Release Notes
ACOS 4.1.4 Issues for A10 Thunder Series™ and AX Series™

Select one of the following:


Limitations affecting 4.1.4-GR1-P10 Release
Known Issues affecting 4.1.4-GR1-P10 Release
Fixed Issues in 4.1.4-GR1-P10 Release

Limitations affecting 4.1.4-GR1-P9 Release


Known Issues affecting 4.1.4-GR1-P9 Release
Fixed Issues in 4.1.4-GR1-P9 Release

Limitations affecting 4.1.4-GR1-P8 Release


Known Issues affecting 4.1.4-GR1-P8 Release
Fixed Issues in 4.1.4-GR1-P8 Release

Limitations affecting 4.1.4-GR1-P7 Release


Known Issues affecting 4.1.4-GR1-P7 Release
Fixed Issues in 4.1.4-GR1-P7 Release

Limitations affecting 4.1.4-GR1-P6 Release


Known Issues affecting 4.1.4-GR1-P6 Release
Fixed Issues in 4.1.4-GR1-P6 Release

Limitations affecting 4.1.4-GR1-P5 Release


Known Issues affecting 4.1.4-GR1-P5 Release
Fixed Issues in 4.1.4-GR1-P5 Release

Limitations affecting 4.1.4-GR1-P4 Release


Known Issues affecting 4.1.4-GR1-P4 Release
Fixed Issues in 4.1.4-GR1-P4 Release

Limitations affecting 4.1.4-GR1-P3 Release


Known Issues affecting 4.1.4-GR1-P3 Release
Fixed Issues in 4.1.4-GR1-P3 Release

Limitations affecting 4.1.4-GR1-P2 Release


Known Issues affecting 4.1.4-GR1-P2 Release
Fixed Issues in 4.1.4-GR1-P2 Release

Limitations affecting 4.1.4-GR1-P1 Release


Known Issues affecting 4.1.4-GR1-P1 Release
Fixed Issues in 4.1.4-GR1-P1 Release

Limitations affecting 4.1.4-GR1 Release


Known Issues affecting 4.1.4-GR1 Release


Fixed Issues in 4.1.4-GR1 Release

Limitations affecting 4.1.4-P3 Release


Known Issues affecting 4.1.4-P3 Release
Fixed Issues in 4.1.4-P3 Release

Limitations affecting 4.1.4-P2 Release


Known Issues affecting 4.1.4-P2 Release
Fixed Issues in 4.1.4-P2 Release

Limitations affecting 4.1.4-P1 Release


Known Issues affecting 4.1.4-P1 Release
Fixed Issues in 4.1.4-P1 Release

Limitations affecting 4.1.4 Release


Known Issues affecting 4.1.4 Release
Fixed Issues in 4.1.4 Release

Release: ACOS 4.1.4-GR1-P10 Limitations
A10 Tracking ID: 469261
System Area: aFleX
Severity: Minor
Description: The maximum length that the command [HTTP::path] can refer to is up to 2048 bytes.
Workaround: The path value can be retrieved using the 'getfield [HTTP::uri]' command. For example, 'set path [getfield [HTTP::uri] "?" 1]'.
Version Reported: 4.1.4-P3
Release: ACOS 4.1.4-GR1-P10 Known Issues
A10 Tracking ID System Area Severity Description Workaround Version Reported

No Known Issues are reported in ACOS 4.1.4-GR1-P10.

Release: ACOS 4.1.4-GR1-P10 Fixed Issues
A10 Tracking ID System Area Severity
550405 GiFW Infra Major

550342 ConfigMgr Major

550285 Explicit Proxy Major

550237 VCS Major

550213 SSL Major

550120 SLB-L4 Major

550084 SLB-L4 Major

550003 System - platform Major

549967 System - management Minor

549901 SSL Major

549856 CGN-Infra Critical

549661 SLB-DNS Major

549640 System - management Minor

549571 SLB-L4 Major

549499 SLB-NAT Major

549472 AAM Major

549406 GSLB Major

549394 CGN-Infra Critical

549379 Platform Major


549340 GSLB Major

549280 SLB-NAT Major

549268 System - management Major

549265 AXDebug Major

549247 ConfigMgr Major

549238 Router - BGP Major

549166 AAM - Kerberos Major


549163 VCS Major
549160 SLB-Config Major

549148 SLB-ICAP Major

549034 Health-Monitor-Infra Major

548935 SLB-HTTP Major

548929 SLB-ICAP Major

548809 System - platform Major

548785 SLB-Conn-reuse Major

548779, 547696 L2/L3 Major

548731 Router - BGP Major

548719 VRRP-A Major

548716 VRRP-A Major

548587 Web - ADC CGN Major

548578 Router - BGP Major


548485 aFleX Major
548458 Web3.0 (deprecated) Major

548383 SLB-Logging Major

548377 SLB-L4 Major

548254 SNMP Major

548125 L2/L3 Major

547897 SNMP Major


547855 System - platform Major

547828 SLB-L4 Major

547696 SLB-NAT Major

547684 SSLi Major

547558 System - platform Major

547465 SLB-L4 Major

547378 ConfigMgr Major

547342 Firewall Major

547339 Firewall Major

546997 SLB-NAT Major

546832 VRRP-A Major

546661 SLB-Logging Major

546655 Web - ADC CGN Enhancement

546619 AAM Major
546613 aXAPI v3 Major

546484 Firewall Major

546436 Firewall Major

546412 Platform Major

546319 SLB-HTTP Major

546286 System - platform Major


546256 SLB-L4 Major

546229 Logging Infrastructure Major

546211 System - platform Major

546178 Web - ADC CGN Major

546049 CGN-One-to-One-Nat Major

545644 Web - TPS Major

545629 system Major

545416 System - platform Critical

545155 Firewall Major

544762 SLB-Config Major

543688 CGN-SCTP Major

541465 aFleX Major

540551 AAA Major

539587 VCS Critical

538717 SNMP Major


535978 Counter-Infra Critical
535018 System - management Major

519082 SLB-NAT Major

505997 System - platform Major


501559 SSLi Major

498466 SLB-Persist Major

486319 VRRP-A Major

481354 Jazz Platform Enhancement

331927 L2/L3 Major
Description
When shared VLAN was used in an L3V partition with the firewall enabled, only the
first SNMP request to the shared VLAN interface worked as expected, whereas the
following requests timed out.
The 'method radius' configuration of the health monitor disappeared after reload or
reboot if a non-default port number was configured.
ACOS crashed if there were more than 42 events in the dynamic-service epoll event
queue and other modules accessed the overlapped memory space.
The control CPU usage was higher while executing Health Monitor aXAPI calls on the
A10 device.
The 'SSL3_RSA_RC4_128_SHA' cipher could be used with the 2nd-Generation (N3) by
default, even though it was not listed as supported in the A10 SSL Cipher Suites List.

The number of connections for the real server exceeded the connection-limit configured
on the TCP virtual port, causing high resource usage.
In the active standby mode, if the options 'extended-stats' or 'conn-limit' were configured
on the virtual port, the current connection counter did not increment in the standby
device even when the standby session was created.
Disk usage issues were encountered for platforms having 32GB or less disk size.

When a string-case-insensitive class-list file was imported, the matching did not work if
the key-string of the class-list contained lowercase letters.
Since the N5 did not have a hardware SSL context limit, the system performance was
impacted when a high number of server names triggered many SSL context creations.

ACOS would sometimes crash while trying to get a NAT pool using the pool ID.

ACOS did not attempt to requery the response when it received a truncated UDP DNS
response and a malformed packet.
If a file name was not specified while using the 'backup system encrypt' command, the
file was generated with the name '.protected' instead of having a name based on
hostname and time.
In an L2 SSLi single partition deployment, the HTTP and ping traffic did not hit the VIP
if the VE that received the packets did not own an address.
The NAT configuration line disappeared after reboot if the glid was configured before it.

With AAA NTLM and WAF configuration, the system crashed when there was a large
amount of traffic.
When the VRRP-A based configuration sync was used to synchronize the configuration
between two ACOS devices, the GSLB group configuration was also synchronized,
causing the receiver to lose its device-specific GSLB group configuration.

ACOS crashed when a NAT logging template with a custom message was applied.

The 'show interface media' command displayed an error for 40G breakout ports when
configured in '4x10g' mode.
When a DNS query was sent to the GSLB VIP with the Z flag set to 1, ACOS did not
set the Z flag of the DNS reply according to the authoritative mode, resulting in an error.

When the VRRP-A floating IP and SLB SNAT IP overlapped, the ICMP error packet
associated with the SLB session was dropped.
On the TH1040, the 'import' command failed to execute if the server port number was
greater than 55536.
The AXDebug files with names having special characters like ':' or '$' could not be
exported from the GUI.
Segmentation fault occurred on the a10cfgmgr if the 'file-url' parameter of the aXAPI
POST '/axapi/v3/web-service/secure' command exceeded the predefined limit.

The BGP log messages were missing from the router logs after 'acos-event' was
implemented.
Large WIA traffic would sometimes cause the device to crash.
The VCS floating IP was not accessible when the management port flapped.
A server-ssl template did not work as expected when it was bound to a dynamic real-
server's port.
The connection would terminate if the request header in the REQMOD response
spanned across multiple packets.
In private L3V partitions, when Health Monitor external programs with filenames
greater than a certain length were created/edited, the 'Transfer to unix format failed' error
message was displayed by the Health Monitor alarm log.

While clearing SSL operations due to unbinding TCP connection, if the order of the
processes was bad, ACOS would crash.
When a large cookie header spanning multiple packets was received from the ICAP
server on a 200 response, the cookie sent to the backend server was broken.

When the admin session of a partition user on an L3V partition timed out, the generated
logs appeared on the shared partition.
If the 'conn-limit' option was configured along with 'conn-reuse', the traffic stopped
when the 'conn-limit' was reached and the SLB server was unable to receive new
connections from the virtual server.
If the IPv6 NAT Pool was added with the same address, connectivity to the IPv6
floating IP would fail and cause the packets to drop.
ACOS could set or decode an AS4_path to include 4-byte ASN only, instead of
including both 2-byte and 4-byte ASN.
Periodic GARPs (30sec) were not sent out for the VIPs when multiple L3Vs and VIPs
were configured.
In the L3V partition, the first GARP was not sent out for the Virtual-server IP address
when the VRRP-A became active.
Hot-swapping of certificates or keys on server-name entries in a client-ssl template
failed and displayed the error message, 'The server name already exists'.

On the TH3230, the BGP threshold warning logs were not generated.
The aFleX command 'HTTP::uri' failed if the URI length was greater than 3840 bytes.
In the GUI, configuring the passphrase for server private keys from the shared partition
in L3V was not possible.
In the case of ADC deployments, the NetFlow-V5 records were sent with incorrect
timestamps (10 to 17 days in the future).
When a TCP-proxy virtual port received a FIN-ACK packet before completing the TCP
backend handshake, the client FIN packet was not forwarded to the backend, causing the
session to remain open until timeout.
On the A10 Thunder device, when the configuration and operational status of the SLB
server port were fetched, the value of the OID 'axServerPortMonitorState' was incorrect.

When the display length of the 'Tagged Vlans configured:' field was greater than 500
bytes, executing the 'show interface' command resulted in a crash.
The OID 'axIpNatLoggingLogPktSent' did not work for L3V partition.
When the 'link startup-config' was set to default profile from GUI/CLI, the profile name
displayed in the log was corrupted.
In the SNAT environment, the TCP timestamp was not removed from the re-transmitted
SYN packet.
If the IPv6 NAT Pool was added with the same address, connectivity to the IPv6
floating IP would fail and cause the packets to drop.
When the AC class-list was updated in the GUI, the class-list used by 'client-ssl forward-
proxy-bypass' was updated incorrectly, causing the SSLi bypass check to fail.

On the TH7440-11/TH5840-11, the fiber signal quality would sometimes degrade on
Switching ASIC when the 100G port linked up as 40G. As a result, the input error and
CRC error increased on this link.
The Non-TCP/UDP traffic would match a session that was created by the 'others' virtual
port under a wildcard virtual server even if the traffic did not match the access list
associated with the virtual server. This would cause a loop in the network.

The aXAPI 'delete' method could not delete more than 251 SLB servers with a single
execution due to incorrect message count calculations.
The firewall ALG processing did not support the Trivial File Transfer Protocol (TFTP)
in the L2 mode.
In the firewall L2 mode, since the nexthop of the reverse tuple could not be found
correctly during ALG processing, the data session could not be setup. As a result, the
FTP, SIP and ESP did not work in the L2 mode.
When the SNAT-MSL was configured, the NAT IP was not freed for the MSL period,
causing the 'block-replace-start/end' command to fail.
The error message 'Peer exists already' was displayed while configuring the VRRP-A
peer-group IP address using the aXAPI POST:/axapi/v3/vrrp-a/peer-group.

Log messages greater than 1024 bytes did not have the newline character at the end.

When the restore and reboot commands were issued in the GUI, the 'Bad Request'
message was displayed.
The aFleX command 'AAM::authentication set username' did not work as expected.
When an IPv4 address range was added to an object group, the range was not added
correctly, and 'Bad Request : No such clause configured for this object group' error
message was displayed.
ACOS reloaded when the firewall rule-set had a destination rule with domain list, and
firewall logging was configured with 'include-dest-fqdn' command.
On a device with ADC and CFW products, the command 'fw extended-matching disable'
could not disable the session extended match caused by zone configuration in the
firewall rule, for the SLB session.
The voltage sensor status would sometimes mistakenly appear as under threshold limit,
and then get cleared when ACOS booted.
When WAF, aFleX, and Compression were configured on the same virtual port, the
response was not forwarded correctly.
The software watchdog was not enabled for the AWS vThunder platform.
The 'Packet drops' counter (from the 'show errors' command output) increased during the
TCP handshake for client-side connections.
WAF External logging duplicated the messages with TCP syslog. Additionally, ACOS
also sent the messages to both disabled and lower priority servers in the service-group.

The input errors and CRC kept increasing on 40G ports of 5440/5840/7440/6440/4440,
resulting in unstable traffic.
In the GUI, the 'Valid Days' field was mandatory while creating the CSR although it was
not needed.
When one-to-one SNAT was configured along with NAT64, the source port was set to
zero while transferring IP fragmented UDP packets.
The control plane was not accessible when the client IP was in the 10.16.10.0/24 range.

Thunder 14045 could not boot up because the file system was full of NTP logs.

On the TH4440S, the SCTP HW assisted checksum was invalid for outbound packets
(having a size less than the 64B) from ACOS to the client.
While editing or creating a Firewall Rule in the GUI, multiple lines could be added in
the 'Remark' field, causing a parse error after reloading the configuration.

A10 ADC did not honor the behavior for wildcard VIPs for 'non-syn-initiation', 'drop-
unknown-conn', and 'reset-unknown-conn' options in the virtual port template.

The system reloaded if one of the SCTP chunks, with an invalid length, was larger than
the current packet payload size.
DNS aFleX did not support an underscore '_' for query names in record types SRV,
TLSA, OPENPGPKEY, SMIMEA, TXT, and URI.
The TACACS server could not be accessed if the commands 'ip control-apps-use-mgmt-
port' and 'source ip' (with mgmt IP) were configured simultaneously.

When device 2 configuration referenced device 1 configuration, a bad reference counter
case occurred. This caused configuration management to reload when the corresponding
object was deleted.
The Data CPU usage statistics contained I/O data CPU usage as well.
ACOS crashed when the script 'policy_based_ipsec_vpn' was executed.
The system froze intermittently while accessing the management interface via aXAPI
calls.
If the IPv6 NAT Pool was added with the same address, connectivity to the IPv6
floating IP would fail and cause the packets to drop.
Email alerts were not sent when the SMTP stopped working.
After configuring EP, ACOS failed to handle HTTP/HTTPS requests with domain name
lengths greater than or equal to 128 characters.
Since the HTTPS virtual port did not support 'template persist ssl-sid', the persistence
template could not be bound to the virtual server.
ACOS reloaded when the 'sampling-enable' option was configured under VRRP-A
VRID.
Since ACOS could not detect a faulty FPGA, it continued to run in the Active state and
sent out corrupted TCP/UDP packets.
In some cases, the ACOS device took a long time to update the IPv6 neighbor table.
4.1.4-GR1-P9

5.2.1-P3

4.1.4-GR1-P8

4.1.4-GR1-P9

4.1.4-GR1-P10

4.1.4-GR1-P5

4.1.4-GR1-P9

4.1.4-GR1-P9

5.2.1-P2

4.1.4-GR1-P6

4.1.4-GR1-P5

4.1.4-GR1-P6

4.1.4-GR1-P7

4.1.4-GR1-P10

5.2.1-P3

4.1.4-GR1-P9

4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.4-GR1-P9
4.1.4-GR1-P10

4.1.4-GR1-P8

3.2.5-P5

5.2.1-P4

4.1.4-GR1-P5

5.2.1-P3

4.1.4-GR1-P2
5.2.1-P4
4.1.4-GR1-P9

5.2.1-

4.1.4-GR1-P9

4.1.4-GR1-P8

5.2.1-P2

5.2.1-P2

4.1.4-GR1-P9

4.1.4-GR1-P8

5.2.1-P3

5.2.1-P2

5.2.1-P2

4.1.4-GR1-P9

4.1.4-GR1-P9
2.7.2-P12-SP3
4.1.4-GR1-P5

4.1.4-GR1-P3

4.1.4-GR1-P8

4.1.4-GR1-P8

4.1.4-GR1-P5

5.2.1-P3
5.2.1-P2

4.1.4-GR1-P5

4.1.4-GR1-P9

5.2.1-P2

5.2.1-P3

4.1.4-GR1-P8

5.2.1-P2

5.2.1-P3

5.2.1-P3

4.1.4-GR1-P8

5.2.1-P2

5.2.1-P2

5.2.1-P2

4.1.4-GR1-P5
4.1.4-GR1-P5

5.2.1-P3

5.2.1-P2

5.2.1-P2

4.1.4-GR1-P9

5.2.1-P3
4.1.4-GR1-P8

5.2.1-P3

5.2.1-P2

5.2.1-P2

5.2.1-P4

4.1.4-GR1-P7

4.1.4-GR1-P2

5.1.0-PATCH

4.1.4-GR1-P7

5.2.1-P3

5.1.0-P4

5.2.1-P1

4.1.4-GR1-P4

4.1.4-GR1-P7

4.1.4-GR1-P6
5.2.1-P1
4.1.1-P9

5.2.0

4.1.4-GR1-P2
4.1.4-GR1-P3

5.0.0-P1

4.1.4-GR1-P9

2.7.2-P15

2.7.2-P7-SP3
Release: ACOS 4.1.4-GR1-P9 Limitations
A10 Tracking ID System Area Severity
542125 aFleX Major

544942 L2/3 - Trunks (LACP/Static) Major

Description Workaround
The connection is reset if an incomplete aFleX is applied to a virtual-server on a
proxy-mode v2 (for example WAF, HTTP2).
After configuring the ethernet of a trunk in an L3V partition, if the lead member
is unconfigured first, the non-lead members cannot be removed from the
partition.
Version Reported

4.1.4-GR1-P2
Release: ACOS 4.1.4-GR1-P9 Known Issues
A10 Tracking ID: 544762
System Area: SLB-Config
Severity: Major
Description: A10 ADC does not honor the behavior for wildcard VIPs for 'non-syn-initiation', 'drop-unknown-conn', and 'reset-unknown-conn' options in the virtual port template.
Workaround:
Version Reported: 5.2.1-
Release: ACOS 4.1.4-GR1-P9 Fixed Issues
A10 Tracking ID System Area Severity
546463 SLB-DNS Major

546322 System - platform Major

546226 aFleX Critical

546217 Web - ADC CGN Major

546214 SLB-FTP Major

546136 SNMP Major

546001 SLB-ICAP Major

545794  SLB-L4 Major


545680 WAF Major

545671 SLB-Config Major

545668 SLB-HTTP Major

545638 ACL Major

545632 SLB-NAT Major

545500 SSL Major

545470 VCS Major

545371 SLB-L4 Major

545365 SSL Major

545356 Router - OSPF Major


545218 SSL Major

545140 L3V Major


545128 VCS Major

544978 Web - ADC CGN Major


544843 System - management Major

544819 Explicit Proxy Major

544687 SLB-Config Major

544651 VRRP-A Major

544576 SLB-L4 Major


544456 Router - OSPF Major

544372 ConfigMgr Major

544348 SLB-L4 Major

544330 WAF Major

544222 Scaleout-cgn-data-plane Major

544144 System - snmp Major

544111 system Major

544024 VRRP-A Major

543931 SLB-DNS Major

543880 aFleX Major

543793 SLB-L4 Major

543790 Web - ADC CGN Major

543751 Router - OSPF Major


543748 Router - OSPF Major
543745 Firewall Critical

543697 AAM Major


543553 AAM Major

543388 L2/L3 Major

543274 others Major

543139 SLB-Policy Major

543091 SLB-ICAP Major

543055 AAM Major

543001 L2/3 VLAN Major

542989 SLB-RADIUS Major

542860 Health-Monitor-Infra Major

542857 SSL Major

542812 SLB-SIP Minor

542719 L7 Classification Major

542713 Platform Minor

542707 system Major

542689 Harmony-Controller-Integ Major

542650 Harmony-Controller-Integ Major
542647 System - management Major

542590 cThunder Enhancement

542419 VRRP-A Major

542212 SLB-TCS Major

542140 SNMP Major

542125 Documentation Major

541168 SNMP Major


540994 Firewall Critical

540925 Chassis Platform Major

540469 SLB-L4 Major

539159 Web - ADC CGN Critical

500533, 472379 Harmony-Controller-Integ Major

500176 ConfigMgr Minor

473131 SLB-Config Major


Description
When 'dns-cache' and 'extended-stats' were enabled, and aFleX was configured on the
udp or dns-udp virtual ports, the current connection counter for the ports did not
decrement even after deleting the session.
After downgrading from ACOS 5.x to 4.x, the TH4440 device froze when the 'boot-
block-fix hd' command was executed.
After upgrading to ACOS 4.1.4-GR1-P8, the aFleX scripts would override the internal
syn-cookie setting and cause the device to crash.
The 'fw urpf loose' option was not shown on the Security > Firewall > Configure >
Settings page in the GUI.
When the aFleX commands [TCP::payload replace] and/or [TCP::respond] were
configured under the FTP virtual-port, the sequence number of the packet with the
PORT command was incorrect, causing the TCP stream to break.
The snmp-server table-timeout value for the ifXTable could not be configured and was
fixed at 60 seconds.
When the server response was chunked and the trailing CRLF was split across packets,
the RESPMOD request to the ICAP server could be incorrect.
ACOS crashed when an SLB object was deleted while sFlow was active.
Thunder did not forward the server response to the client when WAF and aFleX were
configured and the server response was TCP segmented.
In the L3V partition, a class-list setting on the firewall rule was not retained after reboot.

The HTTP traffic under the SLB HTTP virtual-port could cause ACOS crash when the
visibility monitor traffic service or the harmony controller were enabled.

Configuring an ACL in the shared partition caused extended VLAN session matching
across the device.
On ACOS 4.1.4-GR1-P5 and later, the NAT worked unexpectedly even if the traffic was
from an inside interface to an inside interface.
Since the default CA bundle in Thunder contained expired 'Let's Encrypt' certificates,
websites using these certificates were blocked.
The startup configuration could not be exported from the vblade using the SCP or CLI.

The session age decreased by 60 seconds when the 'no vrrp-a vrid' command was
executed.
After upgrading from ACOS 4.1.4-GR1-P3 to 4.1.4-GR1-P8, the HTTPS virtual ports
could not process the SSLv2 record layer ClientHello, causing the connection to close.

The size of the router debug log file was almost 10% of the configured size.
In the vThunder instance created using '.ova' image, the 'scep' folder was not present
under the '/a10data/var/log' directory. Since the 'scep' log file could not be created, the
'pki scep-cert' configuration failed.
The device crashed when a partition was deactivated.
When the management port was enabled or disabled, the VCS floating IP, with the same
subnet as the data port, could not be accessed.
In the GUI, a 404 error occurred while editing virtual-server ports with ACL
configuration.
On the TH1030S, when the 'show interface media' command was executed, the first 6
ports that were not hot-pluggable displayed 'No SFP device detected' instead of 'Show
interface media feature is not supported on this port'. Additionally, the 1G SFP ports 7
and 8 also displayed 'No SFP device detected' instead of proper port information.

When SSLi failsafe bypass occurred, the non-ssl bypass service-group in the client-ssl
template, and the service-group in the virtual port were used. However, the bypass failed
if these two service groups were not configured.
ACOS may reload while receiving traffic from a virtual port configured with IP-in-IP
encapsulation.
After migrating from ACOS 2.7.2 to ACOS 4.x, the NAT pool could not be configured
with the same IP address as the floating IP address.
The SYN flood DDoS attacks triggered fast aging due to low session memory.
After upgrading, the router's link-local IPv6 address changed. Although the OSPF
interface information was updated with the new address, the next-hop information in the
OSPF route table pointed to the old IP address, causing traffic failures.

The password type was mishandled by the VCS sync. As a result, the PFX certificate was
not synchronized with the VBlade after being imported onto the VMaster.

The device reloaded while receiving jumbo frames (on the L7 socket) that were split into
IP fragments.
When the WAF was configured with the 'sqlia-check' or 'xss-check sanitize', the system
reloaded if the argument matched one of the policy expressions, and the request
contained arguments on the URL, some POST data, and no Content-Type header.

In a CGN scaleout setup, when the device sent traffic to the destination port 4510, the
messages were treated as IPSec HA messages. Field errors occurred while parsing these
messages that resulted in a crash.
On the chassis system, the SNMP trap messages were not forwarded from the blade to
the master server.
In a chassis system, the blade server issued timeout logs intermittently, and the device
rebooted without any core files.
When the system was configured using the new event logging mechanism, some logs
were not printed for the VRRP-A events.
The RRD files were generated for real servers created according to the Dynamic server
name, resulting in high disk usage.
After upgrading from ACOS 414-GR1-P3 to ACOS 414-GR1-P5, a memory leak
occurred in EP when aFleX modified the HOST header.
The UDP session that was created by the 'aging short' option was not deleted after
switching to standby.
Since the radius-secret field was changed from clear text to encrypted password,
configuring the health-monitor with method radius resulted in an error in the GUI.

After upgrading to ACOS 414-GR1-P8, the OSPF crashed while initializing.


Missing OSPF routes caused the real servers to be in DOWN state (for 15 minutes), and
all the neighboring servers to be in UP state.
With the basic firewall configuration, the TCP SYN Half Open session count increased
continuously, eventually causing fast aging.
The device would crash sometimes during the Radius Access-Challenge flow.
A blank password led to the creation of a malformed AAM auth session, and also caused
authentication issues.
Interface flaps in BFD sessions sometimes led to the addition and deletion of these
sessions, and also caused the system to freeze.
On the TH6630 platform, the 'show environment' command output displayed incorrect
positions for the upper or lower fan tray.
While adding an AC entry to a huge class-list (over 20k), ACOS reloaded due to the
logging thread failsafe.
When the ICAP RESPMOD received a modified response (in chunked encoding format
that spanned across multiple packets), sometimes the chunked encapsulation headers
were stripped while sending the response back to the client. As a result, some sites could
not be accessed when the 'template respmod-icap' was used on the virtual port.

The usage of the authentication service-group in the OCSP-stapling configuration
caused the device to reload.
When the vThunder was migrated between the two OpenStack environments, the
behavior and configurations were inconsistent across old and new machines.

After rebooting or reloading, the radius health check configuration was missing from the
running configuration. Please note that this change disrupted aXAPI backward
compatibility.
ACOS crashed sometimes when the 'show health monitor <name>' command was
executed with compound health-check configured.
When the client-ssl template and service-group were not configured under the virtual
port, the SSL state machine did not wait to collect all the split CLIENT HELLO packets
and entered the wrong state without parsing the CLIENT HELLO.

When multiple REGISTER messages were received on the same session with 'call-id-
persist-disable' option, the current connection count for the registrar service-group was
incorrect.
In a CGNv6 LSN only deployment, when multiple DNS queries using the same source
IP address and same source port were sent simultaneously, the DNS ALG (enabled by
default) caused the DNS session to be deleted as soon as the first DNS response was
received. As a result, all the subsequent DNS responses received were dropped by
ACOS.

The FAN status would sometimes mistakenly appear as 'failed' status, and then get
cleared when ACOS booted.
When the DNS template parameter 'max-cache-entry-size' was changed during running
traffic, the device reloaded while freeing the memory.
While registering with the Harmony Controller (HC), the Thunder device would crash if
the HC host was set as FQDN.
While establishing a SaaS Tunnel from Thunder to Harmony Controller (hosted in the
cloud), the SaaS tunnel client binary displayed the HC password in cleartext (in the
thunder shell) instead of masking it.
The password policy was enforced incorrectly, and access was granted even for incorrect
passwords.
Although the startup included the timezone configuration, the timezone was not applied
when the startup configuration was replaced using the 'copy <source> startup' command.

Although the VRRP-A tracking option 'gateway' worked with the Gateway mode, it did
not work as expected for the Transparent mode. The 'gateway' status was always 'down'
even when its health status was 'UP' and pingable from Thunder.

When the non-default VRID was used, synchronized sessions for transparent cache
switching were not cleared properly after a VRRP-A switch-over.
When the SNMP Client requested an SLB server that was configured without an SLB
port, NULL address was accessed, causing the device to crash.
The connection was reset if an incomplete aFleX was applied to a virtual-server on a
proxy-mode v2 (for example WAF, HTTP2).
The SNMP OID for 'NAT No Session Drops' was missing.
When SCTP traffic was permitted using rules that were configured with zones, session
synchronization to standby led to a crash as the data to be synchronized exceeded the
sync buffer size.
When the 'ip client' or 'ip server' commands were executed, the DCMSG API did not
work as expected for the fragmented IPv6/IPv4 control plane traffic.
Although the 'conn-limit' parameter was configured under the rport or rserver,
sometimes the number of current connections exceeded the configured limit when
multiple CPUs created connections simultaneously.
On the TH14045, the Apache server would time out when large backup log files were
downloaded in the GUI.
The logs incorrectly displayed the "LSN: Session user-quota exceeded by User" error
instead of displaying the "Session User Quota Exceeded" error.
When the named ACL was selected in the configuration mode, the output of the 'show
run with-default' command was truncated for all ACL rules.
One aFleX script was missing from the SLB virtual port after merging the configuration
with two or more aFleX scripts.
Version Reported
5.2.1-P3-SP1

4.1.4-GR1-P8

5.2.1-

4.1.4-GR1-P8

4.1.4-GR1-P8

4.1.4-GR1-P8

5.2.1-P3

4.1.4-GR1-P7
4.1.4-GR1-P8

4.1.4-GR1-P7

4.1.4-GR1-P3

4.1.4-GR1-P9

4.1.4-GR1-P8

4.1.4-GR1-P5

4.1.4-

4.1.4-GR1-P5

4.1.4-GR1-P8

4.1.4-GR1-P8
4.1.4-GR1-P2

4.1.4-GR1-P6
4.1.4-GR1-P5

5.2.1-P2
4.1.4-

4.1.4-GR1-P9

4.1.4-GR1-P5

5.2.1-P2

4.1.1-P12
4.1.4-GR1-P5

5.2.1-P2

4.1.4-GR1-P3

4.1.1-P6

5.2.1-P1

4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.4-GR1-P7

4.1.4-GR1-P6

4.1.4-GR1-P5

4.1.4-GR1-P2

4.1.4-

4.1.4-GR1-P8
4.1.4-GR1-P5
4.1.4-GR1-P5

4.1.1-P11
4.1.4-GR1-P8

5.1.0-P5

4.1.4-GR1-P7

4.1.4-GR1-P5

5.2.1-P1

4.1.4-GR1-P8

4.1.4-GR1-P4

5.2.1-P2

4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.4-GR1-P3

4.1.4-GR1-P5

4.1.4-GR1-P5

5.2.1-P1

5.2.1-P2
5.2.1-P1

5.2.1-

4.1.4-GR1-P7

5.2.1-P1

4.1.4-GR1-P6

5.2.1-P1

4.1.4-GR1-P4
5.1.0-P6

5.1.0-P5

5.2.1-P2

4.1.4-GR1-P5

5.0.0-P1, 4.1.4-GR1

4.1.4-GR1-SP2

4.1.4-GR1
Release: ACOS 4.1.4-GR1-P8 Limitations

A10 Tracking ID: Bug 541144
System Area: SLB-NAT
Severity: Major
Description: NAT pool port overloading option is not supported for IP NAT traffic.
Workaround:
Version Reported: 4.1.4-GR1-P4

A10 Tracking ID: Bug 539692
System Area: System Platform
Severity: Major
Description: Multi control CPU (multi-ctrl-cpu) is not supported for TH1040/TH940.
Workaround:
Version Reported: 4.1.4-GR1-P7

Release: ACOS 4.1.4-GR1-P8 Known Issues
A10 Tracking ID System Area Severity Description

No Known Issues are reported in ACOS 4.1.4-GR1-P8.


Workaround Version Reported
Release: ACOS 4.1.4-GR1-P8 Fixed Issues
A10 Tracking ID System Area Severity
542242 Web - ADC CGN Major

542179 CGN-DSLite Critical

542089 SLB-NAT Major

541951 System - platform Major

541939 System - platform Major

541789 L3V Major

541735 SLB-HTTP2 Major


541669 SSLi Critical

541630 SLB-NAT Major

541570 system Major

541543 ConfigMgr Major

541513 CLI (Deprecated -- Select core component) Major

541405 SLB-HTTP Major

541216 Web - ADC CGN Major

541150 Health-Monitor-Infra Major

541117 ConfigMgr Major

541087 Web - ADC CGN Major

541081 SLB-Config Major

540949 SSL Major


540910 SLB-L4 Major

540886 system Major

540859 System - platform Major

540745 SSL Major

540574 Web - ADC CGN Major

540562 RBA Major

540330 Web - ADC CGN Major

539881 Platform Major

539830 ConfigMgr Major

539818 SLB-Config Major

539791 aFleX Major

539749 SLB-L4 Major

539704 Web - ADC CGN Major

539677 L2/L3 Broadcom/Marvell Major

539584 Router - BGP Major

539581 CLI (Deprecated -- Select core component) Major

539524 system Major

539513 VCS Major

539450 SLB-HTTP Major


539416 SSLi Major

539320 Firewall Major

539291 GSLB Critical

539248 aXAPI v3 Major

539162 GSLB Major

539152 Web - ADC CGN Major


539149 CGN-DSLite Major

539056 FW-Classifier Major

539048 CM Major

538997 DNSSEC Critical

538378 SLB-NAT Major

538101 SLB-Config Major

537166 Explicit Proxy Major

537070 CGN-NAT64 Major


537013 AXDebug Major

502027 WAF Major

404168 RBA Major


Description
A hardware issue on the TH940/TH1040 caused an error while starting the secure Web
service (Web GUI).
The A10 CGN device crashed when the port hung and created a duplicate or invalid
buffer.
The NAT port was not freed if the pool-group was assigned to the 'svm-source-nat'.

A memory leak occurred while registering or deregistering ACOS 5.2.1-P2 with the
Harmony Controller.
The GUI version displayed in the 'show version' command output was different
compared to the installed GUI version.
In the partition, the 'show cpu' command reflected incorrect CPU usage for the SSLi
traffic.
A duplicate cookie in the HTTP/2 request caused a memory leak.
When the client-SSL template was configured with 'forward-proxy-cert-not-ready-action
intercept', the server certificate could not be fetched due to firewall blocks or other
network issues. The continuous attempt to fetch the certificate resulted in buffer spikes,
causing high Data CPU usage.

When 'ip nat inside source class-list' string type was used, the device crashed during
class-list lookup.
An SNMP trap (axHighPrioritySyslog) message was sent out to the SNMP server when
the vThunder located on an AWS platform was rebooted.
In the GUI, changing the name of an SLB service group that was bound to a virtual port
and an HTTP template, caused the device to crash.
The execution of legacy SLB commands was slow and caused high CPU utilization.

The device crashed if the response received from the ICAP server had a header name
greater than 64 bytes.
In the GUI, with a certain VRRP-A configuration, the 'force-self-standby' option did not
work as expected due to 'The vrid lead partition vrid value is required' error message that
was displayed while editing the VRRP-A common.
When the health monitor external program had a blank description, unwanted messages
like, 'The description of <sample.ext> is null' were displayed in the log.

The 'system set-tcp-syn-per-sec' option was not displayed in the 'show run with-default'
command output. Additionally, the 'system set-tcp-syn-per-sec' configuration was not
saved in the startup configuration after reboot.
The error message, 'Cannot find the corresponding xpath according to schema' was
displayed in the GUI, when 'access-list name x source-nat-pool x' was configured on the
virtual port.
While removing a partition with SLB server-group configured, the device crashed.

While configuring the client authentication in the client-SSL template, if the client
accessed the virtual port with a DSA certificate, the system crashed.
In a large-scale SSLi deployment when the 'system same-src-dst-port-ip-hash' option
was enabled to distribute IPSEC VPN traffic, asymmetric forwarding occurred and two
sessions for the same five tuples were found when one side of the flow sent fragments.

ACOS could not log in to the latest Harmony Controller (5.3.0-P1), due to the removal
of some Key Exchange Algorithms from the ssh configure files.
CPU overload and traffic issues were caused when IPV6 fragmentation used the same
source port hash, which was based on the FPGA.
During an SSL handshake, if the DHE public key length was smaller than the prime
length, the device sent a Reset (RST) packet causing the TLS to fail.
In the GUI, under 'ADC' > 'Virtual Services', after searching a virtual service name, '?
unknown' was displayed in the 'Status' field.
Some of the preconfigured RBA Partition roles could not be removed due to the 'RBA
rule not found' error.
In the GUI, the users with partition read-write privileges could not save the
configuration for L3V partitions.
The space allocated for the new proxy cookies was not freed, causing increased system
memory usage.
In the GUI, under 'Security' > 'Access List' > 'Standard', when a new ACL rule
containing the 'deny any' entry was added at an older sequence number other than the
'deny any' entry, an error message was displayed and the ACL rule was deleted.

The connection limit configuration was not checked before applying connection limit
accounting, causing counters to underflow when the RR was triggered for proxy virtual
ports.
The device crashed if the system ran out of memory during aFleX DNS record
allocation.
With wildcard VIP and no-dest-nat configured, if the real server IP didn't match the
client destination IP, the system and packets didn't have the rule to route the packets,
resulting in a failed session if the real server ARP aged out.
The VRRP-A heartbeat status was displayed as 'Disabled' in the GUI when the interface
type was defined as trunk.
When the A10 device entered a 'port-hang' state, duplicate invalid buffers caused the
device to crash.
The 'show log' output did not include a warning when the BGP (Border Gateway
Protocol) prefix exceeded the threshold.
The 'show session dns-id-switch' command output did not display the 'DNS-ID' field.

While performing ccn-mask on the response data, if the length of the number was 17
digits, an invalid copy caused the thunder device to reload.
The running configuration could not be copied after the 'vcs vmaster-take-over'
command was issued.
When 'failover-url' was configured with 'url-switching', if a previously selected server
was disabled, a subsequent HTTP request did not trigger server re-selection even if
additional servers were available in the same service group.
In the case of SSLi in L2 mode topology with reverse tuple setup, the VLAN/port was
incorrectly fetched from the client-side and server-side, causing SSL session failure.

The Data Center Firewall permit logs did not have the 'YEAR' timestamp when 'merged-
style' was enabled.
When the 'dnssec sign-zone-now gslb.a10hk.com' command was executed several times,
one zone record cross-referenced the other and the resources were not released properly,
causing the device to crash.
While creating an SLB service-group, since it was not mandatory to specify the protocol
in the payload, a stale object (that could not be deleted) was created.

The GSLB member did not serve DNSSEC zone records if the member was never a
master of the new zone.
After enabling Telnet on any port, it could not be disabled from the GUI.
In the DS-lite configuration, the 'user-quota exceeded User (Count)' syslog did not show
the correct source IPv4 address, which exceeded the user-quota.
On the KVM vThunder, the firewall dropped ICMP health check response when the
'shared-poll-mode' was enabled.
The device reloaded when a partition with the server-name configuration (in client-SSL
template) was removed.
The key signing key (KSK) changed unexpectedly when the 'dnssec sign-zone-now'
command was executed, resulting in an incorrect DNSSEC setup.
In certain SLB configurations, the IP NAT logging template did not take effect for
Source-NAT.
Thunder could not identify the GEO class list, since the CLI commands were based on
CM-based rendering.
After configuring the SNAT at the forward-proxy action level, if the traffic was
bypassed by the SSLi, server selection occurred again, and the reselected SNAT did not
match the previously configured SNAT.
The IPv6 fragments of the NAT64 hairpin packet did not reassemble correctly.
On some FPGA platforms, the incoming jumbo packets were truncated when AX debug
'capture' command was used.
The WAF 'json-format-check' caused the xml parser to overflow with a negative
number, resulting in an unexpected reload.
Improper RBA permissions were triggered while using mixed case. Consider the
following scenarios:
1. Both admin and RBA user were case sensitive during configuration and login: the
names Abc and ABC designated different users.
2. The same stateless label could not be added when a different version already existed.
For example after adding user Abc, user abc could not be added.
Version Reported
4.1.4-GR1-P7

4.1.4-GR1-P7

4.1.4-GR1-P8

4.1.4-GR1-P8

4.1.4-GR1-P7

4.1.4-

4.1.4-GR1-P5
5.2.1-

5.2.1-P1

4.1.4-GR1-P6

4.1.4-GR1-P7

4.1.4-GR1-P6

4.1.4-GR1-P8

4.1.4-GR1-P7

4.1.4-GR1-P1

4.1.4-GR1-P7

4.1.4-GR1-P5

4.1.4-GR1-P8

4.1.4-
4.1.4-GR1-P7

5.2.1-P2

4.1.4-GR1-P7

4.1.4-GR1-P6

4.1.4-GR1-P6

4.1.4-GR1-P7

5.2.1-P2

4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.4-GR1-P6

5.1.0-P5

4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.4-GR1-P6

4.1.4-GR1-P6

4.1.4-GR1-P4

4.1.4-

4.1.4-GR1-P6
4.1.4-GR1-P7

4.1.4-GR1-P5

4.1.4-

4.1.4-GR1-P2

4.1.4-GR1-P6

4.1.4-GR1-P6
4.1.4-GR1-P4

4.1.4-GR1-P6

4.1.4-GR1-P4

4.1.4-GR1-P6

5.3.0-

5.3.0-

4.1.4-GR1-P6

5.2.0-P1
5.2.1-P1

4.1.0-P9

4.1.0-P9
Release: 4.1.4-GR1-P7 Limitations
A10 Tracking ID System Area Severity
537905 GSLB Major

530425 Resource Accounting - AXAPI Major

527276 L2/3 - Trunks (LACP/Static) Enhancement

512944 STO Major


Description Workaround
'The server does not exist' error is displayed if the GSLB service-ip uses an IP as name and the service-ip is deleted before deleting the vip-server. Workaround: GSLB service-ip name should not be an IP address. Recommend to use a string plus the IP as the name instead, e.g., internal-1.1.1.1

A resource template of a partition was removed when applying a template of lower value setting using GUI.

When 'ports-threshold 2 timer 1 do-auto-recovery' is configured, the LACP cannot get in sync after the change in the status of port (up/down). Workaround: Configure timer value 2sec or more

In the vSphere Virtual Machine, the kernel or vThunder becomes unresponsive when a snapshot is taken.
Version Reported
4.1.4-GR1-P5

4.1.4-GR1-P6

4.1.4-GR1-P4

4.1.4-GR1-P6
Release: 4.1.4-GR1-P7 Known Issues
A10 Tracking ID System Area Severity Description

There are no Known Issues.


Workaround Version Reported
Release: 4.1.4-GR1-P7 Fixed Issues
A10 Tracking ID System Area Severity
538954 L2/3 - ARP Major

538810 Platform Major


538732 SLB-L4 Major
538726 GSLB Major
538660 Explicit Proxy Major

538486 Compression Major

538474 aFleX Critical

538453 system Major

538390 Web - ADC CGN Major

538369 aFleX Major

538309 Explicit Proxy Major


538285 SLB-Config Major

538096 CGN-Infra Major


538087 SE Reported Bug Major

537988 ConfigMgr Major

537913 aFleX Major

537889 Logging Infrastructure Major


537802 SLB-NAT Major

537775 aXAPI v3 Major

537730 Web Category - URL Filtering Major
537685 VRRP-A Major

537673 System - snmp Major


537610 SLB-HTTP Major

537574 FPGA Critical

537571 SNMP Major

537562 SSL Major

537480 Web3.0 (deprecated) Major

537391 L2/L3 Major

537328 Router - BGP Major

537295 AAM Major

537283 GSLB Major

537010 SLB-Logging Major

536371 CGN-Infra Major

536290 L2/3 - MAC Major

536254 system Major

536218 Firewall Minor

535975 ConfigMgr Major


535933 SLB-Config Major

535918 ConfigMgr Major

535903 Web - ADC CGN Enhancement
535780 SSLi Major

535684 Router - OSPF Major

535645 SLB-L4 Major


535489 Router - OSPF Major

535274 SSL Major

535018 System - management Major


532891 Router - BGP Major

532051 SSLi Major

530371 Router - Static v4/v6 Major

528661 aXAPI v3 Major

528191 VCS Major

527797 SLB-NAT Major

527728 System - platform Major

527590 System - platform Enhancement
527494 AAM Major

526648 SLB-L4 Major

525301 SNMP Major


524257 Router - OSPFv3 Major

524251 VRRP-A Minor

522253 Logging Infrastructure Major

520585 ConfigMgr Enhancement
511846 System - platform Major

509293 Web - ADC CGN Minor

507923 SLB-Config Major

502357 System - management Critical

501040 System - management Major


486595 ConfigMgr Major
Description
After configuring static ARP with a specific mac and interface, if a GARP is received
with the same MAC address and VLAN on a different interface, AX changed the
interface to the new interface in which the GARP was received.
With ACOS 5.2.1-P1, hardware error occurred after rebooting TH7445 device.
Device crashed due to high memory usage on block 484.
GSLB device crashed due to bad zone.
A10 may crash when Explicit Proxy receives a request that has absolute URI with a non-
standard scheme.
If http/1.1 response contains replacement feature and HTTP compression was enabled,
the ACOS crashed during processing the http/1.1 response.
aFleX http::collect was not working if client side traffic was chunk encoded. Traffic was
forwarded before all the data was collected.
The mirror-port sends packets with incorrect IP and TCP checksum when vrrp-a is
enabled.
ACOS crashed when one of the SNI entry from a client-ssl template was removed
through an api call.
ACOS may experience a crash if aFleX encoding command is first used to populate the
internal table.
Dynamic-service DNS failure was seen when tried to query absolute FQDN.
The device did not send Gratuitous ARP (GARP) for all the IP addresses in the subnet
virtual server.
Even though ve is disabled, floating-ip responded to icmp echo request.
Feature degradation caused all the ports to be 'UP' in 5.1.0-P5 after system reboot. This
would have caused traffic switchover after the reboot was complete.

ACOS did not send any port-batch freed notifications to logging servers when the
logging template was configured with 'Port Mappings' that was set to 'Creation' under
'NAT Log' section of the template and then was later edited to the default setting.

While detecting a HTTP2 request, the aFleX command HTTP::uri caused a crash as it
did not pre-check the new or old proxy before accessing the request field.

Thunder added 1 octet with value 0 at the end of syslog UDP packet.
Even after an overlapping NAT pool was deleted, the device continued to advertise the
deleted NAT pool and stopped advertising the standby NAT pool.
When the axapi command 'write memory all-partitions' was executed, the parameter
'terminal length' was set incorrectly.
When WEB category cloud lookup timed out, SSL pointer was used without valid
check. This caused the crash due to access to the NULL pointer.
When fifth rule was configured under ACL, an error was returned 'Rule already
configured for this Access List'.
For TH1040 and TH940, two of the fan names of snmp trap, OID:axSystemFanFailure
and axSystemFanRecover, were different from show environment. "Fan 2A" on CLI
was displayed as "FAN 1" and "FAN 3A" was displayed as "FAN 3".
For HTTP::respond 429, the response code header displayed 'Unknown' instead of 'Too
many requests'.
Low-level configuration settings were incorrect when 'same-src-dst-port-ip-hash' was
enabled.
axSysAverageDataCpuUsage returned different values after upgrade from 4.1.2-P4 to
4.1.4-GR1-P4.
After reboot, the VIP service could not be accessed and SSL fatal error occurred in https
proxy-mode.
VRRP-A page was not displayed correctly in GUI when vlan was specified in vrrp-a
interface configuration.
The value of show interfaces ethernet is not updated from the last display before
linkdown.
ECMP flapping occurred every one minute when route-map contained "set origin igp".

Files for 'default-portal' under '/a10data/auth/portal/' are missing from 5.2.0-P1 OVA
image from the Support Portal.
An IPv6 address which is included in the NAT pool and also used by SLB VIP could
not be added to GSLB service-ip.
The HTTP error logs printed the 'log-line ID' in the syslogs instead of the 'log-reason'.

The ICMP server traffic was sent out from default route instead of client side interface
when the client side interface flapped (disabled and enabled).
The message 'Detected problem in Health Monitor DataCPU' was printed in the log
multiple times after executing 'show techsupport' command.
The HW had slow refills from DataCPU due to traffic attack, as each DataCPU dropped
the packets to the capsule.
The firewall active rule-set was recompiled automatically within the 10 seconds idle
period during VCS setup, thereby denying all traffic unexpectedly.
Device crashed when rebinding service-group to VIP.
Ping to VIP does not work when 'use-rcv-hop-for-resp' is added to more than one vports
and then removed from one vport.
When import-periodic is configured, timestamp of 'Configuration last updated' is
updated by GUI show tech.
Could not configure "object network" as source or destination network using GUI option
under Security > Firewall > Rulesets > Rule.
Intermittent SSL handshake failures were observed. HTTPS VPORT sent TCP RST
upon Client Hello reception.
OSPFD crashed when 'distribute-list ospf-filter in' was bound under router OSPF.

The response packet's destination was different between TCP and UDP vPort.
ACOS did not include the 'forwarding address' in the LSA when Thunder device
was configured as an OSPF NSSA and redistributed the VIPs and NAT-IPs as Type 7
LSAs.
The device crashed and received 'out of memory error' due to large OCSP-stapling
requests or responses.
Intermittent hang was observed when accessed management interface via axAPI.
When the user sets the Syslog filter to debugging, it is visible even without BGP CLI.

If a client specifies sigalgs in the signature algorithms extension that ACOS doesn't
support, the handshake is aborted.
Logs with content 'a10_rtnl_talk_ipv4_static_route_flush one route' were generated
repetitively.
When the resources and arguments were mentioned in a single tf file, Terraform error
logs were created.
While creating a VRID, the blade-parameters were created automatically. However,
after rebooting, when VCS was re-enabled, an incorrect VCS device was used to create
the blade-parameters, causing the synced configurations to lose their correct blade-
parameters settings.

Accessing the NAT pool after deleting a server port, would cause the box to crash under
certain conditions due to timing issues.
The output of some commands displayed that the tech support page was incomplete.

Setting the IP MTU on the management interface is now supported from ACOS CLI in
KVM/Openstack environment.
The browser received a forbidden webpage when there was a capital letter in service-url
for SAML.
Packets were dropped if MAC/ARP was lost when incoming/outgoing interface were in
the same VLAN and packets were routed through ACOS instead of client/server.

The SNMP sysObjectID for TH940 platform was incorrect.


OSPFv3 show commands are updated so that they are similar to OSPFv2 show
commands. For example, "show ip ospf database" displayed a 'Route' column while
"show ipv6 ospf database" did not display the 'Route' column.
The legacy command 'both' under VRRP-A interface has been removed. This command
is not recommended for new VRRP-A configurations and exists only as an inherited
attribute for legacy High Availability (HA) configurations.
The source IP address for an acos-events server changed after rebooting the box.

