
ACOS 5.2.1-P3
Command Line Interface Reference for ADC
December, 2021

© 2021 A10 Networks, Inc. CONFIDENTIAL AND PROPRIETARY - ALL RIGHTS RESERVED.


Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks, Inc. products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks, Inc. products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

a10-virtual-patent-marking.

TRADEMARKS
A10 Networks, Inc. trademarks are listed at: a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and the information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks, Inc. or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks, Inc. has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks, Inc. assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks, Inc. for current information regarding its products or services. A10 Networks, Inc. products and services are subject to A10 Networks, Inc. standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest
A10 Networks, Inc. location, which can be found by visiting www.a10networks.com.
Table of Contents
Chapter 1: Overview 25
Chapter 2: Config Commands: SLB 27
Global Configuration Mode 28
slb common 28
slb resource-usage 28
slb resource-usage threshold 32
slb server 32
slb service-group 35
slb ssl-cert-revoke sampling-enable 36
slb ssl-expire-check email-address 38
slb ssl-expire-check exception 39
slb ssl-forward-proxy sampling-enable 39
slb ssl-module 40
slb svm-source-nat pool 41
slb template 42
slb transparent-acl-template 42
slb transparent-tcp-template 43
slb virtual-server 44
SLB Common Configuration Commands 48
aflex-table-entry-aging-intreval 50
aflex-table-entry-sync 50
buff-thresh 52
compress-block-size 53
conn-rate-limit src-ip 53
ddos-protection 55
ddos-protection logging 56
ddos-protection packets-per-second 56
disable-adaptive-resource-check 57
disable-server-auto-reselect 57
dns-cache-age 58
dns-cache-enable 59

3
Contents
ACOS 5.2.1-P3 Command Line Reference for ADC

dns-cache-entry-size 60
dns-response-rate-limiting 61
dns-vip-stateless 61
drop-icmp-to-vip-when-vip-down 61
dsr-health-check-enable 62
ecmp-hash 62
enable-l7-req-acct 63
extended-stats 63
fast-path-disable 64
gateway-health-check 64
graceful-shutdown 65
honor-server-response-ttl 66
hw-compression 67
hw-syn-rr 67
low-latency 68
l2l3-trunk-lb-disable 68
max-buff-queued-per-conn 69
max-http-header-count 69
msl-time 69
mss-table 70
no-auto-up-on-aflex 71
rate-limit-logging 71
reset-stale-session 72
scale-out 73
service-group-on-no-dest-nat-vports 73
snat-gwy-for-l3 74
snat-on-vip 74
sort-res 75
ssli-sni-hash-enable 77
stats-data-disable 77
stateless-sg-multi-binding 77
use-mss-tab 78


Chapter 3: Config Commands: SLB Templates 79


slb template cache 82
slb template cipher 82
slb template client-ssl 84
slb template connection-reuse 84
slb template dblb 86
slb template diameter 86
slb template dns 94
slb template dns-logging 111
slb template doh 115
slb template dynamic-service 123
slb template external-service 124
slb template fix 129
slb template ftp 131
slb template http 131
slb template http-policy 152
slb template link-cost 161
slb template imap-pop3 163
slb template logging 164
slb template monitor 165
slb template link-probe 167
destination hostname 168
destination hostname target 169
probe-interval 170
probes-per-test 170
rtt-method 171
selection-rule 171
test-interval 172
user-tag 173
expected-status-code 173
url 174
show slb link-probe 174
slb template persist cookie 178


slb template persist destination-ip 184


slb template persist source-ip 189
slb template persist ssl-sid 195
slb template policy 196
slb template port 196
slb template reqmod-icap 197
slb template respmod-icap 197
slb template server 197
slb template server-ssl 197
slb template sip (over UDP) 197
slb template sip (over TCP/TLS) 197
slb template smpp 197
slb template smtp 197
slb template ssli 198
slb template tcp 198
slb template tcp-proxy 198
slb template udp 198
slb template virtual-port 198
slb template virtual-server 198

Chapter 4: Config Commands: SLB Cache Templates 199


Global Configuration Commands 200
slb template cache 200
SLB Cache Template Configuration Commands 202
accept-reload-req 202
age 203
default-policy-nocache 203
disable-insert-age 204
disable-insert-via 204
max-cache-size 204
max-content-size 205
min-content-size 205
policy 206
remove-cookies 206


replacement-policy LFU 207


template logging 207
verify-host 208

Chapter 5: Config Commands: SLB Client SSL Templates 209


Global Configuration Commands 210
slb template client-ssl 210
SLB Client SSL Template Configuration Commands 213
auth-username 216
auth-username-attribute 217
authorization 217
certificate 218
cipher 219
client-certificate 220
client-certificate-Request-CA 221
close-notify 222
crl 222
dh-param 223
direct-client-server-auth 223
disable-sslv3 224
early-data 224
ec-name 225
enable-ssli-ftp-alg 226
enable-tls-alert-logging fatal 226
forward-proxy-alt-sign cert 226
forward-proxy-block-message 227
forward-proxy-bypass ad-group-list 228
forward-proxy-bypass case-insensitive 228
forward-proxy-bypass certificate-issuer 229
forward-proxy-bypass certificate-san 230
forward-proxy-bypass certificate-subject 232
forward-proxy-bypass class-list 234
forward-proxy-bypass client-auth 235
forward-proxy-bypass contains 237


forward-proxy-bypass ends-with 237


forward-proxy-bypass equals 238
forward-proxy-bypass exception-ad-group-list 239
forward-proxy-bypass exception-class-list 239
forward-proxy-bypass exception-user-name-list 240
forward-proxy-bypass exception-web-category 240
forward-proxy-bypass exception-web-reputation 241
forward-proxy-bypass require-web-category 242
forward-proxy-bypass starts-with 243
forward-proxy-bypass web-category 244
forward-proxy-bypass web-reputation 244
forward-proxy-ca-certificate 245
forward-proxy-cache-persistence 246
forward-proxy-cert-cache 247
forward-proxy-cert-expiry 248
forward-proxy-cert-ext 249
forward-proxy-cert-not-ready-action 249
forward-proxy-cert-revoke-action 250
forward-proxy-cert-unknown-action 251
forward-proxy-cert-validity 252
forward-proxy-crl-disable 252
forward-proxy-decrypted 253
forward-proxy-esni-action 253
forward-proxy-failsafe-disable 254
forward-proxy-inspect 254
forward-proxy-inspect certificate-issuer 256
forward-proxy-inspect certificate-san 257
forward-proxy-inspect certificate-subject 257
forward-proxy-log-disable 258
forward-proxy-no-shared-cipher-action 258
forward-proxy-no-sni-action 259
forward-proxy-ocsp-disable 259
forward-proxy-require-sni-cert-matched 259


forward-proxy-selfsign-redir 260
forward-proxy-source-nat 261
forward-proxy-ssl-version 261
forward-proxy-trusted-ca 262
forward-proxy-verify-cert-fail-action 263
handshake-logging-enable 263
hsm-param 264
local-logging 264
non-ssl-bypass 264
ocsp-stapling 265
renegotiation-disable 266
server-name 266
server-name-auto-map 267
server-name-regex 268
server-name-bypass 269
session-cache-size 270
session-cache-timeout 271
session-ticket-lifetime 271
session-ticket-disable 272
ssl-false-start-disable 272
ssli-logging 273
sslv2-bypass 273
template 274
version 274

Chapter 6: Config Commands: SLB Server SSL 277


Global Configuration Commands 278
slb template server-ssl 278
SLB Server-SSL Template Configuration Commands 281
ca-cert 282
certificate 282
cipher 284
close-notify 284
crl 285


dh-param 285
early-data 285
ec-name 286
enable-ssli-ftp-alg 286
enable-tls-alert-logging fatal 287
forward-proxy-enable 287
handshake-logging-enable 287
ocsp-stapling 288
renegotiation-disable 288
server-certificate-error 288
server-name 289
session-cache-size 289
session-cache-timeout 290
session-ticket-enable 290
ssli-logging 291
template cipher 291
use-client-sni 292
version 292

Chapter 7: Config Commands: SLB Policy Templates 295


Global Configuration Commands 296
slb template policy 296
SLB Policy Template Configuration Mode Commands 299
bw-list id 299
bw-list name 301
bw-list over-limit 301
bw-list timeout 302
bw-list use-destination-ip 302
class-list 303
forward-policy 305
geo-location full-domain-tree 316
geo-location overlap 316
geo-location share 317
SLB Policy Template Class-List LID Configuration Commands 318


action 318
bw-rate-limit 320
conn-limit 320
conn-rate-limit 321
over-limit-action 322
request-limit 323
request-rate-limit 323
response-code-rate-limit 324

Chapter 8: Config Commands: SLB Real Port Templates 327


Global Configuration Commands 328
slb template port 328
SLB Port Template Configuration Commands 330
bw-rate-limit 330
conn-limit 331
conn-rate-limit 332
dampening-flaps 333
del-session-on-server-down 334
dest-nat 334
down-grace-period 334
dscp 335
dynamic-member-priority 336
extended-stats 337
health-check 337
health-check-disable 338
inband-health-check 338
no-ssl 340
request-rate-limit 341
slow-start 342
source-nat 343
stats-data-disable 343
stats-data-enable 344
weight 344


Chapter 9: Config Commands: SLB REQMOD ICAP Templates 345


Global Configuration Commands 346
slb template reqmod-icap 346
SLB REQMOD ICAP Template Configuration Commands 348
allowed-http-methods 348
disable-http-server-reset 349
fail-close 350
include-protocol-in-uri 350
log-only-allowed-method 350
min-payload-size 351
preview 351
service-group 352
service-url 352
template 353

Chapter 10: Config Commands: SLB RESPMOD ICAP Templates 355


Global Configuration Commands 356
slb template respmod-icap 356
SLB RESPMOD ICAP Template Configuration Commands 358
disable-http-server-reset 358
fail-close 358
include-protocol-in-uri 359
log-only-allowed-method 359
min-payload-size 359
preview 360
service-group 360
service-url 361
template 361

Chapter 11: Config Commands: SLB Server Templates 363


Global Configuration Commands 364
slb template server 364
SLB Server Template Configuration Mode Commands 366
bw-rate-limit 366
bw-rate-limit-acct 367


conn-limit 368
conn-rate-limit 368
dns-query-interval 369
dynamic-server-prefix 370
extended-stats 370
health-check 370
health-check-disable 371
log-selection-failure 371
max-dynamic-server 371
min-ttl-ratio 372
slow-start 372
spoofing-cache 374
stats-data-enable 374
stats-data-disable 375
weight 375

Chapter 12: Config Commands: SLB SIP Templates 377


Global Configuration Commands 378
slb template sip (over UDP) 378
slb template sip (over TCP/TLS) 379
SLB SIP (Over UDP) Template Configuration Mode Commands 380
alg-dest-nat 380
alg-source-nat 381
call-id-persist-disable 381
client-request-header erase 382
client-request-header insert 382
client-response-header erase 383
client-response-header insert 384
dialog-aware 385
exclude-translation 385
insert-client-ip 385
keep-server-ip-if-match-acl 386
registrar service-group 386
server-request-header erase 387


server-request-header insert 387


server-response-header erase 388
server-response-header insert 389
timeout 390
SLB SIP (Over TCP/TLS) Template Configuration Mode Commands 391
alg-dest-nat 392
alg-source-nat 392
call-id-persist-disable 392
client-keepalive 393
client-request-header erase 393
client-request-header insert 393
client-response-header erase 394
client-response-header insert 395
dialog-aware 396
exclude-translation 396
failed-client-selection 397
failed-server-selection 398
insert-client-ip 398
server-keep-alive 399
server-request-header erase 399
server-request-header insert 400
server-response-header erase 401
server-response-header insert 401
server-selection-per-request 402
smp-call-id-rtp-session 403
timeout 404

Chapter 13: Config Commands: SLB SMPP Templates 405


Global Configuration Commands 406
slb template smpp 406
SLB SMPP Template Configuration Commands 407
client-enquire-link 407
server-enquire-link 407
server-selection-per-request 408


user 408

Chapter 14: Config Commands: SLB SMTP Templates 411


Global Configuration Commands 412
slb template smtp 412
SLB SMTP Template Configuration Commands 414
client-domain-switching 414
command-disable 415
server-domain 416
service-ready-msg 416
starttls 417

Chapter 15: Config Commands: SLB SSLi Templates 419


Global Configuration Commands 420
slb template ssli 420
SLB SSLi Template Configuration Mode Commands 421
type 421

Chapter 16: Config Commands: SLB TCP Templates 423


Global Configuration Commands 424
slb template tcp 424
SLB TCP Template Configuration Mode Commands 426
del-session-on-server-down 426
force-delete-timeout 427
force-delete-timeout-100ms 427
half-open-idle-timeout 428
idle-timeout 429
initial-window-size 429
insert-client-ip 430
lan-fast-ack 430
qos 431
reset-follow-fin 431
reset-fwd 432
reset-rev 432


Chapter 17: Config Commands: SLB TCP Proxy Templates 435


Global Configuration Commands 436
slb template tcp-proxy 436
SLB TCP Proxy Template Configuration Commands 438
ack-aggressiveness 439
backend-wscale 440
del-session-on-server-down 440
disable-abc 441
disable-sack 441
disable-tcp-timestamps 441
disable-window-scale 442
dynamic-buffer-allocation 442
early-retransmit 443
fin-timeout 443
force-delete-timeout 443
force-delete-timeout-100ms 444
half-close-idle-timeout 445
half-open-idle-timeout 445
idle-timeout 446
init-cwnd 446
initial-window-size 447
insert-client-ip 448
invalid-rate-limit 448
keepalive-interval 449
keepalive-probes 450
limited_slowstart 451
maxburst 451
min-rto 452
mss 452
nagle 453
proxy-header 453
psh-flag-optimization 454
qos 454


reassembly-limit 455
reassembly-timeout 455
receive-buffer 456
reno 456
reset-fwd 457
reset-rev 457
retransmit-retries 458
syn-retries 458
timewait 459
transmit-buffer 459

Chapter 18: Config Commands: SLB UDP Templates 461


Global Configuration Commands 462
slb template udp 462
SLB UDP Template Configuration Mode Commands 463
aging 463
idle-timeout 464
qos 464
re-select-if-server-down 465
stateless-conn-timeout 466

Chapter 19: Config Commands: SLB Virtual Port Templates 467


Global Configuration Commands 468
slb template virtual-port 468
SLB Virtual Port Template Configuration Commands 471
aflow 471
allow-syn-otherflags 472
allow-vip-to-rport-mapping 472
conn-limit 473
conn-rate-limit 474
drop-unknown-conn 475
dscp 475
ignore-tcp-msl 476
non-syn-initiation 477
pkt-rate-limit 477


reset-l7-on-failover 479
reset-unknown-conn 479
snat-msl 480
snat-port-preserve 480

Chapter 20: Config Commands: SLB Virtual Server Templates 483


Global Configuration Commands 484
slb template virtual-server 484
SLB Virtual Server Template Configuration Commands 486
conn-limit 486
conn-rate-limit 487
icmp-rate-limit 488
icmpv6-rate-limit 489
subnet-gratuitous-arp 490
disable-when-all-ports-down 491

Chapter 21: Config Commands: SLB Servers 493


alternate 495
clear slb unused-server-ports 495
clear slb virtual-server 497
conn-limit 500
conn-resume 500
disable 501
disable-with-health-check 501
enable 502
extended-stats 503
external-ip 503
health-check 503
health-check-disable 504
ipv6 504
port 504
slow-start 512
spoofing-cache 513
support-http2 513


stats-data-disable 514
stats-data-enable 514
template server 514
weight 515

Chapter 22: Config Commands: SLB Service Groups 517


backup-server-event-log 518
extended-stats 519
health-check 520
health-check-disable 521
member 521
method 525
min-active-member 537
priority 539
priority-affinity 541
reset auto-switch 541
reset-on-server-selection-fail 542
sample-rsp-time 542
stats-data-disable 543
stats-data-enable 543
strict-select 543
template 544
traffic-replication-type 544

Chapter 23: Config Commands: SLB Virtual Servers 547


arp-disable 549
description 549
disable 549
disable-when-all-ports-down 550
disable-when-any-port-down 550
enable 551
extended-stats 551
port 551
redistribution-flagged 555
stats-data-disable 555


stats-data-enable 556
template client-ssl 556
template logging 556
template policy 556
template scaleout 557
template server 557
template virtual-server 558
vrid 558

Chapter 24: Config Commands: SLB Virtual Server Ports 559


aaa-policy 561
access-list 561
aflex 563
aflex-table-entry-sync 564
alternate 564
attack-detection 565
bucket-count 566
clientip-sticky-nat 566
conn-limit 566
def-selection-if-pref-failed 568
def-selection-if-pref-failed-disable 569
disable 569
enable 569
extended-stats 570
force-routing-mode 570
ha-conn-mirror 570
ip-map-list 571
ipinip 572
message-switching 572
name 572
no-auto-up-on-aflex 572
no-dest-nat 573
optimization-level 574
rate-limit-pr-log 575


redirect-fwd 576
redirect-rev 576
redirect-to-https 577
reply-acme-challenge 577
reset-on-server-selection-fail 578
rtp-sip-call-id-match 578
service-group 579
skip-rev-hash 579
snat-on-vip 580
source-nat auto 580
source-nat pool 584
source-nat use-cgnv6 585
support-http2 585
stats-data-disable 586
stats-data-enable 586
syn-cookie 586
template 587
template virtual-port 588
use-default-if-no-server 589
use-rcv-hop-for-resp 589

Chapter 25: Config Commands: Health Monitors 593


disable-after-down 594
dsr-l2-strict 594
health external 594
interval 596
method 596
override-ipv4 619
override-ipv6 620
override-port 620
passive 621
retry 623
ssl-ciphers 623
ssl-ticket 624


ssl-ticket lifetime 624


ssl-version 625
strictly-retry-on-server-error-response 626
up-retry 626

Chapter 26: Config Commands: Web Category 629


web-category 630

Chapter 27: SLB Show Commands 643


show slb aflow 646
show slb attack-prevention 646
show slb cache 647
show slb compression 657
show slb connection-reuse 657
show slb conn-rate-limit 660
show slb ddos-protection l4-entries 661
show slb ddos-protection statistics 662
show slb diameter 663
show slb fast-http-proxy 669
show slb fix 672
show slb ftp 674
show slb ftp-proxy 675
show slb generic-proxy 675
show slb geo-location 676
show slb http-proxy 677
show slb 688
show slb hw-compression 698
show slb icap 699
show slb icap-http 701
show slb l4 703
show slb mlb 719
show slb mssql 719
show slb mysql 722
show slb passthrough 724
show slb persist 724


show slb pop3-proxy 727


show slb rate-limit-logging 728
show slb resource-usage 731
show slb server 732
show slb service-group 750
show slb sip 758
show slb smpp 761
show slb smtp 769
show slb spdy-proxy 773
show slb ssl 775
show slb ssl-cert-revoke-stats 781
show slb ssl-counters 784
show slb ssl-crl 788
show slb ssl-expire-check 789
show slb ssl-cert-pinning-candidate-list 790
show slb ssl-forward-proxy-cert 791
show slb ssl-forward-proxy-stats 793
show slb ssl-ocsp cache 794
show slb ssl-ocsp cache detail 795
show slb switch 796
show slb syn-cookie 804
show slb syn-cookie-buffer 805
show slb tcp stack 805
show run slb template 807
show slb template policy forward-policy-stats 809
show slb virtual-server 811
show web-category 828
show web-reputation 831

Chapter 28: ADC support on Chassis 835


chassis-application-type 836
Key Considerations 836

Chapter 1: Overview
This reference lists the ACOS CLI commands that apply specifically to Application Delivery
Controller (ADC) or Server Load Balancing (SLB) features.

Common commands available at all configuration levels (clear, debug, do, end, exit, no, show,
write) are described in the Command Line Interface Reference.

For detailed information about system-level commands or using the CLI, refer to the Command Line Interface Reference guide.

Chapter 2: Config Commands: SLB
This section lists the commands and sub-commands to configure SLB common parameters. In some cases, the commands create an SLB configuration item and change the CLI to the configuration level for that item.

The following topics are covered:

Global Configuration Mode 28

SLB Common Configuration Commands 48


Global Configuration Mode


The following topics are covered:

slb common 28

slb resource-usage 28

slb resource-usage threshold 32

slb server 32

slb service-group 35

slb ssl-cert-revoke sampling-enable 36

slb ssl-expire-check email-address 38

slb ssl-expire-check exception 39

slb ssl-forward-proxy sampling-enable 39

slb ssl-module 40

slb svm-source-nat pool 41

slb template 42

slb transparent-acl-template 42

slb transparent-tcp-template 43

slb virtual-server 44

slb common
Description Access the SLB configuration level for system-wide SLB parameters.

Syntax slb common

This command changes the CLI to the SLB common configuration level
for system-wide SLB parameters, where the commands in SLB Common
Configuration Commands are available.

NOTE: Commands in SLB common configuration mode are only available in the shared partition.

Mode Configuration mode

slb resource-usage


Description Change the capacity of an SLB resource.

Syntax [no] slb resource-usage resource-type

The following table lists the valid resource types and values.

Resource Type                    Description and Acceptable Values
cache-template-count             Total number of configurable HTTP cache templates (32-2048) in the system.
client-ssl-template-count        Total number of configurable client SSL templates (32-8192) in the system.
conn-reuse-template-count        Total number of connection reuse templates (32-4096) in the system.
fast-tcp-template-count          Total number of configurable Fast TCP templates (32-4096) in the system.
fast-udp-template-count          Total number of configurable Fast UDP templates (32-4096) in the system.
fix-template-count               Total number of configurable FIX templates (32-4096) in the system.
health-monitor-count             Total number of health monitors (512-2048) in the system.
http-template-count              Total number of configurable HTTP templates (32-4096).
link-cost-template-count         Total number of configurable link-cost templates in the system.
nat-pool-addr-count              Total number of source IP NAT pools (500-2000) in the system (deprecated).
pbslb-subnet-count               Total number of PBSLB subnets in the system (the number depends on the amount of memory on your system).
persist-cookie-template-count    Total number of persistent cookie templates (32-4096) in the system.
persist-srcip-template-count     Total number of persistent source IP templates (32-4096) in the system.
proxy-template-count             Total number of configurable proxy templates (32-4096) in the system.
real-port-count                  Total number of real server ports (512-16384) in the system.
real-server-count                Total number of real servers (512-8192) in the system.
server-ssl-template-count        Total number of server SSL templates (32-8192) in the system.
service-group-count              Total number of service groups (512-8192) in the system.
stream-template-count            Total number of configurable streaming media templates (32-4096) in the system.
virtual-port-count               Total number of virtual ports (256-8192) in the system.
virtual-server-count             Total number of virtual servers (512-4096) in the system.
substitute-source-mac            Specifies that the client (source) MAC address of the packet sent to the load balancing server is replaced with the MAC address of the outgoing interface (for example, an ACOS device). This allows real servers in a load balancing environment to make web cache or security device responses to the source MAC of the ACOS device.

Default The default maximum number for each type of system resource depends on the specific device model. To display the defaults and current values for your device, enter the show system resource-usage command.

Mode Configuration mode

Usage These SLB resources are configurable at the system level and not limited to the partition level. The maximum number of resources you can configure depends on the resource type and the specific ACOS device. To display the range of values that are valid for a resource, enter a question mark instead of a quantity.
• For these SLB templates, the maximum is 256 each, and is not configurable:
  • SIP
  • SMTP
  • Policy (PBSLB)
• For RAM caching templates, the total number allowed is 128 each.
• The maximum number of health monitors is 1024 (not configurable).
• The total number of wildcard VIPs allowed is 200 and is not configurable.
• For every type of system resource that has a default, the ACOS device reserves one instance of the resource. For example, the device allows 256 RAM caching templates. However, the device reserves one RAM caching template for the default template, which leaves a maximum of 255 additional configurable RAM caching templates.

The substitute-source-mac option is available at the virtual port level as described in slb virtual-server. It replaces the source MAC of the client in a L2 setting at the global level.

Example ACOS# slb common
ACOS(config-common)# substitute-source-mac

slb resource-usage threshold

Description Specifies the utilization percentage at which the device issues a log message and SNMP notification for SLB resources. The slb resource-usage command configures the capacity of the SLB resources affected by this command.

Syntax [no] slb resource-usage threshold percentage

percentage     Specifies the usage that triggers a log message and SNMP notification, as a percentage of resource capacity. Value range is 1 through 99.

Default A default value of 0% is applied when the command is not configured.

Mode Configuration mode

Example This example configures capacity maximums for virtual ports (2000) and virtual servers (400), then specifies the number of configured ports (1200) and servers (240) that triggers a log message and notification. While this example explicitly demonstrates the threshold command's effect on these two resources, it affects device behavior for all resources controlled by the slb resource-usage command.
ACOS(config)# slb resource-usage virtual-port-count 2000
Changes will come into effect next time you reload the Software.
ACOS(config)# slb resource-usage virtual-server-count 400
Changes will come into effect next time you reload the Software.
ACOS(config)# slb resource-usage threshold 60
ACOS(config)#

slb server
Description Configure a real server. Use the first command shown in the example below to create or delete a server. Use the second command to edit a server.

The "no" form of this command removes an existing real server.

Syntax [no] slb server server-name {ipaddr | hostname | use-aam-server}

Parameter        Description
server-name      Specify the server name, 1-63 characters. If you want to rename the server, use the rename global configuration command.
hostname         Specify the fully-qualified hostname, for dynamic real server creation.
ipaddr           Specify the IP address of the server (IPv4 or IPv6). This is required only if you are creating a new server.
ethernet         Specify the ethernet interface. This must be an ethernet virtual wire endpoint or a member of a virtual-wire-ethernet-group. If the server is selected, then the traffic will go out through the ethernet interface.
use-aam-server   Allow the SLB server to reuse the same AAM authentication server (IP address). The authentication server can be LDAP, OCSP, RADIUS, or Kerberos. Similarly, the IP can be the hostname, IPv4 address, or IPv6 address.
                 NOTE: The real server is created after binding the authentication server to the authentication service group. Also, you must enable health check on the authentication server.
                 For more information, refer to the Application Access Management guide.

Default N/A

Mode Configuration mode

Usage This command creates a new or edits an existing real server and changes the CLI to the server configuration level (see Config Commands: SLB Servers).
A new real server is created, if required, by adding a server to a service group, obviating the need to explicitly create a real server prior to adding it to a group. The IP address of the server can be in either IPv4 or IPv6 format.
The maximum number of real servers is configurable. See slb resource-usage.

Example The following example creates a new real server with an IPv4 address:
ACOS(config)# slb server rs1 10.10.10.99
ACOS(config-real server)#

Example The following example creates a new real server with an IPv6 address:
ACOS(config)# slb server rs2 2020:3e8::3
ACOS(config-real server)#

Example The following commands configure a hostname server for dynamic server creation using DNS, add a port to it, and bind the server template to it. To create the temp-server template, use the slb template server command.
ACOS(config)# slb server s-test1 s1.test.com
ACOS(config-real server)# template server temp-server
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

Example The following example creates a real server associated with an ethernet interface:
ACOS(config)# slb server rs2 ethernet 2
ACOS(config-real server)# port 80 tcp

Example The following example allows the SLB server to reuse the same AAM authentication server (IPv4 address):
ACOS(config)#slb server 192.168.90.136 use-aam-server
ACOS(config-real server)# port 389 tcp
slb service-group
Description Configure an SLB service group.

Syntax [no]slb service-group group-name {tcp | udp}

Parameter Description

group-name Name of the group, 1-127 characters.

To rename the service group, use the rename global configuration command.

tcp | udp Application type of the group.

Default There are no service groups configured by default.

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing ser-
vice group. The CLI changes to the configuration level for the service
group. See Config Commands: SLB Service Groups.

Example The following example adds TCP service group “my-service-group”:
ACOS(config)# slb service-group my-service-group tcp
ACOS(config-slb svc group)#

slb ssl-cert-revoke sampling-enable
Description Enable the AXAPI to show sampled SSL revoked certificate statistics.

Syntax [no] slb ssl-cert-revoke sampling-enable counter-type

Counter-Type Parameter Value          Statistic Type

all                                   All of the counter types below
ocsp_stapling_response_good           OCSP stapling response good
ocsp_chain_status_good                Certificate chain status good
ocsp_chain_status_revoked             Certificate chain status revoked
ocsp_chain_status_unknown             Certificate chain status unknown
ocsp_request                          OCSP requests
ocsp_response                         OCSP responses
ocsp_connection_error                 OCSP connection errors
ocsp_uri_not_found                    OCSP URI not found
ocsp_uri_https                        OCSP URI uses HTTPS
ocsp_uri_unsupported                  OCSP URI unsupported
ocsp_response_status_good             OCSP response status good
ocsp_response_status_revoked          OCSP response status revoked
ocsp_response_status_unknown          OCSP response status unknown
ocsp_cache_status_good                OCSP cache status good
ocsp_cache_status_revoked             OCSP cache status revoked
ocsp_cache_miss                       OCSP cache miss
ocsp_cache_expired                    OCSP cache expired
ocsp_other_error                      OCSP other errors
ocsp_response_no_nonce                OCSP response without a nonce
ocsp_response_nonce_error             OCSP response nonce error
crl_request                           CRL requests
crl_response                          CRL responses
crl_connection_error                  CRL connection errors
crl_uri_not_found                     CRL URI not found
crl_uri_https                         CRL URI uses HTTPS
crl_uri_unsupported                   CRL URI unsupported
crl_response_status_good              CRL response status good
crl_response_status_revoked           CRL response status revoked
crl_response_status_unknown           CRL response status unknown
crl_cache_status_good                 CRL cache status good
crl_cache_status_revoked              CRL cache status revoked
crl_other_error                       CRL other errors

Default Not set

Mode Configuration mode


Example ACOS(config)# slb ssl-cert-revoke sampling-enable all

slb ssl-expire-check email-address
Description Configure email notification for certificate expiration.

Syntax [no] slb ssl-expire-check email-address address [...]
[before days] [interval days]

Parameter Description

address Specifies the email addresses to which to send the notifications.
You can specify up to 2 email addresses, separated by a space.

before days Specifies how many days before expiration to begin sending
notification emails. You can specify 1-60. The default is 5 days.

Parameter Description

interval days Specifies how many days after expiration to continue sending
notification emails. You can specify 1-5. The default is 2 days.

Default Not set

Mode Configuration mode

Usage One notification is sent per day. If a certificate is replaced before it
expires, or before the configured post-expiration interval has elapsed, no
further notification emails are sent for that certificate.

Example The following command enables certificate notifications to be sent to
email address “admin1@example.com”. Expiration notifications are sent
beginning 4 days before expiration and continue for 3 days after
expiration.
ACOS(config)# slb ssl-expire-check email-address admin1@example.com before 4 interval 3

slb ssl-expire-check exception
Description Exclude specific certificates from expiration notification emails.

Syntax [no] slb ssl-expire-check exception {add cert-name | delete cert-name | clean}

Parameter Description

add cert-name Adds a certificate to the exception list.

delete cert-name Removes a certificate from the exception list.

clean Removes all certificates from the exception list.

Default Not set

Mode Configuration mode

slb ssl-forward-proxy sampling-enable
Description Enable sampling of SSL forward-proxy events for display in the GUI or for
query by the AXAPI.

Syntax [no] slb ssl-forward-proxy sampling-enable


{all | cert_create | cert_expr | cert_hit | cert_miss |
conn_bypass | conn_inspect}

Parameter Description

all Enable sampling of all forward-proxy event types.

cert_create Enable sampling of the rate at which certificates are created.

cert_expr Enable sampling of the rate at which created certificates are
expiring.

cert_hit Enable sampling of the rate at which certificate requests match
cached certificates.

cert_miss Enable sampling of the rate at which certificate requests did
not match cached certificates.

conn_bypass Enable sampling of the rate at which SSL sessions bypass
inspection.

conn_inspect Enable sampling of the rate at which SSL sessions are
inspected.

Default Sampling of SSL forward-proxy statistics is disabled.

Mode Configuration mode

slb ssl-module
Description Switch the SSL module mode.

Syntax [no] slb ssl-module {software | software-tls13 | QAT | N5-old | N5-new}

Parameter Description

software Switch to the software-assisted SSL module.

software-tls13 Switch to the software-assisted SSL module with TLS 1.3
support.

QAT Switch to the hardware-assisted QuickAssist Technology (QAT) SSL
module.

N5-old Switch to the hardware-assisted Nitrox V (N5) SSL module with TLS
1.2 support using OpenSSL 0.9.7.

N5-new Switch to the hardware-assisted Nitrox V (N5) SSL module with TLS
1.2 and 1.3 support using OpenSSL 1.1.1.

NOTE:
  • The QAT and N5 options are SSL hardware-assisted acceleration modules,
    not on-board SSL processors.
  • Reboot the system after configuring the option for it to take effect.

Default SSL module is not configured.

Mode Configuration mode

Example The following example switches to the hardware-assisted QAT SSL module
(reboot afterwards for the change to take effect):
ACOS(config)# slb common
ACOS(config-common)# ssl-module QAT

slb svm-source-nat pool
Description Configure the source-NAT pool used in OCSP verification of server
certificates. SVM stands for Server Verification Module.

Syntax [no] slb svm-source-nat pool svm-pool-name

Default None

Mode Global Configuration Mode

slb template
Description Configure an SLB template.

Syntax [no] slb template template-type template-name

Parameter Description

template-type Type of template. For a list, enter the following command:
slb template ?

(For information about SLB templates, see Config Commands: SLB Templates.)

template-name Name of the template.

Default The templates have default settings, and some template types are auto-
matically added to a virtual port depending on its service type. For inform-
ation, see the Application Delivery Controller Guide.

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing tem-
plate. The CLI changes to the configuration level for the template. See
Config Commands: SLB Templates.
The no form of this command removes an existing template.
The maximum number of templates is configurable. See slb resource-
usage.

Example The following command creates a TCP-proxy template named “proxy1”:
ACOS(config)# slb template tcp-proxy proxy1
ACOS(config-tcp proxy)#

slb transparent-acl-template
Description Set the idle timeout value for ACL-related pass-through TCP sessions.
A pass-through TCP session is one that is not terminated by the ACOS
device (for example, a session for which the ACOS device is not serving
as a proxy for SLB).

Syntax [no] slb transparent-acl-template template-name

Replace template-name with the name of an existing TCP template (1-63
characters).
To create a TCP template, use the slb template tcp command.

Default The default idle timeout for pass-through TCP sessions is 30 minutes.
The default idle timeout in TCP templates is 120 seconds.

Mode Configuration mode

Usage Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300
seconds. This is true even if the idle timeout in the TCP template itself is
set to a higher value. Higher idle timeout values apply only to SLB
sessions, not to transparent sessions. This is because transparent
sessions are stateless and can be recreated if timed out.

Example The following command configures the default TCP template, setting the
idle timeout value to 15000 seconds. This template (and thus, idle timeout
value) are then applied to ACL-related pass-through TCP sessions:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# idle-timeout 15000
ACOS(config-l4 tcp)# exit
ACOS(config)# slb transparent-acl-template default

Related Commands slb template tcp, slb transparent-tcp-template

slb transparent-tcp-template
Description Set the idle timeout value for pass-through TCP sessions.
A pass-through TCP session is one that is not terminated by the ACOS
device (for example, a session for which the ACOS device is not serving
as a proxy for SLB).

Syntax [no] slb transparent-tcp-template template-name

Replace template-name with the name of an existing TCP template (1-63
characters).
To create a TCP template, use the slb template tcp command.

Default The default idle timeout for pass-through TCP sessions is 30 minutes.
The default idle timeout in TCP templates is 120 seconds.

Mode Configuration mode

Usage Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300
seconds. This is true even if the idle timeout in the TCP template itself is
set to a higher value. Higher idle timeout values apply only to SLB
sessions, not to transparent sessions. This is because transparent
sessions are stateless and can be recreated if timed out.

Example The following command configures the default TCP template, setting the
idle timeout value to 15000 seconds. This template (and thus, idle timeout
value) are then applied to pass-through TCP sessions:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# idle-timeout 15000
ACOS(config-l4 tcp)# exit
ACOS(config)# slb transparent-tcp-template default

Related Commands slb template tcp, slb transparent-acl-template

slb virtual-server
Description Configure a virtual server.

Syntax [no] slb virtual-server name
    [use-if-ip {ethernet num | loopback num}] |
    [ipv6-addr [ipv6-acl acl-name]] |
    [ipv4-addr [/mask-length | subnet-mask] [acl acl-name]]
    [substitute-source-mac [ignore-global]]
    [gtp-session-lb]

Parameter Description

name Virtual server name, 1-127 characters.

To rename the virtual server, use the rename global configuration command.

use-if-ip Use the IP address of the specified interface.

This option is used on vThunder systems only.

Parameter Description

ipv6-addr IPv6 address of the virtual server.

If you are configuring an IPv6 wildcard VIP, enter :: as the IP address.

Use the ipv6-acl acl-name option to specify the IP addresses to be handled
as wildcard VIPs. (For more information, see the “Wildcard VIPs” chapter in
the Application Delivery Controller Guide.)

After you have created a virtual server, you can use this command to
change the IP address associated with this name.

ipv4-addr IPv4 address of the virtual server.

If you are configuring a wildcard VIP, enter 0.0.0.0 as the IP address.

Use the acl acl-name option to specify the IP addresses to be handled as
wildcard VIPs. (For more information, see the “Wildcard VIPs” chapter in
the Application Delivery Controller Guide.)

After you have created a virtual server, you can use this command to
change the IP address associated with this name.

To configure a contiguous set of IPv4 VIPs, specify the subnet mask or
mask length. The specified ipv4-addr is the starting IP address of this
set of VIPs.

Parameter Description

substitute-source-mac Replaces the client (source) MAC address of packets
sent to the real server with the MAC address of the ACOS device's outgoing
interface. This lets real servers, web caches, or security devices in the
load-balancing path send their responses to the source MAC of the ACOS
device.

Use the ignore-global option to ignore the global setting and prevent the
virtual port from changing the source MAC address.

gtp-session-lb Configure GTP session load balancing for the SLB virtual
server. Enables stateful parsing of the GTP payload so that multiple
requests on the same 5-tuple can be correctly load balanced to different
servers.

Default N/A

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing vir-
tual server and related load balancing configurations and parameters.
The CLI changes to the configuration level for the virtual server. See Con-
fig Commands: SLB Virtual Servers.
The “no” form of this command removes an existing virtual server.
The maximum number of virtual servers is configurable. See slb
resource-usage.

Notes on VIP Ranges


• The IP addresses in the specified subnet range can not belong to an
IP interface, real server, or other virtual server configured on the
ACOS device.
• The largest supported IPv4 subnet length is /16.
• Statistics are aggregated for all VIPs in the subnet virtual server.
• The current release supports this feature only for DNS ports on the
default DNS port number (TCP port 53 or UDP port 53).

Example The following commands configure a new virtual server named “vs1” and
associate virtual ports, service group, and enable GTP sessions for server
load balancing.
ACOS(config)# slb virtual-server vs1 10.10.2.1
ACOS(config-slb vserver)# port 2123 udp
ACOS(config-slb vserver: vport)# service-group sg1
ACOS(config-slb vserver: svcgrp)# gtp-session-lb

SLB Common Configuration Commands


To access SLB common mode, use the slb common command from global configuration mode:
ACOS(config)# slb common
ACOS(config-common)#

Some commands in SLB common configuration mode are only available in the
shared partition; commands that are not available in L3V partitions are
noted below.

The following topics are covered:

aflex-table-entry-aging-interval 50

aflex-table-entry-sync 50

buff-thresh 52

compress-block-size 53

conn-rate-limit src-ip 53

ddos-protection 55

ddos-protection logging 56

ddos-protection packets-per-second 56

disable-adaptive-resource-check 57

disable-server-auto-reselect 57

dns-cache-age 58

dns-cache-enable 59

dns-cache-entry-size 60

dns-response-rate-limiting 61

dns-vip-stateless 61

drop-icmp-to-vip-when-vip-down 61

dsr-health-check-enable 62

ecmp-hash 62

enable-l7-req-acct 63

extended-stats 63

fast-path-disable 64

gateway-health-check 64

graceful-shutdown 65

honor-server-response-ttl 66

hw-compression 67

hw-syn-rr 67

low-latency 68

l2l3-trunk-lb-disable 68

max-buff-queued-per-conn 69

max-http-header-count 69

msl-time 69

mss-table 70

no-auto-up-on-aflex 71

rate-limit-logging 71

reset-stale-session 72

scale-out 73

service-group-on-no-dest-nat-vports 73

snat-gwy-for-l3 74

snat-on-vip 74

sort-res 75

ssli-sni-hash-enable 77

stats-data-disable 77

stateless-sg-multi-binding 77

use-mss-tab 78

NOTE: From the above list, the following commands are unavailable in
L3V partitions:

  • buff-thresh
  • disable-adaptive-resource-check
  • disable-server-auto-reselect
  • dns-vip-stateless
  • drop-icmp-to-vip-when-vip-down
  • dsr-health-check-enable
  • fast-path-disable
  • gateway-health-check
  • hw-syn-rr
  • l2l3-trunk-lb-disable
  • max-buff-queued-per-conn
  • max-http-header-count
  • msl-time
  • mss-table
  • stats-data-disable

aflex-table-entry-aging-interval
Description Configure the aFlex table entry aging interval, in seconds. aFlex
tables are synchronized to the peer ACOS device via VRRP-A.

Syntax [no] aflex-table-entry-aging-interval <1-3600>

Default Disabled

Mode SLB common configuration mode

Example The following command sets the aFlex table entry aging interval to
3000 seconds.
ACOS(config)# slb common
ACOS(config-common)# aflex-table-entry-aging-interval 3000

NOTE: For detailed information about aFlex tables and VRRP-A commands,
refer to the aFleX Scripting Language Reference and Configuring VRRP-A
High Availability guides.

aflex-table-entry-sync
Description Configure which aFlex table entries are synchronized. aFlex tables
are synchronized to the peer ACOS device via VRRP-A.

Syntax [no] aflex-table-entry-sync {max-key-len | max-value-len | min-lifetime}

Parameter Description

max-key-len Specify the maximum aFlex table entry key length to
synchronize. The value can be 0-1000. '0' means that the key length is
not used as a metric to decide whether the entry is synchronized.

max-value-len Specify the maximum aFlex table entry value length to
synchronize. The value can be 0-1000. '0' means that the value length is
not used as a metric to decide whether the entry is synchronized.

min-lifetime Specify the minimum aFlex table entry lifetime to
synchronize. The value can be 0-65535. '0' means that the lifetime is not
used as a metric to decide whether the entry is synchronized.

Default Disabled

Mode SLB common configuration mode

Usage ACOS supports aFlex table synchronization within a VRRP-A cluster, so
that aFlex table state can be recovered on the peer when an ACOS device is
rebooted. The sync message sent to the peer ACOS device carries the key,
the value, the table name, and some other parameters; if their combined
length is less than 1000, the entry is sent to the ACOS standby device.

Example The following commands configure aFlex table entry sync parameters.
ACOS(config)# slb common
ACOS(config-common)# aflex-table-entry-sync
ACOS(config-common-aflex-table-entry-sync)# max-key-len 50
ACOS(config-common-aflex-table-entry-sync)# max-value-len 100
ACOS(config-common-aflex-table-entry-sync)# min-lifetime 3600

NOTE: For detailed information about aFlex tables and VRRP-A commands,
refer to the aFleX Scripting Language Reference and Configuring VRRP-A
High Availability guides.

buff-thresh
Description Fine-tune thresholds for SLB buffer queues.

Do not use this command except under advisement from A10 Networks.

Syntax [no] buff-thresh
    hw-buff num
    relieve-thresh num
    sys-buff-low num
    sys-buff-high num

Parameter Description

hw-buff num IO buffer threshold. For each CPU, if the number of queued
entries in the IO buffer reaches this threshold, fast aging is enabled and
no more IO buffer entries are allowed to be queued on the CPU's IO buffer.

relieve-thresh num Threshold at which fast aging is disabled, to allow IO
buffer entries to be queued again.

sys-buff-low num Threshold of queued system buffer entries at which ACOS
begins refusing new incoming connections.

Parameter Description

sys-buff-high num Threshold of queued system buffer entries at which the
ACOS device drops a connection whenever a packet is received for that
connection.

Default N/A

Mode SLB common configuration mode

compress-block-size
Description Change the default compression block size used for SLB.

Syntax [no] compress-block-size bytes

The bytes option specifies the default compression block size,
6000-32000 bytes.

Default 16000

Mode SLB common configuration mode

Example The following example sets the compression block size to 16000 bytes:
ACOS(config)# slb common
ACOS(config-common)# compress-block-size 16000

conn-rate-limit src-ip
Description Configure source-IP based connection rate limiting.
All connection requests in excess of the connection limit that are
received from a client within the limit period are dropped. This action is
enabled by default when you enable the feature, and can not be
disabled.

NOTE: For configuring connection rate limits on IPv6 traffic, use class
lists. For more information, see “class-list” in the Command Line
Interface Reference and “Understanding Class Lists” in the DDoS
Mitigation Guide for ADC.

Syntax [no] conn-rate-limit src-ip {tcp | udp} conn-limit per {100 | 1000}
[shared] [exceed-action [log] [lock-out lockout-period]]

Parameter Description

tcp | udp Specifies the Layer 4 protocol to which the filter applies.

conn-limit Specifies the connection limit: the maximum number of
connection requests allowed from a client within the limit period. You
can specify 1-1000000 (one million).

per {100 | 1000} Specifies the limit period, the interval to which the
connection limit is applied. A client conforms to the rate limit if the
number of new connection requests within the limit period does not exceed
the connection limit. You can specify 100 milliseconds or 1000
milliseconds.

shared Specifies that the connection limit applies in aggregate to all
virtual ports. If you omit this option, the limit applies separately to
each virtual port.

exceed-action Enables optional exceed actions:

  • log - Generates a log message when a client exceeds the connection
    limit.
  • lock-out lockout-period - Locks out the client for the specified
    number of seconds. During the lockout period, all connection requests
    from the client are dropped. The lockout period can be 1-3600 seconds
    (1 hour). There is no default.

Mode SLB common configuration mode

Example The following commands allow up to 1000 connection requests per one-
second interval from any individual client. If a client sends more than
1000 requests within a given limit period, the client is locked out for 3
seconds. The limit applies separately to each individual virtual port. Log-
ging is not enabled.
ACOS(config)# slb common
ACOS(config-common)# conn-rate-limit src-ip tcp 1000 per 1000 exceed-action lock-out 3

Example The following commands allow up to 2000 connection requests per
100-millisecond interval. The limit applies to all virtual ports together.
Logging is enabled but lockout is not enabled.
ACOS(config)# slb common
ACOS(config-common)# conn-rate-limit src-ip tcp 2000 per 100 shared exceed-action log

Example These commands allow up to 2000 connection requests per
100-millisecond interval. The limit applies to all virtual ports together.
Logging is enabled and lockout is enabled. If a client sends more than 2000
requests within a given limit period, to one or more virtual ports, the
client is locked out for 3 seconds.
ACOS(config)# slb common
ACOS(config-common)# conn-rate-limit src-ip tcp 2000 per 100 shared exceed-action log lock-out 3
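The rate-limit semantics described above, modelled in Python as an added example (not A10 code and not part of this reference): a per-client fixed-window counter keyed per virtual port, or per client across all virtual ports when `shared` is set, with the `log` and `lock-out` exceed actions. The event stream, the log line format, and the choice to lock a client out on every virtual port are assumptions made for the illustration.

```python
"""Model of ACOS source-IP connection rate limiting (conn-rate-limit src-ip).

Added illustration, not A10 code: a fixed-window counter per client (per
virtual port by default, per client across all virtual ports with `shared`),
plus the documented exceed actions `log` and `lock-out`. The event stream
and log format are constructed for the example; the lock-out is modelled as
applying to the client on every virtual port (an assumption).
"""
from dataclasses import dataclass, field


@dataclass
class RateLimitConfig:
    conn_limit: int            # 1-1000000 connection requests per limit period
    period_ms: int             # limit period: 100 or 1000 milliseconds
    shared: bool = False       # True: one counter per client across all vports
    log: bool = False          # exceed-action log
    lockout_s: int = 0         # exceed-action lock-out, 1-3600 s (0 = not set)

    def __post_init__(self) -> None:
        if self.period_ms not in (100, 1000):
            raise ValueError("limit period must be 100 or 1000 ms")
        if not 1 <= self.conn_limit <= 1_000_000:
            raise ValueError("conn-limit must be 1-1000000")
        if not 0 <= self.lockout_s <= 3600:
            raise ValueError("lock-out period must be 1-3600 s")


@dataclass
class RateLimiter:
    cfg: RateLimitConfig
    # counter key -> (window index, requests seen in that window)
    counts: dict = field(default_factory=dict)
    # client -> time (ms) at which its lock-out ends
    locked_until_ms: dict = field(default_factory=dict)
    log_lines: list = field(default_factory=list)

    def _key(self, src_ip: str, vport: int):
        return src_ip if self.cfg.shared else (src_ip, vport)

    def admit(self, now_ms: int, src_ip: str, vport: int) -> bool:
        """Return True if a new connection request is admitted, False if dropped."""
        # A locked-out client has every connection request dropped.
        if now_ms < self.locked_until_ms.get(src_ip, 0):
            return False
        window = now_ms // self.cfg.period_ms
        key = self._key(src_ip, vport)
        seen_window, seen = self.counts.get(key, (window, 0))
        if seen_window != window:
            seen = 0                     # new limit period: counter starts over
        seen += 1
        self.counts[key] = (window, seen)
        if seen <= self.cfg.conn_limit:
            return True
        # Over the limit: excess requests are always dropped; the optional
        # exceed actions fire once, on the first excess request of the period.
        if seen == self.cfg.conn_limit + 1:
            if self.cfg.log:
                self.log_lines.append(
                    f"t={now_ms}ms client {src_ip} exceeded {self.cfg.conn_limit} "
                    f"connections per {self.cfg.period_ms} ms (vport {vport})")
            if self.cfg.lockout_s:
                self.locked_until_ms[src_ip] = now_ms + self.cfg.lockout_s * 1000
        return False


def simulate(limiter: RateLimiter, events):
    """Run (time_ms, src_ip, vport) events through the limiter; return admit decisions."""
    return [limiter.admit(t, ip, port) for t, ip, port in events]


if __name__ == "__main__":
    # Constructed traffic: client A bursts four requests to vport 80 within one
    # second, then tries vport 443; client B sends one request; A retries later.
    cfg = RateLimitConfig(conn_limit=3, period_ms=1000, log=True, lockout_s=3)
    limiter = RateLimiter(cfg)
    events = [(0, "A", 80), (10, "A", 80), (20, "A", 80), (30, "A", 80),
              (100, "A", 443), (100, "B", 80), (3030, "A", 80)]
    print(simulate(limiter, events))   # [True, True, True, False, False, True, True]
    print(limiter.log_lines)
```

The main block mirrors the first CLI example above (per-second period, lock-out 3) with the limit scaled down to 3 so the burst fits on one line; a `shared=True` configuration makes requests to vports 80 and 443 draw from one counter, which is the difference between the second and third CLI examples.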

ddos-protection
Description Enables hardware blocking of VIP traffic that is addressed to an uncon-
figured virtual port.

Syntax ddos-protection {enable | disable}

Parameter Description

enable | disable Enables or disables hardware blocking of VIP traffic.
Default value is disable.

Default disabled

Mode SLB common configuration mode

Example This example enables hardware blocking of traffic to unconfigured
virtual ports.
ACOS(config)# slb common
ACOS(config-common)# ddos-protection enable

ddos-protection logging
Description Enables logging of VIP traffic hardware blocking events.

Syntax ddos-protection logging {enable | disable}

Parameter Description

enable | disable Enables or disables logging of hardware blocking events.
Default value is enable.

Default enabled

Mode SLB common configuration mode

Example This example disables the logging of hardware blocking of traffic to
unconfigured virtual ports.
ACOS(config)# slb common
ACOS(config-common)# ddos-protection logging disable

ddos-protection packets-per-second
Description Set the packet rate on an unconfigured virtual port that triggers
hardware blocking of traffic to that port (see ddos-protection).

Syntax ddos-protection packets-per-second {tcp | udp} packet-rate

Parameter Description

tcp | udp Specifies the Layer 4 protocol of the traffic affected by the
command.

packet-rate Specifies the packet rate on a virtual port that triggers
hardware blocking. Value ranges from 0 to 65535. Default value is 200.

Default 200 packets per second for TCP or UDP traffic

Mode SLB common configuration mode

Example This example sets the device to begin hardware blocking for any
unconfigured TCP ports that exceed 1000 packets per second.
ACOS(config)# slb common
ACOS(config-common)# ddos-protection enable
ACOS(config-common)# ddos-protection packets-per-second tcp 1000

disable-adaptive-resource-check
Description In cases where data packets smaller than a pre-configured size limit are
received, HTTP sessions may be deleted when the number of such pack-
ets received exceeds a pre-defined threshold. This is the default beha-
vior on an ACOS device.
The disable-adaptive-resource-check command disables the default
behavior.

Syntax [no] disable-adaptive-resource-check

Default Adaptive resource checking is enabled by default.

Mode SLB common configuration mode

disable-server-auto-reselect
Description Stop the ACOS device from automatically reselecting a lower priority
server until a server with a higher priority is marked as Down or Disabled.
This is commonly used with inband health monitors.

Syntax [no] disable-server-auto-reselect

Default Server auto-reselection is enabled by default.

Mode SLB common configuration mode

Usage When server priority is configured, the ACOS device sends all traffic to the
highest priority server, until that server starts responding slowly or meets
other negative conditions. This feature stops the ACOS device from auto-
matically reselecting a lower priority server until a server with a higher pri-
ority is marked as Down or Disabled.
When Data CPU usage reaches 70%, disable-server-auto-reselect is activated
automatically and appears in the running config. When Data CPU usage drops
back below 50%, it is removed again.

Example Enable the feature.
ACOS(config)# slb common
ACOS(config-common)# disable-server-auto-reselect

dns-cache-age
Description Configure the amount of time the ACOS device locally caches DNS
replies.
DNS cache aging is applicable only when DNS caching is enabled, using
the dns-cache-enable command. A DNS reply begins aging as soon as
it is cached and continues aging even if the cached reply is used after
aging starts. Use of a cached reply does not reset the age of that reply.
Server response TTL is the minimum TTL of all resource records in that
response. The honor-server-response-ttl command enables using TTL
in the server response as DNS cache TTL.

Syntax [no] dns-cache-age seconds

Default 300

Mode SLB common configuration mode


Usage The DNS cache TTL is calculated as follows:
1. If only the TTL is specified, then the specified TTL is used as the DNS
cache TTL.
2. If only honor-server-response-ttl is enabled, then the TTL in the
server response is used as the DNS cache TTL.
3. If the TTL is specified and honor-server-response-ttl is enabled, the
smaller of the specified TTL and the server response TTL is used as the
DNS cache TTL.
4. If the TTL is not specified and honor-server-response-ttl is not
enabled, the default value (300 seconds) is used as the DNS cache TTL.

Example This example configures the ACOS device to cache DNS replies for 300
seconds.
ACOS(config)# slb common
ACOS(config-common)# dns-cache-age 300

Example This example configures the age of global DNS cache to be the minimum
value between 600 seconds and the server response TTL:
ACOS(config-common)# dns-cache-age 600
ACOS(config-common)# honor-server-response-ttl

Example This example configures the age of the global DNS cache to be 600
seconds:
ACOS(config-common)# dns-cache-age 600

58
Chapter 2: Config Commands: SLB
Feedback ACOS 5.2.1-P3 Command Line Reference for ADC

Example This command configures the server response TTL to be used as the
global DNS cache TTL:
ACOS(config-common)# dns-cache-age
ACOS(config-common)# honor-server-response-ttl

dns-cache-enable
Description Globally enable caching of replies to DNS queries.

Syntax [no] dns-cache-enable
    [round-robin [ttl-threshold seconds] |
     single-answer [ttl-threshold seconds] |
     ttl-threshold seconds]

Parameter Description

round-robin For DNS replies that contain multiple IP addresses in the
ANSWER section, the ACOS device rotates the addresses when replying to
client requests. The DNS transaction ID (which is random) is used to
assist the rotation. This behaves better under heavy traffic, but the
side effect is that the rotation does not strictly follow round-robin
order.

single-answer Caches only replies that have one IP address in the ANSWER
section.

ttl-threshold seconds Specifies the minimum Time-To-Live (TTL) a reply
from the DNS server must have for the ACOS device to cache the reply. You
can specify 1-10000000 seconds.

Default DNS caching is disabled by default. When you globally enable DNS
caching, the round-robin and single-answer options are disabled by
default. The default TTL threshold is 0 (unset).

Mode SLB common configuration mode

Usage When DNS caching is enabled, the ACOS device sends the first request
for a given name (hostname, fully-qualified domain name, URL, and so
on) to the DNS server. The ACOS device caches the reply from the DNS
server, and sends the cached reply in response to the next request for
the same name.
The ACOS device continues to use the cached DNS reply until the reply
times out. After the reply times out, the ACOS device sends the next
request for that URL to the DNS server, and caches the reply, and so on.
Enabling the single-answer option prevents the caching of DNS replies
that have multiple IP addresses. For example, if the DNS reply to a query
for “www.example1.com” has only one IP address (1.1.1.1), the reply is
cached on the ACOS device. However, if the DNS reply to a query for
“www.example2.com” has two IP addresses (2.2.2.2 and 3.3.3.3), that
entry is not cached on the ACOS device.
If the ttl-threshold option is configured on the ACOS device, then DNS
replies will only be cached if they have a TTL value that is larger than the
TTL threshold configured on the ACOS device. This prevents the ACOS
device from caching DNS entries that will expire shortly thereafter.
For example, if the ACOS device’s TTL threshold is set to 7200 seconds
and the ACOS device receives a DNS response for a domain with a TTL of
only 10 seconds, there would be little benefit in caching that DNS reply,
since it will soon expire. Despite the cached information, subsequent
client requests for that same domain would bypass the “stale”
information cached on the ACOS device to perform another DNS lookup
just 10 seconds later.
DNS caching applies to DNS requests sent to UDP as well as TCP virtual
ports in a DNS SLB configuration.

Example The following example enables DNS caching on the ACOS device with all
the default values.
ACOS(config)# slb common
ACOS(config-common)# dns-cache-enable
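The caching rules in the Usage section above (single-answer, ttl-threshold, the global cache age and honor-server-response-ttl) are easiest to reason about as one decision function. The following Python model is an added illustration, not ACOS code or part of this reference: the class names, the upstream-resolver callback and the sample replies (1.1.1.1, 2.2.2.2 and 3.3.3.3 follow the text; the short-TTL name is constructed) are assumptions, and the round-robin rotation uses a plain counter where ACOS folds in the DNS transaction ID.

```python
"""Model of the DNS caching decisions documented for dns-cache-enable,
dns-cache-age and honor-server-response-ttl. Added illustration, not ACOS
code; class names, callback and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class DnsReply:
    name: str
    answers: List[str]  # IP addresses in the ANSWER section
    ttl: int            # TTL (seconds) carried by the reply


@dataclass
class DnsCachePolicy:
    cache_age: int                  # dns-cache-age, seconds
    enabled: bool = False           # dns-cache-enable
    single_answer: bool = False     # cache only single-address replies
    round_robin: bool = False       # rotate multi-address replies on hits
    ttl_threshold: int = 0          # 0 means unset
    honor_server_ttl: bool = False  # honor-server-response-ttl

    def cacheable(self, reply: DnsReply) -> bool:
        """Caching must be enabled, single-answer rejects multi-address
        replies, and the TTL must be larger than the configured threshold."""
        if not self.enabled:
            return False
        if self.single_answer and len(reply.answers) != 1:
            return False
        if self.ttl_threshold and reply.ttl <= self.ttl_threshold:
            return False
        return True

    def cache_ttl(self, reply: DnsReply) -> int:
        """Entry lifetime: the server's TTL when honor-server-response-ttl
        is set, otherwise the global cache age."""
        return reply.ttl if self.honor_server_ttl else self.cache_age


class DnsCache:
    def __init__(self, policy: DnsCachePolicy):
        self.policy = policy
        self._entries: Dict[str, Tuple[DnsReply, int]] = {}  # name -> (reply, expiry)
        self._rotation: Dict[str, int] = {}                  # round-robin offsets
        self.upstream_queries = 0

    def resolve(self, name: str, now: int,
                upstream: Callable[[str], DnsReply]) -> Tuple[DnsReply, bool]:
        """Answer a client query at time `now`; returns (reply, from_cache).
        The upstream server is asked only on a miss or after expiry."""
        entry = self._entries.get(name)
        if entry is not None and now < entry[1]:
            return self._rotate(entry[0]), True
        self.upstream_queries += 1
        reply = upstream(name)
        if self.policy.cacheable(reply):
            self._entries[name] = (reply, now + self.policy.cache_ttl(reply))
        return reply, False

    def _rotate(self, reply: DnsReply) -> DnsReply:
        """Round-robin option: rotate the cached address list on each hit
        (a simple counter stands in for the transaction-ID based rotation)."""
        if not self.policy.round_robin or len(reply.answers) < 2:
            return reply
        k = self._rotation.get(reply.name, 0) + 1
        self._rotation[reply.name] = k
        s = k % len(reply.answers)
        return DnsReply(reply.name, reply.answers[s:] + reply.answers[:s], reply.ttl)


# Constructed upstream answers for the example.
UPSTREAM = {
    "www.example1.com": DnsReply("www.example1.com", ["1.1.1.1"], 3600),
    "www.example2.com": DnsReply("www.example2.com", ["2.2.2.2", "3.3.3.3"], 3600),
    "short.example.test": DnsReply("short.example.test", ["5.5.5.5"], 10),
}


def demo() -> Dict[str, object]:
    """single-answer plus ttl-threshold 60 over the sample names; reports
    which queries were served from cache and how many went upstream."""
    policy = DnsCachePolicy(cache_age=600, enabled=True, single_answer=True,
                            ttl_threshold=60)
    cache = DnsCache(policy)
    lookup = lambda n: UPSTREAM[n]
    hits = [
        cache.resolve("www.example1.com", 0, lookup)[1],    # miss, then cached
        cache.resolve("www.example1.com", 100, lookup)[1],  # hit
        cache.resolve("www.example1.com", 700, lookup)[1],  # cache age 600 expired
        cache.resolve("www.example2.com", 0, lookup)[1],    # two answers: not cached
        cache.resolve("www.example2.com", 1, lookup)[1],
        cache.resolve("short.example.test", 0, lookup)[1],  # TTL 10 <= threshold
    ]
    return {"hits": hits, "upstream_queries": cache.upstream_queries}


def round_robin_demo() -> List[List[str]]:
    """Three lookups of a two-address name with round-robin enabled."""
    cache = DnsCache(DnsCachePolicy(cache_age=600, enabled=True, round_robin=True))
    lookup = lambda n: UPSTREAM[n]
    return [cache.resolve("www.example2.com", t, lookup)[0].answers for t in (0, 1, 2)]


if __name__ == "__main__":
    print(demo(), round_robin_demo())
```

The ttl-threshold comparison is strict (a reply must carry a TTL larger than the threshold), which is why the 10-second reply is never cached with a 60-second threshold; with honor-server-response-ttl set, `cache_ttl` would instead expire the example1 entry after its own 3600 seconds rather than the 600-second cache age.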

dns-cache-entry-size
Description Set the maximum size in bytes for DNS cache entries.

Syntax [no] dns-cache-entry-size num

Replace num with the desired DNS cache entry size, in bytes (1 - 4096).

Default 256


Mode SLB common configuration mode

Example The following example sets the DNS cache entry size to 3600 bytes:
ACOS(config)# slb common
ACOS(config-common)# dns-cache-entry-size 3600

dns-response-rate-limiting
Description Set the maximum number of table entries for DNS response rate limiting.

Syntax [no] dns-response-rate-limiting [max-table-entries num]

Replace num with the desired maximum number of table entries allowed
for DNS response rate limiting entries, in bytes (1000 - 4194304).

Default Disabled by default.

Mode SLB common configuration mode

Example The example below shows how to set the maximum number of table
entries for DNS response rate limiting.
ACOS(config)# slb common
ACOS(config-common)# dns-response-rate-limiting
ACOS(config-common-dns-response-rate-limi...)# max-table-entries 2000

dns-vip-stateless
Description This command causes the ACOS device to use round-robin to load
balance DNS stateless traffic to CPU threads.

NOTE: This command is only available on FTA-enabled platforms.

Syntax [no] dns-vip-stateless

Mode SLB common configuration mode

Example Enable this feature:


ACOS(config)# slb common
ACOS(config-common)# dns-vip-stateless

drop-icmp-to-vip-when-vip-down


Description When a virtual IP is down, it can still respond to ping (ICMP_ECHO)
requests. With this option enabled, a virtual IP that is down does not
respond to ping requests.

Syntax [no] drop-icmp-to-vip-when-vip-down

Mode SLB common configuration mode

dsr-health-check-enable
Description Enable health checking of the virtual server IP addresses instead of the
real server IP addresses in Direct server Return (DSR) configurations.
This feature requires configuration of a Layer 3 health method (ICMP),
with the transparent option enabled, and the alias address set to the
virtual IP address. (See method.) The health monitor must be applied to
the real server ports.

Syntax [no] dsr-health-check-enable

Default Health checking is disabled by default.

Mode SLB common configuration mode

Example The following commands configure a Layer 3 health monitor for DSR
health checking, apply it to the real server ports, and enable DSR health
checking:
ACOS(config)# health monitor dsr-hm
ACOS(config-health:monitor)# method icmp transparent
10.10.10.99
ACOS(config-health:monitor)# exit
ACOS(config)# slb common
ACOS(config-common)# dsr-health-check-enable

ecmp-hash
Description The option allows hashing on connection information (source IP, source
port, destination port from forward tuple and real server IP), which would
allow a more balanced (Equal-cost multi-path routing) protocol routing.
For IP based protocols, source IP and real server IP will be used for
hashing. IPv4 to IPv6 or IPv6 to IPv4 routing is not supported.

Syntax [no] ecmp-hash {system-default | connection-based}


Parameter Description

system-default Uses the system default ECMP hashing algorithm.

connection-based Uses connection information for hashing.

Mode SLB common configuration mode

Example The following example shows how to enable connection-based hashing:
ACOS(config)# slb common
ACOS(config-common)# ecmp-hash connection-based

NOTE: SSLi_L2 is not supported and smart nat is partially supported.

enable-l7-req-acct
Description Globally enable Layer 7 request accounting.
When using the least-request load-balancing method in a service group,
Layer 7 request accounting is automatically enabled for the service
group’s members, and for the virtual service ports that are bound to the
service group’s members.
To display Layer 7 request statistics, use the show slb service-group
command. See show slb server, show slb service-group, and show slb
virtual-server.

Syntax [no] enable-l7-req-acct

Default Disabled by default.

Mode SLB common configuration mode

Example The example below shows how to enable Layer 7 request accounting.
ACOS(config)# slb common
ACOS(config-common)# enable-l7-req-acct

extended-stats
Description Globally enable collection of extended SLB statistics, including
peak connection statistics.

Syntax [no] extended-stats


Default Disabled by default.

Mode SLB common configuration mode

Example This example shows how to enable the collection of extended SLB stat-
istics.
ACOS(config)# slb common
ACOS(config-common)# extended-stats

fast-path-disable
Description Disable fast-path packet inspection.
Fast processing of packets maximizes performance by using all
underlying hardware assist facilities. Typically, the feature should remain
enabled. The disable option is provided only for troubleshooting, in case it
is suspected that the fast processing logic is causing an issue. If you
disable fast-path processing, ACOS does not perform a deep inspection
of every field within a packet.

Syntax [no] fast-path-disable

Default Enabled by default.

Mode SLB common configuration mode.

Example The example below shows how to disable fast-path packet inspection.
ACOS(config)# slb common
ACOS(config-common)# fast-path-disable

gateway-health-check
Description Enables gateway health monitoring.

Syntax [no] gateway-health-check [interval seconds [timeout seconds]]

Parameter Description

interval seconds Specifies the time period between health check
attempts, 1-180 seconds. The default interval is 5 seconds.

timeout seconds Specifies how long the ACOS device waits for a reply to
any of the ARP requests, 1-360 seconds. The default timeout is 15
seconds.

Default See descriptions.

Mode SLB common configuration mode.

Usage Gateway health monitoring uses ARP to test the availability of nexthop
gateways. When the ACOS device needs to send a packet through a
gateway, the ACOS device begins sending ARP requests to the gateway.
• If the gateway replies to any ARP request within a configurable
timeout, the ACOS device forwards the packet to the gateway.
• The ARP requests are sent at a configurable interval. The ACOS
device waits for a configurable timeout for a reply to any request. If
the gateway does not respond to any request before the timeout
expires, the ACOS device selects another gateway and begins the
health monitoring process again.

Example The following example enables gateway health monitoring. Health check
attempts will be made every 10 seconds, with a reply timeout of 20
seconds.
ACOS(config)# slb common
ACOS(config-common)# gateway-health-check interval 10 timeout 20
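The interplay of interval and timeout in the Usage section is worth seeing on a timeline. The Python simulation below is an added illustration, not ACOS code: the gateway addresses (10.0.0.1, 10.0.0.2), the reply behaviour assigned to them, and the assumption that requests go out at t = 0, interval, 2*interval, ... for as long as t is below the timeout are all constructed for the example; the numeric ranges come from the parameter table.

```python
"""Simulation of ARP-based gateway health monitoring as described for
gateway-health-check. Added illustration, not ACOS code; gateway addresses
and their reply behaviour are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

INTERVAL_RANGE = (1, 180)   # seconds, from the parameter table
TIMEOUT_RANGE = (1, 360)


def validate(interval: int, timeout: int) -> None:
    lo, hi = INTERVAL_RANGE
    if not lo <= interval <= hi:
        raise ValueError(f"interval must be {lo}-{hi} seconds")
    lo, hi = TIMEOUT_RANGE
    if not lo <= timeout <= hi:
        raise ValueError(f"timeout must be {lo}-{hi} seconds")


def probe_gateway(gateway: str, interval: int, timeout: int,
                  answers: Callable[[str, int], bool],
                  sent: List[Tuple[str, int]]) -> Optional[int]:
    """Send ARP requests at t = 0, interval, 2*interval, ... while t < timeout
    (assumed schedule). `answers(gateway, t)` is the constructed oracle for
    whether the request sent at t gets a reply. Returns the time of the first
    reply, or None if the timeout expires without one."""
    t = 0
    while t < timeout:
        sent.append((gateway, t))
        if answers(gateway, t):
            return t
        t += interval
    return None


def select_gateway(gateways: List[str], interval: int, timeout: int,
                   answers: Callable[[str, int], bool]
                   ) -> Tuple[Optional[str], int, List[Tuple[str, int]]]:
    """Try the candidate next hops in order. Returns (chosen gateway, total
    seconds elapsed, ARP requests sent). A gateway that stays silent for the
    whole timeout is skipped and monitoring restarts on the next one."""
    validate(interval, timeout)
    sent: List[Tuple[str, int]] = []
    elapsed = 0
    for gw in gateways:
        reply_at = probe_gateway(gw, interval, timeout, answers, sent)
        if reply_at is not None:
            return gw, elapsed + reply_at, sent
        elapsed += timeout
    return None, elapsed, sent


# Constructed behaviour: 10.0.0.1 never answers ARP; 10.0.0.2 answers any
# request sent at or after t = 4 s (say, its link came up late).
REPLY_FROM: Dict[str, Optional[int]] = {"10.0.0.1": None, "10.0.0.2": 4}


def sample_oracle(gateway: str, t: int) -> bool:
    start = REPLY_FROM.get(gateway)
    return start is not None and t >= start


def demo() -> Tuple[Optional[str], int, List[Tuple[str, int]]]:
    """Settings from the reference example: interval 10, timeout 20."""
    return select_gateway(["10.0.0.1", "10.0.0.2"], 10, 20, sample_oracle)


if __name__ == "__main__":
    print(demo())
```

With interval 10 and timeout 20, the first gateway receives requests at 0 s and 10 s, is given up on at 20 s, and the second gateway's request at its own 10 s mark is the first one answered, so the packet is forwarded 30 s after monitoring began. Shortening the interval makes a flapping gateway recover sooner; shortening the timeout makes failover faster at the cost of declaring a slow gateway dead.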

graceful-shutdown
Description Provides time for active sessions to terminate normally before closing
a service after deleting or disabling the real or virtual server or port
providing the service.

Syntax [no] graceful-shutdown grace-period [server | virtual-server] [after-disable]


Parameter Description

grace-period Number of seconds existing connections on a disabled or
deleted server or port are allowed to remain up before being
terminated. You can specify 1-65535 seconds.

server Limits the graceful shutdown to real servers only.

virtual-server Limits the graceful shutdown to virtual servers only.

after-disable Applies graceful shutdown to disabled servers and service
ports, as well as deleted servers. Without this option, graceful
shutdown applies only to deleted servers.

Default Graceful shutdown is disabled by default. When you delete a real or
virtual service port, the ACOS device places all the port’s sessions in
the delete queue, and stops accepting new sessions on the port.

Mode SLB common configuration mode.

Usage When graceful shutdown is enabled, the ACOS device stops accepting
new sessions on a disabled or deleted port, but waits for the specified
grace period before moving active sessions to the delete queue.

Example These commands enable graceful shutdown with a grace period of one
hour:
ACOS(config)# slb common
ACOS(config-common)# graceful-shutdown 3600

honor-server-response-ttl
Description TTL in server response is used as DNS cache TTL.

Syntax [no] honor-server-response-ttl

Mode SLB common configuration mode


Example The following example configures the ACOS device to cache DNS replies
for 300 seconds.
ACOS(config)# slb common
ACOS(config-common)# dns-cache-age 600
ACOS(config-common)# honor-server-response-ttl

hw-compression
Description Enable hardware-based HTTP compression.

Syntax [no] hw-compression

Default Disabled by default.

Mode SLB common configuration mode.

Usage Hardware-based compression is available using an optional hardware
module on select platforms. For more information, see “Hardware-Based
Compression” in the Application Delivery Controller Guide.

Example The following example enables hardware-based HTTP compression.
ACOS(config)# slb common
ACOS(config-common)# hw-compression

hw-syn-rr
Description Enable distribution of client SYNs across multiple CPUs. This feature
protects against CPU overload due to SYN floods, a common symptom of
DDoS attacks.

Syntax [no] hw-syn-rr conn-num

The conn-num option specifies the maximum number of connection
requests (TCP SYNs) allowed from the same client (1-500000). If this
threshold is exceeded, ACOS begins using all the CPUs for processing
the SYNs.

Default Disabled by default.

Mode SLB common configuration mode.

Usage Until the conn-num threshold is exceeded, only the control CPU is used
for SYN processing. When the threshold is exceeded, ACOS begins
distributing the SYNs to the CPUs in round-robin fashion. The control
CPU and all data CPUs are used.


Example The following example enables distribution of client SYNs across multiple
CPUs, using 250,000 TCP SYNs as the threshold.
ACOS(config)# slb common
ACOS(config-common)# hw-syn-rr 250000

low-latency
Description Enables low latency mode. The system needs to be rebooted after
configuring this option.
Known limitations:
• Basic TCP and FIX IPv4 traffic supported.
• Physical platforms with TCAM hardware supported.
• Only applicable for shared partition.

Syntax [no] low-latency

Default Disabled

Mode SLB common configuration mode

Example The following commands enable low latency mode:
ACOS(config)# slb common
ACOS(config-common)# low-latency

l2l3-trunk-lb-disable
Description Disable or re-enable trunk load balancing.

Syntax [no] l2l3-trunk-lb-disable

Default Enabled by default.

Mode SLB common configuration mode.

Usage When trunk load balancing is enabled, the ACOS device load balances
outbound Layer 2/3 traffic among all the ports in a trunk. The round-
robin method is used to load balance the traffic. For example, in a trunk
containing ports 1-4, the first Layer 2/3 packet is sent on port 1. The
second packet is sent on port 2. The third packet is sent on port 3, and so
on.
If you disable trunk load balancing, the lead port is always used for
outbound traffic, and the other ports act as standby ports in case the
lead port goes down.


Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by
default. However, the CLI provides a command to disable trunk load
balancing, in case there is a need to do so. Disabling trunk load balancing
causes the ACOS device to use only the lead port for outbound traffic.

NOTE: Trunk load balancing does not apply to Layer 4-7 traffic.

Example The following commands disable trunk load balancing.
ACOS(config)# slb common
ACOS(config-common)# l2l3-trunk-lb-disable

max-buff-queued-per-conn
Description Set the maximum buffer threshold per connection.

Syntax [no] max-buff-queued-per-conn buffer-value

Specify the desired buffer-value (128-4096).

Mode SLB common configuration mode.

Example The following commands set the maximum buffer value per connection
to 1024:
ACOS(config)# slb common
ACOS(config-common)# max-buff-queued-per-conn 1024

max-http-header-count
Description Configure the number of headers supported in an HTTP request.

Syntax [no] max-http-header-count num

Replace num with the maximum number of HTTP headers supported
within a request (90-255).

Default 90

Mode SLB common configuration mode

Example The following commands configure 90 as the number of headers
supported in an HTTP request.
ACOS(config)# slb common
ACOS(config-common)# max-http-header-count 90

msl-time


Description Configure the maximum session life for client sessions. The maximum
session life controls how long the ACOS device maintains a session
table entry for a client-server session after the session ends.

Syntax [no] msl-time seconds

The seconds option specifies the number of seconds a client session can
remain in the session table after session completion. You can specify 1-
40 seconds.

Default 2 seconds

Mode SLB common configuration mode

Usage The maximum session life allows time for retransmissions from clients or
servers, which can occur if there is an error in a transmission. If a
retransmission occurs while the ACOS device still has a session entry for
the session, the ACOS device is able to forward the retransmission.
However, if the session table entry has already aged out, the ACOS
device drops the retransmission instead.
Maximum session life begins aging out a session table entry when the
session ends:
• TCP – The session ends when the ACOS device receives a TCP FIN
from the client or server.
• UDP – The session ends after the ACOS device receives a server
response to the client’s request. If the reply is fragmented, the
maximum session life begins only after the last fragment is received.

NOTE: For UDP sessions, maximum session life is used only if UDP aging
is set to short, instead of immediate. UDP aging is set in the UDP
template bound to the UDP virtual port. The default setting is
short.

Example The following commands configure a maximum session life of 10
seconds.
ACOS(config)# slb common
ACOS(config-common)# msl-time 10

mss-table
Description Configure the TCP Maximum Segment Size (MSS) allowed for client
traffic. This command globally changes the MSS. You also can change
the MSS in individual TCP-proxy templates. (See slb template tcp-
proxy.)

Syntax [no] mss-table num


The num option specifies maximum MSS allowed in traffic from clients.
You can specify 128-750.

Default 538

Mode SLB common configuration mode

Usage Clients who can only transmit TCP segments that are smaller than the
MSS are unable to reach servers.

Example The following commands configure a TCP MSS of 256.
ACOS(config)# slb common
ACOS(config-common)# mss-table 256

no-auto-up-on-aflex
Description Prevent the health status of virtual ports that are bound to aFleX scripts
from being automatically marked Up.

Syntax [no] no-auto-up-on-aflex

Default This option is disabled by default. Virtual ports that are bound to aFleX
scripts are automatically marked Up.

Mode SLB common configuration mode

Example The following commands prevent the health status of virtual ports that
are bound to aFleX scripts from being automatically marked Up.
ACOS(config)# slb common
ACOS(config-common)# no-auto-up-on-aflex

rate-limit-logging
Description Configure rate limiting settings for system logging.

Syntax [no] rate-limit-logging
[max-local-rate msgs-per-second]
[max-remote-rate msgs-per-second]
[exclude-destination {local | remote}]


Parameter Description

max-local-rate msgs-per-second Specifies the maximum number of
messages per second that can be sent to the local log buffer. You can
specify 1-100. The default is 32 messages per second.

max-remote-rate msgs-per-second Specifies the maximum number of
messages per second that can be sent to remote log servers. You can
specify 1-1,000,000. The default is 15000 messages per second.

exclude-destination Excludes logging to the specified destination, local
or remote. By default, logging to both destinations is enabled.

Default See descriptions.

Mode SLB common configuration mode.

Usage Log rate limiting is enabled by default and cannot be disabled. The
configurable settings have the default values described in the table
above.
The log rate limiting mechanism works as follows:
• If the number of new messages within a one-second interval
exceeds the internal maximum (32 by default), then during the next
one-second interval, ACOS sends log messages only to the external
log servers.
• If the number of new messages generated within the new one-
second interval is the internal maximum or less, then during the
following one-second interval, ACOS again sends messages to the
local logging buffer as well as the external log servers.
• In any case, all messages (up to the external maximum) are sent to
the external log servers.

Example The following commands increase the maximum number of log
messages per second sent to remote log servers:
ACOS(config)# slb common
ACOS(config-common)# rate-limit-logging max-remote-rate 30000
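The three bullets in the Usage section describe a per-second bucket with a one-interval penalty on the local buffer. The Python model below is an added illustration, not ACOS code: the class, the message format and the burst of sample log lines are constructed, and it assumes (the reference does not say) that within a single interval the local buffer also receives no more than max-local-rate messages; the bucket logic itself and the default rates follow the text.

```python
"""Model of the log rate-limiting mechanism described for rate-limit-logging.
Added illustration, not ACOS code. Bucket logic and defaults follow the
reference; the within-interval local cap and the sample lines are assumed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple


class LogRateLimiter:
    def __init__(self, max_local_rate: int = 32, max_remote_rate: int = 15000,
                 exclude_destination: Optional[str] = None):
        if not 1 <= max_local_rate <= 100:
            raise ValueError("max-local-rate must be 1-100")
        if not 1 <= max_remote_rate <= 1_000_000:
            raise ValueError("max-remote-rate must be 1-1,000,000")
        if exclude_destination not in (None, "local", "remote"):
            raise ValueError("exclude-destination must be local or remote")
        self.max_local = max_local_rate
        self.max_remote = max_remote_rate
        self.excluded = exclude_destination
        self._second: Optional[int] = None  # current one-second interval
        self._count = 0                      # messages seen in that interval
        self._local_suppressed = False       # previous interval overflowed

    def _start_interval(self, second: int) -> None:
        # If the previous interval exceeded the internal maximum, the next
        # interval goes to the external log servers only. An interval with
        # no messages counts as "maximum or less", so suppression lifts.
        prev_overflowed = self._second is not None and self._count > self.max_local
        self._local_suppressed = prev_overflowed and second == self._second + 1
        self._second, self._count = second, 0

    def submit(self, timestamp: float, message: str) -> Set[str]:
        """Return the destinations ('local', 'remote') that receive `message`."""
        second = int(timestamp)
        if second != self._second:
            self._start_interval(second)
        self._count += 1
        dests: Set[str] = set()
        if self.excluded != "remote" and self._count <= self.max_remote:
            dests.add("remote")
        if (self.excluded != "local" and not self._local_suppressed
                and self._count <= self.max_local):
            dests.add("local")
        return dests


# Constructed burst: 40 messages in second 0, then 5 in second 1, 5 in second 2.
SAMPLE_LOG: List[Tuple[float, str]] = (
    [(0.0 + i * 0.02, f"slb server s{i} port 80 is down") for i in range(40)]
    + [(1.0 + i * 0.1, f"slb server s{i} port 80 is up") for i in range(5)]
    + [(2.0 + i * 0.1, "gateway 10.0.0.1 ARP reply received") for i in range(5)]
)


def demo(log: Iterable[Tuple[float, str]] = SAMPLE_LOG) -> Dict[int, Dict[str, int]]:
    """Per one-second interval, how many messages reached each destination
    with the default rates (32 local, 15000 remote)."""
    limiter = LogRateLimiter()
    tally: Dict[int, Dict[str, int]] = defaultdict(lambda: {"local": 0, "remote": 0})
    for ts, msg in log:
        for dest in limiter.submit(ts, msg):
            tally[int(ts)][dest] += 1
    return dict(tally)


if __name__ == "__main__":
    print(demo())
```

The burst of 40 messages in second 0 overflows the local maximum, so second 1 reaches the remote servers only even though it carries just 5 messages; the quiet second 1 then re-enables the local buffer for second 2. All 50 messages reach the remote servers, which is why a SIEM fed by the remote destination is the reliable record during a burst.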

reset-stale-session


Description Send reset if a session in the delete queue receives a SYN packet.

Syntax [no] reset-stale-session

Mode SLB common configuration mode.

Example The following command enables this feature.
ACOS(config)# slb common
ACOS(config-common)# reset-stale-session

scale-out
Description Enable the Scaleout feature for SLB.
For more information, see the Configuring Scaleout guide.

Syntax [no] scale-out

Default Not enabled.

Mode SLB common configuration mode.

service-group-on-no-dest-nat-vports
Description Allow one service-group to be bound under multiple virtual-servers
when 'no-dest-nat' is enabled.
Known Limitation: Health checking in DSR mode is incompatible with this
feature if a user enables dsr-health-check-enable and binds the same
service-group on multiple no-dest-nat virtual ports.

Syntax [no] service-group-on-no-dest-nat-vports [allow-same | enforce-different]

Parameter Description

allow-same Allow binding the same service-group on multiple no-dest-nat
virtual ports.

enforce-different Enforce that the same service-group cannot be bound on
different no-dest-nat virtual ports.

This configuration is supported in both shared and L3V partitions.

Mode SLB common configuration mode

Usage In some cases, a user has a specific requirement to bind one
service-group under multiple virtual-servers with 'no-dest-nat' enabled.

Example The following example configures this command:
ACOS(config)# slb common
ACOS(config-common)# service-group-on-no-dest-nat-vports allow-same

snat-gwy-for-l3
Description Use an IP pool’s default gateway to forward traffic from a real server.
When this feature is enabled, ACOS checks the server IP subnet against
the IP NAT pool subnet. If they are on the same subnet, then ACOS uses
the gateway as defined in the IP NAT pool for Layer 2 / Layer 3
forwarding. This feature is useful if the server does not have its own
upstream router and ACOS can leverage the same upstream router for
Layer 2 / Layer 3.

Syntax [no] snat-gwy-for-l3

Default Disabled by default.

Mode SLB common configuration mode.

Example The following commands enable traffic forwarding using an IP pool’s
default gateway.
ACOS(config)# slb common
ACOS(config-common)# snat-gwy-for-l3

snat-on-vip
Description Globally enable IP NAT support for VIPs.


Syntax [no] snat-on-vip

Default Disabled by default.

Mode SLB common configuration mode

Usage Source IP NAT can be configured on a virtual port in the following ways:
• ACL-based source NAT (access-list command at virtual port level)
• VIP source NAT (slb snat-on-vip command at Configuration mode
level)
• aFleX policy (aflex command at virtual port level)
• Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP
source NAT is configured using an ACL on the virtual port, and the slb
snat-on-vip command is also used, then a pool assigned by the ACL is
used for traffic permitted by the ACL. For traffic not permitted by the
ACL, VIP source NAT can be used instead.
The current release does not support source IP NAT on FTP or RTSP
virtual ports.

Example The following commands enable IP NAT support for VIPs.
ACOS(config-common)# snat-on-vip

sort-res
Description Enable the sort display option for SLB configuration. When this option is
enabled, SLB resources in the configuration are listed in alphabetical
order.
The sort feature takes effect only after you configure at least one SLB
resource, after you enable the sort feature. Before you configure at least
one new SLB resource, the SLB resources still appear in the order they
were configured.

Syntax [no] sort-res

Default This option is disabled by default. With this default behavior, SLB
resources of a specific type appear in the order they are configured.

Mode SLB common configuration mode

Example The following command displays the configured SLB servers, before the
sort option is enabled and activated:
ACOS(config-common)# show running-config | include slb server
slb server ee 5.5.5.5
slb server rs20_10 20.20.20.10
slb server Server07 110.20.20.20
slb server Server08 110.13.13.20
slb server MSSQLServer02 110.13.13.21
slb server srv266 10.10.100.10
slb server srv238 2.1.1.238
slb server rs_http 10.1.2.10
slb server ldap-sr 172.16.2.10
slb server s1 20.20.20.30
slb server woo 10.10.99.99
slb server o1 10.10.10.5
slb server http1 20.20.25.10
slb server http2 20.20.25.11

These commands enable the sort option, configure a new SLB server,
and display the configured SLB servers. The slb server commands are
alphabetically sorted.
ACOS(config)# slb common
ACOS(config-common)# sort-res
ACOS(config-common)# exit
ACOS(config)# slb server s88 4.3.3.3
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# show run | include slb server
slb server MSSQLServer02 110.13.13.21
slb server Server07 110.20.20.20
slb server Server08 110.13.13.20
slb server ee 5.5.5.5
slb server fsort2 4.3.9.58
slb server fsort88 4.3.9.55
slb server http1 20.20.25.10
slb server http2 20.20.25.11
slb server ldap-sr 172.16.2.10
slb server o1 10.10.10.5
slb server rs20_10 20.20.20.10
slb server rs_http 10.1.2.10
slb server s1 20.20.20.30
slb server s88 4.3.3.3
slb server srv238 2.1.1.238
slb server srv266 10.10.100.10
slb server woo 10.10.99.99
slb server zsort2 4.3.3.9

ACOS(config-real server-node port)#

ssli-sni-hash-enable
Description Supports dynamic-port, single-device, two-partition SSLi and relays SNI
information without the interfering message (A10-FP header).

Syntax [no] ssli-sni-hash-enable

Default Disabled

Mode SLB common configuration mode

Usage Dynamic-port SSLi requires proprietary messaging to relay SNI
information from the inside SSLi virtual service to the outside SSLi
virtual service. This messaging may interfere with the operation of some
inspection devices that are used to intercept and inspect decrypted
traffic.
If this feature is enabled for two-device dynamic port deployment, or the
security device modifies the IP address or port number, the outside SSLi
virtual service does not include the SNI information.

Example The following commands relay SNI information without the interfering
message (A10-FP header).
ACOS(config)# slb common
ACOS(config-common)# ssli-sni-hash-enable

stats-data-disable
Description Globally disables periodic collection of statistical data for system
resources, including CPU, memory, disks and interfaces.

Syntax [no] stats-data-disable

Default Disabled (statistics collection is enabled)

Mode SLB common configuration mode

Example The following commands globally disable statistics collection for system
resources.
ACOS(config)# slb common
ACOS(config-common)# stats-data-disable

stateless-sg-multi-binding


Description Globally enables the device to allow the binding of stateless service
groups by multiple virtual ports or virtual servers.
After a stateless service group is bound to multiple entities, this
command can be deleted only after all multiple binding instances are
removed.

Syntax [no] stateless-sg-multi-binding

Default Disabled

Mode SLB common configuration mode

Example The following commands enable the binding of stateless service groups
to multiple virtual ports or servers.
ACOS(config)# slb common
ACOS(config-common)# stateless-sg-multi-binding

use-mss-tab
Description Configure ACOS to base the MSS in replies from VIPs to clients on the
interface MTU and MSS value received from clients in SYNs.

Syntax [no] use-mss-tab

Default Disabled by default.

Mode SLB common configuration mode

Chapter 3: Config Commands: SLB Templates
This section lists the commands and sub-commands to configure SLB templates.

DNS templates have the highest priority and are used first, followed by policy templates.
Then the other types of templates are used as applicable. To apply a template to a virtual
port, use the template command at the configuration level for the virtual port.

To access SLB Templates mode:
ACOS(config)# slb templates

The following topics are covered:

slb template cache 82

slb template cipher 82

slb template client-ssl 84

slb template connection-reuse 84

slb template dblb 86

slb template diameter 86

slb template dns 94

slb template dns-logging 111

slb template doh 115

slb template dynamic-service 123

slb template external-service 124

slb template fix 129

slb template ftp 131

slb template http 131

slb template http-policy 152

slb template link-cost 161

slb template imap-pop3 163

slb template logging 164

slb template monitor 165

slb template link-probe 167


destination hostname 168

destination hostname target 169

probe-interval 170

probes-per-test 170

rtt-method 171

selection-rule 171

test-interval 172

user-tag 173

expected-status-code 173

url 174

show slb link-probe 174

slb template persist cookie 178

slb template persist destination-ip 184

slb template persist source-ip 189

slb template persist ssl-sid 195

slb template policy 196

slb template port 196

slb template reqmod-icap 197

slb template respmod-icap 197

slb template server 197

slb template server-ssl 197

slb template sip (over UDP) 197

slb template sip (over TCP/TLS) 197

slb template smpp 197

slb template smtp 197

slb template ssli 198

slb template tcp 198

slb template tcp-proxy 198

slb template udp 198


slb template virtual-port 198

slb template virtual-server 198


slb template cache
Description See Config Commands: SLB Cache Templates.

slb template cipher
Description Configure a template of SSL cipher settings for binding to Client-SSL
and Server-SSL templates.

Syntax [no] slb template cipher template-name

Parameter Description

template-name Name of the template (1-127 characters).

Replace template-name with the name of the template, up to 31
characters long.
This command enters the SLB Cipher Template configuration mode
where the following commands are available.
[no] cipher [priority num]

Parameter Description

cipher The cipher can be one of the names listed in the A10 SSL Cipher
Suites List file located on the A10 Networks Support Portal.
You can remove (or re-add) one cipher in the template with a single
command. Enter separate commands for each cipher to remove or re-add.

priority The cipher priority value can be 1-100. The highest priority
(most favored) is 100. More than one cipher can have the same priority.
In this case, the strongest (most secure) cipher is used.


Platforms containing a second generation or third generation SSL card
support all ciphers. ECDHE and DHE ciphers on the server side are
processed by the CPU, resulting in high CPU usage.
Platforms containing a first generation SSL card support only RSA
ciphers.
Use the show hardware command to see your platform’s specifications.
For more information, refer to Technical Support Advisory: Recommend
SSL Templates for PFS (Perfect Forward Secrecy) Ciphers on the A10
Networks website.

Default The default priority is 1. All ciphers within a template are enabled by
default.

Mode Configuration mode

Usage A cipher template contains a list of ciphers. A client connecting to a
virtual port using the cipher template can use only ciphers that are
listed in the template.
Optionally, you can assign a priority value to each cipher in the template.
It is recommended that users do not leave this blank. The ACOS device
uses ciphers based on priority. If the client supports the cipher that has
the highest priority, that cipher is used. If the client does not support the
highest-priority cipher, the ACOS device attempts to use the cipher with
the second-highest priority.

Notes
• An SSL cipher template takes effect only when you apply it to a cli-
ent-SSL template or server-SSL template.
• When you apply (bind) a cipher template to a client-SSL or server-
SSL template, the settings in the cipher template override any cipher
settings in that client-SSL or server-SSL template.
• Priority values are supported only for client-SSL templates. If a cipher
template is used by a server-SSL template, the priority values in the
cipher template are ignored.

Example The following commands configure a cipher template:


ACOS(config)# slb template cipher cipher_tmplt1
ACOS(config-cipher)# SSL3_RSA_DES_64_CBC_SHA priority 5
ACOS(config-cipher)# TLS1_RSA_AES_128_SHA priority 10
ACOS(config-cipher)# TLS1_RSA_AES_256_SHA
ACOS(config-cipher)# end

This template contains 3 ciphers. The ACOS device attempts to use
TLS1_RSA_AES_128_SHA first. If the client does not support this cipher,
the ACOS device attempts to use SSL3_RSA_DES_64_CBC_SHA. If
the client does not support this cipher either, the ACOS device tries to use
TLS1_RSA_AES_256_SHA.
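The selection order described above, modeled in Python as an added example (not A10 code): ciphers are tried by priority, a tie goes to the stronger cipher, and a cipher entered without a priority gets the default of 1. The STRENGTH ranking used to break ties is an assumption, since the page names no such ordering.

```python
"""Cipher-template priority model.

Added example, not A10 code. It orders a template's ciphers the way the
Usage and Example text above describes: highest priority first, a tie
broken in favour of the stronger cipher, and a cipher entered without a
priority taking the default of 1. STRENGTH is an assumed ranking for the
three ciphers in the page's example; the page names no ordering.
"""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 1   # page: "The default priority is 1."

# Assumed relative strength (higher is stronger), used only to break ties.
STRENGTH = {
    "SSL3_RSA_DES_64_CBC_SHA": 1,
    "TLS1_RSA_AES_128_SHA": 2,
    "TLS1_RSA_AES_256_SHA": 3,
}


@dataclass
class CipherTemplate:
    name: str
    ciphers: dict = field(default_factory=dict)   # cipher name -> priority

    def cipher(self, cipher_name, priority=None):
        """Model of entering 'cipher-name [priority num]' in the template."""
        if priority is None:
            priority = DEFAULT_PRIORITY
        if not 1 <= priority <= 100:
            raise ValueError("priority must be 1-100")
        self.ciphers[cipher_name] = priority

    def no_cipher(self, cipher_name):
        """Model of 'no cipher-name': removes one cipher per command."""
        self.ciphers.pop(cipher_name, None)

    def preference_order(self):
        """Ciphers in the order the device tries them."""
        return sorted(self.ciphers,
                      key=lambda c: (-self.ciphers[c], -STRENGTH.get(c, 0)))

    def select(self, client_offered):
        """First cipher in preference order that the client also supports."""
        for cipher_name in self.preference_order():
            if cipher_name in client_offered:
                return cipher_name
        return None   # no common cipher: the handshake cannot proceed


def page_example():
    """The cipher_tmplt1 template from the Example above."""
    tmpl = CipherTemplate("cipher_tmplt1")
    tmpl.cipher("SSL3_RSA_DES_64_CBC_SHA", 5)
    tmpl.cipher("TLS1_RSA_AES_128_SHA", 10)
    tmpl.cipher("TLS1_RSA_AES_256_SHA")   # no priority given: defaults to 1
    return tmpl
```

Run against cipher_tmplt1, the model shows why the text recommends not leaving the priority blank: TLS1_RSA_AES_256_SHA ends up last, so a client offering only the DES and AES-256 ciphers is given the DES cipher.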

Example The following command binds the cipher template, cipher_tmplt1, to the
client-SSL template, SSLInsight_ClientSide.
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS(config-client ssl)# forward-proxy-enable
ACOS(config-client ssl)# template cipher cipher_tmplt1
ACOS(config-client ssl)# end

slb template client-ssl


Description See Config Commands: SLB Client SSL Templates.

slb template connection-reuse


Description Configure re-use of established connections.

Syntax [no] slb template connection-reuse template-name

Replace template-name with the name of the template, 1-127 characters.

This command enters the SLB Connection-Reuse Template
Configuration mode where the following commands are available.

Command Description

[no] keep-alive-conn number
    Specifies the number of new reusable connections to open before
    beginning to reuse existing connections. You can specify 1-1024
    connections. This option is applicable for both HTTP and SIP-over-TCP
    sessions.
    By default, this option is not enabled in the template, but when
    activated, the default value is 100.

[no] limit-per-server number
    Maximum number of reusable connections per server port. You can
    specify 0-65535. 0 means unlimited.
    The default is 1000 connections.

[no] timeout seconds
    Maximum number of seconds a connection can be idle before timing out.
    You can specify 60-3600 seconds; the value specified must be divisible
    by 60.
    The default is 2400 seconds (40 minutes).

Default “Default” connection reuse template defaults are listed in the command
table.
To display default template settings, use the show slb template
connection-reuse default command. See show run slb template.

Mode Configuration mode

Usage The normal form of this command creates a connection reuse template.
The no form of this command removes the template.
You can bind only one connection-reuse template to a virtual port.
However, you can bind the same connection-reuse template to multiple
ports.
Due to the way the connection-reuse feature operates, backend
sessions with servers will not be reused in either of the following cases:
• The limit-per-server option is set to a very low value, lower than
the number of data CPUs on the ACOS device.
• The keep-alive-conn option is set to a lower value than the
limit-per-server option.

Example The following commands configure a connection reuse template named
“conn-reuse1” and set the limit per server to 2000 re-used connections:
ACOS(config)# slb template connection-reuse conn-reuse1
ACOS(config-conn reuse)# limit-per-server 2000


slb template dblb


Description Create a template for database load-balancing (DBLB).

Syntax [no] slb template dblb template-name

Replace template-name with the name of the template, 1-127 characters.

This command enters the SLB DBLB Template Configuration mode
where the following commands are available.

Command Description

[no] calc-sha1 password
    Displays the SHA1-encrypted version of a clear text string.

[no] class-list list-name
    Applies a class list of username-password pairs for DBLB client
    authentication to access the database server.

[no] server-version type
    Specifies the type of database system for the DBLB server that
    processes database requests. For type you can specify one of the
    following:
    MSSQL2008 – MS-SQL server (version 2008 or 2008 R2)
    MSSQL2012 – MS-SQL server (version 2012)
    MySQL – Any version of MySQL

Default The configuration does not have a default DBLB template.

Mode Configuration mode

slb template diameter


Description Configure Diameter load balancing.

Syntax [no] slb template diameter template-name

Replace template-name with the name of the template, 1-127 characters.

This command enters the SLB Diameter Template Configuration mode
where the following commands are available.

Command Description

[no] avp avp-num {int32 | int64 | string} value [mandatory]
    Specifies a custom AVP value to insert into
    Capabilities-Exchange-Request messages sent by the ACOS device to
    Diameter servers.
    For each custom AVP value to insert, you must specify the following
    information:
    • avp-num – Diameter AVP number.
    • int32 | int64 | string – Specifies the data format of the value to
      insert.
    • value – Specifies the value to insert.
    • mandatory – Sets the AVP mandatory flag on. By default, this flag is
      off (not set).
    You can configure up to 6 custom AVP values for insertion. Enter the
    command separately for each AVP value.

[no] customize-cea
    Replaces the AVPs in Capabilities-Exchange-Answer (CEA) messages with
    the custom AVP values you configure before forwarding the messages.

[no] duplicate avp-num pattern service-group
    Duplicates Accounting-Request messages and sends them to a separate
    service group. This option is useful for logging, accounting, and so
    on.
    To configure message duplication, configure real servers and the
    service group, and use the duplicate command to configure the
    following parameters:
    • avp-num – Diameter AVP number.
    • pattern – String pattern within the message.
    • service-group – The duplication service group, which is the service
      group to which to send the duplicate messages.
    NOTE: To place the message duplication configuration into effect, you
    must unbind the Diameter template from the Diameter virtual port, then
    rebind it.
    A Diameter template in which message duplication is configured can be
    bound to only a single virtual port.

[no] dwr-time ms
    Specifies the maximum time the ACOS device waits for the reply to a
    device-watchdog message sent to a Diameter server before marking the
    server Down. You can specify 0-2147483647 milliseconds (ms), in 100-ms
    increments.
    The default is 10000 ms (10 seconds).

[no] dwr-up-retry
    Specifies the number of Device Watchdog Request and Device Watchdog
    Answer messages required to mark a server port as up. You can specify
    1-7.
    The default is 3.

[no] forward-to-latest-server
    Disabled by default, which causes the ACOS device to forward a client
    Diameter message with a known session ID to a known server per the
    info stored in the session table.
    When this option is enabled, the ACOS device updates the session table
    to the most recent server in the VIP that responds with the known
    session ID, and forwards client Diameter messages to that new server.

[no] forward-unknown-session-id
    Disabled by default, which causes the ACOS device to drop any Diameter
    message from a server with an unknown session ID (with the exception
    of Re-Auth-Requests, which are always forwarded).
    When enabled, and the message is not a Re-Auth-Request, the ACOS
    device picks any client-side TCP connection on the same virtual port
    for forwarding Diameter server messages with unknown session IDs.
    When enabled, and the message is a Subscribe-Notifications-Request,
    the ACOS device picks any available client tuple for forwarding the
    SNR, rather than dropping it. A counter/log message will indicate that
    the client tuple does not exist.

[no] idle-timeout minutes
    Specifies the number of minutes a Diameter session remains idle before
    the session is deleted. You can specify 1-65535 minutes.
    Default is 5 minutes.

[no] load-balance-based-on-session-id
    This option enables load balancing of Diameter sessions (with
    different session IDs) across different servers of the service group.
    By default, when there is one client-side TCP connection, these
    sessions are not load balanced across different servers.
    Server selection may fail when the service group is configured for
    internal load balancing across "OCC pools".

[no] message-code num
    Enables load balancing of Diameter message codes, in addition to those
    already load balanced by default. You can enable load balancing of up
    to 10 additional message codes:
    • Accounting-Request (code 271)
    • Accounting-Answer (code 271)
    • Credit-Control-Request (code 272)
    • Credit-Control-Answer (code 272)
    • Capabilities-Exchange-Request (code 257)
    • Capabilities-Exchange-Answer (code 257)
    • Device-Watchdog-Request (code 280)
    • Device-Watchdog-Answer (code 280)
    • Session-Termination-Request (code 275)
    • Session-Termination-Answer (code 275)
    • Abort-Session-Request (code 274)
    • Abort-Session-Answer (code 274)
    • Disconnect-Peer-Request/Disconnect-Peer-Answer (code 282)
    The ACOS device drops all other Diameter message codes by default.

[no] multiple-origin-host
    Prepends the CPU ID onto the origin-host string to identify the CPU
    used for a given Diameter peer connection.
    The ACOS device establishes a separate peer connection with each
    Diameter server on each CPU. The multiple-origin-host option does not
    enable or disable this behavior. The option simply shows or hides the
    CPU ID in the origin-host string.
    This is disabled by default.

[no] origin-host host.realm
    Sets the value of Diameter AVP 264. This AVP can be a character string
    and specifies the identity of the originating host for Diameter
    messages. Since the ACOS device acts as a proxy for Diameter, this AVP
    refers to the ACOS device itself, not to the actual clients. From the
    Diameter server’s standpoint, the ACOS device is the Diameter client.
    Specify the origin-host in the following format: host.realm
    The host is a string unique to the client (ACOS device). The realm is
    the Diameter realm, specified by the origin-realm option (described
    below).

[no] origin-realm string
    Sets the value of Diameter AVP 296. This AVP can be a character string
    and specifies the Diameter realm from which Diameter messages,
    including requests, are originated.

[no] product-name string
    Sets the value of Diameter AVP 269. This AVP can be a character string
    and specifies the product; for example, “a10dra”.

[no] session-age minutes
    Specifies the absolute limit for Diameter sessions. Any Diameter
    session that is still in effect when the session age is reached is
    removed from the ACOS session table. You can specify 1-65535 minutes.
    The default is 10 minutes.

[no] terminate-on-cca-t
    Removes Diameter sessions when receiving the Server CCA-Termination
    message, rather than waiting for the Client Session-Terminate-Request
    (STR).

[no] vendor-id num
    Sets the value of Diameter AVP 266. This AVP can be a numeric value
    and specifies the vendor; for example, “156”. Make sure to use a
    non-zero value. Zero is reserved by the Diameter protocol.

Default The configuration does not have a default Diameter template. If you con-
figure one, the template has the default values described in the table
above.

Mode Configure

Usage The normal form of this command creates a Diameter template. The no
form of this command removes the template.
You can bind only one Diameter template to a virtual port. However, you
can bind the same Diameter template to multiple ports.

Example For configuration examples, see the “Diameter Load Balancing” chapter
in the Application Delivery Controller Guide.
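An added example, not A10 code, showing what the AVP-related commands in the table above produce on the wire: the RFC 6733 AVP layout (code, flags, 24-bit length, data padded to 4 octets) built from the same inputs as the avp command, plus the identity AVPs the template sets (origin-host 264, origin-realm 296, product-name 269, vendor-id 266). Which identity AVPs carry the mandatory bit follows RFC 6733; that ACOS sets them the same way is an assumption.

```python
"""Diameter AVP encoding for the template commands described above.

Added example, not A10 code. It builds the RFC 6733 AVP wire format
(code, flags, 24-bit length, data padded to 4 octets) from the same inputs
the 'avp' command takes (avp-num, int32 | int64 | string, value,
mandatory), and assembles the identity AVPs the template sets. Which of
those identity AVPs carry the M bit follows RFC 6733; that ACOS sets them
the same way is an assumption.
"""
import struct

AVP_FLAG_MANDATORY = 0x40          # the 'M' bit of the AVP flags octet
MAX_CUSTOM_AVPS = 6                # page: up to 6 custom AVP values per template


def encode_avp(avp_num, data_type, value, mandatory=False):
    """Encode one AVP without a Vendor-Id field (V bit clear)."""
    if not 0 <= avp_num <= 0xFFFFFFFF:
        raise ValueError("avp-num must fit in 32 bits")
    if data_type == "int32":
        data = struct.pack("!I", value & 0xFFFFFFFF)
    elif data_type == "int64":
        data = struct.pack("!Q", value & 0xFFFFFFFFFFFFFFFF)
    elif data_type == "string":
        data = value.encode("utf-8")
    else:
        raise ValueError("data type must be int32, int64 or string")
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    length = 8 + len(data)                       # header + data, padding excluded
    header = struct.pack("!I", avp_num) + bytes([flags]) + length.to_bytes(3, "big")
    padding = b"\x00" * (-len(data) % 4)         # pad data to a 4-octet boundary
    return header + data + padding


def decode_avp(buf, offset=0):
    """Parse one AVP at offset; return (avp_num, mandatory, data, next_offset)."""
    if len(buf) - offset < 8:
        raise ValueError("truncated AVP header")
    avp_num = struct.unpack_from("!I", buf, offset)[0]
    flags = buf[offset + 4]
    length = int.from_bytes(buf[offset + 5:offset + 8], "big")
    if length < 8 or offset + length > len(buf):
        raise ValueError("bad AVP length")
    data = buf[offset + 8:offset + length]
    return avp_num, bool(flags & AVP_FLAG_MANDATORY), data, offset + length + (-length % 4)


def decode_avps(buf):
    """Parse a sequence of AVPs into (avp_num, mandatory, data) tuples."""
    out, offset = [], 0
    while offset < len(buf):
        avp_num, mandatory, data, offset = decode_avp(buf, offset)
        out.append((avp_num, mandatory, data))
    return out


def custom_avps(entries):
    """entries: (avp-num, type, value, mandatory) tuples, one per 'avp' command."""
    if len(entries) > MAX_CUSTOM_AVPS:
        raise ValueError("at most %d custom AVP values" % MAX_CUSTOM_AVPS)
    return b"".join(encode_avp(*e) for e in entries)


def identity_avps(origin_host, origin_realm, product_name, vendor_id):
    """Origin-Host (264), Origin-Realm (296), Product-Name (269), Vendor-Id (266).
    The page says Vendor-Id 0 is reserved, so it is rejected here."""
    if vendor_id == 0:
        raise ValueError("Vendor-Id 0 is reserved by the Diameter protocol")
    return (encode_avp(264, "string", origin_host, True)
            + encode_avp(296, "string", origin_realm, True)
            + encode_avp(269, "string", product_name, False)  # M bit clear per RFC 6733
            + encode_avp(266, "int32", vendor_id, True))
```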


slb template dns


Description Configure DNS caching.

Syntax [no] slb template dns template-name

Replace template-name with the name of the template, 1-127 characters.


This command enters the SLB DNS Template Configuration mode where
the following commands are available.

Command Description

[no] add-padding-to-client
    Adds the EDNS(0) padding to allow the client to pad DNS packets by a
    variable number of bytes, if the client-SSL template is configured.
    You can specify the following options:
    • block-length - Specify the block-length for padding the message to
      multiples of 468 octets. This reduces the variety of message
      ("fingerprint") sizes significantly.
    • random-block-length - Specify the block-length for padding the
      message to some random numbers. This provides more variety in the
      resulting message sizes for a certain individual original message
      length.

[no] cache-record-serving-policy
    Enable the caching record response policy in the DNS template, which
    allows each service to have its own policy overriding the global
    policy.

    Specify one of the following available options under
    cache-record-serving-policy:

    global
        Disable the DNS template (service) level cache serving policy and
        follow the global level DNS cache round-robin policy. This is the
        default setting.

    round-robin
        Enable the round-robin serving of the cached DNS records for the
        service.

    no-change
        Disable the round-robin serving of the cached DNS records for the
        service. This option is useful to override the global round-robin
        policy for the service.

[no] class-list name
    Applies a class list to the template.

[no] default-policy {cache | nocache}
    Specifies the default action when a query does not match any
    class-list entries. The default is nocache.

[no] disable-dns-template
    Disables the template. The template remains in the configuration.
    By default, the template is enabled and takes effect when bound to a
    DNS port.

[no] disable-rpz-attach-soa
    Disables attaching the Start of Authority (SOA) record due to RPZ.

[no] dns-log-enable period minutes
    Enables logging for DNS caching. The period option specifies how often
    log messages are generated. You can specify 1-10000 minutes.

[no] dnssec-service-group
    Use a different service group if the DNSSEC DO bit is set.

[no] dns64 options
    Enable DNS64.

    Specify one of the following available options under dns64:

    answer-only-disable
        Disable translating only the answer section.

    auth-data
        Set the AA flag in the DNS response.

    cache
        Generate the response from the DNS cache.

    change-query
        Always change an incoming AAAA DNS query to A.

    compress-disable
        DNS compression is disabled.

    deep-check-rr-disable
        Disable the checking of DNS response records.

    enable
        Enable DNS64. This option must be enabled before any other DNS64
        options are enabled.

    ignore-rcode3-disable
        Disable ignoring DNS error responses (rcode 3).

    max-qr-length
        Maximum question record (QR) length (1-1023); default 128.

    parallel-query
        Forward AAAA queries; generates an A query in parallel.

    passive-query-disable
        Disable generation of a query upon an empty or error response.

    retry
        Retry count (0-15); default is 3.

    single-response-disable
        Disable single response, which is used to avoid ambiguity.

    timeout seconds
        Timeout to send additional queries (0-15 seconds); default is 1
        second.

    trans-ptr
        Translate DNS PTR records.

    ttl seconds
        Specify the maximum TTL in DNS responses, in seconds
        (1-1000000000).

[no] enable-cache-sharing
    Enables caching of TCP-based DNS queries along with UDP-based queries.
    NOTE: If DNS authentication also is enabled, the initial request is
    not only redirected to TCP, but is then cached so that a second
    request is not made to the DNS server.

[no] malformed-query {drop | forward service-group-name}
    Specifies the action to take for malformed DNS queries:
    • drop – Drops malformed queries.
    • forward – Sends the queries to the specified service group.
    With either option, the malformed queries are not sent to the DNS
    virtual port.
    The following packets are considered malformed when the:
    • Packet length is shorter than the DNS header size (12 bytes).
    • Packet length is longer than the max-query-length configuration, if
      present.
    • DNS header QR flag is zero
    • DNS header opcode or rcode is non-zero
    • Number of queries (qdcount) is zero
    • Length of any label is longer than 64 characters.

[no] max-cache-entry-size num
    Specifies the maximum number of bytes each cache entry can have,
    1-4096.
    The default is 256.

[no] max-cache-size num
    Specifies the maximum number of entries that can be cached per VIP.
    The maximum configurable amount depends on the amount of RAM installed
    on the ACOS device.

[no] max-query-length num
    Specifies the maximum length for DNS queries, 1-4095.
    By default, there is no limit on the length.

[no] query-class-filter {allow | deny} query-class query-class-name
    Specifies the action to be taken for the DNS query class:
    • allow – Allow only certain DNS query classes
    • deny – Deny only certain DNS query classes
    By default, all query classes are allowed. When a list of query
    classes is specified as allow, the query classes which are not
    specified are dropped. Similarly, when a list of query classes is
    specified as deny, these query classes are dropped.
    You can specify any of the following query classes:
    • INTERNET – INTERNET query class, ID: 1
    • CHAOS – CHAOS query class, ID: 3
    • HESIOD – HESIOD query class, ID: 4
    • NONE – NONE query class, ID: 254
    • ANY – ANY query class, ID: 255
    • num – Other query class value (1-65535)
    NOTE: You cannot configure more than 8 query-class items.
    The query class IDs (mentioned above) are reserved and should not be
    used for the Other query class (num).

[no] query-id-switch
    Enables stateful query-ID-based load balancing, which distributes DNS
    queries on a request-ID basis. This helps provide even distribution of
    DNS query traffic behind a DNS proxy.
    Without the query-ID-based load balancing option, multiple requests
    received by a DNS virtual port appear to be from the same source, if
    the source IP address and Layer 4 port are the same. For example,
    without query-ID-based load balancing, if ACOS receives multiple
    requests from a DNS proxy, the requests can appear to be from the same
    end-user, if they all have the same source IP address and Layer 4
    port.
    This feature applies only to DNS port 53. For other load-balanced DNS
    virtual ports, requests are load balanced based on the following:
    • Source IP address and Layer 4 port
    • Destination IP address and Layer 4 port
    • Protocol (virtual port type: DNS, DNS-TCP, or DNS-UDP)
    This is the same as DNS load balancing without request-ID-based load
    balancing. The feature is “stateful” because ACOS session resources
    are used, and the sessions can be viewed in the session table.
    This is disabled by default.

[no] query-type-filter {allow | deny} query-type query-type-name
    Specifies the action to be taken for the DNS query type:
    • allow – Allow only certain DNS query types. The query types which
      are not specified are dropped.
    • deny – Deny only certain DNS query types. The query types are
      dropped.
    By default, all query types are allowed.
    You can specify any of the following query types:
    • A – Address record, query type ID: 1
    • AAAA – IPv6 Address record, query type ID: 28
    • CNAME – Canonical name record, query type ID: 5
    • MX – Mail exchange record, query type ID: 15
    • NS – Name server record, query type ID: 2
    • SRV – Service locator, query type ID: 33
    • PTR – PTR resource record, query type ID: 12
    • SOA – Start of authority record, query type ID: 6
    • TXT – Text record, query type ID: 16
    • ANY – All cached records, query type ID: 255
    • num – Other record type value (1-65535).

    The query type IDs (mentioned above) are reserved and should not be
    used for the Other record type (num).
    NOTE: You cannot configure more than 16 query-type items.

[no] recursive-dns-resolution hostnames | ipv4-nat-pool | ipv6-nat-pool
    Enable the recursive DNS resolver.
    This feature:
    • Supports dns-udp and dns-tcp type virtual server ports only.
    • Supports caching the responses only when DNS caching is configured
      globally using the dns-cache-enable command under the 'slb common'
      module.
    • Does not support the query-id-switch command when enabled on any
      DNS template in the same L3v partition.
    You can configure the following options:
    • hostnames - Optional. Bind the AC type class-list name to perform
      top-level domain (TLD) resolution for a subset of domain names
      instead of all the DNS queries.
    • ipv4-nat-pool - Mandatory. Bind an IPv4 source NAT pool or pool
      group to query the TLD servers.
    • ipv6-nat-pool - Mandatory. Bind an IPv6 source NAT pool or pool
      group to query the TLD servers.
    Note: You can configure:
    • Either an IPv4 or an IPv6 NAT pool.
    • Both types of NAT pools at the same time.
    • An IPv6 NAT pool while the virtual server is IPv4, or vice versa.

[no] redirect-to-tcp-port
    Enables authentication for DNS requests received over UDP. When this
    feature is enabled, ACOS drops the UDP DNS request from a client, and
    sends the client a DNS Truncate message. To pass DNS authentication,
    the client must resend the DNS request over TCP.
    By default, this feature is disabled.

[no] remove-aa-flag
    Make answers created from cache non-authoritative.

[no] remove-edns-csubnet-to-server
    Remove the EDNS(0) client subnet from the client queries.

[no] remove-padding-to-server
    Removes the EDNS(0) padding to the server.

[no] response-rate-limiting
    Configure the following DNS Response Rate Limiting options:
    action – Action to be taken if the DNS response rate limit is
    exceeded.

    Specify one of the following available options under
    response-rate-limiting:

    log-only
        Only log rate-limiting, but do not actually apply rate limits.
        Selecting this option enables “log only” behavior for
        rate-limiting. ACOS behaves as if the queries are being
        rate-limited. Logs are sent out and counters increment, but this
        is done without actually applying rate limits to DNS responses.
        Enabling this option also requires selecting the “enable-log”
        configuration.

    rate-limit
        Rate-limit based on configuration (default).

    whitelist
        This effectively disables DNS rate-limiting.

    enable-log
        Enables “log only” behavior. It enables logs for rate-limiting
        entries. Actual actions on traffic depend on what the user
        configures for the action. This option is disabled by default, due
        to possible high log volume. If enabled, this generates logs which
        are themselves rate-limited at a rate of one per minute. The
        content of the logs indicates whether rate-limiting is occurring
        for a particular source and FQDN combination.

    filter-response-rate
        This is the maximum allowed request rate for the filter table.
        Configure a value from 1 - 1000 queries per second. This value
        should match the rate of DNS queries during normal traffic
        patterns. This is the first “filter table” for normal DNS
        requests. Once a client (source + FQDN) exceeds this rate, then
        subsequent requests are moved to the “rate-limit entry table” to
        monitor for potential threats.

    response-rate
        This is the maximum allowed request rate for the filter. Configure
        a value from 1 - 1000 queries per configured window. Responses
        exceeding this rate are dropped. This parameter maps to the second
        of the two tables, the “rate-limit entry table”, and is used for
        abusive DNS requests. Once a client exceeds the rate in the filter
        table, then subsequent requests from that (source + FQDN) are moved
        to this “rate-limit entry table” to monitor them more closely for
        potential threats.

    slip-rate
        Enables some portion of traffic to pass through to the target
        (whose IP address is being spoofed) even during an attack. If a
        value is configured for the slip rate, then every n'th response
        that would have been rate-limited is instead let through. The slip
        rate must be set from 2 - 10, and should approximate the retry
        count for regular queries. Setting the slip rate to zero
        effectively disables this option.

    window
        Configures the rate-limiting window, which is the time interval
        over which rates are measured and during which memory of
        rate-limit excesses is retained. If a client asks for the same DNS
        mapping too many times, then similar queries from that same client
        are dropped for the rest of the window. Default is 1 second. Range
        is 1 - 60 seconds. This option impacts response-rate and
        slip-rate.

[no] rpz seq_id file_name logging {enable action}
    Specify the Response Policy Zone (RPZ) file to be bound with the DNS
    template. The parameters are described below:
    • seq_id: Specify the sequential ID (1-8).
    • file_name: Specify the name of the RPZ file, 1-63 characters.
    • logging: Use this command to log the RPZ triggered actions. When
      logging is set to enable, the actions mentioned below take effect.
    • action: When logging is enabled, you can specify any of the
      following actions:
      - drop: Log the drop action
      - pass-thru: Log the pass-thru action
      - nxdomain: Log the nxdomain action
      - nodata: Log the nodata action
      - tcp-only: Log the tcp-only action
      - local-data: Log the local-data action
    NOTE: You cannot bind more than 8 RPZ files on the same DNS template.

[no] udp-retransmit
    Specify the policy to retransmit the UDP packet.

    Specify one of the following available options under udp-retransmit:

    max-trials
        Specify the total number of times to try the DNS query to the
        server before closing the client connection.
        By default, the value is 3.

    retry-interval
        Specify the DNS Retry Interval value. The value can be 1 - 400 in
        units of 100ms.
        By default, the value is 10 (1000ms/1sec).

Default DNS template options have the default settings described in the table
above.

Mode Configure

Usage The normal form of this command creates a DNS template. The no form of
this command removes the template.
You can bind only one DNS template to a virtual port. However, you can
bind the same DNS template to multiple ports.
For DNS caching, bind the template to virtual port type dns-udp. Virtual
port type dns applies only to DNS security.
DNS templates are not supported with stateless load-balancing
methods.

Example This example configures DNS template dns1 so that the age of the
virtual port DNS cache is the minimum of 600 seconds and the server
response TTL:
ACOS(config)# show running-config | section class-list
class-list cl1 dns
dns contains example.com lid 1
ACOS(config)# slb template dns dns1
ACOS(config-dns)# class-list name cl1
ACOS(config-dns)# class-list lid 1
ACOS(config-dns)# remove-aa-flag
ACOS(config-dns-lid)# dns ttl 600 honor-server-response-ttl

Example The following command configures the dns cache round-robin on the
dns1 template.
ACOS(config)# slb template dns dns1
ACOS(config-dns)# cache-record-serving-policy round-robin


Example The following command means the age of the virtual port DNS cache
using DNS template dns1 will be 600 seconds:
ACOS(config-dns-lid)# dns ttl 600

Example The following command means the server response TTL will be used as
the virtual port’s DNS cache TTL using DNS template dns1:
ACOS(config-dns-lid)# dns ttl honor-server-response-ttl

Example The following example configures a list of DNS query-types to be
allowed:
ACOS(config)# slb template dns dns1
ACOS(config-dns)# query-type-filter allow
ACOS(config-dns-query-type-filter:allow)# query-type ANY
ACOS(config-dns-query-type-filter:allow)# query-type PTR
ACOS(config-dns-query-type-filter:allow)# query-type 7
ACOS(config-dns-query-type-filter:allow)# query-type 8
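The malformed-query rules listed in the table above, applied in Python as an added example (not A10 code, and not how ACOS implements them). Two points are assumptions that differ from the page's wording: a query is rejected when its QR bit is set, since RFC 1035 defines QR=0 as a query, and the label limit is 63 octets, the RFC 1035 maximum, where the page says 64. build_query() constructs sample packets for testing.

```python
"""Malformed-DNS-query checks, following the malformed-query table entry.

Added example, not A10 code. malformed_reason() applies the six conditions
the page lists to a raw DNS message and names the first one hit. Two
points differ from the page's wording and are assumptions: a query is
rejected when its QR bit is set (RFC 1035 defines QR=0 as a query), and
the label limit used is 63 octets, the RFC 1035 maximum, where the page
says 64. build_query() constructs sample packets for testing.
"""
import struct

DNS_HEADER_LEN = 12      # page: header size is 12 bytes
MAX_LABEL_LEN = 63       # RFC 1035 limit (the page states 64)


def malformed_reason(pkt, max_query_length=None):
    """Return None for a well-formed query, else a short name of the failed rule."""
    if len(pkt) < DNS_HEADER_LEN:
        return "short-header"
    if max_query_length is not None and len(pkt) > max_query_length:
        return "too-long"
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:DNS_HEADER_LEN])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    if qr != 0:
        return "qr-set"
    if opcode != 0 or rcode != 0:
        return "opcode-or-rcode"
    if qdcount == 0:
        return "no-question"
    # Walk the labels of the first QNAME. A question name is expected to be
    # uncompressed, so a length octet above 63 (which includes 0xC0 pointer
    # bytes) is treated as a bad label.
    offset = DNS_HEADER_LEN
    while True:
        if offset >= len(pkt):
            return "truncated-name"
        label_len = pkt[offset]
        if label_len == 0:
            break
        if label_len > MAX_LABEL_LEN:
            return "label-too-long"
        offset += 1 + label_len
    if len(pkt) < offset + 1 + 4:      # root octet plus QTYPE and QCLASS
        return "truncated-question"
    return None


def build_query(qname, qtype=1, qclass=1, flags=0x0100, qdcount=1, ident=0x1234):
    """Construct a DNS query (constructed sample data; flags default to RD only)."""
    header = struct.pack("!HHHHHH", ident, flags, qdcount, 0, 0, 0)
    labels = [part for part in qname.split(".") if part]
    name = b"".join(bytes([len(part)]) + part.encode("ascii") for part in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)
```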

Example The following example configures a list of DNS query classes to be
denied:
ACOS(config)# slb template dns dns1
ACOS(config-dns)# query-class-filter deny
ACOS(config-dns-query-class-filter:deny)# query-class ANY
ACOS(config-dns-query-class-filter:deny)# query-class INTERNET
ACOS(config-dns-query-class-filter:deny)# query-class CHAOS
ACOS(config-dns-query-class-filter:deny)# query-class 5

Example The following example configures a recursive DNS resolver that you can
bind with the SLB virtual server:
ACOS(config)# slb template dns dns1
ACOS(config-dns)# recursive-dns-resolution
ACOS(config-dns-recursive-dns-resolution)# host1

Example The following commands bind the RPZ to the templ_dns template:
ACOS(config)# slb template dns templ_dns
ACOS(config-dns)# rpz 1 A10.rpz
ACOS(config-dns-rpz)# logging enable
ACOS(config-dns-rpz-logging:enable)# rpz-action drop
ACOS(config-dns-rpz-logging:enable)# rpz-action tcp-only


slb template dns-logging


Description Enables DNS query logging for a specified template.

Syntax slb template dns-logging template-name

Replace template-name with the name of the template, 1-127 characters.

Default The DNS Query type is the default type. Currently, it is the only supported
DNS type.
This command activates the SLB DNS Template Configuration mode
where the following commands are available.

Command Description

clear – Clear or reset functions.

disable-dns-logging-template – Disable the DNS Logging template.

do – Run exec commands in the configure mode.

end – Exit the config mode.

exit – Exit the config mode or the config-dns-logging submode.

no – Negate any of the supported commands described in this table.

protocol – Log the DNS protocol. The following options are available:
• both – Log DNS over TCP and UDP.
• tcp – Log DNS over TCP.
• udp – Log DNS over UDP.

request-section – Log the DNS request section. The following options are available:
• all – Log the DNS header and question sections.
• header – Log only the DNS header section.
• question – Log only the DNS question section.

show – Show the running system information.

type – Log the DNS type. This release only supports the DNS query type.

user-tag – Customized tag.

write – Write configuration.

Mode Configure

Usage You must remove all CGNv6 configurations before making SLB configurations (including WAF, aFlex, AAM, GSLB, and Overlay).
The normal form of this command creates a DNS template. The no form of
this command removes the template.

Example The following example logs the DNS queries associated with the dns710
template:
ACOS(config)# slb template dns-logging dns710

The DNS log created by the command uses the following conventions:
• proto – The protocol being used: UDP, TCP, or both
• src – Source IP of the incoming packet
• spt – Source port of the incoming packet
• dest – Destination IP address
• dpt – Destination port of the packet
• type – Query is the only supported type
• queryId – Query ID of the request


The header log includes the following:

• Opcode: Query, IQuery, Status, Reserved, Update, and Notify
• Header Flags:
• AA (Authoritative Answer) — This bit is set to 1 when the responding server is authoritative for the zone of the domain name specified in the Question section. This bit is set to 0 when the response is not authoritative.
• CD (Checking Disabled) — This bit requests that the responding server disable signature validation and not check DNSSEC records.
• RA (Recursion Available) — This bit is set to 1 when the responding server supports recursive queries and to 0 when it does not. The querying device can optionally use this information in later queries.
• RD (Recursion Desired) — When included in a query, it serves as a request for the receiving server to respond to the query recursively if possible. The value of this bit is the same in the query and the response.
• TC (Truncation) — This bit is set to 1 to indicate that the response was truncated because it exceeds the maximum length permitted by the transport mechanism. Because TCP has no limit for messages, and UDP limits messages to 512 bytes, this bit also indicates that the message was sent using UDP. It is often possible for the client to establish a TCP session to avoid truncation.
• Z (Zero) — The three reserved bits are set to 0 (zero).
The following example shows the DNS Request Header (CEF and Syslog) that results from specifying the header request-section:
Apr 02 2019 20:48:55 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556097|Log DNS Request Header|2|proto=UDP src=10.1.1.1 spt=39093 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=33511 cn1Label=Query ID cs2=Query cs2Label=Opcode cs3=RD|AD cs3Label=Header Flag cn2=1 cn2Label=Question Count cn3=0 cn3Label=Answer Record Count cn4=0 cn4Label=Authority Record Count cn5=1 cn5Label=Additional Record Count
Apr 02 2019 20:51:43 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556097|Log DNS Request Header|2|proto=TCP src=10.1.1.1 spt=42928 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=29521 cn1Label=Query ID cs2=Query cs2Label=Opcode cs3=RD|AD cs3Label=Header Flag cn2=1 cn2Label=Question Count cn3=0 cn3Label=Answer Record Count cn4=0 cn4Label=Authority Record Count cn5=1 cn5Label=Additional Record Count
Apr 02 2019 20:47:29 Info [ACOS]:UDP 10.1.1.1.50850 30.1.10.1.53 Type=Query QueryId=28245 Opcode=Query HeaderFlag=RD|AD QDCount=1 ANCount=0 NSCount=0 ARCount=1
Apr 02 2019 20:50:28 Info [ACOS]:TCP 10.1.1.1.52597 30.1.10.1.53 Type=Query QueryId=33027 Opcode=Query HeaderFlag=RD|AD QDCount=1 ANCount=0 NSCount=0 ARCount=1

The following example shows the DNS Request Question (CEF and Syslog) that results from specifying the question request-section:
Apr 02 2019 20:49:10 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556098|Log DNS Request Question|2|proto=UDP src=10.1.1.1 spt=42839 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=32748 cn1Label=Query ID dhost=server.pradeep.com cs2=A cs2Label=Query Type cs3=IN cs3Label=Query Class
Apr 02 2019 20:51:59 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556098|Log DNS Request Question|2|proto=TCP src=10.1.1.1 spt=38573 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=50512 cn1Label=Query ID dhost=server.pradeep.com cs2=A cs2Label=Query Type cs3=IN cs3Label=Query Class
Apr 02 2019 20:47:43 Info [ACOS]:UDP 10.1.1.1.54170 30.1.10.1.53 Type=Query QueryId=7280 dhost=server.pradeep.com QueryType=A QueryClass=IN
Apr 02 2019 20:50:42 Info [ACOS]:TCP 10.1.1.1.33086 30.1.10.1.53 Type=Query QueryId=37115 dhost=server.pradeep.com QueryType=A QueryClass=IN

The following example shows the DNS Request Header and Questions (CEF and Syslog) that results from specifying the all request-section:
Apr 02 2019 20:49:25 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556099|Log DNS Request Header and Questions|2|proto=UDP src=10.1.1.1 spt=35419 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=6966 cn1Label=Query ID cs2=Query cs2Label=Opcode cs3=RD|AD cs3Label=Header Flag cn2=1 cn2Label=Question Count cn3=0 cn3Label=Answer Record Count cn4=0 cn4Label=Authority Record Count cn5=1 cn5Label=Additional Record Count dhost=server.pradeep.com cs4=A cs4Label=Query Type cs5=IN cs5Label=Query Class
Apr 02 2019 20:52:14 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556099|Log DNS Request Header and Questions|2|proto=TCP src=10.1.1.1 spt=56362 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=44728 cn1Label=Query ID cs2=Query cs2Label=Opcode cs3=RD|AD cs3Label=Header Flag cn2=1 cn2Label=Question Count cn3=0 cn3Label=Answer Record Count cn4=0 cn4Label=Authority Record Count cn5=1 cn5Label=Additional Record Count dhost=server.pradeep.com cs4=A cs4Label=Query Type cs5=IN cs5Label=Query Class
Apr 02 2019 20:47:57 Info [ACOS]:UDP 10.1.1.1.33912 30.1.10.1.53 Type=Query QueryId=62463 Opcode=Query HeaderFlag=RD|AD QDCount=1 ANCount=0 NSCount=0 ARCount=1 dhost=server.pradeep.com QueryType=A QueryClass=IN
Apr 02 2019 20:51:28 Info [ACOS]:TCP 10.1.1.1.45824 30.1.10.1.53 Type=Query QueryId=27573 Opcode=Query HeaderFlag=RD|AD QDCount=1 ANCount=0 NSCount=0 ARCount=1 dhost=server.pradeep.com QueryType=A QueryClass=IN
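The two log formats above are what a collector or SIEM receives from the dns-logging template. The following Python parser is an added example, not part of this reference and not ACOS code: it normalises both the CEF and the syslog variants into one record per query, resolves the CEF csN/csNLabel pairs into named fields, splits the header flags, and counts queries per client while flagging ANY queries, which the query-type-filter command shown earlier can deny. The first four sample lines are the ones shown above (joined onto one line each); the fifth is constructed, and the function and field names are the example's own.

```python
import re
from collections import Counter

CEF_MARKER = "CEF:0|"

# Sample lines in the two formats shown above. The first four are the page's own
# examples; the fifth is constructed to show an ANY query from a second client.
SAMPLE_LOGS = [
    "Apr 02 2019 20:48:55 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627"
    "|486715039831556097|Log DNS Request Header|2|proto=UDP src=10.1.1.1 spt=39093 "
    "dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=33511 cn1Label=Query ID cs2=Query "
    "cs2Label=Opcode cs3=RD|AD cs3Label=Header Flag cn2=1 cn2Label=Question Count cn3=0 "
    "cn3Label=Answer Record Count cn4=0 cn4Label=Authority Record Count cn5=1 "
    "cn5Label=Additional Record Count",
    "Apr 02 2019 20:49:10 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627"
    "|486715039831556098|Log DNS Request Question|2|proto=UDP src=10.1.1.1 spt=42839 "
    "dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=32748 cn1Label=Query ID "
    "dhost=server.pradeep.com cs2=A cs2Label=Query Type cs3=IN cs3Label=Query Class",
    "Apr 02 2019 20:47:29 Info [ACOS]:UDP 10.1.1.1.50850 30.1.10.1.53 Type=Query "
    "QueryId=28245 Opcode=Query HeaderFlag=RD|AD QDCount=1 ANCount=0 NSCount=0 ARCount=1",
    "Apr 02 2019 20:50:42 Info [ACOS]:TCP 10.1.1.1.33086 30.1.10.1.53 Type=Query "
    "QueryId=37115 dhost=server.pradeep.com QueryType=A QueryClass=IN",
    "Apr 02 2019 20:53:01 Info [ACOS]:UDP 10.1.1.7.40001 30.1.10.1.53 Type=Query "
    "QueryId=4242 dhost=example.test QueryType=ANY QueryClass=IN",
]

# A CEF extension key starts at the beginning or after whitespace; values may
# contain spaces ("Query ID") or pipes ("RD|AD"), so split on key positions.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=")
_SYSLOG_RE = re.compile(
    r"\[ACOS\]:(?P<proto>UDP|TCP)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<kv>.*)$")
_CEF_RENAME = {"Query ID": "query_id", "Query Type": "qtype",
               "Query Class": "qclass", "Header Flag": "header_flag"}
_SYSLOG_RENAME = {"QueryId": "query_id", "QueryType": "qtype",
                  "QueryClass": "qclass", "HeaderFlag": "header_flag"}


def _parse_extension(ext):
    """CEF extension -> dict; value runs from one key's '=' to the next key."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out


def _resolve_custom_fields(ext):
    """Turn cs1=Query cs1Label=Opcode style pairs into {'Opcode': 'Query'}."""
    rec = {}
    for key, value in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            rec[value] = ext[key[:-5]]
        elif not re.fullmatch(r"c[sn]\d+", key):
            rec[key] = value
    return rec


def _finish(rec, rename):
    rec = {rename.get(k, k): v for k, v in rec.items()}
    rec["flags"] = set(rec["header_flag"].split("|")) if rec.get("header_flag") else set()
    return rec


def parse_cef(line):
    """Parse a 'Log DNS Request ...' CEF line; the 8th pipe field is the extension."""
    parts = line[line.index(CEF_MARKER):].split("|", 7)
    if len(parts) < 8:
        return None
    _, _vendor, _product, _version, signature_id, name, severity, ext = parts
    rec = _resolve_custom_fields(_parse_extension(ext))
    rec.update(format="cef", event=name, severity=int(severity), signature_id=signature_id)
    return _finish(rec, _CEF_RENAME)


def parse_syslog(line):
    """Parse the plain syslog variant: proto, src ip.port, dst ip.port, key=value tokens."""
    m = _SYSLOG_RE.search(line)
    if not m:
        return None
    src_ip, src_port = m.group("src").rsplit(".", 1)
    dst_ip, dst_port = m.group("dst").rsplit(".", 1)
    rec = {"format": "syslog", "proto": m.group("proto"),
           "src": src_ip, "spt": src_port, "dst": dst_ip, "dpt": dst_port}
    for tok in m.group("kv").split():
        key, _, value = tok.partition("=")
        rec[key] = value
    return _finish(rec, _SYSLOG_RENAME)


def parse_line(line):
    """Dispatch on format; returns None for lines that are not DNS request logs."""
    return parse_cef(line) if CEF_MARKER in line else parse_syslog(line)


def summarize(lines):
    """Queries per client source IP plus the records whose query type is ANY."""
    per_client = Counter()
    any_queries = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["src"]] += 1
        if rec.get("qtype") == "ANY":
            any_queries.append(rec)
    return per_client, any_queries


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOGS)
    print(dict(counts), [(r["src"], r.get("dhost")) for r in flagged])
```

The CEF branch splits the header on at most seven pipes so that a pipe inside an extension value (the RD|AD flag list) is not mistaken for a field separator; the same flag list is split into a set so a detection rule can test for a single flag without string matching.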

slb template doh


Description Configure DNS over HTTP/HTTPs for SLB.

Syntax [no] slb template doh doh_template-name

Replace doh_template-name with the name of the template, 1-127 characters.
This command enters the SLB DNS over HTTP Template Configuration mode where the following commands are available.

Command Description

conn-reuse {enable | disable} – Specify action to enable or disable connection reuse.
• source-nat must be enabled with the auto or pool option inside the DoH template.
• conn-reuse applies to both TCP and UDP connections.
• conn-reuse behaves slightly differently with TCP and UDP. With TCP, ACOS maintains a session and keeps the TCP connection to the server alive. With UDP, only the ACOS session is kept alive; no UDP traffic is sent back and forth to the server unless there is a DNS query to be forwarded to the server.
• Connections are established to each server when the server is first selected for a client request and are not disconnected immediately, so they can be re-used for future client requests.
• When a connection is used for a DNS request and is awaiting a response, it is not eligible for a second request. If a new client request is received, then a different available connection, or a new connection to the server, will be used.

dns-retry – DNS over HTTP(s) template retry policy, with the following sub-options in the configure-doh-dns-retry mode. The dns-retry parameters are only applicable for DNS server side traffic based on UDP.
• after-timeout {close | retry-with-tcp}: Action to take after timeout. Default is close. Note the following:
• When "retry-with-tcp" is configured, ACOS connects to a backend DNS server over TCP using the servers configured with the "tcp-service-group" command.
• When a backend UDP based DNS server responds with a DNS response with the TC (truncation) bit set, ACOS retries the same server using DNS over TCP and does not use the tcp-service-group to select a new server.
• max-trials <1-5>: Total number of times to try the DNS query to the server before closing the client connection. Default value is 3.
• no: Negate a command or set its defaults.
• retry-interval <1-400>: DNS Retry Interval value 1 to 400 in units of 100ms. Default is 10 (1000ms).

non-dns-request {allow | reject [400 | 500 | 501]} – Specify one of the following actions for a non-DNS request:
• allow: allow the request
• deny: deny the request with one of the following status codes:
• 400 Status Code 400 Bad Request (Default)
• 500 Status Code 500 Internal Server Error
• 501 Status Code 501 Not Implemented

forwarder – DNS over HTTP(s) template forwarding policy with the following sub-options in the config-doh-forwarder mode:
• no: Negate a command or set its defaults.
• tcp-service-group <tcp_sg_name>: Bind a TCP Service Group to the template.
• udp-service-group <udp_sg_name>: Bind a UDP Service Group to the template.

Note:
• You can configure either udp-service-group or tcp-service-group or both.
• When only one type of service-group is configured, ACOS will use that for DNS load balancing.
• When both types of service-groups (TCP as well as UDP) are configured, ACOS will by default use the UDP service-group. The TCP service-group will be used only if the UDP servers are not reachable and the after-timeout retry-with-tcp command is configured under the dns-retry parameter.

• forwarding-ipv4 <ipv4 address>: This IPv4 address can be used to forward the traffic externally or internally to another VIP.
• forwarding-ipv6 <ipv6 address>: This IPv6 address can be used to forward the traffic externally or internally to another VIP.

Additionally, you can also set either or all of the parameters below along with the tcp, udp or both protocols:
• internal: Set this to find the IP (v4/v6) as a VIP in this L3V partition and forward it internally to the VIP.
• port: Set this to forward to a port number. By default, the port is 53.
• protocol: Set this for the Layer 4 protocol type. By default, the protocol is both.

no – Negate a command or set its defaults.

source-nat – Specify the action to enable or disable Source NAT. Default is Source NAT Auto, with the sub-options:
• auto: Perform Source NAT Auto (Default).
• disable: Disable Source NAT for server side DNS queries. “conn-reuse” is not supported when source-nat is “disabled”.
• pool: Perform Source NAT with a specific pool.

template tcp-proxy <tcp-proxy-template-name> – Apply a TCP-proxy or persist template to the DoH template. Template name of 1 to 127 characters.
Note: This template configuration is applicable to DNS over TCP server side traffic only.

user-tag <tag-name> – Customized user tag for the DoH template. Tag name of 1 to 127 characters.

Default DoH template options have the default settings described in the table
above.

Mode Configure

Usage The normal form of this command creates a DoH template. The no form of
this command removes the template.
You can bind only one DoH template to a virtual port. However, you can
bind the same DoH template to multiple ports.
DoH templates are not supported with stateless load-balancing methods.

Example Configure a new DoH template and set TCP forwarding policy:
ACOS(config)# slb template doh doh1
ACOS(config-doh)# forwarder
ACOS(config-doh-forwarder)# tcp-service-group sg-53

Example Configure a new DoH template and set IPv4 address forwarding policy
internally with TCP protocol:
ACOS(config)# slb template doh doh2
ACOS(config-doh)# forwarder
ACOS(config-doh-forwarder)# forwarding-ipv4 10.10.1.10 internal port 53 protocol tcp

Example Configure a new DoH template and set IPv4 address forwarding policy to
external DNS server:
ACOS(config)# slb template doh doh3
ACOS(config-doh)# forwarder
ACOS(config-doh-forwarder)# forwarding-ipv4 10.23.1.1
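The dns-retry behaviour described in the DoH template table (retry-interval in units of 100 ms, max-trials, the two after-timeout actions, and the TC-bit case in which the same server is retried over TCP instead of consulting the tcp-service-group) is modelled by the following Python example. It is added here and is not ACOS code: the TC bit is read from the real DNS header layout (RFC 1035), while the function names, the event labels and the simulated reply list are the example's own.

```python
import struct

# TC (truncation) flag in the 16-bit DNS header flags word, RFC 1035 section 4.1.1.
TC_FLAG = 0x0200


def tc_bit_set(dns_message: bytes) -> bool:
    """Return True if the TC bit is set in the 12-byte DNS header."""
    if len(dns_message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", dns_message[2:4])[0]
    return bool(flags & TC_FLAG)


def make_response(query_id: int, tc: bool = False) -> bytes:
    """Constructed minimal DNS response header: QR=1, RD=1, RA=1, QDCOUNT=1, no records."""
    flags = 0x8180 | (TC_FLAG if tc else 0)
    return struct.pack("!HHHHHH", query_id, flags, 1, 0, 0, 0)


def dns_retry_policy(udp_replies, max_trials=3, after_timeout="close", retry_interval=10):
    """Simulate the dns-retry decisions for one UDP server-side DNS query.

    udp_replies: one entry per trial, either None (no reply within the retry
    interval) or the raw DNS response bytes received from the UDP server.
    Returns the ordered list of (event, trial) decisions. The ranges and
    defaults are the documented ones; the event labels are this example's.
    """
    if not 1 <= max_trials <= 5:
        raise ValueError("max-trials must be 1-5")
    if not 1 <= retry_interval <= 400:
        raise ValueError("retry-interval must be 1-400 (units of 100 ms)")
    if after_timeout not in ("close", "retry-with-tcp"):
        raise ValueError("after-timeout must be close or retry-with-tcp")

    decisions = []
    for trial in range(1, max_trials + 1):
        reply = udp_replies[trial - 1] if trial - 1 < len(udp_replies) else None
        if reply is None:
            # No answer within retry_interval * 100 ms: try again, up to max-trials.
            decisions.append(("udp-timeout", trial))
            continue
        if tc_bit_set(reply):
            # Truncated UDP answer: retry the SAME server over TCP; the
            # tcp-service-group is not consulted in this case.
            decisions.append(("retry-same-server-over-tcp", trial))
            return decisions
        decisions.append(("answered", trial))
        return decisions

    # Every UDP trial timed out: apply the after-timeout action.
    if after_timeout == "retry-with-tcp":
        decisions.append(("retry-via-tcp-service-group", max_trials))
    else:
        decisions.append(("close-client-connection", max_trials))
    return decisions


def wait_budget_ms(max_trials=3, retry_interval=10) -> int:
    """Worst-case time spent on UDP trials before the after-timeout action fires."""
    return max_trials * retry_interval * 100


if __name__ == "__main__":
    print(dns_retry_policy([None, make_response(7, tc=True)]))
    print(dns_retry_policy([None, None, None], after_timeout="retry-with-tcp"))
    print(wait_budget_ms(), "ms before after-timeout with the defaults")
```

With the defaults (max-trials 3, retry-interval 10) a client can wait up to 3000 ms before the after-timeout action is taken; the budget helper makes that cost explicit when tuning the two parameters together.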

slb template dynamic-service


Description Creates a template that you can bind to virtual ports to access the DNS servers specified by the dns server sub-command.

Syntax [no] slb template dynamic-service template-name

This command changes the CLI mode to dynamic service configuration mode, where the following command is available:
dns server dns-ip-address

A maximum of two dns-ip-address values can be specified.

Default ACOS does not have a default SLB dynamic-service template.

Mode Global Configuration mode

Example The following example creates the dynamic-service template with the name DNS_service1, and then binds it to the HTTPs vPort of the Inside_VIP virtual server.

ACOS(config)# slb template dynamic-service DNS_service1
ACOS(config-dynamic-service)# dns server 10.10.1.253
ACOS(config-dynamic-service)# dns server 2001:db8::1521:31ac
ACOS(config-dynamic-service)# exit
ACOS-Inside(config)# slb virtual-server Inside_VIP 10.10.1.30
ACOS-Inside(config-slb vserver)# port 443 https
ACOS-Inside(config-slb vserver-vport)# service-group FW1_Inspect_SG
ACOS-Inside(config-slb vserver-vport)# template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-slb vserver-vport)# template policy Explicit_Proxy
ACOS-Inside(config-slb vserver-vport)# template dynamic-service DNS_service1

slb template external-service


Description Configure an External Service template to steer traffic to external servers
for additional processing, based on application.

NOTE: This command is not supported for HTTP/2 virtual port.

Syntax [no] slb template external-service template-name

Replace template-name with the name of the template, 1-127 characters.
This command enters the SLB External-Service Template Configuration mode where the following commands are available.

Command Description

[no] bypass-ip IPv4-address {/nn | netmask} – If configuring for ICAP-based Traffic Steering, specifies the controller IP address.

[no] failure-action {continue | drop | reset} – Specifies the action performed by ACOS when any of the following types of events occurs:
• ACOS fails to select an external-service server.
• Failure during creation of a new connection to the external-service server.
• The response from the external-service server does not contain HTTP status code 200 or 403.
• Exhaustion of memory when creating a request to the external-service server.

The failure action can be one of the following:
• continue – Allows the client’s request to go to the content server.
• drop – Silently drops the connection and does not send a reset to the client.
• reset – Sends a connection reset to the client.

NOTE: If a TCP error occurs while ACOS is waiting for a response, ACOS resets the connection. For example, this occurs in the case of a connection reset by a URL filtering server.

The default is continue.

[no] request-header-forward header-name – Enable forwarding of additional headers to the proxy server. If there are multiple headers with the same name from the client, then only the first header instance will be forwarded.

The URL Filter server’s HTTP module parses the client request and saves the results in the corresponding data structure. ACOS then inserts the configured header when it forwards the HTTP request to the proxy server. If the response from the proxy server is good, then ACOS connects to the destination server. If the response from the proxy server is bad, then ACOS closes the connection.

Only GET and POST methods are forwarded by the SLB “external-service” template, so only these methods will forward the configured request-headers to the proxy servers.

A maximum of 16 HTTP headers can be forwarded. One HTTP header can be at most 1036 bytes, including the HTTP header name and HTTP header element. Anything longer than that will be truncated at 1036 bytes.

This is not enabled by default.

[no] service-group group-name – Binds the service group that contains the external-service servers to this template. Specify the service group that contains the external-service servers (for example, ICAP-based Traffic Steering servers or URL-filtering servers). Do not specify the service group containing the content servers (HTTP servers).

If configuring for ICAP-based Traffic Steering, specify the group of servers here, but not the controller. Specify the controller using the bypass-ip command (described above).

[no] template template-type template-name – Applies a template to the external-service template. Specify one or both of the following:
• persist source-ip template-name – Applies a source-IP persistence template to the external-service template.
• tcp-proxy template-name – Applies a custom TCP-proxy template to use for managing the TCP connections with the servers.

[no] timeout num action [continue | drop | reset] – Sets the maximum number of seconds ACOS waits for a response from the server. If the server does not reply before the timeout expires, ACOS takes the configured action, which can be one of the following:
• continue – Allows the client’s request to go to the content server.
• drop – ACOS silently drops the connection and does not send a reset to the client.
• reset – ACOS sends a connection reset to the client.

The default is 1000ms, continue.

[no] type [icap-traffic-steering | url-filter] – Specifies the traffic type to redirect:
• icap-traffic-steering – Steers Internet Content Adaptation Protocol (ICAP) traffic to external controllers.
• url-filter – Steers HTTP requests from clients to external URL-filtering servers.

The default is url-filter.

Default The configuration does not have a default External Service template. If
you configure one, the template has the default values described in the
table above.

Mode Configuration mode


slb template fix


Description Configure a template for Financial Information Exchange (FIX) load bal-
ancing.

Syntax [no] slb template fix template-name

Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB FIX Template Configuration mode where the following commands are available.

Command Description

[no] insert-client-ip – Inserts an AVP with the original client IP address to the tag 11447. For example, if the client IP address is 40.40.40.20, this option will modify the tag to “11447=40.40.40.20” when the server receives this client’s PUSH data.

[no] tag-switching [sender-comp-id | target-comp-id] equals string service-group name – Inspects the FIX message header for a SenderCompID or TargetCompID tag value and uses a specific service group if the tag matches the Equals keyword. The ACOS device can inspect FIX messages and perform service group switching with one of the following options:
• sender-comp-id – Selects a service group for FIX requests based on the value of the SenderCompID tag. This tag identifies the financial institution that is sending the request.
• target-comp-id – Selects a service group for FIX requests based on the value of the TargetCompID tag. This tag identifies the financial institution to which the request is being sent.

If you select the Sender Comp ID or Target Comp ID radio button, the following options are displayed:
• equals string – Specifies a keyword which ACOS matches against the TargetCompID or SenderCompID tag of a FIX message header.

NOTE: The keyword is case sensitive and must match exactly with the SenderCompID tag or TargetCompID tag. For example, “ABC” is different from “Abc”.

• service-group name – Selects the service-group to use for a client request when the SenderCompID or TargetCompID tag in the FIX message header of the request matches the specified keyword.

Default The configuration does not have a default FIX template.

Mode Configuration mode
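A worked illustration of the two FIX template commands, added here as an example that is not ACOS code: it parses a FIX message into tag/value pairs, applies tag-switching rules against SenderCompID (tag 49) and TargetCompID (tag 56) with the exact, case-sensitive comparison the note above describes, and implements insert-client-ip by adding tag 11447 and recomputing BodyLength (tag 9) and CheckSum (tag 10) so the receiving server still accepts the message. Tag numbers 49 and 56 are the standard FIX assignments; the sample message, the first-match rule ordering and the placement of the inserted tag at the end of the body are assumptions of the example.

```python
SOH = "\x01"                                    # FIX field delimiter
SENDER_COMP_ID, TARGET_COMP_ID = "49", "56"     # standard FIX tag numbers
CLIENT_IP_TAG = "11447"                         # tag used by insert-client-ip (from the text)
_TAG_FOR_OPTION = {"sender-comp-id": SENDER_COMP_ID, "target-comp-id": TARGET_COMP_ID}


def parse_fix(msg: str):
    """Split a raw FIX message into ordered (tag, value) pairs."""
    pairs = []
    for field in msg.split(SOH):
        if field:
            tag, _, value = field.partition("=")
            pairs.append((tag, value))
    return pairs


def get_tag(pairs, tag):
    """First value for `tag`, or None when the message does not carry it."""
    return next((v for t, v in pairs if t == tag), None)


def build_fix(body_pairs, begin_string="FIX.4.2") -> str:
    """Assemble BeginString (8), BodyLength (9), the body and CheckSum (10)."""
    body = "".join(f"{t}={v}{SOH}" for t, v in body_pairs)
    head = f"8={begin_string}{SOH}9={len(body.encode())}{SOH}"
    checksum = sum((head + body).encode()) % 256   # sum of every byte before "10="
    return f"{head}{body}10={checksum:03d}{SOH}"


def checksum_ok(msg: str) -> bool:
    """Verify tag 10 against the byte sum up to and including the SOH before it."""
    idx = msg.rfind(f"{SOH}10=")
    if idx < 0:
        return False
    expected = sum(msg[: idx + 1].encode()) % 256
    return msg[idx + 1:].rstrip(SOH) == f"10={expected:03d}"


def select_service_group(msg, rules, vport_service_group):
    """tag-switching: rules are (option, equals-string, service-group) tuples.

    The comparison is exact and case-sensitive, as the note states; the first
    matching rule wins (ordering is an assumption). With no match the service
    group configured on the virtual port is used.
    """
    pairs = parse_fix(msg)
    for option, keyword, group in rules:
        if get_tag(pairs, _TAG_FOR_OPTION[option]) == keyword:
            return group
    return vport_service_group


def insert_client_ip(msg, client_ip):
    """insert-client-ip: add 11447=<client ip> and fix BodyLength and CheckSum.

    Assumption: the new field is appended at the end of the body. A message
    whose checksum does not verify is rejected rather than rewritten.
    """
    if not checksum_ok(msg):
        raise ValueError("refusing to modify a FIX message with a bad checksum")
    pairs = parse_fix(msg)
    body = [(t, v) for t, v in pairs if t not in ("8", "9", "10")]
    body.append((CLIENT_IP_TAG, client_ip))
    return build_fix(body, begin_string=get_tag(pairs, "8"))


if __name__ == "__main__":
    # Constructed NewOrderSingle (35=D) from ABC to XYZ.
    sample = build_fix([("35", "D"), ("49", "ABC"), ("56", "XYZ"), ("34", "1"), ("11", "ORD1")])
    rules = [("sender-comp-id", "ABC", "sg-abc"), ("target-comp-id", "XYZ", "sg-xyz")]
    print(select_service_group(sample, rules, "sg-default"))
    print(insert_client_ip(sample, "40.40.40.20").replace(SOH, "|"))
```

Recomputing tag 9 and tag 10 after the insertion is the part that matters operationally: a FIX engine that validates the trailer will drop a message whose body grew without its length and checksum being updated, so any in-path header insertion has to be reflected in both.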

slb template ftp


Description Configure a template for FTP load balancing.

Syntax [no] slb template ftp template-name

Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB FTP Template Configuration mode where the following commands are available.
[no] active-mode-port

If you plan to use a non-standard FTP port number, use this option to
specify the port number, 1-65535.

Default The configuration does not have a default FTP template.

Mode Configuration mode

slb template http


Description Configure HTTP modifications to server replies to clients and configure
load balancing based on HTTP information.

Syntax [no] slb template http template-name

Replace template-name with the name of the template, up to 31 characters.
This command enters the SLB HTTP Template Configuration mode where the following commands are available.

Command Description

[no] 100-cont-wait-for-req-complete – When the server receives an HTTP POST request with an Expect: 100-continue header, it considers all subsequent inbound packets as belonging to the request until it receives the expected number of packets for the request.

[no] compression option – Offloads Web servers from CPU-intensive HTTP compression operations. Options for this command are:
• auto-disable-on-high-cpu percent – Configures an automatic disable of HTTP compression based on CPU utilization. The percent option specifies the threshold. You can specify 1-100.
• content-type content-string – Specifies the type of content to compress, based on a string in the Content-Type header of the HTTP response. The content-string can be 1-31 characters long. The “text” and “application” types are included by default.
• enable – Enables compression.
• exclude-content-type content-string – Excludes the specified content type from being compressed. The content-string can be 1-31 characters long.
• exclude-uri uri-string – Excludes an individual URI from being compressed. The URI string can be 1-31 characters. An HTTP template can exclude up to 10 URI strings.
• keep-accept-encoding enable – Configures the ACOS device to leave the Accept-Encoding header in HTTP requests from clients instead of removing the header. When keep-accept-encoding is enabled, compression is performed by the real server instead of the ACOS device, if the server is configured to perform the compression. The ACOS device compresses the content that the real server does not compress. This option is disabled by default, which means the ACOS device performs all the compression.
• level number – Specifies the compression level. You can use compression level 1-9. Each level provides a higher compression ratio, beginning with level 1, which provides the lowest compression ratio. A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected. Compression is supported for HTTP, HTTPS and HTTP/2 virtual ports. Compression is not supported for fast-HTTP virtual ports. The default level is 1.
• minimum-content-length bytes – Specifies the minimum length (in bytes) a server response can be in order to be compressed. The length applies to the content (payload) only and does not include the headers. You can specify 0-2147483647 bytes. The default is 120 bytes.

[no] cookie-format rfc6265 – Configures the HTTP cookie parser to support RFC 6265. By default, the HTTP cookie parser is compliant only with RFC 2109 and RFC 2965.

[no] failover-url url-string – Specifies the fallback URL to send in an HTTP 302 response when all real servers are down.

[no] host-switching {starts-with | contains | regex-match | ends-with} host-string service-group service-group-name – Selects a service group based on the value in the Host field of the HTTP header. The selection overrides the service group configured on the virtual port. For host-string, you can specify an IP address or a hostname. If the host-string does not match, the service group configured on the virtual port is used.
• starts-with host-string – matches only if the hostname or IP address starts with host-string.
• contains host-string – matches if the host-string appears anywhere within the hostname or host IP address.
• regex-match host-string – matches if the host-string matches the hostname or host IP address.
• ends-with host-string – matches only if the hostname or IP address ends with host-string.
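Host-switching selection, written out as an added Python example that is not ACOS code: the Host value is normalised (an optional port suffix is removed and the name is case-folded, which is an assumption about ACOS behaviour, not something the table states), and the four match types are evaluated in rule order with the first hit winning; the rule table and hostnames are constructed. The example also shows why regex-match deserves care: an unanchored pattern matches anywhere in the hostname, so a rule meant for one exact host should anchor with ^ and $.

```python
import re

# Constructed host-switching table: (match-type, host-string, service-group).
# Rules are evaluated in order; the first match wins (ordering is an assumption).
HOST_SWITCHING_RULES = [
    ("starts-with", "api.", "sg-api"),
    ("ends-with", ".example.test", "sg-web"),
    ("contains", "10.1.", "sg-internal"),
    ("regex-match", r"^[a-z]+-[0-9]+\.cdn\.test$", "sg-cdn"),
]


def normalise_host(host_header: str) -> str:
    """Strip an optional :port and case-fold the Host value before matching.

    Assumption: ACOS compares the host name without the port; hostnames are
    case-insensitive by DNS rules, so folding cannot lose a legitimate match.
    """
    host = host_header.strip()
    if host.startswith("["):                      # IPv6 literal, e.g. [2001:db8::1]:443
        return host.split("]", 1)[0].lstrip("[").lower()
    if host.count(":") == 1:                      # hostname:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.lower()


def host_matches(match_type: str, host_string: str, host: str) -> bool:
    """Apply one of the four documented match types to an already-normalised host."""
    needle = host_string.lower()
    if match_type == "starts-with":
        return host.startswith(needle)
    if match_type == "ends-with":
        return host.endswith(needle)
    if match_type == "contains":
        return needle in host
    if match_type == "regex-match":
        # re.search, not re.fullmatch: an unanchored pattern matches a substring.
        return re.search(host_string, host, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type: {match_type}")


def select_service_group(host_header: str, rules, vport_service_group: str) -> str:
    """Return the service group selected by host-switching, or the vport's own group."""
    host = normalise_host(host_header)
    for match_type, host_string, group in rules:
        if host_matches(match_type, host_string, host):
            return group
    return vport_service_group


def is_anchored(pattern: str) -> bool:
    """Lint helper: flag regex-match host-strings that can match a substring."""
    return pattern.startswith("^") and pattern.endswith("$")


if __name__ == "__main__":
    for h in ("api.example.test", "www.example.test:8080", "10.1.2.3", "edge-12.cdn.test", "other.test"):
        print(h, "->", select_service_group(h, HOST_SWITCHING_RULES, "sg-default"))
```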

[no] insert-client-ip [http-header-name] [replace] – Inserts the client’s source IP address into HTTP headers. If you specify an HTTP header name, the source address is inserted only into headers with that name.

The replace option replaces any client addresses that are already in the header. Without this option, the client IP address is appended to the list of client IP addresses already in the header. For example, if the header already contains “X-Forwarded-For:1.1.1.1” and the current client’s IP address is 2.2.2.2, the replace option changes the field:value pair to “X-Forwarded-For:2.2.2.2”. Without the replace option, the field:value pair becomes “X-Forwarded-For:1.1.1.1, 2.2.2.2”.

[no] insert-client-port [http-header-name] [replace] – Inserts the source protocol port of the client’s request into the HTTP header. If no header name is specified, the X-ClientPort header is used.

The replace option allows you to replace the content of an existing header that matches the configured name with the client’s port number. If the replace option is not specified, and there is a header that matches the configured name, the client’s port number is added to the end of the specified header.

[no] keep-client-alive – Keeps the session between ACOS and the client up even after the part of the session between ACOS and the backend server is terminated.

[no] log-retry – Logs HTTP retries. An HTTP retry occurs when the ACOS device resends a client’s HTTP request to a server because the server did not reply to the first request. (HTTP retries are enabled using the retry-on-5xx or retry-on-5xx-per-req command in the HTTP template.)

[no] non-http-bypass service-group group-name – Redirects non-HTTP traffic to a specific service group. By default, the ACOS device will drop non-HTTP requests that are sent to an HTTP port.

[no] redirect [location location | secure | [secure] port portnum] [response-code {301 | 302 | 303 | 307}] – Automatically sends a redirect response to HTTP client requests. You can optionally specify the following:
• location location – A static location string to which the client will be redirected.
• port portnum – TCP port number to use for the redirect.
• response-code – The response code to apply. 302 Found is used by default. The following response codes can be configured:
  o 301 (Moved Permanently)
  o 302 (Found)
  o 303 (See Other)
  o 307 (Temporary Redirect)
• secure – The client will be redirected using HTTPS.

[no] redirect-rewrite match url-string rewrite-to url-string – Modifies redirects sent by servers by rewriting the matching URL string to the specified value before sending the redirects to clients.


[no] redirect-rewrite secure [port tcp-portnum]
    Changes HTTP redirects sent by servers into HTTPS redirects before sending the redirects to clients.
    To redirect clients to the default HTTPS port (443), enter the following command:
        redirect-rewrite secure
    To redirect clients to an HTTPS port other than the default, enter the following command instead:
        redirect-rewrite secure port port-num

[no] req-hdr-wait-time seconds
    Sets a request header wait time to prevent Slowloris attacks. All portions of a client’s request header must be received within the specified amount of time. Otherwise, ACOS terminates the connection. You can specify 1-31 seconds. The default is 7.
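The Slowloris check that req-hdr-wait-time describes, as an added example in Python (not ACOS code and not part of this reference): it replays timestamped chunks of one client connection and closes the connection when the header block has not completed inside the window. The chunk timings are constructed, and starting the clock at the first byte is an assumption; the page only states that the whole header must arrive within the configured number of seconds.

```python
"""Model of the req-hdr-wait-time check.

Added example, not ACOS code. The chunk timestamps are constructed, and
starting the timer at the first byte of the request is an assumption.
"""
from typing import Iterable, Tuple

HEADER_END = b"\r\n\r\n"
DEFAULT_WAIT = 7          # ACOS default in seconds; configurable 1-31
MAX_HEADER = 16 * 1024    # assumed cap so an endless header cannot grow unbounded


def gate_request_header(chunks: Iterable[Tuple[float, bytes]],
                        wait_seconds: int = DEFAULT_WAIT,
                        max_header: int = MAX_HEADER):
    """Replay (arrival_time, data) chunks of one client connection.

    Returns ("complete", header_bytes, elapsed) once the blank line that ends
    the header block has arrived inside the window, or
    ("terminated", reason, seconds) when the window or size limit wins.
    """
    if not 1 <= wait_seconds <= 31:
        raise ValueError("req-hdr-wait-time must be 1-31 seconds")
    buf = b""
    start = None
    for t, data in chunks:
        if start is None:
            start = t
        elapsed = t - start
        if elapsed > wait_seconds:
            # The timer fired before this chunk arrived: the connection was
            # already closed at wait_seconds, the late bytes are never read.
            return ("terminated", "header-wait-timeout", wait_seconds)
        buf += data
        if len(buf) > max_header:
            return ("terminated", "header-too-large", elapsed)
        end = buf.find(HEADER_END)
        if end != -1:
            return ("complete", buf[: end + len(HEADER_END)], elapsed)
    # Client went quiet without finishing the header: the timer expires.
    return ("terminated", "header-incomplete", wait_seconds)


# Constructed traffic: a normal client finishes its headers in 0.2 s.
NORMAL_CLIENT = [
    (0.00, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    (0.20, b"User-Agent: curl/8.0\r\n\r\n"),
]

# Constructed Slowloris-style client: one partial header line every 5 s,
# never sending the terminating blank line.
SLOW_CLIENT = [
    (0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    (5.0, b"X-a: 1\r\n"),
    (10.0, b"X-b: 2\r\n"),
    (15.0, b"X-c: 3\r\n"),
]


def demo():
    """Both constructed clients through the default 7-second window."""
    return gate_request_header(NORMAL_CLIENT), gate_request_header(SLOW_CLIENT)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the 7-second default the slow client is cut off at 7 s even though its next header line would only arrive at 10 s; that is the point of the timer, the connection slot is freed before the drip-feed can hold it. Raising the wait to 31 s only changes the reason: the header still never completes.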

[no] request-header-erase field
    Erases the specified header (field) from HTTP requests.


[no] request-header-insert field:value [insert-always | insert-if-not-exist]
    Inserts the specified header into HTTP requests. The field:value pair indicates the header field name and the value to insert.
    • If you use the insert-always option, the command always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
    • If you use the insert-if-not-exist option, the command inserts the header only if the request does not already contain a header with the same field name.
    Without either option, if a request already contains one or more headers with the specified field name, the command replaces the last header.

[no] request-line-case-insensitive
    Parses HTTP request lines with no case sensitivity.


[no] request-timeout seconds
    Sets a timeout, in seconds, that applies when there is no response from the server to a request. The range is 1 to 120 seconds.
    This option is supported only on virtual port types HTTP and HTTPS. It is not supported on fast-HTTP or other virtual port types.

[no] response-content-replace original-content new-content
    Replaces data in the HTTP response from the server. The original-content specifies the content to look for in server responses. The new-content specifies the content to use to replace the original content. For each value, you can specify a string of 1-127 characters. If a string contains blank spaces, use double quotation marks around the string.
    NOTE: A maximum of 8 content-replacement rules are supported in a given HTTP template.

[no] response-header-erase field
    Erases the specified header (field) from HTTP responses.


[no] response-header-insert field:value [insert-always | insert-if-not-exist]
    Inserts the specified header into HTTP responses. The field:value pair indicates the header field name and the value to insert.
    • If you use the insert-always option, the command always inserts the field:value pair. If the response already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
    • If you use the insert-if-not-exist option, the command inserts the header only if the response does not already contain a header with the same field name.
    Without either option, if a response already contains one or more headers with the specified field name, the command replaces the first header.
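The three insertion modes above, and the difference between replacing the last header (requests) or the first header (responses), as an added example in Python that is not ACOS code. It also models insert-client-ip with and without replace, because that choice decides whether a backend reading X-Forwarded-For sees a value the client chose. The append-without-replace behaviour is assumed to mirror the insert-client-port description on this page; the addresses and header lists are constructed.

```python
"""Header insertion and insert-client-ip semantics.

Added example, not ACOS code. Headers are an ordered list of (field, value)
pairs. Appending the client address to an existing header when "replace" is
absent is assumed to mirror the insert-client-port description; the
addresses below are constructed.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


def _indexes(headers: Headers, field: str) -> List[int]:
    """Positions of every header whose name matches field (case-insensitive)."""
    return [i for i, (f, _) in enumerate(headers) if f.lower() == field.lower()]


def header_insert(headers: Headers, field: str, value: str,
                  mode: Optional[str] = None, direction: str = "request") -> Headers:
    """request-header-insert / response-header-insert.

    mode None               : replace an existing header (the last one for
                              requests, the first one for responses), else append
    mode insert-always      : always add, right after the existing pair
    mode insert-if-not-exist: add only when no header of that name exists
    """
    out = list(headers)
    hits = _indexes(out, field)
    if mode == "insert-always":
        pos = hits[-1] + 1 if hits else len(out)
        out.insert(pos, (field, value))
    elif mode == "insert-if-not-exist":
        if not hits:
            out.append((field, value))
    elif mode is None:
        if hits:
            target = hits[-1] if direction == "request" else hits[0]
            out[target] = (field, value)
        else:
            out.append((field, value))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return out


def insert_client_ip(headers: Headers, client_ip: str,
                     field: str = "X-Forwarded-For", replace: bool = False) -> Headers:
    """insert-client-ip [header-name] [replace].

    Without replace the peer address is appended to an existing header of
    that name; with replace every value the client sent is discarded.
    """
    out = list(headers)
    hits = _indexes(out, field)
    if not hits:
        out.append((field, client_ip))
    elif replace:
        out = [h for h in out if h[0].lower() != field.lower()] + [(field, client_ip)]
    else:
        f, v = out[hits[-1]]
        out[hits[-1]] = (f, f"{v}, {client_ip}")
    return out


def first_hop(headers: Headers, field: str = "X-Forwarded-For") -> str:
    """What a naive backend does: trust the first address in the list."""
    for f, v in headers:
        if f.lower() == field.lower():
            return v.split(",")[0].strip()
    return ""


# Constructed request from peer 203.0.113.5 carrying a forged XFF value.
SPOOFED: Headers = [("Host", "www.example.com"), ("X-Forwarded-For", "10.0.0.1")]


def demo() -> Tuple[str, str]:
    """Client address a first-hop backend sees without and with replace."""
    appended = insert_client_ip(SPOOFED, "203.0.113.5")
    replaced = insert_client_ip(SPOOFED, "203.0.113.5", replace=True)
    return first_hop(appended), first_hop(replaced)


if __name__ == "__main__":
    print(demo())
```

demo() shows the security point: without replace the forged 10.0.0.1 stays first in X-Forwarded-For, so a backend that trusts the first hop logs, allow-lists or rate-limits the wrong address; with replace the peer address 203.0.113.5 is the only value left. Use replace whenever ACOS is the first trusted proxy in front of the server.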


[no] retry-on-5xx num
    Configures the ACOS device to retry sending a client’s request to a service port that replies with an HTTP 5xx status code, and to reassign the request to another server if the first server replies with a 5xx status code. The retry number specifies the number of times the ACOS device is allowed to reassign the request.
    For example, assume that a service group has three members (s1, s2, and s3), and the retry is set to 1. In this case, if s1 replies with a 5xx status code, the ACOS device reassigns the request to s2. If s2 also responds with a 5xx status code, the ACOS device will not reassign the request to s3, because the maximum number of retries has already been used.
    If you use this command, the ACOS device stops sending client requests to a service port for 30 seconds following reassignment. If you want the service port to remain eligible for client requests, use the retry-on-5xx-per-req command instead. An HTTP template can contain one or the other of these commands, but not both.
    NOTE: The 5xx options are supported for virtual port types HTTP, HTTPS and HTTP/2. They are not supported for fast-HTTP or any other virtual port type.


[no] retry-on-5xx-per-req num
    This command provides the same function as the retry-on-5xx command (described above). However, the retry-on-5xx-per-req command does not briefly stop using a service port following reassignment. An HTTP template can contain one or the other of these commands, but not both.

[no] strict-transaction-switch
    Forces the ACOS device to perform the server selection process anew for every HTTP request. Without this option, the ACOS device reselects the same server for subsequent requests (assuming the same service group is used), unless overridden by other template options.

[no] template logging template-name
    Specifies a logging template to use for external logging of HTTP events over TCP.

[no] term-11client-hdr-conn-close
    Enables the ACOS device to terminate HTTP 1.1 client connections when the “Connection: close” header exists in the HTTP request. This option is applicable to connection-reuse deployments that have HTTP 1.1 clients that are not compliant with the HTTP 1.1 standard. Without this option, sessions for non-compliant HTTP 1.1 clients are not terminated.


[no] url-hash-persist [offset offset-bytes] {first | last} bytes [use-server-status]
    Enables server stickiness based on hash values. If this feature is configured, for each URL request, the ACOS device calculates a hash value based on part of the URL string. The ACOS device then selects a real server based on the hash value. A given hash value always results in selection of the same real server. Thus, requests for a given URL always go to the same real server.
    The offset option specifies how far into the string to begin hash calculation.
    The first and last options specify which end of the URL string to use to calculate the hash value.
    The bytes option specifies how many bytes to use to calculate the hash value.
    Optionally, you can use URL hashing with either URL switching or host switching. Without URL switching or host switching configured, URL hash switching uses the hash value to choose a server within the default service group (the one bound to the virtual port). If URL switching or host switching is configured, for each HTTP request, the ACOS device first selects a service group based on the URL or host switching values, then calculates the hash value and uses it to choose a server within the selected service group.
    The use-server-status option enables server load awareness, which allows servers to act as backups to other servers, based on server load.
    NOTE: This feature requires some custom configuration on the server. For information, see the “URL Hash Switching” section in the “HTTP Options for SLB” chapter of the Application Delivery Controller Guide.


[no] url-switching {starts-with | contains | ends-with | regex-match | url-case-insensitive | url-hits-enable} url-string service-group service-group-name
    Selects a service group based on the URL string requested by the client. The selection overrides the service group configured on the virtual port.
    • starts-with – matches only if the URL starts with url-string.
    • contains – matches if url-string appears anywhere within the URL.
    • ends-with – matches only if the URL ends with url-string.
    • regex-match – matches if the URL matches url-string.
    • url-case-insensitive – enable case-insensitive matching for URL switching rules.
    • url-hits-enable – enable URL hits.
    Each URL matching pattern can be up to 64 bytes long.
    NOTE: You can use URL switching or Host switching in an HTTP template, but not both. However, if you need to use both types of switching, you can do so with an aFleX script.

NOTE: For a list of media type strings, see the Internet Assigned Numbers Authority Web site: http://www.iana.org/assignments/media-types.

NOTE: The order in which content-type, exclude-content-type, and exclude-uri filters appear in the configuration does not matter.



Default The configuration has a default HTTP template. In the template, most options are disabled or not set.
Compression is disabled by default. When you enable it, it has the default settings described in the table above.
To display the default HTTP template settings, use the show slb template http default command.

Mode Configuration mode

Usage The normal form of this command creates an HTTP configuration template. The no form of this command removes the template.
You can bind only one HTTP template to a virtual port. However, you can bind the same HTTP template to multiple ports.
Header insertion is not supported on fast-HTTP virtual ports.
When the keep-client-alive option is enabled, the way ACOS keeps the session with the client up depends on the way the server session is terminated:
• Normal TCP/IP connection termination by a TCP RST or FIN – ACOS does not forward the RST or FIN to the client, and instead leaves the client session open. (Technically, the session is left in the client-request state, wherein ACOS awaits the client’s next request.)
• “Connection: Close” header option in the response – ACOS removes this header from the server reply before forwarding the reply to the client.
• Client is using HTTP 1.0, and did not use the “Connection: Keep-Alive” header option – ACOS inserts this header into the server reply before forwarding the reply to the client.
Starts-with, Contains, and Ends-with Rule Matching
The starts-with, contains, and ends-with options are always applied in the following order, regardless of the order in which the commands appear in the configuration. The service group for the first match is used.
• starts-with
• contains
• ends-with
If a template has more than one command with the same option (starts-with, contains, or ends-with) and a host name or URL matches on more than one of them, the most-specific match is always used. For example, if a template has the following commands, host "ddeeff" will always be directed to service group http-sgf:
slb template http http-host
host-switching starts-with d service-group http-sgd
host-switching starts-with dd service-group http-sge
host-switching starts-with dde service-group http-sgf

If a contains rule and an ends-with rule match on exactly the same string, the ends-with rule is used, because it has the more specific match.
If you use the starts-with option with URL switching, use a slash in front of the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1

Redirect-Rewrite Rule Matching
If a URL matches on more than one redirect-rewrite rule within the same HTTP template, the ACOS device selects the rule that has the most specific match to the URL. For example, if a server sends redirect URL 66.1.1.222/000.html, and the HTTP template has the redirect-rewrite rules shown below, the ACOS device will use the last rule because it is the most specific match to the URL:
slb template http 1
redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
redirect-rewrite match /000.html rewrite-to /001.gif
redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/003.bmp
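The three selection rules spelled out in this Usage text (switching-rule order with most-specific match, redirect-rewrite most-specific match, and the url-hash-persist server choice inside the selected service group), as one added example in Python that is not ACOS code. CRC32 is a stand-in because the page does not say which hash ACOS uses; the service groups, servers and the url-switching rule set are constructed, while the host-switching and redirect-rewrite rule sets are the ones quoted above.

```python
"""Service-group and server selection rules from the HTTP template Usage text.

Added example, not ACOS code. CRC32 stands in for the undocumented ACOS URL
hash; the service groups, servers, default group and url-switching rules are
constructed.
"""
import zlib
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (option, pattern, service-group)

TESTS = {
    "starts-with": lambda s, p: s.startswith(p),
    "contains": lambda s, p: p in s,
    "ends-with": lambda s, p: s.endswith(p),
}


def select_service_group(subject: str, rules: List[Rule]) -> Optional[str]:
    """host-switching / url-switching: starts-with rules are checked first, then
    contains, then ends-with, whatever the configuration order. Within one
    option the longest (most specific) matching pattern wins; a contains rule
    and an ends-with rule on the identical string resolve to the ends-with rule."""
    best: Dict[str, Tuple[int, str, str]] = {}
    for option, pattern, group in rules:
        if TESTS[option](subject, pattern):
            cand = (len(pattern), pattern, group)
            if option not in best or cand[0] > best[option][0]:
                best[option] = cand
    if "starts-with" in best:
        return best["starts-with"][2]
    if ("contains" in best and "ends-with" in best
            and best["contains"][1] == best["ends-with"][1]):
        return best["ends-with"][2]
    for option in ("contains", "ends-with"):
        if option in best:
            return best[option][2]
    return None


def redirect_rewrite(location: str, rules: List[Tuple[str, str]]) -> str:
    """redirect-rewrite match X rewrite-to Y: of all rules whose match string
    occurs in the server's Location value, the longest match string is applied."""
    hits = [(len(m), m, to) for m, to in rules if m in location]
    if not hits:
        return location
    _, match, to = max(hits)
    return location.replace(match, to, 1)


def url_hash_select(url: str, servers: List[str], end: str, nbytes: int,
                    offset: int = 0) -> str:
    """url-hash-persist [offset N] {first | last} bytes: hash nbytes of the URL,
    taken from the chosen end after skipping offset bytes, and map the value
    onto the server list so one URL always lands on one server."""
    data = url.encode()
    if end == "first":
        part = data[offset:offset + nbytes]
    else:
        stop = len(data) - offset
        part = data[max(0, stop - nbytes):stop]
    return servers[zlib.crc32(part) % len(servers)]


# Constructed deployment: URL switching picks the group, the hash picks the
# server inside it; sg3 is the group bound to the virtual port.
SWITCHING: List[Rule] = [("starts-with", "/news", "sg1"),
                         ("starts-with", "/sports", "sg2")]
DEFAULT_GROUP = "sg3"
GROUPS = {"sg1": ["news-a", "news-b"], "sg2": ["sports-a", "sports-b"],
          "sg3": ["web-a", "web-b"]}

# Rule sets quoted in the Usage text.
HOST_RULES: List[Rule] = [("starts-with", "d", "http-sgd"),
                          ("starts-with", "dd", "http-sge"),
                          ("starts-with", "dde", "http-sgf")]
REWRITE_RULES = [("/00", "http://66.1.1.202/a"),
                 ("/000.html", "/001.gif"),
                 ("66.1.1.222/000.html", "66.1.1.202/003.bmp")]


def pick_server(url: str) -> Tuple[str, str]:
    """Full path for one request: (service group, real server)."""
    group = select_service_group(url, SWITCHING) or DEFAULT_GROUP
    return group, url_hash_select(url, GROUPS[group], "last", 8)


if __name__ == "__main__":
    print(select_service_group("ddeeff", HOST_RULES))
    print(redirect_rewrite("66.1.1.222/000.html", REWRITE_RULES))
    for u in ("/news/2021/story.html", "/news/2022/story.html", "/about"):
        print(u, pick_server(u))
```

Two URLs whose last 8 bytes agree land on the same server regardless of the rest of the path, which is what url-hash-persist last 8 promises and also why the hashed slice should be chosen so that it actually varies across the URLs you want spread out.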

Example The following commands configure an HTTP template called “http-compression” that enables compression. The minimum length a packet must be for it to be compressed is set at 120 bytes.
ACOS(config)# slb template http http-compression
ACOS(config-http)# compression enable
ACOS(config-http)# compression minimum-content-length 120

Example The following commands configure an HTTP template called “http-header” that inserts the client IP address and a Cookie field into HTTP headers in requests from clients before sending the requests to servers:
ACOS(config)# slb template http http-header
ACOS(config-http)# insert-client-ip
ACOS(config-http)# header-insert Cookie:a = b


Example The following commands configure an HTTP template called “http-host” that selects a service group based on the contents of the Host field in the HTTP headers of client requests. Requests for hostnames that start with “Gossip” are directed to service group “http-sg1”. Requests for hostnames that contain “NewsDeskA” are directed to service group “http-sg2”. Requests for hostnames that end with “weather.com” are directed to service group “http-sg3”.
ACOS(config)# slb template http http-host
ACOS(config-http)# host-switching starts-with Gossip service-group http-sg1
ACOS(config-http)# host-switching contains NewsDeskA service-group http-sg2
ACOS(config-http)# host-switching ends-with weather.com service-group http-sg3

Example These commands configure an HTTP template to use URL hashing. Hash values are calculated based on the last 8 bytes of the URL. In this example, URL switching is also configured in the template. As a result, the ACOS device uses URL switching to select a service group first, then uses URL hashing to select a server within that service group. If the template did not also contain URL switching commands, this template would always select a server from service group sg3.
ACOS(config)# slb template http hash
ACOS(config-http)# url-hash-persist last 8
ACOS(config-http)# url-switching starts-with /news service-group sg1
ACOS(config-http)# url-switching starts-with /sports service-group sg2
ACOS(config-http)# exit
ACOS(config)# slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# service-group sg3
ACOS(config-slb vserver-vport)# template http hash

Example These commands configure an HTTP template called “http-compress”, that uses compression level 5 to compress files with media type “application” or “image”. Files with media type “application/zip” are explicitly excluded from compression.
ACOS(config)# slb template http http-compress
ACOS(config-http)# compression enable
ACOS(config-http)# compression level 5
ACOS(config-http)# compression content-type image
ACOS(config-http)# compression exclude-content-type application/zip


Example These commands configure an HTTP template that replaces the client IP addresses in the X-Forwarded-For field with the current client IP address:
ACOS(config)# slb template http clientip-replace
ACOS(config-http)# insert-client-ip X-Forwarded-For replace

Example These commands create an HTTP template called “abc” and configure it so that, upon receiving an HTTP request with an Expect: 100-continue header, ACOS assigns all subsequent packets to that request until it receives the expected number of packets:
ACOS(config)# slb template http abc
ACOS(config-http)# 100-cont-wait-for-req-complete

slb template http-policy

Description Configure an HTTP-policy template to override WAF template application for different types of client traffic.

Syntax [no] slb template http-policy template-name

Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB HTTP-Policy Template Configuration mode where the following commands are available.

[no] cookie-name cookie-name
    Matches the cookie-name first and then matches the cookie value.


[no] cookie match-option string {service-group group-name | template-waf template-name}
    Matches based on cookie values. Descriptions of the match-options are given below:
    • contains – Matches if the specified string appears anywhere within the cookie value.
    • ends-with – Matches only if the cookie value ends with the specified string.
    • equals – Matches only if the cookie value completely matches the specified string.
    • starts-with – Matches only if the cookie value starts with the specified string.

[no] geo-location string {service-group group-name [template waf template-name] | template waf template-name [service-group group-name]}
    Matches the traffic source based on its geo-location. This condition type is not supported for the multi-match-rule.


[no] header-name match-option string {service-group service-group-name | template-waf template-name}
    Matches based on the name of the header. Descriptions of the match-options are given below:
    • contains – Matches if the specified string appears anywhere within the header name.
    • ends-with – Matches only if the header name ends with the specified string.
    • equals – Matches only if the header name completely matches the specified string.
    • starts-with – Matches only if the header name starts with the specified string.

[no] header-value match-option string {service-group service-group-name | template-waf template-name}
    Matches based on the value of the header. Descriptions of the match-options are given below:
    • contains – Matches if the specified string appears anywhere within the header value.
    • ends-with – Matches only if the header value ends with the specified string.
    • equals – Matches only if the header value completely matches the specified string.
    • starts-with – Matches only if the header value starts with the specified string.


[no] host match-option string {service-group service-group-name | template-waf template-name}
    Matches based on host names. Descriptions of the match-options are given below:
    • contains – Matches if the specified string appears anywhere within the host name.
    • ends-with – Matches only if the host name ends with the specified string.
    • equals – Matches only if the host name completely matches the specified string.
    • starts-with – Matches only if the host name starts with the specified string.


multi-match-rule rule-name sequence-number
    parameter type pattern
    parameter type pattern
    ...
    {service-group service-group-name | template-waf template-name}
    Matches the rules based on multiple conditions. Descriptions of the parameters are given below:
    • rule-name: Specifies the name of the rule.
    • sequence-number: Specifies a unique number between 1-8192. The multi-match-rule objects are matched according to this sequence number. For example, if the incoming HTTP request satisfies two rules, the rule with the smaller sequence number is selected.
    • parameter: This can be specified as either host, url, query-param-name, query-param-value, header-name, header-value, cookie-name or cookie-value. The selection of the service group or WAF template is made based on the priority order; host has the highest priority and cookie-value has the least.
    • type: This can be specified as either contains, starts-with, equals or ends-with.
    • pattern: Specifies the pattern to be matched.
    NOTE:
    • The maximum number of rules supported is 64.
    • In the case of multi-match-rule objects, for each parameter value, there can only be one condition. For example, host contains a and host contains b cannot co-exist under the same template.
    • Single-match-rules and multi-match-rules are mutually exclusive; they cannot be used together.

[no] query-param-name match-option string {service-group service-group-name | template-waf template-name}
    Matches based on query name. Descriptions of the match-options are given below:
    • contains – Matches if the specified string appears anywhere within the query name.
    • ends-with – Matches only if the query name ends with the specified string.
    • equals – Matches only if the query name completely matches the specified string. query-param-name equals [no-name] is considered as a condition that matches a query with an empty name.
    • starts-with – Matches only if the query name starts with the specified string.


[no] query-param-value match-option string {service-group service-group-name | template-waf template-name}
    Matches based on query value. Descriptions of the match-options are given below:
    • contains – Matches if the specified string appears anywhere within the query value.
    • ends-with – Matches only if the query value ends with the specified string.
    • equals – Matches only if the query value completely matches the specified string. query-param-value equals [no-value] is considered as a condition that matches a query with an empty value.
    • starts-with – Matches only if the query value starts with the specified string.


[no] url match-option url-string template waf template-name
    Matches based on URL strings. Descriptions of the match-options are given below:
    • contains – Matches if the specified string appears anywhere within the URL.
    • ends-with – Matches only if the URL ends with the specified string.
    • equals – Matches only if the URL completely matches the specified string.
    • starts-with – Matches only if the URL starts with the specified string.
    NOTE: This condition type does not support query strings. For example, if you set the condition as url contains /index.html?name=abc, the request http://<domain>/index.html?name=abc will not match. However, if you set the condition as url contains /index.html, the request will match.

Usage These match options are always applied in the order shown above, regardless of the order in which the rules appear in the configuration. The WAF template associated with the rule that matches first is used.
If a template has more than one rule with the same match option (equals, starts-with, contains, or ends-with) and a URL matches on more than one of them, the most-specific match is always used.
A template can have a single-match rule or multi-match rules. The multi-match-rule is used when multiple rules need to be specified. The multi-match-rule objects are matched according to the given sequence number. For example, if the incoming HTTP request satisfies two rules, the rule with the smaller sequence number is selected. The WAF template associated with this rule is used.
The service group or WAF template selection for the single-match-rule and multi-match-rule is based on the following priority order: host, url, query-param-name, query-param-value, header-name, header-value, cookie-name, cookie-value and geo-location. The condition type geo-location is not supported for the multi-match-rule.

NOTE: Different rules specified under the single-match-rule use the OR relationship. However, multiple rules specified under the multi-match-rule use the AND relationship.

NOTE: A query-param-name and query-param-value condition match works only if the query string is included in the URL and not in the request body. Additionally, matching with these condition types does not decode URL encoding. Therefore, to match a space (" "), you need to specify "%20".
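Evaluation of http-policy conditions as described in this Usage text (OR between single-match rules resolved by the host-first priority order, AND inside a multi-match rule resolved by sequence number, url conditions seeing only the path, and query-parameter conditions seeing the raw, undecoded query string), as an added example in Python that is not ACOS code. The request, rule sets and WAF template names are constructed; resolving "most specific" as the longest pattern within one match option is an assumption.

```python
"""Evaluation order of http-policy single-match and multi-match rules.

Added example, not ACOS code. The request, rules and WAF template names are
constructed; breaking ties inside one match option by longest pattern is an
assumption about what "most specific" means.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Condition-type priority from the Usage text: host highest, geo-location lowest.
PRIORITY = ["host", "url", "query-param-name", "query-param-value",
            "header-name", "header-value", "cookie-name", "cookie-value",
            "geo-location"]

MATCH = {
    "contains": lambda v, p: p in v,
    "starts-with": lambda v, p: v.startswith(p),
    "ends-with": lambda v, p: v.endswith(p),
    "equals": lambda v, p: v == p,
}


def request_values(req: Dict) -> Dict[str, List[str]]:
    """Everything a condition can look at. The url condition sees the path only;
    the query string is split from the raw URL text without percent-decoding,
    so "%20" stays "%20"; an empty name or value becomes the literal
    "[no-name]" / "[no-value]" token that the equals option accepts."""
    parts = urlsplit(req["url"])
    vals: Dict[str, List[str]] = {k: [] for k in PRIORITY}
    vals["host"] = [req["host"]]
    vals["url"] = [parts.path]
    vals["geo-location"] = [req.get("geo", "")]
    for item in (parts.query.split("&") if parts.query else []):
        name, _, value = item.partition("=")
        vals["query-param-name"].append(name or "[no-name]")
        vals["query-param-value"].append(value or "[no-value]")
    for name, value in req.get("headers", []):
        vals["header-name"].append(name)
        vals["header-value"].append(value)
        if name.lower() == "cookie":
            for c in value.split(";"):
                cn, _, cv = c.strip().partition("=")
                vals["cookie-name"].append(cn)
                vals["cookie-value"].append(cv)
    return vals


def condition_holds(vals: Dict[str, List[str]], ctype: str, option: str, pattern: str) -> bool:
    return any(MATCH[option](v, pattern) for v in vals[ctype])


def single_match(req: Dict, rules: List[Tuple[str, str, str, str]]) -> Optional[str]:
    """rules: (ctype, option, pattern, action). OR relationship; the winner is
    the matching rule with the highest-priority condition type, then the
    longest pattern."""
    vals = request_values(req)
    hits = [r for r in rules if condition_holds(vals, r[0], r[1], r[2])]
    if not hits:
        return None
    return min(hits, key=lambda r: (PRIORITY.index(r[0]), -len(r[2])))[3]


def multi_match(req: Dict, rules: List[Tuple[str, int, list, str]]) -> Optional[str]:
    """rules: (name, sequence, [(ctype, option, pattern), ...], action). AND
    inside a rule; the lowest sequence number among fully satisfied rules wins."""
    vals = request_values(req)
    for name, seq, conds, action in sorted(rules, key=lambda r: r[1]):
        if any(c[0] == "geo-location" for c in conds):
            raise ValueError(f"{name}: geo-location is not supported in multi-match-rule")
        if all(condition_holds(vals, *c) for c in conds):
            return action
    return None


# Constructed request: an encoded space and a nameless query parameter.
REQ = {"host": "shop.example.com", "url": "/index.html?name=abc%20def&=x",
       "headers": [("Cookie", "_Secure-id=1; theme=dark"), ("X-Debug", "1")]}

SINGLE = [
    ("cookie-name", "contains", "_Sec", "waf-strict"),
    ("host", "ends-with", "example.com", "waf-default"),   # host outranks cookie-name
    ("url", "contains", "/index.html?name=abc", "waf-never"),  # query text is not in url
]
MULTI = [
    ("debug", 20, [("header-name", "equals", "X-Debug"), ("host", "starts-with", "shop")], "waf-debug"),
    ("space", 10, [("query-param-value", "contains", "abc def")], "waf-wrong-encoding"),
    ("enc", 15, [("query-param-value", "contains", "abc%20def"),
                 ("query-param-name", "equals", "[no-name]")], "waf-enc"),
]

if __name__ == "__main__":
    print(single_match(REQ, SINGLE), multi_match(REQ, MULTI))
```

The constructed rule sets are chosen to show the two traps the notes warn about: the rule written with a literal space (sequence 10) never fires because the value is still "abc%20def" when it is compared, and a url rule that includes "?name=abc" never fires because the condition only sees the path. Write WAF-bypass-sensitive conditions against the encoded form, or they silently match nothing.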

Example The following example demonstrates single-match-rule usage:
ACOS(config)# slb template http-policy http-policy4.2.6
ACOS(config-http-policy)# header-name contains A template waf http-policy-waf-A

Example The following example demonstrates multi-match-rule usage:
ACOS(config)# slb template http-policy http-policy4.2.6
ACOS(config-http-policy)# multi-match-rule A 1024
ACOS(config-http-policy-multi-match-rule)# host contains A1
ACOS(config-http-policy-multi-match-rule)# url contains exdomain
ACOS(config-http-policy-multi-match-rule)# cookie-name contains _Sec
ACOS(config-http-policy-multi-match-rule)# template-waf http-policy-waf-A

Example The following example demonstrates query-param-name condition type usage:
ACOS(config)# slb template http-policy http-policy4.2.6
ACOS(config-http-policy)# query-param-name contains fname template waf http-policy-waf-A
ACOS(config-http-policy)# query-param-name equals [no-name] template waf http-policy-waf-B

Example The following example demonstrates query-param-value condition type usage:
ACOS(config)# slb template http-policy http-policy4.2.6
ACOS(config-http-policy)# query-param-value ends-with fname service-group http-policy-sg-A
ACOS(config-http-policy)# query-param-value equals [no-value] service-group http-policy-sg-B


For more information, see the Web Application Firewall Guide.

slb template link-cost


Description Configure the link-cost template.

Syntax [no] slb template link-cost template-name

Replace template-name with the name of the template, up to 31


characters long.
This command enters the SLB link-cost Template Configuration mode
where the following commands are available:

bandwidth-interval interval
    Specify the interval for bandwidth accounting. The interval can be from 1 to 60 seconds. The default is 5 seconds.

overage-bandwidth-cost number
    Specify the overage bandwidth cost per interval. The value can be from 0 to 4294967295. The default is 0.

prepaid-bandwidth number
    Specify the prepaid bandwidth per interval. The value can be from 0 to 4294967295. The default is 0.


sampling-enable {all | link_total_fwd_bytes | interval_fwd_bytes | link_total_conn | interval_avg_throughput | interval_max_throughput}
    Enable sampling to display the statistics. The following parameters can be selected:
    • all: Display all the parameters (mentioned below)
    • link_total_fwd_bytes: Total number of bytes forwarded for a link
    • interval_fwd_bytes: Total number of bytes transferred in the forward direction per interval
    • link_total_conn: Total link cost for the connection
    • interval_avg_throughput: Average throughput per interval
    • interval_max_throughput: Maximum throughput per interval

Default The configuration has a default link-cost template.

Mode Configuration mode

Usage This template can be configured under an slb server object.

NOTE: The average throughput and maximum throughput are calculated based on the interval set during configuration and may not match ISP calculations. Additionally, the cost estimated based on the interval provided may not reflect the cost as calculated by the ISP.

Example The following example configures a link-cost template:
ACOS(config)# slb template link-cost ln1
ACOS(config-rserver)# bandwidth-interval 10
ACOS(config-rserver)# prepaid-bandwidth 10
ACOS(config-rserver)# overage-bandwidth 5


slb template imap-pop3

Description Configure an IMAP/POP3 template.

Syntax [no] slb template imap-pop3 template-name

Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB IMAP/POP3 Template Configuration mode where the following commands are available:

logindisabled
    When used, the server will expect the login to be in an encrypted format.
    This option is only valid for IMAP configuration.

starttls {disabled | optional | enforced}
    Configure whether or not STARTTLS is used.
    • disabled – the ACOS device will not support STARTTLS.
    • optional – the ACOS device will not expect STARTTLS and can function without using SSL.
    • enforced – for IMAP, only the CAPABILITY command can precede STARTTLS; all other commands are rejected. For POP3, no commands are allowed before STARTTLS; all commands are rejected.

Default The configuration does not have a default IMAP/POP3 template.

Mode Configuration mode


Example The following example configures an IMAP template with STARTTLS enforced, then applies the template to a virtual port:
ACOS(config)# slb template imap-pop3 imap-temp
ACOS(config-imap-pop3)# logindisabled
ACOS(config-imap-pop3)# starttls enforced
ACOS(config-imap-pop3)# exit
ACOS(config)# slb virtual-server imap-vserver
ACOS(config-slb vserver)# port 143 imap
ACOS(config-slb vserver-vport)# template imap-pop3 imap-temp
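The starttls enforced gate described above, as an added example in Python that is not ACOS code: constructed client dialogues are replayed through the rule that an IMAP client may send only CAPABILITY before STARTTLS and a POP3 client nothing before its TLS upgrade, with the other two modes for comparison. POP3's upgrade verb is STLS (RFC 2595) and the IMAP tag syntax follows RFC 3501; both come from the RFCs, not from this page.

```python
"""Command gate for the starttls {disabled | optional | enforced} setting.

Added example, not ACOS code. Client dialogues are constructed. POP3 starts
TLS with STLS (RFC 2595); IMAP lines carry a client tag first (RFC 3501).
"""
from typing import List, Tuple

UPGRADE = {"imap": "STARTTLS", "pop3": "STLS"}
# Commands allowed on the cleartext leg under "enforced": IMAP may query
# capabilities (and upgrade); POP3 may only upgrade.
ALLOWED_BEFORE_TLS = {"imap": {"CAPABILITY", "STARTTLS"}, "pop3": {"STLS"}}
CREDENTIAL_VERBS = {"LOGIN", "USER", "PASS"}


def command_word(proto: str, line: str) -> str:
    """IMAP: '<tag> VERB ...'; POP3: 'VERB ...'."""
    parts = line.strip().split()
    if not parts:
        return ""
    if proto == "imap":
        return parts[1].upper() if len(parts) > 1 else ""
    return parts[0].upper()


def run_session(proto: str, mode: str, lines: List[str]) -> List[Tuple[str, str]]:
    """Replay client lines through the gate; returns (verb, verdict) pairs."""
    if mode not in ("disabled", "optional", "enforced"):
        raise ValueError(f"unknown starttls mode {mode!r}")
    tls = False
    log: List[Tuple[str, str]] = []
    for line in lines:
        verb = command_word(proto, line)
        if verb == UPGRADE[proto]:
            if mode == "disabled":
                log.append((verb, "rejected: STARTTLS not supported"))
            else:
                tls = True
                log.append((verb, "accepted: TLS negotiated"))
            continue
        if mode == "enforced" and not tls and verb not in ALLOWED_BEFORE_TLS[proto]:
            log.append((verb, "rejected: STARTTLS required first"))
            continue
        log.append((verb, "accepted"))
    return log


def leaked_before_tls(log: List[Tuple[str, str]]) -> List[str]:
    """Credential-bearing commands that were accepted on the cleartext leg."""
    leaked, tls = [], False
    for verb, verdict in log:
        if verdict == "accepted: TLS negotiated":
            tls = True
        elif verdict == "accepted" and not tls and verb in CREDENTIAL_VERBS:
            leaked.append(verb)
    return leaked


# Constructed dialogues: each client first tries to log in in the clear, then
# upgrades and logs in again.
IMAP_CLIENT = ["a001 CAPABILITY", "a002 LOGIN alice hunter2",
               "a003 STARTTLS", "a004 LOGIN alice hunter2"]
POP3_CLIENT = ["CAPA", "USER alice", "STLS", "USER alice", "PASS hunter2"]

if __name__ == "__main__":
    for mode in ("enforced", "optional", "disabled"):
        imap = run_session("imap", mode, IMAP_CLIENT)
        pop3 = run_session("pop3", mode, POP3_CLIENT)
        print(mode, leaked_before_tls(imap), leaked_before_tls(pop3))
```

leaked_before_tls() is the check worth keeping: with starttls optional the same IMAP dialogue gets its LOGIN through in cleartext, which is exactly what an on-path attacker who strips the STARTTLS capability from the server greeting is counting on. Only enforced closes that window.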

slb template logging


Description Configure external logging over TCP.

Syntax [no] slb template logging template-name

Replace template-name with the name of the template, up to 31


characters long.
This command enters the SLB Logging Template Configuration mode
where the following commands are available.

[no] format string
    Configures a log string. Web logging is described in detail in the “Web Logging for HTTP and RAM Caching” section of the Application Delivery Controller Guide.

[no] local-logging {0 | 1}
    Enables or disables local logging:
    • 0 – Disables local logging.
    • 1 – Enables local logging.
    The default is 0 (disabled).


[no] pcre-mask pattern [keep-end num | keep-start num | mask char]
    Masks the matched Perl Compatible Regular Expression (PCRE) pattern in the log.
    • Use keep-end to specify the number of unmasked characters to keep at the end (0-65535); the default is 0.
    • Use keep-start to specify the number of unmasked characters to keep at the start (0-65535); the default is 0.
    • Use mask to specify a character to use as the mask for the matched pattern; the default is “X”.

[no] service-group group-name
    For remote logging, specifies the name of the service group that contains the log servers.

[no] template tcp-proxy template-name
    Binds a TCP-proxy template to the logging template.

Default The configuration does not have a default logging template.

Mode Configuration mode

Usage Logging over TCP also requires some additional configuration. See the
Application Delivery Controller Guide.
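The pcre-mask options above (keep-start, keep-end, mask) are the knobs that decide how much of a matched secret survives in an exported log line. The following is an added example, not ACOS code: it re-implements those semantics in Python so a practitioner can check what a given rule leaves unmasked before shipping logs off-box. Python's re module stands in for PCRE, and the log lines and rules are constructed.

```python
import re

# Re-implementation of the pcre-mask semantics from the logging template:
# every match of the pattern is replaced by the mask character, except
# keep-start characters at the front and keep-end characters at the end of
# the match. Python's re module stands in for PCRE (simple patterns only).
MAX_KEEP = 65535


def pcre_mask(line, pattern, keep_start=0, keep_end=0, mask="X"):
    """Return `line` with every match of `pattern` masked.

    keep_start/keep_end: unmasked characters kept at the start and end of
    each match (0-65535, default 0). mask: a single mask character (default
    "X"). A match no longer than keep_start + keep_end has nothing left to
    mask and is returned unchanged.
    """
    if not (0 <= keep_start <= MAX_KEEP and 0 <= keep_end <= MAX_KEEP):
        raise ValueError("keep-start and keep-end must be 0-65535")
    if len(mask) != 1:
        raise ValueError("mask must be a single character")

    def masked(match):
        text = match.group(0)
        hidden = len(text) - keep_start - keep_end
        if hidden <= 0:
            return text
        return text[:keep_start] + mask * hidden + text[len(text) - keep_end:]

    return re.sub(pattern, masked, line)


def mask_log_lines(lines, rules):
    """Apply a list of (pattern, options) masking rules to every log line,
    in order, the way several pcre-mask entries in one template would."""
    out = []
    for line in lines:
        for pattern, options in rules:
            line = pcre_mask(line, pattern, **options)
        out.append(line)
    return out


# Constructed sample web-log lines (not real traffic).
SAMPLE_LINES = [
    "10.0.0.7 - - GET /checkout?card=4111111111111111&cvv=123 HTTP/1.1 200",
    "10.0.0.9 - - GET /api?token=abc123def456 HTTP/1.1 200",
]

# Constructed rules mirroring CLI entries such as:
#   pcre-mask \d{16} keep-end 4          (keep the last four card digits)
#   pcre-mask cvv=\d{3} keep-start 4 mask *
#   pcre-mask token=\w+ keep-start 6 mask #
RULES = [
    (r"\d{16}", {"keep_end": 4}),
    (r"cvv=\d{3}", {"keep_start": 4, "mask": "*"}),
    (r"token=\w+", {"keep_start": 6, "mask": "#"}),
]

if __name__ == "__main__":
    for masked_line in mask_log_lines(SAMPLE_LINES, RULES):
        print(masked_line)
```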

slb template monitor


Description Configure a link monitoring template.

Syntax [no] slb template monitor num

Replace num with the identification number of the template. This can be
a number from 1 to 16.

This command enters the SLB Monitor Template Configuration mode
where the following commands are available.

[no] action options
    Specifies the action to perform when a monitored event is detected.
    • clear sessions {all | sequence portnum}
    • link-disable eth portnum sequence portnum
    • link-enable eth portnum sequence portnum

[no] monitor options
    Specifies the events and links (Ethernet data ports) to monitor. The
    sequence number assigned to a monitoring entry specifies the order in
    which to check the monitored ports for the specified event type.
    • link-down eth portnum [eth portnum ...] sequence order
    • link-up eth portnum [eth portnum ...] sequence order

[no] monitor-and
    Uses the logical operator “AND” for link monitoring. The actions are
    performed only if all of the monitored events are detected. This is
    selected by default.

[no] monitor-or
    Uses the logical operator “OR”. The actions are performed if any of the
    monitored events are detected.

Default The ports within a given monitor entry are always ANDed. If you specify
more than one port (eth portnum option) in the same monitor entry, the
specified event must occur on all the ports in the entry. For example, if
you specify link-down eth 9 eth 11, the link must go down on ports 9 and
11, for the link-state changes to count as a monitored event.

Mode Configuration mode

Usage The logical operator applies only to monitor entries, not to action entries.
For example, if the logical operator is OR, and at least one of the mon-
itored events occurs, all the actions configured in the template are
applied.
You can configure the entries in any order. In the configuration, the
entries of each type are ordered based on sequence number.

Example The following commands configure monitor template 1:
ACOS(config)# slb template monitor 1
ACOS(config-monitor)# monitor-or
ACOS(config-monitor)# monitor link-down eth 5 sequence 1
ACOS(config-monitor)# monitor link-down eth 6 sequence 2
ACOS(config-monitor)# monitor link-down eth 9 sequence 3
ACOS(config-monitor)# monitor link-down eth 10 sequence 4
ACOS(config-monitor)# action clear sessions sequence 1
ACOS(config-monitor)# action link-disable eth 5 sequence 2
ACOS(config-monitor)# action link-disable eth 6 sequence 3
ACOS(config-monitor)# action link-disable eth 9 sequence 4
ACOS(config-monitor)# action link-disable eth 10 sequence 5

Example The following example shows how to use the SLB link monitoring
command in a CGN shared partition:
ACOS(config)# allow-slb-cfg enable
ACOS(config)# slb template monitor 1
ACOS(config-monitor)# monitor-or
ACOS(config-monitor)#
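The Default and Usage text above fix three rules: ports inside one monitor entry are ANDed, entries are combined with monitor-and or monitor-or, and once the template fires every action applies in sequence order. The following added example (not ACOS code) parses the config-monitor commands from the example above and evaluates them against a constructed link-state table, so the difference between the two operators and a multi-port entry can be checked before the template is applied.

```python
# Evaluates an SLB monitor template the way the Default/Usage text
# describes: ports inside one monitor entry are ANDed, entries are combined
# with monitor-and (default) or monitor-or, and when the template fires
# every configured action is applied in sequence order.


def parse_monitor_template(cli_lines):
    """Parse the commands entered in config-monitor mode (operator,
    monitor entries and action entries) into a dict."""
    template = {"operator": "and", "monitor": [], "actions": []}
    for raw in cli_lines:
        tokens = raw.split()
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword in ("monitor-and", "monitor-or"):
            template["operator"] = keyword.split("-")[1]
        elif keyword == "monitor":
            # monitor link-down eth 9 eth 11 sequence 3
            ports = [int(tokens[i + 1]) for i, t in enumerate(tokens) if t == "eth"]
            seq = int(tokens[tokens.index("sequence") + 1])
            template["monitor"].append({"event": tokens[1], "ports": ports, "sequence": seq})
        elif keyword == "action":
            # action link-disable eth 5 sequence 2  /  action clear sessions all
            end = tokens.index("sequence") if "sequence" in tokens else len(tokens)
            seq = int(tokens[end + 1]) if end < len(tokens) else 0
            template["actions"].append({"action": " ".join(tokens[1:end]), "sequence": seq})
        else:
            raise ValueError(f"unsupported config-monitor command: {raw}")
    return template


def entry_detected(entry, link_up):
    """True when the entry's event holds on ALL of its ports (ports within a
    single monitor entry are always ANDed). link_up maps port -> bool."""
    want_up = entry["event"] == "link-up"
    return all(link_up.get(port, False) == want_up for port in entry["ports"])


def evaluate(template, link_up):
    """Return the actions to apply, in sequence order, or [] when the
    monitored events do not satisfy the template's logical operator."""
    entries = sorted(template["monitor"], key=lambda e: e["sequence"])
    detected = [entry_detected(e, link_up) for e in entries]
    combine = all if template["operator"] == "and" else any
    if not entries or not combine(detected):
        return []
    return [a["action"] for a in sorted(template["actions"], key=lambda a: a["sequence"])]


# The config-monitor commands from the manual's example for template 1.
TEMPLATE_1 = parse_monitor_template([
    "monitor-or",
    "monitor link-down eth 5 sequence 1",
    "monitor link-down eth 6 sequence 2",
    "monitor link-down eth 9 sequence 3",
    "monitor link-down eth 10 sequence 4",
    "action clear sessions sequence 1",
    "action link-disable eth 5 sequence 2",
    "action link-disable eth 6 sequence 3",
    "action link-disable eth 9 sequence 4",
    "action link-disable eth 10 sequence 5",
])

# Constructed template with a multi-port entry: both ports must be down.
TEMPLATE_AND = parse_monitor_template([
    "monitor-and",
    "monitor link-down eth 9 eth 11 sequence 1",
    "action link-disable eth 9 sequence 1",
])

if __name__ == "__main__":
    # Constructed link state: every port up except eth 9.
    state = {5: True, 6: True, 9: False, 10: True, 11: True}
    print(evaluate(TEMPLATE_1, state))    # OR: one detected event is enough
    print(evaluate(TEMPLATE_AND, state))  # eth 11 is still up: nothing fires
```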

slb template link-probe

Description Configure a global command with link-probe settings.

Syntax [no] slb template link-probe <template-name>

slb template link-probe
    Creates a template that can be applied under a service-group when
    method "next-hop-link" is configured.

template-name
    Specify the name of the template, up to 127 characters long.

Default The configuration does not have a default link-probe template.

Mode Global Configuration mode

Usage This command enters the SLB Template Configuration mode where
additional commands are available.

Example To configure an SLB template:
ACOS(config)#slb template link-probe IpTemplate
ACOS(config-probe template)#?

destination hostname
Description Configure a destination hostname for the link-probe template.

Syntax destination hostname <host_name> {resolve-to-ipv4 | resolve-to-ipv6 |
static-ipv4-addr | static-ipv6-addr}

host_name
    Replace host_name with the destination hostname, 1 to 127 characters
    long.

Mode Link-probe template mode

Example The following example configures an slb template link-probe with a
destination hostname and a static or dynamic IP address (IPv4 or IPv6). Only
one hostname + IP combination is allowed inside a template:
ACOS(config-probe template)# destination hostname www.probe-template-dest.com resolve-to-ipv4
ACOS(config-probe template)# destination hostname www.probe-template-dest.com resolve-to-ipv6
ACOS(config-probe template)# destination hostname www.probe-template-dest.com static-ipv4-addr 172.16.213.94
ACOS(config-probe template)# destination hostname www.probe-template-dest.com static-ipv6-addr 172::94

destination hostname target

Description Configure the destination hostname with a static or DNS resolution type.

Syntax destination hostname <host_name>
{resolve-to-ipv4 | resolve-to-ipv6 | static-ipv4-addr | static-ipv6-addr}

destination hostname <host_name>
    Configure the destination hostname with a static or DNS resolution
    type. Replace host_name with the destination hostname, 1 to 127
    characters long.

resolve-to-ipv4
    Use an A query only to resolve the configured hostname.

resolve-to-ipv6
    Use an AAAA query only to resolve the configured hostname.

static-ipv4-addr
    Target IPv4 address.

static-ipv6-addr
    Target IPv6 address.

Example The following example configures an slb template link-probe with a
destination hostname and a static or dynamic IP address (IPv4 or IPv6). Only
one hostname + IP combination is allowed inside a template:
ACOS(config-probe template)# destination hostname www.probe-template-dest.com resolve-to-ipv4
ACOS(config-probe template)# destination hostname www.probe-template-dest.com resolve-to-ipv6
ACOS(config-probe template)# destination hostname www.probe-template-dest.com static-ipv4-addr 172.16.213.94
ACOS(config-probe template)# destination hostname www.probe-template-dest.com static-ipv6-addr 172::94

probe-interval
Description Configure a probe-interval for the link probe.

Syntax [no] probe-interval <time_in_seconds>

probe-interval <time_in_seconds>
    Configure the probe-interval, that is, the time between two successive
    probes. Replace time_in_seconds with a value in seconds from 1 to
    2147483647. The default is 5 seconds.

Default Default interval is 5 seconds.

Mode Link Probe Template mode.

Example The following example configures the probe-interval:
ACOS(config-probe template)# probe-interval 5

probes-per-test
Description Configure the number of probes-per-test.

Syntax [no] probes-per-test <number>

probes-per-test <number>
    Total number of probes that need to be sent out for each test. The
    value is 1 to 10.

Default The default is 5.

Mode Link probe template mode

Example The following example configures the probes-per-test parameter:
ACOS(config-probe template)# probes-per-test 3

rtt-method
Description Configure an rtt-method type for the link probe.

Syntax [no] rtt-method {http rtt | tcp rtt}

http rtt
    Calculate the Round Trip Time between the HTTP request and response.

tcp rtt
    Use the TCP smoothed round trip time (SRTT) of the HTTP connection.
    TCP SRTT is calculated for the TCP connection up to the point of
    receiving an expected HTTP response.

Default This is the default rtt-method.

Mode Link probe template mode.

Usage Round-trip time (RTT) is the duration in milliseconds it takes for a network
request to go from a starting point to a destination and back again to the
starting point.
An RTT sample is marked as an error if an unexpected HTTP status code or TCP
status is received, or if a network error occurs.

Example With http rtt, the Round Trip Time between the HTTP request and response
is calculated, and an RTT sample is marked as an error if an unexpected HTTP
status code is received or a network error occurs.
The following example configures the rtt-method to be used inside the
link-probe template:
ACOS(config-probe template)# rtt-method http-rtt
ACOS(config-probe template)# rtt-method tcp-srtt

selection-rule
Description Specify the link selection strategy for the link-probe template.

Syntax [no] selection-rule {fastest-link-always | threshold}

fastest-link-always
    Always use the link with the lowest average latency.

threshold
    Use all links below a threshold before selecting the fastest link. A
    numerical value in the range 1-65534 must be specified for the
    threshold parameter. For example, selection-rule threshold 10.

Default If selection-rule is not specified, the default is fastest-link-always.

Mode Link probe template mode.

Example The following examples configure the selection-rule:
ACOS(config-probe template)# selection-rule fastest-link-always
ACOS(config-probe template)# selection-rule threshold 10

test-interval
Description Configure a test-interval for the link-probe template.

Syntax [no] test-interval <test_interval>

<test_interval>
    The time interval between subsequent tests, in seconds, from 1 to
    2147483647. Configuring a larger test-interval than the probe-interval
    will result in a more stable link selection.

Default The default is 60 seconds.

Mode Link probe template mode.

Example The following example configures the test-interval:
ACOS(config-probe template)# test-interval 60

user-tag
Description Configure a user-tag and associate it with the link probe template.

Syntax [no] user-tag <name>

user-tag <name>
    Name of the user-tag, 1 to 127 characters long.

Default The default is 60 seconds.

Mode Link probe template mode.

Usage This is a very useful method of creating and managing website or module
permissions. You can customize the tags for the users.

Example The following example configures a user-tag:
ACOS(config-probe template)# user-tag 1

expected-status-code
Description Configure an expected-status-code.

Syntax [no] expected-status-code <value>

value
    The expected status code list, 1 to 31 characters long. The format is
    xx, xx-xx.

Default Default value is 200.

Mode Link probe template mode.

Example This is the code that is delivered when a web page or resource loads
exactly the way it is expected to. Success codes are returned when the browser
request was successfully received, understood, and processed by the server.
The following example configures the expected status codes to look for in a
probe HTTP connection in order to record an RTT measurement:
ACOS(config-probe template)# expected-status-code 200, 201-299, 301-302
ACOS(config-probe template)# expected-status-code 200, 201
ACOS(config-probe template)# expected-status-code 301

url
Description Configure a URL for the link probe. Specify the URL to which probes
should be sent.

Syntax [no] url <name>

name
    Replace name with the URL, 1 to 1023 characters long.

Default Default is /

Mode Link probe template mode.

Example The following example configures the url:
ACOS(config-probe template)# url www.123xyz.com

show slb link-probe

Description Display options for the show slb link-probe command.

Syntax show slb link-probe {entry | statistics} [server [<server_name> |
<service_group_name>] detail]

entry
    Display link probe entries: information about the SLB link-probe
    entries currently created in the system.

statistics
    Display all link probe statistics.

server <server_name>
    Display information about slb link-probe entries currently created in
    the system associated with a specific server.

<service_group_name>
    Display information about slb link-probe entries currently created in
    the system associated with a specific service-group.

detail
    Display detailed information about slb link-probe entries currently
    created in the system associated with a specific server or
    service-group.

Default NA

Mode All

Example
ACOS(config)# show slb link-probe entry
Next-Hop SLB Server  IP Type  Probe Dest IP Address  Domain-Name        URL  Average RTT
---------------------------------------------------------------------------------------
rs212                Static   172.16.213.93          test1.example.com  /    33
---------------------------------------------------------------------------------------
Next-Hop SLB Server  IP Type  Probe Dest IP Address  Domain-Name        URL  Average RTT
---------------------------------------------------------------------------------------
rs211-3              Static   172.16.213.93          test1.example.com  /    1
---------------------------------------------------------------------------------------
Next-Hop SLB Server  IP Type  Probe Dest IP Address  Domain-Name        URL  Average RTT
---------------------------------------------------------------------------------------
rs211                Static   172.16.213.93          test1.example.com  /    13

ACOS(config)# show slb link-probe entry server rs211
---------------------------------------------------------------------------------------
Next-Hop SLB Server  IP Type  Probe Dest IP Address  Domain-Name        URL  Average RTT
---------------------------------------------------------------------------------------
rs211                Static   172.16.213.93          test1.example.com  /    10

ACOS(config)# show slb link-probe entry server rs211 detail
Next-Hop SLB Server : rs211
Probe Template Name : a
Domain-Name : test1.example.com
URL : /
IP Type : Static
Probe Dest IP Address : 172.16.213.93
Current Probe in Test : 1
Probes Per Test : 10
Probe Interval (Seconds) : 2
Test Interval (Seconds) : 1
RTT Method : HTTP Req - Resp Latency
Last HTTP Status Code : 200
Average RTT : 11
RTT Individual Samples :
-------------------------------------------------------------
Sample# | #1 | #2 | #3 | #4 | #5 | #6 | #7 | #8 | #9 | #10 |
-------------------------------------------------------------
ms | 15 | 9 | 15 | 13 | 9 | 10 | 12 | 13 | 12 | 11 |

ACOS(config)# show slb link-probe entry service-group sg1
---------------------------------------------------------------------------------------
Next-Hop SLB Server  IP Type  Probe Dest IP Address  Domain-Name        URL  Average RTT
---------------------------------------------------------------------------------------
rs212                Static   172.16.213.93          test1.example.com  /    33
---------------------------------------------------------------------------------------
Next-Hop SLB Server  IP Type  Probe Dest IP Address  Domain-Name        URL  Average RTT
---------------------------------------------------------------------------------------
rs211-3              Static   172.16.213.93          test1.example.com  /    1
---------------------------------------------------------------------------------------
Next-Hop SLB Server  IP Type  Probe Dest IP Address  Domain-Name        URL  Average RTT
---------------------------------------------------------------------------------------
rs211                Static   172.16.213.93          test1.example.com  /    13

ACOS(config)# show slb link-probe entry service-group sg1 detail
Next-Hop SLB Server : rs212
Probe Template Name : a
Domain-Name : test1.example.com
URL : /
IP Type : Static
Probe Dest IP Address : 172.16.213.93
Current Probe in Test : 10
Probes Per Test : 10
Probe Interval (Seconds) : 2
Test Interval (Seconds) : 1
RTT Method : HTTP Req - Resp Latency
Last HTTP Status Code : 200
Average RTT : 32
RTT Individual Samples :
-------------------------------------------------------------
Sample# | #1 | #2 | #3 | #4 | #5 | #6 | #7 | #8 | #9 | #10 |
-------------------------------------------------------------
ms | 35 | 35 | 33 | 33 | 32 | 32 | 30 | 36 | 36 | 27 |

The following command displays slb link-probe statistics:
ACOS(config)# show slb link-probe statistics
Counter Name                            Total
---------------------------------------------
Total TCP Conn Sent                     0
Total HTTP Probes Sent                  0
Total HTTP responses rcvd               0
Total HTTP expected status code rcvd    0
Total HTTP bad status code rcvd         0
Total TCP Errors in Probe connections   0
Smart NAT Alloc Failures                0
Smart NAT Port Alloc Failures           0
L4 Session Alloc Failures               0
TCP Connection Start Failed             0
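The expected-status-code, rtt-method and selection-rule commands above, together with the show slb link-probe detail output, describe one test cycle: probes whose status is unexpected or that hit a TCP or network error are marked as errors, the remaining samples are averaged, and the selection-rule picks the next-hop link. The following added example (not ACOS code) carries that cycle through in Python using the rs211 and rs212 samples from the detail output plus a constructed rs211-3 test with two failed probes; the reading of threshold as "every link under the threshold is usable, otherwise the fastest one" is an assumption, as is the integer truncation of the average (which matches the Average RTT values shown above).

```python
import re

# Link-probe bookkeeping as described by the link-probe template commands:
# parse an expected-status-code list, drop RTT samples that are errors,
# average the rest the way `show slb link-probe ... detail` reports them
# (integer milliseconds, assumed truncation), and apply the selection-rule.
# Reading of `threshold`: every link under the threshold is usable; when
# none is, fall back to the fastest link (an assumption).


def parse_expected_status_codes(spec):
    """'200, 201-299, 301-302' -> set of ints. Entries are xx or xx-xx."""
    codes = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d{3})(?:-(\d{3}))?", item)
        if m is None:
            raise ValueError(f"bad expected-status-code entry: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError(f"inverted range: {item!r}")
        codes.update(range(low, high + 1))
    return codes


def average_rtt(samples, expected_codes):
    """samples: list of (http_status or None, rtt_ms). A sample with a
    TCP/network error (status None) or an unexpected status code is marked
    as an error and excluded. Returns the truncated integer average, or
    None when every sample in the test failed."""
    good = [rtt for status, rtt in samples
            if status is not None and status in expected_codes]
    if not good:
        return None
    return sum(good) // len(good)


def select_links(avg_rtt_by_link, rule="fastest-link-always", threshold=None):
    """avg_rtt_by_link: {next-hop server name: average RTT ms or None}.
    Returns the list of usable next-hop links under the selection-rule."""
    usable = {name: rtt for name, rtt in avg_rtt_by_link.items() if rtt is not None}
    if not usable:
        return []
    fastest = min(usable, key=usable.get)
    if rule == "fastest-link-always":
        return [fastest]
    if rule == "threshold":
        if threshold is None or not 1 <= threshold <= 65534:
            raise ValueError("threshold must be 1-65534")
        below = sorted(name for name, rtt in usable.items() if rtt < threshold)
        return below or [fastest]
    raise ValueError(f"unknown selection-rule: {rule}")


# Per-link samples: rs211 and rs212 from the manual's `detail` output, plus a
# constructed rs211-3 test in which two of the probes failed.
SAMPLES = {
    "rs211": [(200, r) for r in (15, 9, 15, 13, 9, 10, 12, 13, 12, 11)],
    "rs212": [(200, r) for r in (35, 35, 33, 33, 32, 32, 30, 36, 36, 27)],
    "rs211-3": [(200, 1), (503, 40), (None, 0), (200, 1)],
}


def run_test_cycle(samples_by_link, status_spec="200",
                   rule="fastest-link-always", threshold=None):
    """One full test: average each link's probes, then choose the link(s).
    Returns (averages, selected_links)."""
    expected = parse_expected_status_codes(status_spec)
    averages = {name: average_rtt(s, expected) for name, s in samples_by_link.items()}
    return averages, select_links(averages, rule, threshold)


if __name__ == "__main__":
    print(run_test_cycle(SAMPLES))
    print(run_test_cycle(SAMPLES, "200, 201-299, 301-302", "threshold", 20))
```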

slb template persist cookie


Description Configure session persistence by inserting persistence cookies into
server replies to clients.

Syntax [no] slb template persist cookie template-name

Replace template-name with the name of the template, up to 31
characters long.
This command enters the SLB Persist Cookie Template Configuration
mode where the following commands are available.

[no] domain domain-name
    Adds the specified domain name to the cookie.

[no] dont-honor-conn-rules
    Ignores connection limit settings configured on real servers and real
    ports. This option is useful for applications in which multiple
    sessions (connections) are likely to be used for the same persistent
    cookie.
    By default, this is disabled; the connection limit set on real servers
    and real ports is used.

[no] expire expire-seconds
    Specifies the number of seconds a cookie persists on a client’s PC
    before being deleted by the client’s browser. You can specify from 0 to
    31,536,000 seconds (one year). (Do not enter the commas.) If you
    specify 0, cookies persist only for the current session.
    The default value is 10 years.
    NOTE: Although the default is 10 years (essentially, unlimited), the
    maximum configurable expiration is one year.

[no] httpOnly
    Sets the HTTP-only flag in the persistence cookie.

[no] insert-always
    Specifies whether to insert a new persistence cookie in every reply,
    even if the request already had a persistence cookie previously
    inserted by the ACOS device.
    This is disabled by default; the ACOS device inserts a persistence
    cookie only if the client request does not already contain a
    persistence cookie inserted by the ACOS device, or if the server
    referenced by the cookie is unavailable.

[no] match-type {server [service-group] | service-group} [scan-all-members]
    Changes the granularity of cookie persistence.
    • server – The cookie inserted into the HTTP header of the server
      reply to a client ensures that subsequent requests from the client
      for the same VIP are sent to the same real server. (This assumes
      that all virtual ports of the VIP use the same cookie persistence
      template with match-type set to server.)
      Without this option, the default behavior is used: subsequent
      requests from the client will be sent to the same real port on the
      same real server.
    • server service-group – Sets the granularity to the same as server,
      and also enables cookie persistence to be used along with URL
      switching or host switching. Without the service-group option, URL
      switching or host switching can be used only for the initial request
      from the client. After the initial request, subsequent requests are
      always sent to the same service group.
    • service-group – This option enables support for URL switching and
      host switching, along with the default cookie persistence behavior.
    • scan-all-members – This option scans all members bound to the
      template. This option is useful in configurations where match-type
      “server” is used, and where some members have different priorities
      or are disabled. (For more information about this option, see the
      “Scan-All-Members Option in Persistence Templates” chapter in the
      Application Delivery Controller Guide.)
    NOTE: To use URL switching or host switching, you also must configure
    an HTTP template with the host-switching or url-switching command.
    The default match type is port. (There is no port keyword. See “Usage”
    for more information.)

[no] name cookie-name
    Specifies the name of the persistence cookie, 1-63 characters.
    The default name is “sto-id”.

[no] pass-thru
    Enables pass-through mode for passive cookie persistence.
    This is disabled by default.

[no] path path-name
    Adds path information to the cookie, 1-31 characters.
    The default path is “/”.

[no] secure
    Enables the secure attribute.

Default The configuration does not have a default cookie-persistence template. If
you create one, it has the defaults described above.

Mode Configuration mode

Usage The normal form of this command creates a cookie-persistence template.
The no form of this command removes the template.
You can bind only one cookie-persistence template to a virtual port.
However, you can bind the same cookie-persistence template to multiple
ports.
When cookie persistence is configured, the ACOS device adds a
persistence cookie to the server reply before sending the reply to the
client. The client’s browser re-inserts the cookie into each request.
For security, address information in the cookie is encrypted.
The format of the cookie depends on the match-type setting:
• match-type (port) – This is the default setting. Subsequent
requests from the client will be sent to the same real port on the
same real server. URL switching or host switching can be used only
for the first request.

The cookie that the ACOS device inserts into the server reply has this
format:
Set-Cookie: cookiename-vport=rserverIP_rport

The vport is the virtual port number. The rserverIP is the real server IP
address and the rport is the real server port number.

The port option is shown in parentheses because the CLI does not
have a “port” keyword. If you do not set the match type to server
(see below), the match type is automatically “port”.
• match-type server – Subsequent requests from the client for the
same VIP will be sent to the same real server, provided that all virtual
ports of the VIP use the same cookie persistence template with
match-type set to server. URL switching or host switching can be
used only for the first request.

The cookie that the ACOS device inserts into the server reply has this
format:
Set-Cookie: cookiename=rserverIP

• match-type (port) service-group – Subsequent requests from
the client will be sent to the same real port on the same real server,
within the service group selected by URL switching or host switching.
URL switching or host switching, if configured, is still used for
every request.

The cookie that the ACOS device inserts into the server reply has the
following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport

• match-type server service-group – Subsequent requests from
the client for the same VIP will be sent to the same real server, within
the service group selected by URL switching or host switching. URL
switching or host switching, if configured, is still used for every
request.

The cookie that the ACOS device inserts into the server reply has the
following format:
Set-Cookie: cookiename-servicegroupname=rserverIP

Example The following commands configure a cookie persistence template
named “persist-cookie”. The template inserts a cookie named “MyCookie”,
containing the real server’s IP address and protocol port in encrypted
form, into server responses before sending the responses to clients. The
template also sets the cookie to persist on client PCs for only 10 minutes
(600 seconds).
ACOS(config)# slb template persist cookie persist-cookie
ACOS(config-cookie persist)# name MyCookie
ACOS(config-cookie persist)# expire 600
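The four cookie-name formats in the Usage section, together with the expire, httpOnly, secure, path and domain settings, determine what the persistence cookie looks like on the wire and how exposed it is. The following added example (not ACOS code) renders the Set-Cookie line for each match-type from the page's own formats and audits a template's attribute settings; the device encrypts the address value with an undocumented cipher, so the `encode` callable is a stand-in, and rendering expire as Max-Age is an assumption.

```python
# Builds the Set-Cookie header a cookie-persistence template produces for
# each match-type, using the cookie-name formats from the Usage section,
# and audits the template's attribute settings. Not ACOS code: the device
# encrypts the address value (cipher undocumented, so `encode` is a
# stand-in) and the rendering of expire as Max-Age is an assumption.

MAX_EXPIRE = 31_536_000              # one year: largest configurable value
DEFAULT_EXPIRE = 10 * 365 * 86_400   # the documented 10-year default
MAX_NAME_LEN, MAX_PATH_LEN = 63, 31


def cookie_name(name, match_type="port", vport=None, service_group=None):
    """Cookie name per match-type:
         port (default)         cookiename-vport
         server                 cookiename
         port + service-group   cookiename-vport-servicegroupname
         server + service-group cookiename-servicegroupname"""
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("cookie name must be 1-63 characters")
    if match_type not in ("port", "server"):
        raise ValueError("match-type must be 'port' (default) or 'server'")
    parts = [name]
    if match_type == "port":
        if vport is None:
            raise ValueError("match-type port needs the virtual port number")
        parts.append(str(vport))
    if service_group:
        parts.append(service_group)
    return "-".join(parts)


def cookie_value(match_type, rserver_ip, rport=None):
    """Plaintext value before encryption: rserverIP_rport for match-type
    port, rserverIP for match-type server."""
    if match_type == "port":
        if rport is None:
            raise ValueError("match-type port needs the real server port")
        return f"{rserver_ip}_{rport}"
    return rserver_ip


def set_cookie_header(template, vport, service_group, rserver_ip, rport,
                      encode=lambda v: v):
    """Render the Set-Cookie line. `template` holds the template settings:
    name, match_type, expire (seconds, None = default), path, domain,
    httpOnly, secure. `encode` models the device's encryption."""
    match_type = template.get("match_type", "port")
    name = cookie_name(template.get("name", "sto-id"), match_type, vport, service_group)
    value = encode(cookie_value(match_type, rserver_ip, rport))
    attrs = [f"{name}={value}"]
    expire = template.get("expire")
    if expire is not None:
        if not 0 <= expire <= MAX_EXPIRE:
            raise ValueError("expire must be 0-31536000 seconds")
        if expire > 0:                 # 0 = session cookie: no Max-Age at all
            attrs.append(f"Max-Age={expire}")
    else:
        attrs.append(f"Max-Age={DEFAULT_EXPIRE}")
    attrs.append(f"Path={template.get('path', '/')}")
    if template.get("domain"):
        attrs.append(f"Domain={template['domain']}")
    if template.get("secure"):
        attrs.append("Secure")
    if template.get("httpOnly"):
        attrs.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(attrs)


def audit_template(template, vport_is_tls):
    """Flag settings a reviewer would question for a persistence cookie."""
    findings = []
    if template.get("expire") is None:
        findings.append("expire not set: cookie lives 10 years (default)")
    elif not 0 <= template["expire"] <= MAX_EXPIRE:
        findings.append("expire out of range (0-31536000)")
    if not template.get("httpOnly"):
        findings.append("httpOnly not set: cookie is readable by page scripts")
    if vport_is_tls and not template.get("secure"):
        findings.append("secure not set on a TLS virtual port")
    if len(template.get("path", "/")) > MAX_PATH_LEN:
        findings.append("path longer than 31 characters")
    return findings


# The manual's example template (name MyCookie, expire 600) and a hardened
# variant with httpOnly and secure; real-server values are constructed.
PERSIST_COOKIE = {"name": "MyCookie", "expire": 600}
HARDENED = dict(PERSIST_COOKIE, httpOnly=True, secure=True)

if __name__ == "__main__":
    print(set_cookie_header(PERSIST_COOKIE, 80, None, "10.1.1.10", 8080))
    print(audit_template(PERSIST_COOKIE, vport_is_tls=True))
    print(set_cookie_header(HARDENED, 443, "sg1", "10.1.1.10", 8080))
```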

slb template persist destination-ip


Description Configure the granularity of load balancing persistence (selection of the
same server resources) for clients, based on destination IP address.

Syntax [no] slb template persist destination-ip template-name

Replace template-name with the name of the template, 1-127 characters.
This command enters the SLB Persist Destination-IP Template
Configuration mode where the following commands are available.

[no] dont-honor-conn-rules
    Ignores connection limit settings configured on real servers and real
    ports. This option is useful for applications in which multiple
    sessions (connections) are likely to be used for the same persistent
    destination IP address.
    This is disabled by default; the connection limit set on real servers
    and real ports is used.

[no] hash-persist
    Enables hash-based persistence. Hash-based persistence provides the
    persistence and performance benefits of hash-based load balancing,
    while allowing use of advanced SLB features that require stateful load
    balancing.
    (For more information, see “Hash-based IP Persistence” in the
    Application Delivery Controller Guide.)
    This is disabled by default.

[no] match-type {server | service-group} [scan-all-members]
    Specifies the granularity of persistence:
    • server – Traffic to a given destination IP address is always sent to
      the same real server, for any service port.
      By default (without the server option), traffic to the same
      destination IP address and virtual port is always sent to the same
      real port. This is the most granular setting.
    • service-group – This option is applicable if you also plan to use
      URL switching or host switching. If you use the service-group option,
      URL or host switching is used for every request to select a service
      group. The first time URL or host switching selects a given service
      group, the load-balancing method is used to select a real port within
      the service group. The next time URL or host switching selects the
      same service group, the same real port is used. Thus, service group
      selection is performed for every request, but once a service group is
      selected for a request, the request goes to the same real port that
      was selected the first time that service group was selected.
    • scan-all-members – This option scans all members bound to the
      template. This option is useful in configurations where match-type
      “server” is used, and where some members have different priorities or
      are disabled. (For more information about this option, see the
      “Scan-All-Members Option in Persistence Templates” chapter in the
      Application Delivery Controller Guide.)
    To use URL switching or host switching, you also must configure an HTTP
    template with the host-switching or url-switching command.
    For SLB, by default, traffic to a given destination IP address and port
    is always sent to the same real port. This is the most granular
    setting. (There is no port keyword.)

[no] netmask ipaddr
    Specifies the granularity of IPv4 address hashing for initial server
    port selection.
    You can specify an IPv4 network mask in dotted decimal notation.
    To configure initial server port selection to occur once per
    destination VIP subnet, configure the network mask to indicate the
    subnet length. For example, to select a server port once for all
    requested VIPs within a subnet such as 10.10.10.x, 192.168.1.x, and so
    on (“class C” subnets), use mask 255.255.255.0. SLB selects a server
    port for the first request to the given VIP subnet, then sends all
    other requests for the same VIP subnet to the same port.
    To configure initial server port selection to occur independently for
    each requested VIP, use mask 255.255.255.255. (This is the default.)

[no] netmask6 mask-length
    Specifies the granularity of IPv6 address hashing for initial server
    port selection. (See above for more information.) The default is 128.

[no] timeout timeout-minutes
    Specifies how many minutes the mapping remains persistent after the
    last time it is used. You can specify 1-2000 minutes.
    The default is 5 minutes.

Default The configuration does not have a default destination-IP persistence
template. If you configure one, it has the defaults specified above.

Mode Configuration mode

Usage The normal form of this command creates a destination-IP persistence
template. The “no” form of this command removes the template.
You can bind only one destination-IP persistence template to a virtual
port. You can bind a destination-IP persistence template to multiple
ports.
Use of the service-group match-type option scan-all-members is not
useful in conjunction with destination-IP persistence templates, and is
not supported.

Example The following command creates a destination-IP persistence template
named “persist-dest”:
ACOS(config)# slb template persist destination-ip persist-source
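The netmask, netmask6, match-type and timeout settings above together define the key under which a destination-IP persistence mapping is stored and how long it stays alive. The following added example (not ACOS code) models that table in Python: the key is the destination VIP masked with netmask or netmask6 plus the virtual port (dropped under match-type server), and a mapping is reused until it has been idle longer than timeout-minutes. The round-robin chooser and the request trace are constructed.

```python
import ipaddress
from itertools import cycle

# Models the destination-IP persistence table described above: the
# persistence key is the destination VIP masked with netmask (IPv4) or
# netmask6 (IPv6) plus, with the default (port) granularity, the virtual
# port; with match-type server the port is ignored. A mapping is reused
# until it has been idle longer than timeout-minutes. Not ACOS code.


class DestIpPersistence:
    def __init__(self, netmask="255.255.255.255", netmask6=128,
                 match_type="port", timeout_minutes=5):
        if not 1 <= timeout_minutes <= 2000:
            raise ValueError("timeout must be 1-2000 minutes")
        if match_type not in ("port", "server"):
            raise ValueError("match-type must be 'port' (default) or 'server'")
        self.netmask = netmask            # dotted-decimal IPv4 mask
        self.netmask6 = netmask6          # IPv6 prefix length
        self.match_type = match_type
        self.timeout = timeout_minutes * 60      # seconds
        self.table = {}                          # key -> [selection, last_used]

    def key(self, dst_ip, vport):
        ip = ipaddress.ip_address(dst_ip)
        mask = self.netmask if ip.version == 4 else self.netmask6
        subnet = ipaddress.ip_network((str(ip), mask), strict=False).network_address
        return (subnet, vport if self.match_type == "port" else None)

    def select(self, dst_ip, vport, choose, now):
        """Return the real port/server for this request. `choose` stands in
        for the load-balancing method and is called only when no live
        mapping exists for the key."""
        k = self.key(dst_ip, vport)
        entry = self.table.get(k)
        if entry is not None and now - entry[1] <= self.timeout:
            entry[1] = now                       # refresh the idle timer
            return entry[0]
        selection = choose()
        self.table[k] = [selection, now]
        return selection


def demo():
    """Constructed walk-through: class C granularity, /64 for IPv6, the
    default 5-minute timeout. `now` is in seconds."""
    rr = cycle(["rs1:80", "rs2:80", "rs3:80"])   # stand-in round-robin method
    p = DestIpPersistence(netmask="255.255.255.0", netmask6=64)
    pick = lambda: next(rr)
    return [
        p.select("10.10.10.1", 80, pick, now=0),        # first VIP in 10.10.10.x
        p.select("10.10.10.7", 80, pick, now=60),       # same subnet and vport: reuse
        p.select("10.10.10.7", 443, pick, now=60),      # other vport: new selection
        p.select("10.10.11.3", 80, pick, now=60),       # other subnet: new selection
        p.select("2001:db8::1", 80, pick, now=60),      # IPv6 /64
        p.select("2001:db8::ffff", 80, pick, now=60),   # same /64: reuse
        p.select("10.10.10.9", 80, pick, now=60 + 301), # idle > 5 min: reselect
    ]


if __name__ == "__main__":
    print(demo())
```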

slb template persist source-ip


Description Configure the granularity of load balancing persistence (selection of the
same server resources) for clients, based on source IP address.

Syntax [no] slb template persist source-ip template-name

Replace template-name with the name of the template, 1-127 characters.


This command enters the SLB Persist Source-IP Template Configuration
mode where the following commands are available.

Command                        Description

[no] dont-honor-conn-rules     Ignores connection limit settings configured on real servers and
                               real ports. This option is useful for applications in which
                               multiple sessions (connections) are likely to be used for the
                               same persistent client source IP address.

                               This is disabled by default; the connection limit set on real
                               servers and real ports is used.

[no] enforce-higher-priority   Enables Source-IP Persistence Override and Reselect. When this
                               feature is enabled, the ACOS device continually checks for the
                               presence of higher-priority servers, even if source-IP
                               persistence is enabled and sessions are already established
                               between client and server.

[no] hash-persist              Enables hash-based persistence. Hash-based persistence provides
                               the persistence and performance benefits of hash-based load
                               balancing, while allowing use of advanced SLB features that
                               require stateful load balancing.

                               This is disabled by default.

[no] incl-dst-ip               Used to support the ALG protocol firewall load balancing feature
                               for protocols such as FTP. This option helps ensure that the
                               special persistent session is matched on both the source IP and
                               destination IP addresses.

[no] incl-sport                Includes the source port in persistent sessions.

                               This is disabled by default.

[no] match-type                Specifies the granularity of persistence:
{server [scan-all-members] |
service-group}                 • server – Traffic from a given client to the same VIP is
                                 always sent to the same real server, for any service port
                                 requested by the client.

                                 By default (without the server option), traffic from a given
                                 client to the same virtual port is always sent to the same
                                 real port. This is the most granular setting.

                                 The scan-all-members option scans all members bound to the
                                 template. This option is useful in configurations where
                                 match-type “server” is used, and where some members have
                                 different priorities or are disabled.

                               • service-group – This option is applicable if you also plan to
                                 use URL switching or host switching. If you use the
                                 service-group option, URL or host switching is used for every
                                 request to select a service group. The first time URL or host
                                 switching selects a given service group, the load-balancing
                                 method is used to select a real port within the service group.
                                 The next time URL or host switching selects the same service
                                 group, the same real port is used. Thus, service group
                                 selection is performed for every request, but once a service
                                 group is selected for a request, the request goes to the same
                                 real port that was selected the first time that service group
                                 was selected.

                               NOTE: To use URL switching or host switching, you also must
                               configure an HTTP template with the host-switching or
                               url-switching command.

                               NOTE: The match type for FWLB is always server, which sets the
                               granularity of source-IP persistence to individual firewalls,
                               not firewall groups or individual service ports.

                               For SLB, by default, traffic from a given client to the same
                               virtual port is always sent to the same real port. This is the
                               most granular setting. (There is no port keyword.)

                               For FWLB, the default is server and none of the other
                               match-type options are applicable.

[no] netmask ipaddr            Specifies the granularity of IP address hashing for server port
                               selection.

                               To configure server port selection to occur on a per subnet
                               basis, configure the network mask to indicate the subnet
                               length. For example, to send all clients within a subnet such
                               as 10.10.10.x, 192.168.1.x, and so on (“class C” subnets) to
                               the same server port, use mask 255.255.255.0. SLB selects a
                               server port for the first client in a given subnet, then sends
                               all other clients in the same subnet to the same port.

                               To configure server port selection to occur on a per client
                               basis, use mask 255.255.255.255. SLB selects a server port for
                               the first request from a given client, then sends all other
                               requests from the same client to the same port. (This is the
                               default.)

                               The default is 255.255.255.255.

[no] netmask6 mask-length      Specifies the granularity of IPv6 address hashing for initial
                               server port selection. (See above for more information.)

                               The default is 128.

[no] timeout minutes           Specifies the period the mapping remains persistent after the
                               last time traffic from the client is sent to the server. You
                               can specify 1-2000 minutes (about 33 hours).

                               The default timeout is 5 minutes.

Default The configuration does not have a default source-IP persistence template. If you configure one, it has the defaults described in the table above.


Mode Configuration mode

Usage The normal form of this command creates a source-IP persistence template. The “no” form of this command removes the template.
You can bind only one source-IP persistence template to a virtual port. However, you can bind the same source-IP persistence template to multiple ports.
If you use the incl-sport option, the IP address in the Forward Source column of show session output is modified to include the source port. For example, “155.1.1.151:33067” is shown as “1.151.129.43”.

Using the Same VIP and Port Number for TCP and UDP Ports
When applying the source-IP persistence template to two virtual ports with the same VIP and protocol port number but different Layer 4 protocols (TCP or UDP), member lists for the ports must be identical in both TCP and UDP service groups.
For example, the following configuration works because service groups 5060-tcp and 5060-udp have the same member list although their protocols are different.
slb virtual-server vip2 13.0.0.100
   port 5060 sip-tcp
      service-group 5060-tcp
      template persist source-ip per-sip
   port 5060 sip
      service-group 5060-udp
      template persist source-ip per-sip
!
slb service-group 5060-tcp tcp
   member s1 5060
   member s2 5060
!
slb service-group 5060-udp udp
   member s1 5060
   member s2 5060

The configuration will not work if the member lists in the service groups are different. For example, the configuration will not work if the TCP group's member list is changed to either of the following:
slb service-group 5060-tcp tcp
   member s3 5060
   member s4 5060

or
slb service-group 5060-tcp tcp
   member s1 5061
   member s2 5061
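The keying behaviour described in the command table above (netmask, netmask6, incl-sport and timeout) and the member-list requirement in this Usage section, modelled as an added Python example. This is illustrative code written for this page, not A10 code, and how ACOS actually implements its persistence table is not documented here. The show session display decoder is inferred from the single “155.1.1.151:33067” example above and is an assumption.

```python
import ipaddress
import itertools

# Added example, not A10 code: models the persistence table kept for a
# source-IP persistence template. ACOS internals are not documented here.


def persistence_key(client_ip, client_port, netmask="255.255.255.255",
                    netmask6=128, incl_sport=False):
    """Return the key under which a client's persistence mapping is stored.

    netmask / netmask6 set the hashing granularity (255.255.255.255 and 128
    are the documented defaults, i.e. per client); incl-sport appends the
    source port so each client port gets its own mapping.
    """
    ip = ipaddress.ip_address(client_ip)
    mask = netmask if ip.version == 4 else netmask6
    subnet = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    key = str(subnet.network_address)
    if incl_sport:
        key = f"{key}:{client_port}"
    return key


class PersistTable:
    """Maps persistence keys to the real port selected for them."""

    def __init__(self, timeout_minutes=5, **key_options):
        if not 1 <= timeout_minutes <= 2000:        # documented range
            raise ValueError("timeout must be 1-2000 minutes")
        self.timeout_seconds = timeout_minutes * 60
        self.key_options = key_options
        self.entries = {}   # key -> [real_port, time of last client traffic]

    def select(self, client_ip, client_port, choose_real_port, now):
        """Return the real port for this client: reuse a live mapping, or run
        the load-balancing method (choose_real_port) when none is live. The
        timer restarts on every packet from the client, as the table says."""
        key = persistence_key(client_ip, client_port, **self.key_options)
        entry = self.entries.get(key)
        if entry is not None and now - entry[1] <= self.timeout_seconds:
            entry[1] = now
            return entry[0]
        real_port = choose_real_port()
        self.entries[key] = [real_port, now]
        return real_port


def sequential_chooser(prefix="pick"):
    """Stand-in for the load-balancing method: returns pick1, pick2, ..."""
    counter = itertools.count(1)
    return lambda: f"{prefix}{next(counter)}"


def member_lists_identical(service_groups):
    """Check the requirement for sharing one source-IP persistence template
    between a TCP and a UDP virtual port with the same VIP and port number:
    every service group must carry the same (server, port) members."""
    member_sets = [frozenset(members) for members in service_groups.values()]
    return all(s == member_sets[0] for s in member_sets)


def forward_source_display(ipv4, sport):
    """ASSUMPTION: reproduces how show session renders Forward Source when
    incl-sport is set, inferred from the page's one example in which
    155.1.1.151:33067 is shown as 1.151.129.43: the last two octets of the
    address followed by the two bytes of the port."""
    octets = ipv4.split(".")
    return ".".join(octets[2:] + [str(sport >> 8), str(sport & 0xFF)])


# Constructed service-group member lists, taken from the Usage text above.
GROUPS_OK = {"5060-tcp": [("s1", 5060), ("s2", 5060)],
             "5060-udp": [("s1", 5060), ("s2", 5060)]}
GROUPS_BAD = {"5060-tcp": [("s1", 5061), ("s2", 5061)],
              "5060-udp": [("s1", 5060), ("s2", 5060)]}

if __name__ == "__main__":
    table = PersistTable(timeout_minutes=5, netmask="255.255.255.0")
    choose = sequential_chooser()
    print(table.select("10.10.10.1", 1000, choose, now=0))     # pick1
    print(table.select("10.10.10.2", 2000, choose, now=60))    # pick1, same /24
    print(table.select("192.168.1.7", 3000, choose, now=60))   # pick2
    print(member_lists_identical(GROUPS_OK), member_lists_identical(GROUPS_BAD))
    print(forward_source_display("155.1.1.151", 33067))        # 1.151.129.43
```

With netmask 255.255.255.0 two clients in 10.10.10.0/24 share one mapping, so the second client never reaches the load-balancing method while the entry is live; with the default per-client mask each client gets its own entry, and incl-sport splits that further by source port.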


Example The following commands configure a source-IP persistence template named “persist-source” and set the granularity to service-group:
ACOS(config)# slb template persist source-ip persist-source
ACOS(config-source ip persist)# match-type service-group

slb template persist ssl-sid


Description Direct clients based on SSL session ID.
SSL session-ID persistence directs all client requests for a given virtual
port, and that have a given SSL session ID, to the same real server and
real port. For example, with SSL session-ID persistence configured, all
client requests for virtual port 443 on virtual server 1.2.3.4 that have the
same SSL session ID will be directed to the same real server and port.
The persistence is based on the SSL session ID, not on the client IP
address.

Syntax [no] slb template persist ssl-sid template-name

Replace template-name with the name of the template, 1-127 characters.
This command enters the SLB Persist SSL-SID Template Configuration mode where the following commands are available.

NOTE: When multiple ssl-sid persist sessions created by the same tuple (same source IP address and same source port) exist, and the age of a data session with that same source IP address and source port is updated, the age of those ssl-sid persist sessions is also refreshed.

Command                      Description

[no] dont-honor-conn-rules   Ignores connection limit settings configured on real servers and
                             real ports. This option is useful for applications in which
                             multiple sessions (connections) are likely to be used for the
                             same persistent SSL session ID.

                             Disabled by default; the connection limit set on real servers
                             and real ports is used.

[no] timeout minutes         Specifies how many minutes the mapping remains persistent after
                             the last time traffic with the SSL session ID is sent to the
                             server. You can specify 1-250 minutes. The default is 5 minutes.

Mode Configuration mode

Default The configuration does not have a default SSL session-ID persistence
template. If you configure one, it has the defaults described in the table
above.

Usage The normal form of this command creates an SSL session-ID persistence
template. The “no” form of this command removes the template.
You can bind one SSL session-ID persistence template to a virtual port.
However, you can bind the same SSL session-ID persistence template to
multiple ports.
To display SSL session-ID persistence statistics, use the show slb l4
command.

Example The following commands configure an SSL session-ID persistence template named “ssl-persist” and apply it to virtual port 443 on virtual server “vip1”:
ACOS(config)# slb template persist ssl-sid ssl-persist
ACOS(config-ssl session id persist)# exit
ACOS(config)# slb virtual-server vip1 1.2.3.4
ACOS(config-slb vserver)# port 443 tcp
ACOS(config-slb vserver-vport)# service-group https-sg1
ACOS(config-slb vserver-vport)# template persist ssl-sid ssl-persist

slb template policy

Description See Config Commands: SLB Policy Templates.

slb template port

Description See Config Commands: SLB Real Port Templates.

slb template reqmod-icap

Description See Config Commands: SLB REQMOD ICAP Templates.

slb template respmod-icap

Description See Config Commands: SLB RESPMOD ICAP Templates.

slb template server

Description See Config Commands: SLB Server Templates.

slb template server-ssl

Description See Config Commands: SLB Server SSL.

slb template sip (over UDP)

Description See Config Commands: SLB SIP Templates.

slb template sip (over TCP/TLS)

Description See Config Commands: SLB SIP Templates.

slb template smpp

Description See Config Commands: SLB SMPP Templates.

slb template smtp

Description See Config Commands: SLB SMTP Templates.

slb template ssli

Description See Config Commands: SLB SSLi Templates.

slb template tcp

Description See Config Commands: SLB TCP Templates.

slb template tcp-proxy

Description See Config Commands: SLB TCP Proxy Templates.

slb template udp

Description See Config Commands: SLB UDP Templates.

slb template virtual-port

Description See Config Commands: SLB Virtual Port Templates.

slb template virtual-server

Description See Config Commands: SLB Virtual Server Templates.

Chapter 4: Config Commands: SLB Cache Templates
This section lists the commands and sub-commands to configure SLB cache templates.

The following topics are covered:

Global Configuration Commands 200

SLB Cache Template Configuration Commands 202

Global Configuration Commands


The following topics are covered:

slb template cache 200

slb template cache


Description Configure the ACOS device to perform transparent Web caching.

Syntax [no] slb template cache template-name

Replace template-name with the name of the template, up to 31 characters long.
This command enters the SLB Cache Template Configuration mode where the commands in SLB Cache Template Configuration Commands are available.

Default See descriptions.

Mode Configuration mode

Usage The normal form of this command creates a RAM caching configuration template. The no form of this command removes the template.
You can bind only one RAM caching template to a virtual port. However, you can bind the same RAM caching template to multiple ports.
If a URI matches the pattern in more than one policy command, the policy command with the most specific match is used. For example, if a template has the following commands, content for page122 is cached whereas content for page123 is not cached:
policy uri /page12 cache 300
policy uri /page123 nocache

Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For example, if the string pattern contains “*”, it is interpreted literally, as the “*” character.
Matching is performed based on containment; all URIs containing the pattern string match the rule. For example, the following policy matches all URIs that contain the string “.jpg” and sets the cache timeout for the matching objects to 7200 seconds:
policy uri .jpg cache 7200


Example The following commands configure a RAM caching template. In this example, all the default RAM cache settings are used.
ACOS(config)# slb template cache ramcache
ACOS(config-ram caching)#

Example The following commands configure some dynamic caching policies. The policy that matches on “/list” caches content for 5 minutes. The policy that matches on “/private” does not cache content.
ACOS(config)# slb template cache ram-cache
ACOS(config-ram caching)# policy uri /list cache 300
ACOS(config-ram caching)# policy uri /private nocache

Example The following commands configure a RAM caching template that will only cache content from www.xyz.com/news-clips.
ACOS(config)# slb template cache ramcache
ACOS(config-ram caching)# default-policy-nocache
ACOS(config-ram caching)# policy uri www.xyz.com/news-clips cache


SLB Cache Template Configuration Commands


To access these commands at the SLB cache template level, enter the slb template cache
command.

The following topics are covered:

accept-reload-req 202

age 203

default-policy-nocache 203

disable-insert-age 204

disable-insert-via 204

max-cache-size 204

max-content-size 205

min-content-size 205

policy 206

remove-cookies 206

replacement-policy LFU 207

template logging 207

verify-host 208

accept-reload-req
Description Enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the
ACOS device to reload the cached object from the origin server.

Syntax [no] accept-reload-req

Default Disabled.

Mode SLB cache template configuration mode

Example Enable this feature:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# accept-reload-req

age
Description Specifies how long a cached object can remain in the ACOS RAM cache
without being requested.

NOTE: This value is used if the web server specifies that the object is cacheable but does not specify for how long. If the server does specify how long the object is cacheable, then the server value is used instead.

Syntax [no] age seconds

Parameter Description

seconds Number of seconds (1-999999, about 11.5 days).

Default 3600 seconds (1 hour), if the server specifies that the object is cacheable
but does not specify for how long.

Mode SLB cache template configuration mode

Example Set the age to 7200 seconds (2 hours):
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# age 7200

default-policy-nocache
Description Changes the default cache policy in the template from cache to
nocache. This option gives you tighter control over content caching.
When you use the default no-cache policy, the only content that is
cached is cacheable content whose URI matches an explicit cache
policy.

Syntax [no] default-policy-nocache

Default Default policy is cache.

Mode SLB cache template configuration mode

Example Set the default policy to nocache:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# default-policy-nocache

disable-insert-age
Description Disables insertion of Age headers into cached responses.

Syntax [no] disable-insert-age

Default Insertion of Age headers is enabled by default.

Mode SLB cache template configuration mode

Example Disable the insertion of Age headers into cached responses:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# disable-insert-age

disable-insert-via
Description Disables insertion of Via headers into cached responses.

Syntax [no] disable-insert-via

Default Insertion of Via headers is enabled by default.

Mode SLB cache template configuration mode

Example Disable the insertion of Via headers into cached responses:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# disable-insert-via

max-cache-size
Description Specifies the size (in MB) of the RAM cache.

Syntax [no] max-cache-size num

Parameter Description

num Maximum size (in MB) of the RAM cache (1-4096).

Default 80MB.

Mode SLB cache template configuration mode

Example Set the maximum RAM cache size to 256MB:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# max-cache-size 256

max-content-size
Description Specifies the maximum object size that can be cached. The ACOS device
will not cache objects larger than this size. If you specify 0, no objects can
be cached.

Syntax [no] max-content-size num

Parameter Description

num Maximum object size in bytes, 0-268435455 bytes (256MB).

Default 81920 bytes (80 KB).

Mode SLB cache template configuration mode

Example Set the maximum object size to 256MB:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# max-content-size 268435455

min-content-size
Description Specifies the minimum object size that can be cached. The ACOS device
will not cache objects smaller than this size. If you specify 0, all objects
smaller than or equal to the maximum content size can be cached.

Syntax [no] min-content-size num

Parameter Description

num Minimum object size in bytes, 0-268435455 bytes (256MB).

Default 512 bytes.

Mode SLB cache template configuration mode

Example Set the minimum object size to 1024 bytes:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# min-content-size 1024

policy
Description Configure a policy for dynamic caching.

Syntax [no] policy {
          local-uri pattern |
          uri pattern {cache seconds | invalidate inv-pattern | nocache}
       }

Parameter     Description

local-uri     Specifies the portion of a local URL string to match on (1-63 characters).

uri           Specifies the portion of the URL string to match on (1-63 characters).

cache         Caches the content.

              By default, the content is cached for the number of seconds configured in
              the template (set by the age command). To override the aging period set in
              the template, specify the number of seconds with the cache command.

invalidate    Invalidates the content that has been cached for inv-pattern.

nocache       Does not cache the content.

Mode SLB cache template configuration mode

Example The following commands configure some dynamic caching policies. The
policy that matches on “/list” caches content for 5 minutes. The policy
that matches on “/private” does not cache content.
ACOS(config)# slb template cache ram-cache
ACOS(config-ram caching)# policy uri /list cache 300
ACOS(config-ram caching)# policy uri /private nocache
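Policy resolution for a cache template (containment matching, most-specific match, literal wildcards and default-policy-nocache, as described in the Usage text of slb template cache and in the policy command above) together with the cacheability limits set by age, max-content-size, min-content-size, remove-cookies and accept-reload-req, as an added Python example. This is illustrative code written for this page, not A10's implementation; treating “most specific” as the longest matching pattern, and the order in which the checks run, are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not A10 code. ASSUMPTIONS: "most specific match" is taken to
# be the longest matching pattern, and the order of the cacheability checks
# in cache_decision() is a choice made for this example.


@dataclass
class Policy:
    pattern: str                    # matched by containment; ? and * are literal
    action: str                     # "cache" or "nocache"
    seconds: Optional[int] = None   # TTL override for cache; None = template age


@dataclass
class CacheTemplate:
    age: int = 3600                      # documented default (1 hour)
    default_policy_nocache: bool = False
    max_content_size: int = 81920        # documented default (80 KB)
    min_content_size: int = 512          # documented default
    remove_cookies: bool = False
    accept_reload_req: bool = False
    policies: List[Policy] = field(default_factory=list)

    def policy_uri(self, pattern, action, seconds=None):
        """Equivalent of: policy uri <pattern> {cache [seconds] | nocache}"""
        if not 1 <= len(pattern) <= 63:
            raise ValueError("uri pattern must be 1-63 characters")
        self.policies.append(Policy(pattern, action, seconds))


def resolve_policy(tmpl: CacheTemplate, uri: str) -> Tuple[str, Optional[int]]:
    """Return ("cache", ttl_seconds) or ("nocache", None) for one URI."""
    matches = [p for p in tmpl.policies if p.pattern in uri]   # literal containment
    if not matches:
        if tmpl.default_policy_nocache:
            return ("nocache", None)
        return ("cache", tmpl.age)
    best = max(matches, key=lambda p: len(p.pattern))   # ASSUMPTION: longest wins
    if best.action == "nocache":
        return ("nocache", None)
    return ("cache", best.seconds if best.seconds is not None else tmpl.age)


def cache_decision(tmpl, uri, body_size, has_set_cookie=False,
                   is_image=False, request_cache_control=""):
    """Decide what the RAM cache does with one server reply.

    Returns (verdict, ttl): verdict is "reload" (accept-reload-req honoured),
    "cache" or "nocache"; ttl is the object's cache time when cached."""
    directives = {d.strip().lower() for d in request_cache_control.split(",")}
    if tmpl.accept_reload_req and directives & {"no-cache", "max-age=0"}:
        return ("reload", None)             # fetch the object again from origin
    action, ttl = resolve_policy(tmpl, uri)
    if action == "nocache":
        return ("nocache", None)
    if tmpl.max_content_size == 0 or body_size > tmpl.max_content_size:
        return ("nocache", None)            # over max-content-size (0 = cache nothing)
    if body_size < tmpl.min_content_size:
        return ("nocache", None)            # under min-content-size (0 = no minimum)
    if has_set_cookie and not is_image and not tmpl.remove_cookies:
        return ("nocache", None)            # replies carrying cookies are not cached
    return ("cache", ttl)


def page_example_template() -> CacheTemplate:
    """Constructed from the policy lines quoted in the Usage text above."""
    t = CacheTemplate()
    t.policy_uri("/page12", "cache", 300)
    t.policy_uri("/page123", "nocache")
    t.policy_uri(".jpg", "cache", 7200)
    return t
```

Running resolve_policy() over /page122 and /page123 reproduces the page's example (cached for 300 seconds versus not cached), and a pattern such as “*.jpg” only ever matches a URI that literally contains the asterisk.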

remove-cookies
Description Removes cookies from server replies so the replies can be cached. RAM caching does not cache server replies that contain cookies. (Image files are an exception. RAM caching can cache images that have cookies.)

Syntax [no] remove-cookies

Default By default, cookies are not removed.

Mode SLB cache template configuration mode

Example Enable this feature:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# remove-cookies

replacement-policy LFU
Description Specifies Least Frequently Used (LFU) policy is used to make room for
new objects when RAM cache is full. When RAM cache is more than 90%
full, ACOS device discards least-frequently used objects to ensure room
for new objects.

Syntax [no] replacement-policy LFU

Default Not enabled.

Mode SLB cache template configuration mode

Example Enable this feature:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# replacement-policy LFU

template logging
Description Specifies a logging template to use for external logging of RAM caching
events over TCP.

Syntax [no] template logging {v-log | name}

Parameter Description

v-log  

name Name of an existing logging template.

Default 512 bytes.


Mode SLB cache template configuration mode

Example Specify a logging template “extlog1” that should be used for logging RAM caching events:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# template logging extlog1

verify-host
Description Enables the ACOS device to cache the host name in addition to the URI
for cached content. Use this command if a real server that contains
cacheable content hosts multiple host names (example: www.abc.com
and www.xyz.com).

Syntax [no] verify-host

Default By default, this is disabled. Host names are not cached along with URIs
for cached content.

Mode SLB cache template configuration mode

Example Enable this feature:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# verify-host

Chapter 5: Config Commands: SLB Client SSL Templates
This section lists the commands and sub-commands to configure SLB client SSL templates.

The following topics are covered:

Global Configuration Commands 210

SLB Client SSL Template Configuration Commands 213

Global Configuration Commands


The following topics are covered:

slb template client-ssl 210

slb template client-ssl


Description Names an SSL client template and enters the configuration mode where you can enable SSL client services, such as validation of SSL clients.

Syntax [no] slb template client-ssl template-name

Replace template-name with the name of the template, up to 31 characters long.
This command enters SLB Client-SSL Template Configuration mode where commands in SLB Client SSL Template Configuration Commands are available.

Default If none of the SSL Client template sub-commands in the preceding table are configured, the default action of the SSL Client template is the combined default actions of the individual SSL Client sub-commands.

Mode Configuration mode

Usage The normal form of this command creates a client-SSL configuration template. The no form of this command removes the template.
For the forward-proxy-bypass option, match rules are always applied in the following order:
• equals sni-string
• starts-with sni-string
• contains sni-string
• ends-with sni-string

A client-SSL template can contain up to 128 certificates or certificate chains. They must be imported onto the ACOS device. To import a certificate or certificate chain, see the import command or slb common.
You can bind only one client-SSL template to a virtual port. However, you can bind the same client-SSL template to multiple ports.


The close-notify option cannot be used along with the TCP-proxy template force-delete-timeout option. Doing so may cause unexpected behavior.

Example The following commands configure a client-SSL template named “client-ssl1” that uses imported CA certificates and requires clients to present their certificates when requesting connections to servers:
ACOS(config)# slb template client-ssl client-ssl1
ACOS(config-client ssl)# ca-cert ca-bundle.crt
ACOS(config-client ssl)# client-certificate require

Example These commands configure a client SSL template to use an imported CA certificate and key, and an imported Certificate Revocation List (CRL) from the CA:
ACOS(config)# slb template client-ssl client-ssl1
ACOS(config-client ssl)# ca-cert ca-cert.pem
ACOS(config-client ssl)# ca-cert ca-crl.pem
ACOS(config-client ssl)# client-certificate require

Example The following example shows how the certificate drop action is enabled in the SSL Client template named ClientSide_vRouter. Specifically, the drop action occurs when OCSP reports the certificate is not currently valid.
ACOS-Inside(config)# slb template client-ssl ClientSide_vRouter
ACOS-Inside(config-client ssl)# forward-proxy-verify-cert-drop

Example This example demonstrates the forward-proxy-inspect command. In this example of an AC class-list, all URLs ending with private.abc.com are bypassed, while all URLs ending with public.abc.com will go through SSLi processing.
ACOS# show config class-list
!Section configuration: 77 bytes
!
class-list my_class_list ac
   ends-with abc.com
   user-tag Security
!
ACOS# config
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# slb template client-ssl SSLi_vip_001_client_ssl
ACOS(config-client ssl)# forward-proxy-inspect class-list my_class_list
ACOS(config-client ssl)# forward-proxy-bypass contains private.abc.com
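The fixed evaluation order for forward-proxy-bypass match rules (equals, starts-with, contains, ends-with) given in the Usage text above, applied to a client's SNI together with an inspect class-list like the one in the last example, as an added Python example. This is illustrative code written for this page, not A10 code; what the device does with an SNI that matches neither the bypass rules nor the inspect class-list is not stated on this page, so the function reports that case as no-match rather than assuming a default.

```python
# Added example, not A10 code: evaluates an SNI against forward-proxy-bypass
# rules in the documented fixed order, then against an inspect class-list.

BYPASS_ORDER = ("equals", "starts-with", "contains", "ends-with")

MATCHERS = {
    "equals": lambda sni, s: sni == s,
    "starts-with": lambda sni, s: sni.startswith(s),
    "contains": lambda sni, s: s in sni,
    "ends-with": lambda sni, s: sni.endswith(s),
}


def first_bypass_match(sni, bypass_rules, case_insensitive=False):
    """bypass_rules: list of (match_type, sni_string) in the order configured.

    Returns the first (match_type, sni_string) that matches, evaluated in the
    documented order equals, starts-with, contains, ends-with regardless of
    the order in which the rules were entered, or None if nothing matches.
    case_insensitive models the forward-proxy-bypass case-insensitive option."""
    if case_insensitive:
        sni = sni.lower()
    for match_type in BYPASS_ORDER:
        for rule_type, value in bypass_rules:
            if rule_type != match_type:
                continue
            if case_insensitive:
                value = value.lower()
            if MATCHERS[match_type](sni, value):
                return (match_type, value)
    return None


def class_list_matches(sni, class_list_entries):
    """AC class-list entries are (match_type, string) pairs; any hit matches."""
    return any(MATCHERS[t](sni, v) for t, v in class_list_entries)


def ssli_decision(sni, bypass_rules, inspect_class_list, case_insensitive=False):
    """Return "bypass", "inspect" or "no-match" for one TLS ClientHello SNI."""
    if first_bypass_match(sni, bypass_rules, case_insensitive) is not None:
        return "bypass"
    if class_list_matches(sni, inspect_class_list):
        return "inspect"
    return "no-match"   # behaviour for this case is not documented on this page


# Constructed from the last example above: class-list my_class_list ac with
# "ends-with abc.com", and "forward-proxy-bypass contains private.abc.com".
MY_CLASS_LIST = [("ends-with", "abc.com")]
BYPASS_RULES = [("contains", "private.abc.com")]

if __name__ == "__main__":
    for host in ("mail.private.abc.com", "www.public.abc.com", "example.org"):
        print(host, ssli_decision(host, BYPASS_RULES, MY_CLASS_LIST))
```

Because the bypass evaluation order is fixed, a later-entered equals rule still wins over an earlier contains rule; when auditing a template, read its bypass rules in that order rather than in configuration order.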


SLB Client SSL Template Configuration Commands

To access these commands at the SLB client SSL template level, enter the slb template client-ssl command.

The following topics are covered:

auth-username 216

auth-username-attribute 217

authorization 217

certificate 218

cipher 219

client-certificate 220

client-certificate-Request-CA 221

close-notify 222

crl 222

dh-param 223

direct-client-server-auth 223

disable-sslv3 224

early-data 224

ec-name 225

enable-ssli-ftp-alg 226

enable-tls-alert-logging fatal 226

forward-proxy-alt-sign cert 226

forward-proxy-block-message 227

forward-proxy-bypass ad-group-list 228

forward-proxy-bypass case-insensitive 228

forward-proxy-bypass certificate-issuer 229

forward-proxy-bypass certificate-san 230

forward-proxy-bypass certificate-subject 232


forward-proxy-bypass class-list 234

forward-proxy-bypass client-auth 235

forward-proxy-bypass contains 237

forward-proxy-bypass ends-with 237

forward-proxy-bypass equals 238

forward-proxy-bypass exception-ad-group-list 239

forward-proxy-bypass exception-class-list 239

forward-proxy-bypass exception-user-name-list 240

forward-proxy-bypass exception-web-category 240

forward-proxy-bypass exception-web-reputation 241

forward-proxy-bypass require-web-category 242

forward-proxy-bypass starts-with 243

forward-proxy-bypass web-category 244

forward-proxy-bypass web-reputation 244

forward-proxy-ca-certificate 245

forward-proxy-cache-persistence 246

forward-proxy-cert-cache 247

forward-proxy-cert-expiry 248

forward-proxy-cert-ext 249

forward-proxy-cert-not-ready-action 249

forward-proxy-cert-revoke-action 250

forward-proxy-cert-unknown-action 251

forward-proxy-cert-validity 252

forward-proxy-crl-disable 252

forward-proxy-decrypted 253

forward-proxy-esni-action 253

forward-proxy-failsafe-disable 254

forward-proxy-inspect 254

forward-proxy-inspect certificate-issuer 256


forward-proxy-inspect certificate-san 257

forward-proxy-inspect certificate-subject 257

forward-proxy-log-disable 258

forward-proxy-no-shared-cipher-action 258

forward-proxy-no-sni-action 259

forward-proxy-ocsp-disable 259

forward-proxy-require-sni-cert-matched 259

forward-proxy-selfsign-redir 260

forward-proxy-source-nat 261

forward-proxy-ssl-version 261

forward-proxy-trusted-ca 262

forward-proxy-verify-cert-fail-action 263

handshake-logging-enable 263

hsm-param 264

local-logging 264

non-ssl-bypass 264

ocsp-stapling 265

renegotiation-disable 266

server-name 266

server-name-auto-map 267

server-name-regex 268

server-name-bypass 269

session-cache-size 270

session-cache-timeout 271

session-ticket-lifetime 271

session-ticket-disable 272

ssl-false-start-disable 272

ssli-logging 273

sslv2-bypass 273


template 274

version 274

auth-username
Description Specifies the field to check in SSL certificates from clients in order to find
the client name.

Syntax [no] auth-username {
          [common-name]
          [subject-alt-name-email]
          [subject-alt-name-othername]
       }

Parameter                     Description

common-name                   Configuring this option causes the ACOS device to extract the
                              client’s common name from the certificate.

subject-alt-name-email        Configuring this option causes the ACOS device to extract the
                              Email address from the client’s certificate. For example, if
                              the client name is “user@example.com” then the entire string
                              “user@example.com” would be extracted with this option.

subject-alt-name-othername    Configuring this option causes the ACOS device to extract the
                              UPN information from the certificate. For example, if the
                              client name is “user@example.com” then the string “user” would
                              be extracted with this option.

Default The default is common-name.

Mode SLB client SSL template configuration mode

Usage Multiple options can be specified, but you must specify at least one.


If multiple options are specified, the ACOS device will attempt to extract the username from the options in the order they are specified. For example:
auth-username subject-alt-name-email subject-alt-name-othername

This command causes the ACOS device to first attempt to extract the username from subject-alt-name-email, and only if not found, will it then attempt to extract the username from subject-alt-name-othername.

Example Configure the ACOS device to extract the Email address from the client certificate:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# auth-username subject-alt-name-email

auth-username-attribute
Description Specifies the attribute name of the username for client SSL.

Syntax [no] auth-username-attribute string

Parameter Description

string Attribute name (1-31 characters).

Default None.

Mode SLB client SSL template configuration mode

Example Configure “username” as the username attribute name:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# auth-username-attribute username

authorization
Description Specifies an LDAP server to use for client SSL authorization.

Syntax [no] authorization {server-name | service-group service-group-name}
          [ldap-base-dn-from-cert]
          [ldap-search-filter filter-string]


Parameter Description

server-name Specifies the name of a previously


configured ACOS LDAP authorization
server.

service-group service- Specifies the name of a previously


group-name configured ACOS LDAP service group.

ldap-base-dn-from-cert Specifies that LDAP authorization pro-


cess uses the Subject DN as the LDAP
search base DN.

ldap-search-filter fil- Provides the LDAP filter used in the


ter-string authorization process. The syntax
rules for this filter string are provided
in RFC 4515.

Mode SLB client SSL template configuration mode

Example Configure an LDAP server for client SSL authorization:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# authorization ldap1 ldap-base-dn-from-cert

certificate
Description Specifies the name of the certificate to use for terminating or initiating an
SSL connection. The certificate must be installed on the ACOS device.
A second certificate can be assigned to a template by using the alternate
option. Two certificates assigned to a template must be of different types
(RSA, ECDSA). A major (first) certificate must be assigned before an
alternate (second) certificate is accepted by the template.

NOTE: The certificate command replaces the old cert/cert-alternate/key/
key-alternate/chain-cert commands. The new certificate configuration
cannot co-exist with these commands.

Syntax [no] certificate <cert-name> key <key-name> [pass-phrase
<pass-phrase-str>] [chain-cert <chain-cert-name>] [partition shared]

Parameter Description

cert-name Specifies the certificate name (1-245 characters).

key-name Specifies the name of the private key that belongs to the
certificate (1-245 characters).

pass-phrase-str Specifies the pass phrase that protects the private key
(1-128 characters).

chain-cert-name Specifies the chain certificate (intermediate CA
certificates) to send along with the certificate (1-245 characters).

partition shared Binds a shared partition's certificate in a private
partition's client-SSL template.

Mode SLB client SSL template configuration mode

Example Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# certificate Cert123.pem key key123 pass-phrase Pass123

cipher
Description Specifies a cipher suite to support for SSL/TLS connections from
clients.

Syntax [no] cipher cipher-name

Parameter Description

cipher-name Name of the cipher suite (1-255 characters).
By default, all supported ciphers are enabled. The supported ciphers
are listed at axseries.
You can remove (or re-add) one cipher in the template with a single
command. Enter separate commands for each cipher to remove or re-add.

Mode SLB client SSL template configuration mode

Example Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# cipher SSL3_RSA_DES_64_CBC_SHA

The suite in this example (single DES with a 56-bit key, RSA key
exchange without forward secrecy) only illustrates the command syntax.
Do not enable DES, RC4, export, NULL or anonymous suites in production
templates; prefer AEAD suites with ECDHE key exchange.

client-certificate
Description Specifies the action that the ACOS device takes in response to a client's
connection request.

Syntax [no] client-certificate {Ignore | Require | Request}

Parameter Description

Ignore The ACOS device does not request the client to send its
certificate.

Require The ACOS device requires the client certificate. This action
requests the client to send its certificate. However, the SSL handshake
does not proceed (it fails) if the client sends a NULL certificate or the
certificate is invalid.

Request The ACOS device requests the client to send its certificate.
With this action, the SSL handshake proceeds even if either of the
following occurs:
• The client sends a NULL certificate (one with zero length).
• The certificate is invalid, causing client verification to fail.
Use this option if you want the request to trigger an aFleX policy for
further processing. Because the handshake succeeds without a valid
certificate, Request by itself does not authenticate the client; the
aFleX policy or the backend server must enforce the decision.

Default Ignore.

Mode SLB client SSL template configuration mode

Example Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# client-certificate Require

client-certificate-Request-CA
Description Specifies the name of a CA certificate used in requests for client
authentication. The CA names carried in the certificate request tell the
client which issuers the ACOS device accepts.

Syntax [no] client-certificate-Request-CA cert-name [partition shared]

Parameter Description

cert-name Name of the CA certificate to include in the certificate
request (1-255 characters).

partition shared Binds a shared partition's CA certificate in a private
partition's client-SSL template.

Default No default.

Mode SLB client SSL template configuration mode

Usage Multiple CA certificates can be configured as described in the following
example.

Example The following commands configure the ACOS device to request the client
certificate and to send a list of more than 10 CAs in the certificate
request. This is achieved by configuring nine individual CA certificates
plus a chain cert (named LargeExample.chain below) that contains
multiple CA certificates:
ACOS(config)#slb template client-ssl client-ssl-example-name
ACOS(config-client ssl)#client-certificate-Request-CA ca1.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca2.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca3.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca4.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca5.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca6.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca7.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca8.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca9.crt
ACOS(config-client ssl)#client-certificate-Request-CA LargeExample.chain

The following commands bind a shared partition's CA certificate:
ACOS[partition1](config)#slb template client-ssl client-ssl-example-shared
ACOS[partition1](config-client ssl)#client-certificate-Request-CA ca1.crt partition shared

close-notify
Description Enables closure alerts for SSL sessions. When this option is enabled, the
ACOS device sends a close_notify message when an SSL transaction
ends, before sending a FIN. This behavior is required by certain types of
client applications, including PHP cgi. For this type of client, if the ACOS
device does not send a close_notify, an error or warning appears on the
client.

Syntax [no] close-notify

Default Not enabled.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# close-notify

crl
Description Specifies the names of the Certificate Revocation Lists (CRLs) to use for
verifying whether client certificates have been revoked. The CRLs must
be installed on the ACOS device first (use the import command; see its
description for details). The CA certificate relevant to the CRL must also
be specified. When you add a CRL to a client-SSL template, the ACOS
device checks the CRL to confirm whether or not the clients' certificates
have been revoked by the issuing Certificate Authority (CA).

Syntax [no] crl file-name [partition shared]

Parameter Description

file-name CRL file name (1-255 characters).

partition shared Binds a shared partition's CRL in a private partition's
client-SSL template.

Mode SLB client SSL template configuration mode

Example This example shows how to add CRL and CA certificates to a client-SSL
template.
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# client-certificate Require
ACOS(config-client ssl)# crl 10_ca.crt_crl.pem
ACOS(config-client ssl)# crl 20_ca.crt_crl.pem
ACOS(config-client ssl)# crl root-ca.pem.crl.pem
ACOS(config-client ssl)# ca-cert 10_ca_crt
ACOS(config-client ssl)# ca-cert 20_ca.crt
ACOS(config-client ssl)# ca-cert root-ca.pem

NOTE: If you plan to use a CRL, you must set the client-certificate mode
to Require. The CRL should be signed by the same issuer as the CA
certificate. Otherwise, the client and ACOS device will not be able to
establish a connection. An imported CRL is a static file: certificates
revoked after the import are not detected until the CA's next CRL is
imported, so refresh it on the CA's publication schedule.

dh-param
Description Specify the Diffie-Hellman parameters (group size) used for DHE key
exchange. A 1024-bit group is below current minimums (NIST SP 800-57
recommends at least 2048 bits for finite-field Diffie-Hellman); use 2048,
or rely on ECDHE (see ec-name) instead.

Syntax [no] dh-param {1024 | 1024-dsa | 2048}

Default Not enabled.

Mode SLB client SSL template configuration mode

Example Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# dh-param 2048

direct-client-server-auth
Description Allow the backend server to perform SSL client authentication directly.


Syntax [no] direct-client-server-auth

Default Not enabled.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# direct-client-server-auth

disable-sslv3
Description Disables support for SSLv3 in client-SSL templates. SSLv3 is broken
(POODLE) and deprecated by RFC 7568; disable it in every client-SSL
template unless a legacy client that cannot be upgraded still requires it.

NOTE: If you disable SSLv3 support, when ACOS receives an SSLv3 Client
Hello from a client, ACOS responds by sending a TCP FIN to the client to
end the session.

Syntax [no] disable-sslv3

Default SSLv3 support is enabled by default.

Mode SLB client SSL template configuration mode

Example Example configuration:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# disable-sslv3
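The cipher, dh-param and disable-sslv3 commands above each carry a weak setting that is legal to configure (DES suites, 1024-bit DH, SSLv3 left on by default). The following added example, written for this page and not A10 code, parses running-config style client-SSL template stanzas of the form shown in this chapter and reports those settings. The stanza text is constructed for the example, and the list of weak-suite markers and the "1024 bits is too small" threshold are this example's own audit policy, not an ACOS default.

```python
"""Audit ACOS client-SSL template stanzas for weak TLS settings.

Added example, not A10 code. It reads running-config style text
(`slb template client-ssl <name>` followed by indented body lines
such as `cipher ...`, `dh-param ...`, `disable-sslv3`) and flags
settings a reviewer would reject. The markers and thresholds below
are this example's policy, not ACOS defaults.
"""
import re

# Substrings of ACOS/OpenSSL-style suite names that indicate a weak primitive
# (single DES, 40-bit export keys, RC4/RC2, MD5 MACs, NULL or anonymous suites).
WEAK_SUITE_MARKERS = ("NULL", "EXPORT", "EXP_", "DES_64", "DES_40", "RC4",
                      "RC2", "MD5", "ANON", "ADH", "AECDH")


def parse_client_ssl_templates(config_text):
    """Return {template_name: [stripped body lines]} for every client-ssl stanza."""
    templates = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"^slb template client-ssl (\S+)", line)
        if m:
            current = m.group(1)
            templates[current] = []
            continue
        if current is not None and line.startswith((" ", "\t")):
            templates[current].append(line.strip())
        else:
            current = None  # any other top-level line ('!' or a new object) ends the stanza
    return templates


def audit_template(settings):
    """Return a list of human-readable findings for one template body."""
    findings = []
    for s in settings:
        if s.startswith("cipher "):
            suite = s.split(None, 1)[1]
            if any(marker in suite.upper() for marker in WEAK_SUITE_MARKERS):
                findings.append(f"weak cipher suite enabled: {suite}")
        elif s.startswith("dh-param "):
            # '1024' and '1024-dsa' are both below the 2048-bit floor used here
            if s.split()[1].startswith("1024"):
                findings.append(f"DH group too small: {s}")
    if "disable-sslv3" not in settings:
        findings.append("SSLv3 still enabled (disable-sslv3 not set)")
    return findings


def audit_config(config_text):
    """Map every client-SSL template in the config to its findings."""
    return {name: audit_template(body)
            for name, body in parse_client_ssl_templates(config_text).items()}


# Constructed sample: one template with the weak settings from this chapter's
# examples, one hardened template.
SAMPLE_CONFIG = """\
slb template client-ssl weak-legacy
  cipher SSL3_RSA_DES_64_CBC_SHA
  dh-param 1024
  certificate Cert123.pem key key123
!
slb template client-ssl hardened
  disable-sslv3
  dh-param 2048
  ec-name secp384r1
  certificate Cert123.pem key key123
!
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or ["ok"])
```

Feed it the output of show running-config from the device; templates with an empty findings list pass the three checks, everything else is listed with the offending line.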

early-data
Description Enables early data (0-RTT) for TLS version 1.3.
Additionally, you must configure session-cache-size to do PSK
resumption.

NOTE: - Supported on the new N5 module, the QAT module, and software TLS 1.3.
- The maximum early-data size is set to 16384 bytes once enabled and is
not editable.

Syntax [no] early-data [no-anti-replay]

Parameter Description

no-anti-replay Enables 0-RTT with anti-replay protection turned off.
Early data is not forward secret, and an on-path attacker can re-send a
captured 0-RTT record so that the server processes the same request
twice (RFC 8446, Section 8). Use this option only when every request
that can arrive as early data is idempotent.
Additionally, you must configure either session-cache-size or
session-ticket-enable to do PSK resumption.

Default Not enabled.

Mode SLB client SSL template configuration mode

Usage This allows the TLS client to send encrypted application data in the
same flight as the Client Hello during the handshake for resumed
sessions.

Example The following commands configure a cipher template:
ACOS(config)# slb template cipher cipher_tls_1.3
ACOS(config-cipher)# tls1_3 TLS_AES_256_GCM_SHA384
ACOS(config-cipher)# tls1_3 TLS_CHACHA20_POLY1305_SHA256
ACOS(config-cipher)# tls1_3 TLS_AES_128_GCM_SHA256
ACOS(config-cipher)# end

Example The following commands bind the cipher template, cipher_tls_1.3, to
the client-SSL template, clnt-0rtt-test, and enable early data:
ACOS(config)# slb template client-ssl clnt-0rtt-test
ACOS(config-client ssl)# ec-name secp384r1
ACOS(config-client ssl)# close-notify
ACOS(config-client ssl)# template cipher cipher_tls_1.3
ACOS(config-client ssl)# session-cache-size 50000
ACOS(config-client ssl)# version 34 33
ACOS(config-client ssl)# early-data
ACOS(config-client ssl)# certificate ecdhe-ecdsa.pem key ecdhe-ecdsa.key
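The no-anti-replay option is easiest to reason about with a model of what a 0-RTT server has to remember. The following added example is not A10 code and does not describe how ACOS implements its anti-replay check; it models the server side of TLS 1.3 early data as RFC 8446 Section 8 describes it. A resumed ClientHello carrying early data can be captured and re-sent by an on-path attacker, and the server cannot distinguish the copy from the original unless it records what it has already accepted. The strike-register approach used here (remember a fingerprint of every accepted ClientHello for the ticket lifetime) is one of the two mitigations RFC 8446 lists; single-use tickets are the other. The PSK identity, ClientHello random and request bytes are constructed for the demonstration.

```python
"""Model of why `early-data no-anti-replay` matters (RFC 8446, Section 8).

Added example, not A10 code and not ACOS's implementation. A server
that accepts 0-RTT without remembering what it has seen will process a
replayed early-data record as a second, independent request.
"""
import hashlib
import time


class EarlyDataServer:
    """Server-side 0-RTT acceptance with an optional strike register."""

    def __init__(self, anti_replay=True, ticket_lifetime=7200):
        self.anti_replay = anti_replay
        self.ticket_lifetime = ticket_lifetime
        self._seen = {}  # ClientHello fingerprint -> expiry time

    @staticmethod
    def _fingerprint(psk_identity, client_hello_random, early_data):
        # Length-prefix each field so distinct tuples cannot collide by concatenation.
        h = hashlib.sha256()
        for part in (psk_identity, client_hello_random, early_data):
            h.update(len(part).to_bytes(4, "big"))
            h.update(part)
        return h.digest()

    def handle_0rtt(self, psk_identity, client_hello_random, early_data, now=None):
        """Return 'accepted' if the early data is processed, or
        'rejected-replay' if the server refuses it (a real server would
        then fall back to a full 1-RTT handshake for that connection)."""
        now = time.time() if now is None else now
        # Forget fingerprints whose ticket can no longer be resumed.
        self._seen = {fp: exp for fp, exp in self._seen.items() if exp > now}
        if not self.anti_replay:
            return "accepted"            # no-anti-replay: every copy is processed
        fp = self._fingerprint(psk_identity, client_hello_random, early_data)
        if fp in self._seen:
            # An honest client never reuses ClientHello.random, so a repeat
            # fingerprint within the ticket lifetime can only be a replay.
            return "rejected-replay"
        self._seen[fp] = now + self.ticket_lifetime
        return "accepted"


def replay_demo(anti_replay):
    """Send one 0-RTT request, then replay the identical bytes once.
    Returns the server's verdict for the original and for the replay."""
    server = EarlyDataServer(anti_replay=anti_replay)
    psk = b"ticket-id-0001"            # constructed PSK identity
    rnd = b"\x11" * 32                 # constructed ClientHello.random
    req = b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\n\r\namount=1000"
    first = server.handle_0rtt(psk, rnd, req, now=1000.0)
    replayed = server.handle_0rtt(psk, rnd, req, now=1001.0)
    return first, replayed


if __name__ == "__main__":
    print("anti-replay on :", replay_demo(True))
    print("anti-replay off:", replay_demo(False))
```

With anti-replay on, the replayed POST is refused; with it off, the transfer is executed twice. That is the trade the no-anti-replay keyword makes, and why it is only acceptable in front of applications whose early-data requests are idempotent.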

ec-name
Description Specifies the Elliptic Curve name.

Syntax [no] ec-name {secp256r1 | secp384r1}

Default secp256r1

Mode SLB client SSL template configuration mode


Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ec-name secp384r1

enable-ssli-ftp-alg
Description Enables FTP passive mode over TLS support for the specified port
number. The port number can be between 1 and 65535.

NOTE: This configuration is applicable for implicit FTPS.

Syntax [no] enable-ssli-ftp-alg port-num {<1-65535>}

Default Disabled.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# enable-ssli-ftp-alg 990

enable-tls-alert-logging fatal
Description Enables logging of TLS alerts that include the flow information such as
source IP address.

Syntax [no] enable-tls-alert-logging fatal

Default Disabled by default.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# enable-tls-alert-logging fatal

forward-proxy-alt-sign cert
Description Configures the forward proxy alternate signing certificate, certificate key,
and chain cert. Optionally, sets a pass phrase and binds a shared
partition's certificate.
If the SSL site requested by the client is not on the trusted list (set by the
forward-proxy-trusted-ca command), the inside ACOS device signs the
cert with the key specified by this command.

Syntax [no] forward-proxy-alt-sign cert <cert-name> key <key-name>
[pass-phrase <pass-phrase>] [chain-cert <chain-cert-name>] [partition
shared]

Parameter Description

cert-name Specifies the certificate name (1-245 characters).

key-name Specifies the certificate key name (1-245 characters).

pass-phrase Specifies the pass phrase (1-128 characters).

chain-cert-name Specifies the chain certificate (1-245 characters).

partition shared Binds a shared partition's alternate certificate in a
private partition's client-SSL template.

Mode SLB client SSL template configuration mode

Example Example configuration.
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-alt-sign cert Cert123.pem key key123 pass-phrase Pass123 chain-cert exampleCA partition shared

forward-proxy-block-message
Description Sets a block message that is displayed on a webpage if a user encounters
an invalid SSLi certificate issue.

Syntax [no] forward-proxy-block-message custom_message

Parameter Description

custom_message A custom message (string).

Mode SLB client SSL template configuration mode

Example The following commands configure a block action and a custom block
message for a certificate revocation error:
ACOS(config-client ssl)# forward-proxy-cert-revoke-action block
ACOS(config-client ssl)# forward-proxy-block-message "This website cannot be displayed as there is a certificate issue."

forward-proxy-bypass ad-group-list
Description Bypasses SSLi inspection if the AD group name matches an entry in the
specified AD group list.

Syntax [no] forward-proxy-bypass ad-group-list ad-group-list-name

Parameter Description

ad-group-list-name Name of the AD group list (string).

Default None.

Mode SLB client SSL template configuration mode

Usage Use this command to bypass SSLi inspection by matching an AD group
name against the entries of the named group list. The group list must
already be configured.

Example The following example configures forward-proxy-bypass for all members
of the AD group list USERS. The group list must be preconfigured:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass ad-group-list USERS

forward-proxy-bypass case-insensitive
Description Disables case sensitivity for string matching in SSLi bypass.

Syntax [no] forward-proxy-bypass case-insensitive

Default By default, matching is case sensitive.

Mode SLB client SSL template configuration mode

Usage Use this command to disable case sensitivity for matching strings in SSLi
bypass. By default, matching is case sensitive. For example, the rule
forward-proxy-bypass contains aa searches for matches on SNI strings
that contain "aa" but not on strings that contain "AA". With case
sensitivity disabled, the same rule matches SNI strings that contain any
of the following: "aa", "AA", "aA", or "Aa".
Case sensitivity is disabled on a template-wide basis. The setting
applies to all match rules in the template.

Example The following example configures forward-proxy-bypass as
case-insensitive for all matches in the client-ssl template clientssl:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass case-insensitive

forward-proxy-bypass certificate-issuer
Description Configures SSLi bypass based on a string from the certificate issuer.

Syntax [no] forward-proxy-bypass certificate-issuer { class-list {
class_list_name | multi-class-list multi_class_list_name } |
contains certificate_issuer_name | ends-with certificate_issuer_name |
equals certificate_issuer_name | exception-class-list
exceptionclass-list_name | starts-with certificate_issuer_name }

Parameter Description

certificate_issuer_name Name of the certificate issuer (string).

class-list Bypasses SSLi if the certificate issuer matches the class-list.
When enabled, the multi-class-list option allows you to enter up to 16
file-type class lists for each slb template client-ssl instance. Without
the multi-class-list option, you can enter only one class list name.

contains Bypasses SSLi if the certificate issuer contains the configured
string.

ends-with Bypasses SSLi if the certificate issuer ends with the
configured string.

equals Bypasses SSLi if the certificate issuer equals the configured
string.

exception-class-list Exception class-list to forward-proxy-bypass.

starts-with Bypasses SSLi if the certificate issuer starts with the
configured string.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to enable SSLi bypass based on certificate issuer. To
determine the Certificate Authority that issued a site's certificate, open
the website in a browser and view the certificate information.
The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures a condition for bypassing SSLi if the
certificate issuer contains the string Norton:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass certificate-issuer contains Norton

forward-proxy-bypass certificate-san
Description Configures SSLi bypass based on a string from the certificate Subject
Alternative Name (SAN).

Syntax [no] forward-proxy-bypass certificate-san { class-list {
class_list_name | multi-class-list multi_class_list_name } |
contains certificate_san_name | ends-with certificate_san_name |
equals certificate_san_name | exception-class-list
exceptionclass-list_name | starts-with certificate_san_name }

Parameter Description

certificate_san_name Name in the certificate SAN (string).

class-list Bypasses SSLi if the certificate SAN matches the class-list.
When enabled, the multi-class-list option allows you to enter up to 16
file-type class lists for each slb template client-ssl instance. Without
the multi-class-list option, you can enter only one class list name.

contains Bypasses SSLi if the certificate SAN contains the configured
string.

ends-with Bypasses SSLi if the certificate SAN ends with the configured
string.

equals Bypasses SSLi if the certificate SAN equals the configured string.

exception-class-list Exception class-list to forward-proxy-bypass.

starts-with Bypasses SSLi if the certificate SAN starts with the
configured string.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to enable SSLi bypass based on certificate SAN.
Subject Alternative Name (SAN) certificates can secure a number of fully
qualified domain names with a single certificate. The SAN field enables
you to specify additional host names such as sites, IP addresses,
common names, and so on, to be protected by a single SSL certificate.
The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures a condition for bypassing SSLi if the
certificate SAN contains the string a10:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass certificate-san contains a10

forward-proxy-bypass certificate-subject
Description Configures SSLi bypass based on a string from the certificate subject.

Syntax [no] forward-proxy-bypass certificate-subject { class-list {
class_list_name | multi-class-list multi_class_list_name } |
contains certificate_sub_name | ends-with certificate_sub_name |
equals certificate_sub_name | exception-class-list
exceptionclass-list_name | starts-with certificate_sub_name }

Parameter Description

certificate_sub_name Name of the certificate subject (string).

class-list Bypasses SSLi if the certificate subject matches the class-list.
When enabled, the multi-class-list option allows you to enter up to 16
file-type class lists for each slb template client-ssl instance. Without
the multi-class-list option, you can enter only one class list name.

contains Bypasses SSLi if the certificate subject contains the configured
string.

ends-with Bypasses SSLi if the certificate subject ends with the
configured string.

equals Bypasses SSLi if the certificate subject equals the configured
string.

exception-class-list Exception class-list to forward-proxy-bypass.

starts-with Bypasses SSLi if the certificate subject starts with the
configured string.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to enable SSLi bypass based on certificate subject.
The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures a condition for bypassing SSLi if the
certificate subject contains the string a10:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass certificate-subject contains a10

forward-proxy-bypass class-list
Description Configures SSLi bypass when the SNI of the outside server matches the
specified class list or class-lists.

Syntax [no] forward-proxy-bypass class-list { class_list_name |
multi-class-list multi_class_list_name }

Parameter Description

class-list class_list_name Name of the class-list.

multi-class-list multi_class_list_name Name of the multi-class-list.
When enabled, the multi-class-list option allows you to enter up to 16
file-type class lists for each slb template client-ssl instance. Without
the multi-class-list option, you can enter only one class list name.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to enable SSLi bypass when the SNI of the outside
server matches the specified class list or class-lists. The following
match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures a condition for bypassing SSLi if the
SNI of the outside server matches any entry in two multi-class-lists:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass class-list multi-class-list my-classlist-name1
ACOS(config-client ssl)# forward-proxy-bypass class-list multi-class-list my-classlist-name2

forward-proxy-bypass client-auth
Description Configures the SNI attributes and/or class-lists that determine whether
or not a client is enabled for client-authentication SSLi bypass. These
attributes and class-lists are bound to an SSL client template, which
itself is bound to the ACOS decrypt device.

Syntax [no] forward-proxy-bypass client-auth { case-insensitive |
class-list { class_list_name | multi-class-list multi_class_list_name } |
contains sni_string | ends-with sni_string | equals sni_string |
exception-class-list exception-class-list_name | starts-with sni_string }

Parameter Description

case-insensitive Disables case sensitivity for the client-auth match
strings.

class-list Bypasses SSLi if the SNI matches the class-list.
When enabled, the multi-class-list option allows you to enter up to 16
file-type class lists for each slb template client-ssl instance. Without
the multi-class-list option, you can enter only one class list name.

contains Bypasses SSLi if the SNI contains the configured string.

ends-with Bypasses SSLi if the SNI ends with the configured string.

equals Bypasses SSLi if the SNI equals the configured string.

exception-class-list Exception class-list to forward-proxy-bypass.

starts-with Bypasses SSLi if the SNI starts with the configured string.

Default None

Mode SLB client SSL template configuration mode

Usage Some HTTPS servers require client certificate authentication (CAC/PKI),
where the server authenticates incoming requests based on a certificate
in the client's certificate store. Because the ACOS decrypt device
terminates the client's TLS session and does not hold the client's private
key, it cannot complete such a handshake on the client's behalf. The
ACOS decrypt device detects whether the remote server requires client
certificate authentication. If the server requires client authentication,
the ACOS device checks whether the configuration matches a condition
to bypass this traffic. If a match is found, ACOS_decrypt stops SSLi
processing and switches from HTTPS processing to basic TCP proxy
processing.
The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures three conditions for
client-authentication bypass:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass client-auth class-list testclass
ACOS(config-client ssl)# forward-proxy-bypass client-auth contains jsmith
ACOS(config-client ssl)# forward-proxy-bypass client-auth equals test.hello.com

forward-proxy-bypass contains
Description Configures SSLi bypass if the SNI string contains the configured string.

Syntax [no] forward-proxy-bypass contains sni_string

Parameter Description

sni_string The SNI string to match.

Default None

Mode SLB client SSL template configuration mode

Usage The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures a condition for SSLi bypass:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass contains A10

forward-proxy-bypass ends-with
Description Configures SSLi bypass if the SNI string ends with the configured string.

Syntax [no] forward-proxy-bypass ends-with sni_string

Parameter Description

sni_string The SNI string to match.

Default None

Mode SLB client SSL template configuration mode

Usage The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures a condition for SSLi bypass:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass ends-with A10

forward-proxy-bypass equals
Description Configures SSLi bypass if SNI string equals the configured string.

Syntax [no] forward-proxy-bypass equals sni_string

Parameter Description

sni_string Name of the SNI.

Default None

Mode SLB client SSL template configuration mode

Usage The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures a condition for SSLi bypass:


ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-(config-client ssl)# forward-proxy-bypass equals A10

forward-proxy-bypass exception-ad-group-list
Description Configures exceptions to SSLi bypass if AD group name matches an
entry in the exception AD group list.

Syntax [no] forward-proxy-bypass exception-ad-group-list exception_ad_group_list_name

Parameter Description

exception_ad_group_list_name Name of the exception AD group list.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to configure exceptions for SSLi bypass.

Example The following example configures an exception AD group list for exceptions
to SSLi bypass:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-(config-client ssl)# forward-proxy-bypass exception-ad-group-list mylist

forward-proxy-bypass exception-class-list
Description Configures exceptions to SSLi bypass if SNI string matches an entry in
the exception class list.

Syntax [no] forward-proxy-bypass exception-class-list exception_class_list_name

Parameter Description

exception_class_list_name Name of the exception class list.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to configure exceptions for SSLi bypass.

Example The following example configures an exception class list for exceptions
to SSLi bypass:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-(config-client ssl)# forward-proxy-bypass exception-class-list mylist

forward-proxy-bypass exception-user-name-list
Description Configures an exception to SSLi bypass if a user name matches an entry
in the user name exception class list.

Syntax [no] forward-proxy-bypass exception-user-name-list exception_user_list_name

Parameter Description

exception_user_list_name Name of the exception user name list.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to configure exceptions for SSLi bypass based on
user names.

Example The following example configures an exception user name list of mylist:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-(config-client ssl)# forward-proxy-bypass exception-user-name-list mylist

forward-proxy-bypass exception-web-category
Description Configures SSLi intercept decision making based on web URL category.

Syntax [no] forward-proxy-bypass exception-web-category web-category-name

Default None

Mode SLB client SSL template configuration mode

Usage ACOS connects with third-party servers (specifically, Webroot’s
BrightCloud servers) to obtain the web category for enhanced protection.
To access these servers, a URL Classification license is required.
When the web category matches an entry in the exception category list, the
request is intercepted.

NOTE: A client-ssl template can have multiple exception-web-category
entries at a time, as with web-category.

Example The following example configures a web category exception for sports
URLs:
ACOS(config)# slb template client-ssl SSL_webcategoryexception
ACOS-(config-client ssl)# forward-proxy-bypass exception-web-category sports

forward-proxy-bypass exception-web-reputation
Description Configures SSLi intercept decision making based on web URL reputation
scope.

Syntax [no] forward-proxy-bypass exception-web-reputation {reputation-scope}

Parameter Description

trustworthy Intercepts URLs with scores under 100. These are clean
URLs and do not impose a security risk.

low-risk Intercepts URLs with scores under 80. These are
benign URLs and exhibit very low security risk.

moderate-risk Intercepts URLs with scores under 60. These are
benign URLs and exhibit potential security risk.

suspicious Intercepts URLs with scores under 40. These are
suspicious URLs and exhibit predictive security risk.

malicious Intercepts URLs with scores under 20. These are high
risk URLs and exhibit high security risk.

<1-100> Intercepts URLs with scores under the customized
value (1-100).

Default None

Mode SLB client SSL template configuration mode

Usage When the web-reputation score is less than or equal to the level set or
the customized score, the request is intercepted. Otherwise, SSLi checks
the other bypass criteria before making a decision; it does not bypass
immediately.

NOTE: A client-ssl template can only have one entry of the exception-
web-reputation at a time.

Example The following example configures a web reputation exception for
malicious URLs:
ACOS(config)# slb template client-ssl SSL_webreputationexception
ACOS-(config-client ssl)# forward-proxy-bypass exception-web-reputation malicious

forward-proxy-bypass require-web-category
Description Enables Web Category Lookup Enforcement for both the web-category
and web-reputation based SSLi bypass policies under that template.
Web category lookup enforcement resolves the category and reputation
of the unknown (first request) URLs by pausing the data plane
connection. When the result is known and the URL is categorized or
reputed, the connection is resumed.

Syntax [no] forward-proxy-bypass require-web-category

Default Disabled

Mode SLB client SSL template configuration mode


Example The following example enables Web Category Lookup Enforcement for
web-category based SSLi bypass policies under the BLUE client-ssl template.
ACOS(config)# slb template client-ssl BLUE
ACOS(config-client ssl)# forward-proxy-bypass web-category financial-services
ACOS(config-client ssl)# forward-proxy-bypass web-category health-and-medicine
ACOS(config-client ssl)# forward-proxy-bypass require-web-category

Example The following example enables Web Category Lookup Enforcement for
web-reputation based SSLi bypass policies under the BLUE client-ssl
template.
ACOS(config)# slb template client-ssl BLUE
ACOS(config-client ssl)# forward-proxy-bypass web-reputation trustworthy
ACOS(config-client ssl)# forward-proxy-bypass require-web-category

forward-proxy-bypass starts-with
Description Configures SSLi bypass if the SNI string starts with the configured string.

Syntax [no] forward-proxy-bypass starts-with sni_string

Parameter Description

sni_string Name of the SNI.

Default None

Mode SLB client SSL template configuration mode

Usage The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.

Example The following example configures a condition for SSLi bypass:

ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-(config-client ssl)# forward-proxy-bypass starts-with A10

forward-proxy-bypass web-category
Description Configures SSLi bypass based on URL Classification. When URLs are cat-
egorized, this information can be used to filter out unwanted content to
add an additional layer of security, or it can be used to determine which
URLs should bypass SSLi decryption in compliance with privacy laws.

Syntax [no] forward-proxy-bypass web-category web-category-name

NOTE: For more information on web-category-name, refer to web-category.

Default None

Mode SLB client SSL template configuration mode

Usage ACOS connects with third-party servers (specifically, Webroot’s
BrightCloud servers) to obtain the web category for enhanced protection.
To access these servers, a URL Classification license is required.

Example The following example configures SSLi bypass for websites related to
sports and real-estate:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-(config-client ssl)# forward-proxy-bypass web-category
sports
ACOS-(config-client ssl)# forward-proxy-bypass web-category
real-estate

Example The following example configures SSLi bypass for websites related to
child abuse material (CAM):
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-(config-client ssl)# forward-proxy-bypass web-category
illegal-pornography
ACOS-(config-client ssl)# forward-proxy-bypass web-category
nudity-artistic

forward-proxy-bypass web-reputation
Description Configures SSLi bypass decision making based on web URL reputation
scope.

Syntax [no] forward-proxy-bypass web-reputation {reputation-scope}

Parameter Description

trustworthy Bypasses URLs with scores above 81. These are clean
URLs and do not impose a security risk.

low-risk Bypasses URLs with scores above 61. These are benign
URLs and exhibit very low security risk.

moderate-risk Bypasses URLs with scores above 41. These are benign
URLs and exhibit potential security risk.

suspicious Bypasses URLs with scores above 21. These are
suspicious URLs and exhibit predictive security risk.

malicious Bypasses URLs with scores above 1. These are high risk
URLs and exhibit high security risk.

<1-100> Bypasses URLs with scores above the customized value
(1-100).

Default None

Mode SLB client SSL template configuration mode

Usage When the web-reputation score is greater than or equal to the level set or
the customized score, the request is bypassed. Otherwise, SSLi checks
the other intercept criteria before making a decision; it does not
intercept immediately.

NOTE: A client-ssl template can only have one entry of web-reputation
at a time.

Example The following example configures web reputation for trustworthy URLs:
ACOS(config)# slb template client-ssl SSL_webreputation
ACOS-(config-client ssl)# forward-proxy-bypass web-reputation trustworthy
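The two reputation commands (exception-web-reputation, which intercepts at or below a threshold, and web-reputation, which bypasses at or above one) can be modelled in a few lines. The following Python is an added example and not ACOS or A10 code: the thresholds are the ones listed in the two parameter tables, the comparison directions follow the two Usage paragraphs, and the tri-state result reflects the statement that a non-matching score neither bypasses nor intercepts immediately. Checking the exception before the bypass rule when both are configured is an assumption, as are the function names.

```python
"""Model of the web-reputation intercept/bypass decision described on this
page. Added example, not ACOS code."""

# Scope keyword -> threshold for `forward-proxy-bypass exception-web-reputation`
# (intercept when score <= threshold); values from the page's parameter table.
EXCEPTION_THRESHOLDS = {
    "trustworthy": 100,
    "low-risk": 80,
    "moderate-risk": 60,
    "suspicious": 40,
    "malicious": 20,
}

# Scope keyword -> threshold for `forward-proxy-bypass web-reputation`
# (bypass when score >= threshold); values from the page's parameter table.
BYPASS_THRESHOLDS = {
    "trustworthy": 81,
    "low-risk": 61,
    "moderate-risk": 41,
    "suspicious": 21,
    "malicious": 1,
}


def _threshold(scope, table):
    """Resolve a scope keyword or a customized integer (1-100) to a threshold."""
    if isinstance(scope, int):
        if not 1 <= scope <= 100:
            raise ValueError("customized reputation threshold must be 1-100")
        return scope
    return table[scope]


def reputation_decision(score, bypass_scope=None, exception_scope=None):
    """Return 'intercept', 'bypass' or 'undecided' for one URL reputation score.

    bypass_scope    -> argument of `forward-proxy-bypass web-reputation`
    exception_scope -> argument of `forward-proxy-bypass exception-web-reputation`
    Either may be None when the command is not configured; the page allows at
    most one entry of each per template. When both match, the exception
    (intercept) is applied first: an assumption of this example.
    """
    if not 1 <= score <= 100:
        raise ValueError("reputation score must be 1-100")
    if exception_scope is not None and score <= _threshold(exception_scope, EXCEPTION_THRESHOLDS):
        return "intercept"
    if bypass_scope is not None and score >= _threshold(bypass_scope, BYPASS_THRESHOLDS):
        return "bypass"
    # Neither threshold reached: SSLi goes on to the other bypass/intercept criteria.
    return "undecided"


if __name__ == "__main__":
    # Constructed scores for a template with `web-reputation trustworthy`
    # and `exception-web-reputation suspicious`.
    for s in (95, 60, 30):
        print(s, "->", reputation_decision(s, "trustworthy", "suspicious"))
```

A score of 60 under that pair of commands is neither bypassed (below 81) nor intercepted (above 40), which is exactly the case in which the other criteria on this page decide.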

forward-proxy-ca-certificate
Description Configures the forward proxy CA-signed certificate, certificate key, and
chain certificate. Optionally, sets a pass phrase and binds a shared
partition's certificate.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in the SSLi configurations.

Syntax [no] forward-proxy-ca-certificate <cert-name> key <key-name>
[pass-phrase <pass-phrase>] [chain-cert <chain-cert-name>] [partition shared]

Parameter Description

cert-name Specifies the certificate name (1-245 characters).

key-name Specifies the certificate key name (1-245 characters).

pass-phrase Specifies the password phrase (1-128 characters).

chain-cert-name Specifies a certificate-key chain (1-245 characters).

partition shared Binds the shared partition’s alternate certificate in the
private partition’s client-SSL template.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123 pass-phrase Pass123 chain-cert myCAcert

forward-proxy-cache-persistence
Description Specifies an Aho-Corasick (AC) class-list of SNIs of forged certificates
that are to be retained in the cache when ACOS is rebooted or whenever
the ACOS forward-proxy process is restarted. If an SNI in the certificate
matches an entry in this class list, it is retained; otherwise, it is dropped.


This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.

Syntax [no] forward-proxy-cache-persistence class-list name

Parameter Description

name Class-list name (1-63 characters).

Default If a persist class list is not bound to a client-SSL template, the cached
forged certificates do not persist.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cache-persistence
class-list cl1

forward-proxy-cert-cache
Description Configures forward proxy certificate cache options.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.

Syntax [no] forward-proxy-cert-cache {limit bytes | timeout seconds}

Parameter Description

limit Specifies the certificate cache size limit in bytes (0-2147483647).
The default is 524288. Set the limit to 0 for unlimited size.

timeout Specifies the certificate cache timeout value in seconds (0-2147483647).
The default is 1 hour.
Set the timeout to 0 for the certificate cache to never time out. A certificate
can remain in the cache up to the value set in cache timeout. When a
certificate exceeds that time, it is removed.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-cache timeout
7200

forward-proxy-cert-expiry
Description The number of hours that the forward proxy certificates will be valid.
Shortening the lifetime of the forged forward-proxy certs reduces the
security risk if any are stolen. From 1 to 168 hours can be specified.
If the expiry occurs after the validity end-date, then this command will
adjust the validity end date.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.

Syntax [no] forward-proxy-cert-expiry hours hours

Parameter Description

hours Number of hours (1-168).

Default By default, the forged forward proxy certs have the same expiration as
the original certificates.

Mode SLB client SSL template configuration mode

Example Example configuration:

ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-expiry hours 48

forward-proxy-cert-ext
Description Specify the certificate extension for a Certificate Revocation List Dis-
tribution Point (CRLDP) or an Authority Information Access extension for
Online Certificate Status Protocol (OCSP) or Certificate Authority (CA)
Issuer for certificate validation.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.

Syntax [no] forward-proxy-cert-ext {crldp | aia {ca-issuers | ocsp}} URI

Mode SLB client SSL template configuration mode

Example Example configuration to add a distribution point extension for a CRL:
ACOS(config)#slb template client-ssl SSL-Client
ACOS(config-client ssl)#forward-proxy-cert-ext crldp http://www.example.com/example.crt

forward-proxy-cert-not-ready-action
Description Configures the action of the client connection if ACOS does not have the
proxied cert ready.

Syntax [no] forward-proxy-cert-not-ready-action {intercept | bypass | reset}
• bypass - ACOS bypasses SSL proxy services and forwards the client
packets to the actual SSL server.
• reset - ACOS requests an SSL connection reset. If the proxied cert is
ready after the reset, the SSL proxy session is negotiated.
• intercept - ACOS intercepts SSL proxy services.

Default By default, SSL proxy session is bypassed when the proxied cert is not ready.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-not-ready-action
reset


forward-proxy-cert-revoke-action
Description Configures the action of the client connection if OCSP or CRL verification
determines the certificate is irreversibly revoked.

Syntax [no] forward-proxy-cert-revoke-action {bypass | continue | drop | block}

Parameter Description

bypass Bypasses the connection.

continue Continues the connection.

drop Drops the connection.

block Blocks the connection.
Use the forward-proxy-block-message command to draft a custom message to
display when the connection is blocked.

Default By default, SSL proxy is bypassed if OCSP or CRL verification determines
any certificate in the chain is unknown.

Mode SLB client SSL template configuration mode

Usage This command applies only to the certificates that are forged on the
ACOS device for the interception of SSL sessions in SSLi configurations.
The options available are bypassing SSL Proxy, continuing with the
connection, dropping the connection, or blocking the connection with a
customizable message to the user.

Example The following example configures an SSLi connection as continued after
a certificate revocation:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-revoke-action continue

Example The following example configures an SSLi connection as blocked and
displays a custom blocked message:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-revoke-action block
ACOS(config-client ssl)# forward-proxy-block-message “This website cannot be displayed as there is a certificate issue.”

forward-proxy-cert-unknown-action
Description Configures the action of the client connection if OCSP or CRL verification
determines the certificate status is ‘unknown.’

Syntax [no] forward-proxy-cert-unknown-action {bypass | continue | drop | block}

Parameter Description

bypass Bypasses the connection.

continue Continues the connection.

drop Drops the connection.

block Blocks the connection.
Use the forward-proxy-block-message command to draft a custom message to
display when the connection is blocked.

Default By default, SSL proxy is bypassed if OCSP or CRL verification determines
any certificate in the chain is irreversibly revoked.

Mode SLB client SSL template configuration mode

Usage This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations. The
options available are bypassing SSL Proxy, continuing with the con-
nection, or dropping the connection.

Example The following example configures an SSLi connection as dropped after a
certificate unknown error:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-unknown-action drop

Example The following example configures an SSLi connection as blocked and
displays a custom blocked message:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-unknown-action block
ACOS(config-client ssl)# forward-proxy-block-message “This website cannot be displayed as there is a certificate issue.”

forward-proxy-cert-validity
Description Specify the starting and ending certificate validation period in which the
certificate status and information will be maintained.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.

Syntax [no] forward-proxy-cert-validity {notafter | notbefore} day month year

Parameter Description

day Set the day of the month (1-31).

month Set the month (1-12).

year Set the year (2005-2035).

Default None.

Mode SLB Client SSL Template Configuration Mode

Example The following example shows how to add the starting validation time
of November 1, 2005 for proxied certificates from the ACOS device.
ACOS(config)#slb template client-ssl SSL-Client
ACOS(config-client ssl)#forward-proxy-cert-validity notbefore 1 11 2005

forward-proxy-crl-disable
Description Disable Certificate Revocation List (CRL) services for SSLi (forward-
proxy).
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.

Syntax [no] forward-proxy-crl-disable

Default By default, CRL for SSLi is enabled.


Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-crl-disable

forward-proxy-decrypted
Description Sets DSCP value for decrypted and bypassed traffic for SSLi con-
figurations.

Syntax [no] forward-proxy-decrypted dscp dscp_value_decrypted dscp_value_bypassed

Parameter Description

dscp_value_decrypted DSCP value for decrypted traffic.
The value ranges from 1 to 63.

dscp_value_bypassed DSCP value for bypassed traffic.
The value ranges from 1 to 63.

Default None.

Mode SLB client SSL template configuration mode

Usage Use this command to set the DSCP value for decrypted and bypassed
traffic in an SSLi client template. If the service group has a template with
DSCP configured, this command takes precedence.

Example Example configuration:


ACOS(config)# slb template client-ssl SSLi
ACOS(config-client ssl)# forward-proxy-decrypted dscp 6 1

forward-proxy-esni-action
Description Specify the action taken if an encrypted server name indication (ESNI) is
received in a ClientHello extension.
This command applies only to SSLi configurations.

Syntax [no] forward-proxy-esni-action {drop | bypass }


Parameter Description

bypass Bypasses the connection.

drop Drops the connection.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-esni-action drop

forward-proxy-failsafe-disable
Description Forward proxy (SSLi) failsafe enables SSLi traffic interception to be
bypassed when there is a handshake failure. The most common handshake
failures are due to servers only accepting elliptic-curve ciphers.
This command applies only to SSLi configurations.

Syntax [no] forward-proxy-failsafe-disable

Default This feature is enabled by default; use this command to disable SSLi
failsafe.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-failsafe-disable

forward-proxy-inspect
Description Perform SSL Insight only if the traffic matches an entry in the specified
class list and is not bypassed by any other matching criteria. Only
Aho-Corasick class-lists are supported by this command.
The forward-proxy-inspect criteria are applied first, before any forward
proxy bypass matching criteria. If forward-proxy-inspect is not
configured, all SSL sessions are inspected for the other bypass matching
criteria.
This command applies only to SSLi configurations.

Syntax [no] forward-proxy-inspect class-list name


Parameter Description

name Class-list name (1-63 characters).

Mode SLB client SSL template configuration mode

Example The following example shows how the forward-proxy-inspect command
works. In this example of an AC class-list, all URLs ending with
private.abc.com will be bypassed, while all URLs ending with
public.abc.com will go through SSLi processing.

ACOS# show config class-list
!Section configuration: 77 bytes
!
class-list my_class_list ac
ends-with abc.com
user-tag Security
!
ACOS# config
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# slb template client-ssl SSLi_vip_001_client_ssl
ACOS(config-client ssl)# forward-proxy-inspect class-list my_class_list
ACOS(config-client ssl)# forward-proxy-bypass contains private.abc.com

Example The following example displays request processing under a combination
of bypass and inspection configuration conditions.

Configuration
#sh run slb template client-ssl oym1
!Section configuration: 202 bytes
!
slb template client-ssl oym1
forward-proxy-ca-certificate ca1 key ca1
forward-proxy-enable
forward-proxy-bypass class-list b-class
forward-proxy-inspect class-list i-class
!

Class list contents
class-list b-class equals b.sample-a.ma
class-list i-class equals b.sample-a.ma
If the request is b.sample-a.ma, the request is bypassed.

Selection Results

forward-proxy-inspect    forward-proxy-bypass    Actual request    Decision
class-list i-class       class-list b-class
b.sample-a.ma            b.sample-a.ma           b.sample-a.ma     Bypass
sample-a.ma              b.sample-a.ma           b.sample-a.ma     Bypass
sample-a.ma              b.sample-a.ma           a.sample-a.ma     Inspected
b.sample-a.ma            sample-a.ma             b.sample-a.ma     Inspected
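The following Python script is an added example, not ACOS or A10 code. It models the decision flow described in three places on this page: the fixed evaluation order of the SNI match options (equals, starts-with, contains, ends-with, regardless of configuration order) with the most-specific match winning; forward-proxy-bypass exception-class-list pulling a bypassed name back into interception; and forward-proxy-inspect being applied before any bypass criteria, so that a configured inspect class-list with no match means the session is not inspected. Two assumptions: "most specific" is taken to mean the longest matching rule string, and the function and variable names are the example's own.

```python
"""Model of how forward-proxy-inspect, the SNI bypass rules and the
exception class-list combine. Added example, not ACOS code."""

# Fixed evaluation order of the match options, as stated on the page.
MATCH_ORDER = ("equals", "starts-with", "contains", "ends-with")

_MATCHERS = {
    "equals": lambda sni, s: sni == s,
    "starts-with": lambda sni, s: sni.startswith(s),
    "contains": lambda sni, s: s in sni,
    "ends-with": lambda sni, s: sni.endswith(s),
}


def matching_rule(sni, rules):
    """Return the (option, string) rule that wins for `sni`, or None.

    `rules` is an iterable of (option, string) pairs in any order; because
    configuration order is irrelevant, the pairs are regrouped by option and
    tried in MATCH_ORDER. Within one option the longest matching string is
    treated as the most specific (assumption of this example).
    """
    sni = sni.lower()
    for option in MATCH_ORDER:
        hits = [s for opt, s in rules
                if opt == option and _MATCHERS[option](sni, s.lower())]
        if hits:
            return option, max(hits, key=len)
    return None


def ssli_decision(sni, inspect_list=None, bypass_rules=(), exception_list=()):
    """Decide 'inspect' or 'bypass' for one ClientHello SNI.

    inspect_list   -> entries of the class-list given to forward-proxy-inspect
                      (None when that command is not configured)
    bypass_rules   -> (option, string) pairs from forward-proxy-bypass
                      equals/starts-with/contains/ends-with or a bypass class-list
    exception_list -> entries of forward-proxy-bypass exception-class-list
    """
    # 1. forward-proxy-inspect is applied first: configured but not matched
    #    means SSL Insight is not performed on this session.
    if inspect_list is not None and matching_rule(sni, inspect_list) is None:
        return "bypass"
    # 2. Then the bypass criteria, with the exception list able to override
    #    a bypass match back to interception.
    if matching_rule(sni, bypass_rules) is not None:
        if matching_rule(sni, exception_list) is not None:
            return "inspect"
        return "bypass"
    return "inspect"


# Constructed configuration mirroring the page's class-list example:
# an AC class-list with `ends-with abc.com` bound to forward-proxy-inspect
# and `forward-proxy-bypass contains private.abc.com`.
EXAMPLE_INSPECT = [("ends-with", "abc.com")]
EXAMPLE_BYPASS = [("contains", "private.abc.com")]

if __name__ == "__main__":
    for host in ("public.abc.com", "private.abc.com", "mail.example.org"):
        print(host, "->", ssli_decision(host, EXAMPLE_INSPECT, EXAMPLE_BYPASS))
```

Running it shows the page's statement in action: public.abc.com is inspected, private.abc.com is bypassed, and a host outside abc.com is never inspected because the inspect class-list is evaluated before anything else.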

forward-proxy-inspect certificate-issuer
Description Configures SSLi inspect based on the class-list from a certificate issuer.

Syntax [no] forward-proxy-inspect certificate-issuer class-list class_list_name

Parameter Description

class-list class_list_name Inspects SSLi if the certificate issuer matches
the class-list name.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to enable SSLi inspect based on class-list from a cer-
tificate issuer. To determine the Certificate Authority that issued your cer-
tificate, open the website in a browser and click on the certificate
information.

Example Example Configuration:

ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-inspect certificate-issuer class-list Nortan

forward-proxy-inspect certificate-san
Description Configures SSLi inspect based on the class-list from a certificate Subject
Alternative Name (SAN).

Syntax [no] forward-proxy-inspect certificate-san class-list class_list_name

Parameter Description

class-list class_list_name Inspects SSLi if the certificate SAN matches the
class-list name.

Default None

Mode SLB client SSL template configuration mode

Usage Use this command to enable SSLi inspect based on class-list from a cer-
tificate SAN. This can secure a number of fully qualified domain names
with a single certificate. You can specify additional host names such as
sites, IP addresses, common names, and so on, to be protected by a
single SSL Certificate.

Example Example Configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-inspect certificate-
san class-list xyzbank

forward-proxy-inspect certificate-subject
Description Configures SSLi inspect based on the class-list from a certificate subject.

Syntax [no] forward-proxy-inspect certificate-subject class-list class_list_name

Parameter Description

class-list class_list_name Inspects SSLi when the certificate subject
matches the class-list name.
You can enter only one class list name.


Default None

Mode SLB client SSL template configuration mode

Usage Use this command to enable SSLi inspect based on the class-list from a
certificate subject.

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-inspect certificate-
subject class-list Nortan

forward-proxy-log-disable
Description Disable SSL forward proxy (SSLi) logging.
This command applies only to SSLi configurations.

Syntax [no] forward-proxy-log-disable

Default SSLi logging is enabled by default; use this command to disable SSLi log-
ging.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-log-disable

forward-proxy-no-shared-cipher-action
Description Specify the action taken if the handshake fails due to no shared cipher.

Syntax [no] forward-proxy-no-shared-cipher-action {bypass | drop}

Parameter Description

bypass Bypasses the connection.

drop Drops the connection.

Default drop

Mode SLB client SSL template configuration mode


Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-no-shared-cipher-
action bypass

forward-proxy-no-sni-action
Description Specify the SSL forward proxy action in case of no SNI.

Syntax [no] forward-proxy-no-sni-action {intercept | bypass | reset}

Parameter Description

bypass Bypasses the connection.

intercept Intercepts the connection.

reset Resets the connection.

Default Intercept

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-no-sni-action bypass

forward-proxy-ocsp-disable
Description Disable OCSP Stapling for SSL forward proxy (SSLi).
This command applies only to SSLi configurations.

Syntax [no] forward-proxy-ocsp-disable

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ocsp-disable

forward-proxy-require-sni-cert-matched

Description Enable to match SNI in ClientHello message and subject CN/SANs in server certificate to prevent spoofing.

Syntax [no] forward-proxy-require-sni-cert-matched {no-match-action-inspect | no-match-action-drop}

Parameter Description

no-match-action-inspect If the client SNI does not match the server certificate subject CN or any DNS name in the SAN, continue to inspect the connection.

no-match-action-drop If the client SNI does not match the server certificate subject CN or any DNS name in the SAN, drop the connection.

Default Disabled

Mode SLB client SSL template configuration mode

Usage Use this command to match SNI in ClientHello message and subject
CN/SANs in server certificate to prevent spoofing.

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-require-sni-cert-matched no-match-action-drop

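The comparison that forward-proxy-require-sni-cert-matched performs, modelled in Python as an added example (this is not ACOS code and not taken from the A10 documentation). The page only states that the SNI is compared with the subject CN and the DNS names in the SAN; the ServerCert class, the decide function, case-insensitive matching and the wildcard rule (a leading "*." matches exactly one DNS label) are assumptions of this example.

```python
"""SNI-to-certificate name matching with a configurable no-match action.

Added example, not ACOS code. Models the check described for
forward-proxy-require-sni-cert-matched; the wildcard and case rules below
are assumptions, not documented ACOS behaviour.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for the two certificate fields ACOS compares."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def _name_matches(sni: str, cert_name: str) -> bool:
    """Case-insensitive comparison; a leading '*.' label matches exactly one
    label (assumption, in the style of RFC 6125)."""
    sni = sni.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]               # ".cdn.example.com"
        if not sni.endswith(suffix):
            return False
        left = sni[: -len(suffix)]
        return left != "" and "." not in left
    return sni == cert_name


def sni_matches_cert(sni: str, cert: ServerCert) -> bool:
    """True when the ClientHello SNI equals the subject CN or one DNS SAN."""
    candidates = [cert.subject_cn] + list(cert.san_dns)
    return any(_name_matches(sni, name) for name in candidates)


def decide(sni: str, cert: ServerCert, no_match_action: str) -> str:
    """Outcome for one intercepted session: 'inspect' or 'drop'.

    no_match_action mirrors the two CLI keywords ('inspect' or 'drop').
    A matching name always yields 'inspect', i.e. the session stays on the
    SSLi path."""
    if no_match_action not in ("inspect", "drop"):
        raise ValueError("no_match_action must be 'inspect' or 'drop'")
    if sni_matches_cert(sni, cert):
        return "inspect"
    return no_match_action


if __name__ == "__main__":
    # Constructed sample certificate and SNIs.
    cert = ServerCert("www.example.com", ["www.example.com", "*.cdn.example.com"])
    for sni in ("www.example.com", "img.cdn.example.com",
                "a.b.cdn.example.com", "evil.test"):
        print(sni, "->", decide(sni, cert, "drop"))
```

With no-match-action-drop a spoofed SNI that the server certificate cannot vouch for never reaches the inspection path; with no-match-action-inspect the mismatch is tolerated and the session is still decrypted and inspected.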
forward-proxy-selfsign-redir
Description With this option enabled, ACOS redirects traffic away from the self-signed site and to a warning page in which the client sees “The page you have tried to reach uses an untrusted certificate, please contact your administrator.”
This command applies only to SSLi configurations.

Syntax [no] forward-proxy-selfsign-redir

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-selfsign-redir

forward-proxy-source-nat
Description To provision the SSL-Client template for source NAT, enter this command with either the auto or pool pool-name option.

Syntax [no] forward-proxy-source-nat {pool pool-name [precedence] | auto [precedence]}
• pool pool-name

When a fetched SSL session is connected and the source NAT pool
option is configured, the ACOS device replaces the client source IP
address of forwarded SSLi traffic with an address from the specified
NAT pool.
• auto

When a fetched SSL session is connected and the source NAT auto
option is configured, the ACOS device replaces the client source IP
address of forwarded SSLi traffic with the address of the real server
that is forwarding traffic to the SSL server.
• precedence

Enables source NAT configuration that is defined in the client SSL template to have a higher priority than the source NAT defined in the SLB policy template.

Default Source-NAT is disabled by default.

Mode SLB client SSL template configuration mode

Usage This command applies only to SSLi configurations.

Example The following example configures dynamic IP addresses for source NAT
in the SSL-Client template:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-source-nat auto

Example The following example configures static IP addresses for source NAT in
the SSL-Client template with precedence set for source NAT:
ACOS(config)# slb template client-ssl c-ssl2
ACOS(config-client ssl)# forward-proxy-source-nat pool p3 precedence

forward-proxy-ssl-version
Description Specify the version of SSL to be used with SSL Insight.

Syntax [no] forward-proxy-ssl-version {31 | 32 | 33 | 34}

Parameter Description

31 SSL/TLS v1.0.

32 SSL/TLS v1.1.

33 SSL/TLS v1.2. (default)

34 SSL/TLS v1.3.

Default 33

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-ssl-version 34

forward-proxy-trusted-ca
Description File in PEM format listing all the trusted CA certificates. When server verification is configured using this list, the action is to drop client connections if the certificate of the outside server is not on the trusted list.
This command applies only to the CA certs that are proxied for on the ACOS device for the interception of SSL sessions in SSLi (that is, forward-proxy) configurations.

NOTE: Additionally, you can update the 'a10_autoupdate_ca' CA bundle file for the shared partition from the GLM server using the automatic-update command. For more information, refer to the Command Line Reference Guide.

Syntax [no] forward-proxy-trusted-ca file [partition shared]

Parameter Description

file Trusted CA file name (1-255 characters).

partition shared Bind shared partition’s certificate in private partition’s client-SSL template.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-trusted-ca new_self.crt
ACOS(config-client ssl)# forward-proxy-trusted-ca trustedCAs.pem

forward-proxy-verify-cert-fail-action
Description Configure the action of the client connection if CRL verification of any certificate fails. The options available are bypassing SSL Proxy, continuing with the connection, or dropping the connection.
This command applies only to the certs that are forged on the ACOS device for the interception of SSL sessions in SSLi configurations.

Syntax [no] forward-proxy-verify-cert-fail-action {block | bypass | continue | drop}

Default By default, the client connection is dropped if CRL verification of any certificate in the chain is not successful.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-verify-cert-fail-
action bypass

handshake-logging-enable
Description Enable SSL handshake logging.

Syntax [no] handshake-logging-enable

Default Not enabled.

Mode SLB client-SSL template

Example Enable this feature:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# handshake-logging-enable

hsm-param
Description Specify HSM parameters.

Syntax [no] hsm-param {thales-embed | thales-hwcrhk}

Parameter Description

thales-embed Thales embed key.

thales-hwcrhk Thales hwcrhk key.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# hsm-param thales-embed

local-logging
Description Enables local logging.

Syntax [no] local-logging

Default Disabled

Mode SLB Client SSL configuration mode

Example The following command enables local logging:


ACOS(config)# slb template client-ssl clientSSL
ACOS(config-client ssl)# local-logging

non-ssl-bypass
Description Specifies that non-SSL session traffic is redirected to the specified service group.

Syntax [no] non-ssl-bypass service-group name

Parameter Description

name Service group name (1-127 characters).

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# non-ssl-bypass service-group Non_SSL_sg1

ocsp-stapling
Description Configure OCSP Stapling support.

Syntax [no] ocsp-stapling ca-cert cert-name ocsp {auth-server-name | service-group group-name} [period {days num | hours num | minutes num}] [timeout minutes]

Parameter Description

cert-name CA certificate name.

auth-server-name OCSP authentication server name (1-63 characters).

group-name OCSP authentication service-group name (1-127 characters).

period Specifies how often ACOS contacts the server or service group for updates. Default is 1 hour.

timeout Specifies the timeout for server retries, 1-65535. Default is 30 minutes.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ocsp-stapling ca-cert MyCACert ocsp AuthServerName period hours 2

renegotiation-disable
Description Disable automatic TLS/SSL renegotiation.
ACOS allows for renegotiation of SSL connections over previously secured channels to help speed up the re-establishment of previous SSL connections with known clients. Disabling TLS/SSL renegotiation can help prevent vulnerabilities that may lead to SSL/TLS renegotiation man-in-the-middle attacks.

Syntax [no] renegotiation-disable

Default TLS/SSL renegotiations are enabled by default.

Mode SLB client SSL template configuration mode

server-name
Description Configure Server Name Indication (SNI) in the client Hello extension.
A second certificate can be assigned to the server with the alternate
option. Two certificates assigned to a template must be of different types
(RSA, ECDSA). A major (first) certificate must be assigned before an
alternate (second) certificate is accepted by the template.
When the command includes a chain cert, the SNI SSL ctx is configured
with the cert and chain cert. When a default chain cert is defined for the
template, the default chain cert is used in place of the configured chain.
Syntax [no] server-name server-name cert cert-name [chain chain-name] key key-name [pass-phrase string] [alternate | partition shared]

Parameter Description

server-name Server name string (1-63 characters).

cert-name Server certificate associated to SNI (1-255 characters).

chain-name Chain certificate associated to SNI.

key-name Server private key associated to SNI (1-255 characters).

string Help password phrase (1-128 characters).

alternate Specifies a second (or backup) certificate and key.

partition shared Bind shared partition’s alternate certificate in private partition’s client-SSL template.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# server-name SNIServer cert SNICert key SNIKey pass-phrase SNIHelp

server-name-auto-map
Description Enables dynamic SNI extension support. When this option is enabled, SNI-based ctx creation (SSL context) is enabled. The SSL context is created based on the SNI in the client hello if a cert and key were previously imported to the device.
The no server-name-auto-map command disables dynamic SNI extension support.

Syntax [no] server-name-auto-map [enable-log]

Parameter Description

enable-log Logging of SNI auto mapping failures is enabled. When this parameter is not included, SNI auto mapping failure logging is disabled.

Default Disabled

Mode SLB client SSL template configuration mode

Usage When dynamic SNI extension support is enabled, a matching cert and key is required for the inbound client hello SNI contents. For example, for the SNI www.a10networks-black.com, the following files are required:
• Imported cert: www.a10networks-black.com.crt
• Imported key: www.a10networks-black.com.key

Example This example imports a cert and key file for www.a10networks-green.com, then enables dynamic SNI extension support.
ACOS(config)# import key www.a10networks-green.com.key scp://10.1.1.1/green.key
ACOS(config)# import cert www.a10networks-green.com.cert scp://10.1.1.1/green.cert
ACOS(config)# slb template client-ssl CLIENT-1
ACOS(config-client ssl)# server-name-auto-map
ACOS(config-client ssl)# exit
ACOS(config)# show run | sec slb template client-ssl
slb template client-ssl CLIENT-1
server-name-auto-map
ACOS(config)#

server-name-regex
Description Configure Server Name Indication (SNI) in the ClientHello extension with
regular expressions. The wildcard support includes the following regular
expression symbols:
^ $ . | * + [ {

Usage of the following symbols is not supported:
? ( ) \

When a new connection request is made from a client, the SNI from the TLS extension in the ClientHello is captured and first checked against the “server-name” configuration with the existing hash method. If no match is found, it is compared with the compiled regex strings configured by server-name-regex. When multiple server-name-regex entries match, the cert/key associated with the best match is used.
A second certificate can be assigned to the server with the alternate
option. Two certificates assigned to a template must be of different types
(RSA, ECDSA). A major (first) certificate must be assigned before an
alternate (second) certificate is accepted by the template.
When the command includes a chain cert, the SNI SSL ctx is configured
with the cert and chain cert. When a default chain cert is defined for the
template, the default chain cert is used in place of the configured chain.

Syntax [no] server-name-regex server-name cert cert-name [chain chain-name] key key-name [pass-phrase string] [alternate | partition shared]

Parameter Description

server-name-regex Server name string with regular expression (1-63 characters).

cert-name Server certificate associated to SNI (1-255 characters).

chain-name Chain certificate associated to SNI.

key-name Server private key associated to SNI (1-255 characters).

string Help password phrase (1-128 characters).

alternate Specifies a second (or backup) certificate and key.

partition shared Bind shared partition’s alternate certificate in private partition’s client-SSL template.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# server-name SNIServer cert SNICert key SNIKey pass-phrase SNIHelp

Example These commands configure a client-SSL template that uses a wildcard entry as the fully qualified domain name, thereby binding many server names in client hello extensions with one certificate and key configuration. In this example, the regex characters allow a match on www.exaple.com or www.exmple.com.
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# server-name-regex www.ex[am]ple.com cert cert1 key cert1

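The lookup order described above (exact server-name hash first, then the compiled server-name-regex entries) together with the symbol restriction, written out in Python as an added example; this is not ACOS code and the A10 documentation does not define how ACOS ranks matches. Assumptions of this example: patterns are applied with search semantics (the supported ^ and $ anchors only make sense that way), names are compared case-insensitively, and "best match" is taken to be the regex whose match covers the most characters of the SNI, with the earliest configured entry winning ties.

```python
"""SNI lookup with exact server-name entries and server-name-regex entries.

Added example, not ACOS code. The unsupported-symbol list and the
"exact first, then regex, best regex wins" order come from the command
description; search semantics, case folding and longest-match ranking are
assumptions of this example.
"""
import re

UNSUPPORTED_SYMBOLS = set("?()\\")      # symbols the command does not accept
SUPPORTED_SYMBOLS = set("^$.|*+[{")     # wildcard symbols the command documents


def validate_regex(pattern: str) -> None:
    """Reject a pattern that uses an unsupported symbol or does not compile."""
    bad = sorted(ch for ch in pattern if ch in UNSUPPORTED_SYMBOLS)
    if bad:
        raise ValueError(f"unsupported regex symbol(s) {bad!r} in {pattern!r}")
    re.compile(pattern)                 # raises re.error when malformed


def is_valid_regex(pattern: str) -> bool:
    """Boolean form of validate_regex for callers that only need yes/no."""
    try:
        validate_regex(pattern)
    except (ValueError, re.error):
        return False
    return True


class SniTable:
    """Certificate selection table for one client-SSL template."""

    def __init__(self):
        self.exact = {}                 # lowercase server-name -> (cert, key)
        self.regex = []                 # [(pattern, compiled, (cert, key))]

    def add_server_name(self, name, cert, key):
        self.exact[name.lower()] = (cert, key)

    def add_server_name_regex(self, pattern, cert, key):
        validate_regex(pattern)
        self.regex.append((pattern, re.compile(pattern, re.IGNORECASE), (cert, key)))

    def lookup(self, sni):
        """Return the (cert, key) pair for an SNI, or None when nothing matches."""
        hit = self.exact.get(sni.lower())       # hash lookup happens first
        if hit is not None:
            return hit
        best, best_len = None, -1
        for _pattern, compiled, certkey in self.regex:
            m = compiled.search(sni)
            if m and (m.end() - m.start()) > best_len:   # longest match wins (assumption)
                best, best_len = certkey, m.end() - m.start()
        return best


if __name__ == "__main__":
    # Constructed entries modelled on the examples in this section.
    table = SniTable()
    table.add_server_name("www.example.com", "exact-cert", "exact-key")
    table.add_server_name_regex("www.ex[am]ple.com", "cert1", "cert1")
    table.add_server_name_regex("^www[.].+[.]example[.]com$", "cert2", "key2")
    for sni in ("www.example.com", "www.exaple.com", "www.shop.example.com", "foo.test"):
        print(sni, "->", table.lookup(sni))
    print("backslash pattern accepted?", is_valid_regex("www\\.example\\.com"))
```

Because a bare "." in a pattern matches any character, an entry such as www.ex[am]ple.com also matches names where the dots are replaced by other characters; anchoring with ^ and $ and bracketing literal dots as [.] keeps a wildcard entry from binding more names than intended.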
server-name-bypass
Description Enable SNI bypass.
This command is available only if one of the following commands is configured:

• server-name
• server-name-regex
• server-name-auto-map

Syntax [no] server-name-bypass {missing-cert | expired-cert | explicit-class-list class-list | enable-log}

Parameter Description

missing-cert Bypass the SSL traffic when the SNI does not match with any of the configured server names.

expired-cert Bypass SSL traffic when SNI matches one of the server-names, but the certificate is expired.

explicit-class-list class-list Bypass SSL traffic when the SNI is specified in the class-list. This command only accepts the AC type class-list.

enable-log Generate the log when the SNI bypasses.

Default Disabled

Mode SLB client SSL template configuration mode

Usage Use this command when server-name is configured under the client-SSL template and you want to bypass SSL traffic in the following scenarios:
• Missing cert/key, i.e., client SNI does not match
• Client SNI matches one of the configured server-names, but the certificate is expired
• Client SNI matches the configured SNI bypass class-list

Example This example enables SNI bypass.


ACOS(config)# slb template client-ssl clissl
ACOS(config-client ssl)# certificate Cert123.pem key key123 pass-phrase Pass123
ACOS(config-client ssl)# server-name-auto-map enable-log
ACOS(config-client ssl)# server-name-bypass missing-cert
ACOS(config-client ssl)# server-name-bypass expired-cert
ACOS(config-client ssl)# server-name-bypass explicit-class-list sni_bypass
ACOS(config-client ssl)# server-name-bypass enable-log

session-cache-size

Description Maximum number of cached sessions for SSL session ID reuse.

Syntax [no] session-cache-size entries

Parameter Description

entries Number of entries. The range of values allowed is from 0 to a maximum dependent on the platform on which ACOS is running. The value 0 disables session ID reuse.

Default The default is 0; session ID reuse is disabled.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# session-cache-size 1000

session-cache-timeout
Description Sets the maximum number of seconds a cache entry can remain unused
before being removed from the cache. Cache entries age according to
the ticket age time. The age time is not reset when a cache entry is used.

Syntax [no] session-cache-timeout seconds

Parameter Description

seconds Number of seconds (0 - 604800 seconds).

Mode SLB client SSL template configuration mode

Default The default is 0; session cache timeout is disabled.

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# session-cache-timeout 5400

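The two cache commands above interact: session-cache-size bounds how many session IDs are kept (0 disables reuse) and session-cache-timeout ages entries from the time they were stored, without resetting the age on a hit. The Python model below is an added example, not ACOS code; the ACOS documentation does not describe its cache internals. Evicting the oldest entry when the cache is full, and the FakeClock used to drive the demonstration, are assumptions of this example.

```python
"""Session-ID cache modelling session-cache-size and session-cache-timeout.

Added example, not ACOS code. size 0 disables reuse, timeout 0 disables
aging, and an entry expires a fixed number of seconds after it was stored
regardless of how often it was used. Oldest-first eviction is an assumption.
"""
import time
from collections import OrderedDict


class FakeClock:
    """Constructed clock so the demo can advance time deterministically."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class SessionCache:
    def __init__(self, size, timeout, clock=time.monotonic):
        self.size = size            # session-cache-size entries (0 = reuse disabled)
        self.timeout = timeout      # session-cache-timeout seconds (0 = never expires)
        self.clock = clock
        self._entries = OrderedDict()   # session_id -> (stored_at, master_secret)

    def store(self, session_id, master_secret):
        """Cache a completed handshake. Returns False when reuse is disabled."""
        if self.size == 0:
            return False
        self._expire()
        self._entries.pop(session_id, None)
        while len(self._entries) >= self.size:
            self._entries.popitem(last=False)   # evict oldest (assumption)
        self._entries[session_id] = (self.clock(), master_secret)
        return True

    def resume(self, session_id):
        """Secret for an abbreviated handshake, or None when absent/expired.
        A hit deliberately does not refresh stored_at."""
        self._expire()
        entry = self._entries.get(session_id)
        return None if entry is None else entry[1]

    def _expire(self):
        if self.timeout == 0:
            return
        now = self.clock()
        stale = [sid for sid, (stored_at, _) in self._entries.items()
                 if now - stored_at >= self.timeout]
        for sid in stale:
            del self._entries[sid]

    def __len__(self):
        return len(self._entries)


if __name__ == "__main__":
    clk = FakeClock(0)
    cache = SessionCache(size=1000, timeout=5400, clock=clk)   # the page's example values
    cache.store("sid-a", "secret-a")
    clk.now = 5000
    print("resume at 5000s:", cache.resume("sid-a"))   # still valid
    clk.now = 5400
    print("resume at 5400s:", cache.resume("sid-a"))   # expired despite the hit at 5000s
```

The absolute-age behaviour matters for key hygiene: a busy client cannot keep one session secret alive indefinitely by resuming often, so the timeout caps how long a single master secret stays usable.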
session-ticket-lifetime

Description Sets the lifetime for stateless SSL session ticketing. After a client’s SSL
ticket expires, they must complete an SSL handshake in order to set up
the next secure session with ACOS.

NOTE: This option is only supported on vThunder systems, and is not sup-
ported on hardware A10 Thunder Series or AX Series devices

Syntax [no] session-ticket-lifetime seconds

Parameter Description

seconds Number of seconds.

Setting the lifetime to 0 disables the feature.

Default The default is 0; session ticket lifetime is disabled.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# session-ticket-lifetime 7200

session-ticket-disable
Description Disables client side SSL session ticketing.

Syntax [no] session-ticket-disable

Default By default, this is not set.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# session-ticket-disable

ssl-false-start-disable
Description SSL False Start support for Google Chrome browser.

NOTE: The following ciphers are not supported for SSL False Start in the
current release:

SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_EXPORT1024_RC4_56_MD5

If no other ciphers but these are enabled in the client-SSL template, SSL False Start handshakes will fail.

Syntax [no] ssl-false-start-disable

Default SSL false start is enabled by default.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ssl-false-start-disable

ssli-logging
Description Enables or disables SSLi logging for all SSLi events.

Syntax [no] ssli-logging { disable | all }

Parameter Description

disable Disables SSLi logging for all events, including success and failure.

all Enables SSLi logging for all events, including success and failure.

Default By default, without this configuration, SSLi logging is enabled only for failure events.

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# ssli-logging all

sslv2-bypass
Description Redirects clients who request SSLv2 sessions to the specified service
group.

Syntax [no] sslv2-bypass service-group service-group-name

Parameter Description

service-group-name Name of the service group (1-127 characters).

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# sslv2-bypass service-group SSLv2_SG

template
Description Name of a cipher or HSM template to bind to client-SSL and server-SSL
templates. In this case, the settings in the cipher template override any
cipher settings in the client-SSL template.

Syntax [no] template {cipher template-name | hsm template-name}

Parameter Description

cipher SLB cipher template name (1-63 characters).

hsm HSM template name (1-63 characters).

Mode SLB client SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# template cipher SLB_Cipher_Template

version
Description Specifies the security version and minimum allowable security version
that can be used when communicating with SSL clients.
In SSLi configurations, the security version from this template must
match the security version configured under the client-SSL template
through the forward-proxy-ssl-version command.

Syntax [no] version {version-num} [downgrade-version-num]

Parameter Description

version-num Select one of the following:
• 30 - Secure Sockets Layer (SSL) v3.0
• 31 - Transport Layer Security (TLS) v1.0
• 32 - Transport Layer Security (TLS) v1.1
• 33 - Transport Layer Security (TLS) v1.2
• 34 - Transport Layer Security (TLS) v1.3

downgrade-version-num Specifies the minimum SSL/TLS version to which a session can be downgraded. To disable downgrading, specify the same version number for both version-num and downgrade-version-num.

Default 34

Mode SLB client SSL template configuration mode

Usage See also the sslv2-bypass command in SSL-client template configuration mode and the version command in the SSL-server template configuration mode.

Example The following example configures TLS version 1.1 for use in SSL communication with the clients. Depending on the response received from each client, TLS version 1.0 may also be used.
ACOS(config)# slb template client-ssl SSL
ACOS(config-client ssl)# version 32 31

Example The following example disables downgrade; only TLS version 1.2 can be
used to communicate with clients. If the client is using a lower (less
secure) version of TLS, the session will not be created.
ACOS(config)# slb template client-ssl SSL
ACOS(config-client ssl)# version 33 33

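The two examples above (version 32 31 and version 33 33) written out as a small negotiation model in Python. This is an added example, not ACOS code, using the version codes this chapter documents (30 = SSLv3, 31 to 34 = TLS 1.0 to 1.3). The negotiation rule is an assumption of the example: ACOS offers version-num, a client may pull the session down as far as downgrade-version-num, and a client that cannot reach downgrade-version-num gets no session. The example always takes both numbers; what ACOS does when downgrade-version-num is omitted is not stated on the page and is not modelled here.

```python
"""Version negotiation under 'version version-num downgrade-version-num'.

Added example, not ACOS code. Version codes are the ones the chapter
documents; the negotiation rule is an assumption of this example.
"""
VERSION_NAMES = {30: "SSLv3", 31: "TLSv1.0", 32: "TLSv1.1", 33: "TLSv1.2", 34: "TLSv1.3"}


def validate_version_command(version_num, downgrade_version_num):
    """Both codes must be known and the floor may not exceed the ceiling."""
    for v in (version_num, downgrade_version_num):
        if v not in VERSION_NAMES:
            raise ValueError(f"unknown version code {v}")
    if downgrade_version_num > version_num:
        raise ValueError("downgrade-version-num must not exceed version-num")


def accepted_versions(version_num, downgrade_version_num):
    """Names of every protocol version the template will accept, highest first."""
    validate_version_command(version_num, downgrade_version_num)
    return [VERSION_NAMES[v] for v in range(version_num, downgrade_version_num - 1, -1)]


def negotiate(version_num, downgrade_version_num, client_max, client_min=30):
    """Version code chosen for a client supporting client_min..client_max,
    or None when the session is refused (client below the downgrade floor)."""
    validate_version_command(version_num, downgrade_version_num)
    chosen = min(version_num, client_max)          # highest version both sides allow
    if chosen < downgrade_version_num or chosen < client_min:
        return None
    return chosen


def downgrade_disabled(version_num, downgrade_version_num):
    """True when both numbers are equal, the page's way to disable downgrading."""
    return version_num == downgrade_version_num


if __name__ == "__main__":
    print("version 32 31 accepts:", accepted_versions(32, 31))
    for client_max in (34, 31, 30):
        print("  client max", VERSION_NAMES[client_max], "->", negotiate(32, 31, client_max))
    print("version 33 33 downgrade disabled:", downgrade_disabled(33, 33))
    print("version 33 33, client max TLSv1.1 ->", negotiate(33, 33, 32))
```

Reviewing a template with accepted_versions makes the exposure explicit: version 32 31 still admits TLS 1.0, whereas version 33 33 refuses anything below TLS 1.2.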
Chapter 6: Config Commands: SLB Server SSL
This section lists the commands and sub-commands to configure SLB Server-SSL templates.

The following topics are covered:

Global Configuration Commands 278

SLB Server-SSL Template Configuration Commands 281

Global Configuration Commands


The following topics are covered:

slb template server-ssl 278

slb template server-ssl

Description Configure the ACOS device to validate real servers based on their certificates.

Syntax [no] slb template server-ssl template-name

Parameter Description

template-name Template name (1-127 characters)

This command enters the SLB Server-SSL Template Configuration Mode for the specified server-ssl template. See SLB Server-SSL Template Configuration Commands for more information.

Default The configuration does not have a default server-side SSL template.

Mode Global Configuration mode

Usage The normal form of this command creates a server-SSL configuration template.
The no form of this command removes the template.
You can bind only one server-SSL template to a virtual port. However,
you can bind the same server-SSL template to multiple ports.

Usage Server-SSL Template Binding


ACOS supports use of a server-SSL template with only one instance of a real port. For example, if the same
real server:port member is used in two service groups, it is valid to bind each of those service groups to a
different virtual port. However, if there are server-SSL templates configured for both virtual ports, the
server-side SSL behavior is not predictable and is not supported. It is recommended to duplicate the real
server port configuration with different real servers in each group.

In the following example, an ACOS system is configured with two virtual servers, SSL_Internet_vip_001 and SSL_Internet_vip_003. Each of these virtual servers is configured with an HTTP virtual port, port 8080 http.

A different SSL-template and a different service group is applied to each virtual port.

The SSL-template, SSL_Internet_vip_001_server_ssl, and the service group, sg2, are applied to
port 8080 http on SSL_Internet_vip_001.

slb virtual-server SSL_Internet_vip_001 0.0.0.0 acl 1
  user-tag Security
  port 8080 http
    service-group sg2
    use-rcv-hop-for-resp
    template server-ssl SSL_Internet_vip_001_server_ssl
    no-dest-nat port-translation

The SSL-template, SSL_Internet_vip_003_server_ssl, and the service group, sg1, are applied to
port 8080 http on SSL_Internet_vip_003.

slb virtual-server SSL_Internet_vip_003 0.0.0.0 acl 3
  user-tag Security
  port 8080 http
    service-group sg1
    use-rcv-hop-for-resp
    template server-ssl SSL_Internet_vip_003_server_ssl
    no-dest-nat port-translation

The preceding configuration is supported when each service group specifies a different real
server. Service group sg1 specifies real server, rs1, and service group, sg2, specifies real
server, rs2:

slb server rs1 192.168.1.10
  port 80 tcp

slb server rs2 192.168.2.10
  port 80 tcp

slb service-group sg1 tcp
  member rs1 80
  template tcp1

slb service-group sg2 tcp
  priority-affinity
  member rs2 80

However, the preceding virtual-server configuration is not supported when both service groups specify the same real server, rs1, as shown in the following:

slb server rs1 192.168.1.10
  port 80 tcp

slb service-group sg2 tcp
  member rs1 80
  template tcp1

slb service-group sg1 tcp
  priority-affinity
  member rs1 80

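A configuration lint for the binding rule described above, as an added example; it is not part of the ACOS product or the A10 documentation. It parses the two configurations from this section (reconstructed here as constructed samples) and reports any real server:port that is reached through more than one virtual port carrying a server-SSL template. The parser understands only the statement shapes used in this section (slb service-group with member lines, slb virtual-server with port, service-group and template server-ssl lines) and is an assumption about layout, not a general ACOS configuration parser.

```python
"""Lint an SLB configuration for the server-SSL template binding rule.

Added example, not ACOS code. Flags a real server:port reachable through
two or more virtual ports that both carry a server-SSL template, which the
documentation describes as unsupported. The sample configurations are
constructed from the snippets in this section.
"""
from collections import defaultdict

# Constructed configuration: each service group uses a different real server.
SUPPORTED_CONFIG = """\
slb server rs1 192.168.1.10
  port 80 tcp
slb server rs2 192.168.2.10
  port 80 tcp
slb service-group sg1 tcp
  member rs1 80
  template tcp1
slb service-group sg2 tcp
  priority-affinity
  member rs2 80
slb virtual-server SSL_Internet_vip_001 0.0.0.0 acl 1
  user-tag Security
  port 8080 http
    service-group sg2
    use-rcv-hop-for-resp
    template server-ssl SSL_Internet_vip_001_server_ssl
    no-dest-nat port-translation
slb virtual-server SSL_Internet_vip_003 0.0.0.0 acl 3
  user-tag Security
  port 8080 http
    service-group sg1
    use-rcv-hop-for-resp
    template server-ssl SSL_Internet_vip_003_server_ssl
    no-dest-nat port-translation
"""

# Constructed configuration: both service groups point at rs1:80.
UNSUPPORTED_CONFIG = SUPPORTED_CONFIG.replace("member rs2 80", "member rs1 80")


def parse_config(text):
    """Return (service_groups, vports): group name -> [(server, port)], and a
    list of dicts with each virtual port's service group and server-SSL template."""
    groups = defaultdict(list)
    vports = []
    ctx = None      # ("sg", name) or ("vs", name) for the current top-level block
    cur = None      # the virtual port currently being filled in
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "slb":
            cur, ctx = None, None
            if len(tok) >= 3 and tok[1] in ("service-group", "virtual-server"):
                ctx = ("sg" if tok[1] == "service-group" else "vs", tok[2])
            continue
        if ctx is None:
            continue
        if ctx[0] == "sg" and tok[0] == "member" and len(tok) >= 3:
            groups[ctx[1]].append((tok[1], int(tok[2])))
        elif ctx[0] == "vs":
            if tok[0] == "port" and len(tok) >= 3:
                cur = {"vserver": ctx[1], "port": f"{tok[1]} {tok[2]}",
                       "sg": None, "server_ssl": None}
                vports.append(cur)
            elif cur is not None and tok[0] == "service-group" and len(tok) >= 2:
                cur["sg"] = tok[1]
            elif cur is not None and tok[:2] == ["template", "server-ssl"] and len(tok) >= 3:
                cur["server_ssl"] = tok[2]
    return groups, vports


def find_conflicts(text):
    """Map each real server:port reached by more than one server-SSL-enabled
    virtual port to the sorted (virtual server, port, template) paths reaching it."""
    groups, vports = parse_config(text)
    reach = defaultdict(list)
    for vp in vports:
        if vp["sg"] is None or vp["server_ssl"] is None:
            continue                      # no server-side SSL on this virtual port
        for member in groups.get(vp["sg"], []):
            reach[member].append((vp["vserver"], vp["port"], vp["server_ssl"]))
    return {member: sorted(paths) for member, paths in reach.items() if len(paths) > 1}


if __name__ == "__main__":
    print("supported config conflicts:", find_conflicts(SUPPORTED_CONFIG))
    for member, paths in find_conflicts(UNSUPPORTED_CONFIG).items():
        print(f"real {member[0]}:{member[1]} is reached via server-SSL templates from:")
        for vserver, port, template in paths:
            print(f"  {vserver} {port} (template {template})")
```

Running the lint against an exported configuration before binding a second server-SSL template surfaces the unpredictable case in advance, rather than as intermittent server-side handshake behaviour in production.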
SLB Server-SSL Template Configuration Commands


To access these commands at the SLB Server-SSL template level, enter the slb template
server-ssl command.

The following topics are covered:

ca-cert 282

certificate 282

cipher 284

close-notify 284

crl 285

dh-param 285

early-data 285

ec-name 286

enable-ssli-ftp-alg 286

enable-tls-alert-logging fatal 287

forward-proxy-enable 287

handshake-logging-enable 287

ocsp-stapling 288

renegotiation-disable 288

server-certificate-error 288

server-name 289

session-cache-size 289

session-cache-timeout 290

session-ticket-enable 290

ssli-logging 291

template cipher 291

use-client-sni 292

version 292

ca-cert
Description Specifies the name of a CA certificate. A server-SSL template can have multiple CA-signed certificates.
You can add the CA certificates to the server-SSL template in either of
the following ways:
• As separate files (one for each certificate)
• As a single file containing multiple certificates

Syntax [no] ca-cert cert-name [partition shared] [ocsp {ocsp-server-name | service-group ocsp-service-group-name}]

Parameter Description

ca-cert-name Name of the CA certificate (1-255 characters)

partition shared Bind shared partition’s alternate certificate in private partition’s client-SSL template.

ocsp-server-name Name of the OCSP server (1-255 characters)

ocsp-service-group-name Name of the OCSP service-group (1-255 characters)

Mode SLB server-SSL template

Usage Note: If validation of the ca-cert fails, the connection to the server is
terminated.

Example Specify “example.pem” as the name of the certificate:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# ca-cert example.pem

certificate
Description Specifies the name of the certificate and key name pair with optional pass-phrase setting, to use for terminating or initiating an SSL connection. The certificate and key must be installed, and available on the ACOS device.

NOTE: The certificate command is used to replace the old cert/cert-alternate/key/key-alternate/chain-cert command. The new certificate configuration cannot co-exist with these commands.

Syntax [no] certificate <cert-name> key <key-name> [pass-phrase <pass-phrase-str>] [chain-cert <chain-cert-name>] [partition shared]

Parameter Description

cert-name CA certificate name (1-245 characters).

chain-cert-name Specifies a certificate-key chain. Chain certificate name (1-245 characters).
NOTE: If the chain-cert parameter is required, then make sure to configure it in the same line as the certificate and key.

pass-phrase Specifies the password phrase (1-128 characters).

partition shared Bind shared partition’s alternate certificate in private partition’s client-SSL template.

Mode SLB server-SSL template

Example Specify “example.pem” as the name of the certificate:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# certificate Cert123.pem key key123
pass-phrase Pass123

cipher
Description Specifies the cipher suite to support for certificates from servers.
You can remove (or re-add) one cipher in the template with a single
command. Enter separate commands for each cipher to remove or re-
add.

Syntax [no] cipher name

Parameter Description

name Name of the cipher. The supported ciphers are listed at axseries, or enter cipher ? from the command line.

Mode SLB server SSL template

Example Specify “SSL3_RSA_RC4_128_SHA” as the cipher:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# cipher SSL3_RSA_RC4_128_SHA

close-notify
Description Enables support for close notification (close_notify) alerts. When this option is enabled, the ACOS device sends a close_notify message when an SSL transaction ends, before sending a FIN. This behavior is required by certain types of applications, including PHP cgi. The close notification option may not work if connection reuse is also configured on the same virtual port. In this case, when the server sends a FIN to the ACOS device, the ACOS device will not send a FIN followed by a close notification. Instead, the ACOS device will send a RST.

NOTE: This command cannot be used along with the TCP-proxy template force-delete-timeout option. Doing so may cause unexpected behavior.

Syntax [no] close-notify

Default Not enabled.

Mode SLB server-SSL template

Example Enable this feature:

ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# close-notify

crl
Description Specifies the names of the Certificate Revocation Lists (CRLs) to use for
verifying whether server certificates have been revoked. The CRLs must
be installed on the ACOS device first (see the import command for
details). The CA certificate relevant to the CRL must also be specified.

Syntax [no] crl crl_name [partition shared]

Parameter Description

crl_name CRL name (1-255 characters).

partition shared Bind the shared partition’s CRL in the private partition’s server-SSL template.

Mode SLB server SSL template configuration mode

Example Example configuration:

ACOS(config)# slb template server-ssl serverssl
ACOS(config-server ssl)# crl 10_ca.crt_crl.pem partition shared
ACOS(config-server ssl)# ca-cert 10_ca_crt

dh-param
Description Specify Diffie-Hellman parameters.

Syntax [no] dh-param {1024 | 1024-dsa | 2048}

Default Not enabled

Mode SLB server SSL template configuration mode

Example Example configuration:

ACOS(config)# slb template server-ssl serverssl
ACOS(config-server ssl)# dh-param 1024

early-data
Description Enables early data (0-RTT) for TLS version 1.3. Additionally, you must
configure either session-cache-size or session-ticket-enable to do PSK
resumption.

NOTE: - Supported on new N5 module, QAT module, and Software TLS 1.3.
- Maximum value is set to 16384 once enabled and is non-editable.

Syntax [no] early-data

Default Not Enabled.

Mode SLB server SSL template configuration mode

Usage This allows the server to respond immediately by including the requested
data in the Server Hello or Finished message.

Example The following commands configure early data for the server-SSL template
svr-0rtt-test:

ACOS(config)# slb template server-ssl svr-0rtt-test
ACOS(config-server ssl)# ec-name secp384r1
ACOS(config-server ssl)# close-notify
ACOS(config-server ssl)# session-ticket-enable
ACOS(config-server ssl)# version 34 33
ACOS(config-server ssl)# early-data

ec-name
Description Specify elliptic curve name.

Syntax [no] ec-name {secp256r1 | secp384r1}

Default secp256r1

Mode SLB server-SSL template

Example Example configuration:

ACOS(config)# slb template server-ssl serverssl
ACOS(config-server ssl)# ec-name secp384r1

enable-ssli-ftp-alg
Description Enables FTP passive mode over TLS support for the specified port number.
The port number can be between 1 and 65535.

NOTE: This configuration is applicable for implicit FTPS.


Syntax [no] enable-ssli-ftp-alg port-num {<1-65535>}

Default Disabled.

Mode SLB server SSL template configuration mode

Example Example configuration:

ACOS(config)# slb template server-ssl serverssl
ACOS(config-server ssl)# enable-ssli-ftp-alg 990

enable-tls-alert-logging fatal
Description Enables logging of TLS alerts that include the flow information such as
source IP address.

Syntax [no] enable-tls-alert-logging fatal

Default Not enabled.

Mode SLB server-SSL template

Example Enable this feature:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# enable-tls-alert-logging fatal

forward-proxy-enable
Description Enables SSL Insight support.

Syntax [no] forward-proxy-enable

Default Not enabled.

Mode SLB server-SSL template

Example Enable this feature:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# forward-proxy-enable

handshake-logging-enable
Description Enable SSL handshake logging.

Syntax [no] handshake-logging-enable

Default Not enabled.


Mode SLB server-SSL template

Example Enable this feature:

ACOS(config)# slb template server-ssl serverssl
ACOS(config-server ssl)# handshake-logging-enable

ocsp-stapling
Description Enable OCSP stapling support.

Syntax [no] ocsp-stapling

Default Not enabled.

Mode SLB server SSL template configuration mode

Example Enable this feature:

ACOS(config)# slb template server-ssl serverssl
ACOS(config-server ssl)# ocsp-stapling

renegotiation-disable
Description Disables TLS/SSL renegotiation.

Syntax [no] renegotiation-disable

Default TLS/SSL secure renegotiation is enabled.

Mode SLB server-SSL template

Usage TLS/SSL secure renegotiation is disabled if the renegotiation-disable
command is entered in both the SLB server-SSL and SLB client-SSL
templates. The no renegotiation-disable command entered in both
templates re-enables secure renegotiation.

Example Disable TLS/SSL renegotiation:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# renegotiation-disable

server-certificate-error
Description Specifies the ACOS response if there is a server certificate error.


Syntax [no] server-certificate-error {email | ignore | logging | trap}

Parameter Description

email Send an Email.

ignore Ignore the error and allow traffic.

logging Generate a log message.

trap Generate an SNMP trap.

Default Not set; the connection is refused without any notification.

Mode SLB server-SSL template

Example Send an SNMP trap when there is a server certificate error:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# server-certificate-error trap

server-name
Description Configure a user-defined server name to the server side of an SSL proxy
configuration.

Syntax [no] server-name <server_name>

Default User defined name is not passed through to the server-side.

Mode SLB server-SSL template

Example The following example shows the server-side template in an ACOS SSL
proxy configuration where the user-defined server name is passed
through to the SSL server:

ACOS(config)# slb template server-ssl test
ACOS(config-server ssl)# server-name www.test.com
ACOS(config-server ssl)# no server-name www.test.com

session-cache-size
Description Sets the maximum number of session-ID entries.

Syntax [no] session-cache-size num


Parameter Description

num Number of session-ID entries.

Specify 0 to disable caching.

Default Not enabled.

Mode SLB server-SSL template

Example Specify 5000000 entries:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# session-cache-size 5000000

session-cache-timeout
Description Sets the maximum number of seconds a cache entry can remain unused
before being removed from the cache.
Cache entries age according to the ticket age time. The age time is not
reset when a cache entry is used. After a client’s SSL ticket expires, they
must complete an SSL handshake in order to set up the next secure
session with ACOS.

Syntax [no] session-cache-timeout num

Parameter Description

num Number of seconds.

Default Not enabled.

Mode SLB server-SSL template

Example Specify 5000 seconds as the timeout value:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# session-cache-timeout 5000

session-ticket-enable
Description Enables stateless SSL session ticketing features.

Syntax [no] session-ticket-enable

Default Feature is not enabled.


Mode SLB server-SSL template

Example Enable stateless SSL session ticketing features:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# session-ticket-enable

ssli-logging
Description Enables or disables SSLi logging for all SSLi events.

Syntax [no] ssli-logging {disable | all}

Parameter Description

disable Disables SSLi logging for all events, including success and failure.

all Enables SSLi logging for all events, including success and failure.

Default By default, without this configuration, SSLi logging is enabled only for fail-
ure events.

Mode SLB server SSL template configuration mode

Example Example configuration:


ACOS(config)# slb template server-ssl serverssl
ACOS(config-server ssl)# ssli-logging all

template cipher
Description Name of a cipher template to bind to the server-SSL template. In this
case, the settings in the cipher template override any cipher settings in
the server-SSL template.

Syntax [no] template cipher name

Parameter Description

name Name of the cipher template (1-63 characters).

Default Not set; the ciphers enabled in the server-SSL template are used.


Mode SLB server-SSL template

Example Bind the cipher template “cipher-tmp1” to this server-SSL template:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# template cipher cipher-tmp1

use-client-sni
Description Pass the client domain name to the server side of an SSL proxy con-
figuration.

Syntax [no] use-client-sni

Default Client domain name is not passed through to the server-side.

Mode SLB server-SSL template

Example The following example shows the server-side template in an ACOS SSL
proxy configuration where the client domain name is passed through to
the SSL server:

ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# use-client-sni

version
Description Specify the security version.

Syntax [no] version num1 num2

Parameter Description

num1 This is the default security version.

num2 This is the lowest security version. You can downgrade the security version.

The available versions are 30, 31, 32, 33 and 34.

Parameter Description

30 Secure Sockets Layer (SSL) v3.0.

31 Transport Layer Security (TLS) v1.0.

32 Transport Layer Security (TLS) v1.1.

33 Transport Layer Security (TLS) v1.2.

34 Transport Layer Security (TLS) v1.3.

Default 34

Mode SLB server-SSL template

Example Use TLS v1.1 security:


ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# version 32 32

Chapter 7: Config Commands: SLB Policy Templates
This section lists the commands and sub-commands to configure SLB policy templates.

The following topics are covered:

Global Configuration Commands 296

SLB Policy Template Configuration Mode Commands 299

SLB Policy Template Class-List LID Configuration Commands 318


Global Configuration Commands


The following topics are covered:

slb template policy 296

slb template policy

Description Configure a template of Policy-Based SLB (PBSLB) settings.

Syntax [no] slb template policy template-name

Parameter Description

template-name Template name (1-127 characters)

This command enters the SLB Policy Template Configuration Mode
Commands for the specified policy template.

Default The configuration does not have a default SIP over UDP template.

Mode Configuration mode

Usage The normal form of this command creates a PBSLB template. The no form
of this command removes the template.
You can bind only one PBSLB template to a virtual port. However, you
can bind the same PBSLB template to multiple ports.
PBSLB configuration on a virtual port can be set either using a template
or by configuring the individual settings on the port. Individual PBSLB
settings and a PBSLB template cannot be configured on the same virtual
port.

Apply the Policy Globally or on Individual Virtual Ports

The ACOS device also allows policy templates to be applied at the virtual-
server level. However, PBSLB does not take effect if you apply the policy
template at the virtual-server level. Only class lists are supported at the
virtual-server level. To use PBSLB, apply the policy template globally or
on individual virtual ports.

Comparing TCP and HTTP Template Application


For HTTP virtual servers:

• Connection limits are only applied at the Layer 4 TCP level.
• For Layer 7 HTTP, either configure request limits or request-rate limits.

Consider the following example, with “example-clist” class list applied to
the “example-policy” template:
ACOS(config)# class-list example-clist
ACOS(config-class list)# 100.1.0.0/16 lid 1
ACOS(config-class list)# exit
ACOS(config)# slb template policy sample-policy
ACOS(config-policy)# class-list example-clist
ACOS(config-policy-class-list:example-cl...)# lid 1
ACOS(config-policy-class-list:example-cli...)# conn-limit 5
ACOS(config-policy-class-list:example-cli...)# over-limit-action forward log
ACOS(config-policy-class-list:example-cli...)# exit
ACOS(config-policy-class-list:example-cl...)# exit
ACOS(config-policy)# exit

This template can be applied to the following virtual server at Layer 4
TCP:
ACOS(config)# slb virtual-server example-vs-tcp 30.1.1.100
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# template policy sample-policy
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

However, for the following virtual server, the “example-policy” template
does not take effect, since connection limits are not applied at the Layer 7
HTTP level:
ACOS(config)# slb virtual-server example-vs-http 40.1.1.100
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template policy sample-policy
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

For the “example-vs-http” virtual server, you must configure request
limits and request rate limits. For example:
ACOS(config)# slb template policy sample-policy-2
ACOS(config-policy)# class-list example-clist
ACOS(config-policy-class-list:example-cl...)# lid 1
ACOS(config-policy-class-list:example-cli...)# request-limit 10
ACOS(config-policy-class-list:example-cli...)# over-limit-action forward log

Example These commands configure a PBSLB template and bind it to a virtual
port:
ACOS(config)# slb template policy bw1
ACOS(config-policy)# bw-list name bw1
ACOS(config-policy)# bw-list id 2 service srvcgroup2
ACOS(config-policy)# bw-list id 4 drop
ACOS(config-policy)# exit
ACOS(config)# slb virtual-server PBSLB_VS1 10.10.10.69
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-port)# template policy bw1

Example The following example configures a bandwidth limit per source IP, using
a policy template and class list.

Configure the class list:

ACOS(config)# class-list clist1
ACOS(config-class list)# 100.100.1.1/24 lid 1
ACOS(config-class list)# exit

Configure the PBSLB template:

ACOS(config)# slb template policy p1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1

Configure the bandwidth limit (1 MB per second), and reset the
connection when the limit is exceeded:

ACOS(config-policy-class-list:clist1-lid:1)# bw-rate-limit 1000 per 10
ACOS(config-policy-class-list:clist1-lid:1)# over-limit-action reset


SLB Policy Template Configuration Mode Commands


To access these commands at the SLB policy template level, enter the slb template policy
command.

The following topics are covered:

bw-list id 299

bw-list name 301

bw-list over-limit 301

bw-list timeout 302

bw-list use-destination-ip 302

class-list 303

forward-policy 305

geo-location full-domain-tree 316

geo-location overlap 316

geo-location share 317

bw-list id
Description Specifies the action to take for clients using a Black/White list ID.

Syntax [no] bw-list id id {service-group name | drop | reset} [logging [minutes] [fail]]

Parameter Description

id Group ID in the Black/White list (0-1023).

name Sends clients to the SLB service group with the specified name on the ACOS device.

drop Drops connections for IP addresses that are in the specified group.

reset Resets connections for IP addresses that are in the specified group.

logging Enables logging. The minutes option specifies how often messages can be
generated. This option reduces overhead caused by frequent recurring
messages.

For example, if the logging interval is set to 5 minutes, and the PBSLB rule
is used 100 times within a five-minute period, the ACOS device generates
only a single message. The message indicates the number of times the rule
was applied since the last message. You can specify a logging interval
from 0 to 60 minutes. To send a separate message for each event, set the
interval to 0.

PBSLB rules that use the service-group name option also have a fail
option for logging. This option configures the ACOS device to generate log
messages only when there is a failed attempt to reach a service group.
Messages are not generated for successful connections to the service
group. The fail option is disabled by default.

The fail option is not available for rules with the drop or reset option,
since any time a drop or reset rule affects traffic, this indicates a failure
condition.

Logging is disabled by default. If you enable it, the default is 3 minutes.

Mode SLB policy template

Example Drop connections for clients matching Black/White list 3.


ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list id 3 drop

bw-list name
Description Binds the specified Black/White list to the virtual ports that use this template.

Syntax [no] bw-list name name

Parameter Description

name Black/White list file name.

Mode SLB policy template

Example Bind the Black/White list “example-bw-list” to virtual ports using this template.

ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list name example-bw-list

bw-list over-limit
Description Specifies the action to take for traffic that is over the limit.

Syntax [no] bw-list over-limit {lockup lock-min | logging log-min | reset}

Parameter Description

lock-min Do not accept any new connections for the specified number of
minutes (1-127).

log-min Generates a log message when traffic goes over the limit. This option
specifies the log interval and can be 1-255 minutes.

reset Resets new connections until the number of concurrent connections on
the virtual port falls below the connection limit.

Default Drop


Mode SLB policy template

Usage The over-limit rule in a system-wide PBSLB policy includes an optional
lockup period. If the lockup period is configured, the ACOS device
continues to enforce the over-limit action for the duration of the lockup.
For example, if the over-limit action is drop, and a client exceeds the
connection limit that is specified in the Black/White list, the ACOS device
continues to drop all connection attempts from the client until the lockup
expires.
By default, the lockup option is disabled. To enable it, you must specify a
lockup period of 1-127 minutes.
The dynamic Black/White-list entry for a client does not age while the
client is locked up. After the lockup ends, the timeout for the entry is reset
to its full value and begins decreasing.

Example When traffic goes over the limit, do not accept any new connections for
five minutes.

ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list over-limit lockup 5

bw-list timeout
Description Number of minutes dynamic Black/White-list client entries can remain
idle before aging out.

Syntax [no] bw-list timeout num

Parameter Description

num Number of minutes (1-127).

Default 5 minutes

Mode SLB policy template

Example Configure the timeout to 7 minutes.


ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list timeout 7
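
The lockup and timeout semantics described under bw-list over-limit and bw-list timeout interact: the over-limit action stays in force for the whole lockup, the dynamic entry does not age while the client is locked, and the idle timeout restarts at its full value when the lockup ends. The following Python model is an added example, not A10 code, that replays a constructed timeline of connection attempts against those rules so you can see how long a client is affected under a given configuration. The client IP, the event times and the assumption that a connection attempt made during lockup does not advance the entry's last-seen time are all constructed for the example.

```python
"""Model the dynamic Black/White-list entry lifecycle described for
bw-list over-limit lockup and bw-list timeout.

Added example (not A10 code). Time is in minutes; the entry is keyed by
client source IP as in the default matching mode. Assumed semantics:
the over-limit action is enforced for the whole lockup, the entry does not
age while locked, and its idle timeout restarts at full value when the
lockup ends. An attempt made during lockup is assumed not to refresh
the entry's last-seen time.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BwListPolicy:
    idle_timeout_min: float = 5.0        # bw-list timeout (documented default: 5 minutes)
    lockup_min: Optional[float] = None   # bw-list over-limit lockup; None = disabled (default)
    over_limit_action: str = "drop"      # documented default is drop; reset is the alternative

    def __post_init__(self):
        if self.over_limit_action not in ("drop", "reset"):
            raise ValueError("over-limit action must be drop or reset")
        if self.lockup_min is not None and not 1 <= self.lockup_min <= 127:
            raise ValueError("lockup period must be 1-127 minutes")
        if not 1 <= self.idle_timeout_min <= 127:
            raise ValueError("timeout must be 1-127 minutes")


@dataclass
class DynamicEntry:
    client_ip: str
    policy: BwListPolicy
    last_seen: float                      # time of the last accepted connection attempt
    lockup_until: Optional[float] = None  # end of the current lockup, if any

    def is_locked(self, now: float) -> bool:
        return self.lockup_until is not None and now < self.lockup_until

    def expires_at(self) -> float:
        """Aging is frozen during lockup; the full idle timeout runs after it ends."""
        base = self.last_seen
        if self.lockup_until is not None:
            base = max(base, self.lockup_until)
        return base + self.policy.idle_timeout_min

    def is_expired(self, now: float) -> bool:
        return not self.is_locked(now) and now >= self.expires_at()

    def handle_connection(self, now: float, over_limit: bool) -> str:
        """Disposition ('forward', 'drop' or 'reset') for a new connection at `now`."""
        if self.is_locked(now):
            # Locked clients keep receiving the over-limit action until the lockup expires.
            return self.policy.over_limit_action
        self.last_seen = now
        if over_limit:
            if self.policy.lockup_min is not None:
                self.lockup_until = now + self.policy.lockup_min
            return self.policy.over_limit_action
        return "forward"


def simulate(policy: BwListPolicy, events: List[Tuple[float, bool]],
             client_ip: str = "198.51.100.7") -> List[Tuple[float, str, float]]:
    """Replay (time, over_limit) events; return (time, disposition, expiry) per event."""
    entry = DynamicEntry(client_ip, policy, last_seen=events[0][0])
    trace = []
    for now, over_limit in events:
        disposition = entry.handle_connection(now, over_limit)
        trace.append((now, disposition, entry.expires_at()))
    return trace


# Constructed event timeline: the client trips the limit at t=1 and keeps retrying.
EVENTS = [(0.0, False), (1.0, True), (3.0, False), (6.0, False), (10.5, False)]

if __name__ == "__main__":
    # Mirrors the `bw-list over-limit lockup 5` example with the default 5-minute timeout.
    for row in simulate(BwListPolicy(lockup_min=5), EVENTS):
        print(row)
```

With lockup 5 and the default timeout, the entry created at t=0 is still present at t=10 even though the client sent nothing it was allowed to complete between t=1 and t=6; without lockup the same client is forwarded again at t=3. That difference is what the lockup option buys when a client repeatedly trips a connection limit.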

bw-list use-destination-ip


Description Matches Black/White list entries based on the client’s destination IP
address, instead of matching by client source address. Generally, this
option is applicable when wildcard VIPs are used.

Syntax [no] bw-list use-destination-ip

Default Disabled by default; the ACOS device matches by client source IP
address.

Mode SLB policy template

Example Enable this feature.


ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list use-destination-ip

class-list
Description Create a class-list or geo-location class-list within the template.

Syntax [no] class-list name

Parameter Description

name Name of the class-list (1-63 characters).

This command places you in a sub-configuration mode, where the
following additional commands are available:


Command Description

[no] client-ip {l3-dest | l7-header [name]} Specifies the IP address to use for
matching entries in an IP class list.

l3-dest
Matches based on the destination IP address in packets from clients.

l7-header [name]
Matches based on the IP address in the specified header name in packets
from clients. If you do not specify a header name, the X-Forwarded-For
header is used. This is available only with request-limit and
request-rate-limit.

By default, the client’s IP address is used.

[no] lid num Adds a Limit ID (LID) entry to the class list, to specify traffic
limits for client traffic. Value of num ranges from 1 to 1023.

This command enters another configuration sub-mode, where the
commands described in SLB Policy Template Class-List LID Configuration
Commands are available.

Mode SLB policy template

Usage The class-list request-limit and request-rate-limit options apply
only to HTTP, fast-HTTP, and HTTPS virtual ports.
These options, when configured in a policy template, are applicable only
in policy templates that are bound to virtual ports. These options are not
applicable in policy templates bound to virtual servers (rather than
individual ports).
The over-limit-action log option, when used with request-limit or
request-rate-limit, always lists Ethernet port 1 as the interface.


forward-policy
Description Configure a forward policy of an SLB policy template to specify permitted
traffic destinations and sources along with the actions to apply. A forward
policy is a required component when configuring an explicit HTTP proxy.

Syntax [no] forward-policy

This command changes the CLI to forward-policy configuration mode,
where the commands in TABLE 7-1, Commands in the forward-policy
Configuration Mode, are available:

TABLE 7-1 : Commands in the forward-policy Configuration Mode

Command Description

acos-event-log Enable ACOS event logging.

action action-name Specify the action policy name. This command places you in
a sub-configuration mode, where the commands in Sub-
Commands in the forward-policy action Configuration Mode
are available.

local-logging Enable local logging.

no-client-conn-reuse Inspects only the first request of a connection. Command in
forward-policy configuration mode that dictates that the
HTTP/HTTPS client will not send multiple requests to different
destinations over the same TCP connection between the client and
the ACOS device.

NOTE: In the case of transparent proxy with SSL or SSLi, the
no-client-conn-reuse command is not supported.

require-web-category Command in forward-policy configuration mode that
enables Web Category Lookup Enforcement for web-category
and web-reputation.

Web category lookup enforcement resolves the category
and reputation score of unknown (first-request) URLs by
pausing the data plane connection. When the result is
known and the URL is categorized or reputed, the
connection is resumed.

source source-name Command in forward-policy configuration mode to specify
match rules for traffic sources and destination rules to
define what destinations clients are allowed to access.
Multiple source rules may be defined, but only a single source
rule of match-any may be defined. This command places you
in a sub-configuration mode, where the commands in TABLE 7-3,
Sub-Commands in the forward-policy source Configuration
Mode, are available.

ssli-url-filtering {bypassed-sni-disable | intercepted-sni-enable | intercepted-http-disable | no-sni-allow}
Command in forward-policy configuration mode to change default actions
related to the ACOS device being used as a transparent proxy in SSLi. The
following options are available for this command at this level:

• bypassed-sni-disable
By default, an SNI extension inspection is done on bypassed transparent
proxy SSLi traffic. Use this parameter to disable SNI inspection on
bypassed traffic.

• intercepted-sni-enable
By default, intercepted traffic is inspected only at the HTTP header level.
Use this parameter to enable SNI matching for intercepted transparent
proxy SSLi traffic.

• intercepted-http-disable
By default, intercepted transparent proxy SSLi traffic has the HTTP header
inspected. Use this parameter to disable HTTP header inspection for
intercepted transparent proxy SSLi traffic.

• no-sni-allow
By default, if SNI filtering is enabled for bypassed or intercepted
connections, and an SNI extension is not present, the packet is dropped.
Use this parameter to allow requests to be forwarded if the SNI extension
is not found for transparent proxy SSLi traffic.

ssli-url-filtering-san {enable-san | bypassed-san-disable | intercepted-san-enable | no-san-allow}
Command in forward-policy configuration mode to configure SAN filtering
on transparent proxy in SSLi. The following options are available for this
command at this level:

• enable-san
In the absence of SNI, if the no-sni-allow command is configured, SAN
filtering is enabled for bypassed or intercepted connections. Use this
parameter to enable SAN filtering on transparent proxy SSLi traffic.

• bypassed-san-disable
By default, a SAN extension inspection is done on bypassed transparent
proxy SSLi traffic. Use this parameter to disable SAN inspection on
bypassed traffic.

• intercepted-san-enable
By default, the intercepted traffic is not inspected for transparent proxy
SSLi traffic. Use this parameter to enable SAN matching for intercepted
transparent proxy SSLi traffic.

• no-san-allow
By default, if SAN filtering is enabled for bypassed or intercepted
connections, and there is no SAN extension present, the packet is
dropped. Use this parameter to allow requests to be forwarded if the SAN
extension is not found for transparent proxy SSLi traffic.
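
The ssli-url-filtering defaults above hinge on whether a ClientHello carries an SNI extension: by default bypassed traffic is inspected and a flow with no SNI is dropped, bypassed-sni-disable turns the inspection off, and no-sni-allow forwards flows that have no SNI. The following Python code is an added example, not A10 code: it builds a minimal ClientHello (a constructed fixture with a zeroed random value), extracts the host_name from the server_name extension as laid out in RFC 6066, and applies those three documented outcomes. The blocklist stands in for the class-list a destination rule would match against, and the names in it are constructed.

```python
"""Parse the SNI extension out of a TLS ClientHello and apply the
documented ssli-url-filtering defaults for bypassed transparent-proxy traffic.

Added example (not A10 code). The ClientHello builder and the blocklist
stand in for captured traffic and for a class-list match; both are
constructed for this example.
"""
import struct
from typing import Optional, Set, Tuple

RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000   # RFC 6066 server_name extension type
SNI_HOST_NAME = 0x00       # RFC 6066 NameType host_name


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record; server_name=None omits the SNI extension."""
    body = b"\x03\x03" + bytes(32)      # client_version TLS 1.2, 32-byte random (zeros; fixture only)
    body += b"\x00"                     # session_id length 0
    body += b"\x00\x02\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                 # compression_methods: null
    # supported_groups (secp256r1) goes first so the parser has to skip an extension.
    exts = b"\x00\x0a\x00\x04\x00\x02\x00\x17"
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if the extension is absent.

    Raises ValueError for anything that is not a well-formed ClientHello record.
    """
    try:
        if record[0] != RECORD_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != HANDSHAKE_CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos == len(body):
            return None                                        # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if ext_end > len(body):
            raise ValueError("extensions length exceeds ClientHello")
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            if len(data) != ext_len:
                raise ValueError("truncated extension")
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            lpos = 2                                           # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                if len(name) != name_len:
                    raise ValueError("truncated server_name")
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def sni_filter_decision(record: bytes, blocklist: Set[str] = frozenset(),
                        bypassed_sni_disable: bool = False,
                        no_sni_allow: bool = False) -> Tuple[str, Optional[str]]:
    """Disposition for a bypassed transparent-proxy SSLi flow, per the documented defaults.

    Default: SNI is inspected and a flow without SNI is dropped. bypassed-sni-disable
    turns inspection off; no-sni-allow forwards flows that carry no SNI extension.
    The blocklist plays the role of the class-list a destination rule would match.
    """
    if bypassed_sni_disable:
        return ("forward", None)
    sni = extract_sni(record)
    if sni is None:
        return ("forward" if no_sni_allow else "drop", None)
    return ("drop" if sni.lower() in blocklist else "forward", sni)


if __name__ == "__main__":
    blocked = {"blocked.example"}   # constructed stand-in for a class-list
    for name in ("www.test.com", "blocked.example", None):
        print(name, sni_filter_decision(build_client_hello(name), blocklist=blocked))
```

The parser is deliberately strict: a truncated or non-handshake record raises rather than being treated as "no SNI", so a malformed ClientHello cannot slip past the default drop by looking like a flow without an extension.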


TABLE 7-2 : Sub-Commands in the forward-policy action Configuration Mode

Command Description

[no] drop Sub-command in forward-policy-action configuration mode to drop
traffic.

[no] drop-message text Sub-command in forward-policy-action configuration
mode. Following the drop command, specify a message to appear. A
default “Access to this site is blocked by administrator” message appears
if nothing is specified.

The drop-message and drop-redirect-url commands are mutually
exclusive actions. If both are entered, the prior command will be
overwritten by the more recent one.

The drop-message command is not supported with SNI filtering.

[no] drop-redirect-url url [http-status-code http-status-code] Sub-command
in forward-policy-action configuration mode. Following a drop command,
specify a URL to redirect to after a client’s request is dropped. The
http-status-code default is 302 Found.

The drop-message and drop-redirect-url commands are mutually
exclusive actions. If both are entered, the prior command will be
overwritten by the more recent one.

The drop-redirect-url command is not supported with SNI filtering.

[no] drop-response-code Specify the response code for the drop action. The
code range is <100-599>.

[no] log Sub-command in forward-policy-action configuration mode to
provide a log of actions taken.

[no] sampling-enable {all | hits} Sub-command in forward-policy-action
configuration mode. Specify sampling-enable to enable baselining for all
requests or for requests that match the destination rule.

[no] forward-to-internet fwd-sg [snat snat-pool-name] [fallback fallback-sg [snat fb-snat-pool-name]]
Sub-command in forward-policy-action configuration mode to specify the
service-group name to send Internet traffic to. The following options are
available in this command:

• snat snat-pool-name
Parameters that apply a configured source NAT.

• fallback fallback-sg
Parameters that specify a service-group to send requests to for approved
destinations that the ACOS device cannot resolve.

• snat fb-snat-pool-name
Parameters that apply a configured source NAT for fallback requests.

[no] forward-to-service-group fwd-sg [snat snat-pool-name] Sub-command in
forward-policy-action configuration mode to specify the service-group to
send service-group traffic to. The following options are available in this
command:

• snat snat-pool-name
Parameters that apply a configured source NAT.

forward-to-proxy fwd-sg [snat snat-pool-name | bypass | support-cert-fetch]
Sub-command in forward-policy-action configuration mode to specify the
service-group to send HTTP proxy server traffic to. This chains an ACOS
device to an upstream proxy server when ACOS acts as a proxy. The
following options are available in this command:

• snat snat-pool-name
Parameters that apply a configured source NAT.

• bypass
Set this option to send all HTTPS traffic to the upstream proxy directly.

• support-cert-fetch
Set this option for the server certificate fetch traffic to be forwarded
through the explicit proxy instead of to the real server, as in the original
SSLi.


TABLE 7-3 : Sub-Commands in the forward-policy source Configuration Mode

Command Description

[no] destination any {action action-name | sampling-enable {all | hits}}
Sub-command in forward-policy-source configuration mode to specify the
destination rule to default to for requests. The following options are
available in this command:

• action action-name
Specify the action to take for requests not defined.

• sampling-enable {all | hits}
Specify sampling-enable to enable baselining for all requests or for
requests that match the destination rule.

[no] destination {class-list class-list-name | web-category-list web-category-list-name | web-reputation-scope reputation-scope} {action action-name} {host | ip | url} {priority priority-num} [sampling-enable {all | hits}]
Sub-command in forward-policy-source configuration mode to specify the
destination to send Internet traffic to, based on the following options:

• class-list class-list-name
Specify the allowed class-list to apply your action to. An Aho-Corasick or
IP type class list may be used.

• web-category-list web-category-list-name
Specify the web-category-list to apply your action to.

• web-reputation-scope reputation-scope
Specify the web-category reputation-scope for destination matching.

• action action-name
Specify the action to take for the previously defined class-list,
web-category-list, and web-reputation.

• host | ip | url
Define if a match should be based on the HTTP host header, the layer 3 IP
address, or the HTTP URL.
The ip parameter is not applicable to web-category-list and
web-reputation configuration.

• priority priority-num
Define the priority by providing a number for priority-num. The number
determines what rule to use when multiple matches occur.


    • sampling-enable {all | hits}
      Specify sampling-enable to enable baselining for all requests or for
      requests that match the destination rule.

[no] match-any
    Sub-command in forward-policy-source configuration mode for specifying
    a rule to use when there is no class-list, web-category-list, or
    web-reputation-scope match from defined sources.

[no] match-authorize-policy authorize-policy-name
    Specify an aam authorization policy template to determine membership of
    users.

[no] match-class-list class-list
    Sub-command in forward-policy-source configuration mode for specifying
    the IPv4 or IPv6 class-list name to use with the matching source rule.
    Specify the class-list to match the source rule; multiple class-lists
    can be specified by using one command per class-list.

[no] priority num
    Specify a source’s priority for aam authorization policy checking. The
    highest priority that may be defined is 1024. Each priority must have a
    unique value.


[no] sampling-enable {all | destination-match-not-found | hits | no-host-info}...
    Sub-command in forward-policy-source configuration mode to specify
    baselining. The following options are available in this command at this
    level:
    • all
      Gather the number of all requests.
    • hits
      Gather the number of requests that match the defined source rule.
    • destination-match-not-found
      Gather the number of requests with no matching destination rule.
    • no-host-info
      Gather the number of requests that failed to parse IP or host
      information.

Mode SLB policy template

Usage The forward-policy action command defines actions that can be taken,
and is normally used in conjunction with forward-policy source rules that
link destination and matching rules for an SLB policy template.
forward-to-internet fw-sg is just a placeholder.

Example Configure the action list Default_Deny to drop packets:
ACOS(config)# slb template policy p1
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# action Default_Deny
ACOS(config-policy-forward-policy-action)# drop

Example Configure the source list Any_Source to apply the Default_Deny action
for any requests that are not defined by a class-list, web-category-list,
or web-reputation-scope:
ACOS(config-policy-forward-policy)# source Any_Source
ACOS(config-policy-forward-policy-source)# match-any


ACOS(config-policy-forward-policy-source)# destination any action Default_Deny

Example Configure the source s1 to match IPs from class-list Src-List and link
the destinations from class-list dest with rules to apply from the a1
action sub-template, using a URL check with a priority of 10:
ACOS(config)# slb template policy p1
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# source s1
ACOS(config-policy-forward-policy-source)# match-class-list Src-List
ACOS(config-policy-forward-policy-source)# destination class-list dest action a1 url priority 10

geo-location full-domain-tree
Description Checks current connection count for the client’s specific geo-location
and for all geo-locations higher up in the domain tree.
It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.

Syntax [no] geo-location full-domain-tree

Default Disabled by default; when a client requests a connection, the ACOS
device checks the connection count only for the specific geo-location
level of the client. If the connection limit for that specific geo-location
level has not been reached, the client’s connection is permitted.

Mode SLB policy template

Example Enable this feature:
ACOS(config)# slb template policy p1
ACOS(config-policy)# geo-location full-domain-tree

geo-location overlap
Description Enables overlap matching mode. If there are overlapping addresses in
the Black/White list or class list, use this option to enable the ACOS device
to find the most precise match.

Syntax [no] geo-location overlap

Default Disabled

Mode SLB policy template


Example Enable this feature:
ACOS(config)# slb template policy p1
ACOS(config-policy)# geo-location overlap

geo-location share
Description Enables sharing of PBSLB statistics counters for virtual servers and
virtual ports that use the template. This option causes the following
counters to be shared:
• Permit
• Deny
• Connection number
• Connection limit
It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.

Syntax [no] geo-location share

Default Disabled

Mode SLB policy template

Example Enable this feature:
ACOS(config)# slb template policy p1
ACOS(config-policy)# geo-location share


SLB Policy Template Class-List LID Configuration Commands
This section lists the commands available at the SLB policy template class-list LID
configuration level. Below is an example of how to access this level:
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)#

The following topics are covered:

action 318

bw-rate-limit 320

conn-limit 320

conn-rate-limit 321

over-limit-action 322

request-limit 323

request-rate-limit 323

response-code-rate-limit 324

action
Description Specifies the ACOS behavior when a request matches the class list entry
for servers using the template.

Syntax [no] action MATCH-ACTION [LOG-TYPE]


Parameter Description

MATCH-ACTION
    Specifies the behavior. Valid options include:
    • service-group grp-name: the request is forwarded to the specified
      service group.
    • reset: ACOS sends RST to the
    • drop: ACOS drops the request.

LOG-TYPE
    Specifies the log messages generated when a request matches the class
    list. Valid options include:
    • <no parameter>: no entries are logged.
    • logging 0: actions are immediately logged.
    • logging <1 to 60>: events are logged at the specified interval
      (minutes). The default value is three.
    • logging fail: only unsuccessful connections are logged.

Mode SLB policy template class-list LID

Example This example configures the device to forward matching requests to the
service group gp1 and create a log entry every 15 minutes:
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# action service-group group1 logging 15
ACOS(config-policy-class-list:clist1)# end

The show class-list command provides a hitcount parameter that displays the
number of times a class list LID is matched:
ACOS# show class-list clist1
Name: clist1


Total single IP: 2
Total IP subnet: 1
Content:
1.1.1.1/32 lid 3 hitcount 0
1.1.1.2/32 lid 2 hitcount 0
13.13.13.0/24 lid 1 hitcount 3

bw-rate-limit
Description Configure the bandwidth rate limit for servers that use this template.

Syntax [no] bw-rate-limit num-bytes per num-100ms

Parameter Description

num-bytes
    Rate limit in bytes (1-2147483647).

num-100ms
    Rate interval in number of 100ms increments (1-65535).

Mode SLB policy template class-list LID

Example This example configures a bandwidth rate limit of 1,024,000 bytes per
second (10 100ms intervals):
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# bw-rate-limit 1024000 per 10

conn-limit
Description Specifies the maximum number of concurrent connections allowed
for a client.

Syntax [no] conn-limit num


Parameter Description

num
    Maximum number of concurrent connections allowed (0-1048575).
    Connection limit 0 immediately locks down matching clients.

Mode SLB policy template class-list LID

Example This example configures a connection limit of 10000 concurrent
connections:
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# conn-limit 10000

conn-rate-limit
Description Specifies the maximum number of new connections allowed for a cli-
ent within the specified limit period.

Syntax [no] conn-rate-limit num-conn per num-100ms

Parameter Description

num-conn
    Maximum number of new connections allowed (1-2147483647).

num-100ms
    Interval in number of 100ms increments (1-65535).

Mode SLB policy template class-list LID

Example This example configures 1,000,000 new connections allowed per second
(10 100ms intervals):
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# conn-rate-limit 1000000 per 10


over-limit-action
Description Specifies the action to take when a client exceeds one or more of the
limits. The command also configures lockout and enables logging.

Syntax [no] over-limit-action [forward | reset] [lockout minutes] [log minutes]

Parameter Description

drop
    The ACOS device drops that traffic. If logging is enabled, the ACOS
    device also generates a log message.
    NOTE: There is no drop keyword; this is the default action.

forward
    The ACOS device forwards the traffic. If logging is enabled, the ACOS
    device also generates a log message.

reset
    For TCP, the ACOS device sends a TCP RST to the client. If logging is
    enabled, the ACOS device also generates a log message.

lockout
    Specifies the number of minutes during which to apply the over-limit
    action after the client exceeds a limit. The lockout period is activated
    when a client exceeds any limit. The lockout period can be 1-1023
    minutes.


log
    Generates log messages when clients exceed a limit. When logging is
    enabled, a separate message is generated for each over-limit occurrence,
    by default. You can specify a logging period during which the ACOS
    device holds the repeated messages, then sends one message at the end of
    the period for all instances within the period. The logging period can
    be 0-255 minutes.
    The default is 0 (no wait period).

Mode SLB policy template class-list LID

request-limit
Description Specifies maximum number of concurrent Layer 7 requests allowed
for a client.

Syntax [no] request-limit num

Parameter Description

num
    Number of concurrent Layer 7 requests (1-1048575).

Mode SLB policy template class-list LID

request-rate-limit
Description Specifies the maximum number of Layer 7 requests allowed for the
client within the specified limit period.

Syntax [no] request-rate-limit num-req per num-100ms


Parameter Description

num-req
    Maximum number of new requests allowed (1-4294967295).

num-100ms
    Interval in number of 100ms increments (1-65535).

Mode SLB policy template class-list LID

response-code-rate-limit
Description Configure a limit for the number of times a specified range of server
response codes is received in a specified period of time.

NOTE: This feature only works for SMTP virtual ports. See the example
below.

Syntax [no] response-code-rate-limit start-code-range - end-code-range num per seconds

Parameter Description

start-code-range
    Start range of server response codes (100-600).

end-code-range
    End range of server response codes (100-600).

num
    Number of times there is a match on the specified response code(s).

seconds
    Time limit interval, in seconds.

Mode SLB policy template class-list LID

Example This example configures a policy template with a response code rate limit
and then applies the template to an SMTP virtual port. The response code
rate limit will be exceeded when there are:
• 2 matches every 20 seconds for response codes numbered 500-590
• 15 matches per 127 seconds for response codes numbered 300-390
If either limit is exceeded, the reset action is applied for 10 minutes and
logged.
ACOS(config)# slb template policy pol1


ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# over-limit-action reset lockout 10 log
ACOS(config-policy-class-list:clist1-lid:1)# response-code-rate-limit 500 - 590 2 per 20
ACOS(config-policy-class-list:clist1-lid:1)# response-code-rate-limit 300 - 390 15 per 127
ACOS(config-policy-class-list:clist1-lid:1)# end
ACOS# configure
ACOS(config)# slb virtual-server VS_SMTP1 10.5.5.10
ACOS(config-slb vserver)# port 25 smtp
ACOS(config-slb vserver-vport)# template policy pol1
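As an added example (not code from the ACOS product or this reference), the following Python model plays the pol1 LID above against a stream of SMTP response codes: a fixed-window counter per code range, the reset over-limit action held for the lockout period, and the log-period batching described under over-limit-action. The per-client keying, the fixed-window semantics and the reading that num matches are allowed before the limit counts as exceeded are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ResponseCodeRateLimit:
    """One response-code-rate-limit line: start-code - end-code num per seconds."""
    start_code: int
    end_code: int
    num: int        # matches allowed inside one window (assumption: num+1 trips it)
    seconds: int    # window length in seconds


@dataclass
class LidConfig:
    """The over-limit-action and rate-limit lines of one class-list LID."""
    limits: List[ResponseCodeRateLimit]
    action: str = "drop"          # drop is the default and has no keyword
    lockout_minutes: int = 0      # 0 = no lockout period (page range: 1-1023)
    log: bool = False
    log_period_minutes: int = 0   # 0 = one message per occurrence (page range: 0-255)


class LidEnforcer:
    """Fixed-window counter per (client, limit); an assumed model, not ACOS internals."""

    def __init__(self, cfg: LidConfig) -> None:
        self.cfg = cfg
        self._windows: Dict[Tuple[str, int], Tuple[float, int]] = {}  # (client, idx) -> (start, count)
        self._locked_until: Dict[str, float] = {}                      # client -> end of lockout
        self._pending: Dict[str, Tuple[float, int]] = {}               # client -> (period start, held)
        self.log_lines: List[str] = []

    def on_response(self, client: str, code: int, now: float) -> str:
        """Account one server response code seen for `client` at time `now` (seconds).

        Returns the action applied to the client's traffic: "forward" while under
        every limit, otherwise the configured over-limit action.
        """
        self.flush_logs(now)
        if now < self._locked_until.get(client, -1.0):
            return self.cfg.action               # still inside the lockout period
        for idx, lim in enumerate(self.cfg.limits):
            if not lim.start_code <= code <= lim.end_code:
                continue
            start, count = self._windows.get((client, idx), (now, 0))
            if now - start >= lim.seconds:       # window expired: start a fresh one
                start, count = now, 0
            count += 1
            self._windows[(client, idx)] = (start, count)
            if count > lim.num:
                self._over_limit(client, lim, now)
                return self.cfg.action
        return "forward"

    def _over_limit(self, client: str, lim: ResponseCodeRateLimit, now: float) -> None:
        if self.cfg.lockout_minutes:
            self._locked_until[client] = now + self.cfg.lockout_minutes * 60
        if not self.cfg.log:
            return
        if self.cfg.log_period_minutes == 0:     # default: one message per occurrence
            self.log_lines.append(
                f"{now:.0f}s {client} exceeded {lim.start_code}-{lim.end_code} "
                f"({lim.num} per {lim.seconds}s): {self.cfg.action}")
            return
        start, held = self._pending.get(client, (now, 0))
        self._pending[client] = (start, held + 1)  # hold repeats until the period ends

    def flush_logs(self, now: float) -> None:
        """Emit one summary message per client whose logging period has ended."""
        period = self.cfg.log_period_minutes * 60
        for client, (start, held) in list(self._pending.items()):
            if now - start >= period:
                self.log_lines.append(
                    f"{now:.0f}s {client}: {held} over-limit events in the last "
                    f"{self.cfg.log_period_minutes} min")
                del self._pending[client]


def example_policy() -> LidConfig:
    """The page's pol1 example: reset for 10 minutes with logging, two code ranges."""
    return LidConfig(
        limits=[ResponseCodeRateLimit(500, 590, 2, 20),
                ResponseCodeRateLimit(300, 390, 15, 127)],
        action="reset", lockout_minutes=10, log=True)


if __name__ == "__main__":
    # Constructed sample: one client draws three 5xx replies in three seconds.
    enforcer = LidEnforcer(example_policy())
    for t, code in [(0, 550), (1, 550), (2, 550), (3, 250), (603, 250)]:
        print(t, code, enforcer.on_response("203.0.113.7", code, t))
    print("\n".join(enforcer.log_lines))
```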

Chapter 8: Config Commands: SLB Real Port
Templates
This section lists the commands and sub-commands to configure SLB real port templates.

The following topics are covered:

Global Configuration Commands 328

SLB Port Template Configuration Commands 330


Global Configuration Commands


The following topics are covered:

slb template port 328

slb template port
Description Configure a template of SLB settings for service ports on real servers.

Syntax [no] slb template port {default | template-name}

Parameter Description

default
    Edit the default port template. This template can be modified in the
    same way as any custom template-name you specify.

template-name
    Template name (1-127 characters).

This command enters the SLB Port Template Configuration Commands for the
specified port template.

Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a real port template. The no
form of this command removes the template.
You can bind only one real port template to a real port. However, you can
bind the real port template to multiple real ports.
Some of the parameters that can be set using a template can also be set
or changed on the individual port.
• If a parameter is set (or changed from its default) in both a template
and on the individual port, the setting on the individual port takes
precedence.


• If a parameter is set (or changed from its default) in a template but is
not set or changed from its default on the individual port, the setting
in the template takes precedence.

Example The following example configures a real port template named
“common-rpsettings”, enables slow-start in the template, and binds the
template to a real port:
ACOS(config)# slb template port common-rpsettings
ACOS(config-rport)# slow-start from 256
ACOS(config-rport)# exit
ACOS(config)# slb server rs1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# template port common-rpsettings


SLB Port Template Configuration Commands
To access these commands at the SLB port template level, enter the slb template port
command.

The following topics are covered:

bw-rate-limit 330

conn-limit 331

conn-rate-limit 332

dampening-flaps 333

del-session-on-server-down 334

dest-nat 334

down-grace-period 334

dscp 335

dynamic-member-priority 336

extended-stats 337

health-check 337

health-check-disable 338

inband-health-check 338

no-ssl 340

request-rate-limit 341

slow-start 342

source-nat 343

stats-data-disable 343

stats-data-enable 344

weight 344

bw-rate-limit
Description Configure the bandwidth rate limit for ports that use this template.


Syntax [no] bw-rate-limit limnum resume resnum duration durnum [no-logging]

Parameter Description

limnum
    Bandwidth rate limit number in Kbps (1-16777216).

resnum
    Resume port selection after bandwidth drops below this threshold, in
    Kbps (1-16777216).

durnum
    Time period, in seconds (1-250), for which the bandwidth must stay
    above the bw-rate-limit number before the limit takes effect, and below
    the resume number before port selection resumes.

no-logging
    Do not log bandwidth rate limit related state transitions.

Default Not set

Mode SLB port template

conn-limit
Description Maximum number of connections allowed on the port using this tem-
plate.

Syntax [no] conn-limit max-num [resume resume-num] [no-logging]

Parameter Description

max-num
    Maximum number of concurrent connections (1-8000000).

resume-num
    Maximum number of connections the port can have before the ACOS device
    resumes use of the port (1-1048575).

no-logging
    Disables logging for this feature.

Default 8000000 (8 million)

Mode SLB port template


Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output
and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.

Example Configure 7 million as the maximum number of connections, with no
logging:
ACOS(config)# slb template port default
ACOS(config-rport)# conn-limit 7000000 no-logging

conn-rate-limit
Description Limits the rate of new connections the ACOS device is allowed to send to
ports that use this template. When a port reaches its connection limit, the
ACOS device stops selecting the port for client requests.

Syntax [no] conn-rate-limit connections [per {100ms | second}] [no-logging]

Parameter Description

connections
    Maximum number of new connections allowed on a port. You can specify
    1-1048575 connections.

per {100ms | 1sec}
    Specifies whether the connection rate limit applies to one-second
    intervals or 100-ms intervals. The default is one-second intervals
    (1sec).

no-logging
    Disable logging when this feature is enabled.

Default By default this is not set; when enabled, the default sampling rate is per
1sec.

Mode SLB port template

Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output


and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.

Example Configure 1 million as the maximum number of new connections per
second, with no logging:
ACOS(config)# slb template port default
ACOS(config-rport)# conn-rate-limit 1000000 per second no-logging

dampening-flaps
Description Specifies parameters for taking a port or service group out of service
when they report flaps. A flap is consecutive down and up status reports.
When the template is bound to a port or service-group and that entity
reports more flaps than specified by the max parameter over the period
specified by flap-time, the entity is forced down and remains out of the
rotation for the period specified by down-time.

Syntax dampening-flaps max flap-period flap-time restore-svc-time down-time

Parameter Description

max
    The number of flaps an entity can report during the flap period and
    remain in service. Flaps in excess of this number trigger a dampening
    event.

flap-time
    Time period for counting flaps. Upon flap-time expiry, the flap count
    resets to zero.

down-time
    Time period the entity remains out of service.

Default By default this is not set

Mode SLB port template

Example This example configures the template to force a port down if it
experiences more than 3 flaps within 20 seconds. The entity remains out of
service for 40 seconds:
ACOS(config)# slb template port PORT1
ACOS(config-rport)# dampening-flaps 3 flap-period 20 restore-svc-time 40
ACOS(config-rport)#
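As an added example (not ACOS code), this Python model applies the page's flap definition and the PORT1 settings above: flaps are counted per flap period, the counter resets when the period expires, and the entity is held out of rotation for down-time once the count exceeds max. Counting one flap for each down-then-up pair and ignoring reports made during the dampened period are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DampeningFlaps:
    """dampening-flaps max flap-period flap-time restore-svc-time down-time"""
    max_flaps: int      # flaps tolerated inside one flap period
    flap_time: float    # flap period in seconds; the counter resets when it expires
    down_time: float    # seconds the entity is forced out of rotation


class FlapDampener:
    """Tracks up/down reports for one port or service group (assumed model).

    A flap is counted when a down report is followed by an up report, which is
    how the page defines it; reports made while the entity is forced down do
    not count.
    """

    def __init__(self, cfg: DampeningFlaps) -> None:
        self.cfg = cfg
        self.last_status: Optional[str] = None
        self.flaps = 0
        self.period_start: Optional[float] = None
        self.forced_down_until: Optional[float] = None
        self.events: List[str] = []

    def in_service(self, now: float) -> bool:
        """True when the entity may be selected for traffic at time `now`."""
        if self.forced_down_until is not None:
            if now < self.forced_down_until:
                return False
            # down-time has elapsed: restore and start a clean flap period
            self.forced_down_until = None
            self.flaps = 0
            self.period_start = None
            self.events.append(f"{now:.0f}s restored to service")
        return self.last_status == "up"

    def report(self, status: str, now: float) -> bool:
        """Feed one status report ("up" or "down"); returns whether the entity is in service."""
        if status not in ("up", "down"):
            raise ValueError(status)
        if self.forced_down_until is not None and now < self.forced_down_until:
            self.last_status = status          # remembered, but the entity stays dampened
            return False
        self.in_service(now)                   # clears an expired forced-down state
        if self.period_start is None or now - self.period_start >= self.cfg.flap_time:
            self.period_start, self.flaps = now, 0   # flap-time expiry resets the count
        if self.last_status == "down" and status == "up":
            self.flaps += 1
            if self.flaps > self.cfg.max_flaps:
                self.forced_down_until = now + self.cfg.down_time
                self.events.append(
                    f"{now:.0f}s {self.flaps} flaps in {self.cfg.flap_time:.0f}s "
                    f"(max {self.cfg.max_flaps}): forced down for {self.cfg.down_time:.0f}s")
                self.last_status = status
                return False
        self.last_status = status
        return status == "up"


def page_example() -> DampeningFlaps:
    """The page's PORT1 template: dampening-flaps 3 flap-period 20 restore-svc-time 40."""
    return DampeningFlaps(max_flaps=3, flap_time=20, down_time=40)


if __name__ == "__main__":
    d = FlapDampener(page_example())
    # Constructed sample: the port bounces four times in eight seconds.
    for t, s in enumerate(["up", "down", "up", "down", "up", "down", "up", "down", "up"]):
        print(t, s, d.report(s, t))
    print("\n".join(d.events))
```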


del-session-on-server-down
Description This command clears a port protocol session within 2 to 3 seconds if a
session’s server is disabled by ACOS command or the server fails an ACOS
health check at the service group level.
If one or more real servers in a service group fail the health check and
this command is enabled for the session, ACOS clears the session.
Active sessions (those receiving client-side packets) are cleared within 2
to 3 seconds. Idle sessions may continue to exist for more than a minute
after the command is issued.

Syntax [no] del-session-on-server-down

Default This feature is disabled by default.

Mode SLB port template

Example This example shows how the command is applied:
ACOS(config)# slb template port default
ACOS(config-rport)# del-session-on-server-down

dest-nat
Description Enables destination Network Address Translation (NAT) on ports that use
this template.
Destination NAT is enabled by default, but is automatically disabled in
Direct Server Return (DSR) configurations. You can re-enable destination
NAT on individual ports for deployment of mixed DSR configurations,
which use backup servers across Layer 3 (in different subnets).

Syntax [no] dest-nat

Default Disabled.

Mode SLB port template

Example Enable destination NAT on ports that use this template:
ACOS(config)# slb template port default
ACOS(config-rport)# dest-nat

down-grace-period
Description Number of seconds the ACOS device will continue to forward packets to
a port that is down. This option is useful for taking servers down for


maintenance without immediately impacting existing sessions on the
servers. You can specify 1-86400 seconds.

NOTE: The service group must contain 2 or more servers for this feature
to work.

This feature supports stateless and stateful load balancing. However, the
feature is not supported for stateful hash load-balancing methods, such as
source-IP-based or destination-IP-based hashing.

Syntax [no] down-grace-period num

Parameter Description

num Number of seconds (1-86400).

Mode SLB port template

Example Set the grace period to 3600 seconds:
ACOS(config)# slb template port default
ACOS(config-rport)# down-grace-period 3600

dscp
Description Sets the differentiated services code point (DSCP) value in the IP header
of a client request before sending the request to ports that use this tem-
plate.

Syntax [no] dscp num

Parameter Description

num DSCP value (1-63).

Default By default, DSCP is not set by the ACOS device.

Mode SLB port template

Example The following example illustrates how this feature works:

1. Configure a port template named t1 that marks DSCP 4 on outgoing
packets.

slb template port t1

dscp 4

2. Configure a virtual-port template named vp1 that marks DSCP 6 on
outgoing packets.

slb template virtual-port vp1
dscp 6

3. Bind t1 to both port 80 tcp and port 443 tcp.

slb server s1 9.8.8.15
port 80 tcp
template port t1
port 443 tcp
template port t1

4. Configure a virtual server named vip2 with virtual port 80 http
and port 443 tcp. Although the vp1 template is bound to both
ports, outgoing packets are marked with DSCP 4, because real ports
take precedence over virtual ports.

slb virtual-server vip2 fd5a:bfc:563c:bcda::100
port 80 http
source-nat pool s2
service-group sg-80-6
template virtual-port vp1
port 443 https
source-nat pool s2
service-group sg-443-6
template server-ssl s1
template client-ssl cl-ssl1
template virtual-port vp1

dynamic-member-priority
Description Configure service-group priority settings for ports on dynamically cre-
ated servers. When configuring the service group, add the port template
to the member.

Syntax [no] dynamic-member-priority num decrement delta


Parameter Description

num
    Initial TTL for dynamically created service-group members (1-16).
    The default is 16.

delta
    Amount to decrement the TTL if the IP address is not included in the
    DNS reply (0-7).
    The default is 0.

Mode SLB port template

Example Set the initial TTL to 12 and the decrement value to 1:
ACOS(config)# slb template port default
ACOS(config-rport)# dynamic-member-priority 12 decrement 1

extended-stats
Description Enables collection of SLB peak connection statistics for the port.

Syntax [no] extended-stats

Default Disabled.

Mode SLB port template

Example Enable this feature:
ACOS(config)# slb template port default
ACOS(config-rport)# extended-stats

health-check
Description Enables health monitoring of ports that use this template.

Syntax [no] health-check name

Parameter Description

name Name of a configured health monitor.

Default By default, health checking is disabled.


Mode SLB port template

Usage If you omit this command or you enter it without the monitor-name
option, the default TCP or UDP health monitor is used:
• TCP—Every 30 seconds, the ACOS device sends a connection
request (TCP SYN) to the specified TCP port on the server. The port
passes the health check if the server replies to the ACOS device by
sending a TCP SYN ACK.
• UDP—Every 30 seconds, the ACOS device sends a packet with a
valid UDP header and a garbage payload to the UDP port. The port
passes the health check if the server either does not reply, or replies
with any type of packet except an ICMP Error message.

Example Create health monitor “hm-dad”, then enable health monitoring for
ports using this template, with “hm-dad” as the health monitor:
ACOS(config)# health monitor hm-dad
ACOS(config-health:monitor)# disable-after-down
ACOS(config-health:monitor)# exit
ACOS(config)# slb template port default
ACOS(config-rport)# health-check hm-dad

health-check-disable
Description Disable health checking for the port.

Syntax [no] health-check-disable

Default By default, health checking is disabled.

Mode SLB port template

Example Disable health checking:
ACOS(config)# slb template port default
ACOS(config-rport)# health-check-disable

inband-health-check
Description Supplements the standard Layer 4 health checks by using client-server
traffic to check the health of service ports.

Syntax [no] inband-health-check [down-timer seconds] [resel-on-reset]
[retry max-retries] [reassign max-reassigns]


Parameter Description

seconds
    Amount of time in seconds to bring up the server or port that is marked
    down (0-255).
    The default is 0; the server or port is never brought up.

resel-on-reset
    When receiving a reset from the server, also re-select the server and
    port.
    This is disabled by default.

max-retries
    Each client-server session has its own retry counter. The ACOS device
    increments a session’s retry counter each time a SYN ACK is late. If the
    retry counter exceeds the configured maximum number of retries allowed,
    the ACOS device sends the next SYN for the session to a different server.
    The ACOS device also resets the retry counter to 0. You can set the retry
    counter to 0-7 retries.
    The default number of retries is 2.


max-reassigns
    Each real port has its own reassign counter. Each time the retry counter
    for any session is exceeded, the ACOS device increments the reassign
    counter for the server port. If the reassign counter exceeds the
    configured maximum number of reassignments allowed, the ACOS device
    marks the port down.
    In this case, the port remains down until the next time the port
    successfully passes a standard health check. Once the port passes a
    standard health check, the ACOS device starts using the port again and
    resets the reassign counter to 0. You can set the reassign counter to
    0-255 reassignments.
    The default is 25 reassignments.

Default Disabled.

Mode SLB port template

Usage It is recommended that you continue to use standard Layer 4 health mon-
itoring even if you enable in-band health monitoring. Without standard
health monitoring, a server port marked down by an in-band health
check remains down.

Example Enable inband health checking:
ACOS(config)# slb template port default
ACOS(config-rport)# inband-health-check down-timer 5 resel-on-reset
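The retry and reassign counters described in the parameter table, as an added Python model that is not ACOS code: per-session retry counts, per-port reassign counts, the port marked down once the reassign limit is exceeded, and that counter reset when a standard health check passes. The port and session naming, and the down-timer restore also clearing the reassign counter, are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class InbandConfig:
    """inband-health-check [down-timer seconds] [resel-on-reset] [retry n] [reassign n]"""
    max_retries: int = 2        # page default; range 0-7
    max_reassigns: int = 25     # page default; range 0-255
    down_timer: int = 0         # seconds; 0 = a port marked down is never brought up by the timer
    resel_on_reset: bool = False


@dataclass
class RealPort:
    name: str
    up: bool = True
    reassigns: int = 0
    down_since: Optional[float] = None


class InbandHealthCheck:
    """Per-session retry counters and per-port reassign counters (assumed model)."""

    def __init__(self, cfg: InbandConfig) -> None:
        self.cfg = cfg
        self.ports: Dict[str, RealPort] = {}
        self._retries: Dict[str, int] = {}     # session id -> late SYN ACK count

    def port(self, name: str) -> RealPort:
        return self.ports.setdefault(name, RealPort(name))

    def late_syn_ack(self, session: str, port_name: str, now: float) -> str:
        """Record a late SYN ACK for `session` on `port_name`.

        Returns "retry" while the session may resend its SYN to the same server,
        "reassign" when the next SYN must go to a different server, and
        "port-down" when that reassignment also exceeds the port's limit.
        """
        port = self.port(port_name)
        self._retries[session] = self._retries.get(session, 0) + 1
        if self._retries[session] <= self.cfg.max_retries:
            return "retry"
        self._retries[session] = 0                  # next SYN goes elsewhere; counter restarts
        port.reassigns += 1
        if port.reassigns > self.cfg.max_reassigns and port.up:
            port.up = False
            port.down_since = now
            return "port-down"
        return "reassign"

    def server_reset(self, session: str) -> str:
        """A RST from the server; with resel-on-reset the server and port are re-selected."""
        return "reselect" if self.cfg.resel_on_reset else "close"

    def standard_health_check(self, port_name: str, passed: bool) -> bool:
        """Result of the standard Layer 4 health check; a pass restores the port."""
        port = self.port(port_name)
        if passed:
            port.up = True
            port.down_since = None
            port.reassigns = 0                     # page: counter resets on a passed check
        return port.up

    def tick(self, now: float) -> None:
        """Apply down-timer: bring a port back after `down_timer` seconds (0 = never).

        Assumption: the timer-driven restore also restarts the reassign count, so
        the port is not marked down again by the very next reassignment.
        """
        if self.cfg.down_timer == 0:
            return
        for port in self.ports.values():
            if (not port.up and port.down_since is not None
                    and now - port.down_since >= self.cfg.down_timer):
                port.up = True
                port.down_since = None
                port.reassigns = 0


if __name__ == "__main__":
    hc = InbandHealthCheck(InbandConfig(max_retries=2, max_reassigns=1, down_timer=5))
    # Constructed sample: two sessions each see three late SYN ACKs on the same port.
    for sess, t in [("s1", 0), ("s1", 1), ("s1", 2), ("s2", 3), ("s2", 4), ("s2", 5)]:
        print(t, sess, hc.late_syn_ack(sess, "rs1:80", t))
    hc.tick(10)
    print("rs1:80 up:", hc.port("rs1:80").up)
```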

no-ssl
Description Disables SSL for server-side connections. This command is useful if a
server-SSL template is bound to the virtual port that uses this real port,
and you want to disable encryption on this real port.
Using the double-negative form of the command (no no-ssl) enables SSL for
server-side connections.


Syntax [no] no-ssl

Default Encryption is disabled by default, but it is enabled for server-side connections when the real port is used by a virtual port that is bound to a server-SSL template.

Mode SLB port template

Example Disable SSL for server-side connections:


ACOS(config)# slb template port default
ACOS(config-rport)# no-ssl

request-rate-limit
Description Limits the number of new requests that can be received by the port.

NOTE: This command applies only to configurations that use an external-service template.

Syntax [no] request-rate-limit num [per {100ms | second}] [reset] [no-logging]

Parameter Description

num Maximum number of new connection requests allowed per the specified interval (1-1048575).

per Interval for the rate:

100ms—Up to num new connection requests are allowed per one-tenth second (100 ms).

second—Up to num new connection requests are allowed per second.

reset Sends a RST to a client that sends a new request during an interval in which the request rate has been exceeded. By default, requests that are received after the limit is exceeded are dropped with no RST.

no-logging Disables logging for this feature.

Mode SLB port template

Example Set the request rate limit to 500,000 per 100ms.


ACOS(config)# slb template port default
ACOS(config-rport)# request-rate-limit 500000 per 100ms

slow-start
Description Provides time for real ports that use the template to ramp-up after
TCP/UDP service is enabled, by temporarily limiting the number of new
connections on the ports.

Syntax [no] slow-start [from start-conn-limit] [times scale-factor | add conn-increment] [every interval] [till end-conn-limit]

Parameter Description

start-conn-limit Maximum number of concurrent connections to allow on the service port after it first comes up. You can specify from 1-4095 concurrent connections. The default is 128.

scale-factor Number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the ACOS device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2.

conn-increment Number of additional concurrent connections to allow after each ramp-up interval. You can specify 1-4095 new connections.

interval Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds.

end-conn-limit Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096.

Mode SLB port template

Example Configure ramp-up for ports; 128 connections to start, increase every 15
seconds, until 4096 connections are reached.
ACOS(config)# slb template port default
ACOS(config-rport)# slow-start from 128 every 15 till 4096
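The following function is an added example, not ACOS or A10 code: it computes the connection-limit schedule that the slow-start parameters describe, for both the times (multiply) and add (increment) forms, so you can see how long a port stays throttled before the limit is lifted. The same parameters and ramp apply to the slow-start command of the SLB server template in Chapter 11. Function names are assumptions, as is capping the last step at the till value (the page says only that till is the limit during the final interval).

```python
# Added example (not ACOS or A10 code): the connection-limit schedule that the
# slow-start parameters describe. Function names and the cap at `till` on the
# last step are assumptions.

def slow_start_schedule(start=128, times=None, add=None, every=10, till=4096):
    """Return [(seconds_since_up, conn_limit), ...]; a limit of None means the
    slow start is over and the port is no longer limited."""
    if times is not None and add is not None:
        raise ValueError("times and add are mutually exclusive")
    if times is None and add is None:
        times = 2                                     # CLI default scale factor
    if not 1 <= start <= 4095:
        raise ValueError("from: 1-4095")
    if not 1 <= every <= 60:
        raise ValueError("every: 1-60 seconds")
    if not 1 <= till <= 65535:
        raise ValueError("till: 1-65535")
    if times is not None and not 2 <= times <= 10:
        raise ValueError("times: 2-10")
    if add is not None and not 1 <= add <= 4095:
        raise ValueError("add: 1-4095")
    t, limit = 0, start
    steps = [(t, limit)]
    while limit < till:
        t += every
        limit = min(limit * times if times is not None else limit + add, till)
        steps.append((t, limit))
    steps.append((t + every, None))   # final interval elapsed: unlimited
    return steps


def limit_at(steps, t):
    """Connection limit in force `t` seconds after the port came up."""
    current = None
    for when, limit in steps:
        if t < when:
            break
        current = limit
    return current
```

For the CLI example above (from 128 every 15 till 4096, default scale factor 2) the limit doubles at 15-second intervals and the port is unthrottled 90 seconds after it comes up; the add form gives a linear ramp instead.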

source-nat
Description Specifies the IP NAT pool to use for assigning source IP addresses to cli-
ent traffic sent to ports using this template. When the ACOS device per-
forms NAT for a port that is bound to the template, the device selects an
IP address from the pool.

Syntax [no] source-nat name

Parameter Description

name Name of the configured NAT pool.

Mode SLB port template

Example Use “np1” as the source NAT pool.

ACOS(config)# slb template port default
ACOS(config-rport)# source-nat np1

stats-data-disable
Description Disables statistical data collection for ports that use this template.

Syntax [no] stats-data-disable

Default Stats collection is enabled by default.


Mode SLB port template

Example Disable statistical data collection:

ACOS(config)# slb template port default
ACOS(config-rport)# stats-data-disable

stats-data-enable
Description Enables statistical data collection for ports that use this template.

Syntax [no] stats-data-enable

Default Stats collection is enabled by default.

Mode SLB port template

Example Enable statistical data collection:

ACOS(config)# slb template port default
ACOS(config-rport)# stats-data-enable

weight
Description Specifies the load-balancing preference for ports that use this template.
A higher weight gives preference to the server and port relative to other
servers and ports.
This option applies only to the service-weighted-least-connection
load-balancing method. This option does not apply to the weighted-
least-connection or weighted-round-robin load-balancing methods.

Syntax [no] weight num

Parameter Description

num Weight (1-1000).

Default 1

Mode SLB port template

Example Configure 3 as the weight.

ACOS(config)# slb template port default
ACOS(config-rport)# weight 3

Chapter 9: Config Commands: SLB REQMOD ICAP Templates
This section lists the commands and sub-commands to configure SLB Request Modification
Mode, Internet Content Adaptation Protocol (REQMOD ICAP) templates.

The following topics are covered:

Global Configuration Commands 346

SLB REQMOD ICAP Template Configuration Commands 348


Global Configuration Commands


The following topics are covered:

slb template reqmod-icap 346

slb template reqmod-icap

Description Creates a template that you can apply to ACOS virtual servers to enable ICAP REQMOD message capability on the virtual server.

Syntax [no] slb template reqmod-icap reqmod-template-name

This command changes the configuration mode to a new sub-level, where the commands in SLB REQMOD ICAP Template Configuration Commands are available.

Default ACOS does not have a default SLB REQMOD ICAP template.

Mode Global Configuration mode

Usage See the “Redirection of SSLi Sessions to ICAP Servers” section of the SSL
Insight Configuration Guide for an overview of ICAP and usage
guidelines.

Example The following example creates a REQMOD ICAP template with the name REQMOD_abcd, and then binds it to the HTTP vPort of a wildcard SLB virtual server.
ACOS(config)# slb server ICAP_server_1 10.1.26.11
ACOS(config-real server)# port 1344 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group SG_ICAP tcp
ACOS(config-slb svc group)# member ICAP_server_1 1344
ACOS(config-slb svc group-member:1344)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template reqmod-icap REQMOD_abcd
ACOS(config-reqmod-icap)# service-group SG_ICAP
ACOS(config-reqmod-icap)# service-url icap://abcd.com/reqmod_abcd
ACOS(config-reqmod-icap)# exit
ACOS(config)# slb virtual-server wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template reqmod-icap REQMOD_abcd


SLB REQMOD ICAP Template Configuration Commands


To access commands at the SLB REQMOD ICAP template level, enter the slb template req-
mod-icap command.

The following topics are covered:

allowed-http-methods 348

disable-http-server-reset 349

fail-close 350

include-protocol-in-uri 350

log-only-allowed-method 350

min-payload-size 351

preview 351

service-group 352

service-url 352

template 353

allowed-http-methods
Description Specifies the HTTP methods that the template treats as allowed. Any method that is not in the supported list below is rejected when you enter the command.

Syntax [no] allowed-http-methods methods

The allowed methods that can be specified are GET, POST, HEAD, PUT, OPTIONS, TRACE, DELETE, PURGE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK.

Default If no methods are specified, the default is to allow all HTTP methods.

Mode SLB REQMOD ICAP template

Usage RFC 3507 defines ICAP itself. The HTTP methods are defined in RFC 7231 (GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE) and RFC 4918 (the WebDAV methods PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK); PURGE is a cache-control method that is not standardized.

Example Example configuration:

ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# allowed-http-methods GET

ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# allowed-http-methods "MKCOL GET"
ACOS(config-reqmod-icap)# show config slb template reqmod-icap Reqmod_Template
!Section configuration: 80 bytes
!
slb template reqmod-icap Reqmod_Template
allowed-http-methods "MKCOL GET"
!

Example Use the no form of the command to return to the default where all HTTP methods are allowed. The following example removes the restriction of the previous example that allowed only MKCOL and GET, and returns to the default where all HTTP methods are allowed:

ACOS(config-reqmod-icap)# no allowed-http-methods "MKCOL GET"
ACOS(config-reqmod-icap)# show config slb template reqmod-icap Reqmod_Template
!Section configuration: 80 bytes
!
slb template reqmod-icap Reqmod_Template
!

Example If ACOS does not recognize or allow the methods you enter in the command, you get the following error message listing all the supported methods:
ACOS(config-reqmod-icap)# allowed-http-methods ALL
Unsupported HTTP method in list, Supported methods are: GET POST HEAD PUT OPTIONS TRACE DELETE PURGE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK

disable-http-server-reset
Description Prevents the HTTP server from resetting.

Syntax [no] disable-http-server-reset

Default Enabled

Mode SLB REQMOD ICAP template

Example Example configuration:


ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# disable-http-server-reset


fail-close
Description Marks the virtual port down when the template's service group is down. When this option is not enabled, the virtual port stays up while the ICAP service group is down.

Syntax [no] fail-close

Default Not enabled.

Mode SLB REQMOD ICAP template

Example Example configuration:


ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# fail-close

include-protocol-in-uri
Description Include the protocol and port in the HTTP URI sent to the ICAP server.

Syntax [no] include-protocol-in-uri

Default Not enabled.

Mode SLB REQMOD ICAP template

Usage See RFC 3986 (which obsoletes RFC 2396) for further information on URIs.

Example Example configuration:


ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# include-protocol-in-uri

log-only-allowed-method
Description Restricts ICAP logging to HTTP requests whose method is in the list configured with the allowed-http-methods command. When this option is not enabled (the default), logs are generated for every HTTP request the device forwards to the ICAP server and every response it receives from it.

Syntax [no] log-only-allowed-method

Default Not enabled.

Mode SLB REQMOD ICAP template

Example Example configuration:

ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# log-only-allowed-method
ACOS(config-reqmod-icap)#

min-payload-size
Description Sets the minimum payload size sent to the ICAP server.

Syntax [no] min-payload-size num

Parameter Description

num Minimum payload size, in bytes (1-65536).

Default 4096

Mode SLB REQMOD ICAP template

Example Example configuration:


ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# min-payload-size 8192

preview
Description Specifies the number of bytes that ACOS forwards to the ICAP server at the beginning of a transaction (the ICAP Preview). If you do not configure a preview value, the ACOS device uses the preview value obtained from the ICAP server.

Syntax [no] preview num

Parameter Description

num The number of bytes that ACOS forwards to the ICAP server at the beginning of a transaction. This number applies only to the encapsulated body (the HTTP payload), not to the encapsulated HTTP headers.

Default 32768

Mode SLB REQMOD ICAP template

Usage If you enter the default value of the command or use the no form of the command to remove the setting (no preview num), ACOS uses the preview value obtained from the ICAP server. See RFC 3507 for further information.

Example Example configuration:


ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# preview 8192
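The following builder is an added example, not ACOS or A10 code: it produces the ICAP REQMOD request that RFC 3507 describes, so you can see what the allowed-http-methods, preview and include-protocol-in-uri settings of this template change on the wire. Two points are assumptions rather than documented behaviour: that requests whose method is outside the allowed list bypass the ICAP server, and that include-protocol-in-uri selects the absolute-form request target (scheme://host:port/path) in the encapsulated request line. All names and sample values are made up.

```python
# Added example (not ACOS or A10 code): builds an RFC 3507 REQMOD request.
# Assumptions: methods outside the allowed list bypass ICAP, and
# include-protocol-in-uri selects the absolute-form request target.
from dataclasses import dataclass, field

# The list ACOS accepts for allowed-http-methods (from the CLI error message).
SUPPORTED_METHODS = ("GET POST HEAD PUT OPTIONS TRACE DELETE PURGE PROPFIND "
                     "PROPPATCH MKCOL COPY MOVE LOCK UNLOCK").split()


@dataclass
class HttpRequest:
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    scheme: str = "http"
    port: int = 80


def unsupported_methods(methods):
    """Methods the CLI would reject, e.g. ['ALL'] for 'allowed-http-methods ALL'."""
    return [m for m in methods if m.upper() not in SUPPORTED_METHODS]


def needs_adaptation(method, allowed):
    """Empty allowed set is the template default: every method goes to ICAP."""
    return not allowed or method.upper() in {m.upper() for m in allowed}


def encapsulated_request_header(req, include_protocol_in_uri=False):
    """The HTTP request head as it is embedded in the ICAP body."""
    target = (f"{req.scheme}://{req.host}:{req.port}{req.path}"
              if include_protocol_in_uri else req.path)
    lines = [f"{req.method} {target} HTTP/1.1", f"Host: {req.host}"]
    lines += [f"{k}: {v}" for k, v in req.headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def chunk(data):
    """One chunk of HTTP chunked encoding (ICAP bodies are always chunked)."""
    return f"{len(data):x}\r\n".encode() + data + b"\r\n" if data else b""


def build_reqmod(service_url, req, preview=None, include_protocol_in_uri=False):
    """Bytes sent to the ICAP server for one request. `preview` is the number
    of body bytes sent before waiting for the server's verdict; None sends
    the whole body with no Preview header."""
    hdr = encapsulated_request_header(req, include_protocol_in_uri)
    icap_host = service_url.split("//", 1)[1].split("/", 1)[0]
    enc = (f"req-hdr=0, req-body={len(hdr)}" if req.body
           else f"req-hdr=0, null-body={len(hdr)}")
    lines = [f"REQMOD {service_url} ICAP/1.0", f"Host: {icap_host}",
             f"Encapsulated: {enc}"]
    body = b""
    if req.body and preview is None:
        body = chunk(req.body) + b"0\r\n\r\n"
    elif req.body:
        lines.append(f"Preview: {preview}")
        head = req.body[:preview]
        # "0; ieof" tells the server the preview already holds the whole body,
        # so it must not reply 100 Continue to ask for the rest.
        terminator = b"0; ieof\r\n\r\n" if len(head) == len(req.body) else b"0\r\n\r\n"
        body = chunk(head) + terminator
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + hdr + body
```

The Preview header is what lets the ICAP server return a verdict (204 No Content, or 100 Continue to ask for the remainder) after reading only the first preview bytes of a large upload; the Encapsulated header tells it where the HTTP headers end and the chunked body starts.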

service-group
Description Specifies the name of the ICAP service group.

Syntax [no] service-group service-group-name

Parameter Description

service-group-name Name of a configured service group.

Mode SLB REQMOD ICAP template

Example Example configuration:

ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# service-group SSLi_SG1

service-url
Description Specify the URLs of the ICAP servers.

Syntax [no] service-url url

Parameter Description

url URL to send to the ICAP servers.

Mode SLB REQMOD ICAP template

Example Example configuration:

ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# service-url icap://ExampleURL.com

template
Description Apply an ACOS template to this ICAP template.

Syntax [no] template type name

Parameter Description

type The following templates can be applied:

• logging—apply the specified logging template. See the slb template logging command for information on configuring a logging template. Web logging is described in detail in the “Web Logging for HTTP and RAM Caching” section of the Application Delivery Controller Guide.
• server-ssl—apply the specified server-SSL template. Enables a secure SSL connection to the ICAP server. Without a server-SSL template the ICAP connection is plain TCP, so content that SSL Insight decrypted is carried to the ICAP server in cleartext.
• tcp-proxy—apply the specified TCP proxy template.

name Name of the desired template.

Mode SLB REQMOD ICAP template

Example Apply a logging template:

ACOS(config)# slb template reqmod-icap Reqmod_Template
ACOS(config-reqmod-icap)# template logging SSLi_Logging_Template

Chapter 10: Config Commands: SLB RESPMOD ICAP Templates
This section lists the commands and sub-commands to configure SLB Response Modification
Mode (RESPMOD) ICAP templates.

The following topics are covered:

Global Configuration Commands 356

SLB RESPMOD ICAP Template Configuration Commands 358


Global Configuration Commands


The following topics are covered:

slb template respmod-icap 356

slb template respmod-icap

Description Creates a template that you can apply to ACOS virtual servers to enable ICAP RESPMOD message capability on the virtual server.

Syntax [no] slb template respmod-icap respmod-template-name

This command changes the configuration mode to a new sub-level, where the commands in SLB RESPMOD ICAP Template Configuration Commands are available.

Default ACOS does not have a default SLB RESPMOD ICAP template.

Mode Global Configuration mode

Usage See the “Redirection of SSLi Sessions to ICAP Servers” section of the SSL
Insight Configuration Guide for an overview of ICAP and usage
guidelines.

Example The following example creates a RESPMOD ICAP template with the name RESPMOD_abcd, and then binds it to the HTTP vPort of a wildcard SLB virtual server.
ACOS(config)# slb server ICAP_server_1 10.1.26.11
ACOS(config-real server)# port 1344 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group SG_ICAP tcp
ACOS(config-slb svc group)# member ICAP_server_1 1344
ACOS(config-slb svc group-member:1344)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template respmod-icap RESPMOD_abcd
ACOS(config-respmod-icap)# service-group SG_ICAP
ACOS(config-respmod-icap)# service-url icap://abcd.com/respmod_abcd
ACOS(config-respmod-icap)# exit
ACOS(config)# slb virtual-server wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template respmod-icap RESPMOD_abcd


SLB RESPMOD ICAP Template Configuration Commands


To access these commands at the SLB RESPMOD ICAP template level, enter the slb template
respmod-icap command.

The following topics are covered:

disable-http-server-reset 358

fail-close 358

include-protocol-in-uri 359

log-only-allowed-method 359

min-payload-size 359

preview 360

service-group 360

service-url 361

template 361

disable-http-server-reset
Description Prevents the HTTP server from resetting.

Syntax [no] disable-http-server-reset

Default Enabled

Mode SLB RESPMOD ICAP template

Example Example configuration:


ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# disable-http-server-reset

fail-close
Description Marks the virtual port down when the template's service group is down. When this option is not enabled, the virtual port stays up while the ICAP service group is down.

Syntax [no] fail-close

Default Not enabled.

Mode SLB RESPMOD ICAP template

Example Example configuration:

ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# fail-close

include-protocol-in-uri
Description Include the protocol and port in the HTTP URI sent to the ICAP server.

Syntax [no] include-protocol-in-uri

Default Not enabled.

Mode SLB RESPMOD ICAP template

Example Example configuration:


ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# include-protocol-in-uri

log-only-allowed-method
Description Restricts ICAP logging to HTTP requests whose method is in the list configured with the allowed-http-methods command. When this option is not enabled (the default), logs are generated for every HTTP request the device forwards to the ICAP server and every response it receives from it.

Syntax [no] log-only-allowed-method

Default Not enabled.

Mode SLB RESPMOD ICAP template

Example Example configuration:


ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# log-only-allowed-method
ACOS(config-respmod-icap)#

min-payload-size
Description Sets the minimum payload size sent to the ICAP server.

Syntax [no] min-payload-size num

Parameter Description

num Minimum payload size, in bytes (1-65536).

Default 4096

Mode SLB RESPMOD ICAP template

Example Example configuration:


ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# min-payload-size 8192

preview
Description Specifies the number of bytes that ACOS forwards to the ICAP server at the beginning of a RESPMOD transaction (the ICAP Preview). If you do not configure a preview value, the ACOS device uses the preview value obtained from the ICAP server.

Syntax [no] preview num

Parameter Description

num The number of bytes the ACOS device forwards to the ICAP server at the beginning of a transaction. This number applies only to the encapsulated body (the HTTP payload), not to the encapsulated HTTP headers.

Default 32768

Mode SLB RESPMOD ICAP template

Example Example configuration:


ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# preview 8192
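The following parser is an added example, not ACOS or A10 code. It covers the server side of the preview rule stated for this command and for the REQMOD preview command in Chapter 9 (a configured value wins; the default value or no preview means the value the ICAP server advertises in its OPTIONS response is used), and it shows how the two RESPMOD outcomes are consumed: 204 No Content (deliver the origin response unchanged) and 200 OK (deliver the adapted response the ICAP server encapsulated). The sample ICAP messages are constructed for the example, not captured from a real server, and what ACOS does when the server advertises no Preview at all is not documented here, so the example then returns None (assumption).

```python
# Added example (not ACOS or A10 code): parse ICAP OPTIONS and RESPMOD replies.
# Sample messages below are constructed, not captured. Treating "no Preview
# advertised" as "no preview" is an assumption.
DEFAULT_PREVIEW = 32768   # the CLI default, which means "use the server's value"


def parse_icap_message(raw):
    """Split an ICAP message into (start line, headers, encapsulated payload)."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    start, *hdr_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in hdr_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, payload


def effective_preview(configured, options_headers):
    """Preview size ACOS would use: configured value unless it is the default."""
    if configured is not None and configured != DEFAULT_PREVIEW:
        return configured
    value = options_headers.get("preview")
    return int(value) if value is not None else None


def dechunk(data):
    """Decode a chunked body (ICAP bodies are always chunked; no trailers)."""
    out, pos = bytearray(), 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)   # strip "; ieof"
        if size == 0:
            return bytes(out)
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def adapted_response(raw_icap, origin_headers, origin_body):
    """Return (HTTP header bytes, body bytes) the client should receive."""
    start, headers, payload = parse_icap_message(raw_icap)
    code = int(start.split()[1])
    if code == 204:                 # server let the origin response through
        return origin_headers, origin_body
    if code != 200:
        raise ValueError(f"unexpected ICAP status {code}")
    offsets = dict(p.strip().split("=") for p in headers["encapsulated"].split(","))
    hdr_end = int(offsets.get("res-body", offsets.get("null-body")))
    res_hdr = payload[:hdr_end]
    body = dechunk(payload[hdr_end:]) if "res-body" in offsets else b""
    return res_hdr, body


# Constructed samples: an OPTIONS reply advertising Preview: 1024, a 204, and a
# 200 that replaces the origin page with a block page.
OPTIONS_RESPONSE = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nService: example scanner\r\n"
                    b"ISTag: \"W3E4R7U9\"\r\nAllow: 204\r\nPreview: 1024\r\n"
                    b"Encapsulated: null-body=0\r\n\r\n")
ORIGIN_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
ORIGIN_BODY = b"<html>hello</html>"
BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
RESPMOD_204 = (b"ICAP/1.0 204 No Content\r\nISTag: \"W3E4R7U9\"\r\n"
               b"Encapsulated: null-body=0\r\n\r\n")
RESPMOD_200 = (b"ICAP/1.0 200 OK\r\nISTag: \"W3E4R7U9\"\r\n"
               + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_HDR)
               + BLOCK_HDR + b"7\r\nblocked\r\n0\r\n\r\n")
```

A 204 is only valid if the client offered it (Allow: 204 in the exchange) and means the bytes already held are delivered as-is; a 200 carries a complete replacement response, which is how a content scanner turns a malicious download into a block page.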

service-group
Description Specifies the name of the ICAP service group.

Syntax [no] service-group service-group-name

Parameter Description

service-group-name Name of a configured service group.

Mode SLB RESPMOD ICAP template

Example Example configuration:

ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# service-group SSLi_SG1

service-url
Description Specify the URLs of the ICAP servers.

Syntax [no] service-url url

Parameter Description

url URL to send to the ICAP servers.

Mode SLB RESPMOD ICAP template

Example Example configuration:

ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# service-url icap://ExampleURL.com

template
Description Apply an ACOS template to this ICAP template.

Syntax [no] template type name

Parameter Description

type The following templates can be applied:

• logging—apply the specified logging template. See the slb template logging command for information on configuring a logging template. Web logging is described in detail in the “Web Logging for HTTP and RAM Caching” section of the Application Delivery Controller Guide.
• server-ssl—apply the specified server-SSL template. Enables a secure SSL connection to the ICAP server. Without a server-SSL template the ICAP connection is plain TCP, so content that SSL Insight decrypted is carried to the ICAP server in cleartext.
• tcp-proxy—apply the specified TCP proxy template.

name Name of the desired template.

Mode SLB RESPMOD ICAP template

Example Apply a logging template:

ACOS(config)# slb template respmod-icap Respmod_Template
ACOS(config-respmod-icap)# template logging SSLi_Logging_Template

Chapter 11: Config Commands: SLB Server Templates
This section lists the commands and sub-commands to configure SLB server templates.

The following topics are covered:

Global Configuration Commands 364

SLB Server Template Configuration Mode Commands 366


Global Configuration Commands


The following topics are covered:

slb template server 364

slb template server

Syntax [no] slb template server {default | template-name}

Parameter Description

default Edit the default real server template. This template can be modified in the same way as any custom template-name you specify.

template-name Template name (1-127 characters)

This command enters the SLB Server Template Configuration Mode Commands for the specified real server template.

Before changing the default template, make sure the changes you plan to make are applicable to all real servers that use the template.

Mode Configuration mode

Usage The normal form of this command creates a real server template. The no
form of this command removes the template.
You can bind only one real server template to a real server. However, you
can bind the real server template to multiple real servers.
Some of the parameters that can be set using a template can also be set
or changed on the individual server.
• If a parameter is set (or changed from its default) in both a template
and on the individual server, the setting on the individual server
takes precedence.
• If a parameter is set (or changed from its default) in a template but is
not set or changed from its default on the individual server, the set-
ting in the template takes precedence.


Example The following commands configure a real server template called “rs-
tmplt1” and bind the template to two real servers:
ACOS(config)# slb template server rs-tmplt1
ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
ACOS(config-rserver)# exit
ACOS(config)# slb server rs1 10.1.1.99
ACOS(config-real server)# template server rs-tmplt1
ACOS(config-real server)# exit
ACOS(config)# slb server rs2 10.1.1.100
ACOS(config-real server)# template server rs-tmplt1

Example The following commands configure hostname server parameters in a server port template and a server template:
ACOS(config)# slb template port temp-port
ACOS(config-rport)# dynamic-member-priority 12
ACOS(config-rport)# exit
ACOS(config)# slb template server temp-server
ACOS(config-rserver)# dns-query-interval 5
ACOS(config-rserver)# min-ttl-ratio 3
ACOS(config-rserver)# max-dynamic-server 16
ACOS(config-rserver)# exit


SLB Server Template Configuration Mode Commands


To access these commands at the SLB server template level, enter the slb template server
command.

The following topics are covered:

bw-rate-limit 366

bw-rate-limit-acct 367

conn-limit 368

conn-rate-limit 368

dns-query-interval 369

dynamic-server-prefix 370

extended-stats 370

health-check 370

health-check-disable 371

log-selection-failure 371

max-dynamic-server 371

min-ttl-ratio 372

slow-start 372

spoofing-cache 374

stats-data-enable 374

stats-data-disable 375

weight 375

bw-rate-limit
Description Configures the bandwidth rate limit for servers that use this template. When a server's bandwidth exceeds the limit for the configured duration, the ACOS device stops selecting it until the bandwidth has stayed below the resume threshold for that duration.

Syntax [no] bw-rate-limit l-num resume r-num duration d-num [no-logging]

Parameter Description

l-num Bandwidth rate limit, in Kbps (1-16777216).

r-num Resume server selection after bandwidth drops below this threshold, in Kbps (1-16777216).

d-num Time period, in seconds (1-250), for which the bandwidth must exceed the bw-rate-limit value before the limit takes effect, and must stay below the resume value before selection resumes.

no-logging Do not log bandwidth rate limit related state transitions.

Default Not set

Mode SLB server template

bw-rate-limit-acct
Description Configures which traffic is counted toward the bandwidth rate limit for servers that use this template.

Syntax [no] bw-rate-limit-acct TRAFFIC

Parameter Description

TRAFFIC Specifies which traffic is counted. Options include:

• to-server-only – Account for traffic sent to the real server.
• from-server-only – Account for traffic received from the real server.
• all – Account for all traffic sent to/received from the real server (default).

Default Not set

Mode SLB server template


conn-limit
Description Maximum number of connections allowed on real servers using this tem-
plate.

Syntax [no] conn-limit max-num [resume resume-num] [no-logging]

Parameter Description

max-num Maximum number of concurrent connections (0-8000000).

resume-num Number of concurrent connections the server must be below before the ACOS device resumes use of the server (1-1048575).

no-logging Disables logging for this feature.

Default 8000000 (8 million)

Mode SLB server template

Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output
and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.

Example Configure 7 million as the maximum number of connections, with no logging:
ACOS(config)# slb template server default
ACOS(config-rserver)# conn-limit 7000000 no-logging

conn-rate-limit
Description Limits the rate of new connections the ACOS device is allowed to send to servers that use this template. When a real server reaches its connection rate limit for the current interval, the ACOS device stops selecting the server for client requests until the next interval.

Syntax [no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]

Parameter Description

connections Maximum number of new connections allowed on a server per interval. You can specify 1-1048575 connections.

per {100ms | 1sec} Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).

no-logging Disable logging when this feature is enabled.

Default By default this is not set; when enabled, the default sampling rate is per 1sec.

Mode SLB server template

Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output
and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.

Example Configure 1 million as the maximum number of new connections per second, with no logging:
ACOS(config)# slb template server default
ACOS(config-rserver)# conn-rate-limit 1000000 per 1sec no-logging
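The following model is an added example, not ACOS or A10 code: it shows how conn-limit with its resume threshold and conn-rate-limit gate server selection, and in particular why a resume value below the limit stops a server at its limit from flapping in and out of selection on every closed connection. The same per-interval counting is what the request-rate-limit command of the SLB real port template applies per port. Class and method names are assumptions, and the fixed-window counting is one plausible reading of "per 100ms | 1sec" that the page does not spell out.

```python
# Added example (not ACOS or A10 code): how conn-limit (with resume) and
# conn-rate-limit gate server selection. Names are assumptions; fixed-window
# rate counting is an assumption about how the interval is applied.

class RealServerGate:
    def __init__(self, conn_limit=8_000_000, resume=None,
                 rate_limit=None, per="1sec"):
        self.conn_limit = conn_limit          # conn-limit max-num
        self.resume = resume                  # conn-limit resume resume-num
        self.rate_limit = rate_limit          # conn-rate-limit connections
        self.interval = 0.1 if per == "100ms" else 1.0
        self.active = 0                       # current concurrent connections
        self.over_limit = False               # server taken out of selection
        self.window_start = None
        self.window_count = 0
        self.events = []                      # what would be logged

    def _rate_ok(self, now):
        """Fixed-window check for new connections in the current interval."""
        if self.rate_limit is None:
            return True
        if self.window_start is None or now - self.window_start >= self.interval:
            self.window_start, self.window_count = now, 0
        if self.window_count >= self.rate_limit:
            return False
        self.window_count += 1
        return True

    def select(self, now):
        """Return True if a new connection may be sent to this server at `now`."""
        if self.over_limit:
            threshold = self.resume if self.resume is not None else self.conn_limit
            if self.active >= threshold:
                return False                  # still above the resume point
            self.over_limit = False
            self.events.append((now, "resume"))
        if self.active >= self.conn_limit:
            self.over_limit = True
            self.events.append((now, "conn-limit reached"))
            return False
        if not self._rate_ok(now):
            self.events.append((now, "conn-rate-limit reached"))
            return False
        self.active += 1
        return True

    def close(self):
        """A connection to this server ended."""
        self.active -= 1
```

Without a resume threshold the server becomes selectable again the moment one connection closes, so a server pinned at its limit generates a state transition (and a log line, unless no-logging is set) for every connection that ends.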

dns-query-interval
Description Specifies how often the ACOS device sends DNS queries for the IP
addresses of dynamic real servers.

Syntax [no] dns-query-interval minutes

Parameter Description

minutes DNS query interval in minutes (1-1440 minutes, or one day).

Default 10 minutes

Mode SLB server template


Example Configure 30 minutes as the DNS query interval:

ACOS(config)# slb template server default
ACOS(config-rserver)# dns-query-interval 30

dynamic-server-prefix
Description Specifies the prefix added to the front of dynamically created servers.

Syntax [no] dynamic-server-prefix string

Parameter Description

string Prefix string (1-3 characters).

Default The default string is “DRS”

Mode SLB server template

Example Configure “MDS” as the server prefix string:

ACOS(config)# slb template server default
ACOS(config-rserver)# dynamic-server-prefix MDS

extended-stats
Description Enables collection of peak connection statistics for a server.

Syntax [no] extended-stats

Default Disabled by default

Mode SLB server template

Example Enable the feature:

ACOS(config)# slb template server default
ACOS(config-rserver)# extended-stats

health-check
Description Enables health monitoring of servers that use this template.

Syntax [no] health-check [name]

Parameter Description

name Name of a configured health monitor.

Mode SLB server template

Usage If this command is not used, or is used without a specific monitor name,
the default ICMP health monitor is used; a ping is sent every 30 seconds.
If the ping fails 2 times consecutively, the ACOS device sets the server
state to DOWN.

Example Use the health monitor named “hm1”:

ACOS(config)# slb template server default
ACOS(config-rserver)# health-check hm1

health-check-disable
Description Disables health monitoring of servers that use this template.

Syntax [no] health-check-disable

Mode SLB server template

Example Disable server health monitoring:

ACOS(config)# slb template server default
ACOS(config-rserver)# health-check-disable

log-selection-failure
Description Enables real-time logging for server-selection failures.

Syntax [no] log-selection-failure

Default Disabled by default.

Mode SLB server template

Example Enable the logging of server-selection failures:


ACOS(config)# slb template server default
ACOS(config-rserver)# log-selection-failure

max-dynamic-server
Description Maximum number of dynamic real servers that can be created for a given
hostname.

Syntax [no] max-dynamic-server [num]

Parameter Description

num Maximum number of servers (1-1023).

Default 255

Mode SLB server template

Example Allow a maximum of 500 dynamic real servers to be created:


ACOS(config)# slb template server default
ACOS(config-rserver)# max-dynamic-server 500

min-ttl-ratio
Description Minimum initial value for the TTL of dynamic real servers. The ACOS
device multiplies this value by the DNS query interval to calculate the min-
imum TTL value to assign to the dynamically created server.

Syntax [no] min-ttl-ratio [num]

Parameter Description

num Initial value (1-15).

Default 2

Mode SLB server template

Example Configure a DNS query interval of 30 minutes and a minimum TTL ratio of 3; the minimum TTL assigned to dynamic real servers is then 3 x 30 = 90 minutes:
ACOS(config)# slb template server default
ACOS(config-rserver)# dns-query-interval 30
ACOS(config-rserver)# min-ttl-ratio 3

slow-start
Description Provides time for real ports that use the template to ramp-up after
TCP/UDP service is enabled, by temporarily limiting the number of new
connections on the ports.

Syntax [no] slow-start


[from starting-conn-limit]
[times scale-factor | add conn-incr]
[every interval]
[till ending-conn-limit]

Parameter Description

starting-conn-limit Maximum number of concurrent connections to allow on the server after it first comes up. You can specify from 1-4095 concurrent connections.

The default is 128.

scale-factor Number by which to multiply the connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the ACOS device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10.

The default is 2.

conn-incr As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow after each ramp-up interval. You can specify 1-4095 new connections.

interval Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds.

The default is 10 seconds.

ending-conn-limit Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections.

The default is 4096.

Default Slow-start is disabled by default.

Mode SLB server template

Usage If a normal runtime connection limit is also configured on the server (for
example, by the conn-limit command), and the normal connection limit
is smaller than the slow-start ending connection limit, the ACOS device
limits slow-start connections to the maximum allowed by the normal con-
nection limit.

Example Enable slow-start using the default values:


ACOS(config)# slb template server default
ACOS(config-rserver)# slow-start
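
The ramp that these parameters produce, as an added example that is not ACOS code or anything from A10 (Python): it implements the from / times | add / every / till arithmetic from the parameter table and the Usage note that a smaller runtime conn-limit caps the ramp, and renders the matching slow-start line. Two points the page leaves open are assumptions here: times is applied to the current limit at every interval (geometric growth), and slow-start ends as soon as the ending limit is reached.

```python
"""Ramp-up schedule implied by the slow-start parameters of an SLB server template.

Added example, not ACOS code. Assumptions beyond the page: the limit is raised at
the end of each interval, `times` multiplies the current limit each time, and
slow-start ends once the ending limit is reached.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SlowStart:
    """One `slow-start` line; field names mirror the CLI keywords and documented defaults."""
    starting_conn_limit: int = 128      # from   (1-4095, default 128)
    scale_factor: Optional[int] = 2     # times  (2-10, default 2); None when `add` is used
    conn_incr: Optional[int] = None     # add    (1-4095); mutually exclusive with `times`
    interval: int = 10                  # every  (1-60 seconds, default 10)
    ending_conn_limit: int = 4096       # till   (1-65535, default 4096)

    def __post_init__(self) -> None:
        # Range checks copied from the parameter table above.
        if not 1 <= self.starting_conn_limit <= 4095:
            raise ValueError("from must be 1-4095")
        if (self.scale_factor is None) == (self.conn_incr is None):
            raise ValueError("specify exactly one of times / add")
        if self.scale_factor is not None and not 2 <= self.scale_factor <= 10:
            raise ValueError("times must be 2-10")
        if self.conn_incr is not None and not 1 <= self.conn_incr <= 4095:
            raise ValueError("add must be 1-4095")
        if not 1 <= self.interval <= 60:
            raise ValueError("every must be 1-60")
        if not 1 <= self.ending_conn_limit <= 65535:
            raise ValueError("till must be 1-65535")

    def cli_line(self) -> str:
        """Render the template sub-command for this configuration."""
        grow = (f"times {self.scale_factor}" if self.scale_factor is not None
                else f"add {self.conn_incr}")
        return (f"slow-start from {self.starting_conn_limit} {grow} "
                f"every {self.interval} till {self.ending_conn_limit}")


def ramp_schedule(cfg: SlowStart, conn_limit: Optional[int] = None) -> List[Tuple[int, int]]:
    """Return [(seconds since the port came up, concurrent connections allowed)].

    `conn_limit` is the server's normal runtime limit (conn-limit command), if any;
    per the Usage note it caps every step when it is below the ending limit.
    The last entry is the point at which slow-start stops limiting connections.
    """
    cap = cfg.ending_conn_limit if conn_limit is None else min(cfg.ending_conn_limit, conn_limit)
    steps: List[Tuple[int, int]] = []
    elapsed, allowed = 0, min(cfg.starting_conn_limit, cap)
    while True:
        steps.append((elapsed, allowed))
        if allowed >= cap:
            return steps
        grown = (allowed * cfg.scale_factor if cfg.scale_factor is not None
                 else allowed + cfg.conn_incr)
        elapsed += cfg.interval
        allowed = min(grown, cap)


def ramp_duration(cfg: SlowStart, conn_limit: Optional[int] = None) -> int:
    """Seconds after which the template no longer limits connections."""
    return ramp_schedule(cfg, conn_limit)[-1][0]


if __name__ == "__main__":
    for cfg in (SlowStart(), SlowStart(scale_factor=None, conn_incr=500)):
        print(cfg.cli_line())
        for t, n in ramp_schedule(cfg):
            print(f"  t={t:>3}s  allowed={n}")
```

With the defaults the limit doubles from 128 every 10 seconds and stops limiting after 50 seconds; add 500 over the same range takes 80 seconds; and with conn-limit 1000 on the server the ramp is capped at 1000 after 30 seconds. Check the duration against how long the real port actually needs to warm caches or pools, since once the ending limit is reached only the normal conn-limit, if any, still applies.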

spoofing-cache
Description Enables support for a spoofing cache server. A spoofing cache server
uses the client’s IP address instead of its own as the source address
when obtaining content requested by the client.

Syntax [no] spoofing-cache

Default Disabled.

Mode SLB server template

Example Enable this feature:


ACOS(config)# slb template server default
ACOS(config-rserver)# spoofing-cache

stats-data-enable
Description Enable statistical data collection for servers that use this template.

Syntax stats-data-enable

Default Statistical data collection is enabled by default.

Mode SLB server template

Example Enable stats data collection:


ACOS(config)# slb template server default
ACOS(config-rserver)# stats-data-enable

stats-data-disable
Description Disable statistical data collection for servers that use this template.

Syntax stats-data-disable

Default Statistical data collection is enabled by default.

Mode SLB server template

Example Disable stats data collection:


ACOS(config)# slb template server default
ACOS(config-rserver)# stats-data-disable

weight
Description Assigns an administrative weight to the server, for weighted load bal-
ancing.

Syntax [no] weight num

Parameter Description

num Administrative weight assigned to the server. You can specify 1-1000.

Default 1

Mode SLB server template

Example Assign an administrative weight of 5:


ACOS(config)# slb template server default
ACOS(config-rserver)# weight 5

Chapter 12: Config Commands: SLB SIP Tem-
plates
This chapter describes the commands and subcommands for configuring SLB Session Ini-
tiation Protocol (SIP) templates.

The following topics are covered:

Global Configuration Commands 378

SLB SIP (Over UDP) Template Configuration Mode Commands 380

SLB SIP (Over TCP/TLS) Template Configuration Mode Commands 391

Global Configuration Commands


The following topics are covered:

slb template sip (over UDP) 378

slb template sip (over TCP/TLS) 379

slb template sip (over UDP)


Description Configure separate load balancing of Session Initiation Protocol (SIP)
registration traffic and non-registration traffic for SIP clients.

Syntax [no] slb template sip template-name

Parameter Description

template-name Template name (1-127 characters)

This command enters the SLB SIP (over UDP) template configuration mode for the specified template; see SLB SIP (Over UDP) Template Configuration Mode Commands.

Default The configuration does not have a default SIP over UDP template.

Mode Configuration mode

Usage The normal form of this command creates a SIP configuration template.
The no form of this command removes the template.
You can bind only one SIP template to a virtual port. However, you can
bind the same SIP template to multiple ports.
The header-erase and header-insert options apply to both traffic
directions, client-to-server and server-to-client traffic.

Example The following commands configure a SIP template named "Registrar_template":
ACOS(config)# slb template sip Registrar_template
ACOS(config-sip)# registrar service-group Registrar_gp
ACOS(config-sip)# client-request-header insert Max-Forwards:15
ACOS(config-sip)# client-request-header erase Contact

slb template sip (over TCP/TLS)


Description Configure separate load balancing of Session Initiation Protocol (SIP)
registration traffic and non-registration traffic for SIP over TCP/TLS.

Syntax [no] slb template sip template-name

Parameter Description

template-name Template name (1-127 characters)

This command enters the SLB SIP (over TCP/TLS) template configuration mode for the specified template; see SLB SIP (Over TCP/TLS) Template Configuration Mode Commands.

Default The configuration does not have a default SIP over TCP/TLS template.

Mode Configuration mode

Usage The normal form of this command creates a SIP configuration template.
The no form of this command removes the template.
You can bind only one SIP template to a virtual port. However, you can
bind the same SIP template to multiple ports.

Example The following commands configure a SIP over TCP/TLS template:


ACOS(config)# slb template sip siptls-tmplt
ACOS(config-sip)# insert-client-ip
ACOS(config-sip)# client-keepalive
ACOS(config-sip)# failed-client-selection "480 Temporarily Unavailable"
ACOS(config-sip)# failed-server-selection "504 Server Time-Out"
ACOS(config-sip)# exclude-translation header Authentication

SLB SIP (Over UDP) Template Configuration Mode Commands
The following commands apply only to SIP over UDP, except for the timeout, alg-dest-nat, and alg-source-nat commands, which apply to both SIP over UDP and SIP over TCP/TLS.

To access these commands at the SLB SIP over UDP template level, enter the slb template sip (over UDP) command.

The following topics are covered:

alg-dest-nat 380

alg-source-nat 381

call-id-persist-disable 381

client-request-header erase 382

client-request-header insert 382

client-response-header erase 383

client-response-header insert 384

dialog-aware 385

exclude-translation 385

insert-client-ip 385

keep-server-ip-if-match-acl 386

registrar service-group 386

server-request-header erase 387

server-request-header insert 387

server-response-header erase 388

server-response-header insert 389

timeout 390

alg-dest-nat
Description Translates the VIP address into the real server IP address in SIP mes-
sages, when destination NAT is used.

Syntax [no] alg-dest-nat

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# alg-dest-nat

alg-source-nat
Description Translates the source IP address into the NAT IP address in SIP messages, when source NAT is used.
ALG support status does not affect IP layer address translation. IP layer
address translation is still performed, if applicable, even when ALG
support is disabled.

Syntax [no] alg-source-nat

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# alg-source-nat

call-id-persist-disable
Description Disables call-ID persistence.

Syntax [no] call-id-persist-disable

Default Call-ID persistence is enabled by default.

Mode SLB SIP template

Example Disable call-ID persistence.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# call-id-persist-disable

client-request-header erase
Description Erases the specified header.

Syntax [no] client-request-header erase string [all]

Parameter Description

string Specify the header to erase.

all Erase all instances of the specified header. If not specified, only the first instance is erased.

Default Only the first instance of the specified header is erased unless all is specified.

Mode SLB SIP template

Example Erase the first instance of the “Max-Forwards” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-request-header erase Max-Forwards

client-request-header insert
Description Inserts the specified header into requests.

Syntax [no] client-request-header insert field:value


[insert-always | insert-if-not-exist]

Parameter Description

field:value Header field name and the value to insert. Use a colon between the header name and the value. To use a blank space between the header name and the value, enclose the pair in double quotation marks.

Examples:
client-request-header insert Max-Forwards:15
client-request-header insert "Max-Forwards: 15"

insert-always Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.

insert-if-not-exist Inserts the header only if the request does not already contain a header with the same field name.

Without either the insert-always or the insert-if-not-exist option, if a request already contains one or more headers with the specified field name, the command replaces the last such header.

Mode SLB SIP template

Example Insert the "Max-Forwards: 15" header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-request-header insert "Max-Forwards: 15"

client-response-header erase
Description Erases the specified header.

Syntax [no] client-response-header erase string [all]

Parameter Description

string Specify the header to erase.

all Erase all instances of the specified header. If not specified, only the first instance is erased.

Default Only the first instance of the specified header is erased unless all is specified.

Mode SLB SIP template

Example Erase the first instance of the “Max-Forwards” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-response-header erase Max-Forwards

client-response-header insert
Description Inserts the specified header into responses.

Syntax [no] client-response-header insert field:value


[insert-always | insert-if-not-exist]

Parameter Description

field:value Header field name and the value to insert. Use a colon between the header name and the value. To use a blank space between the header name and the value, enclose the pair in double quotation marks.

Examples:
client-response-header insert Max-Forwards:15
client-response-header insert "Max-Forwards: 15"

insert-always Always inserts the field:value pair. If the response already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.

insert-if-not-exist Inserts the header only if the response does not already contain a header with the same field name.

Without either the insert-always or the insert-if-not-exist option, if a response already contains one or more headers with the specified field name, the command replaces the last such header.

Mode SLB SIP template

Example Insert the "Max-Forwards: 15" header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-response-header insert "Max-Forwards: 15"

dialog-aware
Description Enables multiple active client instance support with the same end-user
login.

Syntax [no] dialog-aware

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# dialog-aware

exclude-translation
Description Disables translation of the virtual IP address and virtual port in specific
portions of SIP messages.

Syntax [no] exclude-translation {body | header string | start-line}

Parameter Description

body Does not translate virtual IP addresses and virtual ports in the body of the message.

header string Does not translate virtual IP addresses and virtual ports in the specified header.

start-line Does not translate virtual IP addresses and virtual ports in the SIP request line or status line.

Default Not set; the ACOS device does not translate addresses in any header
except the top Via header.

Mode SLB SIP template

Example Do not translate virtual IP addresses and virtual ports in the message
body:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# exclude-translation body

insert-client-ip
Description Inserts an "X-Forwarded-For: IP-address:port" header into SIP packets from the client to the SIP server. The header contains the client IP address and source protocol port number. The ACOS device uses the header to identify the client when forwarding a server reply.

Syntax [no] insert-client-ip

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# insert-client-ip

keep-server-ip-if-match-acl
Description Disables reverse NAT based on the IP addresses in an extended ACL. This
command is useful in cases where a SIP server needs to reach another
server, and the traffic must pass through the ACOS device.

Syntax [no] keep-server-ip-if-match-acl

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# keep-server-ip-if-match-acl

registrar service-group
Description Specifies the name of a service group of SIP Registrar servers.

Syntax [no] registrar service-group name

Parameter Description

name Service group name (1-127 characters).

Mode SLB SIP template

Example Specify “sip-sg1” as the service group:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# registrar service-group sip-sg1

server-request-header erase
Description Erases the specified header.

Syntax [no] server-request-header erase string [all]

Parameter Description

string Specify the header to erase.

all Erase all instances of the specified header. If not specified, only the first instance is erased.

Default Only the first instance of the specified header is erased unless all is specified.

Mode SLB SIP template

Example Erase the first instance of the “Max-Forwards” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-request-header erase Max-Forwards

server-request-header insert
Description Inserts the specified header into requests.

Syntax [no] server-request-header insert field:value [insert-always | insert-if-not-exist]

Parameter Description

field:value Header field name and the value to insert. Use a colon between the header name and the value. To use a blank space between the header name and the value, enclose the pair in double quotation marks.

Examples:
server-request-header insert Max-Forwards:15
server-request-header insert "Max-Forwards: 15"

insert-always Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.

insert-if-not-exist Inserts the header only if the request does not already contain a header with the same field name.

Without either the insert-always or the insert-if-not-exist option, if a request already contains one or more headers with the specified field name, the command replaces the last such header.

Mode SLB SIP template

Example Insert the "Max-Forwards: 15" header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-request-header insert "Max-Forwards: 15"

server-response-header erase
Description Erases the specified header.

Syntax [no] server-response-header erase string [all]


Parameter Description

string Specify the header to erase.

all Erase all instances of the specified header. If not specified, only the first instance is erased.

Default Only the first instance of the specified header is erased unless all is specified.

Mode SLB SIP template

Example Erase the first instance of the “Max-Forwards” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-response-header erase Max-Forwards

server-response-header insert
Description Inserts the specified header into responses.

Syntax [no] server-response-header insert field:value


[insert-always | insert-if-not-exist]

Parameter Description

field:value Header field name and the value to insert. Use a colon between the header name and the value. To use a blank space between the header name and the value, enclose the pair in double quotation marks.

Examples:
server-response-header insert Max-Forwards:15
server-response-header insert "Max-Forwards: 15"

insert-always Always inserts the field:value pair. If the response already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.

insert-if-not-exist Inserts the header only if the response does not already contain a header with the same field name.

Without either the insert-always or the insert-if-not-exist option, if a response already contains one or more headers with the specified field name, the command replaces the last such header.

Mode SLB SIP template

Example Insert the "Max-Forwards: 15" header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-response-header insert "Max-Forwards: 15"

timeout
Description Specifies the number of minutes a SIP session can remain idle before the
ACOS device terminates the session.

Syntax [no] timeout num

Parameter Description

num Number of minutes (1-250).

Default 30 minutes

Mode SLB SIP template

Example Configure the timeout for 5 minutes:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# timeout 5

SLB SIP (Over TCP/TLS) Template Configuration Mode Commands
The following commands apply only to SIP over TCP/TLS, except for the timeout, alg-dest-nat, and alg-source-nat commands, which apply to both SIP over UDP and SIP over TCP/TLS.

To access commands at the SLB SIP over TCP/TLS template level, enter the slb template sip (over TCP/TLS) command.

The following topics are covered:

alg-dest-nat 392

alg-source-nat 392

call-id-persist-disable 392

client-keepalive 393

client-request-header erase 393

client-request-header insert 393

client-response-header erase 394

client-response-header insert 395

dialog-aware 396

exclude-translation 396

failed-client-selection 397

failed-server-selection 398

insert-client-ip 398

server-keep-alive 399

server-request-header erase 399

server-request-header insert 400

server-response-header erase 401

server-response-header insert 401

server-selection-per-request 402

smp-call-id-rtp-session 403

timeout 404

alg-dest-nat
Description Enables SIP ALG support for the destination IP address.

Syntax [no] alg-dest-nat

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# alg-dest-nat

alg-source-nat
Description Enables SIP ALG support for the source IP address.
ALG support status does not affect IP layer address translation. IP layer
address translation is still performed, if applicable, even when ALG
support is disabled.

Syntax [no] alg-source-nat

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# alg-source-nat

call-id-persist-disable
Description Disables call-ID persistence.

Syntax [no] call-id-persist-disable

Default Call-ID persistence is enabled by default.

Mode SLB SIP template

Example Disable call-ID persistence.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# call-id-persist-disable

client-keepalive
Description Enables the ACOS device to respond to SIP pings from clients on behalf
of SIP servers. When this option is enabled, the ACOS device responds to
a SIP ping from a client with a “pong”. This option is disabled by default.
If connection reuse is configured, even if client keepalive is disabled, the
ACOS device will respond to a client SIP ping with a pong.

Syntax [no] client-keepalive

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-keepalive

client-request-header erase
Description Erases the specified header.

Syntax [no] client-request-header erase string [all]

Parameter Description

string Specify the header to erase.

all Erase all instances of the specified header. If not specified, only the first instance is erased.

Default Only the first instance of the specified header is erased unless all is specified.

Mode SLB SIP template

Example Erase the first instance of the “Max-Forwards” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-request-header erase Max-Forwards

client-request-header insert
Description Inserts the specified header into requests.

Syntax [no] client-request-header insert field:value


[insert-always | insert-if-not-exist]

Parameter Description

field:value Header field name and the value to insert. Use a colon between the header name and the value. To use a blank space between the header name and the value, enclose the pair in double quotation marks.

Examples:
client-request-header insert Max-Forwards:15
client-request-header insert "Max-Forwards: 15"

insert-always Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.

insert-if-not-exist Inserts the header only if the request does not already contain a header with the same field name.

Without either the insert-always or the insert-if-not-exist option, if a request already contains one or more headers with the specified field name, the command replaces the last such header.

Mode SLB SIP template

Example Insert the "Max-Forwards: 15" header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-request-header insert "Max-Forwards: 15"

client-response-header erase
Description Erases the specified header.

Syntax [no] client-response-header erase string [all]

Parameter Description

string Specify the header to erase.

all Erase all instances of the specified header. If not specified, only the first instance is erased.

Default Only the first instance of the specified header is erased unless all is specified.

Mode SLB SIP template

Example Erase the first instance of the “Max-Forwards” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-response-header erase Max-Forwards

client-response-header insert
Description Inserts the specified header into responses.

Syntax [no] client-response-header insert field:value


[insert-always | insert-if-not-exist]

Parameter Description

field:value Header field name and the value to insert. Use a colon between the header name and the value. To use a blank space between the header name and the value, enclose the pair in double quotation marks.

Examples:
client-response-header insert Max-Forwards:15
client-response-header insert "Max-Forwards: 15"

insert-always Always inserts the field:value pair. If the response already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.

insert-if-not-exist Inserts the header only if the response does not already contain a header with the same field name.

Without either the insert-always or the insert-if-not-exist option, if a response already contains one or more headers with the specified field name, the command replaces the last such header.

Mode SLB SIP template

Example Insert the "Max-Forwards: 15" header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# client-response-header insert "Max-Forwards: 15"
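
The erase and insert rules documented above, and their client-/server-request-header and -response-header counterparts in both the SIP over UDP and SIP over TCP/TLS sections, differ only in which messages they touch. The following added example (Python, not ACOS code and not from A10) applies each mode to a constructed INVITE so the differences between them are visible. It assumes case-insensitive header-name matching and that an erase rule configured for a header is applied before an insert rule for the same header; the page states neither.

```python
"""Header rewrite semantics of the client-/server-request-header and
-response-header erase/insert commands, modelled on one SIP message.

Added example, not ACOS code. Modes, as documented on this page:
  erase NAME                          remove the first header called NAME
  erase NAME all                      remove every header called NAME
  insert "N: v"                       replace the last existing N header, else append
  insert "N: v" insert-always         add after the last existing N header, keep the old ones
  insert "N: v" insert-if-not-exist   add only when no N header is present
Assumptions not stated on the page: header names compare case-insensitively,
and an erase rule for a header is applied before an insert rule for it.
"""
from typing import List, Optional, Tuple

CRLF = "\r\n"
Header = Tuple[str, str]


def split_message(msg: str) -> Tuple[str, List[Header], str]:
    """Split a SIP message into its start line, (name, value) headers and body."""
    start, _, rest = msg.partition(CRLF)
    head, _, body = rest.partition(CRLF + CRLF)
    headers: List[Header] = []
    for line in head.split(CRLF):
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return start, headers, body


def join_message(start: str, headers: List[Header], body: str) -> str:
    return CRLF.join([start] + [f"{n}: {v}" for n, v in headers]) + CRLF + CRLF + body


def _matches(headers: List[Header], name: str) -> List[int]:
    """Indexes of every header called `name`, in message order."""
    return [i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()]


def header_values(msg: str, name: str) -> List[str]:
    _, headers, _ = split_message(msg)
    return [headers[i][1] for i in _matches(headers, name)]


def erase_header(msg: str, name: str, all_instances: bool = False) -> str:
    """`... erase NAME [all]`"""
    start, headers, body = split_message(msg)
    hits = _matches(headers, name)
    # Delete from the back so the remaining indexes stay valid.
    for i in reversed(hits if all_instances else hits[:1]):
        del headers[i]
    return join_message(start, headers, body)


def insert_header(msg: str, field_value: str, mode: Optional[str] = None) -> str:
    """`... insert field:value [insert-always | insert-if-not-exist]`"""
    name, _, value = field_value.partition(":")
    new: Header = (name.strip(), value.strip())
    start, headers, body = split_message(msg)
    hits = _matches(headers, new[0])
    if mode is None:                        # default: replace the last one, else append
        if hits:
            headers[hits[-1]] = new
        else:
            headers.append(new)
    elif mode == "insert-always":           # keep existing copies, add after the last of them
        headers.insert(hits[-1] + 1 if hits else len(headers), new)
    elif mode == "insert-if-not-exist":     # an existing copy wins, even a client-supplied one
        if not hits:
            headers.append(new)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return join_message(start, headers, body)


def trusted_client_header(msg: str, peer: str) -> str:
    """Erase every client-supplied X-Forwarded-For, then insert the value we vouch for."""
    cleaned = erase_header(msg, "X-Forwarded-For", all_instances=True)
    return insert_header(cleaned, f"X-Forwarded-For: {peer}")


# Constructed sample request: two Via hops and an X-Forwarded-For that the
# client chose itself. 203.0.113.10:5060 stands in for the real peer address.
SAMPLE_INVITE = CRLF.join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds",
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK123",
    "Max-Forwards: 70",
    "X-Forwarded-For: 10.0.0.1:5060",
    "From: <sip:alice@example.net>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@example.net",
    "CSeq: 314159 INVITE",
    "Content-Length: 0",
]) + CRLF + CRLF

if __name__ == "__main__":
    peer = "203.0.113.10:5060"
    for label, out in [
        ("insert-if-not-exist", insert_header(SAMPLE_INVITE, f"X-Forwarded-For: {peer}", "insert-if-not-exist")),
        ("insert-always", insert_header(SAMPLE_INVITE, f"X-Forwarded-For: {peer}", "insert-always")),
        ("default", insert_header(SAMPLE_INVITE, f"X-Forwarded-For: {peer}")),
        ("erase all + insert", trusted_client_header(SAMPLE_INVITE, peer)),
    ]:
        print(f"{label:>20}: {header_values(out, 'X-Forwarded-For')}")
```

The security-relevant difference is between insert-if-not-exist and the other two modes. If a client sends its own X-Forwarded-For, or any other header the server is going to trust, insert-if-not-exist leaves the client's value in place and adds nothing, insert-always appends the real value after it so the server sees both, and the default mode replaces only the last instance, so a second client-supplied copy would survive. To hand the server exactly one value you control, erase the header with all first and then insert it, as trusted_client_header does.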

dialog-aware
Description Enables multiple active client instance support with the same end-user
login.

Syntax [no] dialog-aware

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# dialog-aware

exclude-translation
Description Disables translation of the virtual IP address and virtual port in specific
portions of SIP messages.

Syntax [no] exclude-translation {body | header string | start-line}


Parameter Description

body Does not translate virtual IP addresses and virtual ports in the body of the message.

header string Does not translate virtual IP addresses and virtual ports in the specified header.

start-line Does not translate virtual IP addresses and virtual ports in the SIP request line or status line.

Default Not set; the ACOS device does not translate addresses in any header
except the top Via header.

Mode SLB SIP template

Example Do not translate virtual IP addresses and virtual ports in the message
body:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# exclude-translation body

failed-client-selection
Description Specifies the response when selection of a SIP client fails. This option is applicable only if the configuration includes a connection-reuse template.

Syntax [no] failed-client-selection {string | drop}

Parameter Description

string Message string to send to the server; for example: "480 Temporarily Unavailable". If the message string contains a space, use double quotation marks around the string.

drop Drop the traffic.

Default Not set; the ACOS device resets the connection when selection of a SIP client fails.

Mode SLB SIP template

Example Configure a response for failed client selection:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# failed-client-selection “480 Temporarily
Unavailable”

failed-server-selection
Description Specifies the response when selection of a SIP server fails.

Syntax [no] failed-server-selection {string | drop}

Parameter Description

string Message string to send to the client; for example: "504 Server Time-Out". If the message string contains a space, use double quotation marks around the string.

drop Drop the traffic.

Default Not set; the ACOS device resets the connection when selection of a SIP server fails.

Mode SLB SIP template

Example Configure a response for failed server selection:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# failed-server-selection "504 Server Time-Out"

insert-client-ip
Description Inserts an “X-Forwarded-For: IP-address:port” header into SIP packets
from the client to the SIP server. The header contains the client IP
address and source protocol port number. The ACOS device uses the
header to identify the client when forwarding a server reply.

Syntax [no] insert-client-ip

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# insert-client-ip

server-keep-alive
Description For configurations that use a connection-reuse template, this option spe-
cifies how often the ACOS device sends a SIP ping on each persistent
connection. The ACOS device silently drops the server’s reply. If the
server does not reply to a SIP ping within the connection-reuse timeout,
the ACOS device closes the persistent connection.
The connection-reuse timeout is configured by the timeout command at
the configuration level for the connection-reuse template. For more
information, see slb template connection-reuse.

Syntax [no] server-keep-alive num

Parameter Description

num Number of seconds (5-300).

Mode SLB SIP template

Example Configure the keep-alive for 10 seconds:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-keep-alive 10

server-request-header erase
Description Erases the specified header.

Syntax [no] server-request-header erase string [all]

Parameter Description

string Specify the header to erase.

all Erase all instances of the specified header. If not specified, only the first instance is erased.

Default All instances of the specified header are erased.


Mode SLB SIP template

Example Erase the first instance of the “Max-Forwards” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-request-header erase Max-Forwards

server-request-header insert
Description Inserts the specified header into requests.

Syntax [no] server-request-header insert field:value [insert-always | insert-if-not-exist]

Parameter Description

field:value Header field name and the value to insert. Use a colon between the header name and the value. To use a blank space between the header name and the value, use double quotation marks.
Examples:
server-request-header insert Max-Forwards:15
server-request-header insert “Max-Forwards: 15”

insert-always Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.

insert-if-not-exist Inserts the header only if the request does not already contain a header with the same field name.

Without either the insert-always or the insert-if-not-exist option, if a request already contains one or more headers with the specified field name, the command replaces the last header.


Mode SLB SIP template

Example Insert the “Max-Forwards: 15” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-request-header insert “Max-Forwards: 15”
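The erase and insert behaviours described above for server-request-header (first instance versus all instances; the default replace-last behaviour, insert-always, and insert-if-not-exist) are easiest to see on a concrete message. The following Python is an added example, not ACOS code or A10's implementation; the SIP request is constructed here, and two details the reference does not state are assumptions: header names are compared case-insensitively (as SIP field names are), and under insert-always the new header goes after the last existing header of that name.

```python
"""Model of server-request-header erase / insert on a constructed SIP request.

Added example, not ACOS code. Assumptions (not stated in the reference):
header names compare case-insensitively; with insert-always and several
existing headers of that name, the new one goes after the last of them.
"""

# Constructed sample request (not a capture). It deliberately carries two
# Max-Forwards headers so that "first instance", "all instances" and
# "replace the last header" behave differently.
SAMPLE_REQUEST = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Max-Forwards: 69\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def _split(raw):
    """Return (start line, list of header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def _join(start_line, headers, body):
    return "\r\n".join([start_line, *headers]) + "\r\n\r\n" + body


def _name(header_line):
    """Field name of a header line, lower-cased for comparison (assumption)."""
    return header_line.split(":", 1)[0].strip().lower()


def header_values(raw, name):
    """All values carried by headers named `name`, in message order."""
    _, headers, _ = _split(raw)
    return [h.split(":", 1)[1].strip() for h in headers if _name(h) == name.lower()]


def erase_header(raw, name, all_instances=False):
    """server-request-header erase <name> [all]: drop the first instance,
    or every instance when all_instances is True."""
    start, headers, body = _split(raw)
    kept, removed = [], 0
    for h in headers:
        if _name(h) == name.lower() and (all_instances or removed == 0):
            removed += 1
            continue
        kept.append(h)
    return _join(start, kept, body)


def insert_header(raw, field_value, mode=None):
    """server-request-header insert <field:value> [insert-always | insert-if-not-exist].

    mode None              -> default: replace the last existing header of that
                              name, or append when there is none
    "insert-always"        -> always add, after the existing header(s)
    "insert-if-not-exist"  -> add only when no header of that name exists
    """
    if ":" not in field_value:
        raise ValueError("field:value must contain a colon")
    start, headers, body = _split(raw)
    name = _name(field_value)
    positions = [i for i, h in enumerate(headers) if _name(h) == name]
    if mode == "insert-always":
        if positions:
            headers.insert(positions[-1] + 1, field_value)
        else:
            headers.append(field_value)
    elif mode == "insert-if-not-exist":
        if not positions:
            headers.append(field_value)
    elif mode is None:
        if positions:
            headers[positions[-1]] = field_value
        else:
            headers.append(field_value)
    else:
        raise ValueError(f"unknown insert mode: {mode!r}")
    return _join(start, headers, body)


if __name__ == "__main__":
    for mode in (None, "insert-always", "insert-if-not-exist"):
        out = insert_header(SAMPLE_REQUEST, "Max-Forwards: 15", mode)
        print(mode, header_values(out, "Max-Forwards"))
    print("erase first:", header_values(erase_header(SAMPLE_REQUEST, "Max-Forwards"), "Max-Forwards"))
```

The sample starts with Max-Forwards values 70 and 69: the default mode yields 70 and 15, insert-always yields 70, 69 and 15, and insert-if-not-exist leaves the request untouched, which is the behaviour to expect when the template is meant to stamp a header only on requests that lack it.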

server-response-header erase
Description Erases the specified header.

Syntax [no] server-response-header erase string [all]

Parameter Description

string Specify the header to erase.

all Erase all instances of the specified header. If not specified, only the first instance is erased.

Default All instances of the specified header are erased.

Mode SLB SIP template

Example Erase the first instance of the “Max-Forwards” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-response-header erase Max-Forwards

server-response-header insert
Description Inserts the specified header into responses.

Syntax [no] server-response-header insert field:value


[insert-always | insert-if-not-exist]


Parameter Description

field:value Header field name and the value to insert. Use a colon between the header name and the value. To use a blank space between the header name and the value, use double quotation marks.
Examples:
server-response-header insert Max-Forwards:15
server-response-header insert “Max-Forwards: 15”

insert-always Always inserts the field:value pair. If the response already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.

insert-if-not-exist Inserts the header only if the response does not already contain a header with the same field name.

Without either the insert-always or the insert-if-not-exist option, if a response already contains one or more headers with the specified field name, the command replaces the last header.

Mode SLB SIP template

Example Insert the “Max-Forwards: 15” header:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-response-header insert “Max-Forwards: 15”

server-selection-per-request
Description Forces the ACOS device to perform the server selection process anew for every SIP request. Without this option, the ACOS device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options. This option applies to SIP-TCP and SIPS virtual ports. The option is unnecessary for SIP over UDP, because strict transaction switching is automatically used for SIP over UDP.

Syntax [no] server-selection-per-request

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# server-selection-per-request

smp-call-id-rtp-session
Description Create a cross-CPU call-ID RTP session.
This feature enables your ACOS device to monitor RTP and SIP traffic.
This command creates a cross-CPU RTP session which can be matched
by RTP traffic.
Use this command with rtp-sip-call-id-match to configure this feature.

Syntax [no] smp-call-id-rtp-session

Default Not enabled.

Mode SLB SIP template

Example Enable this feature.


!
slb template sip test
smp-call-id-rtp-session
!
!
slb virtual-server vv 0.0.0.0
port 0 udp
skip-rev-hash
message-switching
force-routing-mode
no-dest-nat
service-group win
rtp-sip-call-id-match
port 5060 sip
message-switching
force-routing-mode
service-group winms
template sip test
!

timeout
Description Specifies the number of minutes a SIP session can remain idle before the
ACOS device terminates the session.

Syntax [no] timeout num

Parameter Description

num Number of minutes (1-250).

Default 30 minutes

Mode SLB SIP template

Example Configure the timeout for 5 minutes:


ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# timeout 5

Chapter 13: Config Commands: SLB SMPP Templates
This section lists the commands and sub-commands to configure SLB Short Message Peer-to-Peer (SMPP) templates.

The following topics are covered:

Global Configuration Commands 406

SLB SMPP Template Configuration Commands 407


Global Configuration Commands


The following topics are covered:

slb template smpp 406

slb template smpp


Description Configure SMPP 3.3 protocol load balancing template.

Syntax [no] slb template smpp template-name

Parameter Description

template-name Template name (1-127 characters)

This command enters the SLB SMPP Template Configuration Commands for the specified SMPP template.

Default The configuration does not have a default SMPP template.

Usage The normal form of this command creates an SMPP template. The no
form of this command removes the template.

Mode Configuration mode


SLB SMPP Template Configuration Commands


To access these commands at the SLB SMPP template level, enter the slb template smpp command.

The following topics are covered:

client-enquire-link 407

server-enquire-link 407

server-selection-per-request 408

user 408

client-enquire-link
Description When enabled, ACOS replies to clients directly with an ENQUIRE_LINK
message. The ENQUIRE_LINK message prevents the client connection
from timing out and serves the same purpose as a keepalive message.

Syntax [no] client-enquire-link

Default Not enabled.

Mode SLB SMPP template

Example Enable this feature.


ACOS(config)# slb template smpp smpp-tmp1
ACOS(config-smpp)# client-enquire-link

server-enquire-link
Description Prevents reusable connections to the SMPP server from aging out. When
this option is enabled, ACOS regularly sends an ENQUIRE_LINK message
to the SMPP server to maintain the client-to-server connection.

Syntax [no] server-enquire-link num

Parameter Description

num Interval, in seconds, at which the keepalive message is sent (5-300).


Default 30 seconds.

Mode SLB SMPP template

Example Set the interval to 15 seconds.


ACOS(config)# slb template smpp smpp-tmp1
ACOS(config-smpp)# server-enquire-link 15

server-selection-per-request
Description Forces ACOS to perform the server selection process anew for each SMPP request. Without this option, the ACOS device selects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options.
This command works only in conjunction with a connection-reuse template. In addition, this command requires that a username-password pair is configured in the SMPP template, so that ACOS can immediately authenticate SMPP clients for every instance of server selection.

Syntax [no] server-selection-per-request

Default Not enabled.

Mode SLB SMPP template

Example Enable this feature and configure a username-password pair.


ACOS(config)# slb template smpp smpp-tmp1
ACOS(config-smpp)# server-selection-per-request
ACOS(config-smpp)# user exampleuser password examplepassword

user
Description Sets a username and password which the ACOS device uses to authen-
ticate SMPP clients.
If you configure a user and password, you must configure the same
username-password pair for all SMPP clients and servers. Otherwise, the
ACOS device will never open a TCP connection between the clients and
servers.

Syntax [no] user username password password


Parameter Description

username User name to use for SMPP client authentication (1-63 characters).

password Password to use for SMPP client authentication (1-63 characters).

Mode SLB SMPP template

Example Create “exampleuser” and “examplepassword”.


ACOS(config)# slb template smpp smpp-tmp1
ACOS(config-smpp)# user exampleuser password examplepassword

Chapter 14: Config Commands: SLB SMTP Templates
This section lists the commands and sub-commands to configure SLB Simple Mail Transfer
Protocol (SMTP) templates.

The following topics are covered:

Global Configuration Commands 412

SLB SMTP Template Configuration Commands 414


Global Configuration Commands


The following topics are covered:

slb template smtp 412

slb template smtp


Description Configure STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients.

Syntax [no] slb template smtp template-name

Parameter Description

template-name Template name (1-127 characters)

This command enters the SLB SMTP Template Configuration Commands for the specified SMTP template.

Usage The normal form of this command creates an SMTP template. The no form
of this command removes the template.
You can bind only one SMTP template to a virtual port. However, you can
bind the same SMTP template to multiple ports.

Example The following commands configure an SMTP template named “secure-mail”. The template enforces use of STARTTLS by mail clients, disables client use of certain SMTP commands, and directs clients to a service group based on client domain.
ACOS(config)# slb template smtp secure-mail
ACOS(config-smtp)# starttls enforced
ACOS(config-smtp)# command-disable expn turn vrfy
ACOS(config-smtp)# client-domain-switching contains hq service-group smtp-sg1
ACOS(config-smtp)# client-domain-switching contains northdakota service-group smtp-sg2


Example The following commands configure an SMTP template called “smtp-domain”. The template uses client domain switching to select a service group based on the email client’s domain. Clients from any domain that starts with “smb” are sent to service group “smtp-sg1”. Clients whose domain name does not start with “smb” and whose domain name contains “company1” are sent to service group “smtp-sg2”. Clients whose domain name does not match on the starts-with or contains strings and ends with “.com” are sent to service group “smtp-sg3”.
ACOS(config)# slb template smtp smtp-domain
ACOS(config-smtp)# client-domain-switching starts-with smb service-group smtp-sg1
ACOS(config-smtp)# client-domain-switching contains company1 service-group smtp-sg2
ACOS(config-smtp)# client-domain-switching ends-with .com service-group smtp-sg3


SLB SMTP Template Configuration Commands


To access these commands at the SLB SMTP template level, enter the slb template smtp command.

The following topics are covered:

client-domain-switching
Description Selects a service group based on the domain of the client. You can specify all or part of the client domain name. This command is applicable when you have multiple SMTP service groups.

Syntax [no] client-domain-switching {starts-with | contains | ends-with} string service-group name

Parameter Description

starts-with Matches only if the client’s domain name starts with string.

contains Matches if the string appears anywhere within the domain name of the client.

ends-with Matches only if the client’s domain name ends with string.

name Name of the service group to use for matches.

Default Not set; all client domains match, and any service group can be used.

Mode SLB SMTP template

Usage The starts-with, contains, and ends-with options are always applied
in the following order, regardless of the order in which the commands
appear in the configuration. The service group for the first match is used.
• starts-with
• contains
• ends-with


If a template has more than one command with the same option
(starts-with, contains, or ends-with) and a client domain matches on
more than one of them, the most-specific match is always used.
If a contains rule and an ends-with rule match on exactly the same
string, the ends-with rule is used, because it has the more specific
match. Here is an example of a set of client-domain-switching rules in an
SMTP template. The numbers to the right indicate the precedence of the
rules when matching on client domain name “localhost”. In this case, the
last rule is the best match and will be used.
client-domain-switching contains localhost service-group sg-a (4)
client-domain-switching contains local service-group sg-b (5)
client-domain-switching ends-with host service-group sg-c (6)
client-domain-switching ends-with localhost service-group sg-d (3)
client-domain-switching starts-with local service-group sg-e (2)
client-domain-switching starts-with localhost service-group sg-f (1)

Example This example directs clients to service group “smtp-sg1” if their domain
contains the string “hq”:
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# client-domain-switching contains hq service-group smtp-sg1
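The precedence rules above (option order, most-specific match within an option, ends-with over contains on an identical string) are worth checking against the numbered “localhost” example, because a misread of them sends mail for a domain to the wrong service group. The following Python is an added example, not ACOS code or A10's implementation: it parses rules written in the CLI syntax above and ranks the matches for a domain. The ordering key is chosen to reproduce the reference's own numbered example; treating that ordering as general for cases the example does not cover, and comparing domain names case-insensitively, are assumptions of this model.

```python
"""Model of client-domain-switching rule selection.

Added example, not ACOS code. The ranking reproduces the reference's
numbered "localhost" example: starts-with rules rank first; among contains
and ends-with rules the longer (more specific) string ranks first, and
ends-with beats contains when both match the same string. Generalising that
ordering, and case-insensitive domain comparison, are assumptions.
"""
from dataclasses import dataclass

OPTIONS = ("starts-with", "contains", "ends-with")


@dataclass(frozen=True)
class Rule:
    option: str
    string: str
    service_group: str

    def matches(self, domain):
        d, s = domain.lower(), self.string.lower()   # assumption: case-insensitive
        if self.option == "starts-with":
            return d.startswith(s)
        if self.option == "contains":
            return s in d
        if self.option == "ends-with":
            return d.endswith(s)
        raise ValueError(f"unknown option {self.option!r}")


def parse_rule(cli_line):
    """Parse 'client-domain-switching <option> <string> service-group <name>'."""
    tok = cli_line.split()
    if (len(tok) != 5 or tok[0] != "client-domain-switching"
            or tok[1] not in OPTIONS or tok[3] != "service-group"):
        raise ValueError(f"not a client-domain-switching rule: {cli_line!r}")
    return Rule(tok[1], tok[2], tok[4])


def precedence_key(rule):
    """Lower sorts first; see the module docstring for the rationale."""
    return (
        0 if rule.option == "starts-with" else 1,   # starts-with always first
        -len(rule.string),                          # more specific string first
        0 if rule.option == "ends-with" else 1,     # ends-with beats contains on a tie
    )


def rank_matches(rules, domain):
    """Matching rules for `domain`, best match first."""
    return sorted((r for r in rules if r.matches(domain)), key=precedence_key)


def select_service_group(rules, domain, default=None):
    """Service group for `domain`, or `default` when no rule matches
    (the reference: with no rule set, any service group can be used)."""
    ranked = rank_matches(rules, domain)
    return ranked[0].service_group if ranked else default


# The reference's precedence example; the comments carry its numbering.
REFERENCE_RULES = [parse_rule(line) for line in (
    "client-domain-switching contains localhost service-group sg-a",     # (4)
    "client-domain-switching contains local service-group sg-b",         # (5)
    "client-domain-switching ends-with host service-group sg-c",         # (6)
    "client-domain-switching ends-with localhost service-group sg-d",    # (3)
    "client-domain-switching starts-with local service-group sg-e",      # (2)
    "client-domain-switching starts-with localhost service-group sg-f",  # (1)
)]

# The reference's "smtp-domain" template example.
SMTP_DOMAIN_RULES = [parse_rule(line) for line in (
    "client-domain-switching starts-with smb service-group smtp-sg1",
    "client-domain-switching contains company1 service-group smtp-sg2",
    "client-domain-switching ends-with .com service-group smtp-sg3",
)]


if __name__ == "__main__":
    for rank, rule in enumerate(rank_matches(REFERENCE_RULES, "localhost"), 1):
        print(f"({rank}) {rule.option} {rule.string} -> {rule.service_group}")
```

Run as a script, the block prints the six “localhost” rules in the order the reference numbers them (sg-f first, sg-c last). The same model applied to the “smtp-domain” template shows why the reference describes the second and third rules with “does not start with” and “does not match on the starts-with or contains strings”: a domain such as smb.company1.com matches all three rules, and only the starts-with rule is used.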

command-disable
Description Disables support of the specified SMTP commands. If a client tries to
issue a disabled SMTP command, ACOS sends the following message to
the client:
502 - Command not implemented

Syntax [no] command-disable {expn | turn | vrfy}

Parameter Description

expn Disable SMTP EXPN commands.

turn Disable SMTP TURN commands.

vrfy Disable SMTP VRFY commands.

Default EXPN, TURN, and VRFY are all enabled.

Mode SLB SMTP template

Example Disable SMTP EXPN commands:


ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# command-disable expn

server-domain
Description Specifies the Email server domain. This is the domain for which the ACOS
device provides SMTP load balancing.

Syntax [no] server-domain name

Parameter Description

name Name of the Email server domain (1-31 characters).

Default “mail-server-domain”

Mode SLB SMTP template

Example Set “exampledomain” as the Email server domain.


ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# server-domain exampledomain

service-ready-msg
Description Specifies the text of the SMTP service-ready message sent to clients. The
complete message sent to the client is constructed as follows:
200 - smtp-domain service-ready-string

Syntax [no] service-ready-msg string


Parameter Description

string Service-ready message (1-127 characters).

Default “ESMTP mail service ready”

Mode SLB SMTP template

Example Set “Your ESMTP mail service is ready” as the service-ready message.
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# service-ready-msg “Your ESMTP mail service is ready”

starttls
Description Specifies whether or not use of STARTTLS by clients is required.

Syntax starttls {client | server} {optional | enforced}

Parameter Description

client Configure client-side STARTTLS.

server Configure server-side STARTTLS.

optional Client or server can use STARTTLS but are not required to do so.

enforced Before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, ACOS sends the following message to the client:
530 - Must issue a STARTTLS command first

Default Disabled.

Mode SLB SMTP template

Example Make STARTTLS use mandatory for the client.


ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# starttls client enforced

Chapter 15: Config Commands: SLB SSLi Templates
This chapter describes the commands and subcommands for configuring SLB Secure Sockets
Layer Insight (SSLi) templates.

The following topics are covered:

Global Configuration Commands 420

SLB SSLi Template Configuration Mode Commands 421


Global Configuration Commands


The following topics are covered:

slb template ssli 420

slb template ssli


Description Configures a virtual server template that specifies the protocols for which the virtual server can provide SSLi services. The type sub-command specifies the accepted protocols running over SSL.

Syntax [no] slb template ssli template-name

Parameter Description

template-name Template name (1-127 characters)

This command enters the SLB SSLi Template Configuration Mode for the
specified SSLi template. For additional commands, see SLB SSLi
Template Configuration Mode Commands.

Default SSLi on HTTPS sessions is enabled by default.

Mode Configuration mode

Example Create an SLB SSLi template for SMTP:


ACOS(config)# slb template ssli smtp_insight
ACOS(config-ssli)# type smtp


SLB SSLi Template Configuration Mode Commands


To access these commands at the SLB SSLi template level, enter the slb template ssli command.

The following topics are covered:

type 421

type
Description Specifies the service that is intercepted by SSLi.

Syntax [no] type {http | xmpp | smtp | pop | ftp | ldap}

Parameter Description

http HTTP service.

xmpp XMPP service.

smtp SMTP service.

pop POP service.

ftp FTP service.

ldap LDAP service.

Default HTTP

Mode SLB SSLi template

Example Create an SLB SSLi template for SMTP:


ACOS(config)# slb template ssli ssli-tmp1
ACOS(config-ssli)# type smtp

Chapter 16: Config Commands: SLB TCP Templates
This section lists the commands and sub-commands to configure SLB Transmission Control
Protocol (TCP) templates.

The following topics are covered:

Global Configuration Commands 424

SLB TCP Template Configuration Mode Commands 426


Global Configuration Commands


The following topics are covered:

slb template tcp 424

slb template tcp


Description Create or modify a template for configuring TCP connection settings.

Syntax [no] slb template tcp {default | template-name}

Parameter Description

default Edit the default TCP template. This template can be modified in the same way as any custom template-name you specify.

template-name Template name (1-127 characters)

This command enters the SLB TCP Template Configuration Mode Commands for the specified TCP template.

Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a TCP configuration template.
The no form of this command removes the template.
You can bind only one TCP template to a virtual port. However, you can
bind the same TCP template to multiple ports.

Example The following commands configure a TCP template named “test” that
sets the TCP window size to 1460 bytes, and bind the template to virtual
service port 22 on virtual server vs1:
ACOS(config)# slb template tcp test
ACOS(config-l4 tcp)# initial-window-size 1460
ACOS(config-l4 tcp)# exit


ACOS(config)# slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)# port 22 tcp
ACOS(config-slb vserver-vport)# template tcp test

Example The following commands configure a TCP template that quickly terminates half-open sessions while allowing active sessions to continue.
ACOS(config)# slb template tcp halfopen-tcp
ACOS(config-l4 tcp)# force-delete-timeout 3 alive-if-active
ACOS(config-l4 tcp)# reset-fwd
ACOS(config-l4 tcp)# reset-rev


SLB TCP Template Configuration Mode Commands


To access these commands at the SLB TCP template level, enter the slb template tcp command.

The following topics are covered:

del-session-on-server-down 426

force-delete-timeout 427

force-delete-timeout-100ms 427

half-open-idle-timeout 428

idle-timeout 429

initial-window-size 429

insert-client-ip 430

lan-fast-ack 430

qos 431

reset-follow-fin 431

reset-fwd 432

reset-rev 432

del-session-on-server-down
Description This command clears a TCP session within 2 to 3 seconds if the session’s server is disabled by an ACOS command or fails an ACOS health check at the service-group level.
If one or more real servers in a service group fail the health check and this command is enabled for the session, ACOS clears the session. Active sessions (those receiving client-side packets) are cleared within 2 to 3 seconds. Idle sessions may continue to exist for more than a minute after the command is issued.

Syntax [no] del-session-on-server-down

Default This feature is disabled by default.


Mode SLB TCP template

Example This example shows how the command is applied:


ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# del-session-on-server-down

force-delete-timeout
Description Specifies the maximum number of seconds a session can remain active, and forces deletion of any session still active after the specified number of seconds.
This option is useful for small, fast transactions for which the completion time of sessions is guaranteed. When used in combination with the reset-fwd and reset-rev options, the force-delete-timeout option can help clean up user connections with RSTs instead of allowing the connections to hang.
This command cannot be used with the client-SSL or server-SSL template close-notify option. Doing so may cause unexpected behavior.

Syntax [no] force-delete-timeout num [alive-if-active]

Parameter Description

num Number of seconds (1-31).

alive-if-active Terminates half-open TCP sessions on the virtual port while allowing active sessions to continue without being terminated.

Default Not set.

Mode SLB TCP template

Example Set the timeout to 10 seconds.


ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# force-delete-timeout 10

force-delete-timeout-100ms
Description Specifies the maximum time (in milliseconds) a session can remain active, and forces deletion of any session still active after the specified number of milliseconds.

Syntax [no] force-delete-timeout-100ms num [alive-if-active]

Parameter Description

num Number of 100ms units (1-31).

alive-if-active Terminates half-open TCP sessions on the virtual port while allowing active sessions to continue without being terminated.

Default Not set.

Mode SLB TCP template

Example Set the timeout to 10 units of 100 milliseconds (1 second).


ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# force-delete-timeout-100ms 10

half-open-idle-timeout
Description Enables configuration of an idle timeout for half-open TCP sessions. A half-open session is one in which the client has received a SYN-ACK but has not replied with an ACK.
This mode is supported only for client-side data streams.

Syntax [no] half-open-idle-timeout num

Parameter Description

num Number of seconds (1-60).

Default Not set.

Mode SLB TCP template

Example Set the timeout to 60 seconds.


ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# half-open-idle-timeout 60


idle-timeout
Description Specifies the number of seconds that a connection can be idle before the ACOS device terminates the connection.

Syntax [no] idle-timeout num

Parameter Description

num Number of seconds (1-2097151, about 24 days).
• For values less than 31, ACOS uses the entered value.
• For values between 31 and 60, ACOS rounds up to 60 seconds.
• For values greater than 60, ACOS rounds down to the closest multiple of 60 seconds.

Default 120 seconds

Mode SLB TCP template

Example Set the idle timeout to 60 seconds.


ACOS(config)# slb template tcp tcp-tmp1
ACOS(config-l4 tcp)# idle-timeout 60

initial-window-size
Description Sets the initial TCP window size in SYN ACK packets to clients. The TCP
window size in a SYN ACK or ACK packet specifies the amount of data
that a client can send before it needs to receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the
client. After the SYN ACK, the ACOS device does not modify the TCP
window size for any other packets in the session.
By default, the ACOS device uses the TCP window size set by the client or server.

Syntax [no] initial-window-size num


Parameter Description

num Window size in bytes (1-65535).

Mode SLB TCP template

Example Set the initial TCP window size to 256.


ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# initial-window-size 256

insert-client-ip
Description Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client
IP address, but that do not use HTTP or another protocol such as
Financial Information eXchange (FIX) that can include this information.
For example, insertion of the client IP address into the TCP header can be
useful for financial applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a
TCP option field of type 0x1c, with a length of 7 bytes. For example, the
value placed by ACOS into the TCP header for client 40.40.40.26 is
0x1c07012828281a.

Syntax [no] insert-client-ip

Default Not enabled

Mode SLB TCP template

Example Enable this feature.


ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# insert-client-ip
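A backend that relies on this option has to find it among the other TCP options and parse it correctly, and the reference's worked value (0x1c07012828281a for 40.40.40.26) is enough to do that. The following Python is an added example, not ACOS code or A10's implementation: it encodes the option, walks a constructed TCP options field, and returns the client address. One assumption is labelled in the code: the reference does not explain the 0x01 byte between the length and the address, so it is treated as a fixed marker and checked as such.

```python
"""Encode and parse the client-IP TCP option described for insert-client-ip
(kind 0x1c, total length 7; reference value 0x1c07012828281a for 40.40.40.26).

Added example, not ACOS code. Assumption: the 0x01 byte between the length
and the address is taken from the reference's example and treated as a fixed
marker; the reference does not explain it.
"""
import struct
from ipaddress import IPv4Address

CLIENT_IP_KIND = 0x1C      # option kind ACOS uses for the client IP
CLIENT_IP_LEN = 7          # kind + length + marker + 4 address bytes
CLIENT_IP_MARKER = 0x01    # assumption: fixed byte seen in the reference's example


def encode_client_ip_option(client_ip):
    """Build the option bytes ACOS would place in the TCP header."""
    return bytes([CLIENT_IP_KIND, CLIENT_IP_LEN, CLIENT_IP_MARKER]) + IPv4Address(client_ip).packed


def parse_tcp_options(options):
    """Walk a TCP options field and return [(kind, data), ...].

    Kind 0 ends the list and kind 1 (NOP) is a single byte; every other
    option is kind, length, data, with length covering all three parts.
    A malformed length raises instead of being silently skipped.
    """
    parsed, i, n = [], 0, len(options)
    while i < n:
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > n:
            raise ValueError(f"bad length {length} for option kind {kind}")
        parsed.append((kind, bytes(options[i + 2:i + length])))
        i += length
    return parsed


def extract_client_ip(options):
    """Client IP carried by the ACOS option, or None when it is absent.

    Kind 28 is also the IANA-assigned kind of the TCP User Timeout option
    (RFC 5482, length 4), so the length and marker are checked as well as
    the kind; a kind-28 option of another shape is rejected, not misread.
    """
    for kind, data in parse_tcp_options(options):
        if kind != CLIENT_IP_KIND:
            continue
        if len(data) != CLIENT_IP_LEN - 2 or data[0] != CLIENT_IP_MARKER:
            raise ValueError("kind 0x1c option is not an ACOS client-ip option")
        return str(IPv4Address(data[1:]))
    return None


# Constructed options field (not a capture): MSS 1460, two NOPs, the ACOS
# option for 40.40.40.26 exactly as the reference shows it, then end-of-list.
SAMPLE_OPTIONS = (
    bytes([2, 4]) + struct.pack("!H", 1460)
    + b"\x01\x01"
    + bytes.fromhex("1c07012828281a")
    + b"\x00"
)


if __name__ == "__main__":
    print(encode_client_ip_option("40.40.40.26").hex())
    print(parse_tcp_options(SAMPLE_OPTIONS))
    print(extract_client_ip(SAMPLE_OPTIONS))
```

Because the option is plain header data, a server that acts on it should accept it only on connections arriving from the ACOS device; any other peer could set the same bytes in its own SYN.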

lan-fast-ack
Description Increases performance of bidirectional peer sessions by acknowledging
receipt of data on behalf of clients and servers.

Syntax [no] lan-fast-ack

Default Not enabled

Mode SLB TCP template


Example Enable this feature.


ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# lan-fast-ack

qos
Description Marks DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server
SLB traffic.

Syntax [no] qos num

Parameter Description

num Values range from 1 to 63. Based on the value you specify, ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Differentiated Services Code Point (DSCP) value in the IP header to the specified value.
• Layer 2 marking – ACOS sets the 802.1p value in the MAC header to the value you specify, divided by 9.

Mode SLB TCP template

Example Set the QOS value to 63:


ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# qos 63

reset-follow-fin
Description Enables closing a client or server connection with a reset (RST) on the first FIN received from the client or server.

Syntax [no] reset-follow-fin

Default Not enabled.

Mode SLB TCP template

Usage This option alleviates the situation where a backend server receives the client FIN, ACKs the FIN, and enters CLOSE_WAIT but does not close the connection (no-FIN behavior), which can result in a build-up of CLOSE_WAIT sessions and subsequent resource exhaustion on the server.

Example Enable this feature:


ACOS(config)# slb template TCP TCP-TEMP
ACOS(config-l4 tcp)# reset-follow-fin
ACOS(config-l4 tcp)#

reset-fwd
Description Sends a TCP RST to the real server after a session times out.

Syntax [no] reset-fwd

Default Not enabled.

Mode SLB TCP template

Example Enable this feature:


ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# reset-fwd

reset-rev
Description Sends a TCP RST to the client after a session times out.
This command does not send an RST if a server selection failure occurs.
To do this, use the reset-on-server-selection-fail option at the
configuration level for the service group or virtual port.

Syntax [no] reset-rev [STATE]

Parameter Description

STATE
• disable - Send the TCP RST only when the server is Disabled.
• down - Send the TCP RST only when a server is Down.
When no option is specified, the TCP RST is sent for any error.

Mode SLB TCP template


Usage If the server is Down, the reset-rev option immediately sends the RST to the client and does not wait for the session to time out.
When reset-rev disable is used together with the disable-with-hm command under the SLB server configuration, the server is not treated as “disabled”, because persistent sessions continue to use the “disabled” server.
When reset-rev disable is used together with the slb graceful-shutdown global configuration command, a state of enabled is likewise treated not as disabled but as UP, because existing sessions need to be drained rather than reset.

Default Not enabled.

Example Enable this feature:


ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# reset-rev

Chapter 17: Config Commands: SLB TCP Proxy Templates
This section lists the commands and sub-commands to configure SLB TCP Proxy templates.

The following topics are covered:

Global Configuration Commands

SLB TCP Proxy Template Configuration Commands


Global Configuration Commands

The following topics are covered:

slb template tcp-proxy

slb template tcp-proxy

Description Configure TCP/IP stack parameters.

Syntax [no] slb template tcp-proxy {default | template-name}

Parameter Description

default Edit the default TCP proxy template. This template can be modified
in the same way as any custom template-name you specify.

template-name Template name (1-127 characters)

This command enters the SLB TCP Proxy Template Configuration Commands
for the specified TCP-Proxy template.

NOTE: Before changing a default template, make sure the changes you
plan to make are applicable to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a TCP-proxy configuration
template. The no form of this command removes the template.
You can bind only one TCP-proxy template to a virtual port. However, you
can bind the same TCP-proxy template to multiple ports.

Example The following commands create a TCP-proxy template named “rst” and
set the idle timeout to 3000 seconds. When the idle timeout occurs, the
ACOS device sends an RST to the client. In cases where the server
goes down, the ACOS device resets the connection.
ACOS(config)# slb template tcp-proxy rst
ACOS(config-tcp proxy)# idle-timeout 3000
ACOS(config-tcp proxy)# reset-rev
ACOS(config-tcp proxy)# server-down-action RST


SLB TCP Proxy Template Configuration Commands

To access these commands at the SLB TCP proxy template level, enter the slb template tcp-proxy command.

The following topics are covered:

ack-aggressiveness
backend-wscale
del-session-on-server-down
disable-abc
disable-sack
disable-tcp-timestamps
disable-window-scale
dynamic-buffer-allocation
early-retransmit
fin-timeout
force-delete-timeout
force-delete-timeout-100ms
half-close-idle-timeout
half-open-idle-timeout
idle-timeout
init-cwnd
initial-window-size
insert-client-ip
invalid-rate-limit
keepalive-interval
keepalive-probes
limited_slowstart
maxburst
min-rto
mss
nagle
proxy-header
psh-flag-optimization
qos
reassembly-limit
reassembly-timeout
receive-buffer
reno
reset-fwd
reset-rev
retransmit-retries
syn-retries
timewait
transmit-buffer

ack-aggressiveness
Description Specifies the cases in which the ACOS device sends an ACK to the client.
A high ACK aggressiveness helps reduce the delay of interactive client-
server applications, but at a cost of more ACKs.

Syntax [no] ack-aggressiveness {high | medium | low}

Parameter Description

high Send ACK for each packet.

medium Delayed ACK, with ACK on each packet with PUSH flag.

low Delayed ACK.


Default low

Mode SLB TCP proxy template

Example Set the ACK aggressiveness level to medium:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# ack-aggressiveness medium

backend-wscale
Description Specifies the TCP window scaling factor for backend connections to servers.
The TCP window scaling factor is applicable to virtual ports for which the
ACOS device acts as a TCP proxy.
The TCP window scaling factor is used to calculate the TCP receive
window, which is the maximum amount of data (in bytes) the receiver on
a TCP connection will buffer. The sender is not allowed to send more than
this amount of data before receiving an acknowledgement that the data
has arrived.

Syntax [no] backend-wscale num

Parameter Description

num Scaling factor (1-14).

Default Disabled

Mode SLB TCP proxy template

Example Set the scaling factor to 3.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# backend-wscale 3

del-session-on-server-down
Description This command clears a port protocol session within 2 to 3 seconds if the
session's server is disabled by ACOS command or the server fails an ACOS
health check at the service group level.
If one or more real servers in a service group fail the health check and
this command is enabled for the session, ACOS clears the session.
Active sessions (those receiving client-side packets) clear within 2 to 3
seconds. Idle sessions may continue to exist for over a minute after the
command is issued.

Syntax [no] del-session-on-server-down

Default This feature is disabled by default.

Mode SLB TCP proxy template

Example This example shows how the command is applied:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# del-session-on-server-down

disable-abc
Description Disables Appropriate Byte Counting (ABC), which calculates the congestion
window based on the number of bytes acknowledged. It is recommended that ABC
remain enabled.

Syntax [no] disable-abc

Default This feature is enabled by default.

Mode SLB TCP proxy template

Example This example shows how the command is applied:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# disable-abc

disable-sack
Description Prevents flows from using the TCP Selective Acknowledgment (SACK)
option, which the receiver sends to inform the sender of missing data segments
and thereby speeds up TCP fast recovery.

Syntax [no] disable-sack

Default This feature is enabled by default.

Mode SLB TCP proxy template

Example This example shows how the command is applied:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# disable-sack

disable-tcp-timestamps
Description Disables the TCP Timestamps option. Disabling this option stops the TCP
Protection Against Wrapping Sequence (PAWS) and causes retransmission timeout
(RTO) calculations to use relative receive time for round-trip time (RTT)
calculations.

Syntax [no] disable-tcp-timestamps

Default This feature is enabled by default.

Mode SLB TCP proxy template

Example This example shows how the command is applied:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# disable-tcp-timestamps

disable-window-scale
Description Disables the TCP Window-Scale option. Disabling the Window-Scale
option prevents an increase in the amount of data that the receiver can
accept before sending an acknowledgement to the sender.

Syntax [no] disable-window-scale

Default This feature is enabled by default.

Mode SLB TCP proxy template

Example This example shows how the command is applied:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# disable-window-scale

dynamic-buffer-allocation
Description Optimally adjusts the transmit and receive buffer sizes of TCP-proxy
while maintaining a constant sum of combined values.

Syntax [no] dynamic-buffer-allocation

Default Not enabled

Mode SLB TCP proxy template

Example Enable the feature.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# dynamic-buffer-allocation


early-retransmit
Description Specifies the number of packets that an ACOS device sends when it
retransmits lost data. The recommended setting is 3. This allows problematic
networks time to recover from data loss before attempting another
transmission.

Syntax [no] early-retransmit num

Parameter Description

num Number of data packets (1-3).

Default 3

Mode SLB TCP proxy template

Example Set the number of retransmitted packets to 3:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# early-retransmit 3

fin-timeout
Description Specifies the number of seconds that a connection can be in the FIN-WAIT
or CLOSING state before the ACOS device terminates the connection.

Syntax [no] fin-timeout num

Parameter Description

num Timeout in seconds (1-60).

Default Disabled

Mode SLB TCP proxy template

Example Set the timeout to 7 seconds.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# fin-timeout 7

force-delete-timeout
Description Specifies the maximum number of seconds a session can remain active, and
forces deletion of any session that is still active after the specified number
of seconds.
This option is useful for small, fast transactions for which the completion
time of sessions is guaranteed. When used in combination with the
reset-fwd and reset-rev commands, this option can help clean up user
connections with RSTs instead of allowing the connections to hang.

Syntax [no] force-delete-timeout num [alive-if-active]

Parameter Description

num Number of seconds (1-31).

alive-if-active Terminates half-open TCP sessions on the virtual port while
allowing active sessions to continue without being terminated.

Mode SLB TCP proxy template

Example Set the timeout to 10 seconds.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# force-delete-timeout 10

force-delete-timeout-100ms
Description Specifies the maximum number of milliseconds a session can remain
active, and forces deletion of any session that is still active after the
specified number of milliseconds.

Syntax [no] force-delete-timeout-100ms num [alive-if-active]

Parameter Description

num Number of 100 ms units (1-31).

alive-if-active Terminates half-open TCP sessions on the virtual port while
allowing active sessions to continue without being terminated.

Mode SLB TCP proxy template

Example Set the timeout to 10 units of 100 ms (1 second).

ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# force-delete-timeout-100ms 10

half-close-idle-timeout
Description Enables aging of half-closed TCP sessions. A half-closed session is one
in which the server sends a FIN but the client does not reply with an ACK.
Otherwise, the ACOS device keeps half-closed sessions open indefinitely.

Syntax [no] half-close-idle-timeout num

Parameter Description

num Number of seconds (60-120).

Default Not set.

Mode SLB TCP proxy template

Example Set the timeout to 60 seconds.

ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# half-close-idle-timeout 60

half-open-idle-timeout
Description Enables aging of half-open TCP sessions. A half-open TCP session is one
in which the client receives a SYN-ACK, but does not reply with an ACK.
This command is supported only on the client side.

NOTE: The half-close-idle-timeout command is deprecated; use the fin-timeout
command instead.

Syntax [no] half-open-idle-timeout num

Parameter Description

num Number of seconds (1-60).

Mode SLB TCP proxy template

Example Set the timeout to 60 seconds.

ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# half-open-idle-timeout 60

idle-timeout
Description Specifies the number of seconds that a connection can be idle before the
ACOS device terminates the connection.

Syntax [no] idle-timeout num

Parameter Description

num Number of seconds (1-2097151, about 24 days).

• For values less than 31, ACOS uses the entered value.
• For values between 31 and 60, ACOS rounds up to 60 seconds.
• For values greater than 60, ACOS rounds down to the closest multiple of 60
seconds.

Default 600 seconds

Mode SLB TCP proxy template

Usage See keepalive-interval for more information about how the idle timeout
and keepalive values are related.

Example Set the idle timeout to 60 seconds.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# idle-timeout 60

init-cwnd
Description Specifies the maximum number of unacknowledged packets that can be
sent on a TCP connection. A large initial congestion-control window size
helps reduce HTTP response latency, especially for short web pages.

Syntax [no] init-cwnd num


Parameter Description

num Number of unacknowledged packets (1-15).

Default 10

Mode SLB TCP proxy template

Example Set the initial congestion-window size to 12.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# init-cwnd 12

initial-window-size
Description Sets the initial TCP window size in SYN ACK packets to clients. The TCP
window size in a SYN ACK or ACK packet specifies the amount of data
that a client can send before it needs to receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the
client. After the SYN ACK, the ACOS device does not modify the TCP
window size for any other packets in the session.
By default, the ACOS device uses the TCP window size set by the client
or server:
• If the virtual port is one of the service types that is proxied by the
ACOS device, initial TCP window size applies to SYN ACKs generated
by the ACOS device and sent to clients. By default, the ACOS device
uses the TCP window size in the client’s SYN. The following service
types are proxied by the ACOS device: HTTP, HTTPS, Fast-HTTP,
SSL-proxy, and SMTP.
• If the virtual port is not one of the service types that is proxied by the
ACOS device (for example, the tcp service type), initial TCP window
size applies to SYN ACKs generated by servers and forwarded by the
ACOS device to clients. By default, the ACOS device uses the TCP
window size in the server’s SYN ACK.
If SYN cookies are enabled, either globally or on the virtual service port,
the ACOS device acts as a TCP proxy even though the service type is not
normally proxied. In this case, the behavior is the same as for any of the
other service types TCP-proxied by the ACOS device.

Syntax [no] initial-window-size num


Parameter Description

num Window size in bytes (1-65535).

Mode SLB TCP proxy template

Example Set the initial TCP window size to 256.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# initial-window-size 256

insert-client-ip
Description Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client
IP address, but that do not use HTTP or another protocol such as
Financial Information eXchange (FIX) that can include this information.
For example, insertion of the client IP address into the TCP header can be
useful for financial applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a
TCP option field of type 0x1c, with a length of 7 bytes. For example, the
value placed by ACOS into the TCP header for client 40.40.40.26 is
0x1c07012828281a.

Syntax [no] insert-client-ip

Default Not enabled

Mode SLB TCP proxy template

Example Enable this feature.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# insert-client-ip
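The option layout described above, as an added Python example that is not A10 code: it encodes a client address the way the page's sample value shows and parses it back out of a TCP options area, so a backend or a packet-capture tool can recover the real client IP. The 0x01 tag byte is taken from the page's example value and its meaning is an assumption; the helper names are invented for this illustration.

```python
"""Build and parse the TCP option that ACOS inserts for insert-client-ip.

Added illustration, not A10 code.  The page states the option has kind 0x1c
and a length of 7 bytes and gives 0x1c07012828281a as the value for client
40.40.40.26.  The 0x01 byte between the length and the address is taken from
that example; the page does not explain it, so it is treated here as a fixed
tag byte (assumption).
"""
import ipaddress
from typing import Iterator, Optional, Tuple

CLIENT_IP_KIND = 0x1C   # option kind stated on the page
CLIENT_IP_LEN = 7       # option length stated on the page (kind + len + 5 bytes)
CLIENT_IP_TAG = 0x01    # byte seen in the page's example; meaning assumed fixed


def build_client_ip_option(client_ip: str) -> bytes:
    """Encode the option for an IPv4 client address."""
    addr = ipaddress.IPv4Address(client_ip)
    return bytes([CLIENT_IP_KIND, CLIENT_IP_LEN, CLIENT_IP_TAG]) + addr.packed


def iter_tcp_options(options: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (kind, data) for every option in a TCP options area.

    Uses the standard layout: kind 0 ends the list, kind 1 is a one-byte
    NOP, and every other option is kind, total length, data.
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            return
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("invalid option length %d" % length)
        yield kind, options[i + 2:i + length]
        i += length


def extract_client_ip(options: bytes) -> Optional[str]:
    """Return the client IPv4 address carried by the ACOS option, or None.

    Only an option with the expected kind, length and tag byte is accepted;
    anything else is ignored.  A server should act on this value only for
    connections that really arrive through the ACOS device, since any peer
    can place arbitrary options in a TCP header it builds itself.
    """
    for kind, data in iter_tcp_options(options):
        if kind != CLIENT_IP_KIND:
            continue
        if len(data) != CLIENT_IP_LEN - 2 or data[0] != CLIENT_IP_TAG:
            continue
        return str(ipaddress.IPv4Address(data[1:]))
    return None


# Constructed options area: MSS 1460, two NOPs, the ACOS client-IP option, EOL.
SAMPLE_OPTIONS = (bytes.fromhex("020405b4") + b"\x01\x01"
                  + build_client_ip_option("40.40.40.26") + b"\x00")

if __name__ == "__main__":
    print(build_client_ip_option("40.40.40.26").hex())   # 1c07012828281a
    print(extract_client_ip(SAMPLE_OPTIONS))              # 40.40.40.26
```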

invalid-rate-limit
Description Limits the rate at which responses are sent (in milliseconds) for
suspicious or invalid packets.

Syntax [no] invalid-rate-limit num

Parameter Description

num Limit invalid packet responses in milliseconds (0-60000000).

Default 500 ms

Mode SLB TCP proxy template

Example This example shows how the command is applied:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# invalid-rate-limit 700

keepalive-interval
Description Number of seconds a TCP-proxy session can remain idle before the
ACOS device sends a TCP ACK to the devices on both ends of the session.

Syntax [no] keepalive-interval num

Parameter Description

num Keepalive interval in seconds (60-12000).

Default Not set

Mode SLB TCP proxy template

Usage The keepalive feature for TCP-proxy templates periodically verifies
that a TCP-proxy session is still up on both ends of the session. The
keepalive feature uses the keepalive interval to establish the number of
seconds a TCP-proxy session can remain idle before the ACOS device
sends a TCP ACK to the devices on both ends of the session, and the
keepalive probe count allows you to set the maximum number of times
the ACOS device sends a keepalive ACK before deleting the session.
The ACOS device sends the first keepalive ACK if a session remains idle
for the duration of the keepalive interval:
• If both devices respond with an ACK before the next keepalive interval
expires, the ACOS device resets the keepalive time to 0. This starts a new
keepalive interval.
• If either device does not respond with an ACK before the next
keepalive interval expires, the action taken by the ACOS device
depends on the setting of the keepalive probe count.
• Keepalive probe count set to a value greater than 1 – The ACOS
device sends another ACK to each device.
- If both devices respond, the ACOS device resets the keepalive
time to 0, to begin a new keepalive interval.
- If either device does not respond, the ACOS device sends
another ACK to each device. This action can be repeated up to the
configured maximum number of probes (the probe count).
• Keepalive probe count set to 1 – The ACOS device does not send
new probe ACKs. Instead, the ACOS device deletes the session.
Relation of Keepalive to Idle-timeout
The keepalive and idle-timeout options work independently of one
another.
By default, the keepalive interval is shorter than the idle timeout. In this
case, keepalive probes are triggered before the idle timeout expires.
• If both devices respond with an ACK before either of the following
occurs, the keepalive interval time and the idle time are both reset to 0.
- Idle timeout expires – If this occurs, the session is deleted, even if
the maximum number of keepalive probes has not been sent.
- Maximum number of keepalive probes is sent, but at least one of
the devices still does not respond – In this case, the session is
deleted even if the idle timeout has not expired.
• If you change the keepalive or idle-timeout settings so that the idle
timeout is shorter than the keepalive interval, the keepalive mechanism
is never triggered. The idle timeout always expires first, causing the
session to be deleted. No keepalive probes are ever sent.

Example Set the keepalive interval to 120 seconds.


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# keepalive-interval 120

keepalive-probes
Description Maximum number of times the ACOS device sends a keepalive ACK,
before deleting the session.

Syntax [no] keepalive-probes num


Parameter Description

num Number of keepalive probes (2-10).

Default Not set

Mode SLB TCP proxy template

Example Send 5 keepalive ACKs before deleting the session:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# keepalive-probes 5
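The idle-timeout rounding rule and the keepalive-interval / keepalive-probes sequence described in the entries above, worked through as an added Python example that is not A10 code. The exact probe timing (probe n at n times the interval, deletion one interval after the last unanswered probe, idle timeout winning when it expires first) is an interpretation of the text and is labelled as an assumption in the code; the function names are invented for this illustration.

```python
"""Keepalive versus idle-timeout for an ACOS SLB TCP-proxy template.

Added illustration, not A10 code.  It applies the idle-timeout rounding rule
and the keepalive-interval / keepalive-probes sequence described in this
chapter to work out when an idle TCP-proxy session is deleted and why.
"""
from dataclasses import dataclass
from typing import Sequence


def effective_idle_timeout(num: int) -> int:
    """Round a configured idle-timeout the way the page says ACOS does.

    Values below 31 are used as entered, 31-60 round up to 60, and values
    above 60 round down to the nearest multiple of 60.
    """
    if not 1 <= num <= 2097151:
        raise ValueError("idle-timeout must be 1-2097151 seconds")
    if num < 31:
        return num
    if num <= 60:
        return 60
    return num - num % 60


@dataclass(frozen=True)
class Outcome:
    time: int         # seconds after the session went idle
    reason: str       # "idle-timeout", "probes-exhausted" or "kept-alive"
    probes_sent: int  # keepalive ACKs the ACOS device had sent by then


def simulate_idle_session(idle_timeout: int, keepalive_interval: int,
                          keepalive_probes: int,
                          answered: Sequence[bool] = ()) -> Outcome:
    """Walk an idle session forward until it is deleted or kept alive.

    answered[n] is True when both devices answer probe n+1 before the next
    keepalive interval expires; missing entries count as unanswered.

    Timing assumptions (an interpretation of the page's text): probe n is
    sent n * keepalive_interval seconds into the idle period, the session is
    deleted one interval after the last probe goes unanswered, and an idle
    timeout that expires first deletes the session regardless of how many
    probes have been sent.  A response is credited at the probe time.
    """
    if not 60 <= keepalive_interval <= 12000:
        raise ValueError("keepalive-interval must be 60-12000 seconds")
    if keepalive_probes < 1:
        raise ValueError("keepalive-probes must be at least 1")
    deadline = effective_idle_timeout(idle_timeout)
    for n in range(1, keepalive_probes + 1):
        t_probe = n * keepalive_interval
        if t_probe >= deadline:
            # The idle timer ran out before this probe was due.
            return Outcome(deadline, "idle-timeout", n - 1)
        if n - 1 < len(answered) and answered[n - 1]:
            # Both ends answered: keepalive and idle timers restart from 0.
            return Outcome(t_probe, "kept-alive", n)
    t_delete = (keepalive_probes + 1) * keepalive_interval
    if t_delete >= deadline:
        return Outcome(deadline, "idle-timeout", keepalive_probes)
    return Outcome(t_delete, "probes-exhausted", keepalive_probes)


if __name__ == "__main__":
    # Values from this chapter's examples: keepalive-interval 120,
    # keepalive-probes 5, idle-timeout 600 (the default) or 3000.
    for idle in (600, 3000, 60):
        print(idle, simulate_idle_session(idle, 120, 5))
    print("answered on 2nd probe:",
          simulate_idle_session(600, 120, 5, [False, True]))
```

With the default idle-timeout of 600 seconds and a 120-second interval, the idle timer expires before the fifth probe is due, which is the "deleted even if the maximum number of probes has not been sent" case from the usage text.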

limited_slowstart
Description Specifies the maximum amount of data the ACOS device initially
transmits in an effort to promote a healthy network connection and avoid
congestion.

Syntax [no] limit-slowstart num

Parameter Description

num Amount of data transmitted during a TCP slow start (0-2147483647 bytes).

Default 0

Mode SLB TCP proxy template

Example Set the size of the TCP slow start to 500 bytes:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# limit-slowstart 500

maxburst
Description Limits the number of data segments that can be transmitted for each
TCP window the ACOS device sends.

Syntax [no] maxburst num


Parameter Description

num Number of segments transmitted (1-100).

Default 25

Mode SLB TCP proxy template

Example Set the number of segments transmitted to 100:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# maxburst 100

min-rto
Description Specifies the minimum retransmission timeout (RTO): the minimum length
of time the ACOS device allows for transmitting data and receiving the
acknowledgement that the data was received before it retransmits. This
configuration is particularly helpful in networks with low bandwidth; increase
the length of time for low-bandwidth networks.

Syntax [no] min-rto num

Parameter Description

num Length of time (in milliseconds) to complete data transmission and ACK
(100-1000 milliseconds).

Default 200 milliseconds

Mode SLB TCP proxy template

Example Set the length of time (in milliseconds) for round-trip data transmission to
500:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# min-rto 500

mss
Description Change the minimum supported TCP Maximum Segment Size (MSS).

Syntax [no] mss num

Parameter Description

num TCP maximum segment size in octets (128-1460).

Default 1460

Mode SLB TCP proxy template

Example Set the MSS to 1460:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# mss 1460

nagle
Description Enables the Nagle algorithm (described in RFC 896), which coalesces small
segments to reduce congestion.

Syntax [no] nagle

Default Not enabled

Mode SLB TCP proxy template

Example Enable the feature:


ACOS(config)# slb template tcp-proxy PROXY1
ACOS(config-tcp proxy)# nagle
ACOS(config-tcp proxy)#

proxy-header
Description Configures proxy protocol header insertion only. For more information on
the proxy protocol, refer to the HAProxy PROXY protocol documentation.

Syntax [no] proxy-header insert {v1 | v2}

Parameter Description

v1 Specifies the header in human-readable (ASCII string) format.

v2 Specifies the header in binary format.

Default Not configured.


Mode SLB TCP Proxy template mode

Example This example configures a tcp-proxy template with proxy-header version 1,
then binds it to a virtual port.
ACOS(config)# slb template tcp-proxy TP
ACOS(config-tcp proxy)# proxy-header insert v1
ACOS(config-tcp proxy)# exit
ACOS(config)# slb virtual-server VIP-10 10.1.1.1
ACOS(config-slb vserver)# port 80 tcp-proxy
ACOS(config-slb vserver-vport)# template tcp-proxy TP

Related Commands  
• Under SLB SIP template: insert-client-ip
• Under SLB TCP template: insert-client-ip
• Under SLB TCP proxy template: insert-client-ip

psh-flag-optimization
Description Enables PSH flag optimization on the TCP-Proxy template in configuration
mode.
The PSH (PUSH) flag is a TCP option that allows an application to start
sending the data even if the buffer is not full. By default, the PSH flag is
set on every data segment. To limit its use for SSL flows, the SSL flush routine
is modified to mark the last buffer within the queue with a PSH marker. When
PSH Flag Optimization is enabled, TCP reads the PSH marker and sets the PSH
flag on packets based on that marker.

Syntax [no] psh-flag-optimization

Default Not enabled

Mode SLB TCP proxy template

Example This example enables the feature:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# psh-flag-optimization
ACOS(config-tcp proxy)#

qos
Description Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in
client-server SLB traffic.

Syntax [no] qos num

Parameter Description

num You can set a value between 1 and 63. Based on the value you specify,
ACOS marks the traffic as follows:

• Layer 3 marking – ACOS sets the Differentiated Services Code Point (DSCP)
value in the IP header to the value you specify.
• Layer 2 marking – ACOS sets the 802.1p value in the MAC header to the
value you specify, divided by 9.

Mode SLB TCP proxy template

Example Set the QOS value to 63:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# qos 63

reassembly-limit
Description Specifies the maximum number of TCP segments allowed in the
assembly queue for each flow.

Syntax [no] reassembly-limit num

Parameter Description

num Number of segments allowed (1-500).

Default 25

Mode SLB TCP proxy template

Example Limit the number of reassembly segments to 100:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# reassembly-limit 100

reassembly-timeout
Description Specifies the length of time (in seconds) that the ACOS device waits for
progress to be made in the reassembly of TCP segments before it
removes segments from the assembly queue.

Syntax [no] reassembly-timeout num

Parameter Description

num Number of seconds before TCP segments are removed if reassembly does
not occur successfully (1-300 seconds).

Default 30 seconds

Mode SLB TCP proxy template

Example Set the reassembly timeout to 120 seconds:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# reassembly-timeout 120

receive-buffer
Description Specifies the maximum number of bytes addressed to the port that the
ACOS device will buffer.

Syntax [no] receive-buffer num

Parameter Description

num Number of bytes to buffer (1-2147483647).

Default 200000 (200KB)

Mode SLB TCP proxy template

Example Set the buffer size to 51200:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# receive-buffer 51200

reno
Description Enables the TCP Reno congestion control algorithm, and disables Cubic.


Syntax [no] reno

Default Not enabled; Cubic is used by default

Mode SLB TCP proxy template

Example Enable TCP Reno congestion control algorithm:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# reno

reset-fwd
Description Sends a TCP RST to the real server after a session times out.

Syntax [no] reset-fwd

Mode SLB TCP proxy template

Example Enable this feature:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# reset-fwd

reset-rev
Description Sends a TCP RST to the client after a session times out.

Syntax [no] reset-rev [STATE]

Parameter Description

STATE • disable - Send the TCP RST only when the server is Disabled.
      • down - Send the TCP RST only when a server is Down.

When no option is specified, TCP RST is sent for any error.

Mode SLB TCP proxy template

Usage If the server is Down, the reset-rev option immediately sends the RST to
the client and does not wait for the session to time out.
When using reset-rev disable with the disable-with-hm command under
SLB server configuration, the server is not treated as “disabled”, since
persistent sessions continue to use the “disabled” server.
When using reset-rev disable with the slb graceful-shutdown global
configuration command, a server in the enabled state is likewise not treated
as disabled but as UP, since existing sessions need to be drained rather than
reset.

Default Not enabled.

Example Enable this feature:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# reset-rev

retransmit-retries
Description Specifies the maximum number of times the ACOS device can retransmit
a data segment for which the ACOS device does not receive an ACK.

Syntax [no] retransmit-retries num

Parameter Description

num Number of retries (1-20).

Default 5

Mode SLB TCP proxy template

Example Configure 3 retry attempts:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# retransmit-retries 3

syn-retries
Description Specifies the maximum number of times the ACOS device can retransmit
a SYN for which the ACOS device does not receive an ACK.

Syntax [no] syn-retries num

Parameter Description

num Number of retries (1-20).


Default 5

Mode SLB TCP proxy template

Example Configure 7 retry attempts:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# syn-retries 7

timewait
Description Specifies the number of seconds that a connection can be in the TIME-WAIT
state before the ACOS device transitions it to the CLOSED state.

Syntax [no] timewait num

Parameter Description

num Number of seconds (1-60).

Default 5 seconds

Mode SLB TCP proxy template

Example Set the timewait interval to 7 seconds:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# timewait 7

transmit-buffer
Description Specifies the maximum number of bytes sent by the port that the ACOS
device will buffer.

Syntax [no] transmit-buffer num

Parameter Description

num Number of bytes to buffer (1-2147483647).

Default 200000 (200KB)

Mode SLB TCP proxy template

Example Set the buffer size to 51200 bytes:


ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# transmit-buffer 51200

Chapter 18: Config Commands: SLB UDP Templates
This section lists the commands and sub-commands to configure SLB User Datagram Protocol (UDP) templates.

The following topics are covered:

Global Configuration Commands

SLB UDP Template Configuration Mode Commands


Global Configuration Commands

The following global configuration mode command is available to configure SLB UDP templates:

slb template udp

slb template udp

Description Configure UDP connection settings.

Syntax [no] slb template udp {default | template-name}

Parameter Description

default Edit the default SLB UDP template. This template can be modified in
the same way as any custom template-name you specify.

template-name Template name (1-127 characters)

This command enters the SLB UDP Template Configuration Mode Commands for
the specified UDP template.

Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a UDP configuration template.
The no form of this command removes the template.
You can bind only one UDP template to a virtual port. However, you can
bind the same UDP template to multiple ports.

Example The following commands create a UDP template named “udp-quickterm”
and set session termination to occur immediately after a response is
received:
ACOS(config)# slb template udp udp-quickterm
ACOS(config-l4 udp)# aging immediate


SLB UDP Template Configuration Mode Commands

To access these commands at the SLB UDP template level, enter the slb template udp command.

The following topics are covered:

aging 463

idle-timeout 464

qos 464

re-select-if-server-down 465

stateless-conn-timeout 466

aging
Description Specifies how quickly sessions are terminated when the request is received.

Syntax [no] aging {immediate | short [seconds]}

Parameter Description

immediate • Response Received—Session is terminated within 1 second.
• No Response—Idle timeout value in UDP template is used.

short • Response Received—Session is terminated within 1 second.
• No Response—Session is terminated after the configured short aging period (1-30 seconds).

NOTE: Best Practice is to explicitly set aging in UDP templates used by DNS virtual ports.

Default Not set by default; the default behavior is:
• Response Received—Behavior depends on the port number:
  • Port 53 (default DNS port)—Session terminates within 1 second.
  • Any other port number—Session terminates after idle timeout expires.
• No Response—Idle timeout value in UDP template is used.

Mode SLB UDP template

Example Configure immediate aging:

ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# aging immediate

idle-timeout
Description Specifies the number of seconds a connection can remain idle before the ACOS device terminates the connection.

Syntax [no] idle-timeout num

Parameter Description

num Number of seconds (1-2097151, about 24 days).
• For values less than 31, ACOS uses the entered value.
• For values between 31 and 60, ACOS rounds up to 60 seconds.
• For values greater than 60, ACOS rounds down to the closest multiple of 60 seconds.

The maximum idle timeout supported for TFTP virtual ports is 15300 seconds (255 minutes).

Default 120 seconds

Mode SLB UDP template

Example Set the idle timeout to 300 seconds (5 minutes):

ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# idle-timeout 300
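The rounding rule above means the timeout the device applies can differ noticeably from the value typed into the template. The following Python model (an added example, not part of the ACOS documentation; the function names are this example's own) lets an operator predict the applied value and check it against the TFTP limit before committing a template change.

```python
# Added example, not from the ACOS documentation: a model of the rounding
# rule the idle-timeout description gives for SLB UDP templates, so that an
# operator can predict the timeout the device actually applies before
# committing a template change.

IDLE_TIMEOUT_MIN = 1
IDLE_TIMEOUT_MAX = 2097151        # about 24 days, per the parameter description
TFTP_MAX_IDLE_TIMEOUT = 15300     # 255 minutes, the stated limit for TFTP virtual ports


def effective_idle_timeout(configured: int) -> int:
    """Return the idle timeout ACOS applies for a configured `idle-timeout num`.

    Rules taken from the parameter description:
      * below 31 seconds the entered value is used as is;
      * 31 to 60 seconds rounds up to 60;
      * above 60 seconds rounds down to the closest multiple of 60.
    """
    if not IDLE_TIMEOUT_MIN <= configured <= IDLE_TIMEOUT_MAX:
        raise ValueError(
            f"idle-timeout must be {IDLE_TIMEOUT_MIN}-{IDLE_TIMEOUT_MAX}, got {configured}")
    if configured < 31:
        return configured
    if configured <= 60:
        return 60
    return configured - (configured % 60)


def tftp_supported(configured: int) -> bool:
    """True if the applied timeout stays within the stated TFTP virtual-port maximum."""
    return effective_idle_timeout(configured) <= TFTP_MAX_IDLE_TIMEOUT


def rounding_surprises(values) -> dict:
    """Map each configured value to its applied value wherever the two differ.

    Useful as a pre-commit check: a value such as 119 is applied as 60, so
    the effective timeout is almost half of what the template appears to say.
    """
    return {v: effective_idle_timeout(v) for v in values if effective_idle_timeout(v) != v}


if __name__ == "__main__":
    # Constructed sample of values an operator might type into a template.
    for v in (10, 30, 31, 45, 60, 61, 119, 120, 300, 15300, 15359, 15360):
        print(f"idle-timeout {v:>6} -> applied {effective_idle_timeout(v):>6}"
              f"  tftp_ok={tftp_supported(v)}")
```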

qos
Description Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic.

Syntax [no] qos num

Parameter Description

num Sets a value between 1 and 63. Based on the value you specify, ACOS marks the traffic as follows:
• Layer 3 marking – ACOS sets the Diffserv Control Point (DSCP) value in the IP header to the specified value.
• Layer 2 marking – ACOS sets the 802.1p value in the MAC header to the specified value divided by 9.

Mode SLB UDP template

Example Set the QOS value to 54:

ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# qos 54

re-select-if-server-down
Description Configures the ACOS device to select another real server if the server that is bound to an active connection goes down. Without this option, another server is not selected.
By default, the device clears all UDP sessions from the server that goes down.

Syntax [no] re-select-if-server-down [disable-clear-session]

Parameter Description

disable-clear-session When this option is enabled, the device does not immediately clear sessions from a server that goes down.

Default Not enabled.

Mode SLB UDP template

Example These commands configure the device to select another real server when a server bound to an active connection goes down, and to clear all UDP sessions for the disabled server:
ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# re-select-if-server-down

stateless-conn-timeout
Description Set the stateless current connection timeout value in seconds.

Syntax [no] stateless-conn-timeout num

Parameter Description

num Stateless connection timeout value in seconds (5-120).

Default 120 seconds

Mode SLB UDP template

Example Set the stateless connection timeout to 60 seconds:

ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# stateless-conn-timeout 60

Chapter 19: Config Commands: SLB Virtual Port Templates
This section lists the commands and sub-commands to configure SLB virtual port templates.

The following topics are covered:

Global Configuration Commands 468

SLB Virtual Port Template Configuration Commands 471


Global Configuration Commands

The following global configuration mode command is available to configure SLB virtual port templates:

slb template virtual-port

slb template virtual-port

Description Configure a template of SLB settings for virtual service ports.

Syntax [no] slb template virtual-port {default | template-name}

Parameter Description

default Edit the default virtual port template. This template can be modified in the same way as any custom template-name you specify.

template-name Template name (1-127 characters)

This command enters the SLB Virtual Port Template Configuration Commands for the specified Virtual-Port template.

Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a virtual service port template. The no form of this command removes the template.
You can bind only one virtual service port template to a virtual service port. However, you can bind the virtual service port template to multiple virtual service ports.
Some of the parameters that can be set using a template can also be set or changed on the individual virtual port.
• If a parameter is set (or changed from its default) in both a template and on the individual virtual port, the setting on the individual virtual port takes precedence.
• If a parameter is set (or changed from its default) in a template but not set or changed from its default on the individual virtual port, the template setting takes precedence.

Example These commands configure a virtual service port template named “common-vpsettings”, set the connection limit, and bind the template to a virtual port:
ACOS(config)# slb template virtual-port common-vpsettings
ACOS(config-vport)# conn-limit 500000
ACOS(config-vport)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.99
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template virtual-port common-vpsettings

Example The following commands create real server “s1” at 5.5.5.1 (with a real port range of 10), real server “s2” at 5.5.5.2 (with a range of 25), and real server “s3” at 5.5.5.3 (which does not have a range configured and will not be used for this feature). These real servers are then bound to a service group “sg1”, which is, in turn, bound to a VIP (“vip3”) at 10.10.10.0 /24. A virtual port template “vport1” is created, the allow-vip-to-rport-mapping option is enabled in it, and the template is bound to “vip3”.

ACOS(config)# slb server s1 5.5.5.1
ACOS(config-real server)# port 80 tcp range 10
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb server s2 5.5.5.2
ACOS(config-real server)# port 80 tcp range 25
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb server s3 5.5.5.3
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s3 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# allow-vip-to-rport-mapping
ACOS(config-vport)# exit
ACOS(config)# slb virtual-server vip3 10.10.10.0 /24
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# service-group sg1
ACOS(config-slb vserver-vport)# template virtual-port vport1
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# port 90 http
ACOS(config-slb vserver-vport)# service-group sg1
ACOS(config-slb vserver-vport)# template virtual-port vport1
ACOS(config-slb vserver-vport)# exit


SLB Virtual Port Template Configuration Commands

To access these commands at the SLB virtual-port template level, enter the slb template virtual-port command.

The following topics are covered:

aflow 471

allow-syn-otherflags 472

allow-vip-to-rport-mapping 472

conn-limit 473

conn-rate-limit 474

drop-unknown-conn 475

dscp 475

ignore-tcp-msl 476

non-syn-initiation 477

pkt-rate-limit 477

reset-l7-on-failover 479

reset-unknown-conn 479

snat-msl 480

snat-port-preserve 480

aflow
Description Enables aFlow control. aFlow helps avoid packet drops and retransmissions when a real server port reaches its configured connection limit.
aFlow control is triggered when either of the following occurs:
• If connection limit is configured on the real server or real port – The backend real server or real port reaches its configured connection limit.
• If connection limit is not configured on the real server or real port – The response time of the backend real server or real port increases dramatically. The response time is the time between when the ACOS device forwards a request to the server and when the ACOS device receives the first reply packet from the server.

NOTE: In the current release, it is recommended to use the first method for triggering aFlow, by configuring connection limits on the real servers or real ports. The second method of triggering aFlow is still being refined and is considered to be in Beta status.

When aFlow is enabled, the ACOS device queues HTTP/HTTPS packets from clients when a server port reaches a configured connection limit, instead of dropping them. The ACOS device then monitors the port, and begins forwarding the queued packets when connections become available again. To prevent flooding of the port, the ACOS device forwards the queued packets at a steady rate.
aFlow applies only to HTTP and HTTPS virtual ports.

Syntax [no] aflow

Default Not enabled.

Mode SLB virtual-port template

Example Enable this feature:


ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# aflow

allow-syn-otherflags
Description Allows initial SYN packet with other flags.

Syntax [no] allow-syn-otherflags

Default Not enabled.

Mode SLB virtual-port template

Example Enable this feature:


ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# allow-syn-otherflags

allow-vip-to-rport-mapping
Description Enables the VIP to Real Port Mapping feature for a subnet VIP.
The virtual port template containing this option must be bound to the VIP, and the VIP itself must use a subnet for the last octet (for example, 10.10.10.0 /24), or the feature will not work.

Syntax [no] allow-vip-to-rport-mapping

Default Not enabled.

Mode SLB virtual-port template

Example Enable this feature:


ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# allow-vip-to-rport-mapping

conn-limit
Description Specifies the maximum number of connections allowed on virtual ports that use this template.

Syntax [no] conn-limit connections [reset] [no-logging]

Parameter Description

connections Maximum number of concurrent connections, 0-8000000.

reset Specify the action to take for connections after the connection limit is reached on the virtual port. By default, excess connections are dropped. If you change the action to reset, the connections are reset instead.

no-logging Disable logging when this feature is enabled.

Default Not configured by default.

Mode SLB virtual-port template

Usage If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.

Example Configure a connection limit of 10000 connections per second, and disable logging:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# conn-limit 10000 no-logging

conn-rate-limit
Description Limits the rate of new connections the ACOS device is allowed to send to virtual ports that use this template. When a virtual port reaches its connection limit, the ACOS device stops selecting the port for client requests.

Syntax [no] conn-rate-limit connections [per {100ms | 1sec}] [reset] [no-logging]

Parameter Description

connections Maximum new connections allowed on a server. You can specify 1-1048575 connections.

per {100ms | 1sec} Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).

reset Send a reset (RST) to a client after the connection rate has been exceeded. By default (without this option), the ACOS device silently drops the request.
If you configure a limit for a virtual server and also for an individual port, the ACOS device uses the lower limit.

no-logging Disable logging when this feature is enabled.

Default Not configured by default.

Mode SLB virtual-port template

Usage If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.

Example Configure a connection rate limit of 10000 connections per second, and disable logging:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# conn-rate-limit 10000 no-logging

drop-unknown-conn
Description Drop the connection when a TCP packet without a SYN or RST flag is received and the packet does not belong to any existing connection.

Syntax [no] drop-unknown-conn

Default Not enabled.

Mode SLB virtual-port template

Example Enable this feature:


ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# drop-unknown-conn

dscp
Description Sets the Differentiated Services Code Point (DSCP) value in client requests before forwarding them to the server.

Syntax [no] dscp num

Parameter Description

num You can set the DSCP value to 1-63.

Mode SLB virtual-port template

Example The following example illustrates how this feature works:

1. Configure a port template named t1 that marks DSCP 4 on outgoing packets.

slb template port t1
  dscp 4

2. Configure a virtual-port template named vp1 that marks DSCP 6 on outgoing packets.

slb template virtual-port vp1
  dscp 6

3. Bind t1 to both port 80 tcp and port 443 tcp.

slb server s1 9.8.8.15
  port 80 tcp
    template port t1
  port 443 tcp
    template port t1

4. Configure a virtual server named vip2 with virtual port 80 http and port 443 tcp. Although the vp1 template is bound to both ports, outgoing packets are marked with DSCP 4, because real ports take precedence over virtual ports.

slb virtual-server vip2 fd5a:bfc:563c:bcda::100
  port 80 http
    source-nat pool s2
    service-group sg-80-6
    template virtual-port vp1
  port 443 https
    source-nat pool s2
    service-group sg-443-6
    template server-ssl s1
    template client-ssl cl-ssl1
    template virtual-port vp1

ignore-tcp-msl
Description Immediately reuse TCP sockets after session termination, without waiting
for the SLB Maximum Session Life (MSL) time to expire.

Syntax [no] ignore-tcp-msl

Default Not enabled.

Mode SLB virtual-port template

Example Enable this feature:


ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# ignore-tcp-msl


non-syn-initiation
Description Enables a TCP session to be created when the initial TCP packet is non-SYN.
This feature is useful in VRRP-A topologies where, after a failover, a non-SYN packet from the existing connection arrives at the new active device and a session can be created on the new active device without having to configure ha-conn-mirror under the virtual port.

Syntax [no] non-syn-initiation

Default Not enabled.

Mode SLB virtual-port template

Usage To guarantee the same backend server is selected after failover, use the src-ip-only method.
This feature is only supported on TCP virtual ports and is not supported when:
• source-nat is configured on the virtual port.
• syn-cookie is configured on the virtual port.
• A conn-limit is configured on a real server or real port.

pkt-rate-limit
Description Configure packet rate limit for the virtual port.

Syntax [no] pkt-rate-limit TYPE rate pkt-rate [SAMPLE] [THOLD] [LOG] [RR]

Parameter Description

TYPE Specifies the rate limited source. Options include:
• src-ip-port — configure source IP and port rate limit.
• src-port — configure source port limit.

pkt-rate Specifies the packet rate (per second). Value range is 1 to 1048575.

SAMPLE Specifies packet rate sampling interval. Options include:
• <no parameter> — packet rate sampling is measured in one second intervals.
• per second — packet rate sampling is measured in one second intervals.
• per 100ms — packet rate sampling is measured in 100 ms intervals.

THOLD Specifies a packet rate threshold for sending a TCP reset that terminates sessions that exceed the threshold. Options include:
• <no parameter> — threshold is not set and TCP reset is never sent.
• reset rst-rate — TCP reset is sent when packet rate exceeds rst-rate (range is 1 to 1048575). The reset rate should be greater than the packet rate (pkt-rate).

LOG Specifies event logging frequency when packet rate is exceeded. Options include:
• <no parameter> — Log rate is once per minute (default).
• no-logging — log entries are not created when packet rate limit is exceeded.
• no-repeat-logging — event is logged once.

RR Specifies use of round robin distribution to trigger rate limiting. Options include:
• <no parameter> — CPU distribution algorithm not considered.
• when-rr-enable — Packets are rate limited only when CPU round-robin is triggered.

Default Not enabled.

Mode SLB virtual-port template

Example These commands configure a template with a packet rate limit such that packets are dropped when the rate from a source port exceeds 500 packets per second; a TCP reset is sent to terminate the session when the source’s packet rate exceeds 1000 packets per second.
ACOS(config)# slb template virtual-port vsettings
ACOS(config-vport)# pkt-rate-limit src-port rate 500 reset 1000
ACOS(config-vport)#
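To make the interaction of pkt-rate, the sampling interval and the reset threshold concrete, the following Python model (an added example, not part of the ACOS documentation or of the device's code) classifies each packet of a constructed trace the way the parameter descriptions above say the device would. How the device counts internally is not published, so the per-interval bucket counting here is an assumption, as are the class and function names.

```python
# Added example, not from the ACOS documentation: a model of the per-source-port
# accounting that pkt-rate-limit TYPE src-port describes, with the optional
# `reset rst-rate` threshold and the one-second / 100 ms sampling interval.
# Each packet of a constructed trace is classified as forwarded, dropped, or
# answered with a TCP reset. The device's exact internals are not public; the
# interval-bucket counting here is an assumption that follows the parameter text.

from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

RATE_MIN, RATE_MAX = 1, 1048575          # documented range for pkt-rate and rst-rate


class SrcPortPacketRateLimit:
    """pkt-rate-limit src-port rate <pkt-rate> [per 100ms] [reset <rst-rate>]."""

    def __init__(self, pkt_rate: int, rst_rate: Optional[int] = None,
                 interval: float = 1.0):
        if not RATE_MIN <= pkt_rate <= RATE_MAX:
            raise ValueError(f"pkt-rate out of range: {pkt_rate}")
        if rst_rate is not None:
            if not RATE_MIN <= rst_rate <= RATE_MAX:
                raise ValueError(f"rst-rate out of range: {rst_rate}")
            if rst_rate <= pkt_rate:
                # The reference says the reset rate should exceed the packet rate;
                # otherwise the plain drop action could never be reached.
                raise ValueError("rst-rate must be greater than pkt-rate")
        if interval not in (1.0, 0.1):      # `per second` (default) or `per 100ms`
            raise ValueError("sampling interval must be 1.0 or 0.1 seconds")
        self.pkt_rate, self.rst_rate, self.interval = pkt_rate, rst_rate, interval
        # source port -> (sampling bucket index, packets seen in that bucket)
        self._buckets: Dict[int, Tuple[int, int]] = {}

    def handle(self, t: float, src_port: int) -> str:
        """Classify one packet arriving at time t (seconds) from src_port."""
        bucket = int(t // self.interval)
        seen_bucket, count = self._buckets.get(src_port, (bucket, 0))
        if seen_bucket != bucket:            # new sampling interval: counter restarts
            count = 0
        count += 1
        self._buckets[src_port] = (bucket, count)
        if self.rst_rate is not None and count > self.rst_rate:
            return "reset"                   # THOLD exceeded: TCP RST terminates the session
        if count > self.pkt_rate:
            return "drop"                    # rate exceeded: packet dropped
        return "forward"


def run_trace(limiter: SrcPortPacketRateLimit,
              trace: Iterable[Tuple[float, int]]) -> Dict[str, int]:
    """Feed (timestamp, source port) pairs through the limiter and tally the verdicts."""
    return dict(Counter(limiter.handle(t, port) for t, port in trace))


# Constructed trace (not captured traffic): port 40000 sends 6 packets in the
# first second and 2 in the next; port 40001 sends 2 packets in the first second.
SAMPLE_TRACE = [
    (0.05, 40000), (0.10, 40000), (0.15, 40001), (0.20, 40000),
    (0.25, 40000), (0.30, 40001), (0.35, 40000), (0.40, 40000),
    (1.10, 40000), (1.20, 40000),
]


if __name__ == "__main__":
    # Scaled-down version of the page's `rate 500 reset 1000`: drop above 3
    # packets per second per source port, send a reset above 5.
    print(run_trace(SrcPortPacketRateLimit(pkt_rate=3, rst_rate=5), SAMPLE_TRACE))
```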

reset-l7-on-failover
Description Resets a Layer 7 connection upon failover.

Syntax [no] reset-l7-on-failover

Default Not enabled.

Mode SLB virtual-port template

Example Enable this feature:


ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# reset-l7-on-failover

reset-unknown-conn
Description Enables sending TCP Reset (RST) in response to a session mismatch, which occurs when the ACOS device receives a TCP packet for a TCP session that is not in the active session table on the ACOS device.

Syntax [no] reset-unknown-conn

Default Not enabled.

Mode SLB virtual-port template

Example Enable this feature:


ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# reset-unknown-conn

snat-msl
Description Set the Maximum Segment Life (MSL) for source-NAT connections. This
option is useful for servers that have older TCP/IP stacks, which wait up
to 240 seconds (4 minutes) after a FIN before the endpoint can enter a
new connection.

Syntax [no] snat-msl seconds

Parameter Description

seconds You can set the MSL to 1-1800 seconds.

Mode SLB virtual-port template

Example Set the source-NAT MSL to 45 seconds.


ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# snat-msl 45

snat-port-preserve
Description Attempts to preserve the client’s source port for traffic destined for the vir-
tual port.

Syntax [no] snat-port-preserve

Default Not enabled.

Mode SLB virtual-port template

Usage Note:
• Port preservation is not always guaranteed and is performed on a best-effort basis.
• Port preservation depends on the number of Platform CPUs. Hence, in some cases, the ports from 1024 - <xxxx> will not be preserved.
• Port preservation does not work for FTP active mode sessions.
• Port preservation works only if source NAT is enabled for the virtual port.

Example Enable this feature:


ACOS(config)# slb template virtual-port vport1
ACOS(config-vport)# snat-port-preserve

Chapter 20: Config Commands: SLB Virtual Server Templates
This section lists the commands and sub-commands to configure SLB virtual server templates.

The following topics are covered:

Global Configuration Commands 484

SLB Virtual Server Template Configuration Commands 486


Global Configuration Commands


The following topics are covered:

slb template virtual-server 484

slb template virtual-server

Description Configure a template of SLB settings for virtual servers.

Syntax [no] slb template virtual-server {default | template-name}

Parameter Description

default Edit the default virtual server template. This template can be modified in the same way as any custom template-name you specify.

template-name Template name (1-127 characters)

This command enters the SLB Virtual Server Template Configuration Commands for the specified Virtual-Server template.

Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.

Mode Configuration mode

Usage The normal form of this command creates a virtual server template. The no form of this command removes the template.

You can bind only one virtual server template to a virtual server. However, you can bind the virtual server template to multiple virtual servers.
Some of the parameters that can be set using a template can also be set or changed on the individual virtual server:
• If a parameter is set (or changed from its default) in both a template and on the individual virtual server, the setting on the individual virtual server takes precedence.
• If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual virtual server, the setting in the template takes precedence.

Example The following commands configure a virtual server template called “vs-tmplt1” that sets ICMP rate limiting, and bind the template to a virtual server:
ACOS(config)# slb template virtual-server vs-tmplt1
ACOS(config-vserver)# icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.2
ACOS(config-slb virtual server)# template virtual-server vs-tmplt1


SLB Virtual Server Template Configuration Commands

To access commands at the SLB virtual-server template level, enter the slb template virtual-server command.

The following topics are covered:

conn-limit 486

conn-rate-limit 487

icmp-rate-limit 488

icmpv6-rate-limit 489

subnet-gratuitous-arp 490

disable-when-all-ports-down 491

disable-when-any-port-down 491

conn-limit
Description Specifies the maximum number of connections allowed on virtual servers that use this template.

Syntax [no] conn-limit connections [reset] [no-logging]

Parameter Description

connections Maximum number of concurrent connections, 0-8000000.

reset Specify the action to take for connections after the connection limit is reached on the virtual server. By default, excess connections are dropped. If you change the action to reset, the connections are reset instead.

no-logging Disable logging when this feature is enabled.

Default Not configured by default.

Mode SLB virtual-server template

Usage If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.

Example Configure a connection limit of 10000 connections per second, and disable logging:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# conn-limit 10000 no-logging

conn-rate-limit
Description Limits the rate of new connections the ACOS device is allowed to send to servers that use this template. When a real server reaches its connection limit, the ACOS device stops selecting the server for client requests.

Syntax [no] conn-rate-limit connections [per {100ms | 1sec}] [reset] [no-logging]

Parameter Description

connections Maximum number of new connections allowed on a server. You can specify 1-1048575 connections.

per {100ms | 1sec} Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).

reset Send a reset (RST) to a client after the connection rate has been exceeded. By default (without this option), the ACOS device silently drops the request.
If you configure a limit for a server and also for an individual port, the ACOS device uses the lower limit.

no-logging Disable logging when this feature is enabled.

Default Not configured by default.

Mode SLB virtual-server template

Usage If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.

Example Configure a connection rate limit of 10000 connections per second, and disable logging:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# conn-rate-limit 10000 no-logging

icmp-rate-limit
Description Configures ICMP (v4) rate limiting for the virtual server, to protect against denial-of-service (DoS) attacks.

Syntax [no] icmp-rate-limit normal-rate [lockup max-rate lockup-time]

Parameter Description

normal-rate Maximum number of ICMP packets allowed per second. If the virtual server receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 packets per second.

max-rate Maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP traffic to the virtual server. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be larger than the normal rate.

lockup-time Number of seconds for which the ACOS device drops all ICMP traffic to the virtual server, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

Default By default, this is not set. When enabled, specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

Mode SLB virtual-server template

Example Configure ICMP rate limiting to allow 5000 packets per second:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# icmp-rate-limit 5000

icmpv6-rate-limit
Description Configures ICMPv6 rate limiting for the virtual server, to protect against denial-of-service (DoS) attacks.

Syntax [no] icmpv6-rate-limit normal-rate [lockup max-rate lockup-time]

Parameter Description

normal-rate Maximum number of ICMPv6 packets allowed per second. If the virtual server receives more than the normal rate of ICMPv6 packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 packets per second.

max-rate Maximum number of ICMPv6 packets allowed per second before the ACOS device locks up ICMPv6 traffic to the virtual server. When ICMPv6 traffic is locked up, all ICMPv6 packets are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be larger than the normal rate.

lockup-time Number of seconds for which the ACOS device drops all ICMPv6 traffic to the virtual server, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

Default Not set by default. When enabled, specifying a maximum lockup rate and lockup time is optional. When they are not specified, lockup does not occur.

Mode SLB virtual-server template

Example Configure ICMPv6 rate limiting to allow 5000 packets per second:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# icmpv6-rate-limit 5000
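The icmp-rate-limit and icmpv6-rate-limit entries above share one behaviour: excess over normal-rate is dropped until the next one-second interval, and exceeding max-rate locks all ICMP out for lockup-time. The following Python model is an added example (not part of the ACOS documentation or of the device's code) that runs a constructed burst through those rules; the class and function names are this example's own, and the exact moment a real device starts the lockup is an assumption noted in the code.

```python
# Added example, not from the ACOS documentation: a model of the icmp-rate-limit
# and icmpv6-rate-limit semantics (normal-rate, optional lockup max-rate and
# lockup-time) run over a constructed per-second packet trace. Whether a real
# device starts the lockup at the triggering packet or at the next one-second
# interval is not stated; this model starts it immediately and keeps it for
# lockup-time whole seconds after the current interval ends.

from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

RATE_MIN, RATE_MAX = 1, 65535           # documented range for normal-rate and max-rate
LOCKUP_MIN, LOCKUP_MAX = 1, 16383       # documented range for lockup-time (seconds)


@dataclass
class IcmpRateLimiter:
    """icmp-rate-limit <normal-rate> [lockup <max-rate> <lockup-time>]."""
    normal_rate: int
    max_rate: Optional[int] = None
    lockup_time: int = 0
    _second: int = field(default=-1, init=False, repr=False)
    _count: int = field(default=0, init=False, repr=False)
    _locked_until: int = field(default=-1, init=False, repr=False)

    def __post_init__(self) -> None:
        if not RATE_MIN <= self.normal_rate <= RATE_MAX:
            raise ValueError(f"normal-rate out of range: {self.normal_rate}")
        if self.max_rate is not None:
            if not RATE_MIN <= self.max_rate <= RATE_MAX:
                raise ValueError(f"max-rate out of range: {self.max_rate}")
            if self.max_rate <= self.normal_rate:
                raise ValueError("max-rate must be larger than normal-rate")
            if not LOCKUP_MIN <= self.lockup_time <= LOCKUP_MAX:
                raise ValueError(f"lockup-time out of range: {self.lockup_time}")

    def admit(self, t: float) -> str:
        """Return the verdict for one ICMP packet arriving at time t (seconds)."""
        second = int(t)
        if second != self._second:           # new one-second interval: counter restarts
            self._second, self._count = second, 0
        if second < self._locked_until:
            return "locked"                  # lockup in force: every ICMP packet dropped
        self._count += 1
        if self.max_rate is not None and self._count > self.max_rate:
            # Assumption: lockup covers the rest of this second plus lockup_time seconds.
            self._locked_until = second + 1 + self.lockup_time
            return "locked"
        if self._count > self.normal_rate:
            return "drop"                    # excess over normal-rate until the next second
        return "forward"


def run_trace(limiter: IcmpRateLimiter, timestamps: Iterable[float]) -> Dict[str, int]:
    """Tally verdicts for a sequence of ICMP arrival times."""
    return dict(Counter(limiter.admit(t) for t in timestamps))


# Constructed burst (not captured traffic): 7 packets in second 0, then one
# or two per second, then 4 packets in second 3.
SAMPLE_TRACE = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7,
                1.0, 1.5, 2.0, 3.0, 3.2, 3.4, 3.6]


if __name__ == "__main__":
    # Scaled-down version of `icmp-rate-limit normal-rate lockup max-rate lockup-time`:
    # forward 3/s, lock ICMP out for 2 s once a second carries more than 5 packets.
    print(run_trace(IcmpRateLimiter(normal_rate=3, max_rate=5, lockup_time=2), SAMPLE_TRACE))
    # Same trace with no lockup configured: only the per-second excess is dropped.
    print(run_trace(IcmpRateLimiter(normal_rate=3), SAMPLE_TRACE))
```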

subnet-gratuitous-arp
Description Enables gratuitous ARPs for all VIPs in subnet VIPs. A subnet VIP is a
range of VIPs created from a range of IP addresses within a subnet.
This option applies only to VIPs created using a range of subnet IP
addresses. The option has no effect on VIPs created with a single IP
address.

Syntax [no] subnet-gratuitous-arp

Default This is disabled by default; the ACOS device sends gratuitous ARPs for
only the first IP address in a subnet VIP.

Mode SLB virtual-server template

Example Send a gratuitous ARP for every IP in the subnet virtual server.
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# subnet-gratuitous-arp

disable-when-all-ports-down
Description Disable virtual server when all member ports are down.

Syntax [no] disable-when-all-ports-down

Default Not set by default.

Mode SLB virtual-server template

Example To disable the virtual server when all ports are down:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# disable-when-all-ports-down
ACOS(config-vserver)# no disable-when-all-ports-down

disable-when-any-port-down
Description Disable the virtual server when any member port is down.

Syntax [no] disable-when-any-port-down

Default Not set by default.

Mode SLB virtual-server template

Example To disable the virtual server when any port is down:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# disable-when-any-port-down
ACOS(config-vserver)# no disable-when-any-port-down

Chapter 21: Config Commands: SLB Servers
This section lists the commands and sub-commands to configure SLB servers.

These commands apply to real servers, not virtual servers, described in Config Commands:
SLB Virtual Servers.

To access this configuration level, enter the slb server server-name command at the global
Config level.
ACOS(config)# slb server s1
ACOS(config-real server)#

The following topics are covered:

alternate 495

clear slb unused-server-ports 495

clear slb virtual-server 497

conn-limit 500

conn-resume 500

disable 501

disable-with-health-check 501

enable 502

extended-stats 503

external-ip 503

health-check 503

health-check-disable 504

ipv6 504

port 504

slow-start 512

spoofing-cache 513

support-http2 513

stats-data-disable 514

stats-data-enable 514

template server 514

weight 515

alternate
Description Assign an alternate server as a dedicated backup for a primary
server.

Syntax [no] alternate sequence-num server-name

Parameter Description

sequence-num Priority of the server as a backup. You can specify 1-16.

server-name Name of the alternate server.

Default Not set

Mode Real server

Usage You can assign up to 16 alternate servers to a primary server. Only 1
alternate server for a given primary server can be active at a time.
This feature places an alternate server into service only if the primary
server goes down. Other features such as connection limiting or
connection-rate limiting cannot cause an alternate server to be used. Do
not add alternate servers to the service group.
For more information, see the “Alternate Servers for Server-specific
Backup” chapter in the Application Delivery Controller Guide.

clear slb unused-server-ports
Description Deletes real server ports that are not assigned to at least one service
group by removing the corresponding port statements from slb real
server configurations.
The system log displays ports that are deleted by the clear command.

Syntax clear slb unused-server-ports [all-partitions]

The command is available in all partitions. The all-partitions option is only
available in the shared partition and extends the command's effect to all
partitions on the device. When the all-partitions option is not specified,
the clear port action is effective only within the partition where it is
invoked.
Block merge and replace modes do not support the removal of ports through
this clear command. The system log provides a Warning message when the
clear slb unused-server-ports command is not successful.

Mode Privileged EXEC mode

Example The clear slb unused-server-ports command removes a tcp port
(78) and udp port (98) from the s1 real server. The show commands
demonstrate the effect of the clear command.
ACOS(config)# show running-config slb
!Section configuration: 378 bytes
!
slb server s1 10.0.0.15
port 78 tcp
port 88 tcp
port 88 udp
port 98 udp
port 98 tcp
!
slb service-group sg1 tcp
member s1 88
member s1 98
!
slb service-group sg2 udp
member s1 88
!
ACOS(config)# clear slb unused-server-ports
ACOS(config)# show running-config slb
!Section configuration: 333 bytes
!
slb server s1 10.0.0.15
port 88 tcp
port 88 udp
port 98 tcp
!
slb service-group sg1 tcp
member s1 88
member s1 98
!
slb service-group sg2 udp
member s1 88
!
ACOS(config)#
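The selection rule behind clear slb unused-server-ports, reproduced in Python on the configuration from the example above, so the removed ports can be predicted (and audited) before the command is run. This is an added example, not ACOS code: it assumes the config layout shown in this section (slb server blocks with port lines, slb service-group blocks whose member lines take the group's protocol), and the function names parse_slb_config, unused_server_ports and apply_clear are ours.

```python
"""Reproduce the selection rule behind `clear slb unused-server-ports`:
a real-server port is removable when no service group lists it as a member.
Added illustration, not ACOS code. It assumes the config layout shown in
the example above: `slb server NAME IP` blocks with `port NUM PROTO` lines,
and `slb service-group NAME PROTO` blocks whose `member SERVER PORT` lines
take the group's protocol."""
import re

# Constructed sample: the 'before' configuration from the example above.
SAMPLE_CONFIG = """\
!Section configuration: 378 bytes
!
slb server s1 10.0.0.15
port 78 tcp
port 88 tcp
port 88 udp
port 98 udp
port 98 tcp
!
slb service-group sg1 tcp
member s1 88
member s1 98
!
slb service-group sg2 udp
member s1 88
!
"""

SERVER_RE = re.compile(r"^slb server (\S+)\b")
GROUP_RE = re.compile(r"^slb service-group (\S+) (tcp|udp)$")
PORT_RE = re.compile(r"^port (\d+) (tcp|udp)$")
MEMBER_RE = re.compile(r"^member (\S+) (\d+)$")


def parse_slb_config(text):
    """Return (server_ports, member_ports) as sets of (server, port, proto)."""
    server_ports, member_ports = set(), set()
    server = group_proto = None          # which block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                     # banner / separator lines
        if m := SERVER_RE.match(line):
            server, group_proto = m.group(1), None
        elif m := GROUP_RE.match(line):
            group_proto, server = m.group(2), None
        elif (m := PORT_RE.match(line)) and server:
            server_ports.add((server, int(m.group(1)), m.group(2)))
        elif (m := MEMBER_RE.match(line)) and group_proto:
            member_ports.add((m.group(1), int(m.group(2)), group_proto))
    return server_ports, member_ports


def unused_server_ports(text):
    """Ports defined on real servers but referenced by no service group,
    i.e. the `port` statements the clear command would delete."""
    server_ports, member_ports = parse_slb_config(text)
    return sorted(server_ports - member_ports)


def apply_clear(text):
    """Return the config with those `port` lines removed (the byte count in
    the banner is not recomputed)."""
    unused = set(unused_server_ports(text))
    out, server = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            server = m.group(1)
        elif GROUP_RE.match(line):
            server = None
        elif (m := PORT_RE.match(line)) and server:
            if (server, int(m.group(1)), m.group(2)) in unused:
                continue                 # drop it, as the clear command does
        out.append(raw)
    return "\n".join(out) + "\n"
```

Running unused_server_ports on the sample returns port 78 tcp and port 98 udp on s1, matching the before/after output above. Because the real command also logs each deleted port, comparing this prediction with the system log after the fact is a cheap way to confirm nothing unexpected was removed.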

clear slb virtual-server
Description Clear information for SLB virtual servers.

Syntax clear slb virtual-server [virtual-server-name [vport-num {port-type
[service-group-name] | [application-statistics] | [detail] | [dns-cache
{entry {dns-class string | dns-type string | domain-name {dns_domain_name |
fqdn_domain} name}}] | host-hits-counter {host-name | all} |
url-hits-counter {url-string | all}}] [all]]

Option Description

virtual-server-name Clear information only for the specified virtual server.
• The vport-num port-type option clears information only for the
specified virtual port on the virtual server.
• The service-group-name option further restricts the output, to clear
information only for the specified service group.
• The application-statistics option clears statistics related to an
application.
• The detail option clears connection and packet statistics. Specifying
detail also clears the connection rate per virtual port for each virtual
server.
• The dns-cache option along with entry clears DNS cache entries for one
of the filters given below:
  - dns-class - You can specify one of the following DNS classes:
    IN – INTERNET class
    CH – CHAOS class
    HS – HESIOD class
    NONE – NONE query class
    ANY – ANY query class
    num - Other class value (1-65535)
  - dns-type - You can specify one of the following DNS types:
    A – Address type
    AAAA – IPv6 Address type
    CNAME – Canonical name type
    MX – Mail exchange type
    NS – Name server type
    SRV – Service locator
    PTR – PTR resource type
    SOA – Start of authority type
    TXT – Text type
    ANY – All cached types
    num - Other type value (1-65535)
  - domain-name - You can specify one of the following:
    dns_domain_name – Domain name
    fqdn_domain – Fully qualified domain name
• The host-hits-counter option clears rule-matching statistics for host
switching.
• The url-hits-counter option clears rule-matching statistics for URL
switching.

all Clear information for all virtual servers.

Mode Privileged EXEC mode

Usage To clear the virtual-server information for a specific partition, use the
partition option; use partition shared for the shared partition, or
partition name, where name is a specific L3V partition.

Example The following command clears the virtual port DNS cache based on
FQDN:
ACOS(config)# clear slb virtual-server vip1 53 dns-udp dns-cache entry domain-name fqdn_domain foo.com

Example The following command clears the virtual port DNS cache for DNS type
ANY:
ACOS(config)# clear slb virtual-server vip1 53 dns-tcp dns-cache entry dns-type ANY

Example The following command clears the virtual port DNS cache for DNS class
66:
ACOS(config)# clear slb virtual-server vip1 53 dns-tcp dns-cache entry dns-class 66

conn-limit
Description Specify maximum number of concurrent connections allowed on a real
server.

Syntax [no] conn-limit max-connections

Replace max-connections with the maximum number of concurrent
connections allowed on the server. You can specify 1-8000000 (eight
million).

Default 8000000

Mode Real server

Usage If you set a connection limit, it is recommended that you also set the
conn-resume interval. (See conn-resume.)
You also can set the connection limit on individual protocol ports. In this
case, the limit specified for the port overrides the limit set at the server
level.

Example The following command sets the connection limit to 10,000:
ACOS(config)# slb server rs123
ACOS(config-real server)# conn-limit 10000

conn-resume
Description Specify the maximum number of connections the server can have
before the ACOS device resumes use of the server. Use does not resume
until the number of connections reaches the configured maximum or
less.

Syntax [no] conn-resume connections

Replace connections with the maximum number of connections the
server can have before the ACOS device resumes use of the server. You
can specify 1-1000000 (1 million) connections.

Default By default, this option is not set. The ACOS device is allowed to start
sending new connection requests to the server when the number of
connections on the server falls below the connection limit threshold set by
conn-limit.

Mode Real server

Usage You also can set the conn-resume value on individual protocol ports.
In this case, the value specified for the port overrides the value set at
the server level.

Example The following command sets the conn-resume option to 500,000
connections:
ACOS(config)# slb server rs123
ACOS(config-real server)# conn-resume 500000

disable
Description Disable a real server.

Syntax [no] disable

Default Enabled

Mode Real server

Example The following commands disable a server named “rs123”:
ACOS(config)# slb server rs123
ACOS(config-real server)# disable

disable-with-health-check
Description Disable a service-group member from normal server selection, but still
maintain the health of the server.
This feature is ideal if you periodically need to take active servers out of
service pools for maintenance, but this maintenance is done through a
remote client. The feature allows you to access these servers using the
same front-end VIP in the presence of a persistent cookie template or
LB::reselect aFleX command.

This feature is available in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 and
later.

Syntax disable-with-health-check

Default This feature is not enabled by default.

Mode Real server

Usage In addition to real server configuration mode, this command is also
available from the following modes:
• Real server port configuration (see port)
• Service-group member (see member)

Example This example configures health monitor “hm1” to use ICMP transparent
health method and apply the monitor to a TCP port on real server
“realserver1”. Disable-with-health-check is enabled at the SLB server
configuration level.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method icmp transparent 1.0.0.1
ACOS(config-health:monitor)# exit
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# disable-with-health-check
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check hm1
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member realserver1 80
ACOS(config-slb svc group-member:80)#

enable
Description Re-enable a real server.

Syntax [no] enable

Default Enabled

Mode Real server

Example The following commands re-enable a disabled server named “rs123”:
ACOS(config)# slb server rs123
ACOS(config-real server)# enable

extended-stats
Description Enable collection of peak connection statistics for a server.

Syntax [no] extended-stats

Default Disabled

Mode Real server

external-ip
Description Assign an external Network Address Translation (NAT) IP address to
the server. The external IP address allows a server that has an
internal IP address to be reached from outside the internal network.

Syntax [no] external-ip ipaddr

Default None

Mode Real server

Example The following commands configure external IP address 192.168.10.11 on
real server “rs123”:
ACOS(config)# slb server rs123
ACOS(config-real server)# external-ip 192.168.10.11

health-check
Description Enable health monitoring for a server.

Syntax [no] health-check monitor-name

Replace monitor-name with the name of a configured health monitor. If
you omit this command, the default ICMP health monitor is used. (See
below.)

Default ICMP ping (echo request), sent every 5 seconds. If ping fails 4 times
consecutively (first attempt followed by 3 retries), the ACOS device sets the
server state to DOWN.

Mode Real server

Usage Entering the command at this level enables Layer 3 health checking. The
monitor you specify must use the ICMP method.

Example The following command sets a server to use the “RUthere” health
monitor:
ACOS(config)# slb server rs123
ACOS(config-real server)# health-check RUthere

health-check-disable
Description Disable health monitoring of the server.

Syntax [no] health-check-disable

Default The default Layer 3 health method (ping) is used by default.

ipv6
Description Assign an IPv6 address to the real server for GSLB.

Syntax [no] ipv6 ipv6addr

Default None

Mode Real server

port
Description Configure a TCP or UDP port on a server.

Syntax [no] port port-num {tcp | udp} [range num]

Parameter Description

port-num Protocol port number, 0-65534.
Port number 0 is a wildcard port used for IP protocol load balancing. For
more information, see the “IP Protocol Load Balancing” chapter of the
Application Delivery Controller Guide.

tcp | udp Protocol type.
When configuring a port for NetFlow, use UDP. TCP is not supported for
NetFlow.

range num Specifies the range of real ports you want to create within the
real server configuration. This value can range from 0-254.
The specified port number is the base number for the range of real ports.

This command changes the CLI to the configuration level for the
specified port, where the following port-related commands are available:

Command Description

[no] alternate sequence-num server-name port portnum
Configure an alternate port for the primary port. Sequence-num can be
1-16. (For more information, see “Dedicated Backups for Real Server
Ports” in the Application Delivery Controller Guide.)

[no] authentication-server profile-name
Binds an authentication-server profile to the port.
NOTE: This option applies to Application Access Management (AAM).

[no] conn-limit max-connections
Specifies the maximum number of concurrent connections allowed on the
server for this port, 0-8000000 (eight million).
The default is 8000000.

[no] conn-resume connections
Specifies the maximum number of connections the service port can have
before the ACOS device resumes use of the port. Use does not resume until
the number of connections reaches the configured maximum or less. You can
specify 1-1000000 (1 million) connections.
By default, this option is not set. The ACOS device is allowed to start
sending new connection requests to the service port as soon as the number
of connections on the port falls back below the connection limit threshold
set by the conn-limit command.

disable
Disables the port.

disable-with-health-check
Disable member service port, but maintain the server’s health check status.
This feature is introduced in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 to
allow you to disable a service-group member’s port from normal server
selection, but still maintain the health of the server.
This feature is ideal if you periodically need to take active servers out of
service pools for maintenance, but this maintenance is done through a
remote client. The feature allows you to access these servers using the
same front-end VIP in the presence of a persistent cookie template or
LB::reselect aFleX command.

enable
Enables the port.

[no] extended-stats
Enables collection of SLB peak connection statistics for the port.

[no] health-check monitor-name
Enables health monitoring of the port. The monitor-name specifies the name
of a configured health monitor.
If you omit this command or you enter it without the monitor-name option,
the default TCP or UDP health monitor is used:
• TCP – Every 5 seconds, the ACOS device sends a connection request (TCP
SYN) to the specified TCP port on the server. The port passes the health
check if the server replies to the ACOS device by sending a TCP SYN ACK.
• UDP – Every 5 seconds, the ACOS device sends a packet with a valid UDP
header and a garbage payload to the UDP port. The port passes the health
check if the server either does not reply, or replies with any type of
packet except an ICMP Error message.

[no] health-check-follow-port port-num {tcp | udp}
Specifies another real port upon which to base this port’s health status.
Both the real port and the port to use for the real port’s health status
must be the same type, TCP or UDP. By default, this option is not set.

[no] health-check-disable
Disables health monitoring of the port.

[no] no-ssl
Disables SSL for server-side connections. This command is useful if a
server-SSL template is bound to the virtual port that uses this real port,
and you want to disable encryption on this real port.
Encryption is disabled by default, but it is enabled for server-side
connections when the real port is used by a virtual port that is bound to a
server-SSL template.
Using the double-negative form of the command (no no-ssl) enables SSL for
server-side connections.

[no] service-principal-name string [...]
Specifies the Kerberos principal name of this server port. This is the ACOS
client name presented to the application server.
NOTE: This option applies to Application Access Management (AAM).

stats-data-disable | stats-data-enable
Disable or enable statistical data collection for the port.

[no] template port template-name
The port option binds a port template to the port. The parameter settings
in the template are applied to the port.
The real port template named “default” is bound to real ports by default.
Parameter settings in the default real port template automatically apply to
the port, unless you bind a different real port template to the port.
If a parameter is set individually on this port and also is set in a port
template bound to this port, the individual setting on this port is used
instead of the setting in the template.
To configure a port template, see slb template port.

[no] template server-ssl template-name
The server-ssl option binds a server-side SSL template to the port. The
parameter settings in the template are applied to the port. This is useful
where the real servers load balanced by a VIP have different SSL settings.

[no] weight number
Specifies load-balancing preference for this port, 1-1000. Higher weights
give more favor to this server for this port relative to other servers.
Default is 1.
This option applies only to the service-weighted-least-connection
load-balancing method.

Default No ports are configured by default. The defaults for the command
options are described with the options, above. Statistical data collection
of load-balancing resources is enabled by default.

Mode Real server

Usage The no form of this command resets the port’s connection limit, health
monitoring, or weight to its default value. To collect statistical data for a
load-balancing resource, statistical data collection also must be enabled
globally. (See slb common.)
Include the range option for each real server that will be included in
the service group, but only if you want that real server to be
included in the mapping feature. The service group can be “mixed”.
That is, some real servers within a service group can have the range
option set, but it is not mandatory for all servers in a service group to
be configured for “VIP to real port mapping”.

Example The following commands configure server “terap” and add TCP port 69 to
the server. The health-check command is not entered, so by default the
ACOS device will check the service port’s health by sending a connection
request to 69 on terap every 30 seconds.
ACOS(config)# slb server terap 10.2.4.69
ACOS(config-real server)# port 69 tcp
ACOS(config-real server-node port)#

Example The following commands bind the server-SSL template directly to TCP
port 80 on the real server at IP 10.8.8.8:
ACOS(config)# slb server rs88 10.8.8.8
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# template server-ssl server-ssl1

Example The following example configures health monitor “hm1” to use the ICMP
transparent health method, and apply the monitor to a TCP port on real
server “realserver1”. The disable-with-health-check option is enabled
at the SLB server port configuration level.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method icmp transparent 1.0.0.1
ACOS(config-health:monitor)# exit
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check hm1
ACOS(config-real server-node port)# disable-with-health-check
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member realserver1 80
ACOS(config-slb svc group-member:80)#

slow-start
Description Enable slow-start for a server. Slow start allows time for a server to ramp
up after the server is enabled or comes online, by temporarily limiting the
number of new connections on the server.
It is recommended to configure this feature in the real server template or
real port template instead. See the “Behavior When Slow Start Is Also
Configured on the Real Server Itself” section in the “Server and Port
Templates” chapter of the Application Delivery Controller Guide.

Syntax [no] slow-start

Default Disabled

Mode Real server

Usage Slow-start allows a maximum of 128 new connections during the
first interval (anywhere between 0 and 10 seconds). During each
subsequent 10-second interval, the total number of concurrent
connections allowed to the server is doubled. Thus, during the first 20
seconds, the server is allowed to have a total of 256 concurrent
connections. After 59 seconds, slow-start ends the ramp-up and no
longer limits the number of concurrent connections.
After the ramp-up period ends, the number of new connections is
controlled by the conn-limit setting. (See clear slb virtual-server and
the description of conn-limit in port.)
Slow-start is also configurable in server and port templates. (See slb
template server and slb template port.)

Example The following command enables slow-start:
ACOS(config)# slb server rs123
ACOS(config-real server)# slow-start
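The interaction of conn-limit, conn-resume and slow-start on a real server (the conn-limit and conn-resume sections earlier in this chapter, and the slow-start usage just above), worked through as one added Python model. This is an illustration written for this chapter, not ACOS code, and ACOS's internal evaluation order is not documented here; the assumptions are that slow-start intervals are [0,10), [10,20) and so on with the ramp ending after second 59, and that a server resumes as soon as its connection count is at or below conn-resume (or below conn-limit when conn-resume is not set). The names slow_start_allowance and RealServerAdmission are ours.

```python
"""Model how a real server's eligibility for new connections follows from
conn-limit, conn-resume and slow-start as this chapter describes them.
Added illustration, not ACOS code. Assumptions: slow-start intervals are
[0,10), [10,20), ... with the ramp ending after second 59; a suspended
server resumes once its count is at or below conn-resume (or below the
limit when conn-resume is not set)."""
from typing import Optional

SLOW_START_INITIAL = 128   # connections allowed in the first interval
SLOW_START_INTERVAL = 10   # seconds per interval
SLOW_START_END = 59        # seconds; after this only conn-limit applies


def slow_start_allowance(seconds_since_up: int, conn_limit: int) -> int:
    """Concurrent connections permitted `seconds_since_up` after the server
    came up: 128 in the first interval, doubling each interval, never above
    conn-limit, and unrestricted by slow-start once the ramp has ended."""
    if seconds_since_up > SLOW_START_END:
        return conn_limit
    interval = seconds_since_up // SLOW_START_INTERVAL   # 0 for 0-9 s, 1 for 10-19 s, ...
    return min(SLOW_START_INITIAL << interval, conn_limit)


class RealServerAdmission:
    def __init__(self, conn_limit: int = 8_000_000,
                 conn_resume: Optional[int] = None, slow_start: bool = False):
        if not 1 <= conn_limit <= 8_000_000:
            raise ValueError("conn-limit must be 1-8000000")
        if conn_resume is not None and not 1 <= conn_resume <= 1_000_000:
            raise ValueError("conn-resume must be 1-1000000")
        self.conn_limit = conn_limit
        self.conn_resume = conn_resume
        self.slow_start = slow_start
        self.active = 0          # current concurrent connections
        self.suspended = False   # True while ACOS sends the server no new connections

    def effective_limit(self, now: int) -> int:
        """The cap in force at time `now`: the slow-start ramp, then conn-limit."""
        if self.slow_start:
            return slow_start_allowance(now, self.conn_limit)
        return self.conn_limit

    def _resume_threshold(self, now: int) -> int:
        if self.conn_resume is not None:
            return self.conn_resume              # explicit hysteresis point
        return self.effective_limit(now) - 1     # "falls below the limit"

    def open(self, now: int = SLOW_START_END + 1) -> bool:
        """Attempt to send one new connection at `now` (seconds since the
        server came up). Returns False when the server is not selectable."""
        limit = self.effective_limit(now)
        if self.suspended and self.active > self._resume_threshold(now):
            return False                 # still draining above the resume point
        self.suspended = False
        if self.active >= limit:
            self.suspended = True        # limit reached: stop sending new connections
            return False
        self.active += 1
        return True

    def close(self) -> None:
        """One connection to the server ended."""
        if self.active > 0:
            self.active -= 1
```

With conn-limit 3 and conn-resume 1, the fourth connection attempt is refused and the server stays out of rotation until its count drains to 1, whereas without conn-resume it is back as soon as the count drops to 2; with slow-start the cap is 128 during the first ten seconds and 256 in the next, exactly the numbers given in the usage text above.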

spoofing-cache
Description Enable support for a spoofing cache server. A spoofing cache server
uses the client’s IP address instead of its own as the source address
when obtaining content requested by the client.

Syntax [no] spoofing-cache

Default Disabled

Mode Real server

Usage This command applies to the Transparent Cache Switching (TCS)
feature. For more information about TCS, including additional configuration
requirements and examples, see the “Transparent Cache Switching”
chapter in the Application Delivery Controller Guide.

Example The following commands configure a real server for a spoofing cache
server:
ACOS(config)# slb server cache-rs 110.110.110.10
ACOS(config-real server)# spoofing-cache
ACOS(config-real server)# port 80 tcp

support-http2
Description Start the HTTP/2 connection with prior knowledge and send HTTP/2
frames directly.

Syntax [no] support-http2

Default Not enabled.

Mode Real server

Usage If the backend server supports HTTP/2, then configure this command in
the real server.
If this is not configured, then ACOS will make an HTTP/2 connection by
making an HTTP/1.1 request that includes an Upgrade header field with
the 'h2c' token.

Example The following commands enable HTTP/2 support on a real server port.
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# support-http2

stats-data-disable
Description Disable collection of statistical data for the server.

Syntax stats-data-disable

Default Statistical data collection for load-balancing resources is enabled by
default.

Mode Real server

stats-data-enable
Description Enable collection of statistical data for the server.

Syntax stats-data-enable

Default Statistical data collection for load-balancing resources is enabled by
default.

Mode Real server

Usage To collect statistical data for a load-balancing resource, statistical data
collection also must be enabled globally. (See slb common.)

template server
Description Bind a real server template to the server.

Syntax [no] template server template-name

Default The real server template named “default” is bound to servers by default.
The parameter settings in the default real server template are
automatically applied to the new server, unless you bind a different real
server template to the server.

Mode Real server

Usage If a parameter is set individually on this server and also is set in a server
template bound to this server, the individual setting on this server is used
instead of the setting in the template.
To configure a real server template, see slb template server.

Example The following commands configure a real server template called
“rs-tmplt1” and bind the template to two real servers:
ACOS(config)# slb template server rs-tmplt1
ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
ACOS(config-rserver)# exit
ACOS(config)# slb server rs1 10.1.1.99
ACOS(config-real server)# template server rs-tmplt1
ACOS(config-real server)# exit
ACOS(config)# slb server rs2 10.1.1.100
ACOS(config-real server)# template server rs-tmplt1

weight
Description Assign an administrative weight to the server, for weighted load
balancing.

Syntax [no] weight num

Replace num with the administrative weight assigned to the server. You
can specify 1-1000.

Default 1

Mode Real server

Usage This parameter applies only to the weighted-least-connection,
weighted-rr (weighted round robin), and round-robin-strict
load-balancing methods.

Example The following commands assign a weight of 20 to a server:
ACOS(config)# slb server 10.10.10.5
ACOS(config-real server)# weight 20

Chapter 22: Config Commands: SLB Service Groups
This section lists the commands and sub-commands to configure SLB service groups.

To access this configuration level, enter the slb service-group command at the Global
configuration level.
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)#

To display configured service groups, use the slb service-group ? command.

The following topics are covered:

backup-server-event-log 518

extended-stats 519

health-check 520

health-check-disable 521

member 521

method 525

min-active-member 537

priority 539

priority-affinity 541

reset auto-switch 541

reset-on-server-selection-fail 542

sample-rsp-time 542

stats-data-disable 543

stats-data-enable 543

strict-select 543

template 544

traffic-replication-type 544

backup-server-event-log
Description Enable log messages to indicate when a backup service-group member
is placed into service or is removed from service.

Syntax [no] backup-server-event-log

Default Disabled

Mode Service group

Usage A backup member is a member that has a lower priority than primary
(highest priority) members of the same service group. The ACOS device
will not use a lower-priority member (backup server) unless high priority
members (primary servers) exceed their connection limits or connection-
rate limits, or are down.
The backup-server-event-log command generates a log message
when a backup service-group member is placed into service for either of
these reasons:
• The connection limit on the primary servers or member ports is
exceeded.
• The primary servers or member ports go down.
Likewise, the command generates a log message when a backup
service-group member is removed from service, and a primary server is
returned to service for either of the following reasons:
• The primary server or member port’s connection-resume limit is
reached.
• The primary server or member port comes back up.
Generation of log messages for these events is rate-limited to once per
minute. The events described in a message occur at some point within
the 60 seconds prior to the log message’s timestamp.
By default, the backup servers are placed into service only when both
primary servers exceed their connection limits or go down. You can use
the min-active-member command to allow secondary servers to be
placed into service even when some primary servers are still available.
(See min-active-member.)

SNMP Trap Requirements

To also generate SNMP notifications, the following SLB traps must be


enabled:

518
Chapter 22: Config Commands: SLB Service Groups
Feedback ACOS 5.2.1-P3 Command Line Reference for ADC

• slb server-conn-limit
• slb server-conn-resume
• slb service-conn-limit
• slb service-conn-resume

Log Message Examples

A message such as the following is generated when a backup member is


placed into service:
Enabled new connections on server rs-backup1 port 80 in sg1
group

In this example, member rs-backup1 in service group sg1 is placed into


service.
When the backup member is removed from service, a message such as one of the following is generated:
Disabled new connections on backup server(s) on group sg1, resume primary server rs1 port 80

Disabled new connections on backup server(s), resume primary server rs1 port 80

In the first message, the service group name is included. The service
group name is not included in the second message.
• If the primary server is a member of only one service group, or the service group can otherwise be determined, the first message is used.
• If the primary server is a member of more than one service group, and the service group cannot be determined, the second message is used.
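The following Python parser is an added example, not part of the ACOS reference or the product. It recognizes the three message forms shown above, including the "Disabled" variant that carries no service-group name, and tracks which groups still have backup members in service, which is the condition an operations team usually wants to alert on. The syslog-style prefixes on the sample lines are constructed; only the message bodies come from this section.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message bodies as documented in this section. The service-group name is
# optional in the "Disabled" form: ACOS omits it when the primary server is a
# member of several service groups and the group cannot be determined.
ENABLED_RE = re.compile(
    r"Enabled new connections on server (?P<server>\S+) port (?P<port>\d+) "
    r"in (?P<group>\S+) group"
)
DISABLED_RE = re.compile(
    r"Disabled new connections on backup server\(s\)"
    r"(?: on group (?P<group>\S+))?, "
    r"resume primary server (?P<server>\S+) port (?P<port>\d+)"
)


@dataclass
class BackupEvent:
    action: str           # "backup_in_service" or "backup_out_of_service"
    server: str           # backup member placed in service, or primary member resumed
    port: int
    group: Optional[str]  # None when the message carries no service-group name


def parse_backup_event(line: str) -> Optional[BackupEvent]:
    """Return the event described by one log line, or None for unrelated lines."""
    m = ENABLED_RE.search(line)
    if m:
        return BackupEvent("backup_in_service", m["server"], int(m["port"]), m["group"])
    m = DISABLED_RE.search(line)
    if m:
        return BackupEvent("backup_out_of_service", m["server"], int(m["port"]), m["group"])
    return None


def groups_on_backup(lines: List[str]) -> set:
    """Walk a log in order and return the service groups whose backup members are
    still in service at the end. Messages without a group name cannot be attributed
    to a group and are skipped, so the result is a lower bound."""
    active = set()
    for line in lines:
        ev = parse_backup_event(line)
        if ev is None or ev.group is None:
            continue
        if ev.action == "backup_in_service":
            active.add(ev.group)
        else:
            active.discard(ev.group)
    return active


# Constructed sample log: the syslog prefixes are invented, the message bodies are
# the forms documented above.
SAMPLE_LOG = [
    "Jan  5 10:00:00 ACOS slb: Enabled new connections on server rs-backup1 port 80 in sg1 group",
    "Jan  5 10:00:00 ACOS slb: Enabled new connections on server rs-backup2 port 443 in sg2 group",
    "Jan  5 10:01:00 ACOS slb: Disabled new connections on backup server(s) on group sg1, "
    "resume primary server rs1 port 80",
    "Jan  5 10:01:00 ACOS slb: Disabled new connections on backup server(s), "
    "resume primary server rs7 port 443",
    "Jan  5 10:01:05 ACOS system: unrelated line",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(parse_backup_event(entry))
    print("groups still on backup:", groups_on_backup(SAMPLE_LOG))
```

Because these messages are rate-limited to one per minute, the transition reported by a line happened at some point in the 60 seconds before its timestamp; an alerting rule should treat the timestamp as an upper bound, not the moment of failover.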

extended-stats
Description Enable collection of peak connection statistics for a service group.

Syntax [no] extended-stats

Default Disabled

Mode Service group


health-check
Description Use a health monitor to check the health of all members of the service
group.

Syntax [no] health-check monitor-name

Replace monitor-name with the health monitor to use.

Default None

Mode Service group

Usage The health monitor is used to test the health of all members of the service
group, including any members that are added in the future.
Service group health status applies only within the service group
context. Health checks of a port from different service groups can result
in different health status, depending on the resource requested by the
health check.
Health checks can be applied to the same resource (real server or port) at
the following levels:
• In a service group that contains the server and port as a member
• In a server or server port configuration template bound to the server
or port
• Directly on the individual server or port
In cases where health checks are applied at multiple levels, they have the
following priority:
1. Health check on real server
2. Health check on real server’s port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real
server, real server port, and service group members are marked Down.
However, if a health check on the service group level (3) fails, only that
service group member in that service group is marked Down.

Example These commands configure a health monitor and apply it to a service group:
ACOS(config)# health monitor qrs
ACOS(config-health:monitor)# method http url GET /media-qrs/index.html
ACOS(config-health:monitor)# exit
ACOS(config)# slb service-group qrs tcp

520
Chapter 22: Config Commands: SLB Service Groups
Feedback ACOS 5.2.1-P3 Command Line Reference for ADC

ACOS(config-slb svc group)# member media-rs 80


ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# health-check qrs

health-check-disable
Description Disable health monitoring of the service group.

Syntax [no] health-check-disable

Default Health checking is enabled by default.

member
Description Add a server to a service group.

Syntax [no] member server-name portnum

Parameter Description

server-name Name of the real server you want to add to the service group. This server must already exist on the system.

portnum Protocol port number on the server.

This command drops you into a sub-configuration mode, where the following additional commands are available:

Parameter Description

enable Enable the server and port for this service-group only.

disable Disable the server and port for this service-group only.

disable-with-health-check Disable the member server, but maintain the server’s health check status.
This feature is introduced in ACOS 2.7.2-P2 and later, and ACOS 4.0.1, to allow you to disable a service-group member from normal server selection, but still maintain the health of the server.
This feature is ideal if you periodically need to take active servers out of service pools for maintenance, but this maintenance is done through a remote client. The feature allows you to access these servers using the same front-end VIP in the presence of a persistent cookie template or LB::reselect aFleX command.

priority num Sets the preference for this server and port, 1-16. The highest priority is 16.

sampling-enable param Enable baselining. The following parameters are available:
• all - All connections.
• curr_conn - Current connections.
• total_fwd_bytes - Total forward bytes.
• total_fwd_pkts - Total forward packets.
• total_rev_bytes - Total reverse bytes.
• total_rev_pkts - Total reverse packets.
• total_conn - Total connections.
• total_rev_pkts_inspected - Total reverse packets inspected.
• total_rev_pkts_inspected_status_code_2xx - Total reverse packets inspected (status code 2xx).
• total_rev_pkts_inspected_status_code_non_5xx - Total reverse packets inspected (status code non 5xx).
• curr_req - Current requests.
• total_req - Total requests.
• total_req_succ - Total requests successful.
• peak_conn - Peak connections.
• response_time - Response time.
• fastest_rsp_time - Fastest response time.
• slowest_rsp_time - Slowest response time.

stats-data-disable Disable statistical data collection for the service-group member.

template template-name Binds a real port template to this member port.
NOTE: The port template option slow-start is not supported if the port template is applied using this command.

Default There are no servers in a service group by default. When you add a server
and port to the service group, the default state is enabled and the default
priority is 1. Statistical data collection of load-balancing resources is
enabled by default.
To configure a real port template, see slb template port.

Mode Service group

Usage The normal form of this command adds a configured server to the service
group. The “no” form of this command removes the server from the
group.
If you disable or re-enable a port, the state change applies only to this
service group. The state of the port is unchanged in other service groups.
To collect statistical data for a load-balancing resource, statistical data
collection also must be enabled globally. (See slb common.)

Example The following commands add servers “s1” and “s2” to service group
“sgroup1”:
ACOS(config)# slb service-group sgroup1
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# exit


Example The following command adds a member server and port to a service
group and binds a real port template to the port:
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member rs1 80
ACOS(config-slb svc group-member:80)# template rptemplate1

Example The following example configures health monitor “hm1” to use the ICMP transparent health method and applies the monitor to a TCP port on real server “realserver1”. Then, the disable-with-health-check option is enabled at the service group member configuration level.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method icmp transparent 1.0.0.1
ACOS(config-health:monitor)# exit
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check hm1
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member realserver1 80
ACOS(config-slb svc group-member:80)# disable-with-health-check

method
Description The method command is a service-group configuration mode command
that specifies the load balance method used to determine which server
receives an inbound data flow (session). After a server is selected for a
session, that server receives packets from the session until the timeout
expiry, defined as the period of time the load balancer does not receive at
least one packet of the session.
The default timeout period is 180 seconds.
A session is defined by its five-tuple: source IP address, source port,
destination IP address, destination port, and protocol. Each selection
option utilizes at least one of the following four data points:
• session packet contents (typically destination IP address and port)
• load balancer configuration parameters (typically weight settings)
• health monitor packets received from member servers
• metrics managed by load balancers (such as number of connections
sent to each server)


Syntax [no] method lb-method
  [auto-switch stateless-lb-method
    {conn-rate rate duration [revert-rate revert-duration] [grace-period seconds] [log] |
     l4-session-usage percent duration [revert-rate revert-duration] [grace-period seconds] [log]}]


Parameter Description

lb-method Load-balancing method:
• dest-ip-hash – Calculates a hash value based on the destination IP address and protocol port of the client’s request.
• dest-ip-only-hash – Calculates a hash value based on only the destination IP address of the client’s request.
• fastest-response – Selects the server with the fastest first data packet response time (after three-way handshake) from end-user traffic requests. The fastest-response method is not applicable in Direct Server Return (DSR) deployments.
• least-connection [pseudo-round-robin] – Selects the server that currently has the fewest connections.
For this and the other least-connection methods, if there is a tie, the default behavior is to select the port (among those tied) that has the lowest number of request bytes plus response bytes. If there is still a tie, a port is randomly selected from among the ones that are still tied.
To override this tie-breaker behavior, use the pseudo-round-robin option. This option selects the server that has not been selected for the longest time.
• link-cost-load-balance – In this method, link usage is prioritized based on the cost of the bandwidth for the connection. If the link utilization exceeds the pre-configured bandwidth, then the excess traffic is sent to the link operating at the lowest overage cost. Additionally, in case of link failure, traffic is sent to the next available link.
Note:
- Each link can only be referenced by one tcp service-group and one udp service-group.
- When a node is bound to a link-cost service-group, it becomes a link cost node. It is not allowed to bind to another method type.
- A maximum of 16 nodes are allowed per service group.
• odd-even-hash – Hash value is the even-odd result of the sum of the source IP address octets.
• service-least-connection [pseudo-round-robin] – Selects the server port that currently has the fewest connections.
• weighted-least-connection [pseudo-round-robin] – Selects a server based on a combination of the server’s administratively assigned weight and the number of connections on the server. (To assign a weight to a server, see weight.)

• service-weighted-least-connection [pseudo-round-robin] – Same as weighted-least-connection, but per service. (To assign a weight to a service, see port. Use the weight option.)
• src-ip-hash – Calculates a hash value based on the source IP address and protocol port of the client’s request.

• src-ip-only-hash – Calculates a hash value based on only the source IP address of the client’s request.
• least-request – Selects the real server port for which the ACOS device is currently processing the fewest HTTP requests. This method is applicable to HTTP load balancing.
• weighted-rr – Selects servers in rotation, based on the servers’ administratively assigned weights.
To use this method, you also need to assign weights to the servers. (See weight.) If the weight value is the same on each server, this load-balancing method simply selects the servers in rotation.
The weighted-rr method uses only the server weight. Server port weight is not used. (Instead, server port weight is used by the service-weighted-least-connection method.)
• service-weighted-rr – Provides weighted round robin at the server port level.
• round-robin – Selects servers in simple rotation.
• round-robin-strict – Provides a more exact round-robin method. The standard, default round robin method is optimized for high performance. Over time, this optimization can result in a slight imbalance in server selection.

Server selection is still basically round robin, but over time some servers may be selected slightly more often than others. An optional weight can also be assigned. (See weight.)

The following methods apply only to stateless SLB. See the “Usage” section for more information.
• stateless-src-ip-hash – Balances server load based on a hash value calculated using the source IP address and source TCP or UDP port.
• stateless-src-dst-ip-hash – Balances server load based on a hash value calculated using both the source and destination IP addresses, and the source and destination TCP or UDP ports.
• stateless-src-dst-ip-only-hash – Balances server load based on a hash value calculated using only the source and destination IP addresses.
• stateless-dst-ip-hash – Balances server load based on a hash value calculated using the destination IP address and destination TCP or UDP port.
• stateless-per-pkt-round-robin – Balances server load by sending each packet to a different server, in rotation. This method is applicable only for UDP DNS traffic.
• stateless-src-ip-only-hash – Calculates a hash value based only on the source IP address of the request, and selects a server based on the hash value. Subsequently, all requests from the same client address are sent to the same server.
• stateless-per-pkt-weighted-rr – Balances server load based on the weight of each server, in rotation. This method is applicable only for traffic that uses a single packet for a request, at the server level.
• stateless-per-pkt-service-weighted-rr – Balances server load based on the weight of each service port, in rotation. This method is applicable only for traffic that uses a single packet for a request, at the service port level.


auto-switch [options] You can configure the following options for this feature.
The stateless-lb-method option specifies the stateless load-balancing method to use if the traffic reaches the configured threshold, and can be one of the following:
• stateless-dst-ip-hash
• stateless-per-pkt-round-robin
• stateless-src-dst-ip-hash
• stateless-src-dst-ip-only-hash
• stateless-src-ip-hash
• stateless-src-ip-only-hash
• stateless-per-pkt-weighted-rr
• stateless-per-pkt-service-weighted-rr
You can specify either of the following sets of thresholds:
• conn-rate rate duration – Rate of new connection requests per second at which the load balancing method is changed. The rate applies collectively to all servers in the service group. The threshold can be 1-1000000 connection requests per second.
• l4-session-usage percent duration – Percentage of the system-wide Layer 4 session capacity that is currently in use. The threshold can be 1-100 percent.
For each set of thresholds, you can specify the following options:

• revert-rate – (Optional) Rate to revert to the stateful method. You can specify 1-1000000 connections per second.
Note: If no revert rate is specified, load balancing will remain stateless. For a switch to stateful to occur, a revert rate must be specified.
• revert-duration – (Optional) Number of seconds during which the specified revert trigger must continue to occur before the service group changes to stateful load balancing again. You can specify 1-600 seconds.
• grace-period seconds – (Optional) Number of seconds the ACOS device continues to use the current load balancing method for active sessions, before changing to the other load balancing method. You can specify 1-600 seconds.
NOTE: The grace period applies only to sessions that are active when the load balancing change is triggered. The change applies immediately to new sessions that begin after the change is triggered.
• log – Logs changes between stateful and stateless load balancing that occur due to this feature. This is disabled by default.

Default The default method is round-robin.

Mode Service group

Usage The fastest-response method takes effect only if the traffic rate on
the servers is at least 5 connections per second (per server). If the
traffic rate is lower, the first server in the service group usually is
selected.


To set a server’s weight, see weight.
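The following Python model is an added example, not ACOS code or a description of its internals. It shows the three families of selection logic described in the parameter table: the hash methods (which differ only in which fields of the five-tuple are hashed), least-connection with the documented tie-breakers (fewest connections, then fewest request plus response bytes, then random, or least-recently-selected with pseudo-round-robin), and weighted round robin. CRC-32 stands in for the ACOS hash, and the smooth weighted-rotation scheduler is one way to realize "each server chosen weight times per cycle"; the reference specifies neither, so both are assumptions of this example.

```python
import random
import zlib
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 1
    curr_conn: int = 0
    req_bytes: int = 0
    rsp_bytes: int = 0
    last_selected: int = -1  # tick of the last selection; -1 means never selected


def hash_select(members, *flow_fields):
    """Hash-family methods. Which fields are hashed is the only difference:
    dest-ip-hash -> (dst_ip, dst_port), dest-ip-only-hash -> (dst_ip,),
    src-ip-hash -> (src_ip, src_port), src-ip-only-hash -> (src_ip,).
    CRC-32 is an assumption standing in for the unspecified ACOS hash."""
    key = "|".join(str(f) for f in flow_fields).encode()
    return members[zlib.crc32(key) % len(members)]


def least_connection(members, tick, pseudo_round_robin=False, rng=random):
    """least-connection with the documented tie-breakers: fewest connections,
    then fewest request+response bytes, then a random pick among the rest.
    With pseudo-round-robin the tied member selected least recently wins."""
    fewest = min(m.curr_conn for m in members)
    tied = [m for m in members if m.curr_conn == fewest]
    if len(tied) > 1:
        if pseudo_round_robin:
            tied = [min(tied, key=lambda m: m.last_selected)]
        else:
            fewest_bytes = min(m.req_bytes + m.rsp_bytes for m in tied)
            tied = [m for m in tied if m.req_bytes + m.rsp_bytes == fewest_bytes]
    chosen = rng.choice(tied)  # a single survivor makes this deterministic
    chosen.last_selected = tick
    return chosen


class WeightedRoundRobin:
    """weighted-rr: over sum(weights) consecutive selections each member is
    chosen exactly weight times; equal weights degenerate to plain round-robin.
    Smooth weighted round-robin is used here as an assumed scheduling rule."""

    def __init__(self, members):
        self.members = members
        self.current = {m.name: 0 for m in members}
        self.total = sum(m.weight for m in members)

    def next(self):
        for m in self.members:
            self.current[m.name] += m.weight
        chosen = max(self.members, key=lambda m: self.current[m.name])
        self.current[chosen.name] -= self.total
        return chosen


def rotation(members, n):
    """Names produced by n consecutive weighted-rr selections."""
    wrr = WeightedRoundRobin(members)
    return [wrr.next().name for _ in range(n)]


if __name__ == "__main__":
    pool = [Member("s1", weight=3), Member("s2", weight=1)]  # constructed pool
    print(rotation(pool, 8))
    print(hash_select(pool, "10.1.1.10", 80).name)   # dest-ip-hash style key
    print(hash_select(pool, "10.1.1.10").name)       # dest-ip-only-hash style key
```

Two properties worth checking against a real deployment follow directly from the model: a hash method keeps a flow on the same member only as long as the member list (and therefore the modulus) is unchanged, and weighted-rr ignores port weights entirely, exactly as the weighted-rr entry above states.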

Stateless SLB
Stateless SLB conserves system resources by operating without session
table entries on the ACOS device. The stateless SLB methods are valid for
the following types of traffic:
• Traffic with very short-lived sessions, such as DNS
• Layer 2 Direct Server Return (DSR) traffic
• Other types of traffic that do not require features that use session-
table entries. (See list of limitations below.)
You can enable stateless SLB on an individual service-group basis, by
selecting a stateless SLB load-balancing method for the group.

Limitations
Stateless SLB is not valid for the following features or traffic types:
• Rate limiting
• ACLs
• IP source NAT
• Session synchronization
• Application Layer Gateway (ALG)
• Layer 3 DSR
• SLB-PT
• aFleX
• FWLB ALG
A given real server can be used in only one stateless SLB service group. A
real server that is in a stateless SLB service group cannot be used in any
other stateless service groups.
If the virtual port is on a wildcard VIP, destination NAT must be disabled
on the virtual port. To disable destination NAT, see no-dest-nat.
Graceful transitions between stateful and stateless SLB in a service
group are not supported.
Mega-proxies may interfere with equal balancing of traffic load among
the multiple data CPUs. In this case, for DNS traffic only, try using the
stateless-per-pkt-round-robin method.

NOTE: The stateless-per-pkt-round-robin method is applicable only for traffic that uses a single packet for a request. Examples include DNS queries or RADIUS requests without a Challenge-request/Response message used for EAP.


Example The following commands configure stateless server load balancing with the weighted round-robin methods. These methods are similar to the stateless-per-pkt-round-robin method and are applicable only for traffic that uses a single packet for a request, at the server level and at the service port level respectively.

ACOS(config)# slb service-group sg-lvl udp
ACOS(config-slb svc group)# method stateless-per-pkt-weighted-rr
ACOS(config-slb svc group)# method stateless-per-pkt-service-weighted-rr

Example The following example sets the load-balancing method for a service
group to least-connection:
ACOS(config)# slb service-group sg-lc1 tcp
ACOS(config-slb svc group)# method least-connection

Example The following commands configure a stateless SLB service group for
UDP traffic:
ACOS(config)# slb service-group dns-stateless udp
ACOS(config-slb svc group)# member dns1 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# member dns2 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# method stateless-src-dst-ip-hash

Example The following commands configure a service group that uses the stateless-per-pkt-round-robin stateless load-balancing method. This method is used if the rate of new connection requests to the virtual port bound to the service group reaches 80,000 connections per second, and remains at least this high for 300 seconds.
ACOS(config)# slb service-group auto-stateless tcp
ACOS(config-slb svc group)# method weighted-rr auto-switch stateless-per-pkt-round-robin conn-rate 80000 300 60000 300 grace-period 15 log

To return to using the stateful load-balancing method (weighted round-robin in this example), the rate of new connection requests to the virtual port must drop to 60,000 per second, and remain that low for at least 300 seconds. Once this occurs, the ACOS device waits an additional 15 seconds (the grace period) before returning to use of stateful load balancing. Logging is enabled.
Similar commands configure a service group for any of the other stateless load-balancing methods.
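The state machine behind the auto-switch example above, as an added Python model that is not ACOS code: it consumes one service-group-wide new-connection rate per second, switches to the stateless method once the rate has stayed at or above the trigger for the full duration, reverts only if a revert rate is configured and the rate has stayed at or below it for the revert duration, and honours the grace period as the parameter table describes it (sessions active at the switch keep the old method; new sessions change at once). The per-second traffic series and the log-line format are constructed; with l4-session-usage the same logic would run on a percentage instead of a rate.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AutoSwitch:
    """Model of: method <stateful> auto-switch <stateless> conn-rate rate duration
    [revert-rate revert-duration] [grace-period seconds] [log]."""
    stateful_method: str
    stateless_method: str
    rate: int                          # trigger threshold (new connections/s, whole group)
    duration: int                      # seconds at or above the trigger before switching
    revert_rate: Optional[int] = None  # None: stay stateless until `reset auto-switch`
    revert_duration: Optional[int] = None
    grace_period: int = 0              # seconds active sessions keep the previous method
    log: bool = False
    mode: str = field(init=False, default="stateful")
    above: int = field(init=False, default=0)   # consecutive seconds at/above rate
    below: int = field(init=False, default=0)   # consecutive seconds at/below revert_rate
    grace_until: Optional[int] = field(init=False, default=None)
    transitions: List[Tuple] = field(init=False, default_factory=list)
    log_lines: List[str] = field(init=False, default_factory=list)

    def observe(self, t: int, new_conn_rate: int) -> str:
        """Account for one second of traffic; return the mode used for new sessions."""
        if self.mode == "stateful":
            self.above = self.above + 1 if new_conn_rate >= self.rate else 0
            if self.above >= self.duration:
                self._switch(t, "stateless")
        elif self.revert_rate is not None and self.revert_duration is not None:
            self.below = self.below + 1 if new_conn_rate <= self.revert_rate else 0
            if self.below >= self.revert_duration:
                self._switch(t, "stateful")
        return self.mode

    def reset(self, t: int) -> None:
        """Operational `reset auto-switch`: force the configured stateful method."""
        if self.mode == "stateless":
            self._switch(t, "stateful")

    def method_for_session(self, t: int, started_before_switch: bool) -> str:
        """New sessions use the current method immediately; sessions that were active
        at the last switch keep the previous method until the grace period ends."""
        if started_before_switch and self.grace_until is not None and t < self.grace_until:
            return self._method("stateless" if self.mode == "stateful" else "stateful")
        return self._method(self.mode)

    def _method(self, mode: str) -> str:
        return self.stateful_method if mode == "stateful" else self.stateless_method

    def _switch(self, t: int, new_mode: str) -> None:
        old = self.mode
        self.mode = new_mode
        self.above = self.below = 0
        self.grace_until = t + self.grace_period if self.grace_period else None
        self.transitions.append((t, old, new_mode, self.grace_until))
        if self.log:  # constructed message format, not the ACOS log text
            self.log_lines.append(
                f"t={t}s: load balancing changed from {self._method(old)} "
                f"to {self._method(new_mode)}")


def run(cfg: AutoSwitch, rates: List[int]) -> List[Tuple]:
    """Drive the model with a per-second rate series and return its transitions."""
    for t, r in enumerate(rates):
        cfg.observe(t, r)
    return cfg.transitions


# Constructed traffic: 400 s at 90,000 new connections/s, then 400 s at 50,000/s,
# against the thresholds of the example above (80000 300 60000 300, grace 15).
SAMPLE_RATES = [90_000] * 400 + [50_000] * 400

if __name__ == "__main__":
    cfg = AutoSwitch("weighted-rr", "stateless-per-pkt-round-robin",
                     rate=80_000, duration=300, revert_rate=60_000,
                     revert_duration=300, grace_period=15, log=True)
    for transition in run(cfg, SAMPLE_RATES):
        print(transition)
    print("\n".join(cfg.log_lines))
```

The model makes the note about revert-rate concrete: a configuration that omits it never produces a second transition, so the only way back to stateful balancing is the operational `reset auto-switch` command described later in this chapter.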


Example In the following configuration, if Layer 4 session usage reaches 2 percent and stays at least this high for 5 seconds, both service-group members begin using the stateless-dst-ip-hash method. The ACOS device reverts back to stateful load balancing when 1 percent or less is reached for 5 seconds.
ACOS(config)# slb service-group sg-auto1 tcp
ACOS(config-slb svc group)# method dst-ip-hash auto-switch
stateless-dst-ip-hash l4-session-usage 2 5 1 5
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# member s2 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb service-group sg-auto tcp
ACOS(config-slb svc group)# method dst-ip-hash auto-switch
stateless-dst-ip-hash l4-session-usage 2 5 1 5
ACOS(config-slb svc group)# member s3 80
ACOS(config-slb svc group-member:80)# member s4 80

min-active-member
Description Use backup servers even if some primary servers are still up.

Syntax [no] min-active-member num [dynamic-priority] [skip-pri-set]

Parameter Description

num Minimum number of primary servers that can still be active (available), before the backup servers are used. You can specify 1-63. There is no default.

dynamic-priority Dynamically adds lower-priority servers to the active list to meet the min-active-member requirement.

skip-pri-set Specifies whether the remaining primary servers continue to be used. If you use this option, the ACOS device uses only the backup servers and stops using any of the primary servers.


Default By default, the servers with the highest priority value are the primary serv-
ers. All other servers are backups only, and are used only if all the primary
servers are unavailable.
When you use this command, the skip-pri-set option is disabled by
default.

Mode Service group

Usage Primary and backup servers are designated based on member priority
(set with the member command). For example, if a service group contains
real servers with the following priority settings, real servers s1, s2, and s3
are the primary servers. Real servers s4 and s5 are backup servers.
• s1 – priority 16
• s2 – priority 16
• s3 – priority 16
• s4 – priority 8
• s5 – priority 8
When the minimum number of active members (primary servers) comes
back up, the ACOS device immediately returns to using only the primary
servers.

Example The following commands add members with different priorities to a ser-
vice group, and configure promiscuous VIP to begin using backup serv-
ers if any of the primary servers becomes unavailable:
ACOS(config)# slb service-group sg-prom tcp
ACOS(config-slb svc group)# method least-connection
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s3 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s4 80
ACOS(config-slb svc group-member:80)# priority 8
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s5 80
ACOS(config-slb svc group-member:80)# priority 8
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb service group)# min-active-member 1


priority
Description Configure the ACOS device to respond to the failure of service-group
members of a certain priority by taking a designated action, such as drop-
ping the request or sending a TCP reset back to the client.

Syntax priority num [drop | drop-if-exceed-limit | proceed | reset | reset-if-exceed-limit]

Parameter Description

num Priority of the port, ranging from 1-16. Higher-priority nodes are preferred over nodes with lower numbers. There is no default.

drop Drops the request if all nodes with this same priority fail for any reason.

drop-if-exceed-limit Drops the request if all nodes with this same priority fail, and if one or more nodes exceed the configured connection limit or connection-rate limit.

proceed The ACOS device uses the node(s) with the next-highest priority if all nodes with the currently-selected priority fail (this is the default behavior).

reset Sends a reset to the client if all nodes with this same priority fail for any reason.

reset-if-exceed-limit Sends a reset to the client if all nodes with this same priority fail and if the failure is due to one or more nodes exceeding the configured connection-limit or connection-rate-limit.


Default By default, the ACOS device will use the node(s) with the next-highest
priority if all nodes with the currently-selected priority fail.

Mode Service group

Usage Use this feature to define specific actions that should occur when
higher-priority service-group members fail. By default, the ACOS device
uses the highest priority service-group members until they are no longer
available. When the higher-priority nodes fail, the device fails over to the
nodes with the next-highest priority.
This priority option enables you to tie actions (drop, reset, and others) to a
general failure, such as service group members becoming disabled or
failing a health check. Alternatively, actions can be tied to connection-
limits or connection-rate-limits being exceeded.
Configuring the "priority option" feature allows you to prevent lower-
priority servers, which are presumably less robust than higher-priority
servers, from being overwhelmed by a flood of traffic when a failover
occurs.

NOTE: The actions are mutually exclusive. Only one action can be con-
figured for each priority level.

The reset or drop actions can be triggered for the following reasons:
• If a health check fails
• If a user disables a server or port
• If another Load Balancing feature causes the currently-used priority
to become unavailable (for example, min-active-member feature)
• If a connection-limit or connection-rate-limit is exceeded
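The selection walk that the priority actions describe, as an added Python model (not ACOS code): levels are tried from the highest priority down; a level with any available node is used; a fully failed level consults its configured action, where proceed (the default) and an *-if-exceed-limit action whose limit condition is not met fall through to the next level, while drop, reset, or a met *-if-exceed-limit condition ends the walk. When every level is exhausted the model reports a selection failure, or a reset if reset-on-server-selection-fail (described later in this chapter) is assumed enabled. The node states and the sg1 layout mirror the example that follows; the state names themselves are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Reasons a member can be unavailable, following the list above. Only the two
# limit states count for the *-if-exceed-limit actions. (Constructed names.)
LIMIT_REASONS = {"conn-limit-exceeded", "conn-rate-limit-exceeded"}


@dataclass
class Node:
    name: str
    priority: int       # 1-16, highest preferred
    state: str = "up"   # "up", "health-check-failed", "disabled", or a LIMIT_REASONS entry


def resolve_selection(nodes: List[Node], actions: Dict[int, str],
                      reset_on_server_selection_fail: bool = False) -> Tuple[str, List[str]]:
    """Walk priority levels from highest to lowest. Returns ("select", names) for
    the first level with available nodes, otherwise the action taken for a level
    that has failed as a whole: "drop", "reset", or, when every level is exhausted,
    "selection-failed" ("reset" if reset-on-server-selection-fail is enabled)."""
    for prio in sorted({n.priority for n in nodes}, reverse=True):
        level = [n for n in nodes if n.priority == prio]
        available = [n.name for n in level if n.state == "up"]
        if available:
            return "select", available
        action = actions.get(prio, "proceed")  # proceed is the documented default
        limit_involved = any(n.state in LIMIT_REASONS for n in level)
        if action == "drop" or (action == "drop-if-exceed-limit" and limit_involved):
            return "drop", []
        if action == "reset" or (action == "reset-if-exceed-limit" and limit_involved):
            return "reset", []
        # "proceed", or an *-if-exceed-limit action whose condition was not met:
        # fall through to the next-highest priority level.
    return ("reset" if reset_on_server_selection_fail else "selection-failed"), []


# Layout of the sg1 example below: s1-s3 at priority 10 with reset-if-exceed-limit,
# s4 at priority 5 with drop.
SG1_ACTIONS = {10: "reset-if-exceed-limit", 5: "drop"}


def sg1(states: Dict[str, str]) -> List[Node]:
    """Build the sg1 members with the given (constructed) per-node states."""
    prio = {"s1": 10, "s2": 10, "s3": 10, "s4": 5}
    return [Node(n, p, states.get(n, "up")) for n, p in prio.items()]


if __name__ == "__main__":
    print(resolve_selection(sg1({}), SG1_ACTIONS))
    print(resolve_selection(sg1({"s1": "health-check-failed", "s2": "health-check-failed",
                                 "s3": "health-check-failed"}), SG1_ACTIONS))
    print(resolve_selection(sg1({"s1": "health-check-failed", "s2": "disabled",
                                 "s3": "conn-limit-exceeded"}), SG1_ACTIONS))
```

The second and third calls show the distinction the *-if-exceed-limit actions exist for: three priority-10 members lost to health checks let traffic proceed to s4, whereas the same level lost partly to a connection limit resets the client instead of pushing the overflow onto the weaker priority-5 server.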

Example The following commands create the TCP service group “sg1” with several
servers with a priority of 10, and one server with a priority of 5. The com-
mands also assign the reset-if-exceed-limit action for members with
priority 10, and assign the drop action for members with priority 5.
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# priority 10 reset-if-exceed-limit
ACOS(config-slb svc group)# priority 5 drop
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# priority 10
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# priority 10
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s3 80

ACOS(config-slb svc group-member:80)# priority 10
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s4 80
ACOS(config-slb svc group-member:80)# priority 5
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)#

priority-affinity
Description Configure the ACOS device to continue using backup servers (servers
with lower priority) even when the primary (high priority) servers
come back up.

Syntax [no] priority-affinity [reset]

The reset option resets the priority affinity feature so that the primary
servers can be used again.

Default Disabled.
By default, the ACOS device uses only the service-group members with
the highest priority. If all the highest-priority servers go down, the ACOS
device starts using the secondary (lower-priority) members. Also by
default, when one or more of the highest-priority servers comes back up,
the ACOS device returns to using only those highest-priority servers and
stops using the backup servers.

Mode Service group

Usage The min-active-member option continues using backup servers in order to maintain a minimum number of active servers, but does not continue using only the backup servers after the primary servers come back up.
If the ACOS device stops using primary servers due to other features
(such as exceeding connection limits), priority affinity takes effect just as
if the switchover to the backup servers were triggered by a change in the
status of the primary servers. If those higher-priority servers become
available due to the number of connections dropping below the
configured threshold, ACOS will not use them, but will instead continue
using the lower-priority backup servers.

reset auto-switch
Description Reset load balancing from stateless back to the configured stateful method.
This command applies to configurations using auto-switch, which automatically switches from the configured stateful load-balancing method to a stateless load-balancing method, based on a configured threshold. (See method.)

Syntax reset auto-switch

Default N/A

Mode Configuration

Usage This command is operational only and does not affect the configuration.
The command is not saved in the startup-config.

reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.

Syntax [no] reset-on-server-selection-fail

Default Disabled

Mode Service group

sample-rsp-time
Description View sample server response time information.

Syntax [no] sample-rsp-time [rpt-ext-server [report-delay mins | top-fastest | top-slowest]]

Parameter Description

rpt-ext-server Report the top 10 fastest or slowest servers.

report-delay mins Set the reporting frequency in minutes (1-7200).

top-fastest Report the top 10 fastest servers.

top-slowest Report the top 10 slowest servers.

Mode Service group


stats-data-disable
Description Disable collection of statistical data for the service group.

Syntax stats-data-disable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Service group

stats-data-enable
Description Enable collection of statistical data for the service group.

Syntax stats-data-enable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Service group

Usage To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See slb common.)

strict-select
Description ACOS load-balancing methods are optimized for high performance, which can sometimes leave server selection imbalanced, with some servers holding more open connections than others. The strict option corrects this imbalance. For round-robin it ensures an exact round-robin distribution; strict selection is supported for the Weighted Round-Robin, Least Connection, and Service Least Connection load-balancing methods, and for the latter two it guarantees that each new connection is sent to the server with the fewest connections (or fewest service connections). Strict load balancing can be configured with other load-balancing methods, but has no effect on them. Strict load balancing is enabled within the service-group configuration. When it is enabled, expect lower performance, especially when the ACOS device is handling a heavy traffic load.

Syntax [no] strict-select


Default Disabled.

Mode Service group

Example The following example configures a TCP load balancing service-group named “strict.” Within the service-group, the example configures weighted round-robin load balancing (one of the methods strict selection supports) and then enables strict selection.
ACOS(config)# slb service-group strict tcp
ACOS(config-slb svc group)# method weight-rr
ACOS(config-slb svc group)# strict-select

template
Description Apply a server or port configuration template to a service group.

Syntax template {policy template-name | port template-name | server template-name}

Parameter Description

policy template-name Name of a policy template.

port template-name Name of a port template.

server template-name Name of a server template.

Default The settings in the server or port template applied to the server or port are
used, unless overridden by settings in the individual server or port con-
figuration.

Mode Service group

traffic-replication-type
Description Replicate or “mirror” traffic to one or more collector servers in a service
group using one of the traffic replication types.

Syntax traffic-replication-type {mirror | mirror-da-repl | mirror-ip-repl | mirror-sa-da-repl | mirror-sa-repl}

Parameter Description

mirror The ACOS device sends the packets “as is” to the collector server(s). Forwarding is based on the IP address in the original packet. This mode does not change the packet header at all; the original Layer 2 destination address (DA) and source address (SA) and the Layer 3 IP addresses are left intact.

mirror-da-repl Mirror destination MAC address replacement mode uses Layer 2 forwarding, with the ACOS device replacing the destination MAC address of the incoming packet with the destination MAC of each collector server within the designated service group.

mirror-ip-repl Mirror IP-replacement mode replaces the incoming packet’s IP address with the IP address of the collector server(s) and then forwards the duplicated packet to those servers. This option affects the packet at Layer 4, with minor changes made to the L4 source and destination ports. This option is recommended for scenarios in which the collector servers are directly connected to the ACOS device.

mirror-sa-da-repl Mirror source MAC address and destination MAC address replacement mode replaces both the source and destination MAC addresses at Layer 2 but does not change the Layer 3 IP addressing information.

mirror-sa-repl Mirror source MAC address replacement mode replaces the source MAC address on incoming packets with the MAC address corresponding to the virtual server on the ACOS device.

In general, most of the traffic replication options modify the headers of the duplicated packets at Layer 2 by changing the MAC address. Only one of the traffic replication modes (mirror-ip-repl) alters the packets’ IP address.

Default Disabled

Mode Service group

Usage Traffic replication intercepts traffic feeds, such as SNMP or Syslog packets, copies them to a buffer, and forwards the duplicated packets to multiple collector servers, where the data can be used to track users and devices. This is useful for organizations that need network-monitoring feeds replicated to multiple destinations.
When configuring the feature, after defining the VIP and setting up the real collector servers, configure a service group for the collector servers, add the real collector servers to the service group, and specify which traffic-replication mode will be used.

Example The following commands configure a service group for the collector servers and add the real collector servers to the service group. Then, the commands specify that the mirror-da-repl traffic replication mode will be used to forward duplicated network monitoring traffic to the collector servers.
ACOS(config)# slb service-group SG-RS tcp
ACOS(config-slb svc group)# member RS1 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# member RS2 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# traffic-replication-type mirror-da-repl

Chapter 23: Config Commands: SLB Virtual Servers
This section lists the commands and sub-commands to configure SLB virtual servers.

The commands in this section apply to virtual servers (also called “VIPs”), not to real servers.
To configure real servers, see Config Commands: SLB Servers.

To access this configuration level, enter the slb virtual-server command at the global Con-
fig level.
ACOS(config)# slb virtual-server VIP1 192.168.22.22
ACOS(config-slb vserver)#

To display configured virtual servers, use the show slb virtual-server ? command.

The following topics are covered:

arp-disable 549

description 549

disable 549

disable-when-all-ports-down 550

disable-when-any-port-down 550

enable 551

extended-stats 551

port 551

redistribution-flagged 555

stats-data-disable 555

stats-data-enable 556

template client-ssl 556

template logging 556

template policy 556

template scaleout 557

template server 557

template virtual-server 558


vrid 558


arp-disable
Description Disable ARP replies from a virtual server.

Syntax [no] arp-disable

Default ARP replies are enabled by default.

Mode Virtual server

Usage Use this command if you do not want the ACOS device to reply to ARP
requests to the virtual server’s IP address. For example, you can use this
command to put a VIP out of service on one ACOS device and use that
device as a switch or router for another ACOS device providing SLB for
the VIP.
When you disable ARP replies for a VIP, redistribution of routes to the VIP
is automatically disabled.

Example The following command disables ARP replies:
ACOS(config-slb vserver)# arp-disable

description
Description Add a description to a VIP.

Syntax description string

Replace string with a description of the VIP (up to 63 characters long). The string can contain blanks. Quotation marks are not required.

Default None

Mode Virtual server


disable
Description Disable a virtual server.

Syntax [no] disable

Default Virtual servers are enabled by default.


Mode Virtual server

disable-when-all-ports-down
Description Automatically disable the virtual server if all its service ports are down. If
OSPF redistribution of the VIP is enabled, the ACOS device also with-
draws the route to the VIP in addition to disabling the virtual server.

Syntax [no] disable-when-all-ports-down

Parameter Description

when-all-ports-down Automatically disables the virtual server if all its service ports are down. If OSPF redistribution of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to disabling the virtual server.

when-any-port-down Automatically disables the virtual server if any of its service ports is down. If OSPF redistribution of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to disabling the virtual server.

Default Enabled.

Mode Virtual server

disable-when-any-port-down
Description Automatically disable the virtual server if any of its service ports is
down. If OSPF redistribution of the VIP is enabled, the ACOS device
also withdraws the route to the VIP in addition to disabling the vir-
tual server.

Syntax [no] disable-when-any-port-down

Default Disabled.

Mode Virtual server


enable
Description Enable a virtual server.

Syntax [no] enable

Default Enabled

Mode Virtual server

Example The following commands re-enable virtual server “vs1”:
ACOS(config)# slb virtual-server vs1
ACOS(config-slb vserver)# enable

extended-stats
Description Enable collection of peak connection statistics for a virtual server.

Syntax [no] extended-stats

Default Disabled

Mode Virtual server

port
Description Configure a virtual port on a virtual server.

Syntax [no] port port-number service-type [range length] [alternate]

Parameter Description

port-number Port number, 0-65534.


service-type Service type of the port:
 • diameter – Diameter AAA load balancing
 • dns-tcp – DNS service over TCP
 • dns-udp – DNS caching
 • fast-http – Streamlined Hypertext Transfer Protocol (HTTP) service
 • fix – Financial Information eXchange (FIX) load balancing
 • ftp – File Transfer Protocol
 • ftp-proxy – FTP proxy service
 • http – HTTP
 • https – Secure HTTP (SSL)
 • imap – Internet Message Access Protocol
 • mlb – MLB service over TCP
 • mms – Microsoft Media Server
 • mssql – Database load balancing for MS-SQL servers
 • mysql – Database load balancing for MySQL servers
 • others – Wildcard port used for IP protocol load balancing. (For more information, see the “IP Protocol Load Balancing” chapter of the Application Delivery Controller Guide.)
 • pop3 – Post Office Protocol 3
 • radius – RADIUS
 • reqmod-icap – ICAP request modification (REQMOD)
 • respmod-icap – ICAP response modification (RESPMOD)
 • rtsp – Real Time Streaming Protocol
 • sip – Session Initiation Protocol (SIP) over UDP
 • sip-tcp – SIP over TCP
 • sips – SIP over TCP / TLS
 • smpp-tcp – Short Message Peer-to-Peer (SMPP 3.3) load balancing over TCP
 • smtp – Simple Mail Transfer Protocol
 • spdy – Google SPDY (“speedy”) protocol
 • spdys – Secure SPDY
 • ssl-proxy – SSL proxy service
 • ssli – non-HTTP over SSL
 • tcp – Layer 4 Transmission Control Protocol (TCP)
 • tcp-proxy – Full TCP-stack service for load-balanced Layer 7 applications
 • tftp – Trivial File Transfer Protocol
 • udp – User Datagram Protocol


range length Assigns a range of ports to the VIP for the specified virtual-service type. The length specifies the number of contiguous ports to add to the base port, 0-254.

alternate Designates this virtual port as an alternate port for another virtual port. An alternate port is a standby for the primary port. (See alternate.)

Default N/A

Mode Virtual server

Usage The normal form of this command creates a new or edits an existing vir-
tual port. The CLI changes to the configuration level for the virtual port.
(See Config Commands: SLB Virtual Server Ports.)
The “no” form of this command removes the specified virtual port from
current virtual server.
The maximum number of virtual service ports allowed and the maximum
number per virtual server depend on the ACOS model.
The ACOS device allocates processing resources to HTTPS virtual ports
when you bind them to an SSL template. This results in increased CPU
utilization, regardless of whether traffic is active on the virtual port.
Fast-HTTP
Fast-HTTP is optimized for very high performance information
transfer in comparison to regular HTTP. Due to this optimization,
fast-HTTP does not support all the comprehensive capabilities of
HTTP such as header insertion and manipulation. It is recommended
not to use fast-HTTP for applications that require complete data
transfer integrity.
Packet Processing on HTTP Virtual Ports
Packets reaching a Layer 7 HTTP virtual port are processed in the following order of priority:
1. PBSLB (policy template) action drop/reset
2. PBSLB (policy template) action service-group
3. Source-IP persistence template
4. Layer 4 aFleX policy (for example, CLIENT_ACCEPTED event)
5. Cookie persistence template
6. Layer 7 aFleX script (for example, HTTP_REQUEST event)
7. URL switching configured in HTTP template
8. Cookie persistence template with match-type of service-group and bound to a source-IP persistence template with match-type set to service-group
9. Configured service-group bound to the virtual port

Example The following example creates a new (or edits an existing) virtual port:
ACOS(config-slb vserver)# port 443 https
ACOS(config-slb vserver-vport)#

redistribution-flagged
Description Flag this VIP to selectively enable or disable redistribution of it by OSPF.

Syntax [no] redistribution-flagged

Default Not set. VIP is automatically redistributed if VIP redistribution is enabled in OSPF.

Mode Virtual server

Usage Use this option if you want to redistribute only some of the VIPs rather
than all of them.
Selective VIP redistribution also requires configuration in OSPF. See the
description of the vip option of the redistribute command in the
“Config Commands: Router - OSPF” chapter in the Network
Configuration Guide.

stats-data-disable
Description Disable collection of statistical data for the virtual server.

Syntax stats-data-disable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Virtual server


stats-data-enable
Description Enable collection of statistical data for the virtual server.

Syntax stats-data-enable

Default Statistical data collection for load-balancing resources is enabled by default.

Mode Virtual server

Usage To collect statistical data for a load-balancing resource, statistical data col-
lection also must be enabled globally. (See slb common.)

template client-ssl
Description Bind a client-ssl template to the virtual server.

Syntax [no] template client-ssl template-name

Default None

Mode Virtual server

template logging
Description Bind a logging template to the virtual server.

Syntax [no] template logging template-name

Default None

Mode Virtual server

template policy
Description Bind a PBSLB policy template to the virtual server.

Syntax [no] template policy template-name

Default None

Mode Virtual server


Usage This command is applicable only for PBSLB policy templates configured for IP limiting. (See the Application Access Management and DDoS Mitigation Guide.)

template scaleout
Description Bind a Scale Out template to the virtual server.
More information about Scale Out is available in “Configuring Scale Out”
in the System Configuration and Administration Guide.

Syntax [no] template scaleout template-name

Default None

Mode Virtual server

template server
Description Bind a real server template to the server.

Syntax [no] template server template-name

Default The real server template named “default” is bound to servers by default.
The parameter settings in the default real server template are auto-
matically applied to the new server, unless you bind a different real server
template to the server.

Mode Real server

Usage If a parameter is set individually on this server and also is set in a server
template bound to this server, the individual setting on this server is used
instead of the setting in the template.
To configure a real server template, see slb template server.

Example The following commands configure a real server template called “rs-tmplt1” and bind the template to two real servers:
ACOS(config)# slb template server rs-tmplt1
ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
ACOS(config-rserver)# exit
ACOS(config)# slb server rs1 10.1.1.99
ACOS(config-real server)# template server rs-tmplt1
ACOS(config-real server)# exit
ACOS(config)# slb server rs2 10.1.1.100
ACOS(config-real server)# template server rs-tmplt1

template virtual-server
Description Bind a virtual server template to the virtual server.

Syntax [no] template virtual-server template-name

Default The virtual server template named “default” is bound to virtual servers by
default. The parameter settings in the default virtual server template are
automatically applied to the new virtual server, unless you bind a dif-
ferent virtual server template to the virtual server.

Mode Virtual server

Usage If a parameter is set individually on this virtual server and also is set in a vir-
tual server template bound to this virtual server, the individual setting on
this virtual server is used instead of the setting in the template.
To configure a virtual server template, see slb template virtual-server.

Example The following commands configure a virtual server template called “vs-tmplt1” that sets ICMP rate limiting, and bind the template to a virtual server:
ACOS(config)# slb template virtual-server vs-tmplt1
ACOS(config-vserver)# icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.2
ACOS(config-slb vserver)# template virtual-server vs-tmplt1

vrid
Description Assign the virtual server to a VRRP-A VRID.

Syntax [no] vrid num

Use num to specify the VRID (1-31 in the shared partition, or 1-7 in an L3V
partition).

Default The default VRID, if none is assigned, is 0.

Mode Virtual server configuration mode

Chapter 24: Config Commands: SLB Virtual Server Ports
This section lists the commands and sub-commands to configure SLB virtual server ports.

To access this configuration level, enter the port command at the configuration level for a vir-
tual server.
ACOS(config)# slb virtual-server VIP1 192.168.22.22
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)#

The following topics are covered:

aaa-policy 561

access-list 561

aflex 563

aflex-table-entry-sync 564

alternate 564

attack-detection 565

bucket-count 566

clientip-sticky-nat 566

conn-limit 566

def-selection-if-pref-failed 568

def-selection-if-pref-failed-disable 569

disable 569

enable 569

extended-stats 570

force-routing-mode 570

ha-conn-mirror 570

ip-map-list 571

ipinip 572

message-switching 572


name 572

no-auto-up-on-aflex 572

no-dest-nat 573

optimization-level 574

rate-limit-pr-log 575

redirect-fwd 576

redirect-rev 576

redirect-to-https 577

reply-acme-challenge 577

reset-on-server-selection-fail 578

rtp-sip-call-id-match 578

service-group 579

skip-rev-hash 579

snat-on-vip 580

source-nat auto 580

source-nat pool 584

source-nat use-cgnv6 585

support-http2 585

stats-data-disable 586

stats-data-enable 586

syn-cookie 586

template 587

template virtual-port 588

use-default-if-no-server 589

use-rcv-hop-for-resp 589


aaa-policy
Description Bind an AAM policy to the virtual port.

Syntax [no] aaa-policy policy-name

Mode Virtual port

access-list
Description Apply an Access Control List (ACL) to a virtual server port.

Syntax [no] access-list {acl-num | name acl-name} [source-nat-pool {pool-name | pool-group-name} [sequence-number num]]

Parameter Description

acl-num | name acl-name Number of a configured IPv4 ACL (acl-num), or the name of a configured IPv6 ACL (name acl-name).

source-nat-pool {pool-name | pool-group-name} [sequence-number num] Name of a configured IP source NAT pool or pool group. Use this option to configure policy-based source NAT. Source NAT is required if the real servers are in a different subnet than the VIP.

The sequence-number option specifies the ACL’s position within the sequence of ACLs that are associated with IP source NAT pools and assigned to this virtual port. The sequence number matters because the ACOS device uses IP addresses from the pool associated with the first ACL that matches the traffic.

By default, the ACL sequence follows the order in which you apply the ACLs to the virtual port: the first ACL has sequence number 1, the second ACL has sequence number 2, and so on. You can specify 1-32 as the sequence number. To view the sequence, use the show running-config command to view the configuration for this virtual port.

Default N/A

Mode Virtual port

Usage The ACL must be configured before you can apply it to a virtual port. To configure an ACL, use the “access-list (standard)” or “access-list (extended)” commands, which are described in the “Command Line Interface Reference” document.
To permit or deny traffic on the virtual port, specify an ACL but do not specify a NAT pool.
To configure policy-based source NAT, specify an ACL and a NAT pool. Use an extended ACL. The source IP address must match on the client address. The destination IP address must match on the real server address. The action must be permit. The NAT pool is used only for traffic that matches the ACL. This configuration allows the virtual port to have multiple pools, and to select a pool based on the traffic.

Example The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on virtual port 8080 on virtual server “vslb1”:
ACOS(config)# access-list 99 deny 10.10.10.0 0.0.0.255
ACOS(config)# slb virtual-server vslb1
ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# access-list 99

Example The following commands configure policy-based source NAT by binding ACLs to NAT pools on the virtual port. Because no sequence numbers are given, ACL 30 is evaluated first and ACL 50 second.
ACOS(config)# slb virtual-server vs1 10.10.10.100
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# access-list 30 source-nat-pool pool1
ACOS(config-slb vserver-vport)# access-list 50 source-nat-pool pool2
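The first-match and sequence-number rules above, as an added Python example that is not ACOS code and not from A10: it models wildcard-mask ACL evaluation, a filter ACL bound without a pool, and policy-based source NAT pool selection in sequence order. The ACL numbers, addresses and pool names are constructed; the trailing implicit deny is the model’s assumption about ACL semantics.

```python
"""Added example, not ACOS code: a model of how ACLs bound to a virtual port
with `access-list` are evaluated, following the usage text above.
- A binding with no pool is a permit/deny filter for the port.
- A binding with a source-nat-pool is policy-based source NAT; the pool of the
  FIRST matching ACL in sequence order is used, so sequence numbers decide
  between overlapping ACLs.
- Masks are wildcard masks (0 bit = must match, 1 bit = don't care), so
  `10.10.10.0 0.0.0.255` is 10.10.10.0/24.
- Assumption: an ACL ends with an implicit deny, so unmatched traffic is denied
  by a filter ACL and selects no pool.
Addresses, ACL numbers and pool names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")       # address + wildcard matching everything


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF                     # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                                # "permit" or "deny"
    src: Tuple[str, str] = ANY                 # (address, wildcard mask)
    dst: Tuple[str, str] = ANY


@dataclass
class Acl:
    number: int
    entries: List[Ace]

    def action_for(self, src: str, dst: str) -> str:
        for e in self.entries:                 # first matching entry decides
            if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
                return e.action
        return "deny"                          # implicit deny (assumption, see above)


@dataclass
class Binding:
    acl: Acl
    pool: Optional[str]                        # None = plain filter, else policy NAT
    sequence: int


class VirtualPort:
    def __init__(self) -> None:
        self.bindings: List[Binding] = []

    def access_list(self, acl: Acl, source_nat_pool: Optional[str] = None,
                    sequence_number: Optional[int] = None) -> None:
        """`access-list acl [source-nat-pool pool [sequence-number n]]`."""
        seq = sequence_number if sequence_number is not None else len(self.bindings) + 1
        self.bindings.append(Binding(acl, source_nat_pool, seq))
        self.bindings.sort(key=lambda b: b.sequence)

    def decide(self, client: str, server: str) -> Tuple[str, Optional[str]]:
        """('deny', None); ('permit', pool) for policy NAT; ('permit', None) otherwise."""
        for b in self.bindings:                # filter ACLs: any non-permit blocks the flow
            if b.pool is None and b.acl.action_for(client, server) != "permit":
                return ("deny", None)
        for b in self.bindings:                # NAT ACLs: first match in sequence order wins
            if b.pool is not None and b.acl.action_for(client, server) == "permit":
                return ("permit", b.pool)
        return ("permit", None)


def filter_example(with_permit_any: bool):
    """The documentation's `access-list 99 deny 10.10.10.0 0.0.0.255` filter,
    without and with a trailing `permit any` entry."""
    entries = [Ace("deny", ("10.10.10.0", "0.0.0.255"))]
    if with_permit_any:
        entries.append(Ace("permit"))
    port = VirtualPort()
    port.access_list(Acl(99, entries))
    return (port.decide("10.10.10.5", "192.0.2.10"),    # inside the denied subnet
            port.decide("10.20.30.5", "192.0.2.10"))    # outside it


def snat_example(specific_first: bool) -> Tuple[str, Optional[str]]:
    """Policy-based SNAT: ACL 30 covers 10.1.0.0/16 -> pool1, ACL 50 covers the
    narrower 10.1.2.0/24 -> pool2. Without sequence numbers, binding order wins."""
    server = ("192.0.2.10", "0.0.0.0")         # real-server side of the extended ACL
    acl30 = Acl(30, [Ace("permit", ("10.1.0.0", "0.0.255.255"), server)])
    acl50 = Acl(50, [Ace("permit", ("10.1.2.0", "0.0.0.255"), server)])
    port = VirtualPort()
    if specific_first:                         # sequence-number overrides binding order
        port.access_list(acl30, "pool1", sequence_number=2)
        port.access_list(acl50, "pool2", sequence_number=1)
    else:
        port.access_list(acl30, "pool1")
        port.access_list(acl50, "pool2")
    return port.decide("10.1.2.7", "192.0.2.10")
```

filter_example(False) is the check a practitioner wants on the standard-ACL example above: with only a deny entry, a host outside 10.10.10.0/24 is denied as well, because nothing matched and the implicit deny applies; filter_example(True) adds a permit entry after it. snat_example(False) shows that, bound in the order of the policy-based SNAT example, the broader ACL 30 captures 10.1.2.7 first, so pool1 is used even though ACL 50 is more specific; snat_example(True) corrects that with explicit sequence numbers.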

aflex
Description Apply an aFleX policy to a virtual port.

Syntax [no] aflex policy-name

Replace policy-name with the name of a configured aFleX policy.

Default N/A

Mode Virtual port

Usage The normal form of this command applies the specified aFleX policy to
the port. The no form of this command removes the aFleX policy from the
port. For more information about aFleX policies, see the aFleX Scripting
Language Reference.

Example The following command applies aFleX policy “aflex1” to a virtual port:
ACOS(config-slb vserver-vport)# aflex aflex1


aflex-table-entry-sync
Description Configure fast aFleX table synchronization for a virtual port. The aFleX tables are synchronized to the peer ACOS device via VRRP-A.

Syntax [no] aflex-table-entry-sync {enable | disable}

Parameter Description

enable Enable fast aFleX table synchronization for the defined virtual port.

disable Disable fast aFleX table synchronization for the defined virtual port.

Default Disabled

Mode Virtual port configuration mode

Example The following commands enable aFleX table entry synchronization on a virtual port:
ACOS(config)# slb virtual-server vslb1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# aflex-table-entry-sync enable

alternate
Description Enables switchover to another virtual port, based on specific conditions.

Syntax [no] alternate port port-num {alt-port-service-type [switchover-event]}

Parameter Description

port-num Port number of the alternate virtual port.

alt-port-service-type Service type of the alternate port, tcp or http.

switchover-event The event types that cause switchover from the primary port to the alternate port:

For TCP alternate ports, you can specify the following:
 • req-fail – Switches over if a request fails.
 • when-down – Switches over if the service group for the primary port is down.

For HTTP alternate ports, you can specify the following:
 • serv-sel-fail – Switches over if SLB server selection fails.
 • when-down – Switches over if the service group for the primary port is down.

Default Not set

Mode Virtual port

attack-detection
Description Enable analytics and attack detection using ZBAR. This feature identifies volumetric and IoT DDoS attacks against the SLB virtual port and applies mitigation policies so that legitimate clients keep good application responsiveness. Offending sources are dropped or rate-limited based on their computed threat score.

Syntax [no] attack-detection

Default N/A

Mode Virtual port


Example The following command enables attack detection on the virtual port:
ACOS(config)# slb virtual-server vip1 12.12.12.203
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# attack-detection

bucket-count
Description Configure the number of traffic buckets used in a Scale Out con-
figuration.

Syntax [no] bucket-count num

Replace num with the number of traffic buckets (1-256).

Mode Virtual port

clientip-sticky-nat
Description Enables sticky-NAT to use the same source NAT IP address for a given client.

Syntax [no] clientip-sticky-nat

Default Disabled

Mode Virtual port

Usage You can enable the clientip-sticky-nat feature on the individual vir-
tual ports.
This option is not supported with the ip-rr (IP round-robin) and source-
nat auto (smart NAT) options.

Example The following example configures the clientip-sticky-nat option:
ACOS(config)# slb virtual-server vip1 160.160.160.150
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# clientip-sticky-nat

conn-limit
Description Set the connection limit for a virtual port.


Syntax [no] conn-limit number [reset] [no-logging]

Parameter Description

number Connection limit, 0-8000000 (8 million); 0 means no limit.

reset Sends a connection reset to the client if the connection limit is reached. If you omit this option, the connection is silently dropped and no reset is sent to the client.

no-logging Disables logging for this feature.

Default Not set. If you set a limit, the default action for any new connection
request after the limit has been reached is to silently drop the con-
nection, without sending a reset to the client. Logging is enabled by
default.

Mode Virtual port

Usage The normal form of this command changes the current port’s connection
limit.
The no form of this command resets the port connection limit to its
default value.
The connection limit puts a hard limit on the number of concurrent connections supported by the port. No more connections are accepted on the port while its number of current connections is equal to or greater than the limit.
If you change the connection limiting configuration on a virtual port or
virtual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current
connection counter for the virtual port or server in show command
output and in the GUI may become incorrect. To avoid this, do not
change the connection limiting configuration until the virtual server or
port does not have any active connections.

Example The following command changes a virtual port’s connection limit to 10000:
ACOS(config)# slb virtual-server vs1
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# conn-limit 10000


def-selection-if-pref-failed
Description Configure SLB to continue checking for an available server in other ser-
vice groups if all of the servers are down in the first service group selec-
ted by SLB.

Syntax def-selection-if-pref-failed

Default Enabled

Mode Virtual port

Usage During SLB selection of the preferred server to use for a client request,
SLB checks the following configuration areas, in the order listed:
1. Layer 3-4 configuration items:
• aFleX policies triggered by Layer 4 events
• Policy-based SLB (black/white lists). PBSLB is a Layer 3 con-
figuration item because it matches on IP addresses in black/white
lists.
2. Layer 7 configuration items:
• Cookie switching
• aFleX policies triggered by Layer 7 events
• URL switching
• Host switching
3. Default service group. If none of the items above results in selection
of a server, the default service group is used.
• In single service group configurations, this is the default service
group.
• If the configuration uses multiple service groups, the default ser-
vice group is the one that is used if none of the templates used by
the configuration selects another service group instead.
For example, if a CLIENT_ACCEPTED event triggers an aFleX policy, that policy is consulted first. If an HTTP_REQUEST event triggers an aFleX policy, that policy is consulted only if none of the Layer 4 configuration items results in a server selection.
The first configuration area that matches the client or VIP (as applicable)
is used, and the client request is sent to a server in the service group that
is applicable to that configuration area. For example, if the client's IP
address is in a black/white list, the service group specified by the list is
used for the client request.

568
Chapter 24: Config Commands: SLB Virtual Server Ports
Feedback ACOS 5.2.1-P3 Command Line Reference for ADC

When the def-selection-if-pref-failed option is enabled, SLB continues to


check for an available server in other service groups if all servers are
down in the first service group selected by SLB.
If Policy-Based SLB (PBSLB) is configured on the same virtual port,
PBSLB server-selection failures are not logged. This limitation does not
affect failures caused when a client is over itsr PBSLB connection limit.
These failures are still logged.
To disable the option, see “def-selection-if-pref-failed-disable” on
page 1.

Example The following command enables this option:
ACOS(config-slb vserver-vport)# def-selection-if-pref-failed
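The selection order and the fallback behavior described above, modelled in Python as an added example. This is not ACOS code: the class and function names (Server, ServiceGroup, Request, SelectionConfig, select_server) and the sample configuration built by build_sample_config() are assumptions made for the illustration.

```python
"""Model of the SLB server-selection order described for def-selection-if-pref-failed.

Added illustration, not ACOS code. All names and the sample configuration are
assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Server:
    name: str
    up: bool = True


@dataclass
class ServiceGroup:
    name: str
    servers: list = field(default_factory=list)

    def first_available(self) -> Optional[Server]:
        return next((s for s in self.servers if s.up), None)


@dataclass
class Request:
    client_ip: str
    host: str = ""


# A selector stands for one configuration item (aFleX L4 policy, PBSLB list,
# cookie/URL/host switching, aFleX L7 policy): it names a service group or returns None.
Selector = Callable[[Request], Optional[str]]


@dataclass
class SelectionConfig:
    groups: dict
    default_group: str
    layer4_items: list = field(default_factory=list)   # aFleX L4 events, PBSLB lists
    layer7_items: list = field(default_factory=list)   # cookie/URL/host switching, aFleX L7
    def_selection_if_pref_failed: bool = True          # the option documented above


def choose_service_group(cfg: SelectionConfig, req: Request) -> str:
    """Walk the configuration areas in the documented order: Layer 3-4 items,
    then Layer 7 items, then the default service group."""
    for selector in cfg.layer4_items + cfg.layer7_items:
        chosen = selector(req)
        if chosen is not None:
            return chosen
    return cfg.default_group


def select_server(cfg: SelectionConfig, req: Request) -> Optional[Server]:
    """Pick a server from the preferred group. If every server there is down,
    fall back to the other service groups only when the option is enabled."""
    preferred = choose_service_group(cfg, req)
    server = cfg.groups[preferred].first_available()
    if server is not None or not cfg.def_selection_if_pref_failed:
        return server
    for name, group in cfg.groups.items():
        if name != preferred:
            server = group.first_available()
            if server is not None:
                return server
    return None


def build_sample_config() -> SelectionConfig:
    """Constructed sample: a PBSLB list (Layer 3) steers 10.0.0.0/8 clients to
    sg-listed, whose only server is down; host switching (Layer 7) steers
    api.example.com to sg-api; everything else uses sg-default."""
    groups = {
        "sg-listed": ServiceGroup("sg-listed", [Server("srv1", up=False)]),
        "sg-api": ServiceGroup("sg-api", [Server("srv2")]),
        "sg-default": ServiceGroup("sg-default", [Server("srv3")]),
    }

    def pbslb(r: Request) -> Optional[str]:
        return "sg-listed" if r.client_ip.startswith("10.") else None

    def host_switch(r: Request) -> Optional[str]:
        return "sg-api" if r.host == "api.example.com" else None

    return SelectionConfig(groups, "sg-default", [pbslb], [host_switch])
```

With the sample configuration, a request from 10.0.0.5 for api.example.com is steered to sg-listed by the Layer 3 list even though the host-switching rule would also match; because every server in sg-listed is down, the request is served from another group only while def_selection_if_pref_failed is True.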

def-selection-if-pref-failed-disable
Description Disable the def-selection-if-pref-failed option. (See
“def-selection-if-pref-failed” on page 1.)

Syntax def-selection-if-pref-failed-disable

disable
Description Disable a virtual port.

Syntax [no] disable

Default Enabled

Mode Virtual port

Example The following command disables a virtual port:
ACOS(config)# slb virtual-server vs1
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# disable

enable
Description Enable a virtual port.

Syntax [no] enable

Default Enabled

Mode Virtual port

Example The following command re-enables a virtual port:
ACOS(config)# slb virtual-server vs1
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# enable

extended-stats
Description Enable collection of peak connection statistics for a virtual port.

Syntax [no] extended-stats

Default Disabled

Mode Virtual port

force-routing-mode
Description Disables destination NAT, so that server responses go directly to clients.

Syntax [no] force-routing-mode

Default Disabled

Mode Virtual port

Usage For IPv4 VIPs, DSR is supported on virtual port (service) types TCP, UDP,
FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP,
UDP, and RTSP.

ha-conn-mirror
Description Enable connection mirroring (session synchronization) for the virtual
port.

Syntax [no] ha-conn-mirror [on-syn]

Parameter Description

on-syn Specifies the condition that triggers session synchronization. By
default, the command causes sessions to synchronize when they are
established. When the on-syn parameter is specified, the session
synchronizes when the virtual port receives a SYN packet.

Default Disabled.

Mode Virtual port

Usage Connection mirroring applies to VRRP-A configurations. When connection
mirroring is enabled, the Active ACOS device sends information about
active client connections to the Standby ACOS device. If a failover
occurs, the newly Active ACOS device continues service for the session.
The client perceives very brief or no interruption.
When connection mirroring is disabled, client session information is lost.
Clients must establish new connections.
In VRRP-A deployments, session synchronization is required for
persistent sessions (for example, source-IP persistence), and is therefore
automatically enabled for these sessions by the ACOS device. Persistent
sessions are synchronized even if session synchronization is disabled in
the configuration.
Session synchronization applies only to certain virtual port types. The
ha-conn-mirror command is listed in the CLI help only for those virtual
port types.

ip-map-list
Description Applies an IP map list to the virtual port.

Syntax [no] ip-map-list list-name

Default Not set

Mode Virtual port

ipinip
Description Enables IP-in-IP tunneling. This option is available only on the following
port types: TCP, UDP, RTSP, FTP, MMS, SIP, TFTP and RADIUS.

Syntax [no] ipinip

Mode Virtual port

message-switching
Description Enable message switching.
This causes messages to be forwarded in their entirety, one hop at a time.
Each message is treated as its own individual entity.

Syntax [no] message-switching

Mode Virtual port

name
Description Change the name assigned to the virtual port.

Syntax name string

Replace string with the name for the virtual port.

Default The ACOS device assigns a name that uses the following format:
_vip-addr_service-type_portnum

Mode Virtual port

no-auto-up-on-aflex
Description Disable automatic setting of an aFleX-bound virtual port’s state to Up.

Syntax [no] no-auto-up-on-aflex

Default Disabled. If an aFleX script is bound to the virtual port, the port is
automatically marked Up.

Mode Virtual port

Usage This command applies only if an aFleX script is bound to the virtual port.

no-dest-nat
Description Disable destination NAT.

Syntax [no] no-dest-nat [port-translation]

For wildcard VIPs, the port-translation option enables the ACOS device to
translate the destination protocol port in a client request before sending
the request to a server.
This option is useful if the real port number on the server is different from
the virtual port number of the VIP. Without this option, the ACOS device
sends the request to the server without changing the destination port
number.
This option does not change the destination IP address of the request.
This option is supported only for virtual ports that are on wildcard VIPs.

Default Destination NAT is enabled by default.

Mode Virtual port

Usage This option can be used for Direct Server Return (DSR) or for wildcard
VIPs.

Direct Server Return

For virtual servers that have a specific virtual IP address (VIP), disabling
destination NAT enables Direct Server Return (DSR). When DSR is
enabled, only the destination MAC address is translated from the VIP’s
MAC address to the real server’s MAC address. The destination IP address
is still the VIP.
In DSR topologies, reply traffic from the server to the client is expected to
bypass the ACOS device.
In the current release, for IPv4 VIPs, DSR is supported on virtual port
types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is
supported on virtual port types TCP, UDP, and RTSP.

Wildcard VIPs

For wildcard VIPs (VIPs that can have any IP address), this option enables
the ACOS device to send the client request to the server without
changing the destination IP address of the request.
The destination port of the request also is unchanged, unless you use the
port-translation option. (See above.)
Depending on the network topology and the application, reply traffic
from the server to the client may or may not pass back through the ACOS
device. If the port-translation option is used, and reply traffic passes
through the ACOS device, the ACOS device translates the source port of
the server reply back into the destination port to which the client sent the
request, before forwarding the reply to the client.
The port-translation option is supported only for the following virtual
port types: TCP, UDP, and HTTP/HTTPS.
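What each of the three modes just described rewrites in a client packet, and what is translated back on a reply that does pass through the device, as an added Python example rather than anything from the ACOS implementation. The Packet, VPort and RealServer names, the sample addresses and the use of "0.0.0.0" to stand for a wildcard VIP are assumptions.

```python
"""Model of what a virtual port rewrites under destination NAT (the default),
DSR (no-dest-nat on a VIP with a specific address) and no-dest-nat on a
wildcard VIP, with and without port-translation.

Added illustration, not ACOS code; names and sample addresses are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

WILDCARD_VIP = "0.0.0.0"   # assumed marker for a wildcard VIP


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    dst_mac: str


@dataclass(frozen=True)
class VPort:
    vip: str
    vip_mac: str
    no_dest_nat: bool = False
    port_translation: bool = False   # only meaningful on a wildcard VIP


@dataclass(frozen=True)
class RealServer:
    ip: str
    port: int
    mac: str


def to_server(pkt: Packet, vport: VPort, server: RealServer) -> Packet:
    """Rewrite the client's request before it leaves toward the selected server."""
    if not vport.no_dest_nat:
        # Default destination NAT: IP, port and MAC all point at the real server.
        return replace(pkt, dst_ip=server.ip, dst_port=server.port, dst_mac=server.mac)
    if vport.vip != WILDCARD_VIP:
        # DSR: only the destination MAC changes; the destination IP is still the VIP,
        # and the server's reply is expected to bypass the ACOS device.
        return replace(pkt, dst_mac=server.mac)
    # Wildcard VIP: the destination IP is never changed; the destination port is
    # rewritten only when port-translation is configured.
    dst_port = server.port if vport.port_translation else pkt.dst_port
    return replace(pkt, dst_port=dst_port, dst_mac=server.mac)


def to_client(reply: Packet, request: Packet, vport: VPort) -> Packet:
    """Rewrite a server reply that does pass back through the ACOS device."""
    if not vport.no_dest_nat:
        # Undo destination NAT: the client must see the VIP and the port it sent to.
        return replace(reply, src_ip=vport.vip, src_port=request.dst_port)
    if vport.vip == WILDCARD_VIP and vport.port_translation:
        # Translate the server's source port back to the client's original destination port.
        return replace(reply, src_port=request.dst_port)
    # DSR replies bypass ACOS; a wildcard VIP without port-translation needs no change.
    return reply
```

The DSR branch is the one to keep in mind when auditing: because only the MAC is rewritten, the real server must accept traffic for the VIP address itself, and nothing on the return path is inspected by the device.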

optimization-level
Description Set the HTTP optimization level.

Syntax [no] optimization-level

Parameter Description

0 No optimization

1 Optimization level 1. ACOS optimizes the HTTP code path, which
reduces the processing time in the TCP stack as well as the HTTP
processing.

Default 0 (No optimization)

Mode Virtual port

Usage When configuring optimization-level 1, ACOS dynamically determines
if it can process the HTTP traffic using the optimized code path. If it
cannot optimize traffic, it will use the default behavior of
optimization-level 0.
Certain types of traffic and configurations will not use an optimized code
path and, instead, will default to a non-optimized path. They include:
• AAM
• aFleX
• Compression
• External service
• HA failover
• HTTP 1.0 traffic
• HTTP/2 traffic
• HTTP redirect
• HTTP retry
• HTTP policy template
• ICAP
• IP fragmentation
• Jumbo frames
• Policy-based load balancing
• RAM cache
• Scaleout
• SSL
• TCP-proxy templates
• Virtual-port templates
• WAF

Example This command configures an HTTP port to improve the performance for
HTTP traffic.
ACOS(config)# slb virtual-server vip2 1.1.1.101
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# optimization-level 1

rate-limit-pr-log
Description For Thunder integrations with the A10 Lightning Controller, this
command configures the rate limit for Per Request logging. This is used to
prevent the Thunder devices from sending too many log messages to
the Lightning Controller at a rate that would exceed the capability of the
controller to accept them.

Syntax [no] rate-limit-pr-log num

Default Disabled

Mode Virtual port

Usage This command is only available on HTTP virtual ports.

redirect-fwd
Description In a single partition SSLi deployment, the forward direction steers layer 2
traffic from client to Internet on the specified interface.

Syntax [no] redirect-fwd {ethernet eth-id | trunk trunk-id}

Default Disabled

Mode Virtual port

Example The following example shows using the redirect-fwd command to
select the forward direction for steering the layer 2 traffic from the client
destined for a traffic inspection device out Ethernet 3.
ACOS(config)# slb virtual-server inside1 0.0.0.0 acl 102
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group sg_real_server_tcp
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# redirect-fwd ethernet 3
ACOS(config-slb vserver-vport)# exit

redirect-rev
Description In a single partition SSLi deployment, the reverse direction steers layer 2
traffic from Internet to client on the specified interface.

Syntax [no] redirect-rev {ethernet eth-id | trunk trunk-id}

Default Disabled

Mode Virtual port

Usage This is only supported under the wildcard VIP 0.0.0.0 for SSLi.

Example The following example shows the redirect-rev command to select the
reverse direction for steering the layer 2 traffic destined for the security
device from the Internet out Ethernet 5.
ACOS(config)# slb virtual-server outside1 0.0.0.0 acl 103
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group sg_real_server_tcp
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# redirect-rev ethernet 5
ACOS(config-slb vserver-vport)# exit

redirect-to-https
Description Responds to client HTTP requests with an HTTP redirect response with
response code 302 (Moved Permanently). The client is redirected to the
same host and URI they requested, but using HTTPS instead of HTTP.

Syntax [no] redirect-to-https

Default Disabled

Mode Virtual port

Usage This command is only available on HTTP virtual ports.

reply-acme-challenge
Description Enable replying to the ACME http-01 challenge from the CA server. The
challenge from the CA server arrives on the data port. This option takes
effect only on HTTP port 80 and works on both the old and new proxy.
Because the CA server verifies whether the ACME client controls the
domain, on the ACOS side you must manually configure a reverse
proxy. The domain to be verified is the certificate’s Common Name. The
DNS mapping for that domain must resolve to ACOS’s virtual IP address.

NOTE: If one domain maps to multiple IP addresses, then you must
configure multiple VIPs and enable this option on all the HTTP virtual
ports.

Syntax [no] reply-acme-challenge

Default Disabled

Mode Virtual port

Usage This command is only available on HTTP virtual ports.

Example The following command enables this option.
ACOS(config)# slb virtual-server VIP1 192.168.22.22
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# reply-acme-challenge

reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.

Syntax [no] reset-on-server-selection-fail

Default Disabled

Mode Virtual port

Usage The TCP template reset-rev option also can be used to send a RST to
clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST
in response to a server selection failure. In AX Release 2.2.2 and later, this
is no longer true. The reset-on-server-selection-fail option must
be used instead.

rtp-sip-call-id-match
Description Causes RTP traffic to try to match the real server of a SIP SMP call-id
session.
This command is used in conjunction with the smp-call-id-rtp-session
option under SIP template configuration (slb template sip (over
UDP)), which creates a cross-CPU RTP session that can be matched by
RTP traffic.

Syntax [no] rtp-sip-call-id-match

Mode Virtual port

Example The example below shows a sample configuration:
!
slb template sip test
  smp-call-id-rtp-session
!
!
slb virtual-server vv 0.0.0.0
  port 0 udp
    skip-rev-hash
    message-switching
    force-routing-mode
    no-dest-nat
    service-group win
    rtp-sip-call-id-match
  port 5060 sip
    message-switching
    force-routing-mode
    service-group winms
    template sip test
!

service-group
Description Bind a virtual port to a service group.

Syntax [no] service-group group-name

Replace group-name with the service-group name.

Default N/A

Mode Virtual port

Usage The normal form of this command binds the virtual port to the specified
service group. The “no” form of this command removes the binding.
One virtual port can be associated with one service group only, while one
service group can be associated with multiple virtual ports. The type of
service group and type of virtual port should match. For example, a UDP
service group cannot be bound to an HTTP virtual port.

Example The following commands bind the service group dns-udp to a DNS-UDP
virtual port.
ACOS(config-slb vserver)# port 52 dns-udp
ACOS(config-slb vserver-vport)# source-nat auto
ACOS(config-slb vserver-vport)# service-group dns-udp

skip-rev-hash
Description Does not insert the reverse tuple into the session hash for lookup. This
is used with aFleX and stateless load-balancing methods.

Syntax [no] skip-rev-hash

Mode Virtual port

Example The following example shows how to activate this feature.
ACOS(config)# slb virtual-server vs1
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# skip-rev-hash

snat-on-vip
Description Enable IP NAT support for the virtual port.

Syntax [no] snat-on-vip

Default Disabled

Mode Virtual port

Usage Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration
level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP
source NAT is configured using an ACL on the virtual port, and the slb
snat-on-vip command is also used, then a pool assigned by the ACL is
used for traffic that is permitted by the ACL. For traffic that is not
permitted by the ACL, VIP source NAT can be used instead.
The device does not support source IP NAT on FTP or RTSP virtual ports.

source-nat auto
Description Configure Smart NAT, to automatically create NAT mappings using
the ACOS interface connected to the real server.

Syntax [no] source-nat auto {precedence | ip-rr}

Parameter Description

precedence Set the auto NAT pool as higher precedence for source NAT.
This option is applicable if standard NAT pools are also used by the
virtual port. In this case, using this option causes Smart NAT to be used
before the standard NAT pools are used.

ip-rr Enable the IP address round-robin method for source NAT.
This option is applicable if you want to round-robin across multiple
floating IPs for VRRP-A, or interface IPs without VRRP-A, to reach more
than 41K mappings. The source IP address rotates through the floating
or interface IPs for every request to balance the traffic across all the IPs.

Default Disabled

Mode Virtual port

Usage If you do not use VRRP-A, 41K ports per interface IP address are used for
Smart NAT mappings. ACOS can use the same ACOS interface IP
address and port for more than one server connection. The combination
of ACOS IP address and port number (source) and server IP address and
port (destination) uniquely identifies each mapping.

Additional Notes
• Smart NAT applies only to ACOS devices deployed in route mode
(“gateway” mode). The feature is not applicable to devices in
transparent mode.
• Smart NAT uses all the multiple addresses if configured.
• Smart NAT is not supported on SIP, SIP-TCP, or SIPS virtual ports.
• VRRP-A support:
• Floating IP addresses that can be reached from the real servers are
required.
• Bind the service group to only a single virtual port. If this is not
possible, ensure all virtual ports bound to the service group have the
same VRID.
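An added Python model of the mapping rule stated in the Usage paragraph (the combination of ACOS IP and port with server IP and port identifies a mapping, with 41K ports per NAT IP address) and of the ip-rr rotation across several NAT IPs. This is not ACOS code; the SmartNat class, the starting port and the sample addresses are assumptions, while the 41K figure is the one given in the reference.

```python
"""Model of Smart NAT (source-nat auto) mapping allocation.

Added illustration, not ACOS code. The class, FIRST_PORT and the sample addresses
are assumptions; PORTS_PER_IP is the figure stated in the reference.
"""
from __future__ import annotations

from typing import Optional

PORTS_PER_IP = 41_000   # ports available per interface (or floating) IP, per the reference
FIRST_PORT = 1024       # assumed start of the port range used for mappings


class SmartNat:
    """Mappings are identified by (nat_ip, nat_port, server_ip, server_port), so one
    nat_ip:nat_port can be reused as long as the server side differs."""

    def __init__(self, nat_ips: list, ip_rr: bool = False) -> None:
        self.nat_ips = list(nat_ips)   # interface IPs (no VRRP-A) or floating IPs (VRRP-A)
        self.ip_rr = ip_rr             # source-nat auto ip-rr: rotate the NAT IP per request
        self._rr_index = 0
        self._next_port: dict = {}     # (nat_ip, server_ip, server_port) -> next unused port
        self._free: dict = {}          # same key -> ports released and ready for reuse

    def _pick_ip(self) -> str:
        if not self.ip_rr:
            return self.nat_ips[0]
        ip = self.nat_ips[self._rr_index % len(self.nat_ips)]
        self._rr_index += 1
        return ip

    def allocate(self, server_ip: str, server_port: int) -> Optional[tuple]:
        """Return the (nat_ip, nat_port) to use toward server_ip:server_port, or None
        when the chosen NAT IP has no port left toward that server."""
        nat_ip = self._pick_ip()
        key = (nat_ip, server_ip, server_port)
        free = self._free.get(key)
        if free:
            return nat_ip, free.pop()
        port = self._next_port.get(key, FIRST_PORT)
        if port >= FIRST_PORT + PORTS_PER_IP:
            return None
        self._next_port[key] = port + 1
        return nat_ip, port

    def release(self, nat_ip: str, nat_port: int, server_ip: str, server_port: int) -> None:
        """Connection closed: the port becomes reusable toward the same server."""
        self._free.setdefault((nat_ip, server_ip, server_port), []).append(nat_port)


def count_until_exhausted(nat: SmartNat, server_ip: str, server_port: int) -> int:
    """How many concurrent connections to one server a fresh SmartNat can map."""
    n = 0
    while nat.allocate(server_ip, server_port) is not None:
        n += 1
    return n
```

Two different servers both receive connections from port 1024 of the same NAT IP, which is the reuse the Usage paragraph describes; the 41K limit bites only for connections to one and the same server IP and port, and ip-rr spreads that load across the configured addresses.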

Example The following commands configure the VIP. Smart NAT with precedence
is enabled on each virtual port.
ACOS(config)# slb virtual-server vip1 160.160.160.150
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# source-nat auto precedence
ACOS(config-slb vserver-vport)# source-nat pool snat-pool1
ACOS(config-slb vserver)# port 21 ftp
ACOS(config-slb vserver-vport)# source-nat auto
ACOS(config-slb vserver-vport)# source-nat pool snat-pool1

Example The following commands configure the VIP. Smart NAT with IP-RR is
enabled on each virtual port.
ACOS(config)# interface ve 10
ACOS(config-if:ve:10)# ip address 10.211.1.1 255.255.255.0
ACOS(config-if:ve:10)# ip allow-promiscuous-vip
ACOS(config-if:ve:10)# ipv6 address 2000::10:211:1:1/112
ACOS(config-if:ve:10)# ipv6 enable
ACOS(config-if:ve:10)# exit
ACOS(config)# interface ve 20
ACOS(config-if:ve:20)# ip address 10.212.1.1 255.255.255.0
ACOS(config-if:ve:20)# ipv6 address 2000::10:212:1:1/112
ACOS(config-if:ve:20)# ipv6 enable
ACOS(config-if:ve:20)# exit
ACOS(config)# vrrp-a vrid 1
ACOS(config-vrid:1)# floating-ip 10.212.1.222
ACOS(config-vrid:1)# floating-ip 10.212.1.223
ACOS(config-vrid:1)# floating-ip 10.212.5.1
ACOS(config-vrid:1)# floating-ip 10.212.6.1
ACOS(config-vrid:1)# floating-ip 2000::10:212:1:131
ACOS(config-vrid:1)# floating-ip 2000::10:212:1:132
ACOS(config-vrid:1)# exit
ACOS(config)# slb server rs 10.212.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb server rs6 2000::10:212:1:2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg-tcp tcp
ACOS(config-slb svc group)# member rs 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb service-group sgv6-tcp tcp
ACOS(config-slb svc group)# member rs6 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb virtual-server vs 10.211.1.131
ACOS(config-slb vserver)# port 8081 tcp
ACOS(config-slb vserver)# service-group sg-tcp
ACOS(config-slb vserver-vport)# source-nat auto ip-rr
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit
ACOS(config)# slb virtual-server vs6 2000::10:211:1:6
ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver)# service-group sgv6-tcp
ACOS(config-slb vserver-vport)# source-nat auto ip-rr
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# exit

Example The following commands show VRRP-A support configuration examples.

Example 1: The floating IP and IP NAT pool are configured using the same
IP address. The IP NAT pool is bound to the virtual port. In this case, the
source-nat auto configuration is not supported.
....
ACOS(config)# ip nat pool pool1 10.212.1.222 10.212.1.222 netmask /32
ACOS(config)# vrrp-a vrid 1
ACOS(config-vrid:1)# floating-ip 10.212.1.222
....
ACOS(config)# slb virtual-server vs 10.212.1.20
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver)# service-group sg-tcp
ACOS(config-slb vserver-vport)# source-nat pool pool1
ACOS(config-slb vserver-vport)# exit
....

Example 2: The floating IP and source-nat auto are configured. In this
case, the IP NAT pool configuration is not supported. To configure
source-nat auto, use a different IP address in the source-nat pool or
remove the IP NAT pool configuration.
...
ACOS(config)# interface ve 10
ACOS(config-if:ve:10)# ip address 10.211.1.1 255.255.255.0
...
ACOS(config)# vrrp-a vrid 1
ACOS(config-vrid:1)# floating-ip 10.212.1.222
....
ACOS(config)# slb virtual-server vs 10.211.1.131
ACOS(config-slb vserver)# port 8081 tcp
ACOS(config-slb vserver)# service-group sg-tcp
ACOS(config-slb vserver-vport)# source-nat auto
ACOS(config-slb vserver-vport)# exit
....

source-nat pool
Description Enable source NAT. Source NAT is required if the real servers are in a
different subnet than the VIP.
This command is not applicable to the MMS or RTSP service types.

Syntax [no] source-nat pool {pool-name | pool-group-name}

Parameter Description

pool-name Specifies the name of an IP pool of addresses to use as source
addresses.

pool-group-name Specifies the name of a group of IP address pools to use as source
addresses.

NOTE: Currently, the NAT pool-group does not support port-overload.
Hence, A10 recommends configuring the NAT pool without port-overload.

Default Disabled.

Mode Virtual port

Usage This command enables source NAT using a single NAT pool or pool group,
for all source addresses. If you want the ACOS device to select from
among multiple pools based on source IP address, configure policy-based
source NAT instead. See “access-list” on page 1.

Example The following example enables source NAT for the virtual port:
ACOS(config-slb vserver-vport)# source-nat pool pool2

source-nat use-cgnv6
Description Follow CGNv6 source NAT configuration.

Syntax [no] source-nat use-cgnv6

Default None

Mode Virtual port

Example The following example enables source NAT for the virtual port:
ACOS(config-slb vserver-vport)# source-nat use-cgnv6

support-http2
Description Enable HTTP/2 support.

Syntax [no] support-http2

Default Not enabled.

Mode SLB virtual-server template

Usage This command can be configured in the following ways:
• If configured with source-nat, then ACOS will open multiple
server connections for each connected client.
• If configured without source-nat, then ACOS will open only one
server connection for each connected client. We support server-side
HTTP/2 by mapping a one-to-one relationship with the client
HTTP/2 connection.

Example The following command configures HTTP/2 with source-nat.
ACOS(config)# slb virtual-server vip1 160.160.160.150
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# source-nat pool snat-pool1
ACOS(config-slb vserver-vport)# support-http2

Example The following command configures HTTP/2 without source-nat.
ACOS(config)# slb virtual-server vip1 160.160.160.150
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# support-http2

stats-data-disable
Description Disable collection of statistical data for the virtual port.

Syntax stats-data-disable

Default Statistical data collection for load-balancing resources is enabled by
default.

Mode Virtual port

stats-data-enable
Description Enable collection of statistical data for the virtual port.

Syntax stats-data-enable

Default Statistical data collection for load-balancing resources is enabled by
default.

Mode Virtual port

Usage To collect statistical data for a load-balancing resource, statistical data
collection also must be enabled globally. (See “slb resource-usage” on
page 497.)

syn-cookie
Description Enable software-based SYN cookies for a virtual port. SYN cookies
provide protection against TCP SYN flood attacks.

Syntax [no] syn-cookie [expand]

The expand option enables expanded SYN cookie support. When
enabled, the ACOS device can encode values for the following TCP
options in the SYN-ACK:
• Window Scale for outbound traffic (send)
• Window Scale for inbound traffic (receive)
• Timestamp for the RTTM (Round Trip Time Measurement) and PAWS
(Protect Against Wrapped Sequences) mechanisms.
For a detailed description of these options, refer to RFC 1323 (TCP
Extensions for High Performance).

Default Disabled.

Mode Virtual port

Usage For software-based SYN cookies, the ACOS device bases the maximum
segment size (MSS) setting in the SYN cookies on server replies to TCP
health checks sent to the servers. The MSS used is the lowest MSS value
supported by any of the servers in the service group.
For hardware-based SYN cookies, refer to the 'syn-cookie' global
configuration command in the Command Line Interface Reference
guide. If hardware-based SYN cookies are enabled, then software-based
SYN cookies are not needed and are not used.
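An added Python model of how a stateless SYN cookie carries the negotiated MSS through the handshake and how, with expand, the window-scale values can ride in the timestamp option as well. It is not the ACOS implementation: the cookie layout (5-bit minute counter, 3-bit MSS index, 24-bit keyed MAC), the MSS table, the secret and the TSval encoding (modelled on the approach Linux uses) are all assumptions made for the illustration.

```python
"""Model of software SYN cookies with MSS encoding and the 'expand' option.

Added illustration, not the ACOS implementation. Cookie layout, MSS_TABLE,
SECRET and the TSval layout are assumptions for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Optional

SECRET = b"constructed-example-secret"   # a real device derives a random secret at boot
MSS_TABLE = (536, 1220, 1460, 4312)       # encodable MSS values; the index fits in 3 bits
COOKIE_VALID_MINUTES = 2                  # accept the current and the previous minute
TS_OPTION_BITS = 9                        # low TSval bits that carry encoded option values


def mss_index(client_mss: int, server_min_mss: int) -> int:
    """Largest table entry that neither side exceeds. Per the reference, the server
    side is the lowest MSS supported by any server in the service group."""
    limit = min(client_mss, server_min_mss)
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= limit:
            idx = i
    return idx


def _tag(saddr: str, daddr: str, sport: int, dport: int, client_isn: int, minute: int) -> int:
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the minute counter."""
    msg = struct.pack("!HHII", sport, dport, client_isn, minute & 0x1F)
    msg += saddr.encode() + b"|" + daddr.encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr: str, daddr: str, sport: int, dport: int,
                client_isn: int, mss_idx: int, minute: int) -> int:
    """Server ISN for the SYN-ACK. Nothing is stored for the half-open connection."""
    return (((minute & 0x1F) << 27) | ((mss_idx & 0x7) << 24)
            | _tag(saddr, daddr, sport, dport, client_isn, minute))


def check_cookie(saddr: str, daddr: str, sport: int, dport: int,
                 client_isn: int, cookie: int, minute: int) -> Optional[int]:
    """Validate the cookie echoed (as ack-1) in the client's final ACK.
    Returns the negotiated MSS, or None when the cookie is forged or stale."""
    age = (minute - (cookie >> 27)) & 0x1F
    if age >= COOKIE_VALID_MINUTES:
        return None
    expected = _tag(saddr, daddr, sport, dport, client_isn, minute - age)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got):
        return None
    idx = (cookie >> 24) & 0x7
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


def make_expanded_tsval(clock: int, snd_wscale: int, rcv_wscale: int) -> int:
    """TSval for the SYN-ACK timestamp option when 'expand' is on: the upper bits
    carry the clock (so RTTM and PAWS still work), the low bits the window scales."""
    encoded = (1 << 8) | ((rcv_wscale & 0xF) << 4) | (snd_wscale & 0xF)
    return ((clock << TS_OPTION_BITS) | encoded) & 0xFFFFFFFF


def decode_expanded_tsecr(tsecr: int) -> Optional[tuple]:
    """The client echoes our TSval as TSecr; recover (snd_wscale, rcv_wscale)."""
    if not tsecr & (1 << 8):
        return None   # nothing encoded: plain syn-cookie or no timestamp option
    return tsecr & 0xF, (tsecr >> 4) & 0xF
```

Because the final ACK is validated purely from its own fields plus the secret, a flood of SYNs leaves no half-open state behind; the price is that only values present in MSS_TABLE can be negotiated, and a cookie older than COOKIE_VALID_MINUTES is rejected even if genuine.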

template
Description Apply an SLB configuration template to a virtual port.

Syntax [no] template template-type template-name

Parameter Description

template-type Type of template. The template types that are available depend on
the virtual port service type.
To list the available template types, enter the following command:
template ?. Some of the options are:
• dns
• dynamic-service
• virtual-port

template-name Name of the template.

Default If the ACOS device has a default template that is applicable to the service
type, the default template is automatically applied. The ACOS device has
a default virtual-port template, which is applied to a virtual port when you
create it.

Mode Virtual port

Usage The normal form of this command applies the specified template to the
virtual port. The no form of this command removes the template from the
virtual port but does not delete the template itself.
A virtual port can be associated with only one template of a given type.
However, the same template can be associated with more than one
virtual port. To bind a virtual-port template to the port, see “template
virtual-port” on page 1.

Example The following example applies the connection-reuse template
“reuse-template” to a virtual port:
ACOS(config-slb vserver-vport)# template connection-reuse reuse-template

Example The following example binds an existing client-ssl template to a
virtual port. In this case, the TLS service is provided to the corresponding
endpoint:
ACOS(config-slb vserver)# port 53 dns
ACOS(config-slb vserver-vport)# template client_SSL

template virtual-port
Description Bind a virtual service port template to the virtual port.

Syntax [no] template virtual-port template-name

Default The virtual port template of “default” is bound to virtual ports by default.
Parameter settings in this default template are automatically applied to
the new virtual port, until a different virtual port template is bound to the
virtual port.

Mode Virtual port

Usage If a parameter is set individually on this virtual port and also is set in a vir-
tual port template bound to this virtual port, the individual setting on this
port is used instead of the setting in the template.
To configure a virtual port template, see “slb template virtual-port” on
page 603.

Example These commands configure a virtual service port template named
“common-vpsettings”, set the connection limit, and bind the template to a
virtual port:
ACOS(config)# slb template virtual-port common-vpsettings
ACOS(config-vport)# conn-limit 500000
ACOS(config-vport)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.99
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template virtual-port common-vpsettings

use-default-if-no-server
Description Forward client traffic at Layer 3, if SLB server selection fails.

Syntax [no] use-default-if-no-server

Default Disabled. If SLB server selection fails, the traffic is dropped.

Mode Virtual port

Usage This command applies only to wildcard VIPs (VIP address 0.0.0.0).

use-rcv-hop-for-resp
Description Force the ACOS device to send replies to clients back through the last
hop on which the request for the virtual port's service was received.

Syntax use-rcv-hop-for-resp [ src-dst-ip-swap-persist |
use-src-ip-for-dst-persist | use-dst-ip-for-src-persist ]

Parameter Description

src-dst-ip-swap-persist Creates a persistent session after the source IP and destination IP
are swapped. The new persistent session should match both the
source IP and the destination IP.
This option should be used with the incl-dst-ip option for the ALG
FWLB feature. This option cannot be used for the SIP protocol,
because a SIP transaction may involve three or more parties.

use-src-ip-for-dst-persist Creates a destination persistent session based on the source IP.

use-dst-ip-for-src-persist Creates source-IP persistent sessions for SIP or FTP sessions by
using the destination IP.
When enabled, the response packet goes through the same firewall
as the client’s request packet, and the SIP session and communication
sessions will be load balanced through the same firewall node.
Default Disabled.

Mode Virtual port

Usage For simple protocols, load balancing across a firewall is relatively easy.
However, load balancing Application Layer Gateway (ALG) protocols,
such as SIP and FTP, which have multiple connections that can originate
from either side of the firewall deployment, can be more challenging. The
lack of predictability that occurs with ALG protocols can cause the
protocol’s control connection and data connection to be sent to different
firewalls, thus causing the application to break.
The ACOS device uses use-rcv-hop-for-resp and sub-options to load
balance ALG protocols through a firewall deployment consisting of
paired firewalls.
For the use-rcv-hop-for-resp command to work for incoming packets
on the default VLAN, you must also configure vlan-global
enable-def-vlan-l2-forwarding.

Example The following example configures use-rcv-hop-for-resp.


ACOS(config)# vlan-global enable-def-vlan-l2-forwarding
ACOS(config)# slb virtual-server outbound_wc 0.0.0.0 acl 100
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# service-group SG_TCP
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp

For more information, refer to the “ALG Protocol FWLB Support for FTP
and SIP” chapter in the Application Delivery Controller Guide.
To enable selecting an alternative next-hop IP address when one of the firewall or router devices fails, use the use-rcv-hop-for-resp command with the 'use-rcv-hop-group' and 'server-group' options.
The following example configures use-rcv-hop-for-resp before the
use-rcv-hop-group and server-group. These options should contain a
list of valid firewall or router IP addresses.
ACOS(config)# slb virtual-server to-vpn
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# use-rcv-hop-group server-group to-vpn
ACOS(config-slb vserver-vport)# no-dest-nat
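The persistence behaviour that use-rcv-hop-for-resp and src-dst-ip-swap-persist describe, as an added Python model that is not ACOS code: the table keys on the (source IP, destination IP) pair, remembers the firewall the request was received on, and, when swap persistence is on, also installs the swapped key so a connection that later originates from the server side (as FTP or SIP ALG traffic can) is steered through the same firewall node. The class and function names, the firewall labels and the addresses are assumptions made for this illustration.

```python
# Added example (not ACOS code): a model of the persistence behaviour that
# use-rcv-hop-for-resp with src-dst-ip-swap-persist describes. The class and
# function names and the constructed scenario are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str]  # (source IP, destination IP) as seen by the ACOS device


@dataclass
class RcvHopTable:
    """Persistent sessions: which firewall (receive hop) a src/dst pair must use."""

    entries: Dict[FlowKey, str] = field(default_factory=dict)

    def learn(self, src: str, dst: str, rcv_hop: str, swap_persist: bool = False) -> None:
        # use-rcv-hop-for-resp: remember the hop the request arrived on so the
        # reply can be sent back through the same firewall.
        self.entries[(src, dst)] = rcv_hop
        # src-dst-ip-swap-persist: also install the swapped key, so a connection
        # that later originates from the far side (server -> client) matches
        # the same firewall node instead of being load balanced afresh.
        if swap_persist:
            self.entries[(dst, src)] = rcv_hop

    def lookup(self, src: str, dst: str) -> Optional[str]:
        return self.entries.get((src, dst))


def choose_firewall(table: RcvHopTable, src: str, dst: str,
                    firewalls: List[str], rr_index: int) -> Tuple[str, bool]:
    """Pick the firewall for a new connection.

    Returns (firewall, persisted): the persisted hop when the pair is known,
    otherwise a round-robin choice, which is the unpredictable case the Usage
    text warns about (control and data connections may end up on different
    firewalls).
    """
    hop = table.lookup(src, dst)
    if hop is not None:
        return hop, True
    return firewalls[rr_index % len(firewalls)], False


def demo() -> Dict[str, Tuple[str, bool]]:
    """Constructed scenario: client 10.1.1.5 reached server 203.0.113.10 via fw-A."""
    firewalls = ["fw-A", "fw-B"]
    without_swap = RcvHopTable()
    with_swap = RcvHopTable()
    without_swap.learn("10.1.1.5", "203.0.113.10", "fw-A")
    with_swap.learn("10.1.1.5", "203.0.113.10", "fw-A", swap_persist=True)
    # A server-originated data connection (for example FTP active mode) toward
    # the client: only the swapped entry keeps it on fw-A.
    return {
        "no-swap": choose_firewall(without_swap, "203.0.113.10", "10.1.1.5", firewalls, rr_index=1),
        "swap": choose_firewall(with_swap, "203.0.113.10", "10.1.1.5", firewalls, rr_index=1),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the two outcomes: without swap persistence the reverse-direction connection falls to round robin (fw-B here), with it the connection is pinned to fw-A, which is the property the SIP and FTP use case needs.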

Chapter 25: Config Commands: Health Monitors
This section lists the commands and sub-commands to configure SLB health monitors:

The health external command is accessed from Global Configuration mode, which is accessed
by entering the health monitor command.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)#

For more information about health monitors, see the “Health Monitoring” section of the Application Delivery Controller Guide.

The following topics are covered:

disable-after-down 594

dsr-l2-strict 594

health external 594

interval 596

method 596

override-ipv4 619

override-ipv6 620

override-port 620

passive 621

retry 623

ssl-ciphers 623

ssl-ticket 624

ssl-ticket lifetime 624

ssl-version 625

strictly-retry-on-server-error-response 626

up-retry 626


disable-after-down
Description Disable the target of a health check if the target fails the health check.
The server, port, or service group remains disabled until explicitly
enabled.

Syntax [no] disable-after-down

Default Disabled

Mode Health monitor configuration

Usage This command applies to servers, ports, or service groups using the health monitor. When a server, port, or service group is disabled based on this command, the server, port, or service group state is changed to disable in the running-config. If you save the configuration while the server, port, or service group is disabled, the state change is written to the startup-config.

dsr-l2-strict
Description In Layer 2 DSR environments, this option ensures health check packets are only sent to servers in the same Layer 2 network as the ACOS device. The health monitor marks servers not in the same Layer 2 network as DOWN.

Syntax [no] dsr-l2-strict

Default Disabled

Mode Health monitor configuration

health external
Description File commands that create, edit, and manage external health monitor
scripts.
Creating, editing, and deleting external health monitor scripts is only
supported for administrative users provisioned with health monitor (hm)
privilege. If these operations fail due to insufficient privilege, contact your
ACOS root administrator.


For more information and script examples, see the Application Delivery
Controller Guide (Using External Health Methods section) and the
Management Access and Security Guide.
Security Notes

• External health monitors run on a system-level basis at escalated privilege within ACOS, independent of partition-level constraints.
• Creating or editing their underlying scripts represents an avenue for potentially malicious code to be introduced into the ACOS system, which could be used to compromise the security of the ACOS system or its connected environment.
• To better ensure confidentiality, integrity, and availability in an ACOS installation, external health monitor scripts should be carefully reviewed and audited to verify their contents are for the intended monitoring purpose and are free of unsanctioned or untrusted code.

Syntax health external {
    copy src-file dest-file |
    create new-file [description] |
    delete source |
    edit source [description] |
    rename source destination
}

Parameter Description

copy src-file dest-file
    Copies the src-file script into the dest-file script.

create new-file [description]
    Creates a script file and opens an editor to modify it.

delete src-file
    Removes the src-file.

edit src-file [description]
    Opens an editor to modify an existing script.

rename source destination
    Renames the script from source to destination.

Mode Global configuration

Example This command creates an external health monitor script named hm-ex_1, adds a single line of code, then saves the file and exits the editor.
ACOS(config)# health external create hm-ex_1
Type in your Health External Script (type . on a line by itself when done)
set an_connected -1
.
Done
ACOS(config)#

interval
Description Number of seconds between health check attempts, 1-180 seconds. A health check attempt consists of the ACOS device sending a packet to the server. The packet type and payload depend on the health monitor type. For example, an HTTP health monitor might send an HTTP GET request packet.

Syntax [no] interval seconds [timeout seconds]

Parameter Description

interval seconds
    Period between health check attempts, 1-180 seconds. Default is 5 seconds.

timeout seconds
    Period that ACOS waits for a reply to a health check, 1-12 seconds. The default is 5 seconds.

Default See descriptions.

Mode Health monitor configuration

method
Description Configure a health method.

Syntax [no] method method-options

Valid parameters for method-options are shown in the following table:


Parameter Description

compound submonitor-name [submonitor-name ...] Boolean-operators
    Configures a compound health monitor. A compound health monitor consists of a set of health monitors joined in a Boolean expression (AND / OR / NOT). For more information, see the “Compound Health Monitors” section in the “Health Monitoring” chapter of the Application Delivery Controller Guide.
[no] database database-type db-name name username username-string password password-string [query-options]
    Configures a database health monitor. The ACOS device sends a database query to the specified server.
    The following options can be configured:

    database database-type
        Specifies the type of database to test:
        • mssql
        • mysql
        • oracle
        • postgresql

    db-name name
        Specifies the name of the database to query.

    username username-string password password-string
        Specifies the login information required to access the database.

    query-options
        Specifies query information:
        send query [receive expected-reply | receive-integer integer] [row row-num column col-num]

        send query
            SQL query to send to the database.

        receive expected-reply
            Query result expected from the database in order to pass the health check. To use the receive (1-31 characters) or receive-integer (0-2147483647) options, you also must use the send option. If you do not use send, the ACOS device does not send a query.

        row row-num column col-num
            For replies that consist of multiple results, the results are in a table. You can specify the row and column location within the results table to use as the receive string. If you do not specify the row and column, row 1 and column 1 are queried by default.

dns {ipaddress | domain domain-name} [options]
    Sends a lookup request to the specified port number for the specified domain name.
    You can specify a domain name or a server IP address as the target of the health check.
    The following options can be configured:

    expect {response-code code-list | ipv4-addr ipv4-address | ipv6-addr ipv6-address | FQDN fqdn}
        Specifies the domain name or IP address expectation function for the DNS method. You can configure the following expects:
        • response-code code-list – Specify the list of response codes, in the range 0-15, that are valid responses to a health check. The DNS server can respond with any of the expected response codes. By default, the expect list is empty, in which case the ACOS device expects status code 0 (No error condition).
        • ipv4-addr ipv4-address – Specify the IPv4 address expect. This expect can only be specified with type A.
        • ipv6-addr ipv6-address – Specify the IPv6 address expect. This expect can only be specified with type AAAA.
        • FQDN fqdn – Specify the fully qualified domain name. This expect can only be specified with type CNAME, PTR and MX. The FQDN length can be between 1-255 characters. Only letters, digits, hyphens, and periods are allowed. The first and last character of each label must be a digit or letter, and the maximum length of each label is 63.

    domain: For health checks sent to a domain name, specify the record type the responding server is expected to send in reply to health checks.
        You can specify one of the following record types:
        type {A | CNAME | SOA | PTR | MX | TXT | AAAA}
        • A – IPv4 address record
        • CNAME – Canonical name record for a DNS alias
        • SNI – SNI specifies the hostname for the client connection.
        • SOA – Start of authority record
        • PTR – Pointer record for a domain name
        • MX – Mail Exchanger record
        • TXT – Text string
        • AAAA – IPv6 address record
        By default, the ACOS device expects the DNS server to respond to the health check with an A record.

external [port port-num] program program-name [arguments argument-string] [preference]
    Runs an external program (for example, a Tcl script) and bases the health status on the outcome of the program. See “Usage” below for more information on health checks using an external program.
    The preference option applies to weighted load-balancing methods such as SNMP-based load balancing. (See the “SNMP-based Load Balancing” chapter in the Application Delivery Controller Guide.)
    External health methods are not supported in Direct Server Return (DSR) deployments.

ftp [[username name password string] port port-num]
    Sends an FTP login request to the specified port. Expects OK message, or Password message followed by OK message. Unless you use anonymous login, the username and password must be specified in the health check configuration.

http [options]
    Sends an HTTP request to the specified TCP port and URL. Expects OK message (200).
    The following options can be configured:

    expect {response-code code-list | response-code-regex regex-code-list | text-string | text-regex regex-text-string}
        Specifies a response code, response code with regular expressions, a text string, or text string with regular expression expected from the server. To specify a range of response codes for response-code, use a dash ( - ) between the low and high numbers of the range. Use commas to delimit individual code numbers or separate ranges.
        By default, the ACOS device expects response code 200 (OK).

    host {ipv4-addr | ipv6-addr | domain-name} [:port-num]
        Replaces the information in the Host field of the request sent to the real server. By default, the real server’s IP address is placed in the field.

    Kerberos-auth realm realm_name kdc ip/ipv6-addr port num
        Specifies Kerberos authentication by using the HTTP negotiation mechanism. To enable Kerberos authentication on the health monitor, enter a Kerberos realm as well as the IP address of the KDC server and its related port.

    maintenance-code code-list
        Specifies a response code that indicates the server needs to be placed into maintenance mode. If the ACOS device receives the specified status code in response to a health check, the ACOS device changes the server’s health status to Maintenance.
        When a server’s health status is Maintenance, the server will accept new requests on existing cookie-persistent or source-IP persistent connections, but will not accept any other requests.
        To leave maintenance mode, the server must do one of the following:
        • Successfully reply to a health check by sending the expected string or response code, but without including the maintenance code. In this case, the server’s health status changes to Up.
        • Fail a health check. In this case, the server’s status changes to Down.
        The Maintenance health status applies to server ports and service-group members. When a port’s status changes to Maintenance, this change applies to all service-group members that use the port.
        NOTE: The expect maintenance-code option applies only to servers in cookie-persistence or source-IP persistence configurations, and can be used only for HTTP and HTTPS ports.

    port port-num
        Specifies the protocol port on which the server listens for HTTP traffic. Use this option if the server does not use the default HTTP port, 80.

    url string
        Specifies the request type and the page (url-path) to which to send the request. By default, GET requests are sent for “ / ”, the index.html page.
        You can specify one of the following:
        • GET url-path
        • HEAD url-path
        • POST url-path postdata string
        • POST / postfile filename
        In a postdata string, use “=” between a field name and the value you are posting to it. If you post to multiple fields, use “&” between the fields. For example: postdata fieldname1=value&fieldname2=value. The string can be up to 255 bytes long.

    username name
        Specifies the username required for HTTP access to the server. Unless anonymous login is used, this option must be specified.

https [options]
    This option is similar to an HTTP health check, except SSL is used to secure the connection.
    The default port is 443.
    The following options are available to configure:

    cert cert-name and key key-name
        Add an SSL certificate and key to an HTTPS health monitor. When you use this option, the ACOS device uses the certificate and key during the SSL handshake with the HTTPS port on the server.
        The certificate you plan to use with the health monitor must be present on the ACOS device before you configure the health monitor.

    disable-sslv2hello
        Disables encapsulation of SSLv3, TLSv1, or TLSv1.1 hello messages within the SSLv2 hello messages for HTTPS health checks.

    expect-cert-name <cert_name>
        Validates the certificate common name in the Server HELLO returned from the server. The host name string can have a length of up to 63 characters.
        The expected server certificate parameter specifies the common name of the SSL certificate.

    sni host <host_name>
        Specifies the SNI host for the health monitor; the health monitor requests a certificate for that server name.

imap [port port-num] [username name password string [auth auth-type]]
    Sends an IMAP login request with the specified username name and password string. Expects reply with OK message.
    For the auth-type, you can specify one or more of the following authentication methods:
    • cram-md5 – Challenge-response authentication. Note that the user’s password will be used as the shared secret.
    • login – Simple login authentication.
    • plain – Plain text authentication.
    • If all three options are specified, plain will be selected.
    • If plain is not specified, then cram-md5 will be used.

kerberos-kdc kinit principal password {kdc-hostname | kdc-ipaddr} [port port-num] [tcp-only]
    Configures a method to check accessibility of the KDC for obtaining a TGT.
    • principal – Name of the Kerberos principal. This is the ACOS client name presented to the server.
    • password – Kerberos admin password.
    • {kdc-hostname | kdc-ipaddr} [port port-num] – Hostname or IP address of the server where the KDC is running. The port option specifies the protocol port on which the server listens for TGT requests. The default KDC port is 88.
    • tcp-only – Sends health checks only over TCP.

kerberos-kdc kadmin realm-name principal password {kdc-hostname | kdc-ipaddr} [port port-num] {admin-hostname | admin-ipaddr} [port port-num]
    Configures a method to check accessibility of the Kerberos server for user account administration.
    • realm-name – Name of the Kerberos realm.
    • principal – Name of the Kerberos principal.
    • {kdc-hostname | kdc-ipaddr} [port port-num] – Hostname or IP address of the Kerberos server. The port option specifies the TCP port on which the server listens for user account administration requests. The default TCP port is 749.
    For information about the other options, see the descriptions for kerberos-kdc kinit (described above).

kerberos-kdc kpasswd principal password {kdc-hostname | kdc-ipaddr} [port port-num] {pwd-hostname | pwd-ipaddr} [port port-num]
    Configures a method to check accessibility of the Kerberos server for user password change.
    • {pwd-hostname | pwd-ipaddr} [port port-num] – Hostname or IP address of the Kerberos server. The port option specifies the UDP port on which the server listens for user password-change requests. The default UDP port is UDP port 464.
    For information about the other options, see the descriptions for kerberos-kdc kinit (described above).

ldap [StartTLS] [binddn dn-string password] [overssl] [port port-num] [run-search options]
    Configures a method to check accessibility of the KDC for obtaining a TGT.
    • StartTLS – Begins the health check by sending a StartTLS request.
    • binddn dn-string password – DN name and password.
    • overssl – Uses TLS to secure the connection.
    • port port-num – UDP port on which the server listens for user password-change requests. The default UDP port is UDP port 464.
    • run-search options – Performs the specified database search. The following options are supported:
        • BaseDN dn-string – Searches the database for the specified DN.
        • query query-string [AcceptNotFound] – Sends the specified query string to the server.
          The AcceptNotFound option allows the health check to pass even if the search query is unsuccessful.

ntp
    Sends an NTP client message to UDP port 123. Expects a standard NTP 48-byte reply packet.

pop3 port port-num username name password string
    Sends a POP3 user login request with the specified username and password. Expects reply with OK message.

radius username name password string secret string [port port-num] [expect response-code code-list]
    Sends a Password Authentication Protocol (PAP) request to the specified port to authenticate the specified username. Expects Access Accepted message (reply code 2). The secret option specifies the shared secret required by the RADIUS server.
    The code-list can contain one or more numeric response codes. To specify more than one code, use commas but no spaces. (See “CLI Example” below.)

rtsp port port-num rtspurl string
    Sends a request to the specified port for information about the file specified by rtspurl. Expects reply with information about the specified file.

sip [register] [port port-num] [expect-response-code code-list] [tcp]
    Sends a SIP request to the SIP port. Expects 200 OK in response by default. The request is an OPTIONS request, unless you use the register option to send a REGISTER request instead.
    The expect-response-code option specifies a set of SIP status codes. In this case, a SIP health check is successful only if the server reply includes one of the specified SIP status codes. You can specify any or a combination of individual code numbers and code ranges. Use commas as delimiters, with no spaces. Use a dash and no spaces to delimit the lower and upper values of a range. Examples:
    • expect-response-code 100,101,121,200
    • expect-response-code 100-121,200
    • expect-response-code any
    The tcp option configures the health method for SIP over TCP/TLS. Without this option, the health method is for SIP over UDP.

smtp domain domain-name port port-num [mail-from sender rcpt-to receiver] [starttls]
    Sends an SMTP Hello message to the specified server in the specified domain. Expects reply with OK message (reply code 250).
    An SMTP message is generated after establishing a TCP connection with the server. The message is sent only after the ACOS device sends the “HELO” message and receives the expected response. Use the mail-from option to specify the SMTP sender of this message, and the rcpt-to option to specify the recipient of this message.
    You can optionally specify a specific port number, and also check for STARTTLS support when the Hello message is received.

snmp [port port-num] [community string] [oid oid-name] [operation {get | get-next}]
    Sends an SNMP Get or Get Next request to the specified OID, from the specified community. Expects reply with the value of the OID. The OID can be sysDescr, sysUpTime, sysName, or another name in ASN.1 style.
    Although you can enter these objects in ASN.1 format, only MIB-2 OIDs are supported.

tacplus username username password password secret shared-secret [port port-num] [type inbound-ascii-login]
    Configures a method to check server availability by passing the TACACS+ parameters, with secret and password encrypted. If authentication is correct, a success message is returned that keeps the server status marked as up.
    • username – Specify the username to authenticate (1-31 characters).
    • password – Specify the password to authenticate (0-31 characters). A password of '' means no password.
    • shared-secret – Specify the shared secret for the TACACS+ server (1-31 characters).
    • port-num – Specify the TACACS+ port (1-65534, default 49).
    • type inbound-ascii-login – The TACACS+ type. The currently supported type is inbound-ascii-login, which is also the default.

tcp port port-num [halfopen] [send send-string response contains response-string]
    Sends a connection request (TCP SYN) to the specified TCP port on the server. Expects TCP SYN ACK in reply.
    By default, ACOS responds to the SYN ACK by sending an ACK. To configure ACOS to send a RST (Reset) instead, use the halfopen option.
    Use the send and response contains options to send and receive text strings in TCP health checks.
    The send-string is the string the ACOS device sends to the TCP port after the three-way handshake is completed. The response-string is the string that must be present in the server reply.
    Each string can be 1-127 characters long. If a string contains blank spaces or other special characters (for example, “ / ” or “ \ ”), use double quotation marks around the entire string.

udp port port-num [force-up-with-single-healthcheck]
    Sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the server. Expects either of the following:
    • server reply from the specified UDP port, with any type of packet.
    • server does not reply at all.
    The server fails the health check only if the server replies with an ICMP Error message.
    By default, the server is reported as UP after four health check packets are sent without a response. The force-up-with-single-healthcheck option programs the monitor to report a server as UP after one health check packet.
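The code-list syntax shared by the http expect response-code, sip expect-response-code and radius expect response-code options above (comma-separated codes, dash-joined ranges, no spaces, and the sip keyword any), together with the Up / Maintenance / Down decision described under maintenance-code, as an added Python example that is not ACOS code. The function names and the status labels are assumptions; the default expect of 200 and the precedence of the maintenance code over a passing reply follow the descriptions in the table.

```python
# Added example (not ACOS code): parsing of the code-list syntax used by the
# http, sip and radius expect options, and the Up / Maintenance / Down
# classification described for maintenance-code. Names are assumptions.
from typing import Optional, Set


def parse_code_list(spec: str) -> Set[int]:
    """Expand a code-list such as '100-121,200' into the set of accepted codes.

    Individual codes and low-high ranges are separated by commas; a dash joins
    the lower and upper value of a range. Spaces are not allowed, so a
    malformed entry raises instead of silently accepting a wider set.
    """
    codes: Set[int] = set()
    for item in spec.split(","):
        if not item or item != item.strip():
            raise ValueError(f"malformed code-list entry: {item!r}")
        if "-" in item:
            low, high = item.split("-", 1)
            lo, hi = int(low), int(high)
            if lo > hi:
                raise ValueError(f"range low > high: {item!r}")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(item))
    return codes


def code_accepted(code: int, spec: str) -> bool:
    """True if code satisfies spec; 'any' (as the sip method accepts) matches every code."""
    if spec.strip().lower() == "any":
        return True
    return code in parse_code_list(spec)


def http_health_status(status_code: int, expect: str = "200",
                       maintenance_code: Optional[str] = None) -> str:
    """Classify one HTTP health-check reply.

    maintenance-code seen            -> 'maintenance' (checked first: a reply
                                        carrying the maintenance code is not a pass)
    expected code, no maintenance    -> 'up'
    anything else                    -> 'down'
    """
    if maintenance_code is not None and code_accepted(status_code, maintenance_code):
        return "maintenance"
    if code_accepted(status_code, expect):
        return "up"
    return "down"


if __name__ == "__main__":
    print(sorted(parse_code_list("100-121,200")))
    print(http_health_status(200), http_health_status(503, "200", "503"), http_health_status(500))
```

A detection note for the same logic on the monitoring side: a server that flips to Maintenance keeps serving existing persistent sessions, so a sudden rise in maintenance-code replies is worth alerting on separately from outright Down transitions.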

Default The configuration has a default “ping” health monitor that uses the icmp method. The ACOS device applies the ping monitor by default. The ACOS device also applies the TCP or UDP health monitor by default, depending on the port type. These default monitors are used even if you also apply configured monitors to a service port.
To use differently configured ping or TCP/UDP monitors, configure new monitors with the ICMP, TCP, or UDP method and apply those monitors instead.
When specifying a protocol port number, specify the port number on the real server, not the port number of the virtual port. By default, the well-known port number for the service type of the health monitor is used. For example, for LDAP, the default port is 389 (or 636 if the overssl option is used).
If you specify the protocol port number in the health monitor, the protocol port number configured in the health monitor is used if you send an on-demand health check to a server without specifying the protocol port. (See the “health-test” command in the Command Line Interface Reference.) After you bind the health monitor to a real server port, health checks using the monitor are addressed to the real server port number instead of the port number specified in the health monitor’s configuration. In this case, you can override the IP address or port using the override commands described later in this chapter.


Mode Health monitor configuration

Usage To use a health method, you must do the following:

1. Configure a health monitor, by assigning a name to it and by assigning one of the health methods listed above to it. Use the health monitor command at the global Config level to create and name the monitor. (See the “health monitor” command in the Command Line Interface Reference.) Use the method command at the monitor configuration level to assign a health method to the monitor.
2. Apply the health monitor to a real server or real server port, using the health-check command at the configuration level for the server or the server port. Apply monitors that use the ICMP method to real servers. (See health-check.) Apply monitors that use any of the other types of methods to individual server ports. (See port.)
3. The expect-cert-name option is optional. If configured, the health monitor uses the cert-name and key-name to validate the certificate Common Name (CN) received from the server. If it is not configured, the health monitor uses the user-defined SNI hostname (Server Name) as the default for checking the certificate CN.

Example These commands apply health monitor “ping” to server “rs0”. The ping
monitor is included in the ACOS device’s configuration by default and
does not need to be configured.
ACOS(config)# slb server rs0 10.2.3.4
ACOS(config-real server)# health-check ping

Example The following commands configure health monitor “hm1” to use the TCP
health method, and apply the monitor to a TCP port on real server “rs1”.
The TCP health checks are sent to TCP port 23 on the server.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method tcp port 23
ACOS(config-health:monitor)# exit
ACOS(config)# slb server rs1 1.1.1.1
ACOS(config-real server)# port 23 TCP
ACOS(config-real server-node port)# health-check hm1

Example The following commands configure health monitor “hm2” and set it to
use the HTTP method. The health monitor is applied to port 80 on real
server “rs1”.
ACOS(config)# health monitor hm2
ACOS(config-health:monitor)# method http
ACOS(config-health:monitor)# exit
ACOS(config)# slb server rs1 2.2.2.2
ACOS(config-real server)# port 80 http
ACOS(config-real server-node port)# health-check hm2

Example These commands configure a TCP health monitor that sends an HTTP
GET request to TCP port 80, and expects the string “200” to be present in
the reply:
ACOS(config)# health monitor tcp-with-http-get
ACOS(config-health:monitor)# method tcp port 80 send "GET / HTTP/1.1\r\nHost: 22.1.2.2\r\nUser-Agent: a10\r\nAccept: */*\r\n\r\n" response contains 200

This health monitor sends an HTTP GET request to TCP port 80 on the
target server. This particular request uses the following header fields:
• Host – Specifies the host (server) to which the request is being sent.
• User-Agent – Identifies the entity (user agent) that is sending the
request. In this example, the sending entity is “a10”.
• Accept – Specifies the types of media that are allowed in the
response. This example uses wildcards (*/*) to indicate that any
valid media type and range are acceptable.
If the string “200” is present anywhere in the reply from the port, the port
passes the health check.
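The send / response contains check just described, as an added Python example that is not ACOS code: the probe completes the TCP handshake, writes the send-string, reads until the response-string appears or the peer closes, and reports pass or fail; the halfopen option is approximated by tearing the connection down with a RST (a user-space socket cannot withhold the handshake's final ACK). The function names, the constructed local stand-in server that answers every request with a 200 status line, and the loopback addresses are assumptions.

```python
# Added example (not ACOS code): a TCP health check with the send / response
# contains semantics of the tcp method, plus a constructed local stand-in
# server so the example runs offline. Names and the stand-in are assumptions.
import socket
import struct
import threading
from typing import Optional, Tuple


def tcp_health_check(host: str, port: int, send: Optional[str] = None,
                     response_contains: Optional[str] = None,
                     timeout: float = 5.0, halfopen: bool = False) -> bool:
    """Return True when the port passes the check.

    Without send/response_contains the check passes once the three-way
    handshake completes. With them, the send-string is written after the
    handshake and the reply must contain the response-string. halfopen
    approximates the halfopen option: the connection is closed with a RST
    instead of a FIN/ACK exchange.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False  # SYN unanswered or refused: the server fails the check
    try:
        if halfopen:
            # SO_LINGER with a zero timeout makes close() emit a RST.
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            return True
        if send is None:
            return True
        sock.sendall(send.encode())
        if response_contains is None:
            return True
        expected = response_contains.encode()
        reply = b""
        while expected not in reply:
            chunk = sock.recv(4096)
            if not chunk:  # peer closed without sending the expected string
                break
            reply += chunk
        return expected in reply
    except OSError:  # includes socket.timeout: no matching reply within timeout
        return False
    finally:
        sock.close()


def start_stub_server(reply: bytes = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
                      ) -> Tuple[socket.socket, int]:
    """Constructed stand-in for a real server: answers any request with `reply`."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, returned to the caller
    listener.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return  # listener closed: stop serving
            with conn:
                try:
                    conn.settimeout(2.0)
                    conn.recv(4096)
                    conn.sendall(reply)
                except OSError:
                    pass  # a RST from a halfopen-style probe ends up here

    threading.Thread(target=serve, daemon=True).start()
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    listener, port = start_stub_server()
    request = "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: a10\r\nAccept: */*\r\n\r\n"
    print("handshake only:", tcp_health_check("127.0.0.1", port))
    print("GET expects 200:", tcp_health_check("127.0.0.1", port, request, "200"))
    print("GET expects 302:", tcp_health_check("127.0.0.1", port, request, "302"))
    listener.close()
```

Note that the substring match is exactly as loose as the CLI's response contains: the string “200” also matches a body that merely mentions it, so for HTTP targets the http method's expect response-code is the stricter choice.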

Example The following commands configure a RADIUS health monitor that accepts response code 2 or 3 as passing (healthy) responses from a server:
ACOS(config)# health monitor rad1
ACOS(config-health:monitor)# method radius port 1812 expect response-code 2,3 secret a10rad username admin1 password pwd1

Example Here is an external health-check example. Besides internal health checks, which use a predefined health check method, you can use external health checks written in any of the following supported script types:

• Perl
• Shell
• TCL
Utility commands such as ping, ping6, wget, dig, and so on are supported.
For Tcl scripts, the health check parameters are transmitted to the script through the predefined TCL array ax_env. The array variable ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the server port number. Set ax_env(Result) to 0 for pass and to any other value for fail. TCL script filenames must use the “.tcl” extension.


To use the external method, import the program onto the ACOS device. The script execution result indicates server status, which is stored in ax_env(Result).
The following commands import external program “ext.tcl” from FTP server 192.168.0.1, and configure external health method “hm3” to use the imported program to check the health of port 80 on the real server:
ACOS(config)# health external import "checking HTTP server" ftp://192.168.0.1/ext.tcl
ACOS(config)# health monitor hm3
ACOS(config-health:monitor)# method external port 80 program ext.tcl

The following command configures an HTTPS health method with an SNI host name (SNI specifies the hostname for the client connection) and an expected certificate name:
ACOS(config-health:monitor)# method https sni host a10networks.com expect-cert-name aa

For additional information and more examples, see the “External Health
Method Examples” section in the “Health Monitoring” chapter of the
Application Delivery Controller Guide.

Example The following commands configure a DNS health monitor that expects
the IPv4 address 10.2.1.12 as the answer to a type A query for
a10networks.com:
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method dns domain a10networks.com
expect ipv4-addr 10.2.1.12

Example The following commands configure a DNS health monitor that expects
an FQDN as the answer to an IPv6 reverse resolution:
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method dns ipaddress <ipv6
address> expect FQDN <fqdn>

override-ipv4
Description Send the health check to a specific IPv4 address, instead of sending the
health check to the IP address of the real server or GSLB service IP to
which the health monitor is bound. This command and the other override
commands are particularly useful for testing the health of remote links.

Syntax [no] override-ipv4 ipaddr

Default By default, a health check is addressed to the real server IP address of
the server to which the health monitor is bound.

Mode Health monitor configuration


Example The following commands configure a health monitor to check 192.168.1.1:
ACOS(config)# health monitor site1-hm
ACOS(config-health:monitor)# method icmp
ACOS(config-health:monitor)# override-ipv4 192.168.1.1

override-ipv6
Description Send the health check to a specific IPv6 address, instead of sending the
health check to the IP address of the real server to which the health mon-
itor is bound.

Syntax [no] override-ipv6 ipv6addr

Default By default, a health check is addressed to the real server IP address of
the server to which the health monitor is bound.

Mode Health monitor configuration

Example These commands configure a health monitor to check
2001:db8::1521:31ab:
ACOS(config)# health monitor site2-hm
ACOS(config-health:monitor)# method icmp
ACOS(config-health:monitor)# override-ipv6 2001:db8::1521:31ab

override-port
Description Send the health check to a specific protocol port, instead of sending the
health check to the server port to which the health monitor is bound.

Syntax [no] override-port portnum

Default By default, a health check is addressed to the protocol port number to
which the health monitor is bound.

Mode Health monitor configuration

Example These commands configure a health monitor to check port 8081 on
192.168.1.1:
ACOS(config)# health monitor site3-hm
ACOS(config-health:monitor)# method http
ACOS(config-health:monitor)# override-ipv4 192.168.1.1
ACOS(config-health:monitor)# override-port 8081


passive
Description Configures inband health monitoring based on HTTP status code.

Syntax [no] passive
{status-code-2xx | status-code-non-5xx}
[passive-interval seconds]
[sample-threshold samples-per-second]
[threshold percent]

Parameter Description

status-code-2xx | status-code-non-5xx
    Healthy status code numbers – These status codes indicate the HTTP
    service is healthy. You can specify any 2xx status code or any status
    code except a 5xx code.

passive-interval seconds
    The health-monitor interval that is used when passive health monitoring
    is activated. For proper operation of the feature, the passive interval
    should be longer than the health monitor’s interval. You can specify
    1-180 seconds. The default is 10 seconds.

sample-threshold samples-per-second
    Minimum number of server replies that must contain one of the specified
    status codes, within a one-second interval, before passive health
    monitoring is enabled. The sample threshold prevents passive health
    monitoring from taking effect after only a small total number of samples
    are taken. You can specify 1-10000 samples per second. The default is 50.


threshold percent
    Minimum percentage of server replies that must contain a healthy status
    code, within a given one-second interval, before passive health
    monitoring is activated. You can specify 0-100 percent. The default is
    75 percent. If you specify 0, this parameter is disabled, in which case
    there is no minimum threshold.

Default See descriptions.

Mode Health monitor configuration

Example The following commands create a new health monitor, and enable
passive health-monitoring mode:
ACOS(config)# health monitor http-passive
ACOS(config-health:monitor)# passive status-code-2xx

The following command sets the method to HTTP:
ACOS(config-health:monitor)# method http

The following commands configure a real server, service group, and
virtual server. The HTTP health monitor configured above is applied to the
TCP port on the real server.
ACOS(config)# slb server ser1 172.168.1.107
ACOS(config-real server)# no health-check
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check http-passive
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member ser1 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb virtual-server vs1 172.168.6.100
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# service-group sg1
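The passive parameters interact per one-second window of inband traffic: the sample threshold gates the decision, the percentage threshold decides it, and while the feature is active the passive interval replaces the monitor's regular interval. The Python simulation below is an added example, not ACOS code, and encodes that reading of the parameter descriptions. The regular monitor interval (monitor_interval), the order "sample test first, then percentage test", and the inband sample data are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PassiveConfig:
    mode: str = "status-code-2xx"  # or "status-code-non-5xx"
    passive_interval: int = 10     # probe interval while passive monitoring is active
    sample_threshold: int = 50     # replies per second needed before it may activate
    threshold: int = 75            # minimum healthy percent; 0 disables this test
    monitor_interval: int = 5      # assumed regular health-monitor interval (seconds)

    def validate(self) -> None:
        """Enforce the documented ranges and the 'passive interval is longer' rule."""
        if not 1 <= self.passive_interval <= 180:
            raise ValueError("passive-interval must be 1-180 seconds")
        if not 1 <= self.sample_threshold <= 10000:
            raise ValueError("sample-threshold must be 1-10000")
        if not 0 <= self.threshold <= 100:
            raise ValueError("threshold must be 0-100 percent")
        if self.passive_interval <= self.monitor_interval:
            raise ValueError("passive-interval should be longer than the monitor interval")


def is_healthy_code(code: int, mode: str) -> bool:
    """Apply the status-code-2xx or status-code-non-5xx rule to one reply."""
    if mode == "status-code-2xx":
        return 200 <= code <= 299
    if mode == "status-code-non-5xx":
        return not 500 <= code <= 599
    raise ValueError(f"unknown mode {mode!r}")


def window_activates(codes, cfg: PassiveConfig) -> bool:
    """Decide for one one-second window whether passive monitoring is active."""
    if len(codes) < cfg.sample_threshold:      # too few samples: stay on regular probing
        return False
    if cfg.threshold == 0:                     # percentage test disabled
        return True
    healthy = sum(1 for c in codes if is_healthy_code(c, cfg.mode))
    return healthy * 100 >= cfg.threshold * len(codes)


def effective_intervals(samples, cfg: PassiveConfig) -> dict:
    """Group (timestamp, status_code) observations into one-second windows and
    return the probe interval in effect for each window."""
    cfg.validate()
    windows = defaultdict(list)
    for ts, code in samples:
        windows[int(ts)].append(code)
    return {
        sec: cfg.passive_interval if window_activates(codes, cfg) else cfg.monitor_interval
        for sec, codes in sorted(windows.items())
    }


def constructed_samples():
    """Constructed inband traffic (not captured from any system): four seconds of replies."""
    samples = []
    samples += [(0.0 + i / 60, 200) for i in range(55)] + [(0.5, 503)] * 5   # 60 replies, 91.7% healthy
    samples += [(1.0 + i / 20, 200) for i in range(20)]                        # 20 replies, below sample threshold
    samples += [(2.0 + i / 100, 200) for i in range(70)] + [(2.5, 500)] * 30  # 100 replies, 70% healthy
    samples += [(3.0 + i / 80, 200) for i in range(62)] + [(3.5, 404)] * 18   # 80 replies, 77.5% are 2xx
    return samples


if __name__ == "__main__":
    for mode in ("status-code-2xx", "status-code-non-5xx"):
        print(mode, effective_intervals(constructed_samples(), PassiveConfig(mode=mode)))
```

With the defaults (50 samples, 75 percent, passive interval 10), only windows 0 and 3 activate passive monitoring; window 1 has too few samples and window 2 is below the percentage. Setting threshold 0 makes window 2 activate as well, which is what "no minimum threshold" means in the table.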


retry
Description Maximum number of times ACOS will send the same health check to
an unresponsive server before determining that the server is down.
You can specify 1-10.

Syntax [no] retry number

Default 3

Mode Health monitor configuration

ssl-ciphers
Description Specify the ciphers to use in the health check of a real server or real
server port.

Syntax [no] ssl-ciphers openSSL-ciphers

Parameter Description

openSSL-ciphers
    The OpenSSL Project ciphers command. For information on the OpenSSL
    Project ciphers command, see the ciphers manpage in the OpenSSL Project
    documentation.

Mode Health monitor configuration

Example Configure a health monitor to use the default OpenSSL Project cipher
suite with the exclusion of EDH ciphers.
ACOS(config)# health monitor hm-https
ACOS(config-health:monitor)# ssl-ciphers DEFAULT:!EDH
ACOS(config-health:monitor)# method https

Example Bind the hm-https health monitor to the s1 real server on its 1.1.1.1 net-
work interface.
ACOS(config)# slb server s1 1.1.1.1
ACOS(config-real server)# health-check hm-https
ACOS(config-real server)# end


Example Bind the hm-https health monitor to the TCP port 80 of the s1 real server
on its 1.1.1.2 network interface. Also apply the Server_SSL1 server-SSL
template to the same port.

If the Server_SSL1 server-SSL template specifies a cipher suite in its
configuration (cipher command), that cipher suite takes precedence if
and only if the ACOS device is equipped with hardware that supports the
cipher. The supported ciphers are listed at:
https://www.a10networks.com/support/axseries.
ACOS(config)# slb server s1 1.1.1.2
ACOS(config-real server)# port 443 tcp
ACOS(config-real server-node port)# template server-ssl
Server_SSL1
ACOS(config-real server-node port)# health-check hm-https
ACOS(config-real server-node port)# end

ssl-ticket
Description Enable SSL ticket session resumption for HTTPS health monitor method.

Syntax [no] ssl-ticket

Mode Health monitor configuration

Example The following command enables ssl-ticket for HTTPS health monitor
method.
ACOS(config)# health monitor hm-https
ACOS(config-health:monitor)# ssl-ticket
ACOS(config-health:monitor)# method https

ssl-ticket lifetime
Description Specify number of seconds the ticket will be valid from time of creation.
Update the HTTPS method to leverage session ticket when doing SSL
handshake.

Syntax [no] ssl-ticket lifetime seconds


Parameter Description

seconds
    Specify the lifetime value in seconds. The value can be between
    0-2147483647 seconds. If you set the lifetime to '0' then the feature
    will be disabled.

Mode Health monitor configuration

Example Configure an HTTPS health monitor to use an ssl-ticket lifetime.
ACOS(config)# health monitor hm-https
ACOS(config-health:monitor)# ssl-ticket lifetime 4120
ACOS(config-health:monitor)# method https

ssl-version
Description Specify the preferred SSL version to be used with HTTPS health monitor
method for negotiation.

Syntax [no] ssl-version {31 | 32 | 33 | 34} {31 | 32 | 33 | 34}

Parameter Description

31 SSL/TLS v1.0.

32 SSL/TLS v1.1.

33 SSL/TLS v1.2.

34 SSL/TLS v1.3.

Default Not enabled.

Mode Health monitor configuration mode

Usage The first ssl-version number is the preferred SSL version and the second
ssl-version number is for downgrading the SSL version.
• If you want to downgrade the SSL version, then specify the minimum
SSL version to which a session can be downgraded. For example,
ssl-version 34 31.


• If you want to disable downgrading, then specify the same SSL-version
number for both. For example, ssl-version 34 34.

Example Example configuration:
ACOS(config)# health monitor hm-https
ACOS(config-health:monitor)# ssl-version 34 34
ACOS(config-health:monitor)# method https

strictly-retry-on-server-error-response
Description Force the ACOS device to wait until all retries are unsuccessful
before marking a server or port Down.

Syntax [no] strictly-retry-on-server-error-response

Default Disabled. For some health method types, the ACOS device marks the
server or port Down after the first failed health check attempt, even if the
retries option for the health monitor is set to higher than 0.

Mode Health monitor configuration

Usage This command applies to all types of health monitors. However, if you use
an HTTP health monitor that expects a string in the server reply and the
string is missing, the port is marked Down on the ACOS device: by
default, if the server’s HTTP port does not reply to the first health check
attempt with the expected string, the ACOS device immediately marks
the port Down.

Example The following commands configure an HTTP health monitor that checks
for the presence of “testpage.html”, and enable strict retries for the
monitor.
ACOS(config)# health monitor http-exhaust
ACOS(config-health:monitor)# method http url GET /testpage.html
ACOS(config-health:monitor)# strictly-retry-on-server-error-response

up-retry
Description Number of consecutive times the device must pass the same periodic
health check, in order to be marked Up. You can specify 1-10.

Syntax [no] up-retry number


Default 1

Mode Health monitor configuration
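The three settings retry, up-retry and strictly-retry-on-server-error-response together decide when a target flips between Up and Down. The Python state machine below is an added example, not A10's implementation: it treats retry as the number of consecutive failed attempts before Down, up-retry as the number of consecutive passes before Up, and distinguishes a "timeout" (no reply, always retried) from an "error" reply (a reply without the expected content, marked Down at once unless strict retry is enabled), which is how the Usage text for strictly-retry-on-server-error-response describes the HTTP case. The outcome sequences in the test are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class MonitorPolicy:
    retry: int = 3                          # consecutive failed attempts before Down (default 3)
    up_retry: int = 1                       # consecutive passes before Up (default 1)
    strict_retry_on_error: bool = False     # strictly-retry-on-server-error-response

    def __post_init__(self):
        if not 1 <= self.retry <= 10 or not 1 <= self.up_retry <= 10:
            raise ValueError("retry and up-retry accept 1-10")


@dataclass
class TargetState:
    up: bool = True
    failures: int = 0        # consecutive failed checks
    passes: int = 0          # consecutive passed checks while Down
    transitions: list = field(default_factory=list)


def apply_result(state: TargetState, policy: MonitorPolicy, result: str, seq: int) -> TargetState:
    """Feed one health-check outcome. result is one of:
       'pass'    - reply carrying the expected content
       'timeout' - no reply at all (unresponsive server; always subject to retry)
       'error'   - reply without the expected content (Down at once unless strict
                   retry is on, per the Usage text above)"""
    if result == "pass":
        state.failures = 0
        if not state.up:
            state.passes += 1
            if state.passes >= policy.up_retry:
                state.up, state.passes = True, 0
                state.transitions.append((seq, "UP"))
        return state
    if result not in ("timeout", "error"):
        raise ValueError(f"unknown result {result!r}")
    state.passes = 0
    state.failures += 1
    immediate = result == "error" and not policy.strict_retry_on_error
    if state.up and (immediate or state.failures >= policy.retry):
        state.up, state.failures = False, 0
        state.transitions.append((seq, "DOWN"))
    return state


def simulate(results, policy: MonitorPolicy) -> list:
    """Run a sequence of outcomes from an initially Up target and return the transitions."""
    state = TargetState()
    for seq, result in enumerate(results):
        apply_result(state, policy, result, seq)
    return state.transitions


if __name__ == "__main__":
    # Constructed sequences: the same "error then pass" pattern with and without strict retry.
    print("default:", simulate(["error", "pass"], MonitorPolicy()))
    print("strict: ", simulate(["error", "pass"], MonitorPolicy(strict_retry_on_error=True)))
```

The strict setting trades detection speed for stability: a single malformed reply no longer removes the target from rotation, but a genuinely broken page is reported only after retry consecutive failures.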

Chapter 26: Config Commands: Web Category
This section lists the commands and sub-commands to configure Web Category
classification.

The following topics are covered:

web-category 630


web-category
Description Configure the operation of web category classification.

Syntax [no] web-category

This command changes the CLI to configuration level for Web Category
classification, where the following commands are available:

Command Description

[no] category-list category-list-name
    Create a list of web categories to provide criteria used in
    configuration forward-policy source destination rules. See the
    destination command under the forward-policy command. After entering
    the command, you are placed in a sub-configuration mode where
    predefined lists are specified to be part of the named category-list.
    The command enable for web-category must precede configuration of a
    category-list.

[no] cloud-query-disable
    Disables cloud queries for URLs that are not present in the local
    cache or database. By default, cloud queries are enabled.

[no] database-server server-url
    URL of the BrightCloud database server.
    Default: database.brightcloud.com


[no] db-update-time hh:mm
    Time of day at which ACOS requests an updated web category database
    from the BrightCloud server. Default is 00:00 (12 a.m.).

[no] enable
    Initializes and enables the BrightCloud library. The web-category
    license file must be imported before this feature can be enabled.
    Disabled by default.

[no] port portnum
    Protocol port where the BrightCloud server listens for requests.
    Default is 80.

[no] proxy-server
    Command in web-category configuration mode that specifies a
    proxy-server to use for querying the BrightCloud database server. This
    command places you in a sub-configuration mode, where the commands in
    web-category are available.

[no] remote-syslog-enable
    Enables data plane logging to a remote syslog server.

[no] reputation-scope scope-name
    Specify the scope of web reputation. The value can be greater-than or
    less-than the score level or a customized score, and only one entry can
    be set in one scope for each greater-than or less-than setting. You can
    bind this setting to a forward policy template for a destination rule.


[no] rtu-update-disable
    Disables realtime updates. Enabled by default. ACOS periodically checks
    for realtime updates based on the rtu-update-interval setting and adds
    them to the service cache.

[no] rtu-update-interval minutes
    Interval at which to periodically check for real time updates. You can
    specify 10-14400 minutes. Default is 60 minutes.

[no] server server-url
    URL of the BrightCloud server.
    Default: service.brightcloud.com

[no] server-timeout seconds
    Maximum number of seconds to wait for BrightCloud server to respond to
    a query from ACOS. You can specify 1-300 seconds. If a reply is not
    received before the timeout, ACOS terminates the connection with the
    server. Default is 15 seconds.

[no] ssl-port seconds
    Protocol port where the BrightCloud server listens for SSL traffic.
    Default is 443.

[no] use-mgmt-port
    Uses the management interface for all communication with BrightCloud
    servers, including downloading the database and any lookup queries.

The category-list-name sub command contains the following
categories.


Category list Name               Description

abortion                         Category Abortion
adult-and-pornography            Category Adult and Pornography
alcohol-and-tobacco              Category Alcohol and Tobacco
auctions                         Category Auctions
bot-nets                         Category Bot Nets
business-and-economy             Category Business and Economy
cdns                             Category CDNs
cheating                         Category Cheating
computer-and-internet-info       Category Computer and Internet Info
computer-and-internet-security   Category Computer and Internet Security
confirmed-spam-sources           Category Confirmed SPAM Sources
cult-and-occult                  Category Cult and Occult
dating                           Category Dating
dead-sites                       Category Dead Sites (db Ops only)
drugs                            Category Abused Drugs
dynamic-comment                  Category Dynamic Comment
educational-institutions         Category Educational Institutions
entertainment-and-arts           Category Entertainment and Arts
fashion-and-beauty               Category Fashion and Beauty
financial-services               Category Financial Services
food-and-dining                  Category Food and Dining
gambling                         Category Gambling
games                            Category Games


government                       Category Government
gross                            Category Gross
hacking                          Category Hacking
hate-and-racism                  Category Hate and Racism
health-and-medicine              Category Health and Medicine
home-and-garden                  Category Home and Garden
hunting-and-fishing              Category Hunting and Fishing
illegal                          Category Illegal
illegal-pornography              Category Illegal join Adult and Pornography
image-and-video-search           Category Image and Video Search
internet-communications          Category Internet Communications
internet-portals                 Category Internet Portals
job-search                       Category Job Search
keyloggers-and-monitoring        Category Keyloggers and Monitoring
kids                             Category Kids
legal                            Category Legal
local-information                Category Local Information
malware-sites                    Category Malware Sites
marijuana                        Category Marijuana
military                         Category Military
motor-vehicles                   Category Motor Vehicles
music                            Category Music
news-and-media                   Category News and Media


nudity                           Category Nudity
nudity-artistic                  Category Nudity join Entertainment and Arts
online-greeting-cards            Category Online Greeting cards
open-http-proxies                Category Open HTTP Proxies
parked-domains                   Category Parked Domains
pay-to-surf                      Category Pay to Surf
peer-to-peer                     Category Peer to Peer
personal-sites-and-blogs         Category Personal sites and Blogs
personal-storage                 Category Personal Storage
philosophy-and-politics          Category Philosophy and Political Advocacy
phishing-and-other-fraud         Category Phishing and Other Frauds
private-ip-addresses             Category Private IP Addresses
proxy-avoid-and-anonymizers      Category Proxy Avoid and Anonymizers
questionable                     Category Questionable
real-estate                      Category Real Estate
recreation-and-hobbies           Category Recreation and Hobbies
reference-and-research           Category Reference and Research
religion                         Category Religion
search-engines                   Category Search Engines
sex-education                    Category Sex Education
shareware-and-freeware           Category Shareware and Freeware
shopping                         Category Shopping


social-network                   Category Social Network
society                          Category Society
spam-urls                        Category SPAM URLs
sports                           Category Sports
spyware-and-adware               Category Spyware and Adware
stock-advice-and-tools           Category Stock Advice and Tools
streaming-media                  Category Streaming Media
swimsuits-and-intimate-apparel   Category Swimsuits and Intimate Apparel
training-and-tools               Category Training and Tools
translation                      Category Translation
travel                           Category Travel
uncategorized                    Uncategorized URLs
unconfirmed-spam-sources         Category Unconfirmed SPAM Sources
violence                         Category Violence
weapons                          Category Weapons
web-advertisements               Category Web Advertisements
web-based-email                  Category Web based email
web-hosting-sites                Category Web Hosting Sites

The proxy-server command places the device in web-category-proxy-server
configuration mode.


Command Description

[no] proxy-host hostID
    Sub-command in web-category-proxy-server configuration mode to specify
    the proxy server’s hostname or IP address to connect to.
    hostID: Proxy server’s hostname or the proxy server’s IP address in
    either IPv4 or IPv6 format.

[no] http-port port-num
    Sub-command in web-category-proxy-server configuration mode to specify
    the proxy server port to connect to through HTTP protocol.
    port-num: Port number of the proxy server to connect to through HTTP
    protocol. If https-port is not configured, both HTTPS and HTTP
    communication will be handled through the configured HTTP port.


[no] https-port port-num
    Sub-command in web-category-proxy-server configuration mode to specify
    the proxy server port to connect to through HTTPS protocol. If no HTTPS
    port is specified, HTTP protocol will be used.
    port-num: Port number of the proxy server to connect to through HTTPS
    protocol. If http-port is not configured, both HTTPS and HTTP
    communication will be handled through the configured HTTPS port.

[no] username proxy-auth-username
    Sub-command in web-category-proxy-server configuration mode to specify
    the username to use for authentication when connecting with the proxy
    server.
    proxy-auth-username: Username to use for proxy server authentication.

[no] password proxy-auth-password
    Sub-command in web-category-proxy-server configuration mode for
    specifying the password to use for authentication when connecting with
    proxy server.
    proxy-auth-password: Password to use for proxy server authentication.


[no] auth-type {ntlm [domain ntlm-realm] | basic}
    Sub-command in web-category-proxy-server configuration mode to specify
    the authentication protocol type when connecting to proxy server. The
    following options are available in this command:
    ntlm [domain ntlm-realm]: Specify NTLM authentication protocol.
    Specifying the NTLM realm is optional. NTLM version 2 is used if this
    protocol is configured. NTLM version 1 is not supported.
    basic: Specify BASIC authentication protocol.
    A username and password must be configured for the authentication
    protocol used.

Default N/A

Mode web-category configuration mode

Usage The web-category configuration defines actions related to URL
classification and the configuration for connecting with the BrightCloud
servers. It is normally used in conjunction with forward-policy source
rules, which link destination and matching rules for an slb template
policy through a category-list, and with the forward-proxy-bypass command
in slb template client-ssl, which specifies categories of traffic to
bypass in an SSLi configuration. The URLs are categorized in a
third-party database (BrightCloud) that ACOS can download and from which
it periodically pulls updates.


Example Configure an ACOS device to use a proxy-server through NTLM
authentication protocol to connect with BrightCloud servers.
ACOS(config)# web-category
ACOS(config-web-category)# proxy-server
ACOS(config-web-category-proxy-server)# proxy-host 192.0.2.0
ACOS(config-web-category-proxy-server)# http-port 3128
ACOS(config-web-category-proxy-server)# https-port 8080
ACOS(config-web-category-proxy-server)# auth-type ntlm
domain example
ACOS(config-web-category-proxy-server)# username exampleadmin
ACOS(config-web-category-proxy-server)# password
0e1x2a3m4p5l6e7
ACOS(config-web-category-proxy-server)# exit

Example Configure the web-category list Mail_Categories, then apply that list to
the configuration of the forward-policy source list Any_Source. Any
request whose destination is in the Web_Mail_List web-category-list is
forwarded.
ACOS(config)# web-category
ACOS(config-web-category)# enable
Please check the show log output for Web category enable
status
ACOS(config-web-category)# category-list Web_Mail_List
ACOS(config-web-category-category-list)# web-based-email
ACOS(config-web-category-category-list)# exit
ACOS(config-web-category)# exit
ACOS(config)#
...
ACOS(config-policy-forward-policy)# source Any_Source
ACOS(config-policy-forward-policy-source)# match-any
ACOS(config-policy-forward-policy-source)# destination web-category-list
Web_Mail_List action ForwardMail

Example Enable web category classification, then apply web-category
classification to bypass SSLi decryption and inspection for websites
classified in the specified categories.
ACOS(config)# web-category
ACOS(config-web-category)# enable
ACOS(config-web-category)# exit
ACOS(config)#
...


ACOS-Inside(config)# slb template client-ssl SSLInsight_ClientSide
ACOS-Inside(config-client ssl)# forward-proxy-bypass web-category
financial-services
ACOS-Inside(config-client ssl)# forward-proxy-bypass web-category
educational-institutions
ACOS-Inside(config-client ssl)# forward-proxy-bypass web-category
health-and-medicine

Chapter 27: SLB Show Commands
The show slb commands display information for Server Load Balancing (SLB).

To automatically re-enter a show slb command at regular intervals, use the repeat
command.

In addition to the command options provided with some show commands, you can use output
modifiers to search and filter the output. See “Searching and Filtering CLI Output” and "Show
Commands" in the Command Line Interface Reference.

The following topics are covered:

show slb aflow 646

show slb attack-prevention 646

show slb cache 647

show slb compression 657

show slb connection-reuse 657

show slb conn-rate-limit 660

show slb ddos-protection l4-entries 661

show slb ddos-protection statistics 662

show slb diameter 663

show slb fast-http-proxy 669

show slb fix 672

show slb ftp 674

show slb ftp-proxy 675

show slb generic-proxy 675

show slb geo-location 676

show slb http-proxy 677

show slb 688

show slb hw-compression 698

show slb icap 699

show slb icap-http 701


show slb l4 703

show slb mlb 719

show slb mssql 719

show slb mysql 722

show slb passthrough 724

show slb persist 724

show slb pop3-proxy 727

show slb rate-limit-logging 728

show slb resource-usage 731

show slb server 732

show slb service-group 750

show slb sip 758

show slb smpp 761

show slb smtp 769

show slb spdy-proxy 773

show slb ssl 775

show slb ssl-cert-revoke-stats 781

show slb ssl-counters 784

show slb ssl-crl 788

show slb ssl-expire-check 789


show slb ssl-cert-pinning-candidate-list 790

show slb ssl-forward-proxy-cert 791

show slb ssl-forward-proxy-stats 793

show slb ssl-ocsp cache 794

show slb ssl-ocsp cache detail 795

show slb switch 796

show slb syn-cookie 804

show slb syn-cookie-buffer 805


show slb tcp stack 805

show run slb template 807

show slb template policy forward-policy-stats 809

show slb virtual-server 811

show web-category 828

show web-reputation 831


show slb aflow
Description Show aFlow statistics.

Syntax show slb aflow [detail]

Parameter Description

detail List separate counters for each CPU in the statistics output.

Mode All

show slb attack-prevention
Description Show SYN-cookie statistics for the number of packets received during
different intervals of time.

Syntax show slb attack-prevention

Mode All

Usage When running the show slb attack-prevention command on an
FTA-enabled model, the “SYN attack” field does not show output for
the historical counters (1s/5s/30s/1min/5min). Output is only
provided for the “current” column.
This feature is supported for L3V private partitions in non-FTA-enabled
models. If the show slb attack-prevention command is run from an
L3V partition on an FTA-enabled model, the “SYN attack” counter
displays zero for all columns.

Example The following command shows SYN-cookie statistics:
ACOS# show slb attack-prevention
                     Current  1 sec  5 sec  30 sec  1 min  5 min
----------------------------------------------------------------
SYN cookie snt             0      0      0       0      0      0
SYN cookie snt ts          0      0      0       0      0      0
SYN cookie snt fail        0      0      0       0      0      0
SYN cookie chk fail        0      0      0       0      0      0
SYN attack                 0      0      0       0      0      0

The following table describes the fields in the command output.

Field Description

SYN cookie snt
    Number of TCP SYN cookies sent.

SYN cookie snt ts
    Number of expanded TCP SYN cookies sent.

SYN cookie snt fail
    Number of TCP SYN cookie send attempts that failed.

SYN cookie chk fail
    Number of TCP SYN cookies for which the responding ACK failed the SYN
    cookie check.

SYN attack
    Total number of SYN connections that did not receive an ACK from the
    client and are assumed to be a SYN attack.
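A defender usually wants these counters in a form a monitoring job can evaluate rather than read by eye. The Python below is an added example, not A10 tooling: it parses the show slb attack-prevention table into a dictionary and applies two simple rules over the "current" column, which the Usage note above says is the only column populated for "SYN attack" on FTA-enabled models. The sample output and its numbers are constructed, and the alert thresholds are illustrative values for this example.

```python
import re

# Column order of 'show slb attack-prevention', taken from the output shown above.
COLUMNS = ("current", "1s", "5s", "30s", "1min", "5min")
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s+" + r"\s+".join(r"(\d+)" for _ in COLUMNS) + r"\s*$"
)

# Constructed sample output (the numbers are invented; the layout follows the page).
SAMPLE_OUTPUT = """\
                     Current    1 sec    5 sec   30 sec    1 min    5 min
-------------------------------------------------------------------------
SYN cookie snt          1200      950     4100    21000    40000   180000
SYN cookie snt ts          0        0        0        0        0        0
SYN cookie snt fail        3        1        5       12       20       90
SYN cookie chk fail      800      600     2500    15000    30000   120000
SYN attack               790      590     2400    14800    29500   118000
"""


def parse_attack_prevention(text: str) -> dict:
    """Turn the counter table into {row name: {column: int}}. The header and the
    dashed rule do not match the row pattern and are skipped."""
    stats = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            values = [int(v) for v in m.groups()[1:]]
            stats[m.group("name").strip()] = dict(zip(COLUMNS, values))
    return stats


def assess(stats: dict, min_attack_syns: int = 1, max_check_fail_ratio: float = 0.5) -> dict:
    """Detection rules over the 'current' column only (the historical columns of
    'SYN attack' are not populated on FTA-enabled models, per the Usage note)."""
    attack = stats.get("SYN attack", {}).get("current", 0)
    sent = stats.get("SYN cookie snt", {}).get("current", 0)
    chk_fail = stats.get("SYN cookie chk fail", {}).get("current", 0)
    ratio = round(chk_fail / sent, 3) if sent else 0.0
    return {
        "syn_attack_in_progress": attack >= min_attack_syns,
        "cookie_check_fail_ratio": ratio,
        "cookie_check_failures_high": ratio > max_check_fail_ratio,
    }


if __name__ == "__main__":
    parsed = parse_attack_prevention(SAMPLE_OUTPUT)
    for name, row in parsed.items():
        print(f"{name:22s} {row}")
    print(assess(parsed))
```

Feeding the command's real output (for example captured over SSH by a monitoring job) to parse_attack_prevention works the same way as the constructed sample, because the parser keys on the row names rather than on column positions.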

show slb cache
Description Display statistics and other information for RAM caching.

Syntax show slb cache
[entries vip-name port-num [url | detail] |
memory-usage |
replacement vip-name port-num |
stats [vip-name port-num]]


Option Description

entries vip-name port-num
    Shows a list of the cached objects for the specified VIP and virtual
    port. You can specify a url to further refine the statistics shown for
    each cached entry/URL maintained under a cache template that is bound
    to a virtual port.
    • If certain headers are present in the server response, such as Age,
      Via, Connection, they will be removed and the ACOS device will add a
      separate header for them before the response is stored in cache.
      Similarly, if the cache template has the remove-cookies option set,
      any cookie header in the server response will be removed before
      saving the same in cache.
    • If the url includes special characters such as a question mark, the
      character must be represented in its octal notation in the URL
      string (for example, \077 for the question mark). A URL name such as
      “/testing?html” is specified as “/testing\077html” and it must be
      enclosed within double quotes to ensure that it is interpreted
      correctly.

memory-usage
    Shows memory usage for RAM caching.


replacement vip-name port-num
    Shows replacement information for the specified virtual port on the
    specified virtual server.

stats [vip-name port-num]
    Lists RAM caching statistics by VIP. If you specify a VIP or port
    number, statistics are displayed only for that VIP or port number.

Mode All

Usage If you do not use any of the optional parameters, RAM caching statistics
are displayed. This is equivalent to entering the show slb cache stats
command.

Example The following command shows RAM caching statistics:
ACOS# show slb cache
                              Total
---------------------------------------------------------------
Cache Hits                        0 (0.0 %)
Cache Misses                      0
Memory Used                       0
Bytes Served                      0

Requests
- Total Requests                  0
- Cacheable Requests              0
- No-cache Requests               0
- IMS Requests                    0

Responses (from server)
- 304 Not Modified                0
- 200 OK - Cont Len               0
- 200 OK - Chnk Enc               0
- 200 OK - Other                  0
- Not cacheable                   0

Responses (from cache)
- 304 Not Modified                0
- 200 OK - No Comp                0
- 200 OK - Gzip                   0
- 200 OK - Deflate                0
- Other                           0

Entries
- Cached                          0
- Replaced                        0
- Aged Out                        0
- Cleaned                         0
- Create failures                 0

Revalidation
- Successes                       0
- Failures                        0

Policies
- URI nocache                     0
- URI cache                       0
- URI invalidate                  0
- Content Too Big                 0
- Content Too Small               0

The following table describes the fields in the command output.

Field                      Description
Cache Hits                 Number of times a requested page was found in the cache and served from the cache.
Cache Misses               Number of times a requested page was not found in the cache.
Memory Used                Amount of RAM currently used by cached content.
Bytes Served               Number of bytes served.
Requests                   Contains the following counters:
                           • Total Requests – Total number of requests received on all virtual server ports on which caching is configured.
                           • Cacheable Requests – Number of requests that are potentially cacheable.
                           • No-cache Requests – Number of requests with no-cache header directives.
                           • IMS Requests – Number of requests that contained an If-Modified-Since header.
Responses (from server)    Contains the following counters:
                           • 304 Not Modified – Number of “304 Not Modified” responses sent from the server.
                           • 200 OK - Cont Len – Number of “200 OK - Cont Len” responses sent to clients.
                           • 200 OK - Chnk Enc – Number of “200 OK - Chnk Enc” responses sent to clients.
                           • 200 OK - Other – Number of “200 OK - Other” responses sent to clients.
                           • Not cacheable – Number of responses with no-cache header directives.
Responses (from cache)     Contains the following counters:
                           • 304 Not Modified – Number of “304 Not Modified” responses sent from the cache.
                           • 200 OK - No Comp – Number of “200 OK - No Comp” responses sent from the cache. “No Comp” indicates that the object is not compressed.
                           • 200 OK - Gzip – Number of “200 OK - Gzip” responses sent from the cache. This indicates that an object was compressed using gzip. Gzip is an encoding format produced by the file compression program “gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
                           • 200 OK - Deflate – Number of “200 OK - Deflate” responses sent from the cache. This indicates that an object was compressed using deflate. Deflate is the “zlib” format defined in RFC 1950 in combination with the “deflate” compression mechanism described in RFC 1951.
                           • Other – Number of “Other” responses sent from the cache. This indicates that an object was compressed using compress. Compress is the encoding format produced by the common UNIX file compression program “compress” (adaptive Lempel-Ziv-Welch coding [LZW]).
Entries                    Contains the following counters:
                           • Cached – Number of objects currently in the cache.
                           • Replaced – Number of cached items that were removed to make room for newer entries, per the replacement policy.
                           • Aged Out – Number of entries that were removed because they are older than their expiration time.
                           • Cleaned – Number of cached objects that have aged out and therefore been removed from the cache.
                           • Create Failures – Number of times ACOS failed to create a cache entry.
Revalidation               Contains the following counters:
                           • Successes – Number of entries that were successfully revalidated by the server.
                           • Failures – Number of times revalidation failed.
Policies                   Contains the following counters:
                           • URI nocache – Number of times requested content was not cached due to a URI policy.
                           • URI cache – Number of times a request was cached due to a URI policy.
                           • URI invalidate – Number of times a request was invalidated due to a URI policy.
                           • Content Too Big – Number of cacheable items that were not cached because the file size was larger than the configured maximum content size.
                           • Content Too Small – Number of cacheable items that were not cached because the file size was smaller than the configured minimum content size.

Example The following command shows cached objects:

ACOS# show slb cache entries vs-cookie-cache 80
vs-cookie-cache:80
Host          Object URL             Bytes     Type    Status   Expires in
---------------------------------------------------------------------------------------
10.20.0.120   /static2/1000.txt      1365      CL,No   FR       3410 s
10.20.0.120   /static2/10000.txt     10366     CL,No   FR       3490 s
10.20.0.120   /static2/1000000.txt   636152    CE,Gz   FR       3594 s
10.20.0.120   /static2/1000000.txt   1000368   CL,No   FR       2719 s
10.20.0.120   /ewen/index.html       1479      CL,Mo   FR       -57 s

The following table describes the fields in the command output.

Field          Description
cached-vip     Virtual port number on which RAM caching is enabled.
Host           IP address of the content server.
Object URL     URL from which the cached object was obtained by the ACOS device.
Bytes          Length of the cached object.
Type           Indicates whether the cached object has a Content-Length header, is compressed, or is chunk-encoded.
               The value after the comma indicates the type of compression used:
               • No – Object is uncompressed.
               • Gz – Object was compressed using gzip. Gzip is an encoding format produced by the file compression program “gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
               • Cm – Object was compressed using compress. Compress is the encoding format produced by the common UNIX file compression program “compress” (adaptive Lempel-Ziv-Welch coding [LZW]).
               • Df – Object was compressed using deflate. Deflate is the “zlib” format defined in RFC 1950 in combination with the “deflate” compression mechanism described in RFC 1951.
Status         Status of the entry:
               • FR – Fresh
               • ST – Stale
               • IN – Incomplete
               • FA – Failed
               • UN – Unknown
               • R – The entry must be revalidated.
Expires in     Number of seconds the object can remain unused before it ages out.

Example The following command shows RAM caching memory usage:

ACOS# show slb cache memory-usage
VIP        Port    Memory Configured    Memory Used    Percent Used
---------------------------------------------------------------------------------------
vs120      80      10485760             8386560        79.98%
---------------------------------------------------------------------------------------
Total              10485760             8386560        79.98%

Example The following command shows replacement statistics:

ACOS# show slb cache replacement cached-vip 80
Frequency    Total
---------------------------------------------------------------
1/256        6
1/128        0
1/64         0
1/32         0
1/16         0
1/8          0
1/4          0
1/2          0
1            0
2            0
4            0
8            0
16           0
32           0
64           0
128          2

The output shows the distribution of requests for the cached entries. Entries listed for 1/256 (one in 256 requests) are the least requested, whereas entries listed for 128 are the most requested.

show slb compression


Description Show HTTP compression statistics in bytes.

Syntax show slb compression [virtual-server port-num] [all-partitions | partition {shared | name}]

Option                       Description
virtual-server port-num      Show HTTP compression statistics for the specified virtual server only. The port-num option shows information only for the specified virtual port on the virtual server.
all-partitions               Show HTTP compression statistics in all partitions.
partition {shared | name}    Show HTTP compression statistics in the specified partition or shared partition.

Mode All

show slb connection-reuse


Description Show SLB connection-reuse statistics.

Syntax show slb connection-reuse [detail]

Parameter    Description
detail       List separate counters for each CPU in the statistics output.

Mode All

Example The following command shows summary connection-reuse statistics:


ACOS# show slb connection-reuse
                                    Total
------------------------------------------------------------------
Open persist                        0
Active persist                      0
Total established                   1787
Total terminated                    1787
Total terminated by err             0
Total bind                          1277
Total unbind                        2389
Delayed unbind                      4
Long resp                           0
Missed resp                         0
Unbound data received               0
Pause request                       0
Pause request fail                  0
Resume request                      0
Not remove from list                0

The following table describes the fields in the command output.

Field                      Description
Open persist               Number of new client connections directed to the same server as previous connections by the persistence feature.
Active persist             Number of currently active connections that were sent to the same real server by the persistence feature.
Total established          Total number of established connections to the backend server.
Total terminated           Total number of terminated connections to the backend server.
Total terminated by err    Total number of backend connections terminated due to an error.
Total bind                 Total number of client persistent connections bound to the backend server.
Total unbind               Total number of client persistent connections unbound from the backend server.
Delayed unbind             Number of connections whose unbinding was delayed.
                           NOTE: In the current release, this counter is unused and is always 0.
Long resp                  Number of responses that took too long.
Missed resp                Number of missed responses to HTTP requests.
Unbound data received      Amount of data received on an unbound connection. This is used for debugging purposes.
Pause request              These are internal counters used by A10 Technical Support for debugging purposes.
Pause request fail
Resume request
Not remove from list

show slb conn-rate-limit


Description Show statistics for source-IP based connection rate limiting.

Syntax show slb conn-rate-limit src-ip {locked-out-ips | statistics [debug]}

Mode All

Example This command shows statistics for source-IP based connection rate limiting:

ACOS(config)# show slb conn-rate-limit src-ip statistics
Sessions allocated                  0
Sessions freed                      0
Too many sessions consumed          0
Out of sessions                     0
Threshold check count               1022000
Honor threshold count               20532
Threshold exceeded count            1001408
Lockout drops                       60
Log messages sent                   20532
DNS requests re-transmitted         1000
No DNS response for request         1021000

The following table describes the fields in the show command output.

Field                          Description
Sessions allocated             Number of sessions allocated.
Sessions freed                 Number of sessions freed.
Too many sessions consumed     Number of times too many sessions were consumed.
Out of sessions                Number of times the device ran out of sessions.
Threshold check count          Number of times the ACOS device has checked for connection-limit violations.
Honor threshold count          Number of requests permitted because they were within the connection limit.
Threshold exceeded count       Number of requests denied because they exceeded the connection limit.
Lockout drops                  Number of requests dropped because a client was locked out.
Log messages sent              Number of log messages generated by this feature.
DNS requests re-transmitted    Number of re-transmitted DNS requests detected. These are DNS requests for which no response was received by the ACOS device.
No DNS response for request    Number of DNS requests for which no response was received.
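The conn-rate-limit counters above, like the show slb cache statistics earlier in this chapter, share one layout: a counter name followed by an integer, sometimes with a percentage in parentheses. The following added example (not part of the A10 reference) parses that layout and derives the two figures an operator most often wants, the cache hit ratio and the share of rate-limit checks that exceeded the configured limit. The conn-rate-limit sample text is copied from the output shown above; the cache sample with non-zero values is constructed for illustration, and the alert threshold in findings() is an assumption for the example, not an ACOS setting.

```python
"""Parse the counter blocks printed by ACOS 'show slb ...' commands and
derive a few figures worth watching.  Added example, not A10 code."""
import re

# One counter per line: a name, then an integer, optionally followed by a
# percentage in parentheses as in "Cache Hits 0 (0.0 %)".  The cache output
# prefixes sub-counters with "- ", which is dropped.
_COUNTER = re.compile(
    r"^\s*(?:-\s+)?(?P<name>.+?)\s+(?P<value>\d+)(?:\s*\([^)]*\))?\s*$"
)

# Copied from the 'show slb conn-rate-limit src-ip statistics' output above.
RATE_LIMIT_SAMPLE = """\
ACOS(config)# show slb conn-rate-limit src-ip statistics
Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
"""

# Constructed sample in the layout of 'show slb cache stats'; the values
# are invented so that the derived figures are non-trivial.
CACHE_SAMPLE = """\
ACOS# show slb cache
                         Total
---------------------------------------------------------------
Cache Hits               750 (75.0 %)
Cache Misses             250
Memory Used              1048576

Requests
- Total Requests         1000
- Cacheable Requests     940

Entries
- Cached                 117
- Create failures        3

Policies
- Content Too Big        12
"""


def parse_show_counters(text):
    """Return {counter name: int} for every line that ends in an integer.
    Prompt lines, section titles and separator rules are skipped."""
    counters = {}
    for line in text.splitlines():
        if line.strip().startswith(("ACOS", "---")):
            continue
        m = _COUNTER.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def cache_hit_ratio(counters):
    """Hits / (hits + misses); None when no lookups have happened yet."""
    hits = counters.get("Cache Hits", 0)
    misses = counters.get("Cache Misses", 0)
    total = hits + misses
    return hits / total if total else None


def rate_limit_summary(counters):
    """Condense the conn-rate-limit counters into the figures tracked over time."""
    checks = counters.get("Threshold check count", 0)
    exceeded = counters.get("Threshold exceeded count", 0)
    return {
        "checks": checks,
        "exceeded": exceeded,
        "exceeded_fraction": exceeded / checks if checks else 0.0,
        "lockout_drops": counters.get("Lockout drops", 0),
        "unanswered_dns": counters.get("No DNS response for request", 0),
    }


def findings(cache, rate_limit, exceeded_alert=0.5):
    """Plain-language observations; exceeded_alert is an assumed threshold."""
    notes = []
    if cache.get("Create failures", 0):
        notes.append("cache: %d cache entry create failures" % cache["Create failures"])
    if cache.get("Content Too Big", 0):
        notes.append("cache: %d cacheable objects exceeded the maximum content size"
                     % cache["Content Too Big"])
    if rate_limit["exceeded_fraction"] >= exceeded_alert:
        notes.append("conn-rate-limit: %.1f%% of threshold checks exceeded the limit"
                     % (100 * rate_limit["exceeded_fraction"]))
    if rate_limit["lockout_drops"]:
        notes.append("conn-rate-limit: %d requests dropped from locked-out clients"
                     % rate_limit["lockout_drops"])
    return notes


if __name__ == "__main__":
    cache = parse_show_counters(CACHE_SAMPLE)
    limits = rate_limit_summary(parse_show_counters(RATE_LIMIT_SAMPLE))
    print("cache hit ratio: %.2f" % cache_hit_ratio(cache))
    for note in findings(cache, limits):
        print(note)
```

Feeding the saved output of the real commands to parse_show_counters at regular intervals and differencing the results gives a rate per interval; the totals alone, as the page notes for the DNS counters, only tell you how much has accumulated since the counters were last cleared.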

show slb ddos-protection l4-entries


Description This command displays abnormal L4 port entries from DDoS monitoring and selective filtering.

Syntax show slb ddos-protection l4-entries [address ipaddr | in-hardware | l4-proto protocol-num | not-in-hardware | port port-num]

Example The following example displays sample output:

ACOS(config)# show slb ddos-protection l4-entries
Address          L4    Port    PPS
----------------------------------
1.1.1.1          17    333     5000

Usage The following table describes the fields for the show command output:

Field                  Description
Address                The destination IP address that traffic is matched to.
L4                     The Layer 4 protocol type. In the above example, L4 17 indicates UDP traffic.
Port                   The specific destination IP port that traffic is matched to.
HW?                    This indicates whether or not the entry is programmed into the hardware. A “Y” means the entry is programmed into the hardware, and an “N” means it is not.
Pkts in last 10 sec    The number of packets that match the IP address and the given port in the last 10 seconds.

show slb ddos-protection statistics


Description This command displays the logging statistics for SLB DDoS selective filtering.

Syntax show slb ddos-protection statistics

Mode All

Example The following is a sample output:

ACOS# show slb ddos-protection statistics
L3 Entry Added                      0
L3 Entry Deleted                    0
L3 Entry Added to BGP               0
L3 Entry Removed From BGP           0
L3 Entry Added to HW                0
L3 Entry Removed From HW            0
Too Many L3 entries                 0
L3 Entry Match Drop                 0
HW L3 Entry Match Drop              0
L4 Entry Added                      3
L4 Entry Deleted                    2
L4 Entry Added to HW                3
L4 Entry Removed From HW            1
HW out of L4 Entries                0
L4 Entry Match Drop                 5
HW L4 Entry Match Drop              2153756264

show slb diameter


Description Show statistics for Diameter load balancing.

Syntax show slb diameter [detail]

Parameter          Description
detail             Show statistics per CPU in the output.
device DeviceID    If the ACOS device is a member of an aVCS virtual chassis, use this option to specify the device ID to which to apply this command. If you omit this option, the command is applied to the vMaster.
                   However, if you have changed the device context of the management session from the vMaster to another device, and you omit the device option, the command is applied only to the other device (the one to which you set the device context).

Mode All

Example The following command shows statistics for Diameter load balancing:

ACOS# show slb diameter
                                    Total
------------------------------------------------------------------
concurrent user-session             0
acr out                             0
acr in                              0
aca out                             0
aca in                              0
dpr out                             0
dpr in                              0
dpa out                             0
dpa in                              0
cea out                             0
cea in                              0
cer out                             0
cer in                              0
dwa out                             0
dwa in                              0
dwr out                             0
dwr in                              0
str out                             0
str in                              0
sta out                             0
sta in                              0
asr out                             0
asr in                              0
asa out                             0
asa in                              0
other out                           0
other in                            0
mismatch fwd session id             0
mismatch rev session id             0
unknown command code                0
no session id drop                  0
no fwd tuple drop                   0
no rev tuple drop                   0
cross cpu fwd send                  0
cross cpu fwd rcv                   0
cross cpu rev send                  0
cross cpu rev rcv                   0
cross cpu fail                      0
retry client req                    0
retry client req fail               0
reply unknown session id            0
ccr out                             0
ccr in                              0
cca out                             0
cca in                              0
ccr initial                         0
ccr update                          0
ccr termination                     0
cca termination                     0
term session on cca-t               0
fwd unknown session id              0
update latest server                0
client selection failure            0
close conn by virtual portdown      0
invalid avp                         0
reselect fwd tuple                  0
reselect fwd tuple cross            0
reselect rev tuple                  0
conn closed by client               0
conn closed by server               0
reply invalid avp value             0
reply unable to deliver             0
reply error info fail               0
ACOS#

The following table describes the fields in the command output.

Field                       Description
concurrent user-session     Number of concurrent user sessions.
acr out                     Number of Accounting-Request messages sent by the ACOS device.
acr in                      Number of Accounting-Request messages received by the ACOS device.
aca out                     Number of Accounting-Answer messages sent by the ACOS device.
aca in                      Number of Accounting-Answer messages received by the ACOS device.
cea out                     Number of Capabilities-Exchange-Answer messages sent by the ACOS device.
cea in                      Number of Capabilities-Exchange-Answer messages received by the ACOS device.
cer out                     Number of Capabilities-Exchange-Request messages sent by the ACOS device.
cer in                      Number of Capabilities-Exchange-Request messages received by the ACOS device.
dwr out                     Number of Device-Watchdog-Request messages sent by the ACOS device.
dwr in                      Number of Device-Watchdog-Request messages received by the ACOS device.
dwa out                     Number of Device-Watchdog-Answer messages sent by the ACOS device.
dwa in                      Number of Device-Watchdog-Answer messages received by the ACOS device.
str out                     Number of Session-Termination-Request messages sent by the ACOS device.
str in                      Number of Session-Termination-Request messages received by the ACOS device.
sta out                     Number of Session-Termination-Answer messages sent by the ACOS device.
sta in                      Number of Session-Termination-Answer messages received by the ACOS device.
asr out                     Number of Abort-Session-Request messages sent by the ACOS device.
asr in                      Number of Abort-Session-Request messages received by the ACOS device.
asa out                     Number of Abort-Session-Answer messages sent by the ACOS device.
asa in                      Number of Abort-Session-Answer messages received by the ACOS device.
other out                   Number of other types of Diameter messages (other codes) sent by the ACOS device.
other in                    Number of Diameter messages of other types received by the ACOS device.
ccr out                     Total Credit-Control-Request messages sent.
ccr in                      Total Credit-Control-Request messages received.
cca out                     Total Credit-Control-Answer messages sent.
cca in                      Total Credit-Control-Answer messages received.
ccr initial                 Total Credit-Control-Request-initial messages received.
ccr update                  Total Credit-Control-Request-update messages received.
ccr termination             Total Credit-Control-Request-termination messages received.
cca termination             Total Credit-Control-Answer-termination messages received.
term session on cca-t       Total sessions ACOS terminated for Credit-Control-Answer-Termination.
mismatch fwd session id     Client session ID does not match the Diameter session table.
mismatch rev session id     Server session ID does not match the Diameter session table.
unknown command code        Drop Diameter session because of an unrecognized command code.
no session id drop          Cannot find the session ID AVP in the message; drop request.
no fwd tuple drop           Cannot match client L4 session; drop message.
no rev tuple drop           Cannot match server L4 session; drop message.
cross cpu fwd send          Number of client messages sent to the server using a different CPU.
cross cpu fwd rcv           Number of client messages received by a different CPU and sent to the server.
cross cpu rev send          Number of server messages sent to the client using a different CPU.
cross cpu rev rcv           Number of server messages received by a different CPU and sent to the client.
cross cpu fail              Number of failures during the cross-CPU process.
retry client req            Number of times reselect is performed and a different server is chosen.
retry client req fail       Failure counter for the retry client feature.
reply unknown session id    Total unknown-session-id messages sent with error-code 5002.
invalid avp                 Attribute Value Pair (avp) value contains illegal characters.
reselect fwd tuple          Original client tuple does not exist, so reselect another one on the same CPU.
reselect fwd tuple cross    Original client tuple does not exist, so reselect another one on another CPU because there is none on the current CPU.
reselect rev tuple          Original server tuple does not exist, so reselect another one. There should always be a server side connection on the current CPU, so there is no counter for “reselect rev tuple cross”.
conn closed by client       Client side connection was terminated by the client (client initiated fin/reset).
conn closed by server       Server side connection was terminated by the server (server initiated fin/reset).
reply invalid avp value     Reply to sender (client or server) with error info “invalid avp value” when an incoming message has an invalid avp value.
reply unable to deliver     Reply to sender (client or server) with error info “unable to deliver” when an incoming message cannot be forwarded.
reply error info fail       Failed to reply to the client or server with error info.

show slb fast-http-proxy


Description Show statistics for SLB fast-HTTP proxy.

Syntax show slb fast-http-proxy [server-name port] [detail]

Parameter           Description
server-name port    Show statistics for the specified server and port only.
detail              Show statistics per CPU in the output.

Mode All

Example The following command shows summary fast-HTTP-proxy statistics:

ACOS# show slb fast-http-proxy
                                    Total
------------------------------------------------------------------
Curr Proxy Conns                    0
Total Proxy Conns                   0
HTTP requests                       0
HTTP requests(succ)                 0
No proxy error                      0
Client RST                          0
Server RST                          0
No tuple error                      0
Parse req fail                      0
Server selection fail               0
Fwd req fail                        0
Fwd req data fail                   0
Req retransmit                      0
Req pkt out-of-order                0
Server reselection                  0
Server premature close              0
Server conn made                    0
Source NAT failure                  0
Request over limit                  0
Request rate over limit             0
Out RSTs                            0
Full proxy tot                      0
Full proxy POST                     0
Full proxy pipeline                 0
Full proxy fpga err                 0
Close on DDoS                       0
DNS unresolve                       0
Policy drop                         0

The following table describes the fields in the command output.

Field                      Description
Curr Proxy Conns           Number of currently active connections using the fast-HTTP proxy.
Total Proxy Conns          Total number of connections that have used the fast-HTTP proxy.
HTTP requests              Number of HTTP requests received by the fast-HTTP proxy.
HTTP requests (succ)       Number of HTTP requests successfully fulfilled (by establishing a connection to a real server).
No proxy error             Number of proxy errors.
Client RST                 Number of times TCP connections with clients were reset.
Server RST                 Number of times TCP connections with servers were reset.
No tuple error             Number of tuple errors.
Parse req fail             Number of times the HTTP parser failed to parse a received HTTP request.
Server selection fail      Number of times selection of a real server failed.
Fwd req fail               Number of forward request failures.
Fwd req data fail          Number of forward request data failures.
Req retransmit             Number of retransmitted requests.
Req pkt out-of-order       Number of request packets received from clients out of sequence.
Server reselection         Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server premature close     Number of times the connection with a server closed prematurely.
Server conn made           Number of connections made with servers.
Source NAT failure         Number of source NAT failures.
Request over limit         Number of times the request limit was exceeded.
Request rate over limit    Number of times the request rate limit was exceeded.
Out RSTs                   Number of TCP RSTs sent out.
Full proxy tot             Total number of full proxy HTTP sessions.
Full proxy POST            Total number of full proxy sessions for HTTP POST request.
Full proxy pipeline        Total number of pipelined requests.
Full proxy fpga err        Total number of FPGA errors.
Close on DDoS

show slb fix


Description Show SLB statistics for the Financial Information Exchange (FIX) proxy.

Syntax show slb fix [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command shows FIX SLB statistics.

ACOS(config)# show slb fix
                                    Total
------------------------------------------------------------------
Current proxy conns                 4
Total proxy conns                   2
Client fail                         7
Server fail                         2
Server selection failure            1
no route failure                    0
Source NAT failure                  1
Insert client IP                    5
Default switching                   1
Sender ID switching                 4
Target ID switching                 0

The following table describes the fields in the command output.

Field                       Description
Current proxy conns         Number of currently active connections using the FIX proxy.
Total proxy conns           Total number of connections that have used the FIX proxy.
Client fail                 Number of times that the connection was terminated due to an error on the client side.
Server fail                 Number of times that the connection was terminated due to an error on the server side.
Server selection failure    Number of times selection of a real server failed.
no route failure            Number of times FIX failed due to a route lookup failure.
Source NAT Failure          Number of source NAT failures.
Insert client IP            Number of times that the ACOS inserted the client’s IP address into tag 11447 and forwarded the recalculated request packet to the FIX server.
Default switching           Number of times that the ACOS parsed the tag value from a client’s request and selected a service-group based on a match with the configured tag keyword.
Sender ID Switching         Instances of content switching based on the sender’s identification tag (SenderCompID).
Target ID Switching         Instances of content switching based on the receiver’s identification tag (TargetCompID).

show slb ftp


Description Show SLB FTP statistics.

Syntax show slb ftp

Mode All

Example The following command shows SLB FTP statistics.

ACOS# show slb ftp
Total Control Sessions              0
Total ALG packets                   0
ALG packets rexmitted               0
Total Data Sessions                 0
Total PORT helper sessions          0
Total PASV helper sessions          0
Drop Data Port out of range         0

The following table describes the fields in the command output.

Field                     Description
Total Control Sessions    Total number of FTP control sessions load-balanced by the ACOS device.
Total ALG packets         Total number of Application Layer Gateway (ALG) packets.
ALG packets rexmitted     Number of ALG packets that have been retransmitted.
Out of Connections        Number of times an FTP control session could not be established because none of the real servers had available connections.
Total Data Sessions       Total number of FTP data sessions load-balanced by the ACOS device.
Out of Connections        Number of times an FTP data session could not be established because none of the real servers had available connections.

show slb ftp-proxy


Description Display FTP-proxy statistics.

Syntax show slb ftp-proxy [detail]

Parameter    Description
detail       Show statistics per CPU in the output.

Mode All

show slb generic-proxy


Description Display generic-proxy statistics.

Syntax show slb generic-proxy [detail]

Parameter    Description
detail       Show statistics per CPU in the output.

Mode All

show slb geo-location


Description Display geo-location information.

Syntax show slb geo-location [virtual-server-name | port-num | bad-only | depth num | id group-id | ip ipaddr | location location-name | statistics]

Option                     Description
virtual-server-name        Displays geo-location information for only the specified virtual server.
port-num                   Displays geo-location information for only the specified virtual port.
bad-only                   Displays only the invalid entries.
depth num                  Specifies how many nodes in the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree is displayed. You can specify 1-5.
id group-id                Displays geo-location information for only the specified black/white-list group ID.
ip ipaddr                  Displays geo-location database entries for only the specified IP address.
location location-name     Displays geo-location database entries for only the specified location.
statistics                 Displays statistics for the specified geo-location.

Mode All

Example This example displays geo-location statistics:

ACOS# show slb geo-location statistics

M = Matched or Level, ID = Group ID
Conn = Connection number, Last = Last Matched IP
v = Exact Match, x = Fail
Virtual Server: vip1/80, c-share
--------------------------------------------------------------------------------
Max Depth: 3
Success: 3
Geo-location    M    ID    Permit    Deny    Conn    Last
--------------------------------------------------------------------------------
US.CA.SJ        v    3     1         1       1       77.1.1.107
--------------------------------------------------------------------------------
Total: 1

show slb http-proxy


Description Show statistics for SLB HTTP proxy and EP/TP Proxy.

Syntax show slb http-proxy [virtual-server port-num] [detail] | i DOH

Option                     Description
detail                     Lists separate counters for each CPU.
virtual-server port-num    Displays counters for HTTP response codes. For the virtual-server port-num, enter the name of a virtual server and its port. The port-num can be 1-65534.

Mode All

Example The following command shows summary HTTP-proxy and EP/TP Proxy statistics:

ACOS# show slb http-proxy
                                    Total
------------------------------------------------------------------
Curr Proxy Conns                    0
Total Proxy Conns                   0
HTTP requests                       0
HTTP requests(succ)                 0
HTTP requests(CONNECT)              0
HTTP requests enter SSLi            0
HTTP req (cache succ)               0
No proxy error                      0
Client RST                          0
Server RST                          0
No tuple error                      0
Parse req fail                      0
Server selection fail               0
Fwd req fail                        0
Fwd req data fail                   0
Req retransmit                      0
Req pkt out-of-order                0
Server reselection                  0
Server premature close              0
Server conn made                    0
Source NAT failure                  0
Tot data before compress            0
Tot data after compress             0
Request over limit                  0
Request rate over limit             0
Close on DDoS                       0
Tot data pre decompress             0
Tot data post decompress            0
Status code 1XX                     0
Status code 100                     0
Status code 101                     0
Status code 102                     0
Status code 2XX                     0
..                                  0
..                                  0
Status code 6XX                     0
Status code unknown                 0
Method GET                          0
Method HEAD                         0
Method PUT                          0
Method POST                         0
Method TRACE                        0
Method TRACK                        0
Method OPTIONS                      0
Method CONNECT                      0
Method DELETE                       0
Method UNKNOWN                      0
Req content len                     0
Resp content len                    0
Resp chunk encoding                 0
Req <= 1K                           0
..                                  0
Req > 256K                          0
Resp <= 1K                          0
..                                  0
Resp <= 256K                        0
Resp > 256K                         0
Chunk <= 512                        0
..                                  0
Chunk > 4K                          0
Rsp time < 10u                      0
..                                  0
Rsp time < 100m                     0
Rsp time < 200m                     0
Rsp time < 500m                     0
..                                  0
Rsp time >= 5s                      0

The following table describes the fields in the command output.

Field Description

Curr Proxy Conns: Number of currently active HTTP connections using the ACOS device as an HTTP proxy.
Total Proxy Conns: Total number of HTTP connections that have used the ACOS device as an HTTP proxy.
HTTP requests: Total number of HTTP requests received by the HTTP proxy.
HTTP requests (succ): Number of HTTP requests received by the HTTP proxy that were successfully fulfilled (by connection to a real server).
HTTP requests (CONNECT): Number of CONNECT requests received by the HTTP proxy.
HTTP requests enter SSLi: Number of HTTP requests directed to SSLi.
HTTP req (cache succ): Number of HTTP requests received by the HTTP proxy that were successfully fulfilled from the cache.
No proxy error: Number of proxy errors.
Client RST: Number of times TCP connections with clients were reset.
Server RST: Number of times TCP connections with servers were reset.
No tuple error: Number of tuple errors.
Parse req fail: Number of times parsing of an HTTP request failed.
Server selection fail: Number of times selection of a real server failed.
Fwd req fail: Number of forward request failures.
Fwd req data fail: Number of forward request data failures.
Req retransmit: Number of retransmitted requests.
Req pkt out-of-order: Number of request packets received from clients out of sequence.
Server reselection: Number of times a request was forwarded to another server because the current server was failing.
Server premature close: Number of times the connection with a server closed prematurely.
Server conn made: Number of connections made with servers.
Source NAT failure: Number of source NAT failures.
Tot data before compress / Tot data after compress: These counters show statistics for HTTP compression, in bytes before and after compression.
Request over limit
Request rate over limit
Close on DDoS: Connection was forced to close due to a DDoS attack.
Method <options>: Counter for HTTP methods processed, like GET, POST, CONNECT, DELETE and so on.
Response Content Length: Length of Response content in bytes.
Response Chunk Encoding: Encoding statistics for Response compression chunk.
Response Time (Rsp time): Response time in seconds.

Example The following command shows HTTP response code statistics:

ACOS(config)# show slb http-proxy vs800-http 80
Total
------------------------------------------------------------------
status code 1XX 3
status code 2XX 1
status code 3XX 12
status code 4XX 8
status code 5XX 2
status code 6XX 3
...
Rsp time < 200m 0
Rsp time < 500m 1
Rsp time < 1s 3
Rsp time < 2s 7
Rsp time < 5s 13
Rsp time >= 5s 22

ACOS(config)# show slb http-proxy detail | i DOH
DOH Req 0 20 20
DOH Non DOH Req 0 0 0
DOH Resp 0 20 20
DOH UDP Req Retry 0 0 0
DOH TCP Req Retry 0 0 0

ACOS(config)# show slb http-proxy UDP_VIP 80 | i DOH
DOH Req 12
DOH GET Req 6
DOH POST Req 6
DOH Non DOH Req 0
DOH Non DOH GET Req 0
DOH Non DOH POST Req 0
DOH Resp 12
DOH TC Resp 4
DOH UDP DNS Req 12
DOH UDP DNS Resp 8
DOH TCP DNS Req 4
DOH TCP DNS Resp 4
DOH DNS Req Tx Fail 0
DOH DNS Resp Tx Fail 0
DOH Mem Alloc Fail 0
DOH UDP Req Retry 0
DOH UDP Req Retry Fail 0
DOH TCP Req Retry 0
DOH TCP Req Retry Fail 0
DOH Src NAT failed 0
DOH uri path not found 0
DOH GET dns arg failed 0
DOH GET base64 decode failed 0
DOH POST content-type mismatch 0
DOH POST payload not found 0
DOH POST payload extract failed 0
DOH non DOH method 0
DOH TCP send failed 0
DOH UDP send failed 0
DOH Query time out 0
DOH DNS Query type A 16
DOH DNS Query type AAAA 0
DOH DNS Query type NS 0
DOH DNS Query type CNAME 0
DOH DNS Query type ANY 0
DOH DNS Query type SRV 0
DOH DNS Query type MX 0
DOH DNS Query type SOA 0
DOH DNS Query type Others 0
DOH Resp setup failed 0
DOH Resp header alloc failed 0
DOH Resp Queue failed 0
DOH Resp UDP frag'ed 4
DOH Resp TCP frag'ed 0
DOH Server Select Failed 0
DOH Retry with TCP SG 0

ACOS(config)# show slb http-proxy test-udp 80 detail | i DOH
DOH Req 0 12 12
DOH GET Req 0 6 6
DOH POST Req 0 6 6
DOH Non DOH Req 0 0 0
DOH Non DOH GET Req 0 0 0
DOH Non DOH POST Req 0 0 0
DOH Resp 0 12 12
DOH TC Resp 0 4 4
DOH UDP DNS Req 0 12 12
DOH UDP DNS Resp 0 8 8
DOH TCP DNS Req 0 4 4
DOH TCP DNS Resp 0 4 4
DOH DNS Req Tx Fail 0 0 0
DOH DNS Resp Tx Fail 0 0 0
DOH Mem Alloc Fail 0 0 0
DOH UDP Req Retry 0 0 0
DOH UDP Req Retry Fail 0 0 0
DOH TCP Req Retry 0 0 0
DOH TCP Req Retry Fail 0 0 0
DOH Src NAT failed 0 0 0
DOH uri path not found 0 0 0
DOH GET dns arg failed 0 0 0
DOH GET base64 decode failed 0 0 0
DOH POST content-type mismatch 0 0 0
DOH POST payload not found 0 0 0
DOH POST payload extract failed 0 0 0
DOH non DOH method 0 0 0
DOH TCP send failed 0 0 0
DOH UDP send failed 0 0 0
DOH Query time out 0 0 0
DOH DNS Query type A 0 16 16
DOH DNS Query type AAAA 0 0 0
DOH DNS Query type NS 0 0 0
DOH DNS Query type CNAME 0 0 0
DOH DNS Query type ANY 0 0 0
DOH DNS Query type SRV 0 0 0
DOH DNS Query type MX 0 0 0
DOH DNS Query type SOA 0 0 0
DOH DNS Query type Others 0 0 0
DOH Resp setup failed 0 0 0
DOH Resp header alloc failed 0 0 0
DOH Resp Queue failed 0 0 0
DOH Resp UDP frag'ed 0 4 4
DOH Resp TCP frag'ed 0 0 0
DOH Server Select Failed 0
DOH Retry with TCP SG 0

Field Description

DOH Req: Total DoH Requests received
DOH GET Req: Total DoH GET Requests received
DOH POST Req: Total DoH POST Requests received
DOH Non DOH Req: Total Non-DoH Requests received on virtual port bound to DOH template.
DOH Non DOH GET Req: Total Non-DoH GET Requests received on virtual port bound to DOH template.
DOH Non DOH POST Req: Total Non-DoH POST Requests received on virtual port bound to DOH template.
DOH Resp: Total DoH related DNS responses received from backend DNS Server
DOH TC Resp: Total DoH related DNS responses received from backend DNS Server with TC bit set
DOH UDP DNS Req: Total DOH UDP DNS queries sent to backend DNS server
DOH UDP DNS Resp: Total DOH UDP DNS responses received from backend DNS server
DOH TCP DNS Req: Total DOH TCP DNS queries sent to backend DNS server
DOH TCP DNS Resp: Total DOH TCP DNS responses received from backend DNS server
DOH DNS Req Tx Fail: Total DOH DNS Requests failed to be sent out to the backend server
DOH DNS Resp Tx Fail: Total DOH DNS Responses failed to be sent out to the client
DOH Mem Alloc Fail: Total count of DOH related memory allocation failures
DOH UDP Req Retry: Total number of times DOH UDP DNS requests were retried
DOH UDP Req Retry Fail: Total number of times DOH UDP DNS request retry failed
DOH TCP Req Retry: Total number of times DOH TCP DNS requests were retried
DOH TCP Req Retry Fail: Total number of times DOH TCP DNS request retry failed
DOH Src NAT failed: Total number of DOH Source NAT failures
DOH uri path not found: Total count of HTTP requests received not containing DOH URI '/dns-query', when virtual port has DOH template bound
DOH GET dns arg failed: Total count of HTTP GET requests received not containing a valid arg 'dns=', when virtual port has DOH template bound
DOH GET base64 decode failed: Total count of HTTP GET requests received where DOH base64url decoding failed, when virtual port has DOH template bound
DOH POST content-type mismatch: Total count of HTTP POST requests received not containing DOH content-type 'application/dns-message', when virtual port has DOH template bound
DOH POST payload not found: Total count of HTTP POST requests received not containing payload, when virtual port has DOH template bound
DOH POST payload extract failed: Total count of HTTP requests received not containing DOH URI '/dns-query', when virtual port has DOH template bound
DOH non DOH method: Total count of HTTP requests received whose method is not GET or POST, when virtual port has DOH template bound
DOH TCP send failed: Total DOH TCP DNS queries failed to be sent out to backend DNS server
DOH UDP send failed: Total DOH UDP DNS queries failed to be sent out to backend DNS server
DOH Query time out: Total DOH DNS queries sent to backend DNS server that timed out due to no response
DOH DNS Query type A: Total DOH requests received containing DNS A query
DOH DNS Query type AAAA: Total DOH requests received containing DNS AAAA query
DOH DNS Query type NS: Total DOH requests received containing DNS NS query
DOH DNS Query type CNAME: Total DOH requests received containing DNS CNAME query
DOH DNS Query type ANY: Total DOH requests received containing DNS ANY query
DOH DNS Query type SRV: Total DOH requests received containing DNS SRV query
DOH DNS Query type MX: Total DOH requests received containing DNS MX query
DOH DNS Query type SOA: Total DOH requests received containing DNS SOA query
DOH DNS Query type Others: Total DOH requests received containing a DNS query type other than the above types
DOH Resp setup failed: Total count of DOH responses that failed to be set up
DOH Resp header alloc failed: Total count of header memory allocation failures for DOH responses
DOH Resp Queue failed: Total count of queueing failures for DOH responses to be sent to the client
DOH Resp UDP frag'ed: Total fragmented DOH UDP DNS responses received from backend DNS server
DOH Resp TCP frag'ed: Total fragmented DOH TCP DNS responses received from backend DNS server
DOH Server Select Failed: Total number of times backend DNS server selection failed for DOH
DOH Retry with TCP SG: Total number of times DOH attempted to retry with the backend TCP DNS service-group after connecting to UDP DNS servers failed
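The request checks that these DOH counters describe (URI path, 'dns=' argument, base64url decoding, content-type, payload, method and the DNS query type), as an added Python example that is not ACOS code; the order of the checks and the mapping of an undecodable payload to 'DOH POST payload extract failed' are assumptions, and the sample requests are constructed.

```python
"""Classify DNS-over-HTTPS (RFC 8484) requests the way the DOH counters of
'show slb http-proxy' describe them. Added example, not ACOS code."""
import base64
import struct
from collections import Counter
from urllib.parse import parse_qs, urlsplit

DOH_PATH = "/dns-query"                        # 'DOH uri path not found' check
DOH_CONTENT_TYPE = "application/dns-message"   # 'DOH POST content-type mismatch' check
# DNS QTYPE values (RFC 1035, 2782, 3596) behind the 'DNS Query type' counters
QTYPE_NAMES = {1: "A", 28: "AAAA", 2: "NS", 5: "CNAME", 255: "ANY",
               33: "SRV", 15: "MX", 6: "SOA"}

def b64url_decode(text: str) -> bytes:
    """RFC 8484 sends the query base64url-encoded without '=' padding: restore the
    padding, then decode strictly so stray characters count as a decode failure."""
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True)

def query_type(msg: bytes) -> str:
    """QTYPE name of the first question of a DNS wire-format message ('Others' for
    types the counters do not list); raises ValueError if the message is malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] == 0:
        raise ValueError("DNS header truncated or no question section")
    pos = 12
    while True:                                # walk QNAME labels to the root label
        if pos >= len(msg):
            raise ValueError("QNAME truncated")
        length = msg[pos]
        if length & 0xC0:                      # no compression pointers in a question
            raise ValueError("compressed QNAME")
        pos += 1 + length
        if length == 0:
            break
    if pos + 4 > len(msg):
        raise ValueError("QTYPE/QCLASS truncated")
    return QTYPE_NAMES.get(struct.unpack("!H", msg[pos:pos + 2])[0], "Others")

def classify(method: str, target: str, headers: dict, body: bytes):
    """Return (counter, qtype): the counter this request increments and, when it is
    accepted ('DOH Req'), the name of its DNS query type. Check order is assumed."""
    parts = urlsplit(target)
    if parts.path != DOH_PATH:
        return "DOH uri path not found", None
    if method == "GET":
        dns = parse_qs(parts.query).get("dns")
        if not dns:
            return "DOH GET dns arg failed", None
        try:
            msg = b64url_decode(dns[0])
        except ValueError:                     # binascii.Error is a ValueError
            return "DOH GET base64 decode failed", None
    elif method == "POST":
        ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
        if ctype.split(";")[0].strip().lower() != DOH_CONTENT_TYPE:
            return "DOH POST content-type mismatch", None
        if not body:
            return "DOH POST payload not found", None
        msg = body
    else:
        return "DOH non DOH method", None
    try:
        return "DOH Req", query_type(msg)
    except ValueError:                         # decoded, but not a usable DNS message
        return "DOH POST payload extract failed", None   # assumed mapping

def tally(requests) -> Counter:
    """Count the counters hit by a list of (method, target, headers, body) tuples."""
    counts = Counter()
    for method, target, headers, body in requests:
        counter, qtype = classify(method, target, headers, body)
        counts[counter] += 1
        if qtype:
            counts["DOH DNS Query type " + qtype] += 1
    return counts

def build_query(name: str, qtype: int) -> bytes:
    """Constructed DNS query (header + one question) for the sample traffic below."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def get_target(msg: bytes) -> str:
    """GET form of a DoH query: /dns-query?dns=<base64url without padding>."""
    return DOH_PATH + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

POST_HDR = {"Content-Type": DOH_CONTENT_TYPE}
SAMPLE_REQUESTS = [                            # constructed traffic, one case per counter
    ("GET", get_target(build_query("example.com", 1)), {}, b""),          # A query
    ("POST", DOH_PATH, POST_HDR, build_query("example.com", 28)),         # AAAA query
    ("GET", get_target(build_query("example.com", 15)), {}, b""),         # MX query
    ("GET", get_target(build_query("example.com", 16)), {}, b""),         # TXT -> Others
    ("GET", DOH_PATH + "?name=example.com", {}, b""),                     # no dns= arg
    ("GET", DOH_PATH + "?dns=%%%", {}, b""),                              # bad base64url
    ("POST", DOH_PATH, {"Content-Type": "text/plain"}, b"example.com"),   # wrong type
    ("POST", DOH_PATH, POST_HDR, b""),                                    # empty body
    ("POST", DOH_PATH, POST_HDR, b"\x00\x01"),                            # not a DNS msg
    ("PUT", DOH_PATH, POST_HDR, build_query("example.com", 1)),           # bad method
    ("GET", "/resolve?dns=AAAA", {}, b""),                                # wrong path
]
```

Running tally(SAMPLE_REQUESTS) yields one hit per failure counter and four 'DOH Req', split across the A, AAAA, MX and Others query-type counters.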

show slb http2

Description Show statistics for SLB HTTP2.

Syntax show slb http2 [detail]

Option Description

detail Lists separate counters for each CPU.

Mode All

The following table describes the fields in the command output.

Field Description

Curr HTTP2 Sessions: Number of active HTTP2 connections that the ACOS device is servicing
Peak HTTP2 Sessions: Maximum number of HTTP2 connections the ACOS device has simultaneously serviced.
Total HTTP2 Sessions: Number of HTTP2 connections that the ACOS device has serviced
Connection Preface received: Number of HTTP2 connection prefaces received
Control Frame received: Number of HTTP2 Control frames received
Headers Frame received: Number of HTTP2 Header frames received
Continuation Frame received: Number of HTTP2 continuation frames received
RST Frame received: Number of HTTP2 RST frames received
Settings Frame received: Number of HTTP2 Settings frames received
Window Update Frame received: Number of HTTP2 Window_update frames received
Ping Frame received: Number of Ping frames received
Goaway Frame received: Number of HTTP2 Goaway frames received
Priority Frame received: Number of HTTP2 Priority frames received
Data Frame Recvd: Number of HTTP2 Data frames received
Unknown Frame Recvd: Number of frames of unknown type received
Conn preface sent: Number of HTTP2 connection prefaces sent
Setting Frame Sent: Number of HTTP2 Settings frames sent
Setting ACK Frame Sent: Number of ACK frames sent
Empty Setting Frame Sent: Number of Empty Setting frames sent
Ping Frame Sent: Number of Ping frames sent
Window Update Frame Sent: Number of HTTP2 Window_update frames sent
RST Frame Sent: Number of HTTP2 RST frames sent
GOAWAY Frame Sent: Number of HTTP2 Goaway frames sent
Header Frame to HTTP: Number of HTTP Header frames sent
Data Frame to HTTP: Number of HTTP Data frames sent
Protocol Error: Number of Frames received with HTTP2 Protocol_error
Internal Error: Number of Frames received with HTTP2 Internal_error
Push Promise Frame Sent: Statistics from HTTP2 Push frame count.
Unexpected PUSH_PROMISE Frame: Statistics from HTTP2 Push Promise frame count.
Splitting Buffer Failed: Number of Buffer splitting attempt failures
Control Frame Alloc Failed: Number of control frame allocation attempt failures
Max Invalid Stream received: Maximum number of simultaneous streams flagged as invalid
Data Frame on non stream: Number of Data frames from non-dependent streams
Flow Control Error: Number of HTTP2 Flow Control frame errors
Settings Timeout: Number of settings frames sent without receiving a timely response
Frame Size Error: Number of frames received with an invalid size
Refused Stream: Number of frames received that the endpoint refused prior to processing applications
Cancel: Number of frames that signify an endpoint no longer requires a data stream
Compression Error: Number of frames received with an HTTP2 compression_error
Connect Error: Number of frames received with an HTTP2 connect_error
Enhance Your Calm Error: Number of frames received with an HTTP2 enhance_your_calm error
Inadequate Security: Number of frames received with an inadequate_security code
HTTP1.1 Required: Number of frames received with an HTTP_1_1_required code
Deflate Alloc Fail: Number of deflation allocation failures
Inflate Alloc Fail: Number of inflation allocation failures
Inflate Header Fail: Number of headers with inflation failures
Bad Connection Preface: Number of bad connection preface frame errors
Cannot Alloc Control Frame: Number of control frames for which resources could not be allocated
Cannot Alloc Settings Frame: Number of settings frames for which resources could not be allocated
Bad Frame Type for Stream: Number of bad frames
Wrong Stream State: Number of frames received in the wrong stream state
Data Queue Alloc Error: Number of data frames for which resources could not be allocated
Buff Alloc Error: Number of buffers for which resources could not be allocated
Cannot Alloc Rst Frame: Number of RST frames for which resources could not be allocated
Cannot Alloc Goaway Frame: Number of goaway frames for which resources could not be allocated
Cannot Alloc Ping Frame: Number of ping frames for which resources could not be allocated
Cannot Alloc Stream: Number of stream frames for which resources could not be allocated
Cannot Alloc Window Frame: Number of window frames for which resources could not be allocated
Header No Stream: Number of headers for which no stream was processed
Header Padlen Too Large: Number of data frames with excessive padding bytes
Too Many Streams: Number of times the maximum number of streams was exceeded
Unexpected Frame in Idle: Number of times an Idle frame was in an unexpected place within a stream
Unexpected Frame in Rsvd Local: Number of times a Reserved Local frame was in an unexpected place within a stream
Unexpected Frame in Rsvd Remote: Number of times a Reserved Remote frame was in an unexpected place within a stream
Unexpected Frame in Half Close Remote: Number of times a Half Close Remote frame was in an unexpected place within a stream
Unexpected Frame in Closed: Number of times a Closed frame was in an unexpected place within a stream
Window Update with 0 Increment: Number of Window Update frames with no increment
Window Update Increment Too Large: Number of Window Update frames with excessive increment
Stream Closed: Number of streams that the device has closed
Continuation Frame with No Headers: Number of continuation streams received with no corresponding header frame
Unexpected Frame Before Headers Complete: Number of streams with data frames before the header completes
Headers Frame Before Cont Complete: Number of streams with header frames before continuation completes
Unexpected Push Promise Frame: Number of unexpected pushes of representations from servers to client
Received Invalid Stream ID: Number of frames received with invalid stream ID
Headers Interleaved on Streams: Maximum number of headers that are interleaved within the HTTP2 stream
Trailer Frame Not Marked End of Stream: Number of streams not terminated with an End of Stream frame
Invalid Setting Value: Number of frames with invalid setting value
Invalid Window-Update Value: Number of frames with invalid window-update values
Frame Header Bytes received: Number of HTTP2 frame header bytes the ACOS device received
Frame Header Bytes Sent: Number of HTTP2 frame header bytes the ACOS device sent
Control Frame Bytes received: Number of HTTP2 control frame bytes the ACOS device received
Control Frame Bytes Sent: Number of HTTP2 control frame bytes the ACOS device sent
Header Bytes received: Number of HTTP2 header bytes the ACOS device received
Header Bytes Sent: Number of HTTP2 header bytes the ACOS device sent
Data Bytes received: Number of HTTP2 data bytes the ACOS device received
Data Bytes Sent: Number of HTTP2 data bytes the ACOS device sent
Total Bytes received: Number of HTTP2 bytes the ACOS device received
Total Bytes Sent: Number of HTTP2 bytes the ACOS device sent

Example The following command shows HTTP2 statistics:

ACOS# show slb http2 | section HTTP2
Curr HTTP2 Session 0
Peak HTTP2 Session 0
Total HTTP2 Session 0

ACOS# show slb http2 detail
DP0 DP1 Total
------------------------------------------------------------------
Curr HTTP2 Sessions 0 0 0
Peak HTTP2 Sessions 0 0 0
Total HTTP2 Sessions 0 0 0
Connection Preface received 0 0 0
Control Frame received 0 0 0
Headers Frame received 0 0 0
Continuation Frame received 0 0 0
RST Frame received 0 0 0
Settings Frame received 0 0 0
Window Update Frame received 0 0 0
Ping Frame received 0 0 0
Goaway Frame received 0 0 0
Priority Frame received 0 0 0
Data Frame Recvd 0 0 0
Unknown Frame Recvd 0 0 0
Conn preface sent 0 0 0
Setting Frame Sent 0 0 0
Setting ACK Frame Sent 0 0 0
Empty Setting Frame Sent 0 0 0
Ping Frame Sent 0 0 0
Window Update Frame Sent 0 0 0
RST Frame Sent 0 0 0
GOAWAY Frame Sent 0 0 0
Header Frame to HTTP 0 0 0
Data Frame to HTTP 0 0 0
Protocol Error 0 0 0
Internal Error 0 0 0
HTTP2 Proxy alloc Error 0 0 0
Push Promise Frame Sent 11
Unexpected PUSH_PROMISE Frame 1
Splitting Buffer Failed 0 0 0
Control Frame Alloc Failed 0 0 0
Max Invalid Stream received 0 0 0
Data Frame on non stream 0 0 0
Flow Control Error 0 0 0
Settings Timeout 0 0 0
Frame Size Error 0 0 0
Refused Stream 0 0 0
Cancel 0 0 0
Compression Error 0 0 0
Connect Error 0 0 0
Enhance Your Calm Error 0 0 0
Inadequate Security 0 0 0
HTTP1.1 Required 0 0 0
Deflate Alloc Fail 0 0 0
Inflate Alloc Fail 0 0 0
Inflate Header Fail 0 0 0
Bad Connection Preface 0 0 0
Cannot Alloc Control Frame 0 0 0
Cannot Alloc Settings Frame 0 0 0
Bad Frame Type for Stream 0 0 0
Wrong Stream State 0 0 0
Data Queue Alloc Error 0 0 0
Buff Alloc Error 0 0 0
Cannot Alloc Rst Frame 0 0 0
Cannot Alloc Goaway Frame 0 0 0
Cannot Alloc Ping Frame 0 0 0
Cannot Alloc Stream 0 0 0
Cannot Alloc Window Frame 0 0 0
Header No Stream 0 0 0
Header Padlen Too Large 0 0 0
Too Many Streams 0 0 0
Unexpected Frame in Idle 0 0 0
Unexpected Frame in Rsvd Local 0 0 0
Unexpected Frame in Rsvd Remote 0 0 0
Unexpected Frame in Half Close Remote 0 0 0
Unexpected Frame in Closed 0 0 0
Window Update with 0 Increment 0 0 0
Window Update Increment Too Large 0 0 0
Stream Closed 0 0 0
Continuation Frame with No Headers 0 0 0
Unexpected Frame Before Headers Complete 0 0 0
Headers Frame Before Cont Complete 0 0 0
Unexpected Push Promise Frame 0 0 0
Received Invalid Stream ID 0 0 0
Headers Interleaved on Streams 0 0 0
Trailer Frame Not Marked End of Stream 0 0 0
Invalid Setting Value 0 0 0
Invalid Window-Update Value 0 0 0
Frame Header Bytes received 0 0 0
Frame Header Bytes Sent 0 0 0
Control Frame Bytes received 0 0 0
Control Frame Bytes Sent 0 0 0
Header Bytes received 0 0 0
Header Bytes Sent 0 0 0
Data Bytes received 0 0 0
Data Bytes Sent 0 0 0
Total Bytes received 0 0 0
Total Bytes Sent 0 0 0

show slb hw-compression


Description Show statistics for hardware-based compression.

Syntax show slb hw-compression [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Usage Hardware-based compression is available using an optional hardware module in some models. If this command does not appear on your ACOS device, the device does not contain a compression module.

Example The following commands first enable hardware-based compression (hw-compression command), then display statistics for the feature:

ACOS(config)# slb common
ACOS(config-common)# hw-compression
ACOS(config-common)# show slb hw-compression
Hardware compression device is installed.
Hardware compression module is enabled.
Total
------------------------------------------------------------------
total request count 177157
total submit count 177157
total response count 177157
total failure count 0
last failure code 0
compression queue full 0
max queued request count 84
max queued submit count 68


show slb icap


Description Show ICAP statistics for debugging.

Syntax show slb icap [detail]

Mode All

Example The following command shows ICAP statistics:

ACOS# show slb icap detail
DP0 DP1 DP2 DP3 DP4 DP5 Total
------------------------------------------------------------------
reqmod request 0 0 0 0 0 0 0
respmod request 0 0 0 0 0 0 0
reqmod req after 100 0 0 0 0 0 0 0
respmod req after 100 0 0 0 0 0 0 0
reqmod response 0 0 0 0 0 0 0
respmod response 0 0 0 0 0 0 0
reqmod resp after 100 0 0 0 0 0 0 0
respmod resp after 100 0 0 0 0 0 0 0
send option req 0 0 0 0 0 0 0
recv option resp 0 0 0 0 0 0 0
chunk no allow 204 0 0 0 0 0 0 0
Big CL so no allow 204 0 0 0 0 0 0 0
result continue 0 0 0 0 0 0 0
result icap response 0 0 0 0 0 0 0
result 100 continue 0 0 0 0 0 0 0
result other 0 0 0 0 0 0 0
status 2xx 0 0 0 0 0 0 0
status 200 0 0 0 0 0 0 0
status 201 0 0 0 0 0 0 0
status 202 0 0 0 0 0 0 0
status 203 0 0 0 0 0 0 0
status 204 0 0 0 0 0 0 0
status 205 0 0 0 0 0 0 0
status 206 0 0 0 0 0 0 0
status 207 0 0 0 0 0 0 0
status 1xx 0 0 0 0 0 0 0
status 100 0 0 0 0 0 0 0
status 101 0 0 0 0 0 0 0
status 102 0 0 0 0 0 0 0
status 3xx 0 0 0 0 0 0 0


status 300 0 0 0 0 0 0 0
status 301 0 0 0 0 0 0 0
status 302 0 0 0 0 0 0 0
status 303 0 0 0 0 0 0 0
status 304 0 0 0 0 0 0 0
status 305 0 0 0 0 0 0 0
status 306 0 0 0 0 0 0 0
status 307 0 0 0 0 0 0 0
status 4xx 0 0 0 0 0 0 0
status 400 0 0 0 0 0 0 0
status 401 0 0 0 0 0 0 0
status 402 0 0 0 0 0 0 0
status 403 0 0 0 0 0 0 0
status 404 0 0 0 0 0 0 0
status 405 0 0 0 0 0 0 0
status 406 0 0 0 0 0 0 0
status 407 0 0 0 0 0 0 0
status 408 0 0 0 0 0 0 0
status 409 0 0 0 0 0 0 0
status 410 0 0 0 0 0 0 0
status 411 0 0 0 0 0 0 0
status 412 0 0 0 0 0 0 0
status 413 0 0 0 0 0 0 0
status 414 0 0 0 0 0 0 0
status 415 0 0 0 0 0 0 0
status 416 0 0 0 0 0 0 0
status 417 0 0 0 0 0 0 0
status 418 0 0 0 0 0 0 0
status 419 0 0 0 0 0 0 0
status 420 0 0 0 0 0 0 0
status 422 0 0 0 0 0 0 0
status 423 0 0 0 0 0 0 0
status 424 0 0 0 0 0 0 0
status 425 0 0 0 0 0 0 0
status 426 0 0 0 0 0 0 0
status 449 0 0 0 0 0 0 0
status 450 0 0 0 0 0 0 0
status 5xx 0 0 0 0 0 0 0
status 500 0 0 0 0 0 0 0
status 501 0 0 0 0 0 0 0
status 502 0 0 0 0 0 0 0
status 503 0 0 0 0 0 0 0
status 504 0 0 0 0 0 0 0


status 505 0 0 0 0 0 0 0
status 506 0 0 0 0 0 0 0
status 507 0 0 0 0 0 0 0
status 508 0 0 0 0 0 0 0
status 509 0 0 0 0 0 0 0
status 510 0 0 0 0 0 0 0
status 6xx 0 0 0 0 0 0 0
status unknown 0 0 0 0 0 0 0
app serv conn no pcb err 0 0 0 0 0 0 0
app serv conn err 0 0 0 0 0 0 0
chunk1 hdr err 0 0 0 0 0 0 0
chunk2 hdr err 0 0 0 0 0 0 0
chunk bad trail err 0 0 0 0 0 0 0
no payload next buff err 0 0 0 0 0 0 0
no payload buff err 0 0 0 0 0 0 0
resp hdr incomplete err 0 0 0 0 0 0 0
serv sel fail err 0 0 0 0 0 0 0
start icap conn fail err 0 0 0 0 0 0 0
prep req fail err 0 0 0 0 0 0 0
icap ver err 0 0 0 0 0 0 0
icap line err 0 0 0 0 0 0 0
encap hdr incomplete err 0 0 0 0 0 0 0
no icap resp err 0 0 0 0 0 0 0
resp line read err 0 0 0 0 0 0 0
resp line parse err 0 0 0 0 0 0 0
resp hdr err 0 0 0 0 0 0 0
req hdr incomplete err 0 0 0 0 0 0 0
no status code err 0 0 0 0 0 0 0
http resp line read err 0 0 0 0 0 0 0
http resp line parse err 0 0 0 0 0 0 0
http resp hdr err 0 0 0 0 0 0 0

show slb icap-http


Description Show ICAP HTTP statistics for debugging.

Syntax show slb icap-http [detail]

Mode All

Example The following command shows ICAP HTTP statistics:

ACOS# show slb icap-http detail
DP0 DP1 DP2 DP3 DP4 DP5 DP6 DP7 DP8 DP9 DP10 DP11 DP12 DP13 DP14 DP15 Total
------------------------------------------------------------------
status 2xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 200 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 201 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 202 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 203 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 204 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 205 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 206 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 207 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 1xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 100 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 101 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 102 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 3xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 300 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 301 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 302 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 303 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 304 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 305 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 306 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 307 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 4xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 400 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 401 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 402 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 403 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 404 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 405 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


status 406 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 407 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 408 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 409 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 410 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 411 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 412 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 413 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 414 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 415 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 416 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 417 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 418 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 419 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 422 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 423 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 424 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 425 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 426 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 449 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 450 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 5xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 501 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 502 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 503 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 504 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 505 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 506 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 507 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 508 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 509 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 510 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 6xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

show slb l4
Description Show Layer-4 SLB statistics.

Syntax show slb l4 [detail]


Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command shows summary statistics for Layer 4 SLB:
ACOS# show slb l4
Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
TCP out RST L4 proxy 0
TCP out RST ACK attack 0
TCP out RST aFleX 0
TCP out RST stale sess 0
TCP out RST TCP proxy 0
TCP SYN received 226510
TCP SYN cookie snt 226510
TCP SYN cookie expd snt 0
TCP SYN cookie snt fail 0
TCP received 1042844
UDP received 0
L2 DSR received 0
L3 DSR received 0
Server sel failure 0
Source NAT failure 0
Source NAT no fwd route 0
Source NAT no rev route 0
Source NAT ICMP Process 0
Source NAT ICMP No Match 0
Auto NAT id mismatch 0
TCP SYN cookie failed 0
L4 SYN attack 226510
NAT no session drops 0
virtual portnot matching drops 0
No SYN pkt drops 0
No SYN pkt drops - FIN 0
No SYN pkt drops - RST 0
No SYN pkt drops - ACK 0
Conn Limit drops 0
Conn Limit resets 0
Conn rate limit drops 0
Conn rate limit resets 0
Proxy no sock drops 0
aFleX drops 0
Session aged out 0
TCP Session aged out 0
UDP Session aged out 0
Other Session aged out 0
TCP no SLB 0
UDP no SLB 0
SYN Throttle 0
Inband HM retry 0
Inband HM reassign 0
Auto-reselect server 0
Fast aging set 0
Fast aging reset 0
TCP invalid drop 0
Out of sequence ACK drop 0
SYN stale sess drop 589824
Anomaly out of sequence 0
Anomaly zero window 0
Anomaly bad content 0
Anomaly pbslb drop 0
No resource drop 0
Reset unknown conn 0
RST L7 on failover 0
TCP SYN Other Flags Drop 0
TCP SYN With Data Drop 0
ignore msl 0
NAT Port Preserve Try 0
NAT Port Preserve Succ 0
BW-Limit Exceed drop 0
BW-Watermark drop 0
L4 CPS exceed drop 0
NAT CPS exceed drop 0
L7 CPS exceed drop 0
SSL CPS exceed drop 0
SSL TPT exceed drop 0
SSL TPT-Watermark drop 0
L3V Conn Limit Drop 0
L4 server handshake fail 0
L4 AX re-xmit SYN 0
L4 rcv ACK on SYN 0
L4 rcv RST on SYN 0
TCP no-Est Sess aged out 0
no-Est CSYN rcv aged out 0
no-Est SSYN snt aged out 0
L4 rcv rexmit SYN 589824
L4 rcv rexmit SYN (delq) 589824
L4 rcv rexmit SYN|ACK 0
L4 rcv rexmit SYN|ACK DQ 0
L4 rcv fwd last ACK 0
L4 rcv rev last ACK 0
L4 rcv fwd FIN 0
L4 rcv fwd FIN dup 0
L4 rcv fwd FIN|ACK 0
L4 rcv rev FIN 0
L4 rcv rev FIN dup 0
L4 rcv rev FIN|ACK 0
L4 rcv fwd RST 226510
L4 rcv rev RST 0
L4 UDP reqs no rsp 0
L4 UDP req rsps 0
L4 UDP req/rsp not match 0
L4 UDP req > rsps 0
L4 UDP rsps > reqs 0
L4 UDP reqs 0
L4 UDP rsps 0
L4 TCP Established 0
Skip Insert-client-ip 0
DNS query id switch 0
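An added Python example, not ACOS code, that parses counter output in the form shown above (and the per-CPU 'DP0 DP1 Total' form of show slb http2 detail) into a table and flags the SYN-flood pattern visible in this output, where TCP SYN received, TCP SYN cookie snt and L4 SYN attack all read 226510; the thresholds are assumptions and the sample text is constructed from the values on this page.

```python
"""Parse the counter tables printed by 'show slb l4' and 'show slb http2 detail'
and flag SYN-flood indicators. Added example, not ACOS code; the sample output is
constructed from values shown on this page and the thresholds are assumptions."""
import re
from typing import Dict, List

INT = re.compile(r"-?\d+")

def parse_counters(text: str) -> Dict[str, List[int]]:
    """Map each counter name to its integer columns. The header row ('Total', or
    'DP0 DP1 ... Total' in the detail form) sets the number of columns; a row that
    prints fewer values (as 'Push Promise Frame Sent' does) keeps just those."""
    table, ncols = {}, 1
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("ACOS") or toks[0].startswith("---"):
            continue                                  # prompt, command, separator
        if toks[0].startswith("DP") or toks == ["Total"]:
            ncols = len(toks)                         # header row
            continue
        k = 0
        while k < len(toks) and INT.fullmatch(toks[-1 - k]):
            k += 1                                    # count trailing integer fields
        k = min(k, ncols)
        if 0 < k < len(toks):
            table[" ".join(toks[:-k])] = [int(t) for t in toks[-k:]]
    return table

def total(table: Dict[str, List[int]], name: str) -> int:
    """Last column is 'Total' in the detail form and the only column otherwise."""
    return table[name][-1] if name in table else 0

def nonzero_counters(table: Dict[str, List[int]]) -> List[str]:
    """Names of counters whose total is not zero, e.g. to alert on HTTP2 error rows."""
    return sorted(name for name in table if total(table, name) != 0)

def syn_flood_indicators(table: Dict[str, List[int]], min_syn: int = 1000) -> List[str]:
    """Heuristics (assumed thresholds): nearly every SYN answered with a SYN cookie,
    a nonzero 'L4 SYN attack' counter, and more retransmitted SYNs than first SYNs."""
    syn = total(table, "TCP SYN received")
    findings = []
    if syn >= min_syn and total(table, "TCP SYN cookie snt") >= 0.9 * syn:
        findings.append("SYN cookies sent for nearly all SYNs")
    if total(table, "L4 SYN attack") > 0:
        findings.append("L4 SYN attack counter is nonzero")
    if total(table, "L4 rcv rexmit SYN") > syn:
        findings.append("more retransmitted SYNs than first SYNs")
    return findings

SAMPLE_L4 = """\
ACOS# show slb l4
Total
------------------------------------------------------------------
TCP SYN received 226510
TCP SYN cookie snt 226510
TCP SYN cookie expd snt 0
TCP received 1042844
L4 SYN attack 226510
SYN stale sess drop 589824
L4 rcv rexmit SYN 589824
L4 rcv fwd RST 226510
"""

SAMPLE_HTTP2 = """\
ACOS# show slb http2 detail
DP0 DP1 Total
------------------------------------------------------------------
Curr HTTP2 Sessions 0 0 0
Protocol Error 0 0 0
Push Promise Frame Sent 11
Unexpected PUSH_PROMISE Frame 1
HTTP1.1 Required 0 0 0
Frame Size Error 0 0 0
"""
```

On SAMPLE_L4 all three indicators fire; on SAMPLE_HTTP2 nonzero_counters() returns only the two Push Promise rows.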

The following table describes the fields in the command output.

Field Description

IP out noroute: Number of IP packets that could not be routed. These packets are dropped by the ACOS device.

TCP out RST: Number of TCP Resets sent.

TCP out RST no SYN: Number of Resets sent for which there was no SYN.

TCP out RST L4 proxy: Number of TCP Reset packets the ACOS device has sent as a Layer 4 proxy.

TCP out RST ACK attack: Number of TCP Resets sent in response to a TCP ACK attack.

TCP out RST aFleX: Number of TCP Reset packets the ACOS device has sent due to an aFleX policy.

TCP out RST stale sess: This counter is incremented each time all of the following occur:
- A client SYN is received.
- “reset on terminated session SYN packet” is enabled in the delete queue (this is enabled by default).
- “slb reset-stale-session” is enabled.
In such cases, an RST is sent out and the counter is incremented.

TCP out RST TCP proxy: Number of TCP Reset packets the ACOS device has sent as a TCP proxy.

TCP SYN received: Number of first SYN packets the ACOS device has received from the client.

TCP SYN cookie snt: Number of TCP SYN cookies sent.

TCP SYN cookie expd snt: Number of TCP SYN cookies with expanded options that were sent. NOTE: Expanded SYN cookie options are disabled by default but can be enabled. (See syn-cookie.)

TCP SYN cookie snt fail: Number of TCP SYN cookie send attempts that failed because delivery to the client failed.

TCP received: Number of subsequent packets ACOS received from a client during a particular session. The counter includes the following types of packets: SA, A, FINACK, PSHACK.

UDP received: Number of UDP packets received.

L2 DSR received: Number of reply packets received for Layer 2 DSR sessions.

L3 DSR received: Number of reply packets received for Layer 3 DSR sessions.

Server sel failure: Number of times selection of a real server failed.

Source NAT failure: Number of times a source NAT failure occurred.

Source NAT no fwd route: Number of times there was no route to the destination for Layer 3 NAT traffic.

Source NAT no rev route: Number of times there was no route to the source for Layer 3 NAT traffic.

Source NAT ICMP Process: Number of times an ICMP error related to source NAT occurred.

Source NAT ICMP No Match: Number of times an ICMP error related to source NAT occurred, and there was no matching session for the traffic.

Auto NAT ID mismatch: Number of times a mismatch has occurred between a Smart NAT resource and a VRRP-A VRID.

TCP SYN cookie failed: Number of times a TCP SYN cookie validation failure occurred because the client never sent an ACK packet to complete the TCP three-way handshake.

L4 SYN attack: Total number of TCP SYNs received by the ACOS device that were not followed by a valid client ACK to establish the connection. This counter is calculated as follows:

(Total-SYNs-Received-by-Hardware + Total-SYNs-Received-by-Software) - Total-Number-of-Successful-Connections = L4-SYN-Attack-Count

NAT no session drops: Number of packets sent to the NAT Pool IP, but for which there was no corresponding session on the device.

virtual port not matching drops: Number of packets received on a virtual port that was either down, disabled, or non-existent.

No SYN pkt drops: The cumulative number of the following three types of packets: ACK, RST, FIN.

No SYN pkt drops - FIN: Number of FIN packets received for which there was no corresponding session on the ACOS device.

No SYN pkt drops - RST: Number of RST packets received for which there was no corresponding session on the ACOS device.

No SYN pkt drops - ACK: Number of ACK packets received for which there was no corresponding session on the ACOS device.

Conn Limit drops: Number of connections dropped because the server connection limit had been reached.

Conn Limit resets: Number of connections reset because the server connection limit had been reached.

Conn rate limit drops: Number of connections dropped by connection rate limiting.

Conn rate limit resets: Number of connections reset by connection rate limiting.

Proxy no sock drops: Number of packets dropped because the proxy did not have an available socket.

aFleX drops: Number of packets dropped due to an aFleX policy.

Session aged out: Total number of TCP (TCP Session aged out), UDP (UDP Session aged out) and other (Other Session aged out) sessions that aged out.

TCP Session aged out: Number of TCP sessions that aged out, including both half-open and established sessions.

UDP Session aged out: Number of UDP sessions that have aged out.

Other Session aged out: Number of sessions of other types (not TCP or UDP) that have aged out.

TCP no SLB: This counter is deprecated and is no longer used.

UDP no SLB: Number of non-SLB UDP packets received by the ACOS device.

SYN Throttle: If the count of buffers allocated from system memory is higher than the currently available free system buffers, a flag is enabled to ‘throttle SYN’. For TCP connections, this means that incoming packets for new TCP connections are dropped to avoid queuing more buffers for processing.

Inband HM retry: Number of times the ACOS device retried an inband health check, because a SYN-ACK was not received for the previous SYN.

Inband HM reassign: Number of times the ACOS device reassigned a client’s traffic to another server, because the initial server exceeded the maximum number of retries allowed by the inband health check.

Auto-reselect server: Number of times the ACOS device has re-performed server selection automatically because the initially selected server did not respond to the TCP-SYN from the ACOS device. NOTE: In the current release, this counter applies only to traffic on HTTP/HTTPS virtual ports.

Fast aging set: Number of times fast aging of idle connections was automatically enabled by the ACOS device due to factors such as low availability of I/O buffers, number of sessions or amount of available memory.

Fast aging reset: Number of times fast aging of idle connections was disabled. This occurs after a sufficient number of buffers become available again.

TCP invalid drop: Number of TCP packets received by the ACOS device that did not conform to the standard format for TCP packets. For example, this counter is incremented if the ACOS device receives a packet whose total length is less than the following:

Internet-Header-Length * 4 + TCP-data-offset * 4

Out of sequence ACK drop: Number of TCP ACKs that were dropped because they were out of sequence.

SYN stale sess drop: This counter is incremented each time all of the following occur:
- A client SYN is received.
- “reset on terminated session SYN packet” is enabled in the delete queue (this is enabled by default).
- “slb reset-stale-session” is disabled.
In such cases, the packet is dropped and the counter is incremented.

Anomaly out of sequence: Number of packets that matched an IP anomaly out-of-sequence filter. NOTE: To configure IP anomaly filters, see the ip anomaly-drop command in the “Config Commands: IP” chapter in the Network Configuration Guide.

Anomaly zero window: Number of packets that matched an IP anomaly zero-window filter.

Anomaly bad content: Number of packets that matched an IP anomaly bad-content filter.

Anomaly PBSLB drop: Number of packets that matched an IP anomaly filter used for system-wide Policy-Based SLB (PBSLB).

No resource drop: Number of times traffic has been dropped because the ACOS device had run out of Layer 4 session resources.

Reset unknown conn: Number of times the ACOS device sent a RST in response to a non-SYN packet for a non-existent session. NOTE: This feature is enabled using the reset-unknown-conn option in virtual port templates. See slb template virtual-port.

RST L7 on failover: Number of Layer 7 sessions that were reset following VRRP-A failover.

TCP SYN Other Flags Drop: Number of TCP SYN packets that were dropped by the ACOS device because they contained a flag other than the SYN flag.

TCP SYN With Data Drop: Number of TCP SYN packets that were dropped by the ACOS device because they contained data.

Ignore MSL: Number of times a SYN packet reaches the MSL limit (default is 2 seconds) during a time-wait state and does not get dropped, because the “ignore-tcp-msl” option is configured in the virtual-port template. (See slb template virtual-port.)

NAT Port Preserve Try: Number of times the client port preservation feature attempted to preserve a client’s source port for traffic destined to a virtual port. Note: This feature is enabled using the snat-port-preserve option in virtual port templates. See slb template virtual-port.

NAT Port Preserve Succ: Number of times the client port preservation feature successfully preserved a client’s source port for traffic destined to a virtual port.

BW-Limit Exceed drop: Number of times traffic was dropped because a configured bandwidth limit was exceeded.

BW-Watermark drop: Number of times traffic was dropped because a configured bandwidth watermark was exceeded.

L4 CPS exceed drop: Number of times traffic was dropped because the maximum allowed number of Layer 4 connections per second (CPS) was exceeded.

NAT CPS exceed drop: Number of times traffic was dropped because the maximum allowed number of NAT CPS was exceeded.

L7 CPS exceed drop: Number of times traffic was dropped because the maximum allowed number of Layer 7 CPS was exceeded.

SSL CPS exceed drop: Number of times traffic was dropped because the maximum allowed number of SSL CPS was exceeded.

SSL TPT exceed drop: Number of times SSL traffic was dropped because SSL throughput exceeded the maximum allowed by a system-resource template.

SSL TPT-Watermark drop: Number of times SSL traffic was dropped because SSL throughput exceeded the configured watermark.

L3V Conn Limit Drop: Number of times Layer 3 traffic was dropped because a configured connection limit was exceeded.

L4 server handshake fail: Number of times traffic was dropped because the Layer 4 handshake with a server failed.

L4 AX re-xmit SYN: Number of times the ACOS device needed to retransmit a TCP SYN.

L4 rcv ACK on SYN: Number of SYN-ACKs (ACKs in response to TCP-SYNs) received by the ACOS device.

L4 rcv RST on SYN: Number of TCP Resets (RST) the ACOS device received in response to a SYN.

TCP no-Est Sess aged out: Number of half-open sessions on the ACOS device that aged out. A half-open session means the ACOS device received a SYN packet and forwarded it to the backend server, but there was no SYN-ACK from the backend server, resulting in a half-open session on the ACOS device. These sessions are created with a session age time of 60 seconds. If the session is idle for more than 60 seconds, ACOS terminates the session, removes it from the session table and increments this counter.

no-Est CSYN rcv aged out: Number of times the ACOS device received a SYN from a client and forwarded it to the server, but the resulting half-open session aged out. A half-open session is created on the ACOS device if there is no SYN-ACK from the server for a period exceeding 60 seconds. If this happens, ACOS kills the session and increments this counter.

no-Est SSYN snt aged out: Number of TCP sessions that aged out before a SYN was received from the server, and therefore could not be established.

L4 rcv rexmit SYN: Number of times the client did not get a SYN-ACK from the server. This causes the client to retransmit the same SYN packet that it sent earlier. This counter increments each time such a retransmission of the SYN packet occurs.

L4 rcv rexmit SYN (delq): Number of times the client SYN packet matches an existing session currently in the delete queue. When this occurs, both the “L4 rcv rexmit SYN” and “L4 rcv rexmit SYN (delq)” counters are incremented.

L4 rcv rexmit SYN|ACK: Total number of retransmitted SYN-ACKs received by the ACOS device.

L4 rcv rexmit SYN|ACK DQ: Number of retransmitted SYN-ACKs received by the ACOS device for sessions that had already been moved to the delete queue.

L4 rcv fwd last ACK: Number of final ACKs (last ACKs of a given TCP session) received by the ACOS device from clients.
Note: In this field and the following fields, the following terms describe the traffic origination and direction:
- rcv fwd – received from the client.
- rcv rev – received from the server.

L4 rcv rev last ACK: Number of final ACKs (last ACKs of a given TCP session) received by the ACOS device from servers.

L4 rcv fwd FIN: Number of TCP FINs received from clients.

L4 rcv fwd FIN dup: Number of times more than one FIN packet is received from the client. An example of this would be if the server did not reply to a FIN-ACK in time, thus causing the client to send another FIN.

L4 rcv fwd FIN|ACK: Number of TCP FIN-ACKs received from clients.

L4 rcv rev FIN: Number of TCP FINs received from servers.

L4 rcv rev FIN dup: Number of duplicate TCP FINs received from servers.

L4 rcv rev FIN|ACK: Number of TCP FIN-ACKs received from servers.

L4 rcv fwd RST: Number of TCP RST packets that the ACOS device received from a client and forwarded to the server.

L4 rcv rev RST: Number of TCP RST packets that the ACOS device received from a server and forwarded to the client.

L4 UDP reqs no rsp: Number of port 53 UDP requests received to which there was no response.

L4 UDP req rsps: Number of port 53 UDP requests received to which there was a response.

L4 UDP req/rsp not match: Number of mismatches between port 53 UDP requests and responses.

L4 UDP req > rsps: Number of port 53 UDP requests received for which there was no corresponding response.

L4 UDP rsps > reqs: Number of port 53 UDP responses received for which there was no corresponding request.

L4 UDP reqs: Total number of port 53 UDP requests received by the ACOS device.

L4 UDP rsps: Total number of port 53 UDP responses received by the ACOS device.

L4 TCP Established: Number of established sessions that completed a 3-way TCP handshake.

Skip Insert-client-ip: Number of times client IP insertion into the TCP option failed due to lack of space.

DNS query id switch: Number of requests load balanced based on DNS query ID.
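The SYN-related counters in this table are where a SYN flood or session-table exhaustion first becomes visible, so they are worth sampling on a schedule rather than reading once. The following Python is an added example, not A10 documentation or ACOS code: it parses the two-column "counter value" listing that show slb l4 and the other show slb statistics commands print, computes growth between two snapshots (assuming that a lower value than before means the counters were cleared in between), flags the SYN-pressure counters whose rate exceeds a threshold, and applies the L4 SYN attack formula documented above. The two snapshots and all values in them are constructed.

```python
"""Parse ACOS 'show slb' counter output and flag SYN-pressure counters.

Added example, not A10 code. The snapshots below are constructed from
the counter names documented in this chapter; the values are made up.
"""
import re
from typing import Dict, List, Tuple

# Constructed snapshot in the "<counter name> <value>" layout that
# show slb l4, show slb persist and show slb rate-limit-logging print.
SAMPLE_T0 = """\
ACOS# show slb l4
Total
------------------------------------------------------------
------
TCP SYN received 10000
TCP SYN cookie snt 0
L4 SYN attack 500
SYN stale sess drop 589824
L4 rcv rexmit SYN 589824
L4 rcv fwd RST 226510
L4 UDP req > rsps 0
L4 TCP Established 9000
SYN Throttle 0
No resource drop 0
"""

# Constructed second snapshot, taken 60 seconds after the first.
SAMPLE_T1 = """\
ACOS# show slb l4
Total
------------------------------------------------------------
------
TCP SYN received 70000
TCP SYN cookie snt 42000
L4 SYN attack 60400
SYN stale sess drop 589900
L4 rcv rexmit SYN 591000
L4 rcv fwd RST 226600
L4 UDP req > rsps 0
L4 TCP Established 9100
SYN Throttle 3
No resource drop 12
"""

# A counter name may contain spaces and symbols such as '>' or '|';
# the value is the single integer at the end of the line.
COUNTER_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>\d+)$")


def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} from one show slb counter listing."""
    counters: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the echoed prompt, the "Total" column header and the dashed
        # separator, which the CLI wraps onto two lines.
        if not line or line.startswith("ACOS") or line == "Total" or line.startswith("-"):
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter growth between two snapshots.

    Assumption: a value lower than in the earlier snapshot means the counters
    were cleared in between, so the later value is taken as the growth.
    """
    deltas: Dict[str, int] = {}
    for name, now in after.items():
        if name in before:
            prev = before[name]
            deltas[name] = now - prev if now >= prev else now
    return deltas


# Counters whose sustained growth points at a SYN flood or at exhausted
# Layer 4 session resources, per the field descriptions in this chapter.
SYN_PRESSURE = (
    "L4 SYN attack",
    "TCP SYN cookie snt",
    "SYN stale sess drop",
    "L4 rcv rexmit SYN",
    "SYN Throttle",
    "No resource drop",
)


def flag_syn_pressure(before_text: str, after_text: str, interval_s: float,
                      threshold_per_s: float) -> List[Tuple[str, float]]:
    """Return (counter, events per second) for every SYN-pressure counter
    whose growth rate over the interval exceeds the threshold."""
    deltas = counter_deltas(parse_counters(before_text), parse_counters(after_text))
    flagged: List[Tuple[str, float]] = []
    for name in SYN_PRESSURE:
        if name in deltas:
            rate = deltas[name] / interval_s
            if rate > threshold_per_s:
                flagged.append((name, rate))
    return flagged


def l4_syn_attack_count(hw_syns: int, sw_syns: int, successful_conns: int) -> int:
    """The 'L4 SYN attack' formula documented above: SYNs received in
    hardware plus software, minus connections that completed the handshake."""
    return hw_syns + sw_syns - successful_conns


if __name__ == "__main__":
    for name, rate in flag_syn_pressure(SAMPLE_T0, SAMPLE_T1, 60.0, 100.0):
        print(f"{name}: {rate:.1f}/s")
```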

show slb mlb


Description Display statistics for message based load balancing (MBLB).

Syntax show slb mlb [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command displays MBLB statistics:


ACOS# show slb mlb
Total
------------------------------------------------------------
------
Client message sent 0
Server message received 0
Server connection created 0
Server connection rst 0
Server connection failed 0
Server connection closed 0
Client connection created 0
Client connection closed 0
Client connection not found 0
ACOS#

show slb mssql


Description Display statistics for database load-balancing (DBLB) for an MS-SQL database system.

Syntax show slb mssql [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command displays MS-SQL statistics:


ACOS(config)# show slb mssql
Total
------------------------------------------------------------
------
Curr Proxy Conns 0
Total Proxy Conns 0
Curr BE Encryption Conns 0
Total BE Encryption Conns 0
Curr FE Encryption Conns 0
Total FE Encryption Conns 0
Client FIN 0
Server FIN 0
Session err 0
DB Queries 0
DB commands reply 0
Authentication Success 0
Authentication Failure 0

The following table describes the fields in the command output.

Field Description

Current Proxy Connections: Number of currently active connections that use the DBLB proxy.

Total Proxy Connections: Total number of connections that have used the DBLB proxy.

Current BE Encryption Connections: Number of currently active, encrypted connections on the back-end (BE), between the ACOS device and the servers that process database queries.

Total BE Encryption Connections: Total number of encrypted connections on the back-end (BE), between the ACOS device and the servers that process database queries.

Current FE Encryption Connections: Number of currently active, encrypted connections on the front-end (FE), between the ACOS device and a client.

Total FE Encryption Connections: Total number of encrypted connections on the front-end (FE), between the ACOS device and a client.

Client FIN: Number of TCP connections that were closed on the client side.

Server FIN: Number of TCP connections that were closed on the server side.

Session Error: Total number of session errors that occurred while processing DBLB requests.

DB Queries: Total number of received database queries. Note: This counter corresponds to the number of instances that the aFleX DB_QUERY event was triggered.

DB Commands Reply: Total number of received database commands. Note: This counter corresponds to the number of instances that the aFleX DB_COMMAND event was triggered.

Authentication Success: Number of successful AUTH commands.

Authentication Failure: Number of failed AUTH commands.

show slb mysql


Description Display statistics for database load-balancing (DBLB) for a MySQL database system.

Syntax show slb mysql [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command displays MySQL statistics:


ACOS(config)# show slb mysql
Total
------------------------------------------------------------
------
Curr Proxy Conns 0
Total Proxy Conns 0
Curr BE Encryption Conns 0
Total BE Encryption Conns 0
Curr FE Encryption Conns 0
Total FE Encryption Conns 0
Client FIN 0
Server FIN 0
Session err 0
DB Queries 0
DB commands reply 0

The following table describes the fields in the command output.

Field Description

Current Proxy Connections: Number of currently active connections that use the DBLB proxy.

Total Proxy Connections: Total number of connections that have used the DBLB proxy.

Current BE Encryption Connections: Number of currently active, encrypted connections on the back-end (BE), between the ACOS device and the servers that process database queries.

Total BE Encryption Connections: Total number of encrypted connections on the back-end (BE), between the ACOS device and the servers that process database queries.

Current FE Encryption Connections: Number of currently active, encrypted connections on the front-end (FE), between the ACOS device and a client.

Total FE Encryption Connections: Total number of encrypted connections on the front-end (FE), between the ACOS device and a client.

Client FIN: Number of TCP connections that were closed on the client side.

Server FIN: Number of TCP connections that were closed on the server side.

Session Error: Total number of session errors that occurred while processing DBLB requests.

DB Queries: Total number of received database queries. Note: This counter corresponds to the number of instances that the aFleX DB_QUERY event was triggered.

DB Commands Reply: Total number of received database commands. Note: This counter corresponds to the number of instances that the aFleX DB_COMMAND event was triggered.


show slb passthrough


Description Display statistics for pass-through TCP sessions. A pass-through TCP session is one that is not terminated by the ACOS device (for example, a session for which the ACOS device is not serving as a proxy for SLB).

Syntax show slb passthrough

Mode All

Example The following command displays TCP pass-through session statistics:


ACOS# show slb passthrough
Request packets: 10741 Response packets: 38195
Request bytes: 570272 Response bytes: 56562872
Current connections: 0 Total connections: 4

show slb persist


Description Show persistence load-balancing statistics.

Syntax show slb per [detail]

Parameter Description

detail Show statistics per CPU in the output.

Example The following command shows summary persistence statistics:


ACOS# show slb per
Total
------------------------------------------------------------
------
URL hash persist(pri) 0
URL hash persist(sec) 0
URL hash persist fail 0
SRC IP persist ok 0
SRC IP persist fail 0
SRC IP hash persist(pri) 0
SRC IP hash persist(sec) 0
SRC IP hash persist fail 0
DST IP persist ok 0
DST IP persist fail 0
DST IP hash persist(pri) 0
DST IP hash persist(sec) 0
DST IP hash persist fail 0
SSL SID persist ok 0
SSL SID persist fail 0
Cookie persist ok 0
Cookie persist fail 0
Persist cookie not found 0
Persist cookie Pass-thru 0
Enforce higher priority 30

The following table describes the fields in the command output.

Field Description

URL hash persist(pri): Number of requests successfully sent to the primary server selected by URL hashing. The primary server is the one that was initially selected and then re-used based on the hash value.

URL hash persist(sec): Number of requests that were sent to another server (a secondary server) because the primary server selected by URL hashing was unavailable.

URL hash persist fail: Number of requests that could not be fulfilled using URL hashing.

SRC IP persist ok: Number of requests successfully sent to the same server as previous requests from the same client, based on source-IP persistence.

SRC IP persist fail: Number of requests that could not be fulfilled by the same server as previous requests from the same client, based on source-IP persistence.

SRC IP hash persist(pri): Number of requests successfully sent to the primary server selected by source IP hashing. The primary server is the one that was initially selected and then re-used based on the hash value.

SRC IP hash persist(sec): Number of requests that were sent to another server (a secondary server) because the primary server selected by source IP hashing was unavailable.

SRC IP hash persist fail: Number of requests that could not be fulfilled using source IP hashing.

DST IP persist ok: Number of requests that were sent to the same resource, based on destination-IP persistence.

DST IP persist fail: Number of requests that could not be sent to the same resource, based on destination-IP persistence.

DST IP hash persist(pri): Number of requests successfully sent to the primary server selected by destination IP hashing. The primary server is the one that was initially selected and then re-used based on the hash value.

DST IP hash persist(sec): Number of requests that were sent to another server (a secondary server) because the primary server selected by destination IP hashing was unavailable.

DST IP hash persist fail: Number of requests that could not be fulfilled using destination IP hashing.

SSL SID persist ok: Number of requests successfully sent to the same server as previous requests that had the same SSL session ID, based on SSL session-ID persistence.

SSL SID persist fail: Number of requests that could not be fulfilled by the same server as previous requests that had the same SSL session ID, based on SSL session-ID persistence.

Cookie persist ok: Number of requests successfully sent to the same server as previous requests based on a persistence cookie.

Cookie persist fail: Number of requests that could not be fulfilled by the same server as previous requests based on a persistence cookie.

Persist cookie not found: Number of requests in which a persistence cookie was not found in the request header.

Persist cookie Pass-thru: Number of requests that contained a pass-through cookie.

Enforce higher priority: Number of times the enforce-higher-priority option overrode server persistence and selected another server.

show slb pop3-proxy


Description Show POP3 proxy statistics

Syntax show slb pop3-proxy [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example Example output for this command:


ACOS-Inside# show slb pop3-proxy
Total
------------------------------------------------------------
------
Current proxy conns 0
Total proxy conns 0
Total POP3 Request 0
Server selection failure 0
no route failure 0
source nat failure 0
request line freed 0
request line freed 0
invalid start line 0
other cmd 0
line too long 0
Control chn ssl 0
Bad Sequence 0
Serv Sel Persist fail 0
Serv Sel SMPv6 fail 0
Serv Sel SMPv4 fail 0
Serv Sel ins tpl fail 0
Client EST state erro 0
Serv CTNG state erro 0
Serv RESP state erro 0
Client RQ state erro 0

show slb rate-limit-logging


Description Show log rate-limiting statistics.

Syntax show slb rate-limit-logging [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command shows log rate-limiting statistics:


ACOS# show slb rate-limit-logging
Total
------------------------------------------------------------
------
Total log times 51
Total log messages 26
Local log messages 190
Remote log messages 1959
Local rate (per sec) 32
Remote rate (per sec) 453
Log message too big 0
No route 0
Buffer alloc fail 0
Buffer send fail 0
Log-session alloc 15
Log-session free 15
Log-session alloc fail 0
No repeat message 4

The following table describes the fields in the command output.

Field Description

Total log times: Total number of times log rate limiting has been used.

Total log messages: Total number of log messages generated by the ACOS device. NOTE: The ACOS device combines repeated messages into a single message. For this reason, the Total log times count will differ from the Total log messages count.

Local log messages: Total number of log messages in the ACOS device’s log buffer. These messages can be displayed using the show log command.

Remote log messages: Total number of log messages the ACOS device has sent to external log servers.

Local rate (per sec): Number of messages sent to the ACOS device’s log buffer during the most recent one-second interval.

Remote rate (per sec): Number of messages sent to external log servers during the most recent one-second interval.

Log message too big: Number of log messages dropped by the ACOS device because they were too long.

No route: Number of log messages dropped by the ACOS device because the device did not have a route to the log server.

Buffer alloc fail: Number of times the ACOS device was unable to allocate a buffer for sending a log message to an external log server.

Buffer send fail: Number of times the ACOS device was unable to send a log message that had been placed in the buffer for sending to an external log server.

Log-session alloc: Number of times the ACOS device allocated a log session for repeated log messages.

Log-session free: Number of times the ACOS device freed a log session that was allocated for repeated log messages.

Log-session alloc fail: Number of times the ACOS device was unable to allocate a log session for repeated log messages.

No repeat message: Number of times there was no repeated message for a log session allocated for repeated messages.


show slb resource-usage


Description Display the minimum and maximum numbers of SLB resources that can be configured or used, the default maximum number allowed by the configuration, and the number currently in use.

Syntax show slb resource-usage

Example Below is an example of the output for this command:


ACOS# show slb resource-usage
Resource Current Default Minimum Maximum
------------------------------------------------------------
--------------
nat-pool-addr-count 10 10 10 2000
real-server-count 128 128 32 8192
real-port-count 256 256 64 16384
service-group-count 128 128 32 8192
virtual-port-count 128 128 32 8192
virtual-server-count 64 64 16 4096
http-template-count 128 128 32 4096
proxy-template-count 128 128 32 4096
conn-reuse-template-count 128 128 32 4096
fast-tcp-template-count 128 128 32 4096
fast-udp-template-count 128 128 32 4096
client-ssl-template-count 128 128 32 8192
server-ssl-template-count 128 128 32 8192
stream-template-count 128 128 32 4096
persist-cookie-template-count 128 128 32 4096
persist-srcip-template-count 128 128 32 4096
class-list-ipv6-addr-count 524288 524288 524288 1048576
gslb-site-count 500 500 500 500
gslb-device-count 1000 1000 1000 1000
gslb-service-ip-count 128 128 32 5000
gslb-service-port-count 256 256 64 10000
gslb-zone-count 5000 5000 5000 5000
gslb-service-count 10000 10000 10000 10000
gslb-policy-count 10000 10000 10000 10000
gslb-geo-location-count 5000000 5000000 5000000 5000000
gslb-ip-list-count 500 500 500 500
gslb-template-count 1000 1000 1000 1000
gslb-svc-group-count 500 500 500 500
auth-portal-html-file-size 20 20 4 120
auth-portal-image-file-size 6 6 1 80

show slb server


Description Show information about real servers.

Syntax show slb server [bindings]

or
show slb server
[server-name [port-num]
[all-partitions | partition {shared | name} | detail] |
[config]
[all-partitions | partition {shared | name}] |
[connection-reuse]
[all-partitions | partition {shared | name}] |
[auto-nat-stats]
[all-partitions | partition {shared | name}]
[ip-nat-stats]

Parameter Description

server-name [[port-num] detail]: Shows information only for the specified server or port. If you omit this option, information is shown for all real servers and ports. IPv6 addresses are supported, for example: DRS-2001:133::16-http1.example.com
The detail option shows statistics for the specified server or port. This option also displays the name of the server or port template bound to the server or port, with its IPv4 or IPv6 address (for example: 2001:133::16).

bindings: Shows the bindings for real server ports.

config: Shows the SLB configuration of the real servers.

connection-reuse: Shows connection-reuse state information and statistics for the real servers.

auto-nat-stats: Shows statistics for Smart NAT.

ip-nat-stats: Shows statistics for IP NAT.

all-partitions: Shows the SLB server configuration for all partitions.

partition {shared | name}: Shows the SLB server configuration for either the shared partition or the specified L3V partition name.

Dynamic server name:

Dynamic server IP address:

Mode All

Example The following command shows the output for the basic show slb server command. The “State”

ACOS# show slb server
Total Number of Servers configured: 1
Total Number of Services configured: 1
Current = Current Connections, Total = Total Connections
Fwd-pkt = Forward packets, Rev-pkt = Reverse packets
Service Current Total Fwd-pkt Rev-pkt Peak-conn State
------------------------------------------------------------------------------------------
test-s1:80/tcp 0 0 0 0 0 Disb/Down
test-s1: Total 0 0 0 0 0 Disb/Down

Example The following command shows SLB statistics for real server “http1”. This
server is in a service group that is bound to an HTTP virtual port:
ACOS# show slb server http1
Total Number of Services configured on Server http1: 1
Service: http1:80/tcp (Status: Up)
Forward packets: 0 Reverse packets: 0
Forward bytes: 0 Reverse bytes: 0
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 0 Total requests succ: 0
Response time: 0 tick
Peak connections: 0
Health-check:
--------------------------------------------------------
Up reason: HTTP Status Code OK
Monitor name: http
Method: HTTP
Attribute: port=80
url="GET /"
Wait for HTTP response:False
L4 conn made: 938
L4 errors: 0
Health-check average RTT (us):15930
Health-check current RTT (us):15958
Health-check average TCP RTT (us):7895
Health-check current TCP RTT (us):7933
HTTP requests sent: 938
HTTP errors: 0
Received OK: 938
Received error: 0
Response timeout: 0

Example The following table describes the output fields for the show slb server command. The output from this command includes statistics for health check fields. Keep in mind that these health check fields only appear in the output for HTTP traffic. The counters begin when the health check is configured and increment until the statistics are cleared or the health check is deleted.

Field Description

Total Number of Services configured    Total number of services configured on the ACOS device (if a server name is not specified) or on the specified server.

Service    Real server name, service protocol port, and transport protocol (TCP or UDP), and Status (Up/Down/Disabled).

Forward packets    Number of request packets received for the service.

Reverse packets    Number of response packets sent on behalf of the real server.

Forward bytes    Number of request bytes received for the service.

Reverse bytes    Number of response bytes sent on behalf of the real server.

Current    Current number of connections to the service.

Persistent connections    Number of persistent connections to the service.

Current requests    Current number of requests to the service.

Total requests    Total number of requests to the service.

Total connections    Total number of connections to the service.

Total requests succ    Total number of requests to the service successfully received.

Response time    Server response time.

Peak-conn    Peak connection rate.
Note: Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:
• slb common (global)
• extended-stats (individual server)

Health check fields (HTTP traffic only)

Up / Down reason    Reason the ACOS device marked the port up or down.

Monitor name    Name of the health monitor used to perform the health check.

Method    Health method in the monitor used for the health check.

Attribute    The destination TCP port of the health check, and the HTTP request sent to the port.

Wait for HTTP response    Indicates whether the ACOS device is still waiting for a response to the HTTP request.

L4 conn made    Total number of Layer 4 connections made to the destination TCP port for health checking.

L4 errors    Total number of Layer 4 errors that occurred during health checking.

Health-check average RTT    The average length of time it took for each health check. The time is expressed in microseconds (us). This counter includes the entire health-check process.

Health-check current RTT    The length of time it took to perform the most recent health check.

Health-check average TCP RTT    The average length of time it took to complete the 3-way handshake with the server port.

Health-check current TCP RTT    The length of time it took to complete the 3-way handshake in the most recent health check.

HTTP requests sent    Total number of HTTP requests sent to the server as part of health checks.

HTTP errors    Total number of HTTP errors that occurred during health checking.

Received OK    Number of times the payload of a Layer 4 health check reply was successfully read by the ACOS device.

Received error    Number of times a read failure occurred in the a10hm module.

Response timeout    Number of times a health check to the port timed out.

NOTE: The same health check fields appear in the output for the show slb service-group group-name and similarly only apply to HTTP traffic.
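The health-check counters above are what an operator watches to catch a backend that is down or failing its monitor. As an added example (not from the ACOS documentation), this Python parser reads the `show slb server <name>` output format shown above, splits the lines that carry two counters, keeps the health-check section separate from the service counters, and returns the conditions worth alerting on; the second service (8443), its Down reason and its non-zero counters in the sample are constructed.

```python
import re

# A counter is "Key: value"; several pairs can share one line
# ("Forward packets: 0 Reverse packets: 0") and the colon may have no
# trailing space ("Health-check average RTT (us):15930").
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ()/-]*?):\s*(\d+)(?=\s|$)")
# Health-check counters that stay at zero on a healthy backend.
ERROR_COUNTERS = ("L4 errors", "HTTP errors", "Received error", "Response timeout")

# Trimmed from the page's "show slb server http1" output; the second service
# (8443), its Down reason and its non-zero counters are constructed.
SAMPLE = """\
Total Number of Services configured on Server http1: 2
Service: http1:80/tcp (Status: Up)
Forward packets: 0 Reverse packets: 0
Response time: 0 tick
Peak connections: 0
Health-check:
--------------------------------------------------------
Up reason: HTTP Status Code OK
Monitor name: http
Attribute: port=80
url="GET /"
Wait for HTTP response:False
L4 conn made: 938
L4 errors: 0
Health-check average RTT (us):15930
Health-check current RTT (us):15958
HTTP requests sent: 938
HTTP errors: 0
Received OK: 938
Received error: 0
Response timeout: 0
Service: http1:8443/tcp (Status: Down)
Forward packets: 12 Reverse packets: 9
Peak connections: 3
Health-check:
--------------------------------------------------------
Down reason: constructed example reason
Attribute: port=8443
url="GET /healthz"
L4 conn made: 40
L4 errors: 3
HTTP requests sent: 37
HTTP errors: 5
Received error: 2
Response timeout: 4
"""


def parse_show_slb_server(text):
    """Parse `show slb server <name>` output into one record per Service: block."""
    report = {"total_services": None, "services": []}
    svc, in_hc, last_key = None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # blank line or the dashed rule under "Health-check:"
        if line.startswith("Total Number of Services"):
            report["total_services"] = int(line.rsplit(":", 1)[1])
            continue
        m = re.match(r"Service:\s*(\S+)\s*\(Status:\s*(\w+)\)", line)
        if m:
            svc = {"name": m.group(1), "status": m.group(2),
                   "counters": {}, "health_check": {}}
            report["services"].append(svc)
            in_hc = False
            continue
        if line == "Health-check:":
            in_hc = True  # everything after this belongs to the health monitor
            continue
        if svc is None:
            continue
        target = svc["health_check"] if in_hc else svc["counters"]
        pairs = PAIR_RE.findall(line)
        if pairs:
            for key, value in pairs:
                target[key] = int(value)
            last_key = None
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            target[key] = {"True": True, "False": False}.get(value, value)
            last_key = key
        elif last_key is not None:
            # Continuation such as url="GET /" under "Attribute: port=80".
            target[last_key] = f"{target[last_key]} {line}"
    return report


def findings(report):
    """Services that are not Up, plus any non-zero health-check error counter."""
    out = []
    for svc in report["services"]:
        name, hc = svc["name"], svc["health_check"]
        if svc["status"] != "Up":
            out.append(f"{name}: status {svc['status']}")
        for key in ERROR_COUNTERS:
            if hc.get(key, 0) > 0:
                out.append(f"{name}: {key}={hc[key]}")
    return out
```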

Example The following command shows details for a real server with IPv4 address:
ACOS# show slb server dang0 detail
Server name: dang0
Server IP address: 192.168.120.21
Server gateway ARP: 0000:0000:0000
State: Down
Server template: default
Health check: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connection: 0

The following command shows details for a real server with IPv6 address:
ACOS# show slb server http1 detail
Server name: http1
Hostname: http1.example.com
Last DNS reply: Mon May 14 18:43:57 2018
Server gateway ARP: 0000:0000:0000
State: Up
Server template: default
Health check: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connection: 0
Dynamic server name: DRS-2001:133::16-http1.example.com
Dynamic server IP address: 2001:133::16
Last DNS reply: Mon May 14 18:43:57 2018
TTL: 86400
Server gateway ARP: 000c:29fc:ee32
State: Up
Server template: default
Health check: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connection: 0
Dynamic server name: DRS-172.16.133.16-http1.example.com
Dynamic server IP address: 172.16.133.16
Last DNS reply: Mon May 14 18:43:56 2018
TTL: 86399
Server gateway ARP: 000c:29fc:ee32
State: Up
Server template: default
Health check: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connection: 0

The following table describes the fields in the command output.

Field Description

Server name    Name of the server. IPv6 address support available. For example: DRS-2001:133::16-http1.example.com

Server IP address    IP address of the server. For the specified server or port. This option also displays the name of the server or port template bound to the server or port with IPv4 or IPv6 address (for example: 2001:133::16).

Server gateway ARP    Server ARP value (if directly connected) or nexthop ARP value (if connected through a gateway).

State    Current state of the service:
• Up
• Down
• Disabled

Server template    Name of the real server template bound to the server.

Health check    Name of the health monitor used to check the health of the real port.

Current connection    Current number of connections to the port.

Current request    Current number of HTTP requests being processed by the port.
Note: In this field and the Total request and Total request success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb common.

Total connection    Total number of connections that have been made to the port.

Total request    Total number of HTTP requests processed by the port.

Total request success    Total number of HTTP requests that were successful.

Total forward bytes    Number of request bytes forwarded to the port.

Total forward packets    Number of request packets forwarded to the port.

Total reverse bytes    Number of request bytes received from the port.

Total reverse packets    Number of request packets received from the port.

Peak connection    Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:
• slb common (global)
• extended-stats (individual server)

Example The following command shows details for a real port on a server:
ACOS(config)# show slb server dang1 80 detail
Server name: dang1
Port: 1.1.1.1:80
State: Up
Port template: default
Health check: default
Current connection: 53
Current request: 42
Total connection: 10011
Total request: 20090
Total request success: 20089
Total forward bytes: 36378463
Total forward packets: 378463
Total reverse bytes: 463784638
Total reverse packets: 3784638
Peak connection: 24411

The following table describes the fields in the command output.

Field Description

Server name    Name of the server.

Server IP address    IP address of the server.

Server gateway ARP    Server ARP value (if directly connected) or nexthop ARP value (if connected through a gateway).

Port    Real port number.

State    Current state of the service:
• Up
• Down
• Disabled

Port template    Name of the real port template bound to the port.

Health check    Name of the health monitor used to check the health of the real port.

Current connection    Current number of connections to the port.

Current request    Current number of HTTP requests being processed by the port.
In this field and the Total request and Total request success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb common.

Total connection    Total number of connections that have been made to the port.

Total request    Total number of HTTP requests processed by the port.

Total request success    Total number of HTTP requests that were successful.

Total forward bytes    Number of request bytes forwarded to the port.

Total forward packets    Number of request packets forwarded to the port.

Total reverse bytes    Number of request bytes received from the port.

Total reverse packets    Number of request packets received from the port.

Peak connection    Peak connection count.
Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:
• slb common (global)
• extended-stats (individual server)

Example The following command displays detailed information for a dynamic host-
name server. The configuration details are shown first, followed by details
for the dynamically created servers.
ACOS# show slb server s-test1 detail
Server name: s-test1
Hostname: s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
State: Up
Server template: temp-server
DNS query interval: 5
Minimum TTL ratio: 3
Maximum dynamic server: 16
Health check: none
Current connection: 0
Current request: 0
Total connection: 1919
Total request: 1919
Total request success: 1877
Total forwarded byte: 546650
Total forwarded packet: 5715
Total received byte: 919730
Total received packet: 5631
Dynamic server name: DRS-10.4.2.5-s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
TTL: 4500
State: Up
Server template: test
DNS query interval: 5
Minimum TTL ratio: 15
Maximum dynamic server: 1023
Health check: none
Current connection: 0
Current request: 0
Total connection: 1919
Total request: 1919
Total request success: 1877
Total forward bytes: 546650
Total forward packets: 5715
Total reverse bytes: 919730
Total reverse packets: 5631

Example The following command shows SLB configuration information for real servers:
ACOS# show slb server config
Total Number of Services configured: 30
H-check = Health check Max conn = Max. Connection Wgt = Weight
Service Address H-check Status Max conn Wgt
------------------------------------------------------------------------------
1_yahoo_finance:80/tcp 69.147.86.163 None Enable 1000000 1
1_yahoo_finance 69.147.86.163 None Enable 1000000 1
1_cybozu:80/tcp 202.218.147.129 None Enable 1000000 1
1_cybozu 202.218.147.129 None Enable 1000000 1
win20:25/tcp 172.22.66.20 Default Enable 1000000 1
win20 172.22.66.20 ping Disable 1000000 1
win21:25/tcp 172.22.66.21 Default Enable 1000000 1
--MORE--

The following table describes the fields in the command output.

Field Description

Total Number of Services configured    Total number of SLB services configured on the ACOS device.

Service    Real server name, service protocol port, and transport protocol (TCP or UDP).

Address    Real IP address of the server.

H-check    Health check enabled for the service:
• None – No health check has been applied to the service.
• Default – The default health monitor for the service type was automatically applied to the service by the ACOS device.
• Name of a configured health monitor (for example, “ping”) – The named health monitor was applied to the service by an ACOS administrator.

Status    Current administrative status of the service:
• Enable
• Disable

Max conn    Maximum number of connections allowed to the service.

Wgt    Administrative weight assigned to the service.

Example The following command shows connection-reuse state information and statistics for real servers:
ACOS# show slb server connection-reuse
Total Number of Services configured: 30
Service State Persistent-Conn
----------------------------------------------------
1_yahoo_finance:80/tcp Up 0
1_cybozu:80/tcp Up 0
win20:25/tcp Down 0
win21:25/tcp Up 0
win21:110/tcp Up 0
win21:80/tcp Up 0
win21:443/tcp Down 0
linux22:25/tcp Disb 0
linux22:80/tcp Up 0
linux22:53/udp Disb 0

The following table describes the fields in the command output.

Field Description

Total Number of Services configured    Total number of SLB services configured on the ACOS device.

Service    Real server name, service protocol port, and transport protocol (TCP or UDP).

State    Current state of the service:
• Up
• Down
• Disabled

Persistent-Conn    Number of connections sent to the server by the persistence feature.

Example The following command shows Smart NAT statistics:
ACOS(config-slb vserver-vport)# show slb server rs auto-nat-stats
Total Number of Services configured on Server rs: 21
Service HA/VR ID IP_RR Nat Address Port Usage Total Used Total Freed Failed
------------------------------------------------------------------------------------
rs:80/tcp 1 Yes 10.212.1.225 64 660469 660405 0
10.212.1.226 64 660470 660406 0
rs:8080/tcp 1 Yes 10.212.1.225 0 0 0 0
10.212.1.226 0 0 0 0

In this example, all the virtual ports are using Smart NAT along with
round-robin of floating IPs. The Nat Address, Port Usage, Total Used, Total
Freed, and Failed columns show the same information shown in show IP
NAT pool statistics output. (See the CLI Reference.)
The Service column lists the server, protocol port, and Layer 4 protocol.
The HA/VR ID column lists the HA group ID or VRRP-A VRID, if applicable.
In this example, the ACOS device is deployed as a standalone device, so
“0” is shown in this column.
The following table describes the fields in the command output.

Field Description

Service    Real server name and port number, and the Layer 4 protocol (TCP or UDP).

HA/VR ID    The HA group ID or VRRP-A VRID, if applicable.

NAT Address    The IP address used for the NAT mapping.

Port Usage    Number of mappings currently in use by sessions.

Total Used    Total number of sessions that have been NATted for the source address.

Total Freed    Number of NATted sessions that have been terminated, thus freeing up a port for another session.

Failed    Number of times a mapping attempt failed. Generally, this type of error occurs if the system does not have any resources for new mappings.

Example The following example output shows a list of server bindings:
ACOS# show slb server bindings
Total Number of Servers configured: 24
Total Number of Services configured: 35
Service Port Address State
-------------------------------------------------------------------
rs1 8080 20.20.20.20
+sg-8080 All Up
+=>vip2 10.10.10.200:8080
+linux:8080 Functional Up
+=>ITA-VIP-01 192.168.19.120:8080

This example shows server bindings for server “rs1”.
The service groups are indicated by “+”. In this example, the server is a member of the following service groups:
• sg-8080
• linux:8080
The VIP bindings are indicated by “+=>”. In this example, “rs1” has the following bindings:
• Bound to “vip2” through service group “sg-8080”
• Bound to “ITA-VIP-01” through service group “linux:8080”
The state of each service group is shown. In this example, service group “sg-8080” is All Up. This indicates all service ports on all real servers in the service group are up. Service group “linux:8080” is Functional Up. The service is up on at least one real server in the service group, but not on all the servers in the group.
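For incident response, the bindings output answers two questions quickly: which VIPs a given real server fronts (blast radius if that host is compromised) and which real servers can receive a VIP's traffic. As an added example (not from the ACOS documentation), this Python code parses the “+” and “+=>” notation described above into server, service group and VIP records; the rs2 block in the sample is constructed.

```python
# Constructed sample modelled on the page's "show slb server bindings"
# output; the rs2 block is invented to show a VIP shared by two servers.
SAMPLE_BINDINGS = """\
Total Number of Servers configured: 2
Total Number of Services configured: 3
Service Port Address State
-------------------------------------------------------------------
rs1 8080 20.20.20.20
+sg-8080 All Up
+=>vip2 10.10.10.200:8080
+linux:8080 Functional Up
+=>ITA-VIP-01 192.168.19.120:8080
rs2 443 20.20.20.21
+sg-443 Down
+=>vip2 10.10.10.200:443
"""


def parse_bindings(text):
    """Parse `show slb server bindings` output into {server: record}.

    A line starting with "+=>" is a VIP bound through the preceding service
    group, a line starting with "+" is a service group of the preceding
    server, and any other data line opens a new real server/port record.
    """
    servers = {}
    server = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("-") or line.startswith("Total Number")
                or line.startswith("Service Port")):
            continue  # blank line, dashed rule, summary counts or column header
        if line.startswith("+=>"):
            name, addr = line[3:].split(None, 1)
            group["vips"].append({"name": name, "address": addr})
        elif line.startswith("+"):
            name, state = line[1:].split(None, 1)
            group = {"name": name, "state": state, "vips": []}
            server["service_groups"].append(group)
        else:
            name, port, addr = line.split()
            server = {"port": int(port), "address": addr, "service_groups": []}
            servers[name] = server
    return servers


def vips_served_by(servers, server_name):
    """(VIP, service group) pairs reachable through one real server."""
    return sorted(
        (vip["name"], grp["name"])
        for grp in servers[server_name]["service_groups"]
        for vip in grp["vips"]
    )


def servers_behind_vip(servers, vip_name):
    """Real servers that can receive traffic for a VIP, via any service group."""
    return sorted({
        srv for srv, rec in servers.items()
        for grp in rec["service_groups"]
        if any(v["name"] == vip_name for v in grp["vips"])
    })


def degraded_groups(servers):
    """Service groups whose state is anything other than All Up."""
    return sorted({
        grp["name"] for rec in servers.values()
        for grp in rec["service_groups"] if grp["state"] != "All Up"
    })
```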
The following command displays the IP NAT statistics for an SLB server.
ACOS (config)# show slb server rs ip-nat-stats
Total Number of Services configured on Server rs: 2
Service Pool Address Port Usage Total Used Total Freed Failed
---------------------------------------------------------------------------------------
rs:21/tcp ipv4-pool3 10.212.1.243 0 2 2 0
10.212.1.244 0 0 0 0

Field Description

Total Number of Services configured on Server    Number of services configured on the SLB server.

Service    Real server name and port number, and the Layer 4 protocol (TCP or UDP).

Pool    The IP NAT pool ID.

Address    The IP address used for the NAT mapping.

Port Usage    Number of mappings currently in use by sessions.

Total Used    Total number of sessions that have been NATted for the source address.

Total Freed    Number of NATted sessions that have been terminated, thus freeing up a port for another session.

Failed    Number of times a mapping attempt failed. Generally, this type of error occurs if the system does not have any resources for new mappings.

show slb service-group


Description Show SLB service-group information.

Syntax show slb service-group [group-name] [brief] [config] [all-partitions | partition {shared | name}] [link-cost-statistics]

Parameter Description

group-name    Shows information only for the specified service group. If you omit this option, information is shown for all service groups configured on the ACOS device.

brief    Shows a summary view of the configured service groups and their operational status. If you specify a service-group name, summary information is displayed for only that group. Otherwise, summary information for all groups is displayed.

config    Shows the SLB configuration of the service groups.

all-partitions    Show SLB service group information in all partitions.

partition    Show SLB service group information in the specified partition only.

link-cost-statistics start_date end_date    Show server group link-cost statistics (including cost estimate) for the specified duration. Mention the start date and end date.
Note: The command acos-events logdb enable-link-cost needs to be configured in order to get the correct cost estimate for the specified duration.

Mode All

Example The following command shows statistics for SLB service groups:
ACOS# show slb service-group
Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Peak-c = Peak connections
Service Group Name
Service Current Total Fwd-p Rev-p Peak-c
------------------------------------------------------------------------------
*sg-80-1 State: Down
rs-http:80 0 0 0 0 0
*sg-80-2 State: All Up
rs-http-2:80 1 1 1 4 5

The following table describes the fields in the command output.

Field Description

Number of Service Groups configured    Total number of SLB service groups configured on the ACOS device.

Service Group Name    Name of the service group.

State    Indicates the state of the service group:
• All Up – All service ports on all real servers in the service group are up.
• Functional Up – Each service port number is up on at least one real server in the service group.
• Down – Either all service ports are down, or some (not all) are Disabled.
• Disabled – All the service ports are disabled.

Current    Current number of connections to the service.

Total    Number of connections to the service.

Fwd-p    Number of request packets received by the ACOS device for the service.

Rev-p    Total number of server response packets sent to clients by the ACOS device on behalf of real servers.

Peak-c    Peak connection count.
Note: Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:
• slb common (global)
• extended-stats (individual server)

Example The following command shows configuration information and statistics for SLB service group “louis”:
ACOS# show slb service-group louis
Service selection fail drop: 2
Service selection fail reset: 1
Service peak connection: 0
Priority affinity: 10
Service: s-4-2-1:80 DOWN
Request packets: 6 Response packets: 0
Request bytes: 360 Response bytes: 0
Current connections: 2 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Peak conn: 0
Service: s-2-2-1:80 DOWN
Forward packets: 12 Reverse packets: 9
Forward bytes: 951 Reverse bytes: 396
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Peak conn: 0

The following table describes the fields in the command output.

NOTE: A separate set of health check fields appears in the show slb service-group command output for HTTP traffic.

Field Description

Service group name    Name of the service group.

State    Indicates the state of the service group:
• All Up – All service ports on all real servers in the service group are up.
• Functional Up – Each service port number is up on at least one real server in the service group.
• Partially Up – Some service ports are up but others are down.
• Down – Either all the service ports are down, or some but not all of them are Disabled.
• Disabled – All the service ports are disabled.

Service selection fail drop    Number of server selection failures where the ACOS device dropped the client request.

Service selection fail reset    Number of server selection failures for which the ACOS device sent a RST to the client.

Service peak connection    Peak number of connections.

Priority affinity    Number associated with the currently active priority level. By default, the primary service-group members with the highest priority are active and appear in the output. However, if failover occurs, then the priority of the lower-priority secondary members appears in the output.

Service    Service bound to the service group. Also indicates the state of the service.

Forward packets    Total number of request packets received by the ACOS device for the service.

Reverse packets    Total number of server response packets sent to clients by the ACOS device on behalf of real servers.

Forward bytes    Total number of request bytes received by the ACOS device for the service.

Reverse bytes    Total number of server response bytes sent to clients by the ACOS device on behalf of real servers.

Current connections    Current number of connections to the service.

Persistent connections    Number of connections established on the server due to an SLB persistence feature.

Current requests    Current number of HTTP requests being processed by the server.
In this field and the Total Requests and Total requests success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb common.

Total requests    Total number of HTTP requests processed by the server.

Total connections    Total number of connections to the service.

Response time    Server response time.

Total requests succ    Total number of HTTP requests that were successful.

Peak conn    Peak connection count.
Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:
• slb common (global)
• extended-stats (individual server)

Example The following command shows configuration information for SLB service
groups:
ACOS# show slb service-group config
slb service-group sg1 tcp
member s1 80
!
slb service-group sg2 tcp
member s2 80
member s1 80
!
slb service-group sg3 tcp
member s3 80
!

Example The following command shows configuration information for named SLB
service groups:
ACOS (config-slb svc group)# show slb service-group sg config
Service group name: sg
Type: tcp Distribution: Svc Wtd RR
Health Check: None
Member Count: 2
Member2: s:80 Priority: 1
Member1: s2:80 Priority: 1

In this example, 2 service groups are configured. Each service group takes the weight from the service group member. It reuses the weight from the service member of the real server port number.

Example The following command displays a brief, summarized display of service-group information for all service groups:
ACOS# show slb service-group brief
Total Number of Service Groups configured: 2
slb service-group rontest tcp
Service group name: rontest
Type: tcp Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1
slb service-group udptest udp
Service group name: udptest
Type: udp Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1

In this example, 2 service groups are configured. Each service group has
1 server. In each of the groups, the server is down.

Example The following sample command includes the sort-priority option that
displays the members of a service group organized by their configured
priority in descending order. For example, the western-region service
group specified in the following example includes three members that
are displayed in descending numeric order by priority (8, 4, then 1):
ACOS# show slb service-group western-region config sort-priority
Service group name: western-region
Type: tcp Distribution: Round Robin
Health Check: None
Member Count:3
Member3: GW:80 Priority: 8
Member2: FW1_Inspect:80 Priority: 4
Member1: DEFAULT_GATEWAY:80 Priority: 1

If you issue the command without the sort-priority option, the service
group members appear in ascending alphabetical order (D, F, then G) as
shown:
Member1: DEFAULT_GATEWAY:80 Priority: 1
Member2: FW1_Inspect:80 Priority: 4
Member3: GW:80 Priority: 8

Example The following command displays link-cost statistics for a server group, for
the specified duration:

ACOS (config)# show slb service-group sg link-cost-statistics 2020-05-01 2020-06-01
Link Name  Link selected  Total Bytes Transferred  Interval Transferred  Average Throughput(Kbpi)  Max Throughput (Kbpi)
---------------------------------------------------------------------------------------
rs 0 0 50 1 17
rs2 25439 10088300 124 1 160
rs3 3011 1193928 67 1 17

Estimated cost for dates 2020-05-01 - 2020-06-01: 2494

The following table describes the fields in the command output:

Field Description

Link Name    The name of the selected link.

Link Selected    The number of times the server link was selected.

Total Bytes Transferred    Total bytes transferred during the specified time.

Interval Transferred    Total bytes transferred during the current interval.

Average Throughput    Average throughput (Kbpi) during the interval.

Max Throughput    Maximum throughput (Kbpi) during the interval.

show slb sip


Description Display SIP SLB statistics.

Syntax show slb sip [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command shows SIP SLB statistics:
ACOS# show slb sip
Total
------------------------------------------------------------------
SIP Session created 0
SIP Session freed 0
Curr SIP Proxy 0
Total SIP Proxy 0
Client message received 0
Sent to server 0
Incomplete 0
Drop 0
Connecting server 0
Failed 0
Server message received 0
Sent to client 0
Incomplete 0
Drop 0
Failed 0
Server conn created 0
Created successfully 0
Failed 0

The following table describes the fields in the command output.

Field Description

SIP Session created    Total number of SIP sessions created.

SIP Session freed    Total number of SIP connections freed.

Curr SIP Proxy    Current number of SIP connections between the ACOS device and SIP servers.

Total SIP Proxy    Total number of SIP connections between the ACOS device and SIP servers.

Client message received    Total number of SIP messages received from clients:
• Sent to server – Number of SIP messages received from clients and forwarded to servers.
• Incomplete – Number of packets that contain an incomplete message.
• Drop – Number of packets dropped.
• Connecting server – Client messages currently in the server-connecting state.
• Failed – Number of SIP messages received from clients that were not forwarded to servers.

Server message received    Total number of SIP messages received from servers:
• Sent to client – Number of SIP messages received from servers and forwarded to clients.
• Incomplete – Number of packets that contain an incomplete message.
• Drop – Number of SIP messages received from servers that were not forwarded to clients.

Server conn created    Total number of connections made with servers:
• Created successfully – Number of successful connections.
• Failed – Number of failed connections.


show slb smpp


Description Display Short Message Peer-to-Peer (SMPP) protocol SLB statistics.

Syntax show slb smpp [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command shows SMPP SLB statistics.


ACOS(config)# show slb smpp
                                   Total
------------------------------------------------------------------
Curr SMPP Proxy                        0
Total SMPP Proxy                       0
Client message received                0
  Sent to server                       0
  Incomplete                           0
  AX responds directly                 0
  Drop                                 0
  Connecting server                    0
  Failed                               0
Server message received                0
  Sent to client                       0
  Incomplete                           0
  Drop                                 0
  Failed                               0
Server conn created                    0
  Created successfully                 0
  Failed                               0
Client conn selection                  0
  Select by request                    0
  Select by roundbin                   0
  Select by conn                       0
  Select failed                        0
Server conn selection                  0
  Select by request                    0
  Select by roundbin                   0
  Select by conn                       0
  Select failed                        0

The following table describes the fields in the command output.

Field Description

SMPP msg mem allocated   Total amount of memory currently in use for SMPP connections.

SMPP msg mem cached      Total amount of memory cached for SMPP connections.

SMPP msg mem freed       Total amount of memory freed after an SMPP connection has closed.

SMPP msg payload allocated   Total amount of memory allocated for the SMPP packet payload.

SMPP msg payload freed   Total amount of memory freed from the SMPP packet payload.

Curr SMPP Proxy          Number of currently active connections using the SMPP proxy.

Total SMPP Proxy         Total number of connections that have used the SMPP proxy.

Client message received  Total number of SMPP messages received from clients.
  - Sent to server – Number of SMPP messages received from the client and forwarded to the server.
  - Incomplete – Number of packets which contain incomplete messages.
  - AX responds directly – Number of times the ACOS device responded directly to a client's request.
  - Drop – Number of packets dropped due to the configured SMP resource limit.
  - Connecting server – Number of times the ACOS device forwarded a client's request to the SMPP server.
  - Failed – The following counters display the number of failed connections, listed by cause:
      - Failed to parse
      - Failed to process
      - Failed to SNAT
      - Exceeded buff
      - Failed to send
      - Server conn start failed

Server message received  Total number of SMPP messages received from servers.
  - Sent to client – Number of SMPP messages received from the server and forwarded to the client.
  - Incomplete – Number of packets which contain incomplete messages.
  - Drop – Number of packets dropped due to the configured SMP resource limit.
  - Failed – Number of SMPP messages received from the server that were not forwarded to the client. The following counters display the number of failed connections, listed by cause:
      - Failed to parse
      - Failed to process
      - Failed to sel client conn
      - Failed to SNAT
      - Exceeded buff
      - Failed to send

Server conn created
  - Created successfully – Number of server connections created successfully.
  - Failed – Number of failed server connection attempts, listed by cause:
      - Failed to SNAT
      - Failed to construct
      - Failed to reserve
      - Failed to start
      - Server conn already exists
      - Failed to insert

Message parsing failed   Number of SMPP messages that the ACOS device failed to parse. The following sub-counters describe the cause:
  - The packet size too small – Number of SMPP messages that were not parsed because the message size was less than 4 bytes.
  - Invalid sequence number – SMPP sequence numbers increment by 1 with each message. This counter indicates the total number of SMPP messages that were not parsed because of an incorrect sequence number.

Message processing failed   Number of times the ACOS device could not process the SMPP message. The following sub-counters describe the cause:
  - No virtual port – There was no virtual port that matched the destination of the SMPP message.
  - Failed to select server – Server selection failed when forwarding the SMPP request.

Client conn selection    The following counters apply to SMPP client selection:
  - Select by request – Number of client connections selected by the type of request message.
  - Select by roundbin – Number of client connections selected by the round-robin algorithm.
  - Select by conn – Number of client connections selected by the connection type.
  - Select failed – Number of times the ACOS device failed to select a client for the SMPP connection.

Server conn selection    The following counters apply to SMPP server selection:
  - Select by request – Number of server connections selected by the type of request message.
  - Select by roundbin – Number of server connections selected by the round-robin algorithm.
  - Select by conn – Number of server connections selected by the connection type.
  - Select failed – Number of times the ACOS device failed to select a server for the SMPP connection.

Bind client and server   Number of times the ACOS device successfully forwarded the initial BIND message from a client to an SMPP server.

Unbind client and server   Number of times the ACOS device disconnected the client from an SMPP server.

Receive enquire_link     Total number of ENQUIRE_LINK messages that the ACOS device received from the SMPP client or server.

Receive enquire_link_resp   Total number of ENQUIRE_LINK_RESP messages that the ACOS device received from the SMPP client or server.

Send enquire_link        Total number of ENQUIRE_LINK messages that the ACOS device has sent.

Send enquire_link_resp   Total number of ENQUIRE_LINK_RESP messages that the ACOS device has sent.

Fail to bind server      Total number of times the ACOS device received a BIND message and failed to connect the client to an SMPP server.

Single message           Total number of single messages that were sent to the ACOS device and did not require a response.

Transfer msg from L4 to L7 CPU   Number of SMPP messages that the ACOS device transferred from a Layer 4 CPU to a Layer 7 CPU.

Fetch msg from L7 CPU    Number of SMPP messages that the ACOS device transferred from the Layer 7 CPU to a Layer 4 CPU.

Transfer msg from proxy to conn CPU   Number of SMPP messages that the ACOS device transferred from the proxy CPU to the connection CPU.

Fetch msg from conn CPU  Number of SMPP messages that the ACOS device transferred from the connection CPU to the proxy CPU.

Transfer msg from L7 to L4 CPU   Number of SMPP messages that the ACOS device transferred from a Layer 7 CPU to a Layer 4 CPU.

Transfer msg from conn to proxy CPU   Number of SMPP messages that the ACOS device transferred from the connection CPU to the proxy CPU.

Alloc mem failed         Number of times a connection failed because the ACOS device did not have access to sufficient memory resources.

Unexpected error         Number of unexpected errors that are not categorized by the other counters.

AX holds msg             Number of messages that the ACOS device has received from a client or server and has yet to forward.

Splited packet           Number of times the ACOS device split TCP packets which contain multiple SMPP messages.

Message in pipeline      Number of SMPP messages that the ACOS device processed using an HTTP pipeline.

Client RST               Number of times TCP connections with clients were reset.

Server RST               Number of times TCP connections with servers were reset.
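The "Message parsing failed", "Incomplete" and "Splited packet" counters above all describe one step of SMPP proxying: cutting the TCP byte stream into PDUs. The following Python program is an added example, not A10 code and not part of this reference, that performs that framing on a constructed TCP segment and tallies the outcomes under the counter names from the table. The 16-byte header layout and the command_id values come from the SMPP 3.4 specification; which counter a given condition maps to is an assumption drawn from the table's descriptions.

```python
"""SMPP PDU framing of the kind the 'show slb smpp' counters describe.

Added example, not A10 code. The header layout (command_length, command_id,
command_status, sequence_number; each a big-endian 32-bit integer) and the
command_id constants are from the SMPP 3.4 specification. The sample PDUs
are constructed, and the mapping of each condition to a counter name is an
assumption based on the field descriptions in the table above.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_LEN = 16
ENQUIRE_LINK = 0x00000015        # SMPP 3.4 command_id values
ENQUIRE_LINK_RESP = 0x80000015
SUBMIT_SM = 0x00000004


@dataclass
class Pdu:
    command_id: int
    command_status: int
    sequence_number: int
    body: bytes


def build_pdu(command_id: int, sequence_number: int, body: bytes = b"", status: int = 0) -> bytes:
    """Encode one PDU; used only to construct sample input."""
    return struct.pack("!IIII", HEADER_LEN + len(body), command_id, status, sequence_number) + body


def frame_segment(segment: bytes, expected_seq: Optional[int] = None
                  ) -> Tuple[List[Pdu], Counter, bytes, Optional[int]]:
    """Split one TCP segment into PDUs and tally what happened.

    Returns (pdus, counters, leftover, next_expected_seq). `leftover` holds a
    trailing partial PDU that must be kept until the next segment arrives.
    `expected_seq` enables the +1 sequence-number rule from the table for a
    request stream; pass None to skip it (responses echo the request number).
    """
    counters: Counter = Counter()
    pdus: List[Pdu] = []
    leftover = b""
    pos = 0
    while pos < len(segment):
        chunk = segment[pos:]
        if len(chunk) < 4:
            # Not even command_length is readable yet: 'The packet size too small'.
            counters["The packet size too small"] += 1
            leftover = chunk
            break
        (command_length,) = struct.unpack_from("!I", chunk, 0)
        if command_length < HEADER_LEN:
            # A length shorter than the fixed header can never become valid:
            # count it as a parse failure and stop (a proxy would reset here).
            counters["Message parsing failed"] += 1
            break
        if len(chunk) < command_length:
            # The rest of this PDU is in a later segment: 'Incomplete'.
            counters["Incomplete"] += 1
            leftover = chunk
            break
        cmd_id, status, seq = struct.unpack_from("!III", chunk, 4)
        if expected_seq is not None:
            if seq != expected_seq:
                counters["Invalid sequence number"] += 1
            else:
                expected_seq += 1
        if cmd_id == ENQUIRE_LINK:
            counters["Receive enquire_link"] += 1
        elif cmd_id == ENQUIRE_LINK_RESP:
            counters["Receive enquire_link_resp"] += 1
        pdus.append(Pdu(cmd_id, status, seq, chunk[HEADER_LEN:command_length]))
        pos += command_length
    if len(pdus) > 1:
        # Several PDUs shared one TCP packet: the table's 'Splited packet'.
        counters["Splited packet"] += 1
    return pdus, counters, leftover, expected_seq


def demo() -> Tuple[int, dict, int, Optional[int]]:
    # Constructed segment: an ENQUIRE_LINK, a SUBMIT_SM, then only the first
    # 10 bytes of a second SUBMIT_SM whose remainder arrives later.
    third = build_pdu(SUBMIT_SM, 3, b"hello")
    segment = build_pdu(ENQUIRE_LINK, 1) + build_pdu(SUBMIT_SM, 2, b"x" * 8) + third[:10]
    pdus, counters, leftover, next_seq = frame_segment(segment, expected_seq=1)
    return len(pdus), dict(counters), len(leftover), next_seq


if __name__ == "__main__":
    print(demo())
```

The `leftover` bytes returned for the "Incomplete" case are what a proxy must buffer per connection; the "AX holds msg" counter in the table is the same idea one level up, for whole messages that have been parsed but not yet forwarded.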
 

show slb smtp


Description Shows SLB information for SMTP. Specify a proxy server name to display SLB information for that SMTP proxy server.

Syntax show slb smtp [prxy_name <1-65535>] [detail]

Parameter Description

prxy_name <1-65535>   SMTP proxy server name and port number.

detail                Show statistics per CPU in the output.


Mode All

Example The following command shows summary SMTP SLB statistics:


ACOS# show slb smtp
Total
------------------------------------------------------------------
Current proxy conns 0
Total proxy conns 0
SMTP requests 0
SMTP requests (success) 0
No proxy error 0
Client reset 0
Server reset 0
No tuple error 0
Parse request failure 0
Server selection failure 0
Forward request failure 0
Forward REQ data failure 0
Request retransmit 0
Request pkt out-of-order 0
Server reselection 0
Server premature close 0
Server connection made 0
Source NAT failure 0
Init server starttls 0
Real server starttls disable 0
Server starttls fail 0

The following table describes the fields in the command output.

Field Description

Current proxy conns      Number of currently active SMTP connections using the ACOS device as an SMTP proxy.

Total proxy conns        Number of SMTP connections that have used the ACOS device as an SMTP proxy.

SMTP requests            Total number of SMTP requests received by the SMTP proxy.

SMTP requests (success)  Number of SMTP requests received by the ACOS device that were successfully fulfilled (by connection to a real server).

No proxy error           Number of proxy errors.

Client reset             Number of times TCP connections with clients were reset.

Server reset             Number of times TCP connections with servers were reset.

No tuple error           Number of tuple errors.

Parse request failure    Number of times parsing of an SMTP request failed.

Server selection failure Number of times selection of a real server failed.

Forward request failure  Number of forward request failures.

Forward REQ data failure Number of forward request data failures.

Request retransmit       Number of retransmitted requests.

Request pkt out-of-order Number of request packets received from clients out of sequence.

Server reselection       Number of times a request was forwarded to another server because the current server was failing.

Server premature close   Number of times the connection with a server closed prematurely.

Server connection made   Number of connections made with servers.

Source NAT failure       Number of source NAT failures.

Init server starttls     Number of STARTTLS sessions initiated with the server.

Real server starttls disable   Number of times the server was unable to negotiate a STARTTLS session.

Server starttls fail     Number of times a server STARTTLS session failed due to a TCP error event.

Example This command shows detailed SMTP SLB statistics for each data processor (DP):
ACOS# show slb smtp detail
                                DP0  DP1  DP2  Total
------------------------------------------------------------------
Current proxy conns 0 0 0 0
Total proxy conns 0 0 0 0
SMTP requests 0 0 0 0
SMTP requests (success) 0 0 0 0
No proxy error 0 0 0 0
Client reset 0 0 0 0
Server reset 0 0 0 0
No tuple error 0 0 0 0
Parse request failure 0 0 0 0
Server selection failure 0 0 0 0
Forward request failure 0 0 0 0
Forward REQ data failure 0 0 0 0
Request retransmit 0 0 0 0
Request pkt out-of-order 0 0 0 0
Server reselection 0 0 0 0
Server premature close 0 0 0 0
Server connection made 0 0 0 0
Source NAT failure 0 0 0 0


show slb spdy-proxy


Description Show statistics for SLB SPDY proxy.

Syntax show slb spdy-proxy [debug] [detail]

Parameter Description

debug Show debug information.

detail Show statistics per CPU in the output.

Mode All

Example Sample output for this command:


ACOS# show slb spdy-proxy
Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
Curr HTTP Proxy Conns 0
Total HTTP Proxy Conns 0
Version 2 Streams 0
Version 3 Streams 0
Curr Streams 0
Total Streams 0
Streams(succ) 0
Server RST sent 0
Server GOAWAY sent 0
TCP sock error 0
Inflate context 0
Deflate context 0
PING sent 0
STREAM not found 0
Client FIN 0
Server FIN 0
Stream close 0
Session close 0
Stream err 0
Session err 0
Control frame received 0


SYN stream 0
SYN reply 0
RST 0
Setting 0
Ping 0
Goaway 0
Headers 0
Window update 0
Data frame received 0
Dt no stream found 0
Dt no stream & goaway 0
Dt no str&gw & cl ses 0
Est callback no tuple 0
Dat callback no tuple 0
Contex alloc fail 0
FIN close session 0
Serv RST close stream 0
Stream found 0
Clse St ses not found 0
Clse St str not found 0
Clsing closed stream 0
Str cl session close 0
Clsing closed session 0
Max conc stream limit 0
Stream alloc fail 0
HTTP conn alloc fail 0
Req/Header alloc fail 0
NV tot len exceed 0
NV zero name length 0
NV ivld http version 0
NV connection 0
NV keep alive 0
NV proxy-connection 0
NV transfer encoding 0
NV no must have 0
Decompress fail 0
SYN after goaway 0
Stream id < previous 0
Str already exist 0
Unidirectional SYN 0
Syn reply alr received 0
Cl RST str not found 0
Win upd no str found 0

Invalid window size 0
Unknown control frame 0
Data on closed stream 0
Invalid frame size 0
Invalid version 0
Hdr after ses close 0
Compr ctx alloc fail 0
Header compress fail 0
HTTP data ses close 0
HTTP data str nt fnd 0
Clse Str not http-pr 0
Session needs reque 0
New Str aftr Ses del 0
HTTP fin str alr clsd 0
HTTP cl str alr clsd 0
HTTP err str alr clsd 0
HTTP hdr str alr clsd 0
HTTP data str alr clsd 0

show slb ssl


Description Show SSL statistics.

Syntax show slb ssl {counters vserver virtual port | error | stats}

Parameter Description

counters   Shows the number of successes and failures for key exchange methods and SSL/TLS version. Shows the session cache count for new, hits, missed, and expired. Shows the average handshake time and total renegotiations.

error      Shows errors such as cookie mismatch, wrong signature length, unsupported cipher, incorrect public key, no certificate returned, etc.

stats      Shows statistics for SSL modules.

stats Shows statistics for SSL modules.


Mode All

Example The following command shows SSL SLB statistics:


ACOS# show slb ssl stats
SSL module: Hardware
Number of SSL modules: 1
SSL module 1
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 0
Current clientside SSL connections: 0
Total clientside SSL connections: 0
Current serverside SSL connections: 0
Total serverside SSL connections: 0
Total Non SSL Bypass connections: 0
Total times of reusing SSL sessions(IDs) in client ssl 0
Total times of reusing SSL sessions(IDs) in server ssl 0
Failed SSL handshakes: 0
Failed crypto operations: 0
SSL memory usage: 8132 bytes
SSL server certificate errors: 0
SSL client certificate authorization failed: 0
SSL fail CA verification 0
HW Context Memory Total Count 497102
HW Context Memory in Use 0
HW Context Memory alloc failed 0
HW ring full 0
Record too big 0
Total client ssl context malloc failures: 0
Maximum SSL contexts 8256
Current SSL contexts in use 0
Static SSL contexts in use 0
Dynamic SSL contexts in use 0
SSL Forward Proxy
Bypass Failsafe SSL sessions: 0
Bypass SNI sessions: 0
Bypass ESNI sessions: 3
Bypass Client Auth sessions: 0
Failed in SSL handshakes: 0
Failed in crypto operations: 0
Failed in TCP: 0
Failed in Certificate verification: 0
Failed in Certificate signing: 0

Invalid OCSP Stapling Response: 0
Revoked OCSP Response: 0
Unsupported SSL version: 0
SSLi Errors
Cert fetch, Fatal alert: 0
Cert fetch, TCP FIN/RST: 0
Cert fetch, validation error: 0
Client SSL, Fatal Alert: 0
Client SSL, TCP FIN/RST, Pinning: 0
Client SSL, Internal error: 0
Client SSL, Unknown error: 0
SSL Session, TCP FIN/RST: 0
Server SSL, Fatal alert: 0
Server SSL, TCP FIN/RST: 0
Server SSL, Internal error: 0
Server SSL, Unknown error: 0

The following table describes the fields on this output.

Field Description

SSL Module               “Hardware” indicates SSL processing occurs in hardware modules. “Software” indicates SSL processing occurs in ACOS software.

Number of SSL modules    Total number of SSL processing modules on the ACOS device.

SSL module n             ID number of the SSL module to which the following statistics apply.

number of enabled crypto engines     Number of SSL encryption/decryption processing engines that are enabled.

number of available crypto engines   Number of SSL encryption/decryption processing engines that are available on the device.

number of requests handled           Number of SSL requests handled by the SSL processing engine.

Current clientside SSL connections   Number of currently active client-side SSL sessions (sessions between ACOS and clients).

Total clientside SSL connections     Total number of client-side SSL sessions since the last time statistics were cleared.

Current serverside SSL connections   Number of currently active server-side SSL sessions (sessions between ACOS and servers).

Total serverside SSL connections     Total number of server-side SSL sessions since the last time statistics were cleared.

Total times of reusing SSL sessions(IDs) in client ssl   SSL session-ID reuse statistics.
Total times of reusing SSL sessions(IDs) in server ssl

Failed SSL handshakes    Number of SSL sessions in which the SSL security handshake failed.

Failed crypto operations Number of times an encryption/decryption failure occurred for an SSL record.

Dropped serverside SSL connections   Total number of server-side SSL sessions dropped since the last time statistics were cleared.

SSL memory usage         Amount of memory in use by the SSL processing module.

SSL server certificate errors   Total count of certificate errors.

SSL fail CA verification   Number of times an SSL session was terminated due to a certificate verification failure.

HW Context Memory Total Count   Total amount of hardware available for SSL context memory allocation.

HW Context Memory in Use   Total amount of hardware in use for SSL context memory allocation.

HW Context Memory alloc failed   Number of times the encryption processor was unable to allocate memory.

HW ring full             Number of times the ACOS software was unable to enqueue an SSL record to the SSL processor for encryption/decryption (number of times the processor reached its performance limit).

Record too big           Number of times the ACOS device received an SSL record that spanned more than 64 packets.

Total client ssl context malloc failures   Number of times ACOS failed to allocate memory for client SSL context memory.

Bypass Failsafe SSL sessions   Number of bypassed SSL sessions.

Bypass SNI sessions      Number of bypassed SSL sessions based on SNI criteria specified in the ACOS configuration.

Bypass ESNI sessions     Number of bypassed SSL sessions based on ESNI criteria specified in the ACOS configuration.

Bypass Client Auth sessions   Number of bypassed SSL sessions based on client authentication criteria specified in the ACOS configuration.

Failed in SSL handshakes   Number of SSL sessions in which the SSL security handshake failed.

Failed in crypto operations   Number of times an encryption/decryption failure occurred for an SSL record.

Failed in TCP            Number of TCP sessions that failed.

Failed in Certificate verification   Number of SSL sessions in which the SSL security handshake failed.

Failed in Certificate signing   Number of times an SSL session was terminated due to a certificate verification failure.

Invalid OCSP Stapling Response   Number of times an SSL session was terminated due to a certificate verification failure message in the OCSP stapling response.

Revoked OCSP Response    Number of times an SSL session was terminated due to a certificate verification failure message in the OCSP response.

NOTE: The descriptions of the SSLi error counter fields are similar to the descriptions of the SSLi inspection failure error logs. For more information, see the SSLi Configuration Guide.


show slb ssl-cert-revoke-stats


Description Show statistics for certificate revocation check.

Syntax show slb ssl-cert-revoke-stats

Example ACOS# show slb ssl-cert-revoke-stats

OCSP stapling response good: 0
Certificate chain status good: 0
Certificate chain status revoked: 0
Certificate chain status unknown: 0
OCSP requests: 0
OCSP responses: 0
OCSP connection errors: 0
OCSP URI not found: 0
OCSP URI https: 0
OCSP URI unsupported: 0
OCSP response status good: 0
OCSP response status revoked: 0
OCSP response status unknown: 0
OCSP cache status good: 0
OCSP cache status revoked: 0
OCSP cache miss: 0
OCSP cache expired: 0
OCSP other errors: 0
CRL requests: 0
CRL responses: 0
CRL connection errors: 0
CRL URI not found: 0
CRL URI https: 0
CRL URI unsupported: 0
CRL response status good: 0
CRL response status revoked: 0
CRL response status unknown: 0
CRL cache status good: 0
CRL cache status revoked: 0
CRL other errors: 0

The following table describes the fields on this output.

Field Description

OCSP stapling response good    Number of times the OCSP stapling response was good.

Certificate chain status good  Number of times the certificate chain status was good.

Certificate chain status revoked   Number of times the certificate chain status was revoked.

Certificate chain status unknown   Number of times the certificate chain status was unknown.

OCSP requests                  Number of OCSP requests.

OCSP responses                 Number of OCSP responses.

OCSP connection errors         Number of OCSP connection errors.

OCSP URI not found             Number of times the OCSP URI was not found.

OCSP URI https                 Number of times the OCSP URI was HTTPS.

OCSP URI unsupported           Number of times the OCSP URI was unsupported.

OCSP response status good      Number of times the OCSP response status was good.

OCSP response status revoked   Number of times the OCSP response status was revoked.

OCSP response status unknown   Number of times the OCSP response status was unknown.

OCSP cache status good         Number of times the OCSP cache status was good.

OCSP cache status revoked      Number of times the OCSP cache status was revoked.

OCSP cache miss                Number of times the OCSP cache was missed.

OCSP cache expired             Number of times the OCSP cache was expired.

OCSP other errors              Number of times OCSP had other errors.

CRL requests                   Number of CRL requests.

CRL responses                  Number of CRL responses.

CRL connection errors          Number of CRL connection errors.

CRL URI not found              Number of times the CRL URI was not found.

CRL URI https                  Number of times the CRL URI was HTTPS.

CRL URI unsupported            Number of times the CRL URI was unsupported.

CRL response status good       Number of times the CRL response status was good.

CRL response status revoked    Number of times the CRL response status was revoked.

CRL response status unknown    Number of times the CRL response status was unknown.

CRL cache status good          Number of times the CRL cache status was good.

CRL cache status revoked       Number of times the CRL cache status was revoked.

CRL other errors               Number of times CRL had other errors.
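Both show slb ssl stats (under show slb ssl above) and show slb ssl-cert-revoke-stats print one counter per line. The Python program below is an added example, not A10 code, that parses those lines and reports the security-relevant counters that are non-zero: the forward-proxy bypass counters (sessions that were not inspected) and the revocation results (certificates found revoked, or whose status could not be fetched). The sample text is a constructed excerpt in the same format as the two outputs, and the watch list of counter names and reasons is this example's choice, not an A10 recommendation.

```python
"""Triage the counters of 'show slb ssl stats' and 'show slb ssl-cert-revoke-stats'.

Added example, not A10 code. Both commands print one counter per line,
mostly as 'Name: value'; a few lines of the SSL stats output omit the colon,
and section headings such as 'SSL Forward Proxy' carry no value at all.
The watch list is a choice made for this example; the sample is constructed.
"""
import re
from typing import Dict, List, Tuple

# 'Name: 3', 'Name 3' -> (Name, 3); lines with trailing units ('8132 bytes') are skipped.
COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?):?\s+(?P<value>\d+)\s*$")

# Counter name -> why a non-zero value deserves a look.
WATCH_LIST = {
    "Bypass Failsafe SSL sessions": "sessions passed through uninspected after a failure",
    "Bypass SNI sessions": "sessions passed through uninspected by SNI rule",
    "Bypass ESNI sessions": "sessions passed through uninspected because of ESNI",
    "Bypass Client Auth sessions": "sessions passed through uninspected (client auth)",
    "SSL fail CA verification": "sessions terminated on CA verification failure",
    "Failed in Certificate verification": "server certificates that failed validation",
    "Revoked OCSP Response": "sessions terminated on a revoked OCSP status",
    "Certificate chain status revoked": "chain contained a revoked certificate",
    "OCSP response status revoked": "OCSP responder reported revoked",
    "CRL response status revoked": "CRL listed the certificate as revoked",
    "OCSP connection errors": "revocation status could not be fetched via OCSP",
    "CRL connection errors": "revocation status could not be fetched via CRL",
}


def parse_counters(text: str) -> Dict[str, int]:
    """Return {name: value} for every line that ends in a bare integer counter."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def triage(text: str) -> List[Tuple[str, int, str]]:
    """(name, value, reason) for each watched counter that is non-zero, in watch-list order."""
    counters = parse_counters(text)
    return [(name, counters[name], reason)
            for name, reason in WATCH_LIST.items()
            if counters.get(name, 0) > 0]


def unanswered_lookups(counters: Dict[str, int], proto: str) -> int:
    """Requests minus responses for 'OCSP' or 'CRL': lookups still pending or lost."""
    return counters.get(f"{proto} requests", 0) - counters.get(f"{proto} responses", 0)


# Constructed excerpt mixing lines in the format of both commands' output.
SAMPLE = """\
SSL module: Hardware
Number of SSL modules: 1
Failed SSL handshakes: 0
SSL memory usage: 8132 bytes
SSL fail CA verification 0
SSL Forward Proxy
Bypass Failsafe SSL sessions: 0
Bypass ESNI sessions: 3
Failed in Certificate verification: 2
Revoked OCSP Response: 0
OCSP requests: 40
OCSP responses: 38
OCSP connection errors: 2
CRL response status revoked: 1
"""

if __name__ == "__main__":
    for name, value, reason in triage(SAMPLE):
        print(f"{name} = {value}: {reason}")
    print("OCSP lookups without a response:", unanswered_lookups(parse_counters(SAMPLE), "OCSP"))
```

Counters are cumulative since the last clear, so in practice you compare two snapshots rather than the absolute value; the same parser serves both snapshots.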

show slb ssl-counters


Description Shows the number of successes and failures for key exchange methods,
and SSL/TLS version. Shows the session cache count for new, hits,
missed, and expired. Shows the average handshake time and total rene-
gotiations.

Syntax show slb ssl-counters [vserver [vport]]

Parameter Description

vserver   Specifies the virtual server name (1 to 127 characters).

vport     Specifies the virtual port ID (integer from 0 to 65534). No default value.

Example In this example, the TPS device is configured with two virtual servers,
vip1 and vip2, each of which is bound to two virtual ports each, 443 and
444.

The statistics of vip1, port 443

ACOS# sh slb ssl-counters vip1 443

Virtual Server Name: vip1 Port: 443
--------------------------------------------------------------------------------
Cumulative sessions = 4

ID Name Successes Failures

0x0300002f TLS1_RSA_AES_128_SHA 1 0
0x0300003d TLS1_RSA_AES_256_SHA256 3 0

Key Exchange Methods Successes Failures

RSA
  1024 bits 4 0
ECDHE
DHE

SSL/TLS Version Successes Failures

TLS1.1 1 0
TLS1.2 3 0

Session Cache Count

New 4
Hit 0
Miss 0
Expired 0

Handshake Average time = 7 ms

Renegotiation Counters
Total renegotiations = 0

Renegotiated SSL/TLS Versions Successes Failures

(none used)

The statistics of vip1, port 444

ACOS# sh slb ssl-counters vip1 444

Virtual Server Name: vip1 Port: 444
--------------------------------------------------------------------------------
Cumulative sessions = 3

ID Name Successes Failures

0x0300000a SSL3_RSA_DES_192_CBC3_SHA 1 0
0x0300009d TLS1_RSA_AES_256_GCM_SHA384 2 0

Key Exchange Methods Successes Failures

RSA
  2048 bits 3 0
ECDHE
DHE

SSL/TLS Version Successes Failures

SSLv3 1 0
TLS1.2 2 0

Session Cache Count

New 3
Hit 0
Miss 0
Expired 0

Handshake Average time = 10 ms

Renegotiation Counters
Total renegotiations = 0

Renegotiated SSL/TLS Versions Successes Failures

(none used)

This show slb ssl-counters output includes the counters for TLS 1.3 cipher suites and for TLS version downgrade (1.3 to 1.2):
ACOS# show slb ssl-counters
Virtual Server Name: vip1
--------------------------------------------------------------------------------
Client ssl stats
Cumulative sessions = 0

ID Name Successes Failures


0x0300c030 TLS1_ECDHE_RSA_AES_256_GCM_SHA384 2 0
0x03001301 TLS13_AES_128_GCM_SHA256 1 0
0x03001302 TLS13_AES_256_GCM_SHA384 6 0
0x03001303 TLS13_CHACHA20_POLY1305_SHA256 3 0

Key Exchange Methods Successes Failures


RSA
ECDHE
DHE

SSL/TLS Version Successes Failures


TLS1.2 2 0

TLS1.3 10 0

The statistics of SNI bypass due to missing cert/key

ACOS# sh slb ssl-counters ep_in_vs

Virtual Server Name: ep_in_vs
--------------------------------------------------------------------------------
Client ssl stats
Cumulative sessions = 1

ID Name Successes Failures


(none used)

Key Exchange Methods Successes Failures


RSA
ECDHE
DHE
SSL/TLS Version Successes Failures
(none used)

Session Cache Count


New 1
Hit 0
Miss 0
Expired 0
Current 0

Handshake Average time = 0 ms


Handshake Failures = 0

Certificate Auth = 0
SNI Auto-Map Successes = 0
SNI Auto-Map Failures = 0
SNI Auto-Map Failures Connection Closed = 0
SNI Auto-Map Failures Max Active Connections = 0
SNI Auto-Map Failures Missing Cert/Key = 0
SNI Bypass due to Missing Cert/Key = 1
SNI Bypass due to Certificate Expired = 0
SNI Bypass due to Matched Explicit Bypass List = 0

Renegotiation Counters
Total renegotiations = 0

Renegotiated SSL/TLS Versions Successes Failures


(none used)
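The show slb ssl-counters output above records which cipher suites, key-exchange sizes and protocol versions clients actually negotiated on a virtual port, which is the evidence needed before switching legacy settings off. The Python program below is an added example, not A10 code, that parses the section layout shown on this page and flags weak negotiations. The sample is constructed to mirror the vip1 port 444 output; the weakness rules in assess() (deprecated protocol versions, static RSA key exchange, 3DES or RC4 suites, RSA keys under 2048 bits, and any SNI bypass) are this example's choice, not an A10 recommendation.

```python
"""Parse 'show slb ssl-counters' output and flag weak negotiations.

Added example, not A10 code. Follows the section layout shown on this page:
the 'ID Name Successes Failures' table, 'Key Exchange Methods' with the key
size rows under each method, 'SSL/TLS Version' and the 'name = value' lines.
The weakness rules are this example's choice; the sample is constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Row(NamedTuple):
    name: str
    successes: int
    failures: int


class SslCounters(NamedTuple):
    ciphers: List[Row]
    key_exchange: Dict[str, List[Row]]  # method -> rows such as Row('2048 bits', 3, 0)
    versions: List[Row]
    counters: Dict[str, int]            # 'name = value' lines


SECTIONS = {"ID Name Successes Failures": "ciphers",
            "Key Exchange Methods Successes Failures": "kx",
            "SSL/TLS Version Successes Failures": "versions"}
ROW_RE = re.compile(r"^(?P<label>.+?)\s+(?P<succ>\d+)\s+(?P<fail>\d+)$")
EQ_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>\d+)(\s+ms)?$")
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLS1.0", "TLS1.1"}


def _row(m, label: Optional[str] = None) -> Row:
    return Row(label or m.group("label"), int(m.group("succ")), int(m.group("fail")))


def parse(text: str) -> SslCounters:
    ciphers: List[Row] = []
    versions: List[Row] = []
    kx: Dict[str, List[Row]] = {}
    counters: Dict[str, int] = {}
    section = method = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        eq = EQ_RE.match(line)               # 'Cumulative sessions = 4', 'Handshake Average time = 7 ms'
        if eq:
            section = None                   # '=' counters sit outside the tables
            counters[eq.group("name").strip()] = int(eq.group("value"))
            continue
        row = ROW_RE.match(line)
        if section == "ciphers" and row:     # '0x0300000a SSL3_RSA_DES_192_CBC3_SHA 1 0'
            ciphers.append(_row(row, row.group("label").split(None, 1)[-1]))
        elif section == "versions" and row:  # 'SSLv3 1 0'
            versions.append(_row(row))
        elif section == "kx":
            if row and method:               # '2048 bits 3 0' belongs to the method named above it
                kx[method].append(_row(row))
            elif line in ("RSA", "ECDHE", "DHE"):
                method = line
                kx.setdefault(method, [])
        # 'Virtual Server Name: ...', '(none used)', 'Client ssl stats' etc. are ignored
    return SslCounters(ciphers, kx, versions, counters)


def assess(stats: SslCounters) -> List[str]:
    """Human-readable findings; an empty list means nothing weak was negotiated."""
    findings: List[str] = []
    for v in stats.versions:
        if v.name in DEPRECATED_VERSIONS and v.successes:
            findings.append(f"deprecated protocol {v.name} negotiated {v.successes} time(s)")
    for c in stats.ciphers:
        if re.match(r"^(SSL3|TLS1)_RSA_", c.name) and c.successes:
            findings.append(f"static RSA key exchange, no forward secrecy: {c.name} x{c.successes}")
        if ("CBC3" in c.name or "RC4" in c.name) and c.successes:
            findings.append(f"legacy cipher: {c.name} x{c.successes}")
    for r in stats.key_exchange.get("RSA", []):
        bits = int(r.name.split()[0])
        if bits < 2048 and r.successes:
            findings.append(f"RSA key exchange with a {bits}-bit key x{r.successes}")
    for name, value in stats.counters.items():
        if name.startswith("SNI Bypass") and value:
            findings.append(f"{name} = {value} (sessions not intercepted)")
    return findings


# Constructed sample mirroring the page's vip1 port 444 output (blank lines dropped).
SAMPLE = """\
Virtual Server Name: vip1 Port: 444
--------------------------------------------------------------------------------
Cumulative sessions = 3
ID Name Successes Failures
0x0300000a SSL3_RSA_DES_192_CBC3_SHA 1 0
0x0300009d TLS1_RSA_AES_256_GCM_SHA384 2 0
Key Exchange Methods Successes Failures
RSA
2048 bits 3 0
ECDHE
DHE
SSL/TLS Version Successes Failures
SSLv3 1 0
TLS1.2 2 0
Handshake Average time = 10 ms
"""

if __name__ == "__main__":
    print("\n".join(assess(parse(SAMPLE))))
```

Run against the SNI-bypass example above, the "SNI Bypass due to ..." lines are picked up by EQ_RE and reported as findings, which is the quickest way to notice that an SSLi virtual server is letting sessions through without a certificate and key.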


show slb ssl-crl


Description Show the retrieved Certificate Revocation List for a specific virtual port. If
the certificate issuers have listed expiration dates for the certificates,
then this command will show you the issuer and the expired or not
expired status.

Syntax show slb ssl-crl vserver vport

Example ACOS# show slb ssl-crl vip1 443

Virtual server(vipw : 443):

----Retrieved CRL----
Issuer: /C=FR/O=Certplus/CN=Class 2 Primary CA
Status: Not expired

Issuer: /OU=GlobalSign Root CA - R2/O-


O=GlobalSign/CN=GlobalSign
Status: Expired

Issuer: /CN=ComSign Secured CA/O=ComSign/C=IL


Status: Expired

Issuer: /C=US/O=Network Solutions L.L.C./CN=Network Solu-


tions Certificate Authority
Status: Expired

Issuer: /C=US/O=SecureTrust Corporation/CN=Secure Global CA


Status: Expired

Issuer: /C=US/O=SecureTrust Corporation/CN=SecureTrust CA


Status: Expired

Issuer: /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig


Status: Expired

Issuer: /C=EU/O=AC Camerfirma SA CIF A82743287/OU-


U=http://www.chambersign.org/CN=Chambers of Commerce Root
Status: Expired

Issuer: /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
Status: Expired

788
Chapter 27: SLB Show Commands
Feedback ACOS 5.2.1-P3 Command Line Reference for ADC

Issuer: /C=EU/O=AC Camerfirma SA CIF A82743287/OU=http://www.chambersign.org/CN=Global Chambersign Root
Status: Expired

Issuer: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
Status: Expired

Issuer: /C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
Status: Not expired

Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
Status: Expired

Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=Secure Certificate Services
Status: Expired

Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
Status: Expired

Issuer: /C=HU/L=Budapest/O=Microsec Ltd./OU=e-Szigno CA/CN=Microsec e-Szigno Root CA
Status: Expired

Issuer: /CN=Autoridad de Certificacion Raiz del Estado Venezolano/C=VE/L=Caracas/ST=Distrito Capital/O=Sistema Nacional de Certificacion Electronica/OU=Superintendencia de Servicios de Certificacion Electronica/emailAddress=acraiz@suscerte.gob.ve
Status: Not expired

----End of CRL----

17 CRL retrieved
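An expired CRL is the security-relevant condition in this output: the revocation list held by the device is stale, so a certificate revoked since the CRL's next-update time would still be accepted until the list is refreshed. The following Python parser is an added example for this page, not part of the A10 documentation or of ACOS. It reads text captured from show slb ssl-crl (the sample below is constructed, modelled on the output above), pairs each Issuer with its Status, lists the expired issuers, and cross-checks the number of parsed entries against the trailing "N CRL retrieved" line. The continuation-line handling assumes that a long issuer DN may be wrapped by the terminal; that is an assumption, not documented CLI behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the show slb ssl-crl output above.
SAMPLE_OUTPUT = """\
Virtual server(vip1 : 443):

----Retrieved CRL----
Issuer: /C=FR/O=Certplus/CN=Class 2 Primary CA
Status: Not expired

Issuer: /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
Status: Expired

Issuer: /C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
Status: Not expired

----End of CRL----

3 CRL retrieved
"""

_RETRIEVED = re.compile(r"^(\d+) CRL retrieved$")


def parse_ssl_crl(text: str) -> List[Tuple[str, bool]]:
    """Return (issuer, expired) pairs in the order the CLI printed them."""
    entries: List[Tuple[str, bool]] = []
    issuer: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            issuer = line[len("Issuer:"):].strip()
        elif line.startswith("Status:"):
            if issuer is None:
                raise ValueError("Status line without a preceding Issuer line")
            status = line[len("Status:"):].strip().lower()
            if status not in ("expired", "not expired"):
                raise ValueError(f"unexpected status {status!r}")
            entries.append((issuer, status == "expired"))
            issuer = None
        elif issuer is not None and line and not line.startswith("----"):
            # Assumption: a long issuer DN wrapped by the terminal continues
            # on the next line; re-join it before the Status line arrives.
            issuer = issuer + " " + line
    return entries


def crl_summary(text: str) -> Dict[str, object]:
    """Summarise a capture: parsed vs. reported count, and the expired issuers."""
    entries = parse_ssl_crl(text)
    reported: Optional[int] = None
    for raw in text.splitlines():
        m = _RETRIEVED.match(raw.strip())
        if m:
            reported = int(m.group(1))
    expired = [issuer for issuer, is_expired in entries if is_expired]
    return {
        "parsed": len(entries),
        "reported": reported,
        "consistent": reported == len(entries),   # mismatch means a truncated capture
        "expired": expired,
    }


if __name__ == "__main__":
    summary = crl_summary(SAMPLE_OUTPUT)
    print(f"{summary['parsed']} CRL parsed, {summary['reported']} reported")
    for issuer in summary["expired"]:
        print("EXPIRED:", issuer)
```

Run against a capture taken on a schedule, a non-empty "expired" list is the condition to alert on; a false "consistent" flag means the capture was cut short (for example by a pager) and the result should not be trusted.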

show slb ssl-expire-check


Description Display information about email notification of expired certificates.

Syntax show slb ssl-expire-check

Mode All


show slb ssl-cert-pinning-candidate-list


Description Show or clear certificate pinning candidate list (in descending order of
counter).

Syntax show slb ssl-cert-pinning-candidate-list


clear slb ssl-cert-pinning-candidate-list {server-name} <1-255 characters>

Mode All

Example  
ACOS(config)# show slb ssl-cert-pinning-candidate-list
SNI Counter TTL
--------------------------
youtube.com 10 1440
gmail.com 6 1440
google.com 5 1440
yahoo.com 3 1440
api.snapcraft.io 1 1430

The following table describes the fields in the show command output.

Field Description

SNI Server Name Indication (SNI) or destination domain.

Counter Number of times certificate pinning was observed for this SNI.

TTL Time-to-Live (TTL) value of the entry.


show slb ssl-forward-proxy-cert


Description Display hash entries for server certificates forged by the ACOS device for SSLi, and the status of the forward-proxy-cert process. The state field shows whether the server certificate is being verified, whether a certificate is being forged, whether the ACOS software is ready to forge a new certificate, or whether the forged certificate is ready in the cache.

Syntax show slb ssl-forward-proxy-cert name num {ipaddr | all} [sni]

Parameter Description

name Wildcard VIP name.

num Virtual port number to which clients send requests (for example, 443).

ipaddr | all Displays entries for the certificate associated with a specific server IP address or for all server IP addresses. The default is all.

sni The full or partial SNI of the server from which the inside ACOS device imported the self-signed certificate and private key.

 l If you enter the IP address of the server, sni must be the full SNI, exactly as it appears in the certificate cache. The hashing activity for only that specific certificate is reported.
 l If you enter the keyword all, sni can be a partial match to the full server name. If a group of servers meets this partial match, all servers in this group are reported.

Usage The following field values appear in the output of this command:


Field Description

Real Server The IP address and protocol port of the server that clients are trying to connect to.

Server Name The URL or SNI of the server that clients are trying to connect to.

state  l state: cert verifying: The certificate of the server specified by the Real Server and Server Name fields is in the process of being verified.
 l state: cert forging: The ACOS device is forging the certificate it will use for SSL sessions with clients trying to reach the specified server.
 l state: ready to forge: The ACOS device has verified that the specified server's certificate is not revoked, and it is ready to forge the certificates it will use for SSL sessions with clients trying to reach the specified server.
 l state: ready: The forged certificate is in the ACOS cache.

hit times The number of new sessions that have matched this certificate.

idle time The amount of time since the previous hit.

timeout after The certificate is removed after this amount of idle time without any hits.

expires after The certificate is removed after this amount of time has passed since the certificate was created.

serial (hex) Certificate serial number in hexadecimal.

Default None

Mode All

Example The following example is for dynamic port SSLi:

ACOS# show slb ssl-forward-proxy-cert inside 0 ip 10.10.10.1 443 www.example.com
----Start One Certificate---
Real Server : 10.10.10.1 :443 tcp
Servername: www.example.com
ALPN Protocol: ALPN NONE
state: ready
hash index : 5864
hit times : 1
idle time : 33 seconds
timeout after 3567 seconds
expires after 604758 seconds
version : 3

[output truncated]
serial(hex): 0123e2
Total number of particular certificates that are printed is 1
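The two timers in this output bound the life of a forged certificate: "timeout after" counts down idle time since the last hit, and "expires after" counts down from creation regardless of hits, so a busy entry is still discarded eventually and the real server's certificate is verified again. The following Python class is an added example written for this page, not ACOS code. It models a forged-certificate cache keyed on the Real Server address, port and Servername with both timers, evicts on lookup rather than serving a stale entry, and reproduces the figures in the example output (idle time 33, timeout after 3567, expires after 604758) from an assumed idle timeout of 3600 seconds and an assumed lifetime of 604800 seconds. The starting serial number and the key layout are assumptions too.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Cache key as shown in the output: Real Server address and port plus Servername.
Key = Tuple[str, int, str]


@dataclass
class ForgedCert:
    serial_hex: str
    created_at: float   # when the certificate was forged
    last_hit: float     # last time a new session used it
    hit_times: int = 0


class ForgedCertCache:
    """Model of the two timers reported by show slb ssl-forward-proxy-cert.

    idle_timeout: seconds without a hit before the entry is dropped
                  (reported as "timeout after" = idle_timeout - idle time).
    lifetime:     seconds after creation before the entry is dropped even if
                  it is busy (reported as "expires after"); this bounds how
                  long a forged certificate outlives the verification of the
                  real server's certificate.
    Both defaults are assumptions chosen to reproduce the example output.
    """

    def __init__(self, idle_timeout: int = 3600, lifetime: int = 604800) -> None:
        self.idle_timeout = idle_timeout
        self.lifetime = lifetime
        self._entries: Dict[Key, ForgedCert] = {}
        self._next_serial = 0x0123E2   # assumed starting serial, matches the example

    def _alive(self, entry: ForgedCert, now: float) -> bool:
        return (now - entry.last_hit < self.idle_timeout
                and now - entry.created_at < self.lifetime)

    def lookup(self, key: Key, now: float) -> Optional[ForgedCert]:
        """Return the cached entry for a new session, or None on a miss.

        An entry past either timer is evicted here rather than served, so a
        stale forged certificate is never handed to a client.
        """
        entry = self._entries.get(key)
        if entry is None:
            return None
        if not self._alive(entry, now):
            del self._entries[key]
            return None
        entry.hit_times += 1
        entry.last_hit = now
        return entry

    def forge(self, key: Key, now: float) -> ForgedCert:
        """Miss path: on the device this follows the cert verifying and cert
        forging states; here the forged certificate is represented by its serial."""
        entry = ForgedCert(serial_hex=format(self._next_serial, "06x"),
                           created_at=now, last_hit=now)
        self._next_serial += 1
        self._entries[key] = entry
        return entry

    def status(self, key: Key, now: float) -> Optional[Dict[str, int]]:
        """The counters the CLI prints for one entry, or None if it is gone."""
        entry = self._entries.get(key)
        if entry is None or not self._alive(entry, now):
            return None
        idle = int(now - entry.last_hit)
        age = int(now - entry.created_at)
        return {
            "hit times": entry.hit_times,
            "idle time": idle,
            "timeout after": self.idle_timeout - idle,
            "expires after": self.lifetime - age,
        }


if __name__ == "__main__":
    cache = ForgedCertCache()
    key = ("10.10.10.1", 443, "www.example.com")
    cache.forge(key, now=0)           # certificate forged at t=0
    cache.lookup(key, now=9)          # first new session 9 s later: hit
    print(cache.status(key, now=42))  # same figures as the example output above
```

The design point is in lookup: expiry is checked on the read path, so a cache that is never swept still cannot serve an entry whose lifetime has elapsed.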

show slb ssl-forward-proxy-stats


Description Show SSLi statistics.

Syntax show slb ssl-forward-proxy-stats

Default None

Mode All

Example The following example shows the counter fields provided by the show slb
ssl-forward-proxy-stats command.


ACOS(config)# show slb ssl-forward-proxy-stats


Bypass Failsafe SSL sessions: 0
Bypass SNI sessions: 0
Bypass ESNI sessions: 3
Bypass Client Auth sessions 0
Failed in SSL handshakes 0
Failed in crypto operations 0
Failed in TCP 0
Failed in Certificate verification 0
Invalid OCSP Stapling Response 0
Revoked OCSP Response 0
Unsupported SSL version 0
Certificates created 0
Certificates expired 0
Certificate cache hits 0
Certificate cache miss 0
Connections bypassed 0
Connections inspected 0

show slb ssl-ocsp cache


Description Displays summarized contents of the SSL OCSP cache.

Syntax show slb ssl-ocsp cache

Default None

Mode All

Usage The following table describes the fields in the command output:

Field Description

Total The total number of cached entries.

Common Name The common name of the certificate.

Status Good, Revoked, or Unknown, indicating the certificate's OCSP status.

Example The following example displays the contents of the SSL OCSP cache:
ACOS# show slb ssl-ocsp cache
Total: 2
Common Name                               Status
-------------------------------------------------------------------
Company1 Internet Authority G2            Good
Company2 Root Certificate Authority - G2  Good

show slb ssl-ocsp cache detail


Description Displays detailed contents of the SSL OCSP cache.

Syntax show slb ssl-ocsp cache detail

Default None

Mode All

Usage The following table describes the fields in the command output:

Field Description

Total The total number of certificates in the ACOS cache.

Name Certificate name.

Subject Certificate subject name.

Length Length of the certificate in bytes.

URI URI of the certificate owner.

Expire Time in seconds remaining before the certificate expires.

Hits Number of times the certificate was served from the cache during an SSL proxy handshake with a client.


Example Use this command to display information on the SSL OCSP cache, including the certificate name, status, subject, length, URI, expiration, and number of hits:
ACOS# show slb ssl-ocsp cache detail
Total: 1
-------------------------------------------------------------------
Name: Company1 Internet Authority G2
Status: Good
Subject: /C=US/O=Company1 Inc/CN=Company1 Internet Authority G2
Length: 1012
URI: http://a.example.com/
Expire: 17731488
Hits: 760

show slb switch


Description Show SLB switching statistics.

Syntax show slb switch [detail | ethernet port-num [detail]]

Parameter Description

detail Shows statistics per individual CPU in the output.

ethernet port-num Shows statistics only for the specified Ethernet port.

Mode All

Example The following command shows summary SLB switching statistics:


ACOS# show slb switch
Total
------------------------------------------------------------
------
L2 Forward 2793
L3 IP Forward 0
IPv4 No Route Drop 0
L3 IPv6 Forward 0
IPv6 No Route Drop 0


L4 Process 709223
Incorrect Len Drop 0
Prot Down Drop 289
Unknown Prot Drop 32136
TTL Exceeded Drop 0
Link Down Drop 0
SRC Port Suppresion 0
VLAN Flood 141022
IP Fragment received 0
ARP REQ received 80272
ARP RESP received 15939
Forward Kernel 91163
IP(TCP) Fragment received 0
IP Fragment Overlap 0
IP Frag Overload Drops 0
IP Fragment Reasm OKs 23
IP Fragment Reasm Fails 0
IP Fragment Timeout 0
Anomaly Land Attack Drop 0
Anomaly IP OPT Drops 0
Anomaly PingDeath Drop 0
Anomaly All Frag Drop 0
Anomaly TCP noFlag Drop 0
Anomaly SYN Frag Drop 0
Anomaly TCP SYNFIN Drop 0
Anomaly Any Drops 0
BPDUs Received 0
BPDUs Sent 0
ACL Denys 0
SYN rate exceeded Drop 0
Packet Error Drops 0
IPv6 Frag UDP 0
IPv6 Frag TCP 0
IPv6 Frag ICMP 0
IPv6 Frag OSPF 0
IPv6 Frag ESP 0
IPv6 Frag Reasm OKs 0
IPv6 Frag Reasm Fails 0
IPv6 Frag Invalid Pkts 0
Bad Pkt Drop 0
IP Frag Exceed Drop 0
IPv4 No L3 VLAN FWD Drop 0
IPv6 No L3 VLAN FWD Drop 0

L2 Default Vlan FWD Drop 507865
BW Limit Drop 0
License Expire Drop 0
L4 Misc Er 0
Management Service Drop 0
Jumbo Frag Drop 0
IPv6 Jumbo Frag Drop 0

The following table describes the fields in the command output.

Field Description

L2 Forward When the ACOS device is acting as a Layer 2 switch and receives a packet whose destination MAC address is in its MAC table, ACOS sends the packet to the outgoing interface (as per the MAC table entry) and increments this counter.

L3 IP Forward Number of packets that have been Layer 3 routed.

IPv4 No Route Drop Number of IPv4 packets that were dropped due to routing failures.

L3 IPv6 Forward Number of IPv6 packets that have been Layer 3 routed.

IPv6 No Route Drop Number of IPv6 packets that were dropped due to routing failures.

L4 Process Number of packets that went to a VIP or NAT for processing.

Incorrect Len Drop Number of packets dropped due to incorrect protocol length.

Note: A high value for this counter can indicate a packet length attack.

Prot Down Drop Number of IPv4 packets received on an interface for which no IPv4 address was configured, plus the number of IPv6 packets received on an interface for which no IPv6 address was configured.

Unknown Prot Drop Number of times ACOS dropped a packet because it was not IPv4, IPv6, or ARP.

TTL Exceeded Drop Number of packets dropped due to TTL expiration.

Link Down Drop Number of packets dropped because the outgoing link was down.

SRC Port Suppression Number of packets dropped because the source and destination interfaces within the same VLAN are the same.

VLAN Flood Number of times ACOS received a packet whose destination MAC address was not in the MAC table, causing ACOS to flood the packet out all other interfaces on the VLAN.

IP Fragment received Number of IPv4 fragments received.

ARP REQ received Number of ARP requests the ACOS device received.

ARP RESP received Number of ARP responses the ACOS device received in response to ARP requests it sent.

Forward Kernel When the ACOS device receives a packet that must be handled by the kernel (for example, health-monitor, LACP, or ARP packets), ACOS forwards it to the kernel for processing and increments this counter.

IP(TCP) Fragment received Number of IP TCP fragments received.

IP Fragment Overlap Number of overlapping fragments received.

IP Frag Overload Drops Number of fragments dropped due to overload.

IP Fragment Reasm OKs Number of successfully reassembled IP fragments.

IP Fragment Timeout Number of times the ACOS device did not receive the subsequent fragments needed to complete reassembly.

IP Fragment Reasm Fails Number of IP fragment reassembly failures.

Anomaly Land Attack Drop Number of SYN packets dropped because they were spoofed (used the destination IP address as the source IP address).

Anomaly IP OPT Drops Number of packets dropped because they had IP options set.

Anomaly PingDeath Drop Number of oversized (longer than 32 K) ICMP packets dropped.

An oversized ICMP packet can crash, freeze, or reboot the target, causing a denial of service (DoS).

Anomaly All Frag Drop Number of IP fragments dropped.

Anomaly TCP noFlag Drop Number of TCP packets dropped because they had no flags set.

TCP packets are normally sent with at least one bit in the flags field set.

Anomaly SYN Frag Drop Number of TCP SYN packets dropped because they had the fragmentation bit set.

A SYN fragment attack floods the target host with fragmented SYN packets. An unprotected host stores the fragments in order to reassemble them. By never completing the connection and flooding the host with such fragments, the attacker can eventually fill up the host's memory buffer.

Anomaly TCP SYNFIN Drop Number of TCP packets dropped because they had both the SYN and FIN bits set.

An attacker can send a packet with both bits set to determine what kind of system reply is returned, and then use that system information for further attacks using known system vulnerabilities. Also, some older devices let such packets through even when an ACL is defined, because the TCP connection is not considered to be established.

Anomaly Any Drops Total number of packets dropped by IP anomaly filtering.

BPDUs Received Number of Bridge Protocol Data Units (BPDUs) received.

BPDUs Sent Number of Bridge Protocol Data Units (BPDUs) sent.

ACL Denys Number of times traffic was not forwarded due to a deny rule in an Access Control List (ACL).

This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL rules.

SYN rate exceeded Drop Number of packets dropped because the TCP SYN threshold had been exceeded.

Packet Error Drops Number of times the ACOS device dropped a packet due to a TCP/UDP checksum error.

IPv6 Frag UDP Number of IPv6 UDP fragments received by the ACOS device.

IPv6 Frag TCP Number of IPv6 TCP fragments received by the ACOS device.

IPv6 Frag ICMP Number of IPv6 ICMP fragments received by the ACOS device.

IPv6 Frag OSPF Number of IPv6 OSPF fragments received by the ACOS device.

IPv6 Frag ESP Number of IPv6 ESP fragments received by the ACOS device.

IPv6 Frag Reasm OKs Number of successfully reassembled IPv6 fragments.

IPv6 Frag Reasm Fails Number of IPv6 fragment reassembly failures.

IPv6 Frag Invalid Pkts Number of IPv6 fragments that were invalid.

Bad Pkt Drop Number of bad packets dropped; this is a cumulative number for all packets that could not be processed (for example, a packet with an incorrect length).

IP Frag Exceed Drop Number of fragmented IP packets that were dropped because they exceeded the allowed maximum.

IPv4 No L3 VLAN FWD Drop Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv4 ACL.

IPv6 No L3 VLAN FWD Drop Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv6 ACL.

L2 Default VLAN FWD Drop Number of destination-lookup-failure (DLF) packets dropped because the ACOS device is configured to disallow flooding on the default VLAN (VLAN 1).

BW Limit Drop Number of packets dropped because they exceeded the bandwidth limit.

NOTE: This field does not apply to hardware models.

License Expire Drop Number of packets dropped due to an invalid license.

NOTE: This field does not apply to hardware models.

L4 Misc Er Number of Layer 4 packets dropped due to miscellaneous errors.

Management Service Drop Number of times management traffic was dropped because the specific service type was not enabled.

Jumbo Frag Drop Number of dropped fragmented IPv4 jumbo packets.

IPv6 Jumbo Frag Drop Number of dropped fragmented IPv6 jumbo packets.

Example The following command shows detailed SLB switching statistics for Eth-
ernet port 1:
ACOS# show slb switch ethernet 1 detail
DP0 DP1 DP2 Total
------------------------------------------------------------
------
L2 Forward 2115 227 453 2795
L3 IP Forward 0 0 0 0
IPv4 No Route Drop 0 0 0 0
...
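Each Anomaly counter in the table above is a simple header test, which makes the set easy to reproduce offline when you want to know which counter a given packet would hit before sending it at a device. The following Python classifier is an added example for this page, not ACOS code. It parses raw IPv4 and TCP headers with struct and returns the show slb switch counter names a packet would increment under the rules the table describes (land attack, IP options, any fragment, TCP with no flags, SYN+FIN, fragmented SYN, and ICMP longer than 32 K), then tallies a batch of packets into counters including Anomaly Any Drops. The header builders and sample packets are constructed for the example; the 32 K threshold is taken from the table, and evaluating the ping-of-death check on fragment offset plus fragment length is an assumption about how an oversized, fragmented ICMP datagram is recognised.

```python
import socket
import struct
from collections import Counter
from typing import Dict, Iterable, List

IPPROTO_ICMP = 1
IPPROTO_TCP = 6

TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_FLAG_MASK = 0x3F              # FIN SYN RST PSH ACK URG
PING_OF_DEATH_BYTES = 32 * 1024   # "longer than 32 K", from the table above


def classify_ipv4(pkt: bytes) -> List[str]:
    """Return the show slb switch counters this IPv4 packet would increment.

    Only the Anomaly checks described in the field table are modelled; an
    empty list means the packet passed all of them.
    """
    if len(pkt) < 20:
        return ["Bad Pkt Drop"]
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return ["Bad Pkt Drop"]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return ["Incorrect Len Drop"]

    hits: List[str] = []
    if ihl > 20:                                   # any IP option present
        hits.append("Anomaly IP OPT Drops")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8        # header field is in 8-byte units
    is_fragment = more_fragments or frag_offset != 0
    if is_fragment:
        hits.append("Anomaly All Frag Drop")

    l4 = pkt[ihl:total_len]
    # The TCP header is only present in the first fragment (offset 0).
    if proto == IPPROTO_TCP and frag_offset == 0 and len(l4) >= 20:
        flags = l4[13] & TCP_FLAG_MASK
        if flags == 0:
            hits.append("Anomaly TCP noFlag Drop")
        if flags & TCP_SYN and flags & TCP_FIN:
            hits.append("Anomaly TCP SYNFIN Drop")
        if flags & TCP_SYN:
            if src == dst:                         # land attack: src spoofed as dst
                hits.append("Anomaly Land Attack Drop")
            if is_fragment:
                hits.append("Anomaly SYN Frag Drop")
    elif proto == IPPROTO_ICMP and frag_offset + len(l4) > PING_OF_DEATH_BYTES:
        # Assumption: an oversized ICMP datagram is recognised from the
        # fragment that reaches past the limit (offset plus payload length).
        hits.append("Anomaly PingDeath Drop")
    return hits


def tally(packets: Iterable[bytes]) -> Dict[str, int]:
    """Aggregate per-packet results into counters like the CLI output."""
    counts: Counter = Counter()
    for pkt in packets:
        hits = classify_ipv4(pkt)
        counts.update(hits)
        if any(h.startswith("Anomaly") for h in hits):
            counts["Anomaly Any Drops"] += 1
    return dict(counts)


# --- constructed sample packets (no checksums; never sent anywhere) --------

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *, options: bytes = b"",
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    options += b"\x00" * (-len(options) % 4)       # IHL counts 32-bit words
    ihl = 20 + len(options)
    flags_frag = (0x2000 if more_fragments else 0) | ((frag_offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    # minimal 20-byte header: data offset 5, window 65535, zero checksum
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


SAMPLE_PACKETS = {
    "clean SYN":     build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, build_tcp(40000, 443, TCP_SYN)),
    "land":          build_ipv4("10.0.0.2", "10.0.0.2", IPPROTO_TCP, build_tcp(443, 443, TCP_SYN)),
    "syn+fin":       build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, build_tcp(40000, 443, TCP_SYN | TCP_FIN)),
    "null scan":     build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, build_tcp(40000, 443, 0)),
    "ip options":    build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, build_tcp(40000, 443, TCP_SYN),
                                options=b"\x01\x01\x01\x01"),          # four NOP options
    "syn fragment":  build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, build_tcp(40000, 443, TCP_SYN),
                                more_fragments=True),
    "ping of death": build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ICMP, b"\x00" * 1480,
                                frag_offset=32800),                    # tail fragment past 32 K
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:14s} -> {classify_ipv4(pkt) or ['ok']}")
    print(tally(SAMPLE_PACKETS.values()))
```

Note that one packet can raise several counters at once (a fragmented SYN counts under both Anomaly All Frag Drop and Anomaly SYN Frag Drop) while Anomaly Any Drops counts it only once, which is why the per-counter values in the CLI output can sum to more than the total.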

show slb syn-cookie


Description Show SLB hardware SYN-cookie statistics.

Syntax show slb syn-cookie

Mode All


show slb syn-cookie-buffer


Description Show SYN-cookie buffer statistics.

Syntax show slb syn-cookie-buffer

Mode All

Example The following command shows SYN-cookie buffer information:


ACOS# show slb syn-cookie-buffer
Maximum SYN cookie buffer size : 10
Total SYN cookie buffer queued : 0
Total SYN cookie buffer drop : 0

show slb tcp stack


Description Show statistics for TCP SLB.

Syntax show slb tcp stack [detail]

Parameter Description

detail Show statistics per CPU in the output.

Mode All

Example The following command shows summary TCP stack statistics:


ACOS# show slb tcp stack
Total
------------------------------------------------------------
------
Currently EST conns 29
Active open conns 6968
Passive open conns 7938
Connect attemp failures 0
Total in TCP packets 678804
Total out TCP packets 712974
Retransmited packets 359
Resets received on EST conn 5369
Reset Sent 4303

The following table describes the fields in the command output.

Field Description

Currently EST conns Current number of established TCP connections being handled by the proxy.

Active open conns Number of TCP connections the proxy opened actively (connections it initiated).

Passive open conns Number of TCP connections the proxy opened passively (connections it accepted).

Connect attemp failures Number of TCP connection attempts that failed.

Total in TCP packets Total number of TCP packets received by the TCP proxy.

Total out TCP packets Total number of TCP packets sent by the TCP proxy.

Retransmitted packets Number of TCP packets retransmitted by the TCP proxy.

Resets received on EST conn Number of TCP resets received for established connections.

Reset Sent Number of TCP resets sent by the ACOS device.

TCPIP out noroute Number of times a packet could not be sent because no route was found.

Example The following command shows summary TCP stack statistics when
proxy header is configured:
ACOS# show slb tcp stack extend | section Proxy
Proxy header v1 1
Proxy header v2 0
!


show run slb template


Description Show configuration information for SLB templates. The template con-
figuration commands in the running-config are displayed.

Syntax show run slb template
[template-type
[certificate-status]
[default]
[template-name]
[url-stats]
[virtual-server]
]
[all-partitions]
[partition {shared | name}]
Parameter Description

template-type The type of SLB template to show. Enter show slb template ? to view a list of supported template types.

certificate-status Show the status of the virtual server's certificate (OCSP stapling).

default Show the configuration of the default template.

template-name Show the configuration of the specified template.

virtual-server Show the configuration of the specified virtual server template.

all-partitions Show SLB template configuration in all partitions.

partition Show SLB template configuration in the specified partition only.

Mode All

Example The following command shows the template configuration commands in the running-config on an ACOS device:
ACOS# show run slb template
slb template udp udp-aging
aging immediate
slb template http X-Forwarded-For
insert-client-ip "X-Forwarded-For"
compression minimum-content-length 120
slb template http clientip-insert
insert-client-ip "x-Forwarded-For"
slb template http cookie-delete
header-erase "Cookie"
slb template http hostdelete
header-erase "Host"
slb template http hostinsert
header-insert "Host: www.example.com"
slb template http http100
header-insert "Expect: 100-continue"
slb template http httpinsert
header-erase "Host"
header-insert "Host: www.example.com"
slb template tcp-proxy tcp-timeout
idle-timeout 180
slb template connection-reuse creuse
timeout 60
--MORE--

To view the SLB virtual server template configuration:
ACOS(config)# show run slb template virtual-server
slb template virtual-server default
disable-when-any-port-down
!
slb template virtual-server disable-when-all
disable-when-all-ports-down

To view the client SSL template URL statistics:
ACOS(config)# show slb template client-ssl SSL-test
Category hits:
military 0
violence 0
Other Categories 1

Reputation hits:
trustworthy 2
low-risk 1
moderate-risk 0
suspicious 0
malicious 0

show slb template policy forward-policy-stats


Description Displays statistics for the configured forward policies, such as explicit proxy, EP/TP for HTTP, and SSL policy.

Syntax show slb template policy forward-policy-stats

Mode All

Usage Statistics for the following fields are displayed:

Field Description

slb template policy name The name of the policy template the forward-policy is bound to.

Source NAT failure The count of source NAT failures.

Unresolved DNS requests The count of DNS requests for the IP address of the downstream server that could not be resolved.

Outstanding DNS requests The current number of queued DNS requests.

Hits The count of matches to the source IP address specified in the forward-policy.

Requests forward to Internet The count of hits that have been forwarded to the Internet URL requested by the clients.

Requests forward to Service Group The count of hits that have been forwarded to the service-group specified in the forward-policy.

Requests forward to Proxy The count of hits forwarded to another HTTP proxy server specified in the forward-policy.

Requests dropped The count of client connection requests dropped.

Source Match not found The count of client connection requests whose source IP address did not match any source in the forward-policy.

Expected Client HELLO requests not found The count of client connection requests in which the Client Hello message was absent or could not be parsed.

Example The policy template defines what actions are applied to upstream traffic
by the client-facing virtual server on the ACOS device. A configuration of
this policy template follows:
slb template policy Explicit_Proxy
forward-policy
action Permit_to_Internet
forward-to-internet FW1_Inspect_SG snat Internet_Pool
log
source Any_Source
match-any
destination any action Permit_to_Internet

Example The statistics for the policy template Explicit_Proxy follow:


ACOS# show slb template policy forward-policy-stats

slb template policy name: Explicit_Proxy
Source NAT failure: 0
Unresolved DNS requests: 0
Outstanding DNS requests: 0
Hits: 0
Requests forward to Internet: 0
Requests forward to Service Group: 0
Requests forward to Proxy: 0
Requests dropped: 0
Source Match not found: 0
Expected Client HELLO requests not found: 0

ACOS(config)# show slb template policy forward-policy-stats

slb template policy name: HTTP-POLICY
Source NAT failure: 0
Unresolved DNS requests: 0
Outstanding DNS requests: 0
Hits: 0
Requests forward to Internet: 0
Requests forward to Service Group: 0
Requests forward to Proxy: 0
Requests dropped: 0
Source Match not found: 0
Expected Client HELLO requests not found: 0

slb template policy name: SSL-POLICY
Source NAT failure: 0
Unresolved DNS requests: 0
Outstanding DNS requests: 0
Hits: 0
Requests forward to Internet: 0
Requests forward to Service Group: 0
Requests forward to Proxy: 0
Requests dropped: 0
Source Match not found: 0
Expected Client HELLO requests not found: 0

slb template policy name: Explicit_Policy_SSLi
Source NAT failure: 0
Unresolved DNS requests: 0
Outstanding DNS requests: 0
Hits: 0
Requests forward to Internet: 0
Requests forward to Service Group: 0
Requests forward to Proxy: 0
Requests dropped: 0
Source Match not found: 0
Expected Client HELLO requests not found: 0

show slb virtual-server


Description Show information for SLB virtual servers.

Syntax show slb virtual-server [


virtual-server-name
[vport-num
{
port-type [service-group-name] |
[application-statistics] |
detail |
dns-cache {entry {dns-class string | dns-type string |
domain-name {dns_domain_name | fqdn_domain} name}}|
host-hits-counter {host-name | all} |
url-hits-counter {url-string | all}
}
]
[bind]
[config]
[all-partitions]
[partition {shared | name}]


Option Description

virtual-server-name Shows information only for the specified virtual server.

The vport-num port-type option shows information only for the specified virtual port on the virtual server.

 l The service-group-name option further restricts the output, to show information only for the specified service group.
 l The application-statistics option displays statistics related to an application.
 l The detail option displays connection and packet statistics. Specifying detail also shows the connection rate per virtual port for each virtual server. For more information, see the examples below.
 l The dns-cache option, together with entry, displays the DNS cache entries that match one of the following filters:
   o dns-class - You can specify one of the following DNS classes:
     o IN – INTERNET class
     o CH – CHAOS class
     o HS – HESIOD class
     o NONE – NONE class
     o ANY – ANY class
     o num - Other class value (1-65535)
   o dns-type - You can specify one of the following DNS types:
     o A – Address type
     o AAAA – IPv6 Address type
     o CNAME – Canonical name type
     o MX – Mail exchange type
     o NS – Name server type
     o SRV – Service locator
     o PTR – PTR resource type
     o SOA – Start of authority type
     o TXT – Text type
     o ANY – All cached types
     o num - Other type value (1-65535)
   o domain-name - You can specify either one of the following:
     o dns_domain_name – Domain name
     o fqdn_domain – Fully qualified domain name
 l The host-hits-counter option displays rule-matching statistics for host switching. Each time traffic matches a host-matching rule in an HTTP template, the applicable “hits” counter is incremented.
 l The url-hits-counter option displays rule-matching statistics for URL switching. Each time traffic matches a URL-switching rule in an HTTP template, the applicable “hits” counter is incremented.

all-partitions Show information for all partitions.

bind Includes the service groups and real servers and ports bound to the virtual ports.

config Displays virtual-server configuration information.

You can optionally specify the partition for which you want to view this configuration.

partition Show information for a specific partition.

Mode All

Usage To display virtual-server information for a specific partition, use the par-
tition option; use partition shared for the shared partition, or par-
tition name, where name is a specific L3V partition.

Example The following command shows summary information for all virtual serv-
ers:
ACOS# show slb virtual-server
Total Number of Virtual Services configured: 2
Virtual Server Name    IP        Current     Total       Request  Response  Peak
  Service-Group        Service   connection  connection  packets  packets   connection
---------------------------------------------------------------------------------------
*v-server(A)           3.1.1.99
  port 80    http                0           3           14       10        611
    abctcp   80/http             0           2           14       10        2112
    Total received conn attempts on this port: 3
  port 53    udp                 0           0           0        0         411
    abcudp   53/udp              0           0           0        0         696969
    Total received conn attempts on this port: 0
...

The following table describes the fields in the command output.


Field Description

Total Number of Virtual Services configured Total number of virtual services (virtual server ports) configured on the ACOS device.

Virtual Server Name Name of the virtual server.

Underneath the virtual server name, each of the virtual ports on the server is listed, followed by the service groups in which the virtual server and the virtual port are members.

In the example above, virtual server “v-server” has two virtual ports, HTTP port 80 and UDP port 53. HTTP port 80 is a member of service group “abctcp”, and UDP port 53 is a member of service group “abcudp”.

For each VIP, its VRRP-A state on the ACOS device is shown by one of the following:

 l (A) – VIP is in active state on this ACOS device.
 l (S) – VIP is in standby state on this ACOS device.

The primary servers are listed under the virtual port. If alternates are configured for a primary server, the alternates are listed under the primary server. If an asterisk is shown at the end of an alternate server name, the primary server is down and the alternate server is active instead.

IP Virtual IP address of the virtual server.

Current connection Current number of connections to the virtual service port.

NOTE: Connection and packet counters are listed separately for virtual ports and for service groups.

Total connection Total number of connections to the virtual service port.

Request packets Number of request packets received for the virtual service.

Response packets Number of server reply packets sent by the ACOS device for the virtual service.

Peak connection Peak connection count.

Note: Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:

 l slb common (global)
 l extended-stats (individual virtual server)
 l extended-stats (individual virtual service port)

Total received conn attempts on this port Total number of connection requests received for this port.

Service-Group Service group bound to the virtual service.

Service Virtual service port number and service type.

Example This command shows status information for SLB virtual server “v-server”:
ACOS(config)# show slb virtual-server v-server
Virtual server: v-server   State: All Up   IP: 3.1.1.99
Port                Curr-conn  Total-conn  Rev-Pkt  Fwd-Pkt  Peak-conn
-------------------------------------------------------------------------------------

Virtual Port:80 / service:abctcp / state:All Up
port 80   http      0          3           10       14       1011
Source NAT Pool: pootest

Virtual Port:53 / service:abcudp / state:All Up
port 53   udp       0          0           0        0        811
Source NAT Pool: pootest
Total Traffic       0          3           10       14       1822
...

The following table describes the fields in the command output.

Field Description

Virtual server Name of the virtual server.

State State information is shown separately for virtual servers and for individual virtual ports.

Virtual server state:

 l All Up – All virtual ports on the virtual server are Running.
 l Functional Up – Some of the virtual ports are Running or Functional Running, but at least one of them is not Running.
 l Partial Up – At least one virtual port is Running or Functional Running, but at least one other virtual port is Down.
 l Down – All the virtual ports are Down.
 l Disb – The virtual server has been administratively disabled.

Virtual port state:

 l All Up – All members (real servers and ports) in all service groups bound to the virtual port are up.
 l Functional Up – At least one member in a service group bound to the virtual port is up, but not all members are up.
 l Down – All members in all service groups bound to the virtual port are down.
 l Disb – The virtual port has been administratively disabled.

IP Virtual IP address of the virtual server.

Port Virtual port number and service type.

Curr-conn Current number of connections to the virtual service port.

Total-conn Total number of connections to the virtual service port.

Rev-Pkt Number of server reply packets sent by the ACOS device for the virtual service.

Fwd-Pkt Number of request packets received for the virtual service.

Peak-conn Peak connection count.

NOTE: Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:

 l slb common (global)
 l extended-stats (individual virtual server)
 l extended-stats (individual virtual service port)

Example    The following command shows configuration information:

ACOS# show slb virtual-server config
Total Number of Virtual Services configured: 1
Virtual server Name Address
------------------------------------------------
louis2 192.168.20.253
member0:louis 80/http
Source NAT Pool: p1 HTTP Template: clientip-insert
Reuse Template: cr Persist Cookie:cookie-persist
aFleX: bugzilla_proxy_fix

The following table describes the fields in the command output.

Field                                        Description
Total Number of Virtual Services configured  Total number of virtual services (virtual server ports) configured on the ACOS device.
Virtual server Name                          Name of the virtual server.
Address                                      Virtual IP address of the virtual server.
member                                       Real server bound to the virtual server. The number at the end is assigned by the ACOS device for this show command output.
                                             Under the member name, the NAT pools and SLB templates bound to the virtual server are listed.

Example    The following command shows configuration information for named SLB service groups:

ACOS (config-slb svc group)# show slb virtual-server vip 80 http
Service group name: sg
Type: tcp Distribution: Svc Wtd RR
Health Check: None
Member Count: 2
Pri  Port/State  Curr-conn  Total-conn  Rev-Pkt  Fwd-Pkt  Peak-conn
-------------------------------------------------------------------------------------
1    s:80/Up     0          0           0        0        1011
1    s2:80/Up    0          0           0        0        1011
Virtual Port Traffic  0          0           0        0        1822

In this example, 2 service groups are configured. Each service group takes the weight from the service group member; it reuses the weight of the service member for the real server port number.

Example    The following command shows details for a virtual server:

ACOS# show slb virtual-server vip1 detail
Virtual server name: vip1
Virtual server IP address: 200.200.200.100
Virtual server MAC: 021f:a000:0000
Virtual server template: adi
Connection rate limit: 800000 per second
Connection rate over limit action: drop
Current connection: 24254
Current request: 0
Total connection: 3024486
Total request: 0
Total request success: 0
Total forward bytes: 2561556963
Total forward packets: 42249486
Total reverse bytes: 286542491
Total reverse packets: 75962845
Peak connections: 0
Current connection rate: 121 per second

The following table describes the fields in the command output.

Field                      Description
Virtual server name        Name of the virtual server.
Virtual server IP address  IP address of the virtual server.
Virtual server MAC         MAC address of the VIP.
Virtual server template    Name of the virtual server template bound to the virtual server.
Current connection         Current number of connections to the virtual port.
Current request            Current number of HTTP requests being processed by the virtual port.
                           NOTE: In this field and the Total request and Total request success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb common.
Current response           Current number of HTTP responses being processed by the virtual port.
Total connection           Total number of connections that have been made to the virtual port.
Total request              Total number of HTTP requests processed by the virtual port.
Total response             Total number of HTTP responses processed by the virtual port.
Total request success      Total number of HTTP requests that were successful.
Total response success     Total number of HTTP responses that were successful.
Total forward bytes        Number of request bytes forwarded to the virtual port.
Total forward packets      Number of request packets forwarded to the virtual port.
Total reverse bytes        Number of request bytes received from the virtual port.
Total reverse packets      Number of request packets received from the virtual port.
Peak connections           Peak connection count.
                           Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:
                            l slb common (global)
                            l extended-stats (individual virtual server)
                            l extended-stats (individual virtual service port)
Current connection rate    Current connection rate for the virtual port on the virtual server.
Current request rate       Current request rate for the virtual port on the virtual server.
Current response rate      Current response rate for the virtual port on the virtual server.

Example    The following command shows details for a virtual port on a virtual server:

ACOS(config)# show slb virtual-server vip1 80 detail
Virtual port name: vip1:80:tcp
Virtual port number: 220.220.220.100:80
Virtual port template: default
Current connection: 11216
Current request: 0
Current response: 0
Total connection: 6215984
Total request: 0
Total response: 0
Total request success: 0
Total response success: 0
Total forward bytes: 51614803
Total forward packets: 80370519
Total reverse bytes: 3536281441
Total reverse packets: 39742461
Peak connections: 0
Response time: 1
Fastest Rsp time: 1
Slowest Rsp time: 1
Current connection rate: 268 per second
Current request rate: 0 per second
Current response rate: 0 per second

The following table describes the fields in the command output.

Field                    Description
Virtual port name        Name of the virtual server, virtual port, and port type.
Virtual port number      IP address of the virtual server and protocol port number of the virtual port.
Virtual port template    Name of the virtual port template bound to the virtual port.
Current connection       Current number of connections to the virtual port.
Current request          Current number of HTTP requests being processed by the virtual port.
                         In this field and the Total request and Total request success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb common.
Total connection         Total number of connections that have been made to the virtual port.
Total request            Total number of HTTP requests processed by the virtual port.
Total request success    Total number of HTTP requests that were successful.
Total forward bytes      Number of request bytes forwarded to the virtual port.
Total forward packets    Number of request packets forwarded to the virtual port.
Total reverse bytes      Number of request bytes received from the virtual port.
Total reverse packets    Number of request packets received from the virtual port.
Peak connections         Peak connection count.
                         NOTE: Peak connection statistics are collected only if the extended-stats option is enabled. To enable extended-stats, see the following:
                          l slb common (global)
                          l extended-stats (individual virtual server)
                          l extended-stats (individual virtual service port)
Current connection rate  Current connection rate for the virtual port on the virtual server.

Example    The following command shows service group and port bindings:

ACOS# show slb virtual-server bind
---------------------------------------------------------------------------------
*Virtual Server : SanJose(A) 192.192.100.100 Down
    +port 80 tcp ====>sg-80-1 State :Down
        +rs-http:80 192.168.215.16 State : Down
*Virtual Server : Chicago(A) 192.192.200.200 All Up
    +port 80 tcp ====>sg-80-2 State :All Up
        +rs-http-2:80 192.168.215.13 State : Up

In this example, virtual port 80 on virtual server SanJose is bound to real port 80 on real server rs-http in service group sg-80-1. Likewise, virtual port 80 on virtual server Chicago is bound to real port 80 on real server rs-http-2 in service group sg-80-2.

For each VIP, its VRRP-A state on the ACOS device is shown by one of the following:
• (A) – VIP is in active state on this ACOS device.
• (S) – VIP is in standby state on this ACOS device.

Example    The following example shows the information displayed if alternate (backup) servers are configured:

ACOS(config)# show slb virtual-server bind
Total Number of Virtual Services configured: 1
---------------------------------------------------------------------------------
*Virtual Server : http-with-alternates(A) 192.168.10.10 Functional Up
    +port 80 http ====>http1 State :Functional Up
        +rs1:80 10.10.10.10 State : Up
            Alternate: rs1-a1, rs1-a2, rs1-a3
        +rs2:80 10.10.10.20 State : Down
            Alternate: rs2-a1*, rs2-a2, rs2-a3

The primary servers are listed under the virtual port. Under each primary server, that server’s alternate servers are listed.

If an asterisk is shown at the end of an alternate server name, the primary server is down and the alternate server is active instead. In the example above, rs2 is down, so alternate rs2-a1 is being used instead.
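As an added example (not A10 code), the following Python parser turns this bind output into a structure a monitoring job can check: it records each VIP's VRRP-A state, the service group and real servers behind each virtual port, and which alternate carries the asterisk, then lists the conditions worth alerting on. The sample output is constructed from the two bind examples above and assumes the virtual server state is printed on the same line as the VIP.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the two bind examples above; not real device output.
SAMPLE_BIND_OUTPUT = """\
*Virtual Server : SanJose(A) 192.192.100.100 Down
    +port 80 tcp ====>sg-80-1 State :Down
        +rs-http:80 192.168.215.16 State : Down
*Virtual Server : http-with-alternates(S) 192.168.10.10 Functional Up
    +port 80 http ====>http1 State :Functional Up
        +rs1:80 10.10.10.10 State : Up
            Alternate: rs1-a1, rs1-a2, rs1-a3
        +rs2:80 10.10.10.20 State : Down
            Alternate: rs2-a1*, rs2-a2, rs2-a3
"""

VS_RE = re.compile(r"^\*Virtual Server\s*:\s*(\S+?)\((A|S)\)\s+(\S+)\s+(.+?)\s*$")
PORT_RE = re.compile(r"^\+port\s+(\d+)\s+\S+\s+====>(\S+)\s+State\s*:\s*(.+?)\s*$")
RS_RE = re.compile(r"^\+(\S+):(\d+)\s+(\S+)\s+State\s*:\s*(.+?)\s*$")
ALT_RE = re.compile(r"^Alternate:\s*(.+?)\s*$")

@dataclass
class RealServer:
    name: str
    port: int
    ip: str
    state: str
    alternates: List[str] = field(default_factory=list)
    active_alternate: Optional[str] = None  # the alternate shown with a trailing '*'

@dataclass
class VirtualPort:
    port: int
    service_group: str
    state: str
    members: List[RealServer] = field(default_factory=list)

@dataclass
class VirtualServer:
    name: str
    vrrp_a: str  # 'A' = VIP active on this device, 'S' = standby
    ip: str
    state: str
    ports: List[VirtualPort] = field(default_factory=list)

def parse_bind_output(text: str) -> Dict[str, VirtualServer]:
    servers: Dict[str, VirtualServer] = {}  # walks VIP -> port -> real server -> alternates
    vs = vp = rs = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := VS_RE.match(line):
            vs = servers[m[1]] = VirtualServer(m[1], m[2], m[3], m[4])
        elif (m := PORT_RE.match(line)) and vs is not None:
            vp = VirtualPort(int(m[1]), m[2], m[3])
            vs.ports.append(vp)
        elif (m := RS_RE.match(line)) and vp is not None:
            rs = RealServer(m[1], int(m[2]), m[3], m[4])
            vp.members.append(rs)
        elif (m := ALT_RE.match(line)) and rs is not None:
            for alt in (a.strip() for a in m[1].split(",")):
                if alt.endswith("*"):  # primary is down; this alternate is serving
                    alt = rs.active_alternate = alt[:-1]
                rs.alternates.append(alt)
    return servers

def findings(servers: Dict[str, VirtualServer]) -> List[str]:
    out: List[str] = []  # alert conditions: active VIP not All Up, or a failed-over primary
    for vs in servers.values():
        if vs.vrrp_a == "A" and vs.state != "All Up":
            out.append(f"{vs.name}: active on this device but state is '{vs.state}'")
        for vp in vs.ports:
            for rs in vp.members:
                if rs.active_alternate:
                    out.append(f"{vs.name}:{vp.port}: {rs.name} down, alternate {rs.active_alternate} in use")
    return out
```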

Example    The following example demonstrates the DNS statistics displayed for a virtual server:

ACOS(config)# show slb virtual-server v1 53 dns-tcp application-statistics
Total DNS Query: 0
Total Malformed Query: 0
DNS Response Rate Limiting Total Allowed: 0
DNS Response Rate Limiting Total Dropped: 0
DNS Response Rate Limiting Total Slipped: 0
DNS Response Rate Limiting Bad FQDN: 0
Total DNS Filter Query Type Drop: 0
Total DNS Filter Query Class Drop: 0
DNS Filter Query Type A Drop: 0
DNS Filter Query Type AAAA Drop: 0
DNS Filter Query Type CNAME Drop: 0
DNS Filter Query Type MX Drop: 0
DNS Filter Query Type NS Drop: 0
DNS Filter Query Type SRV Drop: 0
DNS Filter Query Type PTR Drop: 0
DNS Filter Query Type SOA Drop: 0
DNS Filter Query Type TXT Drop: 0
DNS Filter Query Type ANY Drop: 0
DNS Filter Query Type OTHERS Drop: 0
DNS Filter Query Class INTERNET Drop: 0
DNS Filter Query Class CHAOS Drop: 0
DNS Filter Query Class HESIOD Drop: 0
DNS Filter Query Class NONE Drop: 0
DNS Filter Query Class ANY Drop: 0
DNS Filter Query Class OTHERS Drop: 0
DNS Recursive Resolution Started: 0
DNS Recursive Resolution Succeeded: 0
DNS RPZ Action Drop: 0
DNS RPZ Action Pass Through: 0
DNS RPZ Action Force Switching TCP: 0
DNS RPZ Action NXDOMAIN Return: 0
DNS RPZ Action NODATA Return: 0
DNS RPZ Action Walled Garden: 0
DNS RPZ Trigger Client IP: 0
DNS RPZ Trigger Response IP: 0
DNS RPZ Trigger NS IP: 0
DNS RPZ Trigger QNAME: 0
DNS RPZ Trigger NS Domain Name: 0

show web-category
Description    Shows information about the current operation of the Web Category feature.

Syntax    show web-category {bypassed-urls [num | all] | database | intercepted-urls [num | all] | license | url-category name [local-db-only] | version}

Parameter                              Description
bypassed-urls [num | all]              Lists the URLs bypassed by the Web Category feature.
                                       num – Specifies the number of URLs to list, 1-8000. The most recently bypassed URLs, up to the number you specify, are listed.
                                       all – Displays the entire list of URLs bypassed by the feature.
                                       The entries are listed beginning with the most recently bypassed URL on top. If a URL is bypassed multiple times, the URL is listed separately for each time it is bypassed.
                                       By default, the 50 most recent entries are shown.
database                               Shows information about the currently loaded BrightCloud database.
intercepted-urls [num | all]           Lists the URLs intercepted by the Web Category feature.
                                       num – Specifies the number of URLs to list, 1-8000. The most recently intercepted URLs, up to the number you specify, are listed.
                                       all – Displays the entire list of URLs intercepted by the feature.
                                       The entries are listed beginning with the most recently intercepted URL on top. If a URL is intercepted multiple times, the URL is listed separately for each time it is intercepted.
                                       By default, the 50 most recent entries are shown.
license                                Shows detailed information about the license.
url-category url-name [local-db-only]  Shows the categories returned by the BrightCloud library for the specified URL.
                                       local-db-only – Checks only the local database and service cache. Does not make a cloud query to fetch the category list for this URL.
version                                Shows the current version of the Web Category engine.

Mode    All

Example    The following command shows the URLs bypassed by the Web Category feature:

ACOS#show web-category bypassed-urls
paper.example.com
paper.example.com
paper.example.com
paper.example.com
step.example.com
metrics1.example.com
step.example.com
paper.example.com
online.example.com
...

Example    The following command shows information about the currently loaded BrightCloud database:

ACOS#show web-category database
Database Name : full_bcdb_4.827.bin
Database Status : Active
Database Size : 351 MB
Database Version : 827
Last Update Time : Wed Jul 6 19:39:59 2016
Next Update Time : Fri Jul 8 00:00:22 2016
Connection Status : GOOD
Last Successful Connection : Thu Jul 7 00:39:22 2016

Example    The following command shows the URLs intercepted by the Web Category feature:

ACOS#show web-category intercepted-urls
fhr.data.example.com
fhr.data.example.com
fhr.data.example.com
aus3.example.org
blocklist.addons.example.org
aus4.example.org
versioncheck-bg.addons.example.org
versioncheck-bg.addons.example.org
services.addons.example.org
aus3.example.org
fhr.data.example.com
...

Example    The following commands show the web categories to which some individual URLs belong. In this example, the categories for the URLs in the ACOS device’s local database match the most recent categorizations from the BrightCloud server.

ACOS#show web-category url-category www.google.com
Search Engines
ACOS#show web-category url-category www.google.com local-db-only
Search Engines
ACOS#show web-category url-category www.youtube.com
Streaming Media
ACOS#show web-category url-category www.youtube.com local-db-only
Streaming Media

Example    The following command shows the current version of the Web Category engine:

ACOS#show web-category version
version: 4.0

show web-reputation
Description    Displays the URLs which are bypassed/intercepted by web-reputation rules in the client-ssl template, and checks the reputation score for specific URLs.

Syntax    show web-reputation {bypassed-urls | intercepted-urls | url-reputation URL name}

Option            Description
bypassed-urls     Shows the list of bypassed URLs, when the request is bypassed by web reputation rules.
intercepted-urls  Shows the list of intercepted URLs, when the request is intercepted by web reputation rules.
url-reputation    Shows the URL reputation score returned by the BrightCloud library for a URL.

Mode    SLB client SSL template show mode

Example    The following command shows the URLs bypassed by the web reputation feature:

ACOS#show web-reputation bypassed-urls
Score URL
79 www.77file.com
81 www.testing.com
81 a10networks.com
...

Example    The following command shows the URLs intercepted by the web reputation feature:

ACOS#show web-reputation intercepted-urls
Score URL
10 17ebook.com
40 gerry90160.a10-tplab.com
54 earn4files.com

Example    The following commands show the web reputation scores of the URLs:

ACOS#show web-reputation url-reputation www.google.com local-db-only
trustworthy(81)
ACOS# show web-reputation url-reputation www.google.com
trustworthy(81)
ACOS# show web-reputation url-reputation www.abc.com local-db-only
can not find reputation score from local database
ACOS# show web-reputation url-reputation www.abc.com
trustworthy(96)


Chapter 28: ADC support on Chassis
Starting with ACOS version 5.1.0, ADC is supported on chassis. To enable ADC support on chassis, set chassis-application-type to adc.

The following topics are covered:

chassis-application-type
Key Considerations

chassis-application-type
Description    The command is used to set the application type on a dual chassis box.

Syntax    chassis-application-type [adc | cgn]

Default    cgn

Mode    All

Usage    It is mandatory to configure the chassis-application-type as adc or cgn before configuring any other command. The box should be rebooted to switch between the modes.
While switching the box from CGN to ADC, ADC related configuration should not exist on the box on any of the partitions (shared/L3v/service). Execute the chassis-application-type command as adc and save the configuration.
Similarly, to configure the box for CGN, run the chassis-application-type command as cgn and save the configuration. CGN related configuration should not exist on the box on any of the partitions (shared/L3v/service).

NOTE: To save the chassis-application-type in the startup config, execute the write memory command.

Example    ACOS(config)#chassis-application-type adc

Key Considerations
Key considerations for ADC support on chassis are mentioned below:

 l Broadcom layer is common for the Master and the blade.
 l Vrid is the primary way of sending traffic between the Master and the blade.
 l An ‘odd’ vrid cannot be created before an ‘even’ vrid is created. An error is displayed in this case, as the vrids come in pairs. Vrid 1 can be created since vrid 0 is the default vrid and is assumed to be present.
 l The odd and even vrid numbers bind as a pair. For example, vrid 4 and vrid 5 have the same status (active/standby).
 l Each service partition follows only one vrid.
 l Configuration on templates that is associated with a service group should not use default templates, as default templates are bound to both odd and even vrid.
 l Objects with explicit or inherited vrid support are not shared between the master and the blade. For example, virtual-server, service-group, server and ip nat pools.
 l Packets associated with an ‘even’ vrid are directed to the Master, while packets associated with an ‘odd’ vrid are directed to the blade. If vrid is 0, all the packets are directed to the Master.
 l If an object does not have a vrid config field, but is associated with objects that have a vrid config field, then one instance of such an object can be associated with only one instance of the object that has the vrid config field. For example, one instance of service group can be associated with only one virtual-server.
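The vrid rules above can be checked before a change is typed into the device. The following Python pre-flight check is an added example, not ACOS code; it encodes only the rules in the list (vrid 0 is the default and always present, an odd vrid needs its even partner created first, even vrids steer to the Master and odd vrids to the blade, and both members of a pair share one status).

```python
from typing import Dict, List, Optional, Tuple


def vrid_target(vrid: int) -> str:
    """Chassis component that receives packets for this vrid (vrid 0 -> Master)."""
    if vrid < 0:
        raise ValueError("vrid must be non-negative")
    return "Master" if vrid % 2 == 0 else "blade"


def vrid_pair(vrid: int) -> Tuple[int, int]:
    """The (even, odd) pair a vrid belongs to, e.g. 5 -> (4, 5)."""
    even = vrid - (vrid % 2)
    return even, even + 1


def check_vrid_creation_order(planned: List[int],
                              existing: Optional[List[int]] = None) -> List[str]:
    """Simulate creating vrids in 'planned' order and return one message per
    vrid the device would reject.  'existing' lists vrids already configured;
    vrid 0 is always assumed present, so vrid 1 never needs a partner created."""
    present = set(existing or ()) | {0}
    errors: List[str] = []
    for v in planned:
        even, odd = vrid_pair(v)
        if v == odd and even not in present:
            errors.append(f"vrid {v}: create even vrid {even} first")
            continue  # the rejected vrid is not added, so later odd vrids see the same gap
        present.add(v)
    return errors


def pair_status(even_status: Dict[int, str]) -> Dict[int, str]:
    """Expand a status map keyed by even vrid (e.g. {4: 'active'}) to both members
    of each pair, since the odd vrid always carries the status of its even partner."""
    expanded: Dict[int, str] = {}
    for even, status in even_status.items():
        if even % 2:
            raise ValueError(f"vrid {even} is odd; key the map by the even vrid")
        expanded[even] = expanded[even + 1] = status
    return expanded
```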

The supported show commands related to the applications and templates are mentioned below:

 l SNMP and external VCS are not supported. Also, only UDP based syslogs are supported; TCP based syslogs are not supported.
 l VRRP configuration sync with an external device is not supported.
 l Persist sessions are not supported on chassis.

Supported vports or Templates

Supported vports or applications
udp           UDP Port
http          HTTP Port
https         HTTPS port
tcp-proxy     Generic TCP proxy
dns-tcp       DNS service over TCP
dns-udp       DNS service over UDP
ftp           File Transfer Protocol Port
ftp-proxy     ftp proxy port
fast-http     Fast HTTP Port

Supported Templates
client-ssl    Client SSL Template
cipher        SSL Cipher Template
dns           DNS Template
ftp           FTP Template
http          HTTP Template
port          Port Template
server        Server Template
server-ssl    Server Side SSL Template
tcp           L4 TCP switch config
tcp-proxy     TCP Proxy
udp           L4 UDP switch config
virtual-port  Virtual port template
