ACOS 5.2.1-P3
Command Line Interface Reference
for ADC
December, 2021
PATENT PROTECTION
A10 Networks, Inc. products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks, Inc. products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at: a10-virtual-patent-marking.
TRADEMARKS
A10 Networks, Inc. trademarks are listed at: a10-trademarks
CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.
DISCLAIMER
This document does not create any express or implied warranty about A10 Networks, Inc. or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks, Inc. has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks, Inc. assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks, Inc. for current information regarding its products or services. A10 Networks, Inc. products and services are subject to A10 Networks, Inc. standard terms and conditions.
ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks, Inc. location, which can be found by visiting www.a10networks.com.
Table of Contents
Chapter 1: Overview
Chapter 2: Config Commands: SLB
Global Configuration Mode
slb common
slb resource-usage
slb resource-usage threshold
slb server
slb service-group
slb ssl-cert-revoke sampling-enable
slb ssl-expire-check email-address
slb ssl-expire-check exception
slb ssl-forward-proxy sampling-enable
slb ssl-module
slb svm-source-nat pool
slb template
slb transparent-acl-template
slb transparent-tcp-template
slb virtual-server
SLB Common Configuration Commands
aflex-table-entry-aging-interval
aflex-table-entry-sync
buff-thresh
compress-block-size
conn-rate-limit src-ip
ddos-protection
ddos-protection logging
ddos-protection packets-per-second
disable-adaptive-resource-check
disable-server-auto-reselect
dns-cache-age
dns-cache-enable
Contents
ACOS 5.2.1-P3 Command Line Reference for ADC
dns-cache-entry-size
dns-response-rate-limiting
dns-vip-stateless
drop-icmp-to-vip-when-vip-down
dsr-health-check-enable
ecmp-hash
enable-l7-req-acct
extended-stats
fast-path-disable
gateway-health-check
graceful-shutdown
honor-server-response-ttl
hw-compression
hw-syn-rr
low-latency
l2l3-trunk-lb-disable
max-buff-queued-per-conn
max-http-header-count
msl-time
mss-table
no-auto-up-on-aflex
rate-limit-logging
reset-stale-session
scale-out
service-group-on-no-dest-nat-vports
snat-gwy-for-l3
snat-on-vip
sort-res
ssli-sni-hash-enable
stats-data-disable
stateless-sg-multi-binding
use-mss-tab
forward-proxy-selfsign-redir
forward-proxy-source-nat
forward-proxy-ssl-version
forward-proxy-trusted-ca
forward-proxy-verify-cert-fail-action
handshake-logging-enable
hsm-param
local-logging
non-ssl-bypass
ocsp-stapling
renegotiation-disable
server-name
server-name-auto-map
server-name-regex
server-name-bypass
session-cache-size
session-cache-timeout
session-ticket-lifetime
session-ticket-disable
ssl-false-start-disable
ssli-logging
sslv2-bypass
template
version
dh-param
early-data
ec-name
enable-ssli-ftp-alg
enable-tls-alert-logging fatal
forward-proxy-enable
handshake-logging-enable
ocsp-stapling
renegotiation-disable
server-certificate-error
server-name
session-cache-size
session-cache-timeout
session-ticket-enable
ssli-logging
template cipher
use-client-sni
version
action
bw-rate-limit
conn-limit
conn-rate-limit
over-limit-action
request-limit
request-rate-limit
response-code-rate-limit
conn-limit
conn-rate-limit
dns-query-interval
dynamic-server-prefix
extended-stats
health-check
health-check-disable
log-selection-failure
max-dynamic-server
min-ttl-ratio
slow-start
spoofing-cache
stats-data-enable
stats-data-disable
weight
user
reassembly-limit
reassembly-timeout
receive-buffer
reno
reset-fwd
reset-rev
retransmit-retries
syn-retries
timewait
transmit-buffer
reset-l7-on-failover
reset-unknown-conn
snat-msl
snat-port-preserve
stats-data-disable
stats-data-enable
template server
weight
stats-data-enable
template client-ssl
template logging
template policy
template scaleout
template server
template virtual-server
vrid
redirect-fwd
redirect-rev
redirect-to-https
reply-acme-challenge
reset-on-server-selection-fail
rtp-sip-call-id-match
service-group
skip-rev-hash
snat-on-vip
source-nat auto
source-nat pool
source-nat use-cgnv6
support-http2
stats-data-disable
stats-data-enable
syn-cookie
template
template virtual-port
use-default-if-no-server
use-rcv-hop-for-resp
Chapter 1: Overview
This reference lists the ACOS CLI commands that apply specifically to Application Delivery Controller (ADC) or Server Load Balancing (SLB) features.
Common commands available at all configuration levels (clear, debug, do, end, exit, no, show, write) are described in the Command Line Interface Reference.
For detailed information about system-level commands or using the CLI, refer to the Command Line Interface Reference guide.
Chapter 2: Config Commands: SLB
This section lists the commands and sub-commands to configure SLB common parameters. In some cases, the commands create an SLB configuration item and change the CLI to the configuration level for that item.
slb common
slb resource-usage
slb server
slb service-group
slb ssl-module
slb template
slb transparent-acl-template
slb transparent-tcp-template
slb virtual-server
slb common
Description Access the SLB configuration level for system-wide SLB parameters.
This command changes the CLI to the SLB common configuration level
for system-wide SLB parameters, where the commands in SLB Common
Configuration Commands are available.
slb resource-usage
Default The default maximum number for each type of system resource depends on the specific device model. To display the defaults and current values for your device, enter the show system resource-usage command.
Usage These SLB resources are configurable at the system level and not limited to the partition level. The maximum number of resources you can configure depends on the resource type and the specific ACOS device. To display the range of values that are valid for a resource, enter a question mark instead of a quantity.
• For these SLB templates, the maximum is 256 each, and is not configurable:
  • SIP
  • SMTP
  • Policy (PBSLB)
• For RAM caching templates, the total number allowed is 128 each.
• The maximum number of health monitors is 1024 (not configurable).
• The total number of wildcard VIPs allowed is 200 and is not configurable.
• For every type of system resource that has a default, the ACOS device reserves one instance of the resource.
Example This example configures capacity maximums for virtual ports (2000) and virtual servers (400), then specifies the number of configured ports (1200) and servers (240) that triggers a log message and notification.
slb server
Description Configure a real server. Use the first command shown in the examples below to create or delete a server. Use the second command to edit a server.
Default N/A
Usage This command creates a new or edits an existing real server and changes the CLI to the server configuration level (Config Commands: SLB Servers).
A new real server is created, if required, by adding a server to a service group, obviating the need to explicitly create a real server prior to adding it to a group. The IP address of the server can be in either IPv4 or IPv6 format.
The maximum number of real servers is configurable. See slb resource-usage.
Example The following example creates a new real server with an IPv4 address:
ACOS(config)# slb server rs1 10.10.10.99
ACOS(config-real server)#
Example The following example creates a new real server with an IPv6 address:
ACOS(config)# slb server rs2 2020:3e8::3
ACOS(config-real server)#
Example The following example creates a real server associated with Ethernet interface 2 and adds TCP port 80:
ACOS(config)# slb server rs2 ethernet 2
ACOS(config-real server)# port 80 tcp
Example The following example creates an SLB server that reuses the same AAM authentication server (IPv4 address):
ACOS(config)# slb server 192.168.90.136 use-aam-server
ACOS(config-real server)# port 389 tcp
slb service-group
Description Configure an SLB service group.
Usage The normal form of this command creates a new or edits an existing service group. The CLI changes to the configuration level for the service group. See Config Commands: SLB Service Groups.
slb ssl-expire-check email-address
Usage One notification is sent per day. If a certificate is updated before expiration, or at least before the configured interval, no more notification emails are sent for that certificate.
slb ssl-forward-proxy sampling-enable
Description Enable sampling of SSL forward-proxy events for display in the GUI or for query by the AXAPI.
slb ssl-module
Description Switch the SSL module modes.
NOTE:
• QAT and N5 options are SSL hardware-assisted acceleration modules and not on-board SSL processors.
• Reboot the system after configuring the option for it to take effect.
Default None
slb template
Description Configure an SLB template.
Default The templates have default settings, and some template types are automatically added to a virtual port depending on its service type. For information, see the Application Delivery Controller Guide.
Usage The normal form of this command creates a new or edits an existing template. The CLI changes to the configuration level for the template. See Config Commands: SLB Templates.
The no form of this command removes an existing template.
The maximum number of templates is configurable. See slb resource-usage.
slb transparent-acl-template
Description Set the idle timeout value for ACL-related pass-through TCP sessions.
A pass-through TCP session is one that is not terminated by the ACOS device (for example, a session for which the ACOS device is not serving as a proxy for SLB).
Default The default idle timeout for pass-through TCP sessions is 30 minutes.
The default idle timeout in TCP templates is 120 seconds.
Usage Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300
seconds. This is true even if the idle timeout in the TCP template itself is
set to a higher value. Higher idle timeout values apply only to SLB
sessions, not to transparent sessions. This is because transparent
sessions are stateless and can be recreated if timed out.
Example The following commands configure the default TCP template, setting the idle timeout value to 15000 seconds. This template (and thus its idle timeout value) is then applied to ACL-related pass-through TCP sessions:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# idle-timeout 15000
ACOS(config-l4 tcp)# exit
ACOS(config)# slb transparent-acl-template default
slb transparent-tcp-template
Description Set the idle timeout value for pass-through TCP sessions.
A pass-through TCP session is one that is not terminated by the ACOS
device (for example, a session for which the ACOS device is not serving
as a proxy for SLB).
Default The default idle timeout for pass-through TCP sessions is 30 minutes.
The default idle timeout in TCP templates is 120 seconds.
Usage Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300
seconds. This is true even if the idle timeout in the TCP template itself is
set to a higher value. Higher idle timeout values apply only to SLB
sessions, not to transparent sessions. This is because transparent
sessions are stateless and can be recreated if timed out.
Example The following commands configure the default TCP template, setting the idle timeout value to 15000 seconds. This template (and thus its idle timeout value) is then applied to pass-through TCP sessions:
ACOS(config)# slb template tcp default
ACOS(config-l4 tcp)# idle-timeout 15000
ACOS(config-l4 tcp)# exit
ACOS(config)# slb transparent-tcp-template default
slb virtual-server
Description Configure a virtual server.
Default N/A
Usage The normal form of this command creates a new or edits an existing virtual server and related load balancing configurations and parameters. The CLI changes to the configuration level for the virtual server. See Config Commands: SLB Virtual Servers.
The “no” form of this command removes an existing virtual server.
The maximum number of virtual servers is configurable. See slb resource-usage.
Example The following commands configure a new virtual server named “vs1”, add a UDP virtual port, bind the port to service group sg1, and enable GTP session load balancing:
ACOS(config)# slb virtual-server vs1 10.10.2.1
ACOS(config-slb vserver)# port 2123 udp
ACOS(config-slb vserver: vport)# service-group sg1
ACOS(config-slb vserver: svcgrp)# gtp-session-lb
SLB Common Configuration Commands
Some commands in SLB common configuration mode are only available in the shared partition; commands that are not available in L3V partitions are noted below.
aflex-table-entry-aging-interval
aflex-table-entry-sync
buff-thresh
compress-block-size
conn-rate-limit src-ip
ddos-protection
ddos-protection logging
ddos-protection packets-per-second
disable-adaptive-resource-check
disable-server-auto-reselect
dns-cache-age
dns-cache-enable
dns-cache-entry-size
dns-response-rate-limiting
dns-vip-stateless
drop-icmp-to-vip-when-vip-down
dsr-health-check-enable
ecmp-hash
enable-l7-req-acct
extended-stats
fast-path-disable
gateway-health-check
graceful-shutdown
honor-server-response-ttl
hw-compression
hw-syn-rr
low-latency
l2l3-trunk-lb-disable
max-buff-queued-per-conn
max-http-header-count
msl-time
mss-table
no-auto-up-on-aflex
rate-limit-logging
reset-stale-session
scale-out
service-group-on-no-dest-nat-vports
snat-gwy-for-l3
snat-on-vip
sort-res
ssli-sni-hash-enable
stats-data-disable
stateless-sg-multi-binding
use-mss-tab
NOTE: From the above list, the following commands are unavailable in L3V partitions:
• buff-thresh
• disable-adaptive-resource-check
• disable-server-auto-reselect
• dns-vip-stateless
• drop-icmp-to-vip-when-vip-down
• dsr-health-check-enable
• fast-path-disable
• gateway-health-check
• hw-syn-rr
• l2l3-trunk-lb-disable
• max-buff-queued-per-conn
• max-http-header-count
• msl-time
• mss-table
• stats-data-disable
aflex-table-entry-aging-interval
Description Configure the aFlex table entry aging interval, in seconds. These aFlex tables are synchronized with the peer ACOS device via VRRP-A.
Default Disabled
NOTE: For detailed information about aFlex tables and VRRP-A commands, refer to the aFleX Scripting Language Reference and Configuring VRRP-A High Availability guides.
aflex-table-entry-sync
Description Configure aFlex table entry synchronization parameters. These aFlex tables are synchronized with the peer ACOS device via VRRP-A.
Default Disabled
Usage ACOS supports aFlex table synchronization within a VRRP-A cluster, so that aFlex table state can be recovered when an ACOS device is rebooted. Each sync message carries the key length, value length, table name and some other parameters; an entry is sent to the standby ACOS device only if the sum of these is less than 1000.
Example The following commands set the maximum key length, maximum value length and minimum lifetime (min-lifetime) for synchronized aFlex table entries:
ACOS(config-common)# aflex-table-entry-sync
ACOS(config-common-aflex-table-entry-sync)# max-key-len 50
ACOS(config-common-aflex-table-entry-sync)# max-value-len 100
ACOS(config-common-aflex-table-entry-sync)# min-lifetime 3600
NOTE: For detailed information about aFlex tables and VRRP-A commands, refer to the aFleX Scripting Language Reference and Configuring VRRP-A High Availability guides.
buff-thresh
Description Fine-tune thresholds for SLB buffer queues.
Do not use this command except under advisement from A10 Networks.
Default N/A
compress-block-size
Description Change the default compression block size used for SLB.
The bytes option specifies the default compression block size, 6000-32000 bytes.
Default 16000
Example The following example sets the compression block size to 16000 bytes:
ACOS(config)# slb common
ACOS(config-common)# compress-block-size 16000
conn-rate-limit src-ip
Description Configure source-IP based connection rate limiting.
All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and cannot be disabled.
NOTE: To configure connection rate limits on IPv6 traffic, use class lists. For more information, see “class-list” in the Command Line Interface Reference and “Understanding Class Lists” in the DDoS Mitigation Guide for ADC.
Parameter Description
tcp | udp Specifies the Layer 4 protocol to which the limit applies.
per {100 | 1000} Specifies the limit period, in milliseconds. The limit period is the interval over which the connection limit is applied. A client conforms to the rate limit if the number of new connection requests within the limit period does not exceed the connection limit. You can specify 100 milliseconds or 1000 milliseconds.
Example The following commands allow up to 1000 connection requests per one-second interval from any individual client. If a client sends more than 1000 requests within a given limit period, the client is locked out for 3 seconds. The limit applies separately to each individual virtual port. Logging is not enabled.
ACOS(config)# slb common
ACOS(config-common)# conn-rate-limit src-ip tcp 1000 per 1000 exceed-action lock-out 3
Example The following commands allow up to 2000 connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Logging is enabled but lockout is not enabled.
ACOS(config)# slb common
ACOS(config-common)# conn-rate-limit src-ip tcp 2000 per 100 shared exceed-action log
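The following Python model replays the two configurations above so the semantics of the limit period, the per-port versus shared counter, and the lock-out can be traced request by request. It is an added illustration, not A10 code and not how ACOS implements the feature internally. The client address, virtual port names and timestamps are constructed, and one detail the reference does not state is assumed: a lock-out is tracked with the same key as the counter (client plus virtual port, or client alone when shared).

```python
"""Model of ACOS-style source-IP connection rate limiting (conn-rate-limit src-ip).

Added illustration, not A10 code: it reproduces the documented semantics so the
two CLI examples above can be traced step by step. Client addresses, virtual
port names and timestamps are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SrcIpRateLimit:
    limit: int                  # connection requests allowed per limit period
    period_ms: int              # limit period: 100 or 1000 milliseconds
    shared: bool = False        # True: one counter per client across all virtual ports
    lock_out_sec: Optional[int] = None   # exceed-action lock-out N; None = log only
    # Assumption: a lock-out is tracked with the same key as the counter
    # (per client+vport, or per client when shared).
    windows: Dict[Tuple, Tuple[int, int]] = field(default_factory=dict)  # key -> (window start ms, count)
    locked_until: Dict[Tuple, int] = field(default_factory=dict)          # key -> unlock time ms
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.period_ms not in (100, 1000):
            raise ValueError("limit period must be 100 or 1000 ms")

    def _key(self, client: str, vport: str) -> Tuple:
        return (client,) if self.shared else (client, vport)

    def admit(self, now_ms: int, client: str, vport: str) -> bool:
        """Return True if the connection request is accepted, False if it is dropped."""
        key = self._key(client, vport)
        if now_ms < self.locked_until.get(key, -1):
            self.log.append(f"t={now_ms} drop {client}->{vport}: locked out")
            return False
        start, count = self.windows.get(key, (now_ms, 0))
        if now_ms - start >= self.period_ms:   # the limit period has rolled over
            start, count = now_ms, 0
        count += 1
        self.windows[key] = (start, count)
        if count <= self.limit:
            return True
        # Over the limit: the request is dropped (not configurable); the
        # exceed-action decides whether the client is also locked out.
        self.log.append(f"t={now_ms} drop {client}->{vport}: over {self.limit} per {self.period_ms} ms")
        if self.lock_out_sec is not None:
            self.locked_until[key] = now_ms + self.lock_out_sec * 1000
        return False


def demo() -> dict:
    """Replays both documented configurations against a constructed burst."""
    # conn-rate-limit src-ip tcp 1000 per 1000 exceed-action lock-out 3
    rl = SrcIpRateLimit(limit=1000, period_ms=1000, lock_out_sec=3)
    burst = [rl.admit(500, "192.0.2.10", "vip1:80") for _ in range(1001)]
    # conn-rate-limit src-ip tcp 2000 per 100 shared exceed-action log
    shared = SrcIpRateLimit(limit=2000, period_ms=100, shared=True)
    on_a = sum(shared.admit(10, "192.0.2.10", "vip1:80") for _ in range(1500))
    on_b = sum(shared.admit(20, "192.0.2.10", "vip2:443") for _ in range(600))
    return {
        "accepted_in_burst": sum(burst),                                      # 1000
        "dropped_in_burst": burst.count(False),                               # 1
        "locked_at_3400": not rl.admit(3400, "192.0.2.10", "vip1:80"),        # still locked out
        "other_vport_unaffected": rl.admit(3400, "192.0.2.10", "vip2:443"),   # per-vport key
        "admitted_at_3500": rl.admit(3500, "192.0.2.10", "vip1:80"),          # lock-out expired
        "shared_accepted": on_a + on_b,                                       # 2000 across both vports
        "shared_locked": bool(shared.locked_until),                           # log only: no lock-out
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The shared run shows why the keyword matters operationally: with the counter shared across virtual ports, 1500 requests to one port plus 600 to another from the same client exceed the 2000-per-100-ms budget, whereas per-port counters would admit all of them.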
ddos-protection
Description Enables hardware blocking of VIP traffic that is addressed to an unconfigured virtual port.
Default Disabled
ddos-protection logging
Description Enables logging of VIP traffic hardware blocking events.
Default enabled
ddos-protection packets-per-second
Description Set the packet rate, in packets per second, above which hardware blocking of VIP traffic addressed to an unconfigured virtual port begins.
Example This example sets the device to begin hardware blocking for any unconfigured TCP ports that exceed 1000 packets per second.
ACOS(config)# slb common
disable-adaptive-resource-check
Description In cases where data packets smaller than a pre-configured size limit are received, HTTP sessions may be deleted when the number of such packets received exceeds a pre-defined threshold. This is the default behavior on an ACOS device.
The disable-adaptive-resource-check command disables the default behavior.
disable-server-auto-reselect
Description Stop the ACOS device from automatically reselecting a lower priority server until a server with a higher priority is marked as Down or Disabled. This is commonly used with inband health monitors.
Usage When server priority is configured, the ACOS device sends all traffic to the highest priority server, until that server starts responding slowly or meets other negative conditions. This feature stops the ACOS device from automatically reselecting a lower priority server until a server with a higher priority is marked as Down or Disabled.
When a Data CPU reaches 70%, slb disable-server-auto-reselect is activated automatically and appears in the running config. When the Data CPU drops back below 50%, it removes itself.
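The selection rule and the CPU hysteresis above are easy to misread under load, so the following Python model spells them out. It is an added illustration, not A10 code and not ACOS's scheduler. Server names, priorities, and the "slow" flag (standing in for an inband health monitor observing slow responses) are constructed for the demonstration.

```python
"""Model of priority-based server selection with and without
disable-server-auto-reselect, including the documented Data CPU hysteresis
(the option activates itself at 70% and removes itself below 50%).

Added illustration, not A10 code. Server names, priorities and the 'slow'
observation (standing in for an inband health monitor noticing slow responses)
are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RealServer:
    name: str
    priority: int
    state: str = "up"        # up | down | disabled
    slow: bool = False       # responding slowly / other negative condition


def select_server(servers: List[RealServer], auto_reselect_disabled: bool) -> Optional[RealServer]:
    """Pick the server that receives new traffic.

    Default behaviour: the highest-priority Up server is used until it is slow,
    at which point the next priority is reselected. With the option set, a slow
    server keeps receiving traffic; only Down/Disabled servers are skipped.
    """
    candidates = [s for s in sorted(servers, key=lambda srv: -srv.priority) if s.state == "up"]
    if not candidates:
        return None
    if auto_reselect_disabled:
        return candidates[0]
    healthy = [s for s in candidates if not s.slow]
    return healthy[0] if healthy else candidates[0]  # if every server is slow, stay on the best one


class AutoReselectGuard:
    """Tracks whether disable-server-auto-reselect is in effect.

    It is in effect if configured explicitly, or while the Data CPU hysteresis
    has switched it on: set when CPU reaches 70%, cleared only when CPU drops
    below 50%, unchanged in between.
    """

    def __init__(self, configured: bool = False) -> None:
        self.configured = configured
        self.auto_enabled = False

    def observe_cpu(self, percent: int) -> bool:
        if percent >= 70:
            self.auto_enabled = True
        elif percent < 50:
            self.auto_enabled = False
        return self.in_effect

    @property
    def in_effect(self) -> bool:
        return self.configured or self.auto_enabled


def demo() -> dict:
    primary = RealServer("rs-primary", priority=10, slow=True)    # slow but still Up
    backup = RealServer("rs-backup", priority=5)
    guard = AutoReselectGuard()
    cpu_trace = [guard.observe_cpu(p) for p in (40, 72, 60, 49, 55)]   # F, T, T, F, F
    return {
        "default_pick": select_server([primary, backup], False).name,       # rs-backup
        "disabled_pick": select_server([primary, backup], True).name,       # rs-primary
        "picks_by_cpu": [select_server([primary, backup], on).name for on in cpu_trace],
        "primary_down": select_server([RealServer("rs-primary", 10, state="down"), backup], True).name,
    }


if __name__ == "__main__":
    print(demo())
```

The CPU sample at 60% is the point to notice: the option stays active because it was set at 72% and nothing below 50% has been seen yet, so a slow primary keeps receiving traffic until the CPU falls under the lower threshold.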
dns-cache-age
Description Configure the amount of time the ACOS device locally caches DNS replies.
DNS cache aging is applicable only when DNS caching is enabled, using the dns-cache-enable command. A DNS reply begins aging as soon as it is cached and continues aging even if the cached reply is used after aging starts. Use of a cached reply does not reset the age of that reply.
Server response TTL is the minimum TTL of all resource records in that response. The honor-server-response-ttl command enables using the TTL in the server response as the DNS cache TTL.
Default 300
Example This example configures the ACOS device to cache DNS replies for 300
seconds.
ACOS(config)# slb common
ACOS(config-common)# dns-cache-age 300
Example This example configures the age of global DNS cache to be the minimum
value between 600 seconds and the server response TTL:
ACOS(config-common)# dns-cache-age 600
ACOS(config-common)# honor-server-response-ttl
Example This example configures the age of the global DNS cache to be 600
seconds:
ACOS(config-common)# dns-cache-age 600
Example This command configures the server response TTL to be used as the
global DNS cache TTL:
ACOS(config-common)# dns-cache-age
ACOS(config-common)# honor-server-response-ttl
dns-cache-enable
Description Globally enable caching of replies to DNS queries.
Default Disabled. When you globally enable DNS caching, the round-robin and single-answer options are disabled by default. The default TTL threshold is 0 (unset).
Usage When DNS caching is enabled, the ACOS device sends the first request for a given name (hostname, fully-qualified domain name, URL, and so on) to the DNS server. The ACOS device caches the reply from the DNS server, and sends the cached reply in response to the next request for the same name.
The ACOS device continues to use the cached DNS reply until the reply times out. After the reply times out, the ACOS device sends the next request for that name to the DNS server, caches the reply, and so on.
Enabling the single-answer option prevents the caching of DNS replies that have multiple IP addresses. For example, if the DNS reply to a query for “www.example1.com” has only one IP address (1.1.1.1), the reply is cached on the ACOS device. However, if the DNS reply to a query for “www.example2.com” has two IP addresses (2.2.2.2 and 3.3.3.3), that reply is not cached.
If the ttl-threshold option is configured, DNS replies are cached only if their TTL value is larger than the configured threshold. This prevents the ACOS device from caching DNS entries that will expire shortly thereafter.
For example, if the ACOS device’s TTL threshold is set to 7200 seconds and the ACOS device receives a DNS response for a domain with a TTL of only 10 seconds, there would be little benefit in caching that DNS reply, since it will soon expire: subsequent client requests for that same domain would bypass the “stale” cached information and perform another DNS lookup just 10 seconds later.
DNS caching applies to DNS requests sent to UDP as well as TCP virtual ports in a DNS SLB configuration.
Example The following example enables DNS caching on the ACOS device with all
the default values.
ACOS(config)# slb common
ACOS(config-common)# dns-cache-enable
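The interaction between dns-cache-age, honor-server-response-ttl, single-answer and ttl-threshold, described across the two commands above, is captured in the following Python model, which also shows the rule that a cached reply ages from the moment it is stored and is not refreshed by hits. It is an added illustration, not A10 code and not the ACOS cache implementation. The zone data, TTLs and timestamps are constructed, and an upstream server is stood in for by a dictionary lookup.

```python
"""Model of the ACOS global DNS cache options described above.

Added illustration, not A10 code. It models the documented behaviour of
dns-cache-age, honor-server-response-ttl, single-answer and ttl-threshold,
and the rule that a cached reply ages from the moment it is stored (a cache
hit does not reset its age). The zone data, TTLs and timestamps are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class DnsReply:
    name: str
    addresses: Tuple[str, ...]   # answer addresses carried in the reply
    ttl: int                     # server response TTL = minimum TTL over the reply's records


@dataclass
class DnsCache:
    cache_age: Optional[int] = 300     # dns-cache-age in seconds; None = not set
    honor_server_ttl: bool = False     # honor-server-response-ttl
    single_answer: bool = False        # dns-cache-enable single-answer
    ttl_threshold: int = 0             # dns-cache-enable ttl-threshold; 0 = unset
    entries: Dict[str, Tuple[DnsReply, int]] = field(default_factory=dict)  # name -> (reply, expiry)
    server_queries: int = 0

    def lifetime(self, reply: DnsReply) -> int:
        """Seconds a reply stays valid in the cache."""
        if self.honor_server_ttl:
            # 'dns-cache-age N' + honor: min(N, server TTL); honor alone: server TTL
            return reply.ttl if self.cache_age is None else min(self.cache_age, reply.ttl)
        return 300 if self.cache_age is None else self.cache_age

    def cacheable(self, reply: DnsReply) -> bool:
        if self.single_answer and len(reply.addresses) > 1:
            return False                      # multi-address replies are not cached
        if self.ttl_threshold and reply.ttl <= self.ttl_threshold:
            return False                      # would expire too soon to be worth caching
        return True

    def resolve(self, name: str, now: int, server: Callable[[str], DnsReply]) -> Tuple[DnsReply, str]:
        """Answer a query for `name` at time `now`; returns (reply, "cache" | "server")."""
        hit = self.entries.get(name)
        if hit is not None:
            reply, expires_at = hit
            if now < expires_at:
                return reply, "cache"       # expiry is fixed at insert time: no refresh on use
            del self.entries[name]
        reply = server(name)
        self.server_queries += 1
        if self.cacheable(reply):
            self.entries[name] = (reply, now + self.lifetime(reply))
        return reply, "server"


# Constructed zone standing in for the upstream DNS server.
ZONE = {
    "www.example1.com": DnsReply("www.example1.com", ("1.1.1.1",), 3600),
    "www.example2.com": DnsReply("www.example2.com", ("2.2.2.2", "3.3.3.3"), 3600),
    "short.example.com": DnsReply("short.example.com", ("198.51.100.7",), 10),
}


def demo() -> dict:
    """dns-cache-age 600 + honor-server-response-ttl + single-answer + ttl-threshold 60."""
    cache = DnsCache(cache_age=600, honor_server_ttl=True, single_answer=True, ttl_threshold=60)
    server = ZONE.__getitem__
    trace = [
        cache.resolve("www.example1.com", 0, server)[1],     # server; cached for min(600, 3600) = 600 s
        cache.resolve("www.example1.com", 599, server)[1],   # cache
        cache.resolve("www.example1.com", 600, server)[1],   # server: the hit at 599 did not extend the entry
        cache.resolve("www.example2.com", 0, server)[1],     # server; two addresses, not cached
        cache.resolve("www.example2.com", 1, server)[1],     # server again
        cache.resolve("short.example.com", 0, server)[1],    # server; TTL 10 <= threshold 60, not cached
    ]
    return {
        "trace": trace,
        "server_queries": cache.server_queries,
        "cached_names": sorted(cache.entries),
        "example1_expiry": cache.entries["www.example1.com"][1],   # re-cached at 600, expires at 1200
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the trace is the third lookup: a hit at second 599 does not extend the entry, so the fourth query at second 600 goes back to the server. If a long dns-cache-age is configured without honor-server-response-ttl, a record whose upstream TTL is shorter than that age will be served past its authoritative lifetime.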
dns-cache-entry-size
Description Set the maximum size in bytes for DNS cache entries.
Replace num with the desired DNS cache entry size, in bytes (1 - 4096).
Default 256
Example The following example sets the DNS cache entry size to 3600 bytes:
ACOS(config)# slb common
ACOS(config-common)# dns-cache-entry-size 3600
dns-response-rate-limiting
Description Set the maximum number of table entries for DNS response rate limiting.
Replace num with the desired maximum number of table entries allowed for DNS response rate limiting (1000 - 4194304).
Example The example below shows how to set the maximum number of table entries for DNS response rate limiting.
ACOS(config)# slb common
ACOS(config-common)# dns-response-rate-limiting
ACOS(config-common-dns-response-rate-limi...)# max-table-entries 2000
dns-vip-stateless
Description This command causes the ACOS device to use round-robin to load balance DNS stateless traffic to CPU threads.
drop-icmp-to-vip-when-vip-down
dsr-health-check-enable
Description Enable health checking of the virtual server IP addresses instead of the real server IP addresses in Direct Server Return (DSR) configurations.
This feature requires configuration of a Layer 3 health method (ICMP), with the transparent option enabled, and the alias address set to the virtual IP address. (See method.) The health monitor must be applied to the real server ports.
Example The following commands configure a Layer 3 health monitor for DSR health checking, apply it to the real server ports, and enable DSR health checking:
ACOS(config)# health monitor dsr-hm
ACOS(config-health:monitor)# method icmp transparent 10.10.10.99
ACOS(config-health:monitor)# exit
ACOS(config)# slb common
ACOS(config-common)# dsr-health-check-enable
ecmp-hash
Description This option hashes on connection information (source IP, source port and destination port from the forward tuple, plus the real server IP), which allows more balanced Equal-Cost Multi-Path (ECMP) routing. For IP-based protocols, the source IP and real server IP are used for hashing. IPv4-to-IPv6 and IPv6-to-IPv4 routing are not supported.
enable-l7-req-acct
Description Globally enable Layer 7 request accounting.
When using the least-request load-balancing method in a service group,
Layer 7 request accounting is automatically enabled for the service
group’s members, and for the virtual service ports that are bound to the
service group’s members.
To display Layer 7 request statistics, use the show slb service-group
command. See show slb server, show slb service-group, and show slb
virtual-server.
Example The example below shows how to enable Layer 7 request accounting.
ACOS(config)# slb common
ACOS(config-common)# enable-l7-req-acct
extended-stats
Description Globally enable collection of extended SLB statistics, including peak connection statistics.
Example This example shows how to enable the collection of extended SLB statistics.
ACOS(config)# slb common
ACOS(config-common)# extended-stats
fast-path-disable
Description Disable fast-path packet inspection.
Fast processing of packets maximizes performance by using all
underlying hardware assist facilities. Typically, the feature should remain
enabled. The disable option is provided only for troubleshooting, in case it
is suspected that the fast processing logic is causing an issue. If you
disable fast-path processing, ACOS does not perform a deep inspection
of every field within a packet.
Example The example below shows how to disable fast-path packet inspection.
ACOS(config)# slb common
ACOS(config-common)# fast-path-disable
gateway-health-check
Description Enables gateway health monitoring.
Usage Gateway health monitoring uses ARP to test the availability of nexthop gateways. When the ACOS device needs to send a packet through a gateway, the ACOS device begins sending ARP requests to the gateway.
• If the gateway replies to any ARP request within a configurable
timeout, the ACOS device forwards the packet to the gateway.
• The ARP requests are sent at a configurable interval. The ACOS
device waits for a configurable timeout for a reply to any request. If
the gateway does not respond to any request before the timeout
expires, the ACOS device selects another gateway and begins the
health monitoring process again.
Example The following example enables gateway health monitoring. Health check
attempts will be made every 10 seconds, with a reply timeout of 20
seconds.
ACOS(config)# slb common
ACOS(config-common)# gateway-health-check interval 10 timeout 20
graceful-shutdown
Description Provides time for active sessions to terminate normally before closing a service after deleting or disabling the real or virtual server or port providing the service.
Default Graceful shutdown is disabled by default. When you delete a real or virtual service port, the ACOS device places all the port’s sessions in the delete queue, and stops accepting new sessions on the port.
Usage When graceful shutdown is enabled, the ACOS device stops accepting
new sessions on a disabled or deleted port, but waits for the specified
grace period before moving active sessions to the delete queue.
Example These commands enable graceful shutdown with a grace period of one
hour:
ACOS(config)# slb common
ACOS(config-common)# graceful-shutdown 3600
honor-server-response-ttl
Description The TTL in the server response is used as the DNS cache TTL.
Example The following example configures the ACOS device to cache DNS replies
for 300 seconds.
ACOS(config)# slb common
ACOS(config-common)# dns-cache-age 600
ACOS(config-common)# honor-server-response-ttl
hw-compression
Description Enable hardware-based HTTP compression.
hw-syn-rr
Description Enable distribution of client SYNs across multiple CPUs. This feature protects against CPU overload due to SYN floods, a common symptom of DDoS attacks.
Example The following example enables distribution of client SYNs across multiple
CPUs, using 250,000 TCP SYNs as the threshold.
ACOS(config)# slb common
ACOS(config-common)# hw-syn-rr 250000
low-latency
Description Enables low latency mode. The system needs to be rebooted after con-
figuring this option.
Known limitations:
• Basic TCP and FIX IPv4 traffic supported.
• Physical platforms with TCAM hardware supported.
• Only applicable for shared partition.
Default Disabled
l2l3-trunk-lb-disable
Description Disable or re-enable trunk load balancing.
Usage When trunk load balancing is enabled, the ACOS device load balances outbound Layer 2/3 traffic among all the ports in a trunk. The round-robin method is used to load balance the traffic. For example, in a trunk containing ports 1-4, the first Layer 2/3 packet is sent on port 1. The second packet is sent on port 2. The third packet is sent on port 3, and so on.
If you disable trunk load balancing, the lead port will always be used for outbound traffic, and the other ports will act as standby ports in case the lead port goes down.
Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by
default. However, the CLI provides a command to disable trunk load
balancing, in case there is a need to do so. Disabling trunk load balancing
causes the ACOS device to use only the lead port for outbound traffic.
NOTE: Trunk load balancing does not apply to Layer 4-7 traffic.
max-buff-queued-per-conn
Description Set the maximum buffer threshold per connection.
Example The following commands set the maximum buffer value per connection
to 1024:
ACOS(config)# slb common
ACOS(config-common)# max-buff-queued-per-conn 1024
max-http-header-count
Description Configure the number of headers supported in an HTTP request.
Default 90
msl-time
Description Configure the maximum session life for client sessions. The maximum session life controls how long the ACOS device maintains a session table entry for a client-server session after the session ends.
The seconds option specifies the number of seconds a client session can remain in the session table after session completion. You can specify 1-40 seconds.
Default 2 seconds
Usage The maximum session life allows time for retransmissions from clients or servers, which can occur if there is an error in a transmission. If a retransmission occurs while the ACOS device still has a session entry for the session, the ACOS device is able to forward the retransmission. However, if the session table entry has already aged out, the ACOS device drops the retransmission instead.
Maximum session life begins aging out a session table entry when the
session ends:
• TCP – The session ends when the ACOS device receives a TCP FIN
from the client or server.
• UDP – The session ends after the ACOS device receives a server
response to the client’s request. If the reply is fragmented, the
maximum session life begins only after the last fragment is received.
NOTE: For UDP sessions, maximum session life is used only if UDP aging
is set to short, instead of immediate. UDP aging is set in the UDP
template bound to the UDP virtual port. The default setting is
short.
mss-table
Description Configure the TCP Maximum Segment Size (MSS) allowed for client traffic. This command globally changes the MSS. You also can change the MSS in individual TCP-proxy templates. (See slb template tcp-proxy.)
The num option specifies maximum MSS allowed in traffic from clients.
You can specify 128-750.
Default 538
Usage Clients who can only transmit TCP segments that are smaller than the
MSS are unable to reach servers.
no-auto-up-on-aflex
Description Prevent the health status of virtual ports that are bound to aFleX scripts
from being automatically marked Up.
Default This option is disabled by default. Virtual ports that are bound to aFleX
scripts are automatically marked Up.
Example The following commands prevent the health status of virtual ports that
are bound to aFleX scripts from being automatically marked Up.
ACOS(config)# slb common
ACOS(config-common)# no-auto-up-on-aflex
rate-limit-logging
Description Configure rate limiting settings for system logging.
Usage Log rate limiting is enabled by default and cannot be disabled. The configurable settings have the default values described in the table above.
The log rate limiting mechanism works as follows:
• If the number of new messages within a one-second interval
exceeds the internal maximum (32 by default), then during the next
one-second interval, ACOS sends log messages only to the external
log servers.
• If the number of new messages generated within the new one-second interval is the internal maximum or less, then during the following one-second interval, ACOS will again send messages to the local logging buffer as well as the external log server.
• In any case, all messages (up to the external maximum) are sent to
the external log servers.
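The following simulation, added here and not part of the ACOS documentation or code, plays a constructed sequence of per-second message counts through the three rules above so an operator can see which seconds never reach the local logging buffer (and must be read from the remote collector instead). The assumption that the local buffer receives at most internal_max messages in a permitted second is this example's own.

```python
"""Simulation of the log rate limiting behaviour described above.

Added example for this page, not ACOS code. ASSUMPTION: while local logging
is permitted, the local buffer receives at most internal_max messages in that
second; the page does not state how the excess is clipped.
"""
from typing import List, Tuple


def simulate_log_rate_limiting(
    messages_per_second: List[int],
    internal_max: int = 32,        # default internal maximum from the page
    external_max: int = 30000,     # value used in the page's max-remote-rate example
) -> List[Tuple[int, int]]:
    """Return (local_count, remote_count) for each one-second interval.

    messages_per_second[i] is the number of new log messages generated in
    interval i (constructed input).
    """
    results: List[Tuple[int, int]] = []
    local_allowed = True           # state carried over from the previous interval
    for generated in messages_per_second:
        # Rule 3: all messages, up to the external maximum, always go to the
        # external log servers.
        remote = min(generated, external_max)
        # Rules 1 and 2: the local buffer only receives messages when the
        # previous interval stayed at or below the internal maximum.
        local = min(generated, internal_max) if local_allowed else 0
        results.append((local, remote))
        # Exceeding the internal maximum suppresses local logging for the next
        # interval; staying within it restores local logging after that.
        local_allowed = generated <= internal_max
    return results


def local_suppressed_intervals(results: List[Tuple[int, int]]) -> List[int]:
    """Indices of intervals in which messages were generated but none reached
    the local buffer: the seconds that are missing from 'show log' and are
    only visible on the remote collector."""
    return [i for i, (local, remote) in enumerate(results) if local == 0 and remote > 0]


if __name__ == "__main__":
    # Constructed burst: steady, spike, quiet, two spikes back to back, quiet.
    burst = [10, 50, 5, 40, 40, 3]
    out = simulate_log_rate_limiting(burst)
    for second, (local, remote) in enumerate(out):
        print(f"t={second}s generated={burst[second]:>3} local={local:>3} remote={remote:>3}")
    print("intervals missing from the local buffer:", local_suppressed_intervals(out))
```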
Example The following commands increase the maximum number of log messages per second sent to remote log servers:
ACOS(config)# slb common
ACOS(config-common)# rate-limit-logging max-remote-rate 30000
reset-stale-session
Description Send reset if a session in the delete queue receives a SYN packet.
scale-out
Description Enable the Scaleout feature for SLB.
For more information, see the Configuring Scaleout guide.
service-group-on-no-dest-nat-vports
Description Bind one service-group under multiple virtual-server when 'no-dest-nat'
is enabled.
Known limitation: DSR-mode health checking is incompatible with this option if dsr-health-check-enable is enabled and the same service-group is bound to multiple no-dest-nat virtual ports.
Usage In some cases there is a specific requirement to bind one service-group under multiple virtual servers with 'no-dest-nat' enabled.
snat-gwy-for-l3
Description Use an IP pool’s default gateway to forward traffic from a real server.
When this feature is enabled, ACOS checks the server IP subnet against
the IP NAT pool subnet. If they are on the same subnet, then ACOS uses
the gateway as defined in the IP NAT pool for Layer 2 / Layer 3
forwarding. This feature is useful if the server does not have its own
upstream router and ACOS can leverage the same upstream router for
Layer 2 / Layer 3.
snat-on-vip
Description Globally enable IP NAT support for VIPs.
Usage Source IP NAT can be configured on a virtual port in the following ways:
• ACL-based source NAT (access-list command at virtual port level)
• VIP source NAT (slb snat-on-vip command at Configuration mode
level)
• aFleX policy (aflex command at virtual port level)
• Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP
source NAT is configured using an ACL on the virtual port, and the slb
snat-on-vip command is also used, then a pool assigned by the ACL is
used for traffic permitted by the ACL. For traffic not permitted by the
ACL, VIP source NAT can be used instead.
The current release does not support source IP NAT on FTP or RTSP
virtual ports.
sort-res
Description Enable the sort display option for SLB configuration. When this option is
enabled, SLB resources in the configuration are listed in alphabetical
order.
The sort feature takes effect only after you configure at least one new SLB resource following enabling of the sort feature. Until you configure at least one new SLB resource, the SLB resources still appear in the order they were configured.
Default This option is disabled by default. With this default behavior, SLB
resources of a specific type appear in the order they are configured.
Example The following command displays the configured SLB servers, before the
sort option is enabled and activated:
These commands enable the sort option, configure a new SLB server,
and display the configured SLB servers. The slb server commands are
alphabetically sorted.
ACOS(config)# slb common
ACOS(config-common)# sort-res
ACOS(config-common)# exit
ACOS(config)# slb server s88 4.3.3.3
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# show run | include slb server
slb server MSSQLServer02 110.13.13.21
slb server Server07 110.20.20.20
slb server Server08 110.13.13.20
slb server ee 5.5.5.5
slb server fsort2 4.3.9.58
slb server fsort88 4.3.9.55
slb server http1 20.20.25.10
slb server http2 20.20.25.11
slb server ldap-sr 172.16.2.10
slb server o1 10.10.10.5
slb server rs20_10 20.20.20.10
slb server rs_http 10.1.2.10
slb server s1 20.20.20.30
slb server s88 4.3.3.3
slb server srv238 2.1.1.238
slb server srv266 10.10.100.10
slb server woo 10.10.99.99
ssli-sni-hash-enable
Description Supports dynamic-port, single-device, two-partition SSLi and relays SNI
information without the interfering message (A10-FP header).
Default Disabled
Example The following commands relay SNI information without the interfering message (A10-FP header).
ACOS(config)# slb common
ACOS(config-common)# ssli-sni-hash-enable
stats-data-disable
Description Globally disables periodic collection of statistical data for system
resources, including CPU, memory, disks and interfaces.
Example The following commands globally disable statistics collection for system
resources.
ACOS(config)# slb common
ACOS(config-common)# stats-data-disable
stateless-sg-multi-binding
Description Globally enables the device to allow the binding of stateless service
groups by multiple virtual ports or virtual servers.
Once a stateless service group is bound to multiple entities, this command can be removed only after all of the multiple bindings are removed.
Default Disabled
Example The following commands enable the binding of stateless service groups
to multiple virtual ports or servers.
ACOS(config)# slb common
ACOS(config-common)# stateless-sg-multi-binding
use-mss-tab
Description Configure ACOS to base the MSS in replies from VIPs to clients on the
interface MTU and MSS value received from clients in SYNs.
Chapter 3: Config Commands: SLB Templates
This section lists the commands and sub-commands to configure SLB templates.
DNS templates have the highest priority and are used first, followed by policy templates.
Then the other types of templates are used as applicable. To apply a template to a virtual
port, use the template command at the configuration level for the virtual port.
probe-interval 170
probes-per-test 170
rtt-method 171
selection-rule 171
test-interval 172
user-tag 173
expected-status-code 173
url 174
Default The default priority is 1. All ciphers within a template are enabled by
default.
Notes
• An SSL cipher template takes effect only when you apply it to a client-SSL template or server-SSL template.
• When you apply (bind) a cipher template to a client-SSL or server-SSL template, the settings in the cipher template override any cipher settings in that client-SSL or server-SSL template.
• Priority values are supported only for client-SSL templates. If a cipher
template is used by a server-SSL template, the priority values in the
cipher template are ignored.
Example The following command binds the cipher template, cipher_tmplt1, to the
client-SSL template, SSLInsight_ClientSide.
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-ca-certificate Cert123.pem key key123
ACOS(config-client ssl)# forward-proxy-enable
ACOS(config-client ssl)# template cipher cipher_tmplt1
ACOS(config-client ssl)# end
Default “Default” connection reuse template defaults are listed in the command
table.
To display default template settings, use the show slb template
connection-reuse default command. See show run slb template.
Usage The normal form of this command creates a connection reuse template.
The no form of this command removes the template.
You can bind only one connection-reuse template to a virtual port.
However, you can bind the same connection-reuse template to multiple
ports.
Due to the way the connection-reuse feature operates, backend
sessions with servers will not be reused in either of the following cases:
• The limit-per-server option is set to a very low value, lower than
the number of data CPUs on the ACOS device.
• The keep-alive-conn option is set to a lower value than the limit-per-server option.
The default is 3.
Default The configuration does not have a default Diameter template. If you con-
figure one, the template has the default values described in the table
above.
Mode Configure
Usage The normal form of this command creates a Diameter template. The no
form of this command removes the template.
You can bind only one Diameter template to a virtual port. However, you
can bind the same Diameter template to multiple ports.
Example For configuration examples, see the “Diameter Load Balancing” chapter
in the Application Delivery Controller Guide.
is IPv4 or vice-versa.
[no] remove-edns-csubnet-to-server – Remove the EDNS(0) client subnet from the client queries.
log-only – Only log rate limiting, but do not actually apply rate limits. Selecting this option enables “log only” behavior for rate limiting: ACOS behaves as if the queries were being rate-limited, logs are sent out and counters increment, but no rate limits are actually applied to DNS responses. Enabling this option also requires selecting the “enable-log” configuration.
filter-response-rate – The maximum allowed request rate for the filter table. Configure a value from 1 - 1000 queries per second. This value should match the rate of DNS queries during normal traffic patterns. This is the first “filter table”, for normal DNS requests. Once a client (source + FQDN) exceeds this rate, its subsequent requests are moved to the “rate-limit entry table” to monitor for potential threats.
response-rate – The maximum allowed request rate for the filter. Configure a value from 1 - 1000 queries per configured window. Responses exceeding this rate are dropped. This parameter maps to the second of the two tables, the “rate-limit entry table”, and is used for abusive DNS requests. Once a client exceeds the rate in the filter table, subsequent requests from that (source + FQDN) are moved to this “rate-limit entry table” to monitor them more closely for potential threats.
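The two-table behaviour described by filter-response-rate, response-rate and log-only, modelled as an added example (not ACOS code and not from this reference). The window length, the absence of ageing for entry-table records, and counting the query that first exceeds the filter rate as the first entry-table query are this example's assumptions.

```python
"""Model of the two-table DNS response rate limiting described for the DNS
template: a per-second "filter table" for normal clients and a per-window
"rate-limit entry table" for clients (source + FQDN) that exceeded the filter
rate, including the log-only mode.

Added example written for this page, not ACOS code. ASSUMPTIONS: the window
length is a parameter here, entries are never aged out of the entry table,
and the query that first exceeds the filter rate is the first one counted in
the entry table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (source IP, FQDN) identifies a client in both tables


@dataclass
class RrlConfig:
    filter_response_rate: int   # queries/second allowed in the filter table (1-1000)
    response_rate: int          # responses per window allowed in the entry table (1-1000)
    window_seconds: int = 1     # ASSUMPTION: length of the "configured window"
    enable_log: bool = False    # emit a log line for each rate-limited response
    log_only: bool = False      # log and count, but never drop

    def __post_init__(self) -> None:
        # The page states that log-only also requires enable-log.
        if self.log_only and not self.enable_log:
            raise ValueError("log-only requires enable-log")


@dataclass
class DnsResponseRateLimiter:
    cfg: RrlConfig
    filter_table: Dict[Key, Tuple[int, int]] = field(default_factory=dict)  # key -> (second, count)
    entry_table: Dict[Key, Tuple[int, int]] = field(default_factory=dict)   # key -> (window start, count)
    counters: Dict[str, int] = field(default_factory=lambda: {"passed": 0, "rate_limited": 0})
    log: List[str] = field(default_factory=list)

    def handle(self, ts: int, src: str, fqdn: str) -> str:
        """Decide the fate of the response to one query seen at time ts (seconds).

        Returns "pass" or "drop".
        """
        key = (src, fqdn)
        if key not in self.entry_table:
            second, count = self.filter_table.get(key, (ts, 0))
            if second != ts:                       # new one-second bucket for this client
                second, count = ts, 0
            count += 1
            if count <= self.cfg.filter_response_rate:
                self.filter_table[key] = (second, count)
                self.counters["passed"] += 1
                return "pass"
            # Over the filter rate: this client is now tracked in the entry table.
            self.filter_table.pop(key, None)
            self.entry_table[key] = (ts, 0)

        start, count = self.entry_table[key]
        if ts - start >= self.cfg.window_seconds:  # window expired, start a fresh one
            start, count = ts, 0
        count += 1
        self.entry_table[key] = (start, count)
        if count <= self.cfg.response_rate:
            self.counters["passed"] += 1
            return "pass"

        # Over the response rate. Counters and logs behave the same in both
        # modes; only enforcement mode actually drops the response.
        self.counters["rate_limited"] += 1
        if self.cfg.enable_log:
            mode = "log-only" if self.cfg.log_only else "drop"
            self.log.append(f"t={ts} dns-rrl {mode} src={src} fqdn={fqdn} count={count}")
        return "pass" if self.cfg.log_only else "drop"


def replay(cfg: RrlConfig, queries: List[Tuple[int, str, str]]) -> List[str]:
    """Run a query sequence through a fresh limiter and return the actions."""
    rrl = DnsResponseRateLimiter(cfg)
    return [rrl.handle(ts, src, fqdn) for ts, src, fqdn in queries]


# Constructed traffic: a quiet client sends one query; a noisy client sends six
# queries in the same second, one more a second later, and one after the window
# has passed.
QUERIES = (
    [(0, "10.1.1.2", "example.com")]
    + [(0, "10.1.1.1", "example.com")] * 6
    + [(1, "10.1.1.1", "example.com"), (10, "10.1.1.1", "example.com")]
)

if __name__ == "__main__":
    enforce = RrlConfig(filter_response_rate=3, response_rate=2, window_seconds=10, enable_log=True)
    print("enforce :", replay(enforce, QUERIES))
    monitor = RrlConfig(filter_response_rate=3, response_rate=2, window_seconds=10,
                        enable_log=True, log_only=True)
    print("log-only:", replay(monitor, QUERIES))
```

Running the log-only configuration first on live traffic shows, through the counters and log lines, which clients the enforcing configuration would have throttled.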
[no] rpz seq_id file_name logging {enable action} – Specify the Response Policy Zone (RPZ) file to be bound with the DNS template. The parameters are described below:
• seq_id: Specify the sequential ID (1-8).
• file_name: Specify the name of the RPZ file, 1-63 characters.
• logging: Use this keyword to log the RPZ-triggered actions. When logging is set to enable, the actions listed below take effect.
• action: When logging is enabled, you can specify any of the following actions:
  • drop: Log the drop action
  • pass-thru: Log the pass-thru action
  • nxdomain: Log the nxdomain action
  • nodata: Log the nodata action
  • tcp-only: Log the tcp-only action
  • local-data: Log the local-data action
Default DNS template options have the default settings described in the table
above.
Mode Configure
Usage The normal form of this command creates a DNS template. The no form of
this command removes the template.
You can bind only one DNS template to a virtual port. However, you can
bind the same DNS template to multiple ports.
For DNS caching, bind the template to virtual port type dns-udp. Virtual
port type dns applies only to DNS security.
DNS templates are not supported with stateless load-balancing
methods.
Example This example configures the age of the virtual port DNS cache using DNS template dns1 to be the minimum of 600 seconds and the server response TTL:
ACOS(config)# show running-config | section class-list
class-list cl1 dns
dns contains example.com lid 1
ACOS(config)# slb template dns dns1
ACOS(config-dns)# class-list name cl1
ACOS(config-dns)# class-list lid 1
ACOS(config-dns)# remove-aa-flag
ACOS(config-dns-lid)# dns ttl 600 honor-server-response-ttl
Example The following command configures round-robin serving of DNS cache records on the dns1 template.
ACOS(config)# slb template dns dns1
ACOS(config-dns)# cache-record-serving-policy round-robin
Example The following command means the age of the virtual port DNS cache
using DNS template dns1 will be 600 seconds:
ACOS(config-dns-lid)# dns ttl 600
Example The following command means the server response TTL will be used as
the virtual port’s DNS cache TTL using DNS template dns1:
ACOS(config-dns-lid)# dns ttl honor-server-response-ttl
Example The following example configures a recursive DNS resolver that you can
bind with the SLB virtual server:
ACOS(config)# slb template dns dns1
ACOS(config-dns)# recursive-dns-resolution
ACOS(config-dns-recursive-dns-resolution)# host1
Example The following commands bind the RPZ to the templ_dns template:
ACOS(config)# slb template dns templ_dns
ACOS(config-dns)# rpz 1 A10.rpz
ACOS(config-dns-rpz)# logging enable
ACOS(config-dns-rpz-logging:enable)# rpz-action drop
ACOS(config-dns-rpz-logging:enable)# rpz-action tcp-only
Default The DNS Query type is the default type. Currently, it is the only supported
DNS type.
This command activates the SLB DNS Template Configuration mode
where the following commands are available.
Mode Configure
Usage You must remove all CGNv6 configurations before making SLB configurations (including WAF, aFleX, AAM, GSLB, and Overlay).
The normal form of this command creates a DNS template. The no form of
this command removes the template.
Example The following example logs the DNS queries associated with the dns710
template:
ACOS(config)# slb template dns-logging dns710
The DNS log created by the command uses the following conventions:
• proto – The protocol being used: UDP, TCP, or both
• src – Source IP of the incoming packet
• spt – Source port of the incoming packet
• dest – Destination IP address
• dpt – Destination port of the packet
• type – Query is the only supported type
• queryId – Query ID of the request
The following example shows the DNS Request Question (CEF and
Syslog) that results from specifying the question request-section:
Apr 02 2019 20:49:10 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556098|Log DNS Request Question|2|proto=UDP src=10.1.1.1 spt=42839 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=32748 cn1Label=Query ID dhost=server.pradeep.com cs2=A cs2Label=Query Type cs3=IN cs3Label=Query Class
Apr 02 2019 20:51:59 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556098|Log DNS Request Question|2|proto=TCP src=10.1.1.1 spt=38573 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=50512 cn1Label=Query ID dhost=server.pradeep.com cs2=A cs2Label=Query Type cs3=IN cs3Label=Query Class
Apr 02 2019 20:47:43 Info [ACOS]:UDP 10.1.1.1.54170 30.1.10.1.53 Type=Query QueryId=7280 dhost=server.pradeep.com QueryType=A QueryClass=IN
Apr 02 2019 20:50:42 Info [ACOS]:TCP 10.1.1.1.33086 30.1.10.1.53 Type=Query QueryId=37115 dhost=server.pradeep.com QueryType=A QueryClass=IN
The following example shows the DNS Request Header and Questions (CEF and Syslog) that result from specifying the all request-section:
Apr 02 2019 20:49:25 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556099|Log DNS Request Header and Questions|2|proto=UDP src=10.1.1.1 spt=35419 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=6966 cn1Label=Query ID cs2=Query cs2Label=Opcode cs3=RD|AD cs3Label=Header Flag cn2=1 cn2Label=Question Count cn3=0 cn3Label=Answer Record Count cn4=0 cn4Label=Authority Record Count cn5=1 cn5Label=Additional Record Count dhost=server.pradeep.com cs4=A cs4Label=Query Type cs5=IN cs5Label=Query Class
Apr 02 2019 20:52:14 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556099|Log DNS Request Header and Questions|2|proto=TCP src=10.1.1.1 spt=56362 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=44728 cn1Label=Query ID cs2=Query cs2Label=Opcode cs3=RD|AD cs3Label=Header Flag cn2=1 cn2Label=Question Count cn3=0 cn3Label=Answer Record Count cn4=0 cn4Label=Authority Record Count cn5=1 cn5Label=Additional Record Count dhost=server.pradeep.com cs4=A cs4Label=Query Type cs5=IN cs5Label=Query Class
Apr 02 2019 20:47:57 Info [ACOS]:UDP 10.1.1.1.33912 30.1.10.1.53 Type=Query QueryId=62463 Opcode=Query HeaderFlag=RD|AD QDCount=1 ANCount=0 NSCount=0 ARCount=1 dhost=server.pradeep.com QueryType=A QueryClass=IN
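A parser for the two DNS request log formats shown above (CEF with labelled custom fields, and the plain syslog form), added here as an example and not part of the ACOS documentation or product. It normalises both formats to one record so a collector-side rule can count queries per source regardless of which format the template emits; the sample lines are the ones shown on this page and the record field names are this example's own.

```python
"""Parser for the CEF and syslog DNS request log lines shown above,
normalising both to one record. Added example for this page, not ACOS code;
the record field names ("qname", "query_id", ...) are this example's own."""
import re
from typing import Dict, List, Optional

# Sample lines reproduced from the page (one CEF and one syslog line per request-section).
SAMPLE_LINES = [
    "Apr 02 2019 20:49:10 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556098|Log DNS Request Question|2|proto=UDP src=10.1.1.1 spt=42839 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=32748 cn1Label=Query ID dhost=server.pradeep.com cs2=A cs2Label=Query Type cs3=IN cs3Label=Query Class",
    "Apr 02 2019 20:47:43 Info [ACOS]:UDP 10.1.1.1.54170 30.1.10.1.53 Type=Query QueryId=7280 dhost=server.pradeep.com QueryType=A QueryClass=IN",
    "Apr 02 2019 20:49:25 Info [ACOS]: vThunder CEF:0|A10|ADC|4.1.4-adc-420-feat-238627|486715039831556099|Log DNS Request Header and Questions|2|proto=UDP src=10.1.1.1 spt=35419 dst=30.1.10.1 dpt=53 cs1=Query cs1Label=Query cn1=6966 cn1Label=Query ID cs2=Query cs2Label=Opcode cs3=RD|AD cs3Label=Header Flag cn2=1 cn2Label=Question Count cn3=0 cn3Label=Answer Record Count cn4=0 cn4Label=Authority Record Count cn5=1 cn5Label=Additional Record Count dhost=server.pradeep.com cs4=A cs4Label=Query Type cs5=IN cs5Label=Query Class",
    "Apr 02 2019 20:47:57 Info [ACOS]:UDP 10.1.1.1.33912 30.1.10.1.53 Type=Query QueryId=62463 Opcode=Query HeaderFlag=RD|AD QDCount=1 ANCount=0 NSCount=0 ARCount=1 dhost=server.pradeep.com QueryType=A QueryClass=IN",
]

# key=value pairs whose values may contain spaces (e.g. "cn1Label=Query ID"):
# a value runs until the next " key=" or the end of the string.
_KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Syslog form: "[ACOS]:UDP <src-ip>.<src-port> <dst-ip>.<dst-port> key=value ..."
_SYSLOG_RE = re.compile(r"\[ACOS\]:\s*(UDP|TCP) (\S+) (\S+) (.*)$")


def parse_kv(text: str) -> Dict[str, str]:
    return {k: v for k, v in _KV_RE.findall(text)}


def resolve_cef_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Replace CEF custom fields (cs1, cn1, ...) by the names in their *Label keys."""
    out: Dict[str, str] = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        out[ext.get(key + "Label") or key] = value
    return out


def split_ip_port(addr: str):
    """'10.1.1.1.54170' -> ('10.1.1.1', 54170): the syslog form appends the port with a dot."""
    ip, port = addr.rsplit(".", 1)
    return ip, int(port)


def parse_dns_log_line(line: str) -> Optional[Dict[str, object]]:
    """Normalise one CEF or syslog DNS request log line; None if it is neither."""
    if "CEF:" in line:
        # Seven pipe-separated header fields, then the extension; split on the
        # first seven pipes only, because "cs3=RD|AD" contains a pipe.
        parts = line[line.index("CEF:"):].split("|", 7)
        if len(parts) != 8:
            return None
        f = resolve_cef_labels(parse_kv(parts[7]))
        return {
            "format": "cef", "event": parts[5], "proto": f.get("proto"),
            "src": f.get("src"), "spt": int(f["spt"]), "dst": f.get("dst"), "dpt": int(f["dpt"]),
            "query_id": int(f["Query ID"]), "qname": f.get("dhost"),
            "qtype": f.get("Query Type"), "qclass": f.get("Query Class"),
            "header_flags": f.get("Header Flag"),
        }
    m = _SYSLOG_RE.search(line)
    if not m:
        return None
    proto, src_addr, dst_addr, rest = m.groups()
    kv = parse_kv(rest)
    src, spt = split_ip_port(src_addr)
    dst, dpt = split_ip_port(dst_addr)
    # The syslog form carries no event name; infer it from the presence of header fields.
    event = "Log DNS Request Header and Questions" if "HeaderFlag" in kv else "Log DNS Request Question"
    return {
        "format": "syslog", "event": event, "proto": proto,
        "src": src, "spt": spt, "dst": dst, "dpt": dpt,
        "query_id": int(kv["QueryId"]), "qname": kv.get("dhost"),
        "qtype": kv.get("QueryType"), "qclass": kv.get("QueryClass"),
        "header_flags": kv.get("HeaderFlag"),
    }


def queries_per_source(lines: List[str]) -> Dict[str, int]:
    """Count parsed queries by source IP: the aggregate a query-flood rule watches."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_dns_log_line(line)
        if rec:
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_dns_log_line(sample))
    print(queries_per_source(SAMPLE_LINES))
```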
be used.
Default DoH template options have the default settings described in the table
above.
Mode Configure
Usage The normal form of this command creates a DoH template. The no form of
this command removes the template.
You can bind only one DoH template to a virtual port. However, you can
bind the same DoH template to multiple ports.
DoH templates are not supported with stateless load-balancing methods.
Example Configure a new DoH template and set TCP forwarding policy:
Example Configure a new DoH template and set IPv4 address forwarding policy
internally with TCP protocol:
ACOS(config)# slb template doh doh2
ACOS(config-doh)# forwarder
ACOS(config-doh-forwarder)# forwarding-ipv4 10.10.1.10 internal port 53 protocol tcp
Example Configure a new DoH template and set IPv4 address forwarding policy to
external DNS server:
ACOS(config)# slb template doh doh3
ACOS(config-doh)# forwarder
ACOS(config-doh-forwarder)# forwarding-ipv4 10.23.1.1
Default The configuration does not have a default External Service template. If
you configure one, the template has the default values described in the
table above.
If you plan to use a non-standard FTP port number, use this option to
specify the port number, 1-65535.
• auto-disable-on-high-cpu percent
• content-type content-string
• exclude-content-type content-string
• exclude-uri uri-string
• keep-accept-encoding enable
When keep-accept-encoding is enabled, compression is performed by the real server instead of the ACOS device, if the server is configured to perform the compression. The ACOS device compresses the content that the real server does not compress. This option is disabled by default, which means the ACOS device performs all the compression.
• minimum-content-length bytes
• response-code
• secure
NOTE: For a list of media type strings, see the Internet Assigned Numbers Authority Web site: http://www.iana.org/assignments/media-types.
NOTE: You can use URL switching or Host switching in an HTTP template, but not both. However, if you need to use both types of switching, you can do so with an aFleX script.
Default The configuration has a default HTTP template. In the template, most
options are disabled or not set.
Compression is disabled by default. When you enable it, it has the default
settings described in the table above.
To display the default HTTP template settings, use the show slb
template http default command.
Usage The normal form of this command creates an HTTP configuration template. The no form of this command removes the template.
You can bind only one HTTP template to a virtual port. However, you can
bind the same HTTP template to multiple ports.
Header insertion is not supported on fast-HTTP virtual ports.
When the keep-client-alive option is enabled, the way ACOS keeps
the session with the client up depends on the way the server session is
terminated:
• Normal TCP/IP connection termination by a TCP RST or FIN – ACOS
does not forward the RST or FIN to the client, and instead leaves the
client session open. (Technically, the session is left in the client-
request-state, wherein ACOS awaits the client’s next request.)
• “Connection: Close” header option in the response – ACOS removes
this header from the server reply before forwarding the reply to the
client.
• Client is using HTTP 1.0, and did not use the “Connection: Keep-Alive” header option – ACOS inserts this header into the server reply before forwarding the reply to the client.
Starts-with, Contains, and Ends-with Rule Matching
The starts-with, contains, and ends-with options are always applied
in the following order, regardless of the order in which the commands
appear in the configuration. The service group for the first match is used.
• starts-with
• contains
• ends-with
If a template has more than one command with the same option
(starts-with, contains, or ends-with) and a host name or URL
Example These commands configure an HTTP template to use URL hashing. Hash
values are calculated based on the last 8 bytes of the URL. In this
example, URL switching is also configured in the template. As a result, the
ACOS device uses URL switching to select a service group first, then uses
URL hashing to select a server within that service group. If the template
did not also contain URL switching commands, this template would
always select a server from service group sg3.
ACOS(config)# slb template http hash
ACOS(config-http)# url-hash-persist last 8
ACOS(config-http)# url-switching starts-with /news service-group sg1
ACOS(config-http)# url-switching starts-with /sports service-group sg2
ACOS(config-http)# exit
ACOS(config)# slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# service-group sg3
ACOS(config-slb vserver-vport)# template http hash
Example These commands configure an HTTP template that replaces the client IP
addresses in the X-Forwarded-For field with the current client IP
address:
ACOS(config)# slb template http clientip-replace
ACOS(config-http)# insert-client-ip X-Forwarded-For replace
Example These commands create the HTTP template abc and configure it so that, upon receiving an HTTP request with an Expect: 100-continue header, ACOS assigns all subsequent packets to that request until it receives the expected number of packets.
ACOS(config)# slb template http abc
ACOS(config-http)# 100-cont-wait-for-req-complete
Usage These match options are always applied in the order shown above,
regardless of the order in which the rules appear in the configuration. The
WAF template associated with the rule that matches first is used.
If a template has more than one rule with the same match option (equals,
starts-with, contains, or ends-with) and a URL matches on more than
one of them, the most-specific match is always used.
A template can have a single-match rule or multi-match rules. The
multi-match-rule is used when multiple rules need to be specified. The
multi-match-rule objects are matched according to the given
sequence number. For example, if the incoming HTTP request satisfies
two rules, the rule with the smaller sequence number is selected. The
WAF template associated with this rule is used.
The service group or waf template selection for the single-match-rule
and multi-match-rule is based on the following priority order: host, url,
Usage Logging over TCP also requires some additional configuration. See the
Application Delivery Controller Guide.
Replace num with the identification number of the template. This can be a number between 1 and 16.
Default The ports within a given monitor entry are always ANDed. If you specify
more than one port (eth portnum option) in the same monitor entry, the
specified event must occur on all the ports in the entry. For example, if
you specify link-down eth 9 eth 11, the link must go down on ports 9 and
11, for the link-state changes to count as a monitored event.
Usage The logical operator applies only to monitor entries, not to action entries. For example, if the logical operator is OR, and at least one of the monitored events occurs, all the actions configured in the template are applied.
You can configure the entries in any order. In the configuration, the
entries of each type are ordered based on sequence number.
Example The following example shows how to use the SLB link monitoring command in a CGN shared partition:
ACOS(config)# allow-slb-cfg enable
ACOS(config)# slb template monitor 1
ACOS(config-monitor)# monitor-or
ACOS(config-monitor)#
Usage This command enters the SLB Template Configuration mode where
additional commands are available.
destination hostname
Description Configure a destination hostname for link probe template.
Syntax destination hostname <host_name> {resolve-to-ipv4 | resolve-to-ipv6 | static-ipv4-addr | static-ipv6-addr}
Example The following example configures an slb template link-probe with a destination hostname and a static or dynamic IP address (IPv4 or IPv6). Only one hostname+IP combination is allowed inside a template:
ACOS(config-probe template)# destination hostname www.probe-template-dest.com resolve-to-ipv4
ACOS(config-probe template)# destination hostname www.probe-template-dest.com resolve-to-ipv6
ACOS(config-probe template)# destination hostname www.probe-template-dest.com static-ipv4-addr 172.16.213.94
probe-interval
Description Configure a probe-interval for the link probe.
probes-per-test
Description Configure number of probes-per-test.
rtt-method
Description Configure a rtt-method type for link probe.
tcp rtt Use the TCP smoothed round-trip time (SRTT) in the HTTP connection. TCP SRTT is calculated for the TCP connection up to the point of receiving an expected HTTP response.
Usage Round-trip time (RTT) is the duration in milliseconds it takes for a network
request to go from a starting point to a destination and back again to the
starting point.
An RTT sample is marked as an error if an unexpected HTTP status code or TCP status is received or a network error occurs.
Example Calculate the round-trip time between the HTTP request and response. An RTT sample is marked as an error if an unexpected HTTP status code is received or a network error occurs.
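The following is an added example, not code from the reference or from ACOS, that models one link-probe test the way the rtt-method, probes-per-test, probe-interval and expected-status-code options describe it: a test sends probes-per-test HTTP requests, each sample is the request/response latency in milliseconds, a sample is marked as an error when the status code is not the expected one or the request fails at the network level, and the test reports the average over the non-error samples. The transport and clock are injectable so the logic runs offline; http_get_status is a plain http.client transport for real use. ProbeConfig, run_test and the other names are this example's own.

```python
"""Link-probe RTT sampling (added example, not ACOS code)."""
import http.client
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ProbeConfig:
    url: str = "/"                   # page default for the url option
    expected_status_code: int = 200  # the code returned when the page loads as expected
    probes_per_test: int = 10
    probe_interval: float = 2.0      # seconds between probes within one test


@dataclass
class Sample:
    rtt_ms: Optional[float]  # None when no response was received at all
    error: bool


@dataclass
class TestResult:
    samples: List[Sample]
    average_rtt_ms: Optional[float]  # None when every sample was an error
    error_count: int


def http_get_status(host: str, port: int, url: str, timeout: float = 5.0) -> int:
    """Real transport: one HTTP GET, returns the status code.
    Network failures surface as OSError (socket errors subclass it)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", url, headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def run_test(cfg: ProbeConfig,
             send: Callable[[str], int],
             clock: Callable[[], float] = time.monotonic,
             sleep: Callable[[float], None] = time.sleep) -> TestResult:
    """Run one test of probes_per_test probes and average the good RTTs.
    send(url) returns the HTTP status or raises OSError on a network error."""
    samples: List[Sample] = []
    for i in range(cfg.probes_per_test):
        start = clock()
        try:
            status = send(cfg.url)
        except OSError:
            # network error: no RTT can be attributed, the sample is an error
            samples.append(Sample(None, True))
        else:
            rtt_ms = (clock() - start) * 1000.0
            # unexpected status: latency is known but the sample still counts as an error
            samples.append(Sample(rtt_ms, status != cfg.expected_status_code))
        if i < cfg.probes_per_test - 1:
            sleep(cfg.probe_interval)
    good = [s.rtt_ms for s in samples if not s.error and s.rtt_ms is not None]
    avg = sum(good) / len(good) if good else None
    return TestResult(samples, avg, sum(1 for s in samples if s.error))


def fake_clock(ticks):
    """Deterministic clock replaying constructed timestamps (seconds)."""
    it = iter(ticks)
    return lambda: next(it)


def fake_send(outcomes):
    """Transport replaying constructed outcomes: an int status or an OSError instance."""
    it = iter(outcomes)

    def send(_url):
        out = next(it)
        if isinstance(out, Exception):
            raise out
        return out
    return send


def demo() -> TestResult:
    """Four constructed probes: 500 ms OK, 250 ms OK, 125 ms with HTTP 500, one connection failure."""
    cfg = ProbeConfig(probes_per_test=4)
    clock = fake_clock([0.0, 0.5, 10.0, 10.25, 20.0, 20.125, 30.0])
    send = fake_send([200, 200, 500, ConnectionRefusedError("constructed")])
    return run_test(cfg, send, clock=clock, sleep=lambda _s: None)


if __name__ == "__main__":
    r = demo()
    print(f"Average RTT: {r.average_rtt_ms} ms, errors: {r.error_count}/{len(r.samples)}")
```

The average in demo() comes out at 375.0 ms over the two good samples; the HTTP 500 sample keeps its latency but is excluded from the average, and the refused connection has no latency at all, which is the distinction the text draws between an unexpected status and a network error.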
selection-rule
Description Specify the link selection strategy for link-probe template.
test-interval
Description Configure a test-interval for link-probe template.
user-tag
Description Configure a user-tag and associate it to link probe template.
Usage This is a very useful method of creating and managing website or module permissions. You can customize the tags for the users.
expected-status-code
Description Configure an expected-status-code.
Example This is the code that is returned when a web page or resource loads exactly as expected.
url
Description Configure a URL for the link probe. Specify the URL to which probes should be sent.
Default Default is /
Default NA
Mode All
Example
ACOS(config)# show slb link-probe entry
---------------------------------------------------------------------------------------------
Next-Hop SLB Server   IP Type   Probe Dest IP Address   Domain-Name         URL   Average RTT
---------------------------------------------------------------------------------------------
rs211-3               Static    172.16.213.93           test1.example.com   /     1
---------------------------------------------------------------------------------------------
Next-Hop SLB Server   IP Type   Probe Dest IP Address   Domain-Name         URL   Average RTT
---------------------------------------------------------------------------------------------
rs211                 Static    172.16.213.93           test1.example.com   /     13
ACOS(config)# show slb link-probe entry server rs211
---------------------------------------------------------------------------------------------
Next-Hop SLB Server   IP Type   Probe Dest IP Address   Domain-Name         URL   Average RTT
---------------------------------------------------------------------------------------------
rs211                 Static    172.16.213.93           test1.example.com   /     10
---------------------------------------------------------------------------------------------
Next-Hop SLB Server   IP Type   Probe Dest IP Address   Domain-Name         URL   Average RTT
---------------------------------------------------------------------------------------------
rs212                 Static    172.16.213.93           test1.example.com   /     33
---------------------------------------------------------------------------------------------
Next-Hop SLB Server   IP Type   Probe Dest IP Address   Domain-Name         URL   Average RTT
---------------------------------------------------------------------------------------------
rs211-3               Static    172.16.213.93           test1.example.com   /     1
---------------------------------------------------------------------------------------------
Next-Hop SLB Server   IP Type   Probe Dest IP Address   Domain-Name         URL   Average RTT
---------------------------------------------------------------------------------------------
rs211                 Static    172.16.213.93           test1.example.com   /     13
ACOS(config)# show slb link-probe entry service-group sg1 detail
Next-Hop SLB Server : rs212
Probe Template Name : a
Domain-Name : test1.example.com
URL : /
IP Type : Static
Probe Dest IP Address : 172.16.213.93
Current Probe in Test : 10
Probes Per Test : 10
Probe Interval (Seconds) : 2
Test Interval (Seconds) : 1
RTT Method : HTTP Req - Resp Latency
Last HTTP Status Code : 200
Average RTT : 32
The cookie that the ACOS device inserts into the server reply has this
format:
Set-Cookie: cookiename-vport=rserverIP_rport
The vport is the virtual port number. The rserverIP is the real server IP
address and the rport is the real server port number.
The port option is shown in parentheses because the CLI does not
have a “port” keyword. If you do not set the match type to server
(see below), the match type is automatically “port”.
• match-type server – Subsequent requests from the client for the
same VIP will be sent to the same real server, provided that all virtual
ports of the VIP use the same cookie persistence template with
The cookie that the ACOS device inserts into the server reply has this
format:
Set-Cookie: cookiename=rserverIP
The cookie that the ACOS device inserts into the server reply has the
following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport
The cookie that the ACOS device inserts into the server reply has the
following format:
Set-Cookie: cookiename-servicegroupname=rserverIP
Default The configuration does not have a default destination-IP persistence template. If you configure one, it has the defaults specified in the table above.
Default The configuration does not have a default source-IP persistence template. If you configure one, it has the defaults described in the table above.
Usage The normal form of this command creates a source-IP persistence template. The “no” form of this command removes the template.
You can bind only one source-IP persistence template to a virtual port.
However, you can bind the same source-IP persistence template to
multiple ports.
If you use the incl-sport option, the IP address in the Forward Source
column of show session output is modified to include the source port.
For example, “155.1.1.151:33067” is shown as “1.151.129.43”.
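The reference gives a single data point for the incl-sport display and does not spell out the encoding. The following is an added example, not ACOS code, built on one reading of that data point: the shown value is the last two octets of the source IP followed by the high and low bytes of the source port (33067 = 129*256 + 43), which reproduces “1.151.129.43” from “155.1.1.151:33067”. That reading is this example's assumption. The two functions render and invert the display, which is what you need when correlating show session output against packet captures or firewall logs; note that the first two octets of the source address are not present in the shown value and cannot be recovered from it.

```python
"""incl-sport Forward Source display (added example, not ACOS code; encoding is assumed)."""
import ipaddress
from typing import Tuple


def incl_sport_display(src_ip: str, src_port: int) -> str:
    """Render source IP:port the way incl-sport is assumed to display it:
    third octet, fourth octet, port high byte, port low byte."""
    octets = ipaddress.IPv4Address(src_ip).packed  # validates the address
    if not 0 <= src_port <= 65535:
        raise ValueError(f"port out of range: {src_port}")
    return f"{octets[2]}.{octets[3]}.{src_port >> 8}.{src_port & 0xFF}"


def incl_sport_parse(shown: str) -> Tuple[str, int]:
    """Recover what the display preserves: the low two octets (as 'c.d') and the port."""
    parts = shown.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an incl-sport display value: {shown!r}")
    c, d, hi, lo = (int(p) for p in parts)
    return f"{c}.{d}", (hi << 8) | lo


if __name__ == "__main__":
    print(incl_sport_display("155.1.1.151", 33067))  # 1.151.129.43
    print(incl_sport_parse("1.151.129.43"))          # ('1.151', 33067)
```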
Using the Same VIP and Port Number for TCP and UDP Ports
When applying the source-IP persistence template to two virtual ports
with the same VIP and protocol port number but different Layer 4
protocols (TCP or UDP), member lists for the ports must be identical in
both TCP and UDP service groups.
For example, the following configuration works because service groups
5060-tcp and 5060-udp have the same member list although their
protocols are different.
slb virtual-server vip2 13.0.0.100
   port 5060 sip-tcp
      service-group 5060-tcp
      template persist source-ip per-sip
   port 5060 sip
      service-group 5060-udp
      template persist source-ip per-sip
!
slb service-group 5060-tcp tcp
   member s1 5060
   member s2 5060
!
slb service-group 5060-udp udp
   member s1 5060
   member s2 5060
The configuration will not work if the member lists in the service groups
are different. For example, the configuration will not work if the TCP
group's member list is changed to either of the following:
slb service-group 5060-tcp tcp
   member s3 5060
   member s4 5060
or
slb service-group 5060-tcp tcp
   member s1 5061
   member s2 5061
NOTE: When multiple ssl-sid persist sessions created by the same tuple (same source IP address and same source port) exist, and the age of a data session with the same source IP address and source port is updated, the age of those ssl-sid persist sessions is also refreshed.
Default The configuration does not have a default SSL session-ID persistence
template. If you configure one, it has the defaults described in the table
above.
Usage The normal form of this command creates an SSL session-ID persistence
template. The “no” form of this command removes the template.
You can bind one SSL session-ID persistence template to a virtual port.
However, you can bind the same SSL session-ID persistence template to
multiple ports.
To display SSL session-ID persistence statistics, use the show slb l4
command.
Chapter 4: Config Commands: SLB Cache Templates
This section lists the commands and sub-commands to configure SLB cache templates.
Usage The normal form of this command creates a RAM caching configuration
template. The no form of this command removes the template.
You can bind only one RAM caching template to a virtual port. However,
you can bind the same RAM caching template to multiple ports.
If a URI matches the pattern in more than one policy command, the
policy command with the most specific match is used. For example, if a
template has the following commands, content for page122 is cached
whereas content for page123 is not cached:
policy uri /page12 cache 300
policy uri /page123 nocache
Example The following commands configure some dynamic caching policies. The
policy that matches on “/list” caches content for 5 minutes. The policy
that matches on “/private” does not cache content.
ACOS(config)# slb template cache ram-cache
ACOS(config-ram caching)# policy uri /list cache 300
ACOS(config-ram caching)# policy uri /private nocache
Example The following commands configure a RAM caching template that will
only cache content from www.xyz.com/news-clips.
ACOS(config)# slb template cache ramcache
ACOS(config-ram caching)# default-policy-nocache
ACOS(config-ram caching)# policy uri www.xyz.com/news-clips cache
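The following is an added example, not code from the reference or from ACOS, that implements the policy selection described in the Usage text and the two examples above: when a URI matches more than one policy uri command, the most specific match is used (so with /page12 cache 300 and /page123 nocache, page122 is cached and page123 is not), and under default-policy-nocache only content matching an explicit cache policy is cached. That a policy pattern matches as a prefix of the request URI is this example's assumption; CachePolicy, CacheTemplate, resolve_policy and parse_policy_line are the example's own names.

```python
"""RAM cache policy resolution (added example, not ACOS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CachePolicy:
    uri: str                       # pattern from "policy uri <pattern> ..."
    cache: bool                    # True for "cache", False for "nocache"
    seconds: Optional[int] = None  # explicit lifetime; None means age / server value applies


@dataclass(frozen=True)
class CacheTemplate:
    policies: List[CachePolicy]
    default_policy_nocache: bool = False  # set by "default-policy-nocache"


def resolve_policy(tmpl: CacheTemplate, uri: str) -> Tuple[bool, Optional[int]]:
    """Return (should_cache, lifetime_seconds) for a request URI.
    lifetime_seconds is None when caching is off or when no explicit lifetime
    was given (the template age or the server's headers decide then)."""
    hits = [p for p in tmpl.policies if uri.startswith(p.uri)]  # prefix match: assumption
    if hits:
        best = max(hits, key=lambda p: len(p.uri))  # most specific = longest pattern
        return (best.cache, best.seconds if best.cache else None)
    if tmpl.default_policy_nocache:
        return (False, None)
    return (True, None)  # default policy "cache"


def parse_policy_line(line: str) -> CachePolicy:
    """Parse "policy uri <pattern> cache [seconds]" or "policy uri <pattern> nocache"."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "policy" or tok[1] != "uri":
        raise ValueError(f"unsupported policy line: {line!r}")
    if tok[3] == "nocache":
        return CachePolicy(tok[2], False)
    if tok[3] == "cache":
        return CachePolicy(tok[2], True, int(tok[4]) if len(tok) > 4 else None)
    raise ValueError(f"unsupported action in: {line!r}")


# Constructed templates built from the policy lines quoted in the text above.
EXAMPLE = CacheTemplate(
    policies=[parse_policy_line(line) for line in (
        "policy uri /page12 cache 300",
        "policy uri /page123 nocache",
        "policy uri /list cache 300",
        "policy uri /private nocache",
    )],
)
STRICT = CacheTemplate(
    policies=[parse_policy_line("policy uri www.xyz.com/news-clips cache")],
    default_policy_nocache=True,
)

if __name__ == "__main__":
    for uri in ("/page122", "/page123", "/list/all", "/private/x", "/other"):
        print(uri, resolve_policy(EXAMPLE, uri))
    print("www.xyz.com/index.html", resolve_policy(STRICT, "www.xyz.com/index.html"))
```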
accept-reload-req 202
age 203
default-policy-nocache 203
disable-insert-age 204
disable-insert-via 204
max-cache-size 204
max-content-size 205
min-content-size 205
policy 206
remove-cookies 206
verify-host 208
accept-reload-req
Description Enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the
ACOS device to reload the cached object from the origin server.
Default Disabled.
age
Description Specifies how long a cached object can remain in the ACOS RAM cache
without being requested.
NOTE: This value is used if the web server specifies that the object is cacheable but does not specify for how long. If the server does specify how long the object is cacheable, then the server value is used instead.
Default 3600 seconds (1 hour), if the server specifies that the object is cacheable
but does not specify for how long.
default-policy-nocache
Description Changes the default cache policy in the template from cache to
nocache. This option gives you tighter control over content caching.
When you use the default no-cache policy, the only content that is
cached is cacheable content whose URI matches an explicit cache
policy.
disable-insert-age
Description Disables insertion of Age headers into cached responses.
disable-insert-via
Description Disables insertion of Via headers into cached responses.
max-cache-size
Description Specifies the size (in MB) of the RAM cache.
Default 80 MB.
max-content-size
Description Specifies the maximum object size that can be cached. The ACOS device
will not cache objects larger than this size. If you specify 0, no objects can
be cached.
min-content-size
Description Specifies the minimum object size that can be cached. The ACOS device
will not cache objects smaller than this size. If you specify 0, all objects
smaller than or equal to the maximum content size can be cached.
policy
Description Configure a policy for dynamic caching.
Example The following commands configure some dynamic caching policies. The
policy that matches on “/list” caches content for 5 minutes. The policy
that matches on “/private” does not cache content.
ACOS(config)# slb template cache ram-cache
ACOS(config-ram caching)# policy uri /list cache 300
ACOS(config-ram caching)# policy uri /private nocache
remove-cookies
Description Removes cookies from server replies so the replies can be cached. RAM
caching does not cache server replies that contain cookies. (Image files
are an exception. RAM caching can cache images that have cookies.)
replacement-policy LFU
Description Specifies that the Least Frequently Used (LFU) policy is used to make room for new objects when the RAM cache is full. When the RAM cache is more than 90% full, the ACOS device discards the least-frequently used objects to ensure room for new objects.
template logging
Description Specifies a logging template to use for external logging of RAM caching
events over TCP.
v-log
Example Specify a logging template “extlog1” that should be used for logging RAM
caching events:
ACOS(config)# slb template cache cache1
ACOS(config-ram caching)# template logging extlog1
verify-host
Description Enables the ACOS device to cache the host name in addition to the URI
for cached content. Use this command if a real server that contains
cacheable content hosts multiple host names (example: www.abc.com
and www.xyz.com).
Default By default, this is disabled. Host names are not cached along with URIs
for cached content.
Chapter 5: Config Commands: SLB Client SSL Templates
This section lists the commands and sub-commands to configure SLB client SSL templates.
Default If none of the SSL Client template sub-commands in the preceding table are configured, the default action of the SSL Client template is the combined default actions of the individual SSL Client sub-commands.
Usage The normal form of this command creates a client-SSL configuration template. The no form of this command removes the template.
For the forward-proxy-bypass option, match rules are always applied in
the following order:
• equals sni-string
• starts-with sni-string
• contains sni-string
• ends-with sni-string
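The following is an added example, not code from the reference or from ACOS, that implements the rule ordering the reference states in three places: the forward-proxy-bypass SNI rules just above (equals, then starts-with, contains, ends-with), the HTTP template's url-switching and host-switching rules in Chapter 3 (starts-with, contains, ends-with, with the most specific match used when several rules of one type match), and the WAF template's match rules in Chapter 3 (the same order, plus multi-match-rule, where the matching rule with the smallest sequence number wins). The rule types are applied by precedence regardless of the order in which they appear in the configuration; a tie within one type goes to the longest pattern, which is this example's reading of "most-specific match". Rule, select_single_match, select_multi_match and the constructed rule sets are the example's own.

```python
"""Match-rule selection for URL/host switching, WAF rules and SNI bypass (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Precedence as the reference states it; "equals" exists only where the command offers it.
PRECEDENCE: Dict[str, int] = {"equals": 0, "starts-with": 1, "contains": 2, "ends-with": 3}

MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda value, pat: value == pat,
    "starts-with": lambda value, pat: value.startswith(pat),
    "contains": lambda value, pat: pat in value,
    "ends-with": lambda value, pat: value.endswith(pat),
}


@dataclass(frozen=True)
class Rule:
    match_type: str            # one of PRECEDENCE
    pattern: str               # URL, host name or SNI string
    target: str                # service group, WAF template or bypass rule name
    seq: Optional[int] = None  # sequence number, multi-match rules only

    def matches(self, value: str) -> bool:
        return MATCHERS[self.match_type](value, self.pattern)


def select_single_match(rules: List[Rule], value: str) -> Optional[str]:
    """Type precedence first, then the most specific (longest) pattern; None if nothing matches."""
    hits = [r for r in rules if r.seq is None and r.matches(value)]
    if not hits:
        return None
    best = min(hits, key=lambda r: (PRECEDENCE[r.match_type], -len(r.pattern)))
    return best.target


def select_multi_match(rules: List[Rule], value: str) -> Optional[str]:
    """Multi-match rules: among the matching rules, the smallest sequence number wins."""
    hits = [r for r in rules if r.seq is not None and r.matches(value)]
    if not hits:
        return None
    return min(hits, key=lambda r: r.seq).target


# Constructed rule sets. URL rules extend the url-switching example in Chapter 3 and are
# listed deliberately with ends-with first to show that configuration order does not matter.
URL_RULES = [
    Rule("ends-with", ".css", "sg-static"),
    Rule("contains", "news", "sg-any-news"),
    Rule("starts-with", "/news", "sg1"),
    Rule("starts-with", "/news/archive", "sg-archive"),
    Rule("starts-with", "/sports", "sg2"),
]
SNI_RULES = [
    Rule("ends-with", ".bank.example", "bypass-rule-1"),
    Rule("equals", "login.bank.example", "bypass-rule-2"),
]
WAF_RULES = [
    Rule("contains", "admin", "waf-admin", seq=20),
    Rule("starts-with", "/api", "waf-api", seq=10),
]

if __name__ == "__main__":
    for url in ("/news/today", "/news/archive/2021", "/sports/scores", "/x.css", "/other"):
        print(url, "->", select_single_match(URL_RULES, url) or "no match: port service group")
    print("login.bank.example ->", select_single_match(SNI_RULES, "login.bank.example"))
    print("/api/admin ->", select_multi_match(WAF_RULES, "/api/admin"))
```

With these rules, /news/archive/2021 goes to sg-archive even though /news and the contains rule also match (same type, longer pattern wins; starts-with beats contains), login.bank.example selects the equals rule ahead of the ends-with rule, and /api/admin selects the sequence-10 rule although both WAF rules match.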
The close-notify option cannot be used along with the TCP-proxy template force-delete-timeout option. Doing so may cause unexpected behavior.
Example The following example shows how the certificate drop action is enabled
in the SSL Client template named, ClientSide_vRouter. Specifically, the
drop action occurs when OCSP reports the certificate is not currently
valid.
ACOS-Inside(config)# slb template client-ssl ClientSide_vRouter
ACOS-Inside(config-client ssl)# forward-proxy-verify-cert-drop
auth-username 216
auth-username-attribute 217
authorization 217
certificate 218
cipher 219
client-certificate 220
client-certificate-Request-CA 221
close-notify 222
crl 222
dh-param 223
direct-client-server-auth 223
disable-sslv3 224
early-data 224
ec-name 225
enable-ssli-ftp-alg 226
forward-proxy-block-message 227
213
Chapter 5: Config Commands: SLB Client SSL Templates
ACOS 5.2.1-P3 Command Line Reference for ADC Feedback
forward-proxy-ca-certificate 245
forward-proxy-cache-persistence 246
forward-proxy-cert-cache 247
forward-proxy-cert-expiry 248
forward-proxy-cert-ext 249
forward-proxy-cert-not-ready-action 249
forward-proxy-cert-revoke-action 250
forward-proxy-cert-unknown-action 251
forward-proxy-cert-validity 252
forward-proxy-crl-disable 252
forward-proxy-decrypted 253
forward-proxy-esni-action 253
forward-proxy-failsafe-disable 254
forward-proxy-inspect 254
forward-proxy-log-disable 258
forward-proxy-no-shared-cipher-action 258
forward-proxy-no-sni-action 259
forward-proxy-ocsp-disable 259
forward-proxy-require-sni-cert-matched 259
forward-proxy-selfsign-redir 260
forward-proxy-source-nat 261
forward-proxy-ssl-version 261
forward-proxy-trusted-ca 262
forward-proxy-verify-cert-fail-action 263
handshake-logging-enable 263
hsm-param 264
local-logging 264
non-ssl-bypass 264
ocsp-stapling 265
renegotiation-disable 266
server-name 266
server-name-auto-map 267
server-name-regex 268
server-name-bypass 269
session-cache-size 270
session-cache-timeout 271
session-ticket-lifetime 271
session-ticket-disable 272
ssl-false-start-disable 272
ssli-logging 273
sslv2-bypass 273
template 274
version 274
auth-username
Description Specifies the field to check in SSL certificates from clients in order to find
the client name.
Usage Multiple options can be specified, but you must specify at least one.
If multiple options are specified, the ACOS device will attempt to extract the username from the options in the order they are specified. For example:
auth-username subject-alt-name-email subject-alt-name-othername
This command causes the ACOS device to first attempt to extract the username from subject-alt-name-email, and only if it is not found there will it then attempt to extract the username from subject-alt-name-othername.
Example Configure the ACOS device to extract the email address from the client certificate:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# auth-username subject-alt-name-email
auth-username-attribute
Description Specifies the attribute name of the username for client SSL.
Default None.
authorization
Description Specifies an LDAP server to use for client SSL authorization.
certificate
Description Specifies the name of the certificate to use for terminating or initiating an
SSL connection. The certificate must be installed on the ACOS device.
A second certificate can be assigned to a template by using the alternate
option. Two certificates assigned to a template must be of different types
(RSA, ECDSA). A major (first) certificate must be assigned before an
alternate (second) certificate is accepted by the template.
cipher
Description Specifies the cipher suite to support for certificates from clients.
client-certificate
Description Specifies the action that the ACOS device takes in response to a client’s connection request.
Parameter Description
Ignore The ACOS device does not request the client to send its certificate.
Request The ACOS device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs:
Default Ignore.
client-certificate-Request-CA
Description Specifies the name of a CA certificate used in requests for client authentication.
Parameter Description
cert-name Specifies a second (or alternate) certificate (1-255 characters).
partition shared Bind shared client-certificate-Request-CA in private partition’s client-SSL template.
Default No default.
Example The following commands configure the ACOS device to request the client certificate and to send a list of more than 10 CAs in the certificate request. This is achieved by configuring a chain cert (named LargeExample.chain below) that contains multiple CA certificates:
ACOS(config)#slb template client-ssl client-ssl-example-name
ACOS(config-client ssl)#client-certificate-Request-CA ca1.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca2.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca3.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca4.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca5.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca6.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca7.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca8.crt
ACOS(config-client ssl)#client-certificate-Request-CA ca9.crt
ACOS(config-client ssl)#client-certificate-Request-CA LargeExample.chain
close-notify
Description Enables closure alerts for SSL sessions. When this option is enabled, the
ACOS device sends a close_notify message when an SSL transaction
ends, before sending a FIN. This behavior is required by certain types of
client applications, including PHP cgi. For this type of client, if the ACOS
device does not send a close_notify, an error or warning appears on the
client.
crl
Description Specifies the names of the Certificate Revocation Lists (CRLs) to use for verifying whether server certificates have been revoked. The CRLs must be installed on the ACOS device first (see the import command for details). The CA certificate relevant to the CRL must also be specified.
When you add a CRL to a server-SSL template, the ACOS device checks the CRL to confirm whether the servers’ certificates have been revoked by the issuing Certificate Authority (CA).
Example This example shows how to add CRL and CA certificates to a client-SSL
template.
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# client-certificate Require
ACOS(config-client ssl)# crl 10_ca.crt_crl.pem
ACOS(config-client ssl)# crl 20_ca.crt_crl.pem
ACOS(config-client ssl)# crl root-ca.pem.crl.pem
ACOS(config-client ssl)# ca-cert 10_ca_crt
ACOS(config-client ssl)# ca-cert 20_ca.crt
ACOS(config-client ssl)# ca-cert root-ca.pem
NOTE: If you plan to use a CRL, you must set the client-certificate mode to Require. The CRL should be signed by the same issuer as the CA certificate. Otherwise, the client and ACOS device will not be able to establish a connection.
dh-param
Description Specifies Diffie-Hellman parameters.
direct-client-server-auth
Description Allows the backend server to perform SSL client authentication directly.
disable-sslv3
Description Disables support for SSLv3 in client-SSL templates.
NOTE: If you disable SSLv3 support, when ACOS receives an SSLv3 Hello message from a client, ACOS responds by sending a TCP FIN to the client to end the session.
early-data
Description Enables early data (0-RTT) for TLSv1.3.
Additionally, you must configure session-cache-size to allow PSK resumption.
Usage This allows the TLS client to send encrypted data in the same packet as
the Client Hello during the handshake for resumed sessions.
ec-name
Description Specifies the Elliptic Curve name.
Default secp256r1
enable-ssli-ftp-alg
Description Enables FTP passive mode over TLS support for the specified port number. The port number can be between 1 and 65535.
Default Disabled.
enable-tls-alert-logging fatal
Description Enables logging of TLS alerts that include the flow information such as
source IP address.
forward-proxy-alt-sign cert
Description Configures the forward proxy alternate signing certificate, certificate key, and chain cert. Optionally sets a passphrase and binds a shared partition's certificate.
If the SSL site requested by the client is not on the trusted list (set by the
forward-proxy-trusted-ca command), the inside ACOS device signs
the cert with the key specified by this command.
forward-proxy-block-message
Description Sets a block message that is displayed on a webpage if a user encoun-
ters an invalid SSLi certificate issue.
Example The following command configures a custom block message for a certificate revocation error.
ACOS(config-client ssl)# forward-proxy-cert-revoke-action block
ACOS(config-client ssl)# forward-proxy-block-message "This website cannot be displayed as there is a certificate issue."
forward-proxy-bypass ad-group-list
Description Bypasses SSLi inspection if AD group name matches a class list entry.
Default None.
forward-proxy-bypass case-insensitive
Description Disables case sensitivity for string matching in SSLi bypass.
Usage Use this command to disable case sensitivity for matching strings in SSLi bypass. By default, matching is case sensitive. For example, the forward-proxy-bypass contains aa rule searches for matches on SNI strings that contain “aa” but not on strings that contain “AA”. With case sensitivity disabled, the same rule matches SNI strings that contain any of the following: “aa”, “AA”, “aA”, or “Aa”.
Case sensitivity is disabled on a template-wide basis; the setting applies to all match rules in the template.
forward-proxy-bypass certificate-issuer
Description Configures SSLi bypass based on the string from a certificate issuer.
Default None
Usage Use this command to enable SSLi bypass based on certificate issuer. To
determine the Certificate Authority that issued your certificate, open the
website in a browser and click on the certificate information.
The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.
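The precedence rules described above (a fixed evaluation order of equals, starts-with, contains, ends-with regardless of configuration order, the template-wide forward-proxy-bypass case-insensitive setting, and the most-specific rule winning within one match type) as an added Python model; this is not part of the A10 reference and not ACOS code. The page does not define "most-specific", so the model assumes the longest configured string wins.

```python
"""Model of ACOS SSLi forward-proxy-bypass string matching (added example).

The ordering equals > starts-with > contains > ends-with and the
template-wide case-insensitive flag follow the reference text; the
"longest configured string wins" tie-break is an ASSUMPTION standing in
for the undefined "most-specific match".
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Fixed evaluation order, independent of the order rules were configured in.
MATCH_ORDER = ("equals", "starts-with", "contains", "ends-with")


@dataclass
class BypassRule:
    match: str   # one of MATCH_ORDER
    value: str   # configured SNI / issuer / subject string


@dataclass
class ClientSslTemplate:
    rules: List[BypassRule] = field(default_factory=list)
    case_insensitive: bool = False   # forward-proxy-bypass case-insensitive

    def add(self, match: str, value: str) -> None:
        """Mirror of 'forward-proxy-bypass <match> <string>'."""
        if match not in MATCH_ORDER:
            raise ValueError(f"unknown match option {match!r}")
        self.rules.append(BypassRule(match, value))


def _hit(match: str, value: str, candidate: str) -> bool:
    """Apply one match option to an already case-folded pair of strings."""
    if match == "equals":
        return candidate == value
    if match == "starts-with":
        return candidate.startswith(value)
    if match == "contains":
        return value in candidate
    return candidate.endswith(value)        # ends-with


def first_matching_rule(tpl: ClientSslTemplate,
                        candidate: str) -> Optional[BypassRule]:
    """Return the rule that decides bypass for *candidate*, or None.

    Match types are tried in MATCH_ORDER regardless of configuration order.
    Within one type the longest configured string wins (assumed meaning of
    "most-specific").  With case_insensitive set, both the configured
    strings and the candidate are lower-cased before comparison.
    """
    fold = str.lower if tpl.case_insensitive else (lambda s: s)
    cand = fold(candidate)
    for match in MATCH_ORDER:
        hits = [r for r in tpl.rules
                if r.match == match and _hit(match, fold(r.value), cand)]
        if hits:
            return max(hits, key=lambda r: len(r.value))
    return None


def bypasses_ssli(tpl: ClientSslTemplate, sni: str) -> bool:
    """True when some bypass rule matches the SNI (or issuer/subject)."""
    return first_matching_rule(tpl, sni) is not None


if __name__ == "__main__":
    # Constructed sample template: rules added in "wrong" order on purpose.
    tpl = ClientSslTemplate()
    tpl.add("ends-with", ".bank.example")
    tpl.add("contains", "aa")
    tpl.add("equals", "login.bank.example")
    tpl.add("starts-with", "login.")
    for sni in ("login.bank.example", "api.bank.example", "other.example"):
        rule = first_matching_rule(tpl, sni)
        print(sni, "->", "bypass via " + rule.match if rule else "inspect")
```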
Example The following example configures a condition for bypassing SSLi if the certificate-issuer contains the string Norton:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass certificate-issuer contains Norton
forward-proxy-bypass certificate-san
Description Configures SSLi bypass based on the string from a certificate SAN.
Default None
Usage Use this command to enable SSLi bypass based on certificate SAN. Subject Alternative Name (SAN) certificates can secure a number of fully qualified domain names with a single certificate. The SAN field enables you to specify additional host names such as sites, IP addresses, common names, and so on, to be protected by a single SSL Certificate.
The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.
Example The following example configures a condition for bypassing SSLi if the certificate-SAN contains the string a10:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass certificate-san contains a10
forward-proxy-bypass certificate-subject
Description Configures SSLi bypass based on the string from a certificate subject.
Default None
Usage Use this command to enable SSLi bypass based on certificate subject.
The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of the order in which the rules appear in the configuration. If a template has more than one rule with the same match option (equals, starts-with, contains, or ends-with) and a value matches on more than one of them, the most-specific match is always used.
Example The following example configures a condition for bypassing SSLi if the certificate-subject contains the string a10:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-bypass certificate-subject contains a10
forward-proxy-bypass class-list
Description Configures SSLi bypass when the SNI of the outside server matches
based on the specified class list or class-lists.
Default None
Usage Use this command to enable SSLi bypass when the SNI of the outside
server matches based on the specified class list or class-lists. The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within the value.
Example The following example configures a condition for bypassing SSLi if the SNI of the outside server matches any entry in either of two class lists:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass class-list multi-class-list my-classlist-name1
ACOS(config-client ssl)# forward-proxy-bypass class-list multi-class-list my-classlist-name2
forward-proxy-bypass client-auth
Description Configures the SNI attributes and/or class-lists that determine whether a client is enabled for client-authentication SSLi bypass. These attributes and class-lists are bound to an SSL client template, which itself is bound to the ACOS decrypt device.
Parameter Description
forward-proxy-bypass contains
Description Configures SSLi bypass if SNI string contains the configured string.
Default None
Usage The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.
forward-proxy-bypass ends-with
Description Configures SSLi bypass if SNI string ends with the configured string.
Default None
Usage The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified
string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within
the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of
the order in which the rules appear in the configuration. If a template has
more than one rule with the same match option (equals, starts-with,
contains, or ends-with) and a value matches on more than one of them,
the most-specific match is always used.
forward-proxy-bypass equals
Description Configures SSLi bypass if SNI string equals the configured string.
Default None
Usage The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of the order in which the rules appear in the configuration. If a template has more than one rule with the same match option (equals, starts-with, contains, or ends-with) and a value matches on more than one of them, the most-specific match is always used.
forward-proxy-bypass exception-ad-group-list
Description Configures exceptions to SSLi bypass if AD group name matches an
entry in the exception AD group list.
Default None
Example The following example configures an exception class list for exceptions for SSLi bypass:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass exception-class-list mylist
forward-proxy-bypass exception-class-list
Description Configures exceptions to SSLi bypass if SNI string matches an entry in
the exception class list.
Default None
Example The following example configures an exception class list for exceptions for SSLi bypass:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass exception-class-list mylist
forward-proxy-bypass exception-user-name-list
Description Configures an exception to SSLi bypass if a user name matches an entry
in the user name exception class list.
Default None
Usage Use this command to configure exceptions for SSLi bypass based on
user names.
Example The following example configures an exception user name list of mylist:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass exception-user-name-list mylist
forward-proxy-bypass exception-web-category
Description Configures SSLi intercept decision making based on web URL category.
Default None
Example The following example configures a web category exception for sports URLs:
ACOS(config)# slb template client-ssl SSL_webcategoryexception
ACOS(config-client ssl)# forward-proxy-bypass exception-web-category sports
forward-proxy-bypass exception-web-reputation
Description Configures SSLi intercept decision making based on web URL reputation
scope.
Default None
Usage When the web-reputation score is less than or equal to the configured level or customized score, the request is intercepted. Otherwise, SSLi checks the other bypass criteria before making the decision; the request is not bypassed immediately.
NOTE: A client-ssl template can only have one entry of the exception-
web-reputation at a time.
Example The following example configures a web reputation exception for malicious URLs:
ACOS(config)# slb template client-ssl SSL_webreputationexception
ACOS(config-client ssl)# forward-proxy-bypass exception-web-reputation malicious
forward-proxy-bypass require-web-category
Description Enables Web Category Lookup Enforcement for both the web-category
and web-reputation based SSLi bypass policies under that template.
Web category lookup enforcement resolves the category and reputation
of the unknown (first request) URLs by pausing the data plane
connection. When the result is known and the URL is categorized or
reputed, the connection is resumed.
Default Disabled
Example The following example enables Web Category Lookup Enforcement for web-category based SSLi bypass policies under the BLUE client-ssl template.
ACOS(config)# slb template client-ssl BLUE
ACOS(config-client ssl)# forward-proxy-bypass web-category financial-services
ACOS(config-client ssl)# forward-proxy-bypass web-category health-and-medicine
ACOS(config-client ssl)# forward-proxy-bypass require-web-category
Example The following example enables Web Category Lookup Enforcement for web-reputation based SSLi bypass policies under the BLUE client-ssl template.
ACOS(config)# slb template client-ssl BLUE
ACOS(config-client ssl)# forward-proxy-bypass web-reputation financial-services
ACOS(config-client ssl)# forward-proxy-bypass require-web-category
forward-proxy-bypass starts-with
Description Configures SSLi bypass if the SNI string starts with the configured string.
Default None
Usage The following match options are used by the rules that you configure:
• Equals—Matches only if the value completely matches the specified string.
• Starts-with—Matches only if the value starts with the specified string.
• Contains—Matches if the specified string appears anywhere within the value.
• Ends-with—Matches only if the value ends with the specified string.
These match options are always applied in the order shown, regardless of the order in which the rules appear in the configuration. If a template has more than one rule with the same match option (equals, starts-with, contains, or ends-with) and a value matches on more than one of them, the most-specific match is always used.
forward-proxy-bypass web-category
Description Configures SSLi bypass based on URL Classification. When URLs are cat-
egorized, this information can be used to filter out unwanted content to
add an additional layer of security, or it can be used to determine which
URLs should bypass SSLi decryption in compliance with privacy laws.
Default None
Example The following example configures SSLi bypass for websites related to sports and real-estate:
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass web-category sports
ACOS(config-client ssl)# forward-proxy-bypass web-category real-estate
Example The following example configures SSLi bypass for websites related to child abuse material (CAM):
ACOS(config)# slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)# forward-proxy-bypass web-category illegal-pornography
ACOS(config-client ssl)# forward-proxy-bypass web-category nudity-artistic
forward-proxy-bypass web-reputation
Description Configures SSLi bypass decision making based on web URL reputation
scope.
Default None
Usage When the web-reputation score is greater than or equal to the configured level or customized score, the request is bypassed. Otherwise, SSLi checks the other intercept criteria before making the decision; the request is not intercepted immediately.
Example The following example configures web reputation bypass for trustworthy URLs:
ACOS(config)# slb template client-ssl SSL_webreputation
ACOS(config-client ssl)# forward-proxy-bypass web-reputation trustworthy
forward-proxy-ca-certificate
Description Configures the forward proxy CA-signed certificate, certificate key, and chain cert. Optionally sets a passphrase and binds a shared partition's certificate.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in the SSLi configurations.
forward-proxy-cache-persistence
Description Specifies an Aho-Corasick (AC) class-list of SNIs of forged certificates
that are to be retained in the cache when ACOS is rebooted or whenever
the ACOS forward-proxy process is restarted. If an SNI in the certificate
matches an entry in this class list, it is retained; otherwise, it is dropped.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.
Default If a persist class list is not bound to a client-SSL template, the cached
forged certificates do not persist.
forward-proxy-cert-cache
Description Configures forward proxy certificate cache options.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.
forward-proxy-cert-expiry
Description The number of hours that the forward proxy certificates will be valid.
Shortening the lifetime of the forged forward-proxy certs reduces the
security risk if any are stolen. From 1 to 168 hours can be specified.
If the expiry occurs after the validity end-date, then this command will
adjust the validity end date.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.
Default By default, the forged forward proxy certs have the same expiration as
the original certificates.
forward-proxy-cert-ext
Description Specify the certificate extension for a Certificate Revocation List Dis-
tribution Point (CRLDP) or an Authority Information Access extension for
Online Certificate Status Protocol (OCSP) or Certificate Authority (CA)
Issuer for certificate validation.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.
forward-proxy-cert-not-ready-action
Description Configures the action taken on the client connection if ACOS does not have the proxied cert ready.
Default By default, the SSL proxy session is bypassed when the proxied cert is not ready.
forward-proxy-cert-revoke-action
Description Configures the action of the client connection if OCSP or CRL verification
determines the certificate is irreversibly revoked.
Usage This command applies only to the certificates that are forged on the ACOS device for the interception of SSL sessions in SSLi configurations. The options available are bypassing SSL Proxy, continuing with the connection, dropping the connection, or blocking the connection with a customizable message to the user.
Example The following example configures an SSLi connection as blocked and displays a custom blocked message:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-cert-revoke-action block
forward-proxy-cert-unknown-action
Description Configures the action of the client connection if OCSP or CRL verification
determines the certificate status is ‘unknown.’
Usage This command applies only to the certs that are forged on the ACOS device for the interception of SSL sessions in SSLi configurations. The options available are bypassing SSL Proxy, continuing with the connection, or dropping the connection.
Example The following example configures an SSLi connection as blocked and displays a custom blocked message:
ACOS(config)# slb template client-ssl clientssl
forward-proxy-cert-validity
Description Specify the starting and ending certificate validation period in which the
certificate status and information will be maintained.
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.
Default None.
Example The following example shows how to add the starting validation time of November 1, 2005 for proxied certificates from the ACOS device.
ACOS(config)#slb template client-ssl SSL-Client
ACOS(config-client ssl)#forward-proxy-cert-validity not-before 1 11 2005
forward-proxy-crl-disable
Description Disable Certificate Revocation List (CRL) services for SSLi (forward-
proxy).
This command applies only to the certs that are forged on the ACOS
device for the interception of SSL sessions in SSLi configurations.
forward-proxy-decrypted
Description Sets the DSCP value for decrypted and bypassed traffic in SSLi configurations.
Default None.
Usage Use this command to set the DSCP value for encrypted and bypassed
traffic in an SSLi client template. If the service group has a template with
DSCP configured, this command takes precedence.
forward-proxy-esni-action
Description Specifies the action taken if an encrypted server name indication (ESNI) is received in the ClientHello extension.
This command applies only to SSLi configurations.
forward-proxy-failsafe-disable
Description Forward proxy (SSLi) failsafe allows SSLi traffic interception to be bypassed when there is a handshake failure. The most common handshake failures are due to servers that accept only elliptic-curve ciphers.
This command applies only to SSLi configurations.
Default This feature is enabled by default; use this command to disable SSLi
failsafe.
forward-proxy-inspect
Description Perform SSL Insight only if the traffic matches an entry in the specified class list and is not bypassed by any other matching criteria. Only Aho-Corasick class-lists are supported by this command.
The forward-proxy-inspect criteria are applied before any forward-proxy bypass matching criteria. If forward-proxy-inspect is not configured, all SSL sessions are inspected for the other bypass matching criteria.
This command applies only to SSLi configurations.
Parameter Description
Configuration
#sh run slb template client-ssl oym1
!Section configuration: 202 bytes
!
slb template client-ssl oym1
forward-proxy-ca-certificate ca1 key ca1
forward-proxy-enable
forward-proxy-bypass class-list b-class
forward-proxy-inspect class-list i-class
!
Selection Results
forward-proxy-inspect certificate-issuer
Description Configures SSLi inspect based on the class-list from a certificate issuer.
Parameter Description
Default None
Usage Use this command to enable SSLi inspect based on a class-list from a certificate issuer. To determine the Certificate Authority that issued your certificate, open the website in a browser and click on the certificate information.
forward-proxy-inspect certificate-san
Description Configures SSLi inspect based on the class-list from a certificate Subject
Alternative Name (SAN).
Parameter Description
Default None
Usage Use this command to enable SSLi inspect based on a class-list from a certificate SAN. A SAN can secure a number of fully qualified domain names with a single certificate: you can specify additional host names such as sites, IP addresses, common names, and so on, to be protected by a single SSL certificate.
forward-proxy-inspect certificate-subject
Description Configures SSLi inspect based on the class-list from a certificate subject.
Parameter Description
Default None
Usage Use this command to enable SSLi inspect based on the class-list from a
certificate subject.
forward-proxy-log-disable
Description Disable SSL forward proxy (SSLi) logging.
This command applies only to SSLi configurations.
Default SSLi logging is enabled by default; use this command to disable SSLi logging.
forward-proxy-no-shared-cipher-action
Description Specify the action taken if the handshake fails due to no shared cipher.
Parameter Description
Default drop
forward-proxy-no-sni-action
Description Specify the SSL forward proxy action in case of no SNI.
Parameter Description
Default Intercept
forward-proxy-ocsp-disable
Description Disable OCSP Stapling for SSL forward proxy (SSLi).
This command applies only to SSLi configurations.
forward-proxy-require-sni-cert-matched
Parameter Description
Default Disabled
Usage Use this command to require that the SNI in the ClientHello message match the subject CN/SANs in the server certificate, to prevent spoofing.
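The SNI-to-certificate comparison this command enforces is illustrated below with an added Python example. It is not ACOS code and the page does not state the matching rules ACOS uses; the example assumes RFC 6125 style hostname matching (case-insensitive, SAN dNSNames take precedence over the subject CN, a wildcard only as the whole left-most label covering exactly one label). Certificate names and SNI values are constructed samples.

```python
# Added example (not ACOS code): check a ClientHello SNI against the
# names in a server certificate, as the page's
# forward-proxy-require-sni-cert-matched command requires.
# Matching rules are assumed (RFC 6125 style), not taken from the page.


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname.

    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the whole left-most label;
    - '*' covers exactly one label, so '*.example.com' does not cover
      'example.com' or 'a.b.example.com';
    - a wildcard needs at least two labels after it ('*.com' is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                      # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False                      # '*.com' style wildcard
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False                      # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def certificate_names(subject_cn: str, san_dns_names: list) -> list:
    """Names a certificate is valid for. When SAN dNSName entries are
    present they are authoritative and the subject CN is ignored."""
    if san_dns_names:
        return list(san_dns_names)
    return [subject_cn] if subject_cn else []


def sni_matches_certificate(sni: str, subject_cn: str, san_dns_names: list) -> bool:
    """The check the template enforces: does the ClientHello SNI match the
    server certificate's subject CN/SANs?"""
    return any(hostname_matches(name, sni)
               for name in certificate_names(subject_cn, san_dns_names))


# Constructed sample: a certificate for example.com and its subdomains.
SAMPLE_CN = "www.example.com"
SAMPLE_SANS = ["www.example.com", "*.example.com", "example.com"]

if __name__ == "__main__":
    for sni in ["www.example.com", "mail.example.com", "a.b.example.com",
                "example.com", "www.other.test"]:
        ok = sni_matches_certificate(sni, SAMPLE_CN, SAMPLE_SANS)
        print(f"{sni:18s} -> {'match' if ok else 'MISMATCH'}")
```

The third sample, a.b.example.com, is the case worth remembering: a wildcard certificate for *.example.com does not cover it, so a template that requires an SNI/certificate match treats it as a mismatch.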
forward-proxy-selfsign-redir
Description With this option enabled, ACOS redirects traffic away from the self-signed site and to a warning page in which the client sees “The page you have tried to reach uses an untrusted certificate, please contact your administrator.”
This command applies only to SSLi configurations.
forward-proxy-source-nat
Description To provision the SSL-Client template for source NAT, enter this command with either the auto or pool pool-name option.
When a fetched SSL session is connected and the source NAT pool
option is configured, the ACOS device replaces the client source IP
address of forwarded SSLi traffic with an address from the specified
NAT pool.
• auto
When a fetched SSL session is connected and the source NAT auto
option is configured, the ACOS device replaces the client source IP
address of forwarded SSLi traffic with the address of the real server
that is forwarding traffic to the SSL server.
• precedence
Example The following example configures dynamic IP addresses for source NAT
in the SSL-Client template:
ACOS(config)# slb template client-ssl clientssl
ACOS(config-client ssl)# forward-proxy-source-nat auto
Example The following example configures static IP addresses for source NAT in
the SSL-Client template with precedence set for source NAT:
ACOS(config)# slb template client-ssl c-ssl2
ACOS(config-client ssl)# forward-proxy-source-nat pool p3 precedence
forward-proxy-ssl-version
Description Specify the version of SSL to be used with SSL Insight.
Parameter Description
31 SSL/TLS v1.0.
32 SSL/TLS v1.1.
34 SSL/TLS v1.3.
Default 33
forward-proxy-trusted-ca
Description File in PEM format listing all the trusted CA certificates. When server verification is configured using this list, the action is to drop client connections if the certificate of the outside server is not on the trusted list.
This command applies only to the CA certs that are proxied for on the ACOS device for the interception of SSL sessions in SSLi (that is, forward-proxy) configurations.
Parameter Description
forward-proxy-verify-cert-fail-action
Description Configure the action of the client connection if CRL verification of any certificate fails. The options available are bypassing SSL Proxy, continuing with the connection, or dropping the connection.
This command applies only to the certs that are forged on the ACOS device for the interception of SSL sessions in SSLi configurations.
Default By default, the client connection is dropped if CRL verification of any certificate in the chain is not successful.
handshake-logging-enable
Description Enable SSL handshake logging.
hsm-param
Description Specify HSM parameters.
Parameter Description
local-logging
Description Enables local logging.
Default Disabled
non-ssl-bypass
Description Specifies that non-SSL session traffic is redirected to the specified service group.
Parameter Description
ocsp-stapling
Description Configure OCSP Stapling support.
Parameter Description
Default is 1 hour.
Default is 30 minutes.
renegotiation-disable
Description Disable automatic TLS/SSL renegotiation.
ACOS allows renegotiation of SSL connections over previously secured channels to speed up the re-establishment of previous SSL connections with known clients. Disabling TLS/SSL renegotiation helps prevent vulnerabilities that may lead to SSL/TLS renegotiation man-in-the-middle attacks.
server-name
Description Configure Server Name Indication (SNI) in the client Hello extension.
A second certificate can be assigned to the server with the alternate
option. Two certificates assigned to a template must be of different types
(RSA, ECDSA). A major (first) certificate must be assigned before an
alternate (second) certificate is accepted by the template.
When the command includes a chain cert, the SNI SSL ctx is configured
with the cert and chain cert. When a default chain cert is defined for the
template, the default chain cert is used in place of the configured chain.
[no] server-name server-name cert cert-name [chain chain-name] key key-name [pass-phrase string] [alternate | partition shared]
Parameter Description
server-name-auto-map
Description Enables dynamic SNI extension support. When this option is enabled, SNI-based SSL context (ctx) creation is enabled. The SSL context is created based on the SNI in the client hello if a cert and key were previously imported to the device.
The no server-name-auto-map command disables dynamic SNI
extension support.
Parameter Description
Default Disabled
Usage When dynamic SNI extension support is enabled, a matching cert and key are required for the inbound client hello SNI contents. For example, for the SNI www.a10networks-black.com, the following files are required:
• Imported cert: www.a10networks-black.com.crt
• Imported key: www.a10networks-black.com.key
Example This example imports a cert and key file for www.a10networks-green.com, then enables dynamic SNI extension support.
ACOS(config)# import key www.a10networks-green.com.key scp://10.1.1.1/green.key
ACOS(config)# import cert www.a10networks-green.com.cert scp://10.1.1.1/green.cert
ACOS(config)# slb template client-ssl CLIENT-1
ACOS(config-client ssl)# server-name-auto-map
ACOS(config-client ssl)# exit
ACOS(config)# show run | sec slb template client-ssl
slb template client-ssl CLIENT-1
server-name-auto-map
ACOS(config)#
server-name-regex
Description Configure Server Name Indication (SNI) in the ClientHello extension with
regular expressions. The wildcard support includes the following regular
expression symbols:
^ $ . | * + [ {
When a new connection request is made from a client, the SNI from the TLS extension in the ClientHello is captured and first checked against the “server-name” configuration using the existing hash method. If no match is found, it is compared with the compiled regex strings configured by server-name-regex. When multiple server-name-regex entries match, the cert/key associated with the best match is used.
A second certificate can be assigned to the server with the alternate
option. Two certificates assigned to a template must be of different types
(RSA, ECDSA). A major (first) certificate must be assigned before an
alternate (second) certificate is accepted by the template.
When the command includes a chain cert, the SNI SSL ctx is configured
with the cert and chain cert. When a default chain cert is defined for the
template, the default chain cert is used in place of the configured chain.
Parameter Description
server-name-bypass
Description Enable SNI bypass.
This command is available only if one of the following commands is configured:
• server-name
• server-name-regex
• server-name-auto-map
Parameter Description
missing-cert Bypass the SSL traffic when the SNI does not match any of the configured server names.
expired-cert Bypass SSL traffic when the SNI matches one of the server names, but the certificate is expired.
Default Disabled
Usage Use this command when server-name is configured under the client-SSL template and you want to bypass SSL traffic in the following scenarios:
• Missing cert/key, i.e., the client SNI does not match any configured server name
• The client SNI matches one of the configured server-name entries, but the certificate is expired
• The client SNI matches the configured SNI bypass class-list
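The selection order described under server-name-regex (exact server-name hash lookup first, then the best-matching regex entry) and the three server-name-bypass scenarios listed above are put together in the following added Python example. It is not ACOS code: the template, its certificates and the class-list are constructed samples, "best match" is assumed to mean the regex entry with the longest matched text, and when bypass is not enabled for a reason the example only reports that no certificate is available, since the page does not describe what ACOS does in that case.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CertEntry:
    """A cert/key pair bound to a server name (names are constructed)."""
    cert_name: str
    key_name: str
    not_after: datetime          # certificate expiry, drives expired-cert


@dataclass
class ClientSslTemplate:
    # server-name entries: exact SNI -> cert/key, looked up by hash
    server_name: Dict[str, CertEntry] = field(default_factory=dict)
    # server-name-regex entries: (compiled pattern, cert/key), configured order
    server_name_regex: List[Tuple[re.Pattern, CertEntry]] = field(default_factory=list)
    # server-name-bypass missing-cert / expired-cert
    bypass_missing_cert: bool = False
    bypass_expired_cert: bool = False
    # SNI bypass class-list, modelled here as a plain set of names (assumption)
    bypass_class_list: Set[str] = field(default_factory=set)


def select_certificate(tpl: ClientSslTemplate, sni: str) -> Optional[CertEntry]:
    """Exact server-name match first; otherwise the regex entry with the
    longest matched text (assumed meaning of 'best match')."""
    sni = sni.lower()
    entry = tpl.server_name.get(sni)
    if entry is not None:
        return entry
    best, best_len = None, -1
    for pattern, candidate in tpl.server_name_regex:
        m = pattern.search(sni)
        if m and len(m.group(0)) > best_len:
            best, best_len = candidate, len(m.group(0))
    return best


def sni_decision(tpl: ClientSslTemplate, sni: str, now: datetime) -> Tuple[str, str]:
    """Decide what happens to a ClientHello carrying `sni`.

    Returns ('bypass', reason), ('terminate', cert_name) or ('no-cert', reason).
    The last case is what remains when bypass is not enabled for that
    reason; how ACOS handles it is not on the page, so it is only reported."""
    if sni.lower() in tpl.bypass_class_list:
        return ("bypass", "class-list")
    entry = select_certificate(tpl, sni)
    if entry is None:
        return ("bypass", "missing-cert") if tpl.bypass_missing_cert else ("no-cert", "missing-cert")
    if entry.not_after <= now:
        return ("bypass", "expired-cert") if tpl.bypass_expired_cert else ("no-cert", "expired-cert")
    return ("terminate", entry.cert_name)


def build_sample_template(now: datetime) -> ClientSslTemplate:
    """Constructed sample template: two exact names (one expired), two
    regex entries that overlap, and one class-list bypass name."""
    valid = now + timedelta(days=365)
    expired = now - timedelta(days=30)
    tpl = ClientSslTemplate(bypass_missing_cert=True, bypass_expired_cert=True)
    tpl.server_name["www.example.com"] = CertEntry("www-cert", "www-key", valid)
    tpl.server_name["old.example.com"] = CertEntry("old-cert", "old-key", expired)
    tpl.server_name_regex.append((re.compile(r"\.eu\.example\.com$"),
                                  CertEntry("eu-cert", "eu-key", valid)))
    tpl.server_name_regex.append((re.compile(r"example\.com$"),
                                  CertEntry("wild-cert", "wild-key", valid)))
    tpl.bypass_class_list.add("bank.example.net")
    return tpl


SAMPLE_NOW = datetime(2021, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    tpl = build_sample_template(SAMPLE_NOW)
    for sni in ["www.example.com", "api.eu.example.com", "shop.example.com",
                "old.example.com", "nobody.test", "bank.example.net"]:
        print(f"{sni:20s} -> {sni_decision(tpl, sni, SAMPLE_NOW)}")
```

Note that www.example.com also matches the second regex, but the exact server-name entry wins because the hash lookup runs first; api.eu.example.com matches both regex entries and gets eu-cert because its matched text is longer.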
session-cache-size
Parameter Description
session-cache-timeout
Description Sets the maximum number of seconds a cache entry can remain unused
before being removed from the cache. Cache entries age according to
the ticket age time. The age time is not reset when a cache entry is used.
Parameter Description
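The ageing rule above (an entry's age counts from insertion and is not reset by a lookup) is the detail that distinguishes this cache from a sliding-expiry cache. The following added Python example, which is not ACOS code, models a session-ID cache with that rule plus the entry cap of session-cache-size; timestamps are plain seconds supplied by the caller so the behaviour can be stepped through offline.

```python
from collections import OrderedDict
from typing import Any, Optional


class SessionCache:
    """Session-ID cache with absolute (ticket-age style) expiry.

    Each entry expires `timeout_seconds` after it was inserted, whether or
    not it was looked up in between. `max_entries` caps the cache and the
    oldest entry is evicted first. Modelled on the page's description;
    the eviction order is an assumption."""

    def __init__(self, max_entries: int, timeout_seconds: int):
        if max_entries <= 0 or timeout_seconds <= 0:
            raise ValueError("max_entries and timeout_seconds must be positive")
        self.max_entries = max_entries
        self.timeout = timeout_seconds
        self._entries: "OrderedDict[bytes, tuple]" = OrderedDict()  # id -> (inserted_at, data)

    def insert(self, session_id: bytes, session_data: Any, now: float) -> None:
        """Store a session; drops expired entries and enforces the size cap."""
        self.expire(now)
        if session_id in self._entries:
            del self._entries[session_id]
        while len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)      # evict the oldest entry
        self._entries[session_id] = (now, session_data)

    def lookup(self, session_id: bytes, now: float) -> Optional[Any]:
        """Return the session data, or None if absent or expired.
        The insertion time is deliberately left untouched: a hit does not
        extend the entry's lifetime."""
        item = self._entries.get(session_id)
        if item is None:
            return None
        inserted_at, data = item
        if now - inserted_at >= self.timeout:
            del self._entries[session_id]
            return None
        return data

    def expire(self, now: float) -> int:
        """Remove every entry older than the timeout; returns the count removed."""
        stale = [sid for sid, (t, _) in self._entries.items() if now - t >= self.timeout]
        for sid in stale:
            del self._entries[sid]
        return len(stale)

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed walk-through: 300 s timeout, two-entry cap.
    cache = SessionCache(max_entries=2, timeout_seconds=300)
    cache.insert(b"sess-1", {"cipher": "example"}, now=0)
    print("t=100 :", cache.lookup(b"sess-1", now=100))   # hit
    print("t=301 :", cache.lookup(b"sess-1", now=301))   # None: age 301 s despite the hit at t=100
```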
session-ticket-lifetime
Description Sets the lifetime for stateless SSL session ticketing. After a client’s SSL ticket expires, the client must complete an SSL handshake in order to set up the next secure session with ACOS.
NOTE: This option is only supported on vThunder systems, and is not supported on hardware A10 Thunder Series or AX Series devices.
Parameter Description
session-ticket-disable
Description Disables client side SSL session ticketing.
ssl-false-start-disable
Description Disables SSL False Start support, which is used by the Google Chrome browser.
NOTE: The following ciphers are not supported for SSL False Start in the
current release:
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_EXPORT1024_RC4_56_MD5
ssli-logging
Description Enables or disables SSLi logging for all SSLi events.
Parameter Description
Default By default, without this configuration, SSLi logging is enabled only for failure events.
sslv2-bypass
Description Redirects clients who request SSLv2 sessions to the specified service
group.
Parameter Description
template
Description Name of a cipher or HSM template to bind to client-SSL and server-SSL
templates. In this case, the settings in the cipher template override any
cipher settings in the client-SSL template.
Parameter Description
version
Description Specifies the security version and minimum allowable security version
that can be used when communicating with SSL clients.
In SSLi configurations, the security version from this template must
match the security version configured under the client-SSL template
through the forward-proxy-ssl-version command.
Parameter Description
Default 34
Example The following example configures TLS version 1.1 for use in SSL communication with the clients. Depending on the response received from each client, TLS version 1.0 may also be used.
ACOS(config)# slb template client-ssl SSL
ACOS(config-client ssl)# version 32 31
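How the two operands of version (highest version, then the minimum allowed on downgrade) decide whether a session is created is shown in the following added Python example. It is not ACOS code: the version codes 31, 32 and 34 are the ones listed for forward-proxy-ssl-version above, code 33 being TLS 1.2 is inferred from that sequence (the page shows it only as a default), and the negotiation itself is a simplified model that picks the highest version the client offers inside the configured range.

```python
# Version codes used by the page's version / forward-proxy-ssl-version
# commands. 31, 32 and 34 are listed on the page; 33 = TLS 1.2 is inferred
# from the sequence (the page shows it only as the default value).
VERSION_NAMES = {31: "SSL/TLS v1.0", 32: "SSL/TLS v1.1",
                 33: "SSL/TLS v1.2", 34: "SSL/TLS v1.3"}


def parse_version_command(operands):
    """Parse the operands of 'version <max> [<min>]' as the page's examples
    use them: the first number is the highest version offered, the optional
    second is the lowest version accepted on downgrade. A single operand
    means no downgrade (min == max). Raises ValueError on bad input."""
    if not 1 <= len(operands) <= 2:
        raise ValueError("version takes one or two operands")
    max_v = int(operands[0])
    min_v = int(operands[1]) if len(operands) == 2 else max_v
    for v in (max_v, min_v):
        if v not in VERSION_NAMES:
            raise ValueError(f"unknown version code {v}")
    if min_v > max_v:
        raise ValueError("minimum version must not exceed maximum version")
    return max_v, min_v


def negotiate(max_v, min_v, client_versions):
    """Return the highest version the client offers that falls inside
    [min_v, max_v], or None when no session can be created."""
    acceptable = [v for v in client_versions if min_v <= v <= max_v]
    return max(acceptable) if acceptable else None


def describe(operands, client_versions):
    """Human-readable outcome for one template setting and one client."""
    max_v, min_v = parse_version_command(operands)
    chosen = negotiate(max_v, min_v, client_versions)
    if chosen is None:
        return "no session: client offers nothing in the configured range"
    return VERSION_NAMES[chosen]


if __name__ == "__main__":
    # Constructed clients: an old one (1.0/1.1) and a modern one (1.2/1.3).
    old_client, new_client = {31, 32}, {33, 34}
    print("version 32 31, old client :", describe(["32", "31"], old_client))
    print("version 32 31, new client :", describe(["32", "31"], new_client))
    print("version 33,    old client :", describe(["33"], old_client))
    print("version 33,    new client :", describe(["33"], new_client))
```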
Example The following example disables downgrade; only TLS version 1.2 can be
used to communicate with clients. If the client is using a lower (less
secure) version of TLS, the session will not be created.
ACOS(config)# slb template client-ssl SSL
Chapter 6: Config Commands: SLB Server SSL
This section lists the commands and sub-commands to configure SLB Server-SSL templates.
Parameter Description
Default The configuration does not have a default server-side SSL template.
In the following example, an ACOS system is configured with two virtual servers, SSL_Internet_vip_001 and SSL_Internet_vip_003. Each of these virtual servers is configured with an HTTP virtual port, port 8080 http.
A different SSL-template and a different service group is applied to each virtual port.
The SSL-template, SSL_Internet_vip_001_server_ssl, and the service group, sg2, are applied to
port 8080 http on SSL_Internet_vip_001.
The SSL-template, SSL_Internet_vip_003_server_ssl, and the service group, sg1, are applied to
port 8080 http on SSL_Internet_vip_003.
The preceding configuration is supported when each service group specifies a different real
server. Service group sg1 specifies real server, rs1, and service group, sg2, specifies real
server, rs2:
However, the configuration in step 1 is not supported when both service groups specify the
same real server, rs1, as shown in the following:
ca-cert 282
certificate 282
cipher 284
close-notify 284
crl 285
dh-param 285
early-data 285
ec-name 286
enable-ssli-ftp-alg 286
forward-proxy-enable 287
handshake-logging-enable 287
ocsp-stapling 288
renegotiation-disable 288
server-certificate-error 288
server-name 289
session-cache-size 289
session-cache-timeout 290
session-ticket-enable 290
ssli-logging 291
use-client-sni 292
version 292
ca-cert
Description Specifies the name of a CA certificate. A server-SSL template can have
multiple CA-signed certificates.
You can add the CA certificates to the server-SSL template in either of
the following ways:
• As separate files (one for each certificate)
• As a single file containing multiple certificates
Parameter Description
Usage Note: If validation of the ca-cert fails, the connection to the server is
terminated.
certificate
Description Specifies the name of the certificate and key name pair with optional
pass-phrase setting, to use for terminating or initiating an SSL
Parameter Description
NOTE: If the chain-cert parameter is required, then make sure to configure it in the same line as the certificate and key.
cipher
Description Specifies the cipher suite to support for certificates from servers.
You can remove (or re-add) one cipher in the template with a single
command. Enter separate commands for each cipher to remove or re-
add.
Parameter Description
close-notify
Description Enables support for close notification (close_notify) alerts. When this option is enabled, the ACOS device sends a close_notify message when an SSL transaction ends, before sending a FIN. This behavior is required by certain types of applications, including PHP CGI. The close notification option may not work if connection reuse is also configured on the same virtual port. In this case, when the server sends a FIN to the ACOS device, the ACOS device will not send a FIN followed by a close notification. Instead, the ACOS device will send a RST.
NOTE: This command cannot be used along with the TCP-proxy template force-delete-timeout option. Doing so may cause unexpected behavior.
crl
Description Specifies the names of the Certificate Revocation Lists (CRLs) to use for
verifying whether server certificates have been revoked. The CRLs must
be installed on the ACOS device first. (Use the import command for more
details). The CA certificate relevant to the CRL must also be specified.
Parameter Description
dh-param
Description Specify Diffie-Hellman parameters.
early-data
Description Enable the early data (0-RTT) for SSL version TLSv1.3.
Syntax [no] early-data
Usage This allows the server to respond immediately by including the requested
data in the Server Hello or Finished message.
Example The following command configures early data for server-SSL template,
svr-0rtt-test:
ec-name
Description Specify elliptic curve name.
Default secp256r1
enable-ssli-ftp-alg
Description Enables FTP passive mode over TLS support for the specified port number. The port number value can be between 1 and 65535.
Default Disabled.
enable-tls-alert-logging fatal
Description Enables logging of TLS alerts that include the flow information such as
source IP address.
forward-proxy-enable
Description Enables SSL Insight support.
handshake-logging-enable
Description Enable SSL handshake logging.
ocsp-stapling
Description Enable OCSP stapling support.
renegotiation-disable
Description Disables TLS/SSL renegotiation.
server-certificate-error
Description Specifies the ACOS response if there is a server certificate error.
Parameter Description
server-name
Description Configure a user-defined server name to the server side of an SSL proxy
configuration.
Example The following example shows the server side template in an ACOS SSL
proxy configuration where the user-defined server name is passed
through to the SSL server:
ACOS(config)# slb template server-ssl test
ACOS(config-server ssl)# server-name www.test.com
ACOS(config-server ssl)# no server-name www.test.com
session-cache-size
Description Sets the maximum number of session-ID entries.
Parameter Description
session-cache-timeout
Description Sets the maximum number of seconds a cache entry can remain unused
before being removed from the cache.
Cache entries age according to the ticket age time. The age time is not
reset when a cache entry is used. After a client’s SSL ticket expires, they
must complete an SSL handshake in order to set up the next secure
session with ACOS.
Parameter Description
session-ticket-enable
Description Enables stateless SSL session ticketing features.
ssli-logging
Description Enables or disables SSLi logging for all SSLi events.
Parameter Description
Default By default, without this configuration, SSLi logging is enabled only for failure events.
template cipher
Description Name of a cipher template to bind to the server-SSL template. In this
case, the settings in the cipher template override any cipher settings in
the server-SSL template.
Parameter Description
Default Not set; the ciphers enabled in the server-SSL template are used.
use-client-sni
Description Pass the client domain name to the server side of an SSL proxy configuration.
Example The following example shows the server side template in an ACOS SSL
proxy configuration where the client domain name is passed through to
the SSL server:
ACOS(config)# slb template server-ssl sstmp1
ACOS(config-server ssl)# use-client-sni
version
Description Specify the security version.
Parameter Description
Default 34
Chapter 7: Config Commands: SLB Policy Templates
This section lists the commands and sub-commands to configure SLB policy templates.
Parameter Description
Default The configuration does not have a default SIP over UDP template.
Usage The normal form of this command creates a PBSLB template. The no form
of this command removes the template.
You can bind only one PBSLB template to a virtual port. However, you
can bind the same PBSLB template to multiple ports.
PBSLB configuration on a virtual port can be set either using a template or by configuring the individual settings on the port. Individual PBSLB settings and a PBSLB template cannot be configured on the same virtual port.
The ACOS device also allows policy templates to be applied at the virtual-server level. However, PBSLB does not take effect if you apply the policy template at the virtual-server level. Only class lists are supported at the virtual-server level. To use PBSLB, apply the policy template globally or on individual virtual ports.
ACOS(config-policy-class-list:example-cli...)# request-limit 10
ACOS(config-policy-class-list:example-cli...)# over-limit-action forward log
Example The following example configures a bandwidth limit per source IP, using
a policy template and class list.
bw-list id 299
class-list 303
forward-policy 305
bw-list id
Description Specifies the action to take for clients using a Black/White list ID.
Parameter Description
name Sends clients to the SLB service group with the specified name on the ACOS device.
bw-list name
Description Binds the specified Black/White list to the virtual ports that use this template.
Parameter Description
Example Bind the Black/White list “example-bw-list” to virtual ports using this template.
ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list name example-bw-list
bw-list over-limit
Description Specifies the action to take for traffic that is over the limit.
Parameter Description
Default Drop
Example When traffic goes over the limit, do not accept any new connections for
five minutes.
ACOS(config)# slb template policy p1
ACOS(config-policy)# bw-list over-limit lockup 5
bw-list timeout
Description Number of minutes dynamic Black/White-list client entries can remain
idle before aging out.
Parameter Description
Default 5 minutes
bw-list use-destination-ip
class-list
Description Create a class-list or geo-location class-list within the template.
Parameter Description
Command Description
forward-policy
Description Configure a forward policy of an slb policy template to specify permitted
traffic destinations and sources along with the actions to apply. Forward
policy is a required component when configuring an explicit HTTP proxy.
Command Description
action action-name Specify the action policy name. This command places you in
a sub-configuration mode, where the commands in Sub-
Commands in the forward-policy action Configuration Mode
are available.
• intercepted-sni-enable
• intercepted-http-disable
• no-sni-allow
• bypassed-san-disable
• intercepted-san-enable
• no-san-allow
[no] drop-response-code Specify the response code for the drop action. The code range is 100-599.
• snat snat-pool-name
• fallback fallback-sg
• snat fb-snat-pool-name
• snat snat-pool-name
• snat snat-pool-name
• bypass
• support-cert-fetch
• action action-name
• web-category-list web-category-list-name
• web-reputation-scope reputation-scope
• action action-name
• host | ip | url
• all
• hits
• destination-match-not-found
• no-host-info
Usage The forward policy action command defines actions that can be
taken, and is normally used in conjunction with forward-policy source
rules that link destination and matching rules for an slb template
policy.
forward-to-internet fw-sg is just a placeholder.
Example Configure the source list Any_Source to apply the Default_Deny action
for any requests that are not defined by a class-list or web-category-list
or web-reputation-scope.
ACOS(config-policy-forward-policy)# source Any_Source
ACOS(config-policy-forward-policy-source)# match-any
Example Configure the source s1 to match IPs from class-list Src-List and links
the destinations from class-list dest with rules to apply from the a1
action sub template, using a url check with a priority of 10.
ACOS(config)# slb template policy p1
ACOS(config-policy)# forward-policy
ACOS(config-policy-forward-policy)# source s1
ACOS(config-policy-forward-policy-source)# match-class-list Src-List
ACOS(config-policy-forward-policy-source)# destination class-list dest action a1 url priority 10
geo-location full-domain-tree
Description Checks current connection count for the client’s specific geo-location
and for all geo-locations higher up in the domain tree.
It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.
geo-location overlap
Description Enables overlap matching mode. If there are overlapping addresses in
the Black/White list or class list, use this option to enable the ACOS device
to find the most precise match.
Default Disabled
geo-location share
Description Enables sharing of PBSLB statistics counters for virtual servers and virtual ports that use the template. This option causes the following counters to be shared:
• Permit
• Deny
• Connection number
• Connection limit
It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.
Default Disabled
action 318
bw-rate-limit 320
conn-limit 320
conn-rate-limit 321
over-limit-action 322
request-limit 323
request-rate-limit 323
response-code-rate-limit 324
action
Description Specifies the ACOS behavior when a request matches the class list entry
for servers using the template.
Parameter Description
service-group grp-name The request is forwarded to the specified service group.
reset ACOS resets the connection (sends a TCP RST).
drop ACOS drops the request.
Example This example configures the device to forward matching requests to the service group group1 and create a log entry every 15 minutes.
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# action service-group group1 logging 15
ACOS(config-policy-class-list:clist1-lid:1)# end
bw-rate-limit
Description Configure the bandwidth rate limit for servers that use this template.
Example This example configures a bandwidth rate limit of 1,024,000 bytes per second (the limit period is 10 intervals of 100 ms):
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# bw-rate-limit 1024000 per 10
conn-limit
Description Specifies the maximum number of concurrent connections allowed
for a client.
conn-rate-limit
Description Specifies the maximum number of new connections allowed for a cli-
ent within the specified limit period.
Example This example allows 1,000,000 new connections per second (the limit period is 10 intervals of 100 ms):
ACOS(config)# slb template policy pol1
ACOS(config-policy)# class-list clist1
ACOS(config-policy-class-list:clist1)# lid 1
ACOS(config-policy-class-list:clist1-lid:1)# conn-rate-limit 1000000 per 10
over-limit-action
Description Specifies the action to take when a client exceeds one or more of the
limits. The command also configures lockout and enables logging.
request-limit
Description Specifies maximum number of concurrent Layer 7 requests allowed
for a client.
request-rate-limit
Description Specifies the maximum number of Layer 7 requests allowed for the
client within the specified limit period.
response-code-rate-limit
Description Configure a limit for the number of times a specified range of server
response codes is received in a specified period of time.
NOTE: This feature only works for SMTP virtual ports. See the example
below.
Example This example configures a policy template with a response code rate limit
and then applies the template to an SMTP virtual port. The response code
rate limit will be exceeded when there are:
Chapter 8: Config Commands: SLB Real Port Templates
This section lists the commands and sub-commands to configure SLB real port templates.
Before changing a default template, make sure the changes you plan to make are applicable to all real ports that use the template.
Usage The normal form of this command creates a real port template. The no
form of this command removes the template.
You can bind only one real port template to a real port. However, you can
bind the real port template to multiple real ports.
Some of the parameters that can be set using a template can also be set
or changed on the individual port.
• If a parameter is set (or changed from its default) in both a template
and on the individual port, the setting on the individual port takes pre-
cedence.
Example The following example configures a real port template named “common-rpsettings”, enables slow-start in the template, and binds the template to a real port:
ACOS(config)# slb template port common-rpsettings
ACOS(config-rport)# slow-start from 256
ACOS(config-rport)# exit
ACOS(config)# slb server rs1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# template port common-rpsettings
bw-rate-limit 330
conn-limit 331
conn-rate-limit 332
dampening-flaps 333
del-session-on-server-down 334
dest-nat 334
down-grace-period 334
dscp 335
dynamic-member-priority 336
extended-stats 337
health-check 337
health-check-disable 338
inband-health-check 338
no-ssl 340
request-rate-limit 341
slow-start 342
source-nat 343
stats-data-disable 343
stats-data-enable 344
weight 344
bw-rate-limit
Description Configure the bandwidth rate limit for ports that use this template.
conn-limit
Description Maximum number of connections allowed on the port using this tem-
plate.
Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output
and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.
conn-rate-limit
Description Limits the rate of new connections the ACOS device is allowed to send to
ports that use this template. When a port reaches its connection limit, the
ACOS device stops selecting the port for client requests.
Default By default this is not set; when enabled, the default sampling rate is per
1sec.
Usage If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.
dampening-flaps
Description Specifies parameters for taking a port or service group out of service when it reports flaps. A flap is a down status report followed by an up status report. When the template is bound to a port or service group and that entity reports more flaps than the configured maximum within the period specified by flap-period, the entity is forced down and remains out of rotation for the period specified by restore-svc-time.
Example This example configures the template to force a port down if it experiences more than 3 flaps within 20 seconds. The entity remains out of service for 40 seconds.
ACOS(config)# slb template port PORT1
ACOS(config-rport)# dampening-flaps 3 flap-period 20 restore-svc-time 40
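The same dampening logic, replayed over a constructed sequence of status reports, as an added Python model that is not ACOS code or part of the A10 documentation. It uses the values from the example above (3 flaps, 20 second period, 40 second restore time), counts a flap as a down report followed by an up report, and shows both a port that flaps rapidly enough to be forced down and one whose flaps are spread out enough to stay in rotation.

```python
"""Added example (not ACOS code): the flap-dampening behaviour described above,
modelled in Python. A flap is a down report followed by an up report; more than
`max_flaps` flaps within `flap_period` seconds forces the entity down for
`restore_svc_time` seconds. Event timings below are constructed."""
from collections import deque


class FlapDampener:
    def __init__(self, max_flaps: int, flap_period: int, restore_svc_time: int):
        self.max_flaps = max_flaps
        self.flap_period = flap_period
        self.restore_svc_time = restore_svc_time
        self.flap_times = deque()        # timestamps of recent down->up transitions
        self.last_status = "up"
        self.forced_down_until = None

    def report(self, t: int, status: str) -> str:
        """Feed one health status report ("up"/"down"); return the effective state."""
        if self.forced_down_until is not None:
            if t < self.forced_down_until:
                self.last_status = status
                return "dampened"           # out of rotation regardless of what it reports
            self.forced_down_until = None   # restore-svc-time elapsed
            self.flap_times.clear()
        if self.last_status == "down" and status == "up":
            self.flap_times.append(t)
            # Keep only flaps inside the sliding flap-period window.
            while self.flap_times and t - self.flap_times[0] > self.flap_period:
                self.flap_times.popleft()
            if len(self.flap_times) > self.max_flaps:
                self.forced_down_until = t + self.restore_svc_time
                self.last_status = status
                return "dampened"
        self.last_status = status
        return status


def run(events, max_flaps=3, flap_period=20, restore_svc_time=40):
    """Replay (time, status) events through a dampener built like the example above."""
    d = FlapDampener(max_flaps, flap_period, restore_svc_time)
    return [d.report(t, s) for t, s in events]


# Constructed: four flaps in eight seconds, then reports during and after the penalty.
RAPID_FLAPS = [(1, "down"), (2, "up"), (3, "down"), (4, "up"), (5, "down"), (6, "up"),
               (7, "down"), (8, "up"), (30, "up"), (50, "up")]
# Constructed: four flaps spread 25 s apart never exceed 3 within any 20 s window.
SPREAD_FLAPS = [(0, "down"), (1, "up"), (25, "down"), (26, "up"),
                (50, "down"), (51, "up"), (75, "down"), (76, "up")]
```

A dampened port keeps reporting up during the penalty and is still kept out of rotation; that is the intended behaviour, and also why restore-svc-time should be chosen with the remaining capacity of the service group in mind.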
del-session-on-server-down
Description Clears sessions on the port within 2 to 3 seconds if the session's server is disabled by an ACOS command or fails an ACOS health check at the service-group level.
If one or more real servers in a service group fail the health check and this option is enabled, ACOS clears the affected sessions.
Active sessions (those still receiving client-side packets) are cleared within 2 to 3 seconds. Idle sessions may continue to exist for more than a minute after the command is issued.
dest-nat
Description Enables destination Network Address Translation (NAT) on ports that use
this template.
Destination NAT is enabled by default, but is automatically disabled in
Direct Server Return (DSR) configurations. You can re-enable destination
NAT on individual ports for deployment of mixed DSR configurations,
which use backup servers across Layer 3 (in different subnets).
Default Disabled.
down-grace-period
Description Number of seconds the ACOS device will continue to forward packets to
a port that is down. This option is useful for taking servers down for
NOTE: The service group must contain 2 or more servers for this feature
to work.
dscp
Description Sets the differentiated services code point (DSCP) value in the IP header
of a client request before sending the request to ports that use this tem-
plate.
dscp 4
2. Configure a virtual-port template named vp1 that marks DSCP 6 on
outgoing packets.
port 80 http
source-nat pool s2
service-group sg-80-6
template virtual-port vp1
port 443 https
source-nat pool s2
service-group sg-443-6
template server-ssl s1
template client-ssl cl-ssl1
template virtual-port vp1
dynamic-member-priority
Description Configure service-group priority settings for ports on dynamically cre-
ated servers. When configuring the service group, add the port template
to the member.
Default 0
extended-stats
Description Enables collection of SLB peak connection statistics for the port.
Default Disabled.
health-check
Description Enables health monitoring of ports that use this template.
Usage If you omit this command or you enter it without the monitor-name
option, the default TCP or UDP health monitor is used:
• TCP—Every 30 seconds, the ACOS device sends a connection
request (TCP SYN) to the specified TCP port on the server. The port
passes the health check if the server replies to the ACOS device by
sending a TCP SYN ACK.
• UDP—Every 30 seconds, the ACOS device sends a packet with a
valid UDP header and a garbage payload to the UDP port. The port
passes the health check if the server either does not reply, or replies
with any type of packet except an ICMP Error message.
Example Create health monitor “hm-dad”, then enable health monitoring for ports using this template with “hm-dad” as the health monitor.
ACOS(config)# health monitor hm-dad
ACOS(config-health:monitor)# disable-after-down
ACOS(config-health:monitor)# exit
ACOS(config)# slb template port default
ACOS(config-rport)# health-check hm-dad
health-check-disable
Description Disable health checking for the port.
inband-health-check
Description Supplements the standard Layer 4 health checks by using client-server
traffic to check the health of service ports.
Parameter Description
max-reassigns Each real port has its own reassign counter. Each time the retry counter for any session is exceeded, the ACOS device increments the reassign counter for the server port. If the reassign counter exceeds the configured maximum number of reassignments allowed, the ACOS device marks the port down.
Default Disabled.
Usage It is recommended that you continue to use standard Layer 4 health mon-
itoring even if you enable in-band health monitoring. Without standard
health monitoring, a server port marked down by an in-band health
check remains down.
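The interaction between the per-session retry counter, the per-port reassign counter and the standard health monitor, as an added Python model that is not ACOS code or part of the A10 documentation. The per-session retry threshold is given the assumed name "retry" here (the text above refers only to "the retry counter"); the session names are constructed. The scenario shows how two misbehaving sessions are enough to take a port down with max-reassigns 1, and that without a standard health monitor the port never recovers.

```python
"""Added example (not ACOS code): a model of in-band health checking as
described above. Each session keeps a retry counter; when it is exceeded the
session is reassigned and the real port's reassign counter is incremented; once
that counter exceeds max-reassigns the port is marked down, and only a standard
(active) health monitor brings it back. The per-session retry threshold is a
named assumption here ("retry"); session names are constructed."""


class InbandHealth:
    def __init__(self, retry: int, max_reassigns: int, standard_health_monitor: bool):
        self.retry = retry                        # assumed name for the per-session retry threshold
        self.max_reassigns = max_reassigns
        self.standard_health_monitor = standard_health_monitor
        self.session_retries = {}                 # session -> consecutive unanswered attempts
        self.reassigns = 0                        # per real port
        self.state = "up"

    def unanswered(self, session: str) -> str:
        """One client attempt on `session` went unanswered by the server port."""
        if self.state == "down":
            return "down"
        n = self.session_retries.get(session, 0) + 1
        if n > self.retry:
            # Session retry counter exceeded: reassign the session, count it against the port.
            self.session_retries.pop(session, None)
            self.reassigns += 1
            if self.reassigns > self.max_reassigns:
                self.state = "down"
                return "down"
            return "reassigned"
        self.session_retries[session] = n
        return "retry"

    def answered(self, session: str) -> None:
        """A server reply resets that session's retry counter."""
        self.session_retries.pop(session, None)

    def standard_health_check_passed(self) -> str:
        """Only an active (standard) health monitor returns a port that in-band checks marked down."""
        if self.state == "down" and self.standard_health_monitor:
            self.state = "up"
            self.reassigns = 0
        return self.state


def scenario(standard_health_monitor: bool):
    """retry 2, max-reassigns 1: two sessions each failing three times take the port down."""
    hc = InbandHealth(retry=2, max_reassigns=1, standard_health_monitor=standard_health_monitor)
    out = [hc.unanswered("sess-A") for _ in range(3)]     # retry, retry, reassigned
    out += [hc.unanswered("sess-B") for _ in range(3)]    # retry, retry, down
    out.append(hc.unanswered("sess-C"))                   # port already down
    out.append(hc.standard_health_check_passed())         # up with a standard monitor, else stays down
    return out
```

Because in-band checks are driven by client traffic, a low max-reassigns value lets a handful of clients with broken connectivity (or a deliberately unresponsive client) mark a healthy port down; the standard health monitor is the independent signal that limits how long that lasts.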
no-ssl
Description Disables SSL for server-side connections. This command is useful if a server-SSL template is bound to the virtual port that uses this real port and you want to disable encryption on this real port.
Using the double-negative form of the command (no no-ssl) re-enables SSL for server-side connections.
request-rate-limit
Description Limits the number of new requests that can be received by the port.
slow-start
Description Provides time for real ports that use the template to ramp-up after
TCP/UDP service is enabled, by temporarily limiting the number of new
connections on the ports.
Example Configure ramp-up for ports; 128 connections to start, increase every 15
seconds, until 4096 connections are reached.
ACOS(config)# slb template port default
ACOS(config-rport)# slow-start from 128 every 15 till 4096
source-nat
Description Specifies the IP NAT pool to use for assigning source IP addresses to cli-
ent traffic sent to ports using this template. When the ACOS device per-
forms NAT for a port that is bound to the template, the device selects an
IP address from the pool.
stats-data-disable
Description Disables statistical data collection for ports that use this template.
stats-data-enable
Description Enables statistical data collection for ports that use this template.
weight
Description Specifies the load-balancing preference for ports that use this template.
A higher weight gives preference to the server and port relative to other
servers and ports.
This option applies only to the service-weighted-least-connection
load-balancing method. This option does not apply to the weighted-
least-connection or weighted-round-robin load-balancing methods.
Default 1
Chapter 9: Config Commands: SLB REQMOD ICAP Templates
This section lists the commands and sub-commands to configure SLB Request Modification (REQMOD) mode Internet Content Adaptation Protocol (ICAP) templates.
Default ACOS does not have a default SLB REQMOD ICAP template.
Usage See the “Redirection of SSLi Sessions to ICAP Servers” section of the SSL
Insight Configuration Guide for an overview of ICAP and usage
guidelines.
Example The following example creates a REQMOD ICAP template with the
name REQMOD_abcd, and then binds it to the HTTP vPort of a wild-
card SLB virtual server.
ACOS(config)# slb server ICAP_server_1 10.1.26.11
ACOS(config-real server)# port 1344 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group SG_ICAP tcp
ACOS(config-slb svc group)# member ICAP_server_1 1344
ACOS(config-slb svc group-member:1344)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template reqmod-icap REQMOD_abcd
ACOS(config-reqmod-icap)# service-group SG_ICAP
ACOS(config-reqmod-icap)# service-url icap://abcd.com/reqmod_abcd
ACOS(config-reqmod-icap)# exit
allowed-http-methods 348
disable-http-server-reset 349
fail-close 350
include-protocol-in-uri 350
log-only-allowed-method 350
min-payload-size 351
preview 351
service-group 352
service-url 352
template 353
allowed-http-methods
Description List of allowed HTTP methods.
The allowed methods that can be specified are GET, POST, HEAD, PUT,
OPTIONS, TRACE, DELETE, PURGE, PROPFIND, PROPPATCH, MKCOL,
COPY, MOVE, LOCK, UNLOCK.
Default If no methods are specified, the default is to allow all HTTP methods.
Example Use the no form of the command to return to the default, in which all HTTP methods are allowed. The following example removes the restriction of the previous example, which allowed only MKCOL and GET, and returns to the default:
Example If a method you enter is not recognized or not allowed, ACOS rejects the command with an error message listing all supported methods:
ACOS(config-reqmod-icap)# allowed-http-methods ALL
Unsupported HTTP method in list, Supported methods are: GET
POST HEAD PUT OPTIONS TRACE DELETE PURGE PROPFIND PROPPATCH
MKCOL COPY MOVE LOCK UNLOCK
disable-http-server-reset
Description Prevents the HTTP server from resetting.
Default Enabled
fail-close
Description Mark the virtual port down when the template service group is down.
include-protocol-in-uri
Description Include the protocol and port in the HTTP URI sent to the ICAP server.
log-only-allowed-method
Description Configures the device to print ICAP logs only for HTTP requests sent to the ICAP server whose method is designated as allowed by the allowed-http-methods command. Logs are printed for requests the device forwards to ICAP and for responses it receives from ICAP.
When this option is not enabled, logs are printed for all HTTP requests sent to ICAP. By default, this option is not enabled.
min-payload-size
Description Set the minimum payload size sent to the ICAP server.
Default 4096
preview
Description Specifies the number of bytes that ACOS forwards to the ICAP server at
the beginning of a transaction.
If you do not configure a preview value, the ACOS device uses the
preview value obtained from the ICAP server.
Default 32768
Usage If you enter the default value of the command or use the no form of the
command to remove the setting (no preview num), ACOS uses the pre-
view value obtained from the ICAP server. See RFC 3507 for further
information.
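What allowed-http-methods, include-protocol-in-uri and preview change on the wire is shown below by building an RFC 3507 REQMOD request in Python. This is an added example, not ACOS or A10 code: it reproduces the CLI's method validation against the supported-method list above, switches the encapsulated request target between origin-form and absolute-form (protocol and port included), and emits the preview chunks with the "0; ieof" terminator when the whole body fits in the preview. The ICAP service URL is the one from the chapter example; the HTTP request and hostnames are constructed.

```python
"""Added example (not ACOS or A10 code): building an RFC 3507 REQMOD request the
way the template options above describe it: allowed-http-methods validation,
include-protocol-in-uri (absolute-form request target) and preview with the
"0; ieof" terminator when the whole body fits in the preview. The ICAP service
URL is the one from the chapter example; the HTTP request is constructed."""
from urllib.parse import urlparse

SUPPORTED_METHODS = ("GET", "POST", "HEAD", "PUT", "OPTIONS", "TRACE", "DELETE", "PURGE",
                     "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK")


def allowed_http_methods(*methods):
    """Validate a method list as the CLI does; an empty list means all methods are allowed."""
    upper = tuple(m.upper() for m in methods)
    if any(m not in SUPPORTED_METHODS for m in upper):
        raise ValueError("Unsupported HTTP method in list, Supported methods are: "
                         + " ".join(SUPPORTED_METHODS))
    return upper


def cli_check(*methods):
    """What the CLI would print: None on success, otherwise the error line."""
    try:
        allowed_http_methods(*methods)
        return None
    except ValueError as exc:
        return str(exc)


def method_allowed(method, allowed):
    return not allowed or method.upper() in allowed


def _chunk(data: bytes) -> bytes:
    return b"" if not data else f"{len(data):x}\r\n".encode() + data + b"\r\n"


def build_reqmod(service_url, method, host, path, body=b"", preview=None,
                 include_protocol_in_uri=False, scheme="http", port=80, headers=()):
    """Return the ICAP REQMOD message (headers, encapsulated HTTP request, preview chunks)."""
    target = f"{scheme}://{host}:{port}{path}" if include_protocol_in_uri else path
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"] + [f"{k}: {v}" for k, v in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    req_hdr = ("\r\n".join(lines) + "\r\n\r\n").encode()

    icap = [f"REQMOD {service_url} ICAP/1.0", f"Host: {urlparse(service_url).hostname}", "Allow: 204"]
    if body:
        icap.append(f"Encapsulated: req-hdr=0, req-body={len(req_hdr)}")   # offsets per RFC 3507 4.4.1
    else:
        icap.append(f"Encapsulated: req-hdr=0, null-body={len(req_hdr)}")
    payload = b""
    if body and preview is not None:
        icap.append(f"Preview: {preview}")
        head, rest = body[:preview], body[preview:]
        # Whole body inside the preview: "0; ieof" tells the server nothing more follows (RFC 3507 4.5).
        payload = _chunk(head) + (b"0\r\n\r\n" if rest else b"0; ieof\r\n\r\n")
    elif body:
        payload = _chunk(body) + b"0\r\n\r\n"
    return ("\r\n".join(icap) + "\r\n\r\n").encode() + req_hdr + payload


def continue_after_preview(body: bytes, preview: int) -> bytes:
    """Bytes sent after the server answers the preview with '100 Continue'."""
    return _chunk(body[preview:]) + b"0\r\n\r\n"


def encapsulated_offsets(msg: bytes) -> dict:
    """Parse the Encapsulated header back into a dict, to check the offsets we emitted."""
    header_block = msg.split(b"\r\n\r\n", 1)[0].decode()
    for line in header_block.split("\r\n"):
        if line.lower().startswith("encapsulated:"):
            return {k.strip(): int(v) for k, v in
                    (part.split("=") for part in line.split(":", 1)[1].split(","))}
    return {}
```

Two practical points follow from the wire format: a server that returns 204 to the preview never sees the rest of the body, so a preview that is too small lets content past the scanner, and with include-protocol-in-uri the ICAP server learns the original scheme and port, which matters when the same path is served on both HTTP and HTTPS.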
service-group
Description Specify the names of the ICAP service groups.
service-url
Description Specify the URLs of the ICAP servers.
template
Description Apply an ACOS template to this ICAP template.
Chapter 10: Config Commands: SLB RESPMOD ICAP Templates
This section lists the commands and sub-commands to configure SLB Response Modification
Mode (RESPMOD) ICAP templates.
Default ACOS does not have a default SLB RESPMOD ICAP template.
Usage See the “Redirection of SSLi Sessions to ICAP Servers” section of the SSL
Insight Configuration Guide for an overview of ICAP and usage
guidelines.
Example The following example creates a RESPMOD ICAP template with the
name RESPMOD_abcd, and then binds it to the HTTP vPort of a wild-
card SLB virtual server.
ACOS(config)# slb server ICAP_server_1 10.1.26.11
ACOS(config-real server)# port 1344 tcp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group SG_ICAP tcp
ACOS(config-slb svc group)# member ICAP_server_1 1344
ACOS(config-slb svc group-member:1344)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# slb template respmod-icap RESPMOD_abcd
ACOS(config-respmod-icap)# service-group SG_ICAP
ACOS(config-respmod-icap)# service-url icap://abcd.com/respmod_abcd
ACOS(config-respmod-icap)# exit
disable-http-server-reset 358
fail-close 358
include-protocol-in-uri 359
log-only-allowed-method 359
min-payload-size 359
preview 360
service-group 360
service-url 361
template 361
disable-http-server-reset
Description Prevents the HTTP server from resetting.
Default Enabled
fail-close
Description Mark the virtual port down when the template service group is down.
include-protocol-in-uri
Description Include the protocol and port in the HTTP URI sent to the ICAP server.
log-only-allowed-method
Description Configures the device to print ICAP logs only for HTTP requests sent to the ICAP server whose method is designated as allowed by the allowed-http-methods command. Logs are printed for requests the device forwards to ICAP and for responses it receives from ICAP.
When this option is not enabled, logs are printed for all HTTP requests sent to ICAP. By default, this option is not enabled.
min-payload-size
Description Set the minimum payload size.
Default 4096
preview
Description Specifies the number of bytes of the RESPMOD message that ACOS forwards to the ICAP server as a preview at the beginning of a transaction.
If you do not configure a preview value, the ACOS device uses the
preview value obtained from the ICAP server.
Default 32768
service-group
Description Specify the names of the ICAP service groups.
service-url
Description Specify the URLs of the ICAP servers.
template
Description Apply an ACOS template to this ICAP template.
Chapter 11: Config Commands: SLB Server Templates
This section lists the commands and sub-commands to configure SLB server templates.
Before changing a default template, make sure the changes you plan to make are applicable to all real servers that use the template.
Usage The normal form of this command creates a real server template. The no
form of this command removes the template.
You can bind only one real server template to a real server. However, you
can bind the real server template to multiple real servers.
Some of the parameters that can be set using a template can also be set
or changed on the individual server.
• If a parameter is set (or changed from its default) in both a template
and on the individual server, the setting on the individual server
takes precedence.
• If a parameter is set (or changed from its default) in a template but is
not set or changed from its default on the individual server, the set-
ting in the template takes precedence.
Example The following commands configure a real server template called “rs-tmplt1” and bind the template to two real servers:
ACOS(config)# slb template server rs-tmplt1
ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
ACOS(config-rserver)# exit
ACOS(config)# slb server rs1 10.1.1.99
ACOS(config-real server)# template server rs-tmplt1
ACOS(config-real server)# exit
ACOS(config)# slb server rs2 10.1.1.100
ACOS(config-real server)# template server rs-tmplt1
bw-rate-limit 366
bw-rate-limit-acct 367
conn-limit 368
conn-rate-limit 368
dns-query-interval 369
dynamic-server-prefix 370
extended-stats 370
health-check 370
health-check-disable 371
log-selection-failure 371
max-dynamic-server 371
min-ttl-ratio 372
slow-start 372
spoofing-cache 374
stats-data-enable 374
stats-data-disable 375
weight 375
bw-rate-limit
Description Configure the bandwidth rate limit for servers that use this template.
bw-rate-limit-acct
Description Configure the bandwidth rate limit accounting for servers that use this
template.
conn-limit
Description Maximum number of connections allowed on real servers using this tem-
plate.
Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output
and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.
conn-rate-limit
Description Limits the rate of new connections the ACOS device is allowed to send to
servers that use this template. When a real server reaches its connection
limit, the ACOS device stops selecting the server for client requests.
Default By default this is not set; when enabled, the default sampling rate is per
1sec.
Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output
and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.
dns-query-interval
Description Specifies how often the ACOS device sends DNS queries for the IP
addresses of dynamic real servers.
Default 10 minutes
dynamic-server-prefix
Description Specifies the prefix added to the front of dynamically created servers.
extended-stats
Description Enables collection of peak connection statistics for a server.
health-check
Description Enables health monitoring of servers that use this template.
Usage If this command is not used, or is used without a specific monitor name,
the default ICMP health monitor is used; a ping is sent every 30 seconds.
If the ping fails 2 times consecutively, the ACOS device sets the server
state to DOWN.
health-check-disable
Description Disables health monitoring of servers that use this template.
log-selection-failure
Description Enables real-time logging for server-selection failures.
max-dynamic-server
Description Maximum number of dynamic real servers that can be created for a given
hostname.
Default 255
min-ttl-ratio
Description Minimum initial value for the TTL of dynamic real servers. The ACOS
device multiplies this value by the DNS query interval to calculate the min-
imum TTL value to assign to the dynamically created server.
Default 2
Example Configure a DNS query interval of 30 minutes and a minimum TTL ratio of 3; this sets the minimum TTL of dynamic real servers to 90 minutes:
ACOS(config)# slb template server default
ACOS(config-rserver)# dns-query-interval 30
ACOS(config-rserver)# min-ttl-ratio 3
slow-start
Description Provides time for real ports that use the template to ramp-up after
TCP/UDP service is enabled, by temporarily limiting the number of new
connections on the ports.
The default is 2.
Usage If a normal runtime connection limit is also configured on the server (for
example, by the conn-limit command), and the normal connection limit
is smaller than the slow-start ending connection limit, the ACOS device
limits slow-start connections to the maximum allowed by the normal con-
nection limit.
spoofing-cache
Description Enables support for a spoofing cache server. A spoofing cache server
uses the client’s IP address instead of its own as the source address
when obtaining content requested by the client.
Default Disabled.
stats-data-enable
Description Enable statistical data collection for servers that use this template.
Syntax stats-data-enable
stats-data-disable
Description Disable statistical data collection for servers that use this template.
Syntax stats-data-disable
weight
Description Assigns an administrative weight to the server, for weighted load bal-
ancing.
Default 1
Chapter 12: Config Commands: SLB SIP Templates
This chapter describes the commands and subcommands for configuring SLB Session Initiation Protocol (SIP) templates.
This command enters SLB SIP (over UDP) template configuration mode for the specified SIP (over UDP) template.
Default The configuration does not have a default SIP over UDP template.
Usage The normal form of this command creates a SIP configuration template.
The no form of this command removes the template.
You can bind only one SIP template to a virtual port. However, you can
bind the same SIP template to multiple ports.
The header-erase and header-insert options apply to both traffic
directions, client-to-server and server-to-client traffic.
Default The configuration does not have a default SIP over TCP/TLS template.
Usage The normal form of this command creates a SIP configuration template.
The no form of this command removes the template.
You can bind only one SIP template to a virtual port. However, you can
bind the same SIP template to multiple ports.
To access these commands at the SLB SIP Over UDP template level, enter the slb template sip
(over UDP) command.
alg-dest-nat 380
alg-source-nat 381
call-id-persist-disable 381
dialog-aware 385
exclude-translation 385
insert-client-ip 385
keep-server-ip-if-match-acl 386
timeout 390
alg-dest-nat
Description Translates the VIP address into the real server IP address in SIP messages, when destination NAT is used.
alg-source-nat
Description Translates the source IP address into the NAT IP address in SIP messages, when source NAT is used.
ALG support status does not affect IP layer address translation. IP layer
address translation is still performed, if applicable, even when ALG
support is disabled.
call-id-persist-disable
Description Disables call-ID persistence.
client-request-header erase
Description Erases the specified header.
client-request-header insert
Description Inserts the specified header into requests.
Examples:
client-request-header insert Max-Forwards:15
client-request-header insert "Max-Forwards: 15"
client-response-header erase
Description Erases the specified header.
client-response-header insert
Description Inserts the specified header into responses.
Examples:
client-response-header insert Max-Forwards:15
client-response-header insert "Max-Forwards: 15"
dialog-aware
Description Enables multiple active client instance support with the same end-user
login.
exclude-translation
Description Disables translation of the virtual IP address and virtual port in specific
portions of SIP messages.
Default Not set; the ACOS device does not translate addresses in any header
except the top Via header.
Example Do not translate virtual IP addresses and virtual ports in the message
body:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# exclude-translation body
insert-client-ip
keep-server-ip-if-match-acl
Description Disables reverse NAT based on the IP addresses in an extended ACL. This
command is useful in cases where a SIP server needs to reach another
server, and the traffic must pass through the ACOS device.
registrar service-group
Description Specifies the name of a service group of SIP Registrar servers.
server-request-header erase
Description Erases the specified header.
server-request-header insert
Description Inserts the specified header into requests.
Examples:
server-request-header insert Max-Forwards:15
server-request-header insert "Max-Forwards: 15"
server-response-header erase
Description Erases the specified header.
server-response-header insert
Description Inserts the specified header into responses.
Examples:
server-response-header insert Max-Forwards:15
server-response-header insert "Max-Forwards: 15"
timeout
Description Specifies the number of minutes a SIP session can remain idle before the
ACOS device terminates the session.
Default 30 minutes
To access commands at the SLB SIP Over TCP/TLS template level, enter the slb template sip
(over TCP/TLS) command.
alg-dest-nat 392
alg-source-nat 392
call-id-persist-disable 392
client-keepalive 393
dialog-aware 396
exclude-translation 396
failed-client-selection 397
failed-server-selection 398
insert-client-ip 398
server-keep-alive 399
server-selection-per-request 402
smp-call-id-rtp-session 403
timeout 404
alg-dest-nat
Description Enables SIP ALG support for the destination IP address.
alg-source-nat
Description Enables SIP ALG support for the source IP address.
ALG support status does not affect IP layer address translation. IP layer
address translation is still performed, if applicable, even when ALG
support is disabled.
call-id-persist-disable
Description Disables call-ID persistence.
ACOS(config-sip)# call-id-persist-disable
client-keepalive
Description Enables the ACOS device to respond to SIP pings from clients on behalf
of SIP servers. When this option is enabled, the ACOS device responds to
a SIP ping from a client with a “pong”. This option is disabled by default.
If connection reuse is configured, even if client keepalive is disabled, the
ACOS device will respond to a client SIP ping with a pong.
client-request-header erase
Description Erases the specified header.
client-request-header insert
Description Inserts the specified header into requests.
Examples:
client-request-header insert Max-Forwards:15
client-request-header insert "Max-Forwards: 15"
client-response-header erase
Description Erases the specified header.
client-response-header insert
Description Inserts the specified header into responses.
Examples:
client-response-header insert Max-Forwards:15
client-response-header insert "Max-Forwards: 15"
dialog-aware
Description Enables multiple active client instance support with the same end-user
login.
exclude-translation
Description Disables translation of the virtual IP address and virtual port in specific
portions of SIP messages.
Default Not set; the ACOS device does not translate addresses in any header
except the top Via header.
Example Do not translate virtual IP addresses and virtual ports in the message
body:
ACOS(config)# slb template sip sip-tmp1
ACOS(config-sip)# exclude-translation body
failed-client-selection
Description Specifies the response when selection of a SIP client fails.
This option is applicable only if the configuration includes a connection-reuse template.
Default Not set; the ACOS device resets the connection when selection of a SIP server fails.
failed-server-selection
Description Specifies the response when selection of a SIP server fails.
Default Not set; the ACOS device resets the connection when selection of a SIP server fails.
insert-client-ip
Description Inserts an “X-Forwarded-For: IP-address:port” header into SIP packets
from the client to the SIP server. The header contains the client IP
address and source protocol port number. The ACOS device uses the
header to identify the client when forwarding a server reply.
server-keep-alive
Description For configurations that use a connection-reuse template, this option specifies how often the ACOS device sends a SIP ping on each persistent
connection. The ACOS device silently drops the server’s reply. If the
server does not reply to a SIP ping within the connection-reuse timeout,
the ACOS device closes the persistent connection.
The connection-reuse timeout is configured by the timeout command at
the configuration level for the connection-reuse template. For more
information, see slb template connection-reuse.
server-request-header erase
Description Erases the specified header.
server-request-header insert
Description Inserts the specified header into requests.
Examples:
server-request-header insert Max-Forwards:15
server-request-header insert "Max-Forwards: 15"
server-response-header erase
Description Erases the specified header.
server-response-header insert
Description Inserts the specified header into responses.
Examples:
server-response-header insert Max-Forwards:15
server-response-header insert "Max-Forwards: 15"
server-selection-per-request
Description Forces the ACOS device to perform the server selection process anew for
every SIP request. Without this option, the ACOS device reselects the
same server for subsequent requests (assuming the same server group
is used), unless overridden by other template options. This option applies
to SIP-TCP and SIPS virtual ports. The option is unnecessary for SIP over
UDP. Strict transaction switching is automatically used for SIP over UDP.
smp-call-id-rtp-session
Description Creates a cross-CPU call-ID RTP session.
This feature enables your ACOS device to monitor RTP and SIP traffic.
This command creates a cross-CPU RTP session which can be matched
by RTP traffic.
Use this command with rtp-sip-call-id-match to configure this feature.
service-group winms
template sip test
!
timeout
Description Specifies the number of minutes a SIP session can remain idle before the
ACOS device terminates the session.
Default 30 minutes
Chapter 13: Config Commands: SLB SMPP Templates
This section lists the commands and sub-commands to configure SLB Short Message Peer-to-Peer (SMPP) templates.
Usage The normal form of this command creates an SMPP template. The no
form of this command removes the template.
client-enquire-link 407
server-enquire-link 407
server-selection-per-request 408
user 408
client-enquire-link
Description When enabled, ACOS replies to clients directly with an ENQUIRE_LINK
message. The ENQUIRE_LINK message prevents the client connection
from timing out and serves the same purpose as a keepalive message.
server-enquire-link
Description Prevents reusable connections to the SMPP server from aging out. When
this option is enabled, ACOS regularly sends an ENQUIRE_LINK message
to the SMPP server to maintain the client-to-server connection.
Default 30 seconds.
server-selection-per-request
Description Forces ACOS to perform the server selection process for each SMPP request. Without this option, the ACOS device selects the same server for subsequent requests, assuming the same server group is used, unless overridden by other template options.
This command works only in conjunction with a connection-reuse
template. In addition, this command requires that a username-password
pair is configured in the SMPP template, so that ACOS can immediately
authenticate SMPP clients for every instance of server selection.
user
Description Sets a username and password which the ACOS device uses to authenticate SMPP clients.
If you configure a user and password, you must configure the same
username-password pair for all SMPP clients and servers. Otherwise, the
ACOS device will never open a TCP connection between the clients and
servers.
Chapter 14: Config Commands: SLB SMTP Templates
This section lists the commands and sub-commands to configure SLB Simple Mail Transfer
Protocol (SMTP) templates.
Usage The normal form of this command creates an SMTP template. The no form
of this command removes the template.
You can bind only one SMTP template to a virtual port. However, you can
bind the same SMTP template to multiple ports.
client-domain-switching
Description Selects a service group based on the domain of the client. You can specify all or part of the client domain name. This command is applicable
when you have multiple SMTP service groups.
Default Not set; all client domains match, and any service group can be used.
Usage The starts-with, contains, and ends-with options are always applied
in the following order, regardless of the order in which the commands
appear in the configuration. The service group for the first match is used.
• starts-with
• contains
• ends-with
If a template has more than one command with the same option
(starts-with, contains, or ends-with) and a client domain matches on
more than one of them, the most-specific match is always used.
If a contains rule and an ends-with rule match on exactly the same
string, the ends-with rule is used, because it has the more specific
match. Here is an example of a set of client-domain-switching rules in an
SMTP template. The numbers to the right indicate the precedence of the
rules when matching on client domain name “localhost”. In this case, the
last rule is the best match and will be used.
client-domain-switching contains localhost service-group sg-a (4)
client-domain-switching contains local service-group sg-b (5)
client-domain-switching ends-with host service-group sg-c (6)
client-domain-switching ends-with localhost service-group sg-d (3)
client-domain-switching starts-with local service-group sg-e (2)
client-domain-switching starts-with localhost service-group sg-f (1)
Example This example directs clients to service group “smtp-sg1” if their domain
contains the string “hq”:
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# client-domain-switching contains hq service-group smtp-sg1
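A worked implementation of the client-domain-switching precedence described above, added here as an example for this reference (it is not ACOS code). It reads the page's rules as: starts-with, then contains, then ends-with; the longest string wins within one option; and an ends-with rule is used in place of a contains rule carrying exactly the same string. The six template lines and the domain "localhost" are the page's own; the "hq" rule from the Example is also checked.

```python
"""Resolve SMTP client-domain-switching rules in the order this page describes.

Added example, not A10/ACOS code. Matching model as read from the page:
  1. starts-with rules, then contains rules, then ends-with rules;
  2. within one option, the most specific (longest) string wins;
  3. an ends-with rule whose string equals a contains rule's string is the
     more specific match and is used in place of that contains rule.
"""
from dataclasses import dataclass

OPTION_ORDER = {"starts-with": 0, "contains": 1, "ends-with": 2}


@dataclass(frozen=True)
class Rule:
    option: str          # starts-with | contains | ends-with
    pattern: str         # string from the template line
    service_group: str   # service group selected when the rule wins


def matches(rule: Rule, domain: str) -> bool:
    if rule.option == "starts-with":
        return domain.startswith(rule.pattern)
    if rule.option == "contains":
        return rule.pattern in domain
    if rule.option == "ends-with":
        return domain.endswith(rule.pattern)
    raise ValueError(f"unknown option {rule.option!r}")


def rank_rules(rules, domain):
    """Return the rules matching `domain`, best match first."""
    hits = [r for r in rules if matches(r, domain)]
    # Option order first; within an option, longer strings are more specific.
    ordered = sorted(hits, key=lambda r: (OPTION_ORDER[r.option], -len(r.pattern)))
    contains_strings = {r.pattern for r in ordered if r.option == "contains"}
    # ends-with rules that tie a contains rule on the exact string move up to
    # sit directly in front of that contains rule (rule 3 above).
    promoted = [r for r in ordered if r.option == "ends-with" and r.pattern in contains_strings]
    result = []
    for r in ordered:
        if r in promoted:
            continue
        if r.option == "contains":
            for e in promoted:
                if e.pattern == r.pattern and e not in result:
                    result.append(e)
        result.append(r)
    return result


def select_service_group(rules, domain):
    """Service group for the first match, or None (any service group may be used)."""
    ranked = rank_rules(rules, domain)
    return ranked[0].service_group if ranked else None


def parse_template_lines(lines):
    """Parse 'client-domain-switching <option> <string> service-group <name>' lines."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "client-domain-switching" or parts[3] != "service-group":
            raise ValueError(f"unrecognised line: {line!r}")
        if parts[1] not in OPTION_ORDER:
            raise ValueError(f"unknown option in line: {line!r}")
        rules.append(Rule(parts[1], parts[2], parts[4]))
    return rules


# The page's own sample rule set (precedence numbers omitted).
PAGE_TEMPLATE_LINES = [
    "client-domain-switching contains localhost service-group sg-a",
    "client-domain-switching contains local service-group sg-b",
    "client-domain-switching ends-with host service-group sg-c",
    "client-domain-switching ends-with localhost service-group sg-d",
    "client-domain-switching starts-with local service-group sg-e",
    "client-domain-switching starts-with localhost service-group sg-f",
]
PAGE_RULES = parse_template_lines(PAGE_TEMPLATE_LINES)

if __name__ == "__main__":
    for n, r in enumerate(rank_rules(PAGE_RULES, "localhost"), start=1):
        print(n, r.option, r.pattern, r.service_group)   # sg-f, sg-e, sg-d, sg-a, sg-b, sg-c
```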
command-disable
Description Disables support of the specified SMTP commands. If a client tries to
issue a disabled SMTP command, ACOS sends the following message to
the client:
502 - Command not implemented
server-domain
Description Specifies the Email server domain. This is the domain for which the ACOS
device provides SMTP load balancing.
Default “mail-server-domain”
service-ready-msg
Description Specifies the text of the SMTP service-ready message sent to clients. The
complete message sent to the client is constructed as follows:
200 - smtp-domain service-ready-string
Example Set “Your ESMTP mail service is ready” as the service-ready message.
ACOS(config)# slb template smtp smtp-tmp1
ACOS(config-smtp)# service-ready-msg "Your ESMTP mail service is ready"
starttls
Description Specifies whether or not use of STARTTLS by clients is required.
Default Disabled.
Chapter 15: Config Commands: SLB SSLi Templates
This chapter describes the commands and subcommands for configuring SLB Secure Sockets
Layer Insight (SSLi) templates.
This command enters the SLB SSLi Template Configuration Mode for the
specified SSLi template. For additional commands, see SLB SSLi
Template Configuration Mode Commands.
type 421
type
Description Specifies the service that is intercepted by SSLi.
Default HTTP
Chapter 16: Config Commands: SLB TCP Templates
This section lists the commands and sub-commands to configure SLB Transmission Control
Protocol (TCP) templates.
Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.
Usage The normal form of this command creates a TCP configuration template.
The no form of this command removes the template.
You can bind only one TCP template to a virtual port. However, you can
bind the same TCP template to multiple ports.
Example The following commands configure a TCP template named “test” that
sets the TCP window size to 1460 bytes, and bind the template to virtual
service port 22 on virtual server vs1:
ACOS(config)# slb template tcp test
ACOS(config-l4 tcp)# initial-window-size 1460
ACOS(config-l4 tcp)# exit
Example The following commands configure a TCP template that quickly terminates half-open sessions while allowing active sessions to continue.
ACOS(config)# slb template tcp halfopen-tcp
ACOS(config-l4 tcp)# force-delete-timeout 3 alive-if-active
ACOS(config-l4 tcp)# reset-fwd
ACOS(config-l4 tcp)# reset-rev
del-session-on-server-down 426
force-delete-timeout 427
force-delete-timeout-100ms 427
half-open-idle-timeout 428
idle-timeout 429
initial-window-size 429
insert-client-ip 430
lan-fast-ack 430
qos 431
reset-follow-fin 431
reset-fwd 432
reset-rev 432
del-session-on-server-down
Description This command clears a TCP session within 2 to 3 seconds if a session server is disabled by ACOS command or the server fails an ACOS health check at the service group level.
If one or more real servers in a service group fail the health check and this command is enabled for the session, ACOS clears the session.
Active sessions (those receiving client-side packets) are cleared within 2 to 3 seconds. Idle sessions may continue to exist for more than a minute after the command is issued.
force-delete-timeout
Description Specifies the maximum number of seconds a session can remain active, and forces deletion of any session still active after the specified number of seconds.
This option is useful for small, fast transactions for which the completion time of sessions is guaranteed. When used in combination with the reset-fwd and reset-rev options, the force-delete-timeout option can help clean up user connections with RSTs instead of allowing the connections to hang.
This command cannot be used with the client-SSL or server-SSL template close-notify option. Doing so may cause unexpected behavior.
force-delete-timeout-100ms
Description Specifies the maximum time (milliseconds) a session can remain active. Forces deletion of any session still active after the specified number of milliseconds.
half-open-idle-timeout
Description Enables the configuration of half-open TCP sessions. A half-open session is a TCP session in which the client receives a SYN-ACK, but does not reply with an ACK.
This mode is supported only for client side data streams.
idle-timeout
Description Specifies the number of minutes that a connection can be idle before the
ACOS device terminates the connection.
initial-window-size
Description Sets the initial TCP window size in SYN ACK packets to clients. The TCP
window size in a SYN ACK or ACK packet specifies the amount of data
that a client can send before it needs to receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the
client. After the SYN ACK, the ACOS device does not modify the TCP
window size for any other packets in the session.
By default, the ACOS device uses the TCP window size set by the client
or server:
insert-client-ip
Description Inserts the client IP address into an options field in the TCP header.
This option is useful for applications that require knowledge of the client
IP address, but that do not use HTTP or another protocol such as
Financial Information eXchange (FIX) that can include this information.
For example, insertion of the client IP address into the TCP header can be
useful for financial applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a
TCP option field of type 0x1c, with a length of 7 bytes. For example, the
value placed by ACOS into the TCP header for client 40.40.40.26 is
0x1c07012828281a.
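The 0x1c option layout above, as an added example for this reference (not ACOS code): it builds the option for a client address and walks a TCP options field to recover the client IP, which is what a defender needs when attributing server-side captures to the real client rather than the ACOS address. The 0x01 byte that follows the length in the page's sample value is not explained on the page and is treated here as a fixed marker (an assumption); the MSS, NOP and SACK-permitted options around it in the sample field are constructed.

```python
"""Build and parse the client-IP TCP option described by insert-client-ip:
kind 0x1c, length 7, then the client IPv4 address.

Added example, not A10/ACOS code. The page's sample for client 40.40.40.26
is 0x1c07012828281a; the 0x01 between the length and the address is assumed
here to be a fixed marker byte. Option walking follows the standard TCP
option layout (kind, length, data; kind 0 = end of list, kind 1 = NOP).
"""
import ipaddress
import struct

CLIENT_IP_OPTION_KIND = 0x1C
CLIENT_IP_OPTION_LEN = 7
CLIENT_IP_OPTION_MARKER = 0x01   # assumption: fixed byte seen in the page's sample value


def build_client_ip_option(client_ip: str) -> bytes:
    """Return the 7-byte option for an IPv4 client address."""
    addr = ipaddress.IPv4Address(client_ip)   # raises on anything that is not IPv4
    return struct.pack("!BBB4s", CLIENT_IP_OPTION_KIND, CLIENT_IP_OPTION_LEN,
                       CLIENT_IP_OPTION_MARKER, addr.packed)


def iter_tcp_options(options: bytes):
    """Yield (kind, data) for each option in a TCP options field."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list: stop, ignore padding
            return
        if kind == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"truncated option header at offset {i}")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad option length {length} at offset {i}")
        yield kind, options[i + 2:i + length]
        i += length


def extract_client_ip(options: bytes):
    """Return the client IPv4 address carried in option 0x1c, or None if absent."""
    for kind, data in iter_tcp_options(options):
        if kind != CLIENT_IP_OPTION_KIND:
            continue
        # Refuse to trust a 0x1c option that does not have the documented shape.
        if len(data) != CLIENT_IP_OPTION_LEN - 2 or data[0] != CLIENT_IP_OPTION_MARKER:
            raise ValueError(f"unexpected 0x1c option payload: {data.hex()}")
        return str(ipaddress.IPv4Address(data[1:5]))
    return None


# Constructed sample options field, as a server-side capture might show it:
# MSS 1460, two NOPs, SACK-permitted, the client-IP option, end of list.
SAMPLE_OPTIONS = (
    bytes.fromhex("020405b4")
    + bytes.fromhex("0101")
    + bytes.fromhex("0402")
    + build_client_ip_option("40.40.40.26")
    + bytes.fromhex("00")
)

if __name__ == "__main__":
    print(build_client_ip_option("40.40.40.26").hex())   # 1c07012828281a
    print(extract_client_ip(SAMPLE_OPTIONS))              # 40.40.40.26
```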
lan-fast-ack
Description Increases performance of bidirectional peer sessions by acknowledging
receipt of data on behalf of clients and servers.
qos
Description Marks DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server
SLB traffic.
reset-follow-fin
Description Enables closing a client or server connection with a reset (RST) on the first FIN received from the client or server.
Usage This option alleviates the situation where a backend server receives the
client FIN, ACKs the FIN, enters CLOSE_WAIT but does not close the
reset-fwd
Description Sends a TCP RST to the real server after a session times out.
reset-rev
Description Sends a TCP RST to the client after a session times out.
This command does not send an RST if a server selection failure occurs.
To do this, use the reset-on-server-selection-fail option at the
configuration level for the service group or virtual port.
Usage If the server is Down, the reset-rev option immediately sends the RST to
the client and does not wait for the session to time out.
When using reset-rev disable with the disable-with-hm command under
SLB server configuration, the server is not treated as “disabled” since
persist sessions continue to use the “disabled” server.
When using reset-rev disable with the slb graceful-shutdown Global
configuration command, state of enabled is also not treated as disabled
but as UP since existing sessions need to be drained and not reset.
Chapter 17: Config Commands: SLB TCP Proxy Templates
This section lists the commands and sub-commands to configure SLB TCP Proxy templates.
NOTE: Before changing a default template, make sure the changes you plan to make are applicable to all virtual ports that use the template.
Example The following commands create a TCP-proxy template named “rst” and set the idle timeout to 3000 seconds. When the idle timeout occurs, the ACOS device will send an RST to the client. In cases where the server goes down, the ACOS device will reset the connection.
ACOS(config)# slb template tcp-proxy rst
ack-aggressiveness 439
backend-wscale 440
del-session-on-server-down 440
disable-abc 441
disable-sack 441
disable-tcp-timestamps 441
disable-window-scale 442
dynamic-buffer-allocation 442
early-retransmit 443
fin-timeout 443
force-delete-timeout 443
force-delete-timeout-100ms 444
half-close-idle-timeout 445
half-open-idle-timeout 445
idle-timeout 446
init-cwnd 446
initial-window-size 447
insert-client-ip 448
invalid-rate-limit 448
keepalive-interval 449
keepalive-probes 450
limited_slowstart 451
maxburst 451
min-rto 452
mss 452
nagle 453
proxy-header 453
psh-flag-optimization 454
qos 454
reassembly-limit 455
reassembly-timeout 455
receive-buffer 456
reno 456
reset-fwd 457
reset-rev 457
retransmit-retries 458
syn-retries 458
timewait 459
transmit-buffer 459
ack-aggressiveness
Description Specifies the cases in which the ACOS device sends an ACK to the client.
A high ACK aggressiveness helps reduce the delay of interactive client-
server applications, but at a cost of more ACKs.
Default low
backend-wscale
Description Specifies the TCP window scaling factor for backend connections to servers.
The TCP window scaling factor is applicable to virtual ports for which the
ACOS device acts as a TCP proxy.
The TCP window scaling factor is used to calculate the TCP receive
window, which is the maximum amount of data (in bytes) the receiver on
a TCP connection will buffer. The sender is not allowed to send more than
this amount of data before receiving an acknowledgement that the data
has arrived.
Default Disabled
del-session-on-server-down
Description This command clears a port protocol session within 2 to 3 seconds if a session server is disabled by ACOS command or the server fails an ACOS health check at the service group level.
If one or more real servers in a service group fail the health check and this command is enabled for the session, ACOS clears the session.
disable-abc
Description Disables Appropriate Byte Counting (ABC), which calculates the congestion window from the number of bytes acknowledged rather than the number of ACKs. It is recommended that ABC remain enabled.
disable-sack
Description Prevents flows from using Selective ACK (SACK) options, which are sent by the receiver to inform the sender of missing data segments and so enhance TCP fast recovery.
disable-tcp-timestamps
Description Disables the TCP Timestamps option. Disabling this option stops TCP Protection Against Wrapped Sequences (PAWS) and causes retransmission timeout (RTO) calculations to use relative receive time for round-trip time (RTT) calculations.
disable-window-scale
Description Disables the TCP Window-Scale option. Disabling the Window-Scale
option prevents an increase in the amount of data that the receiver can
accept before sending an acknowledgement to the sender.
dynamic-buffer-allocation
Description Optimally adjusts the transmit and receive buffer sizes of TCP-proxy
while maintaining a constant sum of combined values.
early-retransmit
Description Specifies the number of packets that an ACOS device sends when it retransmits lost data. The recommended setting is 3. This allows problematic networks time to recover from data loss before attempting another transmission.
Default 3
fin-timeout
Description Specifies the number of seconds that a connection can be in the FIN-WAIT or CLOSING state before the ACOS device terminates the connection.
Default Disabled
force-delete-timeout
Description Specifies the maximum number of seconds a session can remain active, and forces deletion of any session that is still active after the specified number of seconds.
This option is useful for small, fast transactions for which the completion time of sessions is guaranteed. When used in combination with the reset-fwd and reset-rev commands, this option can help clean up user connections with RSTs instead of allowing the connections to hang.
force-delete-timeout-100ms
Description Specifies the maximum number of milliseconds a session can remain active, and forces deletion of any session that is still active after the specified number of milliseconds.
half-close-idle-timeout
Description Enables aging of half-closed TCP sessions. A half-closed session is a TCP session in which the server sends a FIN but the client does not reply with an ACK.
By default, the ACOS device keeps half-closed sessions open indefinitely.
half-open-idle-timeout
Description Enables aging of half-open TCP sessions. A half-open TCP session is one
in which the client receives a SYN-ACK, but does not reply with an ACK.
This command is supported only on the client side.
Parameter Description
idle-timeout
Description Specifies the number of minutes that a connection can be idle before the
ACOS device terminates the connection.
Parameter Description
Usage See keepalive-interval for more information about how the idle timeout
and keepalive values are related.
init-cwnd
Description Specifies the initial congestion window: the number of unacknowledged
segments the ACOS device may have in flight at the start of a TCP connection,
before the window begins to grow. A larger initial congestion window helps
reduce HTTP response latency, especially for short web pages.
Parameter Description
Default 10
initial-window-size
Description Sets the initial TCP window size in SYN ACK packets to clients. The TCP
window size in a SYN ACK or ACK packet specifies the amount of data
that a client can send before it needs to receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the
client. After the SYN ACK, the ACOS device does not modify the TCP
window size for any other packets in the session.
By default, the ACOS device uses the TCP window size set by the client
or server:
• If the virtual port is one of the service types that is proxied by the
ACOS device, initial TCP window size applies to SYN ACKs generated
by the ACOS device and sent to clients. By default, the ACOS device
uses the TCP window size in the client’s SYN. The following service
types are proxied by the ACOS device: HTTP, HTTPS, Fast-HTTP,
SSL-proxy, and SMTP.
• If the virtual port is not one of the service types that is proxied by the
ACOS device (for example, the tcp service type), initial TCP window
size applies to SYN ACKs generated by servers and forwarded by the
ACOS device to clients. By default, the ACOS device uses the TCP
window size in the server’s SYN ACK.
If SYN cookies are enabled, either globally or on the virtual service port,
the ACOS device acts as a TCP proxy even for service types that are not
normally proxied. In this case, the behavior is the same as for the other
service types TCP-proxied by the ACOS device.
Parameter Description
insert-client-ip
Description Inserts the client IP address into an option field in the TCP header.
This option is useful for applications that require knowledge of the client
IP address but do not use HTTP or another protocol, such as Financial
Information eXchange (FIX), that can carry this information. For example,
insertion of the client IP address into the TCP header can be useful for
financial applications that do not use FIX.
When this feature is enabled, ACOS places the client IP address into a TCP
option of kind 0x1c with a total length of 7 bytes: the kind byte, the
length byte, a 0x01 byte, then the 4-byte IPv4 address. For example, the
value placed by ACOS into the TCP header for client 40.40.40.26 is
0x1c07012828281a.
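The option layout quoted above is specific enough to consume on the receiving side. The following is an added example, not A10 code: a Python parser and builder for the 0x1c option, assuming only the layout given above (kind 0x1c, length 7, a 0x01 byte, then the IPv4 address); the sample segment is constructed. Two checks a server-side consumer needs are built in. First, TCP option kind 28 is also assigned to the TCP User Timeout Option (RFC 5482), whose total length is 4, so the length and marker byte are verified before the payload is treated as an address. Second, a real server that is reachable other than through the ACOS device could receive a forged option directly from a client, so the option should only be honored on connections that arrive from the ACOS device's addresses, the same trust rule that applies to X-Forwarded-For.

```python
"""Added example (not A10 code): parse and build the client-IP TCP option
that ACOS inserts when insert-client-ip is enabled. The layout follows the
reference text: kind 0x1c, total length 7, then 0x01 and the 4-byte IPv4."""
import ipaddress
import struct
from typing import List, Optional, Tuple

ACOS_CLIENT_IP_KIND = 0x1C  # option kind used by ACOS (per the reference)
ACOS_CLIENT_IP_LEN = 7      # kind(1) + length(1) + 0x01(1) + IPv4(4)


def parse_tcp_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TCP options area and return (kind, data) pairs.

    Handles the single-byte EOL (0) and NOP (1) kinds and rejects
    truncated or zero-length options instead of reading past the buffer.
    """
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        out.append((kind, options[i + 2:i + length]))
        i += length
    return out


def options_from_segment(segment: bytes) -> bytes:
    """Slice the options area out of a raw TCP segment using the data offset."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return segment[20:data_offset]


def extract_acos_client_ip(options: bytes) -> Optional[ipaddress.IPv4Address]:
    """Return the client IPv4 address carried in the ACOS option, or None.

    Kind 28 is also assigned to the TCP User Timeout Option (RFC 5482),
    which has total length 4, so the length and the 0x01 marker byte are
    checked before the payload is treated as an address.
    """
    for kind, data in parse_tcp_options(options):
        if kind != ACOS_CLIENT_IP_KIND:
            continue
        if len(data) + 2 != ACOS_CLIENT_IP_LEN or data[0] != 0x01:
            continue
        return ipaddress.IPv4Address(bytes(data[1:5]))
    return None


def build_acos_client_ip_option(ip: str) -> bytes:
    """Build the option bytes as documented: 1c 07 01 <IPv4>."""
    packed = ipaddress.IPv4Address(ip).packed
    return bytes([ACOS_CLIENT_IP_KIND, ACOS_CLIENT_IP_LEN, 0x01]) + packed


# Constructed sample SYN from the ACOS device to a real server: 20-byte base
# header (data offset 8 = 32 bytes) followed by MSS 1460, a NOP and the
# ACOS option for client 40.40.40.26 (the value quoted in the reference).
SAMPLE_OPTIONS = bytes.fromhex("020405b4") + b"\x01" + bytes.fromhex("1c07012828281a")
SAMPLE_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 8 << 4, 0x02,
                             65535, 0, 0) + SAMPLE_OPTIONS

if __name__ == "__main__":
    print(extract_acos_client_ip(options_from_segment(SAMPLE_SEGMENT)))  # 40.40.40.26
```

The builder lets a test harness generate the option for a capture filter or an IDS rule; the parser is what an application that cannot use PROXY protocol would run over the raw SYN it receives (for example via a raw socket or a packet capture).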
invalid-rate-limit
Description Sets the minimum interval, in milliseconds, between the responses the
ACOS device sends to suspicious or invalid packets, which limits the
response rate.
Parameter Description
Default 500 ms
keepalive-interval
Description Number of seconds a TCP-proxy session can remain idle before the
ACOS device sends a TCP ACK to the devices on both ends of the ses-
sion.
Parameter Description
Usage The keepalive feature periodically verifies that a TCP-proxy session is
still up on both ends of the session. The keepalive interval sets the
number of seconds a TCP-proxy session can remain idle before the ACOS
device sends a TCP ACK to the devices on both ends of the session, and
the keepalive probe count sets the maximum number of times the ACOS
device sends a keepalive ACK before deleting the session.
The ACOS device sends the first keepalive ACK if a session remains idle
for the duration of the keepalive interval:
• If both devices respond with an ACK before the next keepalive interval
  expires, the ACOS device resets the keepalive time to 0. This starts a
  new keepalive interval.
• If either device does not respond with an ACK before the next keepalive
  interval expires, the action taken by the ACOS device depends on the
  setting of the keepalive probe count:
  • Keepalive probe count set to a value greater than 1 – The ACOS device
    sends another ACK to each device.
  • Keepalive probe count set to 1 – The ACOS device does not send new
    probe ACKs. Instead, the ACOS device deletes the session.
Relation of Keepalive to Idle-timeout
The keepalive and idle-timeout options work independently of one
another. Note that the keepalive interval is configured in seconds while
the idle timeout is configured in minutes.
By default, the keepalive interval is shorter than the idle timeout. In this
case, keepalive probes are triggered before the idle timeout expires.
• If both devices respond with an ACK before either of the following
  occurs, the keepalive interval time and the idle time are both reset to 0:
  • Idle timeout expires – If this occurs, the session is deleted, even if
    the maximum number of keepalive probes has not been sent.
  • Maximum number of keepalive probes are sent, but at least one of the
    devices still does not respond – In this case, the session is deleted
    even if the idle timeout has not expired.
• If you change the keepalive or idle-timeout settings so that the idle
  timeout is shorter than the keepalive interval, the keepalive mechanism
  is never triggered. The idle timeout always expires first, causing the
  session to be deleted. No keepalive probes are ever sent.
keepalive-probes
Description Maximum number of times the ACOS device sends a keepalive ACK,
before deleting the session.
Parameter Description
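The interaction between keepalive-interval, keepalive-probes and idle-timeout described above determines how long a dead peer can hold a TCP-proxy session open, which matters when sizing session tables against resource exhaustion. The following is an added example, not A10 code: a Python model of those rules. It takes the timing rules from the text (probe every keepalive interval, deletion when the probes are exhausted or the idle timeout expires, whichever comes first, and no probes at all when the idle timeout is not longer than the interval) and applies the unit difference the CLI imposes (seconds for the keepalive interval, minutes for the idle timeout). The exact tick at which the device deletes the session after its last unanswered probe is an assumption (one further keepalive interval), and replies are modelled as immediate; the settings in the usage block are constructed.

```python
"""Added example (not A10 code): a model of when an idle TCP-proxy session
is deleted, combining keepalive-interval (seconds), keepalive-probes and
idle-timeout (minutes) as the reference describes them. The precise tick
at which the ACOS device deletes the session after its last unanswered
probe is an assumption (one further keepalive interval)."""
from typing import Optional, Tuple


def session_outcome(keepalive_interval_s: int, keepalive_probes: int,
                    idle_timeout_min: int,
                    reply_after_probe: Optional[int] = None) -> Tuple[str, int, str]:
    """Return (outcome, seconds after going idle, reason) for a session idle from t=0.

    reply_after_probe: 1-based number of the probe that both ends answer
    (modelled as an immediate reply), or None if neither end ever answers.
    """
    idle_s = idle_timeout_min * 60   # the CLI takes minutes here, seconds for keepalive
    if keepalive_interval_s >= idle_s:
        # Idle timeout is not longer than the keepalive interval: the idle
        # timer always fires first and no probe is ever sent.
        return "deleted", idle_s, "idle-timeout expired before the first keepalive"
    for k in range(1, keepalive_probes + 1):
        sent_at = k * keepalive_interval_s
        if sent_at >= idle_s:
            return "deleted", idle_s, "idle-timeout expired before probe %d" % k
        if reply_after_probe == k:
            # Both ends ACKed before the next interval: both timers restart.
            return "reset", sent_at, "both ends answered probe %d; timers restart" % k
        # No reply to probe k before the next interval expires: either send
        # probe k+1 (if probes remain) or give up.
    exhausted_at = (keepalive_probes + 1) * keepalive_interval_s
    if idle_s <= exhausted_at:
        return "deleted", idle_s, "idle-timeout expired before the last probe interval ended"
    return "deleted", exhausted_at, "all %d keepalive probes unanswered" % keepalive_probes


def worst_case_cleanup_s(keepalive_interval_s: int, keepalive_probes: int,
                         idle_timeout_min: int) -> int:
    """Seconds a silent (dead) peer can hold a session open with these settings."""
    return session_outcome(keepalive_interval_s, keepalive_probes, idle_timeout_min)[1]


if __name__ == "__main__":
    # Constructed settings: 60 s interval, 3 probes, 10 min idle timeout.
    print(session_outcome(60, 3, 10))   # ('deleted', 240, 'all 3 keepalive probes unanswered')
    print(session_outcome(900, 3, 10))  # idle timeout (600 s) wins; no probe is ever sent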
limited_slowstart
Description Specifies the maximum amount of data the ACOS device initially trans-
mits in an effort to promote a healthy network connection and avoid con-
gestion.
Parameter Description
Default 0
Example Set the size of the TCP slow start to 500 bytes:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# limit-slowstart 500
maxburst
Description Limits the number of data segments that can be transmitted for each
TCP window the ACOS device sends.
Parameter Description
Default 25
min-rto
Description Specifies the minimum retransmission timeout (RTO): the shortest time
the ACOS device waits for an acknowledgement of transmitted data before
retransmitting it. This setting is particularly helpful in networks with
low bandwidth or high latency; increase the value for such networks so that
slow acknowledgements are not mistaken for loss.
Parameter Description
Example Set the minimum RTO to 500 milliseconds:
ACOS(config)# slb template tcp-proxy default
ACOS(config-tcp proxy)# min-rto 500
mss
Description Change the minimum supported TCP Maximum Segment Size (MSS).
Parameter Description
Default 1460
nagle
Description Enables Nagle's algorithm (RFC 896), which coalesces small outgoing
segments to reduce the number of packets sent.
proxy-header
Description Configures PROXY protocol header insertion only. For the header format,
refer to the HAProxy PROXY protocol specification.
Parameter Description
Example These commands configure a TCP-proxy template that inserts a version 1
PROXY protocol header, then bind it to a virtual port:
ACOS(config)# slb template tcp-proxy TP
ACOS(config-tcp proxy)# proxy-header insert v1
ACOS(config-tcp proxy)# exit
ACOS(config)# slb virtual-server VIP-10 10.1.1.1
ACOS(config-slb vserver)# port 80 tcp-proxy
ACOS(config-slb vserver-vport)# template tcp-proxy TP
Related Commands
• Under SLB SIP template: insert-client-ip
• Under SLB TCP template: insert-client-ip
• Under SLB TCP proxy template: insert-client-ip
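With proxy-header insert v1 configured as above, every connection the ACOS device opens to the real server begins with one PROXY protocol v1 line before any application data, and the server must consume that line and decide whether to believe it. The following is an added example, not A10 code and not the HAProxy implementation: a Python reader for the v1 header as specified by HAProxy (a single line of at most 107 bytes ending in CRLF, with the TCP4/TCP6/UNKNOWN family, source and destination addresses and ports), together with the trust check a receiver needs. The ADC address 10.1.1.254 and the sample stream are constructed; the VIP 10.1.1.1 is the one from the example above. Without the trust check, any client able to reach the real server directly could prepend its own PROXY line and choose the source address the application logs and authorizes against.

```python
"""Added example (not A10 code): a server-side reader for the HAProxy
PROXY protocol v1 header that `proxy-header insert v1` prepends to each
connection, plus the trust check a receiver must apply."""
import ipaddress
from typing import NamedTuple, Optional, Set, Tuple

MAX_V1_HEADER = 107          # spec limit for a v1 line, CRLF included


class ProxyInfo(NamedTuple):
    family: str              # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Parse a v1 header at the start of `data`; return (info, remaining bytes).

    Raises ValueError for anything that is not a well-formed v1 line:
    missing CRLF within 107 bytes, wrong field count, bad family, an
    address that does not match the family, or a port outside 0-65535.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("not a PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within %d bytes" % MAX_V1_HEADER)
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # The sender could not determine the original connection; the
        # receiver must fall back to its own view of the TCP connection.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line: %r" % data[:end])
    _, family, src, dst, sport, dport = fields
    want = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != want:
            raise ValueError("address %s does not match %s" % (addr, family))
    ports = []
    for p in (sport, dport):
        if not p.isdigit() or int(p) > 65535:
            raise ValueError("bad port %r" % p)
        ports.append(int(p))
    return ProxyInfo(family, src, ports[0], dst, ports[1]), rest


def accept_connection(peer_ip: str, data: bytes,
                      trusted_proxies: Set[str]) -> Tuple[Optional[ProxyInfo], bytes]:
    """Honour a PROXY header only when the TCP peer is a trusted ADC address.

    From any other peer the bytes are treated as ordinary application data,
    so a client that can reach the server directly cannot spoof a source.
    """
    if peer_ip not in trusted_proxies:
        return None, data
    return parse_proxy_v1(data)


# Constructed sample: what a server behind VIP 10.1.1.1 would read from
# the ACOS device (assumed to connect from 10.1.1.254) for a client at
# 203.0.113.7. Addresses are documentation ranges, not real hosts.
ADC_ADDRESSES = {"10.1.1.254"}
SAMPLE_STREAM = (b"PROXY TCP4 203.0.113.7 10.1.1.1 51234 80\r\n"
                 b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    print(accept_connection("10.1.1.254", SAMPLE_STREAM, ADC_ADDRESSES)[0])
    print(accept_connection("203.0.113.9", SAMPLE_STREAM, ADC_ADDRESSES)[0])  # None
```

A real server reads the header from the socket before handing the rest of the stream to the application; the trusted set should contain the ACOS device's source-NAT or interface addresses, and anything else should be rejected or logged rather than parsed.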
psh-flag-optimization
Description Enables PSH flag optimization on the TCP-proxy template being configured.
The PSH (PUSH) flag is a TCP header flag that tells the receiver to deliver
buffered data to the application without waiting for the buffer to fill. By
default, the ACOS device sets the PSH flag on every data segment. To limit
its use for SSL flows, the SSL flush routine marks the last buffer within
the queue with a PSH marker; when PSH flag optimization is enabled, TCP
reads that marker and sets the PSH flag only on the packets it indicates.
qos
Description Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-
server SLB traffic.
Parameter Description
reassembly-limit
Description Specifies the maximum number of TCP segments allowed in the
reassembly queue for each flow.
Parameter Description
Default 25
reassembly-timeout
Description Specifies the length of time (in seconds) that the ACOS device waits for
progress in the reassembly of TCP segments before it removes the segments
from the reassembly queue.
Parameter Description
Default 30 seconds
receive-buffer
Description Specifies the maximum number of bytes addressed to the port that the
ACOS device will buffer.
Parameter Description
reno
Description Enables the TCP Reno congestion control algorithm, and disables Cubic.
reset-fwd
Description Sends a TCP RST to the real server after a session times out.
reset-rev
Description Sends a TCP RST to the client after a session times out.
Parameter Description
Usage If the server is Down, the reset-rev option immediately sends the RST to
the client and does not wait for the session to time out.
retransmit-retries
Description Specifies the maximum number of times the ACOS device can retransmit
a data segment for which the ACOS device does not receive an ACK.
Parameter Description
Default 5
syn-retries
Description Specifies the maximum number of times the ACOS device retransmits a
SYN for which it does not receive a SYN-ACK.
Parameter Description
Default 5
timewait
Description Specifies the number of seconds that a connection can be in the TIME-
WAIT state before the ACOS device transitions it to the CLOSED state.
Parameter Description
Default 5 seconds
transmit-buffer
Description Specifies the maximum number of bytes sent by the port that the ACOS
device will buffer.
Parameter Description
Chapter 18: Config Commands: SLB UDP Templates
This section lists the commands and sub-commands to configure SLB User Datagram Pro-
tocol (UDP) templates.
Parameter Description
Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.
Usage The normal form of this command creates a UDP configuration template.
The no form of this command removes the template.
You can bind only one UDP template to a virtual port. However, you can
bind the same UDP template to multiple ports.
aging
idle-timeout
qos
re-select-if-server-down
stateless-conn-timeout
aging
Description Specifies how quickly sessions are terminated when the request is
received.
Parameter Description
idle-timeout
Description Specifies the number of seconds a connection can remain idle before the
ACOS device terminates the connection.
Parameter Description
The maximum idle timeout supported for TFTP virtual ports is 15300
seconds (255 minutes).
qos
Description Marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-
server SLB traffic.
Parameter Description
re-select-if-server-down
Description Configures the ACOS device to select another real server if the server
that is bound to an active connection goes down. Without this option,
another server is not selected.
By default, the device clears all UDP sessions from the server that goes
down.
Parameter Description
Example These commands configure the device to select another real server
when a server bound to an active connection goes down, and to clear all
UDP sessions for the failed server:
ACOS(config)# slb template udp udp-tmp1
ACOS(config-l4 udp)# re-select-if-server-down
stateless-conn-timeout
Description Set the stateless current connection timeout value in seconds.
Parameter Description
Chapter 19: Config Commands: SLB Virtual Port Templates
This section lists the commands and sub-commands to configure SLB virtual port templates.
Parameter Description
Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.
Usage The normal form of this command creates a virtual service port template.
The no form of this command removes the template.
You can bind only one virtual service port template to a virtual service
port. However, you can bind the virtual service port template to multiple
virtual service ports.
Some of the parameters that can be set using a template can also be set
or changed on the individual virtual port.
• If a parameter is set (or changed from its default) in both a template
and on the individual virtual port, the setting on the individual virtual
port takes precedence.
Example These commands configure a virtual service port template named
“common-vpsettings”, set the connection limit, and bind the template to a
virtual port:
ACOS(config)# slb template virtual-port common-vpsettings
ACOS(config-vport)# conn-limit 500000
ACOS(config-vport)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.99
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template virtual-port common-vpsettings
Example The following commands create real servers “s1” at 5.5.5.1 (with a real
port range of 10), “s2” at 5.5.5.2 (with a range of 25), and “s3” at 5.5.5.3
(which has no range configured and is not used by this feature). These real
servers are then bound to service group “sg1”, which in turn is bound to
VIP “vip3” at 10.10.10.0 /24. A virtual port template “vport1” is created
with the allow-vip-to-rport-mapping option and bound to the ports of “vip3”.
ACOS(config-vport)# exit
ACOS(config)# slb virtual-server vip3 10.10.10.0 /24
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# service-group sg1
ACOS(config-slb vserver-vport)# template virtual-port vport1
ACOS(config-slb vserver-vport)# exit
ACOS(config-slb vserver)# port 90 http
ACOS(config-slb vserver-vport)# service-group sg1
ACOS(config-slb vserver-vport)# template virtual-port vport1
ACOS(config-slb vserver-vport)# exit
aflow
allow-syn-otherflags
allow-vip-to-rport-mapping
conn-limit
conn-rate-limit
drop-unknown-conn
dscp
ignore-tcp-msl
non-syn-initiation
pkt-rate-limit
reset-l7-on-failover
reset-unknown-conn
snat-msl
snat-port-preserve
aflow
Description Enables aFlow control. aFlow helps avoid packet drops and retrans-
missions when a real server port reaches its configured connection limit.
aFlow control is triggered when either of the following occurs:
• If connection limit is configured on the real server or real port – The
backend real server or real port reaches its configured connection
limit.
• If connection limit is not configured on the real server or real port –
The response time of the backend real server or real port increases
dramatically. The response time is the time between when the ACOS
allow-syn-otherflags
Description Allows an initial SYN packet that has other TCP flags set in addition
to SYN.
allow-vip-to-rport-mapping
Description Enables the VIP to Real Port Mapping feature for a subnet VIP.
The virtual port template containing this option must be bound to the VIP,
and the VIP itself must be configured as a subnet VIP (for example,
10.10.10.0 /24), or the feature will not work.
conn-limit
Description Specifies the maximum number of connections allowed on virtual ports
that use this template.
Parameter Description
Usage If you change the connection limiting configuration on a virtual port or
virtual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port has no active
connections.
Example Configure a limit of 10000 concurrent connections, and disable logging:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# conn-limit 10000 no-logging
conn-rate-limit
Description Limits the rate of new connections accepted on virtual ports that use
this template. When a virtual port reaches its connection rate limit, the
ACOS device stops accepting new connections on that port until the rate
drops below the limit.
Parameter Description
Usage If you change the connection limiting configuration on a virtual port or
virtual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the connection counter
for the virtual port or server in show command output and in the GUI may
become incorrect. To avoid this, do not change the connection limiting
configuration until the virtual server or port has no active connections.
Example Configure a connection rate limit of 10000 connections per second, and
disable logging:
ACOS(config)# slb template virtual-port vport-tmplt1
ACOS(config-vport)# conn-rate-limit 10000 no-logging
drop-unknown-conn
Description Drops a TCP packet that has neither the SYN nor the RST flag set and
does not belong to any existing connection, instead of creating a session
for it.
dscp
Description Sets the Differentiated Services Code Point (DSCP) value in client
requests before forwarding them to the server.
Parameter Description
ignore-tcp-msl
Description Immediately reuses TCP sockets after session termination, without waiting
for the Maximum Segment Lifetime (MSL) timer to expire.
non-syn-initiation
Description Enables a TCP session to be created when the initial TCP packet seen by
the ACOS device is not a SYN.
This feature is useful in VRRP-A topologies where, after a failover, a
non-SYN packet from an existing connection arrives at the new active device
and a session can be created on the new active device without having to
configure ha-conn-mirror under the virtual port.
Usage To guarantee the same backend server is selected after failover, use the
src-ip-only method.
This feature is only supported on TCP virtual ports and not supported
when:
• source-nat is configured on the virtual port.
• syn-cookie is configured on the virtual port.
• A conn-limit is configured on a real server or real port
pkt-rate-limit
Description Configure packet rate limit for the virtual port.
Parameter Description
Example These commands configure a template with a packet rate limit such that
packets are dropped when the rate from a source port exceeds 500 packets
per second, and a TCP reset is sent to terminate the session when the
source’s packet rate exceeds 1000 packets per second:
ACOS(config)# slb template virtual-port vsettings
ACOS(config-vport)# pkt-rate-limit src-port rate 500 reset 1000
reset-l7-on-failover
Description Resets a Layer 7 connection upon failover.
reset-unknown-conn
Description Enables sending TCP Reset (RST) in response to a session mismatch,
which occurs when the ACOS device receives a TCP packet for a TCP ses-
sion that is not in the active session table on the ACOS device.
snat-msl
Description Sets the Maximum Segment Lifetime (MSL) for source-NAT connections.
This option is useful for servers with older TCP/IP stacks, which wait up
to 240 seconds (4 minutes) after a FIN before the endpoint can be reused
for a new connection.
Parameter Description
snat-port-preserve
Description Attempts to preserve the client’s source port for traffic destined for the vir-
tual port.
Usage Note:
• Port preservation is not always guaranteed and is performed on a
best-effort basis.
• Port preservation depends on the number of Platform CPUs. Hence,
in some cases, the ports from 1024 - <xxxx> will not be preserved.
• Port preservation does not work for FTP active mode sessions.
• Port preservation works only if source NAT is enabled for the virtual
port.
Chapter 20: Config Commands: SLB Virtual Server Templates
This section lists the commands and sub-commands to configure SLB virtual server tem-
plates.
Parameter Description
Before changing a default template, make sure the changes you plan to make are applicable
to all virtual ports that use the template.
Usage The normal form of this command creates a virtual server template. The
no form of this command removes the template.
You can bind only one virtual server template to a virtual server. However,
you can bind the virtual server template to multiple virtual servers.
Some of the parameters that can be set using a template can also be set
or changed on the individual virtual server:
• If a parameter is set (or changed from its default) in both a template
and on the individual virtual server, the setting on the individual vir-
tual server takes precedence.
Example The following commands configure a virtual server template called
“vs-tmplt1” that sets ICMP rate limiting, and bind the template to a
virtual server:
ACOS(config)# slb template virtual-server vs-tmplt1
ACOS(config-vserver)# icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.2
ACOS(config-slb virtual server)# template virtual-server vs-tmplt1
conn-limit
conn-rate-limit
icmp-rate-limit
icmpv6-rate-limit
subnet-gratuitous-arp
disable-when-all-ports-down
conn-limit
Description Specifies the maximum number of connections allowed on virtual serv-
ers that use this template.
Parameter Description
Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output
and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.
Example Configure a limit of 10000 concurrent connections, and disable logging:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# conn-limit 10000 no-logging
conn-rate-limit
Description Limits the rate of new connections accepted on virtual servers that use
this template. When a virtual server reaches its connection rate limit, the
ACOS device stops accepting new connections on that virtual server until
the rate drops below the limit.
Parameter Description
Usage If you change the connection limiting configuration on a virtual port or vir-
tual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current con-
nection counter for the virtual port or server in show command output
and in the GUI may become incorrect. To avoid this, do not change the
connection limiting configuration until the virtual server or port does not
have any active connections.
Example Configure a connection rate limit of 10000 connections per second, and
disable logging:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# conn-rate-limit 10000 no-logging
icmp-rate-limit
Description Configures ICMP (v4) rate limiting for the virtual server, to protect against
denial-of-service (DoS) attacks.
Parameter Description
Default By default, this is not set. When enabled, specifying a maximum rate
(lockup rate) and lockup time is optional. If you do not specify them,
lockup does not occur.
Example Configure ICMP rate limiting to allow 5000 packets per second.
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# icmp-rate-limit 5000
icmpv6-rate-limit
Description Configures ICMPv6 rate limiting for the virtual server, to protect against
denial-of-service (DoS) attacks.
Parameter Description
Default Not set by default. When enabled, specifying a maximum lockup rate and
lockup time is optional. When they are not specified, lockup does not
occur.
Example Configure ICMPv6 rate limiting to allow 5000 packets per second.
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# icmpv6-rate-limit 5000
subnet-gratuitous-arp
Description Enables gratuitous ARPs for all VIPs in subnet VIPs. A subnet VIP is a
range of VIPs created from a range of IP addresses within a subnet.
This option applies only to VIPs created using a range of subnet IP
addresses. The option has no effect on VIPs created with a single IP
address.
Default This is disabled by default; the ACOS device sends gratuitous ARPs for
only the first IP address in a subnet VIP.
Example Send gratuitous ARPs for every IP address in the subnet virtual server:
ACOS(config)# slb template virtual-server vstempl1
ACOS(config-vserver)# subnet-gratuitous-arp
disable-when-all-ports-down
Description Disable virtual server when all member ports are down.
Chapter 21: Config Commands: SLB Servers
This section lists the commands and sub-commands to configure SLB servers.
These commands apply to real servers, not virtual servers, described in Config Commands:
SLB Virtual Servers.
To access this configuration level, enter the slb server server-name command at the global
Config level.
ACOS(config)# slb server s1
ACOS(config-real server)#
alternate
conn-limit
conn-resume
disable
disable-with-health-check
enable
extended-stats
external-ip
health-check
health-check-disable
ipv6
port
slow-start
spoofing-cache
support-http2
stats-data-disable
stats-data-enable
weight
alternate
Description Assign an alternate server as a dedicated backup for a primary
server.
Parameter Description
all partitions on the device. When the all-partition option is not specified,
the clear port action is effective only within the partition where it is
invoked.
Block merge and replace modes do not support the removal of ports
through this clear command. The system log provides a Warning
message when the clear slb unused-server-port command is not
successful.
Usage To clear the virtual-server information for a specific partition, use the par-
tition option; use partition shared for the shared partition, or par-
tition name, where name is a specific L3V partition.
Example The following command clears the virtual port DNS cache based on
FQDN:
ACOS(config)# clear slb virtual-server vip1 53 dns-udp dns-cache entry domain-name fqdn_domain foo.com
Example The following command clears the virtual port DNS cache for DNS type
ANY:
Example The following command clears the virtual port DNS cache for DNS class
66:
ACOS(config)# clear slb virtual-server vip1 53 dns-tcp dns-cache entry dns-class 66
conn-limit
Description Specify maximum number of concurrent connections allowed on a real
server.
Default 8000000
Usage If you set a connection limit, it is recommended that you also set the
conn-resume interval. (See conn-resume.)
You also can set the connection limit on individual protocol ports. In this
case, the limit specified for the port overrides the limit set at the server
level.
conn-resume
Description Specify the connection count at which the ACOS device resumes sending new connections to a server that was taken out of selection for reaching its conn-limit. Use of the server does not resume until the number of connections on it falls to the configured conn-resume value or lower.
Default By default, this option is not set. The ACOS device is allowed to start send-
ing new connection requests to the server when the number of con-
nections on the server falls below the connection limit threshold set by
conn-limit.
Usage You also can set the conn-resume value on individual protocol ports.
In this case, the value specified for the port overrides the value set at
the server level.
Example The following command sets the conn-resume option to 500,000 connections:
ACOS(config)# slb server rs123
ACOS(config-real server)# conn-resume 500000
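The limit/resume interaction described above, as a worked model (an added illustration in Python, not ACOS code): a real server with a small conn-limit and conn-resume, showing that once the limit is reached the server is skipped for new connections until its count drops to the conn-resume value (or, with conn-resume unset, below conn-limit), and that a port-level value overrides the server-level one. The server and port names and the tiny limits are made up so the behaviour is visible.

```python
"""Model of ACOS conn-limit / conn-resume hysteresis on a real server.

Added illustration, not ACOS code.  The small limits are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Port:
    number: int
    protocol: str = "tcp"
    conn_limit: Optional[int] = None     # None: inherit the server-level value
    conn_resume: Optional[int] = None    # None: inherit the server-level value
    current: int = 0                     # open connections on this port
    suspended: bool = False              # True once conn-limit was reached


@dataclass
class RealServer:
    name: str
    conn_limit: int = 8_000_000          # documented server-level default
    conn_resume: Optional[int] = None    # not set by default
    ports: Dict[int, Port] = field(default_factory=dict)

    def add_port(self, port: Port) -> None:
        self.ports[port.number] = port

    def _limit(self, p: Port) -> int:
        # a port-level conn-limit overrides the server-level one
        return p.conn_limit if p.conn_limit is not None else self.conn_limit

    def _resume_threshold(self, p: Port) -> int:
        resume = p.conn_resume if p.conn_resume is not None else self.conn_resume
        # conn-resume unset: use resumes as soon as the count is below the limit
        return resume if resume is not None else self._limit(p) - 1

    def eligible(self, port_no: int) -> bool:
        """Would ACOS currently hand a new connection to this port?"""
        return not self.ports[port_no].suspended

    def open_connection(self, port_no: int) -> bool:
        """Return True if the new connection is accepted for this port."""
        p = self.ports[port_no]
        if p.suspended:
            return False
        p.current += 1
        if p.current >= self._limit(p):
            p.suspended = True          # limit reached: stop selecting this port
        return True

    def close_connection(self, port_no: int) -> None:
        """Release one connection; resume selection once at/below conn-resume."""
        p = self.ports[port_no]
        p.current = max(0, p.current - 1)
        if p.suspended and p.current <= self._resume_threshold(p):
            p.suspended = False


def run_scenario(limit: int, resume: Optional[int], opens: int, closes: int) -> list:
    """Open `opens` connections, then close `closes`, recording
    (accepted, current count, eligible) after each step."""
    rs = RealServer("rs123", conn_limit=limit, conn_resume=resume)   # made-up name
    rs.add_port(Port(80))
    trace = []
    for _ in range(opens):
        trace.append((rs.open_connection(80), rs.ports[80].current, rs.eligible(80)))
    for _ in range(closes):
        rs.close_connection(80)
        trace.append((None, rs.ports[80].current, rs.eligible(80)))
    return trace
```

With conn-limit 3 and conn-resume 1, the third connection fills the server, the fourth is refused, and closing one connection (count 2) is not enough: the server is used again only once the count is down to 1. This gap between the two thresholds is what prevents a server from flapping in and out of selection right at its limit.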
disable
Description Disable a real server.
Default Enabled
disable-with-health-check
Description Disable a service-group member from normal server selection, but still
maintain the health of the server.
This feature is ideal if you periodically need to take active servers out of
service pools for maintenance, but this maintenance is done through a
remote client. The feature allows you to access these servers using the
This feature is available in ACOS 2.7.2-P2 and later, and ACOS 4.0.1 and
later.
Syntax disable-with-health-check
Usage In addition to real server configuration mode, this command is also available from the following modes:
• Real server port configuration (see port)
• Service-group member (see member)
Example This example configures health monitor “hm1” to use ICMP transparent
health method and apply the monitor to a TCP port on real server
“realserver1”. Disable-with-health-check is enabled at the SLB server
configuration level.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method icmp transparent 1.0.0.1
ACOS(config-health:monitor)# exit
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# disable-with-health-check
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check hm1
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member realserver1 80
ACOS(config-slb svc group-member:80)#
enable
Description Re-enable a real server.
Default Enabled
extended-stats
Description Enable collection of peak connection statistics for a server.
Default Disabled
external-ip
Description Assign an external Network Address Translation (NAT) IP address to
the server. The external IP address allows a server that has an
internal IP address to be reached from outside the internal network.
Default None
health-check
Description Enable health monitoring for a server.
Default ICMP ping (echo request), sent every 5 seconds. If the ping fails 4 times consecutively (first attempt followed by 3 retries), the ACOS device sets the server state to DOWN.
Usage Entering the command at this level enables Layer 3 health checking. The
monitor you specify must use the ICMP method.
Example The following command sets a server to use the “RUthere” health mon-
itor:
ACOS(config)# slb server rs123
ACOS(config-real server)# health-check RUthere
health-check-disable
Description Disable health monitoring of the server.
ipv6
Description Assign an IPv6 address to the real server for GSLB.
Default None
port
Description Configure a TCP or UDP port on a server.
This command changes the CLI to the configuration level for the
specified port, where the following port-related commands are available:
Default No ports are configured by default. The defaults for the command
options are described with the options, above. Statistical data collection
of load-balancing resources is enabled by default.
Usage Include the range option for each real server that will be included in
the service group, but only if you want that real server to be
included in the mapping feature. The service group can be “mixed”.
That is, some real servers within a service group can have the range
option set, but it is not mandatory for all servers in a service group to
be configured for “VIP to real port mapping”.
Example The following commands configure server “terap” and add TCP port 69 to
the server. The health-check command is not entered, so by default the
ACOS device will check the service port’s health by sending a connection
request to 69 on terap every 30 seconds.
ACOS(config)# slb server terap 10.2.4.69
ACOS(config-real server)# port 69 tcp
ACOS(config-real server-node port)#
Example The following commands bind the server-SSL template directly to TCP
port 80 on the real server at IP 10.8.8.8:
ACOS(config)# slb server rs88 10.8.8.8
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# template server-ssl
server-ssl1
Example The following example configures health monitor “hm1” to use the ICMP
transparent health method, and apply the monitor to a TCP port on real
server “realserver1”. The disable-with-health-check option is enabled
at the SLB server port configuration level.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method icmp transparent 1.0.0.1
ACOS(config-health:monitor)# exit
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check hm1
ACOS(config-real server-node port)# disable-with-health-check
ACOS(config-real server-node port)# exit
slow-start
Description Enable slow-start for a server. Slow start allows time for a server to ramp
up after the server is enabled or comes online, by temporarily limiting the
number of new connections on the server.
It is recommended to configure this feature in the real server template or
real port template instead. See the “Behavior When Slow Start Is Also
Configured on the Real Server Itself” section in the “Server and Port
Templates” chapter of the Application Delivery Controller Guide.
Default Disabled
spoofing-cache
Description Enable support for a spoofing cache server. A spoofing cache server
uses the client’s IP address instead of its own as the source address
when obtaining content requested by the client.
Default Disabled
Usage This command applies to the Transparent Cache Switching (TCS) fea-
ture. For more information about TCS, including additional configuration
requirements and examples, see the “Transparent Cache Switching”
chapter in the Application Delivery Controller Guide.
Example The following commands configure a real server for a spoofing cache
server:
ACOS(config)# slb server cache-rs 110.110.110.10
ACOS(config-real server)# spoofing-cache
ACOS(config-real server)# port 80 tcp
support-http2
Description Open the backend connection as HTTP/2 with prior knowledge, sending HTTP/2 frames directly without an HTTP/1.1 upgrade exchange.
Usage Configure this command on the real server only if the backend server is known to support HTTP/2 over cleartext (h2c); a server that does not will not understand the HTTP/2 connection preface.
If this is not configured, ACOS establishes the HTTP/2 connection by sending an HTTP/1.1 request that includes an Upgrade header field with the 'h2c' token.
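The two ways of opening the backend HTTP/2 connection, as an added Python illustration (not ACOS code): it builds the bytes of the prior-knowledge opening (the HTTP/2 connection preface followed by a SETTINGS frame, which is what a proxy sends when it skips the upgrade) and of the HTTP/1.1 request carrying Upgrade: h2c, and it classifies a captured opening so you can check from a backend packet capture which form a server actually received. The host, path and SETTINGS values are made up for the example.

```python
"""Prior-knowledge h2c opening versus HTTP/1.1 Upgrade: h2c opening.

Added illustration, not ACOS code.  Frame and header layouts follow
RFC 7540 sections 3.2 and 3.4; host, path and settings are made up.
"""
import base64
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # fixed HTTP/2 client preface
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4


def settings_payload(settings: dict) -> bytes:
    """Encode SETTINGS as 16-bit identifier / 32-bit value pairs."""
    return b"".join(struct.pack("!HI", ident, value) for ident, value in settings.items())


def settings_frame(settings: dict) -> bytes:
    """SETTINGS payload behind the 9-byte frame header: 24-bit length,
    type 0x4, flags 0, stream identifier 0."""
    payload = settings_payload(settings)
    header = struct.pack("!I", len(payload))[1:] + bytes([SETTINGS_FRAME_TYPE, 0]) + struct.pack("!I", 0)
    return header + payload


def prior_knowledge_opening(settings: dict) -> bytes:
    """What the backend sees with support-http2: preface, then SETTINGS,
    and no HTTP/1.1 request at all."""
    return PREFACE + settings_frame(settings)


def upgrade_opening(host: str, path: str, settings: dict) -> bytes:
    """What the backend sees without support-http2: an HTTP/1.1 request
    asking to upgrade.  HTTP2-Settings carries the SETTINGS payload as
    base64url without '=' padding."""
    token = base64.urlsafe_b64encode(settings_payload(settings)).rstrip(b"=").decode()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: Upgrade, HTTP2-Settings\r\n"
        "Upgrade: h2c\r\n"
        f"HTTP2-Settings: {token}\r\n"
        "\r\n"
    ).encode()


def classify_opening(data: bytes) -> str:
    """Classify the first bytes a backend received on a connection."""
    if data.startswith(PREFACE):
        return "h2c-prior-knowledge"
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if len(lines) > 1 and lines[0].endswith(b"HTTP/1.1"):
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip().lower()
        if headers.get(b"upgrade") == b"h2c" and b"upgrade" in headers.get(b"connection", b""):
            return "h2c-upgrade"
        return "http/1.1"
    return "unknown"
```

A backend that only speaks HTTP/1.1 answers the Upgrade form with an ordinary HTTP/1.1 response and ignores the upgrade, but the prior-knowledge form begins with "PRI * HTTP/2.0", which such a server will reject or misparse; the classifier is a quick way to confirm which opening reached the server when an h2c backend misbehaves.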
stats-data-disable
Description Disable collection of statistical data for the server.
Syntax stats-data-disable
stats-data-enable
Description Enable collection of statistical data for the server.
Syntax stats-data-enable
Usage To collect statistical data for a load-balancing resource, statistical data col-
lection also must be enabled globally. (See slb common.)
template server
Description Bind a real server template to the server.
Default The real server template named “default” is bound to servers by default.
The parameter settings in the default real server template are auto-
matically applied to the new server, unless you bind a different real server
template to the server.
Usage If a parameter is set individually on this server and also is set in a server
template bound to this server, the individual setting on this server is used
instead of the setting in the template.
To configure a real server template, see slb template server.
Example The following commands configure a real server template called “rs-tmplt1” and bind the template to two real servers:
ACOS(config)# slb template server rs-tmplt1
ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
ACOS(config-rserver)# exit
ACOS(config)# slb server rs1 10.1.1.99
ACOS(config-real server)# template server rs-tmplt1
ACOS(config-real server)# exit
ACOS(config)# slb server rs2 10.1.1.100
ACOS(config-real server)# template server rs-tmplt1
weight
Description Assign an administrative weight to the server, for weighted load bal-
ancing.
Replace num with the administrative weight assigned to the server. You
can specify 1-1000.
Default 1
Chapter 22: Config Commands: SLB Service Groups
This section lists the commands and sub-commands to configure SLB service groups.
To access this configuration level, enter the slb service-group command at the Global configuration level.
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)#
backup-server-event-log 518
extended-stats 519
health-check 520
health-check-disable 521
member 521
method 525
min-active-member 537
priority 539
priority-affinity 541
reset-on-server-selection-fail 542
sample-rsp-time 542
stats-data-disable 543
stats-data-enable 543
strict-select 543
template 544
traffic-replication-type 544
backup-server-event-log
Description Enable log messages to indicate when a backup service-group member
is placed into service or is removed from service.
Default Disabled
• slb server-conn-limit
• slb server-conn-resume
• slb service-conn-limit
• slb service-conn-resume
In the first message, the service group name is included. The service
group name is not included in the second message.
• If the primary server is a member of only one service group, or the ser-
vice group can otherwise be determined, the first message is used.
• If the primary server is a member of more than one service group,
and the service group can not be determined, the second message
is used.
extended-stats
Description Enable collection of peak connection statistics for a service group.
Default Disabled
health-check
Description Use a health monitor to check the health of all members of the service
group.
Default None
Usage The health monitor is used to test the health of all members of the service
group, including any members that are added in the future.
Service group health status applies only within the service group
context. Health checks of a port from different service groups can result
in different health status, depending on the resource requested by the
health check.
Health checks can be applied to the same resource (real server or port) at
the following levels:
• In a service group that contains the server and port as a member
• In a server or server port configuration template bound to the server
or port
• Directly on the individual server or port
In cases where health checks are applied at multiple levels, they have the
following priority:
1. Health check on real server
2. Health check on real server’s port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real
server, real server port, and service group members are marked Down.
However, if a health check on the service group level (3) fails, only that
service group member in that service group is marked Down.
health-check-disable
Description Disable health monitoring of the service group.
member
Description Add a server to a service group.
Default There are no servers in a service group by default. When you add a server
and port to the service group, the default state is enabled and the default
priority is 1. Statistical data collection of load-balancing resources is
enabled by default.
To configure a real port template, see slb template port.
Usage The normal form of this command adds a configured server to the service
group. The “no” form of this command removes the server from the
group.
If you disable or re-enable a port, the state change applies only to this
service group. The state of the port is unchanged in other service groups.
To collect statistical data for a load-balancing resource, statistical data
collection also must be enabled globally. (See slb common.)
Example The following commands add servers “s1” and “s2” to service group
“sgroup1”:
ACOS(config)# slb service-group sgroup1
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# exit
Example The following command adds a member server and port to a service
group and binds a real port template to the port:
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member rs1 80
ACOS(config-slb svc group-member:80)# template rptemplate1
Example The following example configures health monitor “hm1” to use the ICMP
transparent health method, and apply the monitor to a TCP port on real
server “realserver1”. Then, the disable-with-health-check option is
enabled at the service group member configuration level.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method icmp transparent 1.0.0.1
ACOS(config-health:monitor)# exit
ACOS(config)# slb server realserver1 10.1.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check hm1
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# member realserver1 80
ACOS(config-slb svc group-member:80)# disable-with-health-check
method
Description The method command is a service-group configuration mode command that specifies the load balancing method used to determine which server receives an inbound data flow (session). After a server is selected for a session, that server receives the packets of the session until the session times out; the timeout is the period during which the load balancer receives no packets of the session. The default timeout is 180 seconds.
A session is defined by its five-tuple: source IP address, source port, destination IP address, destination port, and protocol. Each selection method uses at least one of the following four data points:
• session packet contents (for example, source and destination IP address and port)
• load balancer configuration parameters (typically weight settings)
• health monitor packets received from member servers
• metrics maintained by the load balancer (such as the number of connections sent to each server)
• least-connection [pseudo-round-robin] – Selects the server that currently has the fewest connections.
Note:
  ◦ Each link can only be referenced by one tcp service-group and one udp service-group.
  ◦ When a node is bound to a link-cost service-group, it becomes a link cost node. It is not allowed to bind to another method type.
  ◦ A maximum of 16 nodes are allowed per service group.
  ◦ odd-even-hash – The hash value is the even-odd result of the sum of the source IP address octets.
• service-least-connection [pseudo-round-robin] – Selects the server port that currently has the fewest connections.
• weighted-least-connection [pseudo-round-robin] – Selects a server based on a combination of the server’s administratively assigned weight and the number of connections on the server. (To assign a weight to a server, see weight.)
• service-weighted-least-connection [pseudo-round-robin] – Same as weighted-least-connection, but per service. (To assign a weight to a service, see port. Use the weight option.)
• src-ip-hash – Calculates a hash value based on the source IP address and protocol port of the client’s request.
• stateless-per-pkt-round-robin – Balances server load by sending each packet to a different server, in rotation. This method is applicable only for UDP DNS traffic.
• stateless-src-ip-only-hash – Calculates a hash value based only on the source IP address of the request, and selects a server
• stateless-per-pkt-service-weighted-rr – Balances server load based on the weight of each service port, in rotation. This method is applicable only for traffic that uses a single packet for a request at the service port level.
auto-switch [options] – You can configure the following options for this feature.
The stateless-lb-method option specifies the stateless load-balancing method to use if the traffic reaches the configured threshold, and can be one of the following:
• stateless-dst-ip-hash
• stateless-per-pkt-round-robin
• stateless-src-dst-ip-hash
• stateless-src-dst-ip-only-hash
• stateless-src-ip-hash
• stateless-src-ip-only-hash
• stateless-per-pkt-weighted-rr
• stateless-per-pkt-service-weighted-rr
Usage The fastest-response method takes effect only if the traffic rate on
the servers is at least 5 connections per second (per server). If the
traffic rate is lower, the first server in the service group usually is
selected.
Stateless SLB
Stateless SLB conserves system resources by operating without session
table entries on the ACOS device. The stateless SLB methods are valid for
the following types of traffic:
• Traffic with very short-lived sessions, such as DNS
• Layer 2 Direct Server Return (DSR) traffic
• Other types of traffic that do not require features that use session-
table entries. (See list of limitations below.)
You can enable stateless SLB on an individual service-group basis, by
selecting a stateless SLB load-balancing method for the group.
Limitations
Stateless SLB is not valid for the following features or traffic types:
• Rate limiting
• ACLs
• IP source NAT
• Session synchronization
• Application Layer Gateway (ALG)
• Layer 3 DSR
• SLB-PT
• aFleX
• FWLB ALG
A given real server can be used in only one stateless SLB service group. A
real server that is in a stateless SLB service group cannot be used in any
other stateless service groups.
If the virtual port is on a wildcard VIP, destination NAT must be disabled
on the virtual port. To disable destination NAT, see no-dest-nat.
Graceful transitions between stateful and stateless SLB in a service
group are not supported.
Mega-proxies may interfere with equal balancing of traffic load among
the multiple data CPUs. In this case, for DNS traffic only, try using the
stateless-per-pkt-round-robin method.
Example The following commands configure stateless server load balance for
weighted round-robin method. This method is similar to stateless-per-
pkt-round-robin method and applicable only for traffic that uses a single
packet for a request on server and service port level.
Example The following example sets the load-balancing method for a service
group to least-connection:
ACOS(config)# slb service-group sg-lc1 tcp
ACOS(config-slb svc group)# method least-connection
Example The following commands configure a stateless SLB service group for
UDP traffic:
ACOS(config)# slb service-group dns-stateless udp
ACOS(config-slb svc group)# member dns1 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# member dns2 53
ACOS(config-slb svc group-member:53)# exit
ACOS(config-slb svc group)# method stateless-src-dst-ip-hash
Example The following commands configure a service group that uses the stateless-per-pkt-round-robin stateless load-balancing method. This method is used if the rate of new connection requests to the virtual port bound to the service group reaches 80,000 connections per second, and remains at least this high for 300 seconds.
ACOS(config)# slb service-group auto-stateless tcp
ACOS(config-slb svc group)# method weighted-rr auto-switch stateless-per-pkt-round-robin conn-rate 80000 300 60000 300 grace-period 15 log
min-active-member
Description Use backup servers even if some primary servers are still up.
Default By default, the servers with the highest priority value are the primary serv-
ers. All other servers are backups only, and are used only if all the primary
servers are unavailable.
When you use this command, the skip-pri-set option is disabled by
default.
Usage Primary and backup servers are designated based on member priority
(set with the member command). For example, if a service group contains
real servers with the following priority settings, real servers s1, s2, and s3
are the primary servers. Real servers s4 and s5 are backup servers.
• s1 – priority 16
• s2 – priority 16
• s3 – priority 16
• s4 – priority 8
• s5 – priority 8
When the minimum number of active members (primary servers) comes
back up, the ACOS device immediately returns to using only the primary
servers.
Example The following commands add members with different priorities to a service group, and configure the service group to begin using backup servers when the number of available primary servers falls below the configured minimum:
ACOS(config)# slb service-group sg-prom tcp
ACOS(config-slb svc group)# method least-connection
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s3 80
ACOS(config-slb svc group-member:80)# priority 16
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s4 80
ACOS(config-slb svc group-member:80)# priority 8
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s5 80
ACOS(config-slb svc group-member:80)# priority 8
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# min-active-member 1
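The health-check precedence given earlier in this chapter (server check, then port check, then service-group check), together with the priority, min-active-member and weighted-least-connection behaviour described in this chapter, as one worked model (an added Python illustration, not ACOS code). Two points are readings of the text rather than documented rules and are marked as such in the code: min-active-member is modelled as "if fewer than num highest-priority members are Up, also use the next priority level", and weighted-least-connection as "lowest connections-to-weight ratio, ties to the first configured member". All server names, priorities and weights are made up.

```python
"""Service-group member selection: health precedence, priority levels,
min-active-member and weighted-least-connection.

Added illustration, not ACOS code.  Names and numbers are made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Member:
    server: str
    port: int
    priority: int = 1        # member priority (default 1)
    weight: int = 1          # server weight (default 1)
    connections: int = 0


@dataclass
class HealthResults:
    """Failed health checks, keyed by the level the check was applied at."""
    servers: Set[str] = field(default_factory=set)                          # level 1
    ports: Set[Tuple[str, int]] = field(default_factory=set)                # level 2
    group_members: Set[Tuple[str, str, int]] = field(default_factory=set)   # level 3


def member_state(group: str, m: Member, h: HealthResults) -> str:
    """A failed server check takes every membership of the server down;
    a failed port check takes that port's memberships in all groups down;
    a failed service-group check takes down only that one membership."""
    if m.server in h.servers:
        return "Down(server)"
    if (m.server, m.port) in h.ports:
        return "Down(port)"
    if (group, m.server, m.port) in h.group_members:
        return "Down(service-group)"
    return "Up"


@dataclass
class ServiceGroup:
    name: str
    members: List[Member] = field(default_factory=list)
    min_active: int = 1      # min-active-member; 1 reproduces the default behaviour

    def candidates(self, h: HealthResults) -> List[Member]:
        """Up primaries; when fewer than min_active of them are Up, the Up
        members of the next priority level are added (assumed reading)."""
        up = [m for m in self.members if member_state(self.name, m, h) == "Up"]
        if not up:
            return []
        top = max(m.priority for m in self.members)     # configured primary level
        primaries = [m for m in up if m.priority == top]
        if len(primaries) >= self.min_active:
            return primaries
        lower = [m for m in up if m.priority < top]
        if not lower:
            return primaries
        next_level = max(m.priority for m in lower)
        return primaries + [m for m in lower if m.priority == next_level]

    def select(self, h: HealthResults) -> Optional[Member]:
        """weighted-least-connection, modelled as the lowest
        connections/weight ratio; min() keeps the first member on ties."""
        pool = self.candidates(h)
        if not pool:
            return None
        return min(pool, key=lambda m: m.connections / m.weight)

    def assign(self, h: HealthResults) -> Optional[str]:
        """Hand one new connection to the selected member; report who got it."""
        m = self.select(h)
        if m is None:
            return None
        m.connections += 1
        return f"{m.server}:{m.port}"
```

With the five members of the example above and min-active-member 1, losing s1 leaves s2 and s3 carrying all traffic; with min-active-member 3, losing any one primary brings s4 and s5 into rotation alongside the remaining primaries, which is the "use backups even if some primaries are still up" behaviour this command exists for.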
priority
Description Configure the ACOS device to respond to the failure of service-group
members of a certain priority by taking a designated action, such as drop-
ping the request or sending a TCP reset back to the client.
Default By default, the ACOS device will use the node(s) with the next-highest
priority if all nodes with the currently-selected priority fail.
Usage Use this feature to define specific actions that should occur when
higher-priority service-group members fail. By default, the ACOS device
uses the highest priority service-group members until they are no longer
available. When the higher-priority nodes fail, the device fails over to the
nodes with the next-highest priority.
This priority option enables you to tie actions (drop, reset, and others) to a
general failure, such as service group members becoming disabled or
failing a health check. Alternatively, actions can be tied to connection-
limits or connection-rate-limits being exceeded.
Configuring the "priority option" feature allows you to prevent lower-
priority servers, which are presumably less robust than higher-priority
servers, from being overwhelmed by a flood of traffic when a failover
occurs.
NOTE: The actions are mutually exclusive. Only one action can be con-
figured for each priority level.
The reset or drop actions can be triggered for the following reasons:
• If a health check fails
• If a user disables a server or port
• If another Load Balancing feature causes the currently-used priority
to become unavailable (for example, min-active-member feature)
• If a connection-limit or connection-rate-limit is exceeded
Example The following commands create the TCP service group “sg1” with several
servers with a priority of 10, and one server with a priority of 5. The com-
mands also assign the reset-if-exceed-limit action for members with
priority 10, and assign the drop action for members with priority 5.
ACOS(config)# slb service-group sg1 tcp
ACOS(config-slb svc group)# priority 10 reset-if-exceed-limit
ACOS(config-slb svc group)# priority 5 drop
ACOS(config-slb svc group)# member s1 80
ACOS(config-slb svc group-member:80)# priority 10
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s2 80
ACOS(config-slb svc group-member:80)# priority 10
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# member s3 80
priority-affinity
Description Configure the ACOS device to continue using backup servers (servers
with lower priority) even when the primary (high priority) servers
come back up.
The reset option resets the priority affinity feature so that the primary
servers can be used again.
Default Disabled.
By default, the ACOS device uses only the service-group members with
the highest priority. If all the highest-priority servers go down, the ACOS
device starts using the secondary (lower-priority) members. Also by
default, when one or more of the highest-priority servers comes back up,
the ACOS device returns to using only those highest-priority servers and
stops using the backup servers.
reset auto-switch
Description Reset load balancing from stateless back to the configured stateful
method.
Default N/A
Mode Configuration
Usage This command is operational only and does not affect the configuration.
The command is not saved in the startup-config.
reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.
Default Disabled
sample-rsp-time
Description View sample server response time information.
stats-data-disable
Description Disable collection of statistical data for the service group.
Syntax stats-data-disable
stats-data-enable
Description Enable collection of statistical data for the service group.
Syntax stats-data-enable
Usage To collect statistical data for a load-balancing resource, statistical data col-
lection also must be enabled globally. (See slb common.)
strict-select
Description ACOS load balancing methods are optimized for high performance, and this can leave server selection slightly uneven, so that some servers have more open connections than others. Enabling strict-select in the service-group configuration corrects this. For the Weighted Round-Robin method it guarantees an exact round-robin distribution; for the Least Connection and Service Least Connection methods it guarantees that each new connection goes to the server with the fewest connections, or the fewest service connections. Strict selection can be configured together with other load balancing methods, but it has no effect on them. Expect lower performance when strict selection is enabled, especially when ACOS is carrying a heavy traffic load.
Default Disabled.
template
Description Apply a server or port configuration template to a service group.
Syntax template {policy template-name | port template-name | server template-name}
Default The settings in the server or port template applied to the server or port are
used, unless overridden by settings in the individual server or port con-
figuration.
traffic-replication-type
Description Replicate or “mirror” traffic to one or more collector servers in a service
group using one of the traffic replication types.
Syntax traffic-replication-type {
mirror |
mirror-da-repl |
mirror-ip-repl |
mirror-sa-da-repl |
mirror-sa-repl
}
Parameter Description
Default Disabled
Usage Traffic replication intercepts traffic feeds, such as SNMP or Syslog packets, copies them to a buffer, and forwards duplicated packets to multiple collector servers, where data can be used to track users and devices. This is helpful for organizations needing Network Monitoring feeds replicated to multiple destinations.
When configuring the feature, after defining the VIP and setting up the real collector servers, configure a service group for the collector servers, add the real collector servers to the service group, and specify which traffic replication mode will be used.
Example The following commands configure a service group for the collector servers and add the real collector servers to the service group. Then, the commands specify that the mirror-da-repl traffic replication mode will be used to forward duplicated network monitoring traffic to the collector servers.
ACOS(config)# slb service-group SG-RS tcp
ACOS(config-slb svc group)# member RS1 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# member RS2 0
ACOS(config-slb svc group-member:0)# exit
ACOS(config-slb svc group)# traffic-replication-type mirror-da-repl
Chapter 23: Config Commands: SLB Virtual Servers
This section lists the commands and sub-commands to configure SLB virtual servers.
The commands in this section apply to virtual servers (also called “VIPs”), not to real servers.
To configure real servers, see Config Commands: SLB Servers.
To access this configuration level, enter the slb virtual-server command at the global Config level.
ACOS(config)# slb virtual-server VIP1 192.168.22.22
ACOS(config-slb vserver)#
To display configured virtual servers, use the show slb virtual-server ? command.
arp-disable 549
description 549
disable 549
disable-when-all-ports-down 550
disable-when-any-port-down 550
enable 551
extended-stats 551
port 551
redistribution-flagged 555
stats-data-disable 555
stats-data-enable 556
vrid 558
arp-disable
Description Disable ARP replies from a virtual server.
Usage Use this command if you do not want the ACOS device to reply to ARP
requests to the virtual server’s IP address. For example, you can use this
command to put a VIP out of service on one ACOS device and use that
device as a switch or router for another ACOS device providing SLB for
the VIP.
When you disable ARP replies for a VIP, redistribution of routes to the VIP
is automatically disabled.
description
Description Add a description to a VIP.
Default None
disable
Description Disable a virtual server.
disable-when-all-ports-down
Description Automatically disable the virtual server if all its service ports are down. If OSPF redistribution of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to disabling the virtual server.
Parameter Description
Default Enabled.
disable-when-any-port-down
Description Automatically disable the virtual server if any of its service ports is down. If OSPF redistribution of the VIP is enabled, the ACOS device also withdraws the route to the VIP in addition to disabling the virtual server.
Default Disabled.
enable
Description Enable a virtual server.
Default Enabled
extended-stats
Description Enable collection of peak connection statistics for a virtual server.
Default Disabled
port
Description Configure a virtual port on a virtual server.
Parameter Description
Default N/A
Usage The normal form of this command creates a new or edits an existing virtual port. The CLI changes to the configuration level for the virtual port. (See Config Commands: SLB Virtual Server Ports.)
The “no” form of this command removes the specified virtual port from
current virtual server.
The maximum number of virtual service ports allowed and the maximum
number per virtual server depend on the ACOS model.
The ACOS device allocates processing resources to HTTPS virtual ports
when you bind them to an SSL template. This results in increased CPU
utilization, regardless of whether traffic is active on the virtual port.
Fast-HTTP
Fast-HTTP is optimized for very high performance information
transfer in comparison to regular HTTP. Due to this optimization,
fast-HTTP does not support all the comprehensive capabilities of
HTTP such as header insertion and manipulation. It is recommended
not to use fast-HTTP for applications that require complete data
transfer integrity.
Packet Processing on HTTP Virtual Ports
Packets reaching a Layer 7 HTTP virtual port are processed in the following order of priority:
1. PBSLB (policy template) action drop/reset
2. PBSLB action service-group, in conjunction with PBSLB action.
3. Source-IP persistence template
4. Layer 4 aFleX policy (for example, CLIENT_ACCEPTED event)
Example The following example creates a new (or edits an existing) virtual port:
ACOS(config-slb vserver)# port 443 https
ACOS(config-slb vserver-vport)#
redistribution-flagged
Description Flag this VIP to selectively enable or disable redistribution of it by OSPF.
Usage Use this option if you want to redistribute only some of the VIPs rather
than all of them.
Selective VIP redistribution also requires configuration in OSPF. See the
description of the vip option of the redistribute command in the
“Config Commands: Router - OSPF” chapter in the Network
Configuration Guide.
stats-data-disable
Description Disable collection of statistical data for the virtual server.
Syntax stats-data-disable
stats-data-enable
Description Enable collection of statistical data for the virtual server.
Syntax stats-data-enable
Usage To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See slb common.)
template client-ssl
Description Bind a client-ssl template to the virtual server.
Default None
template logging
Description Bind a logging template to the virtual server.
Default None
template policy
Description Bind a PBSLB policy template to the virtual server.
Default None
Usage This command is applicable only for PBSLB policy templates configured for IP limiting. (See the Application Access Management and DDoS Mitigation Guide.)
template scaleout
Description Bind a Scale Out template to the virtual server.
More information about Scale Out is available in “Configuring Scale Out”
in the System Configuration and Administration Guide.
Default None
template server
Description Bind a real server template to the server.
Default The real server template named “default” is bound to servers by default.
The parameter settings in the default real server template are automatically applied to the new server, unless you bind a different real server template to the server.
Usage If a parameter is set individually on this server and also is set in a server
template bound to this server, the individual setting on this server is used
instead of the setting in the template.
To configure a real server template, see slb template server.
Example The following commands configure a real server template called “rs-tmplt1” and bind the template to two real servers:
ACOS(config)# slb template server rs-tmplt1
ACOS(config-rserver)# health-check ping2
ACOS(config-rserver)# conn-limit 500000
ACOS(config-rserver)# exit
ACOS(config)# slb server rs1 10.1.1.99
ACOS(config-real server)# template server rs-tmplt1
template virtual-server
Description Bind a virtual server template to the virtual server.
Default The virtual server template named “default” is bound to virtual servers by default. The parameter settings in the default virtual server template are automatically applied to the new virtual server, unless you bind a different virtual server template to the virtual server.
Usage If a parameter is set individually on this virtual server and also is set in a virtual server template bound to this virtual server, the individual setting on this virtual server is used instead of the setting in the template.
To configure a virtual server template, see slb template virtual-server.
Example The following commands configure a virtual server template called “vs-tmplt1” that sets ICMP rate limiting, and bind the template to a virtual server:
ACOS(config)# slb template virtual-server vs-tmplt1
ACOS(config-vserver)# icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.2
ACOS(config-slb vserver)# template virtual-server vs-tmplt1
vrid
Description Assign the virtual server to a VRRP-A VRID.
Use num to specify the VRID (1-31 in the shared partition, or 1-7 in an L3V
partition).
Chapter 24: Config Commands: SLB Virtual Server Ports
This section lists the commands and sub-commands to configure SLB virtual server ports.
To access this configuration level, enter the port command at the configuration level for a virtual server.
ACOS(config)# slb virtual-server VIP1 192.168.22.22
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)#
aaa-policy 561
access-list 561
aflex 563
aflex-table-entry-sync 564
alternate 564
attack-detection 565
bucket-count 566
clientip-sticky-nat 566
conn-limit 566
def-selection-if-pref-failed 568
def-selection-if-pref-failed-disable 569
disable 569
enable 569
extended-stats 570
force-routing-mode 570
ha-conn-mirror 570
ip-map-list 571
ipinip 572
message-switching 572
name 572
no-auto-up-on-aflex 572
no-dest-nat 573
optimization-level 574
rate-limit-pr-log 575
redirect-fwd 576
redirect-rev 576
redirect-to-https 577
reply-acme-challenge 577
reset-on-server-selection-fail 578
rtp-sip-call-id-match 578
service-group 579
skip-rev-hash 579
snat-on-vip 580
support-http2 585
stats-data-disable 586
stats-data-enable 586
syn-cookie 586
template 587
use-default-if-no-server 589
use-rcv-hop-for-resp 589
aaa-policy
Description Bind an AAM policy to the virtual port.
access-list
Description Apply an Access Control List (ACL) to a virtual server port.
Parameter Description
Default N/A
Usage The ACL must be configured before you can apply it to a virtual port. To configure an ACL, use the “access-list (standard)” or “access-list (extended)” commands, which are described in the “Command Line Interface Reference” document.
To permit or deny traffic on the virtual port, specify an ACL but do not
specify a NAT pool.
To configure policy-based source NAT, specify an ACL and a NAT pool.
Use an extended ACL. The source IP address must match on the client
address. The destination IP address must match on the real server
address. The action must be permit. The NAT pool is used only for traffic
that matches the ACL. This configuration allows the virtual port to have
multiple pools, and to select a pool based on the traffic.
Example The following commands configure a standard ACL to deny traffic from
subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on
virtual port 8080 on virtual server “slb1”:
ACOS(config)# access-list 99 deny 10.10.10.0 0.0.0.255
ACOS(config)# slb virtual-server vslb1
ACOS(config-slb vserver)# port 8080 http
ACOS(config-slb vserver-vport)# access-list 99
aflex
Description Apply an aFleX policy to a virtual port.
Default N/A
Usage The normal form of this command applies the specified aFleX policy to
the port. The no form of this command removes the aFleX policy from the
port. For more information about aFleX policies, see the aFleX Scripting
Language Reference.
Example The following command applies aFleX policy “aflex1” to a virtual port:
ACOS(config-slb vserver-vport)# aflex aflex1
aflex-table-entry-sync
Description Configure fast aFleX table synchronization for a virtual port. These aFleX tables are synchronized with the peer ACOS device via VRRP-A.
Parameter Description
Default Disabled
alternate
Description Enables switchover to another virtual port, based on specific conditions.
Parameter Description
attack-detection
Description Enable analytics and attack detection using ZBAR. This command helps identify volumetric and IoT DDoS attacks on the SLB virtual port and applies mitigation policies to preserve application responsiveness for the good actors. The bad sources are dropped or rate-limited based on their computed threat score.
Default N/A
Example The following command enables attack detection on the virtual port:
ACOS(config)# slb virtual-server vip1 12.12.12.203
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# attack-detection
bucket-count
Description Configure the number of traffic buckets used in a Scale Out configuration.
clientip-sticky-nat
Description Enables sticky-NAT to use the same source NAT IP address for a given client.
Default Disabled
Usage You can enable the clientip-sticky-nat feature on the individual virtual ports.
This option is not supported with the ip-rr (IP round-robin) and source-nat auto (smart NAT) options.
conn-limit
Description Set the connection limit for a virtual port.
Parameter Description
Default Not set. If you set a limit, the default action for any new connection request after the limit has been reached is to silently drop the connection, without sending a reset to the client. Logging is enabled by default.
Usage The normal form of this command changes the current port’s connection
limit.
The no form of this command resets the port connection limit to its
default value.
The connection limit puts a hard limit on the number of concurrent
connections supported by the port. No more connections will be put on
the port if its number of current connections is already equal to or bigger
than the limit.
If you change the connection limiting configuration on a virtual port or
virtual server that has active sessions, or in a virtual-port or virtual-server
template bound to the virtual server or virtual port, the current
connection counter for the virtual port or server in show command
output and in the GUI may become incorrect. To avoid this, do not
change the connection limiting configuration until the virtual server or
port does not have any active connections.
def-selection-if-pref-failed
Description Configure SLB to continue checking for an available server in other service groups if all of the servers are down in the first service group selected by SLB.
Syntax def-selection-if-pref-failed
Default Enabled
Usage During SLB selection of the preferred server to use for a client request,
SLB checks the following configuration areas, in the order listed:
1. Layer 3-4 configuration items:
• aFleX policies triggered by Layer 4 events
• Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it matches on IP addresses in black/white lists.
2. Layer 7 configuration items:
• Cookie switching
• aFleX policies triggered by Layer 7 events
• URL switching
• Host switching
3. Default service group. If none of the items above results in selection of a server, the default service group is used.
• In single service group configurations, this is the default service group.
• If the configuration uses multiple service groups, the default service group is the one that is used if none of the templates used by the configuration selects another service group instead.
For example, if a CLIENT_ACCEPTED event triggers an aFleX policy, the policy is consulted first. If an HTTP_REQUEST event triggers an aFleX policy, the policy is consulted only if none of the Layer 4 configuration items results in a server selection.
The first configuration area that matches the client or VIP (as applicable)
is used, and the client request is sent to a server in the service group that
is applicable to that configuration area. For example, if the client's IP
address is in a black/white list, the service group specified by the list is
used for the client request.
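The selection order and the def-selection-if-pref-failed fallback described above, modelled in Python as an added example (not ACOS code): the selector functions, service group names and addresses are constructed, and the order in which the other service groups are tried when the preferred group has no Up server is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]
# A configuration area: returns the name of the service group it selects, or None.
Selector = Callable[[Request], Optional[str]]


@dataclass
class Server:
    name: str
    up: bool = True


@dataclass
class ServiceGroup:
    name: str
    members: List[Server]
    cursor: int = 0

    def pick(self) -> Optional[Server]:
        """Round-robin over members that are Up; None when every member is down."""
        n = len(self.members)
        for k in range(n):
            s = self.members[(self.cursor + k) % n]
            if s.up:
                self.cursor = (self.cursor + k + 1) % n
                return s
        return None


def select_server(request: Request,
                  groups: Dict[str, ServiceGroup],
                  selectors: List[Selector],
                  default_group: str,
                  def_selection_if_pref_failed: bool = True,
                  ) -> Tuple[str, Optional[Server]]:
    """Return (service group used, server) for one client request.

    selectors are consulted in the page's order: Layer 3-4 items first
    (Layer 4 aFleX, PBSLB lists), then Layer 7 items (cookie switching,
    Layer 7 aFleX, URL and host switching). The first one that matches
    names the preferred group; with no match the default group is used.
    """
    preferred = default_group
    for sel in selectors:
        chosen = sel(request)
        if chosen is not None:
            preferred = chosen
            break
    server = groups[preferred].pick()
    if server is not None or not def_selection_if_pref_failed:
        # Option disabled: a preferred group with every server down means no server.
        return preferred, server
    # Option enabled: keep checking the other service groups (assumed config order).
    for name, grp in groups.items():
        if name != preferred:
            server = grp.pick()
            if server is not None:
                return name, server
    return preferred, None


# Constructed configuration: a PBSLB black list (Layer 3-4 item) and URL
# switching (Layer 7 item). Addresses and group names are made up.
QUARANTINE_SRC = {"203.0.113.9"}


def pbslb_blacklist(req: Request) -> Optional[str]:
    return "sg-quarantine" if req.get("src") in QUARANTINE_SRC else None


def url_switching(req: Request) -> Optional[str]:
    return "sg-api" if req.get("path", "").startswith("/api/") else None


SELECTORS: List[Selector] = [pbslb_blacklist, url_switching]


def build_groups(api_up: bool = True) -> Dict[str, ServiceGroup]:
    """Fresh service groups; api_up=False models the preferred group being down."""
    return {
        "sg-web": ServiceGroup("sg-web", [Server("web1"), Server("web2")]),
        "sg-api": ServiceGroup("sg-api", [Server("api1", api_up), Server("api2", api_up)]),
        "sg-quarantine": ServiceGroup("sg-quarantine", [Server("quarantine1")]),
    }
```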
def-selection-if-pref-failed-disable
Description Disable the def-selection-if-pref-failed option. (See “def-selection-if-pref-failed”.)
Syntax def-selection-if-pref-failed-disable
disable
Description Disable a virtual port.
Default Enabled
enable
Description Enable a virtual port.
Default Enabled
extended-stats
Description Enable collection of peak connection statistics for a virtual port.
Default Disabled
force-routing-mode
Description Disables destination NAT, so that server responses go directly to clients.
Default Disabled
ha-conn-mirror
Description Enable connection mirroring (session synchronization) for the virtual
port.
Parameter Description
Default Disabled.
ip-map-list
Description Applies an IP map list to the virtual port.
ipinip
Description Enables IP-in-IP tunneling. This option is available only on the following port types: TCP, UDP, RTSP, FTP, MMS, SIP, TFTP, and RADIUS.
message-switching
Description Enable message switching.
This causes messages to be forwarded in their entirety, one hop at a time.
Each message is treated as its own individual entity.
name
Description Change the name assigned to the virtual port.
Default The ACOS device assigns a name that uses the following format:
_vip-addr_service-type_portnum
no-auto-up-on-aflex
Description Disable automatic setting of an aFleX-bound virtual port’s state to Up.
Default Disabled. If an aFleX script is bound to the virtual port, the port is automatically marked Up.
Usage This command applies only if an aFleX script is bound to the virtual port.
no-dest-nat
Description Disable destination NAT.
For wildcard VIPs, the port-translation option enables the ACOS device to
translate the destination protocol port in a client request before sending
the request to a server.
This option is useful if the real port number on the server is different from
the virtual port number of the VIP. Without this option, the ACOS device
sends the request to the server without changing the destination port
number.
This option does not change the destination IP address of the request.
This option is supported only for virtual ports that are on wildcard VIPs.
Usage This option can be used for Direct Server Return (DSR) or for wildcard
VIPs.
For virtual servers that have a specific virtual IP address (VIP), disabling
destination NAT enables Direct Server Return (DSR). When DSR is
enabled, only the destination MAC address is translated from the VIP’s
MAC address to the real server’s MAC address. The destination IP address
is still the VIP.
In DSR topologies, reply traffic from the server to the client is expected to
bypass the ACOS device.
In the current release, for IPv4 VIPs, DSR is supported on virtual port
types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is
supported on virtual port types TCP, UDP, and RTSP.
Wildcard VIPs
For wildcard VIPs (VIPs that can have any IP address), this option enables
the ACOS device to send the client request to the server without
changing the destination IP address of the request.
The destination port of the request also is unchanged, unless you use the
port-translation option. (See above.)
optimization-level
Description Set the HTTP optimization level.
Parameter Description
0 No optimization
1 Optimization level 1
• aFleX
• Compression
• External service
• HA failover
• HTTP 1.0 traffic
• HTTP/2 traffic
• HTTP redirect
• HTTP retry
• HTTP policy template
• ICAP
• IP fragmentation
• Jumbo frames
• Policy-based load balancing
• RAM cache
• Scaleout
• SSL
• TCP-proxy templates
• Virtual-port templates
• WAF
Example This command configures an HTTP port to improve the performance for
HTTP traffic.
ACOS(config)# slb virtual-server vip2 1.1.1.101
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# optimization-level 1
rate-limit-pr-log
Description For Thunder integrations with the A10 Lightning Controller, this command configures the rate limit for Per Request logging. It prevents the Thunder devices from sending log messages to the Lightning Controller at a rate that would exceed the controller's capacity to accept them.
Default Disabled
redirect-fwd
Description In a single partition SSLi deployment, the forward direction steers layer 2
traffic from client to Internet on the specified interface.
Default Disabled
redirect-rev
Description In a single partition SSLi deployment, the reverse direction steers layer 2
traffic from Internet to client on the specified interface.
Default Disabled
Usage This is only supported under the wildcard VIP 0.0.0.0 for SSLi.
Example The following example shows the redirect-rev command to select the
reverse direction for steering the layer 2 traffic destined for the security
device from the Internet out Ethernet 5.
ACOS(config)# slb virtual-server outside1 0.0.0.0 acl 103
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# service-group sg_real_server_tcp
ACOS(config-slb vserver-vport)# no-dest-nat
ACOS(config-slb vserver-vport)# redirect-rev ethernet 5
redirect-to-https
Description Responds to client HTTP requests with an HTTP redirect response with
response code 302 (Moved Permanently). The client is redirected to the
same host and URI they requested, but using HTTPS instead of HTTP.
Default Disabled
reply-acme-challenge
Description Enable replying to the ACME http-01 challenge from the CA server. The challenge from the CA server arrives on the data port. This option only takes effect on HTTP port 80 and works on both the old and new proxy.
Since the CA server verifies whether the ACME client controls the domain, on the ACOS side the user must manually configure a reverse proxy. The domain to be verified is the certificate’s Common Name. For DNS mapping, the domain’s IP address is ACOS’s virtual IP address.
NOTE: If one domain maps to multiple IP addresses, then you must configure multiple VIPs and enable this option on all the HTTP virtual ports.
Default Disabled
reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.
Default Disabled
Usage The TCP template reset-rev option also can be used to send a RST to clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST in response to a server selection failure. In AX Release 2.2.2 and later, this is no longer true. The reset-on-server-selection-fail option must be used instead.
rtp-sip-call-id-match
Description Causes RTP traffic to try to match the real server of a SIP SMP call-id session.
This command is used in conjunction with the smp-call-id-rtp-session option under SIP template configuration (slb template sip (over UDP)), which creates a cross-CPU RTP session that can be matched by RTP traffic.
service-group
Description Bind a virtual port to a service group.
Default N/A
Usage The normal form of this command binds the virtual port to the specified
service group. The “no” form of this command removes the binding.
One virtual port can be associated with one service group only, while one service group can be associated with multiple virtual ports. The type of service group and type of virtual port should match. For example, a UDP service group cannot be bound to an HTTP virtual port.
skip-rev-hash
Description Do not insert the reverse tuple into the hash for lookup. This is used with aFleX and stateless load-balancing methods.
snat-on-vip
Description Enable IP NAT support for the virtual port.
Default Disabled
Usage Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration
level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP
source NAT is configured using an ACL on the virtual port, and the slb
snat-on-vip command is also used, then a pool assigned by the ACL is
used for traffic that is permitted by the ACL. For traffic that is not
permitted by the ACL, VIP source NAT can be used instead.
The device does not support source IP NAT on FTP or RTSP virtual ports.
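The source-NAT method ordering above, together with the wildcard-mask ACL matching that the access-list command's policy-based source NAT relies on, as an added Python model (not ACOS code). Pool names and addresses are constructed, the aFleX method is left out, and an implicit deny at the end of an ACL is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a wildcard mask (1 bits = don't care),
    the convention of "access-list 99 deny 10.10.10.0 0.0.0.255"."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str                          # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"                 # standard ACLs match the source only,
    dst_wild: str = "255.255.255.255"    # so the destination defaults to "any"

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wild)
                and wildcard_match(dst, self.dst, self.dst_wild))


def acl_verdict(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; no match is treated as deny (assumed
    implicit deny, the usual ACL semantics)."""
    for e in acl:
        if e.matches(src, dst):
            return e.action
    return "deny"


@dataclass
class VirtualPort:
    acl: List[AclEntry] = field(default_factory=list)
    acl_pool: Optional[str] = None         # access-list <n> with a NAT pool
    vip_snat_pool: Optional[str] = None    # global slb snat-on-vip pool
    source_nat_pool: Optional[str] = None  # source-nat pool on the port
    # Method 3 (aFleX) is left out: it needs a script, not a static table.


def select_snat(vp: VirtualPort, src: str, dst: str) -> Optional[str]:
    """Return the NAT pool used for a client flow, or None for no source NAT.

    Raises PermissionError when a filtering ACL (one with no pool) denies
    the flow. Methods are tried in the page's order: ACL-based NAT, VIP
    source NAT, (aFleX), then the non-ACL source-nat pool.
    """
    if vp.acl and vp.acl_pool is None:
        # ACL without a pool: plain permit/deny on the virtual port.
        if acl_verdict(vp.acl, src, dst) == "deny":
            raise PermissionError(f"{src} -> {dst} denied by ACL")
    elif vp.acl and acl_verdict(vp.acl, src, dst) == "permit":
        # Policy-based SNAT: the pool applies only to ACL-permitted traffic;
        # traffic the ACL does not permit falls through to VIP source NAT.
        return vp.acl_pool
    if vp.vip_snat_pool is not None:
        return vp.vip_snat_pool
    return vp.source_nat_pool
```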
source-nat auto
Description Configure Smart NAT, to automatically create NAT mappings using
the ACOS interface connected to the real server.
Parameter Description
Default Disabled
Usage If you do not use VRRP-A, 41K ports per interface IP address are used for
Smart NAT mappings. ACOS can use the same ACOS interface IP
address and port for more than one server connection. The combination
of ACOS IP address and port number (source) and server IP address and
port (destination) uniquely identifies each mapping.
Additional Notes
• Smart NAT applies only to ACOS devices deployed in route mode (“gateway” mode). The feature is not applicable to devices in transparent mode.
• Smart NAT uses all of the addresses if multiple addresses are configured.
• Smart NAT is not supported on SIP, SIP-TCP, or SIPS virtual ports.
• VRRP-A support:
  • Floating IP addresses that can be reached from the real servers are required.
  • Bind the service group to only a single virtual port. If this is not possible, ensure all virtual ports bound to the service group have the same VRID.
Example The following commands configure the VIP. Smart NAT with precedence
is enabled on each virtual port.
ACOS(config)# slb virtual-server vip1 160.160.160.150
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# source-nat auto precedence
ACOS(config-slb vserver-vport)# source-nat pool snat-pool1
ACOS(config-slb vserver)# port 21 ftp
ACOS(config-slb vserver-vport)# source-nat auto
ACOS(config-slb vserver-vport)# source-nat pool snat-pool1
Example The following commands configure the VIP. Smart NAT with IP-RR is
enabled on each virtual port.
ACOS(config)# interface ve 10
ACOS(config-if:ve:10)# ip address 10.211.1.1 255.255.255.0
ACOS(config-if:ve:10)# ip allow-promiscuous-vip
ACOS(config-if:ve:10)# ipv6 address 2000::10:211:1:1/112
ACOS(config-if:ve:10)# ipv6 enable
ACOS(config-if:ve:10)# exit
ACOS(config)# interface ve 20
ACOS(config-if:ve:20)# ip address 10.212.1.1 255.255.255.0
ACOS(config-if:ve:20)# ipv6 address 2000::10:212:1:1/112
ACOS(config-if:ve:20)# ipv6 enable
ACOS(config-if:ve:20)# exit
ACOS(config)# vrrp-a vrid 1
ACOS(config-vrid:1)# floating-ip 10.212.1.222
ACOS(config-vrid:1)# floating-ip 10.212.1.223
ACOS(config-vrid:1)# floating-ip 10.212.5.1
ACOS(config-vrid:1)# floating-ip 10.212.6.1
ACOS(config-vrid:1)# floating-ip 2000::10:212:1:131
ACOS(config-vrid:1)# floating-ip 2000::10:212:1:132
ACOS(config-vrid:1)# exit
ACOS(config)# slb server rs 10.212.1.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb server rs6 2000::10:212:1:2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group sg-tcp tcp
ACOS(config-slb svc group)# member rs 80
ACOS(config-slb svc group-member:80)# exit
ACOS(config-slb svc group)# exit
Example 1: The floating IP and IP nat pool are configured using the same
IP address. The IP nat pool is bound to the virtual port. In this case, the
source-nat auto configuration is not supported.
....
ACOS(config)# ip nat pool pool1 10.212.1.222 10.212.1.222 netmask /32
ACOS(config)# vrrp-a vrid 1
ACOS(config-vrid:1)# floating-ip 10.212.1.222
....
ACOS(config)# slb virtual-server vs 10.212.1.20
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# service-group sg-tcp
ACOS(config-slb vserver-vport)# source-nat pool pool1
ACOS(config-slb vserver-vport)# exit
....
source-nat pool
Description Enable source NAT. Source NAT is required if the real servers are in a different subnet than the VIP.
This command is not applicable to the MMS or RTSP service types.
Default Disabled.
Usage This command enables source NAT using a single NAT pool or pool group,
for all source addresses. If you want the ACOS device to select from
Example The following example enables source NAT for the virtual port:
ACOS(config-slb vserver-vport)# source-nat pool pool2
source-nat use-cgnv6
Description Follow CGNv6 source NAT configuration.
Default None
Example The following example enables source NAT for the virtual port:
ACOS(config-slb vserver-vport)# source-nat use-cgnv6
support-http2
Description Enable HTTP/2 support.
stats-data-disable
Description Disable collection of statistical data for the virtual port.
Syntax stats-data-disable
stats-data-enable
Description Enable collection of statistical data for the virtual port.
Syntax stats-data-enable
Usage To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See “slb resource-usage” on page 497.)
syn-cookie
Description Enable software-based SYN cookies for a virtual port. SYN cookies
provide protection against TCP SYN flood attacks.
• Timestamp for the RTTM (Round Trip Time Measurement) and PAWS (Protect Against Wrapped Sequences) mechanisms.
For a detailed description of these options, see RFC 1323 (TCP Extensions for High Performance).
Default Disabled.
Usage For software-based SYN cookies, the ACOS device bases the maximum segment size (MSS) setting on the server replies to the TCP health checks it sends to the servers. The MSS used is the lowest MSS value supported by any of the servers in the service group.
For hardware-based SYN cookies, see the syn-cookie global configuration command in the Command Line Interface Reference guide. If hardware-based SYN cookies are enabled, software-based SYN cookies are not needed and are not used.
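The following Python model is added here as an illustration and is not part of ACOS or of this reference. It shows what a software SYN cookie has to encode and why the MSS must be settled in advance: the cookie is the server's initial sequence number, carrying a time slot, a 3-bit index into a small MSS table and a keyed hash of the connection 4-tuple, so the device keeps no per-SYN state and rebuilds the MSS when the client's ACK arrives. The MSS table, the 64-second slot, the key and the addresses are constructed assumptions; a None result from check_syn_cookie is the situation the SLB show counters report as "SYN cookie chk fail".

```python
import hashlib

# Constructed values for this illustration (not ACOS's tables or timings).
MSS_TABLE = (536, 1300, 1440, 1460)   # 3-bit index -> MSS advertised back
COOKIE_PERIOD = 64                    # seconds per time slot
MAX_AGE_SLOTS = 1                     # accept current or previous slot only


def service_group_mss(server_mss_values):
    """The MSS to encode: the lowest MSS supported by any server in the group
    (the reference says the device learns these from replies to TCP health checks)."""
    return min(server_mss_values)


def mss_index(mss):
    """Index of the largest MSS_TABLE entry <= mss; falls back to the smallest."""
    best = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            best = i
    return best


def _hash24(key, saddr, daddr, sport, dport, slot):
    """Keyed 24-bit hash (BLAKE2b MAC) over the 4-tuple and the time slot."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{slot}".encode()
    return int.from_bytes(hashlib.blake2b(msg, key=key, digest_size=3).digest(), "big")


def make_syn_cookie(key, saddr, daddr, sport, dport, client_isn, mss, now):
    """Build the 32-bit server ISN sent in the SYN-ACK. Nothing is stored:
    the slot, MSS index and hash are all recoverable from the cookie itself."""
    slot = int(now // COOKIE_PERIOD) & 0x1F
    h = _hash24(key, saddr, daddr, sport, dport, slot)
    low = (h + client_isn) & 0xFFFFFF
    return (slot << 27) | (mss_index(mss) << 24) | low


def check_syn_cookie(key, saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate the cookie echoed in the client's ACK (ack number - 1).
    Returns the MSS to use for the connection, or None when the cookie is
    stale or its hash does not match (a 'SYN cookie chk fail')."""
    slot = (cookie >> 27) & 0x1F
    current = int(now // COOKIE_PERIOD) & 0x1F
    if (current - slot) & 0x1F > MAX_AGE_SLOTS:
        return None
    expected = _hash24(key, saddr, daddr, sport, dport, slot)
    if ((cookie & 0xFFFFFF) - client_isn) & 0xFFFFFF != expected:
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]
```

Because only three bits carry the MSS, the encoded value is rounded down to a table entry; that is why the device picks the lowest MSS across the service group rather than per-server values.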
template
Description Apply an SLB configuration template to a virtual port.
Parameter Description
• dns
• dynamic-service
• virtual-port
Default If the ACOS device has a default template that is applicable to the service
type, the default template is automatically applied. The ACOS device has
a default virtual-port template, which is applied to a virtual port when you
create it.
Usage The normal form of this command applies the specified template to the
virtual port. The no form of this command removes the template from the
virtual port but does not delete the template itself.
A virtual port can be associated with only one template of a given type.
However, the same template can be associated with more than one
virtual port. To bind a virtual-port template to the port, see “template
virtual-port” on page 1.
template virtual-port
Description Bind a virtual service port template to the virtual port.
Default The virtual port template of “default” is bound to virtual ports by default.
Parameter settings in this default template are automatically applied to
the new virtual port, until a different virtual port template is bound to the
virtual port.
Usage If a parameter is set individually on this virtual port and also is set in a virtual port template bound to this virtual port, the individual setting on this port is used instead of the setting in the template.
To configure a virtual port template, see “slb template virtual-port” on
page 603.
Example These commands configure a virtual service port template named “common-vpsettings”, set the connection limit, and bind the template to a virtual port:
ACOS(config)# slb template virtual-port common-vpsettings
ACOS(config-vport)# conn-limit 500000
ACOS(config-vport)# exit
ACOS(config)# slb virtual-server vip1 10.10.10.99
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template virtual-port common-vpsettings
use-default-if-no-server
Description Forward client traffic at Layer 3, if SLB server selection fails.
Usage This command applies only to wildcard VIPs (VIP address 0.0.0.0).
use-rcv-hop-for-resp
Description Force the ACOS device to send replies to clients back through the last
hop on which the request for the virtual port's service was received.
Default Disabled.
Usage For simple protocols, load balancing across a firewall is relatively easy. However, load balancing Application Layer Gateway (ALG) protocols, such as SIP and FTP, which have multiple connections that can originate from either side of the firewall deployment, can be more challenging. The lack of predictability that occurs with ALG protocols can cause the protocol’s control connection and data connection to be sent to different firewalls, thus causing the application to break.
The ACOS device uses use-rcv-hop-for-resp and sub-options to load balance ALG protocols through a firewall deployment consisting of paired firewalls.
For more information, refer to the “ALG Protocol FWLB Support for FTP and SIP” chapter in the Application Delivery Controller Guide.
To enable selection of an alternative next-hop IP address when one of the firewall or router devices fails, use the use-rcv-hop-for-resp command with the use-rcv-hop-group and server-group options.
The following example configures use-rcv-hop-for-resp before use-rcv-hop-group and server-group. These options should contain a list of valid firewall or router IP addresses.
ACOS(config)# slb virtual-server to-vpn
ACOS(config-slb vserver)# port 0 tcp
ACOS(config-slb vserver-vport)# use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)# use-rcv-hop-group server-group to-vpn
ACOS(config-slb vserver-vport)# no-dest-nat
Chapter 25: Config Commands: Health Monitors
This section lists the commands and sub-commands to configure SLB health monitors. The sub-commands are entered in health monitor configuration mode, which is reached from Global Configuration mode by entering the health monitor command (the health external command itself is entered at Global Configuration mode):
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)#
For more information about health monitors, see the “Health Monitoring” section of the Application Delivery Controller Guide.
disable-after-down 594
dsr-l2-strict 594
interval 596
method 596
override-ipv4 619
override-ipv6 620
override-port 620
passive 621
retry 623
ssl-ciphers 623
ssl-ticket 624
ssl-version 625
strictly-retry-on-server-error-response 626
up-retry 626
disable-after-down
Description Disable the target of a health check if the target fails the health check.
The server, port, or service group remains disabled until explicitly
enabled.
Default Disabled
Usage This command applies to servers, ports, or service groups using the health monitor. When a server, port, or service group is disabled based on this command, the server, port, or service group state is changed to disable in the running-config. If you save the configuration while the server, port, or service group is disabled, the state change is written to the startup-config.
dsr-l2-strict
Description In Layer 2 DSR environments, this option ensures health check packets are only sent to servers in the same Layer 2 network as the ACOS device. The health monitor marks servers that are not in the same Layer 2 network as DOWN.
Default Disabled
health external
Description File commands that create, edit, and manage external health monitor
scripts.
Creating, editing, and deleting external health monitor scripts is only
supported for administrative users provisioned with health monitor (hm)
privilege. If these operations fail due to insufficient privilege, contact your
ACOS root administrator.
For more information and script examples, see the Application Delivery
Controller Guide (Using External Health Methods section) and the
Management Access and Security Guide.
Security Notes
Parameter Description
copy src-file dest-file Copy the src-file script into the dest-file script.
Example This command creates an external health monitor script named hm-ex_1, adds a single line of code, then saves the file and exits the editor.
ACOS(config)# health external create hm-ex_1
Type in your Health External Script (type . on a line by itself when done)
set an_connected -1
.
Done
ACOS(config)#
interval
Description Number of seconds between health check attempts, 1-180 seconds. A health check attempt consists of the ACOS device sending a packet to the server. The packet type and payload depend on the health monitor type. For example, an HTTP health monitor might send an HTTP GET request packet.
method
Description Configure a health method.
Parameter Description
db-name name
query-options
send query
Parameter Description
receive expected-reply
Parameter Description
maintenance-code code-list
Parameter Description
port port-num
url string
• GET url-path
• HEAD url-path
• POST url-path postdata string
username name
Parameter Description
disable-sslv2hello
expect-cert-name <cert_name>
Parameter Description
• expect-response-code 100,101,121,200
• expect-response-code 100-121,200
• expect-response-code any
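As an added illustration (not ACOS code), the following Python class parses the three expect-response-code forms shown above, a comma-separated list, inclusive ranges and any, into a matcher that can be applied to the status code of a probe reply. The class name and the 100-599 validity bounds are this example's assumptions.

```python
import re


class ResponseCodeMatcher:
    """Matcher for the expect-response-code syntax: 'any', a comma-separated
    list of three-digit codes, or inclusive ranges such as 100-121, mixed
    freely (e.g. '100-121,200')."""

    def __init__(self, spec):
        self.spec = spec.strip()
        # None means 'any': every syntactically valid status code passes.
        self.codes = None if self.spec.lower() == "any" else self._parse(self.spec)

    @staticmethod
    def _parse(spec):
        codes = set()
        for part in spec.split(","):
            part = part.strip()
            m = re.fullmatch(r"(\d{3})(?:-(\d{3}))?", part)
            if not m:
                raise ValueError(f"bad expect-response-code element: {part!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            # Assumed bounds: HTTP status codes are 100-599, and a range
            # must run low-to-high.
            if not (100 <= lo <= hi <= 599):
                raise ValueError(f"range out of order or out of bounds: {part!r}")
            codes.update(range(lo, hi + 1))
        return frozenset(codes)

    def matches(self, code):
        """True when the probed server's status code satisfies the spec."""
        if self.codes is None:
            return 100 <= code <= 599
        return code in self.codes
```

Note that any accepts 5xx codes as well, so a backend answering 503 still passes the check; an explicit list such as 200,301,302 is the better choice when the aim is to detect a failing application rather than one that is merely reachable.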
Default The configuration has a default “ping” health monitor that uses the icmp
method. The ACOS device applies the ping monitor by default. The ACOS
device also applies the TCP or UDP health monitor by default, depending
on the port type. These default monitors are used even if you also apply
configured monitors to a service port.
To use differently configured ping or TCP/UDP monitors, configure new
monitors with the ICMP, TCP, or UDP method and apply those monitors
instead.
When specifying a protocol port number, specify the port number on the real server, not the port number of the virtual port. By default, the well-known port number for the service type of the health monitor is used. For example, for LDAP, the default port is 389 (or 636 if the overssl option is used).
If you specify the protocol port number in the health monitor, that port number is used when you send an on-demand health check to a server without specifying the protocol port. (See the “health-test” command in the Command Line Interface Reference.) After you bind the health monitor to a real server port, health checks using the monitor are addressed to the real server port number instead of the port number specified in the health monitor’s configuration. In this case, you can override the IP address or port using the override commands described later in this chapter.
Example These commands apply health monitor “ping” to server “rs0”. The ping
monitor is included in the ACOS device’s configuration by default and
does not need to be configured.
ACOS(config)# slb server rs0 10.2.3.4
ACOS(config-real server)# health-check ping
Example The following commands configure health monitor “hm1” to use the TCP
health method, and apply the monitor to a TCP port on real server “rs1”.
The TCP health checks are sent to TCP port 23 on the server.
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method tcp port 23
ACOS(config-health:monitor)# exit
ACOS(config)# slb server rs1 1.1.1.1
ACOS(config-real server)# port 23 TCP
ACOS(config-real server-node port)# health-check hm1
Example The following commands configure health monitor “hm2” and set it to
use the HTTP method. The health monitor is applied to port 80 on real
server “rs1”.
ACOS(config)# health monitor hm2
ACOS(config-health:monitor)# method http
ACOS(config-health:monitor)# exit
ACOS(config)# slb server rs1 2.2.2.2
ACOS(config-real server)# port 80 http
Example These commands configure a TCP health monitor that sends an HTTP
GET request to TCP port 80, and expects the string “200” to be present in
the reply:
ACOS(config)# health monitor tcp-with-http-get
ACOS(config-health:monitor)# method tcp port 80 send "GET / HTTP/1.1\r\nHost: 22.1.2.2\r\nUser-Agent: a10\r\nAccept: */*\r\n\r\n" response contains 200
This health monitor sends an HTTP GET request to TCP port 80 on the
target server. This particular request uses the following header fields:
• Host – Specifies the host (server) to which the request is being sent.
• User-Agent – Identifies the entity (user agent) that is sending the
request. In this example, the sending entity is “a10”.
• Accept – Specifies the types of media that are allowed in the
response. This example uses wildcards (*/*) to indicate that any
valid media type and range are acceptable.
If the string “200” is present anywhere in the reply from the port, the port
passes the health check.
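To show what the TCP send / response contains probe above actually tests, here is a Python example (added here; it is not ACOS code) that sends the same request shape to a small constructed HTTP server on the loopback address and then applies the substring check. The server, its two paths and the port are constructed for the example. The /broken path returns a 500 whose body happens to contain the digits 200, which is the caveat of matching the string anywhere in the reply; status_line_is is the alternative that looks only at the status line.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed target: '/' answers 200; anything else answers 500 with a
    body that contains the digits '200' (an error counter, for instance)."""

    def do_GET(self):
        if self.path == "/":
            code, body = 200, b"OK\n"
        else:
            code, body = 500, b"backend error: 200 queued jobs failed\n"
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Serve on an ephemeral loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def http_get_probe(path, host):
    """Raw request bytes in the same shape as the reference's send string."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: a10\r\n"
            f"Accept: */*\r\n\r\n").encode()


def tcp_send(host, port, payload, timeout=3.0):
    """Connect, send the payload, and collect the reply until the server
    closes the connection or the timeout expires."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def response_contains(reply, needle):
    """The 'response contains' test: substring match anywhere in the reply."""
    return needle.encode() in reply


def status_line_is(reply, code):
    """Stricter alternative: compare the status code in the first line only."""
    first = reply.split(b"\r\n", 1)[0].split(b" ")
    return len(first) >= 2 and first[1].isdigit() and int(first[1]) == code


def run_demo():
    """Probe both paths and report what each check concludes."""
    srv, port = start_demo_server()
    try:
        ok = tcp_send("127.0.0.1", port, http_get_probe("/", "127.0.0.1"))
        bad = tcp_send("127.0.0.1", port, http_get_probe("/broken", "127.0.0.1"))
    finally:
        srv.shutdown()
        srv.server_close()
    return {
        "root_contains_200": response_contains(ok, "200"),
        "root_status_200": status_line_is(ok, 200),
        "broken_contains_200": response_contains(bad, "200"),
        "broken_status_200": status_line_is(bad, 200),
    }
```

The demo server answers with HTTP/1.0 and closes after one response, so the read loop ends on EOF; against a keep-alive server the timeout ends it instead, which is also why a health-check interval must leave room for the probe's own timeout.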
• Perl
• Shell
• TCL
Utility commands such as ping, ping6, wget, dig, and so on are
supported.
For Tcl scripts, the health check parameters are transmitted to the script through the predefined TCL array ax_env. The array variable ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the server port number. Set ax_env(Result) to 0 for pass; any other value is treated as fail. TCL script filenames must use the “.tcl” extension.
To use the external method, import the program onto the ACOS device. The script execution result indicates server status, which is stored in ax_env(Result).
The following commands import external program “ext.tcl” from FTP server 192.168.0.1, and configure external health method “hm3” to use the imported program to check the health of port 80 on the real server:
ACOS(config)# health external import "checking HTTP server" ftp://192.168.0.1/ext.tcl
ACOS(config)# health monitor hm3
ACOS(config-health:monitor)# method external port 80 program ext.tcl
The sni option specifies the hostname (Server Name Indication) sent on the client connection. For example:
ACOS(config-health:monitor)# method https sni host a10networks.com expect-cert-name aa
For additional information and more examples, see the “External Health
Method Examples” section in the “Health Monitoring” chapter of the
Application Delivery Controller Guide.
Example The following commands configure a DNS health monitor that expects ipv4-addr as the answer to a type A resolution from a server:
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method dns domain a10networks.com expect ipv4-addr 10.2.1.12
Example The following commands configure a DNS health monitor that expects an FQDN as the answer to an IPv6 reverse resolution from a server:
ACOS(config)# health monitor hm1
ACOS(config-health:monitor)# method dns ipaddress <ipv6 address> expect FQDN <fqdn>
override-ipv4
Description Send the health check to a specific IPv4 address, instead of sending the
health check to the IP address of the real server or GSLB service IP to
which the health monitor is bound. This command and the other override
commands are particularly useful for testing the health of remote links.
override-ipv6
Description Send the health check to a specific IPv6 address, instead of sending the health check to the IP address of the real server to which the health monitor is bound.
override-port
Description Send the health check to a specific protocol port, instead of sending the
health check to the server port to which the health monitor is bound.
passive
Description Configures inband health monitoring based on HTTP status code.
Example The following commands create a new health monitor, and enable passive health-monitoring mode:
ACOS(config)# health monitor http-passive
ACOS(config-health:monitor)# passive status-code-2xx
retry
Description Maximum number of times ACOS will send the same health check to
an unresponsive server before determining that the server is down.
You can specify 1-10.
Default 3
ssl-ciphers
Description Specify the ciphers to use in the health check of a real server or real
server port.
Example Configure a health monitor to use the default OpenSSL Project cipher
suite with the exclusion of EDH ciphers.
ACOS(config)# health monitor hm-https
ACOS(config-health:monitor)# ssl-ciphers DEFAULT:!EDH
ACOS(config-health:monitor)# method https
Example Bind the hm-https health monitor to the s1 real server on its 1.1.1.1 network interface.
ACOS(config)# slb server s1 1.1.1.1
ACOS(config-real server)# health-check hm-https
ACOS(config-real server)# end
Example Bind the hm-https health monitor to the TCP port 80 of the s1 real server on its 1.1.1.2 network interface. Also apply the Server_SSL1 server-SSL template to the same port.
ssl-ticket
Description Enable SSL ticket session resumption for HTTPS health monitor method.
Example The following command enables ssl-ticket for HTTPS health monitor
method.
ACOS(config)# health monitor hm-https
ACOS(config-health:monitor)# ssl-ticket
ACOS(config-health:monitor)# method https
ssl-ticket lifetime
Description Specify number of seconds the ticket will be valid from time of creation.
Update the HTTPS method to leverage session ticket when doing SSL
handshake.
ssl-version
Description Specify the preferred SSL version to be used with HTTPS health monitor
method for negotiation.
Parameter Description
31 SSL/TLS v1.0.
32 SSL/TLS v1.1.
33 SSL/TLS v1.2.
34 SSL/TLS v1.3.
Usage The first ssl-version number is the preferred SSL version and the second ssl-version number is for downgrading the SSL version.
• If you want to downgrade the SSL version, then specify the minimum SSL version to which a session can be downgraded. For example, ssl-version 34 31.
strictly-retry-on-server-error-response
Description Force the ACOS device to wait until all retries are unsuccessful
before marking a server or port Down.
Default Disabled. For some health method types, the ACOS device marks the
server or port Down after the first failed health check attempt, even if the
retries option for the health monitor is set to higher than 0.
Usage This command applies to all types of health monitors. However, consider an HTTP health monitor that expects a string in the server reply: if the string is missing, the port is marked Down on the ACOS device. By default, if the server’s HTTP port does not reply to the first health check attempt with the expected string, the ACOS device immediately marks the port Down.
Example The following commands configure an HTTP health monitor that checks for the presence of “testpage.html”, and enable strict retries for the monitor.
ACOS(config)# health monitor http-exhaust
ACOS(config-health:monitor)# method http url GET /testpage.html
ACOS(config-health:monitor)# strictly-retry-on-server-error-response
up-retry
Description Number of consecutive times the device must pass the same periodic
health check, in order to be marked Up. You can specify 1-10.
Default 1
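The interplay of retry, up-retry and strictly-retry-on-server-error-response is easiest to see in a small state model. The following Python class is an illustration added here and is not ACOS's implementation; the rules it encodes (a target starts Up, Down is declared after retry consecutive failed attempts, a reply that fails the check marks Down at once unless strict retry is on, and up-retry consecutive passes bring a Down target back) are this example's reading of the descriptions above, and the result names pass, timeout and error are its own.

```python
class HealthState:
    """Up/Down tracking for one monitored target.

    Assumptions of this model (not ACOS code):
    - the target starts Up;
    - 'timeout' is an attempt that got no reply (an unresponsive server);
    - 'error' is an attempt that got a reply which failed the check, such as
      an HTTP reply without the expected string;
    - Down is declared after `retry` consecutive failed attempts, except that
      with strict_retry off a single 'error' marks Down immediately;
    - a Down target returns to Up after `up_retry` consecutive passes.
    """

    def __init__(self, retry=3, up_retry=1, strict_retry=False):
        if not (1 <= retry <= 10 and 1 <= up_retry <= 10):
            raise ValueError("retry and up-retry accept 1-10")
        self.retry = retry
        self.up_retry = up_retry
        self.strict_retry = strict_retry
        self.state = "Up"
        self.fail_streak = 0
        self.pass_streak = 0
        self.transitions = []  # states entered, in order, for the log

    def observe(self, result):
        """Feed one attempt result ('pass', 'timeout' or 'error'); return state."""
        if result == "pass":
            self.fail_streak = 0
            self.pass_streak += 1
            if self.state == "Down" and self.pass_streak >= self.up_retry:
                self._enter("Up")
        elif result in ("timeout", "error"):
            self.pass_streak = 0
            self.fail_streak += 1
            immediate = result == "error" and not self.strict_retry
            if self.state == "Up" and (immediate or self.fail_streak >= self.retry):
                self._enter("Down")
        else:
            raise ValueError(f"unknown result {result!r}")
        return self.state

    def _enter(self, new_state):
        self.state = new_state
        self.fail_streak = 0
        self.pass_streak = 0
        self.transitions.append(new_state)


def replay(results, **settings):
    """Run a sequence of attempt results and return the state after each."""
    monitor = HealthState(**settings)
    return [monitor.observe(r) for r in results]
```

Replaying a short history shows why strict retry matters for HTTP string checks: a single transient error reply flaps the target Down under the default, while with strict retry on the same target survives until the retry budget is exhausted.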
Chapter 26: Config Commands: Web Category
This section lists the commands and sub-commands to configure Web Category classification.
web-category 630
web-category
Description Configure the operation of web category classification.
This command changes the CLI to configuration level for Web Category
classification, where the following commands are available:
Command Description
Default: database.brightcloud.com
Command Description
Disabled by default.
Default is 80.
Command Description
Default: service.brightcloud.com
Default is 15 seconds.
Default is 443.
Command Description
hostID
port-num
Command Description
port-num
proxy-auth-username
proxy-auth-password
Command Description
basic
Default N/A
Example Configure the web-category list Mail_Categories, then apply that list to
the configuration of the forward-policy source list Any_Source. Any
request whose destination is in the Web_Mail_List web-category-list is
forwarded.
ACOS(config)# web-category
ACOS(config-web-category)# enable
Please check the show log output for Web category enable status
ACOS(config-web-category)# category-list Web_Mail_List
ACOS(config-web-category-category-list)# web-based-email
ACOS(config-web-category-category-list)# exit
ACOS(config-web-category)# exit
ACOS(config)#
...
ACOS(config-policy-forward-policy)# source Any_Source
ACOS(config-policy-forward-policy-source)# match-any
ACOS(config-policy-forward-policy-source)# destination web-category-list Web_Mail_List action ForwardMail
Chapter 27: SLB Show Commands
The show slb commands display information for Server Load Balancing (SLB).
To automatically re-enter a show slb command at regular intervals, use the repeat command.
In addition to the command options provided with some show commands, you can use output modifiers to search and filter the output. See “Searching and Filtering CLI Output” and "Show Commands" in the Command Line Interface Reference.
SYN attack 0 0 0 0 0 0
Field Description
SYN cookie chk fail Number of TCP SYN cookies for which the responding ACK failed the SYN cookie check.
Usage If you do not use any of the optional parameters, RAM caching statistics
are displayed. This is equivalent to entering the show slb cache stats
command.
Requests
- Total Requests 0
- Cacheable Requests 0
- No-cache Requests 0
- IMS Requests 0
- 200 OK - Gzip 0
- 200 OK - Deflate 0
- Other 0
Entries
- Cached 0
- Replaced 0
- Aged Out 0
- Cleaned 0
- Create failures 0
Revalidation
- Successes 0
- Failures 0
Policies
- URI nocache 0
- URI cache 0
- URI invalidate 0
- Content Too Big 0
- Content Too Small 0
Field Description
Object URL URL from which the cached object was obtained by the ACOS device.
• No – Object is uncompressed.
• Gz – Object was compressed using gzip. Gzip is an encoding format produced by the file compression program “gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
• Cm – Object was compressed using compress. Compress is the encoding format produced by the common UNIX file compression program “compress” (adaptive Lempel-Ziv-Welch coding [LZW]).
• Df – Object was compressed using deflate. Deflate is the “zlib” format defined in RFC 1950 in combination with the “deflate” compression mechanism described in RFC 1951.
Field Description
• FR – Fresh
• ST – Stale
• IN – Incomplete
• FA – Failed
• UN – Unknown
• R – The entry must be revalidated.
4 0
8 0
16 0
32 0
64 0
128 2
The output shows the distribution of requests for the cached entries.
Entries listed for 1/256 (one in 256 requests) are the least requested,
whereas entries listed for 128 are the most requested.
Field Description
Resume request
Not remove from list
Example This command shows statistics for source-IP based connection rate limiting:
ACOS(config)# show slb conn-rate-limit src-ip statistics
Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
The following table describes the fields in the show command output.
Example The following command shows statistics for Diameter load balancing:
ACOS# show slb diameter
Total
------------------------------------------------------------------
concurrent user-session 0
acr out 0
acr in 0
aca out 0
aca in 0
dpr out 0
dpr in 0
dpa out 0
dpa in 0
cea out 0
cea in 0
cer out 0
cer in 0
dwa out 0
dwa in 0
dwr out 0
dwr in 0
str out 0
str in 0
sta out 0
sta in 0
asr out 0
asr in 0
asa out 0
asa in 0
other out 0
other in 0
mismatch fwd session id 0
mismatch rev session id 0
unknown command code 0
no session id drop 0
no fwd tuple drop 0
no rev tuple drop 0
cross cpu fwd send 0
cross cpu fwd rcv 0
cross cpu rev send 0
cross cpu rev rcv 0
cross cpu fail 0
retry client req 0
retry client req fail 0
reply unknown session id 0
ccr out 0
ccr in 0
cca out 0
cca in 0
ccr initial 0
ccr update 0
ccr termination 0
cca termination 0
term session on cca-t 0
fwd unknown session id 0
update latest server 0
client selection failure 0
Field Description
mismatch rev session id    Server session ID does not match Diameter session table.
Field Description
reselect rev tuple    Original server tuple does not exist, so reselect another one. There should always be a server side connection on the current CPU so there is no counter for “reselect rev tuple cross”.
reply error info fail    Fail to reply to client or server with error info.
Field Description
Request rate over limit    Number of times the request rate limit was exceeded.
Full proxy POST    Total number of full proxy sessions for HTTP POST request.
Close on DDoS
------------------------------------------------------------------
Current proxy conns 4
Total proxy conns 2
Client fail 7
Server fail 2
Server selection failure 1
no route failure 0
Source NAT failure 1
Insert client IP 5
Default switching 1
Sender ID switching 4
Target ID switching 0
Field Description
Insert client IP    Number of times that the ACOS inserted the client’s IP address into tag 11447 and forwarded the recalculated request packet to the FIX server.
Default switching    Number of times that the ACOS parsed the tag value from a client’s request and selected a service-group based on a match with the configured tag keyword.
Mode All
Example The following command shows summary HTTP-proxy and EP/TP Proxy
statistics:
ACOS# show slb http-proxy
Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
HTTP requests 0
HTTP requests(succ) 0
HTTP requests(CONNECT) 0
HTTP requests enter SSLi 0
HTTP req (cache succ) 0
No proxy error 0
Client RST 0
Server RST 0
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 0
Source NAT failure 0
Tot data before compress 0
Tot data after compress 0
Request over limit 0
Request rate over limit 0
Close on DDoS 0
Tot data pre decompress 0
Tot data post decompress 0
Status code 1XX 0
Status code 100 0
Status code 101 0
Status code 102 0
Status code 2XX 0
.. 0
.. 0
Status code 6XX 0
Status code unknown 0
Method GET 0
Method HEAD 0
Method PUT 0
Method POST 0
Method TRACE 0
Method TRACK 0
Method OPTIONS 0
Method CONNECT 0
Method DELETE 0
Method UNKNOWN 0
Req content len 0
Resp content len 0
Resp chunk encoding 0
Req <= 1K 0
.. 0
Req > 256K 0
Resp <= 1K 0
.. 0
Resp <= 256K 0
Resp > 256K 0
Chunk <= 512 0
.. 0
Chunk > 4K 0
Rsp time < 10u 0
.. 0
Rsp time < 100m 0
Rsp time < 200m 0
Rsp time < 500m 0
.. 0
Rsp time >= 5s 0
Field Description
Tot data before compress / Tot data after compress    These counters show statistics for HTTP compression, in bytes before and after compression.
Field Description
DOH UDP DNS Req    Total DOH UDP DNS queries sent to backend DNS server
DOH UDP DNS Resp    Total DOH UDP DNS responses received from backend DNS server
DOH TCP DNS Req    Total DOH TCP DNS queries sent to backend DNS server
DOH TCP DNS Resp    Total DOH TCP DNS responses received from backend DNS server
DOH DNS Req Tx Fail    Total DOH DNS Requests failed to be sent out to the backend server
DOH DNS Resp Tx Fail    Total DOH DNS Response failed to be sent out to the client
DOH UDP Req Retry    Total number of times DOH UDP DNS requests were retried
DOH UDP Req Retry Fail    Total number of times DOH UDP DNS requests retry failed
DOH TCP Req Retry    Total number of times DOH TCP DNS requests were retried
DOH TCP Req Retry Fail    Total number of times DOH TCP DNS requests retry failed
DOH uri path not found    Total count of HTTP requests received not containing DOH URI '/dns-query', when virtual port has DOH template bound.
DOH GET dns arg failed    Total count of HTTP GET requests received not containing a valid arg 'dns=', when virtual port has DOH template bound.
DOH POST payload extract failed    Total count of HTTP requests received not containing DOH URI '/DNS-query', when virtual port has DOH template bound.
DOH TCP send failed    Total DOH TCP DNS queries failed to be sent out to backend DNS server
DOH UDP send failed    Total DOH UDP DNS queries failed to be sent out to backend DNS server
DOH Query time out    Total DOH DNS queries sent to backend DNS server and timed out due to no response
show slb
Description Show statistics for SLB HTTP2.
Mode All
------------------------------------------------------------------
Curr HTTP2 Sessions 0 0 0
Peak HTTP2 Sessions 0 0 0
Total HTTP2 Sessions 0 0 0
Connection Preface received 0 0 0
Control Frame received 0 0 0
Headers Frame received 0 0 0
Continuation Frame received 0 0 0
RST Frame received 0 0 0
Settings Frame received 0 0 0
Window Update Frame received 0 0 0
Ping Frame received 0 0 0
Goaway Frame received 0 0 0
Priority Frame received 0 0 0
Data Frame Recvd 0 0 0
Unknown Frame Recvd 0 0 0
Conn preface sent 0 0 0
Setting Frame Sent 0 0 0
Setting ACK Frame Sent 0 0 0
Empty Setting Frame Sent 0 0 0
Ping Frame Sent 0 0 0
Window Update Frame Sent 0 0 0
RST Frame Sent 0 0 0
GOAWAY Frame Sent 0 0 0
Header Frame to HTTP 0 0 0
Data Frame to HTTP 0 0 0
Protocol Error 0 0 0
Internal Error 0 0 0
HTTP2 Proxy alloc Error 0 0 0
Push Promise Frame Sent 11
Unexpected PUSH_PROMISE Frame 1
Splitting Buffer Failed 0 0 0
Control Frame Alloc Failed 0 0 0
Max Invalid Stream received 0 0 0
Data Frame on non stream 0 0 0
Flow Control Error 0 0 0
Settings Timeout 0 0 0
Frame Size Error 0 0 0
Refused Stream 0 0 0
Cancel 0 0 0
Compression Error 0 0 0
Connect Error 0 0 0
status 300 0 0 0 0 0 0 0
status 301 0 0 0 0 0 0 0
status 302 0 0 0 0 0 0 0
status 303 0 0 0 0 0 0 0
status 304 0 0 0 0 0 0 0
status 305 0 0 0 0 0 0 0
status 306 0 0 0 0 0 0 0
status 307 0 0 0 0 0 0 0
status 4xx 0 0 0 0 0 0 0
status 400 0 0 0 0 0 0 0
status 401 0 0 0 0 0 0 0
status 402 0 0 0 0 0 0 0
status 403 0 0 0 0 0 0 0
status 404 0 0 0 0 0 0 0
status 405 0 0 0 0 0 0 0
status 406 0 0 0 0 0 0 0
status 407 0 0 0 0 0 0 0
status 408 0 0 0 0 0 0 0
status 409 0 0 0 0 0 0 0
status 410 0 0 0 0 0 0 0
status 411 0 0 0 0 0 0 0
status 412 0 0 0 0 0 0 0
status 413 0 0 0 0 0 0 0
status 414 0 0 0 0 0 0 0
status 415 0 0 0 0 0 0 0
status 416 0 0 0 0 0 0 0
status 417 0 0 0 0 0 0 0
status 418 0 0 0 0 0 0 0
status 419 0 0 0 0 0 0 0
status 420 0 0 0 0 0 0 0
status 422 0 0 0 0 0 0 0
status 423 0 0 0 0 0 0 0
status 424 0 0 0 0 0 0 0
status 425 0 0 0 0 0 0 0
status 426 0 0 0 0 0 0 0
status 449 0 0 0 0 0 0 0
status 450 0 0 0 0 0 0 0
status 5xx 0 0 0 0 0 0 0
status 500 0 0 0 0 0 0 0
status 501 0 0 0 0 0 0 0
status 502 0 0 0 0 0 0 0
status 503 0 0 0 0 0 0 0
status 504 0 0 0 0 0 0 0
700
Chapter 27: SLB Show Commands
Feedback ACOS 5.2.1-P3 Command Line Reference for ADC
status 505 0 0 0 0 0 0 0
status 506 0 0 0 0 0 0 0
status 507 0 0 0 0 0 0 0
status 508 0 0 0 0 0 0 0
status 509 0 0 0 0 0 0 0
status 510 0 0 0 0 0 0 0
status 6xx 0 0 0 0 0 0 0
status unknown 0 0 0 0 0 0 0
app serv conn no pcb err 0 0 0 0 0 0 0
app serv conn err 0 0 0 0 0 0 0
chunk1 hdr err 0 0 0 0 0 0 0
chunk2 hdr err 0 0 0 0 0 0 0
chunk bad trail err 0 0 0 0 0 0 0
no payload next buff err 0 0 0 0 0 0 0
no payload buff err 0 0 0 0 0 0 0
resp hdr incomplete err 0 0 0 0 0 0 0
serv sel fail err 0 0 0 0 0 0 0
start icap conn fail err 0 0 0 0 0 0 0
prep req fail err 0 0 0 0 0 0 0
icap ver err 0 0 0 0 0 0 0
icap line err 0 0 0 0 0 0 0
encap hdr incomplete err 0 0 0 0 0 0 0
no icap resp err 0 0 0 0 0 0 0
resp line read err 0 0 0 0 0 0 0
resp line parse err 0 0 0 0 0 0 0
resp hdr err 0 0 0 0 0 0 0
req hdr incomplete err 0 0 0 0 0 0 0
no status code err 0 0 0 0 0 0 0
http resp line read err 0 0 0 0 0 0 0
http resp line parse err 0 0 0 0 0 0 0
http resp hdr err 0 0 0 0 0 0 0
DP0 DP1 DP2 DP3 DP4 DP5 DP6 DP7 DP8 DP9 DP10 DP11 DP12 DP13 DP14 DP15 Total
-----------------------------------------
status 2xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 200 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 201 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 202 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 203 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 204 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 205 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 206 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 207 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 1xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 100 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 101 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 102 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 3xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 300 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 301 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 302 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 303 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 304 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 305 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 306 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 307 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 4xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 400 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 401 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 402 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 403 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 404 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 405 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 406 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 407 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 408 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 409 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 410 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 411 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 412 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 413 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 414 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 415 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 416 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 417 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 418 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 419 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 422 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 423 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 424 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 425 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 426 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 449 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 450 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 5xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 501 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 502 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 503 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 504 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 505 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 506 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 507 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 508 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 509 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 510 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
status 6xx 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
show slb l4
Description Show Layer-4 SLB statistics.
Mode All
Example The following command shows summary statistics for Layer 4 SLB:
ACOS# show slb l4
Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
TCP out RST L4 proxy 0
TCP out RST ACK attack 0
TCP out RST aFleX 0
TCP out RST stale sess 0
TCP out RST TCP proxy 0
TCP SYN received 226510
TCP SYN cookie snt 226510
TCP SYN cookie expd snt 0
TCP SYN cookie snt fail 0
TCP received 1042844
UDP received 0
L2 DSR received 0
L3 DSR received 0
Server sel failure 0
Source NAT failure 0
Source NAT no fwd route 0
Source NAT no rev route 0
Source NAT ICMP Process 0
Source NAT ICMP No Match 0
Auto NAT id mismatch 0
TCP SYN cookie failed 0
L4 SYN attack 226510
NAT no session drops 0
virtual portnot matching drops 0
No SYN pkt drops 0
No SYN pkt drops - FIN 0
No SYN pkt drops - RST 0
No SYN pkt drops - ACK 0
Conn Limit drops 0
Field Description
TCP out RST no SYN    Number of Resets sent for which there was no SYN.
TCP out RST L4 proxy    Number of TCP Reset packets the ACOS device has sent as a Layer 4 proxy.
TCP out RST aFleX    Number of TCP Reset packets the ACOS device has sent due to an aFleX policy.
TCP out RST stale sess    This counter is incremented each time the following occurs:
TCP out RST TCP proxy    Number of TCP Reset packets the ACOS device has sent as a TCP proxy.
TCP SYN cookie snt fail    Number of TCP SYN cookie send attempts that failed because delivery to the client failed.
TCP SYN cookie failed    Number of times a TCP SYN cookie validate failure occurred when the client never sent an ACK packet to complete the TCP three-way handshake.
NAT no session drops    Number of packets sent to the NAT Pool IP, but for which there was no corresponding session on the device.
Session aged out    Total number of TCP (TCP Session aged out), UDP (UDP Session aged out) and other (Other session aged out) sessions that aged out.
TCP Session aged out    Number of TCP sessions that aged out, including both half-open and established sessions.
Internet-Header-Length * 4 + TCP-data-offset * 4
SYN stale sess drop    This counter is incremented each time the following occurs:
TCP SYN Other Flags Drop    Number of TCP SYN packets that were dropped by the ACOS device because they contained a flag other than the SYN flag.
TCP SYN With Data Drop    Number of TCP SYN packets that were dropped by the ACOS device because they contained data.
no-Est SSYN snt aged out    Number of TCP sessions that aged out before a SYN was received from the server, and therefore could not be established.
L4 rcv rexmit SYN    Number of times the client does not get a SYN-ACK from the server. This causes the client to retransmit the same SYN packet that it sent earlier. This counter will increment each time such a re-transmission of the SYN packet occurs.
L4 rcv fwd last ACK    Number of final ACKs (last ACKs of a given TCP session) received by the ACOS device from clients.
L4 rcv rev last ACK    Number of final ACKs (last ACKs of a given TCP session) received by the ACOS device from servers.
L4 rcv fwd FIN dup    Number of times more than one FIN packet is received from the client.
L4 rcv fwd RST    Number of TCP RST packets that the ACOS device received from a client and forwarded to the server.
L4 rcv rev RST    Number of TCP RST packets that the ACOS device received from a server and forwarded to the client.
L4 UDP req > rsps    Number of port 53 UDP requests received for which there was no corresponding response.
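As an added example, not from the A10 reference, the following Python parser reads counter output in the "name value" layout shown for show slb l4 (and the conn-rate-limit statistics earlier in this chapter), diffs two cumulative snapshots, and derives SYN-flood indicators from the TCP SYN received, TCP SYN cookie snt, TCP SYN cookie failed and L4 SYN attack counters described above. The two snapshots, the 60-second interval and the syn_rate_threshold baseline are constructed assumptions.

```python
"""Added example (not A10 code): parse ACOS 'show slb l4' style counter output and
derive SYN-flood indicators from two cumulative snapshots."""
import re
from typing import Dict

# A counter line is "<name, may contain spaces> <integer>"; the CLI prompt, the
# "Total" column header and the dashed separator carry no trailing integer.
_COUNTER_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Return {counter name: value} for every counter line in the show output."""
    counters: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or "#" in line:
            continue  # blank line, separator, or the echoed prompt/command
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter increase between two snapshots. The counters are cumulative, so a
    value lower than the previous one means they were cleared in between; the new
    value is then taken as the increase since the clear."""
    deltas: Dict[str, int] = {}
    for name, value in after.items():
        prev = before.get(name, 0)
        deltas[name] = value if value < prev else value - prev
    return deltas


def syn_flood_indicators(delta: Dict[str, int], interval_s: float,
                         syn_rate_threshold: float = 1000.0) -> Dict[str, object]:
    """Derive SYN-flood indicators from the counters documented for show slb l4.
    syn_rate_threshold (SYNs per second) is a placeholder for a site baseline."""
    syn_rcvd = delta.get("TCP SYN received", 0)
    cookies_sent = delta.get("TCP SYN cookie snt", 0)
    cookies_failed = delta.get("TCP SYN cookie failed", 0)
    syn_attack = delta.get("L4 SYN attack", 0)
    syn_per_s = syn_rcvd / interval_s
    return {
        "syn_per_s": syn_per_s,
        # share of SYNs answered with a SYN cookie; close to 1.0 while SYN-cookie
        # protection is active
        "cookie_ratio": cookies_sent / syn_rcvd if syn_rcvd else 0.0,
        # cookies the client never completed with an ACK: half-open attempts
        "cookie_fail_ratio": cookies_failed / cookies_sent if cookies_sent else 0.0,
        "syn_attack_per_s": syn_attack / interval_s,
        # heuristic: the device counted SYN-attack packets and the SYN rate is
        # above the assumed baseline
        "syn_flood_suspected": syn_attack > 0 and syn_per_s > syn_rate_threshold,
    }


# Constructed snapshots: the second uses the example values from this reference;
# the first stands for the state right after the counters were cleared.
SNAPSHOT_T0 = """ACOS# show slb l4
                                Total
------------------------------------------------------------------
TCP SYN received                    0
TCP SYN cookie snt                  0
TCP SYN cookie failed               0
TCP received                        0
L4 SYN attack                       0
"""
SNAPSHOT_T60 = """ACOS# show slb l4
                                Total
------------------------------------------------------------------
IP out noroute                      0
TCP out RST                         0
TCP SYN received               226510
TCP SYN cookie snt             226510
TCP SYN cookie expd snt             0
TCP SYN cookie snt fail             0
TCP received                  1042844
TCP SYN cookie failed               0
L4 SYN attack                  226510
Conn Limit drops                    0
"""


def analyse_sample(interval_s: float = 60.0) -> Dict[str, object]:
    """Run the pipeline over the constructed snapshots (assumed 60 s apart)."""
    delta = counter_deltas(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T60))
    return syn_flood_indicators(delta, interval_s)


if __name__ == "__main__":
    for name, value in analyse_sample().items():
        print(f"{name:22} {value}")
```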
Field Description
Total log times    Total number of times log rate limiting has been used.
Buffer alloc fail    Number of times the ACOS device was unable to allocate a buffer for sending a log message to an external log server.
Buffer send fail    Number of times the ACOS device was unable to send a log message that had been placed in the buffer for sending to an external log server.
or
show slb server
[server-name [port-num]
[all-partitions | partition {shared | name} | detail] |
[config]
[all-partitions | partition {shared | name}] |
[connection-reuse]
[all-partitions | partition {shared | name}] |
[auto-nat-stats]
[all-partitions | partition {shared | name}]
[ip-nat-stats]
Mode All
Example The following command shows the output for the basic show slb
server command. The “State”
Example The following command shows SLB statistics for real server “http1”. This
server is in a service group that is bound to an HTTP virtual port:
ACOS# show slb server http1
Total Number of Services configured on Server http1: 1
Service: http1:80/tcp (Status: Up)
Forward packets: 0 Reverse packets: 0
Forward bytes: 0 Reverse bytes: 0
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 0 Total requests succ: 0
Response time: 0 tick
Peak connections: 0
Health-check:
--------------------------------------------------------
Up reason: HTTP Status Code OK
Monitor name: http
Method: HTTP
Attribute: port=80
url="GET /"
Wait for HTTP response:False
L4 conn made: 938
L4 errors: 0
Health-check average RTT (us):15930
Health-check current RTT (us):15958
Health-check average TCP RTT (us):7895
Health-check current TCP RTT (us):7933
HTTP requests sent: 938
HTTP errors: 0
Received OK: 938
Received error: 0
Response timeout: 0
Example The following table describes the output fields for the show slb server command. The output from this command includes statistics for health check fields. Keep in mind that these health check fields only appear in the output for HTTP traffic. The counters begin when the health check is configured and increment until the statistics are cleared or the health check is deleted.
• slb common (global)
• extended-stats (individual server)
NOTE: The same health check fields appear in the output for the show
slb service-group group-name and similarly only apply to HTTP
traffic.
Example The following command shows details for a real server with IPv4 address:
ACOS# show slb server dang0 detail
The following command shows details for a real server with IPv6
address:
ACOS# show slb server http1 detail
Server name: http1
Hostname: http1.example.com
Last DNS reply: Mon May 14 18:43:57 2018
Server gateway ARP: 0000:0000:0000
State: Up
Server template: default
Health check: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connection: 0
Dynamic server name: DRS-2001:133::16-http1.example.com
Dynamic server IP address: 2001:133::16
Last DNS reply: Mon May 14 18:43:57 2018
TTL: 86400
Server gateway ARP: 000c:29fc:ee32
State: Up
• Up
• Down
• Disabled
• slb common (global)
• extended-stats (individual server)
Example The following command shows details for a real port on a server:
ACOS(config)# show slb server dang1 80 detail
Server name: dang1
Port: 1.1.1.1:80
State: Up
Port template: default
Health check: default
Current connection: 53
Current request: 42
Total connection: 10011
Total request: 20090
Total request success: 20089
Total forward bytes: 36378463
• Up
• Down
• Disabled
Total request success    Total number of HTTP requests that were successful.
• slb common (global)
• extended-stats (individual server)
Example The following command displays detailed information for a dynamic host-
name server. The configuration details are shown first, followed by details
for the dynamically created servers.
ACOS# show slb server s-test1 detail
Server name: s-test1
Hostname: s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
State: Up
Server template: temp-server
DNS query interval: 5
Example The following command shows SLB configuration information for real
servers:
ACOS# show slb server config
Total Number of Services configured: 30
H-check = Health check    Max conn = Max. Connection    Wgt = Weight
Service Address H-check Status Max conn Wgt
------------------------------------------------------------------------------
1_yahoo_finance:80/tcp 69.147.86.163 None Enable 1000000 1
1_yahoo_finance 69.147.86.163 None Enable 1000000 1
• Enable
• Disable
1_cybozu:80/tcp Up 0
win20:25/tcp Down 0
win21:25/tcp Up 0
win21:110/tcp Up 0
win21:80/tcp Up 0
win21:443/tcp Down 0
linux22:25/tcp Disb 0
linux22:80/tcp Up 0
linux22:53/udp Disb 0
• Up
• Down
• Disabled
In this example, all the virtual ports are using Smart NAT along with
round-robin of floating IPs. The Nat Address, Port Usage, Total Used, Total
Freed, and Failed columns show the same information shown in show IP
NAT pool statistics output. (See the CLI Reference.)
The Service column lists the server, protocol port, and Layer 4 protocol.
The HA/VR ID column lists the HA group ID or VRRP-A VRID, if applicable.
In this example, the ACOS device is deployed as a standalone device, so
“0” is shown in this column.
The following table describes the fields in the command output.
Field Description
Service    Real server name and port number, and the Layer 4 protocol (TCP or UDP).
Total Used    Total number of sessions that have been NATted for the source address.
The state of each service group is shown. In this example, service group
“sg-8080” is All Up. This indicates all service ports on all real servers in the
service group are up. Service group “linux:8080” is Functionally Up. The
service is up on at least one real server in the service group, but not on all
the servers in the group.
The following command displays the IP NAT statistics for SLB server.
ACOS (config)# show slb server rs ip-nat-stats
Total Number of Services configured on Server rs: 2
Service Pool Address Port Usage Total Used Total Freed Failed
---------------------------------------------------------------------------------------
rs:21/tcp ipv4-pool3 10.212.1.243 0 2 2 0
10.212.1.244 0 0 0 0
Mode All
Example The following command shows statistics for SLB service groups:
ACOS# show slb service-group
Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Peak-c = Peak connections
Service Group Name
Service Current Total Fwd-p Rev-p Peak-c
------------------------------------------------------------------------------
*sg-80-1 State: Down
rs-http:80 0 0 0 0 0
*sg-80-2 State: All Up
rs-http-2:80 1 1 1 4 5
• slb common (global)
• extended-stats (individual server)
NOTE: A separate set of health check fields appears in the show slb service-group command output for HTTP traffic.
• slb common (global)
• extended-stats (individual server)
Example The following command shows configuration information for SLB service
groups:
ACOS# show slb service-group config
slb service-group sg1 tcp
member s1 80
!
slb service-group sg2 tcp
member s2 80
member s1 80
!
slb service-group sg3 tcp
member s3 80
!
Example The following command shows configuration information for named SLB
service groups:
ACOS (config-slb svc group)# show slb service-group sg config
Service group name: sg
Type: tcp Distribution: Svc Wtd RR
Health Check: None
Member Count: 2
Member2: s:80 Priority: 1
Member1: s2:80 Priority: 1
In this example, 2 service groups are configured. Each service group has
1 server. In each of the groups, the server is down.
Example The following sample command includes the sort-priority option that
displays the members of a service group organized by their configured
priority in descending order. For example, the western-region service
group specified in the following example includes three members that
are displayed in descending numeric order by priority (8, 4, then 1):
ACOS# show slb service-group western-region config sort-priority
Service group name: western-region
Type: tcp Distribution: Round Robin
Health Check: None
Member Count:3
Member3: GW:80 Priority: 8
Member2: FW1_Inspect:80 Priority: 4
Member1: DEFAULT_GATEWAY:80 Priority: 1
If you issue the command without the sort-priority option, the service group members appear in ascending alphabetical order (D, F, then G) as shown:
Member1: DEFAULT_GATEWAY:80 Priority: 1
Member2: FW1_Inspect:80 Priority: 4
Member3: GW:80 Priority: 8
Example The following command displays link-cost statistics for a server group, for the specified duration:
Select by conn 0
Select failed 0
Field Description
Fetch msg from conn   Number of SMPP messages that the ACOS CPU transferred from the connection CPU to the proxy CPU.
Example This command shows detailed SMTP SLB statistics for each data processor (DP):
ACOS# show slb smtp detail
DP0 DP1 DP2 Total
------------------------------------------------------------------
Current proxy conns 0 0 0 0
Total proxy conns 0 0 0 0
SMTP requests 0 0 0 0
SMTP requests (success) 0 0 0 0
No proxy error 0 0 0 0
Client reset 0 0 0 0
Server reset 0 0 0 0
No tuple error 0 0 0 0
Parse request failure 0 0 0 0
Server selection failure 0 0 0 0
Forward request failure 0 0 0 0
Forward REQ data failure 0 0 0 0
Request retransmit 0 0 0 0
Request pkt out-of-order 0 0 0 0
Server reselection 0 0 0 0
Server premature close 0 0 0 0
Server connection made 0 0 0 0
Source NAT failure 0 0 0 0
SYN stream 0
SYN reply 0
RST 0
Setting 0
Ping 0
Goaway 0
Headers 0
Window update 0
Data frame received 0
Dt no stream found 0
Dt no stream & goaway 0
Dt no str&gw & cl ses 0
Est callback no tuple 0
Dat callback no tuple 0
Contex alloc fail 0
FIN close session 0
Serv RST close stream 0
Stream found 0
Clse St ses not found 0
Clse St str not found 0
Clsing closed stream 0
Str cl session close 0
Clsing closed session 0
Max conc stream limit 0
Stream alloc fail 0
HTTP conn alloc fail 0
Req/Header alloc fail 0
NV tot len exceed 0
NV zero name length 0
NV ivld http version 0
NV connection 0
NV keep alive 0
NV proxy-connection 0
NV transfer encoding 0
NV no must have 0
Decompress fail 0
SYN after goaway 0
Stream id < previous 0
Str already exist 0
Unidirectional SYN 0
Syn reply alr received 0
Cl RST str not found 0
Win upd no str found 0
Field Description
OCSP URI not found   Number of times the OCSP URI was not found.
Field Description
CRL URI not found   Number of times the CRL URI was not found.
Example In this example, the TPS device is configured with two virtual servers, vip1 and vip2, each of which is bound to two virtual ports, 443 and 444.
DHE
Renegotiation Counters
Total renegotiations = 0
New 3
Hit 0
Miss 0
Expired 0
Renegotiation Counters
Total renegotiations = 0
This "show slb ssl-counters" command output displays statistics for TLS 1.3 ciphers. A new counter is added for TLS 1.3 ciphers, and another new counter is added for version downgrade (1.3 to 1.2):
ACOS# show slb ssl-counters
Virtual Server Name: vip1
--------------------------------------------------------------------------------
Client ssl stats
Cumulative sessions = 0
TLS1.3 10 0
--------------------------------------------------------------------------------
Client ssl stats
Cumulative sessions = 1
Certificate Auth = 0
SNI Auto-Map Successes = 0
SNI Auto-Map Failures = 0
SNI Auto-Map Failures Connection Closed = 0
SNI Auto-Map Failures Max Active Connections = 0
SNI Auto-Map Failures Missing Cert/Key = 0
SNI Bypass due to Missing Cert/Key = 1
SNI Bypass due to Certificate Expired = 0
SNI Bypass due to Matched Explicit Bypass List = 0
Renegotiation Counters
Total renegotiations = 0
----Retrieved CRL----
Issuer: /C=FR/O=Certplus/CN=Class 2 Primary CA
Status: Not expired
Issuer: /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
Status: Expired
----End of CRL----
17 CRL retrieved
Example
ACOS(config)# show slb ssl-cert-pinning-candidate-list
SNI Counter TTL
--------------------------
youtube.com 10 1440
gmail.com 6 1440
google.com 5 1440
yahoo.com 3 1440
api.snapcraft.io 1 1430
The following table describes the fields in the show command output.
Usage The following field values appear in the output of this command:
Field Description
Real Server   This field specifies the gateway IP address and protocol port of the server that clients are trying to connect to.
Server Name   This field specifies the URL or SNI of the server that clients are trying to connect to.
- state: ready
[output truncated]
serial(hex): 0123e2
Total number of particular certificates that are printed is 1
Default None
Mode All
Example The following example shows the counter fields provided by the show slb ssl-forward-proxy-stats command.
Default None
Mode All
Usage The following table describes the fields in the command output:
Field Description
Example The following example displays the contents of the SSL OCSP cache:
ACOS# show slb ssl-ocsp cache
Total: 2
Common Name                                  Status
-------------------------------------------------------------------
Company1 Internet Authority G2               Good
Company2 Root Certificate Authority - G2     Good
Default None
Mode All
Usage The following table describes the fields in the command output:
Field Description
Example Use this command to display information on the SSL OCSP cache, including the name of the company, status, subject, length, URI, expiration, and number of hits.
ACOS# show slb ssl-ocsp cache detail
Total: 1
-------------------------------------------------------------------
Name: Company1 Internet Authority G2
Status: Good
Subject: /C=US/O=Company1 Inc/CN=Company1 Internet Authority G2
Length: 1012
URI: http://a.example.com/
Expire: 17731488
Hits: 760
L4 Process 709223
Incorrect Len Drop 0
Prot Down Drop 289
Unknown Prot Drop 32136
TTL Exceeded Drop 0
Link Down Drop 0
SRC Port Suppresion 0
VLAN Flood 141022
IP Fragment received 0
ARP REQ received 80272
ARP RESP received 15939
Forward Kernel 91163
IP(TCP) Fragment received 0
IP Fragment Overlap 0
IP Frag Overload Drops 0
IP Fragment Reasm OKs 23
IP Fragment Reasm Fails 0
IP Fragment Timeout 0
Anomaly Land Attack Drop 0
Anomaly IP OPT Drops 0
Anomaly PingDeath Drop 0
Anomaly All Frag Drop 0
Anomaly TCP noFlag Drop 0
Anomaly SYN Frag Drop 0
Anomaly TCP SYNFIN Drop 0
Anomaly Any Drops 0
BPDUs Received 0
BPDUs Sent 0
ACL Denys 0
SYN rate exceeded Drop 0
Packet Error Drops 0
IPv6 Frag UDP 0
IPv6 Frag TCP 0
IPv6 Frag ICMP 0
IPv6 Frag OSPF 0
IPv6 Frag ESP 0
IPv6 Frag Reasm OKs 0
IPv6 Frag Reasm Fails 0
IPv6 Frag Invalid Pkts 0
Bad Pkt Drop 0
IP Frag Exceed Drop 0
IPv4 No L3 VLAN FWD Drop 0
IPv6 No L3 VLAN FWD Drop 0
Example The following command shows detailed SLB switching statistics for Ethernet port 1:
ACOS# show slb switch ethernet 1 detail
DP0 DP1 DP2 Total
------------------------------------------------------------------
L2 Forward 2115 227 453 2795
L3 IP Forward 0 0 0 0
IPv4 No Route Drop 0 0 0 0
...
Field Description
Total out TCP packets   Total number of TCP packets sent by the TCP proxy.
Example The following command shows summary TCP stack statistics when proxy header is configured:
ACOS#show slb tcp stack extend | section Proxy
Proxy header v1 1
Proxy header v2 0
!
Reputation hits:
trustworthy 2
low-risk 1
moderate-risk 0
suspicious 0
malicious 0
Example The policy template defines what actions are applied to upstream traffic by the client-facing virtual server on the ACOS device. A configuration of this policy template follows:
slb template policy Explicit_Proxy
  forward-policy
    action Permit_to_Internet
      forward-to-internet FW1_Inspect_SG snat Internet_Pool
      log
    source Any_Source
      match-any
      destination any action Permit_to_Internet
[application-statistics] |
detail |
dns-cache {entry {dns-class string | dns-type string |
domain-name {dns_domain_name | fqdn_domain} name}}|
host-hits-counter {host-name | all} |
url-hits-counter {url-string | all}
}
]
[bind]
[config]
[all-partitions]
[partition {shared | name}]
Mode All
Usage To display virtual-server information for a specific partition, use the partition option; use partition shared for the shared partition, or partition name, where name is a specific L3V partition.
Example The following command shows summary information for all virtual servers:
ACOS# show slb virtual-server
Total Number of Virtual Services configured: 2
Virtual Server Name   IP         Current      Total        Request   Response   Peak
  Service-Group       Service    connection   connection   packets   packets    connection
-------------------------------------------------------------------------------------------
*v-server(A)          3.1.1.99
  port 80   http                 0            3            14        10         611
    abctcp  80/http              0            2            14        10         2112
  Total received conn attempts on this port: 3
  port 53   udp                  0            0            0         0          411
    abcudp  53/udp               0            0            0         0          696969
  Total received conn attempts on this port: 0
...
Field Description
- slb common (global)
- extended-stats (individual virtual server)
- extended-stats (individual virtual service port)
Example This command shows status information for SLB virtual server “v-server”:
ACOS(config)# show slb virtual-server v-server
Virtual server: v-server State: All Up IP: 3.1.1.99
Port   Curr-conn   Total-conn   Rev-Pkt   Fwd-Pkt   Peak-conn
-------------------------------------------------------------------------------------
Field Description
- slb common (global)
- extended-stats (individual virtual server)
- extended-stats (individual virtual service port)
Example The following command shows configuration information for named SLB service groups:
ACOS (config-slb svc group)# show slb virtual-server vip 80 http
Service group name: sg
Type: tcp Distribution: Svc Wtd RR
Health Check: None
Member Count: 2
Pri   Port/State   Curr-conn   Total-conn   Rev-Pkt   Fwd-Pkt   Peak-conn
-------------------------------------------------------------------------------------
1 s:80/Up 0 0 0 0 1011
1 s2:80/Up 0 0 0 0 1011
Virtual Port Traffic 0 0 0 0 1822
Field Description
- slb common (global)
- extended-stats (individual virtual server)
- extended-stats (individual virtual service port)
Current request rate   Current request rate for the virtual port on the virtual server.
Example The following command shows details for a virtual port on a virtual server:
ACOS(config)# show slb virtual-server vip1 80 detail
Virtual port name: vip1:80:tcp
Virtual port number: 220.220.220.100:80
Virtual port template: default
Current connection: 11216
Current request: 0
Current response: 0
Total connection: 6215984
Total request: 0
Total response: 0
Total request success: 0
Total response success: 0
Total forward bytes: 51614803
Total forward packets: 80370519
Total reverse bytes: 3536281441
Total reverse packets: 39742461
Peak connections: 0
Response time: 1
Field Description
Virtual port template   Name of the virtual port template bound to the virtual port.
Field Description
- slb common (global)
- extended-stats (individual virtual server)
- extended-stats (individual virtual service port)
Example The following command shows service group and port bindings:
ACOS# show slb virtual-server bind
---------------------------------------------------------------------------------
*Virtual Server : SanJose(A) 192.192.100.100
Down
The primary servers are listed under the virtual port. Under each primary server, that server's alternate servers are listed.
If an asterisk is shown at the end of an alternate server name, the primary server is down and the alternate server is active instead. In the example above, rs2 is down, so alternate rs2-a1 is being used instead.
Example The following example demonstrates the DNS statistics displayed for a virtual server:
ACOS(config)# show slb virtual-server v1 53 dns-tcp application-statistics
Total DNS Query: 0
Total Malformed Query: 0
DNS Response Rate Limiting Total Allowed: 0
DNS Response Rate Limiting Total Dropped: 0
DNS Response Rate Limiting Total Slipped: 0
DNS Response Rate Limiting Bad FQDN: 0
Total DNS Filter Query Type Drop: 0
Total DNS Filter Query Class Drop: 0
DNS Filter Query Type A Drop: 0
show web-category
Description Shows the information about the current operation of the Web Category feature.
Parameter Description
bypassed-urls [num | all]   Lists the URLs bypassed by the Web Category feature.
Parameter Description
url-category url-name [local-db-only]   Shows categories returned by the BrightCloud library for the specified URL.
  local-db-only – Checks only the local database and service cache. Does not make a cloud query to fetch the category list for this URL.
version   Shows the current version of the Web Category engine.
Mode All
Example The following command shows the URLs bypassed by the Web Category feature:
ACOS#show web-category bypassed-urls
paper.example.com
paper.example.com
paper.example.com
paper.example.com
step.example.com
metrics1.example.com
step.example.com
paper.example.com
online.example.com
...
Example The following command shows information about the currently loaded BrightCloud database:
ACOS#show web-category database
Database Name : full_bcdb_4.827.bin
Database Status : Active
Database Size : 351 MB
Database Version : 827
Last Update Time : Wed Jul 6 19:39:59 2016
Next Update Time : Fri Jul 8 00:00:22 2016
Connection Status : GOOD
Last Successful Connection : Thu Jul 7 00:39:22 2016
Example The following command shows the URLs intercepted by the Web Category feature:
ACOS#show web-category intercepted-urls
fhr.data.example.com
fhr.data.example.com
fhr.data.example.com
aus3.example.org
blocklist.addons.example.org
aus4.example.org
versioncheck-bg.addons.example.org
versioncheck-bg.addons.example.org
services.addons.example.org
aus3.example.org
fhr.data.example.com
...
Example The following commands show the web categories to which some individual URLs belong. In this example, the categories for the URLs in the ACOS device's local database match the most recent categorizations from the BrightCloud server.
ACOS#show web-category url-category www.google.com
Search Engines
ACOS#show web-category url-category www.google.com local-db-only
Search Engines
ACOS#show web-category url-category www.youtube.com
Streaming Media
ACOS#show web-category url-category www.youtube.com local-db-only
Streaming Media
Example The following command shows the current version of the Web Category engine:
ACOS#show web-category version
version: 4.0
show web-reputation
Description Displays the URLs which are bypassed/intercepted by web-reputation rules in the client-ssl template and checks the reputation score for specific URLs.
Example The following command shows the URLs bypassed by the web reputation feature:
ACOS#show web-reputation bypassed-urls
Score URL
79 www.77file.com
81 www.testing.com
81 a10networks.com
...
Example The following command shows the URLs intercepted by the web reputation feature:
ACOS#show web-reputation intercepted-urls
Score URL
10 17ebook.com
40 gerry90160.a10-tplab.com
54 earn4files.com
Example The following commands show the web reputation scores of the URLs:
ACOS#show web-reputation url-reputation www.google.com local-db-only
trustworthy(81)
ACOS# show web-reputation url-reputation www.google.com
trustworthy(81)
Chapter 28: ADC support on Chassis
Starting with ACOS version 5.1.0, ADC is supported on chassis. To enable ADC support on chassis, set chassis-application-type to adc.
chassis-application-type 836
chassis-application-type
Description The command is used to set the application type on a dual chassis box.
Default cgn
Mode All
Key Considerations
Key considerations for ADC support on chassis are mentioned below:
- SNMP and external VCS are not supported. Also, only UDP based syslogs are supported; TCP based syslogs are not supported.
- VRRP configuration sync with an external device is not supported.
- Persist sessions are not supported on chassis.
The supported show commands related to the applications and templates are mentioned below:
http HTTP
Supported Templates