Added checksum validation against message received from vblade to ensure there is no
crash
Frequent Imjournal service reloads caused high CPU spikes since the journal was
corrupted.
The certificate and key of SLB template client-ssl on L3V could not be updated to the
certificate and key on the shared partition.
Dynamic real servers could be deleted and recreated again even when the server was in
graceful shutdown mode.
ACOS had stopped working when aFlex executed complex commands for sFlow data
payload manipulation.
After executing write memory all-partitions, the last-saved terminal length was not
getting reflected and was unable to be set in all the partitions.
The CLI configuration commands are enhanced to have an aFleX script editor, that
defines syntax to allow the user to create an aFleX script locally, but it does not follow
the name range limitation in general. This block-replace-start allows aFleX name that
exceeds 63 characters and the long aFleX name causes "no such aFleX" error when
issuing another block-replace in the future.
Version Reported
4.1.4-GR1-P6

5.2.1-P1
4.1.4-GR1-P5
5.1.0-P5
4.1.4-GR1-P6

4.1.4-GR1-P6

4.1.4-GR1-P6

4.1.4-GR1-P5

4.1.4-GR1-P4

4.1.4-GR1-P6

4.1.4-GR1-P7
4.1.4-GR1-P6

4.1.4-GR1-P5
5.1.0-P5

4.1.4-GR1-P5

4.1.4-GR1-P6

4.1.4-GR1-P5
4.1.4-GR1-P7

4.1.4-GR1-P5

5.1.0-P4

4.1.4-GR1-P5

4.1.4-GR1-P6
5.2.1-P1

4.1.4-GR1-P5

4.1.4-GR1-P4

4.1.4-P2

4.1.4-GR1-P6

4.1.4-GR1-P5

5.2.1-P1

5.2.0-P1

4.1.4-GR1-P5

5.2.1-P1

5.1.0-P5

2.7.2-P13

4.1.4-GR1-P3

4.1.4-GR1-P5

5.2.1
4.1.4-GR1-P4

4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.1-P13-SP2

4.1.4-GR1-P5

4.1.4-GR1-P4
4.1.4-GR1-P2

4.1.4-GR1-P5

4.1.1-P9
4.1.4-GR1-P5

4.1.4-GR1-P5

4.1.4-GR1-P3

4.1.4-GR1-P4

4.1.4-GR1-P5

4.1.0-P11

4.1.4-P3

4.1.4-GR1-P3

5.2.0

4.1.4-GR1-P2

4.1.4-GR1-P4
4.1.4-GR1-P3

4.1.4-GR1-P4

4.1.4-GR1-P3

4.1.4-GR1-P3

5.1.0

4.1.4-GR1

4.1.4-GR1-P3

4.1.4-GR1-P2

4.1.4-GR1-P2
4.1.0-P11

Release: 4.1.4-GR1-P6
A10 Tracking ID System Area Severity

There are no Limitations.


Description


Workaround Version Reported


Release: 4.1.4-GR1-P6
A10 Tracking ID System Area Severity

There are no Known Issues.


Description


Workaround Version Reported


Release: 4.1.4-GR1-P6
A10 Tracking ID System Area Severity
533945 FPGA Critical
535912 Web - ADC CGN Minor
535846 Platform Major
535621 SSL Major
535225 SLB-ICAP Major

535138 System - platform Minor

534982 SSLi Critical


534928 SLB-HTTP Major
534778 Health-Monitor-Infra Major
534689 TCPIP Major
534679 GSLB Major
534574 Web - ADC CGN Major
534481 CGN-DSLite Major
534367 SLB-ICAP Major
534341 Scaleout-configuration Critical
534334 ConfigMgr Major
534314 Scaleout-control-plane Major
534292 SLB-Persist Major

534127 ACL Major


533926 aFleX Major
533863 SLB-NAT Major
533749 L2/L3 Major
533731 ConfigMgr Major

533656 SLB-HTTP Major

533644 GSLB Major

533554 SLB-HTTP2 Major

533503 SSL Major


533500 WAF Major

533371 System - platform Major

533266 L2/L3 Major

533224 AAM Major


533161 SSLi Major
532948 SLB-Config Major
532810 GSLB Major
532753 SLB-NAT Major
532732 Scaleout-slb-data-plane Major
532256 SLB-ICAP Major


Description
The SACK was not updated. It was copied from the backend stream.
In the GUI, VRRP-A settings received an error when admin account had privilege partition-write.
PSU's serial number and model were not visible post-upgrade.
The system crashed when trying to get the verified result during an SSL renegotiation in the aFleX.
On EP+SSLi+ICAP topology, the chunk length number of the encapsulated HTTP message body was displayed as a string on the client
browser screen when an ICAP server blocked the server response and sent a BLOCKED page (HTTP 403 Forbidden with message body)
generated by the ICAP server.
On Flexible Traffic Acceleration (FTA) v2 models, CLI displayed a high temperature of 68 degrees celsius while the default temperature
was set at 60 degrees celsius.

ACOS reloaded when the system was in load sharing mode and the box was operating with SSLi as a single box partition.
HTTP switching encountered error when HTTP requests were transferred without host header (HTTP 1.0).
When adding a member to a service-group while waiting for server response, the 'show slb service-group <sg-name>' displayed incorrect
server status while the 'UNK' state was indicated in 'show health status'.
Device crashed when ACOS was in FINWAIT2 state while receiving FIN+DATA from the connection.
The 'health check port' operation displayed inconsistent data.
Logging options in client-ssl template were removed from CLI when template was updated using GUI
In the Ds-Lite with prefix-quota, logs inside the Ipv4 address were 0.0.0.0 while non-zero value was expected.
When RESPMOD-ICAP was enabled, the actual payload was not received.
Election mode was not maintained correctly when there were two scaleout masters in the scaleout cluster.

Reload command failed due to high control CPU after changing SLB resource-usage along with write-memory execution.
The device was not updated within the expected time to update the distribution list on a node. This resulted in sync error.

ACOS crashed when the server modified the SSL ID so that the client can use a new SSL ID/session. This was because of stale references
to old SSL.
ACL matching failed when trunks were used in the ACLs and the ACL was also being used by an application.
An aFlex session switch error occurred due to incorrect switching.
ACOS device was reloaded when traffic hit VIP through NAT interface with only IP NAT range-list configured.
IP FIB tables were out of sync between PU1 and PU2.
After configuring aFLeX and virtual-server (bound to the class-list), when the class-list was imported and the virtual-server configuration
was deleted, an attempt to remove the class-list resulted in 'Class list is in use' error message.
The session was not closed immediately when the server sent FIN to the session after receiving the request and client side had already sent
FIN to close the connection.
The ACOS device console was unresponsive when there were hostname-based SLB servers in the configuration and GSLB configuration.

When a non-default HTTP port was used, the HTTP2 to HTTP1 host header translation failed to insert the port value into the header.

Intermittent reset was sent by A10 VIP when DHE cipher was used.
After upgrading to 4.1.4-GR1-P5, the device crashed due to the multi-threaded issue of re-adding the timer from different threads.

The vThunder crashed if DPDK memory pool was low on resource and the Dplane thread tried to allocate 1024 bytes at a time.

When IP address configuration for management interface was by DHCP, the 'show ip interface management' did not display the interface
management information
Crashes occurred due to incorrect signature header of the allocated memory.
ACOS crashed when aFleX accessed the data and resumed the HTTPS connection.
The prefix 'check' option under cookie persist template was not working as expected.
System crash was observed when malformed packet with bad FQDN was sent.
The snat-on-vip did not work when used with access-list.
The updated admin user account was not synced to vBlade when logged in as another user.

When ICAP was applied inside the partition, it did not forward the FIN to the client.


Version Reported
4.1.1-P12
4.1.4-GR1-P5
5.2.1-
4.1.1-P8
4.1.4-GR1-P6

5.2.1-

5.1.0-P4
4.1.4-GR1-P3
4.1.4-

5.2.0-P1
4.1.4-GR1-P5
4.1.4-GR1-P5
5.2.1-
4.1.4-GR1-P5
4.1.4-GR1-P5

4.1.4-GR1-P5
5.1.0-P3

4.1.4-GR1-P5

5.2.0
4.1.4-GR1-P5
5.1.0-P3
5.2.0-
4.1.4-GR1-P5

4.1.4-GR1-P4

5.2.0

5.1.0-P4

5.2.1-
4.1.4-GR1-P5

4.1.4-GR1-P2

4.1.4-GR1-P5

4.1.4-GR1-P3
4.1.4-GR1-P5
4.1.4-GR1-P5
4.1.1-P13-SP2
4.1.4-GR1-P5
4.1.4-GR1-P5

4.1.4-GR1-P5


532201 WAF Major

532123 SLB-L4 Major


532052 L2/3 - ARP Major
531799 Event Encoding (Netflow) Major
531790 L2/L3 Major
531742 SSL Major
531430 System - platform Major

531412 VRRP-A Major


531385 ACT Major
531199 L2/L3 Critical
531046 System - platform Major

531013 SSL Major


530935 CGN-Infra Major
530770 System - platform Major

530722 System - platform Major

530665 Logging Infrastructure Major
530503 SSL Major
530497 SLB-L4 Major

530435 SLB-DNS Critical

530356 GSLB Major

530167 Health-Monitor-Infra Major
529858 SLB-L4 Major
529471 System - management Major
529240 ConfigMgr Major
529092 Explicit Proxy Critical
528821 L2/3 - ND6 Major
528766 SLB-DNS Major
528730 SSL Major
528719 Web - ADC CGN Critical
528589 Web - ADC CGN Major
528262 SLB-HTTP Major
528145 Web - ADC CGN Major

528085 SSL Major

528037 Web - ADC CGN Enhancement

527971 Firewall Major


When the WAF template mode was changed from learning to active, the WAF parameters were not synced with the Standby devices.

The device used MAC address of the interface instead of the VRRP floating MAC
The ACOS dropped the packet when the ARP response/request packet received on the ACOS had multicast MAC.
In the past, only some platforms with the specific hardware support could update the sflow interface speed well.

IPv6 issues were observed over virtual appliance in L2 transparent mode.


Complex aflex usage resulted in the replacement of long URL with short URL.
The session memory for vThunder was extremely low irrespective of the total RAM allocated to the VM.

In the VRRP-a inline mode, the session sync was not working on the dual-blade chassis platform.
Disk space was utilized by ACT templates.
When external IPv6 address could not be pinged it resulted in 'connect: Invalid argument' error.
Upgrading to 414.GR1.P5 from 414.P2-SP1 resulted in higher CPU utilization.

Failsafe was falsely triggered during crypto error handling.


The stack trace in fragment packet process resulted in crashes
Post VRRP config sync, the control CPU was periodically getting stuck at 100%.

On TH7650/CGN mode, when VRRP-A L3-inline mode was enabled, all the traffic was forwarded to PU1.

The log 'Error for ethernetX has exceeded' was not generated due to data type inconsistencies.

When SMTP virtual ports with starttls were enabled, the server sent FIN which crashed the hardware SSL platform.
Fast aging was observed in the following situations:
- Total free connections were below the threshold
- Memory constraint was reached
- The syn check on the threshold was reached
- The half-open threshold was reached

The session was RESET during zone transfer request when one DNS response was received with multiple DNS messages (with dns-cache
enabled).
When the SLB server objects were changed for a service from IP to FQDN, the backup-server option did not work and both entries were
returned in GSLB.
The 'show SLB server config' displayed inaccurate information in dynamic server weight only.

The check command to check the existence of class-list was not available.
The control CPU utilization spiked to 100% when ICMP error message was received and caused destination/port unreachable.

The command 'Terminal history size 0' did not work as expected after logout/reload/reboot.
Generating multiple logs resulted in system reloads.
The route advertisement was going out of the interface with source IPv6 in the packet as the link local address.
The current-connection count incremented incorrectly.
The system crashed due to multiple certificates expiry at the same time.
While creating and updating the virtual port's name, Chinese characters were not supported.
'Last saved configuration' of L3V partition was not updated when saved from GUI.
The real-time current connection statistics were inaccurate while using the alternate virtual port.
GUI displayed an error navigating to the aFlex page when another device context was selected.
The translation function for VCS did not process the 'secure' option correctly when an SSL certificate via GUI was used along with the key
file which could not be synced to the vblade.
In case of GUI for 4.1.4-GR1-Px and 5.x releases, the text box for entering the license key, and other licensing buttons were disabled.

File transfer larger than 50MB displayed an error when GiFW was enabled and the data optimization system was up.


4.1.4-GR1-P2

4.1.4-GR1-P5
4.1.4-GR1-P5
4.1.4-GR1-P4

4.1.4-GR1-P5
4.1.4-GR1-P5
4.1.4-GR1-P2

5.2.1-
5.1.0-P4
4.1.4-GR1-P5
4.1.4-GR1-P5

4.1.4-GR1-P5
5.1.0-P5
4.1.4-GR1-P2

5.2.0-P1

4.1.4-GR1-P5

4.1.4-GR1-P4
4.1.4-GR1-P3

4.1.4-GR1-P5

5.2.1-

5.2.0

4.1.1-P8
5.2.0

4.1.4-GR1-P2
4.1.4-GR1-P6
4.1.4-GR1-P4
4.1.4-GR1-P4
4.1.4-GR1-P4
4.1.4-GR1-P3
4.1.4-GR1-P4
5.2.0
4.1.4-GR1-P5

4.1.4-GR1-P2

4.1.4-GR1-P4

5.2.1-


527743 CGN-iDDoS Major


527704 SSLi Major

527682 AAM Major


527680 SSLi Major
527677 SSLi Major
527635 SLB-L4 Major
527602 FW-GTP-U Major
527572 SLB-NAT Major
527566 CGN-Infra Critical
527551 SSLi Major
527542 System - platform Major

527521 FW-GTP-C Major


527503 Platform Major

527206 Scaleout-control-plane Major
527183 CGN-NAT44 Major
527161 CGN-NAT Pool Major
527026 DP-Infra-BW-Class-List Major
526984 System - platform Major

526867 SNMP Major


526853 FW-CGN-ALG-FTP Critical
526519 IPSec VPN Major
526420 CGN-NAT Pool Major

526315 SLB-NAT Major


525964 SSL Major
525811 AAM Major
525733 aFleX Major

525493 System - management Major
525362 IPSec VPN Critical
525235 SLB-SMTP Major
525229 Logging Infrastructure Major
525199 System - snmp Major

525028 Web - ADC CGN Minor

524917 SLB-HTTP Major


524785 Web - ADC CGN Minor
524782 Web - ADC CGN Minor
524689 aXAPI v3 Major
524671 aXAPI v3 Major
524377 AAA Major
524047 SLB-Config Major
523468 ConfigMgr Major


When CGN iDDoS was triggered, the packet buffers leaked if an attack packet was a jumbo packet.
In case of transparent EP with ssli configuration, if the initial CONNECT request was sent in 3 packets, the device would halt traffic
decryption, and the session would hang until the client sent FIN request.
Intermittent TLS connection issues were visible after upgrading to ACOS 4.1.4-GR1-P4.
During heavy traffic and 512 bytes connection buffer usage, the SVM logic caused the system to crash.
During heavy traffic and 512 bytes connection buffer usage, SVM logic caused the system to crash.
UDP Checksum was incorrect when vport 53 UDP had template policy.
Packets using port 2152 are dropped by GTP FW despite GTP FW being disabled.
The standby device was displaying NAT IP.
TCP Ports used were not freed when using source-NAT.
'forward-proxy-decrypted dscp' command under Client-SSL Template was missing in ACOS GUI.
The MAC address order changed on KVM vThunder after upgrading from ACOS 4.1.4-GR1-P1 to 4.1.4-GR1-P3.

Packets using port 2152 were dropped by GTP FW even when GTP was disabled.
The SSLi commands were not recognized because the License backward compatibility check was not working when upgraded from 2.7.x to
4.x release version.
Flapping scaleout did not have the same effect as reload when there was a ZK database issue.

A crash occurred when multiple netflow monitors existed with different service groups with overlapping members.
The crash occurred when SBY received a session sync packet while deleting the NAT pool.
Log thread could not allocate the memory required for forward-policy rebuilding due to multiple logging operations.

Executing a shutdown command sometimes resulted in a reboot of DUT system.

SNMP traps were not sent out after configure-sync.


The source-mac of FTP data session forwarding packets was changed in L2 transparent firewall.

IPsec VPN support was missing in IPv6 SLB L7 traffic processing.


The age of all sessions decreased before the expected period after initiating 'clear sessions ipv4 source-v4-addr' or 'clear cgnv6 lsn data-sessions
inside-user'.
Port overload was not supported for standby.
Buffer leaks were observed when using direct-client-server-auth.
Latency was observed with some browsers during HTTP File upload with NTLM Authentication.
The aflex log to syslog server via dataport was limited to 32 messages/sec after upgrade to 4.1.4-GR1-P3 due to the new acos-events
logging infrastructure.
The command 'wr mem sec all' resulted in save config prompt.

The tunnel flapped even after the route to remote-address IP was removed from the route table.
Thunder did not remove the hyphen '-' for SMTP single line responses.
Emails received for logging notifications did not show the timestamp.

When ACOS was reloaded, only some of the SNMP traps were sent from the management port and no traps were sent from the data port.
Whereas, the same traps were sent from both data and management ports after rebooting.
The import-periodic class-list contained '/' in the file path when it was configured using FTP on Shared Object>Class Lists Import>Import.

There were certain issues with the web-pages when the http template was configured and the command 'form-set-no-cache' was enabled in
the WAF template.
While importing class-list periodically using SCP/SFTP, the GUI did not support port assignment on the 'Remote Import File' page.
While importing class-list periodically via SCP/SFTP, GUI did not support port assignment on the Remote Import File page.
The command 'show cgnv6 lsn user-quota-sessions top 10 udp' returned all sessions instead of the filtered sessions.
When using 'show log', duplicate logs were displayed.
Code Upgrade to 4.1.4-GR1-P4 resulted in radius authentication failure.
It was observed that render commands took a long time on large configurations.
The user could not delete the member with errors when the configuration object slb.service-group.member referenced slb.server and the user
renamed the slb server. The RB tree of slb.service-group.member was not updated accordingly.


4.1.4-GR1-P1
4.1.4-GR1-P1

4.1.4-GR1-P4
4.1.4-GR1-P5
4.1.4-GR1-P5
4.1.4-GR1-P2
4.1.4-GR1-P5
4.1.4-GR1-P1
4.1.4-GR1-P4
4.1.4-GR1-P5
4.1.4-GR1-P3

4.1.4-GR1-P5
4.1.4-GR1-P6

4.1.4-GR1-P1

4.1.4-GR1-P3
4.1.4-GR1-P3
4.1.4-GR1-P2

5.1.0-P3

5.2.1-
4.1.4-GR1-P5

4.1.4-GR1-P5
5.2.0

4.1.4-GR1-P3
4.1.4-GR1-P3
4.1.4-GR1-P4
4.1.4-GR1-P3

4.1.4-GR1-P4

4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4-GR1-P4

4.1.4-GR1-P3

4.1.4-GR1-P4

4.1.4-GR1-P5
4.1.4-GR1-P4
4.1.4-GR1-P4
4.1.4-GR1-P4
4.1.4-GR1-P2
4.1.4-GR1-P4
5.1.0-P5
4.1.4-GR1-P3


523156 ConfigMgr Major

523141 SLB-Policy Major


522904 Router - OSPF Major

522634 System - platform Major

522607 ConfigMgr Major


521074 WAF Major

520987 Web - ADC CGN Major


520816 Documentation Minor
519874 SNMP Major

519745 Web - ADC CGN Major

519409 SLB-Config Major


517860 SNMP Major
516004 SLB-HTTP Major

506128 DDoS general Major


504754 Logging Infrastructure Major
501040 System - management Major
500884 Platform Major

500398 SNMP Major

475205 SLB-L4 Major


445300 CGN-NAT64 Major
395891 System - management Critical
287056 DDoS general Major

528558 Web(3.0) Major


513773 System - platform Major

533914 System - platform Critical


When devices were added to a VCS cluster, some "device-context" config for other vBlades was missing from the third vBlade (in some
cases, fourth vBlade).
The imported class-list file could not be displayed but was visible under /a10data/class-list.
When the ACOS device reloaded or crashed, the ECMP route table for the OSPF protocol was not showing the paths for one or more
neighbors after learning routes from multiple neighbors.
Due to false high-temperature readings on rare occasions, the system might shut down.

The a10syscfgd process crashed on the Standby device during config sync from active to standby.
On old proxies, while handling data from a slow client, if the WAF limit checks on the request were hit, the event logging captured
incorrect data from the response and crashed.
GUI charts of L3V partition are cleared after ACOS reload/reboot.
NAT pool with port-overload is not supported within pool-groups.
When L3V partition was configured, memory leak occurred while polling the oids axGlobalL4ConnectionCps and
axGlobalL7ConnectionCps.
When Class-List was edited using the GUI, high Control CPU utilization was observed if a specific type of IPv4/String/DNS/String Case
Insensitive was edited.
The command 'show slb virtual-server config' was missing since ACOS 4.1.4 release.
SNMP request was getting timed out when axServerPortTable was handled by CM-based rendering.
While using the new HTTP proxy, when multiple POST requests were issued from the client, the entire payload was not sent to the server.
Additionally, the connection was eventually closed.
An exception event caused the TPS to reload due to a larger aXAPI request payload.
The informational log for setting the cfg socket correctly was displayed with the severity of a critical error log.

After executing write memory all-partitions, the last-saved terminal length was not getting reflected and was unable to be set in all the
partitions.
Hard disk monitoring software displayed messages for offline unrecoverable sectors every thirty minutes even if no new offline
unrecoverable sectors were found.
When SNMP was used to poll configuration-specific GSLB zone service assets, memory leak was noticed on the GSLB zone.

When using dynamic-priority, the priority list failed to update.


A TFTP put function failed to transfer large files from client to server. The transfer timed out.
When the timezone was configured using the CLI, the timezone configuration was detected using the aXAPI but it was not reflected using
the CLI.
When TPS was configured to 'import' the class-list periodically, sometimes the request did not come within the 60 seconds interval because
the internal timer for the 'import' job was off.
The partition-write/read user could not access vrrp-a common page from GUI.
Upon initialization of vThunder TPS KVM SR-IOV, an issue with the 82599 10G Ethernet PF driver not forwarding VF driver
commands caused the vThunder TPS to fail to ping a host.
The interface connection failed when large traffic was sent from RTG for a period of one hour.


4.1.4-GR1-P3

4.1.4-GR1-P5
4.1.4-GR1-P3

4.1.4-GR1-P3

4.1.4-GR1-P4
4.1.4-GR1-P4

4.1.4-GR1-P2
4.1.4-GR1-P4
4.1.1-P12

4.1.4-GR1-P2

4.1.4-GR1-P3
5.2.1
5.1.0-P2

3.2.4-
5.1.0-P5

4.1.4-GR1-P2

4.1.4-GR1-P1

5.1.0-P4

4.1.4-GR1
4.1.4-P3
4.1.0-P9

1.0.0-P1

4.1.4-GR1-P4
5.2.0

4.1.4-GR1-P6


Release: 4.1.4-GR1-P5
A10 Tracking ID System Area Severity
520816 Documentation Minor
519745 Web - ADC CGN Major


Description
NAT pool with port-overload is not supported within pool-groups.
When Class-List is edited using the GUI, high Control CPU utilization is observed if a specific type (IPv4/String/DNS/String Case
Insensitive) is edited.


Workaround Version Reported


4.1.4-GR1-P4
Use CLI instead of GUI. 4.1.4-GR1-P2


Release: 4.1.4-GR1-P5
A10 Tracking ID System Area Severity


Description


Workaround Version Reported


Release: 4.1.4-GR1-P5
A10 Tracking ID System Area Severity
510070 Scaleout-cgn-data-plane Critical
523384 SLB-HTTP Major
523111 Counter-Infra Major
522691 FW-CGN-ALG-SIP Major

522370 Web - ADC CGN Major


522227 aXAPI v3 Critical
522007 SSL Major
521851 L2/L3 Enhancement

521719 Firewall Major


521665 Health-Monitor-L7 Major

521656 SSL Major

521614 Web Category - URL Filtering Major
521602 System - platform Major

521233 VRRP-A Major


521182 CGN-Infra Critical
521068 CGN-Infra Critical
521006 ConfigMgr Major
521005 Logging Infrastructure Major
520987 Web - ADC CGN Major
520975 AAM Major
520913 ConfigMgr Major

520856 CGN-NAT44 Major


520853 CGN-NAT44 Major
520813 SLB-L4 Major

520660 VRRP-A Major

520615 System - platform Major

520606 WAF Major


520507 CGN-LSN-Rule-List Major
520477 aFleX Major
520375 CGN-NAT44 Critical
520319 AAM Major

520262 Explicit Proxy Major


520108 Explicit Proxy Major
520090 Health-Monitor-Infra Major
520027 SLB-FTP-Proxy Major
519883 aFleX Major


Description
A problem was detected in one of the active serving and member nodes of Health Monitor after upgrading the image.

The ACOS crashed when HTTP Post and server responded with status 400.
Counter hung due to 300 sec Input/Output rate.
There was an issue with 'user-quota-prefix-length' configuration, the user-quota was freed quickly causing the thread to wait in the lock
when referenced to the same pointer.
The option 'over-action-limit' was not available in the GUI under policy template of the Class-List section.
The system would reload when the API was executed against an FTA device with 4.1.4-GR1-P2 and a large configuration.
The command 'show pki cert' displayed only the first certificate and did not show chain certificates.
The 'show ip ospf redistributed' was not printing NSSA area.

Using repeat to check against 'show rule-set application' and all the sub commands resulted in broken output.
High control CPU was triggered when oracle DB health monitor was down and a lot of log files were written to /var/tmp and filled up a lot
of disk space.
The Schannel software encountered errors on Windows servers when the short DHE public key was used for connecting to the backend
server.
A10lb stopped because of segmentation fault when web-category was updated.

The 'show fsck' command did not work on the Bare Metal with four disk system.

Packet with self-MAC address was dropped during the inline mode check, but no logs were produced.
The debug print did not print reverse packet belonged to identical session for CGNAT traffic.
The ACOS crashed when a CGNv6 Server in shared partition was deleted from CLI or GUI.
The commands 'ip router isis' and 'ipv6 router isis' configurations were not synced to vBlade after joining the VCS chassis.
When there was insufficient free disk space in a10data file the disk log was taken continuously every one minute.

GUI charts of L3V partition are cleared after ACOS reload/reboot.


The a10authd crashed when high traffic was received during NTLM logon and NTLM authentication.
After reload/reboot, the GSLB 'service-ip' was not available in the running configuration when GSLB 'service-ip' was configured before the
NAT pool with the same IP.
The CGN static NAT changed the content of ICMP reply.
The CGN static NAT changed the content of ICMP reply.
The initial sequence number was randomized after 156 days from the device booting even though 'src-ip/src-port/dst-ip/dst-port' were the
same with the previous connection.
The VRRP GARP forwarded by SBY caused a short loop on neighboring switches when the SBY device was restarted during a power On/Off test
in L3 inline environment.
The 'show audit' command threw an error when special characters were used in the command string.

The 'csrf/form-consistency' timer was corrupted.


SA from outside network was dropped when DST NAT with FW rules were configured.

The connection was frozen, waiting for HTTP payload when aFleX HTTP:: collect 0 command was used.
The SIP logic triggered the ACOS crash when the 'User-Quota' session was freed before the 'Full-Cone' session.
After upgrading to 4.1.4-GR1-P4, the OCSP status was not sent to the client when the client's SNI did not match the server-name
configuration in the client-ssl template and had used the default cert/key.
The ACOS crashed with very low EP traffic when the EP was configured on the SLB device.
The EP dropped the packet when the Host header contained IP of VIP on the ACOS.
On large health-check configurations, the command 'show health stat' had performance issues. The health statistics took a long time for
rendering.
The ACOS FTP proxy responded incorrectly to the FEAT command.
ACOS crashed if the aFleX TCP::close command was used at an L4 level event like CLIENT_ACCEPTED.


Version Reported
4.1.4-GR1-P3

5.1.0-P3
4.1.4-GR1-P3
4.1.4-GR1-P3

4.1.4-GR1-P5
4.1.4-GR1-P2
5.1.0
4.1.4-GR1-P3

4.1.4-GR1-P3
4.1.4-GR1-P3

4.1.4-GR1-P2

5.2.1-

4.1.4-GR1-P4

4.1.4-GR1-P2
4.1.4-GR1-P4
4.1.4-GR1-P3
4.1.4-GR1-P4
4.1.4-GR1-P3

4.1.4-GR1-P2
4.1.4-GR1-P4
4.1.4-GR1-P4

4.1.4-GR1-P4
4.1.4-GR1-P4
2.7.2-P12-SP1

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P3
4.1.4-GR1-P3

4.1.4-GR1-P3
4.1.4-GR1-P3
5.1.0-P4

4.1.4-GR1-P2
4.1.4-GR1-P2
5.2.0-

4.1.4-GR1-P1
4.1.4-GR1-P3


519730 CGN-iDDoS Major

519535 SNMP Major


519373 SLB-NAT Major
519328 System - platform Major

519112 CGN-NAT44 Major


518992 SLB-NAT Major
518838 SLB-Config Major

518812 Web - ADC CGN Major


518770 Explicit Proxy Major

518380 System - platform Major

518335 Health-Monitor-Infra Major
518285 HW Critical
518155 System - platform Major

518141 System - snmp Major


517945 SLB-RADIUS Major

517936 AXDebug Major


517778 Scaleout-control-plane Major
517741 SLB-NAT Major

517738 SSLi Critical

517675 SLB-NAT Critical


517603 CGN-LSN-Rule-List Major
517201 SSL Major

517018 Health-Monitor-Infra Major
517012 FPGA Major

516919 Web - ADC CGN Enhancement

516916 Web - ADC CGN Major

516794 L2/L3 Major

516563 VRRP-A Major


516505 SSL Major
516013 SLB-L4 Major

516004 SLB-HTTP Major

515890 System - platform Major


Enhancement has been implemented to make remove-wait-time configurable with range 0 - 300 seconds and default value of 300 seconds.

The SNMP MIB compiler could not parse certain MIB files.
SNAT allocations failed when 'url-switching' was configured with 'snat-auto'.
There was an issue while updating RRD on the Bare Metal installed by ACOS 4.1.4-GR1-P4 ISO file.

The round-robin crashed on the CGN setup.


The IP NAT subnet stopped being advertised when NAT Pool was removed.
In case of tcp and tcp-proxy templates, the session was not deleted even after configuring the option 'del-session-on-server-down'.

The disk usage was increased after the backup log was executed in the GUI.
In the SYSLOG for HTTP proxy, the keywords and their respective values were misaligned due to the 'server-port' keyword being missed.

If the primary and secondary hard disk had the same configuration and the command 'multi-ctrl-cpu' was executed in the secondary hard
disk, the change was reflected in the primary hard disk as well.
There was a delay in resolving the DNS query after reboot/upgrade due to the default configuration setting of 'dns-query-interval'.

In case of vThunder 8G system, the performance of L4 was affected due to the reduction in the number of L4 sessions by half.

Public SNMP MIB did not provide accurate virtual ethernet statistics as compared to the individual interfaces.
When aFleX was configured under the radius vPort, A10 would drop the radius packets even if there was a logging comment in the aFleX body.

The axdebug file operations became unresponsive and caused VRRP to crash.
Traffic dropped when CPU was busy and failed to prioritize the SO ZK traffic.

If the DNS template is configured with 'query-id-switch' then NAT sessions with fragmented DNS responses are not forwarded to the client.

While verifying the internet server's certificate, SSLi inside would fetch the CRL if OCSP and CRL cache were unavailable. However, if the
CRL was larger than 16MB, the inside box would crash due to longer processing time.
The Auto-map statistics were not updated.
Negative values were displayed by 'showtech' and large values in the 'show' command output when 'lsn-rule-list' hit counters overflowed.

The device crashed when 'non-ssl-bypass' was configured under 'client-ssl template' and ACOS received a client-hello packet on port 443
HTTPs.
Configuring IPv6 ICMP transparent health-checks caused frequent timeouts and affected other health checks configured on the A10 device.

When the FPGA would receive an IP and IP packet with a bad checksum, it would drop the packet with the bad checksum and the
subsequent normal IP packets too.
The charts were not available as per the VIP port.

The Search functionality had issues with the service name (It only accepted the VIP name and not the service name defined under the
vPort).
The value of 'total throughput' displayed in the GUI and the CLI had a slight mismatch because the value displayed in the GUI was updated
every 10 seconds.
The trunk sent out heartbeat, even when 'no-heartbeat' was configured on VRRP-a interface trunk.
'Renegotiation_info' extension was available during 'Server Hello' even though it was not supported by software SSL.
The execution of the command 'half-open-idle-timeout' for slb template tcp, would result in the usage of slow path for processing.

While using the new HTTP proxy, when multiple POST requests were issued from the client, the entire payload was not sent to the server.
Additionally, the connection was eventually closed.
If the client was connected to a tcp service (hosted by ACOS) through a data interface, the ACOS device had a low probability of reloading
due to incorrect interpretation of the socket when it was in half-open state.


4.1.4-GR1-P1

4.1.4-GR1-P2
4.1.4-GR1-P3
4.1.4-GR1-P4

4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1-P3

4.1.4-GR1
4.1.4-GR1-P3

4.1.4-GR1-P3

4.1.4-GR1-P3

4.1.4-GR1-P3
5.1.0-P3

3.2.5-P1
4.1.4-GR1-P3

4.1.4-GR1-P1
4.1.4-GR1-P1

4.1.4-GR1-P3

4.1.4-GR1-P1

4.1.4-P2
4.1.4-P3

4.1.4-GR1-P1

4.1.1-P8

5.1.0

1.0.0

4.1.4-GR1-P1

5.1.0-P3

4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1-P2

5.1.0-P2

5.1.0-P4


515872 Health-Monitor-L7 Major

515863 System - platform Major

515293 L2/3 - ARP Major


515074 Health-Monitor-DSR Major
514993 ACL Major
514201 CGN-NAT44 Major

513259 System - platform Major

511978 System - snmp Major


511678 SLB-Config Major
511105 Logging Infrastructure Major

510757 Scaleout-control-plane Critical
509368 Web - ADC CGN Enhancement

509335 CGN-NAT Pool Major


508837 L2/3 - ARP Major

508288 Logging Infrastructure Major
507436 System - platform Major

504601 System - platform Major

500584 System - platform Major

500488 Router - BGP Major


497321 DP-Infra-BW-Class-List Major
496264 AZURE Major
491152 ConfigMgr Critical

486694 System - management Major
469763 aFleX Major

407876 Web - ADC CGN Critical


363616 SLB-NAT Major
523984 CGN-Infra Major

523384 SLB-HTTP Major


522241 AAM Major
506818 L2/L3 Major
524266 DP-Infra-BW-Class-List Major
480248 SNMP Major
520756 CGN-Infra Critical


The 'show health external-log' command output only printed a limited number of lines.

A10 is intermittently tagging some of the LACP packets with vLAN ID 0 when the uplinks connect to an Arista switch. The switch is
discarding the packets as it failed to understand the packets with tag: 0.
Gratuitous ARP was sent when the command 'disable-vip-adv' was executed impacting traffic during migration.
Frequent timeouts and other health checks configuration were affected on the ACOS device when IPv6 ICMP transparent health-checks
were configured.
The Control CPU utilization went 100% when the '/a10data/var/log/message' log file was rotated.
When A10 received a packet with the wrong destination MAC, A10 responded using the wrong MAC as the source MAC. This caused the
MAC flap on the router/switch, since both ACOS responded with same source MAC.
The DPDK sanity check failed if the 'mbuf pktlen' was not reset for jumbo list.

The SNMP server cannot load MIB files in an ACOS folder with error.
An overflow crash occurred when the parsing class-list file was terminated without a new line.
When multiple logging servers were configured and the link was disconnected, the Thunder system triggered the log and tried to reconnect
to all the servers. However, during the retry, the connection with all the servers could not be established since some of the sockets failed.

Session Sync did not happen for newly joined node in the cluster for the existing session and session traffic was impacted.

Option to view the system or audit logs of service-partition was not available in the GUI.

The log message was not available when NAT user could not get the port from an IP within the Pool.
Connectivity issues occurred when ARP entries for all partitions were over 8K and the ARP total was brought down below 8K by removing
entries.
The old HM 'ping recvfrom, Resource temporarily unavailable' logs were not deleted.

The slow memory leak was observed in the A10scmd process.

The Power Unit Input Voltage change was observed from 205.000 V to 153.000 V in the TH1040 'show environment debug' command
when upgraded device from 4.1.4-GR1-P1 to 4.1.4-GR1-P2.
Support for the non-dedicated management port mode was disabled.

bgp "network... route-map" command should not do IGP sync.


ACOS was reset while a user tried to update an entry in a class-list using the GUI if that class-list was referenced by an aFlex and active
traffic was being processed by the VIP of that aFlex.
After the default gateway was added or removed the vThunder on Azure cannot connect to the Azure VPN Gateway.
If you configure the virtual port template under TCP port and later unbind the same template, ACOS drops the non-SYN packets.

The 'restore /?' command displayed hidden files under the '/a10data/tmp/'.

If aFleX selected a server based on a script and the server failed SYN-ACK, ACOS would perform re-selection rather than adhering to the
server.
vMaster improperly indicates blocked status for all interfaces on vblade.
Redistribution of Static NAT IPs by routing protocols like BGP was allowed but this capability was not available earlier.
The option 'expiration' disappeared when the cgnv6 ddos-protection redistribute-route was configured with 'timer-multiply-max'.

The ACOS device crashed when the HTTP Post and server responded with status 400.
The ACOS load balancer crashed when the second user was connected to AAM Kerberos relay.
The BFD flapping was observed when looping BFD packets were passed during L2 redirect from one ACOS system to another.
The ACOS crashed when class-list was updated through the GUI.

The ACOS did not send many traps when ACOS rebooted and booted up.
The SIP logic triggered crash when 'User-Quota' session was freed before 'Full-Cone' session.


4.1.1-P10

4.1.1-P9

4.1.4-GR1-P3
4.1.1-P13

4.1.4-GR1-P2
4.1.4-GR1-P3

4.1.4-GR1-P4

4.1.4-GR1-P2
4.1.4-GR1-P3
4.1.4-GR1-P2

4.1.4-GR1-P3

4.1.4-GR1-P2

5.1.0-P1
4.1.100-P6

4.1.4-GR1-P2

5.1.0-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

3.2.4-
2.7.2-P14

4.1.4-GR1-P1
4.1.4-GR1-P1

4.1.4-GR1-P1

4.1.4-GR1-P4

4.1.0-P9
2.7.2-P10
4.1.4-GR1-P5

5.1.0-P3
4.1.4-GR1-P4
4.1.4-GR1-P1
5.1.0-P5

4.1.4-GR1-P3
4.1.4-GR1-P3


524440 Logging Infrastructure Major
524411 aFleX Major
524408 SSL Major
522694 Web - ADC CGN Major
524755 System - platform Major
524869 System - platform Major
524549 FW-CGN-ALG-FTP Major
524458 Explicit Proxy Major

518285 HW Critical
524941 Overlay Networking - Infrastructure Major

525677 SNMP Major


513949 Web - ADC CGN Minor
522634 System-platform Major


The VRRP-a MAC address was used by the TCP keep-alive 'acos-events'.

The ACOS crashed under certain circumstances in the SSL if it encountered an error during the initial SSL handshake.
System crashed when the aFleX SSL::template was applied to an HTTPS virtual port.
The Chain Certificate from the Shared Partition was not available in the GUI.
There was a sudden reboot of TH14045 due to watchdog not tickling the hardware watchdog.
System reloads, when an invalid buffer address is provided for devcall dump_fpga_buff.
In the L2 transparent firewall the FTP data session was dropped.

Removing entries from AC class list emptied the whole class list with many AC class list nodes (>128K in all the merged AC class list).

Invalid logs as zero are not shown when the system does not establish the access to voltage module.
The packet loss was observed on the ACOS with both IPsec and vxLAN when the IPSec and vxLAN are working at the same time.

Memory leak was observed when 'snmpwalk' was performed on GSLB zone configuration.
Disabling the GUI's compress files was required when the disk of /a10 in ACOS Linux was full.
Due to false high temperature reading on rare occasions system may shut down incorrectly.


5.1.0-P5

4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4-GR1-P3
4.1.4-GR1-P2
4.1.4-GR1-P3
4.1.4-GR1-P3

4.1.4-GR1-P4

4.1.4-GR1-P3
4.1.4-GR1-P4

4.1.4-GR1-P2
5.2.0-
4.1.4-GR1-P3

Release: 4.1.4-GR1-P4 Limitations
A10 Tracking ID System Area Severity
513469 System - platform Major

488578 Router - Static v4/v6 Major

515543 Web-ADC CGN Minor

519799 ACOS Minor


Description Workaround
Unexpected GARP sent out from standby vThunder when the vnic was re-enabled by ESXi after failover.
When a management IP address is obtained via DHCP, a default route that overlaps with the management subnet can be configured. Workaround: Use ip-default gateway under interface management context instead of ip route 0.0.0.0 /0 command.
An access Denied pop up appears when ADC - SLB - Service Groups are cloned with the RBA role of ADC - Templates - L7 Protocols - HTTP Policy.
LLDP is not supported on TH3040 10G ports.
Version Reported
4.1.4-GR1-P1

4.1.4-GR1-P1-SP2

4.1.4-GR1-P4

4.1.4-GR1-P1-SP2
Release: 4.1.4-GR1-P4 Known Issues
A10 Tracking ID System Area Severity
515006 Web - ADC CGN Enhancement
Description
The previous user timed out login page appears when trying to for another user.
Workaround Version Reported
4.1.4-GR1-P4
Release: 4.1.4-GR1-P4 Fixed Issues
A10 Tracking ID System Area Severity
514843 Web - ADC CGN Critical

514072 AAM Major


511591 L2/L3 Major

511102 CGN-NAT Pool Major


510358 SLB-L4 Major

509322 Explicit Proxy Major

508297 Platform Major

516067 GSLB Major

515422 Health-Monitor-L7 Major
515382 SLB-HTTP-Cookie Major

514915 Explicit Proxy Major


514432 SLB-HTTP Major

514249 SLB-Config Minor

514201 CGN-NAT44 Major

513877 System - platform Major

513784 Health-Monitor-L7 Major
512932 CGN-DSLite Major

512857 Web - ADC CGN Major

512476 SSL Critical

512455 Scaleout-control-plane Major
511961 AAM Major

511927 CGN–Nat46-Stateless Major
511810 SSL Major
511799 SNMP Critical
511798 SNMP Major
511765 aXAPI v3 Major
511696 SLB-HTTP Major
511618 SSL Major
511612 System - platform Critical

511579 TCPIP Major


511571 Platform Major
511450 SLB-L4 Major

511348 SLB-NAT Major


511339 Health-Monitor-Infra Major
511330 SNMP Major
511294 SSL Major
511259 SLB-Config Critical
511234 SSL Major
511114 SLB-DNS Major
510898 ConfigMgr Major
510698 SLB-Config Major

510115 Web - ADC CGN Major

509926 AAA Major

509872 Overlay Networking - VxLAN Major
509833 Overlay Networking - VxLAN Major
509572 Web - ADC CGN Major
508342 Web - ADC CGN Minor
506969 Web - ADC CGN Major

506545 System - management Major
506023 System - platform Minor

504886 Web - ADC CGN Major

502627 TCPIP Major

501145 System - management Major
498253 Health-Monitor-Infra Major

497629 SLB-L4 Major


495568 SSLi Major
495166 Web - TPS Major

486151 System - management Major
481912 ConfigMgr Major
468715 SLB-Config Critical

441542 SSL Critical


500584 System - platform Major

516238 GiFW Infra Major

505198 SLB-HTTP Major

515927 SLB_DNS Major

516958 Web-ADC CGN Major


488293 Web-ADC CGN Major
511429 Harmony-HCC Major

517945 STO_Radius Major

511348 SLB-NAT Major


Description
In the GUI ADC / SLB / Service Groups page, no service-groups were displayed. This was triggered when
'alternate' configured on real servers or real ports.
NTLM authentication crashed due to incorrect multi-thread list operation.
The 'enable' state is the default state of the management port. But the running configuration did not show it.

NAT logs were not sent after reconfiguring NAT pool.


In L2 transparent mode, ACOS sends out neighbor solicitation even if the IPv6 address is not in the same
subnet.
In 5.0.0 and 4.1.4-GR1-P3 when no client-ssl template was in vport, proxy-chaining created a back-end
connection without port translation. This behavior was changed to create a back-end connection according to
the matched server-group policy template.
The VMXNET3 virtual network adapter is not supporting the Maximum Transmission Unit (MTU) check on
vThunder or Bare Metal.
When GSLB protocol 'auto-detect' was enabled, the error 'No such Server' was encountered during
reconfiguring the GSLB service-ip in L3V partition
The certificate cache refresh did not work when certificate expired in MTLS health monitor and refreshed with
valid certificate using the same certificate name.
If the set-cookie header followed the response code as the first header and a persist cookie was also configured,
the persist cookie would mistakenly mark it as aFleX modified and, as a result, the template samesite
configuration was not applied.
Back end reported duplicate entries for class-list bound to explicit proxy.
The Vport current connection counter was leaking if SYN packet processed 'hw-syn-rr' option and connection
limit was configured on the virtual port.
Even though the persist source-ip was not supported on reqmod-icap / respmod-icap, it was displayed in help
message of reqmod-icap / respmod-icap template.
When A10 received a packet with the wrong destination MAC, A10 responded using the wrong MAC as the
source MAC. This caused the MAC flap on the router/switch, since both ACOS responded with same source
MAC.
The a10Stat process crashed while removing useless 'rrd' files.

HTTP health check method experienced high CPU utilization when a lot of health-check failures occurred

The DS-Lite packets were going through a slow path if non-default MTU was configured on the incoming
/outgoing interface.
Following were the reported issues:
- With the default setting, the /interface/management/oper is not returned correctly resulting in incorrect status
on the GUI.
- Front Bezel on the management showed DOWN although the management port is disabled.

In the L3V partition, when the cipher template was changed from a shared partition to a local L3V partition in
the client-ssl template, ACOS crashed. This was caused when the flag indicating the cipher template partition
was set incorrectly.
Default route was not advertised after BGP and scaleout flap.

The OCSP stapling was working with the default cert/key but was not working for cert 'qinghua'. The A10 only
requested certificate status for default cert.
An unexpected reset occurred because of an ICMP error (port unreachable) during a DNS request.

A wrong certificate was served if traffic is sent via server name configured as server-name-regex
The output of 'axInterfaceStatUtilPercentIn' was incorrect for VE interface in L3V partitions, and it was about
60% of one physical interface value.
Incorrect calculation value was observed of an oid:axServiceGroupMemberStatResponseTime.
Partition configuration save failed while executing write memory from aXAPI.
Unprocessed buffer was occasionally seen in environment running on 414GR1P1 + EP + SSLi.
SSL traffic with client authentication was failing.
SSH Public Key was working as root admin instead of admin user.

RTT (Round Trip Time) was not incorporated in the re-transmission timer of first data packet.
Performance was dropped on the vThunder due to rx_dropped when the trunk was configured
Due to an underflow timing issue in the accounting, the connection limit logs were seen even though
connection was not configured.
IP NAT traffic was not used as the pool gateway under the gateway mode.
HM failure occurred with l2-inline multi-net mode and VRRP-a

The SNMP Data type Counter64 was not cumulative.


The 'import-periodic ssl-cert-key' failed when L3V partition was used.
Information from wrong place is displayed when thunder analysis was enabled.
The SSL handshake failed when the TLS1.2 was used on Internet Explorer.
DNS TCP request with DNS length field span across two packets was dropped.
Adding entry in the ac class-list blacklist issued a backend error.
HA-Dynamic VIP-based failover didn't work when Harmony Controller was disabled under SLB default
template
The certificate import failed with error 'file format unknown\nFirst import attempt fails' When the certificate
import and the actual file format was PFX.
User was no longer able to authenticate with TACACS if privilege level was not defined in TACACS config

The UDP checksum was missing in the outer VXLAN tunnel packet when the SLB fast-path was enabled

While testing VxLAN on Azure vThunder, it was noticed that all traffic initiated by the client was still sent
without checksums even when the fast-path disabled.

GUI did not accept '*' chars in the server name Regex list after upgrade.
The long name was truncated, when copying certificate name from the GUI
A status 400 error had occurred unexpectedly after clicking FQDN services on the external partition.

The login user was always 'admin' when logged in with ssh-pub key.

The New line character was not present in message for remote logging over UDP.

HTTP response header with apostrophe caused the headers to disappear from the template on GUI

ACOS had retransmitted TCP segments that were partially acknowledged with incorrect length. The original
length was reused completely and the acknowledged data was not omitted from it.
Commands fail-safe and enable-core are global commands. Therefore, these commands should be prohibited to
be configured in private partitions and allowed only in shared partitions.
When the health check was configured with TCP half-open option, the ACOS incorrectly detected a TCP error
on a wrong port, after the health check received an ICMP type 3 response from the real server.

When padding was added to max HM number, the health-check index table was 8-byte aligned.
In GUI, displaying forge certificate was causing high control CPU. A few new filters were added in the GUI to
allow and retrieve specific certificates which also reduces the control CPU usage.
When ACOS was upgraded to a newer version, the Thunder TPS dashboard failed to display charts.

Terminal editing was enabled by default, whereas the no terminal editing option was not working.

The import/export system got stuck for a long time until the file transfer was finished.
Alternate server configuration was lost after reboot as it had failed to define the server before adding the
alternate server.
High memory usage of SSL session cache resulted in lower CPS or unstable system.
Support for the non-dedicated management port mode was disabled.

When Netflow is configured, axdebug or debug monitor messages '@165546187 i( 0, 0, 0)> returned' will
show up. The debug output could flood and become difficult to parse through actual debug messages.

When system freezes and 'sh trunk' command was executed the system crashed and did not come up after
loading.
Incorrect DNS port was selected when the DNS query switch was present and the destination port 53 was
chosen based on the query ID used.
Error code 404 was received when the partition user logged in on GUI and tried to edit vPort.
The FW server could not be enabled/disabled using GUI.
With the Harmony Controller configured, the device froze for about two to three minutes when trying to remove
a VIP service-group consisting of 500+ members.
When configured aFleX under the radius vPort, A10 will drop the radius packets even if there was logging
comment in the aFleX body.
IP NAT traffic was not used as the pool gateway under the gateway mode.
Version Reported
4.1.4-GR1-P3

4.1.4-GR1-P2
4.1.4-GR1-P2

4.1.4-GR1-P2
4.1.4

4.1.4-GR1-P3

4.1.4-GR1-P2

4.1.4-GR1-P3

4.1.4-GR1-P3

4.1.4-GR1-P4

4.1.4-GR1-P2
4.1.1-P13

4.1.4-GR1-P2

4.1.4-GR1-P3

4.1.4-GR1-P3

4.1.4-P3

4.1.4-GR1-P3

4.1.4-GR1-P2

4.1.4-GR1-P3

4.1.4-GR1-P1

4.1.4-GR1-P2

4.1.4-GR1-P1

5.0.0-P1
4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1-P2
4.1.4-GR1-P2

4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4-GR1-P2

4.1.4-GR1-SP2
4.1.4-GR1-P2

4.1.4-GR1-SP2
4.1.1-P12
5.0.0-P1
4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.1-P11
4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P1

4.1.4-GR1-SP2

4.1.4-GR1-SP2

4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4-GR1-P2

5.1.0

5.1.0

4.1.4-GR1-P2

4.1.4-GR1-P3

4.1.4-GR1-P2

2.7.2-P12-SP3

4.1.0-P13
4.1.1-P10
3.2.2-P6

4.1.4-GR1

4.1.4-GR1-P1
4.1.4-GR1-P4

4.1.4-GR1-P4
4.1.4-GR1-P4

4.1.4-GR1-P3

5.1.0

2.7.2-P12-SP1

4.1.4-GR1-P3
4.1.4-GR1-P2
4.1.4-P9

4.1.4-GR1-P3

4.1.4-GR1-P2
Release: 4.1.4-GR1-P3 Limitations
A10 Tracking ID System Area Severity
510445 Scaleout-control-plane Major
510235 Scaleout-control-plane Critical
509231 Scaleout-cgn-data-plane Major
Description Workaround
For ACOS 4.1.4 GR1 P3, Scaleout cannot be activated with two nodes.

