ACOS 4.1.1-P13 Release Notes
for A10 Thunder® Series
16 March 2020
© 2020 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.
PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions, including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of the U.S. patents and patents pending listed at:
https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking
TRADEMARKS
A10 Networks trademarks are listed at:
https://www.a10networks.com/company/legal-notices/a10-trademarks
CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed,
copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document
or available separately. Customer shall not:
1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any means.
2. Sub-license, rent, or lease the Software.
DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.
ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be
found by visiting www.a10networks.com.
This chapter highlights the major changes to default or existing behavior in the ACOS 4.x releases as
compared to the earlier releases.
• Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases
Default Behavior Changes Between ACOS 4.1.1-P3 and ACOS 4.1.1-P4
• health external create – Creates a script file and opens an editor to modify it.
Previously, these commands could be run by any ACOS admin with Read/Write (R/W) privilege, including Partition Read/Write (P.R/W). Starting in version 4.1.1-P10, an administrator must be explicitly provisioned with the new External Health Monitor privilege (HM) for these commands to succeed; the privilege is disabled by default.
External Health Monitor scripts are system-wide in ACOS, so the new HM privilege and these commands are no longer available to partition-constrained administrators. The HM privilege can only be granted to ACOS admin accounts that hold system-level Read/Write (R/W) privilege.
Existing ACOS deployments that use the External Health Monitor feature and upgrade to this release or later must extend their provisioning and configuration so that the admin users trusted to manage this feature hold the HM privilege. The ACOS CLI provides the privilege hm command for this purpose, with equivalent GUI settings and corresponding access settings for external authentication integrations with TACACS+, RADIUS, and LDAPS. Decide before upgrading which accounts receive HM: an account that can create or edit these scripts can run code with broad access throughout the ACOS system, so the privilege should be granted as sparingly as system-level R/W itself.
NOTE: For information on configuring ACOS for this new HM privilege, see the
Management Access and Security Guide. For general information on the
External Health Monitor feature, see the Application Delivery and Server
Load Balancing Guide (Using External Health Methods section).
Default Behavior Changes Between ACOS 4.1.1-P2 and ACOS 4.1.1-P3
NOTE: For more information on the command, see ACOS 4.1.1-P4 Command
Line Interface Reference for SLB Guide.
NOTE: Starting from 4.1.1-P4, SSLv3 is disabled by default. To enable SSLv3, run the command version 33 30 in the SSL template. The default is version 33 31, which means that a downgrade from TLSv1.2 to TLSv1.0 is permitted by default. SSLv3 is deprecated (RFC 7568); re-enable it only for clients that cannot negotiate TLS, and if downgrade must be prevented set both values to 33.
• Session Capacity of SLB Real Servers and Ports Increased to 64 Million Sessions
• forward-proxy-verify-cert-fail-action
• forward-proxy-cert-revoke-action
• forward-proxy-cert-unknown-action
Removing these fields broke compatibility with aXAPI-dependent applications, so the fields are restored in the ACOS 4.1.1-P3 release. After the change, valid aXAPI requests and responses match those of ACOS 4.1.1-P1 and earlier releases.
POST /axapi/v3/slb/template/client-ssl/
REQUEST:
{
  "client-ssl": {
    "name": "new3",
    "forward-proxy-verify-cert-fail-action": 1,   <------ flag field added back
    "verify-cert-fail-action": "continue",
    "forward-proxy-cert-revoke-action": 1,        <------ flag field added back
    "cert-revoke-action": "bypass",
    "forward-proxy-cert-unknown-action": 1,       <------ flag field added back
    "cert-unknown-action": "continue"
  }
}
RESPONSE:
{
  "client-ssl": {
    "name": "new3",
    "ocsp-stapling": 0,
    "client-certificate": "Ignore",
    "close-notify": 0,
    "forward-proxy-alt-sign": 0,
    "enable-tls-alert-logging": 0,
    "forward-proxy-verify-cert-fail-action": 1,   <------ flag field added back
    "verify-cert-fail-action": "continue",        <------ flag field added back
    "forward-proxy-cert-revoke-action": 1,        <------ flag field added back
    "cert-revoke-action": "bypass",               <------ flag field added back
    "forward-proxy-cert-unknown-action": 1,       <------ flag field added back
    "cert-unknown-action": "continue",            <------ flag field added back
    "notbefore": 0,
    "notafter": 0,
    "forward-proxy-ssl-version": 33,
    "forward-proxy-ocsp-disable": 0,
    ***snipped***
    "renegotiation-disable": 0,
    "authorization": 0,
    "uuid": "1925ec20-3fa5-11e7-bdc1-f3883dec13ef"
  }
}
Default Behavior Changes Introduced in ACOS 4.1.1-P2
SSL3_RSA_DES_192_CBC3_SHA
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_AES_128_GCM_SHA256
TLS1_RSA_AES_256_GCM_SHA384
TLS1_ECDHE_RSA_AES_128_SHA
TLS1_ECDHE_RSA_AES_256_SHA
TLS1_ECDHE_RSA_AES_128_SHA256
TLS1_ECDHE_RSA_AES_128_GCM_SHA256
TLS1_ECDHE_ECDSA_AES_128_SHA
TLS1_ECDHE_ECDSA_AES_128_SHA256
TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384
TLS1_ECDHE_ECDSA_AES_256_SHA
NOTE: For more information on the original default behavior in 4.1.1-P1 and earlier 4.x releases, see NTP Server Default Ports in Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases.
Previously, regardless of the signature algorithms (Sig Alg) list sent by the client, ACOS always used SHA1. In this release and subsequent releases, ACOS honors the client's Sig Alg list. If ACOS cannot support the requested algorithm, the connection is dropped rather than silently falling back to SHA1, so clients that advertise only unsupported algorithms will fail to connect.
This behavior has changed so that it no longer enables SLB gateway traps. Use the gateway-down or gateway-up parameters of snmp-server enable traps slb to enable the SLB gateway down or up traps.
NOTE: This change is made in both ACOS 4.1.1-P2 and ACOS 4.1.0-P8 releases.
NOTE: This change is backward compatible with 411-P2 and 2.8.2x releases.
For versions prior to 411-P2, the user must change “ipv4-list” and
“ipv6-list” to “ip-list” explicitly.
• These limits are hard-coded and apply across all platforms and models running ACOS 4.1.1-P2.
• The maximum URL length is extended to 16127 characters. The new upper limit represents the
concatenated total length of all URL strings.
• The file size increase happens after upgrading and is transparent to the user.
• You can set the file size in KB to a value in the supported range using the following command: waf policy max-filesize <16-10240>
• After upgrading, if you do not change the value, then the default value (32KB) will be used.
This “license” option is also removed from the “import-periodic” and “import to-device” commands.
The option to import glm-license is still supported under all the above mentioned import variants.
Default Behavior Changes Between ACOS 4.1.x and ACOS 4.1.1
• VRID Default
• Tunnel-Endpoint-Address
Workaround
To create a similar rule of IP matching with the following constraints, use the destination any or
match-any rule as part of your source policy configuration.
The GUI is an abstraction of the CLI with a focus on streamlined workflow, reduced complexity, and a
user-friendly experience.
Previously, all the functionality would cease to work with 4.1.0x for expired licenses.
This change does not affect earlier proxy-chaining configurations. Any configurations utilizing the
proxy-chaining parameter from earlier 4.x releases will continue to function.
To recover from this state, from the web-category sub-configuration, re-enable web-category through
the enable command. Ensure your ACOS appliance is already configured to establish a connection with
the Global Licensing Manager (GLM).
NOTE: This action only needs to be done the first time after an upgrade.
Default Behavior Changes Between ACOS 4.1.0-P2 and ACOS 4.1.1
VRID Default
The vrid default command is revised to vrid 0 in VPN IKE-Gateway and VRRP-A configurations, with a range of <0-31> (<0-7> in partitions).
Tunnel-Endpoint-Address
With the support for multiple tunnel endpoints, the cgnv6 lw-4o6 tunnel-endpoint-address command
and the “LW-4over6 Tunnel Endpoint not Configured Drops” counter were removed.
• The ipmi options command in previous releases is replaced with system ipmi options.
• The ipmi ip (to view the IPMI IP configuration) and ipmi user list (to view the IPMI user configuration) commands are deprecated. Both IPMI IP and user configuration can be viewed with the new show ipmi command.
This change does not impact any upgrade scenarios. For downgrade scenarios, note that if you are
downgrading from Release 4.1.1 to any earlier release and your release 4.1.1 trunk configuration uses
ID numbers greater than 16, the configuration will be rejected by the older release.
This is changed in Release 4.1.1 so that only the merged files are exported in PCAP format; the per-CPU files are not included. Additional CLI options let you retain the original behavior.
Default Behavior Changes from ACOS 4.1.0-P2 to ACOS 4.1.0-P3
The behavior of the version command when configuring a server SSL SLB template has also changed with regard to downgrades from 4.1.0 to 4.1.0-P3.
The following Table 1 lists the default TLS version for the Server SSL handshake and the associated SSL version numbers for the corresponding ACOS releases, together with the behavioral changes to the version command.
ACOS(config-server ssl)#version 33 31
Default Behavior Changes Between ACOS 4.1.0 and ACOS 4.1.0-P2
To disable downgrading, you must set the version and the minimum downgrade version to be the same:
NOTE: For more information, see the “version” command in the “Config Commands: SLB Server SSL Templates” chapter in the Command Line Interface Reference for ADC.
Default Behavior Changes Between ACOS 4.0.1 and ACOS 4.1.0
NOTE: For more information, see “slb template tcp-proxy” in the Command
Line Interface Reference for ADC.
If you have spaces or special characters in your VIP names, you must rename them appropriately
before upgrading to release 4.1.0.
These CLI commands are not removed from the CLI for backwards-compatibility purposes, but if you
attempt to use them in release 4.1.0 the CLI will return an error message.
NOTE: For more information about the new CLI commands, SNMP community string, and user configuration, see the “Simple Network Management Protocol (SNMP)” chapter in the System Configuration and Administration Guide.
Usage: For Aho-Corasick (AC) class lists, enter the write memory command immediately before entering show class-list.
• reset-change-password
• reset-logon
• reset-logon-fail
The error is still logged in the same manner as in all previous releases.
• If you have network access during system set-up, the ACOS device communicates with the Global Licensing Manager to verify your licensing status once you run the glm enable-requests command. If you do not have network connectivity, you must import the license manually and start a new CLI session. See glm enable-requests, import glm-license, and show license-info in the Command Line Interface Reference for further information about managing your license.
• The show license-info command will show the expiry date of none or N/A for Webroot and
ThreatSTOP. However, an additional Webroot or ThreatSTOP license is required for usage.
NOTE: See the Global License Manager User Guide for further information about obtaining and managing your license.
• Details
Details
In release 4.1.0, there is a change in the formatting of the “start time” and “duration” fields in NetFlow records for long-lived sessions (typically defined as those lasting more than 10 minutes).
For each new NetFlow record created for a session on the ACOS device, the NetFlow record shows the time that the session began as the start time. Therefore, NetFlow records sent out for different sessions have different start times.
However, for long-lived sessions (for example, 15 minutes), if the flow-timeout period is set to 5 minutes, ACOS produces three flow records for one 15-minute session. The three flow records each have the same start time, because the records are reporting on the same session.
In previous releases, the NetFlow records erroneously reset the start time to the time at which the previous NetFlow record was exported. This behavior was incorrect, because instead of three records with the same start time, there were three records with incrementally larger start times, even though they were for the same session.
The following sub-sections show sample records using the old (incorrect) approach, as well as a sample of records using the new approach.
NOTE: Instead of resetting the start time to the time at which the most recent
NetFlow record was exported, the start time remains the same for all
three records for this session. In addition, the duration is not reset to zero,
but it is incrementally larger for each record, because more time has
elapsed since the first, second, and third records were sent.
The benefit of this new approach to formatting the session “start time” and “duration” fields in the NetFlow records is that it effectively joins the records into a single session that can be more easily stored and searched in a database.
NOTE: For more information about configuring NetFlow, see the “NetFlow v9 and v10 (IPFIX)” chapter in the System Configuration and Administration Guide.
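The sample records the text refers to are not reproduced on this page, so the following added example (not A10 code) models both behaviors for one 15-minute session with a 5-minute flow-timeout, and then shows the collector-side merge that the stable start time makes possible. The flow key, timestamps and the names export_records, merge_sessions and FLOW_TIMEOUT are constructed for this example.

```python
"""Model the NetFlow start-time/duration change described in the notes.

Added example (not A10 code). export_records() produces, for one long-lived
session, the records a 5-minute flow-timeout yields under the old behaviour
(start time reset to the previous export, duration restarted) and the 4.1.0
behaviour (start time fixed, duration cumulative). merge_sessions() is the
collector step the notes motivate: with a stable start time the records
collapse to one session. Flow key and timestamps are constructed.
"""

FLOW_TIMEOUT = 300  # seconds; the 5-minute flow-timeout used in the notes


def export_records(flow_key, start, end, timeout=FLOW_TIMEOUT, legacy=False):
    """Records exported for one session active from `start` to `end` (epoch seconds)."""
    records = []
    previous_export = start
    export_at = start + timeout
    while export_at <= end:
        records.append(_record(flow_key, start, previous_export, export_at, legacy))
        previous_export = export_at
        export_at += timeout
    if previous_export < end:  # final record when the session closes off-boundary
        records.append(_record(flow_key, start, previous_export, end, legacy))
    return records


def _record(flow_key, session_start, previous_export, now, legacy):
    if legacy:
        # Pre-4.1.0: start time jumps to the last export and duration restarts.
        return {"key": flow_key, "start": previous_export, "duration": now - previous_export}
    # 4.1.0 and later: start time is the real session start, duration keeps growing.
    return {"key": flow_key, "start": session_start, "duration": now - session_start}


def merge_sessions(records):
    """Fold records into sessions keyed by (flow key, start time).

    Duration is the largest value seen because 4.1.0+ reports it cumulatively.
    Records with different start times cannot be merged, which is exactly the
    problem the old format caused for the same session.
    """
    sessions = {}
    for record in records:
        key = (record["key"], record["start"])
        sessions[key] = max(sessions.get(key, 0), record["duration"])
    return sessions


if __name__ == "__main__":
    key = "10.0.0.1:54321->10.0.0.2:443/tcp"
    for legacy in (True, False):
        recs = export_records(key, start=1_700_000_000, end=1_700_000_900, legacy=legacy)
        print("legacy" if legacy else "4.1.0+", recs, "->", merge_sessions(recs))
```

With the old format the three records merge into three separate 5-minute sessions; with the new format they merge into one 15-minute session, which is what a collector keyed on (flow key, start time) needs in order to store a long-lived session once.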
Default Behavior Changes Between ACOS 4.0 and ACOS 4.0.1
In release 4.0.1, the default is changed so that the ACOS device uses the virtual port’s client SSL template configuration.
The default content extracted is common-name, but this may be configured to suit your specific needs for LDAP authentication.
NOTE: For more information about these options, see the “slb template client-ssl” command in the Command Line Interface Reference.
• Disable VRRP-A
• Force-Self-Standby
• Persistent Force-Self-Standby
• VRID Priority
Disable VRRP-A
ACOS 4.0 configuration:
no enable
disable
Force-Self-Standby
ACOS 4.0 configuration:
vrrp-a common
vrrp-a force-self-standby
Persistent Force-Self-Standby
ACOS 4.0 configuration:
vrrp-a common
vrrp-a force-self-standby vrid 3 persistent
vrrp-a vrid 0
fail-over-policy-template template1
vrrp-a vrid 0
blade-parameters
fail-over-policy-template template1
VRID Priority
ACOS 4.0 configuration:
vrrp-a vrid 0
priority 200
vrrp-a vrid 0
blade-parameters
priority 200
vrrp-a vrid 0
tracking-options
...
vrrp-a vrid 0
blade-parameters
tracking-options
...
show overlay-tunnel
• Bad IP Flags
• IPv4 Options
NOTE: These checks remain applicable on non-FPGA platforms. The full list,
including these checks, can be found in the IPv6 Transitions Solution
Guide.
Default Behavior Changes Between Legacy 2.x Releases and ACOS 4.x Releases
• Admin Roles
• IP-anomaly Filtering
In an slb template client-ssl configuration, the dh-param 512 option is no longer supported as of 4.1.1-P2. If you upgrade from 2.7.2-P10 to 4.1.1-P2 with a Diffie-Hellman configuration that uses dh-param 512 in an slb template client-ssl configuration, that configuration will no longer work; move the template to a larger DH parameter size before upgrading.
NOTE: For more information, see “Understanding L3V Partitions” in the Configuring Application Delivery Partitions Guide.
A new implementation of RBA, called Role-Based Access Control, is introduced in this release. This feature enables the creation of multiple users, groups, and roles with varying degrees of permissions.
NOTE: For more information, see “Role-Based Access Control” in the Management Access and Security Guide.
NOTE: For more information, see “L3V Partition Configuration” in the Configuring Application Delivery Partitions Guide.
NOTE: For more information, see “Understanding L3V Partition Profiles” in the Configuring Application Delivery Partitions Guide.
NOTE: For more information, see “show partition” in the Configuring Application Delivery Partitions Guide.
NOTE: For more information, see “Enabling SLB or CGN in Partition” in the Configuring Application Delivery Partitions Guide.
NOTE: For more information, see the Configuring VRRP-A High Availability Guide.
Admin Roles
The ACOS 4.x releases support only 5 admin roles, compared to 12 in previous releases. The following Table 2 summarizes this information:
The script must be modified to include a delay of a few seconds between actions.
In previous releases, ACOS automatically re-tried the action after two seconds; this is no longer the case
in 4.0.
In the legacy 2.x releases, the following section of show running-config output would indicate that interface ethernet 5 is enabled and ethernet 6 is disabled:
interface ethernet 5
trunk-group 1
!
interface ethernet 6
disable
trunk-group 1
!
In the ACOS 4.x CLI, the same configuration would be shown as follows:
interface ethernet 5
enable
trunk-group 1
!
interface ethernet 6
trunk-group 1
!
The “non-default” state of enabled is explicitly shown, while the “default” state of disabled is not
shown.
In ACOS 2.x releases, the “GZIP” field is always present in the output and shows whether a hardware-based compression module is installed on the device; a “0” in this field means that hardware-based compression is not supported.
In ACOS 4.x releases, this field appears only if a GZIP module is installed on the device.
On receipt of an IPv6 packet for which no MAC address exists in the neighbor table, the new behavior is that a Neighbor Discovery (ND) message is sent for that packet and a two-second timer is started. No further ND messages are sent for the unresolved packet for 20 ms.
After five unresolved ND messages have been sent for a given neighbor within the two-second timer, no additional messages are sent.
IP-anomaly Filtering
In ACOS 2.x releases, IP anomaly filtering is disabled by default for all anomaly types except ip-option.
In ACOS 4.x releases, IP anomaly filtering is disabled by default for all anomaly types, including ip-option. If you relied on the 2.x default, enable ip-option filtering explicitly after upgrading.
This differs from 2.7.x which would display the selected time range even if there was no data.
Layer 2 MAC learning and Layer 2 forwarding on the default VLAN may be enabled using the vlan-global enable-def-vlan-l2-forwarding command in global configuration mode.
In ACOS 4.x releases and later, you must specify the word representing the severity level; specifying the
severity level number is invalid.
To enable NTP to listen on data ports, use the ntp allow-data-ports command.
In ACOS 4.x releases, this command is not saved to the running configuration, and therefore must be
reconfigured after each reload or reboot operation.
The ACOS 2.7.2 release allows you to configure MTU on ethernet interfaces even if they are part of the
trunk. The ACOS 4.x release does not allow you to configure MTU on ethernet interfaces, if they are a
member of the trunk.
This causes the MTU configuration to be rejected by the system when upgrading from 2.7.2 to 4.x. After the upgrade the MTU line is still present under the interface in the startup configuration but is absent from the running configuration, as shown below.
ACOS#show run
!Current configuration: 435 bytes
!Configuration last updated at 15:40:35 CST Tue Apr 25 2017
!Configuration last saved at 15:40:35 CST Tue Apr 25 2017
!64-bit Advanced Core OS (ACOS) version 4.1.1-P3, build 45 (Jun-5-2017,11:44)
!
partition p1 id 11
!
partition p2 id 12
!
tftp blksize 32768
!
hostname TH3030S
!
timezone Asia/Shanghai
!
system-jumbo-global enable-jumbo
!
interface management
ip address 10.16.21.109 255.255.255.0
ip default-gateway 10.16.21.1
!
interface ethernet 1
name test-eth
load-interval 10
duplexity Full
speed 1000 ===> MTU not here in running config since it is rejected from system
flow-control
enable
lldp enable rx
trunk-group 1
!
ACOS(config)#show start
Show configuration profile "empty2_40"
Building configuration...
!
timezone Asia/Shanghai
!
system-jumbo-global enable-jumbo
!
interface ethernet 1
trunk-group 1
interface ethernet 2
trunk-group 1
!
interface ethernet 3
trunk-group 2
interface ethernet 4
trunk-group 2
!
interface management
ip address 10.16.21.109 255.255.255.0
ip default-gateway 10.16.21.1
!
interface ethernet 1
name "test-eth"
mtu 1300 ===> MTU in startup configuration
flow-control
speed 1000
duplexity Full
lldp enable rx
monitor both
load-interval 10
enable
What’s New
This chapter provides a brief overview of the new features added in each 4.1.1 patch release. This chapter has the following topics:
NOTE: Starting from the ACOS release versions 4.1.1-P12 and 4.1.4, an additional check prevents the user from configuring the no-dest-nat feature under a virtual-server if the same service-group under that virtual-server is also bound to another virtual-server. In some cases there is a specific requirement to bind one service-group under multiple virtual-servers with no-dest-nat enabled. To accommodate such requirements, a new
ACOS 4.1.1-P13 New Features
Network Enhancements
The following updates and feature enhancement details are included in the ACOS 4.1.1-P13 release.
NOTE: Customers upgrading from ACOS 4.1.1-P11 or older who already have a configuration in place that binds the same service-group to multiple virtual-servers with no-dest-nat enabled must contact A10 Networks® support before upgrading to the latest release, because the configuration needs to be updated after the upgrade. Such users are also recommended to schedule downtime for the upgrade to avoid any impact.
• In some cases, the user needs to bind one service-group under multiple virtual-servers whose ports have no-dest-nat enabled.
• To accommodate such requirements, a new configuration option is added from the ACOS 4.1.4-GR1-P3 release version onwards:
slb common
service-group-on-no-dest-nat-vports allow-same
• With this option, the same service-group may be configured on different VIPs whose ports use no-dest-nat.
• ACOS then allows the same service-group to bind to multiple virtual ports, or to virtual ports on different VIPs.
Health checking in DSR mode is incompatible with this: if dsr-health-check-enable is set and the same service-group is bound on multiple no-dest-nat virtual ports, the DSR health check is not supported.
ACOS 4.1.1-P12 New Features
CLI Configuration
The new command service-group-on-no-dest-nat-vports has the following options to support this feature:
• enforce-different: Enforces that the same service-group cannot be bound on different no-dest-nat virtual ports (the default).
• allow-same: Allows the same service-group to be bound on different no-dest-nat virtual ports.
• This configuration is supported in both shared and L3V partitions.
GUI Configuration
• A new field Service Group Binding on no-dest-nat vPorts is added under ADC > SLB >
Global page with drop-down list options, as “Allow Same” and “Enforce Different”.
• The default option is “Enforce Different”.
aXAPI Configuration
NOTE: For more details, see the latest edition of the release-specific aXAPI Reference Guide.
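Two of the upgrade-breaking patterns in these notes can be found in a saved configuration before the upgrade: an mtu on an ethernet interface that is a trunk-group member (rejected on the 2.7.2 to 4.x upgrade, see the running and startup configurations in the Legacy 2.x section) and one service-group bound to several no-dest-nat virtual ports (blocked from 4.1.1-P12 unless slb common carries service-group-on-no-dest-nat-vports allow-same). The following is an added example, not A10 tooling, that checks both. The interface block layout follows the configuration shown on this page; the slb virtual-server / port / no-dest-nat / service-group nesting, the two-space indentation and the sample configuration are assumptions constructed for the example, as are the function names.

```python
"""Audit an ACOS-style config for two upgrade-breaking patterns from the notes:
an 'mtu' on an ethernet interface that is a trunk-group member (rejected on the
2.7.2 -> 4.x upgrade) and one service-group bound to several no-dest-nat virtual
ports (blocked from 4.1.1-P12 unless 'slb common' has
'service-group-on-no-dest-nat-vports allow-same'). Added example, not A10 tooling.
The interface layout follows the running-config in the notes; the virtual-server
/ port nesting, two-space indentation and the sample config are assumptions.
"""
from collections import defaultdict


def parse_blocks(text):
    """(header, [child lines]) per top-level block. '!' lines are skipped and a
    header may repeat (the notes' startup config lists interface ethernet 1 twice)."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def trunk_member_mtu(blocks):
    """Interfaces with both 'mtu' and 'trunk-group': 4.x drops the mtu line."""
    by_interface = defaultdict(list)
    for header, body in blocks:
        if header.startswith("interface ethernet "):
            by_interface[header].extend(body)  # merge repeated interface blocks
    return sorted(h for h, body in by_interface.items()
                  if any(l.startswith("mtu ") for l in body)
                  and any(l.startswith("trunk-group ") for l in body))


def allow_same_configured(blocks):
    """True if 'slb common' opts in to sharing a service-group across no-dest-nat vports."""
    return any(h == "slb common" and "service-group-on-no-dest-nat-vports allow-same" in body
               for h, body in blocks)


def shared_no_dest_nat_service_groups(blocks):
    """service-group -> [(virtual-server, port)] for groups on more than one no-dest-nat vport."""
    bindings = defaultdict(list)
    for header, body in blocks:
        if not header.startswith("slb virtual-server "):
            continue
        vip, vports = header.split()[2], []
        for line in body:
            if line.startswith("port "):  # 'port 80 tcp' opens a new virtual port
                vports.append({"port": " ".join(line.split()[1:3]), "no_dest_nat": False, "sg": None})
            elif not vports:
                continue  # virtual-server level settings before the first port
            elif line == "no-dest-nat":
                vports[-1]["no_dest_nat"] = True
            elif line.startswith("service-group "):
                vports[-1]["sg"] = line.split()[1]
        for vport in vports:
            if vport["no_dest_nat"] and vport["sg"]:
                bindings[vport["sg"]].append((vip, vport["port"]))
    return {sg: where for sg, where in bindings.items() if len(where) > 1}


def audit(text):
    """Human-readable findings for both patterns."""
    blocks = parse_blocks(text)
    findings = [f"{iface}: mtu on a trunk member is rejected after upgrade to 4.x"
                for iface in trunk_member_mtu(blocks)]
    if not allow_same_configured(blocks):
        for sg, where in shared_no_dest_nat_service_groups(blocks).items():
            findings.append(f"service-group {sg} bound on no-dest-nat vports {where}: "
                            "set allow-same or use one service-group per VIP")
    return findings


# Constructed sample, adapted from the startup config shown in the notes.
SAMPLE_CONFIG = """\
!Current configuration: constructed sample
interface ethernet 1
  trunk-group 1
!
interface ethernet 1
  name "test-eth"
  mtu 1300
  enable
!
slb virtual-server vip1 10.1.1.1
  port 80 tcp
    no-dest-nat
    service-group sg-web
slb virtual-server vip2 10.1.1.2
  port 80 tcp
    no-dest-nat
    service-group sg-web
  port 443 tcp
    service-group sg-web
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The port 443 binding in the sample is deliberately not flagged: without no-dest-nat on that port it does not fall under the new check. Appending an slb common block with allow-same removes the service-group finding but not the mtu finding, which only a configuration change before the upgrade can fix.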
ACOS 4.1.1-P10 New Features
• SSLi Enhancements
• Platform Enhancements
Formerly, all ACOS admins with any type of Write privilege had access to these services. With this enhancement, by default all ACOS admins except the ACOS root admin are not allowed to import, create, edit/modify, or delete External Health Monitor scripts. Only system-level ACOS admins with Read-Write (R/W) privilege who are specifically assigned this new privilege are permitted to perform these operations on External Health Monitor scripts.
In ACOS, these monitoring scripts have broad and intimate access throughout the ACOS system. Accordingly, this new privilege is not available to partition-constrained ACOS admins, and it should be treated as equivalent to full system access when deciding who receives it.
In addition to adding this privilege setting to CLI commands and GUI pages, corresponding access settings were added to the TACACS+, RADIUS, and LDAP interfaces for externally authenticated environments.
NOTE: For more information, see the Application Delivery and Server Load Balancing Guide (Using External Health Methods section) and the Management Access and Security Guide.
SSLi Enhancements
This section has the following topic:
However, this behavior could create a security gap, especially on initial connections: when a cached forged certificate expired, all subsequent connections were either reset or bypassed (forwarded without inspection) until a new forged certificate was ready.
To address this, a new configuration option in the client-SSL template lets you buffer all new connections to a server until the forged certificate is ready. In an SSLi deployment with OCSP and CRL checking, new connections are buffered until a verification result response is received from the server.
NOTE: The default for this SSLi option is still to bypass all new connections. To buffer new connections to a server instead, the SSLi connection buffer option must be enabled through the ACOS CLI or ACOS GUI. With the default, traffic to a site whose cached certificate has expired is forwarded uninspected for the duration of the regeneration window.
The following is the help output for the certificate-not-ready action; the intercept option is the new addition:
ACOS_decrypt(config-client ssl)#forward-proxy-cert-not-ready-action ?
bypass bypass the connection(default)
reset reset the connection
intercept wait for cert and then inspect the connection
Platform Enhancements
This section has the following topic:
• Scenario
• Important
ACOS 4.1.1-P9 New Features
Scenario
The scenario for this feature is as follows:
• The second and third servers are considered the standby servers.
• Requests are sent to the most recently used server.
• Otherwise, the active server receives the requests by default.
Important
In this scenario, consider the following points:
• The new CLI and aXAPI changes are not supported in L3V partitions.
ACOS 4.1.1-P8 New Features
• SLB Enhancements
• SSLi Enhancements
The disable-management service command on the management port disables the specified service. For example, the HTTPS service is disabled on the management port with the disable-management service https command. The service cannot be enabled by an ACL until the disable-management service command is removed from the configuration.
The Telnet service is disabled on the management port and cannot be enabled through any method without explicitly enabling Telnet through an enable-management service command.
These commands enable the Telnet service for IPv4 and IPv6 traffic.
These commands enable the Telnet service for ACL-15 hosts on the management port.
ACOS(config-enable-management telnet-acl...)#
SLB Enhancements
The following enhancements are introduced for Server Load Balancing. This section has the following topic:
This feature is enabled through the reset-follow-command, which is available through the SLB TCP template.
Previously, when a health check was initiated for a sub-monitor within a compound health monitor, ACOS translated it to the port found in the service-group to vport binding, not the override-port meant for the actual sub-monitor. This feature programs ACOS to look up the actual sub-monitor to use when translating this packet for a DSR health check.
Feature limitations include: 1) the compound health monitor must be bound to the service group, not directly to the real server or real server port; and 2) to perform DSR health checks using compound monitors on multiple VIPs, a different service group must be used by each DSR VIP.
• The show health stat command output is modified so that the summary table includes a column for Reason (UP/DOWN):
ACOS# show health stat
Health monitor statistics
Total run time: : 0 hours 29 minutes 14 seconds
Number of burst: : 0
max scan jiffie: : 5
min scan jiffie: : 1
average scan jiffie: : 2
Opened socket: : 3547
Open socket failed: : 0
Close socket: : 3542
Connect failed: : 0
Send packet: : 3054
Send packet failed: : 0
Receive packet: : 2355
Receive packet failed: : 348
Retry times: : 263
Timeout: : 350
Unexpected error: : 0
Conn Immediate Success: : 0
Socket closed before l7: : 0
Socket closed without fd notify: : 0
Configured health-check rate(/500ms) : Auto configured
Current health-check rate(/500ms) : 4
External health-check max rate(/200ms) : 2
Total number: : 15
Status UP: : 10
Status DOWN: : 5
Status UNKN: : 0
Status OTHER: : 0
• The show health monitor <name> command is modified to include the UP (or DOWN) reason:
ACOS# show health monitor http2
Monitor Name: http2
Interval: 5
Max Retry: 3
Timeout: 5
Up-Retry: 1
Status: In use
Method: HTTP
Attribute: port=80
url="GET /"
Health-check:
--------------------------------------------------------
Up reason: HTTP Status Code OK
Monitor name: http2
Method: HTTP
Attribute: port=80
url="GET /"
Wait for HTTP response:False
L4 conn made: 8764
L4 errors: 0
Health-check average RTT (us):10333
Health-check current RTT (us):11620
Health-check average TCP RTT (us):5002
Health-check current TCP RTT (us):7620
Status code received: 200
HTTP requests sent: 8764
HTTP errors: 0
Received OK: 8764
Received error: 0
Response timeout: 0
--------------------------------------------------------
Service information:
Service: s3(20.20.15.11):80 UP HTTP Status Code OK
ACOS#
SSLi Enhancements
The following enhancements are introduced for SSLi. This section has the following topics:
• Support for Revoking Certificate From the Cache and Generating CRL
• Support for Dropping, Rejecting, or Forwarding Connections Based on EKU Fields for Certificates
NOTE: The user can configure this feature by using either the ACOS GUI or CLI.
For more information, see SSL Insight Configuration Guide.
In earlier ACOS releases, exception lists based on Server Name Indication (SNI) were supported. An AC class list is defined to match the SNI in an SSL client hello message to decide whether to bypass or inspect a packet in an SSLi setup. This feature is now extended to support exception lists that include elements such as IP addresses, SNIs, and matching of the certificate subject or issuer for all cipher suites. Cipher suites must be validated against the appropriate RFC or NIST standard. Unless this new option is configured, the SNI in the client-hello message is used by default to decide between bypass and inspection.
NOTE: The user can configure this feature by using either the ACOS GUI or CLI.
For more information, see SSL Insight Configuration Guide.
In order to resolve the OCSP and CRL URLs, the ip dns primary configuration in the shared partition must be set. The ip dns primary configuration is required in the shared partition if the ACOS encrypt and ACOS decrypt zones are in private partitions, as it is a global configuration. The route for ip dns primary must also be configured as the default gateway of the management IP.
For the legacy SSLi L3V configuration, the dynamic-service template is configured under the virtual port. However, this configuration is not required for IP-less OCSP and CRL requests. The dynamic-service template must have IP addresses configured for sending out packets, which does not work for this feature. If there is an slb svm-source-nat pool configured, the NAT pool IP is used instead of the client IP to fetch OCSP and CRL requests.
• Specify the correct outgoing port on the dummy MAC entry with the command: mac-address mac_address port port_number vlan vlan_id redirect-dummy-mac
• The port and vlan mentioned in the dummy MAC configuration must be on the gateway. The vlan is only for configuration. The client vlan is preserved while forwarding packets to the gateway.
• Configure use-rcv-hop-for-resp under the virtual ports, as this decides the client-side network ports.
• Details
• GUI Configuration
Details
A new SSLi status page is displayed when traffic is blocked, with the following details. Customized information can be included for the ACOS administrator to track the issue:
• Decryption failure - All certificate responses that return a generic HTTP error have an IT policy. A level of detail is provided to determine whether a certificate was blocked or the handshake failed. A web server
instance on ACOS redirects the user to the custom messages. A log message is generated with the reason.
• Connection drop - A warning page provides information regarding the SSLi failure when a connection is dropped.
• OCSP blocks for revoked or non-trusted certificates - This is also available for URL filtering. If a user is blocked from a category or class-list within the URL filtering policy, a level of customization is provided for the returned response.
• Corporate policy section.
To configure a custom message for the three forward-proxy “action” commands, use the new option called “block”:
To configure the “block” custom message applicable to the above three commands configured with forward proxy, use:
GUI Configuration
A friendly SSLi status page is displayed so that the users can see that data traffic is blocked.
• Details
• CLI Configuration
Details
ACOS provides an option to enable or disable the default behavior for ICAP logging. The default behavior is to send a log for all methods to the system log. This allows logging of system actions that send traffic to the ICAP server(s) for all HTTP/HTTPS methods. An option is provided to send only the PUT and POST methods to ICAP with allowed-http-methods “PUT POST”, or to send all method logs.
CLI Configuration
The new option can be configured to change the default behavior from logging all methods to sending logs only for the methods defined with the allowed-http-methods command. With the log-only-allowed-method option, only the allowed HTTP methods are logged in the “Request Mode” or “Response Mode” ICAP templates.
This option is also available in aFlex, to be used with the CATEGORY command and ICAP disable, for advanced ICAP filtering.
NOTE: For more information, see aFlex Scripting Language Reference Document.
Support for Revoking Certificate From the Cache and Generating CRL
ACOS supports revoking certificates generated by SSLi if the certificates are leaked. Revoked certificates are identified by their serial numbers. If a certificate is revoked from the cache, a CRL is generated and provided to the clients connected to SSLi, providing information about the revoked certificates.
• When the CRL is generated, the list is read, put into CRL format, and signed by using the forward-proxy-ca-key.
• The CRL is generated manually and then exported to a location reachable by the clients.
NOTE: You can configure this feature by using either the ACOS GUI or CLI. For
more information, see SSL Insight Configuration Guide.
Support for Dropping, Rejecting, or Forwarding Connections Based on EKU Fields for Certificates
ACOS supports granting or denying access to an SSL site based on the certificate Extended Key Usage (EKU) fields defined in RFC 5280. Connections can be dropped, rejected, or forwarded based on the value of extended fields, such as code signing or mutual authentication, in the certificate representing the Internet server to the internal clients.
NOTE: For more information, see aFlex Scripting Language Reference Document.
ACOS 4.1.1-P7 New Features
The following example shows that the AAM configuration is changed to HTTP version 1.1:
ACOS 4.1.1-P6 New Features
NOTE: For more information, see the “enable”, “disable”, and “disable-with-health-check” commands in the “Config: Commands: SLB Servers” chapter of the Command Line Interface Reference for ADC.
Path MTU Discovery (PMTUD) is a process that calculates the ideal MTU along a network path so that IP fragmentation does not occur. PMTUD works with the help of ICMP or ICMPv6 messages between various points in the network and the source, so that the source and destination can converge on an optimum MTU value. This convergence ensures that packet fragmentation along the network path does not occur. However, PMTUD may not work correctly in some networks, as many security devices block the ICMP messages.
In such circumstances, a workaround is to use maximum segment size (MSS) clamping. In MSS clamping, the source and the destination are configured with an MTU lower than 1500 bytes. TCP MSS clamping is supported on Gi-FW.
Use the ACOS CLI to set the maximum and minimum TCP MSS values, as well as the value to subtract from the configured maximum MSS value if the configured MSS value exceeds the MTU of the network.
NOTE: For the CGN sessions that are based on CGN rules, use the CLI command cgnv6 tcp mss-clamp to configure MSS clamping. For more information about the command syntax, see the Command Line Interface Reference for CGN Guide.
You can use the ACOS CLI to set the maximum, minimum, and subtracted TCP MSS values.
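What MSS clamping actually does to a TCP SYN, as an added Python example that is not part of the release notes or of ACOS: it walks the TCP option block, lowers a Maximum Segment Size option that exceeds the clamp value, and recomputes the TCP checksum over the IPv4 pseudo-header so the rewritten SYN is still accepted by the peer. The SYN, the addresses and the clamp value (an MTU of 1440 bytes, hence an MSS of 1400) are constructed here; the maximum/minimum/subtract semantics of the ACOS command are not modelled, only the rewrite itself.

```python
import struct

# TCP option kinds (RFC 793 for EOL/NOP/MSS, RFC 7323 window scale, RFC 2018 SACK-permitted)
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def mss_for_mtu(mtu, ipv6=False):
    """Largest TCP payload that fits one unfragmented packet on a path with this MTU."""
    return mtu - (60 if ipv6 else IPV4_TCP_OVERHEAD)


def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment.
    Returns 0 when `segment` already carries a correct checksum."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_mss(segment, max_mss):
    """Walk the option block of a TCP segment; if an MSS option exceeds max_mss,
    lower it. Returns (segment, original_mss, resulting_mss); both MSS values are
    None when there is no MSS option. Malformed options stop the walk."""
    data_offset = (segment[12] >> 4) * 4
    opts = bytearray(segment[20:data_offset])
    old = new = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break  # kind byte without a length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break  # length field inconsistent with the option block
        if kind == TCPOPT_MSS and length == 4:
            old = struct.unpack_from("!H", opts, i + 2)[0]
            new = min(old, max_mss)
            struct.pack_into("!H", opts, i + 2, new)
        i += length
    return bytes(segment[:20]) + bytes(opts) + bytes(segment[data_offset:]), old, new


def clamp_syn(segment, src_ip, dst_ip, max_mss):
    """Clamp the MSS in a SYN and fix up the checksum so the peer accepts it."""
    seg, old, new = rewrite_mss(segment, max_mss)
    if old is None or old == new:
        return segment, old, new  # nothing changed, the existing checksum is still valid
    seg = seg[:16] + b"\x00\x00" + seg[18:]  # zero the checksum field before recomputing
    csum = tcp_checksum(src_ip, dst_ip, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:], old, new


def build_syn(src_ip, dst_ip, mss, sport=40000, dport=443):
    """Constructed sample SYN: MSS, two NOPs, SACK-permitted, window scale 7, NOP pad."""
    opts = (struct.pack("!BBH", TCPOPT_MSS, 4, mss)
            + bytes([TCPOPT_NOP, TCPOPT_NOP, 4, 2])
            + bytes([3, 3, 7, TCPOPT_NOP]))
    offset_flags = (((20 + len(opts)) // 4) << 12) | 0x02  # data offset in words, SYN flag
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, offset_flags, 65535, 0, 0)
    seg = header + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10])  # constructed addresses
    syn = build_syn(src, dst, 1460)
    clamped, before, after = clamp_syn(syn, src, dst, mss_for_mtu(1440))
    print("MSS %d -> %d, checksum ok: %s" % (before, after, tcp_checksum(src, dst, clamped) == 0))
```

The checksum step is the part that is easy to forget when reasoning about clamping: the device changes bytes inside the TCP header, so a SYN forwarded with the old checksum would be discarded by the destination host rather than negotiated at the smaller segment size.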
The aFleX command for disabling ICAP for the current HTTP flow is as follows:
Syntax: ICAP::disable
If ICAP::disable is executed, ICAP processing for the current request is disabled. For subsequent requests in the same session, ICAP is still enabled.
aFleX has the highest precedence over other configuration features, so if the aFleX ICAP::disable command is executed for the current request, no other feature can re-enable ICAP.
• HTTP_REQUEST
• HTTP_RESPONSE
• HTTP
• HTTPS
Example Configuration:
when HTTP_REQUEST {
    set method [HTTP::method]
    if { ($method matches "POST") or ($method matches "PUT") } {
        # follow the ICAP policy configured with CLI
        return
    } else {
        # disable ICAP template policy
        ICAP::disable
    }
}
Syntax: CATEGORY::lookup
Valid Events:
Input:
Output:
abortion
adult-and-pornography
alcohol-and-tobacco
auctions
bot-nets
business-and-economy
cdns
cheating
computer-and-internet-info
computer-and-internet-security
confirmed-spam-sources
cult-and-occult
dating
dead-sites
drugs
dynamic-comment
educational-institutions
entertainment-and-arts
fashion-and-beauty
financial-services
food-and-dining
gambling
games
government
gross
hacking
hate-and-racism
health-and-medicine
home-and-garden
hunting-and-fishing
illegal
image-and-video-search
internet-communications
internet-portals
job-search
keyloggers-and-monitoring
kids
legal
local-information
malware-sites
marijuana
military
motor-vehicles
music
news-and-media
nudity
online-greeting-cards
open-http-proxies
parked-domains
pay-to-surf
peer-to-peer
personal-sites-and-blogs
personal-storage
philosophy-and-politics
phishing-and-other-fraud
private-ip-addresses
proxy-avoid-and-anonymizers
questionable
real-estate
recreation-and-hobbies
reference-and-research
religion
sampling-enable
search-engines
sex-education
shareware-and-freeware
shopping
social-network
society
spam-urls
sports
spyware-and-adware
stock-advice-and-tools
streaming-media
swimsuits-and-intimate-apparel
training-and-tools
translation
travel
uncategorized
unconfirmed-spam-sources
violence
weapons
web-advertisements
web-based-email
web-hosting-sites
Sample Configuration
The following configuration allows only the POST and PUT methods. For these methods, ICAP is disabled for the matching category or class-list.
The last section of the configuration looks for the signal header on port 80, for the decrypted traffic.
when HTTP_REQUEST {
    set method [HTTP::method]
    set icap_disable 0
    if { not ( $method equals "POST" or $method equals "PUT" ) } {
        log " method is $method"
        set icap_disable 1
    } elseif { $method equals "POST" or $method equals "PUT" } {
        set ctg [CATEGORY::lookup [HTTP::host]]
        log "check category $ctg"
        if { $ctg contains "personal-storage" or $ctg contains "personal-sites-and-blogs" } {
            log " category match"
            set icap_disable 1
        } elseif { [CLASS::match [HTTP::host] equals Bypass_Class_List] } {
            log " host match ICAP disable"
            set icap_disable 1
        }
    }
    if { $icap_disable } {
        log "icap_disable set to $icap_disable"
        ICAP::disable
    }
}
• ethernet
• lif
• loopback
• trunk
• tunnel
• ve
The IP address on the configured interface is used as the source IP address when the service is initiated from ACOS. The use-mgmt-port option with management services uses the source IP address configured in the ip mgmt-traffic service source-interface command. IPv6 is not supported for the ip mgmt-traffic service source-interface command.
NOTE: For more information on syntax and usage guidelines for the command, see the CLI Reference Guide.
The following Table 3 shows the legacy HA commands and their VRRP-A equivalents that are applied during this automated upgrade process.
NOTE: Many of the VRRP-A commands are further changed in the ACOS 4.x releases and are no longer the same as their legacy 2.7.x or 2.8.x equivalents; this migration is performed by the ACOS 4.x migration script.
• The exception class-list does not apply to forward-proxy-bypass client-auth, as this is used to let client authorization go through.
• Web-category is not supported for client-auth bypass.
• The SNI extension must be present in the client hello message. If the SNI extension is not present, the connection is intercepted by default.
• You can configure the exception list by using the CLI.
ACOS(config-client ssl)#forward-proxy-bypass ?
equals Forward proxy bypass if SNI string equals another string
exception-class-list Exceptions to forward-proxy-bypass
starts-with Forward proxy bypass if SNI string starts with another string
The following configuration example is of an SSLi deployment that bypasses interception of all search engines except google, espn, and bing. Since the precedence of the bypass exception list is higher, espn is intercepted although it is configured both for forward proxy bypass and as a member of the exception list. The code highlighted in blue in the original is an example of the SSLi Forward Proxy Bypass Exception List feature.
class-list dest ac
contains bing
contains google
contains espn
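The decision order described above (no SNI means intercept; the exception class-list outranks forward-proxy-bypass; otherwise a bypass match bypasses), as an added Python example that is not part of the release notes or of ACOS. The matcher kinds mirror the forward-proxy-bypass help output (equals, starts-with) and the class-list keyword (contains); the policy is constructed from the class-list above, and the exception list containing espn is an assumption, since the notes describe it but do not print it.

```python
# Matcher kinds: "equals" and "starts-with" from the forward-proxy-bypass help output,
# "contains" from the class-list shown in the sample configuration.
MATCHERS = {
    "equals": lambda sni, pat: sni == pat,
    "starts-with": lambda sni, pat: sni.startswith(pat),
    "contains": lambda sni, pat: pat in sni,
}


def matches_any(sni, rules):
    """rules: iterable of (kind, pattern). Host names are compared case-insensitively."""
    sni = sni.lower()
    return any(MATCHERS[kind](sni, pattern.lower()) for kind, pattern in rules)


def ssli_decision(sni, bypass_rules, exception_rules):
    """Return "bypass" or "intercept" for one Client Hello, applying the precedence
    stated in the release notes: no SNI -> intercept by default; an exception-list
    match -> intercept even if a bypass rule also matches; bypass match -> bypass."""
    if not sni:
        return "intercept"
    if matches_any(sni, exception_rules):
        return "intercept"
    if matches_any(sni, bypass_rules):
        return "bypass"
    return "intercept"


# Constructed policy modelled on the sample: class-list "ac" bypasses bing, google and espn;
# the exception list (assumed here, not printed in the notes) re-intercepts espn.
BYPASS_RULES = [("contains", "bing"), ("contains", "google"), ("contains", "espn")]
EXCEPTION_RULES = [("contains", "espn")]


def decide(sni):
    """Evaluate one SNI against the constructed policy."""
    return ssli_decision(sni, BYPASS_RULES, EXCEPTION_RULES)
```

Keeping the exception check ahead of the bypass check is what makes the list a safe override: an operator can widen a bypass rule (for example a broad starts-with) without the exceptions silently losing effect.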
ACOS 4.1.1-P5 New Features
no-dest-nat port-translation
• GUI Enhancements
• Licensing Enhancements
NOTE: For more information about any of the following A10 Harmony Controller enhancements, see the A10 Harmony Controller Integration Guide.
ACOS 4.1.1-P4 New Features
Object registration in this release is focused on analytics. Therefore, only the “top names”, “keys” and similar data are sent to the A10 Harmony Controller; device config information is not sent to the controller.
If an upgrade is already in progress, an HTTP 409 (Conflict) response is returned with the following JSON body:
{
    "response": {
        "status": "fail",
        "err": {
            "code": 520734987,
            "from": "BACKEND",
            "msg": "Another upgrade process exists."
        }
    }
}
For all other errors, such as a disk-full error or an incorrect image, an HTTP 202 response is returned.
Use /axapi/v3/system/upgrade-status/oper to check the aXAPI upgrade status after receiving the accept response.
GUI Enhancements
The following topics are covered in this section:
• Single Sign-on Support from Harmony Controller GUI to the Thunder ADC GUI
Single Sign-on Support from Harmony Controller GUI to the Thunder ADC GUI
Once registered and logged into the Harmony Controller GUI, the Harmony Controller generates a secure, signed JSON token that enables you to access the Thunder ADC GUI without a second sign-on.
Licensing Enhancements
The following topic is covered in this section:
your license before the license expiry date. Unlike previous license models supported by A10 Networks, the capacity pool license is not node locked. You can configure multiple ACOS devices to share bandwidth from the common license pool. You can also upgrade or downgrade the capacity of the pool without disrupting service to your ACOS devices. Additionally, if an ACOS device does not require the assigned bandwidth, the device has an option to return the bandwidth to the pool. An ACOS device can also request more bandwidth from the capacity pool. You can apply a license to an ACOS device for capacity pool bandwidth by using any of the following methods:
• Using VM Cloning
NOTE: Capacity pool license commands may be available for your ACOS device. However, the feature is currently supported for vThunder and Bare Metal devices running ACOS version 4.1.1-P4 or later. These ACOS devices can run any supported ACOS appliance such as Application Delivery Controller (ADC), Carrier Grade NAT (CGN), and Convergent Firewall (CFW). For all other A10 devices, the feature is included for evaluation purposes and is not intended to be deployed in a production environment.
NOTE: For more information about the capacity pool license, see the Capacity Pool License User Guide.
See the Clearing Unused Real Server Ports section in the Application Delivery and Server Load Balancing Guide and the clear slb unused-server-ports command description in the Command Line Interface Reference for ADC for detailed information.
NOTE: For more information on the command, see the ACOS 4.1.1-P4 Command Line Interface Reference for SLB Guide.
ACOS 4.1.1-P3 New Features
NOTE: For a configuration example based on this command, see the ACOS 4.1.1-P4 SSLi User Guide.
• Security Enhancements
Both deployment examples are partition independent and can be deployed with or without L3V partitions. Additionally, both deployment examples require at least one IP address for the internal configuration. For more information, see the SSL Insight Configuration Guide.
relay SNI information without the interfering message (A10-FP header), run the following commands on the shared partition:
ACOS(config-common)# ssli-sni-hash-enable
NOTE: If this feature is enabled for a two-device dynamic port deployment, or the security device modifies the IP address or port number, the outside SSLi virtual service does not include the SNI information.
NOTE: For further guidance on A10 products and their support for FIPS Level 2, see the “FIPS Support” chapter in the System Configuration and Administration Guide.
Security Enhancements
The following topic is covered in this section:
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ACOS 4.1.1-P2 New Features
• GiFW Enhancements
• Security Enhancements
• Monitoring Enhancements
• Platform Enhancements
• Cloud Enhancements
NOTE: The authentication method can be either form-based or HTTP; that is, aam authentication logon form-based or aam authentication logon http-authenticate.
CLI Changes
Four existing CLI commands are modified and one command is entirely new:
• Under the aam authentication logon http-authenticate command, the auth-method basic challenge-response-form sub-command is enhanced by the addition of the “challenge-page page-name challenge-variable variable-name” parameters in the command syntax. The new fields in this command apply the custom challenge form to the authentication method named in this command.
• Under the aam authentication logon form-based command, the portal name logon name sub-command is enhanced by adding the challenge-page page-name option to bind the custom challenge page to the named logon portal.
• The aam authentication logon form-based command can now also be associated with the challenge page variable specified in the authentication method. This binding is provided by the new challenge-variable variable-name sub-command under the aam authentication logon form-based command.
• The output of the show aam authentication logon http-authenticate command displays two new fields:
• Challenge page name
• Challenge variable name
• The output of the show aam authentication logon form-based command also displays these new fields:
• Logging Enhancements
However, if a real error occurs, the CLI deployment process stops and returns a 40X response.
For configuration commands, the response is in JSON format; for show commands, the response is in plain text format, namely the screen output of the CLI.
If the executed CLI deploy commands contain an error, this feature allows a detailed error information response in both JSON and plain text output formats.
A new filter, “mixed”, with the valid filter value "true" (/axapi/v3/clideploy?mixed=true) is introduced on the endpoint /axapi/v3/clideploy.
When this filter is on, the error response is returned in multipart/alternative format, which lets you choose between the error response in JSON and in plain text.
Example
The sample below includes JSON data and plain text data as alternative choices.
Content-Type: text/plain
ACOS(config-real server)#asdfasdfas
^
% Unrecognized command.Invalid input detected at '^' marker.
Done
------a10-axapi-1480694497157325--
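How a client consumes the multipart/alternative error response, as an added Python example that is not part of the release notes or of the aXAPI client library: it splits the body into its alternatives with the standard library's email parser, decodes the JSON part with a JSON parser and the text/plain part as CLI screen output, and falls back to a single part when the mixed filter is off. The sample body is constructed: the boundary value is inferred from the delimiter line in the sample above (a delimiter is "--" followed by the boundary), and the application/json part is invented here, since the notes only print the text/plain part.

```python
import email
import json

# Constructed sample of a clideploy error response with mixed=true. The boundary value is
# inferred from the delimiter line in the release notes (a delimiter is "--" + boundary);
# the application/json part is constructed here, as the notes only print the text/plain part.
SAMPLE_RESPONSE = """\
Content-Type: multipart/alternative; boundary="----a10-axapi-1480694497157325"

------a10-axapi-1480694497157325
Content-Type: application/json

{"response": {"status": "fail", "err": {"msg": "Unrecognized command"}}}
------a10-axapi-1480694497157325
Content-Type: text/plain

ACOS(config-real server)#asdfasdfas
                         ^
% Unrecognized command.Invalid input detected at '^' marker.
Done
------a10-axapi-1480694497157325--
"""


def split_alternatives(raw):
    """Map each part's media type to its decoded body text.
    A non-multipart response (mixed filter off) is returned as a single entry."""
    msg = email.message_from_string(raw)
    if not msg.is_multipart():
        return {msg.get_content_type(): msg.get_payload(decode=True).decode("utf-8", "replace")}
    parts = {}
    for part in msg.get_payload():
        parts[part.get_content_type()] = part.get_payload(decode=True).decode("utf-8", "replace")
    return parts


def deploy_error(raw):
    """Return {"json": <parsed dict or None>, "text": <CLI screen output or None>}.
    json.loads is only attempted on the JSON part, so CLI text never reaches the JSON parser."""
    parts = split_alternatives(raw)
    result = {"json": None, "text": None}
    if "application/json" in parts:
        result["json"] = json.loads(parts["application/json"])
    if "text/plain" in parts:
        result["text"] = parts["text/plain"].strip()
    return result


def error_summary(raw):
    """One-line summary for an audit log: prefer the structured form, fall back to the CLI text."""
    err = deploy_error(raw)
    if err["json"] is not None:
        return err["json"].get("response", {}).get("err", {}).get("msg", "unknown error")
    if err["text"] is not None:
        return err["text"].splitlines()[-1]
    return "no error payload"
```

Selecting the part by media type rather than by position matters here: nothing in the notes fixes the order of the alternatives, and a client that blindly runs json.loads on the first part will fail on the CLI text with the `^` marker line.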
NOTE: For the traceroute command to be executed through the CLI deploy endpoint of aXAPI, the end command needs to be issued before the traceroute command in the same call.
1. reboot
2. reload
3. erase
Logging Enhancements
The acos-events Global configuration CLI command is added to enable you to filter which log messages are sent/received and to alter the severity of the log messages.
NOTE: For more details, see “acos-events” in the Command Line Interface Reference Guide.
By default, the ACOS device currently continues UDP sessions from real servers that go down. The re-select-if-server-down command, available in UDP templates, programs the device to select another real server when the server bound to an active connection goes down; in this instance, the device clears all UDP sessions from the down server. The disable-clear-session option programs the device to select another real server without clearing the UDP sessions.
NOTE: For more details, see the ADC CLI Reference Guide.
This feature is implemented through the action command, which is accessible as a class list – LID component of an slb policy template. In addition to specifying one of the three actions, the new command provides the ability to log action events. The show class-list command adds the capacity to count the number of requests (hitcount) that match an IP address specified by the class list.
This feature also increases the LID value range to 1-1023; the previous range was 1-31.
NOTE: See the action command description in the CLI Reference Guide for ADC.
NOTE: For more details, see the “SSL Offload and SSL Proxy” chapter of the Application Delivery and Server Load Balancing Guide.
Configurable idle timeouts were previously available for Slow Path configurations through the idle-timeout commands in the TCP, UDP, and TCP-Proxy SLB templates. This new feature is implemented by extending the influence of the existing commands to Fast-Path configurations.
By default, traffic for undefined VIP ports flows through the device and is eventually dropped when processed by a device CPU. When hardware blocking is enabled, packets in excess of a configured threshold to an unconfigured port are dropped before entering the ACOS device.
NOTE: See the ADC-CLI Reference Guide and the SLB Configuration Guide for more information.
The global stateless-sg-multi-binding command is incompatible with using stateful service groups.
The following schedule describes the mapping of the idle-timeout command value to the actual timeout period:
• For values less than 31, ACOS uses the entered value.
• For values greater than 60, ACOS rounds down to the closest multiple of 60 seconds.
NOTE: For more information, see the CLI Reference Guide for ADC. The idle-timeout commands for the TCP template, SLB TCP proxy template, and UDP template are affected.
GiFW Enhancements
The following topics are covered in this section:
The following CGN logging options, which were not applicable to SLB logging, are now supported with the addition of the new “fw logging template” and ASCII formatted log messages:
This release also adds support for transmission of log messages in ASCII format, whereas previous releases only supported Common Event Format (CEF).
To configure the new ASCII format option, use the following CLI command:
NOTE: For details, see the “fw template logging” command in the CLI chapter or the section “Choosing CEF or ASCII Format” in the Data Center and Gi/SGi Firewall Configuration Guide.
NOTE: For more details, see the “Hairpinning Support” section in the Data Center and Gi/SGi Firewall Configuration Guide.
For details about the enhanced capabilities offered with HTTP Logging, see:
• “HTTP Logging Support” section in the Data Center and Gi/SGi Firewall Configuration Guide
• The following options under the fw template logging command in the Data Center and Gi/SGi Firewall Configuration Guide:
• include-http
• log http-requests
• rule http-requests
Use the include-radius-attribute option under the fw template logging command to include RADIUS attributes in firewall log messages.
The new counters can be used for GiFW sessions to accomplish the following:
• display system status information (memory usage, CPU usage, sessions usage) similar to CGN
This release also adds the following new CLI “show” command:
• show fw system-status – Provides a list of firewall counters associated with CPU usage, memory usage, data/SMP sessions used, and RADIUS table entries used.
NOTE: For more information, see the “show fw system-status” command in the CLI chapter of the Data Center and Gi/SGi Firewall Configuration Guide.
ACOS is configured to act as a RADIUS server so that it can receive RADIUS accounting requests that include the client RADIUS attributes. To create a RADIUS server configuration for a firewall deployment, use the fw radius server command.
When the client's AAA server sends a RADIUS accounting packet carrying the Framed IP and/or Framed IPv6 Prefix attributes to ACOS, ACOS intercepts the packet and creates a RADIUS table entry based on the IP address and IPv6 prefix. When the inside user then creates a data connection, either from that IP address or from an IPv6 address within the prefix, ACOS includes the RADIUS attributes when sending the log messages. When configuring the Firewall RADIUS server or CGNV6 RADIUS server, use the framed-ipv6-prefix command to specify the Framed IPv6 Prefix as a RADIUS attribute for RADIUS accounting requests.
NOTE: For details, see the Data Center and Gi/SGi Firewall Configuration Guide.
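The RADIUS table mechanism described above, as an added Python example that is not part of the release notes or of ACOS: it parses an Accounting-Request into attributes with bounds checks, learns a table entry keyed by Framed-IP-Address (attribute 8) and Framed-IPv6-Prefix (attribute 97), looks up the source address of a later data connection against that table, and attaches the learned attributes to a log record. The accounting packet, the subscriber name and the addresses are constructed here, the authenticator is zeroed rather than computed, and the log record layout is an assumption, not the ACOS log format.

```python
import ipaddress
import struct

ACCT_REQUEST = 4              # RADIUS Accounting-Request code (RFC 2866)
ATTR_USER_NAME = 1            # RFC 2865
ATTR_FRAMED_IP_ADDRESS = 8    # RFC 2865
ATTR_FRAMED_IPV6_PREFIX = 97  # RFC 3162


def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, [(type, value), ...]).
    Length and attribute bounds are checked so a malformed packet raises instead of
    being silently mis-parsed; the Request Authenticator is not verified here."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, bytes(packet[pos + 2:pos + alen])))
        pos += alen
    return code, ident, attrs


class RadiusTable:
    """Entries learned from accounting requests, keyed by Framed-IP-Address and Framed-IPv6-Prefix."""

    def __init__(self):
        self.by_ipv4 = {}
        self.by_prefix = []  # [(IPv6Network, entry)], searched in insertion order

    def learn(self, packet):
        code, _, attrs = parse_radius(packet)
        if code != ACCT_REQUEST:
            return None  # only accounting requests populate the table
        entry = {}
        for atype, value in attrs:
            if atype == ATTR_USER_NAME:
                entry["user"] = value.decode("utf-8", "replace")
            elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
                entry["framed_ip"] = ipaddress.IPv4Address(value)
            elif atype == ATTR_FRAMED_IPV6_PREFIX and 2 <= len(value) <= 18:
                # value = reserved(1) + prefix-length(1) + prefix bytes (may be shortened)
                plen = value[1]
                prefix = value[2:].ljust(16, b"\x00")
                entry["framed_ipv6_prefix"] = ipaddress.IPv6Network((prefix, plen), strict=False)
        if "framed_ip" in entry:
            self.by_ipv4[entry["framed_ip"]] = entry
        if "framed_ipv6_prefix" in entry:
            self.by_prefix.append((entry["framed_ipv6_prefix"], entry))
        return entry

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        if addr.version == 4:
            return self.by_ipv4.get(addr)
        for net, entry in self.by_prefix:
            if addr in net:
                return entry
        return None


def enrich_log(record, table):
    """Copy a firewall log record and attach the RADIUS attributes learned for its source address."""
    out = dict(record)
    entry = table.lookup(record["src"])
    if entry is not None:
        out["radius_user"] = entry.get("user")
        if "framed_ipv6_prefix" in entry:
            out["framed_ipv6_prefix"] = str(entry["framed_ipv6_prefix"])
    return out


def build_acct_request(ident, attrs):
    """Constructed Accounting-Request for testing; the authenticator is zeroed, not computed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed sample: one subscriber with an IPv4 address and a /64 delegated prefix.
SAMPLE_ACCT = build_acct_request(7, [
    (ATTR_USER_NAME, b"alice@example.net"),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    (ATTR_FRAMED_IPV6_PREFIX, bytes([0, 64]) + ipaddress.IPv6Address("2001:db8:1:2::").packed[:8]),
])
```

The IPv6 lookup is a prefix match rather than an exact match, which is the point of the framed-ipv6-prefix option: a subscriber's data connections come from arbitrary addresses inside the delegated prefix, so an exact-address table would never enrich them.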
For details, see the following locations in the Data Center and Gi/SGi Firewall Configuration Guide:
• Disable RADIUS Accounting Response Packet in CGN Logging with Toggle Option
entries supported for each platform. However, you can create a customized LSN RADIUS table that sup-
ports a reduced number of entries, and is smaller than the platform-based maximum value.
To configure the RADIUS table size, use the cgnv6 resource-usage radius-table-size command. This
command is used to configure the total number of configurable CGNv6 RADIUS table entries.
NOTE: For more information, see the IPv4-toIPv6 Transition Solutions Guide.
NOTE: For more information, see the Traffic Logging Guide for IPv6 Migration.
To include all headers in every log message, even if the header is not in the HTTP request, use the rule-
http-requests include-all-headers command.
To configure the URI file extension in HTTP logs, use the include-http file-extension command at
the NAT logging template level.
Disable RADIUS Accounting Response Packet in CGN Logging with Toggle Option
Whenever ACOS receives and successfully processes a RADIUS accounting request, it sends a RADIUS
Accounting-Response in reply. If no confirmation is needed, or if you want to limit a potential flood of
response messages, you can disable this behavior so that no RADIUS accounting response is sent.
To stop ACOS from sending accounting responses in reply to RADIUS accounting requests, use the
disable-reply command at the CGNv6 LSN RADIUS server configuration level. Note that RFC 2866
accounting clients retransmit an Accounting-Request until they receive a response, so confirm that the
sending AAA server tolerates the missing reply before enabling this option.
NOTE: For more information, see the IPv4-to-IPv6 Transition Solutions Guide.
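The intercept-and-reply sequence described above, as an added example written for this page (it is not ACOS code and does not describe the internals of the ACOS RADIUS table): a minimal accounting receiver that verifies the Request Authenticator of an Accounting-Request against the shared secret before trusting it, extracts User-Name, Framed-IP-Address and Framed-IPv6-Prefix (RFC 2866 and RFC 3162 encodings) into a table keyed by address or prefix, resolves a later data-plane source address back to its entry, and either returns the Accounting-Response or stays silent when the disable-reply toggle is set. The shared secret, the sample request and the user and address values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# Packet codes and attribute types from RFC 2865, RFC 2866 and RFC 3162.
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_FRAMED_IPV6_PREFIX = 97

SHARED_SECRET = b"constructed-secret"  # assumption: the secret shared with the client's AAA server


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Type-Length-Value attribute list, rejecting lengths that do not fit."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def verify_accounting_request(pkt: bytes, secret: bytes) -> bool:
    """RFC 2866 section 3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    A packet failing this check must be dropped; otherwise anyone able to spoof UDP to the
    accounting port could map an IP address to an arbitrary user in the table."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_table_entry(pkt: bytes) -> Dict[str, object]:
    """Keep the attributes the log pipeline later needs: user, Framed-IP-Address, Framed-IPv6-Prefix."""
    entry: Dict[str, object] = {"user": None, "ipv4": None, "ipv6_prefix": None}
    for attr_type, value in parse_attributes(pkt[20:]):
        if attr_type == ATTR_USER_NAME:
            entry["user"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            entry["ipv4"] = ipaddress.IPv4Address(value)
        elif attr_type == ATTR_FRAMED_IPV6_PREFIX and 2 <= len(value) <= 18:
            # RFC 3162 section 2.3: reserved octet, prefix length, then only as many prefix octets as needed.
            prefix_len, prefix = value[1], value[2:]
            entry["ipv6_prefix"] = ipaddress.IPv6Network(
                (prefix + bytes(16 - len(prefix)), prefix_len), strict=False)
    return entry


def accounting_response(request: bytes, secret: bytes) -> bytes:
    """RFC 2866 section 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def handle_accounting(pkt: bytes, table: Dict, secret: bytes, disable_reply: bool = False) -> Optional[bytes]:
    """Verify the request, record its table entry, and return the reply (None with disable-reply)."""
    if not verify_accounting_request(pkt, secret):
        return None
    entry = build_table_entry(pkt)
    for key in (entry["ipv4"], entry["ipv6_prefix"]):
        if key is not None:
            table[key] = entry
    return None if disable_reply else accounting_response(pkt, secret)


def lookup(table: Dict, address: str) -> Optional[Dict[str, object]]:
    """Resolve a data-plane source address: exact match for IPv4, containing prefix for IPv6."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return table.get(ip)
    return next((e for k, e in table.items() if isinstance(k, ipaddress.IPv6Network) and ip in k), None)


def build_accounting_request(ident: int, attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Constructed Accounting-Request, as the AAA server would send it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


# Constructed sample: user alice holds 10.1.2.3 and the prefix 2001:db8:1:2::/64.
SAMPLE_REQUEST = build_accounting_request(7, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.2.3").packed),
    (ATTR_FRAMED_IPV6_PREFIX, bytes([0, 64]) + ipaddress.IPv6Address("2001:db8:1:2::").packed[:8]),
], SHARED_SECRET)
```

The authenticator check is the part to keep: an accounting receiver that records Framed-IP-Address without verifying the Request Authenticator lets anyone who can reach the accounting port attribute traffic to a user of their choosing in every log line that follows.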
NOTE: See the system trunk load-balance command in the Command Line
Interface Reference Guide for more information.
Monitoring Enhancements
The following topic is covered in this section:
One of the parameters of the log-fields is “severity”. This parameter can take different values based on
the rules configured in the active logging template.
The decision of whether to send the packet out is based on the severity of the log message. In this
release, you can now change the severity of a log message that was already loaded into the library, and
the new severity of the log-field is reflected in the event logging hash table.
Use the “no” form of the command to restore the default value as defined in the schema.
NOTE: For more information, see the acos-events message-id command in the
CLI Reference.
Platform Enhancements
The following topic is covered in this section:
Cloud Enhancements
The following topics are covered in this section:
NOTE: See “Restoring from a Backup” in the System Configuration and Adminis-
tration Guide for details.
NOTE: For more information, see “Setting the Maximum Limit of Cores for I/O Processing” in the
vThunder Install Guides [1] and the “CPU Core Management Commands” section in the Thunder Bare
Metal Installation Guide.
For vThunder for KVM (Virtio) to support Virtio DPDK, the DPDK driver is loaded when ACOS starts. No
configuration changes are required to enable this behavior.
System Poll Mode uses the Data Plane Development Kit (DPDK), a set of data-plane libraries and
network interface drivers that accelerate packet processing. DPDK was created by Intel and is made
available under a BSD open-source license. DPDK maximizes throughput and minimizes packet-processing
time through several methods, such as bypassing the kernel, processing packets in user space, and
using polling instead of interrupts.
NOTE: For more information, see “System Poll Mode” in the vThunder for KVM
(Virtio) Installation Guide.
NOTE: System poll mode is supported for vThunder instances running on the
following: VMware, KVM, AWS, OpenStack, and HVA. However, system
poll mode is not supported for vThunder instances running on Hyper-V or
Azure.
Once OvS with DPDK is set up on the host, no additional ACOS CLI commands are needed to enable the
new behavior. The vThunder instance automatically uses the new OvS bridge.
You can follow the vendor-agnostic instructions from Intel to install and configure OvS with DPDK on
the host that runs your vThunder instance(s):
https://download.01.org/packet-processing/ONPS2.1/Intel_ONP_Release_2.1_Performance_Test_Report_Rev1.0.pdf
[1] Only vThunder versions that support System Poll Mode (DPDK), such as VMware, KVM (Virtio), and KVM (SR-IOV).
ACOS 4.1.1-P1 New Features
NOTE: For more information, see WAF Policy File Size Limit Increased to 10MB
in the Changes to Default Behavior chapter.
• CGN Enhancements
Prior to this release, user-defined header extensions which allow ICAP clients to include information in
ICAP requests and responses were not preserved in the outside (re-encrypted) SSLi virtual server. This
meant that a proxy chain configuration with SSLi as the first proxy would not support ICAP on the sec-
ond HTTP proxy.
In this release, the X-Authenticated-User and original X-Client-IP (via X-Forwarded-For) header extensions
described in “ICAP Extensions, draft-stecher-icap-subid-00.txt” are supported on both the inside ACOS
virtual server and the outside ACOS virtual server. See the “Redirection of SSLi Sessions to ICAP Servers”
chapter for further information.
• Source IP address
• Destination IP address
See “SSLi Failure Logs” in the SSL Insight Configuration Guide for more information.
CGN Enhancements
The following topics are covered in this section:
ACOS then allocates the NAT IP/port and sends back the PCP response.
ACOS 4.1.1 New Features
NOTE: See the cgnv6 ecmp 4-tuple-hash command in the Command Line Inter-
face Reference for CGN for more information.
• Network Configuration
• aFleX Enhancements
• Gi/SGi-Firewall Enhancements
• DC-Firewall Enhancements
• vThunder Enhancements
• CGN Enhancements
For example, if there is more than one route specified in the routing table for the destination network of
192.0.2.0 /24:
Then the debug mon command example below shows the ARP request and reply of the second gateway,
203.0.113.202, after ACOS has stopped trying the first gateway.
NOTE: ACOS sends the ARP request health check only to the one gateway that is active
and used for forwarding packets.
When ACOS determines that the first gateway has failed the health check, it sends an alert log along
with an SNMP trap to the SNMP manager.
Two new objects, axGatewayUp and axGatewayDown, are available for reporting gateway up or down sta-
tus changes.
NOTE: SNMP MIBs can be downloaded from the GUI; see “Downloading the
MIBs” in the System Configuration and Administration Guide.
When SNMP is disabled in the shared partition, no configuration change is required in any L3V partition.
From the shared partition, the ACOS device neither receives SNMP responses for L3V partitions nor sees
any L3V traps.
With this SNMP enhancement, traps in an L3V partition use different community strings.
To enable L3V partition traps, the SNMP service and a community string must be configured in that
L3V partition.
Traps in an L3V partition can be enabled or disabled only at the group level, not for individual traps.
NOTE: For information on how to configure SNMP in different partitions, see the
System Configuration and Administration Guide.
NOTE: See the logging command in the Command Line Interface Reference for
more information.
• To allow log messages to be sent from the shared partition to a syslog server in an L3V partition
• To allow log messages to be sent from an L3V partition to the shared partition or another L3V par-
tition (in ACOS 2.x releases, only sending a log message from an L3V partition to the shared parti-
tion was allowed)
NOTE: See “System Log Messages” in the System Configuration and Administra-
tion Guide for more information.
When a template is applied to an L3V partition, the library is updated with the template configuration.
The library is updated whenever a system per-sec resource is obtained and returned. ACOS maintains
the below set of data in the resource library:
For more examples, see “show system resource-usage template” in the Command Line Interface Refer-
ence.
The following gives an example of a Syslog message based on the configured system-resource thresh-
olds.
Apr 04 2015 22:49:31 Alert [ACOS]:<p1> Resource L4 CPS is now above threshold limit (10%)
NOTE: For per-second resources, Peak is set to 0. For other resources, Peak is
set to the current peak value.
However, when many devices (initiators) talk to one target, the bursts can result in fan-in. Fan-in
caused by microbursts can cause short-term packet loss.
When the ASIC/L2 detects congestion, a pause frame is sent to the Flexible Traffic Assist (FTA) complex,
which then notifies the CPUs to hold packets in a buffer. The CPU complex has sufficient buffer memory
(8 GB) to absorb these microbursts.
The new system queuing-buffer enable CLI command adds TX pausing support on network ports/links
during microburst traffic.
Network Configuration
The following enhancements are available in this release:
• Trunk ID Enhancement
Trunk ID Enhancement
The trunk-group interface configuration command is enhanced to allow a trunk ID in the range from 1-
4096. Previously, only IDs 1-16 could be configured.
This enhancement can also be found in the GUI by navigating to Network >> Interfaces >> LAN >>
Update. In the Trunk Group section, the Trunk Number field can accept a Trunk ID number in the range
from 1-4096.
NOTE: For more information, see “name” in the “Config Commands: Interface”
chapter in the Network Configuration Guide.
NOTE: For more information, see “ip reroute” in the “Config Commands: IP”
chapter and “ipv6 reroute” in the “Config Commands: IPv6” chapter in the
Network Configuration Guide.
NOTE: See show vrrp-a all-partitions in the Configuring VRRP-A High Avail-
ability Guide for more information.
NOTE: For more information, see show vrrp-a partition in the Configuring
VRRP-A High Availability Guide.
For explicit proxy client authentication using form-based-logon in an SSLi set up in conjunction with
checking against user/group membership, to ensure the explicit proxy client authentication occurs, con-
figure “match-any” or “match-class-list” in the source rule so it matches the first request in the slb policy
template.
See “Creating an Authentication Template” and “Tracking Sessions” in the Application Access Manage-
ment for more information on configuration.
aFleX Enhancements
The following enhancements are available in this release:
Use the system resource-usage aflex-table-entry-count command to define the total number of
aFleX entries per table. Reboot the system for the change to take effect. In high-capacity mode, that is,
when system resource-usage aflex-table-entry-count is set to a non-default value such as 100k, the
recommendation is to use only one table.
NOTE: See system resource-usage in the Command Line Interface Reference for
more information.
NOTE: See the aFleX Scripting Language Reference for more information about
HTTP:redirect.
NOTE: See show running-config in the Command Line Interface Reference for
more information.
In the example that follows, both test1 and test2 are bound to the virtual server called vs-1-11-1 on port
80 and have the HTTP_REQUEST event defined. If the “HTTP::cookie remove test” command fails, the sta-
tistics will now increment separately for each policy:
The failure statistics are different because test1 fails, but test2 succeeds. In the past, the show output
for both test1 and test2 would show a failure. The enhancement applies to all events for execute, failure,
and abort.
NOTE: See RESOLVE::lookup in the aFleX Scripting Language Reference for more
information.
The LB_SELECTED and LB_FAILED events are not supported when binding an aFleX script under an FTP-
Proxy virtual port.
See TCP::payload replace in the aFleX Scripting Language Reference for more information.
Gi/SGi-Firewall Enhancements
The following topics are covered in this section:
By default, a “permit” rule with no application specified is L3-forwarded and will create a new firewall
session. In other words, it is treated the same as a permit rule with an application specified as “forward”.
For a rule without an application associated with it, use the command fw permit-default-action
{next-service-mode | forward} to change the behavior of the rule. This command changes the way a
packet will be processed by matching a rule that contains “action permit”.
Within any given partition, configuring an SLB template with the same name as a firewall template is not
permitted.
The only option available under the firewall logging template is the service group. Only a firewall
service-group can be bound to a firewall logging template, and UDP is the only service-group type that
can be bound to it.
Use the fw template logging fw_logging command to configure the firewall logging template. Then use
the fw logging fw_logging command to bind the firewall logging template globally.
• NAT44/NAT64 with LSN and Fixed NAT: session creation, session deletion, NAT port assignment,
NAT port free
• NAT44/NAT64 with Fixed NAT: fixed NAT port usage, fixed NAT port disable
• NAT44/NAT64 with LSN port batching v1: port batch allocation, port batch free
• NAT44/NAT64 with LSN port batching v2: port batch free, port pool batch allocation/free
DC-Firewall Enhancements
The following topics are covered in this section:
This release offers an enhancement that allows customers to configure per-port timeouts for TCP/UDP
under the firewall session-aging templates, as well as idle-timeouts under individual rules in a rule-set.
This enhancement may be helpful for long-lived protocols, such as those used to perform backups or
data replication. It may help meet the needs of customers who require the ability to configure different
TCP/UDP ports with different timeout values, or who need to be able to configure idle-timeout values
under individual rules within a rule-set.
In this release, port-based timeouts and rule-based idle-timeouts are only available for TCP and UDP,
and can only be configured for destination ports.
NOTE: For more information, see the fw session-aging and rule commands in
the CLI chapter of the Data Center and Gi/SGi Firewall Configuration
Guide.
In previous releases, a rule within a rule-set could contain only one of each of the Src, Dst, or Service
objects.
For example, prior releases had the following limitation when configuring a rule-set rule:
rule-set rs1
rule 1
action permit log
source ipv4-address 192.168.15.1 <--- only one “src” allowed per rule
dest object-group VIP-Base <--- only one “dst” allowed per rule
service udp dst eq 53001 <--- only one “service” allowed per rule
However, to support easier configuration and management of the rules in a firewall rule-set, this release
supports the ability to configure multiple Src/Dst hosts, subnets, objects, object-groups, and services
within a single rule.
Example
The following "rule 22" now supports the ability to include many Src object, Dst object, and Service
objects:
rule-set rs2
rule 22
source ipv4-address 123.123.123.123/32
source object obj1
source server ntlmsvr
dest ipv4-address 234.234.234.234/32
dest ipv4-address 143.143.143.143/32
dest object-group ogn11
dest virtual-server testvs
service tcp
service proto-id 11
service proto-id 22
service object-group ogs1
service object-group ogs2
NOTE: Within a single rule, you can now configure up to 256 entries of each of the following
object types: source IP, destination IP, and service.
NOTE: Only one source zone and one destination zone can be configured per rule.
NOTE: For more information, see the rule command in the CLI chapter of the
Data Center and Gi/SGi Firewall Configuration Guide.
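To make the rule semantics concrete, the following is an added model (example code written for this page, not ACOS’s own implementation) of a rule-set evaluator: several source, destination and service entries in one rule are alternatives within that field, all fields must match, object-group references expand to their members, the 256-entries-per-type and one-zone-per-direction limits are enforced when a rule is built, and a matching permit rule returns the idle timeout to apply, taking the rule’s own idle-timeout over the session-aging template’s per-destination-port value. The object-group contents, first-match order, the implicit deny when nothing matches, empty fields matching anything, and the timeout precedence are assumptions of this model; the rule numbers and names mirror the rs1/rs2 examples above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_ENTRIES_PER_TYPE = 256  # per-rule cap on source, destination and service entries


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "other"
    dst_port: Optional[int] = None
    proto_id: Optional[int] = None      # IP protocol number, matched by "service proto-id N"
    src_zone: str = "any"
    dst_zone: str = "any"


@dataclass(frozen=True)
class Service:
    proto: str                          # "tcp", "udp" or "proto-id"
    dst_port: Optional[int] = None      # None: any destination port ("service tcp" alone)
    proto_id: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto == "proto-id":
            return pkt.proto_id == self.proto_id
        return pkt.proto == self.proto and self.dst_port in (None, pkt.dst_port)


@dataclass
class Rule:
    number: int
    action: str                         # "permit" or "deny"
    sources: list = field(default_factory=list)   # IPv4/IPv6 networks; alternatives
    dests: list = field(default_factory=list)
    services: List[Service] = field(default_factory=list)
    src_zone: Optional[str] = None      # at most one zone per direction
    dst_zone: Optional[str] = None
    idle_timeout: Optional[int] = None  # rule-level idle-timeout in seconds


def parse_service(text: str) -> Service:
    parts = text.split()
    if parts[0] == "proto-id":
        return Service("proto-id", proto_id=int(parts[1]))
    if parts[0] in ("tcp", "udp"):
        return Service(parts[0], dst_port=int(parts[3]) if parts[1:3] == ["dst", "eq"] else None)
    raise ValueError(f"unsupported service: {text}")


def expand(entries: List[str], groups: Dict[str, List[str]], parse: Callable) -> list:
    """Resolve entries, following object-group references; the 256 cap counts configured entries."""
    if len(entries) > MAX_ENTRIES_PER_TYPE:
        raise ValueError(f"more than {MAX_ENTRIES_PER_TYPE} entries of one type in a rule")
    resolved = []
    for entry in entries:
        members = groups[entry.split(None, 1)[1]] if entry.startswith("object-group ") else [entry]
        resolved.extend(parse(m) for m in members)
    return resolved


def build_rule(number: int, action: str, net_groups: Dict, svc_groups: Dict, sources=(), dests=(),
               services=(), src_zones=(), dst_zones=(), idle_timeout: Optional[int] = None) -> Rule:
    if len(src_zones) > 1 or len(dst_zones) > 1:
        raise ValueError("only one source zone and one destination zone per rule")
    to_net = lambda s: ipaddress.ip_network(s, strict=False)
    return Rule(number, action, expand(list(sources), net_groups, to_net),
                expand(list(dests), net_groups, to_net), expand(list(services), svc_groups, parse_service),
                src_zones[0] if src_zones else None, dst_zones[0] if dst_zones else None, idle_timeout)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Entries within a field are alternatives (OR); fields combine with AND; an empty field is unconstrained."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return ((rule.src_zone is None or rule.src_zone == pkt.src_zone)
            and (rule.dst_zone is None or rule.dst_zone == pkt.dst_zone)
            and (not rule.sources or any(src in n for n in rule.sources))
            and (not rule.dests or any(dst in n for n in rule.dests))
            and (not rule.services or any(s.matches(pkt) for s in rule.services)))


def evaluate(rules: List[Rule], pkt: Packet,
             port_timeouts: Dict[Tuple[str, Optional[int]], int]) -> Tuple[str, Optional[int], Optional[int]]:
    """First match wins; no match is an implicit deny (assumption). Returns (action, rule number,
    idle timeout); a rule's own idle-timeout takes precedence over the session-aging template's
    per-destination-port value (assumption)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            timeout = rule.idle_timeout if rule.idle_timeout is not None \
                else port_timeouts.get((pkt.proto, pkt.dst_port))
            return rule.action, rule.number, timeout if rule.action == "permit" else None
    return "deny", None, None


# Constructed configuration modelled on the rs1/rs2 examples; the group contents are made up.
NET_GROUPS = {"VIP-Base": ["10.0.0.0/24"], "obj1": ["10.20.0.0/16", "2001:db8::/32"],
              "ogn11": ["10.30.0.0/24"]}
SVC_GROUPS = {"ogs1": ["udp dst eq 500", "udp dst eq 4500"]}
PORT_TIMEOUTS = {("tcp", 22): 3600, ("udp", 53001): 300}  # session-aging template, per dst port
RULES = [
    build_rule(1, "permit", NET_GROUPS, SVC_GROUPS, sources=["192.168.15.1"],
               dests=["object-group VIP-Base"], services=["udp dst eq 53001"], idle_timeout=7200),
    build_rule(5, "deny", NET_GROUPS, SVC_GROUPS, src_zones=["guest"]),
    build_rule(22, "permit", NET_GROUPS, SVC_GROUPS,
               sources=["123.123.123.123/32", "object-group obj1"],
               dests=["234.234.234.234/32", "143.143.143.143/32", "object-group ogn11"],
               services=["tcp", "proto-id 11", "proto-id 22", "object-group ogs1"]),
]
```

Call evaluate(RULES, Packet(...), PORT_TIMEOUTS) to see which rule a flow hits and which timeout it would get; the two ValueError paths in build_rule are the configuration-time checks that correspond to the limits in the notes above.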
This release adds the fwcps-limit-cfg command (under the system-resources sub-option of the
system resource-accounting template), which lets you configure connections-per-second (CPS) limits for
firewall sessions.
In the sample configuration below, the option shown in blue is the new syntax associated with this
enhancement:
The template can then be bound to the target partition where you want the CPS limit to apply.
However, in ACOS 4.1.1 and later, you can send traffic to the ACOS device by configuring the local-type com-
mand as the destination zone criteria. This designates the zone type as a “local zone” and simultaneously
removes the ability to add interfaces, management interface, VLANs, tunnels, VEs, and trunks to that local zone.
NOTE: Do not create a zone with the name “any” or you will not be able to later
delete this zone. This limitation exists because ACOS auto-creates a zone
called “any”, but the zone does not appear in the output of the “show run-
ning” CLI command. Therefore, if you manually create a zone called “any”,
it will be visible in the output, but because it has the same name as the
system-generated zone, you will not be able to delete it.
NOTE: For more information, such as limitations associated with this new
option, see the zone command in the CLI chapter of the Data Center and
Gi/SGi Firewall Configuration Guide.
vThunder Enhancements
The following topics are covered in this section:
NOTE: For more information, see “Support for Non-dedicated Management Port
Mode” in the vThunder for VMware ESXi Installation Guide.
DPDK maximizes throughput and minimizes packet processing time through several methods, such as
bypassing the kernel, processing packets in the user space, and using polling instead of interrupts.
NOTE: For more information, see “System Poll Mode” in the vThunder for
VMware ESXi Installation Guide.
NOTE: System poll mode is supported for vThunder instances running on the
following: VMware, KVM, AWS, OpenStack, and HVA. However, system
poll mode is not supported for vThunder instances running on Hyper-V or
Azure.
The vThunder virtual appliance is a fully operational, software-only version of the ACOS Series Server
Load Balancer (SLB), Application Delivery Controller (ADC), or IPv6 migration device. vThunder retains
most of the functionality available on the hardware-based ACOS appliances, and it is managed using
the same CLI and GUI interface.
• http://docs.openstack.org/user-guide/common/cli-manage-images.html
• http://docs.openstack.org/user-guide/dashboard-manage-images.html
• How to boot a vThunder instance in OpenStack:
• http://docs.openstack.org/user-guide/cli-launch-instances.html
• http://docs.openstack.org/user-guide/dashboard-launch-instances.html
• How to access the vThunder CLI through a VGA console
• http://docs.openstack.org/user-guide/cli-access-instance-through-a-console.html
1. “Manage images”, http://docs.openstack.org/user-guide/common/cli-manage-images.html, accessed Oct 11, 2016.
NOTE: There is no GUI guide for this, but the information can be found in the
same place as launching. For example, navigate as follows: compute >
instance > console
System Requirements
• The minimal resource requirements for vThunder instances running on OpenStack:
• CPU must be <= 8
• Memory must be at least 4GB RAM
• Free disk space must be at least 12GB
• The instance must be provisioned with two networks/NICs (management and data inter-
faces)
Limitations
• The key pair is unsupported on vThunder for OpenStack instances.
• Deleting and/or attaching data ports is only supported while the vThunder instance is in a shut-
down state. You cannot modify (delete/attach data ports) for active vThunder instances.
• If using special hardware, such as SR-IOV, this hardware must be configured by the operator as
normal.
NOTE: For more information, see “Enabling Jumbo Frame Support” in the A10
Thunder Series 3030S/3530S Hybrid Virtual Appliance Guide.
When LACP is used with an HVA device that has many vThunder instances running, you can configure a
single LACP trunk going to the switches in the data center, and the vThunder instances can share that
one trunk.
NOTE: For more information, see “LACP Support – Enabling many vThunder
instances to share a trunk” in the A10 Thunder Series 3030S/3530S
Hybrid Virtual Appliance Guide.
• Secure ICAP
• ICAP Logging
packets in Layer 7 sessions such as ACOS SSL Proxy configurations. In this release, DSCP can now be
used for L7 proxy connections.
If a template is configured with a DSCP value and the template is applied to port, the ACOS device
marks all packets from the proxy. If the proxy application sends packets back to the clients, those pack-
ets are also marked with the DSCP value.
• The dscp command in the “Config Commands: SLB Real Port Templates” chapter
of the Command Line Reference for ADC book.
• The dscp command in the “Config Commands: SLB Virtual Port Templates” chapter
of the Command Line Reference for ADC book.
• The “Example Configuration: DSCP Dynamic-Port SSLi” section of the “Dynamic-
Port SSLi” chapter of the SSL Insight Configuration Guide.
By increasing the maximum number of SNI entries per IP, customers can host more domains per VIP.
This enhancement can be helpful for web-hosting companies that have many websites but a relatively
limited number of IP addresses.
ACOS has a maximum limit of 8192 SSL contexts available to the whole system, meaning that one SNI
entry bound to a virtual port uses up one SSL context. Therefore, you could reach that limit by configur-
ing one client-SSL template (with 8192 SNI entries) and binding it to one virtual port (8192 x 1 = 8192),
or the limit could be reached by configuring a client-SSL template that has 2048 SNI entries and binding
it to four virtual ports (2048 x 4 = 8192).
NOTE: For more information, see “SSLi Failure Logs” in the SSL Insight Configu-
ration Guide.
For steering the traffic in a forward or reverse direction, the redirect-fwd and redirect-rev com-
mands are available. The forward direction steers traffic from client to Internet. The reverse direction
steers traffic from the Internet to the client. See the port command in the “Config Commands: SLB Vir-
tual Servers” chapter of the Command Line Interface Reference for more information.
NOTE: For configuration example information, see “SSLi Single Partition Sup-
port” in the SSL Insight Configuration Guide.
NOTE: See the Config Commands: SLB Client SSL Templates document for
details on this command. See the SSL Offload and SSL Proxy document
for configuration instructions.
now present DH prime values of no less than 1024 bits. On the server side, ACOS accepts only DH
primes of 1024 bits or more. Treat 1024 bits as the floor ACOS enforces rather than a target: since the
Logjam research (2015), the general recommendation has been 2048-bit or larger DH groups, or ECDHE,
for forward-secret key exchange.
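As an added check (example code for this page, not an ACOS command), the following parses a PKCS #3 DH parameter file, which is a DER SEQUENCE { p INTEGER, g INTEGER } optionally wrapped in a DH PARAMETERS PEM block, and classifies the prime size against the 1024-bit floor ACOS enforces and the 2048-bit size current guidance recommends. The sample values are constructed: they have the bit lengths of interest but are not primes, since only the size is being checked, so point it at a real dhparam file for a meaningful result.

```python
import base64


def _der_len(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n: int) -> bytes:
    # One extra leading byte keeps the high bit clear so the INTEGER is read as positive.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def der_encode_dh(p: int, g: int) -> bytes:
    """PKCS #3 DHParameter: SEQUENCE { prime INTEGER, base INTEGER }."""
    inner = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(inner)) + inner


def _der_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def pem_to_der(pem: str) -> bytes:
    b64 = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(b64)


def dh_prime_bits(der: bytes) -> int:
    """Bit length of p from a DER-encoded DHParameter."""
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p, _ = _der_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    return int.from_bytes(p, "big").bit_length()


def classify_dh(der: bytes, floor: int = 1024, recommended: int = 2048) -> str:
    """'reject' below the floor ACOS enforces, 'weak' below current guidance, otherwise 'ok'."""
    bits = dh_prime_bits(der)
    return "reject" if bits < floor else "weak" if bits < recommended else "ok"


# Constructed values with the bit lengths of interest; NOT primes, only the size is checked here.
FAKE_P_768 = (1 << 767) | 1
FAKE_P_1024 = (1 << 1023) | 1
FAKE_P_2048 = (1 << 2047) | 1
```

For a live peer rather than a file, the equivalent check is the "Server Temp Key" line that openssl s_client prints after a DHE handshake; the parser above is for auditing parameter files before they are loaded.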
• CRL Distribution Points (CDP)
This extension provides the Uniform Resource Identifier (URI) of the CRL.
• Authority Information Access (AIA)
This extension can be used to identify the Certificate Authority (CA) Issuer’s URI or an Online
Certificate Status Protocol (OCSP) URI.
These features improve the certificate validation process and adhere to the guidelines specified in
RFC 5280.
App Template
• The “App Template” link redirects you to A10 AppCentric Templates page.
• AppCentric Templates provides a wizard, configuration templates and dashboard designed for a
specific applications.
NOTE: See the SSL Insight Configuration Guide book for details.
In this release, SSL/TLS secure renegotiation (RFC 5746) is the default behavior when you enter
“no renegotiation-disable” in both the SLB server-SSL template and the SLB client-SSL template.
NOTE: See the Command Line Reference for ADC to get further information.
NOTE: See the import and import-periodic commands in the Command Line
Reference for ADC to get further information.
The existing show slb icap command displays statistics that includes both blocked and not blocked
traffic.
In ACOS 4.1.1, the ICAP REQMOD and RESPMOD requests include the entire URL, including the protocol,
when the include-protocol-in-uri command is enabled.
Secure ICAP
The secure ICAP feature provides the ability to connect an ACOS system to the ICAP server over an SSL
connection. The template server-ssl command in the REQMOD and RESPMOD template configura-
tion modes enables this feature.
• The min-payload-size command specifies minimum payload size that can be sent to the ICAP
server.
ICAP Logging
When configuring the ICAP REQMOD and RESPMOD templates, you can enable ICAP logging. Log
messages include the following fields: timestamp, sender username, source IP, destination URL, and
DLP verdict. See the template logging command under the slb template reqmod-icap and slb
template respmod-icap commands, and the “Configuring ACOS Logging in ICAP Templates” section
of the SSL Insight Configuration Guide, for further information.
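To make the encapsulation and the logging fields concrete, the following is an added example (written for this page, not ACOS’s ICAP client) that builds a REQMOD request carrying the X-Client-IP and X-Authenticated-User headers from the draft-stecher extensions discussed under the P1 features above, computes the Encapsulated offsets, and turns a constructed ICAP server reply into a log record with the five fields listed above. The ICAP server URI, the client request, both server replies and the mapping of 204 to allow and 200 to block are constructed assumptions, as are the readings of include-protocol-in-uri as “send the absolute URL in the request line” and min-payload-size as “skip the server for smaller bodies”.

```python
import base64
import datetime
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """ICAP encapsulated bodies use HTTP/1.1 chunked transfer-coding (RFC 3507 section 4.5)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_reqmod(icap_uri: str, method: str, url: str, headers: Dict[str, str], body: bytes,
                 client_ip: str, user: str, include_protocol_in_uri: bool = True,
                 min_payload_size: int = 0) -> Optional[bytes]:
    """REQMOD request wrapping the client's HTTP request, plus the draft-stecher identity headers."""
    if body and len(body) < min_payload_size:
        return None  # payload below min-payload-size: skip the ICAP round trip (assumption)
    parts = urlsplit(url)
    # include-protocol-in-uri read as: put the absolute URL, scheme included, in the request
    # line instead of just the path and query (assumption about what the toggle changes).
    target = url if include_protocol_in_uri else (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    http_lines = [f"{method} {target} HTTP/1.1", f"Host: {parts.netloc}"] + [f"{k}: {v}" for k, v in headers.items()]
    req_hdr = CRLF.join(line.encode() for line in http_lines) + CRLF + CRLF
    # Encapsulated offsets are byte positions from the start of the encapsulated section.
    encapsulated = f"req-hdr=0, {'req-body' if body else 'null-body'}={len(req_hdr)}"
    icap_lines = [
        f"REQMOD {icap_uri} ICAP/1.0",
        f"Host: {urlsplit(icap_uri).netloc}",
        f"X-Client-IP: {client_ip}",
        f"X-Authenticated-User: {base64.b64encode(user.encode()).decode()}",  # base64, per the draft
        f"Encapsulated: {encapsulated}",
    ]
    icap_hdr = CRLF.join(line.encode() for line in icap_lines) + CRLF + CRLF
    return icap_hdr + req_hdr + (chunked(body) if body else b"")


def split_headers(msg: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Return (start line, lower-cased header map, bytes after the blank line)."""
    head, _, rest = msg.partition(CRLF + CRLF)
    lines = head.decode("latin-1").split("\r\n")
    hdrs = {k.strip().lower(): v.strip() for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    return lines[0], hdrs, rest


def encapsulated_offsets(msg: bytes) -> Dict[str, int]:
    _, hdrs, _ = split_headers(msg)
    return {k.strip(): int(v) for k, v in (item.split("=") for item in hdrs["encapsulated"].split(","))}


def log_record(client_ip: str, user: str, url: str, icap_response: bytes,
               timestamp: Optional[str] = None) -> Dict[str, str]:
    """The five logged fields. 204 means the server left the request unmodified (allow);
    200 means it returned a replacement, which for a DLP server is the block page (assumption)."""
    status, _, _ = split_headers(icap_response)
    code = int(status.split()[1])
    verdict = {204: "allow", 200: "block"}.get(code, f"error-{code}")
    ts = timestamp or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"timestamp": ts, "user": user, "src_ip": client_ip, "url": url, "verdict": verdict}


# Constructed ICAP server replies: an allow (204) and a DLP block that replaces the request.
ALLOW_RESPONSE = b'ICAP/1.0 204 No Content\r\nISTag: "dlp-1"\r\n\r\n'
_BLOCK_HTTP = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
BLOCK_RESPONSE = (b'ICAP/1.0 200 OK\r\nISTag: "dlp-1"\r\n'
                  + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(_BLOCK_HTTP)
                  + _BLOCK_HTTP + chunked(b"blocked"))
```

The Encapsulated offsets are where hand-built ICAP clients most often go wrong; the parser side recomputes them from the message so the test can confirm the body starts where the header says it does.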
The command, del-session-on-server-down, is added as an option in three places: to the SLB real port
template, the SLB TCP template, and the SLB TCP-proxy template.
Parameter Description
ipv4 Clear ipv4 persistent sessions only.
ipv6 Clear ipv6 persistent sessions only.
dst-ip dst-ip Clear persistent sessions matching the specified destination IP address value.
src-ip src-ip Clear persistent sessions matching the specified source IP address value.
ssl-sip ssl-sip Clear persistent SSL sessions matching the specified destination SSL IP address
value.
uie Clear sessions that are made persistent by the aFleX persist uie command
Active sessions, (receiving client-side packets) are cleared immediately. Idle sessions may continue to
exist for more than a minute after the command is issued.
Implementation
Configuration Example
These commands assign a real server to a service group, then configure the session-close-on-server-
shutdown function on that server.
ACOS(config-rport)#exit
ACOS(config)#slb server real-A 10.0.0.50
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group SG-A tcp
ACOS(config-slb svc group)#member real-A 80
ACOS(config-slb svc group-member:80)#template abc
ACOS(config-slb svc group-member:80)#exit
ACOS(config-slb svc group)#exit
ACOS(config)#show run | sec slb
slb template port abc
del-session-on-server-down
slb server real-A 10.0.0.50
port 80 tcp
slb service-group SG-A tcp
member real-A 80
template abc
ACOS(config)#
del-session-on-server-down
Description When applied to a server template, ACOS closes the session associated with
the server when the server is disabled or fails a health-check.
NOTE: See “forward-to-proxy” in the Command Line Interface Reference for ADC
for details on parameters available for this command. See “Proxy Chain-
ing Overview” in the Application Delivery and Server Load Balancing Guide
or “Proxy Chaining SSLi Overview” in the SSL Configuration Guide for con-
figuration instructions.
For information about legacy configurations, see Legacy Proxy Chaining Configuration in Changes to
Default Behavior.
NOTE: See “forward-policy” in the Command Line Interface Reference for ADC for
details on available commands for configuration.
Configuration to use a proxy server is now available as a solution so that IP management is no longer
necessary under this type of situation. See “Web Category” in the Command Line Interface Reference for
ADC for details on available commands for configuration.
NOTE: See “Configuring a Proxy Server for Web Category Services” in the Appli-
cation Delivery and Server Load Balancing Guide for configuration instruc-
tions.
NOTE: For information about this feature, see “Explicit Proxy Permission with
AAM Policy” in the Application Delivery and Server Load Balancing Guide.
For more information about the CLI commands, see “forward-policy” in
the SLB Policy Template section of the Command Line Interface Refer-
ence for ADC.
The Credit-Control-Answer (CCA) and Credit-Control-Request (CCR) command code messages are now
load balanced by default. These are shown in the “Diameter Message Codes.”
The show slb diameter command includes processing statistics for the sent and received CCR and
CCA messages.
The show session command includes a parameter for displaying diameter sessions.
The clear command includes a parameter for clearing the diameter sessions.
NOTE: See the Command Line Interface Reference for further information.
The show slb diameter command includes an output field to show when ACOS sends unknown-ses-
sion-id messages.
NOTE: See the Command Line Interface Reference for further information.
NOTE: See the show session command in the Command Line Interface Refer-
ence.
If the retries are unsuccessful, ACOS forwards the server response to the client even if the result code is
3002 (DIAMETER_UNABLE_TO_DELIVER) or 3004 (DIAMETER_TOO_BUSY).
NOTE: See the Command Line Interface Reference for further information.
• “STARTTLS for Secure SMTP” in the Application Delivery and Server Load Bal-
ancing Guide.
• “slb template imap-pop3” in the Command Line Interface Reference.
NOTE: For more information, see method in the “Config Commands: Health Mon-
itors” chapter in the Command Line Interface Reference for ADC.
To configure the maximum number of health checks, use the health-monitor-count parameter under
the slb resource-usage command at the global configuration mode in the CLI.
NOTE: For more information, see the Command Line Interface Reference for
ADC.
To configure this feature using the GUI, navigate to System >> Settings >> Resource Accounting.
The Health Monitor parameter is located at the bottom of the App Resources tab.
NOTE: For more information, see the “bw-list id” command under “slb template policy” in the Command Line Interface Reference for ADC.
This enhancement can also be found in the GUI by navigating to ADC >> Templates and selecting the
L7 Protocols tab. When creating a Policy template, the BW List field is no longer a drop-down menu,
but instead accepts a number entry from 0 - 1023.
NOTE: This feature is not supported on HSM platforms, including the Thunder 5630.
NOTE: For more information, see “SSL Certificate Management and Options” in
the Application Delivery and Server Load Balancing Guide.
• Platforms with at least 16G and less than 32G memory: 2K class lists
• Platforms with at least 8G and less than 16G memory: 1K class lists
• RSA Ciphers
• AES128-GCM-SHA256
• AES256-GCM-SHA384
• DHE Ciphers
• DHE-RSA-AES128-SHA
• DHE-RSA-AES256-SHA
• DHE-RSA-AES128-GCM-SHA256
• DHE-RSA-AES256-GCM-SHA384
• ECDHE/RSA Perfect Forward Security (PFS) Ciphers
• ECDHE-RSA-AES256-SHA384 (1)
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE/ECDSA Perfect Forward Security (PFS) Ciphers
• ECDHE-ECDSA-AES128-SHA
• ECDHE-ECDSA-AES256-SHA
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-ECDSA-AES256-SHA384 (1)
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• EXP-RC4-MD5
• EXP-DES-CBC-SHA
• DES-CBC-SHA
• EXP1024-RC4-MD5
• EXP1024-RC4-SH
The URL Filter server’s HTTP module parses client requests and saves the results in the corresponding
data structure. The AX module then inserts the configured header when it forwards HTTP requests to
the proxy server. If the proxy server response is good, the AX connects to the destination server. If the
proxy server response is bad, the AX closes the connection.
To specify HTTP request-headers to be sent to the proxy server, use the "request-header-forward"
option in an SLB "external-service" template. The following describes details and limitations of the
"request-header-forward" option:
1. Client request-headers are case insensitive. For example, “User-Agent”, “user-agent”, and “USER-AGENT” are treated as the same request header.
2. A maximum of 16 “request-header-forward” options can be configured.
3. An HTTP request-header (including request-header content) which can be forwarded cannot
exceed 1036 bytes.
• Example 1: Length of (User-Agent: xxx…) must be less than 1036
• Example 2: Length of (Accept: xxx…) must be less than 1036;
4. An external-service template only forwards GET/POST methods to proxy server; these methods
forward request-header-forward content to proxy servers.
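The four rules above, modelled in code as an added example; this is not ACOS code and does not talk to the appliance. The HTTP request it parses is constructed, and it assumes that a matching header whose full "Name: value" line exceeds the limit is simply not forwarded, which the text does not state. Parsing the request head locally lets the case-insensitive matching, the 16-option cap and the GET/POST-only restriction be checked together:

```python
"""Model of the request-header-forward selection rules described above.
Added example, not ACOS code; the HTTP requests below are constructed."""

MAX_FORWARD_OPTIONS = 16       # at most 16 request-header-forward options
MAX_HEADER_LINE_BYTES = 1036   # "Name: value" line, including the content
FORWARDED_METHODS = {"GET", "POST"}


class ConfigError(ValueError):
    """Raised when the configured header list breaks a template limit."""


def configure_forward_headers(names):
    """Normalize configured header names: trimmed, lower-cased (header
    names are case insensitive), duplicates collapsed, at most 16."""
    normalized = []
    for name in names:
        key = name.strip().lower()
        if key and key not in normalized:
            normalized.append(key)
    if len(normalized) > MAX_FORWARD_OPTIONS:
        raise ConfigError(f"at most {MAX_FORWARD_OPTIONS} request-header-forward options")
    return normalized


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, [(name, value), ...]).
    The body, if any, is ignored: only headers are forwarded."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return method, headers


def select_headers_to_forward(raw: bytes, configured):
    """Return the header lines the proxy server would receive.

    Requests other than GET/POST forward nothing. A matching header whose
    full line exceeds 1036 bytes is skipped (assumption: the text states
    the limit but not what happens to an oversized header)."""
    method, headers = parse_request(raw)
    if method not in FORWARDED_METHODS:
        return []
    wanted = set(configured)
    forwarded = []
    for name, value in headers:
        if name.lower() not in wanted:
            continue
        line = f"{name}: {value}"
        if len(line.encode("latin-1")) > MAX_HEADER_LINE_BYTES:
            continue
        forwarded.append(line)
    return forwarded


# Constructed sample requests (not captured traffic).
SAMPLE_GET = (b"GET /index.html HTTP/1.1\r\n"
              b"Host: www.example.com\r\n"
              b"user-agent: Mozilla/5.0 (constructed)\r\n"
              b"Accept: text/html\r\n"
              b"X-Debug: 1\r\n\r\n")
SAMPLE_PUT = SAMPLE_GET.replace(b"GET ", b"PUT ", 1)
SAMPLE_OVERSIZED = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: " + b"x" * 2000 + b"\r\n\r\n")

if __name__ == "__main__":
    cfg = configure_forward_headers(["User-Agent", "Accept", "user-agent"])
    print(cfg)                                             # ['user-agent', 'accept']
    print(select_headers_to_forward(SAMPLE_GET, cfg))      # two header lines
    print(select_headers_to_forward(SAMPLE_PUT, cfg))      # []
    print(select_headers_to_forward(SAMPLE_OVERSIZED, cfg))  # []
```

The configured list is normalized once, as a template would be at commit time, so the per-request path is a set lookup on the lower-cased name; the X-Debug header is never forwarded because it is not configured, not because of its size.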
NOTE: This feature can also be applied at the virtual port level for DNS caching; for more information, see “slb template dns” in the Command Line Interface Reference.
NOTE: For more information, see “show slb ssl” in the Command Line Interface Reference.
• “Configuring Bandwidth Limits for Servers and Ports” in the Application Delivery
and Server Load Balancing Guide.
• “bw-rate-limit” and “bw-rate-limit-acct” in the “slb template server” command
(Command Line Interface Reference).
• “bw-rate-limit” in the “slb template port” command in the Command Line Interface
Reference.
Two new SNMP traps for SLB bandwidth rate limits are also added: bw-rate-limit-exceed and bw-rate-limit-resume.
NOTE: For more information, see “snmp-server enable” in the Command Line Interface Reference.
• Intermediate CA
• Root CA
• Server
• Server
• Intermediate CA
• Root CA
If the file contains a chain with a missing link or certificates from multiple chains, the file will be rejected.
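An ordering check for such a chain file, as an added example that is not ACOS code. It works on constructed Subject/Issuer name pairs standing in for the PEM blocks (real X.509 decoding is out of scope here) and assumes the trailing root CA may be omitted, which the text does not spell out. A missing link and a certificate from a foreign chain both surface the same way: a Subject that does not match the previous certificate's Issuer.

```python
"""Ordering check for a certificate chain file, as described above.
Added example, not ACOS code. Records are constructed stand-ins for the
Subject/Issuer names of each PEM block."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        """A root CA signs itself, so Subject == Issuer."""
        return self.subject == self.issuer


def validate_chain_file(certs):
    """Return (ok, reason) for certificates in file order.

    Accepted layout: the server certificate first, then each issuing CA in
    turn, optionally ending at the self-signed root (assumption: the root
    may be omitted). Anything after a root, or any certificate whose Subject
    is not the previous certificate's Issuer, is rejected."""
    if not certs:
        return False, "empty file"
    if certs[0].self_signed and len(certs) > 1:
        return False, "first certificate is self-signed; the server certificate must come first"
    for i in range(1, len(certs)):
        prev, cur = certs[i - 1], certs[i]
        if prev.self_signed:
            return False, f"certificate {i} follows the root CA: certificates from multiple chains"
        if cur.subject != prev.issuer:
            return False, (f"certificate {i} ({cur.subject}) does not issue "
                           f"certificate {i - 1}: missing link or foreign chain "
                           f"(expected {prev.issuer})")
    return True, "ok"


# Constructed names; not real certificates.
GOOD_CHAIN = [
    CertRecord("www.example.com", "Example Intermediate CA"),
    CertRecord("Example Intermediate CA", "Example Root CA"),
    CertRecord("Example Root CA", "Example Root CA"),
]
MISSING_LINK = [GOOD_CHAIN[0], GOOD_CHAIN[2]]          # intermediate omitted
MIXED_CHAINS = [GOOD_CHAIN[0],
                CertRecord("Other Intermediate CA", "Other Root CA"),
                CertRecord("Other Root CA", "Other Root CA")]
WRONG_ORDER = list(reversed(GOOD_CHAIN))               # root first

if __name__ == "__main__":
    for label, chain in [("good", GOOD_CHAIN), ("missing link", MISSING_LINK),
                         ("mixed chains", MIXED_CHAINS), ("wrong order", WRONG_ORDER)]:
        print(label, validate_chain_file(chain))
```

Running the same check before an import saves a round trip to the appliance: the reason string names the offending position, which is what the rejection itself does not tell you.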
NOTE: For more information, see “slb template tcp” or “slb template tcp-proxy” in the Command Line Interface Reference.
This enhancement can also be found in the GUI by navigating to ADC >> Templates >> L4 and creating a TCP template. When the Reset Receive checkbox is checked, the Server Status of Down or Disabled is available. It is also found by navigating to ADC >> Templates >> L7 and creating a TCP Proxy template; when the Reset Receive checkbox is checked, the Server Status of Down or Disabled is available.
For more information, see “slb dsr-health-check-enable” in the Command Line Interface Reference.
• A per option to enable packet rate sampling to be defined per 100 ms intervals in addition to one-second intervals.
• A reset option to send a TCP reset command to kill a session that exceeds a specified packet rate
limit.
NOTE: For more information, see the pkt-rate-limit option for “slb template virtual-port” in the Command Line Interface Reference.
NOTE: For more information, see “slb template virtual-port” in the Command Line Interface Reference.
NOTE: For more information, see the “SLB Protocol Translation” chapter in the Application Delivery and Server Load Balancing Guide.
NOTE: For more information, see “show slb cache” in the Command Line Interface Reference for ADC.
Header insertion in Fast-HTTP mode is not supported for POST, GET with data, and Pipeline requests across two packets. This functionality is supported in HTTP mode.
NOTE: For more information, see “slb template http” in the Command Line Interface Reference.
The current ACOS response to an HTTP POST request with an Expect: 100-continue header is to receive non-chunked packets as part of the request until it receives a response that is not Expect: 100 Continue, in which case subsequent packets are treated as part of a new request. This behavior remains the default setting.
NOTE: For more information, see the slb template http command in the Command Line Interface Reference for ADC.
NOTE: For more information, see “strict-select” in the Command Line Interface Reference.
NOTE: Header insertion in Fast-HTTP mode is not supported for POST, GET with data, and Pipeline requests across two packets. This functionality is supported in HTTP mode.
NOTE: For more information, see “slb template http” in the Command Line Interface Reference for ADC.
NOTE: For more information about this feature, see the “SLB Protocol Translation” chapter in the Application Delivery and Server Load Balancing Guide.
NOTE: For more information, see “Load Balancing with the “DNSSEC OK” (DO) Bit” in the Application Delivery and Server Load Balancing Guide.
You can use the rcpt-to and mail-from parameters to specify the recipient and sender of this message.
NOTE: For more information, see “method” in the “Config Commands: Health Monitor” chapter in the Command Line Interface Reference for ADC.
To configure this feature using the GUI, navigate to ADC >> Health Monitors. When you create the
SMTP type of monitor, the Mail From and Receive To fields are available.
To configure this feature using the GUI, navigate to ADC >> Health Monitors. When you create a
health monitor, select the checkbox in the Enable Strict L2dsr health-check field.
NOTE: See “dsr-l2-strict” in the Command Line Interface Reference for ADC for more information.
1. At the global configuration level, import a geo-location database file and set the periodic frequency,
in seconds, to update the geo-location database.
2. Load the geo-location database into the start-up configuration for the GSLB group.
To configure a GSLB Health Monitor, create a health monitor, specifying the Global Server Load Balancing configuration level.
• When a connection is updated or created on the master, it broadcasts the change to other members of the group.
• When a connection is updated or created on a group member, it notifies the master, which broadcasts the change to other members in the group (excluding the source member).
• The "clear gslb session" and "clear gslb service-group-session" commands cannot be synced.
NOTE: For more information, see “GSLB Synchronization” in the Global Server Load Balancing Guide.
The device can be configured to calculate the response delay time (RDT) by using ICMP packets instead of DNS requests. In legacy implementations, using RDT as a metric requires calculating it by sending a DNS request from the DNS Controller to the originating LDNS server. Some topologies block outbound DNS requests with firewalls, invalidating this metric. This feature allows ICMP packets to be used for calculating the response delay time, as ping requests and replies pass through the firewall.
NOTE: For more information, see “GSLB Controller-Based Metrics” in the Global Server Load Balancing Guide.
NOTE: For more information, see “Support for DNS CNAME Records” in the Global Server Load Balancing Guide.
NOTE: For more information, see “edns client-subnet geographic” in the Global Server Load Balancing Guide.
NOTE: For more information, see “Configuring DNS Logging” in the Global Server Load Balancing Guide.
In previous releases, GSLB zones on different private partitions had to be configured with different
domains.
NOTE: For more information, see “Zones, Services, and Sites” in the Global Server Load Balancing Guide. An example configuration can be found in the “Configure a Zone” section in this guide.
Configuration Steps
1. Create a geo-location instead of a class list.
2. Create a GSLB policy to enable geo-location aliases.
3. Create a CNAME record for IPv4 queries only.
NOTE: For more information, see “edns client-subnet geographic” in the Global Server Load Balancing Guide.
This enhancement can also be found in the GUI by navigating to System >> Settings >> General.
NOTE: For more information, see “banner” in the Command Line Interface Reference.
NOTE: For details, see the Command Line Interface Reference for ADC.
NOTE: For more information, see the name command in “Config Commands: Interface” in the Network Configuration Guide.
NOTE: For more information, see “Searching and Filtering CLI Output” in the Command Line Interface Reference.
NOTE: See the Thunder Bare Metal Installation Guide for more information.
CGN Enhancements
The following enhancements are available in this release:
The feature allows HTTPS proxy to use CGN pool instead of the regular NAT pool since ADC and CGN
can run in the same partition. The allow-slb-cfg enable command enables the configuration of SLB
objects in CGN partition and disables the check that ACOS executes to prohibit ADC and CGN being
configured in the same partition.
NOTE: For more information, see “Client IP Insertion into HTTPS Requests on CGN/IPv6 Platform” in the IPv4-to-IPv6 Transition Solutions Guide.
When creating a MAP-T domain, a Default Mapping Rule (DMR) must first be configured, followed by a Basic Mapping Rule (BMR). The DMR is used to map IPv4 addresses to IPv6 addresses beyond the MAP-T domain. The BMR configures the IPv6 address or prefix, and allows a MAP-T CPE to configure an IPv4 address based on the IPv6 prefix. For each BMR, a maximum of 256 IPv6/IPv4 prefix rule sets is supported.
Within a MAP-T domain, the ACOS device sits at the edge and acts as the MAP-T Border Relay (BR). The
ACOS device uses the configured DMR and BMR to translate between IPv4 and IPv6 packet headers,
and routes the traffic accordingly onto the respective v6 or v4 networks. Multiple ACOS devices can be
supported as MAP-T BRs in the same MAP-T domain, and all MAP-T BR devices within the domain
share the same DMR and BMR.
NOTE: For more information, see “MAP-T Domain and Rule Expansion” in the IPv4-to-IPv6 Transition Solutions Guide for configuration details.
Both the share-ratio and port-start parameters must be powers of 2. The share-ratio parameter can be up to 65,536, while the port-start parameter can be up to 32,768.
NOTE: For more information, see “MAP-T Support for Share-Ration and Port-Start” in the IPv4-to-IPv6 Transition Solutions Guide for configuration details.
If the public NAT IP is distributed using a routing protocol (for example, BGP), ACOS stops redistributing the old public IP address until all the sessions using this public IP are cleared first in the background. New public IP addresses are redistributed immediately when the NAT pool is modified.
In the GUI, see the online help on the ADC >> IP Source NAT >> Static NAT page.
When a DDoS attack targeted towards a specific IP address within a NAT IP pool is detected, the ACOS device adds that IP address to the Black List. Future traffic to the given NAT IP is dropped until the configured Black List time limit has passed. The ACOS Black List can contain up to 1024 IP addresses at any given moment.
• To configure NAT IP Black Listing for DDoS protection, options are available using the cgnv6
ddos-protection packets-per-second ip command.
• The cgnv6 ddos-protection logging enable command is used to enable event logging for DDoS
protection.
• The cgnv6 ddos-protection logging disable command is used to disable event logging for
DDoS protection.
Event logging for DDoS protection must be enabled in order to log and view the Black Listed NAT IP
addresses.
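A model of the detection and black-listing behaviour described above, as an added example that is not ACOS code. The 1024-entry capacity and the packets-per-second and time-limit knobs follow the text; the one-second measurement window, the drop-without-entry policy when the list is full, and the event line format are assumptions of this example, and the flood traffic it replays is constructed:

```python
"""Packets-per-second detector with a timed NAT IP black list, modelling the
behaviour described above. Added example, not ACOS code; the traffic is
constructed, and the 1-second window, the drop-when-full policy and the log
format are assumptions of this example."""

BLACK_LIST_CAPACITY = 1024   # per the text: up to 1024 addresses at any moment


class NatIpBlackList:
    def __init__(self, pps_threshold, blacklist_seconds, logging_enabled=True):
        self.pps_threshold = pps_threshold
        self.blacklist_seconds = blacklist_seconds
        self.logging_enabled = logging_enabled
        self._window = {}   # nat_ip -> [window_start, packets_in_window]
        self._black = {}    # nat_ip -> expiry timestamp
        self.events = []    # event log lines (kept only when logging is enabled)

    def _log(self, line):
        if self.logging_enabled:
            self.events.append(line)

    def _expire(self, now):
        # A linear scan is fine for a list capped at 1024 entries.
        for ip, expiry in list(self._black.items()):
            if now >= expiry:
                del self._black[ip]
                self._log(f"{now:.3f} BLACKLIST_REMOVE nat_ip={ip}")

    def observe(self, nat_ip, now):
        """Account one packet to nat_ip at time now; return 'forward' or 'drop'."""
        self._expire(now)
        if nat_ip in self._black:
            return "drop"                 # listed: drop until the time limit passes
        win = self._window.get(nat_ip)
        if win is None or now - win[0] >= 1.0:
            win = [now, 0]                # start a fresh one-second window
            self._window[nat_ip] = win
        win[1] += 1
        if win[1] <= self.pps_threshold:
            return "forward"
        if len(self._black) >= BLACK_LIST_CAPACITY:
            self._log(f"{now:.3f} BLACKLIST_FULL nat_ip={nat_ip}")
            return "drop"
        self._black[nat_ip] = now + self.blacklist_seconds
        self._log(f"{now:.3f} BLACKLIST_ADD nat_ip={nat_ip} pps={win[1]} "
                  f"until={self._black[nat_ip]:.3f}")
        return "drop"

    def blacklisted(self):
        return sorted(self._black)


def replay(detector, packets):
    """Feed (timestamp, nat_ip) pairs in time order; return decision counts."""
    summary = {"forward": 0, "drop": 0}
    for ts, ip in sorted(packets):
        summary[detector.observe(ip, ts)] += 1
    return summary


# Constructed flood: 50 packets in half a second to one NAT IP, plus one
# packet to a neighbouring NAT IP that must keep flowing.
FLOOD = [(i * 0.01, "203.0.113.10") for i in range(50)] + [(0.305, "203.0.113.11")]

if __name__ == "__main__":
    det = NatIpBlackList(pps_threshold=20, blacklist_seconds=30)
    print(replay(det, FLOOD))                  # {'forward': 21, 'drop': 30}
    print(det.blacklisted())                   # ['203.0.113.10']
    print(det.observe("203.0.113.10", 31.0))   # forward: the time limit has passed
    for line in det.events:
        print(line)
```

With logging disabled the decisions are identical but `events` stays empty, which is the point of the note above: without event logging there is no record of which NAT IPs were listed or when they aged out.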
NOTE: For more information, see “IP Black List for DDoS Protection” in the IPv4-to-IPv6 Transition Solutions Guide.
To configure multiple tunnel-endpoint addresses in a Lw4o6 binding table, the new CLI tunnel-IPv6-address [NAT-ipv4-address port num to num ipv6-tunnel-endpoint-address] command replaces the deprecated lw-4o6 tunnel-endpoint-address command.
For more information, see “Lw4o6 - Multiple Tunnel Support” in the IPv4-to-IPv6 Transition Solutions Guide.
The cgnv6 lw-4o6 inside-src-access-list command is added to apply an ACL to Lightweight 4over6
traffic.
NOTE: For more information, see “Lw4o6 access-list for Inside IPv4 Clients” in the IPv4-to-IPv6 Transition Solutions Guide.
There are no new commands to configure one-to-one NAT for NAT64, but options are added to display
and clear the mappings for a specific IPv6 inside address.
• The show cgnv6 one-to-one mappings inside-address-ipv6 command is added to display one-to-one NAT mappings for a specific IPv6 inside address.
• The clear cgnv6 one-to-one mappings [inside-address-ipv6 ipv6-address] command is added to clear the mappings.
NOTE: For more information, see “One-to-One NAT Support for NAT64” in the IPv4-to-IPv6 Transition Solutions Guide.
No additional configuration changes are needed to configure Lightweight 4over6 support for port-less
protocols, outside of assigning a full NAT IP address to a single user within the binding table.
NOTE: For configuration examples, see “Lw4o6 for Port-less Protocols” in the IPv4-to-IPv6 Transition Solutions Guide.
The cgnv6 nat64 force-non-zero-ipv4-id [all] command is added to enable a non-zero Identification field
in the IPv4 packet header to be set if there is no IPv6 fragment header.
NOTE: For more information, see “IPv4 Identification Value for IPv6 to IPv4 Translation” in the IPv4-to-IPv6 Transition Solutions Guide.
The cgnv6 lw-4o6 binding-table-validate command is added to check an imported binding table and log all the error entries to a file.
The show cgnv6 lw-4o6 binding-table-validation-log files command is added to show the error files resulting from the lw-4o6 binding-table-validate command.
NOTE: For more information, see “Validating Lightweight 4over6 Binding Tables” in the IPv4-to-IPv6 Transition Solutions Guide.
NOTE: For more information, see “Displaying Lightweight 4over6 Binding Table in the Order Configured” in the IPv4-to-IPv6 Transition Solutions Guide.
If LSN is enabled, then ACOS checks for an existing full cone session, port reservation, or ALG session. If
Fixed NAT is enabled, then ACOS checks for an existing full cone session or ALG session. If none of
those conditions are met, then the packet is dropped.
CPU round robin for CGN is enabled by default. All dropped packets increment the “L4 Out-of-State
packets” in the show cgnv6 l4 debug command.
NOTE: For more information, see “Reduced CPU Overhead for CPU Round Robin” in the IPv4-to-IPv6 Transition Solutions Guide.
• To configure a custom LSN RADIUS table size, a new radius-table-size option is added to the cgnv6 resource-usage command.
• To view the current LSN RADIUS table size, as well as the default, maximum, and minimum values allowed for your platform, a new radius-table-size entry is added to the show cgnv6 resource-usage command.
NOTE: For more information, see “Configurable LSN RADIUS Table Size” in the IPv4-to-IPv6 Transition Solutions Guide.
NOTE: For more information, see “ip nat translation” in the Command Line Interface Reference.
NOTE: See the cgnv6 ecmp 4-tuple-hash command in the Command Line Interface Reference for CGN for more information.
This chapter summarizes platform support information for the ACOS 4.x releases.
• Splitter Cable Support for Quad Small Form-factor Pluggable on 40-Gigabit Ports
• A device with “4.0.1” in the Minimum Release column would not support release 4.0.0.
• A device with “4.0.0” in the Minimum Release column would be supported on 4.0.0 and all later
releases, unless otherwise noted.
Jumbo Frames: Supported Platforms
Thunder 6435(S)
Thunder 6430(S)
Thunder 5840(S)
Thunder 5630
Thunder 5435(S)
Thunder 5430(S)-11
Thunder 5330(S)
Thunder 4430(S)
Thunder 3430(S)
Thunder 3230(S)
AX 5630
AX 3200-12
AX 3530
Thunder 1030S No
Thunder 930
Thunder 840
vThunder for VMware ESXi Yes2
Supported Number of Partitions Per Platform
AX 5630 (FTA)
Thunder 5330/5330S (FTA) 127
AX 5200 (FTA)
AX 3530 (Non-FTA)
Thunder 3230/3230S (FTA) 64
AX 3200-12 (FTA)
Thunder 1030S (Non-FTA) 32
Splitter Cable Support for Quad Small Form-factor Pluggable on 40-Gigabit Ports
See “Splitter Cable Support for QSFP 40G Ports” in the installation guide for your specific hardware model for more information on configuration.
• A10 Tracking ID
Part of the system that had the issue (for example, IP NAT, SLB, or aFleX).
• Severity
Issues Fixed in Release 4.1.1-P13
Issues Fixed in Release 4.1.1-P12
Issues Fixed in Release 4.1.1-P11
Issues Fixed in Release 4.1.1-P10
Issues Fixed in Release 4.1.1-P9
- The LLDP Port value did not have a space, like an Interface name.
Configuration:
non-ssl-bypass service-group <sg_name> [bypass-proxy]
~ With the bypass-proxy configured under Dynamic Port Intercept, non-SSL sessions will be processed as L4 traffic.
~ Without the bypass-proxy option configured (default), the behavior will be the same as that of 4.1.1-P7, where the traffic is processed as L7 traffic.
443331 | Explicit Proxy | Major | Sending a normal request when “use-rcv-hop-for-resp” is configured can result in an explicit proxy storm loop that generates 300k sessions. | 4.1.4-P2
Issues Fixed in Release 4.1.1-P8
The traffic cannot pass through; we can see that the IP address in the URL of the RTSP packet is not changed from the SLB VIP (20.0.0.100) to the server IP (20.0.0.10) when it is forwarded to the ACOS server.
435001 | Web - ADC/CGN | Major | The Auto-authenticate option for configure-sync is missing from the Web user interface for VRRP. | 4.1.1-P8
434566 | SNMP | Major | The configured remote default user is missing after an SNMP upgrade using the "snmp-server community read pw-encrypted:" command. | 4.1.1-P6
434481 | Explicit Proxy | Major | When a DNS entry expired suddenly, the Ethernet port used to delete the back-end connection. Now the Ethernet port checks the host name and port to avoid this scenario. | 4.1.1-P5
434317 | SLB-FTP-Proxy | Major | ACOS accepts the standard “227 Entering Passive Mode” message or messages of length >=27. | 4.1.1-P8
434299 | L2/L3 | Major | The default configuration of “forward-ip-traffic” forwards only IP/IPv6 unicast traffic across all VLANs in the “bridge vlan group”. It does not forward IP/IPv6 multicast traffic across all VLANs in the “bridge vlan-group”. As a workaround, use the “forward all-traffic” option. | 4.1.2-P4
433735 | SSLi | Major | The memory usage after reload of ACOS devices without traffic was high, with maximum CPU usage, due to a memory leak. | 4.1.1-P8
433687 | SNMP | Major | In the auto-generated MIB file "ACOS-FW-OPER-MIB.mib", some of the objects include an additional comma, which prevents the MIB file from loading into the NMS/Browser, and so on. | 4.1.1-P6
Issues Fixed in Release 4.1.1-P7
409534 | VRRP | Major | In GiFW deployments, the Thunder device did not successfully create an ICMP/ICMPv6 session while pinging the floating IP in a VRRP-A pair. The ping succeeded, but the Thunder device did not create the data session. | 4.1.1-P5
409146 | Firewall | Major | In DCFW configurations, the local session idle timeout value was not correct. | 4.1.1-P6
Issues Fixed in Release 4.1.1-P6
This behavior was seen under the following conditions: the client sent a POST to the ACOS device and the packet was forwarded to the server. The server responded with a “400 Bad Request” HTTP status code (indicating that the client's request was somehow corrupted). The ACOS device reset the server connection and forwarded the 400 message to the client. At this point, the client sent the PATCH and the ACOS device was stalling.
Four seconds was the default link check timeout configured to avoid link flapping detection. The timeout value is now reduced to avoid the issue.
399367 | System-Platform | Major | When upgrading from 2.7.2 to 4.1.1-Px, the ciphers TLS1_RSA_AES_128_GCM_SHA256 and TLS1_RSA_AES_256_GCM_SHA384 are removed. (This issue is addressed in 411-P6.) | 4.1.1-P3
403180 | HW | Major | On the A10 TH3040S model, the output of the “show log” command displayed a fan failure. | 4.1.1-P5
385666 | HW | Major | The location number of the fans on the A10 TH3040S was incorrect. | 4.1.1-P3
408298 | aFlex | Enhancement | In 41x releases, the aflex_per_conn_data grew from 252 bytes in 272 to 373 bytes in 4.x. Since this structure used conn session memory, the conn type jumped from 3 to 4 (256-byte pool to 512-byte pool). The system was unable to scale to 1M sessions on models such as the A10 TH4440S system. | 4.1.1-P5
397535 | L2/L3 | Major | The member port of a trunk in a “down” state was incorrectly transitioned to up. If another port in an “up” state was added to the trunk, then the trunk state also changed to “up”. | 4.1.2-P2
279823 | NAT-CGN | Major | The syslog session leaked when aged out. | 2.8.2-P3
387085 | ConfigMgr | Major | The ACL did not sync correctly under any of the following conditions: | 4.1.0-P7
404161 | Counter-Infra | Major | Some aXAPI calls failed with the error "ACOS OPER BUFFER is corrupted by app layer". | 4.1.1-P3
399799 | System-platform | Major | The latest httpd CVE fixes for CVE-2017-3169 and CVE-2017-7679 are now available. | 4.1.2-P3
However, in ACOS version 4.x, the actual retry number was calculated as equal to the number of syn-retries configured in the template. The value was not dependent on the number of active server members.
406816 | Platform | Major | The 1G port LED glowed green even after being disabled when inserting the 1G SFP into the 1G port. | 4.1.1-P5
406645 | System - SNMP | Major | Syslog messages reported non-existing port entries that also contained incorrect priority levels. | 4.1.1-P4
406633 | SLB-Config | Major | The “show session persist” CLI command did not display complete IPv6 addresses. | 4.1.2-P3
406579 | NAT-NATPT | Major | Sessions were not removed when FIN was followed by RST. | 4.1.1-P2
As a workaround, reboot the devices in the cluster that were not initially rebooted.
406450 | System - platform | Major | When starting up, the Thunder 3430 model, running ACOS 4.1.1-P1, raised some critical system voltage logs. For example: | 4.1.1-P6
    Sep 20 2017 09:10:50 Info [SYSTEM]:System Voltage VBAT 3.3V is OK. Current value is 3119
    Sep 20 2017 09:10:50 Info [SYSTEM]:System Voltage AVCC 3.3V is OK. Current value is 3243
406393 | Web - ADC/CGN | Critical | On deleting the server port, the associated RRD files were not automatically deleted from the ACOS device. | 4.1.0-P9
405850 | System - management | Major | The callback function for regular expressions handled the last character of log messages incorrectly by ignoring it. Matching failed if the keyword was the last word of the log message. | 4.1.1-P6
405439 | IPSec VPN | Major | An enabled health monitor that used port 500, 4500, or 4510 as the source port failed because its response packet was consumed by the daemon. | 4.1.0-P9
405325 | Explicit Proxy | Major | FTP explicit proxy improperly used the route lookup to the destination to route traffic. The correct method is to select a next-hop through the service-group forward policy action. | 4.1.1-P6
404684 | L2/L3 | Major | For SLB UDP traffic, the LACP or trunk was not getting load balanced. | 4.1.1-P3
404377 | TCPIP | Critical | When an A10 device sent a full payload (window probe) packet in response to a TCP zero window, some firewalls dropped the connection. The window probe is now changed to improve interoperability. | 4.1.0-P6
404134 | SNMP | Major | The OID subtree acosRootStats was not defined in the A10-AX-MIB. There was no sub root available for the CM sub-agent. | 4.1.1-P6
404113 | ConfigMgr | Major | Some object descriptors in the generated MIB files for ACOS version 4.1.1-P5 contained the underscore character "_", which is prohibited in SNMP. | 4.1.1-P5
403828 | Router | Major | The BGP “aggregate-address” command did not work after reloading or rebooting the ACOS device. | 4.1.2-P1
387072 | aXAPI v3 | Critical | AXAPIv3 did not support configuring sync with auto-authentication. | 4.1.1-P2
382330 | aXAPI v3 | Major | When using aXAPIv3 to send a write memory request, the ACOS device returned the error message “Communication error with LB process.” This issue occurred under the following conditions: | 4.1.1-P2
380923 | SLB-HTTP | Major | The connection reservation counters were not properly updated when strict transaction switching was triggered. This caused the conn-limit feature to not work properly. | 2.7.2-P10
374228 | SSL | Major | In SSLi deployments, the current counter sometimes showed a negative value in the output of the “show slb ssl-counter” command when handling SSL traffic. | 4.1.1-P2
370048 | SLB-Config | Major | Service group members that were in disabled status when added through aXAPI improperly accepted traffic. | 4.1.1-P6
360788 | Web - ADC/CGN | Major | In SSL configurations, the ACOS device did not support the ability to view, delete, or export the Certificate Signing Request (CSR) by using the GUI. | 4.1.0-P8
Issues Fixed in Release 4.1.1-P5
Issues Fixed in Release 4.1.1-P4
397996 | Web Category - URL Filtering | Major | Found in 4.1.0-P9
  The ACOS CLI or GUI sometimes hung when network connectivity problems occurred while ACOS was downloading RTU (Real Time Updates) from the BrightCloud server. In such cases the RTU background thread was not terminated when "no enable" was invoked under "web-category".
397951 | SSL / IMAP | Major | Found in 4.1.1-P3
  With IMAP over STARTTLS, the ACOS IMAP proxy received the terminating "\r\n" as a separate two-byte segment after SSL decryption. ACOS could not parse an "APPEND" command whose bytes were split across multiple packets in this way, so the second packet was not forwarded to the server.
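The reassembly a proxy needs for the case above, added here as an example (not A10 code): a framer that buffers CRLF-terminated command lines across arbitrary segment boundaries, including a CRLF that arrives on its own or is itself split. The segments are constructed for the example, not taken from a capture.

```python
class CrlfCommandFramer:
    """Reassemble CRLF-terminated command lines (IMAP, SMTP, POP3) from arbitrary
    segment boundaries.

    A proxy that treats each TCP segment or decrypted TLS record as one command breaks
    as soon as a command, or just its terminating CRLF, arrives in a later segment.
    Buffering until a complete CRLF has been seen is the fix; max_line bounds how much
    an unterminated line may consume so that a peer cannot grow the buffer without limit.
    """

    def __init__(self, max_line: int = 8192):
        self.buf = b""
        self.max_line = max_line

    def feed(self, segment: bytes) -> list:
        """Append one segment and return every command line it completes (without CRLF)."""
        self.buf += segment
        lines = []
        while True:
            idx = self.buf.find(b"\r\n")
            if idx < 0:
                if len(self.buf) > self.max_line:
                    raise ValueError("command line exceeds %d bytes without CRLF" % self.max_line)
                return lines
            lines.append(self.buf[:idx])
            self.buf = self.buf[idx + 2:]

def reassemble(segments) -> tuple:
    """Feed all segments through one framer; return (complete lines, leftover bytes)."""
    framer = CrlfCommandFramer()
    lines = []
    for seg in segments:
        lines.extend(framer.feed(seg))
    return lines, framer.buf

# Constructed segments for the example (not a real capture). They model the report:
# the second command's CRLF arrives on its own in a later segment, and the final
# command's CRLF is itself split between two segments.
SEGMENTS = [
    b"a001 LOGIN user pass\r\na002 NOOP",
    b"\r\n",
    b"a003 LOGOUT\r",
    b"\n",
]

if __name__ == "__main__":
    lines, leftover = reassemble(SEGMENTS)
    for line in lines:
        print(line.decode("ascii"))
```

The framer only handles line framing; IMAP literals ({n} followed by n raw bytes) need a second state on top of it, which is out of scope here.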
397936 | CGNv6 | Major | Found in 4.1.1-P3
  When SYN packets were retransmitted on a session, CGN logging double-counted the length of the retransmitted SYN packets.
397636 | Platform | Major | Found in 4.1.1-P3
  The error message "unary operator expected" appeared in the console output after upgrading from 2.7.1-GR1-P1 to 4.1.1-P3. It was produced when a particular "if" block in the a10-boot script was evaluated, and was seen only on non-FPGA devices that had the "l4-session-count" option configured.
397483 | aXAPI v3 | Major | Found in 4.1.1-P3
  After an access list failed to be configured, running "show access-list" drove CPU usage to 100%.
397270/395599 | DDoS | Critical | Found in 3.2.2-P1
  On Thunder 14045 devices, fan and voltage readings were being "debounced" indefinitely, so a fan failure never produced a notification to the user.
397252 | VCS | Major | Found in 4.1.0-P9
  Restoring a system backup and then rebooting the ACOS device did not restore the config sync number captured when the backup was taken. The VCS config sequence numbers then did not match, and the vMaster and vBlade configurations became desynchronized.
396787 | SSLi | Enhancement | Found in 4.1.1-P4
  In prior releases the cert and ca-certs were stored in different locations, so the "import-periodic" option could only be applied to server certificates. The "import-periodic" option now also supports updating the ca-cert bundle used in SSLi configurations.
396560 | SLB-L4 | Major | Found in 4.1.1-P3
  In SLB deployments, if the "src-ip-only-hash" method was used in a service-group, the SLB alternative server was selected even when the primary server was UP.
396340 | System - platform | Major | Found in 4.1.2-P2
  The positions of the power units on the TH3040S appeared to be reversed. According to the output of the "show environment" command, viewed from the front, the position must be:
  However, the output of the "show log" command indicated that the position was:
395452 | aFleX | Major | Found in 4.1.1-P4
  When cookie persistence and aFleX were both in use, aFleX took priority. That is the expected behavior for match-type service-group, but not for match-type server or port. Cookie persistence now takes priority with match-type server or port, and aFleX takes priority with match-type service-group, matching the behavior of ACOS 2.7.2.
394727 | VRRP | Major | Found in 4.1.1-P4
  In VRRP-A deployments, after modifying a class list and using "configure sync" to push the configuration from the Active to the Standby device, the output of "show class-list" continued to display the old content rather than the modified class-list file in the running config.
394714 | SSLi | Major | Found in 4.1.1-P4
  With SSL3 disabled by default in 4.1.1-P4, a client request that used SSL3 did not succeed. Note that SSLv3 is deprecated (RFC 7568); the remedy for clients that still negotiate it is to update the clients rather than re-enable the protocol.
394411 | Web - ADC CGN | Critical | Found in 4.1.1-P3
  ACOS did not allow users with Partition Read/Write permissions to create a VLAN from the GUI. The issue could be seen by navigating to Network >> VLAN and clicking Create.
393973 | GiFW | Major | Found in 4.1.1-P4
  With GiFW logging, RADIUS attribute logging was broken for HTTP and custom attributes.
393760 | Health-Monitor-L7 | Major | Found in 4.1.0-P7
  If an FTP banner was large and spanned multiple packets, the ACOS device did not send the FTP password with the health check.
393424 | Router | Major | Found in 4.1.2-P2
  Loss of the Designated Router (DR) due to a dead-timer expiry resulted in link-state database (LSDB) inconsistencies.
393313 | CGN-LOGGING | Major | Found in 4.1.2-P2
  The receipt-time (RT) value in firewall logging messages did not carry a meaningful value.
392968 | HA | Major | Found in 4.1.1-P4
  When performing "configure sync" to a peer device, the ACOS GUI displayed a yellow warning prompting the user to reboot or reload the device. The message persisted even after the peer device had been rebooted, which was confusing.
392650 | ConfigMgr | Critical | Found in 4.1.0-P10
  In aVCS environments, executing some "clear" commands on the vMaster under the device context of a vBlade caused the "a10cfgmgr" process to reload.
axIpNatLsnTop5PrivateIpAddrTotNumTcpPorts
axIpNatLsnTop5PrivateIpAddrTotNumUdpPorts
392021 | Health-monitor-infra | Major | Found in 4.1.1-P4
  In rare instances, the LOG code caused a health monitor reload. Workaround: change the order of the HM_LOG parameters.
392020 | SSL | Major | Found in 4.1.1-P2
  SSL memory leaks occurred with the N5 SSL card when the ACOS device was under traffic loads heavy enough to exceed the hardware's capacity.
391570 | SSLi | Major | Found in 4.1.0-P9
  In SSLi configurations, if the signature algorithm used by the real server's certificate was not recognized, the forged certificate was signed with SHA-1 as the digest algorithm. Clients that reject SHA-1 signatures would then fail to connect through the intercepting proxy.
391037 | Web - ADC CGN | Major | Found in 4.1.1-P2
  ACOS experienced high control-CPU utilization when the device had more than 10,000 services and the user navigated to the following GUI page:
390733 | NAT-CGN | Major | Found in 4.1.1-P3
  When PPTP traffic was running, "stack trace logs" appeared.
390703 | Explicit Proxy | Major | Found in 4.1.1-P2
  In Explicit Proxy deployments, when the server redirected HTTP requests to HTTPS and the client then sent a CONNECT request for HTTPS on the same connection, the CONNECT request was mistakenly forwarded to port 80 instead of port 443.
390625 | CGN-LOGGING | Critical | Found in 4.1.1-P3
  With ALG support for RTSP enabled, memory corruption could occur when client port information was missing from the response to a client RTSP SETUP message.
  The iMessage is a large chunked PUT request that carries a trailer (X-Apple-Content-MD5). ACOS could not parse this trailer correctly, which prevented the device from forwarding the message.
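How a proxy must decode such a body, added here as an example (not A10 code): a chunked-transfer decoder that handles chunk extensions and the trailer section after the last chunk (RFC 7230, Section 4.1), rejects malformed input instead of guessing, and then checks the reassembled payload against the trailer. The request body is constructed for the example; the assumption that X-Apple-Content-MD5 carries a base64 MD5 digest like the standard Content-MD5 header is the example's own, not something the release notes state.

```python
import base64
import binascii
import hashlib
import hmac
import re

_CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]+$")

def parse_chunked(body: bytes) -> tuple:
    """Decode an HTTP/1.1 chunked message body; return (payload, trailers).

    Handles chunk extensions (";name=value" after the size) and the optional trailer
    section that follows the zero-length chunk (RFC 7230, Section 4.1). Malformed input
    raises ValueError rather than being forwarded with a guess.
    """
    pos = 0
    payload = bytearray()
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not _CHUNK_SIZE_RE.match(size_field):
            raise ValueError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break                                   # last-chunk; trailers may follow
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        payload += chunk
        pos += size + 2
    trailers = {}
    while True:                                     # trailer-part: header lines, then CRLF
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("unterminated trailer section")
        line = body[pos:eol]
        pos = eol + 2
        if line == b"":
            break
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed trailer line %r" % line)
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    if pos != len(body):
        raise ValueError("unexpected bytes after the message body")
    return bytes(payload), trailers

def is_malformed(body: bytes) -> bool:
    """True if parse_chunked rejects body."""
    try:
        parse_chunked(body)
    except ValueError:
        return True
    return False

def verify_content_md5(payload: bytes, trailers: dict) -> bool:
    """Check the X-Apple-Content-MD5 trailer against the reassembled payload.

    Assumption for this example: the trailer carries the base64-encoded MD5 digest of
    the body, the encoding RFC 1864 defines for Content-MD5."""
    value = trailers.get("x-apple-content-md5")
    if value is None:
        return False
    try:
        expected = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return hmac.compare_digest(hashlib.md5(payload).digest(), expected)

# Constructed request body for the example: two chunks (the first with a chunk
# extension), the zero-length last chunk, then the trailer and the closing CRLF.
SAMPLE_PAYLOAD = b"hello world"
SAMPLE_MD5_B64 = base64.b64encode(hashlib.md5(SAMPLE_PAYLOAD).digest())
SAMPLE_BODY = (
    b"5;ext=1\r\nhello\r\n"
    b"6\r\n world\r\n"
    b"0\r\n"
    b"X-Apple-Content-MD5: " + SAMPLE_MD5_B64 + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    payload, trailers = parse_chunked(SAMPLE_BODY)
    print(payload, trailers, verify_content_md5(payload, trailers))
```

The strict hex check on the chunk size matters as much as the trailer handling: a lenient decoder that accepts "0x5" or signed sizes is a classic source of request-smuggling disagreements between a proxy and the origin.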
389338 | CGN-LOGGING | Major | Found in 4.1.1-P3
  When the RADIUS table was blank, RADIUS attributes configured with "0000" were not included.
389455 | System - platform | Major | Found in 4.1.1-P2
  On the first boot after upgrading from 2.8.2 to 4.1.1-P2, a resource value was checked before the system resource numbers had been created.
389144 | GiFW | Major | Found in 4.1.1-P3
  Non-TCP/UDP firewall sessions did not refresh properly, even while live traffic was passing through the ACOS device.
389098 | GiFW | Enhancement | Found in 4.1.1-P2
  The "source-address" option was not available under "fw template logging", so the "source-address" option under "cgnv6 template logging" had to be used as a workaround. This is fixed in this release.
387967 | L2/L3 | Major | Found in 4.1.1-P3
  Because the concurrent session count was not freed for fragmented IP-NAT traffic, resource usage exceeded its limit even though the session counter showed few sessions.
387898 | Firewall | Major | Found in 4.1.0-P9
  In Firewall deployments, the TCP handshake was dropped when Explicit Congestion Notification (ECN) was enabled. A client with TCP ECN (RFC 3168) enabled sends a SYN with both the ECE and CWR flags set. The SYN-ACK carries only the ECE flag, which is the correct RFC 3168 response, but the ACOS device wrongly dropped these SYN-ACK packets, causing the handshake to fail.
387376 | GiFW | Major | Found in 4.1.1-P2
  When a firewall logging template with HTTP logging enabled was configured, IPv6 fragmented HTTP traffic was dropped.
386812 | SSLi | Critical | Found in 4.1.1-P4
  In SSLi deployments, the outside ACOS device sent a FIN packet if aFleX and proxy chaining were configured at the same time.
386539 | L2/L3 | Major | Found in 4.1.1-P2
  The same link-local IPv6 address could not be configured both as a floating IP and as the next-hop IP for a route.
386404 | Firewall | Major | Found in 4.1.1-P2
  The firewall TCP window check worked incorrectly for IPv6 fragments, causing the firewall to unexpectedly drop packets on TCP sessions carrying IPv6 fragments.
385765 | Firewall | Critical | Found in 4.1.1-P3
  Random ports appeared in the firewall "show session" output when a large volume of TFTP traffic was sent to the SLB-TFTP virtual port.
385609 | SLB-ICAP | Major | Found in 4.1.1-P2
  In ICAP configurations, when the original HTTP request line was very long, the 200 response from the ICAP server was truncated or broken across three or more packets.
384730 | AAA | Major | Found in 4.1.0-SP2
  If more than one TACACS server was configured for command authorization and "tacacs-server monitor" was configured for them, ACOS kept switching between the two servers, which caused authorization to fail.
384622 | Health-Monitor-Infra | Critical | Found in 4.1.1-P2
  aXAPIv3 returned only 60 items even when more than 200 health-check objects were configured, because "MAX_TLV_COUNT" was 60.
380353 | Health-Monitor-L7 | Major | Found in 4.1.1-P4
  Background: cipher-suite naming was inconsistent between SSL templates and SSL health monitors. Ciphers under client SSL templates use the A10-specific cipher names, whereas ciphers under HTTPS health monitors use the OpenSSL names.
372049 | Web - ADC CGN | Major | Found in 4.1.0-P8
  This fix addresses a vulnerability resulting in buffer overflows.
370735 | L2/L3 Broadcom/Marvell | Major | Found in 2.8.2-P5
  Enabling or disabling a 100 Gbps port carrying live traffic at a moderate rate caused all outbound traffic to be dropped at the XAUI level. Once triggered, the only way to recover the device was to reload it.
  6. The total current connections chart and real-time data showed zero on the master.
369292 | System-platform | Major | Found in 4.1.2
  On the TH3040S, a store name could be configured with special characters, but a name containing them could not then be used; an error message reporting an incorrect string value was displayed.
365098 | Firewall | Minor | Found in 4.1.1-P2
  The "Data Sessions Used" counter in the output of "show fw system-status" displayed incorrectly large values shortly after packets were sent.
356662 | SNMP | Major | Found in 4.1.0-P7
  The memory usage reported by the CLI and by SNMP (axSysMemoryUsage) differed widely, when the two values should be close to each other.
348940 | SLB-HTTP | Major | Found in 4.1.0-P5
  When a virtual server was configured for proxy-server load balancing, the ACOS device did not bypass HTTPS requests as it should. Instead it forwarded the CONNECT request to the real proxy server, and when the client then sent a Client Hello, ACOS terminated the connection with a FIN packet.
348881 | System-platform | Critical | Found in 4.1.2-P2
  If the timezone configuration was removed from a device and a reload was then initiated, the timezone information appeared differently on the following two pages:
  System>>Getting Started>>System
  System>>Settings>>Time
  The timezone CLI command behavior was changed to fix this. When the timezone is configured with the CLI, the timezone configuration now appears only in the startup-config after a write memory operation and is not part of the running-config.
347005 | L2/L3 | Major | Found in 2.8.2-P6
  Interface flapping could occur on a VE or trunk interface when the system clock was set manually or by NTP. This occurred when the ACOS device had an LACP trunk configured as tagged or untagged under any VLAN. There was no workaround, but the flapping typically lasted only for the short time while the system clock was changing.
344842 | SSL | Enhancement | Found in 4.1.1
  ACOS did not display an alert after importing a Thales cert/key created by another device. Such a warning is needed to inform the user that the change takes effect only after a service restart.
Issues Fixed in Release 4.1.1-P3
386560 | GiFW | Normal | Found in 4.1.1-P2
  An incorrect checksum calculation for ICMPv6 error messages caused the client to drop the packets.
386065 | System-platform | Normal | Found in 2.7.2-P10
  On the AX 5630S, when the temperature threshold was set so that the reading fell in the "FAILED" range, "Physical System temperature2" always showed "OK" and did not trigger the "FAIL" monitor event. This issue was specific to the AX 5630S model.
385135 | VRRP | Normal | Found in 4.1.1-P2
  In LSN VRRP-A configurations, after a failover from Active to Standby, the session timeout value kept increasing on the new Standby device.
when HTTP_REQUEST {
.
385084 | GiFW | Normal | Found in 4.1.2-P1
  GiFW handled IPv6 GRE packets incorrectly: GRE packets from one side were dropped even though the GRE session had been created.
384727 | System - platform | Normal | Found in 4.1.1-P2
  On TH6440 platforms, the "big-buff-pool" command was not supported because 6M buffers were already enabled.
384121 | GiFW | Major | Found in 4.1.1-P3
  Syslog messages for ALG data sessions were not sent for some ALGs, such as FTP and SIP.
384115 | Web - ADC CGN | Critical | Found in 4.1.1-P2
  The ACOS GUI returned an "Invalid Authentication" error even when the login credentials were entered correctly.
383917 | Firewall | Normal | Found in 4.1.1-P2
  CGN logs included the inside RADIUS information instead of the expected outside RADIUS information.
383851 | Firewall | Normal | Found in 4.1.1-P2
  Flexible Traffic ASIC (FTA) models reported an extra 4 bytes of packet length in the firewall logs, so the same packet showed different lengths on FTA and non-FTA devices.
383674 | SLB-NAT | Normal | Found in 4.1.1-P2
  GRE session synchronization with the IP NAT PPTP ALG did not work.
383435 | System - platform | Critical | Found in 4.1.1-P3
  The 40G port on the TH 4440 sometimes did not return to UP status after being enabled and disabled several times.
383317 | AWS | Major | Found in 4.1.1-P3
  On vThunder for AWS, the management service did not work on the data interface.
383038 | SLB-Config | Normal | Found in 4.1.1-P2
  The configuration of LIDs that have no parameters was not displayed.
379567 | VCS | Normal | Found in 4.1.2
  In aVCS configurations, the tagged or untagged Ethernet configuration under a VLAN was lost on a newly joined vBlade node.
379279 | SSL | Normal | Found in 4.1.1-P2
  SSL intermediate certificates that were part of the certificate file were not sent during the SSL handshake. Clients that do not already have the intermediate cached then cannot build the chain; "openssl s_client -connect <host>:<port> -showcerts" shows which certificates a virtual server actually sends.
379234 | Config-Mgr | Normal | Found in 4.1.1-P2
  An FQDN server could not be deleted from the ACOS device if a server with the same name existed in both the shared partition and an L3V partition.
  2) Another FQDN server (with the same name) was created in the L3V partition.
  If you then tried to delete this FQDN server from the L3V partition, the operation failed and the server could not be removed from the running config.
  This issue occurred only with the long form of the CLI command, "no slb server a10 www.a10networks.com". It did not occur with the short form, "no slb server a10".
378649 | TCPIP | Normal | Found in 4.1.1-P2
  When TCP syslog servers were used for CGN logging, some TCP options on SYN-retry packets were missing or disabled. For example, after more than two full-proxy TCP SYN retries, the TCP options on the SYN packet were disabled.
378643 | TCPIP | Normal | Found in 4.1.1-P2
  When the ACOS device reset the connection to a TCP syslog server after exhausting retransmit retries, it erroneously sent a PSH+ACK+RST packet instead of a plain RST+ACK.
378601 | TCPIP | Normal | Found in 4.1.1-P2
  When a syslog service was stopped, it sent a RST for any new connection attempt. The ACOS TCP stack responded with its own RST only after a timeout, which was unexpected and not in accordance with the RFC.
378334 | Firewall | Normal | Found in 4.1.1-P2
  With a basic Firewall configuration, a TCP SYN created a half-open session on the ACOS device. If the client retransmitted the SYN (for example because the first SYN was lost), the retransmitted SYN was dropped by the ACOS device, and the client had to restart the TCP connection from the beginning.
377431 | SSLi | Major | Found in 4.1.1-P2
  When SSLi was configured in a single partition, the SSLi inside and outside VIPs sent FIN/ACK packets with the wrong source MAC address.
377426 | IPV6 Transition | Major | Found in 4.1.1-P2
  When a server was configured for external logging, the health status of a specific port could not be followed.
377065 | GSLB | Normal | Found in 2.7.2-P10
  With GSLB configured, the "showtech" and "show running-config" commands sometimes hung because of an internal error in the a10gmpd process.
376783 | Web Category - URL Filtering | Critical | Found in 4.1.1-P1
  The ACOS device leaked memory slowly in web-category cloud lookups. In rare situations, when a cloud lookup failed (because of a stale socket or other connectivity problem), the device retried the request over a new connection; during the retry some memory was overwritten without being freed, leaking 32 KB per retry attempt.
375412 | System - management | Normal | Found in 4.1.0-P9
  ICMP timestamp request and reply packets were not dropped as expected.
375343 | Config-Mgr | Normal | Found in 4.1.1-P1
  When a new vThunder instance was launched from the OVA file on the A10 Support Portal, ACOS did not allow the GUI to be used to edit an interface.
  This occurred only when the vThunder instance was deployed from the OVA on the Support Portal; it did not occur after upgrading the instance to the same release with an upgrade image (UPG extension).
  The "a10jsongen" process was launched and running when the instance was created with the UPG upgrade file, but the file was erroneously not included in the installation OVA.
375289 | SSL | Normal | Found in 4.1.0-P7-SP2
  In end-to-end SSL offload, downloading a file over HTTPS failed when the back-end server sent a close_notify alert while the SSL card was in the middle of an encryption or decryption operation.
• Dashboard>>ADC
• ADC>>SLB.
374500 | Router/OSPFv3 | Normal | Found in 4.1.1-P1
  The ACOS device stopped sending OSPFv3 multicast packets when the OSPF neighbor count reached 150 peers.
374389 | aFleX | Normal | Found in 2.7.2-P5
  Using the aFleX command "HTTP::respond 400" while the ACOS device was still receiving a client POST request sometimes caused HTTP parsing errors such as "HTTP header ... too long".
368446 | Explicit Proxy | Major | Found in 4.1.1-P1
  A forward-to-proxy policy error occurred in which, for client requests received in a specific order, the subsequent request was not forwarded correctly. The forward-to-proxy policy was resetting connection parameters such as the "forward-to-service-group".
368203 | SLB-HTTP | Normal | Found in 4.1.0-P8
  With "100-cont-wait-for-req-complete" configured in the HTTP template, the ACOS device sent a RST to the client or server when it received a 401 response without a Content-Length header.
367342 | L2/L3 | Normal | Found in 4.1.0-P8
  Migrating an L3V interface configuration from ACOS 2.7.2 to 4.1.x failed because of certain settings present under an L3V interface, such as MTU, name, flow-control, speed, duplex, LLDP, monitor, and load-interval.
367006 | System - platform | Normal | Found in 4.1.1-P2
  The ACOS SSH configuration supported only the hmac-sha1 and hmac-sha1-96 MAC algorithms. To strengthen SSH security, hmac-sha2-512 and hmac-sha2-256 were added to the SSH client and server configuration, and hmac-sha1-96 will not be supported in future releases. After upgrading, confirm that the management clients and automation that connect to the device negotiate an hmac-sha2 MAC, and update anything pinned to hmac-sha1-96 before it is removed.
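A way to verify what a peer actually offers, added here as an example (not A10 code): it parses the SSH_MSG_KEXINIT that each side sends at the start of the handshake (RFC 4253, Section 7.1) and checks the MAC name-lists against a policy that flags hmac-sha1-96 and requires an hmac-sha2 MAC. The two KEXINIT payloads are constructed for the example; in practice the device's KEXINIT comes from a packet capture, or the same lists can be read from the "peer server KEXINIT proposal" output of ssh -vv.

```python
import struct

SSH_MSG_KEXINIT = 20

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, Section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

def _name_list(names) -> bytes:
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(fields: dict, cookie: bytes = bytes(16)) -> bytes:
    """Serialise a KEXINIT payload. Used here only to construct example input;
    a real check would take the payload from a packet capture or an SSH library."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        out += _name_list(fields.get(name, []))
    out += b"\x00"                  # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)     # reserved, always 0
    return out

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload into {field: [algorithm, ...]}; raise ValueError if malformed."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 17                        # skip message byte and 16-byte cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % name)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list for %s" % name)
        pos += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields

# Policy: truncated SHA-1 and MD5 MACs are weak; RFC 6668 defines the SHA-2 MACs.
WEAK_MACS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
REQUIRED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}

def check_mac_policy(fields: dict) -> list:
    """Return human-readable findings about the MAC algorithms a peer offers."""
    findings = []
    for direction in ("mac_algorithms_client_to_server", "mac_algorithms_server_to_client"):
        offered = set(fields.get(direction, []))
        for weak in sorted(offered & WEAK_MACS):
            findings.append("%s: offers weak MAC %s" % (direction, weak))
        if not offered & REQUIRED_MACS:
            findings.append("%s: no hmac-sha2 MAC offered" % direction)
    return findings

# Constructed offers for the example (not captured from an ACOS device): the pre-fix
# MAC list as the report describes it, and a post-fix list that adds the SHA-2 MACs.
COMMON = {
    "kex_algorithms": ["diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-ctr"],
    "encryption_algorithms_server_to_client": ["aes128-ctr"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
OLD_OFFER = build_kexinit(dict(COMMON,
    mac_algorithms_client_to_server=["hmac-sha1", "hmac-sha1-96"],
    mac_algorithms_server_to_client=["hmac-sha1", "hmac-sha1-96"]))
FIXED_OFFER = build_kexinit(dict(COMMON,
    mac_algorithms_client_to_server=["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
    mac_algorithms_server_to_client=["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"]))

if __name__ == "__main__":
    for label, offer in (("old", OLD_OFFER), ("fixed", FIXED_OFFER)):
        print(label, check_mac_policy(parse_kexinit(offer)) or ["ok"])
```

Checking the offered lists, rather than just the MAC the client happened to negotiate, is what shows whether a weak algorithm is still reachable by a less careful peer.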
366844 | SSLi | Major | Found in 4.1.1-P2
  If an import of a cert, key, CRL, or ca-cert failed, the failed item was added to the periodic-import backend file and ACOS kept retrying the import periodically, instead of returning an error to the CLI. Retrying is expected only for failures of a periodic-import configuration, not for a regular import.
365794 | SSLi | Normal | Found in 4.1.1-P2
  Non-TCP/UDP traffic sometimes bypassed the security/firewall device and was forwarded directly to the internet. The "redirect-fwd" and "redirect-rev" options had no effect when configured under the "port 0 others" virtual port, so that traffic was not always redirected to the security/firewall device.
364738 | TCP/IP | Major | Found in 4.1.0-P9
  In a VRRP-A configuration, after a failover from the active device to the standby device, active Layer 7 sessions continued on the new standby device.
364618 | SLB-FTP | Normal | Found in 2.7.2-P10
  A 4K memory leak occurred with ftp-proxy virtual port configurations: a 4K memory block was leaked each time a request was split across multiple packets.
364598 | IPV6 Transition | Critical | Found in 4.1.1-P1
  In 4.1.1-P3, session synchronization is compatible with devices running older releases such as 2.7.x, 2.8.x, 4.1.0-Px, 4.1.100 and earlier. However, ACOS 4.1.1-P3 does not support synchronizing sessions from releases 4.1.1 through 4.1.1-P1.
361897 | VRRP-A | Major | Found in 4.1.1-P3
  The standby device in a VRRP-A pair erroneously sent FIN/RST packets. This could happen for older active Layer 7 sessions that had aged out.
361699 | Health-Monitor-Infra | Enhancement | Found in 4.1.1-P1
  A config-management limitation prevented regular expressions containing a "?" character from working, which affected health monitor configurations.
361594 | SLB-NAT | Normal | Found in 4.1.1-P1
  The ACOS device did not use the IP NAT gateway and instead sent packets out via the static route. When the outside interface matched the IP NAT subnet range, the device should have used the IP NAT gateway as the next hop, but it did not.
360181 | System - management | Critical | Found in 4.1.1-P1
  An ACL applied to a management service on the ACOS device was not dynamically updating the service's iptables entries; for example, when an ACL was used to restrict management access, the iptables entries should have been updated automatically but were not. Workaround: remove the management port and then re-attach it under the service.
360022 | SLB-SMTP | Normal | Found in 4.1.0-P7
  A slow memory leak occurred when IMAP traffic was sent with an invalid request line.
358036 | SLB-Config | Major | Found in 4.1.1-P2
  When a policy was bound to multiple virtual ports, the ACOS device did not migrate all of the configuration after an upgrade, so the PBSLB configuration was missing.
347248 | L3V | Major | Found in 4.1.1-P3
  Deleting an L3V partition affected the trunk ports on the ACOS device. This issue occurred under the following conditions:
  3) Tag all of the VLANs on each partition to bind them to the trunk interface.
  While this issue did not impact traffic, the output of the "show varlog" command shows that deleting the L3V partition affected the trunk ports, resulting in unexpected log messages such as the following:
Issues Fixed in Release 4.1.1-P2
329632 | NAT-CGN | Normal | Found in 4.1.2-P1
  On a CGN device with VRRP-A configured, the full-cone session entry for an FTP data session (FTP active mode) was erroneously created on the standby ACOS device instead of the active device, and then timed out on the standby shortly afterwards.
317689 | NAT-CGN | Major | Found in 4.1.1-P3
  The client-to-server connection did not work when "max-users-per-ip 1" was configured in the NAT pool, but worked with "max-users-per-ip 2".
The workaround is to save the gslb group related configuration for the
members so if the ‘a10lb’ process reloads, the members can retrieve
their configurations from the master when the connection is re-estab-
lished.
2) each source rule had at least one dest. ac/ipv4/ipv6 class-list rule,
AND
The reload could occur even if multiple source rules had different desti-
nation class-lists, but a class-list which had a duplicated entry in the
existing class-list was imported.
363205 | aFleX | Critical | Found in 4.1.1-P2
  Occasionally, a local variable defined in an aFleX script was modified or used by a different session.
363201 | VRRP-A | Critical | Found in 4.1.1-P2
  If the disable-default-vrid option was configured under VRRP-A common and no VRID was attached to a resource configuration, the ACOS device was erroneously treated as the standby device for VRID 0.
363163 | Health Monitor | Normal | Found in 4.1.0-P8
  When the health monitor method was changed from TCP to HTTP, the proto_data of the health monitor instance for the old TCP method was not freed, so it could not be used for the new HTTP method.
363076 | VRRP-A | Normal | Found in 4.1.100
  In VRRP-A configurations with three devices, raising the priority of one of the ACOS devices did not lead to the expected change in the active role.
362449 | SNMP | Major | Found in 2.8.2-P6
  The GUI statistic for total throughput had no equivalent OID for use via aXAPI. The object axGlobalThroughputPerSecond, which sums the throughput of all Ethernet interfaces, was added.
362422 | SLB-Policy | Normal | Found in 4.1.0-P7-SP2
  Importing a file with the Windows SFTP client created the file with 600 permissions, so neither the GUI nor the "show bwlist <name> details" CLI command could display its content.
362215 | Web - ADC CGN | Normal | Found in 4.1.0-P7
  On Internet Explorer 11 with "Display intranet sites in Compatibility View" enabled, the GUI appeared blank after login.
OR
357337 | System - platform | Critical | Found in 2.7.2-P9
  A core-less reboot of the ACOS device was caused by a race condition in the kernel hash table.
356858 | System - management | Critical | Found in 4.1.0-P7
  NTPD listened only on the physical interfaces and not on VE interfaces, so NTP could not synchronize with an NTP server reachable through a VE interface.
356838 | NAT-CGN | Normal | Found in 4.1.1-P1
  The "allow-slb-cfg enable" feature did not work with lsn-rule-list.
356830 | System - management | Normal | Found in 4.1.1-P1
  When the maximum number of admin sessions was reached, the session ID restarted at 1 but was not incremented as further sessions were created.
356773 | SSL | Normal | Found in 4.1.0-P7-SP2
  SSL renegotiation did not work with RC4 ciphers, so ACOS could not open a website through SSLi. The issue occurred on the external SSLi device, which held the connection between the ACOS device and the real server; the website performed SSL renegotiation using RC4 ciphers. With RC4 ciphers disabled in the server-SSL template, the website opened without issue. Note that RC4 is prohibited in TLS (RFC 7465) and should be left out of server-SSL templates regardless of this fix.
356662 | SNMP | Major | Found in 4.1.0-P7
  The memory usage reported by the CLI and by SNMP (axSysMemoryUsage) differed widely, when the two values should be close to each other.
356467 | L2/L3 | Normal | Found in 4.1.0-P7
  If an ACOS device in transparent mode had its default gateway modified without the old gateway being removed first, "show ip route" displayed multiple gateway routes. This could cause the front-end and back-end configurations to fall out of sync, and packets sent to the default route could be lost.
356257 | Health Monitor | Critical | Found in 4.1.1
  The LDAP health monitor incorrectly reported a health check as DOWN with result code 0, even though result code 0 should occur only for a health monitor marked UP.
355909 | SSL | Critical | Found in 2.7.2-P9
  With session-cache enabled, the original connection continued to work but the session-reuse connection failed. The ACOS device completed the session-reuse handshake and forwarded the data to the server, but the server's response was not forwarded back to the client.
355612 | IPV6 Transition | Normal | Found in 4.1.1-P1
  The MAP-T CE enforced dropping of inbound packets to reserved destination ports. In MAP-T shared-address configurations, this is now done in the BR itself.
The “value” keyword was not a supported parameter, and use of this
triggered a NULL pointer de-referencing that caused the device to
reload.
355459 | System - platform | Normal | Found in 4.1.1-P1
  The config manager process became stuck, and the CLI and GUI hung, after the "show techsupport export" command was run.
355288 | SSLi | Major | Found in 4.1.0-P8
  The ACOS device sometimes reloaded if, under live traffic, a service-group was removed from an HTTP virtual port bound to a forward-policy template.
355192 | TCPIP | Normal | Found in 2.7.2-P7
  If a client requested ECN in its SYN, the TCP stack sometimes replied "ECN capable" even though it was not: the SYN-ACK was sent with the ECE flag set although ECN was not supported in some cases.
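The ECN handshake rules behind this entry and behind 387898 above, as an added example (not A10 code): it classifies a SYN / SYN-ACK pair by the ECE and CWR flag combinations that RFC 3168, Section 6.1.1 defines, so that the legitimate ECE-only SYN-ACK that the firewall wrongly dropped is accepted while a SYN-ACK that asserts ECN in reply to a non-ECN SYN, as the faulty stack sent, is flagged. The TCP headers are constructed for the example, not captured traffic.

```python
import struct

# TCP flag bits in the flags byte at offset 13 of the TCP header (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

def is_ecn_setup_syn(flags: int) -> bool:
    """RFC 3168, Section 6.1.1: an ECN-setup SYN has SYN set, ACK clear, and both ECE and CWR set."""
    return bool(flags & SYN) and not (flags & ACK) and (flags & (ECE | CWR)) == (ECE | CWR)

def is_ecn_setup_synack(flags: int) -> bool:
    """RFC 3168, Section 6.1.1: an ECN-setup SYN-ACK has SYN and ACK set, ECE set and CWR clear."""
    return (flags & (SYN | ACK)) == (SYN | ACK) and bool(flags & ECE) and not (flags & CWR)

def handshake_verdict(syn_flags: int, synack_flags: int) -> str:
    """Judge a SYN / SYN-ACK pair the way a stateful inspector should.

    'ecn-negotiated'     ECN-setup SYN answered by an ECN-setup SYN-ACK. This is the
                         legitimate exchange that the faulty firewall dropped (387898).
    'protocol-violation' SYN-ACK asserts ECE although the SYN was not an ECN-setup SYN.
                         RFC 3168 forbids this; it is what the faulty stack sent (355192).
    'no-ecn'             any other compliant combination.
    """
    if not (syn_flags & SYN) or (syn_flags & ACK):
        raise ValueError("first segment is not a SYN")
    if (synack_flags & (SYN | ACK)) != (SYN | ACK):
        raise ValueError("second segment is not a SYN-ACK")
    if is_ecn_setup_syn(syn_flags) and is_ecn_setup_synack(synack_flags):
        return "ecn-negotiated"
    if not is_ecn_setup_syn(syn_flags) and (synack_flags & ECE):
        return "protocol-violation"
    return "no-ecn"

def build_tcp_header(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, zero checksum) for the example."""
    data_offset = 5 << 4            # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)

def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    return segment[13]

def verdict_from_segments(syn_segment: bytes, synack_segment: bytes) -> str:
    return handshake_verdict(tcp_flags(syn_segment), tcp_flags(synack_segment))

# Constructed headers (not captured traffic) for the two reports.
CLIENT_ECN_SYN = build_tcp_header(SYN | ECE | CWR)
SERVER_ECN_SYNACK = build_tcp_header(SYN | ACK | ECE, sport=443, dport=40000)
CLIENT_PLAIN_SYN = build_tcp_header(SYN)

if __name__ == "__main__":
    print(verdict_from_segments(CLIENT_ECN_SYN, SERVER_ECN_SYNACK))      # ecn-negotiated
    print(verdict_from_segments(CLIENT_PLAIN_SYN, SERVER_ECN_SYNACK))    # protocol-violation
```

A SYN-ACK with both ECE and CWR set, or a SYN with only one of the two, is a non-ECN-setup segment under RFC 3168 and is treated as "no-ecn" rather than dropped; only the case where ECN is asserted without having been requested is a violation.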
354926 | Explicit Proxy | Critical | Found in 4.1.1-P1
  With a software SSL solution and an explicit-proxy policy, if the client-ssl template included a bypass and a client accessed a website that was bypassed, the ACOS device failed.
354830 | Web - ADC CGN | Major | Found in 4.1.1-P1
  Errors sometimes occurred when the GUI was used to configure object names containing special characters.
354788 | AWS | Major | Found in 4.1.1-P1
  If the user updated the license on a vThunder for AWS device and later revoked it, the factory-installed default license was also revoked, because only one license file can be present on the system at a time.
354772 | SLB-NAT | Normal | Found in 2.7.2-P8
  External Service Auto-NAT failed when a large number of ports were configured. With this fix, response packets for data sent to an external service group are returned to the same CPU as the client connection.
354676 | aFleX | Normal | Found in 2.7.2-P9
  With the aFleX command DNS::header, the AD and CD fields could not be read or set; attempts to change either value failed.
354442 | SSLi | Normal | Found in 4.1.0-P8
  In SSLi + Proxy environments, Cert-Fetch requests were terminated by a FIN packet, resulting in memory leaks.
354247 | SLB - L4 | Normal | Found in 2.7.2-P9
  Retransmitted SYN packets were dropped when half-open-idle-timeout was configured.
353587 | SSLi | Normal | Found in 4.1.0-P6
  Server-side SSL renegotiation did not work on the outside ACOS SSLi device: renegotiation-disable did not take effect as long as forward-proxy-enable was configured.
352516 | System - platform | Normal | Found in 2.7.2-P7
  This fix addresses issues with the buffer threshold in multiple-CPU environments.
Issues Fixed in Release 4.1.1-P2
The workaround for this issue is as follows: after the device is rebooted, remove the DHCP configuration, re-configure the wildcard VIP, and then re-add the DHCP config on the interface.
Tracking ID | System Area | Severity | Issue Description | Version Reported
351347 | Web - ADC CGN | Normal | Using the GUI, when selecting the period of time to display a VIP chart, if the period was longer than 3 days, the graph only covered the period up to 3 days from the initial start time. | 4.1.1
351211 | VCS | Normal | The user was not allowed to rename the device name without first doing a "no" operation on the device name. | 2.7.2-P10
351154 | AAA | Normal | Increased the LDAP DN field length to 128 characters, as per requirement. | 4.1.1-P1
349975 | SSL | Normal | In previous releases, the ACOS device did not check the SignatureAlgorithm extension offered by the client and always signed the ServerKeyExchange message with SHA1. This caused connection errors if the client did not support SHA1. In this latest release, support is added for the SignatureAlgorithm extension. | 4.1.0-P8
349252 | SLB - L4 | Major | The age of the TCP half-open session refreshed to 60 when the CLI options half-open-idle-timeout and reset-unknown-conn were both configured. | 2.7.2-P9
349078 | SLB - DNS | Normal | With SNAT enabled, if two DNS queries were received on the same socket, both were sent to the server, but only the first response was sent to the client. Workaround: configure a udp-template with aging-short to change fast-path processing to slow-path. Recommended additional configuration: "slb template udp u1", followed by "aging short 6" under it. | 2.7.2-P8
348631 | NAT-CGN | Normal | For certain ranges of NAT IPs, the NAT IP was not configured in Linux. This sometimes caused issues when advertising the NAT IPs. (The fixed-NAT pool was not added to kernel interface lo1 if the first octet was either the subnet ID or the broadcast IP integer.) | 4.1.0-P8
348014 | Health Monitor | Major | The ACOS device generated "service-group down" logs even though one or more members of the service group were UP. | 4.1.1-P2
347020 | Chassis Platform | Major | The show log command displayed some incorrect output. | 4.1.100
346027 | System - platform | Major | This fix addresses an issue with high control CPU usage when using a configuration option for the switching ASIC. | 2.8.2-P5
341740 | Web - ADC CGN | Normal | Using Internet Explorer 11, if the user attempted to use the GUI to edit a DCFW ruleset, the ruleset edit page sometimes did not appear. | 4.1.0-P5
340939 | NAT-CGN | Critical | In some SLB SIP configurations with HA, the device did not work. The workaround is to avoid using HA for SIP traffic. | 2.8.2-P4-SP2
Issues Fixed in Release 4.1.1-P1
Issues Fixed in Release 4.1.1
The workaround was to make sure that lockout was not configured for any template that would be applied at the virtual port level.
Tracking ID | System Area | Severity | Issue Description | Version Reported
333038 | Explicit Proxy | Major | After applying a policy template under a virtual port without applying a service group, the virtual port status was down and could not handle explicit proxy requests. | 4.1
332615 | System - mgmt | Major | If a class list was created from the CLI and then a class-list file with the same name was imported, the "show run class-list name" output differed from the "show class-list name" output. With the fix, they are no longer merged together. The workaround is to delete the original first, instead of trying to overwrite it. | 4.1.1
Tracking ID | System Area | Severity | Issue Description | Version Reported
460837 | System - platform | Major | The SSH access control does not take effect for vThunder ports on Azure. In Azure Single Interface mode, only one interface acts as both the management and data interface. ACOS allows traffic on port 22 before the "a10lb" process comes up. This is expected behavior. | 4.1.1-P9
333961 | L3V | Enhancement | Some counters in the output of the "show resource-accounting" command are incorrect. The default "current value" of real servers, real ports, service groups, and GSLB geo-locations shows some value, but the current value must be zero because there is no related configuration. The "clear" command does not clear it. | 4.1.1
Known Issues in 4.1.1-P7
Tracking ID | System Area | Severity | Issue Description | Version Reported
435640 | System-Platform | Major | When the management port of a TH930 family device (TH930/TH1030/TH3030) was connected to a Cisco C2950 Fast Ethernet port, the Cisco C2950 port did not change from link-up to link-down even when the Thunder management port was disabled. | 4.1.1-P6
430636 | GUI | Major | Thunder (TH1030) reboots after a large (> 250M) ACOS debug file is downloaded through the GUI. This issue is very rarely reproducible. | 4.1.1.P5
430462 | System - platform | Major | TH3040 10G ports do not function correctly after reboot when connected to Brocade ICX7450 SFP+ 10G ports. | 4.1.1-P7
428875 | L2/L3 | Major | When capturing packets with ACOS debug, a display issue occurred, causing erroneous values to appear in the ACOS debug output for VLAN numbers. This issue was seen for incoming IP packets with non-zero DSCP values on tagged interfaces. | 4.1.1.P5-SP2
383891 | Firewall | Major | The vMaster blocks configuration of a vBlade interface if "Local zone" already exists in the aXAPI Local zone configuration. | 4.1.1-P3f
Known Issues in 4.1.1-P5
Known Issues in 4.1.1-P4
Tracking ID | System Area | Severity | Issue Description | Version Reported
389455 | System-platform | Major | When upgrading from 2.8.2-Px to 4.1.1-P2, the AX-5630 remained in a LOADING state. This issue appears to be caused by ACOS checking for a resource value before the system resource numbers were created. The issue only seems to happen on the first boot after upgrading from 2.8.2 to 4.1.1-P2. | 4.1.1-P2
387496 | System - management | Major | On vThunder systems running in Azure and installed with a single NIC, you cannot access the GUI and aXAPI on ports 80 and 443. As a workaround, you can use other ports for GUI and aXAPI access. For example, run the following commands to access the GUI and aXAPI on ports 8080 and 1112: | 4.1.1-P2
- if the profile is not '' or does not exist in the saved startup profile
import/export/copy/backup
The second CLI session may hang if the user tries to run one of the long-latency commands while the first session is still working on the request.
364198 | SLB-HTTP | Major | If the "keep-client-alive" option was configured, the ACOS device did not remove session entries upon receiving a RST/FIN packet from the client. This caused the connection with the client to remain open even after the FIN packet. | 2.7.1-GR1
359863 | Health-Monitor-Infra | Major | The Database Health Monitor (Oracle) does not work in any L3V partition, but the shared partition has no issues. | 4.1.1-P1
344836 | System - platform | Major | When upgrading from 4.0.1 to 4.1.0-P5, the upper limit on the maximum number of supported object groups is reduced from 256 to only 128 entries. | 4.1.0-P5
342955 | System - platform | Critical | ACOS may allow multiple simultaneous upgrade requests from the API, CLI, and GUI. | 4.1.0-P5
339874 | aFleX | Major | You may not be able to delete a service group if it was used in an aFleX script that was later deleted. | 4.1.1-P3
336658 | System - platform | Major | An erroneous fan ID mapping was corrected in the ACOS software on Thunder 6430 models in order to align with the information in the installation guide. | 2.8.2-P8
307219 | Health-Monitor-Infra | Major | The ACOS device reloaded when it ran a health check against the Oracle database. | 2.7.2-P8
287614 | VCS | Enhancement | On aVCS deployments, the sequence number may become re-ordered and may no longer reflect what was configured. This issue can happen if you insert a new ACL entry with a sequence number located in the middle of an existing ACL that is configured on the vMaster, and the vBlade is then reloaded or rebooted. | 2.7.2-P6
256261 | L2/L3 | Major | When aVCS is enabled, the interface status in the CLI shows "UP" while it shows "DOWN" in the GUI. | 4.0.1
249916 | L2/L3 | Major | Adding static IPv6 neighbor entries for link-local addresses failed. | 2.8.1-SP6
Known Issues in 4.1.1-P3
- if the profile is not '' or does not exist in the saved startup profile
Tracking ID | System Area | Severity | Issue Description | Version Reported
380744 | Web - ADC CGN | Major | Chrome-supported ECDSA cipher suites do not match the ECDSA cipher suites available on the FIPS device. If an ECDSA web certificate or key is imported into a FIPS device, the GUI becomes inaccessible. | 4.1.1-P3
379409 | SLB-NAT | Major | If the source NAT pool is not large enough to handle heavy traffic, the ACOS device may reset some of the connections. This, in turn, may cause ACOS to use the wrong VRID MAC as the source MAC address in the RST packets. | 4.1.1-P3
378404 | System - management | Major | The configuration of monitor x (under interface) is lost after upgrading to 4.1.1-P3 from a legacy 2.x build. For example: | 4.1.1-P3
interface ethernet 1
  monitor both <--
interface ethernet 2
  monitor input <--
interface ethernet 3
  monitor output <--
Known Issues in 4.1.1-P2
In this case, since the peer already has a VIP with the same name and a different IP address, a sync shows up as a modification of the IP address for an existing virtual server and is rejected.
• Before upgrading from 2.x to 4.x, if the user has both primary and secondary profiles with version 2.x, during the upgrade ACOS creates two new profiles, "Default_primary_old" and "Default_secondary_old", with the same contents as the old 2.7 default profiles, as a backup.
Known Issues in 4.1.1-P1
1) Configure VRRP-A.
Known Issues in 4.1.1
• Software Limitations
• Hardware Limitations
• Documentation Limitations
Software Limitations
The following limitations are related to ACOS Release 4.x (specific release limitations are so noted in the descriptions):
• SNMP Read for GSLB Groups Does Not Support Identical Host Names
• AAM Limitations
• aFleX Limitations
• Active FTP on vThunder for Azure With KDEMUX Drivers Does Not Work
• Passive FTP on vThunder for AWS and Azure Does Not Work
• VRRP-A and VCS on vThunder for AWS and Azure Does Not Work
• vThunder Cannot Ping Standby Interface in VRRP-A Deployments with L3 Inline Mode
This caused the request to erroneously pass to the internal server instead of returning the failure message "Can't verify Cert-Rejected".
For example, if the same real server:port member is used in two service groups, it is valid to bind each of those service groups to a different virtual port. However, if server-SSL templates are configured for both virtual ports, the server-side SSL behavior is not predictable and is not supported. It is recommended to duplicate the real server port configuration with different real servers in each group.
In the following example, an ACOS system is configured with two virtual servers, SSL_Internet_vip_001 and SSL_Internet_vip_003, and each of these virtual servers is configured with an HTTP virtual port, port 8080 http.
1. A different SSL template and a different service group is applied to each virtual port.
• The SSL template SSL_Internet_vip_001_server_ssl and the service group sg2 are applied to port 8080 http on SSL_Internet_vip_001.
• The SSL template SSL_Internet_vip_003_server_ssl and the service group sg1 are applied to port 8080 http on SSL_Internet_vip_003.
2. The preceding configuration is supported when each service group specifies a different real server. Service group sg1 specifies real server rs1, and service group sg2 specifies real server rs2:
3. However, the configuration in step 1 is not supported when both service groups specify the same real server, rs1, as shown in the following:
Traffic cannot pass through: the IP address in the URL of the RTSP packet is not changed from the SLB VIP (20.0.0.100) to the server IP (20.0.0.10) when it is forwarded to the ACOS server.
SNMP Read for GSLB Groups Does Not Support Identical Host Names
In Release 4.1.0, SNMP OID functionality is enhanced to include GSLB group information. However, members of the group must have unique host names. For example, consider this example output from the show gslb group command:
In this example, the group contains two members, both named "vThunder" but with different IP addresses (.206 and .205). Using SNMP read to view the GSLB group OID will yield results for a single member, because the host names are identical (example is truncated for brevity):
To work around this issue, you must manually change the host name for each member in the GSLB group so that each host name is unique within the group.
• Overlay functionality on all platforms (FTA and non-FTA) does not support jumbo frames or fragmentation.
• Overlay functionality is only available with SLB configurations.
• This field works properly for LSN configurations, where there is outside-to-inside communication (full-cone session).
Hence, to resolve this, the option "alive-if-active" for "force-delete-timeout" was removed from the firewall session-aging option settings for TCP. This option is removed from the CLI command "force-delete-timeout" and from the aXAPI.
• The implementation of the aXAPI in the 4.x releases is not backwards compatible with any 2.7.x or 2.8.x aXAPI implementations.
• The ACOS software does not support configuring Health Monitors or VRRP-A, or deleting an interface that is part of a trunk, through the aXAPI. Use the CLI for these operations.
• Issuing a block of configuration using the cli.deploy aXAPI method causes the control CPU to spike to 100% while the operation is in progress. As soon as the configuration change is applied, the control CPU reverts to normal behavior.
1. Some form-based pages will require a user to provide a dynamic variable in response.
2. Some pages may not contain a "Content-Length" header, or the "Content-Length" header may be too short.
• When switching the aVCS device-context from the vMaster to a vBlade, configuration of the vBlade is allowed as expected, but only statistical information from the vMaster is visible.
• Importing compressed files is not supported, except for SSL certificates.
• DHE ciphers might encounter crypto (hardware) failures for some SSL engines.
• SSLi Outside may encounter some crypto failures for some ciphers at load time.
AAM Limitations
ACOS 4.x does not support AAM configuration in any CGNv6 partitions.
<html>
<body>
<form name="chall" method="POST">
$replymsg$: <input type="text" name="chalv">
<input type="submit" value="Submit">
</form>
</body>
</html>
In the form, AAM does not support the "action" attribute, for example: action="form/handle.staff.php"
• When using a RADIUS server as the authorization server with SAML authentication and WS-Federation relay, AAM aFleX does not retrieve user passwords from HTTP requests. AAM aFleX authorizations against the RADIUS server fail because no user password can be provided to the RADIUS server.
• With WS-Federation relay, Active Directory Federation Services (ADFS) may return attribute names in lower case or in upper case, while AAM aFleX AAM::attribute commands are case-sensitive. Make sure AAM aFleX is configured with the correct attribute names for the values retrieved from ADFS.
aFleX Limitations
• This limitation applies to all 4.x releases. Tcl allows backslash-newline in its scripts, but aFleX currently does not support it. For example, you can continue a long line in Tcl with a backslash character (\):
However, aFleX will report a compilation error if you use backslash-newline. The recommendation is to write the long line without the backslash character:
• The RESOLVE::lookup command does not support the CLIENT_ACCEPTED and CLIENT_DATA events if the virtual port is of HTTP or HTTPS type.
• To disable perfect forward secrecy (PFS), do not configure a Diffie-Hellman (DH) group in the IPsec configuration.
• IPsec packet round robin may cause packet reordering.
• In a single tunnel without IPsec round robin, CPU load sharing may trigger, thus forcing packet round robin. To avoid this, disable CPU load sharing.
• NAT-traversal flow affinity is A10 proprietary and may not inter-operate with other vendors.
Active FTP on vThunder for Azure With KDEMUX Drivers Does Not Work
Active FTP mode is not supported in Azure with kdemux drivers.
Passive FTP on vThunder for AWS and Azure Does Not Work
If you need to use FTP on vThunder for Azure or vThunder for AWS in pvgrub mode, use active FTP; passive FTP does not work reliably.
VRRP-A and VCS on vThunder for AWS and Azure Does Not Work
VRRP-A and aVCS commands are not available on vThunder instances running in Azure or AWS environments.
Hardware Limitations
The following hardware limitations are applicable to all 4.x releases.
• Transceivers Not Purchased From A10 Networks May Show Error Message
• Thunder 7440(S)
• Thunder 6440(S)
• Thunder 5840(S)
• Thunder 5440(S)
• Thunder 4440(S)
Plugging a cable directly into this interface does not work; you must use the splitter cable to have either console or LOM functionality.
Additionally, auto-negotiation is disabled by default when fiber media is used on a 10G interface.
Documentation Limitations
There are no known documentation limitations at this time.
This chapter provides information for upgrading your ACOS software to release 4.1.1.
NOTE: If you are configuring a new ACOS device, see the installation guide for your specific device for hardware installation instructions, and the Quick Start Guide for initial configuration instructions.
CAUTION: Make sure the N5 SSL card is supported before installing different software.
• Hardware devices purchased before February 2016 have no concept of a product SKU. Hardware devices purchased after February 2016 are identified by a product SKU.
• vThunder devices prior to Release 4.1.0 used bandwidth licenses; licenses introduced in 4.1.0 cover both product and bandwidth usage.
The following Table 31 summarizes the hardware device product SKUs and the features available in each product:
The following Table 32 summarizes the vThunder and Bare Metal product licenses and the contents of each product:
NOTE: For more information about obtaining your product license, see your specific vThunder or Bare Metal installation guide, available on the Support Portal: https://files.a10networks.com/support-axseries/hardware-install-guides/index.html.
Supported Upgrade Paths
The following Table 33 summarizes the availability of Webroot and ThreatSTOP licenses for hardware product SKUs:
TABLE 33 ACOS 4.1.0 Webroot and ThreatSTOP Availability Matrix for Hardware
Device | SKU | Webroot and ThreatSTOP Availability
A10 Thunder Series or AX Series hardware device | CGN | None
A10 Thunder Series or AX Series hardware device | ADC | ThreatSTOP
A10 Thunder Series or AX Series hardware device | SSLi | Webroot and ThreatSTOP
A10 Thunder Series or AX Series hardware device | CFW | Webroot and ThreatSTOP
The following Table 34 summarizes the availability of Webroot and ThreatSTOP licenses for vThunder and Bare Metal devices:
TABLE 34 ACOS 4.1.0 Webroot and ThreatSTOP Availability Matrix for vThunder and Bare Metal
Device | License | Webroot and ThreatSTOP Availability
vThunder device licenses | CGN | None
vThunder device licenses | ADC | ThreatSTOP
vThunder device licenses | SSLi | Webroot and ThreatSTOP
vThunder device licenses | CFW | Webroot and ThreatSTOP
Bare Metal licenses | ADC | ThreatSTOP
Bare Metal licenses | CGN | None
• Any legacy 2.7.2.x or 2.8.2.x release to ACOS 4.1.1 (see Upgrading to ACOS 4.1.1 From Legacy 2.7.2.x or 2.8.2.x Releases)
• Any ACOS 4.x release to ACOS 4.1.1 (see Upgrading to ACOS 4.1.1 From 4.x Releases)
NOTE: To perform an upgrade to ACOS Release 4.x using the GUI, you must start with Release 2.7.2-P3. Earlier releases are not supported.
These releases support the encryption and decryption of the .upg image file formats used for upgrading a device (Upgrade Image File Names).
Upgrade Image File Names
First, determine whether or not your device is FTA enabled. See Hardware Platform Support, or use the following show hardware command; devices that are FTA-enabled will have output similar to the following:
• For FTA enabled platforms, use the image with the file name:
ACOS_FTA_version.upg
• For non-FTA enabled platforms (including vThunder), use the image with the file name:
ACOS_non_FTA_version.upg
NOTE: Before upgrading, be sure you have obtained the appropriate upgrade image (Upgrade Image File Names).
Upgrading to ACOS 4.1.1 From Legacy 2.7.2.x or 2.8.2.x Releases
• Upgrade Instructions
• Migrating Partitions
• Migrating Admins
Upgrade Instructions
When you are ready to upgrade:
1. Use the write memory all-partitions command to save your current running-config to the startup-config.
2. Upgrade your ACOS release 2.7.2-Px or 2.8.2-Px software to release 4.x using the upgrade command and the image file name from Upgrade Image File Names. For example, to upgrade the primary boot image on an FTA device:
3. Near the end of the upgrade procedure, you will be prompted to reboot your ACOS device. You can answer yes to reboot, or no if you want to reboot manually.
You must reboot the device to bring up the ACOS 4.x software and complete the upgrade procedure.
To verify, you can use the show startup-config all command and
• For each legacy local configuration profile, the migration tool generates one new profile with "_40" appended to the name. For example, an existing profile called "slb_profile" becomes "slb_profile_40". The original profile is not modified, so that reverting to the earlier version remains possible.
Use the show startup-config all command to view a list of all local configuration profiles, and to view the profile currently in use. The "Version" column in the output shows you the ACOS version of the configuration profile.
For example:
• For default primary and secondary configurations, the migration tool creates one copy of the original profile as a local configuration profile named "Default_<primary/secondary>_old" and changes the default profile to a format compatible with 4.x.
Migrating Partitions
The migration tool migrates at most 1023 partitions to the new format, or the maximum number allowed by the specific system.
For example, a system that allows a maximum of 32 L3V partitions has the following configuration profiles:
The migration tool migrates all 33 of these partitions to the new configuration, since the number is less than 1023. However, since the platform supports a maximum of 32 partitions, you must expect to see parse error messages similar to the following for each partition exceeding the maximum number supported by the device:
If the total number of partitions migrated exceeds 1023, the following parse error messages are expected:
In release 4.x, the directory structure for L3V partitions is completely new. All L3V partitions contain independent profiles that are not tied to the shared partition. To avoid conflicts in the system, all partition IDs are re-arranged during the migration process and available IDs are assigned to all partitions. Once all available IDs are assigned, meaning the maximum number of supported partitions is reached, the remaining partitions are discarded.
Migrating Admins
During the migration process, error messages relating to admin migration will be seen.
Feb 02 2016 23:30:54 Error [CLI]:Parse error when executing command: object-access-control "none" "none" "none" "none" "none" "none" "none" "none"
Feb 03 2016 00:07:34 Error [CLI]:Parse error when executing command: role-admin ReadOnlyAdmin
1. Re-configure the admin in the 4.x CLI (same commands as 2.7.2.x or 2.8.2.x).
2. Use write memory to save your changes.
3. Use reload to reload the ACOS device.
Feb 02 2016 22:08:21 Error [CLI]:Parse error when executing command: role-admin PartitionReadOnly "p1" "p2"
Workaround
1. Re-configure the admin in the 4.x CLI (multiple partition names are not allowed in a single command in 4.x):
1. Use the write memory all-partitions command to save your current running-config to the startup-config.
2. Set the boot image to the location where your 2.7.2.x or 2.8.2.x image resides. For example, if your 4.x image was loaded in the primary boot image area and your legacy image resides in the secondary boot image area:
3. Use the reboot command to reboot the device from the specified boot image area.
NOTE: After the device is rebooted, you can link to the configuration profile of your choice. (See Generating New Profiles for more information about how the migration tool handles existing profiles.)
NOTE: After reverting to your 2.7.2.x or 2.8.2.x release, your legacy admin configuration will no longer exist. You must re-configure all admins that have a specified role, or privileges for multiple partitions.
This failure is due to an inherent limitation of the built-in TFTP client in ACOS. The TFTP client's default TFTP block size is 512 bytes, which is too small to support download of the ACOS image. Therefore, it is recommended to set the TFTP client's block size to a larger value to allow the file transfer to complete successfully.
Upgrading to ACOS 4.1.1 From 4.x Releases
Other special characters are not supported, except as noted for the following objects:
2. The following special characters: “/”, “#”, “?”, “:”, “[“ are not supported for servers, service groups and VIPs.
• /axapi/v3/gslb/policy/
• /axapi/v3/cgnv6
• /axapi/v3/vpn/ike-gateway
• /axapi/v3/vpn/ike-gateway
• /axapi/v3/vpn/ike-gateway
• /axapi/v3/system/session/stats
• /axapi/v3/interface
• /axapi/v3/web-category
• /axapi/v3/slb
• /axapi/v3/router
• /axapi/v3/router/isis
/axapi/v3/gslb/policy/
The following properties are removed from this object. Remove these from POST and PUT payloads before upgrading.
"weighted-ip":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Select Service-IP by weighted preference",
"optional": true
}
"weighted-site":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Select Service-IP by weighted site preference",
"optional": true
}
"bw-cost":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Select site with minimum bandwidth cost",
"optional": true
}
/axapi/v3/cgnv6
The tunnel-endpoint-address is removed from these objects in favor of use-binding-table for multiple tunnel support.
• /axapi/v3/cgnv6
• /axapi/v3/cgnv6/lw-4o6
• /axapi/v3/cgnv6/lw-4o6/global
Revise any existing calls in your scripts to remove this property from POST and PUT payloads before upgrading.
"tunnel-endpoint-address":{
"type": "string",
"format": "ipv6-address",
"description": "Configure LW-4over6 IPIP Tunnel Endpoint Address (LW-4over6 Tunnel Endpoint Address)"
}
/axapi/v3/vpn/ike-gateway
The following properties are revised in this object so that the password of a key is reset to null when the key keyname command is entered. See the Command Line Interface Reference for further information.
Original properties (left column of the original table):
"key":{
  "type":"object",
  "properties":{
    "key-name":{
      "type":"string",
      "format":"string",
      "minLength":1,
      "maxLength":64,
      "description":"Private Key File Name"
    },
    "key-passphrase":{
      "type":"string",
      "format":"string",
      "minLength":1,
      "maxLength":127,
      "description":"Private Key Pass Phrase"
    }
  }
}
Revised properties (right column of the original table):
"key":{
  "type": "string",
  "format": "string",
  "minLength": 1,
  "maxLength": 255,
  "description": "Private Key",
  "optional": true
},
"key-passphrase":{
  "type": "string",
  "format": "password",
  "minLength": 1,
  "maxLength": 127,
  "description": "Private Key Pass Phrase",
  "optional": true
},
/axapi/v3/vpn/ike-gateway
The following properties are removed from this object, so that vrid default is now vrid 0 in VPN IKE-Gateway configurations, with the range revised from beginning at 1 to <0-31> (and <0-7> in partitions). If you were previously using vrid default, revise it after upgrading.
"default":{
"type": "number",
"format": "flag",
"default": 0,
"not": "vrid-num",
"description": "Default VRRP-A vrid"
}
/axapi/v3/vpn/ike-gateway
The following properties are added to this object so that the CLI and GUI formats display the same.
"properties":{
"inside-ipv4-address": {
"type": "string",
"format": "ipv4-address"
},
"inside-ipv6-address": {
"type": "string",
"format": "ipv6-address"
}
}
/axapi/v3/system/session/stats
The following properties, which are not session specific, are removed from this object so that the GUI will know which stats to leverage going forward.
"reverse_nat_tcp_ounter":{
"type": "number",
"format": "counter",
"size": "8",
"oid": "16",
"type":"number",
"format":"counter",
"size":"8",
"oid":"32",
"description":"Total IP Nat Conn",
"optional":true
},
"client_ssl_ctx_malloc_failure":{
"type": "number",
"format": "counter",
"size": "8",
"oid": "34",
"description": "Client SSL Ctx malloc Failures",
"optional": true
},
"proxy-chaining":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Enable proxy chaining feature",
"optional": true
}
• /axapi/v3/file
• /axapi/v3/file-ca-cert
• /axapi/v3/file-ssl-key
• /axapi/v3/import
• /axapi/v3/import-periodic
• /axapi/v3/import-periodic-ssl-cert
• /axapi/v3/import-periodic-ssl-crl
• /axapi/v3/import-periodic-ssl-key
Revise any existing calls to remove these properties from POST and PUT payloads before upgrading.
"csr-generate":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Generate CSR file",
"optional": true
}
/axapi/v3/interface
DHCP is removed from the following objects because DHCP was not supported, even if it was configured.
• /axapi/v3/interface
• /axapi/v3/interface-tunnel
• /axapi/v3/interface-tunnel-ip
After the upgrade, the dhcp configuration is removed automatically. If an IP address is needed on a
tunnel interface, static addresses are supported.
"dhcp":{
"type": "number",
"format": "flag",
"default": 0,
"description": "Use DHCP to configure IP address"
}
/axapi/v3/web-category
The server-timeout default parameter is revised to 15 seconds.
"server-timeout":{
"type": "number",
"format": "number",
"minimum": 1,
"maximum": 300,
"default": 15,
"partition-visibility": "shared",
"description": "BrightCloud Servers Timeout in seconds (default: 15s)",
"optional": true
}
/axapi/v3/slb
A variety of counter names are revised in the following statistics:
• slb-server-port-stats
• slb-server-stats
• slb-service-group-member-stats
• slb-service-group-stats
• slb-template-cache-stats
• slb-virtual-server-port-stats
• slb-virtual-server-port-stats-cache
You'll see the following type of example CLI output differences when sampling-enable is used
(previous counter name on the left, revised counter name on the right):
all                              all
total-throughput-bits-per-sec    total-throughput-bits-per-sec
l4-connection-rate               l4-conns-per-sec
l7-connection-rate               l7-conns-per-sec
l7-trans-per-sec                 l7-trans-per-sec
ssl-connection-rate              ssl-conns-per-sec
ip-nat-connection-rate           ip-nat-conns-per-sec
total-new-connection-rate        total-new-conns-per-sec
total-current-connectionss       total-curr-conns
l4-bandwidth                     l4-bandwidth
l7-bandwidth                     l7-bandwidth
You'll also see the following type of example responses in your GET requests.
Previous response:
{
"port": {
"stats" : {
"current-conns":0,
"total-l4-conns":0,
"total-l7-conns":7985,
"total-tcp-conns":7985,
"total-conns":7985,
"total-fwd-bytes":2693024,
"total-fwd-packets":35929,
"total-rev-bytes":2104590,
"total-rev-packets":16062,
"total-dns-pkts":0,
"total-mf-dns-packets":0,
"es-total-failure-actions":0,
"compression-bytes-before":0,
"compression-bytes-after":0,
"compression-hit":0,
"compression-miss":0,
"compression-miss-no-client":0,
...
Revised response:
{
"port": {
"stats" : {
"curr_conn":126,
"total_l4_conn":13128,
"total_l7_conn":0,
"total_tcp_conn":13128,
"total_conn":13128,
"total_fwd_bytes":6433228,
"total_fwd_pkts":91901,
"total_rev_bytes":6892903,
"total_rev_pkts":52519,
"total_dns_pkts":0,
"total_mf_dns_pkts":0,
"es_total_failure_actions":0,
"compression_bytes_before":0,
"compression_bytes_after":0,
"compression_hit":0,
"compression_miss":0,
"compression_miss_no_client":0,
...
/axapi/v3/router
The ha-standby-extra-cost is revised in various places throughout these objects to support extra cost
per VRID, rather than only for the default VRID.
• /axapi/v3/router
• /axapi/v3/router-ipv6
• /axapi/v3/router-ipv6-ospf
• /axapi/v3/router-isis
• /axapi/v3/router-ospf
The following properties in blue are new. After the upgrade, move existing default VRID costs to an
array.
"ha-standby-extra-cost":{
"type": "array",
"minItems": 1,
"items": {
"type": "object"
},
"uniqueItems": true,
"array": [{
"properties": {
"extra-cost": {
"type": "number",
"format": "number",
"minimum": 1,
"maximum": 65535,
"description": "The extra cost value"
},
"group": {
"type": "number",
"format": "number",
"minimum": 0,
"maximum": 31,
"description": "Group (Group ID)"
},
"optional": true
}
}]
}
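The move from a single default-VRID cost to the per-VRID array described above is the kind of payload change that breaks automation silently. The following is an added example (not A10 code) of a migration helper for aXAPI client scripts: it assumes the pre-4.1.1 router object carried ha-standby-extra-cost as a single number applying to the default VRID, takes the array shape and the extra-cost and group ranges from the schema above, and treats VRID 0 as the default in line with the vpn/ike-gateway note on this page. The function name and the sample objects are constructed for illustration.

```python
"""Migration helper for the revised ha-standby-extra-cost property.
Added example, not A10 code. Assumptions: the legacy value was a single
integer for the default VRID; ranges come from the schema on this page."""

EXTRA_COST_RANGE = (1, 65535)   # "extra-cost" minimum/maximum from the schema
GROUP_RANGE = (0, 31)           # "group" minimum/maximum from the schema
DEFAULT_VRID = 0                # default VRID is 0 as of 4.1.1 (assumed from the ike-gateway note)


def _check_int(name, value, lo, hi):
    """Reject non-integers (bool included) and out-of-range values."""
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError("%s must be an integer in %d-%d, got %r" % (name, lo, hi, value))


def migrate_ha_standby_extra_cost(router_obj):
    """Return a copy of a router object with ha-standby-extra-cost in the 4.1.1 array form.

    A legacy scalar is wrapped into one array entry for the default VRID; an array
    that is already present is validated against the schema ranges and uniqueness.
    """
    out = dict(router_obj)
    value = out.get("ha-standby-extra-cost")
    if value is None:
        return out                      # property absent: nothing to migrate
    if isinstance(value, list):
        entries = value                 # already in the new form
    else:
        entries = [{"extra-cost": value, "group": DEFAULT_VRID}]   # legacy scalar
    migrated = []
    seen_groups = set()
    for entry in entries:
        cost = entry.get("extra-cost")
        group = entry.get("group", DEFAULT_VRID)
        _check_int("extra-cost", cost, *EXTRA_COST_RANGE)
        _check_int("group", group, *GROUP_RANGE)
        if group in seen_groups:        # "uniqueItems": true in the schema
            raise ValueError("duplicate VRID group %d" % group)
        seen_groups.add(group)
        migrated.append({"extra-cost": cost, "group": group})
    out["ha-standby-extra-cost"] = migrated
    return out


# Constructed sample payloads (not captured from a device).
LEGACY_ROUTER = {"ha-standby-extra-cost": 10}
NEW_ROUTER = {"ha-standby-extra-cost": [{"extra-cost": 10, "group": 0},
                                        {"extra-cost": 20, "group": 5}]}

if __name__ == "__main__":
    print(migrate_ha_standby_extra_cost(LEGACY_ROUTER))
    print(migrate_ha_standby_extra_cost(NEW_ROUTER))
```

Run the helper over each router, router-ipv6, router-ipv6-ospf, router-isis and router-ospf object your scripts PUT, before the first call against the upgraded device; a ValueError here is cheaper than a rejected PUT mid-rollout.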
/axapi/v3/router/isis
The multi field block used for the set-overload-bit suppress command was creating multiple
instances for the set-overload-bit such that PUT operations would fail. The following properties in
blue are revised.
Previous definition:
"suppress-list":{
"type": "array",
"minItems": 1,
"items": {
"type": "object"
},
"uniqueItems": true,
"array": [{
"properties": {
"suppress": {
"type": "string",
"format": "enum",
"description": "'external': If overload-bit set, don't advertise IP prefixes learned from other protocols; 'interlevel': If overload-bit set, don't advertise IP prefixes learned from another ISIS level; ",
"enum": [
"external",
"interlevel"
]
},
"optional": true
}
}]
}
Revised definition:
"suppress-cfg":{
"type": "object",
"properties": {
"external": {
"type": "number",
"format": "flag",
"default": 0,
"description": "If overload-bit set, don't advertise IP prefixes learned from other protocols"
},
"interlevel": {
"type": "number",
"format": "flag",
"default": 0,
"description": "If overload-bit set, don't advertise IP prefixes learned from another ISIS level"
}
}
}
1. Obtain the appropriate upgrade package (see Upgrade Image File Names).
2. Use this upgrade package and follow the instructions in Upgrade Instructions.
After the reboot, your original configuration will be loaded and ACOS2 will re-join the aVCS chassis and
become the VRRP-A standby device. Your VRRP-A configuration is not disrupted due to the manual
forced failover caused by changing the VRID priorities.
1. Obtain the appropriate upgrade package (see Upgrade Image File Names).
2. On all devices in the virtual chassis, save the startup configuration to a new profile. Use the all-partitions
option if you have L3V partitions configured. Do not link the profile; this profile will serve as
the local backup of the 4.1.0 configuration. For example, on the current vMaster "ACOS1:"
Mar 21 2016 16:14:41 B3 a10logd: [CLI]<3> rimacli: terminted because received SIGTERM signal
5. On “ACOS2:”
a. Access the configuration level for the VRRP-A VRID in the shared partition and each L3V partition.
For example:
ACOS2# configure
ACOS2(config)# vrrp-a vrid 1
ACOS2(config-vrid:1)#
b. Change the VRID priority to a value that is higher than the priority on the vMaster. For example, if
the VRID priority on the vMaster is 100, we can change the priority to 105:
ACOS2(config-vrid:1)# blade-parameters
ACOS2(config-vrid:1-blade-parameters)# priority 105
ACOS2(config-vrid:1-blade-parameters)# exit
ACOS2(config-vrid:1)# exit
ACOS2(config)#
This will cause VRRP-A to fail over so that ACOS2, now with the higher priority, becomes the new
active device.
6. Install the Release 4.1.1 image on ACOS1 and reboot the device for the change to take effect. See
Upgrade Instructions.
7. On ACOS2:
a. Access the configuration level for the VRRP-A VRID in the shared partition and each L3V partition.
For example:
b. In the shared partition and all L3V partitions, change the VRID priority back to its original value,
or any value that is lower than the value on ACOS1. For example, if the VRID priority on ACOS1 is
100, we can change the priority to 99 on ACOS2:
ACOS2(config-vrid:1)# blade-parameters
ACOS2(config-vrid:1-blade-parameters)# priority 99
ACOS2(config-vrid:1-blade-parameters)# exit
ACOS2(config-vrid:1)# exit
ACOS2(config)#
This will cause VRRP-A to fail over so that ACOS1 will once again become the active device.
8. Without saving the configuration, install the Release 4.1.0 image on ACOS2 and reboot the device
for the change to take effect. See Upgrade Instructions.
After ACOS2 is rebooted, your original configuration (saved in step 2) will be loaded and ACOS2 will
rejoin the virtual chassis and the upgrade of the chassis to Release 4.1.0 is complete.
Steps After Upgrading to 4.1.1 with an Existing Web-category License
ACOS# config
ACOS(config)# web-category
ACOS(config-web-category)# enable
This procedure checks for and fixes a web-category license corruption that might occur during an
upgrade.
Note: Ensure that your ACOS appliance is already configured with an established connection to the
Global Licensing Manager (GLM). GLM can be configured at the global configuration level using the glm
command.
This section describes additional changes that are not covered in the previous sections and provides
clarifications on features supported in previous releases.
• Documentation Errata
Documentation Errata
The following sections clarify or expand on information in the manuals for previous releases:
• Port Batching v2
• Logging Enhancements
Port Batching v2
Port batches can be created in NAT pools using Large Scale NAT (LSN). This allows ACOS to assign port
batches contiguously and increases the maximum configurable port batch size. A port range can be
configured for the NAT pool, and up to 4096 ports can then be configured per port batch. If a subscriber's
connections are fewer than the number of ports in a batch, only one port batch is assigned.
The only exception is when ALG connections need two consecutive ports in a batch, but the subscriber
does not have two consecutive ports in any given batch. In that case, a new port batch will be assigned
to the subscriber.
NOTE: To change the port batch size, all of the current configuration must be
deleted, and all existing sessions need to be cleared first.
To support contiguous port batch assignments, NAT port ranges will be configurable within a NAT pool.
In both the cases of a port batch and of a NAT pool, a warning log will be generated when a configurable
usage threshold is reached.
A log is generated when a port batch is allocated, and another log is generated when the port batch is
freed. In the case that a session creation fails, the port batch allocation message will be immediately
followed by a port batch freed log.
NOTE: When port batching is configured within an IP NAT pool, ACOS uses less
memory and has better traffic processing performance.
Logging Enhancements
Use of port batches version 2 creates new logs, similar to the existing port batching logs.
NOTE: For more information on logging formats, see the Traffic Logging Guide
for IPv6 Migration.
• Syslog
• Binary Log
• RADIUS Log
• NetFlow
Syslog
Port batching logs can reflect the starting port and ending port for port batches, rather than the batch
size and the step size. In the examples below, note the difference in the event identifier (NAT-UDP-B and
NAT-UDP-T), which indicates how to interpret the highlighted portion of each log message.
In the current port batch logs, the highlighted numbers indicate the starting port, the port
batch size, and the step size:
In the new port batching pool logs, the highlighted numbers indicate the starting port and the
ending port. The highlighted letters indicate a different event:
Binary Log
For binary logging format, the “Proto” field of the port batching log header is changed from 3 bits to 2
bits. A new 1 bit header “V” is added to indicate use of the second version of port batching. If the “V” bit
is set, then the new logging format is used. Existing port batching will not have the “V” bit set and will
use the legacy logging format.
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Act | V|Proto| Type | Length |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
If the “V” bit is set, then the following log format is used:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Inside IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NAT IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Start NAT Port | End NAT Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
If the "V" bit is not set, then the legacy log format below is used:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Inside IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NAT IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Base NAT Port | Batch Size |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Step Size |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
RADIUS Log
For RADIUS logging, the following new event codes are added:
port-batch-v2-allocated
$proto-name$ Protocol name
$proto-num$ Protocol number
$src-ip$ Source IP
$nat-ip$ NAT IP
$nat-port-start$ Start port of batch NAT ports
$nat-port-end$ End port of batch NAT ports
$inside-user-mac$ Inside user MAC
$radius-msisdn$ RADIUS attribute: MSISDN
$radius-imei$ RADIUS attribute: IMEI
$radius-imsi$ RADIUS attribute: IMSI
$radius-ctm1$ RADIUS attribute: Custom1
$radius-ctm2$ RADIUS attribute: Custom2
$radius-ctm3$ RADIUS attribute: Custom3
NetFlow
NetFlow logging can be configured for NAT pool port batching. To do so, enter the following command
at the NetFlow configuration level:
These options configure NetFlow monitor records for NAT pool port batches for NAT44, NAT64, or
DSLite. The option of both exports both creation and deletion NetFlow records, whereas the options of
creation or deletion export only those respective NetFlow records.
ACOS(config)# cgnv6 nat pool lsn 198.51.100.1 198.51.100.254 netmask /24 port-batch-v2-size 64 usable-nat-ports 1024 2000
ACOS(config)# cgnv6 lsn-lid 1
ACOS(config-lsn-lid)# source-nat-pool lsn
ACOS(config-lsn-lid)# exit
ACOS(config)# class-list lsn
ACOS(config-class-list)# 5.5.5.0 lsn-lid 1
ACOS(config)# cgnv6 lsn inside source class-list lsn
To display logging information for IP NAT pool port batching, enter one of the following show commands:
For example, if a new user requires a TCP port, then a TCP port batch is allocated. The UDP port batch
with the same port range is also assigned to that user at that time. The TCP user quota is used to
limit the port usage for inside users, and any configured UDP user quota is not applicable when this
feature is enabled.
Additionally, NAT pools with TCP and UDP port batch allocation enabled cannot have an extended user
quota configured as well.
NOTE: This feature is only supported in Port Batch version 2, added in release
2.8.2-P1.
• The original Port Batching feature only assigns one protocol port batch at a time.
• Only a single log message is generated when both the TCP and the UDP port batch
are allocated together.
• For more information on the new log message, see TCP/UDP Port Batch Allocation
Logging.
• RADIUS
• Configuration Example
ACOS(config)# cgnv6 nat pool lsn 198.51.100.1 198.51.100.254 netmask /24 port-batch-v2-size 64 simultaneous-batch-allocation
• Default Format
• Compact Format
• RFC5424 Format
• Binary Format
Default Format
Compact Format
RFC5424 Format
Binary Format
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Act |V|Proto| Type | Length |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
• Act (2 bits) – Action:
Port mapping allocate – 0
Port mapping free – 2
• V (1 bit) – Port batch version:
Version 1 – 0
Version 2 – 1
• Proto (2 bits) – Protocol:
TCP – 1
UDP – 2
Other – 0
• Type (3 bits) – Session type:
LSN – 0
NAT64 – 1
DS-Lite – 2
6rd over NAT64 – 3
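The header and body layouts in the Binary Log section and the field values listed just above are enough to write a decoder, which is the check a collector or SIEM parser needs before the "V" bit starts arriving in production logs. The following is an added example, not A10 code: it takes the field widths from the diagrams on this page and the code points from the list above, and assumes MSB-first bit numbering (bit 0 in the diagram is the most significant bit) and network byte order for the body. The encode_header function and the two sample records are constructed here so the decoder can be exercised offline; the Length field is passed through as-is because the page does not say what it counts.

```python
"""Decoder for the ACOS port-batching binary log record layouts on this page.
Added example, not A10 code. Assumed: MSB-first header bits, big-endian body."""
import struct
import ipaddress

# Code points from the "Binary Format" field list.
ACTIONS = {0: "port-mapping-allocate", 2: "port-mapping-free"}
PROTOS = {0: "other", 1: "tcp", 2: "udp"}
SESSION_TYPES = {0: "lsn", 1: "nat64", 2: "ds-lite", 3: "6rd-over-nat64"}

V2_BODY = struct.Struct("!4s4sHH")    # inside IPv4, NAT IPv4, start NAT port, end NAT port
V1_BODY = struct.Struct("!4s4sHHH")   # inside IPv4, NAT IPv4, base NAT port, batch size, step size


def encode_header(act, v, proto, type_, length):
    """Pack the 16-bit header Act(2) V(1) Proto(2) Type(3) Length(8), MSB first (assumed order)."""
    if not (0 <= act < 4 and v in (0, 1) and 0 <= proto < 4 and 0 <= type_ < 8 and 0 <= length < 256):
        raise ValueError("header field out of range")
    return struct.pack("!H", (act << 14) | (v << 13) | (proto << 11) | (type_ << 8) | length)


def parse_header(data):
    """Split the 2-byte header into its five fields."""
    if len(data) < 2:
        raise ValueError("record shorter than the 2-byte header")
    (h,) = struct.unpack("!H", data[:2])
    return {"act": (h >> 14) & 0x3, "v": (h >> 13) & 0x1, "proto": (h >> 11) & 0x3,
            "type": (h >> 8) & 0x7, "length": h & 0xFF}


def parse_record(data):
    """Decode one record; the V bit selects the v2 (start/end) or legacy (base/size/step) body."""
    hdr = parse_header(data)
    body = data[2:]
    rec = {
        "action": ACTIONS.get(hdr["act"], "reserved(%d)" % hdr["act"]),
        "version": 2 if hdr["v"] else 1,
        "proto": PROTOS.get(hdr["proto"], "reserved(%d)" % hdr["proto"]),
        "session_type": SESSION_TYPES.get(hdr["type"], "reserved(%d)" % hdr["type"]),
        "length": hdr["length"],   # reported as-is; the page does not define what it counts
    }
    if hdr["v"]:
        if len(body) < V2_BODY.size:
            raise ValueError("truncated port batch v2 body")
        inside, nat, start, end = V2_BODY.unpack(body[:V2_BODY.size])
        if start > end:
            raise ValueError("start NAT port %d above end NAT port %d" % (start, end))
        rec.update(inside_ip=str(ipaddress.IPv4Address(inside)), nat_ip=str(ipaddress.IPv4Address(nat)),
                   nat_port_start=start, nat_port_end=end)
    else:
        if len(body) < V1_BODY.size:
            raise ValueError("truncated legacy port batch body")
        inside, nat, base, size, step = V1_BODY.unpack(body[:V1_BODY.size])
        rec.update(inside_ip=str(ipaddress.IPv4Address(inside)), nat_ip=str(ipaddress.IPv4Address(nat)),
                   base_nat_port=base, batch_size=size, step_size=step)
    return rec


# Constructed sample records (documentation addresses, not captured from a device).
# Length is set to the full record size here; that is an assumption for the sample only.
SAMPLE_V2 = encode_header(0, 1, 2, 0, 14) + V2_BODY.pack(
    ipaddress.IPv4Address("10.1.1.5").packed, ipaddress.IPv4Address("198.51.100.1").packed, 1024, 1087)
SAMPLE_V1 = encode_header(2, 0, 1, 1, 16) + V1_BODY.pack(
    ipaddress.IPv4Address("10.1.1.6").packed, ipaddress.IPv4Address("198.51.100.2").packed, 2000, 64, 64)

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V1):
        print(parse_record(sample))
```

The decoder refuses a v2 body whose start port exceeds its end port and any body shorter than its layout, so a feed that mixes v1 and v2 records (the state described above, where existing port batching keeps the legacy format) fails loudly on a mis-sized record instead of attributing a NAT mapping to the wrong subscriber.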
RADIUS
A10-CGN-Protocol = OTHER
Configuration Example
The following configuration example configures an IP NAT pool named “portbatch2” and enables Port
Batch v2, as well as simultaneous TCP and UDP port batch allocation. The IP NAT pool is added to an
LSN LID 1. The LSN LID is then added to a class list called “portbatchlist”, which is then applied to the
IP NAT inside.
ACOS(config)# cgnv6 nat pool lsn 198.51.100.1 198.51.100.254 netmask /24 port-batch-v2-size 64 simultaneous-batch-allocation
ACOS(config)# cgnv6 lsn-lid 1
ACOS(config-lsn-lid)# source-nat-pool lsn
ACOS(config-lsn-lid)# exit
ACOS(config)# class-list lsn
ACOS(config-class-list)# 5.5.5.0 lsn-lid 1
ACOS(config)# cgnv6 lsn inside source class-list lsn
Port Batch version 2 logs are sent when a new port batch is allocated, and when the port batch is freed.
In between the two log messages, you can choose to receive interim log messages. These are sent peri-
odically based on a configurable time interval. Interim log messages follow the same log format as the
“port batch allocated” log.
The only fields that change between interim logs are the uploaded and downloaded bytes field, which
display the aggregate amount of traffic that is served by the port batch since the port batch was first
allocated. Since these numbers are aggregated, they do not display traffic information for each individ-
ual session within a port batch.
NOTE: If interim updates are enabled after a port batch is created, then there will
not be interim logs for that port batch. Interim logs will only be generated
for port batches created after interim updates are enabled.
For custom logging, there are new keywords for port-batch-v2-allocated and port-batch-v2-freed entries:
port-batch-v2-allocated
port-batch-v2-freed
Two new configuration entries are added to the custom logging format for interim logs: a new
entry for Port Batch version 2 interim updates, and a new entry for Fixed NAT interim updates.
port-batch-v2-interim-update
NOTE: The keywords for Port Batch version 2 freed (port-batch-v2-freed) are the
same as the keywords for Port Batch version 2 interim update
(port-batch-v2-interim-update), with the addition of the $ct-msg$ keyword to
log connection termination.
fixed-nat-interim-update
$src-ip$ Source IP
$nat-ip$ NAT IP
$nat-port-start$ First NAT port
$nat-port-end$ Last NAT port
$ul-byte$ Upload byte count (only for "format custom")
$dl-byte$ Download byte count (only for "format custom")
$sesn-start-time$ Session start time (only for "format custom")
$curr-time$ Log generated time (only for "format custom")
CONTACT US
a10networks.com/contact