in GSLB Groups” on page 209.

HA Session Synchronization

When you upgrade ACOS devices that are deployed in High Availability (HA) mode, the ACOS version running on the active device briefly differs from the version running on the standby device.

Notes

• If the configuration on a device you are upgrading from 2.6.1-GR1 (or any of its patches) to 2.7.1-P1 contains the no-dest-nat option, session synchronization between the devices does not work.

• Session synchronization applies only to TCP and UDP Layer 4 virtual ports. Session synchronization does not apply to other types of virtual ports, such as HTTP/HTTPS VIPs.

• Depending on the versions you are upgrading from and to, session synchronization may not work until all devices are running the same version. For example, if you are upgrading from 2.6.1-GR1 to 2.7.0, session synchronization does not work while one of the ACOS devices is running 2.7.0 but the other device is still running 2.6.1-GR1.

Due to the behavior summarized in the table, existing sessions that would normally be mirrored may be lost. Typically, this means clients will need to retransmit or re-establish their connections. This should occur only one time. Once both ACOS devices are running the same software version, session synchronization will operate normally again.

TABLE 8 HA Session Synchronization Support During Upgrade

| Version Running on Active ACOS Device | Standby 2.7.1 | Standby 2.7.0 | Standby 2.6.1 | Standby 2.4.3 | Standby 2.2.5 |
|---|---|---|---|---|---|
| 2.7.1 | Supported | Supported | No session sync | No session sync | No session sync |
| 2.7.0 | Supported | Supported | No session sync | No session sync | No session sync |
| 2.6.1 | No session sync | No session sync | Supported | No session sync | No session sync |
| 2.4.3 | No session sync | No session sync | No session sync | Supported | No session sync |
| 2.2.5 | No session sync | No session sync | No session sync | No session sync | Supported |

Note: On each ACOS device, enable SSH on the HA interface used for configuration synchronization.

• Using the GUI – Config Mode > System > Access Control

• Using the CLI – enable-management service ssh command at global configuration level

Save the change to the startup-config.

HA Upgrade Example

Here is an example of a typical upgrade scenario:

1. Both ACOS devices are running AX Release 2.7.0

2. Upgrade the HA standby ACOS device to 2.7.1 and reboot.

Note: As part of the upgrade process, make sure to copy the configuration to the image area (primary or secondary) where you plan to install the upgrade, before uploading the upgrade. Each image area has its own separate startup configuration.

3. After rebooting, the HA standby ACOS device resumes HA standby operation.

4. The HA active ACOS device sends session synchronization packets to the HA standby ACOS device.

5. If you are upgrading from 2.6.x to 2.7.x, the HA standby ACOS device will detect a synchronization version mismatch and ignore the synchronization packets. As a result, existing connections are not mirrored.

Refer to Table 8 for supported session synchronization upgrade paths between different ACOS versions.

6. Upgrade the HA active ACOS device to ACOS 2.7.1 (optionally triggering HA failover first) and reboot. Since existing connections were not mirrored, clients will need to retransmit or re-establish their connections.

7. After the HA active ACOS device reboots, both devices are now running ACOS 2.7.1. HA session synchronization operates normally.

Boot Order—How ACOS Gets the Image To Boot

Note: If you are upgrading ACOS devices that run aVCS, skip this section and go to “Upgrading the Software Image (aVCS virtual chassis)” on page 217.

Each ACOS device has four locations in which software images can be placed:

• Disk (hard disk or Solid State Drive), in the primary image area

• Disk, in the secondary image area

• Compact flash (CF), in the primary image area

• CF, in the secondary image area

FIGURE 2 Software Image Locations on the ACOS device

At the factory, the current generally available release is loaded into all four areas before the device is shipped. When you upload a new image onto the ACOS device, you can select the image device (disk or CF) and the area (primary or secondary) on the device.

When you power on or reboot the ACOS device, it always attempts to boot from the disk, using the image area specified in the configuration (disk primary, by default). If a disk failure occurs, the device attempts to boot from the same image area on the backup disk (if applicable to the A10 Thunder Series or AX Series model).

Caution: A10 Networks recommends that you install the new image into only one disk image area (primary or secondary) and leave the image you are upgrading from in the other area. If you need to downgrade or an issue occurs when rebooting with the new image, leaving the old image on the device will make it easier to restore the system.


In ACOS 2.7.1, when you save the configuration in the current image area, ACOS displays a prompt asking whether you also want to save the configuration to the other area. Syntax that is new or changed in ACOS 2.7.1 may not be compatible with your older ACOS version.

Note: Allow up to five minutes for the reboot to complete. (The typical reboot time is 2-3 minutes.) During the reboot, the system performs a full reset and will be offline. The actual time may vary depending on system parameters.

Note: Copying the configuration does not provide a complete system backup. For example, copying the configuration does not include aFleX policies, SSL certificates and keys, or class lists. For a complete system backup, use the backup option as described in the procedure later in this section.

Recommendations (for non-aVCS deployments)

You can upload a new image into any of the areas listed above and you can configure the boot profile to try booting from those areas in any order you choose. However, to simplify the upgrade process and ensure that the system always has a backup image in case a problem occurs, A10 Networks recommends that you use the following process to upgrade.

Note: The ACOS device always tries to boot using the disk first. The CF is used only if the disk is unavailable.

Note: If the ACOS devices are running AX Virtual Chassis System (aVCS), this recommendation is not applicable. Instead, see “Upgrading the Software Image (aVCS virtual chassis)” on page 217.

Alternate Loading of the New Image into the Primary and Secondary HD Areas

1. Save the configuration to the current image area (the area from which the device was most recently booted).

2. Back up the system. (A complete system backup is needed, so that all files, in addition to the configuration files, are included.)

3. Leave the factory-installed images in the CF and never replace them.

4. The first time you upgrade, upload the new image into the primary disk area. Leave the current image (the image you are upgrading from) in the secondary disk area.

5. The next time you upgrade, save the startup-config in the image area you upgraded last time. Also save the same startup-config to the other image area, where you plan to install the upgrade. You must save the startup-config that is in the image area you booted from into the image area you will upgrade, so that the system will be running the correct configuration following the upgrade.

6. Leave the current image (the image to which you upgraded previously) in the primary disk area, and upload the new image into the secondary disk area.

7. For each subsequent upgrade, alternate by saving the startup-config into, and uploading the new image into, the disk area that has the oldest image. Generally, the oldest image will be two images back.

For example, if your system is shipped with 2.7.0 installed and you upgrade to 2.7.1, 2.7.1 will go into the primary image area and 2.7.0 will stay in the secondary image area. When you upgrade again, 2.7.1 will stay in the primary image area and the newer image will go into the secondary image area.

Note: Make sure to copy the configuration to the image area where you plan to install the upgrade, before uploading the upgrade. Each image area has its own separate startup configuration.

8. Modify the boot profile to first attempt to boot from the disk area that has the newest image.

Note: If you plan to reboot immediately following the upgrade (an option you can select when you upgrade), modify the boot profile before you upgrade.


FIGURE 3 Upgrade Process (non-aVCS only)


Upgrading Devices in GSLB Groups

If you use GSLB groups, GSLB configuration items can be lost following upgrade, unless you use the following procedure.

Note: For group members that are members of an aVCS virtual chassis, perform these steps on the vMaster.

1. On each member device of the GSLB group, save the configuration.

2. On each member device in the group, disable the GSLB group and save the configuration.

3. Use the procedures in this chapter to upgrade the GSLB group members, one group at a time.

For example, if there are 2 GSLB groups, 1 and 2, upgrade all the member devices in group 1 first, then upgrade all the member devices in group 2. After all members come up in the GSLB group 1, upgrade each member of GSLB group 2.

4. After all members in the last group finish booting with the new software version, enable the GSLB group on each device. Make sure all members join the group successfully.

5. On each member device of the GSLB group, again save the configuration.

CLI Example

The following commands perform step 1 through step 4:

AX-gslb:Member(config)#write memory

AX-gslb:Member(config)#gslb group shared

AX-gslb:Member(config-gslb group)#no enable

AX-gslb:Member(config-gslb group)#exit

AX-gslb:Member(config)#write memory

The following commands perform step 5:

AX-gslb:Member(config)#gslb group shared

AX-gslb:Member(config-gslb group)#enable


Upgrading the Software Image (non-aVCS deployment)

To upgrade the software image, use either of the following methods.

Note: Use this procedure only to upgrade an ACOS device that is running stand-alone (not in an aVCS virtual chassis). To upgrade ACOS devices in a virtual chassis, see the following section instead: “Upgrading the Software Image (aVCS virtual chassis)” on page 217.

USING THE GUI

Save the Configuration

Click on the Save button.

FIGURE 4 Save the Configuration

Save the Configuration to the Image Area Where You Plan to Install the Upgrade

Note: This step requires the CLI. You cannot perform this step using the GUI.

1. Log onto the CLI.

2. Access the global configuration level:

a. Enter the enable command. If prompted for the enable password, enter the password. The command prompt changes from hostname> to hostname#

b. Enter the configure command. The command prompt changes from hostname# to hostname(config)#

3. Use the following command:

write memory {primary | secondary}[all-partitions | partition partition-name]

If you plan to install the upgrade into the primary image area, specify primary. Otherwise, specify secondary.


The all-partitions and partition partition-name options apply only if you are upgrading an ACOS device with RBA/L3V configured. These options do not appear unless you are logged on with root or super user (global read-write) privileges.

4. Exit the configuration mode, by entering the following command:

exit

5. End the CLI session, by entering the following command:

exit

Create a Full System Backup

A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys.

1. Select Config Mode > System > Maintenance.

2. Select Backup > Config on the menu bar.

3. Select the backup location:

• Local – Saves the backup on the PC or workstation where you are using the GUI.

• Remote – Saves the backup onto another PC or workstation.

4. If you selected Local:

a. Click Apply.

b. Click Save and navigate to the save location. Optionally, you can edit the filename.

c. Click Save.

5. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, or SCP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname. To change the backup file from the default (“backup_system.tar”), specify the new name at the end of the path.


e. In the User and Password fields, enter the username and password required for write access to the remote device.

f. Click OK.

6. To also back up the system log files (and core files, if any):

a. Select Backup > Syslog on the menu bar.

b. Select the backup location: Local or Remote. (See above for descriptions.)

FIGURE 5 Config > System > Maintenance > Backup > System

Change the Boot Order

1. Select Config > System > Settings.

2. Select Boot on the menu bar. The boot settings are displayed.

3. If the Hard Disk image area where you plan to install the new image is not selected, select it and click OK. For example, if Primary is selected but you plan to install the image into the secondary image area, select Secondary.

FIGURE 6 Config > System > Settings > Boot

Note: Although the Boot Image tab allows selection of an image area in the compact flash, the ACOS device always tries to boot using the hard disk first. The compact flash is used only if the hard disk is unavailable.


Upload the New Image

1. Select Config Mode > System > Maintenance > Upgrade.

2. For Media, leave Hard Disk selected.

3. For destination, select the area that contains the oldest image. If both areas contain the same image version, select Primary.

Note: The image area you select here needs to be the same area selected above, in the "Change the Boot Order" section.

4. For Reboot, select Yes to reboot now, or No if you prefer to reboot later. The new image takes effect only after a reboot.

5. For Upgrade from, select the location where you saved the upgrade image:

• Local – Uploads the image from the PC or workstation where you are using the GUI.

• Remote – Uploads the image from another PC or workstation.

6. If you selected Local:

a. Click Browse and navigate to the image location.

b. Click Open.

c. Click Apply.

7. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname and image file name.

e. In the User and Password fields, enter the username and password required for access to the remote device.

f. Click Apply.


FIGURE 7 Config > System > Maintenance

USING THE CLI

All the commands described in this section are available at the global Config level of the CLI.

1. To save the configuration, enter the following command:

write memory

This command saves the configuration to the current image area, from which the device was most recently booted.

2. To save the configuration to the other image area, where you plan to install the upgrade, use the following command:

write memory {primary | secondary}[all-partitions | partition partition-name]

If you plan to install the upgrade into the primary image area, specify primary. Otherwise, specify secondary.

The all-partitions and partition partition-name options apply only if you are upgrading an ACOS device with ADP configured. These options do not appear unless you are logged on with root or super user (global read-write) privileges.

3. To create a full system backup, use the following command:

backup system [use-mgmt-port] url

The url specifies the file transfer protocol, username (if required), directory path, and filename. The following types of URLs are supported:

• tftp://host/file

• ftp://[user@]host[:port]/file

• scp://[user@]host/file

• rcp://[user@]host/file

• sftp://[user@]host/file


You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password.

The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.

A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys. To also back up system log files (and core files, if any), use the following command:

backup log [use-mgmt-port] url

4. To verify and change the boot order (if required), use the following commands:

show bootimage

bootimage hd {pri | sec}

The {pri | sec} option specifies whether the ACOS device first tries to boot using the image in the primary image area or the secondary image area.

Note: You only need to change the boot order if you plan to upload the new image into an image area that is not the first image area the ACOS device uses when it boots.

Note: The bootimage command also allows selection of an image area in the compact flash; however, this syntax is not shown above. The ACOS device always tries to boot using the hard disk first. The compact flash is used only if the hard disk is unavailable.

5. To upload the new image onto the ACOS device and reboot, use the following command:

upgrade hd {pri | sec} [use-mgmt-port] url

The url specifies the file transfer protocol, username and password (if required), directory path, and filename. (See above in the description for the url option of the backup system command.)

The CLI displays a prompt asking you whether to reboot. Enter yes to reboot now, or no if you prefer to reboot later. The new image takes effect only after a reboot.

To verify the upgrade after the ACOS device reboots, use the following command:

show version


Upgrade Example

The following commands upgrade an AX 5200 from AX Release 2.7.0 to ACOS 2.7.1:

AX(config)#write memory

Building configuration...

[OK]

AX(config)#write memory secondary

Building configuration...

[OK]

AX(config)#backup system tftp:

Address or name of remote host []?192.168.1.144

Destination file name [/]?ax5200-backup

System files backup successful

AX(config)#show bootimage

(* = Default)

Version

-----------------------------------------------

Hard disk primary 2.7.0 (*)

Hard disk secondary 2.6.1

Compact flash primary 2.4.3 (*)

Compact flash secondary 2.4.3

AX(config)#bootimage hd sec

Secondary image will be used if the system is booted from hard disk

AX(config)#upgrade hd sec tftp://192.168.1.144/ACOS_FTA_2_7_1-P1_57.64.tgz

Do you want to reboot the system after the upgrade?[yes/no]:yes

After the ACOS device finishes rebooting, verify the upgrade:

AX>show bootimage

(* = Default)

Version

-----------------------------------------------

Hard disk primary 2.7.0

Hard disk secondary 2.7.1 (*)

Compact flash primary 2.4.3 (*)

Compact flash secondary 2.4.3


AX>show version

AX Series Advanced Traffic Manager AX2500

Copyright 2007-2013 by A10 Networks, Inc. All A10 Networks products are

protected by one or more of the following US patents and patents pending:

7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,

20070283429, 20070271598, 20070180101

64-bit Advanced Core OS (ACOS) version 2.7.1-P1, build 57 (May-31-2013,01:17)

Booted from Hard Disk primary image

...
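
The following Python example is added here and is not A10 code. It parses show bootimage output in the format printed above, picks the hard disk area holding the oldest image (primary on a tie, as in the GUI procedure), and builds the CLI sequence from the steps above, flagging transfer URLs that use an unencrypted protocol because the full backup contains SSL certificates and keys. The function names and the user name in the SSH-based URLs are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: "show bootimage" output in the format shown in the upgrade example.
SAMPLE_BOOTIMAGE = """\
(* = Default)
Version
-----------------------------------------------
Hard disk primary 2.7.0 (*)
Hard disk secondary 2.6.1
Compact flash primary 2.4.3 (*)
Compact flash secondary 2.4.3
"""

ROW = re.compile(r"^(Hard disk|Compact flash)\s+(primary|secondary)\s+(\S+)(\s+\(\*\))?\s*$")
ENCRYPTED = {"scp", "sftp"}         # SSH-based transfers
CLEARTEXT = {"tftp", "ftp", "rcp"}  # no transport encryption
SHORT = {"primary": "pri", "secondary": "sec"}


def parse_bootimage(text):
    """Return {(media, area): (version, is_default)} from 'show bootimage' output."""
    images = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            media = "hd" if m.group(1) == "Hard disk" else "cf"
            images[(media, m.group(2))] = (m.group(3), bool(m.group(4)))
    if ("hd", "primary") not in images or ("hd", "secondary") not in images:
        raise ValueError("both hard disk image areas must be listed")
    return images


def version_key(version):
    """Sort key from the dotted numeric prefix (assumption: suffixes such as -P1 are ignored)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unrecognized version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def pick_target_area(images):
    """Disk area with the oldest image; primary when both hold the same version."""
    pri = version_key(images[("hd", "primary")][0])
    sec = version_key(images[("hd", "secondary")][0])
    return "secondary" if sec < pri else "primary"


def is_encrypted(url):
    """True for scp/sftp, False for tftp/ftp/rcp; other schemes are not in the supported list."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ENCRYPTED | CLEARTEXT:
        raise ValueError(f"unsupported transfer protocol: {scheme!r}")
    return scheme in ENCRYPTED


def build_plan(bootimage_text, backup_url, image_url):
    """Build the command list for the non-aVCS CLI upgrade procedure, plus transport warnings."""
    images = parse_bootimage(bootimage_text)
    target = pick_target_area(images)
    warnings = []
    if not is_encrypted(backup_url):
        warnings.append("backup: SSL certificates and keys would cross the network unencrypted")
    if not is_encrypted(image_url):
        warnings.append("image: transfer protocol provides no encryption")
    commands = ["write memory", f"write memory {target}", f"backup system {backup_url}"]
    # The boot order only changes when the target area is not already the default.
    if not images[("hd", target)][1]:
        commands.append(f"bootimage hd {SHORT[target]}")
    commands.append(f"upgrade hd {SHORT[target]} {image_url}")
    return {"target": target, "commands": commands, "warnings": warnings}


if __name__ == "__main__":
    plan = build_plan(
        SAMPLE_BOOTIMAGE,
        "tftp://192.168.1.144/ax5200-backup",
        "tftp://192.168.1.144/ACOS_FTA_2_7_1-P1_57.64.tgz",
    )
    for command in plan["commands"]:
        print(command)
    for warning in plan["warnings"]:
        print("WARNING:", warning)
```
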

Upgrading the Software Image (aVCS virtual chassis)

The following upgrade procedures are provided. Use the procedure that is most applicable to your deployment.

• Full chassis upgrade – This procedure upgrades the software on the vMaster. The vMaster loads the upgrade image onto each of the vBlades, then reboots the vBlades to place the new software into effect. Service is briefly interrupted during the reboot.

The procedure for full chassis upgrade applies to VRRP-A deployments and to deployments that do not use VRRP-A. See “Full Chassis Upgrade (with or without VRRP-A)” on page 225.

• Staggered upgrade in VRRP-A deployment – This procedure avoids service disruption but has more steps than full chassis upgrade. See “Staggered Upgrade (with VRRP-A)” on page 225.

• Staggered upgrade with no VRRP-A – This procedure is the same as the staggered upgrade with VRRP-A, except there are no steps related to VRRP-A. See “Staggered Upgrade (with VRRP-A)” on page 225.

Note: Allow up to five minutes for a reboot to complete. (The typical reboot time is 2-3 minutes.) During a reboot, the system performs a full reset and will be offline. The actual time may vary depending on system parameters.


Using the GUI

This section describes how to upgrade an aVCS chassis using the GUI.

Backing Up the System

Before you begin the upgrade, it is recommended to back up the system. A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys.

1. Select Config Mode > System > Maintenance.

2. Select Backup > Config on the menu bar.

3. Select the backup location:

• Local – Saves the backup on the PC or workstation where you are using the GUI.

• Remote – Saves the backup onto another PC or workstation.

4. If you selected Local:

a. Click Apply.

b. Click Save and navigate to the save location. Optionally, you can edit the filename.

c. Click Save.

5. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname. To change the backup file from the default (“backup_system.tar”), specify the new name at the end of the path.

e. In the User and Password fields, enter the username and password required for write access to the remote device.

f. Click OK.


6. To also back up the system log files (and core files, if any):

a. Select Backup > Syslog on the menu bar.

b. Select the backup location: Local or Remote. (See above for descriptions.)

FIGURE 8 Config > System > Maintenance > Backup > System

Full Chassis Upgrade (with or without VRRP-A)

Note: This procedure requires a reboot of each ACOS device in the virtual chassis. In this case, the vMaster sends the new image to all vBlades and reboots all devices in the virtual chassis, including itself. This can take several minutes, during which a service outage will occur.

Perform the following steps on the vMaster.

1. Select Config Mode > System > Maintenance > Upgrade.

2. For Media, leave Hard Disk selected.

3. For destination, leave it unchanged.

4. For Reboot, select Yes to reboot now, or No if you prefer to reboot later. The new image takes effect only after a reboot.

5. For Upgrade from, select the location where you saved the upgrade image:

• Local – Uploads the image from the PC or workstation where you are using the GUI.

• Remote – Uploads the image from another PC or workstation.


6. If you selected Local:

a. Click Browse and navigate to the image location.

b. Click Open.

c. Click Apply.

7. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname and image file name.

e. In the User and Password fields, enter the username and password required for access to the remote device.

f. Click Apply.

8. Leave Staggered Upgrade Mode unselected.

9. Click OK.

Staggered Upgrade (with VRRP-A)

Note: Staggered upgrade using the GUI is supported only in AX Release 2.7.0 and later. This section is inapplicable to performing staggered upgrade from 2.6.1 using the GUI.

1. Select Config Mode > System > Maintenance > Upgrade.

2. For Media, leave Hard Disk selected.

3. Next to Destination, select the image area.

Note: All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from their own primary image areas.

4. For Reboot, select Yes to reboot as soon as you click OK, or No if you prefer to reboot later. The new image takes effect only after a reboot.


5. For Upgrade from, select the location where you saved the upgrade image:

• Local – Uploads the image from the PC or workstation where you are using the GUI.

• Remote – Uploads the image from another PC or workstation.

6. If you selected Local:

a. Click Browse and navigate to the image location.

b. Click Open.

c. Click Apply.

7. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname and image file name.

e. In the User and Password fields, enter the username and password required for access to the remote device.

f. Click Apply.

8. Select Staggered Upgrade Mode, and specify the aVCS device ID of the device to reboot.

9. Click OK.

10. After the ACOS device reboots, set the priority value of each VRID on the device to a lower value than on the backup ACOS device:

Note: Do not use the Force Self Standby option.

a. Select Config Mode > VRRP-A > Setting > VRRP-A Interface.

b. Next to Preempt Mode, select Enabled, if not already selected.

c. Select all the VRIDs.

d. Edit the value in the Priority field to a value that is lower than the priority value(s) for the VRIDs on the backup ACOS device.

e. Click Edit.

f. Click OK.


11. Go to the vBlade device and force failover in order to take over the vMaster role:

a. Select Config Mode > System > aVCS > General.

b. In the vmaster-take-over field, enter 255.

c. Click OK.

During failover, the vBlade becomes the vMaster. vMaster becomes a vBlade device. The new vMaster will detect that the vBlade device is running old software, and it will upgrade the vBlade. As part of the upgrade, the vMaster will reboot the vBlade.

12. Optionally, force failover back to the original vMaster.

13. Take over the vMaster role:

a. Select Config Mode > System > aVCS > General.

b. In the vmaster-take-over field, enter 255.

14. Click OK.

15. For each VRID, reset the VRRP-A priority to its previous value:

a. Select Config Mode > VRRP-A > Setting > VRRP-A Interface.

b. Next to Preempt Mode, select Enabled, if not already selected.

c. Select all the VRIDs.

d. Edit the value in the Priority field to a value that is lower than the priority value(s) for the VRIDs on the backup ACOS device.

e. Click Edit.

f. Click OK.

Staggered Upgrade (no VRRP-A)

Note: Staggered upgrade using the GUI is supported only in AX Release 2.7.0 and later. This section is inapplicable to performing staggered upgrade from 2.6.1 using the GUI.

1. Select Config Mode > System > Maintenance > Upgrade.

2. For Media, leave Hard Disk selected.

3. Next to Destination, select the image area.

Note: All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from their own primary image areas.

4. For Reboot, select Yes to reboot as soon as you click OK, or No if you prefer to reboot later. The new image takes effect only after a reboot.

5. For Upgrade from, select the location where you saved the upgrade image:

• Local – Uploads the image from the PC or workstation where you are using the GUI.

• Remote – Uploads the image from another PC or workstation.

6. If you selected Local:

a. Click Browse and navigate to the image location.

b. Click Open.

c. Click Apply.

7. If you selected Remote:

a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

b. If using FTP and the remote device does not use the default FTP port, change the port.

c. In the Host field, enter the hostname or IP address of the remote device.

d. In the Location field, enter the pathname and image file name.

e. In the User and Password fields, enter the username and password required for access to the remote device.

f. Click Apply.

8. Select Staggered Upgrade Mode, and specify the aVCS device ID of the device to reboot.

9. Click OK.

10. Go to the vBlade device and force failover in order to take over the vMaster role:

a. Select Config Mode > System > aVCS > General.

b. In the vmaster-take-over field, enter 255.

c. Click OK.

During failover, the vBlade becomes the vMaster. vMaster becomes a vBlade device. The new vMaster will detect that the vBlade device is running old software, and it will upgrade the vBlade. As part of the upgrade, the vMaster will reboot the vBlade.

11. Optionally, force failover back to the original vMaster.

12. Take over the vMaster role:

a. Select Config Mode > System > aVCS > General.

b. In the vmaster-take-over field, enter 255.

13. Click OK.

Using the CLI

This section describes how to upgrade an aVCS chassis using the CLI.

Backing Up the System

Before you begin the upgrade, it is recommended to back up the system. A full system backup includes the startup-config file, aFleX files, and SSL certificates and keys.

To do so, use the following command:

backup system [use-mgmt-port] url

The url specifies the file transfer protocol, username (if required), directory path, and filename. The following types of URLs are supported:

• tftp://host/file

• ftp://[user@]host[:port]/file

• scp://[user@]host/file

• rcp://[user@]host/file

• sftp://[user@]host/file

You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password.

The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.
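Because a full system backup contains SSL certificates and keys, the transport named in the URL matters. The following Python code is an added example, not part of the A10 documentation: it checks a backup URL against the forms listed above and flags unencrypted transports and embedded passwords. The function name, the sample hosts and the cleartext/encrypted classification (general protocol behaviour) are assumptions not taken from this page.

```python
from urllib.parse import urlsplit

# General protocol facts, not statements from the release notes:
ENCRYPTED = {"scp", "sftp"}         # both run over SSH
CLEARTEXT = {"tftp", "ftp", "rcp"}  # file contents and credentials cross the wire unencrypted
# URL forms as listed on this page: only ftp takes [:port]; tftp has no [user@].
PORT_ALLOWED = {"ftp"}
USER_ALLOWED = {"ftp", "scp", "rcp", "sftp"}

def audit_backup_url(url):
    """Return a list of findings for a backup URL; an empty list means acceptable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ENCRYPTED | CLEARTEXT:
        return [f"unsupported scheme {scheme!r}"]
    findings = []
    if not parts.hostname:
        findings.append("missing host")
    if not parts.path.strip("/"):
        findings.append("missing file path")
    if parts.username is not None and scheme not in USER_ALLOWED:
        findings.append(f"{scheme} URL form has no user part")
    try:
        has_port = parts.port is not None
    except ValueError:  # .port raises on a non-numeric or out-of-range port
        has_port = False
        findings.append("invalid port")
    if has_port and scheme not in PORT_ALLOWED:
        findings.append(f"{scheme} URL form has no port part")
    if parts.password is not None:
        findings.append("password embedded in URL; let the CLI prompt for it")
    if scheme in CLEARTEXT:
        findings.append(f"{scheme} is unencrypted; the backup carries SSL certificates and keys")
    return findings

# Constructed sample URLs (192.0.2.0/24 is a documentation address range).
SAMPLES = [
    "sftp://backup@192.0.2.10/acos/full-backup.tar",
    "tftp://192.0.2.10/full-backup.tar",
    "ftp://admin:secret@192.0.2.10:2121/full-backup.tar",
    "scp://backup@192.0.2.10:2222/full-backup.tar",
    "http://192.0.2.10/full-backup.tar",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", audit_backup_url(url) or "OK")
```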


Full Chassis Upgrade (with or without VRRP-A)

Note: This procedure requires a reboot of each ACOS device in the virtual chassis. In this case, the vMaster sends the new image to all vBlades and reboots all devices in the virtual chassis, including itself. This can take several minutes, during which a service outage will occur.

Perform the following steps on the vMaster.

1. Save the startup-config to a new configuration profile:

write memory all-partitions

2. Upload the new image onto the vMaster and reboot:

upgrade hd {pri | sec} [use-mgmt-port] url

The CLI displays a prompt asking you whether to reboot. Enter yes to reboot now, or no if you prefer to reboot later. The new image takes effect only after a reboot.

3. To verify the upgrade after the ACOS device reboots, use the following command:

show version

Staggered Upgrade (with VRRP-A)

In this procedure, the vBlades are upgraded first, followed by the vMaster.

Note: These steps assume that when you begin the procedure, the vMaster is also the active VRRP-A device for all VRIDs.

Perform step 1 through step 5 on the vMaster:

1. On the vMaster, verify the currently running software version and the image area currently in use.

show bootimage

show version

All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from the primary image areas on those devices.


2. Save the configuration to the other image area:

write memory {primary | secondary} [all-partitions]

Note: Make sure to use the all-partitions option, if RBA/L3V private partitions are configured.

3. Upgrade the vBlade, by loading the new software image into the image area currently in use by the vBlade:

upgrade hd {pri | sec} [use-mgmt-port] url staggered-upgrade-mode device DeviceID

• The device DeviceID specifies the vBlade’s aVCS device ID.

• The url specifies the file transfer protocol, username and password (if required), directory path, and filename.

• The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.

This step reboots the vBlade. The vMaster continues to operate.

4. For each VRID that is active on the device, force failover from the vMaster to the vBlade:

vrrp-a vrid {num | default}

This command changes to the configuration level for the VRID. At this level, use the following command:

priority 255 device DeviceID

Note: Do not use the vrrp-a force-self-standby command.

5. Validate that the load-balanced services are working. (The show commands or other techniques depend on your deployment. The show slb virtual-server command is useful in almost any deployment.)

Perform step 6 on the vBlade, to take over vMaster role:

6. On the vBlade that is running the new software image, enter the following command:

a. At the Privileged EXEC level (AX#), use the following command to force the vBlade to take over the vMaster role:

vcs vmaster-take-over 255

During failover, the vBlade becomes the vMaster, and the vMaster becomes a vBlade. The new vMaster will detect that the vBlade device is running old software, and it will upgrade the vBlade. As part of this upgrade, the vMaster will reboot the vBlade.


(Optional) Perform step 7 on the new vBlade (former vMaster), to resume the vMaster role and again become the active device for the VRID:

7. Optionally, force failover back to the original vMaster.

a. At the Privileged EXEC level (AX#), use the following command to take over the vMaster role:

vcs vmaster-take-over 255

b. For each VRID, use the following commands to reset the VRRP-A priority to its previous value.

vrrp-a vrid {num | default}

priority previous-value device DeviceID

CLI Example

The commands in this example perform a staggered upgrade of a virtual chassis containing 2 devices (ACOS1 and ACOS2). Before the procedure begins, and after it is completed, ACOS1 is the vMaster and ACOS2 is the vBlade. The devices are running the software image located in the primary image area.

The following commands are entered on ACOS1 (the vMaster):

ACOS1-vMaster-Active(config)#show bootimage

(* = Default)

Version

-----------------------------------------------

Hard disk primary 2.7.1-P1 (*)

Hard disk secondary 2.6.1-GR-P2

Compact flash primary 2.4.3 (*)

Compact flash secondary 2.4.3

ACOS1-vMaster-Active(config)#show version

AX Series Advanced Traffic Manager AX2500

Copyright 2007-2012 by A10 Networks, Inc. All A10 Networks products are

protected by one or more of the following US patents and patents pending:

7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,

20070283429, 20070271598, 20070180101

64-bit Advanced Core OS (ACOS) version 2.6.1-GR1-P2, build 57 (May-07-2012,02:04)

Booted from Hard Disk primary image

Serial Number: AXxxxxxxxxxxxxxx

aFleX version: 2.0.0

aXAPI version: 2.0

Hard Disk primary image (default) version 2.6.1-GR1-P2, build 57


...

ACOS1-vMaster-Active(config)#write memory secondary all-partitions

Building configuration...

Write configuration to default startup-config

[OK]

ACOS1-vMaster-Active(config)#upgrade hd pri use-mgmt-port ftp://[email protected]/Ax52_upg_2_7_1-P1_57.64.tgz staggered-upgrade-mode device 2

Password []?********

ACOS1-vMaster-Active(config)#vrrp-a vrid default

ACOS1-vMaster-Active(conf-vrid)#priority 255 device 2

ACOS1-vMaster-Standby(conf-vrid)#exit

On ACOS2 (the upgraded vBlade), the following commands access the Privileged EXEC level of the CLI, and take over the vMaster role:

ACOS2-vBlade-Active>enable

Password:enable-password

ACOS2-vBlade-Active#vcs vmaster-take-over 255

ACOS2-vMaster-Active#

Optionally, the following commands on ACOS1 return that device to the vMaster role, and reset the VRID priority so that ACOS1 is again the active VRRP-A device for the VRID.

ACOS1-vBlade-Standby(config)#vcs vmaster-take-over 255

ACOS1-vMaster-Standby(config)#vrrp-a vrid default

ACOS1-vMaster-Standby(conf-vrid)#priority 100 device 2

ACOS1-vMaster-Active(conf-vrid)#

After this final set of commands, device 1 is again the aVCS vMaster, as well as the active VRRP-A device for the VRID. Device 2 is again the vBlade, as well as the standby device for the VRID.
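The version checks in step 1 and after the reboot can be scripted. The following Python code is an added example, not A10 code: it parses show bootimage and show version output in the line format of the transcript above and reports when the new image is stored in the booted area but is not yet running. The function names and sample outputs are constructed for illustration, and the output format is assumed to match this page's example.

```python
import re

# Line formats follow the CLI example on this page; other releases may differ (assumption).
BOOTIMAGE_RE = re.compile(
    r"^(Hard disk|Compact flash)[ \t]+(primary|secondary)[ \t]+(\S+)([ \t]+\(\*\))?[ \t]*$",
    re.IGNORECASE | re.MULTILINE)
RUNNING_RE = re.compile(r"\(ACOS\) version (\S+), build (\d+)")
BOOTED_RE = re.compile(
    r"Booted from (Hard Disk|Compact Flash) (primary|secondary) image", re.IGNORECASE)

def parse_bootimage(text):
    """Map (medium, area) -> (version, is_default) from show bootimage output."""
    return {(m.lower(), a.lower()): (v, bool(star))
            for m, a, v, star in BOOTIMAGE_RE.findall(text)}

def parse_version(text):
    """Extract the running version and the booted image area from show version."""
    run, boot = RUNNING_RE.search(text), BOOTED_RE.search(text)
    if not run or not boot:
        raise ValueError("unrecognised show version output")
    return {"running": run.group(1), "build": int(run.group(2)),
            "medium": boot.group(1).lower(), "area": boot.group(2).lower()}

def verify_upgrade(bootimage_text, version_text, expected):
    """Return findings; an empty list means the device is running `expected`."""
    images, ver = parse_bootimage(bootimage_text), parse_version(version_text)
    findings = []
    if ver["running"] != expected:
        findings.append(f"running {ver['running']}, expected {expected}")
    stored = images.get((ver["medium"], ver["area"]))
    if stored is None:
        findings.append("booted image area missing from show bootimage")
    elif stored[0] != ver["running"]:
        # Image written to the booted area, but the device has not rebooted into it.
        findings.append(f"{ver['medium']} {ver['area']} holds {stored[0]}: reboot pending")
    elif not stored[1]:
        findings.append("booted area is not the default boot area")
    return findings

# Constructed sample output, modelled on the transcript format above.
SAMPLE_BOOTIMAGE = """\
(* = Default)
Version
-----------------------------------------------
Hard disk primary 2.7.1-P1 (*)
Hard disk secondary 2.6.1-GR1-P2
Compact flash primary 2.4.3 (*)
Compact flash secondary 2.4.3
"""
SAMPLE_VERSION_BEFORE_REBOOT = """\
64-bit Advanced Core OS (ACOS) version 2.6.1-GR1-P2, build 57 (May-07-2012,02:04)
Booted from Hard Disk primary image
"""
SAMPLE_VERSION_AFTER_REBOOT = SAMPLE_VERSION_BEFORE_REBOOT.replace("2.6.1-GR1-P2", "2.7.1-P1")

if __name__ == "__main__":
    for out in (SAMPLE_VERSION_BEFORE_REBOOT, SAMPLE_VERSION_AFTER_REBOOT):
        print(verify_upgrade(SAMPLE_BOOTIMAGE, out, "2.7.1-P1") or "OK")
```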


Staggered Upgrade (no VRRP-A)

In this procedure, the vBlades are upgraded first, followed by the vMaster.

Perform step 1 through step 4 on the vMaster:

1. On the vMaster, verify the currently running software version and the image area currently in use.

show bootimage

show version

All devices in the virtual chassis use the same image area (primary or secondary). For example, if the software running on the vMaster is in the primary image area, all the vBlades also are running their software from the primary image areas on those devices.

2. Save the configuration to the other image area:

write memory {primary | secondary} [all-partitions]

Note: Make sure to use the all-partitions option, if RBA/L3V private partitions are configured.

3. Upgrade the vBlade, by loading the new software image into the image area currently in use by the vBlade:

upgrade hd {pri | sec} [use-mgmt-port] url staggered-upgrade-mode device DeviceID

• The device DeviceID specifies the vBlade’s aVCS device ID.

• The url specifies the file transfer protocol, username and password (if required), directory path, and filename.

• The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.

This step reboots the vBlade. The vMaster continues to operate.

4. Validate that the load-balanced services are working. (The show commands or other techniques depend on your deployment. The show slb virtual-server command is useful in almost any deployment.)


Perform step 5 on the vBlade, to take over vMaster role:

5. On the vBlade that is running the new software image, enter the following command:

a. At the Privileged EXEC level (AX#), use the following command to take over the vMaster role:

vcs vmaster-take-over 255

During failover, the vBlade becomes the vMaster and the vMaster becomes a vBlade. The new vMaster will detect that a vBlade device is running old software and it will upgrade that vBlade. As part of the upgrade, the vMaster will reboot the vBlade.

(Optional) Perform step 6 on the new vBlade (former vMaster), to resume the vMaster role and again become the active device for the VRID:

6. Optionally, force failover back to the original vMaster.

a. At the Privileged EXEC level (AX#), use the following command to take over the vMaster role:

vcs vmaster-take-over 255

Management GUI Requirements

Table 9 lists the browser versions supported by the ACOS management GUI in this release.

The browser used to access the GUI must support encryption keys of 128 bits or longer. Beginning in AX Release 2.4.2, shorter encryption keys (for example, 40 bits) are not supported. The browser also must support TLS 1.0. Beginning in AX Release 2.6.1-P1, browsers that support only SSL are not supported.

TABLE 9 GUI Browser Support

Browser / Platform       | Windows       | Linux     | MAC
IE 6.0 and higher        | Supported     | N/A       | N/A
Firefox 3.5 and higher   | Supported     | Supported | N/A
Safari 3.0 and above     | Not Supported | N/A       | Supported
Chrome 5.0 and above     | Supported     | Supported | Supported


A screen resolution of at least 1024x768 is required for the GUI to be displayed correctly.

After you upgrade the ACOS device, clear the browser cache to ensure proper display of the GUI.

Disabling HTTP-to-HTTPS Redirection

By default, redirection of HTTP to HTTPS is enabled for access to the management GUI. As a result, even if both HTTP and HTTPS web access are enabled on an AX interface, HTTP requests sent to the interface will be redirected to HTTPS.

To disable redirection of HTTP to HTTPS for web management access, enter the following command at the global configuration level of the CLI:

no web-service auto-redir

If you are already logged into the GUI and want to change the setting for the next login, you can disable redirection from within the GUI:

1. Select Config > System > Settings.

2. On the Web tab, click on the Re-direct HTTP to HTTPS checkbox to deselect the option.

3. Click Apply.

Trunk and Layer 2/3 Virtualization Support

If you are upgrading from a release earlier than 2.6.1, the trunk configuration enhancements in this release are not automatically supported. Likewise, the startup-config is not automatically modified to match VE numbers to VLAN IDs, which is required for Layer 2/3 virtualization.

• By default, ACOS does not automatically change VE numbers to match their VLAN IDs following upgrade from an earlier release to 2.6.1. Matching of VE number to VLAN ID is not enforced by default.

• If you attempt to enable Layer 2/3 virtualization on a private partition, the device prompts you to back up the system, then use the write memory upgrade-startup-config-l3v command to change VE numbers in the startup-config to match the VLAN IDs. After this, matching of VE number to VLAN ID is enforced.

• For new ACOS devices (no pre-existing config running on earlier software version), matching of VE number to VLAN ID is enforced by default. The write memory upgrade-startup-config-l3v command is not required.

To enable the trunk enhancements and modify the startup-config to make sure VE numbers match their VLANs:

1. Upgrade the image to 2.6.1. See the section in this chapter that is applicable to your deployment:

• “Upgrading the Software Image (non-aVCS deployment)” on page 210

• “Upgrading the Software Image (aVCS virtual chassis)” on page 217

2. Back up the startup-config and system files. To do so, use the following command:

backup system [use-mgmt-port] url

3. Use the following command:

write memory upgrade-startup-config-l3v

The upgrade-startup-config-l3v option is not listed in the CLI help and is not supported by command completion. You must type the entire option name as shown.


Common Criteria

The following configuration information applies only to ACOS models that are validated and certified for Common Criteria, an International Standard for Computer Security Certification:

• The High Availability feature is not a part of the validation process.

• The Data Plane shall have open ports serviced by applications.

• No routing (either external or internal) is supported between the management plane and the data plane. Therefore, AX data plane users cannot access the management plane.

On the ACOS device, when all FIPS self-tests have been passed, the following message appears in the log:

All FIPS power on self test have passed.

Any FIPS self-test failures are indicated in the command prompt. For example:

AX3000(FIPS FAIL MODE)#


© 2014 A10 Networks Corporation. All rights reserved.