When traffic-map and active node info is mismatching across the member
nodes, the node is unable to join the cluster back after a reboot.
In scaleout, if the Dedicated L2 interface is configured, then the dedicated L2
ethernet interface should be in L2 mode i.e. the interface shouldn't have any
Virtual Ethernet or the IP addresses configured under it.
Workaround: Remove the VEs or IP address under the dedicated ethernet interface.
Version Reported
4.1.4-GR1-P3

4.1.4-GR1-P3

4.1.4-GR1-P3
Release: 4.1.4-GR1-P3 Known Issues
A10 Tracking ID System Area Severity
510121 BFD for IPv4/IPv6 Major

509854 Scaleout-control-plane Critical

507442 Scaleout-cgn-data-plane Major

488578 Router - Static v4/v6 Critical
Description Workaround
The BFD Neighborship State is continuously fluttering when ECHO is
configured for the Static Client.
When Scaleout is disabled on both nodes, the first node continues to run in the
single-node mode.
When the Dedicated L2 redirect interface and the data traffic interfaces are
using the same physical ports, bytes are missing from the payload with a
scaleout l2-redirect interface.
When a management IP address is obtained via DHCP, a default route that
overlaps with the management subnet can be configured.
Version Reported
4.1.4-GR1-P3

4.1.4-GR1-P3

4.1.4-GR1-P1

4.1.4-GR1-P1-SP2
Release: 4.1.4-GR1-P3 Fixed Issues
A10 Tracking ID System Area Severity
510772 System - platform Major
510400 GSLB Major

509935 SLB-L4 Major

509821 SLB-L4 Major

509707 Logging Infrastructure Major
509500 Platform Major

509488 System - platform Major
509440 CGN-Infra Major

509420 Scaleout-cgn-data-plane Major
509401 Web - ADC CGN Minor

509324 CGN-Infra Major

509275 SLB-Diameter Major

509232 AAM Major

509017 SLB-Config Major

508987 Harmony-Controller-Integ Major
508825 Health-Monitor-DSR Major

508783 aXAPI v3 Minor

508751 SSL Major

508375 Web - ADC CGN Major

508367 GSLB Major

508252 SLB-HTTP Major

508084 RBA Major


508006 CGN-iDDoS Major
508000 CGN-iDDoS Major

507793 System - platform Major
507730 SLB-NAT Major
507688 L2/L3 Major

507625 Platform Major

507607 SSLi Major

507580 System - management Major
507544 AAM Major

507454 System - management Critical

507436 System - platform Major
507388 SLB-Config Enhancement

507331 SNMP Major


507298 Firewall Major

507199 SLB-HTTP Major


507131 CGN-NAT44 Critical

507118 System - platform Major
507112 GSLB Major
507005 SLB-Config Major

506992 System - management Major
506969 Web - ADC CGN Major

506965 System - platform Major
506902 L2/3 VLAN Major
506896 RBA Critical

506891 SLB-L4 Critical

506878 ConfigMgr Major


506848 System - platform Major
506842 CGN-SCTP Critical

506834 CGN-NAT Pool Major

506807 VRRP-A Major

506798 SLB-HTTP Major

506758 SLB-NAT Major

506698 System - platform Major
506662 SNMP Major

506653 SLB-L4 Major


506647 SLB-Config Major

506618 System - platform Major
506552 CGN-NAT44 Critical

506540 System - platform Critical
506536 SLB-L4 Major

506497 HW Critical

506434 System - management Major
506383 GiFW Infra Major

506368 SLB-HTTP-Cookie Major
506321 SLB-SMTP Major
506318 SLB-SMTP Major
506266 Web - ADC CGN Major

506194 System - platform Major
506047 System - management Major
506002 Web - ADC CGN Major

505996 Overlay Networking - VxLAN Major
505915 ConfigMgr Major

505612 System - platform Major
505576 AAM Enhancement

505573 aXAPI v3 Major

505540 DHCP Major

505342 aFleX Major

505291 Web - ADC CGN Major

505264 SSL Major

505108 SLB-HTTP Critical

504907 L2/L3 Major

504883 Web - ADC CGN Major

504796 ConfigMgr Major

504721 Explicit Proxy Major

504478 System - management Major
504289 ConfigMgr Major

504286 SLB-HTTP Major

504088 SLB-HTTP Major

504082 Web - ADC CGN Major

504034 CGN-DSLite Major

503916 AAM Major


503851 System - platform Major
503476 ConfigMgr Major

503287 SLB-Config Major

503224 CGN-Infra Major

503135 Event Encoding (Netflow) Major
503119 CGN-NAT44 Major

502831 Router - BGP Major

502759 L2/L3 Major

502744 System - platform Major

502681 SLB-L4 Major


502627 TCPIP Major

502603 Overlay Networking - VxLAN Major

502327 Web - ADC CGN Major

502147 SNMP Major

502069 System - management Major
502063 AppFW Major

502048 SLB-Config Major

502030 System - platform Major
501976 L2/L3 Critical

501877 Scaleout-control-plane Major
501862 SLB-Config Major

501847 SLB-L4 Major

501772 SSLi Major

501706 SLB-Config Major

501457 Router - BGP Major

501433 VRRP-A Major

501403 SLB-Config Major

501400 SSL Major

501388 SLB-Config Major

501370 Scaleout-operational Major

501340 SLB-Persist Major

501325 SNMP Major

501292 CGN-NAT44 Major

501235 Event Encoding (IPFix) Major
501169 ConfigMgr Major

501133 AAM Major

501040 System - management Major
501037 VRRP-A Major

500899 aFleX Major


500851 System - platform Critical

500782 Router - BGP Minor


500605 RBA Major

500587 AAM Major

500575 aXAPI v3 Major

500497 AAM Major

500424 AAM Critical


500422 Web - ADC CGN Major

500419 SLB-HTTP Major

500410 Health-Monitor-Infra Major

500398 SNMP Major

500386 System - management Major
500338 Web - ADC CGN Major

500311 AAM - Kerberos Major

500305 aXAPI v3 Major

500185 CGN-NAT44 Major


500107 Router - OSPF Major

500077 GSLB Minor

500053 IPSec VPN Major

499862 VCS Critical


499846 Health-Monitor-Infra Major
499828 SLB-Config Major

499667 SSL Critical

499498 System - management Major
499480 System - management Major
499345 aFleX Critical

499273 VCS Major

499195 CGN-Infra Major

499129 System - management Major
498940 SNMP Minor

498793 VCS Major

498748 SLB-HTTP-Cookie Major
498619 System - platform Major
498520 System - platform Major
498511 Harmony-Controller-Integ Major
498487 Counter-Infra Major

498253 Health-Monitor-Infra Major

498229 System - snmp Major


498217 System - management Major

497983 SLB-Logging Major

497632 GSLB Major

497308 CGN-NAT64 Major


497134 SLB-TCS Major

497017 System - platform Major
496999 Explicit Proxy Major

496918 System - platform Major
496744 Health-Monitor-DSR Critical
496667 SLB-Config Critical
496654 DHCP Major

496435 System - platform Major

496393 Health-Monitor-DSR Major
495892 VRRP-A Major
495706 Router Major
495676 SLB-HTTP Major

495493 Firewall Minor

495439 DDoS general Major

495019 Health-Monitor-L7 Major

494977 SLB-L4 Major

494566 System - platform Major
493615 ConfigMgr Major

493291 ConfigMgr Critical

492940 WAF Critical


491764 System - platform Major

491593 Logging Infrastructure Major

491278 SSLi Major

489535 aFleX Major


487522 System - platform Major
486259 ConfigMgr Enhancement

485512 System - snmp Major

485419 TCPIP Major

484954 Router - BGP Major

483022 ConfigMgr Major


481657 System - platform Major

481354 System - platform Enhancement

481117 L2/L3 Major

476674 System - platform Major
475237 System - platform Major

475021 SSL Major


468715 SLB-Config Critical

462169 SLB-TCS Major

457550 WAF Critical

454111 AWS Critical

433141 L2/L3 Major

424370 DNSSEC Critical

398824 SLB-Persist Critical

392419 L2/L3 Critical

388714 L2/L3 Enhancement

385822 SLB-SMTP Major

363616 SLB-NAT Major

475708 SLB-DNS Major

510868 SSL Major


479900 SLB-TCS Major
494584 System-platform Major
Description
An increasing number of CRC errors were faced on 100G port when QSFP28 100G LR4 type was
used.
When the GSLB group was configured with DNSSEC for signing the GSLB zone in L3V partitions, the
DNSSEC-enabled GSLB zone was not working for GSLB members.
During the CPU round-robin processing, traffic matching the existing session was sent back to the
home CPU, resulting in higher data CPU condition, on the target CPU.
When a graceful-shutdown was combined with TCP reset-rev or TCP reset-fwd with less than 30
second timer, it failed to send out reset packets due to a missing code in the graceful-shutdown
path.
GSLB was not aware of having SLB objects in the shared partition and had sent the GSLB logs to the
service partition instead. The logs could not be viewed in the shared partition.
There was a minor memory leak for every instance when the show disk or show hardware command
was executed on ACOS System Configuration.
The system-reset command was unable to clear the log database.

The connection was aged-out by Data Plane while Control Plane had run the show session
command, due to which the ACOS device stopped working.
The radius packet with one system IP as its destination IP were not being dropped and instead
looped back to the inside-system IP by the scaleout cluster.
After upgrading from 2.7.2-P14 to the current version, the Data CPU Statistics graph was refreshed
to '0' for all CPUs. Since the RRD files were not removed, the update failed to load CPU stats.

ACOS takes over 20 minutes to show the output of grep full cone sessions under traffic and results
in high control-CPU usage.
There was a memory leak in SLB diameter health-check which led to improper server and socket
connections.
With Basic AAM authentication, the second request was truncated when sent to the server and that
resulted in 400 error code.
When an incorrect word was used in the schema, the ACOS device failed to parse the
request-rate-limit 2 per second command, which went missing under the template port.
In VCS environment, when the re-sync analytics is triggered immediately after Harmony Controller
registration, the devices reboot.
In ACOS 4.1.1-P12-SP1, removing the service group from VIP had caused health check failure due to
HTTP time out. The failure was triggered when the service group was unbound and rebound to
DSR vPort.
The ACOS event log database was configured across the entire system instead of only in shared
partition. As a result, the acos-events/logdb was unable to support enable-all on L3V.
The SLB device closed the connection after receiving client hello, which had TLS version 1.1 in the
record layer, but TLS 1.2 in the message.
vThunder encountered Access Denied error message when users with canned, predefined RBA roles
tried logging into the GUI.
Updating geolocation database with ipv6 failed. Therefore, IPv6 dns query was unable to get the
correct record based on geolocation.
To resolve the issue, first load ipv6 file followed by ipv4 file, and then merge the two geolocation
files.
ACOS may reset while processing chunked encoded traffic if VIP has both HTTP compression and
WAF enabled.
"SharedPartViewer" internal role was exposed to the user.
The ip-threat-list entry was not being cleared automatically in some instances. This issue was
getting triggered when the software and the hardware entries get out of sync.
SPE overflow notifications were not being delivered to the CPU memory due to a FIFO bug in FPGA
and hardware, which stopped the global hit counter of ip-threat-list from getting the actual hit count.

A TH1040 had faced an intermittent traffic loss when the platform buffers were made configurable
within the low range of 256k-1024k.
Next port from NAT pool could not be obtained due to increase in 'Honor Misses' count.
When trunk-group was configured with user-tag and the trunk is assigned to vlan tag, deleting the
user-tag added unexpected tagging config in vlan tagging configuration. This tagging configuration
could be deleted.
To avoid the issue while deleting the user-tag, remove the trunk-group configuration by using no
trunk-group <> and then add all the configuration under the trunk-group except the user-tag.
On the TH6635 TPS hardware platform of the Thunder Series, the activity LED of port 9 was not
blinking, which resulted in the misaligned blinking of the LEDs from port 5 to port 12.
In EP + SSLi, when ACOS does not receive OCSP/CRL response, the certificate cache state was stuck
at "cert verifying".
To release internal cache memory, a cron job was run periodically to drop cache and free up the
memory.
Thunder with AAM/NTLM/cookie-based erased the Cookie header and sent the request to the
servers without Cookie header. Therefore, these requests were handled as non-authorized sessions.

On a vThunder instance with KVM and with 100G Mellanox interface using SR-IOV, a certain type of
IPv4 and IPv6 traffic was not processed correctly causing connectivity issues with neighbor hosts.

A slow memory leak was observed in the a10scmd process used for ACOS license management.

Refreshing queries using multiple DNS servers had failed and the customer was unable to fetch A
records as the RD flags were cached to 0. The issue was triggered when ACOS retries to send out
queries with RD=0 and allows packets to flow on port 53 on the server.
Support was added for sysObjectID on platform TH1040s.
When the TCP/UDP packets received were matching with the vPort, the values of cs4 and cs5 in the
CEF log were reversed. Previously, this issue was not occurring when opposite logic was added to
handle ALG and Full-cone sessions.
Random DSCP values were added in response packets to the client and the server.
Session sync packet received on CPU other than home CPU causes SO unit to crash.
To resolve the issue, disable Round Robin or remove Zone configuration.
TH840 shutdown failed because the reboot command was triggered in the background.

L3V partition did not have the option to add geo-location using GUI.
After aXAPI introduction, the alternate port configuration was not removing virtual port properly and
alternate ports were not added to the vport matching hash.
The a10snmpd agent stopped working when voltage OIDs were polled, the SNMP retrieving failed,
and an SNMP core was generated.
In a GSLB setup, status 400 error had occurred unexpectedly after clicking FQDN services on the
external partition.
In the output of #show cgnv6 ddos-protection ip-entries, PPS displayed is different for TH7445 and
TH7440-11 even though running traffic is the same.
System logs (syslogs) were not enabled for per-vlan-limit or all-vlan-limit drops.
After creating the certificate, users with assigned RBA roles and READ privileges were unable to view
the certificate after exporting because the folder was empty.
Session sync for persist session from a box running on earlier release caused a reload on a standby
device.
AXAPI could not configure the client-ssl template due to AXAPI variable name changes.
In standby mode, high control CPU was noticed due to a cron job spending unnecessary CPU cycles
on temp files. The cron job processing is now updated to avoid CPU impact.
The lb_fast_process_sctp_setup with static NAT had stalled the CPUs when the length of the SCTP
packet's last chunk parameter was not a multiple of 4.
During the inter-partition routing CGN deployment, the session number was not cleared in the output
of show cgnv6 lsn user-quota-sessions due to broken support for hairpin traffic between two clients
from different L3V partitions.
When VRRP-A L3-inline mode was enabled on the active side, the OSPF broadcast packets got
dropped. This issue was triggered when there was a mismatch in the packet configuration and the
specified configurations.
The current connection counter for one member of a service group was not displayed correctly, but
there was no impact on load-balancing methods.
In EP+SSLi configuration, when the server did not respond, the nat port of source nat auto was not
freed for usage.
AXAPI was returning the HTTP 200 OK requests for V3 Restore due to corrupted files or incorrect file
formats.
When traffic was running in L3V partition, the value of Total Current Connections for axAppGlobal
had returned to 0. This inaccuracy was triggered when there was half TCP/UDP traffic on L3V
partitions.
During high-volume traffic, the show session command was displaying the same session twice.
Multiple occurrences of the same session were generated for SLB traffic when ACOS was upgraded
from 4.1.4-P1 to 4.1.4-GR1-P2.
While using virtio driver for management interface and PCI-passthrough data interfaces, vThunder
was unable to connect with the management interface after a reboot.
Under certain scenarios, when we have partitions with FW + CGN and another with CGN alone, some
packets belonging to the CGN only partition may be incorrectly dropped.
On the TH14045 blade, the logs "rimacli: Unable to get IO Board id" are always printed and the logs
are marked as critical so it will trigger the SNMP trap. This will not happen now.
Trunk member of the ADC traffic for wildcard VIPs was down. Despite enabling no-dest-nat, the trunk
load-balancing had concentrated the ADC traffic on lead ports only.
The system restarted due to PCI NOT READY when the physical port was enabled and it caused port
flapping for 4 to 5 minutes.
The system timeout-value SCP was not working when the value was set as 0.

When the incoming port and the outgoing port were different and their extended-matching was
disabled, the ICMP response was dropped.
The UDP/TCP/SCTP was not getting forwarded when received from another interface from the same
zone.
There was a fast memory leak on block 228 due to a set-cookie parsing and header format error.

Size of the dead.letter file kept increasing and was causing the disk-to-full error.
SMTP was unable to send emails when the logs contained non-ASCII or special characters.
When logged into GUI with TACACS, certain pages were unavailable. Editing SLB objects such as
service-group and virtual server with TACACS usernames that contained forward-slash characters
was an additional issue. The format of the usernames was triggering JSON syntax error.

The serial number and model number of PSU were not displayed after being hot-swapped or
replaced correspondingly with those of the new PSU.
Hardware management privileges could not be configured because the administrator username with
an uppercase 'A' letter - Admin - was not being accepted as the root user.
An AXAPI return error had popped up while editing the management interface configurations on
vThunder platforms. Changes in the management interface IP addresses on vThunder GUI were
failing because of the modified schema, which blocked the speed or duplexity for vThunder
platforms.
When VXLAN was used, the Mac Movement counter was counted incorrectly due to LIF index
issues.

When custom RBA role was used via aXAPI, the lineage-map had mishandled its response to the
object's lineage.
An ESXi host issue was causing failover and triggering VMXNET3 adapter to disconnect randomly
for a short time when exposed to link monitoring.
AAM cookie attributes for specifying the value of cookie samesite attribute and for enabling cookie
secure and cookie httponly attributes were missing.
ACOS Config Manager had stopped working when the Access Control List was modified from
Ansible aXAPI. The issue was resolved in ACOS 5.0.0 but existed in the ACOS 4.1.0 build.
When the ethernet interface was down or up, the IP address on virtual ethernet interface was not
immediately assigned by the DHCP. The Dynamic Host-client was able to procure the IP address
from the server correctly, but the same was not reflected on ACOS.
ACOS was unable to parse Same-Site cookie attributes because aFlex failed to process set-cookies
with multiple attributes. aFlex was processing these as separate cookies instead of the same cookie
with multiple attributes.
The log menu for HTTP_Forward_Proxy and SSLi was not hidden and made unauthentically
accessible to SLB Service Administrator, SLB Service Partition Administrator, SLB Service Operator,
and SLB Service Partition Operator.
The SSL traffic processing would stop completely on systems with N5 SSL cards under certain
unknown conditions. Failsafe logic has been added to avoid such a lockup issue.
ACOS had stopped working when aFlex executed complex commands such as http payload replace
or http response for sFlow data payload manipulation.
TH14045 had stopped working on Azure due to a sign extension performed on a returned value of a
bit 0 or 1. This issue was triggered due to a corrupted routing table.
When response headers with apostrophe characters were added to HTTP templates, the headers
were not reflected in the template on GUI due to the presence of those characters. As a result, the
HTTP template configuration page had become unresponsive.
The DRS statistics were incorrectly displayed in the show tech output. There were some unwanted
additions made from hostname server stats to DRS server stats.
When HTTP packets without host headers were transferred, the policy template log was not
generated on ACOS.
When Bare Metal i40e XL710 was used as a management port, the i40e kernel driver encountered a
tx_timeout error due to high usage of the I/O management interface.
Fixed inconsistencies between last 'updated' and 'saved' timestamps for shared and L3V partitions.

ACOS had stopped working in the send code path while accessing the header, which was removed
by aFlex earlier.
The HTTP pipeline process may go on hold or crash when there were pending requests in the queue,
and the server responded with a close connection in the header.
When the configuration of vPort that had shared partition templates were changed in GUI, those
templates got removed and the GUI was not allowing selection of persist shared partition templates
and vport cache.
UDP-specific reserved ports were clogged and the user-quota sessions were not processing UDP
traffic when simultaneous batch allocation was configured.
JWT cannot be removed when it was bound to an aam template.
Permission was denied to rotate /var/log/wtmp.

The rimacli crashed after receiving the break signal via telnet. The telnet break signal had sent a
terminal quit (SIGQUIT) signal, which primacy does not handle, which caused the crash.
When ACOS Template Server was bound under service-group, the configurational changes were not
taking effect.
When an LACP trunk member port was down, the existing traffic session was not uniformly
distributed to active ports but concentrated in the busy lead port.
The LSN session was not ending properly because two NAT44 Netflow logs were being sent out
while clearing the session.
In the CGN inter-partition routing setup, the cgnv6 lsn inbound-refresh disable command works for
UDP and ICMP but does not work for TCP.
When an ACOS device was in standby (SBY) state, the BGP update for VIPs was sent immediately
from the new ACOS device to the peer, followed by a BGP update withdraw message to remove the
VIP after the elapsing of route-adv timer. This issue was caused due to a BGP route UPDATE being
performed prior to route convergence.
Thunder did not send out an ICMPv6 type 3 (hop limit exceeded) message when the next-hop for the
client route was a link-local address.
IP Hash load-balancing, which uses the same source and destination port, was not supported on the
TH7440-010-CFW platform. This feature was not supported because the platform hardware was not
updated with FTA firmware.
TH4430 had stopped working while traversing an SMP table without lock.
ACOS had retransmitted TCP segments that were partially acknowledged with incorrect length. The
original length was reused completely and the acknowledged data was not omitted from it.
When vThunder was configured as vxLAN tunnel endpoint (VTEP), it sent an ICMP Port Unreachable
message and caused traffic failure. Due to the ICMP message, which was sent as a response to the
VTEP-inbound encapsulated vxLAN data packets, vThunder was unable to decapsulate the vxLAN
packets and process the traffic.
A server could not be enabled, disabled or updated using ADC > SLB > ServiceGroups in GUI after the
server name was modified.
Earlier, the SNMP community string did not support any special characters. The community string
later supported some special characters such as '#', '!', and '$'. Even so, it failed to support the
special character '#' in several instances.
The show errors command was unavailable for vThunder platform on ACOS 5.1.0 and 4.1.0. This CLI
command was blocked on the platform.
Application firewall (AppFW) had stopped working while encoding the app category information from
the local log because of a misconfiguration in a Common Language Specification-related (APPCLS)
command. The issue had also occurred when the new protobundle, containing new tags, was not
defined in the code while being loaded by Thunder.
Despite deleting vPorts, the virtual-server continued to remain active internally and there was no
effective shutdown after grace-period. Due to this issue, the virtual-server was being used even when
it was not configured through ACOS, the active sessions were not sent into the delete queue and
stayed active until idle-timeout, and the virtual-server could not be deleted after reconfiguration.

In an OpenStack environment, the config-drive configuration was getting reapplied after a vThunder
upgrade. This caused vThunder to lose its existing configuration after upgrade.
The port mirroring of Receive (Rx) packets was malfunctioning in ACOS 4.1.4-GR1-P2 because it
was mirroring the Transmit (Tx) packets twice.
Scaleout service had stopped working due to multiple template tracking events and was able to
restart only when the device IP address was added back in the scaleout configuration.
When class-list name file command was executed, the class-list disappeared from running
configuration cosmetically, but still functioned. If running configuration was saved and device
rebooted, it became permanent and the class-list no longer existed.
ACOS experienced a software reset if a TCP socket was in time wait state and some data packets
were not flushed out prior to the change in the state.
When a close-notify alert was received from the server on an SSLi server-side connection, where an
SSL renegotiation was triggered, the connection may be closed prematurely, even though all the data
was not acknowledged yet by the client.
ACOS stopped working when the sample, enabled for the service group, was mentioned as
sample-rsp-time rpt-ext-server top-fastest.
After deactivation of the peer-group, the neighbor configuration was lost even when there were
active members inside the group. This caused the ACOS device to reload.
The route tracking on ACOS 4.1.4 with Virtual Router Redundancy Protocol (VRRP) was affected due
to a reduction in VRRP-A priority despite the default route availability. The default route went down
because an old protocol called RTPROT_ZEBRA was not reused in the dynamic route.

The configurations in some sections of an HTTP template went missing when the template was
reviewed on GUI for the first time after its creation. The compound table widget of the HTTP
template encountered a special character error.
The interval option for ssl-expire-check email did not work as expected because the interval option
logic in the codes was broken. A notification email was being sent directly for every instance where
an expired certificate was found.
Service-migration had stopped working for target-floating-ipv6 and was only working for target-
floating-ipv4.
The ACOS, which had over one thousand (1k) CGN partitions and no scale-out configuration, had
caused high data CPU usage during Packet Order Correction (POC). When the show tech command
was run on the ACOS to view tech reports, there was a delay in the DNS processing response time
through the large number of CGN partitions.
TH3030 device had stopped working after removing ssl-sid persist template and adding the source-
ip persist template.
axServiceDown SNMP trap for private partition was not sent even though "snmp-server enable traps
slb all" was configured on the private partition. As a workaround, if "snmp-server enable traps all" is
configured on partition config, traps are sent.
While running the FTP data session with control session on CGN inter-partition routing setup, the
stack trace displayed clear sessions and exhausted the UDP resource.
When configured with NetFlow destination service-group, if all members of the service group went
down, the ACOS reloaded itself.
The ACOS device was getting stalled indefinitely while loading the startup configuration when the
request data being sent from the client-side was blocked due to a particular instance.
In the AAM setup, ACOS stopped working due to an NT LAN Manager (NTLM) relay buffer leak after
receiving the NTLM type-2 server response (401 error).
After executing write memory all-partitions, the last-saved terminal length was not getting reflected
and was unable to be set in all the partitions.
In GUI, per-port-weight was not displayed on the running configuration, despite being a necessary
parameter.
aFlex was unable to pass local variable to ICAP_REQUEST event from HTTP connection.
Despite configuring a strict password aging policy, the pre-configured admin users were able to
access the device as a reboot was required for the password-policy to take effect on the existing
users.
BGP neighbor with remote-as configured cannot be included in peer-group without remote-as set
starting from version 4.1.4-GR1. This may result in BGP configuration loss after the upgrade.
The configuration information displayed by the show json-config command was visible to the
restricted RBA users.
ACOS had stopped working due to a buffer overflow in the form-based logon handle function, which
was triggered when two POSTS were sent in a single connection and the URL of the second POST
was larger than 4096 bytes.
After a successful /axapi/v3/clideploy api call, ACOS returned a 200 response with empty payload.

While creating an SAML Service Provider template in GUI, the usage of special characters in Entity ID
was disabled.
ACOS Load Balancer stopped working with LDAP due to non-ASCII attribute value.
When a dedicated VRRP interface was added, the Heartbeat status section in GUI was displaying it
as disabled whereas the other ports were displayed as enabled.
For multiple request proxy connections, when the original server was down, it was reselected after
receiving a request in keepalive state. The current connection of the server did not decrement after
reselection, which affected the traffic due to the incorrect current connection count.

ACOS had attempted to resolve an FQDN error associated with a FQDN-based SLB server for five
instances. The default interval after each instance was 10 minutes, which caused a delay in DNS
resolution during device bootup. The interfaces were also taking time to get activated and DNS
retries were already exhausted.
When SNMP was used to poll configuration-specific GSLB zone service assets, there was memory
leak noticed on the GSLB zone.
The bandwidth usage for BareMetal capacity license was not saved to the disk or instead reported to
the GLM and the ELM.
RRDs of SLB performance were recorded NaN periodically and NaN data showed zero value on GUI
chart.
When modifications were made in Kerberos relay account prior to the Kerberos relay, vThunder got
reloaded and ACOS load balancer stopped working. The instance was triggered particularly when the
modified username was longer than the configured SPN.
When ACOS 4.1.1-P2 was upgraded to ACOS 4.1.4-GR1-P1, the AXAPI call was only able to link with
primary startup configuration and not the secondary startup configuration, which caused a
production outage.
In GARP, the fixed-NAT IPs were using interface MACs instead of VRRP-A MACs.
The ECMP route table for OSPF protocol on the ACOS device was not showing the paths for one or
more neighbors after the routes learned multiple neighbors and the OSPF adjacency was cleared, or
if the ACOS device was reloaded.
When GSLB configuration on GSLB Member was changed, it was not getting updated on the GSLB
Master when it faced a VCS failover, followed by a failback.
When 1K L3V partitions were added, the VPN daemon process got terminated after executing the
'reboot' command during the boot-up. The partitions had insufficient per-thread resources to support
the VPN daemon, causing the process to end.
aflex cannot be synced via VCS after deleting and adding L3V partition.
During changes in configuration, health-check was being sent out to incorrect override-port and
caused a health-check failure.
The current-connection count got stuck and was not decrementing on the dns-udp vport when
malformed-queries were sent to the vport. If a connection-limit was set on the vport, this stuck count
caused other requests to be dropped.
ACOS experienced a software reset when a 1M file with 50k speed was uploaded for HTTP2 over
SSL.
If a non-administrator had created 'HM' privileges through GUI/AXAPI, then the administrator was
unable to delete the user.
The show log command output was not displaying the multi-byte string, which did not allow checking
the log in GUI and exported the log to the log server.
Under rare conditions, the aFleX and vport configuration settings were out of sync, which caused a
NULL pointer crash.
When VCS was established from a different primary or secondary partition, the vBlade startup
configuration link was rewritten to the wrong partition after getting synced with VCS handshake
configuration.
The session failed to synchronize when the system was upgraded from 4.1.2-P5 to 4.1.4-GR1-P2 and
5.0.0. However, it synchronized when the system was upgraded to 5.0.0-P1.
The settings done by command enable-password persisted even after command erase preserve-
management was executed.
Due to the wrong object name, SNMP Manager was unable to recognize aXServiceGroupMemberUp
correctly.
When management ports were enabled or disabled during the failover/fallback of VCS, there was a
loss in the connectivity and access to the floating IP from outside the management VLAN port.
If the server was in maintenance mode and cookie persist was used along with aFleX pool selection,
the server selection could fail.
An i2c lock contention had prevented the internal watchdog daemon from using our HW watchdog chip,
which could have triggered a system reboot for recovery or even created a system lockup.
The TH1040S platform had become unstable due to a memory leak on the rsyslogd process.

After the system was reset, Harmony-related files were not deleted from the Thunder device.

There was no notification to display the session commands when the persist sessions reach an
upper limit of 10,000.
When the health check was configured with TCP half-open option, the ACOS incorrectly detected a
TCP error on a wrong port, after the health check received an ICMP type 3 response from the real
server.
A memory leak was caused on the axInterfaceCount when an L3V partition was configured.
It was observed, when accessed through the console, the session did not get timed out. As a result
of this, even when the session was not used for a long time, the user remained in the logged-in
status. To mitigate this risk it was recommended to either log-in the console to exit or reboot the
box.
The service-group, which was not bound to VIP directly but a part of the VIP-bound template,
stopped working and a syslog message was not generated.
After a failover/fallback of VCS on the GSLB Master, the GSLB group members were unable to return
to Synced state from Ready state.
The command sh cgnv6 nat64 nat-address was not displaying any data in the output.
Bridged traffic was detected when legitimate packets were miscounted as the station-movement on
the HA inline-mode.
The command show system resource-usage has default 14-sessions on TH1040 16 GB, but the
command show session brief showed fewer sessions.
In ACOS 4.1.4-GR1-P1, when an HTTP CONNECT request was rejected by the drop action in the
template policy, the applied TCP Half-Open session was not terminated immediately, despite
receiving the RST/FIN packets from client.
The nodst option for timezone was not visible after reboot.

While initiating VIP or service-group, DSR health-check was being sent out to incorrect override-ports.

When SLB server/member of the SLB service-group was renamed, the A10 URL of the server was not
updated, causing failure for the SLB service-group to retrieve the virtual server.
On OpenStack, management interface was unable to obtain DHCP IP, which prohibited access to
vThunder.
After the reboot in VRRP-A topology, the active and standby Thunder devices had responded to an
ARP request through their respective data interfaces with an unconfigured IP address. The used IP
address was not configured as the default management IP address, which resulted in an IP address
conflict among the devices.
When the virtual server IP address in L2 DSR deployment was updated to a new IP address, the new
IP address was not reflected and traffic was resent to the old IP address.
When VRRP-A was set up in VRRP-A L2 inline-mode, the missed packet count was increasing.
The Network and Security Manager (NSM) had stopped working on ACOS 4.1.100-P5 (build 11).
ACOS had stopped forwarding second-response payload to the client when one single data packet
contained multiple HTTP response codes.
When Firewall was enabled, the ICMP Echo Reply from VRRP-A Floating IP had a physical MAC
address and not a VRRP-A MAC address as its source MAC address.
When import or backup commands were used to transfer files, ACOS was unresponsive and caused
the DDOS device to be unreachable.
When HTTP health monitor was configured, the health-check encountered a failure and displayed the
HTTP Wrong Chunk message, indicating that the server response was chunk-encoded.

Despite configuring aging short in the UDP template, the age timers were updated by subsequent
high-rate packets and the age of UDP session was getting refreshed.
File system check (FSCK) was initiated on the BareMetal platform when there were two or more
corrupted partitions that were hard to recover.
When the command no ip access-list <name> was deleted, the configuration between CM module
and IMI module fell out of sync and the ACL changes were no longer being processed by the OSPF
filters.
The ACOS Configuration Manager (a10cfgmgr) had stopped working after the invalid ACL rollback.

The HTTP Policy template with WAF was not enabled after reboot.
On vThunder platform, the Microsoft Azure Linux Agent was creating logs into the standard output,
console as well as the waagent log file by default. This behavior had the potential to cause ACOS
root partition disk space shrinkage over time.
When there was heavy EP and SSLi traffic, the ACOS redundant packet transmission monitor
(a10rptmon) got stuck at 100% despite the traffic being stopped. This issue was triggered due to
incorrect memory operations while handling the messages.
When ssli-sni-hash-enable was implemented on the Dynamic Port, there was no PSH packet sent by
SSLi Inside to SSLi Outside, and the connection with SMTP server was not established.
The log command output of aFlex was being controlled by the acos-events configuration.
A manufacturing install failure for TH5650 was caused by the overlapping partition table between the
boot and the a10data.
When the certificate was uploaded with aXAPI in VCS environment, the error message mentioned
below was displayed:
Communication error with the LB process.
The 'axAppGlobalStats' were getting multiplied when the RBA partition statistics were not added to
the total statistics as they were identical to the shared partition statistics.
When TCP window-scale factor 0 was sent, the debug print did not identify if the 0 is sent or not.
Similarly, when the TCP scale factor 0 was sent, the system did not respond with a window-scale
factor.
Some IPv4 BGP peers with md5 password take a significant amount of time for Peer Up after
booting.
The "show run with-default" command output displays multiple "system resource-usage" with empty
option.
The rsyslogd memory usage had started increasing for every new TCP connection to a syslog
server, and the remote syslog server was terminating the TCP connections frequently, forcing the
ACOS device to create new connections.
The ACOS could not detect a defective FPGA, kept running in the Active state, and sent out
corrupted TCP/UDP packets. This resulted in a health monitoring mechanism being built to
augment the fail-safe infrastructure.
When copper SFP (AXSK-CSFP-COP) transceivers were used with LACP, ACOS had sent an incorrect
message for the interface port number based on what came up from the ports-threshold.

A log message indicating the voltage being below threshold had appeared in some instances.

When more than one physical interface was connected with a VLAN, vThunder was required to run in
promiscuous mode for proper packet forwarding. This prerequisite is now removed for Virtual I/O
and SR-IOV installations.
Email notifications were not being sent for SSL certificate expiration.
Alternate server configuration was lost after reboot as it had failed to define the server before adding
the alternate server.
When the import-periodic command was used in the ACOS, the PFX certificate did not get imported
periodically, and not even after 60 seconds, as configured.
The Sanitize Form Request Data had triggered a buffer overflow when a null termination was added.

After booting up, the instance was not accessible due to missing symbolic link to internal system
directory.
In ACOS, the customer found that VLAN is still added to the running configuration when the
maximum number of VLAN is exceeded in Transparent mode.
In a GSLB + dnssec setup, ACOS experienced software reset when 'dnssec sign-zone-now' command
was executed.
Source IP persistence did not select a new server if the preferred server was disabled and VIP had no
def-selection-if-pref-failed. A10 was sending a 504 Gateway Timeout note to new sessions when the
server was disabled while having a Source IP persist session entry. The change allows Source-IP-
Persistence to select a new server and makes it consistent with cookie-persistence behavior.

The Network and Security Manager (NSM) on ACOS had stopped working when the LIF scale was
configured for the first time.
The show ip route command was unable to identify any default route as an exact or best-match for
configuring routes on new networks.
When the ACOS system had received the 554 (Transaction Failed) SMTP error code from the server,
it sent the 421 (Service not available) SMTP error code to the client instead of sending the same
response code.
Redistribution of Static NAT IPs by routing protocols like BGP was allowed but this capability was
not available earlier.
Parsing error when evaluating this feature, they found following 2 issues:
1. Thunder does not parse the DNS record if resource record size of response is big.
2. Thunder cannot process aFlex if the DNS server responds with a fragmented record.
The strongest cipher was not chosen when using default priority.
When traffic was sent to cache server in TCS the vrid 1 vmac was mixed with vrid 0 vmac.
Toggling between the FIPS mode (Enabling/Disabling) does not work as anticipated.
Version Reported
4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.1-P9

4.1.4-P1

4.1.4-GR1-P2

4.1.4-GR1

4.1.4-GR1-P2

4.1.1-P12

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.1-P12-SP1

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

2.7.2-P11

4.1.4-GR1-P2

4.1.4-GR1-P2
5.1.0
5.1.0

4.1.4-GR1-P2

4.1.0-P12
4.1.4-GR1-P2

3.2.4-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

5.1.0-P2

2.7.2-P10

4.1.4-GR1-P2
4.1.4-GR1-P2

4.1.4-GR1-P1
4.1.4-GR1-P1

5.1.0-P1

4.1.4-GR1-P1
4.1.4-GR1-P2

3.2.2-P1-SP3

4.1.4-GR1-P2

5.0.0-

4.1.4-GR1-P2
4.1.4-GR1-P1

4.1.4-GR1-P2-SP2

5.1.0-P1
4.1.4-GR1-P1

4.1.0-P5

4.1.4-GR1-P1

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2
4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-SP2

4.1.1-P9

5.1.0

4.1.1-P5-SP2

2.7.2-P15

5.1.0
4.1.4-GR1-P2
4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2
4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

5.1.0

4.1.4-GR1-P2

4.1.4-GR1-P1

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4

4.1.4-GR1-P2

3.2.3-P1

4.1.4-GR1-P2

4.1.4-P3

4.1.4-GR1-P1

4.1.4-GR1-SP2

4.1.4-GR1-SP2

4.1.4-GR1-P1

4.1.1-P10

4.1.4-GR1-P1

4.1.4-GR1-P2

5.1.0
4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-SP2

4.1.4-GR1-P2

4.1.4-GR1-P2-SP2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1
4.1.4-GR1-P2

4.1.4-GR1-P1

4.1.4-GR1-P2

4.1.4-GR1-P1

4.1.4-GR1-P2

5.0.0-P1

4.1.4-GR1-P2

4.1.4-GR1-P1-SP5

4.1.4-GR1-P2

4.1.4-GR1-P1
4.1.4-GR1-P2

4.1.4-GR1-P1

4.1.1-P6

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P1

2.7.2-P11

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.0-P12

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-P3

4.1.4-GR1-P2

4.1.4-GR1-P2

5.1.0-P2
4.1.0-P13

4.1.4-GR1
4.1.4-GR1-P2

5.1.0

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2
4.1.4-GR1-P1

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P1

4.1.4-GR1-P1
4.1.4-GR1-P1

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-P2
4.1.1-P9

4.1.4-GR1-P2

5.0.0-P1

4.1.4-GR1-P1
4.1.4-GR1-P1

4.1.4

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1-P2

4.1.4-GR1

4.1.4-GR1-P2

4.1.4-GR1-P1

5.0.0-P1

4.1.4-GR1-P1

4.1.1-P9

4.1.4-GR1-SP2

2.7.2-P12-SP3

4.1.4-GR1-P2
4.1.1-P8

4.1.4-GR1-P1

4.1.4-GR1-P1

4.1.4-GR1-P1
2.7.2-P14

4.1.4

4.1.4-GR1-P1

4.1.4-GR1-P2

4.1.1-P9

4.1.4-GR1-P1
5.0.0-P1

4.1.4-GR1-P1

4.1.4-GR1-P1

4.1.4-GR1-P1
4.1.100-P5
4.1.1-P8

4.1.4-GR1

3.2.3-P1-SP1

4.1.4

2.7.2-P8

4.1.4-GR1

4.1.4-GR1-P1

5.0.0-P1

4.1.4-GR1-P1
5.0.0-P1

4.1.4-GR1-P1

4.1.4-GR1-P2

4.1.4-GR1-P2
5.0.0

5.0.0

2.7.2-P14

2.7.2-P5

4.1.4-GR1

3.2.2-P7
4.1.4-GR1-P1

2.7.2-P15

4.1.4-GR1

4.1.1-P9

4.1.4-GR1-P1

4.1.0-P11
4.1.4-P3

4.1.0-P9

4.1.4-P2

4.1.4-P2

2.7.1-GR1

4.1.4

2.7.2-P11

3.2.2-SP6

4.1.2-P1

2.7.2-P8

2.7.2-P10

4.1.4-P3

4.1.4-GR1-P2-SP2
4.1.4-GR1-P3
4.1.4-GR1-P2

Release: 4.1.4-GR1-P2 Limitations


A10 Tracking ID System Area Severity
495424 AAM Major
494473 AAM Major
482677 SLB-L4 Major
419299 GSLB Major


Description
The auth-failure-bypass function does not work when you enter the password that is over 128 characters long.
When match-authorize-policy is configured under EP source rule and when you send a request that matches the AAM::bypass condition, the authentication request is dropped.
The VRRP-A state cannot be seen when show slb virtual-server command is executed.
In ACOS GUI, when a Geo-Location is created, deleted, and then updated under GSLB, the file with valid IPv4 address and mask
entry disappears unexpectedly. However, in CLI, the show run gsl geo-location command displays the entries correctly.


Workaround Version Reported


4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4


Release: 4.1.4-GR1-P2 Known Issues


A10 Tracking ID System Area Severity
487441 System - platform Major
483823 L3V Major
482122 System - management Major
471802 VCS Major
414655 AWS Major


Description
While running stable traffic, using show cpu may show unstable usage.
When you add a route in partition A and add the gateway for that route as the interface IP in partition B, the system fails to add this route to the routing table.
ACOS stops the telnet access to management interface if the value of multi-ctrl-cpu is changed to 2.
The VCS connection breaks when the timezone is changed for a vblade configured on the vmaster.
When multiple clients are deployed, the bandwidth seen is only about 5G with 10Gbps license.


Workaround Version Reported


4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4


Release: 4.1.4-GR1-P2 Fixed Issues


A10 Tracking ID System Area Severity
433957 Web - ADC CGN Major
497116 Visibility & Analytics Major
496765 System - management Major
496657 Platform Major
496369 System - platform Major
496204 CGN-MAP Major
496201 GSLB Major
496066 HSM Major
495992 SLB-SQL Major
495940 SLB-FTP Major
495889 SSL Major
495886 System - platform Major
495784 SLR-DSR Major
495565 SSLi Major
495055 SLB-L4 Major
494731 Compression Major
494610 AAM Critical
494587 System - platform Major
494479 FW-SCTP Major
494464 Logging Infrastructure Major
494425 SSLi Critical
494332 Web - ADC CGN Major
494254 SLB-DSR Major
494158 Explicit Proxy Major
494140 L3V Major
493693 System - platform Major
493588 Web - ADC CGN Major
493579 Health-Monitor-DSR Major
493546 Web - ADC CGN Major
493534 System - platform Major
493444 Web - ADC CGN Major
493303 Router - BGP Critical
493207 Explicit Proxy Major
493068 AAM Critical
492916 Router - OSPF Major
492382 FW-CGN-ALG-FTP Critical
492316 SNMP Major
492199 SLB-SIP Major
492172 System - management Major
492154 SNMP Major
492106 System - platform Enhancement
492019 System - platform Major
491910 CGN-NAT44 Critical
491292 Router - OSPF Critical
491152 ConfigMgr Critical
491131 Logging Infrastructure Major
491027 Health-Monitor-L7 Critical
491002 Scaleout-control-plane Critical
490591 SNMP Major
490330 Scaleout-operational Major
490303 Web - ADC CGN Major
490138 Web - ADC CGN Critical
490102 Router - BGP Major
490075 Scaleout-operational Major
490072 Scaleout-operational Major
490045 System - snmp Major
489829 Web - ADC CGN Major
489649 SLB-Config Major
489586 Web - ADC CGN Major
489562 Explicit Proxy Major
489310 System - platform Major
489016 Visibility & Analytics Critical

Description
The Lightweight 4over6 (lw4o6) table entry could not be deleted using GUI or AXAPI when the endpoint tunnel parameter was specified.
When Harmony Controller was enabled, deactivating partition caused ADC to crash.
The Web GUI management access stopped responding with an error FIN_WAIT2.
The show int media output did not display information for a few QSFP.
When some TH3040S boxes were upgraded to 4.1.4-GR1-P1, the Status LED light toggled from off to ON, but it was blinking internally.
When compression was enabled under SLB HTTP template, the http chunked-encoding response could not be forwarded to the client. To resolve the issue, remove compression enable under http template. If compression enable is required, enable support-http2 under the slb virtual-server port. For example,
slb virtual-server vip2 57.93.130.102
port 80 http
support-http2
service-group httpsg
template http iis-common-with-gb
template tcp-proxy test!
If there is an existing cache entry for MAP-T, ICMP response (TTL Exceeded) is received. This response received from intermediate router on map outside interface is not translated to ICMPv6 error and also not forwarded to CPE.
MSSQL vport crashed with any failure (for example, tcp errors like failure to connect to the server, etc.) The crash occurred because the failure was not handled correctly. Ensure that TCP failure does not occur during MSSQL connection.
When the ACOS load balancer rebooted after a crash, the FQDNs that are configured under the domain-list became unavailable. To resolve the issue, reboot the ACOS load balancer manually.
The softHSM configuration was aborted when the password set included special character like \.$.
When syn-cookie was enabled with ftp, incorrect ACK numbers were transmitted between the client and the server. This caused the connection to hang.
The command system shared-poll-mode enable/disable should be available only on Baremetal, vThunder, and cThunder platforms. But, it was available even on physical platforms.
Cipher priority scenario for CHACHA-POLY failed due to special handling of patch code for CHACHA-POLY.
Due to source IP limiting, the connection was placed in the delete queue, and if the half-open timer was flagged, the REXMIT failed. To resolve the issue, remove the half-open-idle-timeout from template TCP or add ignore-tcp-msl under template virtual-port.
If the server is defined with FQDN instead of IP address, the service-group member statistics displayed incorrect information in GUI.
The command show slb ssl-forward-proxy-cert <name> <port> all took time with high CPU usage causing the packets to drop. To resolve the issue, hide command show slb ssl-forward-proxy-cert <name> <port> all.
The ACOS SAM lD crashed due to inappropriate internal buffer operation in SAML library causing the memory to overwrite.
Netflow session start time in delete event was incorrect for custom records.
Add a new element ID 323 observationTimeMilliseconds
ACOS(config)#information-element event-time-msec?
On Thunder 4440, the number of control CPU (multi-ctrl-cpu) is set to two after system reset.
ACOS crashed due to large chunk size of ASCONF packets.
When retrieving certificate for forging, the source NAT port leaked if the connection setup failed. To resolve the issue, do not use forward-proxy-source-nat.
In GUI, the VRRP-A configuration was disabled, whereas it was enabled on CLI and worked correctly. To resolve the issue, use CLI for VRRP-A configuration, or remove vrrp-a interface ethernet 4 and vlan 7 configuration.
When the DSR packet was sent with a wrong MAC address, it triggered use of IPinIP. For FPGAv2 devices, the IPinIP DSR traffic cannot be forwarded to the backend servers. DSR worked only with Non-FPGA devices.
When ip nat pools are reconfigured, snat in forward-policy template uses different ip nat pool specified in the policy if the re-adding order is different from the creating order.
The migration tool failed in regards to health monitor when shared and service partition had the same name.
Some sessions related to forward-to-internet were not closed on the vThunder (1 or 2vcpu) device.
When using BFD reserve 3784/3785 as src-port, DNS UDP dsr-health-check may become unstable due to DNS timeout.
aFleX scripts are removed after displaying an error message when more than 16 aFleX scripts were added through GUI.
HTTPD core files are generated and the control CPU gets stuck at 100% while upgrading from 4.1.4-GR1-P1 to 4.1.4-GR1-P1-SP3.
Due to heavy traffic management, ACOS restarted while registering with Harmony Controller.
GUI does not function correctly in Internet Explorer and Microsoft Edge. Use Google Chrome or Firefox.
The link did not work when the BareMetal rebooted and the cables were not connected to the X710 port.
When the BGP peer sent Hostname (FQDN) Capability (73) in the BGP OPEN message, ACOS responded with a NOTIFICATION message having the error code as Unsupported Capability. As a result, the BGP session with the peer was not established.
The session counter incremented on the shared partition when the traffic was running on L3v partition. This caused wrap around when the connection was terminated.
ACOS crashed when the Jumbo OSPF packets were received on VThunder (vNIC). To resolve the issue, enable jumbo packet on vThunder [system-jumbo-global enable-jumbo] and keep MTU 1500.
When the client sent HTTP requests to the ACOS device with a large-size cookie in the HTTP header through AAM authorization, ACOS device rebooted.
The range of the SSL counters for axSslStatSSLHWRingFull and axSslStatSSLFailedCryptoOperation was not accurate and could be negative. To resolve the issue, add the range to the syntax to make its value unsigned integer.
For Firewall FTP traffic, if the data connection is lost before control connection and it is reused by different session, then a crash is seen if garbage values are read from reused data session memory.
When logging email failed to send email, messages are queued in dead.letter file which is located under /. This file filled up the root directory and caused various issues on the control plane. To resolve the issue, create the dead.letter file in /a10data/var/log.
ACOS did not transfer the SIP packets to Server when the client and the server had the same IP address.
When 1G Copper SFPs (AXSK-CSFP-COP) are inserted in 1G/10G combo ports, the Interface status LED will glow green if copper cable is not inserted on the line-side for 1G/10G combo-ports. 1G/10G fiber SFPs will not show up this limitation.
The Physical System temperature2 SNMP trap was not sent for monitoring when it exceeded the threshold value.
The showtech files did not show the complete log records because the log file size limit was small and the partition limit was maximum.
The clear session all command clears the GIFW NAT sessions on the active unit, whereas it keeps running on the standby unit. This causes spike in the standby unit CPU usage and the HA packets are also dropped. To resolve the issue, manually execute clear session all command on the standby unit.
If you configured the virtual port template under TCP port, and later unbound the same template, ACOS dropped the non-SYN packets.
Sometimes, when the device was booted up due to crash, the a10lb did not send the redistributed NAT/FLOATING IP to NSM correctly. Due to this issue, the OSPF was not able to redistribute the NAT/FLOATING IP to the OSPF neighbour.
The two stats fields with the same name under the acos-events objects caused failure while processing the generated MIB files.
The SLB health monitor failed when the stratum value was 15 for NTP protocol.
The scaleout service failed to start on the cluster devices when the database took time for reconvergence.
When the NTP protocol changed the system clock, the SNMP did not restart.
By default, show scaleout outputs did not show the zookeeper state on the scaleout cluster node.
In GUI, option to view or export axdebug capture file was unavailable in service partition.
VIP links that were displayed in the search results of GUI Services Map were not functional.
The same ip-nat prefix was added into the BGP protocol multiple times. When deleting, only one instance of the prefix is
The scaleout status information was not displayed in showtech.
deleted.
The scaleout
To resolve thestatus
issue,information
add the ACOS wasunique
not displayed in showtech.
prefix only once.
SNMP walk did not support routing in L3v partition.
The transparent-acl-template did not work with ACL session. The show session command displayed the default template timeout.
Execution of a class-list may result in crash if blank tab (\t) was added to the class-list in GUI.
The graph value was displayed as bytes/second instead of bits/second in GUI.
To avoid connection issues with ACOS Explicit Proxy, 2XX response for the CONNECT method should not include Content-Length or Transfer-encoding header.
After powering down TH14045 and booting it back, the unit may take time to reboot due to the constant reloading of vBlade.
High Control CPU was seen in the visibility anomaly detection logs.


Version Reported
4.1.2-P4
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-P1
4.1.4-GR1-P1
4.1.1-P9
4.1.4-GR1-P1
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.1-P10
4.1.4-GR1
4.1.4-GR1-P1
5.0.0
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1-P2
4.1.1-P10
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-P3
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1-P2
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-P3
4.1.4-GR1-P1
5.0.0
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-P2-SP1
4.1.1-P8
4.1.4-P3
2.7.2-P14
4.1.1-P8
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.1-P8
4.1.4-GR1
4.1.4-P3
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.1-P11
4.1.4-P2
4.1.4-P2
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
5.0.0-


488971 GSLB Major
488852 ConfigMgr Critical
488710 ConfigMgr Major
488584 Scaleout-control-plane Major
488569 VRRP Critical
488563 aFleX Major
488407 SNMP Critical
488325 CGN-NAT Pool Critical
488293 Web - ADC CGN Major
487996 L2/L3 Major
487936 Logging Infrastructure Major
487891 System - management Major
487843 CGN-MAP Major
487822 SNMP Major
487747 System - management Major
487546 Router Critical
487234 Scaleout-fw-data-plane Critical
487222 System - platform Critical
487204 System - management Major
487093 System - management Major
486940 ConfigMgr Major
486844 SLB-HTTP2 Major
486760 CGN-Infra Major
486730 SLB-Persist Major
486691 CGN-NAT44 Major
486640 AAM Major
486580 Web - ADC CGN Major
486232 GSLB Major
486205 System - platform Major
486187 App Classification Major
486064 Harmony-Controller-Integ Critical
485821 System - platform Major
485527 CGN-Infra Major
485503 ConfigMgr Major
485482 L3V Major
485443 SLB-HTTP2 Major
485419 TCPIP Major
485368 aXAPI v3 Major
485299 GSLB Major
485272 Explicit Proxy Major
485239 Health-Monitor-Infra Major
485134 CGN-MAP Major
485071 ConfigMgr Major
484758 RBA Critical
484720 WAF Major
484702 CGN-NAT Pool Major
484558 SNMP Major
484495 Router - OSPFv3 Major
484492 L2/L3 Major
484471 Platform Major
484411 SLB-L4 Major
484351 SSLi Major
484189 ConfigMgr Major
484153 SLB-NAT Major
484015 Web - ADC CGN Major
484009 Platform Minor
483859 SSLi Major
483562 CGN-NAT44 Major
483286 Explicit Proxy Major
483019 AXDebug Major
483010 CGN-Infra Major
482964 Firewall Critical
482884 SLB-HTTP2 Major
482863 Logging Infrastructure Critical
When the same gslb service IP address exists in multiple L3V partitions, the DNS-a-record bound under a gslb zone service pointed to the service-ip with the same address in a different L3V partition. To resolve the issue, use the same service-ip address in every L3V partition.
The DNS MX record under GSLB zone is not removed from member device even though it is removed from the GSLB group master using GUI. To resolve the issue, use CLI to remove the DNS MX record.
a10syscfgd rebooted several times because rrd fetch for virtual server stats failed, and the step returned to 0.
The snmp-server enable traps system power command enabled traps for Alerts (Severity Level 1) including visibility Anomaly logs. To resolve the issue, the command is replaced by implementing the snmp-server enable traps system syslog-severity-one command.
When there was a change in the network, the Scaleout L2 redirection table was not updated correctly.
The VRRP failover issue in OCI environment is due to the limitation in the API receive message size.
Due to the limitation in aFlex to insert headers into http content greater than 3832B, large client certificates could not be sent via http headers. To resolve the issue, increase the maximum size of the http header to be inserted from 4KB-256B to 64KB-256B.
When the large fragmented memory packets were processed, the stack traces were printed in the show log.
ACOS established logging sessions with overlapped source ports when FW and CGN logging templates were configured with the same source address. To resolve the issue, configure different source address for CGN and FW logging templates.
When the system ve-mac-scheme system-mac command was configured in the VRRP inline deployment mode, the active box in the L3V partition forwarded the ARP packets of the standby box.
There is no option to enable or disable the fw server using GUI.
Mobox terminal used a remote monitoring script to log into acos RIMACLI using -c option and executed the script to gather proc file system data.
The AX handled the packets incorrectly if in MAP-E technology, the IPv4-in-IPv6 packets received from CPE are fragmented at the IPv4 level. To resolve the issue, add lw-4o6 inside tag on the interface as map inside.
When the message string in axHighPrioritySyslog was more than 256 characters, then the message would get truncated.
Periodic automatic CGN Dashboard refresh in web GUI caused spikes in the control CPU.
When the Firewall is configured in Scaleout mode and has a FW rule with "action permit forward listen-on-port" under certain circumstances, it may reload.
The black holes routes were not cleaned up on reload.
The moboxterm terminal used a remote monitoring script to log into acos rimacli using -c option and executed some script to gather proc file system data.
The output showed port as 40G instead of 100G when the show interface ethernet X command was executed.
The L3V partition sometimes got copied to the shared partition when configuration sync was performed while the receiver executed show backup output.
The messages.X.gz files were not erased from /a10data/var/log even after executing the system-reset script.
When ACOS sent the HTTP/2 traffic through an https vport, the ACOS rebooted.
When the log fixed-nat port-mappings both command was configured, and the custom message for port mapping events was not configured in the logging template, the CGN rebooted. To resolve the issue, configure the custom message for port mapping events.
The show session persist src-ip source-addr-v4 command did not work.
When fixed-nat configuration was removed when there is active FTP traffic, the ACOS device rebooted.
NTLM relay did not support the large POST request with the OWA exchange server.
When the name of an L3V partition is greater than or equal to 14 characters, its DNS server is not functional. To resolve the issue, define a name for the L3V partition from 1 to 13 characters.
If a named ACL is bound under a vport, the vport settings could not be edited using GUI.
On TH4440/TH5440/TH5840/TH6440/TH7440 platforms, when 1000 Based-T SFP was inserted on a port (for example, eth13), SFP/SFP+ inserted into the other ports were wrongly recognized after reboot or power-on.
Null pointer access was introduced due to the new tag added by QOSMOS protocol bundle. As a result, the links went down.
The ip_frag_timeout_ms_default is set to 60000, but CLI allowed range is 4-16000. To resolve the issue, change the CLI schema by setting the default value to 60000 (1 minutes) and extending the value range to 4-65535.
To avoid the high CPU usage on Kafka restart, controls were added for the Kafka restart.
The system monitoring for the software resource does not work on the Bare Metal platform.
After some operations, the terminal monitor does not work on the AX. To resolve the issue, reboot the box which is not working. Alternatively, perform a no terminal monitor in every partition before exiting the CLI session to avoid the issue.
Executing the repeat 1 show session local CLI command for a long time causes rimacli to reload.
The following two issues were faced:
1. If TCP window scale factor 0 is sent, debug print did not print this. It could not be identified if 0 was sent or not.
2. If TCP scale factor 0 is sent, the system did not send the window-scale factor in the response.
Cookie persistence is not supported with the support-http2 command.
In the GSLB Server-Mode, ADC responded without selecting any backend server, whereas the vport stats for fwd/rev bytes and packets were not accounted for. Even after handling requests, the show slb virtual-server name vport command showed 0 for bytes/pkts.
While executing show tech, it failed to get the resource file through aXAPI.
TCP half-open Health check causes A10 to reuse the same source-port on retransmitting to the server, but changes the sequence number. Due to this, any devices in the middle understood it as a different session and dropped the retransmission to the real server.
On the FPGA platform, high layer modules need to free buffer on their own.
After the entry was cached, the outbound fragmentation for MAP-E traffic was not working.
The ca-certificates that have space in the name cannot be deleted.
After system reboot, the RBA configuration object rules created inside the L3V partition are lost.
The OID of sysUpTime in the traps sent from L3V partition was incorrectly defined as 0.0. As a result, the trap host was not able to surveil the TH3040. To resolve the issue, correctly define the OID of sysUpTime as 1.3.6.1.2.1.1.3.0.
As the From header in SIP Ringing message did not have an IP address, 180 Ringing could not translate the contact IP address. Though the ACOS returned the message as an error, the message is valid.
When WAF is enabled in learning mode, the WAF config form-set-no-cache terminates WAF unexpectedly.
In IPv6 ECMP route scenario, ACOS IPv6 FIB has incorrect entries after it is reloaded from crash.
IPv6 address in shared partition could not ping outside IPv6 address through its L3V partition.
An incorrect log entry displayed RPM value for a failed fan 3A as 22080, and the fan recovered after some time.
The virtual server on the service partition did not send the ICMP Echo Reply.
When using block-replace to edit two tag-switching service-groups simultaneously, the No such Template error message was displayed.
The show slb ssl-forward-proxy-cert command caused unexpected behavior when used during heavy traffic with a high number of cached certificates. In this case, the show slb ssl-forward-proxy-status command is preferable.
The issue was caused due to the removal of the source NAT before the session is completely cleared.
When an aFleX syntax in the VCS setup was wrongly edited, instead of an error message, the GUI output displayed a wrong output as a successful update.
The 40G Breakout support for THxx40 series, TH4440, TH5440, and TH5840 are 4x10G capable platforms.
When ACOS verified client's certificate with OCSP server, it sometimes crashed because of OCSP timeout.
In a CGN VRRP pair, the sessions on the active unit did not identify the MSL setting which is followed by the Standby unit.
In Explicit Proxy + SSLi + proxy-chain topology, when Thunder received content-length header which is divided into multiple packets, crash or unstable system occurred sometimes during HTTP parsing.
If you run a large amount of traffic and performed AXdebug capture brief, you could encounter high control CPU.
When there were large number of radius entries, the Show cgnv6 lsn radius table command raised the CPU control to 100%.
As per the SIP payload, the Thunder creates an SMP session through FW. Due to the counter overflow in the SMP session, the
When
When the logging
using an host partition was configured in the L3V partition, thecookie
logs were notenabled,
sent from
thethe L3V partition
cookietothat
the A10
remote
SIP packets gotaFlex command
dropped. to print all the cookies in HTTP/2 with persist persisted
server.
creates for persistence
The resolve the issue, fixisthe
notpatch
shown.
correctly to handle the counter overflow.


4.1.4-GR1
4.1.4-GR1-P2
4.1.4-P3
4.1.4-GR1-P1
4.1.4-GR1-P1
2.7.2-P14
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.0-P10
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.1-P5
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1
5.0.0
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1-P2
4.1.4-GR1
4.1.4-GR1-P1
2.7.2-P5
4.1.4-GR1-P1
2.7.2-P15
4.1.1-P9
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-P3
4.1.1-P10
4.1.2-P5
4.1.1-P5
5.0.0
4.1.4-P3
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.1-P9
4.0.3-P1-SP7
2.7.2-P11-SP5
4.1.4-GR1
4.1.4
4.1.4-P2
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
5.0.0
4.1.4-GR1-P1
4.1.4-GR1-P1


482860 SLB-Stateless Major
482830 GSLB Major
482764 SSL Major
482749 SSL Critical
482746 TCPIP Major
482446 System - management Major
482344 Web - ADC CGN Major
482311 SNMP Major
482281 FW-GTP-C Major
482212 VRRP Major
482098 CGN-LW4o6 Major
482065 SNMP Critical
482062 ACL Major
481936 SSLi Major
481906 SLB-HTTP Major
481690 L2/L3 Major
481585 Explicit Proxy Major
481573 L3V Major
481546 AAA Major
481354 Platform Enhancement
481294 System - management Major
481237 aXAPI v3 Critical
481216 SLB-HTTP2 Major
481177 Logging Infrastructure Major
481099 Web - ADC CGN Minor
481090 Router Major
481084 SLB-HTTP2 Major
481081 Router Enhancement
480928 SLB-HTTP Major
480823 SLB-Config Major
480676 SLB-NAT Major
480670 SLB-Config Minor
480562 aXAPI v3 Major
480559 aXAPI v3 Major
480423 AAA Critical
480388 Web - ADC CGN Major
480340 Explicit Proxy Major
480229 System - platform Major
480184 SLB-HTTP Major
480175 SLB-HTTP Major
479662 System - management Major
479617 L3V Major
479014 WAF Major
478300 Health-Monitor-Infra Major
478057 Health-Monitor-L7 Major
477889 Counter-Infra Major
477826 GSLB Major
477523 ACL Major
477481 CGN-PCP Major
476974 WAF Enhancement
473971 GSLB Major
472108 CGN-Infra Major
470608 SNMP Critical
470359 SLB-HTTP Major
469972 aFleX Major
469741 SLB-HTTP Major
468224 Web - ADC CGN Major
467059 SSLi Major
461572 L2/L3 Major
452701 GSLB Minor
444853 FW-CGN-Logging Enhancement
441538 SLB-DSR Critical
435674 Web3.0 Critical
433462 SLB-HTTP Critical


In the GSLB Server-Mode, ADC responded without selecting any backend server, whereas the vport stats for fwd/rev bytes and packets were not accounted for. Even after handling requests, the show slb virtual-server name vport command showed 0 for bytes/pkts.
When method stateless-per-pkt-round-robin is configured, the UDP packet flow breaks. The packets are sent to port 65535.
When UTF-8 created a certificate using a common-name or organization, the string was corrupted.
Using the Nagle option in the TCP-Proxy template was not effective under https vport as compared to http vport. Under http vport, the server sent small chunks of data, the ACOS combined them and sent full-size segments to the client.
The Show SLB SSL Error Counters did not work in 4.1.4-GR1-P1.
After updating the waf template on GUI, the challenge-actions under the waf template were removed in CLI configuration. Add these configurations on CLI to use the feature.
A disk full issue impacted the /var/log/secure log-rotate operation.
The difference between SNMP and CLI values was more than 400M. To resolve the issue, change SNMP GUI as per the changes in aXAPI.
The packet dropped when the incoming vlan was not configured on the device for which the packet is being received. To resolve the issue, continue with the tap mode in the shared partition.
The value range of atomic_t(32 bits) is less for Fwd_counter and Rev_counter. To resolve the issue, use atomic64_t instead of atomic32_t.
When two VRRP interfaces were available, the preferred-session-sync-port option was configured for the peer-group usage. When the link state of preferred-port went down, the remaining vrrp interface was used as session-sync-port. After the preferred port came back up, the preferred-port should be used. However, if vrrp-a peer-group option is configured, session-sync-port did not fall back to the preferred-port.
On an ACOS device with SNMP configurations, when a large amount of SNMP traffic was seen on A10, it caused a memory leak and triggered a crash.
ACOS displayed the wrong message, SSL intercept failed, in spite of inspection success for forward-to-proxy traffic in the EP+SSLi environment.
ACOS failed to remove object-group network address and displayed the following message: No such clause configured for this object group.
Dynamic priority of DRS does not update after it is changed using CLI.
ip mgmt-traffic web source-interface loopback 1 did not work for httpd, while functioning as a web agent to handle axapi.
When only one DNS query was processed and the server returned an error, the EP and the dynamic service had the
A userrebooting
After with partition-enable-disable
active TH5440on inthe privilege
case was able partition,
to delete server. Ideally, a user with these permissions should only be
Segmentation Fault reloaded EPofwith
1000 private
dynamic service. the VRRP pair broke, and it took significant amount of time to
able toFIB
create enable or disable the server/rport/virtual server/vport.
entries.
ACOS could not detect a defected FPGA and sent out corrupted TCP/UDP packets.
Terminal length 0 command did not work when restore command was executed.
When VCS was enabled, ACOS could not create an IP prefix list on a standby device using aXAPI.
On 4.1.4-P3, when Harmony controller was enabled and WAF templates were utilized in a partition, attempting to send a curl to the virtual-server with significantly long cookie value caused WAF to generate a large log which caused a10logd to crash.
HTTP2 did not support non-default VRID.
When HTTP/2 virtual server port was used and multiple cookies were sent from the client browser, ACOS read the individual
There were two issues with health monitors being displayed inconsistently:
cookies,
When set L3V
using multiple cookie
partition, headers,
OSPF and sent it to the backend server server
insteadthat
of combining all the failed
cookies to one single
(1) When the health monitor waswith redistribute
viewed flagged,
in GUI after anditafrom
creating virtual
CLI, some is flagged,
strings OSPF
were missing to display
in GUI advertise
of new
the or
cookie header.
re-enabled virtual servers in all the partitions after a L3V partition was deleted and then recreated.
health monitor.
ACOS
(2) did the
When not health
displaymonitor
the partition ID that
is viewed is applicable
in CLI for redistribution
after creating with the commandare show nms client. in CLI.
A resource leak could occur when a service group memberitisinremoved
GUI, additional
from a characters were
service group while displayed
the traffic was running and
A virtual server with an HTTP virtual port using fast-path processing, double counts the total reverse bytes displayed from
new
The connections were created. The resource leak occurred when a new session referred a previously removed service group
showsystem crashed when
slb virtual-server the service
<name> <port> group was modified.
detail command.
member.
The SLB disable-server-auto-reselect was not getting activated automatically even when server priority was configured and data CPU usage reached 70%.
The ip control-apps-use-mgmt-port was configured under the mgmt port and ACOS never used mgmt IP. ACOS always uses the data port IP that connects to the radius server or the default gateway to be the NAS-IP in the AAA radius request.
The AXAPI RIB call did not support ECMP. Paged requests greater than 30 entries for the AXAPI RIB failed.
The AXAPI RIB call did not support ECMP. The /axapi/v3/ip/rib/oper option only displayed the first entry for dynamic (BGP) ECMP route. Paged requests for more than 30 entries for the AXAPI RIB also failed.
GUI reports zero when a10Stat misses the timing of writing data into rrd file. When accessing GUI Dashboard >> CGN, drop can
Unless the in
be noticed logatflag
leastof one
the hit action
graph. was
Noprimaryenabled, thetraffic
corresponding DNS drop
querywasevent could not
reported. log.response code was not found in varlog.
A disk
40x
When
The ACOSthe migration
DNSDRS server
service
device tool
on
sent was
theran
LACP in the
deleted
server
PDU because
stopped,
from disk,
of TTL
the theexpiry,
an unexpected migration
for DRS didinnot
server
interface. thedecrement.
side secondary
connections from 272
formed to 4.1.x
by the was linked wrongly
connection-reuse featureafter
were
entering
not fully the default
deleted. Thisstartup-configure
resulted in new command.
client connections using existing server-side without
To resolve the issue, manually remove the server hostname from config in order to trigger DRS server removal. using the server state which was
To resolve
deleted. theissue
This issue, when
was seen running
with athe migration
normal non-DRStoolserver
in the assecondary
well. disk, upgrade the secondary disk, or do not use the
When the show cpu
default Startup configure. command was entered on a private partition, the I/O usage was displayed as 0%, even though it should be
displayed in the shared partition.
When a lot of external health monitor scripts with SSL are executed, high control CPU usage issue occurs. External-rate can be reduced by using the health global command.
A high hit count was noticed in the AX3200-12 box for uri-blist-check values.
TCP health-check may be flapped (UP/DOWN) when the DUT is receiving the TCP RST (Reset) followed by a Push ACK (PA) with data.
When the show session commands are limited to 10,000 sessions, there was no warning message to show inconsistency display in show session commands. Also, the user had no option to check the name using session filters.
When the Standby device was rebooted or its PCP fullcone sessions were cleared, existing PCP fullcone sessions on the active box did not sync to standby. To resolve the issue, sync the PCP fullcone sessions periodically from active to standby.
High memory usage was seen when adding a GSLB group configuration and synchronizing the current session to the group configuration.
When removing an ACL from the enable-management service binding, the ACL was removed from the back-end. However, it was not removed from the configuration. When trying to remove the ACL from the configuration, an error message (No such ACL) is displayed even when the ACL is present in the configuration.
Addition of HTTP method/verb PATCH in allowed-http-methods list.
In GSLB deployments, the Web-GUI may hang when selecting a continent and country in GSLB. The ACOS device remained in
Stack
loadingtrace
statelogs
evenappeared after removing, and subsequently re-adding, a fixed-nat configuration while the device is handling
after rebooting.
Snmpwalk
traffic.failedfailed
dataconnection
The for port slbVirtual-serverPortSTable
when the slb template http was1.3.6.1.4.1.22610.2.4.10.108.23 command.
applied to vPort for response-content Device
replace did not
causing parse or it
chunk-encoding
Enhanced
wrote wrong HTTP
dataURL/header
to flat OID warning messages to include Client and VIP ip address.
file.
issue.
The TCP::close in CLIENT_ACCEPTED did not send ACK to FIN. When the port type was tcp with syn-cookie instead of tcp-proxy, ACK could be sent to FIN, but the ACK number of the ACK packet was wrong.
In some special cases, chunk-encode was not handled properly:
1) When next buffer start and end chunk trailing of \r\n, and current chunk last byte of data was \r.
2) Code did not handle the case when end of chunk encoding \r\n\r\n was split into a new packet.
When "half-open-idle-timeout" is configured in a tcp/tcp-proxy template, the configured msl-time is ignored and the session is immediately deleted.
GUI displayed communication error with lb process when saving a configuration within a private partition.
The ACOS device suffered continuous reload due to Jumbo frame flag and port mirror configurations.
For GSLB metric capacity, utilization did not increase dynamically.
The custom format did not support radius, default, compact and binary formats. It only supported port-mappings and interim-update.
In L2 DSR deployment, when the same service-group was bound to multiple virtual ports, ACOS did not send any health check to the real server. It is recommended to enable health check again.
A "Page not found" error was displayed while creating a certificate with the "CSR Generate" option selected.
When the ICMP packet is generated by the client in response to FIN ACK, ICMP type3, code3 packets sent by the client were not Source Nat'ed before sending it to the server.

4.1.0-P11
4.1.4-GR1-P1
4.1.4-GR1-P2
4.1.4-GR1-P1
4.1.4-GR1
5.0.0
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1-P1
4.1.2-P4
4.1.4-GR1-P1-SP1
4.1.4-P1
4.1.4-GR1-P1
4.1.1-P5
4.1.0-P11
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-P2
2.7.2-P15
4.1.4-GR1
4.1.4-P1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.1-P6
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.1-P11
4.1.1-P8
4.1.4-P3
4.1.2-P3-SP2
4.1.4-GR1-P1
4.1.1-P5-SP2
4.1.4-GR1-P2
4.1.4-P2-SP1
4.1.4-GR1
4.1.4-GR1-P1
4.1.0-P8
4.1.4-GR1
4.1.0-P11
4.1.4-GR1
2.7.2-P12-SP3
4.1.4-GR1
4.1.1-P8
4.1.1
4.1.4-P3
4.1.2-P4
4.1.4-GR1
4.1.0-P11
4.1.4-P2
4.1.4-P3
4.1.1-P9
4.1.4-P3
4.1.1-P8
4.1.4-GR1-P1
4.1.2-P3
4.1.1-P12
4.1.4-P1
2.7.2-P12


432250 SLB-RAM-Cache Major
430303 VRRP Enhancement
421636 System - platform Major
392180 SLB-NAT Major
370636 SLB-Persist Major
366973 GiFW Infra Critical
365065 System - platform Major
361690 SLB-SMTP Major


vThunder on KVM could not establish OSPF neighbor through SR-IOV. vThunder could not receive multicast packets on VE
The device failed due to RAM cache issues.
The ACOSvThunder
interface. could notcould
perform source
receive NAT port
multicast preservation
packets when theonly
on L3 interface source NATwere
if there is removed
two and added
vThunders back
on the to the
same KVM, one
When two
Non-rfc VRRP interfaces
compliant clients wereLFavailable,
used \n the
instead ofpreferred-session-sync-port
CRLF\r\n as end of line.But, option
SMTP was
vportconfigured
did not for the
recognize peer-group
LF \n usage.
as the end-of-
configuration.
having VE interface and another having L3 interface.
When
line. the link state of preferred-port went down, the remaining vrrp interface was used as session-sync-port. After the
It is recommended to not remove and add the source NAT again into the configuration.
preferred
To resolveportthe came
issue,back up, new
use the the preferred-port
optional commandshould be used.
which However,
supports if vrrp-acompliant
the non-rfc peer-group optionFor
clients. is configured,
example: session-
The ACOS
sync-port device
did not reloaded
fallsmtp if there was an IPv6
back to the preferred-port. VIP configured with SSL-ID persistence, and if the existing ssl-session-id
slb template smtp
CPU crashed
session due to
matching wascross
not CPU session lookup.
proper.
Some LF-to-CRLF
instances of vThunder running on KVM would receive a [SYSTEM]: Ramdisk is mounted READ ONLY error. This issue
LF-to-CRLF = Change instances
was due to vThunder the LF to CRLF
on KVM(SMTP end oftwo
requiring line) for client
serial ports,request
but the line.
default virtual machine setting may have only been
configured with one.
To resolve the issue, configure a second serial port console on the virtual machine instance.


4.1.1-P6
4.1.1-P8
4.1.1-P3
4.1.0-P11
4.1.1-P8
4.1.1-P2
4.1.1-P2
2.7.2-P8


Release: 4.1.4-GR1-P1 Limitations


A10 Tracking ID System Area Severity
480013 AAM Critical
479764 SSLi Major
478607 SLB-L4 Major
472457 Documentation Critical
471517 IPSec VPN Major
Release: 4.1.4-GR1 Limitations
A10 Tracking ID System Area Severity
475331 L2/L3 Major
474475 ConfigMgr Major
474398 SLB-TCS Major
473582 SLB-HTTP2 Major
472969 SLB-Config Critical
472436 SLB-HTTP Major
472360 SLB-HTTP Major
472268 SLB-Config Major
470941 Firewall Enhancement
470909 Web - ADC CGN Major
469967 aFleX Major
469427 ACL Major
469333 System - management Critical
467371 AppFW Critical
466009 System - platform Critical
464309 AZURE Critical
464230 SLB-L4 Major
451585 System - management Major
448447 SLB-L4 Major
448351 SLB-L4 Major
446812 SLB-L4 Major
445660 Health-Monitor-Infra Major
434708 Health-Monitor-Infra Major
430735 SLB-Config Major
430150 SLB-RTSP Major
427699 FW-CGN-ALG-PPTP Enhancement
405311 System - management Minor
404468 Documentation Major
402115 AAM Critical
392467 AAM Major
374647 L2/L3 Major
Release: 4.1.4-P3 Limitations
A10 Tracking ID System Area Severity
469418 System - management Major
469361 ACL Major
469297 Health-Monitor-Infra Critical
469096 SLB-Config Major
469076 ConfigMgr Major
469061 Web - ADC CGN Enhancement
469034 SLB-Config Major
469007 Health-Monitor-L7 Major
468938 SLB-NAT Major
468839 Health-Monitor-Infra Major
468656 SSL Major
468622 AAM Major
468568 AAM Critical
468370 SLB-Config Major
468164 System - management Major
468161 VRRP Major
467866 SLB-HTTP2 Major
467807 CGN-NAT64 Major
467708 SSL Major
467371 AppFW Critical
467311 RBA Major
467087 Web - ADC CGN Major


Description
Under load, three control CPUs configured along with AAM and LDAPS may result in failure.
Counter displayed by "show slb ssl-forward-proxy-stats" command is incorrect when doing intercept under SSLi - Transparent
Server-does
Proxy Proxynot respond to established UDP session flag.
Chain.
Upgrade migration fails from Version 2.6.x to Version 2.7.2-P11 to Version 4.1.4-GR1.
When using Cavium Nitrox III for IPsec encryption, the 6 bytes at 8630 ~ 8635 in ICMPv6 JUMBO packet is changed to a
random value. This causes the receiver to get incorrect ICMPv6 packets. This issue only happens with aes-xxx encryption,
Description
NAT, and ICMPv6 protocol.
Device does not support do-auto-recovery ("port-threshold timer" option) configured on both sides of a trunk. The result is that the trunk remains in DN status.
Source-nat pool doe not persist in a service partition does not persist when the no partition command keeps the configuration on the disk. This results in losing the source-nat when the partition is restored.
TCS does not function when the cache-server is in the same VLAN as the client/server.
HTTP2 traffic with multiple streams is not supported on HTTP2 ports with conn-reuse enabled. NAT pools are not properly released in this configuration.
Merging a new configuration with an invalid "slb template persist" timeout value removes the original configured value.
Old proxy support http2 issue: When sending http2 upgrade traffic, settings is wrong.
Req-hdr-wait-time (slb template http) does not function properly when its value is set to 31.
Slow-start in default port template does not work in certain circumstances.
While L2 SSLi works with FW, traffic cannot pass because the session cannot set up correctly when one of the following is enabled: FW rule log, session statistics, or TCP window check. Therefore, FW logging, session statistics, and TCP window check cannot be used when FW works with L2 SSLi.
On AX1030/TH1030s platform (Version 4.1.4-P3) all buttons are not clickable on GUI Licensing page.
Sanitize is supported only for standard attributes when the extension is free-format. Adding support for extensions may add overhead for features that are not used often.
Migration to Version 4.1.4-P3 from 2.7.2 fails for object groups that have a large number of clauses. The "show resource-accounting" command displays the number of clauses utilized.
Upgrading to Version 4.1.4-P3 from Version 2.7.2-P12 results in lost configuration in some instances. To prevent this, avoid using "_40" as the profile name suffix. The device uses this text string when creating updated configuration; user-created profiles with the same suffix may result in lost data.
App FW scaleout configuration with high traffic generates an a10lbcore.
When using ADC and CGN on Hyper-V, the "ping" command does not work.
Single NIC RM vThunder cannot bootup. Device continuously displays "vThunder(LOADING)#" prompt.
SLB vport counters do not match the number of bytes sent. Data indicates that server is selected on the first SYN packet - not fragmented one.
CLI restricts the usage of the "?" (question mark) character to listing available commands. AXAPI needs to be used for entering commands that contain the "?" character (such as Banner text).
Load balancing configurations with a large number of real servers may enable dampening even when a health check does not indicate flapping.
When an SLB server is in DIS-DAMP state (dampening is enabled and the server is flapping), the Alternate server is in down state.
Flap dampening is not supported for FQDN servers.
The "health external create" command fails when script includes the quote (") character.
The device does not have a mechanism to remind the user that "default hm ping" cannot be deleted.
When an alternative server has a long name, attempts to configure a corresponding alternate port fail.
MMS traffic for virtual SLB server cannot pass through an ACOS device. The IP address in URL of RTSP packet is not changed
When
from SLB a PPTP request
virtual was sent
IP to server on a control
IP when ACOS sendssession firewall,
it to the GRE tunnel for call ID was set as 0 to 1280. The PPTP
server._x000D_
"backup-periodic"
connection
The traffic canwasnot file
alive name
and
pass onthat
through, are
resend welonger
of
canthe
seethan
that208
second the characters
callIPIDaddress are
(1-1281), truncated
the
in URL PA without
in control
of RTSP providing
sessions
packet notice. to
updated
is not changed theslb
from new algorithm
vip(20.0.0.100)
GUIserver
to issues
Ports/Call excessive
ID. Thus, the
ip(20.0.0.10) error messages
second
when it isPPTP when to logging
Algorithm
forwarded datain
ACOS after configuring
sessions
server. block-merge-start
in Data Center in CLI.
Firewall for an updated control session
algorithm, the new ports were set to unmatched deny.
For URI metadata, the ACOS device expects metadata to come from an external server. ACOS stores the metadata retrieved in memory and not on disk. The SAML service may fail if the device is rebooted while the network is down.
SAML does not work with ADFS when configured on virtual port 80. This issue occurs because Active Directory Federation Services (ADFS) version 3.0 does not support HTTP protocol as the "relying-party's assertion-consuming-service".
After configuring the admin-key for a trunk group, the user cannot remove or edit the admin-key. An attempt to edit it will fail and will produce the following error message: "All the members of an LACP trunk must have the same admin key." This limitation is a long-term legacy issue.
Description
Periodic backup settings are lost when migrating from Version 2.7.2 to Version 4.1.4.
When editing the ACL binding on a wildcard vip, if the edited field is a different field, duplicate virtual-servers are created, which causes a bad state.
After creating a health monitor, the base show health monitor command only displays basic information without listing the attributes.
Netflow monitors are not configurable in the service partition.
Certain configurations contain "template waf" commands, even though it is not configurable in service partitions.
Cipher template in client-ssl/server-ssl template that are in the service partition are (improperly) not accessible in the shared partition.
Version 4.x does not support using rserver and rport configured in the Shared partition as service-group members in the service partition. This was supported for RBA partitions in Version 2.7.2
The "show slb server config" command displays incorrect health check content in the service partition when the health check is configured in the shared partition.
The "respond-to-user-mac" option for the "ip nat inside" command fails when migrating from Version 2.7.2 to version 4.1.4.
The default health monitor ping is not supported on 414-P3.
When the "slb ssl-expire-check" command is configured in a service partition, it takes effect in the Shared partition.
HTTP_REQUEST_DATA event is not activated with AAM commands because there is no content data in new proxy HTTP requests.
Sending a union of aam and mssql traffic may cause a device to terminate operations.
The "slb ssl-ocsp sampling-enable all" command (version 4.0.3) is changed to "slb ssl-cert-revoke sampling-enable" (Version 4.1.4-P3).
Low-end devices do not support "multi-ctrl-cpu".
VRRP-a configuration synchronization fails when the service-partition ID conflicts with the target device L3V partition ID.
ACOS does not send ALPN in the client hello for the backend SSL with HTTP2.
Chassis systems do not support Domain name based rules configured under an lsn-rule-list because DNS lookup is not supported on the Chassis Blade. This includes the TH14045 Dual Blade model.
After importing "ssl-ca-cert" in version 2.7.2 and then upgrading to 4.1.4-P3, the "show pki ca-cert" does not display the ca-cert. The "show pki cert" does display the cert.
App FW scaleout configuration with high traffic generates an a10lbcore.
When migrating TMO backup files from Version 2.7.2 to 4.1.4-P3, various SLB objects with duplicate names show up in both the shared partition and service partition.
An auto-imported bw list cannot be deleted from an L3V partition. Deleting the file directly is not correct because it removes the file from the backend but does not touch the file in the directory. The correct update method is to remove the import command before deleting the file.

Workaround Version Reported


Use a single control CPU when deploying AAM 4.1.4-GR1-P1
with LDAPS 4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1
No workaround. 4.1.4-GR1

Workaround Version Reported


4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
Disable FW's logging, session statistics and TCP 4.1.4-GR1
window check. 4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
2.0.0
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P1
4.1.4
4.1.1-P8
4.1.4
4.1.0-P10
4.1.0-P10
4.1.4
4.1.4
Remove the ports from the trunk until a single port 4.1.2
remains. Then change the admin key.
Workaround Version Reported
4.1.4-P3
When changing ACL binding on wildcard vip, 4.1.4-P3
please issue a no command on the original 4.1.4-P3
wildcard vip before binding a new one. 4.1.4-P3
4.1.4-P3
4.1.4-P3
Customer should allocate more IPs on their 4.1.4-P3
servers so that each SP will have an equivalent 4.1.4-P3
server (with different name and IP) to the one in 4.1.4-P3
the shared, and use that locally in the service 4.1.4-P3
group 4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
if customer wants to use, they can downgrade to 4.1.4-P1
4.11. 4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3


466823 ConfigMgr Major


466478 SLB-Policy Major
466136 ConfigMgr Critical
465952 System - platform Critical
465940 System - platform Critical
465908 AAM Major
465892 Eventing Infrastructure Major
465766 L2/L3 Major
464944 SSLi Enhancement
464752 ConfigMgr Enhancement
463625 CGN-Port Batch Major
463255 SSL Critical
462895 System - platform Critical
462796 SLB-DNS Major
461321 FW-CGN-Logging Major
460705 System - platform Major
455032 Web - ADC CGN Enhancement
452920 System - platform Major
446077 Explicit Proxy Major
442925 L2/L3 Major
425134 Router Major
421831 IP anomaly Major
238915 System-Platform Major
Release: 4.1.4-P2 Limitations
A10 Tracking ID System Area Severity
458731 L2/L3 Major
456907 System - platform Major
456637 SLB-L4 Major
456511 Documentation Major
455497 SSLi Major
455462 SLB-FastHTTP Critical
455444 SLB-Logging Major
455396 ConfigMgr Major
455290 AppFW Critical
454915 System - management Major
454573 ConfigMgr Major
453766 L2/L3 Major
453586 System - platform Major
452821 Web - ADC CGN Major
452324 Health-Monitor-Infra Major
451759 System - platform Major
451324 SLB-HTTP Critical
451028 SLB-DNS Major
451013 ConfigMgr Major
451006 Web - ADC CGN Major
450980 ConfigMgr Major
450737 SLB-Config Major
450724 System - platform Major
450586 L3V Major
450433 System - platform Critical
449992 Web - ADC CGN Major
449954 ConfigMgr Major
449941 CGN-NetFlow (Legacy) Major
449887 SSLi Enhancement
449795 GiFW Major
449542 SLB-Config Major
449335 SSLi Major
449326 SLB-Config Major
449311 Web - ADC CGN Major
449209 SSL Major
449128 Web - ADC CGN Major
449006 ConfigMgr Major
448954 SSL Major
448874 SLB-Config Major


An SLB cache that is configured in a service partition and triggered by a client will also exist in the shared partition.
The "show pbslb counter" command displays same output regardless of where it is invoked (shared partition or service partition).
After upgrading to 414-P2 from 272-P13, some "show" commands do not work and the CPU continuously displays 100%.
A data interface fails to send traffic after disabling and enabling the interface.
Some GLM commands generate an "ERROR: License ACOS error" message.
Design limitation prevents changing logon method in "aam authentication logon http-authenticate" on GUI with a single step.
deny-reset-event-fw4/6 record does not display correct flow-direction for traffic from client to server.
The "show interface statistics interval" has been removed. The multiple options aspect of the "show interface statistics ethernet" command does not work as expected.
ACOS cannot execute "forward-proxy-no-shared-cipher-action bypass" in certain TP proxy-chaining scenarios.
When the "show int stat eth 1 eth 2 eth 3" command is executed, only the eth 3 statistics is getting displayed.
ACOS creates only one full-conn session when user quota is less than Port Batch Size. Because this is not a valid configuration, this requires documentation. Validating CLI configuration requires excessive overhead because of the large number of invalid option combinations that can be entered through the CLI.
ChaCha-Poly cipher is not supported as an SSL health monitor method.
Ports do not come up in PCI-Passthrough mode.
When a DNS record is "changed" on the DNS server, the previous DRS is not removed.
Prefix quota tracking is not consistent with full IPv4/IPv6 quota tracking.
A non-root or default admin account is improperly allowed to delete an admin account that has HM write privilege.
A configuration option in the GUI for slb ssl sni-automap-attributes is requested.
ACOS was unable to establish copper links up if configured 100/full or 10/full. The system was working fine with auto/auto, 1000/full, 100/half, and 10/half. It needed a manual option to disable/enable when it was changing from Auto > 100M/Full with private fix image.
Versions 411 and 414 report a different message when explicit proxy fails to connect to server (syn-retry timeout). Version 411 responds with a 504 error message for both http and https(connect). Version 414 responds with a 504 for http request, but closes with an RST for https.
BFD echo cannot be enabled when a link-local ipv6 address is used.
If the "metric" and "metric type" values are configured after executing the "default-information originate" command, the values are not reflected. However, if these values are configured within a route-map, it works.
Anomaly packets reach the server from devices configured to drop anomaly packet through an "ip anomaly-drop security-attack layer-3" command.
The actual fan numbering on the AX5630/TH6630 is consistent from the installation guide.

Description
The show interface brief command displays blk for the state of a trunk that was blocked. Previously, the available interface states were only disb, down, or up.
With jumbo frames enabled, the ACOS device may not respond to fragmented ICMP packets.
A Virtual Server IP address can be modified without deleting the old address.
The aFlex command "RESOLVE::lookup" is not allowed for the new proxy.
With [support http2] configuration, some websites may have access problem / experience slowness.
The "show slb fast-http-proxy detail" counter always displays 0.
When using an SMTP template, the device cannot export syslog out.
The option "source-nat pool partition shared" in virtual port configurations should be removed when changing the "follow-vrid" option in service partition.
For Thunder7440 models, enabling "fw application-mempool" with default settings, results in out of memory error.
Admin accounts with multiple partition privilege are lost after upgrading from 272 to 414P2.
Version 4.1.4-P2 does not support the display of implicit SLB template configuration values.
"show interface ethernet" command executed from an L3V partition does not display information about interfaces that are not configured within the partition. This is a change of behavior from previous version.
When the vcpu number is less than 4, the device cannot be pinged.
SSLi page virtual port list differs from ADC page virtual port list. This is because only https vports (along with tcp, udp, and others) are shown for inside SSLi service while only http vports (along with tcp, udp, and others) are shown for outside SSLi service.
Log messages are not available for "ipv4 service-group disable-after-down" because the function is not supported at service group level.
Assigning an SRIOV interface to the PCI/pass-through vThunder generates an error and prevents the device from booting.
TH940 reloads without generating a core when running 64K Header test.
"Clear DNS" command is not supported in service partitions.
Health tests in service partitions do not work properly. A health test for a real server generates a "node status DOWN" message even when the server can respond.
Importing a class list into a service partition generates an error when the class-list already exists in the shared partition.
"show session persist" displays service partition configurations in the shared partition. An SLB persist template that is applied to a virtual server in the service partition is displayed when the show session persist command is executed in the shared partition.
When sending traffic to VIP in service partition, the shared partition counter is updated.
On a vThunder, after the physical port of Host changes from down to up, pinging the port from the client fails.
Session persist uie configured in the service partition is also displayed in the shared partition and all service partitions.
The "system template-bind monitor" command does not bind the template monitor to the device. The "slb template monitor" command should be used when visible.
When server-ssl and client-ssl templates are configured (in the service partition) with the partition shared option - shared partition admins cannot see the partition shared option.
Events triggered by Class-lists in a service partition are printed to the shared partition.
"sflow setting local-collection" is intentionally auto-configured.
L2-SSLi does not support proxy chaining with IP-less SSLi and proxy chaining.
On firewalls configured with ipv6 rule that permit cgnv6 and dest zone with outbound interface. LW4o6 traffic for the config destination zone with outbound interface is denied.
NAT pools configured in the shared partition cannot be used in the L3V partition.
In certain L2 SSLi configurations with traffic flowing only through the shared partition, displayed throughput in the shared partition is half of the global throughput.
"show bw-list" command display in a service partition displays inconsistent information for the CLI and GUI.
Health monitor statistics is not service partition aware. This is demonstrated by logging into the GUI and displaying statistics (ADC >> Health Monitors >> Statistics).
When using Direct Client-server auth, Session ID reuse doesn't work. This is because sessions cannot be saved for direct-client-server-auth.
In the Web GUI Dashboard, ADC Info not service-partition aware.
ACL logs are printed in the shared partition even when triggered in the service partition.
Client Renegotiation fails in the direct client-server authorization feature.
When servers are created in the shared and L3V partitions with the same name and the server in the L3V partition is
subsequently deleted, the corresponding server does not show up in the shared partition.

4.1.4-P3
4.1.4-P3
reboot should work, but some profile may not 4.1.4-P3
migrate. suggest customer check how many 4.1.4-P3
profiles before upgrade to 4.1.x. If there are many 4.1.4-P3
Changing logon
profiles, they canmethod
remove(for instance,
some old andfrom
unused 4.1.4-P3
"basic"
ones. to "ntlm") on GUI requires two 4.1.4-P3
steps:_x000D_ 4.1.4-P3
a) edit "aam authentication logon http- 4.1.4-P3
No
authenticate" on GUI, enable "ntlm" method, and 4.1.4-P2
work around.
4.1.4-P3
submit_x000D_
4.1.4-P3
b) edit "aam authentication logon http- 4.1.4-P3
authenticate" on GUI again, disable "basic" 4.1.4-P3
method, and submit 4.1.4-P3
4.1.4-P3
4.1.4-P2
4.1.4
4.1.4-P1
2.7.2-P12
4.1.4
4.1.4
2.7.2-P8

Workaround Version Reported


4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
Avoid using "fw application-memory" command 4.1.4-P2
on the Thunder 7440 models. 4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2


448720 System - platform Major


448340 SLB-L4 Critical
448148 SLB-Config Major
447704 System - management Major
446812 SLB-L4 Major
446788 ConfigMgr Major
445820 L3V Major
445010 ConfigMgr Critical
443851 SLB-L4 Critical
443132 CGN-NAT44 Major
440726 CGN-Infra Major
440720 CGN-Infra Major
439594 CGN-NAT44 Critical
439531 CGN-NAT44 Major
387383 CGN-Infra Major
340685 Firewall Major
280100 Health-Monitor-Infra Major
Release: ACOS 4.1.4-P1 Limitations
A10 Tracking ID System Area Severity
439744 SLB-Config Critical
437405 Web - ADC CGN Major
436940 Web - ADC CGN Major
313528 System - platform Critical
Release: ACOS 4.1.4 Limitations
A10 Tracking ID System Area Severity
431108 Firewall Major
430459 aFleX Enhancement
430322 Documentation Major
430295 SLB-HTTP Major
429970 SLB-Config Major
429793 Platform Major
429392 SLB-L4 Major
427463 Web3.0 (deprecated) Critical
426782 Health-Monitor-DSR Major
426380 SLB-Config Enhancement
425638 Documentation Major
425624 Documentation Major
425546 Web - ADC CGN Major
425134 Router Critical
424975 AppFW Major
424942 AppFW Minor
424835 Documentation Critical
424801 AppFW Major
424660 SLB-Config Major
423782 Firewall Major
423689 Documentation Major
423658 SLB-Config Critical
423311 ConfigMgr Major
422998 AppFW Enhancement
422827 DP-Infra-BW-Class-List Major
422062 AppFW Enhancement
422204 Documentation Major
421990 Acos Major
421934 AWS Major
421733 System - management Critical
421450 Web - ADC CGN Enhancement
421331 IPV6 Transition Major
421213 AppFW Enhancement
421028 SLB-L4 Major
421015 AAM Major
420980 VCS Major
420382 Scaleout-slb-data-plane Critical
420374 System - management Major
419818 Web - ADC CGN Enhancement

Files generated by the showtech command do not include Hardware information.
Alternate server support does not include host name (FQDN). The dilemma with hostname type servers is that one such alternate server can point to multiple real dynamic servers.
In certain configurations, the resolve-to-ipv6 server cannot be used as an alternate server for ipv6 server.
When a class-list is imported in the shared partition first, then an L3V partition is created and a service partition is added to the L3V partition, importing the class-list to a service partition fails.
Flap dampening is not supported for FQDN servers.
The "show ip" command in the service partition does not display any routes.
Creating an L3V partition after a block-merge-start command generates a "no such file or directory" message, after which the command cannot be loaded.
Import datafile commands into a service partition are unable to import bw-lists.
The 'stateless-per-pkt-round-robin' load balancing method selects servers "per-CPU per-packet" round robin basis. This may give the appearance of selecting the same server with each request.
CGN port-overloading failed for inter-partition traffic when the port was configured to batch version 2 using command "cgnv6 lsn port-overloading".
When more than 5000 lines were added to CGNv6 NAT exclude-port TCP/UDP with many port lines using scripts, the control CPU usage increased to 99~100%. Use a port range with start and end as appropriate.
When configuring: "cgnv6 nat exclude-port" while the port is occupied by port-reservation, the port reservation is released without being cleared. When the port reservation is eventually cleared, the port returns "exclude-port" state and cannot be used by port-reservation.
HTTP system log was not sending a request out for TCP-proxy for SLB Layer 7 sessions on CGN for IPv6.
In the 4.x a new release, when ACOS is run in CGN mode, executing the "show ip nat translation" command causes the Control CPU usage to be 100%.
When running ddos-protection automation on CGN during an "inside_attack", if normal traffic uses odd ip address and attack traffic uses even ip address, ddos-protection does not take effect and is unable to block sessions between master and blade.
Counters for rule-set permit/deny bytes are not increased because the device increments the byte count only when "log" is in the rule under the rule-set. This is expected behavior.
When the Health monitor is configured with "disable-after-down", running-config does not display the "disable" state for the real server or real port if the health monitor status is down.
Description
The ACOS device reloaded twice while running L3V suite. The partition creation failure was due to the reload happening at the
Starting
same time. with ACOS 4.1.4-P1 the ACOS system can be rolled back to the previous version. In aVCS deployments, the ACOS
Starting
device will with ACOS 4.1.4-P1
synchronize the ACOS the ACOS system system
image can be rolled
during upgradebackwithout
to the previous
staggered version.
mode fromIn aVCS thedeployments,
vMaster to allthe ACOS
vBlades.
ACOS
device
However, does
willthisnotsynchronization
support the
synchronize the ACOS
ability to read
system
currently the
not media
isimage during
supported information
upgrade
for rolling onback.
withoutTH3040 10G
staggered
Thus, ports.
mode
if ACOS Therefore,
is from
rolledthe
backthe "show
vMaster
on interface
thetovMaster, media"
all vBlades.
there will
CLI
be acommand
However,discrepancy does
this synchronization
in thenot ACOS
displaysystem transceiver
currently is not
images information
supported
among for
nodes forthis
in specific
rolling
the back.device
aVCS Thus,
set and release.
if ACOS
because thatis image
rolled back on the
will NOT be vMaster,
synchronized there will
Description
be a discrepancy
automatically to the in the ACOS In
vBlades. system images among
such situations, nodes in the aVCS
it is recommended set because
to upgrade the ACOSthat to image will NOT
a previous be synchronized
version from the
VRRP-A
automatically will disconnect
to oftheusing if the firewall
vBlades. In such is dynamically
situations, it is disable/enabled
recommended tomultiple upgradetimes. the ACOS to a previous version from the
vMaster instead rollback.
vMaster instead of using rollback.
ACOS does not support the ability to use the aXAPI to create, get, or change the aFleX script. Therefore, the URI will have no valid key since there is no end-point.
If an HTTP request with no-cache header matches the cache policy and hits the cache, the ACOS device uses the cache to respond to the client regardless of "accept-reload-req".
The snat-port-preserve command is not effective for virtual ports with source-nat auto configured.
When upgrading from 2.7.2-Px to 4.1.4, the following templates (with partition shared option) get parsed out after upgrading,
When
because using4.1.4OVS does DPDK not on KVM host,
support due to the limitation from DPDK on the upper bound MTU, the ACOS device can support a
them:_x000D_
The idle-timeout
maximum
1. Diameter_x000D_of 1496 setting (tcp or udp
byte frames. templates)
Anything more displayed
than that may by the getshow running-config
dropped. This issuecommand is rounded
will be addressed to a multiple
as soon of 60.
as the greater
If
Useyou
DPDK
2. theaccess
Persist show
community the GUI
template takes
(cookie/src/dst)_x000D_bycommand
public
care ofIP,it. sometimes
to view the actual client sends
value of thetherequest with a setting.
idle-timeout different IP, which is treated as an invalid request,
Disabling
and returned
3. Virtual DSRwith (dest-nat
port_x000D_ the note command)
'RESP HTTP removes
statusservice-group
403 Forbidden: control
Loginoffrom DSCP. In this instance,
untrusted host'. As DSCP settings
a result, mustthe
it impacts beGUI
applied on
normal
An
each SLB server configured
appropriate
display._x000D_ port insteadwithof a hostname
relying on does
a not get resolved
service-group to an IPv6 address. This issue is seen if the DNS server only
configuration.
4. Policy_x000D_
HTTP/2
has
For a AAAA
example,is onlyrecord
onlysupported
the the for
forcurrent client-side
hostname.
partition Asis data sessions.
a workaround,
shown, and theServer
use an to
partition IPv6 ACOS device
listaddress
is not HTTP/2
instead
shown thesessions
in of apartition
hostname. isdrop-down
not supported.
list in top banner
5.
GSLBAuthentication_x000D_
group status was not updated correctly when the priority was changed in the group topology.
on
6. the GUI. Often or sometimes, it returns with the 500 error or Page 'Not Found' error.
Cache_x000D_
When RBA is enabled or disabled, partition-enable-disable for users functionality works in CLI only.
7. Connection-reuse_x000D_
If the "metric" and "metric type" values are configured after executing the "default-information originate" command,the values
8.
BGP
are Dynamic-services_x000D_
routing
not doesHowever,
reflected. not function correctly
if these valueswhen are Application
configured within Firewall is enabled. it works.
a route-map,
When an SLB SIP virtual port was configured with application firewall, the "show session application" command output did not
9. External-services_x000D_
If there
show
10. SIP is sessions
not enough
Http-policy_x000D_ even memory,
thoughadding they were a partition
correctly in aclassified.
VCS environment causes the vBlade to stop functioning.
Inter-partition
11. WAF_x000D_ routing did not function correctly between Layer 3 application firewall on Partition 1 and GiFW with CGN on
Within
Partition
12. DNS an2._x000D_
SLB policy template, configuring a service-group action to a class list LID (Limit ID) requires the assignment of a
The optioninter-partition
threshold,
However, "alive-if-active"
such as a connection has been
routing limitdeprecated
or request
functioned in
correctly ACOS
limit. 4.1.4.partitions
Otherwise,
between If traffic
the "tcp P1force-delete-timeout-100ms"
will be directed
and P2 (Shared)to another
only whenserviceis configured
CGN group.
was active in the
on both
Health-check
firewall
interfaces. session rate limiting any
template, helps to ensure
devices thathealth
have this check can configured
option be processed willsuccessfully. However, for
lose the "alive-if-active" largeafter
option SLB upgrading
deployments from
For
with
ACOS ACOS
a 4.1.1-P6
large systems
number with diskto
of health
or 4.1.0-P10 size smaller
checks,
4.1.4. it isthan
There 20functional
possible
is no GB,
forwhen
a serverconfiguring
impact.or port tolarge scale
fail its SLBcheck
health resources,
becausesuch theasACOS
SLB servers,
device is service
In VRRP-A
groups,
unable to deployments
virtual
completeservers orwith
processingvPorts,anof Active
usethethe and a check
Standby
following
health ACOS
command
before it device,
to disable
times issues
out. may scenarios,
Ingenerating
some occurtheduring theconfiguration
control CPU sync,
rrd file:_x000D_ causing
utilization ratethe
could
Local
aFleX
!_x000D_
spike up logging
sequence
to 100%.uses number persistent
Therefore, in the itstorage
virtual
may on the device.
beservice
necessary to not When
to match.
tune theenabled
This on the rate
is because
health-check firewall
ACOS and when
does
limiting. traffic pattern
not currently support exhibits a high
the ability to re-
When
order a userentries
connections
aFleX
slb common_x000D_ imports
per second,anda class-list
the diskfile
changes andbackend
utilization
to the the will
imported
increase
can only filequickly.
hasappended.
be no keyword "file", then the class-list file cannot be shown. A user
AppFW
evaluates withthisCGNfile
stats-data-disable_x000D_ is
with not supported.
"show class-list" command and cannot see the file type as class-list, it is a known behavior in the CLI
In WAF deployments, request and response headers would appear using the debug monitor command when debug waf was
mode._x000D_
!_x000D_
If the length
enabled.
When a userThisoflogstheinpersist
behavior thenow GUI UIEmode key in
requires andaFlex
that
selectsexceeds
"debug the internal
http-proxy" also
"ADC-SLB-Classlist-Import", limit of 63 characters,
be enabled theforfile typeaFlex
request andtruncates
class response
list can be the keyon
header
seen to an appropriate
information
the sheet. toBut,
Otherwise,
If AWS is the disk
configured may
with betwofull._x000D_
data interfaces with DHCP, the AWS instance has two default routes. Configure static IP
length
appear
if for
fromuse. debug monitor.
selecting "Entries" of a specific class-list file, the error message "404 page not found" is reported, and the GUI starts hanging
_x000D_
In ACOS 4.1.4,
addressing when
on the the transient
incoming Linux process memory theistraffic.
low, the user cannot log into the device using SSH and must reload
on
As the loading
adevice.
recommendation, data. This adata
theishigher
interface
limitation
thethe
compute
to maintain
of this set-up.
andnot storage power of the ACOS system, the traffic.
more the number of resources that
In Application
the Firewall deployments, GUI does support display of local-logs for IPv6
can
In be created.
CGN deployments, the NAT IP added to a ddos entry can still be used if this NAT IP is configured with port-reservation, since
When
the NAT application
IP cannotfirewall be changed. was enabled, "open" system logs were not provided for short-lived sessions whose app classification
When
is still configuring
pending, only a half-open-idle-timeout
"close" logs were provided valuetoofindicate
30, the the half-open
session. session age remains at 60 on the standby device.
AAM authentication service-group is a type of slb _x000D_
If a CFW license
service-group, is imported
hence the "slbto an ACOS
template device with
port/server a VCS setting
default" setup and an ADC
affects the license, the "import
health monitor stateweb-category license" to
of AAM authentication
Since
serverthe
remote vSwitch
devices
when the results is incompatible
default in with typical
an error._x000D_
health monitor L2 switch
check method is on
used.vThunder KVM/VMware platforms, ACOS fails to learn all scaleout
The
MAC ACOS
_x000D_ addressesdevicesent does bynot supportTherefore,
vThunder. user names thecontaining
configuration "/" for ofremote
l2-redirectauthentication.
does not work on vThunder KVM/VMware
When
platforms.displaying the Application Firewall using
Workaround: Manually switch over the VCS virtual master using the CLI command the GUI, the dashboard does not show "vcsdot-plot query data. and switch back.
vmaster-take-over"
Reload the device after importing the license.

4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4
4.1.2-P1
4.1.1
4.1.0

Workaround Version Reported


When L3V partition and rate limit log are set, let the traffic be removed first. Then, let the rate limit log age out gracefully. Only then should you remove the partition.
4.1.4-P1
4.1.4-P1
4.1.4-P1
4.1.1

Workaround Version Reported


Clear session manually to fix this issue. 4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
Disable local-logging. 4.1.4
4.1.4
4.1.4
4.1.4
4.1.3
4.1.4
Login on Telnet or GUI. 4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
Manually switch over then manually switch back by using the CLI command "vcs vmaster-take-over". Next, reload the ACOS device after importing the license.
Use other username
4.1.4
4.1.4
4.1.4
4.1.4


419717 GiFW Major


419464 AppFW Enhancement
419425 SLB-Logging Major
419299 GSLB Major
418991 System - management Critical
418825 Counter-Infra Major
418645 Shared VLAN - Data Plane Critical
418429 AppFW Critical
418180 AAA Major
417718 ACL Enhancement
417362 Firewall Major
416773 Scaleout-operational Critical
415379 Web - ADC CGN Major
414157 DP-Infra-BW-Class-List Major
413890 AppFW Critical
411856 L2/L3 Major
411244 License Manager Major
410608 AppFW Enhancement
410602 AppFW Enhancement
409027 System - platform Major
407083 AppFW Enhancement
406324 AAM Major
405529 SLB-HTTP2 Major
405112 Shared VLAN - Data Plane Enhancement
403708 Documentation Major
403468 AAM Critical
402752 Documentation Critical
402115 AAM Critical
400021 Health-Monitor-Infra Major
399235 AAM Major
395278 L2/L3 Major
395083 L2/L3 Major
392467 AAM Major
392408 Web - ADC CGN Enhancement
391157 Web - ADC CGN Major
390103 System - platform Major
389009 SLB-L4 Critical
388960 System - platform Major


For NAT64 traffic, the destination address is a configured NAT64 prefix and the server address. ACOS does not perform
Application
destination zone protocols
lookup associated with multiple
for CGN traffic destined categories
to a NAT64 areprefix.
accounted for by each category type. This may result in duplicate
The
datapartition ID may becategory
in the application truncated for longer names under Flags in the output of the "show session" command. This issue is
charts.
In
onlyACOS
seenGUI for when a Geo-Location
the reverse traffic. was created, deleted and then updated under GSLB, the file with valid IPv4 address and
HVA isentry
mask not supported
disappeared forunexpectedly.
ACOS 4.1.4. However in CLI, the "show run gsl geo-location" command displayed the entries
In aVCS deployments, the ACOS cannot render the stats/oper/clear for the aVCS blade. If the user goes into device-context-2
correctly.
The "allowable-ip-range"/"allowable-ipv6-range"
(for the blade) and tries to run the "show command", mustthen be configured
this issue on willthe
be vMaster
seen. and vBlade ACOS devices before enabling
QOSMOS
VCS. If not, traffic from anonymous networks was classified only
the "allowable-ip-range"/"allowable-ipv6-range" cannot as besecure HTTP and
configured on the notVCS classified according to the application
blade system.
If the LDAPexcept
protocols, Serverfor Hostsome is aapplications
domain name, likethen the authentication
Dropbox, and Appstore.fails.
When a user wants to upgrade the ACl with the rule of "ICMPv6 time-exceeded" type, it needs to be supported along with the
In Firewall deployments,
Management port. The ACl whenwithapplying
a rule ofa "ICMPv6
class-listtime-exceeded"
to the firewall ortype explicit
valueproxy,
matches the class-list
the Managementhit counter does not
packets, for increase
which type
In
for amatching
value node deployed
traffic.withdoes
"time-exceeded" scaleout, changing
not consist of thetheconfiguration.
system time might cause scaleout
This command breakage.
also requires theIfbackend
scaleoutsupport,
reformation
whenoccurs,
this ACl
After
the launching
time taken a
can software
vary upgrade
between
is applied to the Management port._x000D_ 4 - and
5 checking
minutes. the system prompt, the message erroneously indicates that the system is
ACOS gives
"rebooting". priority
The to
proper keywords
status equals,
message startswith,
should contains,
instead display,ends-with,
"System in
is the
now order, when
upgrading".
This is a legacy issue and it requires full support for all the types of ICMPv6. It is also noted that the same issue persisted for one template
_x000D_ matches multiple
TOP-10
rules. connections
Class-list data and statistics inwere recorded only after the
thatapplication firewall sessions closed.rules,
Falsethe
data was
_x000D_
another ICMPv6string type, suchmatching worksicmp
as "permit a similar behavior,
type param-prob such
any any when
log". It one
can bestring matches
considered multiple
as a common issue first
for any
The output
displayed
matched
This issue oneis seen when initiating a software upgrade from the ACOS GUI, and it only occurs when the language for the GUIthis
from
relatedwins.the
to CLI
time,
Users "show
for access-list"
connections
expecting multiple command
that were
rule hits does
alive for
should not
abe include
long
awaretime. the
of counter
this for
limitation "Management
and revise hit
their count".
class-list However,
as needed. is
ICMPv6
The producttype. typebe that is displayed by ACOS is not adjusted after applying
information can
switched to Japanese. obtained by using the more granular command: "showaaccess-list
GLM license for a different
ipv4/v6 <name>" product. For example, if
The
a show rule-set
Thunder device isrules-by-zone
running ADC,does and notGLMdisplay
is usedthe to "application"
acquire a CFW column.
license, then one might expect the Thunder device to
The rule-set
display "CFW" statistics
after applyingfor application firewall license,
the new feature did not update
but thiswhendoesaction
not happen.permitItoption was set.
still shows the The value was
previously showing
configured as 0.
"ADC"
1 Gb SFP
product type. transceivers were not recognized by 10 Gb ports upon insertion._x000D_
Only application protocols using TCP and UDP are detected.
_x000D_
The metadataUse
Workaround: file the
which reloads
disable andusing
enable thecommand
URL will not appear
in the in thesub-configuration
interface output of the "show aam authentication
to re-initialize the port, sosamlthatmetadata"
the
Source
command. NAT pool
Since
transceiver is recognized. is required
this command for http2
is for or http2s
imported virtual
The port.
metadata file which reloads using the URL will not appear in the output of
An
the SLB
"show virtual
aamserver cannot besaml
authentication configured
metadata" in the shared partition with an IP address covered by an allowable-ip-range address
command.
When
space awithinnon-FPGA an L3V platform
partition. is in jumbo state, it is recommended not to switch to any profile or running config that could
The
changeMetadata
the status that ofis the
retrieved
ACOSby the URI
system towill not be stored
non-jumbo support. in the
This disk when there
limitation is a failover.
is especially In this
true with case, the
VRRP-A andStandby
aVCS device
When
retrieves memory
configurations. usage goes
the Metadata to a high value, if the user tries to open another SSH terminal, it will fail. However, when the memory
independently._x000D_
For
usage URIismetadata,
_x000D_ low, the user the canACOS device
login again. expects
This ismetadata
expectedtobehavior.
come from an external server. ACOS stores the metadata retrieved in
The health-check-disable
memory
Expected and not on Ifdisk.
Behavior: option
the The
Standby will
SAML not take
service
device fails effect
may failfor
to get slb
if the
the service-group.
device
Metadata, isSAML
rebooted while the
exchange network is down.
failed.
In SAML configurations the following limitations apply:_x000D_
ACOS
~ If thedoes not support the is
"max-session-time" ability to clear the(set
not configured management
to 0), the tokenneighborlifetimeentries using
is not used the toCLI command
age-out "clearauthentication
the SAML IPv6 neighbor" with
A misleading
more
session. specific
_x000D_ error
options,messagesuch as appears when using
MAC address "clear
or IPv6 IPv6 neighbor
address option. entry" (with a VE interface that belongs to another
SAML
~ If thedoes
partition). Innot
such work
"max-session-time" withthe
cases, ADFS when configured
isdisplayed
configured, error
thenmessage
ACOSon virtual port
says,this
uses 80. ve
"Invalid
setting This issue
(virtual
only when occurs
ethernet) because
the Identitydevice", Active Directory
but it should
Provider does not Federation
instead
providesaya "This
The "Memory
Services
ve (virtual (ADFS) Usage"
ethernet) version
is chart3.0
owned
session or token lifetime in the assertion. in the
does
by "System"
not
another support Dashboard
HTTP
partition." displays
protocol as incorrect
the time
"relying-party'srange when it is set to Last
assertion-consuming-service". 1 day and Last 7
From the ACOS GUI, when on the Security / WAF / Reporting page, the displayed time range should be the same as the
days.
After
selectedPOAP process
period, completes
but there is a one and system
hour boots up,
discrepancy "poap_startup_40"
between the specifiedfile is auto-generated
time and what appears andinlinked as startup-config
the chart.
The weight
profile, if thesetting of the default
"poap_startup" file inSLB
POAP portpackage
template is takes precedence
272 build version. over the weight configuration of individual ports.
If the POAP weights
Configuring packageon is not downloaded
a individual or if the
port basis download
requires failed:_x000D_
the removal of the default port template setting.
1. For vThunder in VMware/KVM/Hyper-V platform, DHCP is enabled by default when startup-config doesn't have mgmt port config. The IP address is obtained by DHCP server after the reboot.
2. For vThunder in VMware platform and all its interfaces (mgmt port + data port) using VMXNET3 network adaptor, it reboots and enters the Non-dedicated Management Port Mode.
3. For hardware Thunder/ACOS, DHCP is not enabled by default. The DHCP network config is removed.


4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
Go to the vBlade to get the statistics for a particular device.
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
Use "show access-list" to display "Management hit count" of management bound access-list.
4.1.4
4.1.4
4.1.4
4.1.4
4.1.3
If users need to permit or deny any IP protocols other than TCP and UDP, they must configure rules with "service proto-id".
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.3
4.1.3
4.1.3
4.1.3


Release: 4.1.4-GR1-P1 Known Issues


A10 Tracking ID System Area Severity
480582 ConfigMgr Major
480407 CGN-Infra Major
479366 System - platform Major
479260 System - platform Critical
478400 Router - OSPF Major
478150 Firewall Major
477523 ACL Critical
472108 CGN-Infra Major
Release: 4.1.4-GR1 Known Issues
A10 Tracking ID System Area Severity
475576 SSLi Enhancement
475255 CGN-DNS64/DNSALG Major
475174 CGN-DNS64/DNSALG Major
475168 CGN-DNS64/DNSALG Major
475084 L2/L3 Major
474647 CGN-Port Batch Major
473996 SLB-Config Major
473675 SLB-Config Major
473491 GSLB Critical
473330 Scaleout-cgn-data-plane Major
473324 SLB-RAM-Cache Major
471262 System - platform Critical
471170 Scaleout-control-plane Major
470641 SLB-Config Critical
470513 Scaleout-control-plane Enhancement
469034 SLB-Config Major
468938 SLB-NAT Major
467620 System - platform Critical
462254 ConfigMgr Enhancement
461300 GSLB Critical
456706 Explicit Proxy Major
452920 System - platform Major
422251 System - management Major
342736 Health-Monitor-Infra Major
Release: 4.1.4-P3 Known Issues
A10 Tracking ID System Area Severity
469364 System - platform Major
468329 System - management Major
467465 SSLi Major
467359 SLB-L4 Major
466009 System - platform Critical
465584 GiFW Infra Major
464935 SLB-Config Major
464309 AZURE Critical
464261 GiFW Major
463634 ACL Critical
463630 SLB-DNS Major
463052 SSL Major
462931 SSLi Enhancement
462844 L2/L3 Major
462718 Scaleout-fw-data-plane Critical
452899 Firewall Major
451607 Scaleout-cgn-data-plane Major
439930 L1-L4 Classification Major
405406 License Manager Major
Release: 4.1.4-P2 Known Issues
A10 Tracking ID System Area Severity
457621 SLB-L4 Major
456253 ACL Critical
455918 ConfigMgr Major
455615 Scaleout-cgn-data-plane Major

Description
Some device-specific configurations are lost after a vBlade device joins a vcs chassis.
Clear full-cone-session requires executing "clear" command twice.
The chassis blade syslog includes superfluous BGP (and possibly other routing) error logs.
VE interfaces are unreachable when using Mellanox card on ESXi+SRIOV vThunder.
Multiple OSPF instances may not be able to select a router-id if the configuration does not have sufficient interfaces with IP addresses.
Device should drop TCP packets (without triggering a reset) that match an implicit deny rule or an action deny rule.
When removing an ACL from the enable-management service binding, the ACL is removed from the back-end. However, it is not removed from the configuration and hence, when trying to remove the ACL again from the configuration, an error message, "No such ACL" is displayed even when the ACL is present in the configuration.
Stack trace logs begin appearing after removing, and subsequently re-adding, a fixed-nat configuration while the device is handling data traffic.
Description
When a corrupted CRL file is configured, ACOS crashes with server-ssl context creation failures.
The "show dns cache" command only displays DNS records from the master. The command should also display records from the blades.
The "clear dns cache statistics" command fails to clear statistics in the blade.
The "show dns cache entry" command fails to clear the blade's dns64 cache.
Upgrading to 414-GR1 (from 272-P11) causes interfaces to go "Up" to "Disb" (disabled).
Configuring the maximum NAT address with port-batch-v1 enabled results in memory usage greater than 90%.
The min-active-member status reported through the "show slb service-group" command is not correct. When the active-members number is less than min-active-member, the service group status displays "Functional Up" and then sends "504 Gateway Timeout" after receiving GET request.
The "show session persist full-width" command does not display complete IPv6 addresses.
When more than 1000 gslb service-ips are configured, some random gslb service-ips cannot "protocol up".
Hair-pin traffic with source ip that is not in same user group is not redirected to the active node.
In service partitions, the device was unable to bind a cache template with local-uri to a vport.
Enabling system-jumbo-global without setting the interface mtu to a jumbo value (greater than 1500) causes the interface to drop regular packets.
Reachability table has incorrect entries after certain device operations (including enabling or disabling a VE interface). This results in packets not being redirected to the active node.
Policy based source NAT (acl-src-nat) does not function on vports where acl source-nat is configured. Having two NAT pools configured together causes the problem and ACOS gives higher priority to SNAT with ACL.
Layer 2 redirect redundancy for IPv6 doesn't work well. The current scaleout infrastructure works only with the ipv4 address present. Support of IPv6 alone requires support for the IPv6 infrastructure. The current limitation is that for an IPv4 address to be present with the matching subnet for all nodes for the traffic IPv6 redirection.
Version 4.x does not support using rserver and rport configured in the Shared partition as service-group members in the service partition. This was supported for RBA partitions in Version 2.7.2
The "respond-to-user-mac" option in the "ip nat inside" command fails when migrating from Version 2.7.2 to version 4.1.4.
When user changes timezone setting, device removes the rrd files that store statistics data. When the CPU is busy and there are many rrd files (20,000) the removal of these files blocks the for up to two minutes.
Synchronizing NAT pools that have the same name and different IP addresses across multiple ACOS devices is not supported.
Modifying gslb service-ip from "auto-detect" setting generates "No such Server" error.
When the ARP table does not include a next-hop entry for the Server's IP address, packets are forwarded to the default next-hop instead of a service group.
ACOS does not support 100Mbs/Full, 10Mbs/Full speed, duplex settings with Cisco switch as peer.
After adding or removing a secondary IP address in the ACOS device, the device becomes unable to ping directly-connected networks in L3V partitions.
Startup configuration intentionally displays the health monitor twice. Providing the initial listing of health monitor names with their exit-modules allows the declaration of references to those health monitors before other object configurations are listed. This ensures object configurations that depend on a particular health monitor can refer to the earlier reference to verify the health monitor is properly configured.
Description
FIRMWARE stacktrace caused by IPV6 BFD packets when 1) a peer device is reloaded or rebooted; 2) all ports of a VE interface are down.
Device cannot export axdebug file generated in service partition.
The "forward-proxy-cache-persistence" option recovers forged certs in vport after an ACIS reload. However, the "show slb ssl-
Some UDP vport range
forward-proxy-stats" tests generate
command does not unrealistically
calculate the large "totalofsession"
number recovered counter
certs.values. Closing the sessions does not clear
When
the using ADC and CGN on Hyper-V, the "ping" command does not work.
counters.
Enabling the "hit counter for domain-list" only records the first tcp/udp traffic match.
CLI permits a maximum of 128 HTTP templates through resource usage. However, the device generates a "Number of HTTP template exceeds RM limit" error upon configuring the 128th template.
Single NIC vThunder cannot bootup. Device continuously displays "vThunder(LOADING)#" prompt.
The "show geoloc-list" displays an "Error" message when the configuration includes over 1000 geo-loc lists where each includes the maximum number (1024) of includes and excludes.
The fw geolocation filter does not support "default". The default action is achieved through configuration fw rules.
ACOS does not send "dns query" for CNAME to the secondary dns server after receiving a response from the primary dns server with "No such name" flag.
Traffic fails in ports with a template that includes "direct-client-server-auth" option (slb client-ssl template). The failure generates "Unknown SSL protocol error in connection" error.
Sending traffic to match on port 0 ssl-proxy is not supported.
Static route configs are not added to route table on L3V partition. This is an IPv6 limitation.
Existing session traffic is impacted after taking over an established active role after reboot.
Certain VRRP-VCS mode configurations with various TCP/UDP traffic results in a btdump due to A10lb thread issue.
The scaleout statistic counter reports an incorrect number of packets on the active device. Because drop counters are more useful for debugging, this issue will not be fixed.
LED continues to blink after SFP is removed from SFP port.

The serial number is not correct for a specific vThunder. When an existing v1 license is imported or an existing PAYGO license
is applied, the serial number is set to values specified by the licenses.
Description
The "ve-stats enable" command does not work properly. When the option "use-recv-hop" is used on the virtual port, the ACOS device does not count the ve-stats packets correctly for reverse traffic on the ve interface. Without this "use-recv-hop" option enabled, the packet counter looks correct.
Cannot create an object-group network with the IPv6 default route (::/0).
After importing a certificate and key to a service partition, configuring the certificate-key in the server-name of a client-ssl template fails.
With three scaleout nodes, one node cannot establish full adjacent relationship with OSPF designated router (DR) or border designated router (BDR).

Workaround Version Reported


4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1-P1
Use the router-id configuration command when user is running multiple OSPF instances:
AX2500(config-ospf)#router-id ?
A.B.C.D OSPF router-id in IPv4 address format
When you need to reconfigure the same NAT IP, please wait for at least 2 minutes after removing the same NAT IP configuration.
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1
4.1.2-P4
Workaround Version Reported
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
Remove all devices from the cluster and add them back. This way the reachability table will get reset and with the right information this time.
Customer should allocate more IPs on their servers so that each SP will have an equivalent server (with different name and IP) to the one in the shared, and use that locally in the service group
We need to release note this limitation
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P2
4.1.4
4.1.4
4.1.1

Workaround Version Reported


4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P2
4.1.4-P2
4.1.4

4.1.4

Workaround Version Reported


4.1.4-P1
4.1.4-P2
4.1.4-P2
4.1.4-P2


452806 SLB-Config Major


452455 System-Platform Major
452317 DP-Infra-BW-Class-List Major
451999 AWS Major
451331 CGN-Infra Major
451103 Router Major
450886 System - platform Critical
450667 System - platform Major
450385 VRRP Major
450347 SLB-Config Major
449857 SLB-Config Major
449314 Web - ADC CGN Enhancement
449111 Documentation Major
448486 SLB-L4 Minor
448447 SLB-L4 Major
448351 SLB-L4 Major
447551 Health-Monitor-Infra Major
447320 CGN-Radius Enhancement
431947 L2/L3 Critical
428902 SLB-Config Minor
423466 L2/L3 Major
333961 L3V Enhancement
Release: ACOS 4.1.4-P1 Known Issues
A10 Tracking ID System Area Severity
440647 SLB-Fix Major
435457 L2/L3 Major
434839 SLB-L4 Major
430300 SSL Major
428875 AXDebug Major
425122 System - platform Minor
414022 L2/L3 Major
306910 L2/L3 Major
Release: ACOS 4.1.4 Known Issues
A10 Tracking ID System Area Severity
431647 AppFW Critical
430942 SLB-Config Critical
430639 SSLi Critical
430342 Chassis Platform Critical
429284 IPV6 Transition Major
429025 SLB-L4 Major
428695 Online Help Major
428567 VCS Critical
428045 SLB-Config Major
427768 AppFW Enhancement
426581 System - platform Major
426578 SLB-Config Major
426283 System - platform Major
425236 Scaleout-control-plane Major
425039 GSLB Major
424276 System - platform Major
422504 Firewall Major
422453 L2/L3 Major
422251 System - management Major
421459 AppFW Critical
421207 GSLB Major
420758 System - management Major
420722 Scaleout-control-plane Major
419660 System - platform Major
419446 SLB-Diameter Critical
418762 AppFW Critical
418093 ACL Minor
416270 Web - ADC CGN Major
415777 AppFW Enhancement
414436 Platform Enhancement


The "clear slb conn-rate-limit src-ip locked-out-ips" command does not remove the lock-out. The associated statistics are cleared.
The user found that when they issued a shutdown command, the Kernel behavior was panic, reproducibility was low, it took a long time and waited for the processing, triggered a watchdog timeout, and the shutdown command did not work on ACOS: 414-P1 version. As a result, instead of shutdown the box was rebooting and was again started backing-up.
When using the GUI to import a class-list into a service partition, the log is displayed in the shared partition instead of the service partition.
Under certain AWS conditions, information displayed after a system-reset is not correct.
The "show/clear cgnv6 fixed-nat full-cone-sessions" command has inconsistent options when compared to the Version 2.7 command. This issue is resolved in Version 4.1.4-P3. See issue 456440.
IPv4 BFD (Bidirectional Forwarding Detection) cannot be enabled in a BGP configuration. In an OSPF configuration, BFD can be enabled.
After executing scripts that program IPv4 and IPv6 spe entries in parallel, the counters may indicate the availability of entries that are not available. This results in the action of adding IPv6 entries failing even though the device indicates ten IPv6 entries are available.
In a configuration with 2vCPU, one Data CPU is always utilized, even without traffic and with data interfaces disabled.
The command "configure sync all all-partitions auto-authentication x.x.x.x" does not sync the spe profile configuration to the standby.
The MSS (maximum segment size) setting on a TCP-proxy template does not enable jumbo frames. This only sets the maximum size and does not necessarily set the frame size. Enabling jumbo requires proper MTU settings on interfaces.
Templates with the same name cannot be simultaneously configured in the shared partition and a service partition.
When viewing ADC statistics for a service partition through the GUI, the display includes shared and service partition data.
When switching from jumbo config to non-jumbo config, jumbo should be disabled after the switch. However, if an original jumbo configuration has an interface with jumbo MTU, disabling jumbo fails because jumbo cannot be disabled if any MTU is larger than 1500.
Issuing a "show slb server stats" or "show slb compress stats" command generates an error.
Load balancing configurations with a large number of real servers may enable dampening even when a health check does not indicate flapping.
When an SLB server is in DIS-DAMP state (dampening is enabled and the server is flapping), the Alternate server is in down state.
Importing a health external/postfile from an L3V partition to ACOS generates a "Transfer to unix format failed" log error.
Using IPv6 prefix in RADIUS stop to delete entries and sessions generates multiple CGN NAT64 user-quota-sessions with identical prefix-quotas.
Changing ingress and egress ports from "untagged trunk" to "tagged trunk" can result in request failures because it erases the dummy mac entry from the mac-address-table, as shown by the "show mac-address-table" command.
The show slb server config command displays a Max Conn of 64000000 even for services configured for 80000000.
The BFD neighbor goes down for a few seconds when the trunk's working lead port is disabled. This can occur on both FTA and non-FTA devices based on the configuration.
The default "current value" of real servers, real ports, service groups, and GSLB Geo-locations shows inaccurate values, while the actual current value is zero with no related configuration. The "clear" command also does not clear it.
Description
With "insert-client-ip" configuration, traffic sent through the "virtual port of type fix" will fail.
In previous releases, the ACOS device does not support "interface loopback 0". However, in this release, the CLI indicates that
Subnet-based
the loopback number VIPs docan notbegin
work correctly.
starting from The 0-10,
ACOSinstead
deviceof does
from not send a Gratuitous ARP for VIPs that fall within the
1-10._x000D__x000D_
The Thunder
subnet._x000D_
However, if the TH3040S
For example,
user device if
attempts may
to drop
aconfigure
VIP packets
is configured during
a loopback SSL handshake.
as such:
interface _x000D_
that begins Such intermittent
with handshake
"0", it will fail, and willfailures
create an may occur
error on
message
When
ECDHE capturing
ciphers. This
slb virtual-server
saying "Non-existent packets with axdebug,
behavior
v1 physical
2.2.2.222 is/24_x000D_
seen with
port". a display
simpleissue occurred,scenarios
client/server causing erroneous
and handshake valuesfailures
to appear mayinhappen
the axdebug
randomly output
andfor on
On
VLAN
an TH3040
numbers.
infrequent
_x000D_Then running
theThis
basis. 4.1.4
issue
_x000D_
ACOS code,
device enable
wasshould
seen for orincoming
senddisable flow
a G-ARP IP forcontrol
packets undernon-zero
with a disconnected
2.2.2.0/24_x000D_ DSCP values10G interface
on tagged causes
interfaces."Backend Error". This
Telnet
is a valid
_x000D_The is disabled
_x000D_However, clienton
behavior as
was
the ACOS
per thedevices
sending
ACOS Scenario.
device by
TLSonly default.
alerts However,
against
sends G-ARP theto TH-N5by applying certain
not toaccess
server-hello:_x000D_
2.2.2.222, and the othercontrol
IPs in lists
that(ACLs)
subnet. this default
This may Telnet
result in
In
If aApplication
1
behavior GB SFP
may Firewall
transceiver
be enabled
overwritten. is HAcould
inserted
This deployments,
into a 10 GB
potentially application
port while
compromise sessions
the system
the classified
is already
security of on
up
the the
and
ACOS Active
running,
device,ACOSthe device
1
because GB aretransceiver
SFP
after synced to the
configuring isthe
tlsv1
traffic alert decrypt error
failure. 22
Standby.
not
ACLs, theHowever,
recognizedACOSuntil deviceduring
thewas port session
accessible synchronization,
is disabled, then enabled
through Telnet onlybutclassified
again. theIn"show application
earlier releases,
mgmt" information
the 1 GBstill
command gets
SFP synched,
transceiver
indicates thatwas and some internal
immediately
Telnet services are
Description may be lost. When HA failover happens and the Standby starts receiving packets in the middle of the session, the
information
recognized
turned off. without having to disable and enable the port. Only Non-FTA models have this limitation.
Standby drops packets and sends a RST packet because it behaves as if the session is not yet classified.
Templates with shared partition option in L3V partition and without space in their names do not get migrated correctly and gets parsed out.
The ACOS device may reboot after running the "clear session" command for SSLi traffic.
The blade loses connection when upgrading the ACOS build.
NAT64 sessions are not synced to the original active ACOS device in a VRRP-A setting, if that ACOS device is reloaded and then becomes standby.
Server group members (real servers) that are deleted and subsequently re-configured are not necessarily added back into the server group.
NOTE: The online help that appears in the ACOS GUI may contain some broken links and pointers to incorrect help pages. In addition, the help may be missing descriptions for some configuration options. A10's Content Development Team is aware of these issues and should have them fixed prior to release of the next 4.1.4 patch.
In a VCS cluster, creating VCS by using the VE port is not supported.
When upgrading from ACOS 2.7.x version to the latest 4.1.4 version, parse error log is generated for the admin role.
Accessing the application firewall Top-10 reports through the GUI may cause CLI to pause temporarily while retrieving the data.
Configuring an L3V partition on vThunder systems with the maximum number of all supported parameters such as ports, templates, service groups, health monitors and so on significantly impacts the performance of the system.
When the user upgrades the ACOS from 2.7.x version to the latest 4.1.4 version, object-access-control Parse error log is generated. In general, if the parse error log is generated, it implies that some configuration is not parsed in the ACOS 4.1.4 and so it must not be visible in the ACOS 4.1.4 startup configuration. This issue is observed when the user configures the ACOS 2.7.2 version, which has the "slb disable-server-auto-reselect" configuration parameter. After verifying both startup-config files, it is always observed in the startup-config parameter, after its upgrade to the ACOS 4.1.4, and not before upgrading from the ACOS 2.7.2. All the visible configurations in the ACOS 2.7.x files are migrated into the ACOS 4.1.4 startup-config as well.
The ACOS device enables creation of duplicate NTP servers using the same IPv6 address, once in condensed notation and once in expanded notation.
Batch modifying the IP addresses of the scaleout servers for all cluster nodes cause issues for establishing scaleout.
GSLB group does not function correctly when it is removed using the "clear admin session" command and then added back. The devices with low priority are not added back again.
While performing SI profile testing in the ACOS 4.1.4, assert log is generated for buffer mismatch. This is a known issue.
When session idle timeout for firewall IP is equal to or less than 30 seconds the TCP, UDP, or UNK sessions are not synced to standby. Workaround: Please configure idle timeout to be greater than 60 seconds.
Due to the timing of BFD packet processing and trigger to protocols bringing sessions up/down, in some cases, it is observed that BFD and protocols flap and take some time (can take from a few seconds to a few minutes) to converge.
After adding or removing a secondary IP address in the ACOS device, the device becomes unable to ping directly-connected networks in L3V partitions.
Because of the extra processing requirements for DPI, CPU utilization will increase significantly when App FW is enabled.
It is not possible to configure maximum and minimum values for GSLB service IP configurations. The maximum configurable service IPs are 1024. However, all service IPs cannot be utilized on VM partitions because GSLB shares resources with SLB services.
AAM fails to import a CA certificate if the name of the file is more than 245 characters.
All devices in the cluster should have their local-device configured. When follow-vcs is configured under the Scaleout
When attempting
configuration, do notto launch
configure a new thevThunder instanceunder
"id" and "priority" on ESXi version 6.5,
local-device the installation
configuration. Theprocess fails. However,
cluster nodes should have the similar
Server
installationselection
cluster-device processmaywas
configuredfail successful
ifon"load-balance-on-session-id"
all cluster when using ESXi version
devices. is configured
5.1. Thisinbehavior
the Diameter
was seentemplate
with an andiso
if the
file service group also
HideMyAss
has internal VPN load service
balancing
"ACOS_vThunder_4_1_4_141.iso" is classified
across "OCC as Avast
pools"and hidemyass hence cannot connect to the VPN server.
configured.
The hit counter values included in the output of the "show access-list" for the management port is not consistent with the information that appears for the log numbers in the output of the "show log" command. This discrepancy is due to the log messages being rate limited.
When accessing the ACOS GUI with Internet Explorer, you must use version 11 or later. Background: When attempting to use IE 10 (or earlier) to access the ACOS GUI, some pages fail to load. This issue can be seen by navigating as follows: Security >> Firewall. Then, click one of the following tabs: Ruleset, Zones, Objects.
The application protocol classification is not supported for traffic received with a local (to the device) destination such as a loopback/physical/virtual interface. An example of having local traffic would be if SSH is enabled on a data interface. Avoid defining firewall rules using specific application match or track application for local traffic. Create a zone with `local-type` and set it as `destination zone` in a rule. The rule must be above any of rules with application criteria.
Although Jumbo Frames is not enabled, the MTU can be set to more than 1500.

4.1.4-P2

4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.4
Configure higher BFD interval with the "system ports link-detection-period" config, similar to the below configuration.
bfd interval 200 min-rx 200 multiplier 3
system ports link-detection-period 50
Note: This work around has a limitation of high control CPU.
2.8.2-P6
4.1.1
Workaround Version Reported
4.1.4-P1
4.1.4
4.1.4
4.1.1-P6
4.1.1-P5-SP2
4.1.4
4.1.0

Workaround Version Reported


4.1.4
4.1.4
4.1.4
4.1.4
4.1.100-P3
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
Configure idle timeout bigger than 60 seconds. 4.1.1-P6-SP1
3.2.2-P4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
Use IE11 and above version 4.1.4
Create a zone with `local-type` and set it as `dest zone`, with other criterion if necessary, in a rule. The rule should be above any of rules with
4.1.4
4.1.4

404674 NetFlow/SFlow Major


402908 NAT-CGN Major
392936 SLB-RTSP Critical
392705 Firewall Major
389099 SLB-L4 Major
389087 SLB-L4 Critical
388318 Documentation Major


When a user configures and brings-up the system tcp/udp sessions in VRRP active-standby mode, duplicate Netflow records for 'sesn-event-fw4 deletion' are generated. They are forwarded from both the active and the standby nodes, along with the forward configuration in NetFlow monitoring enabled for 'sesn-event-fw4 deletion' events and same flow delete event for the deleted session to the configured collector. These duplication events were not seen for flow creation events but were observed with flow deletion events only.
For tunneled packets, the Customer Edge (CE) router decrements the Time to Live (TTL) for the inner packet and drops packet if TTL is exceeded prior to encapsulation in the tunnel. The device acts as the Border Relay (BR) and terminates the tunnel and will not decrement the TTL for the inner packet.
RTSP load balancing does not work when using Windows media service.
DCFW does not support SLB PPTP.
Server template settings do not take effect when template is bound to a service-group.
A service-group's port template settings overrides the real port configuration
If the attribute of the incoming set-cookie string in aFlex does not conform to RFC6265 standard, ACOS treats the string as an
extension variable. However, if there is more than one of such attributes, only the last variable is stored and the previous ones
are discarded.


4.1.4
4.1.4
4.1.4
4.1.4
4.1.3
4.1.3
4.1.3


Release: 4.1.4-GR1-P1 Fixed Issues


A10 Tracking ID System Area Severity
480799 SLB-HTTP2 Major
480613 SLB-RADIUS Major
480592 others Critical
480313 ACL Major
480166 Scaleout-control-plane Critical
480157 System - management Major
479968 SLB-HTTP Critical
479743 Web - ADC CGN Major
479695 SLB-L4 Major
479653 Web - ADC CGN Major
479497 System - management Major
479401 ConfigMgr Major
479038 SSL Major
479006 System - platform Critical
478900 SSL Major
478873 SLB-HTTP Major
478858 aFleX Major
478819 AAM Major
478654 SLB-DNS Major
478624 WAF Critical
478621 SLB-L4 Major
478594 Platform Major
478567 System - platform Major
478405 CGN-DSLite Major
478354 GSLB Major
478351 SLB-HTTP2 Major
478345 SLB-HTTP2 Major
478292 CGN-NAT44 Major
478267 SNMP Major
478252 System - management Major
478243 ConfigMgr Major
478231 System - management Major
478192 System - management Major
478177 System - snmp Major
478165 Web - ADC CGN Major
478150 Firewall Major
478090 GiFW Infra Major
477895 SLB-DNS Major
477847 SLB-New Proxy Major
477838 Web - ADC CGN Major
477757 AAM Major
477708 SLB-RADIUS Critical
477706 System - platform Major
477658 SLB-DNS Major
477655 Web - ADC CGN Major
477631 aXAPI v3 Major
477598 Web - ADC CGN Major
477592 TCPIP Major
477529 Eventing Infrastructure Major
477379 Platform Major
477370 System - management Major
477316 CGN-NAT44 Major
477256 SLB-Config Major
477124 HW Critical
477079 SLB-ICAP Major
477001 Explicit Proxy Major
476938 Web - ADC CGN Minor
476908 CGN-NAT Pool Major
476908 CGN-NAT Pool Major
476863 Explicit Proxy Major
476848 VRRP Major
476839 Explicit Proxy Enhancement


Description
The "support-http2" option did not take effect on slb-virtual-ports created through web GUI.
Vports of type radius with stateless-per-pkt-round-robin method randomly dropped radius responses.
Using a tracking template may have caused a Failover problem.
Show logs display logs that state "ACL rule permitted this packet" even when no acl rules are configured with "accept" and "log" option. This can be triggered by ACLs with "log" enabled and a "Deny" rule is configured.
When scaleout tracking is configured and the threshold is triggered, control CPU utilization spikes and stays at 100%.
The import command using management port did not work when the DNS server is not in the directed connected subnet.
When the http server response has neither "content-length" nor "transfer-encoding" and the http template "response-content-replace" option is configured, ACOS uses chunked encoding but does not send the last chunk to the client because it does not support this case.
VE interface on "enable-management service telnet" could not be deleted through the GUI.
SNMP trap was sent for events that are transparent to user (ACOS internal port creation).
Japanese GUI error message is not correct for when errors generated by deleting an ACL bound to a VIP port.
ACOS was unable to send SMTP logging notification through the management port when the log originates on an L3V partition.
SNMP requests generate a 400 error with message "Access Denied" after "opsadmin4" logs in. Because one global partition relative variable is set to L3V partition by "opsadmin4", SNMP requests for "share" partition are rejected by RBA due to accessing across partitions. When "showtech" is subsequently launched, the global variable is reset and successive SNMP requests do not generate an error.
In server SSL configurations, SSL connection could not be established when the server uses certificate without subject and SAN section.
Chassis crashes while creating CGN DDOS entries while attacked by a specific traffic stream.
The traffic fails when GCM cipher is selected on the backend server side with client-ssl template.
When RPort and VPort both had ranges, the RPorts were not lopped with different VPorts in the given pool._x000D_
When
_x000D_ using aFlex on L4 TCP VPort which has TCP::respond statement under SERVER_CONNECTED event, buffers could be
A stack
stuck
When trace
when
RPort wasconfigured
used
was encountered
together with when0 removing
(wildcard),AAM
as syn-cookie._x000D_
port authentication
the RPort selected wasserver member
different from
from service-group.
the client's dest-port.
When
_x000D_ a query ID was set for DNS, the extension match was not performed correctly. The check was performed only for ACL
ACOS
and blank
BothVLAN,
SW and session
butHWnotsyn forcauses
Radiussystem
cookie and DNS.
exhibits tothestop functioning. As a workaround, disable session-check or waf-sid.
behavior.
ACOS command "show session virtual-server" is not restricted to specified virtual-server sessions but displays all sessions with output for different forward destination sessions, utilizing different ports, real-server and service-groups.
The port with explicit speed and duplexity configurations does not link up. The trigger is to reload the box. The customer has to reconfigure the different speed/duplexity after each reload.
System Voltage CPU1 VCORE (1V) displays as not tested on ACOS Thunder device.
When prefix-quota is set to "user-quota-prefix-length", the rsvd counter could not be reverted when there is no current user.
The "rename other" command triggered the following error: "Rename scope is limited to slb.[server|service-group|virtual-server]".
When "compression enable" is configured on an http template, the vport will not select protocol http2 even with "support-http2" option.
When aFlex is configured under vport, the vport did not select protocol http2 even when "support-http2" option is enabled.
Show session with an IPv4 subnet did not work properly.
Memory leak on a10snmpd was caused by snmpwalk multiple OIDs.
Console access was not available in Version 4.1.4. Serial over LAN (SOL) was available prior to Version 4.1.4 through IPMI,
When three or more partitions are configured, the "write terminal all-partitions" CLI command only displayed two partitions: the shared and the first configured partition.
Logging was only sent to one email address even when multiple email addresses are configured.
Customers could not enable management services like ssh, telnet, or disable ping on data ports.
SNMP is displaying a negative value for a few OIDs with 32 bit counters.
If the device has no SSLi license installed, the error "No license Purchased for this feature (object ssli-logging)" is displayed when creating or editing an SSL template on GUI.
Device should drop TCP packets (without triggering a reset) that match an implicit deny rule or an action deny rule.
The fw tcp reset-on-error command incorrectly included the "outbound" keyword. The command works for traffic in both directions.
When the switch ID of the DNS query and aging server are bound to the DNS/UDP virtual IP (VIP) at the same time, the Thunder device will not terminate DNS sessions.
A system failure no longer occurs when aFlex traffic encounters non-aFleX traffic.
Search bar in the Client Certificate section of the SSL templates page (GUI) did not work as expected.
The HTTP OPTIONS method is supported for Security Assertion Markup Language (SAML) authentication on the virtual port.
When RADIUS traffic enters an interface configured with "IP NAT outside" and a RADIUS virtual server port exists in the configuration, Layer 3 RADIUS traffic is dropped.
X710 SR-IOV specific driver issues: observed error codes on host while adding mac-add entries.
The timer value for aging out UDP sessions greater than 30 seconds is not available for the slb UDP template with the "aging short" parameter.
When modifying the client-ssl template using the GUI after the template was created with the CLI using the command option "forward-proxy-no-sni-action bypass" removes the bypass condition from the client-ssl template.
The aXAPI does not work properly to import the SSL key.
The GUI is not accessible when traversing a NAT device with port forwarding, and accessing the Thunder device data port.
ACOS sends a window-scale of 2, regardless of the receive buffer-size configuration of the TCP proxy template.
When an acos-events server is configured with the same name as a real server, the real server is put in an error condition in the
The
SLB 'Cannot open when
environment, environment data file'server
the acos-event warning message prints at every techreport interval (15 minutes). This message is
is deleted.
After a reload
printed after theor entering
reboot, import-periodic
the "show version" doescommand.
not work if using data plane.
After reboot, synced long CGN session syslogs continue using the wrong time stamp.
When we are calculating the top10 fastest and slowest servers, it is possible under certain race conditions that the response time and rport are not in sync. This can potentially cause a crash
When rebooting the device, the 40Gig Ethernet 27/28 with specific QSFPs goes down. Remedy was to add SWDM4 QSFP+ and 100G SWDM4 optics support.
The chunk-length in http response is removed by ACOS under these conditions: 1) The original HTTP response has content-length header; 2) ICAP server respmod with response code 200; and 3) ICAP server removed the content-length and inserted the chunked-encoding header. No other impact if the original http server response already has the "Transfer-Encoding: chunked" header.
When pointing the Client proxy setting to Explicit Proxy and ACOS configures SSLi EP chain, AX unexpectedly reload when Client sends non-HTTP SSL traffic. One example is joining Zoom meetings.
Changing the GUI unexpectedly removes settings previously applied in CLI. Options for disabling TLS 1.1 and 1.0 are not available.
In scaleout mode for Fixed-NAT, non-contiguous inside user-ranges led to a crash when the inside ip-list is bound to NAT IPs.
In scaleout mode for Fixed-NAT, non-contiguous inside user-ranges led to a crash when the inside ip-list is bound to NAT IPs.
Within the new logging infrastructure, device reverted to using syslog server when "evt activate template" was not enabled.
When ACOS configures an SSLi EP chain while the client proxy setting is "Explicit Proxy", device unexpectedly reloads when Client sends non-HTTP SSL traffic. One example is joining Zoom meetings.
When DNS lookup fails for forward-to-xxx action, we log a "DNS fail" log. However, there was no log entry defined for dns lookup failures when trying to resolve "IP" type class-list during action selection.

Version Reported
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.1-P8
4.1.4-GR1
4.1.4-P2
4.1.4-GR1
4.1.4-GR1
4.1.4-P1
4.1.4-GR1
4.1.4-GR1-P1
2.7.2-P12-SP3
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1
4.1.4-P1
4.1.4-GR1
4.1.4-P3
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-P1
4.1.4-GR1
4.1.4-GR1
4.1.4-P3
4.1.4-GR1
4.1.100-P5
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1
4.1.1-P8
4.1.1-P9
2.7.2-P12
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1-P1
4.1.4-GR1
4.1.4-P3
4.1.2-P4-SP1
4.1.4
4.1.1-P9
4.1.4-GR1
4.1.4-P3
4.1.4-P3
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1


476668 Explicit Proxy Major


476596 Web - ADC CGN Critical
476575 System - management Major
476540 Firewall Major
476539 GSLB Major
476461 ACL Major
476365 Web Category - URL Filtering Major
476296 GiFW Infra Minor
476152 WAF Major
476079 SLB-TCS Major
476047 TCPIP Major
475999 L2/L3 Critical
475939 TCPIP Major
475741 System - management Minor
475738 SLB-L4 Major
475708 SLB-DNS Major
475690 System - platform Major
475597 ACL Major
474994 Scaleout-control-plane Enhancement
474880 System - platform Major
474633 AAM Major
473758 System - platform Major
472606 Router - OSPF Major
472279 WAF Major
472108 CGN-Infra Major
471685 L2/L3 Major
471481 System - platform Major
471178 SNMP Major
471145 Health-Monitor-Infra Major
470913 L2/L3 Major
470669 Web - ADC CGN Enhancement
470608 SNMP Critical
470401 System - management Major
469393 Harmony-HOC Major
468403 SLB-Config Major
468286 SLB-HTTP Major
468283 Explicit Proxy Enhancement
465358 DP-Infra-BW-Class-List Major
461449 Web - ADC CGN Major
460519 Logging Infrastructure Major
460406 HW Critical
459628 SLB-TCS Major
458431 SSL Critical
456481 AXDebug Major
453239 SLB-NAT Major
451804 WAF Critical
451303 SLB-FTP Major
446749 SLB-Config Major
446726 SLB-Config Critical
436378 SLB-L4 Major
422764 System - management Major
414913 SLB-Config Major
401023 Health-Monitor-L7 Major
400927 System - platform Major
399196 FW-CGN-Logging Major
Release: 4.1.4-GR1 Fixed Issues
A10 Tracking ID System Area Severity
474820 System - platform Major
474322 ConfigMgr Critical
474319 Web - ADC CGN Major
474308 System - Management Critical
474175 ACL Major
473751 L2/L3 Critical
473620 Explicit Proxy Major


When pointing the Client proxy setting to Explicit Proxy and ACOS configures SSLi EP chain, AX unexpectedly reload when Client sends non-HTTP SSL traffic. One example is joining Zoom meetings.
When the browser is in a different timezone as the Thunder device, the time of chart may display incorrectly.
SCP with SSH forwarded agent did not work for running-config.
FW session age was not correct when "tcp half-open-idle-timeout" is configured. This option no longer affects firewall established session.
When disable is omitted from dns record commands under zone->service, the disabled service was not reset properly.
Using an ACL under the enable-management option in shared partition, possibly led to ACL config in L3V partition.
With forward-proxy-bypass require-web-category configured under client-ssl template, device may have unexpectly reloaded
FW
when GREthesessions
connection of PPTP ALG were not
of web-category counted
lookup fails,as "Data Session
timeouts, Created" by the "show counters fw global" command. only
or terminates.
Memory
TCP control wassessions
corrupted ofor device
PPTP was crashed
counted with
as corrupted
"Data Session stackCreated".
trace when remove-comments or remove-selfref is enabled (url-
No TCS session
options) and andwas created are
arguments for sent
wildcardwithVIP withor
self-ref ACL, resultingthat
comments in an unable
cross over toargument
establish parsing.
TCP session condition.
HTTPS vPort problem caused fragmentation, which originally appeared when sending larger POST data to the backend server.
Adding
It probably interface
happened added as any
with a member
jumbo frame of LACP trunk
sent resulted
through SSL.in "show log" command displaying a "[L3]:LACP: Parse error for
ACOS
message Server-side
NSM LACP TCPAggregator
handshakeConfig" advertises lower interface
message; initial window
remainedsize when
in BLKinitial-window-size
state. The issue was parameter
incorrectis removal
configuredof aunder
The
tagged "show
tcp-proxy ip interfaces"
template.
interface from ancommand
This causes delay
L3V partition. displays same IP
in response fromaddresses even though
the application these interfaces belong to_x000D_
for users.
When
differenta short
VLANaging and getvalue is configured
different (1-30 seconds),
IP addresses, when theand no response
IP addresses areisconfigured
received, the session
through age turns to 2 seconds if
DHCP.
Parsing
ACOS UDP error whenport
virtual evaluating
receivesthis feature,queries
duplicate they found following
in a short time.2 issues:_x000D_
A
1. file a10scm_bitmap.dat
Thunder does not parseappears the DNSinrecord /tmp if folder on ACOS
resource recordrunning
size offor long time,
response more than around 40 days creating variable
is big._x000D_
The
log "show access-list"
messages
2. Thunder cannot without output
any
process is not
operations.
aFlex displayed
if the The
DNSperiodiccorrectly
server on the ACOS
systemd-tmpfiles-clean
responds with configuration
a fragmented program when
wasan
record._x000D_ object-group
deleting the is used in the ACL.
Reload
_x000D_ or rebooting
/tmp/a10scm_bitmap.dat the system without
file._x000D_ explicitly
3. The DNS_RESPONSE event is not moved if it comes in as an IP fragment. _x000D_closing scaleout could have broken scaleout clusters. This resulted in long
You
After cannot
convergence
The show
an ACOS
4. Thunder usetimes
access-list
cannot the
reload IP address
after the
output
this file
process 169.254.0.0/16
reload
displays
did not
aFlex /
if thereboot.
the
get DNS positionto
recreated. configure
of a subnet
destination-port
This made
server responds theamessage
with on an interface.
incorrectly.
fragmented appearThe This
output address
displays is
repeatedly. The _x000D_
record. reserved.
the object-group
AAM authentication
destination port before
systemd-tmpfiles-cleaner fails
the when using
destination
timer a object.
configured service group.
onceThis
_x000D_
to run everyoccurs
24 hoursbecause cleansa different
up unused server
files is
in used
/tmp after the initial
for more than 10request,
days.
The
but output
the
_x000D_ secondfrom "show
server interfaces
cannot recognizetransceiver"
the command
value for the displays
state incorrect
attribute. transceiver Tx/Rx power and threshold values for
Some a10scmd files and license bitmap file were getting cleared. Once the file was deleted, the error message, "Cannot open
A random1G
FINISAR route
and is missing from IP FIB table after OSPF redistribution.
10G.
_x000D_
file /tmp/a10scm_bitmap.dat" was displayed
Qualys SSL Scan may cause a TH840 crash. in the logs. This also affected other files or folders with root "write" permission
Config1:_x000D_
under /tmp directory.
Stack trace logs begin appearing after removing, and subsequently re-adding, a fixed-nat configuration while the device is
access-list
After version
handling 199
data permit the
4.1.4-P2,
traffic. tcp "show
any eq interface"
80 object-group command permit_acl001
displays "loadeq 80_x000D_
interval" data (bits per second) that appears incorrect.
_x000D_
100G QSFP28 ports are disabled when a TH7440-11 is reboobted and has a system mon-template setting that disables links.
show
SNMP:access-list:_x000D_
Fan speed OID is not supported for Blade on TH14045 dual device configuration.
Health-check-disable
access-list 199 4 permit doestcpnot anyworkeq 80 wheneq 80 a Dynamic
object-group Real permit_acl001
Server has portData 0 tcpplane
and port
hits: 00_x000D_
udp.
The
_x000D_device does not utilize the configured value for the bw-limit-cfg command (system resource-accounting template), This
The "gslb
results
_x000D_ protocol
in an inaccuratemsg-format-acos-2x"
bandwidth counter command
as displayedrequires GUI"show
by the support. resource-accounting" command.
Snmpwalk fails for "port slbVirtual-serverPortSTable 1.3.6.1.4.1.22610.2.4.10.108.23"
In the following 2 cases, the added configuration commands are different, but both output command;
become device doesfor
identical not(a)parse
and or it
TH14045-11
writes wrong management
data to flat OIDport cannot access NTP server. This results in NTP sync with "ip control-apps-use-mgmt-port" not
file.
(b)._x000D_
After upgrading
functioning ACOS, an attempt to register Harmony Controller because the device uses the old script for heartbeat.
properly.
_x000D_
Editing a "no url-switching regex-match" command within an HTTP slb template causes a system crash under certain
_x000D_
A proxy-layer v2 can change an original URI when it contains an illegal pattern.
conditions.
Config2:_x000D_
When re-enabling rate-limit per flow, certain customers indicate that the dynamic-service dns lookup always use the same
access-list
aFlex
source-port 199
andpermit
may sometimes hits the tcp
reloadanywhen
rate-limit.object-group
dynamically
They permit_acl001
request updating
a workaround a eq 80_x000D_
class-list
to spread and the
using the aXAPI.for
source-port This
DNS issue only occurred if aFleX is
lookup.
_x000D_
The axdebug
running file did notThis
CLASS:match. download
issue occurs in the ACOS GUI if the
infrequently, andfile has
only a "+" sign
seems in the when
to happen file name.
the control plane is deleting (freeing)
The
show
the user found that whenever
access-list:_x000D_
string and aFlex (on the data thereplane was a failed
side) login, the
is querying theACOS
samedid not entry
string send log IP address
at the same time. of the remote host, for the GUI
The
usage. user
access-list found
Instead,
199 4 that thea display
it permit
sent brief
tcp any one ofeq #show
line
80of interfaces
log message
object-group transceiver
without the
permit_acl001 details
Datawas
source IP, incorrect
plane from
hits:whichforthe
0 ----- tx/rx power
host
(a)_x000D_ wasand low threshold values
from.
When
of the spoofing-cache port is a member of a tagged VLAN, ACOS is using the physical MAC address which is the incorrect
temperature.
_x000D_
SSL
source
_x000D_handshake
MAC address. errors were
ACOSseen should with bethe hardware
using the VEring MAC counter also incrementing.
or the Floating MAC address as the source MAC address.
Axdebug did not display Data Plane throughput packets for 1vcpu vThunder.
Config3:_x000D_
The user found that while config nat pool-group instead of nat pool, clientip-sticky-nat did not work.
access-list 199 permit tcp any eq 80 object-group permit_acl001_x000D_
ACOS system sometimes rebooted if you enabled the WAF "form-set-no-cache" option in learning mode.
_x000D_
The IP address of a VIP and a real server are of a different length so a sequence adjustment is expected. However, the
show
sequence access-list:_x000D_
The standby ACOSwas
number device in a VRRP-A
adjusted incorrectly pair shows
for the the status
Passive of Transfer
File a virtual server
Protocol as (PASV)
"unknown" mode rexmit.
access-list
In version 4.1.4,199 4output permitdoestcp anynot eq 80 object-group
include permit_acl001
real server information when Data plane
using thehits:
"show0 -----
slb(b)
virtual-server bind | sec vip"
The existing connection client source port matching a newly created service port is resulting in client packet drop.
command.
After reload a10lb multiple times sshd process attempted to running when sshd.pid file was not available, which resulted in sshd errors.
Virtual Server and Virtual Port updates were not in sync. This led to a situation where, when vserver and vport were disabled and the device dropped to standby mode, the vport would stay disabled even after box returns to active mode.
The health monitor for MySQL database leaves an erroneous log message on the server when the TCP socket for the health monitor is closed without a "QUIT" or "Exit" command.
ACOS does not reset the interface after 3 unsuccessful attempts.
FW Permit and Deny Logs truncated the zone, rule and rule-set names. The issue was fixed by logging the entire length of
these fields as per the configuration.
Description
When multiple CPUs running simultaneously attempt to send system packets, a process reset occurs.
The ACOS GUI and SSH sessions froze after deleting a VIP. No new SSH/CLI connections could be initiated. This management interface lockup occurred after upgrading the device.
The GUI dashboard for Application Firewall is empty for Connections and CPS. This can be seen by accessing the ACOS GUI, navigating to Security > Firewall. The Connections and CPS graphs on the dashboard page are empty, even if the device is under a heavy load with many TCP and UDP sessions.
System template-bind monitor did not work as expected.
The CLI hangs for approximately 3 minutes when trying to display output from the "show access-list ipv4 <acl-num>" command. This issue happens after configuring an access-list and applying it to the management interface.
When the ports-threshold is configured on ACOS, ACOS will not send the LACPDU with Out-of-syn flag to a peer device if the port threshold is triggered.
An EP configuration resulted in an excessive number of "TCP Half Open" sessions. When a) "reset-unknown-conn" is configured on the EP virtual port; and b) client request is "CONNECT method" which is processed by "forward-to-internet", even after both TCP sessions are closed (server - Thunder and client - thunder), instead of deleting the session, it remains as "TCP Half Open"

4.1.4-GR1
4.1.1-P9
4.1.4-P3
4.1.1-P10
4.1.1-P8-SP1
4.1.4-P3
4.1.4-GR1
4.1.4-P2
4.1.0-P8
4.1.4-P2
4.1.4-GR1
4.1.1-P6
4.1.1-P8
4.1.4-P3
4.1.1-P9
4.1.4-P3
4.1.4-GR1
4.1.4-P1
4.1.4-GR1
4.1.4-GR1
4.1.1-P5
4.1.4-P3
4.1.2-P2
4.1.4-GR1
4.1.2-P4
4.1.4-P2
4.1.4-P3
4.1.2-P4
4.1.1-P9
4.1.4-P2
4.1.4-GR1
4.1.4-GR1
4.1.2-P5
4.1.1-P8
4.1.4-GR1-P1
4.1.4-P2
4.1.4-P3
2.7.2-P12
4.1.4-GR1-P1
4.1.1-P8
2.7.89
4.1.4-P3
4.1.0-P9
4.1.4-P2
4.1.1-P5
4.1.1-P5
2.7.2-P12
2.7.2-P12
4.1.4-P1
4.1.4-P2
4.1.1-P7
2.7.2-P9
2.7.2-P11
4.1.0-P9
4.1.1-P3

Version Reported
4.1.0-P11
4.1.4-P3
4.1.4-GR1
4.1.4-GR1
4.1.4-GR1
4.1.1-P6-SP1
4.1.4-GR1


473617 CGN-SFW Major


473425 FW-CGN-ALG-DNS Major
473392 GSLB Major
473311 SLB-Config Major
472996 SLB-ES Major
472990 SLB-ES Major
472984 SLB-ES Major
472657 Web - ADC CGN Major
472348 System - management Major
472342 CGN-DSLite Major
472338 System - platform Critical
472226 Web - ADC CGN Critical
472223 Web - ADC CGN Critical
471694 System - platform Major
471691 SLB-ICAP Major
471685 L2/L3 Major
471613 SLB-FIX Major
471484 System - management Major
471478 ACL Major
471268 Firewall Major
471160 SLB-Config Major
471022 Web - ADC CGN Major
470932 Web - ADC CGN Major
470896 Web Category - URL Filtering Enhancement
470413 Harmony-Controller-Integ Critical
470407 VRRP Major
470332 GSLB Major
470320 SLB-SIP Major
470230 CGN-NAT44 Critical
470104 Report Major
470080 System - platform Major
470050 L2/L3 Major
470047 SLB-L4 Major
469861 aXAPI v3 Major
469858 Explicit Proxy Major
469762 CGN-NAT64 Major
469480 WAF Major
469477 SNMP Critical
469459 Explicit Proxy Major
469405 Router Major
469393 Harmony-HOC Major
469081 Report Major
468505 Visibility & Analytics Major
468330 CGN-NAT64 Critical
468325 aFleX Major
467590 SLB-Config Major
467419 ConfigMgr Major
465976 Visibility & Analytics Major
465490 aFleX Major
464974 AWS Major
464941 ConfigMgr Major
464764 SLB-TCS Major
464752 ConfigMgr Enhancement
464093 SLB-Config Critical
463772 FW-CGN-ALG-FTP Critical
462718 Scaleout-control-plane Critical
460658 SNMP Major
458422 Router Major
456253 ACL Major
452395 SLB-HTTP Major
451816 SLB-SQL Major
451804 WAF Major
451717 L2/L3 Major
451585 System - management Major

DNS sessions are removed upon receiving a response. In case CPUs go into Round Robin mode due to high load, response packet may be processed on non-home CPU. Freeing session on non-home CPU leads to crash
When DNS age is configured in age template, the config applies to DNS session. When DNS age is not explicitly configured in the age template, DNS session applies fast DNS aging.
GSLB geo-location objects defined by special characters cannot be configured by the CLI and the GUI hangs when the object is saved.
An alert message or configuration restriction is required for when "resume" in an slb template port or server is specified over the conn-limit.
Non-HTTP traffic triggers HTTP-bypass in a wildcard VIP when ACOS receives headers larger than 64 KB.
Non-HTTP traffic triggers HTTP-bypass in a wildcard VIP when ACOS receives more than 90 headers in the request.
When a client sends 64K HTTP REQUESTLINE, ACOS closes the connection by sending RST to the client and server. Sending FIN for each request is a more graceful method.
Request to merge the GUI Webroot license tab in System > Licensing.
Import-periodic process (scp and sftp) does not support <:port> parameter in the URL. This requires use of the default port. The import process does support the parameter.
In DS-Lite Configuration, ACOS may crash when receiving fragmented IPv4 SIP packets in IPv6 form from client.
When an A10 TH14045 100G interface is disabled (or the peer router interface is shut down), the "show interfaces transceiver detail" output displays TX and RX power even when the current indicates zero.
Service-IP health check data that is displayed on the GUI differs from the data shown by the CLI.
Service-ip Health status, as displayed by the GUI, is not consistent with the status as displayed by the CLI.
The system-reset command should not reset the multi-ctrl-cpu setting. However, the default multi-ctrl-cpu 2 setting on high-end Thunder models incorrectly reverts to multi-ctrl-cpu 1 by system-reset.
Client-side sessions (Thunder) may not close properly when disable-http-server-reset is enabled (reqmod-icap template).
After version 4.1.4-P2, the "show interface" command displays "load interval" data (bits per second) that appears incorrect.
"Current SSL connections" count does not decrement correctly in some cases; in these cases, the counter increases correctly.
The "write memory primary/secondary partition <partition name>" incorrectly saves the partition configuration as the shared partition's startup-configuration.
The a10lb crashes with no core when an ACL with the "log" field is bound to the management interface.
Issue that misses sanity check on routing code may result in crash upon 1) OSPF redistributes default route; or 2) use default-information originate.
The "show slb service-group" command displays incorrect service_group priority affinity.
GUI requires excessive time when navigating to ADC > SLB > Service-Group. The root cause is that the service groups have too many members.
CFW search feature in Version 4.1.4-P3 does not include option to search CFW rules based on rulename, src zone, src type, dst zone, or dst type
The system-reset command does not remove the license of the web-category.
Thunder experienced memory leak when it cannot reach the host address configured in the Harmony Controller profile.
When removing or adding-back the inline-mode configuration, while the VRRP-a active - standby is running normally, the set-back of inline mode does not update the flag correctly in internal logic, so the box does not run in correct standby inline mode status.
The "show counters gslb dns" command generates a parsing error.
After upgrading from 1030S (2.7.2-P4) to 1040S (4.1.4-P2), the device drops SIP INVITE messages with headers larger than 15.
CGN units that respond with TCP RST due to traffic not hitting any sessions, always respond with the default (vrid0) VMAC address and cause router flips.
Thunder14045 running on 4.1.4-P2-SKT-232622 does not display CPS and Current Connections data even when processing traffic.
On Version 4.1.1-P6-SP1, (build 21) a physical interface flap issue caused an LACP member flap.
The "show interface ethernet" command sometimes displays Input and Output utilization of 0% or greater than 100%, even when traffic flows through the interface.
The idle timer expires within 60 sec when half-open-idle-timeout is configured upon the tcp-proxy. This causes a session to not use the idle timer even when a client connection is established. As a result, tcp proxy applications age-out when they do not contact the back-end server for more than 30 seconds.
The "destination class-list" command does not display the "Hits" counter when the command specifies an individual list.
Snat-on-vip does not work when a) L3 NAT is configured as Static NAT, and b) Explicit Proxy.
The "CGN template logging" mode includes a device-context option. When configuring multiple device-context, the device only stores the source-IP address that is configured last.
The maximum WAF cookie limit needs to increase from 127 to at least 1000.
Accounting for an inbound connection in the case of port-reservation is incorrect, which causes the show command to display incorrect values. The data session also does not print when using the "show cgnv6 lsn inside-user x.x.x.x" command.
Incorrect/additional characters show up in HTTP Proxy Logging.
A scenario where CGN advertises a default-route by redistributing floating static route when it loses default-route from upper router works when ACOS loses the default-route advertised from upper router – the static default-route floats on its routing table and is advertised to lower routers. However, when the upper router recovers and the static route is deleted on the routing table, ACOS still advertises the route in OSPF.
After upgrading ACOS, an attempt to register Harmony Controller because the device uses the old script for heartbeat.
After upgrading from Version 4.1.1-P5 to Version 4.1.4-P2 (without rebooting), a10rptmon cannot initiate.
Harmony controller status and statistics are missing in the periodic showtech. "Showtech" should include "show harmony-controller status" output to facilitate verifying actual registration status instead of relying on running-config.
Under certain conditions, Thunder 6430 configured as CGN reboots itself after a crash.
"TCP::payload replace" may not work correctly when data is piggybacked with ACK during client three-way handshakes. See description section for the aFleX script.
When "low-latency" is configured, the state of the service group is displayed as "unknown" using the command "show slb service-group".
The command "configure sync" can cause a system crash.
ACOS is unable to send audit logs from a private partition through a data interface in the shared partition. The "partition shared" option does not appear when configuring "logging auditlog" in the private partition. However, the "partition shared" option appears when sending partition syslogs from the shared partition.
The Block-replace API call is failing and producing the following error: "Service group is currently used. Please remove binding and try again."
In the AWS environment, a rare race condition is observed when the vThunder instances with the VRRP configuration boot up at the same time. The issue manifests by having the elastic IP address incorrectly associated to the Standby VRRP node.
An issue created a bad state object-group when a new object-group is created with an existing object-group name on the Standby unit, and the manual configuration synchronization is performed. The ACL entry associated with the bad state object-group does not work and cannot be removed through CLI or GUI.
In the TCS configuration, if the server response is IP fragment, the Ping-Pong issue occurs between the Thunder device and the cache server.
When the "show int stat eth 1 eth 2 eth 3" command is executed, only the eth 3 statistics is getting displayed.
Policy based port that is disabled can be internally considered incorrectly to be up. The trigger for this issue appears to be the policy based disable commands, including disable-when-any-port-down or disable-when-all-port-down.
FTP Active mode does not work in L2 bridge mode. FTP ALG edited the outgoing PORT packet with the NAT pool IP address and port but the SYN from the FTP server was dropped.
Existing session traffic is impacted after taking over an established active role after reboot.
SNMP cannot be counted after the a10lb process restarts subsequent to killing the process. While a10lb restarts, all processes should restart; however, a10snmp_trapd did not restart, which inhibits the ability for processes to sync on shared memory.
The static management IP address was lost after rebooting the device.
Cannot create an object-group network with the IPv6 default route (::/0).
The user found that the ACOS was crashing when it tried to parse bad or invalid Set-Cookie headers sent by the server.
Due to a MySQL vport issue related to a long username, the ACOS system was rebooting multiple times.
ACOS system sometimes rebooted if you enabled the WAF "form-set-no-cache" option in learning mode.
The interface with system template-bind monitor did not link up after the unit was rebooted.
CLI restricts usage of the "?" (question mark) character to listing available commands. AXAPI needs to be used for entering
commands that contain the "?" character (such as Banner text).

4.1.4-P3
4.1.4-P2-SP1
4.1.4-P3
4.1.4-GR1
4.1.4-P1
4.1.4-P1
4.1.4-P1
4.1.4-P2
4.1.4-P3
4.1.2-P4
4.1.2-P4
4.1.4-P3
4.1.4-P3
4.1.1-P10
4.1.4-P3
4.1.4-P2
4.1.1-P8
4.1.1-P5
4.1.4-P3
4.1.4-P1
4.1.4-P3
4.1.1-P10
4.1.4-P3
4.1.4-P3
4.1.4-GR1
4.1.1-P8
4.1.4-P2
4.1.4-P2
4.1.2-P4
4.1.4-GR1
4.1.1-P6-SP1
4.1.4-P2
4.1.4-P2
4.1.4-P3
4.1.4-P2
4.1.1-P8
4.1.4-P1
4.1.2-P4
4.1.4-P3
2.8.2-P6-SP1
4.1.1-P8
4.1.4-P3
4.1.1-P8
4.1.1-P6-SP1
4.1.0-P11
4.0.3-P1-SP6
4.1.4-P2
4.1.4-P2
4.1.1-P9
4.1.4-P2
4.1.1-P8-SP2
2.7.2-P8
4.1.4-P2
4.1.1-P8
4.1.1-P6-SP1
4.1.4-P3
4.1.1-P9
2.7.2-P13
4.1.4-P2
2.7.2-P11
2.7.2-P11
4.1.1-P5
4.1.4-P1
4.1.4-P2


451303 SLB-FTP-Proxy Major


450017 SSL Major
446375 Web - ADC CGN Major
446089 AAM Enhancement
442531 ACL Major
441253 TCPIP Major
440299 SLB-TCS Major
439457 ConfigMgr Major
439165 SLB-Config Major
437929 SLB-Config Major
435706 GSLB Major
435514 VRRP Major
430303 VRRP Enhancement
426782 Health-Monitor-DSR Major
423466 L2/L3 Major
420490 SLB-FTP-Proxy Major
404468 Documentation Major
392207 Web - ADC CGN Major
392011 SLB-L4 Major
388714 L2/L3 Enhancement
384730 AAA Major
374647 L2/L3 Major
372097 SLB-L4 Major
370657 ConfigMgr Major
283369 System - platform Major
267040 SLB-ICAP Minor
232618 SLB-NAT Major
192616 SNMP Major
Release: 4.1.4-P3 Fixed Issues
A10 Tracking ID System Area Severity
469417 Web - ADC CGN Major
469375 System - platform Critical
469156 Harmony-Controller-Integ Critical
469027 CGN-Infra Major
468610 System - management Major
468538 Platform Major
468529 SLB-L4 Major
468385 aFleX Major
468056 Event Encoding (Netflow) Major
467950 ConfigMgr Major
467827 WAF Critical
467785 SLB-Config Major
467554 CGN-NAT44 Major
467515 GiFW Infra Critical
467178 CGN-NAT64 Critical
467071 SLB-ICAP Critical
466753 CGN-One-to-One-Nat Major
466729 System - platform Major
466714 SSLi Major
466609 ConfigMgr Major
466460 SLB-Policy Major
466432 SSL Major
466393 others Critical
466273 System - management Major
466243 Explicit Proxy Major
465928 VRRP Major
465870 Explicit Proxy Critical
465709 Router Major
465360 SNMP Critical
465247 System - platform Critical
465238 System - platform Critical
465093 SSL Major
465073 Harmony-Controller-Integ Critical
464836 System - platform Critical


The IP address of a VIP and a real server are of a different length so a sequence adjustment is expected. However, the sequence number was adjusted incorrectly for the Passive File Transfer Protocol (PASV) mode rexmit.
When using CRL to check the client certificate, a system crash occurred when there was an existing SSL session.
SLB service group status is not available for groups created on the GUI ADC >> Service Group >> Create page that uses non-default options.
Configuring same host for multiple AAM service groups generates "Address specified is used by a real server" error.
L2 forwarding is not working as expected when ACL session match happens.
In an inter-partition route where the VIP in the L3V partition was accessing the server in a shared partition, the re-transmitted SYN flags sent to the server were inconsistent. The first re-transmission went out of the shared (eth3) partition as expected, but the rest of the re-transmission followed the L3V default route (eth2).
Under a certain condition ACOS did not send a RST to the client when the client should have received one.
On GUI, when a member is added for the first time with priority or template under service-group, the priority or template does not work even after refresh.
When "virtual-port default template" with "aflow" option is created and when L4 vPort is created, a warning message is not displayed indicating that "aflow" is only applicable for L7 (http/https) vPorts.
In SLB deployments, the "conn-limit" option is not working as expected when bound to service-group members. ACOS does not allow more than 4 simultaneous connections across the box, but the expectation is that it should allow a total of 6 simultaneous connections.
ACOS may respond to an FQDN matching an auto-map GSLB service-ip with an A/AAAA query, even when the user query type is not A/AAAA.
Received IPv6 VRRP-A packets were treated as "missed" packets.
The user found that the preferred-session-sync-port does not fall-back for vrrp-peer. In the current implementation, in the case when there are two VRRP interfaces available, and the customer configures preferred-session sync-port option for the 'peer-group' usage. However, if vrrp-a peer-group option is configured, session sync port does not fall back to the preferred-port. The "Peer IP" address does not get reselected back to the preferred port.
Disabling DSR (dest-nat command) removes service-group control of DSCP. In this instance, DSCP settings must be applied on each appropriate port instead of relying on a service-group configuration.
The BFD neighbor goes down for few seconds when trunk's working lead port is disabled. This can occur on both FTA and non-FTA devices based on the configuration.
ACOS incorrectly starts the server side connection at the moment when the client side connection is established. For slow clients, this can require more ACOS resources.
GUI issues excessive error messages when logging in after configuring block-merge-start in CLI.
The GUI does not properly display object information if the object name exceeds 80 characters.
When the access-list is configured on VE interface, CPU-LS is not working properly. This issue is seen, only when cpu-rr is enabled, ICMP traffic is not routed by non-home CPUs, and there is an incident of ACL (permit) applied under interface. It results in TCP/UDP packets getting forwarded and ACL creating sessions as expected.
The "show ip route" command triggers a search for an exact match to the route specified by the command. When an exact match is not available, the command should perform a "best match" to routing table contents, then enhance the output to provide "Reachability via:" information for a best matched route.
If more than one TACACS server was configured on the ACOS device for command authorization and if "tacacs-server monitor" was configured for the TACACS servers, then ACOS was switching between the two TACACS servers. This, in turn, caused authorization to fail.
After configuring the admin-key to the trunk group, the user cannot remove or edit the admin-key. An attempt to edit it will fail and will produce the following error message: "All the members of an LACP trunk must have the same admin key." This limitation is a long-term legacy issue.
The ACOS device sent packets to the wrong next-hop. This issue could occur during failover if the next-hop arp MAC changed.
Chain Certificate file in Client-SSL template may not get correctly synchronized to the standby device when using Configure Sync.
The "action link-enable" command (slb monitor template) does not work on interfaces that are LACP members.
Removed source-ip persist for reqmod and respmod templates. It did not function in these templates and is currently not a necessary part of ICAP.
Pool address - port allocation failure on standby device triggered by stuck sessions.
SNMP statistics for axInterfaceStatTable were refreshed only once every 60 seconds. The default refresh rate for other traffic
and CPU statistics is one second.
Description
Class lists generated through the CLI are stored in configuration mode. The import command or GUI import (local or remote) should not be able to write over these ACLs.
In a rare case, after a reboot/powercycle, the Bare metal or TH1040S platform may boot up with wrong environmental parameters and trigger a reload.
A device may experience a system reset when it receives an HTTP request with random characters in the user-agent field while it is registered to harmony controller.
The "clear cgnv6 lsn data-sessions" with filter option does not work properly.
TH7440-11 has a different default environment temperature threshold setup from other Thunder models
"axAppGlobalBufferCurrentUsage" does not work for non-FTA models that run DPDK mode.
The "clear slb virtual-server" command that specifies a specific virtual server improperly clears stats from all virtual-servers.
System may crash when it parses DNS record type 10 with content string longer than 300 bytes.
The "record sesn-event-dslite" command logged incorrect dslite counters.
Invalid AXAPI body caused the configuration manager to crash.
If WAF was enabled, the ACOS device reloaded upon receiving a client's invalid chunked request with 100-Continue.
The configuration of half-close-idle is being deprecated.
When running UDP DNS traffic in a CGN configuration, if an ACL is bound to the IP NAT Inside interface, the GUI dashboard displays inaccurate session statistics.
Firewall log messages contain invalid notation of IPv6 address.
When a client sends NAT64 traffic, the command "show cgnv6 lsn system-status" will properly display the TCP NAT Ports Used counter increasing. However, when the traffic stops and the sessions and ports are released, the TCP NAT Ports Used counter does not refresh back to zero.
Under high traffic load with ICAP enabled, sessions were not freed properly and may sometimes trigger a reload.
When Static Mappings (port-reservation) is configured and traffic is sent from an outside host to an inside host, the command "show cgnv6 lsn inside-user <inside client ip>" does not show the session and the LSN port-reservation sessions in the user-quota are not counted.
On TH3040, the 1G ports are up only if duplexity is configured.
After replacing the client SSL-template which is bound to the virtual server ports, running the command, config-sync, and after a failover scenario, the active device does not bypass SSL traffic identified in the forward-proxy-bypass class-list.
If the A10 Thunder device boots with a copper (AXSK-CSFP-COP) SFP inserted, the command, show interface media, displays an error. If the SFP is inserted after the A10 Thunder device boots there will be no error displayed using the command, show interface media.
Migration limitation for the same glid between the shared and RBA partitions.
When an ECDSA certificate is installed, using the CLI command show pki cert, does not display the certificate list.
Ping does not work properly using Thunder Bare Metal with Mellanox Network Interface Controllers.
A class-list import was not reflected on customer's ACOS device. This could happen under a very rare timing event when the reboot/shutdown command is executed while the "import xxx" command is trying to update the bwlist.
In Explicit Proxy deployments, if the first request is "drop", ACOS closes the connection with "Connection: close" header. However if the first request is to forward and the second request is to "drop" the packet, then ACOS does not close the connection. In addition, if the second request is a POST, then ACOS does not wait for all the data from the client before sending the block message and ACOS seems to try to parse the POST data as the next request. This could cause some corrupt HTTP/proxy log messages.
ACOS is unable to sync config files between vThunders in a VRRP-A deployment using the config sync option. The receiver shows the following message: "Please don't sync to self. Sync will be cancelled."
In Explicit Proxy deployments, the SSLi module reloaded while updating the class-list.
The vThunder instance cannot configure more than 1024 static routes, even though 4000 routes appeared under the "Max-allowed" field in the output of the CLI "show resource-accounting" command.
The trap "axIpNatLoggingLotPktSent" (OID: 1.3.6.1.4.1.22610.2.4.3.18.101.1.1) does not support aggregation for the TH14045 blade, and it only supports aggregation for all L3v partitions. Further, the stats only include those from the vMaster not from the vBlade. This OID should be properly supported on the Thunder TH14045 dual-blade platform.
"Erase" command generates a "backend error" message.
show environment command improperly displayed "Not supported in BareMetal!!!" message.
Version 4.1.4-P3 removes the limitation of not providing shared partition support for chain certs in client-ssl and server-ssl templates.
In the large scale SSLi setup, high data CPU is observed on the LAN/WAN interfaces of the Load Balancer due to Harmony configuration.
When a request matches, and if the action was configured to 'drop' the request, then it was dropped as expected. However, some flags were not correctly reset, and this caused the request to "have a change to make explicit proxy reload."

2.7.2-P13
4.1.4-P2
4.1.4-GR1
4.1.4-P1
4.1.1-P8
2.7.2
4.1.1-P8
4.1.1-P8
4.1.0-P10
2.7.2-P11
2.7.2-P11
4.1.4-P1
4.1.1-P8
4.1.4
2.8.2-P6
2.7.2-P11
4.1.0-P10
4.1.4
2.7.2-P11
4.1.2-P1
4.1.0-SP2
4.1.2
2.7.2-P12
4.1.1-P1
2.7.1-GR1
4.1.4-GR1
2.7.2-P3-SP5
2.6.1-GR1-P12

Version Reported
4.1.4-P2
4.1.4-P3
4.1.1-P8
4.1.4-P2-SP1
4.1.4-P2
4.1.4-P2
4.1.1-P6
2.7.2-P3-SP3
4.1.4-P3
4.1.1-P8
4.1.1-P8
4.1.4-P1
4.1.4
4.1.1-P5-SP2
4.1.4-P2
4.1.4-P3
4.1.4-P2
4.1.4-P3
4.1.1-P8-SP2
4.1.4-P2
4.1.4-P3
4.1.4-P2
4.1.4-P3
4.1.4-P2
4.1.4-P2
4.1.4-P2
4.1.1-P10
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.2-P2
4.1.4-P2


464740 System - platform Major


464629 SLB-FTP-Proxy Major
464518 SLB-Config Major
464506 L2/L3 Major
464330 Scaleout-fw-data-plane Major
464152 SLB-Config Major
464107 Documentation Major
463990 Counter-Infra Minor
463815 Firewall Major
463486 SSL Major
463417 System - platform Major
463393 SLB-Config Major
463276 SSL Major
463225 VCS Major
463192 SSLi Major
463180 SLB-Config Major
463105 Router Major
463018 SSLi Critical
462940 SLB-Policy Major
462721 Chassis Platform Major
462445 Web - ADC CGN Major
462293 Web - ADC CGN Major
462118 CGN-NAT Pool Major
461911 aFleX Major
461905 SLB-L4 Major
461891 SLB-Config Major
461710 VRRP Critical
461656 Explicit Proxy Critical
461632 SLB-Config Major
461572 L2/L3 Major
461518 System - platform Critical
461476 SLB-NAT Major
461440 CGN-NAT Pool Major
461359 Harmony-Controller-Integ Critical
461224 CGN-NAT44 Major
460764 TCPIP Critical
460696 Harmony-Controller-Integ Critical
460406 HW Critical
460402 SSLi Major
460396 CGN-DNS64/DNSALG Critical
460330 SSLi Major
460090 VRRP Major
460018 WAF Major
459981 SSLi Critical
459631 VRRP Major
459436 Web - ADC CGN Major
459424 System - platform Major
459163 CGN-MAP Major
458710 aFleX Major
458664 Firewall Critical
457621 SLB-L4 Major
457402 System - platform Major
457234 VRRP Major
457174 SLB-L4 Minor
457108 SLB-Policy Major
456440 System-Platform Major
456022 CGN-Logging Major
455809 AAA Major
455200 CGN-NAT44 Critical
455080 Explicit Proxy Major
453959 Health-Monitor-Infra Critical
453367 ConfigMgr Major
452995 SSL Minor
452917 SSL Critical


Template logic had an error. This was manifested by a link-disable command that did not disable all linked 100G interfaces when one interface became disabled. The logic was corrected.
When using the FEAT command, the device expects a success response from the server and, upon receipt, changes the state from server_response to client_request. In a specific configuration, the FTP server responds to the FEAT command with a 500 Error. This results in the state machine never changing from the server_response state.
When the most recently added rport under an rserver was not bound to a service group, the "graceful-shutdown after-disable" did not function properly after disabling rserver.
Linux kernel had arp refresh interval set to 300 sec and ipv6 neighbor refresh interval set to 30 sec. This caused Kernel to trigger the neighbor solicitation for every 30 sec and set neighbor state to STALE during that time. The ipv6 neighbor refresh interval is now also set to 300 sec.
The "scaleout-cgn enable" is deprecated and should have generated an error when trying to configure it from the CLI.
When "half-open-idle-timeout" is configured in a tcp/tcp-proxy template, the configured msl-time is ignored and the session is immediately deleted.
A non-existent event ("CLIENT_CONNECTED") is described in the "drop" command sample. The "CLIENT_ACCEPTED" event should be described.
The interval option of the "show interfaces statistics" does not display statistics. It only indicates the port number and time (once).
FW REV UDP traffic unexpectedly did not refresh the session. Patch was provided to refresh session for UDP REV traffic.
Revert partition shared for cert/key in client-ssl/server-ssl templates.
Some high-end Thunder models were shipped with multi-ctrl-cpu improperly set to 1. On these systems, multi-ctrl-cpu should be set to 2.
"Priority affinity" unexpectedly did not appear on the "#show slb service-group NAME" output.
When there is an SNI CTX in cache and a corresponding cert/key was deleted, all new connections should subsequently create and use a new ctx instead of the cached ctx. This process was failing, but is now fixed.
The "vcs admin-session-connect" command may not work as expected when the target device changes SSH Key.
ACOS device stopped functioning due to Page Table Corruption on the outside SSLi Device and ATP setup running with a domain controller, when decryption-encryption was enabled.
In prior releases, the VIPs and static NAT could not have the same IP address, but now they can.
The device was stuck for unknown reason. An enhancement was required to use IPI processes for generating pid files in system.
In SSLi deployments, the "forward-proxy-cache-persistence" option does not work in IPv4 scenarios.
After a reload, Bw_list did not print error log message for all entries. There were a set of conditions that can trigger this behavior.
The "show interface" command suddenly displays wrong bytes counter on ACOS device for both input/output bytes counters.
The control CPU usage reaches 100%. When the commands "web-service secure-server disable" and "web-service server disable" are run together to stop web-service on ACOS version 414P2.
When VRRP is configured from GUI without a device ID, VRRP is not enabled. When device ID is entered, VRRP is still non-functional until VRRP-A has been disabled then enabled. Workaround: To resolve this, an error message "Please configure VRRP-A device ID first before enabling VRRP-A." has been added.
Removal of Fixed NAT CGNv6 pool in a CGN-Scaleout cluster caused unexpected software reload and ACOS device/instance got stuck in VCS LOADING state.
Sometimes the TCP::payload inside a loop statement might be blocked due to a runtime error. As a workaround, use TCP::payload outside the loop.
The "show slb service-group" commands displayed an incorrect value when the ACL with VLAN option was configured for a virtual server. The "total_count" and "Rev-p" count for the service-group member was incorrect for the first packet hitting the wildcard with ACL and VLAN.
The slb resource-usage threshold command was improperly available in private partitions. This command should be available only in the shared partition.
Multiple VRIDs and subnet masks on a VIP caused incorrect ARP response from the standby unit.
ACOS configured as EP and FTP must select the next hop based on service group.
When the command "graceful-shutdown 5 after-disable" was run and the command was waiting for the grace-period to disable the ports, CFG got removed and ACOS restarted.
The ACOS device suffered continuous reloads due to Jumbo frame flag and port mirror configurations.
A vthunder N5 with one vm supporting 16 VFs generates a segmentation fault crash when ssl VIPs starts receiving traffic.
SNAT-on-VIP did not work for the command "ip nat range-list".
The a10snmpd memory increased on a CGN configuration.
Counters of "CGN PC topic counter from acos to harmony " did not increment after some hours.
The time it took to delete a session in "timeout fast" mode (by default port 53 UDP) was different across the ACOS 2.8.2 and ACOS 4.1.4 release streams.
The user found that IPv6 "packet too big" caused A10 to reload, as it sent back the A10 VIP https vport.
The user found that while removing the "topk sources" command, it resulted in a crash. This issue is being addressed.
The user found that the display of #show interfaces transceiver details was incorrect for tx/rx power and low threshold values of temperature.
The user found that when running the EP+SSLi configuration with HC analytics SGW, enabled crash was observed at A10kk corp w/TH5430S.
The user found that the few of the DNS responses did not get converted from A to AAAA.
The user found that the virtual-server was sending malformed Extension: ALPN on Server Hello with EP+HTTPS.
When using the CLI command, config sync all all-partitions, a high CPU condition can occur if there are many axdebug pcap files stored in an L3V partition.
When the WAF is in passive or learning mode, an ACOS crash can occur if the WAF successfully parses XML related checks.
If the transmit-buffer is configured in an HTTPs virtual port, some packets may be queued and some were not forwarded. This could cause content past a certain size to become truncated.
On Thunder 1040, the active VRRP-A member incorrectly forwards the standby VRRP-A ARP requests to other interfaces even though VRRP-A L3-inline-mode is configured, resulting in loss of connectivity to the standby VRRP-A Thunder 1040.
GUI Dashboard page of Thunder BareMetal shows some cyclic bumpy graphs, such as Memory Usage, Sessions, and NAT Ports, in spite of no traffic going through it.
Opening or reloading the GUI Dashboard page of Thunder BareMetal stops some CLI output for about a minute until it finishes reloading.
The cgnv6 resource-usage stateless-entries command is displayed by "show running-config with-default", which indicates that it is a default condition. Usually, this option is not enabled by default and is enabled when customer uses MAP-T or Lw4o6.
Packet and byte counts by aflex IP::stats command are not correct.
EP SSLi single partition uses wrong source MAC.
The "ve-stats enable" command does not work properly. When the option "use-recv-hop" is used on the virtual port, the ACOS device does not count the ve-stats packets correctly for reverse traffic on the ve interface. Without this "use-recv-hop" option enabled, the packet counter looks correct.
Some Ethernet interfaces were unable to send out packets when the control plane traffic has a mixture of "og" jumbo and non-jumbo traffic.
When VRRP configuration synchronization is changed from active to standby, the 'smtp mailfrom <email-id>' and 'lldp system-name <name>' commands are overwritten.
The aging short does not work correctly when idle-timeout is less than 31 seconds and re-select-if-server-down is configured.
The PBSLB class-list configured for vport 53 does not work.
vThunder node generates kernel panic core after executing a vcs reload.
In this patch, when there are multiple active templates then some specific configurations serves only single template. This leads to TCP connection timeout of syslog servers associated with other templates.
In this patch, NAS IP field in radius packet concludes that all management plane packets are using default management IP. Hence, even if the management IP is disabled, it still uses its default IP as nas ip field. Solution: We need a new API which will be able to resolve the SRC IP address to be used for sending out radius request packet.
The resolution of this issue also resolves 452455. See description in Known Issues (4.1.4-P2).
CGN or Fixed NAT always uses VRRP MAC. However, the SYN packet uses the interface VE MAC from AX to the server, the source MAC is used with VRID 0, or interface VE MAC. For other packets from AX to the server, the VRID 0 is used.
When ICAP and SSLi are enabled on ACOS Ethernet port, ICAP request for modification stops forward-proxy logging for decoded HTTP request.
Health-check for databases (Oracle, mysql, mssql, postgresql) did not function as expected. ACOS was not sending database packets.
The "rename" command is not working if the object name includes special characters in it.
The user found that the ACOS did not send the message Close Notify and instead sent a message FIN/ACK with 1s delay when the half-open-idle-timeout was enabled.
ACOS may reload while processing heavy SSL traffic due to invalid memory access. This issue is more prevalent on systems with 8GB memory or less.

4.1.4-P2
4.1.4-P3
4.1.4-P2
4.1.4-P3
4.1.4-P3
4.1.4-P2
4.1.4-P2
4.1.4-P3
4.1.4-P3
4.1.4-P3
4.1.2-P1
4.1.4-P2
4.1.4-P2
4.1.4-P3
4.1.0-P11
4.1.1-P9
4.1.2-P5
4.1.4-P3
4.1.4-P3
4.1.2-P4
4.1.4-P2
4.1.4-P3
4.1.4-P3
4.1.4-P2
4.1.4-P2
4.1.4-P3
4.1.4-P1
4.1.4-P1
4.1.4-P2
4.1.1-P8
4.1.4-P3
4.1.4-P2
4.1.4-P2
4.1.4-P3
4.1.4-P2
4.1.4-P1
3.2.3
2.7.89
4.1.4-P2
4.1.4-P1
4.1.4-P1
4.1.4-P1
4.1.1-P8
4.1.4-P2
4.1.4-P1
4.1.4-P2
4.1.4-P2
4.1.4-P1
4.1.1-P8
4.1.4-P2
4.1.4-P1
4.1.1-P8
4.1.4-P2
4.1.1-P5
4.1.4-P1
4.1.4-P2
4.1.2-P3
4.1.4-P2
4.1.0-P11
4.1.1-P1
4.1.4-P2
4.1.1-P8
2.7.2-P10
4.1.0-P9


452140 SLB-Config Enhancement


452014 SLB-SQL Major
451675 SNMP Major
449754 SNMP Critical
449203 SLB-Config Major
449140 SLB-FIX Critical
448795 SLB-ICAP Major
448450 SLB-Logging Enhancement
447223 SLB-RAM-Cache Major
445276 Router Enhancement
443452 SSL Major
443417 SNMP Major
442579 SLB-L4 Critical
441454 HW Major
441328 VRRP Major
441100 ACL Major
440974 CGN-Logging Major
440941 System - platform Major
438316 CGN-NAT44 Enhancement
436582 License Manager Major
436117 SLB-L4 Major
434939 Web3.0 (deprecated) Major
434257 AXDebug Major
433672 Health-Monitor-Infra Major
432958 ACL Major
430462 System - platform Major
430126 SNMP Major
429289 L2/L3 Major
428875 AXDebug Major
427906 Event Encoding (Netflow) Major
427159 SSL Minor
425546 CGN Major
423466 L2/L3 Major
422974 SSL Major
422677 SSL Major
420829 SSLi Major
414022 L2/L3 Critical
409525 Health-Monitor-Infra Critical
408298 aFleX Enhancement
407953 SSL Major
406936 System - platform Minor
401023 Health-Monitor-L7 Major
389800 SLB-L4 Major
389725 Firewall Major
377212 CGN-Logging Major
375059 System - management Major
372721 AAM Critical
368218 Web - ADC CGN Enhancement
360828 CGN-NAT44 Critical
349051 GSLB Major
348822 L2/L3 Minor
329632 CGN-NAT44 Major
323704 SLB-Config Major
307786 CGN-NAT44 Major
296836 SSL Major
286252 Platform Major
228013 SLB-HTTP Major
137419 SLB-L4 Major
136246 TCPIP Major
125536 SLB-HTTP Major
Release: 4.1.4-P2 Fixed Issues
A10 Tracking ID System Area Severity
458233 CGN-iDDoS Major
458071 VRRP Major


The user found that the Traffic-replication did not work when the pool was selected with aFlex.
The MySQL virtual port and a long username of over 32 characters caused unexpected software restart. Configuring a long
There
username was (exceeding
an inconsistency between on
32 characters) theMySQLSNMP virtualgenerated portMIB and buffer
caused the implementation.
state change reload The implementation changed to
after the login was rejected,
SNMP
be
when query
consistent
the for
buffer withMIB
was SNMPobject,
freed. MIB axAppGlobalTotalCurrentConnections,
by using Counter64 instead of Integer. returns value = 0 when traffic is running in L3V partitons
An error is displayed while migrating to class-list due to ip-map-list not being re-enabled.
only.
Client IP header insert fails when the body length of FIX (Financial Information Exchange protocol) has 3 leading zeros.
Editing an ICAP template bound to one VIP causes traffic failure on another VIP that is pointing to the same ICAP server (even when different ICAP templates are used).
The ACOS device did not provide logs for "system session resource exhaustion". Therefore, to provide more proactive notifications in the future, ACOS will send a syslog message when fast-aging is triggered.
Configuring a policy local-uri may generate a "local cache entry can't be created" error.
Enhancement Multiple Interface Flap messages generated for log-neighbor-change. Enhancements include displaying the reason, such as link down, connect route down, or L3V related.
In Dynamic-Port SSLi deployments, non-ssl traffic was processed as L4 if non-ssl-bypass feature is configured. This change was introduced in 4.1.1-P8 to optimize performance. This, however, affected processing of certain protocol traffic such as FTP, SMTP where server initiates first data packet.
In this release, the behavior reverted to that of 4.1.1-P7 or earlier releases, and by default, all traffic is processed as L7. Also, a new config option is added under client-ssl template to help user enable optimization and process non-ssl traffic as L4.
Configuration:
non-ssl-bypass service-group <sg_name> [bypass-proxy]
~ With the bypass-proxy configured under Dynamic Port Intercept, non-SSL sessions will be processed as L4 traffic.
~ Without bypass-proxy option configured (default), the behavior will be same as that of 4.1.1-P7, where the traffic is being processed as L7 traffic.
SNMP mib cannot load to the mib browser because of the duplicated defined object.
In the CPU load-sharing scenario, the L3 traffic is not being processed by the non-home CPU when the home CPU experiences high CPU usage.
Data Interfaces that are connected back-to-back do not come up when the device is rebooted.
The standby device in a VRRP-A configuration displayed parsing errors such as "Parse error when executing command: pki ssl-update certificate", when the active device ran the "configure sync running all-partitions auto-authentication" command.
The 'Rule already configured for this ACL' message may be displayed incorrectly when permitting a subnet that contains a smaller subnet for which a deny rule already existed. As a workaround, define the subnets in the object-groups and refer to the object-groups in the ACL statements.
CGN logging with L3V partitions did not work in ACOS under when shared group is removed and added in shared partition.
Specific UDP and TCP ports remained open in ACOS, although the ports were not assigned any function.
In GiFW deployments, if a packet to a nat-pool is matched against the "permit forward" rule, then the packet is not counted for DDOS Selective Filtering Feature. However, if the packet matches a DENY/UNMATCHED DENY, the packet is counted. ACOS does not examine the packet against selective filtering rate-limit, but it should do so.
On A10 load balancer, the crash license information is not reloaded and the bandwidth on the license is reset to the default value.
The "clear sessions all" command is not working when the client is sending UDP packets from the same IP address and port every 1 second.
The status for an ip source nat item created in the CLI was neither enabled nor disabled. This was fixed by having the CLI maintain only one object (combining enable and disable) to reflect enable / disable status.
Certain flow may be saved and display even when it did not match the AXDebug filter. This happens on TCP proxy based applications involving multiple flows.
The server health monitor ping "disable-after-down" is not marking the server as "Down" when the server is not Up/working.
Unable to add a rule back into an ACL after deleting the rule, in certain instances.
TH3040 10G ports do not function correctly after reboot when it is connected to Brocade ICX7450 SFP+ 10G ports.
If multi-ctrl-cpu is configured, ACOS shows incorrect value of the CPU usage counter for the added ctrl-cpu.
After performing an upgrade, ports configured for monitor action are not reachable.
When capturing packets with axdebug, a display issue occurred, causing erroneous values to appear in the axdebug output for
The
VLAN data packet This
numbers. duration
issuethat wasrecorded
seen forthe time a particular
incoming IP packetsdata withsession
non-zero wasDSCPopen displayed
values incorrect
on tagged values. This field was
interfaces.
In
of SSLi
4 bytes deployments,
and showed the ACOS
value device occasionally
in milliseconds. The maximum does notvalue closewas the TCP connection
4294967295 when ACOS fails
in milliseconds to verify a server in
and 49.71026961806
When
days. RBAby
certificate is disabled,
server-sslintemplate CLI, login withusers with role "PartitionSlbServiceOperator" can configure other objects, except role
ca-cert.
The BFD neighbor goes down for
"PartitionSlbServiceOperator". On fewGUI,seconds
login users when with trunk's working lead port is disabled. can
role "PartitionSlbServiceOperator" Thisaccess
can occur on both
objects FTA and
or pages thatnon-
are
Afterdevices
FTA
under upgrade
the rolebasedto 411P6-Sp1, ACOS reset while serving SSL traffic using DHE ciphers.
on the configuration.
"PartitionSlbServiceOperator".
The device formerly sent FIN to close tcp for an SSL error. The revised process is using "reset tcp session" to indicate SSL error.
Dynamic-SSL by-pass sessions were processed by Layer 7 instead of Layer 4. However, the dynamic-SSL by-pass sessions now go through the L4 path to improve latency in the traffic.
Telnet is disabled on ACOS devices by default. However, by applying certain access control lists (ACLs) this default Telnet behavior may be overwritten. This could potentially compromise the security of the ACOS device, because after configuring the ACLs, the ACOS device was accessible through Telnet but the "show mgmt" command still indicates that Telnet services are turned off.
The health check was not sent out on the correct interface when 'ip nat pool' with gateway option was configured.
A fast-aging kicked in when the current connections surpassed 1 million connections with aFleX.
The SSL cps counter on the ADC dashboard displayed the value for only server-side SSL connections.
When an interface is enabled and disabled from a L3V partition, its status on the shared partition displays as "enabled".
The health monitor for MySQL database leaves an erroneous log message on the server when the TCP socket for the health monitor is closed without a "QUIT" or "Exit" command.
ACOS did not adjust the sequential acknowledge numbers in the SACK option when the SSL-SID template was used under the TCP virtual port. When the TCP virtual port was used with SSL-SID persist template, the ACOS device functioned as a TCP proxy, an error occurred when the client sent a TCP packet with SLE and SRE options to the server.
When traffic hit the ACOS firewall, the session age information for non-PPTP GRE traffic was not updating in the output of the "show session" command. Instead of increasing over time, the value for these "Unknown" sessions did not change.
When using the "export fixed-nat <filename>" command to export a fixed-nat port-mapping file appended with a long ip-list name, the export failed since only 63 characters were supported. It is recommended to use a shorter ip-list name.
Output from the "show management" CLI command did not display the correct states of the management service after using the "enable-management" command with the "all-data-intf" key-word.
A memory leak occurred during Kerberos relay when multiple requests were sent on a single connection. This issue could occur if the connection contained many request or if the connection requests were created or cleared frequently.
From the GUI, export of Fixed-NAT port mapping files is not supported.
When a new peer node was added and started to preempt quickly, not all RADIUS session entries were synchronized to the new active peer node. To work around this issue, manually change the standby time to more than 1 minute to allow all RADIUS session entries to be synchronized.
GSLB server-mode returns all service-ip for ANY records. When "dns server any" is configured, ACOS responds with all records by default. However, an option was needed so that the "any" response's records would be sent based on the health check. A new command option ("dns server any-with-metric") has been added that will enable GSLB metrics to be used when serving an any query. The "dns server any" and "dns server any-with-metric" options cannot be used together, as they are mutually exclusive.
It is possible to first configure a port under a VLAN, and then add the VLAN to the trunk (thus having the port belong to both the VLAN and the trunk). This behavior should not be allowed.
For a CGN device with VRRP-A configured, a full-cone session entry for an FTP data session (in FTP "active mode") was erroneously created on the standby ACOS device, instead of being created on the active ACOS device. Then, the full-cone session on the standby device timed-out shortly thereafter.
The wildcard in transparent mode did not trigger SLB code.
DNS service timeout is not honored for non-default ports. Port 53 is default port.
Device was unable to properly parse ZIP or address OIDs properly for x509 log statements.
The duplexity and speed on the management interface are not accurately reflected in the "show int management" output if the duplexity or speed is modified in the configuration.
Virtual servers improperly send SYN to a server on port 65335 when the VIP is configured with 1) port 80 (HTTP) and 2) a service group that includes port 0.
When ACOS receives a 403 error from a backend server, it forwards 200 OK to the frontend client. With MSL 20 and reset-unknown-conn. After ACOS resets the frontend server, it did not reset (RST) any PA packet that arrives afterwards.
MSL is not used when 1) a session goes into half-close state then 2) receives last FIN from client.
SLB servers registered by FQDN do not show up in "show slb virtual-server bind" output when at least one server is configured
with the alternate option.
Description
The "cgnv6 ddos-protection packets-per-second tcp/udp" command does not work. When the number of packets-per-second is at or above 65536, the "cgnv6 ddos-protection packets-per-second tcp/udp" option should work, but it does not. An "l4-entries" is not created, even though the number of packets-per-second is exceeded.
The existence of two methods for creating or updating a user password caused problems when a password is updated through different methods. After this problem was fixed, multiple change methods worked properly, as does the configure sync command.

4.1.1-P8
2.7.2-P13
4.1.1-P8
2.7.2-P12
4.1.4-P1
4.0.3-P1-SP6
4.1.1-P8
4.1.1-P8
4.1.1-P6
4.1.4-P1
4.1.4-P3
4.1.4-P2
2.7.2-P10
4.1.4-P2
4.1.1-P6
4.1.1-P6
4.1.2-P4
4.1.4-P2
4.1.4-P1
4.1.1-P3
4.1.1-P6
4.1.4-P1
4.1.0-P9-SP3
4.1.1-P5
4.1.1-P6
4.1.1-P7
4.1.2-P3
4.1.1-P8
4.1.1-P5-SP2
4.1.0-P10
4.1.1-P5
4.1.4
2.8.2-P6
4.1.1-P6-SP1
4.1.0
4.1.0-P10
4.1.0
2.7.1-P5
4.1.1-P6
4.1.1-P3
4.1.3
2.7.2-P11
2.7.2-P8
4.1.4
2.8.2-P6
4.1.1-P2
4.1.1-P1
4.1.1-P2
2.8.2-P5
4.1.0-P6
2.7.2-P8
4.1.2-P1
4.1.0
4.1.0
4.1.1-P3
3.1.3
2.7.1-P4
2.7.1-P1-SP2
2.7.1-P2
4.1.4

Version Reported
4.1.4-P1
4.1.4


457612 SNMP Major


457366 System - platform Major
457243 SLB-DNS Major
457090 aFlex Major
456559 System - management Major
456553 System - platform Major
456376 Explicit Proxy Major
456229 AAM Major
455953 Router Major
455950 Firewall Critical
455423 GSLB Major
455159 ConfigMgr Major
454801 ACL Major
454699 RBA Major
454652 SLB-SMTP Critical
454537 NAT-NATPT Major
454394 ConfigMgr Critical
454339 SLB-ICAP Critical
454156 SLB-Config Major
454084 SNMP Major
454048 System - platform Major
453919 VRRP Major
453655 AAM Major
453652 System - platform Major
453357 AAM Enhancement
453277 GiFW Major
453214 SLB-FIX Major
453100 L2/L3 Major
452815 SSL Major
452243 Web - ADC CGN Major
452191 Explicit Proxy Critical
452158 aFleX Major
452143 ConfigMgr Major
452080 VCS Critical
452029 SLB-L4 Major
451966 System - platform Minor
451957 Explicit Proxy Major
451924 CGN-NetFlow (Legacy) Major
451890 System - platform Critical
451807 SLB-L4 Major
451678 System - management Major
451441 SSLi Major
451403 CGN-NAT64 Major
451234 System - platform Critical
451219 GiFW Major
450035 SSLi Critical
450281 ConfigMgr Critical
449965 AAM - Kerberos Critical
449835 AAM Major
449635 CGN-ALG-SIP Major
449527 SLB-NAT Major
449332 Logging Infrastructure Major
448881 Firewall Major
448798 SSL Critical
448595 L2/L3 Major
448207 SLB-L4 Major
448009 Health-Monitor-L7 Major
447844 CGN-HTTP Logging Major
447783 SSL Critical
447301 L2/L3 Critical
447230 Firewall Enhancement
447127 SNMP Major
446974 SLB-FTP-Proxy Major
446726 SLB-Config Critical


The process "a10snmpd" reloaded multiple times. The issue reloaded with "snmpbulkget" at "show_voltage_status", and it happened while enabling snmp services. The root cause was that the hardware table pointers had not yet initialized.
Inserting a 10G Copper SFP on a 10G fiber port results in ports being down even after disabling and enabling them.
Malformed DNS packets with incorrect data length in the rdata section of DNS OPT header causes high CPU usage or CLI to hang.
When the selected server fails, the persist uie session was not synchronized with the standby session as expected.
In this patch, when backup system is restored via interface management, the ip control-apps-use-mgmt-port of mgmt. port
In this patch, the customer impact should be minor - when vlan is tagged without jumbo enabled, TH3040 drops packets with
disappears.
In
size this patch,than
greater Thunder or equalcrashesto 1496when destination class-list is configured in policy template and "OPEN" command is executed
bytes.
In
with this patch release
a hostname. if the active unit is before 4.1.4, and standby unit is 4.1.4 or later,then "show aam authentication session"
_x000D_
In this patch,
command
_x000D_ some_x000D_
shows: management services became unreachable from devices on connected subnet of management, thus
A patch
breaking
_x000D_ fixes the
The cause of this crashmanagement
things. following
If the multicast/broadcast
is that EP doport not "flaps"
handleand SMP
FTPgoes match
"OPEN" down problem: Configuring
once, everything
command correctly,gets dest
so an zone
sent tomay
invalid result
default
hostname inisan
route SMP_x000D_
next-hop
used. match
instead of
An
problem
getting lsn-rule-list
for
sent configured
mulitcast
directly to and with
connected
- password is displayed in "User" field_x000D_
_x000D_ a
broadcastdomain-name
peer. traffic.
This Whe does
happens a not
permit retain
because rule its
for
the domain-ip list
multicast/broadcast
connected after
route is a reload
is
missing or
configured,
froma reboot.
packets
table fail
200._x000D_ to match
Configuration
SMP
_x000D_
-Solution:
usernamebut match syncthe
is "SITE"
displayed failure
rule and generates
FW
in "VPort" creates "Peer
field_x000D_ does
another not
SMP exist"
(with message
the same when
IP selecting
addresses running-configuration
and ports) for it. Because on the
theseshared
duplicated
Use command instead of "OPEN" command to avoid the crash.
The user
partition.
SMPs
The usewas
following the not
same
commandable to can
ports-IPuse addresses,
CLIused
be filters forwith
they the
areoutput
a temporary of "show
in thefix:_x000D_
same hash. access-list"
This results in long traverse times for the list and causes
_x000D_
RBA
unexpecteduser who did
behavior. not have permission to access the showtech file was able to export the complete showtech file through the
# ip route add
_x000D_ a.b.c.d/e dev eth0 table mgt scope link <----------- add missing route_x000D_
DeviceGUI.
ACOS crashed when real server closes SMTP service while using codenomicon to this the SMTP virtual port.
_x000D_
This
WhenisTCP a limitation of the system
time-wait-interval and a security
is configured risk for the user,
with port-batching, since user
it causes password
increased "HA is NAT shownPort by ACOS command.
unavailable" errors and _x000D_
session
This
_x000D_
In
drop theonissue
HAthe will be
environment, fixed
standby device. permanently in next release.
if the configuration synchronization is performed periodically using the external health monitor, the
Solutions/fix:
When sendingon
configuration _x000D_
a GET request device
the Standby via http-proxy tunnel and using Telnet, this caused the ACOS device to reload.
was cleared._x000D_
When an existing VIP is enabled and a new v-port is added to the VIP, the new v-port was not accepting the traffic.
_x000D_
_x000D_
Snmpwalk
-Block
Note: Itaam to A10-AX-MIB::axServerNameInPort
authentication
is recommended session
not to performSync config
when Active returned
sync and error.
Standby versions are different.
frequently.
SSL traffic crashes device with one configured CPU with N5 installed.
The ARP request was dropped when the Standby device rebooted and the VRRP-A was in the initialization (init) state.
In the Form-based Relay, if the user password contains the percentage (%) character followed by 2 digits, the back-end application server authentication will fail.
On AWS cloud, HA session sync requires configured security group rules that allow UDP ports starting from 22272 to (22272 + number of data CPUs - 1) for sessions that consist of two vThunder nodes in VRRP mode (one active, one standby). Failure to provide these rules causes the HA session sync to fail and standby node to not show sessions.
When NTLM was configured, uploading large files to SharePoint 2016 was failing.
Interface ICMP rate limit was not working when Firewall (FW) was enabled.
The user found that the Block-merge could not handle the changes to fix templates which were bound to fast-fix vports. This
The
issueuser wasfoundnot seen that:_x000D_
when it was modified to fix the template which was bound to fix vport.
ACOS
- The LLDP does Portnot freevalue updidthenotmemory blockslike
have space, used an for parsingname._x000D_
Interface HTTP responses 2xx coming from an ICAP server. This could
Device
cause
- The LLDP actspacket
memory abnormally and inafter
exhaustion creating
while
the PCAP, in 539
processing which configuration
ICAP trafficwas
the port-id files. Configuration
overinteracting,
time. hadManagement
no space._x000D_ internal error pops up when the
-The
Theuser
upgrade/showtech
port-idfound thatpage
in LLDP the TH
packet crashed
is opened,
with sub-typeitwhen
cannot the aam and
show
interface the
name thedidEPnot
cpu/memory, arehaveconfigured
and with icap
it cannot
whitespace open and
a new
in between aam authentication
ssh connection.
interface name and succeed when
The
all user
icap
number._x000D_ found
servers that
were aFlex
in memory
downstate. leak
The was
crash seen
did with
not CLI
happen deploy
if the block-replace.
icap template It
waswas found
removed while
from running
vpot or the
icapaXAPI
serverscalls
andwith
The
were user
block-replace
in up found
and andthat a
running aFlex
memory stack
state. leak trace
in thewas aFlexseen 256 withand CLI1024deployblocks.block-replace. It was found while running the aXAPI calls with
- As in the description, the port-id did not start with uppercase letters._x000D_
The user found
block-replace andthat there
aFlex was trace
stack a key generated.
parse errorThe on the user vBlade when the
was required tovMaster
recreateimported
the sameaand key runwiththetheaxAPI
special character
calls in a while
This
The was found
user apparently that causing
the an issue for thewere
reset-fwd/reset-rev validation from the vendor when thefailing.
user tried toworkaround,
deploy ACOS.
through
and loop the
forGUI.
a few It minutes
was noticedto seewhiletheimporting
stack traces. a incorrect
key with the actions
special andcharacter
they were through the As a GUI process, there if anwasaddition of "IP
a parse
The status
nat"
error aswhich LED on theon
a configuration
occurred Thunder
onthethe 3040This
system,
vBlade. system
it started
issue did not blinkcorrectly.
working
happened when
only runningthe
through ACOS version 4.1.4-P1.
GUI process and the CLI mode was working fine. The
When
users are configured
advisedas to anuseExplicit
the CLIProxy,
method theto ACOSimport system crashed on deleting
the certificate/key for the the AC entry
optimum in a class-list while a request hit the
result.
The templates rule.
forward-proxy used for NetFlow logging have different fields across different ACOS releases but the template ids stay
The ThunderThis
unchanged. 3230S system
creates could
issues whennot forward
differentbridge ACOS protocol
releasesdata are usedunitsto (BPDU)
exportwhen NetFlow the spanning
data to thetree samemode was Per-VLAN
collector.
An incorrect
Spanning Tree VRRP-A
(PVST)MAC on aaddress
peer Cisco from the shared
switch. Whenpartition
ACOS received was used thetoBPDUroutepackets,
traffic initthe partition.
dropped them at HW forwarder level
Database rotation of Messages file randomly stops under long periods (days) of heavy traffic.
incorrectly.
ACOS crashed if you ran the clear session command while running HTTPS + ICAP traffic sessions. The issue was timing-related, so it happened intermittently. The issue happened more frequently on large concurrent sessions.
Under certain CGN-NAT64 configurations, send traffic to match nat64 prefix and check full-cone session. Then change the source natpool and resend the traffic. Instead of properly dropping the traffic, the full-cone sessions with new natpool appears.
Bypass port does not come up when attempting to enable it through specific patterns. When the device is rebooted, the port properly comes up.
For ICMP sessions, the reverse route back to the client might not be updated dynamically even if there was a route change. The packets were forwarded out to the old route for the same session. For TCP/UDP, the route was updated correctly for existing sessions.
A memory leak occurred in deployments with heavy SSLi traffic. This occurred when running large https requests, and the trigger was TP + AAM + SSLi processing. This scenario generated 10K SSLi forged certificates, and 200 ip-based auth-sessions.
When upgrading from version 2.7.2 to Version 4.1.4-P2, RBA partitions may not migrate correctly to service partitions.
A system crash occurred using Explicit Proxy and AAM with SP-NEGO negotiation mechanism.
When sending two WIA-wildcat-redirect-1 requests in a single connection, the second request receives a "400 bad request".
A system crash occurred when a malformed SIP packet was introduced when the command, cgnv6 lsn alg sip enable, is configured.
In Version 4.x, a NAT pool was not configurable with same IP address as the floating IP address. Version 2.7.2 supported this.
New logging infrastructure was implemented; customers should investigate adding the new acos-events config to properly support the infrastructure. Even with the new logging infra, the old logging config works, but the logs are sent only over control plane and the remote logs rate-limiting is not supported, which prevents recording interface up-down messages.
During a system-reset, ACOS displays false-positive log messages indicating an error while attempting to access the local log database. The fix results in the removal of the false positive error messages.
Periodic import of CRL was failing if the CRL being imported was not in PEM format. With this fix, if the CRL being imported is in DER format, ACOS will convert it to PEM format during import.
Note: If the import occurs when the device has high rates of traffic, the import process will demand significant computing resources, causing the CPU usage to spike to high levels.
Enabling the default enabled services for management port and then turning them off or vice versa shows an incorrect state when the show management ipv4 and show management ipv6 commands are run.
For a given SLB configuration that uses the "traffic-replication-type mirror-ip-repl" option, the ACOS device should:
1) load balance traffic to the higher-priority service-group members, AND
2) replicate traffic to the lower priority members.
However, instead of this expected behavior, the ACOS device is mirroring traffic to all service-group members, including the erroneous replication of traffic to the higher-priority members.
The ACOS device will mark the HTTP health monitor "down" if the combined response headers are larger than 2kB.
As part of HTTP logging, the ACOS device allocates several buffers for each request to cache the various headers. The buffers are later freed up. However, this process of allocating memory and then later freeing it seems to be causing memory fragmentation. This causes the memory allocator to take longer to do its job and eventually causes the HRX queue to overflow.
Using Secure ICAP can cause memory leak of SSL blocks. Workaround is to use ICAP without SSL.
The "no-reverse-route-for-session" in the output of the "show cgnv6 l4" command kept increasing if the IPv6 neighbor table aged out and if the auto-refresh option was also enabled. If new CGN sessions were being continuously created, this caused packets to drop every 240 seconds because of the IPv6 neighbor table refreshment.
In certain configurations, packets drop when sending jumbo udp traffic through CGN NAT64 or NAT44 after enabling jumbo MTU on A10. The drop rate is around 500 packet/min for 20Gbps traffic.
Under certain configurations, terminating the 10lb process may initiate multiple a10snmpd which causes SNMP traps to stop working.
Session hanging state is caused by not immediately passing the FIN-ACK to the client side when the server-side is active-close on a ftp-proxy virtual port.
In version 4.1.4, output does not include real server information when using the "show slb virtual-server bind | sec vip" command.

4.1.4-P1
4.1.4-P2
4.1.0-P5
4.1.4-P1
4.1.1-P8
4.1.4-P1
4.1.4-P1
4.1.4-P1
4.1.4-P1
4.1.1-P8
4.1.4-P2
4.1.4-P2
4.1.4-P1
4.1.4-P1
4.1.4-P2
2.8.2-P9
4.1.1-P8
4.1.4-P2
4.1.4-P1
4.1.4-P2
4.1.4-P2
4.1.1-P5
4.1.1-P8
4.1.4-P2
4.1.1-P9
4.1.4-P1
4.0.3-P1-SP6
4.1.1-P9
4.1.1-P8
4.1.4-P2
4.1.4-P1
4.1.0-P11
4.1.0-P11
4.1.0-P11
4.1.4-P1
4.1.4-P1
4.1.1-P8
4.1.4-P2
4.1.1-P8
4.1.1-P8
4.1.4-P2
4.1.1-P8
4.1.4-P2
4.1.4-P2
4.1.1-P5-SP2
4.1.4-P2
4.1.4-P2
4.1.4-P1
4.1.4-P2
4.1.4-P1
4.1.4-P2
4.1.4-P1
4.1.4
4.1.1-P8
4.1.4-P1
2.7.1-GR1-P2
2.7.2-P13
4.1.1-P5-SP2
4.1.1-P8
4.1.4-P2
4.1.4-P2
4.1.1-P9
4.1.4-P1
4.1.4-P1


446641 Compression Major


446269 GiFW Infra Major
446053 ConfigMgr Major
446032 SSL Major
445981 L2/L3 Broadcom/Marvell Critical
445895 SLB-HTTP-Cookie Major
445723 SLB-Config Major
445618 SSL Critical
445555 SLB-HTTP-Cookie Major
443331 Explicit Proxy Major
445300 CGN-NAT64 Major
445240 SLB-HTTP-Cookie Minor
444091 Explicit Proxy Critical
443965 SLB-DNS Major
443331 Explicit Proxy Major
443221 Router Major
443123 System - platform Major
442615 Explicit Proxy Major
442573 CGN-NAT64 Major
442525 SSLi Major
441937 SLB-Config Major
441805 DDoS detection Major
441676 Web - ADC CGN Major
441652 Content-Inspection Critical
441574 SSL Major
441559 Platform Major
441454 HW Major
441262 HA Major
441079 SLB-Diameter Major
440992 SLB-Config Major
440929 TCPIP Major
440923 SLB-NAT Major
440866 CGN-NAT44 Major
440743 SSL Major
440140 SNMP Major
439957 SLB-L4 Major
439762 SLB-Config Major
439603 Web - ADC CGN Major
439513 CGN-NAT44 Major
439396 Web - ADC CGN Major
439390 L2/L3 Minor
438095 Web - ADC CGN Major
437989 CGN-DSLite Major
437881 CGN-NAT44 Major
437869 CGN-Infra Major
437092 System - platform Major
436978 Explicit Proxy Major
436898 AAM Major
436864 System - management Major
436636 SNMP Major
436180 CGN-DSLite Major
435457 L2/L3 Major
435001 Web - ADC CGN Major
434881 SNMP Major
433379 VRRP-A Critical
432943 System - management Major
431665 ACL Major
431653 SNMP Critical
431436 SLB-Config Major
430927 GSLB Major
430921 GSLB Major
430648 SLB-Diameter Major
430633 aFleX Major
430300 SSL Major


When compression is enabled, ACOS sends the HTML body twice for small page-like redirection. This can cause problems with browsers that start to reset connections.
For Encapsulating Security Payload (ESP) traffic, the packets kept hitting the firewall rule-set even though the session already existed.
VCS improperly reloads after making changes to the interfaces panel (GUI). The following steps to recreate the issue: 1. Go to GUI in Vmaster and interface configuration 2. Enable interface 5 and 6 3. Setup trunk under both interfaces (probably in this step it should be crashed) 4. Assign a name to each interface
A large SNI in request (more than 128 characters) causes a failure in handling the string causing crash. It is fixed now.
Errored packets (giants/runts) caused the internal memory recovery conditions which caused the ASIC software reload.
When using an http template to insert header while using cookie persist, the cookie assemble fails if the traffic has a "content-type" header. The failure generates an error (lb_http_assemble_cookie - insert header failed).
ACOS might crash if destination rules are configured with both AC and IP class-list for the same target (host/url/ip) and periodic import is performed for class-list bound to a destination rule. When a class-list is imported, ACOS compiles all class-list into an internal format in background based on target and class-list type. However, there's a defect that incompatible type of class-list would be compiled such as compiling AC class-list into internal IP class-list.
The "show slb ssl error" command output includes duplicated counter information.
When using cookie rfc6265 with server side cookie insert, the cookie header name is incorrectly set to Set-Cookie2.
Sending a normal request when "use-rcv-hop-for-resp" is configured can result in an EP storm loop that generates 300k sessions.
A TFTP put function failed to transfer large files from client to server. The transfer timed out.
We use a new character set that complies with rfc 6265. Cookies from clients with the old character are accepted. While persist works, a new set cookie is sent and "no insert-always" is required for this.
Explicit Proxy TP-Chain stopped functioning when SOCK5 traffic was received. When traffic passed through explicit proxy virtual IP with SOCK5 traffic and with "non-http-bypass" option enabled.
The device crashed when the control CPU deleted a DNS record while the data CPU is searching the DNS record (searching the same linker list).
Sending a normal request when "use-rcv-hop-for-resp" is configured can result in an EP storm loop that generates 300k sessions.
Processing long 4-byte as-path generated an overrun issue that crashed BGP.
ICMP error messages were suppressed on Non FPGA platforms on packets with TTL equal to 0.
When two (2) Thunder 3040(S) were deployed in the VRRP-A high availability environment, load balancing stopped working on both the devices during Explicit Proxy loop.
The "IP nat port-overloading" command exists in the Startup Config Profile, but the command is not being displayed in the Running Config.
High control CPU utilization while processing SSL traffic and checking the forward-proxy certificate counter on AppCentric Templates SSLi Dashboard may cause system to stop processing data-plane traffic and management plane (GUI, SSH and Console) to become unresponsive.
The help display for the command "disable-vip-adv" incorrectly displayed as disabling virtual server route advertisements. Instead, the command disabled only virtual server GARP.
In an SLB configuration with a NAT pool, selective filtering for CGN was enabled by default.
The ACOS versions starting from 4.1.x no longer had the GUI option of copying and viewing startup configuration files.
Connection goes to time-wait for file inspection (HTTP 1.0) and the payload is not sent back to the client. However, the operation works on new proxy with no file inspection. The client is expected to send a FIN after receiving the payload; because the complete payload is not received, the client does not send the FIN and the response is chunked.
If a DNS query was sent over TLS and the vport was DNS-TCP, ACOS restarted.
The ACOS Bare Metal installation by using PXE boot failed with the following error message: Not enough memory to load specified image.
One 10G port (SFP+) does not come up.
If you ran the "configure sync" command on ACOS 4.x systems or the "ha sync" command on ACOS 2.7.x systems, some unexpected files were generated in the hard disk and after running the sync many times, the process slowed down due to these files. The control CPU also spiked up during the period of the sync.
In SLB configuration, on the active device, there was a mismatch in output for the "Concurrent user-session" counter under the "show diameter" command and the output for the "show slb diameter" command.
The idle-timeout session did not work as expected if the reset-rev option was configured for the TCP proxy.
When evaluating ACOS version 4.1.1-P6 in the same SSLi topology as ACOS version 2.7.2-Px, the most recent ACOS version encountered significant drops in throughput. When running Layer-7 packet statistics, a large number of out of order packets were seen. The issue was persistent across TCP-proxy, HTTP, and HTTPs vports.
After upgrading from ACOS version 4.1.1-P6 to 4.1.1-P8, when performing static NAT in SLB for ALG traffic, there was an error obtaining an address or port number from the NAT pool. ACOS then restarted.
Operational status was not available when creating a fixed-NAT port mapping file. CGNAT Fixed-NAT port mapping files are created and maintained through a "cgnv6 fixed-nat create-port-mapping-file" command. Creating a file typically requires minutes depending on the size of the IP lists used. When ACOS writes file contents, it does not provide a method to indicate the end of the process - neither by issuing a show command nor by looking at the file contents.
When an invalid TLS handshake was received, ACOS responded with a blank SSL record instead of the close_notify message.
The SNMP trap (axPartitionResourceUsageWarning) is not sent to the SNMP host when the L3V partition exceeds the threshold.
When Thunder ADC receives a packet without a TCP session entry and virtual-port template with "reset-unknown-conn" is configured, the Thunder ADC responds with the incorrect VRID MAC address.
The server port configuration is limited to 8M concurrent connections.
When exporting a certificate in GUI, an option to specify the format of the exported certificate is missing.
High CPU Utilization is seen in 4.1.2 P3 when L3 forwarded traffic is processed between two "ip nat inside" interfaces.
On GUI, under ADC, the "Forward-Policy" tab under "Security" is hidden in the absence of CFW license.
The management interface status is always up (Green) on Web GUI >> Dashboard >> System >> Front Bezel.
Customers were unable to save private partition configuration changes into startup-config through the GUI. When PartitionWrite users executed "write memory" in private partition, success message was displayed without saving the configuration in startup-config.
ACOS reloaded when heavy user quota exceeded logs that were being generated.
Under certain circumstances, some packets may be misclassified if the incoming packet payload data matches the VXLAN UDP port number (4789) at the UDP destination port offset.
Sending DDOS attack traffic to fixed-nat NAT IP (used for SIP ALG) may have caused a device failover.
Port mirroring and monitoring functionality will not work properly for ports which are members of the trunk group.
When a client sent two HTTP requests in one TCP connection, EP selected the wrong dst port when the first request is not 80 and second request is 80.
In ip-based-mode, some addresses can still generate multiple auth-session.
This makes sure that kernel IPMI daemon stays disabled. To make the IPMI work again, power cycle the box.
The MIB text file failed to load into an SNMP manager (JP1 or NNMi) due to duplicated OID definitions. This issue appears to be an SNMP browser issue and it was not seen on every MIB browser.
When a pptp server replied with a different call ID for the same pptp call, CGN pptp ALG user-quota setting was stuck "on". For example: Client request (call id 1) -> server; Server -> reply (server call id 100, peer call id 1) -> client; Server -> reply (server call id 101, peer call id 1) -> client
In previous releases, the ACOS device does not support "interface loopback 0". However, in this release, the CLI indicates that the loopback number can begin starting from 0-10, instead of from 1-10. However, if the user attempts to configure a loopback interface that begins with "0", it will fail, and will create an error message saying "Non-existent physical port".
Auto-authenticate option for configure-sync is missing from Web user interface for VRRP-A.
The "snmptranslate ACOS-SLB-STATS-MIB::acosSlb -On" command improperly exposed a bad object.
In the Virtual Router Redundancy Protocol (VRRP) configuration of ACOS, if the "get-ready-time" is set and the preempt-mode is set to disable, preemption is happening before the "get_ready_time" countdown timer completes.
The "multi-ctrl-cpu" CLI command is disabled for vThunders.
ACL log was not generated when IPv6 packets of the "IPv6 No Next header" type are sent to the management port.
Control cpu usage rises and stays at 100% by snmp polling .1.3.6.1.4.1.22610.2.4.
The syn cookie had an on-threshold value of 0 and an off-threshold value of 0. Instead, the range starts from the minimum value of 1.
The GSLB FQDN record order for rearranging the definitions was missing from the GUI in this release. Also, the option allowing users to see if the Admin-IP is enabled on the record was also missing from: GSLB >> FQDN >> FQDN >> DNS Records
The ACOS 2.7.2 GUI offered a way to search GSLB Geo-Location configurations using the "Find" to locate the IP address and location. This feature had been removed from 4.1.x and later.
The user found that there is a memory usage issue when running the DIAMETER traffic. When the user is encountering this issue, the concurrent user sessions do not match with the difference between the count and the feed. The user also found that this issue happens even when the DIAMETER sessions are cleared.
The user found that the aFlex DNS logging is not working properly when multiple DNS requests promptly coming to the same connection. The server responses started coming back as back to back to the same connection. It is resulting in a scenario, where only the first response data is being handled properly and the second response packet is not processed.
The Thunder TH3040S device may drop packets during SSL handshake. Such intermittent handshake failures may occur on ECDHE ciphers. This behavior is seen with simple client/server scenarios and handshake failures may happen randomly and on an infrequent basis.

4.1.4-P2

4.1.4-P1
4.1.4-P1
2.8.2-P6-SP4
4.1.4-P1
4.1.4-P1
4.1.1-P8
4.1.4-P1
4.1.4-P2
4.1.4-P2
2.7.2-P11-SP6
4.1.1-P8
4.1.1-P5
4.1.4-P2
2.7.2-P7-SP4
4.1.4-P2
4.1.1-P6
4.1.4-P2
4.1.1-P8
4.1.4-P1
4.1.1-P8
4.1.4
4.1.4-P2
4.1.4-P2
4.1.4-P1
4.1.4-P2
4.1.1-P2
2.7.2-P11
4.1.1-P8
4.1.1-P8
4.1.1-P8
4.1.2-P4
4.1.1-P8
4.1.1-P8
4.1.4
4.1.1-P8
4.1.4
4.1.2-P3
4.1.1-P6
4.1.4
4.1.0-P11
4.1.2-P3
4.1.2-P4
4.1.1-P5
4.1.1-P6
4.1.1-P6
4.1.4-P1
2.8.2-P6-SP4
4.1.1-P6
4.1.2-P3
4.1.4
4.1.1-P8
4.1.4
2.7.2-P11
4.1.4
4.1.4
4.1.4-P2
4.1.1-P6
4.1.3
4.1.3
2.7.2-P11
2.7.2-P11
4.1.1


430113 SLB-Config Critical


429289 L2/L3 Major
427681 SLB-Config Major
427204 SLB-DSR Major
425122 System - platform Minor
424252 ConfigMgr Major
424120 CGN-NAT44 Major
423871 System - platform Major
418468 SLB-Config Major
418291 SNMP Major
414874 VCS Major
414202 System - management Major
412457 System - platform Critical
411604 GiFW Major
405709 CGN-Logging Major
404863 SLB-Config Major
403531 Scaleout-slb-data-plane Major
403180 HW Major
402686 ACL Critical
402544 Router Major
401479 Explicit Proxy Major
399565 System-platform Major
397873 L3V Major
397870 System - platform Critical
396229 SLB-Config Major
395599 DDoS general Critical
395242 VRRP Major
394405 SLB-L4 Major
394033 SSL Major
393313 CGN-Logging Major
390559 System - platform Critical
389455 System - platform Major
388144 Health-Monitor-L7 Major
387376 GiFW Major
386560 GiFW Major
374698 CGN-NAT44 Major
370735 L2/L3 Broadcom/Marvell Critical
365098 Firewall Minor
364198 SLB-HTTP Major
357991 L2/L3 Major
355684 ACL Major
348822 L2/L3 Minor
342955 System - platform Critical
307537 FPGA Critical
249916 L2/L3 Major
202999 WAF Major
Release: ACOS 4.1.4-P1 Fixed Issues
A10 Tracking ID System Area Severity
438797 Web - ADC CGN Major
437461 Explicit Proxy Major
437302 L2/L3 Major
437239 Explicit Proxy Major
437254 aFleX Major
437236 Explicit Proxy Major
436670 VCS Critical
436636 SNMP Major
436279 SNMP Major
436030 DP-Infra-BW-CL Major
435394 SLB-FTP Critical
434716 System-platform Major
434887 Web - ADC CGN Critical
434481 Explicit Proxy Major
434323 Explicit Proxy Major
434317 SLB-FTP-Proxy Major


GUI receives a "failed to get data from axapi" error message after renaming a service group multiple times. The GUI is then unable to receive service group information from axapi.
After performing an upgrade, ports configured for monitor action were not reachable.
When the VE interface belonging to the bridge-vlan-group is disabled and enabled, ACOS displays the "Backend Error" message.
L2DSR requires a TCP template option for "reset-follow-fin" that enables ACOS to close a connection with RST on the first FIN of a connection.
On TH3040 running 4.1.4 code, enable or disable flow control under a disconnected 10G interface causes "Backend Error". This is a valid behavior as per the Scenario.
The A10 config manager process was restarting while reading NULL index data.
If the "respond-to-user-mac" option was enabled in ACOS, the CGN session went into Slow-Path. For ACOS 2.8.2-P8, the sessions stayed in Fast-Path.
The console on a TH1040 device previously displayed an irrelevant bpctl error message when booting.
The wildcard IPv6 VIP did not ignore IPv6 HSRP hello packets. The issue is not seen with IPv4 wildcard VIPs.
When using SNMP MIBs, ACOS did not display the interface descriptions of interfaces in the shared partition.
In a VCS environment, in either a shared or private partition, aFlex failed to recognize changes to an existing aFlex script.
When TH1030 Management Interface was set to duplexity 100/ speed Full, the interface showed Half Duplex and remained in "Down" state even after a reboot.
On a vThunder instance, if a crash occurred involving the a10lb process, the bandwidth value of an existing license would not take effect and be reset to the default value.
Rerouting failure caused packet drop when the TCP "half-open-idle-timeout" option was configured on a firewall session. This issue was due to a reroute and DST mismatch with the new and old zones.
The ACOS device truncates the hostname to 20 characters when sending RADIUS syslog messages to an external syslog server.
Source IP address persistence with the "match-type server" configuration did not work as expected, when same ports with different protocols were enabled under vPort.
Cannot start traffic with Single Node. Not an issue, it is by design.
On the TH940 and TH3040 models, the output of the show log command displays a non-existent fan failure.
Unexpected conflict was observed when the "permit ip any any" and "deny ip any any ethernet x" commands were executed.
When the DHCP configuration is removed, the static routes configured on the ACOS system are deleted. Also, the traffic for static route does not take precedence over Dynamic route.
Explicit proxy did not forward packets properly when policy template option "forward-to-internet" was configured and there was a medium or larger transfer of packets.
In earlier releases, ACOS used to debounce if the values received were invalid. For example, a value of 0 or -1 was used to indicate a failure to read or SMBUS timeouts had occurred. This release adds debounce to indicate if ACOS has received values that are valid but might be above or below the acceptable threshold limits.
In slowpath code, VLAN checks drop packets arriving with a wrong VLAN tagged on a tagged port. However, if an ACL session is established that sends the packet through the same wrong VLAN and port. The subsequent session is established through fastpath, which does not have any VLAN checks that block incorrectly tagged packets.
A TH3030S CGN-CPS test case indicated a 60% performance degradation.
When configuring an application logging template using the "slb template logging" command with the option "1 - Enables local logging" selected, log messages are missing.
On the Thunder 14045 devices, the fans and voltages were getting "debounced" infinitely. This meant that if a fan failed, the customer would not be notified.
A VRRP-A interface does not work properly when "both" (router and server) and "vlan" are configured for the interface.
This feature adds a pkt-rate parameter to the rate-limit-for-reset-unknown-conn command to limit the rate of TCP resets the ACOS device sends as a result of the reset-unknown-con command. When reset-unknown-con command (virtual port template) is enabled, a TCP reset packet is sent to the client when a non-SYN TCP packet from the client does not match any existing session.
The device did not properly decrypt server response when using ECDHE on server side connection. This issue was seen every few requests and only when using server side ECDHE. There was no issue when using weaker ciphers.
Receipt time (RT) value in firewall logging messages should have indicated a more meaningful value.
The ACOS device was not responding after upgrading from 2.7.2 to 4.1.X. This issue could be triggered by upgrading the compact flash (CF) and hard disk (HD) from 2.7.2 to 4.1.X on a new device, and the issue became apparent following reboot.
When upgrading from 2.8.2-Px to 4.1.1-P2, the AX-5630 remained in a LOADING state. This issue appears to have been caused by ACOS checking for a resource value before the system resource numbers were created. The issue only seems to happen upon the first-time booting, after upgrading from 2.8.2 to 4.1.1-P2.
The unit of Response times in show slb service-group <sg-name> is consolidated to msec or usec.
When configuring a firewall logging template that enabled HTTP logging, IPv6 fragmented HTTP traffic was dropped.
An incorrect checksum calculation for ICMPv6 error messages caused the client to drop packets.
If a CGN session was created in the fast path, then the "ip nat reset-idle-tcp-conn" command did not work.
Enabling or disabling a 100 Gbps port that had live traffic flowing at a moderate rate caused all outbound traffic to be dropped at the XAUI level. Once this issue was triggered, the only way to recover the device was to reload.
The "Data Sessions Used" counter in the output of the "show fw system-status" displayed incorrect large values shortly after packets were sent.
If the "keep-client-alive" option was configured, the ACOS device did not remove session entries upon receiving a RST/FIN packet from the client. This caused the connection with the client to remain open even after the FIN packet.
If the user did the following: 1) Configure a trunk group in two ethernet ports 2) Create bpdu-fwd-group <> and attempted to add those ports in group. Only the lead member of the trunk was allowed to be added. Upon doing a write memory and reload, the trunk configuration of the non-lead member was missing, but it was present in the lead member where the configuration appeared in the start-up for both lead and non-lead ports.
When IPv6 ACL with object-group::/128 was configured using the command "object-group network ipv6-0", it behaved like "::/0" traffic reached "::/128" instead of explicit deny.
It is possible to first configure a port under a VLAN, and then add the VLAN to the trunk (thus having the port belong to both the VLAN and the trunk). This behavior should not be allowed.
ACOS may allow multiple simultaneous upgrade requests from the API, CLI, and GUI.
IMIX traffic crashed after increasing the high rate is fixed on top of 307537. 307537 is no longer needed.
Adding static IPv6 neighbor entries to Link local addresses failed.
When a request was sent from the client to match on the "b-list" the upper cases were not interpreted correctly.
Description
If using GUI Rollback with "enable reboot after rollback" option, the ACOS device did not reboot after rolling back the system.
Explicit Proxy (EP) sometimes takes around 100-1000 msec to send a DNS query after receiving an HTTP request from the client. This issue happened if the request rate was very low and there was no DNS cache.
The ACOS device was not able to ping its own VIP even though it was marked as UP. This was resolved by binding an "a10-special IP" to the loopback interface, which allowed the kernel to handle "ping" from the ACOS device back to itself.
After applying this patch, the Thunder device would not send a request with the user credentials in proxy-chaining bypass cases.
If a global array was used under RULE_INIT and the number of elements reached the maximum number allowed, then the script would abort even after removing the extra elements.
aVCS could not establish if there was an existing firewall session, but there were no issues after clearing the firewall session. This appears to have been the result of an integration issue that occurred with Explicit proxy, proxy-chaining, and Kerberos.
Configuring aVCS and VRRP-A does not work correctly. If you configure aVCS and VRRP-A in two ACOS devices, and then configure a firewall on those same devices, the "VCS enable" command fails if there are firewall sessions. However, there are no issues with the VCS command after "clean fw session" is used.
The MIB text file failed to load into an SNMP manager (JP1 or NNMi) due to duplicated OID definitions. This issue appears to be an SNMP browser issue and it was not seen on every MIB browser.
If the system clock is changed (manually/NTP/timezone) while the SNMP process is running, the values returned for SLB object types may not get updated correctly.
The output from the CLI "show class-list" command does not display the whole class-list and only displays the first 100 items in the class-list.
FTP virtual port for IPv6 does not work for fragmented packets.
Harmless ACPI errors were seen on the console while starting up the following Thunder devices: TH3030S/TH1030S/TH930
Unable to clear the information on one-to-one NAT Mappings page in the GUI.
When DNS entry expired suddenly, ethernet port used to delete the back-end connection. Now the ethernet port checks host name and port to avoid this scenario.
When running Explicit Proxy with ICAP, the ACOS device reloaded multiple times after upgrading from ACOS 4.1.1-P6 to 4.1.4. This issue could occur if the client POST a request with a long URI and a payload exceeding 3000 bytes.
ACOS accepts standard "227 Entering Passive Mode" message or messages length >=27.


4.1.4-P2
4.1.1-P8
4.1.1-P7
4.1.0-P7
4.1.4
3.2.2-P2-SP1
4.1.2-P3
4.1.3
2.7.2-P9
4.1.2-P2
4.1.1-P5
4.1.1-P5
4.1.1-P1
4.1.1-P5
4.1.1-P5
2.7.2-P4-SP2
4.1.2-P2
4.1.1-P5
4.1.1-P1
2.7.2-P11
2.7.2-P10
4.1.3
2.7.1-GR1-P2
4.1.3
4.1.0-P9
3.2.2-P1
4.1.0-P9
4.1.0-P9
2.7.2-P7
4.1.2-P2
4.1.0-P9
4.1.1-P2
2.7.2-P9
4.1.1-P2
4.1.1-P2
2.8.2-P6
2.8.2-P5
4.1.1-P2
2.7.1-GR1
4.1.0-P7
2.7.2-P9
2.7.2-P8
4.1.0-P5
2.8.2-P3-SP3
3.2.2-SP5
2.7.2-P10

Version Reported
4.1.4-P1
4.1.1-P7
4.1.4
4.1.4
2.7.2-P11
4.1.4
4.1.4-P1
4.1.1-P6
2.7.2-P11
4.1.4
4.1.4-P1
4.1.4
4.1.2-P1
4.1.1-P5
4.1.4
4.1.1-P8


434299 L2/L3 Major


433687 SNMP Major
433594 IPV6 Transition Major
433165 Web - ADC CGN Major
433144 aFleX Major
433027 SSL Major
432916 SLB-HTTP2 Critical
432844 SLB-Config Major
432670 SLB-HTTP Major
432605 Explicit Proxy Critical
432604 GSLB Major
432532 SLB-Config Major
432460 Health-Monitor-Infra Major
432286 SLB-HTTP Major
432118 SSL Major
431986 L2/L3 Major
431917 aFleX Major
431911 ConfigMgr Major
431855 VRRP Major
431212 SLB-IMAP Major
431197 SLB-Conn-reuse Major
431149 Explicit Proxy Major
431116 VCS Major
431105 System - management Critical
430909 SNMP Major
430303 VRRP Major
428929 SLB-Config Major
427729 SLB-HTTP Major
426769 System - platform Major
425749 SSL Critical
425618 SLB-FTP Critical
425164 Firewall Major
424771 Web - ADC CGN Major
424703 SLB-Policy Critical
420388 NAT-CGN Major
419932 L1-L4 Classification Major
418963 SNMP Major
418654 ACL Major
418229 SLB-L4 Major
414037 aFleX Enhancement
413290 NAT-CGN Major
403966 SLB-L4 Major
392740 System - platform Major
387347 IPV6 Transition Major
377908 L2/L3 Broadcom/Marvell Critical
377212 CGN-LOGGING Major
365683 System - Platform Critical
361228 SLB-SMTP Major
357826 SLB-HTTP Major
356663 SLB-Config Critical
351220 SLB-L4 Major
349136 IPV6 Transition Major
311180 NAT-CGN Major
238438 Explicit Proxy Major
412591 AXDebug Major

Release: ACOS 4.1.4 Fixed Issues


A10 Tracking ID System Area Severity
430240 System - platform Critical
429079 SLB-L4 Major
428527 SLB-ICAP Major
428189 Documentation Major
427489 SLB-Config Enhancement
427333 Web - ADC CGN Critical


The default configuration of "forward-ip-traffic" forwards only IP/IPv6 unicast traffic across all VLANs in the "bridge vlan group". It does not forward IP/IPv6 multicast traffic across all VLANs in the "bridge vlan group". As a workaround, use the "forward all-traffic" option.
In the auto-generated MIB file: "ACOS-FW-OPER-MIB.mib", the last index of the objects include an additional comma, which is preventing from loading the MIB file to NMS/Browser.
When class-list file is imported from the outside source for the Lightweight 4over6 (lw-4o6) NAT Prefix List, the /32 routes are not getting redistributed in the first time binding. However, the routes are getting redistributed with the same configuration after the unbind and rebind operation.
The GUI page for GSLB FQDN does not display any entry if the large number of services are added under the zone.
The aFleX script caused connection issues during the "virtual IP bonding process" which performed HTTP logging. This, in turn, caused the SLB server to stop functioning.
The handshake was failing for N5+ TLS1_ECDHE_RSA_AES_128_GCM_SHA256 cipher ONLY during SSL renegotiation + client-auth.
HTTP/2 does not function on a port when both support-http2 and use-rcv-hop-for-resp are each configured on the port/under a vport. This is not supported in 4.1.4.
The "show cmslb" and "show cmpki" CLI commands should be hidden for Thunder devices.
HTTP retry option caused a malformed request. When a server sent a POST response, the complete POST request was not sent out correctly, resulting in a "Bad Request".
Sometimes the explicit proxy configuration delivered requests to the incorrect port even when the ACOS device chose the correct HTTPS service-group in the server selection process.
A DNS packet arriving on the same data CPU as a previous DNS query with the DNSSEC DO bit set in the OPT header might be incorrectly processed.
If "min-active-member" was applied to a service group with at least one member, then 484 memory block allocation was increased.
"* hm_jiffies" was replaced by a system api's "acos_ujiffies()". libplat. So exported this "acos_ujiffies()" function (system/lib/plat/plat_sys.c).
When HTTP pipeline traffic was passed through an SLB server with HTTP keep-alive disabled, it resulted in the system to stop functioning.
When an SSL renegotiation was initiated to enable client authentication through aFleX, the browsers closed the connection with an "unexpected extension error".
A checkpoint firewall rebroadcast the ARP reply back to the ACOS device. This was due to a check for source MAC address for an L3 interface.
Application running against a TCP vport on the ACOS system is failing randomly in between the packet flow, and forwarding the NAT packets with the incorrect sequence number. This is causing duplicate ACKs from the server side and re-transmissions from the client side, which eventually is causing reset from the client.
OSPF redistribution is not working after the reload/reboot operation.
When configuring VRRP-A, if attempting to remove all VRRP-A tracking options and reconfiguring VRRP-A priorities, ACOS erroneously continues to show VRRP-A priority is reduced to 1, due to tracking options.
When the client sends data to ACOS while it is still connecting, it triggers an error without consuming the buffer.
As the default round robin-method is optimized for high performance, over time, this optimization can result in an imbalance in server selection when template connection-reuse is also configured.
HTTP::header was not working if there was proxy chaining of explicit proxy with SSLi and if requests were SSLi bypassed HTTPS (CONNECT).
When the Thunder system is upgraded from the 2.7.2-P6 version to 4.1.1-P6 version, the "vcs failure-retry-count -1" is changing to "vcs failure-retry-count 0" instead of changing it to "vcs failure-retry-count forever".
When "ip mgmt-traffic all source-interface loopback 1" is configured, since loopback 1 is used to connect to the blade, the device fails. To work around this issue, remove "ip mgmt-traffic all source-interface loopback 1".
A segmentation fault was generated by a10snmp_trapd when there was a configuration change performed on SNMP.
The user found that the preferred-session-sync-port does not fall-back for vrrp-peer. In the current implementation, in the case when there are two VRRP interfaces available, and the customer configures preferred-session sync-port option for the 'peer-group' usage. However, if vrrp-a peer-group is configured, session sync port does not fall back to the preferred-port. The "Peer IP" address does not get reselected back to the preferred port.
The TCP based application did not release the connection limit count.
If the configuration for "max-http-header-count" option under "slb common" was changed, and if there was live traffic running on the device, it could cause memory corruption, which caused the system to reload.
The ACOS device did not function correctly upon booting. It reloaded after booting the device.
In SSLi deployments, client-side and Server-side renegotiation was not working on vThunder instances. When trying to do client-side or Server-side renegotiation, ACOS gives a "Handshake failure" notice from the client-side, and for server-side renegotiation there was an "Empty reply from the server" message. There were no issues seen when running similar scenarios on hardware-based SSL.
In some long-lasting FTP data sessions, the FTP control session can sometimes age out before the FTP session has completed data transfer.
Zone information included in Log messages is based on the direction which initiates the connection.
When the system memory was around 85%, clicking "save" multiple times from the GUI caused the Thunder 1030S device to hang/freeze.
Traffic is incorrectly forwarded to alternate server when primary server is UP when method src-ip-only hash is used. This happens when server is up or down.
If an SA packet arrived on an IP NAT inside interface and if it matched a class-list, then in ACOS version 4.1.0, the SA packet was forwarded. However, in ACOS version 4.1.1, an RST message was sent.
A port remained down after replacing the copper SFP with SFP+ in the case of TH4440 devices. Similarly, the issue also happened if the SFP+ was removed and a copper SFP was inserted. Note: The behavior of the LED in copper SFP has changed from 4.1.4 build 208. Inserting a copper SFP into the port of the TH4440 device (without a copper cable) causes the LED to become green.
Turning off/on the ACOS system on the left power supply unit (PSU), displays the wrong error message "System Lower Power Unit" instead of "System Left Power Units".
When ACOS was configured in L2 mode with an ACL, unknown unicast packets were dropped and the following error message was generated: "No mac to dest for transparent L2 session." This message is displayed to provide the MAC entry information in the transparent L2 session, and does not impact the functionality.
LLB forward incoming request with ICMP packet and generate session affects IP SLB. TTL is not decremented before creating a session or packet handling.
aFleX TCP data was not forwarded from the ACOS device when a server connection was being established.
The "show cgnv6 lsn statistics" counted each hit of "No Class-List Match" as two hits.
SNMP-based load balancing did not work as expected. While the script polls the server correctly, and the servers come up fine, the server weights did not come up under the real servers.
Due to a missing initialization, the PSU status showed an Absent state in the "show environment" command output on TH930/TH1030/TH3030 platforms.
FTP ALG active mode failed if the FTP PORT message was fragmented.
An unexpected "timeout of draining packets issue" on the 100G interface caused the 100G interface to lockup, and the admin could no longer manage this interface. The lockup condition could only be fixed by rebooting/reloading the ACOS device.
When using the "export fixed-nat <filename>" command to export a fixed-nat port-mapping file appended with a long ip-list name, the export failed since only 63 characters were supported. It is recommended to use a shorter ip-list name.
Memory usage is higher under default session count conditions than when the l4 session count is higher than the default value.
After sending the EHLO command to a server, if the server response did not have STARTTLS, ACOS should not have sent EHLO again to the server because the second EHLO was only required after the server-side SSL session was established.
When the options "idle-timeout 20" and "slb msl-time 10", were used, the session age-out output was incorrect. When the short idle age was less than 30 seconds, the connection did not enter MSL cycle. The connection was deleted after the idle age expired.
Changing the IP address of an existing virtual-server is not allowed. The virtual server must be removed first and added again with the new IP address. The workaround is to remove the virtual-server on the peer before initiating the configuration sync-up.
Under certain conditions, session management could take a long time. This delay caused a "watchdog" to occur, which then caused the ACOS device to reboot.
The others action set-dscp under the lsn-rule-list works for the Esp packet but did not work under similar conditions for the Gre packet.
If the "max-hw-entries" option is not configured, the default value for hardware entries should be 262144, but for software there is no limit. However, testing indicates the default value is not an exact or fixed value.
There was a noticeable delay of 300-1000ms when HTTP Explicit Proxy was used to browse internet. The DNS response was slow.
The first attempt for the showtech download from the GUI fails after a reboot. An error note "Fail to download showtech files.: [Errno 2] No such file or directory:" is noted by the user. But, subsequent attempts for the same tasks are successful. This is a design issue and a known issue/open limitation in this release version.
Description
When a user performs 1G ports for the fiber/copper sfps, it displays "Show interface media feature is not supported on this
If a user
port" tries
under thetoshow
remove a server/port,
interface an alternate
media. There is a needserver/port
to display configuration
the media for still exists
these which
ports. is issue
This a conflict
waswith the rule
not seen on that
ACOSthe
The
2.7.2ACOS
unexisted
P12 and 4.1.4 version
server/port
associated is fails to send
forbidden
releases. the
toThis decompressed
be configured._x000D_
changed behavior payload
is duetotoICAP for inspection
the limitation of theand
DPDKfails
in to
thedecompress the http The
ACOS 4.x versions.
The
The
ACOS online
compressed
show help
filecontent
2.7.xrunning before
versions shows isthe
notmissing
do sending for
it to
alternate
use the "Auth
ICAP
DPDK ininFailure
portand respmod.
the Message",
case
hence This asexpected
of limitation
this the seen
isremoval
an bythe
of
is not navigating
behavior,
old server
present asand
as
there. follows:
there is no
then _x000D_
a need tohappens.
reload decompress
This the
In
AAMtheand
data /ACOS
Auth
observationICAP 4.1.4
Client
is version
server
due / Logon
to must
the supports
Form
be able CGN,
Based
to
initialization, /GiFW,
Create
handle
which and TPS,
this.
happens whereas it does not support ADC. In this version, slb is not supported
before._x000D_
When
for theconfiguring
Although,chassis, 2048 IPv6
resulting
it is forbidden into
to ACL entries
not sending
configure orthe
changes
an unexisted in the
showalternate
slb Access
commands, Controlbutpage
a parse
server/port, alsoon
error forGUI,
the userthe
'show setting/admin
slb
can template
remove pageforward-policy-
policy responses
a server/real-port are
which
slow,
stats',and
andthe
is configured GUIanhangs.
printing
as the logThis
alternate is because
details for every
server/port of15
to the
make limitation
minutes. on the
Although,
the alternate maximum number
this is a known
server/port of IPv6
issue,
configuration but ACl a(AClv6).
not
becoming customerTheaffecting
unexisted GUI drop-down is
the issue,
server/port. Also,
limited to 128 for
and a limitation ofperformance reasons,ADC
the license showing as loading, a higher
enhancement. number of IPv6 ACls generally results in a GUI pause with a sub-

4.1.2-P4
4.1.1-P6
4.1.2-P3
4.1.1-P6
4.1.0-P8
4.1.4-P1
4.1.4
4.1.4
4.1.0-P10
4.1.1-P6
2.7.1-GR1
4.1.0-P10
4.1.4-P1
4.1.0-P10
4.1.4
4.1.1-P5
4.1.0-P10
4.1.4-P1
4.1.1-P8
4.1.0-P10
4.1.0-P9-SP3
4.1.4-P1
4.1.1-P6
4.1.2-P3
4.1.2-P2
4.1.1-P8
4.1.1-P5
4.1.0-P9-SP1
4.1.1-P6
4.1.4
4.1.1-P7
4.1.1-P6-SP1
4.1.1-P5
4.1.1-P6
4.1.1-P8
4.1.1-P6
3.2.2-P4
4.1.0-P10
4.1.1-P6
4.1.1-P5
4.1.1-P6
4.1.0-P9
2.8.2-P8
4.1.2-P1
2.8.2-P6-SP2
2.8.2-P6
2.7.2
2.7.2-P9
2.7.2-P8
4.1.0-P7
2.7.2-P7-SP8
4.1.1
2.8.2-P5
4.0.1-SP1
4.1.4

Version Reported
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4


426865 SSLi Critical


426274 SLB-ICAP Critical
426085 SSLi Major
425836 SLB-Config Critical
425621 Documentation Critical
425606 NetFlow/SFlow Major
425275 Router Critical
425237 SLB-L4 Critical
425158 ConfigMgr Major
425128 Router Critical
424816 SSL Critical
424813 SSL Critical
424757 IPSec VPN Major
424303 System - platform Critical
424156 SNMP Major
423865 System - platform Critical
422974 SSL Major
422932 Scaleout-configuration Critical
422815 NAT-CGN Critical
422746 Web - ADC CGN Major
422255 System - platform Major
421441 AppFW Enhancement
421090 Platform Enhancement
421084 Platform Major
420773 Logging Infrastructure Major
418012 SSLi Major
417937 VCS Critical
417907 ACL Enhancement
417889 ACL Enhancement
417874 ACL Enhancement
417766 ACL Enhancement
417022 Scaleout-slb-data-plane Major
417020 SLB-L4 Major
416671 ACL Major
416668 NAT-CGN Critical
416047 ACL Major
415552 AppFW Enhancement
415430 System - platform Critical
414859 SSL Enhancement
414499 Content-Inspection Critical
414490 Content-Inspection Critical
413638 Content-Inspection Major
409582 System - platform Critical
407758 License Manager Critical
403712 AAM Major
403318 Scaleout-slb-data-plane Critical
402956 Documentation Major
400900 L2/L3 Critical
400607 DP-Infra-BW-Class-List Major
399565 System - platform Major
399512 System - platform Major
396172 IPSec VPN Major
392747 Documentation Major
390340 AWS Major
292372 SSLi Critical
431398 NAT-CGN Major
429590 SSL Critical
429130 System - management Major
428971 Router Major
428344 SLB-Config Major
428146 SLB-Config Major
427228 System - platform Critical
427198 AAM Major
427114 System - management Major

The local log messages are lost when a heavy SSLi traffic is running through the box. This is a log service issue and a known limitation.
ACOS sends a "Reset to the client", if the ICAP server is not reachable, during a POST request Inspection. This is a known limitation.
The user is able to see the Show logs, which show up "OCSP Revoked - Bypass", when the revoked status is retrieved from the CRL response. These show logs display "OCSP Revoked - Bypass" when the actual response is from CRL and not from OCSP. This is a known limitation.
User is unable to change over-limit-action from forward to a lockout. The user cannot modify the over-limit-action from forward log under this template policy, directly to the over-limit-action lockout. This is a known issue and a limitation.
User gets gslb session && gslb service-group-session total number wrong. This is an expected [transitory] behavior and it exists for performance reasons.
The source-address is a common configuration and not specific to a VCS device.
In ACOS 4.1.4, the users found that the cost specified in command "distribute-internal" does not take effect when the default cost for distribute-internal, the route metric on receiver cost is entered, and there are no further changes. This is a known issue, as the issue exists for all the items under the command "distribute-internal".
In ACOS 4.1.4, the users found that the same-src-dst-port-ip-hash cannot support untagged VLAN. The client interface type and the server interface type contain the untagged VLAN, and the results of these cases fail. This is a known issue and a limitation.
In ACOS 4.1.4, the users found that for the POST: Object:a10loopb Instance Index:0, it returned with an error message as "Failed to handle object \"a10loopb\". CM JSON internal error." This is an internal usage with Trigger: "a10loopb", which is for an internal usage, but it generates corresponding JSON schema and provides aXAPI. The API "/axapi/v3/interface/a10loopb/" causes issues as the CM does not support a multi-object without key-field. The fix is not to generate JSON schema for object "a10loopb" and it does not influence customer, as it is only for the internal usage.
In ACOS 4.1.4, the users found that for the VIPs attached with route-map do not get redistributed. This is due to the limitation of shared VLAN, which is configured for partition P1, configured for VIPs in P1, and the attached route-map which matches from any to some VIPs. These VIPs come from P1 to Shared L3V, as this is a shared VLAN matched for this VIP. If the VIPS in L3V on shared VLAN are configured with route-map, the user must define the route-map in shared partition. Otherwise, the redistribution of the VIPs fails in the shared partition, as it is unaware of the route-maps. The default operation of undefined route-maps is "deny". As a workaround, configure the same named route-map from P1 in the Shared partition. It implies the configuration of redistributable VIP under OSPF and BGP, finding the VIPs with route-map info displayed, which are not redistributed.
In the ACOS 4.1.4, the users found that there is a difference of over 40% in the data CPU utilization, with and without the server-name-auto-map in the client-ssl template. This is an expected behavior and a known limitation. There are few workarounds for this limitation: 1. With the configuration, server-name-auto-map, the control CPU stays at 100% along with high data CPU. 2. While CTX creation, the Data CPU needs to lock to check whether the context is available or not. But the CTX create in control CPU also needs this lock. 3. Data CPU utilization with server-name-auto-map configured in the client-ssl template for 40K cps is more than 90%. On removing the configuration, server-name-auto-map from the client-ssl template, the utilization drops to about 50%.
In the ACOS 4.1.4, the users found that the dynamic context creation fails even though there are hundreds of inactive dynamic contexts available. This includes the dev call output and the logs showing the failure for context creation. This is an expected behavior and a known limitation.
Traffic could not pass through the IPsec tunnel with syn-cookie enabled for vPort of vThunder systems running on Azure.
The license was lost if the Azure VM running vThunder was upgraded from ACOS version 4.1.1-P7 marketplace image to ACOS version 4.1.4. Downgrading the Azure VM from ACOS version 4.1.4 to any other previous release is not supported.
When SNMP service was enabled on ACOS and a request was sent for "sysObjectid" the object ID was not functioning.
If DPDK mode was enabled for vThunder with 1 CPU, 8 GB memory, and one each of management and data port, the data port was lost after boot up.
After upgrade to 411P6-Sp1, ACOS reset while serving SSL traffic using DHE ciphers.
In a scaleout setup of eight vThunders, scaleout becomes non-active if all the device-ids on two vThunders were removed.
Prior to configuring "map inside/outside", remove any map translation inside/outside configuration since these commands are deprecated.
GUI health monitor configuration failed after changing only timeout in the default parameters.
The jumbo packets with trunk were dropped.
Firewall Local-logs are not supported for IPv6 traffic.
VMware tools interface configuration failed if subnet with prefix length was provided.
VMware vSphere webclient displayed a warning message "VMware Tools is not installed on this VM" though vThunder had VMtools support.
A log is comprised of the following parts: time + module + partition + filename + log content that is limited to a maximum of 1024 characters, and any log content that exceeds the log length is cut off.
The Layer 2 SSLi was not working with new proxy, but worked correctly on old proxy.
It takes about 50 minutes to bulk import 2 Million security certificates when VCS is enabled.
The ACl with a rule of TCP and an option of "established" matches with the TCP RST packets and it needs to be supported by
When a user wants
the Management to upgrade
port the IPv4 ACl with the option "fragments", it needs to be supported along with the Management
as well._x000D_
When
port.
WhenThe a
a user
AClwants
user with ato
configures configure
rule withthe
of fragments
ACl IPv4/IPv6
a rule of TCP ACl
matches thewith the option
Management
established, "dscp",
it mustpackets,
be applieditwhich
needs to Management
must
to the benot
supported alongand
be fragmented.
port, with the
This
the Management
command
user must also
send
When
port.
requires
TCP RST a user
The the
packetwants
AClbackend
withtoathe to upgrade
rule of IPv6
support,
Management the
dscp
when ACl withofthe
matches
this
port ACl rule
is the
the of ICMPv6
Management
applied
device to
from code, it needs
packets,
theclient._x000D_
Management to be
which
port. dscp supported
value does alongnotwith the Management
consist with the port.
The interface
ACl with
configuration. index
a rule
This was
of
commandnot
ICMPv6 correctly
code
also displayed
matches
requires thethe when
backend traffic
Management was
support, transmitted
packets,
when which
this
The ACl with a rule of TCP and the options "dscp" or "fragments" are also not supported when it comes to the ACl applied on under
ACltype
is 'scaleout
value
applied does
to l2-redirect
the not interface
consist
Management of the trunk'
configuration.
port.
An l3v
environment
This partition
command and TCPdebug
also connection thewas
was monitored.
requires backendin slow path when
support, whenTCP thistemplate
ACl is applied was with idle-timeout.
to the Management port.
the Management port._x000D_
The ACl hit counter for the Management port resets when access-list is changed dynamically. These hit counts are read from
The
When expectation
configuring is of the ACl is to "respond-to-user-mac"
restrict or allow traffic from a specific host for these options and the failed
log generation when
the Kernel and thestateful firewall
Kernel resets these counts every time when without a configured
there is a change route
in theto the
ACL. client,
This ACOS
is as per the to process
design and a
log
The field
inbound is configured
logissue/open
for
ICMPv6ACl ispackets.
not for the Management
generated for Management port, but porttheforresult is that the non-supported
enable-management service ssh commands do not restrict
with ACl option. The ACL traffic andfor
logging
known limitation.
do
this not generate
App configuration any
FW supports disabling logs._x000D_
and clear aisspecific protocol orincategory.
not yet supported the current release ACOS 4.1.4 and will be added to the upcoming fixes.
This is a known limitation.
This is as per the design and a known issue/open limitation.
The Thunder 1030S has low free memory upon bootup, so any big configuration such as configuring 32 partitions may lead to kernel panic due to out of memory issues. As a workaround, configure less than 16 partitions.
Dynamic context cannot be released for the static configuration. Static contexts should be created before performing static configuration.
The CPU percentage remains high (> 70%) during the initialization of the Cylance service.
Known Issue or Limitations: The connection with the Cylance internal server is done on the shared partition, so these connections are seen both from private and shared partition.
Incorrect classification is displayed from Cylance when the files are merged.
This issue causes the change in the Admin Distance (AD) of the DHCP learned default routes. The value of the routes for the AD was changed from 254 to 250 from the previous releases or builds to the latest release or build. This is a non-configurable value. The change in the value does not functionally impact on the behavior of these routes. Instead, it helps as a user flexibility mode, wherein the user can configure a static route with a higher AD if there is a preference for DHCP learned default route.
Known Issue or Limitations: QOSMOS license revocation displays "License retrieval failed" although the license remains revoked.
Extended-filter cannot be supported for EP user group based authorization. The reason for not supporting is: There could be multiple authorization policies that are bound to the policy template, and it is not possible to aggregate all extended-filters when querying the server.
The "respond-to-user-mac" command is not supported for CGN Scaleout when LSN and Fixed-Nat are configured.
The "clear aam authentication statistics" CLI command does not clear aam authentication global counters. For example, the following counters are considered aam authentication global counters: Total Authentication success number, Total Authentication failure number, Total Authorization success number, Total Authorization failure number. To clear these global counters, use "clear counters aam authentication global".
Giant counters are not supported on vThunder.
On the ACOS 4.1.4 release version, when a user deletes the "import-periodic" class from the class-list, the ACOS is unable to import it again. This is a design issue and a known issue/open limitation in this release version.
In earlier releases, ACOS used to debounce if the values received were invalid. For example, a value of 0 or -1 was used to indicate a failure to read or SMBUS timeouts had occurred. This release adds debounce to indicate if ACOS has received values that are valid but might be above or below the acceptable threshold limits.
IPv6 is not supported on Microsoft Azure vThunder devices.
In the ACOS system, when the user creates the ike-sa, the configuration of dpd and lifetime command under ike-gateway do not take effect at once. Instead, it works when the user updates the ike-sa, during the next time. No dpd packets are sent for an IPv6 IPsec tunnel, even when there is an interval configuration of dpd. This is a design issue and a known issue/open limitation in this release version.
The username for show aam authentication session does not support special characters.
The AWS marketplace does not support AMIs with cloud formation templates (CFTs).
If some of the certificates in the certificate chain does not have OCSP/CRL URI, the status of the certificate chain presented by the client is marked "GOOD" and the request is allowed to pass through.
In rare conditions, A10 configured for CGN may experience a system reset when processing packets with TTL of 0.
As different encodings are used for different types of certificates in different areas, CA certificate verification may fail when using the hardware SSL module.
The admin user cannot execute the "backup-periodic system" command if the user forgets the password. Workaround: Configure another "backup-periodic system" command, so that it overwrites the previous one.
The IP RIB table was not properly updated when one of the ECMP BGP Default paths was withdrawn. This issue could happen if there was a combination of Default (0.0.0.0) ECMP paths learned from BGP neighbors, and if there was also the existence of BGP neighbors with the default originate configuration.
SLB buff-thresh configuration was not applied when the system was reloaded/rebooted, but displayed in running config.
ACOS does not allow the tcp-proxy client, server and the common to co-exist.
The ACOS device may sometimes lose CLI access, requiring a reboot of the device to gain access. This issue is the result of new code that was added to support multiple control CPU. The new code may sometimes cause incorrect CPU affinity for the "kworker thread", which then caused the CLI sessions to terminate at the wrong times.
aFleX authorization does not work when used in conjunction with "GWTR" and AAM authorization.
A recent change in the design for shell root access (with AAA login) impacted the original design. This may cause guest shell access to fail in 411-Px releases.

4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.1-P3
4.1.4
4.1.1-P6-SP1
4.1.4
4.1.4
4.1.0-P10
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.4
4.1.3
4.1.4
4.1.4
4.1.4
4.1.3
4.1.1-P4
4.1.1-P2
4.1.1-P6
4.1.0-P7-SP2
3.2.2-P4
4.1.1-P7
4.1.4
4.1.2-P3
4.1.4
4.1.1-P6


426973 WAF Major


426322 System - platform Major
426114 TCPIP Critical
426094 Explicit Proxy Major
426064 SLB-Config Major
425260 SLB-ICAP Major
424771 Web - ADC CGN Major
424719 SLB-HTTP Critical
424684 SLB-L4 Major
424645 Platform Major
424381 System - platform Major
424277 Health-Monitor-Infra Major
424120 NAT-CGN Major
423757 WAF Major
423490 ConfigMgr Major
423319 Report Major
422938 SNMP Major
422833 SSLi Major
422713 SLB-Config Major
422515 SSLi Major
422404 DDoS DNS Cache Major
422098 Web - ADC CGN Critical
421834 SSLi Major
421600 SLB-ICAP Major
421543 aXAPI v3 Major
420844 TCPIP Major
420373 aFleX Major
420157 L2/L3 Major
419848 TCPIP Major
419197 L2/L3 Major
418972 NAT64 Major
418708 SSL Major
418084 Platform Major
418058 SSL Critical
418057 SNMP Major
417949 AAM Major
417724 NAT-CGN Critical
417655 SSLi Critical
417052 AAA Major
416809 Explicit Proxy Major
416806 GSLB Major
416803 L2/L3 Critical
416635 SLB-Config Major
416557 System - management Major
416518 HA Major
416134 AAM Major
415657 L2/L3 Major
415273 System - platform Major
415099 Health-Monitor-Infra Major
415093 GiFW Major
414892 SLB-L4 Major
414208 Health-Monitor-Infra Critical
414073 VRRP Major
413908 GSLB Major
413905 GSLB Major
413857 GiFW Critical
413732 VRRP Major
413584 aFleX Major
413461 SSLi Major
412937 AAM Major
412849 SLB-HTTP Major
412457 System - platform Critical
412295 SSL Major
412201 SLB-Logging Major


In WAF deployments, when running xss-check in "sanitize" mode, the ACOS device could sometimes reload, producing error message: "Invalid Buffer state change." The root cause is that any modification to the HTTP data that reduces the size of the data could cause ACOS to release the most recent (second) buffer, possibly leading to a "double-free" of the buffer.
On the TH3040 devices with VRRP-A inline mode, the device dropped some packets sent to certain MAC addresses if the device was in a standby mode. This could occur if the packets were sent to the MAC address of Ethernet ports 11 and 12.
Client FIN was getting dropped. Issue caused by "simultaneous" close, where the FIN packet does not acknowledge the SND.UNA of the receiving TCP stack.
In ACOS deployments involving Explicit Proxy used with SSLi, ACOS did not support a fail-safe bypass when the "cert-fetch" failed during the SSLi phase. Plain SSLi already contained that fail-safe bypass, so support for this same function will be added to Explicit Proxy for both "forward-to-internet" and "forward-to-proxy" cases.
If the peer unit in the cluster had the virtual IP address of the same name but different IP address, the configuration synchronization failed.
If multiple HTTP requests are in same connection, the ICAP request header is corrupted.
When the system memory was around 85%, clicking "save" multiple times from GUI caused Thunder 1030S hang/freeze.
When aFlow was configured in a virtual port template and bound to an HTTP virtual port, too many concurrent connections could cause a memory leak on 36 blocks. This could happen under scenarios where a memory block was not correctly freed.
In SLB configurations, a traffic-replication related reload occurred after using the GUI to disable a VIP. This issue could sometimes happen if a health check and traffic replication were configured together.
In the TH3040 and BareMetal X710 10G port, the traffic was stopped when an unconnected or link down port was disabled or enabled. This issue may also happen when the device is rebooted.
System configuration was not working due to some issue and the Thunder 14045 on Microsoft Azure was getting restarted.
While on the real server health check port 3389, the user could not SSH/HTTP A10 from the Windows (the real server). It was identified that AX started TCP connections to Windows server when Health Monitor was UP, and TCP packets had Timestamp. In this case, new Kernel required any next TCP SYN from the Windows server and must have Timestamp. This was a stricter security requirement in the new kernel when "sysctl_tw_recycle" was enabled. As a workaround, the health check on 3389 was disabled and after few seconds SSH was reconnected. Later, it was recommended to run "netsh int tcp set global timestamps=enabled" in Windows server, which made Windows more sufficient with the security check in new Kernel and it resolved this bug.
If the "respond-to-user-mac" option was enabled in ACOS, the CGN session went into Slow-Path. For the ACOS 2.8.2-P8, the sessions stayed in Fast-Path.
There was a duplicate object wafTemplateFormCsrfTagSucc in ACOS-WAF-STATS-MIB.mib.
One of the UI internal process failed to recover after a fatal error. This caused some CLI "show" commands to fail.
A GUI process (a10rtpmon) that collects data in the background for charting display encountered an issue with allocating excessive system resources. This caused TPS to enter its self-recovery mechanism with a proactive reload.
In rare cases, SNMP MIB "acosFwSystemStatus dataSessionUsed" displays incorrect data.
forward-proxy-cert-revoke-action doesn't work correctly. Configure this option as drop, SSLi traffic would be bypassed even if destination https server's certificates would be revoked.
ACOS reboots when the alternate server is modified through CLI. Workaround: To ensure that ACOS reboot does not occur, please define the name for alternate server (alternate 1) and subsequently, the primary SLB server in alphabetical or ascending order. "alternate 1" will be recognized first and set as pre-defined and ACOS reboot will not occur.
If software SSL was configured and there was a CA certificate failure followed by a verify-cert-fail-action bypass, ACOS suffered a system crash.
When distributing process resource among control CPUs and data CPUs, race condition occurred and caused high control CPU usage.
VRRP get-read-time was not available on GUI.
Under certain conditions, the connection to the server was not established in SSLi deployments after the cert-fetch and OCSP checks. This was because certain procedures in forward-proxy-inspect affected the client packets and caused the bypass to fail.
ICAP did not work when the disable-default-vrid option was enabled for VRRP.
Some aXAPIv3 objects were not returned on query if they had oper-only fields.
The transmit buffers were not released even after data was transferred and sessions were cleared, as displayed in the "show slb tcp stack detail" output.
aFlex did not generate a DNS log if the DNS response included a domain name with more than 250 bytes. The maximum readable length of an ASCII DNS name is 253 characters.
Statically configured management IPv6 address is lost after reboot, if an IPv6 peer sends the router advertisements.
TCP proxy applications such as HTTP and HTTPS did not close properly on the client-side if the closed state of the ACOS system was FIN-WAIT1 due to re-transmission issues when the connection was freed.
If an interface was created and added as a non-lead member of a trunk group, the output of the "show interface brief" command did not display the interface name. The issue was not seen on a lead port or if the trunk only had one member.
The ACOS 4.x.x releases did not support configuring both IPv4 and IPv6 NAT pools at the same time for dns64-virtrualserver. This feature is supported in the ACOS 2.8.x releases.
ACOS stopped forwarding data to the back-end server when it encountered packet loss.
For copper SFP, all link-up ports went down when one data port was disabled on TH4440/5440/5840/6440/7440s.
SSL/SSLi module logged all cryptographic operations in addition to SSL logs, sometimes making other modules to stop functioning.
Two extra zero bytes were included in the partition name when a trunk was configured, and the interface was up. However, this issue was not seen when Virtual Ethernet was up.
The ACOS device failed over after trying to add a VLAN and during VRRP synchronization.
Software is reloaded when processing IPv6 packet with offset=0 and MF=No in the fragment header.
The 'show slb ssl-forward-proxy-stat' did not decrement correctly for counter "Certificates in cache".
In RADIUS configurations, the RADIUS NAS-IP-Address attribute was incorrectly using a value of 127.0.0.1
In explicit proxy deployments, Thunder ADC processing a CONNECT request deletes the session immediately when it receives a FIN from server-side.
When GSLB service IP was configured with the same name in two or more partitions on Thunder 1030S, the web GUI in all the partitions where the IP was configured displays the status of the highest number partition ID. Use a different Service-IP name in each partition to overcome this limitation.
The ACOS device did not correctly tag egress frames with the 802.1q VLAN ID after using the "remove-vlan-tag" command and then removing it from the config.
Asymmetric routing was not working.
When using the "import-periodic" feature, CRL files in the private partition were not being updated correctly. This issue was not seen with CRL files in the shared partition.
GARP may be sent from standby box immediately after standby box is rebooted or reloaded.
If an OCSP check failed on an IPv6 address, it did not fall back to the IPv4 address to continue checking. Work around: Remove the IPv6 default gateway.
When configuring an interface trunk, if a name was configured prior to the trunk group being added to the VLAN as untagged, the configuration was permitted, but would not persist after a reload/reboot, but if the trunk was added to a VLAN as untagged, and then a name was added for the interface trunk, the configuration would not be allowed.
Thunder TH1040 and TH940 only support ACOS versions 4.1.3 and above. Downgrade to any version prior to 4.1.3 was not possible.
This bug was caused by a race condition within ACOS internal. The effect was that the packets originated from the host such as the health monitor caused memory corruption that led to the device crash.
Radius attributes were not logged correctly for Application Level Gateway traffic for Gi/SGi firewall radius logging feature.
Low throughput was observed for UDP traffic when using Advanced Traffic Replication. If the packet replication option was configured, and if the transmit port was part of a trunk, the ACOS device did not use all ports to send out packets. Instead, ACOS sent the packets out of the first port.
The "health-check-follow-port" option did not work as expected when there were multiple server ports configured. For TCP health monitoring, ACOS still tried to send the HM to the original port.
The VRRP-A "CONFIG SYNC : Completed" message is displayed as error on standby device.
The gslb member's log message included the string "Communication error with LB".
GSLB group member did not save the configuration intermittently after the 'write memory' operation on the master GSLB device, when the 'Default' startup profile was used.
Header value was getting truncated in http log for fragmented IPv6 requests.
In VRRP-A deployments, the a10lb process reloaded after configuration sync if it was using aFleX, which was included in the class-list with file option.
aFlex traffic force-through was not functioning correctly.
In Explicit Proxy deployments, the port number of the source NAT pool for CONNECT requests within the proxy log was incorrect.
When aFlex was configured on Virtual IP and a member of a service-group was configured "disable-health-check" the clients received a HTTP/1.1 504 Gateway Timeout error. Even though 'disable-health-check' was configured and aFleX selects the same server, ACOS continued to send traffic to that server with health check enabled.
The ACOS device sent HTTP 1.0 OCSP requests, but if the OCSP server expected HTTP 1.1, then it would not work. The reason for this failure was that some OCSP servers will deny the request if there is no host header in the OCSP request. This release adds a new command option to enable HTTP 1.1 OCSP requests.
Server sends reply with many headers. Headers will span over two tcp segments.
On a vThunder instance, if a crash occurred involving the a10lb process, the bandwidth value of an existing license would not take effect and be reset to the default value.
The pki-certificates created in a private partition were not displayed in the showtech log on a shared partition.
The log for service-group member up/down message did not provide reason for the service-group member up/down such as admin disable/enable, health-check or disable-with-health-check.

4.1.0-P11
4.1.1-P8
4.1.4
4.1.1-P8
4.1.1-P5
4.1.1-P8
4.1.1-P5
4.1.1-P6
4.1.1-P5
4.1.2-P3
3.2.2-P2-SP1
4.1.1-P6
4.1.2-P3
4.1.1-P6
3.2.2-P4
4.1.4
4.1.1-P5
4.1.1-P8
4.1.1-P6
4.1.1-P6
3.2.2-P3
4.1.3
4.1.1-P7
4.1.1-P6
4.1.2-P3
4.1.4
2.7.2-P7-SP3
2.7.2-P9
4.1.1-P6
4.1.1-P6
4.1.1-P6
4.1.3
4.1.1-P6
2.7.2-P11-SP1
4.1.1-P5
4.1.1-P5
4.1.1-P6
4.1.0-P10
4.1.1-P6
4.1.1-P6
4.1.0-P9
4.1.1-P5
2.7.2-P11
4.1.1-P6
2.7.1-GR1
4.1.0-P9
3.2.1-P3
4.1.3
4.1.0-P9-SP3
4.1.1-P6
4.1.1-P6
4.1.1-P5
4.1.1-P3
4.1.0-P9
4.1.0-P9
4.1.1-P5
4.1.1-P6
4.1.0-P10
4.1.1-P3
4.1.0-P9
2.7.2-P10
4.1.1-P1
4.1.4
4.1.1-P5


411976 System - platform Major


411719 SSL Major
411227 Web - ADC CGN Critical
411127 SLB-HTTP-Cookie Major
410914 ConfigMgr Critical
410902 SLB-FTP-Proxy Major
410497 SNMP Major
409997 GiFW Critical
409744 L2/L3 Major
409666 SSL Major
409534 VRRP Major
409513 Firewall Major
409183 TCPIP Major
409050 Firewall Major
408985 NAT-CGN Major
408748 SSL Major
408301 GiFW Major
408236 NAT64 Major
408070 L3V Major
407794 FPGA Major
407779 SLB-NAT Minor
407627 Web - ADC CGN Critical
407596 NAT64 Critical
407575 SLB-Config Critical
407365 Web - ADC CGN Major
407137 TCPIP Major
406816 Platform Major
406645 System - snmp Major
406633 SLB-Config Major
406579 NAT-NATPT Major
406450 System - platform Major
406393 Web - ADC CGN Critical
406279 L2/L3 Major
406219 SLB-L4 Major
405850 System - management Major
405739 Router Major
405439 IPSec VPN Major
405353 SNMP Major
404959 VRRP Critical
404462 DDoS general Major
404377 TCPIP Critical
404113 ConfigMgr Major
403828 Router Major
403618 VCS Major
403528 NAT-CGN Major
403000 Platform Major
402967 Firewall Major
402725 aXAPI v3 Critical
402394 Scaleout-slb-data-plane Major
402287 SLB-HTTP Critical
402097 L2/L3 Critical
401881 aFleX Major
401875 aFleX Major
401803 System - platform Major
401635 Health-Monitor-DSR Major
401242 SSL Major
401230 SLB-ICAP Major
400573 SLB-Stateless Major
400540 System - platform Major
400315 NAT-CGN Major
400294 VRRP Major
399943 aFleX Major
399823 VRRP Major
399790 SLB-Config Major


When system log data contained non-ascii characters, the "show log" command failed to correctly display output.
ACOS displayed an error when a PKI certificate was created using the PKI CLI options.
When "rba enable" is configured, there is no GUI support for switching partitions.
In some rare case when the client sent an encrypted cookie with no value, system experienced a crash.
If a manual reboot was initiated while an aXAPI "write mem" operation was occurring, ACOS could lose partial configuration.
Ftp-proxy virtual port type configuration was not forwarding ftp site commands to the server.
The MIB axSysFanStatusTable was not working for FAN5A and FAN5B for the Thunder model TH3040.
A new enhancement to track and adjust TCP MSS on GiFW was initiated.
When an IPv6 address was removed from a VE address, ACOS sent an admin down BFD packet.
Do not remove the SNI configuration from a client-SSL template by using the CLI as ACOS experiences a crash. Instead, import and overwrite the same configuration without the SNI in the client-SSL template.
In GiFW deployments, the Thunder device did not successfully create an ICMP/ICMPv6 session while pinging the floating IP in a VRRP-A pair. The ping succeeded, but the Thunder device did not create the data session.
FW Session Close Log contained incorrect RADIUS information for sessions matching Fullcone sessions.
ACOS was sending a larger packet (segment length) than the client was advertising (calculated window).
ACOS with a "fw dest zone" configuration was unable to resolve certain cases for multicast traffic.
Occasionally, in a CGN configuration, when ACOS was performing Round Robin and received a fragmented TCP reset packet, ACOS would require a reset.
The certificate revocation list (CRL) check does not work in software SSL for ACOS version 4.1.1 and later. OpenSSL limits the size of the CRL file to 1 MB. If the size of the CRL file is more than 1 MB, the CRL check fails. As a workaround, reduce the size of CRL file to 1 MB or less.
In GiFW deployments, the user needed to be able to toggle (turn on/off) the extended matching for firewall rule-sets. To address this issue, the following new CLI command has been added to this release: "fw extended-matching disable"
When the MSS-clamp is configured, the MSS value is changed only in outgoing SYN packets, but not outgoing SYNACK packets.
If shared partition and L3V partition are connected in the same L2/L3 subnet, when VRRP status becomes active for all-partitions at once, the shared partition sometimes sends GARP for floating/NAT IP addresses configured in the L3V partition.
ASIC initialization timing took longer than expected, causing ACOS to boot slowly.
When two VIPs use auto source-nat (also known as Smart NAT) in a configuration where VRRP-A is enabled, deleting the VRRP-A floating IP address may cause an IP traffic failure that persists even if the floating-IP address is restored.
The GUI on the TH6440 and TH7400 failed to show ethernet information and displayed a total throughput value of 0. Note: In the GUI, navigate to Dashboard(CGN)>>Performance>>Throughput
SIP ALG was not supported in 464XLAT.
Updating an ACL bound to a wildcard VIP is improperly prohibited from being modified.
When typed, the Web SMTP password was not displayed as encrypted.
For SLB auto-reselect in ACOS version 2.7.x, the actual retry number is calculated as the value of the number of syn-retries configured in the template divided by the number of active server members. However, in ACOS version 4.x, the actual retry number was equal to the number of syn-retries configured in the template. The value was not dependent on the number of active server members.
The 1G port LED glowed green even after being disabled when inserting the 1G SFP into 1G port.
Syslog messages were reporting non-existing port entries that also contained incorrect priority levels.
The "show session persist" CLI command does not display complete IPv6 addresses.
Sessions are not removed when FIN is followed by RST.
When starting up, the Thunder 3430 model, running ACOS 4.1.1-P1, raises some critical system voltage logs. For example:
Sep 20 2017 09:10:50 Info [SYSTEM]:System Voltage VBAT 3.3V is OK.
Current value is 3119
Sep 20 2017 09:10:50 Info [SYSTEM]:System Voltage AVCC 3.3V is OK.
Current value is 3243
...
On deleting the server port, the associated RRD files were not automatically deleted from the ACOS device.
If a VRRP pair is established between a dual-blade chassis configured as the master and a single-blade chassis configured as the slave, the VRRP session sync packets from the master are not recognized by the slave. These unrecognized packets are pushed to the kernel. The flow of the VRRP session sync packets to the kernel may flap the LACP session.
DRS server is deleted after DNS timeout, the data threads and the CLI server get stuck which leads to device crash. It requires a reboot to recover.
The callback function for regular expression handles the last character of log messages incorrectly by ignoring it. Matching will fail if the keyword is the last word of the log message.
When the TPS device receives a default route through the BGP protocol from the directly connected upstream routers, TPS is unable to update the process correctly. The CPU usage becomes 100%.
Enabled Health Monitors that use port 500, 4500, or 4510 as the source port will fail because its response packet is consumed by the daemon. There is no workaround.
CPS and Throughput OIDs were not supported.
In cases with the active unit as a dual-blade chassis and the standby unit as a single-blade chassis, when the active unit synchronized sessions to the standby unit, parts of the session sync packets were dispatched to Linux kernel. This impacted the performance of the box.
Auto-incident creation required using either the TPS GUI or aGalaxy.
When an A10 device sends a full payload (window probe) packet in response to a TCP zero window, some firewalls drop the connection. The window probe is changed to improve interoperability.
Some object descriptors in the generated MIB files for ACOS version 4.1.1-P5 contained the underscore character "_", which is prohibited to be used for SNMP.
The BGP "aggregate-address" command did not work after reloading or rebooting the ACOS device.
When enabling source-NAT pool for use by the ACOS Server Verification Module (SVM) daemon, the slb svm-source-nat pool command was not device-specific.
If a FTP session is initiated to Static NAT IP, then the FTP payload is not NAT-ed. This leads to failures in data connection in both the active and passive modes.
After device reloaded or rebooted, the port stayed on even though it was disabled in the startup configuration.
By default, CFW creates local sessions for the outgoing BGP connections to a remote peer. However, the age of the local sessions is not updated properly and the sessions time out if they exceed 60 seconds. As a result, the RX BGP packets are dropped due to a session mis-match. As a workaround, explicitly configure a rule to match the BGP connections with the remote peers.
When a deployment has many servers and virtual servers, retrieving data using the aXAPI fails because of the large chunk size. In older releases 4.1.1-P2 and 4.1.1-P3, the chunk size was 8192. However, beginning with release 4.1.1-P4, all data is sent in one chunk, thus causing the client to send a RST packet, which resets the connection, due to the reduced window size 0.
In CGN scaleout deployments, the traffic map may become out of sync with the status of the scaleout device, and disabled devices may appear in the traffic map. This issue could be triggered by disabling scaleout functionality on all devices using the "disable" command, under the "cluster-devices" sub-configuration. When this issue occurs, it could cause traffic to get mapped to the wrong node in the scaleout cluster, and this may cause traffic to get dropped.
The ACOS device may reload if the HTTP cookie header from the client includes something like ABC=\r\n and if the client request is also using aFleX to retrieve this value.
Occasionally, on a dual blade 14045, interface flapping caused static routes to disappear.
The TCL "encoding convertto" returned a runtime error.
The current HTTP::respond implementation automatically encodes the data to the default utf-8 character set. If the data is encoded to another character set, the response content gets corrupted.
When the ACOS system encountered "Crypto board inaccessible" error, the non-FPGA systems were not getting rebooted. This issue was not seen for FPGA systems.
ACOS did not close TCP health monitor sockets gracefully in a DSCP-based L3-DSR setup. FIN from server was not acknowledged. Additionally the RST sent out by ACOS did not have correct DSCP bit set so it was ignored by server. This caused the socket to stay open on server and resulted in connection issues when ACOS tried to reuse the source-port for subsequent health monitor connections.
If the ACOS device failed over from a box with N3 to a box with N5, the N5 box crashed. The trigger was high traffic, N5, a client-ssl template with server-name configured.
In ICAP deployments, the ACOS device may sometimes reload when enabling the "icap reqmod" and sending the post file.
The ACOS device reloaded after configuring stateless UDP with the "stateless-src-dst-ip-only-hash" option configured on an IPv6 wildcard VIP. This issue was caused by an issue in the TTL/hop-limit decrement code, and the bug was triggered when the hop-limit or TTL value was equal to 0.
CGN performance degradation occurred on AX 5630 devices after upgrading from 4.1.1-P3 to 4.1.1-P4 (build 8 and later).
In CGN Fixed-NAT configurations, the ACOS device sometimes reloaded. This reload was caused by an internal issue in the calculation of the End IPv6 address in the IP-list. The issue occurred if the prefix count number was greater than 256.
"ping floating IP" cannot work for L3V partitions with ID 46 and above.
In the earlier releases, in some cases, when the client performed DNS request with aFleX, the system was experiencing a reload or a reboot consistently. There was no workaround. The error was fixed, and the bug was closed.
VRRP-A stopped sending out the VRRP-A heartbeat negotiation packet. This issue happened if the VRRP-A interface was a VLAN member and if any of the options were removed from the "vrrp-a interface" section of the configuration.
The various ACOS templates were spread across different areas in the CLI configuration. Now, they are grouped in a more intuitive way.

4.1.2-P1
4.1.4
4.1.1-P5
2.7.2-P11
4.1.0-P9-SP1
4.1.1-P5
4.1.1-P5
4.1.1-P5
4.1.2-P3
4.1.1-P5
4.1.1-P5
4.1.1-P5
4.1.0-P10
4.1.1-P6
4.1.0-P3
4.1.1-P3
4.1.1-P5
4.1.1-P5
4.1.1-P3
4.1.1-P6
4.1.0-P5-SP1
4.1.2-P1
4.1.4
4.1.1-P1
4.1.1-P6
4.1.1-P5
4.1.1-P5
4.1.1-P4
4.1.2-P3
4.1.1-P2
4.1.1-P6
4.1.0-P9-SP1
4.1.2-P2
4.1.0-P5
4.1.1-P6
2.0.0
4.1.0-P9
4.1.2-P2
4.1.2-P2
3.2.2-P2
4.1.0-P6
4.1.2-P3
4.1.2-P1
4.1.0-P9-SP4
4.1.1-P2
4.1.2-P2
4.1.1-P5
4.1.1-P4
4.1.2-P2
2.7.2-P11
3.2.2-P2
4.1.1-P3
2.7.2-P11
2.8.2
4.0.3-P4
4.1.1-P2
4.1.0-P9-SP2
4.1.1-P3
4.1.1-P4
4.1.1-P4
2.7.2-P10
2.7.2
4.1.0-P9
4.1.0-P9


399655 VRRP Major


399562 SLB-RAM-Cache Major
399433 SLB-HTTP Major
399394 System - platform Major
399385 SLB-Diameter Major
399367 System - platform Major
398699 SLB-Config Critical
398489 NAT-CGN Major
397996 Web Category - URL Filtering Major
397951 SSL Major
397936 CGN-LOGGING Major
397453 SLB-ES Major
397414 SSLi Major
397252 VCS Major
396076 SSL Major
395896 SLB-HTTP Major
395737 aXAPI v3 Critical
395452 aFleX Major
394726 SLB-L4 Major
394408 SLB-ICAP Major
394219 SLB-Config Major
394054 SLB-ICAP Major
393896 NAT-CGN Major
393088 CLI (Deprecated -- Select core component) Major
392902 SLB-Diameter Critical
392650 ConfigMgr Critical
391570 SSLi Major
391037 Web - ADC CGN Major
390892 System - platform Major
390703 Explicit Proxy Major
390418 aFleX Critical
388861 Web - ADC CGN Major
388072 AAM Major
387967 L2/L3 Major
387898 Firewall Major
387457 SLB-L4 Major
387429 aXAPI v3 Critical
387085 ConfigMgr Major
387072 aXAPI v3 Critical
386818 Platform Major
386539 L2/L3 Major
384250 Web - ADC CGN Major
382936 ConfigMgr Major
382330 aXAPI v3 Major
381961 Web - ADC CGN Major
381886 Web - ADC CGN Major
381526 ConfigMgr Critical
380923 SLB-HTTP Major
379291 VRRP Major
378487 Platform Major
376516 SSL Major
376387 ConfigMgr Major
375304 NetFlow/SFlow Major
374887 DNS64/DNSALG Major
374143 Web - ADC CGN Major
372238 Web - ADC CGN Major
372235 Web - ADC CGN Major
372199 Web - ADC CGN Major
372196 Web - ADC CGN Major
372049 Web - ADC CGN Major
368806 SSL Major
368803 SSL Major
368800 SLB-HTTP Critical
367342 L2/L3 Major


In VRRP-A deployments, the new certificate was not used after the ACOS device performed an "ha sync" operation from the standby to the active device. However, the GUI and CLI erroneously indicated that the ACOS device was using the new certificate.
Missing space in the "200 OK" HTTP response causes issues with opening a page on certain browsers.
ACOS fails to process a POST request and sends FIN to client if the request arrives in same TCP segment which is carrying payload from previous POST request. This can occur when a client receives 401 for first POST request but still continues to send the POST body and then resends the POST request with Authorization information.
On ixgbe-based NIC, a change in link status from up to down was not detected immediately. It took longer than expected to detect the link after the link partner port was disabled.
The system crashed when aFleX command "DIAMETER::avp insert <code> <value> <flags>" was used and <value> was an empty string.
The ciphers TLS1_RSA_AES_128_GCM_SHA256 and TLS1_RSA_AES_256_GCM_SHA384 are removed by ACOS upgrade from some of 2.7.2 to 4.1.1-Px before 4.1.1-P6.
With HTTP explicit proxy, an incorrect URL was sent to the server. This issue was caused by an incorrect copy operation. This issue occurred while the ACOS device was attempting to convert an absolute URL to a relative URL before forwarding the request to the server.
When a NAT pool was configured in the shared partition and being used in an L3V partition, using axAPI with the pool name as a filter failed to get user quota session for the L3V partition.
The ACOS CLI or GUI would sometimes hang if network connectivity issues occurred while ACOS was downloading RTU (Real Time Updates) from the BrightCloud server. In such cases, the RTU background thread was not terminated when the "no enable" option, under "web-category" was invoked.
When sending IMAP over STARTTLS, the ACOS IMAP proxy received a separate two bytes "\r\n" after SSL decryption. However, ACOS did not support the ability to parse the "APPEND" command. Therefore, the "APPEND" message was split across multiple packets, and the second packet was not forwarded to the server.
When SYN packets were re-transmitted on the session, CGN logging doubly counted the length of re-transmitted SYN packets.
When ICAP reqmod is enabled and a post file larger than 15 MB is sent, the session hangs.
The SSLi device intermittently intercepts domains defined in web-category. As a workaround, define domain under class-list.
Doing a backup system restore, followed by rebooting the ACOS device, did not restore the original config sync number, which was captured when the backup system was taken. The VCS config sequence numbers did not match, and this caused the vMaster and vBlade configurations to become desynchronized.
Thunder 4440 device (with N5 x 2 core) was getting a hardware ring full counter that was incrementing intermittently and unexpectedly. This could have caused performance degradation if there were too many bad requests.
If the content-length header was not present in the HTTP response packet (for example, chunked-encoding), with the logging template, the packet length was logged as a very large number instead of "-".
Given two mutually exclusive fields where the first field is set and the second field is implicitly (unconfigured) set to the default value. Configuring (explicitly) setting the second field to its default value should reset the first field to its default value; the action has no effect.
If cookie persistence and aFleX are both used at the same time, then aFleX wins. While this is the expected behavior for the match-type service group, it is not the correct behavior for server or port. The behavior has been fixed such that cookie persist now takes priority for match-type server or port, and aFleX takes priority with match-type service-group.
Wildcard VIP traffic is unexpectedly forwarded to default route for L4 traffic when user configures an ip nat pool command that explicitly configures a gateway (ip nat pool xyz 10.1.1.10 netmask/24 gateway 10.10.15.15). The behavior is corrected to be the same as the ACOS 2.7.2 release.
An issue may occur with ICAP response request lines that cross multiple packets, wherein the port number may be added twice on the REQMOD packet.
The min-active-member command (slb common configuration mode) should mark the status of the entire service group as DOWN when a minimum number of active members is not available and there are no designated backup servers. This status is available in the output of the show slb service-group command. The min-active-member command configures the minimum number of primary servers that can still be active (available) before the backup servers are used.
In ICAP deployments, if attempting to POST a large file, the connection may fail and you may get an error message indicating that the "connection proxy queue depth exceeds the limit (60001)". This issue appears to be caused by the ACOS device running out of buffer space for larger packets, because the device must first send all packets to the I
With a relevant Fixed NAT configuration, when cgnv6 fixed-nat create-port-mapping-files is configured, the corresponding fixed-nat port mapping file contains incorrect line breaks.
After running several commands, the CLI was reloaded. To stop the CLI from getting a consistent reboot or reload, run the command "show cgnv6 nat pool-group xxx statistics" followed by the command "show cgnv6 nat pool statistics top x used".
The orig-host configured on one VIP may sometimes be used for another VIP, when "forward Diameter messages" from the server to client are received. This notification occurs if the VIP is deleted and then added back at a later time.
In VCS environments, when some "clear" commands were executed on the vMaster under the device-context of a vBlade, the "a10cfgmgr" process crashed.
In SSLi configurations, if the signature algorithm used by the real server was not recognized, the forged certificate would use SHA1 as the signature digest algorithm.
ACOS experienced high control CPU utilization rates if the device had more than 10,000 services and if the user attempted to use the GUI to navigate to the following page: ADC >> SLB >> Virtual Services
On Thunder 840 models, switching between the menu tabs on the GUI caused the Control CPU usage to spike unexpectedly.
In Explicit Proxy deployments, an issue occurred when the server was attempting to redirect HTTP requests to HTTPS, and the client sent a "CONNECT for HTTPS" request on the same connection. The CONNECT request should have been forwarded to port 443, but was mistakenly forwarded to port 80.
When a show tech file was exported to a remote site, the aflex script content was not included.
Attempts to upload complete certificate chain from the GUI results in sending only the server certificate.
Enhancement to increase the aflex attr size for AAM.
Since concurrent session count was not freed for fragmented IP-NAT traffic, it was observed that the resource-usage exceeded its limit even though not many sessions were shown on the session counter.
In Firewall deployments, the TCP Handshake was getting dropped if the Explicit Congestion Notification (ECN) was enabled. If the client had the TCP ECN feature (see RFC 3168) enabled, the client's SYN packet had the ECE and CWR flags set. However, the SYN+ACK response only had the ECN bit flagged, so the ACOS device wrongly dropped these packets, which caused the TCP handshake to fail.
The traffic was not load balanced when min-active-member 1 was configured.
When using aXAPIv3 to configure sync with auto-authentication, the command executed twice but failed to execute the second time. AXAPIv3 does not support configuring sync with auto-authentication.
ACL does not correctly sync under the following condition: 1) updated ACL is bound to wildcard VIP; 2) original ACL has VLAN settings; and 3) configuration sync is required to updated ACL sequence. Workaround is to manually erase service-config and then attempt to resync.
After reloading or rebooting a Thunder TH3040 model, the 10GB back-to-back interface sometimes did not come up.
The link local address of an interface could not be configured as the next hop of a static route via a different interface on the same box.
The X-Frame-Options header was not being included in HTTP responses to protect against 'ClickJacking' attacks.
If a partition on the ACOS device was in block mode, multiple user sessions should have been prevented. However, multiple users were allowed to make simultaneous modifications to the configurations in the blocked partition.
When using aXAPIv3 to send a "write memory request", the ACOS device returns an error message: "Communication error with LB process". This issue occurs under the following conditions:
- if the destination is local
- if the profile is not '' or does not exist in the saved startup profile
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to "nosniff".
The cache-control and pragma HTTP headers were not set properly or were missing, allowing the browser and proxies to cache content.
RBA logic accessed NULL pointer and caused a10cfgmgr to fail.
The connection counters were not properly updated when the strict transaction switching was triggered. This resulted in breaking the "conn-limit" feature.
In VRRP-A deployments, the "enable" command (under "vrrp-a common") was not synced to the standby ACOS device if the "disable-default-vrid" option was configured on the Active device.
For non-FPGA devices, when configuring interface ethernet with "speed" of 10 or 100 and "duplexity" full, the data interface failed.
New option for digest is added for cert create.
For an ACOS device with VRRP-A configured, using the aXAPI method "cli.deploy+D237" to force self-standby correctly pushes the ACOS device into "Forced Standby Mode". However, the aXAPI generates an error message.
The ACOS device was exporting sFlow packets with incorrect sequence numbers. Therefore, the sFlow collector reported that duplicate packets and out-of-order packets were exported.
When the response of a DNS server to an AAAA query was delayed for approximately 1 second or more, upon receiving the delayed AAAA response that could be blank, instead of sending a DNS A query to the server, ACOS sent the query to the client.
There is a vulnerability where a cookie is missing the HttpOnly flag.
This fix addresses the issue where the Content Security Policy (CSP) Header was not set.
There is a vulnerability where a cookie is set without the SameSite attribute.
There is a vulnerability where a cookie is set without the Secure flag.
This fix addresses the issue where the Strict-Transport-Security Header was not set.
This fix addresses a vulnerability resulting in buffer overflows.
OpenSSL publishes vulnerability update.
OpenSSL published vulnerability update.
When using a virtual port configured for port-based HTTP cookie-based persistence, a cookie submitted to the virtual port with
When migrating
the correct namean wasL3Vtrusted
interface configuration
without validatingfrom that athe 2.7.2 ACOS towas
IP provided a 4.1.X
partACOS system the
of a mapped migration process
service-group. The onlyfailed due to
restriction
the
wasexistence of certain
that the illicit targetinterface
must be definedconfigurationsas a server that inwerethepresent
same partitioninside an L3V interface
configuration assuch as MTU, name, flow-control,
the VIP.
speed, duplexity, LLDP, monitor, and load-interval. This is593571715.xlsx due to the new behavior in ACOS 4.1.X regarding L3V port ownership.

2.7.2-P11
4.1.0-P5
4.1.0-P9-SP1
4.1.1-P6
2.7.2-P9-SP2
4.1.1-P3
4.1.0-P9
4.1.4
4.1.0-P9
4.1.1-P3
4.1.1-P3
4.1.0-P9-SP2
4.1.1-P1-SP1
4.1.0-P9
4.1.3
4.1.1-P3
4.1.0-P9
4.1.1-P4
2.7.1-GR1
4.1.0-P9
4.1.0-P9
4.1.0-P9
4.1.1-P2
4.1.1-P3
2.7.2-P9-SP2
4.1.0-P10
4.1.0-P9
4.1.1-P2
4.1.1-P3
4.1.1-P2
4.1.3
4.1.1-P2
4.1.0-P4
4.1.1-P3
4.1.0-P9
2.7.2-P9
4.1.1-P2
4.1.0-P7
4.1.1-P2
4.1.4
4.1.1-P2
4.1.0-P9
4.1.0-P9-SP1
4.1.1-P2
4.1.0-P9
4.1.0-P9
4.1.0-P8
2.7.2-P10
4.1.1-P2
4.1.1-P2
4.1.1-P2
4.1.1-P2
4.1.1-P1
2.8.2-P6
4.1.0-P9
3.2.2-P1
3.2.2-P1
4.1.0-P9
4.1.0-P9
4.1.0-P8
4.1.1-P2
4.1.1-P2
4.1.1-P6
4.1.0-P8


366739 SLB-Diameter Major


365065 System - platform Major
362449 SNMP Major
359863 Health-Monitor-Infra Major
358510 AAM Major
350398 SLB-L4 Major
349387 SLB-DNS Critical
347248 L3V Major
347005 L2/L3 Major
342190 SLB-HTTP Major
339874 aFleX Major
333931 License Manager Major
329632 NAT-CGN Major
307921 SLB-HTTP Major
276415 System - platform Major
260567 L2/L3 Major
231871 SLB-Persist Major
195940 ACL Major


If more than 8 NAT pools were configured, the source-NAT resources used to provide Diameter services were not being released back to the NAT pool. Eventually all NAT pool resources were used up.

Some instances of vThunder running on KVM would receive a "[SYSTEM]: Ramdisk is mounted READ ONLY" error.
Workaround: Configure a second serial port on console of the virtual machine instance.
Note: This issue was due to vThunder instances on KVM requiring two serial ports, but the default virtual machine setting may have only been configured with one.

The GUI statistic for total throughput had no equivalent OID for use via aXAPI. The following object was added:
axGlobalThroughputPerSecond that adds throughput of all Ethernet interfaces.

The Database Health Monitor (Oracle) does not work in any L3V partition, but the shared partition has no issues.

ACOS closed connection and back-end server displayed 401 response if NTLM relay configured was 4099 bytes or greater.

The Alternate Server feature is not working as expected. If the primary server is disabled at the service-group level (and then rebooted), the alternate server is never chosen. However, if the primary server is disabled at the server level (and then rebooted), this behavior is NOT seen, and the alternate server is chosen, as expected.

When ACOS received a TCP packet with payload length more than the expected DNS payload size, a reset was sent to the client and server.

Deleting an L3V partition affected the trunk ports on the ACOS device. This issue occurred under the following conditions:
1) Create multiple L3V partitions.
2) For each partition, create one or more interface VLANs.
3) Tag all of the VLANs on each partition to bind them to the trunk interface.
4) Delete one of the network partitions.
While this issue did not impact traffic, the output from the "show varlog" command shows that deleting the L3V partition impacted the trunk ports, resulting in unexpected log messages, such as the following:
Oct 7 22:40:15 AX2600 a10dcs: begin handling __dcs_vnp_part_own_routing
Oct 7 22:40:15 AX2600 a10dcs: end handling __dcs_vnp_part_own_routing
Oct 7 22:40:15 AX2600 a10lb: WARN IPInfusion LACP DEBUG: Action: Block/Unblock Port, LAG name:
Oct 7 22:40:15 AX2600 a10lb: WARN IPInfusion LACP DEBUG: LAG Port: aten3, Blocked?: 0
Oct 7 22:40:15 AX2600 a10lb: WARN IPInfusion LACP DEBUG: Action: Delete LAG, LAG name: po1

The LACP trunk interfaces could flap when the system clock was updated via NTP or configuration.
While there was no workaround to this issue, the interface flapping lasted for a short time while the system clock was changing.

If the client sent a Patch request for the ACOS device, the device was typically stalling and did not initiate a new server-side connection.
This behavior was seen under the following conditions: The client sent a POST data to the ACOS device and the packet was forwarded to the server. The server responded with a "400 bad request" HTTP status code (indicating that the client's request was somehow corrupted). The ACOS device reset the server connection and forwarded the 400 message to the client. At this point, the client sent the Patch and the ACOS device was stalling.

You may not be able to delete a service group if it was used in an aFleX script that was later deleted.

The License Manager API call does not correctly populate some of the "show license-manager" fields. For example, the "interval" and "instance-name" fields may be missing values after posting to the aXAPI. However, the two fields may display the correct values after using the write memory command and reloading the ACOS device.

For a CGN device with VRRP-A configured, a full-cone session entry for an FTP session (in FTP "active mode") was erroneously created on the standby ACOS device, instead of being created on the active ACOS device. Then, the full-cone session on the standby device timed-out shortly thereafter.

The ACOS device was continually sending "pipelined requests" to back-end servers, even if the response from the service indicated that the connection was closed.

Defunct a10class_list_l (classlist) process is not reaped or cleaned up.

The physical interface MTU configuration is lost after device reload.

Load balancer fails to parse header of empty cookies for cookies not used for persistence.

When an access list was created with a host address 0.0.0.0, but the mask is not zero, the ACOS device interpreted this configuration as "any".


2.7.2-P9
4.1.1-P2
2.8.2-P6
4.1.1-P1
4.1.1-P1
2.7.2-P9
4.1.0-P5
4.1.1-P3
2.8.2-P6
4.1.0-P5
4.1.1-P3
4.1.0-P2
4.1.2-P1
2.7.2-P8
3.1.3
4.0.2
2.7.2
2.7.2-P2
